diff --git a/ChangeLog.d/issue4335.txt b/ChangeLog.d/issue4335.txt new file mode 100644 index 0000000000..66480264c2 --- /dev/null +++ b/ChangeLog.d/issue4335.txt @@ -0,0 +1,4 @@ +Changes + * Replace MBEDTLS_SSL_CID_PADDING_GRANULARITY and + MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY with a single unified option + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY. Fixes #4335. diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 715c73ada0..2670a2f1b0 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -3497,27 +3497,10 @@ */ //#define MBEDTLS_SSL_CID_OUT_LEN_MAX 32 -/** \def MBEDTLS_SSL_CID_PADDING_GRANULARITY +/** \def MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY * * This option controls the use of record plaintext padding - * when using the Connection ID extension in DTLS 1.2. - * - * The padding will always be chosen so that the length of the - * padded plaintext is a multiple of the value of this option. - * - * Note: A value of \c 1 means that no padding will be used - * for outgoing records. - * - * Note: On systems lacking division instructions, - * a power of two should be preferred. - * - */ -//#define MBEDTLS_SSL_CID_PADDING_GRANULARITY 16 - -/** \def MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY - * - * This option controls the use of record plaintext padding - * in TLS 1.3. + * when using the Connection ID extension in DTLS 1.2 and TLS 1.3. * * The padding will always be chosen so that the length of the * padded plaintext is a multiple of the value of this option. @@ -3528,7 +3511,7 @@ * Note: On systems lacking division instructions, * a power of two should be preferred. */ -//#define MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY 1 +//#define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16 /** \def MBEDTLS_SSL_OUT_CONTENT_LEN * diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index bdc2b4797a..78f1a8c9a9 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -257,12 +257,8 @@ #define MBEDTLS_SSL_CID_OUT_LEN_MAX 32 #endif -#if !defined(MBEDTLS_SSL_CID_PADDING_GRANULARITY) -#define MBEDTLS_SSL_CID_PADDING_GRANULARITY 16 -#endif - -#if !defined(MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY) -#define MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY 1 +#if !defined(MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) +#define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16 #endif /* \} name SECTION: Module settings */ diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 1f1de2bfdf..73ffdef92e 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -164,7 +164,7 @@ #endif #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) -#define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_PADDING_GRANULARITY +#define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY #else #define MBEDTLS_SSL_MAX_CID_EXPANSION 0 #endif diff --git a/library/ssl_msg.c b/library/ssl_msg.c index a75b9190ba..d62df20d08 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -579,7 +579,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, { size_t padding = ssl_compute_padding_length( rec->data_len, - MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY ); + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY ); if( ssl_build_inner_plaintext( data, &rec->data_len, post_avail, @@ -605,7 +605,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, { size_t padding = ssl_compute_padding_length( rec->data_len, - MBEDTLS_SSL_CID_PADDING_GRANULARITY ); + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY ); /* * Wrap plaintext into DTLSInnerPlaintext structure. * See ssl_build_inner_plaintext() for more information.