From 80376945952943888bb34c7d4ea06972e422eca7 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Fri, 23 Aug 2019 11:50:40 -0700
Subject: [PATCH] Tweak gnutls-peer-status reporting
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

* src/gnutls.c (Fgnutls_peer_status): Report :compression and :encrypt-then-mac only if the underlying GnuTLS library has the corresponding features. This give the Elisp caller a bit more information about the peer status.
* lisp/net/nsm.el (nsm-protocol-check--compression): Don’t worry about compression in newer GnuTLS versions that do not support compression.
---
 lisp/net/nsm.el | 3 ++-
 src/gnutls.c | 16 +++++++---------
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
index ed700bc9b5d..5e8381075be 100644
--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -692,7 +692,8 @@ Sheffer, Holz, Saint-Andre (May 2015). \"Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)\", `https://tools.ietf.org/html/rfc7525'"
 (let ((compression (plist-get status :compression)))
- (and (string-match "^\\bDEFLATE\\b" compression)
+ (and compression
+ (string-match "^\\bDEFLATE\\b" compression)
 (format-message "compression method (%s) may lead to leakage of sensitive information" compression))))
diff --git a/src/gnutls.c b/src/gnutls.c
index 51536b14632..a7ef59ab919 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
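Review bot: The new `(and compression ...)` guard makes a missing `:compression` entry pass the check silently, and nothing in the hunk records why that is the intended outcome. A one-line comment would keep the next reader from "fixing" it back: `;; nil means this GnuTLS build has no compression support, so there is nothing to check.` The guard also means a status plist that lacks `:compression` for any other reason (a malformed or non-GnuTLS status) is treated as safe, which is presumably acceptable here but worth stating next to the check. `nsm-protocol-check--compression` begins before the hunk; only the tail of its docstring is visible.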
@@ -1493,20 +1493,18 @@ returned as the :certificate entry. */)

 /* Compression name. */
 #ifdef HAVE_GNUTLS_COMPRESSION_GET
- Lisp_Object compression = build_string (gnutls_compression_get_name
- (gnutls_compression_get (state)));
-#else
- Lisp_Object compression = build_string ("NULL");
+ result = nconc2
+ (result, list2 (intern (":compression"),
+ build_string (gnutls_compression_get_name
+ (gnutls_compression_get (state)))));
 #endif
- result = nconc2 (result, list2 (intern (":compression"), compression));

 /* Encrypt-then-MAC. */
- Lisp_Object etm_status = Qnil;
 #ifdef HAVE_GNUTLS_ETM_STATUS
- if (gnutls_session_etm_status (state))
- etm_status = Qt;
+ result = nconc2
+ (result, list2 (intern (":encrypt-then-mac"),
+ gnutls_session_etm_status (state) ? Qt : Qnil));
 #endif
- result = nconc2 (result, list2 (intern (":encrypt-then-mac"), etm_status));

 /* Renegotiation Indication */
 result = nconc2
-- 
2.39.2
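Review bot: The new `:compression` entry passes the result of `gnutls_compression_get_name` straight into `build_string`, and GnuTLS documents that function as returning NULL for an algorithm it does not know, in which case `build_string (NULL)` would dereference a null pointer in `strlen`. The removed code had the same exposure, but since the expression is being rewritten anyway a guard is cheap: `const char *name = gnutls_compression_get_name (gnutls_compression_get (state));` followed by `if (name) result = nconc2 (result, list2 (intern (":compression"), build_string (name)));`. Separately, now that both keys are omitted rather than reported as `"NULL"`/nil when the library lacks the feature, the `gnutls-peer-status` docstring (outside this hunk) should state that `:compression` and `:encrypt-then-mac` are present only when the underlying GnuTLS supports them, since Elisp callers can no longer assume the keys exist. `Fgnutls_peer_status` starts and ends outside the hunk.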