From dbd3e8847954e5b0841b31763dcbbf502bd9b431 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 3 Aug 2018 09:40:07 +0100 Subject: [PATCH] Fix mbedtls_ssl_get_record_expansion() for CBC modes `mbedtls_ssl_get_record_expansion()` is supposed to return the maximum difference between the size of a protected record and the size of the encapsulated plaintext. Previously, it did not correctly estimate the maximum record expansion in case of CBC ciphersuites in (D)TLS versions 1.1 and higher, in which case the ciphertext is prefixed by an explicit IV. This commit fixes this bug. Fixes #1914. --- library/ssl_tls.c | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ca9b8c432..088d8b970 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6686,6 +6686,7 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ) { size_t transform_expansion; const mbedtls_ssl_transform *transform = ssl->transform_out; + unsigned block_size; #if defined(MBEDTLS_ZLIB_SUPPORT) if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL ) @@ -6704,8 +6705,27 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ) break; case MBEDTLS_MODE_CBC: - transform_expansion = transform->maclen - + mbedtls_cipher_get_block_size( &transform->cipher_ctx_enc ); + + block_size = mbedtls_cipher_get_block_size( + &transform->cipher_ctx_enc ); + +#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) + if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) + { + /* Expansion due to addition of + * - MAC + * - CBC padding (theoretically up to 256 bytes, but + * we never use more than block_size) + * - explicit IV + */ + transform_expansion = transform->maclen + 2 * block_size; + } + else +#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */ + { + /* No explicit IV prior to TLS 1.1. */ + transform_expansion = transform->maclen + block_size; + } break; default: