authorNikos Mavrogiannopoulos <nmav@gnutls.org>2003-09-17 20:00:13 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2003-09-17 20:00:13 +0000
commit753a8509891d8828de03fa643aa57ea664ac4562 (patch)
tree89babccf0cf4a8234893d29168bb1ca54014460d /src
parenta34d39b976b1e660f38f247ba211243cee090a06 (diff)
downloadgnutls-753a8509891d8828de03fa643aa57ea664ac4562.tar.gz
Added a check in gnutls-cli that the hostname we connected to matches the name in the server's certificate.
Diffstat (limited to 'src')
-rw-r--r--src/cli.c7
-rw-r--r--src/common.c33
-rw-r--r--src/common.h6
-rw-r--r--src/serv.c7
-rw-r--r--src/tests.c4
5 files changed, 36 insertions, 21 deletions
diff --git a/src/cli.c b/src/cli.c
index aefa580c44..16d919a1cc 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -100,6 +100,7 @@ typedef struct {
int fd;
gnutls_session session;
int secure;
+ const char* hostname;
} socket_st;
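Review bot: The new `hostname` member is undocumented, and nothing in the hunk says who owns the string it points to; in main it is assigned straight from the `hostname` variable without a copy, so the pointer is only valid for as long as that storage is. A one-line comment settles this for readers of socket_st: `const char* hostname; /* peer name for the certificate hostname check; not copied, the caller keeps it alive */`. The socket_st definition starts before this hunk.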
ssize_t socket_recv(socket_st socket, void *buffer, int buffer_size);
@@ -130,7 +131,6 @@ static int cert_callback(gnutls_session session,
printf
("- Server did not send us any trusted authorities names.\n");
-// gnutls_alert_send(session, GNUTLS_AL_WARNING, GNUTLS_A_BAD_CERTIFICATE);
/* print the names (if any) */
for (i = 0; i < nreqs; i++) {
len = sizeof(issuer_dn);
@@ -286,6 +286,7 @@ int main(int argc, char **argv)
hd.secure = 0;
hd.fd = sd;
+ hd.hostname = hostname;
hd.session = init_tls_session(hostname);
if (starttls)
@@ -332,7 +333,7 @@ int main(int argc, char **argv)
&session_id_size);
/* print some information */
- print_info(hd.session);
+ print_info(hd.session, hostname);
printf("- Disconnecting\n");
socket_bye(&hd);
@@ -609,7 +610,7 @@ static int do_handshake(socket_st * socket)
if (ret == 0) {
socket->secure = 1;
/* print some information */
- print_info(socket->session);
+ print_info(socket->session, socket->hostname);
}
return ret;
}
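Review bot: The hostname comparison cannot affect this function's outcome: print_info's return value is discarded on the changed line, `socket->secure` has already been set to 1, and `ret` is returned unchanged, so a certificate issued for a different host leaves the session flagged as secure exactly like a correct one. If that is intended for a diagnostic client, say so at the call, e.g. `/* informational only: a hostname mismatch reported by print_info does not fail the handshake */`; otherwise the check belongs here, before `socket->secure = 1`, with its result folded into `ret`. do_handshake begins outside this hunk.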
diff --git a/src/common.c b/src/common.c
index 0df166de94..8149604748 100644
--- a/src/common.c
+++ b/src/common.c
@@ -5,11 +5,11 @@
#include <gnutls/extra.h>
#include <gnutls/x509.h>
#include <time.h>
+#include <common.h>
#define TEST_STRING
int xml = 0;
-void print_cert_info(gnutls_session session);
#define PRINTX(x,y) if (y[0]!=0) printf(" # %s %s\n", x, y)
#define PRINT_PGP_NAME(X) PRINTX( "NAME:", X.name); \
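Review bot: `#include <common.h>` uses the system-header form for a header that, per the diffstat, lives in src/ next to this file; the conventional `#include "common.h"` searches the including file's directory first and does not depend on an -I flag for src. The forward declaration of print_cert_info removed here is now expected to come from that header, so the include has to resolve for the compiler to keep checking the call against its prototype.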
@@ -27,7 +27,7 @@ static const char *my_ctime(time_t * tv)
}
-void print_x509_info(gnutls_session session)
+void print_x509_info(gnutls_session session, const char* hostname)
{
gnutls_x509_crt crt;
const gnutls_datum *cert_list;
@@ -67,8 +67,19 @@ void print_x509_info(gnutls_session session)
return;
}
-
printf(" - Certificate[%d] info:\n", j);
+
+ if (j==0 && hostname != NULL) { /* Check the hostname of the first certificate
+ * if it matches the name of the host we
+ * connected to.
+ */
+ if (gnutls_x509_crt_check_hostname( crt, hostname)==0) {
+ printf(" # The hostname in the certificate does NOT match '%s'.\n", hostname);
+ } else {
+ printf(" # The hostname in the certificate matches '%s'.\n", hostname);
+ }
+ }
+
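Review bot: A mismatch from `gnutls_x509_crt_check_hostname` is reported only through printf, and print_x509_info returns void, so no caller can learn the outcome; a certificate issued to another host is programmatically indistinguishable from a correct one. Restricting the check to `j==0` is right, since that is the leaf certificate the peer presented, but the result should be surfaced — for example by returning it from print_x509_info or recording it in a file-scope flag the caller can read. At minimum a comment above the check should state the limitation: `/* name match against the leaf only; the result is printed, not enforced */`. print_x509_info continues outside this hunk.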
if (xml) {
#ifdef ENABLE_PKI
@@ -268,10 +279,12 @@ void print_cert_vrfy(gnutls_session session)
printf("- Peer's certificate is trusted\n");
if (status & GNUTLS_CERT_CORRUPTED)
printf("- Peer's certificate is corrupted\n");
+
+
}
-int print_info(gnutls_session session)
+int print_info(gnutls_session session, const char* hostname)
{
const char *tmp;
gnutls_credentials_type cred;
@@ -317,7 +330,7 @@ int print_info(gnutls_session session)
}
}
- print_cert_info(session);
+ print_cert_info(session, hostname);
print_cert_vrfy(session);
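Review bot: The hostname verdict is printed by print_cert_info before print_cert_vrfy has reported whether the chain is trusted, so a run can show `The hostname in the certificate matches` for a certificate that the very next lines then call untrusted or corrupted. Either call print_cert_vrfy first, or put a note above the call: `/* the hostname match printed by print_cert_info is only meaningful if print_cert_vrfy below reports the chain as trusted */`. print_info begins and ends outside this hunk.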
@@ -352,14 +365,14 @@ int print_info(gnutls_session session)
return 0;
}
-void print_cert_info(gnutls_session session)
+void print_cert_info(gnutls_session session, const char* hostname)
{
printf("- Certificate type: ");
switch (gnutls_certificate_type_get(session)) {
case GNUTLS_CRT_X509:
printf("X.509\n");
- print_x509_info(session);
+ print_x509_info(session, hostname);
break;
case GNUTLS_CRT_OPENPGP:
printf("OpenPGP\n");
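Review bot: The OpenPGP branch ignores the new `hostname` argument, so as far as this hunk shows no name check is done for OpenPGP keys and the output does not say so, unlike the X.509 path which always prints a match or mismatch line. If no check is intended there, make that visible to the user with `printf(" # No hostname check is performed for OpenPGP keys.\n");` right after the `printf("OpenPGP\n");` line. The remainder of that case and of print_cert_info is outside this hunk.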
@@ -384,7 +397,7 @@ void print_list(void)
printf(", SSL3.0\n");
printf("Ciphers:");
- printf(" RIJNDAEL-128-CBC");
+ printf(" AES-128-CBC");
printf(", TWOFISH-128-CBC");
printf(", 3DES-CBC");
printf(", ARCFOUR\n");
@@ -448,9 +461,9 @@ void parse_ciphers(char **ciphers, int nciphers, int *cipher_priority)
if (ciphers != NULL && nciphers > 0) {
for (j = i = 0; i < nciphers; i++) {
- if (strncasecmp(ciphers[i], "RIJ", 3) == 0)
+ if (strncasecmp(ciphers[i], "AES", 3) == 0)
cipher_priority[j++] =
- GNUTLS_CIPHER_RIJNDAEL_128_CBC;
+ GNUTLS_CIPHER_AES_128_CBC;
if (strncasecmp(ciphers[i], "TWO", 3) == 0)
cipher_priority[j++] =
GNUTLS_CIPHER_TWOFISH_128_CBC;
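Review bot: Replacing the `RIJ` prefix test with `AES` silently breaks any existing invocation that names the cipher as RIJNDAEL-128-CBC: the loop is a series of independent prefix tests and, as far as the hunk shows, has no branch for unrecognised names, so such an argument now adds nothing to cipher_priority and the user gets no error. Accepting the old spelling as an alias keeps scripts working: `if (strncasecmp(ciphers[i], "AES", 3) == 0 || strncasecmp(ciphers[i], "RIJ", 3) == 0)`. parse_ciphers begins and ends outside this hunk.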
diff --git a/src/common.h b/src/common.h
index 6ffe52508f..956cb7dc37 100644
--- a/src/common.h
+++ b/src/common.h
@@ -3,9 +3,9 @@
#include <gnutls/gnutls.h>
-int print_info( gnutls_session state);
-void print_cert_info( gnutls_session state);
-int print_list(void);
+int print_info( gnutls_session state, const char* hostname);
+void print_cert_info( gnutls_session state, const char* hostname);
+void print_list(void);
void parse_comp( char** comp, int ncomp, int* comp_priority);
void parse_kx( char** kx, int nkx, int* kx_priority);
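Review bot: The new `hostname` parameter is undocumented in the header, and its NULL behaviour — the server passes NULL and common.c skips the check when it is NULL — is only discoverable by reading the implementation. Add above print_info, and likewise on print_cert_info: `/* hostname: name the client connected to, compared against the leaf X.509 certificate; NULL disables the check (server side). */`. The change of print_list to void also brings the prototype in line with the definition in common.c.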
diff --git a/src/serv.c b/src/serv.c
index 44971e6fb5..14a4b4ff43 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -476,7 +476,7 @@ static void get_response(gnutls_session session, char *request,
goto unimplemented;
*p = '\0';
}
-// *response = peer_print_info(session, request+4, h, response_length);
+/* *response = peer_print_info(session, request+4, h, response_length); */
if (http != 0) {
*response = peer_print_info(session, response_length, h);
} else {
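Review bot: The changed line keeps a disabled call to peer_print_info as a comment, merely switching it from `//` to `/* */`; commented-out code should be deleted, as this same commit does for the `gnutls_alert_send` and `optval` leftovers in cli.c and serv.c. Drop the line entirely; version control preserves the old form if it is ever needed. get_response begins and ends outside this hunk.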
@@ -526,7 +526,6 @@ int main(int argc, char **argv)
{
int ret, n, h;
char topbuf[512];
-// int optval = 1;
char name[256];
int accept_fd;
struct sockaddr_in client_address;
@@ -785,7 +784,7 @@ int main(int argc, char **argv)
inet_ntop(AF_INET, &client_address.sin_addr,
topbuf, sizeof(topbuf)),
ntohs(client_address.sin_port));
- print_info(j->tls_session);
+ print_info(j->tls_session, NULL);
}
j->handshake_ok = 1;
}
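Review bot: Passing NULL for hostname is correct for the server, which has no peer name to match, but the bare literal says nothing to the reader and the same call appears again in the second accept path further down. A short comment at both call sites makes the intent explicit: `print_info(j->tls_session, NULL); /* server side: no peer hostname to check */`. main begins and ends outside this hunk.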
@@ -859,7 +858,7 @@ int main(int argc, char **argv)
inet_ntop(AF_INET, &client_address.sin_addr,
topbuf, sizeof(topbuf)),
ntohs(client_address.sin_port));
- print_info(j->tls_session);
+ print_info(j->tls_session, NULL);
}
j->handshake_ok = 1;
}
diff --git a/src/tests.c b/src/tests.c
index 7b4f3d1976..7d5669f178 100644
--- a/src/tests.c
+++ b/src/tests.c
@@ -630,6 +630,8 @@ int tmp_session_id_size;
}
+extern char* hostname;
+
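Review bot: `extern char* hostname;` is declared in the middle of tests.c rather than in a shared header, so the compiler never checks it against the actual definition (which is not in this diff), and the type already differs from the `const char* hostname` field and parameters introduced elsewhere in this commit. Declare it once, with the same type as the definition, in a header that both translation units include — or pass the name into test_certificate as a parameter rather than reaching for a global.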
int test_certificate( gnutls_session session) {
int ret;
@@ -646,7 +648,7 @@ int ret;
if (ret == FAILED) return ret;
printf("\n");
- print_cert_info( session);
+ print_cert_info( session, hostname);
return SUCCEED;
}