Always check for client-certificates

* lisp/net/network-stream.el (network-stream-use-client-certificates): New user option. (open-network-stream): If 'network-stream-use-client-certificates' is t, and the user hasn't specified :client-certificate, do certificate lookups via 'auth-source'. (network-stream-certificate): Only return key and certificate files that exist. * doc/lispref/processes.texi (Network): Document new client-certificate behavior. * etc/NEWS: Document 'network-stream-use-client-certificates'.
2019-01-24 14:35:30 +01:00 · 2019-01-24 14:35:30 +01:00 · 91c732f687
commit 91c732f687
parent 3843711abd
3 changed files with 36 additions and 4 deletions
--- a/doc/lispref/processes.texi
+++ b/doc/lispref/processes.texi
@ -2516,12 +2516,16 @@ Emacs will warn if the connection isn't encrypted.  This is useful for
 protocols like @acronym{IMAP} and the like, where most users would
 expect the network traffic to be encrypted.

+@vindex network-stream-use-client-certificates
@item :client-certificate @var{list-or-t}
 Either a list of the form @code{(@var{key-file} @var{cert-file})},
 naming the certificate key file and certificate file itself, or
@code{t}, meaning to query @code{auth-source} for this information
-(@pxref{Top,,Overview, auth, The Auth-Source Manual}).
-Only used for @acronym{TLS} or @acronym{STARTTLS}.
+(@pxref{Help for users,,auth-source, auth, Emacs auth-source Library}).
+Only used for @acronym{TLS} or @acronym{STARTTLS}.  If
+@code{:client-certificate} is not specified, behave as if it were t,
+customize @code{network-stream-use-client-certificates} to change
+this.

@item :return-list @var{cons-or-nil}
 The return value of this function.  If omitted or @code{nil}, return a
--- a/etc/NEWS
+++ b/etc/NEWS
@ -321,6 +321,12 @@ Previously, this support was only available when using the external
 ':client-certificate t' to trigger looking up of per-server
 certificates via 'auth-source'.

+++
+** New user option 'network-stream-use-client-certificates'.
+When non-nil, 'open-network-stream' performs lookups of client
+certificates using 'auth-source' as if ':client-certificate t' were
+specified.  Defaults to t.
+
 +++
 ** New function 'fill-polish-nobreak-p', to be used in 'fill-nobreak-predicate'.
 It blocks line breaking after a one-letter word, also in the case when
--- a/lisp/net/network-stream.el
+++ b/lisp/net/network-stream.el
@ -58,6 +58,21 @@
 (defvar starttls-gnutls-program)
 (defvar starttls-program)

+(defcustom network-stream-use-client-certificates t
+  "Whether to use client certificates for network connections.
+
+When non-nil, `open-network-stream' will automatically look for
+matching client certificates (via 'auth-source') for a
+destination server, if it is called without a :client-certificate
+keyword.
+
+Set to nil to disable this lookup globally.  To disable on a
+per-connection basis, specify ':client-certificate nil' when
+calling `open-network-stream'."
+  :group 'network
+  :type 'boolean
+  :version "27.1")
+
 ;;;###autoload
 (defun open-network-stream (name buffer host service &rest parameters)
  "Open a TCP connection to HOST, optionally with encryption.
@ -132,7 +147,9 @@ values:
  element is the certificate file name itself, or t, which
  means that `auth-source' will be queried for the key and the
  certificate.  This parameter will only be used when doing TLS
-  or STARTTLS connections.
+  or STARTTLS connections.  If :client-certificate is not
+  specified, behave as if it were t, customize
+  `network-stream-use-client-certificates' to change this.

 :use-starttls-if-possible is a boolean that says to do opportunistic
 STARTTLS upgrades even if Emacs doesn't have built-in TLS functionality.
@ -181,6 +198,11 @@ gnutls-boot (as returned by `gnutls-boot-parameters')."
 		       ((memq type '(tls ssl)) 'network-stream-open-tls)
 		       ((eq type 'shell) 'network-stream-open-shell)
 		       (t (error "Invalid connection type %s" type))))
+            (parameters
+               (if (and network-stream-use-client-certificates
+                        (not (plist-member parameters :client-certificate)))
+                   (plist-put parameters :client-certificate t)
+                 parameters))
 	    result)
 	(unwind-protect
 	    (setq result (funcall fun name work-buffer host service parameters))
@ -209,7 +231,7 @@ gnutls-boot (as returned by `gnutls-boot-parameters')."
 				       :port service)))
 	     (key (plist-get auth-info :key))
 	     (cert (plist-get auth-info :cert)))
-	(and key cert
+	(and key cert (file-readable-p key) (file-readable-p cert)
 	     (list key cert)))))))

 ;;;###autoload