Use a simple list of symbols in GnuTLS peer verification.

* gnutls.c (Fgnutls_peer_status_warning_describe): Add function to describe a peer verification warning symbol. (Fgnutls_peer_status): Use it. (Fgnutls_boot): Use it.
author: Ted Zlatanov 2014-11-25 09:07:13 -0500
committer: Ted Zlatanov 2014-11-25 09:07:13 -0500
commit: 8608c1009dafa7bf657e8835087bb8ad81357202 (patch)
tree: 8a24eae1414f747b9982ec97dc998a3050d46266 /src
parent: 8be099a2c10ce4718e6630cef6b6ca1983617264 (diff)
download: emacs-8608c1009dafa7bf657e8835087bb8ad81357202.tar.gz
emacs-8608c1009dafa7bf657e8835087bb8ad81357202.zip
2 files changed, 69 insertions, 55 deletions
diff --git a/src/ChangeLog b/src/ChangeLog
index 220c2bfd771..922b61a92e3 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,6 +1,10 @@
 2014-11-25  Teodor Zlatanov  <tzz@lifelogs.com>
        * gnutls.c (Fgnutls_peer_status): Check GNUTLS_INITSTAGE, not gnutls_p.
+        (Fgnutls_peer_status_warning_describe): Add function to describe a
+        peer verification warning symbol.
+        (Fgnutls_peer_status): Use it.
+        (Fgnutls_boot): Use it.
 2014-11-24  Lars Magne Ingebrigtsen  <larsi@gnus.org>
diff --git a/src/gnutls.c b/src/gnutls.c
index bfa6078eabd..604c595622d 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -968,9 +968,44 @@ gnutls_certificate_details (gnutls_x509_crt_t cert)
  return res;
 }
+DEFUN ("gnutls-peer-status-warning-describe", Fgnutls_peer_status_warning_describe, Sgnutls_peer_status_warning_describe, 1, 1, 0,
+       doc: /* Describe the warning of a GnuTLS peer status from `gnutls-peer-status'.*/)
+  (Lisp_Object status_symbol)
+{
+  CHECK_SYMBOL (status_symbol);
+  if ( EQ (status_symbol, intern (":invalid")))
+    return build_string ("certificate could not be verified");
+  if ( EQ (status_symbol, intern (":revoked")) )
+    return build_string ("certificate was revoked (CRL)");
+  if ( EQ (status_symbol, intern (":self-signed")) )
+    return build_string ("certificate signer was not found (self-signed)");
+  if ( EQ (status_symbol, intern (":not-ca")) )
+    return build_string ("certificate signer is not a CA");
+  if ( EQ (status_symbol, intern (":insecure")) )
+    return build_string ("certificate was signed with an insecure algorithm");
+  if ( EQ (status_symbol, intern (":not-activated")) )
+    return build_string ("certificate is not yet activated");
+  if ( EQ (status_symbol, intern (":expired")) )
+    return build_string ("certificate has expired");
+  if ( EQ (status_symbol, intern (":no-host-match")) )
+    return build_string ("certificate host does not match hostname");
+  return Qnil;
+}
 DEFUN ("gnutls-peer-status", Fgnutls_peer_status, Sgnutls_peer_status, 1, 1, 0,
-       doc: /* Return the status of the gnutls PROC peer certificate.
+       doc: /* Describe a GnuTLS PROC peer certificate and any warnings about it.
-The return value is a property list.  */)
+The return value is a property list with top-level keys :warnings and
+:certificate.  The :warnings entry is a list of symbols you can describe with
+`gnutls-peer-status-warning-describe'. */)
  (Lisp_Object proc)
 {
  Lisp_Object warnings = Qnil, result = Qnil;
@@ -985,52 +1020,39 @@ The return value is a property list.  */)
  verification = XPROCESS (proc)->gnutls_peer_verification;
  if (verification & GNUTLS_CERT_INVALID)
-    warnings = Fcons (list2 (intern (":invalid"),
+    warnings = Fcons (intern (":invalid"), warnings);
-                             build_string("certificate could not be verified")),
-                      warnings);
  if (verification & GNUTLS_CERT_REVOKED)
-    warnings = Fcons (list2 (intern (":revoked"),
+    warnings = Fcons (intern (":revoked"), warnings);
-                             build_string("certificate was revoked (CRL)")),
-                      warnings);
  if (verification & GNUTLS_CERT_SIGNER_NOT_FOUND)
-    warnings = Fcons (list2 (intern (":self-signed"),
+    warnings = Fcons (intern (":self-signed"), warnings);
-                             build_string("certificate signer was not found (self-signed)")),
-                      warnings);
  if (verification & GNUTLS_CERT_SIGNER_NOT_CA)
-    warnings = Fcons (list2 (intern (":not-ca"),
+    warnings = Fcons (intern (":not-ca"), warnings);
-                             build_string("certificate signer is not a CA")),
-                      warnings);
  if (verification & GNUTLS_CERT_INSECURE_ALGORITHM)
-    warnings = Fcons (list2 (intern (":insecure"),
+    warnings = Fcons (intern (":insecure"), warnings);
-                             build_string("certificate was signed with an insecure algorithm")),
-                      warnings);
  if (verification & GNUTLS_CERT_NOT_ACTIVATED)
-    warnings = Fcons (list2 (intern (":not-activated"),
+    warnings = Fcons (intern (":not-activated"), warnings);
-                             build_string("certificate is not yet activated")),
-                      warnings);
  if (verification & GNUTLS_CERT_EXPIRED)
-    warnings = Fcons (list2 (intern (":expired"),
+    warnings = Fcons (intern (":expired"), warnings);
-                             build_string("certificate has expired")),
-                      warnings);
  if (XPROCESS (proc)->gnutls_extra_peer_verification &
      CERTIFICATE_NOT_MATCHING)
-    warnings = Fcons (list2 (intern (":no-host-match"),
+    warnings = Fcons (intern (":no-host-match"), warnings);
-                             build_string("certificate host does not match hostname")),
-                      warnings);
  if (!NILP (warnings))
    result = list2 (intern (":warnings"), warnings);
-  result = nconc2 (result, list2
+  /* This could get called in the INIT stage, when the certificate is
-                   (intern (":certificate"),
+     not yet set. */
-                    gnutls_certificate_details(XPROCESS (proc)->gnutls_certificate)));
+  if ( XPROCESS (proc)->gnutls_certificate != NULL )
+    result = nconc2 (result, list2
+                     (intern (":certificate"),
+                      gnutls_certificate_details (XPROCESS (proc)->gnutls_certificate)));
  return result;
 }
@@ -1148,6 +1170,8 @@ one trustfile (usually a CA bundle).  */)
  Lisp_Object hostname;
  Lisp_Object verify_error;
  Lisp_Object prime_bits;
+  Lisp_Object warnings;
+  Lisp_Object warning;
  CHECK_PROCESS (proc);
  CHECK_SYMBOL (type);
@@ -1392,33 +1416,19 @@ one trustfile (usually a CA bundle).  */)
  XPROCESS (proc)->gnutls_peer_verification = peer_verification;
-  if (XINT (loglevel) > 0 && peer_verification & GNUTLS_CERT_INVALID)
+  warnings = Fplist_get (Fgnutls_peer_status (proc), intern (":warnings"));
-    message ("%s certificate could not be verified.", c_hostname);
+  if ( !NILP (warnings) )
+    {
-  if (peer_verification & GNUTLS_CERT_REVOKED)
+      Lisp_Object tail;
-    GNUTLS_LOG2 (1, max_log_level, "certificate was revoked (CRL):",
-                 c_hostname);
-  if (peer_verification & GNUTLS_CERT_SIGNER_NOT_FOUND)
-    GNUTLS_LOG2 (1, max_log_level, "certificate signer was not found:",
-                 c_hostname);
-  if (peer_verification & GNUTLS_CERT_SIGNER_NOT_CA)
-    GNUTLS_LOG2 (1, max_log_level, "certificate signer is not a CA:",
-                 c_hostname);
-  if (peer_verification & GNUTLS_CERT_INSECURE_ALGORITHM)
-    GNUTLS_LOG2 (1, max_log_level,
-                 "certificate was signed with an insecure algorithm:",
-                 c_hostname);
-  if (peer_verification & GNUTLS_CERT_NOT_ACTIVATED)
-    GNUTLS_LOG2 (1, max_log_level, "certificate is not yet activated:",
-                 c_hostname);
-  if (peer_verification & GNUTLS_CERT_EXPIRED)
+      for (tail = warnings; CONSP (tail); tail = XCDR (tail))
-    GNUTLS_LOG2 (1, max_log_level, "certificate has expired:",
+        {
-                 c_hostname);
+          Lisp_Object warning = XCAR (tail);
+          Lisp_Object message = Fgnutls_peer_status_warning_describe (warning);
+          if ( !NILP (message) )
+            GNUTLS_LOG2 (1, max_log_level, "verification: %s", SDATA(message));
+        }
+    }
  if (peer_verification != 0)
    {
author	Ted Zlatanov	2014-11-25 09:07:13 -0500
committer	Ted Zlatanov	2014-11-25 09:07:13 -0500
commit	8608c1009dafa7bf657e8835087bb8ad81357202 (patch)
tree	8a24eae1414f747b9982ec97dc998a3050d46266 /src
parent	8be099a2c10ce4718e6630cef6b6ca1983617264 (diff)
download	emacs-8608c1009dafa7bf657e8835087bb8ad81357202.tar.gz emacs-8608c1009dafa7bf657e8835087bb8ad81357202.zip

diff --git a/src/ChangeLog b/src/ChangeLog index 220c2bfd771..922b61a92e3 100644 --- a/src/ChangeLog +++ b/src/ChangeLog
@@ -1,6 +1,10 @@
1	2014-11-25 Teodor Zlatanov <tzz@lifelogs.com>	1	2014-11-25 Teodor Zlatanov <tzz@lifelogs.com>
2		2
3	* gnutls.c (Fgnutls_peer_status): Check GNUTLS_INITSTAGE, not gnutls_p.	3	* gnutls.c (Fgnutls_peer_status): Check GNUTLS_INITSTAGE, not gnutls_p.
		4	(Fgnutls_peer_status_warning_describe): Add function to describe a
		5	peer verification warning symbol.
		6	(Fgnutls_peer_status): Use it.
		7	(Fgnutls_boot): Use it.
4		8
5	2014-11-24 Lars Magne Ingebrigtsen <larsi@gnus.org>	9	2014-11-24 Lars Magne Ingebrigtsen <larsi@gnus.org>
6		10


diff --git a/src/gnutls.c b/src/gnutls.c index bfa6078eabd..604c595622d 100644 --- a/src/gnutls.c +++ b/src/gnutls.c
@@ -968,9 +968,44 @@ gnutls_certificate_details (gnutls_x509_crt_t cert)
968	return res;	968	return res;
969	}	969	}
970		970
		971	DEFUN ("gnutls-peer-status-warning-describe", Fgnutls_peer_status_warning_describe, Sgnutls_peer_status_warning_describe, 1, 1, 0,
		972	doc: /* Describe the warning of a GnuTLS peer status from `gnutls-peer-status'.*/)
		973	(Lisp_Object status_symbol)
		974	{
		975	CHECK_SYMBOL (status_symbol);
		976
		977	if ( EQ (status_symbol, intern (":invalid")))
		978	return build_string ("certificate could not be verified");
		979
		980	if ( EQ (status_symbol, intern (":revoked")) )
		981	return build_string ("certificate was revoked (CRL)");
		982
		983	if ( EQ (status_symbol, intern (":self-signed")) )
		984	return build_string ("certificate signer was not found (self-signed)");
		985
		986	if ( EQ (status_symbol, intern (":not-ca")) )
		987	return build_string ("certificate signer is not a CA");
		988
		989	if ( EQ (status_symbol, intern (":insecure")) )
		990	return build_string ("certificate was signed with an insecure algorithm");
		991
		992	if ( EQ (status_symbol, intern (":not-activated")) )
		993	return build_string ("certificate is not yet activated");
		994
		995	if ( EQ (status_symbol, intern (":expired")) )
		996	return build_string ("certificate has expired");
		997
		998	if ( EQ (status_symbol, intern (":no-host-match")) )
		999	return build_string ("certificate host does not match hostname");
		1000
		1001	return Qnil;
		1002	}
		1003
971	DEFUN ("gnutls-peer-status", Fgnutls_peer_status, Sgnutls_peer_status, 1, 1, 0,	1004	DEFUN ("gnutls-peer-status", Fgnutls_peer_status, Sgnutls_peer_status, 1, 1, 0,
972	doc: /* Return the status of the gnutls PROC peer certificate.	1005	doc: /* Describe a GnuTLS PROC peer certificate and any warnings about it.
973	The return value is a property list. */)	1006	The return value is a property list with top-level keys :warnings and
		1007	:certificate. The :warnings entry is a list of symbols you can describe with
		1008	`gnutls-peer-status-warning-describe'. */)
974	(Lisp_Object proc)	1009	(Lisp_Object proc)
975	{	1010	{
976	Lisp_Object warnings = Qnil, result = Qnil;	1011	Lisp_Object warnings = Qnil, result = Qnil;
@@ -985,52 +1020,39 @@ The return value is a property list. */)
985	verification = XPROCESS (proc)->gnutls_peer_verification;	1020	verification = XPROCESS (proc)->gnutls_peer_verification;
986		1021
987	if (verification & GNUTLS_CERT_INVALID)	1022	if (verification & GNUTLS_CERT_INVALID)
988	warnings = Fcons (list2 (intern (":invalid"),	1023	warnings = Fcons (intern (":invalid"), warnings);
989	build_string("certificate could not be verified")),
990	warnings);
991		1024
992	if (verification & GNUTLS_CERT_REVOKED)	1025	if (verification & GNUTLS_CERT_REVOKED)
993	warnings = Fcons (list2 (intern (":revoked"),	1026	warnings = Fcons (intern (":revoked"), warnings);
994	build_string("certificate was revoked (CRL)")),
995	warnings);
996		1027
997	if (verification & GNUTLS_CERT_SIGNER_NOT_FOUND)	1028	if (verification & GNUTLS_CERT_SIGNER_NOT_FOUND)
998	warnings = Fcons (list2 (intern (":self-signed"),	1029	warnings = Fcons (intern (":self-signed"), warnings);
999	build_string("certificate signer was not found (self-signed)")),
1000	warnings);
1001		1030
1002	if (verification & GNUTLS_CERT_SIGNER_NOT_CA)	1031	if (verification & GNUTLS_CERT_SIGNER_NOT_CA)
1003	warnings = Fcons (list2 (intern (":not-ca"),	1032	warnings = Fcons (intern (":not-ca"), warnings);
1004	build_string("certificate signer is not a CA")),
1005	warnings);
1006		1033
1007	if (verification & GNUTLS_CERT_INSECURE_ALGORITHM)	1034	if (verification & GNUTLS_CERT_INSECURE_ALGORITHM)
1008	warnings = Fcons (list2 (intern (":insecure"),	1035	warnings = Fcons (intern (":insecure"), warnings);
1009	build_string("certificate was signed with an insecure algorithm")),
1010	warnings);
1011		1036
1012	if (verification & GNUTLS_CERT_NOT_ACTIVATED)	1037	if (verification & GNUTLS_CERT_NOT_ACTIVATED)
1013	warnings = Fcons (list2 (intern (":not-activated"),	1038	warnings = Fcons (intern (":not-activated"), warnings);
1014	build_string("certificate is not yet activated")),
1015	warnings);
1016		1039
1017	if (verification & GNUTLS_CERT_EXPIRED)	1040	if (verification & GNUTLS_CERT_EXPIRED)
1018	warnings = Fcons (list2 (intern (":expired"),	1041	warnings = Fcons (intern (":expired"), warnings);
1019	build_string("certificate has expired")),
1020	warnings);
1021		1042
1022	if (XPROCESS (proc)->gnutls_extra_peer_verification &	1043	if (XPROCESS (proc)->gnutls_extra_peer_verification &
1023	CERTIFICATE_NOT_MATCHING)	1044	CERTIFICATE_NOT_MATCHING)
1024	warnings = Fcons (list2 (intern (":no-host-match"),	1045	warnings = Fcons (intern (":no-host-match"), warnings);
1025	build_string("certificate host does not match hostname")),
1026	warnings);
1027		1046
1028	if (!NILP (warnings))	1047	if (!NILP (warnings))
1029	result = list2 (intern (":warnings"), warnings);	1048	result = list2 (intern (":warnings"), warnings);
1030		1049
1031	result = nconc2 (result, list2	1050	/* This could get called in the INIT stage, when the certificate is
1032	(intern (":certificate"),	1051	not yet set. */
1033	gnutls_certificate_details(XPROCESS (proc)->gnutls_certificate)));	1052	if ( XPROCESS (proc)->gnutls_certificate != NULL )
		1053	result = nconc2 (result, list2
		1054	(intern (":certificate"),
		1055	gnutls_certificate_details (XPROCESS (proc)->gnutls_certificate)));
1034		1056
1035	return result;	1057	return result;
1036	}	1058	}
@@ -1148,6 +1170,8 @@ one trustfile (usually a CA bundle). */)
1148	Lisp_Object hostname;	1170	Lisp_Object hostname;
1149	Lisp_Object verify_error;	1171	Lisp_Object verify_error;
1150	Lisp_Object prime_bits;	1172	Lisp_Object prime_bits;
		1173	Lisp_Object warnings;
		1174	Lisp_Object warning;
1151		1175
1152	CHECK_PROCESS (proc);	1176	CHECK_PROCESS (proc);
1153	CHECK_SYMBOL (type);	1177	CHECK_SYMBOL (type);
@@ -1392,33 +1416,19 @@ one trustfile (usually a CA bundle). */)
1392		1416
1393	XPROCESS (proc)->gnutls_peer_verification = peer_verification;	1417	XPROCESS (proc)->gnutls_peer_verification = peer_verification;
1394		1418
1395	if (XINT (loglevel) > 0 && peer_verification & GNUTLS_CERT_INVALID)	1419	warnings = Fplist_get (Fgnutls_peer_status (proc), intern (":warnings"));
1396	message ("%s certificate could not be verified.", c_hostname);	1420	if ( !NILP (warnings) )
1397		1421	{
1398	if (peer_verification & GNUTLS_CERT_REVOKED)	1422	Lisp_Object tail;
1399	GNUTLS_LOG2 (1, max_log_level, "certificate was revoked (CRL):",
1400	c_hostname);
1401
1402	if (peer_verification & GNUTLS_CERT_SIGNER_NOT_FOUND)
1403	GNUTLS_LOG2 (1, max_log_level, "certificate signer was not found:",
1404	c_hostname);
1405
1406	if (peer_verification & GNUTLS_CERT_SIGNER_NOT_CA)
1407	GNUTLS_LOG2 (1, max_log_level, "certificate signer is not a CA:",
1408	c_hostname);
1409
1410	if (peer_verification & GNUTLS_CERT_INSECURE_ALGORITHM)
1411	GNUTLS_LOG2 (1, max_log_level,
1412	"certificate was signed with an insecure algorithm:",
1413	c_hostname);
1414
1415	if (peer_verification & GNUTLS_CERT_NOT_ACTIVATED)
1416	GNUTLS_LOG2 (1, max_log_level, "certificate is not yet activated:",
1417	c_hostname);
1418		1423
1419	if (peer_verification & GNUTLS_CERT_EXPIRED)	1424	for (tail = warnings; CONSP (tail); tail = XCDR (tail))
1420	GNUTLS_LOG2 (1, max_log_level, "certificate has expired:",	1425	{
1421	c_hostname);	1426	Lisp_Object warning = XCAR (tail);
		1427	Lisp_Object message = Fgnutls_peer_status_warning_describe (warning);
		1428	if ( !NILP (message) )
		1429	GNUTLS_LOG2 (1, max_log_level, "verification: %s", SDATA(message));
		1430	}
		1431	}
1422		1432
1423	if (peer_verification != 0)	1433	if (peer_verification != 0)
1424	{	1434	{