commit b67c63101246b400c7512cb1adbc590ac06cb6ee

Author: Fabio M. Di Nitto <fdinitto@redhat.com>

Date:   Tue Jul 30 11:18:33 2019 +0200

    [crypto] fix log information

    Signed-off-by: Fabio M. Di Nitto <fdinitto@redhat.com>

diff --git a/libknet/crypto.c b/libknet/crypto.c

index 9f05fba..9d6757b 100644

--- a/libknet/crypto.c

+++ b/libknet/crypto.c

@@ -151,8 +151,6 @@ int crypto_init(

 		goto out;

 	}

-	log_debug(knet_h, KNET_SUB_CRYPTO, "security network overhead: %zu", knet_h->sec_header_size);

-

 out:

 	if (!err) {

 		knet_h->crypto_instance = new;

@@ -161,6 +159,8 @@ out:

 		knet_h->sec_hash_size = new->sec_hash_size;

 		knet_h->sec_salt_size = new->sec_salt_size;

+		log_debug(knet_h, KNET_SUB_CRYPTO, "security network overhead: %zu", knet_h->sec_header_size);

+

 		if (current) {

 			if (crypto_modules_cmds[current->model].ops->fini != NULL) {

 				crypto_modules_cmds[current->model].ops->fini(knet_h, current);

commit a89c2cd6d3863abe0f3ae0165239177a7461ee5e

Author: Fabio M. Di Nitto <fdinitto@redhat.com>

Date:   Wed Jul 31 14:15:07 2019 +0200

    [udp] log information about detected kernel MTU

    Signed-off-by: Fabio M. Di Nitto <fdinitto@redhat.com>

diff --git a/libknet/transport_udp.c b/libknet/transport_udp.c

index 53d2ba0..be990bb 100644

--- a/libknet/transport_udp.c

+++ b/libknet/transport_udp.c

@@ -337,6 +337,7 @@ static int read_errs_from_sock(knet_handle_t knet_h, int sockfd)

 									break;

 								} else {

 									knet_h->kernel_mtu = sock_err->ee_info;

+									log_debug(knet_h, KNET_SUB_TRANSP_UDP, "detected kernel MTU: %u", knet_h->kernel_mtu);

 									pthread_mutex_unlock(&knet_h->kmtu_mutex);

 								}

commit 650ef6d26e83dd7827b2e913c52a1fac67ea60d4

Author: Fabio M. Di Nitto <fdinitto@redhat.com>

Date:   Fri Aug 2 10:43:09 2019 +0200

    [docs] add knet packet layout

    Signed-off-by: Fabio M. Di Nitto <fdinitto@redhat.com>

diff --git a/libknet/threads_pmtud.c b/libknet/threads_pmtud.c

index 603f595..2cd48f9 100644

--- a/libknet/threads_pmtud.c

+++ b/libknet/threads_pmtud.c

@@ -91,6 +91,28 @@ restart:

 		failsafe++;

 	}

+	/*

+	 * unencrypted packet looks like:

+	 *

+	 * | ip | protocol | knet_header | unencrypted data                                  |

+	 * | onwire_len                                                                      |

+	 * | overhead_len  |

+	 *                 | data_len                                                        |

+	 *                               | app MTU                                           |

+	 *

+	 * encrypted packet looks like (not to scale):

+	 *

+	 * | ip | protocol | salt | crypto(knet_header | data)      | crypto_data_pad | hash |

+	 * | onwire_len                                                                      |

+	 * | overhead_len  |

+	 *                 | data_len                                                        |

+	 *                                             | app MTU    |

+	 *

+	 * knet_h->sec_block_size is >= 0 if encryption will pad the data

+	 * knet_h->sec_salt_size is >= 0 if encryption is enabled

+	 * knet_h->sec_hash_size is >= 0 if signing is enabled

+	 */

+

 	data_len = onwire_len - overhead_len;

 	if (knet_h->crypto_instance) {

commit dbed772f0cb9070826eac6524646bd2ea7cce8c0

Author: Fabio M. Di Nitto <fdinitto@redhat.com>

Date:   Fri Aug 2 10:44:23 2019 +0200

    [PMTUd] fix MTU calculation when using crypto and add docs

    Signed-off-by: Fabio M. Di Nitto <fdinitto@redhat.com>

diff --git a/libknet/threads_pmtud.c b/libknet/threads_pmtud.c

index 2cd48f9..1a19806 100644

--- a/libknet/threads_pmtud.c

+++ b/libknet/threads_pmtud.c

@@ -113,29 +113,68 @@ restart:

 	 * knet_h->sec_hash_size is >= 0 if signing is enabled

 	 */

+	/*

+	 * common to all packets

+	 */

 	data_len = onwire_len - overhead_len;

 	if (knet_h->crypto_instance) {

+realign:

 		if (knet_h->sec_block_size) {

+

+			/*

+			 * drop both salt and hash, that leaves only the crypto data and padding

+			 * we need to calculate the padding based on the real encrypted data.

+			 */

+			data_len = data_len - (knet_h->sec_salt_size + knet_h->sec_hash_size);

+

+			/*

+			 * if the crypto mechanism requires padding, calculate the padding

+			 * and add it back to data_len because that's what the crypto layer

+			 * would do.

+			 */

 			pad_len = knet_h->sec_block_size - (data_len % knet_h->sec_block_size);

+

+			/*

+			 * if are at the boundary, reset padding

+			 */

 			if (pad_len == knet_h->sec_block_size) {

 				pad_len = 0;

 			}

 			data_len = data_len + pad_len;

-		}

-		data_len = data_len + (knet_h->sec_hash_size + knet_h->sec_salt_size + knet_h->sec_block_size);

-

-		if (knet_h->sec_block_size) {

+			/*

+			 * if our current data_len is higher than max_mtu_len

+			 * then we need to reduce by padding size (that is our

+			 * increment / decrement value)

+			 *

+			 * this generally happens only on the first PMTUd run

+			 */

 			while (data_len + overhead_len >= max_mtu_len) {

 				data_len = data_len - knet_h->sec_block_size;

 			}

+

+			/*

+			 * add both hash and salt size back, similar to padding above,

+			 * the crypto layer will add them to the data_len

+			 */

+			data_len = data_len + (knet_h->sec_salt_size + knet_h->sec_hash_size);

 		}

 		if (dst_link->last_bad_mtu) {

-			while (data_len + overhead_len >= dst_link->last_bad_mtu) {

-				data_len = data_len - (knet_h->sec_hash_size + knet_h->sec_salt_size + knet_h->sec_block_size);

+			if (data_len + overhead_len >= dst_link->last_bad_mtu) {

+				/*

+				 * reduce data_len to something lower than last_bad_mtu, overhead_len

+				 * and sec_block_size (decrementing step) - 1 (granularity)

+				 */

+				data_len = dst_link->last_bad_mtu - overhead_len - knet_h->sec_block_size - 1;

+				if (knet_h->sec_block_size) {

+					/*

+					 * make sure that data_len is aligned to the sec_block_size boundary

+					 */

+					goto realign;

+				}

 			}

 		}

@@ -144,6 +183,10 @@ restart:

 			return -1;

 		}

+		/*

+		 * recalculate onwire_len based on crypto information

+		 * and place it in the PMTUd packet info

+		 */

 		onwire_len = data_len + overhead_len;

 		knet_h->pmtudbuf->khp_pmtud_size = onwire_len;

commit a9460c72fafe452b7cb584598aa43a87b44428f0

Author: Fabio M. Di Nitto <fdinitto@redhat.com>

Date:   Mon Aug 12 16:52:59 2019 +0200

    [PMTUd] rework the whole math to calculate MTU

    internal changes:

    - drop the concept of sec_header_size that was completely wrong

      and unnecessary

    - bump crypto API to version 3 due to the above change

    - clarify the difference between link->proto_overhead and

      link->status->proto_overhead. We cannot rename the status

      one as it would also change ABI.

    - add onwire.c with documentation on the packet format

      and what various len(s) mean in context.

    - add 3 new functions to calculate MTUs back and forth

      and use them around, hopefully with enough clarification

      on why things are done in a given way.

    - heavily change thread_pmtud.c to use those new facilities.

    - fix major calculation issues when using crypto (non-crypto

      was not affected by the problem).

    - fix checks around to make sure they match the new math.

    - fix padding calculation.

    - add functional PMTUd crypto test

      this test can take several hours (12+) and should be executed

      on a controlled environment since it automatically changes

      loopback MTU to run tests.

    - fix way the lowest MTU is calculated during a PMTUd run

      to avoid spurious double notifications.

    - drop redundant checks.

    user visible changes:

    - Global MTU is now calculated properly when using crypto

      and values will be in general bigger than before due

      to incorrect padding calculation in the previous implementation.

    Signed-off-by: Fabio M. Di Nitto <fdinitto@redhat.com>

diff --git a/libknet/Makefile.am b/libknet/Makefile.am

index d080732..2fa2416 100644

--- a/libknet/Makefile.am

+++ b/libknet/Makefile.am

@@ -36,6 +36,7 @@ sources			= \

 			  links_acl_loopback.c \

 			  logging.c \

 			  netutils.c \

+			  onwire.c \

 			  threads_common.c \

 			  threads_dsthandler.c \

 			  threads_heartbeat.c \

diff --git a/libknet/crypto.c b/libknet/crypto.c

index 9d6757b..afa4f88 100644

--- a/libknet/crypto.c

+++ b/libknet/crypto.c

@@ -154,12 +154,14 @@ int crypto_init(

 out:

 	if (!err) {

 		knet_h->crypto_instance = new;

-		knet_h->sec_header_size = new->sec_header_size;

 		knet_h->sec_block_size = new->sec_block_size;

 		knet_h->sec_hash_size = new->sec_hash_size;

 		knet_h->sec_salt_size = new->sec_salt_size;

-		log_debug(knet_h, KNET_SUB_CRYPTO, "security network overhead: %zu", knet_h->sec_header_size);

+		log_debug(knet_h, KNET_SUB_CRYPTO, "Hash size: %zu salt size: %zu block size: %zu",

+			  knet_h->sec_hash_size,

+			  knet_h->sec_salt_size,

+			  knet_h->sec_block_size);

 		if (current) {

 			if (crypto_modules_cmds[current->model].ops->fini != NULL) {

@@ -195,7 +197,6 @@ void crypto_fini(

 			crypto_modules_cmds[knet_h->crypto_instance->model].ops->fini(knet_h, knet_h->crypto_instance);

 		}

 		free(knet_h->crypto_instance);

-		knet_h->sec_header_size = 0;

 		knet_h->sec_block_size = 0;

 		knet_h->sec_hash_size = 0;

 		knet_h->sec_salt_size = 0;

diff --git a/libknet/crypto_model.h b/libknet/crypto_model.h

index 70f6238..b05e49c 100644

--- a/libknet/crypto_model.h

+++ b/libknet/crypto_model.h

@@ -14,13 +14,12 @@

 struct crypto_instance {

 	int	model;

 	void	*model_instance;

-	size_t	sec_header_size;

 	size_t	sec_block_size;

 	size_t	sec_hash_size;

 	size_t	sec_salt_size;

 };

-#define KNET_CRYPTO_MODEL_ABI 2

+#define KNET_CRYPTO_MODEL_ABI 3

 /*

  * see compress_model.h for explanation of the various lib related functions

diff --git a/libknet/crypto_nss.c b/libknet/crypto_nss.c

index 330b40c..c624a47 100644

--- a/libknet/crypto_nss.c

+++ b/libknet/crypto_nss.c

@@ -801,10 +801,7 @@ static int nsscrypto_init(

 		goto out_err;

 	}

-	crypto_instance->sec_header_size = 0;

-

 	if (nsscrypto_instance->crypto_hash_type > 0) {

-		crypto_instance->sec_header_size += nsshash_len[nsscrypto_instance->crypto_hash_type];

 		crypto_instance->sec_hash_size = nsshash_len[nsscrypto_instance->crypto_hash_type];

 	}

@@ -821,8 +818,6 @@ static int nsscrypto_init(

 			}

 		}

-		crypto_instance->sec_header_size += (block_size * 2);

-		crypto_instance->sec_header_size += SALT_SIZE;

 		crypto_instance->sec_salt_size = SALT_SIZE;

 		crypto_instance->sec_block_size = block_size;

 	}

diff --git a/libknet/crypto_openssl.c b/libknet/crypto_openssl.c

index 0cbc6f5..6571498 100644

--- a/libknet/crypto_openssl.c

+++ b/libknet/crypto_openssl.c

@@ -566,11 +566,8 @@ static int opensslcrypto_init(

 	memmove(opensslcrypto_instance->private_key, knet_handle_crypto_cfg->private_key, knet_handle_crypto_cfg->private_key_len);

 	opensslcrypto_instance->private_key_len = knet_handle_crypto_cfg->private_key_len;

-	crypto_instance->sec_header_size = 0;

-

 	if (opensslcrypto_instance->crypto_hash_type) {

 		crypto_instance->sec_hash_size = EVP_MD_size(opensslcrypto_instance->crypto_hash_type);

-		crypto_instance->sec_header_size += crypto_instance->sec_hash_size;

 	}

 	if (opensslcrypto_instance->crypto_cipher_type) {

@@ -578,8 +575,6 @@ static int opensslcrypto_init(

 		block_size = EVP_CIPHER_block_size(opensslcrypto_instance->crypto_cipher_type);

-		crypto_instance->sec_header_size += (block_size * 2);

-		crypto_instance->sec_header_size += SALT_SIZE;

 		crypto_instance->sec_salt_size = SALT_SIZE;

 		crypto_instance->sec_block_size = block_size;

 	}

diff --git a/libknet/internals.h b/libknet/internals.h

index 3f105a1..31840e4 100644

--- a/libknet/internals.h

+++ b/libknet/internals.h

@@ -71,7 +71,9 @@ struct knet_link {

 	uint8_t received_pong;

 	struct timespec ping_last;

 	/* used by PMTUD thread as temp per-link variables and should always contain the onwire_len value! */

-	uint32_t proto_overhead;

+	uint32_t proto_overhead;		/* IP + UDP/SCTP overhead. NOT to be confused

+						   with stats.proto_overhead that includes also knet headers

+						   and crypto headers */

 	struct timespec pmtud_last;

 	uint32_t last_ping_size;

 	uint32_t last_good_mtu;

@@ -197,7 +199,6 @@ struct knet_handle {

 	int pmtud_forcerun;

 	int pmtud_abort;

 	struct crypto_instance *crypto_instance;

-	size_t sec_header_size;

 	size_t sec_block_size;

 	size_t sec_hash_size;

 	size_t sec_salt_size;

diff --git a/libknet/links.c b/libknet/links.c

index 51ead5a..03e0af9 100644

--- a/libknet/links.c

+++ b/libknet/links.c

@@ -265,7 +265,32 @@ int knet_link_set_config(knet_handle_t knet_h, knet_node_id_t host_id, uint8_t l

 		host->status.reachable = 1;

 		link->status.mtu = KNET_PMTUD_SIZE_V6;

 	} else {

-		link->status.mtu =  KNET_PMTUD_MIN_MTU_V4 - KNET_HEADER_ALL_SIZE - knet_h->sec_header_size;

+		/*

+		 * calculate the minimum MTU that is safe to use,

+		 * based on RFCs and that each network device should

+		 * be able to support without any troubles

+		 */

+		if (link->dynamic == KNET_LINK_STATIC) {

+			/*

+			 * with static link we can be more precise than using

+			 * the generic calc_min_mtu()

+			 */

+			switch (link->dst_addr.ss_family) {

+				case AF_INET6:

+					link->status.mtu =  calc_max_data_outlen(knet_h, KNET_PMTUD_MIN_MTU_V6 - (KNET_PMTUD_OVERHEAD_V6 + link->proto_overhead));

+					break;

+				case AF_INET:

+					link->status.mtu =  calc_max_data_outlen(knet_h, KNET_PMTUD_MIN_MTU_V4 - (KNET_PMTUD_OVERHEAD_V4 + link->proto_overhead));

+					break;

+			}

+		} else {

+			/*

+			 * for dynamic links we start with the minimum MTU

+			 * possible and PMTUd will kick in immediately

+			 * after connection status is 1

+			 */

+			link->status.mtu =  calc_min_mtu(knet_h);

+		}

 		link->has_valid_mtu = 1;

 	}

diff --git a/libknet/onwire.c b/libknet/onwire.c

new file mode 100644

index 0000000..143ac4b

--- /dev/null

+++ b/libknet/onwire.c

@@ -0,0 +1,127 @@

+/*

+ * Copyright (C) 2019 Red Hat, Inc.  All rights reserved.

+ *

+ * Author: Fabio M. Di Nitto <fabbione@kronosnet.org>

+ *

+ * This software licensed under LGPL-2.0+

+ */

+

+#include "config.h"

+

+#include <sys/errno.h>

+#include <stdlib.h>

+#include <string.h>

+

+#include "crypto.h"

+#include "internals.h"

+#include "logging.h"

+#include "common.h"

+#include "transport_udp.h"

+#include "transport_sctp.h"

+

+/*

+ * unencrypted packet looks like:

+ *

+ * | ip | protocol  | knet_header | unencrypted data                                  |

+ * | onwire_len                                                                       |

+ * | proto_overhead |

+ *                  | data_len                                                        |

+ *                                | app MTU                                           |

+ *

+ * encrypted packet looks like (not to scale):

+ *

+ * | ip | protocol  | salt | crypto(knet_header | data)      | crypto_data_pad | hash |

+ * | onwire_len                                                                       |

+ * | proto_overhead |

+ *                  | data_len                                                        |

+ *                                              | app MTU    |

+ *

+ * knet_h->sec_block_size is >= 0 if encryption will pad the data

+ * knet_h->sec_salt_size is >= 0 if encryption is enabled

+ * knet_h->sec_hash_size is >= 0 if signing is enabled

+ */

+

+/*

+ * this function takes in the data that we would like to send

+ * and tells us the outgoing onwire data size with crypto and

+ * all the headers adjustment.

+ * calling thread needs to account for protocol overhead.

+ */

+

+size_t calc_data_outlen(knet_handle_t knet_h, size_t inlen)

+{

+	size_t outlen = inlen, pad_len = 0;

+

+	if (knet_h->sec_block_size) {

+		/*

+		 * if the crypto mechanism requires padding, calculate the padding

+		 * and add it back to outlen because that's what the crypto layer

+		 * would do.

+		 */

+		pad_len = knet_h->sec_block_size - (outlen % knet_h->sec_block_size);

+

+		outlen = outlen + pad_len;

+	}

+

+	return outlen + knet_h->sec_salt_size + knet_h->sec_hash_size;

+}

+

+/*

+ * this function takes in the data that we would like to send

+ * and tells us what is the real maximum data we can send

+ * accounting for headers and crypto

+ * calling thread needs to account for protocol overhead.

+ */

+

+size_t calc_max_data_outlen(knet_handle_t knet_h, size_t inlen)

+{

+	size_t outlen = inlen, pad_len = 0;

+

+	if (knet_h->sec_block_size) {

+		/*

+		 * drop both salt and hash, that leaves only the crypto data and padding

+		 * we need to calculate the padding based on the real encrypted data

+		 * that includes the knet_header.

+		 */

+		outlen = outlen - (knet_h->sec_salt_size + knet_h->sec_hash_size);

+

+		/*

+		 * if the crypto mechanism requires padding, calculate the padding

+		 * and remove it, to align the data.

+		 * NOTE: we need to remove pad_len + 1 because, based on testing,

+		 * if we send data that are already aligned to block_size, the

+		 * crypto implementations will add another block_size!

+		 * so we want to make sure that our data won't add an unnecessary

+		 * block_size that we need to remove later.

+		 */

+		pad_len = outlen % knet_h->sec_block_size;

+

+		outlen = outlen - (pad_len + 1);

+

+		/*

+		 * add both hash and salt size back, similar to padding above,

+		 * the crypto layer will add them to the outlen

+		 */

+		outlen = outlen + (knet_h->sec_salt_size + knet_h->sec_hash_size);

+	}

+

+	/*

+	 * drop KNET_HEADER_ALL_SIZE to provide a clean application MTU

+	 * and various crypto headers

+	 */

+	outlen = outlen - (KNET_HEADER_ALL_SIZE + knet_h->sec_salt_size + knet_h->sec_hash_size);

+

+	return outlen;

+}

+

+/*

+ * set the lowest possible value as failsafe for all links.

+ * KNET_PMTUD_MIN_MTU_V4 < KNET_PMTUD_MIN_MTU_V6

+ * KNET_PMTUD_OVERHEAD_V6 > KNET_PMTUD_OVERHEAD_V4

+ * KNET_PMTUD_SCTP_OVERHEAD > KNET_PMTUD_UDP_OVERHEAD

+ */

+

+size_t calc_min_mtu(knet_handle_t knet_h)

+{

+	return calc_max_data_outlen(knet_h, KNET_PMTUD_MIN_MTU_V4 - (KNET_PMTUD_OVERHEAD_V6 + KNET_PMTUD_SCTP_OVERHEAD));

+}

diff --git a/libknet/onwire.h b/libknet/onwire.h

index 9815bc3..74d4d09 100644

--- a/libknet/onwire.h

+++ b/libknet/onwire.h

@@ -120,7 +120,9 @@ struct knet_header_payload_ping {

 #define KNET_PMTUD_SIZE_V4 65535

 #define KNET_PMTUD_SIZE_V6 KNET_PMTUD_SIZE_V4

-/* These two get the protocol-specific overheads added to them */

+/*

+ * IPv4/IPv6 header size

+ */

 #define KNET_PMTUD_OVERHEAD_V4 20

 #define KNET_PMTUD_OVERHEAD_V6 40

@@ -199,4 +201,8 @@ struct knet_header {

 #define KNET_HEADER_PMTUD_SIZE (KNET_HEADER_SIZE + sizeof(struct knet_header_payload_pmtud))

 #define KNET_HEADER_DATA_SIZE (KNET_HEADER_SIZE + sizeof(struct knet_header_payload_data))

+size_t calc_data_outlen(knet_handle_t knet_h, size_t inlen);

+size_t calc_max_data_outlen(knet_handle_t knet_h, size_t inlen);

+size_t calc_min_mtu(knet_handle_t knet_h);

+

 #endif

diff --git a/libknet/tests/Makefile.am b/libknet/tests/Makefile.am

index 3346596..9160780 100644

--- a/libknet/tests/Makefile.am

+++ b/libknet/tests/Makefile.am

@@ -38,6 +38,12 @@ int_checks		= \

 fun_checks		=

+# checks below need to be executed manually

+# or with a specifi environment

+

+long_run_checks		= \

+			  fun_pmtud_crypto_test

+

 benchmarks		= \

 			  knet_bench_test

@@ -45,6 +51,7 @@ noinst_PROGRAMS		= \

 			  api_knet_handle_new_limit_test \

 			  pckt_test \

 			  $(benchmarks) \

+			  $(long_run_checks) \

 			  $(check_PROGRAMS)

 noinst_SCRIPTS		= \

@@ -71,6 +78,7 @@ int_links_acl_ip_test_SOURCES = int_links_acl_ip.c \

 				../logging.c \

 				../netutils.c \

 				../threads_common.c \

+				../onwire.c \

 				../transports.c \

 				../transport_common.c \

 				../transport_loopback.c \

@@ -88,4 +96,9 @@ knet_bench_test_SOURCES	= knet_bench.c \

 			  ../logging.c \

 			  ../compat.c \

 			  ../transport_common.c \

-			  ../threads_common.c

+			  ../threads_common.c \

+			  ../onwire.c

+

+fun_pmtud_crypto_test_SOURCES = fun_pmtud_crypto.c \

+				test-common.c \

+				../onwire.c

diff --git a/libknet/tests/api_knet_send_crypto.c b/libknet/tests/api_knet_send_crypto.c

index 11de857..5fc5463 100644

--- a/libknet/tests/api_knet_send_crypto.c

+++ b/libknet/tests/api_knet_send_crypto.c

@@ -67,7 +67,7 @@ static void test(const char *model)

 	memset(&knet_handle_crypto_cfg, 0, sizeof(struct knet_handle_crypto_cfg));

 	strncpy(knet_handle_crypto_cfg.crypto_model, model, sizeof(knet_handle_crypto_cfg.crypto_model) - 1);

 	strncpy(knet_handle_crypto_cfg.crypto_cipher_type, "aes128", sizeof(knet_handle_crypto_cfg.crypto_cipher_type) - 1);

-	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha1", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);

+	strncpy(knet_handle_crypto_cfg.crypto_hash_type, "sha256", sizeof(knet_handle_crypto_cfg.crypto_hash_type) - 1);

 	knet_handle_crypto_cfg.private_key_len = 2000;

 	if (knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) {

diff --git a/libknet/tests/fun_pmtud_crypto.c b/libknet/tests/fun_pmtud_crypto.c

new file mode 100644

index 0000000..91c062c

--- /dev/null

+++ b/libknet/tests/fun_pmtud_crypto.c

@@ -0,0 +1,326 @@

+/*

+ * Copyright (C) 2019 Red Hat, Inc.  All rights reserved.

+ *

+ * Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>

+ *

+ * This software licensed under GPL-2.0+

+ */

+

+#include "config.h"

+

+#include <errno.h>

+#include <stdio.h>

+#include <stdlib.h>

+#include <string.h>

+#include <unistd.h>

+#include <inttypes.h>

+#include <sys/ioctl.h>

+#include <net/ethernet.h>

+#include <ifaddrs.h>

+#include <net/if.h>

+

+#include "libknet.h"

+

+#include "compress.h"

+#include "internals.h"

+#include "netutils.h"

+#include "onwire.h"

+#include "test-common.h"

+

+static int private_data;

+

+static void sock_notify(void *pvt_data,

+			int datafd,

+			int8_t channel,

+			uint8_t tx_rx,

+			int error,

+			int errorno)

+{

+	return;

+}

+

+static int iface_fd = 0;

+static int default_mtu = 0;

+

+#ifdef KNET_LINUX

+const char *loopback = "lo";

+#endif

+#ifdef KNET_BSD

+const char *loopback = "lo0";

+#endif

+

+static int fd_init(void)

+{

+#ifdef KNET_LINUX

+	return socket(AF_INET, SOCK_STREAM, 0);

+#endif

+#ifdef KNET_BSD

+	return socket(AF_LOCAL, SOCK_DGRAM, 0);

+#endif

+	return -1;

+}

+

+static int set_iface_mtu(uint32_t mtu)

+{

+	int err = 0;

+	struct ifreq ifr;

+

+	memset(&ifr, 0, sizeof(struct ifreq));

+	strncpy(ifr.ifr_name, loopback, IFNAMSIZ - 1);

+	ifr.ifr_mtu = mtu;

+

+	err = ioctl(iface_fd, SIOCSIFMTU, &ifr);

+

+	return err;

+}

+

+static int get_iface_mtu(void)

+{

+	int err = 0, savederrno = 0;

+	struct ifreq ifr;

+

+	memset(&ifr, 0, sizeof(struct ifreq));

+	strncpy(ifr.ifr_name, loopback, IFNAMSIZ - 1);

+

+	err = ioctl(iface_fd, SIOCGIFMTU, &ifr);

+	if (err) {

+		savederrno = errno;

+		goto out_clean;

+	}

+

+	err = ifr.ifr_mtu;

+

+out_clean:

+	errno = savederrno;

+	return err;

+}

+

+static int exit_local(int code)

+{

+	set_iface_mtu(default_mtu);

+	close(iface_fd);

+	iface_fd = 0;

+	exit(code);