Add ssl_get_record_expansion()
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 0c167bd..5c92d37 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -1856,6 +1856,18 @@
*/
const char *ssl_get_version( const ssl_context *ssl );
+/**
+ * \brief Return the (maximum) number of bytes added by the record
+ * layer: header + encryption/MAC overhead (inc. padding)
+ *
+ * \param ssl SSL context
+ *
+ * \return Current maximum record expansion in bytes, or
+ * POLARSSL_ERR_FEATURE_UNAVAILABLE if compression is enabled,
+ * which makes expansion much less predictable
+ */
+int ssl_get_record_expansion( const ssl_context *ssl );
+
#if defined(POLARSSL_X509_CRT_PARSE_C)
/**
* \brief Return the peer certificate from the current connection
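Review bot: The `\return` text names `POLARSSL_ERR_FEATURE_UNAVAILABLE`, but the implementation in library/ssl_tls.c returns `POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE`, so a caller comparing against the documented constant will never match; the doc line should read `POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE if compression is enabled,`. The same implementation also returns `POLARSSL_ERR_SSL_INTERNAL_ERROR` from its default branch, which the header does not mention; add `or POLARSSL_ERR_SSL_INTERNAL_ERROR if the cipher mode is not recognised`. It would also help callers to state that, before a transform is in place, the value covers only the record header, since that is what the code returns when `transform_out` is NULL.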
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 3206a73..54add8e 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5476,6 +5476,40 @@
}
}
+int ssl_get_record_expansion( const ssl_context *ssl )
+{
+ int transform_expansion;
+ const ssl_transform *transform = ssl->transform_out;
+
+#if defined(POLARSSL_ZLIB_SUPPORT)
+ if( ssl->session_out->compression != SSL_COMPRESS_NULL )
+ return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
+#endif
+
+ if( transform == NULL )
+ return( ssl_hdr_len( ssl ) );
+
+ switch( cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
+ {
+ case POLARSSL_MODE_GCM:
+ case POLARSSL_MODE_CCM:
+ case POLARSSL_MODE_STREAM:
+ transform_expansion = transform->minlen;
+ break;
+
+ case POLARSSL_MODE_CBC:
+ transform_expansion = transform->maclen
+ + cipher_get_block_size( &transform->cipher_ctx_enc );
+ break;
+
+ default:
+ SSL_DEBUG_MSG( 0, ( "should never happen" ) );
+ return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
+ }
+
+ return( ssl_hdr_len( ssl ) + transform_expansion );
+}
+
#if defined(POLARSSL_X509_CRT_PARSE_C)
const x509_crt *ssl_get_peer_cert( const ssl_context *ssl )
{
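Review bot: With POLARSSL_ZLIB_SUPPORT defined, `ssl->session_out->compression` is dereferenced before the `transform == NULL` guard; the guard itself shows the function is expected to be callable before the handshake finishes, and if `session_out` is NULL in that state (it appears to be set at the same point as `transform_out`, but confirm), this is a NULL dereference on that path. Moving the `if( transform == NULL ) return( ssl_hdr_len( ssl ) );` check above the `#if defined(POLARSSL_ZLIB_SUPPORT)` block, or adding `ssl->session_out != NULL &&` to the compression test, closes it. Separately, the CBC case adds `maclen` plus one block size, which covers padding but not an explicit per-record IV; if this transform family is used with TLS 1.1 or later (where an explicit IV precedes the payload), the "maximum" promised by the header is undercounted by one block and the version should be checked here — this can't be confirmed from the hunk alone.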
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 53b0645..152ec4e 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -1099,6 +1099,11 @@
printf( " ok\n [ Protocol is %s ]\n [ Ciphersuite is %s ]\n",
ssl_get_version( &ssl ), ssl_get_ciphersuite( &ssl ) );
+ if( ( ret = ssl_get_record_expansion( &ssl ) ) >= 0 )
+ printf( " [ Record expansion is %d ]\n", ret );
+ else
+ printf( " [ Record expansion is unknown (compression) ]\n" );
+
#if defined(POLARSSL_SSL_ALPN)
if( opt.alpn_string != NULL )
{
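Review bot: The `else` branch attributes every negative return to compression, but `ssl_get_record_expansion()` can also return `POLARSSL_ERR_SSL_INTERNAL_ERROR`, so an internal error would be printed as "unknown (compression)" and silently lost in a test client; test `ret == POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE` for the compression message and otherwise print the code, e.g. `printf( " [ Record expansion is unknown (ret = -0x%04x) ]\n", -ret );`. Note the call also overwrites `ret`, which this program uses as its exit status; that looks harmless here only if every later step reassigns it before `exit:`, which is outside the hunk.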
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index d5c57a4..0f210b9 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -1704,6 +1704,11 @@
ssl_get_version( &ssl ), ssl_get_ciphersuite( &ssl ) );
}
+ if( ( ret = ssl_get_record_expansion( &ssl ) ) >= 0 )
+ printf( " [ Record expansion is %d ]\n", ret );
+ else
+ printf( " [ Record expansion is unknown (compression) ]\n" );
+
#if defined(POLARSSL_SSL_ALPN)
if( opt.alpn_string != NULL )
{
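Review bot: `ret` is reassigned to the record expansion (or an error code) purely for display, and the enclosing function's later `goto exit` paths and final return value depend on `ret`; unless every subsequent step reassigns it, a failure further down could be masked by the positive expansion value left here, or a compression error could be reported as the program result. Use a dedicated local (e.g. `int expansion = ssl_get_record_expansion( &ssl );`) rather than reusing `ret`, and print the actual error code in the else branch since a negative value may also be `POLARSSL_ERR_SSL_INTERNAL_ERROR`, not only the compression case. The enclosing function starts and ends outside this hunk.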