X-Git-Url: http://cgit.sxemacs.org/?a=blobdiff_plain;f=lisp%2Ftls.el;h=48e6a42186ca1ec2318549b074b8e62a76f8057a;hb=ea3902284b96bfc95c9eeec1f63b6028b4e12871;hp=7dc563af9950fca64dea75d542bb24c3e9973388;hpb=7c6a84b07c02f34ad4b2461a5c2284b81ea56703;p=gnus diff --git a/lisp/tls.el b/lisp/tls.el index 7dc563af9..48e6a4218 100644 --- a/lisp/tls.el +++ b/lisp/tls.el @@ -1,27 +1,24 @@ ;;; tls.el --- TLS/SSL support via wrapper around GnuTLS -;; Copyright (C) 1996, 1997, 1998, 1999, 2002, 2003, 2004, -;; 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +;; Copyright (C) 1996-1999, 2002-2015 Free Software Foundation, Inc. ;; Author: Simon Josefsson ;; Keywords: comm, tls, gnutls, ssl ;; This file is part of GNU Emacs. -;; GNU Emacs is free software; you can redistribute it and/or modify +;; GNU Emacs is free software: you can redistribute it and/or modify ;; it under the terms of the GNU General Public License as published by -;; the Free Software Foundation; either version 3, or (at your option) -;; any later version. +;; the Free Software Foundation, either version 3 of the License, or +;; (at your option) any later version. ;; GNU Emacs is distributed in the hope that it will be useful, ;; but WITHOUT ANY WARRANTY; without even the implied warranty of -;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ;; GNU General Public License for more details. ;; You should have received a copy of the GNU General Public License -;; along with GNU Emacs; see the file COPYING. If not, write to the -;; Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -;; Boston, MA 02110-1301, USA. +;; along with GNU Emacs. If not, see . ;;; Commentary: 
@@ -47,9 +44,8 @@ ;;; Code: -(eval-and-compile - (autoload 'format-spec "format-spec") - (autoload 'format-spec-make "format-spec")) +(autoload 'format-spec "format-spec") +(autoload 'format-spec-make "format-spec") (defgroup tls nil "Transport Layer Security (TLS) parameters." @@ -78,14 +74,13 @@ and `gnutls-cli' (version 2.0.1) output." :type 'regexp :group 'tls) -(defcustom tls-program '("gnutls-cli -p %p %h" - "gnutls-cli -p %p %h --protocols ssl3" - "openssl s_client -connect %h:%p -no_ssl2") +(defcustom tls-program '("gnutls-cli --insecure -p %p %h" + "gnutls-cli --insecure -p %p %h --protocols ssl3" + "openssl s_client -connect %h:%p -no_ssl2 -ign_eof") "List of strings containing commands to start TLS stream to a host. Each entry in the list is tried until a connection is successful. %h is replaced with server hostname, %p with port to connect to. -The program should read input on stdin and write output to -stdout. +The program should read input on stdin and write output to stdout. See `tls-checktrust' on how to check trusted root certs. 
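Review bot: The new default of `tls-program` adds `--insecure` to both gnutls-cli entries without the docstring saying what that changes: gnutls-cli no longer aborts on a certificate it cannot verify, so with these defaults the only certificate check left is the output matching driven by `tls-checktrust` and `tls-untrusted`. The docstring should say so next to "See `tls-checktrust' on how to check trusted root certs.", for example `The default commands pass --insecure to gnutls-cli so that it does not abort on an unverifiable certificate; the certificate is then checked only as far as tls-checktrust requires.` The `--protocols ssl3` fallback entry is kept as well; if it is still wanted, a short note on why would help, since that entry accepts a protocol version weaker than TLS and the fallback is silent to the user.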
@@ -93,27 +88,27 @@ Also see `tls-success' for what the program should output after successful negotiation." :type '(choice + (const :tag "Default list of commands" + ("gnutls-cli --insecure -p %p %h" + "gnutls-cli --insecure -p %p %h --protocols ssl3" + "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")) (list :tag "Choose commands" :value - ("gnutls-cli -p %p %h" - "gnutls-cli -p %p %h --protocols ssl3" - "openssl s_client -connect %h:%p -no_ssl2") + ("gnutls-cli --insecure -p %p %h" + "gnutls-cli --insecure -p %p %h --protocols ssl3" + "openssl s_client -connect %h:%p -no_ssl2 -ign_eof") (set :inline t ;; FIXME: add brief `:tag "..."' descriptions. ;; (repeat :inline t :tag "Other" (string)) ;; See `tls-checktrust': (const "gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h") (const "gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3") - (const "openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2") + (const "openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2 -ign_eof") ;; No trust check: - (const "gnutls-cli -p %p %h") - (const "gnutls-cli -p %p %h --protocols ssl3") - (const "openssl s_client -connect %h:%p -no_ssl2")) + (const "gnutls-cli --insecure -p %p %h") + (const "gnutls-cli --insecure -p %p %h --protocols ssl3") + (const "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")) (repeat :inline t :tag "Other" (string))) - (const :tag "Default list of commands" - ("gnutls-cli -p %p %h" - "gnutls-cli -p %p %h --protocols ssl3" - "openssl s_client -connect %h:%p -no_ssl2")) (list :tag "List of commands" (repeat :tag "Command" (string)))) :version "22.1" 
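Review bot: `:version "22.1"` at the end of this hunk is left unchanged although the default value of `tls-program` changes in this commit (the `--insecure` and `-ign_eof` additions in this hunk and the previous one); the Emacs convention is to bump `:version` whenever a defcustom's default changes so Customize can show the variable as changed. Replace it with `:version "<release in which the default changed>"`, matching the release this lands in, which I cannot tell from the diff. The reorder that moves the "Default list of commands" alternative to the front of the `choice` is fine but would read better with a one-line comment saying the first alternative is what Customize shows for the unchanged default.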
@@ -127,7 +122,7 @@ successful negotiation." (defcustom tls-success "- Handshake was completed\\|SSL handshake has read " "Regular expression indicating completed TLS handshakes. -The default is what GNUTLS's \"gnutls-cli\" or OpenSSL's +The default is what GnuTLS's \"gnutls-cli\" or OpenSSL's \"openssl s_client\" outputs." :version "22.1" :type 'regexp @@ -142,9 +137,9 @@ the external program knows about the root certificates you consider trustworthy, e.g.: \(setq tls-program - '(\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h\" + \\='(\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h\" \"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3\" - \"openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2\"))" + \"openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2 -ign_eof\"))" :type '(choice (const :tag "Always" t) (const :tag "Never" nil) (const :tag "Ask" ask)) @@ -154,7 +149,7 @@ consider trustworthy, e.g.: (defcustom tls-untrusted "- Peer's certificate is NOT trusted\\|Verify return code: \\([^0] \\|.[^ ]\\)" "Regular expression indicating failure of TLS certificate verification. -The default is what GNUTLS's \"gnutls-cli\" or OpenSSL's +The default is what GnuTLS's \"gnutls-cli\" or OpenSSL's \"openssl s_client\" return in the event of unsuccessful verification." :type 'regexp 
@@ -172,13 +167,18 @@ this to nil if you want to ignore host name mismatches." :version "23.1" ;; No Gnus :group 'tls) -(defcustom tls-certtool-program (executable-find "certtool") - "Name of GnuTLS certtool. +(defcustom tls-certtool-program "certtool" + "Name of GnuTLS certtool. Used by `tls-certificate-information'." :version "22.1" :type 'string :group 'tls) +(defalias 'tls-format-message + (if (fboundp 'format-message) 'format-message + ;; for Emacs < 25, and XEmacs, don't worry about quote translation. + 'format)) + (defun tls-certificate-information (der) "Parse X.509 certificate in DER format into an assoc list." (let ((certificate (concat "-----BEGIN CERTIFICATE-----\n" @@ -219,22 +219,27 @@ Fourth arg PORT is an integer specifying a port to connect to." (use-temp-buffer (null buffer)) process cmd done) (if use-temp-buffer - (setq buffer (generate-new-buffer " TLS"))) + (setq buffer (generate-new-buffer " TLS")) + ;; BUFFER is a string but does not exist as a buffer object. + (unless (and (get-buffer buffer) + (buffer-name (get-buffer buffer))) + (generate-new-buffer buffer))) (with-current-buffer buffer (message "Opening TLS connection to `%s'..." host) (while (and (not done) (setq cmd (pop cmds))) - (message "Opening TLS connection with `%s'..." cmd) (let ((process-connection-type tls-process-connection-type) - response) + (formatted-cmd + (format-spec + cmd + (format-spec-make + ?h host + ?p (if (integerp port) + (int-to-string port) + port))))) + (message "Opening TLS connection with `%s'..." formatted-cmd) (setq process (start-process name buffer shell-file-name shell-command-switch - (format-spec - cmd - (format-spec-make - ?h host - ?p (if (integerp port) - (int-to-string port) - port))))) + formatted-cmd)) (while (and process (memq (process-status process) '(open run)) (progn 
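Review bot: `formatted-cmd` splices HOST and PORT into a command string that `start-process` then hands to `shell-file-name shell-command-switch`, so any shell metacharacter in either value is interpreted by the shell rather than reaching gnutls-cli or openssl as a literal; the restructuring is a good moment to quote them: `?h (shell-quote-argument host)` and `?p (shell-quote-argument (if (integerp port) (int-to-string port) port))`. Because the templates embed the values bare (`%h:%p`), quoting each value on its own keeps the default commands working under a POSIX shell; behaviour under a non-POSIX `shell-file-name` would need checking. Separately, the new `unless` branch also fires when BUFFER is a killed buffer object, since `get-buffer` returns a buffer object unchanged and `buffer-name` is nil for a killed one, and `generate-new-buffer` then signals a wrong-type-argument on a non-string; if callers may pass buffer objects, guard the branch with `(stringp buffer)` or document that BUFFER must be a name. open-tls-stream begins before this hunk and continues after it.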
@@ -243,7 +248,7 @@ Fourth arg PORT is an integer specifying a port to connect to." tls-success nil t))))) (unless (accept-process-output process 1) (sit-for 1))) - (message "Opening TLS connection with `%s'...%s" cmd + (message "Opening TLS connection with `%s'...%s" formatted-cmd (if done "done" "failed")) (if (not done) (delete-process process) @@ -275,8 +280,8 @@ Fourth arg PORT is an integer specifying a port to connect to." (message "The certificate presented by `%s' is \ NOT trusted." host)) (not (yes-or-no-p - (format "The certificate presented by `%s' is \ -NOT trusted. Accept anyway? " host))))) + (tls-format-message "\ +The certificate presented by `%s' is NOT trusted. Accept anyway? " host))))) (and tls-hostmismatch (save-excursion (goto-char (point-min)) @@ -285,7 +290,10 @@ NOT trusted. Accept anyway? " host))))) (format "Host name in certificate doesn't \ match `%s'. Connect anyway? " host)))))) (setq done nil) - (delete-process process))) + (delete-process process)) + ;; Delete all the informational messages that could confuse + ;; future uses of `buffer'. + (delete-region (point-min) (point))) (message "Opening TLS connection to `%s'...%s" host (if done "done" "failed")) (when use-temp-buffer @@ -295,5 +303,4 @@ match `%s'. Connect anyway? " host)))))) (provide 'tls) -;;; arch-tag: 5596d1c4-facc-4bc4-94a9-9863b928d7ac ;;; tls.el ends here
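Review bot: The new `(delete-region (point-min) (point))` only clears the buffer when point has moved past the handshake output; on the failure path point is wherever the last failed `tls-success` search left it, which, if the inner loop searches from the start of the buffer as it appears to, is `(point-min)`, so nothing is deleted and the failed command's output stays in front of the next command's, where the `(goto-char (point-min))` searches for `tls-untrusted` and `tls-hostmismatch` can then match stale text. Consider `(delete-region (point-min) (if done (point) (point-max)))` so a failed attempt is wiped entirely while a successful one keeps whatever follows the handshake line. The enclosing loop and open-tls-stream itself start outside this hunk.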