>From 9ba25e958bae8a3168357246534824181ebd1809 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Fri, 7 Jun 2013 11:22:41 +0200
Subject: [PATCH 2/3] fix MTU calculation

Signed-off-by: Nikos Mavrogiannopoulos
---
 dtls.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/dtls.c b/dtls.c
index fc803af..ec44446 100644
--- a/dtls.c
+++ b/dtls.c
@@ -421,27 +421,27 @@ int dtls_try_handshake(struct openconnect_info *vpninfo)
 int err = gnutls_handshake(vpninfo->new_dtls_ssl);
 if (!err) {
-#ifdef HAVE_GNUTLS_DTLS_SET_DATA_MTU
 /* Make sure GnuTLS's idea of the MTU is sufficient to take a full VPN MTU (with 1-byte header) in a data record. */
- err = gnutls_dtls_set_data_mtu(vpninfo->new_dtls_ssl, vpninfo->actual_mtu + 1);
+ err = gnutls_dtls_set_mtu(vpninfo->new_dtls_ssl, vpninfo->actual_mtu-1);
 if (err) {
 vpn_progress(vpninfo, PRG_ERR, _("Failed to set DTLS MTU: %s\n"), gnutls_strerror(err));
 goto error;
 }
+#ifdef HAVE_GNUTLS_DTLS_SET_DATA_MTU
+ vpninfo->actual_mtu = gnutls_dtls_get_data_mtu(vpninfo->new_dtls_ssl);
 #else
 /* If we don't have gnutls_dtls_set_data_mtu() then make sure we leave enough headroom by adding the worst-case overhead. We only support AES128-CBC and DES-CBC3-SHA anyway, so working out the worst case isn't hard. */
- gnutls_dtls_set_mtu(vpninfo->new_dtls_ssl,
- vpninfo->actual_mtu + 1 /* packet + header */
- + 13 /* DTLS header */
- + 20 /* biggest supported MAC (SHA1) */
- + 16 /* biggest supported IV (AES-128) */
- + 16 /* max padding */);
+ vpninfo->actual_mtu = vpninfo->actual_mtu - 1 /* packet + header */ - 13 /* DTLS header */ - 20 /* biggest supported MAC (SHA1) */ - 16 /* biggest supported IV (AES-128) */ - 16 /* max padding */);
 #endif
 vpn_progress(vpninfo, PRG_INFO, _("Established DTLS connection (using GnuTLS). Ciphersuite %s.\n"),
-- 
1.7.10.4
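Review bot: The #else branch's new assignment ends in `- 16 /* max padding */);`, an unmatched `)` carried over from the removed gnutls_dtls_set_mtu() call, so a build without HAVE_GNUTLS_DTLS_SET_DATA_MTU will not compile; the line should end `- 16 /* max padding */;`. The unchanged comment directly above the new gnutls_dtls_set_mtu() call still describes the old scheme ("sufficient to take a full VPN MTU (with 1-byte header) in a data record") although the call now hands GnuTLS a transport MTU and actual_mtu is afterwards derived from it, so it should be reworded to say that the link MTU is given to GnuTLS and the tunnel MTU is recomputed from what it reports; the #else comment's "by adding the worst-case overhead" likewise now describes a subtraction. The new code also leaves actual_mtu unchecked after the subtraction: if the field is unsigned (its type is not visible in this hunk) and the link MTU is below the 66-byte worst-case overhead, the value wraps instead of failing, which is worth a lower-bound check before the assignment. dtls_try_handshake() begins and ends outside the hunk.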