From: Vladimír Čunát
Date: Fri, 29 Jun 2018 09:34:12 +0000 (+0200)
Subject: TLS session resumption: disable on gnutls < 3.5
X-Git-Tag: v2.4.0~7^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=10b9aa70912c940106b28a982ca5facd0b25053b;p=thirdparty%2Fknot-resolver.git
TLS session resumption: disable on gnutls < 3.5
---
diff --git a/NEWS b/NEWS
index d68bfae7e..fbbabeff8 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,7 @@ Security
 New features
 ------------
 - TLS session resumption (RFC 5077), both server and client (!585, #105)
+ (disabled when compiling with gnutls < 3.5)
 - aggressive caching for NSEC3 zones
 - optional protection from DNS Rebinding attack (module rebinding)
diff --git a/daemon/tls_session_ticket-srv.c b/daemon/tls_session_ticket-srv.c
index 11a7e3196..9c7acbb18 100644
--- a/daemon/tls_session_ticket-srv.c
+++ b/daemon/tls_session_ticket-srv.c
@@ -240,6 +240,10 @@ tst_ctx_t * tls_session_ticket_ctx_create(uv_loop_t *loop, const char *secret,
 size_t secret_len)
 {
 assert(loop && (!secret_len || secret));
+ #if GNUTLS_VERSION_NUMBER < 0x030500
+ /* We would need different SESSION_KEY_SIZE; avoid assert. */
+ return NULL;
+ #endif
 tst_ctx_t *ctx = tst_key_create(secret, secret_len, loop);
 if (ctx) {
 tst_key_check(&ctx->timer, true);
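Review bot: The early `return NULL;` inside the `#if GNUTLS_VERSION_NUMBER < 0x030500` block in tls_session_ticket_ctx_create() makes an unsupported build indistinguishable from a failed `tst_key_create()`, so an operator who configured a ticket secret gets no signal that resumption is off. The callers are outside this hunk, so whether they log or treat NULL as fatal cannot be seen here; I would state the contract in the function's header comment, e.g. `/* Returns NULL on failure, and always when built against gnutls < 3.5 (session tickets unsupported). */`, and have the caller report it once. The guard is also compile-time only, against the gnutls headers; if the SESSION_KEY_SIZE assumption can break with an older library loaded at run time, a `gnutls_check_version("3.5.0")` test would cover that case. Putting the remainder of the body under `#else` would avoid compiling unreachable code on old gnutls; the function body continues past the end of the hunk.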