Diffstat (limited to 'lisp/net')
-rw-r--r--lisp/net/gnutls.el79
-rw-r--r--lisp/net/network-stream.el5
-rw-r--r--lisp/net/tramp-sh.el8
-rw-r--r--lisp/net/tramp-smb.el2
-rw-r--r--lisp/net/tramp.el12
-rw-r--r--lisp/net/trampver.el4
6 files changed, 89 insertions, 21 deletions
diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 0929c31b6c4..8b662795665 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -25,7 +25,8 @@
;;; Commentary:
;; This package provides language bindings for the GnuTLS library
-;; using the corresponding core functions in gnutls.c.
+;; using the corresponding core functions in gnutls.c. It should NOT
+;; be used directly, only through open-protocol-stream.
;; Simple test:
;;
@@ -59,26 +60,77 @@ Third arg is name of the host to connect to, or its IP address.
Fourth arg SERVICE is name of the service desired, or an integer
specifying a port number to connect to.
+Usage example:
+
+ \(with-temp-buffer
+ \(open-gnutls-stream \"tls\"
+ \(current-buffer)
+ \"your server goes here\"
+ \"imaps\"))
+
This is a very simple wrapper around `gnutls-negotiate'. See its
documentation for the specific parameters you can use to open a
GnuTLS connection, including specifying the credential type,
trust and key files, and priority string."
- (let ((proc (open-network-stream name buffer host service)))
- (gnutls-negotiate proc 'gnutls-x509pki)))
+ (gnutls-negotiate (open-network-stream name buffer host service)
+ 'gnutls-x509pki
+ host))
+
+(put 'gnutls-error
+ 'error-conditions
+ '(error gnutls-error))
+(put 'gnutls-error
+ 'error-message "GnuTLS error")
(declare-function gnutls-boot "gnutls.c" (proc type proplist))
+(declare-function gnutls-errorp "gnutls.c" (error))
-(defun gnutls-negotiate (proc type &optional priority-string
- trustfiles keyfiles)
- "Negotiate a SSL/TLS connection.
+(defun gnutls-negotiate (proc type hostname &optional priority-string
+ trustfiles keyfiles verify-flags
+ verify-error verify-hostname-error)
+ "Negotiate a SSL/TLS connection. Returns proc. Signals gnutls-error.
TYPE is `gnutls-x509pki' (default) or `gnutls-anon'. Use nil for the default.
PROC is a process returned by `open-network-stream'.
+HOSTNAME is the remote hostname. It must be a valid string.
PRIORITY-STRING is as per the GnuTLS docs, default is \"NORMAL\".
TRUSTFILES is a list of CA bundles.
-KEYFILES is a list of client keys."
+KEYFILES is a list of client keys.
+
+When VERIFY-HOSTNAME-ERROR is not nil, an error will be raised
+when the hostname does not match the presented certificate's host
+name. The exact verification algorithm is a basic implementation
+of the matching described in RFC2818 (HTTPS), which takes into
+account wildcards, and the DNSName/IPAddress subject alternative
+name PKIX extension. See GnuTLS' gnutls_x509_crt_check_hostname
+for details. When VERIFY-HOSTNAME-ERROR is nil, only a warning
+will be issued.
+
+When VERIFY-ERROR is not nil, an error will be raised when the
+peer certificate verification fails as per GnuTLS'
+gnutls_certificate_verify_peers2. Otherwise, only warnings will
+be shown about the verification failure.
+
+VERIFY-FLAGS is a numeric OR of verification flags only for
+`gnutls-x509pki' connections. See GnuTLS' x509.h for details;
+here's a recent version of the list.
+
+ GNUTLS_VERIFY_DISABLE_CA_SIGN = 1,
+ GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 2,
+ GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 4,
+ GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 8,
+ GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 16,
+ GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
+ GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64,
+ GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
+ GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256
+
+It must be omitted, a number, or nil; if omitted or nil it
+defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
(let* ((type (or type 'gnutls-x509pki))
+ (default-trustfile "/etc/ssl/certs/ca-certificates.crt")
(trustfiles (or trustfiles
- '("/etc/ssl/certs/ca-certificates.crt")))
+ (when (file-exists-p default-trustfile)
+ (list default-trustfile))))
(priority-string (or priority-string
(cond
((eq type 'gnutls-anon)
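Review bot: Both VERIFY-ERROR and VERIFY-HOSTNAME-ERROR default to nil, and by the new docstring a failed peer-certificate verification or a hostname mismatch then only produces a warning while the negotiated connection is still returned; the rewritten `open-gnutls-stream` passes neither flag, so every caller of it gets a TLS stream that an active attacker can terminate with any certificate unless the caller opts in. The same fail-open shape appears in the trustfile default: when `default-trustfile` is absent, `trustfiles` becomes nil and negotiation proceeds with no trust anchors and no error. I would fail closed in the convenience wrapper, e.g. `(gnutls-negotiate (open-network-stream name buffer host service) 'gnutls-x509pki host nil nil nil nil t t)`, or at minimum say in the docstring that the defaults are warn-only and what that means. The docstring also states HOSTNAME "must be a valid string" but nothing checks it before it reaches `gnutls-boot`; `(unless (stringp hostname) (error "HOSTNAME must be a string"))` at the top of the `let*` would fail early and clearly. The `let*` begun here continues past the end of the hunk.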
@@ -86,19 +138,26 @@ KEYFILES is a list of client keys."
((eq type 'gnutls-x509pki)
"NORMAL"))))
(params `(:priority ,priority-string
+ :hostname ,hostname
:loglevel ,gnutls-log-level
:trustfiles ,trustfiles
:keyfiles ,keyfiles
+ :verify-flags ,verify-flags
+ :verify-error ,verify-error
+ :verify-hostname-error ,verify-hostname-error
:callbacks nil))
ret)
(gnutls-message-maybe
(setq ret (gnutls-boot proc type params))
- "boot: %s")
+ "boot: %s" params)
+
+ (when (gnutls-errorp ret)
+ ;; This is a error from the underlying C code.
+ (signal 'gnutls-error (list proc ret)))
proc))
-(declare-function gnutls-errorp "gnutls.c" (error))
(declare-function gnutls-error-string "gnutls.c" (error))
(defun gnutls-message-maybe (doit format &rest params)
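Review bot: When `gnutls-boot` returns an error object the code signals `gnutls-error` but leaves `proc` — the already-connected plaintext socket — alive, and nothing here or in the docstring (in the previous hunk) tells the handler it owns that cleanup. Either close it before signaling, `(delete-process proc)` directly above the `signal`, or document that the process is included in the error data precisely so the handler can close it. Note too that this branch fires only for C-level failures; with `:verify-error` nil a certificate that fails verification is presumably not reported as an error by `gnutls-boot`, so callers cannot distinguish a verified connection from a warned-about one by the return value. `gnutls-message-maybe` begins on the last line of the hunk and its body lies outside it.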
diff --git a/lisp/net/network-stream.el b/lisp/net/network-stream.el
index 67bb7eae68e..09519e14870 100644
--- a/lisp/net/network-stream.el
+++ b/lisp/net/network-stream.el
@@ -46,7 +46,8 @@
(require 'starttls)
(declare-function gnutls-negotiate "gnutls"
- (proc type &optional priority-string trustfiles keyfiles))
+ (proc type host &optional priority-string trustfiles keyfiles
+ verify-flags verify-error verify-hostname-error))
;;;###autoload
(defun open-network-stream (name buffer host service &rest parameters)
@@ -197,7 +198,7 @@ values:
(network-stream-command stream starttls-command eoc))
;; The server said it was OK to begin STARTTLS negotiations.
(if (fboundp 'open-gnutls-stream)
- (gnutls-negotiate stream nil)
+ (gnutls-negotiate stream nil host)
(unless (starttls-negotiate stream)
(delete-process stream)))
(if (memq (process-status stream) '(open run))
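Review bot: With the updated `gnutls-negotiate` a failed TLS upgrade now signals `gnutls-error` rather than returning, so the error propagates out of this function and the `process-status` check on the last line is never reached; unlike the `starttls-negotiate` branch, the stream is not deleted, leaving an open socket that has already been told to begin STARTTLS. Wrap the call so the process is closed on failure: `(condition-case err (gnutls-negotiate stream nil host) (gnutls-error (delete-process stream) (signal (car err) (cdr err))))`. Separately, the call passes no VERIFY-ERROR or VERIFY-HOSTNAME-ERROR, so certificate and hostname failures during the upgrade are warn-only and the stream is handed back as if verified; that is the inherited status quo, but it deserves a comment or an explicit argument. The enclosing function starts outside the hunk.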
diff --git a/lisp/net/tramp-sh.el b/lisp/net/tramp-sh.el
index cb4aca12edb..81e955ebbf8 100644
--- a/lisp/net/tramp-sh.el
+++ b/lisp/net/tramp-sh.el
@@ -2336,7 +2336,8 @@ The method used must be an out-of-band method."
orig-vec 6 "%s"
(mapconcat 'identity (process-command p) " "))
(tramp-compat-set-process-query-on-exit-flag p nil)
- (tramp-process-actions p v tramp-actions-copy-out-of-band)))
+ (tramp-process-actions
+ p v nil tramp-actions-copy-out-of-band)))
;; Reset the transfer process properties.
(tramp-message orig-vec 6 "%s" (buffer-string))
@@ -4212,7 +4213,8 @@ connection if a previous connection has died for some reason."
(catch 'uname-changed
(let ((p (tramp-get-connection-process vec))
(process-name (tramp-get-connection-property vec "process-name" nil))
- (process-environment (copy-sequence process-environment)))
+ (process-environment (copy-sequence process-environment))
+ (pos (with-current-buffer (tramp-get-connection-buffer vec) (point))))
;; If too much time has passed since last command was sent, look
;; whether process is still alive. If it isn't, kill it. When
@@ -4366,7 +4368,7 @@ connection if a previous connection has died for some reason."
;; Send the command.
(tramp-message vec 3 "Sending command `%s'" command)
(tramp-send-command vec command t t)
- (tramp-process-actions p vec tramp-actions-before-shell 60)
+ (tramp-process-actions p vec pos tramp-actions-before-shell 60)
(tramp-message
vec 3 "Found remote shell prompt on `%s'" l-host))
;; Next hop.
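Review bot: The `pos` passed to `tramp-process-actions` here was captured in the enclosing `let` (previous hunk) before the liveness check that, per the comment there, may kill the process; if the connection buffer is erased or recreated between capture and use, `pos` can exceed `point-max` and the `delete-region` inside `tramp-process-actions` will signal `args-out-of-range` instead of scrubbing the login transcript. Capturing the position immediately before the command is sent — `(setq pos (with-current-buffer (tramp-get-connection-buffer vec) (point)))` right above `tramp-send-command` — or clamping at the deletion site avoids that. The `let` enclosing this call starts and ends outside the hunk.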
diff --git a/lisp/net/tramp-smb.el b/lisp/net/tramp-smb.el
index 36477f7b439..5a62b71bda1 100644
--- a/lisp/net/tramp-smb.el
+++ b/lisp/net/tramp-smb.el
@@ -1314,7 +1314,7 @@ connection if a previous connection has died for some reason."
;; Play login scenario.
(tramp-process-actions
- p vec
+ p vec nil
(if share
tramp-smb-actions-with-share
tramp-smb-actions-without-share))
diff --git a/lisp/net/tramp.el b/lisp/net/tramp.el
index fc167d6e62e..693e082ecc8 100644
--- a/lisp/net/tramp.el
+++ b/lisp/net/tramp.el
@@ -3098,8 +3098,11 @@ The terminal type can be configured with `tramp-terminal-type'."
(setq found (funcall action proc vec)))))
found))
-(defun tramp-process-actions (proc vec actions &optional timeout)
- "Perform actions until success or TIMEOUT."
+(defun tramp-process-actions (proc vec pos actions &optional timeout)
+ "Perform ACTIONS until success or TIMEOUT.
+PROC and VEC indicate the remote connection to be used. POS, if
+set, is the starting point of the region to be deleted in the
+connection buffer."
;; Preserve message for `progress-reporter'.
(tramp-compat-with-temp-message ""
;; Enable auth-source and password-cache.
@@ -3124,7 +3127,10 @@ The terminal type can be configured with `tramp-terminal-type'."
(cond
((eq exit 'permission-denied) "Permission denied")
((eq exit 'process-died) "Process died")
- (t "Login failed"))))))))
+ (t "Login failed"))))
+ (when (numberp pos)
+ (with-current-buffer (tramp-get-connection-buffer vec)
+ (let (buffer-read-only) (delete-region pos (point)))))))))
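Review bot: The new `delete-region` runs only after the preceding form completes, and that form appears to raise a `tramp-error` with "Permission denied"/"Login failed" when the actions do not succeed; if it signals, the region from POS — the interactive login transcript, including prompts and whatever the remote echoed — is left in the connection buffer, which is exactly the failed-login case where it is most sensitive. Move the deletion into the cleanup form of an `unwind-protect` around the action loop so it runs on both paths. `(delete-region pos (point))` also assumes POS is still inside the buffer; `(delete-region (min pos (point-max)) (point))` is the safer form. The function is defined in the previous hunk and its middle is cut out between the two hunk headers.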
:;; Utility functions:
diff --git a/lisp/net/trampver.el b/lisp/net/trampver.el
index 462b8f11397..7b4c6fd75b1 100644
--- a/lisp/net/trampver.el
+++ b/lisp/net/trampver.el
@@ -31,7 +31,7 @@
;; should be changed only there.
;;;###tramp-autoload
-(defconst tramp-version "2.2.1"
+(defconst tramp-version "2.2.2-pre"
"This version of Tramp.")
;;;###tramp-autoload
@@ -44,7 +44,7 @@
(= emacs-major-version 21)
(>= emacs-minor-version 4)))
"ok"
- (format "Tramp 2.2.1 is not fit for %s"
+ (format "Tramp 2.2.2-pre is not fit for %s"
(when (string-match "^.*$" (emacs-version))
(match-string 0 (emacs-version)))))))
(unless (string-match "\\`ok\\'" x) (error "%s" x)))