s->client_version = clienthello->legacy_version;
}
/*
- * Do SSL/TLS version negotiation if applicable. For DTLS we just check
- * versions are potentially compatible. Version negotiation comes later.
+ * Do SSL/TLS version negotiation if applicable.
*/
- if (!SSL_CONNECTION_IS_DTLS(s)) {
- protverr = ssl_choose_server_version(s, clienthello, &dgrd);
- } else if (ssl->method->version != DTLS_ANY_VERSION &&
- DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) {
+ if (SSL_CONNECTION_IS_DTLS(s)
+ && ssl->method->version != DTLS_ANY_VERSION
+ && DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) {
protverr = SSL_R_VERSION_TOO_LOW;
} else {
- protverr = 0;
+ protverr = ssl_choose_server_version(s, clienthello, &dgrd);
}
if (protverr) {
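Review bot: The new `else` branch calls `ssl_choose_server_version(s, clienthello, &dgrd)` for DTLS before the cookie check, whereas the block removed further down sat after `s->d1->cookie_verified = 1`. If that function updates `s->version` or the method (its body is not visible here), connection state now changes on a ClientHello from a peer that has not yet proven return routability, so please confirm that is harmless or document why. The call is also now reached for fixed-version DTLS methods, which the old code limited to `DTLS_ANY_VERSION`. The removed error path set `s->version = s->client_version` before `SSLfatal`; the surviving `if (protverr)` body continues outside the hunk, so check that it still does this for DTLS. The shortened comment drops the DTLS explanation entirely; I would keep a line such as `For a fixed-version DTLS method, reject a too-low legacy_version first; otherwise negotiate as for TLS (this runs before cookie verification).`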
}
s->d1->cookie_verified = 1;
}
- if (ssl->method->version == DTLS_ANY_VERSION) {
- protverr = ssl_choose_server_version(s, clienthello, &dgrd);
- if (protverr != 0) {
- s->version = s->client_version;
- SSLfatal(s, SSL_AD_PROTOCOL_VERSION, protverr);
- goto err;
- }
- }
}
s->hit = 0;