Account for additional record expansion when using CIDs

Using the Connection ID extension increases the maximum record expansion
because
- the real record content type is added to the plaintext
- the plaintext may be padded with an arbitrary number of
  zero bytes, in order to prevent leakage of information
  through packet length analysis. Currently, we always
  pad the plaintext in a minimal way so that its length
  is a multiple of 16 Bytes.

This commit adapts the various parts of the library to account
for that additional source of record expansion.
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index c7668eb..41a1c7f 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -175,10 +175,19 @@
 #define MBEDTLS_SSL_PADDING_ADD              0
 #endif
 
+#if defined(MBEDTLS_SSL_CID)
+#define MBEDTLS_SSL_MAX_CID_EXPANSION       16 /* Currently, we pad records
+                                                * to lengths which are multiples
+                                                * of 16 Bytes. */
+#else
+#define MBEDTLS_SSL_MAX_CID_EXPANSION        0
+#endif
+
 #define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_SSL_COMPRESSION_ADD +    \
                                        MBEDTLS_MAX_IV_LENGTH +          \
                                        MBEDTLS_SSL_MAC_ADD +            \
-                                       MBEDTLS_SSL_PADDING_ADD          \
+                                       MBEDTLS_SSL_PADDING_ADD +        \
+                                       MBEDTLS_SSL_MAX_CID_EXPANSION    \
                                        )
 
 #define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
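Review bot: The comment on `MBEDTLS_SSL_MAX_CID_EXPANSION` explains only the padding, so the value 16 reads as an off-by-one when it is in fact the content-type byte plus worst-case padding. Going by the commit message, the bound is 1 byte for the real record content type plus at most 15 zero bytes to reach the next multiple of 16. I would spell that out, e.g. `/* 1 byte inner content type + up to 15 bytes of zero padding to a multiple of 16 */`. The constant is also tied to the current padding granularity, so the comment should say that it must be raised if the padding policy ever pads more aggressively; otherwise the payload overhead, and every buffer size derived from it, silently becomes too small.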
@@ -231,11 +240,23 @@
    implicit sequence number. */
 #define MBEDTLS_SSL_HEADER_LEN 13
 
+#if defined(MBEDTLS_SSL_CID)
 #define MBEDTLS_SSL_IN_BUFFER_LEN  \
     ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
+#else
+#define MBEDTLS_SSL_IN_BUFFER_LEN  \
+    ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) \
+      + ( MBEDTLS_SSL_CID_IN_LEN_MAX ) )
+#endif
 
+#if defined(MBEDTLS_SSL_CID)
 #define MBEDTLS_SSL_OUT_BUFFER_LEN  \
     ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
+#else
+#define MBEDTLS_SSL_OUT_BUFFER_LEN                               \
+    ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN )    \
+      + ( MBEDTLS_SSL_CID_OUT_LEN_MAX ) )
+#endif
 
 #ifdef MBEDTLS_ZLIB_SUPPORT
 /* Compression buffer holds both IN and OUT buffers, so should be size of the larger */
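Review bot: The conditions guarding `MBEDTLS_SSL_IN_BUFFER_LEN` and `MBEDTLS_SSL_OUT_BUFFER_LEN` look inverted: with `MBEDTLS_SSL_CID` defined the buffers keep the old size, and the `MBEDTLS_SSL_CID_IN_LEN_MAX` / `MBEDTLS_SSL_CID_OUT_LEN_MAX` terms are added only in the `#else` branch, where CID is disabled. In a CID build this leaves no room for the CID bytes, which are presumably carried in the record header, so any code that sizes or bounds-checks the I/O buffers from these macros would be working with too small a value. In a non-CID build the `#else` branch references macros that may not be defined there (their definitions are outside this hunk). Both guards should read `#if !defined(MBEDTLS_SSL_CID)`, or the two branches should be swapped.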
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index ab2ae6f..cce834e 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -9261,6 +9261,11 @@
             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
     }
 
+#if defined(MBEDTLS_SSL_CID)
+    if( transform->out_cid_len != 0 )
+        transform_expansion += MBEDTLS_SSL_MAX_CID_EXPANSION;
+#endif /* MBEDTLS_SSL_CID */
+
     return( (int)( out_hdr_len + transform_expansion ) );
 }
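Review bot: The added block accounts only for the growth of the inner plaintext (content-type byte and padding); the CID bytes in the record header are not added here, so they must already be part of `out_hdr_len`. That variable is computed above the hunk, outside the visible lines, so this cannot be confirmed from the diff. Callers presumably use this return value to fit records into a datagram, so an under-estimate would yield oversized records. Once confirmed, a short comment would record the split, e.g. `/* Content type byte and worst-case padding; the CID itself is counted in out_hdr_len. */`.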