From: Simon Josefsson
Newsgroups: gmane.comp.encryption.gpg.gnutls.devel, gmane.emacs.devel
Subject: Re: Emacs core TLS support
Date: Tue, 21 Sep 2010 13:37:42 +0200
Message-ID: <87eicn2upl.fsf@mocca.josefsson.org>
To: Ted Zlatanov
Cc: gnutls-devel@gnu.org, emacs-devel@gnu.org
In-Reply-To: <87d3sf9soo.fsf@lifelogs.com> (Ted Zlatanov's message of "Wed, 15 Sep 2010 06:01:27 -0500")

Ted Zlatanov writes:

> +(defconst gnutls-version "0.3.1")

This should be removed. If the GnuTLS version is at all interesting for elisp callers, there could be an elisp function gnutls-check-version that in C calls gnutls_check_version.

> +(defun open-ssl-stream (name buffer host service)
> +  "Open a SSL connection for a service to a host.

I suggest using 'TLS' or possibly 'SSL/TLS' consistently in documentation.

Is 'open-ssl-stream' for backwards compatibility? Otherwise I suggest 'open-tls-stream'.

> +
> +;; (open-ssl-stream "tls" "tls-buffer" "yourserver.com" "https")

Looks like debug code that should be removed?

> +(defun starttls-negotiate (proc &optional priority-string
> +                                credentials credentials-file)
> +  "Negotiate a SSL or TLS connection.

Here I suggest 'TLS' or 'SSL/TLS' instead.

> +PRIORITY-STRING is as per the GnuTLS docs.

Maybe there could be an info hyperlink here?

> +              "/tmp/ca.pem"

This should be fixed, naturally.

> +
> +         (priority-string (or priority-string
> +                              (cond
> +                               ((eq credentials 'gnutls-anon)
> +                                "PERFORMANCE:+ANON-DH:!ARCFOUR-128")
> +                               ((eq credentials 'gnutls-x509pki)
> +                                "PERFORMANCE"))))

I think NORMAL should be used instead of PERFORMANCE here.

> +      (gnutls-message-maybe
> +       (setq ret (gnutls-boot proc priority-string credentials credentials-file))
> +       "boot: %s")

How much debug code do we want to retain? I'm not sure.

> +(defun starttls-open-stream (name buffer host service)
> +  "Open a TLS connection for a service to a host.

'TLS' or 'SSL/TLS' again.

> +DEFUN ("gnutls-global-init", Fgnutls_global_init,
> +       Sgnutls_global_init, 0, 0, 0,
> +       doc: /* Initializes global GNU TLS state to defaults.
> +Call `gnutls-global-deinit' when GNU TLS usage is no longer needed.
> +Returns zero on success. */)
...
> +DEFUN ("gnutls-global-deinit", Fgnutls_global_deinit,
> +       Sgnutls_global_deinit, 0, 0, 0,
> +       doc: /* Deinitializes global GNU TLS state.
> +See also `gnutls-global-init'. */)

I think this shouldn't be exposed to Elisp; Emacs startup code could initialize GnuTLS directly.

> +DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 6, 0,
> +       doc: /* Initializes client-mode GnuTLS for process PROC.
> +Currently only client mode is supported. Returns a success/failure
> +value you can check with `gnutls-errorp'.
> +
> +PRIORITY_STRING is a string describing the priority.
> +TYPE is either `gnutls-anon' or `gnutls-x509pki'.
> +TRUSTFILE is a PEM encoded trust file for `gnutls-x509pki'.
> +KEYFILE is ... for `gnutls-x509pki' (TODO).
> +CALLBACK is ... for `gnutls-x509pki' (TODO).

Two comments here:

1) The name is a bit generic..?

2) The design makes it a bit difficult to support multiple credentials. The GnuTLS API allows clients to have several credentials (X.509, OpenPGP, etc). Perhaps copying the GnuTLS API further is more flexible.

Good work. I think you are getting there!

/Simon
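Review bot: the `cond` that supplies the default PRIORITY-STRING in `starttls-negotiate` has no fallthrough clause, so any CREDENTIALS value other than `gnutls-anon` or `gnutls-x509pki` leaves PRIORITY-STRING nil and that nil is passed straight into `gnutls-boot`. Add a final `(t (error "Unknown credentials type: %s" credentials))` clause so a mistyped symbol fails before the handshake starts rather than with whatever the C side makes of a nil priority. The `gnutls-anon` branch also deserves a comment next to `"PERFORMANCE:+ANON-DH:!ARCFOUR-128"` saying that anonymous DH means the peer is not authenticated at all, since nothing else in the function tells a caller that.

Review bot: the hard-coded `"/tmp/ca.pem"` in `starttls-negotiate` is a trust problem and not just a leftover path: /tmp is writable by every local user, so whoever drops a file at that name decides which CAs every `gnutls-x509pki` connection trusts. Remove the default and require CREDENTIALS-FILE when CREDENTIALS is `gnutls-x509pki`, or take the path from a defcustom that points at a root-owned location.

Review bot: the `gnutls-boot` docstring leaves the verification semantics of `gnutls-x509pki` undocumented: it says TRUSTFILE is a PEM trust file but not whether the peer certificate is actually verified against it, whether the certificate's name is compared with the host PROC is connected to, or whether a verification failure shows up in the value checked with `gnutls-errorp` or is ignored. State all three explicitly, and add one sentence that `gnutls-anon` provides encryption without any peer authentication, because callers will choose between the two TYPE values from this docstring alone.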