Commit | Line | Data |
---|---|---|
01b2d1dd SJ |
1 | ;;; tls.el --- TLS/SSL support via wrapper around GnuTLS |
2 | ||
ba318903 | 3 | ;; Copyright (C) 1996-1999, 2002-2014 Free Software Foundation, Inc. |
01b2d1dd SJ |
4 | |
5 | ;; Author: Simon Josefsson <simon@josefsson.org> | |
6 | ;; Keywords: comm, tls, gnutls, ssl | |
7 | ||
8 | ;; This file is part of GNU Emacs. | |
9 | ||
874a927a | 10 | ;; GNU Emacs is free software: you can redistribute it and/or modify |
01b2d1dd | 11 | ;; it under the terms of the GNU General Public License as published by |
874a927a GM |
12 | ;; the Free Software Foundation, either version 3 of the License, or |
13 | ;; (at your option) any later version. | |
01b2d1dd SJ |
14 | |
15 | ;; GNU Emacs is distributed in the hope that it will be useful, | |
16 | ;; but WITHOUT ANY WARRANTY; without even the implied warranty of | |
874a927a | 17 | ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
01b2d1dd SJ |
18 | ;; GNU General Public License for more details. |
19 | ||
20 | ;; You should have received a copy of the GNU General Public License | |
874a927a | 21 | ;; along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>. |
01b2d1dd SJ |
22 | |
23 | ;;; Commentary: | |
24 | ||
25 | ;; This package implements a simple wrapper around "gnutls-cli" to | |
26 | ;; make Emacs support TLS/SSL. | |
27 | ;; | |
28 | ;; Usage is the same as `open-network-stream', i.e.: | |
29 | ;; | |
30 | ;; (setq tmp (open-tls-stream "test" (current-buffer) "news.mozilla.org" 563)) | |
31 | ;; ... | |
32 | ;; #<process test> | |
33 | ;; (process-send-string tmp "mode reader\n") | |
34 | ;; 200 secnews.netscape.com Netscape-Collabra/3.52 03615 NNRP ready ... | |
35 | ;; nil | |
36 | ;; (process-send-string tmp "quit\n") | |
37 | ;; 205 | |
38 | ;; nil | |
39 | ||
40 | ;; To use this package as a replacement for ssl.el by William M. Perry | |
41 | ;; <wmperry@cs.indiana.edu>, you need to evaluate the following: | |
42 | ;; | |
43 | ;; (defalias 'open-ssl-stream 'open-tls-stream) | |
44 | ||
45 | ;;; Code: | |
46 | ||
3c5fa30a GM |
47 | (autoload 'format-spec "format-spec") |
48 | (autoload 'format-spec-make "format-spec") | |
01b2d1dd SJ |
49 | |
50 | (defgroup tls nil | |
51 | "Transport Layer Security (TLS) parameters." | |
52 | :group 'comm) | |
53 | ||
59c95dc2 | 54 | (defcustom tls-end-of-info |
cd6db47c GM |
55 | (concat |
56 | "\\(" | |
57 | ;; `openssl s_client' regexp. See ssl/ssl_txt.c lines 219-220. | |
58 | ;; According to apps/s_client.c line 1515 `---' is always the last | |
59 | ;; line that is printed by s_client before the real data. | |
60 | "^ Verify return code: .+\n---\n\\|" | |
61 | ;; `gnutls' regexp. See src/cli.c lines 721-. | |
62 | "^- Simple Client Mode:\n" | |
63 | "\\(\n\\|" ; ignore blank lines | |
2cddada0 | 64 | ;; According to GnuTLS v2.1.5 src/cli.c lines 640-650 and 705-715 |
7b63c073 | 65 | ;; in `main' the handshake will start after this message. If the |
2cddada0 | 66 | ;; handshake fails, the programs will abort. |
cd6db47c GM |
67 | "^\\*\\*\\* Starting TLS handshake\n\\)*" |
68 | "\\)") | |
59c95dc2 GM |
69 | "Regexp matching end of TLS client informational messages. |
70 | Client data stream begins after the last character matched by | |
71 | this. The default matches `openssl s_client' (version 0.9.8c) | |
72 | and `gnutls-cli' (version 2.0.1) output." | |
73 | :version "22.2" | |
74 | :type 'regexp | |
75 | :group 'tls) | |
76 | ||
aecb42aa LMI |
77 | (defcustom tls-program '("gnutls-cli --insecure -p %p %h" |
78 | "gnutls-cli --insecure -p %p %h --protocols ssl3" | |
a1d16a7b | 79 | "openssl s_client -connect %h:%p -no_ssl2 -ign_eof") |
01b2d1dd SJ |
80 | "List of strings containing commands to start TLS stream to a host. |
81 | Each entry in the list is tried until a connection is successful. | |
4a3c7686 | 82 | %h is replaced with server hostname, %p with port to connect to. |
7644aa97 | 83 | The program should read input on stdin and write output to stdout. |
b890d447 MB |
84 | |
85 | See `tls-checktrust' on how to check trusted root certs. | |
86 | ||
87 | Also see `tls-success' for what the program should output after | |
88 | successful negotiation." | |
89 | :type | |
90 | '(choice | |
f10331bf AS |
91 | (const :tag "Default list of commands" |
92 | ("gnutls-cli --insecure -p %p %h" | |
93 | "gnutls-cli --insecure -p %p %h --protocols ssl3" | |
94 | "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")) | |
b890d447 MB |
95 | (list :tag "Choose commands" |
96 | :value | |
f10331bf AS |
97 | ("gnutls-cli --insecure -p %p %h" |
98 | "gnutls-cli --insecure -p %p %h --protocols ssl3" | |
d55fe5bb | 99 | "openssl s_client -connect %h:%p -no_ssl2 -ign_eof") |
b890d447 MB |
100 | (set :inline t |
101 | ;; FIXME: add brief `:tag "..."' descriptions. | |
102 | ;; (repeat :inline t :tag "Other" (string)) | |
103 | ;; See `tls-checktrust': | |
104 | (const "gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h") | |
105 | (const "gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3") | |
d55fe5bb | 106 | (const "openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2 -ign_eof") |
b890d447 | 107 | ;; No trust check: |
f10331bf AS |
108 | (const "gnutls-cli --insecure -p %p %h") |
109 | (const "gnutls-cli --insecure -p %p %h --protocols ssl3") | |
d55fe5bb | 110 | (const "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")) |
b890d447 | 111 | (repeat :inline t :tag "Other" (string))) |
b890d447 MB |
112 | (list :tag "List of commands" |
113 | (repeat :tag "Command" (string)))) | |
3031d8b0 | 114 | :version "22.1" |
01b2d1dd SJ |
115 | :group 'tls) |
116 | ||
117 | (defcustom tls-process-connection-type nil | |
b890d447 | 118 | "Value for `process-connection-type' to use when starting TLS process." |
bf247b6e | 119 | :version "22.1" |
01b2d1dd SJ |
120 | :type 'boolean |
121 | :group 'tls) | |
122 | ||
3031d8b0 | 123 | (defcustom tls-success "- Handshake was completed\\|SSL handshake has read " |
b890d447 | 124 | "Regular expression indicating completed TLS handshakes. |
321decc8 | 125 | The default is what GnuTLS's \"gnutls-cli\" or OpenSSL's |
3031d8b0 | 126 | \"openssl s_client\" outputs." |
bf247b6e | 127 | :version "22.1" |
01b2d1dd SJ |
128 | :type 'regexp |
129 | :group 'tls) | |
130 | ||
b890d447 MB |
131 | (defcustom tls-checktrust nil |
132 | "Indicate if certificates should be checked against trusted root certs. | |
133 | If this is `ask', the user can decide whether to accept an | |
134 | untrusted certificate. You may have to adapt `tls-program' in | |
135 | order to make this feature work properly, i.e., to ensure that | |
136 | the external program knows about the root certificates you | |
137 | consider trustworthy, e.g.: | |
138 | ||
139 | \(setq tls-program | |
140 | '(\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h\" | |
141 | \"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3\" | |
d55fe5bb | 142 | \"openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2 -ign_eof\"))" |
b890d447 MB |
143 | :type '(choice (const :tag "Always" t) |
144 | (const :tag "Never" nil) | |
145 | (const :tag "Ask" ask)) | |
dd22fbf6 | 146 | :version "23.1" ;; No Gnus |
b890d447 MB |
147 | :group 'tls) |
148 | ||
149 | (defcustom tls-untrusted | |
150 | "- Peer's certificate is NOT trusted\\|Verify return code: \\([^0] \\|.[^ ]\\)" | |
151 | "Regular expression indicating failure of TLS certificate verification. | |
321decc8 | 152 | The default is what GnuTLS's \"gnutls-cli\" or OpenSSL's |
b890d447 MB |
153 | \"openssl s_client\" return in the event of unsuccessful |
154 | verification." | |
155 | :type 'regexp | |
dd22fbf6 | 156 | :version "23.1" ;; No Gnus |
b890d447 MB |
157 | :group 'tls) |
158 | ||
159 | (defcustom tls-hostmismatch | |
160 | "# The hostname in the certificate does NOT match" | |
161 | "Regular expression indicating a host name mismatch in certificate. | |
162 | When the host name specified in the certificate doesn't match the | |
163 | name of the host you are connecting to, gnutls-cli issues a | |
164 | warning to this effect. There is no such feature in openssl. Set | |
165 | this to nil if you want to ignore host name mismatches." | |
166 | :type 'regexp | |
dd22fbf6 | 167 | :version "23.1" ;; No Gnus |
b890d447 MB |
168 | :group 'tls) |
169 | ||
9c61f806 GM |
170 | (defcustom tls-certtool-program "certtool" |
171 | "Name of GnuTLS certtool. | |
18965008 | 172 | Used by `tls-certificate-information'." |
bf247b6e | 173 | :version "22.1" |
9bdd0e16 | 174 | :type 'string |
18965008 SJ |
175 | :group 'tls) |
176 | ||
177 | (defun tls-certificate-information (der) | |
178 | "Parse X.509 certificate in DER format into an assoc list." | |
179 | (let ((certificate (concat "-----BEGIN CERTIFICATE-----\n" | |
180 | (base64-encode-string der) | |
181 | "\n-----END CERTIFICATE-----\n")) | |
182 | (exit-code 0)) | |
183 | (with-current-buffer (get-buffer-create " *certtool*") | |
184 | (erase-buffer) | |
185 | (insert certificate) | |
186 | (setq exit-code (condition-case () | |
187 | (call-process-region (point-min) (point-max) | |
188 | tls-certtool-program | |
189 | t (list (current-buffer) nil) t | |
190 | "--certificate-info") | |
191 | (error -1))) | |
192 | (if (/= exit-code 0) | |
193 | nil | |
194 | (let ((vals nil)) | |
195 | (goto-char (point-min)) | |
196 | (while (re-search-forward "^\\([^:]+\\): \\(.*\\)" nil t) | |
197 | (push (cons (match-string 1) (match-string 2)) vals)) | |
198 | (nreverse vals)))))) | |
199 | ||
a1d16a7b | 200 | (defun open-tls-stream (name buffer host port) |
3031d8b0 | 201 | "Open a TLS connection for a port to a host. |
01b2d1dd SJ |
202 | Returns a subprocess-object to represent the connection. |
203 | Input and output work as for subprocesses; `delete-process' closes it. | |
3031d8b0 | 204 | Args are NAME BUFFER HOST PORT. |
01b2d1dd | 205 | NAME is name for process. It is modified if necessary to make it unique. |
b890d447 | 206 | BUFFER is the buffer (or buffer name) to associate with the process. |
01b2d1dd SJ |
207 | Process output goes at end of that buffer, unless you specify |
208 | an output stream or filter function to handle the output. | |
209 | BUFFER may be also nil, meaning that this process is not associated | |
210 | with any buffer | |
211 | Third arg is name of the host to connect to, or its IP address. | |
3031d8b0 | 212 | Fourth arg PORT is an integer specifying a port to connect to." |
0ad32c54 CY |
213 | (let ((cmds tls-program) |
214 | (use-temp-buffer (null buffer)) | |
215 | process cmd done) | |
216 | (if use-temp-buffer | |
3c2dbd94 KY |
217 | (setq buffer (generate-new-buffer " TLS")) |
218 | ;; BUFFER is a string but does not exist as a buffer object. | |
219 | (unless (and (get-buffer buffer) | |
220 | (buffer-name (get-buffer buffer))) | |
221 | (generate-new-buffer buffer))) | |
cd6db47c | 222 | (with-current-buffer buffer |
59c95dc2 GM |
223 | (message "Opening TLS connection to `%s'..." host) |
224 | (while (and (not done) (setq cmd (pop cmds))) | |
59c95dc2 | 225 | (let ((process-connection-type tls-process-connection-type) |
8ed4a859 MH |
226 | (formatted-cmd |
227 | (format-spec | |
228 | cmd | |
229 | (format-spec-make | |
230 | ?h host | |
231 | ?p (if (integerp port) | |
232 | (int-to-string port) | |
4d6769e1 | 233 | port))))) |
8ed4a859 | 234 | (message "Opening TLS connection with `%s'..." formatted-cmd) |
59c95dc2 GM |
235 | (setq process (start-process |
236 | name buffer shell-file-name shell-command-switch | |
8ed4a859 | 237 | formatted-cmd)) |
59c95dc2 GM |
238 | (while (and process |
239 | (memq (process-status process) '(open run)) | |
240 | (progn | |
241 | (goto-char (point-min)) | |
0a4d4654 GM |
242 | (not (setq done (re-search-forward |
243 | tls-success nil t))))) | |
59c95dc2 GM |
244 | (unless (accept-process-output process 1) |
245 | (sit-for 1))) | |
8ed4a859 | 246 | (message "Opening TLS connection with `%s'...%s" formatted-cmd |
59c95dc2 | 247 | (if done "done" "failed")) |
0a4d4654 GM |
248 | (if (not done) |
249 | (delete-process process) | |
250 | ;; advance point to after all informational messages that | |
251 | ;; `openssl s_client' and `gnutls' print | |
252 | (let ((start-of-data nil)) | |
253 | (while | |
ea666a77 RS |
254 | (not (setq start-of-data |
255 | ;; the string matching `tls-end-of-info' | |
256 | ;; might come in separate chunks from | |
257 | ;; `accept-process-output', so start the | |
258 | ;; search where `tls-success' ended | |
259 | (save-excursion | |
260 | (if (re-search-forward tls-end-of-info nil t) | |
261 | (match-end 0))))) | |
0a4d4654 GM |
262 | (accept-process-output process 1)) |
263 | (if start-of-data | |
264 | ;; move point to start of client data | |
265 | (goto-char start-of-data))) | |
ea666a77 | 266 | (setq done process)))) |
0a4d4654 GM |
267 | (when (and done |
268 | (or | |
269 | (and tls-checktrust | |
270 | (save-excursion | |
271 | (goto-char (point-min)) | |
272 | (re-search-forward tls-untrusted nil t)) | |
273 | (or | |
274 | (and (not (eq tls-checktrust 'ask)) | |
275 | (message "The certificate presented by `%s' is \ | |
276 | NOT trusted." host)) | |
277 | (not (yes-or-no-p | |
278 | (format "The certificate presented by `%s' is \ | |
279 | NOT trusted. Accept anyway? " host))))) | |
280 | (and tls-hostmismatch | |
281 | (save-excursion | |
282 | (goto-char (point-min)) | |
283 | (re-search-forward tls-hostmismatch nil t)) | |
284 | (not (yes-or-no-p | |
285 | (format "Host name in certificate doesn't \ | |
286 | match `%s'. Connect anyway? " host)))))) | |
287 | (setq done nil) | |
28f5da6d TZ |
288 | (delete-process process)) |
289 | ;; Delete all the informational messages that could confuse | |
290 | ;; future uses of `buffer'. | |
291 | (delete-region (point-min) (point))) | |
0a4d4654 GM |
292 | (message "Opening TLS connection to `%s'...%s" |
293 | host (if done "done" "failed")) | |
0ad32c54 | 294 | (when use-temp-buffer |
b7131d2f | 295 | (if done (set-process-buffer process nil)) |
0ad32c54 | 296 | (kill-buffer buffer)) |
01b2d1dd SJ |
297 | done)) |
298 | ||
299 | (provide 'tls) | |
300 | ||
301 | ;;; tls.el ends here |