On Wed, Aug 16, 2017 at 8:03 PM, Daniel Lenski wrote:
> I believe the correct [ESP padding] algorithm is actually as follows:
>
> * From payload MTU, add 2 footer bytes, round *up* to a multiple of
> the blocksize. Add the size of the MAC, IV, and other headers. That's
> the size of the packet on the wire.
> * From wire packet MTU, subtract headers and MAC and IV, round *down*
> to a multiple of blocksize, subtract TWO footer bytes, and that's the
> largest payload you can carry.
Signed-off-by: Daniel Lenski <email address hidden>
Signed-off-by: David Woodhouse <email address hidden>
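The two-direction padding arithmetic quoted above, as an added C example that is not openconnect's own code: the ESP header, IV, block and ICV sizes are assumed values for AES-128-CBC with HMAC-SHA1-96 (8-byte SPI+sequence header, 16-byte IV and block, 12-byte truncated ICV) and a 20-byte plain IPv4 outer header.

```c
/* Added example of the ESP overhead/MTU arithmetic described above.
 * Not openconnect's own code; the sizes below are assumed values for
 * AES-128-CBC + HMAC-SHA1-96 in the RFC 4303 packet layout. */
#include <stdio.h>

/* Per-ciphersuite ESP parameters (all sizes in bytes). */
struct esp_params {
    int hdr;        /* ESP header: SPI (4) + sequence number (4) */
    int iv;         /* CBC IV length, equal to the cipher block size */
    int blocksize;  /* padding granularity of the encrypted part */
    int mac;        /* truncated ICV appended after the ciphertext */
    int outer;      /* outer IP (and UDP, if encapsulated) headers */
};

#define ESP_FOOTER 2  /* the two footer bytes: pad length + next header */

static int round_up(int n, int m)   { return (n + m - 1) / m * m; }
static int round_down(int n, int m) { return n / m * m; }

/* Direction 1: payload size -> size of the packet on the wire.
 * payload + 2 footer bytes, rounded UP to the block size, then headers,
 * IV and MAC added on top. */
int esp_wire_size(const struct esp_params *p, int payload)
{
    int encrypted = round_up(payload + ESP_FOOTER, p->blocksize);
    return p->outer + p->hdr + p->iv + encrypted + p->mac;
}

/* Direction 2: wire MTU -> largest payload that still fits.
 * Subtract headers, IV and MAC, round DOWN to the block size, then
 * subtract the 2 footer bytes. Returns -1 if not even one block fits. */
int esp_max_payload(const struct esp_params *p, int wire_mtu)
{
    int avail = wire_mtu - p->outer - p->hdr - p->iv - p->mac;
    if (avail < p->blocksize)
        return -1;
    return round_down(avail, p->blocksize) - ESP_FOOTER;
}

/* Constructed parameters: AES-128-CBC + HMAC-SHA1-96, plain IPv4 outer. */
const struct esp_params aes128_sha1 = { 8, 16, 16, 12, 20 };

int main(void)
{
    int mtu = 1500;
    int payload = esp_max_payload(&aes128_sha1, mtu);
    printf("largest payload for MTU %d: %d\n", mtu, payload);
    printf("that payload on the wire: %d\n", esp_wire_size(&aes128_sha1, payload));
    /* One more byte needs another whole block and overshoots the MTU. */
    printf("one byte more on the wire: %d\n", esp_wire_size(&aes128_sha1, payload + 1));
    return 0;
}
```

The round-trip shows why the two directions are not simple inverses: the largest payload for a 1500-byte MTU yields a 1496-byte packet, while one more byte of payload needs a whole extra block and no longer fits.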
ca7ac61... by Brennan Hildebrand <email address hidden>
Include extra headers needed for ICMP packet-building on FreeBSD
Signed-off-by: Daniel Lenski <email address hidden>
Signed-off-by: David Woodhouse <email address hidden>
fix DTLS_OVERHEAD and GlobalProtect ESP overhead calculation
GlobalProtect doesn't try to calculate MTU until after it has information on
the ESP ciphersuite, so it can use the real HMAC/encryption key lengths when
calculating ESP overhead. In practice, I have never seen or heard of a GP
VPN that uses anything other than AES128+SHA1, but both the clients and
servers appear to include support for AES256.
DTLS_OVERHEAD was not correctly accounting for the possibility of AES256
(32-byte IV).
Signed-off-by: Daniel Lenski <email address hidden>
Signed-off-by: David Woodhouse <email address hidden>
If both 'portal-name' and 'gateways' nodes exist, but the 'gateways'
node comes first, we'd never handle the 'portal-name'. It might never
happen in practice... but that's no excuse :)
Signed-off-by: David Woodhouse <email address hidden>
If we really need to override it for *all* requests, let's just do that
in gpst_common_headers(). Although maybe it'd be better just to ensure
that vpninfo->useragent is set appropriately in the first place?
It's not clear what we're gaining by preserving ->urlpath either, since
it never gets used as-is; we only *ever* override it with our own
strings. So we might as well just free the old one and set it.
Signed-off-by: David Woodhouse <email address hidden>