Make DTLS_HELLO_VERIFY a compile option

2025-12-24 00:06:32 +01:00 · 2014-07-23 00:28:58 +02:00 · 2014-07-23 00:28:58 +02:00 · 82202f0a9c
commit 82202f0a9c
parent 98545f128a
6 changed files with 52 additions and 19 deletions
--- a/include/polarssl/check_config.h
+++ b/include/polarssl/check_config.h
@ -263,6 +263,11 @@
 #error "Illegal protocol selection"
 #endif

+#if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY) &&                              \
+    ( !defined(POLARSSL_SSL_SRV_C) || !defined(POLARSSL_SSL_PROTO_DTLS) )
+#error "POLARSSL_SSL_DTLS_HELLO_VERIFY  defined, but not all prerequisites"
+#endif
+
 #if defined(POLARSSL_SSL_SESSION_TICKETS) && defined(POLARSSL_SSL_TLS_C) && \
    ( !defined(POLARSSL_AES_C) || !defined(POLARSSL_SHA256_C) ||            \
      !defined(POLARSSL_CIPHER_MODE_CBC) )
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@ -923,6 +923,23 @@
 */
 #define POLARSSL_SSL_ALPN

+/**
+ * \def POLARSSL_SSL_DTLS_HELLO_VERIFY
+ *
+ * Enable support for HelloVerifyRequest on DTLS servers.
+ *
+ * This feature is highly recommended to prevent DTLS servers being used as
+ * amplifiers in DoS attacks against other hosts. It should always be enabled
+ * unless you know for sure amplification cannot be a problem in the
+ * environment in which your server operates.
+ *
+ * Requires: POLARSSL_SSL_SRV_C
+ *           POLARSSL_POLARSSL_PROTO_DTLS
+ *
+ * Comment this to disable support for HelloVerifyRequest.
+ */
+#define POLARSSL_SSL_DTLS_HELLO_VERIFY
+
 /**
 * \def POLARSSL_SSL_SESSION_TICKETS
 *
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@ -878,7 +878,7 @@ struct _ssl_context
    /*
     * Client id (IP/port) for DTLS hello verify
     */
-#if defined(POLARSSL_SSL_PROTO_DTLS) && defined(POLARSSL_SSL_SRV_C)
+#if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
    unsigned char  *cli_id;         /*!<  transport-level ID of the client  */
    size_t          cli_id_len;     /*!<  length of cli_id                  */
    md_context_t    hvr_hmac_ctx;   /*!<  HMAC data for HelloVerifyRequest  */
@ -1067,7 +1067,7 @@ void ssl_set_bio( ssl_context *ssl,
        int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
        int (*f_send)(void *, const unsigned char *, size_t), void *p_send );

-#if defined(POLARSSL_SSL_PROTO_DTLS) && defined(POLARSSL_SSL_SRV_C)
+#if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
 /**
 * \brief          Set client's transport-level identification info.
 *                 (Only usable on server.)
@ -1095,7 +1095,7 @@ int ssl_set_client_transport_id( ssl_context *ssl,

 /* Temporary */
 int ssl_setup_hvr_key( ssl_context *ssl );
-#endif /* POLARSSL_SSL_PROTO_DTLS && POLARSSL_SSL_SRV_C */
+#endif /* POLARSSL_SSL_DTLS_HELLO_VERIFY */

 /**
 * \brief          Set the session cache callbacks (server-side only)