From 90f012037dda434ab75a81f74c950616f5752f3c Mon Sep 17 00:00:00 2001
From: Ronald Cron <ronald.cron@arm.com>
Date: Tue, 15 Mar 2022 15:37:13 +0100
Subject: [PATCH] ssl_tls12_server.c: Simplify TLS version check in ClientHello

The TLS server code only support TLS 1.2 thus simplify
the check of the version proposed by the client.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
---
 library/ssl_misc.h         |  2 --
 library/ssl_tls12_server.c | 24 +++++-------------------
 2 files changed, 5 insertions(+), 21 deletions(-)

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 47976a868e..289a64a1d6 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -539,8 +539,6 @@ struct mbedtls_ssl_handshake_params
 {
     /* Frequently-used boolean or byte fields (placed early to take
      * advantage of smaller code size for indirect access on Arm Thumb) */
-    uint8_t max_major_ver;              /*!< max. major version client*/
-    uint8_t max_minor_ver;              /*!< max. minor version client*/
     uint8_t resume;                     /*!<  session resume indicator*/
     uint8_t cli_exts;                   /*!< client extension presence*/
 
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 5bbcd63319..fe81e34d39 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -1415,29 +1415,15 @@ read_record_header:
                       ssl->conf->transport, buf );
     ssl->session_negotiate->minor_ver = ssl->minor_ver;
 
-    ssl->handshake->max_major_ver = ssl->major_ver;
-    ssl->handshake->max_minor_ver = ssl->minor_ver;
-
-    if( ssl->major_ver < ssl->conf->min_major_ver ||
-        ssl->minor_ver < ssl->conf->min_minor_ver )
+    if( ( ssl->major_ver != MBEDTLS_SSL_MAJOR_VERSION_3 ) ||
+        ( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) )
     {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
-                            " [%d:%d] < [%d:%d]",
-                            ssl->major_ver, ssl->minor_ver,
-                            ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "server only supports TLS 1.2" ) );
         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
                                      MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
         return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
     }
 
-    if( ssl->major_ver > ssl->conf->max_major_ver )
-    {
-        ssl->major_ver = ssl->conf->max_major_ver;
-        ssl->minor_ver = ssl->conf->max_minor_ver;
-    }
-    else if( ssl->minor_ver > ssl->conf->max_minor_ver )
-        ssl->minor_ver = ssl->conf->max_minor_ver;
-
     /*
      * Save client random (inc. Unix time)
      */
@@ -3660,8 +3646,8 @@ static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
         return( ret );
 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
 
-    mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
-                               ssl->handshake->max_minor_ver,
+    mbedtls_ssl_write_version( MBEDTLS_SSL_MAJOR_VERSION_3,
+                               MBEDTLS_SSL_MINOR_VERSION_3,
                                ssl->conf->transport, ver );
 
     /* Avoid data-dependent branches while checking for invalid