author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-04-09 09:44:01 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-04-09 10:20:44 +0200 |
commit | e665044f1c8894993665fcc1030dc4344326797a (patch) | |
tree | 47475cf83c789016a6153bdfd76b6f8ab62c66d0 /doc/examples | |
parent | f7ad44f1b587e057070f57ceee521b8eecf060db (diff) | |
download | gnutls-e665044f1c8894993665fcc1030dc4344326797a.tar.gz |
Replaced gnutls_certificate_verify_peers3() with the extendable gnutls_certificate_verify_peers().
This allows new verification functionality to be added
without introducing new functions.
Diffstat (limited to 'doc/examples')
-rw-r--r-- | doc/examples/ex-client-x509.c | 24 | ||||
-rw-r--r-- | doc/examples/verify.c | 17 |
2 files changed, 36 insertions, 5 deletions
diff --git a/doc/examples/ex-client-x509.c b/doc/examples/ex-client-x509.c
index dc6b2985e0..ff90ad0bec 100644
--- a/doc/examples/ex-client-x509.c
+++ b/doc/examples/ex-client-x509.c
@@ -158,9 +158,29 @@ static int _verify_certificate_callback(gnutls_session_t session)
 /* This verification function uses the trusted CAs in the credentials
 * structure. So you must have installed one or more CA certificates.
 */
- ret = gnutls_certificate_verify_peers4(session, hostname,
- GNUTLS_KP_TLS_WWW_SERVER,
+
+ /* The following demonstrate two different verification functions,
+ * the more flexible gnutls_certificate_verify_peers(), as well
+ * as the old gnutls_certificate_verify_peers3(). */
+#if 1
+ {
+ gnutls_typed_vdata_st data[2];
+
+ memset(data, 0, sizeof(data));
+
+ data[0].type = GNUTLS_DT_DNS_HOSTNAME;
+ data[0].data = (void*)hostname;
+
+ data[1].type = GNUTLS_DT_KEY_PURPOSE_OID;
+ data[1].data = (void*)GNUTLS_KP_TLS_WWW_SERVER;
+
+ ret = gnutls_certificate_verify_peers(session, data, 2,
+ &status);
+ }
+#else
+ ret = gnutls_certificate_verify_peers3(session, hostname, &status);
+#endif
 if (ret < 0) {
 printf("Error\n");
 return GNUTLS_E_CERTIFICATE_ERROR;
diff --git a/doc/examples/verify.c b/doc/examples/verify.c
index 86d35808fc..2b5fa7a9c5 100644
--- a/doc/examples/verify.c
+++ b/doc/examples/verify.c
@@ -10,12 +10,17 @@
 #include "examples.h"
+/* The example below demonstrates the usage of the more powerful
+ * gnutls_certificate_verify_peers() which can be used to check
+ * the hostname, as well as the key purpose OID of the peer's
+ * certificate. */
 int verify_certificate_callback(gnutls_session_t session)
 {
 unsigned int status;
 int ret, type;
 const char *hostname;
 gnutls_datum_t out;
+ gnutls_typed_vdata_st data[2];
 /* read hostname */
 hostname = gnutls_session_get_ptr(session);
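Review bot: The new `data[0].data = (void*)hostname;` hands the session pointer's value straight to the hostname check, but nothing in this hunk rejects a NULL `hostname`, which is what the application gets from `gnutls_session_get_ptr()` (read above this hunk, as the verify.c hunk shows) when it never called `gnutls_session_set_ptr()`; the same gap is in the second verify.c hunk. Whether the library then skips the name match or returns an error is not visible here, so an example that readers copy into a verification callback should fail closed before building `data`, e.g. `if (hostname == NULL) return GNUTLS_E_CERTIFICATE_ERROR;`. The `#else` branch keeps `gnutls_certificate_verify_peers3()` as permanently dead code under `#if 1`; if the intent is to show both calls, a comment saying which one readers should prefer (or dropping the dead branch) would be clearer than a hard-coded preprocessor switch. The enclosing `_verify_certificate_callback` starts and ends outside this hunk.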
@@ -23,9 +28,15 @@ int verify_certificate_callback(gnutls_session_t session)
 /* This verification function uses the trusted CAs in the credentials
 * structure. So you must have installed one or more CA certificates.
 */
- ret = gnutls_certificate_verify_peers4(session, hostname,
- GNUTLS_KP_TLS_WWW_SERVER,
- &status);
+ data[0].type = GNUTLS_DT_DNS_HOSTNAME;
+ data[0].data = (void*)hostname;
+ data[0].size = 0;
+
+ data[1].type = GNUTLS_DT_KEY_PURPOSE_OID;
+ data[1].data = (void*)GNUTLS_KP_TLS_WWW_SERVER;
+ data[1].size = 0;
+ ret = gnutls_certificate_verify_peers(session, data, 2,
+ &status);
 if (ret < 0) {
 printf("Error\n");
 return GNUTLS_E_CERTIFICATE_ERROR; |
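Review bot: The two `.size = 0` assignments carry meaning that the example never states — presumably 0 tells the library to take the length from the NUL-terminated string, but a reader cannot confirm that from this code, so a comment such as `/* size 0: data is a NUL-terminated string, length taken from the terminator */` on `data[0].size = 0;` would make the contract explicit (confirm against the gnutls_certificate_verify_peers() documentation). The element count `2` in `gnutls_certificate_verify_peers(session, data, 2, &status)` duplicates the `data[2]` declaration from the first hunk; `sizeof(data) / sizeof(data[0])` keeps the two in step if a third entry is ever added. This hunk also initialises the entries field by field while the ex-client-x509.c hunk uses `memset(data, 0, sizeof(data))`; picking one idiom for both examples would avoid readers wondering whether the difference matters. `verify_certificate_callback` starts before and continues past this hunk.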