From: Nikos Mavrogiannopoulos
Date: Fri, 21 Oct 2016 08:26:13 +0000 (+0200)
Subject: gnutls_init: added GNUTLS_NO_TICKETS flags
X-Git-Tag: gnutls_3_5_6~46
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb134302567f875c6f2f50cbb7c0a18b7bf5ebc3;p=thirdparty%2Fgnutls.git

gnutls_init: added GNUTLS_NO_TICKETS flags

These flags allow the callers to disable the automatically enabled session tickets. This could be done only with GNUTLS_NO_EXTENSIONS which also disabled other useful extensions.
---
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 7134e2c094..2d5f5097b7 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -356,6 +356,7 @@ typedef enum {
  * @GNUTLS_ALLOW_ID_CHANGE: Allow the peer to replace its certificate, or change its ID during a rehandshake. This change is often used in attacks and thus prohibited by default. Since 3.5.0.
  * @GNUTLS_ENABLE_FALSE_START: Enable the TLS false start on client side if the negotiated ciphersuites allow it. This will enable sending data prior to the handshake being complete, and may introduce a risk of crypto failure when combined with certain key exchanged; for that GnuTLS may not enable that option in ciphersuites that are known to be not safe for false start. Since 3.5.0.
  * @GNUTLS_FORCE_CLIENT_CERT: When in client side and only a single cert is specified, send that certificate irrespective of the issuers expectated by the server. Since 3.5.0.
+ * @GNUTLS_NO_TICKETS: Flag to indicate that the session should not use resumption with session tickets.
  *
  * Enumeration of different flags for gnutls_init() function. All the flags
  * can be combined except @GNUTLS_SERVER and @GNUTLS_CLIENT which are mutually
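Review bot: The new `@GNUTLS_NO_TICKETS` doc line omits the `Since` marker that every neighbouring entry carries, and it does not say which side the flag is consulted on — in the lib/state.c hunk the check sits under `flags & GNUTLS_CLIENT`, so a server session gains nothing from setting it. Suggest `* @GNUTLS_NO_TICKETS: Flag to indicate that the session should not use resumption with session tickets. Currently only the client-side automatic enabling is affected. Since 3.5.6.` (the version is inferred from the X-Git-Tag and should be confirmed against the release the change lands in). Callers who set this to keep per-session forward secrecy with TLS 1.2 tickets will rely on that sentence, so it is worth being precise.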
@@ -371,7 +372,8 @@ typedef enum {
 	GNUTLS_NO_SIGNAL = (1<<6),
 	GNUTLS_ALLOW_ID_CHANGE = (1<<7),
 	GNUTLS_ENABLE_FALSE_START = (1<<8),
-	GNUTLS_FORCE_CLIENT_CERT = (1<<9)
+	GNUTLS_FORCE_CLIENT_CERT = (1<<9),
+	GNUTLS_NO_TICKETS = (1<<10)
 } gnutls_init_flags_t;
 
 /* compatibility defines (previous versions of gnutls
@@ -384,6 +386,9 @@ typedef enum {
 #define GNUTLS_NO_REPLAY_PROTECTION (1<<5)
 #define GNUTLS_NO_SIGNAL (1<<6)
 #define GNUTLS_ALLOW_ID_CHANGE (1<<7)
+#define GNUTLS_ENABLE_FALSE_START (1<<8)
+#define GNUTLS_FORCE_CLIENT_CERT (1<<9)
+#define GNUTLS_NO_TICKETS (1<<10)
 
 /**
  * gnutls_alert_level_t:
diff --git a/lib/state.c b/lib/state.c
index 08861f017b..496afe4af5 100644
--- a/lib/state.c
+++ b/lib/state.c
@@ -429,7 +429,8 @@ int gnutls_init(gnutls_session_t * session, unsigned int flags)
 	/* Enable useful extensions */
 	if ((flags & GNUTLS_CLIENT) && !(flags & GNUTLS_NO_EXTENSIONS)) {
 #ifdef ENABLE_SESSION_TICKETS
-		gnutls_session_ticket_enable_client(*session);
+		if (!(flags & GNUTLS_NO_TICKETS))
+			gnutls_session_ticket_enable_client(*session);
 #endif
 #ifdef ENABLE_OCSP
 		gnutls_ocsp_status_request_enable_client(*session, NULL, 0,
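Review bot: The second gnutls.h.in hunk adds compatibility `#define`s for `GNUTLS_ENABLE_FALSE_START` and `GNUTLS_FORCE_CLIENT_CERT` alongside the new `GNUTLS_NO_TICKETS` one, which is a separate fix the commit message does not mention. The hunk's context shows the compat list previously ended at `GNUTLS_ALLOW_ID_CHANGE`, so an application feature-testing with `#ifdef GNUTLS_ENABLE_FALSE_START` against earlier 3.5.x headers would have silently compiled the fallback path (inferred from the missing lines, not shown here). Either a sentence in the commit message or a separate commit would make that intent visible to people bisecting behaviour changes.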
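Review bot: The new check only gates the automatic `gnutls_session_ticket_enable_client(*session)` call and carries no comment about why a caller would opt out, so the next maintainer cannot tell whether this is a compatibility knob or a security one. Suggest a one-line comment above the new `if`, e.g. `/* GNUTLS_NO_TICKETS: caller opted out of ticket resumption (e.g. to avoid tying session secrecy to the server's ticket key) */`. Nothing in this hunk touches the server side, and an application that later calls the explicit ticket-enable API will still get tickets; if the flag is meant as a hard guarantee those paths (outside this hunk, inferred from the API names) would need to honour it too. The body of gnutls_init continues beyond the hunk.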