search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
gnutls.c windows compilation fix
[emacs.git] / src / gnutls.c
blobe012a904f85735f84339ba34a7c9131d530bb0c7
1 /* GnuTLS glue for GNU Emacs.
2 Copyright (C) 2010-2014 Free Software Foundation, Inc.
3
4 This file is part of GNU Emacs.
5
6 GNU Emacs is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, either version 3 of the License, or
9 (at your option) any later version.
10
11 GNU Emacs is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>. */
18
19 #include <config.h>
20 #include <errno.h>
21 #include <stdio.h>
22
23 #include "lisp.h"
24 #include "process.h"
25 #include "coding.h"
26
27 #ifdef HAVE_GNUTLS
28 #include <gnutls/gnutls.h>
29
30 #ifdef WINDOWSNT
31 #include <windows.h>
32 #include "w32.h"
33 #endif
34
35 static bool emacs_gnutls_handle_error (gnutls_session_t, int);
36
37 static Lisp_Object Qgnutls_dll;
38 static Lisp_Object Qgnutls_code;
39 static Lisp_Object Qgnutls_anon, Qgnutls_x509pki;
40 static Lisp_Object Qgnutls_e_interrupted, Qgnutls_e_again,
41 Qgnutls_e_invalid_session, Qgnutls_e_not_ready_for_handshake;
42 static bool gnutls_global_initialized;
43
44 /* The following are for the property list of `gnutls-boot'. */
45 static Lisp_Object QCgnutls_bootprop_priority;
46 static Lisp_Object QCgnutls_bootprop_trustfiles;
47 static Lisp_Object QCgnutls_bootprop_keylist;
48 static Lisp_Object QCgnutls_bootprop_crlfiles;
49 static Lisp_Object QCgnutls_bootprop_callbacks;
50 static Lisp_Object QCgnutls_bootprop_loglevel;
51 static Lisp_Object QCgnutls_bootprop_hostname;
52 static Lisp_Object QCgnutls_bootprop_min_prime_bits;
53 static Lisp_Object QCgnutls_bootprop_verify_flags;
54 static Lisp_Object QCgnutls_bootprop_verify_error;
55
56 /* Callback keys for `gnutls-boot'. Unused currently. */
57 static Lisp_Object QCgnutls_bootprop_callbacks_verify;
58
59 static void gnutls_log_function (int, const char *);
60 static void gnutls_log_function2 (int, const char *, const char *);
61 #ifdef HAVE_GNUTLS3
62 static void gnutls_audit_log_function (gnutls_session_t, const char *);
63 #endif
64
65 static enum
66 {
67 CERTIFICATE_NOT_MATCHING = 2,
68 } extra_peer_verification_t;
69
70 \f
71 #ifdef WINDOWSNT
72
73 /* Macro for defining functions that will be loaded from the GnuTLS DLL. */
74 #define DEF_GNUTLS_FN(rettype,func,args) static rettype (FAR CDECL *fn_##func)args
75
76 /* Macro for loading GnuTLS functions from the library. */
77 #define LOAD_GNUTLS_FN(lib,func) { \
78 fn_##func = (void *) GetProcAddress (lib, #func); \
79 if (!fn_##func) return 0; \
80 }
81
82 DEF_GNUTLS_FN (gnutls_alert_description_t, gnutls_alert_get,
83 (gnutls_session_t));
84 DEF_GNUTLS_FN (const char *, gnutls_alert_get_name,
85 (gnutls_alert_description_t));
86 DEF_GNUTLS_FN (int, gnutls_alert_send_appropriate, (gnutls_session_t, int));
87 DEF_GNUTLS_FN (int, gnutls_anon_allocate_client_credentials,
88 (gnutls_anon_client_credentials_t *));
89 DEF_GNUTLS_FN (void, gnutls_anon_free_client_credentials,
90 (gnutls_anon_client_credentials_t));
91 DEF_GNUTLS_FN (int, gnutls_bye, (gnutls_session_t, gnutls_close_request_t));
92 DEF_GNUTLS_FN (int, gnutls_certificate_allocate_credentials,
93 (gnutls_certificate_credentials_t *));
94 DEF_GNUTLS_FN (void, gnutls_certificate_free_credentials,
95 (gnutls_certificate_credentials_t));
96 DEF_GNUTLS_FN (const gnutls_datum_t *, gnutls_certificate_get_peers,
97 (gnutls_session_t, unsigned int *));
98 DEF_GNUTLS_FN (void, gnutls_certificate_set_verify_flags,
99 (gnutls_certificate_credentials_t, unsigned int));
100 DEF_GNUTLS_FN (int, gnutls_certificate_set_x509_crl_file,
101 (gnutls_certificate_credentials_t, const char *,
102 gnutls_x509_crt_fmt_t));
103 DEF_GNUTLS_FN (int, gnutls_certificate_set_x509_key_file,
104 (gnutls_certificate_credentials_t, const char *, const char *,
105 gnutls_x509_crt_fmt_t));
106 DEF_GNUTLS_FN (int, gnutls_certificate_set_x509_trust_file,
107 (gnutls_certificate_credentials_t, const char *,
108 gnutls_x509_crt_fmt_t));
109 DEF_GNUTLS_FN (gnutls_certificate_type_t, gnutls_certificate_type_get,
110 (gnutls_session_t));
111 DEF_GNUTLS_FN (int, gnutls_certificate_verify_peers2,
112 (gnutls_session_t, unsigned int *));
113 DEF_GNUTLS_FN (int, gnutls_credentials_set,
114 (gnutls_session_t, gnutls_credentials_type_t, void *));
115 DEF_GNUTLS_FN (void, gnutls_deinit, (gnutls_session_t));
116 DEF_GNUTLS_FN (void, gnutls_dh_set_prime_bits,
117 (gnutls_session_t, unsigned int));
118 DEF_GNUTLS_FN (int, gnutls_error_is_fatal, (int));
119 DEF_GNUTLS_FN (int, gnutls_global_init, (void));
120 DEF_GNUTLS_FN (void, gnutls_global_set_log_function, (gnutls_log_func));
121 #ifdef HAVE_GNUTLS3
122 DEF_GNUTLS_FN (void, gnutls_global_set_audit_log_function, (gnutls_audit_log_func));
123 #endif
124 DEF_GNUTLS_FN (void, gnutls_global_set_log_level, (int));
125 DEF_GNUTLS_FN (void, gnutls_global_set_mem_functions,
126 (gnutls_alloc_function, gnutls_alloc_function,
127 gnutls_is_secure_function, gnutls_realloc_function,
128 gnutls_free_function));
129 DEF_GNUTLS_FN (int, gnutls_handshake, (gnutls_session_t));
130 DEF_GNUTLS_FN (int, gnutls_init, (gnutls_session_t *, gnutls_connection_end_t));
131 DEF_GNUTLS_FN (int, gnutls_priority_set_direct,
132 (gnutls_session_t, const char *, const char **));
133 DEF_GNUTLS_FN (size_t, gnutls_record_check_pending, (gnutls_session_t));
134 DEF_GNUTLS_FN (ssize_t, gnutls_record_recv, (gnutls_session_t, void *, size_t));
135 DEF_GNUTLS_FN (ssize_t, gnutls_record_send,
136 (gnutls_session_t, const void *, size_t));
137 DEF_GNUTLS_FN (const char *, gnutls_strerror, (int));
138 DEF_GNUTLS_FN (void, gnutls_transport_set_errno, (gnutls_session_t, int));
139 DEF_GNUTLS_FN (const char *, gnutls_check_version, (const char *));
140 DEF_GNUTLS_FN (void, gnutls_transport_set_lowat, (gnutls_session_t, int));
141 DEF_GNUTLS_FN (void, gnutls_transport_set_ptr2,
142 (gnutls_session_t, gnutls_transport_ptr_t,
143 gnutls_transport_ptr_t));
144 DEF_GNUTLS_FN (void, gnutls_transport_set_pull_function,
145 (gnutls_session_t, gnutls_pull_func));
146 DEF_GNUTLS_FN (void, gnutls_transport_set_push_function,
147 (gnutls_session_t, gnutls_push_func));
148 DEF_GNUTLS_FN (int, gnutls_x509_crt_check_hostname,
149 (gnutls_x509_crt_t, const char *));
150 DEF_GNUTLS_FN (void, gnutls_x509_crt_deinit, (gnutls_x509_crt_t));
151 DEF_GNUTLS_FN (int, gnutls_x509_crt_import,
152 (gnutls_x509_crt_t, const gnutls_datum_t *,
153 gnutls_x509_crt_fmt_t));
154 DEF_GNUTLS_FN (int, gnutls_x509_crt_init, (gnutls_x509_crt_t *));
155 DEF_GNUTLS_FN (int, gnutls_x509_crt_get_fingerprint,
156 (gnutls_x509_crt_t,
157 gnutls_digest_algorithm_t, void *, size_t *_buf));
158 DEF_GNUTLS_FN (int, gnutls_x509_crt_get_version,
159 (gnutls_x509_crt_t));
160 DEF_GNUTLS_FN (int, gnutls_x509_crt_get_serial,
161 (gnutls_x509_crt_t, void *, size_t *));
162 DEF_GNUTLS_FN (int, gnutls_x509_crt_get_issuer_dn,
163 (gnutls_x509_crt_t, char *, size_t *));
164 DEF_GNUTLS_FN (time_t, gnutls_x509_crt_get_activation_time,
165 (gnutls_x509_crt_t));
166 DEF_GNUTLS_FN (time_t, gnutls_x509_crt_get_expiration_time,
167 (gnutls_x509_crt_t));
168 DEF_GNUTLS_FN (int, gnutls_x509_crt_get_dn,
169 (gnutls_x509_crt_t, char *, size_t *));
170 DEF_GNUTLS_FN (int, gnutls_x509_crt_get_pk_algorithm,
171 (gnutls_x509_crt_t, unsigned int *));
172 DEF_GNUTLS_FN (int, gnutls_pk_algorithm_get_name, (gnutls_pk_algorithm_t));
173 DEF_GNUTLS_FN (int, gnutls_pk_bits_to_sec_param,
174 (gnutls_pk_algorithm_t, unsigned int));
175 DEF_GNUTLS_FN (int, gnutls_x509_crt_get_issuer_unique_id,
176 (gnutls_x509_crt_t, char *, size_t *));
177 DEF_GNUTLS_FN (int, gnutls_x509_crt_get_subject_unique_id,
178 (gnutls_x509_crt_t, char *, size_t *));
179 DEF_GNUTLS_FN (int, gnutls_x509_crt_get_signature_algorithm,
180 (gnutls_x509_crt_t));
181 DEF_GNUTLS_FN (int, gnutls_x509_crt_get_signature,
182 (gnutls_x509_crt_t, char *, size_t *));
183 DEF_GNUTLS_FN (int, gnutls_x509_crt_get_key_id,
184 (gnutls_x509_crt_t, unsigned int,
185 unsigned char *, size_t *_size));
186 DEF_GNUTLS_FN (const char*, gnutls_sec_param_get_name, (gnutls_sec_param_t));
187 DEF_GNUTLS_FN (const char*, gnutls_sign_algorithm_get_name,
188 (gnutls_sign_algorithm_t));
189
190 static bool
191 init_gnutls_functions (void)
192 {
193 HMODULE library;
194 int max_log_level = 1;
195
196 if (!(library = w32_delayed_load (Qgnutls_dll)))
197 {
198 GNUTLS_LOG (1, max_log_level, "GnuTLS library not found");
199 return 0;
200 }
201
202 LOAD_GNUTLS_FN (library, gnutls_alert_get);
203 LOAD_GNUTLS_FN (library, gnutls_alert_get_name);
204 LOAD_GNUTLS_FN (library, gnutls_alert_send_appropriate);
205 LOAD_GNUTLS_FN (library, gnutls_anon_allocate_client_credentials);
206 LOAD_GNUTLS_FN (library, gnutls_anon_free_client_credentials);
207 LOAD_GNUTLS_FN (library, gnutls_bye);
208 LOAD_GNUTLS_FN (library, gnutls_certificate_allocate_credentials);
209 LOAD_GNUTLS_FN (library, gnutls_certificate_free_credentials);
210 LOAD_GNUTLS_FN (library, gnutls_certificate_get_peers);
211 LOAD_GNUTLS_FN (library, gnutls_certificate_set_verify_flags);
212 LOAD_GNUTLS_FN (library, gnutls_certificate_set_x509_crl_file);
213 LOAD_GNUTLS_FN (library, gnutls_certificate_set_x509_key_file);
214 LOAD_GNUTLS_FN (library, gnutls_certificate_set_x509_trust_file);
215 LOAD_GNUTLS_FN (library, gnutls_certificate_type_get);
216 LOAD_GNUTLS_FN (library, gnutls_certificate_verify_peers2);
217 LOAD_GNUTLS_FN (library, gnutls_credentials_set);
218 LOAD_GNUTLS_FN (library, gnutls_deinit);
219 LOAD_GNUTLS_FN (library, gnutls_dh_set_prime_bits);
220 LOAD_GNUTLS_FN (library, gnutls_error_is_fatal);
221 LOAD_GNUTLS_FN (library, gnutls_global_init);
222 LOAD_GNUTLS_FN (library, gnutls_global_set_log_function);
223 #ifdef HAVE_GNUTLS3
224 LOAD_GNUTLS_FN (library, gnutls_global_set_audit_log_function);
225 #endif
226 LOAD_GNUTLS_FN (library, gnutls_global_set_log_level);
227 LOAD_GNUTLS_FN (library, gnutls_global_set_mem_functions);
228 LOAD_GNUTLS_FN (library, gnutls_handshake);
229 LOAD_GNUTLS_FN (library, gnutls_init);
230 LOAD_GNUTLS_FN (library, gnutls_priority_set_direct);
231 LOAD_GNUTLS_FN (library, gnutls_record_check_pending);
232 LOAD_GNUTLS_FN (library, gnutls_record_recv);
233 LOAD_GNUTLS_FN (library, gnutls_record_send);
234 LOAD_GNUTLS_FN (library, gnutls_strerror);
235 LOAD_GNUTLS_FN (library, gnutls_transport_set_errno);
236 LOAD_GNUTLS_FN (library, gnutls_check_version);
237 /* We don't need to call gnutls_transport_set_lowat in GnuTLS 2.11.1
238 and later, and the function was removed entirely in 3.0.0. */
239 if (!fn_gnutls_check_version ("2.11.1"))
240 LOAD_GNUTLS_FN (library, gnutls_transport_set_lowat);
241 LOAD_GNUTLS_FN (library, gnutls_transport_set_ptr2);
242 LOAD_GNUTLS_FN (library, gnutls_transport_set_pull_function);
243 LOAD_GNUTLS_FN (library, gnutls_transport_set_push_function);
244 LOAD_GNUTLS_FN (library, gnutls_x509_crt_check_hostname);
245 LOAD_GNUTLS_FN (library, gnutls_x509_crt_deinit);
246 LOAD_GNUTLS_FN (library, gnutls_x509_crt_import);
247 LOAD_GNUTLS_FN (library, gnutls_x509_crt_init);
248 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_fingerprint);
249 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_version);
250 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_serial);
251 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_issuer_dn);
252 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_activation_time);
253 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_expiration_time);
254 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_dn);
255 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_pk_algorithm);
256 LOAD_GNUTLS_FN (library, gnutls_pk_algorithm_get_name);
257 LOAD_GNUTLS_FN (library, gnutls_pk_bits_to_sec_param);
258 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_issuer_unique_id);
259 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_subject_unique_id);
260 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_signature_algorithm);
261 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_signature);
262 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_key_id);
263 LOAD_GNUTLS_FN (library, gnutls_sec_param_get_name);
264 LOAD_GNUTLS_FN (library, gnutls_sign_algorithm_get_name);
265
266 max_log_level = global_gnutls_log_level;
267
268 {
269 Lisp_Object name = CAR_SAFE (Fget (Qgnutls_dll, QCloaded_from));
270 GNUTLS_LOG2 (1, max_log_level, "GnuTLS library loaded:",
271 STRINGP (name) ? (const char *) SDATA (name) : "unknown");
272 }
273
274 return 1;
275 }
276
277 #else /* !WINDOWSNT */
278
279 #define fn_gnutls_alert_get gnutls_alert_get
280 #define fn_gnutls_alert_get_name gnutls_alert_get_name
281 #define fn_gnutls_alert_send_appropriate gnutls_alert_send_appropriate
282 #define fn_gnutls_anon_allocate_client_credentials gnutls_anon_allocate_client_credentials
283 #define fn_gnutls_anon_free_client_credentials gnutls_anon_free_client_credentials
284 #define fn_gnutls_bye gnutls_bye
285 #define fn_gnutls_certificate_allocate_credentials gnutls_certificate_allocate_credentials
286 #define fn_gnutls_certificate_free_credentials gnutls_certificate_free_credentials
287 #define fn_gnutls_certificate_get_peers gnutls_certificate_get_peers
288 #define fn_gnutls_certificate_set_verify_flags gnutls_certificate_set_verify_flags
289 #define fn_gnutls_certificate_set_x509_crl_file gnutls_certificate_set_x509_crl_file
290 #define fn_gnutls_certificate_set_x509_key_file gnutls_certificate_set_x509_key_file
291 #define fn_gnutls_certificate_set_x509_trust_file gnutls_certificate_set_x509_trust_file
292 #define fn_gnutls_certificate_type_get gnutls_certificate_type_get
293 #define fn_gnutls_certificate_verify_peers2 gnutls_certificate_verify_peers2
294 #define fn_gnutls_credentials_set gnutls_credentials_set
295 #define fn_gnutls_deinit gnutls_deinit
296 #define fn_gnutls_dh_set_prime_bits gnutls_dh_set_prime_bits
297 #define fn_gnutls_error_is_fatal gnutls_error_is_fatal
298 #define fn_gnutls_global_init gnutls_global_init
299 #define fn_gnutls_global_set_log_function gnutls_global_set_log_function
300 #ifdef HAVE_GNUTLS3
301 #define fn_gnutls_global_set_audit_log_function gnutls_global_set_audit_log_function
302 #endif
303 #define fn_gnutls_global_set_log_level gnutls_global_set_log_level
304 #define fn_gnutls_global_set_mem_functions gnutls_global_set_mem_functions
305 #define fn_gnutls_handshake gnutls_handshake
306 #define fn_gnutls_init gnutls_init
307 #define fn_gnutls_priority_set_direct gnutls_priority_set_direct
308 #define fn_gnutls_record_check_pending gnutls_record_check_pending
309 #define fn_gnutls_record_recv gnutls_record_recv
310 #define fn_gnutls_record_send gnutls_record_send
311 #define fn_gnutls_strerror gnutls_strerror
312 #ifdef WINDOWSNT
313 #define fn_gnutls_transport_set_errno gnutls_transport_set_errno
314 #endif
315 #define fn_gnutls_transport_set_ptr2 gnutls_transport_set_ptr2
316 #define fn_gnutls_x509_crt_check_hostname gnutls_x509_crt_check_hostname
317 #define fn_gnutls_x509_crt_deinit gnutls_x509_crt_deinit
318 #define fn_gnutls_x509_crt_import gnutls_x509_crt_import
319 #define fn_gnutls_x509_crt_init gnutls_x509_crt_init
320 #define fn_gnutls_x509_crt_get_fingerprint gnutls_x509_crt_get_fingerprint
321 #define fn_gnutls_x509_crt_get_version gnutls_x509_crt_get_version
322 #define fn_gnutls_x509_crt_get_serial gnutls_x509_crt_get_serial
323 #define fn_gnutls_x509_crt_get_issuer_dn gnutls_x509_crt_get_issuer_dn
324 #define fn_gnutls_x509_crt_get_activation_time gnutls_x509_crt_get_activation_time
325 #define fn_gnutls_x509_crt_get_expiration_time gnutls_x509_crt_get_expiration_time
326 #define fn_gnutls_x509_crt_get_dn gnutls_x509_crt_get_dn
327 #define fn_gnutls_x509_crt_get_pk_algorithm gnutls_x509_crt_get_pk_algorithm
328 #define fn_gnutls_pk_algorithm_get_name gnutls_pk_algorithm_get_name
329 #define fn_gnutls_pk_bits_to_sec_param gnutls_pk_bits_to_sec_param
330 #define fn_gnutls_x509_crt_get_issuer_unique_id gnutls_x509_crt_get_issuer_unique_id
331 #define fn_gnutls_x509_crt_get_subject_unique_id gnutls_x509_crt_get_subject_unique_id
332 #define fn_gnutls_x509_crt_get_signature_algorithm gnutls_x509_crt_get_signature_algorithm
333 #define fn_gnutls_x509_crt_get_signature gnutls_x509_crt_get_signature
334 #define fn_gnutls_x509_crt_get_key_id gnutls_x509_crt_get_key_id
335 #define fn_gnutls_sec_param_get_name gnutls_sec_param_get_name
336 #define fn_gnutls_sign_algorithm_get_name gnutls_sign_algorithm_get_name
337
338 #endif /* !WINDOWSNT */
339
340 \f
341 #ifdef HAVE_GNUTLS3
342 /* Function to log a simple audit message. */
343 static void
344 gnutls_audit_log_function (gnutls_session_t session, const char *string)
345 {
346 if (global_gnutls_log_level >= 1)
347 {
348 message ("gnutls.c: [audit] %s", string);
349 }
350 }
351 #endif
352
353 /* Function to log a simple message. */
354 static void
355 gnutls_log_function (int level, const char *string)
356 {
357 message ("gnutls.c: [%d] %s", level, string);
358 }
359
360 /* Function to log a message and a string. */
361 static void
362 gnutls_log_function2 (int level, const char *string, const char *extra)
363 {
364 message ("gnutls.c: [%d] %s %s", level, string, extra);
365 }
366
367 /* Function to log a message and an integer. */
368 static void
369 gnutls_log_function2i (int level, const char *string, int extra)
370 {
371 message ("gnutls.c: [%d] %s %d", level, string, extra);
372 }
373
374 static int
375 emacs_gnutls_handshake (struct Lisp_Process *proc)
376 {
377 gnutls_session_t state = proc->gnutls_state;
378 int ret;
379
380 if (proc->gnutls_initstage < GNUTLS_STAGE_HANDSHAKE_CANDO)
381 return -1;
382
383 if (proc->gnutls_initstage < GNUTLS_STAGE_TRANSPORT_POINTERS_SET)
384 {
385 #ifdef WINDOWSNT
386 /* On W32 we cannot transfer socket handles between different runtime
387 libraries, so we tell GnuTLS to use our special push/pull
388 functions. */
389 fn_gnutls_transport_set_ptr2 (state,
390 (gnutls_transport_ptr_t) proc,
391 (gnutls_transport_ptr_t) proc);
392 fn_gnutls_transport_set_push_function (state, &emacs_gnutls_push);
393 fn_gnutls_transport_set_pull_function (state, &emacs_gnutls_pull);
394
395 /* For non blocking sockets or other custom made pull/push
396 functions the gnutls_transport_set_lowat must be called, with
397 a zero low water mark value. (GnuTLS 2.10.4 documentation)
398
399 (Note: this is probably not strictly necessary as the lowat
400 value is only used when no custom pull/push functions are
401 set.) */
402 /* According to GnuTLS NEWS file, lowat level has been set to
403 zero by default in version 2.11.1, and the function
404 gnutls_transport_set_lowat was removed from the library in
405 version 2.99.0. */
406 if (!fn_gnutls_check_version ("2.11.1"))
407 fn_gnutls_transport_set_lowat (state, 0);
408 #else
409 /* This is how GnuTLS takes sockets: as file descriptors passed
410 in. For an Emacs process socket, infd and outfd are the
411 same but we use this two-argument version for clarity. */
412 fn_gnutls_transport_set_ptr2 (state,
413 (void *) (intptr_t) proc->infd,
414 (void *) (intptr_t) proc->outfd);
415 #endif
416
417 proc->gnutls_initstage = GNUTLS_STAGE_TRANSPORT_POINTERS_SET;
418 }
419
420 do
421 {
422 ret = fn_gnutls_handshake (state);
423 emacs_gnutls_handle_error (state, ret);
424 QUIT;
425 }
426 while (ret < 0 && fn_gnutls_error_is_fatal (ret) == 0);
427
428 proc->gnutls_initstage = GNUTLS_STAGE_HANDSHAKE_TRIED;
429
430 if (ret == GNUTLS_E_SUCCESS)
431 {
432 /* Here we're finally done. */
433 proc->gnutls_initstage = GNUTLS_STAGE_READY;
434 }
435 else
436 {
437 fn_gnutls_alert_send_appropriate (state, ret);
438 }
439 return ret;
440 }
441
442 ptrdiff_t
443 emacs_gnutls_record_check_pending (gnutls_session_t state)
444 {
445 return fn_gnutls_record_check_pending (state);
446 }
447
448 #ifdef WINDOWSNT
449 void
450 emacs_gnutls_transport_set_errno (gnutls_session_t state, int err)
451 {
452 fn_gnutls_transport_set_errno (state, err);
453 }
454 #endif
455
456 ptrdiff_t
457 emacs_gnutls_write (struct Lisp_Process *proc, const char *buf, ptrdiff_t nbyte)
458 {
459 ssize_t rtnval = 0;
460 ptrdiff_t bytes_written;
461 gnutls_session_t state = proc->gnutls_state;
462
463 if (proc->gnutls_initstage != GNUTLS_STAGE_READY)
464 {
465 errno = EAGAIN;
466 return 0;
467 }
468
469 bytes_written = 0;
470
471 while (nbyte > 0)
472 {
473 rtnval = fn_gnutls_record_send (state, buf, nbyte);
474
475 if (rtnval < 0)
476 {
477 if (rtnval == GNUTLS_E_INTERRUPTED)
478 continue;
479 else
480 {
481 /* If we get GNUTLS_E_AGAIN, then set errno
482 appropriately so that send_process retries the
483 correct way instead of erroring out. */
484 if (rtnval == GNUTLS_E_AGAIN)
485 errno = EAGAIN;
486 break;
487 }
488 }
489
490 buf += rtnval;
491 nbyte -= rtnval;
492 bytes_written += rtnval;
493 }
494
495 emacs_gnutls_handle_error (state, rtnval);
496 return (bytes_written);
497 }
498
499 ptrdiff_t
500 emacs_gnutls_read (struct Lisp_Process *proc, char *buf, ptrdiff_t nbyte)
501 {
502 ssize_t rtnval;
503 gnutls_session_t state = proc->gnutls_state;
504
505 int log_level = proc->gnutls_log_level;
506
507 if (proc->gnutls_initstage != GNUTLS_STAGE_READY)
508 {
509 /* If the handshake count is under the limit, try the handshake
510 again and increment the handshake count. This count is kept
511 per process (connection), not globally. */
512 if (proc->gnutls_handshakes_tried < GNUTLS_EMACS_HANDSHAKES_LIMIT)
513 {
514 proc->gnutls_handshakes_tried++;
515 emacs_gnutls_handshake (proc);
516 GNUTLS_LOG2i (5, log_level, "Retried handshake",
517 proc->gnutls_handshakes_tried);
518 return -1;
519 }
520
521 GNUTLS_LOG (2, log_level, "Giving up on handshake; resetting retries");
522 proc->gnutls_handshakes_tried = 0;
523 return 0;
524 }
525 rtnval = fn_gnutls_record_recv (state, buf, nbyte);
526 if (rtnval >= 0)
527 return rtnval;
528 else if (rtnval == GNUTLS_E_UNEXPECTED_PACKET_LENGTH)
529 /* The peer closed the connection. */
530 return 0;
531 else if (emacs_gnutls_handle_error (state, rtnval))
532 /* non-fatal error */
533 return -1;
534 else {
535 /* a fatal error occurred */
536 return 0;
537 }
538 }
539
540 /* Report a GnuTLS error to the user.
541 Return true if the error code was successfully handled. */
542 static bool
543 emacs_gnutls_handle_error (gnutls_session_t session, int err)
544 {
545 int max_log_level = 0;
546
547 bool ret;
548 const char *str;
549
550 /* TODO: use a Lisp_Object generated by gnutls_make_error? */
551 if (err >= 0)
552 return 1;
553
554 max_log_level = global_gnutls_log_level;
555
556 /* TODO: use gnutls-error-fatalp and gnutls-error-string. */
557
558 str = fn_gnutls_strerror (err);
559 if (!str)
560 str = "unknown";
561
562 if (fn_gnutls_error_is_fatal (err))
563 {
564 ret = 0;
565 GNUTLS_LOG2 (0, max_log_level, "fatal error:", str);
566 }
567 else
568 {
569 ret = 1;
570
571 switch (err)
572 {
573 case GNUTLS_E_AGAIN:
574 GNUTLS_LOG2 (3,
575 max_log_level,
576 "retry:",
577 str);
578 default:
579 GNUTLS_LOG2 (1,
580 max_log_level,
581 "non-fatal error:",
582 str);
583 }
584 }
585
586 if (err == GNUTLS_E_WARNING_ALERT_RECEIVED
587 || err == GNUTLS_E_FATAL_ALERT_RECEIVED)
588 {
589 int alert = fn_gnutls_alert_get (session);
590 int level = (err == GNUTLS_E_FATAL_ALERT_RECEIVED) ? 0 : 1;
591 str = fn_gnutls_alert_get_name (alert);
592 if (!str)
593 str = "unknown";
594
595 GNUTLS_LOG2 (level, max_log_level, "Received alert: ", str);
596 }
597 return ret;
598 }
599
600 /* convert an integer error to a Lisp_Object; it will be either a
601 known symbol like `gnutls_e_interrupted' and `gnutls_e_again' or
602 simply the integer value of the error. GNUTLS_E_SUCCESS is mapped
603 to Qt. */
604 static Lisp_Object
605 gnutls_make_error (int err)
606 {
607 switch (err)
608 {
609 case GNUTLS_E_SUCCESS:
610 return Qt;
611 case GNUTLS_E_AGAIN:
612 return Qgnutls_e_again;
613 case GNUTLS_E_INTERRUPTED:
614 return Qgnutls_e_interrupted;
615 case GNUTLS_E_INVALID_SESSION:
616 return Qgnutls_e_invalid_session;
617 }
618
619 return make_number (err);
620 }
621
622 Lisp_Object
623 emacs_gnutls_deinit (Lisp_Object proc)
624 {
625 int log_level;
626
627 CHECK_PROCESS (proc);
628
629 if (XPROCESS (proc)->gnutls_p == 0)
630 return Qnil;
631
632 log_level = XPROCESS (proc)->gnutls_log_level;
633
634 if (XPROCESS (proc)->gnutls_x509_cred)
635 {
636 GNUTLS_LOG (2, log_level, "Deallocating x509 credentials");
637 fn_gnutls_certificate_free_credentials (XPROCESS (proc)->gnutls_x509_cred);
638 XPROCESS (proc)->gnutls_x509_cred = NULL;
639 }
640
641 if (XPROCESS (proc)->gnutls_anon_cred)
642 {
643 GNUTLS_LOG (2, log_level, "Deallocating anon credentials");
644 fn_gnutls_anon_free_client_credentials (XPROCESS (proc)->gnutls_anon_cred);
645 XPROCESS (proc)->gnutls_anon_cred = NULL;
646 }
647
648 if (XPROCESS (proc)->gnutls_state)
649 {
650 fn_gnutls_deinit (XPROCESS (proc)->gnutls_state);
651 XPROCESS (proc)->gnutls_state = NULL;
652 if (GNUTLS_INITSTAGE (proc) >= GNUTLS_STAGE_INIT)
653 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_INIT - 1;
654 }
655
656 XPROCESS (proc)->gnutls_p = 0;
657 return Qt;
658 }
659
660 DEFUN ("gnutls-get-initstage", Fgnutls_get_initstage, Sgnutls_get_initstage, 1, 1, 0,
661 doc: /* Return the GnuTLS init stage of process PROC.
662 See also `gnutls-boot'. */)
663 (Lisp_Object proc)
664 {
665 CHECK_PROCESS (proc);
666
667 return make_number (GNUTLS_INITSTAGE (proc));
668 }
669
670 DEFUN ("gnutls-errorp", Fgnutls_errorp, Sgnutls_errorp, 1, 1, 0,
671 doc: /* Return t if ERROR indicates a GnuTLS problem.
672 ERROR is an integer or a symbol with an integer `gnutls-code' property.
673 usage: (gnutls-errorp ERROR) */)
674 (Lisp_Object err)
675 {
676 if (EQ (err, Qt)) return Qnil;
677
678 return Qt;
679 }
680
681 DEFUN ("gnutls-error-fatalp", Fgnutls_error_fatalp, Sgnutls_error_fatalp, 1, 1, 0,
682 doc: /* Check if ERROR is fatal.
683 ERROR is an integer or a symbol with an integer `gnutls-code' property.
684 usage: (gnutls-error-fatalp ERROR) */)
685 (Lisp_Object err)
686 {
687 Lisp_Object code;
688
689 if (EQ (err, Qt)) return Qnil;
690
691 if (SYMBOLP (err))
692 {
693 code = Fget (err, Qgnutls_code);
694 if (NUMBERP (code))
695 {
696 err = code;
697 }
698 else
699 {
700 error ("Symbol has no numeric gnutls-code property");
701 }
702 }
703
704 if (! TYPE_RANGED_INTEGERP (int, err))
705 error ("Not an error symbol or code");
706
707 if (0 == fn_gnutls_error_is_fatal (XINT (err)))
708 return Qnil;
709
710 return Qt;
711 }
712
713 DEFUN ("gnutls-error-string", Fgnutls_error_string, Sgnutls_error_string, 1, 1, 0,
714 doc: /* Return a description of ERROR.
715 ERROR is an integer or a symbol with an integer `gnutls-code' property.
716 usage: (gnutls-error-string ERROR) */)
717 (Lisp_Object err)
718 {
719 Lisp_Object code;
720
721 if (EQ (err, Qt)) return build_string ("Not an error");
722
723 if (SYMBOLP (err))
724 {
725 code = Fget (err, Qgnutls_code);
726 if (NUMBERP (code))
727 {
728 err = code;
729 }
730 else
731 {
732 return build_string ("Symbol has no numeric gnutls-code property");
733 }
734 }
735
736 if (! TYPE_RANGED_INTEGERP (int, err))
737 return build_string ("Not an error symbol or code");
738
739 return build_string (fn_gnutls_strerror (XINT (err)));
740 }
741
742 DEFUN ("gnutls-deinit", Fgnutls_deinit, Sgnutls_deinit, 1, 1, 0,
743 doc: /* Deallocate GnuTLS resources associated with process PROC.
744 See also `gnutls-init'. */)
745 (Lisp_Object proc)
746 {
747 return emacs_gnutls_deinit (proc);
748 }
749
750 DEFUN ("gnutls-available-p", Fgnutls_available_p, Sgnutls_available_p, 0, 0, 0,
751 doc: /* Return t if GnuTLS is available in this instance of Emacs. */)
752 (void)
753 {
754 #ifdef WINDOWSNT
755 Lisp_Object found = Fassq (Qgnutls_dll, Vlibrary_cache);
756 if (CONSP (found))
757 return XCDR (found);
758 else
759 {
760 Lisp_Object status;
761 status = init_gnutls_functions () ? Qt : Qnil;
762 Vlibrary_cache = Fcons (Fcons (Qgnutls_dll, status), Vlibrary_cache);
763 return status;
764 }
765 #else
766 return Qt;
767 #endif
768 }
769
770 Lisp_Object
771 gnutls_hex_string (char *buf, size_t buf_size, char *prefix) {
772 size_t prefix_length = strlen (prefix);
773 char *string = malloc (buf_size * 3 + prefix_length);
774 Lisp_Object ret;
775
776 strcpy (string, prefix);
777
778 for (int i = 0; i < buf_size; i++)
779 sprintf (string + i * 3 + prefix_length,
780 i == buf_size - 1? "%02x": "%02x:",
781 ((unsigned char*)buf)[i]);
782
783 ret = build_string (string);
784 free (string);
785 return ret;
786 }
787
788 Lisp_Object
789 gnutls_certificate_details (gnutls_x509_crt_t cert)
790 {
791 Lisp_Object res = Qnil;
792 int err;
793
794 /* Version. */
795 {
796 int version = fn_gnutls_x509_crt_get_version (cert);
797 if (version >= GNUTLS_E_SUCCESS)
798 res = nconc2 (res, list2 (intern (":version"),
799 make_number (version)));
800 }
801
802 /* Serial. */
803 {
804 size_t serial_size = 0;
805
806 err = fn_gnutls_x509_crt_get_serial (cert, NULL, &serial_size);
807 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER) {
808 char *serial = malloc (serial_size);
809 err = fn_gnutls_x509_crt_get_serial (cert, serial, &serial_size);
810 if (err >= GNUTLS_E_SUCCESS) {
811 res = nconc2 (res, list2 (intern (":serial-number"),
812 gnutls_hex_string (serial, serial_size, "")));
813 }
814 free (serial);
815 }
816 }
817
818 /* Issuer. */
819 {
820 size_t dn_size = 0;
821
822 err = fn_gnutls_x509_crt_get_issuer_dn (cert, NULL, &dn_size);
823 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER) {
824 char *dn = malloc (dn_size);
825 err = fn_gnutls_x509_crt_get_issuer_dn (cert, dn, &dn_size);
826 if (err >= GNUTLS_E_SUCCESS)
827 res = nconc2 (res, list2 (intern (":issuer"),
828 make_string (dn, dn_size)));
829 free (dn);
830 }
831 }
832
833 /* Validity. */
834 {
835 char buf[11];
836 size_t buf_size = sizeof (buf);
837 struct tm t;
838 time_t tim = fn_gnutls_x509_crt_get_activation_time (cert);
839
840 if (gmtime_r (&tim, &t) != NULL &&
841 strftime (buf, buf_size, "%Y-%m-%d", &t) != 0)
842 res = nconc2 (res, list2 (intern (":valid-from"), build_string (buf)));
843
844 tim = fn_gnutls_x509_crt_get_expiration_time (cert);
845 if (gmtime_r (&tim, &t) != NULL &&
846 strftime (buf, buf_size, "%Y-%m-%d", &t) != 0)
847 res = nconc2 (res, list2 (intern (":valid-to"), build_string (buf)));
848 }
849
850 /* Subject. */
851 {
852 size_t dn_size = 0;
853
854 err = fn_gnutls_x509_crt_get_dn (cert, NULL, &dn_size);
855 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER) {
856 char *dn = malloc (dn_size);
857 err = fn_gnutls_x509_crt_get_dn (cert, dn, &dn_size);
858 if (err >= GNUTLS_E_SUCCESS)
859 res = nconc2 (res, list2 (intern (":subject"),
860 make_string (dn, dn_size)));
861 free (dn);
862 }
863 }
864
865 /* SubjectPublicKeyInfo. */
866 {
867 unsigned int bits;
868
869 err = fn_gnutls_x509_crt_get_pk_algorithm (cert, &bits);
870 if (err >= GNUTLS_E_SUCCESS) {
871 const char *name = fn_gnutls_pk_algorithm_get_name (err);
872 if (name)
873 res = nconc2 (res, list2 (intern (":public-key-algorithm"),
874 build_string (name)));
875
876 name = fn_gnutls_sec_param_get_name (fn_gnutls_pk_bits_to_sec_param
877 (err, bits));
878 res = nconc2 (res, list2 (intern (":certificate-security-level"),
879 build_string (name)));
880 }
881 }
882
883 /* Unique IDs. */
884 {
885 size_t buf_size = 0;
886
887 err = fn_gnutls_x509_crt_get_issuer_unique_id (cert, NULL, &buf_size);
888 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER) {
889 char *buf = malloc (buf_size);
890 err = fn_gnutls_x509_crt_get_issuer_unique_id (cert, buf, &buf_size);
891 if (err >= GNUTLS_E_SUCCESS)
892 res = nconc2 (res, list2 (intern (":issuer-unique-id"),
893 make_string (buf, buf_size)));
894 free (buf);
895 }
896
897 buf_size = 0;
898 err = fn_gnutls_x509_crt_get_subject_unique_id (cert, NULL, &buf_size);
899 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER) {
900 char *buf = malloc (buf_size);
901 err = fn_gnutls_x509_crt_get_subject_unique_id (cert, buf, &buf_size);
902 if (err >= GNUTLS_E_SUCCESS)
903 res = nconc2 (res, list2 (intern (":subject-unique-id"),
904 make_string (buf, buf_size)));
905 free (buf);
906 }
907 }
908
909 /* Signature. */
910 {
911 size_t buf_size = 0;
912
913 err = fn_gnutls_x509_crt_get_signature_algorithm (cert);
914 if (err >= GNUTLS_E_SUCCESS) {
915 const char *name = fn_gnutls_sign_algorithm_get_name (err);
916 if (name)
917 res = nconc2 (res, list2 (intern (":signature-algorithm"),
918 build_string (name)));
919
920 err = fn_gnutls_x509_crt_get_signature (cert, NULL, &buf_size);
921 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER) {
922 char *buf = malloc (buf_size);
923 err = fn_gnutls_x509_crt_get_signature (cert, buf, &buf_size);
924 if (err >= GNUTLS_E_SUCCESS) {
925 res = nconc2 (res, list2 (intern (":signature"),
926 gnutls_hex_string (buf, buf_size, "")));
927 }
928 free (buf);
929 }
930 }
931 }
932
933 /* Public key ID. */
934 {
935 size_t buf_size = 0;
936
937 err = fn_gnutls_x509_crt_get_key_id (cert, 0, NULL, &buf_size);
938 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER) {
939 unsigned char *buf = malloc (buf_size);
940 err = fn_gnutls_x509_crt_get_key_id (cert, 0, buf, &buf_size);
941 if (err >= GNUTLS_E_SUCCESS)
942 res = nconc2 (res, list2 (intern (":public-key-id"),
943 gnutls_hex_string ((char *)buf,
944 buf_size, "sha1:")));
945 free (buf);
946 }
947 }
948
949 /* Certificate fingerprint. */
950 {
951 size_t buf_size = 0;
952
953 err = fn_gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1,
954 NULL, &buf_size);
955 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER) {
956 unsigned char *buf = malloc (buf_size);
957 err = fn_gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1,
958 buf, &buf_size);
959 if (err >= GNUTLS_E_SUCCESS)
960 res = nconc2 (res, list2 (intern (":certificate-id"),
961 gnutls_hex_string ((char *)buf,
962 buf_size, "sha1:")));
963 free (buf);
964 }
965 }
966
967 return res;
968 }
969
970 DEFUN ("gnutls-peer-status", Fgnutls_peer_status, Sgnutls_peer_status, 1, 1, 0,
971 doc: /* Return the status of the gnutls PROC peer certificate.
972 The return value is a property list. */)
973 (Lisp_Object proc)
974 {
975 Lisp_Object warnings = Qnil, result = Qnil;
976 unsigned int verification;
977
978 CHECK_PROCESS (proc);
979
980 if (XPROCESS (proc)->gnutls_p == 0)
981 return Qnil;
982
983 /* Then collect any warnings already computed by the handshake. */
984 verification = XPROCESS (proc)->gnutls_peer_verification;
985
986 if (verification & GNUTLS_CERT_INVALID)
987 warnings = Fcons (list2 (intern (":invalid"),
988 build_string("certificate could not be verified")),
989 warnings);
990
991 if (verification & GNUTLS_CERT_REVOKED)
992 warnings = Fcons (list2 (intern (":revoked"),
993 build_string("certificate was revoked (CRL)")),
994 warnings);
995
996 if (verification & GNUTLS_CERT_SIGNER_NOT_FOUND)
997 warnings = Fcons (list2 (intern (":self-signed"),
998 build_string("certificate signer was not found (self-signed)")),
999 warnings);
1000
1001 if (verification & GNUTLS_CERT_SIGNER_NOT_CA)
1002 warnings = Fcons (list2 (intern (":not-ca"),
1003 build_string("certificate signer is not a CA")),
1004 warnings);
1005
1006 if (verification & GNUTLS_CERT_INSECURE_ALGORITHM)
1007 warnings = Fcons (list2 (intern (":insecure"),
1008 build_string("certificate was signed with an insecure algorithm")),
1009 warnings);
1010
1011 if (verification & GNUTLS_CERT_NOT_ACTIVATED)
1012 warnings = Fcons (list2 (intern (":not-activated"),
1013 build_string("certificate is not yet activated")),
1014 warnings);
1015
1016 if (verification & GNUTLS_CERT_EXPIRED)
1017 warnings = Fcons (list2 (intern (":expired"),
1018 build_string("certificate has expired")),
1019 warnings);
1020
1021 if (XPROCESS (proc)->gnutls_extra_peer_verification &
1022 CERTIFICATE_NOT_MATCHING)
1023 warnings = Fcons (list2 (intern (":no-host-match"),
1024 build_string("certificate host does not match hostname")),
1025 warnings);
1026
1027 if (!NILP (warnings))
1028 result = list2 (intern (":warnings"), warnings);
1029
1030 result = nconc2 (result, list2
1031 (intern (":certificate"),
1032 gnutls_certificate_details(XPROCESS (proc)->gnutls_certificate)));
1033
1034 return result;
1035 }
1036
1037
1038 /* Initializes global GnuTLS state to defaults.
1039 Call `gnutls-global-deinit' when GnuTLS usage is no longer needed.
1040 Returns zero on success. */
1041 static Lisp_Object
1042 emacs_gnutls_global_init (void)
1043 {
1044 int ret = GNUTLS_E_SUCCESS;
1045
1046 if (!gnutls_global_initialized)
1047 {
1048 fn_gnutls_global_set_mem_functions (xmalloc, xmalloc, NULL,
1049 xrealloc, xfree);
1050 ret = fn_gnutls_global_init ();
1051 }
1052 gnutls_global_initialized = 1;
1053
1054 return gnutls_make_error (ret);
1055 }
1056
1057 #if 0
1058 /* Deinitializes global GnuTLS state.
1059 See also `gnutls-global-init'. */
1060 static Lisp_Object
1061 emacs_gnutls_global_deinit (void)
1062 {
1063 if (gnutls_global_initialized)
1064 gnutls_global_deinit ();
1065
1066 gnutls_global_initialized = 0;
1067
1068 return gnutls_make_error (GNUTLS_E_SUCCESS);
1069 }
1070 #endif
1071
1072 DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
1073 doc: /* Initialize GnuTLS client for process PROC with TYPE+PROPLIST.
1074 Currently only client mode is supported. Return a success/failure
1075 value you can check with `gnutls-errorp'.
1076
1077 TYPE is a symbol, either `gnutls-anon' or `gnutls-x509pki'.
1078 PROPLIST is a property list with the following keys:
1079
1080 :hostname is a string naming the remote host.
1081
1082 :priority is a GnuTLS priority string, defaults to "NORMAL".
1083
1084 :trustfiles is a list of PEM-encoded trust files for `gnutls-x509pki'.
1085
1086 :crlfiles is a list of PEM-encoded CRL lists for `gnutls-x509pki'.
1087
1088 :keylist is an alist of PEM-encoded key files and PEM-encoded
1089 certificates for `gnutls-x509pki'.
1090
1091 :callbacks is an alist of callback functions, see below.
1092
1093 :loglevel is the debug level requested from GnuTLS, try 4.
1094
1095 :verify-flags is a bitset as per GnuTLS'
1096 gnutls_certificate_set_verify_flags.
1097
1098 :verify-hostname-error is ignored. Pass :hostname in :verify-error
1099 instead.
1100
1101 :verify-error is a list of symbols to express verification checks or
1102 `t' to do all checks. Currently it can contain `:trustfiles' and
1103 `:hostname' to verify the certificate or the hostname respectively.
1104
1105 :min-prime-bits is the minimum accepted number of bits the client will
1106 accept in Diffie-Hellman key exchange.
1107
1108 The debug level will be set for this process AND globally for GnuTLS.
1109 So if you set it higher or lower at any point, it affects global
1110 debugging.
1111
1112 Note that the priority is set on the client. The server does not use
1113 the protocols's priority except for disabling protocols that were not
1114 specified.
1115
1116 Processes must be initialized with this function before other GnuTLS
1117 functions are used. This function allocates resources which can only
1118 be deallocated by calling `gnutls-deinit' or by calling it again.
1119
1120 The callbacks alist can have a `verify' key, associated with a
1121 verification function (UNUSED).
1122
1123 Each authentication type may need additional information in order to
1124 work. For X.509 PKI (`gnutls-x509pki'), you probably need at least
1125 one trustfile (usually a CA bundle). */)
1126 (Lisp_Object proc, Lisp_Object type, Lisp_Object proplist)
1127 {
1128 int ret = GNUTLS_E_SUCCESS;
1129 int max_log_level = 0;
1130 bool verify_error_all = 0;
1131
1132 gnutls_session_t state;
1133 gnutls_certificate_credentials_t x509_cred = NULL;
1134 gnutls_anon_client_credentials_t anon_cred = NULL;
1135 Lisp_Object global_init;
1136 char const *priority_string_ptr = "NORMAL"; /* default priority string. */
1137 unsigned int peer_verification;
1138 char *c_hostname;
1139
1140 /* Placeholders for the property list elements. */
1141 Lisp_Object priority_string;
1142 Lisp_Object trustfiles;
1143 Lisp_Object crlfiles;
1144 Lisp_Object keylist;
1145 /* Lisp_Object callbacks; */
1146 Lisp_Object loglevel;
1147 Lisp_Object hostname;
1148 Lisp_Object verify_error;
1149 Lisp_Object prime_bits;
1150
1151 CHECK_PROCESS (proc);
1152 CHECK_SYMBOL (type);
1153 CHECK_LIST (proplist);
1154
1155 if (NILP (Fgnutls_available_p ()))
1156 error ("GnuTLS not available");
1157
1158 if (!EQ (type, Qgnutls_x509pki) && !EQ (type, Qgnutls_anon))
1159 error ("Invalid GnuTLS credential type");
1160
1161 hostname = Fplist_get (proplist, QCgnutls_bootprop_hostname);
1162 priority_string = Fplist_get (proplist, QCgnutls_bootprop_priority);
1163 trustfiles = Fplist_get (proplist, QCgnutls_bootprop_trustfiles);
1164 keylist = Fplist_get (proplist, QCgnutls_bootprop_keylist);
1165 crlfiles = Fplist_get (proplist, QCgnutls_bootprop_crlfiles);
1166 loglevel = Fplist_get (proplist, QCgnutls_bootprop_loglevel);
1167 verify_error = Fplist_get (proplist, QCgnutls_bootprop_verify_error);
1168 prime_bits = Fplist_get (proplist, QCgnutls_bootprop_min_prime_bits);
1169
1170 if (EQ (verify_error, Qt))
1171 {
1172 verify_error_all = 1;
1173 }
1174 else if (NILP (Flistp (verify_error)))
1175 {
1176 error ("gnutls-boot: invalid :verify_error parameter (not a list)");
1177 }
1178
1179 if (!STRINGP (hostname))
1180 error ("gnutls-boot: invalid :hostname parameter (not a string)");
1181 c_hostname = SSDATA (hostname);
1182
1183 state = XPROCESS (proc)->gnutls_state;
1184
1185 if (TYPE_RANGED_INTEGERP (int, loglevel))
1186 {
1187 fn_gnutls_global_set_log_function (gnutls_log_function);
1188 #ifdef HAVE_GNUTLS3
1189 fn_gnutls_global_set_audit_log_function (gnutls_audit_log_function);
1190 #endif
1191 fn_gnutls_global_set_log_level (XINT (loglevel));
1192 max_log_level = XINT (loglevel);
1193 XPROCESS (proc)->gnutls_log_level = max_log_level;
1194 }
1195
1196 /* always initialize globals. */
1197 global_init = emacs_gnutls_global_init ();
1198 if (! NILP (Fgnutls_errorp (global_init)))
1199 return global_init;
1200
1201 /* Before allocating new credentials, deallocate any credentials
1202 that PROC might already have. */
1203 emacs_gnutls_deinit (proc);
1204
1205 /* Mark PROC as a GnuTLS process. */
1206 XPROCESS (proc)->gnutls_state = NULL;
1207 XPROCESS (proc)->gnutls_x509_cred = NULL;
1208 XPROCESS (proc)->gnutls_anon_cred = NULL;
1209 pset_gnutls_cred_type (XPROCESS (proc), type);
1210 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_EMPTY;
1211
1212 GNUTLS_LOG (1, max_log_level, "allocating credentials");
1213 if (EQ (type, Qgnutls_x509pki))
1214 {
1215 Lisp_Object verify_flags;
1216 unsigned int gnutls_verify_flags = GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
1217
1218 GNUTLS_LOG (2, max_log_level, "allocating x509 credentials");
1219 fn_gnutls_certificate_allocate_credentials (&x509_cred);
1220 XPROCESS (proc)->gnutls_x509_cred = x509_cred;
1221
1222 verify_flags = Fplist_get (proplist, QCgnutls_bootprop_verify_flags);
1223 if (NUMBERP (verify_flags))
1224 {
1225 gnutls_verify_flags = XINT (verify_flags);
1226 GNUTLS_LOG (2, max_log_level, "setting verification flags");
1227 }
1228 else if (NILP (verify_flags))
1229 GNUTLS_LOG (2, max_log_level, "using default verification flags");
1230 else
1231 GNUTLS_LOG (2, max_log_level, "ignoring invalid verify-flags");
1232
1233 fn_gnutls_certificate_set_verify_flags (x509_cred, gnutls_verify_flags);
1234 }
1235 else /* Qgnutls_anon: */
1236 {
1237 GNUTLS_LOG (2, max_log_level, "allocating anon credentials");
1238 fn_gnutls_anon_allocate_client_credentials (&anon_cred);
1239 XPROCESS (proc)->gnutls_anon_cred = anon_cred;
1240 }
1241
1242 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_CRED_ALLOC;
1243
1244 if (EQ (type, Qgnutls_x509pki))
1245 {
1246 /* TODO: GNUTLS_X509_FMT_DER is also an option. */
1247 int file_format = GNUTLS_X509_FMT_PEM;
1248 Lisp_Object tail;
1249
1250 for (tail = trustfiles; CONSP (tail); tail = XCDR (tail))
1251 {
1252 Lisp_Object trustfile = XCAR (tail);
1253 if (STRINGP (trustfile))
1254 {
1255 GNUTLS_LOG2 (1, max_log_level, "setting the trustfile: ",
1256 SSDATA (trustfile));
1257 trustfile = ENCODE_FILE (trustfile);
1258 #ifdef WINDOWSNT
1259 /* Since GnuTLS doesn't support UTF-8 or UTF-16 encoded
1260 file names on Windows, we need to re-encode the file
1261 name using the current ANSI codepage. */
1262 trustfile = ansi_encode_filename (trustfile);
1263 #endif
1264 ret = fn_gnutls_certificate_set_x509_trust_file
1265 (x509_cred,
1266 SSDATA (trustfile),
1267 file_format);
1268
1269 if (ret < GNUTLS_E_SUCCESS)
1270 return gnutls_make_error (ret);
1271 }
1272 else
1273 {
1274 emacs_gnutls_deinit (proc);
1275 error ("Invalid trustfile");
1276 }
1277 }
1278
1279 for (tail = crlfiles; CONSP (tail); tail = XCDR (tail))
1280 {
1281 Lisp_Object crlfile = XCAR (tail);
1282 if (STRINGP (crlfile))
1283 {
1284 GNUTLS_LOG2 (1, max_log_level, "setting the CRL file: ",
1285 SSDATA (crlfile));
1286 crlfile = ENCODE_FILE (crlfile);
1287 #ifdef WINDOWSNT
1288 crlfile = ansi_encode_filename (crlfile);
1289 #endif
1290 ret = fn_gnutls_certificate_set_x509_crl_file
1291 (x509_cred, SSDATA (crlfile), file_format);
1292
1293 if (ret < GNUTLS_E_SUCCESS)
1294 return gnutls_make_error (ret);
1295 }
1296 else
1297 {
1298 emacs_gnutls_deinit (proc);
1299 error ("Invalid CRL file");
1300 }
1301 }
1302
1303 for (tail = keylist; CONSP (tail); tail = XCDR (tail))
1304 {
1305 Lisp_Object keyfile = Fcar (XCAR (tail));
1306 Lisp_Object certfile = Fcar (Fcdr (XCAR (tail)));
1307 if (STRINGP (keyfile) && STRINGP (certfile))
1308 {
1309 GNUTLS_LOG2 (1, max_log_level, "setting the client key file: ",
1310 SSDATA (keyfile));
1311 GNUTLS_LOG2 (1, max_log_level, "setting the client cert file: ",
1312 SSDATA (certfile));
1313 keyfile = ENCODE_FILE (keyfile);
1314 certfile = ENCODE_FILE (certfile);
1315 #ifdef WINDOWSNT
1316 keyfile = ansi_encode_filename (keyfile);
1317 certfile = ansi_encode_filename (certfile);
1318 #endif
1319 ret = fn_gnutls_certificate_set_x509_key_file
1320 (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
1321
1322 if (ret < GNUTLS_E_SUCCESS)
1323 return gnutls_make_error (ret);
1324 }
1325 else
1326 {
1327 emacs_gnutls_deinit (proc);
1328 error (STRINGP (keyfile) ? "Invalid client cert file"
1329 : "Invalid client key file");
1330 }
1331 }
1332 }
1333
1334 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_FILES;
1335 GNUTLS_LOG (1, max_log_level, "gnutls callbacks");
1336 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_CALLBACKS;
1337
1338 /* Call gnutls_init here: */
1339
1340 GNUTLS_LOG (1, max_log_level, "gnutls_init");
1341 ret = fn_gnutls_init (&state, GNUTLS_CLIENT);
1342 XPROCESS (proc)->gnutls_state = state;
1343 if (ret < GNUTLS_E_SUCCESS)
1344 return gnutls_make_error (ret);
1345 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_INIT;
1346
1347 if (STRINGP (priority_string))
1348 {
1349 priority_string_ptr = SSDATA (priority_string);
1350 GNUTLS_LOG2 (1, max_log_level, "got non-default priority string:",
1351 priority_string_ptr);
1352 }
1353 else
1354 {
1355 GNUTLS_LOG2 (1, max_log_level, "using default priority string:",
1356 priority_string_ptr);
1357 }
1358
1359 GNUTLS_LOG (1, max_log_level, "setting the priority string");
1360 ret = fn_gnutls_priority_set_direct (state,
1361 priority_string_ptr,
1362 NULL);
1363 if (ret < GNUTLS_E_SUCCESS)
1364 return gnutls_make_error (ret);
1365
1366 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_PRIORITY;
1367
1368 if (INTEGERP (prime_bits))
1369 fn_gnutls_dh_set_prime_bits (state, XUINT (prime_bits));
1370
1371 ret = EQ (type, Qgnutls_x509pki)
1372 ? fn_gnutls_credentials_set (state, GNUTLS_CRD_CERTIFICATE, x509_cred)
1373 : fn_gnutls_credentials_set (state, GNUTLS_CRD_ANON, anon_cred);
1374 if (ret < GNUTLS_E_SUCCESS)
1375 return gnutls_make_error (ret);
1376
1377 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_CRED_SET;
1378 ret = emacs_gnutls_handshake (XPROCESS (proc));
1379 if (ret < GNUTLS_E_SUCCESS)
1380 return gnutls_make_error (ret);
1381
1382 /* Now verify the peer, following
1383 http://www.gnu.org/software/gnutls/manual/html_node/Verifying-peer_0027s-certificate.html.
1384 The peer should present at least one certificate in the chain; do a
1385 check of the certificate's hostname with
1386 gnutls_x509_crt_check_hostname() against :hostname. */
1387
1388 ret = fn_gnutls_certificate_verify_peers2 (state, &peer_verification);
1389 if (ret < GNUTLS_E_SUCCESS)
1390 return gnutls_make_error (ret);
1391
1392 XPROCESS (proc)->gnutls_peer_verification = peer_verification;
1393
1394 if (XINT (loglevel) > 0 && peer_verification & GNUTLS_CERT_INVALID)
1395 message ("%s certificate could not be verified.", c_hostname);
1396
1397 if (peer_verification & GNUTLS_CERT_REVOKED)
1398 GNUTLS_LOG2 (1, max_log_level, "certificate was revoked (CRL):",
1399 c_hostname);
1400
1401 if (peer_verification & GNUTLS_CERT_SIGNER_NOT_FOUND)
1402 GNUTLS_LOG2 (1, max_log_level, "certificate signer was not found:",
1403 c_hostname);
1404
1405 if (peer_verification & GNUTLS_CERT_SIGNER_NOT_CA)
1406 GNUTLS_LOG2 (1, max_log_level, "certificate signer is not a CA:",
1407 c_hostname);
1408
1409 if (peer_verification & GNUTLS_CERT_INSECURE_ALGORITHM)
1410 GNUTLS_LOG2 (1, max_log_level,
1411 "certificate was signed with an insecure algorithm:",
1412 c_hostname);
1413
1414 if (peer_verification & GNUTLS_CERT_NOT_ACTIVATED)
1415 GNUTLS_LOG2 (1, max_log_level, "certificate is not yet activated:",
1416 c_hostname);
1417
1418 if (peer_verification & GNUTLS_CERT_EXPIRED)
1419 GNUTLS_LOG2 (1, max_log_level, "certificate has expired:",
1420 c_hostname);
1421
1422 if (peer_verification != 0)
1423 {
1424 if (verify_error_all
1425 || !NILP (Fmember (QCgnutls_bootprop_trustfiles, verify_error)))
1426 {
1427 emacs_gnutls_deinit (proc);
1428 error ("Certificate validation failed %s, verification code %d",
1429 c_hostname, peer_verification);
1430 }
1431 else
1432 {
1433 GNUTLS_LOG2 (1, max_log_level, "certificate validation failed:",
1434 c_hostname);
1435 }
1436 }
1437
1438 /* Up to here the process is the same for X.509 certificates and
1439 OpenPGP keys. From now on X.509 certificates are assumed. This
1440 can be easily extended to work with openpgp keys as well. */
1441 if (fn_gnutls_certificate_type_get (state) == GNUTLS_CRT_X509)
1442 {
1443 gnutls_x509_crt_t gnutls_verify_cert;
1444 const gnutls_datum_t *gnutls_verify_cert_list;
1445 unsigned int gnutls_verify_cert_list_size;
1446
1447 ret = fn_gnutls_x509_crt_init (&gnutls_verify_cert);
1448 if (ret < GNUTLS_E_SUCCESS)
1449 return gnutls_make_error (ret);
1450
1451 gnutls_verify_cert_list =
1452 fn_gnutls_certificate_get_peers (state, &gnutls_verify_cert_list_size);
1453
1454 if (gnutls_verify_cert_list == NULL)
1455 {
1456 fn_gnutls_x509_crt_deinit (gnutls_verify_cert);
1457 emacs_gnutls_deinit (proc);
1458 error ("No x509 certificate was found\n");
1459 }
1460
1461 /* We only check the first certificate in the given chain. */
1462 ret = fn_gnutls_x509_crt_import (gnutls_verify_cert,
1463 &gnutls_verify_cert_list[0],
1464 GNUTLS_X509_FMT_DER);
1465
1466 if (ret < GNUTLS_E_SUCCESS)
1467 {
1468 fn_gnutls_x509_crt_deinit (gnutls_verify_cert);
1469 return gnutls_make_error (ret);
1470 }
1471
1472 XPROCESS (proc)->gnutls_certificate = gnutls_verify_cert;
1473
1474 if (!fn_gnutls_x509_crt_check_hostname (gnutls_verify_cert, c_hostname))
1475 {
1476 XPROCESS (proc)->gnutls_extra_peer_verification |=
1477 CERTIFICATE_NOT_MATCHING;
1478 if (verify_error_all
1479 || !NILP (Fmember (QCgnutls_bootprop_hostname, verify_error)))
1480 {
1481 fn_gnutls_x509_crt_deinit (gnutls_verify_cert);
1482 emacs_gnutls_deinit (proc);
1483 error ("The x509 certificate does not match \"%s\"", c_hostname);
1484 }
1485 else
1486 {
1487 GNUTLS_LOG2 (1, max_log_level, "x509 certificate does not match:",
1488 c_hostname);
1489 }
1490 }
1491 }
1492
1493 /* Set this flag only if the whole initialization succeeded. */
1494 XPROCESS (proc)->gnutls_p = 1;
1495
1496 return gnutls_make_error (ret);
1497 }
1498
1499 DEFUN ("gnutls-bye", Fgnutls_bye,
1500 Sgnutls_bye, 2, 2, 0,
1501 doc: /* Terminate current GnuTLS connection for process PROC.
1502 The connection should have been initiated using `gnutls-handshake'.
1503
1504 If CONT is not nil the TLS connection gets terminated and further
1505 receives and sends will be disallowed. If the return value is zero you
1506 may continue using the connection. If CONT is nil, GnuTLS actually
1507 sends an alert containing a close request and waits for the peer to
1508 reply with the same message. In order to reuse the connection you
1509 should wait for an EOF from the peer.
1510
1511 This function may also return `gnutls-e-again', or
1512 `gnutls-e-interrupted'. */)
1513 (Lisp_Object proc, Lisp_Object cont)
1514 {
1515 gnutls_session_t state;
1516 int ret;
1517
1518 CHECK_PROCESS (proc);
1519
1520 state = XPROCESS (proc)->gnutls_state;
1521
1522 fn_gnutls_x509_crt_deinit (XPROCESS (proc)->gnutls_certificate);
1523
1524 ret = fn_gnutls_bye (state,
1525 NILP (cont) ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
1526
1527 return gnutls_make_error (ret);
1528 }
1529
1530 void
1531 syms_of_gnutls (void)
1532 {
1533 gnutls_global_initialized = 0;
1534
1535 DEFSYM (Qgnutls_dll, "gnutls");
1536 DEFSYM (Qgnutls_code, "gnutls-code");
1537 DEFSYM (Qgnutls_anon, "gnutls-anon");
1538 DEFSYM (Qgnutls_x509pki, "gnutls-x509pki");
1539 DEFSYM (QCgnutls_bootprop_hostname, ":hostname");
1540 DEFSYM (QCgnutls_bootprop_priority, ":priority");
1541 DEFSYM (QCgnutls_bootprop_trustfiles, ":trustfiles");
1542 DEFSYM (QCgnutls_bootprop_keylist, ":keylist");
1543 DEFSYM (QCgnutls_bootprop_crlfiles, ":crlfiles");
1544 DEFSYM (QCgnutls_bootprop_callbacks, ":callbacks");
1545 DEFSYM (QCgnutls_bootprop_callbacks_verify, "verify");
1546 DEFSYM (QCgnutls_bootprop_min_prime_bits, ":min-prime-bits");
1547 DEFSYM (QCgnutls_bootprop_loglevel, ":loglevel");
1548 DEFSYM (QCgnutls_bootprop_verify_flags, ":verify-flags");
1549 DEFSYM (QCgnutls_bootprop_verify_error, ":verify-error");
1550
1551 DEFSYM (Qgnutls_e_interrupted, "gnutls-e-interrupted");
1552 Fput (Qgnutls_e_interrupted, Qgnutls_code,
1553 make_number (GNUTLS_E_INTERRUPTED));
1554
1555 DEFSYM (Qgnutls_e_again, "gnutls-e-again");
1556 Fput (Qgnutls_e_again, Qgnutls_code,
1557 make_number (GNUTLS_E_AGAIN));
1558
1559 DEFSYM (Qgnutls_e_invalid_session, "gnutls-e-invalid-session");
1560 Fput (Qgnutls_e_invalid_session, Qgnutls_code,
1561 make_number (GNUTLS_E_INVALID_SESSION));
1562
1563 DEFSYM (Qgnutls_e_not_ready_for_handshake, "gnutls-e-not-ready-for-handshake");
1564 Fput (Qgnutls_e_not_ready_for_handshake, Qgnutls_code,
1565 make_number (GNUTLS_E_APPLICATION_ERROR_MIN));
1566
1567 defsubr (&Sgnutls_get_initstage);
1568 defsubr (&Sgnutls_errorp);
1569 defsubr (&Sgnutls_error_fatalp);
1570 defsubr (&Sgnutls_error_string);
1571 defsubr (&Sgnutls_boot);
1572 defsubr (&Sgnutls_deinit);
1573 defsubr (&Sgnutls_bye);
1574 defsubr (&Sgnutls_available_p);
1575 defsubr (&Sgnutls_peer_status);
1576
1577 DEFVAR_INT ("gnutls-log-level", global_gnutls_log_level,
1578 doc: /* Logging level used by the GnuTLS functions.
1579 Set this larger than 0 to get debug output in the *Messages* buffer.
1580 1 is for important messages, 2 is for debug data, and higher numbers
1581 are as per the GnuTLS logging conventions. */);
1582 global_gnutls_log_level = 0;
1583 }
1584
1585 #endif /* HAVE_GNUTLS */
Emacs repository mirror