From 1917b866996413f09fa88ae0a6169cb9bd7079e8 Mon Sep 17 00:00:00 2001
From: Christian Grothoff
Date: Mon, 15 Apr 2019 17:38:16 +0200
Subject: add flags for TLS option control

---
 ChangeLog | 4 ++++
 doc/libmicrohttpd.texi | 20 ++++++++++++++++++++
 src/include/microhttpd.h | 16 ++++++++++++++--
 src/microhttpd/daemon.c | 24 +++++++++++++++++------
 4 files changed, 55 insertions(+), 9 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 58b87e3a..690232ee 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Mon 15 Apr 2019 05:33:52 PM CEST
+ Add MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT and
+ MHD_USE_INSECURE_TLS_EARLY_DATA flags. -CG
+
 Mon 08 Apr 2019 03:06:05 PM CEST
 Fix close() checks as suggested by MK on the mailinglist (#3926). -MK/CG
diff --git a/doc/libmicrohttpd.texi b/doc/libmicrohttpd.texi
index 97a79bdc..ad297faa 100644
--- a/doc/libmicrohttpd.texi
+++ b/doc/libmicrohttpd.texi
@@ -615,6 +615,26 @@ on platform. If application doesn't have requirements for any specific polling function, it's recommended to use this flag. This flag is very convenient for multiplatform applications.
+@item MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT
+Tell the TLS library to support post handshake client authentication.
+Only useful in combination with @code{MHD_USE_TLS}.
+
+This option will only work if the underyling TLS library
+supports it (i.e. GnuTLS after 3.6.3). If the TLS library
+does not support it, MHD may ignore the option and proceed
+without supporting this features.
+
+@item MHD_USE_INSECURE_TLS_EARLY_DATA
+Tell the TLS library to support TLS v1.3 early data (0-RTT) with the
+resulting security drawbacks. Only enable this if you really know what
+you are doing. MHD currently does NOT enforce that this only affects
+GET requests! You have been warned.
+
+This option will only work if the underyling TLS library
+supports it (i.e. GnuTLS after 3.6.3). If the TLS library
+does not support it, MHD may ignore the option and proceed
+without supporting this features.
+
 @end table
 @end deftp
diff --git a/src/include/microhttpd.h b/src/include/microhttpd.h
index 4917f62b..7bb0e084 100644
--- a/src/include/microhttpd.h
+++ b/src/include/microhttpd.h
@@ -126,7 +126,7 @@ typedef intptr_t ssize_t;
 * Current version of the library.
 * 0x01093001 = 1.9.30-1.
 */
-#define MHD_VERSION 0x00096301
+#define MHD_VERSION 0x00096302

 /**
 * MHD-internal return code for "YES".
@@ -1147,7 +1147,19 @@ enum MHD_FLAG
 * This is combination of #MHD_USE_AUTO and #MHD_USE_INTERNAL_POLLING_THREAD
 * flags.
 */
- MHD_USE_AUTO_INTERNAL_THREAD = MHD_USE_AUTO | MHD_USE_INTERNAL_POLLING_THREAD
+ MHD_USE_AUTO_INTERNAL_THREAD = MHD_USE_AUTO | MHD_USE_INTERNAL_POLLING_THREAD,
+
+ /**
+ * Flag set to enable post-handshake client authentication
+ * (only useful in combination with #MHD_USE_TLS).
+ */
+ MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT = 1U <<17,
+
+ /**
+ * Flag set to enable TLS 1.3 early data. This has
+ * security implications, be VERY careful when using this.
+ */
+ MHD_USE_INSECURE_TLS_EARLY_DATA = 1U <<18
 };
diff --git a/src/microhttpd/daemon.c b/src/microhttpd/daemon.c
index ab75273b..af137a80 100644
--- a/src/microhttpd/daemon.c
+++ b/src/microhttpd/daemon.c
@@ -2460,17 +2460,27 @@ internal_add_connection (struct MHD_Daemon *daemon,
 else
 {
 #ifdef HTTPS_SUPPORT
- connection->tls_state = MHD_TLS_CONN_INIT;
- MHD_set_https_callbacks (connection);
- gnutls_init (&connection->tls_session,
- GNUTLS_SERVER
+ gnutls_init_flags_t flags;
+
+ flags = GNUTLS_SERVER;
 #if (GNUTLS_VERSION_NUMBER+0 >= 0x030402)
- | GNUTLS_NO_SIGNAL
+ flags |= GNUTLS_NO_SIGNAL;
 #endif /* GNUTLS_VERSION_NUMBER >= 0x030402 */
 #if GNUTLS_VERSION_MAJOR >= 3
- | GNUTLS_NONBLOCK
+ flags |= GNUTLS_NONBLOCK;
 #endif /* GNUTLS_VERSION_MAJOR >= 3*/
- );
+#if (GNUTLS_VERSION_NUMBER+0 >= 0x030603)
+ if (0 != (daemon->options & MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT))
+ flags |= GNUTLS_POST_HANDSHAKE_AUTH;
+#endif
+#if (GNUTLS_VERSION_NUMBER+0 >= 0x030605)
+ if (0 != (daemon->options & MHD_USE_INSECURE_TLS_EARLY_DATA))
+ flags |= GNUTLS_ENABLE_EARLY_DATA;
+#endif
+ connection->tls_state = MHD_TLS_CONN_INIT;
+ MHD_set_https_callbacks (connection);
+ gnutls_init (&connection->tls_session,
+ flags);
 gnutls_priority_set (connection->tls_session,
 daemon->priority_cache);
 gnutls_session_set_ptr (connection->tls_session,
-- cgit v1.2.3
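Review bot: The Doxygen comments on the two new MHD_FLAG values leave out the caveats this same commit puts in the texi: that MHD does not limit early data to GET requests (so a request carried as 0-RTT data can be replayed against the application) and that either flag is ignored without notice when the GnuTLS in use is too old. Since the header is what most integrators read, suggest extending MHD_USE_INSECURE_TLS_EARLY_DATA with `* Early (0-RTT) data can be replayed and MHD does NOT restrict it to` / `* idempotent (GET) requests. Ignored if GnuTLS is older than 3.6.5.` and MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT with `* Ignored if GnuTLS is older than 3.6.3.`. The hunk does not show the other bit assignments, so I could not confirm that bits 17 and 18 are unused; `1U <<17` would also read better as `1U << 17`.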
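Review bot: When an application sets MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT or MHD_USE_INSECURE_TLS_EARLY_DATA but the GnuTLS headers predate the guard (0x030603 / 0x030605), the new `#if` blocks drop the request without any trace, so a daemon configured to rely on post-handshake client authentication runs without it and nothing in the log says so; an `#else` branch reporting the ignored option (sketched below, under the usual HAVE_MESSAGES guard) would make the texi's "MHD may ignore the option" observable to operators. For the early-data flag, GnuTLS's 0-RTT replay protection is configured separately through gnutls_anti_replay_enable() and nothing here sets it up, so whether a 3.6.5+ build accepts replayable early data with this flag alone should be confirmed before the flag ships. The texi in this commit says the early-data option needs GnuTLS after 3.6.3 while the guard here is 0x030605; one of the two should be aligned. The return value of gnutls_init() remains unchecked on the new side, as it was before. internal_add_connection continues beyond both ends of the hunk.
```c
#if (GNUTLS_VERSION_NUMBER+0 >= 0x030603)
      /* … unchanged: flags |= GNUTLS_POST_HANDSHAKE_AUTH when requested … */
#else
#ifdef HAVE_MESSAGES
      if (0 != (daemon->options & MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT))
        MHD_DLOG (daemon,
                  _("Post-handshake client authentication requested, but unsupported by this GnuTLS; ignoring\n"));
#endif /* HAVE_MESSAGES */
#endif
#if (GNUTLS_VERSION_NUMBER+0 >= 0x030605)
      /* … unchanged: flags |= GNUTLS_ENABLE_EARLY_DATA when requested … */
#else
#ifdef HAVE_MESSAGES
      if (0 != (daemon->options & MHD_USE_INSECURE_TLS_EARLY_DATA))
        MHD_DLOG (daemon,
                  _("TLS early data requested, but unsupported by this GnuTLS; ignoring\n"));
#endif /* HAVE_MESSAGES */
#endif
```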