Fix mbedtls_ssl_get_record_expansion() for ChaChaPoly and CBC
`mbedtls_ssl_get_record_expansion()` is supposed to return the maximum
difference between the size of a protected record and the size of the
encapsulated plaintext.
It had the following two bugs:
(1) It did not consider the new ChaChaPoly ciphersuites, returning
the error code #MBEDTLS_ERR_SSL_INTERNAL_ERROR in this case.
(2) It did not correctly estimate the maximum record expansion in case
of CBC ciphersuites in (D)TLS versions 1.1 and higher, in which
case the ciphertext is prefixed by an explicit IV.
This commit fixes both bugs.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 91f96c8..5905a6d 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6841,6 +6841,7 @@
{
size_t transform_expansion;
const mbedtls_ssl_transform *transform = ssl->transform_out;
+ unsigned block_size;
#if defined(MBEDTLS_ZLIB_SUPPORT)
if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
@@ -6854,13 +6855,33 @@
{
case MBEDTLS_MODE_GCM:
case MBEDTLS_MODE_CCM:
+ case MBEDTLS_MODE_CHACHAPOLY:
case MBEDTLS_MODE_STREAM:
transform_expansion = transform->minlen;
break;
case MBEDTLS_MODE_CBC:
- transform_expansion = transform->maclen
- + mbedtls_cipher_get_block_size( &transform->cipher_ctx_enc );
+
+ block_size = mbedtls_cipher_get_block_size(
+ &transform->cipher_ctx_enc );
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+ {
+ /* Expansion due to addition of
+ * - MAC
+ * - CBC padding (theoretically up to 256 bytes, but
+ * we never use more than block_size)
+ * - explicit IV
+ */
+ transform_expansion = transform->maclen + 2 * block_size;
+ }
+ else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
+ {
+ /* No explicit IV prior to TLS 1.1. */
+ transform_expansion = transform->maclen + block_size;
+ }
break;
default: