>> uint16 length = TLSPlaintext.length; > > You can't recover the plaintext without knowing how long it is. This > part at a minimum needs to be in the clear. At which point you need > it to be based on TLSCiphertext.length
Is that really true? You could decrypt the first block/few bytes to get the length (without authentication, of course) and then decrypt the remainder according to this candidate length. Then authenticate the entire record to make sure the candidate length was correct. (I am not claiming anything about the purity of this approach, only that it is technically feasible.) Kyle _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
