-;;; gnutls.el --- Support SSL and TLS connections through GnuTLS
-;; Copyright (C) 2010 Free Software Foundation, Inc.
+;;; gnutls.el --- Support SSL/TLS connections through GnuTLS
+
+;; Copyright (C) 2010-2011 Free Software Foundation, Inc.
;; Author: Ted Zlatanov <tzz@lifelogs.com>
;; Keywords: comm, tls, ssl, encryption
;; Originally-By: Simon Josefsson (See http://josefsson.org/emacs-security/)
+;; Thanks-To: Lars Magne Ingebrigtsen <larsi@gnus.org>
;; This file is part of GNU Emacs.
;;; Commentary:
;; This package provides language bindings for the GnuTLS library
-;; using the corresponding core functions in gnutls.c.
+;; using the corresponding core functions in gnutls.c. It should NOT
+;; be used directly, only through open-protocol-stream.
;; Simple test:
;;
-;; (setq jas (open-ssl-stream "ssl" (current-buffer) "www.pdc.kth.se" 443))
-;; (process-send-string jas "GET /\r\n\r\n")
+;; (open-gnutls-stream "tls" "tls-buffer" "yourserver.com" "https")
+;; (open-gnutls-stream "tls" "tls-buffer" "imap.gmail.com" "imaps")
;;; Code:
+(eval-when-compile (require 'cl))
+
(defgroup gnutls nil
"Emacs interface to the GnuTLS library."
:prefix "gnutls-"
:group 'net-utils)
-(defcustom gnutls-log-level 2
+(defcustom gnutls-log-level 0
"Logging level to be used by `starttls-negotiate' and GnuTLS."
:type 'integer
:group 'gnutls)
-(defun open-ssl-stream (name buffer host service)
- "Open a SSL connection for a service to a host.
+(defun open-gnutls-stream (name buffer host service)
+ "Open a SSL/TLS connection for a service to a host.
Returns a subprocess-object to represent the connection.
Input and output work as for subprocesses; `delete-process' closes it.
Args are NAME BUFFER HOST SERVICE.
with any buffer
Third arg is name of the host to connect to, or its IP address.
Fourth arg SERVICE is name of the service desired, or an integer
-specifying a port number to connect to."
- (let ((proc (open-network-stream name buffer host service)))
- (starttls-negotiate proc nil 'gnutls-x509pki)))
-
-;; (open-ssl-stream "tls" "tls-buffer" "yourserver.com" "https")
-(defun starttls-negotiate (proc &optional priority-string
- credentials credentials-file)
- "Negotiate a SSL or TLS connection.
-PROC is the process returned by `starttls-open-stream'.
-PRIORITY-STRING is as per the GnuTLS docs.
-CREDENTIALS is `gnutls-x509pki' or `gnutls-anon'.
-CREDENTIALS-FILE is a filename with meaning dependent on CREDENTIALS."
- (let* ((credentials (or credentials 'gnutls-x509pki))
- (credentials-file (or credentials-file
- "/etc/ssl/certs/ca-certificates.crt"
- ;"/etc/ssl/certs/ca.pem"
- ))
-
+specifying a port number to connect to.
+
+Usage example:
+
+ \(with-temp-buffer
+ \(open-gnutls-stream \"tls\"
+ \(current-buffer)
+ \"your server goes here\"
+ \"imaps\"))
+
+This is a very simple wrapper around `gnutls-negotiate'. See its
+documentation for the specific parameters you can use to open a
+GnuTLS connection, including specifying the credential type,
+trust and key files, and priority string."
+ (gnutls-negotiate :process (open-network-stream name buffer host service)
+ :type 'gnutls-x509pki
+ :hostname host))
+
+(put 'gnutls-error
+ 'error-conditions
+ '(error gnutls-error))
+(put 'gnutls-error
+ 'error-message "GnuTLS error")
+
+(declare-function gnutls-boot "gnutls.c" (proc type proplist))
+(declare-function gnutls-errorp "gnutls.c" (error))
+
+(defun* gnutls-negotiate
+ (&rest spec
+ &key process type hostname priority-string
+ trustfiles crlfiles keylist verify-flags
+ verify-error verify-hostname-error
+ &allow-other-keys)
+ "Negotiate a SSL/TLS connection. Returns proc. Signals gnutls-error.
+
+Note arguments are passed CL style, :type TYPE instead of just TYPE.
+
+TYPE is `gnutls-x509pki' (default) or `gnutls-anon'. Use nil for the default.
+PROCESS is a process returned by `open-network-stream'.
+HOSTNAME is the remote hostname. It must be a valid string.
+PRIORITY-STRING is as per the GnuTLS docs, default is \"NORMAL\".
+TRUSTFILES is a list of CA bundles.
+CRLFILES is a list of CRL files.
+KEYLIST is an alist of (client key file, client cert file) pairs.
+
+When VERIFY-HOSTNAME-ERROR is not nil, an error will be raised
+when the hostname does not match the presented certificate's host
+name. The exact verification algorithm is a basic implementation
+of the matching described in RFC2818 (HTTPS), which takes into
+account wildcards, and the DNSName/IPAddress subject alternative
+name PKIX extension. See GnuTLS' gnutls_x509_crt_check_hostname
+for details. When VERIFY-HOSTNAME-ERROR is nil, only a warning
+will be issued.
+
+When VERIFY-ERROR is not nil, an error will be raised when the
+peer certificate verification fails as per GnuTLS'
+gnutls_certificate_verify_peers2. Otherwise, only warnings will
+be shown about the verification failure.
+
+VERIFY-FLAGS is a numeric OR of verification flags only for
+`gnutls-x509pki' connections. See GnuTLS' x509.h for details;
+here's a recent version of the list.
+
+ GNUTLS_VERIFY_DISABLE_CA_SIGN = 1,
+ GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 2,
+ GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 4,
+ GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 8,
+ GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 16,
+ GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
+ GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64,
+ GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
+ GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256
+
+It must be omitted, a number, or nil; if omitted or nil it
+defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
+ (let* ((type (or type 'gnutls-x509pki))
+ (default-trustfile "/etc/ssl/certs/ca-certificates.crt")
+ (trustfiles (or trustfiles
+ (when (file-exists-p default-trustfile)
+ (list default-trustfile))))
(priority-string (or priority-string
(cond
- ((eq credentials 'gnutls-anon)
+ ((eq type 'gnutls-anon)
"NORMAL:+ANON-DH:!ARCFOUR-128")
- ((eq credentials 'gnutls-x509pki)
+ ((eq type 'gnutls-x509pki)
"NORMAL"))))
+ (params `(:priority ,priority-string
+ :hostname ,hostname
+ :loglevel ,gnutls-log-level
+ :trustfiles ,trustfiles
+ :crlfiles ,crlfiles
+ :keylist ,keylist
+ :verify-flags ,verify-flags
+ :verify-error ,verify-error
+ :verify-hostname-error ,verify-hostname-error
+ :callbacks nil))
ret)
(gnutls-message-maybe
- (setq ret (gnutls-boot proc priority-string
- credentials credentials-file
- nil nil gnutls-log-level))
- "boot: %s")
+ (setq ret (gnutls-boot process type params))
+ "boot: %s" params)
(when (gnutls-errorp ret)
- (error "Could not boot GnuTLS for this process"));
-
- (let ((ret 'gnutls-e-again)
- (n 25000))
- (while (and (not (eq ret t))
- (not (gnutls-error-fatalp ret))
- (> n 0))
- (setq n (1- n))
- (setq ret (gnutls-handshake proc))
- )
- (if (gnutls-errorp ret)
- (progn
- (message "Ouch, error return %s (%s)"
- ret (gnutls-error-string ret))
- (setq proc nil))
- (message "Handshake complete %s." ret)))
- proc))
-
-(defun starttls-open-stream (name buffer host service)
- "Open a TLS connection for a service to a host.
-Returns a subprocess-object to represent the connection.
-Input and output work as for subprocesses; `delete-process' closes it.
-Args are NAME BUFFER HOST SERVICE.
-NAME is name for process. It is modified if necessary to make it unique.
-BUFFER is the buffer (or `buffer-name') to associate with the process.
- Process output goes at end of that buffer, unless you specify
- an output stream or filter function to handle the output.
- BUFFER may be also nil, meaning that this process is not associated
- with any buffer
-Third arg is name of the host to connect to, or its IP address.
-Fourth arg SERVICE is name of the service desired, or an integer
-specifying a port number to connect to."
- (open-network-stream name buffer host service))
+ ;; This is a error from the underlying C code.
+ (signal 'gnutls-error (list process ret)))
+
+ process))
+
+(declare-function gnutls-error-string "gnutls.c" (error))
(defun gnutls-message-maybe (doit format &rest params)
"When DOIT, message with the caller name followed by FORMAT on PARAMS."
doit (gnutls-error-string doit)
(apply 'format format (or params '(nil))))))
-(provide 'ssl)
(provide 'gnutls)
-(provide 'starttls)
;;; gnutls.el ends here