From e1a0c25f71c7ee592492f12aa3abf61052dad1da Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Thu, 13 Jan 2022 01:08:03 +0100
Subject: [PATCH] New function to access the TLS version from a context as an enum

Signed-off-by: Gilles Peskine
---
 ChangeLog.d/ssl_context-version_number.txt | 3 +++
 include/mbedtls/ssl.h | 19 +++++++++++++++++++
 library/ssl_tls.c | 15 +++++++++++++++
 3 files changed, 37 insertions(+)
 create mode 100644 ChangeLog.d/ssl_context-version_number.txt

diff --git a/ChangeLog.d/ssl_context-version_number.txt b/ChangeLog.d/ssl_context-version_number.txt
new file mode 100644
index 000000000..97395f435
--- /dev/null
+++ b/ChangeLog.d/ssl_context-version_number.txt
@@ -0,0 +1,3 @@
+Features
+ * Add a function to access the TLS version from a context in a form that's
+ easy to compare. Fixes #5407.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index ecfcfc63d..d911b8f05 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1161,6 +1161,14 @@ struct mbedtls_ssl_session
 #endif
 };
+/** Human-friendly representation of the (D)TLS protocol version. */
+typedef enum
+{
+ MBEDTLS_SSL_VERSION_UNKNOWN, /*!< Context not in use or version not yet negotiated. */
+ MBEDTLS_SSL_VERSION_1_2, /*!< (D)TLS 1.2 */
+ MBEDTLS_SSL_VERSION_1_3, /*!< (D)TLS 1.3 */
+} mbedtls_ssl_protocol_version;
+
 /*
 * Identifiers for PRFs used in various versions of TLS.
 */
@@ -3933,6 +3941,17 @@ int mbedtls_ssl_get_ciphersuite_id_from_ssl( const mbedtls_ssl_context *ssl );
 */
 const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl );
+
+/**
+ * \brief Return the (D)TLS protocol version negotiated in the
+ * given connection.
+ *
+ * \param ssl The SSL context to query.
+ * \return The negotiated protocol version.
+ */
+mbedtls_ssl_protocol_version mbedtls_ssl_get_version_number(
+ const mbedtls_ssl_context *ssl );
+
 /**
 * \brief Return the current TLS version
 *
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index e80adb155..436e15c14 100644
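Review bot: In the `mbedtls_ssl_protocol_version` enum added by the first include/mbedtls/ssl.h hunk, the enumerators take implicit values, yet the changelog presents the type as easy to compare, so their relative order is effectively part of the API. A caller that enforces a minimum protocol version with `>=` depends on `MBEDTLS_SSL_VERSION_UNKNOWN` sorting below every real version and on later versions being appended in order. I would state that in the type's doc comment, e.g. `/** ... Values increase with the protocol version; MBEDTLS_SSL_VERSION_UNKNOWN compares lowest. */`, and pin the first enumerator with `MBEDTLS_SSL_VERSION_UNKNOWN = 0,`.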
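Review bot: The `\return` text for `mbedtls_ssl_get_version_number` in the second include/mbedtls/ssl.h hunk promises "the negotiated protocol version" and never mentions the `MBEDTLS_SSL_VERSION_UNKNOWN` result that the enum documents for an unused context or an unfinished negotiation. Code that logs or gates a policy decision on the result needs to know that this case exists and must be handled as "no version", not as an acceptable one. Suggest adding `\return #MBEDTLS_SSL_VERSION_UNKNOWN if the context is not in use or no version has been negotiated yet.` next to the existing `\return` line.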
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2206,6 +2206,21 @@ const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl )
 return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );
 }
+mbedtls_ssl_protocol_version mbedtls_ssl_get_version_number(
+ const mbedtls_ssl_context *ssl )
+{
+ /* For major_ver, only 3 is supported, so skip checking it. */
+ switch( ssl->minor_ver )
+ {
+ case MBEDTLS_SSL_MINOR_VERSION_3:
+ return( MBEDTLS_SSL_VERSION_1_2 );
+ case MBEDTLS_SSL_MINOR_VERSION_4:
+ return( MBEDTLS_SSL_VERSION_1_3 );
+ default:
+ return( MBEDTLS_SSL_VERSION_UNKNOWN );
+ }
+}
+
 const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
 {
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
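Review bot: The switch in `mbedtls_ssl_get_version_number` reads `ssl->minor_ver` without looking at the handshake state, so the documented meaning of `MBEDTLS_SSL_VERSION_UNKNOWN` ("version not yet negotiated") holds only if `minor_ver` never equals `MBEDTLS_SSL_MINOR_VERSION_3` or `MBEDTLS_SSL_MINOR_VERSION_4` before a version has actually been agreed. Nothing in this hunk establishes that. If the field is written earlier in the handshake (an assumption to confirm against the code that sets it), a caller checking the version mid-handshake would act on a value the peer has not confirmed. I would record the invariant next to the existing comment, e.g. `/* Relies on minor_ver holding neither 3 nor 4 until the version has been negotiated. */`, or add a state check if that invariant does not hold.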