Introduce version comparing functions This zero-cost abstraction allows to change the internal encoding of TLS/DTLS versions in the future.

commit: 7bcf2b5875d3d6b052ba94aa1f46a66e9eb33032 [log] [tgz]
author: Hanno Becker <hanno.becker@arm.com> Fri Jul 26 09:02:40 2019 +0100
committer: Hanno Becker <hanno.becker@arm.com> Thu Sep 05 17:37:55 2019 +0100
tree: e7230dd70e1a720c1e010a0b14f87dfee7ac675b
parent: baac25d2bf2c17d024a9896aaba0d6af37c8b7a9 [diff]
diff --git a/include/mbedtls/platform_util.h b/include/mbedtls/platform_util.h
index 09d0965..98384ad 100644
--- a/include/mbedtls/platform_util.h
+++ b/include/mbedtls/platform_util.h

@@ -113,6 +113,12 @@
 
 #endif /* MBEDTLS_CHECK_PARAMS */
 
+#if defined(__GNUC__) || defined(__arm__)
+#define MBEDTLS_ALWAYS_INLINE __attribute__((always_inline))
+#else
+#define MBEDTLS_ALWAYS_INLINE
+#endif
+
 /* Internal helper macros for deprecating API constants. */
 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
 #if defined(MBEDTLS_DEPRECATED_WARNING)

diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index df221fe..a1acc84 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h

@@ -1237,6 +1237,44 @@
 #endif /* MBEDTLS_SSL_PROTO_TLS */
 }
 
+
+MBEDTLS_ALWAYS_INLINE static inline int mbedtls_ssl_ver_leq( int v0, int v1 )
+{
+    return( v0 <= v1 );
+}
+
+MBEDTLS_ALWAYS_INLINE static inline int mbedtls_ssl_ver_lt( int v0, int v1 )
+{
+    return( v0 < v1 );
+}
+
+MBEDTLS_ALWAYS_INLINE static inline int mbedtls_ssl_ver_geq( int v0, int v1 )
+{
+    return( v0 >= v1 );
+}
+
+MBEDTLS_ALWAYS_INLINE static inline int mbedtls_ssl_ver_gt( int v0, int v1 )
+{
+    return( v0 > v1 );
+}
+
+MBEDTLS_ALWAYS_INLINE static inline size_t mbedtls_ssl_minor_ver_index(
+    int ver )
+{
+    switch( ver )
+    {
+        case MBEDTLS_SSL_MINOR_VERSION_0:
+            return( 0 );
+        case MBEDTLS_SSL_MINOR_VERSION_1:
+            return( 1 );
+        case MBEDTLS_SSL_MINOR_VERSION_2:
+            return( 2 );
+        case MBEDTLS_SSL_MINOR_VERSION_3:
+            return( 3 );
+    }
+    return( 0 );
+}
+
 #ifdef __cplusplus
 }
 #endif
@@ -1677,7 +1715,8 @@
 #define MBEDTLS_SSL_BEGIN_FOR_EACH_CIPHERSUITE( ssl, ver, info ) \
     {                                                            \
         int const *__id_ptr;                                     \
-        for( __id_ptr=(ssl)->conf->ciphersuite_list[ (ver) ];    \
+        for( __id_ptr=(ssl)->conf->ciphersuite_list[             \
+                 mbedtls_ssl_minor_ver_index( ver ) ];           \
              *__id_ptr != 0; __id_ptr++ )                        \
         {                                                        \
            const int __id = *__id_ptr;                           \

diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 4e99a80..ae1c400 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c

@@ -772,8 +772,10 @@
     if( suite_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
         return( 1 );
 
-    if( mbedtls_ssl_suite_get_min_minor_ver( suite_info ) > max_minor_ver ||
-        mbedtls_ssl_suite_get_max_minor_ver( suite_info ) < min_minor_ver )
+    if( mbedtls_ssl_ver_gt( mbedtls_ssl_suite_get_min_minor_ver( suite_info ),
+                            max_minor_ver ) ||
+        mbedtls_ssl_ver_lt( mbedtls_ssl_suite_get_max_minor_ver( suite_info ),
+                            min_minor_ver ) )
     {
         return( 1 );
     }
@@ -1553,10 +1555,12 @@
      * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
      * even is lower than our min version.
      */
-    if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
-        minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
-        major_ver > mbedtls_ssl_conf_get_max_major_ver( ssl->conf )  ||
-        minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf )  )
+    if( mbedtls_ssl_ver_lt( major_ver, MBEDTLS_SSL_MAJOR_VERSION_3 ) ||
+        mbedtls_ssl_ver_lt( minor_ver, MBEDTLS_SSL_MINOR_VERSION_2 ) ||
+        mbedtls_ssl_ver_gt( major_ver,
+                            mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) ) ||
+        mbedtls_ssl_ver_gt( minor_ver,
+                            mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
 
@@ -1711,10 +1715,14 @@
                                   ssl->conf->transport,
                                   buf + 0 );
 
-        if( major_ver < mbedtls_ssl_conf_get_min_major_ver( ssl->conf ) ||
-            minor_ver < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ||
-            major_ver > mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) ||
-            minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
+        if( mbedtls_ssl_ver_lt( major_ver,
+                                mbedtls_ssl_conf_get_min_major_ver( ssl->conf ) ) ||
+            mbedtls_ssl_ver_lt( minor_ver,
+                                mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ) ||
+            mbedtls_ssl_ver_gt( major_ver,
+                                mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) ) ||
+            mbedtls_ssl_ver_gt( minor_ver,
+                                mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) )
         {
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
                          " min: [%d:%d], server: [%d:%d], max: [%d:%d]",
@@ -2926,7 +2934,8 @@
 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
     defined(MBEDTLS_SSL_PROTO_TLS1_1)
-        if( mbedtls_ssl_get_minor_ver( ssl ) < MBEDTLS_SSL_MINOR_VERSION_3 )
+        if( mbedtls_ssl_ver_lt( mbedtls_ssl_get_minor_ver( ssl ),
+                                MBEDTLS_SSL_MINOR_VERSION_3 ) )
         {
             pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
 

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index b058e7c..11bed2f 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c

@@ -869,7 +869,8 @@
          * present them a SHA-higher cert rather than failing if it's the only
          * one we got that satisfies the other conditions.
          */
-        if( mbedtls_ssl_get_minor_ver( ssl ) < MBEDTLS_SSL_MINOR_VERSION_3 )
+        if( mbedtls_ssl_ver_lt( mbedtls_ssl_get_minor_ver( ssl ),
+                                MBEDTLS_SSL_MINOR_VERSION_3 ) )
         {
             mbedtls_md_type_t sig_md;
             {
@@ -936,10 +937,12 @@
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s",
                                 mbedtls_ssl_suite_get_name( suite_info ) ) );
 
-    if( mbedtls_ssl_suite_get_min_minor_ver( suite_info )
-          > mbedtls_ssl_get_minor_ver( ssl ) ||
-        mbedtls_ssl_suite_get_max_minor_ver( suite_info )
-          < mbedtls_ssl_get_minor_ver( ssl ) )
+    if( mbedtls_ssl_ver_gt(
+            mbedtls_ssl_suite_get_min_minor_ver( suite_info ),
+            mbedtls_ssl_get_minor_ver( ssl ) ) ||
+        mbedtls_ssl_ver_lt(
+            mbedtls_ssl_suite_get_max_minor_ver( suite_info ),
+            mbedtls_ssl_get_minor_ver( ssl ) ) )
     {
         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
         return( 0 );
@@ -1111,7 +1114,8 @@
         ? buf[4]  : mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );
 #endif
 
-    if( mbedtls_ssl_get_minor_ver( ssl ) < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) )
+    if( mbedtls_ssl_ver_lt( mbedtls_ssl_get_minor_ver( ssl ),
+                            mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ) )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
                             " [%d:%d] < [%d:%d]",
@@ -1237,8 +1241,9 @@
         {
             MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
 
-            if( mbedtls_ssl_get_minor_ver( ssl ) <
-                mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
+            if( mbedtls_ssl_ver_lt(
+                    mbedtls_ssl_get_minor_ver( ssl ),
+                    mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) )
             {
                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
 
@@ -1652,8 +1657,10 @@
 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED ||
           MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
 
-        if( major_ver < mbedtls_ssl_conf_get_min_major_ver( ssl->conf ) ||
-            minor_ver < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) )
+        if( mbedtls_ssl_ver_lt( major_ver,
+                                mbedtls_ssl_conf_get_min_major_ver( ssl->conf ) ) ||
+            mbedtls_ssl_ver_lt( minor_ver,
+                                mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ) )
         {
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
                             " [%d:%d] < [%d:%d]",
@@ -1665,13 +1672,19 @@
             return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
         }
 
-        if( major_ver > mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) )
+        if( mbedtls_ssl_ver_gt(
+                major_ver,
+                mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) ) )
         {
             major_ver = mbedtls_ssl_conf_get_max_major_ver( ssl->conf );
             minor_ver = mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );
         }
-        else if( minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
+        else if( mbedtls_ssl_ver_gt(
+                     minor_ver,
+                     mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) )
+        {
             minor_ver = mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );
+        }
 
 #if !defined(MBEDTLS_SSL_CONF_FIXED_MAJOR_VER)
         ssl->major_ver = major_ver;
@@ -2061,8 +2074,9 @@
         {
             MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
 
-            if( mbedtls_ssl_get_minor_ver( ssl ) <
-                mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
+            if( mbedtls_ssl_ver_lt(
+                    mbedtls_ssl_get_minor_ver( ssl ),
+                    mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) )
             {
                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
 

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index d4d51b5..d600668 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c

@@ -861,7 +861,7 @@
     else
 #endif
 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
-    if( minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
+    if( mbedtls_ssl_ver_lt( minor_ver, MBEDTLS_SSL_MINOR_VERSION_3 ) )
         return( tls1_prf( secret, slen, label, random, rlen, dstbuf, dlen ) );
     else
 #endif
@@ -1160,7 +1160,7 @@
     else
 #endif
 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
-    if( minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
+    if( mbedtls_ssl_ver_lt( minor_ver, MBEDTLS_SSL_MINOR_VERSION_3 ) )
         ssl_calc_finished_tls( ssl, buf, from );
     else
 #endif
@@ -1484,7 +1484,7 @@
 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
     defined(MBEDTLS_SSL_PROTO_TLS1_2)
-    if( minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
+    if( mbedtls_ssl_ver_geq( minor_ver, MBEDTLS_SSL_MINOR_VERSION_1 ) )
     {
         /* For HMAC-based ciphersuites, initialize the HMAC transforms.
            For AEAD-based ciphersuites, there is nothing to do here. */
@@ -1759,7 +1759,7 @@
     else
 #endif
 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
-    if( minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
+    if( mbedtls_ssl_ver_lt( minor_ver, MBEDTLS_SSL_MINOR_VERSION_3 ) )
         ssl_calc_verify_tls( ssl, dst, hlen );
     else
 #endif
@@ -2513,8 +2513,9 @@
 #endif
 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
         defined(MBEDTLS_SSL_PROTO_TLS1_2)
-        if( mbedtls_ssl_transform_get_minor_ver( transform ) >=
-            MBEDTLS_SSL_MINOR_VERSION_1 )
+        if( mbedtls_ssl_ver_geq(
+                mbedtls_ssl_transform_get_minor_ver( transform ),
+                MBEDTLS_SSL_MINOR_VERSION_1 ) )
         {
             unsigned char mac[MBEDTLS_SSL_MAC_ADD];
 
@@ -2693,8 +2694,9 @@
          * Prepend per-record IV for block cipher in TLS v1.1 and up as per
          * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
          */
-        if( mbedtls_ssl_transform_get_minor_ver( transform ) >=
-            MBEDTLS_SSL_MINOR_VERSION_2 )
+        if( mbedtls_ssl_ver_geq(
+                mbedtls_ssl_transform_get_minor_ver( transform ),
+                MBEDTLS_SSL_MINOR_VERSION_2 ) )
         {
             if( f_rng == NULL )
             {
@@ -2743,8 +2745,9 @@
         }
 
 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
-        if( mbedtls_ssl_transform_get_minor_ver( transform ) <
-            MBEDTLS_SSL_MINOR_VERSION_2 )
+        if( mbedtls_ssl_ver_lt(
+                mbedtls_ssl_transform_get_minor_ver( transform ),
+                MBEDTLS_SSL_MINOR_VERSION_2 ) )
         {
             /*
              * Save IV in SSL3 and TLS1
@@ -3001,8 +3004,9 @@
          * Check immediate ciphertext sanity
          */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
-        if( mbedtls_ssl_transform_get_minor_ver( transform ) >=
-            MBEDTLS_SSL_MINOR_VERSION_2 )
+        if( mbedtls_ssl_ver_geq(
+                mbedtls_ssl_transform_get_minor_ver( transform ),
+                MBEDTLS_SSL_MINOR_VERSION_2 ) )
         {
             /* The ciphertext is prefixed with the CBC IV. */
             minlen += transform->ivlen;
@@ -3107,8 +3111,9 @@
         /*
          * Initialize for prepended IV for block cipher in TLS v1.1 and up
          */
-        if( mbedtls_ssl_transform_get_minor_ver( transform ) >=
-            MBEDTLS_SSL_MINOR_VERSION_2 )
+        if( mbedtls_ssl_ver_geq(
+                mbedtls_ssl_transform_get_minor_ver( transform ),
+                MBEDTLS_SSL_MINOR_VERSION_2 ) )
         {
             /* Safe because data_len >= minlen + ivlen = 2 * ivlen. */
             memcpy( transform->iv_dec, data, transform->ivlen );
@@ -3137,8 +3142,9 @@
         }
 
 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
-        if( mbedtls_ssl_transform_get_minor_ver( transform ) <
-            MBEDTLS_SSL_MINOR_VERSION_2 )
+        if( mbedtls_ssl_ver_lt(
+                mbedtls_ssl_transform_get_minor_ver( transform ),
+                MBEDTLS_SSL_MINOR_VERSION_2 ) )
         {
             /*
              * Save IV in SSL3 and TLS1, where CBC decryption of consecutive
@@ -3201,8 +3207,9 @@
 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
     defined(MBEDTLS_SSL_PROTO_TLS1_2)
-        if( mbedtls_ssl_transform_get_minor_ver( transform ) >
-            MBEDTLS_SSL_MINOR_VERSION_0 )
+        if( mbedtls_ssl_ver_gt(
+                mbedtls_ssl_transform_get_minor_ver( transform ),
+                MBEDTLS_SSL_MINOR_VERSION_0 ) )
         {
             /* The padding check involves a series of up to 256
              * consecutive memory reads at the end of the record
@@ -3300,8 +3307,9 @@
 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
         defined(MBEDTLS_SSL_PROTO_TLS1_2)
-        if( mbedtls_ssl_transform_get_minor_ver( transform ) >
-            MBEDTLS_SSL_MINOR_VERSION_0 )
+        if( mbedtls_ssl_ver_gt(
+                mbedtls_ssl_transform_get_minor_ver( transform ),
+                MBEDTLS_SSL_MINOR_VERSION_0 ) )
         {
             /*
              * Process MAC and always update for padlen afterwards to make
@@ -5320,7 +5328,8 @@
         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
     }
 
-    if( minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
+    if( mbedtls_ssl_ver_gt( minor_ver,
+                            mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
@@ -8136,7 +8145,9 @@
 
     /* Adjust out_msg to make space for explicit IV, if used. */
     if( transform != NULL &&
-        mbedtls_ssl_get_minor_ver( ssl ) >= MBEDTLS_SSL_MINOR_VERSION_2 )
+        mbedtls_ssl_ver_geq(
+            mbedtls_ssl_get_minor_ver( ssl ),
+            MBEDTLS_SSL_MINOR_VERSION_2 ) )
     {
         ssl->out_msg = ssl->out_iv + transform->ivlen - transform->fixed_ivlen;
     }
@@ -8625,10 +8636,10 @@
 void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
                                    const int *ciphersuites )
 {
-    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites;
-    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites;
-    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites;
-    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites;
+    conf->ciphersuite_list[0] = ciphersuites;
+    conf->ciphersuite_list[1] = ciphersuites;
+    conf->ciphersuite_list[2] = ciphersuites;
+    conf->ciphersuite_list[3] = ciphersuites;
 }
 
 void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
@@ -8638,10 +8649,14 @@
     if( major != MBEDTLS_SSL_MAJOR_VERSION_3 )
         return;
 
-    if( minor < MBEDTLS_SSL_MINOR_VERSION_0 || minor > MBEDTLS_SSL_MINOR_VERSION_3 )
+    if( mbedtls_ssl_ver_lt( minor, MBEDTLS_SSL_MINOR_VERSION_0 ) ||
+        mbedtls_ssl_ver_gt( minor, MBEDTLS_SSL_MINOR_VERSION_3 ) )
+    {
         return;
+    }
 
-    conf->ciphersuite_list[minor] = ciphersuites;
+    conf->ciphersuite_list[mbedtls_ssl_minor_ver_index( minor )] =
+        ciphersuites;
 }
 #endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
 
@@ -9395,8 +9410,12 @@
             /* For TLS 1.1 or higher, an explicit IV is added
              * after the record header. */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
-            if( mbedtls_ssl_get_minor_ver( ssl ) >= MBEDTLS_SSL_MINOR_VERSION_2 )
+            if( mbedtls_ssl_ver_geq(
+                    mbedtls_ssl_get_minor_ver( ssl ),
+                    MBEDTLS_SSL_MINOR_VERSION_2 ) )
+            {
                 transform_expansion += block_size;
+            }
 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
 
             break;
@@ -10602,7 +10621,9 @@
 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
     defined(MBEDTLS_SSL_PROTO_TLS1_2)
-                if( mbedtls_ssl_get_minor_ver( ssl ) >= MBEDTLS_SSL_MINOR_VERSION_1 )
+                if( mbedtls_ssl_ver_geq(
+                        mbedtls_ssl_get_minor_ver( ssl ),
+                        MBEDTLS_SSL_MINOR_VERSION_1 ) )
                 {
                     ret = mbedtls_ssl_send_alert_message( ssl,
                                              MBEDTLS_SSL_ALERT_LEVEL_WARNING,
@@ -10810,7 +10831,9 @@
     if( ssl->conf->cbc_record_splitting ==
             MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
         len <= 1 ||
-        mbedtls_ssl_get_minor_ver( ssl ) > MBEDTLS_SSL_MINOR_VERSION_1 ||
+        mbedtls_ssl_ver_gt(
+            mbedtls_ssl_get_minor_ver( ssl ),
+            MBEDTLS_SSL_MINOR_VERSION_1 ) ||
         mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
                                 != MBEDTLS_MODE_CBC )
     {
@@ -11406,14 +11429,18 @@
      * least check it matches the requirements for serializing.
      */
     if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) ||
-        mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) <
-            MBEDTLS_SSL_MAJOR_VERSION_3 ||
-        mbedtls_ssl_conf_get_min_major_ver( ssl->conf ) >
-            MBEDTLS_SSL_MAJOR_VERSION_3 ||
-        mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) <
-            MBEDTLS_SSL_MINOR_VERSION_3 ||
-        mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) >
-            MBEDTLS_SSL_MINOR_VERSION_3 ||
+        mbedtls_ssl_ver_lt(
+            mbedtls_ssl_conf_get_max_major_ver( ssl->conf ),
+            MBEDTLS_SSL_MAJOR_VERSION_3 ) ||
+        mbedtls_ssl_ver_gt(
+            mbedtls_ssl_conf_get_min_major_ver( ssl->conf ),
+            MBEDTLS_SSL_MAJOR_VERSION_3 ) ||
+        mbedtls_ssl_ver_lt(
+            mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ),
+            MBEDTLS_SSL_MINOR_VERSION_3 ) ||
+        mbedtls_ssl_ver_gt(
+            mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ),
+            MBEDTLS_SSL_MINOR_VERSION_3 ) ||
         mbedtls_ssl_conf_is_renegotiation_enabled( ssl->conf ) )
     {
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
@@ -11938,11 +11965,11 @@
 #endif /* !MBEDTLS_SSL_CONF_MAX_MINOR_VER */
 
 #if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
-            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
-            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
-            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
-            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
-                                   ssl_preset_suiteb_ciphersuites;
+            conf->ciphersuite_list[0] =
+            conf->ciphersuite_list[1] =
+            conf->ciphersuite_list[2] =
+            conf->ciphersuite_list[3] =
+                ssl_preset_suiteb_ciphersuites;
 #endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
@@ -11990,11 +12017,11 @@
 #endif /* !MBEDTLS_SSL_CONF_MAX_MINOR_VER */
 
 #if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
-            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
-            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
-            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
-            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
-                                   mbedtls_ssl_list_ciphersuites();
+            conf->ciphersuite_list[0] =
+            conf->ciphersuite_list[1] =
+            conf->ciphersuite_list[2] =
+            conf->ciphersuite_list[3] =
+                mbedtls_ssl_list_ciphersuites();
 #endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)

diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 788793a..5c13f8a 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c

@@ -69,6 +69,8 @@
 #include "mbedtls/debug.h"
 #include "mbedtls/timing.h"
 
+#include "mbedtls/ssl_internal.h"
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -1506,14 +1508,18 @@
             mbedtls_ssl_ciphersuite_from_id( opt.force_ciphersuite[0] );
 
         if( opt.max_version != -1 &&
-            mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ) > opt.max_version )
+            mbedtls_ssl_ver_gt(
+                mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ),
+                opt.max_version ) )
         {
             mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
             ret = 2;
             goto usage;
         }
         if( opt.min_version != -1 &&
-            mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ) < opt.min_version )
+            mbedtls_ssl_ver_lt(
+                mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ),
+                opt.min_version ) )
         {
             mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
             ret = 2;
@@ -1523,17 +1529,24 @@
         /* If the server selects a version that's not supported by
          * this suite, then there will be no common ciphersuite... */
         if( opt.max_version == -1 ||
-            opt.max_version > mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ) )
+            mbedtls_ssl_ver_gt(
+                opt.max_version,
+                mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ) ) )
         {
             opt.max_version = mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info );
         }
-        if( opt.min_version < mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ) )
+        if( mbedtls_ssl_ver_lt(
+                opt.min_version,
+                mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ) ) )
         {
             opt.min_version = mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info );
             /* DTLS starts with TLS 1.1 */
             if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
-                opt.min_version < MBEDTLS_SSL_MINOR_VERSION_2 )
+                mbedtls_ssl_ver_lt( opt.min_version,
+                                    MBEDTLS_SSL_MINOR_VERSION_2 ) )
+            {
                 opt.min_version = MBEDTLS_SSL_MINOR_VERSION_2;
+            }
         }
 
         /* Enable RC4 if needed and not explicitly disabled */

diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 890725e..a7b5b4d 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c

@@ -68,6 +68,8 @@
 #include "mbedtls/debug.h"
 #include "mbedtls/timing.h"
 
+#include "mbedtls/ssl_internal.h"
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -2232,14 +2234,18 @@
             mbedtls_ssl_ciphersuite_from_id( opt.force_ciphersuite[0] );
 
         if( opt.max_version != -1 &&
-            mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ) > opt.max_version )
+            mbedtls_ssl_ver_gt(
+                mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ),
+                opt.max_version ) )
         {
             mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
             ret = 2;
             goto usage;
         }
         if( opt.min_version != -1 &&
-            mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ) < opt.min_version )
+            mbedtls_ssl_ver_lt(
+                mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ),
+                opt.min_version ) )
         {
             mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
             ret = 2;
@@ -2249,17 +2255,24 @@
         /* If we select a version that's not supported by
          * this suite, then there will be no common ciphersuite... */
         if( opt.max_version == -1 ||
-            opt.max_version > mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ) )
+            mbedtls_ssl_ver_gt(
+                opt.max_version,
+                mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ) ) )
         {
             opt.max_version = mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info );
         }
-        if( opt.min_version < mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ) )
+        if( mbedtls_ssl_ver_lt(
+                opt.min_version,
+                mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ) ) )
         {
             opt.min_version = mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info );
             /* DTLS starts with TLS 1.1 */
             if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
-                opt.min_version < MBEDTLS_SSL_MINOR_VERSION_2 )
+                mbedtls_ssl_ver_lt( opt.min_version,
+                                    MBEDTLS_SSL_MINOR_VERSION_2 ) )
+            {
                 opt.min_version = MBEDTLS_SSL_MINOR_VERSION_2;
+            }
         }
 
         /* Enable RC4 if needed and not explicitly disabled */

diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index b177779..268d56c 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function

@@ -121,7 +121,7 @@
         CHK( mbedtls_md_setup( &t_in->md_ctx_enc,  md_info, 1 ) == 0 );
         CHK( mbedtls_md_setup( &t_in->md_ctx_dec,  md_info, 1 ) == 0 );
 
-        if( ver > MBEDTLS_SSL_MINOR_VERSION_0 )
+        if( mbedtls_ssl_ver_gt( ver, MBEDTLS_SSL_MINOR_VERSION_0 ) )
         {
             CHK( mbedtls_md_hmac_starts( &t_in->md_ctx_enc,
                                          md0, maclen ) == 0 );
commit	7bcf2b5875d3d6b052ba94aa1f46a66e9eb33032	[log] [tgz]
author	Hanno Becker <hanno.becker@arm.com>	Fri Jul 26 09:02:40 2019 +0100
committer	Hanno Becker <hanno.becker@arm.com>	Thu Sep 05 17:37:55 2019 +0100
tree	e7230dd70e1a720c1e010a0b14f87dfee7ac675b
parent	baac25d2bf2c17d024a9896aaba0d6af37c8b7a9 [diff]