1 ;;; gnutls.el --- Support SSL/TLS connections through GnuTLS
3 ;; Copyright (C) 2010-2013 Free Software Foundation, Inc.
5 ;; Author: Ted Zlatanov <tzz@lifelogs.com>
6 ;; Keywords: comm, tls, ssl, encryption
7 ;; Originally-By: Simon Josefsson (See http://josefsson.org/emacs-security/)
8 ;; Thanks-To: Lars Magne Ingebrigtsen <larsi@gnus.org>
10 ;; This file is part of GNU Emacs.
12 ;; GNU Emacs is free software: you can redistribute it and/or modify
13 ;; it under the terms of the GNU General Public License as published by
14 ;; the Free Software Foundation, either version 3 of the License, or
15 ;; (at your option) any later version.
17 ;; GNU Emacs is distributed in the hope that it will be useful,
18 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
19 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 ;; GNU General Public License for more details.
22 ;; You should have received a copy of the GNU General Public License
23 ;; along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>.
27 ;; This package provides language bindings for the GnuTLS library
28 ;; using the corresponding core functions in gnutls.c. It should NOT
29 ;; be used directly, only through open-protocol-stream.
33 ;; (open-gnutls-stream "tls" "tls-buffer" "yourserver.com" "https")
34 ;; (open-gnutls-stream "tls" "tls-buffer" "imap.gmail.com" "imaps")
38 (eval-when-compile (require 'cl-lib
))
41 "Emacs interface to the GnuTLS library."
46 (defcustom gnutls-algorithm-priority nil
47 "If non-nil, this should be a TLS priority string.
48 For instance, if you want to skip the \"dhe-rsa\" algorithm,
49 set this variable to \"normal:-dhe-rsa\"."
51 :type
'(choice (const nil
)
54 (defcustom gnutls-trustfiles
56 "/etc/ssl/certs/ca-certificates.crt" ; Debian, Ubuntu, Gentoo and Arch Linux
57 "/etc/pki/tls/certs/ca-bundle.crt" ; Fedora and RHEL
58 "/etc/ssl/ca-bundle.pem" ; Suse
59 "/usr/ssl/certs/ca-bundle.crt" ; Cygwin
61 "List of CA bundle location filenames or a function returning said list.
62 The files may be in PEM or DER format, as per the GnuTLS documentation.
63 The files may not exist, in which case they will be ignored."
65 :type
'(choice (function :tag
"Function to produce list of bundle filenames")
66 (repeat (file :tag
"Bundle filename"))))
69 (defcustom gnutls-min-prime-bits
256
70 ;; Several mail servers send fewer bits than the GnuTLS default.
71 ;; Currently, 256 appears to be a reasonable choice (Bug#11267).
72 "Minimum number of prime bits accepted by GnuTLS for key exchange.
73 During a Diffie-Hellman handshake, if the server sends a prime
74 number with fewer than this number of bits, the handshake is
75 rejected. \(The smaller the prime number, the less secure the
76 key exchange is against man-in-the-middle attacks.)
78 A value of nil says to use the default GnuTLS value."
79 :type
'(choice (const :tag
"Use default value" nil
)
80 (integer :tag
"Number of bits" 512))
83 (defun open-gnutls-stream (name buffer host service
)
84 "Open a SSL/TLS connection for a service to a host.
85 Returns a subprocess-object to represent the connection.
86 Input and output work as for subprocesses; `delete-process' closes it.
87 Args are NAME BUFFER HOST SERVICE.
88 NAME is name for process. It is modified if necessary to make it unique.
89 BUFFER is the buffer (or `buffer-name') to associate with the process.
90 Process output goes at end of that buffer, unless you specify
91 an output stream or filter function to handle the output.
92 BUFFER may be also nil, meaning that this process is not associated
94 Third arg is name of the host to connect to, or its IP address.
95 Fourth arg SERVICE is name of the service desired, or an integer
96 specifying a port number to connect to.
101 \(open-gnutls-stream \"tls\"
103 \"your server goes here\"
106 This is a very simple wrapper around `gnutls-negotiate'. See its
107 documentation for the specific parameters you can use to open a
108 GnuTLS connection, including specifying the credential type,
109 trust and key files, and priority string."
110 (gnutls-negotiate :process
(open-network-stream name buffer host service
)
111 :type
'gnutls-x509pki
114 (define-error 'gnutls-error
"GnuTLS error")
116 (declare-function gnutls-boot
"gnutls.c" (proc type proplist
))
117 (declare-function gnutls-errorp
"gnutls.c" (error))
119 (cl-defun gnutls-negotiate
121 &key process type hostname priority-string
122 trustfiles crlfiles keylist min-prime-bits
123 verify-flags verify-error verify-hostname-error
125 "Negotiate a SSL/TLS connection. Returns proc. Signals gnutls-error.
127 Note arguments are passed CL style, :type TYPE instead of just TYPE.
129 TYPE is `gnutls-x509pki' (default) or `gnutls-anon'. Use nil for the default.
130 PROCESS is a process returned by `open-network-stream'.
131 HOSTNAME is the remote hostname. It must be a valid string.
132 PRIORITY-STRING is as per the GnuTLS docs, default is \"NORMAL\".
133 TRUSTFILES is a list of CA bundles. It defaults to `gnutls-trustfiles'.
134 CRLFILES is a list of CRL files.
135 KEYLIST is an alist of (client key file, client cert file) pairs.
136 MIN-PRIME-BITS is the minimum acceptable size of Diffie-Hellman keys
137 \(see `gnutls-min-prime-bits' for more information). Use nil for the
140 When VERIFY-HOSTNAME-ERROR is not nil, an error will be raised
141 when the hostname does not match the presented certificate's host
142 name. The exact verification algorithm is a basic implementation
143 of the matching described in RFC2818 (HTTPS), which takes into
144 account wildcards, and the DNSName/IPAddress subject alternative
145 name PKIX extension. See GnuTLS' gnutls_x509_crt_check_hostname
146 for details. When VERIFY-HOSTNAME-ERROR is nil, only a warning
149 When VERIFY-ERROR is not nil, an error will be raised when the
150 peer certificate verification fails as per GnuTLS'
151 gnutls_certificate_verify_peers2. Otherwise, only warnings will
152 be shown about the verification failure.
154 VERIFY-FLAGS is a numeric OR of verification flags only for
155 `gnutls-x509pki' connections. See GnuTLS' x509.h for details;
156 here's a recent version of the list.
158 GNUTLS_VERIFY_DISABLE_CA_SIGN = 1,
159 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 2,
160 GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 4,
161 GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 8,
162 GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 16,
163 GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
164 GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64,
165 GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
166 GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256
168 It must be omitted, a number, or nil; if omitted or nil it
169 defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
170 (let* ((type (or type
'gnutls-x509pki
))
171 (trustfiles (or trustfiles
173 (mapcar (lambda (f) (and f
(file-exists-p f
) f
))
174 (if (functionp gnutls-trustfiles
)
175 (funcall gnutls-trustfiles
)
176 gnutls-trustfiles
)))))
177 (priority-string (or priority-string
179 ((eq type
'gnutls-anon
)
180 "NORMAL:+ANON-DH:!ARCFOUR-128")
181 ((eq type
'gnutls-x509pki
)
182 (if gnutls-algorithm-priority
183 (upcase gnutls-algorithm-priority
)
185 (min-prime-bits (or min-prime-bits gnutls-min-prime-bits
))
186 (params `(:priority
,priority-string
188 :loglevel
,gnutls-log-level
189 :min-prime-bits
,min-prime-bits
190 :trustfiles
,trustfiles
193 :verify-flags
,verify-flags
194 :verify-error
,verify-error
195 :verify-hostname-error
,verify-hostname-error
199 (gnutls-message-maybe
200 (setq ret
(gnutls-boot process type params
))
203 (when (gnutls-errorp ret
)
204 ;; This is a error from the underlying C code.
205 (signal 'gnutls-error
(list process ret
)))
209 (declare-function gnutls-error-string
"gnutls.c" (error))
211 (defun gnutls-message-maybe (doit format
&rest params
)
212 "When DOIT, message with the caller name followed by FORMAT on PARAMS."
213 ;; (apply 'debug format (or params '(nil)))
214 (when (gnutls-errorp doit
)
215 (message "%s: (err=[%s] %s) %s"
217 doit
(gnutls-error-string doit
)
218 (apply 'format format
(or params
'(nil))))))
222 ;;; gnutls.el ends here