static CURLcode
gtls_connect_step1(struct connectdata *conn,
int sockindex)
{
struct SessionHandle *data = conn->data;
gnutls_session_t session;
int rc;
void *ssl_sessionid;
size_t ssl_idsize;
bool sni = TRUE; /* default is SNI enabled */
#ifdef ENABLE_IPV6
struct in6_addr addr;
#else
struct in_addr addr;
#endif
#ifndef USE_GNUTLS_PRIORITY_SET_DIRECT
static const int cipher_priority[] = {
/* These two ciphers were added to GnuTLS as late as ver. 3.0.1,
but this code path is only ever used for ver. < 2.12.0.
GNUTLS_CIPHER_AES_128_GCM,
GNUTLS_CIPHER_AES_256_GCM,
*/
GNUTLS_CIPHER_AES_128_CBC,
GNUTLS_CIPHER_AES_256_CBC,
GNUTLS_CIPHER_CAMELLIA_128_CBC,
GNUTLS_CIPHER_CAMELLIA_256_CBC,
GNUTLS_CIPHER_3DES_CBC,
};
static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 };
static int protocol_priority[] = { 0, 0, 0, 0 };
#else
#define GNUTLS_CIPHERS "NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509"
/* If GnuTLS was compiled without support for SRP it will error out if SRP is
requested in the priority string, so treat it specially
*/
#define GNUTLS_SRP "+SRP"
const char* prioritylist;
const char *err = NULL;
#endif
if(conn->ssl[sockindex].state == ssl_connection_complete)
/* to make us tolerant against being called more than once for the
same connection */
return CURLE_OK;
if(!gtls_inited)
Curl_gtls_init();
/* GnuTLS only supports SSLv3 and TLSv1 */
if(data->set.ssl.version == CURL_SSLVERSION_SSLv2) {
failf(data, "GnuTLS does not support SSLv2");
return CURLE_SSL_CONNECT_ERROR;
}
else if(data->set.ssl.version == CURL_SSLVERSION_SSLv3)
sni = FALSE; /* SSLv3 has no SNI */
/* allocate a cred struct */
rc = gnutls_certificate_allocate_credentials(&conn->ssl[sockindex].cred);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_cert_all_cred() failed: %s", gnutls_strerror(rc));
return CURLE_SSL_CONNECT_ERROR;
}
#ifdef USE_TLS_SRP
if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
infof(data, "Using TLS-SRP username: %s\n", data->set.ssl.username);
rc = gnutls_srp_allocate_client_credentials(
&conn->ssl[sockindex].srp_client_cred);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_srp_allocate_client_cred() failed: %s",
gnutls_strerror(rc));
return CURLE_OUT_OF_MEMORY;
}
rc = gnutls_srp_set_client_credentials(conn->ssl[sockindex].
srp_client_cred,
data->set.ssl.username,
data->set.ssl.password);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_srp_set_client_cred() failed: %s",
gnutls_strerror(rc));
return CURLE_BAD_FUNCTION_ARGUMENT;
}
}
#endif
if(data->set.ssl.CAfile) {
/* set the trusted CA cert bundle file */
gnutls_certificate_set_verify_flags(conn->ssl[sockindex].cred,
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
rc = gnutls_certificate_set_x509_trust_file(conn->ssl[sockindex].cred,
data->set.ssl.CAfile,
GNUTLS_X509_FMT_PEM);
if(rc < 0) {
infof(data, "error reading ca cert file %s (%s)\n",
data->set.ssl.CAfile, gnutls_strerror(rc));
if(data->set.ssl.verifypeer)
return CURLE_SSL_CACERT_BADFILE;
}
else
infof(data, "found %d certificates in %s\n",
rc, data->set.ssl.CAfile);
}
#ifdef HAS_CAPATH
if(data->set.ssl.CApath) {
/* set the trusted CA cert directory */
rc = gnutls_certificate_set_x509_trust_dir(conn->ssl[sockindex].cred,
data->set.ssl.CApath,
GNUTLS_X509_FMT_PEM);
if(rc < 0) {
infof(data, "error reading ca cert file %s (%s)\n",
data->set.ssl.CAfile, gnutls_strerror(rc));
if(data->set.ssl.verifypeer)
return CURLE_SSL_CACERT_BADFILE;
}
else
infof(data, "found %d certificates in %s\n",
rc, data->set.ssl.CApath);
}
#endif
#ifdef CURL_CA_FALLBACK
/* use system ca certificate store as fallback */
if(data->set.ssl.verifypeer &&
!(data->set.ssl.CAfile || data->set.ssl.CApath)) {
gnutls_certificate_set_x509_system_trust(conn->ssl[sockindex].cred);
}
#endif
if(data->set.ssl.CRLfile) {
/* set the CRL list file */
rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred,
data->set.ssl.CRLfile,
GNUTLS_X509_FMT_PEM);
if(rc < 0) {
failf(data, "error reading crl file %s (%s)",
data->set.ssl.CRLfile, gnutls_strerror(rc));
return CURLE_SSL_CRL_BADFILE;
}
else
infof(data, "found %d CRL in %s\n",
rc, data->set.ssl.CRLfile);
}
/* Initialize TLS session as a client */
rc = gnutls_init(&conn->ssl[sockindex].session, GNUTLS_CLIENT);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_init() failed: %d", rc);
return CURLE_SSL_CONNECT_ERROR;
}
/* convenient assign */
session = conn->ssl[sockindex].session;
if((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) &&
#ifdef ENABLE_IPV6
(0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
#endif
sni &&
(gnutls_server_name_set(session, GNUTLS_NAME_DNS, conn->host.name,
strlen(conn->host.name)) < 0))
infof(data, "WARNING: failed to configure server name indication (SNI) "
"TLS extension\n");
/* Use default priorities */
rc = gnutls_set_default_priority(session);
if(rc != GNUTLS_E_SUCCESS)
return CURLE_SSL_CONNECT_ERROR;
#ifndef USE_GNUTLS_PRIORITY_SET_DIRECT
rc = gnutls_cipher_set_priority(session, cipher_priority);
if(rc != GNUTLS_E_SUCCESS)
return CURLE_SSL_CONNECT_ERROR;
/* Sets the priority on the certificate types supported by gnutls. Priority
is higher for types specified before others. After specifying the types
you want, you must append a 0. */
rc = gnutls_certificate_type_set_priority(session, cert_type_priority);
if(rc != GNUTLS_E_SUCCESS)
return CURLE_SSL_CONNECT_ERROR;
if(data->set.ssl.cipher_list != NULL) {
failf(data, "can't pass a custom cipher list to older GnuTLS"
" versions");
return CURLE_SSL_CONNECT_ERROR;
}
switch (data->set.ssl.version) {
case CURL_SSLVERSION_SSLv3:
protocol_priority[0] = GNUTLS_SSL3;
break;
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
protocol_priority[0] = GNUTLS_TLS1_0;
protocol_priority[1] = GNUTLS_TLS1_1;
protocol_priority[2] = GNUTLS_TLS1_2;
break;
case CURL_SSLVERSION_TLSv1_0:
protocol_priority[0] = GNUTLS_TLS1_0;
break;
case CURL_SSLVERSION_TLSv1_1:
protocol_priority[0] = GNUTLS_TLS1_1;
break;
case CURL_SSLVERSION_TLSv1_2:
protocol_priority[0] = GNUTLS_TLS1_2;
break;
case CURL_SSLVERSION_SSLv2:
default:
failf(data, "GnuTLS does not support SSLv2");
return CURLE_SSL_CONNECT_ERROR;
break;
}
rc = gnutls_protocol_set_priority(session, protocol_priority);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "Did you pass a valid GnuTLS cipher list?");
return CURLE_SSL_CONNECT_ERROR;
}
#else
/* Ensure +SRP comes at the *end* of all relevant strings so that it can be
* removed if a run-time error indicates that SRP is not supported by this
* GnuTLS version */
switch (data->set.ssl.version) {
case CURL_SSLVERSION_SSLv3:
prioritylist = GNUTLS_CIPHERS ":-VERS-TLS-ALL:+VERS-SSL3.0";
sni = false;
break;
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:" GNUTLS_SRP;
break;
case CURL_SSLVERSION_TLSv1_0:
prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
"+VERS-TLS1.0:" GNUTLS_SRP;
break;
case CURL_SSLVERSION_TLSv1_1:
prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
"+VERS-TLS1.1:" GNUTLS_SRP;
break;
case CURL_SSLVERSION_TLSv1_2:
prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
"+VERS-TLS1.2:" GNUTLS_SRP;
break;
case CURL_SSLVERSION_SSLv2:
default:
failf(data, "GnuTLS does not support SSLv2");
return CURLE_SSL_CONNECT_ERROR;
break;
}
rc = gnutls_priority_set_direct(session, prioritylist, &err);
if((rc == GNUTLS_E_INVALID_REQUEST) && err) {
if(!strcmp(err, GNUTLS_SRP)) {
/* This GnuTLS was probably compiled without support for SRP.
* Note that fact and try again without it. */
int validprioritylen = curlx_uztosi(err - prioritylist);
char *prioritycopy = strdup(prioritylist);
if(!prioritycopy)
return CURLE_OUT_OF_MEMORY;
infof(data, "This GnuTLS does not support SRP\n");
if(validprioritylen)
/* Remove the :+SRP */
prioritycopy[validprioritylen - 1] = 0;
rc = gnutls_priority_set_direct(session, prioritycopy, &err);
free(prioritycopy);
}
}
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "Error %d setting GnuTLS cipher list starting with %s",
rc, err);
return CURLE_SSL_CONNECT_ERROR;
}
#endif
#ifdef HAS_ALPN
if(data->set.ssl_enable_alpn) {
int cur = 0;
gnutls_datum_t protocols[2];
#ifdef USE_NGHTTP2
if(data->set.httpversion >= CURL_HTTP_VERSION_2) {
protocols[cur].data = (unsigned char *)NGHTTP2_PROTO_VERSION_ID;
protocols[cur].size = NGHTTP2_PROTO_VERSION_ID_LEN;
cur++;
infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
}
#endif
protocols[cur].data = (unsigned char *)ALPN_HTTP_1_1;
protocols[cur].size = ALPN_HTTP_1_1_LENGTH;
cur++;
infof(data, "ALPN, offering %s\n", ALPN_HTTP_1_1);
gnutls_alpn_set_protocols(session, protocols, cur, 0);
}
#endif
if(data->set.str[STRING_CERT]) {
if(data->set.str[STRING_KEY_PASSWD]) {
#if HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
const unsigned int supported_key_encryption_algorithms =
GNUTLS_PKCS_USE_PKCS12_3DES | GNUTLS_PKCS_USE_PKCS12_ARCFOUR |
GNUTLS_PKCS_USE_PKCS12_RC2_40 | GNUTLS_PKCS_USE_PBES2_3DES |
GNUTLS_PKCS_USE_PBES2_AES_128 | GNUTLS_PKCS_USE_PBES2_AES_192 |
GNUTLS_PKCS_USE_PBES2_AES_256;
rc = gnutls_certificate_set_x509_key_file2(
conn->ssl[sockindex].cred,
data->set.str[STRING_CERT],
data->set.str[STRING_KEY] ?
data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
do_file_type(data->set.str[STRING_CERT_TYPE]),
data->set.str[STRING_KEY_PASSWD],
supported_key_encryption_algorithms);
if(rc != GNUTLS_E_SUCCESS) {
failf(data,
"error reading X.509 potentially-encrypted key file: %s",
gnutls_strerror(rc));
return CURLE_SSL_CONNECT_ERROR;
}
#else
failf(data, "gnutls lacks support for encrypted key files");
return CURLE_SSL_CONNECT_ERROR;
#endif
}
else {
rc = gnutls_certificate_set_x509_key_file(
conn->ssl[sockindex].cred,
data->set.str[STRING_CERT],
data->set.str[STRING_KEY] ?
data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
do_file_type(data->set.str[STRING_CERT_TYPE]) );
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "error reading X.509 key or certificate file: %s",
gnutls_strerror(rc));
return CURLE_SSL_CONNECT_ERROR;
}
}
}
#ifdef USE_TLS_SRP
/* put the credentials to the current session */
if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
conn->ssl[sockindex].srp_client_cred);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_credentials_set() failed: %s", gnutls_strerror(rc));
return CURLE_SSL_CONNECT_ERROR;
}
}
else
#endif
{
rc = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
conn->ssl[sockindex].cred);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_credentials_set() failed: %s", gnutls_strerror(rc));
return CURLE_SSL_CONNECT_ERROR;
}
}
/* set the connection handle (file descriptor for the socket) */
gnutls_transport_set_ptr(session,
GNUTLS_INT_TO_POINTER_CAST(conn->sock[sockindex]));
/* register callback functions to send and receive data. */
gnutls_transport_set_push_function(session, Curl_gtls_push);
gnutls_transport_set_pull_function(session, Curl_gtls_pull);
/* lowat must be set to zero when using custom push and pull functions. */
gnutls_transport_set_lowat(session, 0);
#ifdef HAS_OCSP
if(data->set.ssl.verifystatus) {
rc = gnutls_ocsp_status_request_enable_client(session, NULL, 0, NULL);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_ocsp_status_request_enable_client() failed: %d", rc);
return CURLE_SSL_CONNECT_ERROR;
}
}
#endif
/* This might be a reconnect, so we check for a session ID in the cache
to speed up things */
if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize)) {
/* we got a session id, use it! */
gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
/* Informational message */
infof (data, "SSL re-using session ID\n");
}
return CURLE_OK;
}
/**
* gnutls_init:
* @session: is a pointer to a #gnutls_session_t structure.
* @flags: indicate if this session is to be used for server or client.
*
* This function initializes the current session to null. Every
* session must be initialized before use, so internal structures can
* be allocated. This function allocates structures which can only
* be free'd by calling gnutls_deinit(). Returns %GNUTLS_E_SUCCESS (0) on success.
*
* @flags can be one of %GNUTLS_CLIENT and %GNUTLS_SERVER. For a DTLS
* entity, the flags %GNUTLS_DATAGRAM and %GNUTLS_NONBLOCK are
* also available. The latter flag will enable a non-blocking
* operation of the DTLS timers.
*
* The flag %GNUTLS_NO_REPLAY_PROTECTION will disable any
* replay protection in DTLS mode. That must only used when
* replay protection is achieved using other means.
*
* Note that since version 3.1.2 this function enables some common
* TLS extensions such as session tickets and OCSP certificate status
* request in client side by default. To prevent that use the %GNUTLS_NO_EXTENSIONS
* flag.
*
* Returns: %GNUTLS_E_SUCCESS on success, or an error code.
**/
int gnutls_init(gnutls_session_t * session, unsigned int flags)
{
int ret;
record_parameters_st *epoch;
FAIL_IF_LIB_ERROR;
*session = gnutls_calloc(1, sizeof(struct gnutls_session_int));
if (*session == NULL)
return GNUTLS_E_MEMORY_ERROR;
ret = _gnutls_epoch_alloc(*session, 0, &epoch);
if (ret < 0) {
gnutls_assert();
return GNUTLS_E_MEMORY_ERROR;
}
/* Set all NULL algos on epoch 0 */
_gnutls_epoch_set_null_algos(*session, epoch);
(*session)->security_parameters.epoch_next = 1;
(*session)->security_parameters.entity =
(flags & GNUTLS_SERVER ? GNUTLS_SERVER : GNUTLS_CLIENT);
/* the default certificate type for TLS */
(*session)->security_parameters.cert_type = DEFAULT_CERT_TYPE;
/* Initialize buffers */
_gnutls_buffer_init(&(*session)->internals.handshake_hash_buffer);
_gnutls_buffer_init(&(*session)->internals.hb_remote_data);
_gnutls_buffer_init(&(*session)->internals.hb_local_data);
_gnutls_buffer_init(&(*session)->internals.record_presend_buffer);
_mbuffer_head_init(&(*session)->internals.record_buffer);
_mbuffer_head_init(&(*session)->internals.record_send_buffer);
_mbuffer_head_init(&(*session)->internals.record_recv_buffer);
_mbuffer_head_init(&(*session)->internals.handshake_send_buffer);
_gnutls_handshake_recv_buffer_init(*session);
(*session)->internals.expire_time = DEFAULT_EXPIRE_TIME; /* one hour default */
gnutls_handshake_set_max_packet_length((*session),
MAX_HANDSHAKE_PACKET_SIZE);
/* set the socket pointers to -1;
*/
(*session)->internals.transport_recv_ptr =
(gnutls_transport_ptr_t) - 1;
(*session)->internals.transport_send_ptr =
(gnutls_transport_ptr_t) - 1;
/* set the default maximum record size for TLS
*/
(*session)->security_parameters.max_record_recv_size =
DEFAULT_MAX_RECORD_SIZE;
(*session)->security_parameters.max_record_send_size =
DEFAULT_MAX_RECORD_SIZE;
/* everything else not initialized here is initialized
* as NULL or 0. This is why calloc is used.
*/
_gnutls_handshake_internal_state_init(*session);
/* emulate old gnutls behavior for old applications that do not use the priority_*
* functions.
*/
(*session)->internals.priorities.sr = SR_PARTIAL;
#ifdef HAVE_WRITEV
gnutls_transport_set_vec_push_function(*session, system_writev);
#else
gnutls_transport_set_push_function(*session, system_write);
#endif
gnutls_transport_set_pull_function(*session, system_read);
gnutls_transport_set_errno_function(*session, system_errno);
gnutls_transport_set_pull_timeout_function(*session,
system_recv_timeout);
(*session)->internals.hb_retrans_timeout_ms = 1000;
(*session)->internals.hb_total_timeout_ms = 60000;
if (flags & GNUTLS_DATAGRAM) {
(*session)->internals.dtls.mtu = DTLS_DEFAULT_MTU;
(*session)->internals.transport = GNUTLS_DGRAM;
(*session)->internals.dtls.retrans_timeout_ms = 1000;
(*session)->internals.dtls.total_timeout_ms = 60000;
} else
(*session)->internals.transport = GNUTLS_STREAM;
if (flags & GNUTLS_NONBLOCK)
(*session)->internals.dtls.blocking = 0;
else
(*session)->internals.dtls.blocking = 1;
/* Enable useful extensions */
if ((flags & GNUTLS_CLIENT) && !(flags & GNUTLS_NO_EXTENSIONS)) {
#ifdef ENABLE_SESSION_TICKETS
gnutls_session_ticket_enable_client(*session);
#endif
#ifdef ENABLE_OCSP
gnutls_ocsp_status_request_enable_client(*session, NULL, 0,
NULL);
#endif
}
if (flags & GNUTLS_NO_REPLAY_PROTECTION)
(*session)->internals.no_replay_protection = 1;
return 0;
}
int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
const struct tls_connection_params *params)
{
int ret;
if (conn == NULL || params == NULL)
return -1;
if (params->flags & TLS_CONN_EXT_CERT_CHECK) {
wpa_printf(MSG_INFO,
"GnuTLS: tls_ext_cert_check=1 not supported");
return -1;
}
if (params->subject_match) {
wpa_printf(MSG_INFO, "GnuTLS: subject_match not supported");
return -1;
}
if (params->altsubject_match) {
wpa_printf(MSG_INFO, "GnuTLS: altsubject_match not supported");
return -1;
}
os_free(conn->suffix_match);
conn->suffix_match = NULL;
if (params->suffix_match) {
conn->suffix_match = os_strdup(params->suffix_match);
if (conn->suffix_match == NULL)
return -1;
}
#if GNUTLS_VERSION_NUMBER >= 0x030300
os_free(conn->domain_match);
conn->domain_match = NULL;
if (params->domain_match) {
conn->domain_match = os_strdup(params->domain_match);
if (conn->domain_match == NULL)
return -1;
}
#else /* < 3.3.0 */
if (params->domain_match) {
wpa_printf(MSG_INFO, "GnuTLS: domain_match not supported");
return -1;
}
#endif /* >= 3.3.0 */
conn->flags = params->flags;
if (params->openssl_ciphers) {
wpa_printf(MSG_INFO, "GnuTLS: openssl_ciphers not supported");
return -1;
}
/* TODO: gnutls_certificate_set_verify_flags(xcred, flags);
* to force peer validation(?) */
if (params->ca_cert) {
wpa_printf(MSG_DEBUG, "GnuTLS: Try to parse %s in DER format",
params->ca_cert);
ret = gnutls_certificate_set_x509_trust_file(
conn->xcred, params->ca_cert, GNUTLS_X509_FMT_DER);
if (ret < 0) {
wpa_printf(MSG_DEBUG,
"GnuTLS: Failed to read CA cert '%s' in DER format (%s) - try in PEM format",
params->ca_cert,
gnutls_strerror(ret));
ret = gnutls_certificate_set_x509_trust_file(
conn->xcred, params->ca_cert,
GNUTLS_X509_FMT_PEM);
if (ret < 0) {
wpa_printf(MSG_DEBUG,
"Failed to read CA cert '%s' in PEM format: %s",
params->ca_cert,
gnutls_strerror(ret));
return -1;
}
}
} else if (params->ca_cert_blob) {
gnutls_datum_t ca;
ca.data = (unsigned char *) params->ca_cert_blob;
ca.size = params->ca_cert_blob_len;
ret = gnutls_certificate_set_x509_trust_mem(
conn->xcred, &ca, GNUTLS_X509_FMT_DER);
if (ret < 0) {
wpa_printf(MSG_DEBUG,
"Failed to parse CA cert in DER format: %s",
gnutls_strerror(ret));
ret = gnutls_certificate_set_x509_trust_mem(
conn->xcred, &ca, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
wpa_printf(MSG_DEBUG,
"Failed to parse CA cert in PEM format: %s",
gnutls_strerror(ret));
return -1;
}
}
} else if (params->ca_path) {
wpa_printf(MSG_INFO, "GnuTLS: ca_path not supported");
return -1;
}
conn->disable_time_checks = 0;
if (params->ca_cert || params->ca_cert_blob) {
conn->verify_peer = 1;
gnutls_certificate_set_verify_function(
conn->xcred, tls_connection_verify_peer);
if (params->flags & TLS_CONN_ALLOW_SIGN_RSA_MD5) {
gnutls_certificate_set_verify_flags(
conn->xcred, GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
}
if (params->flags & TLS_CONN_DISABLE_TIME_CHECKS) {
conn->disable_time_checks = 1;
gnutls_certificate_set_verify_flags(
conn->xcred,
GNUTLS_VERIFY_DISABLE_TIME_CHECKS);
}
}
if (params->client_cert && params->private_key) {
#if GNUTLS_VERSION_NUMBER >= 0x03010b
ret = gnutls_certificate_set_x509_key_file2(
conn->xcred, params->client_cert, params->private_key,
GNUTLS_X509_FMT_DER, params->private_key_passwd, 0);
#else
/* private_key_passwd not (easily) supported here */
ret = gnutls_certificate_set_x509_key_file(
conn->xcred, params->client_cert, params->private_key,
GNUTLS_X509_FMT_DER);
#endif
if (ret < 0) {
wpa_printf(MSG_DEBUG, "Failed to read client cert/key "
"in DER format: %s", gnutls_strerror(ret));
#if GNUTLS_VERSION_NUMBER >= 0x03010b
ret = gnutls_certificate_set_x509_key_file2(
conn->xcred, params->client_cert,
params->private_key, GNUTLS_X509_FMT_PEM,
params->private_key_passwd, 0);
#else
ret = gnutls_certificate_set_x509_key_file(
conn->xcred, params->client_cert,
params->private_key, GNUTLS_X509_FMT_PEM);
#endif
if (ret < 0) {
wpa_printf(MSG_DEBUG, "Failed to read client "
"cert/key in PEM format: %s",
gnutls_strerror(ret));
return ret;
}
}
} else if (params->private_key) {
int pkcs12_ok = 0;
#ifdef PKCS12_FUNCS
/* Try to load in PKCS#12 format */
ret = gnutls_certificate_set_x509_simple_pkcs12_file(
conn->xcred, params->private_key, GNUTLS_X509_FMT_DER,
params->private_key_passwd);
if (ret != 0) {
wpa_printf(MSG_DEBUG, "Failed to load private_key in "
"PKCS#12 format: %s", gnutls_strerror(ret));
return -1;
} else
pkcs12_ok = 1;
#endif /* PKCS12_FUNCS */
if (!pkcs12_ok) {
wpa_printf(MSG_DEBUG, "GnuTLS: PKCS#12 support not "
"included");
return -1;
}
} else if (params->client_cert_blob && params->private_key_blob) {
gnutls_datum_t cert, key;
cert.data = (unsigned char *) params->client_cert_blob;
cert.size = params->client_cert_blob_len;
key.data = (unsigned char *) params->private_key_blob;
key.size = params->private_key_blob_len;
#if GNUTLS_VERSION_NUMBER >= 0x03010b
ret = gnutls_certificate_set_x509_key_mem2(
conn->xcred, &cert, &key, GNUTLS_X509_FMT_DER,
params->private_key_passwd, 0);
#else
/* private_key_passwd not (easily) supported here */
ret = gnutls_certificate_set_x509_key_mem(
conn->xcred, &cert, &key, GNUTLS_X509_FMT_DER);
#endif
if (ret < 0) {
wpa_printf(MSG_DEBUG, "Failed to read client cert/key "
"in DER format: %s", gnutls_strerror(ret));
#if GNUTLS_VERSION_NUMBER >= 0x03010b
ret = gnutls_certificate_set_x509_key_mem2(
conn->xcred, &cert, &key, GNUTLS_X509_FMT_PEM,
params->private_key_passwd, 0);
#else
/* private_key_passwd not (easily) supported here */
ret = gnutls_certificate_set_x509_key_mem(
conn->xcred, &cert, &key, GNUTLS_X509_FMT_PEM);
#endif
if (ret < 0) {
wpa_printf(MSG_DEBUG, "Failed to read client "
"cert/key in PEM format: %s",
gnutls_strerror(ret));
return ret;
}
}
} else if (params->private_key_blob) {
#ifdef PKCS12_FUNCS
gnutls_datum_t key;
key.data = (unsigned char *) params->private_key_blob;
key.size = params->private_key_blob_len;
/* Try to load in PKCS#12 format */
ret = gnutls_certificate_set_x509_simple_pkcs12_mem(
conn->xcred, &key, GNUTLS_X509_FMT_DER,
params->private_key_passwd);
if (ret != 0) {
wpa_printf(MSG_DEBUG, "Failed to load private_key in "
"PKCS#12 format: %s", gnutls_strerror(ret));
return -1;
}
#else /* PKCS12_FUNCS */
wpa_printf(MSG_DEBUG, "GnuTLS: PKCS#12 support not included");
return -1;
#endif /* PKCS12_FUNCS */
}
#if GNUTLS_VERSION_NUMBER >= 0x030103
if (params->flags & (TLS_CONN_REQUEST_OCSP | TLS_CONN_REQUIRE_OCSP)) {
ret = gnutls_ocsp_status_request_enable_client(conn->session,
NULL, 0, NULL);
if (ret != GNUTLS_E_SUCCESS) {
wpa_printf(MSG_INFO,
"GnuTLS: Failed to enable OCSP client");
return -1;
}
}
#else /* 3.1.3 */
if (params->flags & TLS_CONN_REQUIRE_OCSP) {
wpa_printf(MSG_INFO,
"GnuTLS: OCSP not supported by this version of GnuTLS");
return -1;
}
#endif /* 3.1.3 */
conn->params_set = 1;
ret = gnutls_credentials_set(conn->session, GNUTLS_CRD_CERTIFICATE,
conn->xcred);
if (ret < 0) {
wpa_printf(MSG_INFO, "Failed to configure credentials: %s",
gnutls_strerror(ret));
}
return ret;
}
