ssl_tls12_server.c: Simplify TLS version check in ClientHello

The TLS server code only support TLS 1.2 thus simplify the check of the version proposed by the client. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-15 15:37:13 +01:00 · 2022-03-15 15:37:13 +01:00 · 90f012037d
commit 90f012037d
parent 086ee0be0e
2 changed files with 5 additions and 21 deletions
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@ -539,8 +539,6 @@ struct mbedtls_ssl_handshake_params
 {
    /* Frequently-used boolean or byte fields (placed early to take
     * advantage of smaller code size for indirect access on Arm Thumb) */
-    uint8_t max_major_ver;              /*!< max. major version client*/
-    uint8_t max_minor_ver;              /*!< max. minor version client*/
    uint8_t resume;                     /*!<  session resume indicator*/
    uint8_t cli_exts;                   /*!< client extension presence*/

--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@ -1415,29 +1415,15 @@ read_record_header:
                      ssl->conf->transport, buf );
    ssl->session_negotiate->minor_ver = ssl->minor_ver;

-    ssl->handshake->max_major_ver = ssl->major_ver;
-    ssl->handshake->max_minor_ver = ssl->minor_ver;
-
-    if( ssl->major_ver < ssl->conf->min_major_ver ||
-        ssl->minor_ver < ssl->conf->min_minor_ver )
+    if( ( ssl->major_ver != MBEDTLS_SSL_MAJOR_VERSION_3 ) ||
+        ( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) )
    {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
-                            " [%d:%d] < [%d:%d]",
-                            ssl->major_ver, ssl->minor_ver,
-                            ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "server only supports TLS 1.2" ) );
        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
                                     MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
        return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
    }

-    if( ssl->major_ver > ssl->conf->max_major_ver )
-    {
-        ssl->major_ver = ssl->conf->max_major_ver;
-        ssl->minor_ver = ssl->conf->max_minor_ver;
-    }
-    else if( ssl->minor_ver > ssl->conf->max_minor_ver )
-        ssl->minor_ver = ssl->conf->max_minor_ver;
-
    /*
     * Save client random (inc. Unix time)
     */
@ -3660,8 +3646,8 @@ static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
        return( ret );
 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */

-    mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
-                               ssl->handshake->max_minor_ver,
+    mbedtls_ssl_write_version( MBEDTLS_SSL_MAJOR_VERSION_3,
+                               MBEDTLS_SSL_MINOR_VERSION_3,
                               ssl->conf->transport, ver );

    /* Avoid data-dependent branches while checking for invalid