authorChristian Grothoff <christian@grothoff.org>2019-04-15 17:38:16 +0200
committerChristian Grothoff <christian@grothoff.org>2019-04-15 17:38:16 +0200
commit1917b866996413f09fa88ae0a6169cb9bd7079e8 (patch)
treee82839d66549250ce8d7eb88c56e41e1a06dc62d
parentef15b53cb101c378a905faa759aa95429d2e965d (diff)
add flags for TLS option control
-rw-r--r--ChangeLog4
-rw-r--r--doc/libmicrohttpd.texi20
-rw-r--r--src/include/microhttpd.h16
-rw-r--r--src/microhttpd/daemon.c24
4 files changed, 55 insertions, 9 deletions
diff --git a/ChangeLog b/ChangeLog
index 58b87e3a..690232ee 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Mon 15 Apr 2019 05:33:52 PM CEST
+ Add MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT and
+ MHD_USE_INSECURE_TLS_EARLY_DATA flags. -CG
+
Mon 08 Apr 2019 03:06:05 PM CEST
Fix close() checks as suggested by MK on the mailinglist
(#3926). -MK/CG
diff --git a/doc/libmicrohttpd.texi b/doc/libmicrohttpd.texi
index 97a79bdc..ad297faa 100644
--- a/doc/libmicrohttpd.texi
+++ b/doc/libmicrohttpd.texi
@@ -615,6 +615,26 @@ on platform. If application doesn't have requirements for any
specific polling function, it's recommended to use this flag. This
flag is very convenient for multiplatform applications.
+@item MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT
+Tell the TLS library to support post handshake client authentication.
+Only useful in combination with @code{MHD_USE_TLS}.
+
+This option will only work if the underyling TLS library
+supports it (i.e. GnuTLS after 3.6.3). If the TLS library
+does not support it, MHD may ignore the option and proceed
+without supporting this features.
+
+@item MHD_USE_INSECURE_TLS_EARLY_DATA
+Tell the TLS library to support TLS v1.3 early data (0-RTT) with the
+resulting security drawbacks. Only enable this if you really know what
+you are doing. MHD currently does NOT enforce that this only affects
+GET requests! You have been warned.
+
+This option will only work if the underyling TLS library
+supports it (i.e. GnuTLS after 3.6.3). If the TLS library
+does not support it, MHD may ignore the option and proceed
+without supporting this features.
+
@end table
@end deftp
diff --git a/src/include/microhttpd.h b/src/include/microhttpd.h
index 4917f62b..7bb0e084 100644
--- a/src/include/microhttpd.h
+++ b/src/include/microhttpd.h
@@ -126,7 +126,7 @@ typedef intptr_t ssize_t;
* Current version of the library.
* 0x01093001 = 1.9.30-1.
*/
-#define MHD_VERSION 0x00096301
+#define MHD_VERSION 0x00096302
/**
* MHD-internal return code for "YES".
@@ -1147,7 +1147,19 @@ enum MHD_FLAG
* This is combination of #MHD_USE_AUTO and #MHD_USE_INTERNAL_POLLING_THREAD
* flags.
*/
- MHD_USE_AUTO_INTERNAL_THREAD = MHD_USE_AUTO | MHD_USE_INTERNAL_POLLING_THREAD
+ MHD_USE_AUTO_INTERNAL_THREAD = MHD_USE_AUTO | MHD_USE_INTERNAL_POLLING_THREAD,
+
+ /**
+ * Flag set to enable post-handshake client authentication
+ * (only useful in combination with #MHD_USE_TLS).
+ */
+ MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT = 1U <<17,
+
+ /**
+ * Flag set to enable TLS 1.3 early data. This has
+ * security implications, be VERY careful when using this.
+ */
+ MHD_USE_INSECURE_TLS_EARLY_DATA = 1U <<18
};
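Review bot: The header comment on MHD_USE_INSECURE_TLS_EARLY_DATA (the member ending in `1U <<18`) says the flag has security implications but not what they are, while the texi text in this same commit states that MHD does not restrict 0-RTT data to GET requests; since the header is what most callers read, the replay caveat belongs here too. Suggested comment: `Flag to enable TLS 1.3 early data (0-RTT). Early data can be replayed by a network attacker and MHD does NOT restrict it to GET requests, so any request may be delivered more than once; only enable this if the application tolerates replays.` Both new comments should also say that the flag is silently ignored when the TLS library is too old (the texi names GnuTLS 3.6.3), so callers do not assume the feature is active after a successful MHD_start_daemon. As a style point, `1U <<17` / `1U <<18` would read better as `1U << 17` / `1U << 18`. The enum's earlier members are outside the hunk, so I could not confirm that bits 17 and 18 are not already taken by another MHD_FLAG value.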
diff --git a/src/microhttpd/daemon.c b/src/microhttpd/daemon.c
index ab75273b..af137a80 100644
--- a/src/microhttpd/daemon.c
+++ b/src/microhttpd/daemon.c
@@ -2460,17 +2460,27 @@ internal_add_connection (struct MHD_Daemon *daemon,
else
{
#ifdef HTTPS_SUPPORT
- connection->tls_state = MHD_TLS_CONN_INIT;
- MHD_set_https_callbacks (connection);
- gnutls_init (&connection->tls_session,
- GNUTLS_SERVER
+ gnutls_init_flags_t flags;
+
+ flags = GNUTLS_SERVER;
#if (GNUTLS_VERSION_NUMBER+0 >= 0x030402)
- | GNUTLS_NO_SIGNAL
+ flags |= GNUTLS_NO_SIGNAL;
#endif /* GNUTLS_VERSION_NUMBER >= 0x030402 */
#if GNUTLS_VERSION_MAJOR >= 3
- | GNUTLS_NONBLOCK
+ flags |= GNUTLS_NONBLOCK;
#endif /* GNUTLS_VERSION_MAJOR >= 3*/
- );
+#if (GNUTLS_VERSION_NUMBER+0 >= 0x030603)
+ if (0 != (daemon->options & MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT))
+ flags |= GNUTLS_POST_HANDSHAKE_AUTH;
+#endif
+#if (GNUTLS_VERSION_NUMBER+0 >= 0x030605)
+ if (0 != (daemon->options & MHD_USE_INSECURE_TLS_EARLY_DATA))
+ flags |= GNUTLS_ENABLE_EARLY_DATA;
+#endif
+ connection->tls_state = MHD_TLS_CONN_INIT;
+ MHD_set_https_callbacks (connection);
+ gnutls_init (&connection->tls_session,
+ flags);
gnutls_priority_set (connection->tls_session,
daemon->priority_cache);
gnutls_session_set_ptr (connection->tls_session,
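Review bot: The return value of `gnutls_init (&connection->tls_session, flags)` is still discarded, and the `gnutls_priority_set` / `gnutls_session_set_ptr` calls that follow then presumably operate on a session that was never created when initialisation fails (allocation failure, or a flag combination the library rejects). A check such as `if (GNUTLS_E_SUCCESS != gnutls_init (&connection->tls_session, flags))` routed to the function's existing error path would make the failure explicit; internal_add_connection starts and ends outside the hunk, so I cannot see which cleanup label applies. When GnuTLS is older than the guarded versions the two daemon options are silently dropped, which is fail-safe for MHD_USE_INSECURE_TLS_EARLY_DATA but leaves an application that relies on MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT with no indication that post-handshake authentication is not in effect, so a log message in an `#else` branch or a check at daemon start would help. The early-data guard uses 0x030605 while the texi in this commit says 3.6.3 for both flags; one of the two should be aligned.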