Add functions for replay protection
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index b13a407..20f104d 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -914,6 +914,15 @@
 #define POLARSSL_SSL_PROTO_DTLS
 
 /**
+ * \def POLARSSL_SSL_DTLS_ANTI_REPLAY
+ *
+ * Enable support for the anti-replay mechanism in DTLS.
+ *
+ * Comment this to disable anti-replay in DTLS.
+ */
+#define POLARSSL_SSL_DTLS_ANTI_REPLAY
+
+/**
  * \def POLARSSL_SSL_ALPN
  *
  * Enable support for Application Layer Protocol Negotiation.
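Review bot: The doc block added for `POLARSSL_SSL_DTLS_ANTI_REPLAY` does not state that the option depends on `POLARSSL_SSL_PROTO_DTLS`, nor what protection is lost when it is commented out. I would add `* Requires: POLARSSL_SSL_PROTO_DTLS` and a line such as `* \warning Disabling this allows a previously received, validly protected record to be accepted again.` Whether the configuration sanity checks reject this option when DTLS is disabled is not visible in this diff; if they do not, that check is worth adding alongside.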
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 63a7528..5946799 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -822,6 +822,10 @@
     size_t next_record_offset;  /*!< offset of the next record in datagram
                                      (equal to in_left if none)       */
 #endif
+#if defined(POLARSSL_SSL_DTLS_ANTI_REPLAY)
+    uint64_t in_window_top;     /*!< last validated record seq_num    */
+    uint64_t in_window;         /*!< bitmask for replay detection     */
+#endif
 
     size_t in_hslen;            /*!< current handshake message length,
                                      including the handshake header   */
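Review bot: The comments on `in_window_top` and `in_window` do not say how bits map to sequence numbers or that the window is fixed at 64 records, which is what a reader auditing the replay check needs. A comment like `/*!< bitmask: bit i set = record (in_window_top - i) already seen */` would pin the convention; adjust it to what the implementation actually does, which is not shown in this diff. The state is only meaningful within one epoch, so the comment should also say that both fields are reset when the incoming epoch changes or the context is reset. If that reset is missing in the code outside this hunk, a stale `in_window_top` would presumably cause valid records at the start of a new epoch to be rejected.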
@@ -2043,6 +2047,12 @@
 int ssl_resend( ssl_context *ssl );
 #endif
 
+/* Visible for testing purposes only */
+#if defined(POLARSSL_SSL_DTLS_ANTI_REPLAY)
+int ssl_dtls_replay_check( ssl_context *ssl );
+void ssl_dtls_replay_update( ssl_context *ssl );
+#endif
+
 /* constant-time buffer comparison */
 static inline int safer_memcmp( const void *a, const void *b, size_t n )
 {
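Review bot: `ssl_dtls_replay_check()` and `ssl_dtls_replay_update()` are declared without any statement of their contract, and the ordering between the two is security-relevant. The return convention of the check (presumably 0 for a fresh record and non-zero for a replayed or too-old one; confirm against the implementation) should be documented, along with where in `ssl` the record's sequence number is read from. The update should carry a comment such as `/* Call only after the record has passed integrity verification */`, because advancing the window on an unauthenticated record would let a forged sequence number push genuine records out of the window. The definitions of both functions are outside this diff.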