corrected values returned in X-CSTP-MTU and X-DTLS-MTU

NEWS

@@ -6,6 +6,8 @@
 - Added support for Salsa20 + UMAC ciphers.
 - Will now check X-CSTP-Address-Type header and will not send address types
   that were not requested.
+- X-CSTP-MTU and DTLS-MTU now contain the expected (but pretty non-sensical)
+  values.
 
 
 * Version 0.1.2 (released 2013-05-07)

src/tlslib.c

@@ -630,3 +630,49 @@ unsigned i;
 	
 	return retval;
 }
+
+size_t tls_get_overhead(gnutls_protocol_t version, gnutls_cipher_algorithm_t cipher, gnutls_mac_algorithm_t mac)
+{
+unsigned iv_size, overhead = 0, t;
+unsigned block_size;
+
+	block_size = gnutls_cipher_get_block_size(cipher);
+	iv_size = gnutls_cipher_get_iv_size(cipher);
+	
+	switch(version) {
+		case GNUTLS_DTLS0_9:
+		case GNUTLS_DTLS1_0:
+		case GNUTLS_DTLS1_2:
+			overhead += 13;
+			break;
+		default:
+			overhead += 5;
+			break;
+	}
+	
+	switch(cipher) {
+		case GNUTLS_CIPHER_3DES_CBC:
+		case GNUTLS_CIPHER_AES_128_CBC:
+		case GNUTLS_CIPHER_AES_256_CBC:
+		case GNUTLS_CIPHER_CAMELLIA_128_CBC:
+		case GNUTLS_CIPHER_CAMELLIA_256_CBC:
+		case GNUTLS_CIPHER_AES_192_CBC:
+		case GNUTLS_CIPHER_CAMELLIA_192_CBC:
+			overhead += block_size; /* max pad */
+			overhead += iv_size; /* explicit IV */
+			break;
+		case GNUTLS_CIPHER_AES_128_GCM:
+		case GNUTLS_CIPHER_AES_256_GCM:
+			overhead += iv_size; /* explicit IV */
+			overhead += block_size; /* tag size */
+			break;
+		default:
+			break;
+	}
+
+	t = gnutls_hmac_get_len(mac);
+	if (t > 0)
+		overhead += t;
+		
+	return overhead;
+}

src/tlslib.h

@@ -22,6 +22,7 @@ void tls_global_init(struct main_server_st* s);
 void tls_global_init_certs(struct main_server_st* s);
 
 ssize_t tls_send_file(gnutls_session_t session, const char *file);
+size_t tls_get_overhead(gnutls_protocol_t, gnutls_cipher_algorithm_t, gnutls_mac_algorithm_t);
 
 #define GNUTLS_FATAL_ERR(x) \
         if (x < 0 && gnutls_error_is_fatal (x) != 0) { \

src/worker-vpn.c

@@ -740,7 +740,7 @@ static int connect_handler(worker_st *ws)
 {
 struct http_req_st *req = &ws->req;
 fd_set rfds;
-int l, e, max, ret;
+int l, e, max, ret, overhead;
 struct vpn_st vinfo;
 unsigned tls_retry;
 char *p;
@@ -955,7 +955,8 @@ socklen_t sl;
 			oclog(ws, LOG_INFO, "reducing DTLS MTU to peer's DTLS MTU (%u)", req->dtls_mtu);
 		}
 
-		tls_printf(ws->session, "X-DTLS-MTU: %u\r\n", ws->conn_mtu);
+		overhead = tls_get_overhead(GNUTLS_DTLS0_9, ws->req.gnutls_cipher, ws->req.gnutls_mac);
+		tls_printf(ws->session, "X-DTLS-MTU: %u\r\n", ws->conn_mtu-overhead);
 	}
 	
 	if (ws->buffer_size <= ws->conn_mtu+mtu_overhead) {
@@ -966,7 +967,8 @@ socklen_t sl;
 			goto exit;
 	}
 
-	ret = tls_printf(ws->session, "X-CSTP-MTU: %u\r\n", ws->conn_mtu);
+	overhead = tls_get_overhead(gnutls_protocol_get_version(ws->session), gnutls_cipher_get(ws->session), gnutls_mac_get(ws->session));
+	ret = tls_printf(ws->session, "X-CSTP-MTU: %u\r\n", ws->conn_mtu-overhead);
 	SEND_ERR(ret);
 
 	oclog(ws, LOG_INFO, "selected MTU is %u", ws->conn_mtu);