commit 2dfcea2b9dd58ffd68fac4d024c52d2968779d6e
author Glenn Strauss <gstrauss@gluelogic.com> Mon Mar 14 17:26:42 2022 -0400
committer Glenn Strauss <gstrauss@gluelogic.com> Thu Apr 14 15:39:43 2022 -0400
tree 55e2b0c4067dba817b725b6c77919660f4031ccb
parent da7851c8250809a7bf62e9e55ca90690daf59ebf

mbedtls_ssl_config min_tls_version, max_tls_version

Store the TLS version in tls_version instead of major, minor version num

Note: existing application use which accesses the struct member
(using MBEDTLS_PRIVATE) is not compatible on little-endian platforms,
but is compatible on big-endian platforms.  For systems supporting
only TLSv1.2, the underlying values are the same (=> 3).

New setter functions are more type-safe,
taking argument as enum mbedtls_ssl_protocol_version:
mbedtls_ssl_conf_max_tls_version()
mbedtls_ssl_conf_min_tls_version()

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index fa6220d..b3f132d 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2155,14 +2155,12 @@
 
 void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
 {
-    conf->max_major_ver = major;
-    conf->max_minor_ver = minor;
+    conf->max_tls_version = (major << 8) | minor;
 }
 
 void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
 {
-    conf->min_major_ver = major;
-    conf->min_minor_ver = minor;
+    conf->min_tls_version = (major << 8) | minor;
 }
 
 #if defined(MBEDTLS_SSL_SRV_C)
@@ -3577,10 +3575,8 @@
      * least check it matches the requirements for serializing.
      */
     if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
-        ssl->conf->max_major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
-        ssl->conf->min_major_ver > MBEDTLS_SSL_MAJOR_VERSION_3 ||
-        ssl->conf->max_minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ||
-        ssl->conf->min_minor_ver > MBEDTLS_SSL_MINOR_VERSION_3 ||
+        ssl->conf->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2 ||
+        ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 ||
 #if defined(MBEDTLS_SSL_RENEGOTIATION)
         ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
 #endif
@@ -4250,6 +4246,32 @@
     conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 
+    if( ( endpoint == MBEDTLS_SSL_IS_SERVER ) ||
+        ( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) )
+    {
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
+        conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
+#else
+        return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+#endif
+    }
+    else
+    {
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
+        conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
+        conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
+#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
+        conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
+        conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
+#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
+        conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
+#else
+        return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+#endif
+    }
+
     /*
      * Preset-specific defaults
      */
@@ -4259,30 +4281,7 @@
          * NSA Suite B
          */
         case MBEDTLS_SSL_PRESET_SUITEB:
-            conf->min_major_ver = MBEDTLS_SSL_MIN_MAJOR_VERSION;
-            conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
 
-            if( ( endpoint == MBEDTLS_SSL_IS_SERVER ) ||
-                ( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) )
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-            {
-                conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
-                conf->max_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
-            }
-#else
-            {
-                conf->min_major_ver = 0;
-                conf->max_major_ver = 0;
-                conf->min_minor_ver = 0;
-                conf->max_minor_ver = 0;
-                return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
-            }
-#endif
-            else
-            {
-                conf->min_minor_ver = MBEDTLS_SSL_MIN_MINOR_VERSION;
-                conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
-            }
             conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites;
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
@@ -4311,30 +4310,6 @@
          * Default
          */
         default:
-            conf->min_major_ver = MBEDTLS_SSL_MIN_MAJOR_VERSION;
-            conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
-
-            if( ( endpoint == MBEDTLS_SSL_IS_SERVER ) ||
-                ( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) )
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-            {
-                conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
-                conf->max_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
-            }
-#else
-            {
-                conf->min_major_ver = 0;
-                conf->max_major_ver = 0;
-                conf->min_minor_ver = 0;
-                conf->max_minor_ver = 0;
-                return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
-            }
-#endif
-            else
-            {
-                conf->min_minor_ver = MBEDTLS_SSL_MIN_MINOR_VERSION;
-                conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
-            }
 
             conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites();