tls: Initialize SSL context tls_version in mbedtls_ssl_setup()

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2025-02-21 15:41:00 +00:00 · 2023-03-08 15:30:43 +01:00 · 2023-03-08 15:30:43 +01:00 · 8a12aeec93
commit 8a12aeec93
parent 5af4c7f0e2
3 changed files with 14 additions and 12 deletions
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -1605,19 +1605,21 @@ struct mbedtls_ssl_context {
                                                    renego_max_records is < 0           */
 #endif /* MBEDTLS_SSL_RENEGOTIATION */

-    /** Server: Negotiated TLS protocol version.
-     *  Client: Maximum TLS version to be negotiated, then negotiated TLS
-     *          version.
+    /**
+     *  Maximum TLS version to be negotiated, then negotiated TLS version.
     *
-     *  It is initialized as the maximum TLS version to be negotiated in the
-     *  ClientHello writing preparation stage and used throughout the
-     *  ClientHello writing. For a fresh handshake not linked to any previous
-     *  handshake, it is initialized to the configured maximum TLS version
-     *  to be negotiated. When renegotiating or resuming a session, it is
-     *  initialized to the previously negotiated TLS version.
+     *  It is initialized as the configured maximum TLS version to be
+     *  negotiated by mbedtls_ssl_setup().
     *
-     *  Updated to the negotiated TLS version as soon as the ServerHello is
-     *  received.
+     *  When renegotiating or resuming a session, it is overwritten in the
+     *  ClientHello writing preparation stage with the previously negotiated
+     *  TLS version.
+     *
+     *  On client side, updated to the TLS version selected by the server for
+     *  the handshake when the ServerHello is received.
+     *
+     *  On server side, updated to the TLS version the server selects for the
+     *  handshake when the ClientHello is received.
     */
    mbedtls_ssl_protocol_version MBEDTLS_PRIVATE(tls_version);

--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@ -769,7 +769,6 @@ static int ssl_prepare_client_hello(mbedtls_ssl_context *ssl)
            ssl->tls_version = session_negotiate->tls_version;
            ssl->handshake->min_tls_version = ssl->tls_version;
        } else {
-            ssl->tls_version = ssl->conf->max_tls_version;
            ssl->handshake->min_tls_version = ssl->conf->min_tls_version;
        }
    }
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -1393,6 +1393,7 @@ int mbedtls_ssl_setup(mbedtls_ssl_context *ssl,
    if ((ret = ssl_conf_check(ssl)) != 0) {
        return ret;
    }
+    ssl->tls_version = ssl->conf->max_tls_version;

    /*
     * Prepare base structures