4 files changed, 55 insertions, 9 deletions
diff --git a/ChangeLog b/ChangeLog
index 58b87e3a..690232ee 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Mon 15 Apr 2019 05:33:52 PM CEST
+        Add MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT and
+        MHD_USE_INSECURE_TLS_EARLY_DATA flags. -CG
 Mon 08 Apr 2019 03:06:05 PM CEST
        Fix close() checks as suggested by MK on the mailinglist
        (#3926). -MK/CG
diff --git a/doc/libmicrohttpd.texi b/doc/libmicrohttpd.texi
index 97a79bdc..ad297faa 100644
--- a/doc/libmicrohttpd.texi
+++ b/doc/libmicrohttpd.texi
@@ -615,6 +615,26 @@ on platform.  If application doesn't have requirements for any
 specific polling function, it's recommended to use this flag.  This
 flag is very convenient for multiplatform applications.
+@item MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT
+Tell the TLS library to support post handshake client authentication.
+Only useful in combination with @code{MHD_USE_TLS}.
+This option will only work if the underyling TLS library
+supports it (i.e. GnuTLS after 3.6.3). If the TLS library
+does not support it, MHD may ignore the option and proceed
+without supporting this features. 
+@item MHD_USE_INSECURE_TLS_EARLY_DATA
+Tell the TLS library to support TLS v1.3 early data (0-RTT) with the
+resulting security drawbacks. Only enable this if you really know what
+you are doing. MHD currently does NOT enforce that this only affects
+GET requests! You have been warned.
+This option will only work if the underyling TLS library
+supports it (i.e. GnuTLS after 3.6.3). If the TLS library
+does not support it, MHD may ignore the option and proceed
+without supporting this features. 
 @end table
 @end deftp
diff --git a/src/include/microhttpd.h b/src/include/microhttpd.h
index 4917f62b..7bb0e084 100644
--- a/src/include/microhttpd.h
+++ b/src/include/microhttpd.h
@@ -126,7 +126,7 @@ typedef intptr_t ssize_t;
 * Current version of the library.
 * 0x01093001 = 1.9.30-1.
 */
-#define MHD_VERSION 0x00096301
+#define MHD_VERSION 0x00096302
 /**
 * MHD-internal return code for "YES".
@@ -1147,7 +1147,19 @@ enum MHD_FLAG
   * This is combination of #MHD_USE_AUTO and #MHD_USE_INTERNAL_POLLING_THREAD
   * flags.
   */
-  MHD_USE_AUTO_INTERNAL_THREAD = MHD_USE_AUTO | MHD_USE_INTERNAL_POLLING_THREAD
+  MHD_USE_AUTO_INTERNAL_THREAD = MHD_USE_AUTO | MHD_USE_INTERNAL_POLLING_THREAD,
+  /**
+   * Flag set to enable post-handshake client authentication
+   * (only useful in combination with #MHD_USE_TLS).
+   */
+  MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT = 1U <<17,
+  /**
+   * Flag set to enable TLS 1.3 early data.  This has
+   * security implications, be VERY careful when using this.
+   */
+  MHD_USE_INSECURE_TLS_EARLY_DATA = 1U <<18
 };
diff --git a/src/microhttpd/daemon.c b/src/microhttpd/daemon.c
index ab75273b..af137a80 100644
--- a/src/microhttpd/daemon.c
+++ b/src/microhttpd/daemon.c
@@ -2460,17 +2460,27 @@ internal_add_connection (struct MHD_Daemon *daemon,
  else
    {
 #ifdef HTTPS_SUPPORT
-      connection->tls_state = MHD_TLS_CONN_INIT;
+      gnutls_init_flags_t flags;
-      MHD_set_https_callbacks (connection);
-      gnutls_init (&connection->tls_session,
+      flags = GNUTLS_SERVER;
-                   GNUTLS_SERVER
 #if (GNUTLS_VERSION_NUMBER+0 >= 0x030402)
-                   | GNUTLS_NO_SIGNAL
+      flags |= GNUTLS_NO_SIGNAL;
 #endif /* GNUTLS_VERSION_NUMBER >= 0x030402 */
 #if GNUTLS_VERSION_MAJOR >= 3
-                   | GNUTLS_NONBLOCK
+      flags |= GNUTLS_NONBLOCK;
 #endif /* GNUTLS_VERSION_MAJOR >= 3*/
-                  );
+#if (GNUTLS_VERSION_NUMBER+0 >= 0x030603)
+      if (0 != (daemon->options & MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT))
+        flags |= GNUTLS_POST_HANDSHAKE_AUTH;
+#endif
+#if (GNUTLS_VERSION_NUMBER+0 >= 0x030605)
+      if (0 != (daemon->options & MHD_USE_INSECURE_TLS_EARLY_DATA))
+        flags |= GNUTLS_ENABLE_EARLY_DATA;
+#endif      
+      connection->tls_state = MHD_TLS_CONN_INIT;
+      MHD_set_https_callbacks (connection);
+      gnutls_init (&connection->tls_session,
+                   flags);
      gnutls_priority_set (connection->tls_session,
                           daemon->priority_cache);
      gnutls_session_set_ptr (connection->tls_session,

diff --git a/ChangeLog b/ChangeLog index 58b87e3a..690232ee 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -1,3 +1,7 @@
		1	Mon 15 Apr 2019 05:33:52 PM CEST
		2	Add MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT and
		3	MHD_USE_INSECURE_TLS_EARLY_DATA flags. -CG
		4
1	Mon 08 Apr 2019 03:06:05 PM CEST	5	Mon 08 Apr 2019 03:06:05 PM CEST
2	Fix close() checks as suggested by MK on the mailinglist	6	Fix close() checks as suggested by MK on the mailinglist
3	(#3926). -MK/CG	7	(#3926). -MK/CG


diff --git a/doc/libmicrohttpd.texi b/doc/libmicrohttpd.texi index 97a79bdc..ad297faa 100644 --- a/doc/libmicrohttpd.texi +++ b/doc/libmicrohttpd.texi
@@ -615,6 +615,26 @@ on platform. If application doesn't have requirements for any
615	specific polling function, it's recommended to use this flag. This	615	specific polling function, it's recommended to use this flag. This
616	flag is very convenient for multiplatform applications.	616	flag is very convenient for multiplatform applications.
617		617
		618	@item MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT
		619	Tell the TLS library to support post handshake client authentication.
		620	Only useful in combination with @code{MHD_USE_TLS}.
		621
		622	This option will only work if the underyling TLS library
		623	supports it (i.e. GnuTLS after 3.6.3). If the TLS library
		624	does not support it, MHD may ignore the option and proceed
		625	without supporting this features.
		626
		627	@item MHD_USE_INSECURE_TLS_EARLY_DATA
		628	Tell the TLS library to support TLS v1.3 early data (0-RTT) with the
		629	resulting security drawbacks. Only enable this if you really know what
		630	you are doing. MHD currently does NOT enforce that this only affects
		631	GET requests! You have been warned.
		632
		633	This option will only work if the underyling TLS library
		634	supports it (i.e. GnuTLS after 3.6.3). If the TLS library
		635	does not support it, MHD may ignore the option and proceed
		636	without supporting this features.
		637
618	@end table	638	@end table
619	@end deftp	639	@end deftp
620		640


diff --git a/src/include/microhttpd.h b/src/include/microhttpd.h index 4917f62b..7bb0e084 100644 --- a/src/include/microhttpd.h +++ b/src/include/microhttpd.h
@@ -126,7 +126,7 @@ typedef intptr_t ssize_t;
126	* Current version of the library.	126	* Current version of the library.
127	* 0x01093001 = 1.9.30-1.	127	* 0x01093001 = 1.9.30-1.
128	*/	128	*/
129	#define MHD_VERSION 0x00096301	129	#define MHD_VERSION 0x00096302
130		130
131	/**	131	/**
132	* MHD-internal return code for "YES".	132	* MHD-internal return code for "YES".
@@ -1147,7 +1147,19 @@ enum MHD_FLAG
1147	* This is combination of #MHD_USE_AUTO and #MHD_USE_INTERNAL_POLLING_THREAD	1147	* This is combination of #MHD_USE_AUTO and #MHD_USE_INTERNAL_POLLING_THREAD
1148	* flags.	1148	* flags.
1149	*/	1149	*/
1150	MHD_USE_AUTO_INTERNAL_THREAD = MHD_USE_AUTO \| MHD_USE_INTERNAL_POLLING_THREAD	1150	MHD_USE_AUTO_INTERNAL_THREAD = MHD_USE_AUTO \| MHD_USE_INTERNAL_POLLING_THREAD,
		1151
		1152	/**
		1153	* Flag set to enable post-handshake client authentication
		1154	* (only useful in combination with #MHD_USE_TLS).
		1155	*/
		1156	MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT = 1U <<17,
		1157
		1158	/**
		1159	* Flag set to enable TLS 1.3 early data. This has
		1160	* security implications, be VERY careful when using this.
		1161	*/
		1162	MHD_USE_INSECURE_TLS_EARLY_DATA = 1U <<18
1151		1163
1152	};	1164	};
1153		1165


diff --git a/src/microhttpd/daemon.c b/src/microhttpd/daemon.c index ab75273b..af137a80 100644 --- a/src/microhttpd/daemon.c +++ b/src/microhttpd/daemon.c
@@ -2460,17 +2460,27 @@ internal_add_connection (struct MHD_Daemon *daemon,
2460	else	2460	else
2461	{	2461	{
2462	#ifdef HTTPS_SUPPORT	2462	#ifdef HTTPS_SUPPORT
2463	connection->tls_state = MHD_TLS_CONN_INIT;	2463	gnutls_init_flags_t flags;
2464	MHD_set_https_callbacks (connection);	2464
2465	gnutls_init (&connection->tls_session,	2465	flags = GNUTLS_SERVER;
2466	GNUTLS_SERVER
2467	#if (GNUTLS_VERSION_NUMBER+0 >= 0x030402)	2466	#if (GNUTLS_VERSION_NUMBER+0 >= 0x030402)
2468	\| GNUTLS_NO_SIGNAL	2467	flags \|= GNUTLS_NO_SIGNAL;
2469	#endif /* GNUTLS_VERSION_NUMBER >= 0x030402 */	2468	#endif /* GNUTLS_VERSION_NUMBER >= 0x030402 */
2470	#if GNUTLS_VERSION_MAJOR >= 3	2469	#if GNUTLS_VERSION_MAJOR >= 3
2471	\| GNUTLS_NONBLOCK	2470	flags \|= GNUTLS_NONBLOCK;
2472	#endif /* GNUTLS_VERSION_MAJOR >= 3*/	2471	#endif /* GNUTLS_VERSION_MAJOR >= 3*/
2473	);	2472	#if (GNUTLS_VERSION_NUMBER+0 >= 0x030603)
		2473	if (0 != (daemon->options & MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT))
		2474	flags \|= GNUTLS_POST_HANDSHAKE_AUTH;
		2475	#endif
		2476	#if (GNUTLS_VERSION_NUMBER+0 >= 0x030605)
		2477	if (0 != (daemon->options & MHD_USE_INSECURE_TLS_EARLY_DATA))
		2478	flags \|= GNUTLS_ENABLE_EARLY_DATA;
		2479	#endif
		2480	connection->tls_state = MHD_TLS_CONN_INIT;
		2481	MHD_set_https_callbacks (connection);
		2482	gnutls_init (&connection->tls_session,
		2483	flags);
2474	gnutls_priority_set (connection->tls_session,	2484	gnutls_priority_set (connection->tls_session,
2475	daemon->priority_cache);	2485	daemon->priority_cache);
2476	gnutls_session_set_ptr (connection->tls_session,	2486	gnutls_session_set_ptr (connection->tls_session,