summaryrefslogtreecommitdiff
path: root/src/openvpn/ssl.c
diff options
context:
space:
mode:
authorBernhard Schmidt <berni@debian.org>2020-04-19 15:52:33 +0200
committerBernhard Schmidt <berni@debian.org>2020-04-19 15:52:33 +0200
commit620785fe268a1221c1ba7a9cb5a70f3140a4f1ca (patch)
tree7b876715822d9620801283022ba73f2fce7387a3 /src/openvpn/ssl.c
parent8a3450ef8682b9085637d7b94afc5c7e6f92e64b (diff)
New upstream version 2.4.9upstream/2.4.9
Diffstat (limited to 'src/openvpn/ssl.c')
-rw-r--r--src/openvpn/ssl.c25
1 files changed, 24 insertions, 1 deletions
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 9696e9b..cf66899 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1962,8 +1962,15 @@ cleanup:
bool
tls_session_update_crypto_params(struct tls_session *session,
- struct options *options, struct frame *frame)
+ struct options *options, struct frame *frame,
+ struct frame *frame_fragment)
{
+ if (session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized)
+ {
+ /* keys already generated, nothing to do */
+ return true;
+ }
+
if (!session->opt->server
&& 0 != strcmp(options->ciphername, session->opt->config_ciphername)
&& !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers))
@@ -2006,6 +2013,22 @@ tls_session_update_crypto_params(struct tls_session *session,
frame_init_mssfix(frame, options);
frame_print(frame, D_MTU_INFO, "Data Channel MTU parms");
+ /*
+ * mssfix uses data channel framing, which at this point contains
+ * actual overhead. Fragmentation logic uses frame_fragment, which
+ * still contains worst case overhead. Replace it with actual overhead
+ * to prevent unneeded fragmentation.
+ */
+
+ if (frame_fragment)
+ {
+ frame_remove_from_extra_frame(frame_fragment, crypto_max_overhead());
+ crypto_adjust_frame_parameters(frame_fragment, &session->opt->key_type,
+ options->use_iv, options->replay, packet_id_long_form);
+ frame_set_mtu_dynamic(frame_fragment, options->ce.fragment, SET_MTU_UPPER_BOUND);
+ frame_print(frame_fragment, D_MTU_INFO, "Fragmentation MTU parms");
+ }
+
return tls_session_generate_data_channel_keys(session);
}