]> code.delx.au - gnu-emacs/blob - src/gnutls.c
delx.au / code / gnu-emacs / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Minor cleanups for async DNS etc.
[gnu-emacs] / src / gnutls.c
1 /* GnuTLS glue for GNU Emacs.
2 Copyright (C) 2010-2016 Free Software Foundation, Inc.
3
4 This file is part of GNU Emacs.
5
6 GNU Emacs is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, either version 3 of the License, or
9 (at your option) any later version.
10
11 GNU Emacs is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>. */
18
19 #include <config.h>
20 #include <errno.h>
21 #include <stdio.h>
22
23 #include "lisp.h"
24 #include "process.h"
25 #include "gnutls.h"
26 #include "coding.h"
27
28 #ifdef HAVE_GNUTLS
29 #include <gnutls/gnutls.h>
30
31 #ifdef WINDOWSNT
32 #include <windows.h>
33 #include "w32.h"
34 #endif
35
36 static bool emacs_gnutls_handle_error (gnutls_session_t, int);
37
38 static bool gnutls_global_initialized;
39
40 static void gnutls_log_function (int, const char *);
41 static void gnutls_log_function2 (int, const char *, const char *);
42 #ifdef HAVE_GNUTLS3
43 static void gnutls_audit_log_function (gnutls_session_t, const char *);
44 #endif
45
46 enum extra_peer_verification
47 {
48 CERTIFICATE_NOT_MATCHING = 2
49 };
50
51 \f
52 #ifdef WINDOWSNT
53
54 DEF_DLL_FN (gnutls_alert_description_t, gnutls_alert_get,
55 (gnutls_session_t));
56 DEF_DLL_FN (const char *, gnutls_alert_get_name,
57 (gnutls_alert_description_t));
58 DEF_DLL_FN (int, gnutls_alert_send_appropriate, (gnutls_session_t, int));
59 DEF_DLL_FN (int, gnutls_anon_allocate_client_credentials,
60 (gnutls_anon_client_credentials_t *));
61 DEF_DLL_FN (void, gnutls_anon_free_client_credentials,
62 (gnutls_anon_client_credentials_t));
63 DEF_DLL_FN (int, gnutls_bye, (gnutls_session_t, gnutls_close_request_t));
64 DEF_DLL_FN (int, gnutls_certificate_allocate_credentials,
65 (gnutls_certificate_credentials_t *));
66 DEF_DLL_FN (void, gnutls_certificate_free_credentials,
67 (gnutls_certificate_credentials_t));
68 DEF_DLL_FN (const gnutls_datum_t *, gnutls_certificate_get_peers,
69 (gnutls_session_t, unsigned int *));
70 DEF_DLL_FN (void, gnutls_certificate_set_verify_flags,
71 (gnutls_certificate_credentials_t, unsigned int));
72 DEF_DLL_FN (int, gnutls_certificate_set_x509_crl_file,
73 (gnutls_certificate_credentials_t, const char *,
74 gnutls_x509_crt_fmt_t));
75 DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file,
76 (gnutls_certificate_credentials_t, const char *, const char *,
77 gnutls_x509_crt_fmt_t));
78 # if ((GNUTLS_VERSION_MAJOR \
79 + (GNUTLS_VERSION_MINOR > 0 || GNUTLS_VERSION_PATCH >= 20)) \
80 > 3)
81 DEF_DLL_FN (int, gnutls_certificate_set_x509_system_trust,
82 (gnutls_certificate_credentials_t));
83 # endif
84 DEF_DLL_FN (int, gnutls_certificate_set_x509_trust_file,
85 (gnutls_certificate_credentials_t, const char *,
86 gnutls_x509_crt_fmt_t));
87 DEF_DLL_FN (gnutls_certificate_type_t, gnutls_certificate_type_get,
88 (gnutls_session_t));
89 DEF_DLL_FN (int, gnutls_certificate_verify_peers2,
90 (gnutls_session_t, unsigned int *));
91 DEF_DLL_FN (int, gnutls_credentials_set,
92 (gnutls_session_t, gnutls_credentials_type_t, void *));
93 DEF_DLL_FN (void, gnutls_deinit, (gnutls_session_t));
94 DEF_DLL_FN (void, gnutls_dh_set_prime_bits,
95 (gnutls_session_t, unsigned int));
96 DEF_DLL_FN (int, gnutls_dh_get_prime_bits, (gnutls_session_t));
97 DEF_DLL_FN (int, gnutls_error_is_fatal, (int));
98 DEF_DLL_FN (int, gnutls_global_init, (void));
99 DEF_DLL_FN (void, gnutls_global_set_log_function, (gnutls_log_func));
100 # ifdef HAVE_GNUTLS3
101 DEF_DLL_FN (void, gnutls_global_set_audit_log_function, (gnutls_audit_log_func));
102 # endif
103 DEF_DLL_FN (void, gnutls_global_set_log_level, (int));
104 DEF_DLL_FN (int, gnutls_handshake, (gnutls_session_t));
105 DEF_DLL_FN (int, gnutls_init, (gnutls_session_t *, unsigned int));
106 DEF_DLL_FN (int, gnutls_priority_set_direct,
107 (gnutls_session_t, const char *, const char **));
108 DEF_DLL_FN (size_t, gnutls_record_check_pending, (gnutls_session_t));
109 DEF_DLL_FN (ssize_t, gnutls_record_recv, (gnutls_session_t, void *, size_t));
110 DEF_DLL_FN (ssize_t, gnutls_record_send,
111 (gnutls_session_t, const void *, size_t));
112 DEF_DLL_FN (const char *, gnutls_strerror, (int));
113 DEF_DLL_FN (void, gnutls_transport_set_errno, (gnutls_session_t, int));
114 DEF_DLL_FN (const char *, gnutls_check_version, (const char *));
115 DEF_DLL_FN (void, gnutls_transport_set_lowat, (gnutls_session_t, int));
116 DEF_DLL_FN (void, gnutls_transport_set_ptr2,
117 (gnutls_session_t, gnutls_transport_ptr_t,
118 gnutls_transport_ptr_t));
119 DEF_DLL_FN (void, gnutls_transport_set_pull_function,
120 (gnutls_session_t, gnutls_pull_func));
121 DEF_DLL_FN (void, gnutls_transport_set_push_function,
122 (gnutls_session_t, gnutls_push_func));
123 DEF_DLL_FN (int, gnutls_x509_crt_check_hostname,
124 (gnutls_x509_crt_t, const char *));
125 DEF_DLL_FN (int, gnutls_x509_crt_check_issuer,
126 (gnutls_x509_crt_t, gnutls_x509_crt_t));
127 DEF_DLL_FN (void, gnutls_x509_crt_deinit, (gnutls_x509_crt_t));
128 DEF_DLL_FN (int, gnutls_x509_crt_import,
129 (gnutls_x509_crt_t, const gnutls_datum_t *,
130 gnutls_x509_crt_fmt_t));
131 DEF_DLL_FN (int, gnutls_x509_crt_init, (gnutls_x509_crt_t *));
132 DEF_DLL_FN (int, gnutls_x509_crt_get_fingerprint,
133 (gnutls_x509_crt_t,
134 gnutls_digest_algorithm_t, void *, size_t *));
135 DEF_DLL_FN (int, gnutls_x509_crt_get_version,
136 (gnutls_x509_crt_t));
137 DEF_DLL_FN (int, gnutls_x509_crt_get_serial,
138 (gnutls_x509_crt_t, void *, size_t *));
139 DEF_DLL_FN (int, gnutls_x509_crt_get_issuer_dn,
140 (gnutls_x509_crt_t, char *, size_t *));
141 DEF_DLL_FN (time_t, gnutls_x509_crt_get_activation_time,
142 (gnutls_x509_crt_t));
143 DEF_DLL_FN (time_t, gnutls_x509_crt_get_expiration_time,
144 (gnutls_x509_crt_t));
145 DEF_DLL_FN (int, gnutls_x509_crt_get_dn,
146 (gnutls_x509_crt_t, char *, size_t *));
147 DEF_DLL_FN (int, gnutls_x509_crt_get_pk_algorithm,
148 (gnutls_x509_crt_t, unsigned int *));
149 DEF_DLL_FN (const char*, gnutls_pk_algorithm_get_name,
150 (gnutls_pk_algorithm_t));
151 DEF_DLL_FN (int, gnutls_pk_bits_to_sec_param,
152 (gnutls_pk_algorithm_t, unsigned int));
153 DEF_DLL_FN (int, gnutls_x509_crt_get_issuer_unique_id,
154 (gnutls_x509_crt_t, char *, size_t *));
155 DEF_DLL_FN (int, gnutls_x509_crt_get_subject_unique_id,
156 (gnutls_x509_crt_t, char *, size_t *));
157 DEF_DLL_FN (int, gnutls_x509_crt_get_signature_algorithm,
158 (gnutls_x509_crt_t));
159 DEF_DLL_FN (int, gnutls_x509_crt_get_signature,
160 (gnutls_x509_crt_t, char *, size_t *));
161 DEF_DLL_FN (int, gnutls_x509_crt_get_key_id,
162 (gnutls_x509_crt_t, unsigned int, unsigned char *, size_t *_size));
163 DEF_DLL_FN (const char*, gnutls_sec_param_get_name, (gnutls_sec_param_t));
164 DEF_DLL_FN (const char*, gnutls_sign_get_name, (gnutls_sign_algorithm_t));
165 DEF_DLL_FN (int, gnutls_server_name_set,
166 (gnutls_session_t, gnutls_server_name_type_t,
167 const void *, size_t));
168 DEF_DLL_FN (gnutls_kx_algorithm_t, gnutls_kx_get, (gnutls_session_t));
169 DEF_DLL_FN (const char*, gnutls_kx_get_name, (gnutls_kx_algorithm_t));
170 DEF_DLL_FN (gnutls_protocol_t, gnutls_protocol_get_version,
171 (gnutls_session_t));
172 DEF_DLL_FN (const char*, gnutls_protocol_get_name, (gnutls_protocol_t));
173 DEF_DLL_FN (gnutls_cipher_algorithm_t, gnutls_cipher_get,
174 (gnutls_session_t));
175 DEF_DLL_FN (const char*, gnutls_cipher_get_name,
176 (gnutls_cipher_algorithm_t));
177 DEF_DLL_FN (gnutls_mac_algorithm_t, gnutls_mac_get, (gnutls_session_t));
178 DEF_DLL_FN (const char*, gnutls_mac_get_name, (gnutls_mac_algorithm_t));
179
180
181 static bool
182 init_gnutls_functions (void)
183 {
184 HMODULE library;
185 int max_log_level = 1;
186
187 if (!(library = w32_delayed_load (Qgnutls_dll)))
188 {
189 GNUTLS_LOG (1, max_log_level, "GnuTLS library not found");
190 return 0;
191 }
192
193 LOAD_DLL_FN (library, gnutls_alert_get);
194 LOAD_DLL_FN (library, gnutls_alert_get_name);
195 LOAD_DLL_FN (library, gnutls_alert_send_appropriate);
196 LOAD_DLL_FN (library, gnutls_anon_allocate_client_credentials);
197 LOAD_DLL_FN (library, gnutls_anon_free_client_credentials);
198 LOAD_DLL_FN (library, gnutls_bye);
199 LOAD_DLL_FN (library, gnutls_certificate_allocate_credentials);
200 LOAD_DLL_FN (library, gnutls_certificate_free_credentials);
201 LOAD_DLL_FN (library, gnutls_certificate_get_peers);
202 LOAD_DLL_FN (library, gnutls_certificate_set_verify_flags);
203 LOAD_DLL_FN (library, gnutls_certificate_set_x509_crl_file);
204 LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file);
205 # if ((GNUTLS_VERSION_MAJOR \
206 + (GNUTLS_VERSION_MINOR > 0 || GNUTLS_VERSION_PATCH >= 20)) \
207 > 3)
208 LOAD_DLL_FN (library, gnutls_certificate_set_x509_system_trust);
209 # endif
210 LOAD_DLL_FN (library, gnutls_certificate_set_x509_trust_file);
211 LOAD_DLL_FN (library, gnutls_certificate_type_get);
212 LOAD_DLL_FN (library, gnutls_certificate_verify_peers2);
213 LOAD_DLL_FN (library, gnutls_credentials_set);
214 LOAD_DLL_FN (library, gnutls_deinit);
215 LOAD_DLL_FN (library, gnutls_dh_set_prime_bits);
216 LOAD_DLL_FN (library, gnutls_dh_get_prime_bits);
217 LOAD_DLL_FN (library, gnutls_error_is_fatal);
218 LOAD_DLL_FN (library, gnutls_global_init);
219 LOAD_DLL_FN (library, gnutls_global_set_log_function);
220 # ifdef HAVE_GNUTLS3
221 LOAD_DLL_FN (library, gnutls_global_set_audit_log_function);
222 # endif
223 LOAD_DLL_FN (library, gnutls_global_set_log_level);
224 LOAD_DLL_FN (library, gnutls_handshake);
225 LOAD_DLL_FN (library, gnutls_init);
226 LOAD_DLL_FN (library, gnutls_priority_set_direct);
227 LOAD_DLL_FN (library, gnutls_record_check_pending);
228 LOAD_DLL_FN (library, gnutls_record_recv);
229 LOAD_DLL_FN (library, gnutls_record_send);
230 LOAD_DLL_FN (library, gnutls_strerror);
231 LOAD_DLL_FN (library, gnutls_transport_set_errno);
232 LOAD_DLL_FN (library, gnutls_check_version);
233 /* We don't need to call gnutls_transport_set_lowat in GnuTLS 2.11.1
234 and later, and the function was removed entirely in 3.0.0. */
235 if (!fn_gnutls_check_version ("2.11.1"))
236 LOAD_DLL_FN (library, gnutls_transport_set_lowat);
237 LOAD_DLL_FN (library, gnutls_transport_set_ptr2);
238 LOAD_DLL_FN (library, gnutls_transport_set_pull_function);
239 LOAD_DLL_FN (library, gnutls_transport_set_push_function);
240 LOAD_DLL_FN (library, gnutls_x509_crt_check_hostname);
241 LOAD_DLL_FN (library, gnutls_x509_crt_check_issuer);
242 LOAD_DLL_FN (library, gnutls_x509_crt_deinit);
243 LOAD_DLL_FN (library, gnutls_x509_crt_import);
244 LOAD_DLL_FN (library, gnutls_x509_crt_init);
245 LOAD_DLL_FN (library, gnutls_x509_crt_get_fingerprint);
246 LOAD_DLL_FN (library, gnutls_x509_crt_get_version);
247 LOAD_DLL_FN (library, gnutls_x509_crt_get_serial);
248 LOAD_DLL_FN (library, gnutls_x509_crt_get_issuer_dn);
249 LOAD_DLL_FN (library, gnutls_x509_crt_get_activation_time);
250 LOAD_DLL_FN (library, gnutls_x509_crt_get_expiration_time);
251 LOAD_DLL_FN (library, gnutls_x509_crt_get_dn);
252 LOAD_DLL_FN (library, gnutls_x509_crt_get_pk_algorithm);
253 LOAD_DLL_FN (library, gnutls_pk_algorithm_get_name);
254 LOAD_DLL_FN (library, gnutls_pk_bits_to_sec_param);
255 LOAD_DLL_FN (library, gnutls_x509_crt_get_issuer_unique_id);
256 LOAD_DLL_FN (library, gnutls_x509_crt_get_subject_unique_id);
257 LOAD_DLL_FN (library, gnutls_x509_crt_get_signature_algorithm);
258 LOAD_DLL_FN (library, gnutls_x509_crt_get_signature);
259 LOAD_DLL_FN (library, gnutls_x509_crt_get_key_id);
260 LOAD_DLL_FN (library, gnutls_sec_param_get_name);
261 LOAD_DLL_FN (library, gnutls_sign_get_name);
262 LOAD_DLL_FN (library, gnutls_server_name_set);
263 LOAD_DLL_FN (library, gnutls_kx_get);
264 LOAD_DLL_FN (library, gnutls_kx_get_name);
265 LOAD_DLL_FN (library, gnutls_protocol_get_version);
266 LOAD_DLL_FN (library, gnutls_protocol_get_name);
267 LOAD_DLL_FN (library, gnutls_cipher_get);
268 LOAD_DLL_FN (library, gnutls_cipher_get_name);
269 LOAD_DLL_FN (library, gnutls_mac_get);
270 LOAD_DLL_FN (library, gnutls_mac_get_name);
271
272 max_log_level = global_gnutls_log_level;
273
274 {
275 Lisp_Object name = CAR_SAFE (Fget (Qgnutls_dll, QCloaded_from));
276 GNUTLS_LOG2 (1, max_log_level, "GnuTLS library loaded:",
277 STRINGP (name) ? (const char *) SDATA (name) : "unknown");
278 }
279
280 return 1;
281 }
282
283 # define gnutls_alert_get fn_gnutls_alert_get
284 # define gnutls_alert_get_name fn_gnutls_alert_get_name
285 # define gnutls_alert_send_appropriate fn_gnutls_alert_send_appropriate
286 # define gnutls_anon_allocate_client_credentials fn_gnutls_anon_allocate_client_credentials
287 # define gnutls_anon_free_client_credentials fn_gnutls_anon_free_client_credentials
288 # define gnutls_bye fn_gnutls_bye
289 # define gnutls_certificate_allocate_credentials fn_gnutls_certificate_allocate_credentials
290 # define gnutls_certificate_free_credentials fn_gnutls_certificate_free_credentials
291 # define gnutls_certificate_get_peers fn_gnutls_certificate_get_peers
292 # define gnutls_certificate_set_verify_flags fn_gnutls_certificate_set_verify_flags
293 # define gnutls_certificate_set_x509_crl_file fn_gnutls_certificate_set_x509_crl_file
294 # define gnutls_certificate_set_x509_key_file fn_gnutls_certificate_set_x509_key_file
295 # define gnutls_certificate_set_x509_system_trust fn_gnutls_certificate_set_x509_system_trust
296 # define gnutls_certificate_set_x509_trust_file fn_gnutls_certificate_set_x509_trust_file
297 # define gnutls_certificate_type_get fn_gnutls_certificate_type_get
298 # define gnutls_certificate_verify_peers2 fn_gnutls_certificate_verify_peers2
299 # define gnutls_check_version fn_gnutls_check_version
300 # define gnutls_cipher_get fn_gnutls_cipher_get
301 # define gnutls_cipher_get_name fn_gnutls_cipher_get_name
302 # define gnutls_credentials_set fn_gnutls_credentials_set
303 # define gnutls_deinit fn_gnutls_deinit
304 # define gnutls_dh_get_prime_bits fn_gnutls_dh_get_prime_bits
305 # define gnutls_dh_set_prime_bits fn_gnutls_dh_set_prime_bits
306 # define gnutls_error_is_fatal fn_gnutls_error_is_fatal
307 # define gnutls_global_init fn_gnutls_global_init
308 # define gnutls_global_set_audit_log_function fn_gnutls_global_set_audit_log_function
309 # define gnutls_global_set_log_function fn_gnutls_global_set_log_function
310 # define gnutls_global_set_log_level fn_gnutls_global_set_log_level
311 # define gnutls_handshake fn_gnutls_handshake
312 # define gnutls_init fn_gnutls_init
313 # define gnutls_kx_get fn_gnutls_kx_get
314 # define gnutls_kx_get_name fn_gnutls_kx_get_name
315 # define gnutls_mac_get fn_gnutls_mac_get
316 # define gnutls_mac_get_name fn_gnutls_mac_get_name
317 # define gnutls_pk_algorithm_get_name fn_gnutls_pk_algorithm_get_name
318 # define gnutls_pk_bits_to_sec_param fn_gnutls_pk_bits_to_sec_param
319 # define gnutls_priority_set_direct fn_gnutls_priority_set_direct
320 # define gnutls_protocol_get_name fn_gnutls_protocol_get_name
321 # define gnutls_protocol_get_version fn_gnutls_protocol_get_version
322 # define gnutls_record_check_pending fn_gnutls_record_check_pending
323 # define gnutls_record_recv fn_gnutls_record_recv
324 # define gnutls_record_send fn_gnutls_record_send
325 # define gnutls_sec_param_get_name fn_gnutls_sec_param_get_name
326 # define gnutls_server_name_set fn_gnutls_server_name_set
327 # define gnutls_sign_get_name fn_gnutls_sign_get_name
328 # define gnutls_strerror fn_gnutls_strerror
329 # define gnutls_transport_set_errno fn_gnutls_transport_set_errno
330 # define gnutls_transport_set_lowat fn_gnutls_transport_set_lowat
331 # define gnutls_transport_set_ptr2 fn_gnutls_transport_set_ptr2
332 # define gnutls_transport_set_pull_function fn_gnutls_transport_set_pull_function
333 # define gnutls_transport_set_push_function fn_gnutls_transport_set_push_function
334 # define gnutls_x509_crt_check_hostname fn_gnutls_x509_crt_check_hostname
335 # define gnutls_x509_crt_check_issuer fn_gnutls_x509_crt_check_issuer
336 # define gnutls_x509_crt_deinit fn_gnutls_x509_crt_deinit
337 # define gnutls_x509_crt_get_activation_time fn_gnutls_x509_crt_get_activation_time
338 # define gnutls_x509_crt_get_dn fn_gnutls_x509_crt_get_dn
339 # define gnutls_x509_crt_get_expiration_time fn_gnutls_x509_crt_get_expiration_time
340 # define gnutls_x509_crt_get_fingerprint fn_gnutls_x509_crt_get_fingerprint
341 # define gnutls_x509_crt_get_issuer_dn fn_gnutls_x509_crt_get_issuer_dn
342 # define gnutls_x509_crt_get_issuer_unique_id fn_gnutls_x509_crt_get_issuer_unique_id
343 # define gnutls_x509_crt_get_key_id fn_gnutls_x509_crt_get_key_id
344 # define gnutls_x509_crt_get_pk_algorithm fn_gnutls_x509_crt_get_pk_algorithm
345 # define gnutls_x509_crt_get_serial fn_gnutls_x509_crt_get_serial
346 # define gnutls_x509_crt_get_signature fn_gnutls_x509_crt_get_signature
347 # define gnutls_x509_crt_get_signature_algorithm fn_gnutls_x509_crt_get_signature_algorithm
348 # define gnutls_x509_crt_get_subject_unique_id fn_gnutls_x509_crt_get_subject_unique_id
349 # define gnutls_x509_crt_get_version fn_gnutls_x509_crt_get_version
350 # define gnutls_x509_crt_import fn_gnutls_x509_crt_import
351 # define gnutls_x509_crt_init fn_gnutls_x509_crt_init
352
353 #endif
354
355 \f
356 /* Report memory exhaustion if ERR is an out-of-memory indication. */
357 static void
358 check_memory_full (int err)
359 {
360 /* When GnuTLS exhausts memory, it doesn't say how much memory it
361 asked for, so tell the Emacs allocator that GnuTLS asked for no
362 bytes. This isn't accurate, but it's good enough. */
363 if (err == GNUTLS_E_MEMORY_ERROR)
364 memory_full (0);
365 }
366
367 #ifdef HAVE_GNUTLS3
368 /* Log a simple audit message. */
369 static void
370 gnutls_audit_log_function (gnutls_session_t session, const char *string)
371 {
372 if (global_gnutls_log_level >= 1)
373 {
374 message ("gnutls.c: [audit] %s", string);
375 }
376 }
377 #endif
378
379 /* Log a simple message. */
380 static void
381 gnutls_log_function (int level, const char *string)
382 {
383 message ("gnutls.c: [%d] %s", level, string);
384 }
385
386 /* Log a message and a string. */
387 static void
388 gnutls_log_function2 (int level, const char *string, const char *extra)
389 {
390 message ("gnutls.c: [%d] %s %s", level, string, extra);
391 }
392
393 /* Log a message and an integer. */
394 static void
395 gnutls_log_function2i (int level, const char *string, int extra)
396 {
397 message ("gnutls.c: [%d] %s %d", level, string, extra);
398 }
399
400 int
401 gnutls_try_handshake (struct Lisp_Process *proc)
402 {
403 gnutls_session_t state = proc->gnutls_state;
404 int ret;
405
406 do
407 {
408 ret = gnutls_handshake (state);
409 emacs_gnutls_handle_error (state, ret);
410 QUIT;
411 }
412 while (ret < 0 && gnutls_error_is_fatal (ret) == 0
413 && ! proc->is_non_blocking_client);
414
415 proc->gnutls_initstage = GNUTLS_STAGE_HANDSHAKE_TRIED;
416
417 if (proc->is_non_blocking_client)
418 proc->gnutls_p = true;
419
420 if (ret == GNUTLS_E_SUCCESS)
421 {
422 /* Here we're finally done. */
423 proc->gnutls_initstage = GNUTLS_STAGE_READY;
424 }
425 else
426 {
427 /* check_memory_full (gnutls_alert_send_appropriate (state, ret)); */
428 }
429 return ret;
430 }
431
432 static int
433 emacs_gnutls_handshake (struct Lisp_Process *proc)
434 {
435 gnutls_session_t state = proc->gnutls_state;
436
437 if (proc->gnutls_initstage < GNUTLS_STAGE_HANDSHAKE_CANDO)
438 return -1;
439
440 if (proc->gnutls_initstage < GNUTLS_STAGE_TRANSPORT_POINTERS_SET)
441 {
442 #ifdef WINDOWSNT
443 /* On W32 we cannot transfer socket handles between different runtime
444 libraries, so we tell GnuTLS to use our special push/pull
445 functions. */
446 gnutls_transport_set_ptr2 (state,
447 (gnutls_transport_ptr_t) proc,
448 (gnutls_transport_ptr_t) proc);
449 gnutls_transport_set_push_function (state, &emacs_gnutls_push);
450 gnutls_transport_set_pull_function (state, &emacs_gnutls_pull);
451
452 /* For non blocking sockets or other custom made pull/push
453 functions the gnutls_transport_set_lowat must be called, with
454 a zero low water mark value. (GnuTLS 2.10.4 documentation)
455
456 (Note: this is probably not strictly necessary as the lowat
457 value is only used when no custom pull/push functions are
458 set.) */
459 /* According to GnuTLS NEWS file, lowat level has been set to
460 zero by default in version 2.11.1, and the function
461 gnutls_transport_set_lowat was removed from the library in
462 version 2.99.0. */
463 if (!gnutls_check_version ("2.11.1"))
464 gnutls_transport_set_lowat (state, 0);
465 #else
466 /* This is how GnuTLS takes sockets: as file descriptors passed
467 in. For an Emacs process socket, infd and outfd are the
468 same but we use this two-argument version for clarity. */
469 gnutls_transport_set_ptr2 (state,
470 (void *) (intptr_t) proc->infd,
471 (void *) (intptr_t) proc->outfd);
472 #endif
473
474 proc->gnutls_initstage = GNUTLS_STAGE_TRANSPORT_POINTERS_SET;
475 }
476
477 return gnutls_try_handshake (proc);
478 }
479
480 ptrdiff_t
481 emacs_gnutls_record_check_pending (gnutls_session_t state)
482 {
483 return gnutls_record_check_pending (state);
484 }
485
486 #ifdef WINDOWSNT
487 void
488 emacs_gnutls_transport_set_errno (gnutls_session_t state, int err)
489 {
490 gnutls_transport_set_errno (state, err);
491 }
492 #endif
493
494 ptrdiff_t
495 emacs_gnutls_write (struct Lisp_Process *proc, const char *buf, ptrdiff_t nbyte)
496 {
497 ssize_t rtnval = 0;
498 ptrdiff_t bytes_written;
499 gnutls_session_t state = proc->gnutls_state;
500
501 if (proc->gnutls_initstage != GNUTLS_STAGE_READY)
502 {
503 errno = EAGAIN;
504 return 0;
505 }
506
507 bytes_written = 0;
508
509 while (nbyte > 0)
510 {
511 rtnval = gnutls_record_send (state, buf, nbyte);
512
513 if (rtnval < 0)
514 {
515 if (rtnval == GNUTLS_E_INTERRUPTED)
516 continue;
517 else
518 {
519 /* If we get GNUTLS_E_AGAIN, then set errno
520 appropriately so that send_process retries the
521 correct way instead of erroring out. */
522 if (rtnval == GNUTLS_E_AGAIN)
523 errno = EAGAIN;
524 break;
525 }
526 }
527
528 buf += rtnval;
529 nbyte -= rtnval;
530 bytes_written += rtnval;
531 }
532
533 emacs_gnutls_handle_error (state, rtnval);
534 return (bytes_written);
535 }
536
537 ptrdiff_t
538 emacs_gnutls_read (struct Lisp_Process *proc, char *buf, ptrdiff_t nbyte)
539 {
540 ssize_t rtnval;
541 gnutls_session_t state = proc->gnutls_state;
542
543 if (proc->gnutls_initstage != GNUTLS_STAGE_READY)
544 return -1;
545
546 rtnval = gnutls_record_recv (state, buf, nbyte);
547 if (rtnval >= 0)
548 return rtnval;
549 else if (rtnval == GNUTLS_E_UNEXPECTED_PACKET_LENGTH)
550 /* The peer closed the connection. */
551 return 0;
552 else if (emacs_gnutls_handle_error (state, rtnval))
553 /* non-fatal error */
554 return -1;
555 else {
556 /* a fatal error occurred */
557 return 0;
558 }
559 }
560
561 /* Report a GnuTLS error to the user.
562 Return true if the error code was successfully handled. */
563 static bool
564 emacs_gnutls_handle_error (gnutls_session_t session, int err)
565 {
566 int max_log_level = 0;
567
568 bool ret;
569 const char *str;
570
571 /* TODO: use a Lisp_Object generated by gnutls_make_error? */
572 if (err >= 0)
573 return 1;
574
575 check_memory_full (err);
576
577 max_log_level = global_gnutls_log_level;
578
579 /* TODO: use gnutls-error-fatalp and gnutls-error-string. */
580
581 str = gnutls_strerror (err);
582 if (!str)
583 str = "unknown";
584
585 if (gnutls_error_is_fatal (err))
586 {
587 ret = 0;
588 GNUTLS_LOG2 (1, max_log_level, "fatal error:", str);
589 }
590 else
591 {
592 ret = 1;
593
594 switch (err)
595 {
596 case GNUTLS_E_AGAIN:
597 GNUTLS_LOG2 (3,
598 max_log_level,
599 "retry:",
600 str);
601 default:
602 GNUTLS_LOG2 (1,
603 max_log_level,
604 "non-fatal error:",
605 str);
606 }
607 }
608
609 if (err == GNUTLS_E_WARNING_ALERT_RECEIVED
610 || err == GNUTLS_E_FATAL_ALERT_RECEIVED)
611 {
612 int alert = gnutls_alert_get (session);
613 int level = (err == GNUTLS_E_FATAL_ALERT_RECEIVED) ? 0 : 1;
614 str = gnutls_alert_get_name (alert);
615 if (!str)
616 str = "unknown";
617
618 GNUTLS_LOG2 (level, max_log_level, "Received alert: ", str);
619 }
620 return ret;
621 }
622
623 /* convert an integer error to a Lisp_Object; it will be either a
624 known symbol like `gnutls_e_interrupted' and `gnutls_e_again' or
625 simply the integer value of the error. GNUTLS_E_SUCCESS is mapped
626 to Qt. */
627 static Lisp_Object
628 gnutls_make_error (int err)
629 {
630 switch (err)
631 {
632 case GNUTLS_E_SUCCESS:
633 return Qt;
634 case GNUTLS_E_AGAIN:
635 return Qgnutls_e_again;
636 case GNUTLS_E_INTERRUPTED:
637 return Qgnutls_e_interrupted;
638 case GNUTLS_E_INVALID_SESSION:
639 return Qgnutls_e_invalid_session;
640 }
641
642 check_memory_full (err);
643 return make_number (err);
644 }
645
646 Lisp_Object
647 emacs_gnutls_deinit (Lisp_Object proc)
648 {
649 int log_level;
650
651 CHECK_PROCESS (proc);
652
653 if (! XPROCESS (proc)->gnutls_p)
654 return Qnil;
655
656 log_level = XPROCESS (proc)->gnutls_log_level;
657
658 if (XPROCESS (proc)->gnutls_x509_cred)
659 {
660 GNUTLS_LOG (2, log_level, "Deallocating x509 credentials");
661 gnutls_certificate_free_credentials (XPROCESS (proc)->gnutls_x509_cred);
662 XPROCESS (proc)->gnutls_x509_cred = NULL;
663 }
664
665 if (XPROCESS (proc)->gnutls_anon_cred)
666 {
667 GNUTLS_LOG (2, log_level, "Deallocating anon credentials");
668 gnutls_anon_free_client_credentials (XPROCESS (proc)->gnutls_anon_cred);
669 XPROCESS (proc)->gnutls_anon_cred = NULL;
670 }
671
672 if (XPROCESS (proc)->gnutls_state)
673 {
674 gnutls_deinit (XPROCESS (proc)->gnutls_state);
675 XPROCESS (proc)->gnutls_state = NULL;
676 if (GNUTLS_INITSTAGE (proc) >= GNUTLS_STAGE_INIT)
677 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_INIT - 1;
678 }
679
680 XPROCESS (proc)->gnutls_p = false;
681 return Qt;
682 }
683
684 DEFUN ("gnutls-asynchronous-parameters", Fgnutls_asynchronous_parameters,
685 Sgnutls_asynchronous_parameters, 2, 2, 0,
686 doc: /* Mark this process as being a pre-init GnuTLS process.
687 The second parameter is the list of parameters to feed to gnutls-boot
688 to finish setting up the connection. */)
689 (Lisp_Object proc, Lisp_Object params)
690 {
691 CHECK_PROCESS (proc);
692
693 XPROCESS (proc)->gnutls_boot_parameters = params;
694 return Qnil;
695 }
696
697 DEFUN ("gnutls-get-initstage", Fgnutls_get_initstage, Sgnutls_get_initstage, 1, 1, 0,
698 doc: /* Return the GnuTLS init stage of process PROC.
699 See also `gnutls-boot'. */)
700 (Lisp_Object proc)
701 {
702 CHECK_PROCESS (proc);
703
704 return make_number (GNUTLS_INITSTAGE (proc));
705 }
706
707 DEFUN ("gnutls-errorp", Fgnutls_errorp, Sgnutls_errorp, 1, 1, 0,
708 doc: /* Return t if ERROR indicates a GnuTLS problem.
709 ERROR is an integer or a symbol with an integer `gnutls-code' property.
710 usage: (gnutls-errorp ERROR) */
711 attributes: const)
712 (Lisp_Object err)
713 {
714 if (EQ (err, Qt)) return Qnil;
715
716 return Qt;
717 }
718
719 DEFUN ("gnutls-error-fatalp", Fgnutls_error_fatalp, Sgnutls_error_fatalp, 1, 1, 0,
720 doc: /* Return non-nil if ERROR is fatal.
721 ERROR is an integer or a symbol with an integer `gnutls-code' property.
722 Usage: (gnutls-error-fatalp ERROR) */)
723 (Lisp_Object err)
724 {
725 Lisp_Object code;
726
727 if (EQ (err, Qt)) return Qnil;
728
729 if (SYMBOLP (err))
730 {
731 code = Fget (err, Qgnutls_code);
732 if (NUMBERP (code))
733 {
734 err = code;
735 }
736 else
737 {
738 error ("Symbol has no numeric gnutls-code property");
739 }
740 }
741
742 if (! TYPE_RANGED_INTEGERP (int, err))
743 error ("Not an error symbol or code");
744
745 if (0 == gnutls_error_is_fatal (XINT (err)))
746 return Qnil;
747
748 return Qt;
749 }
750
751 DEFUN ("gnutls-error-string", Fgnutls_error_string, Sgnutls_error_string, 1, 1, 0,
752 doc: /* Return a description of ERROR.
753 ERROR is an integer or a symbol with an integer `gnutls-code' property.
754 usage: (gnutls-error-string ERROR) */)
755 (Lisp_Object err)
756 {
757 Lisp_Object code;
758
759 if (EQ (err, Qt)) return build_string ("Not an error");
760
761 if (SYMBOLP (err))
762 {
763 code = Fget (err, Qgnutls_code);
764 if (NUMBERP (code))
765 {
766 err = code;
767 }
768 else
769 {
770 return build_string ("Symbol has no numeric gnutls-code property");
771 }
772 }
773
774 if (! TYPE_RANGED_INTEGERP (int, err))
775 return build_string ("Not an error symbol or code");
776
777 return build_string (gnutls_strerror (XINT (err)));
778 }
779
780 DEFUN ("gnutls-deinit", Fgnutls_deinit, Sgnutls_deinit, 1, 1, 0,
781 doc: /* Deallocate GnuTLS resources associated with process PROC.
782 See also `gnutls-init'. */)
783 (Lisp_Object proc)
784 {
785 return emacs_gnutls_deinit (proc);
786 }
787
788 static Lisp_Object
789 gnutls_hex_string (unsigned char *buf, ptrdiff_t buf_size, const char *prefix)
790 {
791 ptrdiff_t prefix_length = strlen (prefix);
792 ptrdiff_t retlen;
793 if (INT_MULTIPLY_WRAPV (buf_size, 3, &retlen)
794 || INT_ADD_WRAPV (prefix_length - (buf_size != 0), retlen, &retlen))
795 string_overflow ();
796 Lisp_Object ret = make_uninit_string (retlen);
797 char *string = SSDATA (ret);
798 strcpy (string, prefix);
799
800 for (ptrdiff_t i = 0; i < buf_size; i++)
801 sprintf (string + i * 3 + prefix_length,
802 i == buf_size - 1 ? "%02x" : "%02x:",
803 buf[i]);
804
805 return ret;
806 }
807
808 static Lisp_Object
809 gnutls_certificate_details (gnutls_x509_crt_t cert)
810 {
811 Lisp_Object res = Qnil;
812 int err;
813 size_t buf_size;
814
815 /* Version. */
816 {
817 int version = gnutls_x509_crt_get_version (cert);
818 check_memory_full (version);
819 if (version >= GNUTLS_E_SUCCESS)
820 res = nconc2 (res, list2 (intern (":version"),
821 make_number (version)));
822 }
823
824 /* Serial. */
825 buf_size = 0;
826 err = gnutls_x509_crt_get_serial (cert, NULL, &buf_size);
827 check_memory_full (err);
828 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
829 {
830 void *serial = xmalloc (buf_size);
831 err = gnutls_x509_crt_get_serial (cert, serial, &buf_size);
832 check_memory_full (err);
833 if (err >= GNUTLS_E_SUCCESS)
834 res = nconc2 (res, list2 (intern (":serial-number"),
835 gnutls_hex_string (serial, buf_size, "")));
836 xfree (serial);
837 }
838
839 /* Issuer. */
840 buf_size = 0;
841 err = gnutls_x509_crt_get_issuer_dn (cert, NULL, &buf_size);
842 check_memory_full (err);
843 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
844 {
845 char *dn = xmalloc (buf_size);
846 err = gnutls_x509_crt_get_issuer_dn (cert, dn, &buf_size);
847 check_memory_full (err);
848 if (err >= GNUTLS_E_SUCCESS)
849 res = nconc2 (res, list2 (intern (":issuer"),
850 make_string (dn, buf_size)));
851 xfree (dn);
852 }
853
854 /* Validity. */
855 {
856 /* Add 1 to the buffer size, since 1900 is added to tm_year and
857 that might add 1 to the year length. */
858 char buf[INT_STRLEN_BOUND (int) + 1 + sizeof "-12-31"];
859 struct tm t;
860 time_t tim = gnutls_x509_crt_get_activation_time (cert);
861
862 if (gmtime_r (&tim, &t) && strftime (buf, sizeof buf, "%Y-%m-%d", &t))
863 res = nconc2 (res, list2 (intern (":valid-from"), build_string (buf)));
864
865 tim = gnutls_x509_crt_get_expiration_time (cert);
866 if (gmtime_r (&tim, &t) && strftime (buf, sizeof buf, "%Y-%m-%d", &t))
867 res = nconc2 (res, list2 (intern (":valid-to"), build_string (buf)));
868 }
869
870 /* Subject. */
871 buf_size = 0;
872 err = gnutls_x509_crt_get_dn (cert, NULL, &buf_size);
873 check_memory_full (err);
874 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
875 {
876 char *dn = xmalloc (buf_size);
877 err = gnutls_x509_crt_get_dn (cert, dn, &buf_size);
878 check_memory_full (err);
879 if (err >= GNUTLS_E_SUCCESS)
880 res = nconc2 (res, list2 (intern (":subject"),
881 make_string (dn, buf_size)));
882 xfree (dn);
883 }
884
885 /* Versions older than 2.11 doesn't have these four functions. */
886 #if GNUTLS_VERSION_NUMBER >= 0x020b00
887 /* SubjectPublicKeyInfo. */
888 {
889 unsigned int bits;
890
891 err = gnutls_x509_crt_get_pk_algorithm (cert, &bits);
892 check_memory_full (err);
893 if (err >= GNUTLS_E_SUCCESS)
894 {
895 const char *name = gnutls_pk_algorithm_get_name (err);
896 if (name)
897 res = nconc2 (res, list2 (intern (":public-key-algorithm"),
898 build_string (name)));
899
900 name = gnutls_sec_param_get_name (gnutls_pk_bits_to_sec_param
901 (err, bits));
902 res = nconc2 (res, list2 (intern (":certificate-security-level"),
903 build_string (name)));
904 }
905 }
906
907 /* Unique IDs. */
908 buf_size = 0;
909 err = gnutls_x509_crt_get_issuer_unique_id (cert, NULL, &buf_size);
910 check_memory_full (err);
911 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
912 {
913 char *buf = xmalloc (buf_size);
914 err = gnutls_x509_crt_get_issuer_unique_id (cert, buf, &buf_size);
915 check_memory_full (err);
916 if (err >= GNUTLS_E_SUCCESS)
917 res = nconc2 (res, list2 (intern (":issuer-unique-id"),
918 make_string (buf, buf_size)));
919 xfree (buf);
920 }
921
922 buf_size = 0;
923 err = gnutls_x509_crt_get_subject_unique_id (cert, NULL, &buf_size);
924 check_memory_full (err);
925 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
926 {
927 char *buf = xmalloc (buf_size);
928 err = gnutls_x509_crt_get_subject_unique_id (cert, buf, &buf_size);
929 check_memory_full (err);
930 if (err >= GNUTLS_E_SUCCESS)
931 res = nconc2 (res, list2 (intern (":subject-unique-id"),
932 make_string (buf, buf_size)));
933 xfree (buf);
934 }
935 #endif
936
937 /* Signature. */
938 err = gnutls_x509_crt_get_signature_algorithm (cert);
939 check_memory_full (err);
940 if (err >= GNUTLS_E_SUCCESS)
941 {
942 const char *name = gnutls_sign_get_name (err);
943 if (name)
944 res = nconc2 (res, list2 (intern (":signature-algorithm"),
945 build_string (name)));
946 }
947
948 /* Public key ID. */
949 buf_size = 0;
950 err = gnutls_x509_crt_get_key_id (cert, 0, NULL, &buf_size);
951 check_memory_full (err);
952 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
953 {
954 void *buf = xmalloc (buf_size);
955 err = gnutls_x509_crt_get_key_id (cert, 0, buf, &buf_size);
956 check_memory_full (err);
957 if (err >= GNUTLS_E_SUCCESS)
958 res = nconc2 (res, list2 (intern (":public-key-id"),
959 gnutls_hex_string (buf, buf_size, "sha1:")));
960 xfree (buf);
961 }
962
963 /* Certificate fingerprint. */
964 buf_size = 0;
965 err = gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1,
966 NULL, &buf_size);
967 check_memory_full (err);
968 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
969 {
970 void *buf = xmalloc (buf_size);
971 err = gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1,
972 buf, &buf_size);
973 check_memory_full (err);
974 if (err >= GNUTLS_E_SUCCESS)
975 res = nconc2 (res, list2 (intern (":certificate-id"),
976 gnutls_hex_string (buf, buf_size, "sha1:")));
977 xfree (buf);
978 }
979
980 return res;
981 }
982
983 DEFUN ("gnutls-peer-status-warning-describe", Fgnutls_peer_status_warning_describe, Sgnutls_peer_status_warning_describe, 1, 1, 0,
984 doc: /* Describe the warning of a GnuTLS peer status from `gnutls-peer-status'. */)
985 (Lisp_Object status_symbol)
986 {
987 CHECK_SYMBOL (status_symbol);
988
989 if (EQ (status_symbol, intern (":invalid")))
990 return build_string ("certificate could not be verified");
991
992 if (EQ (status_symbol, intern (":revoked")))
993 return build_string ("certificate was revoked (CRL)");
994
995 if (EQ (status_symbol, intern (":self-signed")))
996 return build_string ("certificate signer was not found (self-signed)");
997
998 if (EQ (status_symbol, intern (":unknown-ca")))
999 return build_string ("the certificate was signed by an unknown "
1000 "and therefore untrusted authority");
1001
1002 if (EQ (status_symbol, intern (":not-ca")))
1003 return build_string ("certificate signer is not a CA");
1004
1005 if (EQ (status_symbol, intern (":insecure")))
1006 return build_string ("certificate was signed with an insecure algorithm");
1007
1008 if (EQ (status_symbol, intern (":not-activated")))
1009 return build_string ("certificate is not yet activated");
1010
1011 if (EQ (status_symbol, intern (":expired")))
1012 return build_string ("certificate has expired");
1013
1014 if (EQ (status_symbol, intern (":no-host-match")))
1015 return build_string ("certificate host does not match hostname");
1016
1017 return Qnil;
1018 }
1019
1020 DEFUN ("gnutls-peer-status", Fgnutls_peer_status, Sgnutls_peer_status, 1, 1, 0,
1021 doc: /* Describe a GnuTLS PROC peer certificate and any warnings about it.
1022 The return value is a property list with top-level keys :warnings and
1023 :certificate. The :warnings entry is a list of symbols you can describe with
1024 `gnutls-peer-status-warning-describe'. */)
1025 (Lisp_Object proc)
1026 {
1027 Lisp_Object warnings = Qnil, result = Qnil;
1028 unsigned int verification;
1029 gnutls_session_t state;
1030
1031 CHECK_PROCESS (proc);
1032
1033 if (GNUTLS_INITSTAGE (proc) != GNUTLS_STAGE_READY)
1034 return Qnil;
1035
1036 /* Then collect any warnings already computed by the handshake. */
1037 verification = XPROCESS (proc)->gnutls_peer_verification;
1038
1039 if (verification & GNUTLS_CERT_INVALID)
1040 warnings = Fcons (intern (":invalid"), warnings);
1041
1042 if (verification & GNUTLS_CERT_REVOKED)
1043 warnings = Fcons (intern (":revoked"), warnings);
1044
1045 if (verification & GNUTLS_CERT_SIGNER_NOT_FOUND)
1046 warnings = Fcons (intern (":unknown-ca"), warnings);
1047
1048 if (verification & GNUTLS_CERT_SIGNER_NOT_CA)
1049 warnings = Fcons (intern (":not-ca"), warnings);
1050
1051 if (verification & GNUTLS_CERT_INSECURE_ALGORITHM)
1052 warnings = Fcons (intern (":insecure"), warnings);
1053
1054 if (verification & GNUTLS_CERT_NOT_ACTIVATED)
1055 warnings = Fcons (intern (":not-activated"), warnings);
1056
1057 if (verification & GNUTLS_CERT_EXPIRED)
1058 warnings = Fcons (intern (":expired"), warnings);
1059
1060 if (XPROCESS (proc)->gnutls_extra_peer_verification &
1061 CERTIFICATE_NOT_MATCHING)
1062 warnings = Fcons (intern (":no-host-match"), warnings);
1063
1064 /* This could get called in the INIT stage, when the certificate is
1065 not yet set. */
1066 if (XPROCESS (proc)->gnutls_certificate != NULL &&
1067 gnutls_x509_crt_check_issuer(XPROCESS (proc)->gnutls_certificate,
1068 XPROCESS (proc)->gnutls_certificate))
1069 warnings = Fcons (intern (":self-signed"), warnings);
1070
1071 if (!NILP (warnings))
1072 result = list2 (intern (":warnings"), warnings);
1073
1074 /* This could get called in the INIT stage, when the certificate is
1075 not yet set. */
1076 if (XPROCESS (proc)->gnutls_certificate != NULL)
1077 result = nconc2 (result, list2
1078 (intern (":certificate"),
1079 gnutls_certificate_details (XPROCESS (proc)->gnutls_certificate)));
1080
1081 state = XPROCESS (proc)->gnutls_state;
1082
1083 /* Diffie-Hellman prime bits. */
1084 {
1085 int bits = gnutls_dh_get_prime_bits (state);
1086 check_memory_full (bits);
1087 if (bits > 0)
1088 result = nconc2 (result, list2 (intern (":diffie-hellman-prime-bits"),
1089 make_number (bits)));
1090 }
1091
1092 /* Key exchange. */
1093 result = nconc2
1094 (result, list2 (intern (":key-exchange"),
1095 build_string (gnutls_kx_get_name
1096 (gnutls_kx_get (state)))));
1097
1098 /* Protocol name. */
1099 result = nconc2
1100 (result, list2 (intern (":protocol"),
1101 build_string (gnutls_protocol_get_name
1102 (gnutls_protocol_get_version (state)))));
1103
1104 /* Cipher name. */
1105 result = nconc2
1106 (result, list2 (intern (":cipher"),
1107 build_string (gnutls_cipher_get_name
1108 (gnutls_cipher_get (state)))));
1109
1110 /* MAC name. */
1111 result = nconc2
1112 (result, list2 (intern (":mac"),
1113 build_string (gnutls_mac_get_name
1114 (gnutls_mac_get (state)))));
1115
1116
1117 return result;
1118 }
1119
1120 /* Initialize global GnuTLS state to defaults.
1121 Call `gnutls-global-deinit' when GnuTLS usage is no longer needed.
1122 Return zero on success. */
1123 Lisp_Object
1124 emacs_gnutls_global_init (void)
1125 {
1126 int ret = GNUTLS_E_SUCCESS;
1127
1128 if (!gnutls_global_initialized)
1129 {
1130 ret = gnutls_global_init ();
1131 if (ret == GNUTLS_E_SUCCESS)
1132 gnutls_global_initialized = 1;
1133 }
1134
1135 return gnutls_make_error (ret);
1136 }
1137
1138 static bool
1139 gnutls_ip_address_p (char *string)
1140 {
1141 char c;
1142
1143 while ((c = *string++) != 0)
1144 if (! ((c == '.' || c == ':' || (c >= '0' && c <= '9'))))
1145 return false;
1146
1147 return true;
1148 }
1149
1150 #if 0
1151 /* Deinitialize global GnuTLS state.
1152 See also `gnutls-global-init'. */
1153 static Lisp_Object
1154 emacs_gnutls_global_deinit (void)
1155 {
1156 if (gnutls_global_initialized)
1157 gnutls_global_deinit ();
1158
1159 gnutls_global_initialized = 0;
1160
1161 return gnutls_make_error (GNUTLS_E_SUCCESS);
1162 }
1163 #endif
1164
1165 static void ATTRIBUTE_FORMAT_PRINTF (2, 3)
1166 boot_error (struct Lisp_Process *p, const char *m, ...)
1167 {
1168 va_list ap;
1169 va_start (ap, m);
1170 if (p->is_non_blocking_client)
1171 pset_status (p, list2 (Qfailed, vformat_string (m, ap)));
1172 else
1173 verror (m, ap);
1174 }
1175
1176 Lisp_Object
1177 gnutls_verify_boot (Lisp_Object proc, Lisp_Object proplist)
1178 {
1179 int ret;
1180 struct Lisp_Process *p = XPROCESS (proc);
1181 gnutls_session_t state = p->gnutls_state;
1182 unsigned int peer_verification;
1183 Lisp_Object warnings;
1184 int max_log_level = p->gnutls_log_level;
1185 Lisp_Object hostname, verify_error;
1186 bool verify_error_all = false;
1187 char *c_hostname;
1188
1189 if (NILP (proplist))
1190 proplist = Fcdr (Fplist_get (p->childp, QCtls_parameters));
1191
1192 verify_error = Fplist_get (proplist, QCgnutls_bootprop_verify_error);
1193 hostname = Fplist_get (proplist, QCgnutls_bootprop_hostname);
1194
1195 if (EQ (verify_error, Qt))
1196 verify_error_all = true;
1197 else if (NILP (Flistp (verify_error)))
1198 {
1199 boot_error (p,
1200 "gnutls-boot: invalid :verify_error parameter (not a list)");
1201 return Qnil;
1202 }
1203
1204 if (!STRINGP (hostname))
1205 {
1206 boot_error (p, "gnutls-boot: invalid :hostname parameter (not a string)");
1207 return Qnil;
1208 }
1209 c_hostname = SSDATA (hostname);
1210
1211 /* Now verify the peer, following
1212 http://www.gnu.org/software/gnutls/manual/html_node/Verifying-peer_0027s-certificate.html.
1213 The peer should present at least one certificate in the chain; do a
1214 check of the certificate's hostname with
1215 gnutls_x509_crt_check_hostname against :hostname. */
1216
1217 ret = gnutls_certificate_verify_peers2 (state, &peer_verification);
1218 if (ret < GNUTLS_E_SUCCESS)
1219 return gnutls_make_error (ret);
1220
1221 XPROCESS (proc)->gnutls_peer_verification = peer_verification;
1222
1223 warnings = Fplist_get (Fgnutls_peer_status (proc), intern (":warnings"));
1224 if (!NILP (warnings))
1225 {
1226 for (Lisp_Object tail = warnings; CONSP (tail); tail = XCDR (tail))
1227 {
1228 Lisp_Object warning = XCAR (tail);
1229 Lisp_Object message = Fgnutls_peer_status_warning_describe (warning);
1230 if (!NILP (message))
1231 GNUTLS_LOG2 (1, max_log_level, "verification:", SSDATA (message));
1232 }
1233 }
1234
1235 if (peer_verification != 0)
1236 {
1237 if (verify_error_all
1238 || !NILP (Fmember (QCgnutls_bootprop_trustfiles, verify_error)))
1239 {
1240 emacs_gnutls_deinit (proc);
1241 boot_error (p,
1242 "Certificate validation failed %s, verification code %x",
1243 c_hostname, peer_verification);
1244 return Qnil;
1245 }
1246 else
1247 {
1248 GNUTLS_LOG2 (1, max_log_level, "certificate validation failed:",
1249 c_hostname);
1250 }
1251 }
1252
1253 /* Up to here the process is the same for X.509 certificates and
1254 OpenPGP keys. From now on X.509 certificates are assumed. This
1255 can be easily extended to work with openpgp keys as well. */
1256 if (gnutls_certificate_type_get (state) == GNUTLS_CRT_X509)
1257 {
1258 gnutls_x509_crt_t gnutls_verify_cert;
1259 const gnutls_datum_t *gnutls_verify_cert_list;
1260 unsigned int gnutls_verify_cert_list_size;
1261
1262 ret = gnutls_x509_crt_init (&gnutls_verify_cert);
1263 if (ret < GNUTLS_E_SUCCESS)
1264 return gnutls_make_error (ret);
1265
1266 gnutls_verify_cert_list
1267 = gnutls_certificate_get_peers (state, &gnutls_verify_cert_list_size);
1268
1269 if (gnutls_verify_cert_list == NULL)
1270 {
1271 gnutls_x509_crt_deinit (gnutls_verify_cert);
1272 emacs_gnutls_deinit (proc);
1273 boot_error (p, "No x509 certificate was found\n");
1274 return Qnil;
1275 }
1276
1277 /* Check only the first certificate in the given chain. */
1278 ret = gnutls_x509_crt_import (gnutls_verify_cert,
1279 &gnutls_verify_cert_list[0],
1280 GNUTLS_X509_FMT_DER);
1281
1282 if (ret < GNUTLS_E_SUCCESS)
1283 {
1284 gnutls_x509_crt_deinit (gnutls_verify_cert);
1285 return gnutls_make_error (ret);
1286 }
1287
1288 XPROCESS (proc)->gnutls_certificate = gnutls_verify_cert;
1289
1290 int err = gnutls_x509_crt_check_hostname (gnutls_verify_cert,
1291 c_hostname);
1292 check_memory_full (err);
1293 if (!err)
1294 {
1295 XPROCESS (proc)->gnutls_extra_peer_verification
1296 |= CERTIFICATE_NOT_MATCHING;
1297 if (verify_error_all
1298 || !NILP (Fmember (QCgnutls_bootprop_hostname, verify_error)))
1299 {
1300 gnutls_x509_crt_deinit (gnutls_verify_cert);
1301 emacs_gnutls_deinit (proc);
1302 boot_error (p, "The x509 certificate does not match \"%s\"",
1303 c_hostname);
1304 return Qnil;
1305 }
1306 else
1307 GNUTLS_LOG2 (1, max_log_level, "x509 certificate does not match:",
1308 c_hostname);
1309 }
1310 }
1311
1312 /* Set this flag only if the whole initialization succeeded. */
1313 XPROCESS (proc)->gnutls_p = true;
1314
1315 return gnutls_make_error (ret);
1316 }
1317
1318 DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
1319 doc: /* Initialize GnuTLS client for process PROC with TYPE+PROPLIST.
1320 Currently only client mode is supported. Return a success/failure
1321 value you can check with `gnutls-errorp'.
1322
1323 TYPE is a symbol, either `gnutls-anon' or `gnutls-x509pki'.
1324 PROPLIST is a property list with the following keys:
1325
1326 :hostname is a string naming the remote host.
1327
1328 :priority is a GnuTLS priority string, defaults to "NORMAL".
1329
1330 :trustfiles is a list of PEM-encoded trust files for `gnutls-x509pki'.
1331
1332 :crlfiles is a list of PEM-encoded CRL lists for `gnutls-x509pki'.
1333
1334 :keylist is an alist of PEM-encoded key files and PEM-encoded
1335 certificates for `gnutls-x509pki'.
1336
1337 :callbacks is an alist of callback functions, see below.
1338
1339 :loglevel is the debug level requested from GnuTLS, try 4.
1340
1341 :verify-flags is a bitset as per GnuTLS'
1342 gnutls_certificate_set_verify_flags.
1343
1344 :verify-hostname-error is ignored. Pass :hostname in :verify-error
1345 instead.
1346
1347 :verify-error is a list of symbols to express verification checks or
1348 t to do all checks. Currently it can contain `:trustfiles' and
1349 `:hostname' to verify the certificate or the hostname respectively.
1350
1351 :min-prime-bits is the minimum accepted number of bits the client will
1352 accept in Diffie-Hellman key exchange.
1353
1354 The debug level will be set for this process AND globally for GnuTLS.
1355 So if you set it higher or lower at any point, it affects global
1356 debugging.
1357
1358 Note that the priority is set on the client. The server does not use
1359 the protocols's priority except for disabling protocols that were not
1360 specified.
1361
1362 Processes must be initialized with this function before other GnuTLS
1363 functions are used. This function allocates resources which can only
1364 be deallocated by calling `gnutls-deinit' or by calling it again.
1365
1366 The callbacks alist can have a `verify' key, associated with a
1367 verification function (UNUSED).
1368
1369 Each authentication type may need additional information in order to
1370 work. For X.509 PKI (`gnutls-x509pki'), you probably need at least
1371 one trustfile (usually a CA bundle). */)
1372 (Lisp_Object proc, Lisp_Object type, Lisp_Object proplist)
1373 {
1374 int ret = GNUTLS_E_SUCCESS;
1375 int max_log_level = 0;
1376
1377 gnutls_session_t state;
1378 gnutls_certificate_credentials_t x509_cred = NULL;
1379 gnutls_anon_client_credentials_t anon_cred = NULL;
1380 Lisp_Object global_init;
1381 char const *priority_string_ptr = "NORMAL"; /* default priority string. */
1382 char *c_hostname;
1383
1384 /* Placeholders for the property list elements. */
1385 Lisp_Object priority_string;
1386 Lisp_Object trustfiles;
1387 Lisp_Object crlfiles;
1388 Lisp_Object keylist;
1389 /* Lisp_Object callbacks; */
1390 Lisp_Object loglevel;
1391 Lisp_Object hostname;
1392 Lisp_Object prime_bits;
1393 struct Lisp_Process *p = XPROCESS (proc);
1394
1395 CHECK_PROCESS (proc);
1396 CHECK_SYMBOL (type);
1397 CHECK_LIST (proplist);
1398
1399 if (NILP (Fgnutls_available_p ()))
1400 {
1401 boot_error (p, "GnuTLS not available");
1402 return Qnil;
1403 }
1404
1405 if (!EQ (type, Qgnutls_x509pki) && !EQ (type, Qgnutls_anon))
1406 {
1407 boot_error (p, "Invalid GnuTLS credential type");
1408 return Qnil;
1409 }
1410
1411 hostname = Fplist_get (proplist, QCgnutls_bootprop_hostname);
1412 priority_string = Fplist_get (proplist, QCgnutls_bootprop_priority);
1413 trustfiles = Fplist_get (proplist, QCgnutls_bootprop_trustfiles);
1414 keylist = Fplist_get (proplist, QCgnutls_bootprop_keylist);
1415 crlfiles = Fplist_get (proplist, QCgnutls_bootprop_crlfiles);
1416 loglevel = Fplist_get (proplist, QCgnutls_bootprop_loglevel);
1417 prime_bits = Fplist_get (proplist, QCgnutls_bootprop_min_prime_bits);
1418
1419 if (!STRINGP (hostname))
1420 {
1421 boot_error (p, "gnutls-boot: invalid :hostname parameter (not a string)");
1422 return Qnil;
1423 }
1424 c_hostname = SSDATA (hostname);
1425
1426 state = XPROCESS (proc)->gnutls_state;
1427
1428 if (TYPE_RANGED_INTEGERP (int, loglevel))
1429 {
1430 gnutls_global_set_log_function (gnutls_log_function);
1431 #ifdef HAVE_GNUTLS3
1432 gnutls_global_set_audit_log_function (gnutls_audit_log_function);
1433 #endif
1434 gnutls_global_set_log_level (XINT (loglevel));
1435 max_log_level = XINT (loglevel);
1436 XPROCESS (proc)->gnutls_log_level = max_log_level;
1437 }
1438
1439 GNUTLS_LOG2 (1, max_log_level, "connecting to host:", c_hostname);
1440
1441 /* Always initialize globals. */
1442 global_init = emacs_gnutls_global_init ();
1443 if (! NILP (Fgnutls_errorp (global_init)))
1444 return global_init;
1445
1446 /* Before allocating new credentials, deallocate any credentials
1447 that PROC might already have. */
1448 emacs_gnutls_deinit (proc);
1449
1450 /* Mark PROC as a GnuTLS process. */
1451 XPROCESS (proc)->gnutls_state = NULL;
1452 XPROCESS (proc)->gnutls_x509_cred = NULL;
1453 XPROCESS (proc)->gnutls_anon_cred = NULL;
1454 pset_gnutls_cred_type (XPROCESS (proc), type);
1455 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_EMPTY;
1456
1457 GNUTLS_LOG (1, max_log_level, "allocating credentials");
1458 if (EQ (type, Qgnutls_x509pki))
1459 {
1460 Lisp_Object verify_flags;
1461 unsigned int gnutls_verify_flags = GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
1462
1463 GNUTLS_LOG (2, max_log_level, "allocating x509 credentials");
1464 check_memory_full (gnutls_certificate_allocate_credentials (&x509_cred));
1465 XPROCESS (proc)->gnutls_x509_cred = x509_cred;
1466
1467 verify_flags = Fplist_get (proplist, QCgnutls_bootprop_verify_flags);
1468 if (NUMBERP (verify_flags))
1469 {
1470 gnutls_verify_flags = XINT (verify_flags);
1471 GNUTLS_LOG (2, max_log_level, "setting verification flags");
1472 }
1473 else if (NILP (verify_flags))
1474 GNUTLS_LOG (2, max_log_level, "using default verification flags");
1475 else
1476 GNUTLS_LOG (2, max_log_level, "ignoring invalid verify-flags");
1477
1478 gnutls_certificate_set_verify_flags (x509_cred, gnutls_verify_flags);
1479 }
1480 else /* Qgnutls_anon: */
1481 {
1482 GNUTLS_LOG (2, max_log_level, "allocating anon credentials");
1483 check_memory_full (gnutls_anon_allocate_client_credentials (&anon_cred));
1484 XPROCESS (proc)->gnutls_anon_cred = anon_cred;
1485 }
1486
1487 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_CRED_ALLOC;
1488
1489 if (EQ (type, Qgnutls_x509pki))
1490 {
1491 /* TODO: GNUTLS_X509_FMT_DER is also an option. */
1492 int file_format = GNUTLS_X509_FMT_PEM;
1493 Lisp_Object tail;
1494
1495 #if GNUTLS_VERSION_MAJOR + \
1496 (GNUTLS_VERSION_MINOR > 0 || GNUTLS_VERSION_PATCH >= 20) > 3
1497 ret = gnutls_certificate_set_x509_system_trust (x509_cred);
1498 if (ret < GNUTLS_E_SUCCESS)
1499 {
1500 check_memory_full (ret);
1501 GNUTLS_LOG2i (4, max_log_level,
1502 "setting system trust failed with code ", ret);
1503 }
1504 #endif
1505
1506 for (tail = trustfiles; CONSP (tail); tail = XCDR (tail))
1507 {
1508 Lisp_Object trustfile = XCAR (tail);
1509 if (STRINGP (trustfile))
1510 {
1511 GNUTLS_LOG2 (1, max_log_level, "setting the trustfile: ",
1512 SSDATA (trustfile));
1513 trustfile = ENCODE_FILE (trustfile);
1514 #ifdef WINDOWSNT
1515 /* Since GnuTLS doesn't support UTF-8 or UTF-16 encoded
1516 file names on Windows, we need to re-encode the file
1517 name using the current ANSI codepage. */
1518 trustfile = ansi_encode_filename (trustfile);
1519 #endif
1520 ret = gnutls_certificate_set_x509_trust_file
1521 (x509_cred,
1522 SSDATA (trustfile),
1523 file_format);
1524
1525 if (ret < GNUTLS_E_SUCCESS)
1526 return gnutls_make_error (ret);
1527 }
1528 else
1529 {
1530 emacs_gnutls_deinit (proc);
1531 boot_error (p, "Invalid trustfile");
1532 return Qnil;
1533 }
1534 }
1535
1536 for (tail = crlfiles; CONSP (tail); tail = XCDR (tail))
1537 {
1538 Lisp_Object crlfile = XCAR (tail);
1539 if (STRINGP (crlfile))
1540 {
1541 GNUTLS_LOG2 (1, max_log_level, "setting the CRL file: ",
1542 SSDATA (crlfile));
1543 crlfile = ENCODE_FILE (crlfile);
1544 #ifdef WINDOWSNT
1545 crlfile = ansi_encode_filename (crlfile);
1546 #endif
1547 ret = gnutls_certificate_set_x509_crl_file
1548 (x509_cred, SSDATA (crlfile), file_format);
1549
1550 if (ret < GNUTLS_E_SUCCESS)
1551 return gnutls_make_error (ret);
1552 }
1553 else
1554 {
1555 emacs_gnutls_deinit (proc);
1556 boot_error (p, "Invalid CRL file");
1557 return Qnil;
1558 }
1559 }
1560
1561 for (tail = keylist; CONSP (tail); tail = XCDR (tail))
1562 {
1563 Lisp_Object keyfile = Fcar (XCAR (tail));
1564 Lisp_Object certfile = Fcar (Fcdr (XCAR (tail)));
1565 if (STRINGP (keyfile) && STRINGP (certfile))
1566 {
1567 GNUTLS_LOG2 (1, max_log_level, "setting the client key file: ",
1568 SSDATA (keyfile));
1569 GNUTLS_LOG2 (1, max_log_level, "setting the client cert file: ",
1570 SSDATA (certfile));
1571 keyfile = ENCODE_FILE (keyfile);
1572 certfile = ENCODE_FILE (certfile);
1573 #ifdef WINDOWSNT
1574 keyfile = ansi_encode_filename (keyfile);
1575 certfile = ansi_encode_filename (certfile);
1576 #endif
1577 ret = gnutls_certificate_set_x509_key_file
1578 (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
1579
1580 if (ret < GNUTLS_E_SUCCESS)
1581 return gnutls_make_error (ret);
1582 }
1583 else
1584 {
1585 emacs_gnutls_deinit (proc);
1586 boot_error (p, STRINGP (keyfile) ? "Invalid client cert file"
1587 : "Invalid client key file");
1588 return Qnil;
1589 }
1590 }
1591 }
1592
1593 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_FILES;
1594 GNUTLS_LOG (1, max_log_level, "gnutls callbacks");
1595 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_CALLBACKS;
1596
1597 /* Call gnutls_init here: */
1598
1599 GNUTLS_LOG (1, max_log_level, "gnutls_init");
1600 ret = gnutls_init (&state, GNUTLS_CLIENT);
1601 XPROCESS (proc)->gnutls_state = state;
1602 if (ret < GNUTLS_E_SUCCESS)
1603 return gnutls_make_error (ret);
1604 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_INIT;
1605
1606 if (STRINGP (priority_string))
1607 {
1608 priority_string_ptr = SSDATA (priority_string);
1609 GNUTLS_LOG2 (1, max_log_level, "got non-default priority string:",
1610 priority_string_ptr);
1611 }
1612 else
1613 {
1614 GNUTLS_LOG2 (1, max_log_level, "using default priority string:",
1615 priority_string_ptr);
1616 }
1617
1618 GNUTLS_LOG (1, max_log_level, "setting the priority string");
1619 ret = gnutls_priority_set_direct (state, priority_string_ptr, NULL);
1620 if (ret < GNUTLS_E_SUCCESS)
1621 return gnutls_make_error (ret);
1622
1623 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_PRIORITY;
1624
1625 if (INTEGERP (prime_bits))
1626 gnutls_dh_set_prime_bits (state, XUINT (prime_bits));
1627
1628 ret = EQ (type, Qgnutls_x509pki)
1629 ? gnutls_credentials_set (state, GNUTLS_CRD_CERTIFICATE, x509_cred)
1630 : gnutls_credentials_set (state, GNUTLS_CRD_ANON, anon_cred);
1631 if (ret < GNUTLS_E_SUCCESS)
1632 return gnutls_make_error (ret);
1633
1634 if (!gnutls_ip_address_p (c_hostname))
1635 {
1636 ret = gnutls_server_name_set (state, GNUTLS_NAME_DNS, c_hostname,
1637 strlen (c_hostname));
1638 if (ret < GNUTLS_E_SUCCESS)
1639 return gnutls_make_error (ret);
1640 }
1641
1642 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_CRED_SET;
1643 ret = emacs_gnutls_handshake (XPROCESS (proc));
1644 if (ret < GNUTLS_E_SUCCESS)
1645 return gnutls_make_error (ret);
1646
1647 return gnutls_verify_boot (proc, proplist);
1648 }
1649
1650 DEFUN ("gnutls-bye", Fgnutls_bye,
1651 Sgnutls_bye, 2, 2, 0,
1652 doc: /* Terminate current GnuTLS connection for process PROC.
1653 The connection should have been initiated using `gnutls-handshake'.
1654
1655 If CONT is not nil the TLS connection gets terminated and further
1656 receives and sends will be disallowed. If the return value is zero you
1657 may continue using the connection. If CONT is nil, GnuTLS actually
1658 sends an alert containing a close request and waits for the peer to
1659 reply with the same message. In order to reuse the connection you
1660 should wait for an EOF from the peer.
1661
1662 This function may also return `gnutls-e-again', or
1663 `gnutls-e-interrupted'. */)
1664 (Lisp_Object proc, Lisp_Object cont)
1665 {
1666 gnutls_session_t state;
1667 int ret;
1668
1669 CHECK_PROCESS (proc);
1670
1671 state = XPROCESS (proc)->gnutls_state;
1672
1673 gnutls_x509_crt_deinit (XPROCESS (proc)->gnutls_certificate);
1674
1675 ret = gnutls_bye (state, NILP (cont) ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
1676
1677 return gnutls_make_error (ret);
1678 }
1679
1680 #endif /* HAVE_GNUTLS */
1681
1682 DEFUN ("gnutls-available-p", Fgnutls_available_p, Sgnutls_available_p, 0, 0, 0,
1683 doc: /* Return t if GnuTLS is available in this instance of Emacs. */)
1684 (void)
1685 {
1686 #ifdef HAVE_GNUTLS
1687 # ifdef WINDOWSNT
1688 Lisp_Object found = Fassq (Qgnutls_dll, Vlibrary_cache);
1689 if (CONSP (found))
1690 return XCDR (found);
1691 else
1692 {
1693 Lisp_Object status;
1694 status = init_gnutls_functions () ? Qt : Qnil;
1695 Vlibrary_cache = Fcons (Fcons (Qgnutls_dll, status), Vlibrary_cache);
1696 return status;
1697 }
1698 # else /* !WINDOWSNT */
1699 return Qt;
1700 # endif /* !WINDOWSNT */
1701 #else /* !HAVE_GNUTLS */
1702 return Qnil;
1703 #endif /* !HAVE_GNUTLS */
1704 }
1705
1706 void
1707 syms_of_gnutls (void)
1708 {
1709 DEFSYM (Qlibgnutls_version, "libgnutls-version");
1710 Fset (Qlibgnutls_version,
1711 #ifdef HAVE_GNUTLS
1712 make_number (GNUTLS_VERSION_MAJOR * 10000
1713 + GNUTLS_VERSION_MINOR * 100
1714 + GNUTLS_VERSION_PATCH)
1715 #else
1716 make_number (-1)
1717 #endif
1718 );
1719 #ifdef HAVE_GNUTLS
1720 gnutls_global_initialized = 0;
1721
1722 DEFSYM (Qgnutls_code, "gnutls-code");
1723 DEFSYM (Qgnutls_anon, "gnutls-anon");
1724 DEFSYM (Qgnutls_x509pki, "gnutls-x509pki");
1725
1726 /* The following are for the property list of 'gnutls-boot'. */
1727 DEFSYM (QCgnutls_bootprop_hostname, ":hostname");
1728 DEFSYM (QCgnutls_bootprop_priority, ":priority");
1729 DEFSYM (QCgnutls_bootprop_trustfiles, ":trustfiles");
1730 DEFSYM (QCgnutls_bootprop_keylist, ":keylist");
1731 DEFSYM (QCgnutls_bootprop_crlfiles, ":crlfiles");
1732 DEFSYM (QCgnutls_bootprop_min_prime_bits, ":min-prime-bits");
1733 DEFSYM (QCgnutls_bootprop_loglevel, ":loglevel");
1734 DEFSYM (QCgnutls_bootprop_verify_flags, ":verify-flags");
1735 DEFSYM (QCgnutls_bootprop_verify_error, ":verify-error");
1736
1737 DEFSYM (Qgnutls_e_interrupted, "gnutls-e-interrupted");
1738 Fput (Qgnutls_e_interrupted, Qgnutls_code,
1739 make_number (GNUTLS_E_INTERRUPTED));
1740
1741 DEFSYM (Qgnutls_e_again, "gnutls-e-again");
1742 Fput (Qgnutls_e_again, Qgnutls_code,
1743 make_number (GNUTLS_E_AGAIN));
1744
1745 DEFSYM (Qgnutls_e_invalid_session, "gnutls-e-invalid-session");
1746 Fput (Qgnutls_e_invalid_session, Qgnutls_code,
1747 make_number (GNUTLS_E_INVALID_SESSION));
1748
1749 DEFSYM (Qgnutls_e_not_ready_for_handshake, "gnutls-e-not-ready-for-handshake");
1750 Fput (Qgnutls_e_not_ready_for_handshake, Qgnutls_code,
1751 make_number (GNUTLS_E_APPLICATION_ERROR_MIN));
1752
1753 defsubr (&Sgnutls_get_initstage);
1754 defsubr (&Sgnutls_asynchronous_parameters);
1755 defsubr (&Sgnutls_errorp);
1756 defsubr (&Sgnutls_error_fatalp);
1757 defsubr (&Sgnutls_error_string);
1758 defsubr (&Sgnutls_boot);
1759 defsubr (&Sgnutls_deinit);
1760 defsubr (&Sgnutls_bye);
1761 defsubr (&Sgnutls_peer_status);
1762 defsubr (&Sgnutls_peer_status_warning_describe);
1763
1764 DEFVAR_INT ("gnutls-log-level", global_gnutls_log_level,
1765 doc: /* Logging level used by the GnuTLS functions.
1766 Set this larger than 0 to get debug output in the *Messages* buffer.
1767 1 is for important messages, 2 is for debug data, and higher numbers
1768 are as per the GnuTLS logging conventions. */);
1769 global_gnutls_log_level = 0;
1770
1771 #endif /* HAVE_GNUTLS */
1772
1773 defsubr (&Sgnutls_available_p);
1774 }