From be2e7e25ac37573d72777d3a576e36b79fcfed5c Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Fri, 1 Oct 2021 17:35:44 -0700
Subject: [PATCH] Change the calculation for the extra data size in a DTLS message when checking to see if it'll fit in an MTU. (ZD12983)
---
 src/internal.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index ffd559292..2e96cea36 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -18530,10 +18530,24 @@ int CreateOcspResponse(WOLFSSL* ssl, OcspRequest** ocspRequest,
 static int cipherExtraData(WOLFSSL* ssl)
 {
+ int cipherExtra;
 /* Cipher data that may be added by BuildMessage */
- return ssl->specs.hash_size + ssl->specs.block_size +
- ssl->specs.aead_mac_size + ssl->specs.iv_size +
- ssl->specs.pad_size;
+ /* There is always an IV. For AEAD ciphers, there is the
+ * authentication tag (aead_mac_size). For block ciphers
+ * we have the hash_size MAC on the message, and one
+ * block size for possible padding. */
+ if (ssl->specs.cipher_type == aead) {
+ cipherExtra = ssl->specs.aead_mac_size;
+ /* CHACHA does not have an explicit IV. */
+ if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha) {
+ cipherExtra += ssl->specs.iv_size;
+ }
+ }
+ else {
+ cipherExtra = ssl->specs.iv_size + ssl->specs.block_size +
+ ssl->specs.hash_size;
+ }
+ return cipherExtra;
 }
 #ifndef WOLFSSL_NO_TLS12
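Review bot: In the AEAD branch, `cipherExtra += ssl->specs.iv_size;` assumes that `specs.iv_size` is the length of the explicit per-record nonce, which nothing in this hunk establishes. If the GCM/CCM suites store the implicit (salt) IV length in that field, the function under-reports the record overhead, and the DTLS MTU check can accept a message that no longer fits once it is encrypted. Please confirm against the cipher-spec setup and, if the field is the implicit length, use the explicit-nonce constant instead, e.g. `cipherExtra += AESGCM_EXP_IV_SZ;`. The new comment opens with "There is always an IV", which the CHACHA exception three lines below contradicts; `/* There is an explicit IV except for CHACHA. ... */` would match the code. Because callers presumably subtract this value from a size, clamping the result (`return cipherExtra > 0 ? cipherExtra : 0;`) would keep an unexpected spec value from turning into a negative length.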