
master 91c732f: Always check for client-certificates

From: Robert Pluim
Subject: master 91c732f: Always check for client-certificates
Date: Tue, 5 Nov 2019 03:43:40 -0500 (EST)

branch: master
commit 91c732f687a61ba130acf38d5142bec6369ebd68
Author: Robert Pluim <address@hidden>
Commit: Robert Pluim <address@hidden>

    Always check for client-certificates
    * lisp/net/network-stream.el
    (network-stream-use-client-certificates): New user option.
    (open-network-stream): If 'network-stream-use-client-certificates'
    is t, and the user hasn't specified :client-certificate, do
    certificate lookups via 'auth-source'.
    (network-stream-certificate): Only return key and certificate
    files that exist.
    * doc/lispref/processes.texi (Network): Document new
    client-certificate behavior.
    * etc/NEWS: Document 'network-stream-use-client-certificates'.
 doc/lispref/processes.texi |  8 ++++++--
 etc/NEWS                   |  6 ++++++
 lisp/net/network-stream.el | 26 ++++++++++++++++++++++++--
 3 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/doc/lispref/processes.texi b/doc/lispref/processes.texi
index 287221a..5caf0a2 100644
--- a/doc/lispref/processes.texi
+++ b/doc/lispref/processes.texi
@@ -2516,12 +2516,16 @@ Emacs will warn if the connection isn't encrypted.  
This is useful for
 protocols like @acronym{IMAP} and the like, where most users would
 expect the network traffic to be encrypted.
+@vindex network-stream-use-client-certificates
 @item :client-certificate @var{list-or-t}
 Either a list of the form @code{(@var{key-file} @var{cert-file})},
 naming the certificate key file and certificate file itself, or
 @code{t}, meaning to query @code{auth-source} for this information
-(@pxref{Top,,Overview, auth, The Auth-Source Manual}).
-Only used for @acronym{TLS} or @acronym{STARTTLS}.
+(@pxref{Help for users,,auth-source, auth, Emacs auth-source Library}).
+Only used for @acronym{TLS} or @acronym{STARTTLS}.  If
+@code{:client-certificate} is not specified, behave as if it were t,
+customize @code{network-stream-use-client-certificates} to change
 @item :return-list @var{cons-or-nil}
 The return value of this function.  If omitted or @code{nil}, return a
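Review bot: the new sentence closing the @code{:client-certificate} entry is unfinished: "customize @code{network-stream-use-client-certificates} to change" has no object and no terminating period before the following @item, and the clause before it is a comma splice. Suggest "If @code{:client-certificate} is not specified, it behaves as if it were @code{t}; customize @code{network-stream-use-client-certificates} to change this." (with @code{t} marked up as it is elsewhere in this node).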
diff --git a/etc/NEWS b/etc/NEWS
index 7ff9df6..b6e61c7 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -322,6 +322,12 @@ Previously, this support was only available when using the 
 certificates via 'auth-source'.
+** New user option 'network-stream-use-client-certificates'.
+When non-nil, 'open-network-stream' performs lookups of client
+certificates using 'auth-source' as if ':client-certificate t' were
+specified.  Defaults to t.
 ** New function 'fill-polish-nobreak-p', to be used in 
 It blocks line breaking after a one-letter word, also in the case when
 this word is preceded by a non-space, but non-alphanumeric character.
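Review bot: the NEWS entry states the new default but not how to opt out, and since it changes behavior for every existing 'open-network-stream' caller, users will look here first. Add that setting the option to nil disables the lookup globally and that passing ':client-certificate nil' disables it per connection, as the defcustom docstring in network-stream.el already says, so the two descriptions match.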
diff --git a/lisp/net/network-stream.el b/lisp/net/network-stream.el
index 2b3292b..4050c83 100644
--- a/lisp/net/network-stream.el
+++ b/lisp/net/network-stream.el
@@ -58,6 +58,21 @@
 (defvar starttls-gnutls-program)
 (defvar starttls-program)
+(defcustom network-stream-use-client-certificates t
+  "Whether to use client certificates for network connections.
+When non-nil, `open-network-stream' will automatically look for
+matching client certificates (via 'auth-source') for a
+destination server, if it is called without a :client-certificate
+Set to nil to disable this lookup globally.  To disable on a
+per-connection basis, specify ':client-certificate nil' when
+calling `open-network-stream'."
+  :group 'network
+  :type 'boolean
+  :version "27.1")
 (defun open-network-stream (name buffer host service &rest parameters)
   "Open a TCP connection to HOST, optionally with encryption.
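Review bot: the docstring sentence ending "if it is called without a :client-certificate" is cut off, with no object and no period before "Set to nil"; suggest "... without a :client-certificate parameter." Quoting is also inconsistent: `open-network-stream' uses the `...' convention while 'auth-source' uses straight quotes, so the latter will not be turned into a help link in *Help*; write `auth-source'.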
@@ -132,7 +147,9 @@ values:
   element is the certificate file name itself, or t, which
   means that `auth-source' will be queried for the key and the
   certificate.  This parameter will only be used when doing TLS
-  or STARTTLS connections.
+  or STARTTLS connections.  If :client-certificate is not
+  specified, behave as if it were t, customize
+  `network-stream-use-client-certificates' to change this.
 :use-starttls-if-possible is a boolean that says to do opportunistic
 STARTTLS upgrades even if Emacs doesn't have built-in TLS functionality.
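Review bot: "behave as if it were t, customize `network-stream-use-client-certificates' to change this" is a comma splice joining two independent instructions; suggest "If :client-certificate is not specified, it behaves as if it were t.  Customize `network-stream-use-client-certificates' to change this."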
@@ -181,6 +198,11 @@ gnutls-boot (as returned by `gnutls-boot-parameters')."
                       ((memq type '(tls ssl)) 'network-stream-open-tls)
                       ((eq type 'shell) 'network-stream-open-shell)
                       (t (error "Invalid connection type %s" type))))
+            (parameters
+               (if (and network-stream-use-client-certificates
+                        (not (plist-member parameters :client-certificate)))
+                   (plist-put parameters :client-certificate t)
+                 parameters))
            (setq result (funcall fun name work-buffer host service parameters))
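Review bot: the default is injected into PARAMETERS before `funcall fun` for every connection type, including 'shell and the non-TLS types, even though the docstring says a client certificate is only used for TLS or STARTTLS. If any of those opener functions reaches `network-stream-certificate', the change triggers an auth-source search (and whatever prompt backs it) for a connection that cannot use the result. Consider guarding the `plist-put' with the TLS/STARTTLS types, or note in the commit that only the TLS openers consult :client-certificate. The `plist-member' check itself is right: it keeps an explicit ':client-certificate nil' distinct from an omitted one, which the docstring relies on.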
@@ -209,7 +231,7 @@ gnutls-boot (as returned by `gnutls-boot-parameters')."
                                       :port service)))
             (key (plist-get auth-info :key))
             (cert (plist-get auth-info :cert)))
-       (and key cert
+       (and key cert (file-readable-p key) (file-readable-p cert)
             (list key cert)))))))
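Review bot: a key or certificate that auth-source names but `file-readable-p' rejects is now silently dropped and the connection proceeds without a client certificate, which hides a wrong path or a permissions mistake from the user who configured it. Suggest a `message' or `display-warning' naming the unreadable file when exactly one of the two checks fails. Also, `file-readable-p' is stricter than the "files that exist" wording in the commit message and the function's purpose; either say "readable" there or use `file-exists-p' if existence is what was meant.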
