annotate src/tls.c @ 5887:6eca500211f4

Prototype for X509_check_host() has changed, detect this in configure.ac ChangeLog addition: 2015-04-09 Aidan Kehoe <kehoea@parhasard.net> * configure.ac: If X509_check_host() is available, check the number of arguments it takes. Don't use it if it takes any number of arguments other than five. Also don't use it if <openssl/x509v3.h> does not declare it, since if that is so there is no portable way to tell how many arguments it should take, and so we would end up smashing the stack. * configure: Regenerate. src/ChangeLog addition: 2015-04-09 Aidan Kehoe <kehoea@parhasard.net> * tls.c: #include <openssl/x509v3.h> for its prototype for X509_check_host(). * tls.c (tls_open): Pass the new fifth argument to X509_check_host().
author Aidan Kehoe <kehoea@parhasard.net>
date Thu, 09 Apr 2015 14:27:02 +0100
parents 5d5aeb79edb4
children a85efdabe237
1 /* Transport Layer Security implementation.
2 Copyright (C) 2014 Jerry James
4 This file is part of XEmacs.
6 XEmacs is free software: you can redistribute it and/or modify it
7 under the terms of the GNU General Public License as published by the
8 Free Software Foundation, either version 3 of the License, or (at your
9 option) any later version.
11 XEmacs is distributed in the hope that it will be useful, but WITHOUT
12 ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 for more details.
16 You should have received a copy of the GNU General Public License
17 along with XEmacs. If not, see <http://www.gnu.org/licenses/>. */
19 /* Synched up with: Not in FSF. */
21 /* Written by Jerry James. */
23 #include <config.h>
24 #include "lisp.h"
25 #include "lstream.h"
26 #include "tls.h"
27 #include <errno.h>
28 #include <netinet/in.h>
29 #include <netinet/tcp.h>
/* Prompt handed to the password reader.  Neither it nor Qread_password is
   referenced in the part of the file shown here; presumably both are used
   by certificate/key loading code elsewhere in tls.c -- confirm.  */
static Lisp_Object prompt;
/* Lisp symbol, presumably `read-password'; where it is interned is not
   visible here.  */
static Lisp_Object Qread_password;
/* Error symbol passed as the class to every warn_when_safe () call in this
   file (see tls_open).  Non-static, so it is visible to other files.  */
Lisp_Object Qtls_error;
35 #ifdef HAVE_NSS
36 #include <prinit.h>
37 #include <private/pprio.h>
38 #include <nss.h>
39 #include <pk11pub.h>
40 #include <secerr.h>
41 #include <secmod.h>
42 #include <ssl.h>
/* Name of the current NSPR error (PR_ErrorToName of PR_GetError) wrapped
   into a Lisp string in the native coding system.  Each expansion re-reads
   the error state, so expand it before any further NSPR/NSS call that might
   clobber the error.  */
#define NSS_ERRSTR build_extstring (PR_ErrorToName (PR_GetError ()), Qnative)
/* 0 == initialization of NSPR or NSS failed
 * 1 == the NSPR and NSS libraries have been initialized successfully
 *
 * tls_open () refuses to create a connection while this is 0.  The code
 * that sets it is not in the part of the file shown here.
 */
static int nss_inited;

/* The model file descriptor.  tls_open () passes it to SSL_ImportFD () when
   wrapping a freshly opened TCP socket, so NSS copies the model's SSL
   settings onto every new connection.  */
static PRFileDesc *nss_model;

/* The PEM module.  Not referenced by the code visible here; presumably
   loaded during initialization so certificates can be read from PEM
   files -- confirm against the rest of the file.  */
static SECMODModule *nss_pem_module;

/* CA and trust objects go into slot 0. User certificates start in slot 1.
   NOTE(review): looks like the next slot id to hand out; the code that
   advances it is not in this part of the file.  */
static CK_SLOT_ID nss_slot_count = 1;
/* Return the native (OS-level) descriptor that underlies the NSPR file
   descriptor stored in STATE.  */
int
tls_get_fd (tls_state_t *state)
{
  PRFileDesc *pr_fd = state->tls_file_desc;

  return PR_FileDesc2NativeHandle (pr_fd);
}
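/* Read up to SIZE bytes from the TLS connection STATE into DATA.
   When ALLOW_QUIT is non-zero the user may interrupt (QUIT) before the
   read is attempted.  Returns the number of bytes received, 0 when the
   peer has closed the connection, or -1 on error (PR_Recv's convention;
   PR_GetError () gives the cause).  A short read is always possible.  */
Bytecount
tls_read (tls_state_t *state, unsigned char *data, Bytecount size,
          unsigned int allow_quit)
{
  if (allow_quit)
    QUIT;

  /* PR_Recv takes its length as a PRInt32.  Clamp a larger Bytecount so
     the conversion can never yield a negative or wrapped length; the
     caller simply gets a short read and asks again.  */
  if (size > (Bytecount) 0x7fffffff)
    size = (Bytecount) 0x7fffffff;

  return (Bytecount) PR_Recv (state->tls_file_desc, data, size, 0, 0);
}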
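/* Send up to SIZE bytes of DATA over the TLS connection STATE.
   When ALLOW_QUIT is non-zero the user may interrupt (QUIT) before the
   send is attempted.  Returns the number of bytes handed to NSS, or -1 on
   error (PR_Send's convention; PR_GetError () gives the cause).  The
   return value may be smaller than SIZE; the caller must resend the rest.  */
Bytecount
tls_write (tls_state_t *state, const unsigned char *data, Bytecount size,
           unsigned int allow_quit)
{
  if (allow_quit)
    QUIT;

  /* PR_Send takes its length as a PRInt32.  Clamp a larger Bytecount so
     the conversion can never yield a negative or wrapped length; the
     caller sees an ordinary short write instead.  */
  if (size > (Bytecount) 0x7fffffff)
    size = (Bytecount) 0x7fffffff;

  return (Bytecount) PR_Send (state->tls_file_desc, data, size, 0, 0);
}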
/* Drop one reference to STATE.  When the last reference goes, shut the TLS
   connection down in both directions, close its NSPR descriptor and free
   STATE itself, after which the caller must not touch STATE.  Returns the
   PR_Shutdown status cast to int (PR_SUCCESS is 0) on that final close, and
   0 whenever other references remain.  The PR_Close result is not checked.  */
int
tls_close (tls_state_t *state)
{
  PRFileDesc *fd;
  PRStatus shutdown_status;

  state->tls_refcount--;
  if (state->tls_refcount != 0)
    return 0;

  fd = state->tls_file_desc;
  shutdown_status = PR_Shutdown (fd, PR_SHUTDOWN_BOTH);
  PR_Close (fd);
  xfree (state);
  return (int) shutdown_status;
}
97 tls_state_t *
98 tls_open (int s, const Extbyte *hostname)
99 {
100 struct sockaddr *addr;
101 socklen_t addrlen;
102 PRNetAddr pr_addr;
103 tls_state_t *nspr;
104 const int val = 1;
106 /* Disable Nagle's algorithm */
107 setsockopt (s, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));
109 if (!nss_inited)
110 {
111 warn_when_safe (Qtls_error, Qerror, "Cannot use NSS functions");
112 return NULL;
113 }
115 /* Get the socket address */
116 addrlen = 256;
117 addr = (struct sockaddr *) xmalloc (addrlen);
118 if (getsockname (s, addr, &addrlen) == 0 && addrlen > 256)
119 {
120 addr = (struct sockaddr *) xrealloc (addr, addrlen);
121 getsockname (s, addr, &addrlen);
122 }
124 /* Create the socket */
125 nspr = (tls_state_t *) xmalloc (sizeof (*nspr));
126 nspr->tls_refcount = 2;
127 nspr->tls_file_desc =
128 SSL_ImportFD (nss_model, PR_OpenTCPSocket (addr->sa_family));
129 if (nspr->tls_file_desc == NULL)
130 {
131 xfree (addr);
132 xfree (nspr);
133 warn_when_safe (Qtls_error, Qerror, "NSS unable to open socket: %s",
134 PR_ErrorToName (PR_GetError ()));
135 return NULL;
136 }
138 /* Connect to the server */
139 memset (&pr_addr, 0, sizeof (pr_addr));
140 if (addr->sa_family == AF_INET)
141 {
142 struct sockaddr_in *in_addr = (struct sockaddr_in *) addr;
143 pr_addr.inet.family = in_addr->sin_family;
144 pr_addr.inet.port = in_addr->sin_port;
145 pr_addr.inet.ip = in_addr->sin_addr.s_addr;
146 }
147 else
148 {
149 struct sockaddr_in6 *in_addr = (struct sockaddr_in6 *) addr;
150 pr_addr.ipv6.family = in_addr->sin6_family;
151 pr_addr.ipv6.port = in_addr->sin6_port;
152 pr_addr.ipv6.flowinfo = in_addr->sin6_flowinfo;
153 memcpy (pr_addr.ipv6.ip.pr_s6_addr, in_addr->sin6_addr.s6_addr,
154 sizeof (pr_addr.ipv6.ip.pr_s6_addr));
155 pr_addr.ipv6.scope_id = in_addr->sin6_scope_id;
156 }
157 xfree (addr);
158 if (PR_Connect (nspr->tls_file_desc, &pr_addr, PR_INTERVAL_NO_TIMEOUT)
159 != PR_SUCCESS)
160 {
161 if (PR_GetError () == PR_IN_PROGRESS_ERROR)
162 {
163 PRPollDesc pollset[2];
165 pollset[0].in_flags = PR_POLL_WRITE | PR_POLL_EXCEPT;
166 pollset[0].out_flags = 0;
167 pollset[0].fd = nspr->tls_file_desc;
168 for (;;)
169 {
170 PRInt32 num_fds = PR_Poll (pollset, 1, PR_INTERVAL_NO_TIMEOUT);
171 if (num_fds < 0)
172 {
173 PR_Close (nspr->tls_file_desc);
174 xfree (nspr);
175 warn_when_safe (Qtls_error, Qerror,
176 "NSS unable to connect: %s",
177 PR_ErrorToName (PR_GetError ()));
178 return NULL;
179 }
180 if (PR_GetConnectStatus (pollset) == PR_SUCCESS)
181 break;
182 }
183 }
184 else
185 {
186 PR_Close (nspr->tls_file_desc);
187 xfree (nspr);
188 warn_when_safe (Qtls_error, Qerror, "NSS unable to connect: %s",
189 PR_ErrorToName (PR_GetError ()));
190 return NULL;
191 }
192 }
194 /* Perform the handshake */
195 if (SSL_ResetHandshake (nspr->tls_file_desc, PR_FALSE) != SECSuccess)
196 {
197 PR_Close (nspr->tls_file_desc);
198 xfree (nspr);
199 warn_when_safe (Qtls_error, Qerror, "NSS unable to reset handshake: %s",
200 PR_ErrorToName (PR_GetError ()));
201 errno = EACCES;
202 return NULL;
203 }
204 if (hostname != NULL &&
205 SSL_SetURL (nspr->tls_file_desc, hostname) != SECSuccess)
206 {
207 PR_Close (nspr->tls_file_desc);
208 xfree (nspr);
209 warn_when_safe (Qtls_error, Qerror, "NSS unable to set URL (%s): %s",
210 hostname, PR_ErrorToName (PR_GetError ()));
211 errno = EACCES;
212 return NULL;
213 }
214 if (SSL_ForceHandshake (nspr->tls_file_desc) != SECSuccess)
215 {
216 PR_Close (nspr->tls_file_desc);
217 xfree (nspr);
218 warn_when_safe (Qtls_error, Qerror,
219 "NSS unable to complete handshake: %s",
220 PR_ErrorToName (PR_GetError ()));
221 errno = EACCES;
222 return NULL;
223 }
224 return nspr;
225 }
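/* Set the key and certificate files to use.

   Imports KEYFILE as a private-key object and CERTFILE as a certificate
   object into a fresh "PEM_Token" slot of the NSS PEM module, loading that
   module on first use.  The slot is authenticated with PK11_Authenticate,
   which may prompt through the password callback installed by init_tls,
   and the certificate is then looked up under the token's name to confirm
   it can be found.

   Every failure is reported through signal_error, which does not return
   (the code after each call relies on this); the slot reference taken by
   PK11_FindSlotByName is released before each such exit so an error does
   not leak it.  The generic object handles returned by
   PK11_CreateGenericObject are not released here.  NOTE(review):
   presumably the PEM module keeps the key and certificate reachable only
   while those objects exist -- confirm before adding
   PK11_DestroyGenericObject calls.

   CERTFILE and KEYFILE must be non-NULL: they are used as PKCS#11 labels,
   so the PEM module reads the files they name. */
static void
tls_set_x509_key_file (const Extbyte *certfile, const Extbyte *keyfile)
{
  char name[32];
  /* Window context handed to PK11_FindCertFromNickname; it reaches the
     password callback, which ignores it, so NULL is fine. */
  void *proto_win = NULL;
  PK11SlotInfo *slot = NULL;
  PK11GenericObject *obj;
  CERTCertificate *cert;
  CK_ATTRIBUTE attrs[4];
  CK_BBOOL cktrue = CK_TRUE, ckfalse = CK_FALSE;
  CK_OBJECT_CLASS objClass = CKO_PRIVATE_KEY;
  CK_SLOT_ID slot_id;
  int retry_count = 0;

  /* Both names are passed to strlen () and to the PEM module below, so
     reject NULL up front instead of crashing inside NSS. */
  if (certfile == NULL || keyfile == NULL)
    signal_error (Qtls_error, "Certificate and key file names must be given",
                  Qnil);

  /* Each call gets its own token; the counter is file-global state, so
     only consume an id once the arguments have been validated. */
  slot_id = nss_slot_count++;

  /* Load the PEM module if it hasn't already been loaded.
     NOTE(review): the module spec below contains a literal "%s" as the
     library name and is not passed through a printf-style formatter, so
     it looks as if the library path was never substituted -- confirm
     whether the PEM module actually loads through this path or is
     already present in the NSS database. */
  if (nss_pem_module == NULL)
    {
      nss_pem_module = SECMOD_LoadUserModule ("library=%s name=PEM parameters=\"\"", NULL, PR_FALSE);
      if (nss_pem_module == NULL)
        signal_error (Qtls_error, "Cannot find NSS PEM module", NSS_ERRSTR);
      if (!nss_pem_module->loaded)
        signal_error (Qtls_error, "Cannot load NSS PEM module", NSS_ERRSTR);
    }

  /* The token is named after its slot id.  CK_SLOT_ID is an unsigned long,
     so the conversion has to be %lu; the bound is the array's own size. */
  snprintf (name, sizeof name, "PEM_Token %lu", slot_id);
  slot = PK11_FindSlotByName (name);
  if (slot == NULL)
    signal_error (Qtls_error, "Error finding NSS slot", NSS_ERRSTR);

  /* Set up the attributes for the keyfile: a token-resident private key
     whose label is the path of the key file (NUL included in the length). */
  attrs[0].type = CKA_CLASS;
  attrs[0].pValue = &objClass;
  attrs[0].ulValueLen = sizeof (objClass);
  attrs[1].type = CKA_TOKEN;
  attrs[1].pValue = &cktrue;
  attrs[1].ulValueLen = sizeof (CK_BBOOL);
  attrs[2].type = CKA_LABEL;
  attrs[2].pValue = (void *) keyfile;
  attrs[2].ulValueLen = strlen (keyfile) + 1U;

  /* When adding an encrypted key, the PKCS#11 will be set as removed. */
  obj = PK11_CreateGenericObject (slot, attrs, 3, PR_FALSE);
  if (obj == NULL)
    {
      /* signal_error does not return, so drop the slot reference first. */
      PK11_FreeSlot (slot);
      PR_SetError (SEC_ERROR_BAD_KEY, 0);
      signal_error (Qtls_error, "Bad key file", NSS_ERRSTR);
    }

  /* This will force the token to be seen as reinserted */
  SECMOD_WaitForAnyTokenEvent (nss_pem_module, 0, 0);
  PK11_IsPresent (slot);

  /* Log in to the token; an encrypted key may make NSS call the password
     callback installed by init_tls here. */
  if (PK11_Authenticate (slot, PR_TRUE, &retry_count) != SECSuccess)
    {
      PK11_FreeSlot (slot);
      signal_error (Qtls_error, "NSS: Unable to authenticate", NSS_ERRSTR);
    }

  /* Set up the attributes for the certfile: same class/token/label layout,
     now for a certificate, plus CKA_TRUST = false.  NOTE(review):
     presumably so the file is loaded as a plain certificate rather than a
     trust anchor -- confirm against the PEM module. */
  objClass = CKO_CERTIFICATE;
  attrs[2].pValue = (void *) certfile;
  attrs[2].ulValueLen = strlen (certfile) + 1U;
  attrs[3].type = CKA_TRUST;
  attrs[3].pValue = &ckfalse;
  attrs[3].ulValueLen = sizeof (CK_BBOOL);

  obj = PK11_CreateGenericObject (slot, attrs, 4, PR_FALSE);
  PK11_FreeSlot (slot);
  if (obj == NULL)
    signal_error (Qtls_error, "Bad certificate file", NSS_ERRSTR);

  /* Confirm the certificate is visible under the token's name; the
     reference is released again straight away. */
  cert = PK11_FindCertFromNickname (name, proto_win);
  if (cert == NULL)
    signal_error (Qtls_error, "Cannot find certificate nickname", NSS_ERRSTR);
  CERT_DestroyCertificate (cert);
}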
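/* Function that gathers passwords for PKCS #11 tokens.

   Installed through PK11_SetPasswordFunc in init_tls.  NSS calls it with
   the SLOT that needs a login; RETRY is true when a previous answer was
   rejected, in which case we give up rather than prompt again.  The
   password is read through the Lisp function bound to Qread_password,
   prompting with PROMPT followed by the token's name (or a generic name
   when the token has none).  ARG is unused.

   Returns a PL_strdup'd copy, which NSS owns and frees, or NULL when no
   password is supplied.  A NULL from PL_strdup is returned as-is.
   NOTE(review): presumably NSS treats that as "no password" and fails the
   login -- confirm.

   Before returning, the Lisp string and the external copy are overwritten
   with '*' so the cleartext is left only in the buffer handed to NSS. */
static char *
nss_pk11_password (PK11SlotInfo *slot, PRBool retry, void * UNUSED (arg))
{
  Lisp_Object lsp_password, args[2];
  Extbyte *c_password, *nss_password;
  const Extbyte *token_name;
  volatile Extbyte *wipe;

  if (retry)
    return NULL;

  token_name = PK11_GetTokenName (slot);
  if (token_name == NULL)
    token_name = "security token";
  lsp_password =
    call1 (Qread_password, concat2 (prompt,
                                    build_extstring (token_name, Qnative)));
  c_password = LISP_STRING_TO_EXTERNAL (lsp_password, Qnative);
  nss_password = PL_strdup (c_password);

  /* Wipe out the password in the Lisp string and in the external copy.
     The copy is never read again after this point, so a plain memset ()
     may be treated as a dead store and dropped by the optimizer; writing
     through a volatile pointer keeps the wipe in the generated code. */
  args[0] = lsp_password;
  args[1] = make_char ('*');
  Ffill (2, args);
  for (wipe = c_password; *wipe != '\0'; wipe++)
    *wipe = '*';
  return nss_password;
}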
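/* Initialize NSPR and NSS and build the model socket whose options new
   TLS sockets inherit.

   Checks that the run-time NSPR/NSS libraries match the headers we were
   built against, opens the system certificate database, applies the
   "domestic" cipher-suite policy, loads the root-certificate module,
   installs nss_pk11_password as the PKCS #11 password callback, and
   configures the model socket: security on, SSLv2 and the SSLv2-compatible
   hello off, TLS compression (deflate) off, handshake as a client.  Every
   failure is reported through signal_error, which does not return.  On
   success nss_inited is set.

   NOTE(review): NSS_SetDomesticPolicy enables the library's full suite
   set, and no protocol version range is configured here, so the weakest
   negotiable suite and the minimum protocol version are whatever this NSS
   release defaults to; SSL_VersionRangeSet / SSL_CipherPrefSetDefault are
   the knobs to tighten that -- confirm the library version before relying
   on its defaults.  The database path is hard-coded to
   "sql:/etc/pki/nssdb". */
void
init_tls (void)
{
  SECMODModule *module;

  /* Check that we are using compatible versions */
  if (PR_VersionCheck(PR_VERSION) == PR_FALSE)
    signal_error (Qinternal_error,
                  "NSPR version mismatch: expected " PR_VERSION, Qnil);
  if (NSS_VersionCheck(NSS_VERSION) == PR_FALSE)
    signal_error (Qinternal_error,
                  "NSS version mismatch: expected " NSS_VERSION, Qnil);

  /* Basic initialization of both libraries */
  PR_Init (PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
  if (NSS_Init ("sql:/etc/pki/nssdb") != SECSuccess)
    signal_error (Qtls_error, "Error initializing NSS", NSS_ERRSTR);

  /* Set the cipher suite policy */
  if (NSS_SetDomesticPolicy() != SECSuccess)
    signal_error (Qtls_error, "NSS unable to set policy", NSS_ERRSTR);

  /* Load the root certificates.  The module handle is not released; it
     stays loaded for the life of the process. */
  module = SECMOD_LoadUserModule ("library=libnssckbi.so name=\"Root Certs\"",
                                  NULL, PR_FALSE);
  if (module == NULL || !module->loaded)
    signal_error (Qtls_error, "NSS unable to load root certificates",
                  NSS_ERRSTR);

  /* Setup password gathering */
  PK11_SetPasswordFunc (nss_pk11_password);

  /* Create the model file descriptor, falling back to an IPv6 socket when
     an IPv4 one cannot be opened. */
  nss_model = SSL_ImportFD (NULL, PR_OpenTCPSocket (PR_AF_INET));
  if (nss_model == NULL)
    {
      nss_model = SSL_ImportFD (NULL, PR_OpenTCPSocket (PR_AF_INET6));
      if (nss_model == NULL)
        signal_error (Qtls_error, "NSS cannot create model socket",
                      NSS_ERRSTR);
    }

  /* Set options on the model socket */
  if (SSL_OptionSet (nss_model, SSL_SECURITY, PR_TRUE) != SECSuccess)
    signal_error (Qtls_error, "NSS cannot enable model socket", NSS_ERRSTR);
  /* SSLv2 and the SSLv2-style hello are obsolete and insecure. */
  if (SSL_OptionSet (nss_model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess)
    signal_error (Qtls_error, "NSS unable to disable SSLv2", NSS_ERRSTR);
  if (SSL_OptionSet (nss_model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE)
      != SECSuccess)
    signal_error (Qtls_error, "NSS unable to disable SSLv2 handshake",
                  NSS_ERRSTR);
  /* TLS-level compression leaks plaintext through record sizes. */
  if (SSL_OptionSet (nss_model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess)
    signal_error (Qtls_error, "NSS unable to disable deflate", NSS_ERRSTR);
  if (SSL_OptionSet (nss_model, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE)
      != SECSuccess)
    /* Message previously read "ensable"; fixed. */
    signal_error (Qtls_error, "NSS unable to enable handshake as client",
                  NSS_ERRSTR);

  nss_inited = 1;
}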
389 #endif /* HAVE_NSS */
391 #ifdef HAVE_GNUTLS
392 #include <gnutls/pkcs11.h>
393 #include <gnutls/x509.h>
394 #include "sysfile.h"
396 #define GNUTLS_ERRSTR(err) build_extstring (gnutls_strerror (err), Qnative)
/* The global certificate credentials object.  NOTE(review): presumably the
   credentials every GnuTLS session opened from this file is created with
   -- confirm against the session setup code. */
static gnutls_certificate_credentials_t global_cred;
/* Return the OS file descriptor behind STATE's GnuTLS session.  The
   descriptor is recovered from the session's transport pointer by casting
   it back to an integer; NOTE(review): presumably the open path stored the
   descriptor there as a pointer-sized integer -- confirm. */
int
tls_get_fd (tls_state_t *state)
{
  void *transport = gnutls_transport_get_ptr (state->tls_session);
  return (int) (unsigned long) transport;
}
407 Bytecount
408 tls_read (tls_state_t *state, unsigned char *data, Bytecount size,
409 unsigned int allow_quit)
410 {
411 ssize_t bytes;
413 again:
414 do
415 {
416 if (allow_quit)
417 QUIT;
418 bytes = gnutls_record_recv (state->tls_session, data, size);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
419 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
420 while (bytes == GNUTLS_E_INTERRUPTED || bytes == GNUTLS_E_AGAIN);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
421 switch (bytes)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
422 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
423 case GNUTLS_E_UNEXPECTED_PACKET_LENGTH:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
424 bytes = 0;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
425 break;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
426 case GNUTLS_E_REHANDSHAKE:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
427 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
428 int err;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
429
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
430 do
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
431 err = gnutls_handshake (state->tls_session);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
432 while (err == GNUTLS_E_AGAIN || err == GNUTLS_E_INTERRUPTED);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
433 if (err == GNUTLS_E_SUCCESS)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
434 goto again;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
435 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
436 errno = EACCES;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
437 bytes = -1;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
438 break;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
439 default:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
440 if (bytes < 0 && errno == 0)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
441 {
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
442 errno = EPIPE;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
443 bytes = -1;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
444 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
445 break;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
446 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
447 return (Bytecount) bytes;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
448 }
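/* Write SIZE bytes from DATA to the TLS session STATE.  When ALLOW_QUIT is
   non-zero every attempt goes through QUIT first, so a pending user
   interrupt is honoured while the send is retried.

   Returns the number of bytes accepted (possibly fewer than SIZE), or -1
   with errno set on failure -- the same contract as write(2).  (The
   original returned raw negative GnuTLS codes whenever errno happened to be
   non-zero; those are now folded into -1 as well.) */
Bytecount
tls_write (tls_state_t *state, const unsigned char *data, Bytecount size,
           unsigned int allow_quit)
{
  ssize_t bytes;

  /* GnuTLS requires a retry after GNUTLS_E_AGAIN / GNUTLS_E_INTERRUPTED to
     be made with the same DATA and SIZE, which this loop does. */
  do
    {
      if (allow_quit)
        QUIT;
      /* GnuTLS sets errno only for transport (push) failures.  Clear it
         right before the call so that a stale value left by earlier code
         (or by QUIT) cannot be mistaken for a transport error below. */
      errno = 0;
      bytes = gnutls_record_send (state->tls_session, data, size);
    }
  while (bytes == GNUTLS_E_INTERRUPTED || bytes == GNUTLS_E_AGAIN);

  if (bytes == GNUTLS_E_LARGE_PACKET)
    {
      /* SIZE exceeds what fits in a record; the caller has to split it. */
      errno = EMSGSIZE;
      bytes = -1;
    }
  else if (bytes < 0)
    {
      /* Any other failure is reported write(2)-style: -1 plus errno.  Keep
         the errno a transport error left behind; for a purely TLS-level
         failure EPIPE is the closest fit for a broken stream. */
      if (errno == 0)
        errno = EPIPE;
      bytes = -1;
    }
  return (Bytecount) bytes;
}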
/* Drop one reference to the TLS session STATE.  The session is shared
   (tls_open hands it out with a refcount of 2), so nothing happens until
   the last reference goes: then close_notify is sent, the underlying
   socket is closed, the GnuTLS session is destroyed and STATE is freed.

   Returns the result of closing the socket when the session is torn down,
   otherwise 0.  STATE must not be used after the call that tore it down. */
int
tls_close (tls_state_t *state)
{
  int fd, err;

  if (--state->tls_refcount != 0)
    return 0;

  fd = (int)(unsigned long) gnutls_transport_get_ptr (state->tls_session);
  /* Announce the shutdown to the peer before closing the socket.  The
     result of gnutls_bye is not checked; the socket is closed regardless. */
  gnutls_bye (state->tls_session, GNUTLS_SHUT_RDWR);
  err = retry_close (fd);
  gnutls_deinit (state->tls_session);
  xfree (state);
  return err;
}
493 tls_state_t *
494 tls_open (int s, const Extbyte *hostname)
495 {
496 #ifndef HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS3
497 gnutls_x509_crt_t cert;
498 #endif
499 tls_state_t *gnutls;
500 const char *errptr = NULL;
501 const gnutls_datum_t *certs;
502 unsigned int status, certslen = 0U;
503 int err;
504 const int val = 1;
505
506 /* Disable Nagle's algorithm */
507 setsockopt (s, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));
508
509 /* Create the state object */
510 gnutls = (tls_state_t *) xmalloc (sizeof (*gnutls));
511 gnutls->tls_refcount = 2;
512
513 /* Initialize the session object */
514 err = gnutls_init (&gnutls->tls_session, GNUTLS_CLIENT);
515 if (err != GNUTLS_E_SUCCESS)
516 {
517 xfree (gnutls);
518 warn_when_safe (Qtls_error, Qerror, "GNUTLS error in gnutls_init: %s",
519 gnutls_strerror (err));
520 errno = EACCES;
521 return NULL;
522 }
523
524 /* Configure the cipher preferences */
525 err = gnutls_priority_set_direct (gnutls->tls_session, "NORMAL", &errptr);
526 if (err != GNUTLS_E_SUCCESS)
527 {
528 xfree (gnutls);
529 warn_when_safe (Qtls_error, Qerror,
530 "GNUTLS error in gnutls_priority_set_direct: %s at %s",
531 gnutls_strerror (err), errptr);
532 errno = EACCES;
533 return NULL;
534 }
535
536 /* Install the trusted certificates */
537 err = gnutls_credentials_set (gnutls->tls_session, GNUTLS_CRD_CERTIFICATE,
538 global_cred);
539 if (err != GNUTLS_E_SUCCESS)
540 {
541 xfree (gnutls);
542 warn_when_safe (Qtls_error, Qerror,
543 "GNUTLS error in gnutls_credentials_set: %s",
544 gnutls_strerror (err));
545 errno = EACCES;
546 return NULL;
547 }
548
549 /* Associate the socket with the session object */
550 gnutls_transport_set_ptr (gnutls->tls_session,
551 (gnutls_transport_ptr_t)(unsigned long)s);
552
553 /* Set the server name */
554 if (hostname != NULL)
555 {
556 err = gnutls_server_name_set (gnutls->tls_session, GNUTLS_NAME_DNS,
557 hostname, strlen (hostname));
558 if (err != GNUTLS_E_SUCCESS)
559 {
560 xfree (gnutls);
561 warn_when_safe (Qtls_error, Qerror,
562 "GNUTLS error in gnutls_server_name_set: %s",
563 gnutls_strerror (err));
564 errno = EACCES;
565 return NULL;
566 }
567 }
568
569 /* Perform the handshake */
570 do
571 err = gnutls_handshake (gnutls->tls_session);
572 while (err == GNUTLS_E_AGAIN || err == GNUTLS_E_INTERRUPTED);
573 if (err != GNUTLS_E_SUCCESS)
574 {
575 xfree (gnutls);
576 warn_when_safe (Qtls_error, Qerror,
577 "GNUTLS error in gnutls_handshake: %s",
578 gnutls_strerror (err));
579 errno = EACCES;
580 return NULL;
581 }
582
583 /* Get the server certificate chain */
584 certs = gnutls_certificate_get_peers (gnutls->tls_session, &certslen);
585 if (certs == NULL || certslen == 0U)
586 {
587 xfree (gnutls);
588 warn_when_safe (Qtls_error, Qerror,
589 "GNUTLS could not get peer certificate: %s",
590 gnutls_strerror (err));
591 errno = EACCES;
592 return NULL;
593 }
594
595 /* Validate the server certificate chain */
596 status = (unsigned int) -1;
597 #ifdef HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS3
598 if (hostname != NULL)
599 err = gnutls_certificate_verify_peers3 (gnutls->tls_session, hostname,
600 &status);
601 else
602 #endif /* HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS3 */
603 err = gnutls_certificate_verify_peers2 (gnutls->tls_session, &status);
604 if (err != GNUTLS_E_SUCCESS)
605 {
606 xfree (gnutls);
607 warn_when_safe (Qtls_error, Qerror,
608 "GNUTLS could not verify peer certificate: %s",
609 gnutls_strerror (err));
610 errno = EACCES;
611 return NULL;
612 }
613 if (status != 0U)
614 {
615 gnutls_datum_t msg;
616
617 #ifdef HAVE_GNUTLS_CERTIFICATE_VERIFICATION_STATUS_PRINT
618 gnutls_certificate_type_t type;
619
620 type = gnutls_certificate_type_get (gnutls->tls_session);
621 err =
622 gnutls_certificate_verification_status_print (status, type, &msg, 0);
623 #else
624 err = -1;
625 #endif /* HAVE_GNUTLS_CERTIFICATE_VERIFICATION_STATUS_PRINT */
626 xfree (gnutls);
627 if (err == 0)
628 {
629 warn_when_safe (Qtls_error, Qerror,
630 "GNUTLS: certificate validation failed: %s",
631 msg.data);
632 gnutls_free(msg.data);
633 errno = EACCES;
634 return NULL;
635 }
636 else
637 {
638 warn_when_safe (Qtls_error, Qerror,
639 "GNUTLS: certificate validation failed with code %u",
640 status);
641 errno = EACCES;
642 return NULL;
643 }
644 }
645
646 #ifndef HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS3
647 if (hostname != NULL)
648 {
649 /* Match the peer certificate against the host name */
650 err = gnutls_x509_crt_init (&cert);
651 if (err != GNUTLS_E_SUCCESS)
652 {
653 xfree (gnutls);
654 warn_when_safe (Qtls_error, Qerror,
655 "GNUTLS error in gnutls_x509_crt_init: %s",
656 gnutls_strerror (err));
657 errno = EACCES;
658 return NULL;
659 }
660
661 /* The peer certificate is the first certificate in the list */
662 err = gnutls_x509_crt_import (cert, certs, GNUTLS_X509_FMT_DER);
663 if (err != GNUTLS_E_SUCCESS)
664 {
665 xfree (gnutls);
666 warn_when_safe (Qtls_error, Qerror,
667 "GNUTLS error in gnutls_x509_crt_import: %s",
668 gnutls_strerror (err));
669 gnutls_x509_crt_deinit (cert);
670 errno = EACCES;
671 return NULL;
672 }
673
674 err = gnutls_x509_crt_check_hostname (cert, hostname);
675 if (err == 0)
676 {
677 xfree (gnutls);
678 warn_when_safe (Qtls_error, Qerror,
679 "GNUTLS: hostname does not match certificate: %s",
680 gnutls_strerror (err));
681 gnutls_x509_crt_deinit (cert);
682 errno = EACCES;
683 return NULL;
684 }
685 gnutls_x509_crt_deinit (cert);
686 }
687 #endif /* HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS3 */
688
689 return gnutls;
690 }
691
/* Install the certificate and private key (both PEM files) into the
   global GnuTLS credentials.  Does not return on failure: a GnuTLS
   error is turned into a Lisp `tls-error' signal carrying the GnuTLS
   error string. */
static void
tls_set_x509_key_file (const Extbyte *certfile, const Extbyte *keyfile)
{
  int status = gnutls_certificate_set_x509_key_file (global_cred, certfile,
                                                     keyfile,
                                                     GNUTLS_X509_FMT_PEM);
  if (status >= GNUTLS_E_SUCCESS)
    return;

  signal_error (Qtls_error, "gnutls_certificate_set_x509_key_file",
                GNUTLS_ERRSTR (status));
}
704
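/* Overwrite LEN bytes at P with '*' through a volatile pointer, so the
   compiler cannot drop the stores as dead even though the buffer is never
   read again afterwards. */
static void
wipe_secret (void *p, size_t len)
{
  volatile unsigned char *vp = (volatile unsigned char *) p;
  while (len > 0)
    {
      *vp++ = '*';
      len--;
    }
}

/* Function that gathers PKCS #11 passwords (the GnuTLS PIN callback).
   Prompts the user through `read-password' with the file-level PROMPT,
   the token label and the token URL, copies the answer into PIN and then
   wipes both the Lisp string and the external-format copy.

   PIN_MAX is the size of the PIN buffer, so the terminating NUL must land
   at an index below it; the earlier bound (len > pin_max) allowed
   len == pin_max and wrote pin[pin_max], one byte past the buffer.

   Returns GNUTLS_E_SUCCESS when the password was stored.  Returns
   GNUTLS_E_INVALID_REQUEST when the buffer is unusable or the password
   does not fit: a silently truncated PIN would reach the token as a wrong
   PIN, and tokens commonly count wrong PINs against a retry limit, so
   refusing is safer than truncating. */
static int
gnutls_pk11_password (void * UNUSED (userdata), int UNUSED (attempt),
                      const char *token_url, const char *token_label,
                      unsigned int UNUSED (flags), char *pin, size_t pin_max)
{
  Lisp_Object lsp_password, args[5];
  Extbyte *c_password;
  size_t len;
  int ret = GNUTLS_E_SUCCESS;

  /* A zero-sized buffer cannot even hold the terminator; refuse before
     bothering the user for a password we could not store. */
  if (pin == NULL || pin_max == 0)
    return GNUTLS_E_INVALID_REQUEST;

  /* Get the password from the user */
  args[0] = prompt;
  args[1] = build_extstring (token_label, Qnative);
  args[2] = build_ascstring (" (");
  args[3] = build_extstring (token_url, Qnative);
  args[4] = build_ascstring (")");
  lsp_password = call1 (Qread_password, Fconcat (5, args));
  c_password = LISP_STRING_TO_EXTERNAL (lsp_password, Qnative);

  /* Insert the password; len + 1 includes the NUL that strlen stopped at */
  len = strlen (c_password);
  if (len < pin_max)
    memcpy (pin, c_password, len + 1);
  else
    {
      pin[0] = '\0';
      ret = GNUTLS_E_INVALID_REQUEST;
    }

  /* Wipe out the password on the stack and in the Lisp string */
  args[0] = lsp_password;
  args[1] = make_char ('*');
  Ffill (2, args);
  wipe_secret (c_password, len);
  return ret;
}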
738
/* Deallocator handed to GnuTLS.  GnuTLS sometimes tries to free NULL, so
   that case is filtered out before the pointer reaches xfree. */
static void xfree_for_gnutls (void *ptr)
{
  if (ptr == NULL)
    return;
  xfree (ptr);
}
745
/* Load the system trust store into the global credentials.  Signals a
   Lisp `tls-error' (and does not return) when GnuTLS reports a failure or
   when the store turned out to be empty, since a client with no trust
   anchors could never validate a peer. */
static void
init_tls_system_trust (void)
{
  int ncerts = gnutls_certificate_set_x509_system_trust (global_cred);

  if (ncerts < 0)
    signal_error (Qtls_error, "gnutls_certificate_set_x509_system_trust",
                  GNUTLS_ERRSTR (ncerts));
  if (ncerts == 0)
    signal_error (Qtls_error, "gnutls: no system certificates found", Qnil);
}

/* One-time GnuTLS setup: route the library's allocations through the
   XEmacs allocator, initialise the library, allocate the global
   credentials with the system CA store, and register the PKCS #11 PIN
   prompt.  Every failure is reported as a Lisp `tls-error' signal.
   NOTE(review): gnutls_global_set_mem_functions is deprecated in newer
   GnuTLS releases and may be a no-op there — confirm against the
   minimum supported version. */
void
init_tls (void)
{
  int status;

  /* Tell gnutls to use our memory allocation functions; no separate
     "secure" allocator and no is_secure predicate are provided */
  gnutls_global_set_mem_functions ((void * (*)(size_t)) xmalloc,
                                   (void * (*)(size_t)) xmalloc,
                                   NULL,
                                   (void * (*)(void *, size_t)) xrealloc,
                                   xfree_for_gnutls);

  /* Initialize the library */
  status = gnutls_global_init ();
  if (status != GNUTLS_E_SUCCESS)
    signal_error (Qtls_error, "gnutls_global_init", GNUTLS_ERRSTR (status));

  /* Load the trusted CA certificates */
  status = gnutls_certificate_allocate_credentials (&global_cred);
  if (status != GNUTLS_E_SUCCESS)
    signal_error (Qtls_error, "gnutls_certificate_allocate_credentials",
                  GNUTLS_ERRSTR (status));
  init_tls_system_trust ();

  /* Setup password gathering */
  gnutls_pkcs11_set_pin_function (gnutls_pk11_password, NULL);
}
778 #endif /* HAVE_GNUTLS */
779
780 #ifdef HAVE_OPENSSL
781 #include <unistd.h>
782 #include <openssl/conf.h>
783 #include <openssl/err.h>
784
785 #ifdef HAVE_X509_CHECK_HOST
786 #include <openssl/x509v3.h>
787 #endif
788
/* The context used to create connections (file-scope state of the
   OpenSSL backend; its creation is not visible in this part of the file) */
static SSL_CTX *ssl_ctx;
791
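/* Build a Lisp string "LIB:FUNC:REASON" describing the oldest entry on
   the OpenSSL error queue (ERR_get_error removes that entry).  Each of the
   ERR_*_error_string lookups yields NULL for a code it does not know;
   "<unknown>" is substituted because build_ascstring is not shown to
   accept NULL, and this keeps the wording consistent with
   openssl_report_error_stack below. */
static Lisp_Object
openssl_error_string (void)
{
  Lisp_Object args[5];
  unsigned long err = ERR_get_error ();
  const char *lib = ERR_lib_error_string (err);
  const char *func = ERR_func_error_string (err);
  const char *reason = ERR_reason_error_string (err);

  args[0] = build_ascstring (lib == NULL ? "<unknown>" : lib);
  args[1] = build_ascstring (":");
  args[2] = build_ascstring (func == NULL ? "<unknown>" : func);
  args[3] = build_ascstring (":");
  args[4] = build_ascstring (reason == NULL ? "<unknown>" : reason);
  return Fconcat (5, args);
}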
805
/* Substitute a placeholder for the NULL that the ERR_*_error_string
   lookups return for codes they cannot describe. */
static const char *
openssl_string_or_unknown (const char *s)
{
  return s == NULL ? "<unknown>" : s;
}

/* Pop the oldest error from the OpenSSL error queue and report it as a
   Lisp `tls-error' warning prefixed with MSG.  A certificate verification
   failure is described with the X509 verify result from SSL instead of
   the generic library/function/reason triple.  Returns the raw error
   code, 0 when the queue was empty (nothing is reported then). */
static unsigned long
openssl_report_error_stack (const char *msg, const SSL *ssl)
{
  unsigned long err = ERR_get_error ();

  if (err == 0UL)
    return err;

  if (ERR_GET_LIB (err) == ERR_LIB_SSL
      && ERR_GET_REASON (err) == SSL_R_CERTIFICATE_VERIFY_FAILED)
    {
      long cert_err = SSL_get_verify_result (ssl);
      warn_when_safe (Qtls_error, Qerror, "%s:%s", msg,
                      X509_verify_cert_error_string (cert_err));
      return err;
    }

  warn_when_safe (Qtls_error, Qerror, "%s:%s:%s:%s", msg,
                  openssl_string_or_unknown (ERR_lib_error_string (err)),
                  openssl_string_or_unknown (ERR_func_error_string (err)),
                  openssl_string_or_unknown (ERR_reason_error_string (err)));
  return err;
}
832
833 /* Return values:
834 * -1 = fatal error, caller should exit
835 * 0 = no error, caller should continue
836 * 1 = nonfatal error, caller should retry
837 */
838 static int
839 openssl_report_error_num (const char *msg, const SSL *ssl, int ret, int retry)
840 {
841 int errno_copy = errno;
842 int ssl_error = SSL_get_error (ssl, ret);
843 int err;
844
845 switch (ssl_error)
846 {
847 case SSL_ERROR_NONE:
848 case SSL_ERROR_ZERO_RETURN:
849 err = 0;
850 break;
851 case SSL_ERROR_WANT_READ:
852 case SSL_ERROR_WANT_WRITE:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
853 err = retry;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
854 break;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
855 case SSL_ERROR_WANT_CONNECT:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
856 case SSL_ERROR_WANT_ACCEPT:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
857 case SSL_ERROR_WANT_X509_LOOKUP:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
858 err = 1;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
859 break;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
860 case SSL_ERROR_SYSCALL:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
861 if (openssl_report_error_stack (msg, ssl) == 0UL && ret < 0)
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
862 warn_when_safe (Qtls_error, Qerror, "%s: %s", msg,
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
863 strerror (errno_copy));
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
864 err = ret;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
865 break;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
866 case SSL_ERROR_SSL:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
867 openssl_report_error_stack (msg, ssl);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
868 err = -1;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
869 break;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
870 default:
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
871 warn_when_safe (Qtls_error, Qerror, "%s: error %d", msg, ssl_error);
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
872 err = -1;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
873 break;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
874 }
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
875 errno = errno_copy;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
876 return err;
a216b3c2b09e Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff changeset
877 }
/* Return the file descriptor underlying STATE's TLS connection, as
   SSL_get_fd reports it.  */
int
tls_get_fd (tls_state_t *state)
{
  const SSL *conn = state->tls_connection;

  return SSL_get_fd (conn);
}
/* Read up to SIZE bytes of application data from STATE's TLS connection
   into DATA.  Returns the number of bytes read, 0 if the connection has
   already been shut down or the peer closed it, or the negative SSL_read
   result when the read could not be completed (errno is preserved by
   openssl_report_error_num for the caller).

   The read is repeated only while openssl_report_error_num says a retry is
   in order (SSL_ERROR_WANT_CONNECT / _ACCEPT / _X509_LOOKUP); WANT_READ and
   WANT_WRITE are passed retry = 0 and returned to the caller.  When
   ALLOW_QUIT is non-zero, QUIT is honoured before each retry.

   NOTE(review): SSL_read takes an int count, so SIZE is narrowed to int
   on the call; sizes beyond INT_MAX are not guarded here.  */
Bytecount
tls_read (tls_state_t *state, unsigned char *data, Bytecount size,
          unsigned int allow_quit)
{
  SSL *conn = state->tls_connection;
  int nread;
  int action;

  if (SSL_get_shutdown (conn))
    return 0;

  for (;;)
    {
      nread = SSL_read (conn, data, size);
      if (nread > 0)
        break;
      action = openssl_report_error_num ("SSL_read", conn, nread, 0);
      if (action <= 0)
        break;
      if (allow_quit)
        QUIT;
    }

  return (Bytecount) nread;
}
/* Write up to SIZE bytes from DATA to STATE's TLS connection.  Returns the
   number of bytes written, 0 if the connection has already been shut down,
   or the negative SSL_write result when the write could not be completed
   (errno is preserved by openssl_report_error_num for the caller).

   Mirrors tls_read: the write is repeated only while
   openssl_report_error_num asks for a retry; WANT_READ / WANT_WRITE are
   passed retry = 0 and handed back to the caller.  When ALLOW_QUIT is
   non-zero, QUIT is honoured before each retry.

   NOTE(review): SSL_write takes an int count, so SIZE is narrowed to int
   on the call; sizes beyond INT_MAX are not guarded here.  */
Bytecount
tls_write (tls_state_t *state, const unsigned char *data, Bytecount size,
           unsigned int allow_quit)
{
  SSL *conn = state->tls_connection;
  int nwritten;
  int action;

  if (SSL_get_shutdown (conn))
    return 0;

  for (;;)
    {
      nwritten = SSL_write (conn, data, size);
      if (nwritten > 0)
        break;
      action = openssl_report_error_num ("SSL_write", conn, nwritten, 0);
      if (action <= 0)
        break;
      if (allow_quit)
        QUIT;
    }

  return (Bytecount) nwritten;
}
/* Drop one reference to STATE.  When the last reference goes, send the TLS
   close_notify (unless a shutdown has already been recorded on the
   connection), close the underlying file descriptor, free the SSL object
   and STATE itself.  Returns 0 on success or when STATE is still
   referenced, otherwise the negative SSL_shutdown result.  An SSL_shutdown
   failure with errno == EBADF is treated as success, since the descriptor
   is evidently already gone.  */
int
tls_close (tls_state_t *state)
{
  SSL *conn;
  int fd;
  int result = 0;

  if (--state->tls_refcount != 0)
    return 0;

  conn = state->tls_connection;
  fd = SSL_get_fd (conn);
  if (SSL_get_shutdown (conn) == 0)
    {
      result = SSL_shutdown (conn);
      if (result < 0 && errno == EBADF)
        result = 0;
      if (result < 0)
        openssl_report_error_num ("SSL_shutdown failed", conn, result, 0);
    }

  close (fd);
  SSL_free (conn);
  xfree (state);

  /* SSL_shutdown returns 1 when the bidirectional shutdown completed and
     0 when only our close_notify was sent; both count as success here.  */
  return result > 0 ? 0 : result;
}
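/* Wrap the connected socket S in a TLS client session and verify the peer.
   HOSTNAME is sent as the ServerNameIndication and, when X509_check_host
   is available, matched against the peer certificate.

   Returns a newly allocated tls_state_t whose reference count starts at 2
   (presumably one per stream direction; release each with tls_close --
   confirm against the callers), or NULL with errno set to EACCES after a
   failure, in which case every resource acquired here has been released
   and a warning describing the cause has been issued.  S itself is not
   closed on failure.  */
tls_state_t *
tls_open (int s, const Extbyte *hostname)
{
  tls_state_t *openssl;
  X509 *peer_cert = NULL;
  const int val = 1;
  int err;
  long cert_err;

  /* Disable Nagle's algorithm.  A failure here only costs latency, so the
     return value is deliberately not checked.  */
  setsockopt (s, IPPROTO_TCP, TCP_NODELAY, &val, sizeof (val));

  /* Create the state object */
  openssl = (tls_state_t *) xmalloc (sizeof (*openssl));
  openssl->tls_refcount = 2;

  /* Create the connection object */
  openssl->tls_connection = SSL_new (ssl_ctx);
  if (openssl->tls_connection == NULL)
    {
      openssl_report_error_stack ("SSL_new failed", NULL);
      goto error;
    }
  if (SSL_set_fd (openssl->tls_connection, s) == 0)
    {
      openssl_report_error_stack ("SSL_set_fd", openssl->tls_connection);
      goto error;
    }

  /* Enable the ServerNameIndication extension */
  if (hostname != NULL &&
      !SSL_set_tlsext_host_name (openssl->tls_connection, hostname))
    {
      openssl_report_error_stack ("SSL_set_tlsext_host_name failed",
                                  openssl->tls_connection);
      goto error;
    }

  /* Perform the handshake */
  err = SSL_connect (openssl->tls_connection);
  while (err != 1)
    {
      int action = openssl_report_error_num ("SSL_connect failed",
                                             openssl->tls_connection, err, 1);
      /* A negative ACTION is a fatal error that has already been reported.
         ACTION == 0 means the peer ended the connection during the
         handshake (SSL_ERROR_ZERO_RETURN, or an EOF reported as
         SSL_ERROR_SYSCALL with a zero return): nothing is reported for
         that case and the handshake can never complete, so do not keep
         calling SSL_connect.  */
      if (action < 0)
        goto error;
      if (action == 0)
        {
          warn_when_safe (Qtls_error, Qerror,
                          "SSL_connect failed: connection closed during "
                          "handshake");
          goto error;
        }
      err = SSL_connect (openssl->tls_connection);
    }

  /* Get the server certificate.  SSL_get_peer_certificate hands back a
     reference of our own, which must be released on every exit path.  */
  peer_cert = SSL_get_peer_certificate (openssl->tls_connection);
  if (peer_cert == NULL)
    {
      warn_when_safe (Qtls_error, Qerror,
                      "Peer did not present a certificate");
      goto error;
    }

  /* Chain validation (signatures, validity period, trust anchor) ran
     during the handshake; fetch its verdict.  */
  cert_err = SSL_get_verify_result (openssl->tls_connection);
  if (cert_err != X509_V_OK)
    {
      warn_when_safe (Qtls_error, Qerror,
                      "Peer certificate verification failure:%s",
                      X509_verify_cert_error_string (cert_err));
      goto error;
    }

#ifdef HAVE_X509_CHECK_HOST
  /* A valid chain only proves the certificate was issued to somebody; it
     must also name the host we meant to reach.  Without a host name there
     is nothing to match against, so fail closed instead of accepting any
     trusted certificate (this also avoids strlen on a NULL pointer).  */
  if (hostname == NULL)
    {
      warn_when_safe (Qtls_error, Qerror,
                      "No host name to verify the peer certificate against");
      goto error;
    }
  /* X509_check_host returns 1 on a match, 0 on a mismatch and a negative
     value for an internal error or malformed input.  */
  err = X509_check_host (peer_cert, (const char *) hostname,
                         strlen (hostname), 0, NULL);
  if (err < 0)
    {
      warn_when_safe (Qtls_error, Qerror,
                      "Out of memory while checking certificate");
      goto error;
    }
  if (err == 0)
    {
      warn_when_safe (Qtls_error, Qerror,
                      "Peer certificate verification failure");
      goto error;
    }
#else
  /* NOTE(review): without X509_check_host the peer's identity is never
     matched against HOSTNAME, so any certificate that chains to a trusted
     root is accepted for any host.  */
#endif
  X509_free (peer_cert);

  return openssl;

error:
  /* Release the certificate reference taken above; X509_free (NULL) is a
     no-op, so this is safe on the paths that never obtained one.  */
  X509_free (peer_cert);
  if (openssl->tls_connection != NULL)
    SSL_free (openssl->tls_connection);
  xfree (openssl);
  errno = EACCES;
  return NULL;
}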
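/* Set the key and certificate files to use.  CERTFILE and KEYFILE are
   PEM files installed into the global ssl_ctx; any failure is raised as a
   tls_error with the OpenSSL error string.  */
static void
tls_set_x509_key_file (const Extbyte *certfile, const Extbyte *keyfile)
{
  int err;

  /* Load the certificate before the private key.  OpenSSL's documented
     order is certificate first: a key loaded afterwards is checked against
     the installed certificate and a mismatch is reported, whereas a
     certificate loaded after a non-matching key is not.  */
  err = SSL_CTX_use_certificate_file (ssl_ctx, certfile, SSL_FILETYPE_PEM);
  if (err <= 0)
    signal_error (Qtls_error, "SSL_CTX_use_certificate_file",
                  openssl_error_string ());
  err = SSL_CTX_use_PrivateKey_file (ssl_ctx, keyfile, SSL_FILETYPE_PEM);
  if (err <= 0)
    signal_error (Qtls_error, "SSL_CTX_use_PrivateKey_file",
                  openssl_error_string ());
  /* Confirm explicitly that the pair is consistent before it is used in
     a handshake, rather than discovering a mismatch at connection time.  */
  if (SSL_CTX_check_private_key (ssl_ctx) != 1)
    signal_error (Qtls_error, "SSL_CTX_check_private_key",
                  openssl_error_string ());
}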
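/* Password callback installed on ssl_ctx by init_tls through
   SSL_CTX_set_default_passwd_cb.  OpenSSL calls it when a PEM private key
   loaded by tls_set_x509_key_file turns out to be encrypted.

   BUF is OpenSSL's buffer of SIZE bytes.  RWFLAG (0 = decrypting,
   1 = encrypting) and USERDATA are unused.

   Prompts the user through `read-password' with PROMPT followed by "PEM",
   copies at most SIZE bytes of the answer into BUF and returns the number
   of bytes copied.  OpenSSL uses that count rather than a terminator, so
   BUF is NUL-terminated only when there is room for it.  An answer longer
   than SIZE is truncated, as the callback contract requires.  Returns 0 for
   an empty answer (which OpenSSL treats as a failed password read) or when
   SIZE is not positive.

   The Lisp string and the external copy are overwritten with '*' before
   returning so the plaintext does not linger in memory.  */
static int
openssl_password (char *buf, int size, int UNUSED (rwflag),
                  void *UNUSED (userdata))
{
  Lisp_Object lsp_password, args[2];
  Extbyte *c_password;
  size_t full_len, len;

  if (size <= 0)
    return 0;

  lsp_password =
    call1 (Qread_password, concat2 (prompt, build_ascstring ("PEM")));
  c_password = LISP_STRING_TO_EXTERNAL (lsp_password, Qnative);

  /* Copy with an explicit bound.  The former strncpy left BUF without a
     terminator when the password filled it, and the strlen (buf) that
     followed then read past the end of OpenSSL's buffer.  */
  full_len = strlen (c_password);
  len = full_len > (size_t) size ? (size_t) size : full_len;
  memcpy (buf, c_password, len);
  if (len < (size_t) size)
    buf[len] = '\0';

  /* Wipe the password in the Lisp string and in the external copy.
     NOTE(review): the memset may be elided by the optimiser because
     c_password is dead afterwards; plain C11 offers no guaranteed
     alternative, so treat this as best effort.  */
  args[0] = lsp_password;
  args[1] = make_char ('*');
  Ffill (2, args);
  memset (c_password, '*', full_len);

  return (int) len;
}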
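/* One-time OpenSSL setup, run at XEmacs startup.  Creates the process-wide
   client context ssl_ctx that every TLS connection in this backend shares.
   Signals tls-error (and does not return) if the context cannot be created
   or configured.  */
void
init_tls (void)
{
  /* Route OpenSSL's allocations through XEmacs's allocator.  This has to be
     the very first OpenSSL call: CRYPTO_set_mem_functions returns 0 and
     changes nothing once the library has allocated anything, and
     OPENSSL_config below does allocate, so the previous ordering most
     likely left OpenSSL on libc malloc.  A refusal is harmless (OpenSSL
     simply keeps its own allocator), so the result is deliberately not
     checked.  */
  (void) CRYPTO_set_mem_functions ((void * (*)(size_t)) xmalloc,
                                   (void * (*)(void *, size_t)) xrealloc,
                                   xfree_1);

  /* Load the default configuration file.  */
  OPENSSL_config (NULL);

  /* Load human-readable error messages.  */
  SSL_load_error_strings ();

  /* Initialize the library.  */
  SSL_library_init ();

  /* Client context that negotiates the highest protocol version both sides
     support (SSLv23_client_method is the version-flexible method).  */
  ssl_ctx = SSL_CTX_new (SSLv23_client_method ());
  if (ssl_ctx == NULL)
    signal_error (Qtls_error, "SSL_CTX_new failed", openssl_error_string ());

  /* Refuse SSLv2 and SSLv3 (SSLv3 was added here because of POODLE) and
     never negotiate TLS compression (CRIME).  */
  SSL_CTX_set_options (ssl_ctx,
                       SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
                       | SSL_OP_NO_COMPRESSION);

  /* Let SSL_write report a partial write, retry transparently when a
     renegotiation interrupts a read or write, and free idle buffers.  */
  SSL_CTX_set_mode (ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |
                    SSL_MODE_AUTO_RETRY | SSL_MODE_RELEASE_BUFFERS);

  /* Let the system select the ciphers.  */
  if (SSL_CTX_set_cipher_list (ssl_ctx, "DEFAULT") != 1)
    signal_error (Qtls_error, "SSL_CTX_set_cipher_list failed",
                  openssl_error_string ());

  /* Load the set of trusted root certificates.  */
  if (!SSL_CTX_set_default_verify_paths (ssl_ctx))
    signal_error (Qtls_error, "SSL_CTX_set_default_verify_paths failed",
                  openssl_error_string ());

  /* Prompt through Lisp when an encrypted private key is loaded.  */
  SSL_CTX_set_default_passwd_cb (ssl_ctx, openssl_password);

  /* NOTE(review): no SSL_CTX_set_verify call here, so peer-certificate
     verification has to be enabled per connection (presumably in tls_open,
     which is outside this block); confirm that it is, otherwise the trust
     store loaded above is never consulted.  */
}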
1137 #endif /* HAVE_OPENSSL */
1139 #ifdef WITH_TLS
/* Install every key/certificate pair listed in KEYLIST and then start a
   TLS session on the already-connected socket FD for the peer HOST.

   KEYLIST is a Lisp list whose elements are themselves lists: the car is
   the private-key file name, the cadr the certificate file name.  A
   non-string in either position raises invalid-argument.  Iteration stops
   at the first non-cons tail, so nil installs nothing.

   In the OpenSSL backend shown in this file the pairs go into the
   process-wide ssl_ctx, so they remain in effect for later connections.
   Returns whatever tls_open returns.  */
tls_state_t *
tls_negotiate (int fd, const Extbyte *host, Lisp_Object keylist)
{
  Lisp_Object rest = keylist;

  while (CONSP (rest))
    {
      Lisp_Object entry = XCAR (rest);
      Lisp_Object key_name = Fcar (entry);
      Lisp_Object cert_name = Fcar (Fcdr (entry));

      if (!STRINGP (key_name))
        invalid_argument ("Keyfile must be a filename", key_name);
      if (!STRINGP (cert_name))
        invalid_argument ("Certfile must be a filename", cert_name);

      {
        Extbyte *ext_key = LISP_STRING_TO_EXTERNAL (key_name, Qfile_name);
        Extbyte *ext_cert = LISP_STRING_TO_EXTERNAL (cert_name, Qfile_name);

        tls_set_x509_key_file (ext_cert, ext_key);
      }

      rest = XCDR (rest);
    }

  return tls_open (fd, host);
}
1162 #endif /* WITH_TLS */
1164 #ifndef WITH_TLS
/* Startup hook for builds without any TLS backend.  There is nothing to
   set up; the stub exists so that callers can invoke init_tls without a
   WITH_TLS check of their own.  */
void
init_tls (void)
{
  /* Intentionally empty.  */
}
1169 #endif /* !WITH_TLS */
/* Symbol and error-condition setup, run once at startup.  Defines the
   `read-password' symbol that the password callback calls through, and the
   `tls-error' condition (parent `error') that this file signals when a
   backend call fails.  The condition is defined even without a TLS backend
   so Lisp code can always refer to it.  */
void
syms_of_tls (void)
{
#ifdef WITH_TLS
  DEFSYMBOL (Qread_password);
#endif
  DEFERROR (Qtls_error, "TLS error", Qerror);
}
/* Lisp-visible variable and feature setup, run once at startup.

   Gives PROMPT its value (the prefix of the password prompt built by the
   password callback) and advertises the `tls' feature plus one feature per
   compiled-in backend, so Lisp code can test which implementation it has.  */
void
vars_of_tls (void)
{
#ifdef WITH_TLS
  /* staticpro registers the slot as a GC root; it must happen before the
     slot holds a heap object.  */
  staticpro (&prompt);
  prompt = build_ascstring ("Password for ");
  Fprovide (intern ("tls"));
#ifdef HAVE_NSS
  Fprovide (intern ("tls-nss"));
#endif
#ifdef HAVE_GNUTLS
  Fprovide (intern ("tls-gnutls"));
#endif
#ifdef HAVE_OPENSSL
  Fprovide (intern ("tls-openssl"));
#endif
#endif
}