Hi,

On Mon, Jan 24, 2022 at 03:54:59AM +0100, Arne Schwabe wrote:
> Currently we use half dynamic buffer sizes where we have a fixed
> overhead for crypto (crypto_max_overhead) but use a dynamic overhead
> for the other small header sizes.
> 
> Patch v3: rebase
> Patch v4: add size of ack array to control channel frame size
> Patch v5: fix calculation of compression overhead calculated over 0 instead
>           of payload size

Generally this looks okayish, and *most* t_client / t_server tests work
beautifully.

It does break --tls-client --proto tcp for me, for big packets, though...

The client is called like this:

openvpn --ca ... --cert ... --key ... --comp-lzo --verb 3 --tls-client --dev tap --proto tcp-client --remote gentoo.ov.greenie.net 51204 --ifconfig 10.204.9.2 255.255.255.0 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:9::2/64 fd00:abcd:204:9::1 --route 10.204.0.0 255.255.0.0 10.204.9.1 --route-ipv6 fd00:abcd:204::/48 --data-ciphers BF-CBC

and will do

2022-02-02 12:56:52 peer info: IV_CIPHERS=BF-CBC:AES-256-GCM:AES-128-GCM
2022-02-02 12:56:52 peer info: IV_PROTO=42
2022-02-02 12:56:52 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
2022-02-02 12:56:52 P2P mode NCP negotiation result: TLS_export=1, DATA_v2=1, peer-id 897556, cipher=BF-CBC
2022-02-02 12:56:52 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA1
2022-02-02 12:56:52 [server] Peer Connection Initiated with [AF_INET6]2001:608:0:814::f000:11:51204
2022-02-02 12:56:53 OPTIONS IMPORT: adjusting link_mtu to 1579
2022-02-02 12:56:53 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
2022-02-02 12:56:53 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication


when sending 1440 byte pings (t_client test) it will complain

2022-02-02 12:56:15 TCP/UDP packet too large on write to [AF_INET6]2001:608:0:814::f000:11:51204 (tried=1520,max=1499)
2022-02-02 12:56:15 TCP/UDP packet too large on write to [AF_INET6]2001:608:0:814::f000:11:51204 (tried=1520,max=1499)
2022-02-02 12:56:15 TCP/UDP packet too large on write to [AF_INET6]2001:608:0:814::f000:11:51204 (tried=1520,max=1499)


soo...  is this something that "should be fixed" by a later patch in the
series, or do we need a v6 of this one?


The same test works correctly with master as of right now (5b3c8ca86976).

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
