xemacs-beta: src/tls.c annotate

annotate src/tls.c @ 5825:5d5aeb79edb4

Fix build with g++. This patch fixes various issues that cause build failures with g++ 4.8.3. See <CAHCOHQ=6yKcjQELvG8FOHXcWVez+HufUWb4FdcJKpUNhm+8B=g@mail.gmail.com> in xemacs-patches.

author	Jerry James <james@xemacs.org>
date	Thu, 06 Nov 2014 09:34:06 -0700
parents	d59bfb050ca8
children	6eca500211f4 574f0cded429

rev	line source
5814 a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1 /* Transport Layer Security implementation.
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	2 Copyright (C) 2014 Jerry James
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	3
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	4 This file is part of XEmacs.
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	5
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	6 XEmacs is free software: you can redistribute it and/or modify it
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	7 under the terms of the GNU General Public License as published by the
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	8 Free Software Foundation, either version 3 of the License, or (at your
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	9 option) any later version.
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	10
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	11 XEmacs is distributed in the hope that it will be useful, but WITHOUT
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	12 ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	13 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	14 for more details.
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	15
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	16 You should have received a copy of the GNU General Public License
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	17 along with XEmacs. If not, see <http://www.gnu.org/licenses/>. */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	18
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	19 /* Synched up with: Not in FSF. */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	20
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	21 /* Written by Jerry James. */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	22
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	23 #include <config.h>
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	24 #include "lisp.h"
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	25 #include "lstream.h"
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	26 #include "tls.h"
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	27 #include <errno.h>
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	28 #include <netinet/in.h>
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	29 #include <netinet/tcp.h>
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	30
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	31 static Lisp_Object prompt;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	32 static Lisp_Object Qread_password;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	33 Lisp_Object Qtls_error;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	34
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	35 #ifdef HAVE_NSS
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	36 #include <prinit.h>
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	37 #include <private/pprio.h>
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	38 #include <nss.h>
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	39 #include <pk11pub.h>
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	40 #include <secerr.h>
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	41 #include <secmod.h>
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	42 #include <ssl.h>
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	43
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	44 #define NSS_ERRSTR build_extstring (PR_ErrorToName (PR_GetError ()), Qnative)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	45
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	46 /* 0 == initialization of NSPR or NSS failed
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	47 * 1 == the NSPR and NSS libraries have been initialized successfully
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	48 */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	49 static int nss_inited;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	50
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	51 /* The model file descriptor */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	52 static PRFileDesc *nss_model;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	53
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	54 /* The PEM module */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	55 static SECMODModule *nss_pem_module;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	56
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	57 /* CA and trust objects go into slot 0. User certificates start in slot 1. */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	58 static CK_SLOT_ID nss_slot_count = 1;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	59
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	60 int
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	61 tls_get_fd (tls_state_t *state)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	62 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	63 return PR_FileDesc2NativeHandle (state->tls_file_desc);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	64 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	65
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	66 Bytecount
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	67 tls_read (tls_state_t state, unsigned char data, Bytecount size,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	68 unsigned int allow_quit)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	69 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	70 if (allow_quit)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	71 QUIT;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	72 return (Bytecount) PR_Recv (state->tls_file_desc, data, size, 0, 0);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	73 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	74
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	75 Bytecount
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	76 tls_write (tls_state_t state, const unsigned char data, Bytecount size,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	77 unsigned int allow_quit)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	78 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	79 if (allow_quit)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	80 QUIT;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	81 return (Bytecount) PR_Send (state->tls_file_desc, data, size, 0, 0);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	82 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	83
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	84 int
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	85 tls_close (tls_state_t *state)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	86 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	87 if (--state->tls_refcount == 0)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	88 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	89 PRStatus status = PR_Shutdown (state->tls_file_desc, PR_SHUTDOWN_BOTH);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	90 PR_Close (state->tls_file_desc);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	91 xfree (state);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	92 return (int) status;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	93 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	94 return 0;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	95 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	96
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	97 tls_state_t *
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	98 tls_open (int s, const Extbyte *hostname)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	99 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	100 struct sockaddr *addr;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	101 socklen_t addrlen;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	102 PRNetAddr pr_addr;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	103 tls_state_t *nspr;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	104 const int val = 1;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	105
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	106 /* Disable Nagle's algorithm */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	107 setsockopt (s, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	108
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	109 if (!nss_inited)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	110 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	111 warn_when_safe (Qtls_error, Qerror, "Cannot use NSS functions");
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	112 return NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	113 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	114
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	115 /* Get the socket address */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	116 addrlen = 256;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	117 addr = (struct sockaddr *) xmalloc (addrlen);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	118 if (getsockname (s, addr, &addrlen) == 0 && addrlen > 256)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	119 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	120 addr = (struct sockaddr *) xrealloc (addr, addrlen);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	121 getsockname (s, addr, &addrlen);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	122 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	123
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	124 /* Create the socket */
5825 5d5aeb79edb4 Fix build with g++. Jerry James <james@xemacs.org> parents: 5815 diff changeset	125 nspr = (tls_state_t ) xmalloc (sizeof (nspr));
5814 a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	126 nspr->tls_refcount = 2;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	127 nspr->tls_file_desc =
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	128 SSL_ImportFD (nss_model, PR_OpenTCPSocket (addr->sa_family));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	129 if (nspr->tls_file_desc == NULL)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	130 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	131 xfree (addr);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	132 xfree (nspr);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	133 warn_when_safe (Qtls_error, Qerror, "NSS unable to open socket: %s",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	134 PR_ErrorToName (PR_GetError ()));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	135 return NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	136 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	137
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	138 /* Connect to the server */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	139 memset (&pr_addr, 0, sizeof (pr_addr));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	140 if (addr->sa_family == AF_INET)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	141 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	142 struct sockaddr_in in_addr = (struct sockaddr_in ) addr;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	143 pr_addr.inet.family = in_addr->sin_family;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	144 pr_addr.inet.port = in_addr->sin_port;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	145 pr_addr.inet.ip = in_addr->sin_addr.s_addr;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	146 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	147 else
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	148 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	149 struct sockaddr_in6 in_addr = (struct sockaddr_in6 ) addr;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	150 pr_addr.ipv6.family = in_addr->sin6_family;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	151 pr_addr.ipv6.port = in_addr->sin6_port;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	152 pr_addr.ipv6.flowinfo = in_addr->sin6_flowinfo;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	153 memcpy (pr_addr.ipv6.ip.pr_s6_addr, in_addr->sin6_addr.s6_addr,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	154 sizeof (pr_addr.ipv6.ip.pr_s6_addr));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	155 pr_addr.ipv6.scope_id = in_addr->sin6_scope_id;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	156 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	157 xfree (addr);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	158 if (PR_Connect (nspr->tls_file_desc, &pr_addr, PR_INTERVAL_NO_TIMEOUT)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	159 != PR_SUCCESS)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	160 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	161 if (PR_GetError () == PR_IN_PROGRESS_ERROR)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	162 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	163 PRPollDesc pollset[2];
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	164
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	165 pollset[0].in_flags = PR_POLL_WRITE \| PR_POLL_EXCEPT;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	166 pollset[0].out_flags = 0;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	167 pollset[0].fd = nspr->tls_file_desc;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	168 for (;;)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	169 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	170 PRInt32 num_fds = PR_Poll (pollset, 1, PR_INTERVAL_NO_TIMEOUT);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	171 if (num_fds < 0)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	172 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	173 PR_Close (nspr->tls_file_desc);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	174 xfree (nspr);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	175 warn_when_safe (Qtls_error, Qerror,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	176 "NSS unable to connect: %s",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	177 PR_ErrorToName (PR_GetError ()));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	178 return NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	179 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	180 if (PR_GetConnectStatus (pollset) == PR_SUCCESS)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	181 break;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	182 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	183 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	184 else
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	185 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	186 PR_Close (nspr->tls_file_desc);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	187 xfree (nspr);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	188 warn_when_safe (Qtls_error, Qerror, "NSS unable to connect: %s",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	189 PR_ErrorToName (PR_GetError ()));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	190 return NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	191 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	192 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	193
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	194 /* Perform the handshake */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	195 if (SSL_ResetHandshake (nspr->tls_file_desc, PR_FALSE) != SECSuccess)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	196 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	197 PR_Close (nspr->tls_file_desc);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	198 xfree (nspr);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	199 warn_when_safe (Qtls_error, Qerror, "NSS unable to reset handshake: %s",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	200 PR_ErrorToName (PR_GetError ()));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	201 errno = EACCES;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	202 return NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	203 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	204 if (hostname != NULL &&
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	205 SSL_SetURL (nspr->tls_file_desc, hostname) != SECSuccess)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	206 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	207 PR_Close (nspr->tls_file_desc);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	208 xfree (nspr);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	209 warn_when_safe (Qtls_error, Qerror, "NSS unable to set URL (%s): %s",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	210 hostname, PR_ErrorToName (PR_GetError ()));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	211 errno = EACCES;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	212 return NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	213 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	214 if (SSL_ForceHandshake (nspr->tls_file_desc) != SECSuccess)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	215 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	216 PR_Close (nspr->tls_file_desc);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	217 xfree (nspr);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	218 warn_when_safe (Qtls_error, Qerror,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	219 "NSS unable to complete handshake: %s",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	220 PR_ErrorToName (PR_GetError ()));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	221 errno = EACCES;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	222 return NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	223 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	224 return nspr;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	225 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	226
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	227 /* Set the key and certificate files to use */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	228 static void
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	229 tls_set_x509_key_file (const Extbyte certfile, const Extbyte keyfile)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	230 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	231 char name[32];
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	232 void *proto_win = NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	233 PK11SlotInfo *slot = NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	234 PK11GenericObject *obj;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	235 CERTCertificate *cert;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	236 CK_ATTRIBUTE attrs[4];
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	237 CK_BBOOL cktrue = CK_TRUE, ckfalse = CK_FALSE;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	238 CK_OBJECT_CLASS objClass = CKO_PRIVATE_KEY;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	239 CK_SLOT_ID slot_id = nss_slot_count++;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	240 int retry_count = 0;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	241
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	242 /* Load the PEM module if it hasn't already been loaded */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	243 if (nss_pem_module == NULL)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	244 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	245 nss_pem_module = SECMOD_LoadUserModule ("library=%s name=PEM parameters=\"\"", NULL, PR_FALSE);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	246 if (nss_pem_module == NULL)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	247 signal_error (Qtls_error, "Cannot find NSS PEM module", NSS_ERRSTR);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	248 if (!nss_pem_module->loaded)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	249 signal_error (Qtls_error, "Cannot load NSS PEM module", NSS_ERRSTR);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	250 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	251
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	252 snprintf (name, 32U, "PEM_Token %ld", slot_id);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	253 slot = PK11_FindSlotByName (name);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	254 if (slot == NULL)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	255 signal_error (Qtls_error, "Error finding NSS slot", NSS_ERRSTR);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	256
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	257 /* Set up the attributes for the keyfile */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	258 attrs[0].type = CKA_CLASS;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	259 attrs[0].pValue = &objClass;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	260 attrs[0].ulValueLen = sizeof (objClass);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	261 attrs[1].type = CKA_TOKEN;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	262 attrs[1].pValue = &cktrue;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	263 attrs[1].ulValueLen = sizeof (CK_BBOOL);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	264 attrs[2].type = CKA_LABEL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	265 attrs[2].pValue = (void *) keyfile;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	266 attrs[2].ulValueLen = strlen (keyfile) + 1U;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	267
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	268 /* When adding an encrypted key, the PKCS#11 will be set as removed. */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	269 obj = PK11_CreateGenericObject (slot, attrs, 3, PR_FALSE);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	270 if (obj == NULL)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	271 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	272 PR_SetError (SEC_ERROR_BAD_KEY, 0);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	273 signal_error (Qtls_error, "Bad key file", NSS_ERRSTR);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	274 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	275
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	276 /* This will force the token to be seen as reinserted */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	277 SECMOD_WaitForAnyTokenEvent (nss_pem_module, 0, 0);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	278 PK11_IsPresent (slot);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	279
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	280 if (PK11_Authenticate (slot, PR_TRUE, &retry_count) != SECSuccess)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	281 signal_error (Qtls_error, "NSS: Unable to authenticate", NSS_ERRSTR);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	282
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	283 /* Set up the attributes for the certfile */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	284 objClass = CKO_CERTIFICATE;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	285 attrs[2].pValue = (void *) certfile;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	286 attrs[2].ulValueLen = strlen (certfile) + 1U;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	287 attrs[3].type = CKA_TRUST;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	288 attrs[3].pValue = &ckfalse;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	289 attrs[3].ulValueLen = sizeof (CK_BBOOL);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	290
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	291 obj = PK11_CreateGenericObject (slot, attrs, 4, PR_FALSE);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	292 PK11_FreeSlot (slot);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	293 if (obj == NULL)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	294 signal_error (Qtls_error, "Bad certificate file", NSS_ERRSTR);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	295 cert = PK11_FindCertFromNickname (name, proto_win);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	296 if (cert == NULL)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	297 signal_error (Qtls_error, "Cannot find certificate nickname", NSS_ERRSTR);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	298 CERT_DestroyCertificate (cert);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	299 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	300
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	301 /* Function that gathers passwords for PKCS #11 tokens. */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	302 static char *
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	303 nss_pk11_password (PK11SlotInfo slot, PRBool retry, void UNUSED (arg))
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	304 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	305 Lisp_Object lsp_password, args[2];
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	306 Extbyte c_password, nss_password;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	307 const Extbyte *token_name;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	308
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	309 if (retry)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	310 return NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	311
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	312 token_name = PK11_GetTokenName (slot);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	313 if (token_name == NULL)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	314 token_name = "security token";
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	315 lsp_password =
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	316 call1 (Qread_password, concat2 (prompt,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	317 build_extstring (token_name, Qnative)));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	318 c_password = LISP_STRING_TO_EXTERNAL (lsp_password, Qnative);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	319 nss_password = PL_strdup (c_password);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	320
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	321 /* Wipe out the password on the stack and in the Lisp string */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	322 args[0] = lsp_password;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	323 args[1] = make_char ('*');
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	324 Ffill (2, args);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	325 memset (c_password, '*', strlen (c_password));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	326 return nss_password;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	327 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	328
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	329 void
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	330 init_tls (void)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	331 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	332 SECMODModule *module;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	333
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	334 /* Check that we are using compatible versions */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	335 if (PR_VersionCheck(PR_VERSION) == PR_FALSE)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	336 signal_error (Qinternal_error,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	337 "NSPR version mismatch: expected " PR_VERSION, Qnil);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	338 if (NSS_VersionCheck(NSS_VERSION) == PR_FALSE)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	339 signal_error (Qinternal_error,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	340 "NSS version mismatch: expected " NSS_VERSION, Qnil);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	341
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	342 /* Basic initialization of both libraries */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	343 PR_Init (PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	344 if (NSS_Init ("sql:/etc/pki/nssdb") != SECSuccess)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	345 signal_error (Qtls_error, "Error initializing NSS", NSS_ERRSTR);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	346
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	347 /* Set the cipher suite policy */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	348 if (NSS_SetDomesticPolicy() != SECSuccess)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	349 signal_error (Qtls_error, "NSS unable to set policy", NSS_ERRSTR);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	350
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	351 /* Load the root certificates */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	352 module = SECMOD_LoadUserModule ("library=libnssckbi.so name=\"Root Certs\"",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	353 NULL, PR_FALSE);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	354 if (module == NULL \|\| !module->loaded)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	355 signal_error (Qtls_error, "NSS unable to load root certificates",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	356 NSS_ERRSTR);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	357
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	358 /* Setup password gathering */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	359 PK11_SetPasswordFunc (nss_pk11_password);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	360
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	361 /* Create the model file descriptors */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	362 nss_model = SSL_ImportFD (NULL, PR_OpenTCPSocket (PR_AF_INET));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	363 if (nss_model == NULL)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	364 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	365 nss_model = SSL_ImportFD (NULL, PR_OpenTCPSocket (PR_AF_INET6));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	366 if (nss_model == NULL)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	367 signal_error (Qtls_error, "NSS cannot create model socket",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	368 NSS_ERRSTR);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	369 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	370
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	371 /* Set options on the model socket */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	372 if (SSL_OptionSet (nss_model, SSL_SECURITY, PR_TRUE) != SECSuccess)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	373 signal_error (Qtls_error, "NSS cannot enable model socket", NSS_ERRSTR);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	374 if (SSL_OptionSet (nss_model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	375 signal_error (Qtls_error, "NSS unable to disable SSLv2", NSS_ERRSTR);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	376 if (SSL_OptionSet (nss_model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	377 != SECSuccess)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	378 signal_error (Qtls_error, "NSS unable to disable SSLv2 handshake",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	379 NSS_ERRSTR);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	380 if (SSL_OptionSet (nss_model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	381 signal_error (Qtls_error, "NSS unable to disable deflate", NSS_ERRSTR);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	382 if (SSL_OptionSet (nss_model, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	383 != SECSuccess)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	384 signal_error (Qtls_error, "NSS unable to ensable handshake as client",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	385 NSS_ERRSTR);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	386
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	387 nss_inited = 1;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	388 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	389 #endif /* HAVE_NSS */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	390
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	391 #ifdef HAVE_GNUTLS
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	392 #include <gnutls/pkcs11.h>
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	393 #include <gnutls/x509.h>
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	394 #include "sysfile.h"
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	395
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	396 #define GNUTLS_ERRSTR(err) build_extstring (gnutls_strerror (err), Qnative)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	397
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	398 /* The global credentials object */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	399 static gnutls_certificate_credentials_t global_cred;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	400
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	401 int
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	402 tls_get_fd (tls_state_t *state)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	403 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	404 return (int)(unsigned long)gnutls_transport_get_ptr (state->tls_session);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	405 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	406
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	407 Bytecount
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	408 tls_read (tls_state_t state, unsigned char data, Bytecount size,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	409 unsigned int allow_quit)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	410 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	411 ssize_t bytes;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	412
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	413 again:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	414 do
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	415 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	416 if (allow_quit)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	417 QUIT;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	418 bytes = gnutls_record_recv (state->tls_session, data, size);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	419 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	420 while (bytes == GNUTLS_E_INTERRUPTED \|\| bytes == GNUTLS_E_AGAIN);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	421 switch (bytes)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	422 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	423 case GNUTLS_E_UNEXPECTED_PACKET_LENGTH:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	424 bytes = 0;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	425 break;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	426 case GNUTLS_E_REHANDSHAKE:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	427 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	428 int err;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	429
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	430 do
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	431 err = gnutls_handshake (state->tls_session);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	432 while (err == GNUTLS_E_AGAIN \|\| err == GNUTLS_E_INTERRUPTED);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	433 if (err == GNUTLS_E_SUCCESS)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	434 goto again;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	435 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	436 errno = EACCES;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	437 bytes = -1;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	438 break;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	439 default:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	440 if (bytes < 0 && errno == 0)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	441 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	442 errno = EPIPE;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	443 bytes = -1;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	444 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	445 break;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	446 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	447 return (Bytecount) bytes;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	448 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	449
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	450 Bytecount
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	451 tls_write (tls_state_t state, const unsigned char data, Bytecount size,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	452 unsigned int allow_quit)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	453 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	454 ssize_t bytes;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	455
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	456 do
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	457 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	458 if (allow_quit)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	459 QUIT;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	460 bytes = gnutls_record_send (state->tls_session, data, size);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	461 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	462 while (bytes == GNUTLS_E_INTERRUPTED \|\| bytes == GNUTLS_E_AGAIN);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	463 if (bytes == GNUTLS_E_LARGE_PACKET)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	464 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	465 errno = EMSGSIZE;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	466 bytes = -1;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	467 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	468 else if (bytes < 0 && errno == 0)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	469 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	470 errno = EPIPE;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	471 bytes = -1;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	472 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	473 return (Bytecount) bytes;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	474 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	475
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	476 int
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	477 tls_close (tls_state_t *state)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	478 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	479 if (--state->tls_refcount == 0)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	480 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	481 int fd, err;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	482
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	483 fd = (int)(unsigned long)gnutls_transport_get_ptr (state->tls_session);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	484 gnutls_bye (state->tls_session, GNUTLS_SHUT_RDWR);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	485 err = retry_close (fd);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	486 gnutls_deinit (state->tls_session);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	487 xfree (state);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	488 return err;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	489 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	490 return 0;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	491 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	492
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	493 tls_state_t *
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	494 tls_open (int s, const Extbyte *hostname)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	495 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	496 #ifndef HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS3
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	497 gnutls_x509_crt_t cert;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	498 #endif
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	499 tls_state_t *gnutls;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	500 const char *errptr = NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	501 const gnutls_datum_t *certs;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	502 unsigned int status, certslen = 0U;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	503 int err;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	504 const int val = 1;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	505
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	506 /* Disable Nagle's algorithm */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	507 setsockopt (s, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	508
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	509 /* Create the state object */
5825 5d5aeb79edb4 Fix build with g++. Jerry James <james@xemacs.org> parents: 5815 diff changeset	510 gnutls = (tls_state_t ) xmalloc (sizeof (gnutls));
5814 a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	511 gnutls->tls_refcount = 2;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	512
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	513 /* Initialize the session object */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	514 err = gnutls_init (&gnutls->tls_session, GNUTLS_CLIENT);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	515 if (err != GNUTLS_E_SUCCESS)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	516 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	517 xfree (gnutls);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	518 warn_when_safe (Qtls_error, Qerror, "GNUTLS error in gnutls_init: %s",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	519 gnutls_strerror (err));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	520 errno = EACCES;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	521 return NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	522 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	523
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	524 /* Configure the cipher preferences */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	525 err = gnutls_priority_set_direct (gnutls->tls_session, "NORMAL", &errptr);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	526 if (err != GNUTLS_E_SUCCESS)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	527 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	528 xfree (gnutls);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	529 warn_when_safe (Qtls_error, Qerror,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	530 "GNUTLS error in gnutls_priority_set_direct: %s at %s",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	531 gnutls_strerror (err), errptr);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	532 errno = EACCES;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	533 return NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	534 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	535
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	536 /* Install the trusted certificates */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	537 err = gnutls_credentials_set (gnutls->tls_session, GNUTLS_CRD_CERTIFICATE,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	538 global_cred);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	539 if (err != GNUTLS_E_SUCCESS)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	540 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	541 xfree (gnutls);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	542 warn_when_safe (Qtls_error, Qerror,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	543 "GNUTLS error in gnutls_credentials_set: %s",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	544 gnutls_strerror (err));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	545 errno = EACCES;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	546 return NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	547 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	548
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	549 /* Associate the socket with the session object */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	550 gnutls_transport_set_ptr (gnutls->tls_session,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	551 (gnutls_transport_ptr_t)(unsigned long)s);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	552
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	553 /* Set the server name */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	554 if (hostname != NULL)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	555 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	556 err = gnutls_server_name_set (gnutls->tls_session, GNUTLS_NAME_DNS,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	557 hostname, strlen (hostname));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	558 if (err != GNUTLS_E_SUCCESS)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	559 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	560 xfree (gnutls);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	561 warn_when_safe (Qtls_error, Qerror,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	562 "GNUTLS error in gnutls_server_name_set: %s",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	563 gnutls_strerror (err));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	564 errno = EACCES;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	565 return NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	566 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	567 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	568
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	569 /* Perform the handshake */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	570 do
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	571 err = gnutls_handshake (gnutls->tls_session);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	572 while (err == GNUTLS_E_AGAIN \|\| err == GNUTLS_E_INTERRUPTED);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	573 if (err != GNUTLS_E_SUCCESS)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	574 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	575 xfree (gnutls);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	576 warn_when_safe (Qtls_error, Qerror,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	577 "GNUTLS error in gnutls_handshake: %s",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	578 gnutls_strerror (err));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	579 errno = EACCES;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	580 return NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	581 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	582
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	583 /* Get the server certificate chain */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	584 certs = gnutls_certificate_get_peers (gnutls->tls_session, &certslen);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	585 if (certs == NULL \|\| certslen == 0U)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	586 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	587 xfree (gnutls);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	588 warn_when_safe (Qtls_error, Qerror,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	589 "GNUTLS could not get peer certificate: %s",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	590 gnutls_strerror (err));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	591 errno = EACCES;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	592 return NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	593 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	594
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	595 /* Validate the server certificate chain */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	596 status = (unsigned int) -1;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	597 #ifdef HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS3
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	598 if (hostname != NULL)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	599 err = gnutls_certificate_verify_peers3 (gnutls->tls_session, hostname,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	600 &status);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	601 else
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	602 #endif /* HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS3 */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	603 err = gnutls_certificate_verify_peers2 (gnutls->tls_session, &status);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	604 if (err != GNUTLS_E_SUCCESS)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	605 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	606 xfree (gnutls);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	607 warn_when_safe (Qtls_error, Qerror,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	608 "GNUTLS could not verify peer certificate: %s",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	609 gnutls_strerror (err));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	610 errno = EACCES;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	611 return NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	612 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	613 if (status != 0U)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	614 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	615 gnutls_datum_t msg;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	616
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	617 #ifdef HAVE_GNUTLS_CERTIFICATE_VERIFICATION_STATUS_PRINT
5825 5d5aeb79edb4 Fix build with g++. Jerry James <james@xemacs.org> parents: 5815 diff changeset	618 gnutls_certificate_type_t type;
5d5aeb79edb4 Fix build with g++. Jerry James <james@xemacs.org> parents: 5815 diff changeset	619
5d5aeb79edb4 Fix build with g++. Jerry James <james@xemacs.org> parents: 5815 diff changeset	620 type = gnutls_certificate_type_get (gnutls->tls_session);
5814 a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	621 err =
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	622 gnutls_certificate_verification_status_print (status, type, &msg, 0);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	623 #else
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	624 err = -1;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	625 #endif /* HAVE_GNUTLS_CERTIFICATE_VERIFICATION_STATUS_PRINT */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	626 xfree (gnutls);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	627 if (err == 0)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	628 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	629 warn_when_safe (Qtls_error, Qerror,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	630 "GNUTLS: certificate validation failed: %s",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	631 msg.data);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	632 gnutls_free(msg.data);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	633 errno = EACCES;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	634 return NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	635 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	636 else
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	637 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	638 warn_when_safe (Qtls_error, Qerror,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	639 "GNUTLS: certificate validation failed with code %u",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	640 status);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	641 errno = EACCES;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	642 return NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	643 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	644 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	645
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	646 #ifndef HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS3
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	647 if (hostname != NULL)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	648 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	649 /* Match the peer certificate against the host name */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	650 err = gnutls_x509_crt_init (&cert);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	651 if (err != GNUTLS_E_SUCCESS)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	652 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	653 xfree (gnutls);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	654 warn_when_safe (Qtls_error, Qerror,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	655 "GNUTLS error in gnutls_x509_crt_init: %s",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	656 gnutls_strerror (err));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	657 errno = EACCES;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	658 return NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	659 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	660
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	661 /* The peer certificate is the first certificate in the list */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	662 err = gnutls_x509_crt_import (cert, certs, GNUTLS_X509_FMT_DER);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	663 if (err != GNUTLS_E_SUCCESS)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	664 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	665 xfree (gnutls);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	666 warn_when_safe (Qtls_error, Qerror,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	667 "GNUTLS error in gnutls_x509_crt_import: %s",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	668 gnutls_strerror (err));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	669 gnutls_x509_crt_deinit (cert);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	670 errno = EACCES;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	671 return NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	672 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	673
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	674 err = gnutls_x509_crt_check_hostname (cert, hostname);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	675 if (err == 0)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	676 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	677 xfree (gnutls);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	678 warn_when_safe (Qtls_error, Qerror,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	679 "GNUTLS: hostname does not match certificate: %s",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	680 gnutls_strerror (err));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	681 gnutls_x509_crt_deinit (cert);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	682 errno = EACCES;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	683 return NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	684 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	685 gnutls_x509_crt_deinit (cert);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	686 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	687 #endif /* HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS3 */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	688
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	689 return gnutls;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	690 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	691
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	692 /* Set the key and certificate files to use */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	693 static void
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	694 tls_set_x509_key_file (const Extbyte certfile, const Extbyte keyfile)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	695 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	696 int err;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	697
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	698 err = gnutls_certificate_set_x509_key_file (global_cred, certfile, keyfile,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	699 GNUTLS_X509_FMT_PEM);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	700 if (err < GNUTLS_E_SUCCESS)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	701 signal_error (Qtls_error, "gnutls_certificate_set_x509_key_file",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	702 GNUTLS_ERRSTR (err));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	703 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	704
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	705 /* Function that gathers PKCS #11 passwords. */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	706 static int
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	707 gnutls_pk11_password (void * UNUSED (userdata), int UNUSED (attempt),
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	708 const char token_url, const char token_label,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	709 unsigned int UNUSED (flags), char *pin, size_t pin_max)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	710 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	711 Lisp_Object lsp_password, args[5];
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	712 Extbyte *c_password;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	713 size_t len;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	714
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	715 /* Get the password from the user */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	716 args[0] = prompt;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	717 args[1] = build_extstring (token_label, Qnative);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	718 args[2] = build_ascstring (" (");
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	719 args[3] = build_extstring (token_url, Qnative);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	720 args[4] = build_ascstring (")");
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	721 lsp_password = call1 (Qread_password, Fconcat (5, args));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	722 c_password = LISP_STRING_TO_EXTERNAL (lsp_password, Qnative);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	723
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	724 /* Insert the password */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	725 len = strlen (c_password);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	726 if (len > pin_max)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	727 len = pin_max;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	728 memcpy (pin, c_password, len);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	729 pin[len] = '\0';
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	730
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	731 /* Wipe out the password on the stack and in the Lisp string */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	732 args[0] = lsp_password;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	733 args[1] = make_char ('*');
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	734 Ffill (2, args);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	735 memset (c_password, '*', strlen (c_password));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	736 return GNUTLS_E_SUCCESS;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	737 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	738
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	739 static void xfree_for_gnutls (void *ptr)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	740 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	741 /* GnuTLS sometimes tries to free NULL */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	742 if (ptr != NULL)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	743 xfree (ptr);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	744 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	745
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	746 void
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	747 init_tls (void)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	748 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	749 int err = GNUTLS_E_SUCCESS;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	750
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	751 /* Tell gnutls to use our memory allocation functions */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	752 gnutls_global_set_mem_functions ((void * (*)(size_t)) xmalloc,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	753 (void * (*)(size_t)) xmalloc,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	754 NULL,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	755 (void * ()(void , size_t)) xrealloc,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	756 xfree_for_gnutls);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	757
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	758 /* Initialize the library */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	759 err = gnutls_global_init ();
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	760 if (err != GNUTLS_E_SUCCESS)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	761 signal_error (Qtls_error, "gnutls_global_init", GNUTLS_ERRSTR (err));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	762
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	763 /* Load the trusted CA certificates */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	764 err = gnutls_certificate_allocate_credentials (&global_cred);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	765 if (err != GNUTLS_E_SUCCESS)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	766 signal_error (Qtls_error, "gnutls_certificate_allocate_credentials",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	767 GNUTLS_ERRSTR (err));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	768 err = gnutls_certificate_set_x509_system_trust (global_cred);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	769 if (err == 0)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	770 signal_error (Qtls_error, "gnutls: no system certificates found", Qnil);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	771 if (err < 0)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	772 signal_error (Qtls_error, "gnutls_certificate_set_x509_system_trust",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	773 GNUTLS_ERRSTR (err));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	774
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	775 /* Setup password gathering */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	776 gnutls_pkcs11_set_pin_function (gnutls_pk11_password, NULL);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	777 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	778 #endif /* HAVE_GNUTLS */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	779
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	780 #ifdef HAVE_OPENSSL
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	781 #include <unistd.h>
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	782 #include <openssl/conf.h>
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	783 #include <openssl/err.h>
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	784
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	785 /* The context used to create connections */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	786 static SSL_CTX *ssl_ctx;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	787
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	788 static Lisp_Object
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	789 openssl_error_string (void)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	790 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	791 Lisp_Object args[5];
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	792 unsigned long err = ERR_get_error ();
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	793
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	794 args[0] = build_ascstring (ERR_lib_error_string (err));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	795 args[1] = build_ascstring (":");
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	796 args[2] = build_ascstring (ERR_func_error_string (err));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	797 args[3] = build_ascstring (":");
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	798 args[4] = build_ascstring (ERR_reason_error_string (err));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	799 return Fconcat (5, args);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	800 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	801
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	802 static unsigned long
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	803 openssl_report_error_stack (const char msg, const SSL ssl)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	804 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	805 unsigned long err = ERR_get_error ();
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	806 if (err > 0UL)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	807 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	808 if (ERR_GET_LIB (err) == ERR_LIB_SSL &&
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	809 ERR_GET_REASON (err) == SSL_R_CERTIFICATE_VERIFY_FAILED)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	810 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	811 long cert_err = SSL_get_verify_result (ssl);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	812 warn_when_safe (Qtls_error, Qerror, "%s:%s", msg,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	813 X509_verify_cert_error_string (cert_err));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	814 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	815 else
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	816 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	817 const char *lib = ERR_lib_error_string (err);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	818 const char *func = ERR_func_error_string (err);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	819 const char *reason = ERR_reason_error_string (err);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	820 warn_when_safe (Qtls_error, Qerror, "%s:%s:%s:%s", msg,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	821 lib == NULL ? "<unknown>" : lib,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	822 func == NULL ? "<unknown>" : func,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	823 reason == NULL ? "<unknown>" : reason);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	824 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	825 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	826 return err;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	827 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	828
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	829 /* Return values:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	830 * -1 = fatal error, caller should exit
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	831 * 0 = no error, caller should continue
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	832 * 1 = nonfatal error, caller should retry
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	833 */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	834 static int
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	835 openssl_report_error_num (const char msg, const SSL ssl, int ret, int retry)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	836 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	837 int errno_copy = errno;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	838 int ssl_error = SSL_get_error (ssl, ret);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	839 int err;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	840
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	841 switch (ssl_error)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	842 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	843 case SSL_ERROR_NONE:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	844 case SSL_ERROR_ZERO_RETURN:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	845 err = 0;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	846 break;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	847 case SSL_ERROR_WANT_READ:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	848 case SSL_ERROR_WANT_WRITE:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	849 err = retry;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	850 break;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	851 case SSL_ERROR_WANT_CONNECT:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	852 case SSL_ERROR_WANT_ACCEPT:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	853 case SSL_ERROR_WANT_X509_LOOKUP:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	854 err = 1;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	855 break;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	856 case SSL_ERROR_SYSCALL:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	857 if (openssl_report_error_stack (msg, ssl) == 0UL && ret < 0)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	858 warn_when_safe (Qtls_error, Qerror, "%s: %s", msg,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	859 strerror (errno_copy));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	860 err = ret;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	861 break;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	862 case SSL_ERROR_SSL:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	863 openssl_report_error_stack (msg, ssl);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	864 err = -1;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	865 break;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	866 default:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	867 warn_when_safe (Qtls_error, Qerror, "%s: error %d", msg, ssl_error);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	868 err = -1;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	869 break;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	870 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	871 errno = errno_copy;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	872 return err;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	873 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	874
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	875 int
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	876 tls_get_fd (tls_state_t *state)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	877 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	878 return SSL_get_fd (state->tls_connection);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	879 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	880
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	881 Bytecount
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	882 tls_read (tls_state_t state, unsigned char data, Bytecount size,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	883 unsigned int allow_quit)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	884 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	885 int action, bytes;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	886
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	887 if (SSL_get_shutdown (state->tls_connection))
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	888 return 0;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	889
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	890 bytes = SSL_read (state->tls_connection, data, size);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	891 action = (bytes > 0) ? 0
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	892 : openssl_report_error_num ("SSL_read", state->tls_connection, bytes, 0);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	893 while (bytes <= 0 && action > 0)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	894 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	895 if (allow_quit)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	896 QUIT;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	897 bytes = SSL_read (state->tls_connection, data, size);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	898 action = (bytes > 0) ? 0
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	899 : openssl_report_error_num ("SSL_read", state->tls_connection,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	900 bytes, 0);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	901 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	902 return (Bytecount) bytes;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	903 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	904
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	905 Bytecount
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	906 tls_write (tls_state_t state, const unsigned char data, Bytecount size,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	907 unsigned int allow_quit)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	908 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	909 int action, bytes;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	910
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	911 if (SSL_get_shutdown (state->tls_connection))
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	912 return 0;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	913
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	914 bytes = SSL_write (state->tls_connection, data, size);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	915 action = (bytes > 0) ? 0
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	916 : openssl_report_error_num ("SSL_write", state->tls_connection, bytes, 0);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	917 while (bytes <= 0 && action > 0)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	918 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	919 if (allow_quit)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	920 QUIT;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	921 bytes = SSL_write (state->tls_connection, data, size);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	922 action = (bytes > 0) ? 0
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	923 : openssl_report_error_num ("SSL_write", state->tls_connection,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	924 bytes, 0);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	925 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	926 return (Bytecount) bytes;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	927 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	928
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	929 int
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	930 tls_close (tls_state_t *state)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	931 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	932 if (--state->tls_refcount == 0)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	933 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	934 int err, fd;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	935
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	936 fd = SSL_get_fd (state->tls_connection);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	937 if (SSL_get_shutdown (state->tls_connection) == 0)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	938 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	939 err = SSL_shutdown (state->tls_connection);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	940 if (err < 0 && errno == EBADF)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	941 err = 0;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	942 if (err < 0)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	943 openssl_report_error_num ("SSL_shutdown failed",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	944 state->tls_connection, err, 0);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	945 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	946 else
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	947 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	948 err = 0;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	949 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	950 close (fd);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	951 SSL_free (state->tls_connection);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	952 xfree (state);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	953 return err > 0 ? 0 : err;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	954 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	955 return 0;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	956 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	957
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	958 tls_state_t *
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	959 tls_open (int s, const Extbyte *hostname)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	960 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	961 tls_state_t *openssl;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	962 X509 *peer_cert = NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	963 const int val = 1;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	964 int err;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	965 long cert_err;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	966
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	967 /* Disable Nagle's algorithm */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	968 setsockopt (s, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	969
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	970 /* Create the state object */
5825 5d5aeb79edb4 Fix build with g++. Jerry James <james@xemacs.org> parents: 5815 diff changeset	971 openssl = (tls_state_t ) xmalloc (sizeof (openssl));
5814 a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	972 openssl->tls_refcount = 2;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	973
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	974 /* Create the connection object */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	975 openssl->tls_connection = SSL_new (ssl_ctx);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	976 if (openssl->tls_connection == NULL)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	977 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	978 openssl_report_error_stack ("SSL_new failed", NULL);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	979 goto error;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	980 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	981 if (SSL_set_fd (openssl->tls_connection, s) == 0)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	982 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	983 openssl_report_error_stack ("SSL_set_fd", openssl->tls_connection);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	984 goto error;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	985 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	986
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	987 /* Enable the ServerNameIndication extension */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	988 if (hostname != NULL &&
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	989 !SSL_set_tlsext_host_name (openssl->tls_connection, hostname))
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	990 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	991 openssl_report_error_stack ("SSL_set_tlsext_host_name failed",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	992 openssl->tls_connection);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	993 goto error;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	994 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	995
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	996 /* Perform the handshake */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	997 err = SSL_connect (openssl->tls_connection);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	998 while (err != 1)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	999 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1000 int action = openssl_report_error_num ("SSL_connect failed",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1001 openssl->tls_connection, err, 1);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1002 if (action < 0)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1003 goto error;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1004 err = SSL_connect (openssl->tls_connection);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1005 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1006
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1007 /* Get the server certificate */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1008 peer_cert = SSL_get_peer_certificate (openssl->tls_connection);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1009 if (peer_cert == NULL)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1010 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1011 warn_when_safe (Qtls_error, Qerror,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1012 "Peer did not present a certificate");
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1013 goto error;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1014 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1015
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1016 cert_err = SSL_get_verify_result (openssl->tls_connection);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1017 if (cert_err != X509_V_OK)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1018 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1019 warn_when_safe (Qtls_error, Qerror,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1020 "Peer certificate verification failure:%s",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1021 X509_verify_cert_error_string (cert_err));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1022 goto error;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1023 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1024
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1025 #ifdef HAVE_X509_CHECK_HOST
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1026 err = X509_check_host (peer_cert, (const unsigned char *) hostname,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1027 strlen (hostname), 0);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1028 if (err < 0)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1029 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1030 warn_when_safe (Qtls_error, Qerror,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1031 "Out of memory while checking certificate");
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1032 goto error;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1033 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1034 if (err == 0)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1035 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1036 warn_when_safe (Qtls_error, Qerror,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1037 "Peer certificate verification failure");
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1038 goto error;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1039 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1040 #endif
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1041 X509_free (peer_cert);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1042
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1043 return openssl;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1044
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1045 error:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1046 if (openssl->tls_connection != NULL)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1047 SSL_free (openssl->tls_connection);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1048 xfree (openssl);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1049 errno = EACCES;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1050 return NULL;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1051 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1052
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1053 /* Set the key and certificate files to use */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1054 static void
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1055 tls_set_x509_key_file (const Extbyte certfile, const Extbyte keyfile)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1056 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1057 int err;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1058
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1059 err = SSL_CTX_use_PrivateKey_file (ssl_ctx, keyfile, SSL_FILETYPE_PEM);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1060 if (err <= 0)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1061 signal_error (Qtls_error, "SSL_CTX_use_PrivateKey_file",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1062 openssl_error_string ());
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1063 err = SSL_CTX_use_certificate_file (ssl_ctx, certfile, SSL_FILETYPE_PEM);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1064 if (err <= 0)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1065 signal_error (Qtls_error, "SSL_CTX_use_certificate_file",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1066 openssl_error_string ());
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1067 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1068
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1069 /* Function that gathers passwords for PKCS #11 tokens. */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1070 static int
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1071 openssl_password (char *buf, int size, int UNUSED (rwflag),
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1072 void *UNUSED (userdata))
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1073 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1074 Lisp_Object lsp_password, args[2];
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1075 Extbyte *c_password;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1076
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1077 lsp_password =
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1078 call1 (Qread_password, concat2 (prompt, build_ascstring ("PEM")));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1079 c_password = LISP_STRING_TO_EXTERNAL (lsp_password, Qnative);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1080 strncpy (buf, c_password, size);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1081
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1082 /* Wipe out the password on the stack and in the Lisp string */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1083 args[0] = lsp_password;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1084 args[1] = make_char ('*');
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1085 Ffill (2, args);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1086 memset (c_password, '*', strlen (c_password));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1087 return (int) strlen (buf);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1088 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1089
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1090 void
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1091 init_tls (void)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1092 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1093 /* Load the default configuration */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1094 OPENSSL_config (NULL);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1095
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1096 /* Tell openssl to use our memory allocation functions */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1097 CRYPTO_set_mem_functions ((void * (*)(size_t)) xmalloc,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1098 (void * ()(void , size_t)) xrealloc,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1099 xfree_1);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1100
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1101 /* Load human-readable error messages */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1102 SSL_load_error_strings ();
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1103
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1104 /* Initialize the library */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1105 SSL_library_init ();
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1106
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1107 /* Configure a client connection context, and send a handshake for the
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1108 * highest supported TLS version. */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1109 ssl_ctx = SSL_CTX_new (SSLv23_client_method ());
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1110 if (ssl_ctx == NULL)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1111 signal_error (Qtls_error, "SSL_CTX_new failed", openssl_error_string ());
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1112
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1113 /* Disallow SSLv2 and disable compression. */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1114 SSL_CTX_set_options (ssl_ctx, SSL_OP_NO_SSLv2 \| SSL_OP_NO_COMPRESSION);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1115
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1116 /* Set various useful mode bits */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1117 SSL_CTX_set_mode (ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE \|
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1118 SSL_MODE_AUTO_RETRY \| SSL_MODE_RELEASE_BUFFERS);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1119
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1120 /* Let the system select the ciphers */
5815 d59bfb050ca8 Fix TLS-related build failures. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: 5814 diff changeset	1121 if (SSL_CTX_set_cipher_list (ssl_ctx, "DEFAULT") != 1)
5814 a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1122 signal_error (Qtls_error, "SSL_CTX_set_cipher_list failed",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1123 openssl_error_string ());
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1124
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1125 /* Load the set of trusted root certificates. */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1126 if (!SSL_CTX_set_default_verify_paths (ssl_ctx))
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1127 signal_error (Qtls_error, "SSL_CTX_set_default_verify_paths failed",
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1128 openssl_error_string ());
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1129
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1130 /* Setup password gathering */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1131 SSL_CTX_set_default_passwd_cb (ssl_ctx, openssl_password);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1132 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1133 #endif /* HAVE_OPENSSL */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1134
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1135 #ifdef WITH_TLS
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1136 tls_state_t *
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1137 tls_negotiate (int fd, const Extbyte *host, Lisp_Object keylist)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1138 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1139 Lisp_Object tail;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1140
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1141 for (tail = keylist; CONSP (tail); tail = XCDR (tail))
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1142 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1143 Lisp_Object keyfile = Fcar (XCAR (tail));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1144 Lisp_Object certfile = Fcar (Fcdr (XCAR (tail)));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1145 Extbyte c_keyfile, c_certfile;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1146
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1147 if (!STRINGP (keyfile))
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1148 invalid_argument ("Keyfile must be a filename", keyfile);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1149 if (!STRINGP (certfile))
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1150 invalid_argument ("Certfile must be a filename", certfile);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1151
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1152 c_keyfile = LISP_STRING_TO_EXTERNAL (keyfile, Qfile_name);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1153 c_certfile = LISP_STRING_TO_EXTERNAL (certfile, Qfile_name);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1154 tls_set_x509_key_file (c_certfile, c_keyfile);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1155 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1156 return tls_open (fd, host);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1157 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1158 #endif /* WITH_TLS */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1159
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1160 #ifndef WITH_TLS
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1161 void
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1162 init_tls (void)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1163 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1164 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1165 #endif /* !WITH_TLS */
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1166
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1167 void
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1168 syms_of_tls (void)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1169 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1170 #ifdef WITH_TLS
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1171 DEFSYMBOL (Qread_password);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1172 #endif
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1173 DEFERROR (Qtls_error, "TLS error", Qerror);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1174 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1175
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1176 void
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1177 vars_of_tls (void)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1178 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1179 #ifdef WITH_TLS
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1180 staticpro (&prompt);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1181 prompt = build_ascstring ("Password for ");
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1182 Fprovide (intern ("tls"));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1183 #ifdef HAVE_NSS
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1184 Fprovide (intern ("tls-nss"));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1185 #endif
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1186 #ifdef HAVE_GNUTLS
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1187 Fprovide (intern ("tls-gnutls"));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1188 #endif
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1189 #ifdef HAVE_OPENSSL
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1190 Fprovide (intern ("tls-openssl"));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1191 #endif
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1192 #endif
a216b3c2b09e Add TLS support. See xemacs-patches message with ID Jerry James <james@xemacs.org> parents: diff changeset	1193 }

Mercurial > hg > xemacs-beta

annotate src/tls.c @ 5825:5d5aeb79edb4