From 9b35f18f6686554ec19d74575018881fabfef2ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Tue, 14 Oct 2014 17:47:31 +0200
Subject: [PATCH] Add ssl_get_record_expansion()
---
 include/polarssl/ssl.h | 12 ++++++++++++
 library/ssl_tls.c | 34 ++++++++++++++++++++++++++++++++++
 programs/ssl/ssl_client2.c | 5 +++++
 programs/ssl/ssl_server2.c | 5 +++++
 4 files changed, 56 insertions(+)
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 0c167bd01..5c92d3773 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -1856,6 +1856,18 @@ const char *ssl_get_ciphersuite( const ssl_context *ssl );
 */
 const char *ssl_get_version( const ssl_context *ssl );
+/**
+ * \brief Return the (maximum) number of bytes added by the record
+ * layer: header + encryption/MAC overhead (inc. padding)
+ *
+ * \param ssl SSL context
+ *
+ * \return Current maximum record expansion in bytes, or
+ * POLARSSL_ERR_FEATURE_UNAVAILABLE if compression is enabled,
+ * which makes expansion much less predictable
+ */
+int ssl_get_record_expansion( const ssl_context *ssl );
+
 #if defined(POLARSSL_X509_CRT_PARSE_C)
 /**
 * \brief Return the peer certificate from the current connection
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 3206a734e..54add8e34 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
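Review bot: The `\return` text in the new doc comment names `POLARSSL_ERR_FEATURE_UNAVAILABLE`, but the implementation added in library/ssl_tls.c returns `POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE`, so a caller who copies the documented name will not match the value actually returned. The comment also omits the second negative return, `POLARSSL_ERR_SSL_INTERNAL_ERROR`, produced by the `default:` branch of the switch. I would reword the return text as `\return Current maximum record expansion in bytes, or a negative error code: POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE if compression is enabled, POLARSSL_ERR_SSL_INTERNAL_ERROR on an unexpected cipher mode`. It is worth adding one sentence that callers must test for a negative result before using the value as a size.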
@@ -5476,6 +5476,40 @@ const char *ssl_get_version( const ssl_context *ssl )
 }
 }
+int ssl_get_record_expansion( const ssl_context *ssl )
+{
+ int transform_expansion;
+ const ssl_transform *transform = ssl->transform_out;
+
+#if defined(POLARSSL_ZLIB_SUPPORT)
+ if( ssl->session_out->compression != SSL_COMPRESS_NULL )
+ return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
+#endif
+
+ if( transform == NULL )
+ return( ssl_hdr_len( ssl ) );
+
+ switch( cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
+ {
+ case POLARSSL_MODE_GCM:
+ case POLARSSL_MODE_CCM:
+ case POLARSSL_MODE_STREAM:
+ transform_expansion = transform->minlen;
+ break;
+
+ case POLARSSL_MODE_CBC:
+ transform_expansion = transform->maclen
+ + cipher_get_block_size( &transform->cipher_ctx_enc );
+ break;
+
+ default:
+ SSL_DEBUG_MSG( 0, ( "should never happen" ) );
+ return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
+ }
+
+ return( ssl_hdr_len( ssl ) + transform_expansion );
+}
+
 #if defined(POLARSSL_X509_CRT_PARSE_C)
 const x509_crt *ssl_get_peer_cert( const ssl_context *ssl )
 {
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 53b064567..152ec4e33 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -1099,6 +1099,11 @@ int main( int argc, char *argv[] )
 printf( " ok\n [ Protocol is %s ]\n [ Ciphersuite is %s ]\n",
 ssl_get_version( &ssl ), ssl_get_ciphersuite( &ssl ) );
+ if( ( ret = ssl_get_record_expansion( &ssl ) ) >= 0 )
+ printf( " [ Record expansion is %d ]\n", ret );
+ else
+ printf( " [ Record expansion is unknown (compression) ]\n" );
+
 #if defined(POLARSSL_SSL_ALPN)
 if( opt.alpn_string != NULL )
 {
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index d5c57a464..0f210b9b2 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
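Review bot: Under `POLARSSL_ZLIB_SUPPORT`, `ssl_get_record_expansion()` dereferences `ssl->session_out` before the `transform == NULL` early return, so the only pointer that is NULL-checked is checked after an unchecked one. If `session_out` can be unset whenever `transform_out` is (for instance before the handshake completes; not visible in this hunk, please confirm), a ZLIB build would crash on a call that a non-ZLIB build answers with the header length. Moving `if( transform == NULL ) return( ssl_hdr_len( ssl ) );` above the `#if` block removes that difference. Separately, the CBC case adds only `maclen` plus one block of padding. For protocol versions where CBC records carry an explicit per-record IV, the result looks one block short, which matters if callers size buffers or datagrams from this "maximum"; please confirm and add the IV length where it applies.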
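Review bot: The `else` branch in the ssl_client2.c hunk reports every negative return as "unknown (compression)", but `ssl_get_record_expansion()` as added in this patch can also return `POLARSSL_ERR_SSL_INTERNAL_ERROR`, so the message would mislabel that failure. Printing the code instead, for example `printf( " [ Record expansion is unknown (-0x%x) ]\n", -ret );`, keeps the diagnostic accurate. The call also stores its result in `ret`, so the else path leaves a negative value in the variable `main` appears to use for status; whether it is reassigned before the next check lies outside the hunk, since `main` starts and ends outside it. The identical lines added in programs/ssl/ssl_server2.c have the same two issues.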
@@ -1704,6 +1704,11 @@ reset:
 ssl_get_version( &ssl ), ssl_get_ciphersuite( &ssl ) );
 }
+ if( ( ret = ssl_get_record_expansion( &ssl ) ) >= 0 )
+ printf( " [ Record expansion is %d ]\n", ret );
+ else
+ printf( " [ Record expansion is unknown (compression) ]\n" );
+
 #if defined(POLARSSL_SSL_ALPN)
 if( opt.alpn_string != NULL )
 {