Merge pull request #4476 from TRodziewicz/Remove__SSL_DTLS_BADMAC_LIMIT_option

Remove _SSL_DTLS_BADMAC_LIMIT option
2021-05-27 09:41:34 +02:00 · 2021-05-27 09:41:34 +02:00 · f3bacd72d2
commit f3bacd72d2
parent b7abba28e3 a86c312d92
10 changed files with 13 additions and 46 deletions
--- a/ChangeLog.d/issue4403.txt
+++ b/ChangeLog.d/issue4403.txt
@ -0,0 +1,2 @@
+Removals
+   * Remove the MBEDTLS_SSL_DTLS_BADMAC_LIMIT config.h option. Fixes #4403.
--- a/docs/3.0-migration-guide.d/remove_SSL_DTLS_BADMAC_LIMIT_option.md
+++ b/docs/3.0-migration-guide.d/remove_SSL_DTLS_BADMAC_LIMIT_option.md
@ -0,0 +1,11 @@
+Remove MBEDTLS_SSL_DTLS_BADMAC_LIMIT option
+-------------------------------------------
+
+This change does not affect users who used the default `config.h`, as the option
+MBEDTLS_SSL_DTLS_BADMAC_LIMIT was already on by default.
+
+This option was a trade-off between functionality and code size: it allowed
+users who didn't need that feature to avoid paying the cost in code size, by
+disabling it.
+
+This option is no longer present, but its functionality is now always enabled.
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@ -700,11 +700,6 @@
 #error "MBEDTLS_SSL_CID_OUT_LEN_MAX too large (max 255)"
 #endif

-#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) &&                              \
-    ( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
-#error "MBEDTLS_SSL_DTLS_BADMAC_LIMIT  defined, but not all prerequisites"
-#endif
-
 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) &&   \
    !defined(MBEDTLS_SSL_PROTO_TLS1_2)
 #error "MBEDTLS_SSL_ENCRYPT_THEN_MAC defined, but not all prerequsites"
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@ -1748,17 +1748,6 @@
 */
 #define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE

-/**
- * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT
- *
- * Enable support for a limit of records with bad MAC.
- *
- * See mbedtls_ssl_conf_dtls_badmac_limit().
- *
- * Requires: MBEDTLS_SSL_PROTO_DTLS
- */
-#define MBEDTLS_SSL_DTLS_BADMAC_LIMIT
-
 /**
 * \def MBEDTLS_SSL_SESSION_TICKETS
 *
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -1151,9 +1151,7 @@ struct mbedtls_ssl_config
                                         that triggers renegotiation        */
 #endif

-#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
    unsigned int badmac_limit;      /*!< limit of records with a bad MAC    */
-#endif

 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
    unsigned int dhm_min_bitlen;    /*!< min. bit length of the DHM prime   */
@ -1226,10 +1224,7 @@ struct mbedtls_ssl_context

    int major_ver;              /*!< equal to  MBEDTLS_SSL_MAJOR_VERSION_3    */
    int minor_ver;              /*!< one of MBEDTLS_SSL_MINOR_VERSION_x macros */
-
-#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
    unsigned badmac_seen;       /*!< records with a bad MAC received    */
-#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */

 #if defined(MBEDTLS_X509_CRT_PARSE_C)
    /** Callback to customize X.509 certificate chain verification          */
@ -2261,7 +2256,6 @@ int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
 void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode );
 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */

-#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
 /**
 * \brief          Set a limit on the number of records with a bad MAC
 *                 before terminating the connection.
@ -2286,7 +2280,6 @@ void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode );
 *                 many bogus packets.
 */
 void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit );
-#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */

 #if defined(MBEDTLS_SSL_PROTO_DTLS)

--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@ -4499,14 +4499,12 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl )
                    return( ret );
                }

-#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
                if( ssl->conf->badmac_limit != 0 &&
                    ++ssl->badmac_seen >= ssl->conf->badmac_limit )
                {
                    MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
                    return( MBEDTLS_ERR_SSL_INVALID_MAC );
                }
-#endif

                /* As above, invalid records cause
                 * dismissal of the whole datagram. */
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -3390,12 +3390,10 @@ void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
 }
 #endif

-#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
 void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
 {
    conf->badmac_limit = limit;
 }
-#endif

 #if defined(MBEDTLS_SSL_PROTO_DTLS)

@ -5418,11 +5416,7 @@ void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */

-#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u
-#else
-#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 0u
-#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */

 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u
@ -5639,7 +5633,6 @@ int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl,
    /*
     * Saved fields from top-level ssl_context structure
     */
-#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
    used += 4;
    if( used <= buf_len )
    {
@ -5648,7 +5641,6 @@ int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl,
        *p++ = (unsigned char)( ( ssl->badmac_seen >>  8 ) & 0xFF );
        *p++ = (unsigned char)( ( ssl->badmac_seen       ) & 0xFF );
    }
-#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */

 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
    used += 16;
@ -5904,7 +5896,6 @@ static int ssl_context_load( mbedtls_ssl_context *ssl,
    /*
     * Saved fields from top-level ssl_context structure
     */
-#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
    if( (size_t)( end - p ) < 4 )
        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );

@ -5913,7 +5904,6 @@ static int ssl_context_load( mbedtls_ssl_context *ssl,
                       ( (uint32_t) p[2] <<  8 ) |
                       ( (uint32_t) p[3]       );
    p += 4;
-#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */

 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
    if( (size_t)( end - p ) < 16 )
--- a/programs/ssl/ssl_context_info.c
+++ b/programs/ssl/ssl_context_info.c
@ -872,7 +872,6 @@ void print_deserialized_ssl_context( const uint8_t *ssl, size_t len )
    print_if_bit( "MBEDTLS_SSL_SESSION_TICKETS and client", SESSION_CONFIG_CLIENT_TICKET_BIT, session_cfg_flag );

    print_if_bit( "MBEDTLS_SSL_DTLS_CONNECTION_ID", CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT, context_cfg_flag );
-    print_if_bit( "MBEDTLS_SSL_DTLS_BADMAC_LIMIT", CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT, context_cfg_flag );
    print_if_bit( "MBEDTLS_SSL_DTLS_ANTI_REPLAY", CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT, context_cfg_flag );
    print_if_bit( "MBEDTLS_SSL_ALPN", CONTEXT_CONFIG_ALPN_BIT, context_cfg_flag );

--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@ -363,12 +363,8 @@ int main( void )
 #define USAGE_ANTI_REPLAY ""
 #endif

-#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
 #define USAGE_BADMAC_LIMIT \
    "    badmac_limit=%%d     default: (library default: disabled)\n"
-#else
-#define USAGE_BADMAC_LIMIT ""
-#endif

 #if defined(MBEDTLS_SSL_PROTO_DTLS)
 #define USAGE_DTLS \
@ -2685,10 +2681,8 @@ int main( int argc, char *argv[] )
            mbedtls_ssl_conf_dtls_anti_replay( &conf, opt.anti_replay );
 #endif

-#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
        if( opt.badmac_limit != DFL_BADMAC_LIMIT )
            mbedtls_ssl_conf_dtls_badmac_limit( &conf, opt.badmac_limit );
-#endif
    }
 #endif /* MBEDTLS_SSL_PROTO_DTLS */

--- a/tests/context-info.sh
+++ b/tests/context-info.sh
@ -214,7 +214,6 @@ run_test "Default configuration, server" \
         -u "MBEDTLS_SSL_ENCRYPT_THEN_MAC$" \
         -u "MBEDTLS_SSL_SESSION_TICKETS$" \
         -u "MBEDTLS_SSL_SESSION_TICKETS and client$" \
-         -u "MBEDTLS_SSL_DTLS_BADMAC_LIMIT$" \
         -u "MBEDTLS_SSL_DTLS_ANTI_REPLAY$" \
         -u "MBEDTLS_SSL_ALPN$" \
         -u "ciphersuite.* TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256$" \
@ -238,7 +237,6 @@ run_test "Default configuration, client" \
         -u "MBEDTLS_SSL_ENCRYPT_THEN_MAC$" \
         -u "MBEDTLS_SSL_SESSION_TICKETS$" \
         -u "MBEDTLS_SSL_SESSION_TICKETS and client$" \
-         -u "MBEDTLS_SSL_DTLS_BADMAC_LIMIT$" \
         -u "MBEDTLS_SSL_DTLS_ANTI_REPLAY$" \
         -u "MBEDTLS_SSL_ALPN$" \
         -u "ciphersuite.* TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256$" \
@ -345,7 +343,6 @@ run_test "Minimal configuration, server" \
         -n "MBEDTLS_SSL_ENCRYPT_THEN_MAC$" \
         -n "MBEDTLS_SSL_SESSION_TICKETS$" \
         -n "MBEDTLS_SSL_SESSION_TICKETS and client$" \
-         -n "MBEDTLS_SSL_DTLS_BADMAC_LIMIT$" \
         -n "MBEDTLS_SSL_DTLS_ANTI_REPLAY$" \
         -n "MBEDTLS_SSL_ALPN$" \

@ -357,7 +354,6 @@ run_test "Minimal configuration, client" \
         -n "MBEDTLS_SSL_ENCRYPT_THEN_MAC$" \
         -n "MBEDTLS_SSL_SESSION_TICKETS$" \
         -n "MBEDTLS_SSL_SESSION_TICKETS and client$" \
-         -n "MBEDTLS_SSL_DTLS_BADMAC_LIMIT$" \
         -n "MBEDTLS_SSL_DTLS_ANTI_REPLAY$" \
         -n "MBEDTLS_SSL_ALPN$" \