Diffstat (limited to 'doc/examples/ex-client-x509.c')
-rw-r--r-- | doc/examples/ex-client-x509.c | 95 |
1 files changed, 22 insertions, 73 deletions
diff --git a/doc/examples/ex-client-x509.c b/doc/examples/ex-client-x509.c
index 8ee429a1b2..25cd076e7e 100644
--- a/doc/examples/ex-client-x509.c
+++ b/doc/examples/ex-client-x509.c
@@ -22,18 +22,19 @@
 extern int tcp_connect(void);
 extern void tcp_close(int sd);
 
-static int _verify_certificate_callback(gnutls_session_t session);
 
 int main(void)
 {
- int ret, sd, ii;
+ int ret, sd, ii, type;
 gnutls_session_t session;
 char buffer[MAX_BUF + 1];
 const char *err;
+ unsigned status;
 gnutls_certificate_credentials_t xcred;
+ gnutls_datum_t out;
 
- if (gnutls_check_version("3.1.4") == NULL) {
- fprintf(stderr, "GnuTLS 3.1.4 or later is required for this example\n");
+ if (gnutls_check_version("3.3.23") == NULL) {
+ fprintf(stderr, "GnuTLS 3.3.23 or later is required for this example\n");
 exit(1);
 }
 
@@ -47,8 +48,6 @@ int main(void)
 */
 gnutls_certificate_set_x509_trust_file(xcred, CAFILE,
 GNUTLS_X509_FMT_PEM);
- gnutls_certificate_set_verify_function(xcred,
- _verify_certificate_callback);
 
 /* If client holds a certificate it can be set using the following:
 *
@@ -66,7 +65,7 @@ int main(void)
 gnutls_server_name_set(session, GNUTLS_NAME_DNS, "my_host_name",
 strlen("my_host_name"));
 
- /* use default priorities */
+ /* It is recommended to use the default priorities */
 gnutls_set_default_priority(session);
 #if 0
 /* if more fine-graned control is required */
@@ -83,6 +82,7 @@ int main(void)
 /* put the x509 credentials to the current session
 */
 gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+ gnutls_session_set_verify_cert(session, "my_host_name", 0);
 
 /* connect to the peer
 */
@@ -98,7 +98,6 @@ int main(void)
 ret = gnutls_handshake(session);
 }
 while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
-
 if (ret < 0) {
 fprintf(stderr, "*** Handshake failed\n");
 gnutls_perror(ret);
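Review bot: `gnutls_session_set_verify_cert(session, "my_host_name", 0);` repeats the hostname literal that `gnutls_server_name_set` already sends as SNI in the hunk above, so a later edit to one call but not the other would silently verify the certificate against a different name than the one requested; define it once, e.g. `#define HOSTNAME "my_host_name"` next to the existing `MAX_BUF`/`CAFILE` definitions (outside these hunks), and use `HOSTNAME` in both calls. A comment on the new line such as `/* verify the peer's certificate and hostname during the handshake; a failure aborts it */` would also help readers who compare this with the removed `_verify_certificate_callback`. main continues outside the hunk.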
@@ -111,6 +110,21 @@ int main(void)
 gnutls_free(desc);
 }
 
+ /* check certificate verification status */
+ type = gnutls_certificate_type_get(session);
+ status = gnutls_session_get_verify_cert_status(session);
+ ret =
+ gnutls_certificate_verification_status_print(status, type,
+ &out, 0);
+ if (ret < 0) {
+ printf("Error\n");
+ return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+
+ printf("%s", out.data);
+ gnutls_free(out.data);
+
+
 /* send data */
 gnutls_record_send(session, MSG, strlen(MSG));
 ret = gnutls_record_recv(session, buffer, MAX_BUF);
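Review bot: The status block added after the handshake can only ever report a trusted chain, because `gnutls_session_set_verify_cert` (set in an earlier hunk with flags 0) is documented to abort the handshake with GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR when verification fails, so the informative case never reaches this code; the place a reader needs the printed reasons is the `if (ret < 0)` branch of the handshake loop in the previous hunk, where only `gnutls_perror(ret)` runs. I would move the block there, guarded on that error code, as sketched below, and keep at most a one-line comment here noting that verification already succeeded during the handshake. The `return GNUTLS_E_CERTIFICATE_ERROR;` on the print-failure path also leaves main without closing the socket or deinitialising the session, unlike the handshake-failure branch, which presumably jumps to a cleanup label outside this hunk. main begins and ends outside the hunk.
```c
        if (ret < 0) {
                fprintf(stderr, "*** Handshake failed\n");
                gnutls_perror(ret);
                /* Explain why the peer's certificate was rejected. */
                if (ret == GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR) {
                        type = gnutls_certificate_type_get(session);
                        status = gnutls_session_get_verify_cert_status(session);
                        if (gnutls_certificate_verification_status_print(status, type,
                                                                         &out, 0) >= 0) {
                                printf("%s", out.data);
                                gnutls_free(out.data);
                        }
                }
                /* … unchanged: error exit of the handshake-failure branch … */
        }
```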
@@ -146,68 +160,3 @@ int main(void)
 
 return 0;
 }
-
-/* This function will verify the peer's certificate, and check
- * if the hostname matches, as well as the activation, expiration dates.
- */
-static int _verify_certificate_callback(gnutls_session_t session)
-{
- unsigned int status;
- int ret, type;
- const char *hostname;
- gnutls_datum_t out;
-
- /* read hostname */
- hostname = gnutls_session_get_ptr(session);
-
- /* This verification function uses the trusted CAs in the credentials
- * structure. So you must have installed one or more CA certificates.
- */
-
- /* The following demonstrate two different verification functions,
- * the more flexible gnutls_certificate_verify_peers(), as well
- * as the old gnutls_certificate_verify_peers3(). */
-#if 1
- {
- gnutls_typed_vdata_st data[2];
-
- memset(data, 0, sizeof(data));
-
- data[0].type = GNUTLS_DT_DNS_HOSTNAME;
- data[0].data = (void*)hostname;
-
- data[1].type = GNUTLS_DT_KEY_PURPOSE_OID;
- data[1].data = (void*)GNUTLS_KP_TLS_WWW_SERVER;
-
- ret = gnutls_certificate_verify_peers(session, data, 2,
- &status);
- }
-#else
- ret = gnutls_certificate_verify_peers3(session, hostname,
- &status);
-#endif
- if (ret < 0) {
- printf("Error\n");
- return GNUTLS_E_CERTIFICATE_ERROR;
- }
-
- type = gnutls_certificate_type_get(session);
-
- ret =
- gnutls_certificate_verification_status_print(status, type,
- &out, 0);
- if (ret < 0) {
- printf("Error\n");
- return GNUTLS_E_CERTIFICATE_ERROR;
- }
-
- printf("%s", out.data);
-
- gnutls_free(out.data);
-
- if (status != 0) /* Certificate is not trusted */
- return GNUTLS_E_CERTIFICATE_ERROR;
-
- /* notify gnutls to continue handshake normally */
- return 0;
-} |