On Saturday, 7 September 2013, 12:16:56, Daniel Kahn Gillmor wrote:
> On 09/07/2013 12:10 PM, Daniel Kahn Gillmor wrote:
> > it might be better to do a runtime check (e.g. using
> > gnutls_check_version(NULL) >= 0x030204) instead of a compile-time check.
> 
> sigh.  that is of course the wrong code.  to do a proper runtime check,
> it should be:
> 
>  if (gnutls_check_version("3.2.4"))
>     err = gnutls_priority_set_direct (session, "PFS", NULL);
>  else
>     err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);

Of course that is much better than a compile-time check.
I was not aware of gnutls_check_version(), thanks for your review!

@Giuseppe: Please apply the attached patch.

Tim
From df5275a504a6d410b084aa9f5023f7638a2731a1 Mon Sep 17 00:00:00 2001
From: Tim Ruehsen <[email protected]>
Date: Sat, 7 Sep 2013 21:34:37 +0200
Subject: [PATCH] PFS runtime check

---
 src/ChangeLog | 6 ++++++
 src/gnutls.c  | 9 ++++-----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index ee7a53e..787c9c6 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,9 @@
+2013-09-07  Tim Ruehsen  <[email protected]>
+
+	* gnutls.c (ssl_connect_wget): use gnutls_check_version()
+	  to check if option "PFS" is available
+	  Reported by: Daniel Kahn Gillmor <[email protected]>
+
 2013-09-03  Tim Ruehsen  <[email protected]>
 
 	* main.c: Add new value 'PFS' to --secure-protocol to
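Review bot: The ChangeLog entry describes the check ("to check if option "PFS" is available") but not what the code does when the check fails; add the fallback so the entry matches the gnutls.c hunk, e.g. `fall back to "NORMAL:-RSA" with libraries older than 3.2.4`.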
diff --git a/src/gnutls.c b/src/gnutls.c
index ce61d06..94dfaed 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -443,11 +443,10 @@ ssl_connect_wget (int fd, const char *hostname)
       err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0", NULL);
       break;
     case secure_protocol_pfs:
-#if defined (GNUTLS_VERSION_NUMBER) && GNUTLS_VERSION_NUMBER >= 0x030204
-      err = gnutls_priority_set_direct (session, "PFS", NULL);
-#else
-      err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
-#endif
+      if (gnutls_check_version("3.2.4"))
+        err = gnutls_priority_set_direct (session, "PFS", NULL);
+      else
+        err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
       break;
     default:
       abort ();
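Review bot: Style on the new `if (gnutls_check_version("3.2.4"))` line: the surrounding code, including the two `gnutls_priority_set_direct (session, ...)` calls in the same hunk, puts a space before the opening parenthesis, so write `gnutls_check_version ("3.2.4")`. A one-line comment above the `if` would also help a later reader: gnutls_check_version() returns non-NULL only when the library actually loaded is at least 3.2.4, the first version that understands the "PFS" keyword, and "NORMAL:-RSA" is the approximation used for older libraries; without that note someone may be tempted to bring back the removed GNUTLS_VERSION_NUMBER test, which only reflects the headers present at build time, not the shared library at run time.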
-- 
1.8.4.rc3
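As an added example, not code from this thread, wget or GnuTLS, the following C program models the build-time versus run-time distinction Daniel raised above: it packs version strings into the 0xMMmmpp layout of GNUTLS_VERSION_NUMBER, stands in for gnutls_check_version() with the running version passed in explicitly, and shows which priority string each approach selects when the build headers and the loaded library disagree. All function names and the version scenarios are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not wget or GnuTLS code.  The real gnutls_check_version (req)
 * returns the loaded library's version string when it is >= req, else NULL;
 * here the running version is passed in so this runs without libgnutls. */

/* Pack "MAJOR.MINOR.PATCH" into the 0xMMmmpp layout of GNUTLS_VERSION_NUMBER
 * (0x030204 is "3.2.4"); returns 0 when the string is not a dotted triple. */
unsigned pack_version (const char *s)
{
  unsigned maj = 0, min = 0, pat = 0;
  if (sscanf (s, "%u.%u.%u", &maj, &min, &pat) != 3)
    return 0;
  return (maj << 16) | (min << 8) | pat;
}

/* Stand-in for gnutls_check_version (): the running version string when
 * running >= required, otherwise NULL.  Comparing this pointer against
 * 0x030204, as the first quoted mail did, is the mistake being corrected. */
const char *mock_check_version (const char *running, const char *required)
{
  return pack_version (running) >= pack_version (required) ? running : NULL;
}

/* Priority string the removed #if block baked in from the build headers. */
const char *priority_compile_time (const char *header_version)
{
  return pack_version (header_version) >= 0x030204 ? "PFS" : "NORMAL:-RSA";
}

/* Priority string chosen at run time, as the patch now does it. */
const char *priority_runtime (const char *running_version)
{
  return mock_check_version (running_version, "3.2.4") ? "PFS" : "NORMAL:-RSA";
}

int main (void)
{
  /* Constructed mismatch: built against 3.2.3 headers, run with 3.2.5; the
   * build-time choice silently loses PFS, the runtime choice keeps it. */
  printf ("headers 3.2.3 -> %s\n", priority_compile_time ("3.2.3"));
  printf ("library 3.2.5 -> %s\n", priority_runtime ("3.2.5"));
  /* Reverse mismatch: 3.2.4 headers but an older 3.1.x library loaded, where
   * "PFS" is not yet a known keyword; only the runtime choice is safe. */
  printf ("headers 3.2.4 -> %s\n", priority_compile_time ("3.2.4"));
  printf ("library 3.1.20 -> %s\n", priority_runtime ("3.1.20"));
  return 0;
}
```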
