authorNikos Mavrogiannopoulos <nmav@gnutls.org>2011-11-04 22:03:25 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2011-11-04 22:03:25 +0100
commit97871a2d8ec3fc8ae7bded31feabf783cfdaed81 (patch)
tree2cfbc2fed7bf12137f682892d8df7704bb33d6be /doc/examples
parentafb47325dcb473f4b07a4ea13c49a3ee596f88f6 (diff)
Keep only a single X.509 client example. That example includes certificate verification.
Diffstat (limited to 'doc/examples')
-rw-r--r--doc/examples/Makefile.am4
-rw-r--r--doc/examples/ex-client-udp.c2
-rw-r--r--doc/examples/ex-client2.c118
-rw-r--r--doc/examples/ex-rfc2818.c180
-rw-r--r--doc/examples/examples.h5
-rw-r--r--doc/examples/verify.c89
6 files changed, 185 insertions, 213 deletions
diff --git a/doc/examples/Makefile.am b/doc/examples/Makefile.am
index 76afe837ab..0ed1eae2db 100644
--- a/doc/examples/Makefile.am
+++ b/doc/examples/Makefile.am
@@ -41,7 +41,7 @@ LDADD = libexamples.la \
CXX_LDADD = $(LDADD) \
../../lib/libgnutlsxx.la
-noinst_PROGRAMS = ex-client2 ex-client-resume ex-client-udp
+noinst_PROGRAMS = ex-client-resume ex-client-udp
noinst_PROGRAMS += ex-cert-select ex-rfc2818
if ENABLE_PKI
@@ -81,4 +81,4 @@ noinst_LTLIBRARIES = libexamples.la
libexamples_la_SOURCES = examples.h ex-alert.c ex-pkcs12.c \
ex-session-info.c ex-x509-info.c ex-verify.c \
- tcp.c udp.c ex-pkcs11-list.c
+ tcp.c udp.c ex-pkcs11-list.c verify.c
diff --git a/doc/examples/ex-client-udp.c b/doc/examples/ex-client-udp.c
index a2e6cccad6..7a0721a856 100644
--- a/doc/examples/ex-client-udp.c
+++ b/doc/examples/ex-client-udp.c
@@ -23,6 +23,7 @@
extern int udp_connect (void);
extern void udp_close (int sd);
+extern int verify_certificate_callback (gnutls_session_t session);
int
main (void)
@@ -40,6 +41,7 @@ main (void)
/* sets the trusted cas file */
gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
+ gnutls_certificate_set_verify_function (xcred, verify_certificate_callback);
/* Initialize TLS session */
gnutls_init (&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM);
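Review bot: The callback installed by the added `gnutls_certificate_set_verify_function` line reads the expected hostname with `gnutls_session_get_ptr`, and nothing in this hunk shows the UDP client storing one with `gnutls_session_set_ptr`; if the file never does, the callback's hostname check runs with a null pointer. ex-rfc2818.c does store it (`gnutls_session_set_ptr (session, (void *) "my_host_name");`), so the same call should be added after the `gnutls_init` call here, or the callback's requirement documented at the extern declaration. main continues outside the hunk.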
diff --git a/doc/examples/ex-client2.c b/doc/examples/ex-client2.c
deleted file mode 100644
index e58c910143..0000000000
--- a/doc/examples/ex-client2.c
+++ /dev/null
@@ -1,118 +0,0 @@
-/* This example code is placed in the public domain. */
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <arpa/inet.h>
-#include <unistd.h>
-#include <gnutls/gnutls.h>
-
-/* A very basic TLS client, with X.509 authentication.
- */
-
-#define MAX_BUF 1024
-#define CAFILE "ca.pem"
-#define MSG "GET / HTTP/1.0\r\n\r\n"
-
-extern int tcp_connect (void);
-extern void tcp_close (int sd);
-
-int
-main (void)
-{
- int ret, sd, ii;
- gnutls_session_t session;
- char buffer[MAX_BUF + 1];
- const char *err;
- gnutls_certificate_credentials_t xcred;
-
- gnutls_global_init ();
-
- /* X509 stuff */
- gnutls_certificate_allocate_credentials (&xcred);
-
- /* sets the trusted cas file
- */
- gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
-
- /* Initialize TLS session
- */
- gnutls_init (&session, GNUTLS_CLIENT);
-
- /* Use default priorities */
- ret = gnutls_priority_set_direct (session, "PERFORMANCE", &err);
- if (ret < 0)
- {
- if (ret == GNUTLS_E_INVALID_REQUEST)
- {
- fprintf (stderr, "Syntax error at: %s\n", err);
- }
- exit (1);
- }
-
- /* put the x509 credentials to the current session
- */
- gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
-
- /* connect to the peer
- */
- sd = tcp_connect ();
-
- gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
-
- /* Perform the TLS handshake
- */
- ret = gnutls_handshake (session);
-
- if (ret < 0)
- {
- fprintf (stderr, "*** Handshake failed\n");
- gnutls_perror (ret);
- goto end;
- }
- else
- {
- printf ("- Handshake was completed\n");
- }
-
- gnutls_record_send (session, MSG, strlen (MSG));
-
- ret = gnutls_record_recv (session, buffer, MAX_BUF);
- if (ret == 0)
- {
- printf ("- Peer has closed the TLS connection\n");
- goto end;
- }
- else if (ret < 0)
- {
- fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret));
- goto end;
- }
-
- printf ("- Received %d bytes: ", ret);
- for (ii = 0; ii < ret; ii++)
- {
- fputc (buffer[ii], stdout);
- }
- fputs ("\n", stdout);
-
- gnutls_bye (session, GNUTLS_SHUT_RDWR);
-
-end:
-
- tcp_close (sd);
-
- gnutls_deinit (session);
-
- gnutls_certificate_free_credentials (xcred);
-
- gnutls_global_deinit ();
-
- return 0;
-}
diff --git a/doc/examples/ex-rfc2818.c b/doc/examples/ex-rfc2818.c
index 04114f41ba..f7aa08d068 100644
--- a/doc/examples/ex-rfc2818.c
+++ b/doc/examples/ex-rfc2818.c
@@ -21,94 +21,9 @@
extern int tcp_connect (void);
extern void tcp_close (int sd);
+static int _verify_certificate_callback (gnutls_session_t session);
-/* This function will try to verify the peer's certificate, and
- * also check if the hostname matches, and the activation, expiration dates.
- */
-static int
-verify_certificate_callback (gnutls_session_t session)
-{
- unsigned int status;
- const gnutls_datum_t *cert_list;
- unsigned int cert_list_size;
- int ret;
- gnutls_x509_crt_t cert;
- const char *hostname;
-
- /* read hostname */
- hostname = gnutls_session_get_ptr (session);
-
- /* This verification function uses the trusted CAs in the credentials
- * structure. So you must have installed one or more CA certificates.
- */
- ret = gnutls_certificate_verify_peers2 (session, &status);
- if (ret < 0)
- {
- printf ("Error\n");
- return GNUTLS_E_CERTIFICATE_ERROR;
- }
-
- if (status & GNUTLS_CERT_INVALID)
- printf ("The certificate is not trusted.\n");
-
- if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
- printf ("The certificate hasn't got a known issuer.\n");
-
- if (status & GNUTLS_CERT_REVOKED)
- printf ("The certificate has been revoked.\n");
-
- if (status & GNUTLS_CERT_EXPIRED)
- printf ("The certificate has expired\n");
-
- if (status & GNUTLS_CERT_NOT_ACTIVATED)
- printf ("The certificate is not yet activated\n");
-
- /* Up to here the process is the same for X.509 certificates and
- * OpenPGP keys. From now on X.509 certificates are assumed. This can
- * be easily extended to work with openpgp keys as well.
- */
- if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509)
- return GNUTLS_E_CERTIFICATE_ERROR;
-
- if (gnutls_x509_crt_init (&cert) < 0)
- {
- printf ("error in initialization\n");
- return GNUTLS_E_CERTIFICATE_ERROR;
- }
-
- cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
- if (cert_list == NULL)
- {
- printf ("No certificate was found!\n");
- return GNUTLS_E_CERTIFICATE_ERROR;
- }
-
- /* This is not a real world example, since we only check the first
- * certificate in the given chain.
- */
- if (gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
- {
- printf ("error parsing certificate\n");
- return GNUTLS_E_CERTIFICATE_ERROR;
- }
-
-
- if (!gnutls_x509_crt_check_hostname (cert, hostname))
- {
- printf ("The certificate's owner does not match hostname '%s'\n",
- hostname);
- return GNUTLS_E_CERTIFICATE_ERROR;
- }
-
- gnutls_x509_crt_deinit (cert);
-
- /* notify gnutls to continue handshake normally */
- return 0;
-}
-
-
-int
-main (void)
+int main (void)
{
int ret, sd, ii;
gnutls_session_t session;
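Review bot: The new forward declaration names the callback `_verify_certificate_callback`, and C reserves every identifier that begins with an underscore at file scope (C11 7.1.3), so the leading underscore should be dropped: `static int verify_certificate_callback (gnutls_session_t session);`. The same rename applies to the `gnutls_certificate_set_verify_function` call in the next hunk and to the definition added in the last hunk of this file. main, which opens at the end of this hunk, continues outside it.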
@@ -124,9 +39,7 @@ main (void)
/* sets the trusted cas file
*/
gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
- gnutls_certificate_set_verify_function (xcred, verify_certificate_callback);
- gnutls_certificate_set_verify_flags (xcred,
- GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+ gnutls_certificate_set_verify_function (xcred, _verify_certificate_callback);
/* Initialize TLS session
*/
@@ -135,7 +48,7 @@ main (void)
gnutls_session_set_ptr (session, (void *) "my_host_name");
/* Use default priorities */
- ret = gnutls_priority_set_direct (session, "PERFORMANCE", &err);
+ ret = gnutls_priority_set_direct (session, "NORMAL", &err);
if (ret < 0)
{
if (ret == GNUTLS_E_INVALID_REQUEST)
@@ -205,3 +118,88 @@ end:
return 0;
}
+
+/* This function will verify the peer's certificate, and check
+ * if the hostname matches, as well as the activation, expiration dates.
+ */
+static int
+_verify_certificate_callback (gnutls_session_t session)
+{
+ unsigned int status;
+ const gnutls_datum_t *cert_list;
+ unsigned int cert_list_size;
+ int ret;
+ gnutls_x509_crt_t cert;
+ const char *hostname;
+
+ /* read hostname */
+ hostname = gnutls_session_get_ptr (session);
+
+ /* This verification function uses the trusted CAs in the credentials
+ * structure. So you must have installed one or more CA certificates.
+ */
+ ret = gnutls_certificate_verify_peers2 (session, &status);
+ if (ret < 0)
+ {
+ printf ("Error\n");
+ return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+
+ if (status & GNUTLS_CERT_INVALID)
+ printf ("The certificate is not trusted.\n");
+
+ if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
+ printf ("The certificate hasn't got a known issuer.\n");
+
+ if (status & GNUTLS_CERT_REVOKED)
+ printf ("The certificate has been revoked.\n");
+
+ if (status & GNUTLS_CERT_EXPIRED)
+ printf ("The certificate has expired\n");
+
+ if (status & GNUTLS_CERT_NOT_ACTIVATED)
+ printf ("The certificate is not yet activated\n");
+
+ /* Up to here the process is the same for X.509 certificates and
+ * OpenPGP keys. From now on X.509 certificates are assumed. This can
+ * be easily extended to work with openpgp keys as well.
+ */
+ if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509)
+ return GNUTLS_E_CERTIFICATE_ERROR;
+
+ if (gnutls_x509_crt_init (&cert) < 0)
+ {
+ printf ("error in initialization\n");
+ return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+
+ cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
+ if (cert_list == NULL)
+ {
+ printf ("No certificate was found!\n");
+ return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+
+ /* This is not a real world example, since we only check the first
+ * certificate in the given chain.
+ */
+ if (gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
+ {
+ printf ("error parsing certificate\n");
+ return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+
+
+ if (!gnutls_x509_crt_check_hostname (cert, hostname))
+ {
+ printf ("The certificate's owner does not match hostname '%s'\n",
+ hostname);
+ return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+
+ gnutls_x509_crt_deinit (cert);
+
+ /* notify gnutls to continue handshake normally */
+ return 0;
+}
+
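Review bot: The callback only prints when `status` reports an untrusted, expired, revoked or not-yet-activated certificate and then carries on to the hostname check, so it returns 0 — letting the handshake proceed — for any certificate whose hostname matches, trusted or not; after the five status prints add `if (status != 0) return GNUTLS_E_CERTIFICATE_ERROR;`. The identical body is added as verify_certificate_callback in verify.c in the last hunk of this commit and needs the same line. Separately, the three early returns between `gnutls_x509_crt_init` and `gnutls_x509_crt_deinit` (no peer list, import failure, hostname mismatch) leak `cert`; route them through a single exit that calls `gnutls_x509_crt_deinit (cert)` before returning the error. The "not a real world example" comment on the first-certificate-only check would also be more useful if it said why: the chain beyond position 0 has already been validated by `gnutls_certificate_verify_peers2`, and only the end-entity name is checked here.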
diff --git a/doc/examples/examples.h b/doc/examples/examples.h
index 286f4ff185..e96cb26080 100644
--- a/doc/examples/examples.h
+++ b/doc/examples/examples.h
@@ -3,8 +3,7 @@
void check_alert (gnutls_session_t session, int ret);
-int
-write_pkcs12 (const gnutls_datum_t * cert,
+int write_pkcs12 (const gnutls_datum_t * cert,
const gnutls_datum_t * pkcs8_key, const char *password);
void verify_certificate (gnutls_session_t session, const char *hostname);
@@ -18,4 +17,6 @@ verify_certificate_chain (const char *hostname,
const gnutls_datum_t * cert_chain,
int cert_chain_length);
+int verify_certificate_callback (gnutls_session_t session);
+
#endif /* EXAMPLES_H */
diff --git a/doc/examples/verify.c b/doc/examples/verify.c
new file mode 100644
index 0000000000..da7f4f7b55
--- /dev/null
+++ b/doc/examples/verify.c
@@ -0,0 +1,89 @@
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+
+int verify_certificate_callback (gnutls_session_t session)
+{
+ unsigned int status;
+ const gnutls_datum_t *cert_list;
+ unsigned int cert_list_size;
+ int ret;
+ gnutls_x509_crt_t cert;
+ const char *hostname;
+
+ /* read hostname */
+ hostname = gnutls_session_get_ptr (session);
+
+ /* This verification function uses the trusted CAs in the credentials
+ * structure. So you must have installed one or more CA certificates.
+ */
+ ret = gnutls_certificate_verify_peers2 (session, &status);
+ if (ret < 0)
+ {
+ printf ("Error\n");
+ return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+
+ if (status & GNUTLS_CERT_INVALID)
+ printf ("The certificate is not trusted.\n");
+
+ if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
+ printf ("The certificate hasn't got a known issuer.\n");
+
+ if (status & GNUTLS_CERT_REVOKED)
+ printf ("The certificate has been revoked.\n");
+
+ if (status & GNUTLS_CERT_EXPIRED)
+ printf ("The certificate has expired\n");
+
+ if (status & GNUTLS_CERT_NOT_ACTIVATED)
+ printf ("The certificate is not yet activated\n");
+
+ /* Up to here the process is the same for X.509 certificates and
+ * OpenPGP keys. From now on X.509 certificates are assumed. This can
+ * be easily extended to work with openpgp keys as well.
+ */
+ if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509)
+ return GNUTLS_E_CERTIFICATE_ERROR;
+
+ if (gnutls_x509_crt_init (&cert) < 0)
+ {
+ printf ("error in initialization\n");
+ return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+
+ cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
+ if (cert_list == NULL)
+ {
+ printf ("No certificate was found!\n");
+ return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+
+ /* This is not a real world example, since we only check the first
+ * certificate in the given chain.
+ */
+ if (gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
+ {
+ printf ("error parsing certificate\n");
+ return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+
+
+ if (!gnutls_x509_crt_check_hostname (cert, hostname))
+ {
+ printf ("The certificate's owner does not match hostname '%s'\n",
+ hostname);
+ return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+
+ gnutls_x509_crt_deinit (cert);
+
+ /* notify gnutls to continue handshake normally */
+ return 0;
+}
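Review bot: verify_certificate_callback is now the shared, externally visible verifier for the examples, but unlike the static copy in ex-rfc2818.c it carries no header comment stating its contract. Add a comment before the definition saying that it verifies the peer's chain against the trusted CAs in the credentials, reads the expected hostname from the session pointer (so callers must first call `gnutls_session_set_ptr` with it), checks the hostname only against the first certificate of the chain, and returns 0 to let the handshake continue or GNUTLS_E_CERTIFICATE_ERROR to abort it. The same note belongs on the prototype added to examples.h.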