[DTLS] `#ifndef OPENSSL_NO_DTLS1` does not make sense now
Closed this issue · 2 comments
nak3 commented
description
- Since this commit, `OPENSSL_NO_DTLS1` is defined by default.
- Therefore, the following validation code is skipped by default.
#ifndef OPENSSL_NO_DTLS1
if (larg < (long)dtls1_min_mtu())
return (0);
#endif
reproducer
- Setting the MTU via `SSL_set_mtu` does not return an error and sets -1 to `s->d1->mtu` when `SSL_OP_NO_QUERY_MTU` is set.
if (!SSL_set_mtu(ssl, -1)) {
fprintf(stderr, "ERROR: failed to set mtu\n");
goto cleanup;
}
proposed patch
- It should have `OPENSSL_NO_DTLS1_2`:
diff --git src/lib/libssl/ssl_lib.c src/lib/libssl/ssl_lib.c
index 1a2bf3695..33b6d1a42 100644
--- src/lib/libssl/ssl_lib.c
+++ src/lib/libssl/ssl_lib.c
@@ -1372,7 +1372,7 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
s->max_cert_list = larg;
return (l);
case SSL_CTRL_SET_MTU:
-#ifndef OPENSSL_NO_DTLS1
+#if !defined(OPENSSL_NO_DTLS1) && !defined(OPENSSL_NO_DTLS1_2)
if (larg < (long)dtls1_min_mtu())
return (0);
#endif
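Review bot: the combined guard on the `+#if` line still compiles the check out whenever `OPENSSL_NO_DTLS1` is defined, which the issue description says is the default, so `dtls1_min_mtu()` would still not be consulted in the default build and `SSL_set_mtu(ssl, -1)` would still succeed. If the intent is to keep the check alive once DTLS 1.0 is disabled, `OPENSSL_NO_DTLS1` must not be part of the condition; either key on `OPENSSL_NO_DTLS1_2` alone or drop the guard entirely.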
- Otherwise, just use `OPENSSL_NO_DTLS1_2` instead of `OPENSSL_NO_DTLS1`.
diff --git src/lib/libssl/ssl_lib.c src/lib/libssl/ssl_lib.c
index 1a2bf3695..431e1f13f 100644
--- src/lib/libssl/ssl_lib.c
+++ src/lib/libssl/ssl_lib.c
@@ -1372,7 +1372,7 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
s->max_cert_list = larg;
return (l);
case SSL_CTRL_SET_MTU:
-#ifndef OPENSSL_NO_DTLS1
+#ifndef OPENSSL_NO_DTLS1_2
if (larg < (long)dtls1_min_mtu())
return (0);
#endif
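Review bot: `OPENSSL_NO_DTLS1_2` keeps the check alive in the default build, but it ties a minimum-MTU validation that is not specific to any DTLS version to a single version macro, so the check silently disappears again the moment that macro is defined. Since the `dtls1_min_mtu()` call inside the guard has no DTLS-version dependency of its own, consider dropping the `#ifndef`/`#endif` pair rather than swapping its macro.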
botovq commented
+#if !defined(OPENSSL_NO_DTLS1) && !defined(OPENSSL_NO_DTLS1_2)
Is there any benefit in keeping these guards?
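As an added illustration (not LibreSSL code and not posted by anyone in this thread): a small C model of the `SSL_CTRL_SET_MTU` handling with the minimum-MTU check compiled out, as it is when `OPENSSL_NO_DTLS1` is defined, beside the same handling with the check present and no guard at all. The struct layout, the `model_` names and the minimum value of 256 are assumptions made for the model; the real minimum comes from `dtls1_min_mtu()` in the tree.

```c
/* Added example, not LibreSSL code: a minimal model of the SSL_CTRL_SET_MTU
 * handling discussed in this issue, so the guard's effect can be checked
 * without linking libssl. Struct names, field types and the minimum-MTU
 * value are assumptions for illustration only. */
#include <stdio.h>

/* Assumed minimum DTLS MTU for this model; LibreSSL's real value is whatever
 * dtls1_min_mtu() returns. */
#define MODEL_DTLS_MIN_MTU 256

static unsigned int model_dtls1_min_mtu(void)
{
	return MODEL_DTLS_MIN_MTU;
}

/* mtu is kept as long here so the stored -1 is visible; the real field
 * type in LibreSSL may differ. */
struct model_dtls_state { long mtu; };
struct model_ssl { int is_dtls; struct model_dtls_state d1; };

/* Behaviour with the guard compiled out (OPENSSL_NO_DTLS1 defined):
 * no range check at all, so a negative or tiny MTU is stored verbatim
 * and reported as success. */
long model_set_mtu_unchecked(struct model_ssl *s, long larg)
{
	if (s->is_dtls) {
		s->d1.mtu = larg;
		return larg;
	}
	return 0;
}

/* Behaviour with the check present and no preprocessor guard: anything
 * below the DTLS minimum is rejected before connection state is touched. */
long model_set_mtu_checked(struct model_ssl *s, long larg)
{
	if (larg < (long)model_dtls1_min_mtu())
		return 0;
	if (s->is_dtls) {
		s->d1.mtu = larg;
		return larg;
	}
	return 0;
}

int main(void)
{
	struct model_ssl s = { 1, { 0 } };
	long r;

	r = model_set_mtu_unchecked(&s, -1);
	printf("unchecked: ret=%ld mtu=%ld\n", r, s.d1.mtu);

	s.d1.mtu = 0;
	r = model_set_mtu_checked(&s, -1);
	printf("checked:   ret=%ld mtu=%ld\n", r, s.d1.mtu);

	r = model_set_mtu_checked(&s, 1400);
	printf("checked:   ret=%ld mtu=%ld\n", r, s.d1.mtu);
	return 0;
}
```

The unchecked variant returns -1 and leaves -1 in the state, which is the reproducer's observation; the checked variant returns 0 for -1 and for any value under the minimum, and only stores values at or above it.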
nak3 commented
Ah, it seems that the guards are not necessary. The build succeeded without the guards, as `dtls1_min_mtu()` is not guarded.
- updated patch:
diff --git src/lib/libssl/ssl_lib.c src/lib/libssl/ssl_lib.c
index 1a2bf3695..e889337e5 100644
--- src/lib/libssl/ssl_lib.c
+++ src/lib/libssl/ssl_lib.c
@@ -1372,10 +1372,8 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
s->max_cert_list = larg;
return (l);
case SSL_CTRL_SET_MTU:
-#ifndef OPENSSL_NO_DTLS1
if (larg < (long)dtls1_min_mtu())
return (0);
-#endif
if (SSL_is_dtls(s)) {
s->d1->mtu = larg;
return (larg);
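Review bot: with the `#ifndef`/`#endif` removed, the `larg < (long)dtls1_min_mtu()` check now runs for every `SSL` object, DTLS or not, because it sits before the `SSL_is_dtls(s)` test; that is reasonable for a bogus MTU but should be called out in the commit message, along with the fact that this is the point at which the `SSL_set_mtu(ssl, -1)` reproducer starts returning 0 as intended.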