source-git / gnutls

Clone
Source Code
GIT

Blame doc/examples/ex-client-x509-3.1.c

c8 c8s master
  1.   c8s
  2.   doc
  3.   examples
  4.   ex-client-x509-3.1.c
Blob History Raw
Packit Service 4684c1 
/* This example code is placed in the public domain. */
Packit Service 4684c1
Packit Service 4684c1 
#ifdef HAVE_CONFIG_H
Packit Service 4684c1 
#include <config.h>
Packit Service 4684c1 
#endif
Packit Service 4684c1
Packit Service 4684c1 
#include <stdio.h>
Packit Service 4684c1 
#include <stdlib.h>
Packit Service 4684c1 
#include <string.h>
Packit Service 4684c1 
#include <assert.h>
Packit Service 4684c1 
#include <gnutls/gnutls.h>
Packit Service 4684c1 
#include <gnutls/x509.h>
Packit Service 4684c1 
#include "examples.h"
Packit Service 4684c1
Packit Service 4684c1 
/* A very basic TLS client, with X.509 authentication and server certificate
Packit Service 4684c1 
 * verification utilizing the GnuTLS 3.1.x API.
Packit Service 4684c1 
 * Note that error recovery is minimal for simplicity.
Packit Service 4684c1 
 */
Packit Service 4684c1
Packit Service 4684c1 
#define CHECK(x) assert((x)>=0)
Packit Service 4684c1 
#define LOOP_CHECK(rval, cmd) \
Packit Service 4684c1 
        do { \
Packit Service 4684c1 
                rval = cmd; \
Packit Service 4684c1 
        } while(rval == GNUTLS_E_AGAIN || rval == GNUTLS_E_INTERRUPTED); \
Packit Service 4684c1 
        assert(rval >= 0)
Packit Service 4684c1
Packit Service 4684c1 
#define MAX_BUF 1024
Packit Service 4684c1 
#define CAFILE "/etc/ssl/certs/ca-certificates.crt"
Packit Service 4684c1 
#define MSG "GET / HTTP/1.0\r\n\r\n"
Packit Service 4684c1
Packit Service 4684c1 
extern int tcp_connect(void);
Packit Service 4684c1 
extern void tcp_close(int sd);
Packit Service 4684c1 
static int _verify_certificate_callback(gnutls_session_t session);
Packit Service 4684c1
Packit Service 4684c1 
int main(void)
Packit Service 4684c1 
{
Packit Service 4684c1 
        int ret, sd, ii;
Packit Service 4684c1 
        gnutls_session_t session;
Packit Service 4684c1 
        char buffer[MAX_BUF + 1];
Packit Service 4684c1 
        gnutls_certificate_credentials_t xcred;
Packit Service 4684c1
Packit Service 4684c1 
        if (gnutls_check_version("3.1.4") == NULL) {
Packit Service 4684c1 
                fprintf(stderr, "GnuTLS 3.1.4 or later is required for this example\n");
Packit Service 4684c1 
                exit(1);
Packit Service 4684c1 
        }
Packit Service 4684c1
Packit Service 4684c1 
        CHECK(gnutls_global_init());
Packit Service 4684c1
Packit Service 4684c1 
        /* X509 stuff */
Packit Service 4684c1 
        CHECK(gnutls_certificate_allocate_credentials(&xcred));
Packit Service 4684c1
Packit Service 4684c1 
        /* sets the trusted cas file
Packit Service 4684c1 
         */
Packit Service 4684c1 
        CHECK(gnutls_certificate_set_x509_trust_file(xcred, CAFILE,
Packit Service 4684c1 
                                                     GNUTLS_X509_FMT_PEM));
Packit Service 4684c1 
        gnutls_certificate_set_verify_function(xcred,
Packit Service 4684c1 
                                               _verify_certificate_callback);
Packit Service 4684c1
Packit Service 4684c1 
        /* If client holds a certificate it can be set using the following:
Packit Service 4684c1 
         *
Packit Service 4684c1 
         gnutls_certificate_set_x509_key_file (xcred,
Packit Service 4684c1 
         "cert.pem", "key.pem",
Packit Service 4684c1 
         GNUTLS_X509_FMT_PEM);
Packit Service 4684c1 
         */
Packit Service 4684c1
Packit Service 4684c1 
        /* Initialize TLS session
Packit Service 4684c1 
         */
Packit Service 4684c1 
        CHECK(gnutls_init(&session, GNUTLS_CLIENT));
Packit Service 4684c1
Packit Service 4684c1 
        gnutls_session_set_ptr(session, (void *) "www.example.com");
Packit Service 4684c1
Packit Service 4684c1 
        gnutls_server_name_set(session, GNUTLS_NAME_DNS, "www.example.com",
Packit Service 4684c1 
                               strlen("www.example.com"));
Packit Service 4684c1
Packit Service 4684c1 
        /* use default priorities */
Packit Service 4684c1 
        CHECK(gnutls_set_default_priority(session));
Packit Service 4684c1 
#if 0
Packit Service 4684c1 
	/* if more fine-graned control is required */
Packit Service 4684c1 
        ret = gnutls_priority_set_direct(session,
Packit Service 4684c1 
                                         "NORMAL", &err;;
Packit Service 4684c1 
        if (ret < 0) {
Packit Service 4684c1 
                if (ret == GNUTLS_E_INVALID_REQUEST) {
Packit Service 4684c1 
                        fprintf(stderr, "Syntax error at: %s\n", err);
Packit Service 4684c1 
                }
Packit Service 4684c1 
                exit(1);
Packit Service 4684c1 
        }
Packit Service 4684c1 
#endif
Packit Service 4684c1
Packit Service 4684c1 
        /* put the x509 credentials to the current session
Packit Service 4684c1 
         */
Packit Service 4684c1 
        CHECK(gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred));
Packit Service 4684c1
Packit Service 4684c1 
        /* connect to the peer
Packit Service 4684c1 
         */
Packit Service 4684c1 
        sd = tcp_connect();
Packit Service 4684c1
Packit Service 4684c1 
        gnutls_transport_set_int(session, sd);
Packit Service 4684c1 
        gnutls_handshake_set_timeout(session,
Packit Service 4684c1 
                                     GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
Packit Service 4684c1
Packit Service 4684c1 
        /* Perform the TLS handshake
Packit Service 4684c1 
         */
Packit Service 4684c1 
        do {
Packit Service 4684c1 
                ret = gnutls_handshake(session);
Packit Service 4684c1 
        }
Packit Service 4684c1 
        while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
Packit Service 4684c1
Packit Service 4684c1 
        if (ret < 0) {
Packit Service 4684c1 
                fprintf(stderr, "*** Handshake failed\n");
Packit Service 4684c1 
                gnutls_perror(ret);
Packit Service 4684c1 
                goto end;
Packit Service 4684c1 
        } else {
Packit Service 4684c1 
                char *desc;
Packit Service 4684c1
Packit Service 4684c1 
                desc = gnutls_session_get_desc(session);
Packit Service 4684c1 
                printf("- Session info: %s\n", desc);
Packit Service 4684c1 
                gnutls_free(desc);
Packit Service 4684c1 
        }
Packit Service 4684c1
Packit Service 4684c1 
        LOOP_CHECK(ret, gnutls_record_send(session, MSG, strlen(MSG)));
Packit Service 4684c1
Packit Service 4684c1 
        LOOP_CHECK(ret, gnutls_record_recv(session, buffer, MAX_BUF));
Packit Service 4684c1 
        if (ret == 0) {
Packit Service 4684c1 
                printf("- Peer has closed the TLS connection\n");
Packit Service 4684c1 
                goto end;
Packit Service 4684c1 
        } else if (ret < 0 && gnutls_error_is_fatal(ret) == 0) {
Packit Service 4684c1 
                fprintf(stderr, "*** Warning: %s\n", gnutls_strerror(ret));
Packit Service 4684c1 
        } else if (ret < 0) {
Packit Service 4684c1 
                fprintf(stderr, "*** Error: %s\n", gnutls_strerror(ret));
Packit Service 4684c1 
                goto end;
Packit Service 4684c1 
        }
Packit Service 4684c1
Packit Service 4684c1 
        if (ret > 0) {
Packit Service 4684c1 
                printf("- Received %d bytes: ", ret);
Packit Service 4684c1 
                for (ii = 0; ii < ret; ii++) {
Packit Service 4684c1 
                        fputc(buffer[ii], stdout);
Packit Service 4684c1 
                }
Packit Service 4684c1 
                fputs("\n", stdout);
Packit Service 4684c1 
        }
Packit Service 4684c1
Packit Service 4684c1 
        CHECK(gnutls_bye(session, GNUTLS_SHUT_RDWR));
Packit Service 4684c1
Packit Service 4684c1 
      end:
Packit Service 4684c1
Packit Service 4684c1 
        tcp_close(sd);
Packit Service 4684c1
Packit Service 4684c1 
        gnutls_deinit(session);
Packit Service 4684c1
Packit Service 4684c1 
        gnutls_certificate_free_credentials(xcred);
Packit Service 4684c1
Packit Service 4684c1 
        gnutls_global_deinit();
Packit Service 4684c1
Packit Service 4684c1 
        return 0;
Packit Service 4684c1 
}
Packit Service 4684c1
Packit Service 4684c1 
/* This function will verify the peer's certificate, and check
Packit Service 4684c1 
 * if the hostname matches, as well as the activation, expiration dates.
Packit Service 4684c1 
 */
Packit Service 4684c1 
static int _verify_certificate_callback(gnutls_session_t session)
Packit Service 4684c1 
{
Packit Service 4684c1 
        unsigned int status;
Packit Service 4684c1 
        int type;
Packit Service 4684c1 
        const char *hostname;
Packit Service 4684c1 
        gnutls_datum_t out;
Packit Service 4684c1
Packit Service 4684c1 
        /* read hostname */
Packit Service 4684c1 
        hostname = gnutls_session_get_ptr(session);
Packit Service 4684c1
Packit Service 4684c1 
        /* This verification function uses the trusted CAs in the credentials
Packit Service 4684c1 
         * structure. So you must have installed one or more CA certificates.
Packit Service 4684c1 
         */
Packit Service 4684c1
Packit Service 4684c1 
        CHECK(gnutls_certificate_verify_peers3(session, hostname,
Packit Service 4684c1 
					       &status));
Packit Service 4684c1
Packit Service 4684c1 
        type = gnutls_certificate_type_get(session);
Packit Service 4684c1
Packit Service 4684c1 
        CHECK(gnutls_certificate_verification_status_print(status, type,
Packit Service 4684c1 
                                                           &out, 0));
Packit Service 4684c1
Packit Service 4684c1 
        printf("%s", out.data);
Packit Service 4684c1
Packit Service 4684c1 
        gnutls_free(out.data);
Packit Service 4684c1
Packit Service 4684c1 
        if (status != 0)        /* Certificate is not trusted */
Packit Service 4684c1 
                return GNUTLS_E_CERTIFICATE_ERROR;
Packit Service 4684c1
Packit Service 4684c1 
        /* notify gnutls to continue handshake normally */
Packit Service 4684c1 
        return 0;
Packit Service 4684c1 
}

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation