Make anti-replay a runtime option
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 1a5cb01..04c199e 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2733,6 +2733,9 @@
uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
uint64_t bit;
+ if( ssl->anti_replay == SSL_ANTI_REPLAY_DISABLED )
+ return( 0 );
+
if( rec_seqnum > ssl->in_window_top )
return( 0 );
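Review bot: The added early return has no comment saying what `0` means here, and in this function `0` is also the result for an in-window, never-seen sequence number, so a reader has to infer that "disabled" is deliberately mapped to "treat every record as fresh". A one-line comment above the new `if` would make that explicit: `/* Anti-replay disabled: accept every record as if it were new */`. The same applies to the early `return;` in the window-update hunk that follows, which means the window is never advanced while the feature is off; if the mode can be flipped back on mid-connection, the window would then be stale, which is worth stating in the setter's documentation. The enclosing function starts before this hunk.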
@@ -2754,6 +2757,9 @@
{
uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
+ if( ssl->anti_replay == SSL_ANTI_REPLAY_DISABLED )
+ return;
+
if( rec_seqnum > ssl->in_window_top )
{
/* Update window_top and the contents of the window */
@@ -4528,6 +4534,10 @@
ssl->f_cookie_check = ssl_cookie_check_dummy;
#endif
+#if defined(POLARSSL_SSL_DTLS_ANTI_REPLAY)
+ ssl->anti_replay = SSL_ANTI_REPLAY_ENABLED;
+#endif
+
if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
return( ret );
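Review bot: The enabled default is assigned only on this init path, so any other code that zeroes or resets the context (a session-reset routine, for instance) would leave `anti_replay` at 0 without going through this assignment; whether that silently disables the check depends on the numeric value of `SSL_ANTI_REPLAY_DISABLED`, which is not visible here. If that constant is 0, I would either choose the constants so that the zero-initialised state means enabled, or repeat this assignment in every reset path. The enclosing function starts before this hunk.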
@@ -4745,6 +4755,13 @@
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
}
+#if defined(POLARSSL_SSL_DTLS_ANTI_REPLAY)
+void ssl_set_dtls_anti_replay( ssl_context *ssl, char mode )
+{
+ ssl->anti_replay = mode;
+}
+#endif
+
void ssl_set_authmode( ssl_context *ssl, int authmode )
{
ssl->authmode = authmode;
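Review bot: `ssl_set_dtls_anti_replay` stores `mode` unchecked, and the check code only compares against `SSL_ANTI_REPLAY_DISABLED`, so every other value — including a typo or an out-of-range argument — silently enables the feature while reading as if an explicit mode had been set. Since the neighbouring setters take `int` and this one takes `char`, I would also align the parameter type with the field and the surrounding API. A short Doxygen comment in the header should state the two accepted values and when the setter must be called relative to the handshake, given the window-update path is skipped while the feature is off.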