From: Daniel Lenski
Date: Tue, 15 Aug 2017 18:42:58 +0000 (-0700)
Subject: fix DTLS_OVERHEAD and GlobalProtect ESP overhead calculation
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=2e4a07028e6c9b6e0da29d7eac8b5631ebabf1e7;p=users%2Fdwmw2%2Fopenconnect.git

fix DTLS_OVERHEAD and GlobalProtect ESP overhead calculation

GlobalProtect doesn't try to calculate MTU until after it has information on the ESP ciphersuite, so it can use the real HMAC/encryption key lengths when calculating ESP overhead. In practice, I have never seen or heard of a GP VPN that uses anything other than AES128+SHA1, but both the clients and servers appear to include support for AES256.

DTLS_OVERHEAD was not correctly accounting for the possibility of AES256 (32-byte IV).

Signed-off-by: Daniel Lenski
Signed-off-by: David Woodhouse
---
diff --git a/gpst.c b/gpst.c index 90898175..77d0d7b0 100644 --- a/gpst.c +++ b/gpst.c @@ -269,9 +269,8 @@ out: /* XXX: Look at set_esp_algo() and tell me again what the biggest supported IV is? */ #define ESP_OVERHEAD (4 /* SPI */ + 4 /* sequence number */ + \ - 20 /* biggest supported MAC (SHA1) */ + 16 /* biggest supported IV (AES-128) */ + \ - 1 /* pad length */ + 1 /* next header */ + \ - 16 /* max padding */ ) + 1 /* pad length */ + 1 /* next header */ + \ + 16 /* max padding */ ) #define UDP_HEADER_SIZE 8 #define IPV4_HEADER_SIZE 20 #define IPV6_HEADER_SIZE 40 @@ -325,7 +324,9 @@ static int calculate_mtu(struct openconnect_info *vpninfo) if (!mtu) { /* remove IP/UDP and ESP overhead from base MTU to calculate tunnel MTU */ - mtu = base_mtu - ESP_OVERHEAD - UDP_HEADER_SIZE; + mtu = ( base_mtu - UDP_HEADER_SIZE - ESP_OVERHEAD + - (vpninfo->hmac_key_len ? : 20) /* biggest supported MAC (SHA1) */ + - (vpninfo->enc_key_len ? : 32) /* biggest supported IV (AES-256) */ ); if (vpninfo->peer_addr->sa_family == AF_INET6) mtu -= IPV6_HEADER_SIZE; else diff --git a/openconnect-internal.h b/openconnect-internal.h index 3526ce6a..af357916 100644 
--- a/openconnect-internal.h +++ b/openconnect-internal.h @@ -334,7 +334,7 @@ static inline void init_pkt_queue(struct pkt_q *q) } #define DTLS_OVERHEAD (1 /* packet + header */ + 13 /* DTLS header */ + \ - 20 /* biggest supported MAC (SHA1) */ + 16 /* biggest supported IV (AES-128) */ + \ + 20 /* biggest supported MAC (SHA1) */ + 32 /* biggest supported IV (AES-256) */ + \ 16 /* max padding */) struct esp {
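Review bot: the `/* XXX: Look at set_esp_algo() and tell me again what the biggest supported IV is? */` comment left above ESP_OVERHEAD in the first gpst.c hunk is stale once the MAC and IV terms are removed from the macro; the IV question is now answered in calculate_mtu(), so drop the XXX there or move it next to the new subtraction, and add a one-line comment saying ESP_OVERHEAD is now only the fixed, cipher-independent part (SPI, sequence number, pad length, next header, max padding) so nobody re-adds the MAC/IV terms later.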
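Review bot: in the calculate_mtu() hunk, `- (vpninfo->enc_key_len ? : 32) /* biggest supported IV (AES-256) */` conflates key length with IV length. An AES-CBC IV is one cipher block, 16 bytes, for every AES key size, so subtracting enc_key_len overstates the overhead by 16 bytes with a 32-byte key, and the 32-byte fallback does the same. The result is safe (the tunnel MTU only comes out too small) but it wastes payload; subtract the cipher block size, or a 16-byte constant with a comment saying why, rather than enc_key_len. Also, `? :` with an empty middle operand is a GNU C extension; fine if the tree already relies on gcc/clang, otherwise spell the ternaries out.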
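Review bot: `32 /* biggest supported IV (AES-256) */` in the DTLS_OVERHEAD hunk doubles the real figure: the explicit IV of a CBC record is one cipher block, 16 bytes, whether the key is 128 or 256 bits, so the previous 16 was already correct for AES-256-CBC. The larger constant only makes the DTLS MTU 16 bytes more conservative, but the comment should not claim a 32-byte IV; if the intent is headroom for other suites, say that in the comment instead of attributing it to AES-256.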
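The overhead arithmetic the commit message describes, worked through as an added example. This is editor's code, not part of the openconnect tree or of this commit: it assumes a CBC cipher with a 16-byte block (true of AES at every key size), an ICV of 20 bytes to match the patch's use of the full HMAC-SHA1 key length (HMAC-SHA1-96 per RFC 2404 would be 12), and the helper names `esp_overhead_worst`, `patch_overhead`, `tunnel_mtu` and `aligned_tunnel_mtu` are hypothetical. The inputs (a 1500-byte link) are constructed.

```c
#include <stdio.h>

/* Fixed-size pieces of ESP (RFC 4303) and of the UDP/IP encapsulation.
 * The header macros reuse the names seen in gpst.c. */
#define ESP_SPI_LEN      4
#define ESP_SEQ_LEN      4
#define ESP_TRAILER_LEN  2      /* pad length + next header */
#define UDP_HEADER_SIZE  8
#define IPV4_HEADER_SIZE 20
#define IPV6_HEADER_SIZE 40

/* Worst-case ESP overhead for a CBC cipher with block size `blk` and an
 * integrity check value of `icv_len` bytes (hypothetical helper). The IV is
 * one block, 16 bytes for every AES key size, and at most blk-1 pad bytes
 * are needed to make payload + trailer a whole number of blocks. */
static int esp_overhead_worst(int blk, int icv_len)
{
    return ESP_SPI_LEN + ESP_SEQ_LEN + blk /* IV */ + (blk - 1) /* max pad */
         + ESP_TRAILER_LEN + icv_len;
}

/* The commit's arithmetic, reproduced for comparison: its ESP_OVERHEAD (26)
 * plus the key lengths, with the 20/32 fallbacks it uses when they are 0. */
static int patch_overhead(int hmac_key_len, int enc_key_len)
{
    return (ESP_SPI_LEN + ESP_SEQ_LEN + ESP_TRAILER_LEN + 16 /* max padding */)
         + (hmac_key_len ? hmac_key_len : 20)
         + (enc_key_len ? enc_key_len : 32);
}

/* Tunnel MTU that is safe for any inner packet size: link MTU minus the
 * outer IP header, the UDP header and the worst-case ESP overhead. */
static int tunnel_mtu(int base_mtu, int ipv6, int blk, int icv_len)
{
    int outer = (ipv6 ? IPV6_HEADER_SIZE : IPV4_HEADER_SIZE) + UDP_HEADER_SIZE;
    return base_mtu - outer - esp_overhead_worst(blk, icv_len);
}

/* Larger alternative: instead of reserving blk-1 pad bytes, pick the largest
 * inner MTU at which inner packet + 2-byte trailer is already block aligned,
 * so a full-size packet needs no padding at all. */
static int aligned_tunnel_mtu(int base_mtu, int ipv6, int blk, int icv_len)
{
    int outer = (ipv6 ? IPV6_HEADER_SIZE : IPV4_HEADER_SIZE) + UDP_HEADER_SIZE;
    int fixed = ESP_SPI_LEN + ESP_SEQ_LEN + blk + ESP_TRAILER_LEN + icv_len;
    int m = base_mtu - outer - fixed;
    m -= (m + ESP_TRAILER_LEN) % blk;   /* shrink to the next block boundary */
    return m;
}

int main(void)
{
    /* Constructed inputs: a 1500-byte link, AES-CBC (16-byte block) and a
     * 20-byte ICV (the full HMAC-SHA1 length the patch assumes). */
    const int blk = 16, icv = 20, base = 1500;

    printf("worst-case ESP overhead (AES-CBC/HMAC-SHA1): %d bytes\n",
           esp_overhead_worst(blk, icv));
    printf("patch formula, 16-byte key: %d  32-byte key: %d bytes\n",
           patch_overhead(20, 16), patch_overhead(20, 32));
    printf("IPv4 tunnel MTU: %d (worst-case pad) / %d (aligned)\n",
           tunnel_mtu(base, 0, blk, icv), aligned_tunnel_mtu(base, 0, blk, icv));
    printf("IPv6 tunnel MTU: %d (worst-case pad) / %d (aligned)\n",
           tunnel_mtu(base, 1, blk, icv), aligned_tunnel_mtu(base, 1, blk, icv));
    return 0;
}
```

With these inputs the worst-case overhead is 61 bytes against the patch's 62 for a 16-byte key and 78 for a 32-byte key; the 16-byte gap for AES-256 is the IV term being charged at key length instead of block size. The aligned variant recovers a further 11 bytes on IPv4 (1422 instead of 1411) by choosing an inner MTU that needs no padding rather than reserving the maximum.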