]> code.delx.au - gnu-emacs/blob - src/gnutls.c
delx.au / code / gnu-emacs / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Compute C decls for DEFSYMs automatically
[gnu-emacs] / src / gnutls.c
1 /* GnuTLS glue for GNU Emacs.
2 Copyright (C) 2010-2015 Free Software Foundation, Inc.
3
4 This file is part of GNU Emacs.
5
6 GNU Emacs is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, either version 3 of the License, or
9 (at your option) any later version.
10
11 GNU Emacs is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>. */
18
19 #include <config.h>
20 #include <errno.h>
21 #include <stdio.h>
22
23 #include "lisp.h"
24 #include "process.h"
25 #include "gnutls.h"
26 #include "coding.h"
27
28 #ifdef HAVE_GNUTLS
29 #include <gnutls/gnutls.h>
30
31 #ifdef WINDOWSNT
32 #include <windows.h>
33 #include "w32.h"
34 #endif
35
36 static bool emacs_gnutls_handle_error (gnutls_session_t, int);
37
38 static bool gnutls_global_initialized;
39
40 static void gnutls_log_function (int, const char *);
41 static void gnutls_log_function2 (int, const char *, const char *);
42 #ifdef HAVE_GNUTLS3
43 static void gnutls_audit_log_function (gnutls_session_t, const char *);
44 #endif
45
46 enum extra_peer_verification
47 {
48 CERTIFICATE_NOT_MATCHING = 2
49 };
50
51 \f
52 #ifdef WINDOWSNT
53
54 DEF_DLL_FN (gnutls_alert_description_t, gnutls_alert_get,
55 (gnutls_session_t));
56 DEF_DLL_FN (const char *, gnutls_alert_get_name,
57 (gnutls_alert_description_t));
58 DEF_DLL_FN (int, gnutls_alert_send_appropriate, (gnutls_session_t, int));
59 DEF_DLL_FN (int, gnutls_anon_allocate_client_credentials,
60 (gnutls_anon_client_credentials_t *));
61 DEF_DLL_FN (void, gnutls_anon_free_client_credentials,
62 (gnutls_anon_client_credentials_t));
63 DEF_DLL_FN (int, gnutls_bye, (gnutls_session_t, gnutls_close_request_t));
64 DEF_DLL_FN (int, gnutls_certificate_allocate_credentials,
65 (gnutls_certificate_credentials_t *));
66 DEF_DLL_FN (void, gnutls_certificate_free_credentials,
67 (gnutls_certificate_credentials_t));
68 DEF_DLL_FN (const gnutls_datum_t *, gnutls_certificate_get_peers,
69 (gnutls_session_t, unsigned int *));
70 DEF_DLL_FN (void, gnutls_certificate_set_verify_flags,
71 (gnutls_certificate_credentials_t, unsigned int));
72 DEF_DLL_FN (int, gnutls_certificate_set_x509_crl_file,
73 (gnutls_certificate_credentials_t, const char *,
74 gnutls_x509_crt_fmt_t));
75 DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file,
76 (gnutls_certificate_credentials_t, const char *, const char *,
77 gnutls_x509_crt_fmt_t));
78 # if ((GNUTLS_VERSION_MAJOR \
79 + (GNUTLS_VERSION_MINOR > 0 || GNUTLS_VERSION_PATCH >= 20)) \
80 > 3)
81 DEF_DLL_FN (int, gnutls_certificate_set_x509_system_trust,
82 (gnutls_certificate_credentials_t));
83 # endif
84 DEF_DLL_FN (int, gnutls_certificate_set_x509_trust_file,
85 (gnutls_certificate_credentials_t, const char *,
86 gnutls_x509_crt_fmt_t));
87 DEF_DLL_FN (gnutls_certificate_type_t, gnutls_certificate_type_get,
88 (gnutls_session_t));
89 DEF_DLL_FN (int, gnutls_certificate_verify_peers2,
90 (gnutls_session_t, unsigned int *));
91 DEF_DLL_FN (int, gnutls_credentials_set,
92 (gnutls_session_t, gnutls_credentials_type_t, void *));
93 DEF_DLL_FN (void, gnutls_deinit, (gnutls_session_t));
94 DEF_DLL_FN (void, gnutls_dh_set_prime_bits,
95 (gnutls_session_t, unsigned int));
96 DEF_DLL_FN (int, gnutls_dh_get_prime_bits, (gnutls_session_t));
97 DEF_DLL_FN (int, gnutls_error_is_fatal, (int));
98 DEF_DLL_FN (int, gnutls_global_init, (void));
99 DEF_DLL_FN (void, gnutls_global_set_log_function, (gnutls_log_func));
100 # ifdef HAVE_GNUTLS3
101 DEF_DLL_FN (void, gnutls_global_set_audit_log_function, (gnutls_audit_log_func));
102 # endif
103 DEF_DLL_FN (void, gnutls_global_set_log_level, (int));
104 DEF_DLL_FN (int, gnutls_handshake, (gnutls_session_t));
105 DEF_DLL_FN (int, gnutls_init, (gnutls_session_t *, unsigned int));
106 DEF_DLL_FN (int, gnutls_priority_set_direct,
107 (gnutls_session_t, const char *, const char **));
108 DEF_DLL_FN (size_t, gnutls_record_check_pending, (gnutls_session_t));
109 DEF_DLL_FN (ssize_t, gnutls_record_recv, (gnutls_session_t, void *, size_t));
110 DEF_DLL_FN (ssize_t, gnutls_record_send,
111 (gnutls_session_t, const void *, size_t));
112 DEF_DLL_FN (const char *, gnutls_strerror, (int));
113 DEF_DLL_FN (void, gnutls_transport_set_errno, (gnutls_session_t, int));
114 DEF_DLL_FN (const char *, gnutls_check_version, (const char *));
115 DEF_DLL_FN (void, gnutls_transport_set_lowat, (gnutls_session_t, int));
116 DEF_DLL_FN (void, gnutls_transport_set_ptr2,
117 (gnutls_session_t, gnutls_transport_ptr_t,
118 gnutls_transport_ptr_t));
119 DEF_DLL_FN (void, gnutls_transport_set_pull_function,
120 (gnutls_session_t, gnutls_pull_func));
121 DEF_DLL_FN (void, gnutls_transport_set_push_function,
122 (gnutls_session_t, gnutls_push_func));
123 DEF_DLL_FN (int, gnutls_x509_crt_check_hostname,
124 (gnutls_x509_crt_t, const char *));
125 DEF_DLL_FN (void, gnutls_x509_crt_deinit, (gnutls_x509_crt_t));
126 DEF_DLL_FN (int, gnutls_x509_crt_import,
127 (gnutls_x509_crt_t, const gnutls_datum_t *,
128 gnutls_x509_crt_fmt_t));
129 DEF_DLL_FN (int, gnutls_x509_crt_init, (gnutls_x509_crt_t *));
130 DEF_DLL_FN (int, gnutls_x509_crt_get_fingerprint,
131 (gnutls_x509_crt_t,
132 gnutls_digest_algorithm_t, void *, size_t *));
133 DEF_DLL_FN (int, gnutls_x509_crt_get_version,
134 (gnutls_x509_crt_t));
135 DEF_DLL_FN (int, gnutls_x509_crt_get_serial,
136 (gnutls_x509_crt_t, void *, size_t *));
137 DEF_DLL_FN (int, gnutls_x509_crt_get_issuer_dn,
138 (gnutls_x509_crt_t, char *, size_t *));
139 DEF_DLL_FN (time_t, gnutls_x509_crt_get_activation_time,
140 (gnutls_x509_crt_t));
141 DEF_DLL_FN (time_t, gnutls_x509_crt_get_expiration_time,
142 (gnutls_x509_crt_t));
143 DEF_DLL_FN (int, gnutls_x509_crt_get_dn,
144 (gnutls_x509_crt_t, char *, size_t *));
145 DEF_DLL_FN (int, gnutls_x509_crt_get_pk_algorithm,
146 (gnutls_x509_crt_t, unsigned int *));
147 DEF_DLL_FN (const char*, gnutls_pk_algorithm_get_name,
148 (gnutls_pk_algorithm_t));
149 DEF_DLL_FN (int, gnutls_pk_bits_to_sec_param,
150 (gnutls_pk_algorithm_t, unsigned int));
151 DEF_DLL_FN (int, gnutls_x509_crt_get_issuer_unique_id,
152 (gnutls_x509_crt_t, char *, size_t *));
153 DEF_DLL_FN (int, gnutls_x509_crt_get_subject_unique_id,
154 (gnutls_x509_crt_t, char *, size_t *));
155 DEF_DLL_FN (int, gnutls_x509_crt_get_signature_algorithm,
156 (gnutls_x509_crt_t));
157 DEF_DLL_FN (int, gnutls_x509_crt_get_signature,
158 (gnutls_x509_crt_t, char *, size_t *));
159 DEF_DLL_FN (int, gnutls_x509_crt_get_key_id,
160 (gnutls_x509_crt_t, unsigned int, unsigned char *, size_t *_size));
161 DEF_DLL_FN (const char*, gnutls_sec_param_get_name, (gnutls_sec_param_t));
162 DEF_DLL_FN (const char*, gnutls_sign_get_name, (gnutls_sign_algorithm_t));
163 DEF_DLL_FN (int, gnutls_server_name_set,
164 (gnutls_session_t, gnutls_server_name_type_t,
165 const void *, size_t));
166 DEF_DLL_FN (gnutls_kx_algorithm_t, gnutls_kx_get, (gnutls_session_t));
167 DEF_DLL_FN (const char*, gnutls_kx_get_name, (gnutls_kx_algorithm_t));
168 DEF_DLL_FN (gnutls_protocol_t, gnutls_protocol_get_version,
169 (gnutls_session_t));
170 DEF_DLL_FN (const char*, gnutls_protocol_get_name, (gnutls_protocol_t));
171 DEF_DLL_FN (gnutls_cipher_algorithm_t, gnutls_cipher_get,
172 (gnutls_session_t));
173 DEF_DLL_FN (const char*, gnutls_cipher_get_name,
174 (gnutls_cipher_algorithm_t));
175 DEF_DLL_FN (gnutls_mac_algorithm_t, gnutls_mac_get, (gnutls_session_t));
176 DEF_DLL_FN (const char*, gnutls_mac_get_name, (gnutls_mac_algorithm_t));
177
178
179 static bool
180 init_gnutls_functions (void)
181 {
182 HMODULE library;
183 int max_log_level = 1;
184
185 if (!(library = w32_delayed_load (Qgnutls_dll)))
186 {
187 GNUTLS_LOG (1, max_log_level, "GnuTLS library not found");
188 return 0;
189 }
190
191 LOAD_DLL_FN (library, gnutls_alert_get);
192 LOAD_DLL_FN (library, gnutls_alert_get_name);
193 LOAD_DLL_FN (library, gnutls_alert_send_appropriate);
194 LOAD_DLL_FN (library, gnutls_anon_allocate_client_credentials);
195 LOAD_DLL_FN (library, gnutls_anon_free_client_credentials);
196 LOAD_DLL_FN (library, gnutls_bye);
197 LOAD_DLL_FN (library, gnutls_certificate_allocate_credentials);
198 LOAD_DLL_FN (library, gnutls_certificate_free_credentials);
199 LOAD_DLL_FN (library, gnutls_certificate_get_peers);
200 LOAD_DLL_FN (library, gnutls_certificate_set_verify_flags);
201 LOAD_DLL_FN (library, gnutls_certificate_set_x509_crl_file);
202 LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file);
203 # if ((GNUTLS_VERSION_MAJOR \
204 + (GNUTLS_VERSION_MINOR > 0 || GNUTLS_VERSION_PATCH >= 20)) \
205 > 3)
206 LOAD_DLL_FN (library, gnutls_certificate_set_x509_system_trust);
207 # endif
208 LOAD_DLL_FN (library, gnutls_certificate_set_x509_trust_file);
209 LOAD_DLL_FN (library, gnutls_certificate_type_get);
210 LOAD_DLL_FN (library, gnutls_certificate_verify_peers2);
211 LOAD_DLL_FN (library, gnutls_credentials_set);
212 LOAD_DLL_FN (library, gnutls_deinit);
213 LOAD_DLL_FN (library, gnutls_dh_set_prime_bits);
214 LOAD_DLL_FN (library, gnutls_dh_get_prime_bits);
215 LOAD_DLL_FN (library, gnutls_error_is_fatal);
216 LOAD_DLL_FN (library, gnutls_global_init);
217 LOAD_DLL_FN (library, gnutls_global_set_log_function);
218 # ifdef HAVE_GNUTLS3
219 LOAD_DLL_FN (library, gnutls_global_set_audit_log_function);
220 # endif
221 LOAD_DLL_FN (library, gnutls_global_set_log_level);
222 LOAD_DLL_FN (library, gnutls_handshake);
223 LOAD_DLL_FN (library, gnutls_init);
224 LOAD_DLL_FN (library, gnutls_priority_set_direct);
225 LOAD_DLL_FN (library, gnutls_record_check_pending);
226 LOAD_DLL_FN (library, gnutls_record_recv);
227 LOAD_DLL_FN (library, gnutls_record_send);
228 LOAD_DLL_FN (library, gnutls_strerror);
229 LOAD_DLL_FN (library, gnutls_transport_set_errno);
230 LOAD_DLL_FN (library, gnutls_check_version);
231 /* We don't need to call gnutls_transport_set_lowat in GnuTLS 2.11.1
232 and later, and the function was removed entirely in 3.0.0. */
233 if (!fn_gnutls_check_version ("2.11.1"))
234 LOAD_DLL_FN (library, gnutls_transport_set_lowat);
235 LOAD_DLL_FN (library, gnutls_transport_set_ptr2);
236 LOAD_DLL_FN (library, gnutls_transport_set_pull_function);
237 LOAD_DLL_FN (library, gnutls_transport_set_push_function);
238 LOAD_DLL_FN (library, gnutls_x509_crt_check_hostname);
239 LOAD_DLL_FN (library, gnutls_x509_crt_deinit);
240 LOAD_DLL_FN (library, gnutls_x509_crt_import);
241 LOAD_DLL_FN (library, gnutls_x509_crt_init);
242 LOAD_DLL_FN (library, gnutls_x509_crt_get_fingerprint);
243 LOAD_DLL_FN (library, gnutls_x509_crt_get_version);
244 LOAD_DLL_FN (library, gnutls_x509_crt_get_serial);
245 LOAD_DLL_FN (library, gnutls_x509_crt_get_issuer_dn);
246 LOAD_DLL_FN (library, gnutls_x509_crt_get_activation_time);
247 LOAD_DLL_FN (library, gnutls_x509_crt_get_expiration_time);
248 LOAD_DLL_FN (library, gnutls_x509_crt_get_dn);
249 LOAD_DLL_FN (library, gnutls_x509_crt_get_pk_algorithm);
250 LOAD_DLL_FN (library, gnutls_pk_algorithm_get_name);
251 LOAD_DLL_FN (library, gnutls_pk_bits_to_sec_param);
252 LOAD_DLL_FN (library, gnutls_x509_crt_get_issuer_unique_id);
253 LOAD_DLL_FN (library, gnutls_x509_crt_get_subject_unique_id);
254 LOAD_DLL_FN (library, gnutls_x509_crt_get_signature_algorithm);
255 LOAD_DLL_FN (library, gnutls_x509_crt_get_signature);
256 LOAD_DLL_FN (library, gnutls_x509_crt_get_key_id);
257 LOAD_DLL_FN (library, gnutls_sec_param_get_name);
258 LOAD_DLL_FN (library, gnutls_sign_get_name);
259 LOAD_DLL_FN (library, gnutls_server_name_set);
260 LOAD_DLL_FN (library, gnutls_kx_get);
261 LOAD_DLL_FN (library, gnutls_kx_get_name);
262 LOAD_DLL_FN (library, gnutls_protocol_get_version);
263 LOAD_DLL_FN (library, gnutls_protocol_get_name);
264 LOAD_DLL_FN (library, gnutls_cipher_get);
265 LOAD_DLL_FN (library, gnutls_cipher_get_name);
266 LOAD_DLL_FN (library, gnutls_mac_get);
267 LOAD_DLL_FN (library, gnutls_mac_get_name);
268
269 max_log_level = global_gnutls_log_level;
270
271 {
272 Lisp_Object name = CAR_SAFE (Fget (Qgnutls_dll, QCloaded_from));
273 GNUTLS_LOG2 (1, max_log_level, "GnuTLS library loaded:",
274 STRINGP (name) ? (const char *) SDATA (name) : "unknown");
275 }
276
277 return 1;
278 }
279
280 # define gnutls_alert_get fn_gnutls_alert_get
281 # define gnutls_alert_get_name fn_gnutls_alert_get_name
282 # define gnutls_alert_send_appropriate fn_gnutls_alert_send_appropriate
283 # define gnutls_anon_allocate_client_credentials fn_gnutls_anon_allocate_client_credentials
284 # define gnutls_anon_free_client_credentials fn_gnutls_anon_free_client_credentials
285 # define gnutls_bye fn_gnutls_bye
286 # define gnutls_certificate_allocate_credentials fn_gnutls_certificate_allocate_credentials
287 # define gnutls_certificate_free_credentials fn_gnutls_certificate_free_credentials
288 # define gnutls_certificate_get_peers fn_gnutls_certificate_get_peers
289 # define gnutls_certificate_set_verify_flags fn_gnutls_certificate_set_verify_flags
290 # define gnutls_certificate_set_x509_crl_file fn_gnutls_certificate_set_x509_crl_file
291 # define gnutls_certificate_set_x509_key_file fn_gnutls_certificate_set_x509_key_file
292 # define gnutls_certificate_set_x509_system_trust fn_gnutls_certificate_set_x509_system_trust
293 # define gnutls_certificate_set_x509_trust_file fn_gnutls_certificate_set_x509_trust_file
294 # define gnutls_certificate_type_get fn_gnutls_certificate_type_get
295 # define gnutls_certificate_verify_peers2 fn_gnutls_certificate_verify_peers2
296 # define gnutls_check_version fn_gnutls_check_version
297 # define gnutls_cipher_get fn_gnutls_cipher_get
298 # define gnutls_cipher_get_name fn_gnutls_cipher_get_name
299 # define gnutls_credentials_set fn_gnutls_credentials_set
300 # define gnutls_deinit fn_gnutls_deinit
301 # define gnutls_dh_get_prime_bits fn_gnutls_dh_get_prime_bits
302 # define gnutls_dh_set_prime_bits fn_gnutls_dh_set_prime_bits
303 # define gnutls_error_is_fatal fn_gnutls_error_is_fatal
304 # define gnutls_global_init fn_gnutls_global_init
305 # define gnutls_global_set_audit_log_function fn_gnutls_global_set_audit_log_function
306 # define gnutls_global_set_log_function fn_gnutls_global_set_log_function
307 # define gnutls_global_set_log_level fn_gnutls_global_set_log_level
308 # define gnutls_handshake fn_gnutls_handshake
309 # define gnutls_init fn_gnutls_init
310 # define gnutls_kx_get fn_gnutls_kx_get
311 # define gnutls_kx_get_name fn_gnutls_kx_get_name
312 # define gnutls_mac_get fn_gnutls_mac_get
313 # define gnutls_mac_get_name fn_gnutls_mac_get_name
314 # define gnutls_pk_algorithm_get_name fn_gnutls_pk_algorithm_get_name
315 # define gnutls_pk_bits_to_sec_param fn_gnutls_pk_bits_to_sec_param
316 # define gnutls_priority_set_direct fn_gnutls_priority_set_direct
317 # define gnutls_protocol_get_name fn_gnutls_protocol_get_name
318 # define gnutls_protocol_get_version fn_gnutls_protocol_get_version
319 # define gnutls_record_check_pending fn_gnutls_record_check_pending
320 # define gnutls_record_recv fn_gnutls_record_recv
321 # define gnutls_record_send fn_gnutls_record_send
322 # define gnutls_sec_param_get_name fn_gnutls_sec_param_get_name
323 # define gnutls_server_name_set fn_gnutls_server_name_set
324 # define gnutls_sign_get_name fn_gnutls_sign_get_name
325 # define gnutls_strerror fn_gnutls_strerror
326 # define gnutls_transport_set_errno fn_gnutls_transport_set_errno
327 # define gnutls_transport_set_lowat fn_gnutls_transport_set_lowat
328 # define gnutls_transport_set_ptr2 fn_gnutls_transport_set_ptr2
329 # define gnutls_transport_set_pull_function fn_gnutls_transport_set_pull_function
330 # define gnutls_transport_set_push_function fn_gnutls_transport_set_push_function
331 # define gnutls_x509_crt_check_hostname fn_gnutls_x509_crt_check_hostname
332 # define gnutls_x509_crt_deinit fn_gnutls_x509_crt_deinit
333 # define gnutls_x509_crt_get_activation_time fn_gnutls_x509_crt_get_activation_time
334 # define gnutls_x509_crt_get_dn fn_gnutls_x509_crt_get_dn
335 # define gnutls_x509_crt_get_expiration_time fn_gnutls_x509_crt_get_expiration_time
336 # define gnutls_x509_crt_get_fingerprint fn_gnutls_x509_crt_get_fingerprint
337 # define gnutls_x509_crt_get_issuer_dn fn_gnutls_x509_crt_get_issuer_dn
338 # define gnutls_x509_crt_get_issuer_unique_id fn_gnutls_x509_crt_get_issuer_unique_id
339 # define gnutls_x509_crt_get_key_id fn_gnutls_x509_crt_get_key_id
340 # define gnutls_x509_crt_get_pk_algorithm fn_gnutls_x509_crt_get_pk_algorithm
341 # define gnutls_x509_crt_get_serial fn_gnutls_x509_crt_get_serial
342 # define gnutls_x509_crt_get_signature fn_gnutls_x509_crt_get_signature
343 # define gnutls_x509_crt_get_signature_algorithm fn_gnutls_x509_crt_get_signature_algorithm
344 # define gnutls_x509_crt_get_subject_unique_id fn_gnutls_x509_crt_get_subject_unique_id
345 # define gnutls_x509_crt_get_version fn_gnutls_x509_crt_get_version
346 # define gnutls_x509_crt_import fn_gnutls_x509_crt_import
347 # define gnutls_x509_crt_init fn_gnutls_x509_crt_init
348
349 #endif
350
351 \f
352 /* Report memory exhaustion if ERR is an out-of-memory indication. */
353 static void
354 check_memory_full (int err)
355 {
356 /* When GnuTLS exhausts memory, it doesn't say how much memory it
357 asked for, so tell the Emacs allocator that GnuTLS asked for no
358 bytes. This isn't accurate, but it's good enough. */
359 if (err == GNUTLS_E_MEMORY_ERROR)
360 memory_full (0);
361 }
362
363 #ifdef HAVE_GNUTLS3
364 /* Log a simple audit message. */
365 static void
366 gnutls_audit_log_function (gnutls_session_t session, const char *string)
367 {
368 if (global_gnutls_log_level >= 1)
369 {
370 message ("gnutls.c: [audit] %s", string);
371 }
372 }
373 #endif
374
375 /* Log a simple message. */
376 static void
377 gnutls_log_function (int level, const char *string)
378 {
379 message ("gnutls.c: [%d] %s", level, string);
380 }
381
382 /* Log a message and a string. */
383 static void
384 gnutls_log_function2 (int level, const char *string, const char *extra)
385 {
386 message ("gnutls.c: [%d] %s %s", level, string, extra);
387 }
388
389 /* Log a message and an integer. */
390 static void
391 gnutls_log_function2i (int level, const char *string, int extra)
392 {
393 message ("gnutls.c: [%d] %s %d", level, string, extra);
394 }
395
396 static int
397 emacs_gnutls_handshake (struct Lisp_Process *proc)
398 {
399 gnutls_session_t state = proc->gnutls_state;
400 int ret;
401
402 if (proc->gnutls_initstage < GNUTLS_STAGE_HANDSHAKE_CANDO)
403 return -1;
404
405 if (proc->gnutls_initstage < GNUTLS_STAGE_TRANSPORT_POINTERS_SET)
406 {
407 #ifdef WINDOWSNT
408 /* On W32 we cannot transfer socket handles between different runtime
409 libraries, so we tell GnuTLS to use our special push/pull
410 functions. */
411 gnutls_transport_set_ptr2 (state,
412 (gnutls_transport_ptr_t) proc,
413 (gnutls_transport_ptr_t) proc);
414 gnutls_transport_set_push_function (state, &emacs_gnutls_push);
415 gnutls_transport_set_pull_function (state, &emacs_gnutls_pull);
416
417 /* For non blocking sockets or other custom made pull/push
418 functions the gnutls_transport_set_lowat must be called, with
419 a zero low water mark value. (GnuTLS 2.10.4 documentation)
420
421 (Note: this is probably not strictly necessary as the lowat
422 value is only used when no custom pull/push functions are
423 set.) */
424 /* According to GnuTLS NEWS file, lowat level has been set to
425 zero by default in version 2.11.1, and the function
426 gnutls_transport_set_lowat was removed from the library in
427 version 2.99.0. */
428 if (!gnutls_check_version ("2.11.1"))
429 gnutls_transport_set_lowat (state, 0);
430 #else
431 /* This is how GnuTLS takes sockets: as file descriptors passed
432 in. For an Emacs process socket, infd and outfd are the
433 same but we use this two-argument version for clarity. */
434 gnutls_transport_set_ptr2 (state,
435 (void *) (intptr_t) proc->infd,
436 (void *) (intptr_t) proc->outfd);
437 #endif
438
439 proc->gnutls_initstage = GNUTLS_STAGE_TRANSPORT_POINTERS_SET;
440 }
441
442 do
443 {
444 ret = gnutls_handshake (state);
445 emacs_gnutls_handle_error (state, ret);
446 QUIT;
447 }
448 while (ret < 0 && gnutls_error_is_fatal (ret) == 0);
449
450 proc->gnutls_initstage = GNUTLS_STAGE_HANDSHAKE_TRIED;
451
452 if (ret == GNUTLS_E_SUCCESS)
453 {
454 /* Here we're finally done. */
455 proc->gnutls_initstage = GNUTLS_STAGE_READY;
456 }
457 else
458 {
459 check_memory_full (gnutls_alert_send_appropriate (state, ret));
460 }
461 return ret;
462 }
463
464 ptrdiff_t
465 emacs_gnutls_record_check_pending (gnutls_session_t state)
466 {
467 return gnutls_record_check_pending (state);
468 }
469
470 #ifdef WINDOWSNT
471 void
472 emacs_gnutls_transport_set_errno (gnutls_session_t state, int err)
473 {
474 gnutls_transport_set_errno (state, err);
475 }
476 #endif
477
478 ptrdiff_t
479 emacs_gnutls_write (struct Lisp_Process *proc, const char *buf, ptrdiff_t nbyte)
480 {
481 ssize_t rtnval = 0;
482 ptrdiff_t bytes_written;
483 gnutls_session_t state = proc->gnutls_state;
484
485 if (proc->gnutls_initstage != GNUTLS_STAGE_READY)
486 {
487 errno = EAGAIN;
488 return 0;
489 }
490
491 bytes_written = 0;
492
493 while (nbyte > 0)
494 {
495 rtnval = gnutls_record_send (state, buf, nbyte);
496
497 if (rtnval < 0)
498 {
499 if (rtnval == GNUTLS_E_INTERRUPTED)
500 continue;
501 else
502 {
503 /* If we get GNUTLS_E_AGAIN, then set errno
504 appropriately so that send_process retries the
505 correct way instead of erroring out. */
506 if (rtnval == GNUTLS_E_AGAIN)
507 errno = EAGAIN;
508 break;
509 }
510 }
511
512 buf += rtnval;
513 nbyte -= rtnval;
514 bytes_written += rtnval;
515 }
516
517 emacs_gnutls_handle_error (state, rtnval);
518 return (bytes_written);
519 }
520
521 ptrdiff_t
522 emacs_gnutls_read (struct Lisp_Process *proc, char *buf, ptrdiff_t nbyte)
523 {
524 ssize_t rtnval;
525 gnutls_session_t state = proc->gnutls_state;
526
527 int log_level = proc->gnutls_log_level;
528
529 if (proc->gnutls_initstage != GNUTLS_STAGE_READY)
530 {
531 /* If the handshake count is under the limit, try the handshake
532 again and increment the handshake count. This count is kept
533 per process (connection), not globally. */
534 if (proc->gnutls_handshakes_tried < GNUTLS_EMACS_HANDSHAKES_LIMIT)
535 {
536 proc->gnutls_handshakes_tried++;
537 emacs_gnutls_handshake (proc);
538 GNUTLS_LOG2i (5, log_level, "Retried handshake",
539 proc->gnutls_handshakes_tried);
540 return -1;
541 }
542
543 GNUTLS_LOG (2, log_level, "Giving up on handshake; resetting retries");
544 proc->gnutls_handshakes_tried = 0;
545 return 0;
546 }
547 rtnval = gnutls_record_recv (state, buf, nbyte);
548 if (rtnval >= 0)
549 return rtnval;
550 else if (rtnval == GNUTLS_E_UNEXPECTED_PACKET_LENGTH)
551 /* The peer closed the connection. */
552 return 0;
553 else if (emacs_gnutls_handle_error (state, rtnval))
554 /* non-fatal error */
555 return -1;
556 else {
557 /* a fatal error occurred */
558 return 0;
559 }
560 }
561
562 /* Report a GnuTLS error to the user.
563 Return true if the error code was successfully handled. */
564 static bool
565 emacs_gnutls_handle_error (gnutls_session_t session, int err)
566 {
567 int max_log_level = 0;
568
569 bool ret;
570 const char *str;
571
572 /* TODO: use a Lisp_Object generated by gnutls_make_error? */
573 if (err >= 0)
574 return 1;
575
576 check_memory_full (err);
577
578 max_log_level = global_gnutls_log_level;
579
580 /* TODO: use gnutls-error-fatalp and gnutls-error-string. */
581
582 str = gnutls_strerror (err);
583 if (!str)
584 str = "unknown";
585
586 if (gnutls_error_is_fatal (err))
587 {
588 ret = 0;
589 GNUTLS_LOG2 (1, max_log_level, "fatal error:", str);
590 }
591 else
592 {
593 ret = 1;
594
595 switch (err)
596 {
597 case GNUTLS_E_AGAIN:
598 GNUTLS_LOG2 (3,
599 max_log_level,
600 "retry:",
601 str);
602 default:
603 GNUTLS_LOG2 (1,
604 max_log_level,
605 "non-fatal error:",
606 str);
607 }
608 }
609
610 if (err == GNUTLS_E_WARNING_ALERT_RECEIVED
611 || err == GNUTLS_E_FATAL_ALERT_RECEIVED)
612 {
613 int alert = gnutls_alert_get (session);
614 int level = (err == GNUTLS_E_FATAL_ALERT_RECEIVED) ? 0 : 1;
615 str = gnutls_alert_get_name (alert);
616 if (!str)
617 str = "unknown";
618
619 GNUTLS_LOG2 (level, max_log_level, "Received alert: ", str);
620 }
621 return ret;
622 }
623
624 /* convert an integer error to a Lisp_Object; it will be either a
625 known symbol like `gnutls_e_interrupted' and `gnutls_e_again' or
626 simply the integer value of the error. GNUTLS_E_SUCCESS is mapped
627 to Qt. */
628 static Lisp_Object
629 gnutls_make_error (int err)
630 {
631 switch (err)
632 {
633 case GNUTLS_E_SUCCESS:
634 return Qt;
635 case GNUTLS_E_AGAIN:
636 return Qgnutls_e_again;
637 case GNUTLS_E_INTERRUPTED:
638 return Qgnutls_e_interrupted;
639 case GNUTLS_E_INVALID_SESSION:
640 return Qgnutls_e_invalid_session;
641 }
642
643 check_memory_full (err);
644 return make_number (err);
645 }
646
647 Lisp_Object
648 emacs_gnutls_deinit (Lisp_Object proc)
649 {
650 int log_level;
651
652 CHECK_PROCESS (proc);
653
654 if (XPROCESS (proc)->gnutls_p == 0)
655 return Qnil;
656
657 log_level = XPROCESS (proc)->gnutls_log_level;
658
659 if (XPROCESS (proc)->gnutls_x509_cred)
660 {
661 GNUTLS_LOG (2, log_level, "Deallocating x509 credentials");
662 gnutls_certificate_free_credentials (XPROCESS (proc)->gnutls_x509_cred);
663 XPROCESS (proc)->gnutls_x509_cred = NULL;
664 }
665
666 if (XPROCESS (proc)->gnutls_anon_cred)
667 {
668 GNUTLS_LOG (2, log_level, "Deallocating anon credentials");
669 gnutls_anon_free_client_credentials (XPROCESS (proc)->gnutls_anon_cred);
670 XPROCESS (proc)->gnutls_anon_cred = NULL;
671 }
672
673 if (XPROCESS (proc)->gnutls_state)
674 {
675 gnutls_deinit (XPROCESS (proc)->gnutls_state);
676 XPROCESS (proc)->gnutls_state = NULL;
677 if (GNUTLS_INITSTAGE (proc) >= GNUTLS_STAGE_INIT)
678 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_INIT - 1;
679 }
680
681 XPROCESS (proc)->gnutls_p = 0;
682 return Qt;
683 }
684
685 DEFUN ("gnutls-get-initstage", Fgnutls_get_initstage, Sgnutls_get_initstage, 1, 1, 0,
686 doc: /* Return the GnuTLS init stage of process PROC.
687 See also `gnutls-boot'. */)
688 (Lisp_Object proc)
689 {
690 CHECK_PROCESS (proc);
691
692 return make_number (GNUTLS_INITSTAGE (proc));
693 }
694
695 DEFUN ("gnutls-errorp", Fgnutls_errorp, Sgnutls_errorp, 1, 1, 0,
696 doc: /* Return t if ERROR indicates a GnuTLS problem.
697 ERROR is an integer or a symbol with an integer `gnutls-code' property.
698 usage: (gnutls-errorp ERROR) */)
699 (Lisp_Object err)
700 {
701 if (EQ (err, Qt)) return Qnil;
702
703 return Qt;
704 }
705
706 DEFUN ("gnutls-error-fatalp", Fgnutls_error_fatalp, Sgnutls_error_fatalp, 1, 1, 0,
707 doc: /* Return non-nil if ERROR is fatal.
708 ERROR is an integer or a symbol with an integer `gnutls-code' property.
709 Usage: (gnutls-error-fatalp ERROR) */)
710 (Lisp_Object err)
711 {
712 Lisp_Object code;
713
714 if (EQ (err, Qt)) return Qnil;
715
716 if (SYMBOLP (err))
717 {
718 code = Fget (err, Qgnutls_code);
719 if (NUMBERP (code))
720 {
721 err = code;
722 }
723 else
724 {
725 error ("Symbol has no numeric gnutls-code property");
726 }
727 }
728
729 if (! TYPE_RANGED_INTEGERP (int, err))
730 error ("Not an error symbol or code");
731
732 if (0 == gnutls_error_is_fatal (XINT (err)))
733 return Qnil;
734
735 return Qt;
736 }
737
738 DEFUN ("gnutls-error-string", Fgnutls_error_string, Sgnutls_error_string, 1, 1, 0,
739 doc: /* Return a description of ERROR.
740 ERROR is an integer or a symbol with an integer `gnutls-code' property.
741 usage: (gnutls-error-string ERROR) */)
742 (Lisp_Object err)
743 {
744 Lisp_Object code;
745
746 if (EQ (err, Qt)) return build_string ("Not an error");
747
748 if (SYMBOLP (err))
749 {
750 code = Fget (err, Qgnutls_code);
751 if (NUMBERP (code))
752 {
753 err = code;
754 }
755 else
756 {
757 return build_string ("Symbol has no numeric gnutls-code property");
758 }
759 }
760
761 if (! TYPE_RANGED_INTEGERP (int, err))
762 return build_string ("Not an error symbol or code");
763
764 return build_string (gnutls_strerror (XINT (err)));
765 }
766
767 DEFUN ("gnutls-deinit", Fgnutls_deinit, Sgnutls_deinit, 1, 1, 0,
768 doc: /* Deallocate GnuTLS resources associated with process PROC.
769 See also `gnutls-init'. */)
770 (Lisp_Object proc)
771 {
772 return emacs_gnutls_deinit (proc);
773 }
774
775 static Lisp_Object
776 gnutls_hex_string (unsigned char *buf, ptrdiff_t buf_size, const char *prefix)
777 {
778 ptrdiff_t prefix_length = strlen (prefix);
779 if ((STRING_BYTES_BOUND - prefix_length) / 3 < buf_size)
780 string_overflow ();
781 Lisp_Object ret = make_uninit_string (prefix_length + 3 * buf_size
782 - (buf_size != 0));
783 char *string = SSDATA (ret);
784 strcpy (string, prefix);
785
786 for (ptrdiff_t i = 0; i < buf_size; i++)
787 sprintf (string + i * 3 + prefix_length,
788 i == buf_size - 1 ? "%02x" : "%02x:",
789 buf[i]);
790
791 return ret;
792 }
793
794 static Lisp_Object
795 gnutls_certificate_details (gnutls_x509_crt_t cert)
796 {
797 Lisp_Object res = Qnil;
798 int err;
799 size_t buf_size;
800
801 /* Version. */
802 {
803 int version = gnutls_x509_crt_get_version (cert);
804 check_memory_full (version);
805 if (version >= GNUTLS_E_SUCCESS)
806 res = nconc2 (res, list2 (intern (":version"),
807 make_number (version)));
808 }
809
810 /* Serial. */
811 buf_size = 0;
812 err = gnutls_x509_crt_get_serial (cert, NULL, &buf_size);
813 check_memory_full (err);
814 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
815 {
816 void *serial = xmalloc (buf_size);
817 err = gnutls_x509_crt_get_serial (cert, serial, &buf_size);
818 check_memory_full (err);
819 if (err >= GNUTLS_E_SUCCESS)
820 res = nconc2 (res, list2 (intern (":serial-number"),
821 gnutls_hex_string (serial, buf_size, "")));
822 xfree (serial);
823 }
824
825 /* Issuer. */
826 buf_size = 0;
827 err = gnutls_x509_crt_get_issuer_dn (cert, NULL, &buf_size);
828 check_memory_full (err);
829 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
830 {
831 char *dn = xmalloc (buf_size);
832 err = gnutls_x509_crt_get_issuer_dn (cert, dn, &buf_size);
833 check_memory_full (err);
834 if (err >= GNUTLS_E_SUCCESS)
835 res = nconc2 (res, list2 (intern (":issuer"),
836 make_string (dn, buf_size)));
837 xfree (dn);
838 }
839
840 /* Validity. */
841 {
842 /* Add 1 to the buffer size, since 1900 is added to tm_year and
843 that might add 1 to the year length. */
844 char buf[INT_STRLEN_BOUND (int) + 1 + sizeof "-12-31"];
845 struct tm t;
846 time_t tim = gnutls_x509_crt_get_activation_time (cert);
847
848 if (gmtime_r (&tim, &t) && strftime (buf, sizeof buf, "%Y-%m-%d", &t))
849 res = nconc2 (res, list2 (intern (":valid-from"), build_string (buf)));
850
851 tim = gnutls_x509_crt_get_expiration_time (cert);
852 if (gmtime_r (&tim, &t) && strftime (buf, sizeof buf, "%Y-%m-%d", &t))
853 res = nconc2 (res, list2 (intern (":valid-to"), build_string (buf)));
854 }
855
856 /* Subject. */
857 buf_size = 0;
858 err = gnutls_x509_crt_get_dn (cert, NULL, &buf_size);
859 check_memory_full (err);
860 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
861 {
862 char *dn = xmalloc (buf_size);
863 err = gnutls_x509_crt_get_dn (cert, dn, &buf_size);
864 check_memory_full (err);
865 if (err >= GNUTLS_E_SUCCESS)
866 res = nconc2 (res, list2 (intern (":subject"),
867 make_string (dn, buf_size)));
868 xfree (dn);
869 }
870
871 /* Versions older than 2.11 doesn't have these four functions. */
872 #if GNUTLS_VERSION_NUMBER >= 0x020b00
873 /* SubjectPublicKeyInfo. */
874 {
875 unsigned int bits;
876
877 err = gnutls_x509_crt_get_pk_algorithm (cert, &bits);
878 check_memory_full (err);
879 if (err >= GNUTLS_E_SUCCESS)
880 {
881 const char *name = gnutls_pk_algorithm_get_name (err);
882 if (name)
883 res = nconc2 (res, list2 (intern (":public-key-algorithm"),
884 build_string (name)));
885
886 name = gnutls_sec_param_get_name (gnutls_pk_bits_to_sec_param
887 (err, bits));
888 res = nconc2 (res, list2 (intern (":certificate-security-level"),
889 build_string (name)));
890 }
891 }
892
893 /* Unique IDs. */
894 buf_size = 0;
895 err = gnutls_x509_crt_get_issuer_unique_id (cert, NULL, &buf_size);
896 check_memory_full (err);
897 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
898 {
899 char *buf = xmalloc (buf_size);
900 err = gnutls_x509_crt_get_issuer_unique_id (cert, buf, &buf_size);
901 check_memory_full (err);
902 if (err >= GNUTLS_E_SUCCESS)
903 res = nconc2 (res, list2 (intern (":issuer-unique-id"),
904 make_string (buf, buf_size)));
905 xfree (buf);
906 }
907
908 buf_size = 0;
909 err = gnutls_x509_crt_get_subject_unique_id (cert, NULL, &buf_size);
910 check_memory_full (err);
911 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
912 {
913 char *buf = xmalloc (buf_size);
914 err = gnutls_x509_crt_get_subject_unique_id (cert, buf, &buf_size);
915 check_memory_full (err);
916 if (err >= GNUTLS_E_SUCCESS)
917 res = nconc2 (res, list2 (intern (":subject-unique-id"),
918 make_string (buf, buf_size)));
919 xfree (buf);
920 }
921 #endif
922
923 /* Signature. */
924 err = gnutls_x509_crt_get_signature_algorithm (cert);
925 check_memory_full (err);
926 if (err >= GNUTLS_E_SUCCESS)
927 {
928 const char *name = gnutls_sign_get_name (err);
929 if (name)
930 res = nconc2 (res, list2 (intern (":signature-algorithm"),
931 build_string (name)));
932 }
933
934 /* Public key ID. */
935 buf_size = 0;
936 err = gnutls_x509_crt_get_key_id (cert, 0, NULL, &buf_size);
937 check_memory_full (err);
938 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
939 {
940 void *buf = xmalloc (buf_size);
941 err = gnutls_x509_crt_get_key_id (cert, 0, buf, &buf_size);
942 check_memory_full (err);
943 if (err >= GNUTLS_E_SUCCESS)
944 res = nconc2 (res, list2 (intern (":public-key-id"),
945 gnutls_hex_string (buf, buf_size, "sha1:")));
946 xfree (buf);
947 }
948
949 /* Certificate fingerprint. */
950 buf_size = 0;
951 err = gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1,
952 NULL, &buf_size);
953 check_memory_full (err);
954 if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
955 {
956 void *buf = xmalloc (buf_size);
957 err = gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1,
958 buf, &buf_size);
959 check_memory_full (err);
960 if (err >= GNUTLS_E_SUCCESS)
961 res = nconc2 (res, list2 (intern (":certificate-id"),
962 gnutls_hex_string (buf, buf_size, "sha1:")));
963 xfree (buf);
964 }
965
966 return res;
967 }
968
969 DEFUN ("gnutls-peer-status-warning-describe", Fgnutls_peer_status_warning_describe, Sgnutls_peer_status_warning_describe, 1, 1, 0,
970 doc: /* Describe the warning of a GnuTLS peer status from `gnutls-peer-status'. */)
971 (Lisp_Object status_symbol)
972 {
973 CHECK_SYMBOL (status_symbol);
974
975 if (EQ (status_symbol, intern (":invalid")))
976 return build_string ("certificate could not be verified");
977
978 if (EQ (status_symbol, intern (":revoked")))
979 return build_string ("certificate was revoked (CRL)");
980
981 if (EQ (status_symbol, intern (":self-signed")))
982 return build_string ("certificate signer was not found (self-signed)");
983
984 if (EQ (status_symbol, intern (":not-ca")))
985 return build_string ("certificate signer is not a CA");
986
987 if (EQ (status_symbol, intern (":insecure")))
988 return build_string ("certificate was signed with an insecure algorithm");
989
990 if (EQ (status_symbol, intern (":not-activated")))
991 return build_string ("certificate is not yet activated");
992
993 if (EQ (status_symbol, intern (":expired")))
994 return build_string ("certificate has expired");
995
996 if (EQ (status_symbol, intern (":no-host-match")))
997 return build_string ("certificate host does not match hostname");
998
999 return Qnil;
1000 }
1001
1002 DEFUN ("gnutls-peer-status", Fgnutls_peer_status, Sgnutls_peer_status, 1, 1, 0,
1003 doc: /* Describe a GnuTLS PROC peer certificate and any warnings about it.
1004 The return value is a property list with top-level keys :warnings and
1005 :certificate. The :warnings entry is a list of symbols you can describe with
1006 `gnutls-peer-status-warning-describe'. */)
1007 (Lisp_Object proc)
1008 {
1009 Lisp_Object warnings = Qnil, result = Qnil;
1010 unsigned int verification;
1011 gnutls_session_t state;
1012
1013 CHECK_PROCESS (proc);
1014
1015 if (GNUTLS_INITSTAGE (proc) < GNUTLS_STAGE_INIT)
1016 return Qnil;
1017
1018 /* Then collect any warnings already computed by the handshake. */
1019 verification = XPROCESS (proc)->gnutls_peer_verification;
1020
1021 if (verification & GNUTLS_CERT_INVALID)
1022 warnings = Fcons (intern (":invalid"), warnings);
1023
1024 if (verification & GNUTLS_CERT_REVOKED)
1025 warnings = Fcons (intern (":revoked"), warnings);
1026
1027 if (verification & GNUTLS_CERT_SIGNER_NOT_FOUND)
1028 warnings = Fcons (intern (":self-signed"), warnings);
1029
1030 if (verification & GNUTLS_CERT_SIGNER_NOT_CA)
1031 warnings = Fcons (intern (":not-ca"), warnings);
1032
1033 if (verification & GNUTLS_CERT_INSECURE_ALGORITHM)
1034 warnings = Fcons (intern (":insecure"), warnings);
1035
1036 if (verification & GNUTLS_CERT_NOT_ACTIVATED)
1037 warnings = Fcons (intern (":not-activated"), warnings);
1038
1039 if (verification & GNUTLS_CERT_EXPIRED)
1040 warnings = Fcons (intern (":expired"), warnings);
1041
1042 if (XPROCESS (proc)->gnutls_extra_peer_verification &
1043 CERTIFICATE_NOT_MATCHING)
1044 warnings = Fcons (intern (":no-host-match"), warnings);
1045
1046 if (!NILP (warnings))
1047 result = list2 (intern (":warnings"), warnings);
1048
1049 /* This could get called in the INIT stage, when the certificate is
1050 not yet set. */
1051 if (XPROCESS (proc)->gnutls_certificate != NULL)
1052 result = nconc2 (result, list2
1053 (intern (":certificate"),
1054 gnutls_certificate_details (XPROCESS (proc)->gnutls_certificate)));
1055
1056 state = XPROCESS (proc)->gnutls_state;
1057
1058 /* Diffie-Hellman prime bits. */
1059 {
1060 int bits = gnutls_dh_get_prime_bits (state);
1061 check_memory_full (bits);
1062 if (bits > 0)
1063 result = nconc2 (result, list2 (intern (":diffie-hellman-prime-bits"),
1064 make_number (bits)));
1065 }
1066
1067 /* Key exchange. */
1068 result = nconc2
1069 (result, list2 (intern (":key-exchange"),
1070 build_string (gnutls_kx_get_name
1071 (gnutls_kx_get (state)))));
1072
1073 /* Protocol name. */
1074 result = nconc2
1075 (result, list2 (intern (":protocol"),
1076 build_string (gnutls_protocol_get_name
1077 (gnutls_protocol_get_version (state)))));
1078
1079 /* Cipher name. */
1080 result = nconc2
1081 (result, list2 (intern (":cipher"),
1082 build_string (gnutls_cipher_get_name
1083 (gnutls_cipher_get (state)))));
1084
1085 /* MAC name. */
1086 result = nconc2
1087 (result, list2 (intern (":mac"),
1088 build_string (gnutls_mac_get_name
1089 (gnutls_mac_get (state)))));
1090
1091
1092 return result;
1093 }
1094
1095 /* Initialize global GnuTLS state to defaults.
1096 Call `gnutls-global-deinit' when GnuTLS usage is no longer needed.
1097 Return zero on success. */
1098 static Lisp_Object
1099 emacs_gnutls_global_init (void)
1100 {
1101 int ret = GNUTLS_E_SUCCESS;
1102
1103 if (!gnutls_global_initialized)
1104 ret = gnutls_global_init ();
1105
1106 gnutls_global_initialized = 1;
1107
1108 return gnutls_make_error (ret);
1109 }
1110
1111 static bool
1112 gnutls_ip_address_p (char *string)
1113 {
1114 char c;
1115
1116 while ((c = *string++) != 0)
1117 if (! ((c == '.' || c == ':' || (c >= '0' && c <= '9'))))
1118 return false;
1119
1120 return true;
1121 }
1122
1123 #if 0
1124 /* Deinitialize global GnuTLS state.
1125 See also `gnutls-global-init'. */
1126 static Lisp_Object
1127 emacs_gnutls_global_deinit (void)
1128 {
1129 if (gnutls_global_initialized)
1130 gnutls_global_deinit ();
1131
1132 gnutls_global_initialized = 0;
1133
1134 return gnutls_make_error (GNUTLS_E_SUCCESS);
1135 }
1136 #endif
1137
1138 DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
1139 doc: /* Initialize GnuTLS client for process PROC with TYPE+PROPLIST.
1140 Currently only client mode is supported. Return a success/failure
1141 value you can check with `gnutls-errorp'.
1142
1143 TYPE is a symbol, either `gnutls-anon' or `gnutls-x509pki'.
1144 PROPLIST is a property list with the following keys:
1145
1146 :hostname is a string naming the remote host.
1147
1148 :priority is a GnuTLS priority string, defaults to "NORMAL".
1149
1150 :trustfiles is a list of PEM-encoded trust files for `gnutls-x509pki'.
1151
1152 :crlfiles is a list of PEM-encoded CRL lists for `gnutls-x509pki'.
1153
1154 :keylist is an alist of PEM-encoded key files and PEM-encoded
1155 certificates for `gnutls-x509pki'.
1156
1157 :callbacks is an alist of callback functions, see below.
1158
1159 :loglevel is the debug level requested from GnuTLS, try 4.
1160
1161 :verify-flags is a bitset as per GnuTLS'
1162 gnutls_certificate_set_verify_flags.
1163
1164 :verify-hostname-error is ignored. Pass :hostname in :verify-error
1165 instead.
1166
1167 :verify-error is a list of symbols to express verification checks or
1168 `t' to do all checks. Currently it can contain `:trustfiles' and
1169 `:hostname' to verify the certificate or the hostname respectively.
1170
1171 :min-prime-bits is the minimum accepted number of bits the client will
1172 accept in Diffie-Hellman key exchange.
1173
1174 The debug level will be set for this process AND globally for GnuTLS.
1175 So if you set it higher or lower at any point, it affects global
1176 debugging.
1177
1178 Note that the priority is set on the client. The server does not use
1179 the protocols's priority except for disabling protocols that were not
1180 specified.
1181
1182 Processes must be initialized with this function before other GnuTLS
1183 functions are used. This function allocates resources which can only
1184 be deallocated by calling `gnutls-deinit' or by calling it again.
1185
1186 The callbacks alist can have a `verify' key, associated with a
1187 verification function (UNUSED).
1188
1189 Each authentication type may need additional information in order to
1190 work. For X.509 PKI (`gnutls-x509pki'), you probably need at least
1191 one trustfile (usually a CA bundle). */)
1192 (Lisp_Object proc, Lisp_Object type, Lisp_Object proplist)
1193 {
1194 int ret = GNUTLS_E_SUCCESS;
1195 int max_log_level = 0;
1196 bool verify_error_all = 0;
1197
1198 gnutls_session_t state;
1199 gnutls_certificate_credentials_t x509_cred = NULL;
1200 gnutls_anon_client_credentials_t anon_cred = NULL;
1201 Lisp_Object global_init;
1202 char const *priority_string_ptr = "NORMAL"; /* default priority string. */
1203 unsigned int peer_verification;
1204 char *c_hostname;
1205
1206 /* Placeholders for the property list elements. */
1207 Lisp_Object priority_string;
1208 Lisp_Object trustfiles;
1209 Lisp_Object crlfiles;
1210 Lisp_Object keylist;
1211 /* Lisp_Object callbacks; */
1212 Lisp_Object loglevel;
1213 Lisp_Object hostname;
1214 Lisp_Object verify_error;
1215 Lisp_Object prime_bits;
1216 Lisp_Object warnings;
1217
1218 CHECK_PROCESS (proc);
1219 CHECK_SYMBOL (type);
1220 CHECK_LIST (proplist);
1221
1222 if (NILP (Fgnutls_available_p ()))
1223 error ("GnuTLS not available");
1224
1225 if (!EQ (type, Qgnutls_x509pki) && !EQ (type, Qgnutls_anon))
1226 error ("Invalid GnuTLS credential type");
1227
1228 hostname = Fplist_get (proplist, QCgnutls_bootprop_hostname);
1229 priority_string = Fplist_get (proplist, QCgnutls_bootprop_priority);
1230 trustfiles = Fplist_get (proplist, QCgnutls_bootprop_trustfiles);
1231 keylist = Fplist_get (proplist, QCgnutls_bootprop_keylist);
1232 crlfiles = Fplist_get (proplist, QCgnutls_bootprop_crlfiles);
1233 loglevel = Fplist_get (proplist, QCgnutls_bootprop_loglevel);
1234 verify_error = Fplist_get (proplist, QCgnutls_bootprop_verify_error);
1235 prime_bits = Fplist_get (proplist, QCgnutls_bootprop_min_prime_bits);
1236
1237 if (EQ (verify_error, Qt))
1238 {
1239 verify_error_all = 1;
1240 }
1241 else if (NILP (Flistp (verify_error)))
1242 {
1243 error ("gnutls-boot: invalid :verify_error parameter (not a list)");
1244 }
1245
1246 if (!STRINGP (hostname))
1247 error ("gnutls-boot: invalid :hostname parameter (not a string)");
1248 c_hostname = SSDATA (hostname);
1249
1250 state = XPROCESS (proc)->gnutls_state;
1251
1252 if (TYPE_RANGED_INTEGERP (int, loglevel))
1253 {
1254 gnutls_global_set_log_function (gnutls_log_function);
1255 #ifdef HAVE_GNUTLS3
1256 gnutls_global_set_audit_log_function (gnutls_audit_log_function);
1257 #endif
1258 gnutls_global_set_log_level (XINT (loglevel));
1259 max_log_level = XINT (loglevel);
1260 XPROCESS (proc)->gnutls_log_level = max_log_level;
1261 }
1262
1263 GNUTLS_LOG2 (1, max_log_level, "connecting to host:", c_hostname);
1264
1265 /* Always initialize globals. */
1266 global_init = emacs_gnutls_global_init ();
1267 if (! NILP (Fgnutls_errorp (global_init)))
1268 return global_init;
1269
1270 /* Before allocating new credentials, deallocate any credentials
1271 that PROC might already have. */
1272 emacs_gnutls_deinit (proc);
1273
1274 /* Mark PROC as a GnuTLS process. */
1275 XPROCESS (proc)->gnutls_state = NULL;
1276 XPROCESS (proc)->gnutls_x509_cred = NULL;
1277 XPROCESS (proc)->gnutls_anon_cred = NULL;
1278 pset_gnutls_cred_type (XPROCESS (proc), type);
1279 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_EMPTY;
1280
1281 GNUTLS_LOG (1, max_log_level, "allocating credentials");
1282 if (EQ (type, Qgnutls_x509pki))
1283 {
1284 Lisp_Object verify_flags;
1285 unsigned int gnutls_verify_flags = GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
1286
1287 GNUTLS_LOG (2, max_log_level, "allocating x509 credentials");
1288 check_memory_full (gnutls_certificate_allocate_credentials (&x509_cred));
1289 XPROCESS (proc)->gnutls_x509_cred = x509_cred;
1290
1291 verify_flags = Fplist_get (proplist, QCgnutls_bootprop_verify_flags);
1292 if (NUMBERP (verify_flags))
1293 {
1294 gnutls_verify_flags = XINT (verify_flags);
1295 GNUTLS_LOG (2, max_log_level, "setting verification flags");
1296 }
1297 else if (NILP (verify_flags))
1298 GNUTLS_LOG (2, max_log_level, "using default verification flags");
1299 else
1300 GNUTLS_LOG (2, max_log_level, "ignoring invalid verify-flags");
1301
1302 gnutls_certificate_set_verify_flags (x509_cred, gnutls_verify_flags);
1303 }
1304 else /* Qgnutls_anon: */
1305 {
1306 GNUTLS_LOG (2, max_log_level, "allocating anon credentials");
1307 check_memory_full (gnutls_anon_allocate_client_credentials (&anon_cred));
1308 XPROCESS (proc)->gnutls_anon_cred = anon_cred;
1309 }
1310
1311 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_CRED_ALLOC;
1312
1313 if (EQ (type, Qgnutls_x509pki))
1314 {
1315 /* TODO: GNUTLS_X509_FMT_DER is also an option. */
1316 int file_format = GNUTLS_X509_FMT_PEM;
1317 Lisp_Object tail;
1318
1319 #if GNUTLS_VERSION_MAJOR + \
1320 (GNUTLS_VERSION_MINOR > 0 || GNUTLS_VERSION_PATCH >= 20) > 3
1321 ret = gnutls_certificate_set_x509_system_trust (x509_cred);
1322 if (ret < GNUTLS_E_SUCCESS)
1323 {
1324 check_memory_full (ret);
1325 GNUTLS_LOG2i (4, max_log_level,
1326 "setting system trust failed with code ", ret);
1327 }
1328 #endif
1329
1330 for (tail = trustfiles; CONSP (tail); tail = XCDR (tail))
1331 {
1332 Lisp_Object trustfile = XCAR (tail);
1333 if (STRINGP (trustfile))
1334 {
1335 GNUTLS_LOG2 (1, max_log_level, "setting the trustfile: ",
1336 SSDATA (trustfile));
1337 trustfile = ENCODE_FILE (trustfile);
1338 #ifdef WINDOWSNT
1339 /* Since GnuTLS doesn't support UTF-8 or UTF-16 encoded
1340 file names on Windows, we need to re-encode the file
1341 name using the current ANSI codepage. */
1342 trustfile = ansi_encode_filename (trustfile);
1343 #endif
1344 ret = gnutls_certificate_set_x509_trust_file
1345 (x509_cred,
1346 SSDATA (trustfile),
1347 file_format);
1348
1349 if (ret < GNUTLS_E_SUCCESS)
1350 return gnutls_make_error (ret);
1351 }
1352 else
1353 {
1354 emacs_gnutls_deinit (proc);
1355 error ("Invalid trustfile");
1356 }
1357 }
1358
1359 for (tail = crlfiles; CONSP (tail); tail = XCDR (tail))
1360 {
1361 Lisp_Object crlfile = XCAR (tail);
1362 if (STRINGP (crlfile))
1363 {
1364 GNUTLS_LOG2 (1, max_log_level, "setting the CRL file: ",
1365 SSDATA (crlfile));
1366 crlfile = ENCODE_FILE (crlfile);
1367 #ifdef WINDOWSNT
1368 crlfile = ansi_encode_filename (crlfile);
1369 #endif
1370 ret = gnutls_certificate_set_x509_crl_file
1371 (x509_cred, SSDATA (crlfile), file_format);
1372
1373 if (ret < GNUTLS_E_SUCCESS)
1374 return gnutls_make_error (ret);
1375 }
1376 else
1377 {
1378 emacs_gnutls_deinit (proc);
1379 error ("Invalid CRL file");
1380 }
1381 }
1382
1383 for (tail = keylist; CONSP (tail); tail = XCDR (tail))
1384 {
1385 Lisp_Object keyfile = Fcar (XCAR (tail));
1386 Lisp_Object certfile = Fcar (Fcdr (XCAR (tail)));
1387 if (STRINGP (keyfile) && STRINGP (certfile))
1388 {
1389 GNUTLS_LOG2 (1, max_log_level, "setting the client key file: ",
1390 SSDATA (keyfile));
1391 GNUTLS_LOG2 (1, max_log_level, "setting the client cert file: ",
1392 SSDATA (certfile));
1393 keyfile = ENCODE_FILE (keyfile);
1394 certfile = ENCODE_FILE (certfile);
1395 #ifdef WINDOWSNT
1396 keyfile = ansi_encode_filename (keyfile);
1397 certfile = ansi_encode_filename (certfile);
1398 #endif
1399 ret = gnutls_certificate_set_x509_key_file
1400 (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
1401
1402 if (ret < GNUTLS_E_SUCCESS)
1403 return gnutls_make_error (ret);
1404 }
1405 else
1406 {
1407 emacs_gnutls_deinit (proc);
1408 error (STRINGP (keyfile) ? "Invalid client cert file"
1409 : "Invalid client key file");
1410 }
1411 }
1412 }
1413
1414 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_FILES;
1415 GNUTLS_LOG (1, max_log_level, "gnutls callbacks");
1416 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_CALLBACKS;
1417
1418 /* Call gnutls_init here: */
1419
1420 GNUTLS_LOG (1, max_log_level, "gnutls_init");
1421 ret = gnutls_init (&state, GNUTLS_CLIENT);
1422 XPROCESS (proc)->gnutls_state = state;
1423 if (ret < GNUTLS_E_SUCCESS)
1424 return gnutls_make_error (ret);
1425 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_INIT;
1426
1427 if (STRINGP (priority_string))
1428 {
1429 priority_string_ptr = SSDATA (priority_string);
1430 GNUTLS_LOG2 (1, max_log_level, "got non-default priority string:",
1431 priority_string_ptr);
1432 }
1433 else
1434 {
1435 GNUTLS_LOG2 (1, max_log_level, "using default priority string:",
1436 priority_string_ptr);
1437 }
1438
1439 GNUTLS_LOG (1, max_log_level, "setting the priority string");
1440 ret = gnutls_priority_set_direct (state, priority_string_ptr, NULL);
1441 if (ret < GNUTLS_E_SUCCESS)
1442 return gnutls_make_error (ret);
1443
1444 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_PRIORITY;
1445
1446 if (INTEGERP (prime_bits))
1447 gnutls_dh_set_prime_bits (state, XUINT (prime_bits));
1448
1449 ret = EQ (type, Qgnutls_x509pki)
1450 ? gnutls_credentials_set (state, GNUTLS_CRD_CERTIFICATE, x509_cred)
1451 : gnutls_credentials_set (state, GNUTLS_CRD_ANON, anon_cred);
1452 if (ret < GNUTLS_E_SUCCESS)
1453 return gnutls_make_error (ret);
1454
1455 if (!gnutls_ip_address_p (c_hostname))
1456 {
1457 ret = gnutls_server_name_set (state, GNUTLS_NAME_DNS, c_hostname,
1458 strlen (c_hostname));
1459 if (ret < GNUTLS_E_SUCCESS)
1460 return gnutls_make_error (ret);
1461 }
1462
1463 GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_CRED_SET;
1464 ret = emacs_gnutls_handshake (XPROCESS (proc));
1465 if (ret < GNUTLS_E_SUCCESS)
1466 return gnutls_make_error (ret);
1467
1468 /* Now verify the peer, following
1469 http://www.gnu.org/software/gnutls/manual/html_node/Verifying-peer_0027s-certificate.html.
1470 The peer should present at least one certificate in the chain; do a
1471 check of the certificate's hostname with
1472 gnutls_x509_crt_check_hostname against :hostname. */
1473
1474 ret = gnutls_certificate_verify_peers2 (state, &peer_verification);
1475 if (ret < GNUTLS_E_SUCCESS)
1476 return gnutls_make_error (ret);
1477
1478 XPROCESS (proc)->gnutls_peer_verification = peer_verification;
1479
1480 warnings = Fplist_get (Fgnutls_peer_status (proc), intern (":warnings"));
1481 if (!NILP (warnings))
1482 {
1483 Lisp_Object tail;
1484 for (tail = warnings; CONSP (tail); tail = XCDR (tail))
1485 {
1486 Lisp_Object warning = XCAR (tail);
1487 Lisp_Object message = Fgnutls_peer_status_warning_describe (warning);
1488 if (!NILP (message))
1489 GNUTLS_LOG2 (1, max_log_level, "verification:", SSDATA (message));
1490 }
1491 }
1492
1493 if (peer_verification != 0)
1494 {
1495 if (verify_error_all
1496 || !NILP (Fmember (QCgnutls_bootprop_trustfiles, verify_error)))
1497 {
1498 emacs_gnutls_deinit (proc);
1499 error ("Certificate validation failed %s, verification code %d",
1500 c_hostname, peer_verification);
1501 }
1502 else
1503 {
1504 GNUTLS_LOG2 (1, max_log_level, "certificate validation failed:",
1505 c_hostname);
1506 }
1507 }
1508
1509 /* Up to here the process is the same for X.509 certificates and
1510 OpenPGP keys. From now on X.509 certificates are assumed. This
1511 can be easily extended to work with openpgp keys as well. */
1512 if (gnutls_certificate_type_get (state) == GNUTLS_CRT_X509)
1513 {
1514 gnutls_x509_crt_t gnutls_verify_cert;
1515 const gnutls_datum_t *gnutls_verify_cert_list;
1516 unsigned int gnutls_verify_cert_list_size;
1517
1518 ret = gnutls_x509_crt_init (&gnutls_verify_cert);
1519 if (ret < GNUTLS_E_SUCCESS)
1520 return gnutls_make_error (ret);
1521
1522 gnutls_verify_cert_list =
1523 gnutls_certificate_get_peers (state, &gnutls_verify_cert_list_size);
1524
1525 if (gnutls_verify_cert_list == NULL)
1526 {
1527 gnutls_x509_crt_deinit (gnutls_verify_cert);
1528 emacs_gnutls_deinit (proc);
1529 error ("No x509 certificate was found\n");
1530 }
1531
1532 /* We only check the first certificate in the given chain. */
1533 ret = gnutls_x509_crt_import (gnutls_verify_cert,
1534 &gnutls_verify_cert_list[0],
1535 GNUTLS_X509_FMT_DER);
1536
1537 if (ret < GNUTLS_E_SUCCESS)
1538 {
1539 gnutls_x509_crt_deinit (gnutls_verify_cert);
1540 return gnutls_make_error (ret);
1541 }
1542
1543 XPROCESS (proc)->gnutls_certificate = gnutls_verify_cert;
1544
1545 int err = gnutls_x509_crt_check_hostname (gnutls_verify_cert,
1546 c_hostname);
1547 check_memory_full (err);
1548 if (!err)
1549 {
1550 XPROCESS (proc)->gnutls_extra_peer_verification |=
1551 CERTIFICATE_NOT_MATCHING;
1552 if (verify_error_all
1553 || !NILP (Fmember (QCgnutls_bootprop_hostname, verify_error)))
1554 {
1555 gnutls_x509_crt_deinit (gnutls_verify_cert);
1556 emacs_gnutls_deinit (proc);
1557 error ("The x509 certificate does not match \"%s\"", c_hostname);
1558 }
1559 else
1560 {
1561 GNUTLS_LOG2 (1, max_log_level, "x509 certificate does not match:",
1562 c_hostname);
1563 }
1564 }
1565 }
1566
1567 /* Set this flag only if the whole initialization succeeded. */
1568 XPROCESS (proc)->gnutls_p = 1;
1569
1570 return gnutls_make_error (ret);
1571 }
1572
1573 DEFUN ("gnutls-bye", Fgnutls_bye,
1574 Sgnutls_bye, 2, 2, 0,
1575 doc: /* Terminate current GnuTLS connection for process PROC.
1576 The connection should have been initiated using `gnutls-handshake'.
1577
1578 If CONT is not nil the TLS connection gets terminated and further
1579 receives and sends will be disallowed. If the return value is zero you
1580 may continue using the connection. If CONT is nil, GnuTLS actually
1581 sends an alert containing a close request and waits for the peer to
1582 reply with the same message. In order to reuse the connection you
1583 should wait for an EOF from the peer.
1584
1585 This function may also return `gnutls-e-again', or
1586 `gnutls-e-interrupted'. */)
1587 (Lisp_Object proc, Lisp_Object cont)
1588 {
1589 gnutls_session_t state;
1590 int ret;
1591
1592 CHECK_PROCESS (proc);
1593
1594 state = XPROCESS (proc)->gnutls_state;
1595
1596 gnutls_x509_crt_deinit (XPROCESS (proc)->gnutls_certificate);
1597
1598 ret = gnutls_bye (state, NILP (cont) ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
1599
1600 return gnutls_make_error (ret);
1601 }
1602
1603 #endif /* HAVE_GNUTLS */
1604
1605 DEFUN ("gnutls-available-p", Fgnutls_available_p, Sgnutls_available_p, 0, 0, 0,
1606 doc: /* Return t if GnuTLS is available in this instance of Emacs. */)
1607 (void)
1608 {
1609 #ifdef HAVE_GNUTLS
1610 # ifdef WINDOWSNT
1611 Lisp_Object found = Fassq (Qgnutls_dll, Vlibrary_cache);
1612 if (CONSP (found))
1613 return XCDR (found);
1614 else
1615 {
1616 Lisp_Object status;
1617 status = init_gnutls_functions () ? Qt : Qnil;
1618 Vlibrary_cache = Fcons (Fcons (Qgnutls_dll, status), Vlibrary_cache);
1619 return status;
1620 }
1621 # else /* !WINDOWSNT */
1622 return Qt;
1623 # endif /* !WINDOWSNT */
1624 #else /* !HAVE_GNUTLS */
1625 return Qnil;
1626 #endif /* !HAVE_GNUTLS */
1627 }
1628
1629 void
1630 syms_of_gnutls (void)
1631 {
1632 #ifdef HAVE_GNUTLS
1633 gnutls_global_initialized = 0;
1634
1635 DEFSYM (Qgnutls_dll, "gnutls");
1636 DEFSYM (Qgnutls_code, "gnutls-code");
1637 DEFSYM (Qgnutls_anon, "gnutls-anon");
1638 DEFSYM (Qgnutls_x509pki, "gnutls-x509pki");
1639
1640 /* The following are for the property list of 'gnutls-boot'. */
1641 DEFSYM (QCgnutls_bootprop_hostname, ":hostname");
1642 DEFSYM (QCgnutls_bootprop_priority, ":priority");
1643 DEFSYM (QCgnutls_bootprop_trustfiles, ":trustfiles");
1644 DEFSYM (QCgnutls_bootprop_keylist, ":keylist");
1645 DEFSYM (QCgnutls_bootprop_crlfiles, ":crlfiles");
1646 DEFSYM (QCgnutls_bootprop_callbacks, ":callbacks");
1647 DEFSYM (QCgnutls_bootprop_min_prime_bits, ":min-prime-bits");
1648 DEFSYM (QCgnutls_bootprop_loglevel, ":loglevel");
1649 DEFSYM (QCgnutls_bootprop_verify_flags, ":verify-flags");
1650 DEFSYM (QCgnutls_bootprop_verify_error, ":verify-error");
1651
1652 DEFSYM (Qgnutls_e_interrupted, "gnutls-e-interrupted");
1653 Fput (Qgnutls_e_interrupted, Qgnutls_code,
1654 make_number (GNUTLS_E_INTERRUPTED));
1655
1656 DEFSYM (Qgnutls_e_again, "gnutls-e-again");
1657 Fput (Qgnutls_e_again, Qgnutls_code,
1658 make_number (GNUTLS_E_AGAIN));
1659
1660 DEFSYM (Qgnutls_e_invalid_session, "gnutls-e-invalid-session");
1661 Fput (Qgnutls_e_invalid_session, Qgnutls_code,
1662 make_number (GNUTLS_E_INVALID_SESSION));
1663
1664 DEFSYM (Qgnutls_e_not_ready_for_handshake, "gnutls-e-not-ready-for-handshake");
1665 Fput (Qgnutls_e_not_ready_for_handshake, Qgnutls_code,
1666 make_number (GNUTLS_E_APPLICATION_ERROR_MIN));
1667
1668 defsubr (&Sgnutls_get_initstage);
1669 defsubr (&Sgnutls_errorp);
1670 defsubr (&Sgnutls_error_fatalp);
1671 defsubr (&Sgnutls_error_string);
1672 defsubr (&Sgnutls_boot);
1673 defsubr (&Sgnutls_deinit);
1674 defsubr (&Sgnutls_bye);
1675 defsubr (&Sgnutls_peer_status);
1676 defsubr (&Sgnutls_peer_status_warning_describe);
1677
1678 DEFVAR_INT ("gnutls-log-level", global_gnutls_log_level,
1679 doc: /* Logging level used by the GnuTLS functions.
1680 Set this larger than 0 to get debug output in the *Messages* buffer.
1681 1 is for important messages, 2 is for debug data, and higher numbers
1682 are as per the GnuTLS logging conventions. */);
1683 global_gnutls_log_level = 0;
1684
1685 #endif /* HAVE_GNUTLS */
1686
1687 defsubr (&Sgnutls_available_p);
1688 }