void doit(void) { gnutls_certificate_credentials_t x509_cred; gnutls_certificate_allocate_credentials(&x509_cred); /* The file does not need to exist for this test */ gnutls_certificate_set_ocsp_status_request_file (x509_cred, "ocsp-status.der", 0); gnutls_certificate_set_ocsp_status_request_file (x509_cred, "ocsp-status.der", 0); gnutls_certificate_free_credentials(x509_cred); }
int main(void) { int listen_sd; int sd, ret; gnutls_certificate_credentials_t x509_cred; gnutls_priority_t priority_cache; struct sockaddr_in sa_serv; struct sockaddr_in sa_cli; socklen_t client_len; char topbuf[512]; gnutls_session_t session; char buffer[MAX_BUF + 1]; int optval = 1; /* for backwards compatibility with gnutls < 3.3.0 */ CHECK(gnutls_global_init()); CHECK(gnutls_certificate_allocate_credentials(&x509_cred)); CHECK(gnutls_certificate_set_x509_trust_file(x509_cred, CAFILE, GNUTLS_X509_FMT_PEM)); CHECK(gnutls_certificate_set_x509_crl_file(x509_cred, CRLFILE, GNUTLS_X509_FMT_PEM)); /* The following code sets the certificate key pair as well as, * an OCSP response which corresponds to it. It is possible * to set multiple key-pairs and multiple OCSP status responses * (the latter since 3.5.6). See the manual pages of the individual * functions for more information. */ CHECK(gnutls_certificate_set_x509_key_file(x509_cred, CERTFILE, KEYFILE, GNUTLS_X509_FMT_PEM)); CHECK(gnutls_certificate_set_ocsp_status_request_file(x509_cred, OCSP_STATUS_FILE, 0)); CHECK(gnutls_priority_init(&priority_cache, NULL, NULL)); /* Instead of the default options as shown above one could specify * additional options such as server precedence in ciphersuite selection * as follows: * gnutls_priority_init2(&priority_cache, * "%SERVER_PRECEDENCE", * NULL, GNUTLS_PRIORITY_INIT_DEF_APPEND); */ #if GNUTLS_VERSION_NUMBER >= 0x030506 /* only available since GnuTLS 3.5.6, on previous versions see * gnutls_certificate_set_dh_params(). */ gnutls_certificate_set_known_dh_params(x509_cred, GNUTLS_SEC_PARAM_MEDIUM); #endif /* Socket operations */ listen_sd = socket(AF_INET, SOCK_STREAM, 0); memset(&sa_serv, '\0', sizeof(sa_serv)); sa_serv.sin_family = AF_INET; sa_serv.sin_addr.s_addr = INADDR_ANY; sa_serv.sin_port = htons(PORT); /* Server Port number */ setsockopt(listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *) &optval, sizeof(int)); bind(listen_sd, (struct sockaddr *) &sa_serv, sizeof(sa_serv)); listen(listen_sd, 1024); printf("Server ready. Listening to port '%d'.\n\n", PORT); client_len = sizeof(sa_cli); for (;;) { CHECK(gnutls_init(&session, GNUTLS_SERVER)); CHECK(gnutls_priority_set(session, priority_cache)); CHECK(gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred)); /* We don't request any certificate from the client. * If we did we would need to verify it. One way of * doing that is shown in the "Verifying a certificate" * example. */ gnutls_certificate_server_set_request(session, GNUTLS_CERT_IGNORE); gnutls_handshake_set_timeout(session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); sd = accept(listen_sd, (struct sockaddr *) &sa_cli, &client_len); printf("- connection from %s, port %d\n", inet_ntop(AF_INET, &sa_cli.sin_addr, topbuf, sizeof(topbuf)), ntohs(sa_cli.sin_port)); gnutls_transport_set_int(session, sd); LOOP_CHECK(ret, gnutls_handshake(session)); if (ret < 0) { close(sd); gnutls_deinit(session); fprintf(stderr, "*** Handshake has failed (%s)\n\n", gnutls_strerror(ret)); continue; } printf("- Handshake was completed\n"); /* see the Getting peer's information example */ /* print_info(session); */ for (;;) { LOOP_CHECK(ret, gnutls_record_recv(session, buffer, MAX_BUF)); if (ret == 0) { printf ("\n- Peer has closed the GnuTLS connection\n"); break; } else if (ret < 0 && gnutls_error_is_fatal(ret) == 0) { fprintf(stderr, "*** Warning: %s\n", gnutls_strerror(ret)); } else if (ret < 0) { fprintf(stderr, "\n*** Received corrupted " "data(%d). Closing the connection.\n\n", ret); break; } else if (ret > 0) { /* echo data back to the client */ CHECK(gnutls_record_send(session, buffer, ret)); } } printf("\n"); /* do not wait for the peer to close the connection. */ LOOP_CHECK(ret, gnutls_bye(session, GNUTLS_SHUT_WR)); close(sd); gnutls_deinit(session); } close(listen_sd); gnutls_certificate_free_credentials(x509_cred); gnutls_priority_deinit(priority_cache); gnutls_global_deinit(); return 0; }
void doit(void) { int ret; gnutls_certificate_credentials_t xcred; gnutls_certificate_credentials_t clicred; const char *certfile; const char *ocspfile1; char certname[TMPNAME_SIZE], ocspname1[TMPNAME_SIZE]; time_t t; FILE *fp; global_init(); gnutls_global_set_time_function(mytime); assert(gnutls_certificate_allocate_credentials(&xcred) >= 0); assert(gnutls_certificate_allocate_credentials(&clicred) >= 0); certfile = get_tmpname(certname); fp = fopen(certfile, "wb"); if (fp == NULL) fail("error in fopen\n"); assert(fwrite(server_localhost_ca3_cert_chain_pem, 1, strlen(server_localhost_ca3_cert_chain_pem), fp)>0); assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0); fclose(fp); /* set cert with localhost name */ ret = gnutls_certificate_set_x509_key_file2(xcred, certfile, certfile, GNUTLS_X509_FMT_PEM, NULL, 0); if (ret < 0) fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret)); fp = fopen(certfile, "wb"); if (fp == NULL) fail("error in fopen\n"); assert(fwrite(server_localhost6_ca3_cert_chain_pem, 1, strlen(server_localhost6_ca3_cert_chain_pem), fp)>0); assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0); fclose(fp); gnutls_certificate_set_flags(xcred, GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK); /* set OCSP response */ ocspfile1 = get_tmpname(ocspname1); fp = fopen(ocspfile1, "wb"); if (fp == NULL) fail("error in fopen\n"); assert(fwrite(ocsp_resp1.data, 1, ocsp_resp1.size, fp)>0); fclose(fp); ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile1, 0); if (ret < 0) fail("ocsp file set failed: %s\n", gnutls_strerror(ret)); t = gnutls_certificate_get_ocsp_expiration(xcred, 0, 0, 0); if (t != 1511689427) fail("error in OCSP validity time: %ld\n", (long int)t); t = gnutls_certificate_get_ocsp_expiration(xcred, 0, 1, 0); if (t != -1) fail("error in OCSP validity time: %ld\n", (long int)t); t = gnutls_certificate_get_ocsp_expiration(xcred, 0, -1, 0); if (t != 1511689427) fail("error in OCSP validity time: %ld\n", (long int)t); /* make sure that our invalid OCSP responses are not considered in verification */ gnutls_certificate_set_verify_flags(clicred, GNUTLS_VERIFY_DISABLE_CRL_CHECKS); if (gnutls_certificate_get_verify_flags(clicred) != GNUTLS_VERIFY_DISABLE_CRL_CHECKS) fail("error in gnutls_certificate_set_verify_flags\n"); ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM); if (ret < 0) { fail("error in setting trust cert: %s\n", gnutls_strerror(ret)); } test_cli_serv(xcred, clicred, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2", "localhost", &ocsp_resp1, check_response, NULL); /* the DNS name of the first cert */ test_cli_serv(xcred, clicred, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost", &ocsp_resp1, check_response, NULL); /* the DNS name of the first cert */ gnutls_certificate_free_credentials(xcred); gnutls_certificate_free_credentials(clicred); gnutls_global_deinit(); remove(ocspfile1); remove(certfile); }