Hi,

On 22/01/2021 12:19, Arne Schwabe wrote:
>> I would suggest some refactoring here.
>> We can just assume that BF-CBC is not supported by the SSL library,
>> while also reducing some code duplication:
>>
>> const char *ciphername = o->ciphername;
>>
>> ...
>>
>> /* o->ciphername might be BF-CBC even though the underlying SSL library
>>  * does not support it. For this reason we work around this corner case
>>  * by pretending to have no encryption enabled and by manually adding
>>  * the required packet overhead to the MTU computation.
>>  */
>> if (strcmp(o->ciphername, "BF-CBC") == 0)
>> {
>>    ciphername = "none";
>>    /* 64 bit block size, 64 bit IV size */
>>    frame_add_to_extra_frame(&fake_frame, 64/8 + 64/8);
>> }
> 
> That drops the adjusting for the HMAC size.  I will add a comment to
> clarify what the other lines are good for.

I moved the crypto_adjustment call below this block, since it is
performed both for BF-CBC and non-BF-CBC. Doesn't it work?



-- 
Antonio Quartulli


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
