diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 6f6d7f064..e7f42e5a3 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -3354,6 +3354,22 @@
 */
 //#define MBEDTLS_SSL_CID_OUT_LEN_MAX 32
+/** \def MBEDTLS_SSL_CID_PADDING_GRANULARITY
+ *
+ * This option controls the use of record plaintext padding
+ * when using the Connection ID extension in DTLS 1.2.
+ *
+ * The padding will always be chosen so that the length of the
+ * padded plaintext is a multiple of the value of this option.
+ *
+ * Note: A value of \c 1 means that no padding will be used
+ * for outgoing records.
+ *
+ * The value MUST be a power of 2.
+ *
+ */
+//#define MBEDTLS_SSL_CID_PADDING_GRANULARITY 16
+
 /** \def MBEDTLS_SSL_OUT_CONTENT_LEN
 *
 * Maximum length (in bytes) of outgoing plaintext fragments.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index d0ecd0b11..1acd388f2 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -270,6 +270,10 @@
 #define MBEDTLS_SSL_CID_OUT_LEN_MAX 32
 #endif
+#if !defined(MBEDTLS_SSL_CID_PADDING_GRANULARITY)
+#define MBEDTLS_SSL_CID_PADDING_GRANULARITY 16
+#endif
+
 /* \} name SECTION: Module settings */
 /*
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 41a1c7fb8..15ab7f83f 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -176,9 +176,7 @@
 #endif
 #if defined(MBEDTLS_SSL_CID)
-#define MBEDTLS_SSL_MAX_CID_EXPANSION 16 /* Currently, we pad records
- * to lengths which are multiples
- * of 16 Bytes. */
+#define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_PADDING_GRANULARITY
 #else
 #define MBEDTLS_SSL_MAX_CID_EXPANSION 0
 #endif
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 7e7d5a0b4..3882622bc 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
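Review bot: The new option text for MBEDTLS_SSL_CID_PADDING_GRANULARITY describes the arithmetic of the padding but not its purpose or its cost, which is what someone choosing a value actually needs. After the sentence about multiples I would add `The padding is intended to obscure the true plaintext length of CID-protected records from an observer; a larger value hides more but costs up to (value - 1) extra bytes per record, and a value of 1 gives up that length hiding entirely.` It is also worth stating that the value doubles as the per-record expansion bound, since this patch sets MBEDTLS_SSL_MAX_CID_EXPANSION to it in ssl_internal.h and that bound presumably feeds buffer sizing.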
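Review bot: The default is defined here but nothing in the patch verifies that a user-supplied MBEDTLS_SSL_CID_PADDING_GRANULARITY is the power of 2 that config.h demands; the mask `~len & ( MBEDTLS_SSL_CID_PADDING_GRANULARITY - 1 )` in the ssl_tls.c hunk then silently yields wrong padding for a value such as 12, and a value of 0 turns the mask into all ones so pad becomes ~len. Directly after the new `#endif` I would add `#if MBEDTLS_SSL_CID_PADDING_GRANULARITY < 1 || ( MBEDTLS_SSL_CID_PADDING_GRANULARITY & ( MBEDTLS_SSL_CID_PADDING_GRANULARITY - 1 ) ) != 0`, `#error "MBEDTLS_SSL_CID_PADDING_GRANULARITY must be a power of 2"`, `#endif`, or the equivalent wherever this project keeps its other configuration sanity checks. The same gap applies to the ssl_tls.c hunk, which I have not annotated separately for it.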
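Review bot: The removed comment explained why MBEDTLS_SSL_MAX_CID_EXPANSION was 16, but the replacement ties it to MBEDTLS_SSL_CID_PADDING_GRANULARITY without saying why that bound is exact. From the ssl_tls.c hunk the inner plaintext grows by at most granularity - 1 padding bytes plus the one real content-type byte, which is exactly the granularity, so I would keep a comment such as `/* Inner plaintext expansion: up to GRANULARITY - 1 padding bytes plus 1 byte of real content type. */` next to the define. Whether anything else contributes to CID expansion is not visible in this hunk.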
@@ -2013,7 +2013,9 @@ static int ssl_cid_build_inner_plaintext( unsigned char *content,
 uint8_t rec_type )
 {
 size_t len = *content_size;
- size_t pad = ~len & 0xF; /* Pad to a multiple of 16 */
+
+ /* MBEDTLS_SSL_CID_PADDING_GRANULARITY must be a power of 2. */
+ size_t pad = ~len & ( MBEDTLS_SSL_CID_PADDING_GRANULARITY - 1 );
 /* Write real content type */
 if( remaining == 0 )
diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c
index a7f2d2de5..9286766aa 100644
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@@ -2530,6 +2530,14 @@ int query_config( const char *config )
 }
 #endif /* MBEDTLS_SSL_CID_OUT_LEN_MAX */
+#if defined(MBEDTLS_SSL_CID_PADDING_GRANULARITY)
+ if( strcmp( "MBEDTLS_SSL_CID_PADDING_GRANULARITY", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CID_PADDING_GRANULARITY );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_CID_PADDING_GRANULARITY */
+
 #if defined(MBEDTLS_SSL_OUT_CONTENT_LEN)
 if( strcmp( "MBEDTLS_SSL_OUT_CONTENT_LEN", config ) == 0 )
 {
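Review bot: The new comment states only the precondition, while the intent that the removed `/* Pad to a multiple of 16 */` carried is gone, and `~len & ( MBEDTLS_SSL_CID_PADDING_GRANULARITY - 1 )` is not obviously "pad to a multiple" since it makes len + pad congruent to granularity - 1 rather than to 0. I would reword it to `/* Choose pad so that len + pad + 1 (the real content type written below) is a multiple of MBEDTLS_SSL_CID_PADDING_GRANULARITY; this relies on the granularity being a power of 2. */`. The signature of ssl_cid_build_inner_plaintext starts and its body continues outside the hunk, so how pad is consumed afterwards is not checked here.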