TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 7f376f4ece7a3e71a51c91f094fe99981ca6f46f^! / . / include / mbedtls / ssl.h
commit7f376f4ece7a3e71a51c91f094fe99981ca6f46f[log] [tgz]
authorHanno Becker <hanno.becker@arm.com>Wed Jun 12 16:20:48 2019 +0100
committerHanno Becker <hanno.becker@arm.com>Tue Jun 25 08:43:31 2019 +0100
treec98a972eedc0169732f9c79ae67979aaaee588b8
parentaf5ab918d92313c938a5628aa6e24fd3a288353c [diff] [blame]
Allow compile-time configuration of DTLS anti replay

Introduce MBEDTLS_SSL_CONF_ANTI_REPLAY to allow configuring
the use/nonuse of DTLS anti replay protection at compile-time.

Impact on code-size, measured with
> ./scripts/baremetal.sh --rom --gcc --armc5 --armc6

|  | GCC | ARMC5 | ARMC6 |
| --- | --- | --- | --- |
| `libmbedtls.a` before | 23559 | 24089 | 27921 |
| `libmbedtls.a` after  | 23511 | 24049 | 27903 |
| gain in Bytes | 48 | 40 | 18 |

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index b517089..fbc6109 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h

@@ -1070,8 +1070,10 @@
 #endif /* !MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET */
 #endif
 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+#if !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY)
     unsigned int anti_replay : 1;   /*!< detect and prevent replay?         */
-#endif
+#endif /* !MBEDTLS_SSL_CONF_ANTI_REPLAY */
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
     unsigned int cbc_record_splitting : 1;  /*!< do cbc record splitting    */
 #endif
@@ -2016,14 +2018,16 @@
 
 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
 
-#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) && \
+    !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY)
 /**
  * \brief          Enable or disable anti-replay protection for DTLS.
  *                 (DTLS only, no effect on TLS.)
  *                 Default: enabled.
  *
  * \param conf     SSL configuration
- * \param mode     MBEDTLS_SSL_ANTI_REPLAY_ENABLED or MBEDTLS_SSL_ANTI_REPLAY_DISABLED.
+ * \param mode     MBEDTLS_SSL_ANTI_REPLAY_ENABLED or
+ *                 MBEDTLS_SSL_ANTI_REPLAY_DISABLED.
  *
  * \warning        Disabling this is a security risk unless the application
  *                 protocol handles duplicated packets in a safe way. You
@@ -2031,9 +2035,13 @@
  *                 However, if your application already detects duplicated
  *                 packets and needs information about them to adjust its
  *                 transmission strategy, then you'll want to disable this.
+ *
+ * \note            On constrained systems, this option can also be
+ *                  fixed at compile-time by defining the constant
+ *                  MBEDTLS_SSL_CONF_ANTI_REPLAY.
  */
 void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode );
-#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY && !MBEDTLS_SSL_CONF_ANTI_REPLAY */
 
 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
 /**