From: Steffan Karger Date: Tue, 29 Jul 2014 20:52:24 +0000 (+0200) Subject: Fix frame size calculation for non-CBC modes. X-Git-Tag: v2.4_alpha1~326 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=669f898b8fcaf7a8d43825fa0255c2791cc0ef89;p=thirdparty%2Fopenvpn.git Fix frame size calculation for non-CBC modes. CBC mode is the only mode that OpenVPN supports that needs padding. So, only include the worst case padding size in the frame size calculation when using CBC mode. While doing so, rewrite crypto_adjust_frame_parameters() to be better readable, and provide debug output (for high debug levels). Signed-off-by: Steffan Karger Acked-by: Gert Doering Message-Id: <1406667144-17674-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8952 Signed-off-by: Gert Doering --- diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 5cf9b9cd1..c1b9df317 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -403,11 +403,27 @@ crypto_adjust_frame_parameters(struct frame *frame, bool packet_id, bool packet_id_long_form) { - frame_add_to_extra_frame (frame, - (packet_id ? packet_id_size (packet_id_long_form) : 0) + - ((cipher_defined && use_iv) ? cipher_kt_iv_size (kt->cipher) : 0) + - (cipher_defined ? cipher_kt_block_size (kt->cipher) : 0) + /* worst case padding expansion */ - kt->hmac_length); + size_t crypto_overhead = 0; + + if (packet_id) + crypto_overhead += packet_id_size (packet_id_long_form); + + if (cipher_defined) + { + if (use_iv) + crypto_overhead += cipher_kt_iv_size (kt->cipher); + + if (cipher_kt_mode_cbc (kt->cipher)) + /* worst case padding expansion */ + crypto_overhead += cipher_kt_block_size (kt->cipher); + } + + crypto_overhead += kt->hmac_length; + + frame_add_to_extra_frame (frame, crypto_overhead); + + msg(D_MTU_DEBUG, "%s: Adjusting frame parameters for crypto by %zu bytes", + __func__, crypto_overhead); } /*
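Review bot: In the new msg() call at the end of crypto_adjust_frame_parameters(), the %zu conversion used for crypto_overhead is not understood by every C runtime (older Microsoft runtimes, for example), so on such a build the D_MTU_DEBUG line can print a wrong value. Casting to a type with a universally supported conversion, for example `(unsigned long) crypto_overhead` with %lu, avoids that. Two smaller points in the same hunk: the unbraced `if (cipher_kt_mode_cbc (kt->cipher))` has a comment between the condition and its single statement, which is easy to break when a second statement is added later, so braces would be safer there; and `msg(` is missing the space before the parenthesis that the other calls in this hunk use.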