Typo/grammar fixes only for now.

> Arne Schwabe <a...@rfc2549.org> wrote on 10.05.2022 19:04:
> This ensure that control packets are actually  smaller than tls-mtu.

"ensures"

> Since OpenVPN will consider a control message packet complete
> when the TLS record is complete, we have to ensure that the SSL library
> will still write one record, so the receiving side will only be able
> to get/read the control message content when a TLS record is
> complete. To achieve this goal, this commit does:
> 
> - Splitting one read from TLS library into multiple control

"split" to be consistent with other bullet points.

>   channel packets, splitting one TLS record into multiple
>   control packets.
> - increase allowed number of outstanding packets to 6 from 4 on the
>   sender side. This is still okay with older implementation as

"implementations"

>   receivers will have room for 8.
> - calculate the overhead for control channel message to allow
>   staying below that threshold.
> - remove maxlen from key_state_read_ciphertext and related functions
>   as we now always allow control channel messages to be up to
>   TLS_CHANNEL_BUF_SIZE in size and longer limit this by the mtu of

"no longer"

>   control packets as the implemented splitting will take care of
>   larger payloads from the SSL library
> 
> Patch v2: avoid assertion about to large buffer by sticking to 1250 max 
> control size

"too"

>           in this commit and leaving larger sizes for the --tls-mtu commit. 
> Also fix
>           various other small problems and grammer fixes.

"grammar"

[...]
> @@ -496,6 +489,38 @@ reliable_get_buf(struct reliable *rel)
>      return NULL;
>  }
>  
> +/* Counts the number of free buffers in output that can be potientially used

"potentially"

> + * for sending */
> +int
> +reliable_get_num_output_sequenced_available(struct reliable *rel)
> +{
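Review bot: the in-file comment on reliable_get_num_output_sequenced_available does not say what "sequenced available" means, while the header version in reliable.h does ("without breaking ack sequence"); either keep the two comments identical or drop this one and let the header carry the documentation, so they cannot drift apart.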
[...]
> diff --git a/src/openvpn/reliable.h b/src/openvpn/reliable.h
> index b9863efe3..5b4f75c28 100644
> --- a/src/openvpn/reliable.h
> +++ b/src/openvpn/reliable.h
[...]
> @@ -385,6 +399,20 @@ void reliable_mark_deleted(struct reliable *rel, struct 
> buffer *buf);
>   */
>  struct buffer *reliable_get_buf_output_sequenced(struct reliable *rel);
>  
> +
> +/**
> + * Counts the number of free buffers in output that can be potientially used

"potentially"

> + * for sending
> + *
> + *  @param rel The reliable structure in which to search for a free
> + *     entry.
> + *
> + *  @return the number of buffer that are available for sending without
> + *             breaking ack sequence
> + * */
> +int
> +reliable_get_num_output_sequenced_available(struct reliable *rel);
> +
>  /**
>   * Mark the reliable entry associated with the given buffer as
>   *     active outgoing.
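Review bot: the doc comment for reliable_get_num_output_sequenced_available has "@return the number of buffer that are available" (should be "buffers"), closes with an unusual "* */" instead of " */", and the hunk also adds a stray empty "+" line before the comment, producing a double blank line after reliable_get_buf_output_sequenced; suggest dropping that line and tidying the comment so it matches the surrounding Doxygen blocks.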
> diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
> index 61dea996d..1e3c500d8 100644
> --- a/src/openvpn/ssl.c
> +++ b/src/openvpn/ssl.c
[...]
> @@ -334,6 +336,47 @@ tls_init_control_channel_frame_parameters(const struct 
> frame *data_channel_frame
>      frame->tun_mtu = min_int(data_channel_frame->tun_mtu, 1250);
>  }
>  
> +/**
> + * calculate the maximum overhead that control channel frames have

"."

> + * This includes header, op code and everything apart from the
> + * payload itself. This method is a bit pessimistic and might give higher
> + * overhead than we actually have */
> +static int
> +calc_control_channel_frame_overhead(const struct tls_session *session)
> +{
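Review bot: the doc comment for calc_control_channel_frame_overhead should state the unit of the return value (bytes) and that overestimating is the safe direction, since the caller subtracts this value from the per-packet budget; the hunk only says "a bit pessimistic". Also close the comment on its own line ("overhead than we actually have." then " */") to match the other Doxygen blocks in ssl.c.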
[...]
> @@ -2638,6 +2681,91 @@ read_incoming_tls_plaintext(struct key_state *ks, 
> struct buffer *buf,
>      return true;
>  }
>  
> +static bool
> +write_outgoing_tls_ciphertext(struct tls_session *session, bool 
> *state_change)
> +{
> +    struct key_state *ks = &session->key[KS_PRIMARY];
> +
> +    int rel_avail = 
> reliable_get_num_output_sequenced_available(ks->send_reliable);
> +    if (rel_avail == 0)
> +    {
> +        return true;
> +    }
> +
> +    /* We need to determine how much space is actually available in the 
> control
> +     * channel frame */
> +
> +    int max_pkt_len = min_int(TLS_CHANNEL_BUF_SIZE, 
> session->opt->frame.tun_mtu);
> +
> +
> +    /* Subtract overhead */
> +    max_pkt_len -= calc_control_channel_frame_overhead(session);
> +
> +    /* calculate total available length for outgoing tls ciphertext */
> +    int maxlen = max_pkt_len * rel_avail;
> +
> +    /* Is first packet one that will have a WKC appended? */
> +    if (control_packet_needs_wkc(ks))
> +    {
> +        maxlen -= buf_len(session->tls_wrap.tls_crypt_v2_wkc);
> +    }
> +
> +    /* Not enough space available to send a full control channel packet */
> +    if (maxlen < TLS_CHANNEL_BUF_SIZE)
> +    {
> +        if (rel_avail == TLS_RELIABLE_N_SEND_BUFFERS)
> +        {
> +            msg(D_TLS_ERRORS, "--tls-mtu setting to low. Unable to send TLS 
> packets");

"too"

--tls-mtu is not actually defined, yet. But not sure whether it is worth
fixing this just to restore the text in the next commit.

> +        }
> +        msg(D_REL_LOW, "Reliable: Send queue full, postponing TLS send");
> +        return true;
> +    }
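Review bot: in write_outgoing_tls_ciphertext the rel_avail == TLS_RELIABLE_N_SEND_BUFFERS branch logs a D_TLS_ERRORS message but then falls through to the "Send queue full, postponing TLS send" path and returns true; when every send buffer is free and maxlen is still below TLS_CHANNEL_BUF_SIZE the condition is a configuration problem that will not change, so this logs the error on every call and the session never makes progress. Suggest returning false there so the failure is surfaced instead of silently stalling. Two smaller points: max_pkt_len can become zero or negative if calc_control_channel_frame_overhead() exceeds the tun_mtu, which is only caught indirectly by the maxlen check, so an explicit guard would make the intent clear; and there are two consecutive empty "+" lines after the max_pkt_len assignment.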
[...]

Regards,
--
Frank Lichtenheld


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
