From 91c732f687a61ba130acf38d5142bec6369ebd68 Mon Sep 17 00:00:00 2001
From: Robert Pluim
Date: Thu, 24 Jan 2019 14:35:30 +0100
Subject: [PATCH] Always check for client-certificates

* lisp/net/network-stream.el (network-stream-use-client-certificates): New user option.
(open-network-stream): If 'network-stream-use-client-certificates' is t, and the user hasn't specified :client-certificate, do certificate lookups via 'auth-source'.
(network-stream-certificate): Only return key and certificate files that exist.
* doc/lispref/processes.texi (Network): Document new client-certificate behavior.
* etc/NEWS: Document 'network-stream-use-client-certificates'.
---
 doc/lispref/processes.texi | 8 ++++++--
 etc/NEWS | 6 ++++++
 lisp/net/network-stream.el | 26 ++++++++++++++++++++++++--
 3 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/doc/lispref/processes.texi b/doc/lispref/processes.texi
index 287221a184d..5caf0a24265 100644
--- a/doc/lispref/processes.texi
+++ b/doc/lispref/processes.texi
@@ -2516,12 +2516,16 @@ Emacs will warn if the connection isn't encrypted. This is useful for
 protocols like @acronym{IMAP} and the like, where most users would
 expect the network traffic to be encrypted.
 
+@vindex network-stream-use-client-certificates
 @item :client-certificate @var{list-or-t}
 Either a list of the form @code{(@var{key-file} @var{cert-file})},
 naming the certificate key file and certificate file itself, or
 @code{t}, meaning to query @code{auth-source} for this information
-(@pxref{Top,,Overview, auth, The Auth-Source Manual}).
-Only used for @acronym{TLS} or @acronym{STARTTLS}.
+(@pxref{Help for users,,auth-source, auth, Emacs auth-source Library}).
+Only used for @acronym{TLS} or @acronym{STARTTLS}. If
+@code{:client-certificate} is not specified, behave as if it were t,
+customize @code{network-stream-use-client-certificates} to change
+this.
 
 @item :return-list @var{cons-or-nil}
 The return value of this function. If omitted or @code{nil}, return a
diff --git a/etc/NEWS b/etc/NEWS
index 7ff9df6e0fa..b6e61c76e2f 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -321,6 +321,12 @@ Previously, this support was only available when using the external
 ':client-certificate t' to trigger looking up of per-server certificates via 'auth-source'.
 
++++
+** New user option 'network-stream-use-client-certificates'.
+When non-nil, 'open-network-stream' performs lookups of client
+certificates using 'auth-source' as if ':client-certificate t' were
+specified. Defaults to t.
+
 +++
 ** New function 'fill-polish-nobreak-p', to be used in 'fill-nobreak-predicate'.
 It blocks line breaking after a one-letter word, also in the case when
diff --git a/lisp/net/network-stream.el b/lisp/net/network-stream.el
index 2b3292b71ba..4050c83eb0c 100644
--- a/lisp/net/network-stream.el
+++ b/lisp/net/network-stream.el
@@ -58,6 +58,21 @@
 (defvar starttls-gnutls-program)
 (defvar starttls-program)
 
+(defcustom network-stream-use-client-certificates t
+ "Whether to use client certificates for network connections.
+
+When non-nil, `open-network-stream' will automatically look for
+matching client certificates (via 'auth-source') for a
+destination server, if it is called without a :client-certificate
+keyword.
+
+Set to nil to disable this lookup globally. To disable on a
+per-connection basis, specify ':client-certificate nil' when
+calling `open-network-stream'."
+ :group 'network
+ :type 'boolean
+ :version "27.1")
+
 ;;;###autoload
 (defun open-network-stream (name buffer host service &rest parameters)
 "Open a TCP connection to HOST, optionally with encryption.
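Review bot: Defaulting the option to t in the new `(defcustom network-stream-use-client-certificates t` makes every existing `open-network-stream` caller present a client certificate whenever auth-source holds :key/:cert for the destination host and port, even though no caller asked for client authentication; a client certificate identifies the user to the peer, so this is a behaviour change users may not expect from a library default. A nil default keeps the old behaviour until a user opts in, and the docstring should in any case say what is disclosed, e.g. add `Any certificate found this way is sent to the server, so it identifies you to that server.` The docstring also quotes 'auth-source' and ':client-certificate nil' with straight quotes where `open-network-stream' uses the Lisp `symbol' style; `auth-source' should be quoted the same way.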
@@ -132,7 +147,9 @@ values:
 element is the certificate file name itself, or t, which means that `auth-source' will be queried for the key and the certificate. This parameter will only be used when doing TLS
- or STARTTLS connections.
+ or STARTTLS connections. If :client-certificate is not
+ specified, behave as if it were t, customize
+ `network-stream-use-client-certificates' to change this.
 
 :use-starttls-if-possible is a boolean that says to do opportunistic
 STARTTLS upgrades even if Emacs doesn't have built-in TLS functionality.
@@ -181,6 +198,11 @@ gnutls-boot (as returned by `gnutls-boot-parameters')."
 ((memq type '(tls ssl)) 'network-stream-open-tls)
 ((eq type 'shell) 'network-stream-open-shell)
 (t (error "Invalid connection type %s" type))))
+ (parameters
+ (if (and network-stream-use-client-certificates
+ (not (plist-member parameters :client-certificate)))
+ (plist-put parameters :client-certificate t)
+ parameters))
 result)
 (unwind-protect
 (setq result (funcall fun name work-buffer host service parameters))
@@ -209,7 +231,7 @@ gnutls-boot (as returned by `gnutls-boot-parameters')."
 :port service)))
 (key (plist-get auth-info :key))
 (cert (plist-get auth-info :cert)))
- (and key cert
+ (and key cert (file-readable-p key) (file-readable-p cert)
 (list key cert)))))))
 
 ;;;###autoload
-- 
2.39.5
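Review bot: The added docstring text `or STARTTLS connections. If :client-certificate is not` / `specified, behave as if it were t` states the fallback as unconditional, but the code added later in this commit only applies it when `network-stream-use-client-certificates' is non-nil. Suggest `If :client-certificate is not specified and `network-stream-use-client-certificates' is non-nil, behave as if it were t.`; the same unconditional phrasing appears in the processes.texi hunk. The docstring of open-network-stream continues on both sides of this hunk.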
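Review bot: The `plist-member` test in the added `(parameters (if (and network-stream-use-client-certificates (not (plist-member parameters :client-certificate)))` binding is the only thing that lets a caller opt out with an explicit `:client-certificate nil`, since `plist-get` would not distinguish absent from nil; that intent deserves a comment, e.g. `;; Use plist-member, not plist-get: an explicit :client-certificate nil must still opt out of the auth-source lookup.` Rebinding `parameters` to the return value of `plist-put` is correct, because plist-put modifies a non-empty list by side effect and returns it but must return a fresh list when PARAMETERS is nil; the comment could say so, as a reader may otherwise wonder why the rebinding is needed. The enclosing let form begins outside the hunk.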
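Review bot: With the new `(and key cert (file-readable-p key) (file-readable-p cert)` guard, a configured key or certificate that is not readable makes `network-stream-certificate` return nil, so the connection is set up without any client certificate and without any diagnostic; the user never learns that their identity was not presented, and the authentication failure the server likely answers with will look unrelated. Emit a `message` or `warn` in that case before returning nil, naming at least the port (`service` is in scope in the context lines; `host` presumably is too, from the :host argument above the hunk). The commit message says the files must "exist", but `file-readable-p` is what is tested, so the ChangeLog entry should say "readable". The defun of network-stream-certificate starts outside the hunk.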