]> code.delx.au - gnu-emacs/blob - src/gnutls.c
delx.au / code / gnu-emacs / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge from origin/emacs-24
[gnu-emacs] / src / gnutls.c
1 /* GnuTLS glue for GNU Emacs.
2 Copyright (C) 2010-2014 Free Software Foundation, Inc.
3
4 This file is part of GNU Emacs.
5
6 GNU Emacs is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, either version 3 of the License, or
9 (at your option) any later version.
10
11 GNU Emacs is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>. */
18
19 #include <config.h>
20 #include <errno.h>
21 #include <stdio.h>
22
23 #include "lisp.h"
24 #include "process.h"
25 #include "coding.h"
26
27 #ifdef HAVE_GNUTLS
28 #include <gnutls/gnutls.h>
29
30 #ifdef WINDOWSNT
31 #include <windows.h>
32 #include "w32.h"
33 #endif
34
35 static bool emacs_gnutls_handle_error (gnutls_session_t, int);
36
37 static Lisp_Object Qgnutls_dll;
38 static Lisp_Object Qgnutls_code;
39 static Lisp_Object Qgnutls_anon, Qgnutls_x509pki;
40 static Lisp_Object Qgnutls_e_interrupted, Qgnutls_e_again,
41 Qgnutls_e_invalid_session, Qgnutls_e_not_ready_for_handshake;
42 static bool gnutls_global_initialized;
43
44 /* The following are for the property list of `gnutls-boot'. */
45 static Lisp_Object QCgnutls_bootprop_priority;
46 static Lisp_Object QCgnutls_bootprop_trustfiles;
47 static Lisp_Object QCgnutls_bootprop_keylist;
48 static Lisp_Object QCgnutls_bootprop_crlfiles;
49 static Lisp_Object QCgnutls_bootprop_callbacks;
50 static Lisp_Object QCgnutls_bootprop_loglevel;
51 static Lisp_Object QCgnutls_bootprop_hostname;
52 static Lisp_Object QCgnutls_bootprop_min_prime_bits;
53 static Lisp_Object QCgnutls_bootprop_verify_flags;
54 static Lisp_Object QCgnutls_bootprop_verify_error;
55
56 /* Callback keys for `gnutls-boot'. Unused currently. */
57 static Lisp_Object QCgnutls_bootprop_callbacks_verify;
58
59 static void gnutls_log_function (int, const char *);
60 static void gnutls_log_function2 (int, const char *, const char *);
61 #ifdef HAVE_GNUTLS3
62 static void gnutls_audit_log_function (gnutls_session_t, const char *);
63 #endif
64
65 enum extra_peer_verification
66 {
67 CERTIFICATE_NOT_MATCHING = 2
68 };
69
70 \f
71 #ifdef WINDOWSNT
72
73 /* Macro for defining functions that will be loaded from the GnuTLS DLL. */
74 #define DEF_GNUTLS_FN(rettype,func,args) static rettype (FAR CDECL *fn_##func)args
75
76 /* Macro for loading GnuTLS functions from the library. */
77 #define LOAD_GNUTLS_FN(lib,func) { \
78 fn_##func = (void *) GetProcAddress (lib, #func); \
79 if (!fn_##func) return 0; \
80 }
81
82 DEF_GNUTLS_FN (gnutls_alert_description_t, gnutls_alert_get,
83 (gnutls_session_t));
84 DEF_GNUTLS_FN (const char *, gnutls_alert_get_name,
85 (gnutls_alert_description_t));
86 DEF_GNUTLS_FN (int, gnutls_alert_send_appropriate, (gnutls_session_t, int));
87 DEF_GNUTLS_FN (int, gnutls_anon_allocate_client_credentials,
88 (gnutls_anon_client_credentials_t *));
89 DEF_GNUTLS_FN (void, gnutls_anon_free_client_credentials,
90 (gnutls_anon_client_credentials_t));
91 DEF_GNUTLS_FN (int, gnutls_bye, (gnutls_session_t, gnutls_close_request_t));
92 DEF_GNUTLS_FN (int, gnutls_certificate_allocate_credentials,
93 (gnutls_certificate_credentials_t *));
94 DEF_GNUTLS_FN (void, gnutls_certificate_free_credentials,
95 (gnutls_certificate_credentials_t));
96 DEF_GNUTLS_FN (const gnutls_datum_t *, gnutls_certificate_get_peers,
97 (gnutls_session_t, unsigned int *));
98 DEF_GNUTLS_FN (void, gnutls_certificate_set_verify_flags,
99 (gnutls_certificate_credentials_t, unsigned int));
100 DEF_GNUTLS_FN (int, gnutls_certificate_set_x509_crl_file,
101 (gnutls_certificate_credentials_t, const char *,
102 gnutls_x509_crt_fmt_t));
103 DEF_GNUTLS_FN (int, gnutls_certificate_set_x509_key_file,
104 (gnutls_certificate_credentials_t, const char *, const char *,
105 gnutls_x509_crt_fmt_t));
106 DEF_GNUTLS_FN (int, gnutls_certificate_set_x509_trust_file,
107 (gnutls_certificate_credentials_t, const char *,
108 gnutls_x509_crt_fmt_t));
109 DEF_GNUTLS_FN (gnutls_certificate_type_t, gnutls_certificate_type_get,
110 (gnutls_session_t));
111 DEF_GNUTLS_FN (int, gnutls_certificate_verify_peers2,
112 (gnutls_session_t, unsigned int *));
113 DEF_GNUTLS_FN (int, gnutls_credentials_set,
114 (gnutls_session_t, gnutls_credentials_type_t, void *));
115 DEF_GNUTLS_FN (void, gnutls_deinit, (gnutls_session_t));
116 DEF_GNUTLS_FN (void, gnutls_dh_set_prime_bits,
117 (gnutls_session_t, unsigned int));
118 DEF_GNUTLS_FN (int, gnutls_dh_get_prime_bits, (gnutls_session_t));
119 DEF_GNUTLS_FN (int, gnutls_error_is_fatal, (int));
120 DEF_GNUTLS_FN (int, gnutls_global_init, (void));
121 DEF_GNUTLS_FN (void, gnutls_global_set_log_function, (gnutls_log_func));
122 #ifdef HAVE_GNUTLS3
123 DEF_GNUTLS_FN (void, gnutls_global_set_audit_log_function, (gnutls_audit_log_func));
124 #endif
125 DEF_GNUTLS_FN (void, gnutls_global_set_log_level, (int));
126 DEF_GNUTLS_FN (void, gnutls_global_set_mem_functions,
127 (gnutls_alloc_function, gnutls_alloc_function,
128 gnutls_is_secure_function, gnutls_realloc_function,
129 gnutls_free_function));
130 DEF_GNUTLS_FN (int, gnutls_handshake, (gnutls_session_t));
131 DEF_GNUTLS_FN (int, gnutls_init, (gnutls_session_t *, gnutls_connection_end_t));
132 DEF_GNUTLS_FN (int, gnutls_priority_set_direct,
133 (gnutls_session_t, const char *, const char **));
134 DEF_GNUTLS_FN (size_t, gnutls_record_check_pending, (gnutls_session_t));
135 DEF_GNUTLS_FN (ssize_t, gnutls_record_recv, (gnutls_session_t, void *, size_t));
136 DEF_GNUTLS_FN (ssize_t, gnutls_record_send,
137 (gnutls_session_t, const void *, size_t));
138 DEF_GNUTLS_FN (const char *, gnutls_strerror, (int));
139 DEF_GNUTLS_FN (void, gnutls_transport_set_errno, (gnutls_session_t, int));
140 DEF_GNUTLS_FN (const char *, gnutls_check_version, (const char *));
141 DEF_GNUTLS_FN (void, gnutls_transport_set_lowat, (gnutls_session_t, int));
142 DEF_GNUTLS_FN (void, gnutls_transport_set_ptr2,
143 (gnutls_session_t, gnutls_transport_ptr_t,
144 gnutls_transport_ptr_t));
145 DEF_GNUTLS_FN (void, gnutls_transport_set_pull_function,
146 (gnutls_session_t, gnutls_pull_func));
147 DEF_GNUTLS_FN (void, gnutls_transport_set_push_function,
148 (gnutls_session_t, gnutls_push_func));
149 DEF_GNUTLS_FN (int, gnutls_x509_crt_check_hostname,
150 (gnutls_x509_crt_t, const char *));
151 DEF_GNUTLS_FN (void, gnutls_x509_crt_deinit, (gnutls_x509_crt_t));
152 DEF_GNUTLS_FN (int, gnutls_x509_crt_import,
153 (gnutls_x509_crt_t, const gnutls_datum_t *,
154 gnutls_x509_crt_fmt_t));
155 DEF_GNUTLS_FN (int, gnutls_x509_crt_init, (gnutls_x509_crt_t *));
156 DEF_GNUTLS_FN (int, gnutls_x509_crt_get_fingerprint,
157 (gnutls_x509_crt_t,
158 gnutls_digest_algorithm_t, void *, size_t *));
159 DEF_GNUTLS_FN (int, gnutls_x509_crt_get_version,
160 (gnutls_x509_crt_t));
161 DEF_GNUTLS_FN (int, gnutls_x509_crt_get_serial,
162 (gnutls_x509_crt_t, void *, size_t *));
163 DEF_GNUTLS_FN (int, gnutls_x509_crt_get_issuer_dn,
164 (gnutls_x509_crt_t, char *, size_t *));
165 DEF_GNUTLS_FN (time_t, gnutls_x509_crt_get_activation_time,
166 (gnutls_x509_crt_t));
167 DEF_GNUTLS_FN (time_t, gnutls_x509_crt_get_expiration_time,
168 (gnutls_x509_crt_t));
169 DEF_GNUTLS_FN (int, gnutls_x509_crt_get_dn,
170 (gnutls_x509_crt_t, char *, size_t *));
171 DEF_GNUTLS_FN (int, gnutls_x509_crt_get_pk_algorithm,
172 (gnutls_x509_crt_t, unsigned int *));
173 DEF_GNUTLS_FN (const char*, gnutls_pk_algorithm_get_name,
174 (gnutls_pk_algorithm_t));
175 DEF_GNUTLS_FN (int, gnutls_pk_bits_to_sec_param,
176 (gnutls_pk_algorithm_t, unsigned int));
177 DEF_GNUTLS_FN (int, gnutls_x509_crt_get_issuer_unique_id,
178 (gnutls_x509_crt_t, char *, size_t *));
179 DEF_GNUTLS_FN (int, gnutls_x509_crt_get_subject_unique_id,
180 (gnutls_x509_crt_t, char *, size_t *));
181 DEF_GNUTLS_FN (int, gnutls_x509_crt_get_signature_algorithm,
182 (gnutls_x509_crt_t));
183 DEF_GNUTLS_FN (int, gnutls_x509_crt_get_signature,
184 (gnutls_x509_crt_t, char *, size_t *));
185 DEF_GNUTLS_FN (int, gnutls_x509_crt_get_key_id,
186 (gnutls_x509_crt_t, unsigned int,
187 unsigned char *, size_t *_size));
188 DEF_GNUTLS_FN (const char*, gnutls_sec_param_get_name, (gnutls_sec_param_t));
189 DEF_GNUTLS_FN (const char*, gnutls_sign_get_name, (gnutls_sign_algorithm_t));
190 DEF_GNUTLS_FN (int, gnutls_server_name_set, (gnutls_session_t,
191 gnutls_server_name_type_t,
192 const void *, size_t));
193 DEF_GNUTLS_FN (gnutls_kx_algorithm_t, gnutls_kx_get, (gnutls_session_t));
194 DEF_GNUTLS_FN (const char*, gnutls_kx_get_name, (gnutls_kx_algorithm_t));
195 DEF_GNUTLS_FN (gnutls_protocol_t, gnutls_protocol_get_version,
196 (gnutls_session_t));
197 DEF_GNUTLS_FN (const char*, gnutls_protocol_get_name, (gnutls_protocol_t));
198 DEF_GNUTLS_FN (gnutls_cipher_algorithm_t, gnutls_cipher_get,
199 (gnutls_session_t));
200 DEF_GNUTLS_FN (const char*, gnutls_cipher_get_name,
201 (gnutls_cipher_algorithm_t));
202 DEF_GNUTLS_FN (gnutls_mac_algorithm_t, gnutls_mac_get, (gnutls_session_t));
203 DEF_GNUTLS_FN (const char*, gnutls_mac_get_name, (gnutls_mac_algorithm_t));
204
205
206 static bool
207 init_gnutls_functions (void)
208 {
209 HMODULE library;
210 int max_log_level = 1;
211
212 if (!(library = w32_delayed_load (Qgnutls_dll)))
213 {
214 GNUTLS_LOG (1, max_log_level, "GnuTLS library not found");
215 return 0;
216 }
217
218 LOAD_GNUTLS_FN (library, gnutls_alert_get);
219 LOAD_GNUTLS_FN (library, gnutls_alert_get_name);
220 LOAD_GNUTLS_FN (library, gnutls_alert_send_appropriate);
221 LOAD_GNUTLS_FN (library, gnutls_anon_allocate_client_credentials);
222 LOAD_GNUTLS_FN (library, gnutls_anon_free_client_credentials);
223 LOAD_GNUTLS_FN (library, gnutls_bye);
224 LOAD_GNUTLS_FN (library, gnutls_certificate_allocate_credentials);
225 LOAD_GNUTLS_FN (library, gnutls_certificate_free_credentials);
226 LOAD_GNUTLS_FN (library, gnutls_certificate_get_peers);
227 LOAD_GNUTLS_FN (library, gnutls_certificate_set_verify_flags);
228 LOAD_GNUTLS_FN (library, gnutls_certificate_set_x509_crl_file);
229 LOAD_GNUTLS_FN (library, gnutls_certificate_set_x509_key_file);
230 LOAD_GNUTLS_FN (library, gnutls_certificate_set_x509_trust_file);
231 LOAD_GNUTLS_FN (library, gnutls_certificate_type_get);
232 LOAD_GNUTLS_FN (library, gnutls_certificate_verify_peers2);
233 LOAD_GNUTLS_FN (library, gnutls_credentials_set);
234 LOAD_GNUTLS_FN (library, gnutls_deinit);
235 LOAD_GNUTLS_FN (library, gnutls_dh_set_prime_bits);
236 LOAD_GNUTLS_FN (library, gnutls_dh_get_prime_bits);
237 LOAD_GNUTLS_FN (library, gnutls_error_is_fatal);
238 LOAD_GNUTLS_FN (library, gnutls_global_init);
239 LOAD_GNUTLS_FN (library, gnutls_global_set_log_function);
240 #ifdef HAVE_GNUTLS3
241 LOAD_GNUTLS_FN (library, gnutls_global_set_audit_log_function);
242 #endif
243 LOAD_GNUTLS_FN (library, gnutls_global_set_log_level);
244 LOAD_GNUTLS_FN (library, gnutls_global_set_mem_functions);
245 LOAD_GNUTLS_FN (library, gnutls_handshake);
246 LOAD_GNUTLS_FN (library, gnutls_init);
247 LOAD_GNUTLS_FN (library, gnutls_priority_set_direct);
248 LOAD_GNUTLS_FN (library, gnutls_record_check_pending);
249 LOAD_GNUTLS_FN (library, gnutls_record_recv);
250 LOAD_GNUTLS_FN (library, gnutls_record_send);
251 LOAD_GNUTLS_FN (library, gnutls_strerror);
252 LOAD_GNUTLS_FN (library, gnutls_transport_set_errno);
253 LOAD_GNUTLS_FN (library, gnutls_check_version);
254 /* We don't need to call gnutls_transport_set_lowat in GnuTLS 2.11.1
255 and later, and the function was removed entirely in 3.0.0. */
256 if (!fn_gnutls_check_version ("2.11.1"))
257 LOAD_GNUTLS_FN (library, gnutls_transport_set_lowat);
258 LOAD_GNUTLS_FN (library, gnutls_transport_set_ptr2);
259 LOAD_GNUTLS_FN (library, gnutls_transport_set_pull_function);
260 LOAD_GNUTLS_FN (library, gnutls_transport_set_push_function);
261 LOAD_GNUTLS_FN (library, gnutls_x509_crt_check_hostname);
262 LOAD_GNUTLS_FN (library, gnutls_x509_crt_deinit);
263 LOAD_GNUTLS_FN (library, gnutls_x509_crt_import);
264 LOAD_GNUTLS_FN (library, gnutls_x509_crt_init);
265 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_fingerprint);
266 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_version);
267 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_serial);
268 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_issuer_dn);
269 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_activation_time);
270 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_expiration_time);
271 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_dn);
272 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_pk_algorithm);
273 LOAD_GNUTLS_FN (library, gnutls_pk_algorithm_get_name);
274 LOAD_GNUTLS_FN (library, gnutls_pk_bits_to_sec_param);
275 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_issuer_unique_id);
276 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_subject_unique_id);
277 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_signature_algorithm);
278 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_signature);
279 LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_key_id);
280 LOAD_GNUTLS_FN (library, gnutls_sec_param_get_name);
281 LOAD_GNUTLS_FN (library, gnutls_sign_get_name);
282 LOAD_GNUTLS_FN (library, gnutls_server_name_set);
283 LOAD_GNUTLS_FN (library, gnutls_kx_get);
284 LOAD_GNUTLS_FN (library, gnutls_kx_get_name);
285 LOAD_GNUTLS_FN (library, gnutls_protocol_get_version);
286 LOAD_GNUTLS_FN (library, gnutls_protocol_get_name);
287 LOAD_GNUTLS_FN (library, gnutls_cipher_get);
288 LOAD_GNUTLS_FN (library, gnutls_cipher_get_name);
289 LOAD_GNUTLS_FN (library, gnutls_mac_get);
290 LOAD_GNUTLS_FN (library, gnutls_mac_get_name);
291
292 max_log_level = global_gnutls_log_level;
293
294 {
295 Lisp_Object name = CAR_SAFE (Fget (Qgnutls_dll, QCloaded_from));
296 GNUTLS_LOG2 (1, max_log_level, "GnuTLS library loaded:",
297 STRINGP (name) ? (const char *) SDATA (name) : "unknown");
298 }
299
300 return 1;
301 }
302
303 #else /* !WINDOWSNT */
304
305 #define fn_gnutls_alert_get gnutls_alert_get
306 #define fn_gnutls_alert_get_name gnutls_alert_get_name
307 #define fn_gnutls_alert_send_appropriate gnutls_alert_send_appropriate
308 #define fn_gnutls_anon_allocate_client_credentials gnutls_anon_allocate_client_credentials
309 #define fn_gnutls_anon_free_client_credentials gnutls_anon_free_client_credentials
310 #define fn_gnutls_bye gnutls_bye
311 #define fn_gnutls_certificate_allocate_credentials gnutls_certificate_allocate_credentials
312 #define fn_gnutls_certificate_free_credentials gnutls_certificate_free_credentials
313 #define fn_gnutls_certificate_get_peers gnutls_certificate_get_peers
314 #define fn_gnutls_certificate_set_verify_flags gnutls_certificate_set_verify_flags
315 #define fn_gnutls_certificate_set_x509_crl_file gnutls_certificate_set_x509_crl_file
316 #define fn_gnutls_certificate_set_x509_key_file gnutls_certificate_set_x509_key_file
317 #define fn_gnutls_certificate_set_x509_trust_file gnutls_certificate_set_x509_trust_file
318 #define fn_gnutls_certificate_type_get gnutls_certificate_type_get
319 #define fn_gnutls_certificate_verify_peers2 gnutls_certificate_verify_peers2
320 #define fn_gnutls_cipher_get gnutls_cipher_get
321 #define fn_gnutls_cipher_get_name gnutls_cipher_get_name
322 #define fn_gnutls_credentials_set gnutls_credentials_set
323 #define fn_gnutls_deinit gnutls_deinit
324 #define fn_gnutls_dh_get_prime_bits gnutls_dh_get_prime_bits
325 #define fn_gnutls_dh_set_prime_bits gnutls_dh_set_prime_bits
326 #define fn_gnutls_error_is_fatal gnutls_error_is_fatal
327 #define fn_gnutls_global_init gnutls_global_init
328 #ifdef HAVE_GNUTLS3
329 #define fn_gnutls_global_set_audit_log_function gnutls_global_set_audit_log_function
330 #endif
331 #define fn_gnutls_global_set_log_function gnutls_global_set_log_function
332 #define fn_gnutls_global_set_log_level gnutls_global_set_log_level
333 #define fn_gnutls_global_set_mem_functions gnutls_global_set_mem_functions
334 #define fn_gnutls_handshake gnutls_handshake
335 #define fn_gnutls_init gnutls_init
336 #define fn_gnutls_kx_get gnutls_kx_get
337 #define fn_gnutls_kx_get_name gnutls_kx_get_name
338 #define fn_gnutls_mac_get gnutls_mac_get
339 #define fn_gnutls_mac_get_name gnutls_mac_get_name
340 #define fn_gnutls_pk_algorithm_get_name gnutls_pk_algorithm_get_name
341 #define fn_gnutls_pk_bits_to_sec_param gnutls_pk_bits_to_sec_param
342 #define fn_gnutls_priority_set_direct gnutls_priority_set_direct
343 #define fn_gnutls_protocol_get_name gnutls_protocol_get_name
344 #define fn_gnutls_protocol_get_version gnutls_protocol_get_version
345 #define fn_gnutls_record_check_pending gnutls_record_check_pending
346 #define fn_gnutls_record_recv gnutls_record_recv
347 #define fn_gnutls_record_send gnutls_record_send
348 #define fn_gnutls_sec_param_get_name gnutls_sec_param_get_name
349 #define fn_gnutls_server_name_set gnutls_server_name_set
350 #define fn_gnutls_sign_get_name gnutls_sign_get_name
351 #define fn_gnutls_strerror gnutls_strerror
352 #define fn_gnutls_transport_set_ptr2 gnutls_transport_set_ptr2
353 #define fn_gnutls_x509_crt_check_hostname gnutls_x509_crt_check_hostname
354 #define fn_gnutls_x509_crt_deinit gnutls_x509_crt_deinit
355 #define fn_gnutls_x509_crt_get_activation_time gnutls_x509_crt_get_activation_time
356 #define fn_gnutls_x509_crt_get_dn gnutls_x509_crt_get_dn
357 #define fn_gnutls_x509_crt_get_expiration_time gnutls_x509_crt_get_expiration_time
358 #define fn_gnutls_x509_crt_get_fingerprint gnutls_x509_crt_get_fingerprint
359 #define fn_gnutls_x509_crt_get_issuer_dn gnutls_x509_crt_get_issuer_dn
360 #define fn_gnutls_x509_crt_get_issuer_unique_id gnutls_x509_crt_get_issuer_unique_id
361 #define fn_gnutls_x509_crt_get_key_id gnutls_x509_crt_get_key_id
362 #define fn_gnutls_x509_crt_get_pk_algorithm gnutls_x509_crt_get_pk_algorithm
363 #define fn_gnutls_x509_crt_get_serial gnutls_x509_crt_get_serial
364 #define fn_gnutls_x509_crt_get_signature_algorithm gnutls_x509_crt_get_signature_algorithm
365 #define fn_gnutls_x509_crt_get_subject_unique_id gnutls_x509_crt_get_subject_unique_id
366 #define fn_gnutls_x509_crt_get_version gnutls_x509_crt_get_version
367 #define fn_gnutls_x509_crt_import gnutls_x509_crt_import
368 #define fn_gnutls_x509_crt_init gnutls_x509_crt_init
369
370 #endif /* !WINDOWSNT */
371
372 \f
373 #ifdef HAVE_GNUTLS3
374 /* Log a simple audit message. */
375 static void
376 gnutls_audit_log_function (gnutls_session_t session, const char *string)
377 {
378 if (global_gnutls_log_level >= 1)
379 {
380 message ("gnutls.c: [audit] %s", string);
381 }
382 }
383 #endif
384
385 /* Log a simple message. */
386 static void
387 gnutls_log_function (int level, const char *string)
388 {
389 message ("gnutls.c: [%d] %s", level, string);
390 }
391
392 /* Log a message and a string. */
393 static void
394 gnutls_log_function2 (int level, const char *string, const char *extra)
395 {
396 message ("gnutls.c: [%d] %s %s", level, string, extra);
397 }
398
399 /* Log a message and an integer. */
400 static void
401 gnutls_log_function2i (int level, const char *string, int extra)
402 {
403 message ("gnutls.c: [%d] %s %d", level, string, extra);
404 }
405
406 static int
407 emacs_gnutls_handshake (struct Lisp_Process *proc)
408 {
409 gnutls_session_t state = proc->gnutls_state;
410 int ret;
411
412 if (proc->gnutls_initstage < GNUTLS_STAGE_HANDSHAKE_CANDO)
413 return -1;
414
415 if (proc->gnutls_initstage < GNUTLS_STAGE_TRANSPORT_POINTERS_SET)
416 {
417 #ifdef WINDOWSNT
418 /* On W32 we cannot transfer socket handles between different runtime
419 libraries, so we tell GnuTLS to use our special push/pull
420 functions. */
421 fn_gnutls_transport_set_ptr2 (state,
422 (gnutls_transport_ptr_t) proc,
423 (gnutls_transport_ptr_t) proc);
424 fn_gnutls_transport_set_push_function (state, &emacs_gnutls_push);
425 fn_gnutls_transport_set_pull_function (state, &emacs_gnutls_pull);
426
427 /* For non blocking sockets or other custom made pull/push
428 functions the gnutls_transport_set_lowat must be called, with
429 a zero low water mark value. (GnuTLS 2.10.4 documentation)
430
431 (Note: this is probably not strictly necessary as the lowat
432 value is only used when no custom pull/push functions are
433 set.) */
434 /* According to GnuTLS NEWS file, lowat level has been set to
435 zero by default in version 2.11.1, and the function
436 gnutls_transport_set_lowat was removed from the library in
437 version 2.99.0. */
438 if (!fn_gnutls_check_version ("2.11.1"))
439 fn_gnutls_transport_set_lowat (state, 0);
440 #else
441 /* This is how GnuTLS takes sockets: as file descriptors passed
442 in. For an Emacs process socket, infd and outfd are the
443 same but we use this two-argument version for clarity. */
444 fn_gnutls_transport_set_ptr2 (state,
445 (void *) (intptr_t) proc->infd,
446 (void *) (intptr_t) proc->outfd);
447 #endif
448
449 proc->gnutls_initstage = GNUTLS_STAGE_TRANSPORT_POINTERS_SET;
450 }
451
452 do
453 {
454 ret = fn_gnutls_handshake (state);
455 emacs_gnutls_handle_error (state, ret);
456 QUIT;
457 }
458 while (ret < 0 && fn_gnutls_error_is_fatal (ret) == 0);
459
460 proc->gnutls_initstage = GNUTLS_STAGE_HANDSHAKE_TRIED;
461
462 if (ret == GNUTLS_E_SUCCESS)
463 {
464 /* Here we're finally done. */
465 proc->gnutls_initstage = GNUTLS_STAGE_READY;
466 }
467 else
468 {
469 fn_gnutls_alert_send_appropriate (state, ret);
470 }
471 return ret;
472 }
473
474 ptrdiff_t
475 emacs_gnutls_record_check_pending (gnutls_session_t state)
476 {
477 return fn_gnutls_record_check_pending (state);
478 }
479
480 #ifdef WINDOWSNT
481 void
482 emacs_gnutls_transport_set_errno (gnutls_session_t state, int err)
483 {
484 fn_gnutls_transport_set_errno (state, err);
485 }
486 #endif
487
488 ptrdiff_t
489 emacs_gnutls_write (struct Lisp_Process *proc, const char *buf, ptrdiff_t nbyte)
490 {
491 ssize_t rtnval = 0;
492 ptrdiff_t bytes_written;
493 gnutls_session_t state = proc->gnutls_state;
494
495 if (proc->gnutls_initstage != GNUTLS_STAGE_READY)
496 {
497 errno = EAGAIN;
498 return 0;
499 }
500
501 bytes_written = 0;
502
503 while (nbyte > 0)
504 {
505 rtnval = fn_gnutls_record_send (state, buf, nbyte);
506
507 if (rtnval < 0)
508 {
509 if (rtnval == GNUTLS_E_INTERRUPTED)
510 continue;
511 else
512 {
513 /* If we get GNUTLS_E_AGAIN, then set errno
514 appropriately so that send_process retries the
515 correct way instead of erroring out. */
516 if (rtnval == GNUTLS_E_AGAIN)
517 errno = EAGAIN;
518 break;
519 }
520 }
521
522 buf += rtnval;
523 nbyte -= rtnval;
524 bytes_written += rtnval;
525 }
526
527 emacs_gnutls_handle_error (state, rtnval);
528 return (bytes_written);
529 }
530
531 ptrdiff_t
532 emacs_gnutls_read (struct Lisp_Process *proc, char *buf, ptrdiff_t nbyte)
533 {
534 ssize_t rtnval;
535 gnutls_session_t state = proc->gnutls_state;
536
537 int log_level = proc->gnutls_log_level;
538
539 if (proc->gnutls_initstage != GNUTLS_STAGE_READY)
540 {
541 /* If the handshake count is under the limit, try the handshake
542 again and increment the handshake count. This count is kept
543 per process (connection), not globally. */
544 if (proc->gnutls_handshakes_tried < GNUTLS_EMACS_HANDSHAKES_LIMIT)
545 {
546 proc->gnutls_handshakes_tried++;
547 emacs_gnutls_handshake (proc);
548 GNUTLS_LOG2i (5, log_level, "Retried handshake",
549 proc->gnutls_handshakes_tried);
550 return -1;
551 }
552
553 GNUTLS_LOG (2, log_level, "Giving up on handshake; resetting retries");
554 proc->gnutls_handshakes_tried = 0;
555 return 0;
556 }
557 rtnval = fn_gnutls_record_recv (state, buf, nbyte);
558 if (rtnval >= 0)
559 return rtnval;
560 else if (rtnval == GNUTLS_E_UNEXPECTED_PACKET_LENGTH)
561 /* The peer closed the connection. */
562 return 0;
563 else if (emacs_gnutls_handle_error (state, rtnval))
564 /* non-fatal error */
565 return -1;
566 else {
567 /* a fatal error occurred */
568 return 0;
569 }
570 }
571
572 /* Report a GnuTLS error to the user.
573 Return true if the error code was successfully handled. */
574 static bool
575 emacs_gnutls_handle_error (gnutls_session_t session, int err)
576 {
577 int max_log_level = 0;
578
579 bool ret;
580 const char *str;
581
582 /* TODO: use a Lisp_Object generated by gnutls_make_error? */
583 if (err >= 0)
584 return 1;
585
586 max_log_level = global_gnutls_log_level;
587
588 /* TODO: use gnutls-error-fatalp and gnutls-error-string. */
589
590 str = fn_gnutls_strerror (err);
591 if (!str)
592 str = "unknown";
593
594 if (fn_gnutls_error_is_fatal (err))
595 {
596 ret = 0;
597 GNUTLS_LOG2 (1, max_log_level, "fatal error:", str);
598 }
599 else
600 {
601 ret = 1;
602
603 switch (err)
604 {
605 case GNUTLS_E_AGAIN:
606 GNUTLS_LOG2 (3,
607 max_log_level,
608 "retry:",
609 str);
610 default:
611 GNUTLS_LOG2 (1,
612 max_log_level,
613 "non-fatal error:",
614 str);
615 }
616 }
617
618 if (err == GNUTLS_E_WARNING_ALERT_RECEIVED
619 || err == GNUTLS_E_FATAL_ALERT_RECEIVED)
620 {
621 int alert = fn_gnutls_alert_get (session);
622 int level = (err == GNUTLS_E_FATAL_ALERT_RECEIVED) ? 0 : 1;
623 str = fn_gnutls_alert_get_name (alert);
624 if (!str)
625 str = "unknown";
626
627 GNUTLS_LOG2 (level, max_log_level, "Received alert: ", str);
628 }
629 return ret;
630 }
631
632 /* convert an integer error to a Lisp_Object; it will be either a
633 known symbol like `gnutls_e_interrupted' and `gnutls_e_again' or
634 simply the integer value of the error. GNUTLS_E_SUCCESS is mapped
635 to Qt. */
636 static Lisp_Object
637 gnutls_make_error (int err)
638 {
639 switch (err)
640 {
641 case GNUTLS_E_SUCCESS:
642 return Qt;
643 case GNUTLS_E_AGAIN:
644 return Qgnutls_e_again;
645 case GNUTLS_E_INTERRUPTED:
646 return Qgnutls_e_interrupted;
647 case GNUTLS_E_INVALID_SESSION:
648 return Qgnutls_e_invalid_session;
649 }
650
651 return make_number (err);
652 }
653
654 Lisp_Object
655 emacs_gnutls_deinit (Lisp_Object proc)
656 {
657 int log_level;
658
659 CHECK_PROCESS (proc);
660
661 if (XPROCESS (proc)->gnutls_p == 0)
662 return Qnil;
663
664 log_level = XPROCESS (proc)->gnutls_log_level;
665
666 if (XPROCESS (proc)->gnutls_x509_cred)
667 {
668 GNUTLS_LOG (2, log_level, "Deallocating x509 credentials");
669 fn_gnutls_certificate_free_credentials (XPROCESS (proc)->gnutls_x509_cred);
670 XPROCESS (proc)->gnutls_x509_cred = NULL;
671 }
672
673 if (XPROCESS (proc)->gnutls_anon_cred)
674 {
675 GNUTLS_LOG (2, log_level, "Deallocating anon credentials");
676 fn_gnutls_anon_free_client_credentials (XPROCESS (proc)->gnutls_anon_cred);
677 XPROCESS (proc)->gnutls_anon_cred = NULL;
678 }
679
680 if (XPROCESS (proc)->gnutls_state)
681 {
682 fn_gnutls_deinit (XPROCESS (proc)->gnutls_state);
683 XPROCESS (proc)->gnutls_state = NULL;
684 if (GNUTLS_INITSTAGE (proc) >= GNUTLS_STAGE_INIT)
685 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_INIT - 1;
686 }
687
688 XPROCESS (proc)->gnutls_p = 0;
689 return Qt;
690 }
691
692 DEFUN ("gnutls-get-initstage", Fgnutls_get_initstage, Sgnutls_get_initstage, 1, 1, 0,
693 doc: /* Return the GnuTLS init stage of process PROC.
694 See also `gnutls-boot'. */)
695 (Lisp_Object proc)
696 {
697 CHECK_PROCESS (proc);
698
699 return make_number (GNUTLS_INITSTAGE (proc));
700 }
701
702 DEFUN ("gnutls-errorp", Fgnutls_errorp, Sgnutls_errorp, 1, 1, 0,
703 doc: /* Return t if ERROR indicates a GnuTLS problem.
704 ERROR is an integer or a symbol with an integer `gnutls-code' property.
705 usage: (gnutls-errorp ERROR) */)
706 (Lisp_Object err)
707 {
708 if (EQ (err, Qt)) return Qnil;
709
710 return Qt;
711 }
712
713 DEFUN ("gnutls-error-fatalp", Fgnutls_error_fatalp, Sgnutls_error_fatalp, 1, 1, 0,
714 doc: /* Return non-nil if ERROR is fatal.
715 ERROR is an integer or a symbol with an integer `gnutls-code' property.
716 Usage: (gnutls-error-fatalp ERROR) */)
717 (Lisp_Object err)
718 {
719 Lisp_Object code;
720
721 if (EQ (err, Qt)) return Qnil;
722
723 if (SYMBOLP (err))
724 {
725 code = Fget (err, Qgnutls_code);
726 if (NUMBERP (code))
727 {
728 err = code;
729 }
730 else
731 {
732 error ("Symbol has no numeric gnutls-code property");
733 }
734 }
735
736 if (! TYPE_RANGED_INTEGERP (int, err))
737 error ("Not an error symbol or code");
738
739 if (0 == fn_gnutls_error_is_fatal (XINT (err)))
740 return Qnil;
741
742 return Qt;
743 }
744
745 DEFUN ("gnutls-error-string", Fgnutls_error_string, Sgnutls_error_string, 1, 1, 0,
746 doc: /* Return a description of ERROR.
747 ERROR is an integer or a symbol with an integer `gnutls-code' property.
748 usage: (gnutls-error-string ERROR) */)
749 (Lisp_Object err)
750 {
751 Lisp_Object code;
752
753 if (EQ (err, Qt)) return build_string ("Not an error");
754
755 if (SYMBOLP (err))
756 {
757 code = Fget (err, Qgnutls_code);
758 if (NUMBERP (code))
759 {
760 err = code;
761 }
762 else
763 {
764 return build_string ("Symbol has no numeric gnutls-code property");
765 }
766 }
767
768 if (! TYPE_RANGED_INTEGERP (int, err))
769 return build_string ("Not an error symbol or code");
770
771 return build_string (fn_gnutls_strerror (XINT (err)));
772 }
773
774 DEFUN ("gnutls-deinit", Fgnutls_deinit, Sgnutls_deinit, 1, 1, 0,
775 doc: /* Deallocate GnuTLS resources associated with process PROC.
776 See also `gnutls-init'. */)
777 (Lisp_Object proc)
778 {
779 return emacs_gnutls_deinit (proc);
780 }
781
782 static Lisp_Object
783 gnutls_hex_string (unsigned char *buf, ptrdiff_t buf_size, const char *prefix)
784 {
785 ptrdiff_t prefix_length = strlen (prefix);
786 if ((STRING_BYTES_BOUND - prefix_length) / 3 < buf_size)
787 string_overflow ();
788 Lisp_Object ret = make_uninit_string (prefix_length + 3 * buf_size
789 - (buf_size != 0));
790 char *string = SSDATA (ret);
791 strcpy (string, prefix);
792
793 for (ptrdiff_t i = 0; i < buf_size; i++)
794 sprintf (string + i * 3 + prefix_length,
795 i == buf_size - 1 ? "%02x" : "%02x:",
796 buf[i]);
797
798 return ret;
799 }
800
801 static Lisp_Object
802 gnutls_certificate_details (gnutls_x509_crt_t cert)
803 {
804 Lisp_Object res = Qnil;
805 int err;
806 size_t buf_size;
807
808 /* Version. */
809 {
810 int version = fn_gnutls_x509_crt_get_version (cert);
811 if (version >= GNUTLS_E_SUCCESS)
812 res = nconc2 (res, list2 (intern (":version"),
813 make_number (version)));
814 }
815
816 /* Serial. */
817 buf_size = 0;
818 err = fn_gnutls_x509_crt_get_serial (cert, NULL, &buf_size);
819 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
820 {
821 void *serial = xmalloc (buf_size);
822 err = fn_gnutls_x509_crt_get_serial (cert, serial, &buf_size);
823 if (err >= GNUTLS_E_SUCCESS)
824 res = nconc2 (res, list2 (intern (":serial-number"),
825 gnutls_hex_string (serial, buf_size, "")));
826 xfree (serial);
827 }
828
829 /* Issuer. */
830 buf_size = 0;
831 err = fn_gnutls_x509_crt_get_issuer_dn (cert, NULL, &buf_size);
832 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
833 {
834 char *dn = xmalloc (buf_size);
835 err = fn_gnutls_x509_crt_get_issuer_dn (cert, dn, &buf_size);
836 if (err >= GNUTLS_E_SUCCESS)
837 res = nconc2 (res, list2 (intern (":issuer"),
838 make_string (dn, buf_size)));
839 xfree (dn);
840 }
841
842 /* Validity. */
843 {
844 /* Add 1 to the buffer size, since 1900 is added to tm_year and
845 that might add 1 to the year length. */
846 char buf[INT_STRLEN_BOUND (int) + 1 + sizeof "-12-31"];
847 struct tm t;
848 time_t tim = fn_gnutls_x509_crt_get_activation_time (cert);
849
850 if (gmtime_r (&tim, &t) && strftime (buf, sizeof buf, "%Y-%m-%d", &t))
851 res = nconc2 (res, list2 (intern (":valid-from"), build_string (buf)));
852
853 tim = fn_gnutls_x509_crt_get_expiration_time (cert);
854 if (gmtime_r (&tim, &t) && strftime (buf, sizeof buf, "%Y-%m-%d", &t))
855 res = nconc2 (res, list2 (intern (":valid-to"), build_string (buf)));
856 }
857
858 /* Subject. */
859 buf_size = 0;
860 err = fn_gnutls_x509_crt_get_dn (cert, NULL, &buf_size);
861 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
862 {
863 char *dn = xmalloc (buf_size);
864 err = fn_gnutls_x509_crt_get_dn (cert, dn, &buf_size);
865 if (err >= GNUTLS_E_SUCCESS)
866 res = nconc2 (res, list2 (intern (":subject"),
867 make_string (dn, buf_size)));
868 xfree (dn);
869 }
870
871 /* Versions older than 2.11 doesn't have these four functions. */
872 #if GNUTLS_VERSION_NUMBER >= 0x020b00
873 /* SubjectPublicKeyInfo. */
874 {
875 unsigned int bits;
876
877 err = fn_gnutls_x509_crt_get_pk_algorithm (cert, &bits);
878 if (err >= GNUTLS_E_SUCCESS)
879 {
880 const char *name = fn_gnutls_pk_algorithm_get_name (err);
881 if (name)
882 res = nconc2 (res, list2 (intern (":public-key-algorithm"),
883 build_string (name)));
884
885 name = fn_gnutls_sec_param_get_name (fn_gnutls_pk_bits_to_sec_param
886 (err, bits));
887 res = nconc2 (res, list2 (intern (":certificate-security-level"),
888 build_string (name)));
889 }
890 }
891
892 /* Unique IDs. */
893 buf_size = 0;
894 err = fn_gnutls_x509_crt_get_issuer_unique_id (cert, NULL, &buf_size);
895 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
896 {
897 char *buf = xmalloc (buf_size);
898 err = fn_gnutls_x509_crt_get_issuer_unique_id (cert, buf, &buf_size);
899 if (err >= GNUTLS_E_SUCCESS)
900 res = nconc2 (res, list2 (intern (":issuer-unique-id"),
901 make_string (buf, buf_size)));
902 xfree (buf);
903 }
904
905 buf_size = 0;
906 err = fn_gnutls_x509_crt_get_subject_unique_id (cert, NULL, &buf_size);
907 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
908 {
909 char *buf = xmalloc (buf_size);
910 err = fn_gnutls_x509_crt_get_subject_unique_id (cert, buf, &buf_size);
911 if (err >= GNUTLS_E_SUCCESS)
912 res = nconc2 (res, list2 (intern (":subject-unique-id"),
913 make_string (buf, buf_size)));
914 xfree (buf);
915 }
916 #endif
917
918 /* Signature. */
919 err = fn_gnutls_x509_crt_get_signature_algorithm (cert);
920 if (err >= GNUTLS_E_SUCCESS)
921 {
922 const char *name = fn_gnutls_sign_get_name (err);
923 if (name)
924 res = nconc2 (res, list2 (intern (":signature-algorithm"),
925 build_string (name)));
926 }
927
928 /* Public key ID. */
929 buf_size = 0;
930 err = fn_gnutls_x509_crt_get_key_id (cert, 0, NULL, &buf_size);
931 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
932 {
933 void *buf = xmalloc (buf_size);
934 err = fn_gnutls_x509_crt_get_key_id (cert, 0, buf, &buf_size);
935 if (err >= GNUTLS_E_SUCCESS)
936 res = nconc2 (res, list2 (intern (":public-key-id"),
937 gnutls_hex_string (buf, buf_size, "sha1:")));
938 xfree (buf);
939 }
940
941 /* Certificate fingerprint. */
942 buf_size = 0;
943 err = fn_gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1,
944 NULL, &buf_size);
945 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
946 {
947 void *buf = xmalloc (buf_size);
948 err = fn_gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1,
949 buf, &buf_size);
950 if (err >= GNUTLS_E_SUCCESS)
951 res = nconc2 (res, list2 (intern (":certificate-id"),
952 gnutls_hex_string (buf, buf_size, "sha1:")));
953 xfree (buf);
954 }
955
956 return res;
957 }
958
959 DEFUN ("gnutls-peer-status-warning-describe", Fgnutls_peer_status_warning_describe, Sgnutls_peer_status_warning_describe, 1, 1, 0,
960 doc: /* Describe the warning of a GnuTLS peer status from `gnutls-peer-status'. */)
961 (Lisp_Object status_symbol)
962 {
963 CHECK_SYMBOL (status_symbol);
964
965 if (EQ (status_symbol, intern (":invalid")))
966 return build_string ("certificate could not be verified");
967
968 if (EQ (status_symbol, intern (":revoked")))
969 return build_string ("certificate was revoked (CRL)");
970
971 if (EQ (status_symbol, intern (":self-signed")))
972 return build_string ("certificate signer was not found (self-signed)");
973
974 if (EQ (status_symbol, intern (":not-ca")))
975 return build_string ("certificate signer is not a CA");
976
977 if (EQ (status_symbol, intern (":insecure")))
978 return build_string ("certificate was signed with an insecure algorithm");
979
980 if (EQ (status_symbol, intern (":not-activated")))
981 return build_string ("certificate is not yet activated");
982
983 if (EQ (status_symbol, intern (":expired")))
984 return build_string ("certificate has expired");
985
986 if (EQ (status_symbol, intern (":no-host-match")))
987 return build_string ("certificate host does not match hostname");
988
989 return Qnil;
990 }
991
992 DEFUN ("gnutls-peer-status", Fgnutls_peer_status, Sgnutls_peer_status, 1, 1, 0,
993 doc: /* Describe a GnuTLS PROC peer certificate and any warnings about it.
994 The return value is a property list with top-level keys :warnings and
995 :certificate. The :warnings entry is a list of symbols you can describe with
996 `gnutls-peer-status-warning-describe'. */)
997 (Lisp_Object proc)
998 {
999 Lisp_Object warnings = Qnil, result = Qnil;
1000 unsigned int verification;
1001 gnutls_session_t state;
1002
1003 CHECK_PROCESS (proc);
1004
1005 if (GNUTLS_INITSTAGE (proc) < GNUTLS_STAGE_INIT)
1006 return Qnil;
1007
1008 /* Then collect any warnings already computed by the handshake. */
1009 verification = XPROCESS (proc)->gnutls_peer_verification;
1010
1011 if (verification & GNUTLS_CERT_INVALID)
1012 warnings = Fcons (intern (":invalid"), warnings);
1013
1014 if (verification & GNUTLS_CERT_REVOKED)
1015 warnings = Fcons (intern (":revoked"), warnings);
1016
1017 if (verification & GNUTLS_CERT_SIGNER_NOT_FOUND)
1018 warnings = Fcons (intern (":self-signed"), warnings);
1019
1020 if (verification & GNUTLS_CERT_SIGNER_NOT_CA)
1021 warnings = Fcons (intern (":not-ca"), warnings);
1022
1023 if (verification & GNUTLS_CERT_INSECURE_ALGORITHM)
1024 warnings = Fcons (intern (":insecure"), warnings);
1025
1026 if (verification & GNUTLS_CERT_NOT_ACTIVATED)
1027 warnings = Fcons (intern (":not-activated"), warnings);
1028
1029 if (verification & GNUTLS_CERT_EXPIRED)
1030 warnings = Fcons (intern (":expired"), warnings);
1031
1032 if (XPROCESS (proc)->gnutls_extra_peer_verification &
1033 CERTIFICATE_NOT_MATCHING)
1034 warnings = Fcons (intern (":no-host-match"), warnings);
1035
1036 if (!NILP (warnings))
1037 result = list2 (intern (":warnings"), warnings);
1038
1039 /* This could get called in the INIT stage, when the certificate is
1040 not yet set. */
1041 if (XPROCESS (proc)->gnutls_certificate != NULL)
1042 result = nconc2 (result, list2
1043 (intern (":certificate"),
1044 gnutls_certificate_details (XPROCESS (proc)->gnutls_certificate)));
1045
1046 state = XPROCESS (proc)->gnutls_state;
1047
1048 /* Diffie-Hellman prime bits. */
1049 {
1050 int bits = fn_gnutls_dh_get_prime_bits (state);
1051 if (bits > 0)
1052 result = nconc2 (result, list2 (intern (":diffie-hellman-prime-bits"),
1053 make_number (bits)));
1054 }
1055
1056 /* Key exchange. */
1057 result = nconc2
1058 (result, list2 (intern (":key-exchange"),
1059 build_string (fn_gnutls_kx_get_name
1060 (fn_gnutls_kx_get (state)))));
1061
1062 /* Protocol name. */
1063 result = nconc2
1064 (result, list2 (intern (":protocol"),
1065 build_string (fn_gnutls_protocol_get_name
1066 (fn_gnutls_protocol_get_version (state)))));
1067
1068 /* Cipler name. */
1069 result = nconc2
1070 (result, list2 (intern (":cipher"),
1071 build_string (fn_gnutls_cipher_get_name
1072 (fn_gnutls_cipher_get (state)))));
1073
1074 /* MAC name. */
1075 result = nconc2
1076 (result, list2 (intern (":mac"),
1077 build_string (fn_gnutls_mac_get_name
1078 (fn_gnutls_mac_get (state)))));
1079
1080
1081 return result;
1082 }
1083
1084 /* Initialize global GnuTLS state to defaults.
1085 Call `gnutls-global-deinit' when GnuTLS usage is no longer needed.
1086 Return zero on success. */
1087 static Lisp_Object
1088 emacs_gnutls_global_init (void)
1089 {
1090 int ret = GNUTLS_E_SUCCESS;
1091
1092 if (!gnutls_global_initialized)
1093 {
1094 fn_gnutls_global_set_mem_functions (xmalloc, xmalloc, NULL,
1095 xrealloc, xfree);
1096 ret = fn_gnutls_global_init ();
1097 }
1098 gnutls_global_initialized = 1;
1099
1100 return gnutls_make_error (ret);
1101 }
1102
1103 static bool
1104 gnutls_ip_address_p (char *string)
1105 {
1106 char c;
1107
1108 while ((c = *string++) != 0)
1109 if (! ((c == '.' || c == ':' || (c >= '0' && c <= '9'))))
1110 return false;
1111
1112 return true;
1113 }
1114
1115 #if 0
1116 /* Deinitialize global GnuTLS state.
1117 See also `gnutls-global-init'. */
1118 static Lisp_Object
1119 emacs_gnutls_global_deinit (void)
1120 {
1121 if (gnutls_global_initialized)
1122 gnutls_global_deinit ();
1123
1124 gnutls_global_initialized = 0;
1125
1126 return gnutls_make_error (GNUTLS_E_SUCCESS);
1127 }
1128 #endif
1129
1130 DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
1131 doc: /* Initialize GnuTLS client for process PROC with TYPE+PROPLIST.
1132 Currently only client mode is supported. Return a success/failure
1133 value you can check with `gnutls-errorp'.
1134
1135 TYPE is a symbol, either `gnutls-anon' or `gnutls-x509pki'.
1136 PROPLIST is a property list with the following keys:
1137
1138 :hostname is a string naming the remote host.
1139
1140 :priority is a GnuTLS priority string, defaults to "NORMAL".
1141
1142 :trustfiles is a list of PEM-encoded trust files for `gnutls-x509pki'.
1143
1144 :crlfiles is a list of PEM-encoded CRL lists for `gnutls-x509pki'.
1145
1146 :keylist is an alist of PEM-encoded key files and PEM-encoded
1147 certificates for `gnutls-x509pki'.
1148
1149 :callbacks is an alist of callback functions, see below.
1150
1151 :loglevel is the debug level requested from GnuTLS, try 4.
1152
1153 :verify-flags is a bitset as per GnuTLS'
1154 gnutls_certificate_set_verify_flags.
1155
1156 :verify-hostname-error is ignored. Pass :hostname in :verify-error
1157 instead.
1158
1159 :verify-error is a list of symbols to express verification checks or
1160 `t' to do all checks. Currently it can contain `:trustfiles' and
1161 `:hostname' to verify the certificate or the hostname respectively.
1162
1163 :min-prime-bits is the minimum accepted number of bits the client will
1164 accept in Diffie-Hellman key exchange.
1165
1166 The debug level will be set for this process AND globally for GnuTLS.
1167 So if you set it higher or lower at any point, it affects global
1168 debugging.
1169
1170 Note that the priority is set on the client. The server does not use
1171 the protocols's priority except for disabling protocols that were not
1172 specified.
1173
1174 Processes must be initialized with this function before other GnuTLS
1175 functions are used. This function allocates resources which can only
1176 be deallocated by calling `gnutls-deinit' or by calling it again.
1177
1178 The callbacks alist can have a `verify' key, associated with a
1179 verification function (UNUSED).
1180
1181 Each authentication type may need additional information in order to
1182 work. For X.509 PKI (`gnutls-x509pki'), you probably need at least
1183 one trustfile (usually a CA bundle). */)
1184 (Lisp_Object proc, Lisp_Object type, Lisp_Object proplist)
1185 {
1186 int ret = GNUTLS_E_SUCCESS;
1187 int max_log_level = 0;
1188 bool verify_error_all = 0;
1189
1190 gnutls_session_t state;
1191 gnutls_certificate_credentials_t x509_cred = NULL;
1192 gnutls_anon_client_credentials_t anon_cred = NULL;
1193 Lisp_Object global_init;
1194 char const *priority_string_ptr = "NORMAL"; /* default priority string. */
1195 unsigned int peer_verification;
1196 char *c_hostname;
1197
1198 /* Placeholders for the property list elements. */
1199 Lisp_Object priority_string;
1200 Lisp_Object trustfiles;
1201 Lisp_Object crlfiles;
1202 Lisp_Object keylist;
1203 /* Lisp_Object callbacks; */
1204 Lisp_Object loglevel;
1205 Lisp_Object hostname;
1206 Lisp_Object verify_error;
1207 Lisp_Object prime_bits;
1208 Lisp_Object warnings;
1209
1210 CHECK_PROCESS (proc);
1211 CHECK_SYMBOL (type);
1212 CHECK_LIST (proplist);
1213
1214 if (NILP (Fgnutls_available_p ()))
1215 error ("GnuTLS not available");
1216
1217 if (!EQ (type, Qgnutls_x509pki) && !EQ (type, Qgnutls_anon))
1218 error ("Invalid GnuTLS credential type");
1219
1220 hostname = Fplist_get (proplist, QCgnutls_bootprop_hostname);
1221 priority_string = Fplist_get (proplist, QCgnutls_bootprop_priority);
1222 trustfiles = Fplist_get (proplist, QCgnutls_bootprop_trustfiles);
1223 keylist = Fplist_get (proplist, QCgnutls_bootprop_keylist);
1224 crlfiles = Fplist_get (proplist, QCgnutls_bootprop_crlfiles);
1225 loglevel = Fplist_get (proplist, QCgnutls_bootprop_loglevel);
1226 verify_error = Fplist_get (proplist, QCgnutls_bootprop_verify_error);
1227 prime_bits = Fplist_get (proplist, QCgnutls_bootprop_min_prime_bits);
1228
1229 if (EQ (verify_error, Qt))
1230 {
1231 verify_error_all = 1;
1232 }
1233 else if (NILP (Flistp (verify_error)))
1234 {
1235 error ("gnutls-boot: invalid :verify_error parameter (not a list)");
1236 }
1237
1238 if (!STRINGP (hostname))
1239 error ("gnutls-boot: invalid :hostname parameter (not a string)");
1240 c_hostname = SSDATA (hostname);
1241
1242 state = XPROCESS (proc)->gnutls_state;
1243
1244 if (TYPE_RANGED_INTEGERP (int, loglevel))
1245 {
1246 fn_gnutls_global_set_log_function (gnutls_log_function);
1247 #ifdef HAVE_GNUTLS3
1248 fn_gnutls_global_set_audit_log_function (gnutls_audit_log_function);
1249 #endif
1250 fn_gnutls_global_set_log_level (XINT (loglevel));
1251 max_log_level = XINT (loglevel);
1252 XPROCESS (proc)->gnutls_log_level = max_log_level;
1253 }
1254
1255 GNUTLS_LOG2 (1, max_log_level, "connecting to host:", c_hostname);
1256
1257 /* Always initialize globals. */
1258 global_init = emacs_gnutls_global_init ();
1259 if (! NILP (Fgnutls_errorp (global_init)))
1260 return global_init;
1261
1262 /* Before allocating new credentials, deallocate any credentials
1263 that PROC might already have. */
1264 emacs_gnutls_deinit (proc);
1265
1266 /* Mark PROC as a GnuTLS process. */
1267 XPROCESS (proc)->gnutls_state = NULL;
1268 XPROCESS (proc)->gnutls_x509_cred = NULL;
1269 XPROCESS (proc)->gnutls_anon_cred = NULL;
1270 pset_gnutls_cred_type (XPROCESS (proc), type);
1271 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_EMPTY;
1272
1273 GNUTLS_LOG (1, max_log_level, "allocating credentials");
1274 if (EQ (type, Qgnutls_x509pki))
1275 {
1276 Lisp_Object verify_flags;
1277 unsigned int gnutls_verify_flags = GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
1278
1279 GNUTLS_LOG (2, max_log_level, "allocating x509 credentials");
1280 fn_gnutls_certificate_allocate_credentials (&x509_cred);
1281 XPROCESS (proc)->gnutls_x509_cred = x509_cred;
1282
1283 verify_flags = Fplist_get (proplist, QCgnutls_bootprop_verify_flags);
1284 if (NUMBERP (verify_flags))
1285 {
1286 gnutls_verify_flags = XINT (verify_flags);
1287 GNUTLS_LOG (2, max_log_level, "setting verification flags");
1288 }
1289 else if (NILP (verify_flags))
1290 GNUTLS_LOG (2, max_log_level, "using default verification flags");
1291 else
1292 GNUTLS_LOG (2, max_log_level, "ignoring invalid verify-flags");
1293
1294 fn_gnutls_certificate_set_verify_flags (x509_cred, gnutls_verify_flags);
1295 }
1296 else /* Qgnutls_anon: */
1297 {
1298 GNUTLS_LOG (2, max_log_level, "allocating anon credentials");
1299 fn_gnutls_anon_allocate_client_credentials (&anon_cred);
1300 XPROCESS (proc)->gnutls_anon_cred = anon_cred;
1301 }
1302
1303 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_CRED_ALLOC;
1304
1305 if (EQ (type, Qgnutls_x509pki))
1306 {
1307 /* TODO: GNUTLS_X509_FMT_DER is also an option. */
1308 int file_format = GNUTLS_X509_FMT_PEM;
1309 Lisp_Object tail;
1310
1311 for (tail = trustfiles; CONSP (tail); tail = XCDR (tail))
1312 {
1313 Lisp_Object trustfile = XCAR (tail);
1314 if (STRINGP (trustfile))
1315 {
1316 GNUTLS_LOG2 (1, max_log_level, "setting the trustfile: ",
1317 SSDATA (trustfile));
1318 trustfile = ENCODE_FILE (trustfile);
1319 #ifdef WINDOWSNT
1320 /* Since GnuTLS doesn't support UTF-8 or UTF-16 encoded
1321 file names on Windows, we need to re-encode the file
1322 name using the current ANSI codepage. */
1323 trustfile = ansi_encode_filename (trustfile);
1324 #endif
1325 ret = fn_gnutls_certificate_set_x509_trust_file
1326 (x509_cred,
1327 SSDATA (trustfile),
1328 file_format);
1329
1330 if (ret < GNUTLS_E_SUCCESS)
1331 return gnutls_make_error (ret);
1332 }
1333 else
1334 {
1335 emacs_gnutls_deinit (proc);
1336 error ("Invalid trustfile");
1337 }
1338 }
1339
1340 for (tail = crlfiles; CONSP (tail); tail = XCDR (tail))
1341 {
1342 Lisp_Object crlfile = XCAR (tail);
1343 if (STRINGP (crlfile))
1344 {
1345 GNUTLS_LOG2 (1, max_log_level, "setting the CRL file: ",
1346 SSDATA (crlfile));
1347 crlfile = ENCODE_FILE (crlfile);
1348 #ifdef WINDOWSNT
1349 crlfile = ansi_encode_filename (crlfile);
1350 #endif
1351 ret = fn_gnutls_certificate_set_x509_crl_file
1352 (x509_cred, SSDATA (crlfile), file_format);
1353
1354 if (ret < GNUTLS_E_SUCCESS)
1355 return gnutls_make_error (ret);
1356 }
1357 else
1358 {
1359 emacs_gnutls_deinit (proc);
1360 error ("Invalid CRL file");
1361 }
1362 }
1363
1364 for (tail = keylist; CONSP (tail); tail = XCDR (tail))
1365 {
1366 Lisp_Object keyfile = Fcar (XCAR (tail));
1367 Lisp_Object certfile = Fcar (Fcdr (XCAR (tail)));
1368 if (STRINGP (keyfile) && STRINGP (certfile))
1369 {
1370 GNUTLS_LOG2 (1, max_log_level, "setting the client key file: ",
1371 SSDATA (keyfile));
1372 GNUTLS_LOG2 (1, max_log_level, "setting the client cert file: ",
1373 SSDATA (certfile));
1374 keyfile = ENCODE_FILE (keyfile);
1375 certfile = ENCODE_FILE (certfile);
1376 #ifdef WINDOWSNT
1377 keyfile = ansi_encode_filename (keyfile);
1378 certfile = ansi_encode_filename (certfile);
1379 #endif
1380 ret = fn_gnutls_certificate_set_x509_key_file
1381 (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
1382
1383 if (ret < GNUTLS_E_SUCCESS)
1384 return gnutls_make_error (ret);
1385 }
1386 else
1387 {
1388 emacs_gnutls_deinit (proc);
1389 error (STRINGP (keyfile) ? "Invalid client cert file"
1390 : "Invalid client key file");
1391 }
1392 }
1393 }
1394
1395 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_FILES;
1396 GNUTLS_LOG (1, max_log_level, "gnutls callbacks");
1397 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_CALLBACKS;
1398
1399 /* Call gnutls_init here: */
1400
1401 GNUTLS_LOG (1, max_log_level, "gnutls_init");
1402 ret = fn_gnutls_init (&state, GNUTLS_CLIENT);
1403 XPROCESS (proc)->gnutls_state = state;
1404 if (ret < GNUTLS_E_SUCCESS)
1405 return gnutls_make_error (ret);
1406 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_INIT;
1407
1408 if (STRINGP (priority_string))
1409 {
1410 priority_string_ptr = SSDATA (priority_string);
1411 GNUTLS_LOG2 (1, max_log_level, "got non-default priority string:",
1412 priority_string_ptr);
1413 }
1414 else
1415 {
1416 GNUTLS_LOG2 (1, max_log_level, "using default priority string:",
1417 priority_string_ptr);
1418 }
1419
1420 GNUTLS_LOG (1, max_log_level, "setting the priority string");
1421 ret = fn_gnutls_priority_set_direct (state,
1422 priority_string_ptr,
1423 NULL);
1424 if (ret < GNUTLS_E_SUCCESS)
1425 return gnutls_make_error (ret);
1426
1427 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_PRIORITY;
1428
1429 if (INTEGERP (prime_bits))
1430 fn_gnutls_dh_set_prime_bits (state, XUINT (prime_bits));
1431
1432 ret = EQ (type, Qgnutls_x509pki)
1433 ? fn_gnutls_credentials_set (state, GNUTLS_CRD_CERTIFICATE, x509_cred)
1434 : fn_gnutls_credentials_set (state, GNUTLS_CRD_ANON, anon_cred);
1435 if (ret < GNUTLS_E_SUCCESS)
1436 return gnutls_make_error (ret);
1437
1438 if (!gnutls_ip_address_p (c_hostname))
1439 {
1440 ret = fn_gnutls_server_name_set (state, GNUTLS_NAME_DNS, c_hostname,
1441 strlen (c_hostname));
1442 if (ret < GNUTLS_E_SUCCESS)
1443 return gnutls_make_error (ret);
1444 }
1445
1446 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_CRED_SET;
1447 ret = emacs_gnutls_handshake (XPROCESS (proc));
1448 if (ret < GNUTLS_E_SUCCESS)
1449 return gnutls_make_error (ret);
1450
1451 /* Now verify the peer, following
1452 http://www.gnu.org/software/gnutls/manual/html_node/Verifying-peer_0027s-certificate.html.
1453 The peer should present at least one certificate in the chain; do a
1454 check of the certificate's hostname with
1455 gnutls_x509_crt_check_hostname against :hostname. */
1456
1457 ret = fn_gnutls_certificate_verify_peers2 (state, &peer_verification);
1458 if (ret < GNUTLS_E_SUCCESS)
1459 return gnutls_make_error (ret);
1460
1461 XPROCESS (proc)->gnutls_peer_verification = peer_verification;
1462
1463 warnings = Fplist_get (Fgnutls_peer_status (proc), intern (":warnings"));
1464 if (!NILP (warnings))
1465 {
1466 Lisp_Object tail;
1467 for (tail = warnings; CONSP (tail); tail = XCDR (tail))
1468 {
1469 Lisp_Object warning = XCAR (tail);
1470 Lisp_Object message = Fgnutls_peer_status_warning_describe (warning);
1471 if (!NILP (message))
1472 GNUTLS_LOG2 (1, max_log_level, "verification:", SSDATA (message));
1473 }
1474 }
1475
1476 if (peer_verification != 0)
1477 {
1478 if (verify_error_all
1479 || !NILP (Fmember (QCgnutls_bootprop_trustfiles, verify_error)))
1480 {
1481 emacs_gnutls_deinit (proc);
1482 error ("Certificate validation failed %s, verification code %d",
1483 c_hostname, peer_verification);
1484 }
1485 else
1486 {
1487 GNUTLS_LOG2 (1, max_log_level, "certificate validation failed:",
1488 c_hostname);
1489 }
1490 }
1491
1492 /* Up to here the process is the same for X.509 certificates and
1493 OpenPGP keys. From now on X.509 certificates are assumed. This
1494 can be easily extended to work with openpgp keys as well. */
1495 if (fn_gnutls_certificate_type_get (state) == GNUTLS_CRT_X509)
1496 {
1497 gnutls_x509_crt_t gnutls_verify_cert;
1498 const gnutls_datum_t *gnutls_verify_cert_list;
1499 unsigned int gnutls_verify_cert_list_size;
1500
1501 ret = fn_gnutls_x509_crt_init (&gnutls_verify_cert);
1502 if (ret < GNUTLS_E_SUCCESS)
1503 return gnutls_make_error (ret);
1504
1505 gnutls_verify_cert_list =
1506 fn_gnutls_certificate_get_peers (state, &gnutls_verify_cert_list_size);
1507
1508 if (gnutls_verify_cert_list == NULL)
1509 {
1510 fn_gnutls_x509_crt_deinit (gnutls_verify_cert);
1511 emacs_gnutls_deinit (proc);
1512 error ("No x509 certificate was found\n");
1513 }
1514
1515 /* We only check the first certificate in the given chain. */
1516 ret = fn_gnutls_x509_crt_import (gnutls_verify_cert,
1517 &gnutls_verify_cert_list[0],
1518 GNUTLS_X509_FMT_DER);
1519
1520 if (ret < GNUTLS_E_SUCCESS)
1521 {
1522 fn_gnutls_x509_crt_deinit (gnutls_verify_cert);
1523 return gnutls_make_error (ret);
1524 }
1525
1526 XPROCESS (proc)->gnutls_certificate = gnutls_verify_cert;
1527
1528 if (!fn_gnutls_x509_crt_check_hostname (gnutls_verify_cert, c_hostname))
1529 {
1530 XPROCESS (proc)->gnutls_extra_peer_verification |=
1531 CERTIFICATE_NOT_MATCHING;
1532 if (verify_error_all
1533 || !NILP (Fmember (QCgnutls_bootprop_hostname, verify_error)))
1534 {
1535 fn_gnutls_x509_crt_deinit (gnutls_verify_cert);
1536 emacs_gnutls_deinit (proc);
1537 error ("The x509 certificate does not match \"%s\"", c_hostname);
1538 }
1539 else
1540 {
1541 GNUTLS_LOG2 (1, max_log_level, "x509 certificate does not match:",
1542 c_hostname);
1543 }
1544 }
1545 }
1546
1547 /* Set this flag only if the whole initialization succeeded. */
1548 XPROCESS (proc)->gnutls_p = 1;
1549
1550 return gnutls_make_error (ret);
1551 }
1552
1553 DEFUN ("gnutls-bye", Fgnutls_bye,
1554 Sgnutls_bye, 2, 2, 0,
1555 doc: /* Terminate current GnuTLS connection for process PROC.
1556 The connection should have been initiated using `gnutls-handshake'.
1557
1558 If CONT is not nil the TLS connection gets terminated and further
1559 receives and sends will be disallowed. If the return value is zero you
1560 may continue using the connection. If CONT is nil, GnuTLS actually
1561 sends an alert containing a close request and waits for the peer to
1562 reply with the same message. In order to reuse the connection you
1563 should wait for an EOF from the peer.
1564
1565 This function may also return `gnutls-e-again', or
1566 `gnutls-e-interrupted'. */)
1567 (Lisp_Object proc, Lisp_Object cont)
1568 {
1569 gnutls_session_t state;
1570 int ret;
1571
1572 CHECK_PROCESS (proc);
1573
1574 state = XPROCESS (proc)->gnutls_state;
1575
1576 fn_gnutls_x509_crt_deinit (XPROCESS (proc)->gnutls_certificate);
1577
1578 ret = fn_gnutls_bye (state,
1579 NILP (cont) ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
1580
1581 return gnutls_make_error (ret);
1582 }
1583
1584 #endif /* HAVE_GNUTLS */
1585
1586 DEFUN ("gnutls-available-p", Fgnutls_available_p, Sgnutls_available_p, 0, 0, 0,
1587 doc: /* Return t if GnuTLS is available in this instance of Emacs. */)
1588 (void)
1589 {
1590 #ifdef HAVE_GNUTLS
1591 # ifdef WINDOWSNT
1592 Lisp_Object found = Fassq (Qgnutls_dll, Vlibrary_cache);
1593 if (CONSP (found))
1594 return XCDR (found);
1595 else
1596 {
1597 Lisp_Object status;
1598 status = init_gnutls_functions () ? Qt : Qnil;
1599 Vlibrary_cache = Fcons (Fcons (Qgnutls_dll, status), Vlibrary_cache);
1600 return status;
1601 }
1602 # else /* !WINDOWSNT */
1603 return Qt;
1604 # endif /* !WINDOWSNT */
1605 #else /* !HAVE_GNUTLS */
1606 return Qnil;
1607 #endif /* !HAVE_GNUTLS */
1608 }
1609
1610 void
1611 syms_of_gnutls (void)
1612 {
1613 #ifdef HAVE_GNUTLS
1614 gnutls_global_initialized = 0;
1615
1616 DEFSYM (Qgnutls_dll, "gnutls");
1617 DEFSYM (Qgnutls_code, "gnutls-code");
1618 DEFSYM (Qgnutls_anon, "gnutls-anon");
1619 DEFSYM (Qgnutls_x509pki, "gnutls-x509pki");
1620 DEFSYM (QCgnutls_bootprop_hostname, ":hostname");
1621 DEFSYM (QCgnutls_bootprop_priority, ":priority");
1622 DEFSYM (QCgnutls_bootprop_trustfiles, ":trustfiles");
1623 DEFSYM (QCgnutls_bootprop_keylist, ":keylist");
1624 DEFSYM (QCgnutls_bootprop_crlfiles, ":crlfiles");
1625 DEFSYM (QCgnutls_bootprop_callbacks, ":callbacks");
1626 DEFSYM (QCgnutls_bootprop_callbacks_verify, "verify");
1627 DEFSYM (QCgnutls_bootprop_min_prime_bits, ":min-prime-bits");
1628 DEFSYM (QCgnutls_bootprop_loglevel, ":loglevel");
1629 DEFSYM (QCgnutls_bootprop_verify_flags, ":verify-flags");
1630 DEFSYM (QCgnutls_bootprop_verify_error, ":verify-error");
1631
1632 DEFSYM (Qgnutls_e_interrupted, "gnutls-e-interrupted");
1633 Fput (Qgnutls_e_interrupted, Qgnutls_code,
1634 make_number (GNUTLS_E_INTERRUPTED));
1635
1636 DEFSYM (Qgnutls_e_again, "gnutls-e-again");
1637 Fput (Qgnutls_e_again, Qgnutls_code,
1638 make_number (GNUTLS_E_AGAIN));
1639
1640 DEFSYM (Qgnutls_e_invalid_session, "gnutls-e-invalid-session");
1641 Fput (Qgnutls_e_invalid_session, Qgnutls_code,
1642 make_number (GNUTLS_E_INVALID_SESSION));
1643
1644 DEFSYM (Qgnutls_e_not_ready_for_handshake, "gnutls-e-not-ready-for-handshake");
1645 Fput (Qgnutls_e_not_ready_for_handshake, Qgnutls_code,
1646 make_number (GNUTLS_E_APPLICATION_ERROR_MIN));
1647
1648 defsubr (&Sgnutls_get_initstage);
1649 defsubr (&Sgnutls_errorp);
1650 defsubr (&Sgnutls_error_fatalp);
1651 defsubr (&Sgnutls_error_string);
1652 defsubr (&Sgnutls_boot);
1653 defsubr (&Sgnutls_deinit);
1654 defsubr (&Sgnutls_bye);
1655 defsubr (&Sgnutls_peer_status);
1656 defsubr (&Sgnutls_peer_status_warning_describe);
1657
1658 DEFVAR_INT ("gnutls-log-level", global_gnutls_log_level,
1659 doc: /* Logging level used by the GnuTLS functions.
1660 Set this larger than 0 to get debug output in the *Messages* buffer.
1661 1 is for important messages, 2 is for debug data, and higher numbers
1662 are as per the GnuTLS logging conventions. */);
1663 global_gnutls_log_level = 0;
1664
1665 #endif /* HAVE_GNUTLS */
1666
1667 defsubr (&Sgnutls_available_p);
1668 }