tls: enable net.tls_sticket_secret() for session resumption across processes
authorPetr Špaček <petr.spacek@nic.cz>
Thu, 9 Jul 2020 14:51:54 +0000 (16:51 +0200)
committerTomas Krizek <tomas.krizek@nic.cz>
Fri, 10 Jul 2020 12:18:37 +0000 (14:18 +0200)
NEWS
daemon/tls_session_ticket-srv.c

diff --git a/NEWS b/NEWS
index 35605d72e1521b8cd47d8915bff0b98a7a5f74d1..91464668a182a8103ab8be57fd72716fff0deb36 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,10 @@ Improvements
 ------------
 - capabilities are no longer constrained when running as root (!1012)
 
+Bugfixes
+--------
+- tls: fix compilation to support net.tls_sticket_secret() (!1021)
+
 
 Knot Resolver 5.1.2 (2020-07-01)
 ================================
index 4335c69e14738d4bcd8fe9e4c13508b69914b23d..ac4fb2e17d6f536d9548fc5264f018510c773136 100644 (file)
 
 /** Compile-time support for setting the secret. */
 /* This is not secure with TLS <= 1.2 but TLS 1.3 and secure configuration
- * is not available in GnuTLS yet. See https://gitlab.com/gnutls/gnutls/issues/477
-#ifndef TLS_SESSION_RESUMPTION_SYNC
-       #define TLS_SESSION_RESUMPTION_SYNC (GNUTLS_VERSION_NUMBER >= 0x030603)
+ * is not available in GnuTLS yet. See https://gitlab.com/gnutls/gnutls/issues/477 */
+#define TLS_SESSION_RESUMPTION_SYNC (GNUTLS_VERSION_NUMBER >= 0x030603)
+#if TLS_SESSION_RESUMPTION_SYNC
+       #define TST_HASH GNUTLS_DIG_SHA3_512
+#else
+       #define TST_HASH abort()
 #endif
-*/
 
 #if GNUTLS_VERSION_NUMBER < 0x030400
        /* It's of little use anyway.  We may get the secret through lua,
        #define gnutls_memset memset
 #endif
 
-#ifdef GNUTLS_DIG_SHA3_512
-       #define TST_HASH GNUTLS_DIG_SHA3_512
-#else
-       #define TST_HASH abort()
-#endif
-
 /** Fields are internal to tst_key_* functions. */
 typedef struct tls_session_ticket_ctx {
        uv_timer_t timer;       /**< timer for rotation of the key */
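Review bot: The `#define TLS_SESSION_RESUMPTION_SYNC (GNUTLS_VERSION_NUMBER >= 0x030603)` in the first hunk of daemon/tls_session_ticket-srv.c is now unconditional, so the feature that the comment directly above it calls "not secure with TLS <= 1.2" is compiled in for every build against GnuTLS >= 3.6.3, with no build-time opt-out. Keeping the guard the old, accidentally commented-out text intended would let packagers pass `-DTLS_SESSION_RESUMPTION_SYNC=0`: `#ifndef TLS_SESSION_RESUMPTION_SYNC`, then the `#define`, then `#endif`. The comment should also say what "not secure" means for an operator: a ticket secret shared across processes is long-lived key material, and with TLS <= 1.2 a party that obtains it can likely decrypt resumed sessions it has recorded, so the secret needs the same protection and rotation as a private key. Whether the code that consumes the secret restricts resumption to TLS 1.3 or warns at runtime is outside this hunk and worth confirming before release.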