commit 3fa1ee567caae5f65ac373ba88c7f9cf7e0aed90
author Hanno Becker <hanno.becker@arm.com> Wed May 22 14:44:37 2019 +0100
committer Hanno Becker <hanno.becker@arm.com> Fri Jul 12 15:14:53 2019 +0100
tree 7c0897c183667e73960421a64a214d0c76626c84
parent e965bd397e2299280184228109fc57847b68b104

Set SSL minor version only after validation

library/ssl_cli.c

diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 7291fd7..87dc25d 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -1716,27 +1716,35 @@
      */
     buf += mbedtls_ssl_hs_hdr_len( ssl );
 
-    MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
-    mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
-                      ssl->conf->transport, buf + 0 );
-
-    if( ssl->major_ver < mbedtls_ssl_conf_get_min_major_ver( ssl->conf ) ||
-        ssl->minor_ver < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ||
-        ssl->major_ver > mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) ||
-        ssl->minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
     {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
-                            " min: [%d:%d], server: [%d:%d], max: [%d:%d]",
-                            mbedtls_ssl_conf_get_min_major_ver( ssl->conf ),
-                            mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ),
-                            ssl->major_ver, ssl->minor_ver,
-                            mbedtls_ssl_conf_get_max_major_ver( ssl->conf ),
-                            mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) );
+        int major_ver, minor_ver;
 
-        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
-                                     MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
+        MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
+        mbedtls_ssl_read_version( &major_ver, &minor_ver,
+                                  ssl->conf->transport,
+                                  buf + 0 );
 
-        return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
+        if( major_ver < mbedtls_ssl_conf_get_min_major_ver( ssl->conf ) ||
+            minor_ver < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ||
+            major_ver > mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) ||
+            minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
+                         " min: [%d:%d], server: [%d:%d], max: [%d:%d]",
+                         mbedtls_ssl_conf_get_min_major_ver( ssl->conf ),
+                         mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ),
+                         major_ver, minor_ver,
+                         mbedtls_ssl_conf_get_max_major_ver( ssl->conf ),
+                         mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) );
+
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                      MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
+
+            return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
+        }
+
+        ssl->minor_ver = minor_ver;
+        ssl->major_ver = major_ver;
     }
 
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",