Allow hardcoding of min/max minor/major SSL version at compile-time
This commit introduces the numeric compile-time constants
- MBEDTLS_SSL_CONF_MIN_MINOR_VER
- MBEDTLS_SSL_CONF_MAX_MINOR_VER
- MBEDTLS_SSL_CONF_MIN_MAJOR_VER
- MBEDTLS_SSL_CONF_MAX_MAJOR_VER
which, when defined, overwrite the runtime configurable fields
mbedtls_ssl_config::min_major_ver etc. in the SSL configuration.
As for the preceding case of the ExtendedMasterSecret configuration,
it also introduces and puts to use getter functions for these variables
which evaluate to either a field access or the macro value, maintaining
readability of the code.
The runtime configuration API mbedtls_ssl_conf_{min|max}_version()
is kept for now but has no effect if MBEDTLS_SSL_CONF_XXX are set.
This is likely to be changed in a later commit but deliberately omitted
for now, in order to be able to study code-size benefits earlier in the
process.
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index d45f3d3..7291fd7 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -180,8 +180,11 @@
*olen = 0;
- if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+ if( mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) !=
+ MBEDTLS_SSL_MINOR_VERSION_3 )
+ {
return;
+ }
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
@@ -558,7 +561,8 @@
*olen = 0;
if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
- ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+ mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ==
+ MBEDTLS_SSL_MINOR_VERSION_0 )
{
return;
}
@@ -593,7 +597,8 @@
if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
- ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+ mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ==
+ MBEDTLS_SSL_MINOR_VERSION_0 )
{
return;
}
@@ -788,7 +793,6 @@
if( suite_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
return( 1 );
-
if( mbedtls_ssl_suite_get_min_minor_ver( suite_info ) > max_minor_ver ||
mbedtls_ssl_suite_get_max_minor_ver( suite_info ) < min_minor_ver )
{
@@ -846,11 +850,11 @@
if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE )
{
- ssl->major_ver = ssl->conf->min_major_ver;
- ssl->minor_ver = ssl->conf->min_minor_ver;
+ ssl->major_ver = mbedtls_ssl_conf_get_min_major_ver( ssl->conf );
+ ssl->minor_ver = mbedtls_ssl_conf_get_min_minor_ver( ssl->conf );
}
- if( ssl->conf->max_major_ver == 0 )
+ if( mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) == 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
"consider using mbedtls_ssl_config_defaults()" ) );
@@ -867,8 +871,9 @@
buf = ssl->out_msg;
p = buf + 4;
- mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
- ssl->conf->transport, p );
+ mbedtls_ssl_write_version( mbedtls_ssl_conf_get_max_major_ver( ssl->conf ),
+ mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ),
+ ssl->conf->transport, p );
p += 2;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
@@ -981,8 +986,8 @@
ciphersuite_info )
{
if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
- ssl->conf->min_minor_ver,
- ssl->conf->max_minor_ver ) != 0 )
+ mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ),
+ mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) != 0 )
{
continue;
}
@@ -1563,8 +1568,8 @@
*/
if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
- major_ver > ssl->conf->max_major_ver ||
- minor_ver > ssl->conf->max_minor_ver )
+ major_ver > mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) ||
+ minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
@@ -1715,16 +1720,18 @@
mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
ssl->conf->transport, buf + 0 );
- if( ssl->major_ver < ssl->conf->min_major_ver ||
- ssl->minor_ver < ssl->conf->min_minor_ver ||
- ssl->major_ver > ssl->conf->max_major_ver ||
- ssl->minor_ver > ssl->conf->max_minor_ver )
+ if( ssl->major_ver < mbedtls_ssl_conf_get_min_major_ver( ssl->conf ) ||
+ ssl->minor_ver < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ||
+ ssl->major_ver > mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) ||
+ ssl->minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
" min: [%d:%d], server: [%d:%d], max: [%d:%d]",
- ssl->conf->min_major_ver, ssl->conf->min_minor_ver,
+ mbedtls_ssl_conf_get_min_major_ver( ssl->conf ),
+ mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ),
ssl->major_ver, ssl->minor_ver,
- ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
+ mbedtls_ssl_conf_get_max_major_ver( ssl->conf ),
+ mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
@@ -1886,8 +1893,8 @@
ciphersuite_info )
{
if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
- ssl->conf->min_minor_ver,
- ssl->conf->max_minor_ver ) != 0 )
+ mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ),
+ mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) != 0 )
{
continue;
}
@@ -2360,8 +2367,9 @@
* opaque random[46];
* } PreMasterSecret;
*/
- mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
- ssl->conf->transport, p );
+ mbedtls_ssl_write_version( mbedtls_ssl_conf_get_max_major_ver( ssl->conf ),
+ mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ),
+ ssl->conf->transport, p );
if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf )
( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index e743eff..553ded2 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -1090,15 +1090,17 @@
}
ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
- ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver )
- ? buf[4] : ssl->conf->max_minor_ver;
+ ssl->minor_ver =
+ ( buf[4] <= mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
+ ? buf[4] : mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );
- if( ssl->minor_ver < ssl->conf->min_minor_ver )
+ if( ssl->minor_ver < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
" [%d:%d] < [%d:%d]",
ssl->major_ver, ssl->minor_ver,
- ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
+ mbedtls_ssl_conf_get_min_major_ver( ssl->conf ),
+ mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
@@ -1213,7 +1215,8 @@
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
- if( ssl->minor_ver < ssl->conf->max_minor_ver )
+ if( ssl->minor_ver <
+ mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
@@ -1624,25 +1627,26 @@
ssl->handshake->max_major_ver = ssl->major_ver;
ssl->handshake->max_minor_ver = ssl->minor_ver;
- if( ssl->major_ver < ssl->conf->min_major_ver ||
- ssl->minor_ver < ssl->conf->min_minor_ver )
+ if( ssl->major_ver < mbedtls_ssl_conf_get_min_major_ver( ssl->conf ) ||
+ ssl->minor_ver < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
" [%d:%d] < [%d:%d]",
ssl->major_ver, ssl->minor_ver,
- ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
+ mbedtls_ssl_conf_get_min_major_ver( ssl->conf ),
+ mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
}
- if( ssl->major_ver > ssl->conf->max_major_ver )
+ if( ssl->major_ver > mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) )
{
- ssl->major_ver = ssl->conf->max_major_ver;
- ssl->minor_ver = ssl->conf->max_minor_ver;
+ ssl->major_ver = mbedtls_ssl_conf_get_max_major_ver( ssl->conf );
+ ssl->minor_ver = mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );
}
- else if( ssl->minor_ver > ssl->conf->max_minor_ver )
- ssl->minor_ver = ssl->conf->max_minor_ver;
+ else if( ssl->minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
+ ssl->minor_ver = mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );
/*
* Save client random (inc. Unix time)
@@ -2019,7 +2023,8 @@
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
- if( ssl->minor_ver < ssl->conf->max_minor_ver )
+ if( ssl->minor_ver <
+ mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 2a2d321..0c4ba9a 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4705,7 +4705,7 @@
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
}
- if( minor_ver > ssl->conf->max_minor_ver )
+ if( minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
@@ -8717,14 +8717,42 @@
void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
{
+#if defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER) && \
+ defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER)
+ ((void) conf);
+#endif
+
+#if !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
conf->max_major_ver = major;
+#else
+ ((void) major);
+#endif /* MBEDTLS_SSL_CONF_MAX_MAJOR_VER */
+
+#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER)
conf->max_minor_ver = minor;
+#else
+ ((void) minor);
+#endif /* !MBEDTLS_SSL_CONF_MAX_MINOR_VER */
}
void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
{
+#if defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) && \
+ defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER)
+ ((void) conf);
+#endif
+
+#if !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
conf->min_major_ver = major;
+#else
+ ((void) major);
+#endif /* MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
+
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER)
conf->min_minor_ver = minor;
+#else
+ ((void) minor);
+#endif /* !MBEDTLS_SSL_CONF_MIN_MINOR_VER */
}
#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
@@ -10961,10 +10989,18 @@
* NSA Suite B
*/
case MBEDTLS_SSL_PRESET_SUITEB:
+#if !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
+#endif /* !MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER)
conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
+#endif /* !MBEDTLS_SSL_CONF_MIN_MINOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
+#endif /* !MBEDTLS_SSL_CONF_MAX_MAJOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER)
conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
+#endif /* !MBEDTLS_SSL_CONF_MAX_MINOR_VER */
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
@@ -10991,21 +11027,28 @@
* Default
*/
default:
+#if !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
MBEDTLS_SSL_MIN_MAJOR_VERSION :
MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
+#endif /* !MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER)
conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
MBEDTLS_SSL_MIN_MINOR_VERSION :
MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
- conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
- conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
-
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) )
conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
#endif
+#endif /* !MBEDTLS_SSL_CONF_MIN_MINOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
+ conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
+#endif /* !MBEDTLS_SSL_CONF_MAX_MAJOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER)
+ conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
+#endif /* !MBEDTLS_SSL_CONF_MAX_MINOR_VER */
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =