2010-10-03 20:16:00 -05:00
|
|
|
;;; gnutls.el --- Support SSL/TLS connections through GnuTLS
|
2010-10-31 22:53:15 -07:00
|
|
|
|
2019-01-01 00:59:58 +00:00
|
|
|
;; Copyright (C) 2010-2019 Free Software Foundation, Inc.
|
2010-09-26 01:06:28 -05:00
|
|
|
|
|
|
|
|
;; Author: Ted Zlatanov <tzz@lifelogs.com>
|
|
|
|
|
;; Keywords: comm, tls, ssl, encryption
|
|
|
|
|
;; Originally-By: Simon Josefsson (See http://josefsson.org/emacs-security/)
|
2010-10-03 20:16:00 -05:00
|
|
|
;; Thanks-To: Lars Magne Ingebrigtsen <larsi@gnus.org>
|
2010-09-26 01:06:28 -05:00
|
|
|
|
|
|
|
|
;; This file is part of GNU Emacs.
|
|
|
|
|
|
|
|
|
|
;; GNU Emacs is free software: you can redistribute it and/or modify
|
|
|
|
|
;; it under the terms of the GNU General Public License as published by
|
|
|
|
|
;; the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
;; (at your option) any later version.
|
|
|
|
|
|
|
|
|
|
;; GNU Emacs is distributed in the hope that it will be useful,
|
|
|
|
|
;; but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
;; GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
;; You should have received a copy of the GNU General Public License
|
2017-09-13 15:52:52 -07:00
|
|
|
;; along with GNU Emacs. If not, see <https://www.gnu.org/licenses/>.
|
2010-09-26 01:06:28 -05:00
|
|
|
|
|
|
|
|
;;; Commentary:
|
|
|
|
|
|
|
|
|
|
;; This package provides language bindings for the GnuTLS library
|
2011-04-24 20:31:45 -05:00
|
|
|
;; using the corresponding core functions in gnutls.c. It should NOT
|
2016-02-14 15:08:40 +11:00
|
|
|
;; be used directly, only through open-network-stream.
|
2010-09-26 01:06:28 -05:00
|
|
|
|
|
|
|
|
;; Simple test:
|
|
|
|
|
;;
|
2010-10-03 20:16:00 -05:00
|
|
|
;; (open-gnutls-stream "tls" "tls-buffer" "yourserver.com" "https")
|
|
|
|
|
;; (open-gnutls-stream "tls" "tls-buffer" "imap.gmail.com" "imaps")
|
2010-09-26 01:06:28 -05:00
|
|
|
|
|
|
|
|
;;; Code:
|
|
|
|
|
|
2013-12-15 21:24:08 -05:00
|
|
|
(require 'cl-lib)
|
2018-04-13 16:39:17 +02:00
|
|
|
(require 'puny)
|
2011-05-03 20:44:58 -05:00
|
|
|
|
2019-01-24 11:34:34 +01:00
|
|
|
(declare-function network-stream-certificate "network-stream"
|
|
|
|
|
(host service parameters))
|
|
|
|
|
|
2010-09-27 18:44:31 +02:00
|
|
|
(defgroup gnutls nil
|
|
|
|
|
"Emacs interface to the GnuTLS library."
|
Add missing :version tags to new defgroups and defcustoms
* window.el (window-sides-slots):
* tool-bar.el (tool-bar-position):
* term/xterm.el (xterm-extra-capabilities):
* ses.el (ses-self-reference-early-detection):
* progmodes/verilog-mode.el (verilog-auto-declare-nettype)
(verilog-auto-wire-type)
(verilog-auto-delete-trailing-whitespace)
(verilog-auto-reset-blocking-in-non, verilog-auto-inst-sort)
(verilog-auto-tieoff-declaration):
* progmodes/sql.el (sql-login-hook, sql-ansi-statement-starters)
(sql-oracle-statement-starters, sql-oracle-scan-on):
* progmodes/prolog.el (prolog-align-comments-flag)
(prolog-indent-mline-comments-flag, prolog-object-end-to-0-flag)
(prolog-left-indent-regexp, prolog-paren-indent-p)
(prolog-paren-indent, prolog-parse-mode, prolog-keywords)
(prolog-types, prolog-mode-specificators)
(prolog-determinism-specificators, prolog-directives)
(prolog-electric-newline-flag, prolog-hungry-delete-key-flag)
(prolog-electric-dot-flag)
(prolog-electric-dot-full-predicate-template)
(prolog-electric-underscore-flag, prolog-electric-tab-flag)
(prolog-electric-if-then-else-flag, prolog-electric-colon-flag)
(prolog-electric-dash-flag, prolog-old-sicstus-keys-flag)
(prolog-program-switches, prolog-prompt-regexp)
(prolog-debug-on-string, prolog-debug-off-string)
(prolog-trace-on-string, prolog-trace-off-string)
(prolog-zip-on-string, prolog-zip-off-string)
(prolog-use-standard-consult-compile-method-flag)
(prolog-use-prolog-tokenizer-flag, prolog-imenu-flag)
(prolog-imenu-max-lines, prolog-info-predicate-index)
(prolog-underscore-wordchar-flag, prolog-use-sicstus-sd)
(prolog-char-quote-workaround):
* progmodes/cc-vars.el (c-defun-tactic):
* net/tramp.el (tramp-encoding-command-interactive)
(tramp-local-end-of-line):
* net/soap-client.el (soap-client):
* net/netrc.el (netrc-file):
* net/gnutls.el (gnutls):
* minibuffer.el (completion-category-overrides)
(completion-cycle-threshold)
(completion-pcm-complete-word-inserts-delimiters):
* man.el (Man-name-local-regexp):
* mail/feedmail.el (feedmail-display-full-frame):
* international/characters.el (glyphless-char-display-control):
* eshell/em-ls.el (eshell-ls-date-format):
* emacs-lisp/cl-indent.el (lisp-lambda-list-keyword-alignment)
(lisp-lambda-list-keyword-parameter-indentation)
(lisp-lambda-list-keyword-parameter-alignment):
* doc-view.el (doc-view-image-width, doc-view-unoconv-program):
* dired-x.el (dired-omit-verbose):
* cus-theme.el (custom-theme-allow-multiple-selections):
* calc/calc.el (calc-highlight-selections-with-faces)
(calc-lu-field-reference, calc-lu-power-reference)
(calc-note-threshold):
* battery.el (battery-mode-line-limit):
* arc-mode.el (archive-7z-extract, archive-7z-expunge)
(archive-7z-update):
* allout.el (allout-prefixed-keybindings)
(allout-unprefixed-keybindings)
(allout-inhibit-auto-fill-on-headline)
(allout-flattened-numbering-abbreviation):
* allout-widgets.el (allout-widgets-auto-activation)
(allout-widgets-icons-dark-subdir)
(allout-widgets-icons-light-subdir, allout-widgets-icon-types)
(allout-widgets-theme-dark-background)
(allout-widgets-theme-light-background)
(allout-widgets-item-image-properties-emacs)
(allout-widgets-item-image-properties-xemacs)
(allout-widgets-run-unit-tests-on-load)
(allout-widgets-time-decoration-activity)
(allout-widgets-hook-error-post-time)
(allout-widgets-track-decoration):
* gnus/sieve-manage.el (sieve-manage-default-stream):
* gnus/shr.el (shr):
* gnus/nnir.el (nnir-ignored-newsgroups, nnir-summary-line-format)
(nnir-retrieve-headers-override-function)
(nnir-imap-default-search-key, nnir-notmuch-program)
(nnir-notmuch-additional-switches, nnir-notmuch-remove-prefix)
(nnir-method-default-engines):
* gnus/message.el (message-cite-reply-position):
* gnus/gssapi.el (gssapi-program):
* gnus/gravatar.el (gravatar):
* gnus/gnus-sum.el (gnus-refer-thread-use-nnir):
* gnus/gnus-registry.el (gnus-registry-unfollowed-addresses)
(gnus-registry-max-pruned-entries):
* gnus/gnus-picon.el (gnus-picon-inhibit-top-level-domains):
* gnus/gnus-int.el (gnus-after-set-mark-hook)
(gnus-before-update-mark-hook):
* gnus/gnus-async.el (gnus-async-post-fetch-function):
* gnus/auth-source.el (auth-source-cache-expiry):
Add missing :version tags to new defcustoms and defgroups.
2012-02-11 14:13:29 -08:00
|
|
|
:version "24.1"
|
2010-09-27 18:44:31 +02:00
|
|
|
:prefix "gnutls-"
|
2014-11-25 11:45:20 -05:00
|
|
|
:group 'comm)
|
2010-09-27 18:44:31 +02:00
|
|
|
|
2011-07-15 19:21:57 +02:00
|
|
|
(defcustom gnutls-algorithm-priority nil
|
|
|
|
|
"If non-nil, this should be a TLS priority string.
|
|
|
|
|
For instance, if you want to skip the \"dhe-rsa\" algorithm,
|
2018-06-24 14:48:30 +02:00
|
|
|
set this variable to \"normal:-dhe-rsa\".
|
|
|
|
|
|
|
|
|
|
This variable can be useful for modifying low-level TLS
|
|
|
|
|
connection parameters (for instance if you need to connect to a
|
2018-07-08 18:22:51 +03:00
|
|
|
host that only accepts a specific algorithm). However, in
|
|
|
|
|
general, Emacs network security is handled by the Network
|
|
|
|
|
Security Manager (NSM), and the default value of nil delegates
|
|
|
|
|
the job of checking the connection security to the NSM.
|
|
|
|
|
See Info node `(emacs) Network Security'."
|
2012-02-12 16:40:25 -05:00
|
|
|
:group 'gnutls
|
2011-07-15 19:21:57 +02:00
|
|
|
:type '(choice (const nil)
|
2012-02-13 16:48:14 -05:00
|
|
|
string))
|
|
|
|
|
|
2013-12-14 13:04:09 -05:00
|
|
|
(defcustom gnutls-verify-error nil
|
2017-05-09 22:04:45 +03:00
|
|
|
"If non-nil, this should be t or a list of checks per hostname regex.
|
|
|
|
|
If nil, the default, failures in certificate verification will be
|
|
|
|
|
logged (subject to `gnutls-log-level'), but the connection will be
|
|
|
|
|
allowed to proceed.
|
|
|
|
|
If the value is a list, it should have the form
|
|
|
|
|
|
|
|
|
|
((HOST-REGEX FLAGS...) (HOST-REGEX FLAGS...) ...)
|
|
|
|
|
|
|
|
|
|
where each HOST-REGEX is a regular expression to be matched
|
2018-04-13 14:44:41 +02:00
|
|
|
against the hostname, on a first-match basis, and FLAGS is either
|
|
|
|
|
t or a list of one or more verification flags. The supported
|
|
|
|
|
flags and the corresponding conditions to be tested are:
|
2017-05-09 22:04:45 +03:00
|
|
|
|
|
|
|
|
:trustfiles -- certificate must be issued by a trusted authority.
|
|
|
|
|
:hostname -- hostname must match presented certificate's host name.
|
|
|
|
|
t -- all of the above conditions are tested.
|
|
|
|
|
|
|
|
|
|
If the condition test fails, an error will be signaled.
|
|
|
|
|
|
|
|
|
|
If the value of this variable is t, every connection will be subjected
|
2018-06-24 14:48:30 +02:00
|
|
|
to all of the tests described above.
|
|
|
|
|
|
|
|
|
|
The default value of this variable is nil, which means that no
|
|
|
|
|
checks are performed at the gnutls level. Instead the checks are
|
|
|
|
|
performed via `open-network-stream' at a higher level by the
|
|
|
|
|
Network Security Manager. See Info node `(emacs) Network
|
|
|
|
|
Security'."
|
2013-12-14 13:04:09 -05:00
|
|
|
:group 'gnutls
|
2013-12-23 07:51:51 -05:00
|
|
|
:version "24.4"
|
2013-12-14 13:04:09 -05:00
|
|
|
:type '(choice
|
|
|
|
|
(const t)
|
|
|
|
|
(repeat :tag "List of hostname regexps with flags for each"
|
|
|
|
|
(list
|
|
|
|
|
(choice :tag "Hostname"
|
|
|
|
|
(const ".*" :tag "Any hostname")
|
|
|
|
|
regexp)
|
|
|
|
|
(set (const :trustfiles)
|
|
|
|
|
(const :hostname))))))
|
|
|
|
|
|
2012-02-13 16:48:14 -05:00
|
|
|
(defcustom gnutls-trustfiles
|
|
|
|
|
'(
|
2015-12-24 18:54:41 +01:00
|
|
|
"/etc/ssl/certs/ca-certificates.crt" ; Debian, Ubuntu, Gentoo and Arch Linux
|
|
|
|
|
"/etc/pki/tls/certs/ca-bundle.crt" ; Fedora and RHEL
|
|
|
|
|
"/etc/ssl/ca-bundle.pem" ; Suse
|
|
|
|
|
"/usr/ssl/certs/ca-bundle.crt" ; Cygwin
|
|
|
|
|
"/usr/local/share/certs/ca-root-nss.crt" ; FreeBSD
|
2017-12-09 17:52:01 -05:00
|
|
|
"/etc/ssl/cert.pem" ; macOS
|
2012-02-13 16:48:14 -05:00
|
|
|
)
|
|
|
|
|
"List of CA bundle location filenames or a function returning said list.
|
|
|
|
|
The files may be in PEM or DER format, as per the GnuTLS documentation.
|
|
|
|
|
The files may not exist, in which case they will be ignored."
|
|
|
|
|
:group 'gnutls
|
|
|
|
|
:type '(choice (function :tag "Function to produce list of bundle filenames")
|
|
|
|
|
(repeat (file :tag "Bundle filename"))))
|
2011-07-15 19:21:57 +02:00
|
|
|
|
2011-07-15 19:41:24 +02:00
|
|
|
;;;###autoload
|
2012-05-15 23:16:13 +08:00
|
|
|
(defcustom gnutls-min-prime-bits 256
|
2012-05-16 10:49:19 +08:00
|
|
|
;; Several mail servers send fewer bits than the GnuTLS default.
|
|
|
|
|
;; Currently, 256 appears to be a reasonable choice (Bug#11267).
|
|
|
|
|
"Minimum number of prime bits accepted by GnuTLS for key exchange.
|
|
|
|
|
During a Diffie-Hellman handshake, if the server sends a prime
|
|
|
|
|
number with fewer than this number of bits, the handshake is
|
|
|
|
|
rejected. \(The smaller the prime number, the less secure the
|
|
|
|
|
key exchange is against man-in-the-middle attacks.)
|
2011-07-15 19:41:24 +02:00
|
|
|
|
2018-06-24 14:48:30 +02:00
|
|
|
A value of nil says to use the default GnuTLS value.
|
|
|
|
|
|
|
|
|
|
The default value of this variable is such that virtually any
|
|
|
|
|
connection can be established, whether this connection can be
|
|
|
|
|
considered cryptographically \"safe\" or not. However, Emacs
|
|
|
|
|
network security is handled at a higher level via
|
|
|
|
|
`open-network-stream' and the Network Security Manager. See Info
|
|
|
|
|
node `(emacs) Network Security'."
|
2011-07-15 19:41:24 +02:00
|
|
|
:type '(choice (const :tag "Use default value" nil)
|
|
|
|
|
(integer :tag "Number of bits" 512))
|
|
|
|
|
:group 'gnutls)
|
|
|
|
|
|
2019-01-24 11:34:34 +01:00
|
|
|
(defun open-gnutls-stream (name buffer host service &optional parameters)
|
2010-10-03 20:16:00 -05:00
|
|
|
"Open a SSL/TLS connection for a service to a host.
|
2010-09-26 01:06:28 -05:00
|
|
|
Returns a subprocess-object to represent the connection.
|
|
|
|
|
Input and output work as for subprocesses; `delete-process' closes it.
|
|
|
|
|
Args are NAME BUFFER HOST SERVICE.
|
|
|
|
|
NAME is name for process. It is modified if necessary to make it unique.
|
|
|
|
|
BUFFER is the buffer (or `buffer-name') to associate with the process.
|
|
|
|
|
Process output goes at end of that buffer, unless you specify
|
2018-02-05 19:36:27 -05:00
|
|
|
a filter function to handle the output.
|
2010-09-26 01:06:28 -05:00
|
|
|
BUFFER may be also nil, meaning that this process is not associated
|
|
|
|
|
with any buffer
|
2019-01-24 11:34:34 +01:00
|
|
|
Third arg HOST is the name of the host to connect to, or its IP address.
|
|
|
|
|
Fourth arg SERVICE is the name of the service desired, or an integer
|
2010-10-03 20:16:00 -05:00
|
|
|
specifying a port number to connect to.
|
2019-01-24 11:34:34 +01:00
|
|
|
Fifth arg PARAMETERS is an optional list of keyword/value pairs.
|
|
|
|
|
Only :client-certificate and :nowait keywords are recognized, and
|
|
|
|
|
have the same meaning as for `open-network-stream'.
|
|
|
|
|
For historical reasons PARAMETERS can also be a symbol, which is
|
|
|
|
|
interpreted the same as passing a list containing :nowait and the
|
|
|
|
|
value of that symbol.
|
2010-10-03 20:16:00 -05:00
|
|
|
|
2011-04-24 20:31:45 -05:00
|
|
|
Usage example:
|
|
|
|
|
|
2015-09-17 16:08:20 -07:00
|
|
|
(with-temp-buffer
|
|
|
|
|
(open-gnutls-stream \"tls\"
|
|
|
|
|
(current-buffer)
|
2011-04-24 20:31:45 -05:00
|
|
|
\"your server goes here\"
|
|
|
|
|
\"imaps\"))
|
|
|
|
|
|
2010-10-03 20:16:00 -05:00
|
|
|
This is a very simple wrapper around `gnutls-negotiate'. See its
|
|
|
|
|
documentation for the specific parameters you can use to open a
|
|
|
|
|
GnuTLS connection, including specifying the credential type,
|
|
|
|
|
trust and key files, and priority string."
|
2019-01-24 11:34:34 +01:00
|
|
|
(let* ((parameters
|
|
|
|
|
(cond ((symbolp parameters)
|
|
|
|
|
(list :nowait parameters))
|
|
|
|
|
((not (cl-evenp (length parameters)))
|
|
|
|
|
(error "Malformed keyword list"))
|
|
|
|
|
((consp parameters)
|
|
|
|
|
parameters)
|
|
|
|
|
(t
|
|
|
|
|
(error "Unknown parameter type"))))
|
|
|
|
|
(cert (network-stream-certificate host service parameters))
|
|
|
|
|
(keylist (and cert (list cert)))
|
|
|
|
|
(nowait (plist-get parameters :nowait))
|
|
|
|
|
(process (open-network-stream
|
|
|
|
|
name buffer host service
|
|
|
|
|
:nowait nowait
|
|
|
|
|
:tls-parameters
|
|
|
|
|
(and nowait
|
|
|
|
|
(cons 'gnutls-x509pki
|
|
|
|
|
(gnutls-boot-parameters
|
|
|
|
|
:type 'gnutls-x509pki
|
|
|
|
|
:keylist keylist
|
|
|
|
|
:hostname (puny-encode-domain host)))))))
|
2016-01-31 01:34:45 +01:00
|
|
|
(if nowait
|
2016-02-01 02:57:04 +01:00
|
|
|
process
|
2016-02-03 12:43:24 +11:00
|
|
|
(gnutls-negotiate :process process
|
2016-01-31 01:34:45 +01:00
|
|
|
:type 'gnutls-x509pki
|
2019-01-24 11:34:34 +01:00
|
|
|
:keylist keylist
|
2018-04-13 16:38:10 +02:00
|
|
|
:hostname (puny-encode-domain host)))))
|
2011-04-24 20:31:45 -05:00
|
|
|
|
* lisp/subr.el (define-error): New function.
* doc/lispref/control.texi (Signaling Errors): Refer to define-error.
(Error Symbols): Add `define-error'.
* doc/lispref/errors.texi (Standard Errors): Don't refer to `error-conditions'.
* lisp/progmodes/ada-xref.el (ada-error-file-not-found): Rename from
error-file-not-found and define with define-error.
* lisp/emacs-lisp/cl-lib.el (cl-assertion-failed): Move here from subr.el
and define with define-error.
* lisp/userlock.el (file-locked, file-supersession):
* lisp/simple.el (mark-inactive):
* lisp/progmodes/js.el (js-moz-bad-rpc, js-js-error):
* lisp/progmodes/ada-mode.el (ada-mode-errors):
* lisp/play/life.el (life-extinct):
* lisp/nxml/xsd-regexp.el (xsdre-invalid-regexp, xsdre-parse-error):
* lisp/nxml/xmltok.el (xmltok-markup-declaration-parse-error):
* lisp/nxml/rng-util.el (rng-error):
* lisp/nxml/rng-uri.el (rng-uri-error):
* lisp/nxml/rng-match.el (rng-compile-error):
* lisp/nxml/rng-cmpct.el (rng-c-incorrect-schema):
* lisp/nxml/nxml-util.el (nxml-error, nxml-file-parse-error):
* lisp/nxml/nxml-rap.el (nxml-scan-error):
* lisp/nxml/nxml-outln.el (nxml-outline-error):
* lisp/net/soap-client.el (soap-error):
* lisp/net/gnutls.el (gnutls-error):
* lisp/net/ange-ftp.el (ftp-error):
* lisp/mpc.el (mpc-proc-error):
* lisp/json.el (json-error, json-readtable-error, json-unknown-keyword)
(json-number-format, json-string-escape, json-string-format)
(json-key-format, json-object-format):
* lisp/jka-compr.el (compression-error):
* lisp/international/quail.el (quail-error):
* lisp/international/kkc.el (kkc-error):
* lisp/emacs-lisp/ert.el (ert-test-failed):
* lisp/calc/calc.el (calc-error, inexact-result, math-overflow)
(math-underflow):
* lisp/bookmark.el (bookmark-error-no-filename):
* lisp/epg.el (epg-error): Define with define-error.
2013-08-09 17:22:44 -04:00
|
|
|
(define-error 'gnutls-error "GnuTLS error")
|
2010-09-26 01:06:28 -05:00
|
|
|
|
2010-10-31 22:53:15 -07:00
|
|
|
(declare-function gnutls-boot "gnutls.c" (proc type proplist))
|
2011-04-25 15:47:23 +02:00
|
|
|
(declare-function gnutls-errorp "gnutls.c" (error))
|
2013-09-17 21:50:54 -07:00
|
|
|
(defvar gnutls-log-level) ; gnutls.c
|
2010-10-31 22:53:15 -07:00
|
|
|
|
Reduce use of (require 'cl).
* admin/bzrmerge.el: Use cl-lib.
* leim/quail/hangul.el: Don't require CL.
* leim/quail/ipa.el: Use cl-lib.
* vc/smerge-mode.el, vc/pcvs.el, vc/pcvs-util.el, vc/pcvs-info.el:
* vc/diff-mode.el, vc/cvs-status.el, uniquify.el, scroll-bar.el:
* register.el, progmodes/sh-script.el, net/gnutls.el, net/dbus.el:
* msb.el, mpc.el, minibuffer.el, international/ucs-normalize.el:
* international/quail.el, info-xref.el, imenu.el, image-mode.el:
* font-lock.el, filesets.el, edmacro.el, doc-view.el, bookmark.el:
* battery.el, avoid.el, abbrev.el: Use cl-lib.
* vc/pcvs-parse.el, vc/pcvs-defs.el, vc/log-view.el, vc/log-edit.el:
* vc/diff.el, simple.el, pcomplete.el, lpr.el, comint.el, loadhist.el:
* jit-lock.el, international/iso-ascii.el, info.el, frame.el, bs.el:
* emulation/crisp.el, electric.el, dired.el, cus-dep.el, composite.el:
* calculator.el, autorevert.el, apropos.el: Don't require CL.
* emacs-bytecomp.el (byte-recompile-directory, display-call-tree)
(byte-compile-unfold-bcf, byte-compile-check-variable):
* emacs-byte-opt.el (byte-compile-trueconstp)
(byte-compile-nilconstp):
* emacs-autoload.el (make-autoload): Use pcase.
* face-remap.el (text-scale-adjust): Simplify pcase patterns.
2012-07-10 07:51:54 -04:00
|
|
|
(cl-defun gnutls-negotiate
|
2011-05-03 20:44:58 -05:00
|
|
|
(&rest spec
|
|
|
|
|
&key process type hostname priority-string
|
2011-07-15 19:41:24 +02:00
|
|
|
trustfiles crlfiles keylist min-prime-bits
|
|
|
|
|
verify-flags verify-error verify-hostname-error
|
2011-05-03 20:44:58 -05:00
|
|
|
&allow-other-keys)
|
2011-11-25 14:26:30 +01:00
|
|
|
"Negotiate a SSL/TLS connection. Returns proc. Signals gnutls-error.
|
2011-05-03 20:44:58 -05:00
|
|
|
|
2016-02-03 12:43:24 +11:00
|
|
|
Note that arguments are passed CL style, :type TYPE instead of just TYPE.
|
2011-05-03 20:44:58 -05:00
|
|
|
|
|
|
|
|
PROCESS is a process returned by `open-network-stream'.
|
2016-02-03 12:43:24 +11:00
|
|
|
For the meaning of the rest of the parameters, see `gnutls-boot-parameters'."
|
|
|
|
|
(let* ((type (or type 'gnutls-x509pki))
|
|
|
|
|
;; The gnutls library doesn't understand files delivered via
|
|
|
|
|
;; the special handlers, so ignore all files found via those.
|
|
|
|
|
(file-name-handler-alist nil)
|
|
|
|
|
(params (gnutls-boot-parameters
|
|
|
|
|
:type type
|
|
|
|
|
:hostname hostname
|
|
|
|
|
:priority-string priority-string
|
|
|
|
|
:trustfiles trustfiles
|
|
|
|
|
:crlfiles crlfiles
|
|
|
|
|
:keylist keylist
|
|
|
|
|
:min-prime-bits min-prime-bits
|
|
|
|
|
:verify-flags verify-flags
|
|
|
|
|
:verify-error verify-error
|
|
|
|
|
:verify-hostname-error verify-hostname-error))
|
|
|
|
|
ret)
|
|
|
|
|
(gnutls-message-maybe
|
2016-03-05 17:04:23 +01:00
|
|
|
(setq ret (gnutls-boot process type
|
|
|
|
|
(append (list :complete-negotiation t)
|
|
|
|
|
params)))
|
2016-02-03 12:43:24 +11:00
|
|
|
"boot: %s" params)
|
|
|
|
|
|
|
|
|
|
(when (gnutls-errorp ret)
|
2018-02-16 15:16:15 -05:00
|
|
|
;; This is an error from the underlying C code.
|
2016-02-03 12:43:24 +11:00
|
|
|
(signal 'gnutls-error (list process ret)))
|
|
|
|
|
|
|
|
|
|
process))
|
|
|
|
|
|
|
|
|
|
(cl-defun gnutls-boot-parameters
|
|
|
|
|
(&rest spec
|
|
|
|
|
&key type hostname priority-string
|
|
|
|
|
trustfiles crlfiles keylist min-prime-bits
|
|
|
|
|
verify-flags verify-error verify-hostname-error
|
|
|
|
|
&allow-other-keys)
|
|
|
|
|
"Return a keyword list of parameters suitable for passing to `gnutls-boot'.
|
|
|
|
|
|
|
|
|
|
TYPE is `gnutls-x509pki' (default) or `gnutls-anon'. Use nil for the default.
|
2011-04-24 20:31:45 -05:00
|
|
|
HOSTNAME is the remote hostname. It must be a valid string.
|
2017-12-14 23:16:38 -05:00
|
|
|
PRIORITY-STRING is as per the GnuTLS docs, default is based on \"NORMAL\".
|
2012-02-13 16:48:14 -05:00
|
|
|
TRUSTFILES is a list of CA bundles. It defaults to `gnutls-trustfiles'.
|
2011-05-03 20:44:58 -05:00
|
|
|
CRLFILES is a list of CRL files.
|
|
|
|
|
KEYLIST is an alist of (client key file, client cert file) pairs.
|
2011-07-15 19:41:24 +02:00
|
|
|
MIN-PRIME-BITS is the minimum acceptable size of Diffie-Hellman keys
|
|
|
|
|
\(see `gnutls-min-prime-bits' for more information). Use nil for the
|
|
|
|
|
default.
|
2011-04-24 20:31:45 -05:00
|
|
|
|
2013-12-14 13:04:09 -05:00
|
|
|
VERIFY-HOSTNAME-ERROR is a backwards compatibility option for
|
|
|
|
|
putting `:hostname' in VERIFY-ERROR.
|
|
|
|
|
|
|
|
|
|
When VERIFY-ERROR is t or a list containing `:trustfiles', an
|
|
|
|
|
error will be raised when the peer certificate verification fails
|
|
|
|
|
as per GnuTLS' gnutls_certificate_verify_peers2. Otherwise, only
|
|
|
|
|
warnings will be shown about the verification failure.
|
2011-04-24 20:31:45 -05:00
|
|
|
|
2013-12-14 13:04:09 -05:00
|
|
|
When VERIFY-ERROR is t or a list containing `:hostname', an error
|
|
|
|
|
will be raised when the hostname does not match the presented
|
|
|
|
|
certificate's host name. The exact verification algorithm is a
|
|
|
|
|
basic implementation of the matching described in
|
|
|
|
|
RFC2818 (HTTPS), which takes into account wildcards, and the
|
|
|
|
|
DNSName/IPAddress subject alternative name PKIX extension. See
|
|
|
|
|
GnuTLS' gnutls_x509_crt_check_hostname for details. Otherwise,
|
|
|
|
|
only a warning will be issued.
|
|
|
|
|
|
|
|
|
|
Note that the list in `gnutls-verify-error', matched against the
|
|
|
|
|
HOSTNAME, is the default VERIFY-ERROR.
|
2011-04-24 20:31:45 -05:00
|
|
|
|
|
|
|
|
VERIFY-FLAGS is a numeric OR of verification flags only for
|
|
|
|
|
`gnutls-x509pki' connections. See GnuTLS' x509.h for details;
|
|
|
|
|
here's a recent version of the list.
|
|
|
|
|
|
|
|
|
|
GNUTLS_VERIFY_DISABLE_CA_SIGN = 1,
|
|
|
|
|
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 2,
|
|
|
|
|
GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 4,
|
|
|
|
|
GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 8,
|
|
|
|
|
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 16,
|
|
|
|
|
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
|
|
|
|
|
GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64,
|
|
|
|
|
GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
|
|
|
|
|
GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256
|
|
|
|
|
|
|
|
|
|
It must be omitted, a number, or nil; if omitted or nil it
|
|
|
|
|
defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
|
2017-12-19 12:43:56 -05:00
|
|
|
(let* ((trustfiles (or trustfiles (gnutls-trustfiles)))
|
|
|
|
|
(maybe-dumbfw (if (memq 'ClientHello\ Padding (gnutls-available-p))
|
|
|
|
|
":%DUMBFW"
|
|
|
|
|
""))
|
|
|
|
|
(priority-string (or priority-string
|
|
|
|
|
(cond
|
|
|
|
|
((eq type 'gnutls-anon)
|
|
|
|
|
(concat "NORMAL:+ANON-DH:!ARCFOUR-128"
|
|
|
|
|
maybe-dumbfw))
|
|
|
|
|
((eq type 'gnutls-x509pki)
|
|
|
|
|
(if gnutls-algorithm-priority
|
|
|
|
|
(upcase gnutls-algorithm-priority)
|
|
|
|
|
(concat "NORMAL" maybe-dumbfw))))))
|
|
|
|
|
(verify-error (or verify-error
|
|
|
|
|
;; this uses the value of `gnutls-verify-error'
|
|
|
|
|
(cond
|
|
|
|
|
;; if t, pass it on
|
|
|
|
|
((eq gnutls-verify-error t)
|
|
|
|
|
t)
|
|
|
|
|
;; if a list, look for hostname matches
|
|
|
|
|
((listp gnutls-verify-error)
|
2018-04-13 14:24:11 +02:00
|
|
|
(cadr (cl-find-if #'(lambda (x)
|
|
|
|
|
(string-match (car x) hostname))
|
|
|
|
|
gnutls-verify-error)))
|
2017-12-19 12:43:56 -05:00
|
|
|
;; else it's nil
|
|
|
|
|
(t nil))))
|
|
|
|
|
(min-prime-bits (or min-prime-bits gnutls-min-prime-bits)))
|
2013-12-14 13:04:09 -05:00
|
|
|
|
|
|
|
|
(when verify-hostname-error
|
|
|
|
|
(push :hostname verify-error))
|
|
|
|
|
|
2016-02-03 12:43:24 +11:00
|
|
|
`(:priority ,priority-string
|
|
|
|
|
:hostname ,hostname
|
|
|
|
|
:loglevel ,gnutls-log-level
|
|
|
|
|
:min-prime-bits ,min-prime-bits
|
|
|
|
|
:trustfiles ,trustfiles
|
|
|
|
|
:crlfiles ,crlfiles
|
|
|
|
|
:keylist ,keylist
|
|
|
|
|
:verify-flags ,verify-flags
|
|
|
|
|
:verify-error ,verify-error
|
|
|
|
|
:callbacks nil)))
|
2010-09-26 01:06:28 -05:00
|
|
|
|
2015-12-29 14:39:53 +01:00
|
|
|
(defun gnutls-trustfiles ()
|
|
|
|
|
"Return a list of usable trustfiles."
|
|
|
|
|
(delq nil
|
|
|
|
|
(mapcar (lambda (f) (and f (file-exists-p f) f))
|
|
|
|
|
(if (functionp gnutls-trustfiles)
|
|
|
|
|
(funcall gnutls-trustfiles)
|
|
|
|
|
gnutls-trustfiles))))
|
|
|
|
|
|
2010-10-31 22:53:15 -07:00
|
|
|
(declare-function gnutls-error-string "gnutls.c" (error))
|
|
|
|
|
|
2010-09-26 01:06:28 -05:00
|
|
|
(defun gnutls-message-maybe (doit format &rest params)
|
|
|
|
|
"When DOIT, message with the caller name followed by FORMAT on PARAMS."
|
|
|
|
|
;; (apply 'debug format (or params '(nil)))
|
|
|
|
|
(when (gnutls-errorp doit)
|
|
|
|
|
(message "%s: (err=[%s] %s) %s"
|
|
|
|
|
"gnutls.el"
|
|
|
|
|
doit (gnutls-error-string doit)
|
More-conservative ‘format’ quote restyling
Instead of restyling curved quotes for every call to ‘format’,
create a new function ‘format-message’ that does the restyling,
and using the new function instead of ‘format’ only in contexts
where this seems appropriate.
Problem reported by Dmitry Gutov and Andreas Schwab in:
http://lists.gnu.org/archive/html/emacs-devel/2015-08/msg00826.html
http://lists.gnu.org/archive/html/emacs-devel/2015-08/msg00827.html
* doc/lispref/commands.texi (Using Interactive):
* doc/lispref/control.texi (Signaling Errors, Signaling Errors):
* doc/lispref/display.texi (Displaying Messages, Progress):
* doc/lispref/elisp.texi:
* doc/lispref/help.texi (Keys in Documentation):
* doc/lispref/minibuf.texi (Minibuffer Misc):
* doc/lispref/strings.texi (Formatting Strings):
* etc/NEWS:
Document the changes.
* lisp/abbrev.el (expand-region-abbrevs):
* lisp/apropos.el (apropos-library):
* lisp/calc/calc-ext.el (calc-record-message)
(calc-user-function-list):
* lisp/calc/calc-help.el (calc-describe-key, calc-full-help):
* lisp/calc/calc-lang.el (math-read-big-balance):
* lisp/calc/calc-store.el (calc-edit-variable):
* lisp/calc/calc-units.el (math-build-units-table-buffer):
* lisp/calc/calc-yank.el (calc-edit-mode):
* lisp/calendar/icalendar.el (icalendar-export-region)
(icalendar--add-diary-entry):
* lisp/cedet/mode-local.el (mode-local-print-binding)
(mode-local-describe-bindings-2):
* lisp/cedet/semantic/complete.el (semantic-completion-message):
* lisp/cedet/semantic/edit.el (semantic-parse-changes-failed):
* lisp/cedet/semantic/wisent/comp.el (wisent-log):
* lisp/cedet/srecode/insert.el (srecode-insert-show-error-report):
* lisp/descr-text.el (describe-text-properties-1, describe-char):
* lisp/dframe.el (dframe-message):
* lisp/dired-aux.el (dired-query):
* lisp/emacs-lisp/byte-opt.el (byte-compile-log-lap-1):
* lisp/emacs-lisp/bytecomp.el (byte-compile-log)
(byte-compile-log-file, byte-compile-warn, byte-compile-form):
* lisp/emacs-lisp/cconv.el (cconv-convert, cconv--analyze-use)
(cconv-analyze-form):
* lisp/emacs-lisp/check-declare.el (check-declare-warn):
* lisp/emacs-lisp/checkdoc.el (checkdoc-this-string-valid-engine):
* lisp/emacs-lisp/cl-macs.el (cl-symbol-macrolet):
* lisp/emacs-lisp/edebug.el (edebug-format):
* lisp/emacs-lisp/eieio-core.el (eieio-oref):
* lisp/emacs-lisp/eldoc.el (eldoc-minibuffer-message)
(eldoc-message):
* lisp/emacs-lisp/elint.el (elint-file, elint-log):
* lisp/emacs-lisp/find-func.el (find-function-library):
* lisp/emacs-lisp/macroexp.el (macroexp--obsolete-warning):
* lisp/emacs-lisp/map-ynp.el (map-y-or-n-p):
* lisp/emacs-lisp/nadvice.el (advice--make-docstring):
* lisp/emacs-lisp/package.el (package-compute-transaction)
(package-install-button-action, package-delete-button-action)
(package-menu--list-to-prompt):
* lisp/emacs-lisp/timer.el (timer-event-handler):
* lisp/emacs-lisp/warnings.el (lwarn, warn):
* lisp/emulation/viper-cmd.el:
(viper-toggle-parse-sexp-ignore-comments)
(viper-kill-buffer, viper-brac-function):
* lisp/emulation/viper-macs.el (viper-record-kbd-macro):
* lisp/facemenu.el (facemenu-add-new-face):
* lisp/faces.el (face-documentation, read-face-name)
(face-read-string, read-face-font, describe-face):
* lisp/files.el (find-alternate-file, hack-local-variables)
(hack-one-local-variable--obsolete, write-file)
(basic-save-buffer, delete-directory):
* lisp/format.el (format-write-file, format-find-file)
(format-insert-file):
* lisp/help-fns.el (help-fns--key-bindings)
(help-fns--compiler-macro, help-fns--obsolete)
(help-fns--interactive-only, describe-function-1)
(describe-variable):
* lisp/help.el (describe-mode):
* lisp/info-xref.el (info-xref-output):
* lisp/info.el (Info-virtual-index-find-node)
(Info-virtual-index, info-apropos):
* lisp/international/kkc.el (kkc-error):
* lisp/international/mule-cmds.el:
(select-safe-coding-system-interactively)
(select-safe-coding-system, describe-input-method):
* lisp/international/mule-conf.el (code-offset):
* lisp/international/mule-diag.el (describe-character-set)
(list-input-methods-1):
* lisp/international/quail.el (quail-error):
* lisp/minibuffer.el (minibuffer-message):
* lisp/mpc.el (mpc--debug):
* lisp/msb.el (msb--choose-menu):
* lisp/net/ange-ftp.el (ange-ftp-message):
* lisp/net/gnutls.el (gnutls-message-maybe):
* lisp/net/newst-backend.el (newsticker--sentinel-work):
* lisp/net/newst-treeview.el (newsticker--treeview-load):
* lisp/net/nsm.el (nsm-query-user):
* lisp/net/rlogin.el (rlogin):
* lisp/net/soap-client.el (soap-warning):
* lisp/net/tramp.el (tramp-debug-message):
* lisp/nxml/nxml-outln.el (nxml-report-outline-error):
* lisp/nxml/nxml-parse.el (nxml-parse-error):
* lisp/nxml/rng-cmpct.el (rng-c-error):
* lisp/nxml/rng-match.el (rng-compile-error):
* lisp/nxml/rng-uri.el (rng-uri-error):
* lisp/obsolete/iswitchb.el (iswitchb-possible-new-buffer):
* lisp/org/org-ctags.el:
(org-ctags-ask-rebuild-tags-file-then-find-tag):
* lisp/proced.el (proced-log):
* lisp/progmodes/ebnf2ps.el (ebnf-log):
* lisp/progmodes/flymake.el (flymake-log):
* lisp/progmodes/vhdl-mode.el (vhdl-warning-when-idle):
* lisp/replace.el (occur-1):
* lisp/simple.el (execute-extended-command)
(undo-outer-limit-truncate, define-alternatives):
* lisp/startup.el (command-line):
* lisp/subr.el (error, user-error, add-to-list):
* lisp/tutorial.el (tutorial--describe-nonstandard-key)
(tutorial--find-changed-keys):
* src/callint.c (Fcall_interactively):
* src/editfns.c (Fmessage, Fmessage_box):
Restyle the quotes of format strings intended for use as a
diagnostic, when restyling seems appropriate.
* lisp/subr.el (format-message): New function.
* src/doc.c (Finternal__text_restyle): New function.
(syms_of_doc): Define it.
2015-08-23 22:38:02 -07:00
|
|
|
(apply #'format-message format (or params '(nil))))))
|
2010-09-26 01:06:28 -05:00
|
|
|
|
|
|
|
|
(provide 'gnutls)
|
|
|
|
|
|
|
|
|
|
;;; gnutls.el ends here
|