Introduce getter function for max/min SSL version This is a first step towards hardcoding ssl->{major|minor}_ver in configurations which accept only a single version.

commit: 2881d8013873736e39cbeafa97892d1dcf14a57c [log] [tgz]
author: Hanno Becker <hanno.becker@arm.com> Wed May 22 14:44:53 2019 +0100
committer: Hanno Becker <hanno.becker@arm.com> Fri Jul 12 15:15:06 2019 +0100
tree: 3b9fd2c11f67bc2923a5c7f4a198ac066c252a66
parent: 3fa1ee567caae5f65ac373ba88c7f9cf7e0aed90 [diff] [blame]
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 38c841d..84cb04b 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c

@@ -536,7 +536,7 @@
     ((void) buf);
 
     if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
-        ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
+        mbedtls_ssl_get_minor_ver( ssl ) != MBEDTLS_SSL_MINOR_VERSION_0 )
     {
         ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
     }
@@ -864,7 +864,7 @@
          * present them a SHA-higher cert rather than failing if it's the only
          * one we got that satisfies the other conditions.
          */
-        if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
+        if( mbedtls_ssl_get_minor_ver( ssl ) < MBEDTLS_SSL_MINOR_VERSION_3 )
         {
             mbedtls_md_type_t sig_md;
             {
@@ -930,8 +930,10 @@
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s",
                                 mbedtls_ssl_suite_get_name( suite_info ) ) );
 
-    if( mbedtls_ssl_suite_get_min_minor_ver( suite_info ) > ssl->minor_ver ||
-        mbedtls_ssl_suite_get_max_minor_ver( suite_info ) < ssl->minor_ver )
+    if( mbedtls_ssl_suite_get_min_minor_ver( suite_info )
+          > mbedtls_ssl_get_minor_ver( ssl ) ||
+        mbedtls_ssl_suite_get_max_minor_ver( suite_info )
+          < mbedtls_ssl_get_minor_ver( ssl ) )
     {
         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
         return( 0 );
@@ -993,7 +995,7 @@
     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
     /* If the ciphersuite requires signing, check whether
      * a suitable hash algorithm is present. */
-    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
     {
         sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
         if( sig_type != MBEDTLS_PK_NONE &&
@@ -1094,11 +1096,12 @@
         ( buf[4] <= mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
         ? buf[4]  : mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );
 
-    if( ssl->minor_ver < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) )
+    if( mbedtls_ssl_get_minor_ver( ssl ) < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
                             " [%d:%d] < [%d:%d]",
-                            ssl->major_ver, ssl->minor_ver,
+                            mbedtls_ssl_get_major_ver( ssl ),
+                            mbedtls_ssl_get_minor_ver( ssl ),
                             mbedtls_ssl_conf_get_min_major_ver( ssl->conf ),
                             mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ) );
 
@@ -1215,7 +1218,7 @@
         {
             MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
 
-            if( ssl->minor_ver <
+            if( mbedtls_ssl_get_minor_ver( ssl ) <
                 mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
             {
                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
@@ -1804,7 +1807,8 @@
 
     /* Do not parse the extensions if the protocol is SSLv3 */
 #if defined(MBEDTLS_SSL_PROTO_SSL3)
-    if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
+    if( ( mbedtls_ssl_get_major_ver( ssl ) != 3 ) ||
+        ( mbedtls_ssl_get_minor_ver( ssl ) != 0 ) )
     {
 #endif
         /*
@@ -2030,7 +2034,7 @@
         {
             MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
 
-            if( ssl->minor_ver <
+            if( mbedtls_ssl_get_minor_ver( ssl ) <
                 mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
             {
                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
@@ -2243,7 +2247,7 @@
 #if defined(MBEDTLS_DEBUG_C)                         && \
     defined(MBEDTLS_SSL_PROTO_TLS1_2)                && \
     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
-    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
     {
         mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(
                 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) );
@@ -2351,7 +2355,7 @@
     const mbedtls_cipher_info_t *cipher = NULL;
 
     if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
-        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+        mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
     {
         *olen = 0;
         return;
@@ -2401,7 +2405,7 @@
 
     if( mbedtls_ssl_hs_get_extended_ms( ssl->handshake )
           == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
-        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+        mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
     {
         *olen = 0;
         return;
@@ -2645,8 +2649,9 @@
 
     /* The RFC is not clear on this point, but sending the actual negotiated
      * version looks like the most interoperable thing to do. */
-    mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
-                       ssl->conf->transport, p );
+    mbedtls_ssl_write_version( mbedtls_ssl_get_major_ver( ssl ),
+                               mbedtls_ssl_get_minor_ver( ssl ),
+                               ssl->conf->transport, p );
     MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
     p += 2;
 
@@ -2738,8 +2743,9 @@
     buf = ssl->out_msg;
     p = buf + 4;
 
-    mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
-                       ssl->conf->transport, p );
+    mbedtls_ssl_write_version( mbedtls_ssl_get_major_ver( ssl ),
+                               mbedtls_ssl_get_minor_ver( ssl ),
+                               ssl->conf->transport, p );
     p += 2;
 
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
@@ -2867,7 +2873,7 @@
 
     /* Do not write the extensions if the protocol is SSLv3 */
 #if defined(MBEDTLS_SSL_PROTO_SSL3)
-    if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
+    if( ( mbedtls_ssl_get_major_ver( ssl ) != 3 ) || ( mbedtls_ssl_get_minor_ver( ssl ) != 0 ) )
     {
 #endif
 
@@ -3049,7 +3055,7 @@
      *     enum { (255) } HashAlgorithm;
      *     enum { (255) } SignatureAlgorithm;
      */
-    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
     {
         const int *cur;
 
@@ -3407,7 +3413,7 @@
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
         mbedtls_pk_type_t sig_alg =
             mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
-        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+        if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
         {
             /* A: For TLS 1.2, obey signature-hash-algorithm extension
              *    (RFC 5246, Sec. 7.4.1.4.1). */
@@ -3483,7 +3489,7 @@
          * 2.3: Compute and add the signature
          */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+        if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
         {
             /*
              * For TLS 1.2, we need to specify signature and hash algorithm
@@ -3787,7 +3793,7 @@
 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
     defined(MBEDTLS_SSL_PROTO_TLS1_2)
 #if defined(MBEDTLS_SSL_PROTO_SSL3)
-    if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
+     if( mbedtls_ssl_get_minor_ver( ssl ) != MBEDTLS_SSL_MINOR_VERSION_0 )
 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
     {
         if( len < 2 )
@@ -4407,7 +4413,7 @@
      */
 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
     defined(MBEDTLS_SSL_PROTO_TLS1_1)
-    if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+    if( mbedtls_ssl_get_minor_ver( ssl ) != MBEDTLS_SSL_MINOR_VERSION_3 )
     {
         md_alg = MBEDTLS_MD_NONE;
         hashlen = 36;
@@ -4424,7 +4430,7 @@
 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
           MBEDTLS_SSL_PROTO_TLS1_1 */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
     {
         if( i + 2 > ssl->in_hslen )
         {
commit	2881d8013873736e39cbeafa97892d1dcf14a57c	[log] [tgz]
author	Hanno Becker <hanno.becker@arm.com>	Wed May 22 14:44:53 2019 +0100
committer	Hanno Becker <hanno.becker@arm.com>	Fri Jul 12 15:15:06 2019 +0100
tree	3b9fd2c11f67bc2923a5c7f4a198ac066c252a66
parent	3fa1ee567caae5f65ac373ba88c7f9cf7e0aed90 [diff] [blame]