Merge pull request #5631 from gstrauss/enum-tls-vers

Unify internal/external TLS protocol version enums
2025-07-28 00:21:48 +03:00 · 2022-04-19 17:05:26 +01:00
parent f4d70b2944 8315811ea7
commit a2da9c7e45
17 changed files with 1235 additions and 1549 deletions
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -243,6 +243,7 @@
 * Various constants
 */

+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
 /* These are the high an low bytes of ProtocolVersion as defined by:
 * - RFC 5246: ProtocolVersion version = { 3, 3 };     // TLS v1.2
 * - RFC 8446: see section 4.2.1
@ -250,6 +251,7 @@
 #define MBEDTLS_SSL_MAJOR_VERSION_3             3
 #define MBEDTLS_SSL_MINOR_VERSION_3             3   /*!< TLS v1.2 */
 #define MBEDTLS_SSL_MINOR_VERSION_4             4   /*!< TLS v1.3 */
+#endif /* MBEDTLS_DEPRECATED_REMOVED */

 #define MBEDTLS_SSL_TRANSPORT_STREAM            0   /*!< TLS      */
 #define MBEDTLS_SSL_TRANSPORT_DATAGRAM          1   /*!< DTLS     */
@ -1099,6 +1101,14 @@ mbedtls_dtls_srtp_info;

 #endif /* MBEDTLS_SSL_DTLS_SRTP */

+/** Human-friendly representation of the (D)TLS protocol version. */
+typedef enum
+{
+    MBEDTLS_SSL_VERSION_UNKNOWN, /*!< Context not in use or version not yet negotiated. */
+    MBEDTLS_SSL_VERSION_TLS1_2 = 0x0303, /*!< (D)TLS 1.2 */
+    MBEDTLS_SSL_VERSION_TLS1_3 = 0x0304, /*!< (D)TLS 1.3 */
+} mbedtls_ssl_protocol_version;
+
 /*
 * This structure is used for storing current session data.
 *
@ -1118,11 +1128,10 @@ struct mbedtls_ssl_session

    unsigned char MBEDTLS_PRIVATE(exported);

-    /*!< Minor version negotiated in the session. Used if and when
-     *   renegotiating or resuming a session instead of the configured minor
-     *   version.
+    /*!< TLS version negotiated in the session. Used if and when renegotiating
+     *   or resuming a session instead of the configured minor TLS version.
     */
-    unsigned char MBEDTLS_PRIVATE(minor_ver);
+    mbedtls_ssl_protocol_version MBEDTLS_PRIVATE(tls_version);

 #if defined(MBEDTLS_HAVE_TIME)
    mbedtls_time_t MBEDTLS_PRIVATE(start);       /*!< starting time      */
@ -1161,14 +1170,6 @@ struct mbedtls_ssl_session
 #endif
 };

-/** Human-friendly representation of the (D)TLS protocol version. */
-typedef enum
-{
-    MBEDTLS_SSL_VERSION_UNKNOWN, /*!< Context not in use or version not yet negotiated. */
-    MBEDTLS_SSL_VERSION_1_2,     /*!< (D)TLS 1.2 */
-    MBEDTLS_SSL_VERSION_1_3,     /*!< (D)TLS 1.3 */
-} mbedtls_ssl_protocol_version;
-
 /*
 * Identifiers for PRFs used in various versions of TLS.
 */
@ -1259,10 +1260,8 @@ struct mbedtls_ssl_config
     * so that elements tend to be in the 128-element direct access window
     * on Arm Thumb, which reduces the code size. */

-    unsigned char MBEDTLS_PRIVATE(max_major_ver);    /*!< max. major version used            */
-    unsigned char MBEDTLS_PRIVATE(max_minor_ver);    /*!< max. minor version used            */
-    unsigned char MBEDTLS_PRIVATE(min_major_ver);    /*!< min. major version used            */
-    unsigned char MBEDTLS_PRIVATE(min_minor_ver);    /*!< min. minor version used            */
+    mbedtls_ssl_protocol_version MBEDTLS_PRIVATE(max_tls_version);  /*!< max. TLS version used */
+    mbedtls_ssl_protocol_version MBEDTLS_PRIVATE(min_tls_version);  /*!< min. TLS version used */

    /*
     * Flags (could be bit-fields to save RAM, but separate bytes make
@ -1515,24 +1514,21 @@ struct mbedtls_ssl_context
                                  renego_max_records is < 0           */
 #endif /* MBEDTLS_SSL_RENEGOTIATION */

-    /*!< Equal to MBEDTLS_SSL_MAJOR_VERSION_3 */
-    int MBEDTLS_PRIVATE(major_ver);
-
-    /*!< Server: Negotiated minor version.
-     *   Client: Maximum minor version to be negotiated, then negotiated minor
+    /*!< Server: Negotiated TLS protocol version.
+     *   Client: Maximum TLS version to be negotiated, then negotiated TLS
     *           version.
     *
-     *   It is initialized as the maximum minor version to be negotiated in the
+     *   It is initialized as the maximum TLS version to be negotiated in the
     *   ClientHello writing preparation stage and used throughout the
     *   ClientHello writing. For a fresh handshake not linked to any previous
-     *   handshake, it is initialized to the configured maximum minor version
+     *   handshake, it is initialized to the configured maximum TLS version
     *   to be negotiated. When renegotiating or resuming a session, it is
-     *   initialized to the previously negotiated minor version.
+     *   initialized to the previously negotiated TLS version.
     *
-     *   Updated to the negotiated minor version as soon as the ServerHello is
+     *   Updated to the negotiated TLS version as soon as the ServerHello is
     *   received.
     */
-    int MBEDTLS_PRIVATE(minor_ver);
+    mbedtls_ssl_protocol_version MBEDTLS_PRIVATE(tls_version);

    unsigned MBEDTLS_PRIVATE(badmac_seen);       /*!< records with a bad MAC received    */

@ -3847,6 +3843,7 @@ void mbedtls_ssl_get_dtls_srtp_negotiation_result( const mbedtls_ssl_context *ss
                                                   mbedtls_dtls_srtp_info *dtls_srtp_info );
 #endif /* MBEDTLS_SSL_DTLS_SRTP */

+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
 /**
 * \brief          Set the maximum supported version sent from the client side
 *                 and/or accepted at the server side.
@ -3855,14 +3852,37 @@ void mbedtls_ssl_get_dtls_srtp_negotiation_result( const mbedtls_ssl_context *ss
 *
 * \note           This ignores ciphersuites from higher versions.
 *
+ * \note           This function is deprecated and has been replaced by
+ *                 \c mbedtls_ssl_conf_max_tls_version().
+ *
 * \param conf     SSL configuration
 * \param major    Major version number (#MBEDTLS_SSL_MAJOR_VERSION_3)
 * \param minor    Minor version number
 *                 (#MBEDTLS_SSL_MINOR_VERSION_3 for (D)TLS 1.2,
 *                 #MBEDTLS_SSL_MINOR_VERSION_4 for TLS 1.3)
 */
-void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor );
+void MBEDTLS_DEPRECATED mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor );
+#endif /* MBEDTLS_DEPRECATED_REMOVED */

+/**
+ * \brief          Set the maximum supported version sent from the client side
+ *                 and/or accepted at the server side.
+ *
+ * \note           After the handshake, you can call
+ *                 mbedtls_ssl_get_version_number() to see what version was
+ *                 negotiated.
+ *
+ * \param conf         SSL configuration
+ * \param tls_version  TLS protocol version number (\p mbedtls_ssl_protocol_version)
+ *                     (#MBEDTLS_SSL_VERSION_UNKNOWN is not valid)
+ */
+static inline void mbedtls_ssl_conf_max_tls_version( mbedtls_ssl_config *conf,
+                                     mbedtls_ssl_protocol_version tls_version )
+{
+    conf->MBEDTLS_PRIVATE(max_tls_version) = tls_version;
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
 /**
 * \brief          Set the minimum accepted SSL/TLS protocol version
 *
@ -3888,13 +3908,35 @@ void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int mino
 *                 mbedtls_ssl_get_version_number() to see what version was
 *                 negotiated.
 *
+ * \note           This function is deprecated and has been replaced by
+ *                 \c mbedtls_ssl_conf_min_tls_version().
+ *
 * \param conf     SSL configuration
 * \param major    Major version number (#MBEDTLS_SSL_MAJOR_VERSION_3)
 * \param minor    Minor version number
 *                 (#MBEDTLS_SSL_MINOR_VERSION_3 for (D)TLS 1.2,
 *                 #MBEDTLS_SSL_MINOR_VERSION_4 for TLS 1.3)
 */
-void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor );
+void MBEDTLS_DEPRECATED mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor );
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          Set the minimum supported version sent from the client side
+ *                 and/or accepted at the server side.
+ *
+ * \note           After the handshake, you can call
+ *                 mbedtls_ssl_get_version_number() to see what version was
+ *                 negotiated.
+ *
+ * \param conf         SSL configuration
+ * \param tls_version  TLS protocol version number (\p mbedtls_ssl_protocol_version)
+ *                     (#MBEDTLS_SSL_VERSION_UNKNOWN is not valid)
+ */
+static inline void mbedtls_ssl_conf_min_tls_version( mbedtls_ssl_config *conf,
+                                     mbedtls_ssl_protocol_version tls_version )
+{
+    conf->MBEDTLS_PRIVATE(min_tls_version) = tls_version;
+}

 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
 /**
@ -4225,8 +4267,11 @@ const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl );
 * \param ssl      The SSL context to query.
 * \return         The negotiated protocol version.
 */
-mbedtls_ssl_protocol_version mbedtls_ssl_get_version_number(
-    const mbedtls_ssl_context *ssl );
+static inline mbedtls_ssl_protocol_version mbedtls_ssl_get_version_number(
+    const mbedtls_ssl_context *ssl )
+{
+    return ssl->MBEDTLS_PRIVATE(tls_version);
+}

 /**
 * \brief          Return the current TLS version