| author | Lev Stipakov | 2019-01-21 22:04:54 +0200 |
|---|---|---|
| committer | Gert Doering | 2019-07-22 20:25:53 +0200 |
| commit | d22ba6b2c551fa83d23b5cf668e08a08fde446bc (patch) | |
| tree | 7fecbb9b721cc1c56a99790d60d766c2fb4561d7 /src/openvpn/ssl.c | |
| parent | c454b21e7ce458ce6f5bcaf6c313ab3ba3dd5baf (diff) | |
| download | openvpn-d22ba6b2c551fa83d23b5cf668e08a08fde446bc.zip openvpn-d22ba6b2c551fa83d23b5cf668e08a08fde446bc.tar.gz | |
Fix broken fragment/mssfix with NCP
NCP negotiation replaces worst case crypto overhead
with actual one in data channel frame. Those frame
params are used by mssfix.
Fragment frame still contains worst case overhead.
Because of that, TCP packets are fragmented, since
the MSS value exceeds the max fragment size.
Fix by replacing worst case crypto overhead with
actual one for fragment frame, as it is done for data
channel frame.
Trac #1140
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1548101094-4449-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18135.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/ssl.c')
-rw-r--r-- | src/openvpn/ssl.c | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 640808f..abc3c53 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1990,7 +1990,8 @@ cleanup: bool tls_session_update_crypto_params(struct tls_session *session, - struct options *options, struct frame *frame) + struct options *options, struct frame *frame, + struct frame *frame_fragment) { if (!session->opt->server && 0 != strcmp(options->ciphername, session->opt->config_ciphername) @@ -2034,6 +2035,22 @@ tls_session_update_crypto_params(struct tls_session *session, frame_init_mssfix(frame, options); frame_print(frame, D_MTU_INFO, "Data Channel MTU parms"); + /* + * mssfix uses data channel framing, which at this point contains + * actual overhead. Fragmentation logic uses frame_fragment, which + * still contains worst case overhead. Replace it with actual overhead + * to prevent unneeded fragmentation. + */ + + if (frame_fragment) + { + frame_remove_from_extra_frame(frame_fragment, crypto_max_overhead()); + crypto_adjust_frame_parameters(frame_fragment, &session->opt->key_type, + options->replay, packet_id_long_form); + frame_set_mtu_dynamic(frame_fragment, options->ce.fragment, SET_MTU_UPPER_BOUND); + frame_print(frame_fragment, D_MTU_INFO, "Fragmentation MTU parms"); + } + return tls_session_generate_data_channel_keys(session); } |
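Review bot: the new `struct frame *frame_fragment` parameter on tls_session_update_crypto_params() is not reflected in anything visible here (this view is limited to src/openvpn/ssl.c), so the prototype in the header and every caller need the extra argument, and the prototype's comment should state that NULL is accepted, which the `if (frame_fragment)` guard in the second hunk shows is intended.

Review bot: `frame_remove_from_extra_frame(frame_fragment, crypto_max_overhead());` in the second hunk is unconditional, so if tls_session_update_crypto_params() runs more than once for the same session (for example on a renegotiation) the second call subtracts the worst-case overhead from a frame that by then holds only the actual overhead, under-sizing the fragment frame; either have the caller guarantee a freshly initialised frame_fragment or check that the worst-case overhead is still present before removing it. Two style points in the same block: the blank line between the explanatory comment and `if (frame_fragment)` detaches the comment from the code it describes and should go, and `frame_set_mtu_dynamic(frame_fragment, options->ce.fragment, SET_MTU_UPPER_BOUND);` runs much longer than the wrapped `crypto_adjust_frame_parameters(...)` call two lines above it, so wrap it the same way.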