mbedtls_ssl_config min_tls_version, max_tls_version

Store the TLS version in tls_version instead of major, minor version num Note: existing application use which accesses the struct member (using MBEDTLS_PRIVATE) is not compatible on little-endian platforms, but is compatible on big-endian platforms. For systems supporting only TLSv1.2, the underlying values are the same (=> 3). New setter functions are more type-safe, taking argument as enum mbedtls_ssl_protocol_version: mbedtls_ssl_conf_max_tls_version() mbedtls_ssl_conf_min_tls_version() Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-03-14 17:26:42 -04:00 · 2022-03-14 17:26:42 -04:00 · 2dfcea2b9d
commit 2dfcea2b9d
parent da7851c825
7 changed files with 96 additions and 120 deletions
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -1239,10 +1239,8 @@ struct mbedtls_ssl_config
     * so that elements tend to be in the 128-element direct access window
     * on Arm Thumb, which reduces the code size. */

-    unsigned char MBEDTLS_PRIVATE(max_major_ver);    /*!< max. major version used            */
-    unsigned char MBEDTLS_PRIVATE(max_minor_ver);    /*!< max. minor version used            */
-    unsigned char MBEDTLS_PRIVATE(min_major_ver);    /*!< min. major version used            */
-    unsigned char MBEDTLS_PRIVATE(min_minor_ver);    /*!< min. minor version used            */
+    uint16_t MBEDTLS_PRIVATE(max_tls_version);  /*!< max. TLS version used          */
+    uint16_t MBEDTLS_PRIVATE(min_tls_version);  /*!< min. TLS version used          */

    /*
     * Flags (could be bit-fields to save RAM, but separate bytes make
@ -3847,6 +3845,24 @@ void mbedtls_ssl_get_dtls_srtp_negotiation_result( const mbedtls_ssl_context *ss
 */
 void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor );

+/**
+ * \brief          Set the maximum supported version sent from the client side
+ *                 and/or accepted at the server side.
+ *
+ * \note           After the handshake, you can call
+ *                 mbedtls_ssl_get_version_number() to see what version was
+ *                 negotiated.
+ *
+ * \param conf         SSL configuration
+ * \param tls_version  TLS protocol version number (\p mbedtls_ssl_protocol_version)
+ *                     (#MBEDTLS_SSL_VERSION_UNKNOWN is not valid)
+ */
+static inline void mbedtls_ssl_conf_max_tls_version( mbedtls_ssl_config *conf,
+                                     mbedtls_ssl_protocol_version tls_version )
+{
+    conf->MBEDTLS_PRIVATE(max_tls_version) = tls_version;
+}
+
 /**
 * \brief          Set the minimum accepted SSL/TLS protocol version
 *
@ -3880,6 +3896,24 @@ void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int mino
 */
 void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor );

+/**
+ * \brief          Set the minimum supported version sent from the client side
+ *                 and/or accepted at the server side.
+ *
+ * \note           After the handshake, you can call
+ *                 mbedtls_ssl_get_version_number() to see what version was
+ *                 negotiated.
+ *
+ * \param conf         SSL configuration
+ * \param tls_version  TLS protocol version number (\p mbedtls_ssl_protocol_version)
+ *                     (#MBEDTLS_SSL_VERSION_UNKNOWN is not valid)
+ */
+static inline void mbedtls_ssl_conf_min_tls_version( mbedtls_ssl_config *conf,
+                                     mbedtls_ssl_protocol_version tls_version )
+{
+    conf->MBEDTLS_PRIVATE(min_tls_version) = tls_version;
+}
+
 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
 /**
 * \brief           Enable or disable Encrypt-then-MAC