mbedtls_ssl_config min_tls_version, max_tls_version
Store the TLS version in tls_version instead of major, minor version num
Note: existing application use which accesses the struct member
(using MBEDTLS_PRIVATE) is not compatible on little-endian platforms,
but is compatible on big-endian platforms. For systems supporting
only TLSv1.2, the underlying values are the same (=> 3).
New setter functions are more type-safe,
taking argument as enum mbedtls_ssl_protocol_version:
mbedtls_ssl_conf_max_tls_version()
mbedtls_ssl_conf_min_tls_version()
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
diff --git a/library/ssl_client.c b/library/ssl_client.c
index 39b65e8..6177906 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -864,8 +864,8 @@
}
else
{
- ssl->minor_ver = ssl->conf->max_minor_ver;
- ssl->handshake->min_minor_ver = ssl->conf->min_minor_ver;
+ ssl->minor_ver = ssl->conf->max_tls_version & 0xFF;
+ ssl->handshake->min_minor_ver = ssl->conf->min_tls_version & 0xFF;
}
}
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index af3aa5d..1abe8eb 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -1601,14 +1601,8 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
static inline int mbedtls_ssl_conf_is_tls13_only( const mbedtls_ssl_config *conf )
{
- if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
- conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
- conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 &&
- conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
- {
- return( 1 );
- }
- return( 0 );
+ return( conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
+ conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
@@ -1616,14 +1610,8 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static inline int mbedtls_ssl_conf_is_tls12_only( const mbedtls_ssl_config *conf )
{
- if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
- conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
- conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
- conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
- {
- return( 1 );
- }
- return( 0 );
+ return( conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
+ conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
@@ -1631,14 +1619,8 @@
static inline int mbedtls_ssl_conf_is_tls13_enabled( const mbedtls_ssl_config *conf )
{
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
- conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
- conf->min_minor_ver <= MBEDTLS_SSL_MINOR_VERSION_4 &&
- conf->max_minor_ver >= MBEDTLS_SSL_MINOR_VERSION_4 )
- {
- return( 1 );
- }
- return( 0 );
+ return( conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 &&
+ conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_3 );
#else
((void) conf);
return( 0 );
@@ -1648,14 +1630,8 @@
static inline int mbedtls_ssl_conf_is_tls12_enabled( const mbedtls_ssl_config *conf )
{
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
- conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
- conf->min_minor_ver <= MBEDTLS_SSL_MINOR_VERSION_3 &&
- conf->max_minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 )
- {
- return( 1 );
- }
- return( 0 );
+ return( conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 &&
+ conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_2 );
#else
((void) conf);
return( 0 );
@@ -1665,14 +1641,8 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13( const mbedtls_ssl_config *conf )
{
- if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
- conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
- conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
- conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
- {
- return( 1 );
- }
- return( 0 );
+ return( conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
+ conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 8053e76..c79fcfa 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -3541,7 +3541,7 @@
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
}
- if( minor_ver > ssl->conf->max_minor_ver )
+ if( minor_ver > ( ssl->conf->max_tls_version & 0xFF ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index fa6220d..b3f132d 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2155,14 +2155,12 @@
void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
{
- conf->max_major_ver = major;
- conf->max_minor_ver = minor;
+ conf->max_tls_version = (major << 8) | minor;
}
void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
{
- conf->min_major_ver = major;
- conf->min_minor_ver = minor;
+ conf->min_tls_version = (major << 8) | minor;
}
#if defined(MBEDTLS_SSL_SRV_C)
@@ -3577,10 +3575,8 @@
* least check it matches the requirements for serializing.
*/
if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
- ssl->conf->max_major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
- ssl->conf->min_major_ver > MBEDTLS_SSL_MAJOR_VERSION_3 ||
- ssl->conf->max_minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ||
- ssl->conf->min_minor_ver > MBEDTLS_SSL_MINOR_VERSION_3 ||
+ ssl->conf->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2 ||
+ ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 ||
#if defined(MBEDTLS_SSL_RENEGOTIATION)
ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
#endif
@@ -4250,6 +4246,32 @@
conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+ if( ( endpoint == MBEDTLS_SSL_IS_SERVER ) ||
+ ( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) )
+ {
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
+ conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
+#else
+ return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+#endif
+ }
+ else
+ {
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
+ conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
+#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
+ conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
+#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
+ conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
+#else
+ return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+#endif
+ }
+
/*
* Preset-specific defaults
*/
@@ -4259,30 +4281,7 @@
* NSA Suite B
*/
case MBEDTLS_SSL_PRESET_SUITEB:
- conf->min_major_ver = MBEDTLS_SSL_MIN_MAJOR_VERSION;
- conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
- if( ( endpoint == MBEDTLS_SSL_IS_SERVER ) ||
- ( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) )
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- {
- conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
- conf->max_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
- }
-#else
- {
- conf->min_major_ver = 0;
- conf->max_major_ver = 0;
- conf->min_minor_ver = 0;
- conf->max_minor_ver = 0;
- return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
- }
-#endif
- else
- {
- conf->min_minor_ver = MBEDTLS_SSL_MIN_MINOR_VERSION;
- conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
- }
conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites;
#if defined(MBEDTLS_X509_CRT_PARSE_C)
@@ -4311,30 +4310,6 @@
* Default
*/
default:
- conf->min_major_ver = MBEDTLS_SSL_MIN_MAJOR_VERSION;
- conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
-
- if( ( endpoint == MBEDTLS_SSL_IS_SERVER ) ||
- ( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) )
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- {
- conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
- conf->max_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
- }
-#else
- {
- conf->min_major_ver = 0;
- conf->max_major_ver = 0;
- conf->min_minor_ver = 0;
- conf->max_minor_ver = 0;
- return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
- }
-#endif
- else
- {
- conf->min_minor_ver = MBEDTLS_SSL_MIN_MINOR_VERSION;
- conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
- }
conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites();
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index f0a58db..1607a8b 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -1155,8 +1155,7 @@
*/
if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
- major_ver > ssl->conf->max_major_ver ||
- minor_ver > ssl->conf->max_minor_ver )
+ ( ( major_ver << 8 ) | minor_ver ) > ssl->conf->max_tls_version )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
@@ -1302,18 +1301,16 @@
ssl->conf->transport, buf + 0 );
ssl->session_negotiate->tls_version = 0x0300 | ssl->minor_ver;
- if( ssl->major_ver < ssl->conf->min_major_ver ||
- ssl->minor_ver < ssl->conf->min_minor_ver ||
- ssl->major_ver > ssl->conf->max_major_ver ||
- ssl->minor_ver > ssl->conf->max_minor_ver )
+ if( ( ( ssl->major_ver << 8 ) | ssl->minor_ver )
+ < ssl->conf->min_tls_version ||
+ ( ( ssl->major_ver << 8 ) | ssl->minor_ver )
+ > ssl->conf->max_tls_version )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
- ( "server version out of bounds - min: [%d:%d], server: [%d:%d], max: [%d:%d]",
- ssl->conf->min_major_ver,
- ssl->conf->min_minor_ver,
- ssl->major_ver, ssl->minor_ver,
- ssl->conf->max_major_ver,
- ssl->conf->max_minor_ver ) );
+ ( "server version out of bounds - min: [0x%x], server: [0x%x], max: [0x%x]",
+ (unsigned)ssl->conf->min_tls_version,
+ (unsigned)( ( ssl->major_ver << 8 ) | ssl->minor_ver ),
+ (unsigned)ssl->conf->max_tls_version ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );