Collect GnuTLS extensions and use them to set %DUMBFW if supported
* lisp/net/gnutls.el (gnutls-boot-parameters): Use it to set %DUMBFW only when it's supported as "ClientHello Padding" (Bug#25061). * src/gnutls.c (Fgnutls_available_p): Get extension names and put them in the GnuTLS capabilities, using a hard-coded limit of 100 since GnuTLS MAX_EXT_TYPES is not exported.
This commit is contained in:
parent
936136ecab
commit
21a212f9e2
2 changed files with 44 additions and 28 deletions
|
@ -261,33 +261,37 @@ here's a recent version of the list.
|
|||
|
||||
It must be omitted, a number, or nil; if omitted or nil it
|
||||
defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
|
||||
(let ((trustfiles (or trustfiles (gnutls-trustfiles)))
|
||||
(priority-string (or priority-string
|
||||
(cond
|
||||
((eq type 'gnutls-anon)
|
||||
"NORMAL:+ANON-DH:!ARCFOUR-128:%DUMBFW")
|
||||
((eq type 'gnutls-x509pki)
|
||||
(if gnutls-algorithm-priority
|
||||
(upcase gnutls-algorithm-priority)
|
||||
"NORMAL:%DUMBFW")))))
|
||||
(verify-error (or verify-error
|
||||
;; this uses the value of `gnutls-verify-error'
|
||||
(cond
|
||||
;; if t, pass it on
|
||||
((eq gnutls-verify-error t)
|
||||
t)
|
||||
;; if a list, look for hostname matches
|
||||
((listp gnutls-verify-error)
|
||||
(apply 'append
|
||||
(mapcar
|
||||
(lambda (check)
|
||||
(when (string-match (nth 0 check)
|
||||
hostname)
|
||||
(nth 1 check)))
|
||||
gnutls-verify-error)))
|
||||
;; else it's nil
|
||||
(t nil))))
|
||||
(min-prime-bits (or min-prime-bits gnutls-min-prime-bits)))
|
||||
(let* ((trustfiles (or trustfiles (gnutls-trustfiles)))
|
||||
(maybe-dumbfw (if (memq 'ClientHello\ Padding (gnutls-available-p))
|
||||
":%DUMBFW"
|
||||
""))
|
||||
(priority-string (or priority-string
|
||||
(cond
|
||||
((eq type 'gnutls-anon)
|
||||
(concat "NORMAL:+ANON-DH:!ARCFOUR-128"
|
||||
maybe-dumbfw))
|
||||
((eq type 'gnutls-x509pki)
|
||||
(if gnutls-algorithm-priority
|
||||
(upcase gnutls-algorithm-priority)
|
||||
(concat "NORMAL" maybe-dumbfw))))))
|
||||
(verify-error (or verify-error
|
||||
;; this uses the value of `gnutls-verify-error'
|
||||
(cond
|
||||
;; if t, pass it on
|
||||
((eq gnutls-verify-error t)
|
||||
t)
|
||||
;; if a list, look for hostname matches
|
||||
((listp gnutls-verify-error)
|
||||
(apply 'append
|
||||
(mapcar
|
||||
(lambda (check)
|
||||
(when (string-match (nth 0 check)
|
||||
hostname)
|
||||
(nth 1 check)))
|
||||
gnutls-verify-error)))
|
||||
;; else it's nil
|
||||
(t nil))))
|
||||
(min-prime-bits (or min-prime-bits gnutls-min-prime-bits)))
|
||||
|
||||
(when verify-hostname-error
|
||||
(push :hostname verify-error))
|
||||
|
|
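Review bot: The docstring of `gnutls-boot-parameters` (only its tail is visible at the top of the hunk; the function begins above it) still describes the priority defaults as if `%DUMBFW` were always appended, while the new `maybe-dumbfw` binding adds it only when `(gnutls-available-p)` lists `ClientHello\ Padding`. A sentence such as `The default priority strings append %DUMBFW only when the running GnuTLS reports the ClientHello Padding extension.` would tell users why the effective priority differs between GnuTLS builds. The `memq` test also depends on the exact symbol name the C side interns for that extension, so a renamed extension would silently drop the padding workaround rather than fail; a short comment recording that assumption next to `maybe-dumbfw` would help the next maintainer. Finally, `gnutls-available-p` is re-queried on every call; that is probably cheap, but caching the result would avoid rescanning the extension table for each connection.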
14
src/gnutls.c
14
src/gnutls.c
|
@ -2415,7 +2415,10 @@ GnuTLS 3 or higher : the list will contain `gnutls3'.
|
|||
GnuTLS MACs : the list will contain `macs'.
|
||||
GnuTLS digests : the list will contain `digests'.
|
||||
GnuTLS symmetric ciphers: the list will contain `ciphers'.
|
||||
GnuTLS AEAD ciphers : the list will contain `AEAD-ciphers'. */)
|
||||
GnuTLS AEAD ciphers : the list will contain `AEAD-ciphers'.
|
||||
%DUMBFW : the list will contain `ClientHello\ Padding'.
|
||||
Any GnuTLS extension with ID up to 100
|
||||
: the list will contain its name. */)
|
||||
(void)
|
||||
{
|
||||
Lisp_Object capabilities = Qnil;
|
||||
|
@ -2436,6 +2439,15 @@ GnuTLS AEAD ciphers : the list will contain `AEAD-ciphers'. */)
|
|||
capabilities = Fcons (intern("macs"), capabilities);
|
||||
# endif /* HAVE_GNUTLS3 */
|
||||
|
||||
for (unsigned int ext=0; ext < 100; ext++)
|
||||
{
|
||||
const char* name = gnutls_ext_get_name(ext);
|
||||
if (name != NULL)
|
||||
{
|
||||
capabilities = Fcons (intern(name), capabilities);
|
||||
}
|
||||
}
|
||||
|
||||
# ifdef WINDOWSNT
|
||||
Lisp_Object found = Fassq (Qgnutls, Vlibrary_cache);
|
||||
if (CONSP (found))
|
||||
|
|
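Review bot: The new loop over `gnutls_ext_get_name` in the second hunk sits right after `# endif /* HAVE_GNUTLS3 */`, so it is compiled for every GnuTLS version, yet that function is not present in older releases (as far as I recall it appeared in the 3.4 series), which would break builds against the GnuTLS 2.x/early 3.x that the surrounding `HAVE_GNUTLS3` guards still cater for. Wrapping the loop in `#if GNUTLS_VERSION_NUMBER >= 0x030400` (or a configure-time feature macro) keeps `gnutls-available-p` working on those builds. The `100` bound should also become a named constant that the docstring in the first hunk can refer to, e.g. `enum { GNUTLS_EXT_SCAN_LIMIT = 100 }; /* GnuTLS does not export MAX_EXT_TYPES */`, so the two cannot drift apart. If the `WINDOWSNT` build reaches GnuTLS through the dynamically loaded function table that the `Vlibrary_cache` lookup below belongs to, this direct call presumably needs a matching entry there as well; worth confirming.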