Set correct minimal versions in default conf

Set `MBEDTLS_SSL_MIN_MAJOR_VERSION` and `MBEDTLS_SSL_MIN_MINOR_VERSION`
instead of `MBEDTLS_SSL_MAJOR_VERSION_3` and `MBEDTLS_SSL_MINOR_VERSION_1`
This commit is contained in:
Ron Eldor 2017-05-28 10:46:38 +03:00 committed by Gilles Peskine
parent 297d7535fb
commit 5e9f14d4d9
3 changed files with 26 additions and 13 deletions

View file

@ -41,17 +41,6 @@ New deprecations
* Direct manipulation of structure fields of RSA contexts is deprecated. * Direct manipulation of structure fields of RSA contexts is deprecated.
Users are advised to use the extended RSA API instead. Users are advised to use the extended RSA API instead.
API Changes
* Extend RSA interface by multiple functions allowing structure-
independent setup and export of RSA contexts. Most notably,
mbedtls_rsa_import and mbedtls_rsa_complete are introduced for setting
up RSA contexts from partial key material and having them completed to the
needs of the implementation automatically. This allows to setup private RSA
contexts from keys consisting of N,D,E only, even if P,Q are needed for the
purpose or CRT and/or blinding.
* The configuration option MBEDTLS_RSA_ALT can be used to define alternative
implementations of the RSA interface declared in rsa.h.
Bugfix Bugfix
* Fix ssl_parse_record_header() to silently discard invalid DTLS records * Fix ssl_parse_record_header() to silently discard invalid DTLS records
as recommended in RFC 6347 Section 4.1.2.7. as recommended in RFC 6347 Section 4.1.2.7.
@ -101,6 +90,10 @@ Bugfix
RSA test suite where the failure of CTR DRBG initialization lead to RSA test suite where the failure of CTR DRBG initialization lead to
freeing an RSA context and several MPI's without proper initialization freeing an RSA context and several MPI's without proper initialization
beforehand. beforehand.
* Fix setting version TLSv1 as minimal version, even if TLS 1
is not enabled. Set `MBEDTLS_SSL_MIN_MAJOR_VERSION`
and `MBEDTLS_SSL_MIN_MINOR_VERSION` instead
of `MBEDTLS_SSL_MAJOR_VERSION_3` and `MBEDTLS_SSL_MINOR_VERSION_1`
Changes Changes
* Extend cert_write example program by options to set the CRT version * Extend cert_write example program by options to set the CRT version
@ -114,6 +107,17 @@ Changes
* Tighten the RSA PKCS#1 v1.5 signature verification code and remove the * Tighten the RSA PKCS#1 v1.5 signature verification code and remove the
undeclared dependency of the RSA module on the ASN.1 module. undeclared dependency of the RSA module on the ASN.1 module.
API Changes
* Extend RSA interface by multiple functions allowing structure-
independent setup and export of RSA contexts. Most notably,
mbedtls_rsa_import and mbedtls_rsa_complete are introduced for setting
up RSA contexts from partial key material and having them completed to the
needs of the implementation automatically. This allows to setup private RSA
contexts from keys consisting of N,D,E only, even if P,Q are needed for the
purpose or CRT and/or blinding.
* The configuration option MBEDTLS_RSA_ALT can be used to define alternative
implementations of the RSA interface declared in rsa.h.
= mbed TLS 2.6.0 branch released 2017-08-10 = mbed TLS 2.6.0 branch released 2017-08-10
Security Security

View file

@ -69,6 +69,9 @@
#endif /* MBEDTLS_SSL_PROTO_TLS1 */ #endif /* MBEDTLS_SSL_PROTO_TLS1 */
#endif /* MBEDTLS_SSL_PROTO_SSL3 */ #endif /* MBEDTLS_SSL_PROTO_SSL3 */
#define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
#define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
/* Determine maximum supported version */ /* Determine maximum supported version */
#define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3 #define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3

View file

@ -7602,8 +7602,14 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
* Default * Default
*/ */
default: default:
conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */ MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
MBEDTLS_SSL_MIN_MAJOR_VERSION :
MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
MBEDTLS_SSL_MIN_MINOR_VERSION :
MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;