diff --git a/gnutls-3.6.13-cli-wait-resumption.patch b/gnutls-3.6.13-cli-wait-resumption.patch
new file mode 100644
index 0000000..4c56344
--- /dev/null
+++ b/gnutls-3.6.13-cli-wait-resumption.patch
@@ -0,0 +1,87 @@
+From f27358ecba654ef931c0a761a540dc9e2d2e67f0 Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki
+Date: Fri, 20 Mar 2020 16:37:33 +0100
+Subject: [PATCH] gnutls-cli: Add option to wait for resumption data
+
+This introduces the --waitresumption command line option which makes the
+client to wait for the resumption data until a ticket is received under
+TLS1.3. The client will block if no ticket is received. The new option
+has no effect if the option --resume is not provided.
+
+This is useful to force the client to wait for the resumption data when
+the server takes long to send the ticket, allowing the session
+resumption to be tested. This is a common scenario in CI systems where
+the testing machines have limited resources.
+
+Signed-off-by: Anderson Toshiyuki Sasaki
+---
+ src/cli-args.def | 6 ++++++
+ src/cli.c | 21 +++++++++++++++------
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/src/cli-args.def b/src/cli-args.def
+index a8760fab9..56ae77b07 100644
+--- a/src/cli-args.def
++++ b/src/cli-args.def
+@@ -471,6 +471,12 @@ flag = {
+ doc = "";
+ };
+
++flag = {
++ name = waitresumption;
++ descrip = "Block waiting for the resumption data under TLS1.3";
++ doc = "This option makes the client to block waiting for the resumption data under TLS1.3. 
The option has effect only when --resume is provided.";
++};
++
+ doc-section = {
+ ds-type = 'SEE ALSO'; // or anything else
+ ds-format = 'texi'; // or texi or mdoc format
+diff --git a/src/cli.c b/src/cli.c
+index db072b930..c3d074f08 100644
+--- a/src/cli.c
++++ b/src/cli.c
+@@ -78,7 +78,7 @@
+
+ /* global stuff here */
+ int resume, starttls, insecure, ranges, rehandshake, udp, mtu,
+- inline_commands;
++ inline_commands, waitresumption;
+ unsigned int global_vflags = 0;
+ char *hostname = NULL;
+ char service[32]="";
+@@ -992,11 +992,19 @@ static int try_resume(socket_st * hd)
+ gnutls_datum_t edata = {NULL, 0};
+
+ if (gnutls_session_is_resumed(hd->session) == 0) {
+- /* not resumed - obtain the session data */
+- ret = gnutls_session_get_data2(hd->session, &rdata);
+- if (ret < 0) {
+- rdata.data = NULL;
+- }
++ do {
++ /* not resumed - obtain the session data */
++ ret = gnutls_session_get_data2(hd->session, &rdata);
++ if (ret < 0) {
++ rdata.data = NULL;
++ }
++
++ if ((gnutls_protocol_get_version(hd->session) != GNUTLS_TLS1_3) ||
++ ((gnutls_session_get_flags(hd->session) &
++ GNUTLS_SFLAGS_SESSION_TICKET))) {
++ break;
++ }
++ } while (waitresumption);
+ } else {
+ /* resumed - try to reuse the previous session data */
+ rdata.data = hd->rdata.data;
+@@ -1688,6 +1696,7 @@ static void cmd_parser(int argc, char **argv)
+ rehandshake = HAVE_OPT(REHANDSHAKE);
+ insecure = HAVE_OPT(INSECURE);
+ ranges = HAVE_OPT(RANGES);
++ waitresumption = HAVE_OPT(WAITRESUMPTION);
+
+ if (insecure || HAVE_OPT(VERIFY_ALLOW_BROKEN)) {
+ global_vflags |= GNUTLS_VERIFY_ALLOW_BROKEN;
+--
+2.25.4
+
diff --git a/gnutls.spec b/gnutls.spec
index 6944fd9..bc7e6bb 100644
--- a/gnutls.spec
+++ b/gnutls.spec
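Review bot: The retry loop added to try_resume in src/cli.c has no exit path for a failed call: when `gnutls_session_get_data2` returns a negative code the new code only NULLs `rdata.data` and re-enters the loop, and the sole break condition is the version/ticket-flag test, so with `--waitresumption` a peer that closes the connection or a broken transport leaves gnutls-cli spinning on a dead session rather than blocking for a ticket. I would let only the expected "no ticket yet" result retry — presumably `GNUTLS_E_INVALID_SESSION`, worth confirming against lib/session.c — and bail out on any other fatal error inside the `if (ret < 0)` branch: `if (ret != GNUTLS_E_INVALID_SESSION && gnutls_error_is_fatal(ret)) break;`. Because `rdata` is refilled on every pass, a `gnutls_free(rdata.data); rdata.data = NULL;` at the top of the loop body would also keep a successful-but-ticketless pass, should that combination be possible, from leaking the previous buffer. The commit message says the option is inert without --resume, but that gating and the later consumer of rdata are in the part of try_resume and its caller that lies outside the hunk.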
@@ -1,10 +1,11 @@
 # This spec file has been automatically updated
 Version: 3.6.13
-Release: 3%{?dist}
+Release: 4%{?dist}
 Patch1: gnutls-3.6.7-no-now-guile.patch
 Patch2: gnutls-3.2.7-rpath.patch
 Patch3: gnutls-3.6.13-bump-linked-libs-soname-f33.patch
 Patch4: gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch
+Patch5: gnutls-3.6.13-cli-wait-resumption.patch
 %bcond_without dane
 %if 0%{?rhel}
 %bcond_with guile
@@ -281,6 +282,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %endif
 %changelog
+* Mon May 25 2020 Anderson Sasaki - 3.6.13-4
+- Add option to gnutls-cli to wait for resumption under TLS 1.3
+
 * Tue May 19 2020 Anderson Sasaki - 3.6.13-3
 - Disable RSA blinding during FIPS self-tests