From 381eaa59763d58ba4ab82acee4007b3771bd2d01 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Wed, 12 Jun 2019 14:43:01 +0100
Subject: [PATCH] Remove min/maj version from SSL context if only one version enabled

If the minor/major version is enforced at compile-time, the `major_ver` and `minor_ver` fields in `mbedtls_ssl_context` are redundant and can be removed.
---
 include/mbedtls/ssl.h          | 16 ++++++++++++++++
 include/mbedtls/ssl_internal.h | 10 ++++++++++
 library/ssl_cli.c              |  9 +++++++++
 library/ssl_srv.c              |  4 ++++
 4 files changed, 39 insertions(+)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index ee8bd818b..5e9954462 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -63,6 +63,18 @@
 #include "platform_time.h"
 #endif
 
+#if defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER) && \
+    defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) && \
+    ( MBEDTLS_SSL_CONF_MAX_MAJOR_VER == MBEDTLS_SSL_CONF_MIN_MAJOR_VER )
+#define MBEDTLS_SSL_CONF_FIXED_MAJOR_VER MBEDTLS_SSL_CONF_MIN_MAJOR_VER
+#endif
+
+#if defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) && \
+    defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) && \
+    ( MBEDTLS_SSL_CONF_MAX_MINOR_VER == MBEDTLS_SSL_CONF_MIN_MINOR_VER )
+#define MBEDTLS_SSL_CONF_FIXED_MINOR_VER MBEDTLS_SSL_CONF_MIN_MINOR_VER
+#endif
+
 /*
  * SSL Error codes
  */
@@ -1229,8 +1241,12 @@ struct mbedtls_ssl_context
                                   renego_max_records is < 0           */
 #endif /* MBEDTLS_SSL_RENEGOTIATION */
 
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MAJOR_VER)
     int major_ver;              /*!< equal to MBEDTLS_SSL_MAJOR_VERSION_3 */
+#endif /* !MBEDTLS_SSL_CONF_FIXED_MAJOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
     int minor_ver;              /*!< either 0 (SSL3) or 1 (TLS1.0) */
+#endif /* !MBEDTLS_SSL_CONF_FIXED_MINOR_VER */
 
 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
     unsigned badmac_seen;       /*!< records with a bad MAC received */
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 00b941dc6..43443bf59 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
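Review bot: The two derived `MBEDTLS_SSL_CONF_FIXED_*_VER` macros land in the public header with no comment saying they are computed from the min/max pair rather than set by the user, and nothing in this hunk stops a configuration from defining one of them directly. A short comment above the first block would settle that, e.g. `/* Derived, do not set directly: defined when the compile-time minimum and maximum protocol versions coincide, in which case the negotiated version is a constant and is not stored in the context. */`. Presumably check_config.h already rejects MIN greater than MAX; if it does not, that configuration silently yields no FIXED macro and falls back to the run-time fields, which deserves an `#error` rather than a silent fallback.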
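Review bot: The `major_ver` and `minor_ver` members now exist only in builds where the version is not fixed at compile time, but their doc comments do not say so, so a reader of the public header cannot tell that touching them directly will not compile in every configuration. Suggest replacing the member comments with `/*!< Negotiated major version; absent when MBEDTLS_SSL_CONF_FIXED_MAJOR_VER is defined. Read it through mbedtls_ssl_get_major_ver(). */` and the analogous text for `minor_ver`. The retained `either 0 (SSL3) or 1 (TLS1.0)` text also looks stale for a field that the client and server hunks fill with anything up to the configured maximum minor version, though that predates this patch. struct mbedtls_ssl_context begins and ends outside the hunk.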
@@ -962,12 +962,22 @@ int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
 
 static inline int mbedtls_ssl_get_minor_ver( mbedtls_ssl_context const *ssl )
 {
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
     return( ssl->minor_ver );
+#else /* !MBEDTLS_SSL_CONF_FIXED_MINOR_VER */
+    ((void) ssl);
+    return( MBEDTLS_SSL_CONF_FIXED_MINOR_VER );
+#endif /* MBEDTLS_SSL_CONF_FIXED_MINOR_VER */
 }
 
 static inline int mbedtls_ssl_get_major_ver( mbedtls_ssl_context const *ssl )
 {
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MAJOR_VER)
     return( ssl->major_ver );
+#else /* !MBEDTLS_SSL_CONF_FIXED_MAJOR_VER */
+    ((void) ssl);
+    return( MBEDTLS_SSL_CONF_FIXED_MAJOR_VER );
+#endif /* MBEDTLS_SSL_CONF_FIXED_MAJOR_VER */
 }
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index d69bd1ced..c7a18f58b 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -850,8 +850,12 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
 
     if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE )
     {
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MAJOR_VER)
         ssl->major_ver = mbedtls_ssl_conf_get_min_major_ver( ssl->conf );
+#endif /* !MBEDTLS_SSL_CONF_FIXED_MAJOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
         ssl->minor_ver = mbedtls_ssl_conf_get_min_minor_ver( ssl->conf );
+#endif /* !MBEDTLS_SSL_CONF_FIXED_MINOR_VER */
     }
 
     if( mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) == 0 )
@@ -1743,8 +1747,13 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
             return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
         }
 
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
         ssl->minor_ver = minor_ver;
+#endif /* !MBEDTLS_SSL_CONF_FIXED_MINOR_VER */
+
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MAJOR_VER)
         ssl->major_ver = major_ver;
+#endif /* !MBEDTLS_SSL_CONF_FIXED_MAJOR_VER */
     }
 
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 84cb04b4a..87fe4c973 100644
--- a/library/ssl_srv.c
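Review bot: Once the fields are compiled out these two accessors are the only sanctioned way to read the negotiated version, yet neither carries a comment saying so, and the trailer comments name opposite conditions (`#else /* !MBEDTLS_SSL_CONF_FIXED_MINOR_VER */` followed by `#endif /* MBEDTLS_SSL_CONF_FIXED_MINOR_VER */`), unlike the `#endif /* !... */` form used in the ssl.h and ssl_cli.c hunks of this same patch. A one-line header on each would fix the first point, e.g. `/* Negotiated minor version; with MBEDTLS_SSL_CONF_FIXED_MINOR_VER it is a compile-time constant and ssl is unused. */`. For the second, pick one trailer convention across the patch.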
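Review bot: When both FIXED macros are defined, the body of the `if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE )` block is empty, leaving a condition that is evaluated for no effect and reads like a forgotten store. Guarding the whole statement, `#if !defined(MBEDTLS_SSL_CONF_FIXED_MAJOR_VER) || !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)` before the `if` and the matching `#endif` after its closing brace, keeps the fixed-version build free of dead control flow. ssl_write_client_hello continues outside the hunk.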
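Review bot: Dropping the stores into `ssl->minor_ver` and `ssl->major_ver` in a fixed-version build is only safe because the check that ends two lines above with `return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );` has presumably already rejected any ServerHello version outside the configured range, which in that build is a single value; the condition itself is not visible here. That dependency is unstated, so a later reordering of the check could let the client proceed with a server version that differs from the compile-time constant without anyone noticing. Add `/* Fixed-version build: the check above guarantees major_ver/minor_ver equal the compile-time constants, so nothing needs storing. */` before the first `#if`. ssl_parse_server_hello begins and ends outside this hunk.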
+++ b/library/ssl_srv.c
@@ -1654,8 +1654,12 @@ read_record_header:
         else if( minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
             minor_ver = mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );
 
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MAJOR_VER)
         ssl->major_ver = major_ver;
+#endif /* MBEDTLS_SSL_CONF_FIXED_MAJOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
         ssl->minor_ver = minor_ver;
+#endif /* MBEDTLS_SSL_CONF_FIXED_MINOR_VER */
     }
 
 /*
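Review bot: In a fixed-minor-version build the clamp `minor_ver = mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );` just above now computes a value that is never stored, so the server silently serves the compile-time version to any client that offered something higher; that is the normal pick-highest-supported behaviour only if the lower-bound rejection, which lies outside this hunk, still runs unconditionally, so please confirm it does. A comment would make the intent explicit, e.g. `/* Version fixed at build time: the clamped value equals the constant, nothing to store. */`. Separately, the `#endif` trailers here read `/* MBEDTLS_SSL_CONF_FIXED_MAJOR_VER */` while the identical guards in ssl.h and ssl_cli.c use `/* !MBEDTLS_SSL_CONF_FIXED_MAJOR_VER */`; the negated form matches the `#if !defined` condition and should be used consistently. The enclosing block and function continue outside the hunk.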