From 5e3836055ff8697c0d0ea514fdc9e16ca4b3c424 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Fri, 11 Nov 2005 23:20:07 +0000
Subject: [PATCH] Dima Barsky patched problem #1348930: the GnuTLS code completely ignored client certificates! (http://curl.haxx.se/bug/view.cgi?id=1348930).
---
 CHANGES | 4 ++++
 RELEASE-NOTES | 1 +
 lib/gtls.c | 24 +++++++++++++++++++++++-
 3 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index 9ff231672c..13ef347f16 100644
--- a/CHANGES
+++ b/CHANGES
@@ -8,6 +8,10 @@
+Daniel (12 November 2005)
+- Dima Barsky patched problem #1348930: the GnuTLS code completely ignored
+ client certificates! (http://curl.haxx.se/bug/view.cgi?id=1348930).
+
 Daniel (10 November 2005)
 - David Lang fixed IPv6 support for TFTP!
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 4983334e5d..2fd2604332 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -18,6 +18,7 @@ This release includes the following changes:
 This release includes the following bugfixes:
+ o the GnuTLS code didn't support client certificates
 o TFTP over IPv6 works
 o no reverse lookups on IP addresses when ipv6-enabled
 o SSPI compatibility fix: using the proper DLLs
diff --git a/lib/gtls.c b/lib/gtls.c
index aa9d98dfa4..cc33deabfd 100644
--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -176,6 +176,18 @@ static CURLcode handshake(struct connectdata *conn,
 return CURLE_OK;
 }
+static gnutls_x509_crt_fmt_t do_file_type(const char *type)
+{
+ if(!type || !type[0])
+ return GNUTLS_X509_FMT_PEM;
+ if(curl_strequal(type, "PEM"))
+ return GNUTLS_X509_FMT_PEM;
+ if(curl_strequal(type, "DER"))
+ return GNUTLS_X509_FMT_DER;
+ return -1;
+}
+
+
 /*
 * This function is called after the TCP connect has completed. Setup the TLS
 * layer and do all necessary magic.
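Review bot: `return -1;` at the end of do_file_type hands back a value that is not a member of the function's declared return type gnutls_x509_crt_fmt_t, and whether that enum can even represent -1 depends on the integer type the compiler chooses for it (C99 6.7.2.2), so a caller's later `== -1` test is not guaranteed to match. Since the unsupported-type case is the only error this helper can signal, it should at least be documented so the caller knows it has to check for it; I would add above the function: `/* Map a --cert-type string to a GnuTLS format: NULL/empty -> PEM, "PEM"/"DER" case-insensitively; anything else yields -1, which the caller must reject before passing it to GnuTLS. */`. A safer shape would be an int return with the format as an out-parameter, so the sentinel is a plain int and the enum is never given an out-of-range value.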
@@ -253,7 +265,17 @@ Curl_gtls_connect(struct connectdata *conn,
 if(rc < 0)
 return CURLE_SSL_CONNECT_ERROR;
- /* put the anonymous credentials to the current session */
+ if(data->set.cert) {
+ if( gnutls_certificate_set_x509_key_file(
+ conn->ssl[sockindex].cred, data->set.cert,
+ data->set.key != 0 ? data->set.key : data->set.cert,
+ do_file_type(data->set.cert_type) ) ) {
+ failf(data, "error reading X.509 key or certificate file");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ }
+
+ /* put the credentials to the current session */
 rc = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
 conn->ssl[sockindex].cred);
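Review bot: The result of `do_file_type(data->set.cert_type)` goes straight into gnutls_certificate_set_x509_key_file without being tested against the helper's -1 "unsupported" value, so any --cert-type other than PEM or DER (for example a PKCS#12 bundle) is reported only as the generic "error reading X.509 key or certificate file", which sends the user looking at the wrong problem. Reject the unsupported type up front with its own message before the files are opened, and check `data->set.key` directly rather than `!= 0`. The same format is also applied to the key file; if this tree carries a separate key_type setting (not visible in the hunk) it is silently ignored here, which deserves at least a comment. Curl_gtls_connect begins before this hunk and, judging by the hunk header's line counts, at least one context line follows what is shown.
```c
  if(data->set.cert) {
    gnutls_x509_crt_fmt_t fmt = do_file_type(data->set.cert_type);
    if((int)fmt == -1) {
      failf(data, "unsupported file type '%s' for certificate",
            data->set.cert_type);
      return CURLE_SSL_CONNECT_ERROR;
    }
    if(gnutls_certificate_set_x509_key_file(
         conn->ssl[sockindex].cred, data->set.cert,
         data->set.key ? data->set.key : data->set.cert, fmt)) {
      /* … unchanged: failf + return CURLE_SSL_CONNECT_ERROR … */
    }
  }
```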