From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Ted Zlatanov <tzz@lifelogs.com>
Newsgroups: gmane.emacs.devel
Subject: Re: using GnuTLS 3.x and certificate checks
Date: Mon, 07 Oct 2013 18:24:39 -0400
Organization: =?utf-8?B?0KLQtdC+0LTQvtGAINCX0LvQsNGC0LDQvdC+0LI=?= @ Cienfuegos
Message-ID: <87pprgzplk.fsf@flea.lifelogs.com>
References: <87zjxumbjf.fsf@wanadoo.es> <86fvzj2gkz.fsf@gmail.com>
	<87sj3jaqfs.fsf@wanadoo.es> <83y5dazmpt.fsf@gnu.org>
	<86ehf2zefk.fsf@gmail.com> <86li9az2sw.fsf@gmail.com>
	<83hajyz1mi.fsf@gnu.org> <867gku88lx.fsf@gmail.com>
	<83a9pqysc5.fsf@gnu.org> <86sj3i6ndd.fsf@gmail.com>
	<83620eyonh.fsf@gnu.org> <86620dqmsd.fsf@gmail.com>
	<83r4j1xmim.fsf@gnu.org> <86y5d9p4oh.fsf@gmail.com>
	<83ppylxidt.fsf@gnu.org> <86txnxoz1k.fsf@gmail.com>
	<83hajxxd5c.fsf@gnu.org> <874nfxt219.fsf_-_@lifelogs.com>
	<87y5aozj3l.fsf@lifelogs.com> <87k3m8wa44.fsf@lifelogs.com>
	<877gi7wfr7.fsf@lifelogs.com>
Reply-To: emacs-devel@gnu.org
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Trace: ger.gmane.org 1381184687 26874 80.91.229.3 (7 Oct 2013 22:24:47 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Mon, 7 Oct 2013 22:24:47 +0000 (UTC)
To: emacs-devel@gnu.org
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Tue Oct 08 00:24:51 2013
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1VTJEQ-0000zE-Os
	for ged-emacs-devel@m.gmane.org; Tue, 08 Oct 2013 00:24:51 +0200
Original-Received: from localhost ([::1]:33679 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1VTJEQ-0000QU-11
	for ged-emacs-devel@m.gmane.org; Mon, 07 Oct 2013 18:24:50 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:53596)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ged-emacs-devel@m.gmane.org>) id 1VTJEJ-0000QE-Dl
	for emacs-devel@gnu.org; Mon, 07 Oct 2013 18:24:47 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ged-emacs-devel@m.gmane.org>) id 1VTJEF-0007SW-5a
	for emacs-devel@gnu.org; Mon, 07 Oct 2013 18:24:43 -0400
Original-Received: from plane.gmane.org ([80.91.229.3]:42117)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ged-emacs-devel@m.gmane.org>) id 1VTJEE-0007SL-R0
	for emacs-devel@gnu.org; Mon, 07 Oct 2013 18:24:39 -0400
Original-Received: from list by plane.gmane.org with local (Exim 4.69)
	(envelope-from <ged-emacs-devel@m.gmane.org>) id 1VTJED-0000wE-46
	for emacs-devel@gnu.org; Tue, 08 Oct 2013 00:24:37 +0200
Original-Received: from c-98-229-61-72.hsd1.ma.comcast.net ([98.229.61.72])
	by main.gmane.org with esmtp (Gmexim 0.1 (Debian))
	id 1AlnuQ-0007hv-00
	for <emacs-devel@gnu.org>; Tue, 08 Oct 2013 00:24:37 +0200
Original-Received: from tzz by c-98-229-61-72.hsd1.ma.comcast.net with local (Gmexim
	0.1 (Debian)) id 1AlnuQ-0007hv-00
	for <emacs-devel@gnu.org>; Tue, 08 Oct 2013 00:24:37 +0200
X-Injected-Via-Gmane: http://gmane.org/
Mail-Followup-To: emacs-devel@gnu.org
Original-Lines: 136
Original-X-Complaints-To: usenet@ger.gmane.org
X-Gmane-NNTP-Posting-Host: c-98-229-61-72.hsd1.ma.comcast.net
X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6;
	d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT=
	D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx"
Mail-Copies-To: never
User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux)
Cancel-Lock: sha1:18AzwTzXAo03GcpSbJdJRZ4bnzI=
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
	recognized.
X-Received-From: 80.91.229.3
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.devel:163975
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/163975>

--=-=-=
Content-Type: text/plain

On Wed, 05 Jun 2013 11:13:18 -0400 Ted Zlatanov <tzz@lifelogs.com> wrote: 
TZ> Without comments, I will assume a general OK on these two things:

TZ> - move to the GnuTLS 3.x API and require that version of the libraries.

Related to this discussion and to bug#14774 (audit_log function, which
is only in GnuTLS 3.x)...

I found that many platforms are still on GnuTLS 2.x.  Unfortunately I
think we should keep compatibility with 2.x for a while longer and make
the 3.x features optional.  I hate that ambiguity and testing is made
harder, but OTOH we would keep supporting many users.

Here's a simple patch that finds GnuTLS 3.x and sets HAVE_GNUTLS3.  In
that case we set the audit_log function; otherwise we keep
compatibility.  Note the configure message that GnuTLS 3.x is highly
recommended.

Let me know what you think and if I should be more forceful here.  If I
should keep the compatibility path I will also add a
`gnutls-library-version' string variable so ELisp code can use it and
start moving on the tasks listed in this thread.

Thanks
Ted


--=-=-=
Content-Type: text/x-diff
Content-Disposition: attachment; filename=gnutlsv3.patch

=== modified file 'configure.ac'
--- configure.ac	2013-09-25 03:44:34 +0000
+++ configure.ac	2013-10-07 21:11:24 +0000
@@ -2425,12 +2425,18 @@
 AC_SUBST(LIBSELINUX_LIBS)
 
 HAVE_GNUTLS=no
+HAVE_GNUTLS3=no
 if test "${with_gnutls}" = "yes" ; then
   PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 2.6.6], HAVE_GNUTLS=yes, HAVE_GNUTLS=no)
+  PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 3.0.0], HAVE_GNUTLS3=yes, HAVE_GNUTLS3=no)
   if test "${HAVE_GNUTLS}" = "yes"; then
     AC_DEFINE(HAVE_GNUTLS, 1, [Define if using GnuTLS.])
   fi
 
+  if test "${HAVE_GNUTLS3}" = "yes"; then
+    AC_DEFINE(HAVE_GNUTLS3, 1, [Define if using GnuTLS v3.])
+  fi
+
   # Windows loads GnuTLS dynamically
   if test "${opsys}" = "mingw32"; then
     LIBGNUTLS_LIBS=
@@ -4934,6 +4940,7 @@
 echo "  Does Emacs use access control lists?                    ${acl_summary}"
 echo "  Does Emacs use -lselinux?                               ${HAVE_LIBSELINUX}"
 echo "  Does Emacs use -lgnutls?                                ${HAVE_GNUTLS}"
+echo "  Does Emacs use -lgnutls v3 (HIGHLY RECOMMENDED)?        ${HAVE_GNUTLS3}"
 echo "  Does Emacs use -lxml2?                                  ${HAVE_LIBXML2}"
 
 echo "  Does Emacs use -lfreetype?                              ${HAVE_FREETYPE}"

=== modified file 'src/gnutls.c'
--- src/gnutls.c	2013-01-02 16:13:04 +0000
+++ src/gnutls.c	2013-10-07 22:14:55 +0000
@@ -55,6 +55,7 @@
 static Lisp_Object QCgnutls_bootprop_callbacks_verify;
 
 static void gnutls_log_function (int, const char *);
+static void gnutls_audit_log_function (gnutls_session_t, const char *);
 static void gnutls_log_function2 (int, const char*, const char*);
 
 
@@ -108,6 +109,9 @@
 DEF_GNUTLS_FN (int, gnutls_error_is_fatal, (int));
 DEF_GNUTLS_FN (int, gnutls_global_init, (void));
 DEF_GNUTLS_FN (void, gnutls_global_set_log_function, (gnutls_log_func));
+#ifdef HAVE_GNUTLS3
+DEF_GNUTLS_FN (void, gnutls_global_set_audit_log_function, (gnutls_audit_log_func));
+#endif
 DEF_GNUTLS_FN (void, gnutls_global_set_log_level, (int));
 DEF_GNUTLS_FN (void, gnutls_global_set_mem_functions,
 	       (gnutls_alloc_function, gnutls_alloc_function,
@@ -173,6 +177,9 @@
   LOAD_GNUTLS_FN (library, gnutls_error_is_fatal);
   LOAD_GNUTLS_FN (library, gnutls_global_init);
   LOAD_GNUTLS_FN (library, gnutls_global_set_log_function);
+#ifdef HAVE_GNUTLS3
+  LOAD_GNUTLS_FN (library, gnutls_global_set_audit_log_function);
+#endif
   LOAD_GNUTLS_FN (library, gnutls_global_set_log_level);
   LOAD_GNUTLS_FN (library, gnutls_global_set_mem_functions);
   LOAD_GNUTLS_FN (library, gnutls_handshake);
@@ -230,6 +237,9 @@
 #define fn_gnutls_error_is_fatal		gnutls_error_is_fatal
 #define fn_gnutls_global_init			gnutls_global_init
 #define fn_gnutls_global_set_log_function	gnutls_global_set_log_function
+#ifdef HAVE_GNUTLS3
+#define fn_gnutls_global_set_audit_log_function	gnutls_global_set_audit_log_function
+#endif
 #define fn_gnutls_global_set_log_level		gnutls_global_set_log_level
 #define fn_gnutls_global_set_mem_functions	gnutls_global_set_mem_functions
 #define fn_gnutls_handshake			gnutls_handshake
@@ -249,6 +259,16 @@
 #endif /* !WINDOWSNT */
 
 
+/* Function to log a simple audit message.  */
+static void
+gnutls_audit_log_function (gnutls_session_t session, const char* string)
+{
+  if (global_gnutls_log_level >= 1)
+    {
+      message ("gnutls.c: [audit] %s", string);
+    }
+}
+
 /* Function to log a simple message.  */
 static void
 gnutls_log_function (int level, const char* string)
@@ -797,6 +817,9 @@
   if (TYPE_RANGED_INTEGERP (int, loglevel))
     {
       fn_gnutls_global_set_log_function (gnutls_log_function);
+#ifdef HAVE_GNUTLS3
+      fn_gnutls_global_set_audit_log_function (gnutls_audit_log_function);
+#endif
       fn_gnutls_global_set_log_level (XINT (loglevel));
       max_log_level = XINT (loglevel);
       XPROCESS (proc)->gnutls_log_level = max_log_level;


--=-=-=--