diff --git a/CHANGES b/CHANGES index 9ff231672..13ef347f1 100644 --- a/CHANGES +++ b/CHANGES @@ -8,6 +8,10 @@ +Daniel (12 November 2005) +- Dima Barsky patched problem #1348930: the GnuTLS code completely ignored + client certificates! (http://curl.haxx.se/bug/view.cgi?id=1348930). + Daniel (10 November 2005) - David Lang fixed IPv6 support for TFTP! diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 4983334e5..2fd260433 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -18,6 +18,7 @@ This release includes the following changes: This release includes the following bugfixes: + o the GnuTLS code didn't support client certificates o TFTP over IPv6 works o no reverse lookups on IP addresses when ipv6-enabled o SSPI compatibility fix: using the proper DLLs diff --git a/lib/gtls.c b/lib/gtls.c index aa9d98dfa..cc33deabf 100644 --- a/lib/gtls.c +++ b/lib/gtls.c @@ -176,6 +176,18 @@ static CURLcode handshake(struct connectdata *conn, return CURLE_OK; } +static gnutls_x509_crt_fmt_t do_file_type(const char *type) +{ + if(!type || !type[0]) + return GNUTLS_X509_FMT_PEM; + if(curl_strequal(type, "PEM")) + return GNUTLS_X509_FMT_PEM; + if(curl_strequal(type, "DER")) + return GNUTLS_X509_FMT_DER; + return -1; +} + + /* * This function is called after the TCP connect has completed. Setup the TLS * layer and do all necessary magic. @@ -253,7 +265,17 @@ Curl_gtls_connect(struct connectdata *conn, if(rc < 0) return CURLE_SSL_CONNECT_ERROR; - /* put the anonymous credentials to the current session */ + if(data->set.cert) { + if( gnutls_certificate_set_x509_key_file( + conn->ssl[sockindex].cred, data->set.cert, + data->set.key != 0 ? data->set.key : data->set.cert, + do_file_type(data->set.cert_type) ) ) { + failf(data, "error reading X.509 key or certificate file"); + return CURLE_SSL_CONNECT_ERROR; + } + } + + /* put the credentials to the current session */ rc = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, conn->ssl[sockindex].cred);