GNU bug report logs - #10904
24.0.93; Infinite loop in GnuTLS code during Gnus nnimap-initiated SSL handshake

Previous Next

Package: emacs;

Reported by: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>

Date: Mon, 27 Feb 2012 23:57:02 UTC

Severity: normal

Found in version 24.0.93

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: 10904 <at> debbugs.gnu.org
Cc: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>
Subject: bug#10904: 24.0.93; Infinite loop in GnuTLS code during Gnus nnimap-initiated SSL handshake
Date: Fri, 05 Feb 2016 18:26:46 +1100

Ted Zlatanov <tzz <at> lifelogs.com> writes:

> On Mon, 08 Dec 2014 21:06:21 +0100 Lars Magne Ingebrigtsen <larsi <at> gnus.org> wrote: 
>
> LMI> Ted Zlatanov <tzz <at> lifelogs.com> writes:
>>> I plan to follow Nikos' advice here:
>>> 
>>> http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/6017
>>> 
>>> so we'll drop from NORMAL to PERFORMANCE, basically, if the user
>>> approves.  After the 24.1 release I'll look at this.
>
> LMI> Would it make sense to just default to PERFORMANCE now that we have the
> LMI> NSM?
>
> The default priority string should correspond to the medium
> `network-security-level' so yes, I think so.  But I really think those
> two should be bound closer together, as I mentioned.

Yeah...  running with PERFORMANCE by default is perhaps hubris.  :-)
But how would we do this within the open-network-stream/nsm
framework...  Basically, with NORMAL the tls negotiation will fail.  It
would be nice if we could then let the NSM query the user for whether
they want to lower the security to PERFORMANCE and reconnect.

But that doesn't quite fit the way all of this is structured.  If the
user says "yes, go ahead and lower security", then the NSM will have to,
er, bind something, and then call open-network-stream all over again?
Sort of?

That's probably possible, but it may require some extensive tinkering
with how `nsm-verify-connection' is called...  or with how
open-network-stream structures the call to NSM.

*time passes*

Hm!  Perhaps it won't be that difficult or invasive.  This is how this
is called:

(defun network-stream-open-tls (name buffer host service parameters)
  (with-current-buffer buffer
    (let* ((start (point-max))
	   (stream
            (if (gnutls-available-p)
                (open-gnutls-stream name buffer host service
                                    (plist-get parameters :nowait))
              (open-tls-stream name buffer host service)))
	   (eoc (plist-get parameters :end-of-command)))
      ;; Check certificate validity etc.
      (when (and (gnutls-available-p) stream)
	(setq stream (nsm-verify-connection stream host service)))

So what happens here is that stream will be nil or dead from
open-gnutls-stream.  In that case, it could call nsm-verify-connection
with some special parameters, have it prompt, and then reconnect if the
user says "yes"...

Hm.  But then those stores parameters should be used the next time in
network-stream, and it doesn't have access to those stored parameters.

Gah.  This stuff is hard.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
This bug report was last modified 7 years and 40 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.