Merge remote-tracking branch 'origin/pr/602' into baremetal
diff --git a/configs/baremetal.h b/configs/baremetal.h
index 89f3771..a88f8ac 100644
--- a/configs/baremetal.h
+++ b/configs/baremetal.h
@@ -104,6 +104,10 @@
#define MBEDTLS_SSL_CONF_SEND mbedtls_net_send
#define MBEDTLS_SSL_CONF_RECV_TIMEOUT mbedtls_net_recv_timeout
#define MBEDTLS_SSL_CONF_RNG mbedtls_hmac_drbg_random
+#define MBEDTLS_SSL_CONF_MIN_MINOR_VER MBEDTLS_SSL_MINOR_VERSION_3
+#define MBEDTLS_SSL_CONF_MAX_MINOR_VER MBEDTLS_SSL_MINOR_VERSION_3
+#define MBEDTLS_SSL_CONF_MIN_MAJOR_VER MBEDTLS_SSL_MAJOR_VERSION_3
+#define MBEDTLS_SSL_CONF_MAX_MAJOR_VER MBEDTLS_SSL_MAJOR_VERSION_3
#define MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET \
MBEDTLS_SSL_EXTENDED_MS_ENABLED
#define MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET \
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 509cfa4..93831b7 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -620,6 +620,18 @@
#error "MBEDTLS_SSL_DTLS_ANTI_REPLAY defined, but not all prerequisites"
#endif
+#if defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || \
+ defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || \
+ defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) || \
+ defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
+#if !( defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) && \
+ defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) && \
+ defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) && \
+ defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER) )
+#error "MBEDTLS_SSL_CONF_MIN_MINOR_VER, MBEDTLS_SSL_CONF_MAX_MINOR_VER, MBEDTLS_SSL_CONF_MIN_MAJOR_VER, MBEDTLS_SSL_CONF_MAX_MAJOR_VER must be defined simultaneously"
+#endif
+#endif
+
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
#error "MBEDTLS_SSL_DTLS_CONNECTION_ID defined, but not all prerequisites"
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 4d3ccb9..5b17238 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -3636,6 +3636,12 @@
*/
//#define MBEDTLS_SSL_CONF_RNG mbedtls_ctr_drbg_random
+/* TLS version */
+//#define MBEDTLS_SSL_CONF_MIN_MINOR_VER MBEDTLS_SSL_MINOR_VERSION_3
+//#define MBEDTLS_SSL_CONF_MAX_MINOR_VER MBEDTLS_SSL_MINOR_VERSION_3
+//#define MBEDTLS_SSL_CONF_MIN_MAJOR_VER MBEDTLS_SSL_MAJOR_VERSION_3
+//#define MBEDTLS_SSL_CONF_MAX_MAJOR_VER MBEDTLS_SSL_MAJOR_VERSION_3
+
/* ExtendedMasterSecret extension
* The following two options must be set/unset simultaneously. */
//#define MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET MBEDTLS_SSL_EXTENDED_MS_ENABLED
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 9937b30..0f9ab0e 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -63,6 +63,18 @@
#include "platform_time.h"
#endif
+#if defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER) && \
+ defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) && \
+ ( MBEDTLS_SSL_CONF_MAX_MAJOR_VER == MBEDTLS_SSL_CONF_MIN_MAJOR_VER )
+#define MBEDTLS_SSL_CONF_FIXED_MAJOR_VER MBEDTLS_SSL_CONF_MIN_MAJOR_VER
+#endif
+
+#if defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) && \
+ defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) && \
+ ( MBEDTLS_SSL_CONF_MAX_MINOR_VER == MBEDTLS_SSL_CONF_MIN_MINOR_VER )
+#define MBEDTLS_SSL_CONF_FIXED_MINOR_VER MBEDTLS_SSL_CONF_MIN_MINOR_VER
+#endif
+
/*
* SSL Error codes
*/
@@ -1134,10 +1146,18 @@
unsigned int dhm_min_bitlen; /*!< min. bit length of the DHM prime */
#endif
+#if !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
unsigned char max_major_ver; /*!< max. major version used */
+#endif /* !MBEDTLS_SSL_CONF_MAX_MAJOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER)
unsigned char max_minor_ver; /*!< max. minor version used */
+#endif /* !MBEDTLS_SSL_CONF_MAX_MINOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
unsigned char min_major_ver; /*!< min. major version used */
+#endif /* !MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER)
unsigned char min_minor_ver; /*!< min. minor version used */
+#endif /* !MBEDTLS_SSL_CONF_MIN_MINOR_VER */
/*
* Flags (bitfields)
@@ -1223,8 +1243,12 @@
renego_max_records is < 0 */
#endif /* MBEDTLS_SSL_RENEGOTIATION */
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MAJOR_VER)
int major_ver; /*!< equal to MBEDTLS_SSL_MAJOR_VERSION_3 */
+#endif /* !MBEDTLS_SSL_CONF_FIXED_MAJOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
int minor_ver; /*!< either 0 (SSL3) or 1 (TLS1.0) */
+#endif /* !MBEDTLS_SSL_CONF_FIXED_MINOR_VER */
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
unsigned badmac_seen; /*!< records with a bad MAC received */
@@ -2993,6 +3017,8 @@
const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl );
#endif /* MBEDTLS_SSL_ALPN */
+#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
/**
* \brief Set the maximum supported version sent from the client side
* and/or accepted at the server side
@@ -3003,6 +3029,11 @@
* \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and
* MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
*
+ * \note On constrained systems, the maximum major/minor version can
+ * also be configured at compile-time by setting
+ * MBEDTLS_SSL_CONF_MAX_MAJOR_VER and
+ * MBEDTLS_SSL_CONF_MAX_MINOR_VER.
+ *
* \param conf SSL configuration
* \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported)
* \param minor Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
@@ -3010,7 +3041,11 @@
* MBEDTLS_SSL_MINOR_VERSION_3 supported)
*/
void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor );
+#endif /* MBEDTLS_SSL_CONF_MAX_MINOR_VER ||
+ MBEDTLS_SSL_CONF_MAX_MAJOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
/**
* \brief Set the minimum accepted SSL/TLS protocol version
* (Default: TLS 1.0)
@@ -3023,6 +3058,11 @@
* \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and
* MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
*
+ * \note On constrained systems, the minimum major/minor version can
+ * also be configured at compile-time by setting
+ * MBEDTLS_SSL_CONF_MIN_MAJOR_VER and
+ * MBEDTLS_SSL_CONF_MIN_MINOR_VER.
+ *
* \param conf SSL configuration
* \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported)
* \param minor Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
@@ -3030,6 +3070,8 @@
* MBEDTLS_SSL_MINOR_VERSION_3 supported)
*/
void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor );
+#endif /* MBEDTLS_SSL_CONF_MIN_MINOR_VER ||
+ MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
/**
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 91d52e7..40391d5 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -514,8 +514,14 @@
#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
int resume; /*!< session resume indicator*/
#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */
+
+#if defined(MBEDTLS_SSL_SRV_C) && \
+ ( defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED ) )
int max_major_ver; /*!< max. major version client*/
int max_minor_ver; /*!< max. minor version client*/
+#endif /* MBEDTLS_SSL_SRV_C && ( MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED ) */
int cli_exts; /*!< client extension presence*/
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
@@ -703,7 +709,10 @@
mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
+
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
int minor_ver;
+#endif
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
uint8_t in_cid_len;
@@ -721,6 +730,16 @@
#endif
};
+static inline int mbedtls_ssl_transform_get_minor_ver( mbedtls_ssl_transform const *transform )
+{
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
+ return( transform->minor_ver );
+#else
+ ((void) transform);
+ return( MBEDTLS_SSL_CONF_FIXED_MINOR_VER );
+#endif
+}
+
/*
* Internal representation of record frames
*
@@ -960,6 +979,26 @@
mbedtls_md_type_t md );
#endif
+static inline int mbedtls_ssl_get_minor_ver( mbedtls_ssl_context const *ssl )
+{
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
+ return( ssl->minor_ver );
+#else /* !MBEDTLS_SSL_CONF_FIXED_MINOR_VER */
+ ((void) ssl);
+ return( MBEDTLS_SSL_CONF_FIXED_MINOR_VER );
+#endif /* MBEDTLS_SSL_CONF_FIXED_MINOR_VER */
+}
+
+static inline int mbedtls_ssl_get_major_ver( mbedtls_ssl_context const *ssl )
+{
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MAJOR_VER)
+ return( ssl->major_ver );
+#else /* !MBEDTLS_SSL_CONF_FIXED_MAJOR_VER */
+ ((void) ssl);
+ return( MBEDTLS_SSL_CONF_FIXED_MAJOR_VER );
+#endif /* MBEDTLS_SSL_CONF_FIXED_MAJOR_VER */
+}
+
#if defined(MBEDTLS_X509_CRT_PARSE_C)
static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
{
@@ -1000,11 +1039,6 @@
uint32_t *flags );
#endif /* MBEDTLS_X509_CRT_PARSE_C */
-void mbedtls_ssl_write_version( int major, int minor, int transport,
- unsigned char ver[2] );
-void mbedtls_ssl_read_version( int *major, int *minor, int transport,
- const unsigned char ver[2] );
-
static inline size_t mbedtls_ssl_in_hdr_len( const mbedtls_ssl_context *ssl )
{
return( (size_t) ( ssl->in_iv - ssl->in_hdr ) );
@@ -1084,6 +1118,69 @@
#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
MBEDTLS_SSL_PROTO_TLS1_2 */
+/*
+ * Convert version numbers to/from wire format
+ * and, for DTLS, to/from TLS equivalent.
+ *
+ * For TLS this is the identity.
+ * For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
+ * 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1)
+ * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
+ */
+static inline void mbedtls_ssl_write_version( int major, int minor,
+ int transport,
+ unsigned char ver[2] )
+{
+#if !defined(MBEDTLS_SSL_TRANSPORT__BOTH)
+ ((void) transport);
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) )
+ {
+ if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
+ --minor; /* DTLS 1.0 stored as TLS 1.1 internally */
+
+ ver[0] = (unsigned char)( 255 - ( major - 2 ) );
+ ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
+ }
+ MBEDTLS_SSL_TRANSPORT_ELSE
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS)
+ {
+ ver[0] = (unsigned char) major;
+ ver[1] = (unsigned char) minor;
+ }
+#endif
+}
+
+static inline void mbedtls_ssl_read_version( int *major, int *minor,
+ int transport,
+ const unsigned char ver[2] )
+{
+#if !defined(MBEDTLS_SSL_TRANSPORT__BOTH)
+ ((void) transport);
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) )
+ {
+ *major = 255 - ver[0] + 2;
+ *minor = 255 - ver[1] + 1;
+
+ if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
+ ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */
+ }
+ MBEDTLS_SSL_TRANSPORT_ELSE
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+#if defined(MBEDTLS_SSL_PROTO_TLS)
+ {
+ *major = ver[0];
+ *minor = ver[1];
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS */
+}
+
#ifdef __cplusplus
}
#endif
@@ -1423,6 +1520,50 @@
}
#endif /* MBEDTLS_SSL_CONF_RNG */
+static inline int mbedtls_ssl_conf_get_max_major_ver(
+ mbedtls_ssl_config const *conf )
+{
+#if !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
+ return( conf->max_major_ver );
+#else
+ ((void) conf);
+ return( MBEDTLS_SSL_CONF_MAX_MAJOR_VER );
+#endif /* MBEDTLS_SSL_CONF_MAX_MAJOR_VER */
+}
+
+static inline int mbedtls_ssl_conf_get_min_major_ver(
+ mbedtls_ssl_config const *conf )
+{
+#if !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
+ return( conf->min_major_ver );
+#else /* !MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
+ ((void) conf);
+ return( MBEDTLS_SSL_CONF_MIN_MAJOR_VER );
+#endif /* MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
+}
+
+static inline int mbedtls_ssl_conf_get_max_minor_ver(
+ mbedtls_ssl_config const *conf )
+{
+#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER)
+ return( conf->max_minor_ver );
+#else /* !MBEDTLS_SSL_CONF_MAX_MINOR_VER */
+ ((void) conf);
+ return( MBEDTLS_SSL_CONF_MAX_MINOR_VER );
+#endif /* MBEDTLS_SSL_CONF_MAX_MINOR_VER */
+}
+
+static inline int mbedtls_ssl_conf_get_min_minor_ver(
+ mbedtls_ssl_config const *conf )
+{
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER)
+ return( conf->min_minor_ver );
+#else /* !MBEDTLS_SSL_CONF_MIN_MINOR_VER */
+ ((void) conf);
+ return( MBEDTLS_SSL_CONF_MIN_MINOR_VER );
+#endif /* MBEDTLS_SSL_CONF_MIN_MINOR_VER */
+}
+
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
static inline unsigned int mbedtls_ssl_conf_get_ems(
mbedtls_ssl_config const *conf )
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 736d9d9..b0c0403 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -180,8 +180,11 @@
*olen = 0;
- if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+ if( mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) !=
+ MBEDTLS_SSL_MINOR_VERSION_3 )
+ {
return;
+ }
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
@@ -537,7 +540,8 @@
*olen = 0;
if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
- ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+ mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ==
+ MBEDTLS_SSL_MINOR_VERSION_0 )
{
return;
}
@@ -572,7 +576,8 @@
if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
- ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+ mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ==
+ MBEDTLS_SSL_MINOR_VERSION_0 )
{
return;
}
@@ -767,7 +772,6 @@
if( suite_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
return( 1 );
-
if( mbedtls_ssl_suite_get_min_minor_ver( suite_info ) > max_minor_ver ||
mbedtls_ssl_suite_get_max_minor_ver( suite_info ) < min_minor_ver )
{
@@ -825,11 +829,15 @@
if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE )
{
- ssl->major_ver = ssl->conf->min_major_ver;
- ssl->minor_ver = ssl->conf->min_minor_ver;
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MAJOR_VER)
+ ssl->major_ver = mbedtls_ssl_conf_get_min_major_ver( ssl->conf );
+#endif /* !MBEDTLS_SSL_CONF_FIXED_MAJOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
+ ssl->minor_ver = mbedtls_ssl_conf_get_min_minor_ver( ssl->conf );
+#endif /* !MBEDTLS_SSL_CONF_FIXED_MINOR_VER */
}
- if( ssl->conf->max_major_ver == 0 )
+ if( mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) == 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
"consider using mbedtls_ssl_config_defaults()" ) );
@@ -846,8 +854,9 @@
buf = ssl->out_msg;
p = buf + 4;
- mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
- ssl->conf->transport, p );
+ mbedtls_ssl_write_version( mbedtls_ssl_conf_get_max_major_ver( ssl->conf ),
+ mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ),
+ ssl->conf->transport, p );
p += 2;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
@@ -960,8 +969,8 @@
ciphersuite_info )
{
if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
- ssl->conf->min_minor_ver,
- ssl->conf->max_minor_ver ) != 0 )
+ mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ),
+ mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) != 0 )
{
continue;
}
@@ -1307,7 +1316,7 @@
size_t len )
{
if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
- ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
+ mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 ||
len != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) );
@@ -1331,7 +1340,7 @@
{
if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
- ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
+ mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 ||
len != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) );
@@ -1542,8 +1551,8 @@
*/
if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
- major_ver > ssl->conf->max_major_ver ||
- minor_ver > ssl->conf->max_minor_ver )
+ major_ver > mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) ||
+ minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
@@ -1690,25 +1699,40 @@
*/
buf += mbedtls_ssl_hs_hdr_len( ssl );
- MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
- mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
- ssl->conf->transport, buf + 0 );
-
- if( ssl->major_ver < ssl->conf->min_major_ver ||
- ssl->minor_ver < ssl->conf->min_minor_ver ||
- ssl->major_ver > ssl->conf->max_major_ver ||
- ssl->minor_ver > ssl->conf->max_minor_ver )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
- " min: [%d:%d], server: [%d:%d], max: [%d:%d]",
- ssl->conf->min_major_ver, ssl->conf->min_minor_ver,
- ssl->major_ver, ssl->minor_ver,
- ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
+ int major_ver, minor_ver;
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
+ MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
+ mbedtls_ssl_read_version( &major_ver, &minor_ver,
+ ssl->conf->transport,
+ buf + 0 );
- return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
+ if( major_ver < mbedtls_ssl_conf_get_min_major_ver( ssl->conf ) ||
+ minor_ver < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ||
+ major_ver > mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) ||
+ minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
+ " min: [%d:%d], server: [%d:%d], max: [%d:%d]",
+ mbedtls_ssl_conf_get_min_major_ver( ssl->conf ),
+ mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ),
+ major_ver, minor_ver,
+ mbedtls_ssl_conf_get_max_major_ver( ssl->conf ),
+ mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) );
+
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
+
+ return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
+ }
+
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
+ ssl->minor_ver = minor_ver;
+#endif /* !MBEDTLS_SSL_CONF_FIXED_MINOR_VER */
+
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MAJOR_VER)
+ ssl->major_ver = major_ver;
+#endif /* !MBEDTLS_SSL_CONF_FIXED_MAJOR_VER */
}
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
@@ -1865,8 +1889,8 @@
ciphersuite_info )
{
if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
- ssl->conf->min_minor_ver,
- ssl->conf->max_minor_ver ) != 0 )
+ mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ),
+ mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) != 0 )
{
continue;
}
@@ -1893,7 +1917,7 @@
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
if( mbedtls_ssl_suite_get_key_exchange( server_suite_info ) ==
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
- ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+ mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
{
ssl->handshake->ecrs_enabled = 1;
}
@@ -1907,14 +1931,15 @@
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
ssl->session_negotiate->compression = comp;
ext = buf + 40 + n;
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d",
+ ext_len ) );
while( ext_len )
{
@@ -1927,7 +1952,7 @@
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
@@ -2322,7 +2347,7 @@
size_t pms_offset )
{
int ret;
- size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
+ size_t len_bytes = mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
unsigned char *p = ssl->handshake->premaster + pms_offset;
mbedtls_pk_context *peer_pk = NULL;
@@ -2339,8 +2364,9 @@
* opaque random[46];
* } PreMasterSecret;
*/
- mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
- ssl->conf->transport, p );
+ mbedtls_ssl_write_version( mbedtls_ssl_conf_get_max_major_ver( ssl->conf ),
+ mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ),
+ ssl->conf->transport, p );
if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf )
( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
@@ -2438,7 +2464,7 @@
*pk_alg = MBEDTLS_PK_NONE;
/* Only in TLS 1.2 */
- if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+ if( mbedtls_ssl_get_minor_ver( ssl ) != MBEDTLS_SSL_MINOR_VERSION_3 )
{
return( 0 );
}
@@ -2765,7 +2791,7 @@
* Handle the digitally-signed structure
*/
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+ if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
{
if( ssl_parse_signature_algorithm( ssl, &p, end,
&md_alg, &pk_alg ) != 0 )
@@ -2788,7 +2814,7 @@
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_1)
- if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
+ if( mbedtls_ssl_get_minor_ver( ssl ) < MBEDTLS_SSL_MINOR_VERSION_3 )
{
pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
@@ -3060,7 +3086,7 @@
/* supported_signature_algorithms */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+ if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
{
size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
| ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
@@ -3553,7 +3579,7 @@
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_1)
- if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+ if( mbedtls_ssl_get_minor_ver( ssl ) != MBEDTLS_SSL_MINOR_VERSION_3 )
{
/*
* digitally-signed struct {
@@ -3583,7 +3609,7 @@
#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
MBEDTLS_SSL_PROTO_TLS1_1 */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+ if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
{
/*
* digitally-signed struct {
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 39ce374..3744cf6 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -525,7 +525,7 @@
((void) buf);
if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
- ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
+ mbedtls_ssl_get_minor_ver( ssl ) != MBEDTLS_SSL_MINOR_VERSION_0 )
{
ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
}
@@ -867,7 +867,7 @@
* present them a SHA-higher cert rather than failing if it's the only
* one we got that satisfies the other conditions.
*/
- if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
+ if( mbedtls_ssl_get_minor_ver( ssl ) < MBEDTLS_SSL_MINOR_VERSION_3 )
{
mbedtls_md_type_t sig_md;
{
@@ -934,8 +934,10 @@
MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s",
mbedtls_ssl_suite_get_name( suite_info ) ) );
- if( mbedtls_ssl_suite_get_min_minor_ver( suite_info ) > ssl->minor_ver ||
- mbedtls_ssl_suite_get_max_minor_ver( suite_info ) < ssl->minor_ver )
+ if( mbedtls_ssl_suite_get_min_minor_ver( suite_info )
+ > mbedtls_ssl_get_minor_ver( ssl ) ||
+ mbedtls_ssl_suite_get_max_minor_ver( suite_info )
+ < mbedtls_ssl_get_minor_ver( ssl ) )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
return( 0 );
@@ -997,7 +999,7 @@
defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
/* If the ciphersuite requires signing, check whether
* a suitable hash algorithm is present. */
- if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+ if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
{
sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
if( sig_type != MBEDTLS_PK_NONE &&
@@ -1097,23 +1099,30 @@
}
ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
- ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver )
- ? buf[4] : ssl->conf->max_minor_ver;
+ ssl->minor_ver =
+ ( buf[4] <= mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
+ ? buf[4] : mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );
- if( ssl->minor_ver < ssl->conf->min_minor_ver )
+ if( mbedtls_ssl_get_minor_ver( ssl ) < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
" [%d:%d] < [%d:%d]",
- ssl->major_ver, ssl->minor_ver,
- ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
+ mbedtls_ssl_get_major_ver( ssl ),
+ mbedtls_ssl_get_minor_ver( ssl ),
+ mbedtls_ssl_conf_get_min_major_ver( ssl->conf ),
+ mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
}
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
ssl->handshake->max_major_ver = buf[3];
ssl->handshake->max_minor_ver = buf[4];
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 )
{
@@ -1220,7 +1229,8 @@
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
- if( ssl->minor_ver < ssl->conf->max_minor_ver )
+ if( mbedtls_ssl_get_minor_ver( ssl ) <
+ mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
@@ -1621,31 +1631,47 @@
*/
MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
- mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
- ssl->conf->transport, buf );
-
- ssl->handshake->max_major_ver = ssl->major_ver;
- ssl->handshake->max_minor_ver = ssl->minor_ver;
-
- if( ssl->major_ver < ssl->conf->min_major_ver ||
- ssl->minor_ver < ssl->conf->min_minor_ver )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
+ int minor_ver, major_ver;
+ mbedtls_ssl_read_version( &major_ver, &minor_ver,
+ ssl->conf->transport,
+ buf );
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+ ssl->handshake->max_major_ver = major_ver;
+ ssl->handshake->max_minor_ver = minor_ver;
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+
+ if( major_ver < mbedtls_ssl_conf_get_min_major_ver( ssl->conf ) ||
+ minor_ver < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
" [%d:%d] < [%d:%d]",
- ssl->major_ver, ssl->minor_ver,
- ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
- return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
- }
+ major_ver, minor_ver,
+ mbedtls_ssl_conf_get_min_major_ver( ssl->conf ),
+ mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ) );
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
+ return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
+ }
- if( ssl->major_ver > ssl->conf->max_major_ver )
- {
- ssl->major_ver = ssl->conf->max_major_ver;
- ssl->minor_ver = ssl->conf->max_minor_ver;
+ if( major_ver > mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) )
+ {
+ major_ver = mbedtls_ssl_conf_get_max_major_ver( ssl->conf );
+ minor_ver = mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );
+ }
+ else if( minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
+ minor_ver = mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );
+
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MAJOR_VER)
+ ssl->major_ver = major_ver;
+#endif /* MBEDTLS_SSL_CONF_FIXED_MAJOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
+ ssl->minor_ver = minor_ver;
+#endif /* MBEDTLS_SSL_CONF_FIXED_MINOR_VER */
}
- else if( ssl->minor_ver > ssl->conf->max_minor_ver )
- ssl->minor_ver = ssl->conf->max_minor_ver;
/*
* Save client random (inc. Unix time)
@@ -1796,7 +1822,8 @@
/* Do not parse the extensions if the protocol is SSLv3 */
#if defined(MBEDTLS_SSL_PROTO_SSL3)
- if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
+ if( ( mbedtls_ssl_get_major_ver( ssl ) != 3 ) ||
+ ( mbedtls_ssl_get_minor_ver( ssl ) != 0 ) )
{
#endif
/*
@@ -2023,7 +2050,8 @@
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
- if( ssl->minor_ver < ssl->conf->max_minor_ver )
+ if( mbedtls_ssl_get_minor_ver( ssl ) <
+ mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
@@ -2236,7 +2264,7 @@
#if defined(MBEDTLS_DEBUG_C) && \
defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
- if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+ if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
{
mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) );
@@ -2344,7 +2372,7 @@
const mbedtls_cipher_info_t *cipher = NULL;
if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
- ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+ mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
{
*olen = 0;
return;
@@ -2394,7 +2422,7 @@
if( mbedtls_ssl_hs_get_extended_ms( ssl->handshake )
== MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
- ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+ mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
{
*olen = 0;
return;
@@ -2638,8 +2666,9 @@
/* The RFC is not clear on this point, but sending the actual negotiated
* version looks like the most interoperable thing to do. */
- mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
- ssl->conf->transport, p );
+ mbedtls_ssl_write_version( mbedtls_ssl_get_major_ver( ssl ),
+ mbedtls_ssl_get_minor_ver( ssl ),
+ ssl->conf->transport, p );
MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
p += 2;
@@ -2731,8 +2760,9 @@
buf = ssl->out_msg;
p = buf + 4;
- mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
- ssl->conf->transport, p );
+ mbedtls_ssl_write_version( mbedtls_ssl_get_major_ver( ssl ),
+ mbedtls_ssl_get_minor_ver( ssl ),
+ ssl->conf->transport, p );
p += 2;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
@@ -2860,7 +2890,7 @@
/* Do not write the extensions if the protocol is SSLv3 */
#if defined(MBEDTLS_SSL_PROTO_SSL3)
- if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
+ if( ( mbedtls_ssl_get_major_ver( ssl ) != 3 ) || ( mbedtls_ssl_get_minor_ver( ssl ) != 0 ) )
{
#endif
@@ -3042,7 +3072,7 @@
* enum { (255) } HashAlgorithm;
* enum { (255) } SignatureAlgorithm;
*/
- if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+ if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
{
const int *cur;
@@ -3401,7 +3431,7 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_pk_type_t sig_alg =
mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
- if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+ if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
{
/* A: For TLS 1.2, obey signature-hash-algorithm extension
* (RFC 5246, Sec. 7.4.1.4.1). */
@@ -3477,7 +3507,7 @@
* 2.3: Compute and add the signature
*/
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+ if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
{
/*
* For TLS 1.2, we need to specify signature and hash algorithm
@@ -3781,7 +3811,7 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SSL_PROTO_SSL3)
- if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
+ if( mbedtls_ssl_get_minor_ver( ssl ) != MBEDTLS_SSL_MINOR_VERSION_0 )
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
{
if( len < 2 )
@@ -4401,7 +4431,7 @@
*/
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_1)
- if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+ if( mbedtls_ssl_get_minor_ver( ssl ) != MBEDTLS_SSL_MINOR_VERSION_3 )
{
md_alg = MBEDTLS_MD_NONE;
hashlen = 36;
@@ -4418,7 +4448,7 @@
#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
MBEDTLS_SSL_PROTO_TLS1_1 */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+ if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
{
if( i + 2 > ssl->in_hslen )
{
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 5b67d62..0b1ebdd 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -817,7 +817,12 @@
defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
transform->encrypt_then_mac = encrypt_then_mac;
#endif
+
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
transform->minor_ver = minor_ver;
+#else
+ ((void) minor_ver);
+#endif /* !MBEDTLS_SSL_CONF_FIXED_MINOR_VER */
/*
* Get various info structures
@@ -1347,7 +1352,7 @@
/* Set PRF, calc_verify and calc_finished function pointers */
ret = ssl_set_handshake_prfs( ssl->handshake,
- ssl->minor_ver,
+ mbedtls_ssl_get_minor_ver( ssl ),
mbedtls_ssl_suite_get_mac( ciphersuite_info ) );
if( ret != 0 )
{
@@ -1393,7 +1398,7 @@
#endif
ssl->handshake->tls_prf,
ssl->handshake->randbytes,
- ssl->minor_ver,
+ mbedtls_ssl_get_minor_ver( ssl ),
mbedtls_ssl_conf_get_endpoint( ssl->conf ),
ssl );
if( ret != 0 )
@@ -1994,7 +1999,8 @@
}
#if defined(MBEDTLS_SSL_PROTO_SSL3)
- if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+ if( mbedtls_ssl_transform_get_minor_ver( transform ) ==
+ MBEDTLS_SSL_MINOR_VERSION_0 )
{
unsigned char mac[SSL_MAC_MAX_BYTES];
ssl_mac( &transform->md_ctx_enc, transform->mac_enc,
@@ -2005,7 +2011,8 @@
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
+ if( mbedtls_ssl_transform_get_minor_ver( transform ) >=
+ MBEDTLS_SSL_MINOR_VERSION_1 )
{
unsigned char mac[MBEDTLS_SSL_MAC_ADD];
@@ -2184,7 +2191,8 @@
* Prepend per-record IV for block cipher in TLS v1.1 and up as per
* Method 1 (6.2.3.2. in RFC4346 and RFC5246)
*/
- if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+ if( mbedtls_ssl_transform_get_minor_ver( transform ) >=
+ MBEDTLS_SSL_MINOR_VERSION_2 )
{
if( f_rng == NULL )
{
@@ -2233,7 +2241,8 @@
}
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
- if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
+ if( mbedtls_ssl_transform_get_minor_ver( transform ) <
+ MBEDTLS_SSL_MINOR_VERSION_2 )
{
/*
* Save IV in SSL3 and TLS1
@@ -2482,7 +2491,8 @@
* Check immediate ciphertext sanity
*/
#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+ if( mbedtls_ssl_transform_get_minor_ver( transform ) >=
+ MBEDTLS_SSL_MINOR_VERSION_2 )
{
/* The ciphertext is prefixed with the CBC IV. */
minlen += transform->ivlen;
@@ -2573,7 +2583,8 @@
/*
* Initialize for prepended IV for block cipher in TLS v1.1 and up
*/
- if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+ if( mbedtls_ssl_transform_get_minor_ver( transform ) >=
+ MBEDTLS_SSL_MINOR_VERSION_2 )
{
/* This is safe because data_len >= minlen + maclen + 1 initially,
* and at this point we have at most subtracted maclen (note that
@@ -2601,7 +2612,8 @@
}
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
- if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
+ if( mbedtls_ssl_transform_get_minor_ver( transform ) <
+ MBEDTLS_SSL_MINOR_VERSION_2 )
{
/*
* Save IV in SSL3 and TLS1
@@ -2643,7 +2655,8 @@
* we have data_len >= padlen here. */
#if defined(MBEDTLS_SSL_PROTO_SSL3)
- if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+ if( mbedtls_ssl_transform_get_minor_ver( transform ) ==
+ MBEDTLS_SSL_MINOR_VERSION_0 )
{
if( padlen > transform->ivlen )
{
@@ -2659,7 +2672,8 @@
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if( transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
+ if( mbedtls_ssl_transform_get_minor_ver( transform ) >
+ MBEDTLS_SSL_MINOR_VERSION_0 )
{
/* The padding check involves a series of up to 256
* consecutive memory reads at the end of the record
@@ -2745,7 +2759,8 @@
ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
#if defined(MBEDTLS_SSL_PROTO_SSL3)
- if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+ if( mbedtls_ssl_transform_get_minor_ver( transform ) ==
+ MBEDTLS_SSL_MINOR_VERSION_0 )
{
ssl_mac( &transform->md_ctx_dec,
transform->mac_dec,
@@ -2757,7 +2772,8 @@
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if( transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
+ if( mbedtls_ssl_transform_get_minor_ver( transform ) >
+ MBEDTLS_SSL_MINOR_VERSION_0 )
{
/*
* Process MAC and always update for padlen afterwards to make
@@ -3736,7 +3752,7 @@
{
/* In SSLv3, the client might send a NoCertificate alert. */
#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
- if( ! ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
+ if( ! ( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 &&
ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT &&
mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_CLIENT ) )
@@ -3926,8 +3942,9 @@
/* Skip writing the record content type to after the encryption,
* as it may change when using the CID extension. */
- mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
- ssl->conf->transport, ssl->out_hdr + 1 );
+ mbedtls_ssl_write_version( mbedtls_ssl_get_major_ver( ssl ),
+ mbedtls_ssl_get_minor_ver( ssl ),
+ ssl->conf->transport, ssl->out_hdr + 1 );
memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 );
ssl->out_len[0] = (unsigned char)( len >> 8 );
@@ -3944,7 +3961,8 @@
rec.data_offset = ssl->out_msg - rec.buf;
memcpy( &rec.ctr[0], ssl->out_ctr, 8 );
- mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
+ mbedtls_ssl_write_version( mbedtls_ssl_get_major_ver( ssl ),
+ mbedtls_ssl_get_minor_ver( ssl ),
ssl->conf->transport, rec.ver );
rec.type = ssl->out_msgtype;
@@ -4699,13 +4717,13 @@
}
/* Check version */
- if( major_ver != ssl->major_ver )
+ if( major_ver != mbedtls_ssl_get_major_ver( ssl ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
}
- if( minor_ver > ssl->conf->max_minor_ver )
+ if( minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
@@ -4830,7 +4848,7 @@
}
#if defined(MBEDTLS_SSL_PROTO_SSL3)
- if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
+ if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 &&
ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_IN_CONTENT_LEN )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
@@ -4842,7 +4860,7 @@
/*
* TLS encrypted messages can have up to 256 bytes of padding
*/
- if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&
+ if( mbedtls_ssl_get_minor_ver( ssl ) >= MBEDTLS_SSL_MINOR_VERSION_1 &&
ssl->in_msglen > ssl->transform_in->minlen +
MBEDTLS_SSL_IN_CONTENT_LEN + 256 )
{
@@ -4896,7 +4914,8 @@
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
memcpy( &rec.ctr[0], ssl->in_ctr, 8 );
- mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
+ mbedtls_ssl_write_version( mbedtls_ssl_get_major_ver( ssl ),
+ mbedtls_ssl_get_minor_ver( ssl ),
ssl->conf->transport, rec.ver );
rec.type = ssl->in_msgtype;
if( ( ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in,
@@ -4962,7 +4981,7 @@
else if( ssl->in_msglen == 0 )
{
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3
+ if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3
&& ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
{
/* TLS v1.2 explicitly disallows zero-length messages which are not application data */
@@ -5955,7 +5974,7 @@
#endif
#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
- if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
+ if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 &&
mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_SERVER &&
ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
@@ -6143,7 +6162,7 @@
* (otherwise an empty Certificate message will be sent).
*/
if( mbedtls_ssl_own_cert( ssl ) == NULL &&
- ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+ mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
{
ssl->out_msglen = 2;
ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
@@ -6435,7 +6454,7 @@
/*
* Check if the client sent an empty certificate
*/
- if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+ if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
{
if( ssl->in_msglen == 2 &&
ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT &&
@@ -6987,7 +7006,7 @@
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_1)
- if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
+ if( mbedtls_ssl_get_minor_ver( ssl ) < MBEDTLS_SSL_MINOR_VERSION_3 )
ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
else
#endif
@@ -7420,7 +7439,7 @@
* ciphersuite does this (and this is unlikely to change as activity has
* moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
*/
- hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
+ hash_len = ( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
#if defined(MBEDTLS_SSL_RENEGOTIATION)
ssl->verify_data_len = hash_len;
@@ -7567,7 +7586,7 @@
/* There is currently no ciphersuite using another length with TLS 1.2 */
#if defined(MBEDTLS_SSL_PROTO_SSL3)
- if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+ if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
hash_len = 36;
else
#endif
@@ -7835,7 +7854,7 @@
/* Adjust out_msg to make space for explicit IV, if used. */
if( transform != NULL &&
- ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+ mbedtls_ssl_get_minor_ver( ssl ) >= MBEDTLS_SSL_MINOR_VERSION_2 )
{
ssl->out_msg = ssl->out_iv + transform->ivlen - transform->fixed_ivlen;
}
@@ -8717,17 +8736,27 @@
}
#endif /* MBEDTLS_SSL_ALPN */
-void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
+#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
+void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf,
+ int major, int minor )
{
conf->max_major_ver = major;
conf->max_minor_ver = minor;
}
+#endif /* MBEDTLS_SSL_CONF_MAX_MINOR_VER ||
+ MBEDTLS_SSL_CONF_MAX_MAJOR_VER */
-void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
+void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf,
+ int major, int minor )
{
conf->min_major_ver = major;
conf->min_minor_ver = minor;
}
+#endif /* MBEDTLS_SSL_CONF_MIN_MINOR_VER ||
+ MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback )
@@ -8986,7 +9015,7 @@
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{
- switch( ssl->minor_ver )
+ switch( mbedtls_ssl_get_minor_ver( ssl ) )
{
case MBEDTLS_SSL_MINOR_VERSION_2:
return( "DTLSv1.0" );
@@ -9002,7 +9031,7 @@
#endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_PROTO_TLS)
{
- switch( ssl->minor_ver )
+ switch( mbedtls_ssl_get_minor_ver( ssl ) )
{
case MBEDTLS_SSL_MINOR_VERSION_0:
return( "SSLv3.0" );
@@ -9064,7 +9093,7 @@
/* For TLS 1.1 or higher, an explicit IV is added
* after the record header. */
#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+ if( mbedtls_ssl_get_minor_ver( ssl ) >= MBEDTLS_SSL_MINOR_VERSION_2 )
transform_expansion += block_size;
#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
@@ -10188,7 +10217,7 @@
MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
#if defined(MBEDTLS_SSL_PROTO_SSL3)
- if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+ if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
{
/* SSLv3 does not have a "no_renegotiation" warning, so
we send a fatal alert and abort the connection. */
@@ -10200,7 +10229,7 @@
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
+ if( mbedtls_ssl_get_minor_ver( ssl ) >= MBEDTLS_SSL_MINOR_VERSION_1 )
{
if( ( ret = mbedtls_ssl_send_alert_message( ssl,
MBEDTLS_SSL_ALERT_LEVEL_WARNING,
@@ -10409,7 +10438,7 @@
if( ssl->conf->cbc_record_splitting ==
MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
len <= 1 ||
- ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 ||
+ mbedtls_ssl_get_minor_ver( ssl ) > MBEDTLS_SSL_MINOR_VERSION_1 ||
mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
!= MBEDTLS_MODE_CBC )
{
@@ -10963,10 +10992,18 @@
* NSA Suite B
*/
case MBEDTLS_SSL_PRESET_SUITEB:
+#if !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
+#endif /* !MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER)
conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
+#endif /* !MBEDTLS_SSL_CONF_MIN_MINOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
+#endif /* !MBEDTLS_SSL_CONF_MAX_MAJOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER)
conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
+#endif /* !MBEDTLS_SSL_CONF_MAX_MINOR_VER */
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
@@ -10995,21 +11032,28 @@
* Default
*/
default:
+#if !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
MBEDTLS_SSL_MIN_MAJOR_VERSION :
MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
+#endif /* !MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER)
conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
MBEDTLS_SSL_MIN_MINOR_VERSION :
MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
- conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
- conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
-
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) )
conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
#endif
+#endif /* !MBEDTLS_SSL_CONF_MIN_MINOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
+ conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
+#endif /* !MBEDTLS_SSL_CONF_MAX_MAJOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER)
+ conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
+#endif /* !MBEDTLS_SSL_CONF_MAX_MINOR_VER */
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
@@ -11368,71 +11412,10 @@
}
#endif /* MBEDTLS_X509_CRT_PARSE_C */
-/*
- * Convert version numbers to/from wire format
- * and, for DTLS, to/from TLS equivalent.
- *
- * For TLS this is the identity.
- * For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
- * 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1)
- * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
- */
-void mbedtls_ssl_write_version( int major, int minor, int transport,
- unsigned char ver[2] )
-{
-#if !defined(MBEDTLS_SSL_TRANSPORT__BOTH)
- ((void) transport);
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) )
- {
- if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
- --minor; /* DTLS 1.0 stored as TLS 1.1 internally */
-
- ver[0] = (unsigned char)( 255 - ( major - 2 ) );
- ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
- }
- MBEDTLS_SSL_TRANSPORT_ELSE
-#endif
-#if defined(MBEDTLS_SSL_PROTO_TLS)
- {
- ver[0] = (unsigned char) major;
- ver[1] = (unsigned char) minor;
- }
-#endif
-}
-
-void mbedtls_ssl_read_version( int *major, int *minor, int transport,
- const unsigned char ver[2] )
-{
-#if !defined(MBEDTLS_SSL_TRANSPORT__BOTH)
- ((void) transport);
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) )
- {
- *major = 255 - ver[0] + 2;
- *minor = 255 - ver[1] + 1;
-
- if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
- ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */
- }
- MBEDTLS_SSL_TRANSPORT_ELSE
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-#if defined(MBEDTLS_SSL_PROTO_TLS)
- {
- *major = ver[0];
- *minor = ver[1];
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS */
-}
-
int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
{
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+ if( mbedtls_ssl_get_minor_ver( ssl ) != MBEDTLS_SSL_MINOR_VERSION_3 )
return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
switch( md )
diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c
index b9271ea..ff30788 100644
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@@ -2754,6 +2754,38 @@
}
#endif /* MBEDTLS_SSL_CONF_RNG */
+#if defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER)
+ if( strcmp( "MBEDTLS_SSL_CONF_MIN_MINOR_VER", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_MIN_MINOR_VER );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_CONF_MIN_MINOR_VER */
+
+#if defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER)
+ if( strcmp( "MBEDTLS_SSL_CONF_MAX_MINOR_VER", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_MAX_MINOR_VER );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_CONF_MAX_MINOR_VER */
+
+#if defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
+ if( strcmp( "MBEDTLS_SSL_CONF_MIN_MAJOR_VER", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_MIN_MAJOR_VER );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
+
+#if defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
+ if( strcmp( "MBEDTLS_SSL_CONF_MAX_MAJOR_VER", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_MAX_MAJOR_VER );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_CONF_MAX_MAJOR_VER */
+
#if defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
if( strcmp( "MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET", config ) == 0 )
{
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 897c828..87454b2 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -315,6 +315,20 @@
#define USAGE_READ_TIMEOUT ""
#endif
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
+#define USAGE_MAX_VERSION " max_version=%%s default: (library default: tls1_2)\n"
+#define USAGE_MIN_VERSION " min_version=%%s default: (library default: tls1)\n"
+#define USAGE_FORCE_VERSION " force_version=%%s default: \"\" (none)\n" \
+ " options: ssl3, tls1, tls1_1, tls1_2, dtls1, dtls1_2\n"
+#else
+#define USAGE_MAX_VERSION ""
+#define USAGE_MIN_VERSION ""
+#define USAGE_FORCE_VERSION ""
+#endif
+
#define USAGE \
"\n usage: ssl_client2 param=<>...\n" \
"\n acceptable parameters:\n" \
@@ -368,10 +382,9 @@
"\n" \
" arc4=%%d default: (library default: 0)\n" \
" allow_sha1=%%d default: 0\n" \
- " min_version=%%s default: (library default: tls1)\n" \
- " max_version=%%s default: (library default: tls1_2)\n" \
- " force_version=%%s default: \"\" (none)\n" \
- " options: ssl3, tls1, tls1_1, tls1_2, dtls1, dtls1_2\n" \
+ USAGE_MIN_VERSION \
+ USAGE_MAX_VERSION \
+ USAGE_FORCE_VERSION \
"\n" \
" force_ciphersuite=<name> default: all enabled\n"\
" query_config=<name> return 0 if the specified\n" \
@@ -1115,6 +1128,10 @@
default: goto usage;
}
}
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
else if( strcmp( p, "min_version" ) == 0 )
{
if( strcmp( q, "ssl3" ) == 0 )
@@ -1145,24 +1162,6 @@
else
goto usage;
}
- else if( strcmp( p, "arc4" ) == 0 )
- {
- switch( atoi( q ) )
- {
- case 0: opt.arc4 = MBEDTLS_SSL_ARC4_DISABLED; break;
- case 1: opt.arc4 = MBEDTLS_SSL_ARC4_ENABLED; break;
- default: goto usage;
- }
- }
- else if( strcmp( p, "allow_sha1" ) == 0 )
- {
- switch( atoi( q ) )
- {
- case 0: opt.allow_sha1 = 0; break;
- case 1: opt.allow_sha1 = 1; break;
- default: goto usage;
- }
- }
else if( strcmp( p, "force_version" ) == 0 )
{
if( strcmp( q, "ssl3" ) == 0 )
@@ -1200,6 +1199,25 @@
else
goto usage;
}
+#endif
+ else if( strcmp( p, "arc4" ) == 0 )
+ {
+ switch( atoi( q ) )
+ {
+ case 0: opt.arc4 = MBEDTLS_SSL_ARC4_DISABLED; break;
+ case 1: opt.arc4 = MBEDTLS_SSL_ARC4_ENABLED; break;
+ default: goto usage;
+ }
+ }
+ else if( strcmp( p, "allow_sha1" ) == 0 )
+ {
+ switch( atoi( q ) )
+ {
+ case 0: opt.allow_sha1 = 0; break;
+ case 1: opt.allow_sha1 = 1; break;
+ default: goto usage;
+ }
+ }
#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
else if( strcmp( p, "auth_mode" ) == 0 )
{
@@ -1851,6 +1869,10 @@
}
#endif
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
if( opt.min_version != DFL_MIN_VERSION )
mbedtls_ssl_conf_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3,
opt.min_version );
@@ -1858,6 +1880,7 @@
if( opt.max_version != DFL_MAX_VERSION )
mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3,
opt.max_version );
+#endif
#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
if( opt.fallback != DFL_FALLBACK )
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index cfb3d6a..9cca9c4 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -431,6 +431,20 @@
#define USAGE_CERT_REQ_CA_LIST ""
#endif
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
+#define USAGE_MAX_VERSION " max_version=%%s default: (library default: tls1_2)\n"
+#define USAGE_MIN_VERSION " min_version=%%s default: (library default: tls1)\n"
+#define USAGE_FORCE_VERSION " force_version=%%s default: \"\" (none)\n" \
+ " options: ssl3, tls1, tls1_1, tls1_2, dtls1, dtls1_2\n"
+#else
+#define USAGE_MAX_VERSION ""
+#define USAGE_MIN_VERSION ""
+#define USAGE_FORCE_VERSION ""
+#endif
+
#define USAGE \
"\n usage: ssl_server2 param=<>...\n" \
"\n acceptable parameters:\n" \
@@ -477,10 +491,9 @@
"\n" \
" arc4=%%d default: (library default: 0)\n" \
" allow_sha1=%%d default: 0\n" \
- " min_version=%%s default: (library default: tls1)\n" \
- " max_version=%%s default: (library default: tls1_2)\n" \
- " force_version=%%s default: \"\" (none)\n" \
- " options: ssl3, tls1, tls1_1, tls1_2, dtls1, dtls1_2\n" \
+ USAGE_MIN_VERSION \
+ USAGE_MAX_VERSION \
+ USAGE_FORCE_VERSION \
"\n" \
" version_suites=a,b,c,d per-version ciphersuites\n" \
" in order from ssl3 to tls1_2\n" \
@@ -1751,6 +1764,10 @@
if( opt.exchanges < 0 )
goto usage;
}
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
else if( strcmp( p, "min_version" ) == 0 )
{
if( strcmp( q, "ssl3" ) == 0 )
@@ -1781,24 +1798,6 @@
else
goto usage;
}
- else if( strcmp( p, "arc4" ) == 0 )
- {
- switch( atoi( q ) )
- {
- case 0: opt.arc4 = MBEDTLS_SSL_ARC4_DISABLED; break;
- case 1: opt.arc4 = MBEDTLS_SSL_ARC4_ENABLED; break;
- default: goto usage;
- }
- }
- else if( strcmp( p, "allow_sha1" ) == 0 )
- {
- switch( atoi( q ) )
- {
- case 0: opt.allow_sha1 = 0; break;
- case 1: opt.allow_sha1 = 1; break;
- default: goto usage;
- }
- }
else if( strcmp( p, "force_version" ) == 0 )
{
if( strcmp( q, "ssl3" ) == 0 )
@@ -1836,6 +1835,31 @@
else
goto usage;
}
+#endif
+ else if( strcmp( p, "arc4" ) == 0 )
+ {
+ switch( atoi( q ) )
+ {
+ case 0: opt.arc4 = MBEDTLS_SSL_ARC4_DISABLED; break;
+ case 1: opt.arc4 = MBEDTLS_SSL_ARC4_ENABLED; break;
+ default: goto usage;
+ }
+ }
+ else if( strcmp( p, "allow_sha1" ) == 0 )
+ {
+ switch( atoi( q ) )
+ {
+ case 0: opt.allow_sha1 = 0; break;
+ case 1: opt.allow_sha1 = 1; break;
+ default: goto usage;
+ }
+ }
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
+
+#endif
#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
else if( strcmp( p, "auth_mode" ) == 0 )
{
@@ -2867,11 +2891,16 @@
}
#endif
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || \
+ !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
if( opt.min_version != DFL_MIN_VERSION )
mbedtls_ssl_conf_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version );
if( opt.max_version != DFL_MIN_VERSION )
mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version );
+#endif
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
{
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 553ece4..acbf414 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -563,6 +563,84 @@
fi
}
+check_cmdline_min_minor_version_compat() {
+ __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MIN_MINOR_VER" )"
+ if [ ! -z "$__VAL" ]; then
+ extract_cmdline_argument "min_version"
+ if [ "$__ARG" = "ssl3" ] && [ "$__VAL" != "0" ]; then
+ SKIP_NEXT="YES";
+ elif [ "$__ARG" = "tls1" ] && [ "$__VAL" != "1" ]; then
+ SKIP_NEXT="YES"
+ elif [ "$__ARG" = "tls1_1" ] && [ "$__VAL" != "2" ]; then
+ SKIP_NEXT="YES"
+ elif [ "$__ARG" = "tls1_2" ] && [ "$__VAL" != "3" ]; then
+ SKIP_NEXT="YES"
+ fi
+ fi
+}
+
+check_cmdline_max_minor_version_compat() {
+ __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MAX_MINOR_VER" )"
+ if [ ! -z "$__VAL" ]; then
+ extract_cmdline_argument "max_version"
+ if [ "$__ARG" = "ssl3" ] && [ "$__VAL" != "0" ]; then
+ SKIP_NEXT="YES";
+ elif [ "$__ARG" = "tls1" ] && [ "$__VAL" != "1" ]; then
+ SKIP_NEXT="YES"
+ elif [ "$__ARG" = "tls1_1" ] && [ "$__VAL" != "2" ]; then
+ SKIP_NEXT="YES"
+ elif [ "$__ARG" = "tls1_2" ] && [ "$__VAL" != "3" ]; then
+ SKIP_NEXT="YES"
+ fi
+ fi
+}
+
+check_cmdline_force_version_compat() {
+ __VAL_MAX="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MAX_MINOR_VER" )"
+ __VAL_MIN="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MIN_MINOR_VER" )"
+ if [ ! -z "$__VAL_MIN" ]; then
+
+ # SSL cli/srv cmd line
+
+ extract_cmdline_argument "force_version"
+ if [ "$__ARG" = "ssl3" ] && \
+ ( [ "$__VAL_MIN" != "0" ] || [ "$__VAL_MAX" != "0" ] ); then
+ SKIP_NEXT="YES";
+ elif [ "$__ARG" = "tls1" ] && \
+ ( [ "$__VAL_MIN" != "1" ] || [ "$__VAL_MAX" != "1" ] ); then
+ SKIP_NEXT="YES"
+ elif ( [ "$__ARG" = "tls1_1" ] || [ "$__ARG" = "dtls1" ] ) && \
+ ( [ "$__VAL_MIN" != "2" ] || [ "$__VAL_MAX" != "2" ] ); then
+ SKIP_NEXT="YES"
+ elif ( [ "$__ARG" = "tls1_2" ] || [ "$__ARG" = "dtls1_2" ] ) && \
+ ( [ "$__VAL_MIN" != "3" ] || [ "$__VAL_MAX" != "3" ] ); then
+ echo "FORCE SKIP"
+ SKIP_NEXT="YES"
+ fi
+
+ # OpenSSL cmd line
+
+ if echo "$CMD" | grep -e "-tls1\($\|[^_]\)" > /dev/null; then
+ if [ "$__VAL_MIN" != "1" ] || [ "$__VAL_MAX" != "1" ]; then
+ SKIP_NEXT="YES"
+ fi
+ fi
+
+ if echo "$CMD" | grep -e "-\(dtls1\($\|[^_]\)\|tls1_1\)" > /dev/null; then
+ if [ "$__VAL_MIN" != "2" ] || [ "$__VAL_MAX" != "2" ]; then
+ SKIP_NEXT="YES"
+ fi
+ fi
+
+ if echo "$CMD" | grep -e "-\(dtls1_2\($\|[^_]\)\|tls1_2\)" > /dev/null; then
+ if [ "$__VAL_MIN" != "3" ] || [ "$__VAL_MAX" != "3" ]; then
+ SKIP_NEXT="YES"
+ fi
+ fi
+
+ fi
+}
+
# Go through all options that can be hardcoded at compile-time and
# detect whether the command line configures them in a conflicting
# way. If so, skip the test. Otherwise, remove the corresponding
@@ -592,6 +670,11 @@
# Legacy renegotiation
check_cmdline_legacy_renego_compat
+
+ # Version configuration
+ check_cmdline_min_minor_version_compat
+ check_cmdline_max_minor_version_compat
+ check_cmdline_force_version_compat
}
# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function
index a33cc03..ccd4d42 100644
--- a/tests/suites/helpers.function
+++ b/tests/suites/helpers.function
@@ -108,6 +108,21 @@
} \
} while( 0 )
+/**
+ * \brief This macro tests the expression passed to it and skips the
+ * running test if it doesn't evaluate to 'true'.
+ *
+ * \param TEST The test expression to be tested.
+ */
+#define TEST_ASSUME( TEST ) \
+ do { \
+ if( ! (TEST) ) \
+ { \
+ test_skip( #TEST, __LINE__, __FILE__ ); \
+ goto exit; \
+ } \
+ } while( 0 )
+
#if defined(MBEDTLS_CHECK_PARAMS) && !defined(MBEDTLS_PARAM_FAILED_ALT)
/**
* \brief This macro tests the statement passed to it as a test step or
@@ -241,10 +256,17 @@
/*----------------------------------------------------------------------------*/
/* Global variables */
+typedef enum
+{
+ TEST_RESULT_SUCCESS = 0,
+ TEST_RESULT_FAILED,
+ TEST_RESULT_SKIPPED
+} test_result_t;
+
static struct
{
paramfail_test_state_t paramfail_test_state;
- int failed;
+ test_result_t result;
const char *test;
const char *filename;
int line_no;
@@ -280,7 +302,15 @@
void test_fail( const char *test, int line_no, const char* filename )
{
- test_info.failed = 1;
+ test_info.result = TEST_RESULT_FAILED;
+ test_info.test = test;
+ test_info.line_no = line_no;
+ test_info.filename = filename;
+}
+
+void test_skip( const char *test, int line_no, const char* filename )
+{
+ test_info.result = TEST_RESULT_SKIPPED;
test_info.test = test;
test_info.line_no = line_no;
test_info.filename = filename;
@@ -319,7 +349,7 @@
/* Record the location of the failure, but not as a failure yet, in case
* it was part of the test */
test_fail( failure_condition, line, file );
- test_info.failed = 0;
+ test_info.result = TEST_RESULT_SUCCESS;
longjmp( param_fail_jmp, 1 );
}
diff --git a/tests/suites/host_test.function b/tests/suites/host_test.function
index fe6a2bc..0f98d23 100644
--- a/tests/suites/host_test.function
+++ b/tests/suites/host_test.function
@@ -498,7 +498,8 @@
if( ( ret = get_line( file, buf, sizeof(buf) ) ) != 0 )
break;
- mbedtls_fprintf( stdout, "%s%.66s", test_info.failed ? "\n" : "", buf );
+ mbedtls_fprintf( stdout, "%s%.66s",
+ test_info.result == TEST_RESULT_FAILED ? "\n" : "", buf );
mbedtls_fprintf( stdout, " " );
for( i = strlen( buf ) + 1; i < 67; i++ )
mbedtls_fprintf( stdout, "." );
@@ -545,7 +546,7 @@
// If there are no unmet dependencies execute the test
if( unmet_dep_count == 0 )
{
- test_info.failed = 0;
+ test_info.result = TEST_RESULT_SUCCESS;
test_info.paramfail_test_state = PARAMFAIL_TESTSTATE_IDLE;
#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
@@ -610,10 +611,15 @@
}
else if( ret == DISPATCH_TEST_SUCCESS )
{
- if( test_info.failed == 0 )
+ if( test_info.result == TEST_RESULT_SUCCESS )
{
mbedtls_fprintf( stdout, "PASS\n" );
}
+ else if( test_info.result == TEST_RESULT_SKIPPED )
+ {
+ mbedtls_fprintf( stdout, "----\n" );
+ total_skipped++;
+ }
else
{
total_errors++;
diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function
index ca4783d..1f4180d 100644
--- a/tests/suites/main_test.function
+++ b/tests/suites/main_test.function
@@ -156,7 +156,7 @@
else
{
/* Unexpected parameter validation error */
- test_info.failed = 1;
+ test_info.result = TEST_RESULT_FAILED;
}
memset( param_fail_jmp, 0, sizeof(jmp_buf) );
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 9707935..7d7845e 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -168,8 +168,12 @@
((void) etm);
#endif
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
t_out->minor_ver = ver;
t_in->minor_ver = ver;
+#else
+ ((void) ver);
+#endif
t_out->ivlen = ivlen;
t_in->ivlen = ivlen;
@@ -432,6 +436,11 @@
mbedtls_ssl_init( &ssl );
mbedtls_ssl_transform_init( &t0 );
mbedtls_ssl_transform_init( &t1 );
+
+#if defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
+ TEST_ASSUME( ver == MBEDTLS_SSL_CONF_FIXED_MINOR_VER );
+#endif
+
TEST_ASSERT( build_transforms( &t0, &t1, cipher_type, hash_id,
etm, tag_mode, ver,
(size_t) cid0_len,
@@ -573,6 +582,10 @@
(size_t) cid0_len,
(size_t) cid1_len ) == 0 );
+#if defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
+ TEST_ASSUME( ver == MBEDTLS_SSL_CONF_FIXED_MINOR_VER );
+#endif
+
TEST_ASSERT( ( buf = mbedtls_calloc( 1, buflen ) ) != NULL );
for( mode=1; mode <= 3; mode++ )