From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!.POSTED.blaine.gmane.org!not-for-mail
From: Paul Eggert <eggert@cs.ucla.edu>
Newsgroups: gmane.emacs.devel
Subject: Re: The netsec thread
Date: Tue, 3 Sep 2019 12:20:27 -0700
Organization: UCLA Computer Science Department
Message-ID: <c095aafd-b8df-1de4-3e77-7489c29a2f60@cs.ucla.edu>
References: <m3fu0ef8gg.fsf@gnus.org>
 <CAKDRQS6fiJHEuXp5ws1BaEQaYOeqwanMpYjd77PXHV4izKTObQ@mail.gmail.com>
 <m3d0hu3twb.fsf@gnus.org> <834l36koak.fsf@gnu.org> <m3y30i2d0q.fsf@gnus.org>
 <m24l35nutw.fsf@gmail.com> <m3tvb5w0rf.fsf@gnus.org>
 <m2wog1gcrg.fsf@gmail.com> <m3y30fu5cf.fsf@gnus.org>
 <m28ssfhdjo.fsf@gmail.com> <m3imrj642q.fsf@gnus.org>
 <m236inh8ad.fsf@gmail.com> <m2h86tnos5.fsf@gmail.com>
 <87pnlg7r83.fsf@mouse.gnus.org> <87o90gd1us.fsf@mouse.gnus.org>
 <9308f549-adf8-e5c1-1bcd-beea2ddb0e0f@cs.ucla.edu> <87r25cb6vy.fsf@gnus.org>
 <791d5bcb-3684-c791-48f5-c1af765a5c9d@cs.ucla.edu> <87mufxajwq.fsf@gnus.org>
 <m2pnkhr9oa.fsf@gmail.com> <8f52a86a-bc74-47d8-f792-83ce870666fa@cs.ucla.edu>
 <m236hdqtke.fsf@gmail.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="------------2C3DEABC64320F2775CC3DAC"
Injection-Info: blaine.gmane.org; posting-host="blaine.gmane.org:195.159.176.226";
	logging-data="140433"; mail-complaints-to="usenet@blaine.gmane.org"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.8.0
Cc: Lars Ingebrigtsen <larsi@gnus.org>, emacs-devel@gnu.org
To: Robert Pluim <rpluim@gmail.com>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Tue Sep 03 21:21:36 2019
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by blaine.gmane.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.89)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1i5EMv-000aLJ-CH
	for ged-emacs-devel@m.gmane.org; Tue, 03 Sep 2019 21:21:33 +0200
Original-Received: from localhost ([::1]:50290 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1i5EMu-00050n-71
	for ged-emacs-devel@m.gmane.org; Tue, 03 Sep 2019 15:21:32 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:39664)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <eggert@cs.ucla.edu>) id 1i5EM4-0004yb-Pl
 for emacs-devel@gnu.org; Tue, 03 Sep 2019 15:20:41 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <eggert@cs.ucla.edu>) id 1i5EM3-0007E6-41
 for emacs-devel@gnu.org; Tue, 03 Sep 2019 15:20:40 -0400
Original-Received: from zimbra.cs.ucla.edu ([131.179.128.68]:44526)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <eggert@cs.ucla.edu>) id 1i5EM2-0007Cz-R4
 for emacs-devel@gnu.org; Tue, 03 Sep 2019 15:20:39 -0400
Original-Received: from localhost (localhost [127.0.0.1])
 by zimbra.cs.ucla.edu (Postfix) with ESMTP id 0C18F160095;
 Tue,  3 Sep 2019 12:20:37 -0700 (PDT)
Original-Received: from zimbra.cs.ucla.edu ([127.0.0.1])
 by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10032)
 with ESMTP id vorwasD_dxsk; Tue,  3 Sep 2019 12:20:36 -0700 (PDT)
Original-Received: from localhost (localhost [127.0.0.1])
 by zimbra.cs.ucla.edu (Postfix) with ESMTP id 327841600AA;
 Tue,  3 Sep 2019 12:20:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at zimbra.cs.ucla.edu
Original-Received: from zimbra.cs.ucla.edu ([127.0.0.1])
 by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10026)
 with ESMTP id KXACCoBdnEQm; Tue,  3 Sep 2019 12:20:36 -0700 (PDT)
Original-Received: from [192.168.1.9] (cpe-23-242-74-103.socal.res.rr.com
 [23.242.74.103])
 by zimbra.cs.ucla.edu (Postfix) with ESMTPSA id 059E8160095;
 Tue,  3 Sep 2019 12:20:36 -0700 (PDT)
In-Reply-To: <m236hdqtke.fsf@gmail.com>
Content-Language: en-US
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x
X-Received-From: 131.179.128.68
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: "Emacs-devel" <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Xref: news.gmane.org gmane.emacs.devel:239819
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/239819>

This is a multi-part message in MIME format.
--------------2C3DEABC64320F2775CC3DAC
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable

Robert Pluim wrote:
> The only code that cares is NSM, which can be fixed, and it=CA=BCs easy
> enough to remove as well. The GNUTLS_TLS1_3 define was added in GnuTLS
> 3.6.3, so we can check for the version if you prefer.

Checking for GNUTLS_TLS1_3 sounds fine (in fact, a bit better). We can ma=
ke the=20
code a bit faster/clearer by not calling gnutls_protocol_get_version twic=
e.=20
Also, it's better to not intertwine ifdefs with ifs. So, something like t=
he=20
attached patch perhaps? Though I didn't install it because NSM needs to b=
e=20
changed too and I'm not sure what you were thinking of there.

--------------2C3DEABC64320F2775CC3DAC
Content-Type: text/x-patch;
 name="0001-Don-t-mention-safe-renegotiation-in-TLS-1.3.patch"
Content-Disposition: attachment;
 filename="0001-Don-t-mention-safe-renegotiation-in-TLS-1.3.patch"
Content-Transfer-Encoding: quoted-printable

>From 0087fd988b03262e1adc04a225e18d2080327515 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Tue, 3 Sep 2019 12:16:21 -0700
Subject: [PATCH] =3D?UTF-8?q?Don=3DE2=3D80=3D99t=3D20mention=3D20:safe-re=
negotiation?=3D
 =3D?UTF-8?q?=3D20in=3D20TLS=3D201.3?=3D
MIME-Version: 1.0
Content-Type: text/plain; charset=3DUTF-8
Content-Transfer-Encoding: 8bit

* src/gnutls.c (Fgnutls_peer_status): Don=E2=80=99t put the
safe-renegotiation indication into the status in TLS 1.3, which
removed support for renegotiation.
---
 src/gnutls.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/src/gnutls.c b/src/gnutls.c
index 042f43e291..c74936c840 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -1487,10 +1487,10 @@ DEFUN ("gnutls-peer-status", Fgnutls_peer_status,=
 Sgnutls_peer_status, 1, 1, 0,
 				  (gnutls_kx_get (state)))));
=20
   /* Protocol name. */
+  gnutls_protocol_t proto =3D gnutls_protocol_get_version (state);
   result =3D nconc2
     (result, list2 (intern (":protocol"),
-		    build_string (gnutls_protocol_get_name
-				  (gnutls_protocol_get_version (state)))));
+		    build_string (gnutls_protocol_get_name (proto))));
=20
   /* Cipher name. */
   result =3D nconc2
@@ -1520,9 +1520,15 @@ DEFUN ("gnutls-peer-status", Fgnutls_peer_status, =
Sgnutls_peer_status, 1, 1, 0,
 #endif
=20
   /* Renegotiation Indication */
-  result =3D nconc2
-    (result, list2 (intern (":safe-renegotiation"),
-                    gnutls_safe_renegotiation_status (state) ? Qt : Qnil=
));
+#ifdef GNUTLS_TLS1_3
+  bool older_proto =3D proto < GNUTLS_TLS1_3;
+#else
+  bool older_proto =3D true;
+#endif
+  if (older_proto)
+    result =3D nconc2
+      (result, list2 (intern (":safe-renegotiation"),
+		      gnutls_safe_renegotiation_status (state) ? Qt : Qnil));
=20
   return result;
 }
--=20
2.17.1


--------------2C3DEABC64320F2775CC3DAC--