Hi, On Sat, Jan 01, 2022 at 05:25:20PM +0100, Arne Schwabe wrote: > This commit fixes the MSS calculation in CBC mode. This fix has two parts: > > - Added rounding to a multiple of block size during calculation of overhead > - In CBC mode the packet ID is part of the plaintext (or payload) rather > than part of the header (like for AEAD), adjust the functions to > correctly reflect this. > > OCC link calculation is not affected since it ignores rounding of CBC > block size completely.
I've done a bit of whacking of this, and it is still not fully right,
unfortunately.
The short form is
- BF-CBC, LZ4, --mssfix 1000, over IPv4
v4 TCP -> MSS 923, resulting UDP payload <= 1008 bytes
v6 TCP -> MSS 903, resulting UDP payload <= 1008 bytes
- BF-CBC, LZ4, --mssfix 1000, over IPv6
v4 TCP -> MSS 923, resulting UDP payload <= 1008 bytes
v6 TCP -> MSS 903, resulting UDP payload <= 1008 bytes
[so this is clearly wrong!]
- BF-CBC, comp no, --mssfix 1000, over IPv4
v4 TCP -> MSS 923, resulting UDP payload <= 1000 bytes
[can't test v6 inside in this particular server instance]
so, something is wrong with the rounding and the compression opcode
in CBC mode. With "comp no" the resulting packets are correct (UDP payload
<= 1000 bytes), with "comp lz4" - doing the framing, but not doing
actual compression - UDP payload exceeds --mssfix config.
So, not merging this, until we've decided how to proceed (fixup patch,
or new version of this one).
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
signature.asc
Description: PGP signature
_______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
