Make DTLS_HELLO_VERIFY a compile option
diff --git a/include/polarssl/check_config.h b/include/polarssl/check_config.h
index 9a64c10..9fa19c8 100644
--- a/include/polarssl/check_config.h
+++ b/include/polarssl/check_config.h
@@ -263,6 +263,11 @@
 #error "Illegal protocol selection"
 #endif
 
+#if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY) &&                              \
+    ( !defined(POLARSSL_SSL_SRV_C) || !defined(POLARSSL_SSL_PROTO_DTLS) )
+#error "POLARSSL_SSL_DTLS_HELLO_VERIFY  defined, but not all prerequisites"
+#endif
+
 #if defined(POLARSSL_SSL_SESSION_TICKETS) && defined(POLARSSL_SSL_TLS_C) && \
     ( !defined(POLARSSL_AES_C) || !defined(POLARSSL_SHA256_C) ||            \
       !defined(POLARSSL_CIPHER_MODE_CBC) )
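Review bot: The `#error` string has a doubled space after the macro name; it should read `#error "POLARSSL_SSL_DTLS_HELLO_VERIFY defined, but not all prerequisites"`. The check only catches the option being set without `POLARSSL_SSL_SRV_C` or `POLARSSL_SSL_PROTO_DTLS`; the opposite case, a DTLS server built with the option commented out, compiles without any diagnostic, so the amplification caveat is carried only by the comment in config.h. A one-line comment above the check, such as `/* Note: a DTLS server built without HELLO_VERIFY has no protection against use as an amplifier */`, would keep that visible where configurations are validated.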
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 731b90c..4988f39 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -924,6 +924,23 @@
 #define POLARSSL_SSL_ALPN
 
 /**
+ * \def POLARSSL_SSL_DTLS_HELLO_VERIFY
+ *
+ * Enable support for HelloVerifyRequest on DTLS servers.
+ *
+ * This feature is highly recommended to prevent DTLS servers being used as
+ * amplifiers in DoS attacks against other hosts. It should always be enabled
+ * unless you know for sure amplification cannot be a problem in the
+ * environment in which your server operates.
+ *
+ * Requires: POLARSSL_SSL_SRV_C
+ *           POLARSSL_POLARSSL_PROTO_DTLS
+ *
+ * Comment this to disable support for HelloVerifyRequest.
+ */
+#define POLARSSL_SSL_DTLS_HELLO_VERIFY
+
+/**
  * \def POLARSSL_SSL_SESSION_TICKETS
  *
  * Enable support for RFC 5077 session tickets in SSL.
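Review bot: The `Requires:` list in the new doc comment names `POLARSSL_POLARSSL_PROTO_DTLS`, which is not the macro that check_config.h tests; the line should read ` *           POLARSSL_SSL_PROTO_DTLS`. Because this comment is what a user reads before commenting the option out, the wrong name makes the prerequisite harder to search for. The comment could also mention that the server application has to supply the client's transport-level ID through the setter declared under the same guard in ssl.h; what the handshake does when no ID has been set is not visible in this diff and is worth stating here.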
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 05bb3de..0bb4505 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -878,7 +878,7 @@
     /*
      * Client id (IP/port) for DTLS hello verify
      */
-#if defined(POLARSSL_SSL_PROTO_DTLS) && defined(POLARSSL_SSL_SRV_C)
+#if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
     unsigned char  *cli_id;         /*!<  transport-level ID of the client  */
     size_t          cli_id_len;     /*!<  length of cli_id                  */
     md_context_t    hvr_hmac_ctx;   /*!<  HMAC data for HelloVerifyRequest  */
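Review bot: `cli_id`, `cli_id_len` and `hvr_hmac_ctx` now exist only when `POLARSSL_SSL_DTLS_HELLO_VERIFY` is defined, so every use of them in the library sources has to sit under the same guard; the hunks shown here change only headers. If any implementation file still wraps that code in `defined(POLARSSL_SSL_PROTO_DTLS) && defined(POLARSSL_SSL_SRV_C)`, a DTLS server build with the new option commented out would presumably fail to compile. The same applies to the declarations re-guarded in the hunks at lines 1067 and 1095 of this file, and to any caller of them. The enclosing struct and the matching `#endif` lie outside this hunk. Building once with the option disabled would confirm that the guards agree.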
@@ -1067,7 +1067,7 @@
         int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
         int (*f_send)(void *, const unsigned char *, size_t), void *p_send );
 
-#if defined(POLARSSL_SSL_PROTO_DTLS) && defined(POLARSSL_SSL_SRV_C)
+#if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
 /**
  * \brief          Set client's transport-level identification info.
  *                 (Only usable on server.)
@@ -1095,7 +1095,7 @@
 
 /* Temporary */
 int ssl_setup_hvr_key( ssl_context *ssl );
-#endif /* POLARSSL_SSL_PROTO_DTLS && POLARSSL_SSL_SRV_C */
+#endif /* POLARSSL_SSL_DTLS_HELLO_VERIFY */
 
 /**
  * \brief          Set the session cache callbacks (server-side only)