Merge pull request #4489 from TRodziewicz/Remove__SSL_RECORD_CHECKING
Remove ssl record checking
diff --git a/ChangeLog.d/issue4361.txt b/ChangeLog.d/issue4361.txt
new file mode 100644
index 0000000..f1dbb3f
--- /dev/null
+++ b/ChangeLog.d/issue4361.txt
@@ -0,0 +1,3 @@
+Removals
+ * Remove the MBEDTLS_SSL_RECORD_CHECKING option and enable by default its
+ previous action. Fixes #4361.
diff --git a/docs/3.0-migration-guide.d/remove_ssl_record_checking.md b/docs/3.0-migration-guide.d/remove_ssl_record_checking.md
new file mode 100644
index 0000000..7550f7b
--- /dev/null
+++ b/docs/3.0-migration-guide.d/remove_ssl_record_checking.md
@@ -0,0 +1,13 @@
+Remove MBEDTLS_SSL_RECORD_CHECKING option and enable its action by default
+--------------------------------------------------------------------------
+
+This change does not affect users who use the default config.h, as the
+option MBEDTLS_SSL_RECORD_CHECKING was already on by default.
+
+This option was added only to control compilation of one function,
+mbedtls_ssl_check_record(), which is only useful in some specific cases, so it
+was made optional to allow users who don't need it to save some code space.
+However, the same effect can be achieve by using link-time garbage collection.
+
+Users who changed the default setting of the option need to change the config/
+build system to remove that change.
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 907a041..8e94599 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1468,20 +1468,6 @@
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
/**
- * \def MBEDTLS_SSL_RECORD_CHECKING
- *
- * Enable the function mbedtls_ssl_check_record() which can be used to check
- * the validity and authenticity of an incoming record, to verify that it has
- * not been seen before. These checks are performed without modifying the
- * externally visible state of the SSL context.
- *
- * See mbedtls_ssl_check_record() for more information.
- *
- * Uncomment to enable support for record checking.
- */
-#define MBEDTLS_SSL_RECORD_CHECKING
-
-/**
* \def MBEDTLS_SSL_DTLS_CONNECTION_ID
*
* Enable support for the DTLS Connection ID extension
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index f90c76a..ffbbd79 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1791,7 +1791,6 @@
*/
void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout );
-#if defined(MBEDTLS_SSL_RECORD_CHECKING)
/**
* \brief Check whether a buffer contains a valid and authentic record
* that has not been seen before. (DTLS only).
@@ -1839,7 +1838,6 @@
int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl,
unsigned char *buf,
size_t buflen );
-#endif /* MBEDTLS_SSL_RECORD_CHECKING */
/**
* \brief Set the timer callbacks (Mandatory for DTLS.)
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index faafaba..609aa98 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -86,7 +86,6 @@
return( 0 );
}
-#if defined(MBEDTLS_SSL_RECORD_CHECKING)
static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
unsigned char *buf,
size_t len,
@@ -150,7 +149,6 @@
MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) );
return( ret );
}
-#endif /* MBEDTLS_SSL_RECORD_CHECKING */
#define SSL_DONT_FORCE_FLUSH 0
#define SSL_FORCE_FLUSH 1
diff --git a/library/version_features.c b/library/version_features.c
index d2de895..b42fb29 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -468,9 +468,6 @@
#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
"MBEDTLS_SSL_ALL_ALERT_MESSAGES",
#endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */
-#if defined(MBEDTLS_SSL_RECORD_CHECKING)
- "MBEDTLS_SSL_RECORD_CHECKING",
-#endif /* MBEDTLS_SSL_RECORD_CHECKING */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
"MBEDTLS_SSL_DTLS_CONNECTION_ID",
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
diff --git a/programs/ssl/ssl_test_common_source.c b/programs/ssl/ssl_test_common_source.c
index 73457a1..fd7eacf 100644
--- a/programs/ssl/ssl_test_common_source.c
+++ b/programs/ssl/ssl_test_common_source.c
@@ -159,7 +159,6 @@
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
-#if defined(MBEDTLS_SSL_RECORD_CHECKING)
int ssl_check_record( mbedtls_ssl_context const *ssl,
unsigned char const *buf, size_t len )
{
@@ -220,7 +219,6 @@
return( 0 );
}
-#endif /* MBEDTLS_SSL_RECORD_CHECKING */
int recv_cb( void *ctx, unsigned char *buf, size_t len )
{
@@ -241,10 +239,8 @@
/* Here's the place to do any datagram/record checking
* in between receiving the packet from the underlying
* transport and passing it on to the TLS stack. */
-#if defined(MBEDTLS_SSL_RECORD_CHECKING)
if( ssl_check_record( io_ctx->ssl, buf, recv_len ) != 0 )
return( -1 );
-#endif /* MBEDTLS_SSL_RECORD_CHECKING */
}
return( (int) recv_len );
@@ -267,10 +263,8 @@
/* Here's the place to do any datagram/record checking
* in between receiving the packet from the underlying
* transport and passing it on to the TLS stack. */
-#if defined(MBEDTLS_SSL_RECORD_CHECKING)
if( ssl_check_record( io_ctx->ssl, buf, recv_len ) != 0 )
return( -1 );
-#endif /* MBEDTLS_SSL_RECORD_CHECKING */
}
return( (int) recv_len );
diff --git a/programs/test/query_config.c b/programs/test/query_config.c
index c6c4d1f..79c2c54 100644
--- a/programs/test/query_config.c
+++ b/programs/test/query_config.c
@@ -1299,14 +1299,6 @@
}
#endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */
-#if defined(MBEDTLS_SSL_RECORD_CHECKING)
- if( strcmp( "MBEDTLS_SSL_RECORD_CHECKING", config ) == 0 )
- {
- MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_RECORD_CHECKING );
- return( 0 );
- }
-#endif /* MBEDTLS_SSL_RECORD_CHECKING */
-
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
if( strcmp( "MBEDTLS_SSL_DTLS_CONNECTION_ID", config ) == 0 )
{