;;; tls.el --- TLS/SSL support via wrapper around GnuTLS
-;; Copyright (C) 1996, 1997, 1998, 1999, 2002, 2003, 2004,
-;; 2005, 2006, 2007 Free Software Foundation, Inc.
+;; Copyright (C) 1996-1999, 2002-2015 Free Software Foundation, Inc.
;; Author: Simon Josefsson <simon@josefsson.org>
;; Keywords: comm, tls, gnutls, ssl
;; This file is part of GNU Emacs.
-;; GNU Emacs is free software; you can redistribute it and/or modify
+;; GNU Emacs is free software: you can redistribute it and/or modify
;; it under the terms of the GNU General Public License as published by
-;; the Free Software Foundation; either version 3, or (at your option)
-;; any later version.
+;; the Free Software Foundation, either version 3 of the License, or
+;; (at your option) any later version.
;; GNU Emacs is distributed in the hope that it will be useful,
;; but WITHOUT ANY WARRANTY; without even the implied warranty of
-;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;; GNU General Public License for more details.
;; You should have received a copy of the GNU General Public License
-;; along with GNU Emacs; see the file COPYING. If not, write to the
-;; Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-;; Boston, MA 02110-1301, USA.
+;; along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>.
;;; Commentary:
;;; Code:
-(eval-and-compile
- (autoload 'format-spec "format-spec")
- (autoload 'format-spec-make "format-spec"))
+(autoload 'format-spec "format-spec")
+(autoload 'format-spec-make "format-spec")
(defgroup tls nil
"Transport Layer Security (TLS) parameters."
:group 'comm)
-(defcustom tls-program '("gnutls-cli -p %p %h"
- "gnutls-cli -p %p %h --protocols ssl3"
- "openssl s_client -connect %h:%p -no_ssl2")
+(defcustom tls-end-of-info
+ (concat
+ "\\("
+ ;; `openssl s_client' regexp. See ssl/ssl_txt.c lines 219-220.
+ ;; According to apps/s_client.c line 1515 `---' is always the last
+ ;; line that is printed by s_client before the real data.
+ "^ Verify return code: .+\n---\n\\|"
+ ;; `gnutls' regexp. See src/cli.c lines 721-.
+ "^- Simple Client Mode:\n"
+ "\\(\n\\|" ; ignore blank lines
+ ;; According to GnuTLS v2.1.5 src/cli.c lines 640-650 and 705-715
+ ;; in `main' the handshake will start after this message. If the
+ ;; handshake fails, the programs will abort.
+ "^\\*\\*\\* Starting TLS handshake\n\\)*"
+ "\\)")
+ "Regexp matching end of TLS client informational messages.
+Client data stream begins after the last character matched by
+this. The default matches `openssl s_client' (version 0.9.8c)
+and `gnutls-cli' (version 2.0.1) output."
+ :version "22.2"
+ :type 'regexp
+ :group 'tls)
+
+(defcustom tls-program '("gnutls-cli --insecure -p %p %h"
+ "gnutls-cli --insecure -p %p %h --protocols ssl3"
+ "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
"List of strings containing commands to start TLS stream to a host.
Each entry in the list is tried until a connection is successful.
%h is replaced with server hostname, %p with port to connect to.
-The program should read input on stdin and write output to
-stdout.
+The program should read input on stdin and write output to stdout.
See `tls-checktrust' on how to check trusted root certs.
successful negotiation."
:type
'(choice
+ (const :tag "Default list of commands"
+ ("gnutls-cli --insecure -p %p %h"
+ "gnutls-cli --insecure -p %p %h --protocols ssl3"
+ "openssl s_client -connect %h:%p -no_ssl2 -ign_eof"))
(list :tag "Choose commands"
:value
- ("gnutls-cli -p %p %h"
- "gnutls-cli -p %p %h --protocols ssl3"
- "openssl s_client -connect %h:%p -no_ssl2")
+ ("gnutls-cli --insecure -p %p %h"
+ "gnutls-cli --insecure -p %p %h --protocols ssl3"
+ "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
(set :inline t
;; FIXME: add brief `:tag "..."' descriptions.
;; (repeat :inline t :tag "Other" (string))
;; See `tls-checktrust':
(const "gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h")
(const "gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3")
- (const "openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2")
+ (const "openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2 -ign_eof")
;; No trust check:
- (const "gnutls-cli -p %p %h")
- (const "gnutls-cli -p %p %h --protocols ssl3")
- (const "openssl s_client -connect %h:%p -no_ssl2"))
+ (const "gnutls-cli --insecure -p %p %h")
+ (const "gnutls-cli --insecure -p %p %h --protocols ssl3")
+ (const "openssl s_client -connect %h:%p -no_ssl2 -ign_eof"))
(repeat :inline t :tag "Other" (string)))
- (const :tag "Default list of commands"
- ("gnutls-cli -p %p %h"
- "gnutls-cli -p %p %h --protocols ssl3"
- "openssl s_client -connect %h:%p -no_ssl2"))
(list :tag "List of commands"
(repeat :tag "Command" (string))))
:version "22.1"
(defcustom tls-success "- Handshake was completed\\|SSL handshake has read "
"Regular expression indicating completed TLS handshakes.
-The default is what GNUTLS's \"gnutls-cli\" or OpenSSL's
+The default is what GnuTLS's \"gnutls-cli\" or OpenSSL's
\"openssl s_client\" outputs."
:version "22.1"
:type 'regexp
consider trustworthy, e.g.:
\(setq tls-program
- '(\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h\"
+ \\='(\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h\"
\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3\"
- \"openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2\"))"
+ \"openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2 -ign_eof\"))"
:type '(choice (const :tag "Always" t)
(const :tag "Never" nil)
(const :tag "Ask" ask))
- :version "23.0" ;; No Gnus
+ :version "23.1" ;; No Gnus
:group 'tls)
(defcustom tls-untrusted
"- Peer's certificate is NOT trusted\\|Verify return code: \\([^0] \\|.[^ ]\\)"
"Regular expression indicating failure of TLS certificate verification.
-The default is what GNUTLS's \"gnutls-cli\" or OpenSSL's
+The default is what GnuTLS's \"gnutls-cli\" or OpenSSL's
\"openssl s_client\" return in the event of unsuccessful
verification."
:type 'regexp
- :version "23.0" ;; No Gnus
+ :version "23.1" ;; No Gnus
:group 'tls)
(defcustom tls-hostmismatch
warning to this effect. There is no such feature in openssl. Set
this to nil if you want to ignore host name mismatches."
:type 'regexp
- :version "23.0" ;; No Gnus
+ :version "23.1" ;; No Gnus
:group 'tls)
-(defcustom tls-certtool-program (executable-find "certtool")
- "Name of GnuTLS certtool.
+(defcustom tls-certtool-program "certtool"
+ "Name of GnuTLS certtool.
Used by `tls-certificate-information'."
:version "22.1"
:type 'string
:group 'tls)
+(defalias 'tls-format-message
+ (if (fboundp 'format-message) 'format-message
+ ;; for Emacs < 25, and XEmacs, don't worry about quote translation.
+ 'format))
+
(defun tls-certificate-information (der)
"Parse X.509 certificate in DER format into an assoc list."
(let ((certificate (concat "-----BEGIN CERTIFICATE-----\n"
(use-temp-buffer (null buffer))
process cmd done)
(if use-temp-buffer
- (setq buffer (generate-new-buffer " TLS")))
- (message "Opening TLS connection to `%s'..." host)
- (while (and (not done) (setq cmd (pop cmds)))
- (message "Opening TLS connection with `%s'..." cmd)
- (let ((process-connection-type tls-process-connection-type)
- response)
- (setq process (start-process
- name buffer shell-file-name shell-command-switch
- (format-spec
- cmd
- (format-spec-make
- ?h host
- ?p (if (integerp port)
- (int-to-string port)
- port)))))
- (while (and process
- (memq (process-status process) '(open run))
- (save-excursion
- (set-buffer buffer) ;; XXX "blue moon" nntp.el bug
- (goto-char (point-min))
- (not (setq done (re-search-forward tls-success nil t)))))
- (unless (accept-process-output process 1)
- (sit-for 1)))
- (message "Opening TLS connection with `%s'...%s" cmd
- (if done "done" "failed"))
- (if done
- (setq done process)
- (delete-process process))))
- (when done
- (save-excursion
- (set-buffer buffer)
- (when
- (or
- (and tls-checktrust
- (progn
- (goto-char (point-min))
- (re-search-forward tls-untrusted nil t))
- (or
- (and (not (eq tls-checktrust 'ask))
- (message "The certificate presented by `%s' is NOT trusted." host))
- (not (yes-or-no-p
- (format "The certificate presented by `%s' is NOT trusted. Accept anyway? " host)))))
- (and tls-hostmismatch
- (progn
- (goto-char (point-min))
- (re-search-forward tls-hostmismatch nil t))
- (not (yes-or-no-p
- (format "Host name in certificate doesn't match `%s'. Connect anyway? " host)))))
- (setq done nil)
- (delete-process process))))
+ (setq buffer (generate-new-buffer " TLS"))
+ ;; BUFFER is a string but does not exist as a buffer object.
+ (unless (and (get-buffer buffer)
+ (buffer-name (get-buffer buffer)))
+ (generate-new-buffer buffer)))
+ (with-current-buffer buffer
+ (message "Opening TLS connection to `%s'..." host)
+ (while (and (not done) (setq cmd (pop cmds)))
+ (let ((process-connection-type tls-process-connection-type)
+ (formatted-cmd
+ (format-spec
+ cmd
+ (format-spec-make
+ ?h host
+ ?p (if (integerp port)
+ (int-to-string port)
+ port)))))
+ (message "Opening TLS connection with `%s'..." formatted-cmd)
+ (setq process (start-process
+ name buffer shell-file-name shell-command-switch
+ formatted-cmd))
+ (while (and process
+ (memq (process-status process) '(open run))
+ (progn
+ (goto-char (point-min))
+ (not (setq done (re-search-forward
+ tls-success nil t)))))
+ (unless (accept-process-output process 1)
+ (sit-for 1)))
+ (message "Opening TLS connection with `%s'...%s" formatted-cmd
+ (if done "done" "failed"))
+ (if (not done)
+ (delete-process process)
+ ;; advance point to after all informational messages that
+ ;; `openssl s_client' and `gnutls' print
+ (let ((start-of-data nil))
+ (while
+ (not (setq start-of-data
+ ;; the string matching `tls-end-of-info'
+ ;; might come in separate chunks from
+ ;; `accept-process-output', so start the
+ ;; search where `tls-success' ended
+ (save-excursion
+ (if (re-search-forward tls-end-of-info nil t)
+ (match-end 0)))))
+ (accept-process-output process 1))
+ (if start-of-data
+ ;; move point to start of client data
+ (goto-char start-of-data)))
+ (setq done process))))
+ (when (and done
+ (or
+ (and tls-checktrust
+ (save-excursion
+ (goto-char (point-min))
+ (re-search-forward tls-untrusted nil t))
+ (or
+ (and (not (eq tls-checktrust 'ask))
+ (message "The certificate presented by `%s' is \
+NOT trusted." host))
+ (not (yes-or-no-p
+ (tls-format-message "\
+The certificate presented by `%s' is NOT trusted. Accept anyway? " host)))))
+ (and tls-hostmismatch
+ (save-excursion
+ (goto-char (point-min))
+ (re-search-forward tls-hostmismatch nil t))
+ (not (yes-or-no-p
+ (format "Host name in certificate doesn't \
+match `%s'. Connect anyway? " host))))))
+ (setq done nil)
+ (delete-process process))
+ ;; Delete all the informational messages that could confuse
+ ;; future uses of `buffer'.
+ (delete-region (point-min) (point)))
(message "Opening TLS connection to `%s'...%s"
host (if done "done" "failed"))
(when use-temp-buffer
(provide 'tls)
-;;; arch-tag: 5596d1c4-facc-4bc4-94a9-9863b928d7ac
;;; tls.el ends here
projects / gnus / blobdiff