diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 07:33:12 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 07:33:12 +0000 |
| commit | 36082a2fe36ecd800d784ae44c14f1f18c66a7e9 (patch) | |
| tree | 6c68e0c0097987aff85a01dabddd34b862309a7c /doc/examples/ex-client-x509-3.1.c | |
| parent | Initial commit. (diff) | |
| download | gnutls28-36082a2fe36ecd800d784ae44c14f1f18c66a7e9.tar.xz gnutls28-36082a2fe36ecd800d784ae44c14f1f18c66a7e9.zip | |
Adding upstream version 3.7.9.upstream/3.7.9upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/examples/ex-client-x509-3.1.c')
| -rw-r--r-- | doc/examples/ex-client-x509-3.1.c | 190 |
1 files changed, 190 insertions, 0 deletions
diff --git a/doc/examples/ex-client-x509-3.1.c b/doc/examples/ex-client-x509-3.1.c new file mode 100644 index 0000000..bd7fd2f --- /dev/null +++ b/doc/examples/ex-client-x509-3.1.c @@ -0,0 +1,190 @@ +/* This example code is placed in the public domain. */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <assert.h> +#include <gnutls/gnutls.h> +#include <gnutls/x509.h> +#include "examples.h" + +/* A very basic TLS client, with X.509 authentication and server certificate + * verification utilizing the GnuTLS 3.1.x API. + * Note that error recovery is minimal for simplicity. + */ + +#define CHECK(x) assert((x)>=0) +#define LOOP_CHECK(rval, cmd) \ + do { \ + rval = cmd; \ + } while(rval == GNUTLS_E_AGAIN || rval == GNUTLS_E_INTERRUPTED); \ + assert(rval >= 0) + +#define MAX_BUF 1024 +#define CAFILE "/etc/ssl/certs/ca-certificates.crt" +#define MSG "GET / HTTP/1.0\r\n\r\n" + +extern int tcp_connect(void); +extern void tcp_close(int sd); +static int _verify_certificate_callback(gnutls_session_t session); + +int main(void) +{ + int ret, sd, ii; + gnutls_session_t session; + char buffer[MAX_BUF + 1]; + gnutls_certificate_credentials_t xcred; + + if (gnutls_check_version("3.1.4") == NULL) { + fprintf(stderr, "GnuTLS 3.1.4 or later is required for this example\n"); + exit(1); + } + + CHECK(gnutls_global_init()); + + /* X509 stuff */ + CHECK(gnutls_certificate_allocate_credentials(&xcred)); + + /* sets the trusted cas file + */ + CHECK(gnutls_certificate_set_x509_trust_file(xcred, CAFILE, + GNUTLS_X509_FMT_PEM)); + gnutls_certificate_set_verify_function(xcred, + _verify_certificate_callback); + + /* If client holds a certificate it can be set using the following: + * + gnutls_certificate_set_x509_key_file (xcred, + "cert.pem", "key.pem", + GNUTLS_X509_FMT_PEM); + */ + + /* Initialize TLS session + */ + CHECK(gnutls_init(&session, GNUTLS_CLIENT)); + + gnutls_session_set_ptr(session, (void *) "www.example.com"); + + gnutls_server_name_set(session, GNUTLS_NAME_DNS, "www.example.com", + strlen("www.example.com")); + + /* use default priorities */ + CHECK(gnutls_set_default_priority(session)); +#if 0 + /* if more fine-graned control is required */ + ret = gnutls_priority_set_direct(session, + "NORMAL", &err); + if (ret < 0) { + if (ret == GNUTLS_E_INVALID_REQUEST) { + fprintf(stderr, "Syntax error at: %s\n", err); + } + exit(1); + } +#endif + + /* put the x509 credentials to the current session + */ + CHECK(gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred)); + + /* connect to the peer + */ + sd = tcp_connect(); + + gnutls_transport_set_int(session, sd); + gnutls_handshake_set_timeout(session, + GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); + + /* Perform the TLS handshake + */ + do { + ret = gnutls_handshake(session); + } + while (ret < 0 && gnutls_error_is_fatal(ret) == 0); + + if (ret < 0) { + fprintf(stderr, "*** Handshake failed\n"); + gnutls_perror(ret); + goto end; + } else { + char *desc; + + desc = gnutls_session_get_desc(session); + printf("- Session info: %s\n", desc); + gnutls_free(desc); + } + + LOOP_CHECK(ret, gnutls_record_send(session, MSG, strlen(MSG))); + + LOOP_CHECK(ret, gnutls_record_recv(session, buffer, MAX_BUF)); + if (ret == 0) { + printf("- Peer has closed the TLS connection\n"); + goto end; + } else if (ret < 0 && gnutls_error_is_fatal(ret) == 0) { + fprintf(stderr, "*** Warning: %s\n", gnutls_strerror(ret)); + } else if (ret < 0) { + fprintf(stderr, "*** Error: %s\n", gnutls_strerror(ret)); + goto end; + } + + if (ret > 0) { + printf("- Received %d bytes: ", ret); + for (ii = 0; ii < ret; ii++) { + fputc(buffer[ii], stdout); + } + fputs("\n", stdout); + } + + CHECK(gnutls_bye(session, GNUTLS_SHUT_RDWR)); + + end: + + tcp_close(sd); + + gnutls_deinit(session); + + gnutls_certificate_free_credentials(xcred); + + gnutls_global_deinit(); + + return 0; +} + +/* This function will verify the peer's certificate, and check + * if the hostname matches, as well as the activation, expiration dates. + */ +static int _verify_certificate_callback(gnutls_session_t session) +{ + unsigned int status; + int type; + const char *hostname; + gnutls_datum_t out; + + /* read hostname */ + hostname = gnutls_session_get_ptr(session); + + /* This verification function uses the trusted CAs in the credentials + * structure. So you must have installed one or more CA certificates. + */ + + CHECK(gnutls_certificate_verify_peers3(session, hostname, + &status)); + + type = gnutls_certificate_type_get(session); + + CHECK(gnutls_certificate_verification_status_print(status, type, + &out, 0)); + + printf("%s", out.data); + + gnutls_free(out.data); + + if (status != 0) /* Certificate is not trusted */ + return GNUTLS_E_CERTIFICATE_ERROR; + + /* notify gnutls to continue handshake normally */ + return 0; +} |