Collect GnuTLS extensions and use them to set %DUMBFW if supported

* lisp/net/gnutls.el (gnutls-boot-parameters): Use it to set %DUMBFW
only when it's supported as "ClientHello Padding" (Bug#25061).

* src/gnutls.c (Fgnutls_available_p): Get extension names and
put them in the GnuTLS capabilities, using a hard-coded limit
of 100 since GnuTLS MAX_EXT_TYPES is not exported.
Ted Zlatanov 2017-12-19 12:43:56 -05:00
parent 936136ecab
commit 21a212f9e2
GPG key ID: 11F23D0A4E4B9DEE
2 changed files with 44 additions and 28 deletions


@ -261,33 +261,37 @@ here's a recent version of the list.
It must be omitted, a number, or nil; if omitted or nil it It must be omitted, a number, or nil; if omitted or nil it
defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT." defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
(let ((trustfiles (or trustfiles (gnutls-trustfiles))) (let* ((trustfiles (or trustfiles (gnutls-trustfiles)))
(priority-string (or priority-string (maybe-dumbfw (if (memq 'ClientHello\ Padding (gnutls-available-p))
(cond ":%DUMBFW"
((eq type 'gnutls-anon) ""))
"NORMAL:+ANON-DH:!ARCFOUR-128:%DUMBFW") (priority-string (or priority-string
((eq type 'gnutls-x509pki) (cond
(if gnutls-algorithm-priority ((eq type 'gnutls-anon)
(upcase gnutls-algorithm-priority) (concat "NORMAL:+ANON-DH:!ARCFOUR-128"
"NORMAL:%DUMBFW"))))) maybe-dumbfw))
(verify-error (or verify-error ((eq type 'gnutls-x509pki)
;; this uses the value of `gnutls-verify-error' (if gnutls-algorithm-priority
(cond (upcase gnutls-algorithm-priority)
;; if t, pass it on (concat "NORMAL" maybe-dumbfw))))))
((eq gnutls-verify-error t) (verify-error (or verify-error
t) ;; this uses the value of `gnutls-verify-error'
;; if a list, look for hostname matches (cond
((listp gnutls-verify-error) ;; if t, pass it on
(apply 'append ((eq gnutls-verify-error t)
(mapcar t)
(lambda (check) ;; if a list, look for hostname matches
(when (string-match (nth 0 check) ((listp gnutls-verify-error)
hostname) (apply 'append
(nth 1 check))) (mapcar
gnutls-verify-error))) (lambda (check)
;; else it's nil (when (string-match (nth 0 check)
(t nil)))) hostname)
(min-prime-bits (or min-prime-bits gnutls-min-prime-bits))) (nth 1 check)))
gnutls-verify-error)))
;; else it's nil
(t nil))))
(min-prime-bits (or min-prime-bits gnutls-min-prime-bits)))
(when verify-hostname-error (when verify-hostname-error
(push :hostname verify-error)) (push :hostname verify-error))
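Review bot: The new `maybe-dumbfw` binding drops %DUMBFW whenever the symbol `ClientHello\ Padding` is missing from `(gnutls-available-p)`, and that symbol is only whatever name the C side interns from GnuTLS's extension table, so a GnuTLS release that renames the extension, or a build where the extension scan yields nothing, would silently lose the padding workaround with no diagnostic. A comment on the binding naming that coupling would help the next maintainer, e.g. `;; GnuTLS reports the %DUMBFW extension as "ClientHello Padding"; when it is not listed the padding keyword is omitted, presumably because an unsupported %DUMBFW would be rejected (Bug#25061).` Note also that `gnutls-available-p` is now evaluated on every call to `gnutls-boot-parameters`, rebuilding the full capability list each time; that is likely acceptable at connection-setup frequency but could be cached if it ever shows up. The enclosing `gnutls-boot-parameters` definition starts before this hunk and its `let*` body continues past it.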


@ -2415,7 +2415,10 @@ GnuTLS 3 or higher : the list will contain `gnutls3'.
GnuTLS MACs : the list will contain `macs'. GnuTLS MACs : the list will contain `macs'.
GnuTLS digests : the list will contain `digests'. GnuTLS digests : the list will contain `digests'.
GnuTLS symmetric ciphers: the list will contain `ciphers'. GnuTLS symmetric ciphers: the list will contain `ciphers'.
GnuTLS AEAD ciphers : the list will contain `AEAD-ciphers'. */) GnuTLS AEAD ciphers : the list will contain `AEAD-ciphers'.
%DUMBFW : the list will contain `ClientHello\ Padding'.
Any GnuTLS extension with ID up to 100
: the list will contain its name. */)
(void) (void)
{ {
Lisp_Object capabilities = Qnil; Lisp_Object capabilities = Qnil;
@ -2436,6 +2439,15 @@ GnuTLS AEAD ciphers : the list will contain `AEAD-ciphers'. */)
capabilities = Fcons (intern("macs"), capabilities); capabilities = Fcons (intern("macs"), capabilities);
# endif /* HAVE_GNUTLS3 */ # endif /* HAVE_GNUTLS3 */
for (unsigned int ext=0; ext < 100; ext++)
{
const char* name = gnutls_ext_get_name(ext);
if (name != NULL)
{
capabilities = Fcons (intern(name), capabilities);
}
}
# ifdef WINDOWSNT # ifdef WINDOWSNT
Lisp_Object found = Fassq (Qgnutls, Vlibrary_cache); Lisp_Object found = Fassq (Qgnutls, Vlibrary_cache);
if (CONSP (found)) if (CONSP (found))