diff options
author | Ted Zlatanov <tzz@lifelogs.com> | 2017-12-19 12:43:56 -0500 |
---|---|---|
committer | Ted Zlatanov <tzz@lifelogs.com> | 2017-12-19 12:43:56 -0500 |
commit | 21a212f9e256a05a0fc67260d338d612cba77266 (patch) | |
tree | c9591613b9122827a7d657adddbc672a48006c16 /lisp/net/gnutls.el | |
parent | 936136ecab567a2ca320df080595a5fd2693b4c3 (diff) | |
download | emacs-21a212f9e256a05a0fc67260d338d612cba77266.tar.gz |
Collect GnuTLS extensions and use them to set %DUMBFW if supported
* lisp/net/gnutls.el (gnutls-boot-parameters): Use it to set %DUMBFW
only when it's supported as "ClientHello Padding" (Bug#25061).
* src/gnutls.c (Fgnutls_available_p): Get extension names and
put them in the GnuTLS capabilities, using a hard-coded limit
of 100 since GnuTLS MAX_EXT_TYPES is not exported.
Diffstat (limited to 'lisp/net/gnutls.el')
-rw-r--r-- | lisp/net/gnutls.el | 58 |
1 files changed, 31 insertions, 27 deletions
diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el index a406b0b07fd..608b6cfe9e8 100644 --- a/lisp/net/gnutls.el +++ b/lisp/net/gnutls.el @@ -261,33 +261,37 @@ here's a recent version of the list. It must be omitted, a number, or nil; if omitted or nil it defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT." - (let ((trustfiles (or trustfiles (gnutls-trustfiles))) - (priority-string (or priority-string - (cond - ((eq type 'gnutls-anon) - "NORMAL:+ANON-DH:!ARCFOUR-128:%DUMBFW") - ((eq type 'gnutls-x509pki) - (if gnutls-algorithm-priority - (upcase gnutls-algorithm-priority) - "NORMAL:%DUMBFW"))))) - (verify-error (or verify-error - ;; this uses the value of `gnutls-verify-error' - (cond - ;; if t, pass it on - ((eq gnutls-verify-error t) - t) - ;; if a list, look for hostname matches - ((listp gnutls-verify-error) - (apply 'append - (mapcar - (lambda (check) - (when (string-match (nth 0 check) - hostname) - (nth 1 check))) - gnutls-verify-error))) - ;; else it's nil - (t nil)))) - (min-prime-bits (or min-prime-bits gnutls-min-prime-bits))) + (let* ((trustfiles (or trustfiles (gnutls-trustfiles))) + (maybe-dumbfw (if (memq 'ClientHello\ Padding (gnutls-available-p)) + ":%DUMBFW" + "")) + (priority-string (or priority-string + (cond + ((eq type 'gnutls-anon) + (concat "NORMAL:+ANON-DH:!ARCFOUR-128" + maybe-dumbfw)) + ((eq type 'gnutls-x509pki) + (if gnutls-algorithm-priority + (upcase gnutls-algorithm-priority) + (concat "NORMAL" maybe-dumbfw)))))) + (verify-error (or verify-error + ;; this uses the value of `gnutls-verify-error' + (cond + ;; if t, pass it on + ((eq gnutls-verify-error t) + t) + ;; if a list, look for hostname matches + ((listp gnutls-verify-error) + (apply 'append + (mapcar + (lambda (check) + (when (string-match (nth 0 check) + hostname) + (nth 1 check))) + gnutls-verify-error))) + ;; else it's nil + (t nil)))) + (min-prime-bits (or min-prime-bits gnutls-min-prime-bits))) (when verify-hostname-error (push :hostname verify-error)) |