author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-10-21 10:26:13 +0200 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-10-21 10:29:38 +0200 |
commit | eb134302567f875c6f2f50cbb7c0a18b7bf5ebc3 (patch) | |
tree | 6148aeb98d2ccc7964ca90de734dfacf19cd7cd3 | |
parent | 10e063fb387eea60aae3b1528175a1526128f816 (diff) | |
gnutls_init: added GNUTLS_NO_TICKETS flags
These flags allow the callers to disable the automatically enabled
session tickets. Previously this could only be done with GNUTLS_NO_EXTENSIONS,
which also disabled other useful extensions.
-rw-r--r-- | lib/includes/gnutls/gnutls.h.in | 7 | ||||
-rw-r--r-- | lib/state.c | 3 |
2 files changed, 8 insertions, 2 deletions
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 7134e2c094..2d5f5097b7 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -356,6 +356,7 @@ typedef enum {
  * @GNUTLS_ALLOW_ID_CHANGE: Allow the peer to replace its certificate, or change its ID during a rehandshake. This change is often used in attacks and thus prohibited by default. Since 3.5.0.
  * @GNUTLS_ENABLE_FALSE_START: Enable the TLS false start on client side if the negotiated ciphersuites allow it. This will enable sending data prior to the handshake being complete, and may introduce a risk of crypto failure when combined with certain key exchanged; for that GnuTLS may not enable that option in ciphersuites that are known to be not safe for false start. Since 3.5.0.
  * @GNUTLS_FORCE_CLIENT_CERT: When in client side and only a single cert is specified, send that certificate irrespective of the issuers expectated by the server. Since 3.5.0.
+ * @GNUTLS_NO_TICKETS: Flag to indicate that the session should not use resumption with session tickets.
  *
  * Enumeration of different flags for gnutls_init() function. All the flags
  * can be combined except @GNUTLS_SERVER and @GNUTLS_CLIENT which are mutually
@@ -371,7 +372,8 @@ typedef enum {
 	GNUTLS_NO_SIGNAL = (1<<6),
 	GNUTLS_ALLOW_ID_CHANGE = (1<<7),
 	GNUTLS_ENABLE_FALSE_START = (1<<8),
-	GNUTLS_FORCE_CLIENT_CERT = (1<<9)
+	GNUTLS_FORCE_CLIENT_CERT = (1<<9),
+	GNUTLS_NO_TICKETS = (1<<10)
 } gnutls_init_flags_t;
 
 /* compatibility defines (previous versions of gnutls
@@ -384,6 +386,9 @@ typedef enum {
 #define GNUTLS_NO_REPLAY_PROTECTION (1<<5)
 #define GNUTLS_NO_SIGNAL (1<<6)
 #define GNUTLS_ALLOW_ID_CHANGE (1<<7)
+#define GNUTLS_ENABLE_FALSE_START (1<<8)
+#define GNUTLS_FORCE_CLIENT_CERT (1<<9)
+#define GNUTLS_NO_TICKETS (1<<10)
 
 /**
  * gnutls_alert_level_t:
diff --git a/lib/state.c b/lib/state.c
index 08861f017b..496afe4af5 100644
--- a/lib/state.c
+++ b/lib/state.c
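Review bot: The new `@GNUTLS_NO_TICKETS` entry in the first hunk omits the `Since x.y.z.` marker that the three neighbouring entries carry, so readers of the public header cannot tell which release introduced the flag; I would write ` * @GNUTLS_NO_TICKETS: Flag to indicate that the session should not use resumption with session tickets. Since <RELEASE-VERSION>.` with the version filled in from the release being prepared. The entry also reads as if it governed the whole session, yet the only place this commit consumes the flag (lib/state.c) is inside the client-only extension block, so the doc should say explicitly that it only suppresses the automatic client-side ticket enablement and that server-side ticket support is configured separately (presumably through gnutls_session_ticket_enable_server()). The enum and the compatibility `#define` hunks are consistent with each other (both use `(1<<10)`), so no change is needed there.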
@@ -429,7 +429,8 @@ int gnutls_init(gnutls_session_t * session, unsigned int flags)
 	/* Enable useful extensions */
 	if ((flags & GNUTLS_CLIENT) && !(flags & GNUTLS_NO_EXTENSIONS)) {
 #ifdef ENABLE_SESSION_TICKETS
-		gnutls_session_ticket_enable_client(*session);
+		if (!(flags & GNUTLS_NO_TICKETS))
+			gnutls_session_ticket_enable_client(*session);
 #endif
 #ifdef ENABLE_OCSP
 		gnutls_ocsp_status_request_enable_client(*session, NULL, 0,
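Review bot: The added check only skips the automatic `gnutls_session_ticket_enable_client()` call; it does not record the flag in the session, so an application that later calls that function explicitly still gets tickets, and a caller that passes GNUTLS_NO_TICKETS without GNUTLS_CLIENT gets no effect at all because the enclosing `if` is gated on `flags & GNUTLS_CLIENT`. That is acceptable behaviour, but it should be stated in a comment at the new `if` so nobody reads the flag as a hard disable, e.g. `/* GNUTLS_NO_TICKETS only suppresses the automatic client-side enable; an explicit later call still turns tickets on */`. Since the flag is a security-relevant opt-out (disabling tickets is how a client avoids resumption state encrypted under a server's long-lived ticket key), it would also be worth a one-line mention in the gnutls_init() doc comment, which lies outside this hunk. The body of gnutls_init continues past the hunk.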