diff --git a/library/ssl_tls.c b/library/ssl_tls.c index fd0c8a7ab..116d2a26c 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -973,9 +973,12 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform, transform->taglen = ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; - /* All modes haves 96-bit IVs; - * GCM and CCM has 4 implicit and 8 explicit bytes - * ChachaPoly has all 12 bytes implicit + /* All modes haves 96-bit IVs, but the length of the static parts vary + * with mode and version: + * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes + * (to be concatenated with a dynamically chosen IV of 8 Bytes) + * - For ChaChaPoly in TLS 1.2, there's a static IV of 12 Bytes + * (to be XOR'ed with the 8 Byte record sequence number). */ transform->ivlen = 12; if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )