Merge pull request #4489 from TRodziewicz/Remove__SSL_RECORD_CHECKING

Remove ssl record checking
2021-05-19 13:57:51 +02:00 · 2021-05-19 13:57:51 +02:00 · 2213871654
commit 2213871654
parent 9cf91affa2 e13a23b439
8 changed files with 16 additions and 35 deletions
--- a/ChangeLog.d/issue4361.txt
+++ b/ChangeLog.d/issue4361.txt
@ -0,0 +1,3 @@
+Removals
+   * Remove the MBEDTLS_SSL_RECORD_CHECKING option and enable by default its
+     previous action. Fixes #4361.
--- a/docs/3.0-migration-guide.d/remove_ssl_record_checking.md
+++ b/docs/3.0-migration-guide.d/remove_ssl_record_checking.md
@ -0,0 +1,13 @@
+Remove MBEDTLS_SSL_RECORD_CHECKING option and enable its action by default
+--------------------------------------------------------------------------
+
+This change does not affect users who use the default config.h, as the
+option MBEDTLS_SSL_RECORD_CHECKING was already on by default.
+
+This option was added only to control compilation of one function,
+mbedtls_ssl_check_record(), which is only useful in some specific cases, so it
+was made optional to allow users who don't need it to save some code space.
+However, the same effect can be achieve by using link-time garbage collection.
+
+Users who changed the default setting of the option need to change the config/
+build system to remove that change.
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@ -1467,20 +1467,6 @@
 */
 #define MBEDTLS_SSL_ALL_ALERT_MESSAGES

-/**
- * \def MBEDTLS_SSL_RECORD_CHECKING
- *
- * Enable the function mbedtls_ssl_check_record() which can be used to check
- * the validity and authenticity of an incoming record, to verify that it has
- * not been seen before. These checks are performed without modifying the
- * externally visible state of the SSL context.
- *
- * See mbedtls_ssl_check_record() for more information.
- *
- * Uncomment to enable support for record checking.
- */
-#define MBEDTLS_SSL_RECORD_CHECKING
-
 /**
 * \def MBEDTLS_SSL_DTLS_CONNECTION_ID
 *
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -1791,7 +1791,6 @@ void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl,
 */
 void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout );

-#if defined(MBEDTLS_SSL_RECORD_CHECKING)
 /**
 * \brief          Check whether a buffer contains a valid and authentic record
 *                 that has not been seen before. (DTLS only).
@ -1839,7 +1838,6 @@ void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
 int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl,
                              unsigned char *buf,
                              size_t buflen );
-#endif /* MBEDTLS_SSL_RECORD_CHECKING */

 /**
 * \brief          Set the timer callbacks (Mandatory for DTLS.)
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@ -86,7 +86,6 @@ int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl )
    return( 0 );
 }

-#if defined(MBEDTLS_SSL_RECORD_CHECKING)
 static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
                                    unsigned char *buf,
                                    size_t len,
@ -150,7 +149,6 @@ exit:
    MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) );
    return( ret );
 }
-#endif /* MBEDTLS_SSL_RECORD_CHECKING */

 #define SSL_DONT_FORCE_FLUSH 0
 #define SSL_FORCE_FLUSH      1
--- a/library/version_features.c
+++ b/library/version_features.c
@ -468,9 +468,6 @@ static const char * const features[] = {
 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
    "MBEDTLS_SSL_ALL_ALERT_MESSAGES",
 #endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */
-#if defined(MBEDTLS_SSL_RECORD_CHECKING)
-    "MBEDTLS_SSL_RECORD_CHECKING",
-#endif /* MBEDTLS_SSL_RECORD_CHECKING */
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
    "MBEDTLS_SSL_DTLS_CONNECTION_ID",
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
--- a/programs/ssl/ssl_test_common_source.c
+++ b/programs/ssl/ssl_test_common_source.c
@ -159,7 +159,6 @@ int dtls_srtp_key_derivation( void *p_expkey,

 #endif /* MBEDTLS_SSL_EXPORT_KEYS */

-#if defined(MBEDTLS_SSL_RECORD_CHECKING)
 int ssl_check_record( mbedtls_ssl_context const *ssl,
                      unsigned char const *buf, size_t len )
 {
@ -220,7 +219,6 @@ int ssl_check_record( mbedtls_ssl_context const *ssl,

    return( 0 );
 }
-#endif /* MBEDTLS_SSL_RECORD_CHECKING */

 int recv_cb( void *ctx, unsigned char *buf, size_t len )
 {
@ -241,10 +239,8 @@ int recv_cb( void *ctx, unsigned char *buf, size_t len )
        /* Here's the place to do any datagram/record checking
         * in between receiving the packet from the underlying
         * transport and passing it on to the TLS stack. */
-#if defined(MBEDTLS_SSL_RECORD_CHECKING)
        if( ssl_check_record( io_ctx->ssl, buf, recv_len ) != 0 )
            return( -1 );
-#endif /* MBEDTLS_SSL_RECORD_CHECKING */
    }

    return( (int) recv_len );
@ -267,10 +263,8 @@ int recv_timeout_cb( void *ctx, unsigned char *buf, size_t len,
        /* Here's the place to do any datagram/record checking
         * in between receiving the packet from the underlying
         * transport and passing it on to the TLS stack. */
-#if defined(MBEDTLS_SSL_RECORD_CHECKING)
        if( ssl_check_record( io_ctx->ssl, buf, recv_len ) != 0 )
            return( -1 );
-#endif /* MBEDTLS_SSL_RECORD_CHECKING */
    }

    return( (int) recv_len );
--- a/programs/test/query_config.c
+++ b/programs/test/query_config.c
@ -1299,14 +1299,6 @@ int query_config( const char *config )
    }
 #endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */

-#if defined(MBEDTLS_SSL_RECORD_CHECKING)
-    if( strcmp( "MBEDTLS_SSL_RECORD_CHECKING", config ) == 0 )
-    {
-        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_RECORD_CHECKING );
-        return( 0 );
-    }
-#endif /* MBEDTLS_SSL_RECORD_CHECKING */
-
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
    if( strcmp( "MBEDTLS_SSL_DTLS_CONNECTION_ID", config ) == 0 )
    {