|
Packit |
aea12f |
/* This example code is placed in the public domain. */
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
#ifdef HAVE_CONFIG_H
|
|
Packit |
aea12f |
#include <config.h>
|
|
Packit |
aea12f |
#endif
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
#include <stdio.h>
|
|
Packit |
aea12f |
#include <stdlib.h>
|
|
Packit |
aea12f |
#include <string.h>
|
|
Packit |
aea12f |
#include <sys/types.h>
|
|
Packit |
aea12f |
#include <sys/socket.h>
|
|
Packit |
aea12f |
#include <arpa/inet.h>
|
|
Packit |
aea12f |
#include <unistd.h>
|
|
Packit |
aea12f |
#include <assert.h>
|
|
Packit |
aea12f |
#include <gnutls/gnutls.h>
|
|
Packit |
aea12f |
#include <gnutls/x509.h>
|
|
Packit |
aea12f |
#include <gnutls/abstract.h>
|
|
Packit |
aea12f |
#include <sys/types.h>
|
|
Packit |
aea12f |
#include <sys/stat.h>
|
|
Packit |
aea12f |
#include <fcntl.h>
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* A TLS client that loads the certificate and key.
|
|
Packit |
aea12f |
*/
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
#define CHECK(x) assert((x)>=0)
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
#define MAX_BUF 1024
|
|
Packit |
aea12f |
#define MSG "GET / HTTP/1.0\r\n\r\n"
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
#define CERT_FILE "cert.pem"
|
|
Packit |
aea12f |
#define KEY_FILE "key.pem"
|
|
Packit |
aea12f |
#define CAFILE "/etc/ssl/certs/ca-certificates.crt"
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
extern int tcp_connect(void);
|
|
Packit |
aea12f |
extern void tcp_close(int sd);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
static int
|
|
Packit |
aea12f |
cert_callback(gnutls_session_t session,
|
|
Packit |
aea12f |
const gnutls_datum_t * req_ca_rdn, int nreqs,
|
|
Packit |
aea12f |
const gnutls_pk_algorithm_t * sign_algos,
|
|
Packit |
aea12f |
int sign_algos_length, gnutls_pcert_st ** pcert,
|
|
Packit |
aea12f |
unsigned int *pcert_length, gnutls_privkey_t * pkey);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
gnutls_pcert_st pcrt;
|
|
Packit |
aea12f |
gnutls_privkey_t key;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* Load the certificate and the private key.
|
|
Packit |
aea12f |
*/
|
|
Packit |
aea12f |
static void load_keys(void)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
gnutls_datum_t data;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
CHECK(gnutls_load_file(CERT_FILE, &data));
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
CHECK(gnutls_pcert_import_x509_raw(&pcrt, &data,
|
|
Packit |
aea12f |
GNUTLS_X509_FMT_PEM, 0));
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
gnutls_free(data.data);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
CHECK(gnutls_load_file(KEY_FILE, &data));
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
CHECK(gnutls_privkey_init(&key));
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
CHECK(gnutls_privkey_import_x509_raw(key, &data,
|
|
Packit |
aea12f |
GNUTLS_X509_FMT_PEM,
|
|
Packit |
aea12f |
NULL, 0));
|
|
Packit |
aea12f |
gnutls_free(data.data);
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
int main(void)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
int ret, sd, ii;
|
|
Packit |
aea12f |
gnutls_session_t session;
|
|
Packit |
aea12f |
char buffer[MAX_BUF + 1];
|
|
Packit |
aea12f |
gnutls_certificate_credentials_t xcred;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (gnutls_check_version("3.1.4") == NULL) {
|
|
Packit |
aea12f |
fprintf(stderr, "GnuTLS 3.1.4 or later is required for this example\n");
|
|
Packit |
aea12f |
exit(1);
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* for backwards compatibility with gnutls < 3.3.0 */
|
|
Packit |
aea12f |
CHECK(gnutls_global_init());
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
load_keys();
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* X509 stuff */
|
|
Packit |
aea12f |
CHECK(gnutls_certificate_allocate_credentials(&xcred));
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* sets the trusted cas file
|
|
Packit |
aea12f |
*/
|
|
Packit |
aea12f |
CHECK(gnutls_certificate_set_x509_trust_file(xcred, CAFILE,
|
|
Packit |
aea12f |
GNUTLS_X509_FMT_PEM));
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
gnutls_certificate_set_retrieve_function2(xcred, cert_callback);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* Initialize TLS session
|
|
Packit |
aea12f |
*/
|
|
Packit |
aea12f |
CHECK(gnutls_init(&session, GNUTLS_CLIENT));
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* Use default priorities */
|
|
Packit |
aea12f |
CHECK(gnutls_set_default_priority(session));
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* put the x509 credentials to the current session
|
|
Packit |
aea12f |
*/
|
|
Packit |
aea12f |
CHECK(gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred));
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* connect to the peer
|
|
Packit |
aea12f |
*/
|
|
Packit |
aea12f |
sd = tcp_connect();
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
gnutls_transport_set_int(session, sd);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* Perform the TLS handshake
|
|
Packit |
aea12f |
*/
|
|
Packit |
aea12f |
ret = gnutls_handshake(session);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (ret < 0) {
|
|
Packit |
aea12f |
fprintf(stderr, "*** Handshake failed\n");
|
|
Packit |
aea12f |
gnutls_perror(ret);
|
|
Packit |
aea12f |
goto end;
|
|
Packit |
aea12f |
} else {
|
|
Packit |
aea12f |
char *desc;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
desc = gnutls_session_get_desc(session);
|
|
Packit |
aea12f |
printf("- Session info: %s\n", desc);
|
|
Packit |
aea12f |
gnutls_free(desc);
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
CHECK(gnutls_record_send(session, MSG, strlen(MSG)));
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
ret = gnutls_record_recv(session, buffer, MAX_BUF);
|
|
Packit |
aea12f |
if (ret == 0) {
|
|
Packit |
aea12f |
printf("- Peer has closed the TLS connection\n");
|
|
Packit |
aea12f |
goto end;
|
|
Packit |
aea12f |
} else if (ret < 0) {
|
|
Packit |
aea12f |
fprintf(stderr, "*** Error: %s\n", gnutls_strerror(ret));
|
|
Packit |
aea12f |
goto end;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
printf("- Received %d bytes: ", ret);
|
|
Packit |
aea12f |
for (ii = 0; ii < ret; ii++) {
|
|
Packit |
aea12f |
fputc(buffer[ii], stdout);
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
fputs("\n", stdout);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
CHECK(gnutls_bye(session, GNUTLS_SHUT_RDWR));
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
end:
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
tcp_close(sd);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
gnutls_deinit(session);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
gnutls_certificate_free_credentials(xcred);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
gnutls_global_deinit();
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
return 0;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* This callback should be associated with a session by calling
|
|
Packit |
aea12f |
* gnutls_certificate_client_set_retrieve_function( session, cert_callback),
|
|
Packit |
aea12f |
* before a handshake.
|
|
Packit |
aea12f |
*/
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
static int
|
|
Packit |
aea12f |
cert_callback(gnutls_session_t session,
|
|
Packit |
aea12f |
const gnutls_datum_t * req_ca_rdn, int nreqs,
|
|
Packit |
aea12f |
const gnutls_pk_algorithm_t * sign_algos,
|
|
Packit |
aea12f |
int sign_algos_length, gnutls_pcert_st ** pcert,
|
|
Packit |
aea12f |
unsigned int *pcert_length, gnutls_privkey_t * pkey)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
char issuer_dn[256];
|
|
Packit |
aea12f |
int i, ret;
|
|
Packit |
aea12f |
size_t len;
|
|
Packit |
aea12f |
gnutls_certificate_type_t type;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* Print the server's trusted CAs
|
|
Packit |
aea12f |
*/
|
|
Packit |
aea12f |
if (nreqs > 0)
|
|
Packit |
aea12f |
printf("- Server's trusted authorities:\n");
|
|
Packit |
aea12f |
else
|
|
Packit |
aea12f |
printf
|
|
Packit |
aea12f |
("- Server did not send us any trusted authorities names.\n");
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* print the names (if any) */
|
|
Packit |
aea12f |
for (i = 0; i < nreqs; i++) {
|
|
Packit |
aea12f |
len = sizeof(issuer_dn);
|
|
Packit |
aea12f |
ret = gnutls_x509_rdn_get(&req_ca_rdn[i], issuer_dn, &len;;
|
|
Packit |
aea12f |
if (ret >= 0) {
|
|
Packit |
aea12f |
printf(" [%d]: ", i);
|
|
Packit |
aea12f |
printf("%s\n", issuer_dn);
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* Select a certificate and return it.
|
|
Packit |
aea12f |
* The certificate must be of any of the "sign algorithms"
|
|
Packit |
aea12f |
* supported by the server.
|
|
Packit |
aea12f |
*/
|
|
Packit |
aea12f |
type = gnutls_certificate_type_get(session);
|
|
Packit |
aea12f |
if (type == GNUTLS_CRT_X509) {
|
|
Packit |
aea12f |
*pcert_length = 1;
|
|
Packit |
aea12f |
*pcert = &pcr;;
|
|
Packit |
aea12f |
*pkey = key;
|
|
Packit |
aea12f |
} else {
|
|
Packit |
aea12f |
return -1;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
return 0;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
}
|