Add option to gnutls-cli to wait for resumption under TLS 1.3

gnutls-3.6.13-cli-wait-resumption.patch

@@ -0,0 +1,87 @@
+From f27358ecba654ef931c0a761a540dc9e2d2e67f0 Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Date: Fri, 20 Mar 2020 16:37:33 +0100
+Subject: [PATCH] gnutls-cli: Add option to wait for resumption data
+
+This introduces the --waitresumption command line option which makes the
+client to wait for the resumption data until a ticket is received under
+TLS1.3.  The client will block if no ticket is received.  The new option
+has no effect if the option --resume is not provided.
+
+This is useful to force the client to wait for the resumption data when
+the server takes long to send the ticket, allowing the session
+resumption to be tested.  This is a common scenario in CI systems where
+the testing machines have limited resources.
+
+Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+---
+ src/cli-args.def |  6 ++++++
+ src/cli.c        | 21 +++++++++++++++------
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/src/cli-args.def b/src/cli-args.def
+index a8760fab9..56ae77b07 100644
+--- a/src/cli-args.def
++++ b/src/cli-args.def
+@@ -471,6 +471,12 @@ flag = {
+     doc      = "";
+ };
+ 
++flag = {
++    name     = waitresumption;
++    descrip  = "Block waiting for the resumption data under TLS1.3";
++    doc      = "This option makes the client to block waiting for the resumption data under TLS1.3. The option has effect only when --resume is provided.";
++};
++
+ doc-section = {
+   ds-type   = 'SEE ALSO'; // or anything else
+   ds-format = 'texi';      // or texi or mdoc format
+diff --git a/src/cli.c b/src/cli.c
+index db072b930..c3d074f08 100644
+--- a/src/cli.c
++++ b/src/cli.c
+@@ -78,7 +78,7 @@
+ 
+ /* global stuff here */
+ int resume, starttls, insecure, ranges, rehandshake, udp, mtu,
+-    inline_commands;
++    inline_commands, waitresumption;
+ unsigned int global_vflags = 0;
+ char *hostname = NULL;
+ char service[32]="";
+@@ -992,11 +992,19 @@ static int try_resume(socket_st * hd)
+ 	gnutls_datum_t edata = {NULL, 0};
+ 
+ 	if (gnutls_session_is_resumed(hd->session) == 0) {
+-		/* not resumed - obtain the session data */
+-		ret = gnutls_session_get_data2(hd->session, &rdata);
+-		if (ret < 0) {
+-			rdata.data = NULL;
+-		}
++		do {
++			/* not resumed - obtain the session data */
++			ret = gnutls_session_get_data2(hd->session, &rdata);
++			if (ret < 0) {
++				rdata.data = NULL;
++			}
++
++			if ((gnutls_protocol_get_version(hd->session) != GNUTLS_TLS1_3) ||
++					((gnutls_session_get_flags(hd->session) &
++					 GNUTLS_SFLAGS_SESSION_TICKET))) {
++				break;
++			}
++		} while (waitresumption);
+ 	} else {
+ 		/* resumed - try to reuse the previous session data */
+ 		rdata.data = hd->rdata.data;
+@@ -1688,6 +1696,7 @@ static void cmd_parser(int argc, char **argv)
+ 	rehandshake = HAVE_OPT(REHANDSHAKE);
+ 	insecure = HAVE_OPT(INSECURE);
+ 	ranges = HAVE_OPT(RANGES);
++	waitresumption = HAVE_OPT(WAITRESUMPTION);
+ 
+ 	if (insecure || HAVE_OPT(VERIFY_ALLOW_BROKEN)) {
+ 		global_vflags |= GNUTLS_VERIFY_ALLOW_BROKEN;
+-- 
+2.25.4
+

gnutls.spec

@@ -1,10 +1,11 @@
 # This spec file has been automatically updated
 Version:	3.6.13
-Release: 3%{?dist}
+Release: 4%{?dist}
 Patch1:	gnutls-3.6.7-no-now-guile.patch
 Patch2:	gnutls-3.2.7-rpath.patch
 Patch3:	gnutls-3.6.13-bump-linked-libs-soname-f33.patch
 Patch4:	gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch
+Patch5:	gnutls-3.6.13-cli-wait-resumption.patch
 %bcond_without dane
 %if 0%{?rhel}
 %bcond_with guile
@@ -281,6 +282,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %endif
 
 %changelog
+* Mon May 25 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.6.13-4
+- Add option to gnutls-cli to wait for resumption under TLS 1.3
+
 * Tue May 19 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.6.13-3
 - Disable RSA blinding during FIPS self-tests