Merge from trunk.
[emacs.git] / src / gnutls.c
blobfc651d2c7e49b6587c7771494991da3dcfedee2c
1 /* GnuTLS glue for GNU Emacs.
2 Copyright (C) 2010-2011 Free Software Foundation, Inc.
4 This file is part of GNU Emacs.
6 GNU Emacs is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, either version 3 of the License, or
9 (at your option) any later version.
11 GNU Emacs is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>. */
19 #include <config.h>
20 #include <errno.h>
21 #include <setjmp.h>
23 #include "lisp.h"
24 #include "process.h"
26 #ifdef HAVE_GNUTLS
27 #include <gnutls/gnutls.h>
29 #ifdef WINDOWSNT
30 #include <windows.h>
31 #include "w32.h"
32 #endif
34 static int
35 emacs_gnutls_handle_error (gnutls_session_t, int err);
37 static Lisp_Object Qgnutls_dll;
38 static Lisp_Object Qgnutls_code;
39 static Lisp_Object Qgnutls_anon, Qgnutls_x509pki;
40 static Lisp_Object Qgnutls_e_interrupted, Qgnutls_e_again,
41 Qgnutls_e_invalid_session, Qgnutls_e_not_ready_for_handshake;
42 static int gnutls_global_initialized;
44 /* The following are for the property list of `gnutls-boot'. */
45 static Lisp_Object Qgnutls_bootprop_priority;
46 static Lisp_Object Qgnutls_bootprop_trustfiles;
47 static Lisp_Object Qgnutls_bootprop_keylist;
48 static Lisp_Object Qgnutls_bootprop_crlfiles;
49 static Lisp_Object Qgnutls_bootprop_callbacks;
50 static Lisp_Object Qgnutls_bootprop_loglevel;
51 static Lisp_Object Qgnutls_bootprop_hostname;
52 static Lisp_Object Qgnutls_bootprop_min_prime_bits;
53 static Lisp_Object Qgnutls_bootprop_verify_flags;
54 static Lisp_Object Qgnutls_bootprop_verify_hostname_error;
56 /* Callback keys for `gnutls-boot'. Unused currently. */
57 static Lisp_Object Qgnutls_bootprop_callbacks_verify;
59 static void gnutls_log_function (int, const char *);
60 static void gnutls_log_function2 (int, const char*, const char*);
63 #ifdef WINDOWSNT
65 /* Macro for defining functions that will be loaded from the GnuTLS DLL. */
66 #define DEF_GNUTLS_FN(rettype,func,args) static rettype (FAR CDECL *fn_##func)args
68 /* Macro for loading GnuTLS functions from the library. */
69 #define LOAD_GNUTLS_FN(lib,func) { \
70 fn_##func = (void *) GetProcAddress (lib, #func); \
71 if (!fn_##func) return 0; \
74 DEF_GNUTLS_FN (gnutls_alert_description_t, gnutls_alert_get,
75 (gnutls_session_t));
76 DEF_GNUTLS_FN (const char *, gnutls_alert_get_name,
77 (gnutls_alert_description_t));
78 DEF_GNUTLS_FN (int, gnutls_alert_send_appropriate, (gnutls_session_t, int));
79 DEF_GNUTLS_FN (int, gnutls_anon_allocate_client_credentials,
80 (gnutls_anon_client_credentials_t *));
81 DEF_GNUTLS_FN (void, gnutls_anon_free_client_credentials,
82 (gnutls_anon_client_credentials_t));
83 DEF_GNUTLS_FN (int, gnutls_bye, (gnutls_session_t, gnutls_close_request_t));
84 DEF_GNUTLS_FN (int, gnutls_certificate_allocate_credentials,
85 (gnutls_certificate_credentials_t *));
86 DEF_GNUTLS_FN (void, gnutls_certificate_free_credentials,
87 (gnutls_certificate_credentials_t));
88 DEF_GNUTLS_FN (const gnutls_datum_t *, gnutls_certificate_get_peers,
89 (gnutls_session_t, unsigned int *));
90 DEF_GNUTLS_FN (void, gnutls_certificate_set_verify_flags,
91 (gnutls_certificate_credentials_t, unsigned int));
92 DEF_GNUTLS_FN (int, gnutls_certificate_set_x509_crl_file,
93 (gnutls_certificate_credentials_t, const char *,
94 gnutls_x509_crt_fmt_t));
95 DEF_GNUTLS_FN (int, gnutls_certificate_set_x509_key_file,
96 (gnutls_certificate_credentials_t, const char *, const char *,
97 gnutls_x509_crt_fmt_t));
98 DEF_GNUTLS_FN (int, gnutls_certificate_set_x509_trust_file,
99 (gnutls_certificate_credentials_t, const char *,
100 gnutls_x509_crt_fmt_t));
101 DEF_GNUTLS_FN (gnutls_certificate_type_t, gnutls_certificate_type_get,
102 (gnutls_session_t));
103 DEF_GNUTLS_FN (int, gnutls_certificate_verify_peers2,
104 (gnutls_session_t, unsigned int *));
105 DEF_GNUTLS_FN (int, gnutls_credentials_set,
106 (gnutls_session_t, gnutls_credentials_type_t, void *));
107 DEF_GNUTLS_FN (void, gnutls_deinit, (gnutls_session_t));
108 DEF_GNUTLS_FN (void, gnutls_dh_set_prime_bits,
109 (gnutls_session_t, unsigned int));
110 DEF_GNUTLS_FN (int, gnutls_error_is_fatal, (int));
111 DEF_GNUTLS_FN (int, gnutls_global_init, (void));
112 DEF_GNUTLS_FN (void, gnutls_global_set_log_function, (gnutls_log_func));
113 DEF_GNUTLS_FN (void, gnutls_global_set_log_level, (int));
114 DEF_GNUTLS_FN (void, gnutls_global_set_mem_functions,
115 (gnutls_alloc_function, gnutls_alloc_function,
116 gnutls_is_secure_function, gnutls_realloc_function,
117 gnutls_free_function));
118 DEF_GNUTLS_FN (int, gnutls_handshake, (gnutls_session_t));
119 DEF_GNUTLS_FN (int, gnutls_init, (gnutls_session_t *, gnutls_connection_end_t));
120 DEF_GNUTLS_FN (int, gnutls_priority_set_direct,
121 (gnutls_session_t, const char *, const char **));
122 DEF_GNUTLS_FN (size_t, gnutls_record_check_pending, (gnutls_session_t));
123 DEF_GNUTLS_FN (ssize_t, gnutls_record_recv, (gnutls_session_t, void *, size_t));
124 DEF_GNUTLS_FN (ssize_t, gnutls_record_send,
125 (gnutls_session_t, const void *, size_t));
126 DEF_GNUTLS_FN (const char *, gnutls_strerror, (int));
127 DEF_GNUTLS_FN (void, gnutls_transport_set_errno, (gnutls_session_t, int));
128 DEF_GNUTLS_FN (void, gnutls_transport_set_lowat, (gnutls_session_t, int));
129 DEF_GNUTLS_FN (void, gnutls_transport_set_ptr2,
130 (gnutls_session_t, gnutls_transport_ptr_t,
131 gnutls_transport_ptr_t));
132 DEF_GNUTLS_FN (void, gnutls_transport_set_pull_function,
133 (gnutls_session_t, gnutls_pull_func));
134 DEF_GNUTLS_FN (void, gnutls_transport_set_push_function,
135 (gnutls_session_t, gnutls_push_func));
136 DEF_GNUTLS_FN (int, gnutls_x509_crt_check_hostname,
137 (gnutls_x509_crt_t, const char *));
138 DEF_GNUTLS_FN (void, gnutls_x509_crt_deinit, (gnutls_x509_crt_t));
139 DEF_GNUTLS_FN (int, gnutls_x509_crt_import,
140 (gnutls_x509_crt_t, const gnutls_datum_t *,
141 gnutls_x509_crt_fmt_t));
142 DEF_GNUTLS_FN (int, gnutls_x509_crt_init, (gnutls_x509_crt_t *));
144 static int
145 init_gnutls_functions (Lisp_Object libraries)
147 HMODULE library;
148 int max_log_level = 1;
150 if (!(library = w32_delayed_load (libraries, Qgnutls_dll)))
152 GNUTLS_LOG (1, max_log_level, "GnuTLS library not found");
153 return 0;
156 LOAD_GNUTLS_FN (library, gnutls_alert_get);
157 LOAD_GNUTLS_FN (library, gnutls_alert_get_name);
158 LOAD_GNUTLS_FN (library, gnutls_alert_send_appropriate);
159 LOAD_GNUTLS_FN (library, gnutls_anon_allocate_client_credentials);
160 LOAD_GNUTLS_FN (library, gnutls_anon_free_client_credentials);
161 LOAD_GNUTLS_FN (library, gnutls_bye);
162 LOAD_GNUTLS_FN (library, gnutls_certificate_allocate_credentials);
163 LOAD_GNUTLS_FN (library, gnutls_certificate_free_credentials);
164 LOAD_GNUTLS_FN (library, gnutls_certificate_get_peers);
165 LOAD_GNUTLS_FN (library, gnutls_certificate_set_verify_flags);
166 LOAD_GNUTLS_FN (library, gnutls_certificate_set_x509_crl_file);
167 LOAD_GNUTLS_FN (library, gnutls_certificate_set_x509_key_file);
168 LOAD_GNUTLS_FN (library, gnutls_certificate_set_x509_trust_file);
169 LOAD_GNUTLS_FN (library, gnutls_certificate_type_get);
170 LOAD_GNUTLS_FN (library, gnutls_certificate_verify_peers2);
171 LOAD_GNUTLS_FN (library, gnutls_credentials_set);
172 LOAD_GNUTLS_FN (library, gnutls_deinit);
173 LOAD_GNUTLS_FN (library, gnutls_dh_set_prime_bits);
174 LOAD_GNUTLS_FN (library, gnutls_error_is_fatal);
175 LOAD_GNUTLS_FN (library, gnutls_global_init);
176 LOAD_GNUTLS_FN (library, gnutls_global_set_log_function);
177 LOAD_GNUTLS_FN (library, gnutls_global_set_log_level);
178 LOAD_GNUTLS_FN (library, gnutls_global_set_mem_functions);
179 LOAD_GNUTLS_FN (library, gnutls_handshake);
180 LOAD_GNUTLS_FN (library, gnutls_init);
181 LOAD_GNUTLS_FN (library, gnutls_priority_set_direct);
182 LOAD_GNUTLS_FN (library, gnutls_record_check_pending);
183 LOAD_GNUTLS_FN (library, gnutls_record_recv);
184 LOAD_GNUTLS_FN (library, gnutls_record_send);
185 LOAD_GNUTLS_FN (library, gnutls_strerror);
186 LOAD_GNUTLS_FN (library, gnutls_transport_set_errno);
187 LOAD_GNUTLS_FN (library, gnutls_transport_set_lowat);
188 LOAD_GNUTLS_FN (library, gnutls_transport_set_ptr2);
189 LOAD_GNUTLS_FN (library, gnutls_transport_set_pull_function);
190 LOAD_GNUTLS_FN (library, gnutls_transport_set_push_function);
191 LOAD_GNUTLS_FN (library, gnutls_x509_crt_check_hostname);
192 LOAD_GNUTLS_FN (library, gnutls_x509_crt_deinit);
193 LOAD_GNUTLS_FN (library, gnutls_x509_crt_import);
194 LOAD_GNUTLS_FN (library, gnutls_x509_crt_init);
196 max_log_level = global_gnutls_log_level;
198 GNUTLS_LOG2 (1, max_log_level, "GnuTLS library loaded:",
199 SDATA (Fget (Qgnutls_dll, QCloaded_from)));
200 return 1;
203 #else /* !WINDOWSNT */
205 #define fn_gnutls_alert_get gnutls_alert_get
206 #define fn_gnutls_alert_get_name gnutls_alert_get_name
207 #define fn_gnutls_alert_send_appropriate gnutls_alert_send_appropriate
208 #define fn_gnutls_anon_allocate_client_credentials gnutls_anon_allocate_client_credentials
209 #define fn_gnutls_anon_free_client_credentials gnutls_anon_free_client_credentials
210 #define fn_gnutls_bye gnutls_bye
211 #define fn_gnutls_certificate_allocate_credentials gnutls_certificate_allocate_credentials
212 #define fn_gnutls_certificate_free_credentials gnutls_certificate_free_credentials
213 #define fn_gnutls_certificate_get_peers gnutls_certificate_get_peers
214 #define fn_gnutls_certificate_set_verify_flags gnutls_certificate_set_verify_flags
215 #define fn_gnutls_certificate_set_x509_crl_file gnutls_certificate_set_x509_crl_file
216 #define fn_gnutls_certificate_set_x509_key_file gnutls_certificate_set_x509_key_file
217 #define fn_gnutls_certificate_set_x509_trust_file gnutls_certificate_set_x509_trust_file
218 #define fn_gnutls_certificate_type_get gnutls_certificate_type_get
219 #define fn_gnutls_certificate_verify_peers2 gnutls_certificate_verify_peers2
220 #define fn_gnutls_credentials_set gnutls_credentials_set
221 #define fn_gnutls_deinit gnutls_deinit
222 #define fn_gnutls_dh_set_prime_bits gnutls_dh_set_prime_bits
223 #define fn_gnutls_error_is_fatal gnutls_error_is_fatal
224 #define fn_gnutls_global_init gnutls_global_init
225 #define fn_gnutls_global_set_log_function gnutls_global_set_log_function
226 #define fn_gnutls_global_set_log_level gnutls_global_set_log_level
227 #define fn_gnutls_global_set_mem_functions gnutls_global_set_mem_functions
228 #define fn_gnutls_handshake gnutls_handshake
229 #define fn_gnutls_init gnutls_init
230 #define fn_gnutls_priority_set_direct gnutls_priority_set_direct
231 #define fn_gnutls_record_check_pending gnutls_record_check_pending
232 #define fn_gnutls_record_recv gnutls_record_recv
233 #define fn_gnutls_record_send gnutls_record_send
234 #define fn_gnutls_strerror gnutls_strerror
235 #define fn_gnutls_transport_set_errno gnutls_transport_set_errno
236 #define fn_gnutls_transport_set_ptr2 gnutls_transport_set_ptr2
237 #define fn_gnutls_x509_crt_check_hostname gnutls_x509_crt_check_hostname
238 #define fn_gnutls_x509_crt_deinit gnutls_x509_crt_deinit
239 #define fn_gnutls_x509_crt_import gnutls_x509_crt_import
240 #define fn_gnutls_x509_crt_init gnutls_x509_crt_init
242 #endif /* !WINDOWSNT */
245 static void
246 gnutls_log_function (int level, const char* string)
248 message ("gnutls.c: [%d] %s", level, string);
251 static void
252 gnutls_log_function2 (int level, const char* string, const char* extra)
254 message ("gnutls.c: [%d] %s %s", level, string, extra);
257 static int
258 emacs_gnutls_handshake (struct Lisp_Process *proc)
260 gnutls_session_t state = proc->gnutls_state;
261 int ret;
263 if (proc->gnutls_initstage < GNUTLS_STAGE_HANDSHAKE_CANDO)
264 return -1;
266 if (proc->gnutls_initstage < GNUTLS_STAGE_TRANSPORT_POINTERS_SET)
268 #ifdef WINDOWSNT
269 /* On W32 we cannot transfer socket handles between different runtime
270 libraries, so we tell GnuTLS to use our special push/pull
271 functions. */
272 fn_gnutls_transport_set_ptr2 (state,
273 (gnutls_transport_ptr_t) proc,
274 (gnutls_transport_ptr_t) proc);
275 fn_gnutls_transport_set_push_function (state, &emacs_gnutls_push);
276 fn_gnutls_transport_set_pull_function (state, &emacs_gnutls_pull);
278 /* For non blocking sockets or other custom made pull/push
279 functions the gnutls_transport_set_lowat must be called, with
280 a zero low water mark value. (GnuTLS 2.10.4 documentation)
282 (Note: this is probably not strictly necessary as the lowat
283 value is only used when no custom pull/push functions are
284 set.) */
285 fn_gnutls_transport_set_lowat (state, 0);
286 #else
287 /* This is how GnuTLS takes sockets: as file descriptors passed
288 in. For an Emacs process socket, infd and outfd are the
289 same but we use this two-argument version for clarity. */
290 fn_gnutls_transport_set_ptr2 (state,
291 (gnutls_transport_ptr_t) (long) proc->infd,
292 (gnutls_transport_ptr_t) (long) proc->outfd);
293 #endif
295 proc->gnutls_initstage = GNUTLS_STAGE_TRANSPORT_POINTERS_SET;
300 ret = fn_gnutls_handshake (state);
301 emacs_gnutls_handle_error (state, ret);
303 while (ret < 0 && fn_gnutls_error_is_fatal (ret) == 0);
305 proc->gnutls_initstage = GNUTLS_STAGE_HANDSHAKE_TRIED;
307 if (ret == GNUTLS_E_SUCCESS)
309 /* Here we're finally done. */
310 proc->gnutls_initstage = GNUTLS_STAGE_READY;
312 else
314 fn_gnutls_alert_send_appropriate (state, ret);
316 return ret;
320 emacs_gnutls_record_check_pending (gnutls_session_t state)
322 return fn_gnutls_record_check_pending (state);
325 void
326 emacs_gnutls_transport_set_errno (gnutls_session_t state, int err)
328 fn_gnutls_transport_set_errno (state, err);
331 EMACS_INT
332 emacs_gnutls_write (struct Lisp_Process *proc, const char *buf, EMACS_INT nbyte)
334 ssize_t rtnval = 0;
335 EMACS_INT bytes_written;
336 gnutls_session_t state = proc->gnutls_state;
338 if (proc->gnutls_initstage != GNUTLS_STAGE_READY) {
339 #ifdef EWOULDBLOCK
340 errno = EWOULDBLOCK;
341 #endif
342 #ifdef EAGAIN
343 errno = EAGAIN;
344 #endif
345 return 0;
348 bytes_written = 0;
350 while (nbyte > 0)
352 rtnval = fn_gnutls_record_send (state, buf, nbyte);
354 if (rtnval < 0)
356 if (rtnval == GNUTLS_E_AGAIN || rtnval == GNUTLS_E_INTERRUPTED)
357 continue;
358 else
359 break;
362 buf += rtnval;
363 nbyte -= rtnval;
364 bytes_written += rtnval;
367 emacs_gnutls_handle_error (state, rtnval);
368 return (bytes_written);
371 EMACS_INT
372 emacs_gnutls_read (struct Lisp_Process *proc, char *buf, EMACS_INT nbyte)
374 ssize_t rtnval;
375 gnutls_session_t state = proc->gnutls_state;
377 if (proc->gnutls_initstage != GNUTLS_STAGE_READY)
379 emacs_gnutls_handshake (proc);
380 return -1;
382 rtnval = fn_gnutls_record_recv (state, buf, nbyte);
383 if (rtnval >= 0)
384 return rtnval;
385 else if (rtnval == GNUTLS_E_UNEXPECTED_PACKET_LENGTH)
386 /* The peer closed the connection. */
387 return 0;
388 else if (emacs_gnutls_handle_error (state, rtnval) == 0)
389 /* non-fatal error */
390 return -1;
391 else {
392 /* a fatal error occurred */
393 return 0;
397 /* report a GnuTLS error to the user.
398 Returns zero if the error code was successfully handled. */
399 static int
400 emacs_gnutls_handle_error (gnutls_session_t session, int err)
402 int max_log_level = 0;
404 int ret;
405 const char *str;
407 /* TODO: use a Lisp_Object generated by gnutls_make_error? */
408 if (err >= 0)
409 return 0;
411 max_log_level = global_gnutls_log_level;
413 /* TODO: use gnutls-error-fatalp and gnutls-error-string. */
415 str = fn_gnutls_strerror (err);
416 if (!str)
417 str = "unknown";
419 if (fn_gnutls_error_is_fatal (err))
421 ret = err;
422 GNUTLS_LOG2 (0, max_log_level, "fatal error:", str);
424 else
426 ret = 0;
427 GNUTLS_LOG2 (1, max_log_level, "non-fatal error:", str);
428 /* TODO: EAGAIN AKA Qgnutls_e_again should be level 2. */
431 if (err == GNUTLS_E_WARNING_ALERT_RECEIVED
432 || err == GNUTLS_E_FATAL_ALERT_RECEIVED)
434 int alert = fn_gnutls_alert_get (session);
435 int level = (err == GNUTLS_E_FATAL_ALERT_RECEIVED) ? 0 : 1;
436 str = fn_gnutls_alert_get_name (alert);
437 if (!str)
438 str = "unknown";
440 GNUTLS_LOG2 (level, max_log_level, "Received alert: ", str);
442 return ret;
445 /* convert an integer error to a Lisp_Object; it will be either a
446 known symbol like `gnutls_e_interrupted' and `gnutls_e_again' or
447 simply the integer value of the error. GNUTLS_E_SUCCESS is mapped
448 to Qt. */
449 static Lisp_Object
450 gnutls_make_error (int err)
452 switch (err)
454 case GNUTLS_E_SUCCESS:
455 return Qt;
456 case GNUTLS_E_AGAIN:
457 return Qgnutls_e_again;
458 case GNUTLS_E_INTERRUPTED:
459 return Qgnutls_e_interrupted;
460 case GNUTLS_E_INVALID_SESSION:
461 return Qgnutls_e_invalid_session;
464 return make_number (err);
467 DEFUN ("gnutls-get-initstage", Fgnutls_get_initstage, Sgnutls_get_initstage, 1, 1, 0,
468 doc: /* Return the GnuTLS init stage of process PROC.
469 See also `gnutls-boot'. */)
470 (Lisp_Object proc)
472 CHECK_PROCESS (proc);
474 return make_number (GNUTLS_INITSTAGE (proc));
477 DEFUN ("gnutls-errorp", Fgnutls_errorp, Sgnutls_errorp, 1, 1, 0,
478 doc: /* Return t if ERROR indicates a GnuTLS problem.
479 ERROR is an integer or a symbol with an integer `gnutls-code' property.
480 usage: (gnutls-errorp ERROR) */)
481 (Lisp_Object err)
483 if (EQ (err, Qt)) return Qnil;
485 return Qt;
488 DEFUN ("gnutls-error-fatalp", Fgnutls_error_fatalp, Sgnutls_error_fatalp, 1, 1, 0,
489 doc: /* Check if ERROR is fatal.
490 ERROR is an integer or a symbol with an integer `gnutls-code' property.
491 usage: (gnutls-error-fatalp ERROR) */)
492 (Lisp_Object err)
494 Lisp_Object code;
496 if (EQ (err, Qt)) return Qnil;
498 if (SYMBOLP (err))
500 code = Fget (err, Qgnutls_code);
501 if (NUMBERP (code))
503 err = code;
505 else
507 error ("Symbol has no numeric gnutls-code property");
511 if (!NUMBERP (err))
512 error ("Not an error symbol or code");
514 if (0 == fn_gnutls_error_is_fatal (XINT (err)))
515 return Qnil;
517 return Qt;
520 DEFUN ("gnutls-error-string", Fgnutls_error_string, Sgnutls_error_string, 1, 1, 0,
521 doc: /* Return a description of ERROR.
522 ERROR is an integer or a symbol with an integer `gnutls-code' property.
523 usage: (gnutls-error-string ERROR) */)
524 (Lisp_Object err)
526 Lisp_Object code;
528 if (EQ (err, Qt)) return build_string ("Not an error");
530 if (SYMBOLP (err))
532 code = Fget (err, Qgnutls_code);
533 if (NUMBERP (code))
535 err = code;
537 else
539 return build_string ("Symbol has no numeric gnutls-code property");
543 if (!NUMBERP (err))
544 return build_string ("Not an error symbol or code");
546 return build_string (fn_gnutls_strerror (XINT (err)));
549 DEFUN ("gnutls-deinit", Fgnutls_deinit, Sgnutls_deinit, 1, 1, 0,
550 doc: /* Deallocate GnuTLS resources associated with process PROC.
551 See also `gnutls-init'. */)
552 (Lisp_Object proc)
554 gnutls_session_t state;
556 CHECK_PROCESS (proc);
557 state = XPROCESS (proc)->gnutls_state;
559 if (GNUTLS_INITSTAGE (proc) >= GNUTLS_STAGE_INIT)
561 fn_gnutls_deinit (state);
562 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_INIT - 1;
565 return Qt;
568 DEFUN ("gnutls-available-p", Fgnutls_available_p, Sgnutls_available_p, 0, 0, 0,
569 doc: /* Return t if GnuTLS is available in this instance of Emacs. */)
570 (void)
572 #ifdef WINDOWSNT
573 Lisp_Object found = Fassq (Qgnutls_dll, Vlibrary_cache);
574 if (CONSP (found))
575 return XCDR (found);
576 else
578 Lisp_Object status;
579 status = init_gnutls_functions (Vdynamic_library_alist) ? Qt : Qnil;
580 Vlibrary_cache = Fcons (Fcons (Qgnutls_dll, status), Vlibrary_cache);
581 return status;
583 #else
584 return Qt;
585 #endif
589 /* Initializes global GnuTLS state to defaults.
590 Call `gnutls-global-deinit' when GnuTLS usage is no longer needed.
591 Returns zero on success. */
592 static Lisp_Object
593 emacs_gnutls_global_init (void)
595 int ret = GNUTLS_E_SUCCESS;
597 if (!gnutls_global_initialized)
599 fn_gnutls_global_set_mem_functions (xmalloc, xmalloc, NULL,
600 xrealloc, xfree);
601 ret = fn_gnutls_global_init ();
603 gnutls_global_initialized = 1;
605 return gnutls_make_error (ret);
608 #if 0
609 /* Deinitializes global GnuTLS state.
610 See also `gnutls-global-init'. */
611 static Lisp_Object
612 emacs_gnutls_global_deinit (void)
614 if (gnutls_global_initialized)
615 gnutls_global_deinit ();
617 gnutls_global_initialized = 0;
619 return gnutls_make_error (GNUTLS_E_SUCCESS);
621 #endif
623 DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
624 doc: /* Initialize GnuTLS client for process PROC with TYPE+PROPLIST.
625 Currently only client mode is supported. Returns a success/failure
626 value you can check with `gnutls-errorp'.
628 TYPE is a symbol, either `gnutls-anon' or `gnutls-x509pki'.
629 PROPLIST is a property list with the following keys:
631 :hostname is a string naming the remote host.
633 :priority is a GnuTLS priority string, defaults to "NORMAL".
635 :trustfiles is a list of PEM-encoded trust files for `gnutls-x509pki'.
637 :crlfiles is a list of PEM-encoded CRL lists for `gnutls-x509pki'.
639 :keylist is an alist of PEM-encoded key files and PEM-encoded
640 certificates for `gnutls-x509pki'.
642 :callbacks is an alist of callback functions, see below.
644 :loglevel is the debug level requested from GnuTLS, try 4.
646 :verify-flags is a bitset as per GnuTLS'
647 gnutls_certificate_set_verify_flags.
649 :verify-hostname-error, if non-nil, makes a hostname mismatch an
650 error. Otherwise it will be just a warning.
652 :min-prime-bits is the minimum accepted number of bits the client will
653 accept in Diffie-Hellman key exchange.
655 The debug level will be set for this process AND globally for GnuTLS.
656 So if you set it higher or lower at any point, it affects global
657 debugging.
659 Note that the priority is set on the client. The server does not use
660 the protocols's priority except for disabling protocols that were not
661 specified.
663 Processes must be initialized with this function before other GnuTLS
664 functions are used. This function allocates resources which can only
665 be deallocated by calling `gnutls-deinit' or by calling it again.
667 The callbacks alist can have a `verify' key, associated with a
668 verification function (UNUSED).
670 Each authentication type may need additional information in order to
671 work. For X.509 PKI (`gnutls-x509pki'), you probably need at least
672 one trustfile (usually a CA bundle). */)
673 (Lisp_Object proc, Lisp_Object type, Lisp_Object proplist)
675 int ret = GNUTLS_E_SUCCESS;
677 int max_log_level = 0;
679 /* TODO: GNUTLS_X509_FMT_DER is also an option. */
680 int file_format = GNUTLS_X509_FMT_PEM;
682 unsigned int gnutls_verify_flags = GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
683 gnutls_x509_crt_t gnutls_verify_cert;
684 unsigned int gnutls_verify_cert_list_size;
685 const gnutls_datum_t *gnutls_verify_cert_list;
687 gnutls_session_t state;
688 gnutls_certificate_credentials_t x509_cred;
689 gnutls_anon_client_credentials_t anon_cred;
690 Lisp_Object global_init;
691 char const *priority_string_ptr = "NORMAL"; /* default priority string. */
692 Lisp_Object tail;
693 unsigned int peer_verification;
694 char* c_hostname;
696 /* Placeholders for the property list elements. */
697 Lisp_Object priority_string;
698 Lisp_Object trustfiles;
699 Lisp_Object crlfiles;
700 Lisp_Object keylist;
701 /* Lisp_Object callbacks; */
702 Lisp_Object loglevel;
703 Lisp_Object hostname;
704 Lisp_Object verify_flags;
705 /* Lisp_Object verify_error; */
706 Lisp_Object verify_hostname_error;
707 Lisp_Object prime_bits;
709 CHECK_PROCESS (proc);
710 CHECK_SYMBOL (type);
711 CHECK_LIST (proplist);
713 if (NILP (Fgnutls_available_p ()))
715 error ("GnuTLS not available");
716 return gnutls_make_error (GNUTLS_EMACS_ERROR_NOT_LOADED);
719 hostname = Fplist_get (proplist, Qgnutls_bootprop_hostname);
720 priority_string = Fplist_get (proplist, Qgnutls_bootprop_priority);
721 trustfiles = Fplist_get (proplist, Qgnutls_bootprop_trustfiles);
722 keylist = Fplist_get (proplist, Qgnutls_bootprop_keylist);
723 crlfiles = Fplist_get (proplist, Qgnutls_bootprop_crlfiles);
724 /* callbacks = Fplist_get (proplist, Qgnutls_bootprop_callbacks); */
725 loglevel = Fplist_get (proplist, Qgnutls_bootprop_loglevel);
726 verify_flags = Fplist_get (proplist, Qgnutls_bootprop_verify_flags);
727 /* verify_error = Fplist_get (proplist, Qgnutls_bootprop_verify_error); */
728 verify_hostname_error = Fplist_get (proplist, Qgnutls_bootprop_verify_hostname_error);
729 prime_bits = Fplist_get (proplist, Qgnutls_bootprop_min_prime_bits);
731 if (!STRINGP (hostname))
732 error ("gnutls-boot: invalid :hostname parameter");
734 c_hostname = SSDATA (hostname);
736 state = XPROCESS (proc)->gnutls_state;
737 XPROCESS (proc)->gnutls_p = 1;
739 if (NUMBERP (loglevel))
741 fn_gnutls_global_set_log_function (gnutls_log_function);
742 fn_gnutls_global_set_log_level (XINT (loglevel));
743 max_log_level = XINT (loglevel);
744 XPROCESS (proc)->gnutls_log_level = max_log_level;
747 /* always initialize globals. */
748 global_init = emacs_gnutls_global_init ();
749 if (! NILP (Fgnutls_errorp (global_init)))
750 return global_init;
752 /* deinit and free resources. */
753 if (GNUTLS_INITSTAGE (proc) >= GNUTLS_STAGE_CRED_ALLOC)
755 GNUTLS_LOG (1, max_log_level, "deallocating credentials");
757 if (EQ (type, Qgnutls_x509pki))
759 GNUTLS_LOG (2, max_log_level, "deallocating x509 credentials");
760 x509_cred = XPROCESS (proc)->gnutls_x509_cred;
761 fn_gnutls_certificate_free_credentials (x509_cred);
763 else if (EQ (type, Qgnutls_anon))
765 GNUTLS_LOG (2, max_log_level, "deallocating anon credentials");
766 anon_cred = XPROCESS (proc)->gnutls_anon_cred;
767 fn_gnutls_anon_free_client_credentials (anon_cred);
769 else
771 error ("unknown credential type");
772 ret = GNUTLS_EMACS_ERROR_INVALID_TYPE;
775 if (GNUTLS_INITSTAGE (proc) >= GNUTLS_STAGE_INIT)
777 GNUTLS_LOG (1, max_log_level, "deallocating x509 credentials");
778 Fgnutls_deinit (proc);
782 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_EMPTY;
784 GNUTLS_LOG (1, max_log_level, "allocating credentials");
786 if (EQ (type, Qgnutls_x509pki))
788 GNUTLS_LOG (2, max_log_level, "allocating x509 credentials");
789 x509_cred = XPROCESS (proc)->gnutls_x509_cred;
790 fn_gnutls_certificate_allocate_credentials (&x509_cred);
792 if (NUMBERP (verify_flags))
794 gnutls_verify_flags = XINT (verify_flags);
795 GNUTLS_LOG (2, max_log_level, "setting verification flags");
797 else if (NILP (verify_flags))
799 /* The default is already GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT. */
800 GNUTLS_LOG (2, max_log_level, "using default verification flags");
802 else
804 /* The default is already GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT. */
805 GNUTLS_LOG (2, max_log_level, "ignoring invalid verify-flags");
807 fn_gnutls_certificate_set_verify_flags (x509_cred, gnutls_verify_flags);
809 else if (EQ (type, Qgnutls_anon))
811 GNUTLS_LOG (2, max_log_level, "allocating anon credentials");
812 anon_cred = XPROCESS (proc)->gnutls_anon_cred;
813 fn_gnutls_anon_allocate_client_credentials (&anon_cred);
815 else
817 error ("unknown credential type");
818 ret = GNUTLS_EMACS_ERROR_INVALID_TYPE;
821 if (ret < GNUTLS_E_SUCCESS)
822 return gnutls_make_error (ret);
824 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_CRED_ALLOC;
826 if (EQ (type, Qgnutls_x509pki))
828 for (tail = trustfiles; !NILP (tail); tail = Fcdr (tail))
830 Lisp_Object trustfile = Fcar (tail);
831 if (STRINGP (trustfile))
833 GNUTLS_LOG2 (1, max_log_level, "setting the trustfile: ",
834 SSDATA (trustfile));
835 ret = fn_gnutls_certificate_set_x509_trust_file
836 (x509_cred,
837 SSDATA (trustfile),
838 file_format);
840 if (ret < GNUTLS_E_SUCCESS)
841 return gnutls_make_error (ret);
843 else
845 error ("Sorry, GnuTLS can't use non-string trustfile %s",
846 SDATA (trustfile));
850 for (tail = crlfiles; !NILP (tail); tail = Fcdr (tail))
852 Lisp_Object crlfile = Fcar (tail);
853 if (STRINGP (crlfile))
855 GNUTLS_LOG2 (1, max_log_level, "setting the CRL file: ",
856 SSDATA (crlfile));
857 ret = fn_gnutls_certificate_set_x509_crl_file
858 (x509_cred,
859 SSDATA (crlfile),
860 file_format);
862 if (ret < GNUTLS_E_SUCCESS)
863 return gnutls_make_error (ret);
865 else
867 error ("Sorry, GnuTLS can't use non-string CRL file %s",
868 SDATA (crlfile));
872 for (tail = keylist; !NILP (tail); tail = Fcdr (tail))
874 Lisp_Object keyfile = Fcar (Fcar (tail));
875 Lisp_Object certfile = Fcar (Fcdr (tail));
876 if (STRINGP (keyfile) && STRINGP (certfile))
878 GNUTLS_LOG2 (1, max_log_level, "setting the client key file: ",
879 SSDATA (keyfile));
880 GNUTLS_LOG2 (1, max_log_level, "setting the client cert file: ",
881 SSDATA (certfile));
882 ret = fn_gnutls_certificate_set_x509_key_file
883 (x509_cred,
884 SSDATA (certfile),
885 SSDATA (keyfile),
886 file_format);
888 if (ret < GNUTLS_E_SUCCESS)
889 return gnutls_make_error (ret);
891 else
893 if (STRINGP (keyfile))
894 error ("Sorry, GnuTLS can't use non-string client cert file %s",
895 SDATA (certfile));
896 else
897 error ("Sorry, GnuTLS can't use non-string client key file %s",
898 SDATA (keyfile));
903 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_FILES;
905 GNUTLS_LOG (1, max_log_level, "gnutls callbacks");
907 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_CALLBACKS;
909 #ifdef HAVE_GNUTLS_CALLBACK_CERTIFICATE_VERIFY
910 #else
911 #endif
913 GNUTLS_LOG (1, max_log_level, "gnutls_init");
915 ret = fn_gnutls_init (&state, GNUTLS_CLIENT);
917 if (ret < GNUTLS_E_SUCCESS)
918 return gnutls_make_error (ret);
920 XPROCESS (proc)->gnutls_state = state;
922 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_INIT;
924 if (STRINGP (priority_string))
926 priority_string_ptr = SSDATA (priority_string);
927 GNUTLS_LOG2 (1, max_log_level, "got non-default priority string:",
928 priority_string_ptr);
930 else
932 GNUTLS_LOG2 (1, max_log_level, "using default priority string:",
933 priority_string_ptr);
936 GNUTLS_LOG (1, max_log_level, "setting the priority string");
938 ret = fn_gnutls_priority_set_direct (state,
939 priority_string_ptr,
940 NULL);
942 if (ret < GNUTLS_E_SUCCESS)
943 return gnutls_make_error (ret);
945 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_PRIORITY;
947 if (!EQ (prime_bits, Qnil))
949 fn_gnutls_dh_set_prime_bits (state, XUINT (prime_bits));
952 if (EQ (type, Qgnutls_x509pki))
954 ret = fn_gnutls_credentials_set (state, GNUTLS_CRD_CERTIFICATE, x509_cred);
956 else if (EQ (type, Qgnutls_anon))
958 ret = fn_gnutls_credentials_set (state, GNUTLS_CRD_ANON, anon_cred);
960 else
962 error ("unknown credential type");
963 ret = GNUTLS_EMACS_ERROR_INVALID_TYPE;
966 if (ret < GNUTLS_E_SUCCESS)
967 return gnutls_make_error (ret);
969 XPROCESS (proc)->gnutls_anon_cred = anon_cred;
970 XPROCESS (proc)->gnutls_x509_cred = x509_cred;
971 XPROCESS (proc)->gnutls_cred_type = type;
973 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_CRED_SET;
975 ret = emacs_gnutls_handshake (XPROCESS (proc));
977 if (ret < GNUTLS_E_SUCCESS)
978 return gnutls_make_error (ret);
980 /* Now verify the peer, following
981 http://www.gnu.org/software/gnutls/manual/html_node/Verifying-peer_0027s-certificate.html.
982 The peer should present at least one certificate in the chain; do a
983 check of the certificate's hostname with
984 gnutls_x509_crt_check_hostname() against :hostname. */
986 ret = fn_gnutls_certificate_verify_peers2 (state, &peer_verification);
988 if (ret < GNUTLS_E_SUCCESS)
989 return gnutls_make_error (ret);
991 if (XINT (loglevel) > 0 && peer_verification & GNUTLS_CERT_INVALID)
992 message ("%s certificate could not be verified.",
993 c_hostname);
995 if (peer_verification & GNUTLS_CERT_REVOKED)
996 GNUTLS_LOG2 (1, max_log_level, "certificate was revoked (CRL):",
997 c_hostname);
999 if (peer_verification & GNUTLS_CERT_SIGNER_NOT_FOUND)
1000 GNUTLS_LOG2 (1, max_log_level, "certificate signer was not found:",
1001 c_hostname);
1003 if (peer_verification & GNUTLS_CERT_SIGNER_NOT_CA)
1004 GNUTLS_LOG2 (1, max_log_level, "certificate signer is not a CA:",
1005 c_hostname);
1007 if (peer_verification & GNUTLS_CERT_INSECURE_ALGORITHM)
1008 GNUTLS_LOG2 (1, max_log_level,
1009 "certificate was signed with an insecure algorithm:",
1010 c_hostname);
1012 if (peer_verification & GNUTLS_CERT_NOT_ACTIVATED)
1013 GNUTLS_LOG2 (1, max_log_level, "certificate is not yet activated:",
1014 c_hostname);
1016 if (peer_verification & GNUTLS_CERT_EXPIRED)
1017 GNUTLS_LOG2 (1, max_log_level, "certificate has expired:",
1018 c_hostname);
1020 if (peer_verification != 0)
1022 if (NILP (verify_hostname_error))
1024 GNUTLS_LOG2 (1, max_log_level, "certificate validation failed:",
1025 c_hostname);
1027 else
1029 error ("Certificate validation failed %s, verification code %d",
1030 c_hostname, peer_verification);
1034 /* Up to here the process is the same for X.509 certificates and
1035 OpenPGP keys. From now on X.509 certificates are assumed. This
1036 can be easily extended to work with openpgp keys as well. */
1037 if (fn_gnutls_certificate_type_get (state) == GNUTLS_CRT_X509)
1039 ret = fn_gnutls_x509_crt_init (&gnutls_verify_cert);
1041 if (ret < GNUTLS_E_SUCCESS)
1042 return gnutls_make_error (ret);
1044 gnutls_verify_cert_list =
1045 fn_gnutls_certificate_get_peers (state, &gnutls_verify_cert_list_size);
1047 if (NULL == gnutls_verify_cert_list)
1049 error ("No x509 certificate was found!\n");
1052 /* We only check the first certificate in the given chain. */
1053 ret = fn_gnutls_x509_crt_import (gnutls_verify_cert,
1054 &gnutls_verify_cert_list[0],
1055 GNUTLS_X509_FMT_DER);
1057 if (ret < GNUTLS_E_SUCCESS)
1059 fn_gnutls_x509_crt_deinit (gnutls_verify_cert);
1060 return gnutls_make_error (ret);
1063 if (!fn_gnutls_x509_crt_check_hostname (gnutls_verify_cert, c_hostname))
1065 if (NILP (verify_hostname_error))
1067 GNUTLS_LOG2 (1, max_log_level, "x509 certificate does not match:",
1068 c_hostname);
1070 else
1072 fn_gnutls_x509_crt_deinit (gnutls_verify_cert);
1073 error ("The x509 certificate does not match \"%s\"",
1074 c_hostname);
1078 fn_gnutls_x509_crt_deinit (gnutls_verify_cert);
1081 return gnutls_make_error (ret);
1084 DEFUN ("gnutls-bye", Fgnutls_bye,
1085 Sgnutls_bye, 2, 2, 0,
1086 doc: /* Terminate current GnuTLS connection for process PROC.
1087 The connection should have been initiated using `gnutls-handshake'.
1089 If CONT is not nil the TLS connection gets terminated and further
1090 receives and sends will be disallowed. If the return value is zero you
1091 may continue using the connection. If CONT is nil, GnuTLS actually
1092 sends an alert containing a close request and waits for the peer to
1093 reply with the same message. In order to reuse the connection you
1094 should wait for an EOF from the peer.
1096 This function may also return `gnutls-e-again', or
1097 `gnutls-e-interrupted'. */)
1098 (Lisp_Object proc, Lisp_Object cont)
1100 gnutls_session_t state;
1101 int ret;
1103 CHECK_PROCESS (proc);
1105 state = XPROCESS (proc)->gnutls_state;
1107 ret = fn_gnutls_bye (state,
1108 NILP (cont) ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
1110 return gnutls_make_error (ret);
1113 void
1114 syms_of_gnutls (void)
1116 gnutls_global_initialized = 0;
1118 DEFSYM (Qgnutls_dll, "gnutls");
1119 DEFSYM (Qgnutls_code, "gnutls-code");
1120 DEFSYM (Qgnutls_anon, "gnutls-anon");
1121 DEFSYM (Qgnutls_x509pki, "gnutls-x509pki");
1122 DEFSYM (Qgnutls_bootprop_hostname, ":hostname");
1123 DEFSYM (Qgnutls_bootprop_priority, ":priority");
1124 DEFSYM (Qgnutls_bootprop_trustfiles, ":trustfiles");
1125 DEFSYM (Qgnutls_bootprop_keylist, ":keylist");
1126 DEFSYM (Qgnutls_bootprop_crlfiles, ":crlfiles");
1127 DEFSYM (Qgnutls_bootprop_callbacks, ":callbacks");
1128 DEFSYM (Qgnutls_bootprop_callbacks_verify, "verify");
1129 DEFSYM (Qgnutls_bootprop_min_prime_bits, ":min-prime-bits");
1130 DEFSYM (Qgnutls_bootprop_loglevel, ":loglevel");
1131 DEFSYM (Qgnutls_bootprop_verify_flags, ":verify-flags");
1132 DEFSYM (Qgnutls_bootprop_verify_hostname_error, ":verify-hostname-error");
1134 DEFSYM (Qgnutls_e_interrupted, "gnutls-e-interrupted");
1135 Fput (Qgnutls_e_interrupted, Qgnutls_code,
1136 make_number (GNUTLS_E_INTERRUPTED));
1138 DEFSYM (Qgnutls_e_again, "gnutls-e-again");
1139 Fput (Qgnutls_e_again, Qgnutls_code,
1140 make_number (GNUTLS_E_AGAIN));
1142 DEFSYM (Qgnutls_e_invalid_session, "gnutls-e-invalid-session");
1143 Fput (Qgnutls_e_invalid_session, Qgnutls_code,
1144 make_number (GNUTLS_E_INVALID_SESSION));
1146 DEFSYM (Qgnutls_e_not_ready_for_handshake, "gnutls-e-not-ready-for-handshake");
1147 Fput (Qgnutls_e_not_ready_for_handshake, Qgnutls_code,
1148 make_number (GNUTLS_E_APPLICATION_ERROR_MIN));
1150 defsubr (&Sgnutls_get_initstage);
1151 defsubr (&Sgnutls_errorp);
1152 defsubr (&Sgnutls_error_fatalp);
1153 defsubr (&Sgnutls_error_string);
1154 defsubr (&Sgnutls_boot);
1155 defsubr (&Sgnutls_deinit);
1156 defsubr (&Sgnutls_bye);
1157 defsubr (&Sgnutls_available_p);
1159 DEFVAR_INT ("gnutls-log-level", global_gnutls_log_level,
1160 doc: /* Logging level used by the GnuTLS functions. */);
1161 global_gnutls_log_level = 0;
1164 #endif /* HAVE_GNUTLS */