authorChristian Grothoff <christian@grothoff.org>2019-04-15 17:38:16 +0200
committerChristian Grothoff <christian@grothoff.org>2019-04-15 17:38:16 +0200
commit1917b866996413f09fa88ae0a6169cb9bd7079e8 (patch)
treee82839d66549250ce8d7eb88c56e41e1a06dc62d
parentef15b53cb101c378a905faa759aa95429d2e965d (diff)
downloadlibmicrohttpd-1917b866996413f09fa88ae0a6169cb9bd7079e8.tar.gz
libmicrohttpd-1917b866996413f09fa88ae0a6169cb9bd7079e8.zip
add flags for TLS option control
-rw-r--r--ChangeLog4
-rw-r--r--doc/libmicrohttpd.texi20
-rw-r--r--src/include/microhttpd.h16
-rw-r--r--src/microhttpd/daemon.c24
4 files changed, 55 insertions, 9 deletions
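--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Mon 15 Apr 2019 05:33:52 PM CEST
+ Add MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT and
+ MHD_USE_INSECURE_TLS_EARLY_DATA flags. -CG
+
 Mon 08 Apr 2019 03:06:05 PM CEST
  Fix close() checks as suggested by MK on the mailinglist
  (#3926). -MK/CG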
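--- a/doc/libmicrohttpd.texi
+++ b/doc/libmicrohttpd.texi
@@ -615,6 +615,26 @@ on platform. If application doesn't have requirements for any
 specific polling function, it's recommended to use this flag. This
 flag is very convenient for multiplatform applications.
 
+@item MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT
+Tell the TLS library to support post handshake client authentication.
+Only useful in combination with @code{MHD_USE_TLS}.
+
+This option will only work if the underyling TLS library
+supports it (i.e. GnuTLS after 3.6.3). If the TLS library
+does not support it, MHD may ignore the option and proceed
+without supporting this features.
+
+@item MHD_USE_INSECURE_TLS_EARLY_DATA
+Tell the TLS library to support TLS v1.3 early data (0-RTT) with the
+resulting security drawbacks. Only enable this if you really know what
+you are doing. MHD currently does NOT enforce that this only affects
+GET requests! You have been warned.
+
+This option will only work if the underyling TLS library
+supports it (i.e. GnuTLS after 3.6.3). If the TLS library
+does not support it, MHD may ignore the option and proceed
+without supporting this features.
+
 @end table
 @end deftp
 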
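--- a/src/include/microhttpd.h
+++ b/src/include/microhttpd.h
@@ -126,7 +126,7 @@ typedef intptr_t ssize_t;
  * Current version of the library.
  * 0x01093001 = 1.9.30-1.
  */
-#define MHD_VERSION 0x00096301
+#define MHD_VERSION 0x00096302
 
 /**
  * MHD-internal return code for "YES".
@@ -1147,7 +1147,19 @@ enum MHD_FLAG
  * This is combination of #MHD_USE_AUTO and #MHD_USE_INTERNAL_POLLING_THREAD
  * flags.
  */
- MHD_USE_AUTO_INTERNAL_THREAD = MHD_USE_AUTO | MHD_USE_INTERNAL_POLLING_THREAD
+ MHD_USE_AUTO_INTERNAL_THREAD = MHD_USE_AUTO | MHD_USE_INTERNAL_POLLING_THREAD,
+
+ /**
+ * Flag set to enable post-handshake client authentication
+ * (only useful in combination with #MHD_USE_TLS).
+ */
+ MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT = 1U <<17,
+
+ /**
+ * Flag set to enable TLS 1.3 early data. This has
+ * security implications, be VERY careful when using this.
+ */
+ MHD_USE_INSECURE_TLS_EARLY_DATA = 1U <<18
 
 };
 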
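Review bot: The header comment on `MHD_USE_INSECURE_TLS_EARLY_DATA` leaves out what the texi in this same commit states — that 0-RTT data carries the usual early-data replay risk, that MHD does not restrict it to GET requests, and that the option is silently ignored when the TLS library lacks support — and the header is what most integrators actually read. Suggest widening the comment to `Flag set to enable TLS 1.3 early data (0-RTT). Early data may be replayed and MHD does NOT restrict it to GET requests, so only enable this if every handler is replay-safe; ignored if the TLS library does not support it.` The same "ignored if unsupported" sentence belongs on `MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT`, which currently only says it is useful with `#MHD_USE_TLS`. Worth confirming that bits 17 and 18 are not already taken by the other `MHD_FLAG` members, which lie outside this hunk.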
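--- a/src/microhttpd/daemon.c
+++ b/src/microhttpd/daemon.c
@@ -2460,17 +2460,27 @@ internal_add_connection (struct MHD_Daemon *daemon,
  else
  {
 #ifdef HTTPS_SUPPORT
- connection->tls_state = MHD_TLS_CONN_INIT;
- MHD_set_https_callbacks (connection);
- gnutls_init (&connection->tls_session,
- GNUTLS_SERVER
+ gnutls_init_flags_t flags;
+
+ flags = GNUTLS_SERVER;
 #if (GNUTLS_VERSION_NUMBER+0 >= 0x030402)
- | GNUTLS_NO_SIGNAL
+ flags |= GNUTLS_NO_SIGNAL;
 #endif /* GNUTLS_VERSION_NUMBER >= 0x030402 */
 #if GNUTLS_VERSION_MAJOR >= 3
- | GNUTLS_NONBLOCK
+ flags |= GNUTLS_NONBLOCK;
 #endif /* GNUTLS_VERSION_MAJOR >= 3*/
- );
+#if (GNUTLS_VERSION_NUMBER+0 >= 0x030603)
+ if (0 != (daemon->options & MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT))
+ flags |= GNUTLS_POST_HANDSHAKE_AUTH;
+#endif
+#if (GNUTLS_VERSION_NUMBER+0 >= 0x030605)
+ if (0 != (daemon->options & MHD_USE_INSECURE_TLS_EARLY_DATA))
+ flags |= GNUTLS_ENABLE_EARLY_DATA;
+#endif
+ connection->tls_state = MHD_TLS_CONN_INIT;
+ MHD_set_https_callbacks (connection);
+ gnutls_init (&connection->tls_session,
+ flags);
  gnutls_priority_set (connection->tls_session,
  daemon->priority_cache);
  gnutls_session_set_ptr (connection->tls_session,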
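Review bot: A daemon started with `MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT` or `MHD_USE_INSECURE_TLS_EARLY_DATA` against a GnuTLS older than the `0x030603` / `0x030605` gates has the bit silently dropped, so an operator who believes post-handshake client authentication is active gets no signal that it is not; a one-time `MHD_DLOG` warning (or refusing to start) in `MHD_start_daemon` when the bit is set but the corresponding `#if` is not satisfied would make that visible. The two version gates also differ (3.6.3 for post-handshake auth, 3.6.5 for early data) while the texi in this commit says "after 3.6.3" for both; the documentation should follow the code. Setting `GNUTLS_ENABLE_EARLY_DATA` by itself does nothing against 0-RTT replay — a replayed early-data request can presumably reach the application handler — so if the flag stays, consider either wiring GnuTLS's anti-replay support (the `gnutls_anti_replay_*` API from 3.6.5) or stating in the texi that handlers must be replay-safe. The return value of `gnutls_init` on the new side is still unchecked, which predates this change. `internal_add_connection` begins and ends outside the hunk.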