author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2015-08-24 13:19:51 +0200 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2015-08-24 13:19:53 +0200 |
commit | 25f2b0814401d1e9c98f3fdc833e09b3c877fc72 (patch) | |
tree | 321568db92ed3036a575db1530d11b6763a2db7a /doc/examples | |
parent | ee67aa067421dea331f0c7b2e9f719833bb2b5e5 (diff) | |
download | gnutls-25f2b0814401d1e9c98f3fdc833e09b3c877fc72.tar.gz |
examples: simplify the X.509 client example by using the new verification API
Diffstat (limited to 'doc/examples')
-rw-r--r-- | doc/examples/ex-client-x509.c | 90 |
1 files changed, 20 insertions, 70 deletions
diff --git a/doc/examples/ex-client-x509.c b/doc/examples/ex-client-x509.c
index 98c4c577fa..1478d82b26 100644
--- a/doc/examples/ex-client-x509.c
+++ b/doc/examples/ex-client-x509.c
@@ -22,13 +22,15 @@ extern int tcp_connect(void);
 extern void tcp_close(int sd);
-static int _verify_certificate_callback(gnutls_session_t session);
 int main(void)
 {
 int ret, sd, ii;
 gnutls_session_t session;
 char buffer[MAX_BUF + 1];
+ gnutls_datum_t out;
+ int type;
+ unsigned status;
 #if 0
 const char *err;
 #endif
@@ -49,8 +51,6 @@ int main(void)
 */
 gnutls_certificate_set_x509_trust_file(xcred, CAFILE, GNUTLS_X509_FMT_PEM);
- gnutls_certificate_set_verify_function(xcred,
- _verify_certificate_callback);
 /* If client holds a certificate it can be set using the following:
 *
@@ -68,7 +68,7 @@ int main(void)
 gnutls_server_name_set(session, GNUTLS_NAME_DNS, "my_host_name", strlen("my_host_name"));
- /* use default priorities */
+ /* It is recommended to use the default priorities */
 gnutls_set_default_priority(session);
 #if 0 /* if more fine-graned control is required */
@@ -85,6 +85,7 @@ int main(void)
 /* put the x509 credentials to the current session */
 gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+ gnutls_session_auto_verify_cert(session, "my_host_name", 0);
 /* connect to the peer */
@@ -100,7 +101,6 @@ int main(void)
 ret = gnutls_handshake(session);
 } while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
-
 if (ret < 0) {
 fprintf(stderr, "*** Handshake failed\n");
 gnutls_perror(ret);
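Review bot: The hostname literal in the new `gnutls_session_auto_verify_cert(session, "my_host_name", 0);` duplicates the one already passed to `gnutls_server_name_set` in the @@ -68 hunk, so SNI and certificate verification can silently drift to different names if one is edited; a single `static const char hostname[] = "my_host_name";` used by both calls keeps them in step. The removed callback (@@ -148 hunk) also checked the key purpose explicitly via `GNUTLS_DT_KEY_PURPOSE_OID` / `GNUTLS_KP_TLS_WWW_SERVER`, and whether the auto-verify path applies that check is not visible here, so a comment on the new call stating exactly what it verifies (trust chain, hostname match, and key purpose if applicable) would replace what readers previously learned from the callback body. The callback obtained the hostname through `gnutls_session_get_ptr`; if main still calls `gnutls_session_set_ptr` outside these hunks, that call is now unused and should go. main starts and ends outside this hunk.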
@@ -113,6 +113,21 @@ int main(void)
 gnutls_free(desc);
 }
+ /* check certificate verification status */
+ type = gnutls_certificate_type_get(session);
+ status = gnutls_session_get_verify_cert_status(session);
+ ret =
+ gnutls_certificate_verification_status_print(status, type,
+ &out, 0);
+ if (ret < 0) {
+ printf("Error\n");
+ return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+
+ printf("%s", out.data);
+ gnutls_free(out.data);
+
+
 /* send data */
 gnutls_record_send(session, MSG, strlen(MSG));
 ret = gnutls_record_recv(session, buffer, MAX_BUF);
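Review bot: The new error path `return GNUTLS_E_CERTIFICATE_ERROR;` now sits in main rather than in a gnutls callback, so it hands a negative library error code to the shell as the exit status and skips whatever teardown of the session and socket the end of main performs (outside this hunk). It should report the failure and take main's normal cleanup route instead, e.g. `fprintf(stderr, "*** Could not print verification status\n"); ret = 1; goto cleanup; /* placeholder: use main's existing teardown label */`. The block would also benefit from a comment explaining why no `if (status != 0)` rejection follows the print, unlike the removed callback: presumably the auto-verify call makes the handshake itself fail on an untrusted certificate, so reaching this point means verification already passed and the printed status is informational — worth stating explicitly, since a reader comparing with the old code will otherwise think the check was lost. main starts and ends outside this hunk.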
@@ -148,68 +163,3 @@ int main(void)
 return 0;
 }
-
-/* This function will verify the peer's certificate, and check
- * if the hostname matches, as well as the activation, expiration dates.
- */
-static int _verify_certificate_callback(gnutls_session_t session)
-{
- unsigned int status;
- int ret, type;
- const char *hostname;
- gnutls_datum_t out;
-
- /* read hostname */
- hostname = gnutls_session_get_ptr(session);
-
- /* This verification function uses the trusted CAs in the credentials
- * structure. So you must have installed one or more CA certificates.
- */
-
- /* The following demonstrate two different verification functions,
- the more flexible gnutls_certificate_verify_peers(), as well
- as the old gnutls_certificate_verify_peers3(). */
-#if 1
- {
- gnutls_typed_vdata_st data[2];
-
- memset(data, 0, sizeof(data));
-
- data[0].type = GNUTLS_DT_DNS_HOSTNAME;
- data[0].data = (void*)hostname;
-
- data[1].type = GNUTLS_DT_KEY_PURPOSE_OID;
- data[1].data = (void*)GNUTLS_KP_TLS_WWW_SERVER;
-
- ret = gnutls_certificate_verify_peers(session, data, 2,
- &status);
- }
-#else
- ret = gnutls_certificate_verify_peers3(session, hostname,
- &status);
-#endif
- if (ret < 0) {
- printf("Error\n");
- return GNUTLS_E_CERTIFICATE_ERROR;
- }
-
- type = gnutls_certificate_type_get(session);
-
- ret =
- gnutls_certificate_verification_status_print(status, type,
- &out, 0);
- if (ret < 0) {
- printf("Error\n");
- return GNUTLS_E_CERTIFICATE_ERROR;
- }
-
- printf("%s", out.data);
-
- gnutls_free(out.data);
-
- if (status != 0) /* Certificate is not trusted */
- return GNUTLS_E_CERTIFICATE_ERROR;
-
- /* notify gnutls to continue handshake normally */
- return 0;
-} |