From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!.POSTED.blaine.gmane.org!not-for-mail
From: Robert Pluim <rpluim@gmail.com>
Newsgroups: gmane.emacs.devel
Subject: Re: The netsec thread
Date: Tue, 03 Sep 2019 17:37:53 +0200
Message-ID: <m236hdqtke.fsf@gmail.com>
References: <m3fu0ef8gg.fsf@gnus.org>
 <CAKDRQS6fiJHEuXp5ws1BaEQaYOeqwanMpYjd77PXHV4izKTObQ@mail.gmail.com>
 <m3d0hu3twb.fsf@gnus.org> <834l36koak.fsf@gnu.org>
 <m3y30i2d0q.fsf@gnus.org> <m24l35nutw.fsf@gmail.com>
 <m3tvb5w0rf.fsf@gnus.org> <m2wog1gcrg.fsf@gmail.com>
 <m3y30fu5cf.fsf@gnus.org> <m28ssfhdjo.fsf@gmail.com>
 <m3imrj642q.fsf@gnus.org> <m236inh8ad.fsf@gmail.com>
 <m2h86tnos5.fsf@gmail.com> <87pnlg7r83.fsf@mouse.gnus.org>
 <87o90gd1us.fsf@mouse.gnus.org>
 <9308f549-adf8-e5c1-1bcd-beea2ddb0e0f@cs.ucla.edu>
 <87r25cb6vy.fsf@gnus.org>
 <791d5bcb-3684-c791-48f5-c1af765a5c9d@cs.ucla.edu>
 <87mufxajwq.fsf@gnus.org> <m2pnkhr9oa.fsf@gmail.com>
 <8f52a86a-bc74-47d8-f792-83ce870666fa@cs.ucla.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Injection-Info: blaine.gmane.org; posting-host="blaine.gmane.org:195.159.176.226";
	logging-data="84126"; mail-complaints-to="usenet@blaine.gmane.org"
Cc: Lars Ingebrigtsen <larsi@gnus.org>, emacs-devel@gnu.org
To: Paul Eggert <eggert@cs.ucla.edu>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Tue Sep 03 18:03:01 2019
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by blaine.gmane.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.89)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1i5BGm-000LkA-8N
	for ged-emacs-devel@m.gmane.org; Tue, 03 Sep 2019 18:03:00 +0200
Original-Received: from localhost ([::1]:48086 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1i5BGk-0002uL-G0
	for ged-emacs-devel@m.gmane.org; Tue, 03 Sep 2019 12:02:58 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:59611)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <rpluim@gmail.com>) id 1i5Asm-0004Ie-Mx
 for emacs-devel@gnu.org; Tue, 03 Sep 2019 11:38:13 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <rpluim@gmail.com>) id 1i5Asl-0006qY-B3
 for emacs-devel@gnu.org; Tue, 03 Sep 2019 11:38:12 -0400
Original-Received: from mail-wm1-x335.google.com ([2a00:1450:4864:20::335]:54793)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <rpluim@gmail.com>) id 1i5Asl-0006pq-2r
 for emacs-devel@gnu.org; Tue, 03 Sep 2019 11:38:11 -0400
Original-Received: by mail-wm1-x335.google.com with SMTP id k2so17305088wmj.4
 for <emacs-devel@gnu.org>; Tue, 03 Sep 2019 08:38:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:references:mail-copies-to:gmane-reply-to-list
 :date:in-reply-to:message-id:mime-version:content-transfer-encoding;
 bh=vq3pNDyYHepJoPEkaZwq8il1MvHEJXk3drl076Mk09c=;
 b=QF05Dg5xpP3k/DT4eZyKjBnh6VLbYdmhJ6/NzPa1hs5vV5gCmZmVXg7CDEvki6jKn3
 mOJFJKq8FQI87N6I0PHenKVbKa8d2ysHimV7WhNBZx8jLQuada1eRyuNmKmqpuKFcJOA
 sD2qiVFV2xXEM/E/u/5kZ03nwV8nhgEqB4g8pH0Y9nQQooB9ycRuyd07xn97ILJgtjGG
 lQPg4bmaypUh80/lt8Ro3fajnGOAA6AFjpckWRUJ/td1R0iQJJw7ViVBU8NbXCpP63qp
 phxqqYeDsQ4nXR085sAjxpnuAs/tno76/uc1qcK7pPBZRbb9lWqfCKEOp8PpKcGcjZVS
 w66w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:references:mail-copies-to
 :gmane-reply-to-list:date:in-reply-to:message-id:mime-version
 :content-transfer-encoding;
 bh=vq3pNDyYHepJoPEkaZwq8il1MvHEJXk3drl076Mk09c=;
 b=hC3HLIEM00ACBU5vPwcHgULyXWo9g/JtVIVyMc6yt0FD5WwsdWsfTJ2RLxdR9V/G3H
 v/6RfhH6cr/KGlleKRKQtOLkEOXvSMkg0rli5cKmIKlnBhL9tuwoKWEEkVcm2ohcMbNP
 6SHeXwIyr8O7kCcLImLUFr9yhBBHek2v5BE0GMoljNCtD4RubeXS93rGdze1N+dpaksy
 gIZJJ6PEfm7PGU1vKX7s9PVrAklqM4Hs7RbEX3QjSCNFXUNGwC6bbEhx03zeD3WRHypx
 H2aurz1QoTa8+h0VOPBpwArbabtiNVIgLxo4aqCo/3Gt7uVtFlcaHpyO4IrS9Frhfm5H
 HEtg==
X-Gm-Message-State: APjAAAUMfg7ZW6yPFKoyWA2Pw/Kc5Ft+RIewcB6iMLd6BWJfSU4Ux4AG
 nwhN1OxHUaMnr76xIRTqmpSckdfF
X-Google-Smtp-Source: APXvYqzONLAVYRuUnjIsKcVAjNCUmulKG2wlLHn8zLlYDRLNqcC5WqMD1cYqbMuKg5hxpGImzTy+kw==
X-Received: by 2002:a7b:c40f:: with SMTP id k15mr751008wmi.99.1567525089473;
 Tue, 03 Sep 2019 08:38:09 -0700 (PDT)
Original-Received: from rpluim-mac ([149.5.228.1])
 by smtp.gmail.com with ESMTPSA id q192sm7169514wme.23.2019.09.03.08.37.54
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 03 Sep 2019 08:37:54 -0700 (PDT)
Mail-Copies-To: never
Gmane-Reply-To-List: yes
In-Reply-To: <8f52a86a-bc74-47d8-f792-83ce870666fa@cs.ucla.edu> (Paul Eggert's
 message of "Tue, 3 Sep 2019 06:30:25 -0700")
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
 recognized.
X-Received-From: 2a00:1450:4864:20::335
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: "Emacs-devel" <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Xref: news.gmane.org gmane.emacs.devel:239815
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/239815>

>>>>> On Tue, 3 Sep 2019 06:30:25 -0700, Paul Eggert <eggert@cs.ucla.edu> s=
aid:

    Paul> Robert Pluim wrote:
    >> In a similar vein: TLS1.3 removed support for renegotiation, so shou=
ld
    >> the following in gnutls-peer-status be made conditional on TLS1.3
    >> having not been negotiated?
    >> /* Renegotiation Indication */
    >> result =3D nconc2
    >> (result, list2 (intern (":safe-renegotiation"),
    >> gnutls_safe_renegotiation_status (state) ? Qt : Qnil));

    Paul> If the Lisp code doesn't care or need it and if it's easy to supp=
ress,
    Paul> it'd make sense to do that, yes. I don't have an opinion since I =
don't
    Paul> know GnuTLS that well.

The only code that cares is NSM, which can be fixed, and it=CA=BCs easy
enough to remove as well. The GNUTLS_TLS1_3 define was added in GnuTLS
3.6.3, so we can check for the version if you prefer.

Robert

diff --git a/src/gnutls.c b/src/gnutls.c
index 042f43e291..9336f1e382 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -1519,10 +1519,13 @@ DEFUN ("gnutls-peer-status", Fgnutls_peer_status, S=
gnutls_peer_status, 1, 1, 0,
 		    gnutls_session_etm_status (state) ? Qt : Qnil));
 #endif
=20
-  /* Renegotiation Indication */
-  result =3D nconc2
-    (result, list2 (intern (":safe-renegotiation"),
-                    gnutls_safe_renegotiation_status (state) ? Qt : Qnil));
+  /* Renegotiation Indication.  Only for TLS protocol version < 1.3.   */
+#ifdef GNUTLS_TLS1_3
+  if (gnutls_protocol_get_version (state) < GNUTLS_TLS1_3)
+#endif
+    result =3D nconc2
+      (result, list2 (intern (":safe-renegotiation"),
+                      gnutls_safe_renegotiation_status (state) ? Qt : Qnil=
));
=20
   return result;
 }