]> code.delx.au - gnu-emacs/blob - src/gnutls.c
delx.au / code / gnu-emacs / blob


c7efbcc7cc9ccea721e80a05961d08e5e691d3d8
[gnu-emacs] / src / gnutls.c
1 /* GnuTLS glue for GNU Emacs.
2 Copyright (C) 2010-2016 Free Software Foundation, Inc.
3
4 This file is part of GNU Emacs.
5
6 GNU Emacs is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, either version 3 of the License, or (at
9 your option) any later version.
10
11 GNU Emacs is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>. */
18
19 #include <config.h>
20 #include <errno.h>
21 #include <stdio.h>
22
23 #include "lisp.h"
24 #include "process.h"
25 #include "gnutls.h"
26 #include "coding.h"
27
28 #ifdef HAVE_GNUTLS
29 #include <gnutls/gnutls.h>
30
31 #ifdef WINDOWSNT
32 #include <windows.h>
33 #include "w32.h"
34 #endif
35
36 static bool emacs_gnutls_handle_error (gnutls_session_t, int);
37
38 static bool gnutls_global_initialized;
39
40 static void gnutls_log_function (int, const char *);
41 static void gnutls_log_function2 (int, const char *, const char *);
42 #ifdef HAVE_GNUTLS3
43 static void gnutls_audit_log_function (gnutls_session_t, const char *);
44 #endif
45
46 enum extra_peer_verification
47 {
48 CERTIFICATE_NOT_MATCHING = 2
49 };
50
51 \f
52 #ifdef WINDOWSNT
53
54 DEF_DLL_FN (gnutls_alert_description_t, gnutls_alert_get,
55 (gnutls_session_t));
56 DEF_DLL_FN (const char *, gnutls_alert_get_name,
57 (gnutls_alert_description_t));
58 DEF_DLL_FN (int, gnutls_alert_send_appropriate, (gnutls_session_t, int));
59 DEF_DLL_FN (int, gnutls_anon_allocate_client_credentials,
60 (gnutls_anon_client_credentials_t *));
61 DEF_DLL_FN (void, gnutls_anon_free_client_credentials,
62 (gnutls_anon_client_credentials_t));
63 DEF_DLL_FN (int, gnutls_bye, (gnutls_session_t, gnutls_close_request_t));
64 DEF_DLL_FN (int, gnutls_certificate_allocate_credentials,
65 (gnutls_certificate_credentials_t *));
66 DEF_DLL_FN (void, gnutls_certificate_free_credentials,
67 (gnutls_certificate_credentials_t));
68 DEF_DLL_FN (const gnutls_datum_t *, gnutls_certificate_get_peers,
69 (gnutls_session_t, unsigned int *));
70 DEF_DLL_FN (void, gnutls_certificate_set_verify_flags,
71 (gnutls_certificate_credentials_t, unsigned int));
72 DEF_DLL_FN (int, gnutls_certificate_set_x509_crl_file,
73 (gnutls_certificate_credentials_t, const char *,
74 gnutls_x509_crt_fmt_t));
75 DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file,
76 (gnutls_certificate_credentials_t, const char *, const char *,
77 gnutls_x509_crt_fmt_t));
78 # if ((GNUTLS_VERSION_MAJOR \
79 + (GNUTLS_VERSION_MINOR > 0 || GNUTLS_VERSION_PATCH >= 20)) \
80 > 3)
81 DEF_DLL_FN (int, gnutls_certificate_set_x509_system_trust,
82 (gnutls_certificate_credentials_t));
83 # endif
84 DEF_DLL_FN (int, gnutls_certificate_set_x509_trust_file,
85 (gnutls_certificate_credentials_t, const char *,
86 gnutls_x509_crt_fmt_t));
87 DEF_DLL_FN (gnutls_certificate_type_t, gnutls_certificate_type_get,
88 (gnutls_session_t));
89 DEF_DLL_FN (int, gnutls_certificate_verify_peers2,
90 (gnutls_session_t, unsigned int *));
91 DEF_DLL_FN (int, gnutls_credentials_set,
92 (gnutls_session_t, gnutls_credentials_type_t, void *));
93 DEF_DLL_FN (void, gnutls_deinit, (gnutls_session_t));
94 DEF_DLL_FN (void, gnutls_dh_set_prime_bits,
95 (gnutls_session_t, unsigned int));
96 DEF_DLL_FN (int, gnutls_dh_get_prime_bits, (gnutls_session_t));
97 DEF_DLL_FN (int, gnutls_error_is_fatal, (int));
98 DEF_DLL_FN (int, gnutls_global_init, (void));
99 DEF_DLL_FN (void, gnutls_global_set_log_function, (gnutls_log_func));
100 # ifdef HAVE_GNUTLS3
101 DEF_DLL_FN (void, gnutls_global_set_audit_log_function, (gnutls_audit_log_func));
102 # endif
103 DEF_DLL_FN (void, gnutls_global_set_log_level, (int));
104 DEF_DLL_FN (int, gnutls_handshake, (gnutls_session_t));
105 DEF_DLL_FN (int, gnutls_init, (gnutls_session_t *, unsigned int));
106 DEF_DLL_FN (int, gnutls_priority_set_direct,
107 (gnutls_session_t, const char *, const char **));
108 DEF_DLL_FN (size_t, gnutls_record_check_pending, (gnutls_session_t));
109 DEF_DLL_FN (ssize_t, gnutls_record_recv, (gnutls_session_t, void *, size_t));
110 DEF_DLL_FN (ssize_t, gnutls_record_send,
111 (gnutls_session_t, const void *, size_t));
112 DEF_DLL_FN (const char *, gnutls_strerror, (int));
113 DEF_DLL_FN (void, gnutls_transport_set_errno, (gnutls_session_t, int));
114 DEF_DLL_FN (const char *, gnutls_check_version, (const char *));
115 DEF_DLL_FN (void, gnutls_transport_set_lowat, (gnutls_session_t, int));
116 DEF_DLL_FN (void, gnutls_transport_set_ptr2,
117 (gnutls_session_t, gnutls_transport_ptr_t,
118 gnutls_transport_ptr_t));
119 DEF_DLL_FN (void, gnutls_transport_set_pull_function,
120 (gnutls_session_t, gnutls_pull_func));
121 DEF_DLL_FN (void, gnutls_transport_set_push_function,
122 (gnutls_session_t, gnutls_push_func));
123 DEF_DLL_FN (int, gnutls_x509_crt_check_hostname,
124 (gnutls_x509_crt_t, const char *));
125 DEF_DLL_FN (int, gnutls_x509_crt_check_issuer,
126 (gnutls_x509_crt_t, gnutls_x509_crt_t));
127 DEF_DLL_FN (void, gnutls_x509_crt_deinit, (gnutls_x509_crt_t));
128 DEF_DLL_FN (int, gnutls_x509_crt_import,
129 (gnutls_x509_crt_t, const gnutls_datum_t *,
130 gnutls_x509_crt_fmt_t));
131 DEF_DLL_FN (int, gnutls_x509_crt_init, (gnutls_x509_crt_t *));
132 DEF_DLL_FN (int, gnutls_x509_crt_get_fingerprint,
133 (gnutls_x509_crt_t,
134 gnutls_digest_algorithm_t, void *, size_t *));
135 DEF_DLL_FN (int, gnutls_x509_crt_get_version,
136 (gnutls_x509_crt_t));
137 DEF_DLL_FN (int, gnutls_x509_crt_get_serial,
138 (gnutls_x509_crt_t, void *, size_t *));
139 DEF_DLL_FN (int, gnutls_x509_crt_get_issuer_dn,
140 (gnutls_x509_crt_t, char *, size_t *));
141 DEF_DLL_FN (time_t, gnutls_x509_crt_get_activation_time,
142 (gnutls_x509_crt_t));
143 DEF_DLL_FN (time_t, gnutls_x509_crt_get_expiration_time,
144 (gnutls_x509_crt_t));
145 DEF_DLL_FN (int, gnutls_x509_crt_get_dn,
146 (gnutls_x509_crt_t, char *, size_t *));
147 DEF_DLL_FN (int, gnutls_x509_crt_get_pk_algorithm,
148 (gnutls_x509_crt_t, unsigned int *));
149 DEF_DLL_FN (const char*, gnutls_pk_algorithm_get_name,
150 (gnutls_pk_algorithm_t));
151 DEF_DLL_FN (int, gnutls_pk_bits_to_sec_param,
152 (gnutls_pk_algorithm_t, unsigned int));
153 DEF_DLL_FN (int, gnutls_x509_crt_get_issuer_unique_id,
154 (gnutls_x509_crt_t, char *, size_t *));
155 DEF_DLL_FN (int, gnutls_x509_crt_get_subject_unique_id,
156 (gnutls_x509_crt_t, char *, size_t *));
157 DEF_DLL_FN (int, gnutls_x509_crt_get_signature_algorithm,
158 (gnutls_x509_crt_t));
159 DEF_DLL_FN (int, gnutls_x509_crt_get_signature,
160 (gnutls_x509_crt_t, char *, size_t *));
161 DEF_DLL_FN (int, gnutls_x509_crt_get_key_id,
162 (gnutls_x509_crt_t, unsigned int, unsigned char *, size_t *_size));
163 DEF_DLL_FN (const char*, gnutls_sec_param_get_name, (gnutls_sec_param_t));
164 DEF_DLL_FN (const char*, gnutls_sign_get_name, (gnutls_sign_algorithm_t));
165 DEF_DLL_FN (int, gnutls_server_name_set,
166 (gnutls_session_t, gnutls_server_name_type_t,
167 const void *, size_t));
168 DEF_DLL_FN (gnutls_kx_algorithm_t, gnutls_kx_get, (gnutls_session_t));
169 DEF_DLL_FN (const char*, gnutls_kx_get_name, (gnutls_kx_algorithm_t));
170 DEF_DLL_FN (gnutls_protocol_t, gnutls_protocol_get_version,
171 (gnutls_session_t));
172 DEF_DLL_FN (const char*, gnutls_protocol_get_name, (gnutls_protocol_t));
173 DEF_DLL_FN (gnutls_cipher_algorithm_t, gnutls_cipher_get,
174 (gnutls_session_t));
175 DEF_DLL_FN (const char*, gnutls_cipher_get_name,
176 (gnutls_cipher_algorithm_t));
177 DEF_DLL_FN (gnutls_mac_algorithm_t, gnutls_mac_get, (gnutls_session_t));
178 DEF_DLL_FN (const char*, gnutls_mac_get_name, (gnutls_mac_algorithm_t));
179
180
181 static bool
182 init_gnutls_functions (void)
183 {
184 HMODULE library;
185 int max_log_level = 1;
186
187 if (!(library = w32_delayed_load (Qgnutls)))
188 {
189 GNUTLS_LOG (1, max_log_level, "GnuTLS library not found");
190 return 0;
191 }
192
193 LOAD_DLL_FN (library, gnutls_alert_get);
194 LOAD_DLL_FN (library, gnutls_alert_get_name);
195 LOAD_DLL_FN (library, gnutls_alert_send_appropriate);
196 LOAD_DLL_FN (library, gnutls_anon_allocate_client_credentials);
197 LOAD_DLL_FN (library, gnutls_anon_free_client_credentials);
198 LOAD_DLL_FN (library, gnutls_bye);
199 LOAD_DLL_FN (library, gnutls_certificate_allocate_credentials);
200 LOAD_DLL_FN (library, gnutls_certificate_free_credentials);
201 LOAD_DLL_FN (library, gnutls_certificate_get_peers);
202 LOAD_DLL_FN (library, gnutls_certificate_set_verify_flags);
203 LOAD_DLL_FN (library, gnutls_certificate_set_x509_crl_file);
204 LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file);
205 # if ((GNUTLS_VERSION_MAJOR \
206 + (GNUTLS_VERSION_MINOR > 0 || GNUTLS_VERSION_PATCH >= 20)) \
207 > 3)
208 LOAD_DLL_FN (library, gnutls_certificate_set_x509_system_trust);
209 # endif
210 LOAD_DLL_FN (library, gnutls_certificate_set_x509_trust_file);
211 LOAD_DLL_FN (library, gnutls_certificate_type_get);
212 LOAD_DLL_FN (library, gnutls_certificate_verify_peers2);
213 LOAD_DLL_FN (library, gnutls_credentials_set);
214 LOAD_DLL_FN (library, gnutls_deinit);
215 LOAD_DLL_FN (library, gnutls_dh_set_prime_bits);
216 LOAD_DLL_FN (library, gnutls_dh_get_prime_bits);
217 LOAD_DLL_FN (library, gnutls_error_is_fatal);
218 LOAD_DLL_FN (library, gnutls_global_init);
219 LOAD_DLL_FN (library, gnutls_global_set_log_function);
220 # ifdef HAVE_GNUTLS3
221 LOAD_DLL_FN (library, gnutls_global_set_audit_log_function);
222 # endif
223 LOAD_DLL_FN (library, gnutls_global_set_log_level);
224 LOAD_DLL_FN (library, gnutls_handshake);
225 LOAD_DLL_FN (library, gnutls_init);
226 LOAD_DLL_FN (library, gnutls_priority_set_direct);
227 LOAD_DLL_FN (library, gnutls_record_check_pending);
228 LOAD_DLL_FN (library, gnutls_record_recv);
229 LOAD_DLL_FN (library, gnutls_record_send);
230 LOAD_DLL_FN (library, gnutls_strerror);
231 LOAD_DLL_FN (library, gnutls_transport_set_errno);
232 LOAD_DLL_FN (library, gnutls_check_version);
233 /* We don't need to call gnutls_transport_set_lowat in GnuTLS 2.11.1
234 and later, and the function was removed entirely in 3.0.0. */
235 if (!fn_gnutls_check_version ("2.11.1"))
236 LOAD_DLL_FN (library, gnutls_transport_set_lowat);
237 LOAD_DLL_FN (library, gnutls_transport_set_ptr2);
238 LOAD_DLL_FN (library, gnutls_transport_set_pull_function);
239 LOAD_DLL_FN (library, gnutls_transport_set_push_function);
240 LOAD_DLL_FN (library, gnutls_x509_crt_check_hostname);
241 LOAD_DLL_FN (library, gnutls_x509_crt_check_issuer);
242 LOAD_DLL_FN (library, gnutls_x509_crt_deinit);
243 LOAD_DLL_FN (library, gnutls_x509_crt_import);
244 LOAD_DLL_FN (library, gnutls_x509_crt_init);
245 LOAD_DLL_FN (library, gnutls_x509_crt_get_fingerprint);
246 LOAD_DLL_FN (library, gnutls_x509_crt_get_version);
247 LOAD_DLL_FN (library, gnutls_x509_crt_get_serial);
248 LOAD_DLL_FN (library, gnutls_x509_crt_get_issuer_dn);
249 LOAD_DLL_FN (library, gnutls_x509_crt_get_activation_time);
250 LOAD_DLL_FN (library, gnutls_x509_crt_get_expiration_time);
251 LOAD_DLL_FN (library, gnutls_x509_crt_get_dn);
252 LOAD_DLL_FN (library, gnutls_x509_crt_get_pk_algorithm);
253 LOAD_DLL_FN (library, gnutls_pk_algorithm_get_name);
254 LOAD_DLL_FN (library, gnutls_pk_bits_to_sec_param);
255 LOAD_DLL_FN (library, gnutls_x509_crt_get_issuer_unique_id);
256 LOAD_DLL_FN (library, gnutls_x509_crt_get_subject_unique_id);
257 LOAD_DLL_FN (library, gnutls_x509_crt_get_signature_algorithm);
258 LOAD_DLL_FN (library, gnutls_x509_crt_get_signature);
259 LOAD_DLL_FN (library, gnutls_x509_crt_get_key_id);
260 LOAD_DLL_FN (library, gnutls_sec_param_get_name);
261 LOAD_DLL_FN (library, gnutls_sign_get_name);
262 LOAD_DLL_FN (library, gnutls_server_name_set);
263 LOAD_DLL_FN (library, gnutls_kx_get);
264 LOAD_DLL_FN (library, gnutls_kx_get_name);
265 LOAD_DLL_FN (library, gnutls_protocol_get_version);
266 LOAD_DLL_FN (library, gnutls_protocol_get_name);
267 LOAD_DLL_FN (library, gnutls_cipher_get);
268 LOAD_DLL_FN (library, gnutls_cipher_get_name);
269 LOAD_DLL_FN (library, gnutls_mac_get);
270 LOAD_DLL_FN (library, gnutls_mac_get_name);
271
272 max_log_level = global_gnutls_log_level;
273
274 {
275 Lisp_Object name = CAR_SAFE (Fget (Qgnutls, QCloaded_from));
276 GNUTLS_LOG2 (1, max_log_level, "GnuTLS library loaded:",
277 STRINGP (name) ? (const char *) SDATA (name) : "unknown");
278 }
279
280 return 1;
281 }
282
283 # define gnutls_alert_get fn_gnutls_alert_get
284 # define gnutls_alert_get_name fn_gnutls_alert_get_name
285 # define gnutls_alert_send_appropriate fn_gnutls_alert_send_appropriate
286 # define gnutls_anon_allocate_client_credentials fn_gnutls_anon_allocate_client_credentials
287 # define gnutls_anon_free_client_credentials fn_gnutls_anon_free_client_credentials
288 # define gnutls_bye fn_gnutls_bye
289 # define gnutls_certificate_allocate_credentials fn_gnutls_certificate_allocate_credentials
290 # define gnutls_certificate_free_credentials fn_gnutls_certificate_free_credentials
291 # define gnutls_certificate_get_peers fn_gnutls_certificate_get_peers
292 # define gnutls_certificate_set_verify_flags fn_gnutls_certificate_set_verify_flags
293 # define gnutls_certificate_set_x509_crl_file fn_gnutls_certificate_set_x509_crl_file
294 # define gnutls_certificate_set_x509_key_file fn_gnutls_certificate_set_x509_key_file
295 # define gnutls_certificate_set_x509_system_trust fn_gnutls_certificate_set_x509_system_trust
296 # define gnutls_certificate_set_x509_trust_file fn_gnutls_certificate_set_x509_trust_file
297 # define gnutls_certificate_type_get fn_gnutls_certificate_type_get
298 # define gnutls_certificate_verify_peers2 fn_gnutls_certificate_verify_peers2
299 # define gnutls_check_version fn_gnutls_check_version
300 # define gnutls_cipher_get fn_gnutls_cipher_get
301 # define gnutls_cipher_get_name fn_gnutls_cipher_get_name
302 # define gnutls_credentials_set fn_gnutls_credentials_set
303 # define gnutls_deinit fn_gnutls_deinit
304 # define gnutls_dh_get_prime_bits fn_gnutls_dh_get_prime_bits
305 # define gnutls_dh_set_prime_bits fn_gnutls_dh_set_prime_bits
306 # define gnutls_error_is_fatal fn_gnutls_error_is_fatal
307 # define gnutls_global_init fn_gnutls_global_init
308 # define gnutls_global_set_audit_log_function fn_gnutls_global_set_audit_log_function
309 # define gnutls_global_set_log_function fn_gnutls_global_set_log_function
310 # define gnutls_global_set_log_level fn_gnutls_global_set_log_level
311 # define gnutls_handshake fn_gnutls_handshake
312 # define gnutls_init fn_gnutls_init
313 # define gnutls_kx_get fn_gnutls_kx_get
314 # define gnutls_kx_get_name fn_gnutls_kx_get_name
315 # define gnutls_mac_get fn_gnutls_mac_get
316 # define gnutls_mac_get_name fn_gnutls_mac_get_name
317 # define gnutls_pk_algorithm_get_name fn_gnutls_pk_algorithm_get_name
318 # define gnutls_pk_bits_to_sec_param fn_gnutls_pk_bits_to_sec_param
319 # define gnutls_priority_set_direct fn_gnutls_priority_set_direct
320 # define gnutls_protocol_get_name fn_gnutls_protocol_get_name
321 # define gnutls_protocol_get_version fn_gnutls_protocol_get_version
322 # define gnutls_record_check_pending fn_gnutls_record_check_pending
323 # define gnutls_record_recv fn_gnutls_record_recv
324 # define gnutls_record_send fn_gnutls_record_send
325 # define gnutls_sec_param_get_name fn_gnutls_sec_param_get_name
326 # define gnutls_server_name_set fn_gnutls_server_name_set
327 # define gnutls_sign_get_name fn_gnutls_sign_get_name
328 # define gnutls_strerror fn_gnutls_strerror
329 # define gnutls_transport_set_errno fn_gnutls_transport_set_errno
330 # define gnutls_transport_set_lowat fn_gnutls_transport_set_lowat
331 # define gnutls_transport_set_ptr2 fn_gnutls_transport_set_ptr2
332 # define gnutls_transport_set_pull_function fn_gnutls_transport_set_pull_function
333 # define gnutls_transport_set_push_function fn_gnutls_transport_set_push_function
334 # define gnutls_x509_crt_check_hostname fn_gnutls_x509_crt_check_hostname
335 # define gnutls_x509_crt_check_issuer fn_gnutls_x509_crt_check_issuer
336 # define gnutls_x509_crt_deinit fn_gnutls_x509_crt_deinit
337 # define gnutls_x509_crt_get_activation_time fn_gnutls_x509_crt_get_activation_time
338 # define gnutls_x509_crt_get_dn fn_gnutls_x509_crt_get_dn
339 # define gnutls_x509_crt_get_expiration_time fn_gnutls_x509_crt_get_expiration_time
340 # define gnutls_x509_crt_get_fingerprint fn_gnutls_x509_crt_get_fingerprint
341 # define gnutls_x509_crt_get_issuer_dn fn_gnutls_x509_crt_get_issuer_dn
342 # define gnutls_x509_crt_get_issuer_unique_id fn_gnutls_x509_crt_get_issuer_unique_id
343 # define gnutls_x509_crt_get_key_id fn_gnutls_x509_crt_get_key_id
344 # define gnutls_x509_crt_get_pk_algorithm fn_gnutls_x509_crt_get_pk_algorithm
345 # define gnutls_x509_crt_get_serial fn_gnutls_x509_crt_get_serial
346 # define gnutls_x509_crt_get_signature fn_gnutls_x509_crt_get_signature
347 # define gnutls_x509_crt_get_signature_algorithm fn_gnutls_x509_crt_get_signature_algorithm
348 # define gnutls_x509_crt_get_subject_unique_id fn_gnutls_x509_crt_get_subject_unique_id
349 # define gnutls_x509_crt_get_version fn_gnutls_x509_crt_get_version
350 # define gnutls_x509_crt_import fn_gnutls_x509_crt_import
351 # define gnutls_x509_crt_init fn_gnutls_x509_crt_init
352
353 #endif
354
355 \f
356 /* Report memory exhaustion if ERR is an out-of-memory indication. */
357 static void
358 check_memory_full (int err)
359 {
360 /* When GnuTLS exhausts memory, it doesn't say how much memory it
361 asked for, so tell the Emacs allocator that GnuTLS asked for no
362 bytes. This isn't accurate, but it's good enough. */
363 if (err == GNUTLS_E_MEMORY_ERROR)
364 memory_full (0);
365 }
366
367 #ifdef HAVE_GNUTLS3
368 /* Log a simple audit message. */
369 static void
370 gnutls_audit_log_function (gnutls_session_t session, const char *string)
371 {
372 if (global_gnutls_log_level >= 1)
373 {
374 message ("gnutls.c: [audit] %s", string);
375 }
376 }
377 #endif
378
379 /* Log a simple message. */
380 static void
381 gnutls_log_function (int level, const char *string)
382 {
383 message ("gnutls.c: [%d] %s", level, string);
384 }
385
386 /* Log a message and a string. */
387 static void
388 gnutls_log_function2 (int level, const char *string, const char *extra)
389 {
390 message ("gnutls.c: [%d] %s %s", level, string, extra);
391 }
392
393 /* Log a message and an integer. */
394 static void
395 gnutls_log_function2i (int level, const char *string, int extra)
396 {
397 message ("gnutls.c: [%d] %s %d", level, string, extra);
398 }
399
400 int
401 gnutls_try_handshake (struct Lisp_Process *proc)
402 {
403 gnutls_session_t state = proc->gnutls_state;
404 int ret;
405 bool non_blocking = proc->is_non_blocking_client;
406
407 if (proc->gnutls_complete_negotiation_p)
408 non_blocking = false;
409
410 if (non_blocking)
411 proc->gnutls_p = true;
412
413 do
414 {
415 ret = gnutls_handshake (state);
416 emacs_gnutls_handle_error (state, ret);
417 QUIT;
418 }
419 while (ret < 0
420 && gnutls_error_is_fatal (ret) == 0
421 && ! non_blocking);
422
423 proc->gnutls_initstage = GNUTLS_STAGE_HANDSHAKE_TRIED;
424
425 if (ret == GNUTLS_E_SUCCESS)
426 {
427 /* Here we're finally done. */
428 proc->gnutls_initstage = GNUTLS_STAGE_READY;
429 }
430 else
431 {
432 /* check_memory_full (gnutls_alert_send_appropriate (state, ret)); */
433 }
434 return ret;
435 }
436
437 static int
438 emacs_gnutls_handshake (struct Lisp_Process *proc)
439 {
440 gnutls_session_t state = proc->gnutls_state;
441
442 if (proc->gnutls_initstage < GNUTLS_STAGE_HANDSHAKE_CANDO)
443 return -1;
444
445 if (proc->gnutls_initstage < GNUTLS_STAGE_TRANSPORT_POINTERS_SET)
446 {
447 #ifdef WINDOWSNT
448 /* On W32 we cannot transfer socket handles between different runtime
449 libraries, so we tell GnuTLS to use our special push/pull
450 functions. */
451 gnutls_transport_set_ptr2 (state,
452 (gnutls_transport_ptr_t) proc,
453 (gnutls_transport_ptr_t) proc);
454 gnutls_transport_set_push_function (state, &emacs_gnutls_push);
455 gnutls_transport_set_pull_function (state, &emacs_gnutls_pull);
456
457 /* For non blocking sockets or other custom made pull/push
458 functions the gnutls_transport_set_lowat must be called, with
459 a zero low water mark value. (GnuTLS 2.10.4 documentation)
460
461 (Note: this is probably not strictly necessary as the lowat
462 value is only used when no custom pull/push functions are
463 set.) */
464 /* According to GnuTLS NEWS file, lowat level has been set to
465 zero by default in version 2.11.1, and the function
466 gnutls_transport_set_lowat was removed from the library in
467 version 2.99.0. */
468 if (!gnutls_check_version ("2.11.1"))
469 gnutls_transport_set_lowat (state, 0);
470 #else
471 /* This is how GnuTLS takes sockets: as file descriptors passed
472 in. For an Emacs process socket, infd and outfd are the
473 same but we use this two-argument version for clarity. */
474 gnutls_transport_set_ptr2 (state,
475 (void *) (intptr_t) proc->infd,
476 (void *) (intptr_t) proc->outfd);
477 #endif
478
479 proc->gnutls_initstage = GNUTLS_STAGE_TRANSPORT_POINTERS_SET;
480 }
481
482 return gnutls_try_handshake (proc);
483 }
484
485 ptrdiff_t
486 emacs_gnutls_record_check_pending (gnutls_session_t state)
487 {
488 return gnutls_record_check_pending (state);
489 }
490
491 #ifdef WINDOWSNT
492 void
493 emacs_gnutls_transport_set_errno (gnutls_session_t state, int err)
494 {
495 gnutls_transport_set_errno (state, err);
496 }
497 #endif
498
499 ptrdiff_t
500 emacs_gnutls_write (struct Lisp_Process *proc, const char *buf, ptrdiff_t nbyte)
501 {
502 ssize_t rtnval = 0;
503 ptrdiff_t bytes_written;
504 gnutls_session_t state = proc->gnutls_state;
505
506 if (proc->gnutls_initstage != GNUTLS_STAGE_READY)
507 {
508 errno = EAGAIN;
509 return 0;
510 }
511
512 bytes_written = 0;
513
514 while (nbyte > 0)
515 {
516 rtnval = gnutls_record_send (state, buf, nbyte);
517
518 if (rtnval < 0)
519 {
520 if (rtnval == GNUTLS_E_INTERRUPTED)
521 continue;
522 else
523 {
524 /* If we get GNUTLS_E_AGAIN, then set errno
525 appropriately so that send_process retries the
526 correct way instead of erroring out. */
527 if (rtnval == GNUTLS_E_AGAIN)
528 errno = EAGAIN;
529 break;
530 }
531 }
532
533 buf += rtnval;
534 nbyte -= rtnval;
535 bytes_written += rtnval;
536 }
537
538 emacs_gnutls_handle_error (state, rtnval);
539 return (bytes_written);
540 }
541
542 ptrdiff_t
543 emacs_gnutls_read (struct Lisp_Process *proc, char *buf, ptrdiff_t nbyte)
544 {
545 ssize_t rtnval;
546 gnutls_session_t state = proc->gnutls_state;
547
548 if (proc->gnutls_initstage != GNUTLS_STAGE_READY)
549 {
550 errno = EAGAIN;
551 return -1;
552 }
553
554 rtnval = gnutls_record_recv (state, buf, nbyte);
555 if (rtnval >= 0)
556 return rtnval;
557 else if (rtnval == GNUTLS_E_UNEXPECTED_PACKET_LENGTH)
558 /* The peer closed the connection. */
559 return 0;
560 else if (emacs_gnutls_handle_error (state, rtnval))
561 /* non-fatal error */
562 return -1;
563 else {
564 /* a fatal error occurred */
565 return 0;
566 }
567 }
568
569 /* Report a GnuTLS error to the user.
570 Return true if the error code was successfully handled. */
571 static bool
572 emacs_gnutls_handle_error (gnutls_session_t session, int err)
573 {
574 int max_log_level = 0;
575
576 bool ret;
577 const char *str;
578
579 /* TODO: use a Lisp_Object generated by gnutls_make_error? */
580 if (err >= 0)
581 return 1;
582
583 check_memory_full (err);
584
585 max_log_level = global_gnutls_log_level;
586
587 /* TODO: use gnutls-error-fatalp and gnutls-error-string. */
588
589 str = gnutls_strerror (err);
590 if (!str)
591 str = "unknown";
592
593 if (gnutls_error_is_fatal (err))
594 {
595 ret = 0;
596 GNUTLS_LOG2 (1, max_log_level, "fatal error:", str);
597 }
598 else
599 {
600 ret = 1;
601
602 switch (err)
603 {
604 case GNUTLS_E_AGAIN:
605 GNUTLS_LOG2 (3,
606 max_log_level,
607 "retry:",
608 str);
609 default:
610 GNUTLS_LOG2 (1,
611 max_log_level,
612 "non-fatal error:",
613 str);
614 }
615 }
616
617 if (err == GNUTLS_E_WARNING_ALERT_RECEIVED
618 || err == GNUTLS_E_FATAL_ALERT_RECEIVED)
619 {
620 int alert = gnutls_alert_get (session);
621 int level = (err == GNUTLS_E_FATAL_ALERT_RECEIVED) ? 0 : 1;
622 str = gnutls_alert_get_name (alert);
623 if (!str)
624 str = "unknown";
625
626 GNUTLS_LOG2 (level, max_log_level, "Received alert: ", str);
627 }
628 return ret;
629 }
630
631 /* convert an integer error to a Lisp_Object; it will be either a
632 known symbol like `gnutls_e_interrupted' and `gnutls_e_again' or
633 simply the integer value of the error. GNUTLS_E_SUCCESS is mapped
634 to Qt. */
635 static Lisp_Object
636 gnutls_make_error (int err)
637 {
638 switch (err)
639 {
640 case GNUTLS_E_SUCCESS:
641 return Qt;
642 case GNUTLS_E_AGAIN:
643 return Qgnutls_e_again;
644 case GNUTLS_E_INTERRUPTED:
645 return Qgnutls_e_interrupted;
646 case GNUTLS_E_INVALID_SESSION:
647 return Qgnutls_e_invalid_session;
648 }
649
650 check_memory_full (err);
651 return make_number (err);
652 }
653
654 Lisp_Object
655 emacs_gnutls_deinit (Lisp_Object proc)
656 {
657 int log_level;
658
659 CHECK_PROCESS (proc);
660
661 if (! XPROCESS (proc)->gnutls_p)
662 return Qnil;
663
664 log_level = XPROCESS (proc)->gnutls_log_level;
665
666 if (XPROCESS (proc)->gnutls_x509_cred)
667 {
668 GNUTLS_LOG (2, log_level, "Deallocating x509 credentials");
669 gnutls_certificate_free_credentials (XPROCESS (proc)->gnutls_x509_cred);
670 XPROCESS (proc)->gnutls_x509_cred = NULL;
671 }
672
673 if (XPROCESS (proc)->gnutls_anon_cred)
674 {
675 GNUTLS_LOG (2, log_level, "Deallocating anon credentials");
676 gnutls_anon_free_client_credentials (XPROCESS (proc)->gnutls_anon_cred);
677 XPROCESS (proc)->gnutls_anon_cred = NULL;
678 }
679
680 if (XPROCESS (proc)->gnutls_state)
681 {
682 gnutls_deinit (XPROCESS (proc)->gnutls_state);
683 XPROCESS (proc)->gnutls_state = NULL;
684 if (GNUTLS_INITSTAGE (proc) >= GNUTLS_STAGE_INIT)
685 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_INIT - 1;
686 }
687
688 XPROCESS (proc)->gnutls_p = false;
689 return Qt;
690 }
691
692 DEFUN ("gnutls-asynchronous-parameters", Fgnutls_asynchronous_parameters,
693 Sgnutls_asynchronous_parameters, 2, 2, 0,
694 doc: /* Mark this process as being a pre-init GnuTLS process.
695 The second parameter is the list of parameters to feed to gnutls-boot
696 to finish setting up the connection. */)
697 (Lisp_Object proc, Lisp_Object params)
698 {
699 CHECK_PROCESS (proc);
700
701 XPROCESS (proc)->gnutls_boot_parameters = params;
702 return Qnil;
703 }
704
705 DEFUN ("gnutls-get-initstage", Fgnutls_get_initstage, Sgnutls_get_initstage, 1, 1, 0,
706 doc: /* Return the GnuTLS init stage of process PROC.
707 See also `gnutls-boot'. */)
708 (Lisp_Object proc)
709 {
710 CHECK_PROCESS (proc);
711
712 return make_number (GNUTLS_INITSTAGE (proc));
713 }
714
715 DEFUN ("gnutls-errorp", Fgnutls_errorp, Sgnutls_errorp, 1, 1, 0,
716 doc: /* Return t if ERROR indicates a GnuTLS problem.
717 ERROR is an integer or a symbol with an integer `gnutls-code' property.
718 usage: (gnutls-errorp ERROR) */
719 attributes: const)
720 (Lisp_Object err)
721 {
722 if (EQ (err, Qt)
723 || EQ (err, Qgnutls_e_again))
724 return Qnil;
725
726 return Qt;
727 }
728
729 DEFUN ("gnutls-error-fatalp", Fgnutls_error_fatalp, Sgnutls_error_fatalp, 1, 1, 0,
730 doc: /* Return non-nil if ERROR is fatal.
731 ERROR is an integer or a symbol with an integer `gnutls-code' property.
732 Usage: (gnutls-error-fatalp ERROR) */)
733 (Lisp_Object err)
734 {
735 Lisp_Object code;
736
737 if (EQ (err, Qt)) return Qnil;
738
739 if (SYMBOLP (err))
740 {
741 code = Fget (err, Qgnutls_code);
742 if (NUMBERP (code))
743 {
744 err = code;
745 }
746 else
747 {
748 error ("Symbol has no numeric gnutls-code property");
749 }
750 }
751
752 if (! TYPE_RANGED_INTEGERP (int, err))
753 error ("Not an error symbol or code");
754
755 if (0 == gnutls_error_is_fatal (XINT (err)))
756 return Qnil;
757
758 return Qt;
759 }
760
761 DEFUN ("gnutls-error-string", Fgnutls_error_string, Sgnutls_error_string, 1, 1, 0,
762 doc: /* Return a description of ERROR.
763 ERROR is an integer or a symbol with an integer `gnutls-code' property.
764 usage: (gnutls-error-string ERROR) */)
765 (Lisp_Object err)
766 {
767 Lisp_Object code;
768
769 if (EQ (err, Qt)) return build_string ("Not an error");
770
771 if (SYMBOLP (err))
772 {
773 code = Fget (err, Qgnutls_code);
774 if (NUMBERP (code))
775 {
776 err = code;
777 }
778 else
779 {
780 return build_string ("Symbol has no numeric gnutls-code property");
781 }
782 }
783
784 if (! TYPE_RANGED_INTEGERP (int, err))
785 return build_string ("Not an error symbol or code");
786
787 return build_string (gnutls_strerror (XINT (err)));
788 }
789
790 DEFUN ("gnutls-deinit", Fgnutls_deinit, Sgnutls_deinit, 1, 1, 0,
791 doc: /* Deallocate GnuTLS resources associated with process PROC.
792 See also `gnutls-init'. */)
793 (Lisp_Object proc)
794 {
795 return emacs_gnutls_deinit (proc);
796 }
797
798 static Lisp_Object
799 gnutls_hex_string (unsigned char *buf, ptrdiff_t buf_size, const char *prefix)
800 {
801 ptrdiff_t prefix_length = strlen (prefix);
802 ptrdiff_t retlen;
803 if (INT_MULTIPLY_WRAPV (buf_size, 3, &retlen)
804 || INT_ADD_WRAPV (prefix_length - (buf_size != 0), retlen, &retlen))
805 string_overflow ();
806 Lisp_Object ret = make_uninit_string (retlen);
807 char *string = SSDATA (ret);
808 strcpy (string, prefix);
809
810 for (ptrdiff_t i = 0; i < buf_size; i++)
811 sprintf (string + i * 3 + prefix_length,
812 i == buf_size - 1 ? "%02x" : "%02x:",
813 buf[i]);
814
815 return ret;
816 }
817
818 static Lisp_Object
819 gnutls_certificate_details (gnutls_x509_crt_t cert)
820 {
821 Lisp_Object res = Qnil;
822 int err;
823 size_t buf_size;
824
825 /* Version. */
826 {
827 int version = gnutls_x509_crt_get_version (cert);
828 check_memory_full (version);
829 if (version >= GNUTLS_E_SUCCESS)
830 res = nconc2 (res, list2 (intern (":version"),
831 make_number (version)));
832 }
833
834 /* Serial. */
835 buf_size = 0;
836 err = gnutls_x509_crt_get_serial (cert, NULL, &buf_size);
837 check_memory_full (err);
838 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
839 {
840 void *serial = xmalloc (buf_size);
841 err = gnutls_x509_crt_get_serial (cert, serial, &buf_size);
842 check_memory_full (err);
843 if (err >= GNUTLS_E_SUCCESS)
844 res = nconc2 (res, list2 (intern (":serial-number"),
845 gnutls_hex_string (serial, buf_size, "")));
846 xfree (serial);
847 }
848
849 /* Issuer. */
850 buf_size = 0;
851 err = gnutls_x509_crt_get_issuer_dn (cert, NULL, &buf_size);
852 check_memory_full (err);
853 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
854 {
855 char *dn = xmalloc (buf_size);
856 err = gnutls_x509_crt_get_issuer_dn (cert, dn, &buf_size);
857 check_memory_full (err);
858 if (err >= GNUTLS_E_SUCCESS)
859 res = nconc2 (res, list2 (intern (":issuer"),
860 make_string (dn, buf_size)));
861 xfree (dn);
862 }
863
864 /* Validity. */
865 {
866 /* Add 1 to the buffer size, since 1900 is added to tm_year and
867 that might add 1 to the year length. */
868 char buf[INT_STRLEN_BOUND (int) + 1 + sizeof "-12-31"];
869 struct tm t;
870 time_t tim = gnutls_x509_crt_get_activation_time (cert);
871
872 if (gmtime_r (&tim, &t) && strftime (buf, sizeof buf, "%Y-%m-%d", &t))
873 res = nconc2 (res, list2 (intern (":valid-from"), build_string (buf)));
874
875 tim = gnutls_x509_crt_get_expiration_time (cert);
876 if (gmtime_r (&tim, &t) && strftime (buf, sizeof buf, "%Y-%m-%d", &t))
877 res = nconc2 (res, list2 (intern (":valid-to"), build_string (buf)));
878 }
879
880 /* Subject. */
881 buf_size = 0;
882 err = gnutls_x509_crt_get_dn (cert, NULL, &buf_size);
883 check_memory_full (err);
884 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
885 {
886 char *dn = xmalloc (buf_size);
887 err = gnutls_x509_crt_get_dn (cert, dn, &buf_size);
888 check_memory_full (err);
889 if (err >= GNUTLS_E_SUCCESS)
890 res = nconc2 (res, list2 (intern (":subject"),
891 make_string (dn, buf_size)));
892 xfree (dn);
893 }
894
895 /* Versions older than 2.11 doesn't have these four functions. */
896 #if GNUTLS_VERSION_NUMBER >= 0x020b00
897 /* SubjectPublicKeyInfo. */
898 {
899 unsigned int bits;
900
901 err = gnutls_x509_crt_get_pk_algorithm (cert, &bits);
902 check_memory_full (err);
903 if (err >= GNUTLS_E_SUCCESS)
904 {
905 const char *name = gnutls_pk_algorithm_get_name (err);
906 if (name)
907 res = nconc2 (res, list2 (intern (":public-key-algorithm"),
908 build_string (name)));
909
910 name = gnutls_sec_param_get_name (gnutls_pk_bits_to_sec_param
911 (err, bits));
912 res = nconc2 (res, list2 (intern (":certificate-security-level"),
913 build_string (name)));
914 }
915 }
916
917 /* Unique IDs. */
918 buf_size = 0;
919 err = gnutls_x509_crt_get_issuer_unique_id (cert, NULL, &buf_size);
920 check_memory_full (err);
921 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
922 {
923 char *buf = xmalloc (buf_size);
924 err = gnutls_x509_crt_get_issuer_unique_id (cert, buf, &buf_size);
925 check_memory_full (err);
926 if (err >= GNUTLS_E_SUCCESS)
927 res = nconc2 (res, list2 (intern (":issuer-unique-id"),
928 make_string (buf, buf_size)));
929 xfree (buf);
930 }
931
932 buf_size = 0;
933 err = gnutls_x509_crt_get_subject_unique_id (cert, NULL, &buf_size);
934 check_memory_full (err);
935 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
936 {
937 char *buf = xmalloc (buf_size);
938 err = gnutls_x509_crt_get_subject_unique_id (cert, buf, &buf_size);
939 check_memory_full (err);
940 if (err >= GNUTLS_E_SUCCESS)
941 res = nconc2 (res, list2 (intern (":subject-unique-id"),
942 make_string (buf, buf_size)));
943 xfree (buf);
944 }
945 #endif
946
947 /* Signature. */
948 err = gnutls_x509_crt_get_signature_algorithm (cert);
949 check_memory_full (err);
950 if (err >= GNUTLS_E_SUCCESS)
951 {
952 const char *name = gnutls_sign_get_name (err);
953 if (name)
954 res = nconc2 (res, list2 (intern (":signature-algorithm"),
955 build_string (name)));
956 }
957
958 /* Public key ID. */
959 buf_size = 0;
960 err = gnutls_x509_crt_get_key_id (cert, 0, NULL, &buf_size);
961 check_memory_full (err);
962 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
963 {
964 void *buf = xmalloc (buf_size);
965 err = gnutls_x509_crt_get_key_id (cert, 0, buf, &buf_size);
966 check_memory_full (err);
967 if (err >= GNUTLS_E_SUCCESS)
968 res = nconc2 (res, list2 (intern (":public-key-id"),
969 gnutls_hex_string (buf, buf_size, "sha1:")));
970 xfree (buf);
971 }
972
973 /* Certificate fingerprint. */
974 buf_size = 0;
975 err = gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1,
976 NULL, &buf_size);
977 check_memory_full (err);
978 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
979 {
980 void *buf = xmalloc (buf_size);
981 err = gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1,
982 buf, &buf_size);
983 check_memory_full (err);
984 if (err >= GNUTLS_E_SUCCESS)
985 res = nconc2 (res, list2 (intern (":certificate-id"),
986 gnutls_hex_string (buf, buf_size, "sha1:")));
987 xfree (buf);
988 }
989
990 return res;
991 }
992
993 DEFUN ("gnutls-peer-status-warning-describe", Fgnutls_peer_status_warning_describe, Sgnutls_peer_status_warning_describe, 1, 1, 0,
994 doc: /* Describe the warning of a GnuTLS peer status from `gnutls-peer-status'. */)
995 (Lisp_Object status_symbol)
996 {
997 CHECK_SYMBOL (status_symbol);
998
999 if (EQ (status_symbol, intern (":invalid")))
1000 return build_string ("certificate could not be verified");
1001
1002 if (EQ (status_symbol, intern (":revoked")))
1003 return build_string ("certificate was revoked (CRL)");
1004
1005 if (EQ (status_symbol, intern (":self-signed")))
1006 return build_string ("certificate signer was not found (self-signed)");
1007
1008 if (EQ (status_symbol, intern (":unknown-ca")))
1009 return build_string ("the certificate was signed by an unknown "
1010 "and therefore untrusted authority");
1011
1012 if (EQ (status_symbol, intern (":not-ca")))
1013 return build_string ("certificate signer is not a CA");
1014
1015 if (EQ (status_symbol, intern (":insecure")))
1016 return build_string ("certificate was signed with an insecure algorithm");
1017
1018 if (EQ (status_symbol, intern (":not-activated")))
1019 return build_string ("certificate is not yet activated");
1020
1021 if (EQ (status_symbol, intern (":expired")))
1022 return build_string ("certificate has expired");
1023
1024 if (EQ (status_symbol, intern (":no-host-match")))
1025 return build_string ("certificate host does not match hostname");
1026
1027 return Qnil;
1028 }
1029
1030 DEFUN ("gnutls-peer-status", Fgnutls_peer_status, Sgnutls_peer_status, 1, 1, 0,
1031 doc: /* Describe a GnuTLS PROC peer certificate and any warnings about it.
1032 The return value is a property list with top-level keys :warnings and
1033 :certificate. The :warnings entry is a list of symbols you can describe with
1034 `gnutls-peer-status-warning-describe'. */)
1035 (Lisp_Object proc)
1036 {
1037 Lisp_Object warnings = Qnil, result = Qnil;
1038 unsigned int verification;
1039 gnutls_session_t state;
1040
1041 CHECK_PROCESS (proc);
1042
1043 if (GNUTLS_INITSTAGE (proc) != GNUTLS_STAGE_READY)
1044 return Qnil;
1045
1046 /* Then collect any warnings already computed by the handshake. */
1047 verification = XPROCESS (proc)->gnutls_peer_verification;
1048
1049 if (verification & GNUTLS_CERT_INVALID)
1050 warnings = Fcons (intern (":invalid"), warnings);
1051
1052 if (verification & GNUTLS_CERT_REVOKED)
1053 warnings = Fcons (intern (":revoked"), warnings);
1054
1055 if (verification & GNUTLS_CERT_SIGNER_NOT_FOUND)
1056 warnings = Fcons (intern (":unknown-ca"), warnings);
1057
1058 if (verification & GNUTLS_CERT_SIGNER_NOT_CA)
1059 warnings = Fcons (intern (":not-ca"), warnings);
1060
1061 if (verification & GNUTLS_CERT_INSECURE_ALGORITHM)
1062 warnings = Fcons (intern (":insecure"), warnings);
1063
1064 if (verification & GNUTLS_CERT_NOT_ACTIVATED)
1065 warnings = Fcons (intern (":not-activated"), warnings);
1066
1067 if (verification & GNUTLS_CERT_EXPIRED)
1068 warnings = Fcons (intern (":expired"), warnings);
1069
1070 if (XPROCESS (proc)->gnutls_extra_peer_verification &
1071 CERTIFICATE_NOT_MATCHING)
1072 warnings = Fcons (intern (":no-host-match"), warnings);
1073
1074 /* This could get called in the INIT stage, when the certificate is
1075 not yet set. */
1076 if (XPROCESS (proc)->gnutls_certificate != NULL &&
1077 gnutls_x509_crt_check_issuer(XPROCESS (proc)->gnutls_certificate,
1078 XPROCESS (proc)->gnutls_certificate))
1079 warnings = Fcons (intern (":self-signed"), warnings);
1080
1081 if (!NILP (warnings))
1082 result = list2 (intern (":warnings"), warnings);
1083
1084 /* This could get called in the INIT stage, when the certificate is
1085 not yet set. */
1086 if (XPROCESS (proc)->gnutls_certificate != NULL)
1087 result = nconc2 (result, list2
1088 (intern (":certificate"),
1089 gnutls_certificate_details (XPROCESS (proc)->gnutls_certificate)));
1090
1091 state = XPROCESS (proc)->gnutls_state;
1092
1093 /* Diffie-Hellman prime bits. */
1094 {
1095 int bits = gnutls_dh_get_prime_bits (state);
1096 check_memory_full (bits);
1097 if (bits > 0)
1098 result = nconc2 (result, list2 (intern (":diffie-hellman-prime-bits"),
1099 make_number (bits)));
1100 }
1101
1102 /* Key exchange. */
1103 result = nconc2
1104 (result, list2 (intern (":key-exchange"),
1105 build_string (gnutls_kx_get_name
1106 (gnutls_kx_get (state)))));
1107
1108 /* Protocol name. */
1109 result = nconc2
1110 (result, list2 (intern (":protocol"),
1111 build_string (gnutls_protocol_get_name
1112 (gnutls_protocol_get_version (state)))));
1113
1114 /* Cipher name. */
1115 result = nconc2
1116 (result, list2 (intern (":cipher"),
1117 build_string (gnutls_cipher_get_name
1118 (gnutls_cipher_get (state)))));
1119
1120 /* MAC name. */
1121 result = nconc2
1122 (result, list2 (intern (":mac"),
1123 build_string (gnutls_mac_get_name
1124 (gnutls_mac_get (state)))));
1125
1126
1127 return result;
1128 }
1129
1130 /* Initialize global GnuTLS state to defaults.
1131 Call `gnutls-global-deinit' when GnuTLS usage is no longer needed.
1132 Return zero on success. */
1133 Lisp_Object
1134 emacs_gnutls_global_init (void)
1135 {
1136 int ret = GNUTLS_E_SUCCESS;
1137
1138 if (!gnutls_global_initialized)
1139 {
1140 ret = gnutls_global_init ();
1141 if (ret == GNUTLS_E_SUCCESS)
1142 gnutls_global_initialized = 1;
1143 }
1144
1145 return gnutls_make_error (ret);
1146 }
1147
1148 static bool
1149 gnutls_ip_address_p (char *string)
1150 {
1151 char c;
1152
1153 while ((c = *string++) != 0)
1154 if (! ((c == '.' || c == ':' || (c >= '0' && c <= '9'))))
1155 return false;
1156
1157 return true;
1158 }
1159
1160 #if 0
1161 /* Deinitialize global GnuTLS state.
1162 See also `gnutls-global-init'. */
1163 static Lisp_Object
1164 emacs_gnutls_global_deinit (void)
1165 {
1166 if (gnutls_global_initialized)
1167 gnutls_global_deinit ();
1168
1169 gnutls_global_initialized = 0;
1170
1171 return gnutls_make_error (GNUTLS_E_SUCCESS);
1172 }
1173 #endif
1174
1175 static void ATTRIBUTE_FORMAT_PRINTF (2, 3)
1176 boot_error (struct Lisp_Process *p, const char *m, ...)
1177 {
1178 va_list ap;
1179 va_start (ap, m);
1180 if (p->is_non_blocking_client)
1181 pset_status (p, list2 (Qfailed, vformat_string (m, ap)));
1182 else
1183 verror (m, ap);
1184 va_end (ap);
1185 }
1186
1187 Lisp_Object
1188 gnutls_verify_boot (Lisp_Object proc, Lisp_Object proplist)
1189 {
1190 int ret;
1191 struct Lisp_Process *p = XPROCESS (proc);
1192 gnutls_session_t state = p->gnutls_state;
1193 unsigned int peer_verification;
1194 Lisp_Object warnings;
1195 int max_log_level = p->gnutls_log_level;
1196 Lisp_Object hostname, verify_error;
1197 bool verify_error_all = false;
1198 char *c_hostname;
1199
1200 if (NILP (proplist))
1201 proplist = Fcdr (Fplist_get (p->childp, QCtls_parameters));
1202
1203 verify_error = Fplist_get (proplist, QCverify_error);
1204 hostname = Fplist_get (proplist, QChostname);
1205
1206 if (EQ (verify_error, Qt))
1207 verify_error_all = true;
1208 else if (NILP (Flistp (verify_error)))
1209 {
1210 boot_error (p,
1211 "gnutls-boot: invalid :verify_error parameter (not a list)");
1212 return Qnil;
1213 }
1214
1215 if (!STRINGP (hostname))
1216 {
1217 boot_error (p, "gnutls-boot: invalid :hostname parameter (not a string)");
1218 return Qnil;
1219 }
1220 c_hostname = SSDATA (hostname);
1221
1222 /* Now verify the peer, following
1223 http://www.gnu.org/software/gnutls/manual/html_node/Verifying-peer_0027s-certificate.html.
1224 The peer should present at least one certificate in the chain; do a
1225 check of the certificate's hostname with
1226 gnutls_x509_crt_check_hostname against :hostname. */
1227
1228 ret = gnutls_certificate_verify_peers2 (state, &peer_verification);
1229 if (ret < GNUTLS_E_SUCCESS)
1230 return gnutls_make_error (ret);
1231
1232 XPROCESS (proc)->gnutls_peer_verification = peer_verification;
1233
1234 warnings = Fplist_get (Fgnutls_peer_status (proc), intern (":warnings"));
1235 if (!NILP (warnings))
1236 {
1237 for (Lisp_Object tail = warnings; CONSP (tail); tail = XCDR (tail))
1238 {
1239 Lisp_Object warning = XCAR (tail);
1240 Lisp_Object message = Fgnutls_peer_status_warning_describe (warning);
1241 if (!NILP (message))
1242 GNUTLS_LOG2 (1, max_log_level, "verification:", SSDATA (message));
1243 }
1244 }
1245
1246 if (peer_verification != 0)
1247 {
1248 if (verify_error_all
1249 || !NILP (Fmember (QCtrustfiles, verify_error)))
1250 {
1251 emacs_gnutls_deinit (proc);
1252 boot_error (p,
1253 "Certificate validation failed %s, verification code %x",
1254 c_hostname, peer_verification);
1255 return Qnil;
1256 }
1257 else
1258 {
1259 GNUTLS_LOG2 (1, max_log_level, "certificate validation failed:",
1260 c_hostname);
1261 }
1262 }
1263
1264 /* Up to here the process is the same for X.509 certificates and
1265 OpenPGP keys. From now on X.509 certificates are assumed. This
1266 can be easily extended to work with openpgp keys as well. */
1267 if (gnutls_certificate_type_get (state) == GNUTLS_CRT_X509)
1268 {
1269 gnutls_x509_crt_t gnutls_verify_cert;
1270 const gnutls_datum_t *gnutls_verify_cert_list;
1271 unsigned int gnutls_verify_cert_list_size;
1272
1273 ret = gnutls_x509_crt_init (&gnutls_verify_cert);
1274 if (ret < GNUTLS_E_SUCCESS)
1275 return gnutls_make_error (ret);
1276
1277 gnutls_verify_cert_list
1278 = gnutls_certificate_get_peers (state, &gnutls_verify_cert_list_size);
1279
1280 if (gnutls_verify_cert_list == NULL)
1281 {
1282 gnutls_x509_crt_deinit (gnutls_verify_cert);
1283 emacs_gnutls_deinit (proc);
1284 boot_error (p, "No x509 certificate was found\n");
1285 return Qnil;
1286 }
1287
1288 /* Check only the first certificate in the given chain. */
1289 ret = gnutls_x509_crt_import (gnutls_verify_cert,
1290 &gnutls_verify_cert_list[0],
1291 GNUTLS_X509_FMT_DER);
1292
1293 if (ret < GNUTLS_E_SUCCESS)
1294 {
1295 gnutls_x509_crt_deinit (gnutls_verify_cert);
1296 return gnutls_make_error (ret);
1297 }
1298
1299 XPROCESS (proc)->gnutls_certificate = gnutls_verify_cert;
1300
1301 int err = gnutls_x509_crt_check_hostname (gnutls_verify_cert,
1302 c_hostname);
1303 check_memory_full (err);
1304 if (!err)
1305 {
1306 XPROCESS (proc)->gnutls_extra_peer_verification
1307 |= CERTIFICATE_NOT_MATCHING;
1308 if (verify_error_all
1309 || !NILP (Fmember (QChostname, verify_error)))
1310 {
1311 gnutls_x509_crt_deinit (gnutls_verify_cert);
1312 emacs_gnutls_deinit (proc);
1313 boot_error (p, "The x509 certificate does not match \"%s\"",
1314 c_hostname);
1315 return Qnil;
1316 }
1317 else
1318 GNUTLS_LOG2 (1, max_log_level, "x509 certificate does not match:",
1319 c_hostname);
1320 }
1321 }
1322
1323 /* Set this flag only if the whole initialization succeeded. */
1324 XPROCESS (proc)->gnutls_p = true;
1325
1326 return gnutls_make_error (ret);
1327 }
1328
1329 DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
1330 doc: /* Initialize GnuTLS client for process PROC with TYPE+PROPLIST.
1331 Currently only client mode is supported. Return a success/failure
1332 value you can check with `gnutls-errorp'.
1333
1334 TYPE is a symbol, either `gnutls-anon' or `gnutls-x509pki'.
1335 PROPLIST is a property list with the following keys:
1336
1337 :hostname is a string naming the remote host.
1338
1339 :priority is a GnuTLS priority string, defaults to "NORMAL".
1340
1341 :trustfiles is a list of PEM-encoded trust files for `gnutls-x509pki'.
1342
1343 :crlfiles is a list of PEM-encoded CRL lists for `gnutls-x509pki'.
1344
1345 :keylist is an alist of PEM-encoded key files and PEM-encoded
1346 certificates for `gnutls-x509pki'.
1347
1348 :callbacks is an alist of callback functions, see below.
1349
1350 :loglevel is the debug level requested from GnuTLS, try 4.
1351
1352 :verify-flags is a bitset as per GnuTLS'
1353 gnutls_certificate_set_verify_flags.
1354
1355 :verify-hostname-error is ignored. Pass :hostname in :verify-error
1356 instead.
1357
1358 :verify-error is a list of symbols to express verification checks or
1359 t to do all checks. Currently it can contain `:trustfiles' and
1360 `:hostname' to verify the certificate or the hostname respectively.
1361
1362 :min-prime-bits is the minimum accepted number of bits the client will
1363 accept in Diffie-Hellman key exchange.
1364
1365 :complete-negotiation, if non-nil, will make negotiation complete
1366 before returning even on non-blocking sockets.
1367
1368 The debug level will be set for this process AND globally for GnuTLS.
1369 So if you set it higher or lower at any point, it affects global
1370 debugging.
1371
1372 Note that the priority is set on the client. The server does not use
1373 the protocols's priority except for disabling protocols that were not
1374 specified.
1375
1376 Processes must be initialized with this function before other GnuTLS
1377 functions are used. This function allocates resources which can only
1378 be deallocated by calling `gnutls-deinit' or by calling it again.
1379
1380 The callbacks alist can have a `verify' key, associated with a
1381 verification function (UNUSED).
1382
1383 Each authentication type may need additional information in order to
1384 work. For X.509 PKI (`gnutls-x509pki'), you probably need at least
1385 one trustfile (usually a CA bundle). */)
1386 (Lisp_Object proc, Lisp_Object type, Lisp_Object proplist)
1387 {
1388 int ret = GNUTLS_E_SUCCESS;
1389 int max_log_level = 0;
1390
1391 gnutls_session_t state;
1392 gnutls_certificate_credentials_t x509_cred = NULL;
1393 gnutls_anon_client_credentials_t anon_cred = NULL;
1394 Lisp_Object global_init;
1395 char const *priority_string_ptr = "NORMAL"; /* default priority string. */
1396 char *c_hostname;
1397
1398 /* Placeholders for the property list elements. */
1399 Lisp_Object priority_string;
1400 Lisp_Object trustfiles;
1401 Lisp_Object crlfiles;
1402 Lisp_Object keylist;
1403 /* Lisp_Object callbacks; */
1404 Lisp_Object loglevel;
1405 Lisp_Object hostname;
1406 Lisp_Object prime_bits;
1407 struct Lisp_Process *p = XPROCESS (proc);
1408
1409 CHECK_PROCESS (proc);
1410 CHECK_SYMBOL (type);
1411 CHECK_LIST (proplist);
1412
1413 if (NILP (Fgnutls_available_p ()))
1414 {
1415 boot_error (p, "GnuTLS not available");
1416 return Qnil;
1417 }
1418
1419 if (!EQ (type, Qgnutls_x509pki) && !EQ (type, Qgnutls_anon))
1420 {
1421 boot_error (p, "Invalid GnuTLS credential type");
1422 return Qnil;
1423 }
1424
1425 hostname = Fplist_get (proplist, QChostname);
1426 priority_string = Fplist_get (proplist, QCpriority);
1427 trustfiles = Fplist_get (proplist, QCtrustfiles);
1428 keylist = Fplist_get (proplist, QCkeylist);
1429 crlfiles = Fplist_get (proplist, QCcrlfiles);
1430 loglevel = Fplist_get (proplist, QCloglevel);
1431 prime_bits = Fplist_get (proplist, QCmin_prime_bits);
1432
1433 if (!STRINGP (hostname))
1434 {
1435 boot_error (p, "gnutls-boot: invalid :hostname parameter (not a string)");
1436 return Qnil;
1437 }
1438 c_hostname = SSDATA (hostname);
1439
1440 state = XPROCESS (proc)->gnutls_state;
1441
1442 if (TYPE_RANGED_INTEGERP (int, loglevel))
1443 {
1444 gnutls_global_set_log_function (gnutls_log_function);
1445 #ifdef HAVE_GNUTLS3
1446 gnutls_global_set_audit_log_function (gnutls_audit_log_function);
1447 #endif
1448 gnutls_global_set_log_level (XINT (loglevel));
1449 max_log_level = XINT (loglevel);
1450 XPROCESS (proc)->gnutls_log_level = max_log_level;
1451 }
1452
1453 GNUTLS_LOG2 (1, max_log_level, "connecting to host:", c_hostname);
1454
1455 /* Always initialize globals. */
1456 global_init = emacs_gnutls_global_init ();
1457 if (! NILP (Fgnutls_errorp (global_init)))
1458 return global_init;
1459
1460 /* Before allocating new credentials, deallocate any credentials
1461 that PROC might already have. */
1462 emacs_gnutls_deinit (proc);
1463
1464 /* Mark PROC as a GnuTLS process. */
1465 XPROCESS (proc)->gnutls_state = NULL;
1466 XPROCESS (proc)->gnutls_x509_cred = NULL;
1467 XPROCESS (proc)->gnutls_anon_cred = NULL;
1468 pset_gnutls_cred_type (XPROCESS (proc), type);
1469 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_EMPTY;
1470
1471 GNUTLS_LOG (1, max_log_level, "allocating credentials");
1472 if (EQ (type, Qgnutls_x509pki))
1473 {
1474 Lisp_Object verify_flags;
1475 unsigned int gnutls_verify_flags = GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
1476
1477 GNUTLS_LOG (2, max_log_level, "allocating x509 credentials");
1478 check_memory_full (gnutls_certificate_allocate_credentials (&x509_cred));
1479 XPROCESS (proc)->gnutls_x509_cred = x509_cred;
1480
1481 verify_flags = Fplist_get (proplist, QCverify_flags);
1482 if (NUMBERP (verify_flags))
1483 {
1484 gnutls_verify_flags = XINT (verify_flags);
1485 GNUTLS_LOG (2, max_log_level, "setting verification flags");
1486 }
1487 else if (NILP (verify_flags))
1488 GNUTLS_LOG (2, max_log_level, "using default verification flags");
1489 else
1490 GNUTLS_LOG (2, max_log_level, "ignoring invalid verify-flags");
1491
1492 gnutls_certificate_set_verify_flags (x509_cred, gnutls_verify_flags);
1493 }
1494 else /* Qgnutls_anon: */
1495 {
1496 GNUTLS_LOG (2, max_log_level, "allocating anon credentials");
1497 check_memory_full (gnutls_anon_allocate_client_credentials (&anon_cred));
1498 XPROCESS (proc)->gnutls_anon_cred = anon_cred;
1499 }
1500
1501 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_CRED_ALLOC;
1502
1503 if (EQ (type, Qgnutls_x509pki))
1504 {
1505 /* TODO: GNUTLS_X509_FMT_DER is also an option. */
1506 int file_format = GNUTLS_X509_FMT_PEM;
1507 Lisp_Object tail;
1508
1509 #if GNUTLS_VERSION_MAJOR + \
1510 (GNUTLS_VERSION_MINOR > 0 || GNUTLS_VERSION_PATCH >= 20) > 3
1511 ret = gnutls_certificate_set_x509_system_trust (x509_cred);
1512 if (ret < GNUTLS_E_SUCCESS)
1513 {
1514 check_memory_full (ret);
1515 GNUTLS_LOG2i (4, max_log_level,
1516 "setting system trust failed with code ", ret);
1517 }
1518 #endif
1519
1520 for (tail = trustfiles; CONSP (tail); tail = XCDR (tail))
1521 {
1522 Lisp_Object trustfile = XCAR (tail);
1523 if (STRINGP (trustfile))
1524 {
1525 GNUTLS_LOG2 (1, max_log_level, "setting the trustfile: ",
1526 SSDATA (trustfile));
1527 trustfile = ENCODE_FILE (trustfile);
1528 #ifdef WINDOWSNT
1529 /* Since GnuTLS doesn't support UTF-8 or UTF-16 encoded
1530 file names on Windows, we need to re-encode the file
1531 name using the current ANSI codepage. */
1532 trustfile = ansi_encode_filename (trustfile);
1533 #endif
1534 ret = gnutls_certificate_set_x509_trust_file
1535 (x509_cred,
1536 SSDATA (trustfile),
1537 file_format);
1538
1539 if (ret < GNUTLS_E_SUCCESS)
1540 return gnutls_make_error (ret);
1541 }
1542 else
1543 {
1544 emacs_gnutls_deinit (proc);
1545 boot_error (p, "Invalid trustfile");
1546 return Qnil;
1547 }
1548 }
1549
1550 for (tail = crlfiles; CONSP (tail); tail = XCDR (tail))
1551 {
1552 Lisp_Object crlfile = XCAR (tail);
1553 if (STRINGP (crlfile))
1554 {
1555 GNUTLS_LOG2 (1, max_log_level, "setting the CRL file: ",
1556 SSDATA (crlfile));
1557 crlfile = ENCODE_FILE (crlfile);
1558 #ifdef WINDOWSNT
1559 crlfile = ansi_encode_filename (crlfile);
1560 #endif
1561 ret = gnutls_certificate_set_x509_crl_file
1562 (x509_cred, SSDATA (crlfile), file_format);
1563
1564 if (ret < GNUTLS_E_SUCCESS)
1565 return gnutls_make_error (ret);
1566 }
1567 else
1568 {
1569 emacs_gnutls_deinit (proc);
1570 boot_error (p, "Invalid CRL file");
1571 return Qnil;
1572 }
1573 }
1574
1575 for (tail = keylist; CONSP (tail); tail = XCDR (tail))
1576 {
1577 Lisp_Object keyfile = Fcar (XCAR (tail));
1578 Lisp_Object certfile = Fcar (Fcdr (XCAR (tail)));
1579 if (STRINGP (keyfile) && STRINGP (certfile))
1580 {
1581 GNUTLS_LOG2 (1, max_log_level, "setting the client key file: ",
1582 SSDATA (keyfile));
1583 GNUTLS_LOG2 (1, max_log_level, "setting the client cert file: ",
1584 SSDATA (certfile));
1585 keyfile = ENCODE_FILE (keyfile);
1586 certfile = ENCODE_FILE (certfile);
1587 #ifdef WINDOWSNT
1588 keyfile = ansi_encode_filename (keyfile);
1589 certfile = ansi_encode_filename (certfile);
1590 #endif
1591 ret = gnutls_certificate_set_x509_key_file
1592 (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
1593
1594 if (ret < GNUTLS_E_SUCCESS)
1595 return gnutls_make_error (ret);
1596 }
1597 else
1598 {
1599 emacs_gnutls_deinit (proc);
1600 boot_error (p, STRINGP (keyfile) ? "Invalid client cert file"
1601 : "Invalid client key file");
1602 return Qnil;
1603 }
1604 }
1605 }
1606
1607 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_FILES;
1608 GNUTLS_LOG (1, max_log_level, "gnutls callbacks");
1609 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_CALLBACKS;
1610
1611 /* Call gnutls_init here: */
1612
1613 GNUTLS_LOG (1, max_log_level, "gnutls_init");
1614 ret = gnutls_init (&state, GNUTLS_CLIENT);
1615 XPROCESS (proc)->gnutls_state = state;
1616 if (ret < GNUTLS_E_SUCCESS)
1617 return gnutls_make_error (ret);
1618 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_INIT;
1619
1620 if (STRINGP (priority_string))
1621 {
1622 priority_string_ptr = SSDATA (priority_string);
1623 GNUTLS_LOG2 (1, max_log_level, "got non-default priority string:",
1624 priority_string_ptr);
1625 }
1626 else
1627 {
1628 GNUTLS_LOG2 (1, max_log_level, "using default priority string:",
1629 priority_string_ptr);
1630 }
1631
1632 GNUTLS_LOG (1, max_log_level, "setting the priority string");
1633 ret = gnutls_priority_set_direct (state, priority_string_ptr, NULL);
1634 if (ret < GNUTLS_E_SUCCESS)
1635 return gnutls_make_error (ret);
1636
1637 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_PRIORITY;
1638
1639 if (INTEGERP (prime_bits))
1640 gnutls_dh_set_prime_bits (state, XUINT (prime_bits));
1641
1642 ret = EQ (type, Qgnutls_x509pki)
1643 ? gnutls_credentials_set (state, GNUTLS_CRD_CERTIFICATE, x509_cred)
1644 : gnutls_credentials_set (state, GNUTLS_CRD_ANON, anon_cred);
1645 if (ret < GNUTLS_E_SUCCESS)
1646 return gnutls_make_error (ret);
1647
1648 if (!gnutls_ip_address_p (c_hostname))
1649 {
1650 ret = gnutls_server_name_set (state, GNUTLS_NAME_DNS, c_hostname,
1651 strlen (c_hostname));
1652 if (ret < GNUTLS_E_SUCCESS)
1653 return gnutls_make_error (ret);
1654 }
1655
1656 XPROCESS (proc)->gnutls_complete_negotiation_p =
1657 !NILP (Fplist_get (proplist, QCcomplete_negotiation));
1658 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_CRED_SET;
1659 ret = emacs_gnutls_handshake (XPROCESS (proc));
1660 if (ret < GNUTLS_E_SUCCESS)
1661 return gnutls_make_error (ret);
1662
1663 return gnutls_verify_boot (proc, proplist);
1664 }
1665
1666 DEFUN ("gnutls-bye", Fgnutls_bye,
1667 Sgnutls_bye, 2, 2, 0,
1668 doc: /* Terminate current GnuTLS connection for process PROC.
1669 The connection should have been initiated using `gnutls-handshake'.
1670
1671 If CONT is not nil the TLS connection gets terminated and further
1672 receives and sends will be disallowed. If the return value is zero you
1673 may continue using the connection. If CONT is nil, GnuTLS actually
1674 sends an alert containing a close request and waits for the peer to
1675 reply with the same message. In order to reuse the connection you
1676 should wait for an EOF from the peer.
1677
1678 This function may also return `gnutls-e-again', or
1679 `gnutls-e-interrupted'. */)
1680 (Lisp_Object proc, Lisp_Object cont)
1681 {
1682 gnutls_session_t state;
1683 int ret;
1684
1685 CHECK_PROCESS (proc);
1686
1687 state = XPROCESS (proc)->gnutls_state;
1688
1689 gnutls_x509_crt_deinit (XPROCESS (proc)->gnutls_certificate);
1690
1691 ret = gnutls_bye (state, NILP (cont) ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
1692
1693 return gnutls_make_error (ret);
1694 }
1695
1696 #endif /* HAVE_GNUTLS */
1697
1698 DEFUN ("gnutls-available-p", Fgnutls_available_p, Sgnutls_available_p, 0, 0, 0,
1699 doc: /* Return t if GnuTLS is available in this instance of Emacs. */)
1700 (void)
1701 {
1702 #ifdef HAVE_GNUTLS
1703 # ifdef WINDOWSNT
1704 Lisp_Object found = Fassq (Qgnutls, Vlibrary_cache);
1705 if (CONSP (found))
1706 return XCDR (found);
1707 else
1708 {
1709 Lisp_Object status;
1710 status = init_gnutls_functions () ? Qt : Qnil;
1711 Vlibrary_cache = Fcons (Fcons (Qgnutls, status), Vlibrary_cache);
1712 return status;
1713 }
1714 # else /* !WINDOWSNT */
1715 return Qt;
1716 # endif /* !WINDOWSNT */
1717 #else /* !HAVE_GNUTLS */
1718 return Qnil;
1719 #endif /* !HAVE_GNUTLS */
1720 }
1721
1722 void
1723 syms_of_gnutls (void)
1724 {
1725 DEFSYM (Qlibgnutls_version, "libgnutls-version");
1726 Fset (Qlibgnutls_version,
1727 #ifdef HAVE_GNUTLS
1728 make_number (GNUTLS_VERSION_MAJOR * 10000
1729 + GNUTLS_VERSION_MINOR * 100
1730 + GNUTLS_VERSION_PATCH)
1731 #else
1732 make_number (-1)
1733 #endif
1734 );
1735 #ifdef HAVE_GNUTLS
1736 gnutls_global_initialized = 0;
1737
1738 DEFSYM (Qgnutls_code, "gnutls-code");
1739 DEFSYM (Qgnutls_anon, "gnutls-anon");
1740 DEFSYM (Qgnutls_x509pki, "gnutls-x509pki");
1741
1742 /* The following are for the property list of 'gnutls-boot'. */
1743 DEFSYM (QChostname, ":hostname");
1744 DEFSYM (QCpriority, ":priority");
1745 DEFSYM (QCtrustfiles, ":trustfiles");
1746 DEFSYM (QCkeylist, ":keylist");
1747 DEFSYM (QCcrlfiles, ":crlfiles");
1748 DEFSYM (QCmin_prime_bits, ":min-prime-bits");
1749 DEFSYM (QCloglevel, ":loglevel");
1750 DEFSYM (QCcomplete_negotiation, ":complete-negotiation");
1751 DEFSYM (QCverify_flags, ":verify-flags");
1752 DEFSYM (QCverify_error, ":verify-error");
1753
1754 DEFSYM (Qgnutls_e_interrupted, "gnutls-e-interrupted");
1755 Fput (Qgnutls_e_interrupted, Qgnutls_code,
1756 make_number (GNUTLS_E_INTERRUPTED));
1757
1758 DEFSYM (Qgnutls_e_again, "gnutls-e-again");
1759 Fput (Qgnutls_e_again, Qgnutls_code,
1760 make_number (GNUTLS_E_AGAIN));
1761
1762 DEFSYM (Qgnutls_e_invalid_session, "gnutls-e-invalid-session");
1763 Fput (Qgnutls_e_invalid_session, Qgnutls_code,
1764 make_number (GNUTLS_E_INVALID_SESSION));
1765
1766 DEFSYM (Qgnutls_e_not_ready_for_handshake, "gnutls-e-not-ready-for-handshake");
1767 Fput (Qgnutls_e_not_ready_for_handshake, Qgnutls_code,
1768 make_number (GNUTLS_E_APPLICATION_ERROR_MIN));
1769
1770 defsubr (&Sgnutls_get_initstage);
1771 defsubr (&Sgnutls_asynchronous_parameters);
1772 defsubr (&Sgnutls_errorp);
1773 defsubr (&Sgnutls_error_fatalp);
1774 defsubr (&Sgnutls_error_string);
1775 defsubr (&Sgnutls_boot);
1776 defsubr (&Sgnutls_deinit);
1777 defsubr (&Sgnutls_bye);
1778 defsubr (&Sgnutls_peer_status);
1779 defsubr (&Sgnutls_peer_status_warning_describe);
1780
1781 DEFVAR_INT ("gnutls-log-level", global_gnutls_log_level,
1782 doc: /* Logging level used by the GnuTLS functions.
1783 Set this larger than 0 to get debug output in the *Messages* buffer.
1784 1 is for important messages, 2 is for debug data, and higher numbers
1785 are as per the GnuTLS logging conventions. */);
1786 global_gnutls_log_level = 0;
1787
1788 #endif /* HAVE_GNUTLS */
1789
1790 defsubr (&Sgnutls_available_p);
1791 }