Merge pull request #4476 from TRodziewicz/Remove__SSL_DTLS_BADMAC_LIMIT_option

Remove _SSL_DTLS_BADMAC_LIMIT option
2025-11-04 04:32:24 -05:00 · 2021-05-27 09:41:34 +02:00 · 2021-05-27 09:41:34 +02:00 · f3bacd72d2
commit f3bacd72d2
parent b7abba28e3 a86c312d92
10 changed files with 13 additions and 46 deletions
--- a/ChangeLog.d/issue4403.txt
+++ b/ChangeLog.d/issue4403.txt
@ -0,0 +1,2 @@
 Removals
   * Remove the MBEDTLS_SSL_DTLS_BADMAC_LIMIT config.h option. Fixes #4403.
--- a/docs/3.0-migration-guide.d/remove_SSL_DTLS_BADMAC_LIMIT_option.md
+++ b/docs/3.0-migration-guide.d/remove_SSL_DTLS_BADMAC_LIMIT_option.md
@ -0,0 +1,11 @@
 Remove MBEDTLS_SSL_DTLS_BADMAC_LIMIT option
 -------------------------------------------
 This change does not affect users who used the default `config.h`, as the option
 MBEDTLS_SSL_DTLS_BADMAC_LIMIT was already on by default.
 This option was a trade-off between functionality and code size: it allowed
 users who didn't need that feature to avoid paying the cost in code size, by
 disabling it.
 This option is no longer present, but its functionality is now always enabled.
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@ -700,11 +700,6 @@
 #error "MBEDTLS_SSL_CID_OUT_LEN_MAX too large (max 255)"
 #endif
 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) &&                              \
    ( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
 #error "MBEDTLS_SSL_DTLS_BADMAC_LIMIT  defined, but not all prerequisites"
 #endif
 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) &&   \
    !defined(MBEDTLS_SSL_PROTO_TLS1_2)
 #error "MBEDTLS_SSL_ENCRYPT_THEN_MAC defined, but not all prerequsites"
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@ -1748,17 +1748,6 @@
 */
 #define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
 /**
 * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT
 *
 * Enable support for a limit of records with bad MAC.
 *
 * See mbedtls_ssl_conf_dtls_badmac_limit().
 *
 * Requires: MBEDTLS_SSL_PROTO_DTLS
 */
 #define MBEDTLS_SSL_DTLS_BADMAC_LIMIT
 /**
 * \def MBEDTLS_SSL_SESSION_TICKETS
 *
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -1151,9 +1151,7 @@ struct mbedtls_ssl_config
                                         that triggers renegotiation        */
 #endif
 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
    unsigned int badmac_limit;      /*!< limit of records with a bad MAC    */
 #endif
 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
    unsigned int dhm_min_bitlen;    /*!< min. bit length of the DHM prime   */
@ -1226,10 +1224,7 @@ struct mbedtls_ssl_context
    int major_ver;              /*!< equal to  MBEDTLS_SSL_MAJOR_VERSION_3    */
    int minor_ver;              /*!< one of MBEDTLS_SSL_MINOR_VERSION_x macros */
 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
    unsigned badmac_seen;       /*!< records with a bad MAC received    */
 #endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
    /** Callback to customize X.509 certificate chain verification          */
@ -2261,7 +2256,6 @@ int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
 void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode );
 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
 /**
 * \brief          Set a limit on the number of records with a bad MAC
 *                 before terminating the connection.
@ -2286,7 +2280,6 @@ void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode );
 *                 many bogus packets.
 */
 void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit );
 #endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@ -4499,14 +4499,12 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl )
                    return( ret );
                }
 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
                if( ssl->conf->badmac_limit != 0 &&
                    ++ssl->badmac_seen >= ssl->conf->badmac_limit )
                {
                    MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
                    return( MBEDTLS_ERR_SSL_INVALID_MAC );
                }
 #endif
                /* As above, invalid records cause
                 * dismissal of the whole datagram. */
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -3390,12 +3390,10 @@ void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
 }
 #endif
 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
 void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
 {
    conf->badmac_limit = limit;
 }
 #endif
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
@ -5418,11 +5416,7 @@ void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u
 #else
 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 0u
 #endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u
@ -5639,7 +5633,6 @@ int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl,
    /*
     * Saved fields from top-level ssl_context structure
     */
 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
    used += 4;
    if( used <= buf_len )
    {
@ -5648,7 +5641,6 @@ int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl,
        *p++ = (unsigned char)( ( ssl->badmac_seen >>  8 ) & 0xFF );
        *p++ = (unsigned char)( ( ssl->badmac_seen       ) & 0xFF );
    }
 #endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
    used += 16;
@ -5904,7 +5896,6 @@ static int ssl_context_load( mbedtls_ssl_context *ssl,
    /*
     * Saved fields from top-level ssl_context structure
     */
 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
    if( (size_t)( end - p ) < 4 )
        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
@ -5913,7 +5904,6 @@ static int ssl_context_load( mbedtls_ssl_context *ssl,
                       ( (uint32_t) p[2] <<  8 ) |
                       ( (uint32_t) p[3]       );
    p += 4;
 #endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
    if( (size_t)( end - p ) < 16 )
--- a/programs/ssl/ssl_context_info.c
+++ b/programs/ssl/ssl_context_info.c
@ -872,7 +872,6 @@ void print_deserialized_ssl_context( const uint8_t *ssl, size_t len )
    print_if_bit( "MBEDTLS_SSL_SESSION_TICKETS and client", SESSION_CONFIG_CLIENT_TICKET_BIT, session_cfg_flag );
    print_if_bit( "MBEDTLS_SSL_DTLS_CONNECTION_ID", CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT, context_cfg_flag );
    print_if_bit( "MBEDTLS_SSL_DTLS_BADMAC_LIMIT", CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT, context_cfg_flag );
    print_if_bit( "MBEDTLS_SSL_DTLS_ANTI_REPLAY", CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT, context_cfg_flag );
    print_if_bit( "MBEDTLS_SSL_ALPN", CONTEXT_CONFIG_ALPN_BIT, context_cfg_flag );
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@ -363,12 +363,8 @@ int main( void )
 #define USAGE_ANTI_REPLAY ""
 #endif
 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
 #define USAGE_BADMAC_LIMIT \
    "    badmac_limit=%%d     default: (library default: disabled)\n"
 #else
 #define USAGE_BADMAC_LIMIT ""
 #endif
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
 #define USAGE_DTLS \
@ -2685,10 +2681,8 @@ int main( int argc, char *argv[] )
            mbedtls_ssl_conf_dtls_anti_replay( &conf, opt.anti_replay );
 #endif
 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
        if( opt.badmac_limit != DFL_BADMAC_LIMIT )
            mbedtls_ssl_conf_dtls_badmac_limit( &conf, opt.badmac_limit );
 #endif
    }
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
--- a/tests/context-info.sh
+++ b/tests/context-info.sh
@ -214,7 +214,6 @@ run_test "Default configuration, server" \
         -u "MBEDTLS_SSL_ENCRYPT_THEN_MAC$" \
         -u "MBEDTLS_SSL_SESSION_TICKETS$" \
         -u "MBEDTLS_SSL_SESSION_TICKETS and client$" \
         -u "MBEDTLS_SSL_DTLS_BADMAC_LIMIT$" \
         -u "MBEDTLS_SSL_DTLS_ANTI_REPLAY$" \
         -u "MBEDTLS_SSL_ALPN$" \
         -u "ciphersuite.* TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256$" \
@ -238,7 +237,6 @@ run_test "Default configuration, client" \
         -u "MBEDTLS_SSL_ENCRYPT_THEN_MAC$" \
         -u "MBEDTLS_SSL_SESSION_TICKETS$" \
         -u "MBEDTLS_SSL_SESSION_TICKETS and client$" \
         -u "MBEDTLS_SSL_DTLS_BADMAC_LIMIT$" \
         -u "MBEDTLS_SSL_DTLS_ANTI_REPLAY$" \
         -u "MBEDTLS_SSL_ALPN$" \
         -u "ciphersuite.* TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256$" \
@ -345,7 +343,6 @@ run_test "Minimal configuration, server" \
         -n "MBEDTLS_SSL_ENCRYPT_THEN_MAC$" \
         -n "MBEDTLS_SSL_SESSION_TICKETS$" \
         -n "MBEDTLS_SSL_SESSION_TICKETS and client$" \
         -n "MBEDTLS_SSL_DTLS_BADMAC_LIMIT$" \
         -n "MBEDTLS_SSL_DTLS_ANTI_REPLAY$" \
         -n "MBEDTLS_SSL_ALPN$" \
@ -357,7 +354,6 @@ run_test "Minimal configuration, client" \
         -n "MBEDTLS_SSL_ENCRYPT_THEN_MAC$" \
         -n "MBEDTLS_SSL_SESSION_TICKETS$" \
         -n "MBEDTLS_SSL_SESSION_TICKETS and client$" \
         -n "MBEDTLS_SSL_DTLS_BADMAC_LIMIT$" \
         -n "MBEDTLS_SSL_DTLS_ANTI_REPLAY$" \
         -n "MBEDTLS_SSL_ALPN$" \
		`@ -0,0 +1,2 @@`
							`Removals`
							`* Remove the MBEDTLS_SSL_DTLS_BADMAC_LIMIT config.h option. Fixes #4403.`