/* XXX: Look at set_esp_algo() and tell me again what the biggest supported IV is? */
#define ESP_OVERHEAD (4 /* SPI */ + 4 /* sequence number */ + \
- 20 /* biggest supported MAC (SHA1) */ + 16 /* biggest supported IV (AES-128) */ + \
- 1 /* pad length */ + 1 /* next header */ + \
- 16 /* max padding */ )
+ 1 /* pad length */ + 1 /* next header */ + \
+ 16 /* max padding */ )
#define UDP_HEADER_SIZE 8
#define IPV4_HEADER_SIZE 20
#define IPV6_HEADER_SIZE 40
if (!mtu) {
/* remove IP/UDP and ESP overhead from base MTU to calculate tunnel MTU */
- mtu = base_mtu - ESP_OVERHEAD - UDP_HEADER_SIZE;
+ mtu = ( base_mtu - UDP_HEADER_SIZE - ESP_OVERHEAD
+ - (vpninfo->hmac_key_len ? : 20) /* biggest supported MAC (SHA1) */
+ - (vpninfo->enc_key_len ? : 32) /* biggest supported IV (AES-256) */ );
if (vpninfo->peer_addr->sa_family == AF_INET6)
mtu -= IPV6_HEADER_SIZE;
else
}
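Review bot: The added term `(vpninfo->enc_key_len ? : 32)` uses the cipher key length as the IV size, but an AES-CBC IV is one 16-byte block whatever the key size, so AES-256 reserves 16 bytes more than the packet needs; the DTLS_OVERHEAD change repeats this with `32 /* biggest supported IV (AES-256) */`. The effect is only a smaller, conservative MTU, but the comment records a wrong fact; if every supported ESP cipher is AES-CBC, `- 16 /* AES-CBC IV: one block, independent of key size */` would be exact. `hmac_key_len` is likewise a key length standing in for the on-wire ICV length, which is right only if the MAC is sent untruncated, so it is worth confirming against the packet layout. The types of `mtu` and `base_mtu` are not visible here, so it is also worth checking that a small `base_mtu` cannot make the result negative or wrap. The enclosing function starts and ends outside this hunk.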
#define DTLS_OVERHEAD (1 /* packet + header */ + 13 /* DTLS header */ + \
- 20 /* biggest supported MAC (SHA1) */ + 16 /* biggest supported IV (AES-128) */ + \
+ 20 /* biggest supported MAC (SHA1) */ + 32 /* biggest supported IV (AES-256) */ + \
16 /* max padding */)
struct esp {