unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#50507: New function in Emacs GnuTLS implementation
@ 2021-09-10 10:39 Nikolaos Chatzikonstantinou
  2021-09-10 12:39 ` Eli Zaretskii
  2022-12-30 20:45 ` Mattias Engdegård
  0 siblings, 2 replies; 47+ messages in thread
From: Nikolaos Chatzikonstantinou @ 2021-09-10 10:39 UTC (permalink / raw)
  To: 50507


Hello bug-gnu-emacs,

I am looking at the src/gnutls.c:gnutls-boot function for the purpose of
modifying it to use the function gnutls_certificate_set_x509_key_file2
instead of gnutls_certificate_set_x509_key_file. (Note the missing `2')

The reason for this addition would be to protect the key with a
password. Note that the pass parameter may be NULL.

Moreover, the Emacs functionality could do with more than just file
access; users could provide their certificates and keys that lie in
memory instead of a file. This may be useful.

I am sending this e-mail to gauge interest in this as a proposal. It
makes sense to me but I am not very experienced. How does one submit
a patch for Emacs? Is it via the mailing lists by attaching a diff
hunk?

Thank you for your attention.

Regards,
Nikolaos Chatzikonstantinou

^ permalink raw reply	[flat|nested] 47+ messages in thread

* bug#50507: New function in Emacs GnuTLS implementation
  2021-09-10 10:39 bug#50507: New function in Emacs GnuTLS implementation Nikolaos Chatzikonstantinou
@ 2021-09-10 12:39 ` Eli Zaretskii
  2021-09-11 15:28   ` Nikolaos Chatzikonstantinou
  2022-12-30 20:45 ` Mattias Engdegård
  1 sibling, 1 reply; 47+ messages in thread
From: Eli Zaretskii @ 2021-09-10 12:39 UTC (permalink / raw)
  To: Nikolaos Chatzikonstantinou; +Cc: 50507

> From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
> Date: Fri, 10 Sep 2021 19:39:52 +0900
> 
> I am looking at the src/gnutls.c:gnutls-boot function for the purpose of
> modifying it to use the function gnutls_certificate_set_x509_key_file2
> instead of gnutls_certificate_set_x509_key_file. (Note the missing `2')
> 
> The reason for this addition would be to protect the key with a
> password. Note that the pass parameter may be NULL.

Do you intend to make the change unconditionally, or do you intend to
make it an optional feature?

And what is the minimal GnuTLS version which provided this function?

> I am sending this e-mail to gauge interest in this as a proposal. It
> makes sense to me but I am not very experienced. How does one submit
> a patch for Emacs? Is it via the mailing lists by attaching a diff
> hunk?

Yes, you provide a patch as an attachment, preferably in the "git
format-patch" format.  See the file CONTRIBUTE in the Emacs Git
repository for more details.

Thanks.


* bug#50507: New function in Emacs GnuTLS implementation
  2021-09-10 12:39 ` Eli Zaretskii
@ 2021-09-11 15:28   ` Nikolaos Chatzikonstantinou
  2021-09-11 15:34     ` Eli Zaretskii
  2022-08-25 15:07     ` Lars Ingebrigtsen
  0 siblings, 2 replies; 47+ messages in thread
From: Nikolaos Chatzikonstantinou @ 2021-09-11 15:28 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 50507


> From: Eli Zaretskii <eliz@gnu.org>
> Date: Fri, 10 Sep 2021 15:39:35 +0300
> > From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
> > Date: Fri, 10 Sep 2021 19:39:52 +0900
> >
> > I am looking at the src/gnutls.c:gnutls-boot function for the
> > purpose of modifying it to use the function
> > gnutls_certificate_set_x509_key_file2
> > instead of gnutls_certificate_set_x509_key_file. (Note the missing
> > `2')
> >
> > The reason for this addition would be to protect the key with a
> > password. Note that the pass parameter may be NULL.
>
> Do you intend to make the change unconditionally, or do you intend to
> make it an optional feature?
>
> And what is the minimal GnuTLS version which provided this function?

I intend to introduce new functions without changing any of the others.
The following functions were added at 2013-04-08:

        gnutls_certificate_set_x509_key_file2
        gnutls_certificate_set_x509_key_mem2

Versions after 3.2 and 3.1.11 include them. Although it appears
straightforward to introduce them, my plan is to spend some time
acclimating myself with GnuTLS and the Emacs implementation to ensure
that I did it right, and then I'll submit a patch. Does it sound good?

Regards,
Nikolaos Chatzikonstantinou

* bug#50507: New function in Emacs GnuTLS implementation
  2021-09-11 15:28   ` Nikolaos Chatzikonstantinou
@ 2021-09-11 15:34     ` Eli Zaretskii
  2021-09-11 15:52       ` Eli Zaretskii
  2022-08-25 15:07     ` Lars Ingebrigtsen
  1 sibling, 1 reply; 47+ messages in thread
From: Eli Zaretskii @ 2021-09-11 15:34 UTC (permalink / raw)
  To: Nikolaos Chatzikonstantinou; +Cc: 50507

> From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
> Date: Sun, 12 Sep 2021 00:28:33 +0900
> Cc: 50507@debbugs.gnu.org
> 
> > > The reason for this addition would be to protect the key with a
> > > password. Note that the pass parameter may be NULL.
> >
> > Do you intend to make the change unconditionally, or do you intend to
> > make it an optional feature?
> >
> > And what is the minimal GnuTLS version which provided this function?
> 
> I intend to introduce new functions without changing any of the others.
> The following functions were added at 2013-04-08:
> 
>         gnutls_certificate_set_x509_key_file2
>         gnutls_certificate_set_x509_key_mem2
> 
> Versions after 3.2 and 3.1.11 include them. Although it appears
> straightforward to introduce them, my plan is to spend some time
> acclimating myself with GnuTLS and the Emacs implementation to ensure
> that I did it right, and then I'll submit a patch. Does it sound good?

Yes, SGTM.  Thank you very much for working on this.


* bug#50507: New function in Emacs GnuTLS implementation
  2021-09-11 15:34     ` Eli Zaretskii
@ 2021-09-11 15:52       ` Eli Zaretskii
  0 siblings, 0 replies; 47+ messages in thread
From: Eli Zaretskii @ 2021-09-11 15:52 UTC (permalink / raw)
  To: nchatz314; +Cc: 50507

> Date: Sat, 11 Sep 2021 18:34:31 +0300
> From: Eli Zaretskii <eliz@gnu.org>
> Cc: 50507@debbugs.gnu.org
> 
> > Versions after 3.2 and 3.1.11 include them. Although it appears
> > straightforward to introduce them, my plan is to spend some time
> > acclimating myself with GnuTLS and the Emacs implementation to ensure
> > that I did it right, and then I'll submit a patch. Does it sound good?
> 
> Yes, SGTM.  Thank you very much for working on this.

And, of course, don't hesitate to ask questions if something in the
existing implementation is unclear.


* bug#50507: New function in Emacs GnuTLS implementation
  2021-09-11 15:28   ` Nikolaos Chatzikonstantinou
  2021-09-11 15:34     ` Eli Zaretskii
@ 2022-08-25 15:07     ` Lars Ingebrigtsen
  2022-09-14 15:51       ` Nikolaos Chatzikonstantinou
  1 sibling, 1 reply; 47+ messages in thread
From: Lars Ingebrigtsen @ 2022-08-25 15:07 UTC (permalink / raw)
  To: Nikolaos Chatzikonstantinou; +Cc: 50507, Eli Zaretskii

Nikolaos Chatzikonstantinou <nchatz314@gmail.com> writes:

> Versions after 3.2 and 3.1.11 include them. Although it appears
> straightforward to introduce them, my plan is to spend some time
> acclimating myself with GnuTLS and the Emacs implementation to ensure
> that I did it right, and then I'll submit a patch. Does it sound good?

Sounds good to me.

This was almost a year ago -- did you get any further with this?


* bug#50507: New function in Emacs GnuTLS implementation
  2022-08-25 15:07     ` Lars Ingebrigtsen
@ 2022-09-14 15:51       ` Nikolaos Chatzikonstantinou
  2022-09-15  7:09         ` Lars Ingebrigtsen
  0 siblings, 1 reply; 47+ messages in thread
From: Nikolaos Chatzikonstantinou @ 2022-09-14 15:51 UTC (permalink / raw)
  To: Lars Ingebrigtsen; +Cc: 50507, Eli Zaretskii

On Thu, Aug 25, 2022 at 11:07 AM Lars Ingebrigtsen <larsi@gnus.org> wrote:
>
> Nikolaos Chatzikonstantinou <nchatz314@gmail.com> writes:
>
> > Versions after 3.2 and 3.1.11 include them. Although it appears
> > straightforward to introduce them, my plan is to spend some time
> > acclimating myself with GnuTLS and the Emacs implementation to ensure
> > that I did it right, and then I'll submit a patch. Does it sound good?
>
> Sounds good to me.
>
> This was almost a year ago -- did you get any further with this?

Thanks for reminding me of this.

I spent my time learning some cryptography and doing other
things, unrelated to Emacs. I feel better equipped now to tackle
this issue, but it will take some time, I expect a month or
less. Luckily I have a lot of free time right now.

My goal is to increase the completion of the Emacs wrapper of
GnuTLS. Originally I cared only to add enough to implement
encryption-at-rest for the circe IRC client.


* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-14 15:51       ` Nikolaos Chatzikonstantinou
@ 2022-09-15  7:09         ` Lars Ingebrigtsen
  2022-09-26  9:56           ` Nikolaos Chatzikonstantinou
  0 siblings, 1 reply; 47+ messages in thread
From: Lars Ingebrigtsen @ 2022-09-15  7:09 UTC (permalink / raw)
  To: Nikolaos Chatzikonstantinou; +Cc: 50507, Eli Zaretskii

Nikolaos Chatzikonstantinou <nchatz314@gmail.com> writes:

> I spent my time learning some cryptography and doing other
> things, unrelated to Emacs. I feel better equipped now to tackle
> this issue, but it will take some time, I expect a month or
> less. Luckily I have a lot of free time right now.
>
> My goal is to increase the completion of the Emacs wrapper of
> GnuTLS. Originally I cared only to add enough to implement
> encryption-at-rest for the circe IRC client.

Great; looking forward to it.


* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-15  7:09         ` Lars Ingebrigtsen
@ 2022-09-26  9:56           ` Nikolaos Chatzikonstantinou
  2022-09-26 11:03             ` Lars Ingebrigtsen
  0 siblings, 1 reply; 47+ messages in thread
From: Nikolaos Chatzikonstantinou @ 2022-09-26  9:56 UTC (permalink / raw)
  To: Lars Ingebrigtsen; +Cc: 50507, Eli Zaretskii

On Thu, Sep 15, 2022 at 3:09 AM Lars Ingebrigtsen <larsi@gnus.org> wrote:
>
> Nikolaos Chatzikonstantinou <nchatz314@gmail.com> writes:
> >
> > My goal is to increase the completion of the Emacs wrapper of
> > GnuTLS. Originally I cared only to add enough to implement
> > encryption-at-rest for the circe IRC client.
>
> Great; looking forward to it.

I have a small update.

I looked into src/gnutls.c to see which functions are implemented. In
total, there are 19 functions defined with DEFUN:

    gnutls-hash-digest
    gnutls-format-certificate
    gnutls-peer-status-warning-describe
    gnutls-peer-status
    gnutls-deinit
    gnutls-hash-mac
    gnutls-errorp
    gnutls-error-fatalp
    gnutls-error-string
    gnutls-macs
    gnutls-digests
    gnutls-ciphers
    gnutls-available-p
    gnutls-boot
    gnutls-bye
    gnutls-asynchronous-parameters
    gnutls-get-initstage
    gnutls-symmetric-encrypt
    gnutls-symmetric-decrypt

However, I suspect that this API is not used by most
packages. Instead, these functions are called from Emacs'
make-network-process and friends in src/process.c. If I just dump new
gnutls functions in src/gnutls.c, they might not be accessible for
use, or I might duplicate functionality.

Before I make sensible changes to src/gnutls.c, I would need to
understand better how the functions are used in
src/process.c. However, that file is lacking function
comments. Therefore, since I'll be studying it anyhow, I suggest that
my first patch will be C documentation for those functions in
src/process.c.


* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-26  9:56           ` Nikolaos Chatzikonstantinou
@ 2022-09-26 11:03             ` Lars Ingebrigtsen
  2022-09-26 15:43               ` Nikolaos Chatzikonstantinou
  0 siblings, 1 reply; 47+ messages in thread
From: Lars Ingebrigtsen @ 2022-09-26 11:03 UTC (permalink / raw)
  To: Nikolaos Chatzikonstantinou; +Cc: 50507, Eli Zaretskii

Nikolaos Chatzikonstantinou <nchatz314@gmail.com> writes:

> However, I suspect that this API is not used by most
> packages. Instead, these functions are called from Emacs'
> make-network-process and friends in src/process.c. If I just dump new
> gnutls functions in src/gnutls.c, they might not be accessible for
> use, or I might duplicate functionality.

I'm not sure I understand what you mean here.  The point was to use
gnutls_certificate_set_x509_key_file2 instead of
gnutls_certificate_set_x509_key_file in gnutls.c -- so that should be an
internal change in gnutls.c that nothing else should need to know about.

> Before I make sensible changes to src/gnutls.c, I would need to
> understand better how the functions are used in
> src/process.c. However, that file is lacking function
> comments. Therefore, since I'll be studying it anyhow, I suggest that
> my first patch will be C documentation for those functions in
> src/process.c.

process.c has an abundance of comments already, but if there's further
comments that would be helpful, that's welcome, of course.


* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-26 11:03             ` Lars Ingebrigtsen
@ 2022-09-26 15:43               ` Nikolaos Chatzikonstantinou
  2022-09-26 17:19                 ` Robert Pluim
  0 siblings, 1 reply; 47+ messages in thread
From: Nikolaos Chatzikonstantinou @ 2022-09-26 15:43 UTC (permalink / raw)
  To: Lars Ingebrigtsen; +Cc: 50507, Eli Zaretskii

[-- Attachment #1: Type: text/plain, Size: 1190 bytes --]

On Mon, Sep 26, 2022 at 7:03 AM Lars Ingebrigtsen <larsi@gnus.org> wrote:
>
> Nikolaos Chatzikonstantinou <nchatz314@gmail.com> writes:
>
> > However, I suspect that this API is not used by most
> > packages. Instead, these functions are called from Emacs'
> > make-network-process and friends in src/process.c. If I just dump new
> > gnutls functions in src/gnutls.c, they might not be accessible for
> > use, or I might duplicate functionality.
>
> I'm not sure I understand what you mean here.  The point was to use
> gnutls_certificate_set_x509_key_file2 instead of
> gnutls_certificate_set_x509_key_file in gnutls.c -- so that should be an
> internal change in gnutls.c that nothing else should need to know about.

Ah yes, thanks for setting me straight. I should start with
that. Actually, this is not too complicated, and I just prepared this
patch save for one thing: how should the ORed values be passed in the
last parameter?

In C, it is an 'unsigned int' of ORed values of type
'gnutls_pkcs_encrypt_flags_t', whose enumeration constants are
detailed here,
<https://gnutls.org/reference/gnutls-x509.html#gnutls-pkcs-encrypt-flags-t>

See the patch attached (do not merge yet?).

[-- Attachment #2: 0001-fix-gnutls-add-possibility-of-password-for-key-file.patch.sig --]
[-- Type: application/pgp-signature, Size: 6679 bytes --]

[-- Attachment #3: 0001-fix-gnutls-add-possibility-of-password-for-key-file.patch --]
[-- Type: text/x-patch, Size: 5783 bytes --]

From 94eec43843d5d0225a29d3574f8738719f9e4239 Mon Sep 17 00:00:00 2001
From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
Date: Mon, 26 Sep 2022 11:08:18 -0400
Subject: [PATCH] fix(gnutls): add possibility of password for key-file

The GnuTLS function

    gnutls_certificate_set_x509_key_file

is replaced by its second version

    gnutls_certificate_set_x509_key_file2

and the definitions of gnutls-boot and gnutls-boot-parameters are
modified to include the :pass and :flags keys, which are additional
parameters in the second version.

Signed-off-by: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
---
 lisp/net/gnutls.el |  7 +++++++
 src/gnutls.c       | 19 +++++++++++++++++--
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 6e3845aec1..9aab18b8fb 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -265,6 +265,7 @@ gnutls-boot-parameters
            &key type hostname priority-string
            trustfiles crlfiles keylist min-prime-bits
            verify-flags verify-error verify-hostname-error
+           pass flags
            &allow-other-keys)
   "Return a keyword list of parameters suitable for passing to `gnutls-boot'.
 
@@ -281,6 +282,10 @@ gnutls-boot-parameters
 VERIFY-HOSTNAME-ERROR is a backwards compatibility option for
 putting `:hostname' in VERIFY-ERROR.
 
+PASS is a string, the password of the key.
+
+FLAGS is an ORed sequence of gnutls_pkcs_encrypt_flags_t values.
+
 When VERIFY-ERROR is t or a list containing `:trustfiles', an
 error will be raised when the peer certificate verification fails
 as per GnuTLS' gnutls_certificate_verify_peers2.  Otherwise, only
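Review bot: the line `+FLAGS is an ORed sequence of gnutls_pkcs_encrypt_flags_t values.` asks Lisp callers to supply raw C enum values, which no Lisp code can name; accept a list of symbols here and let the C side OR them together. Both the PASS and FLAGS lines should also say whether nil is accepted and what it means, because `gnutls-boot-parameters` passes nil through for both whenever the caller omits them.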
@@ -358,6 +363,8 @@ gnutls-boot-parameters
                 :keylist ,keylist
                 :verify-flags ,verify-flags
                 :verify-error ,verify-error
+                :pass ,pass
+                :flags ,flags
                 :callbacks nil)))
 
 (defun gnutls--get-files (files)
diff --git a/src/gnutls.c b/src/gnutls.c
index a0de0238c4..c45771c58d 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -121,6 +121,9 @@ DEF_DLL_FN (int, gnutls_certificate_set_x509_crl_file,
 DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file,
 	    (gnutls_certificate_credentials_t, const char *, const char *,
 	     gnutls_x509_crt_fmt_t));
+DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file2,
+	    (gnutls_certificate_credentials_t, const char *, const char *,
+	     gnutls_x509_crt_fmt_t, const char *, unsigned int));
 #  ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST
 DEF_DLL_FN (int, gnutls_certificate_set_x509_system_trust,
 	    (gnutls_certificate_credentials_t));
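Review bot: the new `DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file2, ...)` is unconditional, while the neighbouring `gnutls_certificate_set_x509_system_trust` declaration sits under `#  ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST`. Since `_file2` only exists from GnuTLS 3.2.0, put this declaration, and the matching `LOAD_DLL_FN` and `#  define` in the two hunks below, under a version guard of the same kind, otherwise the Windows DLL loader fails outright on an older libgnutls instead of degrading to the old function.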
@@ -314,6 +317,7 @@ init_gnutls_functions (void)
   LOAD_DLL_FN (library, gnutls_certificate_set_verify_flags);
   LOAD_DLL_FN (library, gnutls_certificate_set_x509_crl_file);
   LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file);
+  LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file2);
 #  ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST
   LOAD_DLL_FN (library, gnutls_certificate_set_x509_system_trust);
 #  endif
@@ -455,6 +459,7 @@ init_gnutls_functions (void)
 #  define gnutls_certificate_set_verify_flags fn_gnutls_certificate_set_verify_flags
 #  define gnutls_certificate_set_x509_crl_file fn_gnutls_certificate_set_x509_crl_file
 #  define gnutls_certificate_set_x509_key_file fn_gnutls_certificate_set_x509_key_file
+#  define gnutls_certificate_set_x509_key_file2 fn_gnutls_certificate_set_x509_key_file2
 #  define gnutls_certificate_set_x509_system_trust fn_gnutls_certificate_set_x509_system_trust
 #  define gnutls_certificate_set_x509_trust_file fn_gnutls_certificate_set_x509_trust_file
 #  define gnutls_certificate_type_get fn_gnutls_certificate_type_get
@@ -1813,6 +1818,10 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 :complete-negotiation, if non-nil, will make negotiation complete
 before returning even on non-blocking sockets.
 
+:pass, the password of the private key.
+
+:flags, an ORed sequence of gnutls_pkcs_encrypt_flags_t.
+
 The debug level will be set for this process AND globally for GnuTLS.
 So if you set it higher or lower at any point, it affects global
 debugging.
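Review bot: the `:pass` and `:flags` docstring lines do not say what happens when they are omitted or which GnuTLS versions support them. State that nil keeps the previous behaviour, that the feature needs a recent enough GnuTLS, and what `:flags` is expected to be (a bitmask or a list of flag names); at present `an ORed sequence of gnutls_pkcs_encrypt_flags_t` is only meaningful to a C reader.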
@@ -1848,6 +1857,8 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
   Lisp_Object trustfiles;
   Lisp_Object crlfiles;
   Lisp_Object keylist;
+  Lisp_Object pass;
+  Lisp_Object flags;
   /* Lisp_Object callbacks; */
   Lisp_Object loglevel;
   Lisp_Object hostname;
@@ -1877,6 +1888,8 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
   crlfiles              = plist_get (proplist, QCcrlfiles);
   loglevel              = plist_get (proplist, QCloglevel);
   prime_bits            = plist_get (proplist, QCmin_prime_bits);
+  pass                  = plist_get (proplist, QCpass);
+  flags                 = plist_get (proplist, QCflags);
 
   if (!STRINGP (hostname))
     {
@@ -2038,8 +2051,8 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 	      keyfile = ansi_encode_filename (keyfile);
 	      certfile = ansi_encode_filename (certfile);
 # endif
-	      ret = gnutls_certificate_set_x509_key_file
-		(x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
+	      ret = gnutls_certificate_set_x509_key_file2
+		(x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format, SSDATA (pass), XUFIXNUM (flags));
 
 	      if (ret < GNUTLS_E_SUCCESS)
 		return gnutls_make_error (ret);
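Review bot: `SSDATA (pass)` and `XUFIXNUM (flags)` are applied with no type check, and both values are nil when the caller omits `:pass`/`:flags` (they come straight from `plist_get` in the hunk above), so this dereferences a non-string and, in a checking build, trips the fixnum assertion. Check `STRINGP (pass)` and `FIXNATP (flags)` first (or use `CHECK_STRING`/`CHECK_FIXNAT` to signal a proper Lisp error), pass NULL and 0 when they are absent, and consider keeping the call to `gnutls_certificate_set_x509_key_file` for that case so behaviour on GnuTLS older than 3.2 is unchanged. Note also that the passphrase arrives as an ordinary Lisp string and is not cleared after use; that should at least be documented.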
@@ -2860,6 +2873,8 @@ syms_of_gnutls (void)
   DEFSYM (QCmin_prime_bits, ":min-prime-bits");
   DEFSYM (QCloglevel, ":loglevel");
   DEFSYM (QCcomplete_negotiation, ":complete-negotiation");
+  DEFSYM (QCpass, ":pass");
+  DEFSYM (QCflags, ":flags");
   DEFSYM (QCverify_flags, ":verify-flags");
   DEFSYM (QCverify_error, ":verify-error");
 
-- 
2.37.3

* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-26 15:43               ` Nikolaos Chatzikonstantinou
@ 2022-09-26 17:19                 ` Robert Pluim
  2022-09-26 21:39                   ` Nikolaos Chatzikonstantinou
  2022-09-28 12:15                   ` Nikolaos Chatzikonstantinou
  0 siblings, 2 replies; 47+ messages in thread
From: Robert Pluim @ 2022-09-26 17:19 UTC (permalink / raw)
  To: Nikolaos Chatzikonstantinou; +Cc: 50507, Lars Ingebrigtsen, Eli Zaretskii

>>>>> On Mon, 26 Sep 2022 11:43:41 -0400, Nikolaos Chatzikonstantinou <nchatz314@gmail.com> said:
    Nikolaos> Date: Mon, 26 Sep 2022 11:08:18 -0400
    Nikolaos> Subject: [PATCH] fix(gnutls): add possibility of password for key-file

    Nikolaos> The GnuTLS function

    Nikolaos>     gnutls_certificate_set_x509_key_file

    Nikolaos> is replaced by its second version

    Nikolaos>     gnutls_certificate_set_x509_key_file2

    Nikolaos> and the definitions of gnutls-boot and gnutls-boot-parameters are
    Nikolaos> modified to include the :pass and :flags keys, which are additional
    Nikolaos> parameters in the second version.

    Nikolaos> Signed-off-by: Nikolaos Chatzikonstantinou
    Nikolaos> <nchatz314@gmail.com>

We donʼt use Signed-off-by, and the commit message has some rules
which are described in CONTRIBUTE (start at "** Commit messages" and
read up to and including "** Committing your changes")

    Nikolaos> +PASS is a string, the password of the key.
    Nikolaos> +
    Nikolaos> +FLAGS is an ORed sequence of gnutls_pkcs_encrypt_flags_t values.
    Nikolaos> +

Youʼre at the lisp level here. Perhaps you could define a mapping from
the C-level enum to lisp defconsts or similar? Or you could define it
as taking a list of flags, and then the C-code can take care of ORing
them.

    Nikolaos> +  pass                  = plist_get (proplist, QCpass);
    Nikolaos> +  flags                 = plist_get (proplist, QCflags);

pass and flags will both be 'nil' here if theyʼre not specified, so
that....

    Nikolaos>    if (!STRINGP (hostname))
    Nikolaos>      {
    Nikolaos> @@ -2038,8 +2051,8 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
    Nikolaos>  	      keyfile = ansi_encode_filename (keyfile);
    Nikolaos>  	      certfile = ansi_encode_filename (certfile);
    Nikolaos>  # endif
    Nikolaos> -	      ret = gnutls_certificate_set_x509_key_file
    Nikolaos> -		(x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
    Nikolaos> +	      ret = gnutls_certificate_set_x509_key_file2
    Nikolaos> +		(x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format, SSDATA (pass), XUFIXNUM (flags));

...this is likely to fail in that case. Or maybe not, I havenʼt tested
it, but XUFIXNUM(nil) in a build with asserts enabled will trigger an
assert and exit, I think.

In any case, if youʼre going to replace _file with _file2, you should
describe the new constraints on the arguments. e.g. Maybe having pass
as nil is OK, but then you need to say that, or maybe you need to fall
back to _file if :pass is not specified.

Robert
-- 

* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-26 17:19                 ` Robert Pluim
@ 2022-09-26 21:39                   ` Nikolaos Chatzikonstantinou
  2022-09-27  6:29                     ` Eli Zaretskii
  2022-09-28 12:15                   ` Nikolaos Chatzikonstantinou
  1 sibling, 1 reply; 47+ messages in thread
From: Nikolaos Chatzikonstantinou @ 2022-09-26 21:39 UTC (permalink / raw)
  To: Robert Pluim; +Cc: 50507, Lars Ingebrigtsen, Eli Zaretskii

On Mon, Sep 26, 2022 at 1:19 PM Robert Pluim <rpluim@gmail.com> wrote:
>
> >>>>> On Mon, 26 Sep 2022 11:43:41 -0400, Nikolaos Chatzikonstantinou <nchatz314@gmail.com> said:
>     Nikolaos> Date: Mon, 26 Sep 2022 11:08:18 -0400
>     Nikolaos> Subject: [PATCH] fix(gnutls): add possibility of password for key-file
>
>     Nikolaos> The GnuTLS function
>
>     Nikolaos>     gnutls_certificate_set_x509_key_file
>
>     Nikolaos> is replaced by its second version
>
>     Nikolaos>     gnutls_certificate_set_x509_key_file2
>
>     Nikolaos> and the definitions of gnutls-boot and gnutls-boot-parameters are
>     Nikolaos> modified to include the :pass and :flags keys, which are additional
>     Nikolaos> parameters in the second version.
>
>     Nikolaos> +PASS is a string, the password of the key.
>     Nikolaos> +
>     Nikolaos> +FLAGS is an ORed sequence of gnutls_pkcs_encrypt_flags_t values.
>     Nikolaos> +
>
> Youʼre at the lisp level here. Perhaps you could define a mapping from
> the C-level enum to lisp defconsts or similar? Or you could define it
> as taking a list of flags, and then the C-code can take care of ORing
> them.

Does Emacs code have a way to signal this C-to-lisp enum-to-defconst
map? Otherwise I will go with the keywords option.

>     Nikolaos> +  pass                  = plist_get (proplist, QCpass);
>     Nikolaos> +  flags                 = plist_get (proplist, QCflags);
>
> pass and flags will both be 'nil' here if theyʼre not specified, so
> that....
>
> <removed>
>
> ...this is likely to fail in that case. Or maybe not, I havenʼt tested
> it, but XUFIXNUM(nil) in a build with asserts enabled will trigger an
> assert and exit, I think.

Thanks, I will look into this.

> In any case, if youʼre going to replace _file with _file2, you should
> describe the new constraints on the arguments. e.g. Maybe having pass
> as nil is OK, but then you need to say that, or maybe you need to fall
> back to _file if :pass is not specified.

Okay, will do. The first version of the function exists since 0.4.0
but the second appeared "recently" in 3.2.0 (released on June
2013). Should I put some preprocessor #if checks? How would the
docstring be affected? Instead of duplicating the string (can't put
#if inside its body, it's already in a macro), perhaps I should write
that the feature is "only supported with GnuTLS 3.2.0 and above".


* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-26 21:39                   ` Nikolaos Chatzikonstantinou
@ 2022-09-27  6:29                     ` Eli Zaretskii
  0 siblings, 0 replies; 47+ messages in thread
From: Eli Zaretskii @ 2022-09-27  6:29 UTC (permalink / raw)
  To: Nikolaos Chatzikonstantinou; +Cc: 50507, rpluim, larsi

> From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
> Date: Mon, 26 Sep 2022 17:39:09 -0400
> Cc: Lars Ingebrigtsen <larsi@gnus.org>, 50507@debbugs.gnu.org, Eli Zaretskii <eliz@gnu.org>
> 
> > In any case, if youʼre going to replace _file with _file2, you should
> > describe the new constraints on the arguments. e.g. Maybe having pass
> > as nil is OK, but then you need to say that, or maybe you need to fall
> > back to _file if :pass is not specified.
> 
> Okay, will do. The first version of the function exists since 0.4.0
> but the second appeared "recently" in 3.2.0 (released on June
> 2013). Should I put some preprocessor #if checks?

Yes, we already have those in gnutls.c.  Example:

  # if GNUTLS_VERSION_NUMBER >= 0x030014
  #  define HAVE_GNUTLS_X509_SYSTEM_TRUST
  # endif

> How would the docstring be affected? Instead of duplicating the
> string (can't put #if inside its body, it's already in a macro),
> perhaps I should write that the feature is "only supported with
> GnuTLS 3.2.0 and above")

You don't have to mention the GnuTLS version explicitly, you can say
something more vague, like "supported by recent enough GnuTLS".
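Putting Robert's two suggestions (a list of flags that the C side ORs together, and falling back to the old entry point when no password is given) next to Eli's GNUTLS_VERSION_NUMBER check, here is a small stand-alone C sketch of the argument handling. It is an added example, not code from Emacs or from GnuTLS: the flag names are my own spelling of the gnutls_pkcs_encrypt_flags_t constants, the numeric values are what I believe <gnutls/x509.h> defines for them and should be taken from the header in real code, and the fallback GNUTLS_VERSION_NUMBER value is a constructed stand-in so the file compiles without the GnuTLS headers.

```c
/* Added example: map a caller-supplied list of flag names to the
   unsigned int that gnutls_certificate_set_x509_key_file2 takes, and
   decide which GnuTLS entry point to call.  Not Emacs or GnuTLS code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the macro from <gnutls/gnutls.h>, so the
   example builds without the library installed (here: GnuTLS 3.7.3). */
#ifndef GNUTLS_VERSION_NUMBER
#  define GNUTLS_VERSION_NUMBER 0x030703
#endif

/* gnutls_certificate_set_x509_key_file2 appeared in GnuTLS 3.2.0, the
   same pattern Eli quotes for HAVE_GNUTLS_X509_SYSTEM_TRUST. */
#if GNUTLS_VERSION_NUMBER >= 0x030200
#  define HAVE_GNUTLS_X509_KEY_FILE2 1
#else
#  define HAVE_GNUTLS_X509_KEY_FILE2 0
#endif

struct pkcs_flag { const char *name; unsigned int value; };

/* Names are my own; values are assumed to mirror the GnuTLS header. */
static const struct pkcs_flag pkcs_flags[] = {
  { "plain",          1u << 0 },  /* GNUTLS_PKCS_PLAIN */
  { "pkcs12-3des",    1u << 1 },  /* GNUTLS_PKCS_PKCS12_3DES */
  { "pkcs12-arcfour", 1u << 2 },  /* GNUTLS_PKCS_PKCS12_ARCFOUR */
  { "pkcs12-rc2-40",  1u << 3 },  /* GNUTLS_PKCS_PKCS12_RC2_40 */
  { "pbes2-3des",     1u << 4 },  /* GNUTLS_PKCS_PBES2_3DES */
  { "pbes2-aes-128",  1u << 5 },  /* GNUTLS_PKCS_PBES2_AES_128 */
  { "pbes2-aes-192",  1u << 6 },  /* GNUTLS_PKCS_PBES2_AES_192 */
  { "pbes2-aes-256",  1u << 7 },  /* GNUTLS_PKCS_PBES2_AES_256 */
  { "null-password",  1u << 8 },  /* GNUTLS_PKCS_NULL_PASSWORD */
};
#define N_PKCS_FLAGS (sizeof pkcs_flags / sizeof pkcs_flags[0])

/* OR the named flags together.  Returns the bitmask, or -1 on an
   unknown name so the caller can signal an error rather than silently
   dropping a misspelled flag. */
long pkcs_flags_from_names (const char *const *names, size_t n)
{
  unsigned int acc = 0;
  for (size_t i = 0; i < n; i++)
    {
      size_t j = 0;
      while (j < N_PKCS_FLAGS && strcmp (names[i], pkcs_flags[j].name) != 0)
        j++;
      if (j == N_PKCS_FLAGS)
        return -1;
      acc |= pkcs_flags[j].value;
    }
  return (long) acc;
}

enum key_loader { LOADER_FILE = 0, LOADER_FILE2 = 1, LOADER_UNSUPPORTED = 2 };

/* A nil :pass (NULL here) with no flags keeps the old behaviour via
   gnutls_certificate_set_x509_key_file, so existing callers and old
   GnuTLS builds are unaffected; a password or flags need the _file2
   variant and therefore a recent enough GnuTLS. */
enum key_loader choose_key_loader (const char *pass, unsigned int flags)
{
  if (pass == NULL && flags == 0)
    return LOADER_FILE;
  return HAVE_GNUTLS_X509_KEY_FILE2 ? LOADER_FILE2 : LOADER_UNSUPPORTED;
}

/* Constructed sample inputs. */
static const char *const sample_names[] = { "pbes2-aes-256", "pkcs12-3des" };
static const char *const bad_names[]    = { "pbes2-aes-256", "pbes2-rot13" };

int main (void)
{
  long flags = pkcs_flags_from_names (sample_names, 2);
  if (flags < 0)
    return 1;
  printf ("flags=0x%lx loader=%d\n", flags,
          (int) choose_key_loader ("constructed-passphrase",
                                   (unsigned int) flags));
  return 0;
}
```

The point of returning -1 on an unknown name is that a typo in a flag list must not degrade to "no flags": with private-key encryption settings, silently doing less than asked is the failure mode to design against.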


* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-26 17:19                 ` Robert Pluim
  2022-09-26 21:39                   ` Nikolaos Chatzikonstantinou
@ 2022-09-28 12:15                   ` Nikolaos Chatzikonstantinou
  2022-09-28 13:11                     ` Robert Pluim
  1 sibling, 1 reply; 47+ messages in thread
From: Nikolaos Chatzikonstantinou @ 2022-09-28 12:15 UTC (permalink / raw)
  To: Robert Pluim; +Cc: 50507, Lars Ingebrigtsen, Eli Zaretskii

[-- Attachment #1: Type: text/plain, Size: 1141 bytes --]

On Mon, Sep 26, 2022 at 1:19 PM Robert Pluim <rpluim@gmail.com> wrote:
>
> >>>>> On Mon, 26 Sep 2022 11:43:41 -0400, Nikolaos Chatzikonstantinou <nchatz314@gmail.com> said:
>     Nikolaos> Date: Mon, 26 Sep 2022 11:08:18 -0400
>     Nikolaos> Subject: [PATCH] fix(gnutls): add possibility of password for key-file
>
>     Nikolaos> The GnuTLS function
>
>     Nikolaos>     gnutls_certificate_set_x509_key_file
>
>     Nikolaos> is replaced by its second version
>
>     Nikolaos>     gnutls_certificate_set_x509_key_file2
>
>     Nikolaos> and the definitions of gnutls-boot and gnutls-boot-parameters are
>     Nikolaos> modified to include the :pass and :flags keys, which are additional
>     Nikolaos> parameters in the second version.
>
>     Nikolaos> Signed-off-by: Nikolaos Chatzikonstantinou
>     Nikolaos> <nchatz314@gmail.com>
>
> We donʼt use Signed-off-by, and the commit message has some rules
> which are described in CONTRIBUTE (start at "** Commit messages" and
> read up to and including "** Committing your changes")

Okay, I'm submitting this patch with corrections included, see attachment.

[-- Attachment #2: 0001-add-pass-and-flags-to-gnutls-boot-for-keylist.patch.sig --]
[-- Type: application/pgp-signature, Size: 11551 bytes --]


* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-28 12:15                   ` Nikolaos Chatzikonstantinou
@ 2022-09-28 13:11                     ` Robert Pluim
  2022-09-29  3:09                       ` Nikolaos Chatzikonstantinou
  0 siblings, 1 reply; 47+ messages in thread
From: Robert Pluim @ 2022-09-28 13:11 UTC (permalink / raw)
  To: Nikolaos Chatzikonstantinou; +Cc: 50507, Lars Ingebrigtsen, Eli Zaretskii

>>>>> On Wed, 28 Sep 2022 08:15:26 -0400, Nikolaos Chatzikonstantinou <nchatz314@gmail.com> said:


    Nikolaos> Okay, I'm submitting this patch with corrections included, see attachment.

I see a .sig attachment, but no patch (we donʼt currently require
signing of commits at all, but I guess thereʼs nothing stopping people
from doing it).

Regards

Robert

* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-28 13:11                     ` Robert Pluim
@ 2022-09-29  3:09                       ` Nikolaos Chatzikonstantinou
  2022-09-29  8:17                         ` Eli Zaretskii
  2022-09-29  9:02                         ` Robert Pluim
  0 siblings, 2 replies; 47+ messages in thread
From: Nikolaos Chatzikonstantinou @ 2022-09-29  3:09 UTC (permalink / raw)
  To: Robert Pluim; +Cc: 50507, Lars Ingebrigtsen, Eli Zaretskii

On Wed, Sep 28, 2022 at 9:11 AM Robert Pluim <rpluim@gmail.com> wrote:
>
> >>>>> On Wed, 28 Sep 2022 08:15:26 -0400, Nikolaos Chatzikonstantinou <nchatz314@gmail.com> said:
>
>
>     Nikolaos> Okay, I'm submitting this patch with corrections included, see attachment.
>
> I see a .sig attachment, but no patch (we donʼt currently require
> signing of commits at all, but I guess thereʼs nothing stopping people
> from doing it).

My bad, here it is. I also added "Copyright-paperwork-exempt: yes" (or
will this require paperwork?) and gave the helper function static
linkage in src/gnutls.c.

[-- Attachment #2: 0001-add-pass-and-flags-to-gnutls-boot-for-keylist.patch --]
[-- Type: text/x-patch, Size: 10708 bytes --]

From b11707c423773f6234746991222acd80ab3f708c Mon Sep 17 00:00:00 2001
From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
Date: Mon, 26 Sep 2022 11:08:18 -0400
Subject: [PATCH] add :pass and :flags to gnutls-boot for :keylist

* lisp/net/gnutls.el (gnutls-boot-parameters): add the keys :pass and
:flags, and update the documentation.
* src/gnutls.c (gnutls-boot): add the keys :pass and :flags, and
update the documentation.
(syms_of_gnutls): add the symbols :pass, :flags, and the symbols that
correspond to the enumeration constants of the GnuTLS enum
`gnutls_pkcs_encrypt_flags_t`.
; (key_file2_aux): private helper function that translates a list of
; symbols to its corresponding `unsigned int` value of the GnuTLS C
; enum `gnutls_pkcs_encrypt_flags_t`.

Copyright-paperwork-exempt: yes
---
 lisp/net/gnutls.el |   7 +++
 src/gnutls.c       | 104 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 111 insertions(+)

diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 6e3845aec1..9aab18b8fb 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -265,6 +265,7 @@ gnutls-boot-parameters
            &key type hostname priority-string
            trustfiles crlfiles keylist min-prime-bits
            verify-flags verify-error verify-hostname-error
+           pass flags
            &allow-other-keys)
   "Return a keyword list of parameters suitable for passing to `gnutls-boot'.
 
@@ -281,6 +282,10 @@ gnutls-boot-parameters
 VERIFY-HOSTNAME-ERROR is a backwards compatibility option for
 putting `:hostname' in VERIFY-ERROR.
 
+PASS is a string, the password of the key.
+
+FLAGS is an ORed sequence of gnutls_pkcs_encrypt_flags_t values.
+
 When VERIFY-ERROR is t or a list containing `:trustfiles', an
 error will be raised when the peer certificate verification fails
 as per GnuTLS' gnutls_certificate_verify_peers2.  Otherwise, only
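Review bot: the line `+FLAGS is an ORed sequence of gnutls_pkcs_encrypt_flags_t values.` describes a C integer, but the C side added by this same patch (key_file2_aux) consumes a Lisp list of symbols such as GNUTLS_PKCS_PLAIN and does the ORing itself; the docstring should say "list of symbols" and point at the names accepted. `+PASS is a string, the password of the key.` should also say what a nil or absent PASS does, because with this patch a non-string :pass silently falls back to gnutls_certificate_set_x509_key_file, and a caller who believes the key is password-protected will not notice that the password was never used.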
@@ -358,6 +363,8 @@ gnutls-boot-parameters
                 :keylist ,keylist
                 :verify-flags ,verify-flags
                 :verify-error ,verify-error
+                :pass ,pass
+                :flags ,flags
                 :callbacks nil)))
 
 (defun gnutls--get-files (files)
diff --git a/src/gnutls.c b/src/gnutls.c
index a0de0238c4..2a6069e542 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -34,6 +34,7 @@
 # endif
 
 # if GNUTLS_VERSION_NUMBER >= 0x030200
+#  define HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
 #  define HAVE_GNUTLS_CIPHER_GET_IV_SIZE
 # endif
 
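Review bot: tying `HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2` to `GNUTLS_VERSION_NUMBER >= 0x030200` is not sufficient for the helper added later in this patch: key_file2_aux references GNUTLS_PKCS_PBES2_GOST_TC26Z and the other GOST_* constants, which GnuTLS added well after 3.2, so a build against a 3.2-era header that defines this macro will fail to compile. Either raise the threshold to the release that introduced the newest constant used, or guard the newer cases in key_file2_aux with their own `#ifdef GNUTLS_PKCS_PBES2_GOST_TC26Z`-style checks.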
@@ -121,6 +122,9 @@ DEF_DLL_FN (int, gnutls_certificate_set_x509_crl_file,
 DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file,
 	    (gnutls_certificate_credentials_t, const char *, const char *,
 	     gnutls_x509_crt_fmt_t));
+DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file2,
+	    (gnutls_certificate_credentials_t, const char *, const char *,
+	     gnutls_x509_crt_fmt_t, const char *, unsigned int));
 #  ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST
 DEF_DLL_FN (int, gnutls_certificate_set_x509_system_trust,
 	    (gnutls_certificate_credentials_t));
@@ -314,6 +318,7 @@ init_gnutls_functions (void)
   LOAD_DLL_FN (library, gnutls_certificate_set_verify_flags);
   LOAD_DLL_FN (library, gnutls_certificate_set_x509_crl_file);
   LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file);
+  LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file2);
 #  ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST
   LOAD_DLL_FN (library, gnutls_certificate_set_x509_system_trust);
 #  endif
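Review bot: `LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file2);` is unconditional, while the gnutls_certificate_set_x509_system_trust load directly below it is wrapped in `#  ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST`. LOAD_DLL_FN makes init_gnutls_functions fail when the symbol is missing, so an Emacs built against a new GnuTLS header but run against an older libgnutls DLL on Windows would lose TLS entirely instead of just the :pass feature. Wrap this line, the DEF_DLL_FN in the previous hunk and the `#  define` in the next one in `#  ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2`.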
@@ -455,6 +460,7 @@ init_gnutls_functions (void)
 #  define gnutls_certificate_set_verify_flags fn_gnutls_certificate_set_verify_flags
 #  define gnutls_certificate_set_x509_crl_file fn_gnutls_certificate_set_x509_crl_file
 #  define gnutls_certificate_set_x509_key_file fn_gnutls_certificate_set_x509_key_file
+#  define gnutls_certificate_set_x509_key_file2 fn_gnutls_certificate_set_x509_key_file2
 #  define gnutls_certificate_set_x509_system_trust fn_gnutls_certificate_set_x509_system_trust
 #  define gnutls_certificate_set_x509_trust_file fn_gnutls_certificate_set_x509_trust_file
 #  define gnutls_certificate_type_get fn_gnutls_certificate_type_get
@@ -1774,6 +1780,57 @@ gnutls_verify_boot (Lisp_Object proc, Lisp_Object proplist)
   return gnutls_make_error (ret);
 }
 
+/* Helper function for gnutls-boot.
+
+   The key :flags receives a lisp of symbols, each of which
+   corresponds to a GnuTLS C flag, the ORed result is to be passed to
+   the function gnutls_certificate_set_x509_key_file2() as its last
+   argument.
+*/
+static unsigned int
+key_file2_aux (Lisp_Object flags)
+{
+  unsigned int rv = 0;
+  Lisp_Object tail;
+  for (tail = flags; CONSP (tail); tail = XCDR (tail))
+    {
+      Lisp_Object flag = XCAR(tail);
+      if (EQ(flag, Qgnutls_pkcs_plain))
+	rv |= GNUTLS_PKCS_PLAIN;
+      else if(EQ(flag, Qgnutls_pkcs_pkcs12_3des))
+	rv |= GNUTLS_PKCS_PKCS12_3DES;
+      else if(EQ(flag, Qgnutls_pkcs_pkcs12_arcfour))
+	rv |= GNUTLS_PKCS_PKCS12_ARCFOUR;
+      else if(EQ(flag, Qgnutls_pkcs_pkcs12_rc2_40))
+	rv |= GNUTLS_PKCS_PKCS12_RC2_40;
+      else if(EQ(flag, Qgnutls_pkcs_pbes2_3des))
+	rv |= GNUTLS_PKCS_PBES2_3DES;
+      else if(EQ(flag, Qgnutls_pkcs_pbes2_aes_128))
+	rv |= GNUTLS_PKCS_PBES2_AES_128;
+      else if(EQ(flag, Qgnutls_pkcs_pbes2_aes_192))
+	rv |= GNUTLS_PKCS_PBES2_AES_192;
+      else if(EQ(flag, Qgnutls_pkcs_pbes2_aes_256))
+	rv |= GNUTLS_PKCS_PBES2_AES_256;
+      else if(EQ(flag, Qgnutls_pkcs_null_password))
+	rv |= GNUTLS_PKCS_NULL_PASSWORD;
+      else if(EQ(flag, Qgnutls_pkcs_pbes2_des))
+	rv |= GNUTLS_PKCS_PBES2_DES;
+      else if(EQ(flag, Qgnutls_pkcs_pbes1_des_md5))
+	rv |= GNUTLS_PKCS_PBES1_DES_MD5;
+      else if(EQ(flag, Qgnutls_pkcs_pbes2_gost_tc26z))
+	rv |= GNUTLS_PKCS_PBES2_GOST_TC26Z;
+      else if(EQ(flag, Qgnutls_pkcs_pbes2_gost_cpa))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPA;
+      else if(EQ(flag, Qgnutls_pkcs_pbes2_gost_cpb))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPB;
+      else if(EQ(flag, Qgnutls_pkcs_pbes2_gost_cpc))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPC;
+      else if(EQ(flag, Qgnutls_pkcs_pbes2_gost_cpd))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPD;
+    }
+  return rv;
+}
+
 DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
        doc: /* Initialize GnuTLS client for process PROC with TYPE+PROPLIST.
 Currently only client mode is supported.  Return a success/failure
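Review bot: key_file2_aux silently drops any element it does not recognise (the else-if chain has no final else), so a misspelled flag symbol, or a non-symbol element, leaves `rv` unchanged and the call proceeds with fewer flags than the caller asked for; signal an error for unknown elements (and for a non-list :flags) rather than ignoring them. The plain `for (tail = flags; CONSP (tail); tail = XCDR (tail))` loop also never terminates on a circular list coming from Lisp; FOR_EACH_TAIL from lisp.h handles that. Since the only caller sits under `HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2`, wrap the function in the same #ifdef to avoid an unused-static warning in other builds. Minor style: `XCAR(tail)` and `EQ(flag, ...)` should have the GNU-style space before the parenthesis like the rest of the file.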
@@ -1813,6 +1870,19 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 :complete-negotiation, if non-nil, will make negotiation complete
 before returning even on non-blocking sockets.
 
+:pass, the password of the private key as per GnuTLS'
+gnutls_certificate_set_x509_key_file2.
+
+:flags, a list of symbols relating to :pass, each specifying a flag:
+GNUTLS_PKCS_PLAIN, GNUTLS_PKCS_PKCS12_3DES,
+GNUTLS_PKCS_PKCS12_ARCFOUR, GNUTLS_PKCS_PKCS12_RC2_40,
+GNUTLS_PKCS_PBES2_3DES, GNUTLS_PKCS_PBES2_AES_128,
+GNUTLS_PKCS_PBES2_AES_192, GNUTLS_PKCS_PBES2_AES_256,
+GNUTLS_PKCS_NULL_PASSWORD, GNUTLS_PKCS_PBES2_DES,
+GNUTLS_PKCS_PBES2_DES_MD5, GNUTLS_PKCS_PBES2_GOST_TC26Z,
+GNUTLS_PKCS_PBES2_GOST_CPA, GNUTLS_PKCS_PBES2_GOST_CPB,
+GNUTLS_PKCS_PBES2_GOST_CPC, GNUTLS_PKCS_PBES2_GOST_CPD.
+
 The debug level will be set for this process AND globally for GnuTLS.
 So if you set it higher or lower at any point, it affects global
 debugging.
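Review bot: the docstring lists `GNUTLS_PKCS_PBES2_DES_MD5`, but the symbol the code actually recognises (key_file2_aux and syms_of_gnutls) is `GNUTLS_PKCS_PBES1_DES_MD5`; a user following this text would pass a symbol that is then silently ignored. It would also help to state that an omitted or nil :flags passes 0 to GnuTLS.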
@@ -1825,6 +1895,9 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 functions are used.  This function allocates resources which can only
 be deallocated by calling `gnutls-deinit' or by calling it again.
 
+The :pass and :flags keys are ignored with old versions of GnuTLS, and
+:flags is ignored if :pass is not specified.
+
 The callbacks alist can have a `verify' key, associated with a
 verification function (UNUSED).
 
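Review bot: "`:flags is ignored if :pass is not specified`" does not quite match the code, which tests `STRINGP (pass)`: `:pass nil`, a missing :pass, and a :pass of any non-string type all take the old gnutls_certificate_set_x509_key_file path without any diagnostic, and gnutls-boot-parameters always emits `:pass ,pass`, so "not specified" effectively means "nil". Say that nil and absence are equivalent, and consider rejecting a non-nil, non-string :pass with wrong_type_argument instead of silently ignoring it.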
@@ -1848,6 +1921,8 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
   Lisp_Object trustfiles;
   Lisp_Object crlfiles;
   Lisp_Object keylist;
+  Lisp_Object pass;
+  Lisp_Object flags;
   /* Lisp_Object callbacks; */
   Lisp_Object loglevel;
   Lisp_Object hostname;
@@ -1877,6 +1952,8 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
   crlfiles              = plist_get (proplist, QCcrlfiles);
   loglevel              = plist_get (proplist, QCloglevel);
   prime_bits            = plist_get (proplist, QCmin_prime_bits);
+  pass                  = plist_get (proplist, QCpass);
+  flags                 = plist_get (proplist, QCflags);
 
   if (!STRINGP (hostname))
     {
@@ -2038,8 +2115,17 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 	      keyfile = ansi_encode_filename (keyfile);
 	      certfile = ansi_encode_filename (certfile);
 # endif
+# ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+	      if (STRINGP (pass))
+		ret = gnutls_certificate_set_x509_key_file2
+		  (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format, SSDATA (pass), key_file2_aux (flags));
+	      else
+		ret = gnutls_certificate_set_x509_key_file
+		  (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
+# else
 	      ret = gnutls_certificate_set_x509_key_file
 		(x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
+# endif
 
 	      if (ret < GNUTLS_E_SUCCESS)
 		return gnutls_make_error (ret);
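Review bot: `SSDATA (pass)` hands GnuTLS the bytes of the Lisp string in Emacs's internal representation; a passphrase containing non-ASCII characters should be encoded first (the file-name arguments in the context above are run through ansi_encode_filename for the same reason), e.g. `pass = ENCODE_UTF_8 (pass);` before the call, and the chosen encoding documented so that a passphrase set with certtool or openssl round-trips. The gnutls_certificate_set_x509_key_file2 argument line is also far over the fill column; wrap it like the key_file call under `# else`.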
@@ -2860,8 +2946,26 @@ syms_of_gnutls (void)
   DEFSYM (QCmin_prime_bits, ":min-prime-bits");
   DEFSYM (QCloglevel, ":loglevel");
   DEFSYM (QCcomplete_negotiation, ":complete-negotiation");
+  DEFSYM (QCpass, ":pass");
+  DEFSYM (QCflags, ":flags");
   DEFSYM (QCverify_flags, ":verify-flags");
   DEFSYM (QCverify_error, ":verify-error");
+  DEFSYM (Qgnutls_pkcs_plain, "GNUTLS_PKCS_PLAIN");
+  DEFSYM (Qgnutls_pkcs_pkcs12_3des, "GNUTLS_PKCS_PKCS12_3DES");
+  DEFSYM (Qgnutls_pkcs_pkcs12_arcfour, "GNUTLS_PKCS_PKCS12_ARCFOUR");
+  DEFSYM (Qgnutls_pkcs_pkcs12_rc2_40, "GNUTLS_PKCS_PKCS12_RC2_40");
+  DEFSYM (Qgnutls_pkcs_pbes2_3des, "GNUTLS_PKCS_PBES2_3DES");
+  DEFSYM (Qgnutls_pkcs_pbes2_aes_128, "GNUTLS_PKCS_PBES2_AES_128");
+  DEFSYM (Qgnutls_pkcs_pbes2_aes_192, "GNUTLS_PKCS_PBES2_AES_192");
+  DEFSYM (Qgnutls_pkcs_pbes2_aes_256, "GNUTLS_PKCS_PBES2_AES_256");
+  DEFSYM (Qgnutls_pkcs_null_password, "GNUTLS_PKCS_NULL_PASSWORD");
+  DEFSYM (Qgnutls_pkcs_pbes2_des, "GNUTLS_PKCS_PBES2_DES");
+  DEFSYM (Qgnutls_pkcs_pbes1_des_md5, "GNUTLS_PKCS_PBES1_DES_MD5");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_tc26z, "GNUTLS_PKCS_PBES2_GOST_TC26Z");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpa, "GNUTLS_PKCS_PBES2_GOST_CPA");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpb, "GNUTLS_PKCS_PBES2_GOST_CPB");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpc, "GNUTLS_PKCS_PBES2_GOST_CPC");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpd, "GNUTLS_PKCS_PBES2_GOST_CPD");
 
   DEFSYM (QCcipher_id, ":cipher-id");
   DEFSYM (QCcipher_aead_capable, ":cipher-aead-capable");
-- 
2.37.3

* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-29  3:09                       ` Nikolaos Chatzikonstantinou
@ 2022-09-29  8:17                         ` Eli Zaretskii
  2022-09-29 12:35                           ` Nikolaos Chatzikonstantinou
  2022-09-29  9:02                         ` Robert Pluim
  1 sibling, 1 reply; 47+ messages in thread
From: Eli Zaretskii @ 2022-09-29  8:17 UTC (permalink / raw)
  To: Nikolaos Chatzikonstantinou; +Cc: 50507, rpluim, larsi

> From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
> Date: Wed, 28 Sep 2022 23:09:46 -0400
> Cc: 50507@debbugs.gnu.org, Lars Ingebrigtsen <larsi@gnus.org>, Eli Zaretskii <eliz@gnu.org>
> 
> I also added "Copyright-paperwork-exempt: yes" (or will this require
> paperwork?)

The patch is large enough to require it, yes.

Would you like me to send you the legal form to start the paperwork?

Thanks.

* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-29  3:09                       ` Nikolaos Chatzikonstantinou
  2022-09-29  8:17                         ` Eli Zaretskii
@ 2022-09-29  9:02                         ` Robert Pluim
  2022-09-29 13:44                           ` Nikolaos Chatzikonstantinou
  1 sibling, 1 reply; 47+ messages in thread
From: Robert Pluim @ 2022-09-29  9:02 UTC (permalink / raw)
  To: Nikolaos Chatzikonstantinou; +Cc: 50507, Lars Ingebrigtsen, Eli Zaretskii

>>>>> On Wed, 28 Sep 2022 23:09:46 -0400, Nikolaos Chatzikonstantinou <nchatz314@gmail.com> said:

    Nikolaos> On Wed, Sep 28, 2022 at 9:11 AM Robert Pluim <rpluim@gmail.com> wrote:
    >> 
    >> >>>>> On Wed, 28 Sep 2022 08:15:26 -0400, Nikolaos Chatzikonstantinou <nchatz314@gmail.com> said:
    >> 
    >> 
    Nikolaos> Okay, I'm submitting this patch with corrections included, see attachment.
    >> 
    >> I see a .sig attachment, but no patch (we donʼt currently require
    >> signing of commits at all, but I guess thereʼs nothing stopping people
    >> from doing it).

    Nikolaos> My bad, here it is. I also added "Copyright-paperwork-exempt: yes" (or
    Nikolaos> will this require paperwork?) and gave the helper function static
    Nikolaos> linkage in src/gnutls.c.

Eli answered that. A few nits below

    Nikolaos> From b11707c423773f6234746991222acd80ab3f708c Mon Sep 17 00:00:00 2001
    Nikolaos> From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
    Nikolaos> Date: Mon, 26 Sep 2022 11:08:18 -0400
    Nikolaos> Subject: [PATCH] add :pass and :flags to gnutls-boot for :keylist

    Nikolaos> * lisp/net/gnutls.el (gnutls-boot-parameters): add the keys :pass and
    Nikolaos> :flags, and update the documentation.
    Nikolaos> * src/gnutls.c (gnutls-boot): add the keys :pass and :flags, and
    Nikolaos> update the documentation.
    Nikolaos> (syms_of_gnutls): add the symbols :pass, :flags, and the symbols that
    Nikolaos> correspond to the enumeration constants of the GnuTLS enum
    Nikolaos> `gnutls_pkcs_encrypt_flags_t`.
    Nikolaos> ; (key_file2_aux): private helper function that translates a list of
    Nikolaos> ; symbols to its corresponding `unsigned int` value of the GnuTLS C
    Nikolaos> ; enum `gnutls_pkcs_encrypt_flags_t`.

Each description of a change is a sentence, and should start with a
capital letter. The lines starting with ';' should not start with ';'.

    Nikolaos> +PASS is a string, the password of the key.
    Nikolaos> +
    Nikolaos> +FLAGS is an ORed sequence of gnutls_pkcs_encrypt_flags_t values.
    Nikolaos> +

This is now a list of symbols, so the docstring needs adjusting.

    Nikolaos> +/* Helper function for gnutls-boot.
    Nikolaos> +
    Nikolaos> +   The key :flags receives a lisp of symbols, each of which

s/lisp/list/

    Nikolaos> +   corresponds to a GnuTLS C flag, the ORed result is to be passed to
    Nikolaos> +   the function gnutls_certificate_set_x509_key_file2() as its last
    Nikolaos> +   argument.
    Nikolaos> +*/
    Nikolaos> +static unsigned int
    Nikolaos> +key_file2_aux (Lisp_Object flags)
    Nikolaos> +{
    Nikolaos> +  unsigned int rv = 0;
    Nikolaos> +  Lisp_Object tail;
    Nikolaos> +  for (tail = flags; CONSP (tail); tail = XCDR (tail))

We have some convenience macros in lisp.h for traversing lists, one of
which is FOR_EACH_TAIL. The reason to prefer it is that it will detect
circular lists, which is good practice since this list will come from
the user level, so it could be anything :-)

Also, the function is only relevant if
HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2 is defined, so you could
wrap it in a #ifdef

    Nikolaos> +The :pass and :flags keys are ignored with old versions of GnuTLS, and
    Nikolaos> +:flags is ignored if :pass is not specified.
    Nikolaos> +

Maybe mention that not specifying :flags or passing :flags nil means
passing '0' to the GnuTLS function?

    Nikolaos> +# ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
    Nikolaos> +	      if (STRINGP (pass))
    Nikolaos> +		ret = gnutls_certificate_set_x509_key_file2
    Nikolaos> +		  (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format, SSDATA (pass), key_file2_aux (flags));

I think you should re-wrap this line.

    Nikolaos> +  DEFSYM (Qgnutls_pkcs_plain, "GNUTLS_PKCS_PLAIN");
    Nikolaos> +  DEFSYM (Qgnutls_pkcs_pkcs12_3des, "GNUTLS_PKCS_PKCS12_3DES");
    Nikolaos> +  DEFSYM (Qgnutls_pkcs_pkcs12_arcfour, "GNUTLS_PKCS_PKCS12_ARCFOUR");
    Nikolaos> +  DEFSYM (Qgnutls_pkcs_pkcs12_rc2_40, "GNUTLS_PKCS_PKCS12_RC2_40");
    Nikolaos> +  DEFSYM (Qgnutls_pkcs_pbes2_3des, "GNUTLS_PKCS_PBES2_3DES");
    Nikolaos> +  DEFSYM (Qgnutls_pkcs_pbes2_aes_128, "GNUTLS_PKCS_PBES2_AES_128");
    Nikolaos> +  DEFSYM (Qgnutls_pkcs_pbes2_aes_192, "GNUTLS_PKCS_PBES2_AES_192");
    Nikolaos> +  DEFSYM (Qgnutls_pkcs_pbes2_aes_256, "GNUTLS_PKCS_PBES2_AES_256");
    Nikolaos> +  DEFSYM (Qgnutls_pkcs_null_password, "GNUTLS_PKCS_NULL_PASSWORD");
    Nikolaos> +  DEFSYM (Qgnutls_pkcs_pbes2_des, "GNUTLS_PKCS_PBES2_DES");
    Nikolaos> +  DEFSYM (Qgnutls_pkcs_pbes1_des_md5, "GNUTLS_PKCS_PBES1_DES_MD5");
    Nikolaos> +  DEFSYM (Qgnutls_pkcs_pbes2_gost_tc26z, "GNUTLS_PKCS_PBES2_GOST_TC26Z");
    Nikolaos> +  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpa, "GNUTLS_PKCS_PBES2_GOST_CPA");
    Nikolaos> +  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpb, "GNUTLS_PKCS_PBES2_GOST_CPB");
    Nikolaos> +  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpc, "GNUTLS_PKCS_PBES2_GOST_CPC");
    Nikolaos> +  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpd, "GNUTLS_PKCS_PBES2_GOST_CPD");

All this is kind of awkward, but apart from doing DEFVAR_LISP Iʼm not
aware of how to define a lisp level symbol with a value (it would
allow you to simplify `key_file2_aux', since you could just extract
the values directly from the symbols).

Robert

* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-29  8:17                         ` Eli Zaretskii
@ 2022-09-29 12:35                           ` Nikolaos Chatzikonstantinou
  2022-09-29 13:08                             ` Eli Zaretskii
  0 siblings, 1 reply; 47+ messages in thread
From: Nikolaos Chatzikonstantinou @ 2022-09-29 12:35 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 50507, rpluim, larsi

On Thu, Sep 29, 2022 at 4:17 AM Eli Zaretskii <eliz@gnu.org> wrote:
>
> > From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
> > Date: Wed, 28 Sep 2022 23:09:46 -0400
> > Cc: 50507@debbugs.gnu.org, Lars Ingebrigtsen <larsi@gnus.org>, Eli Zaretskii <eliz@gnu.org>
> >
> > I also added "Copyright-paperwork-exempt: yes" (or will this require
> > paperwork?)
>
> The patch is large enough to require it, yes.
>
> Would you like me to send you the legal form to start the paperwork?
>
> Thanks.

Yes, please send me the legal form.

Regards,
Nikolaos Chatzikonstantinou

* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-29 12:35                           ` Nikolaos Chatzikonstantinou
@ 2022-09-29 13:08                             ` Eli Zaretskii
  0 siblings, 0 replies; 47+ messages in thread
From: Eli Zaretskii @ 2022-09-29 13:08 UTC (permalink / raw)
  To: Nikolaos Chatzikonstantinou; +Cc: 50507, rpluim, larsi

> From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
> Date: Thu, 29 Sep 2022 08:35:40 -0400
> Cc: rpluim@gmail.com, 50507@debbugs.gnu.org, larsi@gnus.org
> 
> On Thu, Sep 29, 2022 at 4:17 AM Eli Zaretskii <eliz@gnu.org> wrote:
> >
> > > From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
> > > Date: Wed, 28 Sep 2022 23:09:46 -0400
> > > Cc: 50507@debbugs.gnu.org, Lars Ingebrigtsen <larsi@gnus.org>, Eli Zaretskii <eliz@gnu.org>
> > >
> > > I also added "Copyright-paperwork-exempt: yes" (or will this require
> > > paperwork?)
> >
> > The patch is large enough to require it, yes.
> >
> > Would you like me to send you the legal form to start the paperwork?
> >
> > Thanks.
> 
> Yes, please send me the legal form.

Form sent off-list.

* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-29  9:02                         ` Robert Pluim
@ 2022-09-29 13:44                           ` Nikolaos Chatzikonstantinou
  2022-09-29 14:08                             ` Robert Pluim
  0 siblings, 1 reply; 47+ messages in thread
From: Nikolaos Chatzikonstantinou @ 2022-09-29 13:44 UTC (permalink / raw)
  To: Robert Pluim; +Cc: 50507, Lars Ingebrigtsen, Eli Zaretskii

On Thu, Sep 29, 2022 at 5:02 AM Robert Pluim <rpluim@gmail.com> wrote:
>
> >>>>> On Wed, 28 Sep 2022 23:09:46 -0400, Nikolaos Chatzikonstantinou <nchatz314@gmail.com> said:
>
>     Nikolaos> From b11707c423773f6234746991222acd80ab3f708c Mon Sep 17 00:00:00 2001
>     Nikolaos> From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
>     Nikolaos> Date: Mon, 26 Sep 2022 11:08:18 -0400
>     Nikolaos> Subject: [PATCH] add :pass and :flags to gnutls-boot for :keylist
>
>     Nikolaos> +   corresponds to a GnuTLS C flag, the ORed result is to be passed to
>     Nikolaos> +   the function gnutls_certificate_set_x509_key_file2() as its last
>     Nikolaos> +   argument.
>     Nikolaos> +*/
>     Nikolaos> +static unsigned int
>     Nikolaos> +key_file2_aux (Lisp_Object flags)
>     Nikolaos> +{
>     Nikolaos> +  unsigned int rv = 0;
>     Nikolaos> +  Lisp_Object tail;
>     Nikolaos> +  for (tail = flags; CONSP (tail); tail = XCDR (tail))
>
> We have some convenience macros in lisp.h for traversing lists, one of
> which is FOR_EACH_TAIL. The reason to prefer it is that it will detect
> circular lists, which is good practice since this list will come from
> the user level, so it could be anything :-)

Good point. I opted for FOR_EACH_TAIL_SAFE, which seems even better
for this case. As documented in ChangeLog.3, it's the right one when
the operation is idempotent, which an OR of flags is. (repeated flags
do not alter the result.)

>     Nikolaos> +The :pass and :flags keys are ignored with old versions of GnuTLS, and
>     Nikolaos> +:flags is ignored if :pass is not specified.
>     Nikolaos> +
>
> Maybe mention that not specifying :flags or passing :flags nil means
> passing '0' to the GnuTLS function?

Yes, and on that note, I discovered two things. One, the value 0 is
special; it has meaning but it is not an enumeration constant. I
documented this appropriately. Two, the password may be NULL instead
of a string.

How can I differentiate between `:pass nil` and not specifying
`:pass`? I would like to do this because in the former case I'm
calling ...key_file2() and in the latter I'm calling the original
...key_file().

>     Nikolaos> +  DEFSYM (Qgnutls_pkcs_plain, "GNUTLS_PKCS_PLAIN");
<removed a few more such lines>
>     Nikolaos> +  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpd, "GNUTLS_PKCS_PBES2_GOST_CPD");
>
> All this is kind of awkward, but apart from doing DEFVAR_LISP Iʼm not
> aware of how to define a lisp level symbol with a value (it would
> allow you to simplify `key_file2_aux', since you could just extract
> the values directly from the symbols).

I am now comparing against intern("GNUTLS_PKCS_PLAIN") and so on.

I will hold off the submission of the final patch until I figure out
the :pass issue that I mentioned above.

Regards,
Nikolaos Chatzikonstantinou

* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-29 13:44                           ` Nikolaos Chatzikonstantinou
@ 2022-09-29 14:08                             ` Robert Pluim
  2022-09-30 10:04                               ` Nikolaos Chatzikonstantinou
  0 siblings, 1 reply; 47+ messages in thread
From: Robert Pluim @ 2022-09-29 14:08 UTC (permalink / raw)
  To: Nikolaos Chatzikonstantinou; +Cc: 50507, Lars Ingebrigtsen, Eli Zaretskii

>>>>> On Thu, 29 Sep 2022 09:44:09 -0400, Nikolaos Chatzikonstantinou <nchatz314@gmail.com> said:
    >> 
    >> We have some convenience macros in lisp.h for traversing lists, one of
    >> which is FOR_EACH_TAIL. The reason to prefer it is that it will detect
    >> circular lists, which is good practice since this list will come from
    >> the user level, so it could be anything :-)

    Nikolaos> Good point. I opted for FOR_EACH_TAIL_SAFE, which seems even better
    Nikolaos> for this case. As documented in ChangeLog.3, it's the right one when
    Nikolaos> the operation is idempotent, which an OR of flags is. (repeated flags
    Nikolaos> do not alter the result.)

OK

    Nikolaos> +The :pass and :flags keys are ignored with old versions of GnuTLS, and
    Nikolaos> +:flags is ignored if :pass is not specified.
    Nikolaos> +
    >> 
    >> Maybe mention that not specifying :flags or passing :flags nil means
    >> passing '0' to the GnuTLS function?

    Nikolaos> Yes, and on that note, I discovered two things. One, the value 0 is
    Nikolaos> special; it has meaning but it is not an enumeration constant. I
    Nikolaos> documented this appropriately. Two, the password may be NULL instead
    Nikolaos> of a string.

OK. I guess youʼre mapping ':pass nil' to that?

    Nikolaos> How can I differentiate between `:pass nil` and not specifying
    Nikolaos> `:pass`? I would like to do this because in the former case I'm
    Nikolaos> calling ...key_file2() and in the latter I'm calling the original
    Nikolaos> ...key_file().

Youʼd do `plist-member' to check if thereʼs a `:pass' in the plist at
all, and then `plist-get' to extract the value.

    Nikolaos> +  DEFSYM (Qgnutls_pkcs_plain, "GNUTLS_PKCS_PLAIN");
    Nikolaos> <removed a few more such lines>
    Nikolaos> +  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpd, "GNUTLS_PKCS_PBES2_GOST_CPD");
    >> 
    >> All this is kind of awkward, but apart from doing DEFVAR_LISP Iʼm not
    >> aware of how to define a lisp level symbol with a value (it would
    >> allow you to simplify `key_file2_aux', since you could just extract
    >> the values directly from the symbols).

    Nikolaos> I am now comparing against intern("GNUTLS_PKCS_PLAIN") and so on.

I guess thatʼs another option, but itʼs not the preferred
solution. Anyway, letʼs not let the perfect be the enemy of the good.

Thanks

Robert

* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-29 14:08                             ` Robert Pluim
@ 2022-09-30 10:04                               ` Nikolaos Chatzikonstantinou
  2022-09-30 10:47                                 ` Eli Zaretskii
  0 siblings, 1 reply; 47+ messages in thread
From: Nikolaos Chatzikonstantinou @ 2022-09-30 10:04 UTC (permalink / raw)
  To: Robert Pluim; +Cc: 50507, Lars Ingebrigtsen, Eli Zaretskii

On Thu, Sep 29, 2022 at 10:08 AM Robert Pluim <rpluim@gmail.com> wrote:
>
> >>>>> On Thu, 29 Sep 2022 09:44:09 -0400, Nikolaos Chatzikonstantinou <nchatz314@gmail.com> said:
>     Nikolaos> +The :pass and :flags keys are ignored with old versions of GnuTLS, and
>     Nikolaos> +:flags is ignored if :pass is not specified.
>     Nikolaos> +
>     >>
>     >> Maybe mention that not specifying :flags or passing :flags nil means
>     >> passing '0' to the GnuTLS function?
>
>     Nikolaos> Yes, and on that note, I discovered two things. One, the value 0 is
>     Nikolaos> special; it has meaning but it is not an enumeration constant. I
>     Nikolaos> documented this appropriately. Two, the password may be NULL instead
>     Nikolaos> of a string.
>
> OK. I guess youʼre mapping ':pass nil' to that?

Yes.

>     Nikolaos> +  DEFSYM (Qgnutls_pkcs_plain, "GNUTLS_PKCS_PLAIN");
>     Nikolaos> <removed a few more such lines>
>     Nikolaos> +  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpd, "GNUTLS_PKCS_PBES2_GOST_CPD");
>     >>
>     >> All this is kind of awkward, but apart from doing DEFVAR_LISP Iʼm not
>     >> aware of how to define a lisp level symbol with a value (it would
>     >> allow you to simplify `key_file2_aux', since you could just extract
>     >> the values directly from the symbols).
>
>     Nikolaos> I am now comparing against intern("GNUTLS_PKCS_PLAIN") and so on.
>
> I guess thatʼs another option, but itʼs not the preferred
> solution. Anyway, letʼs not let the perfect be the enemy of the good.

I went with intern. There were some additional #if checks to avoid
dynamically loading the symbol from the library on Windows if it is
not available. I used plist_member() to differentiate between `:pass nil`
and not specifying `:pass`, and I documented this in the docstrings.

Regards,
Nikolaos Chatzikonstantinou

[-- Attachment #2: 0001-add-pass-and-flags-to-gnutls-boot-for-keylist.patch --]
[-- Type: text/x-patch, Size: 10435 bytes --]

From 3100c17f8455a3894ca27c9872548daa1a1fb905 Mon Sep 17 00:00:00 2001
From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
Date: Mon, 26 Sep 2022 11:08:18 -0400
Subject: [PATCH] add :pass and :flags to gnutls-boot for :keylist

* lisp/net/gnutls.el (gnutls-boot-parameters): Add the keys :pass and
:flags, and update the documentation.
* src/gnutls.c (gnutls-boot): Add the keys :pass and :flags, and
update the documentation.
(syms_of_gnutls): Add the symbols :pass, :flags, and the symbols that
correspond to the enumeration constants of the GnuTLS enum
`gnutls_pkcs_encrypt_flags_t`.
(key_file2_aux): Private helper function that translates a list of
symbols to its corresponding `unsigned int` value of the GnuTLS C enum
`gnutls_pkcs_encrypt_flags_t`.
---
 lisp/net/gnutls.el |  10 +++++
 src/gnutls.c       | 105 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 115 insertions(+)

diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 6e3845aec1..eef6559a95 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -265,6 +265,7 @@ gnutls-boot-parameters
            &key type hostname priority-string
            trustfiles crlfiles keylist min-prime-bits
            verify-flags verify-error verify-hostname-error
+           pass flags
            &allow-other-keys)
   "Return a keyword list of parameters suitable for passing to `gnutls-boot'.
 
@@ -281,6 +282,13 @@ gnutls-boot-parameters
 VERIFY-HOSTNAME-ERROR is a backwards compatibility option for
 putting `:hostname' in VERIFY-ERROR.
 
+PASS is a string, the password of the key.  It may also be nil,
+for a NULL password.
+
+FLAGS is a list of symbols corresponding to the equivalent ORed
+bitflag of the gnutls_pkcs_encrypt_flags_t enum of GnuTLS.  The
+empty list corresponds to the bitflag with value 0.
+
 When VERIFY-ERROR is t or a list containing `:trustfiles', an
 error will be raised when the peer certificate verification fails
 as per GnuTLS' gnutls_certificate_verify_peers2.  Otherwise, only
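Review bot: `+PASS is a string, the password of the key.  It may also be nil,` / `+for a NULL password.` should say explicitly that nil makes gnutls-boot pass a NULL pointer as the password argument of gnutls_certificate_set_x509_key_file2, and that this is not the same thing as including the `GNUTLS_PKCS_NULL_PASSWORD` symbol in FLAGS; as written, a user whose key is protected by an empty passphrase cannot tell which of the two to use. The sentence on the empty FLAGS list mapping to 0 is good; add that an omitted FLAGS behaves the same way.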
@@ -358,6 +366,8 @@ gnutls-boot-parameters
                 :keylist ,keylist
                 :verify-flags ,verify-flags
                 :verify-error ,verify-error
+                :pass ,pass
+                :flags ,flags
                 :callbacks nil)))
 
 (defun gnutls--get-files (files)
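Review bot: `:pass ,pass` and `:flags ,flags` are emitted unconditionally, so every plist built by `gnutls-boot-parameters` carries `:pass nil` when no password is given; on the C side `plist_member (proplist, QCpass)` then succeeds and the `_file2` call with a NULL password is taken, so callers going through this function never reach the legacy `gnutls_certificate_set_x509_key_file` branch. If that is intended, document the behaviour change for existing unencrypted-key users; otherwise emit the key only when set, e.g. `,@(and pass (list :pass pass))`.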
diff --git a/src/gnutls.c b/src/gnutls.c
index a0de0238c4..ccfbb58881 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -34,6 +34,7 @@
 # endif
 
 # if GNUTLS_VERSION_NUMBER >= 0x030200
+#  define HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
 #  define HAVE_GNUTLS_CIPHER_GET_IV_SIZE
 # endif
 
@@ -121,6 +122,11 @@ DEF_DLL_FN (int, gnutls_certificate_set_x509_crl_file,
 DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file,
 	    (gnutls_certificate_credentials_t, const char *, const char *,
 	     gnutls_x509_crt_fmt_t));
+#  ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file2,
+	    (gnutls_certificate_credentials_t, const char *, const char *,
+	     gnutls_x509_crt_fmt_t, const char *, unsigned int));
+#  endif
 #  ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST
 DEF_DLL_FN (int, gnutls_certificate_set_x509_system_trust,
 	    (gnutls_certificate_credentials_t));
@@ -314,6 +320,9 @@ init_gnutls_functions (void)
   LOAD_DLL_FN (library, gnutls_certificate_set_verify_flags);
   LOAD_DLL_FN (library, gnutls_certificate_set_x509_crl_file);
   LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file);
+#  ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+  LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file2);
+#  endif
 #  ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST
   LOAD_DLL_FN (library, gnutls_certificate_set_x509_system_trust);
 #  endif
@@ -455,6 +464,9 @@ init_gnutls_functions (void)
 #  define gnutls_certificate_set_verify_flags fn_gnutls_certificate_set_verify_flags
 #  define gnutls_certificate_set_x509_crl_file fn_gnutls_certificate_set_x509_crl_file
 #  define gnutls_certificate_set_x509_key_file fn_gnutls_certificate_set_x509_key_file
+#  ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+#   define gnutls_certificate_set_x509_key_file2 fn_gnutls_certificate_set_x509_key_file2
+#  endif
 #  define gnutls_certificate_set_x509_system_trust fn_gnutls_certificate_set_x509_system_trust
 #  define gnutls_certificate_set_x509_trust_file fn_gnutls_certificate_set_x509_trust_file
 #  define gnutls_certificate_type_get fn_gnutls_certificate_type_get
@@ -1774,6 +1786,61 @@ gnutls_verify_boot (Lisp_Object proc, Lisp_Object proplist)
   return gnutls_make_error (ret);
 }
 
+#ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+
+/* Helper function for gnutls-boot.
+
+   The key :flags receives a list of symbols, each of which
+   corresponds to a GnuTLS C flag, the ORed result is to be passed to
+   the function gnutls_certificate_set_x509_key_file2() as its last
+   argument.
+*/
+static unsigned int
+key_file2_aux (Lisp_Object flags)
+{
+  unsigned int rv = 0;
+  Lisp_Object tail = flags;
+  FOR_EACH_TAIL_SAFE (tail)
+    {
+      Lisp_Object flag = XCAR (tail);
+      if (EQ (flag, intern ("GNUTLS_PKCS_PLAIN")))
+	rv |= GNUTLS_PKCS_PLAIN;
+      else if(EQ (flag, intern ("GNUTLS_PKCS_PKCS12_3DES")))
+	rv |= GNUTLS_PKCS_PKCS12_3DES;
+      else if(EQ (flag, intern ("GNUTLS_PKCS_PKCS12_ARCFOUR")))
+	rv |= GNUTLS_PKCS_PKCS12_ARCFOUR;
+      else if(EQ (flag, intern ("GNUTLS_PKCS_PKCS12_RC2_40")))
+	rv |= GNUTLS_PKCS_PKCS12_RC2_40;
+      else if(EQ (flag, intern ("GNUTLS_PKCS_PBES2_3DES")))
+	rv |= GNUTLS_PKCS_PBES2_3DES;
+      else if(EQ (flag, intern ("GNUTLS_PKCS_PBES2_AES_128")))
+	rv |= GNUTLS_PKCS_PBES2_AES_128;
+      else if(EQ (flag, intern ("GNUTLS_PKCS_PBES2_AES_192")))
+	rv |= GNUTLS_PKCS_PBES2_AES_192;
+      else if(EQ (flag, intern ("GNUTLS_PKCS_PBES2_AES_256")))
+	rv |= GNUTLS_PKCS_PBES2_AES_256;
+      else if(EQ (flag, intern ("GNUTLS_PKCS_NULL_PASSWORD")))
+	rv |= GNUTLS_PKCS_NULL_PASSWORD;
+      else if(EQ (flag, intern ("GNUTLS_PKCS_PBES2_DES")))
+	rv |= GNUTLS_PKCS_PBES2_DES;
+      else if(EQ (flag, intern ("GNUTLS_PKCS_PBES1_DES_MD5")))
+	rv |= GNUTLS_PKCS_PBES1_DES_MD5;
+      else if(EQ (flag, intern ("gnutls_pkcs_pbes2_gost_TC26Z")))
+	rv |= GNUTLS_PKCS_PBES2_GOST_TC26Z;
+      else if(EQ (flag, intern ("GNUTLS_PKCS_PBES2_GOST_CPA")))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPA;
+      else if(EQ (flag, intern ("GNUTLS_PKCS_PBES2_GOST_CPB")))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPB;
+      else if(EQ (flag, intern ("GNUTLS_PKCS_PBES2_GOST_CPC")))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPC;
+      else if(EQ (flag, intern ("GNUTLS_PKCS_PBES2_GOST_CPD")))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPD;
+    }
+  return rv;
+}
+
+#endif /* HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2 */
+
 DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
        doc: /* Initialize GnuTLS client for process PROC with TYPE+PROPLIST.
 Currently only client mode is supported.  Return a success/failure
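Review bot: `intern ("gnutls_pkcs_pbes2_gost_TC26Z")` is lower-case while every other branch and the docstring use the upper-case GnuTLS name; `intern` is case-sensitive, so `GNUTLS_PKCS_PBES2_GOST_TC26Z` can never be selected. Two further points on the same loop: a symbol matching none of the branches is dropped silently, so a mistyped flag degrades to 0 (plain) without any diagnostic, and an `error` on an unrecognised symbol would be safer; and `intern` is re-run for up to sixteen names per list element on every call, which DEFSYM'd static symbols compared with `EQ` would avoid.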
@@ -1813,6 +1880,21 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 :complete-negotiation, if non-nil, will make negotiation complete
 before returning even on non-blocking sockets.
 
+:pass, the password of the private key as per GnuTLS'
+gnutls_certificate_set_x509_key_file2.  Specify as nil to have a NULL
+password.
+
+:flags, a list of symbols relating to :pass, each specifying a flag:
+GNUTLS_PKCS_PLAIN, GNUTLS_PKCS_PKCS12_3DES,
+GNUTLS_PKCS_PKCS12_ARCFOUR, GNUTLS_PKCS_PKCS12_RC2_40,
+GNUTLS_PKCS_PBES2_3DES, GNUTLS_PKCS_PBES2_AES_128,
+GNUTLS_PKCS_PBES2_AES_192, GNUTLS_PKCS_PBES2_AES_256,
+GNUTLS_PKCS_NULL_PASSWORD, GNUTLS_PKCS_PBES2_DES,
+GNUTLS_PKCS_PBES2_DES_MD5, GNUTLS_PKCS_PBES2_GOST_TC26Z,
+GNUTLS_PKCS_PBES2_GOST_CPA, GNUTLS_PKCS_PBES2_GOST_CPB,
+GNUTLS_PKCS_PBES2_GOST_CPC, GNUTLS_PKCS_PBES2_GOST_CPD.  If not
+specified, or if nil, the bitflag with value 0 is used.
+
 The debug level will be set for this process AND globally for GnuTLS.
 So if you set it higher or lower at any point, it affects global
 debugging.
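Review bot: the flag list here names `GNUTLS_PKCS_PBES2_DES_MD5`, but `key_file2_aux` compares against `GNUTLS_PKCS_PBES1_DES_MD5` (which is the GnuTLS enumerator), so a user who copies the documented name gets a silently ignored flag; fix the docstring to `GNUTLS_PKCS_PBES1_DES_MD5`. It would also help to say that these are the `gnutls_pkcs_encrypt_flags_t` values describing how the key file is encrypted, so readers can find the GnuTLS documentation for them.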
@@ -1825,6 +1907,9 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 functions are used.  This function allocates resources which can only
 be deallocated by calling `gnutls-deinit' or by calling it again.
 
+The :pass and :flags keys are ignored with old versions of GnuTLS, and
+:flags is ignored if :pass is not specified.
+
 The callbacks alist can have a `verify' key, associated with a
 verification function (UNUSED).
 
@@ -1848,6 +1933,8 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
   Lisp_Object trustfiles;
   Lisp_Object crlfiles;
   Lisp_Object keylist;
+  Lisp_Object pass;
+  Lisp_Object flags;
   /* Lisp_Object callbacks; */
   Lisp_Object loglevel;
   Lisp_Object hostname;
@@ -1877,6 +1964,8 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
   crlfiles              = plist_get (proplist, QCcrlfiles);
   loglevel              = plist_get (proplist, QCloglevel);
   prime_bits            = plist_get (proplist, QCmin_prime_bits);
+  pass                  = plist_get (proplist, QCpass);
+  flags                 = plist_get (proplist, QCflags);
 
   if (!STRINGP (hostname))
     {
@@ -2038,8 +2127,22 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 	      keyfile = ansi_encode_filename (keyfile);
 	      certfile = ansi_encode_filename (certfile);
 # endif
+# ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+	      if (STRINGP (pass))
+		ret = gnutls_certificate_set_x509_key_file2
+		  (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format,
+		   SSDATA (pass), key_file2_aux (flags));
+	      else if (NILP (pass) && plist_member (proplist, QCpass))
+		ret = gnutls_certificate_set_x509_key_file2
+		  (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format,
+		   NULL, key_file2_aux (flags));
+	      else
+		ret = gnutls_certificate_set_x509_key_file
+		  (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
+# else
 	      ret = gnutls_certificate_set_x509_key_file
 		(x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
+# endif
 
 	      if (ret < GNUTLS_E_SUCCESS)
 		return gnutls_make_error (ret);
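Review bot: a non-nil, non-string `:pass` (say a number) matches neither `STRINGP (pass)` nor `NILP (pass)` and silently falls through to the legacy call, so the password is ignored without any error; a `CHECK_STRING` or explicit error on that case would be safer. The two `_file2` calls differ only in the fifth argument, so computing `const char *key_pass = STRINGP (pass) ? SSDATA (pass) : NULL;` once and keeping a single `_file2` call under `plist_member (proplist, QCpass)` makes the absent-vs-nil distinction readable. Finally, `pass` is handed over as raw `SSDATA (pass)` with no encoding step, whereas `keyfile` and `certfile` pass through `ansi_encode_filename` in the block just above; decide what encoding GnuTLS expects for the password and encode explicitly, or document that only ASCII passwords are supported.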
@@ -2860,6 +2963,8 @@ syms_of_gnutls (void)
   DEFSYM (QCmin_prime_bits, ":min-prime-bits");
   DEFSYM (QCloglevel, ":loglevel");
   DEFSYM (QCcomplete_negotiation, ":complete-negotiation");
+  DEFSYM (QCpass, ":pass");
+  DEFSYM (QCflags, ":flags");
   DEFSYM (QCverify_flags, ":verify-flags");
   DEFSYM (QCverify_error, ":verify-error");
 
-- 
2.37.3



* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-30 10:04                               ` Nikolaos Chatzikonstantinou
@ 2022-09-30 10:47                                 ` Eli Zaretskii
  2022-09-30 13:01                                   ` Nikolaos Chatzikonstantinou
  0 siblings, 1 reply; 47+ messages in thread
From: Eli Zaretskii @ 2022-09-30 10:47 UTC (permalink / raw)
  To: Nikolaos Chatzikonstantinou; +Cc: 50507, rpluim, larsi

> From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
> Date: Fri, 30 Sep 2022 06:04:30 -0400
> Cc: 50507@debbugs.gnu.org, Lars Ingebrigtsen <larsi@gnus.org>, Eli Zaretskii <eliz@gnu.org>
> 
> 
> On Thu, Sep 29, 2022 at 10:08 AM Robert Pluim <rpluim@gmail.com> wrote:
> >
> > >>>>> On Thu, 29 Sep 2022 09:44:09 -0400, Nikolaos Chatzikonstantinou <nchatz314@gmail.com> said:
> >     Nikolaos> +The :pass and :flags keys are ignored with old versions of GnuTLS, and
> >     Nikolaos> +:flags is ignored if :pass is not specified.
> >     Nikolaos> +
> >     >>
> >     >> Maybe mention that not specifying :flags or passing :flags nil means
> >     >> passing '0' to the GnuTLS function?
> >
> >     Nikolaos> Yes, and on that note, I discovered two things. One, the value 0 is
> >     Nikolaos> special; it has meaning but it is not an enumeration constant. I
> >     Nikolaos> documented this appropriately. Two, the password may be NULL instead
> >     Nikolaos> of a string.
> >
> > OK. I guess youʼre mapping ':pass nil' to that?
> 
> Yes.
> 
> >     Nikolaos> +  DEFSYM (Qgnutls_pkcs_plain, "GNUTLS_PKCS_PLAIN");
> >     Nikolaos> <removed a few more such lines>
> >     Nikolaos> +  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpd, "GNUTLS_PKCS_PBES2_GOST_CPD");
> >     >>
> >     >> All this is kind of awkward, but apart from doing DEFVAR_LISP Iʼm not
> >     >> aware of how to define a lisp level symbol with a value (it would
> >     >> allow you to simplify `key_file2_aux', since you could just extract
> >     >> the values directly from the symbols).
> >
> >     Nikolaos> I am now comparing against intern("GNUTLS_PKCS_PLAIN") and so on.
> >
> > I guess thatʼs another option, but itʼs not the preferred
> > solution. Anyway, letʼs not let the perfect be the enemy of the good.
> 
> I went with intern.

Why not use DEFSYM and then compare against the static symbols?  That
is more efficient, since the intern call is avoided at run time.






* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-30 10:47                                 ` Eli Zaretskii
@ 2022-09-30 13:01                                   ` Nikolaos Chatzikonstantinou
  2022-09-30 13:37                                     ` Eli Zaretskii
  0 siblings, 1 reply; 47+ messages in thread
From: Nikolaos Chatzikonstantinou @ 2022-09-30 13:01 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 50507, rpluim, larsi

On Fri, Sep 30, 2022 at 6:47 AM Eli Zaretskii <eliz@gnu.org> wrote:
>
> > From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
> > Date: Fri, 30 Sep 2022 06:04:30 -0400
> > Cc: 50507@debbugs.gnu.org, Lars Ingebrigtsen <larsi@gnus.org>, Eli Zaretskii <eliz@gnu.org>
> >
> >
> > On Thu, Sep 29, 2022 at 10:08 AM Robert Pluim <rpluim@gmail.com> wrote:
> > >
> > > >>>>> On Thu, 29 Sep 2022 09:44:09 -0400, Nikolaos Chatzikonstantinou <nchatz314@gmail.com> said:
> > >     Nikolaos> +The :pass and :flags keys are ignored with old versions of GnuTLS, and
> > >     Nikolaos> +:flags is ignored if :pass is not specified.
> > >     Nikolaos> +
> > >     >>
> > >     >> Maybe mention that not specifying :flags or passing :flags nil means
> > >     >> passing '0' to the GnuTLS function?
> > >
> > >     Nikolaos> Yes, and on that note, I discovered two things. One, the value 0 is
> > >     Nikolaos> special; it has meaning but it is not an enumeration constant. I
> > >     Nikolaos> documented this appropriately. Two, the password may be NULL instead
> > >     Nikolaos> of a string.
> > >
> > > OK. I guess youʼre mapping ':pass nil' to that?
> >
> > Yes.
> >
> > >     Nikolaos> +  DEFSYM (Qgnutls_pkcs_plain, "GNUTLS_PKCS_PLAIN");
> > >     Nikolaos> <removed a few more such lines>
> > >     Nikolaos> +  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpd, "GNUTLS_PKCS_PBES2_GOST_CPD");
> > >     >>
> > >     >> All this is kind of awkward, but apart from doing DEFVAR_LISP Iʼm not
> > >     >> aware of how to define a lisp level symbol with a value (it would
> > >     >> allow you to simplify `key_file2_aux', since you could just extract
> > >     >> the values directly from the symbols).
> > >
> > >     Nikolaos> I am now comparing against intern("GNUTLS_PKCS_PLAIN") and so on.
> > >
> > > I guess thatʼs another option, but itʼs not the preferred
> > > solution. Anyway, letʼs not let the perfect be the enemy of the good.
> >
> > I went with intern.
>
> Why not use DEFSYM and then compare against the static symbols?  That
> is more efficient, since the intern call is avoided at run time.

I did not understand the differences between DEFSYM() and
intern(). Can DEFSYM() be used outside of syms_of_gnutls()? In
particular can I (and, should I?) call it inside the key_file2_aux()
function?






* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-30 13:01                                   ` Nikolaos Chatzikonstantinou
@ 2022-09-30 13:37                                     ` Eli Zaretskii
  2022-09-30 13:49                                       ` Nikolaos Chatzikonstantinou
  0 siblings, 1 reply; 47+ messages in thread
From: Eli Zaretskii @ 2022-09-30 13:37 UTC (permalink / raw)
  To: Nikolaos Chatzikonstantinou; +Cc: 50507, rpluim, larsi

> From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
> Date: Fri, 30 Sep 2022 09:01:06 -0400
> Cc: rpluim@gmail.com, 50507@debbugs.gnu.org, larsi@gnus.org
> 
> On Fri, Sep 30, 2022 at 6:47 AM Eli Zaretskii <eliz@gnu.org> wrote:
> >
> > > I went with intern.
> >
> > Why not use DEFSYM and then compare against the static symbols?  That
> > is more efficient, since the intern call is avoided at run time.
> 
> I did not understand the differences between DEFSYM() and
> intern(). Can DEFSYM() be used outside of syms_of_gnutls()?

Why do you need to use DEFSYM outside of syms_of_gnutls?






* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-30 13:37                                     ` Eli Zaretskii
@ 2022-09-30 13:49                                       ` Nikolaos Chatzikonstantinou
  2022-09-30 14:32                                         ` Robert Pluim
  0 siblings, 1 reply; 47+ messages in thread
From: Nikolaos Chatzikonstantinou @ 2022-09-30 13:49 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 50507, rpluim, larsi

[-- Attachment #1: Type: text/plain, Size: 787 bytes --]

On Fri, Sep 30, 2022 at 9:37 AM Eli Zaretskii <eliz@gnu.org> wrote:
>
> > From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
> > Date: Fri, 30 Sep 2022 09:01:06 -0400
> > Cc: rpluim@gmail.com, 50507@debbugs.gnu.org, larsi@gnus.org
> >
> > On Fri, Sep 30, 2022 at 6:47 AM Eli Zaretskii <eliz@gnu.org> wrote:
> > >
> > > > I went with intern.
> > >
> > > Why not use DEFSYM and then compare against the static symbols?  That
> > > is more efficient, since the intern call is avoided at run time.
> >
> > I did not understand the differences between DEFSYM() and
> > intern(). Can DEFSYM() be used outside of syms_of_gnutls()?
>
> Why do you need to use DEFSYM outside of syms_of_gnutls?

Never mind, I had general confusion on how the internals work. Here is
the update, using DEFSYM.

[-- Attachment #2: 0001-add-pass-and-flags-to-gnutls-boot-for-keylist.patch --]
[-- Type: text/x-patch, Size: 11459 bytes --]

From 48eeb16b7206fedbf2d0cb92c6fd7ace6cb2deda Mon Sep 17 00:00:00 2001
From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
Date: Mon, 26 Sep 2022 11:08:18 -0400
Subject: [PATCH] add :pass and :flags to gnutls-boot for :keylist

* lisp/net/gnutls.el (gnutls-boot-parameters): Add the keys :pass and
:flags, and update the documentation.
* src/gnutls.c (gnutls-boot): Add the keys :pass and :flags, and
update the documentation.
(syms_of_gnutls): Add the symbols :pass, :flags, and the symbols that
correspond to the enumeration constants of the GnuTLS enum
`gnutls_pkcs_encrypt_flags_t`.
(key_file2_aux): Private helper function that translates a list of
symbols to its corresponding `unsigned int` value of the GnuTLS C enum
`gnutls_pkcs_encrypt_flags_t`.
---
 lisp/net/gnutls.el |  10 ++++
 src/gnutls.c       | 121 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 131 insertions(+)

diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 6e3845aec1..eef6559a95 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -265,6 +265,7 @@ gnutls-boot-parameters
            &key type hostname priority-string
            trustfiles crlfiles keylist min-prime-bits
            verify-flags verify-error verify-hostname-error
+           pass flags
            &allow-other-keys)
   "Return a keyword list of parameters suitable for passing to `gnutls-boot'.
 
@@ -281,6 +282,13 @@ gnutls-boot-parameters
 VERIFY-HOSTNAME-ERROR is a backwards compatibility option for
 putting `:hostname' in VERIFY-ERROR.
 
+PASS is a string, the password of the key.  It may also be nil,
+for a NULL password.
+
+FLAGS is a list of symbols corresponding to the equivalent ORed
+bitflag of the gnutls_pkcs_encrypt_flags_t enum of GnuTLS.  The
+empty list corresponds to the bitflag with value 0.
+
 When VERIFY-ERROR is t or a list containing `:trustfiles', an
 error will be raised when the peer certificate verification fails
 as per GnuTLS' gnutls_certificate_verify_peers2.  Otherwise, only
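Review bot: as in the previous revision, the PASS paragraph does not say what an omitted PASS means, although `gnutls-boot` distinguishes an absent `:pass` (legacy `gnutls_certificate_set_x509_key_file`) from `:pass nil` (`_file2` with a NULL password); state which one an omitted PASS maps to. The FLAGS paragraph should also list or point at the accepted symbols, and mention that other symbols are currently ignored rather than rejected.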
@@ -358,6 +366,8 @@ gnutls-boot-parameters
                 :keylist ,keylist
                 :verify-flags ,verify-flags
                 :verify-error ,verify-error
+                :pass ,pass
+                :flags ,flags
                 :callbacks nil)))
 
 (defun gnutls--get-files (files)
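Review bot: `:pass ,pass` is still emitted unconditionally, so a plist from `gnutls-boot-parameters` always contains `:pass` (nil by default), `plist_member (proplist, QCpass)` always succeeds in `gnutls-boot`, and the legacy `gnutls_certificate_set_x509_key_file` path is unreachable through this function. Either document that unencrypted keys now go through `_file2` with a NULL password, or emit the key only when PASS is non-nil, e.g. `,@(and pass (list :pass pass))`.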
diff --git a/src/gnutls.c b/src/gnutls.c
index a0de0238c4..bc9b195cdd 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -34,6 +34,7 @@
 # endif
 
 # if GNUTLS_VERSION_NUMBER >= 0x030200
+#  define HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
 #  define HAVE_GNUTLS_CIPHER_GET_IV_SIZE
 # endif
 
@@ -121,6 +122,11 @@ DEF_DLL_FN (int, gnutls_certificate_set_x509_crl_file,
 DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file,
 	    (gnutls_certificate_credentials_t, const char *, const char *,
 	     gnutls_x509_crt_fmt_t));
+#  ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file2,
+	    (gnutls_certificate_credentials_t, const char *, const char *,
+	     gnutls_x509_crt_fmt_t, const char *, unsigned int));
+#  endif
 #  ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST
 DEF_DLL_FN (int, gnutls_certificate_set_x509_system_trust,
 	    (gnutls_certificate_credentials_t));
@@ -314,6 +320,9 @@ init_gnutls_functions (void)
   LOAD_DLL_FN (library, gnutls_certificate_set_verify_flags);
   LOAD_DLL_FN (library, gnutls_certificate_set_x509_crl_file);
   LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file);
+#  ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+  LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file2);
+#  endif
 #  ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST
   LOAD_DLL_FN (library, gnutls_certificate_set_x509_system_trust);
 #  endif
@@ -455,6 +464,9 @@ init_gnutls_functions (void)
 #  define gnutls_certificate_set_verify_flags fn_gnutls_certificate_set_verify_flags
 #  define gnutls_certificate_set_x509_crl_file fn_gnutls_certificate_set_x509_crl_file
 #  define gnutls_certificate_set_x509_key_file fn_gnutls_certificate_set_x509_key_file
+#  ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+#   define gnutls_certificate_set_x509_key_file2 fn_gnutls_certificate_set_x509_key_file2
+#  endif
 #  define gnutls_certificate_set_x509_system_trust fn_gnutls_certificate_set_x509_system_trust
 #  define gnutls_certificate_set_x509_trust_file fn_gnutls_certificate_set_x509_trust_file
 #  define gnutls_certificate_type_get fn_gnutls_certificate_type_get
@@ -1774,6 +1786,61 @@ gnutls_verify_boot (Lisp_Object proc, Lisp_Object proplist)
   return gnutls_make_error (ret);
 }
 
+#ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+
+/* Helper function for gnutls-boot.
+
+   The key :flags receives a list of symbols, each of which
+   corresponds to a GnuTLS C flag, the ORed result is to be passed to
+   the function gnutls_certificate_set_x509_key_file2() as its last
+   argument.
+*/
+static unsigned int
+key_file2_aux (Lisp_Object flags)
+{
+  unsigned int rv = 0;
+  Lisp_Object tail = flags;
+  FOR_EACH_TAIL_SAFE (tail)
+    {
+      Lisp_Object flag = XCAR (tail);
+      if (EQ (flag, Qgnutls_pkcs_plain))
+	rv |= GNUTLS_PKCS_PLAIN;
+      else if(EQ (flag, Qgnutls_pkcs_pkcs12_3des))
+	rv |= GNUTLS_PKCS_PKCS12_3DES;
+      else if(EQ (flag, Qgnutls_pkcs_pkcs12_arcfour))
+	rv |= GNUTLS_PKCS_PKCS12_ARCFOUR;
+      else if(EQ (flag, Qgnutls_pkcs_pkcs12_rc2_40))
+	rv |= GNUTLS_PKCS_PKCS12_RC2_40;
+      else if(EQ (flag, Qgnutls_pkcs_pbes2_3des))
+	rv |= GNUTLS_PKCS_PBES2_3DES;
+      else if(EQ (flag, Qgnutls_pkcs_pbes2_aes_128))
+	rv |= GNUTLS_PKCS_PBES2_AES_128;
+      else if(EQ (flag, Qgnutls_pkcs_pbes2_aes_192))
+	rv |= GNUTLS_PKCS_PBES2_AES_192;
+      else if(EQ (flag, Qgnutls_pkcs_pbes2_aes_256))
+	rv |= GNUTLS_PKCS_PBES2_AES_256;
+      else if(EQ (flag, Qgnutls_pkcs_null_password))
+	rv |= GNUTLS_PKCS_NULL_PASSWORD;
+      else if(EQ (flag, Qgnutls_pkcs_pbes2_des))
+	rv |= GNUTLS_PKCS_PBES2_DES;
+      else if(EQ (flag, Qgnutls_pkcs_pbes1_des_md5))
+	rv |= GNUTLS_PKCS_PBES1_DES_MD5;
+      else if(EQ (flag, Qgnutls_pkcs_pbes2_gost_tc26z))
+	rv |= GNUTLS_PKCS_PBES2_GOST_TC26Z;
+      else if(EQ (flag, Qgnutls_pkcs_pbes2_gost_cpa))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPA;
+      else if(EQ (flag, Qgnutls_pkcs_pbes2_gost_cpb))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPB;
+      else if(EQ (flag, Qgnutls_pkcs_pbes2_gost_cpc))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPC;
+      else if(EQ (flag, Qgnutls_pkcs_pbes2_gost_cpd))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPD;
+    }
+  return rv;
+}
+
+#endif /* HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2 */
+
 DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
        doc: /* Initialize GnuTLS client for process PROC with TYPE+PROPLIST.
 Currently only client mode is supported.  Return a success/failure
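Review bot: a symbol that matches none of the `EQ` branches is dropped silently, so a mistyped flag degrades to 0 (plain) with no diagnostic; signalling an `error` on an unrecognised symbol would be safer, and a `CHECK_LIST (flags)` before the loop would catch `:flags 'GNUTLS_PKCS_PLAIN` (a bare symbol instead of a list), which `FOR_EACH_TAIL_SAFE` currently treats as an empty list. Style: the `else if(` forms lack the space after `if` that the rest of the file uses (`if (STRINGP (pass))`).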
@@ -1813,6 +1880,21 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 :complete-negotiation, if non-nil, will make negotiation complete
 before returning even on non-blocking sockets.
 
+:pass, the password of the private key as per GnuTLS'
+gnutls_certificate_set_x509_key_file2.  Specify as nil to have a NULL
+password.
+
+:flags, a list of symbols relating to :pass, each specifying a flag:
+GNUTLS_PKCS_PLAIN, GNUTLS_PKCS_PKCS12_3DES,
+GNUTLS_PKCS_PKCS12_ARCFOUR, GNUTLS_PKCS_PKCS12_RC2_40,
+GNUTLS_PKCS_PBES2_3DES, GNUTLS_PKCS_PBES2_AES_128,
+GNUTLS_PKCS_PBES2_AES_192, GNUTLS_PKCS_PBES2_AES_256,
+GNUTLS_PKCS_NULL_PASSWORD, GNUTLS_PKCS_PBES2_DES,
+GNUTLS_PKCS_PBES2_DES_MD5, GNUTLS_PKCS_PBES2_GOST_TC26Z,
+GNUTLS_PKCS_PBES2_GOST_CPA, GNUTLS_PKCS_PBES2_GOST_CPB,
+GNUTLS_PKCS_PBES2_GOST_CPC, GNUTLS_PKCS_PBES2_GOST_CPD.  If not
+specified, or if nil, the bitflag with value 0 is used.
+
 The debug level will be set for this process AND globally for GnuTLS.
 So if you set it higher or lower at any point, it affects global
 debugging.
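Review bot: the docstring still lists `GNUTLS_PKCS_PBES2_DES_MD5`, but the symbol defined in `syms_of_gnutls` and tested in `key_file2_aux` is `GNUTLS_PKCS_PBES1_DES_MD5` (the GnuTLS enumerator); a user copying the documented name gets a silently ignored flag. Fix the docstring, and consider naming `gnutls_pkcs_encrypt_flags_t` here so readers can find the GnuTLS documentation for these values.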
@@ -1825,6 +1907,9 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 functions are used.  This function allocates resources which can only
 be deallocated by calling `gnutls-deinit' or by calling it again.
 
+The :pass and :flags keys are ignored with old versions of GnuTLS, and
+:flags is ignored if :pass is not specified.
+
 The callbacks alist can have a `verify' key, associated with a
 verification function (UNUSED).
 
@@ -1848,6 +1933,8 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
   Lisp_Object trustfiles;
   Lisp_Object crlfiles;
   Lisp_Object keylist;
+  Lisp_Object pass;
+  Lisp_Object flags;
   /* Lisp_Object callbacks; */
   Lisp_Object loglevel;
   Lisp_Object hostname;
@@ -1877,6 +1964,8 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
   crlfiles              = plist_get (proplist, QCcrlfiles);
   loglevel              = plist_get (proplist, QCloglevel);
   prime_bits            = plist_get (proplist, QCmin_prime_bits);
+  pass                  = plist_get (proplist, QCpass);
+  flags                 = plist_get (proplist, QCflags);
 
   if (!STRINGP (hostname))
     {
@@ -2038,8 +2127,22 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 	      keyfile = ansi_encode_filename (keyfile);
 	      certfile = ansi_encode_filename (certfile);
 # endif
+# ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+	      if (STRINGP (pass))
+		ret = gnutls_certificate_set_x509_key_file2
+		  (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format,
+		   SSDATA (pass), key_file2_aux (flags));
+	      else if (NILP (pass) && plist_member (proplist, QCpass))
+		ret = gnutls_certificate_set_x509_key_file2
+		  (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format,
+		   NULL, key_file2_aux (flags));
+	      else
+		ret = gnutls_certificate_set_x509_key_file
+		  (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
+# else
 	      ret = gnutls_certificate_set_x509_key_file
 		(x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
+# endif
 
 	      if (ret < GNUTLS_E_SUCCESS)
 		return gnutls_make_error (ret);
@@ -2860,8 +2963,26 @@ syms_of_gnutls (void)
   DEFSYM (QCmin_prime_bits, ":min-prime-bits");
   DEFSYM (QCloglevel, ":loglevel");
   DEFSYM (QCcomplete_negotiation, ":complete-negotiation");
+  DEFSYM (QCpass, ":pass");
+  DEFSYM (QCflags, ":flags");
   DEFSYM (QCverify_flags, ":verify-flags");
   DEFSYM (QCverify_error, ":verify-error");
+  DEFSYM (Qgnutls_pkcs_plain, "GNUTLS_PKCS_PLAIN");
+  DEFSYM (Qgnutls_pkcs_pkcs12_3des, "GNUTLS_PKCS_PKCS12_3DES");
+  DEFSYM (Qgnutls_pkcs_pkcs12_arcfour, "GNUTLS_PKCS_PKCS12_ARCFOUR");
+  DEFSYM (Qgnutls_pkcs_pkcs12_rc2_40, "GNUTLS_PKCS_PKCS12_RC2_40");
+  DEFSYM (Qgnutls_pkcs_pbes2_3des, "GNUTLS_PKCS_PBES2_3DES");
+  DEFSYM (Qgnutls_pkcs_pbes2_aes_128, "GNUTLS_PKCS_PBES2_AES_128");
+  DEFSYM (Qgnutls_pkcs_pbes2_aes_192, "GNUTLS_PKCS_PBES2_AES_192");
+  DEFSYM (Qgnutls_pkcs_pbes2_aes_256, "GNUTLS_PKCS_PBES2_AES_256");
+  DEFSYM (Qgnutls_pkcs_null_password, "GNUTLS_PKCS_NULL_PASSWORD");
+  DEFSYM (Qgnutls_pkcs_pbes2_des, "GNUTLS_PKCS_PBES2_DES");
+  DEFSYM (Qgnutls_pkcs_pbes1_des_md5, "GNUTLS_PKCS_PBES1_DES_MD5");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_tc26z, "GNUTLS_PKCS_PBES2_GOST_TC26Z");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpa, "GNUTLS_PKCS_PBES2_GOST_CPA");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpb, "GNUTLS_PKCS_PBES2_GOST_CPB");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpc, "GNUTLS_PKCS_PBES2_GOST_CPC");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpd, "GNUTLS_PKCS_PBES2_GOST_CPD");
 
   DEFSYM (QCcipher_id, ":cipher-id");
   DEFSYM (QCcipher_aead_capable, ":cipher-aead-capable");
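Review bot: exposing the C enumerator names verbatim as upper-case Lisp symbols is unusual next to the lower-case keywords defined in this same hunk (`:pass`, `:flags`, `:verify-flags`); lower-case keywords such as `:pkcs-plain` or `:pbes2-aes-256` would read as Emacs Lisp. Whichever naming is kept, the set defined here, the branches in `key_file2_aux` and the list in the `gnutls-boot` docstring must agree: the docstring names `GNUTLS_PKCS_PBES2_DES_MD5`, for which there is no DEFSYM (this hunk defines `GNUTLS_PKCS_PBES1_DES_MD5`).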
-- 
2.37.3



* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-30 13:49                                       ` Nikolaos Chatzikonstantinou
@ 2022-09-30 14:32                                         ` Robert Pluim
  2022-09-30 16:22                                           ` Nikolaos Chatzikonstantinou
  0 siblings, 1 reply; 47+ messages in thread
From: Robert Pluim @ 2022-09-30 14:32 UTC (permalink / raw)
  To: Nikolaos Chatzikonstantinou; +Cc: 50507, Eli Zaretskii, larsi

>>>>> On Fri, 30 Sep 2022 09:49:30 -0400, Nikolaos Chatzikonstantinou <nchatz314@gmail.com> said:
    Nikolaos> +static unsigned int
    Nikolaos> +key_file2_aux (Lisp_Object flags)
    Nikolaos> +{
    Nikolaos> +  unsigned int rv = 0;
    Nikolaos> +  Lisp_Object tail = flags;
    Nikolaos> +  FOR_EACH_TAIL_SAFE (tail)
    Nikolaos> +    {
    Nikolaos> +      Lisp_Object flag = XCAR (tail);
    Nikolaos> +      if (EQ (flag, Qgnutls_pkcs_plain))
    Nikolaos> +	rv |= GNUTLS_PKCS_PLAIN;
    Nikolaos> +      else if(EQ (flag, Qgnutls_pkcs_pkcs12_3des))

Space after 'if' here and in the rest of the function

    Nikolaos> +# ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
    Nikolaos> +	      if (STRINGP (pass))
    Nikolaos> +		ret = gnutls_certificate_set_x509_key_file2
    Nikolaos> +		  (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format,
    Nikolaos> +		   SSDATA (pass), key_file2_aux (flags));
    Nikolaos> +	      else if (NILP (pass) && plist_member (proplist, QCpass))
    Nikolaos> +		ret = gnutls_certificate_set_x509_key_file2
    Nikolaos> +		  (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format,
    Nikolaos> +		   NULL, key_file2_aux (flags));
    Nikolaos> +	      else
    Nikolaos> +		ret = gnutls_certificate_set_x509_key_file
    Nikolaos> +		  (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
    Nikolaos> +# else
    Nikolaos>  	      ret = gnutls_certificate_set_x509_key_file
    Nikolaos>  		(x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
    Nikolaos> +# endif

2 minor points:

- If you use an intermediate variable for
the C version of pass, you can set it correctly based on `plist_member'
etc, and only have one call to _file2 (as it is itʼs kind of
difficult to quickly see the difference between the two calls)
- I think you can then rework the #else/#endif here to avoid repetition of
the call to the _file variant

Robert
-- 






* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-30 14:32                                         ` Robert Pluim
@ 2022-09-30 16:22                                           ` Nikolaos Chatzikonstantinou
  2022-10-03  7:40                                             ` Robert Pluim
  0 siblings, 1 reply; 47+ messages in thread
From: Nikolaos Chatzikonstantinou @ 2022-09-30 16:22 UTC (permalink / raw)
  To: Robert Pluim; +Cc: 50507, Eli Zaretskii, larsi

[-- Attachment #1: Type: text/plain, Size: 2668 bytes --]

On Fri, Sep 30, 2022 at 10:32 AM Robert Pluim <rpluim@gmail.com> wrote:
>
> >>>>> On Fri, 30 Sep 2022 09:49:30 -0400, Nikolaos Chatzikonstantinou <nchatz314@gmail.com> said:
>     Nikolaos> +static unsigned int
>     Nikolaos> +key_file2_aux (Lisp_Object flags)
>     Nikolaos> +{
>     Nikolaos> +  unsigned int rv = 0;
>     Nikolaos> +  Lisp_Object tail = flags;
>     Nikolaos> +  FOR_EACH_TAIL_SAFE (tail)
>     Nikolaos> +    {
>     Nikolaos> +      Lisp_Object flag = XCAR (tail);
>     Nikolaos> +      if (EQ (flag, Qgnutls_pkcs_plain))
>     Nikolaos> + rv |= GNUTLS_PKCS_PLAIN;
>     Nikolaos> +      else if(EQ (flag, Qgnutls_pkcs_pkcs12_3des))
>
> Space after 'if' here and in the rest of the function
>
>     Nikolaos> +# ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
>     Nikolaos> +       if (STRINGP (pass))
>     Nikolaos> +         ret = gnutls_certificate_set_x509_key_file2
>     Nikolaos> +           (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format,
>     Nikolaos> +            SSDATA (pass), key_file2_aux (flags));
>     Nikolaos> +       else if (NILP (pass) && plist_member (proplist, QCpass))
>     Nikolaos> +         ret = gnutls_certificate_set_x509_key_file2
>     Nikolaos> +           (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format,
>     Nikolaos> +            NULL, key_file2_aux (flags));
>     Nikolaos> +       else
>     Nikolaos> +         ret = gnutls_certificate_set_x509_key_file
>     Nikolaos> +           (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
>     Nikolaos> +# else
>     Nikolaos>         ret = gnutls_certificate_set_x509_key_file
>     Nikolaos>           (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
>     Nikolaos> +# endif
>
> 2 minor points:
>
> - If you use an intermediate variable for
> the C version of pass, you can set it correctly based on `plist_member'
> etc, and only have one call to _file2 (as it is itʼs kind of
> difficult to quickly see the difference between the two calls)
> - I think you can then rework the #else/#endif here to avoid repetition of
> the call to the  _file variant

Thanks, I worked those out too, save for the last point you made. Do
you mean this sort of thing:

  #if COND
  if (something)
    foo();
  else
    bar();
  #else
  bar();
  #endif

To be rewritten as

  #if COND
  if (something)
    foo();
  else
  #endif
  bar();

Because in this case, I don't trust that kind of code to survive the
test of time. Someone may come along and break it by modifying the
bar() line, and it might be a sneaky bug. It's not easy to tell.

[-- Attachment #2: 0001-add-pass-and-flags-to-gnutls-boot-for-keylist.patch --]
[-- Type: text/x-patch, Size: 11594 bytes --]

From 79682db52a825c52403cc671c5d84a0c6460cdf5 Mon Sep 17 00:00:00 2001
From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
Date: Mon, 26 Sep 2022 11:08:18 -0400
Subject: [PATCH] add :pass and :flags to gnutls-boot for :keylist

* lisp/net/gnutls.el (gnutls-boot-parameters): Add the keys :pass and
:flags, and update the documentation.
* src/gnutls.c (gnutls-boot): Add the keys :pass and :flags, and
update the documentation.
(syms_of_gnutls): Add the symbols :pass, :flags, and the symbols that
correspond to the enumeration constants of the GnuTLS enum
`gnutls_pkcs_encrypt_flags_t`.
(key_file2_aux): Private helper function that translates a list of
symbols to its corresponding `unsigned int` value of the GnuTLS C enum
`gnutls_pkcs_encrypt_flags_t`.
---
 lisp/net/gnutls.el |  10 ++++
 src/gnutls.c       | 123 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+)

diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 6e3845aec1..eef6559a95 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -265,6 +265,7 @@ gnutls-boot-parameters
            &key type hostname priority-string
            trustfiles crlfiles keylist min-prime-bits
            verify-flags verify-error verify-hostname-error
+           pass flags
            &allow-other-keys)
   "Return a keyword list of parameters suitable for passing to `gnutls-boot'.
 
@@ -281,6 +282,13 @@ gnutls-boot-parameters
 VERIFY-HOSTNAME-ERROR is a backwards compatibility option for
 putting `:hostname' in VERIFY-ERROR.
 
+PASS is a string, the password of the key.  It may also be nil,
+for a NULL password.
+
+FLAGS is a list of symbols corresponding to the equivalent ORed
+bitflag of the gnutls_pkcs_encrypt_flags_t enum of GnuTLS.  The
+empty list corresponds to the bitflag with value 0.
+
 When VERIFY-ERROR is t or a list containing `:trustfiles', an
 error will be raised when the peer certificate verification fails
 as per GnuTLS' gnutls_certificate_verify_peers2.  Otherwise, only
@@ -358,6 +366,8 @@ gnutls-boot-parameters
                 :keylist ,keylist
                 :verify-flags ,verify-flags
                 :verify-error ,verify-error
+                :pass ,pass
+                :flags ,flags
                 :callbacks nil)))
 
 (defun gnutls--get-files (files)
diff --git a/src/gnutls.c b/src/gnutls.c
index a0de0238c4..661a42b826 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -34,6 +34,7 @@
 # endif
 
 # if GNUTLS_VERSION_NUMBER >= 0x030200
+#  define HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
 #  define HAVE_GNUTLS_CIPHER_GET_IV_SIZE
 # endif
 
@@ -121,6 +122,11 @@ DEF_DLL_FN (int, gnutls_certificate_set_x509_crl_file,
 DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file,
 	    (gnutls_certificate_credentials_t, const char *, const char *,
 	     gnutls_x509_crt_fmt_t));
+#  ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file2,
+	    (gnutls_certificate_credentials_t, const char *, const char *,
+	     gnutls_x509_crt_fmt_t, const char *, unsigned int));
+#  endif
 #  ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST
 DEF_DLL_FN (int, gnutls_certificate_set_x509_system_trust,
 	    (gnutls_certificate_credentials_t));
@@ -314,6 +320,9 @@ init_gnutls_functions (void)
   LOAD_DLL_FN (library, gnutls_certificate_set_verify_flags);
   LOAD_DLL_FN (library, gnutls_certificate_set_x509_crl_file);
   LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file);
+#  ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+  LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file2);
+#  endif
 #  ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST
   LOAD_DLL_FN (library, gnutls_certificate_set_x509_system_trust);
 #  endif
@@ -455,6 +464,9 @@ init_gnutls_functions (void)
 #  define gnutls_certificate_set_verify_flags fn_gnutls_certificate_set_verify_flags
 #  define gnutls_certificate_set_x509_crl_file fn_gnutls_certificate_set_x509_crl_file
 #  define gnutls_certificate_set_x509_key_file fn_gnutls_certificate_set_x509_key_file
+#  ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+#   define gnutls_certificate_set_x509_key_file2 fn_gnutls_certificate_set_x509_key_file2
+#  endif
 #  define gnutls_certificate_set_x509_system_trust fn_gnutls_certificate_set_x509_system_trust
 #  define gnutls_certificate_set_x509_trust_file fn_gnutls_certificate_set_x509_trust_file
 #  define gnutls_certificate_type_get fn_gnutls_certificate_type_get
@@ -1774,6 +1786,61 @@ gnutls_verify_boot (Lisp_Object proc, Lisp_Object proplist)
   return gnutls_make_error (ret);
 }
 
+#ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+
+/* Helper function for gnutls-boot.
+
+   The key :flags receives a list of symbols, each of which
+   corresponds to a GnuTLS C flag, the ORed result is to be passed to
+   the function gnutls_certificate_set_x509_key_file2() as its last
+   argument.
+*/
+static unsigned int
+key_file2_aux (Lisp_Object flags)
+{
+  unsigned int rv = 0;
+  Lisp_Object tail = flags;
+  FOR_EACH_TAIL_SAFE (tail)
+    {
+      Lisp_Object flag = XCAR (tail);
+      if (EQ (flag, Qgnutls_pkcs_plain))
+	rv |= GNUTLS_PKCS_PLAIN;
+      else if (EQ (flag, Qgnutls_pkcs_pkcs12_3des))
+	rv |= GNUTLS_PKCS_PKCS12_3DES;
+      else if (EQ (flag, Qgnutls_pkcs_pkcs12_arcfour))
+	rv |= GNUTLS_PKCS_PKCS12_ARCFOUR;
+      else if (EQ (flag, Qgnutls_pkcs_pkcs12_rc2_40))
+	rv |= GNUTLS_PKCS_PKCS12_RC2_40;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_3des))
+	rv |= GNUTLS_PKCS_PBES2_3DES;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_aes_128))
+	rv |= GNUTLS_PKCS_PBES2_AES_128;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_aes_192))
+	rv |= GNUTLS_PKCS_PBES2_AES_192;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_aes_256))
+	rv |= GNUTLS_PKCS_PBES2_AES_256;
+      else if (EQ (flag, Qgnutls_pkcs_null_password))
+	rv |= GNUTLS_PKCS_NULL_PASSWORD;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_des))
+	rv |= GNUTLS_PKCS_PBES2_DES;
+      else if (EQ (flag, Qgnutls_pkcs_pbes1_des_md5))
+	rv |= GNUTLS_PKCS_PBES1_DES_MD5;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_tc26z))
+	rv |= GNUTLS_PKCS_PBES2_GOST_TC26Z;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_cpa))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPA;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_cpb))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPB;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_cpc))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPC;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_cpd))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPD;
+    }
+  return rv;
+}
+
+#endif /* HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2 */
+
 DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
        doc: /* Initialize GnuTLS client for process PROC with TYPE+PROPLIST.
 Currently only client mode is supported.  Return a success/failure
@@ -1813,6 +1880,21 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 :complete-negotiation, if non-nil, will make negotiation complete
 before returning even on non-blocking sockets.
 
+:pass, the password of the private key as per GnuTLS'
+gnutls_certificate_set_x509_key_file2.  Specify as nil to have a NULL
+password.
+
+:flags, a list of symbols relating to :pass, each specifying a flag:
+GNUTLS_PKCS_PLAIN, GNUTLS_PKCS_PKCS12_3DES,
+GNUTLS_PKCS_PKCS12_ARCFOUR, GNUTLS_PKCS_PKCS12_RC2_40,
+GNUTLS_PKCS_PBES2_3DES, GNUTLS_PKCS_PBES2_AES_128,
+GNUTLS_PKCS_PBES2_AES_192, GNUTLS_PKCS_PBES2_AES_256,
+GNUTLS_PKCS_NULL_PASSWORD, GNUTLS_PKCS_PBES2_DES,
+GNUTLS_PKCS_PBES2_DES_MD5, GNUTLS_PKCS_PBES2_GOST_TC26Z,
+GNUTLS_PKCS_PBES2_GOST_CPA, GNUTLS_PKCS_PBES2_GOST_CPB,
+GNUTLS_PKCS_PBES2_GOST_CPC, GNUTLS_PKCS_PBES2_GOST_CPD.  If not
+specified, or if nil, the bitflag with value 0 is used.
+
 The debug level will be set for this process AND globally for GnuTLS.
 So if you set it higher or lower at any point, it affects global
 debugging.
@@ -1825,6 +1907,9 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 functions are used.  This function allocates resources which can only
 be deallocated by calling `gnutls-deinit' or by calling it again.
 
+The :pass and :flags keys are ignored with old versions of GnuTLS, and
+:flags is ignored if :pass is not specified.
+
 The callbacks alist can have a `verify' key, associated with a
 verification function (UNUSED).
 
@@ -1842,12 +1927,15 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
   Lisp_Object global_init;
   char const *priority_string_ptr = "NORMAL"; /* default priority string.  */
   char *c_hostname;
+  const char *c_pass;
 
   /* Placeholders for the property list elements.  */
   Lisp_Object priority_string;
   Lisp_Object trustfiles;
   Lisp_Object crlfiles;
   Lisp_Object keylist;
+  Lisp_Object pass;
+  Lisp_Object flags;
   /* Lisp_Object callbacks; */
   Lisp_Object loglevel;
   Lisp_Object hostname;
@@ -1877,6 +1965,13 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
   crlfiles              = plist_get (proplist, QCcrlfiles);
   loglevel              = plist_get (proplist, QCloglevel);
   prime_bits            = plist_get (proplist, QCmin_prime_bits);
+  pass                  = plist_get (proplist, QCpass);
+  flags                 = plist_get (proplist, QCflags);
+
+  if (STRINGP (pass))
+    c_pass = SSDATA (pass);
+  else
+    c_pass = NULL;
 
   if (!STRINGP (hostname))
     {
@@ -2038,8 +2133,18 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 	      keyfile = ansi_encode_filename (keyfile);
 	      certfile = ansi_encode_filename (certfile);
 # endif
+# ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+	      if (plist_member (proplist, QCpass))
+		ret = gnutls_certificate_set_x509_key_file2
+		  (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format,
+		   c_pass, key_file2_aux (flags));
+	      else
+		ret = gnutls_certificate_set_x509_key_file
+		  (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
+# else
 	      ret = gnutls_certificate_set_x509_key_file
 		(x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
+# endif
 
 	      if (ret < GNUTLS_E_SUCCESS)
 		return gnutls_make_error (ret);
@@ -2860,8 +2965,26 @@ syms_of_gnutls (void)
   DEFSYM (QCmin_prime_bits, ":min-prime-bits");
   DEFSYM (QCloglevel, ":loglevel");
   DEFSYM (QCcomplete_negotiation, ":complete-negotiation");
+  DEFSYM (QCpass, ":pass");
+  DEFSYM (QCflags, ":flags");
   DEFSYM (QCverify_flags, ":verify-flags");
   DEFSYM (QCverify_error, ":verify-error");
+  DEFSYM (Qgnutls_pkcs_plain, "GNUTLS_PKCS_PLAIN");
+  DEFSYM (Qgnutls_pkcs_pkcs12_3des, "GNUTLS_PKCS_PKCS12_3DES");
+  DEFSYM (Qgnutls_pkcs_pkcs12_arcfour, "GNUTLS_PKCS_PKCS12_ARCFOUR");
+  DEFSYM (Qgnutls_pkcs_pkcs12_rc2_40, "GNUTLS_PKCS_PKCS12_RC2_40");
+  DEFSYM (Qgnutls_pkcs_pbes2_3des, "GNUTLS_PKCS_PBES2_3DES");
+  DEFSYM (Qgnutls_pkcs_pbes2_aes_128, "GNUTLS_PKCS_PBES2_AES_128");
+  DEFSYM (Qgnutls_pkcs_pbes2_aes_192, "GNUTLS_PKCS_PBES2_AES_192");
+  DEFSYM (Qgnutls_pkcs_pbes2_aes_256, "GNUTLS_PKCS_PBES2_AES_256");
+  DEFSYM (Qgnutls_pkcs_null_password, "GNUTLS_PKCS_NULL_PASSWORD");
+  DEFSYM (Qgnutls_pkcs_pbes2_des, "GNUTLS_PKCS_PBES2_DES");
+  DEFSYM (Qgnutls_pkcs_pbes1_des_md5, "GNUTLS_PKCS_PBES1_DES_MD5");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_tc26z, "GNUTLS_PKCS_PBES2_GOST_TC26Z");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpa, "GNUTLS_PKCS_PBES2_GOST_CPA");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpb, "GNUTLS_PKCS_PBES2_GOST_CPB");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpc, "GNUTLS_PKCS_PBES2_GOST_CPC");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpd, "GNUTLS_PKCS_PBES2_GOST_CPD");
 
   DEFSYM (QCcipher_id, ":cipher-id");
   DEFSYM (QCcipher_aead_capable, ":cipher-aead-capable");
-- 
2.37.3



* bug#50507: New function in Emacs GnuTLS implementation
  2022-09-30 16:22                                           ` Nikolaos Chatzikonstantinou
@ 2022-10-03  7:40                                             ` Robert Pluim
  2022-10-03 13:00                                               ` Nikolaos Chatzikonstantinou
  0 siblings, 1 reply; 47+ messages in thread
From: Robert Pluim @ 2022-10-03  7:40 UTC (permalink / raw)
  To: Nikolaos Chatzikonstantinou; +Cc: 50507, Eli Zaretskii, larsi

>>>>> On Fri, 30 Sep 2022 12:22:16 -0400, Nikolaos Chatzikonstantinou <nchatz314@gmail.com> said:
    Nikolaos>   #if COND
    Nikolaos>   if (something)
    Nikolaos>     foo();
    Nikolaos>   else
    Nikolaos>     bar();
    Nikolaos>   #else
    Nikolaos>   bar();
    Nikolaos>   #endif

    Nikolaos> To be rewritten as

    Nikolaos>   #if COND
    Nikolaos>   if (something)
    Nikolaos>     foo();
    Nikolaos>   else
    Nikolaos>   #endif
    Nikolaos>   bar();

    Nikolaos> Because in this case, I don't trust that kind of code to survive the
    Nikolaos> test of time. Someone may come along and break it by modifying the
    Nikolaos> bar() line, and it might be a sneaky bug. It's not easy to tell.

In the first version thereʼs the risk that one of the calls to 'bar'
will be changed and the other missed.

In the second version thereʼs only one 'bar' to change. If someone
changes the 'bar' code so it doesnʼt compile under COND, thatʼs
immediately obvious.

Robert

* bug#50507: New function in Emacs GnuTLS implementation
  2022-10-03  7:40                                             ` Robert Pluim
@ 2022-10-03 13:00                                               ` Nikolaos Chatzikonstantinou
  2022-10-03 13:19                                                 ` Robert Pluim
  0 siblings, 1 reply; 47+ messages in thread
From: Nikolaos Chatzikonstantinou @ 2022-10-03 13:00 UTC (permalink / raw)
  To: Robert Pluim; +Cc: 50507, Eli Zaretskii, larsi


On Mon, Oct 3, 2022 at 3:40 AM Robert Pluim <rpluim@gmail.com> wrote:
>
> >>>>> On Fri, 30 Sep 2022 12:22:16 -0400, Nikolaos Chatzikonstantinou <nchatz314@gmail.com> said:
>     Nikolaos>   #if COND
>     Nikolaos>   if (something)
>     Nikolaos>     foo();
>     Nikolaos>   else
>     Nikolaos>     bar();
>     Nikolaos>   #else
>     Nikolaos>   bar();
>     Nikolaos>   #endif
>
>     Nikolaos> To be rewritten as
>
>     Nikolaos>   #if COND
>     Nikolaos>   if (something)
>     Nikolaos>     foo();
>     Nikolaos>   else
>     Nikolaos>   #endif
>     Nikolaos>   bar();
>
>     Nikolaos> Because in this case, I don't trust that kind of code to survive the
>     Nikolaos> test of time. Someone may come along and break it by modifying the
>     Nikolaos> bar() line, and it might be a sneaky bug. It's not easy to tell.
>
> In the first version thereʼs the risk that one of the calls to 'bar'
> will be changed and the other missed.
>
> In the second version thereʼs only one 'bar' to change. If someone
> changes the 'bar' code so it doesnʼt compile under COND, thatʼs
> immediately obvious.

Okay then, I have the fixed patch here.

[-- Attachment #2: 0001-add-pass-and-flags-to-gnutls-boot-for-keylist.patch --]
[-- Type: text/x-patch, Size: 11418 bytes --]

From e868861425615ace9bc5efa8cf0a51cfa2130d21 Mon Sep 17 00:00:00 2001
From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
Date: Mon, 26 Sep 2022 11:08:18 -0400
Subject: [PATCH] add :pass and :flags to gnutls-boot for :keylist

* lisp/net/gnutls.el (gnutls-boot-parameters): Add the keys :pass and
:flags, and update the documentation.
* src/gnutls.c (gnutls-boot): Add the keys :pass and :flags, and
update the documentation.
(syms_of_gnutls): Add the symbols :pass, :flags, and the symbols that
correspond to the enumeration constants of the GnuTLS enum
`gnutls_pkcs_encrypt_flags_t`.
(key_file2_aux): Private helper function that translates a list of
symbols to its corresponding `unsigned int` value of the GnuTLS C enum
`gnutls_pkcs_encrypt_flags_t`.
---
 lisp/net/gnutls.el |  10 ++++
 src/gnutls.c       | 120 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 130 insertions(+)

diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 6e3845aec1..eef6559a95 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -265,6 +265,7 @@ gnutls-boot-parameters
            &key type hostname priority-string
            trustfiles crlfiles keylist min-prime-bits
            verify-flags verify-error verify-hostname-error
+           pass flags
            &allow-other-keys)
   "Return a keyword list of parameters suitable for passing to `gnutls-boot'.
 
@@ -281,6 +282,13 @@ gnutls-boot-parameters
 VERIFY-HOSTNAME-ERROR is a backwards compatibility option for
 putting `:hostname' in VERIFY-ERROR.
 
+PASS is a string, the password of the key.  It may also be nil,
+for a NULL password.
+
+FLAGS is a list of symbols corresponding to the equivalent ORed
+bitflag of the gnutls_pkcs_encrypt_flags_t enum of GnuTLS.  The
+empty list corresponds to the bitflag with value 0.
+
 When VERIFY-ERROR is t or a list containing `:trustfiles', an
 error will be raised when the peer certificate verification fails
 as per GnuTLS' gnutls_certificate_verify_peers2.  Otherwise, only
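Review bot: the FLAGS paragraph in this docstring says what the list is for but not which symbols it accepts; that list exists only in the gnutls-boot docstring in src/gnutls.c, so a user reading gnutls-boot-parameters has nothing to copy from. Add a pointer such as "See `gnutls-boot' for the symbols FLAGS accepts." and consider rewording "the equivalent ORed bitflag of the gnutls_pkcs_encrypt_flags_t enum" to "members of GnuTLS's gnutls_pkcs_encrypt_flags_t enum, which are ORed together", which reads more directly.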
@@ -358,6 +366,8 @@ gnutls-boot-parameters
                 :keylist ,keylist
                 :verify-flags ,verify-flags
                 :verify-error ,verify-error
+                :pass ,pass
+                :flags ,flags
                 :callbacks nil)))
 
 (defun gnutls--get-files (files)
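Review bot: ':pass ,pass' and ':flags ,flags' are emitted unconditionally here, so every plist built by gnutls-boot-parameters carries a :pass key (nil when the caller gave none). In src/gnutls.c the choice between gnutls_certificate_set_x509_key_file2 and gnutls_certificate_set_x509_key_file is made with plist_member (proplist, QCpass), which is therefore always true on this path, and the _file fallback is reachable only for callers that build the plist by hand; the C docstring's ":flags is ignored if :pass is not specified" is likewise never true for them. If the fallback is meant to stay reachable, add the two keys only when pass is non-nil, e.g. ',@(and pass (list :pass pass :flags flags))', and say so in the docstring.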
diff --git a/src/gnutls.c b/src/gnutls.c
index a0de0238c4..1522dac1b8 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -34,6 +34,7 @@
 # endif
 
 # if GNUTLS_VERSION_NUMBER >= 0x030200
+#  define HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
 #  define HAVE_GNUTLS_CIPHER_GET_IV_SIZE
 # endif
 
@@ -121,6 +122,11 @@ DEF_DLL_FN (int, gnutls_certificate_set_x509_crl_file,
 DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file,
 	    (gnutls_certificate_credentials_t, const char *, const char *,
 	     gnutls_x509_crt_fmt_t));
+#  ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file2,
+	    (gnutls_certificate_credentials_t, const char *, const char *,
+	     gnutls_x509_crt_fmt_t, const char *, unsigned int));
+#  endif
 #  ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST
 DEF_DLL_FN (int, gnutls_certificate_set_x509_system_trust,
 	    (gnutls_certificate_credentials_t));
@@ -314,6 +320,9 @@ init_gnutls_functions (void)
   LOAD_DLL_FN (library, gnutls_certificate_set_verify_flags);
   LOAD_DLL_FN (library, gnutls_certificate_set_x509_crl_file);
   LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file);
+#  ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+  LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file2);
+#  endif
 #  ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST
   LOAD_DLL_FN (library, gnutls_certificate_set_x509_system_trust);
 #  endif
@@ -455,6 +464,9 @@ init_gnutls_functions (void)
 #  define gnutls_certificate_set_verify_flags fn_gnutls_certificate_set_verify_flags
 #  define gnutls_certificate_set_x509_crl_file fn_gnutls_certificate_set_x509_crl_file
 #  define gnutls_certificate_set_x509_key_file fn_gnutls_certificate_set_x509_key_file
+#  ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+#   define gnutls_certificate_set_x509_key_file2 fn_gnutls_certificate_set_x509_key_file2
+#  endif
 #  define gnutls_certificate_set_x509_system_trust fn_gnutls_certificate_set_x509_system_trust
 #  define gnutls_certificate_set_x509_trust_file fn_gnutls_certificate_set_x509_trust_file
 #  define gnutls_certificate_type_get fn_gnutls_certificate_type_get
@@ -1774,6 +1786,61 @@ gnutls_verify_boot (Lisp_Object proc, Lisp_Object proplist)
   return gnutls_make_error (ret);
 }
 
+#ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+
+/* Helper function for gnutls-boot.
+
+   The key :flags receives a list of symbols, each of which
+   corresponds to a GnuTLS C flag, the ORed result is to be passed to
+   the function gnutls_certificate_set_x509_key_file2() as its last
+   argument.
+*/
+static unsigned int
+key_file2_aux (Lisp_Object flags)
+{
+  unsigned int rv = 0;
+  Lisp_Object tail = flags;
+  FOR_EACH_TAIL_SAFE (tail)
+    {
+      Lisp_Object flag = XCAR (tail);
+      if (EQ (flag, Qgnutls_pkcs_plain))
+	rv |= GNUTLS_PKCS_PLAIN;
+      else if (EQ (flag, Qgnutls_pkcs_pkcs12_3des))
+	rv |= GNUTLS_PKCS_PKCS12_3DES;
+      else if (EQ (flag, Qgnutls_pkcs_pkcs12_arcfour))
+	rv |= GNUTLS_PKCS_PKCS12_ARCFOUR;
+      else if (EQ (flag, Qgnutls_pkcs_pkcs12_rc2_40))
+	rv |= GNUTLS_PKCS_PKCS12_RC2_40;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_3des))
+	rv |= GNUTLS_PKCS_PBES2_3DES;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_aes_128))
+	rv |= GNUTLS_PKCS_PBES2_AES_128;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_aes_192))
+	rv |= GNUTLS_PKCS_PBES2_AES_192;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_aes_256))
+	rv |= GNUTLS_PKCS_PBES2_AES_256;
+      else if (EQ (flag, Qgnutls_pkcs_null_password))
+	rv |= GNUTLS_PKCS_NULL_PASSWORD;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_des))
+	rv |= GNUTLS_PKCS_PBES2_DES;
+      else if (EQ (flag, Qgnutls_pkcs_pbes1_des_md5))
+	rv |= GNUTLS_PKCS_PBES1_DES_MD5;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_tc26z))
+	rv |= GNUTLS_PKCS_PBES2_GOST_TC26Z;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_cpa))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPA;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_cpb))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPB;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_cpc))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPC;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_cpd))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPD;
+    }
+  return rv;
+}
+
+#endif /* HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2 */
+
 DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
        doc: /* Initialize GnuTLS client for process PROC with TYPE+PROPLIST.
 Currently only client mode is supported.  Return a success/failure
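Review bot: key_file2_aux silently drops any element of :flags it does not recognize, so a misspelled symbol changes which PKCS encryption flags reach gnutls_certificate_set_x509_key_file2 without any diagnostic; add a final 'else' branch that signals, e.g. 'signal_error ("Unknown gnutls-boot :flags element", flag);', and put 'CHECK_LIST (flags);' before the loop so a non-list value is rejected instead of being treated as the empty list. Separately, the enumerators referenced here were added to gnutls_pkcs_encrypt_flags_t across several GnuTLS releases (the GOST and single-DES ones in the 3.6 series), while HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2 is defined from 3.2.0, so this block will not compile against an older GnuTLS that the guard accepts; guard the newer enumerators individually or raise the version threshold to match.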
@@ -1813,6 +1880,21 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 :complete-negotiation, if non-nil, will make negotiation complete
 before returning even on non-blocking sockets.
 
+:pass, the password of the private key as per GnuTLS'
+gnutls_certificate_set_x509_key_file2.  Specify as nil to have a NULL
+password.
+
+:flags, a list of symbols relating to :pass, each specifying a flag:
+GNUTLS_PKCS_PLAIN, GNUTLS_PKCS_PKCS12_3DES,
+GNUTLS_PKCS_PKCS12_ARCFOUR, GNUTLS_PKCS_PKCS12_RC2_40,
+GNUTLS_PKCS_PBES2_3DES, GNUTLS_PKCS_PBES2_AES_128,
+GNUTLS_PKCS_PBES2_AES_192, GNUTLS_PKCS_PBES2_AES_256,
+GNUTLS_PKCS_NULL_PASSWORD, GNUTLS_PKCS_PBES2_DES,
+GNUTLS_PKCS_PBES2_DES_MD5, GNUTLS_PKCS_PBES2_GOST_TC26Z,
+GNUTLS_PKCS_PBES2_GOST_CPA, GNUTLS_PKCS_PBES2_GOST_CPB,
+GNUTLS_PKCS_PBES2_GOST_CPC, GNUTLS_PKCS_PBES2_GOST_CPD.  If not
+specified, or if nil, the bitflag with value 0 is used.
+
 The debug level will be set for this process AND globally for GnuTLS.
 So if you set it higher or lower at any point, it affects global
 debugging.
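Review bot: the flag list in this docstring names GNUTLS_PKCS_PBES2_DES_MD5, but the symbol the code defines and matches is GNUTLS_PKCS_PBES1_DES_MD5 (see key_file2_aux and syms_of_gnutls), so a user who copies the documented name gets a flag that is silently ignored; change the docstring to GNUTLS_PKCS_PBES1_DES_MD5.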
@@ -1825,6 +1907,9 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 functions are used.  This function allocates resources which can only
 be deallocated by calling `gnutls-deinit' or by calling it again.
 
+The :pass and :flags keys are ignored with old versions of GnuTLS, and
+:flags is ignored if :pass is not specified.
+
 The callbacks alist can have a `verify' key, associated with a
 verification function (UNUSED).
 
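Review bot: "ignored with old versions of GnuTLS" leaves the caller no way to know that a password they supplied was dropped: on such a build the key goes to gnutls_certificate_set_x509_key_file without it, and an encrypted key then fails with a generic GnuTLS error rather than one that names the cause. Consider signalling an explicit error when :pass is non-nil and HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2 is not defined, and state in the docstring which GnuTLS version (3.2.0, per the define at the top of the file) is required.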
@@ -1842,12 +1927,15 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
   Lisp_Object global_init;
   char const *priority_string_ptr = "NORMAL"; /* default priority string.  */
   char *c_hostname;
+  const char *c_pass;
 
   /* Placeholders for the property list elements.  */
   Lisp_Object priority_string;
   Lisp_Object trustfiles;
   Lisp_Object crlfiles;
   Lisp_Object keylist;
+  Lisp_Object pass;
+  Lisp_Object flags;
   /* Lisp_Object callbacks; */
   Lisp_Object loglevel;
   Lisp_Object hostname;
@@ -1877,6 +1965,13 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
   crlfiles              = plist_get (proplist, QCcrlfiles);
   loglevel              = plist_get (proplist, QCloglevel);
   prime_bits            = plist_get (proplist, QCmin_prime_bits);
+  pass                  = plist_get (proplist, QCpass);
+  flags                 = plist_get (proplist, QCflags);
+
+  if (STRINGP (pass))
+    c_pass = SSDATA (pass);
+  else
+    c_pass = NULL;
 
   if (!STRINGP (hostname))
     {
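Review bot: c_pass and flags are assigned here unconditionally but only read inside the HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2 block further down, so a build against an older GnuTLS gets set-but-unused warnings for both; either move these declarations and assignments under the same guard or annotate them as unused. Also, SSDATA (pass) hands GnuTLS the bytes of Emacs's internal string representation; if non-ASCII passwords are meant to work, decide on an encoding and apply it here, as is done for the other strings this function passes to GnuTLS.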
@@ -2037,6 +2132,13 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 # ifdef WINDOWSNT
 	      keyfile = ansi_encode_filename (keyfile);
 	      certfile = ansi_encode_filename (certfile);
+# endif
+# ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+	      if (plist_member (proplist, QCpass))
+		ret = gnutls_certificate_set_x509_key_file2
+		  (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format,
+		   c_pass, key_file2_aux (flags));
+	      else
 # endif
 	      ret = gnutls_certificate_set_x509_key_file
 		(x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
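Review bot: 'if (plist_member (proplist, QCpass))' tests a Lisp_Object directly, which does not compile when Lisp_Object is a struct (--enable-checking=structs) and otherwise relies on nil's bit pattern; use '!NILP (plist_member (proplist, QCpass))'. The test is also re-evaluated for every :keylist entry although its result cannot change, so compute it once next to c_pass (e.g. 'bool have_pass = !NILP (plist_member (proplist, QCpass));') and test that here. With those two changes the single _file call after '# endif' is the right shape: one copy of the fallback, as discussed above.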
@@ -2860,8 +2962,26 @@ syms_of_gnutls (void)
   DEFSYM (QCmin_prime_bits, ":min-prime-bits");
   DEFSYM (QCloglevel, ":loglevel");
   DEFSYM (QCcomplete_negotiation, ":complete-negotiation");
+  DEFSYM (QCpass, ":pass");
+  DEFSYM (QCflags, ":flags");
   DEFSYM (QCverify_flags, ":verify-flags");
   DEFSYM (QCverify_error, ":verify-error");
+  DEFSYM (Qgnutls_pkcs_plain, "GNUTLS_PKCS_PLAIN");
+  DEFSYM (Qgnutls_pkcs_pkcs12_3des, "GNUTLS_PKCS_PKCS12_3DES");
+  DEFSYM (Qgnutls_pkcs_pkcs12_arcfour, "GNUTLS_PKCS_PKCS12_ARCFOUR");
+  DEFSYM (Qgnutls_pkcs_pkcs12_rc2_40, "GNUTLS_PKCS_PKCS12_RC2_40");
+  DEFSYM (Qgnutls_pkcs_pbes2_3des, "GNUTLS_PKCS_PBES2_3DES");
+  DEFSYM (Qgnutls_pkcs_pbes2_aes_128, "GNUTLS_PKCS_PBES2_AES_128");
+  DEFSYM (Qgnutls_pkcs_pbes2_aes_192, "GNUTLS_PKCS_PBES2_AES_192");
+  DEFSYM (Qgnutls_pkcs_pbes2_aes_256, "GNUTLS_PKCS_PBES2_AES_256");
+  DEFSYM (Qgnutls_pkcs_null_password, "GNUTLS_PKCS_NULL_PASSWORD");
+  DEFSYM (Qgnutls_pkcs_pbes2_des, "GNUTLS_PKCS_PBES2_DES");
+  DEFSYM (Qgnutls_pkcs_pbes1_des_md5, "GNUTLS_PKCS_PBES1_DES_MD5");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_tc26z, "GNUTLS_PKCS_PBES2_GOST_TC26Z");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpa, "GNUTLS_PKCS_PBES2_GOST_CPA");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpb, "GNUTLS_PKCS_PBES2_GOST_CPB");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpc, "GNUTLS_PKCS_PBES2_GOST_CPC");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpd, "GNUTLS_PKCS_PBES2_GOST_CPD");
 
   DEFSYM (QCcipher_id, ":cipher-id");
   DEFSYM (QCcipher_aead_capable, ":cipher-aead-capable");
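Review bot: these Lisp-visible symbol names copy the C enumerators verbatim in upper case (GNUTLS_PKCS_PLAIN and so on), unlike every other symbol defined around them, which is lower-case and hyphenated (:cipher-id, :verify-flags); consider lower-case names such as gnutls-pkcs-plain, or at least accept both spellings. The DEFSYMs are also unconditional while key_file2_aux exists only under HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2, which is harmless but means the symbols are interned on builds where giving them in :flags does nothing.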
-- 
2.37.3



* bug#50507: New function in Emacs GnuTLS implementation
  2022-10-03 13:00                                               ` Nikolaos Chatzikonstantinou
@ 2022-10-03 13:19                                                 ` Robert Pluim
  2022-10-05 14:20                                                   ` Nikolaos Chatzikonstantinou
  2022-12-23 15:46                                                   ` Nikolaos Chatzikonstantinou
  0 siblings, 2 replies; 47+ messages in thread
From: Robert Pluim @ 2022-10-03 13:19 UTC (permalink / raw)
  To: Nikolaos Chatzikonstantinou; +Cc: 50507, Eli Zaretskii, larsi

>>>>> On Mon, 3 Oct 2022 09:00:26 -0400, Nikolaos Chatzikonstantinou <nchatz314@gmail.com> said:

    Nikolaos> Okay then, I have the fixed patch here.

Thanks, no further comment from me, I guess weʼre waiting on the
paperwork now.

Regards

Robert

* bug#50507: New function in Emacs GnuTLS implementation
  2022-10-03 13:19                                                 ` Robert Pluim
@ 2022-10-05 14:20                                                   ` Nikolaos Chatzikonstantinou
  2022-12-23 15:46                                                   ` Nikolaos Chatzikonstantinou
  1 sibling, 0 replies; 47+ messages in thread
From: Nikolaos Chatzikonstantinou @ 2022-10-05 14:20 UTC (permalink / raw)
  To: Robert Pluim; +Cc: 50507, Eli Zaretskii, larsi

On Mon, Oct 3, 2022 at 9:19 AM Robert Pluim <rpluim@gmail.com> wrote:
>
> >>>>> On Mon, 3 Oct 2022 09:00:26 -0400, Nikolaos Chatzikonstantinou <nchatz314@gmail.com> said:
>
>     Nikolaos> Okay then, I have the fixed patch here.
>
> Thanks, no further comment from me, I guess weʼre waiting on the
> paperwork now.

Alas I hit a snag with the paperwork, so it will have to wait a few months...






* bug#50507: New function in Emacs GnuTLS implementation
  2022-10-03 13:19                                                 ` Robert Pluim
  2022-10-05 14:20                                                   ` Nikolaos Chatzikonstantinou
@ 2022-12-23 15:46                                                   ` Nikolaos Chatzikonstantinou
  2022-12-29  9:01                                                     ` Eli Zaretskii
  1 sibling, 1 reply; 47+ messages in thread
From: Nikolaos Chatzikonstantinou @ 2022-12-23 15:46 UTC (permalink / raw)
  To: Robert Pluim; +Cc: 50507, Eli Zaretskii, larsi

On Mon, Oct 3, 2022 at 4:19 PM Robert Pluim <rpluim@gmail.com> wrote:
>
> >>>>> On Mon, 3 Oct 2022 09:00:26 -0400, Nikolaos Chatzikonstantinou <nchatz314@gmail.com> said:
>
>     Nikolaos> Okay then, I have the fixed patch here.
>
> Thanks, no further comment from me, I guess weʼre waiting on the
> paperwork now.

The assignment was signed and accepted and now you can proceed with the patch.

Regards,
Nikolaos Chatzikonstantinou






* bug#50507: New function in Emacs GnuTLS implementation
  2022-12-23 15:46                                                   ` Nikolaos Chatzikonstantinou
@ 2022-12-29  9:01                                                     ` Eli Zaretskii
  2022-12-29 17:03                                                       ` Robert Pluim
  0 siblings, 1 reply; 47+ messages in thread
From: Eli Zaretskii @ 2022-12-29  9:01 UTC (permalink / raw)
  To: Nikolaos Chatzikonstantinou; +Cc: 50507, rpluim, larsi

> From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
> Date: Fri, 23 Dec 2022 17:46:15 +0200
> Cc: 50507@debbugs.gnu.org, Eli Zaretskii <eliz@gnu.org>, larsi@gnus.org
> 
> On Mon, Oct 3, 2022 at 4:19 PM Robert Pluim <rpluim@gmail.com> wrote:
> >
> > >>>>> On Mon, 3 Oct 2022 09:00:26 -0400, Nikolaos Chatzikonstantinou <nchatz314@gmail.com> said:
> >
> >     Nikolaos> Okay then, I have the fixed patch here.
> >
> > Thanks, no further comment from me, I guess weʼre waiting on the
> > paperwork now.
> 
> The assignment was signed and accepted and now you can proceed with the patch.

Robert, are you going to take care of this, or should I do it?

Thanks.


* bug#50507: New function in Emacs GnuTLS implementation
  2022-12-29  9:01                                                     ` Eli Zaretskii
@ 2022-12-29 17:03                                                       ` Robert Pluim
  2022-12-29 17:18                                                         ` Eli Zaretskii
  0 siblings, 1 reply; 47+ messages in thread
From: Robert Pluim @ 2022-12-29 17:03 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 50507, Nikolaos Chatzikonstantinou, Lars Magne Ingebrigtsen

On Thu, Dec 29, 2022, 10:00 Eli Zaretskii <eliz@gnu.org> wrote:

> > From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
> > Date: Fri, 23 Dec 2022 17:46:15 +0200
> > Cc: 50507@debbugs.gnu.org, Eli Zaretskii <eliz@gnu.org>, larsi@gnus.org
> >
> > On Mon, Oct 3, 2022 at 4:19 PM Robert Pluim <rpluim@gmail.com> wrote:
> > >
> > > >>>>> On Mon, 3 Oct 2022 09:00:26 -0400, Nikolaos Chatzikonstantinou <
> nchatz314@gmail.com> said:
> > >
> > >     Nikolaos> Okay then, I have the fixed patch here.
> > >
> > > Thanks, no further comment from me, I guess weʼre waiting on the
> > > paperwork now.
> >
> > The assignment was signed and accepted and now you can proceed with the
> patch.
>
> Robert, are you going to take care of this, or should I do it?
>
> Thanks.
>


Hi Eli,

I can get to it tomorrow. For master I presume?

Thanks

Robert


* bug#50507: New function in Emacs GnuTLS implementation
  2022-12-29 17:03                                                       ` Robert Pluim
@ 2022-12-29 17:18                                                         ` Eli Zaretskii
  2022-12-30 16:41                                                           ` Robert Pluim
  0 siblings, 1 reply; 47+ messages in thread
From: Eli Zaretskii @ 2022-12-29 17:18 UTC (permalink / raw)
  To: Robert Pluim; +Cc: 50507, nchatz314, larsi

> From: Robert Pluim <rpluim@gmail.com>
> Date: Thu, 29 Dec 2022 18:03:25 +0100
> Cc: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>, 50507@debbugs.gnu.org, 
> 	Lars Magne Ingebrigtsen <larsi@gnus.org>
> 
> I can get to it tomorrow.

Sure, there's no rush.

> For master I presume?

Yes, thanks.


* bug#50507: New function in Emacs GnuTLS implementation
  2022-12-29 17:18                                                         ` Eli Zaretskii
@ 2022-12-30 16:41                                                           ` Robert Pluim
  2022-12-31  7:33                                                             ` Eli Zaretskii
  0 siblings, 1 reply; 47+ messages in thread
From: Robert Pluim @ 2022-12-30 16:41 UTC (permalink / raw)
  To: nchatz314; +Cc: 50507, Eli Zaretskii, larsi

tags 50507 fixed
close 50507 30.1
quit

Done (with a very minor change to the commit message: I added the bug
number).

I tested with and without GnuTLS builds on GNU/Linux. The MS-Windows
changes looked sane, but I didnʼt test those.

Thanks for this.

Closing.
Committed as e9983b1b635


* bug#50507: New function in Emacs GnuTLS implementation
  2021-09-10 10:39 bug#50507: New function in Emacs GnuTLS implementation Nikolaos Chatzikonstantinou
  2021-09-10 12:39 ` Eli Zaretskii
@ 2022-12-30 20:45 ` Mattias Engdegård
  2022-12-30 22:59   ` Nikolaos Chatzikonstantinou
  2022-12-31  7:25   ` Eli Zaretskii
  1 sibling, 2 replies; 47+ messages in thread
From: Mattias Engdegård @ 2022-12-30 20:45 UTC (permalink / raw)
  To: Nikolaos Chatzikonstantinou; +Cc: 50507, Robert Pluim, Eli Zaretskii

After e9983b1b63, the build of master fails on emba.gnu.org which perhaps uses a slightly older gnutls. Errors below.

CC       gnutls.o
gnutls.c: In function 'key_file2_aux':
gnutls.c:1829:8: error: 'GNUTLS_PKCS_PBES2_GOST_TC26Z' undeclared (first use in this function)
  rv |= GNUTLS_PKCS_PBES2_GOST_TC26Z;
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
gnutls.c:1829:8: note: each undeclared identifier is reported only once for each function it appears in
gnutls.c:1831:8: error: 'GNUTLS_PKCS_PBES2_GOST_CPA' undeclared (first use in this function)
  rv |= GNUTLS_PKCS_PBES2_GOST_CPA;
        ^~~~~~~~~~~~~~~~~~~~~~~~~~
gnutls.c:1833:8: error: 'GNUTLS_PKCS_PBES2_GOST_CPB' undeclared (first use in this function)
  rv |= GNUTLS_PKCS_PBES2_GOST_CPB;
        ^~~~~~~~~~~~~~~~~~~~~~~~~~
gnutls.c:1835:8: error: 'GNUTLS_PKCS_PBES2_GOST_CPC' undeclared (first use in this function)
  rv |= GNUTLS_PKCS_PBES2_GOST_CPC;
        ^~~~~~~~~~~~~~~~~~~~~~~~~~
gnutls.c:1837:8: error: 'GNUTLS_PKCS_PBES2_GOST_CPD' undeclared (first use in this function)
  rv |= GNUTLS_PKCS_PBES2_GOST_CPD;
        ^~~~~~~~~~~~~~~~~~~~~~~~~~


* bug#50507: New function in Emacs GnuTLS implementation
  2022-12-30 20:45 ` Mattias Engdegård
@ 2022-12-30 22:59   ` Nikolaos Chatzikonstantinou
  2022-12-31  7:28     ` Eli Zaretskii
  2022-12-31  7:25   ` Eli Zaretskii
  1 sibling, 1 reply; 47+ messages in thread
From: Nikolaos Chatzikonstantinou @ 2022-12-30 22:59 UTC (permalink / raw)
  To: Mattias Engdegård; +Cc: 50507, Robert Pluim, Eli Zaretskii


> On 30 Dec 2022, at 10:45 PM, Mattias Engdegård <mattias.engdegard@gmail.com> wrote:
> 
> After e9983b1b63, the build of master fails on emba.gnu.org which perhaps uses a slightly older gnutls. Errors below.
> 
> CC       gnutls.o
> gnutls.c: In function 'key_file2_aux':
> gnutls.c:1829:8: error: 'GNUTLS_PKCS_PBES2_GOST_TC26Z' undeclared (first use in this function)
>  rv |= GNUTLS_PKCS_PBES2_GOST_TC26Z;
>        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
> gnutls.c:1829:8: note: each undeclared identifier is reported only once for each function it appears in
> gnutls.c:1831:8: error: 'GNUTLS_PKCS_PBES2_GOST_CPA' undeclared (first use in this function)
>  rv |= GNUTLS_PKCS_PBES2_GOST_CPA;
>        ^~~~~~~~~~~~~~~~~~~~~~~~~~
> gnutls.c:1833:8: error: 'GNUTLS_PKCS_PBES2_GOST_CPB' undeclared (first use in this function)
>  rv |= GNUTLS_PKCS_PBES2_GOST_CPB;
>        ^~~~~~~~~~~~~~~~~~~~~~~~~~
> gnutls.c:1835:8: error: 'GNUTLS_PKCS_PBES2_GOST_CPC' undeclared (first use in this function)
>  rv |= GNUTLS_PKCS_PBES2_GOST_CPC;
>        ^~~~~~~~~~~~~~~~~~~~~~~~~~
> gnutls.c:1837:8: error: 'GNUTLS_PKCS_PBES2_GOST_CPD' undeclared (first use in this function)
>  rv |= GNUTLS_PKCS_PBES2_GOST_CPD;
>        ^~~~~~~~~~~~~~~~~~~~~~~~~~
> 

I can work on this tomorrow and fix it. I think it needs preprocessor guards on the version.

Regards,
Nikolaos Chatzikonstantinou


* bug#50507: New function in Emacs GnuTLS implementation
  2022-12-30 20:45 ` Mattias Engdegård
  2022-12-30 22:59   ` Nikolaos Chatzikonstantinou
@ 2022-12-31  7:25   ` Eli Zaretskii
  2022-12-31  8:58     ` Colin Baxter
  2022-12-31  9:44     ` Mattias Engdegård
  1 sibling, 2 replies; 47+ messages in thread
From: Eli Zaretskii @ 2022-12-31  7:25 UTC (permalink / raw)
  To: Mattias Engdegård; +Cc: 50507, nchatz314, rpluim

> From: Mattias Engdegård <mattias.engdegard@gmail.com>
> Date: Fri, 30 Dec 2022 21:45:10 +0100
> Cc: 50507@debbugs.gnu.org,
>  Robert Pluim <rpluim@gmail.com>,
>  Eli Zaretskii <eliz@gnu.org>
> 
> After e9983b1b63, the build of master fails on emba.gnu.org which perhaps uses a slightly older gnutls. Errors below.

Thanks, should be fixed now.


* bug#50507: New function in Emacs GnuTLS implementation
  2022-12-30 22:59   ` Nikolaos Chatzikonstantinou
@ 2022-12-31  7:28     ` Eli Zaretskii
  0 siblings, 0 replies; 47+ messages in thread
From: Eli Zaretskii @ 2022-12-31  7:28 UTC (permalink / raw)
  To: Nikolaos Chatzikonstantinou; +Cc: 50507, mattias.engdegard, rpluim

> From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
> Date: Sat, 31 Dec 2022 00:59:09 +0200
> Cc: 50507@debbugs.gnu.org, Robert Pluim <rpluim@gmail.com>,
>  Eli Zaretskii <eliz@gnu.org>
> 
> > gnutls.c:1837:8: error: 'GNUTLS_PKCS_PBES2_GOST_CPD' undeclared (first use in this function)
> >  rv |= GNUTLS_PKCS_PBES2_GOST_CPD;
> >        ^~~~~~~~~~~~~~~~~~~~~~~~~~
> > 
> 
> I can work on this tomorrow and fix it. I think it needs preprocessor guards on the version.

Since GnuTLS's documentation doesn't bother specifying when these
constants were introduced (some in 3.5.x, some in 3.6.x), I preferred
to condition the use of each constant by its being defined, instead of
conditioning on versions.
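The per-identifier `#ifdef` approach described in this message (and the version-guard idea Nikolaos raised in his earlier reply) can be shown in a small stand-alone program. This is an added illustration, not the Emacs `key_file2_aux` code or anything from GnuTLS; the function names `pkcs_flag_lookup` and `pkcs_flags_combine`, the scheme names in the table and the stand-in bit values used when `HAVE_GNUTLS` is not defined are all assumptions made for this example (the real values live in GnuTLS's `<gnutls/x509.h>`). Two points matter in practice: the guard only works for identifiers the headers expose to the preprocessor, which is what the fix above relies on, and a scheme that is missing from the build should make the caller fail rather than quietly encrypt the key with whatever schemes remain.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef HAVE_GNUTLS
/* Real build: the scheme identifiers come from GnuTLS itself. */
# include <gnutls/gnutls.h>
# include <gnutls/x509.h>
#else
/* Constructed stand-in for an OLD GnuTLS header, so the example compiles
   without GnuTLS installed: the classic PBES2 schemes exist, the GOST
   ones (added in later releases) do not.  The bit values are placeholders
   for this demo, not GnuTLS's real definitions. */
# define GNUTLS_PKCS_PLAIN          (1u << 0)
# define GNUTLS_PKCS_PBES2_AES_128  (1u << 5)
# define GNUTLS_PKCS_PBES2_AES_256  (1u << 7)
#endif

struct pkcs_flag { const char *name; unsigned int value; };

/* Name-to-flag table.  Each row is wrapped in #ifdef so the file compiles
   against any GnuTLS version: an identifier the installed headers lack
   simply has no row instead of breaking the build (the error Mattias
   reported).  Note this only works for identifiers GnuTLS exposes as
   preprocessor macros; a bare enumerator is invisible to #ifdef. */
static const struct pkcs_flag pkcs_flag_table[] = {
#ifdef GNUTLS_PKCS_PLAIN
  { "plain",            GNUTLS_PKCS_PLAIN },
#endif
#ifdef GNUTLS_PKCS_PBES2_AES_128
  { "pbes2-aes-128",    GNUTLS_PKCS_PBES2_AES_128 },
#endif
#ifdef GNUTLS_PKCS_PBES2_AES_256
  { "pbes2-aes-256",    GNUTLS_PKCS_PBES2_AES_256 },
#endif
#ifdef GNUTLS_PKCS_PBES2_GOST_TC26Z
  { "pbes2-gost-tc26z", GNUTLS_PKCS_PBES2_GOST_TC26Z },
#endif
#ifdef GNUTLS_PKCS_PBES2_GOST_CPA
  { "pbes2-gost-cpa",   GNUTLS_PKCS_PBES2_GOST_CPA },
#endif
#ifdef GNUTLS_PKCS_PBES2_GOST_CPB
  { "pbes2-gost-cpb",   GNUTLS_PKCS_PBES2_GOST_CPB },
#endif
#ifdef GNUTLS_PKCS_PBES2_GOST_CPC
  { "pbes2-gost-cpc",   GNUTLS_PKCS_PBES2_GOST_CPC },
#endif
#ifdef GNUTLS_PKCS_PBES2_GOST_CPD
  { "pbes2-gost-cpd",   GNUTLS_PKCS_PBES2_GOST_CPD },
#endif
};

/* Look up one scheme name (hypothetical helper).  Returns true and stores
   the flag bit when the scheme is compiled in, false when this GnuTLS
   build has no such scheme. */
bool pkcs_flag_lookup (const char *name, unsigned int *out)
{
  size_t n = sizeof pkcs_flag_table / sizeof pkcs_flag_table[0];
  for (size_t i = 0; i < n; i++)
    if (strcmp (pkcs_flag_table[i].name, name) == 0)
      {
        *out = pkcs_flag_table[i].value;
        return true;
      }
  return false;
}

/* OR together the flags for a list of names (hypothetical helper).  Fails
   closed: if any name is unknown or unavailable, no flag word is produced
   and *missing names the offender, so the caller can refuse instead of
   quietly protecting the key with a different scheme than requested. */
bool pkcs_flags_combine (const char *const *names, size_t count,
                         unsigned int *out, const char **missing)
{
  unsigned int rv = 0;
  for (size_t i = 0; i < count; i++)
    {
      unsigned int bit;
      if (!pkcs_flag_lookup (names[i], &bit))
        {
          *missing = names[i];
          return false;
        }
      rv |= bit;
    }
  *out = rv;
  return true;
}

int main (void)
{
  /* Constructed request: one scheme every GnuTLS has, one only newer
     releases have.  Without HAVE_GNUTLS this reports the GOST scheme as
     unavailable rather than returning a partial flag word. */
  const char *want[] = { "pbes2-aes-256", "pbes2-gost-tc26z" };
  unsigned int flags;
  const char *missing = NULL;
  if (pkcs_flags_combine (want, 2, &flags, &missing))
    printf ("flags = 0x%x\n", flags);
  else
    printf ("scheme %s is not available in this GnuTLS build\n", missing);
  return 0;
}
```

Compile with `-DHAVE_GNUTLS` and link against GnuTLS to use the real identifiers; on a GnuTLS new enough to have the GOST schemes the table gains those rows automatically, with no version arithmetic involved.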

* bug#50507: New function in Emacs GnuTLS implementation
  2022-12-30 16:41                                                           ` Robert Pluim
@ 2022-12-31  7:33                                                             ` Eli Zaretskii
  2023-01-02 10:24                                                               ` Robert Pluim
  0 siblings, 1 reply; 47+ messages in thread
From: Eli Zaretskii @ 2022-12-31  7:33 UTC (permalink / raw)
  To: Robert Pluim; +Cc: 50507, nchatz314, larsi

> From: Robert Pluim <rpluim@gmail.com>
> Cc: 50507@debbugs.gnu.org, Eli Zaretskii <eliz@gnu.org> ,  larsi@gnus.org
> Date: Fri, 30 Dec 2022 17:41:58 +0100
> 
> Done (with a very minor change to the commit message: I added the bug
> number).
> 
> I tested with and without GnuTLS builds on GNU/Linux. The MS-Windows
> changes looked sane, but I didnʼt test those.

Thanks, the basic HTTPS connectivity seems to work on MS-Windows after
the change.  Are there any special tests of the new functionality I
should try?  There aren't any tests for this in the test suite,
AFAICT.


* bug#50507: New function in Emacs GnuTLS implementation
  2022-12-31  7:25   ` Eli Zaretskii
@ 2022-12-31  8:58     ` Colin Baxter
  2022-12-31  9:44     ` Mattias Engdegård
  1 sibling, 0 replies; 47+ messages in thread
From: Colin Baxter @ 2022-12-31  8:58 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 50507, Mattias Engdegård, nchatz314, rpluim

>>>>> Eli Zaretskii <eliz@gnu.org> writes:

    >> From: Mattias Engdegård <mattias.engdegard@gmail.com> Date: Fri,
    >> 30 Dec 2022 21:45:10 +0100 Cc: 50507@debbugs.gnu.org, Robert
    >> Pluim <rpluim@gmail.com>, Eli Zaretskii <eliz@gnu.org>
    >> 
    >> After e9983b1b63, the build of master fails on emba.gnu.org which
    >> perhaps uses a slightly older gnutls. Errors below.

    > Thanks, should be fixed now.

It is. Thank you.

Best wishes,



* bug#50507: New function in Emacs GnuTLS implementation
  2022-12-31  7:25   ` Eli Zaretskii
  2022-12-31  8:58     ` Colin Baxter
@ 2022-12-31  9:44     ` Mattias Engdegård
  1 sibling, 0 replies; 47+ messages in thread
From: Mattias Engdegård @ 2022-12-31  9:44 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 50507, nchatz314, rpluim

31 dec. 2022 kl. 08.25 skrev Eli Zaretskii <eliz@gnu.org>:

> Thanks, should be fixed now.

Good -- emba.gnu.org seems happy.


* bug#50507: New function in Emacs GnuTLS implementation
  2022-12-31  7:33                                                             ` Eli Zaretskii
@ 2023-01-02 10:24                                                               ` Robert Pluim
  0 siblings, 0 replies; 47+ messages in thread
From: Robert Pluim @ 2023-01-02 10:24 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 50507, nchatz314, larsi

>>>>> On Sat, 31 Dec 2022 09:33:20 +0200, Eli Zaretskii <eliz@gnu.org> said:

    >> From: Robert Pluim <rpluim@gmail.com>
    >> Cc: 50507@debbugs.gnu.org, Eli Zaretskii <eliz@gnu.org> ,  larsi@gnus.org
    >> Date: Fri, 30 Dec 2022 17:41:58 +0100
    >> 
    >> Done (with a very minor change to the commit message: I added the bug
    >> number).
    >> 
    >> I tested with and without GnuTLS builds on GNU/Linux. The MS-Windows
    >> changes looked sane, but I didnʼt test those.

    Eli> Thanks, the basic HTTPS connectivity seems to work on MS-Windows after
    Eli> the change.  Are there any special tests of the new functionality I
    Eli> should try?  There aren't any tests for this in the test suite,
    Eli> AFAICT.

There are no tests for TLS connections with client side certificates
at all, let alone password protected ones. They must work, nobody has
ever complained about them 😺

Robert
-- 
