Google Git
Sign in
pigweed / third_party / github / ARMmbed / mbedtls / 13996927cbb10615b0db4df2c1d6494ab3f3b29b^! / . / library / ssl_msg.c
commit13996927cbb10615b0db4df2c1d6494ab3f3b29b[log] [tgz]
authorHanno Becker <hanno.becker@arm.com>Thu May 28 16:15:19 2020 +0100
committerHanno Becker <hanno.becker@arm.com>Sun May 31 08:51:25 2020 +0100
tree6f55b262ef4f7cb5024c885c10bfad3fed81dc2e
parentb54094bd7c083fbf555ad839f445573a4e8df045 [diff] [blame]
Introduce configuration option for TLS 1.3 padding granularity

TLS 1.3 record protection allows the addition of an arbitrary amount
of padding.

This commit introduces a configuration option

```
   MBEDTLS_SSL_TLS13_PADDING_GRANULARITY
```

The semantics of this option is that padding is chosen in a minimal
way so that the padded plaintext has a length which is a multiple of
MBEDTLS_SSL_TLS13_PADDING_GRANULARITY.

For example, setting MBEDTLS_SSL_TLS13_PADDING_GRANULARITY to 1024
means that padded plaintexts will have length 1024, 2048, ..., while
setting it to 1 means that no padding will be used.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>

diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 669a33d..4ae1b8f 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c

@@ -343,6 +343,13 @@
 
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) ||  \
     defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+
+static size_t ssl_compute_padding_length( size_t len,
+                                          size_t granularity )
+{
+    return( ( granularity - ( len + 1 ) % granularity ) % granularity );
+}
+
 /* This functions transforms a (D)TLS plaintext fragment and a record content
  * type into an instance of the (D)TLSInnerPlaintext structure. This is used
  * in DTLS 1.2 + CID and within TLS 1.3 to allow flexible padding and to protect
@@ -374,12 +381,10 @@
 static int ssl_build_inner_plaintext( unsigned char *content,
                                       size_t *content_size,
                                       size_t remaining,
-                                      uint8_t rec_type )
+                                      uint8_t rec_type,
+                                      size_t pad )
 {
     size_t len = *content_size;
-    size_t pad = ( MBEDTLS_SSL_CID_PADDING_GRANULARITY -
-                   ( len + 1 ) % MBEDTLS_SSL_CID_PADDING_GRANULARITY ) %
-        MBEDTLS_SSL_CID_PADDING_GRANULARITY;
 
     /* Write real content type */
     if( remaining == 0 )
@@ -651,10 +656,14 @@
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
     if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
     {
+        size_t padding =
+            ssl_compute_padding_length( rec->data_len,
+                                        MBEDTLS_SSL_TLS13_PADDING_GRANULARITY );
         if( ssl_build_inner_plaintext( data,
-                        &rec->data_len,
-                        post_avail,
-                        rec->type ) != 0 )
+                                       &rec->data_len,
+                                       post_avail,
+                                       rec->type,
+                                       padding ) != 0 )
         {
             return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
         }
@@ -673,6 +682,9 @@
 
     if( rec->cid_len != 0 )
     {
+        size_t padding =
+            ssl_compute_padding_length( rec->data_len,
+                                        MBEDTLS_SSL_CID_PADDING_GRANULARITY );
         /*
          * Wrap plaintext into DTLSInnerPlaintext structure.
          * See ssl_build_inner_plaintext() for more information.
@@ -683,7 +695,8 @@
         if( ssl_build_inner_plaintext( data,
                         &rec->data_len,
                         post_avail,
-                        rec->type ) != 0 )
+                        rec->type,
+                        padding ) != 0 )
         {
             return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
         }