Fix additional data calculation if CID is disabled

In contrast to other aspects of the Connection ID extension, the CID-based additional data for MAC computations differs from the non-CID case even if the CID length is 0, because it includes the CID length.
2024-12-23 17:55:37 +00:00 · 2019-05-09 11:38:24 +01:00 · 2019-05-09 11:38:24 +01:00 · 1f02f05f2e
parent 3b1a88506b
commit 1f02f05f2e
1 changed files with 14 additions and 9 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -1647,16 +1647,21 @@ static void ssl_extract_add_data_from_record( unsigned char* add_data,
    memcpy( add_data + 9, rec->ver, sizeof( rec->ver ) );

 #if defined(MBEDTLS_SSL_CID)
-    memcpy( add_data + 11, rec->cid, rec->cid_len );
-    add_data[11 + rec->cid_len + 0] = rec->cid_len;
-    add_data[11 + rec->cid_len + 1] = ( rec->data_len >> 8 ) & 0xFF;
-    add_data[11 + rec->cid_len + 2] = ( rec->data_len >> 0 ) & 0xFF;
-    *add_data_len = 13 + 1 + rec->cid_len;
-#else /* MBEDTLS_SSL_CID */
-    add_data[11 + 0] = ( rec->data_len >> 8 ) & 0xFF;
-    add_data[11 + 1] = ( rec->data_len >> 0 ) & 0xFF;
-    *add_data_len = 13;
+    if( rec->cid_len != 0 )
+    {
+        memcpy( add_data + 11, rec->cid, rec->cid_len );
+        add_data[11 + rec->cid_len + 0] = rec->cid_len;
+        add_data[11 + rec->cid_len + 1] = ( rec->data_len >> 8 ) & 0xFF;
+        add_data[11 + rec->cid_len + 2] = ( rec->data_len >> 0 ) & 0xFF;
+        *add_data_len = 13 + 1 + rec->cid_len;
+    }
+    else
 #endif /* MBEDTLS_SSL_CID */
+    {
+        add_data[11 + 0] = ( rec->data_len >> 8 ) & 0xFF;
+        add_data[11 + 1] = ( rec->data_len >> 0 ) & 0xFF;
+        *add_data_len = 13;
+    }
 }

 int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,