This fixes Bug#33780, and extends the documentation to describe how to
enable use of client certificates.
* lisp/net/network-stream.el (network-stream-certificate): Correct
order of parameters to plist-get.
(network-stream-open-tls): Pass all received parameters to
open-gnutls-stream as plist, not just :nowait.
* lisp/net/gnutls.el (open-gnutls-stream): Change optional nowait arg
to be plist. Derive nowait and client certificate(s) and keys(s) from
plist (maybe via auth-source) and pass to gnutls-boot-parameters and
gnutls-negotiate.
(network-stream-certificate): Add declare-function form for it.
* doc/misc/auth.texi (Help for users): Describe format to use for
client key/cert specification.
* doc/misc/emacs-gnutls.texi (Help For Developers): Describe usage of
optional plist argument. Add crossreference to description of
.authinfo format for client key/cert specification.
* etc/NEWS: Describe new client certificate functionality for
'open-network-stream'.
* test/lisp/net/network-stream-tests.el: Add require of network-stream.
(connect-to-tls-ipv4-nowait): Bind network-security-level to 'low
in order to bypass nsm prompting.
(connect-to-tls-ipv6-nowait): Likewise.
(open-network-stream-tls-wait): New test.
(open-network-stream-tls-nowait): New test.
(open-network-stream-tls): New test.
(open-network-stream-tls-nocert): New test.
(open-gnutls-stream-new-api-default): New test.
(open-gnutls-stream-new-api-wait): New test.
(open-gnutls-stream-old-api-wait): New test.
(open-gnutls-stream-new-api-nowait): New test.
(open-gnutls-stream-old-api-nowait): New test.
(open-gnutls-stream-new-api-errors): New test.
The new tests exercise 'open-network-stream' and the old and new
api of 'open-gnutls-stream'.
* lisp/obsolete/tls.el: Moved from lisp/net/tls.el.
* lisp/gnus/nnimap.el:
* lisp/url/url-http.el: Don't require tls, since it's obsolete.
* lisp/net/network-stream.el: Only require tls if we actually try to
use it (i.e., when (gnutls-available-p) returns nil). Declare some
functions to fix compilation warnings.
* lisp/obsolete/starttls.el: Moved from lisp/net/starttls.el.
* lisp/net/sieve-manage.el:
* lisp/net/network-stream.el: Don't require `starttls' at the
top-level, declare the variables and functions used instead.
(network-stream-open-starttls): Only require `starttls' if
needed (i.e., gnutls-available-p fails).
* etc/NEWS: Announce obsoletion.
* lisp/net/gnutls.el (open-gnutls-stream): IDNA-encode hostnames
before passing them on to gnutls for verification.
* lisp/net/network-stream.el (network-stream-open-starttls): Ditto.
* lisp/url/url-http.el (url-http--get-referer): Be IDNA-aware.
(url-http-create-request): Don't de-Unicodify host names, because
they may be IDNA names (that are later encoded).
* lisp/url/url-util.el (url-domain): Be IDNA-aware when doing
domain name computations.
Most of this change is to boilerplate commentary such as license URLs.
This change was prompted by ftp://ftp.gnu.org's going-away party,
planned for November. Change these FTP URLs to https://ftp.gnu.org
instead. Make similar changes for URLs to other organizations moving
away from FTP. Also, change HTTP to HTTPS for URLs to gnu.org and
fsf.org when this works, as this will further help defend against
man-in-the-middle attacks (for this part I omitted the MS-DOS and
MS-Windows sources and the test tarballs to keep the workload down).
HTTPS is not fully working to lists.gnu.org so I left those URLs alone
for now.
* lisp/net/dbus.el: Turn on lexical-binding.
(dbus-list-hash-table, dbus-list-known-names):
(dbus-introspect-get-node-names, dbus-introspect-get-interface-names):
(dbus-introspect-get-method-names, dbus-introspect-get-signal-names):
(dbus-introspect-get-property-names):
(dbus-introspect-get-argument-names, dbus-get-all-properties):
(dbus-property-handler, dbus-get-all-managed-objects):
(dbus-managed-object-handler): Replace add-to-list with push. Add
nreverse in some places where the APPEND argument of add-to-list was
used.
* lisp/net/network-stream.el: Turn on lexical-binding.
* lisp/net/newsticker.el: Turn on lexical-binding.
* lisp/net/shr.el: Turn on lexical-binding.
(shr-make-placeholder-image): Remove unused variable binding.
(shr-inspect-table): Replace ignored bindings with underscore.
* admin/CPP-DEFINES, configure.ac: Remove HAVE_GETADDRINFO, HAVE_H_ERRNO.
All uses removed.
* doc/lispref/processes.texi (Network, Network Processes), etc/NEWS:
Say that port numbers can be integer strings.
* lib-src/pop.c (h_errno) [!WINDOWSNT && !HAVE_H_ERRNO]: Remove decl.
(socket_connection): Assume HAVE_GETADDRINFO.
* lisp/mpc.el (mpc--proc-connect):
* lisp/net/network-stream.el (open-network-stream):
It’s now OK to use integer strings as port numbers.
* src/process.c (conv_numerical_to_lisp) [!HAVE_GETADDRINFO]: Remove.
(Fmake_network_process): Assume HAVE_GETADDRINFO.
* lisp/net/network-stream.el (network-stream-open-tls):
Postpone NSM verification when running async.
* src/process.c (Fset_process_filter): This function doesn't
need to wait.
(connect_network_socket): Set the process status to "run" only
after TLS negotiation.
(wait_for_socket_fds): Take a name parameter for more debugging.
(wait_reading_process_output): Don't change status to "run"
unless TLS negotiation has finished.
(send_process): Wait for the process here instead of
send_process_string.
(connect_network_socket): Call the network security manager.
* doc/lispref/processes.texi (Network Processes): Mention the
dns value of :nowait.
* src/process.c (Fmake_network_process): Only do async DNS if
:nowait is `dns'.
* doc/lispref/processes.texi (Network Processes): Clarify the
meaning of :tls-parameters.
* lisp/net/gnutls.el (open-gnutls-stream): Clarify :nowait.
* lisp/net/gnutls.el (gnutls-boot-parameters): Factor out into
own function.
(gnutls-negotiate): Use it.
(open-gnutls-stream): Ditto.
* src/eval.c (vformat_string): Refactor out the printing bits
from verror.
(verror): Use it.
* src/gnutls.c (boot_error): Mark failed processes with the
real error message.
* src/lisp.h: Declare vformat_string.
* lisp/net/gnutls.el (open-gnutls-stream): Pass the TLS
keywords in directly so that they can be used when doing
synchronous DNS on non-synchronous connections.
* lisp/net/network-stream.el (open-network-stream): Allow
passing in the TLS parameters directly.
* src/process.c (conv_numerical_to_lisp): New function to convert
numerical addresses to Lisp.
(Fmake_network_process): Rework the non-HAVE_ADDRINFO code
paths so that they work again.
(syms_of_process): Build fix for non-glibc systems.
* doc/misc/emacs-gnutls.texi (Help For Developers): Mention
the nowait parameter.
* lisp/net/gnutls.el (open-gnutls-stream): Allow asynchronous
connections with the new nowait parameter.
* lisp/net/network-stream.el (network-stream-open-tls): Pass
on :nowait to open-gnutls-stream.
* lisp/url/url-http.el (url-http): Don't overwrite the
sentinel created by open-gnutls-stream.
* src/gnutls.c (Fgnutls_mark_process): New function.
* src/process.c (send_process): Don't write to GnuTLS sockets that
haven't been initialised yed.
* src/process.h: New slot gnutls_wait_p.
* processes.texi (Network): Mention the new :warn-unless-encrypted
parameter to `open-network-stream'.
(Network): Mention the Network Security Manager.
* net/nsm.el: New file that implements a Network Security Manager.
* net/network-stream.el (open-network-stream): Add a new
:warn-unless-encrypted parameter.
(network-stream-open-plain): Allow warning unless encrypted.
(network-stream-open-starttls): Call the Network Security Manager.
(network-stream-open-tls): Ditto.
* net/network-stream.el (open-network-stream): Mention the new
:nogreeting parameter.
(network-stream-open-starttls): Use the :nogreeting parameter.
Fixes: debbugs:14938
* net/network-stream.el (network-stream-open-starttls): Avoid
emitting a confusing error message when the server gives a bad
response to the capability command.
* net/network-stream.el (network-stream-open-starttls): If gnutls
negotiation fails, then possibly try again with a non-encrypted
connection.
Fixes: debbugs:9017
a plain connection even if the server offered STARTTLS, and we
kinda wanted to use it, if Emacs doesn't have any STARTTLS
capability. This should make smtpmail.el work in slightly more
configurations.
