commit 3fa1ee567caae5f65ac373ba88c7f9cf7e0aed90
author Hanno Becker <hanno.becker@arm.com> Wed May 22 14:44:37 2019 +0100
committer Hanno Becker <hanno.becker@arm.com> Fri Jul 12 15:14:53 2019 +0100
tree 7c0897c183667e73960421a64a214d0c76626c84
parent e965bd397e2299280184228109fc57847b68b104

Set SSL minor version only after validation

library/ssl_srv.c

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 553ded2..38c841d 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -1621,32 +1621,39 @@
      */
     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
 
-    mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
-                      ssl->conf->transport, buf );
-
-    ssl->handshake->max_major_ver = ssl->major_ver;
-    ssl->handshake->max_minor_ver = ssl->minor_ver;
-
-    if( ssl->major_ver < mbedtls_ssl_conf_get_min_major_ver( ssl->conf ) ||
-        ssl->minor_ver < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) )
     {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
+        int minor_ver, major_ver;
+        mbedtls_ssl_read_version( &major_ver, &minor_ver,
+                                  ssl->conf->transport,
+                                  buf );
+
+        ssl->handshake->max_major_ver = major_ver;
+        ssl->handshake->max_minor_ver = minor_ver;
+
+        if( major_ver < mbedtls_ssl_conf_get_min_major_ver( ssl->conf ) ||
+            minor_ver < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
                             " [%d:%d] < [%d:%d]",
-                            ssl->major_ver, ssl->minor_ver,
+                            major_ver, minor_ver,
                             mbedtls_ssl_conf_get_min_major_ver( ssl->conf ),
                             mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ) );
-        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
-                                     MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
-        return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
-    }
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
+            return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
+        }
 
-    if( ssl->major_ver > mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) )
-    {
-        ssl->major_ver = mbedtls_ssl_conf_get_max_major_ver( ssl->conf );
-        ssl->minor_ver = mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );
+        if( major_ver > mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) )
+        {
+            major_ver = mbedtls_ssl_conf_get_max_major_ver( ssl->conf );
+            minor_ver = mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );
+        }
+        else if( minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
+            minor_ver = mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );
+
+        ssl->major_ver = major_ver;
+        ssl->minor_ver = minor_ver;
     }
-    else if( ssl->minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
-        ssl->minor_ver = mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );
 
     /*
      * Save client random (inc. Unix time)