Hide constants for TLS 1.0 and TLS 1.1
ssl_server2 had a check that we never try to use a minor version lower
than 2 with DTLS, but that check is no longer needed, as there's no way
that would happen now that MBEDTLS_SSL_MINOR_VERSION_1 is no longer
public.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index b5b91f3..c6bd358 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -125,14 +125,10 @@
*/
/* These are the high an low bytes of ProtocolVersion as defined by:
- * - RFC 2246: ProtocolVersion version = { 3, 1 }; // TLS v1.0
- * - RFC 4346: ProtocolVersion version = { 3, 2 }; // TLS v1.1
* - RFC 5246: ProtocolVersion version = { 3, 3 }; // TLS v1.2
* - RFC 8446: see section 4.2.1
*/
#define MBEDTLS_SSL_MAJOR_VERSION_3 3
-#define MBEDTLS_SSL_MINOR_VERSION_1 1 /*!< TLS v1.0 deprecated */
-#define MBEDTLS_SSL_MINOR_VERSION_2 2 /*!< TLS v1.1 deprecated */
#define MBEDTLS_SSL_MINOR_VERSION_3 3 /*!< TLS v1.2 */
#define MBEDTLS_SSL_MINOR_VERSION_4 4 /*!< TLS v1.3 (experimental) */
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 00dcd07..1bda9c0 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -31,6 +31,7 @@
#include "mbedtls/ssl_ciphersuites.h"
#include "mbedtls/ssl.h"
+#include "ssl_misc.h"
#include <string.h>
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 73ffdef..e5ec131 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -65,6 +65,16 @@
#define inline __inline
#endif
+/* Legacy minor version numbers as defined by:
+ * - RFC 2246: ProtocolVersion version = { 3, 1 }; // TLS v1.0
+ * - RFC 4346: ProtocolVersion version = { 3, 2 }; // TLS v1.1
+ *
+ * We no longer support these versions, but some code still references those
+ * constants, for keep them for now until we clean up that code.
+ */
+#define MBEDTLS_SSL_MINOR_VERSION_1 1
+#define MBEDTLS_SSL_MINOR_VERSION_2 2
+
/* Determine minimum supported version */
#define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
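Review bot: The comment added above `MBEDTLS_SSL_MINOR_VERSION_1` has a slip in its last sentence ("for keep them for now"); I would write `constants, so keep them for now until we clean up that code.` and name the files that still use them so the clean-up can be tracked. Because the values stay defined for internal code (ssl_ciphersuites.c gains the include in this commit, presumably for its `min_minor_ver` entries), a 1 or 2 can probably still reach callers through `ciphersuite_info->min_minor_ver`. Hiding the macro therefore does not by itself make the DTLS clamp removed in the ssl_server2.c hunk unreachable, since that code copies `min_minor_ver` into `opt.min_version`. It is worth confirming that the configured minimum is still raised to the library's supported floor elsewhere, which these hunks do not show.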
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 0e7b7f9..151c811 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -2027,10 +2027,6 @@
if( opt.min_version < ciphersuite_info->min_minor_ver )
{
opt.min_version = ciphersuite_info->min_minor_ver;
- /* DTLS starts with TLS 1.1 */
- if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
- opt.min_version < MBEDTLS_SSL_MINOR_VERSION_2 )
- opt.min_version = MBEDTLS_SSL_MINOR_VERSION_2;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)