Allow the configuration of padding when using CID extension
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 6f6d7f0..e7f42e5 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -3354,6 +3354,22 @@
*/
//#define MBEDTLS_SSL_CID_OUT_LEN_MAX 32
+/** \def MBEDTLS_SSL_CID_PADDING_GRANULARITY
+ *
+ * This option controls the use of record plaintext padding
+ * when using the Connection ID extension in DTLS 1.2.
+ *
+ * The padding will always be chosen so that the length of the
+ * padded plaintext is a multiple of the value of this option.
+ *
+ * Note: A value of \c 1 means that no padding will be used
+ * for outgoing records.
+ *
+ * The value MUST be a power of 2.
+ *
+ */
+//#define MBEDTLS_SSL_CID_PADDING_GRANULARITY 16
+
/** \def MBEDTLS_SSL_OUT_CONTENT_LEN
*
* Maximum length (in bytes) of outgoing plaintext fragments.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index d0ecd0b..1acd388 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -270,6 +270,10 @@
#define MBEDTLS_SSL_CID_OUT_LEN_MAX 32
#endif
+#if !defined(MBEDTLS_SSL_CID_PADDING_GRANULARITY)
+#define MBEDTLS_SSL_CID_PADDING_GRANULARITY 16
+#endif
+
/* \} name SECTION: Module settings */
/*
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 41a1c7f..15ab7f8 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -176,9 +176,7 @@
#endif
#if defined(MBEDTLS_SSL_CID)
-#define MBEDTLS_SSL_MAX_CID_EXPANSION 16 /* Currently, we pad records
- * to lengths which are multiples
- * of 16 Bytes. */
+#define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_PADDING_GRANULARITY
#else
#define MBEDTLS_SSL_MAX_CID_EXPANSION 0
#endif
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 7e7d5a0..3882622 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2013,7 +2013,9 @@
uint8_t rec_type )
{
size_t len = *content_size;
- size_t pad = ~len & 0xF; /* Pad to a multiple of 16 */
+
+ /* MBEDTLS_SSL_CID_PADDING_GRANULARITY must be a power of 2. */
+ size_t pad = ~len & ( MBEDTLS_SSL_CID_PADDING_GRANULARITY - 1 );
/* Write real content type */
if( remaining == 0 )
diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c
index a7f2d2d..9286766 100644
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@@ -2530,6 +2530,14 @@
}
#endif /* MBEDTLS_SSL_CID_OUT_LEN_MAX */
+#if defined(MBEDTLS_SSL_CID_PADDING_GRANULARITY)
+ if( strcmp( "MBEDTLS_SSL_CID_PADDING_GRANULARITY", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CID_PADDING_GRANULARITY );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_CID_PADDING_GRANULARITY */
+
#if defined(MBEDTLS_SSL_OUT_CONTENT_LEN)
if( strcmp( "MBEDTLS_SSL_OUT_CONTENT_LEN", config ) == 0 )
{