gnutls: fix use of pkcs11 urls for keys/certs
authorStefan Eissing <stefan@eissing.org>
Tue, 25 Feb 2025 09:31:43 +0000 (10:31 +0100)
committerDaniel Stenberg <daniel@haxx.se>
Fri, 28 Feb 2025 15:08:10 +0000 (16:08 +0100)
Fixes #16249
Forwarded-to-us-by: Carlos Henrique Lima Melara
Always use `gnutls_certificate_set_x509_key_file2()` for loading keys
and certificates, even without a password, since this function supports
pkcs11 urls.

Thanks to @tatsuhiro-t for finding this out.
Help-by: Tatsuhiro Tsujikawa
Closes #16472

lib/vtls/gtls.c

index 2807f4f95f29d426b2bc47f0ca9b2d48e016dc46..698ceed546c31ee57fbda264f79aaa0420b30511 100644 (file)
@@ -959,7 +959,7 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf,
         return CURLE_SSL_CONNECT_ERROR;
       }
     }
-    else if(ssl_config->key_passwd) {
+    else {
       const unsigned int supported_key_encryption_algorithms =
         GNUTLS_PKCS_USE_PKCS12_3DES | GNUTLS_PKCS_USE_PKCS12_ARCFOUR |
         GNUTLS_PKCS_USE_PKCS12_RC2_40 | GNUTLS_PKCS_USE_PBES2_3DES |
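Review bot: The new unconditional `else` that replaces the `key_passwd` guard carries no comment saying why the `_file2` loader is taken even when no password is set, and the next reader will be tempted to reinstate the guard because the password-free path looks like it only needs the simpler call. The commit message gives the reason, so I would put it on the branch: `/* always use the _file2 loader, even without a password: unlike gnutls_certificate_set_x509_key_file() it accepts PKCS#11 URLs for key and cert (#16249) */`. The `gnutls_certificate_set_x509_key_file2()` call itself sits in the lines between the two hunks, so I cannot see from here whether it keeps the key-defaults-to-clientcert fallback the removed branch had; worth confirming. gtls_client_init begins and ends outside the hunk.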
@@ -974,22 +974,12 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf,
            supported_key_encryption_algorithms);
       if(rc != GNUTLS_E_SUCCESS) {
         failf(data,
-              "error reading X.509 potentially-encrypted key file: %s",
+              "error reading X.509 %skey file: %s",
+              ssl_config->key_passwd ? "potentially-encrypted " : "",
               gnutls_strerror(rc));
         return CURLE_SSL_CONNECT_ERROR;
       }
     }
-    else {
-      if(gnutls_certificate_set_x509_key_file(
-           gtls->shared_creds->creds,
-           config->clientcert,
-           ssl_config->key ? ssl_config->key : config->clientcert,
-           gnutls_do_file_type(ssl_config->cert_type) ) !=
-         GNUTLS_E_SUCCESS) {
-        failf(data, "error reading X.509 key or certificate file");
-        return CURLE_SSL_CONNECT_ERROR;
-      }
-    }
   }
 
 #ifdef USE_GNUTLS_SRP
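Review bot: The remaining error message on the `failf` lines now says "key file" for every failure of the `_file2` loader, yet that call loads the certificate as well (the removed branch passed `config->clientcert` alongside the key and its message named both), so an unreadable certificate path will now be reported as a key-file error. I would widen the format to `"error reading X.509 %skey or certificate file: %s"` so the two existing `%s` arguments stay as they are and the message covers both inputs. `gnutls_strerror(rc)` is appended either way and is the part that actually identifies the failure, so this is a wording rather than a logic change. gtls_client_init continues outside the hunk on both sides.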