Here is another patch which adds the CURLINFO_GNUTLS_SESSION option to curl_easy_getinfo. It exposes the GnuTLS session to clients, which is useful if clients need to inspect certificate chains or other properties of the TLS connection. Naturally, the option only works if cURL was compiled with GnuTLS support (hence the GNUTLS in the name). This patch should be completely independent from my previous patch to support CURLINFO_CERTINFO with GnuTLS, and I think it is generally more useful as it allows applications to access certificates via the nice GnuTLS X509 APIs instead of having to parse the strings.
This time I did also update the man page to document the new option; I used 7.33.0 as the version number for the introduction in hope that this makes it in time for the merge window (we need this for the GNU Name System).

Happy hacking!

Christian

On 09/18/2013 10:14 PM, Christian Grothoff wrote:
> Here's a little patch to get CURLINFO_CERTINFO to do something
> meaningful if libcurl was compiled to use GnuTLS instead of OpenSSL.
>
> As described in the log, I'd prefer to get PEM as the returned text to
> the client, but the OpenSSL API doesn't allow that either. Would you
> be happy with a patch to add an option CURLINFO_CERTINFO_PEM that would
> return the server certificate in PEM format for machine-processing?
>
> Happy hacking!
>
> Christian
From 549e464a82580fb4cfb6ab928d679e897633ae91 Mon Sep 17 00:00:00 2001 From: Christian Grothoff <[email protected]> Date: Fri, 20 Sep 2013 16:27:10 +0200 Subject: [PATCH 2/2] Adding CURLINFO_GNUTLS_SESSION option for direct access to GnuTLS session. This adds support for CURLINFO_GNUTLS_SESSION in curl_easy_getinfo, which is useful for clients that want to inspect certificate chains and other TLS session information. --- docs/libcurl/curl_easy_getinfo.3 | 9 +++++++++ include/curl/curl.h | 6 +++--- lib/getinfo.c | 23 +++++++++++++++++++++++ 3 files changed, 35 insertions(+), 3 deletions(-) diff --git a/docs/libcurl/curl_easy_getinfo.3 b/docs/libcurl/curl_easy_getinfo.3 index 62d8ae4..c5a509c 100644 --- a/docs/libcurl/curl_easy_getinfo.3 +++ b/docs/libcurl/curl_easy_getinfo.3 @@ -221,6 +221,15 @@ provided in a series of data in the format "name:content" where the content is for the specific named data. See also the certinfo.c example. NOTE: this option is only available in libcurl built with OpenSSL support. (Added in 7.19.1) + +.IP CURLINFO_GNUTLS_SESSION +Pass a pointer to a 'gnutls_session' and you'll get it set to point to the +respective GnuTLS session used by this request. This can then be used to +extract certificate information in a format convenient for further +processing, such as manual validation. NOTE: this +option is only available in libcurl built with GnuTLS support. (Added in +7.33.0) + .IP CURLINFO_CONDITION_UNMET Pass a pointer to a long to receive the number 1 if the condition provided in the previous request didn't match (see \fICURLOPT_TIMECONDITION\fP). Alas, if diff --git a/include/curl/curl.h b/include/curl/curl.h index 4e09cf7..a63ee67 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h 
@@ -1388,8 +1388,7 @@ typedef enum { CINIT(ADDRESS_SCOPE, LONG, 171), /* Collect certificate chain info and allow it to get retrievable with - CURLINFO_CERTINFO after the transfer is complete. (Unfortunately) only - working with OpenSSL-powered builds. */ + CURLINFO_CERTINFO after the transfer is complete. */ CINIT(CERTINFO, LONG, 172), /* "name" and "pwd" to use when fetching. */ @@ -2031,9 +2030,10 @@ typedef enum { CURLINFO_PRIMARY_PORT = CURLINFO_LONG + 40, CURLINFO_LOCAL_IP = CURLINFO_STRING + 41, CURLINFO_LOCAL_PORT = CURLINFO_LONG + 42, + CURLINFO_GNUTLS_SESSION = CURLINFO_SLIST + 43, /* Fill in new entries below here! */ - CURLINFO_LASTONE = 42 + CURLINFO_LASTONE = 43 } CURLINFO; /* CURLINFO_RESPONSE_CODE is the new name for the option previously known as diff --git a/lib/getinfo.c b/lib/getinfo.c index 3d09dc6..36197c2 100644 --- a/lib/getinfo.c +++ b/lib/getinfo.c @@ -277,7 +277,30 @@ static CURLcode getinfo_slist(struct SessionHandle *data, CURLINFO info, ptr.to_certinfo = &data->info.certs; *param_slistp = ptr.to_slist; break; +#ifdef USE_GNUTLS + case CURLINFO_GNUTLS_SESSION: + { + union { + gnutls_session session; + struct curl_slist * to_slist; + } gptr; + struct connectdata *conn; + unsigned int sockindex; + conn = data->easy_conn; + sockindex = 0; + while((sockindex < sizeof(conn->ssl)/sizeof(conn->ssl[0])) && + (! conn->ssl[sockindex].use)) sockindex++; + if(sockindex == sizeof(conn->ssl)/sizeof(conn->ssl[0])) { + *param_slistp = NULL; + break; + } + gptr.session = conn->ssl[sockindex].session; + *param_slistp = gptr.to_slist; + break; + } + break; +#endif default: return CURLE_BAD_FUNCTION_ARGUMENT; } -- 1.7.10.4
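Review bot: The man page hunk for CURLINFO_GNUTLS_SESSION does not say what the caller gets when the request used no TLS at all or when the connection has already been closed, and it does not state that the returned session is owned by libcurl. The getinfo.c hunk writes NULL when no ssl[] slot is in use, so the text should say "set to NULL if no TLS session is in use for this request" and add that the pointer is only valid while that connection stays open; an application that keeps it past the connection's lifetime (or after the connection has been handed back to the cache and reused) will read a stale session.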
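Review bot: The first curl.h hunk removes the "(Unfortunately) only working with OpenSSL-powered builds" comment on CURLOPT_CERTINFO, which is a change belonging to the earlier CURLINFO_CERTINFO-with-GnuTLS patch, not to this one; the covering mail says this patch is meant to be independent, and the curl_easy_getinfo.3 hunk in the same series still says CERTINFO "is only available in libcurl built with OpenSSL support", so the comment and the man page now disagree. Drop this hunk here and keep the comment change with the CERTINFO patch.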
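Review bot: In the second curl.h hunk CURLINFO_GNUTLS_SESSION is declared as `CURLINFO_SLIST + 43`, but the value stored is a `gnutls_session`, not a `struct curl_slist *`. Anything that dispatches on the CURLINFO type bits (language bindings, wrappers that walk the list for SLIST results) will treat the session handle as a list head and dereference it as one. Either introduce a type class for raw pointers or, at minimum, comment in curl.h that this entry carries an opaque pointer despite the SLIST tag. It would also help to note that the enum value exists in every build, while curl_easy_getinfo returns CURLE_BAD_FUNCTION_ARGUMENT for it unless USE_GNUTLS is set.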
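Review bot: The getinfo.c hunk dereferences `conn->ssl[...]` right after `conn = data->easy_conn;` with no NULL check; once a transfer has completed the easy handle may no longer be attached to a connection, so a caller asking for the session after curl_easy_perform returns can hit a NULL dereference. Add `if(!conn) { *param_slistp = NULL; break; }` before the loop. Two smaller points: the `break;` after the closing brace of the block is unreachable, since both paths inside the block already break; and the block uses the `gnutls_session` type without this hunk adding a GnuTLS include, so it relies on a header already pulled into getinfo.c under USE_GNUTLS, which is worth confirming.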
