From: Paul Eggert
Newsgroups: gmane.emacs.devel
Subject: Re: The netsec thread
Date: Fri, 23 Aug 2019 01:19:19 -0700
Organization: UCLA Computer Science Department
Message-ID: <9308f549-adf8-e5c1-1bcd-beea2ddb0e0f@cs.ucla.edu>
In-Reply-To: <87o90gd1us.fsf@mouse.gnus.org>
References: <86zhyh7nli.fsf@gmail.com> <86pnzdrn8u.fsf@gmail.com> <834l36koak.fsf@gnu.org> <87pnlg7r83.fsf@mouse.gnus.org> <87o90gd1us.fsf@mouse.gnus.org>
To: Lars Ingebrigtsen, Robert Pluim
Cc: emacs-devel@gnu.org
Xref: news.gmane.org gmane.emacs.devel:239503

Lars Ingebrigtsen wrote:
> I've tried the resulting code, and everything seems to work OK to me,
> but please let me know whether you see any new TLS-related problems
> while browsing or something.
I had a problem building it on Fedora 30, which uses GnuTLS 3.6.8, because starting in GnuTLS 3.6 the functions gnutls_compression_get and gnutls_compression_get_name are deprecated and cause compile-time errors when one builds with --enable-gcc-warnings. If you override the compile-time errors, the compatibility stubs in libgnutls return null values, and some network-stream-tests fail. I temporarily worked around the build problem by installing the attached patch, which omits calls to these functions in GnuTLS 3.6 and later, but this doesn't fix the runtime issues. Is that something you could take a look at?

[Attachment: 0001-Get-the-Gnutls-code-compiling-on-Fedora-30.patch (text/x-patch)]

From 49a8c8506a8477fd27ba924f14aa196e0d0813f9 Mon Sep 17 00:00:00 2001
From: Paul Eggert Date: Fri, 23 Aug 2019 01:11:12 -0700 Subject: [PATCH] Get the Gnutls code compiling on Fedora 30 The recent changes caused the build to fail on Fedora 30 when built with --enable-gcc-warnings, among other things with diagnostics that gnutls_compression_get and gnutls_compression_get_name are deprecated (this started with GnuTLS 3.6). Fix this by refusing to call these obsolescent and now-dummy functions in GnuTLS 3.6 and later. However, this is just a temporary workaround to get the build working; a real fix is needed, as network-stream-tests fail. * src/gnutls.c (HAVE_GNUTLS_COMPRESSION_GET): New macro. (gnutls_compression_get, gnutls_compression_get_name): Define only if HAVE_GNUTLS_COMPRESSION_GET. (init_gnutls_functions): Load the two functions only if HAVE_GNUTLS_COMPRESSION_GET. (emacs_gnutls_certificate_export_pem): Use alloca instead of xmalloc. (Fgnutls_peer_status): Just return "NULL" if the functions are deprecated. (Fgnutls_format_certificate): Fix pointer signedness glitches. * src/process.c: Fix spacing. --- src/gnutls.c | 60 +++++++++++++++++++++++++++++++-------------------- src/process.c | 26 ++++++++++------------ 2 files changed, 48 insertions(+), 38 deletions(-) diff --git a/src/gnutls.c b/src/gnutls.c index db452e01aa..51536b1463 100644 --- a/src/gnutls.c +++ b/src/gnutls.c @@ -48,6 +48,10 @@ along with GNU Emacs. If not, see . */ # define HAVE_GNUTLS_ETM_STATUS #endif +#if GNUTLS_VERSION_NUMBER < 0x030600 +# define HAVE_GNUTLS_COMPRESSION_GET +#endif + /* gnutls_mac_get_nonce_size was added in GnuTLS 3.2.0, but was exported only since 3.3.0. */ #if GNUTLS_VERSION_NUMBER >= 0x030300 
@@ -217,10 +221,12 @@ DEF_DLL_FN (const char *, gnutls_cipher_get_name, (gnutls_cipher_algorithm_t)); DEF_DLL_FN (gnutls_mac_algorithm_t, gnutls_mac_get, (gnutls_session_t)); DEF_DLL_FN (const char *, gnutls_mac_get_name, (gnutls_mac_algorithm_t)); +#ifdef HAVE_GNUTLS_COMPRESSION_GET DEF_DLL_FN (gnutls_compression_method_t, gnutls_compression_get, (gnutls_session_t)); DEF_DLL_FN (const char *, gnutls_compression_get_name, (gnutls_compression_method_t)); +#endif DEF_DLL_FN (unsigned, gnutls_safe_renegotiation_status, (gnutls_session_t)); # ifdef HAVE_GNUTLS3 @@ -368,8 +374,10 @@ init_gnutls_functions (void) LOAD_DLL_FN (library, gnutls_cipher_get_name); LOAD_DLL_FN (library, gnutls_mac_get); LOAD_DLL_FN (library, gnutls_mac_get_name); +# ifdef HAVE_GNUTLS_COMPRESSION_GET LOAD_DLL_FN (library, gnutls_compression_get); LOAD_DLL_FN (library, gnutls_compression_get_name); +# endif LOAD_DLL_FN (library, gnutls_safe_renegotiation_status); # ifdef HAVE_GNUTLS3 LOAD_DLL_FN (library, gnutls_rnd); @@ -462,8 +470,10 @@ init_gnutls_functions (void) # define gnutls_kx_get_name fn_gnutls_kx_get_name # define gnutls_mac_get fn_gnutls_mac_get # define gnutls_mac_get_name fn_gnutls_mac_get_name -# define gnutls_compression_get fn_gnutls_compression_get -# define gnutls_compression_get_name fn_gnutls_compression_get_name +# ifdef HAVE_GNUTLS_COMPRESSION_GET +# define gnutls_compression_get fn_gnutls_compression_get +# define gnutls_compression_get_name fn_gnutls_compression_get_name +# endif # define gnutls_safe_renegotiation_status fn_gnutls_safe_renegotiation_status # define gnutls_pk_algorithm_get_name fn_gnutls_pk_algorithm_get_name # define gnutls_pk_bits_to_sec_param fn_gnutls_pk_bits_to_sec_param 
@@ -1082,17 +1092,18 @@ emacs_gnutls_certificate_export_pem (gnutls_x509_crt_t cert) if (err == GNUTLS_E_SHORT_MEMORY_BUFFER) { - unsigned char *buf = xmalloc(size * sizeof (unsigned char)); + USE_SAFE_ALLOCA; + char *buf = SAFE_ALLOCA (size); err = gnutls_x509_crt_export (cert, GNUTLS_X509_FMT_PEM, buf, &size); check_memory_full (err); if (err < GNUTLS_E_SUCCESS) - { - xfree (buf); - error ("GnuTLS certificate export error: %s", emacs_gnutls_strerror (err)); - } + error ("GnuTLS certificate export error: %s", + emacs_gnutls_strerror (err)); - return build_string(buf); + Lisp_Object result = build_string (buf); + SAFE_FREE (); + return result; } else if (err < GNUTLS_E_SUCCESS) error ("GnuTLS certificate export error: %s", emacs_gnutls_strerror (err)); @@ -1481,20 +1492,21 @@ returned as the :certificate entry. */) (gnutls_mac_get (state))))); /* Compression name. */ - result = nconc2 - (result, list2 (intern (":compression"), - build_string (gnutls_compression_get_name - (gnutls_compression_get (state))))); +#ifdef HAVE_GNUTLS_COMPRESSION_GET + Lisp_Object compression = build_string (gnutls_compression_get_name + (gnutls_compression_get (state))); +#else + Lisp_Object compression = build_string ("NULL"); +#endif + result = nconc2 (result, list2 (intern (":compression"), compression)); /* Encrypt-then-MAC. */ - result = nconc2 - (result, list2 (intern (":encrypt-then-mac"), + Lisp_Object etm_status = Qnil; #ifdef HAVE_GNUTLS_ETM_STATUS - gnutls_session_etm_status (state) ? Qt : Qnil -#else - Qnil + if (gnutls_session_etm_status (state)) + etm_status = Qt; #endif - )); + result = nconc2 (result, list2 (intern (":encrypt-then-mac"), etm_status)); /* Renegotiation Indication */ result = nconc2 
@@ -1561,7 +1573,8 @@ boot_error (struct Lisp_Process *p, const char *m, ...) va_end (ap); } -DEFUN ("gnutls-format-certificate", Fgnutls_format_certificate, Sgnutls_format_certificate, 1, 1, 0, +DEFUN ("gnutls-format-certificate", Fgnutls_format_certificate, + Sgnutls_format_certificate, 1, 1, 0, doc: /* Format a X.509 certificate to a string. Given a PEM-encoded X.509 certificate CERT, returns a human-readable @@ -1578,14 +1591,14 @@ string representation. */) if (err < GNUTLS_E_SUCCESS) error ("gnutls-format-certificate error: %s", emacs_gnutls_strerror (err)); - unsigned char *crt_buf = SDATA (cert); - gnutls_datum_t crt_data = { crt_buf, strlen (crt_buf) }; + gnutls_datum_t crt_data = { SDATA (cert), strlen (SSDATA (cert)) }; err = gnutls_x509_crt_import (crt, &crt_data, GNUTLS_X509_FMT_PEM); check_memory_full (err); if (err < GNUTLS_E_SUCCESS) { gnutls_x509_crt_deinit (crt); - error ("gnutls-format-certificate error: %s", emacs_gnutls_strerror (err)); + error ("gnutls-format-certificate error: %s", + emacs_gnutls_strerror (err)); } gnutls_datum_t out; @@ -1594,7 +1607,8 @@ string representation. */) if (err < GNUTLS_E_SUCCESS) { gnutls_x509_crt_deinit (crt); - error ("gnutls-format-certificate error: %s", emacs_gnutls_strerror (err)); + error ("gnutls-format-certificate error: %s", + emacs_gnutls_strerror (err)); } char *out_buf = xmalloc ((out.size + 1) * sizeof (char)); diff --git a/src/process.c b/src/process.c index 7097b7ace1..c3cc78afa2 100644 --- a/src/process.c +++ b/src/process.c @@ -4120,10 +4120,8 @@ usage: (make-network-process &rest ARGS) */) hints.ai_socktype = socktype; msg = network_lookup_address_info_1 (host, portstring, &hints, &res); - if (!EQ(msg, Qt)) - { - error ("%s", SSDATA (msg)); - } + if (!EQ (msg, Qt)) + error ("%s", SSDATA (msg)); for (lres = res; lres; lres = lres->ai_next) addrinfos = Fcons (conv_addrinfo_to_lisp (lres), addrinfos); 
@@ -4593,10 +4591,12 @@ network_lookup_address_info_1 (Lisp_Object host, const char *service, str = SSDATA (code_convert_string_norecord (build_string (str), Vlocale_coding_system, 0)); AUTO_STRING (format, "%s/%s %s"); - msg = CALLN (Fformat, format, host, build_string (service), build_string (str)); + msg = CALLN (Fformat, format, host, build_string (service), + build_string (str)); #else AUTO_STRING (format, "%s/%s getaddrinfo error %d"); - msg = CALLN (Fformat, format, host, build_string (service), make_number (ret)); + msg = CALLN (Fformat, format, host, build_string (service), + make_number (ret)); #endif } return msg; @@ -4634,18 +4634,14 @@ nil if none were found. Each address is a vector of integers. */) hints.ai_socktype = SOCK_DGRAM; msg = network_lookup_address_info_1 (name, NULL, &hints, &res); - if (!EQ(msg, Qt)) - { - message ("%s", SSDATA(msg)); - } + if (!EQ (msg, Qt)) + message ("%s", SSDATA(msg)); else { for (lres = res; lres; lres = lres->ai_next) - { - addresses = Fcons (conv_sockaddr_to_lisp - (lres->ai_addr, lres->ai_addrlen), - addresses); - } + addresses = Fcons (conv_sockaddr_to_lisp (lres->ai_addr, + lres->ai_addrlen), + addresses); addresses = Fnreverse (addresses); freeaddrinfo (res); -- 2.17.1 --------------A23ECCB650845F6C1CACB5D4--
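Review bot: The new HAVE_GNUTLS_COMPRESSION_GET guard in the @@ -48,6 +48,10 hunk of src/gnutls.c is keyed purely on GNUTLS_VERSION_NUMBER < 0x030600, so it is a version switch rather than the feature probe its HAVE_ name suggests; a one-line comment above it saying that GnuTLS 3.6 deprecated gnutls_compression_get and gnutls_compression_get_name and that their stubs no longer report anything useful would stop it being mistaken for a configure-derived macro. Note also that this is a compile-time decision, while the DEF_DLL_FN/LOAD_DLL_FN (library, ...) path it guards binds to libgnutls at run time, so a build made against pre-3.6 headers will still load and call the stubs when it runs on a 3.6 library.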
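Review bot: In the emacs_gnutls_certificate_export_pem hunk (@@ -1082,17 +1092,18), the xfree before error() is dropped and the buffer becomes SAFE_ALLOCA (size); that is only leak-free because SAFE_ALLOCA's heap fallback is registered for unwinding when `size` exceeds the stack budget, and a short comment at the error() call should say so, since the removed xfree/error pair otherwise looks like a lost cleanup. Separately, build_string (buf) still relies on GnuTLS NUL-terminating the PEM output even though the exact `size` is in hand after the second gnutls_x509_crt_export; if that size does not count a trailing NUL, a length-based string constructor would remove the dependency on termination.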
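Review bot: In the Fgnutls_peer_status hunk (@@ -1481,20 +1492,21), the GnuTLS 3.6+ branch hard-codes build_string ("NULL") for :compression; given that the cover note says the 3.6 stubs return null values, "NULL" is the method name a caller would have seen rather than a placeholder, but a comment on the #else branch should say that explicitly, or Lisp callers comparing the value will have no way to tell the two apart. The etm_status rewrite is a straight refactor and reads better than the old nested #ifdef inside the list2 call.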
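Review bot: In the Fgnutls_format_certificate hunk (@@ -1578,14 +1591,14), `gnutls_datum_t crt_data = { SDATA (cert), strlen (SSDATA (cert)) };` fixes the signedness warning but keeps strlen as the length source, so a PEM string with an embedded NUL is silently truncated before gnutls_x509_crt_import sees it; the Lisp string already carries its byte length, so `SBYTES (cert)` is the safer size and makes the strlen call unnecessary.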
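Review bot: In the last src/process.c hunk (@@ -4634,18 +4634,14), `message ("%s", SSDATA(msg));` keeps the missing space before the parenthesis while the make-network-process hunk above corrects the same call to `SSDATA (msg)`; since the commit message lists "Fix spacing" for src/process.c, make this one `SSDATA (msg)` as well.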