git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Lev Stipakov <lev@openvpn.net>
	Wed, 30 Oct 2019 12:44:59 +0000 (14:44 +0200)
committer	Gert Doering <gert@greenie.muc.de>
	Wed, 6 Nov 2019 18:55:07 +0000 (19:55 +0100)
commit	3bd91cd0e68762b861c57cf37f144d8a11704e9d
tree	6055823244dc3234bf990490eed9cc7d4b4d6a57	tree \| snapshot
parent	3976acda9bf10b5e62375b66ee42d85eda08fbcf	commit \| diff

Fix broken fragmentation logic when using NCP

This is the 2.4 backport of master patch (commit d22ba6b).

NCP negotiation replaces worst case crypto overhead
with actual one in data channel frame. That frame
params are used by mssfix. Fragment frame still contains
worst case overhead.

Without this patch, fragmentation logic incorrectly uses
max crypto overhead when calculating packet size. It exceeds
fragment size and openvpn peforms fragmentation:

> sudo tcpdump port 1194
13:59:06.956394 IP server.fi.openvpn > nat2.panoulu.net.openvpn: UDP,
length 652
13:59:06.956489 IP server.fi.openvpn > nat2.panoulu.net.openvpn: UDP,
length 648

This patch fixes fragmentation calculation by
setting actual crypto overhead, and no unnecessary
fragmentation is performed:

> sudo tcpdump port 1194
13:58:08.685915 IP server.fi.openvpn > nat2.panoulu.net.openvpn: UDP,
length 1272
13:58:08.686007 IP server.fi.openvpn > nat2.panoulu.net.openvpn: UDP,
length 1272

Trac #1140

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1572439499-16276-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18975.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

src/openvpn/forward.c		diff \| blob \| blame \| history
src/openvpn/init.c		diff \| blob \| blame \| history
src/openvpn/openvpn.h		diff \| blob \| blame \| history
src/openvpn/push.c		diff \| blob \| blame \| history
src/openvpn/ssl.c		diff \| blob \| blame \| history
src/openvpn/ssl.h		diff \| blob \| blame \| history