From 87e86684426cfc7c4676dc90e44a623921f7186e Mon Sep 17 00:00:00 2001
From: Lawrence Mitchell <wence@gmx.li>
Date: Fri, 15 Jul 2011 19:41:24 +0200
Subject: Allow controlling how many prime bits to use during TLS negotiation

---
 lisp/net/gnutls.el | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

(limited to 'lisp/net')

diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 14d4a2f28e..edbf9a54af 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -54,6 +54,19 @@ set this variable to \"normal:-dhe-rsa\"."
   :type '(choice (const nil)
 		 string))
 
+;;;###autoload
+(defcustom gnutls-min-prime-bits nil
+  "The minimum number of bits to be used in Diffie-Hellman key exchange.
+
+This sets the minimum accepted size of the key to be used in a
+client-server handshake.  If the server sends a prime with fewer than
+the specified number of bits the handshake will fail.
+
+A value of nil says to use the default gnutls value."
+  :type '(choice (const :tag "Use default value" nil)
+                 (integer :tag "Number of bits" 512))
+  :group 'gnutls)
+
 (defun open-gnutls-stream (name buffer host service)
   "Open a SSL/TLS connection for a service to a host.
 Returns a subprocess-object to represent the connection.
@@ -97,8 +110,8 @@ trust and key files, and priority string."
 (defun* gnutls-negotiate
     (&rest spec
            &key process type hostname priority-string
-           trustfiles crlfiles keylist verify-flags
-           verify-error verify-hostname-error
+           trustfiles crlfiles keylist min-prime-bits
+           verify-flags verify-error verify-hostname-error
            &allow-other-keys)
   "Negotiate a SSL/TLS connection.  Returns proc. Signals gnutls-error.
 
@@ -111,6 +124,9 @@ PRIORITY-STRING is as per the GnuTLS docs, default is \"NORMAL\".
 TRUSTFILES is a list of CA bundles.
 CRLFILES is a list of CRL files.
 KEYLIST is an alist of (client key file, client cert file) pairs.
+MIN-PRIME-BITS is the minimum acceptable size of Diffie-Hellman keys
+\(see `gnutls-min-prime-bits' for more information).  Use nil for the
+default.
 
 When VERIFY-HOSTNAME-ERROR is not nil, an error will be raised
 when the hostname does not match the presented certificate's host
@@ -155,9 +171,11 @@ defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
 				(if gnutls-algorithm-priority
 				    (upcase gnutls-algorithm-priority)
 				  "NORMAL")))))
+         (min-prime-bits (or min-prime-bits gnutls-min-prime-bits))
          (params `(:priority ,priority-string
                              :hostname ,hostname
                              :loglevel ,gnutls-log-level
+                             :min-prime-bits ,min-prime-bits
                              :trustfiles ,trustfiles
                              :crlfiles ,crlfiles
                              :keylist ,keylist
-- 
cgit v1.2.3