From 550e1662c7f22c33c0c00c41d365aa013dd2b421 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Wed, 8 May 2019 17:37:58 +0100
Subject: [PATCH] Allow the configuration of padding when using CID extension
---
 include/mbedtls/config.h | 16 ++++++++++++++++
 include/mbedtls/ssl.h | 4 ++++
 include/mbedtls/ssl_internal.h | 4 +---
 library/ssl_tls.c | 4 +++-
 programs/ssl/query_config.c | 8 ++++++++
 5 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 3f82acb58..aa6b59744 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -3200,6 +3200,22 @@
 */
 //#define MBEDTLS_SSL_CID_OUT_LEN_MAX 32
+/** \def MBEDTLS_SSL_CID_PADDING_GRANULARITY
+ *
+ * This option controls the use of record plaintext padding
+ * when using the Connection ID extension in DTLS 1.2.
+ *
+ * The padding will always be chosen so that the length of the
+ * padded plaintext is a multiple of the value of this option.
+ *
+ * Note: A value of \c 1 means that no padding will be used
+ * for outgoing records.
+ *
+ * The value MUST be a power of 2.
+ *
+ */
+//#define MBEDTLS_SSL_CID_PADDING_GRANULARITY 16
+
 /** \def MBEDTLS_SSL_OUT_CONTENT_LEN
 *
 * Maximum length (in bytes) of outgoing plaintext fragments.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index d8a5a845d..20f55af22 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -266,6 +266,10 @@
 #define MBEDTLS_SSL_CID_OUT_LEN_MAX 32
 #endif
+#if !defined(MBEDTLS_SSL_CID_PADDING_GRANULARITY)
+#define MBEDTLS_SSL_CID_PADDING_GRANULARITY 16
+#endif
+
 /* \} name SECTION: Module settings */
 /*
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 03b914b9d..03c2d743a 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
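Review bot: The new MBEDTLS_SSL_CID_PADDING_GRANULARITY doc comment in config.h states the power-of-2 requirement but says nothing about what the option buys or costs, which is exactly what someone tuning it for traffic-analysis resistance needs to know. Given the mask `~len & ( MBEDTLS_SSL_CID_PADDING_GRANULARITY - 1 )` used in ssl_tls.c in this same patch, a record carries between 0 and (value - 1) padding bytes, so an on-path observer still learns the plaintext length to within a bucket of that size, and the padding is a deterministic function of the content length rather than random. I would add after the "multiple of the value of this option" paragraph: `Larger values hide the plaintext length more coarsely from an observer but cost up to (value - 1) extra bytes per record; the padding depends only on the content length and provides no length hiding beyond that bucketing.` It is also worth saying explicitly that the value must be at least 1, since nothing in this patch rejects 0.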
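Review bot: The defaulting block added to ssl.h accepts whatever value a build passes in, while the rest of the patch silently assumes a non-zero power of 2: in ssl_tls.c the mask is `MBEDTLS_SSL_CID_PADDING_GRANULARITY - 1`, so a non-power-of-2 produces a pad length that does not reach a multiple of the granularity, and 0 makes the mask `-1` (all bits set once converted to size_t), turning `pad` into `~len`. Right after the new `#endif` (or in check_config.h, where mbedtls keeps such checks) I would reject bad values at compile time: `#if MBEDTLS_SSL_CID_PADDING_GRANULARITY == 0 || ( MBEDTLS_SSL_CID_PADDING_GRANULARITY & ( MBEDTLS_SSL_CID_PADDING_GRANULARITY - 1 ) ) != 0` / `#error "MBEDTLS_SSL_CID_PADDING_GRANULARITY must be a non-zero power of 2"` / `#endif`. Whether an oversized pad would later be caught by the `remaining` check in ssl_cid_build_inner_plaintext is outside the visible hunks, so the compile-time guard is the safer place to enforce the documented MUST.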
@@ -167,9 +167,7 @@
 #endif
 #if defined(MBEDTLS_SSL_CID)
-#define MBEDTLS_SSL_MAX_CID_EXPANSION 16 /* Currently, we pad records
- * to lengths which are multiples
- * of 16 Bytes. */
+#define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_PADDING_GRANULARITY
 #else
 #define MBEDTLS_SSL_MAX_CID_EXPANSION 0
 #endif
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 6711fd2ab..eb332b89f 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1591,7 +1591,9 @@ static int ssl_cid_build_inner_plaintext( unsigned char *content,
 uint8_t rec_type )
 {
 size_t len = *content_size;
- size_t pad = ~len & 0xF; /* Pad to a multiple of 16 */
+
+ /* MBEDTLS_SSL_CID_PADDING_GRANULARITY must be a power of 2. */
+ size_t pad = ~len & ( MBEDTLS_SSL_CID_PADDING_GRANULARITY - 1 );
 /* Write real content type */
 if( remaining == 0 )
diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c
index 6c76f47a5..2423856a9 100644
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@@ -2450,6 +2450,14 @@ int query_config( const char *config )
 }
 #endif /* MBEDTLS_SSL_CID_OUT_LEN_MAX */
+#if defined(MBEDTLS_SSL_CID_PADDING_GRANULARITY)
+ if( strcmp( "MBEDTLS_SSL_CID_PADDING_GRANULARITY", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CID_PADDING_GRANULARITY );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_CID_PADDING_GRANULARITY */
+
 #if defined(MBEDTLS_SSL_OUT_CONTENT_LEN)
 if( strcmp( "MBEDTLS_SSL_OUT_CONTENT_LEN", config ) == 0 )
 {
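Review bot: The replacement `#define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_PADDING_GRANULARITY` drops the comment that explained where the old 16 came from, and the new value is only correct because of an invariant that lives in ssl_tls.c: `pad = ~len & ( G - 1 )` is at most G - 1, and with the single inner content-type byte that ssl_cid_build_inner_plaintext appears to write ("Write real content type" in the same patch), the worst-case expansion is exactly G. That coupling is invisible from either file, and a later change to the padding formula or an additional inner-plaintext byte would exceed the reserved space with no compile-time complaint. I would keep an explanatory comment on the new line, e.g. `/* At most (granularity - 1) padding bytes plus the inner content type byte; must match ssl_cid_build_inner_plaintext(). */`.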
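Review bot: The new comment above `size_t pad = ~len & ( MBEDTLS_SSL_CID_PADDING_GRANULARITY - 1 );` states a precondition but no longer says what the expression computes, which the removed `/* Pad to a multiple of 16 */` at least hinted at. For a power-of-2 G the mask evaluates to `(G - 1) - (len % G)`, so it is `len` plus the one content-type byte, not `len` itself, that lands on a multiple of G; a reader checking the arithmetic can easily mistake that for an off-by-one. I would extend the comment to something like `/* pad = (G - 1) - (len % G) for power-of-2 G, so len + 1 (inner content type) + pad is a multiple of G; pad <= G - 1, which MBEDTLS_SSL_MAX_CID_EXPANSION relies on. */`. The remainder of ssl_cid_build_inner_plaintext, including the `remaining` check that begins on the hunk's last line, is outside the hunk.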