Commit 6b56901b authored by Mike Crowe's avatar Mike Crowe Committed by Daniel Stenberg

gnutls: Support CURLOPT_KEYPASSWD



The gnutls vtls back-end was previously ignoring any password set via
CURLOPT_KEYPASSWD. Presumably this was because
gnutls_certificate_set_x509_key_file did not support encrypted keys.

gnutls now has a gnutls_certificate_set_x509_key_file2 function that
does support encrypted keys. Let's determine at compile time whether the
available gnutls supports this new function. If it does then use it to
pass the password. If it does not then emit a helpful diagnostic if a
password is set. This is preferable to the previous behaviour of just
failing to read the certificate without giving a reason in that case.

Signed-off-by: default avatarMike Crowe <mac@mcrowe.com>
parent 7362008c
+1 −0
@@ -1836,6 +1836,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
            AC_MSG_NOTICE([Added $gtlslib to LD_LIBRARY_PATH])
          fi
        fi
        AC_CHECK_FUNCS(gnutls_certificate_set_x509_key_file2)
      fi

    fi
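Review bot: The added AC_CHECK_FUNCS line defines HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2 only for the autoconf build, so if the project has any other build configuration it would need the same define, otherwise CURLOPT_KEYPASSWD silently falls into the "gnutls lacks support for encrypted key files" path even against a recent gnutls. The check is also a link test, so it relies on the gnutls library flags already being in LIBS at this point of the gnutls block; a short comment would make that dependency visible, e.g. `dnl needs the gnutls libs already in LIBS: probes for gnutls_certificate_set_x509_key_file2 (encrypted keys)`. The enclosing `if` block starts before this hunk.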
+36 −9
@@ -656,6 +656,32 @@ gtls_connect_step1(struct connectdata *conn,
#endif

  if(data->set.str[STRING_CERT]) {
    if(data->set.str[STRING_KEY_PASSWD]) {
#if HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
      const unsigned int supported_key_encryption_algorithms =
        GNUTLS_PKCS_USE_PKCS12_3DES | GNUTLS_PKCS_USE_PKCS12_ARCFOUR |
        GNUTLS_PKCS_USE_PKCS12_RC2_40 | GNUTLS_PKCS_USE_PBES2_3DES |
        GNUTLS_PKCS_USE_PBES2_AES_128 | GNUTLS_PKCS_USE_PBES2_AES_192 |
        GNUTLS_PKCS_USE_PBES2_AES_256;
      if(gnutls_certificate_set_x509_key_file2(
           conn->ssl[sockindex].cred,
           data->set.str[STRING_CERT],
           data->set.str[STRING_KEY] ?
           data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
           do_file_type(data->set.str[STRING_CERT_TYPE]),
           data->set.str[STRING_KEY_PASSWD],
           supported_key_encryption_algorithms) !=
         GNUTLS_E_SUCCESS) {
        failf(data,
              "error reading X.509 potentially-encrypted key file");
        return CURLE_SSL_CONNECT_ERROR;
#else
        failf(data, "gnutls lacks support for encrypted key files");
        return CURLE_SSL_CONNECT_ERROR;
#endif
      }
    }
    else {
      if(gnutls_certificate_set_x509_key_file(
           conn->ssl[sockindex].cred,
           data->set.str[STRING_CERT],
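Review bot: The `}` on the line after `#endif` is unmatched when HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2 is undefined, because the brace it closes is opened by `GNUTLS_E_SUCCESS) {` inside the `#if` branch, so the fallback build either fails to compile or pairs the following `else` with the wrong `if`. Close the failure block before the `#else` — `return CURLE_SSL_CONNECT_ERROR;` then `}` then `#else` — and delete the `}` after `#endif`. The diagnostic also drops the reason gnutls gives; capturing the return value in `rc` and reporting `failf(data, "error reading X.509 potentially-encrypted key file: %s", gnutls_strerror(rc));` is what a user with a wrong password or an unsupported key cipher needs. The algorithm mask knowingly admits weak legacy ciphers (3DES, ARCFOUR, RC2-40); that only governs decrypting the local key file, not the TLS session, but a comment such as `/* accept legacy PKCS#12/PBES2 ciphers so old key files still load */` would make the choice explicit. gtls_connect_step1 starts before this hunk and continues past it.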
@@ -667,6 +693,7 @@ gtls_connect_step1(struct connectdata *conn,
        return CURLE_SSL_CONNECT_ERROR;
      }
    }
  }

#ifdef USE_TLS_SRP
  /* put the credentials to the current session */