#ifndef TLS_H_
#define TLS_H_
+/**
+ * Maximum size of a TLS fragment
+ * as defined by section 6.2.1. "Fragmentation" of RFC 5246 TLS 1.2
+ */
+#define TLS_MAX_FRAGMENT_LEN 16384
+
typedef enum tls_version_t tls_version_t;
typedef enum tls_content_type_t tls_content_type_t;
typedef enum tls_handshake_type_t tls_handshake_type_t;
#include <debug.h>
#include <library.h>
-/** Size limit for a single TLS message */
-#define MAX_TLS_MESSAGE_LEN 65536
+/**
+ * Size limit for a TLS message allowing for worst-case protection overhead
+ * according to section 6.2.3. "Payload Protection" of RFC 5246 TLS 1.2
+ */
+#define TLS_MAX_MESSAGE_LEN 4 * (TLS_MAX_FRAGMENT_LEN + 2048)
typedef struct private_tls_eap_t private_tls_eap_t;
}
msg_len = untoh32(pkt + 1);
if (msg_len < pkt_len - sizeof(eap_tls_packet_t) - sizeof(msg_len) ||
- msg_len > MAX_TLS_MESSAGE_LEN)
+ msg_len > TLS_MAX_MESSAGE_LEN)
{
DBG1(DBG_TLS, "invalid %N packet length (%u bytes)", eap_type_names,
this->type, msg_len);
#include <bio/bio_reader.h>
#include <debug.h>
+/**
+ * Maximum size of a TLS handshake message we accept
+ */
+#define TLS_MAX_HANDSHAKE_LEN 65536
+
typedef struct private_tls_fragmentation_t private_tls_fragmentation_t;
/**
tls_application_t *application;
};
-/**
- * Maximum size of a TLS fragment
- */
-#define MAX_TLS_FRAGMENT_LEN 16384
-
-/**
- * Maximum size of a TLS handshake message we accept
- */
-#define MAX_TLS_HANDSHAKE_LEN 65536
-
/**
* Process a TLS alert
*/
status_t status;
chunk_t data;
- if (reader->remaining(reader) > MAX_TLS_FRAGMENT_LEN)
+ if (reader->remaining(reader) > TLS_MAX_FRAGMENT_LEN)
{
DBG1(DBG_TLS, "TLS fragment has invalid length");
this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
return NEED_MORE;
}
this->type = type;
- if (len > MAX_TLS_HANDSHAKE_LEN)
+ if (len > TLS_MAX_HANDSHAKE_LEN)
{
DBG1(DBG_TLS, "TLS handshake exceeds maximum length");
this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
status_t status;
chunk_t data;
- if (reader->remaining(reader) > MAX_TLS_FRAGMENT_LEN)
+ if (reader->remaining(reader) > TLS_MAX_FRAGMENT_LEN)
{
DBG1(DBG_TLS, "TLS fragment has invalid length");
this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
if (this->output.len)
{
*type = this->output_type;
- if (this->output.len <= MAX_TLS_FRAGMENT_LEN)
+ if (this->output.len <= TLS_MAX_FRAGMENT_LEN)
{
*data = this->output;
this->output = chunk_empty;
return NEED_MORE;
}
- *data = chunk_create(this->output.ptr, MAX_TLS_FRAGMENT_LEN);
- this->output = chunk_clone(chunk_skip(this->output, MAX_TLS_FRAGMENT_LEN));
+ *data = chunk_create(this->output.ptr, TLS_MAX_FRAGMENT_LEN);
+ this->output = chunk_clone(chunk_skip(this->output, TLS_MAX_FRAGMENT_LEN));
return NEED_MORE;
}
return status;
projects / thirdparty / strongswan.git / commitdiff
