Merge branch 'development' into development-restricted

* development: (44 commits) Add test for dependencies on HMAC_DRBG in all.sh Fix undeclared dep on deterministic ECDSA in test Document precondition of nonce-generating function in ssl_msg.c Improve documentation of nonce-generating function in ssl_msg.c Spell out check for non-zero'ness Fix debug print of explicit IV Fix indentation in debug statement in ssl_msg.c Fix typo in check_config.h Mention HKDF in TLS 1.3 feature document Fix typo in header of TLS 1.3 experimental features document Add dependencies for experimental TLS 1.3 features in check_config.h Rename TLS 1.3 padding granularity macro Add documentation on state of upstreaming of TLS 1.3 prototype Change TLS 1.3 default padding to no padding Update query_config.c Fix #endif indicator comment Add missing configuration guards to SSL record protection helpers Introduce configuration option for TLS 1.3 padding granularity Fix copy-pasta in TLS 1.3 record protection unit test names Fix Changelag PR number and uniformize code when prng fails ...
2020-06-08 09:09:04 +02:00 · 2020-06-08 09:09:04 +02:00 · 1fc09be3ea
commit 1fc09be3ea
parent b06d88387e a7f6d25e12
17 changed files with 592 additions and 142 deletions
--- a/ChangeLog.d/fix-ecp-mul-memory-leak.txt
+++ b/ChangeLog.d/fix-ecp-mul-memory-leak.txt
@ -0,0 +1,3 @@
 Bugfix
   * Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz()
     when PRNG function fails. Contributed by Jonas Lejeune in #3318.
--- a/docs/architecture/tls13-experimental.md
+++ b/docs/architecture/tls13-experimental.md
@ -0,0 +1,40 @@
 TLS 1.3 Experimental Developments
 =================================
 Overview
 --------
 Mbed TLS doesn't support the TLS 1.3 protocol yet, but a prototype is in development.
 Stable parts of this prototype that can be independently tested are being successively
 upstreamed under the guard of the following macro:
 ```
 MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
 ```
 This macro will likely be renamed to `MBEDTLS_SSL_PROTO_TLS1_3` once a minimal viable
 implementation of the TLS 1.3 protocol is available.
 See the [documentation of `MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL`](../../include/mbedtls/config.h)
 for more information.
 Status
 ------
 The following lists which parts of the TLS 1.3 prototype have already been upstreamed
 together with their level of testing:
 * TLS 1.3 record protection mechanisms
  The record protection routines `mbedtls_ssl_{encrypt|decrypt}_buf()` have been extended
  to support the modified TLS 1.3 record protection mechanism, including modified computation
  of AAD, IV, and the introduction of a flexible padding.
  Those record protection routines have unit tests in `test_suite_ssl` alongside the
  tests for the other record protection routines.
  TODO: Add some test vectors from RFC 8448.
 - The HKDF key derivation function on which the TLS 1.3 key schedule is based,
  is already present as an independent module controlled by `MBEDTLS_HKDF_C`
  independently of the development of the TLS 1.3 prototype.
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@ -619,6 +619,11 @@
 #error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites"
 #endif
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && ( !defined(MBEDTLS_HKDF_C) && \
    !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C) )
 #error "MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL defined, but not all prerequisites"
 #endif
 #if (defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) ||  \
     defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \
    !(defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) ||                          \
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@ -1706,6 +1706,25 @@
 */
 #define MBEDTLS_SSL_PROTO_TLS1_2
 /**
 * \def MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
 *
 * This macro is used to selectively enable experimental parts
 * of the code that contribute to the ongoing development of
 * the prototype TLS 1.3 and DTLS 1.3 implementation, and provide
 * no other purpose.
 *
 * \warning TLS 1.3 and DTLS 1.3 aren't yet supported in Mbed TLS,
 *          and no feature exposed through this macro is part of the
 *          public API. In particular, features under the control
 *          of this macro are experimental and don't come with any
 *          stability guarantees.
 *
 * Uncomment this macro to enable experimental and partial
 * functionality specific to TLS 1.3.
 */
 //#define MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
 /**
 * \def MBEDTLS_SSL_PROTO_DTLS
 *
@ -3555,6 +3574,22 @@
 */
 //#define MBEDTLS_SSL_CID_PADDING_GRANULARITY 16
 /** \def MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY
 *
 * This option controls the use of record plaintext padding
 * in TLS 1.3.
 *
 * The padding will always be chosen so that the length of the
 * padded plaintext is a multiple of the value of this option.
 *
 * Note: A value of \c 1 means that no padding will be used
 *       for outgoing records.
 *
 * Note: On systems lacking division instructions,
 *       a power of two should be preferred.
 */
 //#define MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY 1
 /** \def MBEDTLS_SSL_OUT_CONTENT_LEN
 *
 * Maximum length (in bytes) of outgoing plaintext fragments.
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -138,6 +138,7 @@
 #define MBEDTLS_SSL_MINOR_VERSION_1             1   /*!< TLS v1.0 */
 #define MBEDTLS_SSL_MINOR_VERSION_2             2   /*!< TLS v1.1 */
 #define MBEDTLS_SSL_MINOR_VERSION_3             3   /*!< TLS v1.2 */
 #define MBEDTLS_SSL_MINOR_VERSION_4             4   /*!< TLS v1.3 (experimental) */
 #define MBEDTLS_SSL_TRANSPORT_STREAM            0   /*!< TLS      */
 #define MBEDTLS_SSL_TRANSPORT_DATAGRAM          1   /*!< DTLS     */
@ -276,6 +277,10 @@
 #define MBEDTLS_SSL_CID_PADDING_GRANULARITY 16
 #endif
 #if !defined(MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY)
 #define MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY 1
 #endif
 /* \} name SECTION: Module settings */
 /*
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@ -554,6 +554,10 @@ typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
 *   time with the 8-byte record sequence number, without prepending the
 *   latter to the encrypted record.
 *
 * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
 * which allows to add flexible length padding and to hide a record's true
 * content type.
 *
 * In addition to type and version, the following parameters are relevant:
 * - The symmetric cipher algorithm to be used.
 * - The (static) encryption/decryption keys for the cipher.
--- a/library/ecp.c
+++ b/library/ecp.c
@ -1544,7 +1544,10 @@ static int ecp_randomize_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *p
            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &l, 1 ) );
        if( count++ > 10 )
-            return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
+        {
            ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
            goto cleanup;
        }
    }
    while( mbedtls_mpi_cmp_int( &l, 1 ) <= 0 );
@ -2278,7 +2281,10 @@ static int ecp_randomize_mxz( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P
            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &l, 1 ) );
        if( count++ > 10 )
-            return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
+        {
            ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
            goto cleanup;
        }
    }
    while( mbedtls_mpi_cmp_int( &l, 1 ) <= 0 );
@ -2856,7 +2862,10 @@ int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
             * such as secp224k1 are actually very close to the worst case.
             */
            if( ++count > 30 )
-                return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
+            {
                ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
                goto cleanup;
            }
            ret = mbedtls_mpi_lt_mpi_ct( d, &grp->N, &cmp );
            if( ret != 0 )
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@ -341,15 +341,25 @@ static void ssl_read_memory( unsigned char *p, size_t len )
 * Encryption/decryption functions
 */
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) ||  \
-/* This functions transforms a DTLS plaintext fragment and a record content
+    defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
- * type into an instance of the DTLSInnerPlaintext structure:
+
 static size_t ssl_compute_padding_length( size_t len,
                                          size_t granularity )
 {
    return( ( granularity - ( len + 1 ) % granularity ) % granularity );
 }
 /* This functions transforms a (D)TLS plaintext fragment and a record content
 * type into an instance of the (D)TLSInnerPlaintext structure. This is used
 * in DTLS 1.2 + CID and within TLS 1.3 to allow flexible padding and to protect
 * a record's content type.
 *
 *        struct {
 *            opaque content[DTLSPlaintext.length];
 *            ContentType real_type;
 *            uint8 zeros[length_of_padding];
- *        } DTLSInnerPlaintext;
+ *        } (D)TLSInnerPlaintext;
 *
 *  Input:
 *  - `content`: The beginning of the buffer holding the
@ -360,23 +370,21 @@ static void ssl_read_memory( unsigned char *p, size_t len )
 *  - `rec_type`: The desired record content type.
 *
 *  Output:
- *  - `content`: The beginning of the resulting DTLSInnerPlaintext structure.
+ *  - `content`: The beginning of the resulting (D)TLSInnerPlaintext structure.
- *  - `*content_size`: The length of the resulting DTLSInnerPlaintext structure.
+ *  - `*content_size`: The length of the resulting (D)TLSInnerPlaintext structure.
 *
 *  Returns:
 *  - `0` on success.
 *  - A negative error code if `max_len` didn't offer enough space
 *    for the expansion.
 */
-static int ssl_cid_build_inner_plaintext( unsigned char *content,
+static int ssl_build_inner_plaintext( unsigned char *content,
                                      size_t *content_size,
                                      size_t remaining,
-                                          uint8_t rec_type )
+                                      uint8_t rec_type,
                                      size_t pad )
 {
    size_t len = *content_size;
    size_t pad = ( MBEDTLS_SSL_CID_PADDING_GRANULARITY -
                   ( len + 1 ) % MBEDTLS_SSL_CID_PADDING_GRANULARITY ) %
        MBEDTLS_SSL_CID_PADDING_GRANULARITY;
    /* Write real content type */
    if( remaining == 0 )
@ -395,9 +403,9 @@ static int ssl_cid_build_inner_plaintext( unsigned char *content,
    return( 0 );
 }
-/* This function parses a DTLSInnerPlaintext structure.
+/* This function parses a (D)TLSInnerPlaintext structure.
- * See ssl_cid_build_inner_plaintext() for details. */
+ * See ssl_build_inner_plaintext() for details. */
-static int ssl_cid_parse_inner_plaintext( unsigned char const *content,
+static int ssl_parse_inner_plaintext( unsigned char const *content,
                                          size_t *content_size,
                                          uint8_t *rec_type )
 {
@ -416,13 +424,15 @@ static int ssl_cid_parse_inner_plaintext( unsigned char const *content,
    return( 0 );
 }
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID ||
          MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
 /* `add_data` must have size 13 Bytes if the CID extension is disabled,
 * and 13 + 1 + CID-length Bytes if the CID extension is enabled. */
 static void ssl_extract_add_data_from_record( unsigned char* add_data,
                                              size_t *add_data_len,
-                                              mbedtls_record *rec )
+                                              mbedtls_record *rec,
                                              unsigned minor_ver )
 {
    /* Quoting RFC 5246 (TLS 1.2):
     *
@ -438,28 +448,50 @@ static void ssl_extract_add_data_from_record( unsigned char* add_data,
     *                         cid +
     *                         cid_length +
     *                         length_of_DTLSInnerPlaintext;
     *
     * For TLS 1.3, the record sequence number is dropped from the AAD
     * and encoded within the nonce of the AEAD operation instead.
     */
-    memcpy( add_data, rec->ctr, sizeof( rec->ctr ) );
+    unsigned char *cur = add_data;
-    add_data[8] = rec->type;
+
-    memcpy( add_data + 9, rec->ver, sizeof( rec->ver ) );
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
    if( minor_ver != MBEDTLS_SSL_MINOR_VERSION_4 )
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
    {
        ((void) minor_ver);
        memcpy( cur, rec->ctr, sizeof( rec->ctr ) );
        cur += sizeof( rec->ctr );
    }
    *cur = rec->type;
    cur++;
    memcpy( cur, rec->ver, sizeof( rec->ver ) );
    cur += sizeof( rec->ver );
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
    if( rec->cid_len != 0 )
    {
-        memcpy( add_data + 11, rec->cid, rec->cid_len );
+        memcpy( cur, rec->cid, rec->cid_len );
-        add_data[11 + rec->cid_len + 0] = rec->cid_len;
+        cur += rec->cid_len;
-        add_data[11 + rec->cid_len + 1] = ( rec->data_len >> 8 ) & 0xFF;
+
-        add_data[11 + rec->cid_len + 2] = ( rec->data_len >> 0 ) & 0xFF;
+        *cur = rec->cid_len;
-        *add_data_len = 13 + 1 + rec->cid_len;
+        cur++;
        cur[0] = ( rec->data_len >> 8 ) & 0xFF;
        cur[1] = ( rec->data_len >> 0 ) & 0xFF;
        cur += 2;
    }
    else
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
    {
-        add_data[11 + 0] = ( rec->data_len >> 8 ) & 0xFF;
+        cur[0] = ( rec->data_len >> 8 ) & 0xFF;
-        add_data[11 + 1] = ( rec->data_len >> 0 ) & 0xFF;
+        cur[1] = ( rec->data_len >> 0 ) & 0xFF;
-        *add_data_len = 13;
+        cur += 2;
    }
    *add_data_len = cur - add_data;
 }
 #if defined(MBEDTLS_SSL_PROTO_SSL3)
@ -509,6 +541,57 @@ static void ssl_mac( mbedtls_md_context_t *md_ctx,
 }
 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
 #if defined(MBEDTLS_GCM_C) || \
    defined(MBEDTLS_CCM_C) || \
    defined(MBEDTLS_CHACHAPOLY_C)
 static int ssl_transform_aead_dynamic_iv_is_explicit(
                                mbedtls_ssl_transform const *transform )
 {
    return( transform->ivlen != transform->fixed_ivlen );
 }
 /* Compute IV := ( fixed_iv || 0 ) XOR ( 0 || dynamic_IV )
 *
 * Concretely, this occurs in two variants:
 *
 * a) Fixed and dynamic IV lengths add up to total IV length, giving
 *       IV = fixed_iv || dynamic_iv
 *
 *    This variant is used in TLS 1.2 when used with GCM or CCM.
 *
 * b) Fixed IV lengths matches total IV length, giving
 *       IV = fixed_iv XOR ( 0 || dynamic_iv )
 *
 *    This variant occurs in TLS 1.3 and for TLS 1.2 when using ChaChaPoly.
 *
 * See also the documentation of mbedtls_ssl_transform.
 *
 * This function has the precondition that
 *
 *     dst_iv_len >= max( fixed_iv_len, dynamic_iv_len )
 *
 * which has to be ensured by the caller. If this precondition
 * violated, the behavior of this function is undefined.
 */
 static void ssl_build_record_nonce( unsigned char *dst_iv,
                                    size_t dst_iv_len,
                                    unsigned char const *fixed_iv,
                                    size_t fixed_iv_len,
                                    unsigned char const *dynamic_iv,
                                    size_t dynamic_iv_len )
 {
    size_t i;
    /* Start with Fixed IV || 0 */
    memset( dst_iv, 0, dst_iv_len );
    memcpy( dst_iv, fixed_iv, fixed_iv_len );
    dst_iv += dst_iv_len - dynamic_iv_len;
    for( i = 0; i < dynamic_iv_len; i++ )
        dst_iv[i] ^= dynamic_iv[i];
 }
 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
 int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
                             mbedtls_ssl_transform *transform,
                             mbedtls_record *rec,
@ -574,6 +657,37 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
    }
    /* The following two code paths implement the (D)TLSInnerPlaintext
     * structure present in TLS 1.3 and DTLS 1.2 + CID.
     *
     * See ssl_build_inner_plaintext() for more information.
     *
     * Note that this changes `rec->data_len`, and hence
     * `post_avail` needs to be recalculated afterwards.
     *
     * Note also that the two code paths cannot occur simultaneously
     * since they apply to different versions of the protocol. There
     * is hence no risk of double-addition of the inner plaintext.
     */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
    if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
    {
        size_t padding =
            ssl_compute_padding_length( rec->data_len,
                                        MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY );
        if( ssl_build_inner_plaintext( data,
                                       &rec->data_len,
                                       post_avail,
                                       rec->type,
                                       padding ) != 0 )
        {
            return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
        }
        rec->type = MBEDTLS_SSL_MSG_APPLICATION_DATA;
    }
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
    /*
     * Add CID information
@ -584,17 +698,21 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
    if( rec->cid_len != 0 )
    {
        size_t padding =
            ssl_compute_padding_length( rec->data_len,
                                        MBEDTLS_SSL_CID_PADDING_GRANULARITY );
        /*
         * Wrap plaintext into DTLSInnerPlaintext structure.
-         * See ssl_cid_build_inner_plaintext() for more information.
+         * See ssl_build_inner_plaintext() for more information.
         *
         * Note that this changes `rec->data_len`, and hence
         * `post_avail` needs to be recalculated afterwards.
         */
-        if( ssl_cid_build_inner_plaintext( data,
+        if( ssl_build_inner_plaintext( data,
                        &rec->data_len,
                        post_avail,
-                        rec->type ) != 0 )
+                        rec->type,
                        padding ) != 0 )
        {
            return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
        }
@ -638,7 +756,8 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
        {
            unsigned char mac[MBEDTLS_SSL_MAC_ADD];
-            ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
+            ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
                                              transform->minor_ver );
            mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
                                    add_data_len );
@ -704,52 +823,51 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
    {
        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
        unsigned char iv[12];
-        size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;
+        unsigned char *dynamic_iv;
        size_t dynamic_iv_len;
        int dynamic_iv_is_explicit =
            ssl_transform_aead_dynamic_iv_is_explicit( transform );
-        /* Check that there's space for both the authentication tag
+        /* Check that there's space for the authentication tag. */
-         * and the explicit IV before and after the record content. */
+        if( post_avail < transform->taglen )
        if( post_avail < transform->taglen ||
            rec->data_offset < explicit_iv_len )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
            return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
        }
        /*
-         * Generate IV
+         * Build nonce for AEAD encryption.
         *
         * Note: In the case of CCM and GCM in TLS 1.2, the dynamic
         *       part of the IV is prepended to the ciphertext and
         *       can be chosen freely - in particular, it need not
         *       agree with the record sequence number.
         *       However, since ChaChaPoly as well as all AEAD modes
         *       in TLS 1.3 use the record sequence number as the
         *       dynamic part of the nonce, we uniformly use the
         *       record sequence number here in all cases.
         */
-        if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
+        dynamic_iv     = rec->ctr;
-        {
+        dynamic_iv_len = sizeof( rec->ctr );
            /* GCM and CCM: fixed || explicit (=seqnum) */
            memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
            memcpy( iv + transform->fixed_ivlen, rec->ctr,
                    explicit_iv_len );
            /* Prefix record content with explicit IV. */
            memcpy( data - explicit_iv_len, rec->ctr, explicit_iv_len );
        }
        else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
        {
            /* ChachaPoly: fixed XOR sequence number */
            unsigned char i;
-            memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
+        ssl_build_record_nonce( iv, sizeof( iv ),
                                transform->iv_enc,
                                transform->fixed_ivlen,
                                dynamic_iv,
                                dynamic_iv_len );
-            for( i = 0; i < 8; i++ )
+        /*
-                iv[i+4] ^= rec->ctr[i];
+         * Build additional data for AEAD encryption.
-        }
+         * This depends on the TLS version.
-        else
+         */
-        {
+        ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
-            /* Reminder if we ever add an AEAD mode with a different size */
+                                          transform->minor_ver );
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
        }
        ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
        MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)",
                               iv, transform->ivlen );
        MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)",
-                                  data - explicit_iv_len, explicit_iv_len );
+                               dynamic_iv,
                               dynamic_iv_is_explicit ? dynamic_iv_len : 0 );
        MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
                               add_data, add_data_len );
        MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
@ -770,17 +888,32 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
            return( ret );
        }
        MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag",
                               data + rec->data_len, transform->taglen );
-
+        /* Account for authentication tag. */
-        rec->data_len    += transform->taglen + explicit_iv_len;
+        rec->data_len += transform->taglen;
        rec->data_offset -= explicit_iv_len;
        post_avail -= transform->taglen;
        /*
         * Prefix record content with dynamic IV in case it is explicit.
         */
        if( dynamic_iv_is_explicit != 0 )
        {
            if( rec->data_offset < dynamic_iv_len )
            {
                MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
                return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
            }
            memcpy( data - dynamic_iv_len, dynamic_iv, dynamic_iv_len );
            rec->data_offset -= dynamic_iv_len;
            rec->data_len    += dynamic_iv_len;
        }
        auth_done++;
    }
    else
-#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
 #if defined(MBEDTLS_CIPHER_MODE_CBC) &&                                    \
    ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
    if( mode == MBEDTLS_MODE_CBC )
@ -898,7 +1031,8 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
                return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
            }
-            ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
+            ssl_extract_add_data_from_record( add_data, &add_data_len,
                                              rec, transform->minor_ver );
            MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
            MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
@ -1012,61 +1146,61 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
        mode == MBEDTLS_MODE_CHACHAPOLY )
    {
        unsigned char iv[12];
-        size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;
+        unsigned char *dynamic_iv;
        size_t dynamic_iv_len;
        /*
-         * Prepare IV from explicit and implicit data.
+         * Extract dynamic part of nonce for AEAD decryption.
         *
         * Note: In the case of CCM and GCM in TLS 1.2, the dynamic
         *       part of the IV is prepended to the ciphertext and
         *       can be chosen freely - in particular, it need not
         *       agree with the record sequence number.
         */
-
+        dynamic_iv_len = sizeof( rec->ctr );
-        /* Check that there's enough space for the explicit IV
+        if( ssl_transform_aead_dynamic_iv_is_explicit( transform ) == 1 )
         * (at the beginning of the record) and the MAC (at the
         * end of the record). */
        if( rec->data_len < explicit_iv_len + transform->taglen )
        {
-            MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
+            if( rec->data_len < dynamic_iv_len )
-                                        "+ taglen (%d)", rec->data_len,
+            {
-                                        explicit_iv_len, transform->taglen ) );
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) ",
                                            rec->data_len,
                                            dynamic_iv_len ) );
                return( MBEDTLS_ERR_SSL_INVALID_MAC );
            }
            dynamic_iv = data;
-#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)
+            data += dynamic_iv_len;
-        if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
+            rec->data_offset += dynamic_iv_len;
-        {
+            rec->data_len    -= dynamic_iv_len;
            /* GCM and CCM: fixed || explicit */
            /* Fixed */
            memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
            /* Explicit */
            memcpy( iv + transform->fixed_ivlen, data, 8 );
        }
        else
 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
 #if defined(MBEDTLS_CHACHAPOLY_C)
        if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
        {
-            /* ChachaPoly: fixed XOR sequence number */
+            dynamic_iv = rec->ctr;
            unsigned char i;
            memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
            for( i = 0; i < 8; i++ )
                iv[i+4] ^= rec->ctr[i];
        }
        else
 #endif /* MBEDTLS_CHACHAPOLY_C */
        {
            /* Reminder if we ever add an AEAD mode with a different size */
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
        }
-        /* Group changes to data, data_len, and add_data, because
+        /* Check that there's space for the authentication tag. */
-         * add_data depends on data_len. */
+        if( rec->data_len < transform->taglen )
-        data += explicit_iv_len;
+        {
-        rec->data_offset += explicit_iv_len;
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < taglen (%d) " ) );
-        rec->data_len -= explicit_iv_len + transform->taglen;
+            return( MBEDTLS_ERR_SSL_INVALID_MAC );
        }
        rec->data_len -= transform->taglen;
-        ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
+        /*
         * Prepare nonce from dynamic and static parts.
         */
        ssl_build_record_nonce( iv, sizeof( iv ),
                                transform->iv_dec,
                                transform->fixed_ivlen,
                                dynamic_iv,
                                dynamic_iv_len );
        /*
         * Build additional data for AEAD encryption.
         * This depends on the TLS version.
         */
        ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
                                          transform->minor_ver );
        MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
                               add_data, add_data_len );
@ -1178,7 +1312,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
             *
             * Further, we still know that data_len > minlen */
            rec->data_len -= transform->maclen;
-            ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
+            ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
                                              transform->minor_ver );
            /* Calculate expected MAC. */
            MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
@ -1397,7 +1532,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
         * hence data_len >= maclen in any case.
         */
        rec->data_len -= transform->maclen;
-        ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
+        ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
                                          transform->minor_ver );
 #if defined(MBEDTLS_SSL_PROTO_SSL3)
        if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
@ -1549,10 +1685,22 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
    }
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
    if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
    {
        /* Remove inner padding and infer true content type. */
        ret = ssl_parse_inner_plaintext( data, &rec->data_len,
                                         &rec->type );
        if( ret != 0 )
            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
    }
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
    if( rec->cid_len != 0 )
    {
-        ret = ssl_cid_parse_inner_plaintext( data, &rec->data_len,
+        ret = ssl_parse_inner_plaintext( data, &rec->data_len,
                                         &rec->type );
        if( ret != 0 )
            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
@ -4866,6 +5014,15 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
 *       and the caller has to make sure there's space for this.
 */
 static size_t ssl_transform_get_explicit_iv_len(
                        mbedtls_ssl_transform const *transform )
 {
    if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
        return( 0 );
    return( transform->ivlen - transform->fixed_ivlen );
 }
 void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl,
                                      mbedtls_ssl_transform *transform )
 {
@ -4894,14 +5051,10 @@ void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl,
        ssl->out_iv  = ssl->out_hdr + 5;
    }
    /* Adjust out_msg to make space for explicit IV, if used. */
    if( transform != NULL &&
        ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
    {
        ssl->out_msg = ssl->out_iv + transform->ivlen - transform->fixed_ivlen;
    }
    else
    ssl->out_msg = ssl->out_iv;
    /* Adjust out_msg to make space for explicit IV, if used. */
    if( transform != NULL )
        ssl->out_msg += ssl_transform_get_explicit_iv_len( transform );
 }
 /* Once ssl->in_hdr as the address of the beginning of the
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -973,15 +973,28 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
        transform->taglen =
            ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
-        /* All modes haves 96-bit IVs;
+        /* All modes haves 96-bit IVs, but the length of the static parts vary
-         * GCM and CCM has 4 implicit and 8 explicit bytes
+         * with mode and version:
-         * ChachaPoly has all 12 bytes implicit
+         * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes
         *   (to be concatenated with a dynamically chosen IV of 8 Bytes)
         * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's
         *   a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record
         *   sequence number).
         */
        transform->ivlen = 12;
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
        if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
        {
            transform->fixed_ivlen = 12;
        }
        else
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
        {
            if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
                transform->fixed_ivlen = 12;
            else
                transform->fixed_ivlen = 4;
        }
        /* Minimum length of encrypted record */
        explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
--- a/library/version_features.c
+++ b/library/version_features.c
@ -519,6 +519,9 @@ static const char * const features[] = {
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
    "MBEDTLS_SSL_PROTO_TLS1_2",
 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
    "MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL",
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
    "MBEDTLS_SSL_PROTO_DTLS",
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
--- a/programs/test/query_config.c
+++ b/programs/test/query_config.c
@ -1426,6 +1426,14 @@ int query_config( const char *config )
    }
 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
    if( strcmp( "MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL", config ) == 0 )
    {
        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL );
        return( 0 );
    }
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
    if( strcmp( "MBEDTLS_SSL_PROTO_DTLS", config ) == 0 )
    {
@ -2610,6 +2618,14 @@ int query_config( const char *config )
    }
 #endif /* MBEDTLS_SSL_CID_PADDING_GRANULARITY */
 #if defined(MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY)
    if( strcmp( "MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY", config ) == 0 )
    {
        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY );
        return( 0 );
    }
 #endif /* MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY */
 #if defined(MBEDTLS_SSL_OUT_CONTENT_LEN)
    if( strcmp( "MBEDTLS_SSL_OUT_CONTENT_LEN", config ) == 0 )
    {
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@ -846,7 +846,23 @@ component_test_no_ctr_drbg () {
    msg "test: no CTR_DRBG"
    make test
-    # no SSL tests as they all depend on CTR_DRBG so far
+    # no ssl-opt.sh/compat.sh as they all depend on CTR_DRBG so far
 }
 component_test_no_hmac_drbg () {
    msg "build: Full minus HMAC_DRBG"
    scripts/config.py full
    scripts/config.py unset MBEDTLS_HMAC_DRBG_C
    scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
    make
    msg "test: no HMAC_DRBG"
    make test
    # No ssl-opt.sh/compat.sh as they never use HMAC_DRBG so far,
    # so there's little value in running those lengthy tests here.
 }
 component_test_new_ecdh_context () {
@ -1731,6 +1747,15 @@ component_test_allow_sha1 () {
    if_build_succeeded tests/ssl-opt.sh -f SHA-1
 }
 component_test_tls13_experimental () {
    msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL enabled"
    scripts/config.pl set MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
    make
    msg "test: default config with MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL enabled"
    make test
 }
 component_build_mingw () {
    msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s
    make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib programs
--- a/tests/suites/test_suite_ecp.data
+++ b/tests/suites/test_suite_ecp.data
@ -446,6 +446,14 @@ ECP point multiplication Curve25519 (element of order 8) #5
 depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
 ecp_test_mul:MBEDTLS_ECP_DP_CURVE25519:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF517369C660":"B8495F16056286FDB1329CEB8D09DA6AC49FF1FAE35616AEB8413B7C7AEBE0":"00":"01":"00":"01":"00":MBEDTLS_ERR_MPI_NOT_ACCEPTABLE
 ECP point multiplication rng fail secp256r1
 depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
 ecp_test_mul_rng:MBEDTLS_ECP_DP_SECP256R1:"814264145F2F56F2E96A8E337A1284993FAF432A5ABCE59E867B7291D507A3AF"
 ECP point multiplication rng fail Curve25519
 depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
 ecp_test_mul_rng:MBEDTLS_ECP_DP_CURVE25519:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF517369C660"
 ECP test vectors Curve448 (RFC 7748 6.2, after decodeUCoordinate)
 depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
 ecp_test_vec_x:MBEDTLS_ECP_DP_CURVE448:"eb7298a5c0d8c29a1dab27f1a6826300917389449741a974f5bac9d98dc298d46555bce8bae89eeed400584bb046cf75579f51d125498f98":"a01fc432e5807f17530d1288da125b0cd453d941726436c8bbd9c5222c3da7fa639ce03db8d23b274a0721a1aed5227de6e3b731ccf7089b":"ad997351b6106f36b0d1091b929c4c37213e0d2b97e85ebb20c127691d0dad8f1d8175b0723745e639a3cb7044290b99e0e2a0c27a6a301c":"0936f37bc6c1bd07ae3dec7ab5dc06a73ca13242fb343efc72b9d82730b445f3d4b0bd077162a46dcfec6f9b590bfcbcf520cdb029a8b73e":"9d874a5137509a449ad5853040241c5236395435c36424fd560b0cb62b281d285275a740ce32a22dd1740f4aa9161cec95ccc61a18f4ff07"
--- a/tests/suites/test_suite_ecp.function
+++ b/tests/suites/test_suite_ecp.function
@ -724,6 +724,31 @@ exit:
 }
 /* END_CASE */
 /* BEGIN_CASE */
 void ecp_test_mul_rng( int id, data_t * d_hex)
 {
    mbedtls_ecp_group grp;
    mbedtls_mpi d;
    mbedtls_ecp_point Q;
    mbedtls_ecp_group_init( &grp ); mbedtls_mpi_init( &d );
    mbedtls_ecp_point_init( &Q );
    TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
    TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &grp.G ) == 0 );
    TEST_ASSERT( mbedtls_mpi_read_binary( &d, d_hex->x, d_hex->len ) == 0 );
    TEST_ASSERT( mbedtls_ecp_mul( &grp, &Q, &d, &grp.G, &rnd_zero_rand, NULL )
                 == MBEDTLS_ERR_ECP_RANDOM_FAILED );
 exit:
    mbedtls_ecp_group_free( &grp ); mbedtls_mpi_free( &d );
    mbedtls_ecp_point_free( &Q );
 }
 /* END_CASE */
 /* BEGIN_CASE */
 void ecp_fast_mod( int id, char * N_str )
 {
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@ -1655,7 +1655,7 @@ depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_C:MBEDTLS_PKCS1_V15:MBEDT
 sign_fail:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":127:PSA_ERROR_BUFFER_TOO_SMALL
 PSA sign: deterministic ECDSA SECP256R1 SHA-256, output buffer too small
-depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C
+depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECDSA_DETERMINISTIC
 sign_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_ERROR_BUFFER_TOO_SMALL
 PSA sign: RSA PKCS#1 v1.5 SHA-256, empty output buffer
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@ -4154,6 +4154,10 @@ Record crypt, AES-128-GCM, 1.2
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
 ssl_crypt_record:MBEDTLS_CIPHER_AES_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0
 Record crypt, AES-128-GCM, 1.3
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_GCM_C
 ssl_crypt_record:MBEDTLS_CIPHER_AES_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0
 Record crypt, AES-128-GCM, 1.2, CID 4+4
 depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
 ssl_crypt_record:MBEDTLS_CIPHER_AES_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:4:4
@ -4178,6 +4182,10 @@ Record crypt, AES-192-GCM, 1.2
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
 ssl_crypt_record:MBEDTLS_CIPHER_AES_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0
 Record crypt, AES-192-GCM, 1.3
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_GCM_C
 ssl_crypt_record:MBEDTLS_CIPHER_AES_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0
 Record crypt, AES-192-GCM, 1.2, CID 4+4
 depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
 ssl_crypt_record:MBEDTLS_CIPHER_AES_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:4:4
@ -4202,6 +4210,10 @@ Record crypt, AES-256-GCM, 1.2
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
 ssl_crypt_record:MBEDTLS_CIPHER_AES_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0
 Record crypt, AES-256-GCM, 1.3
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_GCM_C
 ssl_crypt_record:MBEDTLS_CIPHER_AES_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0
 Record crypt, AES-256-GCM, 1.2, CID 4+4
 depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
 ssl_crypt_record:MBEDTLS_CIPHER_AES_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:4:4
@ -4298,6 +4310,10 @@ Record crypt, AES-128-CCM, 1.2
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
 ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0
 Record crypt, AES-128-CCM, 1.3
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_CCM_C
 ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0
 Record crypt, AES-128-CCM, 1.2, CID 4+4
 depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
 ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:4:4
@ -4322,6 +4338,10 @@ Record crypt, AES-192-CCM, 1.2
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
 ssl_crypt_record:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0
 Record crypt, AES-192-CCM, 1.3
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_CCM_C
 ssl_crypt_record:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0
 Record crypt, AES-192-CCM, 1.2, CID 4+4
 depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
 ssl_crypt_record:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:4:4
@ -4346,6 +4366,10 @@ Record crypt, AES-256-CCM, 1.2
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
 ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0
 Record crypt, AES-256-CCM, 1.3
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_CCM_C
 ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0
 Record crypt, AES-256-CCM, 1.2, CID 4+4
 depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
 ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:4:4
@ -5018,10 +5042,18 @@ Record crypt, ChachaPoly
 depends_on:MBEDTLS_CHACHAPOLY_C:MBEDTLS_SSL_PROTO_TLS1_2
 ssl_crypt_record:MBEDTLS_CIPHER_CHACHA20_POLY1305:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0
 Record crypt, ChachaPoly, 1.3
 depends_on:MBEDTLS_CHACHAPOLY_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
 ssl_crypt_record:MBEDTLS_CIPHER_CHACHA20_POLY1305:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0
 Record crypt, little space, ChachaPoly
 depends_on:MBEDTLS_CHACHAPOLY_C:MBEDTLS_SSL_PROTO_TLS1_2
 ssl_crypt_record_small:MBEDTLS_CIPHER_CHACHA20_POLY1305:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0
 Record crypt, little space, ChachaPoly, 1.3
 depends_on:MBEDTLS_CHACHAPOLY_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
 ssl_crypt_record_small:MBEDTLS_CIPHER_CHACHA20_POLY1305:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0
 Record crypt, little space, ChachaPoly, CID 4+4
 depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CHACHAPOLY_C:MBEDTLS_SSL_PROTO_TLS1_2
 ssl_crypt_record_small:MBEDTLS_CIPHER_CHACHA20_POLY1305:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:4:4
@ -8554,6 +8586,10 @@ Record crypt, little space, AES-128-GCM, 1.2
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
 ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0
 Record crypt, little space, AES-128-GCM, 1.3
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_GCM_C
 ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0
 Record crypt, little space, AES-128-GCM, 1.2, CID 4+4
 depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
 ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:4:4
@ -8578,6 +8614,10 @@ Record crypt, little space, AES-192-GCM, 1.2
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
 ssl_crypt_record_small:MBEDTLS_CIPHER_AES_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0
 Record crypt, little space, AES-192-GCM, 1.3
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_GCM_C
 ssl_crypt_record_small:MBEDTLS_CIPHER_AES_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0
 Record crypt, little space, AES-192-GCM, 1.2, CID 4+4
 depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
 ssl_crypt_record_small:MBEDTLS_CIPHER_AES_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:4:4
@ -8602,6 +8642,10 @@ Record crypt, little space, AES-256-GCM, 1.2
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
 ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0
 Record crypt, little space, AES-256-GCM, 1.3
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_GCM_C
 ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0
 Record crypt, little space, AES-256-GCM, 1.2, CID 4+4
 depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
 ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:4:4
@ -8698,6 +8742,10 @@ Record crypt, little space, AES-128-CCM, 1.2
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
 ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0
 Record crypt, little space, AES-128-CCM, 1.3
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_CCM_C
 ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0
 Record crypt, little space, AES-128-CCM, 1.2, CID 4+4
 depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
 ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:4:4
@ -8722,6 +8770,10 @@ Record crypt, little space, AES-192-CCM, 1.2
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
 ssl_crypt_record_small:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0
 Record crypt, little space, AES-192-CCM, 1.3
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_CCM_C
 ssl_crypt_record_small:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0
 Record crypt, little space, AES-192-CCM, 1.2, CID 4+4
 depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
 ssl_crypt_record_small:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:4:4
@ -8746,6 +8798,10 @@ Record crypt, little space, AES-256-CCM, 1.2
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
 ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0
 Record crypt, little space, AES-256-CCM, 1.3
 depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_CCM_C
 ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0
 Record crypt, little space, AES-256-CCM, 1.2, CID 4+4
 depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
 ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:4:4
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@ -1308,8 +1308,18 @@ static int build_transforms( mbedtls_ssl_transform *t_in,
    {
        case MBEDTLS_MODE_GCM:
        case MBEDTLS_MODE_CCM:
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
            if( ver == MBEDTLS_SSL_MINOR_VERSION_4 )
            {
                t_out->fixed_ivlen = 12;
                t_in->fixed_ivlen  = 12;
            }
            else
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
            {
                t_out->fixed_ivlen = 4;
                t_in->fixed_ivlen = 4;
            }
            t_out->maclen = 0;
            t_in->maclen = 0;
            switch( tag_mode )
@ -3182,6 +3192,26 @@ void ssl_crypt_record( int cipher_type, int hash_id,
            continue;
        }
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
        if( rec.cid_len != 0 )
        {
            /* DTLS 1.2 + CID hides the real content type and
             * uses a special CID content type in the protected
             * record. Double-check this. */
            TEST_ASSERT( rec.type == MBEDTLS_SSL_MSG_CID );
        }
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
        if( t_enc->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
        {
            /* TLS 1.3 hides the real content type and
             * always uses Application Data as the content type
             * for protected records. Double-check this. */
            TEST_ASSERT( rec.type == MBEDTLS_SSL_MSG_APPLICATION_DATA );
        }
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
        /* Decrypt record with t_dec */
        ret = mbedtls_ssl_decrypt_buf( &ssl, t_dec, &rec );
        TEST_ASSERT( ret == 0 );
@ -3325,6 +3355,26 @@ void ssl_crypt_record_small( int cipher_type, int hash_id,
            if( ret != 0 )
                continue;
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
            if( rec.cid_len != 0 )
            {
                /* DTLS 1.2 + CID hides the real content type and
                 * uses a special CID content type in the protected
                 * record. Double-check this. */
                TEST_ASSERT( rec.type == MBEDTLS_SSL_MSG_CID );
            }
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
            if( t_enc->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
            {
                /* TLS 1.3 hides the real content type and
                 * always uses Application Data as the content type
                 * for protected records. Double-check this. */
                TEST_ASSERT( rec.type == MBEDTLS_SSL_MSG_APPLICATION_DATA );
            }
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
            /* Decrypt record with t_dec */
            TEST_ASSERT( mbedtls_ssl_decrypt_buf( &ssl, t_dec, &rec ) == 0 );