[DTLS] `#ifndef OPENSSL_NO_DTLS1` does not make sense now

[nak3]

description

• Since this commit , OPENSSL_NO_DTLS1 is defined by default.
• Therefore, the following validation code is skipped by default.

https://github.com/libressl/openbsd/blob/3d60073121c9fed2d9a86b0ec752999b75409e21/src/lib/libssl/ssl_lib.c#L1375

#ifndef OPENSSL_NO_DTLS1
        if (larg < (long)dtls1_min_mtu())
            return (0);
#endif

reproducer

• Setting MTU via SSL_set_mtu does not get error and set -1 to s->d1->mtu with setting SSL_OP_NO_QUERY_MTU.

    if (!SSL_set_mtu(ssl, -1)) {
        fprintf(stderr, "ERROR: failed to set mtu\n");
        goto cleanup;
    }

proposal patch

• It should have OPENSSL_NO_DTLS1_2:

diff --git src/lib/libssl/ssl_lib.c src/lib/libssl/ssl_lib.c
index 1a2bf3695..33b6d1a42 100644
--- src/lib/libssl/ssl_lib.c
+++ src/lib/libssl/ssl_lib.c
@@ -1372,7 +1372,7 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
                s->max_cert_list = larg;
                return (l);
        case SSL_CTRL_SET_MTU:
-#ifndef OPENSSL_NO_DTLS1
+#if !defined(OPENSSL_NO_DTLS1) && !defined(OPENSSL_NO_DTLS1_2)
                if (larg < (long)dtls1_min_mtu())
                        return (0);
 #endif

• Otherwise, just simply use OPENSSL_NO_DTLS1_2 instead of OPENSSL_NO_DTLS1.

diff --git src/lib/libssl/ssl_lib.c src/lib/libssl/ssl_lib.c
index 1a2bf3695..431e1f13f 100644
--- src/lib/libssl/ssl_lib.c
+++ src/lib/libssl/ssl_lib.c
@@ -1372,7 +1372,7 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
                s->max_cert_list = larg;
                return (l);
        case SSL_CTRL_SET_MTU:
-#ifndef OPENSSL_NO_DTLS1
+#ifndef OPENSSL_NO_DTLS1_2
                if (larg < (long)dtls1_min_mtu())
                        return (0);
 #endif

[botovq]

+#if !defined(OPENSSL_NO_DTLS1) && !defined(OPENSSL_NO_DTLS1_2)

Is there any benefit in keeping these guards?

[nak3]

Ah, it seems that the guards are not necessary. Build was succeeded without the guards as dtls1_min_mtu() is not guarded.

• updated patch:

diff --git src/lib/libssl/ssl_lib.c src/lib/libssl/ssl_lib.c
index 1a2bf3695..e889337e5 100644
--- src/lib/libssl/ssl_lib.c
+++ src/lib/libssl/ssl_lib.c
@@ -1372,10 +1372,8 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
                s->max_cert_list = larg;
                return (l);
        case SSL_CTRL_SET_MTU:
-#ifndef OPENSSL_NO_DTLS1
                if (larg < (long)dtls1_min_mtu())
                        return (0);
-#endif
                if (SSL_is_dtls(s)) {
                        s->d1->mtu = larg;
                        return (larg);