author | Christian Grothoff <christian@grothoff.org> | 2019-04-15 17:38:16 +0200 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2019-04-15 17:38:16 +0200 |
commit | 1917b866996413f09fa88ae0a6169cb9bd7079e8 (patch) | |
tree | e82839d66549250ce8d7eb88c56e41e1a06dc62d | |
parent | ef15b53cb101c378a905faa759aa95429d2e965d (diff) | |
download | libmicrohttpd-1917b866996413f09fa88ae0a6169cb9bd7079e8.tar.gz libmicrohttpd-1917b866996413f09fa88ae0a6169cb9bd7079e8.zip |
add flags for TLS option control
-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | doc/libmicrohttpd.texi | 20 | ||||
-rw-r--r-- | src/include/microhttpd.h | 16 | ||||
-rw-r--r-- | src/microhttpd/daemon.c | 24 |
4 files changed, 55 insertions, 9 deletions
@@ -1,3 +1,7 @@ | |||
1 | Mon 15 Apr 2019 05:33:52 PM CEST | ||
2 | Add MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT and | ||
3 | MHD_USE_INSECURE_TLS_EARLY_DATA flags. -CG | ||
4 | |||
1 | Mon 08 Apr 2019 03:06:05 PM CEST | 5 | Mon 08 Apr 2019 03:06:05 PM CEST |
2 | Fix close() checks as suggested by MK on the mailinglist | 6 | Fix close() checks as suggested by MK on the mailinglist |
3 | (#3926). -MK/CG | 7 | (#3926). -MK/CG |
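--- a/doc/libmicrohttpd.texi
+++ b/doc/libmicrohttpd.texi
@@ -615,6 +615,26 @@ on platform. If application doesn't have requirements for any
 specific polling function, it's recommended to use this flag. This
 flag is very convenient for multiplatform applications.
 
+@item MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT
+Tell the TLS library to support post handshake client authentication.
+Only useful in combination with @code{MHD_USE_TLS}.
+
+This option will only work if the underyling TLS library
+supports it (i.e. GnuTLS after 3.6.3). If the TLS library
+does not support it, MHD may ignore the option and proceed
+without supporting this features.
+
+@item MHD_USE_INSECURE_TLS_EARLY_DATA
+Tell the TLS library to support TLS v1.3 early data (0-RTT) with the
+resulting security drawbacks. Only enable this if you really know what
+you are doing. MHD currently does NOT enforce that this only affects
+GET requests! You have been warned.
+
+This option will only work if the underyling TLS library
+supports it (i.e. GnuTLS after 3.6.3). If the TLS library
+does not support it, MHD may ignore the option and proceed
+without supporting this features.
+
 @end table
 @end deftp
 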
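--- a/src/include/microhttpd.h
+++ b/src/include/microhttpd.h
@@ -126,7 +126,7 @@ typedef intptr_t ssize_t;
 * Current version of the library.
 * 0x01093001 = 1.9.30-1.
 */
-#define MHD_VERSION 0x00096301
+#define MHD_VERSION 0x00096302
 
 /**
 * MHD-internal return code for "YES".
@@ -1147,7 +1147,19 @@ enum MHD_FLAG
 * This is combination of #MHD_USE_AUTO and #MHD_USE_INTERNAL_POLLING_THREAD
 * flags.
 */
-MHD_USE_AUTO_INTERNAL_THREAD = MHD_USE_AUTO | MHD_USE_INTERNAL_POLLING_THREAD
+MHD_USE_AUTO_INTERNAL_THREAD = MHD_USE_AUTO | MHD_USE_INTERNAL_POLLING_THREAD,
+
+/**
+* Flag set to enable post-handshake client authentication
+* (only useful in combination with #MHD_USE_TLS).
+*/
+MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT = 1U <<17,
+
+/**
+* Flag set to enable TLS 1.3 early data. This has
+* security implications, be VERY careful when using this.
+*/
+MHD_USE_INSECURE_TLS_EARLY_DATA = 1U <<18
 
 };
 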
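Review bot: The doc comment on `MHD_USE_INSECURE_TLS_EARLY_DATA` says only that it "has security implications", and neither new comment says that the flag is silently dropped when the TLS library is too old to honour it, although the texi text added in this same commit states both points and the header is what most integrators actually read. Suggest replacing the early-data comment with `* Flag set to enable TLS 1.3 early data (0-RTT). Early data has no replay protection and MHD does NOT restrict it to GET requests; only set this if every handler tolerates replayed requests.` and appending `* Silently ignored if the underlying TLS library does not support it.` to both new entries. The definition of enum MHD_FLAG begins before the hunk, so I could not confirm from this page that bits 17 and 18 are not already taken by an existing member; worth a quick check against the rest of the enum.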
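--- a/src/microhttpd/daemon.c
+++ b/src/microhttpd/daemon.c
@@ -2460,17 +2460,27 @@ internal_add_connection (struct MHD_Daemon *daemon,
 else
 {
 #ifdef HTTPS_SUPPORT
-connection->tls_state = MHD_TLS_CONN_INIT;
-MHD_set_https_callbacks (connection);
-gnutls_init (&connection->tls_session,
-GNUTLS_SERVER
+gnutls_init_flags_t flags;
+
+flags = GNUTLS_SERVER;
 #if (GNUTLS_VERSION_NUMBER+0 >= 0x030402)
-| GNUTLS_NO_SIGNAL
+flags |= GNUTLS_NO_SIGNAL;
 #endif /* GNUTLS_VERSION_NUMBER >= 0x030402 */
 #if GNUTLS_VERSION_MAJOR >= 3
-| GNUTLS_NONBLOCK
+flags |= GNUTLS_NONBLOCK;
 #endif /* GNUTLS_VERSION_MAJOR >= 3*/
-);
+#if (GNUTLS_VERSION_NUMBER+0 >= 0x030603)
+if (0 != (daemon->options & MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT))
+flags |= GNUTLS_POST_HANDSHAKE_AUTH;
+#endif
+#if (GNUTLS_VERSION_NUMBER+0 >= 0x030605)
+if (0 != (daemon->options & MHD_USE_INSECURE_TLS_EARLY_DATA))
+flags |= GNUTLS_ENABLE_EARLY_DATA;
+#endif
+connection->tls_state = MHD_TLS_CONN_INIT;
+MHD_set_https_callbacks (connection);
+gnutls_init (&connection->tls_session,
+flags);
 gnutls_priority_set (connection->tls_session,
 daemon->priority_cache);
 gnutls_session_set_ptr (connection->tls_session,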
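Review bot: The new `gnutls_init_flags_t flags;` declaration at the top of the rewritten block may not compile against GnuTLS 2.x, which the retained `#if GNUTLS_VERSION_MAJOR >= 3` guard suggests is still a supported build; since GnuTLS 3 declares the parameter of gnutls_init as `unsigned int`, `unsigned int flags = GNUTLS_SERVER;` would be version-neutral and also folds the separate assignment. The return value of the restructured `gnutls_init (&connection->tls_session, flags);` call is still discarded, so a failed session allocation proceeds straight into `gnutls_priority_set` on a session that was never created; the rest of internal_add_connection, including whatever failure path it has, lies outside the hunk, so the check should route into that. Finally, on a GnuTLS older than 3.6.3 / 3.6.5 the two new option bits are silently dropped here, which matches the texi text, but a comment at the first new `#if` such as `/* both TLS option flags are silently ignored on older GnuTLS; see MHD_USE_* docs */` would make that visible to a reader of this function.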