1 ;;; gnutls.el --- Support SSL/TLS connections through GnuTLS
3 ;; Copyright (C) 2010-2012 Free Software Foundation, Inc.
5 ;; Author: Ted Zlatanov <tzz@lifelogs.com>
6 ;; Keywords: comm, tls, ssl, encryption
7 ;; Originally-By: Simon Josefsson (See http://josefsson.org/emacs-security/)
8 ;; Thanks-To: Lars Magne Ingebrigtsen <larsi@gnus.org>
10 ;; This file is part of GNU Emacs.
12 ;; GNU Emacs is free software: you can redistribute it and/or modify
13 ;; it under the terms of the GNU General Public License as published by
14 ;; the Free Software Foundation, either version 3 of the License, or
15 ;; (at your option) any later version.
17 ;; GNU Emacs is distributed in the hope that it will be useful,
18 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
19 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 ;; GNU General Public License for more details.
22 ;; You should have received a copy of the GNU General Public License
23 ;; along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>.
27 ;; This package provides language bindings for the GnuTLS library
28 ;; using the corresponding core functions in gnutls.c. It should NOT
29 ;; be used directly, only through open-protocol-stream.
33 ;; (open-gnutls-stream "tls" "tls-buffer" "yourserver.com" "https")
34 ;; (open-gnutls-stream "tls" "tls-buffer" "imap.gmail.com" "imaps")
38 (eval-when-compile (require 'cl
))
41 "Emacs interface to the GnuTLS library."
46 (defcustom gnutls-algorithm-priority nil
47 "If non-nil, this should be a TLS priority string.
48 For instance, if you want to skip the \"dhe-rsa\" algorithm,
49 set this variable to \"normal:-dhe-rsa\"."
51 :type
'(choice (const nil
)
54 (defcustom gnutls-trustfiles
56 "/etc/ssl/certs/ca-certificates.crt" ; Debian, Ubuntu, Gentoo and Arch Linux
57 "/etc/pki/tls/certs/ca-bundle.crt" ; Fedora and RHEL
58 "/etc/ssl/ca-bundle.pem" ; Suse
59 "/usr/ssl/certs/ca-bundle.crt" ; Cygwin
61 "List of CA bundle location filenames or a function returning said list.
62 The files may be in PEM or DER format, as per the GnuTLS documentation.
63 The files may not exist, in which case they will be ignored."
65 :type
'(choice (function :tag
"Function to produce list of bundle filenames")
66 (repeat (file :tag
"Bundle filename"))))
69 (defcustom gnutls-min-prime-bits nil
70 "The minimum number of bits to be used in Diffie-Hellman key exchange.
72 This sets the minimum accepted size of the key to be used in a
73 client-server handshake. If the server sends a prime with fewer than
74 the specified number of bits the handshake will fail.
76 A value of nil says to use the default gnutls value."
77 :type
'(choice (const :tag
"Use default value" nil
)
78 (integer :tag
"Number of bits" 512))
81 (defun open-gnutls-stream (name buffer host service
)
82 "Open a SSL/TLS connection for a service to a host.
83 Returns a subprocess-object to represent the connection.
84 Input and output work as for subprocesses; `delete-process' closes it.
85 Args are NAME BUFFER HOST SERVICE.
86 NAME is name for process. It is modified if necessary to make it unique.
87 BUFFER is the buffer (or `buffer-name') to associate with the process.
88 Process output goes at end of that buffer, unless you specify
89 an output stream or filter function to handle the output.
90 BUFFER may be also nil, meaning that this process is not associated
92 Third arg is name of the host to connect to, or its IP address.
93 Fourth arg SERVICE is name of the service desired, or an integer
94 specifying a port number to connect to.
99 \(open-gnutls-stream \"tls\"
101 \"your server goes here\"
104 This is a very simple wrapper around `gnutls-negotiate'. See its
105 documentation for the specific parameters you can use to open a
106 GnuTLS connection, including specifying the credential type,
107 trust and key files, and priority string."
108 (gnutls-negotiate :process
(open-network-stream name buffer host service
)
109 :type
'gnutls-x509pki
114 '(error gnutls-error
))
116 'error-message
"GnuTLS error")
118 (declare-function gnutls-boot
"gnutls.c" (proc type proplist
))
119 (declare-function gnutls-errorp
"gnutls.c" (error))
121 (defun* gnutls-negotiate
123 &key process type hostname priority-string
124 trustfiles crlfiles keylist min-prime-bits
125 verify-flags verify-error verify-hostname-error
127 "Negotiate a SSL/TLS connection. Returns proc. Signals gnutls-error.
129 Note arguments are passed CL style, :type TYPE instead of just TYPE.
131 TYPE is `gnutls-x509pki' (default) or `gnutls-anon'. Use nil for the default.
132 PROCESS is a process returned by `open-network-stream'.
133 HOSTNAME is the remote hostname. It must be a valid string.
134 PRIORITY-STRING is as per the GnuTLS docs, default is \"NORMAL\".
135 TRUSTFILES is a list of CA bundles. It defaults to `gnutls-trustfiles'.
136 CRLFILES is a list of CRL files.
137 KEYLIST is an alist of (client key file, client cert file) pairs.
138 MIN-PRIME-BITS is the minimum acceptable size of Diffie-Hellman keys
139 \(see `gnutls-min-prime-bits' for more information). Use nil for the
142 When VERIFY-HOSTNAME-ERROR is not nil, an error will be raised
143 when the hostname does not match the presented certificate's host
144 name. The exact verification algorithm is a basic implementation
145 of the matching described in RFC2818 (HTTPS), which takes into
146 account wildcards, and the DNSName/IPAddress subject alternative
147 name PKIX extension. See GnuTLS' gnutls_x509_crt_check_hostname
148 for details. When VERIFY-HOSTNAME-ERROR is nil, only a warning
151 When VERIFY-ERROR is not nil, an error will be raised when the
152 peer certificate verification fails as per GnuTLS'
153 gnutls_certificate_verify_peers2. Otherwise, only warnings will
154 be shown about the verification failure.
156 VERIFY-FLAGS is a numeric OR of verification flags only for
157 `gnutls-x509pki' connections. See GnuTLS' x509.h for details;
158 here's a recent version of the list.
160 GNUTLS_VERIFY_DISABLE_CA_SIGN = 1,
161 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 2,
162 GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 4,
163 GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 8,
164 GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 16,
165 GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
166 GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64,
167 GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
168 GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256
170 It must be omitted, a number, or nil; if omitted or nil it
171 defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
172 (let* ((type (or type
'gnutls-x509pki
))
173 (trustfiles (or trustfiles
175 (mapcar (lambda (f) (and f
(file-exists-p f
) f
))
176 (if (functionp gnutls-trustfiles
)
177 (funcall gnutls-trustfiles
)
178 gnutls-trustfiles
)))))
179 (priority-string (or priority-string
181 ((eq type
'gnutls-anon
)
182 "NORMAL:+ANON-DH:!ARCFOUR-128")
183 ((eq type
'gnutls-x509pki
)
184 (if gnutls-algorithm-priority
185 (upcase gnutls-algorithm-priority
)
187 (min-prime-bits (or min-prime-bits gnutls-min-prime-bits
))
188 (params `(:priority
,priority-string
190 :loglevel
,gnutls-log-level
191 :min-prime-bits
,min-prime-bits
192 :trustfiles
,trustfiles
195 :verify-flags
,verify-flags
196 :verify-error
,verify-error
197 :verify-hostname-error
,verify-hostname-error
201 (gnutls-message-maybe
202 (setq ret
(gnutls-boot process type params
))
205 (when (gnutls-errorp ret
)
206 ;; This is a error from the underlying C code.
207 (signal 'gnutls-error
(list process ret
)))
211 (declare-function gnutls-error-string
"gnutls.c" (error))
213 (defun gnutls-message-maybe (doit format
&rest params
)
214 "When DOIT, message with the caller name followed by FORMAT on PARAMS."
215 ;; (apply 'debug format (or params '(nil)))
216 (when (gnutls-errorp doit
)
217 (message "%s: (err=[%s] %s) %s"
219 doit
(gnutls-error-string doit
)
220 (apply 'format format
(or params
'(nil))))))
224 ;;; gnutls.el ends here