commit 2dfcea2b9dd58ffd68fac4d024c52d2968779d6e
author Glenn Strauss <gstrauss@gluelogic.com> Mon Mar 14 17:26:42 2022 -0400
committer Glenn Strauss <gstrauss@gluelogic.com> Thu Apr 14 15:39:43 2022 -0400
tree 55e2b0c4067dba817b725b6c77919660f4031ccb
parent da7851c8250809a7bf62e9e55ca90690daf59ebf

mbedtls_ssl_config min_tls_version, max_tls_version

Store the TLS version in tls_version instead of major, minor version num

Note: existing application use which accesses the struct member
(using MBEDTLS_PRIVATE) is not compatible on little-endian platforms,
but is compatible on big-endian platforms.  For systems supporting
only TLSv1.2, the underlying values are the same (=> 3).

New setter functions are more type-safe,
taking argument as enum mbedtls_ssl_protocol_version:
mbedtls_ssl_conf_max_tls_version()
mbedtls_ssl_conf_min_tls_version()

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>

library/ssl_tls12_client.c

diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index f0a58db..1607a8b 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -1155,8 +1155,7 @@
      */
     if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
         minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
-        major_ver > ssl->conf->max_major_ver  ||
-        minor_ver > ssl->conf->max_minor_ver  )
+        ( ( major_ver << 8 ) | minor_ver ) > ssl->conf->max_tls_version )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
 
@@ -1302,18 +1301,16 @@
                       ssl->conf->transport, buf + 0 );
     ssl->session_negotiate->tls_version = 0x0300 | ssl->minor_ver;
 
-    if( ssl->major_ver < ssl->conf->min_major_ver ||
-        ssl->minor_ver < ssl->conf->min_minor_ver ||
-        ssl->major_ver > ssl->conf->max_major_ver ||
-        ssl->minor_ver > ssl->conf->max_minor_ver )
+    if( ( ( ssl->major_ver << 8 ) | ssl->minor_ver )
+          < ssl->conf->min_tls_version ||
+        ( ( ssl->major_ver << 8 ) | ssl->minor_ver )
+          > ssl->conf->max_tls_version )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1,
-            ( "server version out of bounds -  min: [%d:%d], server: [%d:%d], max: [%d:%d]",
-              ssl->conf->min_major_ver,
-              ssl->conf->min_minor_ver,
-              ssl->major_ver, ssl->minor_ver,
-              ssl->conf->max_major_ver,
-              ssl->conf->max_minor_ver ) );
+            ( "server version out of bounds -  min: [0x%x], server: [0x%x], max: [0x%x]",
+              (unsigned)ssl->conf->min_tls_version,
+              (unsigned)( ( ssl->major_ver << 8 ) | ssl->minor_ver ),
+              (unsigned)ssl->conf->max_tls_version ) );
 
         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
                                      MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );