2 files changed, 130 insertions, 0 deletions
diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 9f14df08a79..f828ccfc1b0 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -262,6 +262,7 @@ For the meaning of the rest of the parameters, see `gnutls-boot-parameters'."
           &key type hostname priority-string
           trustfiles crlfiles keylist min-prime-bits
           verify-flags verify-error verify-hostname-error
+           pass flags
           &allow-other-keys)
  "Return a keyword list of parameters suitable for passing to `gnutls-boot'.
@@ -278,6 +279,13 @@ default.
 VERIFY-HOSTNAME-ERROR is a backwards compatibility option for
 putting `:hostname' in VERIFY-ERROR.
+PASS is a string, the password of the key.  It may also be nil,
+for a NULL password.
+FLAGS is a list of symbols corresponding to the equivalent ORed
+bitflag of the gnutls_pkcs_encrypt_flags_t enum of GnuTLS.  The
+empty list corresponds to the bitflag with value 0.
 When VERIFY-ERROR is t or a list containing `:trustfiles', an
 error will be raised when the peer certificate verification fails
 as per GnuTLS' gnutls_certificate_verify_peers2.  Otherwise, only
@@ -355,6 +363,8 @@ defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
                :keylist ,keylist
                :verify-flags ,verify-flags
                :verify-error ,verify-error
+                :pass ,pass
+                :flags ,flags
                :callbacks nil)))
 (defun gnutls--get-files (files)
diff --git a/src/gnutls.c b/src/gnutls.c
index 4093865cae5..571f141b2ac 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -34,6 +34,7 @@ along with GNU Emacs.  If not, see <https://www.gnu.org/licenses/>.  */
 # endif
 # if GNUTLS_VERSION_NUMBER >= 0x030200
+#  define HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
 #  define HAVE_GNUTLS_CIPHER_GET_IV_SIZE
 # endif
@@ -121,6 +122,11 @@ DEF_DLL_FN (int, gnutls_certificate_set_x509_crl_file,
 DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file,
            (gnutls_certificate_credentials_t, const char *, const char *,
             gnutls_x509_crt_fmt_t));
+#  ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file2,
+            (gnutls_certificate_credentials_t, const char *, const char *,
+             gnutls_x509_crt_fmt_t, const char *, unsigned int));
+#  endif
 #  ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST
 DEF_DLL_FN (int, gnutls_certificate_set_x509_system_trust,
            (gnutls_certificate_credentials_t));
@@ -314,6 +320,9 @@ init_gnutls_functions (void)
  LOAD_DLL_FN (library, gnutls_certificate_set_verify_flags);
  LOAD_DLL_FN (library, gnutls_certificate_set_x509_crl_file);
  LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file);
+#  ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+  LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file2);
+#  endif
 #  ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST
  LOAD_DLL_FN (library, gnutls_certificate_set_x509_system_trust);
 #  endif
@@ -455,6 +464,9 @@ init_gnutls_functions (void)
 #  define gnutls_certificate_set_verify_flags fn_gnutls_certificate_set_verify_flags
 #  define gnutls_certificate_set_x509_crl_file fn_gnutls_certificate_set_x509_crl_file
 #  define gnutls_certificate_set_x509_key_file fn_gnutls_certificate_set_x509_key_file
+#  ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+#   define gnutls_certificate_set_x509_key_file2 fn_gnutls_certificate_set_x509_key_file2
+#  endif
 #  define gnutls_certificate_set_x509_system_trust fn_gnutls_certificate_set_x509_system_trust
 #  define gnutls_certificate_set_x509_trust_file fn_gnutls_certificate_set_x509_trust_file
 #  define gnutls_certificate_type_get fn_gnutls_certificate_type_get
@@ -1774,6 +1786,61 @@ gnutls_verify_boot (Lisp_Object proc, Lisp_Object proplist)
  return gnutls_make_error (ret);
 }
+#ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+/* Helper function for gnutls-boot.
+   The key :flags receives a list of symbols, each of which
+   corresponds to a GnuTLS C flag, the ORed result is to be passed to
+   the function gnutls_certificate_set_x509_key_file2() as its last
+   argument.
+*/
+static unsigned int
+key_file2_aux (Lisp_Object flags)
+{
+  unsigned int rv = 0;
+  Lisp_Object tail = flags;
+  FOR_EACH_TAIL_SAFE (tail)
+    {
+      Lisp_Object flag = XCAR (tail);
+      if (EQ (flag, Qgnutls_pkcs_plain))
+        rv |= GNUTLS_PKCS_PLAIN;
+      else if (EQ (flag, Qgnutls_pkcs_pkcs12_3des))
+        rv |= GNUTLS_PKCS_PKCS12_3DES;
+      else if (EQ (flag, Qgnutls_pkcs_pkcs12_arcfour))
+        rv |= GNUTLS_PKCS_PKCS12_ARCFOUR;
+      else if (EQ (flag, Qgnutls_pkcs_pkcs12_rc2_40))
+        rv |= GNUTLS_PKCS_PKCS12_RC2_40;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_3des))
+        rv |= GNUTLS_PKCS_PBES2_3DES;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_aes_128))
+        rv |= GNUTLS_PKCS_PBES2_AES_128;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_aes_192))
+        rv |= GNUTLS_PKCS_PBES2_AES_192;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_aes_256))
+        rv |= GNUTLS_PKCS_PBES2_AES_256;
+      else if (EQ (flag, Qgnutls_pkcs_null_password))
+        rv |= GNUTLS_PKCS_NULL_PASSWORD;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_des))
+        rv |= GNUTLS_PKCS_PBES2_DES;
+      else if (EQ (flag, Qgnutls_pkcs_pbes1_des_md5))
+        rv |= GNUTLS_PKCS_PBES1_DES_MD5;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_tc26z))
+        rv |= GNUTLS_PKCS_PBES2_GOST_TC26Z;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_cpa))
+        rv |= GNUTLS_PKCS_PBES2_GOST_CPA;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_cpb))
+        rv |= GNUTLS_PKCS_PBES2_GOST_CPB;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_cpc))
+        rv |= GNUTLS_PKCS_PBES2_GOST_CPC;
+      else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_cpd))
+        rv |= GNUTLS_PKCS_PBES2_GOST_CPD;
+    }
+  return rv;
+}
+#endif /* HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2 */
 DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
       doc: /* Initialize GnuTLS client for process PROC with TYPE+PROPLIST.
 Currently only client mode is supported.  Return a success/failure
@@ -1813,6 +1880,21 @@ accept in Diffie-Hellman key exchange.
 :complete-negotiation, if non-nil, will make negotiation complete
 before returning even on non-blocking sockets.
+:pass, the password of the private key as per GnuTLS'
+gnutls_certificate_set_x509_key_file2.  Specify as nil to have a NULL
+password.
+:flags, a list of symbols relating to :pass, each specifying a flag:
+GNUTLS_PKCS_PLAIN, GNUTLS_PKCS_PKCS12_3DES,
+GNUTLS_PKCS_PKCS12_ARCFOUR, GNUTLS_PKCS_PKCS12_RC2_40,
+GNUTLS_PKCS_PBES2_3DES, GNUTLS_PKCS_PBES2_AES_128,
+GNUTLS_PKCS_PBES2_AES_192, GNUTLS_PKCS_PBES2_AES_256,
+GNUTLS_PKCS_NULL_PASSWORD, GNUTLS_PKCS_PBES2_DES,
+GNUTLS_PKCS_PBES2_DES_MD5, GNUTLS_PKCS_PBES2_GOST_TC26Z,
+GNUTLS_PKCS_PBES2_GOST_CPA, GNUTLS_PKCS_PBES2_GOST_CPB,
+GNUTLS_PKCS_PBES2_GOST_CPC, GNUTLS_PKCS_PBES2_GOST_CPD.  If not
+specified, or if nil, the bitflag with value 0 is used.
 The debug level will be set for this process AND globally for GnuTLS.
 So if you set it higher or lower at any point, it affects global
 debugging.
@@ -1825,6 +1907,9 @@ Processes must be initialized with this function before other GnuTLS
 functions are used.  This function allocates resources which can only
 be deallocated by calling `gnutls-deinit' or by calling it again.
+The :pass and :flags keys are ignored with old versions of GnuTLS, and
+:flags is ignored if :pass is not specified.
 The callbacks alist can have a `verify' key, associated with a
 verification function (UNUSED).
@@ -1842,12 +1927,15 @@ one trustfile (usually a CA bundle).  */)
  Lisp_Object global_init;
  char const *priority_string_ptr = "NORMAL"; /* default priority string.  */
  char *c_hostname;
+  const char *c_pass;
  /* Placeholders for the property list elements.  */
  Lisp_Object priority_string;
  Lisp_Object trustfiles;
  Lisp_Object crlfiles;
  Lisp_Object keylist;
+  Lisp_Object pass;
+  Lisp_Object flags;
  /* Lisp_Object callbacks; */
  Lisp_Object loglevel;
  Lisp_Object hostname;
@@ -1877,6 +1965,13 @@ one trustfile (usually a CA bundle).  */)
  crlfiles              = plist_get (proplist, QCcrlfiles);
  loglevel              = plist_get (proplist, QCloglevel);
  prime_bits            = plist_get (proplist, QCmin_prime_bits);
+  pass                  = plist_get (proplist, QCpass);
+  flags                 = plist_get (proplist, QCflags);
+  if (STRINGP (pass))
+    c_pass = SSDATA (pass);
+  else
+    c_pass = NULL;
  if (!STRINGP (hostname))
    {
@@ -2038,6 +2133,13 @@ one trustfile (usually a CA bundle).  */)
              keyfile = ansi_encode_filename (keyfile);
              certfile = ansi_encode_filename (certfile);
 # endif
+# ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+              if (plist_member (proplist, QCpass))
+                ret = gnutls_certificate_set_x509_key_file2
+                  (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format,
+                   c_pass, key_file2_aux (flags));
+              else
+# endif
              ret = gnutls_certificate_set_x509_key_file
                (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
@@ -2862,8 +2964,26 @@ level in the ones.  For builds without libgnutls, the value is -1.  */);
  DEFSYM (QCmin_prime_bits, ":min-prime-bits");
  DEFSYM (QCloglevel, ":loglevel");
  DEFSYM (QCcomplete_negotiation, ":complete-negotiation");
+  DEFSYM (QCpass, ":pass");
+  DEFSYM (QCflags, ":flags");
  DEFSYM (QCverify_flags, ":verify-flags");
  DEFSYM (QCverify_error, ":verify-error");
+  DEFSYM (Qgnutls_pkcs_plain, "GNUTLS_PKCS_PLAIN");
+  DEFSYM (Qgnutls_pkcs_pkcs12_3des, "GNUTLS_PKCS_PKCS12_3DES");
+  DEFSYM (Qgnutls_pkcs_pkcs12_arcfour, "GNUTLS_PKCS_PKCS12_ARCFOUR");
+  DEFSYM (Qgnutls_pkcs_pkcs12_rc2_40, "GNUTLS_PKCS_PKCS12_RC2_40");
+  DEFSYM (Qgnutls_pkcs_pbes2_3des, "GNUTLS_PKCS_PBES2_3DES");
+  DEFSYM (Qgnutls_pkcs_pbes2_aes_128, "GNUTLS_PKCS_PBES2_AES_128");
+  DEFSYM (Qgnutls_pkcs_pbes2_aes_192, "GNUTLS_PKCS_PBES2_AES_192");
+  DEFSYM (Qgnutls_pkcs_pbes2_aes_256, "GNUTLS_PKCS_PBES2_AES_256");
+  DEFSYM (Qgnutls_pkcs_null_password, "GNUTLS_PKCS_NULL_PASSWORD");
+  DEFSYM (Qgnutls_pkcs_pbes2_des, "GNUTLS_PKCS_PBES2_DES");
+  DEFSYM (Qgnutls_pkcs_pbes1_des_md5, "GNUTLS_PKCS_PBES1_DES_MD5");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_tc26z, "GNUTLS_PKCS_PBES2_GOST_TC26Z");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpa, "GNUTLS_PKCS_PBES2_GOST_CPA");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpb, "GNUTLS_PKCS_PBES2_GOST_CPB");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpc, "GNUTLS_PKCS_PBES2_GOST_CPC");
+  DEFSYM (Qgnutls_pkcs_pbes2_gost_cpd, "GNUTLS_PKCS_PBES2_GOST_CPD");
  DEFSYM (QCcipher_id, ":cipher-id");
  DEFSYM (QCcipher_aead_capable, ":cipher-aead-capable");

diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el index 9f14df08a79..f828ccfc1b0 100644 --- a/lisp/net/gnutls.el +++ b/lisp/net/gnutls.el
@@ -262,6 +262,7 @@ For the meaning of the rest of the parameters, see `gnutls-boot-parameters'."
262	&key type hostname priority-string	262	&key type hostname priority-string
263	trustfiles crlfiles keylist min-prime-bits	263	trustfiles crlfiles keylist min-prime-bits
264	verify-flags verify-error verify-hostname-error	264	verify-flags verify-error verify-hostname-error
		265	pass flags
265	&allow-other-keys)	266	&allow-other-keys)
266	"Return a keyword list of parameters suitable for passing to `gnutls-boot'.	267	"Return a keyword list of parameters suitable for passing to `gnutls-boot'.
267		268
@@ -278,6 +279,13 @@ default.
278	VERIFY-HOSTNAME-ERROR is a backwards compatibility option for	279	VERIFY-HOSTNAME-ERROR is a backwards compatibility option for
279	putting `:hostname' in VERIFY-ERROR.	280	putting `:hostname' in VERIFY-ERROR.
280		281
		282	PASS is a string, the password of the key. It may also be nil,
		283	for a NULL password.
		284
		285	FLAGS is a list of symbols corresponding to the equivalent ORed
		286	bitflag of the gnutls_pkcs_encrypt_flags_t enum of GnuTLS. The
		287	empty list corresponds to the bitflag with value 0.
		288
281	When VERIFY-ERROR is t or a list containing `:trustfiles', an	289	When VERIFY-ERROR is t or a list containing `:trustfiles', an
282	error will be raised when the peer certificate verification fails	290	error will be raised when the peer certificate verification fails
283	as per GnuTLS' gnutls_certificate_verify_peers2. Otherwise, only	291	as per GnuTLS' gnutls_certificate_verify_peers2. Otherwise, only
@@ -355,6 +363,8 @@ defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
355	:keylist ,keylist	363	:keylist ,keylist
356	:verify-flags ,verify-flags	364	:verify-flags ,verify-flags
357	:verify-error ,verify-error	365	:verify-error ,verify-error
		366	:pass ,pass
		367	:flags ,flags
358	:callbacks nil)))	368	:callbacks nil)))
359		369
360	(defun gnutls--get-files (files)	370	(defun gnutls--get-files (files)


diff --git a/src/gnutls.c b/src/gnutls.c index 4093865cae5..571f141b2ac 100644 --- a/src/gnutls.c +++ b/src/gnutls.c
@@ -34,6 +34,7 @@ along with GNU Emacs. If not, see <https://www.gnu.org/licenses/>. */
34	# endif	34	# endif
35		35
36	# if GNUTLS_VERSION_NUMBER >= 0x030200	36	# if GNUTLS_VERSION_NUMBER >= 0x030200
		37	# define HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
37	# define HAVE_GNUTLS_CIPHER_GET_IV_SIZE	38	# define HAVE_GNUTLS_CIPHER_GET_IV_SIZE
38	# endif	39	# endif
39		40
@@ -121,6 +122,11 @@ DEF_DLL_FN (int, gnutls_certificate_set_x509_crl_file,
121	DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file,	122	DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file,
122	(gnutls_certificate_credentials_t, const char , const char ,	123	(gnutls_certificate_credentials_t, const char , const char ,
123	gnutls_x509_crt_fmt_t));	124	gnutls_x509_crt_fmt_t));
		125	# ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
		126	DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file2,
		127	(gnutls_certificate_credentials_t, const char , const char ,
		128	gnutls_x509_crt_fmt_t, const char *, unsigned int));
		129	# endif
124	# ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST	130	# ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST
125	DEF_DLL_FN (int, gnutls_certificate_set_x509_system_trust,	131	DEF_DLL_FN (int, gnutls_certificate_set_x509_system_trust,
126	(gnutls_certificate_credentials_t));	132	(gnutls_certificate_credentials_t));
@@ -314,6 +320,9 @@ init_gnutls_functions (void)
314	LOAD_DLL_FN (library, gnutls_certificate_set_verify_flags);	320	LOAD_DLL_FN (library, gnutls_certificate_set_verify_flags);
315	LOAD_DLL_FN (library, gnutls_certificate_set_x509_crl_file);	321	LOAD_DLL_FN (library, gnutls_certificate_set_x509_crl_file);
316	LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file);	322	LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file);
		323	# ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
		324	LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file2);
		325	# endif
317	# ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST	326	# ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST
318	LOAD_DLL_FN (library, gnutls_certificate_set_x509_system_trust);	327	LOAD_DLL_FN (library, gnutls_certificate_set_x509_system_trust);
319	# endif	328	# endif
@@ -455,6 +464,9 @@ init_gnutls_functions (void)
455	# define gnutls_certificate_set_verify_flags fn_gnutls_certificate_set_verify_flags	464	# define gnutls_certificate_set_verify_flags fn_gnutls_certificate_set_verify_flags
456	# define gnutls_certificate_set_x509_crl_file fn_gnutls_certificate_set_x509_crl_file	465	# define gnutls_certificate_set_x509_crl_file fn_gnutls_certificate_set_x509_crl_file
457	# define gnutls_certificate_set_x509_key_file fn_gnutls_certificate_set_x509_key_file	466	# define gnutls_certificate_set_x509_key_file fn_gnutls_certificate_set_x509_key_file
		467	# ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
		468	# define gnutls_certificate_set_x509_key_file2 fn_gnutls_certificate_set_x509_key_file2
		469	# endif
458	# define gnutls_certificate_set_x509_system_trust fn_gnutls_certificate_set_x509_system_trust	470	# define gnutls_certificate_set_x509_system_trust fn_gnutls_certificate_set_x509_system_trust
459	# define gnutls_certificate_set_x509_trust_file fn_gnutls_certificate_set_x509_trust_file	471	# define gnutls_certificate_set_x509_trust_file fn_gnutls_certificate_set_x509_trust_file
460	# define gnutls_certificate_type_get fn_gnutls_certificate_type_get	472	# define gnutls_certificate_type_get fn_gnutls_certificate_type_get
@@ -1774,6 +1786,61 @@ gnutls_verify_boot (Lisp_Object proc, Lisp_Object proplist)
1774	return gnutls_make_error (ret);	1786	return gnutls_make_error (ret);
1775	}	1787	}
1776		1788
		1789	#ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
		1790
		1791	/* Helper function for gnutls-boot.
		1792
		1793	The key :flags receives a list of symbols, each of which
		1794	corresponds to a GnuTLS C flag, the ORed result is to be passed to
		1795	the function gnutls_certificate_set_x509_key_file2() as its last
		1796	argument.
		1797	*/
		1798	static unsigned int
		1799	key_file2_aux (Lisp_Object flags)
		1800	{
		1801	unsigned int rv = 0;
		1802	Lisp_Object tail = flags;
		1803	FOR_EACH_TAIL_SAFE (tail)
		1804	{
		1805	Lisp_Object flag = XCAR (tail);
		1806	if (EQ (flag, Qgnutls_pkcs_plain))
		1807	rv \|= GNUTLS_PKCS_PLAIN;
		1808	else if (EQ (flag, Qgnutls_pkcs_pkcs12_3des))
		1809	rv \|= GNUTLS_PKCS_PKCS12_3DES;
		1810	else if (EQ (flag, Qgnutls_pkcs_pkcs12_arcfour))
		1811	rv \|= GNUTLS_PKCS_PKCS12_ARCFOUR;
		1812	else if (EQ (flag, Qgnutls_pkcs_pkcs12_rc2_40))
		1813	rv \|= GNUTLS_PKCS_PKCS12_RC2_40;
		1814	else if (EQ (flag, Qgnutls_pkcs_pbes2_3des))
		1815	rv \|= GNUTLS_PKCS_PBES2_3DES;
		1816	else if (EQ (flag, Qgnutls_pkcs_pbes2_aes_128))
		1817	rv \|= GNUTLS_PKCS_PBES2_AES_128;
		1818	else if (EQ (flag, Qgnutls_pkcs_pbes2_aes_192))
		1819	rv \|= GNUTLS_PKCS_PBES2_AES_192;
		1820	else if (EQ (flag, Qgnutls_pkcs_pbes2_aes_256))
		1821	rv \|= GNUTLS_PKCS_PBES2_AES_256;
		1822	else if (EQ (flag, Qgnutls_pkcs_null_password))
		1823	rv \|= GNUTLS_PKCS_NULL_PASSWORD;
		1824	else if (EQ (flag, Qgnutls_pkcs_pbes2_des))
		1825	rv \|= GNUTLS_PKCS_PBES2_DES;
		1826	else if (EQ (flag, Qgnutls_pkcs_pbes1_des_md5))
		1827	rv \|= GNUTLS_PKCS_PBES1_DES_MD5;
		1828	else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_tc26z))
		1829	rv \|= GNUTLS_PKCS_PBES2_GOST_TC26Z;
		1830	else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_cpa))
		1831	rv \|= GNUTLS_PKCS_PBES2_GOST_CPA;
		1832	else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_cpb))
		1833	rv \|= GNUTLS_PKCS_PBES2_GOST_CPB;
		1834	else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_cpc))
		1835	rv \|= GNUTLS_PKCS_PBES2_GOST_CPC;
		1836	else if (EQ (flag, Qgnutls_pkcs_pbes2_gost_cpd))
		1837	rv \|= GNUTLS_PKCS_PBES2_GOST_CPD;
		1838	}
		1839	return rv;
		1840	}
		1841
		1842	#endif /* HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2 */
		1843
1777	DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,	1844	DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
1778	doc: /* Initialize GnuTLS client for process PROC with TYPE+PROPLIST.	1845	doc: /* Initialize GnuTLS client for process PROC with TYPE+PROPLIST.
1779	Currently only client mode is supported. Return a success/failure	1846	Currently only client mode is supported. Return a success/failure
@@ -1813,6 +1880,21 @@ accept in Diffie-Hellman key exchange.
1813	:complete-negotiation, if non-nil, will make negotiation complete	1880	:complete-negotiation, if non-nil, will make negotiation complete
1814	before returning even on non-blocking sockets.	1881	before returning even on non-blocking sockets.
1815		1882
		1883	:pass, the password of the private key as per GnuTLS'
		1884	gnutls_certificate_set_x509_key_file2. Specify as nil to have a NULL
		1885	password.
		1886
		1887	:flags, a list of symbols relating to :pass, each specifying a flag:
		1888	GNUTLS_PKCS_PLAIN, GNUTLS_PKCS_PKCS12_3DES,
		1889	GNUTLS_PKCS_PKCS12_ARCFOUR, GNUTLS_PKCS_PKCS12_RC2_40,
		1890	GNUTLS_PKCS_PBES2_3DES, GNUTLS_PKCS_PBES2_AES_128,
		1891	GNUTLS_PKCS_PBES2_AES_192, GNUTLS_PKCS_PBES2_AES_256,
		1892	GNUTLS_PKCS_NULL_PASSWORD, GNUTLS_PKCS_PBES2_DES,
		1893	GNUTLS_PKCS_PBES2_DES_MD5, GNUTLS_PKCS_PBES2_GOST_TC26Z,
		1894	GNUTLS_PKCS_PBES2_GOST_CPA, GNUTLS_PKCS_PBES2_GOST_CPB,
		1895	GNUTLS_PKCS_PBES2_GOST_CPC, GNUTLS_PKCS_PBES2_GOST_CPD. If not
		1896	specified, or if nil, the bitflag with value 0 is used.
		1897
1816	The debug level will be set for this process AND globally for GnuTLS.	1898	The debug level will be set for this process AND globally for GnuTLS.
1817	So if you set it higher or lower at any point, it affects global	1899	So if you set it higher or lower at any point, it affects global
1818	debugging.	1900	debugging.
@@ -1825,6 +1907,9 @@ Processes must be initialized with this function before other GnuTLS
1825	functions are used. This function allocates resources which can only	1907	functions are used. This function allocates resources which can only
1826	be deallocated by calling `gnutls-deinit' or by calling it again.	1908	be deallocated by calling `gnutls-deinit' or by calling it again.
1827		1909
		1910	The :pass and :flags keys are ignored with old versions of GnuTLS, and
		1911	:flags is ignored if :pass is not specified.
		1912
1828	The callbacks alist can have a `verify' key, associated with a	1913	The callbacks alist can have a `verify' key, associated with a
1829	verification function (UNUSED).	1914	verification function (UNUSED).
1830		1915
@@ -1842,12 +1927,15 @@ one trustfile (usually a CA bundle). */)
1842	Lisp_Object global_init;	1927	Lisp_Object global_init;
1843	char const priority_string_ptr = "NORMAL"; / default priority string. */	1928	char const priority_string_ptr = "NORMAL"; / default priority string. */
1844	char *c_hostname;	1929	char *c_hostname;
		1930	const char *c_pass;
1845		1931
1846	/* Placeholders for the property list elements. */	1932	/* Placeholders for the property list elements. */
1847	Lisp_Object priority_string;	1933	Lisp_Object priority_string;
1848	Lisp_Object trustfiles;	1934	Lisp_Object trustfiles;
1849	Lisp_Object crlfiles;	1935	Lisp_Object crlfiles;
1850	Lisp_Object keylist;	1936	Lisp_Object keylist;
		1937	Lisp_Object pass;
		1938	Lisp_Object flags;
1851	/* Lisp_Object callbacks; */	1939	/* Lisp_Object callbacks; */
1852	Lisp_Object loglevel;	1940	Lisp_Object loglevel;
1853	Lisp_Object hostname;	1941	Lisp_Object hostname;
@@ -1877,6 +1965,13 @@ one trustfile (usually a CA bundle). */)
1877	crlfiles = plist_get (proplist, QCcrlfiles);	1965	crlfiles = plist_get (proplist, QCcrlfiles);
1878	loglevel = plist_get (proplist, QCloglevel);	1966	loglevel = plist_get (proplist, QCloglevel);
1879	prime_bits = plist_get (proplist, QCmin_prime_bits);	1967	prime_bits = plist_get (proplist, QCmin_prime_bits);
		1968	pass = plist_get (proplist, QCpass);
		1969	flags = plist_get (proplist, QCflags);
		1970
		1971	if (STRINGP (pass))
		1972	c_pass = SSDATA (pass);
		1973	else
		1974	c_pass = NULL;
1880		1975
1881	if (!STRINGP (hostname))	1976	if (!STRINGP (hostname))
1882	{	1977	{
@@ -2038,6 +2133,13 @@ one trustfile (usually a CA bundle). */)
2038	keyfile = ansi_encode_filename (keyfile);	2133	keyfile = ansi_encode_filename (keyfile);
2039	certfile = ansi_encode_filename (certfile);	2134	certfile = ansi_encode_filename (certfile);
2040	# endif	2135	# endif
		2136	# ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
		2137	if (plist_member (proplist, QCpass))
		2138	ret = gnutls_certificate_set_x509_key_file2
		2139	(x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format,
		2140	c_pass, key_file2_aux (flags));
		2141	else
		2142	# endif
2041	ret = gnutls_certificate_set_x509_key_file	2143	ret = gnutls_certificate_set_x509_key_file
2042	(x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);	2144	(x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
2043		2145
@@ -2862,8 +2964,26 @@ level in the ones. For builds without libgnutls, the value is -1. */);
2862	DEFSYM (QCmin_prime_bits, ":min-prime-bits");	2964	DEFSYM (QCmin_prime_bits, ":min-prime-bits");
2863	DEFSYM (QCloglevel, ":loglevel");	2965	DEFSYM (QCloglevel, ":loglevel");
2864	DEFSYM (QCcomplete_negotiation, ":complete-negotiation");	2966	DEFSYM (QCcomplete_negotiation, ":complete-negotiation");
		2967	DEFSYM (QCpass, ":pass");
		2968	DEFSYM (QCflags, ":flags");
2865	DEFSYM (QCverify_flags, ":verify-flags");	2969	DEFSYM (QCverify_flags, ":verify-flags");
2866	DEFSYM (QCverify_error, ":verify-error");	2970	DEFSYM (QCverify_error, ":verify-error");
		2971	DEFSYM (Qgnutls_pkcs_plain, "GNUTLS_PKCS_PLAIN");
		2972	DEFSYM (Qgnutls_pkcs_pkcs12_3des, "GNUTLS_PKCS_PKCS12_3DES");
		2973	DEFSYM (Qgnutls_pkcs_pkcs12_arcfour, "GNUTLS_PKCS_PKCS12_ARCFOUR");
		2974	DEFSYM (Qgnutls_pkcs_pkcs12_rc2_40, "GNUTLS_PKCS_PKCS12_RC2_40");
		2975	DEFSYM (Qgnutls_pkcs_pbes2_3des, "GNUTLS_PKCS_PBES2_3DES");
		2976	DEFSYM (Qgnutls_pkcs_pbes2_aes_128, "GNUTLS_PKCS_PBES2_AES_128");
		2977	DEFSYM (Qgnutls_pkcs_pbes2_aes_192, "GNUTLS_PKCS_PBES2_AES_192");
		2978	DEFSYM (Qgnutls_pkcs_pbes2_aes_256, "GNUTLS_PKCS_PBES2_AES_256");
		2979	DEFSYM (Qgnutls_pkcs_null_password, "GNUTLS_PKCS_NULL_PASSWORD");
		2980	DEFSYM (Qgnutls_pkcs_pbes2_des, "GNUTLS_PKCS_PBES2_DES");
		2981	DEFSYM (Qgnutls_pkcs_pbes1_des_md5, "GNUTLS_PKCS_PBES1_DES_MD5");
		2982	DEFSYM (Qgnutls_pkcs_pbes2_gost_tc26z, "GNUTLS_PKCS_PBES2_GOST_TC26Z");
		2983	DEFSYM (Qgnutls_pkcs_pbes2_gost_cpa, "GNUTLS_PKCS_PBES2_GOST_CPA");
		2984	DEFSYM (Qgnutls_pkcs_pbes2_gost_cpb, "GNUTLS_PKCS_PBES2_GOST_CPB");
		2985	DEFSYM (Qgnutls_pkcs_pbes2_gost_cpc, "GNUTLS_PKCS_PBES2_GOST_CPC");
		2986	DEFSYM (Qgnutls_pkcs_pbes2_gost_cpd, "GNUTLS_PKCS_PBES2_GOST_CPD");
2867		2987
2868	DEFSYM (QCcipher_id, ":cipher-id");	2988	DEFSYM (QCcipher_id, ":cipher-id");
2869	DEFSYM (QCcipher_aead_capable, ":cipher-aead-capable");	2989	DEFSYM (QCcipher_aead_capable, ":cipher-aead-capable");