diff options
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | doc/tex/ex-serv-pgp.tex | 7 | ||||
-rw-r--r-- | includes/gnutls/x509.h | 2 | ||||
-rw-r--r-- | src/cli.c | 7 | ||||
-rw-r--r-- | src/common.c | 33 | ||||
-rw-r--r-- | src/common.h | 6 | ||||
-rw-r--r-- | src/serv.c | 7 | ||||
-rw-r--r-- | src/tests.c | 4 |
8 files changed, 41 insertions, 28 deletions
@@ -1,7 +1,8 @@ Version 0.9.8 - Updated the SRP implementation to follow the latest draft (draft-ietf-tls-srp-05). -- Improved the gnutls-cli behaviour in error handling. +- Improved the gnutls-cli behaviour in error handling, + and added a check for the peer's hostname. - Use versioned symbols in the library (where available). - RIJNDAEL ciphersuites were renamed to AES. diff --git a/doc/tex/ex-serv-pgp.tex b/doc/tex/ex-serv-pgp.tex index d44752e1de..d4db2dc902 100644 --- a/doc/tex/ex-serv-pgp.tex +++ b/doc/tex/ex-serv-pgp.tex @@ -58,7 +58,6 @@ gnutls_session initialize_tls_session() gnutls_dh_params dh_params; static int generate_dh_params(void) { -gnutls_datum prime, generator; /* Generate Diffie Hellman parameters - for use with DHE * kx algorithms. These should be discarded and regenerated @@ -66,12 +65,8 @@ gnutls_datum prime, generator; * security requirements. */ gnutls_dh_params_init( &dh_params); - gnutls_dh_params_generate( &prime, &generator, DH_BITS); - gnutls_dh_params_set( dh_params, prime, generator, DH_BITS); + gnutls_dh_params_generate2( dh_params, DH_BITS); - gnutls_free( prime.data); - gnutls_free( generator.data); - return 0; } diff --git a/includes/gnutls/x509.h b/includes/gnutls/x509.h index 7d848deb46..3ad5275b5a 100644 --- a/includes/gnutls/x509.h +++ b/includes/gnutls/x509.h @@ -61,6 +61,8 @@ int gnutls_x509_crt_get_dn(gnutls_x509_crt cert, char *buf, int *sizeof_buf); int gnutls_x509_crt_get_dn_by_oid(gnutls_x509_crt cert, const char* oid, int indx, char *buf, int *sizeof_buf); +int gnutls_x509_crt_check_hostname(gnutls_x509_crt cert, + const char *hostname); int gnutls_x509_crt_get_signature_algorithm(gnutls_x509_crt cert); int gnutls_x509_crt_get_version(gnutls_x509_crt cert); @@ -100,6 +100,7 @@ typedef struct { int fd; gnutls_session session; int secure; + const char* hostname; } socket_st; ssize_t socket_recv(socket_st socket, void *buffer, int buffer_size); @@ -130,7 +131,6 @@ static int cert_callback(gnutls_session session, printf ("- Server did not send us any trusted authorities names.\n"); -// gnutls_alert_send(session, GNUTLS_AL_WARNING, GNUTLS_A_BAD_CERTIFICATE); /* print the names (if any) */ for (i = 0; i < nreqs; i++) { len = sizeof(issuer_dn); @@ -286,6 +286,7 @@ int main(int argc, char **argv) hd.secure = 0; hd.fd = sd; + hd.hostname = hostname; hd.session = init_tls_session(hostname); if (starttls) @@ -332,7 +333,7 @@ int main(int argc, char **argv) &session_id_size); /* print some information */ - print_info(hd.session); + print_info(hd.session, hostname); printf("- Disconnecting\n"); socket_bye(&hd); @@ -609,7 +610,7 @@ static int do_handshake(socket_st * socket) if (ret == 0) { socket->secure = 1; /* print some information */ - print_info(socket->session); + print_info(socket->session, socket->hostname); } return ret; } diff --git a/src/common.c b/src/common.c index 0df166de94..8149604748 100644 --- a/src/common.c +++ b/src/common.c @@ -5,11 +5,11 @@ #include <gnutls/extra.h> #include <gnutls/x509.h> #include <time.h> +#include <common.h> #define TEST_STRING int xml = 0; -void print_cert_info(gnutls_session session); #define PRINTX(x,y) if (y[0]!=0) printf(" # %s %s\n", x, y) #define PRINT_PGP_NAME(X) PRINTX( "NAME:", X.name); \ @@ -27,7 +27,7 @@ static const char *my_ctime(time_t * tv) } -void print_x509_info(gnutls_session session) +void print_x509_info(gnutls_session session, const char* hostname) { gnutls_x509_crt crt; const gnutls_datum *cert_list; @@ -67,8 +67,19 @@ void print_x509_info(gnutls_session session) return; } - printf(" - Certificate[%d] info:\n", j); + + if (j==0 && hostname != NULL) { /* Check the hostname of the first certificate + * if it matches the name of the host we + * connected to. + */ + if (gnutls_x509_crt_check_hostname( crt, hostname)==0) { + printf(" # The hostname in the certificate does NOT match '%s'.\n", hostname); + } else { + printf(" # The hostname in the certificate matches '%s'.\n", hostname); + } + } + if (xml) { #ifdef ENABLE_PKI @@ -268,10 +279,12 @@ void print_cert_vrfy(gnutls_session session) printf("- Peer's certificate is trusted\n"); if (status & GNUTLS_CERT_CORRUPTED) printf("- Peer's certificate is corrupted\n"); + + } -int print_info(gnutls_session session) +int print_info(gnutls_session session, const char* hostname) { const char *tmp; gnutls_credentials_type cred; @@ -317,7 +330,7 @@ int print_info(gnutls_session session) } } - print_cert_info(session); + print_cert_info(session, hostname); print_cert_vrfy(session); @@ -352,14 +365,14 @@ int print_info(gnutls_session session) return 0; } -void print_cert_info(gnutls_session session) +void print_cert_info(gnutls_session session, const char* hostname) { printf("- Certificate type: "); switch (gnutls_certificate_type_get(session)) { case GNUTLS_CRT_X509: printf("X.509\n"); - print_x509_info(session); + print_x509_info(session, hostname); break; case GNUTLS_CRT_OPENPGP: printf("OpenPGP\n"); @@ -384,7 +397,7 @@ void print_list(void) printf(", SSL3.0\n"); printf("Ciphers:"); - printf(" RIJNDAEL-128-CBC"); + printf(" AES-128-CBC"); printf(", TWOFISH-128-CBC"); printf(", 3DES-CBC"); printf(", ARCFOUR\n"); @@ -448,9 +461,9 @@ void parse_ciphers(char **ciphers, int nciphers, int *cipher_priority) if (ciphers != NULL && nciphers > 0) { for (j = i = 0; i < nciphers; i++) { - if (strncasecmp(ciphers[i], "RIJ", 3) == 0) + if (strncasecmp(ciphers[i], "AES", 3) == 0) cipher_priority[j++] = - GNUTLS_CIPHER_RIJNDAEL_128_CBC; + GNUTLS_CIPHER_AES_128_CBC; if (strncasecmp(ciphers[i], "TWO", 3) == 0) cipher_priority[j++] = GNUTLS_CIPHER_TWOFISH_128_CBC; diff --git a/src/common.h b/src/common.h index 6ffe52508f..956cb7dc37 100644 --- a/src/common.h +++ b/src/common.h @@ -3,9 +3,9 @@ #include <gnutls/gnutls.h> -int print_info( gnutls_session state); -void print_cert_info( gnutls_session state); -int print_list(void); +int print_info( gnutls_session state, const char* hostname); +void print_cert_info( gnutls_session state, const char* hostname); +void print_list(void); void parse_comp( char** comp, int ncomp, int* comp_priority); void parse_kx( char** kx, int nkx, int* kx_priority); diff --git a/src/serv.c b/src/serv.c index 44971e6fb5..14a4b4ff43 100644 --- a/src/serv.c +++ b/src/serv.c @@ -476,7 +476,7 @@ static void get_response(gnutls_session session, char *request, goto unimplemented; *p = '\0'; } -// *response = peer_print_info(session, request+4, h, response_length); +/* *response = peer_print_info(session, request+4, h, response_length); */ if (http != 0) { *response = peer_print_info(session, response_length, h); } else { @@ -526,7 +526,6 @@ int main(int argc, char **argv) { int ret, n, h; char topbuf[512]; -// int optval = 1; char name[256]; int accept_fd; struct sockaddr_in client_address; @@ -785,7 +784,7 @@ int main(int argc, char **argv) inet_ntop(AF_INET, &client_address.sin_addr, topbuf, sizeof(topbuf)), ntohs(client_address.sin_port)); - print_info(j->tls_session); + print_info(j->tls_session, NULL); } j->handshake_ok = 1; } @@ -859,7 +858,7 @@ int main(int argc, char **argv) inet_ntop(AF_INET, &client_address.sin_addr, topbuf, sizeof(topbuf)), ntohs(client_address.sin_port)); - print_info(j->tls_session); + print_info(j->tls_session, NULL); } j->handshake_ok = 1; } diff --git a/src/tests.c b/src/tests.c index 7b4f3d1976..7d5669f178 100644 --- a/src/tests.c +++ b/src/tests.c @@ -630,6 +630,8 @@ int tmp_session_id_size; } +extern char* hostname; + int test_certificate( gnutls_session session) { int ret; @@ -646,7 +648,7 @@ int ret; if (ret == FAILED) return ret; printf("\n"); - print_cert_info( session); + print_cert_info( session, hostname); return SUCCEED; } |