From: Paul Eggert
To: Robert Pluim
Cc: Lars Ingebrigtsen, emacs-devel@gnu.org
Newsgroups: gmane.emacs.devel
Subject: Re: The netsec thread
Date: Thu, 5 Sep 2019 11:50:17 -0700
Organization: UCLA Computer Science Department
On 9/5/19 5:12 AM, Robert Pluim wrote:
> GNUTLS_TLS1_3 is not a define, itʼs an enum, so we canʼt
> check for it with the pre-processor. I guess that means we have to
> check based on the GnuTLS version

There's a simpler way; I installed the attached.

By the way, can you verify that :safe-renegotiation is also irrelevant for DTLS? I'm asking because GNUTLS_DTLS1_2 etc. are greater than GNUTLS_TLS1_3 and so "proto <= GNUTLS_TLS1_2" yields 0 for them. I assume that since DTLS is for datagrams there is no renegotiation and so no :safe-renegotiation is needed, but I don't know DTLS (I don't even know whether Emacs supports DTLS) and it'd be helpful to get a more-expert opinion.

Thanks.

[Attachment: 0001-Port-safe-renegotiation-test-to-GnuTLS-3.6.3.patch]

From 457aee407a6ac0e1ee4c12b9ba919282cce246a3 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Thu, 5 Sep 2019 11:42:56 -0700
Subject: [PATCH] Port :safe-renegotiation test to GnuTLS < 3.6.3

Problem reported by Robert Pluim in
https://lists.gnu.org/r/emacs-devel/2019-09/msg00127.html
* src/gnutls.c (Fgnutls_peer_status): Simplify test for whether
the :safe-renegotiation result is needed, so that it works all
the way back to GnuTLS 2.12.2.
---
 src/gnutls.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/src/gnutls.c b/src/gnutls.c
index c74936c840..d43534b5ae 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -1520,12 +1520,7 @@ DEFUN ("gnutls-peer-status", Fgnutls_peer_status, Sgnutls_peer_status, 1, 1, 0,
 #endif
 
   /* Renegotiation Indication */
-#ifdef GNUTLS_TLS1_3
-  bool older_proto = proto < GNUTLS_TLS1_3;
-#else
-  bool older_proto = true;
-#endif
-  if (older_proto)
+  if (proto <= GNUTLS_TLS1_2)
     result = nconc2 (result, list2 (intern (":safe-renegotiation"),
                                     gnutls_safe_renegotiation_status (state)
                                     ? Qt : Qnil));
-- 
2.21.0
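Review bot: the new `if (proto <= GNUTLS_TLS1_2)` in the Fgnutls_peer_status hunk makes the :safe-renegotiation entry depend on the numeric order of gnutls_protocol_t, and, as the cover message itself notes, the DTLS enumerators sort above GNUTLS_TLS1_3, so on GnuTLS builds without TLS 1.3 a DTLS session now silently loses the entry that the removed `#else` / `bool older_proto = true;` branch used to produce. If DTLS is meant to be excluded, record that in the comment above the test (e.g. `/* Renegotiation Indication; only TLS <= 1.2 has renegotiation.  */`); if it is not, spell the versions out (a `proto == GNUTLS_TLS1_2`-style list or a switch) rather than rely on enum ordering. A one-line comment that GNUTLS_TLS1_3 is an enumerator, not a macro, would also keep the next reader from reintroducing the `#ifdef`.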
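The two points in the exchange above, Robert's observation that `#ifdef` cannot see an enumerator and the patch's relational test that replaces the version check, as an added C example that is not part of the message or of the Emacs source. The enum below is a stand-in for gnutls_protocol_t: its names and numeric values are an assumption that mirrors the ordering of the public GnuTLS header (DTLS versions numbered above every TLS version), not text copied from gnutls.h, and both `wants_safe_renegotiation_status` functions are hypothetical helpers written for this illustration.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for gnutls_protocol_t.  The names and values are an
   ASSUMPTION mirroring the ordering of the public GnuTLS header
   (DTLS versions sort above every TLS version); they are not copied
   from gnutls.h.  */
typedef enum
{
  PROTO_SSL3 = 1,
  PROTO_TLS1_0 = 2,
  PROTO_TLS1_1 = 3,
  PROTO_TLS1_2 = 4,
  PROTO_TLS1_3 = 5,           /* this enumerator is absent in GnuTLS < 3.6.3 */
  PROTO_DTLS0_9 = 200,
  PROTO_DTLS1_0 = 201,
  PROTO_DTLS1_2 = 202,
  PROTO_VERSION_UNKNOWN = 0xff
} proto_t;

/* Robert's point: an enumerator is invisible to the preprocessor, so
   "#ifdef PROTO_TLS1_3" is always false even though PROTO_TLS1_3 exists.
   That is why the removed "#ifdef GNUTLS_TLS1_3" branch never fired.  */
#ifdef PROTO_TLS1_3
#define TLS1_3_SEEN_BY_CPP 1
#else
#define TLS1_3_SEEN_BY_CPP 0
#endif

int
tls13_seen_by_preprocessor (void)
{
  return TLS1_3_SEEN_BY_CPP;
}

/* The shape of the check the patch installs: report the RFC 5746
   renegotiation-indication status only for protocol versions that
   still have renegotiation.  No version #ifdef is needed, but the
   result for DTLS is implied by enum ordering, not stated.  */
bool
wants_safe_renegotiation_status (proto_t proto)
{
  return proto <= PROTO_TLS1_2;
}

/* The same decision as an explicit list (hypothetical alternative).
   Whether the DTLS versions belong in this list is exactly the question
   left open in the message above; here they are deliberately omitted so
   the two functions agree, and the omission is visible in the code.  */
bool
wants_safe_renegotiation_status_explicit (proto_t proto)
{
  switch (proto)
    {
    case PROTO_SSL3:
    case PROTO_TLS1_0:
    case PROTO_TLS1_1:
    case PROTO_TLS1_2:
      return true;
    default:
      return false;
    }
}

int
main (void)
{
  static const struct { const char *name; proto_t proto; } table[] = {
    { "SSL3", PROTO_SSL3 },       { "TLS1.0", PROTO_TLS1_0 },
    { "TLS1.1", PROTO_TLS1_1 },   { "TLS1.2", PROTO_TLS1_2 },
    { "TLS1.3", PROTO_TLS1_3 },   { "DTLS0.9", PROTO_DTLS0_9 },
    { "DTLS1.0", PROTO_DTLS1_0 }, { "DTLS1.2", PROTO_DTLS1_2 },
    { "unknown", PROTO_VERSION_UNKNOWN },
  };
  printf ("#ifdef sees the TLS 1.3 enumerator: %d\n",
          tls13_seen_by_preprocessor ());
  for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
    printf ("%-8s relational=%d explicit=%d\n", table[i].name,
            wants_safe_renegotiation_status (table[i].proto),
            wants_safe_renegotiation_status_explicit (table[i].proto));
  return 0;
}
```

Running it prints one row per protocol version; the relational and explicit columns agree for every row, and the DTLS rows show why the cover message asks about DTLS: the `<=` form excludes them purely because of where they sit in the enumeration.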