X-Git-Url: https://www.tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fnet_packet.c;h=8bf399f1fdbcd04396a826afea508880105a0d87;hb=0209f12d27d29f3aedc09b228bd289305851c75d;hp=37535c17c0cc355821fb6786d89f4bbcfe75cccf;hpb=0e653260478005eb7c824a9a1a3df04f39938cd6;p=tinc
diff --git a/src/net_packet.c b/src/net_packet.c
index 37535c17..8bf399f1 100644
--- a/src/net_packet.c
+++ b/src/net_packet.c
@@ -929,6 +929,25 @@ static length_t choose_initial_maxmtu(node_t *n) {
 mtu -= SPTPS_DATAGRAM_OVERHEAD;
 if((n->options >> 24) >= 4)
 mtu -= sizeof(node_id_t) + sizeof(node_id_t);
+ } else {
+ mtu -= digest_length(n->outdigest);
+
+ /* Now it's tricky. We use CBC mode, so the length of the
+ encrypted payload must be a multiple of the blocksize. The
+ sequence number is also part of the encrypted payload, so we
+ must account for it after correcting for the blocksize.
+ Furthermore, the padding in the last block must be at least
+ 1 byte. */
+
+ length_t blocksize = cipher_blocksize(n->outcipher);
+
+ if(blocksize > 1) {
+ mtu /= blocksize;
+ mtu *= blocksize;
+ mtu--;
+ }
+
+ mtu -= 4; // seqno
 }
 
 if (mtu < 512) {
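Review bot: The new else branch subtracts `digest_length(n->outdigest)`, the padding byte (`mtu--`) and the sequence number (`mtu -= 4`) from `mtu` with no lower-bound check; the only floor test is the `if (mtu < 512)` that follows. `mtu` is declared outside the hunk, but if it is unsigned like the function's `length_t` return type, a starting value below the combined overhead would wrap to a large number and pass that test, overstating what fits in one datagram. Comparing before each subtraction would avoid that, for example `if(mtu <= digest_length(n->outdigest)) mtu = 0;` ahead of the first one, so the existing floor check still catches the degenerate case. The bare `4` would read better as the size of the sequence-number field the packet code uses. The comment could also say that the branch relies on `n->outcipher` and `n->outdigest` already holding the negotiated legacy parameters when this function runs; the function body starts and ends outside the hunk, so that cannot be confirmed here.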