allow to transmit 64k TLS Handshake and Application messages via EAP-[T]TLS
authorAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 9 Jul 2012 16:07:18 +0000 (18:07 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 11 Jul 2012 15:09:04 +0000 (17:09 +0200)
src/libtls/tls.h
src/libtls/tls_eap.c
src/libtls/tls_fragmentation.c

index e22b0fa..6b4876f 100644 (file)
 #ifndef TLS_H_
 #define TLS_H_
 
+/**
+ * Maximum size of a TLS fragment
+ * as defined by section 6.2.1. "Fragmentation" of RFC 5246 TLS 1.2
+ */
+#define TLS_MAX_FRAGMENT_LEN   16384
+
 typedef enum tls_version_t tls_version_t;
 typedef enum tls_content_type_t tls_content_type_t;
 typedef enum tls_handshake_type_t tls_handshake_type_t;
index 6134318..e84da70 100644 (file)
 #include <debug.h>
 #include <library.h>
 
-/** Size limit for a single TLS message */
-#define MAX_TLS_MESSAGE_LEN 65536
+/**
+ * Size limit for a TLS message allowing for worst-case protection overhead
+ * according to section 6.2.3. "Payload Protection" of RFC 5246 TLS 1.2
+ */
+#define TLS_MAX_MESSAGE_LEN            4 * (TLS_MAX_FRAGMENT_LEN + 2048)
 
 typedef struct private_tls_eap_t private_tls_eap_t;
 
@@ -165,7 +168,7 @@ static status_t process_pkt(private_tls_eap_t *this, eap_tls_packet_t *pkt)
                }
                msg_len = untoh32(pkt + 1);
                if (msg_len < pkt_len - sizeof(eap_tls_packet_t) - sizeof(msg_len) ||
-                       msg_len > MAX_TLS_MESSAGE_LEN)
+                       msg_len > TLS_MAX_MESSAGE_LEN)
                {
                        DBG1(DBG_TLS, "invalid %N packet length (%u bytes)", eap_type_names,
                                 this->type, msg_len);
index 62e36aa..eb99768 100644 (file)
 #include <bio/bio_reader.h>
 #include <debug.h>
 
+/**
+ * Maximum size of a TLS handshake message we accept
+ */
+#define TLS_MAX_HANDSHAKE_LEN  65536
+
 typedef struct private_tls_fragmentation_t private_tls_fragmentation_t;
 
 /**
@@ -94,16 +99,6 @@ struct private_tls_fragmentation_t {
 };
 
 /**
- * Maximum size of a TLS fragment
- */
-#define MAX_TLS_FRAGMENT_LEN 16384
-
-/**
- * Maximum size of a TLS handshake message we accept
- */
-#define MAX_TLS_HANDSHAKE_LEN 65536
-
-/**
  * Process a TLS alert
  */
 static status_t process_alert(private_tls_fragmentation_t *this,
@@ -134,7 +129,7 @@ static status_t process_handshake(private_tls_fragmentation_t *this,
                status_t status;
                chunk_t data;
 
-               if (reader->remaining(reader) > MAX_TLS_FRAGMENT_LEN)
+               if (reader->remaining(reader) > TLS_MAX_FRAGMENT_LEN)
                {
                        DBG1(DBG_TLS, "TLS fragment has invalid length");
                        this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
@@ -151,7 +146,7 @@ static status_t process_handshake(private_tls_fragmentation_t *this,
                                return NEED_MORE;
                        }
                        this->type = type;
-                       if (len > MAX_TLS_HANDSHAKE_LEN)
+                       if (len > TLS_MAX_HANDSHAKE_LEN)
                        {
                                DBG1(DBG_TLS, "TLS handshake exceeds maximum length");
                                this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
@@ -207,7 +202,7 @@ static status_t process_application(private_tls_fragmentation_t *this,
                status_t status;
                chunk_t data;
 
-               if (reader->remaining(reader) > MAX_TLS_FRAGMENT_LEN)
+               if (reader->remaining(reader) > TLS_MAX_FRAGMENT_LEN)
                {
                        DBG1(DBG_TLS, "TLS fragment has invalid length");
                        this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
@@ -427,14 +422,14 @@ METHOD(tls_fragmentation_t, build, status_t,
        if (this->output.len)
        {
                *type = this->output_type;
-               if (this->output.len <= MAX_TLS_FRAGMENT_LEN)
+               if (this->output.len <= TLS_MAX_FRAGMENT_LEN)
                {
                        *data = this->output;
                        this->output = chunk_empty;
                        return NEED_MORE;
                }
-               *data = chunk_create(this->output.ptr, MAX_TLS_FRAGMENT_LEN);
-               this->output = chunk_clone(chunk_skip(this->output, MAX_TLS_FRAGMENT_LEN));
+               *data = chunk_create(this->output.ptr, TLS_MAX_FRAGMENT_LEN);
+               this->output = chunk_clone(chunk_skip(this->output, TLS_MAX_FRAGMENT_LEN));
                return NEED_MORE;
        }
        return status;