lisp/net/gnutls.el

   1 ;;; gnutls.el --- Support SSL/TLS connections through GnuTLS
   2
   3 ;; Copyright (C) 2010-2012 Free Software Foundation, Inc.
   4
   5 ;; Author: Ted Zlatanov <tzz@lifelogs.com>
   6 ;; Keywords: comm, tls, ssl, encryption
   7 ;; Originally-By: Simon Josefsson (See http://josefsson.org/emacs-security/)
   8 ;; Thanks-To: Lars Magne Ingebrigtsen <larsi@gnus.org>
   9
  10 ;; This file is part of GNU Emacs.
  11
  12 ;; GNU Emacs is free software: you can redistribute it and/or modify
  13 ;; it under the terms of the GNU General Public License as published by
  14 ;; the Free Software Foundation, either version 3 of the License, or
  15 ;; (at your option) any later version.
  16
  17 ;; GNU Emacs is distributed in the hope that it will be useful,
  18 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
  19 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  20 ;; GNU General Public License for more details.
  21
  22 ;; You should have received a copy of the GNU General Public License
  23 ;; along with GNU Emacs.  If not, see <http://www.gnu.org/licenses/>.
  24
  25 ;;; Commentary:
  26
  27 ;; This package provides language bindings for the GnuTLS library
  28 ;; using the corresponding core functions in gnutls.c.  It should NOT
  29 ;; be used directly, only through open-protocol-stream.
  30
  31 ;; Simple test:
  32 ;;
  33 ;; (open-gnutls-stream "tls" "tls-buffer" "yourserver.com" "https")
  34 ;; (open-gnutls-stream "tls" "tls-buffer" "imap.gmail.com" "imaps")
  35
  36 ;;; Code:
  37
  38 (eval-when-compile (require 'cl))
  39
  40 (defgroup gnutls nil
  41   "Emacs interface to the GnuTLS library."
  42   :version "24.1"
  43   :prefix "gnutls-"
  44   :group 'net-utils)
  45
  46 (defcustom gnutls-algorithm-priority nil
  47   "If non-nil, this should be a TLS priority string.
  48 For instance, if you want to skip the \"dhe-rsa\" algorithm,
  49 set this variable to \"normal:-dhe-rsa\"."
  50   :group 'gnutls
  51   :type '(choice (const nil)
  52                  string))
  53
  54 ;;;###autoload
  55 (defcustom gnutls-min-prime-bits nil
  56   "The minimum number of bits to be used in Diffie-Hellman key exchange.
  57
  58 This sets the minimum accepted size of the key to be used in a
  59 client-server handshake.  If the server sends a prime with fewer than
  60 the specified number of bits the handshake will fail.
  61
  62 A value of nil says to use the default gnutls value."
  63   :type '(choice (const :tag "Use default value" nil)
  64                  (integer :tag "Number of bits" 512))
  65   :group 'gnutls)
  66
  67 (defun open-gnutls-stream (name buffer host service)
  68   "Open a SSL/TLS connection for a service to a host.
  69 Returns a subprocess-object to represent the connection.
  70 Input and output work as for subprocesses; `delete-process' closes it.
  71 Args are NAME BUFFER HOST SERVICE.
  72 NAME is name for process.  It is modified if necessary to make it unique.
  73 BUFFER is the buffer (or `buffer-name') to associate with the process.
  74  Process output goes at end of that buffer, unless you specify
  75  an output stream or filter function to handle the output.
  76  BUFFER may be also nil, meaning that this process is not associated
  77  with any buffer
  78 Third arg is name of the host to connect to, or its IP address.
  79 Fourth arg SERVICE is name of the service desired, or an integer
  80 specifying a port number to connect to.
  81
  82 Usage example:
  83
  84   \(with-temp-buffer
  85     \(open-gnutls-stream \"tls\"
  86                         \(current-buffer)
  87                         \"your server goes here\"
  88                         \"imaps\"))
  89
  90 This is a very simple wrapper around `gnutls-negotiate'.  See its
  91 documentation for the specific parameters you can use to open a
  92 GnuTLS connection, including specifying the credential type,
  93 trust and key files, and priority string."
  94   (gnutls-negotiate :process (open-network-stream name buffer host service)
  95                     :type 'gnutls-x509pki
  96                     :hostname host))
  97
  98 (put 'gnutls-error
  99      'error-conditions
 100      '(error gnutls-error))
 101 (put 'gnutls-error
 102      'error-message "GnuTLS error")
 103
 104 (declare-function gnutls-boot "gnutls.c" (proc type proplist))
 105 (declare-function gnutls-errorp "gnutls.c" (error))
 106
 107 (defun* gnutls-negotiate
 108     (&rest spec
 109            &key process type hostname priority-string
 110            trustfiles crlfiles keylist min-prime-bits
 111            verify-flags verify-error verify-hostname-error
 112            &allow-other-keys)
 113   "Negotiate a SSL/TLS connection.  Returns proc.  Signals gnutls-error.
 114
 115 Note arguments are passed CL style, :type TYPE instead of just TYPE.
 116
 117 TYPE is `gnutls-x509pki' (default) or `gnutls-anon'.  Use nil for the default.
 118 PROCESS is a process returned by `open-network-stream'.
 119 HOSTNAME is the remote hostname.  It must be a valid string.
 120 PRIORITY-STRING is as per the GnuTLS docs, default is \"NORMAL\".
 121 TRUSTFILES is a list of CA bundles.
 122 CRLFILES is a list of CRL files.
 123 KEYLIST is an alist of (client key file, client cert file) pairs.
 124 MIN-PRIME-BITS is the minimum acceptable size of Diffie-Hellman keys
 125 \(see `gnutls-min-prime-bits' for more information).  Use nil for the
 126 default.
 127
 128 When VERIFY-HOSTNAME-ERROR is not nil, an error will be raised
 129 when the hostname does not match the presented certificate's host
 130 name.  The exact verification algorithm is a basic implementation
 131 of the matching described in RFC2818 (HTTPS), which takes into
 132 account wildcards, and the DNSName/IPAddress subject alternative
 133 name PKIX extension.  See GnuTLS' gnutls_x509_crt_check_hostname
 134 for details.  When VERIFY-HOSTNAME-ERROR is nil, only a warning
 135 will be issued.
 136
 137 When VERIFY-ERROR is not nil, an error will be raised when the
 138 peer certificate verification fails as per GnuTLS'
 139 gnutls_certificate_verify_peers2.  Otherwise, only warnings will
 140 be shown about the verification failure.
 141
 142 VERIFY-FLAGS is a numeric OR of verification flags only for
 143 `gnutls-x509pki' connections.  See GnuTLS' x509.h for details;
 144 here's a recent version of the list.
 145
 146     GNUTLS_VERIFY_DISABLE_CA_SIGN = 1,
 147     GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 2,
 148     GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 4,
 149     GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 8,
 150     GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 16,
 151     GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
 152     GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64,
 153     GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
 154     GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256
 155
 156 It must be omitted, a number, or nil; if omitted or nil it
 157 defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
 158   (let* ((type (or type 'gnutls-x509pki))
 159          (default-trustfile "/etc/ssl/certs/ca-certificates.crt")
 160          (trustfiles (or trustfiles
 161                          (when (file-exists-p default-trustfile)
 162                            (list default-trustfile))))
 163          (priority-string (or priority-string
 164                               (cond
 165                                ((eq type 'gnutls-anon)
 166                                 "NORMAL:+ANON-DH:!ARCFOUR-128")
 167                                ((eq type 'gnutls-x509pki)
 168                                 (if gnutls-algorithm-priority
 169                                     (upcase gnutls-algorithm-priority)
 170                                   "NORMAL")))))
 171          (min-prime-bits (or min-prime-bits gnutls-min-prime-bits))
 172          (params `(:priority ,priority-string
 173                              :hostname ,hostname
 174                              :loglevel ,gnutls-log-level
 175                              :min-prime-bits ,min-prime-bits
 176                              :trustfiles ,trustfiles
 177                              :crlfiles ,crlfiles
 178                              :keylist ,keylist
 179                              :verify-flags ,verify-flags
 180                              :verify-error ,verify-error
 181                              :verify-hostname-error ,verify-hostname-error
 182                              :callbacks nil))
 183          ret)
 184
 185     (gnutls-message-maybe
 186      (setq ret (gnutls-boot process type params))
 187      "boot: %s" params)
 188
 189     (when (gnutls-errorp ret)
 190       ;; This is a error from the underlying C code.
 191       (signal 'gnutls-error (list process ret)))
 192
 193     process))
 194
 195 (declare-function gnutls-error-string "gnutls.c" (error))
 196
 197 (defun gnutls-message-maybe (doit format &rest params)
 198   "When DOIT, message with the caller name followed by FORMAT on PARAMS."
 199   ;; (apply 'debug format (or params '(nil)))
 200   (when (gnutls-errorp doit)
 201     (message "%s: (err=[%s] %s) %s"
 202              "gnutls.el"
 203              doit (gnutls-error-string doit)
 204              (apply 'format format (or params '(nil))))))
 205
 206 (provide 'gnutls)
 207
 208 ;;; gnutls.el ends here