From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
To: Robert Pluim <rpluim@gmail.com>
Cc: 50507@debbugs.gnu.org, Eli Zaretskii <eliz@gnu.org>, larsi@gnus.org
Subject: bug#50507: New function in Emacs GnuTLS implementation
Date: Fri, 30 Sep 2022 12:22:16 -0400 [thread overview]
Message-ID: <CAAQmekcUZ2tvUS8jUoG=0vn_sqyjOvF1mHBkbRRJy+46tCPcRw@mail.gmail.com> (raw)
In-Reply-To: <87a66haq6n.fsf@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2668 bytes --]
On Fri, Sep 30, 2022 at 10:32 AM Robert Pluim <rpluim@gmail.com> wrote:
>
> >>>>> On Fri, 30 Sep 2022 09:49:30 -0400, Nikolaos Chatzikonstantinou <nchatz314@gmail.com> said:
> Nikolaos> +static unsigned int
> Nikolaos> +key_file2_aux (Lisp_Object flags)
> Nikolaos> +{
> Nikolaos> + unsigned int rv = 0;
> Nikolaos> + Lisp_Object tail = flags;
> Nikolaos> + FOR_EACH_TAIL_SAFE (tail)
> Nikolaos> + {
> Nikolaos> + Lisp_Object flag = XCAR (tail);
> Nikolaos> + if (EQ (flag, Qgnutls_pkcs_plain))
> Nikolaos> + rv |= GNUTLS_PKCS_PLAIN;
> Nikolaos> + else if(EQ (flag, Qgnutls_pkcs_pkcs12_3des))
>
> Space after 'if' here and in the rest of the function
>
> Nikolaos> +# ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
> Nikolaos> + if (STRINGP (pass))
> Nikolaos> + ret = gnutls_certificate_set_x509_key_file2
> Nikolaos> + (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format,
> Nikolaos> + SSDATA (pass), key_file2_aux (flags));
> Nikolaos> + else if (NILP (pass) && plist_member (proplist, QCpass))
> Nikolaos> + ret = gnutls_certificate_set_x509_key_file2
> Nikolaos> + (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format,
> Nikolaos> + NULL, key_file2_aux (flags));
> Nikolaos> + else
> Nikolaos> + ret = gnutls_certificate_set_x509_key_file
> Nikolaos> + (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
> Nikolaos> +# else
> Nikolaos> ret = gnutls_certificate_set_x509_key_file
> Nikolaos> (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
> Nikolaos> +# endif
>
> 2 minor points:
>
> - If you use an intermediate variable for
> the C version of pass, you can set it correctly based on `plist_member'
> etc, and only have one call to _file2 (as it is itʼs kind of
> difficult to quickly see the difference between the two calls)
> - I think you can then rework the #else/#endif here to avoid repetition of
> the call to the _file variant
Thanks, I worked those out too, save for the last point you made. Do
you mean this sort of thing:
#if COND
if (something)
foo();
else
bar();
#else
bar();
#endif
To be rewritten as
#if COND
if (something)
foo();
else
#endif
bar();
Because in this case, I don't trust that kind of code to survive the
test of time. Someone may come along and break it by modifying the
bar() line, and it might be a sneaky bug. It's not easy to tell.
[-- Attachment #2: 0001-add-pass-and-flags-to-gnutls-boot-for-keylist.patch --]
[-- Type: text/x-patch, Size: 11594 bytes --]
From 79682db52a825c52403cc671c5d84a0c6460cdf5 Mon Sep 17 00:00:00 2001
From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
Date: Mon, 26 Sep 2022 11:08:18 -0400
Subject: [PATCH] add :pass and :flags to gnutls-boot for :keylist
* lisp/net/gnutls.el (gnutls-boot-parameters): Add the keys :pass and
:flags, and update the documentation.
* src/gnutls.c (gnutls-boot): Add the keys :pass and :flags, and
update the documentation.
(syms_of_gnutls): Add the symbols :pass, :flags, and the symbols that
correspond to the enumeration constants of the GnuTLS enum
`gnutls_pkcs_encrypt_flags_t`.
(key_file2_aux): Private helper function that translates a list of
symbols to its corresponding `unsigned int` value of the GnuTLS C enum
`gnutls_pkcs_encrypt_flags_t`.
---
lisp/net/gnutls.el | 10 ++++
src/gnutls.c | 123 +++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 133 insertions(+)
diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 6e3845aec1..eef6559a95 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -265,6 +265,7 @@ gnutls-boot-parameters
&key type hostname priority-string
trustfiles crlfiles keylist min-prime-bits
verify-flags verify-error verify-hostname-error
+ pass flags
&allow-other-keys)
"Return a keyword list of parameters suitable for passing to `gnutls-boot'.
@@ -281,6 +282,13 @@ gnutls-boot-parameters
VERIFY-HOSTNAME-ERROR is a backwards compatibility option for
putting `:hostname' in VERIFY-ERROR.
+PASS is a string, the password of the key. It may also be nil,
+for a NULL password.
+
+FLAGS is a list of symbols corresponding to the equivalent ORed
+bitflag of the gnutls_pkcs_encrypt_flags_t enum of GnuTLS. The
+empty list corresponds to the bitflag with value 0.
+
When VERIFY-ERROR is t or a list containing `:trustfiles', an
error will be raised when the peer certificate verification fails
as per GnuTLS' gnutls_certificate_verify_peers2. Otherwise, only
@@ -358,6 +366,8 @@ gnutls-boot-parameters
:keylist ,keylist
:verify-flags ,verify-flags
:verify-error ,verify-error
+ :pass ,pass
+ :flags ,flags
:callbacks nil)))
(defun gnutls--get-files (files)
diff --git a/src/gnutls.c b/src/gnutls.c
index a0de0238c4..661a42b826 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -34,6 +34,7 @@
# endif
# if GNUTLS_VERSION_NUMBER >= 0x030200
+# define HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
# define HAVE_GNUTLS_CIPHER_GET_IV_SIZE
# endif
@@ -121,6 +122,11 @@ DEF_DLL_FN (int, gnutls_certificate_set_x509_crl_file,
DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file,
(gnutls_certificate_credentials_t, const char *, const char *,
gnutls_x509_crt_fmt_t));
+# ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file2,
+ (gnutls_certificate_credentials_t, const char *, const char *,
+ gnutls_x509_crt_fmt_t, const char *, unsigned int));
+# endif
# ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST
DEF_DLL_FN (int, gnutls_certificate_set_x509_system_trust,
(gnutls_certificate_credentials_t));
@@ -314,6 +320,9 @@ init_gnutls_functions (void)
LOAD_DLL_FN (library, gnutls_certificate_set_verify_flags);
LOAD_DLL_FN (library, gnutls_certificate_set_x509_crl_file);
LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file);
+# ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+ LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file2);
+# endif
# ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST
LOAD_DLL_FN (library, gnutls_certificate_set_x509_system_trust);
# endif
@@ -455,6 +464,9 @@ init_gnutls_functions (void)
# define gnutls_certificate_set_verify_flags fn_gnutls_certificate_set_verify_flags
# define gnutls_certificate_set_x509_crl_file fn_gnutls_certificate_set_x509_crl_file
# define gnutls_certificate_set_x509_key_file fn_gnutls_certificate_set_x509_key_file
+# ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+# define gnutls_certificate_set_x509_key_file2 fn_gnutls_certificate_set_x509_key_file2
+# endif
# define gnutls_certificate_set_x509_system_trust fn_gnutls_certificate_set_x509_system_trust
# define gnutls_certificate_set_x509_trust_file fn_gnutls_certificate_set_x509_trust_file
# define gnutls_certificate_type_get fn_gnutls_certificate_type_get
@@ -1774,6 +1786,61 @@ gnutls_verify_boot (Lisp_Object proc, Lisp_Object proplist)
return gnutls_make_error (ret);
}
+#ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+
+/* Helper function for gnutls-boot.
+
+ The key :flags receives a list of symbols, each of which
+ corresponds to a GnuTLS C flag, the ORed result is to be passed to
+ the function gnutls_certificate_set_x509_key_file2() as its last
+ argument.
+*/
+static unsigned int
+key_file2_aux (Lisp_Object flags)
+{
+ unsigned int rv = 0;
+ Lisp_Object tail = flags;
+ FOR_EACH_TAIL_SAFE (tail)
+ {
+ Lisp_Object flag = XCAR (tail);
+ if (EQ (flag, Qgnutls_pkcs_plain))
+ rv |= GNUTLS_PKCS_PLAIN;
+ else if (EQ (flag, Qgnutls_pkcs_pkcs12_3des))
+ rv |= GNUTLS_PKCS_PKCS12_3DES;
+ else if (EQ (flag, Qgnutls_pkcs_pkcs12_arcfour))
+ rv |= GNUTLS_PKCS_PKCS12_ARCFOUR;
+ else if (EQ (flag, Qgnutls_pkcs_pkcs12_rc2_40))
+ rv |= GNUTLS_PKCS_PKCS12_RC2_40;
+ else if (EQ (flag, Qgnutls_pkcs_pbes2_3des))
+ rv |= GNUTLS_PKCS_PBES2_3DES;
+ else if (EQ (flag, Qgnutls_pkcs_pbes2_aes_128))
+ rv |= GNUTLS_PKCS_PBES2_AES_128;
+ else if (EQ (flag, Qgnutls_pkcs_pbes2_aes_192))
+ rv |= GNUTLS_PKCS_PBES2_AES_192;
+ else if (EQ (flag, Qgnutls_pkcs_pbes2_aes_256))
+ rv |= GNUTLS_PKCS_PBES2_AES_256;
+ else if (EQ (flag, Qgnutls_pkcs_null_password))
+ rv |= GNUTLS_PKCS_NULL_PASSWORD;
+ else if (EQ (flag, Qgnutls_pkcs_pbes2_des))
+ rv |= GNUTLS_PKCS_PBES2_DES;
+ else if (EQ (flag, Qgnutls_pkcs_pbes1_des_md5))
+ rv |= GNUTLS_PKCS_PBES1_DES_MD5;
+ else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_tc26z))
+ rv |= GNUTLS_PKCS_PBES2_GOST_TC26Z;
+ else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_cpa))
+ rv |= GNUTLS_PKCS_PBES2_GOST_CPA;
+ else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_cpb))
+ rv |= GNUTLS_PKCS_PBES2_GOST_CPB;
+ else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_cpc))
+ rv |= GNUTLS_PKCS_PBES2_GOST_CPC;
+ else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_cpd))
+ rv |= GNUTLS_PKCS_PBES2_GOST_CPD;
+ }
+ return rv;
+}
+
+#endif /* HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2 */
+
DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
doc: /* Initialize GnuTLS client for process PROC with TYPE+PROPLIST.
Currently only client mode is supported. Return a success/failure
@@ -1813,6 +1880,21 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
:complete-negotiation, if non-nil, will make negotiation complete
before returning even on non-blocking sockets.
+:pass, the password of the private key as per GnuTLS'
+gnutls_certificate_set_x509_key_file2. Specify as nil to have a NULL
+password.
+
+:flags, a list of symbols relating to :pass, each specifying a flag:
+GNUTLS_PKCS_PLAIN, GNUTLS_PKCS_PKCS12_3DES,
+GNUTLS_PKCS_PKCS12_ARCFOUR, GNUTLS_PKCS_PKCS12_RC2_40,
+GNUTLS_PKCS_PBES2_3DES, GNUTLS_PKCS_PBES2_AES_128,
+GNUTLS_PKCS_PBES2_AES_192, GNUTLS_PKCS_PBES2_AES_256,
+GNUTLS_PKCS_NULL_PASSWORD, GNUTLS_PKCS_PBES2_DES,
+GNUTLS_PKCS_PBES2_DES_MD5, GNUTLS_PKCS_PBES2_GOST_TC26Z,
+GNUTLS_PKCS_PBES2_GOST_CPA, GNUTLS_PKCS_PBES2_GOST_CPB,
+GNUTLS_PKCS_PBES2_GOST_CPC, GNUTLS_PKCS_PBES2_GOST_CPD. If not
+specified, or if nil, the bitflag with value 0 is used.
+
The debug level will be set for this process AND globally for GnuTLS.
So if you set it higher or lower at any point, it affects global
debugging.
@@ -1825,6 +1907,9 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
functions are used. This function allocates resources which can only
be deallocated by calling `gnutls-deinit' or by calling it again.
+The :pass and :flags keys are ignored with old versions of GnuTLS, and
+:flags is ignored if :pass is not specified.
+
The callbacks alist can have a `verify' key, associated with a
verification function (UNUSED).
@@ -1842,12 +1927,15 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
Lisp_Object global_init;
char const *priority_string_ptr = "NORMAL"; /* default priority string. */
char *c_hostname;
+ const char *c_pass;
/* Placeholders for the property list elements. */
Lisp_Object priority_string;
Lisp_Object trustfiles;
Lisp_Object crlfiles;
Lisp_Object keylist;
+ Lisp_Object pass;
+ Lisp_Object flags;
/* Lisp_Object callbacks; */
Lisp_Object loglevel;
Lisp_Object hostname;
@@ -1877,6 +1965,13 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
crlfiles = plist_get (proplist, QCcrlfiles);
loglevel = plist_get (proplist, QCloglevel);
prime_bits = plist_get (proplist, QCmin_prime_bits);
+ pass = plist_get (proplist, QCpass);
+ flags = plist_get (proplist, QCflags);
+
+ if (STRINGP (pass))
+ c_pass = SSDATA (pass);
+ else
+ c_pass = NULL;
if (!STRINGP (hostname))
{
@@ -2038,8 +2133,18 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
keyfile = ansi_encode_filename (keyfile);
certfile = ansi_encode_filename (certfile);
# endif
+# ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+ if (plist_member (proplist, QCpass))
+ ret = gnutls_certificate_set_x509_key_file2
+ (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format,
+ c_pass, key_file2_aux (flags));
+ else
+ ret = gnutls_certificate_set_x509_key_file
+ (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
+# else
ret = gnutls_certificate_set_x509_key_file
(x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
+# endif
if (ret < GNUTLS_E_SUCCESS)
return gnutls_make_error (ret);
@@ -2860,8 +2965,26 @@ syms_of_gnutls (void)
DEFSYM (QCmin_prime_bits, ":min-prime-bits");
DEFSYM (QCloglevel, ":loglevel");
DEFSYM (QCcomplete_negotiation, ":complete-negotiation");
+ DEFSYM (QCpass, ":pass");
+ DEFSYM (QCflags, ":flags");
DEFSYM (QCverify_flags, ":verify-flags");
DEFSYM (QCverify_error, ":verify-error");
+ DEFSYM (Qgnutls_pkcs_plain, "GNUTLS_PKCS_PLAIN");
+ DEFSYM (Qgnutls_pkcs_pkcs12_3des, "GNUTLS_PKCS_PKCS12_3DES");
+ DEFSYM (Qgnutls_pkcs_pkcs12_arcfour, "GNUTLS_PKCS_PKCS12_ARCFOUR");
+ DEFSYM (Qgnutls_pkcs_pkcs12_rc2_40, "GNUTLS_PKCS_PKCS12_RC2_40");
+ DEFSYM (Qgnutls_pkcs_pbes2_3des, "GNUTLS_PKCS_PBES2_3DES");
+ DEFSYM (Qgnutls_pkcs_pbes2_aes_128, "GNUTLS_PKCS_PBES2_AES_128");
+ DEFSYM (Qgnutls_pkcs_pbes2_aes_192, "GNUTLS_PKCS_PBES2_AES_192");
+ DEFSYM (Qgnutls_pkcs_pbes2_aes_256, "GNUTLS_PKCS_PBES2_AES_256");
+ DEFSYM (Qgnutls_pkcs_null_password, "GNUTLS_PKCS_NULL_PASSWORD");
+ DEFSYM (Qgnutls_pkcs_pbes2_des, "GNUTLS_PKCS_PBES2_DES");
+ DEFSYM (Qgnutls_pkcs_pbes1_des_md5, "GNUTLS_PKCS_PBES1_DES_MD5");
+ DEFSYM (Qgnutls_pkcs_pbes2_gost_tc26z, "GNUTLS_PKCS_PBES2_GOST_TC26Z");
+ DEFSYM (Qgnutls_pkcs_pbes2_gost_cpa, "GNUTLS_PKCS_PBES2_GOST_CPA");
+ DEFSYM (Qgnutls_pkcs_pbes2_gost_cpb, "GNUTLS_PKCS_PBES2_GOST_CPB");
+ DEFSYM (Qgnutls_pkcs_pbes2_gost_cpc, "GNUTLS_PKCS_PBES2_GOST_CPC");
+ DEFSYM (Qgnutls_pkcs_pbes2_gost_cpd, "GNUTLS_PKCS_PBES2_GOST_CPD");
DEFSYM (QCcipher_id, ":cipher-id");
DEFSYM (QCcipher_aead_capable, ":cipher-aead-capable");
--
2.37.3
next prev parent reply other threads:[~2022-09-30 16:22 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-10 10:39 bug#50507: New function in Emacs GnuTLS implementation Nikolaos Chatzikonstantinou
2021-09-10 12:39 ` Eli Zaretskii
2021-09-11 15:28 ` Nikolaos Chatzikonstantinou
2021-09-11 15:34 ` Eli Zaretskii
2021-09-11 15:52 ` Eli Zaretskii
2022-08-25 15:07 ` Lars Ingebrigtsen
2022-09-14 15:51 ` Nikolaos Chatzikonstantinou
2022-09-15 7:09 ` Lars Ingebrigtsen
2022-09-26 9:56 ` Nikolaos Chatzikonstantinou
2022-09-26 11:03 ` Lars Ingebrigtsen
2022-09-26 15:43 ` Nikolaos Chatzikonstantinou
2022-09-26 17:19 ` Robert Pluim
2022-09-26 21:39 ` Nikolaos Chatzikonstantinou
2022-09-27 6:29 ` Eli Zaretskii
2022-09-28 12:15 ` Nikolaos Chatzikonstantinou
2022-09-28 13:11 ` Robert Pluim
2022-09-29 3:09 ` Nikolaos Chatzikonstantinou
2022-09-29 8:17 ` Eli Zaretskii
2022-09-29 12:35 ` Nikolaos Chatzikonstantinou
2022-09-29 13:08 ` Eli Zaretskii
2022-09-29 9:02 ` Robert Pluim
2022-09-29 13:44 ` Nikolaos Chatzikonstantinou
2022-09-29 14:08 ` Robert Pluim
2022-09-30 10:04 ` Nikolaos Chatzikonstantinou
2022-09-30 10:47 ` Eli Zaretskii
2022-09-30 13:01 ` Nikolaos Chatzikonstantinou
2022-09-30 13:37 ` Eli Zaretskii
2022-09-30 13:49 ` Nikolaos Chatzikonstantinou
2022-09-30 14:32 ` Robert Pluim
2022-09-30 16:22 ` Nikolaos Chatzikonstantinou [this message]
2022-10-03 7:40 ` Robert Pluim
2022-10-03 13:00 ` Nikolaos Chatzikonstantinou
2022-10-03 13:19 ` Robert Pluim
2022-10-05 14:20 ` Nikolaos Chatzikonstantinou
2022-12-23 15:46 ` Nikolaos Chatzikonstantinou
2022-12-29 9:01 ` Eli Zaretskii
2022-12-29 17:03 ` Robert Pluim
2022-12-29 17:18 ` Eli Zaretskii
2022-12-30 16:41 ` Robert Pluim
2022-12-31 7:33 ` Eli Zaretskii
2023-01-02 10:24 ` Robert Pluim
2022-12-30 20:45 ` Mattias Engdegård
2022-12-30 22:59 ` Nikolaos Chatzikonstantinou
2022-12-31 7:28 ` Eli Zaretskii
2022-12-31 7:25 ` Eli Zaretskii
2022-12-31 8:58 ` Colin Baxter
2022-12-31 9:44 ` Mattias Engdegård
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAAQmekcUZ2tvUS8jUoG=0vn_sqyjOvF1mHBkbRRJy+46tCPcRw@mail.gmail.com' \
--to=nchatz314@gmail.com \
--cc=50507@debbugs.gnu.org \
--cc=eliz@gnu.org \
--cc=larsi@gnus.org \
--cc=rpluim@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).