Move ssl_set_fallback() to work on conf
Initially thought it would be per-connection, but since max_version is in conf
too, and you need to lower that for a fallback connection, the fallback flag
should be in the same place
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index c57cb1c..a73ffe5 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -931,6 +931,9 @@
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
unsigned int session_tickets : 1; /*!< use session tickets? */
#endif
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
+ unsigned int fallback : 1; /*!< is this a fallback? */
+#endif
}
mbedtls_ssl_config;
@@ -956,10 +959,6 @@
unsigned badmac_seen; /*!< records with a bad MAC received */
#endif
-#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
- char fallback; /*!< flag for fallback connections */
-#endif
-
/*
* Callbacks
*/
@@ -1820,10 +1819,10 @@
* while, then cause failures when the server is upgraded to
* support a newer TLS version.
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param fallback MBEDTLS_SSL_IS_NOT_FALLBACK or MBEDTLS_SSL_IS_FALLBACK
*/
-void mbedtls_ssl_set_fallback( mbedtls_ssl_context *ssl, char fallback );
+void mbedtls_ssl_set_fallback( mbedtls_ssl_config *conf, char fallback );
#endif /* MBEDTLS_SSL_FALLBACK_SCSV && MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 354cc5a..bbc8838 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -733,7 +733,7 @@
/* Some versions of OpenSSL don't handle it correctly if not at end */
#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
- if( ssl->fallback == MBEDTLS_SSL_IS_FALLBACK )
+ if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
*p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index e93182c..f72a2c4 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5569,9 +5569,9 @@
}
#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
-void mbedtls_ssl_set_fallback( mbedtls_ssl_context *ssl, char fallback )
+void mbedtls_ssl_set_fallback( mbedtls_ssl_config *conf, char fallback )
{
- ssl->fallback = fallback;
+ conf->fallback = fallback;
}
#endif
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index c6d1ff4..afaafc4 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -1207,7 +1207,7 @@
#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
if( opt.fallback != DFL_FALLBACK )
- mbedtls_ssl_set_fallback( &ssl, opt.fallback );
+ mbedtls_ssl_set_fallback( &conf, opt.fallback );
#endif
mbedtls_printf( " ok\n" );