Add support for TLS 1.3 record protection to ssl_populate_transform()
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 116d2a2..30c917b 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -977,14 +977,24 @@
* with mode and version:
* - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes
* (to be concatenated with a dynamically chosen IV of 8 Bytes)
- * - For ChaChaPoly in TLS 1.2, there's a static IV of 12 Bytes
- * (to be XOR'ed with the 8 Byte record sequence number).
+ * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's
+ * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record
+ * sequence number).
*/
transform->ivlen = 12;
- if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+ if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
+ {
transform->fixed_ivlen = 12;
+ }
else
- transform->fixed_ivlen = 4;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+ {
+ if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
+ transform->fixed_ivlen = 12;
+ else
+ transform->fixed_ivlen = 4;
+ }
/* Minimum length of encrypted record */
explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
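Review bot: The new TLS 1.3 branch sets `transform->fixed_ivlen = 12;` without a comment at the assignment, although it makes `explicit_ivlen` just below come out as 0 for GCM and CCM too, so the per-record nonce depends only on the static IV and the sequence number. I would add a comment there such as `/* TLS 1.3: the whole 12-byte IV is static; the nonce is IV XOR zero-padded sequence number, nothing explicit on the wire. */`. I would also have the header comment say that the 8-byte sequence number is left-padded to the IV length before the XOR. The nonce construction is outside this hunk, so it is worth confirming that the record encrypt and decrypt paths choose the XOR construction from `fixed_ivlen == ivlen` rather than from `cipher_info->mode`. Otherwise GCM/CCM under TLS 1.3 would presumably fall into the TLS 1.2 concatenation path with an empty explicit part, which fixes the nonce across records. The enclosing function starts and ends outside the hunk.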