mirror of
https://github.com/moparisthebest/curl
synced 2024-11-13 13:05:03 -05:00
gnutls: Support CURLOPT_KEYPASSWD
The gnutls vtls back-end was previously ignoring any password set via CURLOPT_KEYPASSWD. Presumably this was because gnutls_certificate_set_x509_key_file did not support encrypted keys. gnutls now has a gnutls_certificate_set_x509_key_file2 function that does support encrypted keys. Let's determine at compile time whether the available gnutls supports this new function. If it does then use it to pass the password. If it does not then emit a helpful diagnostic if a password is set. This is preferable to the previous behaviour of just failing to read the certificate without giving a reason in that case. Signed-off-by: Mike Crowe <mac@mcrowe.com>
This commit is contained in:
parent
7362008c1c
commit
6b56901b56
@ -1836,6 +1836,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
|
|||||||
AC_MSG_NOTICE([Added $gtlslib to LD_LIBRARY_PATH])
|
AC_MSG_NOTICE([Added $gtlslib to LD_LIBRARY_PATH])
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
AC_CHECK_FUNCS(gnutls_certificate_set_x509_key_file2)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
@ -656,15 +656,42 @@ gtls_connect_step1(struct connectdata *conn,
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
if(data->set.str[STRING_CERT]) {
|
if(data->set.str[STRING_CERT]) {
|
||||||
if(gnutls_certificate_set_x509_key_file(
|
if(data->set.str[STRING_KEY_PASSWD]) {
|
||||||
conn->ssl[sockindex].cred,
|
#if HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
|
||||||
data->set.str[STRING_CERT],
|
const unsigned int supported_key_encryption_algorithms =
|
||||||
data->set.str[STRING_KEY] ?
|
GNUTLS_PKCS_USE_PKCS12_3DES | GNUTLS_PKCS_USE_PKCS12_ARCFOUR |
|
||||||
data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
|
GNUTLS_PKCS_USE_PKCS12_RC2_40 | GNUTLS_PKCS_USE_PBES2_3DES |
|
||||||
do_file_type(data->set.str[STRING_CERT_TYPE]) ) !=
|
GNUTLS_PKCS_USE_PBES2_AES_128 | GNUTLS_PKCS_USE_PBES2_AES_192 |
|
||||||
GNUTLS_E_SUCCESS) {
|
GNUTLS_PKCS_USE_PBES2_AES_256;
|
||||||
failf(data, "error reading X.509 key or certificate file");
|
if(gnutls_certificate_set_x509_key_file2(
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
conn->ssl[sockindex].cred,
|
||||||
|
data->set.str[STRING_CERT],
|
||||||
|
data->set.str[STRING_KEY] ?
|
||||||
|
data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
|
||||||
|
do_file_type(data->set.str[STRING_CERT_TYPE]),
|
||||||
|
data->set.str[STRING_KEY_PASSWD],
|
||||||
|
supported_key_encryption_algorithms) !=
|
||||||
|
GNUTLS_E_SUCCESS) {
|
||||||
|
failf(data,
|
||||||
|
"error reading X.509 potentially-encrypted key file");
|
||||||
|
return CURLE_SSL_CONNECT_ERROR;
|
||||||
|
#else
|
||||||
|
failf(data, "gnutls lacks support for encrypted key files");
|
||||||
|
return CURLE_SSL_CONNECT_ERROR;
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
if(gnutls_certificate_set_x509_key_file(
|
||||||
|
conn->ssl[sockindex].cred,
|
||||||
|
data->set.str[STRING_CERT],
|
||||||
|
data->set.str[STRING_KEY] ?
|
||||||
|
data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
|
||||||
|
do_file_type(data->set.str[STRING_CERT_TYPE]) ) !=
|
||||||
|
GNUTLS_E_SUCCESS) {
|
||||||
|
failf(data, "error reading X.509 key or certificate file");
|
||||||
|
return CURLE_SSL_CONNECT_ERROR;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user