authorNikos Mavrogiannopoulos <nmav@redhat.com>2018-05-07 09:52:32 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2018-05-17 13:54:03 +0200
commitf41df13ec8b77414ff8e682d8234c089bd24e7e9 (patch)
treebf9a12d81c1469c6aefa896393bd95f95cdea7f4 /lib/includes
parent9c0b15a08a48b72fe63ccd5b046ff9199212d10b (diff)
downloadgnutls-f41df13ec8b77414ff8e682d8234c089bd24e7e9.tar.gz
handshake: do not send TLS extensions under DTLS and vice versatmp-prohibit-tls-dtls-mix
That is, introduce the notion of TLS-only and DTLS-only extensions, providing a framework to prevent sending extensions which are registered for example for TLS 1.3, under DTLS and vice versa. Resolves #440 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/includes')
-rw-r--r--lib/includes/gnutls/gnutls.h.in6
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index b6473b98b5..fd3b07af78 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -2761,6 +2761,8 @@ typedef enum {
* @GNUTLS_EXT_FLAG_EE: This extension can be present in encrypted extensions message
* @GNUTLS_EXT_FLAG_HRR: This extension can be present in hello retry request message
* @GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST: When flag is present, this extension will be send even if the server didn't advertise it. An extension of this type is the Cookie TLS1.3 extension.
+ * @GNUTLS_EXT_FLAG_DTLS: This extension can be present under DTLS; otherwise ignored.
+ * @GNUTLS_EXT_FLAG_TLS: This extension can be present under TLS; otherwise ignored.
*
* Enumeration of different TLS extension registration flags.
*/
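Review bot: The new `@GNUTLS_EXT_FLAG_DTLS` and `@GNUTLS_EXT_FLAG_TLS` entries do not say what happens when a caller sets neither flag, which is the case for every extension registered before these flags existed. The commit aims to keep extensions off the wrong transport, so the default should be stated in this comment; the handshake code that decides it is outside this page (the diffstat is limited to lib/includes). "otherwise ignored" is also ambiguous about whether the flag or the extension is ignored. If it matches the implementation, wording such as `This extension is only used in DTLS sessions; it is skipped under TLS` would be clearer, with the mirror-image sentence for the TLS flag.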
@@ -2771,7 +2773,9 @@ typedef enum {
GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO = (1<<3),
GNUTLS_EXT_FLAG_EE = (1<<4), /* ENCRYPTED */
GNUTLS_EXT_FLAG_HRR = (1<<5),
- GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST = (1<<6)
+ GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST = (1<<6),
+ GNUTLS_EXT_FLAG_TLS = (1<<7),
+ GNUTLS_EXT_FLAG_DTLS = (1<<8)
} gnutls_ext_flags_t;
/* Register a custom tls extension
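Review bot: `GNUTLS_EXT_FLAG_DTLS = (1<<8)` is the first value in `gnutls_ext_flags_t` that does not fit in eight bits. If any internal field or mask stores these flags in a narrower type, the DTLS bit would be dropped silently and the transport restriction would not take effect for that extension. The storage is not visible in this hunk, so confirm the width of whatever holds the registered flags. A short comment on each new enumerator, in the style of the existing `/* ENCRYPTED */`, would also help, e.g. `/* valid under DTLS only */`.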