mbedtls_ssl_config min_tls_version, max_tls_version

Store the TLS version in tls_version instead of major, minor version num

Note: existing application use which accesses the struct member
(using MBEDTLS_PRIVATE) is not compatible on little-endian platforms,
but is compatible on big-endian platforms.  For systems supporting
only TLSv1.2, the underlying values are the same (=> 3).

New setter functions are more type-safe,
taking argument as enum mbedtls_ssl_protocol_version:
mbedtls_ssl_conf_max_tls_version()
mbedtls_ssl_conf_min_tls_version()

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
This commit is contained in:
Glenn Strauss 2022-03-14 17:26:42 -04:00
parent da7851c825
commit 2dfcea2b9d
7 changed files with 96 additions and 120 deletions

View file

@ -1239,10 +1239,8 @@ struct mbedtls_ssl_config
* so that elements tend to be in the 128-element direct access window
* on Arm Thumb, which reduces the code size. */
unsigned char MBEDTLS_PRIVATE(max_major_ver); /*!< max. major version used */
unsigned char MBEDTLS_PRIVATE(max_minor_ver); /*!< max. minor version used */
unsigned char MBEDTLS_PRIVATE(min_major_ver); /*!< min. major version used */
unsigned char MBEDTLS_PRIVATE(min_minor_ver); /*!< min. minor version used */
uint16_t MBEDTLS_PRIVATE(max_tls_version); /*!< max. TLS version used */
uint16_t MBEDTLS_PRIVATE(min_tls_version); /*!< min. TLS version used */
/*
* Flags (could be bit-fields to save RAM, but separate bytes make
@ -3847,6 +3845,24 @@ void mbedtls_ssl_get_dtls_srtp_negotiation_result( const mbedtls_ssl_context *ss
*/
void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor );
/**
* \brief Set the maximum supported version sent from the client side
* and/or accepted at the server side.
*
* \note After the handshake, you can call
* mbedtls_ssl_get_version_number() to see what version was
* negotiated.
*
* \param conf SSL configuration
* \param tls_version TLS protocol version number (\p mbedtls_ssl_protocol_version)
* (#MBEDTLS_SSL_VERSION_UNKNOWN is not valid)
*/
static inline void mbedtls_ssl_conf_max_tls_version( mbedtls_ssl_config *conf,
mbedtls_ssl_protocol_version tls_version )
{
conf->MBEDTLS_PRIVATE(max_tls_version) = tls_version;
}
/**
* \brief Set the minimum accepted SSL/TLS protocol version
*
@ -3880,6 +3896,24 @@ void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int mino
*/
void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor );
/**
* \brief Set the minimum supported version sent from the client side
* and/or accepted at the server side.
*
* \note After the handshake, you can call
* mbedtls_ssl_get_version_number() to see what version was
* negotiated.
*
* \param conf SSL configuration
* \param tls_version TLS protocol version number (\p mbedtls_ssl_protocol_version)
* (#MBEDTLS_SSL_VERSION_UNKNOWN is not valid)
*/
static inline void mbedtls_ssl_conf_min_tls_version( mbedtls_ssl_config *conf,
mbedtls_ssl_protocol_version tls_version )
{
conf->MBEDTLS_PRIVATE(min_tls_version) = tls_version;
}
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
/**
* \brief Enable or disable Encrypt-then-MAC

View file

@ -864,8 +864,8 @@ static int ssl_prepare_client_hello( mbedtls_ssl_context *ssl )
}
else
{
ssl->minor_ver = ssl->conf->max_minor_ver;
ssl->handshake->min_minor_ver = ssl->conf->min_minor_ver;
ssl->minor_ver = ssl->conf->max_tls_version & 0xFF;
ssl->handshake->min_minor_ver = ssl->conf->min_tls_version & 0xFF;
}
}

View file

@ -1601,14 +1601,8 @@ void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight );
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
static inline int mbedtls_ssl_conf_is_tls13_only( const mbedtls_ssl_config *conf )
{
if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 &&
conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
{
return( 1 );
}
return( 0 );
return( conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
@ -1616,14 +1610,8 @@ static inline int mbedtls_ssl_conf_is_tls13_only( const mbedtls_ssl_config *conf
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static inline int mbedtls_ssl_conf_is_tls12_only( const mbedtls_ssl_config *conf )
{
if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
{
return( 1 );
}
return( 0 );
return( conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
@ -1631,14 +1619,8 @@ static inline int mbedtls_ssl_conf_is_tls12_only( const mbedtls_ssl_config *conf
static inline int mbedtls_ssl_conf_is_tls13_enabled( const mbedtls_ssl_config *conf )
{
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
conf->min_minor_ver <= MBEDTLS_SSL_MINOR_VERSION_4 &&
conf->max_minor_ver >= MBEDTLS_SSL_MINOR_VERSION_4 )
{
return( 1 );
}
return( 0 );
return( conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 &&
conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_3 );
#else
((void) conf);
return( 0 );
@ -1648,14 +1630,8 @@ static inline int mbedtls_ssl_conf_is_tls13_enabled( const mbedtls_ssl_config *c
static inline int mbedtls_ssl_conf_is_tls12_enabled( const mbedtls_ssl_config *conf )
{
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
conf->min_minor_ver <= MBEDTLS_SSL_MINOR_VERSION_3 &&
conf->max_minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 )
{
return( 1 );
}
return( 0 );
return( conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 &&
conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_2 );
#else
((void) conf);
return( 0 );
@ -1665,14 +1641,8 @@ static inline int mbedtls_ssl_conf_is_tls12_enabled( const mbedtls_ssl_config *c
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13( const mbedtls_ssl_config *conf )
{
if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
{
return( 1 );
}
return( 0 );
return( conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */

View file

@ -3541,7 +3541,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
}
if( minor_ver > ssl->conf->max_minor_ver )
if( minor_ver > ( ssl->conf->max_tls_version & 0xFF ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
return( MBEDTLS_ERR_SSL_INVALID_RECORD );

View file

@ -2155,14 +2155,12 @@ void mbedtls_ssl_get_dtls_srtp_negotiation_result( const mbedtls_ssl_context *ss
void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
{
conf->max_major_ver = major;
conf->max_minor_ver = minor;
conf->max_tls_version = (major << 8) | minor;
}
void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
{
conf->min_major_ver = major;
conf->min_minor_ver = minor;
conf->min_tls_version = (major << 8) | minor;
}
#if defined(MBEDTLS_SSL_SRV_C)
@ -3577,10 +3575,8 @@ static int ssl_context_load( mbedtls_ssl_context *ssl,
* least check it matches the requirements for serializing.
*/
if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
ssl->conf->max_major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
ssl->conf->min_major_ver > MBEDTLS_SSL_MAJOR_VERSION_3 ||
ssl->conf->max_minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ||
ssl->conf->min_minor_ver > MBEDTLS_SSL_MINOR_VERSION_3 ||
ssl->conf->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2 ||
ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 ||
#if defined(MBEDTLS_SSL_RENEGOTIATION)
ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
#endif
@ -4250,6 +4246,32 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
if( ( endpoint == MBEDTLS_SSL_IS_SERVER ) ||
( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) )
{
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
#else
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
#endif
}
else
{
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
#else
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
#endif
}
/*
* Preset-specific defaults
*/
@ -4259,30 +4281,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
* NSA Suite B
*/
case MBEDTLS_SSL_PRESET_SUITEB:
conf->min_major_ver = MBEDTLS_SSL_MIN_MAJOR_VERSION;
conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
if( ( endpoint == MBEDTLS_SSL_IS_SERVER ) ||
( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) )
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
{
conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
conf->max_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
}
#else
{
conf->min_major_ver = 0;
conf->max_major_ver = 0;
conf->min_minor_ver = 0;
conf->max_minor_ver = 0;
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
#endif
else
{
conf->min_minor_ver = MBEDTLS_SSL_MIN_MINOR_VERSION;
conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
}
conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites;
#if defined(MBEDTLS_X509_CRT_PARSE_C)
@ -4311,30 +4310,6 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
* Default
*/
default:
conf->min_major_ver = MBEDTLS_SSL_MIN_MAJOR_VERSION;
conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
if( ( endpoint == MBEDTLS_SSL_IS_SERVER ) ||
( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) )
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
{
conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
conf->max_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
}
#else
{
conf->min_major_ver = 0;
conf->max_major_ver = 0;
conf->min_minor_ver = 0;
conf->max_minor_ver = 0;
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
#endif
else
{
conf->min_minor_ver = MBEDTLS_SSL_MIN_MINOR_VERSION;
conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
}
conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites();

View file

@ -1155,8 +1155,7 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
*/
if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
major_ver > ssl->conf->max_major_ver ||
minor_ver > ssl->conf->max_minor_ver )
( ( major_ver << 8 ) | minor_ver ) > ssl->conf->max_tls_version )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
@ -1302,18 +1301,16 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
ssl->conf->transport, buf + 0 );
ssl->session_negotiate->tls_version = 0x0300 | ssl->minor_ver;
if( ssl->major_ver < ssl->conf->min_major_ver ||
ssl->minor_ver < ssl->conf->min_minor_ver ||
ssl->major_ver > ssl->conf->max_major_ver ||
ssl->minor_ver > ssl->conf->max_minor_ver )
if( ( ( ssl->major_ver << 8 ) | ssl->minor_ver )
< ssl->conf->min_tls_version ||
( ( ssl->major_ver << 8 ) | ssl->minor_ver )
> ssl->conf->max_tls_version )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
( "server version out of bounds - min: [%d:%d], server: [%d:%d], max: [%d:%d]",
ssl->conf->min_major_ver,
ssl->conf->min_minor_ver,
ssl->major_ver, ssl->minor_ver,
ssl->conf->max_major_ver,
ssl->conf->max_minor_ver ) );
( "server version out of bounds - min: [0x%x], server: [0x%x], max: [0x%x]",
(unsigned)ssl->conf->min_tls_version,
(unsigned)( ( ssl->major_ver << 8 ) | ssl->minor_ver ),
(unsigned)ssl->conf->max_tls_version ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );

View file

@ -1179,16 +1179,16 @@ void set_ciphersuite( mbedtls_ssl_config *conf, const char *cipher,
mbedtls_ssl_ciphersuite_from_id( forced_ciphersuite[0] );
TEST_ASSERT( ciphersuite_info != NULL );
TEST_ASSERT( ciphersuite_info->min_minor_ver <= conf->max_minor_ver );
TEST_ASSERT( ciphersuite_info->max_minor_ver >= conf->min_minor_ver );
TEST_ASSERT( ciphersuite_info->min_minor_ver <= ( conf->max_tls_version & 0xFF ) );
TEST_ASSERT( ciphersuite_info->max_minor_ver >= ( conf->min_tls_version & 0xFF ) );
if( conf->max_minor_ver > ciphersuite_info->max_minor_ver )
if( conf->max_tls_version > ( 0x0300 | ciphersuite_info->max_minor_ver ) )
{
conf->max_minor_ver = ciphersuite_info->max_minor_ver;
conf->max_tls_version = 0x0300 | ciphersuite_info->max_minor_ver;
}
if( conf->min_minor_ver < ciphersuite_info->min_minor_ver )
if( conf->min_tls_version < ( 0x0300 | ciphersuite_info->min_minor_ver ) )
{
conf->min_minor_ver = ciphersuite_info->min_minor_ver;
conf->min_tls_version = 0x0300 | ciphersuite_info->min_minor_ver;
}
mbedtls_ssl_conf_ciphersuites( conf, forced_ciphersuite );