From: Lawrence Mitchell
Newsgroups: gmane.emacs.bugs
Subject: bug#9036: [PATCH] gnutls: Add option to set minimum acceptable Diffie-Hellman key size
Date: Sat, 9 Jul 2011 15:44:28 +0100
Message-ID: <87ei1zpl0x.fsf@ed.ac.uk>
To: 9036@debbugs.gnu.org

* gnutls.c (Qgnutls_bootprop_min_prime_bits): New variable.
(Fgnutls_boot): Use it.
* net/gnutls.el (gnutls-min-prime-bits): New variable.
(gnutls-negotiate): Use it.

The default acceptable key size used by gnutls in Diffie-Hellman key
exchange is larger than that advertised by many servers.  Introduce a
customization option to set the minimum acceptable value so that we
can still connect to such servers using TLS.
---

With the recent gnutls changes I could no longer send mail with
STARTTLS since the smtp server I connect to only advertises a D-H key
with 512 bits.  This is smaller than the default value gnutls allows
and so the connection would be aborted.  This patch adds the ability
to set the minimum acceptable size of key, so that I can send email
again!

lisp/ChangeLog | 5 +++++ lisp/net/gnutls.el | 22 ++++++++++++++++++++-- src/ChangeLog | 5 +++++ src/gnutls.c | 16 ++++++++++++++++ 4 files changed, 46 insertions(+), 2 deletions(-) diff --git a/lisp/ChangeLog b/lisp/ChangeLog index c3162c3..ca20415 100644 --- a/lisp/ChangeLog +++ b/lisp/ChangeLog @@ -1,3 +1,8 @@ +2011-07-09 Lawrence Mitchell + + * net/gnutls.el (gnutls-min-prime-bits): New variable. + (gnutls-negotiate): Use it. + 2011-07-07 Lars Magne Ingebrigtsen * mail/smtpmail.el (smtpmail-stream-type): Note that `plain' can diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el index 67d7b2d..83726d0 100644 --- a/lisp/net/gnutls.el +++ b/lisp/net/gnutls.el @@ -47,6 +47,19 @@ :type 'integer :group 'gnutls) +;;;###autoload +(defcustom gnutls-min-prime-bits nil + "The minimum number of bits to be used in Diffie-Hellman key exchange. + +This sets the minimum accepted size of the key to be used in a +client-server handshake. If the server sends a prime with fewer than +the specified number of bits the handshake will fail. + +A value of nil says to use the default gnutls value." + :type '(choice (const :tag "Use default value" nil) + (integer :tag "Number of bits" 512)) + :group 'gnutls) + (defun open-gnutls-stream (name buffer host service) "Open a SSL/TLS connection for a service to a host. Returns a subprocess-object to represent the connection. @@ -90,8 +103,8 @@ trust and key files, and priority string." (defun* gnutls-negotiate (&rest spec &key process type hostname priority-string - trustfiles crlfiles keylist verify-flags - verify-error verify-hostname-error + trustfiles crlfiles keylist min-prime-bits + verify-flags verify-error verify-hostname-error &allow-other-keys) "Negotiate a SSL/TLS connection. Returns proc. Signals gnutls-error. 
@@ -104,6 +117,9 @@ PRIORITY-STRING is as per the GnuTLS docs, default is \"NORMAL\". TRUSTFILES is a list of CA bundles. CRLFILES is a list of CRL files. KEYLIST is an alist of (client key file, client cert file) pairs. +MIN-PRIME-BITS is the minimum acceptable size of Diffie-Hellman keys +\(see `gnutls-min-prime-bits' for more information). Use nil for the +default. When VERIFY-HOSTNAME-ERROR is not nil, an error will be raised when the hostname does not match the presented certificate's host @@ -146,9 +162,11 @@ defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT." "NORMAL:+ANON-DH:!ARCFOUR-128") ((eq type 'gnutls-x509pki) "NORMAL")))) + (min-prime-bits (or min-prime-bits gnutls-min-prime-bits)) (params `(:priority ,priority-string :hostname ,hostname :loglevel ,gnutls-log-level + :min-prime-bits ,min-prime-bits :trustfiles ,trustfiles :crlfiles ,crlfiles :keylist ,keylist diff --git a/src/ChangeLog b/src/ChangeLog index ac20a60..7ea45e7 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,8 @@ +2011-07-09 Lawrence Mitchell + + * gnutls.c (Qgnutls_bootprop_min_prime_bits): New variable. + (Fgnutls_boot): Use it. + 2011-07-07 Kenichi Handa * character.h (unicode_category_t): New enum type. diff --git a/src/gnutls.c b/src/gnutls.c index 76cfa5d..26a88a7 100644 --- a/src/gnutls.c +++ b/src/gnutls.c @@ -50,6 +50,7 @@ static Lisp_Object Qgnutls_bootprop_crlfiles; static Lisp_Object Qgnutls_bootprop_callbacks; static Lisp_Object Qgnutls_bootprop_loglevel; static Lisp_Object Qgnutls_bootprop_hostname; +static Lisp_Object Qgnutls_bootprop_min_prime_bits; static Lisp_Object Qgnutls_bootprop_verify_flags; static Lisp_Object Qgnutls_bootprop_verify_hostname_error; 
@@ -105,6 +106,8 @@ DEF_GNUTLS_FN (int, gnutls_certificate_verify_peers2, DEF_GNUTLS_FN (int, gnutls_credentials_set, (gnutls_session_t, gnutls_credentials_type_t, void *)); DEF_GNUTLS_FN (void, gnutls_deinit, (gnutls_session_t)); +DEF_GNUTLS_FN (void, gnutls_dh_set_prime_bits, + (gnutls_session_t, unsigned int)); DEF_GNUTLS_FN (int, gnutls_error_is_fatal, (int)); DEF_GNUTLS_FN (int, gnutls_global_init, (void)); DEF_GNUTLS_FN (void, gnutls_global_set_log_function, (gnutls_log_func)); @@ -167,6 +170,7 @@ init_gnutls_functions (Lisp_Object libraries) LOAD_GNUTLS_FN (library, gnutls_certificate_verify_peers2); LOAD_GNUTLS_FN (library, gnutls_credentials_set); LOAD_GNUTLS_FN (library, gnutls_deinit); + LOAD_GNUTLS_FN (library, gnutls_dh_set_prime_bits); LOAD_GNUTLS_FN (library, gnutls_error_is_fatal); LOAD_GNUTLS_FN (library, gnutls_global_init); LOAD_GNUTLS_FN (library, gnutls_global_set_log_function); @@ -213,6 +217,7 @@ init_gnutls_functions (Lisp_Object libraries) #define fn_gnutls_certificate_verify_peers2 gnutls_certificate_verify_peers2 #define fn_gnutls_credentials_set gnutls_credentials_set #define fn_gnutls_deinit gnutls_deinit +#define fn_gnutls_dh_set_prime_bits gnutls_dh_set_prime_bits #define fn_gnutls_error_is_fatal gnutls_error_is_fatal #define fn_gnutls_global_init gnutls_global_init #define fn_gnutls_global_set_log_function gnutls_global_set_log_function @@ -641,6 +646,9 @@ gnutls_certificate_set_verify_flags. :verify-hostname-error, if non-nil, makes a hostname mismatch an error. Otherwise it will be just a warning. +:min-prime-bits is the minimum accepted number of bits the client will +accept in Diffie-Hellman key exchange. + The debug level will be set for this process AND globally for GnuTLS. So if you set it higher or lower at any point, it affects global debugging. 
@@ -693,6 +701,7 @@ one trustfile (usually a CA bundle). */) Lisp_Object verify_flags; /* Lisp_Object verify_error; */ Lisp_Object verify_hostname_error; + Lisp_Object prime_bits; CHECK_PROCESS (proc); CHECK_SYMBOL (type); @@ -714,6 +723,7 @@ one trustfile (usually a CA bundle). */) verify_flags = Fplist_get (proplist, Qgnutls_bootprop_verify_flags); /* verify_error = Fplist_get (proplist, Qgnutls_bootprop_verify_error); */ verify_hostname_error = Fplist_get (proplist, Qgnutls_bootprop_verify_hostname_error); + prime_bits = Fplist_get (proplist, Qgnutls_bootprop_min_prime_bits); if (!STRINGP (hostname)) error ("gnutls-boot: invalid :hostname parameter"); @@ -931,6 +941,11 @@ one trustfile (usually a CA bundle). */) GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_PRIORITY; + if (!EQ (prime_bits, Qnil)) + { + fn_gnutls_dh_set_prime_bits (state, XUINT (prime_bits)); + } + if (EQ (type, Qgnutls_x509pki)) { ret = fn_gnutls_credentials_set (state, GNUTLS_CRD_CERTIFICATE, x509_cred); @@ -1109,6 +1124,7 @@ syms_of_gnutls (void) DEFSYM (Qgnutls_bootprop_crlfiles, ":crlfiles"); DEFSYM (Qgnutls_bootprop_callbacks, ":callbacks"); DEFSYM (Qgnutls_bootprop_callbacks_verify, "verify"); + DEFSYM (Qgnutls_bootprop_min_prime_bits, ":min-prime-bits"); DEFSYM (Qgnutls_bootprop_loglevel, ":loglevel"); DEFSYM (Qgnutls_bootprop_verify_flags, ":verify-flags"); DEFSYM (Qgnutls_bootprop_verify_hostname_error, ":verify-hostname-error"); -- 1.7.6.131.g99019
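
Review bot: In the lisp/net/gnutls.el hunk that adds `gnutls-min-prime-bits`, the docstring does not say that setting a value below the GnuTLS default weakens the Diffie-Hellman exchange, and the customize type pre-fills a small size via `(integer :tag "Number of bits" 512)`. Because `gnutls-negotiate` falls back to this global through `(or min-prime-bits gnutls-min-prime-bits)`, the lowered floor applies to every call that does not pass its own value. I would state that trade-off in the docstring, point users at the per-connection MIN-PRIME-BITS keyword for the one server that needs it, and drop the 512 pre-fill so the customize UI does not suggest it.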
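
Review bot: In the src/gnutls.c hunk after `GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_PRIORITY;`, `prime_bits` is only tested against `Qnil` before being handed to `XUINT (prime_bits)`, so a non-integer or negative :min-prime-bits is reinterpreted as an unsigned value and passed to `fn_gnutls_dh_set_prime_bits` unchecked. The same function already validates other properties where they are read (`if (!STRINGP (hostname)) error ("gnutls-boot: invalid :hostname parameter");`), so I would do the same here: accept nil, otherwise require a non-negative integer (for example with an `INTEGERP` test or `CHECK_NATNUM`) and signal an error for anything else.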
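
Review bot: The `:min-prime-bits` entry added to the `gnutls-boot` docstring in src/gnutls.c ("the minimum accepted number of bits the client will accept") is redundant and leaves out two things the gnutls.el docstring does say: that the check is on the size of the prime the server sends, and that nil keeps the GnuTLS default. Suggest rewording it to match, so the C-level and Lisp-level documentation describe the parameter the same way.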