git: 9dfbbc919fd7 - main - if_ovpn: remove incorrect rounding up of packet sizes

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Wed, 21 Sep 2022 19:45:18 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=9dfbbc919fd768cff8079af1e458d2c5d5211690

commit 9dfbbc919fd768cff8079af1e458d2c5d5211690
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2022-09-21 10:17:34 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-09-21 19:44:59 +0000

    if_ovpn: remove incorrect rounding up of packet sizes
    
    The ciphers used by OpenVPN (DCO) do not require data to be block-sized.
    Do not round up to AES_BLOCK_LEN, as this can lead to issues with
    fragmented packets.
    
    Reported by:    Gert Doering <gert@greenie.muc.de>
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/net/if_ovpn.c | 15 +++------------
 1 file changed, 3 insertions(+), 12 deletions(-)

diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c
index 9e0829d996ce..e2b8322d6df5 100644
--- a/sys/net/if_ovpn.c
+++ b/sys/net/if_ovpn.c
@@ -1557,8 +1557,6 @@ ovpn_decrypt_rx_cb(struct cryptop *crp)
 	return (0);
 }
 
-static uint8_t EMPTY_BUFFER[AES_BLOCK_LEN];
-
 static int
 ovpn_get_af(struct mbuf *m)
 {
@@ -1729,7 +1727,7 @@ ovpn_transmit_to_peer(struct ifnet *ifp, struct mbuf *m,
 	struct ovpn_softc *sc;
 	struct cryptop *crp;
 	uint32_t af, seq;
-	size_t len, real_len, ovpn_hdr_len;
+	size_t len, ovpn_hdr_len;
 	int tunnel_len;
 	int ret;
 
@@ -1752,19 +1750,12 @@ ovpn_transmit_to_peer(struct ifnet *ifp, struct mbuf *m,
 	if (af != 0)
 		BPF_MTAP2(ifp, &af, sizeof(af), m);
 
-	real_len = len = m->m_pkthdr.len;
-	MPASS(real_len <= ifp->if_mtu);
+	len = m->m_pkthdr.len;
+	MPASS(len <= ifp->if_mtu);
 
 	ovpn_hdr_len = sizeof(struct ovpn_wire_header);
 	if (key->encrypt->cipher == OVPN_CIPHER_ALG_NONE)
 		ovpn_hdr_len -= 16; /* No auth tag. */
-	else {
-		/* Round up the len to a multiple of our block size. */
-		len = roundup2(real_len, AES_BLOCK_LEN);
-
-		/* Now extend the mbuf. */
-		m_append(m, len - real_len, EMPTY_BUFFER);
-	}
 
 	M_PREPEND(m, ovpn_hdr_len, M_NOWAIT);
 	if (m == NULL) {
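Review bot: The only bound on `len` in this hunk is `MPASS(len <= ifp->if_mtu);`, and MPASS compiles to nothing in kernels built without INVARIANTS, so in a release kernel nothing visible here stops an over-MTU packet from reaching the header prepend and encryption that follow. If a caller already enforces the MTU, a comment saying so would be enough, for example `/* Length already limited to if_mtu by the caller; MPASS only checks this under INVARIANTS. */`; otherwise an explicit runtime check that drops the packet is needed. Now that the padding is gone, it would also help to record why next to the assignment, e.g. `/* No padding: the DCO ciphers do not need block-sized input. */`, so the roundup is not reintroduced later. ovpn_transmit_to_peer starts before and continues past this hunk, so a caller-side or later check may exist outside the visible lines.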