New function to access the TLS version from a context as an enum
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/ChangeLog.d/ssl_context-version_number.txt b/ChangeLog.d/ssl_context-version_number.txt
new file mode 100644
index 0000000..97395f4
--- /dev/null
+++ b/ChangeLog.d/ssl_context-version_number.txt
@@ -0,0 +1,3 @@
+Features
+ * Add a function to access the TLS version from a context in a form that's
+ easy to compare. Fixes #5407.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index ecfcfc6..d911b8f 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1161,6 +1161,14 @@
#endif
};
+/** Human-friendly representation of the (D)TLS protocol version. */
+typedef enum
+{
+ MBEDTLS_SSL_VERSION_UNKNOWN, /*!< Context not in use or version not yet negotiated. */
+ MBEDTLS_SSL_VERSION_1_2, /*!< (D)TLS 1.2 */
+ MBEDTLS_SSL_VERSION_1_3, /*!< (D)TLS 1.3 */
+} mbedtls_ssl_protocol_version;
+
/*
* Identifiers for PRFs used in various versions of TLS.
*/
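Review bot: The doc comment on `mbedtls_ssl_protocol_version` does not say that the enumerators are ordered by protocol version, although the ChangeLog entry advertises the value as easy to compare. A caller enforcing a minimum version will likely write `mbedtls_ssl_get_version_number( ssl ) >= MBEDTLS_SSL_VERSION_1_2`, and that check fails closed only because `MBEDTLS_SSL_VERSION_UNKNOWN` happens to be the implicit 0. I would make this a documented guarantee by writing `MBEDTLS_SSL_VERSION_UNKNOWN = 0,` and adding a sentence such as `Values are ordered: UNKNOWN compares lower than any real version, and later protocol versions compare higher.` so that a future enumerator cannot be inserted out of order unnoticed.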
@@ -3933,6 +3941,17 @@
*/
const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl );
+
+/**
+ * \brief Return the (D)TLS protocol version negotiated in the
+ * given connection.
+ *
+ * \param ssl The SSL context to query.
+ * \return The negotiated protocol version.
+ */
+mbedtls_ssl_protocol_version mbedtls_ssl_get_version_number(
+ const mbedtls_ssl_context *ssl );
+
/**
* \brief Return the current TLS version
*
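Review bot: The `\return` text for `mbedtls_ssl_get_version_number()` omits `MBEDTLS_SSL_VERSION_UNKNOWN`, which the implementation in library/ssl_tls.c returns for every `minor_ver` value other than the two it maps. It also does not say from which point in the handshake the result is final. The implementation reads `ssl->minor_ver` directly, so if that field can be assigned before the handshake completes (not visible in this diff), an application gating a policy decision on the result could read it too early. Suggested wording: `\return The negotiated protocol version, or #MBEDTLS_SSL_VERSION_UNKNOWN if no version has been negotiated yet; only meaningful once the handshake has completed.`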
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index e80adb1..436e15c 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2206,6 +2206,21 @@
return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );
}
+mbedtls_ssl_protocol_version mbedtls_ssl_get_version_number(
+ const mbedtls_ssl_context *ssl )
+{
+ /* For major_ver, only 3 is supported, so skip checking it. */
+ switch( ssl->minor_ver )
+ {
+ case MBEDTLS_SSL_MINOR_VERSION_3:
+ return( MBEDTLS_SSL_VERSION_1_2 );
+ case MBEDTLS_SSL_MINOR_VERSION_4:
+ return( MBEDTLS_SSL_VERSION_1_3 );
+ default:
+ return( MBEDTLS_SSL_VERSION_UNKNOWN );
+ }
+}
+
const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
{
#if defined(MBEDTLS_SSL_PROTO_DTLS)