From: gnunet
Subject: [GNUnet-SVN] [libmicrohttpd] branch master updated: add flags for TLS option control
Date: Mon, 15 Apr 2019 17:38:53 +0200
This is an automated email from the git hooks/post-receive script.
grothoff pushed a commit to branch master
in repository libmicrohttpd.
The following commit(s) were added to refs/heads/master by this push:
new 1917b866 add flags for TLS option control
1917b866 is described below
commit 1917b866996413f09fa88ae0a6169cb9bd7079e8
Author: Christian Grothoff <address@hidden>
AuthorDate: Mon Apr 15 17:38:16 2019 +0200
add flags for TLS option control
---
ChangeLog | 4 ++++
doc/libmicrohttpd.texi | 20 ++++++++++++++++++++
src/include/microhttpd.h | 16 ++++++++++++++--
src/microhttpd/daemon.c | 24 +++++++++++++++++-------
4 files changed, 55 insertions(+), 9 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 58b87e3a..690232ee 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Mon 15 Apr 2019 05:33:52 PM CEST
+ Add MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT and
+ MHD_USE_INSECURE_TLS_EARLY_DATA flags. -CG
+
Mon 08 Apr 2019 03:06:05 PM CEST
Fix close() checks as suggested by MK on the mailinglist
(#3926). -MK/CG
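Review bot: the new ChangeLog entry names the two flags but not the GnuTLS versions they depend on, which the daemon.c part of this commit gates separately (GNUTLS_VERSION_NUMBER >= 0x030603 for MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT, >= 0x030605 for MHD_USE_INSECURE_TLS_EARLY_DATA). Since both flags are silently dropped on older GnuTLS, a half-line such as "(requires GnuTLS 3.6.3 / 3.6.5 or later, otherwise ignored)" here would save packagers and users a trip into daemon.c.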
diff --git a/doc/libmicrohttpd.texi b/doc/libmicrohttpd.texi
index 97a79bdc..ad297faa 100644
--- a/doc/libmicrohttpd.texi
+++ b/doc/libmicrohttpd.texi
@@ -615,6 +615,26 @@ on platform. If application doesn't have requirements for
any
specific polling function, it's recommended to use this flag. This
flag is very convenient for multiplatform applications.
address@hidden MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT
+Tell the TLS library to support post handshake client authentication.
+Only useful in combination with @code{MHD_USE_TLS}.
+
+This option will only work if the underyling TLS library
+supports it (i.e. GnuTLS after 3.6.3). If the TLS library
+does not support it, MHD may ignore the option and proceed
+without supporting this features.
+
address@hidden MHD_USE_INSECURE_TLS_EARLY_DATA
+Tell the TLS library to support TLS v1.3 early data (0-RTT) with the
+resulting security drawbacks. Only enable this if you really know what
+you are doing. MHD currently does NOT enforce that this only affects
+GET requests! You have been warned.
+
+This option will only work if the underyling TLS library
+supports it (i.e. GnuTLS after 3.6.3). If the TLS library
+does not support it, MHD may ignore the option and proceed
+without supporting this features.
+
@end table
@end deftp
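Review bot: the MHD_USE_INSECURE_TLS_EARLY_DATA paragraph says the option works with "GnuTLS after 3.6.3", but daemon.c in this same commit only sets GNUTLS_ENABLE_EARLY_DATA when GNUTLS_VERSION_NUMBER >= 0x030605, so the documented minimum for that flag should be 3.6.5; "after 3.6.3" also reads as "later than 3.6.3" where the code accepts 3.6.3 itself, so "3.6.3 or later" is the accurate phrasing for MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT. Both paragraphs repeat the typos "underyling" (underlying) and "this features" (this feature). Finally, since the text already concedes that MHD does not restrict early data to GET, it should state the consequence for application authors explicitly: TLS 1.3 0-RTT data can be replayed by anyone on the path, so any non-idempotent request (POST, state-changing GET) reaching the handler may have been delivered more than once, and the application must detect or tolerate that itself.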
diff --git a/src/include/microhttpd.h b/src/include/microhttpd.h
index 4917f62b..7bb0e084 100644
--- a/src/include/microhttpd.h
+++ b/src/include/microhttpd.h
@@ -126,7 +126,7 @@ typedef intptr_t ssize_t;
* Current version of the library.
* 0x01093001 = 1.9.30-1.
*/
-#define MHD_VERSION 0x00096301
+#define MHD_VERSION 0x00096302
/**
* MHD-internal return code for "YES".
@@ -1147,7 +1147,19 @@ enum MHD_FLAG
* This is combination of #MHD_USE_AUTO and #MHD_USE_INTERNAL_POLLING_THREAD
* flags.
*/
- MHD_USE_AUTO_INTERNAL_THREAD = MHD_USE_AUTO | MHD_USE_INTERNAL_POLLING_THREAD
+ MHD_USE_AUTO_INTERNAL_THREAD = MHD_USE_AUTO |
MHD_USE_INTERNAL_POLLING_THREAD,
+
+ /**
+ * Flag set to enable post-handshake client authentication
+ * (only useful in combination with #MHD_USE_TLS).
+ */
+ MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT = 1U <<17,
+
+ /**
+ * Flag set to enable TLS 1.3 early data. This has
+ * security implications, be VERY careful when using this.
+ */
+ MHD_USE_INSECURE_TLS_EARLY_DATA = 1U <<18
};
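Review bot: the doc comment on MHD_USE_INSECURE_TLS_EARLY_DATA says "This has security implications, be VERY careful" without naming them; the header is what most callers actually read, so mirror the texi text here: early data can be replayed, and MHD does not limit it to GET requests. Both new entries should also say that they are no-ops unless GnuTLS is new enough (3.6.3 and 3.6.5 respectively, per the version gates in daemon.c), as the texi already does for the "MHD may ignore the option" case; otherwise a reader of microhttpd.h alone has no way to know that setting the flag may silently do nothing.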
diff --git a/src/microhttpd/daemon.c b/src/microhttpd/daemon.c
index ab75273b..af137a80 100644
--- a/src/microhttpd/daemon.c
+++ b/src/microhttpd/daemon.c
@@ -2460,17 +2460,27 @@ internal_add_connection (struct MHD_Daemon *daemon,
else
{
#ifdef HTTPS_SUPPORT
- connection->tls_state = MHD_TLS_CONN_INIT;
- MHD_set_https_callbacks (connection);
- gnutls_init (&connection->tls_session,
- GNUTLS_SERVER
+ gnutls_init_flags_t flags;
+
+ flags = GNUTLS_SERVER;
#if (GNUTLS_VERSION_NUMBER+0 >= 0x030402)
- | GNUTLS_NO_SIGNAL
+ flags |= GNUTLS_NO_SIGNAL;
#endif /* GNUTLS_VERSION_NUMBER >= 0x030402 */
#if GNUTLS_VERSION_MAJOR >= 3
- | GNUTLS_NONBLOCK
+ flags |= GNUTLS_NONBLOCK;
#endif /* GNUTLS_VERSION_MAJOR >= 3*/
- );
+#if (GNUTLS_VERSION_NUMBER+0 >= 0x030603)
+ if (0 != (daemon->options & MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT))
+ flags |= GNUTLS_POST_HANDSHAKE_AUTH;
+#endif
+#if (GNUTLS_VERSION_NUMBER+0 >= 0x030605)
+ if (0 != (daemon->options & MHD_USE_INSECURE_TLS_EARLY_DATA))
+ flags |= GNUTLS_ENABLE_EARLY_DATA;
+#endif
+ connection->tls_state = MHD_TLS_CONN_INIT;
+ MHD_set_https_callbacks (connection);
+ gnutls_init (&connection->tls_session,
+ flags);
gnutls_priority_set (connection->tls_session,
daemon->priority_cache);
gnutls_session_set_ptr (connection->tls_session,
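Review bot: the two feature checks drop the requested option silently when GnuTLS is too old (MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT below 0x030603, MHD_USE_INSECURE_TLS_EARLY_DATA below 0x030605). For the early-data flag that is the safe direction, but for post-handshake auth an application that set the flag expecting to request a client certificate later will get no error and no certificate; consider at least a warning on the daemon's error log in the "#else" branch of each version check so the failure is visible. Note also that the only early-data handling in this hunk is the GNUTLS_ENABLE_EARLY_DATA bit: nothing here reads 0-RTT data separately or adds anti-replay state, and the texi text in this commit confirms there is no GET-only restriction, so a request carried in early data is processed like any other; if that is intended for now, the commit message or ChangeLog should say so. Lastly, the return value of the rewritten gnutls_init (&connection->tls_session, flags) call is still unchecked before gnutls_priority_set uses the session; since this line was touched anyway, checking it for GNUTLS_E_SUCCESS and failing the connection on error would be a cheap improvement.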