authorNikos Mavrogiannopoulos <nmav@gnutls.org>2012-10-30 18:51:50 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2012-10-30 18:51:50 +0100
commitc8008cae74231ac83b08a2dc995415f2fea497fc (patch)
treeef204ab9eb6d77216f5d06e1a5a1b2fad56ed0bb /src/common.c
parent1566caaa8063a5b4cd544c97a60cbfedcf6c7a5c (diff)
downloadgnutls-c8008cae74231ac83b08a2dc995415f2fea497fc.tar.gz
Simplified certificate verification by adding gnutls_certificate_verify_peers3().
This function combines the RFC2818 hostname check and chain verification check.
Diffstat (limited to 'src/common.c')
-rw-r--r--src/common.c111
1 files changed, 1 insertions, 110 deletions
diff --git a/src/common.c b/src/common.c
index 9ef83b6f81..4f3c9d895e 100644
--- a/src/common.c
+++ b/src/common.c
@@ -192,110 +192,7 @@ print_x509_info (gnutls_session_t session, int flag, int print_cert)
}
}
-/* returns true or false, depending on whether the hostname
- * matches to certificate */
-static int
-verify_x509_hostname (gnutls_session_t session, const char *hostname)
-{
- gnutls_x509_crt_t crt;
- const gnutls_datum_t *cert_list;
- unsigned int cert_list_size = 0;
- int ret;
-
- cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
- if (cert_list_size == 0)
- {
- fprintf (stderr, "No certificates found!\n");
- return 0;
- }
-
- gnutls_x509_crt_init (&crt);
- ret =
- gnutls_x509_crt_import (crt, &cert_list[0],
- GNUTLS_X509_FMT_DER);
- if (ret < 0)
- {
- fprintf (stderr, "Decoding error: %s\n",
- gnutls_strerror (ret));
- return 0;
- }
-
- /* Check the hostname of the first certificate if it matches
- * the name of the host we connected to.
- */
- if (hostname != NULL)
- {
- if (gnutls_x509_crt_check_hostname (crt, hostname) == 0)
- {
- printf
- ("- The hostname in the certificate does NOT match '%s'\n",
- hostname);
- ret = 0;
- }
- else
- {
- printf ("- The hostname in the certificate matches '%s'.\n",
- hostname);
- ret = 1;
- }
- }
-
- gnutls_x509_crt_deinit (crt);
-
- return ret;
-}
-
#ifdef ENABLE_OPENPGP
-/* returns true or false, depending on whether the hostname
- * matches to certificate */
-static int
-verify_openpgp_hostname (gnutls_session_t session, const char *hostname)
-{
- gnutls_openpgp_crt_t crt;
- const gnutls_datum_t *cert_list;
- unsigned int cert_list_size = 0;
- int ret;
-
- cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
- if (cert_list_size == 0)
- {
- fprintf (stderr, "No certificates found!\n");
- return 0;
- }
-
- gnutls_openpgp_crt_init (&crt);
- ret =
- gnutls_openpgp_crt_import (crt, &cert_list[0],
- GNUTLS_OPENPGP_FMT_RAW);
- if (ret < 0)
- {
- fprintf (stderr, "Decoding error: %s\n",
- gnutls_strerror (ret));
- return 0;
- }
-
- /* Check the hostname of the first certificate if it matches
- * the name of the host we connected to.
- */
- if (gnutls_openpgp_crt_check_hostname (crt, hostname) == 0)
- {
- printf
- ("- The hostname in the certificate does NOT match '%s'\n",
- hostname);
- ret = 0;
- }
- else
- {
- printf ("- The hostname in the certificate matches '%s'.\n",
- hostname);
- ret = 1;
- }
-
- gnutls_openpgp_crt_deinit (crt);
-
- return ret;
-}
-
static void
print_openpgp_info_compact (gnutls_session_t session)
{
@@ -419,7 +316,7 @@ cert_verify (gnutls_session_t session, const char* hostname)
unsigned int status = 0;
int type;
- rc = gnutls_certificate_verify_peers2 (session, &status);
+ rc = gnutls_certificate_verify_peers3 (session, hostname, &status);
if (rc == GNUTLS_E_NO_CERTIFICATE_FOUND)
{
printf ("- Peer did not send any certificate.\n");
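Review bot: The new `rc = gnutls_certificate_verify_peers3 (session, hostname, &status);` line passes `hostname` through unchecked, so a NULL hostname presumably skips the name check altogether, whereas the removed `verify_x509_hostname` left `ret` at the successful-import value 0 when `hostname` was NULL and cert_verify then set `GNUTLS_CERT_INVALID`. Whether or not that old behaviour was intended, a caller of cert_verify that passes NULL silently moves from "never trusted" to chain-only verification, which is a weaker check than the previous code gave, and the hunk does not make this visible. I would at least make it loud: `if (hostname == NULL) fprintf (stderr, "- Warning: no hostname given, skipping hostname verification\n");` before the call, or document the expectation in a comment above cert_verify. The hostname-mismatch diagnostic that the removed helpers printed is also gone, so the status-printing code later in cert_verify (outside this hunk) should report whichever verification-status bit peers3 sets for a name mismatch if the tool is to stay as informative as before. cert_verify's body starts and ends outside the hunk.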
@@ -460,9 +357,6 @@ cert_verify (gnutls_session_t session, const char* hostname)
printf ("- Peer's certificate is NOT trusted\n");
else
printf ("- Peer's certificate is trusted\n");
-
- rc = verify_x509_hostname (session, hostname);
- if (rc == 0) status |= GNUTLS_CERT_INVALID;
}
else if (type == GNUTLS_CRT_OPENPGP)
{
@@ -472,9 +366,6 @@ cert_verify (gnutls_session_t session, const char* hostname)
printf ("- Peer's key is valid\n");
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
printf ("- Could not find a signer of the peer's key\n");
-
- rc = verify_openpgp_hostname (session, hostname);
- if (rc == 0) status |= GNUTLS_CERT_INVALID;
}
else
{