mbedtls_ssl_(read|write)_version using tls_version
remove use of MBEDTLS_SSL_MINOR_VERSION_*
remove use of MBEDTLS_SSL_MAJOR_VERSION_*
(only remaining use is in tests/suites/test_suite_ssl.data)
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
diff --git a/library/ssl_client.c b/library/ssl_client.c
index f173097..731b44f 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -602,9 +602,8 @@
* In all cases this is the TLS 1.2 version.
*/
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
- mbedtls_ssl_write_version( MBEDTLS_SSL_MAJOR_VERSION_3,
- MBEDTLS_SSL_MINOR_VERSION_3,
- ssl->conf->transport, p );
+ mbedtls_ssl_write_version( p, ssl->conf->transport,
+ MBEDTLS_SSL_VERSION_TLS1_2 );
p += 2;
/* ...
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 9202300..672659d 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -59,35 +59,6 @@
#define inline __inline
#endif
-/* Legacy minor version numbers as defined by:
- * - RFC 2246: ProtocolVersion version = { 3, 1 }; // TLS v1.0
- * - RFC 4346: ProtocolVersion version = { 3, 2 }; // TLS v1.1
- *
- * We no longer support these versions, but some code still references those
- * constants as part of negotiating with the peer, so keep them available
- * internally.
- */
-#define MBEDTLS_SSL_MINOR_VERSION_1 1
-#define MBEDTLS_SSL_MINOR_VERSION_2 2
-
-/* Determine minimum supported version */
-#define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
-#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
-#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_4
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
-/* Determine maximum supported version */
-#define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_4
-#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
-#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
/* Shorthand for restartable ECC */
#if defined(MBEDTLS_ECP_RESTARTABLE) && \
defined(MBEDTLS_SSL_CLI_C) && \
@@ -1457,10 +1428,10 @@
uint32_t *flags );
#endif /* MBEDTLS_X509_CRT_PARSE_C */
-void mbedtls_ssl_write_version( int major, int minor, int transport,
- unsigned char ver[2] );
-void mbedtls_ssl_read_version( int *major, int *minor, int transport,
- const unsigned char ver[2] );
+void mbedtls_ssl_write_version( unsigned char version[2], int transport,
+ mbedtls_ssl_protocol_version tls_version );
+uint16_t mbedtls_ssl_read_version( const unsigned char version[2],
+ int transport );
static inline size_t mbedtls_ssl_in_hdr_len( const mbedtls_ssl_context *ssl )
{
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 0112951..f1e852e 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -2682,8 +2682,8 @@
if( tls_ver == MBEDTLS_SSL_VERSION_TLS1_3 )
tls_ver = MBEDTLS_SSL_VERSION_TLS1_2;
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
- mbedtls_ssl_write_version( tls_ver >> 8, tls_ver & 0xFF,
- ssl->conf->transport, ssl->out_hdr + 1 );
+ mbedtls_ssl_write_version( ssl->out_hdr + 1, ssl->conf->transport,
+ tls_ver );
memcpy( ssl->out_ctr, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN );
MBEDTLS_PUT_UINT16_BE( len, ssl->out_len, 0);
@@ -2698,8 +2698,7 @@
rec.data_offset = ssl->out_msg - rec.buf;
memcpy( &rec.ctr[0], ssl->out_ctr, sizeof( rec.ctr ) );
- mbedtls_ssl_write_version( tls_ver >> 8, tls_ver & 0xFF,
- ssl->conf->transport, rec.ver );
+ mbedtls_ssl_write_version( rec.ver, ssl->conf->transport, tls_ver );
rec.type = ssl->out_msgtype;
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
@@ -3421,7 +3420,7 @@
size_t len,
mbedtls_record *rec )
{
- int major_ver, minor_ver;
+ mbedtls_ssl_protocol_version tls_version;
size_t const rec_hdr_type_offset = 0;
size_t const rec_hdr_type_len = 1;
@@ -3531,11 +3530,10 @@
rec->ver[0] = buf[ rec_hdr_version_offset + 0 ];
rec->ver[1] = buf[ rec_hdr_version_offset + 1 ];
- mbedtls_ssl_read_version( &major_ver, &minor_ver,
- ssl->conf->transport,
- &rec->ver[0] );
+ tls_version = mbedtls_ssl_read_version( buf + rec_hdr_version_offset,
+ ssl->conf->transport );
- if( ( ( major_ver << 8 ) | minor_ver ) > ssl->conf->max_tls_version )
+ if( tls_version > ssl->conf->max_tls_version )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS version mismatch" ) );
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
@@ -3569,9 +3567,8 @@
MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", buf, rec->data_offset );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %u, "
- "version = [%d:%d], msglen = %" MBEDTLS_PRINTF_SIZET,
- rec->type,
- major_ver, minor_ver, rec->data_len ) );
+ "version = [0x%x], msglen = %" MBEDTLS_PRINTF_SIZET,
+ rec->type, (unsigned)tls_version, rec->data_len ) );
rec->buf = buf;
rec->buf_len = rec->data_offset + rec->data_len;
@@ -5810,51 +5807,35 @@
* and, for DTLS, to/from TLS equivalent.
*
* For TLS this is the identity.
- * For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
+ * For DTLS, map as follows, then use 1's complement (v -> ~v):
* 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
+ * DTLS 1.0 is stored as TLS 1.1 internally
*/
-void mbedtls_ssl_write_version( int major, int minor, int transport,
- unsigned char ver[2] )
+void mbedtls_ssl_write_version( unsigned char version[2], int transport,
+ mbedtls_ssl_protocol_version tls_version )
{
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
- {
- if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
- --minor; /* DTLS 1.0 stored as TLS 1.1 internally */
-
- ver[0] = (unsigned char)( 255 - ( major - 2 ) );
- ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
- }
- else
+ tls_version =
+ ~( tls_version - ( tls_version == 0x0302 ? 0x0202 : 0x0201 ) );
#else
((void) transport);
#endif
- {
- ver[0] = (unsigned char) major;
- ver[1] = (unsigned char) minor;
- }
+ MBEDTLS_PUT_UINT16_BE( tls_version, version, 0 );
}
-void mbedtls_ssl_read_version( int *major, int *minor, int transport,
- const unsigned char ver[2] )
+uint16_t mbedtls_ssl_read_version( const unsigned char version[2],
+ int transport )
{
+ uint16_t tls_version = MBEDTLS_GET_UINT16_BE( version, 0 );
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
- {
- *major = 255 - ver[0] + 2;
- *minor = 255 - ver[1] + 1;
-
- if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
- ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */
- }
- else
+ tls_version =
+ ~( tls_version - ( tls_version == 0xfeff ? 0x0202 : 0x0201 ) );
#else
((void) transport);
#endif
- {
- *major = ver[0];
- *minor = ver[1];
- }
+ return tls_version;
}
/*
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index 451d871..8f5ab9b 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -1121,7 +1121,7 @@
static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
{
const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
- int major_ver, minor_ver;
+ mbedtls_ssl_protocol_version tls_version;
unsigned char cookie_len;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
@@ -1146,16 +1146,15 @@
* } HelloVerifyRequest;
*/
MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
- mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
+ tls_version = mbedtls_ssl_read_version( p, ssl->conf->transport );
p += 2;
/*
* Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
- * even is lower than our min version.
+ * even if lower than our min version.
*/
- if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
- minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
- ( ( major_ver << 8 ) | minor_ver ) > ssl->conf->max_tls_version )
+ if( tls_version < 0x0302 || /* TLSv1.1 */
+ tls_version > ssl->conf->max_tls_version )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
@@ -1212,7 +1211,6 @@
#endif
int handshake_failure = 0;
const mbedtls_ssl_ciphersuite_t *suite_info;
- int major_ver, minor_ver;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
@@ -1297,10 +1295,8 @@
*/
buf += mbedtls_ssl_hs_hdr_len( ssl );
- MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
- mbedtls_ssl_read_version( &major_ver, &minor_ver,
- ssl->conf->transport, buf + 0 );
- ssl->tls_version = ( major_ver << 8 ) | minor_ver;
+ MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf, 2 );
+ ssl->tls_version = mbedtls_ssl_read_version( buf, ssl->conf->transport );
ssl->session_negotiate->tls_version = ssl->tls_version;
if( ssl->tls_version < ssl->conf->min_tls_version ||
@@ -1988,9 +1984,8 @@
* opaque random[46];
* } PreMasterSecret;
*/
- mbedtls_ssl_write_version( MBEDTLS_SSL_MAJOR_VERSION_3,
- MBEDTLS_SSL_MINOR_VERSION_3,
- ssl->conf->transport, p );
+ mbedtls_ssl_write_version( p, ssl->conf->transport,
+ MBEDTLS_SSL_VERSION_TLS1_2 );
if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
{
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 3ce7fb2..49cda3f 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -1147,7 +1147,6 @@
int handshake_failure = 0;
const int *ciphersuites;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
- int major, minor;
/* If there is no signature-algorithm extension present,
* we need to fall back to the default values for allowed
@@ -1206,13 +1205,11 @@
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, protocol version: [%d:%d]",
buf[1], buf[2] ) );
- mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 );
-
/* According to RFC 5246 Appendix E.1, the version here is typically
* "{03,00}, the lowest version number supported by the client, [or] the
* value of ClientHello.client_version", so the only meaningful check here
* is the major version shouldn't be less than 3 */
- if( major < MBEDTLS_SSL_MAJOR_VERSION_3 )
+ if( mbedtls_ssl_read_version( buf + 1, ssl->conf->transport ) < 0x0300 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
@@ -1405,8 +1402,7 @@
*/
MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
- mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf );
- ssl->tls_version = ( major << 8 ) | minor;
+ ssl->tls_version = mbedtls_ssl_read_version( buf, ssl->conf->transport );
ssl->session_negotiate->tls_version = ssl->tls_version;
if( ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2 )
@@ -2354,8 +2350,7 @@
/* The RFC is not clear on this point, but sending the actual negotiated
* version looks like the most interoperable thing to do. */
- mbedtls_ssl_write_version( ssl->tls_version >> 8, ssl->tls_version & 0xFF,
- ssl->conf->transport, p );
+ mbedtls_ssl_write_version( p, ssl->conf->transport, ssl->tls_version );
MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
p += 2;
@@ -2494,8 +2489,7 @@
buf = ssl->out_msg;
p = buf + 4;
- mbedtls_ssl_write_version( ssl->tls_version >> 8, ssl->tls_version & 0xFF,
- ssl->conf->transport, p );
+ mbedtls_ssl_write_version( p, ssl->conf->transport, ssl->tls_version );
p += 2;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
@@ -3734,9 +3728,8 @@
return( ret );
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
- mbedtls_ssl_write_version( MBEDTLS_SSL_MAJOR_VERSION_3,
- MBEDTLS_SSL_MINOR_VERSION_3,
- ssl->conf->transport, ver );
+ mbedtls_ssl_write_version( ver, ssl->conf->transport,
+ ssl->session_negotiate->tls_version );
/* Avoid data-dependent branches while checking for invalid
* padding, to protect against timing-based Bleichenbacher-type
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index d7748b7..acb4865 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -75,17 +75,15 @@
* They are defined by the configuration.
* Currently, we advertise only TLS 1.3 or both TLS 1.3 and TLS 1.2.
*/
- mbedtls_ssl_write_version( MBEDTLS_SSL_MAJOR_VERSION_3,
- MBEDTLS_SSL_MINOR_VERSION_4,
- MBEDTLS_SSL_TRANSPORT_STREAM, p );
+ mbedtls_ssl_write_version( p, MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_VERSION_TLS1_3 );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [3:4]" ) );
if( ssl->handshake->min_minor_ver <= MBEDTLS_SSL_MINOR_VERSION_3 )
{
- mbedtls_ssl_write_version( MBEDTLS_SSL_MAJOR_VERSION_3,
- MBEDTLS_SSL_MINOR_VERSION_3,
- MBEDTLS_SSL_TRANSPORT_STREAM, p + 2 );
+ mbedtls_ssl_write_version( p + 2, MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_VERSION_TLS1_2 );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [3:3]" ) );
}
@@ -101,8 +99,8 @@
((void) ssl);
MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 2 );
- if( buf[0] != MBEDTLS_SSL_MAJOR_VERSION_3 ||
- buf[1] != MBEDTLS_SSL_MINOR_VERSION_4 )
+ if( mbedtls_ssl_read_version( buf, ssl->conf->transport ) !=
+ MBEDTLS_SSL_VERSION_TLS1_3 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "unexpected version" ) );
@@ -1026,8 +1024,8 @@
* with ProtocolVersion defined as:
* uint16 ProtocolVersion;
*/
- if( !( p[0] == MBEDTLS_SSL_MAJOR_VERSION_3 &&
- p[1] == MBEDTLS_SSL_MINOR_VERSION_3 ) )
+ if( mbedtls_ssl_read_version( p, ssl->conf->transport ) !=
+ MBEDTLS_SSL_VERSION_TLS1_2 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,