xemacs-beta (Mercurial): annotate src/tls.c @ 5891:a0e751d6c3ad
Import the #'clear-string API from GNU, use it in tls.c

src/ChangeLog addition:

2015-04-18  Aidan Kehoe  <kehoea@parhasard.net>

	* sequence.c (Fclear_string): New, API from GNU. Zero a string's
	contents, making sure the text is not kept around even when the
	string's data is reallocated because of a changed character
	length.
	* sequence.c (syms_of_sequence): Make it available to Lisp.
	* lisp.h: Make it available to C code.
	* tls.c (nss_pk11_password): Use it.
	* tls.c (gnutls_pk11_password): Use it.
	* tls.c (openssl_password): Use it.

tests/ChangeLog addition:

2015-04-18  Aidan Kehoe  <kehoea@parhasard.net>

	* automated/lisp-tests.el:
	Test #'clear-string, just added. Unfortunately there's no way to
	be certain from Lisp that the old password data has been erased
	after realloc; it may be worth adding a test to tests.c, but
	*we'll be reading memory we shouldn't be*, so that gives me pause.
author | Aidan Kehoe <kehoea@parhasard.net> |
---|---|
date | Sat, 18 Apr 2015 23:00:14 +0100 |
parents | a85efdabe237 |
children |
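The commit message above makes two points a practitioner should take seriously: a cleared string's data may be reallocated because its character length changed, and there is no way to confirm from Lisp that the old bytes are gone, since checking would mean reading memory the program no longer owns. The example below is added here and is not XEmacs code; it shows in C why the order of operations matters. It replaces malloc with a constructed bump allocator so the abandoned block can be inspected legally, and uses a toy multibyte string type (`mb_string`), a `scrub` helper and a constructed sample password, none of which are XEmacs or NSS APIs.

```c
/* Added example, not XEmacs code: a clear-string must scrub the bytes
   BEFORE any reallocation.  A toy bump allocator stands in for malloc so
   the abandoned block can be inspected legally (with the real allocator that
   read is undefined behaviour); string type and sample password are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];
static size_t arena_top;

/* Bump allocation: never reuses or scrubs blocks, like a free list handing memory back untouched. */
static unsigned char *arena_alloc (size_t n)
{
  if (arena_top + n > ARENA_SIZE) return NULL;
  unsigned char *p = arena + arena_top;
  arena_top += n;
  return p;
}

/* Models realloc when the block moves: copy to a fresh block, leave the old one as is. */
static unsigned char *arena_realloc (unsigned char *old, size_t old_n, size_t new_n)
{
  unsigned char *p = arena_alloc (new_n);
  if (p) memcpy (p, old, old_n < new_n ? old_n : new_n);
  return p;
}

/* Zeroing through a volatile lvalue, so the optimiser cannot drop it as a dead store. */
static void scrub (unsigned char *p, size_t n)
{
  volatile unsigned char *vp = p;
  while (n--) *vp++ = 0;
}

/* Toy multibyte string: `bytes` UTF-8 bytes encoding `chars` characters. */
typedef struct { unsigned char *data; size_t bytes; size_t chars; } mb_string;

/* Character count = bytes that are not UTF-8 continuation bytes (10xxxxxx). */
static size_t utf8_chars (const unsigned char *s, size_t n)
{
  size_t c = 0;
  for (size_t i = 0; i < n; i++) c += (s[i] & 0xC0) != 0x80;
  return c;
}

/* Clearing makes every char a one-byte NUL, so the byte length shrinks to the char
   count and the data is resized.  Wrong order: resize, then zero; the old block keeps the password. */
static int clear_string_resize_then_zero (mb_string *s)
{
  unsigned char *p = arena_realloc (s->data, s->bytes, s->chars);
  if (!p) return -1;
  s->data = p; s->bytes = s->chars;
  scrub (s->data, s->bytes);
  return 0;
}

/* Right order: zero while the block is still ours, then resize; whatever
   the allocator copies or keeps is already zero. */
static int clear_string_zero_then_resize (mb_string *s)
{
  scrub (s->data, s->bytes);
  unsigned char *p = arena_realloc (s->data, s->bytes, s->chars);
  if (!p) return -1;
  s->data = p; s->bytes = s->chars;
  return 0;
}

/* Forensic check: does the password survive anywhere in the arena? */
static int arena_contains (const char *needle)
{
  size_t n = strlen (needle);
  for (size_t i = 0; i + n <= ARENA_SIZE; i++)
    if (memcmp (arena + i, needle, n) == 0) return 1;
  return 0;
}

/* Constructed 12-byte, 10-character password (two 2-byte U+00E9). */
#define SAMPLE_PASSWORD "pa" "\xC3\xA9" "s" "\xC3\xA9" "-2015"

/* Fresh arena, load the password, run one strategy: 1 = leaked, 0 = clean, -1 = failure. */
static int leaks (int (*clear) (mb_string *))
{
  mb_string s;
  memset (arena, 0, sizeof arena); arena_top = 0;
  s.bytes = strlen (SAMPLE_PASSWORD);
  s.chars = utf8_chars ((const unsigned char *) SAMPLE_PASSWORD, s.bytes);
  if (!(s.data = arena_alloc (s.bytes))) return -1;
  memcpy (s.data, SAMPLE_PASSWORD, s.bytes);
  if (clear (&s) != 0) return -1;
  return arena_contains (SAMPLE_PASSWORD);
}

int main (void)
{
  printf ("resize then zero leaks: %d\n", leaks (clear_string_resize_then_zero));
  printf ("zero then resize leaks: %d\n", leaks (clear_string_zero_then_resize));
  return 0;
}
```

With the real allocator the abandoned block would be in a free list and the same forensic scan would be the "reading memory we shouldn't be" the commit message declines to do; the toy arena makes the difference between the two orderings observable without that. The point carries over directly: zero the bytes while the object still owns them, and only then change the representation, so that anything realloc copies or leaves behind is already zero.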
rev | line source
5814 a216b3c2b09e Jerry James <james@xemacs.org>: Add TLS support. See xemacs-patches message with ID
/* Transport Layer Security implementation.
   Copyright (C) 2014 Jerry James

This file is part of XEmacs.

XEmacs is free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation, either version 3 of the License, or (at your
option) any later version.

XEmacs is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
for more details.

You should have received a copy of the GNU General Public License
along with XEmacs.  If not, see <http://www.gnu.org/licenses/>. */

/* Synched up with: Not in FSF. */

/* Written by Jerry James. */

#include <config.h>
#include "lisp.h"
#include "lstream.h"
#include "tls.h"
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

static Lisp_Object prompt;
5888 a85efdabe237 Aidan Kehoe <kehoea@parhasard.net> (parents: 5887): Call #'read-passwd when requesting a password from the user, tls.c
static Lisp_Object Qread_passwd;
5814 a216b3c2b09e Jerry James <james@xemacs.org>: Add TLS support. See xemacs-patches message with ID
Lisp_Object Qtls_error;

#ifdef HAVE_NSS
#include <prinit.h>
#include <private/pprio.h>
#include <nss.h>
#include <pk11pub.h>
#include <secerr.h>
#include <secmod.h>
#include <ssl.h>

#define NSS_ERRSTR build_extstring (PR_ErrorToName (PR_GetError ()), Qnative)

/* 0 == initialization of NSPR or NSS failed
 * 1 == the NSPR and NSS libraries have been initialized successfully
 */
static int nss_inited;

/* The model file descriptor */
static PRFileDesc *nss_model;

/* The PEM module */
static SECMODModule *nss_pem_module;

/* CA and trust objects go into slot 0.  User certificates start in slot 1. */
static CK_SLOT_ID nss_slot_count = 1;

int
tls_get_fd (tls_state_t *state)
{
  return PR_FileDesc2NativeHandle (state->tls_file_desc);
}

Bytecount
tls_read (tls_state_t *state, unsigned char *data, Bytecount size,
          unsigned int allow_quit)
{
  if (allow_quit)
    QUIT;
  return (Bytecount) PR_Recv (state->tls_file_desc, data, size, 0, 0);
}

Bytecount
tls_write (tls_state_t *state, const unsigned char *data, Bytecount size,
           unsigned int allow_quit)
{
  if (allow_quit)
    QUIT;
  return (Bytecount) PR_Send (state->tls_file_desc, data, size, 0, 0);
}

int
tls_close (tls_state_t *state)
{
  if (--state->tls_refcount == 0)
    {
      PRStatus status = PR_Shutdown (state->tls_file_desc, PR_SHUTDOWN_BOTH);
      PR_Close (state->tls_file_desc);
      xfree (state);
      return (int) status;
    }
  return 0;
}

tls_state_t *
tls_open (int s, const Extbyte *hostname)
{
  struct sockaddr *addr;
  socklen_t addrlen;
  PRNetAddr pr_addr;
  tls_state_t *nspr;
  const int val = 1;

  /* Disable Nagle's algorithm */
  setsockopt (s, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));

  if (!nss_inited)
    {
      warn_when_safe (Qtls_error, Qerror, "Cannot use NSS functions");
      return NULL;
    }

  /* Get the socket address */
  addrlen = 256;
  addr = (struct sockaddr *) xmalloc (addrlen);
  if (getsockname (s, addr, &addrlen) == 0 && addrlen > 256)
    {
      addr = (struct sockaddr *) xrealloc (addr, addrlen);
      getsockname (s, addr, &addrlen);
    }

  /* Create the socket */
5825
  nspr = (tls_state_t *) xmalloc (sizeof (*nspr));
5814 a216b3c2b09e Jerry James <james@xemacs.org>: Add TLS support. See xemacs-patches message with ID
  nspr->tls_refcount = 2;
  nspr->tls_file_desc =
    SSL_ImportFD (nss_model, PR_OpenTCPSocket (addr->sa_family));
  if (nspr->tls_file_desc == NULL)
    {
      xfree (addr);
      xfree (nspr);
      warn_when_safe (Qtls_error, Qerror, "NSS unable to open socket: %s",
                      PR_ErrorToName (PR_GetError ()));
      return NULL;
    }

  /* Connect to the server */
  memset (&pr_addr, 0, sizeof (pr_addr));
  if (addr->sa_family == AF_INET)
    {
      struct sockaddr_in *in_addr = (struct sockaddr_in *) addr;
      pr_addr.inet.family = in_addr->sin_family;
      pr_addr.inet.port = in_addr->sin_port;
      pr_addr.inet.ip = in_addr->sin_addr.s_addr;
    }
  else
    {
      struct sockaddr_in6 *in_addr = (struct sockaddr_in6 *) addr;
      pr_addr.ipv6.family = in_addr->sin6_family;
      pr_addr.ipv6.port = in_addr->sin6_port;
      pr_addr.ipv6.flowinfo = in_addr->sin6_flowinfo;
      memcpy (pr_addr.ipv6.ip.pr_s6_addr, in_addr->sin6_addr.s6_addr,
              sizeof (pr_addr.ipv6.ip.pr_s6_addr));
      pr_addr.ipv6.scope_id = in_addr->sin6_scope_id;
    }
  xfree (addr);
  if (PR_Connect (nspr->tls_file_desc, &pr_addr, PR_INTERVAL_NO_TIMEOUT)
      != PR_SUCCESS)
    {
      if (PR_GetError () == PR_IN_PROGRESS_ERROR)
        {
          PRPollDesc pollset[2];

          pollset[0].in_flags = PR_POLL_WRITE | PR_POLL_EXCEPT;
          pollset[0].out_flags = 0;
          pollset[0].fd = nspr->tls_file_desc;
          for (;;)
            {
              PRInt32 num_fds = PR_Poll (pollset, 1, PR_INTERVAL_NO_TIMEOUT);
              if (num_fds < 0)
                {
                  PR_Close (nspr->tls_file_desc);
                  xfree (nspr);
                  warn_when_safe (Qtls_error, Qerror,
                                  "NSS unable to connect: %s",
                                  PR_ErrorToName (PR_GetError ()));
                  return NULL;
                }
              if (PR_GetConnectStatus (pollset) == PR_SUCCESS)
                break;
            }
        }
      else
        {
          PR_Close (nspr->tls_file_desc);
          xfree (nspr);
          warn_when_safe (Qtls_error, Qerror, "NSS unable to connect: %s",
                          PR_ErrorToName (PR_GetError ()));
          return NULL;
        }
    }

  /* Perform the handshake */
  if (SSL_ResetHandshake (nspr->tls_file_desc, PR_FALSE) != SECSuccess)
    {
      PR_Close (nspr->tls_file_desc);
      xfree (nspr);
      warn_when_safe (Qtls_error, Qerror, "NSS unable to reset handshake: %s",
                      PR_ErrorToName (PR_GetError ()));
      errno = EACCES;
      return NULL;
    }
  if (hostname != NULL &&
      SSL_SetURL (nspr->tls_file_desc, hostname) != SECSuccess)
    {
      PR_Close (nspr->tls_file_desc);
      xfree (nspr);
      warn_when_safe (Qtls_error, Qerror, "NSS unable to set URL (%s): %s",
                      hostname, PR_ErrorToName (PR_GetError ()));
      errno = EACCES;
      return NULL;
    }
  if (SSL_ForceHandshake (nspr->tls_file_desc) != SECSuccess)
    {
      PR_Close (nspr->tls_file_desc);
parents:
diff
changeset
|
217 xfree (nspr); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
218 warn_when_safe (Qtls_error, Qerror, |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
219 "NSS unable to complete handshake: %s", |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
220 PR_ErrorToName (PR_GetError ())); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
221 errno = EACCES; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
222 return NULL; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
223 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
224 return nspr; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
225 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
226 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
/* Set the key and certificate files to use */
static void
tls_set_x509_key_file (const Extbyte *certfile, const Extbyte *keyfile)
{
  char name[32];
  void *proto_win = NULL;
  PK11SlotInfo *slot = NULL;
  PK11GenericObject *obj;
  CERTCertificate *cert;
  CK_ATTRIBUTE attrs[4];
  CK_BBOOL cktrue = CK_TRUE, ckfalse = CK_FALSE;
  CK_OBJECT_CLASS objClass = CKO_PRIVATE_KEY;
  CK_SLOT_ID slot_id = nss_slot_count++;
  int retry_count = 0;

  /* Load the PEM module if it hasn't already been loaded */
  if (nss_pem_module == NULL)
    {
      nss_pem_module = SECMOD_LoadUserModule ("library=%s name=PEM parameters=\"\"", NULL, PR_FALSE);
      if (nss_pem_module == NULL)
        signal_error (Qtls_error, "Cannot find NSS PEM module", NSS_ERRSTR);
      if (!nss_pem_module->loaded)
        signal_error (Qtls_error, "Cannot load NSS PEM module", NSS_ERRSTR);
    }

  /* CK_SLOT_ID is an unsigned long, so format it with %lu */
  snprintf (name, 32U, "PEM_Token %lu", slot_id);
  slot = PK11_FindSlotByName (name);
  if (slot == NULL)
    signal_error (Qtls_error, "Error finding NSS slot", NSS_ERRSTR);

  /* Set up the attributes for the keyfile */
  attrs[0].type = CKA_CLASS;
  attrs[0].pValue = &objClass;
  attrs[0].ulValueLen = sizeof (objClass);
  attrs[1].type = CKA_TOKEN;
  attrs[1].pValue = &cktrue;
  attrs[1].ulValueLen = sizeof (CK_BBOOL);
  attrs[2].type = CKA_LABEL;
  attrs[2].pValue = (void *) keyfile;
  attrs[2].ulValueLen = strlen (keyfile) + 1U;

  /* When adding an encrypted key, the PKCS#11 token will be set as removed. */
  obj = PK11_CreateGenericObject (slot, attrs, 3, PR_FALSE);
  if (obj == NULL)
    {
      PR_SetError (SEC_ERROR_BAD_KEY, 0);
      signal_error (Qtls_error, "Bad key file", NSS_ERRSTR);
    }

  /* This will force the token to be seen as reinserted */
  SECMOD_WaitForAnyTokenEvent (nss_pem_module, 0, 0);
  PK11_IsPresent (slot);

  if (PK11_Authenticate (slot, PR_TRUE, &retry_count) != SECSuccess)
    signal_error (Qtls_error, "NSS: Unable to authenticate", NSS_ERRSTR);

  /* Set up the attributes for the certfile */
  objClass = CKO_CERTIFICATE;
  attrs[2].pValue = (void *) certfile;
  attrs[2].ulValueLen = strlen (certfile) + 1U;
  attrs[3].type = CKA_TRUST;
  attrs[3].pValue = &ckfalse;
  attrs[3].ulValueLen = sizeof (CK_BBOOL);

  obj = PK11_CreateGenericObject (slot, attrs, 4, PR_FALSE);
  PK11_FreeSlot (slot);
  if (obj == NULL)
    signal_error (Qtls_error, "Bad certificate file", NSS_ERRSTR);
  cert = PK11_FindCertFromNickname (name, proto_win);
  if (cert == NULL)
    signal_error (Qtls_error, "Cannot find certificate nickname", NSS_ERRSTR);
  CERT_DestroyCertificate (cert);
}

/* Function that gathers passwords for PKCS #11 tokens. */
static char *
nss_pk11_password (PK11SlotInfo *slot, PRBool retry, void * UNUSED (arg))
{
  Lisp_Object lsp_password;
  Extbyte *c_password, *nss_password;
  const Extbyte *token_name;

  if (retry)
    return NULL;

  token_name = PK11_GetTokenName (slot);
  if (token_name == NULL)
    token_name = "security token";
  lsp_password =
    call1 (Qread_passwd, concat2 (prompt,
                                  build_extstring (token_name, Qnative)));
  c_password = LISP_STRING_TO_EXTERNAL (lsp_password, Qnative);
  nss_password = PL_strdup (c_password);

  /* Wipe out the password on the stack and in the Lisp string */
  Fclear_string (lsp_password);
  memset (c_password, '*', strlen (c_password));

  return nss_password;
}

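The two wipes above (Fclear_string on the Lisp string, memset on the C copy) address the concern in this changeset's description that a secret can survive in memory once a string's storage is reallocated. As an added example that is not XEmacs code, here is a stand-alone C sketch of the same idea: a volatile-pointer wipe that the optimizer cannot drop as a dead store, and a growable secret buffer that copies into fresh storage and wipes the old block before freeing it instead of calling realloc(); the names secret_buf, wipe_bytes, secret_grow and the sample passwords are all constructed here.

```c
#include <stdlib.h>
#include <string.h>

/* Overwrite N bytes at P through a volatile pointer. A plain memset()
   on a buffer that is never read again is a dead store the compiler
   may delete; the volatile access forces the writes to happen. */
static void
wipe_bytes (void *p, size_t n)
{
  volatile unsigned char *vp = (volatile unsigned char *) p;
  while (n-- > 0)
    *vp++ = 0;
}

/* A growable buffer for secret data (constructed for this example). The
   capacity is recorded so the whole allocation, not only the bytes in
   use, can be wiped. */
typedef struct { unsigned char *data; size_t len; size_t cap; } secret_buf;

static int
secret_init (secret_buf *s, size_t cap)
{
  s->data = (unsigned char *) malloc (cap);
  s->len = 0;
  s->cap = s->data ? cap : 0;
  return s->data ? 0 : -1;
}

/* Grow to NEW_CAP without leaving the old contents behind. realloc()
   may move the block and leave the old bytes in freed memory for the
   next malloc() caller, so copy to fresh storage, wipe, then free. */
static int
secret_grow (secret_buf *s, size_t new_cap)
{
  unsigned char *fresh;
  if (new_cap <= s->cap)
    return 0;
  fresh = (unsigned char *) malloc (new_cap);
  if (fresh == NULL)
    return -1;
  memcpy (fresh, s->data, s->len);
  wipe_bytes (s->data, s->cap);
  free (s->data);
  s->data = fresh;
  s->cap = new_cap;
  return 0;
}

/* Wipe the entire allocation and release it. */
static void
secret_clear (secret_buf *s)
{
  if (s->data != NULL)
    {
      wipe_bytes (s->data, s->cap);
      free (s->data);
    }
  s->data = NULL;
  s->len = s->cap = 0;
}

/* Copy a constructed sample password into a stack buffer, wipe it and
   report 1 if every byte is zero afterwards, else 0. */
int
demo_wipe_stack (void)
{
  unsigned char pw[16], acc = 0;
  size_t i;
  memcpy (pw, "hunter2-example", 16);   /* constructed sample secret */
  wipe_bytes (pw, sizeof pw);
  for (i = 0; i < sizeof pw; i++)
    acc |= pw[i];
  return acc == 0;
}

/* Grow a buffer past its initial capacity (which wipes and frees the
   old block) and report 1 if the secret survived the move intact. */
int
demo_grow_preserves (void)
{
  secret_buf s;
  int ok;
  if (secret_init (&s, 8) != 0)
    return 0;
  memcpy (s.data, "correct ", 8);        /* constructed sample secret */
  s.len = 8;
  ok = secret_grow (&s, 32) == 0 && s.cap == 32
    && memcmp (s.data, "correct ", 8) == 0;
  secret_clear (&s);
  return ok && s.data == NULL && s.cap == 0;
}
```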
void
init_tls (void)
{
  SECMODModule *module;

  /* Check that we are using compatible versions */
  if (PR_VersionCheck(PR_VERSION) == PR_FALSE)
    signal_error (Qinternal_error,
                  "NSPR version mismatch: expected " PR_VERSION, Qnil);
  if (NSS_VersionCheck(NSS_VERSION) == PR_FALSE)
    signal_error (Qinternal_error,
                  "NSS version mismatch: expected " NSS_VERSION, Qnil);

  /* Basic initialization of both libraries */
  PR_Init (PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
  if (NSS_Init ("sql:/etc/pki/nssdb") != SECSuccess)
    signal_error (Qtls_error, "Error initializing NSS", NSS_ERRSTR);

  /* Set the cipher suite policy */
  if (NSS_SetDomesticPolicy() != SECSuccess)
    signal_error (Qtls_error, "NSS unable to set policy", NSS_ERRSTR);

  /* Load the root certificates */
  module = SECMOD_LoadUserModule ("library=libnssckbi.so name=\"Root Certs\"",
                                  NULL, PR_FALSE);
  if (module == NULL || !module->loaded)
    signal_error (Qtls_error, "NSS unable to load root certificates",
                  NSS_ERRSTR);

  /* Setup password gathering */
  PK11_SetPasswordFunc (nss_pk11_password);

  /* Create the model file descriptors */
  nss_model = SSL_ImportFD (NULL, PR_OpenTCPSocket (PR_AF_INET));
  if (nss_model == NULL)
    {
      nss_model = SSL_ImportFD (NULL, PR_OpenTCPSocket (PR_AF_INET6));
      if (nss_model == NULL)
        signal_error (Qtls_error, "NSS cannot create model socket",
                      NSS_ERRSTR);
    }

  /* Set options on the model socket */
  if (SSL_OptionSet (nss_model, SSL_SECURITY, PR_TRUE) != SECSuccess)
    signal_error (Qtls_error, "NSS cannot enable model socket", NSS_ERRSTR);
  if (SSL_OptionSet (nss_model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess)
    signal_error (Qtls_error, "NSS unable to disable SSLv2", NSS_ERRSTR);
  if (SSL_OptionSet (nss_model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE)
      != SECSuccess)
    signal_error (Qtls_error, "NSS unable to disable SSLv2 handshake",
                  NSS_ERRSTR);
  if (SSL_OptionSet (nss_model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess)
    signal_error (Qtls_error, "NSS unable to disable deflate", NSS_ERRSTR);
  if (SSL_OptionSet (nss_model, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE)
      != SECSuccess)
    signal_error (Qtls_error, "NSS unable to enable handshake as client",
                  NSS_ERRSTR);

  nss_inited = 1;
}
#endif /* HAVE_NSS */

390 #ifdef HAVE_GNUTLS |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
391 #include <gnutls/pkcs11.h> |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
#include <gnutls/x509.h>
#include "sysfile.h"

#define GNUTLS_ERRSTR(err) build_extstring (gnutls_strerror (err), Qnative)

/* The global credentials object */
static gnutls_certificate_credentials_t global_cred;

int
tls_get_fd (tls_state_t *state)
{
  return (int)(unsigned long)gnutls_transport_get_ptr (state->tls_session);
}

Bytecount
tls_read (tls_state_t *state, unsigned char *data, Bytecount size,
          unsigned int allow_quit)
{
  ssize_t bytes;

 again:
  do
    {
      if (allow_quit)
        QUIT;
      bytes = gnutls_record_recv (state->tls_session, data, size);
    }
  while (bytes == GNUTLS_E_INTERRUPTED || bytes == GNUTLS_E_AGAIN);
  switch (bytes)
    {
    case GNUTLS_E_UNEXPECTED_PACKET_LENGTH:
      bytes = 0;
      break;
    case GNUTLS_E_REHANDSHAKE:
      {
        int err;

        do
          err = gnutls_handshake (state->tls_session);
        while (err == GNUTLS_E_AGAIN || err == GNUTLS_E_INTERRUPTED);
        if (err == GNUTLS_E_SUCCESS)
          goto again;
      }
      errno = EACCES;
      bytes = -1;
      break;
    default:
      if (bytes < 0 && errno == 0)
        {
          errno = EPIPE;
          bytes = -1;
        }
      break;
    }
  return (Bytecount) bytes;
}

Bytecount
tls_write (tls_state_t *state, const unsigned char *data, Bytecount size,
           unsigned int allow_quit)
{
  ssize_t bytes;

  do
    {
      if (allow_quit)
        QUIT;
      bytes = gnutls_record_send (state->tls_session, data, size);
    }
  while (bytes == GNUTLS_E_INTERRUPTED || bytes == GNUTLS_E_AGAIN);
  if (bytes == GNUTLS_E_LARGE_PACKET)
    {
      errno = EMSGSIZE;
      bytes = -1;
    }
  else if (bytes < 0 && errno == 0)
    {
      errno = EPIPE;
      bytes = -1;
    }
  return (Bytecount) bytes;
}

int
tls_close (tls_state_t *state)
{
  if (--state->tls_refcount == 0)
    {
      int fd, err;

      fd = (int)(unsigned long)gnutls_transport_get_ptr (state->tls_session);
      gnutls_bye (state->tls_session, GNUTLS_SHUT_RDWR);
      err = retry_close (fd);
      gnutls_deinit (state->tls_session);
      xfree (state);
      return err;
    }
  return 0;
}

tls_state_t *
tls_open (int s, const Extbyte *hostname)
{
#ifndef HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS3
  gnutls_x509_crt_t cert;
#endif
  tls_state_t *gnutls;
  const char *errptr = NULL;
  const gnutls_datum_t *certs;
  unsigned int status, certslen = 0U;
  int err;
  const int val = 1;

  /* Disable Nagle's algorithm */
  setsockopt (s, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));

  /* Create the state object */
  gnutls = (tls_state_t *) xmalloc (sizeof (*gnutls));
  gnutls->tls_refcount = 2;

  /* Initialize the session object */
  err = gnutls_init (&gnutls->tls_session, GNUTLS_CLIENT);
  if (err != GNUTLS_E_SUCCESS)
    {
      xfree (gnutls);
      warn_when_safe (Qtls_error, Qerror, "GNUTLS error in gnutls_init: %s",
                      gnutls_strerror (err));
      errno = EACCES;
      return NULL;
    }

  /* Configure the cipher preferences */
  err = gnutls_priority_set_direct (gnutls->tls_session, "NORMAL", &errptr);
  if (err != GNUTLS_E_SUCCESS)
    {
      xfree (gnutls);
      warn_when_safe (Qtls_error, Qerror,
                      "GNUTLS error in gnutls_priority_set_direct: %s at %s",
                      gnutls_strerror (err), errptr);
      errno = EACCES;
      return NULL;
    }

  /* Install the trusted certificates */
  err = gnutls_credentials_set (gnutls->tls_session, GNUTLS_CRD_CERTIFICATE,
                                global_cred);
  if (err != GNUTLS_E_SUCCESS)
    {
      xfree (gnutls);
      warn_when_safe (Qtls_error, Qerror,
                      "GNUTLS error in gnutls_credentials_set: %s",
                      gnutls_strerror (err));
      errno = EACCES;
      return NULL;
    }

  /* Associate the socket with the session object */
  gnutls_transport_set_ptr (gnutls->tls_session,
                            (gnutls_transport_ptr_t)(unsigned long)s);

  /* Set the server name */
  if (hostname != NULL)
    {
      err = gnutls_server_name_set (gnutls->tls_session, GNUTLS_NAME_DNS,
                                    hostname, strlen (hostname));
      if (err != GNUTLS_E_SUCCESS)
        {
          xfree (gnutls);
          warn_when_safe (Qtls_error, Qerror,
                          "GNUTLS error in gnutls_server_name_set: %s",
                          gnutls_strerror (err));
          errno = EACCES;
          return NULL;
        }
    }

  /* Perform the handshake */
  do
    err = gnutls_handshake (gnutls->tls_session);
  while (err == GNUTLS_E_AGAIN || err == GNUTLS_E_INTERRUPTED);
  if (err != GNUTLS_E_SUCCESS)
    {
      xfree (gnutls);
      warn_when_safe (Qtls_error, Qerror,
                      "GNUTLS error in gnutls_handshake: %s",
                      gnutls_strerror (err));
      errno = EACCES;
      return NULL;
    }

  /* Get the server certificate chain */
  certs = gnutls_certificate_get_peers (gnutls->tls_session, &certslen);
  if (certs == NULL || certslen == 0U)
    {
      xfree (gnutls);
      warn_when_safe (Qtls_error, Qerror,
                      "GNUTLS could not get peer certificate: %s",
                      gnutls_strerror (err));
      errno = EACCES;
      return NULL;
    }

  /* Validate the server certificate chain */
  status = (unsigned int) -1;
#ifdef HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS3
  if (hostname != NULL)
    err = gnutls_certificate_verify_peers3 (gnutls->tls_session, hostname,
                                            &status);
  else
#endif /* HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS3 */
    err = gnutls_certificate_verify_peers2 (gnutls->tls_session, &status);
  if (err != GNUTLS_E_SUCCESS)
    {
      xfree (gnutls);
      warn_when_safe (Qtls_error, Qerror,
                      "GNUTLS could not verify peer certificate: %s",
                      gnutls_strerror (err));
      errno = EACCES;
      return NULL;
    }
  if (status != 0U)
    {
      gnutls_datum_t msg;

#ifdef HAVE_GNUTLS_CERTIFICATE_VERIFICATION_STATUS_PRINT
      gnutls_certificate_type_t type;

      type = gnutls_certificate_type_get (gnutls->tls_session);
      err =
        gnutls_certificate_verification_status_print (status, type, &msg, 0);
#else
      err = -1;
#endif /* HAVE_GNUTLS_CERTIFICATE_VERIFICATION_STATUS_PRINT */
      xfree (gnutls);
      if (err == 0)
        {
          warn_when_safe (Qtls_error, Qerror,
                          "GNUTLS: certificate validation failed: %s",
                          msg.data);
          gnutls_free(msg.data);
          errno = EACCES;
          return NULL;
        }
      else
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
636 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
637 warn_when_safe (Qtls_error, Qerror, |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
638 "GNUTLS: certificate validation failed with code %u", |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
639 status); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
640 errno = EACCES; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
641 return NULL; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
642 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
643 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
644 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
645 #ifndef HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS3 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
646 if (hostname != NULL) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
647 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
648 /* Match the peer certificate against the host name */ |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
649 err = gnutls_x509_crt_init (&cert); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
650 if (err != GNUTLS_E_SUCCESS) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
651 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
652 xfree (gnutls); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
653 warn_when_safe (Qtls_error, Qerror, |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
654 "GNUTLS error in gnutls_x509_crt_init: %s", |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
655 gnutls_strerror (err)); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
656 errno = EACCES; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
657 return NULL; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
658 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
659 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
660 /* The peer certificate is the first certificate in the list */ |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
661 err = gnutls_x509_crt_import (cert, certs, GNUTLS_X509_FMT_DER); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
662 if (err != GNUTLS_E_SUCCESS) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
663 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
664 xfree (gnutls); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
665 warn_when_safe (Qtls_error, Qerror, |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
666 "GNUTLS error in gnutls_x509_crt_import: %s", |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
667 gnutls_strerror (err)); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
668 gnutls_x509_crt_deinit (cert); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
669 errno = EACCES; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
670 return NULL; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
671 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
672 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
673 err = gnutls_x509_crt_check_hostname (cert, hostname); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
674 if (err == 0) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
675 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
676 xfree (gnutls); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
677 warn_when_safe (Qtls_error, Qerror, |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
678 "GNUTLS: hostname does not match certificate: %s", |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
679 gnutls_strerror (err)); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
680 gnutls_x509_crt_deinit (cert); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
681 errno = EACCES; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
682 return NULL; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
683 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
684 gnutls_x509_crt_deinit (cert); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
685 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
686 #endif /* HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS3 */ |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
687 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
688 return gnutls; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
689 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
690 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
691 /* Set the key and certificate files to use */ |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
692 static void |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
693 tls_set_x509_key_file (const Extbyte *certfile, const Extbyte *keyfile) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
694 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
695 int err; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
696 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
697 err = gnutls_certificate_set_x509_key_file (global_cred, certfile, keyfile, |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
698 GNUTLS_X509_FMT_PEM); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
699 if (err < GNUTLS_E_SUCCESS) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
700 signal_error (Qtls_error, "gnutls_certificate_set_x509_key_file", |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
701 GNUTLS_ERRSTR (err)); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
702 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
703 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
704 /* Function that gathers PKCS #11 passwords. */ |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
705 static int |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
706 gnutls_pk11_password (void * UNUSED (userdata), int UNUSED (attempt), |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
707 const char *token_url, const char *token_label, |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
708 unsigned int UNUSED (flags), char *pin, size_t pin_max) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
709 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
710 Lisp_Object lsp_password, args[5]; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
711 Extbyte *c_password; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
712 size_t len; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
713 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
714 /* Get the password from the user */ |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
715 args[0] = prompt; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
716 args[1] = build_extstring (token_label, Qnative); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
717 args[2] = build_ascstring (" ("); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
718 args[3] = build_extstring (token_url, Qnative); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
719 args[4] = build_ascstring (")"); |
5888
a85efdabe237
Call #'read-passwd when requesting a password from the user, tls.c
Aidan Kehoe <kehoea@parhasard.net>
parents:
5887
diff
changeset
|
720 lsp_password = call1 (Qread_passwd, Fconcat (5, args)); |
5814
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
721 c_password = LISP_STRING_TO_EXTERNAL (lsp_password, Qnative); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
722 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
723 /* Insert the password */ |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
724 len = strlen (c_password); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
725 if (len > pin_max) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
726 len = pin_max; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
727 memcpy (pin, c_password, len); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
728 pin[len] = '\0'; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
729 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
730 /* Wipe out the password on the stack and in the Lisp string */ |
5891
a0e751d6c3ad
Import the #'clear-string API from GNU, use it in tls.c
Aidan Kehoe <kehoea@parhasard.net>
parents:
5888
diff
changeset
|
731 Fclear_string (lsp_password); |
5814
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
732 memset (c_password, '*', strlen (c_password)); |
5891
a0e751d6c3ad
Import the #'clear-string API from GNU, use it in tls.c
Aidan Kehoe <kehoea@parhasard.net>
parents:
5888
diff
changeset
|
733 |
5814
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
734 return GNUTLS_E_SUCCESS; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
735 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
736 |
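The PIN callback above copies a secret obtained from the user into a fixed-size buffer supplied by GnuTLS and then wipes its own copies. What follows is an added example, not code from XEmacs or GnuTLS, that isolates that bounded copy and the wipe in plain C so it compiles without the GnuTLS headers: `copy_pin`, `wipe_secret`, `all_zero` and `pin_callback` are hypothetical names, the callback signature is written out by hand to match the shape of a GnuTLS PKCS #11 PIN function, and the password source (a constructed string passed through `userdata`) stands in for the `read-passwd` prompt. It shows the edge case the callback has to handle: a password as long as or longer than `pin_max` is truncated to `pin_max - 1` characters so the terminating NUL still lands inside the buffer.

```c
/* Added example (not XEmacs code): a PKCS #11 PIN callback in the shape
   GnuTLS expects, showing a bounds-safe copy into the caller's buffer and
   explicit wiping of the intermediate copy.  The signature is written out
   by hand so this builds without <gnutls/pkcs11.h>; the password source is
   a constructed string passed through userdata. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Overwrite a buffer through a volatile pointer so the optimizer cannot
   drop the stores as dead writes. */
static void
wipe_secret (void *buf, size_t len)
{
  volatile unsigned char *p = (volatile unsigned char *) buf;
  while (len-- > 0)
    *p++ = 0;
}

/* Copy PASSWORD into PIN, a buffer of PIN_MAX bytes, truncating so that
   the terminating NUL always fits.  Returns the number of characters
   stored (excluding the NUL); 0 if the buffer cannot hold a character. */
static size_t
copy_pin (char *pin, size_t pin_max, const char *password)
{
  size_t len;

  if (pin == NULL || pin_max == 0)
    return 0;
  len = strlen (password);
  if (len >= pin_max)
    len = pin_max - 1;          /* leave room for '\0' */
  memcpy (pin, password, len);
  pin[len] = '\0';
  return len;
}

/* Returns 1 if every byte of BUF is zero (used to confirm a wipe). */
static int
all_zero (const unsigned char *buf, size_t len)
{
  size_t i;
  for (i = 0; i < len; i++)
    if (buf[i] != 0)
      return 0;
  return 1;
}

/* Hypothetical PIN callback: same parameter list as a GnuTLS PKCS #11 PIN
   function.  The real code prompts the user; here userdata points at the
   constructed password.  Returns 0 on success, -1 on failure. */
static int
pin_callback (void *userdata, int attempt, const char *token_url,
              const char *token_label, unsigned int flags,
              char *pin, size_t pin_max)
{
  char scratch[256];            /* intermediate copy, wiped before return */
  const char *source = (const char *) userdata;
  size_t n;

  (void) attempt; (void) token_url; (void) token_label; (void) flags;
  if (source == NULL)
    return -1;
  n = copy_pin (scratch, sizeof scratch, source);
  if (n > 0)
    n = copy_pin (pin, pin_max, scratch);
  wipe_secret (scratch, sizeof scratch);
  return n > 0 ? 0 : -1;
}

int
main (void)
{
  char pin[8];                          /* smaller than the password */
  char pw[] = "hunter2hunter2";         /* constructed sample secret */
  int rc = pin_callback (pw, 0, "pkcs11:token=demo", "demo", 0,
                         pin, sizeof pin);

  printf ("rc=%d pin=\"%s\" (%zu chars, truncated to fit)\n",
          rc, pin, strlen (pin));
  wipe_secret (pw, sizeof pw);
  printf ("source wiped: %s\n",
          all_zero ((const unsigned char *) pw, sizeof pw) ? "yes" : "no");
  return 0;
}
```

The `volatile` walk in `wipe_secret` exists because a plain `memset` on memory that is never read again may be removed by the optimizer; where the platform provides `explicit_bzero` or `memset_s`, those are the preferred tools for the same job.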
Lines 737–843. Annotation: rev 5814 a216b3c2b09e, "Add TLS support. See xemacs-patches message with ID", Jerry James <james@xemacs.org>, except the `#ifdef HAVE_X509_CHECK_HOST` include block, which is from rev 5887 6eca500211f4, "Prototype for X509_check_host() has changed, detect this in configure.ac", Aidan Kehoe <kehoea@parhasard.net>. The page is cut off inside `openssl_report_error_num`.

```c
static void xfree_for_gnutls (void *ptr)
{
  /* GnuTLS sometimes tries to free NULL */
  if (ptr != NULL)
    xfree (ptr);
}

void
init_tls (void)
{
  int err = GNUTLS_E_SUCCESS;

  /* Tell gnutls to use our memory allocation functions */
  gnutls_global_set_mem_functions ((void * (*)(size_t)) xmalloc,
                                   (void * (*)(size_t)) xmalloc,
                                   NULL,
                                   (void * (*)(void *, size_t)) xrealloc,
                                   xfree_for_gnutls);

  /* Initialize the library */
  err = gnutls_global_init ();
  if (err != GNUTLS_E_SUCCESS)
    signal_error (Qtls_error, "gnutls_global_init", GNUTLS_ERRSTR (err));

  /* Load the trusted CA certificates */
  err = gnutls_certificate_allocate_credentials (&global_cred);
  if (err != GNUTLS_E_SUCCESS)
    signal_error (Qtls_error, "gnutls_certificate_allocate_credentials",
                  GNUTLS_ERRSTR (err));
  err = gnutls_certificate_set_x509_system_trust (global_cred);
  if (err == 0)
    signal_error (Qtls_error, "gnutls: no system certificates found", Qnil);
  if (err < 0)
    signal_error (Qtls_error, "gnutls_certificate_set_x509_system_trust",
                  GNUTLS_ERRSTR (err));

  /* Setup password gathering */
  gnutls_pkcs11_set_pin_function (gnutls_pk11_password, NULL);
}
#endif /* HAVE_GNUTLS */

#ifdef HAVE_OPENSSL
#include <unistd.h>
#include <openssl/conf.h>
#include <openssl/err.h>

#ifdef HAVE_X509_CHECK_HOST
#include <openssl/x509v3.h>
#endif

/* The context used to create connections */
static SSL_CTX *ssl_ctx;

static Lisp_Object
openssl_error_string (void)
{
  Lisp_Object args[5];
  unsigned long err = ERR_get_error ();
  /* The ERR_*_error_string lookups return NULL when no string is known
     for the code; build_ascstring must not be handed NULL. */
  const char *lib = ERR_lib_error_string (err);
  const char *func = ERR_func_error_string (err);
  const char *reason = ERR_reason_error_string (err);

  args[0] = build_ascstring (lib == NULL ? "<unknown>" : lib);
  args[1] = build_ascstring (":");
  args[2] = build_ascstring (func == NULL ? "<unknown>" : func);
  args[3] = build_ascstring (":");
  args[4] = build_ascstring (reason == NULL ? "<unknown>" : reason);
  return Fconcat (5, args);
}

static unsigned long
openssl_report_error_stack (const char *msg, const SSL *ssl)
{
  unsigned long err = ERR_get_error ();
  if (err > 0UL)
    {
      if (ERR_GET_LIB (err) == ERR_LIB_SSL &&
          ERR_GET_REASON (err) == SSL_R_CERTIFICATE_VERIFY_FAILED)
        {
          long cert_err = SSL_get_verify_result (ssl);
          warn_when_safe (Qtls_error, Qerror, "%s:%s", msg,
                          X509_verify_cert_error_string (cert_err));
        }
      else
        {
          const char *lib = ERR_lib_error_string (err);
          const char *func = ERR_func_error_string (err);
          const char *reason = ERR_reason_error_string (err);
          warn_when_safe (Qtls_error, Qerror, "%s:%s:%s:%s", msg,
                          lib == NULL ? "<unknown>" : lib,
                          func == NULL ? "<unknown>" : func,
                          reason == NULL ? "<unknown>" : reason);
        }
    }
  return err;
}

/* Return values:
 * -1 = fatal error, caller should exit
 *  0 = no error, caller should continue
 *  1 = nonfatal error, caller should retry
 */
static int
openssl_report_error_num (const char *msg, const SSL *ssl, int ret, int retry)
{
  int errno_copy = errno;
  int ssl_error = SSL_get_error (ssl, ret);
  int err;

  switch (ssl_error)
```
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
844 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
845 case SSL_ERROR_NONE: |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
846 case SSL_ERROR_ZERO_RETURN: |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
847 err = 0; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
848 break; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
849 case SSL_ERROR_WANT_READ: |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
850 case SSL_ERROR_WANT_WRITE: |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
851 err = retry; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
852 break; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
853 case SSL_ERROR_WANT_CONNECT: |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
854 case SSL_ERROR_WANT_ACCEPT: |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
855 case SSL_ERROR_WANT_X509_LOOKUP: |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
856 err = 1; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
857 break; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
858 case SSL_ERROR_SYSCALL: |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
859 if (openssl_report_error_stack (msg, ssl) == 0UL && ret < 0) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
860 warn_when_safe (Qtls_error, Qerror, "%s: %s", msg, |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
861 strerror (errno_copy)); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
862 err = ret; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
863 break; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
864 case SSL_ERROR_SSL: |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
865 openssl_report_error_stack (msg, ssl); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
866 err = -1; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
867 break; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
868 default: |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
869 warn_when_safe (Qtls_error, Qerror, "%s: error %d", msg, ssl_error); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
870 err = -1; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
871 break; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
872 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
873 errno = errno_copy; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
874 return err; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
875 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
876 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
877 int |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
878 tls_get_fd (tls_state_t *state) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
879 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
880 return SSL_get_fd (state->tls_connection); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
881 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
882 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
883 Bytecount |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
884 tls_read (tls_state_t *state, unsigned char *data, Bytecount size, |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
885 unsigned int allow_quit) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
886 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
887 int action, bytes; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
888 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
889 if (SSL_get_shutdown (state->tls_connection)) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
890 return 0; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
891 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
892 bytes = SSL_read (state->tls_connection, data, size); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
893 action = (bytes > 0) ? 0 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
894 : openssl_report_error_num ("SSL_read", state->tls_connection, bytes, 0); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
895 while (bytes <= 0 && action > 0) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
896 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
897 if (allow_quit) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
898 QUIT; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
899 bytes = SSL_read (state->tls_connection, data, size); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
900 action = (bytes > 0) ? 0 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
901 : openssl_report_error_num ("SSL_read", state->tls_connection, |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
902 bytes, 0); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
903 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
904 return (Bytecount) bytes; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
905 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
906 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
907 Bytecount |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
908 tls_write (tls_state_t *state, const unsigned char *data, Bytecount size, |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
909 unsigned int allow_quit) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
910 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
911 int action, bytes; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
912 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
913 if (SSL_get_shutdown (state->tls_connection)) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
914 return 0; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
915 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
916 bytes = SSL_write (state->tls_connection, data, size); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
917 action = (bytes > 0) ? 0 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
918 : openssl_report_error_num ("SSL_write", state->tls_connection, bytes, 0); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
919 while (bytes <= 0 && action > 0) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
920 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
921 if (allow_quit) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
922 QUIT; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
923 bytes = SSL_write (state->tls_connection, data, size); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
924 action = (bytes > 0) ? 0 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
925 : openssl_report_error_num ("SSL_write", state->tls_connection, |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
926 bytes, 0); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
927 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
928 return (Bytecount) bytes; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
929 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
930 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
931 int |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
932 tls_close (tls_state_t *state) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
933 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
934 if (--state->tls_refcount == 0) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
935 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
936 int err, fd; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
937 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
938 fd = SSL_get_fd (state->tls_connection); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
939 if (SSL_get_shutdown (state->tls_connection) == 0) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
940 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
941 err = SSL_shutdown (state->tls_connection); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
942 if (err < 0 && errno == EBADF) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
943 err = 0; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
944 if (err < 0) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
945 openssl_report_error_num ("SSL_shutdown failed", |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
946 state->tls_connection, err, 0); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
947 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
948 else |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
949 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
950 err = 0; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
951 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
952 close (fd); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
953 SSL_free (state->tls_connection); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
954 xfree (state); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
955 return err > 0 ? 0 : err; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
956 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
957 return 0; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
958 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
959 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
960 tls_state_t * |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
961 tls_open (int s, const Extbyte *hostname) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
962 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
963 tls_state_t *openssl; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
964 X509 *peer_cert = NULL; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
965 const int val = 1; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
966 int err; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
967 long cert_err; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
968 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
969 /* Disable Nagle's algorithm */ |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
970 setsockopt (s, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val)); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
971 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
972 /* Create the state object */ |
5825 | 973 openssl = (tls_state_t *) xmalloc (sizeof (*openssl)); |
5814
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
974 openssl->tls_refcount = 2; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
975 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
976 /* Create the connection object */ |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
977 openssl->tls_connection = SSL_new (ssl_ctx); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
978 if (openssl->tls_connection == NULL) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
979 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
980 openssl_report_error_stack ("SSL_new failed", NULL); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
981 goto error; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
982 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
983 if (SSL_set_fd (openssl->tls_connection, s) == 0) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
984 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
985 openssl_report_error_stack ("SSL_set_fd", openssl->tls_connection); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
986 goto error; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
987 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
988 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
989 /* Enable the ServerNameIndication extension */ |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
990 if (hostname != NULL && |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
991 !SSL_set_tlsext_host_name (openssl->tls_connection, hostname)) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
992 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
993 openssl_report_error_stack ("SSL_set_tlsext_host_name failed", |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
994 openssl->tls_connection); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
995 goto error; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
996 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
997 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
998 /* Perform the handshake */ |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
999 err = SSL_connect (openssl->tls_connection); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1000 while (err != 1) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1001 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1002 int action = openssl_report_error_num ("SSL_connect failed", |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1003 openssl->tls_connection, err, 1); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1004 if (action < 0) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1005 goto error; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1006 err = SSL_connect (openssl->tls_connection); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1007 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1008 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1009 /* Get the server certificate */ |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1010 peer_cert = SSL_get_peer_certificate (openssl->tls_connection); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1011 if (peer_cert == NULL) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1012 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1013 warn_when_safe (Qtls_error, Qerror, |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1014 "Peer did not present a certificate"); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1015 goto error; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1016 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1017 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1018 cert_err = SSL_get_verify_result (openssl->tls_connection); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1019 if (cert_err != X509_V_OK) |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1020 { |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1021 warn_when_safe (Qtls_error, Qerror, |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1022 "Peer certificate verification failure:%s", |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1023 X509_verify_cert_error_string (cert_err)); |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1024 goto error; |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1025 } |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1026 |
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
changeset
|
1027 #ifdef HAVE_X509_CHECK_HOST |
5887
6eca500211f4
Prototype for X509_check_host() has changed, detect this in configure.ac
Aidan Kehoe <kehoea@parhasard.net>
parents:
5825
diff
changeset
|
1028 err = X509_check_host (peer_cert, (const char *) hostname, |
6eca500211f4
Prototype for X509_check_host() has changed, detect this in configure.ac
Aidan Kehoe <kehoea@parhasard.net>
parents:
5825
diff
changeset
|
1029 strlen (hostname), 0, NULL); |
5814
a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
Jerry James <james@xemacs.org>
parents:
diff
Annotation: every line below comes from changeset 5814 a216b3c2b09e (Add TLS support. See xemacs-patches message with ID; Jerry James <james@xemacs.org>) unless it carries a revision marker: [5815] is d59bfb050ca8, Fix TLS-related build failures. See xemacs-patches message with ID (Jerry James <james@xemacs.org>, parent 5814); [5888] is a85efdabe237, Call #'read-passwd when requesting a password from the user, tls.c (Aidan Kehoe <kehoea@parhasard.net>, parent 5887); [5891] is a0e751d6c3ad, Import the #'clear-string API from GNU, use it in tls.c (Aidan Kehoe <kehoea@parhasard.net>, parent 5888).

  if (err < 0)
    {
      warn_when_safe (Qtls_error, Qerror,
                      "Out of memory while checking certificate");
      goto error;
    }
  if (err == 0)
    {
      warn_when_safe (Qtls_error, Qerror,
                      "Peer certificate verification failure");
      goto error;
    }
#endif
  X509_free (peer_cert);

  return openssl;

 error:
  if (openssl->tls_connection != NULL)
    SSL_free (openssl->tls_connection);
  xfree (openssl);
  errno = EACCES;
  return NULL;
}

/* Set the key and certificate files to use */
static void
tls_set_x509_key_file (const Extbyte *certfile, const Extbyte *keyfile)
{
  int err;

  err = SSL_CTX_use_PrivateKey_file (ssl_ctx, keyfile, SSL_FILETYPE_PEM);
  if (err <= 0)
    signal_error (Qtls_error, "SSL_CTX_use_PrivateKey_file",
                  openssl_error_string ());
  err = SSL_CTX_use_certificate_file (ssl_ctx, certfile, SSL_FILETYPE_PEM);
  if (err <= 0)
    signal_error (Qtls_error, "SSL_CTX_use_certificate_file",
                  openssl_error_string ());
}

/* Function that gathers passwords for PKCS #11 tokens. */
static int
openssl_password (char *buf, int size, int UNUSED (rwflag),
                  void *UNUSED (userdata))
{
[5891]  Lisp_Object lsp_password;
  Extbyte *c_password;

  lsp_password =
[5888]    call1 (Qread_passwd, concat2 (prompt, build_ascstring ("PEM: ")));
  c_password = LISP_STRING_TO_EXTERNAL (lsp_password, Qnative);
  strncpy (buf, c_password, size);

  /* Wipe out the password on the stack and in the Lisp string */
[5891]  Fclear_string (lsp_password);
  memset (c_password, '*', strlen (c_password));

  return (int) strlen (buf);
}

void
init_tls (void)
{
  /* Load the default configuration */
  OPENSSL_config (NULL);

  /* Tell openssl to use our memory allocation functions */
  CRYPTO_set_mem_functions ((void * (*)(size_t)) xmalloc,
                            (void * (*)(void *, size_t)) xrealloc,
                            xfree_1);

  /* Load human-readable error messages */
  SSL_load_error_strings ();

  /* Initialize the library */
  SSL_library_init ();

  /* Configure a client connection context, and send a handshake for the
   * highest supported TLS version. */
  ssl_ctx = SSL_CTX_new (SSLv23_client_method ());
  if (ssl_ctx == NULL)
    signal_error (Qtls_error, "SSL_CTX_new failed", openssl_error_string ());

  /* Disallow SSLv2 and disable compression. */
  SSL_CTX_set_options (ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);

  /* Set various useful mode bits */
  SSL_CTX_set_mode (ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |
                    SSL_MODE_AUTO_RETRY | SSL_MODE_RELEASE_BUFFERS);

  /* Let the system select the ciphers */
[5815]  if (SSL_CTX_set_cipher_list (ssl_ctx, "DEFAULT") != 1)
    signal_error (Qtls_error, "SSL_CTX_set_cipher_list failed",
                  openssl_error_string ());

  /* Load the set of trusted root certificates. */
  if (!SSL_CTX_set_default_verify_paths (ssl_ctx))
    signal_error (Qtls_error, "SSL_CTX_set_default_verify_paths failed",
                  openssl_error_string ());

  /* Setup password gathering */
  SSL_CTX_set_default_passwd_cb (ssl_ctx, openssl_password);
}
#endif /* HAVE_OPENSSL */

#ifdef WITH_TLS
tls_state_t *
tls_negotiate (int fd, const Extbyte *host, Lisp_Object keylist)
{
  Lisp_Object tail;

  for (tail = keylist; CONSP (tail); tail = XCDR (tail))
    {
      Lisp_Object keyfile = Fcar (XCAR (tail));
      Lisp_Object certfile = Fcar (Fcdr (XCAR (tail)));
      Extbyte *c_keyfile, *c_certfile;

      if (!STRINGP (keyfile))
        invalid_argument ("Keyfile must be a filename", keyfile);
      if (!STRINGP (certfile))
        invalid_argument ("Certfile must be a filename", certfile);

      c_keyfile = LISP_STRING_TO_EXTERNAL (keyfile, Qfile_name);
      c_certfile = LISP_STRING_TO_EXTERNAL (certfile, Qfile_name);
      tls_set_x509_key_file (c_certfile, c_keyfile);
    }
  return tls_open (fd, host);
}
#endif /* WITH_TLS */

#ifndef WITH_TLS
void
init_tls (void)
{
}
#endif /* !WITH_TLS */

void
syms_of_tls (void)
{
#ifdef WITH_TLS
[5888]  DEFSYMBOL (Qread_passwd);
#endif
  DEFERROR (Qtls_error, "TLS error", Qerror);
}

void
vars_of_tls (void)
{
#ifdef WITH_TLS
  staticpro (&prompt);
  prompt = build_ascstring ("Password for ");
  Fprovide (intern ("tls"));
#ifdef HAVE_NSS
  Fprovide (intern ("tls-nss"));
#endif
#ifdef HAVE_GNUTLS
  Fprovide (intern ("tls-gnutls"));
#endif
#ifdef HAVE_OPENSSL
  Fprovide (intern ("tls-openssl"));
#endif
#endif
}
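The openssl_password callback above copies the passphrase with strncpy (buf, c_password, size) and then measures strlen (buf): strncpy does not write a terminator when the source is at least size bytes long, so that strlen would run past the end of buf, and the memset that follows writes '*' into a buffer that is never read again, which an optimizer is free to drop (the reason OpenSSL ships OPENSSL_cleanse). The block below is an added example, not XEmacs code, showing a callback with the same OpenSSL signature that refuses a passphrase that does not fit instead of truncating it, always terminates buf, and wipes its source copy through volatile stores on every path. It assumes a hypothetical struct password_source standing in for the read-passwd result, and it deliberately avoids the OpenSSL headers so it builds stand-alone.

```c
#include <stddef.h>
#include <string.h>

/* Added example (not XEmacs code): a PEM password callback with the
   signature OpenSSL's SSL_CTX_set_default_passwd_cb expects,
   int cb (char *buf, int size, int rwflag, void *userdata),
   written without OpenSSL headers so it builds stand-alone. */

/* Hypothetical stand-in for the interactive prompt: the caller fills
   `secret' with what read-passwd would have returned. */
struct password_source
{
  char secret[64];
  int wiped;          /* set once the source copy has been zeroed */
};

/* Zero a buffer through a volatile pointer so the optimizer cannot treat
   the stores as dead; a plain memset on memory that is never read again
   may be removed.  OpenSSL's OPENSSL_cleanse exists for the same reason. */
static void
secure_wipe (void *p, size_t n)
{
  volatile unsigned char *vp = (volatile unsigned char *) p;
  while (n--)
    *vp++ = 0;
}

/* Load a constructed passphrase into the source.  Returns 0, or -1 if the
   passphrase (plus its terminator) does not fit. */
int
password_source_init (struct password_source *src, const char *constructed)
{
  size_t len = strlen (constructed);
  if (len >= sizeof src->secret)
    return -1;
  memcpy (src->secret, constructed, len + 1);
  src->wiped = 0;
  return 0;
}

/* The callback proper.  OpenSSL treats a negative return as an error and a
   non-negative return as the passphrase length.  Unlike a bare strncpy,
   this never leaves `buf' unterminated: a passphrase that does not fit is
   refused rather than truncated, and the source copy is wiped on every
   path, including the error path. */
int
bounded_password_cb (char *buf, int size, int rwflag, void *userdata)
{
  struct password_source *src = (struct password_source *) userdata;
  const char *nul;
  size_t len;
  int result = -1;

  (void) rwflag;               /* same passphrase for reading and writing */
  if (buf == NULL || size <= 0 || src == NULL)
    return -1;

  /* Bounded length of the source; never run past the struct. */
  nul = (const char *) memchr (src->secret, '\0', sizeof src->secret);
  len = nul ? (size_t) (nul - src->secret) : sizeof src->secret;

  if (len < (size_t) size)     /* room for the passphrase plus its NUL */
    {
      memcpy (buf, src->secret, len);
      buf[len] = '\0';
      result = (int) len;
    }
  else
    {
      buf[0] = '\0';           /* hand back nothing on the error path */
    }

  secure_wipe (src->secret, sizeof src->secret);
  src->wiped = 1;
  return result;
}
```

Registering it is the same one-liner as on the page, SSL_CTX_set_default_passwd_cb (ctx, bounded_password_cb), with the struct passed through SSL_CTX_set_default_passwd_cb_userdata; the caller still has to wipe whatever buffer OpenSSL handed it once the key has been decrypted, since the callback only controls its own copy.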