Mercurial > hg > xemacs-beta
changeset 5814:a216b3c2b09e
Add TLS support. See xemacs-patches message with ID
<CAHCOHQk6FNm2xf=XiGEpPq43+7WOzNZ=SuD9V79o3wb9WVCTrQ@mail.gmail.com>.
| author | Jerry James <james@xemacs.org> |
|---|---|
| date | Tue, 07 Oct 2014 21:16:10 -0600 |
| parents | 36dddf9d90d1 |
| children | d59bfb050ca8 |
| files | ChangeLog configure configure.ac lisp/ChangeLog lisp/code-process.el src/ChangeLog src/Makefile.in.in src/config.h.in src/console-tty.c src/doc.c src/emacs.c src/event-stream.c src/event-unixoid.c src/events.h src/file-coding.c src/fileio.c src/gpmevent.c src/lisp.h src/lread.c src/lstream.c src/lstream.h src/process-nt.c src/process-unix.c src/process.c src/procimpl.h src/tls.c src/tls.h |
| diffstat | 27 files changed, 2232 insertions(+), 67 deletions(-) [+] |
line wrap: on
line diff
--- a/ChangeLog Thu Oct 02 10:19:00 2014 +0200 +++ b/ChangeLog Tue Oct 07 21:16:10 2014 -0600 @@ -1,3 +1,7 @@ +2014-10-07 Jerry James <james@xemacs.org> + + * configure.ac: Add TLS support. + 2014-02-11 Jerry James <james@xemacs.org> * .hgignore: Add man/Makefile.
--- a/configure Thu Oct 02 10:19:00 2014 +0200 +++ b/configure Tue Oct 07 21:16:10 2014 -0600 @@ -1006,6 +1006,8 @@ with_dnet enable_ipv6_cname with_ipv6_cname +enable_tls +with_tls enable_rel_alloc with_rel_alloc enable_dlmalloc @@ -1938,6 +1940,9 @@ --with-ipv6-cname Try IPv6 information first when canonicalizing host names. This option has no effect unless system supports getaddrinfo(3) and getnameinfo(3). + --with-tls=TYPE Support TLS connections. TYPE must be one of "nss", + "gnutls", and "openssl". If TYPE is omitted or + "yes", support is determined automatically. Memory allocation options ------------------------- @@ -4922,6 +4927,22 @@ else with_ipv6_cname="no" fi; +# If --with-tls or --without-tls were given then copy the value to the +# equivalent enable_tls variable. +if test "${with_tls+set}" = set; then + enable_tls="$with_tls" +fi; +# If -enable-tls or --disable-tls were given then copy the value to the +# equivalent with_tls variable. +if test "${enable_tls+set}" = set; then + with_tls="$enable_tls" +fi; +# Check whether --with-tls or --without-tls was given. +if test "${with_tls+set}" = set; then + enableval="$with_tls" + withval="$with_tls" + +fi; # If --with-rel-alloc or --without-rel-alloc were given then copy the value to the # equivalent enable_rel-alloc variable. @@ -21000,6 +21021,318 @@ fi +if test "$with_tls" = "yes"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gnutls_global_init in -lgnutls" >&5 +$as_echo_n "checking for gnutls_global_init in -lgnutls... " >&6; } +if ${ac_cv_lib_gnutls_gnutls_global_init+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lgnutls $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char gnutls_global_init (); +int +main () +{ +return gnutls_global_init (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_gnutls_gnutls_global_init=yes +else + ac_cv_lib_gnutls_gnutls_global_init=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gnutls_gnutls_global_init" >&5 +$as_echo "$ac_cv_lib_gnutls_gnutls_global_init" >&6; } +if test "x$ac_cv_lib_gnutls_gnutls_global_init" = xyes; then : + with_tls=gnutls +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for NSS_InitContext in -lnss3" >&5 +$as_echo_n "checking for NSS_InitContext in -lnss3... " >&6; } +if ${ac_cv_lib_nss3_NSS_InitContext+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnss3 $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char NSS_InitContext (); +int +main () +{ +return NSS_InitContext (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nss3_NSS_InitContext=yes +else + ac_cv_lib_nss3_NSS_InitContext=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nss3_NSS_InitContext" >&5 +$as_echo "$ac_cv_lib_nss3_NSS_InitContext" >&6; } +if test "x$ac_cv_lib_nss3_NSS_InitContext" = xyes; then : + with_tls=nss +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_library_init in -lssl" >&5 +$as_echo_n "checking for SSL_library_init in -lssl... " >&6; } +if ${ac_cv_lib_ssl_SSL_library_init+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lssl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char SSL_library_init (); +int +main () +{ +return SSL_library_init (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_ssl_SSL_library_init=yes +else + ac_cv_lib_ssl_SSL_library_init=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_library_init" >&5 +$as_echo "$ac_cv_lib_ssl_SSL_library_init" >&6; } +if test "x$ac_cv_lib_ssl_SSL_library_init" = xyes; then : + with_tls=openssl +else + with_tls=no +fi + +fi + +fi + +elif test "$with_tls" = "gnutls"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gnutls_global_init in -lgnutls" >&5 +$as_echo_n "checking for gnutls_global_init in -lgnutls... " >&6; } +if ${ac_cv_lib_gnutls_gnutls_global_init+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lgnutls $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char gnutls_global_init (); +int +main () +{ +return gnutls_global_init (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_gnutls_gnutls_global_init=yes +else + ac_cv_lib_gnutls_gnutls_global_init=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gnutls_gnutls_global_init" >&5 +$as_echo "$ac_cv_lib_gnutls_gnutls_global_init" >&6; } +if test "x$ac_cv_lib_gnutls_gnutls_global_init" = xyes; then : + with_tls=gnutls +else + { echo "Error:" "Required gnutls support cannot be provided." >&2; exit 1; } +fi + +elif test "$with_tls" = "nss"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for NSS_InitContext in -lnss3" >&5 +$as_echo_n "checking for NSS_InitContext in -lnss3... " >&6; } +if ${ac_cv_lib_nss3_NSS_InitContext+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnss3 $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char NSS_InitContext (); +int +main () +{ +return NSS_InitContext (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nss3_NSS_InitContext=yes +else + ac_cv_lib_nss3_NSS_InitContext=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nss3_NSS_InitContext" >&5 +$as_echo "$ac_cv_lib_nss3_NSS_InitContext" >&6; } +if test "x$ac_cv_lib_nss3_NSS_InitContext" = xyes; then : + with_tls=nss +else + { echo "Error:" "Required NSS support cannot be provided." >&2; exit 1; } +fi + +elif test "$with_tls" = "openssl"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_library_init in -lssl" >&5 +$as_echo_n "checking for SSL_library_init in -lssl... " >&6; } +if ${ac_cv_lib_ssl_SSL_library_init+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lssl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char SSL_library_init (); +int +main () +{ +return SSL_library_init (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_ssl_SSL_library_init=yes +else + ac_cv_lib_ssl_SSL_library_init=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_library_init" >&5 +$as_echo "$ac_cv_lib_ssl_SSL_library_init" >&6; } +if test "x$ac_cv_lib_ssl_SSL_library_init" = xyes; then : + with_tls=openssl +else + { echo "Error:" "Required openssl support cannot be provided." >&2; exit 1; } +fi + +fi +if test "$with_tls" != "no"; then + $as_echo "#define WITH_TLS 1" >>confdefs.h + + if test "$with_tls" = "gnutls"; then + $as_echo "#define HAVE_GNUTLS 1" >>confdefs.h + + gnutls_cflags=`pkg-config --cflags gnutls` + if test "$?" = 0; then + CPPFLAGS=""$gnutls_cflags" $CPPFLAGS" && if test "$verbose" = "yes"; then echo " Prepending \""$gnutls_cflags"\" to \$CPPFLAGS"; fi + fi + gnutls_libs=`pkg-config --libs gnutls` + if test "$?" = 0; then + LDFLAGS=""$gnutls_libs" $LDFLAGS" && if test "$verbose" = "yes"; then echo " Prepending \""$gnutls_libs"\" to \$LDFLAGS"; fi + fi + ac_fn_c_check_func "$LINENO" "gnutls_certificate_verification_status_print" "ac_cv_func_gnutls_certificate_verification_status_print" +if test "x$ac_cv_func_gnutls_certificate_verification_status_print" = xyes; then : + $as_echo "#define HAVE_GNUTLS_CERTIFICATE_VERIFICATION_STATUS_PRINT 1" >>confdefs.h + +fi + + ac_fn_c_check_func "$LINENO" "gnutls_certificate_verify_peers3" "ac_cv_func_gnutls_certificate_verify_peers3" +if test "x$ac_cv_func_gnutls_certificate_verify_peers3" = xyes; then : + $as_echo "#define HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS3 1" >>confdefs.h + +fi + + elif test "$with_tls" = "nss"; then + $as_echo "#define HAVE_NSS 1" >>confdefs.h + + nss_cflags=`pkg-config --cflags nss` + if test "$?" = 0; then + CPPFLAGS=""$nss_cflags" $CPPFLAGS" && if test "$verbose" = "yes"; then echo " Prepending \""$nss_cflags"\" to \$CPPFLAGS"; fi + fi + nss_libs=`pkg-config --libs nss` + if test "$?" = 0; then + LDFLAGS=""$nss_libs" $LDFLAGS" && if test "$verbose" = "yes"; then echo " Prepending \""$nss_libs"\" to \$LDFLAGS"; fi + fi + else + $as_echo "#define HAVE_OPENSSL 1" >>confdefs.h + + openssl_cflags=`pkg-config --cflags openssl` + if test "$?" = 0; then + CPPFLAGS=""$openssl_cflags" $CPPFLAGS" && if test "$verbose" = "yes"; then echo " Prepending \""$openssl_cflags"\" to \$CPPFLAGS"; fi + fi + openssl_libs=`pkg-config --libs openssl` + if test "$?" = 0; then + LDFLAGS=""$openssl_libs" $LDFLAGS" && if test "$verbose" = "yes"; then echo " Prepending \""$openssl_libs"\" to \$LDFLAGS"; fi + fi + ac_fn_c_check_func "$LINENO" "X509_check_host" "ac_cv_func_X509_check_host" +if test "x$ac_cv_func_X509_check_host" = xyes; then : + $as_echo "#define HAVE_X509_CHECK_HOST 1" >>confdefs.h + +fi + + fi +fi + if test "$cross_compiling" = yes; then : { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} @@ -21806,12 +22139,18 @@ test -n "$with_mail_locking" && echo " Compiling in support for \"$with_mail_locking\" mail spool file locking method." echo " -Other Features:" +Network:" test "$with_ipv6_cname" = no && echo " Inhibiting IPv6 canonicalization at startup." test "$with_tooltalk" = yes && echo " Compiling in support for ToolTalk." test "$with_workshop" = yes && echo " Compiling in support for Sun WorkShop." test "$with_socks" = yes && echo " Compiling in support for SOCKS." test "$with_dnet" = yes && echo " Compiling in support for DNET." +test "$with_tls" = nss && echo " Compiling in support for TLS with NSS." +test "$with_tls" = gnutls && echo " Compiling in support for TLS with gnutls." +test "$with_tls" = openssl && echo " Compiling in support for TLS with OpenSSL." + +echo " +Other Features:" test "$with_modules" = "yes" && echo " Compiling in support for dynamic shared object modules." test "$with_bignum" = "gmp" && echo " Compiling in support for more number types using the GNU MP library." test "$with_bignum" = "mpir" && echo " Compiling in support for more number types using the MPIR library."
--- a/configure.ac Thu Oct 02 10:19:00 2014 +0200 +++ b/configure.ac Tue Oct 07 21:16:10 2014 -0600 @@ -917,6 +917,9 @@ XE_MERGED_ARG([ipv6-cname], AS_HELP_STRING([--with-ipv6-cname],[Try IPv6 information first when canonicalizing host names. This option has no effect unless system supports getaddrinfo(3) and getnameinfo(3).]), [], [with_ipv6_cname="no"]) +XE_MERGED_ARG([tls], + AS_HELP_STRING([--with-tls=TYPE],[Support TLS connections. TYPE must be one of "nss", "gnutls", and "openssl". If TYPE is omitted or "yes", support is determined automatically.]), + [], []) dnl XE_HELP_SUBSECTION([Memory allocation options]) XE_MERGED_ARG([rel-alloc], @@ -5328,6 +5331,61 @@ AC_DEFINE(WITH_MP) fi +dnl TLS support +if test "$with_tls" = "yes"; then + AC_CHECK_LIB(gnutls, gnutls_global_init, [with_tls=gnutls], + AC_CHECK_LIB(nss3, NSS_InitContext, [with_tls=nss], + AC_CHECK_LIB(ssl, SSL_library_init, [with_tls=openssl], [with_tls=no]))) +elif test "$with_tls" = "gnutls"; then + AC_CHECK_LIB(gnutls, gnutls_global_init, [with_tls=gnutls], + [XE_DIE("Required gnutls support cannot be provided.")]) +elif test "$with_tls" = "nss"; then + AC_CHECK_LIB(nss3, NSS_InitContext, [with_tls=nss], + [XE_DIE("Required NSS support cannot be provided.")]) +elif test "$with_tls" = "openssl"; then + AC_CHECK_LIB(ssl, SSL_library_init, [with_tls=openssl], + [XE_DIE("Required openssl support cannot be provided.")]) +fi +if test "$with_tls" != "no"; then + AC_DEFINE(WITH_TLS) + if test "$with_tls" = "gnutls"; then + AC_DEFINE(HAVE_GNUTLS) + gnutls_cflags=`pkg-config --cflags gnutls` + if test "$?" = 0; then + XE_PREPEND("$gnutls_cflags", CPPFLAGS) + fi + gnutls_libs=`pkg-config --libs gnutls` + if test "$?" = 0; then + XE_PREPEND("$gnutls_libs", LDFLAGS) + fi + AC_CHECK_FUNC(gnutls_certificate_verification_status_print, + [AC_DEFINE(HAVE_GNUTLS_CERTIFICATE_VERIFICATION_STATUS_PRINT)]) + AC_CHECK_FUNC(gnutls_certificate_verify_peers3, + [AC_DEFINE(HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS3)]) + elif test "$with_tls" = "nss"; then + AC_DEFINE(HAVE_NSS) + nss_cflags=`pkg-config --cflags nss` + if test "$?" = 0; then + XE_PREPEND("$nss_cflags", CPPFLAGS) + fi + nss_libs=`pkg-config --libs nss` + if test "$?" = 0; then + XE_PREPEND("$nss_libs", LDFLAGS) + fi + else + AC_DEFINE(HAVE_OPENSSL) + openssl_cflags=`pkg-config --cflags openssl` + if test "$?" = 0; then + XE_PREPEND("$openssl_cflags", CPPFLAGS) + fi + openssl_libs=`pkg-config --libs openssl` + if test "$?" = 0; then + XE_PREPEND("$openssl_libs", LDFLAGS) + fi + AC_CHECK_FUNC(X509_check_host, [AC_DEFINE(HAVE_X509_CHECK_HOST)]) + fi +fi + dnl Unfortunately, just because we can link doesn't mean we can run. dnl One of the above link tests may have succeeded but caused resulting dnl executables to fail to run. Also any tests using AC_RUN_IFELSE will @@ -5959,12 +6017,18 @@ test -n "$with_mail_locking" && echo " Compiling in support for \"$with_mail_locking\" mail spool file locking method." echo " -Other Features:" +Network:" test "$with_ipv6_cname" = no && echo " Inhibiting IPv6 canonicalization at startup." test "$with_tooltalk" = yes && echo " Compiling in support for ToolTalk." test "$with_workshop" = yes && echo " Compiling in support for Sun WorkShop." test "$with_socks" = yes && echo " Compiling in support for SOCKS." test "$with_dnet" = yes && echo " Compiling in support for DNET." +test "$with_tls" = nss && echo " Compiling in support for TLS with NSS." +test "$with_tls" = gnutls && echo " Compiling in support for TLS with gnutls." +test "$with_tls" = openssl && echo " Compiling in support for TLS with OpenSSL." + +echo " +Other Features:" test "$with_modules" = "yes" && echo " Compiling in support for dynamic shared object modules." test "$with_bignum" = "gmp" && echo " Compiling in support for more number types using the GNU MP library." test "$with_bignum" = "mpir" && echo " Compiling in support for more number types using the MPIR library."
--- a/lisp/ChangeLog Thu Oct 02 10:19:00 2014 +0200 +++ b/lisp/ChangeLog Tue Oct 07 21:16:10 2014 -0600 @@ -1,3 +1,14 @@ +2014-10-07 Jerry James <james@xemacs.org> + + * code-process.el (network-stream-get-response): + (network-stream-command): + (network-stream-open-plain): + (network-stream-open-tls): + (network-stream-certificate): + (network-stream-open-starttls): + (network-stream-open-shell): New functions. + (open-network-stream): Accept Emacs-compatible arguments. + 2014-09-27 Michael Sperber <mike@xemacs.org> * custom.el (defcustom):
--- a/lisp/code-process.el Thu Oct 02 10:19:00 2014 +0200 +++ b/lisp/code-process.el Tue Oct 07 21:16:10 2014 -0600 @@ -271,9 +271,169 @@ See also the function `find-operation-coding-system'.") -(defun open-network-stream (name buffer host service &optional protocol) +(defun network-stream-get-response (stream start end-of-command) + (when end-of-command + (with-current-buffer (process-buffer stream) + (save-excursion + (goto-char start) + (while (and (memq (process-status stream) '(open run)) + (not (re-search-forward end-of-command nil t))) + (accept-process-output stream 0 50) + (goto-char start)) + ;; Return the data we got back, or nil if the process died. + (unless (= start (point)) + (buffer-substring start (point))))))) + +(defun network-stream-command (stream command eoc) + (when command + (let ((start (point-max (process-buffer stream)))) + (process-send-string stream command) + (network-stream-get-response stream start eoc)))) + +(defun network-stream-open-plain (name buffer host service parameters) + (let ((start (point buffer)) + (stream + (open-network-stream-internal name buffer host service + (plist-get parameters :protocol)))) + (list stream + (network-stream-get-response stream start + (plist-get parameters :end-of-command)) + nil + 'plain))) + +(defun network-stream-open-tls (name buffer host service parameters) + (with-current-buffer buffer + (let* ((start (point-max)) + (stream + (open-network-stream-internal name buffer host service + (plist-get parameters :protocol) t))) + (if (null stream) + (list nil nil nil 'plain) + (let ((eoc (plist-get parameters :end-of-command)) + (capability-command (plist-get parameters :capability-command))) + (list stream + (network-stream-get-response stream start eoc) + (network-stream-command stream capability-command eoc) + 'tls)))))) + +(defun network-stream-certificate (host service parameters) + (let ((spec (plist-get :client-certificate parameters))) + (cond + ((listp spec) + ;; Either nil or a list with a key/certificate pair. + spec) + ((eq spec t) + (when (fboundp 'auth-source-search) + (let* ((auth-info + (car (auth-source-search :max 1 + :host host + :port service))) + (key (plist-get auth-info :key)) + (cert (plist-get auth-info :cert))) + (and key cert + (list key cert)))))))) + +(defun network-stream-open-starttls (name buffer host service parameters) + (let* ((start (point buffer)) + (require-tls (eq (plist-get parameters :type) 'starttls)) + (starttls-function (plist-get parameters :starttls-function)) + (success-string (plist-get parameters :success)) + (capability-command (plist-get parameters :capability-command)) + (eoc (plist-get parameters :end-of-command)) + (eo-capa (or (plist-get parameters :end-of-capability) eoc)) + (protocol (plist-get parameters :protocol)) + ;; Return (STREAM GREETING CAPABILITIES RESULTING-TYPE) + (stream (open-network-stream-internal name buffer host service + protocol)) + (greeting (and (not (plist-get parameters :nogreeting)) + (network-stream-get-response stream start eoc))) + (capabilities (network-stream-command stream capability-command + eo-capa)) + (resulting-type 'plain) + starttls-available starttls-command error) + + ;; First check whether the server supports STARTTLS at all. + (when (and capabilities success-string starttls-function) + (setq starttls-command + (funcall starttls-function capabilities))) + ;; If we have built-in STARTTLS support, try to upgrade the + ;; connection. + (when (and starttls-command + (setq starttls-available t) + (not (eq (plist-get parameters :type) 'plain))) + (when (let ((response + (network-stream-command stream starttls-command eoc))) + (and response (string-match success-string response))) + ;; The server said it was OK to begin STARTTLS negotiations. + (let ((cert (network-stream-certificate host service parameters))) + (condition-case nil + (tls-negotiate stream host (and cert (list cert))) + ;; If we get a tls-specific error (for instance if the + ;; certificate the server gives us is completely syntactically + ;; invalid), then close the connection and possibly (further + ;; down) try to create a non-encrypted connection. + (gnutls-error (delete-process stream)))) + (if (memq (process-status stream) '(open run)) + (setq resulting-type 'tls) + ;; We didn't successfully negotiate STARTTLS; if TLS + ;; isn't demanded, reopen an unencrypted connection. + (unless require-tls + (setq stream + (make-network-process :name name :buffer buffer + :host host :service service)) + (network-stream-get-response stream start eoc))) + ;; Re-get the capabilities, which may have now changed. + (setq capabilities + (network-stream-command stream capability-command eo-capa)))) + + ;; If TLS is mandatory, close the connection if it's unencrypted. + (when (and require-tls + ;; ... but Emacs wasn't able to -- either no built-in + ;; support, or no gnutls-cli installed. + (eq resulting-type 'plain)) + (setq error + (if (or (null starttls-command) + starttls-available) + "Server does not support TLS" + ;; See `starttls-available-p'. If this predicate + ;; changes to allow running under Windows, the error + ;; message below should be amended. + (if (memq system-type '(windows-nt ms-dos)) + (concat "Emacs does not support TLS") + (concat "Emacs does not support TLS, and no external `" + (if starttls-use-gnutls + starttls-gnutls-program + starttls-program) + "' program was found")))) + (delete-process stream) + (setq stream nil)) + ;; Return value: + (list stream greeting capabilities resulting-type error))) + +;; Requires that format-spec.el from gnus be loaded +(defun network-stream-open-shell (name buffer host service parameters) + (require 'format-spec) + (let* ((capability-command (plist-get parameters :capability-command)) + (eo-capa (plist-get parameters :end-of-capability)) + (eoc (plist-get parameters :end-of-command)) + (start (point buffer)) + (stream (let ((process-connection-type nil)) + (start-process name buffer shell-file-name + shell-command-switch + (format-spec + (plist-get parameters :shell-command) + (format-spec-make + ?s host + ?p service)))))) + (list stream + (network-stream-get-response stream start eoc) + (network-stream-command stream capability-command (or eo-capa eoc)) + 'plain))) + +(defun open-network-stream (name buffer host service &rest parameters) "Open a TCP connection for a service to a host. -Return a process object to represent the connection. +Normally, return a process object to represent the connection. If the +:return-list parameter is non-NIL, instead return a list; see below. Input and output work as for subprocesses; `delete-process' closes it. NAME is name for process. It is modified if necessary to make it unique. BUFFER is the buffer (or buffer-name) to associate with the process. @@ -284,9 +444,64 @@ Third arg is name of the host to connect to, or its IP address. Fourth arg SERVICE is name of the service desired, or an integer specifying a port number to connect to. -Fifth argument PROTOCOL is a network protocol. Currently 'tcp - (Transmission Control Protocol) and 'udp (User Datagram Protocol) are - supported. When omitted, 'tcp is assumed. + +The remaining PARAMETERS should be a sequence of keywords and values: +- :protocol is a network protocol. Currently 'tcp (Transmission Control + Protocol) and 'udp (User Datagram Protocol) are supported. When + omitted, 'tcp is assumed. +- :type specifies the connection type; it is one of the following: + nil or `network': begin with an ordinary network connection, and if + the parameters :success and :capability-command are also + supplied, try to upgrade to an encrypted connection via + STARTTLS. If that fails (e.g., HOST does not support TLS), + retain an unencrypted connection. + `plain': an ordinary, unencrypted network connection. + `starttls': begin with an ordinary network connection and try to + upgrade via STARTTLS. If that fails, drop the connection + and return a killed process object. + `tls': a TLS connection. + `ssl': a synonym for `tls'. + `shell': a shell connection. +- :return-list specifies this function's return value. + If omitted or nil, return a process object as usual. Otherwise, return + (PROC . PROPS), where PROC is a process object and PROPS is a plist of + connection properties, with these keywords: + :greeting: the greeting returned by HOST (a string), or nil. + :capabilities: a string representing HOST's capabilities, or nil if none + could be found. + :type: the resulting connection type, `plain' (unencrypted) or `tls' + (encrypted). +- :end-of-command specifies a regexp matching the end of a command. +- :end-of-capability specifies a regexp matching the end of the response + to the command specified for :capability-command. It defaults to the + regexp specified for :end-of-command. +- :success specifies a regexp matching a message indicating a successful + STARTTLS negotiation. For example, the default should be \"^3\" for an + NNTP connection. +- :capability-command specifies a command used to query HOST for its + capabilities. For example, this should be \"1 CAPABILITY\\r\\n\" for + IMAP. +- :starttls-function specifies a function for handling STARTTLS. This + function should take one parameter, the response to the capability + command, and should return the command to switch on STARTTLS if the + server supports it, or nil otherwise. +- :always-query-capabilities, if non-nil, indicates that the server should + be queried for capabilities even if constructing a `plain' network + connection. +- :client-certificate is either a list (certificate-key-filename + certificate-filename), or `t', meaning that `auth-source' will be + queried for the key and certificate. This parameter is used only when + constructing a TLS or STARTTLS connection. +- :use-starttls-if-possible, if non-nil, indicates that STARTTLS should + be used even if TLS support is not compiled in to XEmacs. +- :nogreeting, if non-nil, indicates that we should not wait for a + greeting from the server. +- :nowait, if non-nil, indicates that an asynchronous connection should be + made, if possible. NOTE: this is currently unimplemented. + +For backwards compatibility, if exactly five arguments are given, the fifth +must be one of nil, 'tcp, or 'udp. Both nil and 'tcp select TCP (Transmission +Control Protocol) and 'udp selects UDP (User Datagram Protocol). Output via `process-send-string' and input via buffer or filter (see `set-process-filter') are stream-oriented. That means UDP datagrams are @@ -315,6 +530,8 @@ You can change the coding systems later on using `set-process-coding-system', `set-process-input-coding-system', or `set-process-output-coding-system'." + (when (and (car parameters) (not (cdr parameters))) + (setq parameters (list :protocol (car parameters)))) (let (cs-r cs-w) (let (ret) (catch 'found @@ -351,8 +568,44 @@ (coding-system-for-write (or coding-system-for-write cs-w (cdr default-network-coding-system) - 'raw-text))) - (open-network-stream-internal name buffer host service protocol)))) + 'raw-text)) + (type (plist-get parameters :type)) + (return-list (plist-get parameters :return-list)) + (capability-command (plist-get parameters :capability-command))) + (if (and (not return-list) + (or (eq type 'plain) + (and (or (null type) (eq type 'network)) + (not (and (plist-get parameters :success) + capability-command))))) + ;; The simplest case: a plain connection + (open-network-stream-internal name buffer host service + (plist-get parameters :protocol)) + (let ((work-buffer (or buffer + (generate-new-buffer " *stream buffer*"))) + (fun (cond ((and (eq type 'plain) + (not (plist-get parameters + :always-query-capabilities))) + #'network-stream-open-plain) + ((memq type '(nil network starttls plain)) + #'network-stream-open-starttls) + ((memq type '(tls ssl)) #'network-stream-open-tls) + ((eq type 'shell) 'network-stream-open-shell) + (t (error "Invalid connection type" type)))) + result) + (unwind-protect + (setq result + (funcall fun name work-buffer host service parameters)) + (unless buffer + (and (processp (car result)) + (set-process-buffer (car result) nil)) + (kill-buffer work-buffer))) + (if return-list + (list (car result) + :greeting (nth 1 result) + :capabilities (nth 2 result) + :type (nth 3 result) + :error (nth 4 result)) + (car result))))))) (defun set-buffer-process-coding-system (decoding encoding) "Set coding systems for the process associated with the current buffer.
--- a/src/ChangeLog Thu Oct 02 10:19:00 2014 +0200 +++ b/src/ChangeLog Tue Oct 07 21:16:10 2014 -0600 @@ -1,3 +1,45 @@ +2014-10-07 Jerry James <james@xemacs.org> + + * Makefile.in.in: Add tls.o to the link. + * config.h.in: Add TLS symbols (WITH_TLS, etc.). + * emacs.c (main_1): Call new functions in tls.c. + * events.h (STREAM_USE_TLS): New macro. + * lisp.h (Ffill): Export for nss_pk11_password. + * lstream.c (Lstream_tls_p): New function. + (Lstream_tls_negotiate): New function. + (struct filedesc_stream): Add tls_state member. + (make_filedesc_stream_1): Add state parameter. Use tls_get_fd. + (make_filedesc_input_stream): Add state parameter. + (make_filedesc_output_stream): Ditto. + (filedesc_reader): Use tls_read if tls_state is non-null. + (filedesc_writer): Use tls_write if tls_state is non-null. + (filedesc_closer): Use tls_close if tls_state is non-null. + (filedesc_tls_p): New function. + (fildesc_tls_negotiater): New function. + * lstream.h (Lstream_implementation): Add tls_p and tls_negotiater + members. + * process-nt.c (nt_open_network_stream): Add tls parameter. + * process-unix.c (unix_open_network_stream): Ditto. Call TLS + functions to set up the socket, if requested. + * process.c (tls_connection_p): New function. + (print_process): Use it. + (Fopen_network_stream_internal): Add optional tls argument. + (Ftls_negotiate): New function. + * tls.c: New file, with NSS, gnutls, and OpenSSL implementations. + * tls.h: New file. + + * console-tty.c (tty_init_console): + * doc.c (extract_object_file_name): + (unparesseuxify_doc_string): + * event-stream.c (Fopen_dribble_file): + * event-unixoid.c (event_stream_unixoid_create_io_streams): + * file-coding.c (Ffind_coding_system_magic_cookie_in_file): + * fileio.c (Finsert_file_contents_internal): + (Fwrite_region_internal): + * gpmevent.c (tty_get_foreign_selection): + * lread.c (Fload_internal): Supply new tls arg to + make_filedesc_input_stream and make_filedesc_output_stream. + 2014-09-30 Marcus Crestani <crestani@informatik.uni-tuebingen.de> * editfns.c (Fencode_time): Switch signs when calculating the time
--- a/src/Makefile.in.in Thu Oct 02 10:19:00 2014 +0200 +++ b/src/Makefile.in.in Tue Oct 07 21:16:10 2014 -0600 @@ -296,8 +296,8 @@ rangetab.o realpath.o redisplay.o redisplay-output.o regex.o\ search.o select.o sequence.o $(sheap_objs) $(shlib_objs) signal.o sound.o\ specifier.o strftime.o $(sunpro_objs) symbols.o syntax.o sysdep.o\ - text.o $(tooltalk_objs) $(tty_objs) undo.o unicode.o $(x_objs) $(x_gui_objs)\ - widget.o window.o $(win32_objs) + text.o tls.o $(tooltalk_objs) $(tty_objs) undo.o unicode.o \ + $(x_objs) $(x_gui_objs) widget.o window.o $(win32_objs) obj_rtl = $(objs:.o=.c.rtl)
--- a/src/config.h.in Thu Oct 02 10:19:00 2014 +0200 +++ b/src/config.h.in Tue Oct 07 21:16:10 2014 -0600 @@ -499,6 +499,15 @@ /* Compile in support for SOCKS? */ #undef HAVE_SOCKS +/* Compile in support for TLS */ +#undef WITH_TLS +#undef HAVE_NSS +#undef HAVE_GNUTLS +#undef HAVE_GNUTLS_CERTIFICATE_VERIFICATION_STATUS_PRINT +#undef HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS3 +#undef HAVE_OPENSSL +#undef HAVE_X509_CHECK_HOST + /* Compile in support for X pixmaps via the `xpm' library? */ #undef HAVE_XPM #undef FOR_MSW
--- a/src/console-tty.c Thu Oct 02 10:19:00 2014 +0200 +++ b/src/console-tty.c Tue Oct 07 21:16:10 2014 -0600 @@ -137,7 +137,8 @@ } /* set_descriptor_non_blocking (tty_con->infd); */ - tty_con->instream = make_filedesc_input_stream (tty_con->infd, 0, -1, 0); + tty_con->instream = make_filedesc_input_stream (tty_con->infd, 0, -1, 0, + NULL); Lstream_set_buffering (XLSTREAM (tty_con->instream), LSTREAM_UNBUFFERED, 0); tty_con->instream = make_coding_input_stream (XLSTREAM (tty_con->instream), @@ -145,7 +146,8 @@ CODING_DECODE, LSTREAM_FL_READ_ONE_BYTE_AT_A_TIME); Lstream_set_buffering (XLSTREAM (tty_con->instream), LSTREAM_UNBUFFERED, 0); - tty_con->outstream = make_filedesc_output_stream (tty_con->outfd, 0, -1, 0); + tty_con->outstream = make_filedesc_output_stream (tty_con->outfd, 0, -1, 0, + NULL); tty_con->outstream = make_coding_output_stream (XLSTREAM (tty_con->outstream), get_coding_system_for_text_file (Qterminal, 0),
--- a/src/doc.c Thu Oct 02 10:19:00 2014 +0200 +++ b/src/doc.c Tue Oct 07 21:16:10 2014 -0600 @@ -72,7 +72,7 @@ goto done; } - fdstream = make_filedesc_input_stream (fd, 0, -1, 0); + fdstream = make_filedesc_input_stream (fd, 0, -1, 0, NULL); Lstream_set_buffering (XLSTREAM (fdstream), LSTREAM_UNBUFFERED, 0); instream = make_coding_input_stream @@ -187,7 +187,7 @@ goto done; } - fdstream = make_filedesc_input_stream (fd, 0, -1, 0); + fdstream = make_filedesc_input_stream (fd, 0, -1, 0, NULL); Lstream_set_buffering (XLSTREAM (fdstream), LSTREAM_UNBUFFERED, 0); instream = make_coding_input_stream
--- a/src/emacs.c Thu Oct 02 10:19:00 2014 +0200 +++ b/src/emacs.c Tue Oct 07 21:16:10 2014 -0600 @@ -437,6 +437,7 @@ #include "sysfile.h" #include "systime.h" #include "sysproc.h" /* for qxe_getpid() */ +#include "tls.h" #ifdef QUANTIFY #include <quantify.h> @@ -1605,6 +1606,7 @@ syms_of_scrollbar (); #endif syms_of_text (); + syms_of_tls (); #ifdef HAVE_TOOLBARS syms_of_toolbar (); #endif @@ -2215,6 +2217,7 @@ vars_of_symbols (); vars_of_syntax (); vars_of_text (); + vars_of_tls (); #ifdef HAVE_TOOLBARS vars_of_toolbar (); #endif @@ -2677,6 +2680,8 @@ init_device_tty (); #endif init_console_stream (restart); /* Create the first console */ + if (initialized && !restart) + init_tls (); /* try to get the actual pathname of the exec file we are running */ if (!restart)
--- a/src/event-stream.c Thu Oct 02 10:19:00 2014 +0200 +++ b/src/event-stream.c Tue Oct 07 21:16:10 2014 -0600 @@ -4862,7 +4862,8 @@ CREAT_MODE); if (fd < 0) report_file_error ("Unable to create dribble file", filename); - Vdribble_file = make_filedesc_output_stream (fd, 0, 0, LSTR_CLOSING); + Vdribble_file = make_filedesc_output_stream (fd, 0, 0, LSTR_CLOSING, + NULL); #ifdef MULE Vdribble_file = make_coding_output_stream
--- a/src/event-unixoid.c Thu Oct 02 10:19:00 2014 +0200 +++ b/src/event-unixoid.c Tue Oct 07 21:16:10 2014 -0600 @@ -357,6 +357,7 @@ USID* err_usid, int flags) { + tls_state_t *tls_state; int infd, outfd, errfd; /* Decode inhandle and outhandle. Their meaning depends on the process implementation being used. */ @@ -366,17 +367,22 @@ outfd = (EMACS_INT) outhandle; errfd = (EMACS_INT) errhandle; + tls_state = (flags & STREAM_USE_TLS) ? (tls_state_t *) inhandle : NULL; + *instream = (infd >= 0 - ? make_filedesc_input_stream (infd, 0, -1, 0) + ? make_filedesc_input_stream (infd, 0, -1, + tls_state ? LSTR_BLOCKED_OK : 0, + tls_state) : Qnil); *outstream = (outfd >= 0 - ? make_filedesc_output_stream (outfd, 0, -1, LSTR_BLOCKED_OK) + ? make_filedesc_output_stream (outfd, 0, -1, LSTR_BLOCKED_OK, + tls_state) : Qnil); *errstream = (errfd >= 0 - ? make_filedesc_input_stream (errfd, 0, -1, 0) - : Qnil); + ? make_filedesc_input_stream (errfd, 0, -1, 0, tls_state) + : Qnil); /* FLAGS is process->pty_flag for UNIX_PROCESSES */ if ((flags & STREAM_PTY_FLUSHING) && outfd >= 0)
--- a/src/events.h Thu Oct 02 10:19:00 2014 +0200 +++ b/src/events.h Tue Oct 07 21:16:10 2014 -0600 @@ -72,6 +72,7 @@ /* Flags for create_io_streams_cb() FLAGS parameter */ #define STREAM_PTY_FLUSHING 0x0001 #define STREAM_NETWORK_CONNECTION 0x0002 +#define STREAM_USE_TLS 0x0004 extern struct event_stream *event_stream;
--- a/src/file-coding.c Thu Oct 02 10:19:00 2014 +0200 +++ b/src/file-coding.c Tue Oct 07 21:16:10 2014 -0600 @@ -4342,7 +4342,7 @@ goto badopen; } - lstream = make_filedesc_input_stream (fd, 0, -1, 0); + lstream = make_filedesc_input_stream (fd, 0, -1, 0, NULL); Lstream_set_buffering (XLSTREAM (lstream), LSTREAM_UNBUFFERED, 0); nread = Lstream_read (XLSTREAM (lstream), buf, sizeof (buf)); err = Lstream_errno (XLSTREAM (lstream));
--- a/src/fileio.c Thu Oct 02 10:19:00 2014 +0200 +++ b/src/fileio.c Tue Oct 07 21:16:10 2014 -0600 @@ -3177,7 +3177,7 @@ Charbpos cur_point = BUF_PT (buf); struct gcpro ngcpro1; Lisp_Object stream = make_filedesc_input_stream (fd, 0, total, - LSTR_ALLOW_QUIT); + LSTR_ALLOW_QUIT, NULL); Charcount last_tell = -1; NGCPRO1 (stream); @@ -3516,7 +3516,7 @@ that need to be made, and there could be a large latency for each request. So I've increased the buffer size to 64K.) */ - outstream = make_filedesc_output_stream (desc, 0, -1, 0); + outstream = make_filedesc_output_stream (desc, 0, -1, 0, NULL); Lstream_set_buffering (XLSTREAM (outstream), LSTREAM_BLOCKN_BUFFERED, 65536); outstream =
--- a/src/gpmevent.c Thu Oct 02 10:19:00 2014 +0200 +++ b/src/gpmevent.c Tue Oct 07 21:16:10 2014 -0600 @@ -244,7 +244,8 @@ ** done. */ output_stream = make_resizing_buffer_output_stream (); - terminal_stream = make_filedesc_input_stream (fd, 0, -1, LSTR_BLOCKED_OK); + terminal_stream = make_filedesc_input_stream (fd, 0, -1, LSTR_BLOCKED_OK, + NULL); output_string = Qnil; /* #### We should arguably use a specbind() and an unwind routine here,
--- a/src/lisp.h Thu Oct 02 10:19:00 2014 +0200 +++ b/src/lisp.h Tue Oct 07 21:16:10 2014 -0600 @@ -5768,6 +5768,8 @@ Bytecount fast_lisp_string_match (Lisp_Object, Lisp_Object); extern Fixnum warn_about_possibly_incompatible_back_references; +/* Defined in sequence.c */ +EXFUN (Ffill, MANY); /* Defined in signal.c */ void init_interrupts_late (void);
--- a/src/lread.c Thu Oct 02 10:19:00 2014 +0200 +++ b/src/lread.c Tue Oct 07 21:16:10 2014 -0600 @@ -714,7 +714,7 @@ struct gcpro ngcpro1; NGCPRO1 (lispstream); - lispstream = make_filedesc_input_stream (fd, 0, -1, LSTR_CLOSING); + lispstream = make_filedesc_input_stream (fd, 0, -1, LSTR_CLOSING, NULL); /* 64K is used for normal files; 8K should be OK here because Lisp files aren't really all that big. */ Lstream_set_buffering (XLSTREAM (lispstream), LSTREAM_BLOCKN_BUFFERED,
--- a/src/lstream.c Thu Oct 02 10:19:00 2014 +0200 +++ b/src/lstream.c Tue Oct 07 21:16:10 2014 -0600 @@ -28,6 +28,7 @@ #include "buffer.h" #include "insdel.h" #include "lstream.h" +#include "tls.h" #include "sysfile.h" @@ -990,6 +991,25 @@ Lstream_unread (lstr, &ch, 1); } +/* Detect an active TLS session */ + +int +Lstream_tls_p (Lstream *lstr) +{ + return (lstr->imp->tls_p) ? (lstr->imp->tls_p) (lstr) : 0; +} + +/* STARTTLS negotiation */ + +int +Lstream_tls_negotiate (Lstream *instr, Lstream *outstr, const Extbyte *host, + Lisp_Object keylist) +{ + return (instr->imp->tls_negotiater) + ? (instr->imp->tls_negotiater) (instr, outstr, host, keylist) + : 0; +} + /************************ some stream implementations *********************/ @@ -1117,6 +1137,7 @@ struct filedesc_stream { + tls_state_t *tls_state; int fd; int pty_max_bytes; Ibyte eof_char; @@ -1142,11 +1163,12 @@ ignored when writing); -1 for unlimited. */ static Lisp_Object make_filedesc_stream_1 (int filedesc, int offset, int count, int flags, - const char *mode) + tls_state_t *state, const char *mode) { Lstream *lstr = Lstream_new (lstream_filedesc, mode); struct filedesc_stream *fstr = FILEDESC_STREAM_DATA (lstr); - fstr->fd = filedesc; + fstr->tls_state = state; + fstr->fd = state ? tls_get_fd (state) : filedesc; fstr->closing = !!(flags & LSTR_CLOSING); fstr->allow_quit = !!(flags & LSTR_ALLOW_QUIT); fstr->blocked_ok = !!(flags & LSTR_BLOCKED_OK); @@ -1154,7 +1176,7 @@ fstr->blocking_error_p = 0; fstr->chars_sans_newline = 0; fstr->saved_errno = 0; - fstr->starting_pos = lseek (filedesc, offset, SEEK_CUR); + fstr->starting_pos = lseek (fstr->fd, offset, SEEK_CUR); fstr->current_pos = max (fstr->starting_pos, 0); if (count < 0) fstr->end_pos = -1; @@ -1184,15 +1206,17 @@ */ Lisp_Object -make_filedesc_input_stream (int filedesc, int offset, int count, int flags) +make_filedesc_input_stream (int filedesc, int offset, int count, int flags, + tls_state_t *state) { - return make_filedesc_stream_1 (filedesc, offset, count, flags, "r"); + return make_filedesc_stream_1 (filedesc, offset, count, flags, state, "r"); } Lisp_Object -make_filedesc_output_stream (int filedesc, int offset, int count, int flags) +make_filedesc_output_stream (int filedesc, int offset, int count, int flags, + tls_state_t *state) { - return make_filedesc_stream_1 (filedesc, offset, count, flags, "w"); + return make_filedesc_stream_1 (filedesc, offset, count, flags, state, "w"); } static Bytecount @@ -1203,9 +1227,11 @@ str->saved_errno = 0; if (str->end_pos >= 0) size = min (size, (Bytecount) (str->end_pos - str->current_pos)); - nread = str->allow_quit ? - read_allowing_quit (str->fd, data, size) : - retry_read (str->fd, data, size); + nread = str->tls_state + ? tls_read (str->tls_state, data, size, str->allow_quit) + : (str->allow_quit ? + read_allowing_quit (str->fd, data, size) : + retry_read (str->fd, data, size)); if (nread > 0) str->current_pos += nread; if (nread == 0) @@ -1268,9 +1294,11 @@ /**** start of non-PTY-crap ****/ if (size > 0) - retval = str->allow_quit ? - write_allowing_quit (str->fd, data, size) : - retry_write (str->fd, data, size); + retval = str->tls_state + ? tls_write (str->tls_state, data, size, str->allow_quit) + : (str->allow_quit ? + write_allowing_quit (str->fd, data, size) : + retry_write (str->fd, data, size)); else retval = 0; if (retval < 0 && errno_would_block_p (errno) && str->blocked_ok) @@ -1409,7 +1437,9 @@ filedesc_closer (Lstream *stream) { struct filedesc_stream *str = FILEDESC_STREAM_DATA (stream); - if (str->closing) + if (str->tls_state) + return tls_close (str->tls_state); + else if (str->closing) return retry_close (str->fd); else return 0; @@ -1439,6 +1469,32 @@ return str->fd; } +static int +filedesc_tls_p (Lstream *stream) +{ + struct filedesc_stream *str = FILEDESC_STREAM_DATA (stream); + return str->tls_state != NULL; +} + +static int +filedesc_tls_negotiater (Lstream *instream, Lstream *outstream, + const Extbyte *host, Lisp_Object keylist) +{ + struct filedesc_stream *in_str, *out_str; + + if (!LSTREAM_TYPE_P (outstream, filedesc)) + invalid_argument ("STARTTLS applies to file descriptor streams only", + wrap_lstream (outstream)); + + in_str = FILEDESC_STREAM_DATA (instream); + out_str = FILEDESC_STREAM_DATA (outstream); + in_str->tls_state = out_str->tls_state = + tls_negotiate (out_str->fd, host, keylist); + if (out_str->tls_state != NULL) + in_str->fd = out_str->fd = tls_get_fd (out_str->tls_state); + return out_str->tls_state != NULL; +} + /*********** read from a Lisp string ***********/ #define LISP_STRING_STREAM_DATA(stream) LSTREAM_TYPE_DATA (stream, lisp_string) @@ -1961,6 +2017,8 @@ LSTREAM_HAS_METHOD (filedesc, rewinder); LSTREAM_HAS_METHOD (filedesc, seekable_p); LSTREAM_HAS_METHOD (filedesc, closer); + LSTREAM_HAS_METHOD (filedesc, tls_p); + LSTREAM_HAS_METHOD (filedesc, tls_negotiater); LSTREAM_HAS_METHOD (lisp_string, reader); LSTREAM_HAS_METHOD (lisp_string, rewinder);
--- a/src/lstream.h Thu Oct 02 10:19:00 2014 +0200 +++ b/src/lstream.h Tue Oct 07 21:16:10 2014 -0600 @@ -24,6 +24,8 @@ #ifndef INCLUDED_lstream_h_ #define INCLUDED_lstream_h_ +#include "tls.h" + /************************************************************************/ /* definition of Lstream object */ /************************************************************************/ @@ -208,6 +210,12 @@ /* Mark this object for garbage collection. Same semantics as a standard Lisp_Object marker. This function can be NULL. */ Lisp_Object (*marker) (Lisp_Object lstream); + /* Return nonzero if this stream is using a TLS connection */ + int (*tls_p) (Lstream *stream); + /* Perform STARTTLS negotiation on a pair of streams, one for input and one + for output. Both are transformed if negotiation is successful. */ + int (*tls_negotiater) (Lstream *instream, Lstream *outstream, + const Extbyte *host, Lisp_Object keylist); } Lstream_implementation; #define DEFINE_LSTREAM_IMPLEMENTATION(name, c_name) \ @@ -318,6 +326,10 @@ int Lstream_close (Lstream *lstr); int Lstream_close_noflush (Lstream *lstr); +int Lstream_tls_p (Lstream *lstr); +int Lstream_tls_negotiate (Lstream *instr, Lstream *outstr, + const Extbyte *host, Lisp_Object keylist); + void Lstream_delete (Lstream *lstr); void Lstream_set_character_mode (Lstream *str); void Lstream_unset_character_mode (Lstream *lstr); @@ -464,9 +476,9 @@ Lisp_Object make_stdio_input_stream (FILE *stream, int flags); Lisp_Object make_stdio_output_stream (FILE *stream, int flags); Lisp_Object make_filedesc_input_stream (int filedesc, int offset, int count, - int flags); + int flags, tls_state_t *state); Lisp_Object make_filedesc_output_stream (int filedesc, int offset, int count, - int flags); + int flags, tls_state_t *state); void filedesc_stream_set_pty_flushing (Lstream *stream, int pty_max_bytes, Ibyte eof_char);
--- a/src/process-nt.c Thu Oct 02 10:19:00 2014 +0200 +++ b/src/process-nt.c Tue Oct 07 21:16:10 2014 -0600 @@ -1324,7 +1324,8 @@ static void nt_open_network_stream (Lisp_Object name, Lisp_Object host, Lisp_Object service, - Lisp_Object protocol, void **vinfd, void **voutfd) + Lisp_Object protocol, void **vinfd, void **voutfd, + Boolint tls) { struct sockaddr_in address; SOCKET s;
--- a/src/process-unix.c Thu Oct 02 10:19:00 2014 +0200 +++ b/src/process-unix.c Tue Oct 07 21:16:10 2014 -0600 @@ -43,6 +43,7 @@ #include "sysdep.h" #include "window.h" #include "file-coding.h" +#include "tls.h" #include <setjmp.h> #include "sysdir.h" @@ -1857,10 +1858,12 @@ static void unix_open_network_stream (Lisp_Object name, Lisp_Object host, Lisp_Object service, Lisp_Object protocol, - void **vinfd, void **voutfd) + void **vinfd, void **voutfd, Boolint tls) { EMACS_INT inch; EMACS_INT outch; + tls_state_t *tls_state = NULL; + Extbyte *ext_host = NULL; volatile int s = -1; volatile int port; volatile int retry = 0; @@ -1869,6 +1872,7 @@ int retval; CHECK_STRING (host); + ext_host = LISP_STRING_TO_EXTERNAL (host, Qunix_host_name_encoding); if (!EQ (protocol, Qtcp) && !EQ (protocol, Qudp)) invalid_constant ("Unsupported protocol", protocol); @@ -1879,7 +1883,6 @@ struct addrinfo hints, *res; struct addrinfo * volatile lres; Extbyte *portstring; - Extbyte *ext_host; Extbyte portbuf[128]; /* * Caution: service can either be a string or int. @@ -1907,7 +1910,6 @@ else /* EQ (protocol, Qudp) */ hints.ai_socktype = SOCK_DGRAM; hints.ai_protocol = 0; - ext_host = LISP_STRING_TO_EXTERNAL (host, Qunix_host_name_encoding); retval = getaddrinfo (ext_host, portstring, &hints, &res); if (retval != 0) { @@ -1960,16 +1962,19 @@ int family = address.sin_family; #endif - if (EQ (protocol, Qtcp)) - s = socket (family, SOCK_STREAM, 0); - else /* EQ (protocol, Qudp) */ - s = socket (family, SOCK_DGRAM, 0); + if (!tls || TLS_SETUP_SOCK) + { + if (EQ (protocol, Qtcp)) + s = socket (family, SOCK_STREAM, 0); + else /* EQ (protocol, Qudp) */ + s = socket (family, SOCK_DGRAM, 0); - if (s < 0) - { - xerrno = errno; - failed_connect = 0; - continue; + if (s < 0) + { + xerrno = errno; + failed_connect = 0; + continue; + } } loop: @@ -1988,10 +1993,20 @@ can_break_system_calls = 1; #ifdef USE_GETADDRINFO - retval = connect (s, lres->ai_addr, lres->ai_addrlen); + retval = (!tls || TLS_SETUP_SOCK) + ? connect (s, lres->ai_addr, lres->ai_addrlen) + : 0; #else - retval = connect (s, (struct sockaddr *) &address, sizeof (address)); + retval = (!tls || TLS_SETUP_SOCK) + ? connect (s, (struct sockaddr *) &address, sizeof (address)) + : 0; #endif + if (retval == 0 && tls) + { + tls_state = tls_open (s, ext_host); + retval = (tls_state == NULL) ? -1 : 0; + } + can_break_system_calls = 0; if (retval == -1 && errno != EISCONN) { @@ -2020,8 +2035,11 @@ } failed_connect = 1; - retry_close (s); - s = -1; + if (!tls || TLS_SETUP_SOCK) + { + retry_close (s); + s = -1; + } continue; } @@ -2052,7 +2070,7 @@ freeaddrinfo (res); #endif - if (s < 0) + if ((!tls && s < 0) || (tls && tls_state == NULL)) { errno = xerrno; @@ -2064,6 +2082,14 @@ } } + if (tls) + { + set_socket_nonblocking_maybe (tls_get_fd (tls_state), port, "tcp"); + *vinfd = (void *) tls_state; + *voutfd = (void *) tls_state; + return; + } + inch = s; outch = dup (s); if (outch < 0)
--- a/src/process.c Thu Oct 02 10:19:00 2014 +0200 +++ b/src/process.c Tue Oct 07 21:16:10 2014 -0600 @@ -142,6 +142,15 @@ return Qnil; } +static int +tls_connection_p (Lisp_Object process) +{ + Lisp_Process *p = XPROCESS (process); + Lstream *in = XLSTREAM (DATA_INSTREAM (p)); + Lstream *out = XLSTREAM (DATA_OUTSTREAM (p)); + return Lstream_tls_p (in) || Lstream_tls_p (out); +} + static void print_process (Lisp_Object obj, Lisp_Object printcharfun, int escapeflag) { @@ -157,9 +166,11 @@ else { int netp = network_connection_p (obj); + int tlsp = netp && tls_connection_p (obj); write_ascstring (printcharfun, - netp ? GETTEXT ("#<network connection ") : - GETTEXT ("#<process ")); + tlsp ? GETTEXT ("#<tls network connection ") : + (netp ? GETTEXT ("#<network connection ") : + GETTEXT ("#<process "))); print_internal (process->name, printcharfun, 1); write_ascstring (printcharfun, (netp ? " " : " pid ")); print_internal (process->pid, printcharfun, 1); @@ -844,7 +855,7 @@ connection has no PID; you cannot signal it. All you can do is deactivate and close it via delete-process */ -DEFUN ("open-network-stream-internal", Fopen_network_stream_internal, 4, 5, +DEFUN ("open-network-stream-internal", Fopen_network_stream_internal, 4, 6, 0, /* Open a TCP connection for a service to a host. Return a process object to represent the connection. @@ -863,6 +874,9 @@ Optional fifth arg PROTOCOL is a network protocol. Currently only `tcp' (Transmission Control Protocol) and `udp' (User Datagram Protocol) are supported. When omitted, `tcp' is assumed. +Optional sixth arg TLS is a boolean. If it is NIL, a standard network stream + is opened. If it is non-NIL, a TLS network stream is opened if TLS support + is available; otherwise an error is signaled. Output via `process-send-string' and input via buffer or filter (see `set-process-filter') are stream-oriented. That means UDP datagrams are @@ -871,12 +885,13 @@ are usually fine.) Note further that the UDP protocol does not guard against lost packets. */ - (name, buffer, host, service, protocol)) + (name, buffer, host, service, protocol, tls)) { /* This function can GC */ Lisp_Object process = Qnil; struct gcpro gcpro1, gcpro2, gcpro3, gcpro4, gcpro5, ngcpro1; void *inch, *outch; + int flags; GCPRO5 (name, buffer, host, service, protocol); CHECK_STRING (name); @@ -889,7 +904,7 @@ /* Since this code is inside HAVE_SOCKETS, existence of open_network_stream is mandatory */ PROCMETH (open_network_stream, (name, host, service, protocol, - &inch, &outch)); + &inch, &outch, !NILP(tls))); if (!NILP (buffer)) buffer = Fget_buffer_create (buffer); @@ -898,9 +913,11 @@ XPROCESS (process)->pid = Fcons (service, host); XPROCESS (process)->buffer = buffer; + flags = STREAM_NETWORK_CONNECTION; + if (!NILP (tls)) + flags |= STREAM_USE_TLS; init_process_io_handles (XPROCESS (process), (void *) inch, (void *) outch, - (void *) -1, - STREAM_NETWORK_CONNECTION); + (void *) -1, flags); event_stream_select_process (XPROCESS (process), 1, 1); @@ -909,6 +926,29 @@ return process; } +DEFUN ("tls-negotiate", Ftls_negotiate, 3, 3, 0, /* + "Negotiate a SSL/TLS connection. Returns PROCESS if negotiation is +successful, NIL otherwise. + +PROCESS is a process returned by `open-network-stream'. +HOSTNAME is the remote hostname. It must be a valid string. +KEYLIST is an alist of (client key file, client cert file) pairs. +*/ + (process, hostname, keylist)) +{ + Lisp_Process *p; + Lstream *in, *out; + Extbyte *ext_host; + + CHECK_PROCESS (process); + CHECK_STRING (hostname); + p = XPROCESS (process); + in = XLSTREAM (DATA_INSTREAM (p)); + out = XLSTREAM (DATA_OUTSTREAM (p)); + ext_host = LISP_STRING_TO_EXTERNAL (hostname, Qunix_host_name_encoding); + return Lstream_tls_negotiate (in, out, ext_host, keylist) ? process : Qnil; +} + #ifdef HAVE_MULTICAST DEFUN ("open-multicast-group-internal", Fopen_multicast_group_internal, 5, 5, 0, /* @@ -2601,6 +2641,7 @@ DEFSUBR (Fstart_process_internal); #ifdef HAVE_SOCKETS DEFSUBR (Fopen_network_stream_internal); + DEFSUBR (Ftls_negotiate); #ifdef HAVE_MULTICAST DEFSUBR (Fopen_multicast_group_internal); #endif /* HAVE_MULTICAST */
--- a/src/procimpl.h Thu Oct 02 10:19:00 2014 +0200 +++ b/src/procimpl.h Tue Oct 07 21:16:10 2014 -0600 @@ -49,7 +49,7 @@ #ifdef HAVE_SOCKETS void (*open_network_stream) (Lisp_Object name, Lisp_Object host, Lisp_Object service, Lisp_Object protocol, - void** vinfd, void** voutfd); + void** vinfd, void** voutfd, Boolint tls); #ifdef HAVE_MULTICAST void (*open_multicast_group) (Lisp_Object name, Lisp_Object dest, Lisp_Object port, Lisp_Object ttl,
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/tls.c Tue Oct 07 21:16:10 2014 -0600 @@ -0,0 +1,1191 @@ +/* Transport Layer Security implementation. + Copyright (C) 2014 Jerry James + +This file is part of XEmacs. + +XEmacs is free software: you can redistribute it and/or modify it +under the terms of the GNU General Public License as published by the +Free Software Foundation, either version 3 of the License, or (at your +option) any later version. + +XEmacs is distributed in the hope that it will be useful, but WITHOUT +ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +for more details. + +You should have received a copy of the GNU General Public License +along with XEmacs. If not, see <http://www.gnu.org/licenses/>. */ + +/* Synched up with: Not in FSF. */ + +/* Written by Jerry James. */ + +#include <config.h> +#include "lisp.h" +#include "lstream.h" +#include "tls.h" +#include <errno.h> +#include <netinet/in.h> +#include <netinet/tcp.h> + +static Lisp_Object prompt; +static Lisp_Object Qread_password; +Lisp_Object Qtls_error; + +#ifdef HAVE_NSS +#include <prinit.h> +#include <private/pprio.h> +#include <nss.h> +#include <pk11pub.h> +#include <secerr.h> +#include <secmod.h> +#include <ssl.h> + +#define NSS_ERRSTR build_extstring (PR_ErrorToName (PR_GetError ()), Qnative) + +/* 0 == initialization of NSPR or NSS failed + * 1 == the NSPR and NSS libraries have been initialized successfully + */ +static int nss_inited; + +/* The model file descriptor */ +static PRFileDesc *nss_model; + +/* The PEM module */ +static SECMODModule *nss_pem_module; + +/* CA and trust objects go into slot 0. User certificates start in slot 1. */ +static CK_SLOT_ID nss_slot_count = 1; + +int +tls_get_fd (tls_state_t *state) +{ + return PR_FileDesc2NativeHandle (state->tls_file_desc); +} + +Bytecount +tls_read (tls_state_t *state, unsigned char *data, Bytecount size, + unsigned int allow_quit) +{ + if (allow_quit) + QUIT; + return (Bytecount) PR_Recv (state->tls_file_desc, data, size, 0, 0); +} + +Bytecount +tls_write (tls_state_t *state, const unsigned char *data, Bytecount size, + unsigned int allow_quit) +{ + if (allow_quit) + QUIT; + return (Bytecount) PR_Send (state->tls_file_desc, data, size, 0, 0); +} + +int +tls_close (tls_state_t *state) +{ + if (--state->tls_refcount == 0) + { + PRStatus status = PR_Shutdown (state->tls_file_desc, PR_SHUTDOWN_BOTH); + PR_Close (state->tls_file_desc); + xfree (state); + return (int) status; + } + return 0; +} + +tls_state_t * +tls_open (int s, const Extbyte *hostname) +{ + struct sockaddr *addr; + socklen_t addrlen; + PRNetAddr pr_addr; + tls_state_t *nspr; + const int val = 1; + + /* Disable Nagle's algorithm */ + setsockopt (s, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val)); + + if (!nss_inited) + { + warn_when_safe (Qtls_error, Qerror, "Cannot use NSS functions"); + return NULL; + } + + /* Get the socket address */ + addrlen = 256; + addr = (struct sockaddr *) xmalloc (addrlen); + if (getsockname (s, addr, &addrlen) == 0 && addrlen > 256) + { + addr = (struct sockaddr *) xrealloc (addr, addrlen); + getsockname (s, addr, &addrlen); + } + + /* Create the socket */ + nspr = xmalloc (sizeof (*nspr)); + nspr->tls_refcount = 2; + nspr->tls_file_desc = + SSL_ImportFD (nss_model, PR_OpenTCPSocket (addr->sa_family)); + if (nspr->tls_file_desc == NULL) + { + xfree (addr); + xfree (nspr); + warn_when_safe (Qtls_error, Qerror, "NSS unable to open socket: %s", + PR_ErrorToName (PR_GetError ())); + return NULL; + } + + /* Connect to the server */ + memset (&pr_addr, 0, sizeof (pr_addr)); + if (addr->sa_family == AF_INET) + { + struct sockaddr_in *in_addr = (struct sockaddr_in *) addr; + pr_addr.inet.family = in_addr->sin_family; + pr_addr.inet.port = in_addr->sin_port; + pr_addr.inet.ip = in_addr->sin_addr.s_addr; + } + else + { + struct sockaddr_in6 *in_addr = (struct sockaddr_in6 *) addr; + pr_addr.ipv6.family = in_addr->sin6_family; + pr_addr.ipv6.port = in_addr->sin6_port; + pr_addr.ipv6.flowinfo = in_addr->sin6_flowinfo; + memcpy (pr_addr.ipv6.ip.pr_s6_addr, in_addr->sin6_addr.s6_addr, + sizeof (pr_addr.ipv6.ip.pr_s6_addr)); + pr_addr.ipv6.scope_id = in_addr->sin6_scope_id; + } + xfree (addr); + if (PR_Connect (nspr->tls_file_desc, &pr_addr, PR_INTERVAL_NO_TIMEOUT) + != PR_SUCCESS) + { + if (PR_GetError () == PR_IN_PROGRESS_ERROR) + { + PRPollDesc pollset[2]; + + pollset[0].in_flags = PR_POLL_WRITE | PR_POLL_EXCEPT; + pollset[0].out_flags = 0; + pollset[0].fd = nspr->tls_file_desc; + for (;;) + { + PRInt32 num_fds = PR_Poll (pollset, 1, PR_INTERVAL_NO_TIMEOUT); + if (num_fds < 0) + { + PR_Close (nspr->tls_file_desc); + xfree (nspr); + warn_when_safe (Qtls_error, Qerror, + "NSS unable to connect: %s", + PR_ErrorToName (PR_GetError ())); + return NULL; + } + if (PR_GetConnectStatus (pollset) == PR_SUCCESS) + break; + } + } + else + { + PR_Close (nspr->tls_file_desc); + xfree (nspr); + warn_when_safe (Qtls_error, Qerror, "NSS unable to connect: %s", + PR_ErrorToName (PR_GetError ())); + return NULL; + } + } + + /* Perform the handshake */ + if (SSL_ResetHandshake (nspr->tls_file_desc, PR_FALSE) != SECSuccess) + { + PR_Close (nspr->tls_file_desc); + xfree (nspr); + warn_when_safe (Qtls_error, Qerror, "NSS unable to reset handshake: %s", + PR_ErrorToName (PR_GetError ())); + errno = EACCES; + return NULL; + } + if (hostname != NULL && + SSL_SetURL (nspr->tls_file_desc, hostname) != SECSuccess) + { + PR_Close (nspr->tls_file_desc); + xfree (nspr); + warn_when_safe (Qtls_error, Qerror, "NSS unable to set URL (%s): %s", + hostname, PR_ErrorToName (PR_GetError ())); + errno = EACCES; + return NULL; + } + if (SSL_ForceHandshake (nspr->tls_file_desc) != SECSuccess) + { + PR_Close (nspr->tls_file_desc); + xfree (nspr); + warn_when_safe (Qtls_error, Qerror, + "NSS unable to complete handshake: %s", + PR_ErrorToName (PR_GetError ())); + errno = EACCES; + return NULL; + } + return nspr; +} + +/* Set the key and certificate files to use */ +static void +tls_set_x509_key_file (const Extbyte *certfile, const Extbyte *keyfile) +{ + char name[32]; + void *proto_win = NULL; + PK11SlotInfo *slot = NULL; + PK11GenericObject *obj; + CERTCertificate *cert; + CK_ATTRIBUTE attrs[4]; + CK_BBOOL cktrue = CK_TRUE, ckfalse = CK_FALSE; + CK_OBJECT_CLASS objClass = CKO_PRIVATE_KEY; + CK_SLOT_ID slot_id = nss_slot_count++; + int retry_count = 0; + + /* Load the PEM module if it hasn't already been loaded */ + if (nss_pem_module == NULL) + { + nss_pem_module = SECMOD_LoadUserModule ("library=%s name=PEM parameters=\"\"", NULL, PR_FALSE); + if (nss_pem_module == NULL) + signal_error (Qtls_error, "Cannot find NSS PEM module", NSS_ERRSTR); + if (!nss_pem_module->loaded) + signal_error (Qtls_error, "Cannot load NSS PEM module", NSS_ERRSTR); + } + + snprintf (name, 32U, "PEM_Token %ld", slot_id); + slot = PK11_FindSlotByName (name); + if (slot == NULL) + signal_error (Qtls_error, "Error finding NSS slot", NSS_ERRSTR); + + /* Set up the attributes for the keyfile */ + attrs[0].type = CKA_CLASS; + attrs[0].pValue = &objClass; + attrs[0].ulValueLen = sizeof (objClass); + attrs[1].type = CKA_TOKEN; + attrs[1].pValue = &cktrue; + attrs[1].ulValueLen = sizeof (CK_BBOOL); + attrs[2].type = CKA_LABEL; + attrs[2].pValue = (void *) keyfile; + attrs[2].ulValueLen = strlen (keyfile) + 1U; + + /* When adding an encrypted key, the PKCS#11 will be set as removed. */ + obj = PK11_CreateGenericObject (slot, attrs, 3, PR_FALSE); + if (obj == NULL) + { + PR_SetError (SEC_ERROR_BAD_KEY, 0); + signal_error (Qtls_error, "Bad key file", NSS_ERRSTR); + } + + /* This will force the token to be seen as reinserted */ + SECMOD_WaitForAnyTokenEvent (nss_pem_module, 0, 0); + PK11_IsPresent (slot); + + if (PK11_Authenticate (slot, PR_TRUE, &retry_count) != SECSuccess) + signal_error (Qtls_error, "NSS: Unable to authenticate", NSS_ERRSTR); + + /* Set up the attributes for the certfile */ + objClass = CKO_CERTIFICATE; + attrs[2].pValue = (void *) certfile; + attrs[2].ulValueLen = strlen (certfile) + 1U; + attrs[3].type = CKA_TRUST; + attrs[3].pValue = &ckfalse; + attrs[3].ulValueLen = sizeof (CK_BBOOL); + + obj = PK11_CreateGenericObject (slot, attrs, 4, PR_FALSE); + PK11_FreeSlot (slot); + if (obj == NULL) + signal_error (Qtls_error, "Bad certificate file", NSS_ERRSTR); + cert = PK11_FindCertFromNickname (name, proto_win); + if (cert == NULL) + signal_error (Qtls_error, "Cannot find certificate nickname", NSS_ERRSTR); + CERT_DestroyCertificate (cert); +} + +/* Function that gathers passwords for PKCS #11 tokens. */ +static char * +nss_pk11_password (PK11SlotInfo *slot, PRBool retry, void * UNUSED (arg)) +{ + Lisp_Object lsp_password, args[2]; + Extbyte *c_password, *nss_password; + const Extbyte *token_name; + + if (retry) + return NULL; + + token_name = PK11_GetTokenName (slot); + if (token_name == NULL) + token_name = "security token"; + lsp_password = + call1 (Qread_password, concat2 (prompt, + build_extstring (token_name, Qnative))); + c_password = LISP_STRING_TO_EXTERNAL (lsp_password, Qnative); + nss_password = PL_strdup (c_password); + + /* Wipe out the password on the stack and in the Lisp string */ + args[0] = lsp_password; + args[1] = make_char ('*'); + Ffill (2, args); + memset (c_password, '*', strlen (c_password)); + return nss_password; +} + +void +init_tls (void) +{ + SECMODModule *module; + + /* Check that we are using compatible versions */ + if (PR_VersionCheck(PR_VERSION) == PR_FALSE) + signal_error (Qinternal_error, + "NSPR version mismatch: expected " PR_VERSION, Qnil); + if (NSS_VersionCheck(NSS_VERSION) == PR_FALSE) + signal_error (Qinternal_error, + "NSS version mismatch: expected " NSS_VERSION, Qnil); + + /* Basic initialization of both libraries */ + PR_Init (PR_USER_THREAD, PR_PRIORITY_NORMAL, 0); + if (NSS_Init ("sql:/etc/pki/nssdb") != SECSuccess) + signal_error (Qtls_error, "Error initializing NSS", NSS_ERRSTR); + + /* Set the cipher suite policy */ + if (NSS_SetDomesticPolicy() != SECSuccess) + signal_error (Qtls_error, "NSS unable to set policy", NSS_ERRSTR); + + /* Load the root certificates */ + module = SECMOD_LoadUserModule ("library=libnssckbi.so name=\"Root Certs\"", + NULL, PR_FALSE); + if (module == NULL || !module->loaded) + signal_error (Qtls_error, "NSS unable to load root certificates", + NSS_ERRSTR); + + /* Setup password gathering */ + PK11_SetPasswordFunc (nss_pk11_password); + + /* Create the model file descriptors */ + nss_model = SSL_ImportFD (NULL, PR_OpenTCPSocket (PR_AF_INET)); + if (nss_model == NULL) + { + nss_model = SSL_ImportFD (NULL, PR_OpenTCPSocket (PR_AF_INET6)); + if (nss_model == NULL) + signal_error (Qtls_error, "NSS cannot create model socket", + NSS_ERRSTR); + } + + /* Set options on the model socket */ + if (SSL_OptionSet (nss_model, SSL_SECURITY, PR_TRUE) != SECSuccess) + signal_error (Qtls_error, "NSS cannot enable model socket", NSS_ERRSTR); + if (SSL_OptionSet (nss_model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) + signal_error (Qtls_error, "NSS unable to disable SSLv2", NSS_ERRSTR); + if (SSL_OptionSet (nss_model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) + != SECSuccess) + signal_error (Qtls_error, "NSS unable to disable SSLv2 handshake", + NSS_ERRSTR); + if (SSL_OptionSet (nss_model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) + signal_error (Qtls_error, "NSS unable to disable deflate", NSS_ERRSTR); + if (SSL_OptionSet (nss_model, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE) + != SECSuccess) + signal_error (Qtls_error, "NSS unable to ensable handshake as client", + NSS_ERRSTR); + + nss_inited = 1; +} +#endif /* HAVE_NSS */ + +#ifdef HAVE_GNUTLS +#include <gnutls/pkcs11.h> +#include <gnutls/x509.h> +#include "sysfile.h" + +#define GNUTLS_ERRSTR(err) build_extstring (gnutls_strerror (err), Qnative) + +/* The global credentials object */ +static gnutls_certificate_credentials_t global_cred; + +int +tls_get_fd (tls_state_t *state) +{ + return (int)(unsigned long)gnutls_transport_get_ptr (state->tls_session); +} + +Bytecount +tls_read (tls_state_t *state, unsigned char *data, Bytecount size, + unsigned int allow_quit) +{ + ssize_t bytes; + + again: + do + { + if (allow_quit) + QUIT; + bytes = gnutls_record_recv (state->tls_session, data, size); + } + while (bytes == GNUTLS_E_INTERRUPTED || bytes == GNUTLS_E_AGAIN); + switch (bytes) + { + case GNUTLS_E_UNEXPECTED_PACKET_LENGTH: + bytes = 0; + break; + case GNUTLS_E_REHANDSHAKE: + { + int err; + + do + err = gnutls_handshake (state->tls_session); + while (err == GNUTLS_E_AGAIN || err == GNUTLS_E_INTERRUPTED); + if (err == GNUTLS_E_SUCCESS) + goto again; + } + errno = EACCES; + bytes = -1; + break; + default: + if (bytes < 0 && errno == 0) + { + errno = EPIPE; + bytes = -1; + } + break; + } + return (Bytecount) bytes; +} + +Bytecount +tls_write (tls_state_t *state, const unsigned char *data, Bytecount size, + unsigned int allow_quit) +{ + ssize_t bytes; + + do + { + if (allow_quit) + QUIT; + bytes = gnutls_record_send (state->tls_session, data, size); + } + while (bytes == GNUTLS_E_INTERRUPTED || bytes == GNUTLS_E_AGAIN); + if (bytes == GNUTLS_E_LARGE_PACKET) + { + errno = EMSGSIZE; + bytes = -1; + } + else if (bytes < 0 && errno == 0) + { + errno = EPIPE; + bytes = -1; + } + return (Bytecount) bytes; +} + +int +tls_close (tls_state_t *state) +{ + if (--state->tls_refcount == 0) + { + int fd, err; + + fd = (int)(unsigned long)gnutls_transport_get_ptr (state->tls_session); + gnutls_bye (state->tls_session, GNUTLS_SHUT_RDWR); + err = retry_close (fd); + gnutls_deinit (state->tls_session); + xfree (state); + return err; + } + return 0; +} + +tls_state_t * +tls_open (int s, const Extbyte *hostname) +{ +#ifndef HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS3 + gnutls_x509_crt_t cert; +#endif + tls_state_t *gnutls; + const char *errptr = NULL; + const gnutls_datum_t *certs; + unsigned int status, certslen = 0U; + int err; + const int val = 1; + + /* Disable Nagle's algorithm */ + setsockopt (s, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val)); + + /* Create the state object */ + gnutls = xmalloc (sizeof (*gnutls)); + gnutls->tls_refcount = 2; + + /* Initialize the session object */ + err = gnutls_init (&gnutls->tls_session, GNUTLS_CLIENT); + if (err != GNUTLS_E_SUCCESS) + { + xfree (gnutls); + warn_when_safe (Qtls_error, Qerror, "GNUTLS error in gnutls_init: %s", + gnutls_strerror (err)); + errno = EACCES; + return NULL; + } + + /* Configure the cipher preferences */ + err = gnutls_priority_set_direct (gnutls->tls_session, "NORMAL", &errptr); + if (err != GNUTLS_E_SUCCESS) + { + xfree (gnutls); + warn_when_safe (Qtls_error, Qerror, + "GNUTLS error in gnutls_priority_set_direct: %s at %s", + gnutls_strerror (err), errptr); + errno = EACCES; + return NULL; + } + + /* Install the trusted certificates */ + err = gnutls_credentials_set (gnutls->tls_session, GNUTLS_CRD_CERTIFICATE, + global_cred); + if (err != GNUTLS_E_SUCCESS) + { + xfree (gnutls); + warn_when_safe (Qtls_error, Qerror, + "GNUTLS error in gnutls_credentials_set: %s", + gnutls_strerror (err)); + errno = EACCES; + return NULL; + } + + /* Associate the socket with the session object */ + gnutls_transport_set_ptr (gnutls->tls_session, + (gnutls_transport_ptr_t)(unsigned long)s); + + /* Set the server name */ + if (hostname != NULL) + { + err = gnutls_server_name_set (gnutls->tls_session, GNUTLS_NAME_DNS, + hostname, strlen (hostname)); + if (err != GNUTLS_E_SUCCESS) + { + xfree (gnutls); + warn_when_safe (Qtls_error, Qerror, + "GNUTLS error in gnutls_server_name_set: %s", + gnutls_strerror (err)); + errno = EACCES; + return NULL; + } + } + + /* Perform the handshake */ + do + err = gnutls_handshake (gnutls->tls_session); + while (err == GNUTLS_E_AGAIN || err == GNUTLS_E_INTERRUPTED); + if (err != GNUTLS_E_SUCCESS) + { + xfree (gnutls); + warn_when_safe (Qtls_error, Qerror, + "GNUTLS error in gnutls_handshake: %s", + gnutls_strerror (err)); + errno = EACCES; + return NULL; + } + + /* Get the server certificate chain */ + certs = gnutls_certificate_get_peers (gnutls->tls_session, &certslen); + if (certs == NULL || certslen == 0U) + { + xfree (gnutls); + warn_when_safe (Qtls_error, Qerror, + "GNUTLS could not get peer certificate: %s", + gnutls_strerror (err)); + errno = EACCES; + return NULL; + } + + /* Validate the server certificate chain */ + status = (unsigned int) -1; +#ifdef HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS3 + if (hostname != NULL) + err = gnutls_certificate_verify_peers3 (gnutls->tls_session, hostname, + &status); + else +#endif /* HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS3 */ + err = gnutls_certificate_verify_peers2 (gnutls->tls_session, &status); + if (err != GNUTLS_E_SUCCESS) + { + xfree (gnutls); + warn_when_safe (Qtls_error, Qerror, + "GNUTLS could not verify peer certificate: %s", + gnutls_strerror (err)); + errno = EACCES; + return NULL; + } + if (status != 0U) + { + gnutls_datum_t msg; + +#ifdef HAVE_GNUTLS_CERTIFICATE_VERIFICATION_STATUS_PRINT + int type = gnutls_certificate_type_get (gnutls->tls_session); + err = + gnutls_certificate_verification_status_print (status, type, &msg, 0); +#else + err = -1; +#endif /* HAVE_GNUTLS_CERTIFICATE_VERIFICATION_STATUS_PRINT */ + xfree (gnutls); + if (err == 0) + { + warn_when_safe (Qtls_error, Qerror, + "GNUTLS: certificate validation failed: %s", + msg.data); + gnutls_free(msg.data); + errno = EACCES; + return NULL; + } + else + { + warn_when_safe (Qtls_error, Qerror, + "GNUTLS: certificate validation failed with code %u", + status); + errno = EACCES; + return NULL; + } + } + +#ifndef HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS3 + if (hostname != NULL) + { + /* Match the peer certificate against the host name */ + err = gnutls_x509_crt_init (&cert); + if (err != GNUTLS_E_SUCCESS) + { + xfree (gnutls); + warn_when_safe (Qtls_error, Qerror, + "GNUTLS error in gnutls_x509_crt_init: %s", + gnutls_strerror (err)); + errno = EACCES; + return NULL; + } + + /* The peer certificate is the first certificate in the list */ + err = gnutls_x509_crt_import (cert, certs, GNUTLS_X509_FMT_DER); + if (err != GNUTLS_E_SUCCESS) + { + xfree (gnutls); + warn_when_safe (Qtls_error, Qerror, + "GNUTLS error in gnutls_x509_crt_import: %s", + gnutls_strerror (err)); + gnutls_x509_crt_deinit (cert); + errno = EACCES; + return NULL; + } + + err = gnutls_x509_crt_check_hostname (cert, hostname); + if (err == 0) + { + xfree (gnutls); + warn_when_safe (Qtls_error, Qerror, + "GNUTLS: hostname does not match certificate: %s", + gnutls_strerror (err)); + gnutls_x509_crt_deinit (cert); + errno = EACCES; + return NULL; + } + gnutls_x509_crt_deinit (cert); + } +#endif /* HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS3 */ + + return gnutls; +} + +/* Set the key and certificate files to use */ +static void +tls_set_x509_key_file (const Extbyte *certfile, const Extbyte *keyfile) +{ + int err; + + err = gnutls_certificate_set_x509_key_file (global_cred, certfile, keyfile, + GNUTLS_X509_FMT_PEM); + if (err < GNUTLS_E_SUCCESS) + signal_error (Qtls_error, "gnutls_certificate_set_x509_key_file", + GNUTLS_ERRSTR (err)); +} + +/* Function that gathers PKCS #11 passwords. */ +static int +gnutls_pk11_password (void * UNUSED (userdata), int UNUSED (attempt), + const char *token_url, const char *token_label, + unsigned int UNUSED (flags), char *pin, size_t pin_max) +{ + Lisp_Object lsp_password, args[5]; + Extbyte *c_password; + size_t len; + + /* Get the password from the user */ + args[0] = prompt; + args[1] = build_extstring (token_label, Qnative); + args[2] = build_ascstring (" ("); + args[3] = build_extstring (token_url, Qnative); + args[4] = build_ascstring (")"); + lsp_password = call1 (Qread_password, Fconcat (5, args)); + c_password = LISP_STRING_TO_EXTERNAL (lsp_password, Qnative); + + /* Insert the password */ + len = strlen (c_password); + if (len > pin_max) + len = pin_max; + memcpy (pin, c_password, len); + pin[len] = '\0'; + + /* Wipe out the password on the stack and in the Lisp string */ + args[0] = lsp_password; + args[1] = make_char ('*'); + Ffill (2, args); + memset (c_password, '*', strlen (c_password)); + return GNUTLS_E_SUCCESS; +} + +static void xfree_for_gnutls (void *ptr) +{ + /* GnuTLS sometimes tries to free NULL */ + if (ptr != NULL) + xfree (ptr); +} + +void +init_tls (void) +{ + int err = GNUTLS_E_SUCCESS; + + /* Tell gnutls to use our memory allocation functions */ + gnutls_global_set_mem_functions ((void * (*)(size_t)) xmalloc, + (void * (*)(size_t)) xmalloc, + NULL, + (void * (*)(void *, size_t)) xrealloc, + xfree_for_gnutls); + + /* Initialize the library */ + err = gnutls_global_init (); + if (err != GNUTLS_E_SUCCESS) + signal_error (Qtls_error, "gnutls_global_init", GNUTLS_ERRSTR (err)); + + /* Load the trusted CA certificates */ + err = gnutls_certificate_allocate_credentials (&global_cred); + if (err != GNUTLS_E_SUCCESS) + signal_error (Qtls_error, "gnutls_certificate_allocate_credentials", + GNUTLS_ERRSTR (err)); + err = gnutls_certificate_set_x509_system_trust (global_cred); + if (err == 0) + signal_error (Qtls_error, "gnutls: no system certificates found", Qnil); + if (err < 0) + signal_error (Qtls_error, "gnutls_certificate_set_x509_system_trust", + GNUTLS_ERRSTR (err)); + + /* Setup password gathering */ + gnutls_pkcs11_set_pin_function (gnutls_pk11_password, NULL); +} +#endif /* HAVE_GNUTLS */ + +#ifdef HAVE_OPENSSL +#include <unistd.h> +#include <openssl/conf.h> +#include <openssl/err.h> + +/* The context used to create connections */ +static SSL_CTX *ssl_ctx; + +static Lisp_Object +openssl_error_string (void) +{ + Lisp_Object args[5]; + unsigned long err = ERR_get_error (); + + args[0] = build_ascstring (ERR_lib_error_string (err)); + args[1] = build_ascstring (":"); + args[2] = build_ascstring (ERR_func_error_string (err)); + args[3] = build_ascstring (":"); + args[4] = build_ascstring (ERR_reason_error_string (err)); + return Fconcat (5, args); +} + +static unsigned long +openssl_report_error_stack (const char *msg, const SSL *ssl) +{ + unsigned long err = ERR_get_error (); + if (err > 0UL) + { + if (ERR_GET_LIB (err) == ERR_LIB_SSL && + ERR_GET_REASON (err) == SSL_R_CERTIFICATE_VERIFY_FAILED) + { + long cert_err = SSL_get_verify_result (ssl); + warn_when_safe (Qtls_error, Qerror, "%s:%s", msg, + X509_verify_cert_error_string (cert_err)); + } + else + { + const char *lib = ERR_lib_error_string (err); + const char *func = ERR_func_error_string (err); + const char *reason = ERR_reason_error_string (err); + warn_when_safe (Qtls_error, Qerror, "%s:%s:%s:%s", msg, + lib == NULL ? "<unknown>" : lib, + func == NULL ? "<unknown>" : func, + reason == NULL ? "<unknown>" : reason); + } + } + return err; +} + +/* Return values: + * -1 = fatal error, caller should exit + * 0 = no error, caller should continue + * 1 = nonfatal error, caller should retry + */ +static int +openssl_report_error_num (const char *msg, const SSL *ssl, int ret, int retry) +{ + int errno_copy = errno; + int ssl_error = SSL_get_error (ssl, ret); + int err; + + switch (ssl_error) + { + case SSL_ERROR_NONE: + case SSL_ERROR_ZERO_RETURN: + err = 0; + break; + case SSL_ERROR_WANT_READ: + case SSL_ERROR_WANT_WRITE: + err = retry; + break; + case SSL_ERROR_WANT_CONNECT: + case SSL_ERROR_WANT_ACCEPT: + case SSL_ERROR_WANT_X509_LOOKUP: + err = 1; + break; + case SSL_ERROR_SYSCALL: + if (openssl_report_error_stack (msg, ssl) == 0UL && ret < 0) + warn_when_safe (Qtls_error, Qerror, "%s: %s", msg, + strerror (errno_copy)); + err = ret; + break; + case SSL_ERROR_SSL: + openssl_report_error_stack (msg, ssl); + err = -1; + break; + default: + warn_when_safe (Qtls_error, Qerror, "%s: error %d", msg, ssl_error); + err = -1; + break; + } + errno = errno_copy; + return err; +} + +int +tls_get_fd (tls_state_t *state) +{ + return SSL_get_fd (state->tls_connection); +} + +Bytecount +tls_read (tls_state_t *state, unsigned char *data, Bytecount size, + unsigned int allow_quit) +{ + int action, bytes; + + if (SSL_get_shutdown (state->tls_connection)) + return 0; + + bytes = SSL_read (state->tls_connection, data, size); + action = (bytes > 0) ? 0 + : openssl_report_error_num ("SSL_read", state->tls_connection, bytes, 0); + while (bytes <= 0 && action > 0) + { + if (allow_quit) + QUIT; + bytes = SSL_read (state->tls_connection, data, size); + action = (bytes > 0) ? 0 + : openssl_report_error_num ("SSL_read", state->tls_connection, + bytes, 0); + } + return (Bytecount) bytes; +} + +Bytecount +tls_write (tls_state_t *state, const unsigned char *data, Bytecount size, + unsigned int allow_quit) +{ + int action, bytes; + + if (SSL_get_shutdown (state->tls_connection)) + return 0; + + bytes = SSL_write (state->tls_connection, data, size); + action = (bytes > 0) ? 0 + : openssl_report_error_num ("SSL_write", state->tls_connection, bytes, 0); + while (bytes <= 0 && action > 0) + { + if (allow_quit) + QUIT; + bytes = SSL_write (state->tls_connection, data, size); + action = (bytes > 0) ? 0 + : openssl_report_error_num ("SSL_write", state->tls_connection, + bytes, 0); + } + return (Bytecount) bytes; +} + +int +tls_close (tls_state_t *state) +{ + if (--state->tls_refcount == 0) + { + int err, fd; + + fd = SSL_get_fd (state->tls_connection); + if (SSL_get_shutdown (state->tls_connection) == 0) + { + err = SSL_shutdown (state->tls_connection); + if (err < 0 && errno == EBADF) + err = 0; + if (err < 0) + openssl_report_error_num ("SSL_shutdown failed", + state->tls_connection, err, 0); + } + else + { + err = 0; + } + close (fd); + SSL_free (state->tls_connection); + xfree (state); + return err > 0 ? 0 : err; + } + return 0; +} + +tls_state_t * +tls_open (int s, const Extbyte *hostname) +{ + tls_state_t *openssl; + X509 *peer_cert = NULL; + const int val = 1; + int err; + long cert_err; + + /* Disable Nagle's algorithm */ + setsockopt (s, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val)); + + /* Create the state object */ + openssl = xmalloc (sizeof (*openssl)); + openssl->tls_refcount = 2; + + /* Create the connection object */ + openssl->tls_connection = SSL_new (ssl_ctx); + if (openssl->tls_connection == NULL) + { + openssl_report_error_stack ("SSL_new failed", NULL); + goto error; + } + if (SSL_set_fd (openssl->tls_connection, s) == 0) + { + openssl_report_error_stack ("SSL_set_fd", openssl->tls_connection); + goto error; + } + + /* Enable the ServerNameIndication extension */ + if (hostname != NULL && + !SSL_set_tlsext_host_name (openssl->tls_connection, hostname)) + { + openssl_report_error_stack ("SSL_set_tlsext_host_name failed", + openssl->tls_connection); + goto error; + } + + /* Perform the handshake */ + err = SSL_connect (openssl->tls_connection); + while (err != 1) + { + int action = openssl_report_error_num ("SSL_connect failed", + openssl->tls_connection, err, 1); + if (action < 0) + goto error; + err = SSL_connect (openssl->tls_connection); + } + + /* Get the server certificate */ + peer_cert = SSL_get_peer_certificate (openssl->tls_connection); + if (peer_cert == NULL) + { + warn_when_safe (Qtls_error, Qerror, + "Peer did not present a certificate"); + goto error; + } + + cert_err = SSL_get_verify_result (openssl->tls_connection); + if (cert_err != X509_V_OK) + { + warn_when_safe (Qtls_error, Qerror, + "Peer certificate verification failure:%s", + X509_verify_cert_error_string (cert_err)); + goto error; + } + +#ifdef HAVE_X509_CHECK_HOST + err = X509_check_host (peer_cert, (const unsigned char *) hostname, + strlen (hostname), 0); + if (err < 0) + { + warn_when_safe (Qtls_error, Qerror, + "Out of memory while checking certificate"); + goto error; + } + if (err == 0) + { + warn_when_safe (Qtls_error, Qerror, + "Peer certificate verification failure"); + goto error; + } +#endif + X509_free (peer_cert); + + return openssl; + + error: + if (openssl->tls_connection != NULL) + SSL_free (openssl->tls_connection); + xfree (openssl); + errno = EACCES; + return NULL; +} + +/* Set the key and certificate files to use */ +static void +tls_set_x509_key_file (const Extbyte *certfile, const Extbyte *keyfile) +{ + int err; + + err = SSL_CTX_use_PrivateKey_file (ssl_ctx, keyfile, SSL_FILETYPE_PEM); + if (err <= 0) + signal_error (Qtls_error, "SSL_CTX_use_PrivateKey_file", + openssl_error_string ()); + err = SSL_CTX_use_certificate_file (ssl_ctx, certfile, SSL_FILETYPE_PEM); + if (err <= 0) + signal_error (Qtls_error, "SSL_CTX_use_certificate_file", + openssl_error_string ()); +} + +/* Function that gathers passwords for PKCS #11 tokens. */ +static int +openssl_password (char *buf, int size, int UNUSED (rwflag), + void *UNUSED (userdata)) +{ + Lisp_Object lsp_password, args[2]; + Extbyte *c_password; + + lsp_password = + call1 (Qread_password, concat2 (prompt, build_ascstring ("PEM"))); + c_password = LISP_STRING_TO_EXTERNAL (lsp_password, Qnative); + strncpy (buf, c_password, size); + + /* Wipe out the password on the stack and in the Lisp string */ + args[0] = lsp_password; + args[1] = make_char ('*'); + Ffill (2, args); + memset (c_password, '*', strlen (c_password)); + return (int) strlen (buf); +} + +void +init_tls (void) +{ + /* Load the default configuration */ + OPENSSL_config (NULL); + + /* Tell openssl to use our memory allocation functions */ + CRYPTO_set_mem_functions ((void * (*)(size_t)) xmalloc, + (void * (*)(void *, size_t)) xrealloc, + xfree_1); + + /* Load human-readable error messages */ + SSL_load_error_strings (); + + /* Initialize the library */ + SSL_library_init (); + + /* Configure a client connection context, and send a handshake for the + * highest supported TLS version. */ + ssl_ctx = SSL_CTX_new (SSLv23_client_method ()); + if (ssl_ctx == NULL) + signal_error (Qtls_error, "SSL_CTX_new failed", openssl_error_string ()); + + /* Disallow SSLv2 and disable compression. */ + SSL_CTX_set_options (ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION); + + /* Set various useful mode bits */ + SSL_CTX_set_mode (ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | + SSL_MODE_AUTO_RETRY | SSL_MODE_RELEASE_BUFFERS); + + /* Let the system select the ciphers */ + if (SSL_CTX_set_cipher_list (ssl_ctx, "PROFILE=SYSTEM") != 1) + signal_error (Qtls_error, "SSL_CTX_set_cipher_list failed", + openssl_error_string ()); + + /* Load the set of trusted root certificates. */ + if (!SSL_CTX_set_default_verify_paths (ssl_ctx)) + signal_error (Qtls_error, "SSL_CTX_set_default_verify_paths failed", + openssl_error_string ()); + + /* Setup password gathering */ + SSL_CTX_set_default_passwd_cb (ssl_ctx, openssl_password); +} +#endif /* HAVE_OPENSSL */ + +#ifdef WITH_TLS +tls_state_t * +tls_negotiate (int fd, const Extbyte *host, Lisp_Object keylist) +{ + Lisp_Object tail; + + for (tail = keylist; CONSP (tail); tail = XCDR (tail)) + { + Lisp_Object keyfile = Fcar (XCAR (tail)); + Lisp_Object certfile = Fcar (Fcdr (XCAR (tail))); + Extbyte *c_keyfile, *c_certfile; + + if (!STRINGP (keyfile)) + invalid_argument ("Keyfile must be a filename", keyfile); + if (!STRINGP (certfile)) + invalid_argument ("Certfile must be a filename", certfile); + + c_keyfile = LISP_STRING_TO_EXTERNAL (keyfile, Qfile_name); + c_certfile = LISP_STRING_TO_EXTERNAL (certfile, Qfile_name); + tls_set_x509_key_file (c_certfile, c_keyfile); + } + return tls_open (fd, host); +} +#endif /* WITH_TLS */ + +#ifndef WITH_TLS +void +init_tls (void) +{ +} +#endif /* !WITH_TLS */ + +void +syms_of_tls (void) +{ +#ifdef WITH_TLS + DEFSYMBOL (Qread_password); +#endif + DEFERROR (Qtls_error, "TLS error", Qerror); +} + +void +vars_of_tls (void) +{ +#ifdef WITH_TLS + staticpro (&prompt); + prompt = build_ascstring ("Password for "); + Fprovide (intern ("tls")); +#ifdef HAVE_NSS + Fprovide (intern ("tls-nss")); +#endif +#ifdef HAVE_GNUTLS + Fprovide (intern ("tls-gnutls")); +#endif +#ifdef HAVE_OPENSSL + Fprovide (intern ("tls-openssl")); +#endif +#endif +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/tls.h Tue Oct 07 21:16:10 2014 -0600 @@ -0,0 +1,96 @@ +/* Transport Layer Security implementation -- header file. + Copyright (C) 2014 Jerry James + +This file is part of XEmacs. + +XEmacs is free software: you can redistribute it and/or modify it +under the terms of the GNU General Public License as published by the +Free Software Foundation, either version 3 of the License, or (at your +option) any later version. + +XEmacs is distributed in the hope that it will be useful, but WITHOUT +ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +for more details. + +You should have received a copy of the GNU General Public License +along with XEmacs. If not, see <http://www.gnu.org/licenses/>. */ + +/* Synched up with: Not in FSF. */ + +/* Written by Jerry James. */ + +#ifndef INCLUDED_tls_h_ +#define INCLUDED_tls_h_ + +extern Lisp_Object Qtls_error; + +void syms_of_tls (void); +void vars_of_tls (void); +void init_tls (void); + +#ifdef WITH_TLS + +#ifdef HAVE_NSS +#include <prio.h> + +#define TLS_SETUP_SOCK 0 + +typedef struct tls_state +{ + PRFileDesc *tls_file_desc; + int tls_refcount; +} tls_state_t; +#endif + +#ifdef HAVE_GNUTLS +#include <gnutls/gnutls.h> + +#define TLS_SETUP_SOCK 1 + +typedef struct tls_state +{ + gnutls_session_t tls_session; + int tls_refcount; +} tls_state_t; +#endif + +#ifdef HAVE_OPENSSL +# include <openssl/ssl.h> + +#define TLS_SETUP_SOCK 1 + +typedef struct tls_state +{ + SSL *tls_connection; + int tls_refcount; +} tls_state_t; +#endif + +tls_state_t *tls_open (int, const Extbyte *); +tls_state_t *tls_negotiate (int, const Extbyte *, Lisp_Object); +void tls_close_connection (tls_state_t *); +Lisp_Object make_tls_output_stream (tls_state_t *); +Lisp_Object make_tls_input_stream (tls_state_t *); +int tls_get_fd (tls_state_t *); +Bytecount tls_read (tls_state_t *, unsigned char *, Bytecount, unsigned int); +Bytecount tls_write (tls_state_t *, const unsigned char *, Bytecount, + unsigned int); +int tls_close (tls_state_t *); +#else /* WITH_TLS */ +typedef int tls_state_t; +#define TLS_SETUP_SOCK 1 +#define tls_open(x,y) \ + signal_error (Qtls_error, "TLS support unavailable", Qnil), NULL +#define tls_negotiate(x,y,z) NULL +#define make_tls_input_stream(x) \ + signal_error (Qtls_error, "TLS support unavailable", Qnil), NULL +#define make_tls_output_stream(x) \ + signal_error (Qtls_error, "TLS support unavailable", Qnil), NULL +#define tls_get_fd(x, y) -1 +#define tls_read(w,x,y,z) -1 +#define tls_write(w,x,y,z) -1 +#define tls_close(x) -1 +#endif /* WITH_TLS */ + +#endif /* INCLUDED_tls_h_ */