+(defun elpher-make-network-timer (thunk)
+ "Creates a timer to run the THUNK after `elpher-connection-timeout' seconds.
+This is just a wraper around `run-at-time' which additionally sets the
+buffer-local variable `elpher-network-timer' to allow
+`elpher-process-cleanup' to also clear the timer."
+ (let ((timer (run-at-time elpher-connection-timeout nil thunk)))
+ (setq-local elpher-network-timer timer)
+ timer))
+
+(defun elpher-get-host-response (address default-port query-string response-processor
+ &optional use-tls force-ipv4)
+ "Generic function for retrieving data from ADDRESS.
+
+When ADDRESS lacks a specific port, DEFAULT-PORT is used instead.
+QUERY-STRING is a string sent to the host specified by ADDRESS to
+illicet a response. This response is passed as an argument to the
+function RESPONSE-PROCESSOR.
+
+If non-nil, USE-TLS specifies that the connection is to be made over
+TLS. If set to gemini, the certificate verification will be disabled
+unless `elpher-gemini-TLS-cert-checks' is non-nil.
+
+If non-nil, FORCE-IPV4 causes the network connection to be made over
+ipv4 only. (The default behaviour when this is not set depends on
+the host operating system and the local network capabilities.)"
+ (if (and use-tls (not (gnutls-available-p)))
+ (error "Use of TLS requires Emacs to be compiled with GNU TLS support")
+ (unless (< (elpher-address-port address) 65536)
+ (error "Cannot establish network connection: port number > 65536"))
+ (when (and (eq use-tls 'gemini) (not elpher-gemini-TLS-cert-checks))
+ (setq-local network-security-level 'low)
+ (setq-local gnutls-verify-error nil))
+ (condition-case nil
+ (let* ((kill-buffer-query-functions nil)
+ (port (elpher-address-port address))
+ (host (elpher-address-host address))
+ (service (if (> port 0) port default-port))
+ (response-string-parts nil)
+ (bytes-received 0)
+ (hkbytes-received 0)
+ (socks (or elpher-socks-always (string-suffix-p ".onion" host)))
+ (gnutls-params (list :type 'gnutls-x509pki
+ :hostname host
+ :keylist
+ (elpher-get-current-keylist address)))
+ (timer (elpher-make-network-timer
+ (lambda ()
+ (elpher-process-cleanup)
+ (cond
+ ; Try again with IPv4
+ ((not (or force-ipv4 socks))
+ (message "Connection timed out. Retrying with IPv4.")
+ (elpher-get-host-response address default-port
+ query-string
+ response-processor
+ use-tls t))
+ ((and use-tls
+ (not (eq use-tls 'gemini))
+ (or elpher-auto-disengage-TLS
+ (y-or-n-p
+ "TLS connetion failed. Disable TLS mode and retry? ")))
+ (setq elpher-use-tls nil)
+ (elpher-get-host-response address default-port
+ query-string
+ response-processor
+ nil force-ipv4))
+ (t
+ (elpher-network-error address "Connection time-out."))))))
+ (proc (if socks (socks-open-network-stream "elpher-process" nil host service)
+ (make-network-process :name "elpher-process"
+ :host host
+ :family (and force-ipv4 'ipv4)
+ :service service
+ :buffer nil
+ :nowait t
+ :tls-parameters
+ (and use-tls
+ (cons 'gnutls-x509pki
+ (apply #'gnutls-boot-parameters
+ gnutls-params)))))))
+ (setq elpher-network-timer timer)
+ (set-process-coding-system proc 'binary 'binary)
+ (set-process-query-on-exit-flag proc nil)
+ (elpher-buffer-message (concat "Connecting to " host "..."
+ " (press 'u' to abort)"))
+ (set-process-filter proc
+ (lambda (_proc string)
+ (when timer
+ (cancel-timer timer)
+ (setq timer nil))
+ (setq bytes-received (+ bytes-received (length string)))
+ (let ((new-hkbytes-received (/ bytes-received 102400)))
+ (when (> new-hkbytes-received hkbytes-received)
+ (setq hkbytes-received new-hkbytes-received)
+ (elpher-buffer-message
+ (concat "("
+ (number-to-string (/ hkbytes-received 10.0))
+ " MB read)")
+ 1)))
+ (setq response-string-parts
+ (cons string response-string-parts))))
+ (set-process-sentinel proc
+ (lambda (proc event)
+ (when timer
+ (cancel-timer timer))
+ (condition-case the-error
+ (cond
+ ((string-prefix-p "open" event) ; request URL
+ (elpher-buffer-message
+ (concat "Connected to " host ". Receiving data..."
+ " (press 'u' to abort)"))
+ (let ((inhibit-eol-conversion t))
+ (process-send-string proc query-string)))
+ ((string-prefix-p "deleted" event)) ; do nothing
+ ((and (not response-string-parts)
+ (not (or elpher-ipv4-always force-ipv4 socks)))
+ ; Try again with IPv4
+ (message "Connection failed. Retrying with IPv4.")
+ (elpher-get-host-response address default-port
+ query-string
+ response-processor
+ use-tls t))
+ (response-string-parts
+ (elpher-with-clean-buffer
+ (insert "Data received. Rendering..."))
+ (funcall response-processor
+ (apply #'concat (reverse response-string-parts)))
+ (elpher-restore-pos))
+ (t
+ (error "No response from server")))
+ (error
+ (elpher-network-error address the-error)))))
+ (when socks
+ (if use-tls (apply #'gnutls-negotiate :process proc gnutls-params))
+ (funcall (process-sentinel proc) proc "open\n")))
+ (error
+ (elpher-process-cleanup)
+ (error "Error initiating connection to server")))))
+
+
+;;; Client-side TLS Certificate Management
+;;
+
+(defun elpher-generate-certificate (common-name key-file cert-file &optional temporary)
+ "Generate a key and a self-signed client TLS certificate using openssl.
+
+The Common Name field of the certificate is set to COMMON-NAME. The
+arguments KEY-FILE and CERT-FILE should contain the absolute paths of
+the key and certificate files to write.
+
+If TEMPORARY is non-nil, the certificate will be given an exporation
+period of one day, and the key and certificate files will be deleted
+when the certificate is no longer needed for the current session.
+
+Otherwise, the certificate will be given a 100 year expiration period
+and the files will not be deleted.