cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-10-30 19:20:40 -04:00
Code Issues Packages Projects Releases Wiki Activity

Fix mbedtls_ssl_get_record_expansion() for ChaChaPoly and CBC

Browse Source 
`mbedtls_ssl_get_record_expansion()` is supposed to return the maximum
difference between the size of a protected record and the size of the
encapsulated plaintext.

It had the following two bugs:
(1) It did not consider the new ChaChaPoly ciphersuites, returning
    the error code #MBEDTLS_ERR_SSL_INTERNAL_ERROR in this case.
(2) It did not correctly estimate the maximum record expansion in case
    of CBC ciphersuites in (D)TLS versions 1.1 and higher, in which
    case the ciphertext is prefixed by an explicit IV.

This commit fixes both bugs.
This commit is contained in:
Hanno Becker 2018-08-03 09:40:07 +01:00
parent b363382ba4
commit 5b559ac7ab
1 changed files with 23 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
library/ssl_tls.c
View File

@ -6841,6 +6841,7 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
{ {
size_t transform_expansion; size_t transform_expansion;
const mbedtls_ssl_transform *transform = ssl->transform_out; const mbedtls_ssl_transform *transform = ssl->transform_out;
unsigned block_size;
#if defined(MBEDTLS_ZLIB_SUPPORT) #if defined(MBEDTLS_ZLIB_SUPPORT)
if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL ) if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
@ -6854,13 +6855,33 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
{ {
case MBEDTLS_MODE_GCM: case MBEDTLS_MODE_GCM:
case MBEDTLS_MODE_CCM: case MBEDTLS_MODE_CCM:
case MBEDTLS_MODE_CHACHAPOLY:
case MBEDTLS_MODE_STREAM: case MBEDTLS_MODE_STREAM:
transform_expansion = transform->minlen; transform_expansion = transform->minlen;
break; break;
case MBEDTLS_MODE_CBC: case MBEDTLS_MODE_CBC:
transform_expansion = transform->maclen
+ mbedtls_cipher_get_block_size( &transform->cipher_ctx_enc ); block_size = mbedtls_cipher_get_block_size(
&transform->cipher_ctx_enc );
#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
{
/* Expansion due to addition of
* - MAC
* - CBC padding (theoretically up to 256 bytes, but
* we never use more than block_size)
* - explicit IV
*/
transform_expansion = transform->maclen + 2 * block_size;
}
else
#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
{
/* No explicit IV prior to TLS 1.1. */
transform_expansion = transform->maclen + block_size;
}
break; break;
default: default: