Use X-DTLS-MTU response from server as well as X-CSTP-MTU
Currently we take a very naïve approach: we just use the higher of the
two. Normally the DTLS MTU will be larger. Theoretically, perhaps we
ought to actually change the MTU of the interface according to whether
DTLS is currently connected or not? That seems cumbersome, and is almost
impossible if we aren't running as root.

So what *should* we do with packets which are "too big" for the CSTP
MTU, if they arrive while DTLS is down? Drop them? And try to fake an
ICMP "too big" or "fragmentation needed" response? Fragment them? Please
$DEITY no. The sanest thing to do would seem to be just to send them
down the CSTP link even though they'll end up fragmented into more than
one TCP packet.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse authored and David Woodhouse committed Jun 8, 2012
1 parent a12d91b commit 21630e7
Showing 1 changed file with 8 additions and 2 deletions.
10 changes: 8 additions & 2 deletions cstp.c
Expand Up @@ -311,7 +311,11 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
*next_dtls_option = new_option;
next_dtls_option = &new_option->next;

if (!strcmp(buf + 7, "Session-ID")) {
if (!strcmp(buf + 7, "MTU")) {
int mtu = atol(colon);
if (mtu > vpninfo->mtu)
vpninfo->mtu = mtu;
} else if (!strcmp(buf + 7, "Session-ID")) {
if (strlen(colon) != 64) {
vpn_progress(vpninfo, PRG_ERR,
_("X-DTLS-Session-ID not 64 characters; is: \"%s\"\n"),
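Review bot: In the new "MTU" branch of the X-DTLS- options, `int mtu = atol(colon);` takes a server-supplied value with no validation. atol() gives no error indication on non-numeric input, its long result is narrowed to int, and the `if (mtu > vpninfo->mtu)` test puts no upper limit on what ends up in vpninfo->mtu. Consider parsing with strtol() plus an end-pointer check and rejecting values outside a sane MTU range before the comparison. The same three lines appear again in the second hunk, so a small helper shared by both branches would keep the two in step.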
Expand Down Expand Up @@ -349,7 +353,9 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
return -EINVAL;
}
} else if (!strcmp(buf + 7, "MTU")) {
vpninfo->mtu = atol(colon);
int mtu = atol(colon);
if (mtu > vpninfo->mtu)
vpninfo->mtu = mtu;
} else if (!strcmp(buf + 7, "Address")) {
if (strchr(new_option->value, ':'))
vpninfo->vpn_addr6 = new_option->value;
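Review bot: Replacing the unconditional `vpninfo->mtu = atol(colon);` with `if (mtu > vpninfo->mtu)` makes the outcome depend on whatever vpninfo->mtu held before the headers were parsed, and nothing in these hunks resets it. If the field is nonzero on entry (for instance, still holding a value from an earlier call to start_cstp_connection()), a smaller MTU from the server would be silently ignored. Either zero the field before the header loop, or keep the CSTP and DTLS values in separate variables and take the larger one after parsing. A short comment here noting that the interface MTU may now exceed the CSTP MTU, as the commit message explains, would also help the next reader.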