path: root/src/libtls/tls_eap.c
authorAndreas Steffen <andreas.steffen@strongswan.org>2012-07-09 18:07:18 +0200
committerAndreas Steffen <andreas.steffen@strongswan.org>2012-07-11 17:09:04 +0200
commitc36680962cb71d2d17e2440ef6cffa48a8fb1846 (patch)
tree689a4e1233a0fd9157d7722c05b1c94d5b3eff89 /src/libtls/tls_eap.c
parentdfe82160e4f70f52d75e2b6b70e89caf6256cf69 (diff)
allow transmitting 64k TLS handshake and application messages via EAP-[T]TLS
Diffstat (limited to 'src/libtls/tls_eap.c')
-rw-r--r--src/libtls/tls_eap.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/src/libtls/tls_eap.c b/src/libtls/tls_eap.c
index 613431822..e84da7061 100644
--- a/src/libtls/tls_eap.c
+++ b/src/libtls/tls_eap.c
@@ -21,8 +21,11 @@
#include <debug.h>
#include <library.h>
-/** Size limit for a single TLS message */
-#define MAX_TLS_MESSAGE_LEN 65536
+/**
+ * Size limit for a TLS message allowing for worst-case protection overhead
+ * according to section 6.2.3. "Payload Protection" of RFC 5246 TLS 1.2
+ */
+#define TLS_MAX_MESSAGE_LEN 4 * (TLS_MAX_FRAGMENT_LEN + 2048)
typedef struct private_tls_eap_t private_tls_eap_t;
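Review bot: The new TLS_MAX_MESSAGE_LEN on the `#define` line expands unparenthesized, so any use other than a bare comparison (`TLS_MAX_MESSAGE_LEN / 2`, `x * TLS_MAX_MESSAGE_LEN`, a cast on the whole value) silently evaluates `4 * ...` with the wrong precedence; the single use in this file is safe today, but the macro should read `#define TLS_MAX_MESSAGE_LEN (4 * (TLS_MAX_FRAGMENT_LEN + 2048))`. The comment cites RFC 5246 section 6.2.3 for the 2048-byte per-record protection overhead but does not say why four records are budgeted; presumably a 64 KiB handshake or application message spans at most four maximum-size fragments, which should be confirmed and stated, e.g. `Four maximum-size TLS records, each with up to 2048 bytes of protection overhead (RFC 5246 6.2.3), cover a 64 KiB message.` TLS_MAX_FRAGMENT_LEN is defined outside this hunk, so the bound enforced in process_pkt is only as tight as that definition.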
@@ -165,7 +168,7 @@ static status_t process_pkt(private_tls_eap_t *this, eap_tls_packet_t *pkt)
}
msg_len = untoh32(pkt + 1);
if (msg_len < pkt_len - sizeof(eap_tls_packet_t) - sizeof(msg_len) ||
- msg_len > MAX_TLS_MESSAGE_LEN)
+ msg_len > TLS_MAX_MESSAGE_LEN)
{
DBG1(DBG_TLS, "invalid %N packet length (%u bytes)", eap_type_names,
this->type, msg_len);