New verify-error GnuTLS interface for certificate validation

* net/gnutls.el (gnutls-verify-error): New defcustom to control the behavior when a certificate fails validation. Defaults to old behavior: never abort, just warn. (gnutls-negotiate): Use it. * gnutls.c: Replace `:verify_hostname_error' with `:verify_error', now a list of certificate validation checks that will abort a connection with an error. (Fgnutls_boot): Document it and use it.
author: Ted Zlatanov 2013-12-14 13:04:09 -0500
committer: Ted Zlatanov 2013-12-14 13:04:09 -0500
commit: 31b4827ea9ba8d22deb17c0593f0f555a33e1fa4 (patch)
tree: dbfcb55f9fa3edc10623b34d5cf964a9a1167f7d /lisp/net
parent: f93cc74f04312c1b27bfcc870c1782083525fc61 (diff)
download: emacs-31b4827ea9ba8d22deb17c0593f0f555a33e1fa4.tar.gz
emacs-31b4827ea9ba8d22deb17c0593f0f555a33e1fa4.zip
1 files changed, 52 insertions, 15 deletions
diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 923b108c708..5bf9adc2b53 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -51,6 +51,19 @@ set this variable to \"normal:-dhe-rsa\"."
  :type '(choice (const nil)
                 string))
+(defcustom gnutls-verify-error nil
+  "If non-nil, this should be a list of checks per hostname regex or t."
+  :group 'gnutls
+  :type '(choice
+          (const t)
+          (repeat :tag "List of hostname regexps with flags for each"
+           (list
+            (choice :tag "Hostname"
+                    (const ".*" :tag "Any hostname")
+                    regexp)
+            (set (const :trustfiles)
+                 (const :hostname))))))
 (defcustom gnutls-trustfiles
  '(
    "/etc/ssl/certs/ca-certificates.crt" ; Debian, Ubuntu, Gentoo and Arch Linux
@@ -138,19 +151,25 @@ MIN-PRIME-BITS is the minimum acceptable size of Diffie-Hellman keys
 \(see `gnutls-min-prime-bits' for more information).  Use nil for the
 default.
-When VERIFY-HOSTNAME-ERROR is not nil, an error will be raised
+VERIFY-HOSTNAME-ERROR is a backwards compatibility option for
-when the hostname does not match the presented certificate's host
+putting `:hostname' in VERIFY-ERROR.
-name.  The exact verification algorithm is a basic implementation
-of the matching described in RFC2818 (HTTPS), which takes into
+When VERIFY-ERROR is t or a list containing `:trustfiles', an
-account wildcards, and the DNSName/IPAddress subject alternative
+error will be raised when the peer certificate verification fails
-name PKIX extension.  See GnuTLS' gnutls_x509_crt_check_hostname
+as per GnuTLS' gnutls_certificate_verify_peers2.  Otherwise, only
-for details.  When VERIFY-HOSTNAME-ERROR is nil, only a warning
+warnings will be shown about the verification failure.
-will be issued.
-When VERIFY-ERROR is not nil, an error will be raised when the
+When VERIFY-ERROR is t or a list containing `:hostname', an error
-peer certificate verification fails as per GnuTLS'
+will be raised when the hostname does not match the presented
-gnutls_certificate_verify_peers2.  Otherwise, only warnings will
+certificate's host name.  The exact verification algorithm is a
-be shown about the verification failure.
+basic implementation of the matching described in
+RFC2818 (HTTPS), which takes into account wildcards, and the
+DNSName/IPAddress subject alternative name PKIX extension.  See
+GnuTLS' gnutls_x509_crt_check_hostname for details.  Otherwise,
+only a warning will be issued.
+Note that the list in `gnutls-verify-error', matched against the
+HOSTNAME, is the default VERIFY-ERROR.
 VERIFY-FLAGS is a numeric OR of verification flags only for
 `gnutls-x509pki' connections.  See GnuTLS' x509.h for details;
@@ -183,8 +202,28 @@ defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
                                (if gnutls-algorithm-priority
                                    (upcase gnutls-algorithm-priority)
                                  "NORMAL")))))
+         (verify-error (or verify-error
+                           ;; this uses the value of `gnutls-verify-error'
+                           (cond
+                            ;; if t, pass it on
+                            ((eq gnutls-verify-error t)
+                             t)
+                            ;; if a list, look for hostname matches
+                            ((listp gnutls-verify-error)
+                             (mapcan
+                              (lambda (check)
+                                (when (string-match (car check) hostname)
+                                  (cdr check)))
+                              gnutls-verify-error))
+                            ;; else it's nil
+                            (t nil))))
         (min-prime-bits (or min-prime-bits gnutls-min-prime-bits))
-         (params `(:priority ,priority-string
+         params ret)
+    (when verify-hostname-error
+      (push :hostname verify-error))
+    (setq params `(:priority ,priority-string
                             :hostname ,hostname
                             :loglevel ,gnutls-log-level
                             :min-prime-bits ,min-prime-bits
@@ -193,9 +232,7 @@ defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
                             :keylist ,keylist
                             :verify-flags ,verify-flags
                             :verify-error ,verify-error
-                             :verify-hostname-error ,verify-hostname-error
                             :callbacks nil))
-         ret)
    (gnutls-message-maybe
     (setq ret (gnutls-boot process type params))
author	Ted Zlatanov	2013-12-14 13:04:09 -0500
committer	Ted Zlatanov	2013-12-14 13:04:09 -0500
commit	31b4827ea9ba8d22deb17c0593f0f555a33e1fa4 (patch)
tree	dbfcb55f9fa3edc10623b34d5cf964a9a1167f7d /lisp/net
parent	f93cc74f04312c1b27bfcc870c1782083525fc61 (diff)
download	emacs-31b4827ea9ba8d22deb17c0593f0f555a33e1fa4.tar.gz emacs-31b4827ea9ba8d22deb17c0593f0f555a33e1fa4.zip

diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el index 923b108c708..5bf9adc2b53 100644 --- a/lisp/net/gnutls.el +++ b/lisp/net/gnutls.el
@@ -51,6 +51,19 @@ set this variable to \"normal:-dhe-rsa\"."
51	:type '(choice (const nil)	51	:type '(choice (const nil)
52	string))	52	string))
53		53
		54	(defcustom gnutls-verify-error nil
		55	"If non-nil, this should be a list of checks per hostname regex or t."
		56	:group 'gnutls
		57	:type '(choice
		58	(const t)
		59	(repeat :tag "List of hostname regexps with flags for each"
		60	(list
		61	(choice :tag "Hostname"
		62	(const ".*" :tag "Any hostname")
		63	regexp)
		64	(set (const :trustfiles)
		65	(const :hostname))))))
		66
54	(defcustom gnutls-trustfiles	67	(defcustom gnutls-trustfiles
55	'(	68	'(
56	"/etc/ssl/certs/ca-certificates.crt" ; Debian, Ubuntu, Gentoo and Arch Linux	69	"/etc/ssl/certs/ca-certificates.crt" ; Debian, Ubuntu, Gentoo and Arch Linux
@@ -138,19 +151,25 @@ MIN-PRIME-BITS is the minimum acceptable size of Diffie-Hellman keys
138	\(see `gnutls-min-prime-bits' for more information). Use nil for the	151	\(see `gnutls-min-prime-bits' for more information). Use nil for the
139	default.	152	default.
140		153
141	When VERIFY-HOSTNAME-ERROR is not nil, an error will be raised	154	VERIFY-HOSTNAME-ERROR is a backwards compatibility option for
142	when the hostname does not match the presented certificate's host	155	putting `:hostname' in VERIFY-ERROR.
143	name. The exact verification algorithm is a basic implementation	156
144	of the matching described in RFC2818 (HTTPS), which takes into	157	When VERIFY-ERROR is t or a list containing `:trustfiles', an
145	account wildcards, and the DNSName/IPAddress subject alternative	158	error will be raised when the peer certificate verification fails
146	name PKIX extension. See GnuTLS' gnutls_x509_crt_check_hostname	159	as per GnuTLS' gnutls_certificate_verify_peers2. Otherwise, only
147	for details. When VERIFY-HOSTNAME-ERROR is nil, only a warning	160	warnings will be shown about the verification failure.
148	will be issued.
149		161
150	When VERIFY-ERROR is not nil, an error will be raised when the	162	When VERIFY-ERROR is t or a list containing `:hostname', an error
151	peer certificate verification fails as per GnuTLS'	163	will be raised when the hostname does not match the presented
152	gnutls_certificate_verify_peers2. Otherwise, only warnings will	164	certificate's host name. The exact verification algorithm is a
153	be shown about the verification failure.	165	basic implementation of the matching described in
		166	RFC2818 (HTTPS), which takes into account wildcards, and the
		167	DNSName/IPAddress subject alternative name PKIX extension. See
		168	GnuTLS' gnutls_x509_crt_check_hostname for details. Otherwise,
		169	only a warning will be issued.
		170
		171	Note that the list in `gnutls-verify-error', matched against the
		172	HOSTNAME, is the default VERIFY-ERROR.
154		173
155	VERIFY-FLAGS is a numeric OR of verification flags only for	174	VERIFY-FLAGS is a numeric OR of verification flags only for
156	`gnutls-x509pki' connections. See GnuTLS' x509.h for details;	175	`gnutls-x509pki' connections. See GnuTLS' x509.h for details;
@@ -183,8 +202,28 @@ defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
183	(if gnutls-algorithm-priority	202	(if gnutls-algorithm-priority
184	(upcase gnutls-algorithm-priority)	203	(upcase gnutls-algorithm-priority)
185	"NORMAL")))))	204	"NORMAL")))))
		205	(verify-error (or verify-error
		206	;; this uses the value of `gnutls-verify-error'
		207	(cond
		208	;; if t, pass it on
		209	((eq gnutls-verify-error t)
		210	t)
		211	;; if a list, look for hostname matches
		212	((listp gnutls-verify-error)
		213	(mapcan
		214	(lambda (check)
		215	(when (string-match (car check) hostname)
		216	(cdr check)))
		217	gnutls-verify-error))
		218	;; else it's nil
		219	(t nil))))
186	(min-prime-bits (or min-prime-bits gnutls-min-prime-bits))	220	(min-prime-bits (or min-prime-bits gnutls-min-prime-bits))
187	(params `(:priority ,priority-string	221	params ret)
		222
		223	(when verify-hostname-error
		224	(push :hostname verify-error))
		225
		226	(setq params `(:priority ,priority-string
188	:hostname ,hostname	227	:hostname ,hostname
189	:loglevel ,gnutls-log-level	228	:loglevel ,gnutls-log-level
190	:min-prime-bits ,min-prime-bits	229	:min-prime-bits ,min-prime-bits
@@ -193,9 +232,7 @@ defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
193	:keylist ,keylist	232	:keylist ,keylist
194	:verify-flags ,verify-flags	233	:verify-flags ,verify-flags
195	:verify-error ,verify-error	234	:verify-error ,verify-error
196	:verify-hostname-error ,verify-hostname-error
197	:callbacks nil))	235	:callbacks nil))
198	ret)
199		236
200	(gnutls-message-maybe	237	(gnutls-message-maybe
201	(setq ret (gnutls-boot process type params))	238	(setq ret (gnutls-boot process type params))