Allow compile-time configuration of DTLS anti replay
Introduce MBEDTLS_SSL_CONF_ANTI_REPLAY to allow configuring
whether DTLS anti-replay protection is used at compile time.
Impact on code-size, measured with
> ./scripts/baremetal.sh --rom --gcc --armc5 --armc6
| | GCC | ARMC5 | ARMC6 |
| --- | --- | --- | --- |
| `libmbedtls.a` before | 23559 | 24089 | 27921 |
| `libmbedtls.a` after | 23511 | 24049 | 27903 |
| gain in Bytes | 48 | 40 | 18 |
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index fff20ff..c70bc21 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4322,8 +4322,11 @@
uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
uint64_t bit;
- if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
+ if( mbedtls_ssl_conf_get_anti_replay( ssl->conf ) ==
+ MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
+ {
return( 0 );
+ }
if( rec_seqnum > ssl->in_window_top )
return( 0 );
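Review bot: The new call `mbedtls_ssl_conf_get_anti_replay( ssl->conf )` at L19 (and again at L30 in the next hunk) has no definition anywhere in this diff, so the accessor must land in the same commit, presumably as a static inline in an internal header that returns MBEDTLS_SSL_CONF_ANTI_REPLAY when that macro is defined and `conf->anti_replay` otherwise; as shown, ssl_tls.c does not build on its own. Nothing visible here constrains the compile-time value, so a configuration that defines the macro to a value other than the two MBEDTLS_SSL_ANTI_REPLAY_* constants would behave as "enabled" only by accident of the `== DISABLED` comparison; a range check in check_config.h, if it is not already part of the commit, would make that explicit. A short comment such as `/* Folded to a constant when MBEDTLS_SSL_CONF_ANTI_REPLAY is set */` above the guard would tell readers why the call replaced the direct field access. Both enclosing functions start before their hunks.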
@@ -4346,8 +4349,11 @@
{
uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
- if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
+ if( mbedtls_ssl_conf_get_anti_replay( ssl->conf ) ==
+ MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
+ {
return;
+ }
if( rec_seqnum > ssl->in_window_top )
{
@@ -8054,12 +8060,13 @@
conf->transport = transport;
}
-#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) && \
+ !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY)
void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
{
- conf->anti_replay = mode;
+ conf->anti_replay = mode;
}
-#endif
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY && !MBEDTLS_SSL_CONF_ANTI_REPLAY */
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
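Review bot: Compiling `mbedtls_ssl_conf_dtls_anti_replay()` out under MBEDTLS_SSL_CONF_ANTI_REPLAY is a source- and link-compatibility change for applications that call the setter, and the matching declaration and Doxygen in the public header are not in this diff; they should carry the same guard and state that the setting is fixed at compile time, which is worth a sentence in the commit message as well. The L45 to L46 change appears to be whitespace-only in an otherwise unchanged line, which makes the hunk harder to read than it needs to be. The same guard is applied to the default initialisation at L56-L58; if `conf->anti_replay` stays a member of mbedtls_ssl_config in the compile-time case it becomes dead storage that a future reader could mistake for the active setting, so consider guarding the field too, assuming the accessor no longer reads it.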
@@ -10738,7 +10745,8 @@
conf->f_cookie_check = ssl_cookie_check_dummy;
#endif
-#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) && \
+ !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY)
conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
#endif