libressl/portable

[DTLS] `#ifndef OPENSSL_NO_DTLS1` does not make sense now

Closed this issue · 2 comments

nak3 commented

description

  • Since this commit, OPENSSL_NO_DTLS1 is defined by default.
  • Therefore, the following validation code is skipped by default.

https://github.com/libressl/openbsd/blob/3d60073121c9fed2d9a86b0ec752999b75409e21/src/lib/libssl/ssl_lib.c#L1375

#ifndef OPENSSL_NO_DTLS1
		if (larg < (long)dtls1_min_mtu())
			return (0);
#endif

reproducer

  • Setting the MTU via SSL_set_mtu does not return an error and stores -1 in s->d1->mtu when SSL_OP_NO_QUERY_MTU is set.
    if (!SSL_set_mtu(ssl, -1)) {
        fprintf(stderr, "ERROR: failed to set mtu\n");
        goto cleanup;
    }

proposal patch

  • It should have OPENSSL_NO_DTLS1_2:
diff --git src/lib/libssl/ssl_lib.c src/lib/libssl/ssl_lib.c
index 1a2bf3695..33b6d1a42 100644
--- src/lib/libssl/ssl_lib.c
+++ src/lib/libssl/ssl_lib.c
@@ -1372,7 +1372,7 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
                s->max_cert_list = larg;
                return (l);
        case SSL_CTRL_SET_MTU:
-#ifndef OPENSSL_NO_DTLS1
+#if !defined(OPENSSL_NO_DTLS1) && !defined(OPENSSL_NO_DTLS1_2)
                if (larg < (long)dtls1_min_mtu())
                        return (0);
 #endif
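Review bot: the replacement guard on the `+` line is still compiled out on the default build the description mentions, where OPENSSL_NO_DTLS1 is defined, because `!defined(OPENSSL_NO_DTLS1)` is then false; the `larg < (long)dtls1_min_mtu()` check stays dead and SSL_set_mtu(ssl, -1) is still accepted. If the intent is to keep the check whenever either DTLS version is built, the condition wants `||`, i.e. `#if !defined(OPENSSL_NO_DTLS1) || !defined(OPENSSL_NO_DTLS1_2)`; otherwise a guard that keys only on the version still compiled in is simpler.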
  • Otherwise, simply use OPENSSL_NO_DTLS1_2 instead of OPENSSL_NO_DTLS1.
diff --git src/lib/libssl/ssl_lib.c src/lib/libssl/ssl_lib.c
index 1a2bf3695..431e1f13f 100644
--- src/lib/libssl/ssl_lib.c
+++ src/lib/libssl/ssl_lib.c
@@ -1372,7 +1372,7 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
                s->max_cert_list = larg;
                return (l);
        case SSL_CTRL_SET_MTU:
-#ifndef OPENSSL_NO_DTLS1
+#ifndef OPENSSL_NO_DTLS1_2
                if (larg < (long)dtls1_min_mtu())
                        return (0);
 #endif
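Review bot: this variant restores the check on the default build but still ties it to a build macro: on a build that defines OPENSSL_NO_DTLS1_2, a negative larg again skips the `larg < (long)dtls1_min_mtu()` comparison and reaches the `s->d1->mtu = larg` assignment shown in the updated patch later in the thread. Since dtls1_min_mtu() has no DTLS-version dependency, consider dropping the `#ifndef` entirely rather than swapping macro names, and state which of the two alternative patches is actually being proposed.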
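A stand-alone model of the guard variants discussed above, added here as an example and not part of the issue or of LibreSSL's code. It assumes the build the description mentions (OPENSSL_NO_DTLS1 defined, OPENSSL_NO_DTLS1_2 undefined), a placeholder minimum MTU of 256 standing in for dtls1_min_mtu(), and a dummy `struct model_ssl` standing in for `SSL` with `s->d1->mtu`; all three are assumptions. It shows which guard variants still let SSL_set_mtu(ssl, -1) through.

```c
/* Added example, not libressl code: a model of the SSL_CTRL_SET_MTU
 * branch of SSL_ctrl() in ssl_lib.c under the build described in the
 * issue, comparing the guard variants from the thread. */
#include <stdio.h>

/* Assumed default build configuration from the issue description. */
#ifndef OPENSSL_NO_DTLS1
#define OPENSSL_NO_DTLS1
#endif
#undef OPENSSL_NO_DTLS1_2

#define MODEL_DTLS1_MIN_MTU 256 /* assumed value, stands in for dtls1_min_mtu() */

/* Assumed stand-in for SSL with s->d1->mtu. */
struct model_ssl {
	int is_dtls; /* SSL_is_dtls(s) */
	long mtu;    /* s->d1->mtu */
};

static long model_dtls1_min_mtu(void) { return MODEL_DTLS1_MIN_MTU; }

enum guard { GUARD_ORIGINAL, GUARD_PATCH1, GUARD_PATCH2, GUARD_NONE };

/* Evaluate each preprocessor guard for this build configuration:
 * 1 means the range check is compiled in, 0 means it is dead code. */
static int check_compiled_in(enum guard g)
{
	switch (g) {
	case GUARD_ORIGINAL: /* #ifndef OPENSSL_NO_DTLS1 */
#ifndef OPENSSL_NO_DTLS1
		return 1;
#else
		return 0;
#endif
	case GUARD_PATCH1: /* #if !defined(NO_DTLS1) && !defined(NO_DTLS1_2) */
#if !defined(OPENSSL_NO_DTLS1) && !defined(OPENSSL_NO_DTLS1_2)
		return 1;
#else
		return 0;
#endif
	case GUARD_PATCH2: /* #ifndef OPENSSL_NO_DTLS1_2 */
#ifndef OPENSSL_NO_DTLS1_2
		return 1;
#else
		return 0;
#endif
	case GUARD_NONE: /* updated patch: no guard at all */
		return 1;
	}
	return 0;
}

/* Model of SSL_ctrl(s, SSL_CTRL_SET_MTU, larg, NULL): 0 on rejection,
 * larg on success, mirroring the hunk quoted in the issue. The non-DTLS
 * fallthrough is not visible on the page; returning 0 there is assumed. */
static long model_set_mtu(struct model_ssl *s, long larg, enum guard g)
{
	if (check_compiled_in(g) && larg < model_dtls1_min_mtu())
		return 0;
	if (s->is_dtls) {
		s->mtu = larg;
		return larg;
	}
	return 0;
}

/* 1 if the guard variant rejects a negative MTU on a DTLS object and
 * leaves s->d1->mtu untouched, 0 if -1 is accepted and stored. */
int rejects_negative_mtu(enum guard g)
{
	struct model_ssl s = { .is_dtls = 1, .mtu = 0 };
	long r = model_set_mtu(&s, -1, g);

	return r == 0 && s.mtu == 0;
}

int main(void)
{
	const char *names[] = {
		"original: #ifndef OPENSSL_NO_DTLS1",
		"patch 1:  !NO_DTLS1 && !NO_DTLS1_2",
		"patch 2:  #ifndef OPENSSL_NO_DTLS1_2",
		"updated:  no guard",
	};
	int g;

	for (g = GUARD_ORIGINAL; g <= GUARD_NONE; g++)
		printf("%-38s rejects SSL_set_mtu(ssl, -1): %s\n", names[g],
		    rejects_negative_mtu((enum guard)g) ? "yes" : "no");
	return 0;
}
```

Under the assumed build the original guard and the first proposed guard both compile the check out, so -1 lands in the modelled `s->d1->mtu`; the second proposal and the unguarded version reject it.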
botovq commented
nak3 commented

Ah, it seems that the guards are not necessary. The build succeeded without the guards, as dtls1_min_mtu() is not guarded.

  • updated patch:
diff --git src/lib/libssl/ssl_lib.c src/lib/libssl/ssl_lib.c
index 1a2bf3695..e889337e5 100644
--- src/lib/libssl/ssl_lib.c
+++ src/lib/libssl/ssl_lib.c
@@ -1372,10 +1372,8 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
                s->max_cert_list = larg;
                return (l);
        case SSL_CTRL_SET_MTU:
-#ifndef OPENSSL_NO_DTLS1
                if (larg < (long)dtls1_min_mtu())
                        return (0);
-#endif
                if (SSL_is_dtls(s)) {
                        s->d1->mtu = larg;
                        return (larg);
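Review bot: with the `#ifndef`/`#endif` pair removed, the `larg < (long)dtls1_min_mtu()` check now runs for every SSL object before the `SSL_is_dtls(s)` test, so a non-DTLS caller passing a small MTU gets 0 back from SSL_ctrl where it previously fell through on builds that define OPENSSL_NO_DTLS1; the hunk is cut off here, so confirm that the non-DTLS fallthrough below is happy with that. A regression test for the SSL_set_mtu(ssl, -1) reproducer from the description would keep this from silently regressing again.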