Add option to remove early sanity checks

2023-12-12 17:31:48 +01:00
parent 627310d26a
commit 493bb1760d
3 changed files with 19 additions and 1 deletions
--- a/src/dtls13.c
+++ b/src/dtls13.c
@ -363,11 +363,13 @@ int Dtls13ProcessBufferedMessages(WOLFSSL* ssl)
        if (!msg->ready)
            break;

+#ifndef WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
        ret = MsgCheckEncryption(ssl, msg->type, msg->encrypted);
        if (ret != 0) {
            SendAlert(ssl, alert_fatal, unexpected_message);
            break;
        }
+#endif

        /* We may have DTLS <=1.2 msgs stored from before we knew which version
         * we were going to use. Interpret correctly. */
--- a/src/internal.c
+++ b/src/internal.c
@ -10718,6 +10718,8 @@ int CheckAvailableSize(WOLFSSL *ssl, int size)
    return 0;
 }

+#ifndef WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
+
 int MsgCheckEncryption(WOLFSSL* ssl, byte type, byte encrypted)
 {
 #ifdef WOLFSSL_QUIC
@ -10952,6 +10954,8 @@ static int MsgCheckBoundary(const WOLFSSL* ssl, byte type,
    return 0;
 }

+#endif /* WOLFSSL_DISABLE_EARLY_SANITY_CHECKS */
+
 /**
 * This check is performed as soon as the handshake message type becomes known.
 * These checks can not be delayed and need to be performed when the msg is
@ -10967,8 +10971,9 @@ static int MsgCheckBoundary(const WOLFSSL* ssl, byte type,
 */
 int EarlySanityCheckMsgReceived(WOLFSSL* ssl, byte type, word32 msgSz)
 {
-    byte version_negotiated = 0;
    int ret = 0;
+#ifndef WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
+    byte version_negotiated = 0;

    WOLFSSL_ENTER("EarlySanityCheckMsgReceived");

@ -10995,6 +11000,11 @@ int EarlySanityCheckMsgReceived(WOLFSSL* ssl, byte type, word32 msgSz)
        SendAlert(ssl, alert_fatal, unexpected_message);

    WOLFSSL_LEAVE("EarlySanityCheckMsgReceived", ret);
+#else
+    (void)ssl;
+    (void)type;
+    (void)msgSz;
+#endif

    return ret;
 }
@ -17568,11 +17578,13 @@ int DtlsMsgDrain(WOLFSSL* ssl)
            item->ready && ret == 0) {
        word32 idx = 0;

+    #ifndef WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
        ret = MsgCheckEncryption(ssl, item->type, item->encrypted);
        if (ret != 0) {
            SendAlert(ssl, alert_fatal, unexpected_message);
            break;
        }
+    #endif

    #ifdef WOLFSSL_NO_TLS12
        ret = DoTls13HandShakeMsgType(ssl, item->fullMsg, &idx, item->type,
--- a/tests/api.c
+++ b/tests/api.c
@ -67471,7 +67471,11 @@ static int test_TLSX_CA_NAMES_bad_extension(void)
        }

        ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
+#ifndef WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
        ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), OUT_OF_ORDER_E);
+#else
+        ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), BUFFER_ERROR);
+#endif

        wolfSSL_free(ssl_c);
        ssl_c = NULL;