emacs-devel

Re: [PATCH RFC] GnuTLS: Support TOFU certificate checking.


From: Toke Høiland-Jørgensen
Subject: Re: [PATCH RFC] GnuTLS: Support TOFU certificate checking.
Date: Wed, 08 Oct 2014 17:19:12 +0200

Ted Zlatanov <address@hidden> writes:

> Wonderful work, thank you!

Glad you think so :)

> You should check in the autoconf script whether
> `gnutls_verify_stored_pubkey' is available. It's a fairly new function
> and we have to support older versions of GnuTLS without it.

Right; will look into that.

> I like the simplicity of it. It would be nice to do this inside Emacs
> itself (it's OK if it requires some kind of `emacs --batch' call,
> doesn't have to be immediate). Either way, the errors should tell us
> specifically what to run from the command line in these two cases:

I have an updated version where I split out the parameters into
:tofu-strict and :tofu-auto, where the latter will automatically add a
certificate that hasn't been seen before (and fail on mismatch only).
This might be more suitable to have turned on by default.

Removing things from the key store has to be done manually, though. But
that goes for gnutls-cli as well (and even for ssh).

>     error ("No TOFU trust entry found for hostname \"%s\" and service \"%s\"", c_hostname, c_service);
>     error ("TOFU trust MISMATCH for hostname \"%s\" and service \"%s\"", c_hostname, c_service);

Will update the messages to be more helpful.

> I think so. But Emacs creates an Emacs-specific homedir for the GnuPG
> keychain, for verification of the package archives, in
> `~/.emacs.d/gnupg' which is an equally valid approach. So I don't have
> a strong opinion.
>
> What's the drawback of having a dedicated Emacs store? Do any other
> programs besides `gnutls-cli` use the global GnuTLS store?

Well, any programs that use gnutls and pass NULL as the trust store will
share the site default. Using this also has the nice side effect of not
having to come up with a portable way to find a suitable file name (I'm
sure this is solved elsewhere in the emacs code but it saved me from
going looking ;)).

> If you can submit a bug with this, it would be wonderful.  I've been
> meaning to get rid of the `cl-mapcan' call anyhow.

I've submitted a bug.

> I think that's pretty tricky with GnuTLS because it expects all the
> validations to be C callbacks and just hands off the connection at the
> end. You're not supposed to interact with the session during the
> validation, IIUC. So it will probably require two attempts.

Noted. I checked what gnutls-cli does (by way of packet dumps), and it
seems to keep the connection open, presumably in the middle of the
handshake, while waiting for the user to decide whether to trust it. So
presumably something similar could be done by Emacs, and I think it's
more a matter of whether or not it's possible to call back up into lisp
from this part of the code.

> Yes, that would be nice and clean. They can simply be attached as
> symbol properties to the error. Maybe you can adjust
> `gnutls_make_error'?

I will look into it. I'm out of time to hack on this for a while, so for
now I'll just resubmit the patch with the changes noted above, and then
return to this at a later date (heh, famous last words).

-Toke
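
The :tofu-strict / :tofu-auto semantics discussed in the message above, modelled as an added example. This is not Emacs or GnuTLS code: GnuTLS's real store is a file keyed on hostname and service and queried via gnutls_verify_stored_pubkey(); here an in-memory dict stands in for that store, a constructed byte string stands in for the DER-encoded public key, and the Result names, the TofuStore class and its forget() method are hypothetical. The behaviour follows the mail: strict mode refuses an unseen host, auto mode pins it on first sight, both modes fail on a key mismatch, and a mismatch is only cleared by manual removal.

```python
"""Trust-on-first-use (TOFU) public-key pinning, strict vs. auto mode.

Added example, not code from the patch or from GnuTLS. The dict-backed store
and the constructed DER byte strings are assumptions for illustration.
"""
import hashlib
from enum import Enum


class Result(Enum):
    OK = "ok"
    NOT_FOUND = "no TOFU trust entry"   # strict mode only; auto mode pins instead
    MISMATCH = "TOFU trust MISMATCH"    # fails in both modes


def spki_fingerprint(pubkey_der: bytes) -> str:
    """Pin the public key (SPKI), not the certificate, so a renewed
    certificate that keeps the same key does not trip the check."""
    return hashlib.sha256(pubkey_der).hexdigest()


class TofuStore:
    """Hypothetical in-memory stand-in for the GnuTLS pubkey store.

    Entries are keyed on (hostname, service), as in GnuTLS, so the same host
    on a different port gets its own independent pin."""

    def __init__(self):
        self._pins = {}  # (hostname, service) -> SPKI fingerprint

    def verify(self, hostname: str, service: str, pubkey_der: bytes,
               *, auto: bool) -> Result:
        key = (hostname, service)
        fp = spki_fingerprint(pubkey_der)
        stored = self._pins.get(key)
        if stored is None:
            if auto:
                # :tofu-auto -- first sight of this host/service, remember it
                self._pins[key] = fp
                return Result.OK
            # :tofu-strict -- never seen, refuse (the user must add it by hand)
            return Result.NOT_FOUND
        if stored != fp:
            # Never overwrite a pin automatically, in either mode: a changed
            # key is exactly the case TOFU exists to catch.
            return Result.MISMATCH
        return Result.OK

    def forget(self, hostname: str, service: str) -> bool:
        """Manual removal, the only way a mismatch gets resolved (as with
        ssh's known_hosts). Returns True if an entry was removed."""
        return self._pins.pop((hostname, service), None) is not None


def demo() -> list:
    """Walk one host through both modes and a key change; returns the results."""
    store = TofuStore()
    key_a = b"constructed-der-spki-key-A"  # constructed sample, not a real key
    key_b = b"constructed-der-spki-key-B"  # constructed sample, not a real key

    r_strict_unseen = store.verify("example.com", "443", key_a, auto=False)
    r_auto_first = store.verify("example.com", "443", key_a, auto=True)
    r_strict_seen = store.verify("example.com", "443", key_a, auto=False)
    r_rekey_auto = store.verify("example.com", "443", key_b, auto=True)
    r_other_service = store.verify("example.com", "993", key_b, auto=True)
    store.forget("example.com", "443")  # operator removes the stale pin by hand
    r_after_forget = store.verify("example.com", "443", key_b, auto=True)
    return [r_strict_unseen, r_auto_first, r_strict_seen,
            r_rekey_auto, r_other_service, r_after_forget]


if __name__ == "__main__":
    for r in demo():
        print(r.value)
```

The point the two modes turn on is the branch taken when no entry exists; the mismatch branch is shared, and nothing in either mode replaces a pin without the user removing it first.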


