authorNikos Mavrogiannopoulos <nmav@gnutls.org>2019-01-10 07:56:17 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2019-01-10 07:58:12 +0100
commit8409f849969b460b49fc6904b0340d84a2689aeb (patch)
treed64dcbe8ad37b1921bd751d462e734f8d725ec3b
parentd894fed388b8d267df47a472e5d3055f8c35bbd6 (diff)
The flag %NO_EXTENSIONS is disabling extension support while being functionaltmp-fix-no-extensions
That is, the %NO_EXTENSIONS option is the only documented way to disable extensions completely for a session. Clarify that message, mention that its behavior is undefined when combined with TLS1.3, and make sure that it is functional. The latter makes sure that the safe renegotiation and extended master secret extensions remain disabled when this flag is given. That simplifies testing certain scenarios under TLS1.0 or TLS1.1 when no extensions must be used. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-rw-r--r--doc/cha-gtls-app.texi3
-rw-r--r--lib/ext/ext_master_secret.c2
-rw-r--r--lib/ext/safe_renegotiation.c3
-rw-r--r--tests/no-extensions.c8
4 files changed, 11 insertions, 5 deletions
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 393283e0c9..8d5d9b7cfa 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -1507,7 +1507,8 @@ with %COMPAT.
@item %NO_EXTENSIONS @tab
will prevent the sending of any TLS extensions in client side. Note
that TLS 1.2 requires extensions to be used, as well as safe
-renegotiation thus this option must be used with care.
+renegotiation thus this option must be used with care. When this option
+is set with TLS1.3 enabled the session behavior is undefined.
@item %NO_TICKETS @tab
will prevent the advertizing of the TLS session ticket extension.
diff --git a/lib/ext/ext_master_secret.c b/lib/ext/ext_master_secret.c
index bafdd7ebd0..f4843e186f 100644
--- a/lib/ext/ext_master_secret.c
+++ b/lib/ext/ext_master_secret.c
@@ -72,6 +72,7 @@ _gnutls_ext_master_secret_recv_params(gnutls_session_t session,
ssize_t data_size = _data_size;
if ((session->internals.flags & GNUTLS_NO_EXTENSIONS) ||
+ session->internals.priorities->no_extensions ||
session->internals.no_ext_master_secret != 0) {
return 0;
}
@@ -104,6 +105,7 @@ _gnutls_ext_master_secret_send_params(gnutls_session_t session,
gnutls_buffer_st * extdata)
{
if ((session->internals.flags & GNUTLS_NO_EXTENSIONS) ||
+ session->internals.priorities->no_extensions != 0 ||
session->internals.no_ext_master_secret != 0) {
session->security_parameters.ext_master_secret = 0;
return 0;
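Review bot: The two new guards test the same field in two different spellings: line 39 in _gnutls_ext_master_secret_recv_params uses `session->internals.priorities->no_extensions ||` while line 47 in _gnutls_ext_master_secret_send_params uses `session->internals.priorities->no_extensions != 0 ||`. Both are correct, but the surrounding condition already spells the bare-flag test as `no_ext_master_secret != 0`, so the recv_params line would read consistently as `session->internals.priorities->no_extensions != 0 ||`. Both guards dereference internals.priorities without a NULL check; the pre-existing guard in safe_renegotiation.c does the same, so presumably priorities is always set before these run — worth confirming rather than assuming. A one-line comment above each guard, `/* disabled by the GNUTLS_NO_EXTENSIONS init flag, the %NO_EXTENSIONS priority keyword, or explicitly */`, would make the three disabling paths visible to a reader. Both function bodies continue outside the hunks.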
diff --git a/lib/ext/safe_renegotiation.c b/lib/ext/safe_renegotiation.c
index 26d25165bc..8e8798dc5b 100644
--- a/lib/ext/safe_renegotiation.c
+++ b/lib/ext/safe_renegotiation.c
@@ -54,7 +54,8 @@ _gnutls_ext_sr_finished(gnutls_session_t session, void *vdata,
sr_ext_st *priv;
gnutls_ext_priv_data_t epriv;
- if (session->internals.priorities->sr == SR_DISABLED) {
+ if (session->internals.priorities->sr == SR_DISABLED ||
+ session->internals.priorities->no_extensions) {
return 0;
}
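Review bot: The widened guard in _gnutls_ext_sr_finished returns 0 before the finished data is recorded whenever no_extensions is set, regardless of what priorities->sr holds, so %NO_EXTENSIONS now silently overrides a %SAFE_RENEGOTIATION setting in the same priority string. That precedence is intentional per the commit message but is not visible at this site; a comment such as `/* %NO_EXTENSIONS takes precedence over the safe-renegotiation setting: no data is kept because the extension is never sent */` would record it. Whether the handshake later rejects a missing extension when sr is required is decided outside this hunk and should be checked against the TLS1.2 test case added in tests/no-extensions.c. The rest of _gnutls_ext_sr_finished is outside the hunk.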
diff --git a/tests/no-extensions.c b/tests/no-extensions.c
index 76e0040dae..9ea03446ed 100644
--- a/tests/no-extensions.c
+++ b/tests/no-extensions.c
@@ -130,7 +130,7 @@ void start(const char *prio)
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
- gnutls_init(&server, GNUTLS_SERVER|GNUTLS_NO_EXTENSIONS);
+ gnutls_init(&server, GNUTLS_SERVER);
gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
serverx509cred);
assert(gnutls_priority_set_direct(server, prio, NULL)>=0);
@@ -152,7 +152,7 @@ void start(const char *prio)
if (ret < 0)
exit(1);
- ret = gnutls_init(&client, GNUTLS_CLIENT|GNUTLS_NO_EXTENSIONS);
+ ret = gnutls_init(&client, GNUTLS_CLIENT);
if (ret < 0)
exit(1);
@@ -203,5 +203,7 @@ void start(const char *prio)
void doit(void)
{
- start("NORMAL:-VERS-ALL:+VERS-TLS1.0:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION");
+ start("NORMAL:-VERS-ALL:+VERS-TLS1.0:%NO_EXTENSIONS");
+ start("NORMAL:-VERS-ALL:+VERS-TLS1.1:%NO_EXTENSIONS");
+ start("NORMAL:-VERS-ALL:+VERS-TLS1.2:%NO_EXTENSIONS");
}
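Review bot: Removing GNUTLS_NO_EXTENSIONS from both gnutls_init() calls (lines 71 and 79) means this test now exercises only the priority-string path, so the `flags & GNUTLS_NO_EXTENSIONS` branch that the new guards in ext_master_secret.c sit beside is no longer covered here; consider keeping one run that passes the init flag, or noting in a comment that it is covered elsewhere. The new `start("NORMAL:-VERS-ALL:+VERS-TLS1.2:%NO_EXTENSIONS");` line deserves a comment on what outcome is expected, since the documentation hunk in this same commit states that TLS 1.2 requires extensions and the commit message only mentions TLS1.0 and TLS1.1 as the target scenarios. What start() asserts about the handshake result is outside the visible hunks.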