From c36680962cb71d2d17e2440ef6cffa48a8fb1846 Mon Sep 17 00:00:00 2001
From: Andreas Steffen
Date: Mon, 9 Jul 2012 18:07:18 +0200
Subject: allow to transmit 64k TLS Handshake and Application messages via EAP-[T]TLS

---
 src/libtls/tls_eap.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'src/libtls/tls_eap.c')

diff --git a/src/libtls/tls_eap.c b/src/libtls/tls_eap.c
index 613431822..e84da7061 100644
--- a/src/libtls/tls_eap.c
+++ b/src/libtls/tls_eap.c
@@ -21,8 +21,11 @@
 #include
 #include
 
-/** Size limit for a single TLS message */
-#define MAX_TLS_MESSAGE_LEN 65536
+/**
+ * Size limit for a TLS message allowing for worst-case protection overhead
+ * according to section 6.2.3. "Payload Protection" of RFC 5246 TLS 1.2
+ */
+#define TLS_MAX_MESSAGE_LEN 4 * (TLS_MAX_FRAGMENT_LEN + 2048)
 
 typedef struct private_tls_eap_t private_tls_eap_t;
 
@@ -165,7 +168,7 @@ static status_t process_pkt(private_tls_eap_t *this, eap_tls_packet_t *pkt)
 	}
 	msg_len = untoh32(pkt + 1);
 	if (msg_len < pkt_len - sizeof(eap_tls_packet_t) - sizeof(msg_len) ||
-		msg_len > MAX_TLS_MESSAGE_LEN)
+		msg_len > TLS_MAX_MESSAGE_LEN)
 	{
 		DBG1(DBG_TLS, "invalid %N packet length (%u bytes)",
 			 eap_type_names, this->type, msg_len);
-- 
cgit v1.2.3
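Review bot: The new TLS_MAX_MESSAGE_LEN expansion is not parenthesized, so any use other than the bare comparison in process_pkt (for example a multiplication, a subtraction on the left, or a cast) groups wrongly and silently changes the bound that gates attacker-controlled msg_len; it should read `#define TLS_MAX_MESSAGE_LEN (4 * (TLS_MAX_FRAGMENT_LEN + 2048))`. The doc comment cites RFC 5246 section 6.2.3, which bounds a single protected record at 2^14 + 2048 bytes, but it does not say where the factor of 4 comes from; a sentence such as `/* four maximum-size protected records are allowed per EAP-TLS message */` (or whatever the intended rationale is) would let a reader verify the limit against the subject line's "64k" claim, since the numeric value depends on TLS_MAX_FRAGMENT_LEN, which is defined outside this hunk. The same macro is consumed in the second hunk, inside process_pkt, whose body starts and ends outside the diff.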