author@Ajit <ajeetsinghchahar2@gmail.com>2023-04-01 23:05:00 +0000
committerDaiki Ueno <ueno@gnu.org>2023-04-01 23:05:00 +0000
commitb6b71c8b70061eb5a489443ba82c90df948da95b (patch)
treef7f2681f3ef0a6af8ec6148ef260ef151775d0d8 /tests/tls13/prf-early.c
parentb3fe5c229474a4dd0e74e955afb6bdc5d54c462d (diff)
hello_ext: add ClientHello extension permutation
This adds a mechanism to randomize the order of TLS extensions in the ClientHello to make fingerprinting harder. The mechanism is enabled by default and a new priority keyword %NO_EXTS_SHUFFLE has been added to turn it off. Signed-off-by: peonix <ajeetsinghchahar2@gmail.com>
Diffstat (limited to 'tests/tls13/prf-early.c')
-rw-r--r--tests/tls13/prf-early.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/tests/tls13/prf-early.c b/tests/tls13/prf-early.c
index a21bc1c7a4..0df9a18abd 100644
--- a/tests/tls13/prf-early.c
+++ b/tests/tls13/prf-early.c
@@ -183,9 +183,9 @@ static void client(int sds[])
*/
gnutls_init(&session, GNUTLS_CLIENT);
- /* Use default priorities */
+ /* Use default priorities, sets %NO_EXTS_SHUFFLE */
ret = gnutls_priority_set_direct(session,
- "NONE:+VERS-TLS1.3:+AES-256-GCM:+AEAD:+SIGN-RSA-PSS-RSAE-SHA384:+GROUP-SECP256R1",
+ "NONE:+VERS-TLS1.3:+AES-256-GCM:+AEAD:+SIGN-RSA-PSS-RSAE-SHA384:+GROUP-SECP256R1:%NO_EXTS_SHUFFLE",
&err);
if (ret < 0) {
fail("client: priority set failed (%s): %s\n",
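Review bot: The updated comment above `gnutls_priority_set_direct()` still says "default priorities" although the string starts from `NONE`, and it does not say why the ClientHello extension shuffle is switched off here. Presumably this test compares early PRF output against fixed expected values, so the ClientHello bytes have to be reproducible; if that is the reason, state it, e.g. `/* Explicit priorities; %NO_EXTS_SHUFFLE keeps the ClientHello extension order fixed so the expected PRF values stay reproducible (test only) */`. Marking it as test-only also helps keep the keyword from being copied into real client configurations, where it would undo the anti-fingerprinting measure this commit introduces. The body of `client()` starts and ends outside the hunk.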