2010-10-04 01:16:00 +00:00
|
|
|
;;; gnutls.el --- Support SSL/TLS connections through GnuTLS
|
2010-11-01 05:53:15 +00:00
|
|
|
|
2012-01-05 09:46:05 +00:00
|
|
|
;; Copyright (C) 2010-2012 Free Software Foundation, Inc.
|
2010-09-26 06:06:28 +00:00
|
|
|
|
|
|
|
;; Author: Ted Zlatanov <tzz@lifelogs.com>
|
|
|
|
;; Keywords: comm, tls, ssl, encryption
|
|
|
|
;; Originally-By: Simon Josefsson (See http://josefsson.org/emacs-security/)
|
2010-10-04 01:16:00 +00:00
|
|
|
;; Thanks-To: Lars Magne Ingebrigtsen <larsi@gnus.org>
|
2010-09-26 06:06:28 +00:00
|
|
|
|
|
|
|
;; This file is part of GNU Emacs.
|
|
|
|
|
|
|
|
;; GNU Emacs is free software: you can redistribute it and/or modify
|
|
|
|
;; it under the terms of the GNU General Public License as published by
|
|
|
|
;; the Free Software Foundation, either version 3 of the License, or
|
|
|
|
;; (at your option) any later version.
|
|
|
|
|
|
|
|
;; GNU Emacs is distributed in the hope that it will be useful,
|
|
|
|
;; but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
;; GNU General Public License for more details.
|
|
|
|
|
|
|
|
;; You should have received a copy of the GNU General Public License
|
|
|
|
;; along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
|
|
;;; Commentary:
|
|
|
|
|
|
|
|
;; This package provides language bindings for the GnuTLS library
|
2011-04-25 01:31:45 +00:00
|
|
|
;; using the corresponding core functions in gnutls.c. It should NOT
|
|
|
|
;; be used directly, only through open-protocol-stream.
|
2010-09-26 06:06:28 +00:00
|
|
|
|
|
|
|
;; Simple test:
|
|
|
|
;;
|
2010-10-04 01:16:00 +00:00
|
|
|
;; (open-gnutls-stream "tls" "tls-buffer" "yourserver.com" "https")
|
|
|
|
;; (open-gnutls-stream "tls" "tls-buffer" "imap.gmail.com" "imaps")
|
2010-09-26 06:06:28 +00:00
|
|
|
|
|
|
|
;;; Code:
|
|
|
|
|
2011-05-04 01:44:58 +00:00
|
|
|
(eval-when-compile (require 'cl))
|
|
|
|
|
2010-09-27 16:44:31 +00:00
|
|
|
(defgroup gnutls nil
|
|
|
|
"Emacs interface to the GnuTLS library."
|
Add missing :version tags to new defgroups and defcustoms
* window.el (window-sides-slots):
* tool-bar.el (tool-bar-position):
* term/xterm.el (xterm-extra-capabilities):
* ses.el (ses-self-reference-early-detection):
* progmodes/verilog-mode.el (verilog-auto-declare-nettype)
(verilog-auto-wire-type)
(verilog-auto-delete-trailing-whitespace)
(verilog-auto-reset-blocking-in-non, verilog-auto-inst-sort)
(verilog-auto-tieoff-declaration):
* progmodes/sql.el (sql-login-hook, sql-ansi-statement-starters)
(sql-oracle-statement-starters, sql-oracle-scan-on):
* progmodes/prolog.el (prolog-align-comments-flag)
(prolog-indent-mline-comments-flag, prolog-object-end-to-0-flag)
(prolog-left-indent-regexp, prolog-paren-indent-p)
(prolog-paren-indent, prolog-parse-mode, prolog-keywords)
(prolog-types, prolog-mode-specificators)
(prolog-determinism-specificators, prolog-directives)
(prolog-electric-newline-flag, prolog-hungry-delete-key-flag)
(prolog-electric-dot-flag)
(prolog-electric-dot-full-predicate-template)
(prolog-electric-underscore-flag, prolog-electric-tab-flag)
(prolog-electric-if-then-else-flag, prolog-electric-colon-flag)
(prolog-electric-dash-flag, prolog-old-sicstus-keys-flag)
(prolog-program-switches, prolog-prompt-regexp)
(prolog-debug-on-string, prolog-debug-off-string)
(prolog-trace-on-string, prolog-trace-off-string)
(prolog-zip-on-string, prolog-zip-off-string)
(prolog-use-standard-consult-compile-method-flag)
(prolog-use-prolog-tokenizer-flag, prolog-imenu-flag)
(prolog-imenu-max-lines, prolog-info-predicate-index)
(prolog-underscore-wordchar-flag, prolog-use-sicstus-sd)
(prolog-char-quote-workaround):
* progmodes/cc-vars.el (c-defun-tactic):
* net/tramp.el (tramp-encoding-command-interactive)
(tramp-local-end-of-line):
* net/soap-client.el (soap-client):
* net/netrc.el (netrc-file):
* net/gnutls.el (gnutls):
* minibuffer.el (completion-category-overrides)
(completion-cycle-threshold)
(completion-pcm-complete-word-inserts-delimiters):
* man.el (Man-name-local-regexp):
* mail/feedmail.el (feedmail-display-full-frame):
* international/characters.el (glyphless-char-display-control):
* eshell/em-ls.el (eshell-ls-date-format):
* emacs-lisp/cl-indent.el (lisp-lambda-list-keyword-alignment)
(lisp-lambda-list-keyword-parameter-indentation)
(lisp-lambda-list-keyword-parameter-alignment):
* doc-view.el (doc-view-image-width, doc-view-unoconv-program):
* dired-x.el (dired-omit-verbose):
* cus-theme.el (custom-theme-allow-multiple-selections):
* calc/calc.el (calc-highlight-selections-with-faces)
(calc-lu-field-reference, calc-lu-power-reference)
(calc-note-threshold):
* battery.el (battery-mode-line-limit):
* arc-mode.el (archive-7z-extract, archive-7z-expunge)
(archive-7z-update):
* allout.el (allout-prefixed-keybindings)
(allout-unprefixed-keybindings)
(allout-inhibit-auto-fill-on-headline)
(allout-flattened-numbering-abbreviation):
* allout-widgets.el (allout-widgets-auto-activation)
(allout-widgets-icons-dark-subdir)
(allout-widgets-icons-light-subdir, allout-widgets-icon-types)
(allout-widgets-theme-dark-background)
(allout-widgets-theme-light-background)
(allout-widgets-item-image-properties-emacs)
(allout-widgets-item-image-properties-xemacs)
(allout-widgets-run-unit-tests-on-load)
(allout-widgets-time-decoration-activity)
(allout-widgets-hook-error-post-time)
(allout-widgets-track-decoration):
* gnus/sieve-manage.el (sieve-manage-default-stream):
* gnus/shr.el (shr):
* gnus/nnir.el (nnir-ignored-newsgroups, nnir-summary-line-format)
(nnir-retrieve-headers-override-function)
(nnir-imap-default-search-key, nnir-notmuch-program)
(nnir-notmuch-additional-switches, nnir-notmuch-remove-prefix)
(nnir-method-default-engines):
* gnus/message.el (message-cite-reply-position):
* gnus/gssapi.el (gssapi-program):
* gnus/gravatar.el (gravatar):
* gnus/gnus-sum.el (gnus-refer-thread-use-nnir):
* gnus/gnus-registry.el (gnus-registry-unfollowed-addresses)
(gnus-registry-max-pruned-entries):
* gnus/gnus-picon.el (gnus-picon-inhibit-top-level-domains):
* gnus/gnus-int.el (gnus-after-set-mark-hook)
(gnus-before-update-mark-hook):
* gnus/gnus-async.el (gnus-async-post-fetch-function):
* gnus/auth-source.el (auth-source-cache-expiry):
Add missing :version tags to new defcustoms and defgroups.
2012-02-11 22:13:29 +00:00
|
|
|
:version "24.1"
|
2010-09-27 16:44:31 +00:00
|
|
|
:prefix "gnutls-"
|
|
|
|
:group 'net-utils)
|
|
|
|
|
2011-07-15 17:21:57 +00:00
|
|
|
(defcustom gnutls-algorithm-priority nil
|
|
|
|
"If non-nil, this should be a TLS priority string.
|
|
|
|
For instance, if you want to skip the \"dhe-rsa\" algorithm,
|
|
|
|
set this variable to \"normal:-dhe-rsa\"."
|
2012-02-12 21:40:25 +00:00
|
|
|
:group 'gnutls
|
2011-07-15 17:21:57 +00:00
|
|
|
:type '(choice (const nil)
|
2012-02-13 21:48:14 +00:00
|
|
|
string))
|
|
|
|
|
|
|
|
(defcustom gnutls-trustfiles
|
|
|
|
'(
|
|
|
|
"/etc/ssl/certs/ca-certificates.crt" ; Debian, Ubuntu, Gentoo and Arch Linux
|
|
|
|
"/etc/pki/tls/certs/ca-bundle.crt" ; Fedora and RHEL
|
|
|
|
"/etc/ssl/ca-bundle.pem" ; Suse
|
2012-02-17 13:05:20 +00:00
|
|
|
"/usr/ssl/certs/ca-bundle.crt" ; Cygwin
|
2012-02-13 21:48:14 +00:00
|
|
|
)
|
|
|
|
"List of CA bundle location filenames or a function returning said list.
|
|
|
|
The files may be in PEM or DER format, as per the GnuTLS documentation.
|
|
|
|
The files may not exist, in which case they will be ignored."
|
|
|
|
:group 'gnutls
|
|
|
|
:type '(choice (function :tag "Function to produce list of bundle filenames")
|
|
|
|
(repeat (file :tag "Bundle filename"))))
|
2011-07-15 17:21:57 +00:00
|
|
|
|
2011-07-15 17:41:24 +00:00
|
|
|
;;;###autoload
|
2012-05-15 15:16:13 +00:00
|
|
|
(defcustom gnutls-min-prime-bits 256
|
2012-05-16 02:49:19 +00:00
|
|
|
;; Several mail servers send fewer bits than the GnuTLS default.
|
|
|
|
;; Currently, 256 appears to be a reasonable choice (Bug#11267).
|
|
|
|
"Minimum number of prime bits accepted by GnuTLS for key exchange.
|
|
|
|
During a Diffie-Hellman handshake, if the server sends a prime
|
|
|
|
number with fewer than this number of bits, the handshake is
|
|
|
|
rejected. \(The smaller the prime number, the less secure the
|
|
|
|
key exchange is against man-in-the-middle attacks.)
|
2011-07-15 17:41:24 +00:00
|
|
|
|
2012-05-15 15:16:13 +00:00
|
|
|
A value of nil says to use the default GnuTLS value."
|
2011-07-15 17:41:24 +00:00
|
|
|
:type '(choice (const :tag "Use default value" nil)
|
|
|
|
(integer :tag "Number of bits" 512))
|
|
|
|
:group 'gnutls)
|
|
|
|
|
2010-10-04 01:16:00 +00:00
|
|
|
(defun open-gnutls-stream (name buffer host service)
|
|
|
|
"Open a SSL/TLS connection for a service to a host.
|
2010-09-26 06:06:28 +00:00
|
|
|
Returns a subprocess-object to represent the connection.
|
|
|
|
Input and output work as for subprocesses; `delete-process' closes it.
|
|
|
|
Args are NAME BUFFER HOST SERVICE.
|
|
|
|
NAME is name for process. It is modified if necessary to make it unique.
|
|
|
|
BUFFER is the buffer (or `buffer-name') to associate with the process.
|
|
|
|
Process output goes at end of that buffer, unless you specify
|
|
|
|
an output stream or filter function to handle the output.
|
|
|
|
BUFFER may be also nil, meaning that this process is not associated
|
|
|
|
with any buffer
|
|
|
|
Third arg is name of the host to connect to, or its IP address.
|
|
|
|
Fourth arg SERVICE is name of the service desired, or an integer
|
2010-10-04 01:16:00 +00:00
|
|
|
specifying a port number to connect to.
|
|
|
|
|
2011-04-25 01:31:45 +00:00
|
|
|
Usage example:
|
|
|
|
|
|
|
|
\(with-temp-buffer
|
|
|
|
\(open-gnutls-stream \"tls\"
|
|
|
|
\(current-buffer)
|
|
|
|
\"your server goes here\"
|
|
|
|
\"imaps\"))
|
|
|
|
|
2010-10-04 01:16:00 +00:00
|
|
|
This is a very simple wrapper around `gnutls-negotiate'. See its
|
|
|
|
documentation for the specific parameters you can use to open a
|
|
|
|
GnuTLS connection, including specifying the credential type,
|
|
|
|
trust and key files, and priority string."
|
2011-05-04 01:44:58 +00:00
|
|
|
(gnutls-negotiate :process (open-network-stream name buffer host service)
|
|
|
|
:type 'gnutls-x509pki
|
|
|
|
:hostname host))
|
2011-04-25 01:31:45 +00:00
|
|
|
|
|
|
|
(put 'gnutls-error
|
|
|
|
'error-conditions
|
|
|
|
'(error gnutls-error))
|
|
|
|
(put 'gnutls-error
|
|
|
|
'error-message "GnuTLS error")
|
2010-09-26 06:06:28 +00:00
|
|
|
|
2010-11-01 05:53:15 +00:00
|
|
|
(declare-function gnutls-boot "gnutls.c" (proc type proplist))
|
2011-04-25 13:47:23 +00:00
|
|
|
(declare-function gnutls-errorp "gnutls.c" (error))
|
2010-11-01 05:53:15 +00:00
|
|
|
|
2011-05-04 01:44:58 +00:00
|
|
|
(defun* gnutls-negotiate
|
|
|
|
(&rest spec
|
|
|
|
&key process type hostname priority-string
|
2011-07-15 17:41:24 +00:00
|
|
|
trustfiles crlfiles keylist min-prime-bits
|
|
|
|
verify-flags verify-error verify-hostname-error
|
2011-05-04 01:44:58 +00:00
|
|
|
&allow-other-keys)
|
2011-11-25 13:26:30 +00:00
|
|
|
"Negotiate a SSL/TLS connection. Returns proc. Signals gnutls-error.
|
2011-05-04 01:44:58 +00:00
|
|
|
|
|
|
|
Note arguments are passed CL style, :type TYPE instead of just TYPE.
|
|
|
|
|
2010-10-03 22:37:37 +00:00
|
|
|
TYPE is `gnutls-x509pki' (default) or `gnutls-anon'. Use nil for the default.
|
2011-05-04 01:44:58 +00:00
|
|
|
PROCESS is a process returned by `open-network-stream'.
|
2011-04-25 01:31:45 +00:00
|
|
|
HOSTNAME is the remote hostname. It must be a valid string.
|
2010-10-03 22:37:37 +00:00
|
|
|
PRIORITY-STRING is as per the GnuTLS docs, default is \"NORMAL\".
|
2012-02-13 21:48:14 +00:00
|
|
|
TRUSTFILES is a list of CA bundles. It defaults to `gnutls-trustfiles'.
|
2011-05-04 01:44:58 +00:00
|
|
|
CRLFILES is a list of CRL files.
|
|
|
|
KEYLIST is an alist of (client key file, client cert file) pairs.
|
2011-07-15 17:41:24 +00:00
|
|
|
MIN-PRIME-BITS is the minimum acceptable size of Diffie-Hellman keys
|
|
|
|
\(see `gnutls-min-prime-bits' for more information). Use nil for the
|
|
|
|
default.
|
2011-04-25 01:31:45 +00:00
|
|
|
|
|
|
|
When VERIFY-HOSTNAME-ERROR is not nil, an error will be raised
|
|
|
|
when the hostname does not match the presented certificate's host
|
|
|
|
name. The exact verification algorithm is a basic implementation
|
|
|
|
of the matching described in RFC2818 (HTTPS), which takes into
|
|
|
|
account wildcards, and the DNSName/IPAddress subject alternative
|
|
|
|
name PKIX extension. See GnuTLS' gnutls_x509_crt_check_hostname
|
|
|
|
for details. When VERIFY-HOSTNAME-ERROR is nil, only a warning
|
|
|
|
will be issued.
|
|
|
|
|
|
|
|
When VERIFY-ERROR is not nil, an error will be raised when the
|
|
|
|
peer certificate verification fails as per GnuTLS'
|
|
|
|
gnutls_certificate_verify_peers2. Otherwise, only warnings will
|
|
|
|
be shown about the verification failure.
|
|
|
|
|
|
|
|
VERIFY-FLAGS is a numeric OR of verification flags only for
|
|
|
|
`gnutls-x509pki' connections. See GnuTLS' x509.h for details;
|
|
|
|
here's a recent version of the list.
|
|
|
|
|
|
|
|
GNUTLS_VERIFY_DISABLE_CA_SIGN = 1,
|
|
|
|
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 2,
|
|
|
|
GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 4,
|
|
|
|
GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 8,
|
|
|
|
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 16,
|
|
|
|
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
|
|
|
|
GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64,
|
|
|
|
GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
|
|
|
|
GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256
|
|
|
|
|
|
|
|
It must be omitted, a number, or nil; if omitted or nil it
|
|
|
|
defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
|
2010-10-03 22:37:37 +00:00
|
|
|
(let* ((type (or type 'gnutls-x509pki))
|
2010-12-13 22:20:32 +00:00
|
|
|
(trustfiles (or trustfiles
|
2012-02-13 21:48:14 +00:00
|
|
|
(delq nil
|
|
|
|
(mapcar (lambda (f) (and f (file-exists-p f) f))
|
|
|
|
(if (functionp gnutls-trustfiles)
|
|
|
|
(funcall gnutls-trustfiles)
|
|
|
|
gnutls-trustfiles)))))
|
2010-09-26 06:06:28 +00:00
|
|
|
(priority-string (or priority-string
|
|
|
|
(cond
|
2010-10-03 22:37:37 +00:00
|
|
|
((eq type 'gnutls-anon)
|
2010-09-26 06:06:28 +00:00
|
|
|
"NORMAL:+ANON-DH:!ARCFOUR-128")
|
2010-10-03 22:37:37 +00:00
|
|
|
((eq type 'gnutls-x509pki)
|
2012-02-13 21:48:14 +00:00
|
|
|
(if gnutls-algorithm-priority
|
|
|
|
(upcase gnutls-algorithm-priority)
|
|
|
|
"NORMAL")))))
|
2011-07-15 17:41:24 +00:00
|
|
|
(min-prime-bits (or min-prime-bits gnutls-min-prime-bits))
|
2010-10-03 22:37:37 +00:00
|
|
|
(params `(:priority ,priority-string
|
2011-04-25 01:31:45 +00:00
|
|
|
:hostname ,hostname
|
2010-10-03 22:37:37 +00:00
|
|
|
:loglevel ,gnutls-log-level
|
2011-07-15 17:41:24 +00:00
|
|
|
:min-prime-bits ,min-prime-bits
|
2010-10-03 22:37:37 +00:00
|
|
|
:trustfiles ,trustfiles
|
2011-05-04 01:44:58 +00:00
|
|
|
:crlfiles ,crlfiles
|
|
|
|
:keylist ,keylist
|
2011-04-25 01:31:45 +00:00
|
|
|
:verify-flags ,verify-flags
|
|
|
|
:verify-error ,verify-error
|
|
|
|
:verify-hostname-error ,verify-hostname-error
|
2010-10-03 22:37:37 +00:00
|
|
|
:callbacks nil))
|
2010-09-26 06:06:28 +00:00
|
|
|
ret)
|
|
|
|
|
|
|
|
(gnutls-message-maybe
|
2011-05-04 01:44:58 +00:00
|
|
|
(setq ret (gnutls-boot process type params))
|
2011-04-25 01:31:45 +00:00
|
|
|
"boot: %s" params)
|
|
|
|
|
|
|
|
(when (gnutls-errorp ret)
|
|
|
|
;; This is a error from the underlying C code.
|
2011-05-04 01:44:58 +00:00
|
|
|
(signal 'gnutls-error (list process ret)))
|
2010-09-26 06:06:28 +00:00
|
|
|
|
2011-05-04 01:44:58 +00:00
|
|
|
process))
|
2010-09-26 06:06:28 +00:00
|
|
|
|
2010-11-01 05:53:15 +00:00
|
|
|
(declare-function gnutls-error-string "gnutls.c" (error))
|
|
|
|
|
2010-09-26 06:06:28 +00:00
|
|
|
(defun gnutls-message-maybe (doit format &rest params)
|
|
|
|
"When DOIT, message with the caller name followed by FORMAT on PARAMS."
|
|
|
|
;; (apply 'debug format (or params '(nil)))
|
|
|
|
(when (gnutls-errorp doit)
|
|
|
|
(message "%s: (err=[%s] %s) %s"
|
|
|
|
"gnutls.el"
|
|
|
|
doit (gnutls-error-string doit)
|
|
|
|
(apply 'format format (or params '(nil))))))
|
|
|
|
|
|
|
|
(provide 'gnutls)
|
|
|
|
|
|
|
|
;;; gnutls.el ends here
|