fix DTLS_OVERHEAD and GlobalProtect ESP overhead calculation

GlobalProtect doesn't try to calculate MTU until after it has information on
the ESP ciphersuite, so it can use the real HMAC/encryption key lengths when
calculating ESP overhead.  In practice, I have never seen or heard of a GP
VPN that uses anything other than AES128+SHA1, but both the clients and
servers appear to include support for AES256.

DTLS_OVERHEAD was not correctly accounting for possibility of AES256
(32-byte IV).

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

diff --git a/gpst.c b/gpst.c
index 9089817566aed9baf40a44609fe4bbc4260f63a6..77d0d7b0b7005a690d4b961012b3a2fbf3269736 100644 (file)
--- a/gpst.c
+++ b/gpst.c
@@ -269,9 +269,8 @@ out:
 
 /* XXX: Look at set_esp_algo() and tell me again what the biggest supported IV is? */
 #define ESP_OVERHEAD (4 /* SPI */ + 4 /* sequence number */ + \
-         20 /* biggest supported MAC (SHA1) */ + 16 /* biggest supported IV (AES-128) */ + \
-        1 /* pad length */ + 1 /* next header */ + \
-         16 /* max padding */ )
+                      1 /* pad length */ + 1 /* next header */ + \
+                      16 /* max padding */ )
 #define UDP_HEADER_SIZE 8
 #define IPV4_HEADER_SIZE 20
 #define IPV6_HEADER_SIZE 40
@@ -325,7 +324,9 @@ static int calculate_mtu(struct openconnect_info *vpninfo)
 
        if (!mtu) {
                /* remove IP/UDP and ESP overhead from base MTU to calculate tunnel MTU */
-               mtu = base_mtu - ESP_OVERHEAD - UDP_HEADER_SIZE;
+               mtu = ( base_mtu - UDP_HEADER_SIZE - ESP_OVERHEAD
+                       - (vpninfo->hmac_key_len ? : 20) /* biggest supported MAC (SHA1) */
+                       - (vpninfo->enc_key_len ? : 32) /* biggest supported IV (AES-256) */ );
                if (vpninfo->peer_addr->sa_family == AF_INET6)
                        mtu -= IPV6_HEADER_SIZE;
                else

diff --git a/openconnect-internal.h b/openconnect-internal.h
index 3526ce6ab848b69ed7f137fa39c92b5553718b3d..af357916d35c3af70d4116f1fb79f2c568f54db5 100644 (file)
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -334,7 +334,7 @@ static inline void init_pkt_queue(struct pkt_q *q)
 }
 
 #define DTLS_OVERHEAD (1 /* packet + header */ + 13 /* DTLS header */ + \
-        20 /* biggest supported MAC (SHA1) */ +  16 /* biggest supported IV (AES-128) */ + \
+        20 /* biggest supported MAC (SHA1) */ +  32 /* biggest supported IV (AES-256) */ + \
         16 /* max padding */)
 
 struct esp {