unofficial mirror of bug-gnu-emacs@gnu.org 
 help / color / mirror / code / Atom feed
From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
To: Robert Pluim <rpluim@gmail.com>
Cc: 50507@debbugs.gnu.org, Lars Ingebrigtsen <larsi@gnus.org>,
	Eli Zaretskii <eliz@gnu.org>
Subject: bug#50507: New function in Emacs GnuTLS implementation
Date: Wed, 28 Sep 2022 23:09:46 -0400	[thread overview]
Message-ID: <CAAQmekdFa+s7oeED6xH3-bNs7mvg7gLjpNf7Ehpx3k2_LpkONA@mail.gmail.com> (raw)
In-Reply-To: <87v8p7d4oq.fsf@gmail.com>

[-- Attachment #1: Type: text/plain, Size: 608 bytes --]

On Wed, Sep 28, 2022 at 9:11 AM Robert Pluim <rpluim@gmail.com> wrote:
>
> >>>>> On Wed, 28 Sep 2022 08:15:26 -0400, Nikolaos Chatzikonstantinou <nchatz314@gmail.com> said:
>
>
>     Nikolaos> Okay, I'm submitting this patch with corrections included, see attachment.
>
> I see a .sig attachment, but no patch (we donʼt currently require
> signing of commits at all, but I guess thereʼs nothing stopping people
> from doing it).

My bad, here it is. I also added "Copyright-paperwork-exempt: yes" (or
will this require paperwork?) and gave the helper function static
linkage in src/gnutls.c.

[-- Attachment #2: 0001-add-pass-and-flags-to-gnutls-boot-for-keylist.patch --]
[-- Type: text/x-patch, Size: 10708 bytes --]

From b11707c423773f6234746991222acd80ab3f708c Mon Sep 17 00:00:00 2001
From: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
Date: Mon, 26 Sep 2022 11:08:18 -0400
Subject: [PATCH] add :pass and :flags to gnutls-boot for :keylist

* lisp/net/gnutls.el (gnutls-boot-parameters): add the keys :pass and
:flags, and update the documentation.
* src/gnutls.c (gnutls-boot): add the keys :pass and :flags, and
update the documentation.
(syms_of_gnutls): add the symbols :pass, :flags, and the symbols that
correspond to the enumeration constants of the GnuTLS enum
`gnutls_pkcs_encrypt_flags_t`.
; (key_file2_aux): private helper function that translates a list of
; symbols to its corresponding `unsigned int` value of the GnuTLS C
; enum `gnutls_pkcs_encrypt_flags_t`.

Copyright-paperwork-exempt: yes
---
 lisp/net/gnutls.el |   7 +++
 src/gnutls.c       | 104 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 111 insertions(+)

diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 6e3845aec1..9aab18b8fb 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -265,6 +265,7 @@ gnutls-boot-parameters
            &key type hostname priority-string
            trustfiles crlfiles keylist min-prime-bits
            verify-flags verify-error verify-hostname-error
+           pass flags
            &allow-other-keys)
   "Return a keyword list of parameters suitable for passing to `gnutls-boot'.
 
@@ -281,6 +282,10 @@ gnutls-boot-parameters
 VERIFY-HOSTNAME-ERROR is a backwards compatibility option for
 putting `:hostname' in VERIFY-ERROR.
 
+PASS is a string, the password of the key.
+
+FLAGS is an ORed sequence of gnutls_pkcs_encrypt_flags_t values.
+
 When VERIFY-ERROR is t or a list containing `:trustfiles', an
 error will be raised when the peer certificate verification fails
 as per GnuTLS' gnutls_certificate_verify_peers2.  Otherwise, only
@@ -358,6 +363,8 @@ gnutls-boot-parameters
                 :keylist ,keylist
                 :verify-flags ,verify-flags
                 :verify-error ,verify-error
+                :pass ,pass
+                :flags ,flags
                 :callbacks nil)))
 
 (defun gnutls--get-files (files)
diff --git a/src/gnutls.c b/src/gnutls.c
index a0de0238c4..2a6069e542 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -34,6 +34,7 @@
 # endif
 
 # if GNUTLS_VERSION_NUMBER >= 0x030200
+#  define HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
 #  define HAVE_GNUTLS_CIPHER_GET_IV_SIZE
 # endif
 
@@ -121,6 +122,9 @@ DEF_DLL_FN (int, gnutls_certificate_set_x509_crl_file,
 DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file,
 	    (gnutls_certificate_credentials_t, const char *, const char *,
 	     gnutls_x509_crt_fmt_t));
+DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file2,
+	    (gnutls_certificate_credentials_t, const char *, const char *,
+	     gnutls_x509_crt_fmt_t, const char *, unsigned int));
 #  ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST
 DEF_DLL_FN (int, gnutls_certificate_set_x509_system_trust,
 	    (gnutls_certificate_credentials_t));
@@ -314,6 +318,7 @@ init_gnutls_functions (void)
   LOAD_DLL_FN (library, gnutls_certificate_set_verify_flags);
   LOAD_DLL_FN (library, gnutls_certificate_set_x509_crl_file);
   LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file);
+  LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file2);
 #  ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST
   LOAD_DLL_FN (library, gnutls_certificate_set_x509_system_trust);
 #  endif
@@ -455,6 +460,7 @@ init_gnutls_functions (void)
 #  define gnutls_certificate_set_verify_flags fn_gnutls_certificate_set_verify_flags
 #  define gnutls_certificate_set_x509_crl_file fn_gnutls_certificate_set_x509_crl_file
 #  define gnutls_certificate_set_x509_key_file fn_gnutls_certificate_set_x509_key_file
+#  define gnutls_certificate_set_x509_key_file2 fn_gnutls_certificate_set_x509_key_file2
 #  define gnutls_certificate_set_x509_system_trust fn_gnutls_certificate_set_x509_system_trust
 #  define gnutls_certificate_set_x509_trust_file fn_gnutls_certificate_set_x509_trust_file
 #  define gnutls_certificate_type_get fn_gnutls_certificate_type_get
@@ -1774,6 +1780,57 @@ gnutls_verify_boot (Lisp_Object proc, Lisp_Object proplist)
   return gnutls_make_error (ret);
 }
 
+/* Helper function for gnutls-boot.
+
+   The key :flags receives a lisp of symbols, each of which
+   corresponds to a GnuTLS C flag, the ORed result is to be passed to
+   the function gnutls_certificate_set_x509_key_file2() as its last
+   argument.
+*/
+static unsigned int
+key_file2_aux (Lisp_Object flags)
+{
+  unsigned int rv = 0;
+  Lisp_Object tail;
+  for (tail = flags; CONSP (tail); tail = XCDR (tail))
+    {
+      Lisp_Object flag = XCAR(tail);
+      if (EQ(flag, Qgnutls_pkcs_plain))
+	rv |= GNUTLS_PKCS_PLAIN;
+      else if(EQ(flag, Qgnutls_pkcs_pkcs12_3des))
+	rv |= GNUTLS_PKCS_PKCS12_3DES;
+      else if(EQ(flag, Qgnutls_pkcs_pkcs12_arcfour))
+	rv |= GNUTLS_PKCS_PKCS12_ARCFOUR;
+      else if(EQ(flag, Qgnutls_pkcs_pkcs12_rc2_40))
+	rv |= GNUTLS_PKCS_PKCS12_RC2_40;
+      else if(EQ(flag, Qgnutls_pkcs_pbes2_3des))
+	rv |= GNUTLS_PKCS_PBES2_3DES;
+      else if(EQ(flag, Qgnutls_pkcs_pbes2_aes_128))
+	rv |= GNUTLS_PKCS_PBES2_AES_128;
+      else if(EQ(flag, Qgnutls_pkcs_pbes2_aes_192))
+	rv |= GNUTLS_PKCS_PBES2_AES_192;
+      else if(EQ(flag, Qgnutls_pkcs_pbes2_aes_256))
+	rv |= GNUTLS_PKCS_PBES2_AES_256;
+      else if(EQ(flag, Qgnutls_pkcs_null_password))
+	rv |= GNUTLS_PKCS_NULL_PASSWORD;
+      else if(EQ(flag, Qgnutls_pkcs_pbes2_des))
+	rv |= GNUTLS_PKCS_PBES2_DES;
+      else if(EQ(flag, Qgnutls_pkcs_pbes1_des_md5))
+	rv |= GNUTLS_PKCS_PBES1_DES_MD5;
+      else if(EQ(flag, Qgnutls_pkcs_pbes2_gost_tc26z))
+	rv |= GNUTLS_PKCS_PBES2_GOST_TC26Z;
+      else if(EQ(flag, Qgnutls_pkcs_pbes2_gost_cpa))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPA;
+      else if(EQ(flag, Qgnutls_pkcs_pbes2_gost_cpb))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPB;
+      else if(EQ(flag, Qgnutls_pkcs_pbes2_gost_cpc))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPC;
+      else if(EQ(flag, Qgnutls_pkcs_pbes2_gost_cpd))
+	rv |= GNUTLS_PKCS_PBES2_GOST_CPD;
+    }
+  return rv;
+}
+
 DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
        doc: /* Initialize GnuTLS client for process PROC with TYPE+PROPLIST.
 Currently only client mode is supported.  Return a success/failure
@@ -1813,6 +1870,19 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 :complete-negotiation, if non-nil, will make negotiation complete
 before returning even on non-blocking sockets.
 
+:pass, the password of the private key as per GnuTLS'
+gnutls_certificate_set_x509_key_file2.
+
+:flags, a list of symbols relating to :pass, each specifying a flag:
+GNUTLS_PKCS_PLAIN, GNUTLS_PKCS_PKCS12_3DES,
+GNUTLS_PKCS_PKCS12_ARCFOUR, GNUTLS_PKCS_PKCS12_RC2_40,
+GNUTLS_PKCS_PBES2_3DES, GNUTLS_PKCS_PBES2_AES_128,
+GNUTLS_PKCS_PBES2_AES_192, GNUTLS_PKCS_PBES2_AES_256,
+GNUTLS_PKCS_NULL_PASSWORD, GNUTLS_PKCS_PBES2_DES,
+GNUTLS_PKCS_PBES2_DES_MD5, GNUTLS_PKCS_PBES2_GOST_TC26Z,
+GNUTLS_PKCS_PBES2_GOST_CPA, GNUTLS_PKCS_PBES2_GOST_CPB,
+GNUTLS_PKCS_PBES2_GOST_CPC, GNUTLS_PKCS_PBES2_GOST_CPD.
+
 The debug level will be set for this process AND globally for GnuTLS.
 So if you set it higher or lower at any point, it affects global
 debugging.
@@ -1825,6 +1895,9 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 functions are used.  This function allocates resources which can only
 be deallocated by calling `gnutls-deinit' or by calling it again.
 
+The :pass and :flags keys are ignored with old versions of GnuTLS, and
+:flags is ignored if :pass is not specified.
+
 The callbacks alist can have a `verify' key, associated with a
 verification function (UNUSED).
 
@@ -1848,6 +1921,8 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
   Lisp_Object trustfiles;
   Lisp_Object crlfiles;
   Lisp_Object keylist;
+  Lisp_Object pass;
+  Lisp_Object flags;
   /* Lisp_Object callbacks; */
   Lisp_Object loglevel;
   Lisp_Object hostname;
@@ -1877,6 +1952,8 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
   crlfiles              = plist_get (proplist, QCcrlfiles);
   loglevel              = plist_get (proplist, QCloglevel);
   prime_bits            = plist_get (proplist, QCmin_prime_bits);
+  pass                  = plist_get (proplist, QCpass);
+  flags                 = plist_get (proplist, QCflags);
 
   if (!STRINGP (hostname))
     {
@@ -2038,8 +2115,17 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 	      keyfile = ansi_encode_filename (keyfile);
 	      certfile = ansi_encode_filename (certfile);
 # endif
+# ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+	      if (STRINGP (pass))
+		ret = gnutls_certificate_set_x509_key_file2
+		  (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format, SSDATA (pass), key_file2_aux (flags));
+	      else
+		ret = gnutls_certificate_set_x509_key_file
+		  (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
+# else
 	      ret = gnutls_certificate_set_x509_key_file
 		(x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
+# endif
 
 	      if (ret < GNUTLS_E_SUCCESS)
 		return gnutls_make_error (ret);
@@ -2860,8 +2946,26 @@ syms_of_gnutls (void)
   DEFSYM (QCmin_prime_bits, ":min-prime-bits");
   DEFSYM (QCloglevel, ":loglevel");
   DEFSYM (QCcomplete_negotiation, ":complete-negotiation");
+  DEFSYM (QCpass, ":pass");
+  DEFSYM (QCflags, ":flags");
   DEFSYM (QCverify_flags, ":verify-flags");
   DEFSYM (QCverify_error, ":verify-error");
+  DEFSYM (Qgnutls_pkcs_plain, "GNUTLS_PKCS_PLAIN");
+  DEFSYM (Qgnutls_pkcs_pkcs12_3des, "GNUTLS_PKCS_PKCS12_3DES");
+  DEFSYM (Qgnutls_pkcs_pkcs12_arcfour, "GNUTLS_PKCS_PKCS12_ARCFOUR");
+  DEFSYM (Qgnutls_pkcs_pkcs12_rc2_40, "GNUTLS_PKCS_PKCS12_RC2_40");
+  DEFSYM (Qgnutls_pkcs_pbes2_3des, "GNUTLS_PKCS_PBES2_3DES");
+  DEFSYM (Qgnutls_pkcs_pbes2_aes_128, "GNUTLS_PKCS_PBES2_AES_128");
+  DEFSYM (Qgnutls_pkcs_pbes2_aes_192, "GNUTLS_PKCS_PBES2_AES_192");
+  DEFSYM (Qgnutls_pkcs_pbes2_aes_256, "GNUTLS_PKCS_PBES2_AES_256");
+  DEFSYM (Qgnutls_pkcs_null_password, "GNUTLS_PKCS_NULL_PASSWORD");
+  DEFSYM (Qgnutls_pkcs_pbes2_des, "GNUTLS_PKCS_PBES2_DES");
+  DEFSYM (Qgnutls_pkcs_pbes1_des_md5, "GNUTLS_PKCS_PBES1_DES_MD5");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_tc26z, "GNUTLS_PKCS_PBES2_GOST_TC26Z");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpa, "GNUTLS_PKCS_PBES2_GOST_CPA");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpb, "GNUTLS_PKCS_PBES2_GOST_CPB");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpc, "GNUTLS_PKCS_PBES2_GOST_CPC");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpd, "GNUTLS_PKCS_PBES2_GOST_CPD");
 
   DEFSYM (QCcipher_id, ":cipher-id");
   DEFSYM (QCcipher_aead_capable, ":cipher-aead-capable");
-- 
2.37.3


  reply	other threads:[~2022-09-29  3:09 UTC|newest]

Thread overview: 47+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-10 10:39 bug#50507: New function in Emacs GnuTLS implementation Nikolaos Chatzikonstantinou
2021-09-10 12:39 ` Eli Zaretskii
2021-09-11 15:28   ` Nikolaos Chatzikonstantinou
2021-09-11 15:34     ` Eli Zaretskii
2021-09-11 15:52       ` Eli Zaretskii
2022-08-25 15:07     ` Lars Ingebrigtsen
2022-09-14 15:51       ` Nikolaos Chatzikonstantinou
2022-09-15  7:09         ` Lars Ingebrigtsen
2022-09-26  9:56           ` Nikolaos Chatzikonstantinou
2022-09-26 11:03             ` Lars Ingebrigtsen
2022-09-26 15:43               ` Nikolaos Chatzikonstantinou
2022-09-26 17:19                 ` Robert Pluim
2022-09-26 21:39                   ` Nikolaos Chatzikonstantinou
2022-09-27  6:29                     ` Eli Zaretskii
2022-09-28 12:15                   ` Nikolaos Chatzikonstantinou
2022-09-28 13:11                     ` Robert Pluim
2022-09-29  3:09                       ` Nikolaos Chatzikonstantinou [this message]
2022-09-29  8:17                         ` Eli Zaretskii
2022-09-29 12:35                           ` Nikolaos Chatzikonstantinou
2022-09-29 13:08                             ` Eli Zaretskii
2022-09-29  9:02                         ` Robert Pluim
2022-09-29 13:44                           ` Nikolaos Chatzikonstantinou
2022-09-29 14:08                             ` Robert Pluim
2022-09-30 10:04                               ` Nikolaos Chatzikonstantinou
2022-09-30 10:47                                 ` Eli Zaretskii
2022-09-30 13:01                                   ` Nikolaos Chatzikonstantinou
2022-09-30 13:37                                     ` Eli Zaretskii
2022-09-30 13:49                                       ` Nikolaos Chatzikonstantinou
2022-09-30 14:32                                         ` Robert Pluim
2022-09-30 16:22                                           ` Nikolaos Chatzikonstantinou
2022-10-03  7:40                                             ` Robert Pluim
2022-10-03 13:00                                               ` Nikolaos Chatzikonstantinou
2022-10-03 13:19                                                 ` Robert Pluim
2022-10-05 14:20                                                   ` Nikolaos Chatzikonstantinou
2022-12-23 15:46                                                   ` Nikolaos Chatzikonstantinou
2022-12-29  9:01                                                     ` Eli Zaretskii
2022-12-29 17:03                                                       ` Robert Pluim
2022-12-29 17:18                                                         ` Eli Zaretskii
2022-12-30 16:41                                                           ` Robert Pluim
2022-12-31  7:33                                                             ` Eli Zaretskii
2023-01-02 10:24                                                               ` Robert Pluim
2022-12-30 20:45 ` Mattias Engdegård
2022-12-30 22:59   ` Nikolaos Chatzikonstantinou
2022-12-31  7:28     ` Eli Zaretskii
2022-12-31  7:25   ` Eli Zaretskii
2022-12-31  8:58     ` Colin Baxter
2022-12-31  9:44     ` Mattias Engdegård

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.gnu.org/software/emacs/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAAQmekdFa+s7oeED6xH3-bNs7mvg7gLjpNf7Ehpx3k2_LpkONA@mail.gmail.com \
    --to=nchatz314@gmail.com \
    --cc=50507@debbugs.gnu.org \
    --cc=eliz@gnu.org \
    --cc=larsi@gnus.org \
    --cc=rpluim@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).