authorDaiki Ueno <ueno@gnu.org>2023-03-28 11:23:40 +0000
committerDaiki Ueno <ueno@gnu.org>2023-03-28 11:23:40 +0000
commitbd638cd6bc72c35b8ce1dddb0dd950071cbe36f6 (patch)
tree3f2f78bb0f57b1bd9161ebda0492ac8df8796cee
parent195be04e144b95d084eef3c4aa72b65c01fcb7c8 (diff)
parenta398ecfc297cdcdd8255106d234eb2d99bbc7525 (diff)
downloadgnutls-bd638cd6bc72c35b8ce1dddb0dd950071cbe36f6.tar.gz
Merge branch 'dev' into 'master'
Modifier GNUTLS_NO_EXTENSIONS renamed to GNUTLS_NO_DEFAULT_EXTENSIONS. See merge request gnutls/gnutls!1734
-rw-r--r--CONTRIBUTING.md2
-rw-r--r--NEWS2
-rw-r--r--lib/ext/ext_master_secret.c4
-rw-r--r--lib/ext/ext_master_secret.h3
-rw-r--r--lib/includes/gnutls/gnutls.h.in6
-rw-r--r--lib/state.c4
-rw-r--r--lib/state.h3
-rw-r--r--src/cli.c5
-rw-r--r--tests/status-request-revoked.c2
-rw-r--r--tests/status-request.c9
10 files changed, 26 insertions, 14 deletions
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 300f98ee2b..ff7a747fc2 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -219,7 +219,7 @@ as in the example below. The detailed form is documented on `doc/scripts/gdoc`.
*
* Note that since version 3.1.2 this function enables some common
* TLS extensions such as session tickets and OCSP certificate status
- * request in client side by default. To prevent that use the %GNUTLS_NO_EXTENSIONS
+ * request in client side by default. To prevent that use the %GNUTLS_NO_DEFAULT_EXTENSIONS
* flag.
*
* Returns: %GNUTLS_E_SUCCESS on success, or a negative error code.
diff --git a/NEWS b/NEWS
index 2c6f448984..331c8074c8 100644
--- a/NEWS
+++ b/NEWS
@@ -2997,7 +2997,7 @@ response corresponds to the given certificate.
** libgnutls: In client side gnutls_init() enables the session ticket and
OCSP certificate status request extensions by default. The flag
-GNUTLS_NO_EXTENSIONS can be used to prevent that.
+GNUTLS_NO_DEFAULT_EXTENSIONS can be used to prevent that.
** libgnutls: Several updates in the OpenPGP code. The generating code
is fully RFC6091 compliant and RFC5081 support is only supported in client
diff --git a/lib/ext/ext_master_secret.c b/lib/ext/ext_master_secret.c
index a438cd7b18..95e64bd0d7 100644
--- a/lib/ext/ext_master_secret.c
+++ b/lib/ext/ext_master_secret.c
@@ -74,7 +74,7 @@ _gnutls_ext_master_secret_recv_params(gnutls_session_t session,
{
ssize_t data_size = _data_size;
- if ((session->internals.flags & GNUTLS_NO_EXTENSIONS) ||
+ if ((session->internals.flags & GNUTLS_NO_DEFAULT_EXTENSIONS) ||
session->internals.priorities->no_extensions ||
session->internals.no_ext_master_secret != 0) {
return 0;
@@ -106,7 +106,7 @@ static int
_gnutls_ext_master_secret_send_params(gnutls_session_t session,
gnutls_buffer_st * extdata)
{
- if ((session->internals.flags & GNUTLS_NO_EXTENSIONS) ||
+ if ((session->internals.flags & GNUTLS_NO_DEFAULT_EXTENSIONS) ||
session->internals.priorities->no_extensions != 0 ||
session->internals.no_ext_master_secret != 0) {
session->security_parameters.ext_master_secret = 0;
diff --git a/lib/ext/ext_master_secret.h b/lib/ext/ext_master_secret.h
index e99c97fc27..ad807b8469 100644
--- a/lib/ext/ext_master_secret.h
+++ b/lib/ext/ext_master_secret.h
@@ -23,6 +23,9 @@
#ifndef GNUTLS_LIB_EXT_EXT_MASTER_SECRET_H
# define GNUTLS_LIB_EXT_EXT_MASTER_SECRET_H
+/* Keep backward compatibility */
+# define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS
+
# include <hello_ext.h>
extern const hello_ext_entry_st ext_mod_ext_master_secret;
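Review bot: The backward-compatibility alias `# define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS` is placed in this private header, and the same alias is repeated in lib/state.h, src/cli.c and tests/status-request.c, while the public header lib/includes/gnutls/gnutls.h.in (the two hunks renaming the enum member and the `#define` fallback) drops the old name entirely. The bit value stays `(1 << 4)`, so the ABI is unchanged, but any external application that passes `GNUTLS_NO_EXTENSIONS` to gnutls_init() stops compiling against this header, which is a source-level API break that the internal aliases do not cover. Consider defining the alias once in gnutls.h.in next to the enum, e.g. `#define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS /* deprecated alias, kept for source compatibility */`, and dropping the per-file copies; in src/cli.c and tests/status-request.c the later hunks already switch to the new name, so those copies appear unused (I cannot see the rest of those files to confirm).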
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index c3ff442cb7..6fe6cbc7fc 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -438,7 +438,7 @@ typedef enum {
* @GNUTLS_DATAGRAM: Connection is datagram oriented (DTLS). Since 3.0.0.
* @GNUTLS_NONBLOCK: Connection should not block. Since 3.0.0.
* @GNUTLS_NO_SIGNAL: In systems where SIGPIPE is delivered on send, it will be disabled. That flag has effect in systems which support the MSG_NOSIGNAL sockets flag (since 3.4.2).
- * @GNUTLS_NO_EXTENSIONS: Do not enable any TLS extensions by default (since 3.1.2). As TLS 1.2 and later require extensions this option is considered obsolete and should not be used.
+ * @GNUTLS_NO_DEFAULT_EXTENSIONS: Do not enable any TLS extensions by default such as session tickets and OCSP certificate status request (since 3.1.2). As TLS 1.2 and later require extensions this option is considered obsolete and should not be used.
* @GNUTLS_NO_REPLAY_PROTECTION: Disable any replay protection in DTLS. This must only be used if replay protection is achieved using other means. Since 3.2.2.
* @GNUTLS_ALLOW_ID_CHANGE: Allow the peer to replace its certificate, or change its ID during a rehandshake. This change is often used in attacks and thus prohibited by default. Since 3.5.0.
* @GNUTLS_ENABLE_FALSE_START: Enable the TLS false start on client side if the negotiated ciphersuites allow it. This will enable sending data prior to the handshake being complete, and may introduce a risk of crypto failure when combined with certain key exchanged; for that GnuTLS may not enable that option in ciphersuites that are known to be not safe for false start. Since 3.5.0.
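Review bot: The new description of `GNUTLS_NO_DEFAULT_EXTENSIONS` lists session tickets and OCSP status request as examples, but the lib/ext/ext_master_secret.c hunks in this same merge show the flag also suppressing the extended master secret extension on both the receive and send paths, which is a security-relevant effect worth stating explicitly. Suggested wording for the doc line: `* @GNUTLS_NO_DEFAULT_EXTENSIONS: Do not enable any TLS extensions by default, such as session tickets, OCSP certificate status request and extended master secret (since 3.1.2). As TLS 1.2 and later require extensions this option is considered obsolete and should not be used.` The enclosing enum documentation comment starts before this hunk.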
@@ -499,7 +499,7 @@ typedef enum {
GNUTLS_CLIENT = (1 << 1),
GNUTLS_DATAGRAM = (1 << 2),
GNUTLS_NONBLOCK = (1 << 3),
- GNUTLS_NO_EXTENSIONS = (1 << 4),
+ GNUTLS_NO_DEFAULT_EXTENSIONS = (1 << 4),
GNUTLS_NO_REPLAY_PROTECTION = (1 << 5),
GNUTLS_NO_SIGNAL = (1 << 6),
GNUTLS_ALLOW_ID_CHANGE = (1 << 7),
@@ -528,7 +528,7 @@ typedef enum {
# define GNUTLS_CLIENT (1<<1)
# define GNUTLS_DATAGRAM (1<<2)
# define GNUTLS_NONBLOCK (1<<3)
-# define GNUTLS_NO_EXTENSIONS (1<<4)
+# define GNUTLS_NO_DEFAULT_EXTENSIONS (1<<4)
# define GNUTLS_NO_REPLAY_PROTECTION (1<<5)
# define GNUTLS_NO_SIGNAL (1<<6)
# define GNUTLS_ALLOW_ID_CHANGE (1<<7)
diff --git a/lib/state.c b/lib/state.c
index 631299846b..5d732b0f17 100644
--- a/lib/state.c
+++ b/lib/state.c
@@ -556,7 +556,7 @@ void _gnutls_handshake_internal_state_clear(gnutls_session_t session)
*
* Note that since version 3.1.2 this function enables some common
* TLS extensions such as session tickets and OCSP certificate status
- * request in client side by default. To prevent that use the %GNUTLS_NO_EXTENSIONS
+ * request in client side by default. To prevent that use the %GNUTLS_NO_DEFAULT_EXTENSIONS
* flag.
*
* Note that it is never mandatory to use gnutls_deinit() after this
@@ -718,7 +718,7 @@ int gnutls_init(gnutls_session_t * session, unsigned int flags)
}
/* Enable useful extensions */
- if ((flags & GNUTLS_CLIENT) && !(flags & GNUTLS_NO_EXTENSIONS)) {
+ if ((flags & GNUTLS_CLIENT) && !(flags & GNUTLS_NO_DEFAULT_EXTENSIONS)) {
#ifdef ENABLE_OCSP
if (!(flags & GNUTLS_NO_STATUS_REQUEST))
gnutls_ocsp_status_request_enable_client(*session, NULL,
diff --git a/lib/state.h b/lib/state.h
index 4519b41ec0..15d5ad6384 100644
--- a/lib/state.h
+++ b/lib/state.h
@@ -113,4 +113,7 @@ _gnutls_PRF(gnutls_session_t session,
# define DEFAULT_CERT_TYPE GNUTLS_CRT_X509
+/* Keep backward compatibility */
+# define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS
+
#endif /* GNUTLS_LIB_STATE_H */
diff --git a/src/cli.c b/src/cli.c
index 3579e1a73a..08dddb08f2 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -1637,6 +1637,9 @@ void print_priority_list(void)
return;
}
+/* Keeps backward compatibility */
+#define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS
+
static void cmd_parser(int argc, char **argv)
{
char *rest = NULL;
@@ -1705,7 +1708,7 @@ static void cmd_parser(int argc, char **argv)
disable_sni = HAVE_OPT(DISABLE_SNI);
disable_extensions = HAVE_OPT(DISABLE_EXTENSIONS);
if (disable_extensions)
- init_flags |= GNUTLS_NO_EXTENSIONS;
+ init_flags |= GNUTLS_NO_DEFAULT_EXTENSIONS;
if (HAVE_OPT(SINGLE_KEY_SHARE))
init_flags |= GNUTLS_KEY_SHARE_TOP;
diff --git a/tests/status-request-revoked.c b/tests/status-request-revoked.c
index cf4c8fcb2a..657dd9faf3 100644
--- a/tests/status-request-revoked.c
+++ b/tests/status-request-revoked.c
@@ -51,7 +51,7 @@ int main(void)
# include "utils.h"
/* This program tests that the client does not send the
- * status request extension if GNUTLS_NO_EXTENSIONS is set.
+ * status request extension if GNUTLS_NO_DEFAULT_EXTENSIONS is set.
*/
static void server_log_func(int level, const char *str)
diff --git a/tests/status-request.c b/tests/status-request.c
index 5c165ae5f0..feb3530e17 100644
--- a/tests/status-request.c
+++ b/tests/status-request.c
@@ -51,7 +51,7 @@ int main(void)
# include "utils.h"
/* This program tests that the client does not send the
- * status request extension if GNUTLS_NO_EXTENSIONS is set.
+ * status request extension if GNUTLS_NO_DEFAULT_EXTENSIONS is set.
*/
static void server_log_func(int level, const char *str)
@@ -89,6 +89,9 @@ static int status_func(gnutls_session_t session, void *ptr,
# define MAX_BUF 1024
+/* Keep backward compatibility */
+# define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS
+
static void client(int fd, const char *prio)
{
int ret;
@@ -107,8 +110,8 @@ static void client(int fd, const char *prio)
/* Initialize TLS session
*/
- assert(gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_NO_EXTENSIONS) >=
- 0);
+ assert(gnutls_init
+ (&session, GNUTLS_CLIENT | GNUTLS_NO_DEFAULT_EXTENSIONS) >= 0);
assert(gnutls_priority_set_direct(session, prio, NULL) >= 0);