From 60d443f0efed441b5b83af6e302e783fec636e63 Mon Sep 17 00:00:00 2001
From: Davis Goodin
Date: Tue, 9 Jan 2024 12:00:23 -0600
Subject: [PATCH] Fix TLS 1.3 additionalData length check

---
 cipher.go | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/cipher.go b/cipher.go
index 1113d067..ddaadfa8 100644
--- a/cipher.go
+++ b/cipher.go
@@ -337,7 +337,14 @@ type cipherGCM struct {
 const (
 	gcmTagSize = 16
 	gcmStandardNonceSize = 12
-	gcmTlsAddSize = 13
+	// TLS 1.2 additional data is constructed as:
+	//
+	// additional_data = seq_num(8) + TLSCompressed.type(1) + TLSCompressed.version(2) + TLSCompressed.length(2);
+	gcmTls12AddSize = 13
+	// TLS 1.3 additional data is constructed as:
+	//
+	// additional_data = TLSCiphertext.opaque_type(1) || TLSCiphertext.legacy_record_version(2) || TLSCiphertext.length(2)
+	gcmTls13AddSize = 5
 	gcmTlsFixedNonceSize = 4
 )
@@ -404,8 +411,10 @@ func (g *cipherGCM) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
 		panic("cipher: message too large for buffer")
 	}
 	if g.tls != cipherGCMTLSNone {
-		if len(additionalData) != gcmTlsAddSize {
-			panic("cipher: incorrect additional data length given to GCM TLS")
+		if g.tls == cipherGCMTLS12 && len(additionalData) != gcmTls12AddSize {
+			panic("cipher: incorrect additional data length given to GCM TLS 1.2")
+		} else if g.tls == cipherGCMTLS13 && len(additionalData) != gcmTls13AddSize {
+			panic("cipher: incorrect additional data length given to GCM TLS 1.3")
 		}
 		counter := binary.BigEndian.Uint64(nonce[gcmTlsFixedNonceSize:])
 		if g.tls == cipherGCMTLS13 {
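Review bot: The two new doc comments on gcmTls12AddSize and gcmTls13AddSize describe the same kind of layout in different notation — the TLS 1.2 line joins fields with `+` and ends in a stray `;`, while the TLS 1.3 line uses `||` and no terminator — which reads as if the formulas came from different places. Pick one notation for both, e.g. `//	additional_data = seq_num(8) || TLSCompressed.type(1) || TLSCompressed.version(2) || TLSCompressed.length(2)`, and indent the formula line with a tab so gofmt keeps it as a preformatted block. The byte totals themselves (8+1+2+2 = 13 and 1+2+2 = 5) match the constants.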
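Review bot: The rewritten length check no longer covers every non-None TLS mode: the old code panicked for any `g.tls != cipherGCMTLSNone` with the wrong additionalData length, but the new `if`/`else if` only tests cipherGCMTLS12 and cipherGCMTLS13, so any other value of g.tls falls through to the nonce counter logic with additionalData unchecked. Whether further mode values exist is not visible in this hunk; if the set is meant to be closed, make that explicit by ending the chain with `} else { panic("cipher: unexpected GCM TLS mode") }` (or a `switch g.tls` with a panicking `default`) so a new mode cannot silently skip AAD validation. Seal's body continues past the end of the hunk.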