author | Martin Willi <martin@revosec.ch> | 2010-08-31 16:10:55 +0200 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2010-08-31 16:17:01 +0200 |
commit | f9fc5f2045b18b4e51c43848ef0cb19d9cd223ad (patch) | |
tree | c044bf47b89f3747e115e3908f7695f7f002ff6a /src | |
parent | 743f94067e6737c2aa40cc598f48d02f51533ed7 (diff) | |
Added strongswan.conf options for EAP-TLS/TTLS fragment size
Diffstat (limited to 'src')
-rw-r--r-- | src/libcharon/plugins/eap_tls/eap_tls.c | 14 | ||||
-rw-r--r-- | src/libcharon/plugins/eap_ttls/eap_ttls.c | 15 | ||||
-rw-r--r-- | src/libtls/tls_eap.c | 12 | ||||
-rw-r--r-- | src/libtls/tls_eap.h | 3 |
4 files changed, 30 insertions, 14 deletions
diff --git a/src/libcharon/plugins/eap_tls/eap_tls.c b/src/libcharon/plugins/eap_tls/eap_tls.c
index 3332788eb..991eb6346 100644
--- a/src/libcharon/plugins/eap_tls/eap_tls.c
+++ b/src/libcharon/plugins/eap_tls/eap_tls.c
@@ -44,7 +44,9 @@ struct private_eap_tls_t {
 };
 /** Maximum number of EAP-TLS messages/fragments allowed */
-#define MAX_EAP_TLS_MESSAGE_COUNT 24
+#define MAX_MESSAGE_COUNT 24
+/** Default size of a EAP-TLS fragment */
+#define MAX_FRAGMENT_LEN 1024
 METHOD(eap_method_t, initiate, status_t,
 	private_eap_tls_t *this, eap_payload_t **out)
@@ -66,10 +68,10 @@ METHOD(eap_method_t, process, status_t,
 	status_t status;
 	chunk_t data;
-	if (++this->processed > MAX_EAP_TLS_MESSAGE_COUNT)
+	if (++this->processed > MAX_MESSAGE_COUNT)
 	{
 		DBG1(DBG_IKE, "EAP-TLS packet count exceeded (%d > %d)",
-			 this->processed, MAX_EAP_TLS_MESSAGE_COUNT);
+			 this->processed, MAX_MESSAGE_COUNT);
 		return FAILED;
 	}
 	data = in->get_data(in);
@@ -120,6 +122,7 @@ static eap_tls_t *eap_tls_create(identification_t *server,
 									identification_t *peer, bool is_server)
 {
 	private_eap_tls_t *this;
+	size_t frag_size;
 	INIT(this,
 		.public = {
@@ -134,7 +137,10 @@ static eap_tls_t *eap_tls_create(identification_t *server,
 		},
 	);
-	this->tls_eap = tls_eap_create(EAP_TLS, is_server, server, peer, NULL);
+	frag_size = lib->settings->get_int(lib->settings,
+						"charon.plugins.eap-tls.fragment_size", MAX_FRAGMENT_LEN);
+	this->tls_eap = tls_eap_create(EAP_TLS, is_server, server, peer,
+								   NULL, frag_size);
 	if (!this->tls_eap)
 	{
 		free(this);
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls.c b/src/libcharon/plugins/eap_ttls/eap_ttls.c
index c5195699c..d450c23d7 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls.c
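Review bot: `frag_size = lib->settings->get_int(lib->settings, "charon.plugins.eap-tls.fragment_size", MAX_FRAGMENT_LEN);` stores the `int` returned by get_int into a `size_t` with no range check, so a zero or negative value in strongswan.conf becomes a zero-length or enormous fragment size that is passed straight to tls_eap_create; eap_ttls_create in the next file has the same pattern. Unless tls_eap_create is made to reject such values, I would read the setting into an `int` and fall back to the default for anything non-positive, e.g. `int size = lib->settings->get_int(lib->settings, "charon.plugins.eap-tls.fragment_size", MAX_FRAGMENT_LEN);` followed by `frag_size = size > 0 ? size : MAX_FRAGMENT_LEN;`. On naming, the new macro is documented as the default fragment size but is called MAX_FRAGMENT_LEN; `DEFAULT_FRAGMENT_LEN` would match its comment, in eap_ttls.c as well. The effective default also appears to move from the old 1014-byte constant to 1024, which looks deliberate but deserves a word in the commit message if so. eap_tls_create continues outside the hunk.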
@@ -46,7 +46,9 @@ struct private_eap_ttls_t {
 };
 /** Maximum number of EAP-TTLS messages/fragments allowed */
-#define MAX_EAP_TTLS_MESSAGE_COUNT 32
+#define MAX_MESSAGE_COUNT 32
+/** Default size of a EAP-TTLS fragment */
+#define MAX_FRAGMENT_LEN 1024
 METHOD(eap_method_t, initiate, status_t,
 	private_eap_ttls_t *this, eap_payload_t **out)
@@ -68,10 +70,10 @@ METHOD(eap_method_t, process, status_t,
 	status_t status;
 	chunk_t data;
-	if (++this->processed > MAX_EAP_TTLS_MESSAGE_COUNT)
+	if (++this->processed > MAX_MESSAGE_COUNT)
 	{
 		DBG1(DBG_IKE, "EAP-TTLS packet count exceeded (%d > %d)",
-			 this->processed, MAX_EAP_TTLS_MESSAGE_COUNT);
+			 this->processed, MAX_MESSAGE_COUNT);
 		return FAILED;
 	}
 	data = in->get_data(in);
@@ -123,6 +125,7 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
 									tls_application_t *application)
 {
 	private_eap_ttls_t *this;
+	size_t frag_size;
 	INIT(this,
 		.public = {
@@ -141,8 +144,10 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
 	{
 		peer = NULL;
 	}
-	this->tls_eap = tls_eap_create(EAP_TTLS, is_server,
-								   server, peer, application);
+	frag_size = lib->settings->get_int(lib->settings,
+						"charon.plugins.eap-ttls.fragment_size", MAX_FRAGMENT_LEN);
+	this->tls_eap = tls_eap_create(EAP_TTLS, is_server, server, peer,
+								   application, frag_size);
 	if (!this->tls_eap)
 	{
 		application->destroy(application);
diff --git a/src/libtls/tls_eap.c b/src/libtls/tls_eap.c
index 027929806..1f90855ee 100644
--- a/src/libtls/tls_eap.c
+++ b/src/libtls/tls_eap.c
@@ -22,8 +22,6 @@
 /** Size limit for a single TLS message */
 #define MAX_TLS_MESSAGE_LEN 65536
-/** Size of a EAP-TLS fragment */
-#define EAP_TLS_FRAGMENT_LEN 1014
 typedef struct private_tls_eap_t private_tls_eap_t;
@@ -56,6 +54,11 @@ struct private_tls_eap_t {
 	 * First fragment of a multi-fragment record?
 	 */
 	bool first_fragment;
+
+	/**
+	 * Maximum size of an outgoing EAP-TLS fragment
+	 */
+	size_t frag_size;
 };
 /**
@@ -139,7 +142,7 @@ static status_t process_pkt(private_tls_eap_t *this, eap_tls_packet_t *pkt)
 static status_t build_pkt(private_tls_eap_t *this,
 						  u_int8_t identifier, chunk_t *out)
 {
-	char buf[EAP_TLS_FRAGMENT_LEN];
+	char buf[this->frag_size];
 	eap_tls_packet_t *pkt;
 	size_t len, reclen;
 	status_t status;
@@ -293,7 +296,7 @@ METHOD(tls_eap_t, destroy, void,
  */
 tls_eap_t *tls_eap_create(eap_type_t type, bool is_server,
 						  identification_t *server, identification_t *peer,
-						  tls_application_t *application)
+						  tls_application_t *application, size_t frag_size)
 {
 	private_tls_eap_t *this;
 	tls_purpose_t purpose;
@@ -320,6 +323,7 @@ tls_eap_t *tls_eap_create(eap_type_t type, bool is_server,
 		.type = type,
 		.is_server = is_server,
 		.first_fragment = TRUE,
+		.frag_size = frag_size,
 		.tls = tls_create(is_server, server, peer, purpose, application),
 	);
 	if (!this->tls)
diff --git a/src/libtls/tls_eap.h b/src/libtls/tls_eap.h
index 48b4dec62..8aa2dce19 100644
--- a/src/libtls/tls_eap.h
+++ b/src/libtls/tls_eap.h
@@ -75,9 +75,10 @@ struct tls_eap_t {
  * @param server			server identity
  * @param peer				peer identity, NULL to omit peer authentication
  * @param application		TLS application layer, if any
+ * @param frag_size			maximum size of a TLS fragment we send
  */
 tls_eap_t *tls_eap_create(eap_type_t type, bool is_server,
 						  identification_t *server, identification_t *peer,
-						  tls_application_t *application);
+						  tls_application_t *application, size_t frag_size);
 #endif /** TLS_EAP_H_ @}*/ |
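Review bot: `char buf[this->frag_size];` in build_pkt turns a fixed 1014-byte stack array into a VLA whose length is whatever was configured, and tls_eap_create (the @@ -296 and @@ -323 hunks) stores frag_size without validating it, so a frag_size of 0 yields a zero-length VLA (undefined behaviour in C) and a very large one can exhaust the thread stack before any TLS data is handled. I would bound the value once in tls_eap_create before INIT, e.g. `if (frag_size <= sizeof(eap_tls_packet_t) || frag_size > MAX_TLS_MESSAGE_LEN) { return NULL; }`, with the lower bound chosen so the EAP-TLS header and length field that build_pkt writes into buf always fit; the hunk does not show how much of buf that write needs, so the exact minimum should be checked against the rest of build_pkt. With a fixed upper bound in place, buf could also go back to a fixed-size array or be heap-allocated rather than being a configuration-sized stack allocation. Both build_pkt and tls_eap_create continue outside their hunks.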
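Review bot: `@param frag_size maximum size of a TLS fragment we send` in tls_eap.h does not say whether the value bounds the whole EAP-TLS packet including its header or only the TLS payload, nor which values are accepted; build_pkt appears to size its packet buffer directly from it, which suggests the former, but that is inferred rather than shown. I would phrase the parameter doc as `maximum size of an EAP-TLS packet we send, in bytes, including the EAP-TLS header` and state the permitted range there once tls_eap_create enforces one.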