Hi,

On 22/01/2021 12:19, Arne Schwabe wrote:
>> I would suggest some refactoring here.
>> We can just assume that BF-CBC is not supported by the SSL library,
>> while also reducing some code duplication:
>>
>> const char *ciphername = o->ciphername;
>>
>> ...
>>
>> /* o->ciphername might be BF-CBC even though the underlying SSL library
>>  * does not support it. For this reason we workaround this corner case
>>  * by pretending to have no encryption enabled and by manually adding
>>  * the required packet overhead to the MTU computation.
>>  */
>> if (strcmp(o->ciphername, "BF-CBC") == 0)
>> {
>>     ciphername = "none";
>>     /* 64 bit block size, 64 bit IV size */
>>     frame_add_to_extra_frame(&fake_frame, 64/8 + 64/8);
>> }
>
> That drops the adjusting for the HMAC size. I will add a comment to
> clarify what the other lines are good for.

I moved the crypto_adjustment call below this block, since it is
performed both for BF-CBC and non-BF-CBC. Doesn't it work?

--
Antonio Quartulli