Diffstat (limited to 'src')
-rw-r--r--src/libcharon/plugins/eap_tls/eap_tls.c14
-rw-r--r--src/libcharon/plugins/eap_ttls/eap_ttls.c15
-rw-r--r--src/libtls/tls_eap.c12
-rw-r--r--src/libtls/tls_eap.h3
4 files changed, 30 insertions, 14 deletions
diff --git a/src/libcharon/plugins/eap_tls/eap_tls.c b/src/libcharon/plugins/eap_tls/eap_tls.c
index 3332788eb..991eb6346 100644
--- a/src/libcharon/plugins/eap_tls/eap_tls.c
+++ b/src/libcharon/plugins/eap_tls/eap_tls.c
@@ -44,7 +44,9 @@ struct private_eap_tls_t {
};
/** Maximum number of EAP-TLS messages/fragments allowed */
-#define MAX_EAP_TLS_MESSAGE_COUNT 24
+#define MAX_MESSAGE_COUNT 24
+/** Default size of a EAP-TLS fragment */
+#define MAX_FRAGMENT_LEN 1024
METHOD(eap_method_t, initiate, status_t,
private_eap_tls_t *this, eap_payload_t **out)
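Review bot: `MAX_FRAGMENT_LEN` is only ever used as the default for the `fragment_size` setting in eap_tls_create, not as an upper bound, so the name suggests a limit the code does not enforce; `DEFAULT_FRAGMENT_LEN` would read the way it is used, and the same applies to the define in the eap_ttls.c hunk at `@@ -46,7 +46,9 @@`. The library constant this replaces was 1014 while the new default is 1024, so if `buf` in build_pkt holds the whole EAP-TLS packet including its header, the default fragment on the wire grows by those bytes; worth confirming that is intended rather than a side effect of the rename. The new comment also reads `Default size of a EAP-TLS fragment`; `an EAP-TLS fragment`.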
@@ -66,10 +68,10 @@ METHOD(eap_method_t, process, status_t,
status_t status;
chunk_t data;
- if (++this->processed > MAX_EAP_TLS_MESSAGE_COUNT)
+ if (++this->processed > MAX_MESSAGE_COUNT)
{
DBG1(DBG_IKE, "EAP-TLS packet count exceeded (%d > %d)",
- this->processed, MAX_EAP_TLS_MESSAGE_COUNT);
+ this->processed, MAX_MESSAGE_COUNT);
return FAILED;
}
data = in->get_data(in);
@@ -120,6 +122,7 @@ static eap_tls_t *eap_tls_create(identification_t *server,
identification_t *peer, bool is_server)
{
private_eap_tls_t *this;
+ size_t frag_size;
INIT(this,
.public = {
@@ -134,7 +137,10 @@ static eap_tls_t *eap_tls_create(identification_t *server,
},
);
- this->tls_eap = tls_eap_create(EAP_TLS, is_server, server, peer, NULL);
+ frag_size = lib->settings->get_int(lib->settings,
+ "charon.plugins.eap-tls.fragment_size", MAX_FRAGMENT_LEN);
+ this->tls_eap = tls_eap_create(EAP_TLS, is_server, server, peer,
+ NULL, frag_size);
if (!this->tls_eap)
{
free(this);
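Review bot: `frag_size` is assigned straight from `get_int()` into a `size_t` with no range check, so a zero or negative `charon.plugins.eap-tls.fragment_size` becomes 0 or a huge unsigned value before it reaches tls_eap_create, where tls_eap.c uses it to size a stack buffer; the eap_ttls.c hunk at `@@ -141,8 +144,10 @@` has the same gap. Rather than validating in each plugin, check it once in tls_eap_create (tls_eap.c hunk at `@@ -320,6 +323,7 @@`), rejecting values no larger than the EAP-TLS packet header and values above `MAX_TLS_MESSAGE_LEN`, e.g. `if (frag_size <= sizeof(eap_tls_packet_t) || frag_size > MAX_TLS_MESSAGE_LEN) { /* log and return NULL */ }`, or fall back to the previous default with a warning. Whether `sizeof(eap_tls_packet_t)` is the right lower bound depends on whether `buf` includes the header, which the hunk does not show.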
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls.c b/src/libcharon/plugins/eap_ttls/eap_ttls.c
index c5195699c..d450c23d7 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls.c
@@ -46,7 +46,9 @@ struct private_eap_ttls_t {
};
/** Maximum number of EAP-TTLS messages/fragments allowed */
-#define MAX_EAP_TTLS_MESSAGE_COUNT 32
+#define MAX_MESSAGE_COUNT 32
+/** Default size of a EAP-TTLS fragment */
+#define MAX_FRAGMENT_LEN 1024
METHOD(eap_method_t, initiate, status_t,
private_eap_ttls_t *this, eap_payload_t **out)
@@ -68,10 +70,10 @@ METHOD(eap_method_t, process, status_t,
status_t status;
chunk_t data;
- if (++this->processed > MAX_EAP_TTLS_MESSAGE_COUNT)
+ if (++this->processed > MAX_MESSAGE_COUNT)
{
DBG1(DBG_IKE, "EAP-TTLS packet count exceeded (%d > %d)",
- this->processed, MAX_EAP_TTLS_MESSAGE_COUNT);
+ this->processed, MAX_MESSAGE_COUNT);
return FAILED;
}
data = in->get_data(in);
@@ -123,6 +125,7 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
tls_application_t *application)
{
private_eap_ttls_t *this;
+ size_t frag_size;
INIT(this,
.public = {
@@ -141,8 +144,10 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
{
peer = NULL;
}
- this->tls_eap = tls_eap_create(EAP_TTLS, is_server,
- server, peer, application);
+ frag_size = lib->settings->get_int(lib->settings,
+ "charon.plugins.eap-ttls.fragment_size", MAX_FRAGMENT_LEN);
+ this->tls_eap = tls_eap_create(EAP_TTLS, is_server, server, peer,
+ application, frag_size);
if (!this->tls_eap)
{
application->destroy(application);
diff --git a/src/libtls/tls_eap.c b/src/libtls/tls_eap.c
index 027929806..1f90855ee 100644
--- a/src/libtls/tls_eap.c
+++ b/src/libtls/tls_eap.c
@@ -22,8 +22,6 @@
/** Size limit for a single TLS message */
#define MAX_TLS_MESSAGE_LEN 65536
-/** Size of a EAP-TLS fragment */
-#define EAP_TLS_FRAGMENT_LEN 1014
typedef struct private_tls_eap_t private_tls_eap_t;
@@ -56,6 +54,11 @@ struct private_tls_eap_t {
* First fragment of a multi-fragment record?
*/
bool first_fragment;
+
+ /**
+ * Maximum size of an outgoing EAP-TLS fragment
+ */
+ size_t frag_size;
};
/**
@@ -139,7 +142,7 @@ static status_t process_pkt(private_tls_eap_t *this, eap_tls_packet_t *pkt)
static status_t build_pkt(private_tls_eap_t *this,
u_int8_t identifier, chunk_t *out)
{
- char buf[EAP_TLS_FRAGMENT_LEN];
+ char buf[this->frag_size];
eap_tls_packet_t *pkt;
size_t len, reclen;
status_t status;
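Review bot: `char buf[this->frag_size]` replaces a fixed-size stack buffer with a VLA whose length comes from configuration and is never validated in this library; a size of 0 is undefined behaviour, and a large value (or a negative setting converted to `size_t` in the callers) exhausts the stack before any length check in the body can run. If fragment sizes beyond a few KB are meant to be configurable, allocate with `buf = malloc(this->frag_size)` and free it on every exit path instead of a VLA; otherwise bound `frag_size` in tls_eap_create so the stack allocation stays small. build_pkt's body continues past the hunk, so any arithmetic there that assumed the old 1014-byte constant (header versus payload split) should be rechecked against the runtime size.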
@@ -293,7 +296,7 @@ METHOD(tls_eap_t, destroy, void,
*/
tls_eap_t *tls_eap_create(eap_type_t type, bool is_server,
identification_t *server, identification_t *peer,
- tls_application_t *application)
+ tls_application_t *application, size_t frag_size)
{
private_tls_eap_t *this;
tls_purpose_t purpose;
@@ -320,6 +323,7 @@ tls_eap_t *tls_eap_create(eap_type_t type, bool is_server,
.type = type,
.is_server = is_server,
.first_fragment = TRUE,
+ .frag_size = frag_size,
.tls = tls_create(is_server, server, peer, purpose, application),
);
if (!this->tls)
diff --git a/src/libtls/tls_eap.h b/src/libtls/tls_eap.h
index 48b4dec62..8aa2dce19 100644
--- a/src/libtls/tls_eap.h
+++ b/src/libtls/tls_eap.h
@@ -75,9 +75,10 @@ struct tls_eap_t {
* @param server server identity
* @param peer peer identity, NULL to omit peer authentication
* @param application TLS application layer, if any
+ * @param frag_size maximum size of a TLS fragment we send
*/
tls_eap_t *tls_eap_create(eap_type_t type, bool is_server,
identification_t *server, identification_t *peer,
- tls_application_t *application);
+ tls_application_t *application, size_t frag_size);
#endif /** TLS_EAP_H_ @}*/
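Review bot: The new `@param frag_size` line should state the units and the constraint the implementation relies on, because the value sizes a buffer in tls_eap.c and a zero or oversized value is not handled there; e.g. `@param frag_size maximum size in bytes of an outgoing EAP-TLS fragment, must be non-zero and bounded`. It would also help to say whether the size counts the EAP-TLS packet header, since the previous library default (1014) and the new plugin default (1024) differ by roughly that amount.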