Remove the TLS 1.0 and 1.1 support
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 609aa98..540d5d1 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -519,9 +519,9 @@
#endif
/* The PRNG is used for dynamic IV generation that's used
- * for CBC transformations in TLS 1.1 and TLS 1.2. */
+ * for CBC transformations in TLS 1.2. */
#if !( defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
- ( defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) ) )
+ defined(MBEDTLS_SSL_PROTO_TLS1_2) )
((void) f_rng);
((void) p_rng);
#endif
@@ -644,8 +644,7 @@
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
}
-#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
- defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
{
unsigned char mac[MBEDTLS_SSL_MAC_ADD];
@@ -835,12 +834,12 @@
rec->data_len += padlen + 1;
post_avail -= padlen + 1;
-#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
/*
- * Prepend per-record IV for block cipher in TLS v1.1 and up as per
+ * Prepend per-record IV for block cipher in TLS v1.2
* Method 1 (6.2.3.2. in RFC4346 and RFC5246)
*/
- if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+ if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 )
{
if( f_rng == NULL )
{
@@ -865,7 +864,7 @@
transform->ivlen );
}
-#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
"including %" MBEDTLS_PRINTF_SIZET
@@ -889,22 +888,9 @@
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
-#if defined(MBEDTLS_SSL_PROTO_TLS1)
- if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
- {
- /*
- * Save IV in TLS1
- */
- memcpy( transform->iv_enc, transform->cipher_ctx_enc.iv,
- transform->ivlen );
- }
- else
-#endif
- {
- data -= transform->ivlen;
- rec->data_offset -= transform->ivlen;
- rec->data_len += transform->ivlen;
- }
+ data -= transform->ivlen;
+ rec->data_offset -= transform->ivlen;
+ rec->data_len += transform->ivlen;
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
if( auth_done == 0 )
@@ -1381,8 +1367,8 @@
/*
* Check immediate ciphertext sanity
*/
-#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 )
{
/* The ciphertext is prefixed with the CBC IV. */
minlen += transform->ivlen;
@@ -1487,11 +1473,11 @@
return( MBEDTLS_ERR_SSL_INVALID_MAC );
}
-#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
/*
- * Initialize for prepended IV for block cipher in TLS v1.1 and up
+ * Initialize for prepended IV for block cipher in TLS v1.2
*/
- if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+ if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 )
{
/* Safe because data_len >= minlen + ivlen = 2 * ivlen. */
memcpy( transform->iv_dec, data, transform->ivlen );
@@ -1500,7 +1486,7 @@
rec->data_offset += transform->ivlen;
rec->data_len -= transform->ivlen;
}
-#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
/* We still have data_len % ivlen == 0 and data_len >= ivlen here. */
@@ -1519,20 +1505,6 @@
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
-#if defined(MBEDTLS_SSL_PROTO_TLS1)
- if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
- {
- /*
- * Save IV in TLS1, where CBC decryption of consecutive
- * records is equivalent to CBC decryption of the concatenation
- * of the records; in other words, IVs are maintained across
- * record decryptions.
- */
- memcpy( transform->iv_dec, transform->cipher_ctx_dec.iv,
- transform->ivlen );
- }
-#endif
-
/* Safe since data_len >= minlen + maclen + 1, so after having
* subtracted at most minlen and maclen up to this point,
* data_len > 0 (because of data_len % ivlen == 0, it's actually
@@ -1573,8 +1545,7 @@
/* Regardless of the validity of the padding,
* we have data_len >= padlen here. */
-#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
- defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
/* The padding check involves a series of up to 256
* consecutive memory reads at the end of the record
* plaintext buffer. In order to hide the length and
@@ -1609,8 +1580,7 @@
#endif
padlen &= mbedtls_ssl_cf_mask_from_bit( correct );
-#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
- MBEDTLS_SSL_PROTO_TLS1_2 */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
/* If the padding was found to be invalid, padlen == 0
* and the subtraction is safe. If the padding was found valid,
@@ -1657,8 +1627,7 @@
ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
transform->minor_ver );
-#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
- defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
/*
* The next two sizes are the minimum and maximum values of
* data_len over all padlen values.
@@ -1686,8 +1655,7 @@
rec->data_len,
min_len, max_len,
transform->maclen );
-#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
- MBEDTLS_SSL_PROTO_TLS1_2 */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_SSL_DEBUG_ALL)
MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, transform->maclen );
@@ -5058,10 +5026,10 @@
/* For TLS 1.1 or higher, an explicit IV is added
* after the record header. */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 )
transform_expansion += block_size;
-#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
break;
@@ -5201,8 +5169,7 @@
MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
-#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
- defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
{
if( ( ret = mbedtls_ssl_send_alert_message( ssl,
@@ -5213,8 +5180,7 @@
}
}
else
-#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 ||
- MBEDTLS_SSL_PROTO_TLS1_2 */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );