From a7c4a04ed62be828b8aba170329c083bff3d6d34 Mon Sep 17 00:00:00 2001 From: peonix Date: Tue, 28 Mar 2023 09:08:40 +0530 Subject: Modifier GNUTLS_NO_EXTENSIONS renamed to GNUTLS_NO_DEFAULT_EXTENSIONS Signed-off-by: peonix --- CONTRIBUTING.md | 2 +- NEWS | 2 +- lib/ext/ext_master_secret.c | 4 ++-- lib/includes/gnutls/gnutls.h.in | 6 +++--- lib/state.c | 4 ++-- src/cli.c | 2 +- tests/status-request-revoked.c | 2 +- tests/status-request.c | 4 ++-- 8 files changed, 13 insertions(+), 13 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 300f98ee2b..ff7a747fc2 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -219,7 +219,7 @@ as in the example below. The detailed form is documented on `doc/scripts/gdoc`. * * Note that since version 3.1.2 this function enables some common * TLS extensions such as session tickets and OCSP certificate status - * request in client side by default. To prevent that use the %GNUTLS_NO_EXTENSIONS + * request in client side by default. To prevent that use the %GNUTLS_NO_DEFAULT_EXTENSIONS * flag. * * Returns: %GNUTLS_E_SUCCESS on success, or a negative error code. diff --git a/NEWS b/NEWS index 2c6f448984..331c8074c8 100644 --- a/NEWS +++ b/NEWS @@ -2997,7 +2997,7 @@ response corresponds to the given certificate. ** libgnutls: In client side gnutls_init() enables the session ticket and OCSP certificate status request extensions by default. The flag -GNUTLS_NO_EXTENSIONS can be used to prevent that. +GNUTLS_NO_DEFAULT_EXTENSIONS can be used to prevent that. ** libgnutls: Several updates in the OpenPGP code. The generating code is fully RFC6091 compliant and RFC5081 support is only supported in client diff --git a/lib/ext/ext_master_secret.c b/lib/ext/ext_master_secret.c index a438cd7b18..95e64bd0d7 100644 --- a/lib/ext/ext_master_secret.c +++ b/lib/ext/ext_master_secret.c 
@@ -74,7 +74,7 @@ _gnutls_ext_master_secret_recv_params(gnutls_session_t session, { ssize_t data_size = _data_size; - if ((session->internals.flags & GNUTLS_NO_EXTENSIONS) || + if ((session->internals.flags & GNUTLS_NO_DEFAULT_EXTENSIONS) || session->internals.priorities->no_extensions || session->internals.no_ext_master_secret != 0) { return 0; @@ -106,7 +106,7 @@ static int _gnutls_ext_master_secret_send_params(gnutls_session_t session, gnutls_buffer_st * extdata) { - if ((session->internals.flags & GNUTLS_NO_EXTENSIONS) || + if ((session->internals.flags & GNUTLS_NO_DEFAULT_EXTENSIONS) || session->internals.priorities->no_extensions != 0 || session->internals.no_ext_master_secret != 0) { session->security_parameters.ext_master_secret = 0; diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in index c3ff442cb7..64098c5b36 100644 --- a/lib/includes/gnutls/gnutls.h.in +++ b/lib/includes/gnutls/gnutls.h.in 
@@ -438,7 +438,7 @@ typedef enum { * @GNUTLS_DATAGRAM: Connection is datagram oriented (DTLS). Since 3.0.0. * @GNUTLS_NONBLOCK: Connection should not block. Since 3.0.0. * @GNUTLS_NO_SIGNAL: In systems where SIGPIPE is delivered on send, it will be disabled. That flag has effect in systems which support the MSG_NOSIGNAL sockets flag (since 3.4.2). - * @GNUTLS_NO_EXTENSIONS: Do not enable any TLS extensions by default (since 3.1.2). As TLS 1.2 and later require extensions this option is considered obsolete and should not be used. + * @GNUTLS_NO_DEFAULT_EXTENSIONS: Do not enable any TLS extensions by default (since 3.1.2). As TLS 1.2 and later require extensions this option is considered obsolete and should not be used. * @GNUTLS_NO_REPLAY_PROTECTION: Disable any replay protection in DTLS. This must only be used if replay protection is achieved using other means. Since 3.2.2. * @GNUTLS_ALLOW_ID_CHANGE: Allow the peer to replace its certificate, or change its ID during a rehandshake. This change is often used in attacks and thus prohibited by default. Since 3.5.0. * @GNUTLS_ENABLE_FALSE_START: Enable the TLS false start on client side if the negotiated ciphersuites allow it. This will enable sending data prior to the handshake being complete, and may introduce a risk of crypto failure when combined with certain key exchanged; for that GnuTLS may not enable that option in ciphersuites that are known to be not safe for false start. Since 3.5.0. @@ -499,7 +499,7 @@ typedef enum { GNUTLS_CLIENT = (1 << 1), GNUTLS_DATAGRAM = (1 << 2), GNUTLS_NONBLOCK = (1 << 3), - GNUTLS_NO_EXTENSIONS = (1 << 4), + GNUTLS_NO_DEFAULT_EXTENSIONS = (1 << 4), GNUTLS_NO_REPLAY_PROTECTION = (1 << 5), GNUTLS_NO_SIGNAL = (1 << 6), GNUTLS_ALLOW_ID_CHANGE = (1 << 7), 
@@ -528,7 +528,7 @@ typedef enum { # define GNUTLS_CLIENT (1<<1) # define GNUTLS_DATAGRAM (1<<2) # define GNUTLS_NONBLOCK (1<<3) -# define GNUTLS_NO_EXTENSIONS (1<<4) +# define GNUTLS_NO_DEFAULT_EXTENSIONS (1<<4) # define GNUTLS_NO_REPLAY_PROTECTION (1<<5) # define GNUTLS_NO_SIGNAL (1<<6) # define GNUTLS_ALLOW_ID_CHANGE (1<<7) diff --git a/lib/state.c b/lib/state.c index 631299846b..5d732b0f17 100644 --- a/lib/state.c +++ b/lib/state.c @@ -556,7 +556,7 @@ void _gnutls_handshake_internal_state_clear(gnutls_session_t session) * * Note that since version 3.1.2 this function enables some common * TLS extensions such as session tickets and OCSP certificate status - * request in client side by default. To prevent that use the %GNUTLS_NO_EXTENSIONS + * request in client side by default. To prevent that use the %GNUTLS_NO_DEFAULT_EXTENSIONS * flag. * * Note that it is never mandatory to use gnutls_deinit() after this @@ -718,7 +718,7 @@ int gnutls_init(gnutls_session_t * session, unsigned int flags) } /* Enable useful extensions */ - if ((flags & GNUTLS_CLIENT) && !(flags & GNUTLS_NO_EXTENSIONS)) { + if ((flags & GNUTLS_CLIENT) && !(flags & GNUTLS_NO_DEFAULT_EXTENSIONS)) { #ifdef ENABLE_OCSP if (!(flags & GNUTLS_NO_STATUS_REQUEST)) gnutls_ocsp_status_request_enable_client(*session, NULL, diff --git a/src/cli.c b/src/cli.c index 3579e1a73a..f1eda4680f 100644 --- a/src/cli.c +++ b/src/cli.c @@ -1705,7 +1705,7 @@ static void cmd_parser(int argc, char **argv) disable_sni = HAVE_OPT(DISABLE_SNI); disable_extensions = HAVE_OPT(DISABLE_EXTENSIONS); if (disable_extensions) - init_flags |= GNUTLS_NO_EXTENSIONS; + init_flags |= GNUTLS_NO_DEFAULT_EXTENSIONS; if (HAVE_OPT(SINGLE_KEY_SHARE)) init_flags |= GNUTLS_KEY_SHARE_TOP; diff --git a/tests/status-request-revoked.c b/tests/status-request-revoked.c index cf4c8fcb2a..657dd9faf3 100644 --- a/tests/status-request-revoked.c +++ b/tests/status-request-revoked.c 
@@ -51,7 +51,7 @@ int main(void) # include "utils.h" /* This program tests that the client does not send the - * status request extension if GNUTLS_NO_EXTENSIONS is set. + * status request extension if GNUTLS_NO_DEFAULT_EXTENSIONS is set. */ static void server_log_func(int level, const char *str) diff --git a/tests/status-request.c b/tests/status-request.c index 5c165ae5f0..5caeef2247 100644 --- a/tests/status-request.c +++ b/tests/status-request.c @@ -51,7 +51,7 @@ int main(void) # include "utils.h" /* This program tests that the client does not send the - * status request extension if GNUTLS_NO_EXTENSIONS is set. + * status request extension if GNUTLS_NO_DEFAULT_EXTENSIONS is set. */ static void server_log_func(int level, const char *str) @@ -107,7 +107,7 @@ static void client(int fd, const char *prio) /* Initialize TLS session */ - assert(gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_NO_EXTENSIONS) >= + assert(gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_NO_DEFAULT_EXTENSIONS) >= 0); assert(gnutls_priority_set_direct(session, prio, NULL) >= 0); -- cgit v1.2.1 From 4eb6c87fedd72b6d1abf793570adc5ef63f571ee Mon Sep 17 00:00:00 2001 From: peonix Date: Tue, 28 Mar 2023 09:10:36 +0530 Subject: Updated desc for @GNUTLS_NO_DEFAULT_EXTENSIONS Signed-off-by: peonix --- lib/includes/gnutls/gnutls.h.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in index 64098c5b36..6fe6cbc7fc 100644 --- a/lib/includes/gnutls/gnutls.h.in +++ b/lib/includes/gnutls/gnutls.h.in 
@@ -438,7 +438,7 @@ typedef enum { * @GNUTLS_DATAGRAM: Connection is datagram oriented (DTLS). Since 3.0.0. * @GNUTLS_NONBLOCK: Connection should not block. Since 3.0.0. * @GNUTLS_NO_SIGNAL: In systems where SIGPIPE is delivered on send, it will be disabled. That flag has effect in systems which support the MSG_NOSIGNAL sockets flag (since 3.4.2). - * @GNUTLS_NO_DEFAULT_EXTENSIONS: Do not enable any TLS extensions by default (since 3.1.2). As TLS 1.2 and later require extensions this option is considered obsolete and should not be used. + * @GNUTLS_NO_DEFAULT_EXTENSIONS: Do not enable any TLS extensions by default such as session tickets and OCSP certificate status request (since 3.1.2). As TLS 1.2 and later require extensions this option is considered obsolete and should not be used. * @GNUTLS_NO_REPLAY_PROTECTION: Disable any replay protection in DTLS. This must only be used if replay protection is achieved using other means. Since 3.2.2. * @GNUTLS_ALLOW_ID_CHANGE: Allow the peer to replace its certificate, or change its ID during a rehandshake. This change is often used in attacks and thus prohibited by default. Since 3.5.0. * @GNUTLS_ENABLE_FALSE_START: Enable the TLS false start on client side if the negotiated ciphersuites allow it. This will enable sending data prior to the handshake being complete, and may introduce a risk of crypto failure when combined with certain key exchanged; for that GnuTLS may not enable that option in ciphersuites that are known to be not safe for false start. Since 3.5.0. -- cgit v1.2.1 From 5bee87e19f70a9ac1339828cd1a1aa90282d2bfc Mon Sep 17 00:00:00 2001 From: peonix Date: Tue, 28 Mar 2023 14:20:47 +0530 Subject: reformatted Signed-off-by: peonix --- tests/status-request.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/status-request.c b/tests/status-request.c index 5caeef2247..66057a35db 100644 --- a/tests/status-request.c +++ b/tests/status-request.c 
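Review bot: The expanded description still does not say everything the flag switches off: besides the client-side defaults it names, the same flag also suppresses the extended master secret extension in lib/ext/ext_master_secret.c (the first patch of this series shows `_gnutls_ext_master_secret_recv_params` returning early and `_gnutls_ext_master_secret_send_params` clearing `ext_master_secret` when it is set), which is a security-relevant downgrade a caller reading only this enum comment would not expect. The new sentence also reads awkwardly, with "such as ..." attached to "by default" and the version trailing the examples. Suggested wording: ` * @GNUTLS_NO_DEFAULT_EXTENSIONS: Do not enable the TLS extensions that are on by default on the client side, such as session tickets and OCSP certificate status request, and do not negotiate the extended master secret extension (since 3.1.2). As TLS 1.2 and later require extensions this option is considered obsolete and should not be used.` The enum this comment documents continues outside the hunk.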
@@ -107,8 +107,8 @@ static void client(int fd, const char *prio) /* Initialize TLS session */ - assert(gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_NO_DEFAULT_EXTENSIONS) >= - 0); + assert(gnutls_init + (&session, GNUTLS_CLIENT | GNUTLS_NO_DEFAULT_EXTENSIONS) >= 0); assert(gnutls_priority_set_direct(session, prio, NULL) >= 0); -- cgit v1.2.1 From a398ecfc297cdcdd8255106d234eb2d99bbc7525 Mon Sep 17 00:00:00 2001 From: peonix Date: Tue, 28 Mar 2023 14:21:07 +0530 Subject: changes to keep backward compatibility Signed-off-by: peonix --- lib/ext/ext_master_secret.h | 3 +++ lib/state.h | 3 +++ src/cli.c | 3 +++ tests/status-request.c | 3 +++ 4 files changed, 12 insertions(+) diff --git a/lib/ext/ext_master_secret.h b/lib/ext/ext_master_secret.h index e99c97fc27..ad807b8469 100644 --- a/lib/ext/ext_master_secret.h +++ b/lib/ext/ext_master_secret.h @@ -23,6 +23,9 @@ #ifndef GNUTLS_LIB_EXT_EXT_MASTER_SECRET_H # define GNUTLS_LIB_EXT_EXT_MASTER_SECRET_H +/* Keep backward compatibility */ +# define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS + # include extern const hello_ext_entry_st ext_mod_ext_master_secret; diff --git a/lib/state.h b/lib/state.h index 4519b41ec0..15d5ad6384 100644 --- a/lib/state.h +++ b/lib/state.h @@ -113,4 +113,7 @@ _gnutls_PRF(gnutls_session_t session, # define DEFAULT_CERT_TYPE GNUTLS_CRT_X509 +/* Keep backward compatibility */ +# define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS + #endif /* GNUTLS_LIB_STATE_H */ diff --git a/src/cli.c b/src/cli.c index f1eda4680f..08dddb08f2 100644 --- a/src/cli.c +++ b/src/cli.c @@ -1637,6 +1637,9 @@ void print_priority_list(void) return; } +/* Keeps backward compatibility */ +#define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS + static void cmd_parser(int argc, char **argv) { char *rest = NULL; diff --git a/tests/status-request.c b/tests/status-request.c index 66057a35db..feb3530e17 100644 --- a/tests/status-request.c +++ b/tests/status-request.c 
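Review bot: The compatibility alias `# define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS` is added only to lib/ext/ext_master_secret.h, lib/state.h, src/cli.c and (in the following hunk) tests/status-request.c, none of which is an installed header, so external programs built against the renamed `gnutls_init_flags_t` in lib/includes/gnutls/gnutls.h.in still lose `GNUTLS_NO_EXTENSIONS` and the series remains a source-compatibility break for the public API. The alias belongs once in gnutls.h.in, after the enum and the `# define` fallback block, e.g. `/* Backward-compatible alias for the flag renamed to GNUTLS_NO_DEFAULT_EXTENSIONS */` followed by `# define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS`, and the four in-tree copies can be dropped because the first patch already renamed every internal use, so they are dead code. Defining the same macro in two internal headers that a single translation unit may include is benign only while the replacement lists stay byte-identical; a single definition avoids that fragility. In ext_master_secret.h the alias is also placed before the file's `# include`, which works only because macro expansion is deferred to the point of use and reads as an ordering mistake.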
@@ -89,6 +89,9 @@ static int status_func(gnutls_session_t session, void *ptr, # define MAX_BUF 1024 +/* Keep backward compatibility */ +# define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS + static void client(int fd, const char *prio) { int ret; -- cgit v1.2.1