Allow compile-time configuration of DTLS badmac limit

Introduces MBEDTLS_SSL_CONF_BADMAC_LIMIT to fix the maximum number of records with bad MAC tolerated in DTLS at compile-time. Impact on code-size: | | GCC | ARMC5 | ARMC6 | | --- | --- | --- | --- | | `libmbedtls.a` before | 23511 | 24049 | 27903 | | `libmbedtls.a` after | 23487 | 24025 | 27885 | | gain in Bytes | 24 | 24 | 18 |
2026-04-01 18:21:07 +02:00 · 2019-06-12 16:30:46 +01:00
parent 7f376f4ece
commit de67154658
8 changed files with 53 additions and 10 deletions
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -3450,8 +3450,9 @@
 * \{
 */

-/* DTLS Anti replay */
+/* DTLS-specific settings */
 //#define MBEDTLS_SSL_CONF_ANTI_REPLAY MBEDTLS_SSL_ANTI_REPLAY_ENABLED
+//#define MBEDTLS_SSL_CONF_BADMAC_LIMIT 0

 /* ExtendedMasterSecret extension
 * The following two options must be set/unset simultaneously. */
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1029,7 +1029,9 @@ struct mbedtls_ssl_config
 #endif

 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+#if !defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT)
    unsigned int badmac_limit;      /*!< limit of records with a bad MAC    */
+#endif /* !MBEDTLS_SSL_CONF_BADMAC_LIMIT */
 #endif

 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
@@ -2043,7 +2045,8 @@ int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
 void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode );
 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY && !MBEDTLS_SSL_CONF_ANTI_REPLAY */

-#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \
+    !defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT)
 /**
 * \brief          Set a limit on the number of records with a bad MAC
 *                 before terminating the connection.
@@ -2066,9 +2069,13 @@ void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode );
 *                 connection. On the other hand, a high limit or no limit
 *                 might make us waste resources checking authentication on
 *                 many bogus packets.
+ *
+ * \note           On constrained systems, this option can also be
+ *                 fixed at compile-time by defining the constant
+ *                 MBEDTLS_SSL_CONF_BADMAC_LIMIT.
 */
 void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit );
-#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
+#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT && !MBEDTLS_SSL_CONF_BADMAC_LIMIT */

 #if defined(MBEDTLS_SSL_PROTO_DTLS)

--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -1085,6 +1085,23 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
 * be fixed at compile time via one of MBEDTLS_SSL_SSL_CONF_XXX.
 */

+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+#if !defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT)
+static inline unsigned int mbedtls_ssl_conf_get_badmac_limit(
+    mbedtls_ssl_config  const *conf )
+{
+    return( conf->badmac_limit );
+}
+#else /* !MBEDTLS_SSL_CONF_BADMAC_LIMIT */
+static inline unsigned int mbedtls_ssl_conf_get_badmac_limit(
+    mbedtls_ssl_config  const *conf )
+{
+    ((void) conf);
+    return( MBEDTLS_SSL_CONF_BADMAC_LIMIT );
+}
+#endif /* MBEDTLS_SSL_CONF_BADMAC_LIMIT */
+#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
+
 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
 #if !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY)
 static inline unsigned int mbedtls_ssl_conf_get_anti_replay(