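/* Returns 1 if the first OpenPGP certificate presented by the peer is
 * bound to 'hostname', 0 otherwise (also 0 when the peer sent no
 * certificate or the certificate cannot be decoded).
 *
 * This checks only the *name binding*.  It is not a trust decision: a
 * certificate that names the host may still be unverified or bogus, so
 * callers must verify the peer separately (e.g. with
 * gnutls_certificate_verify_peers2()) before relying on this result. */
static int
verify_openpgp_hostname (gnutls_session_t session, const char *hostname)
{
  gnutls_openpgp_crt_t crt;
  const gnutls_datum_t *cert_list;
  unsigned int cert_list_size = 0;
  int ret;

  /* The list is owned by the session and must not be freed here. */
  cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
  if (cert_list == NULL || cert_list_size == 0)
    {
      fprintf (stderr, "No certificates found!\n");
      return 0;
    }

  /* Initialisation can fail (allocation); the original ignored this and
   * would have imported into an invalid handle. */
  ret = gnutls_openpgp_crt_init (&crt);
  if (ret < 0)
    {
      fprintf (stderr, "Allocation error: %s\n", gnutls_strerror (ret));
      return 0;
    }

  ret = gnutls_openpgp_crt_import (crt, &cert_list[0], GNUTLS_OPENPGP_FMT_RAW);
  if (ret < 0)
    {
      fprintf (stderr, "Decoding error: %s\n", gnutls_strerror (ret));
      /* Release the handle; this path previously leaked it. */
      gnutls_openpgp_crt_deinit (crt);
      return 0;
    }

  /* Only the first certificate in the list (the peer's own) is consulted;
   * a match on any later entry would not be meaningful. */
  if (gnutls_openpgp_crt_check_hostname (crt, hostname) == 0)
    {
      printf ("- The hostname in the certificate does NOT match '%s'\n", hostname);
      ret = 0;
    }
  else
    {
      printf ("- The hostname in the certificate matches '%s'.\n", hostname);
      ret = 1;
    }

  gnutls_openpgp_crt_deinit (crt);
  return ret;
}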
/* Test entry point for hostname matching.
 *
 * Imports a series of fixture certificates (wildcards, pem1..pem11,
 * pem_too_many, pem_ips, multi_cns -- defined elsewhere in this file) into
 * one x509 object and checks gnutls_x509_crt_check_hostname() against
 * names that must and must not match.  The "must not match" cases are
 * the security-relevant ones: each is a name a lax matcher might accept,
 * which would let a certificate issued for one host be used to
 * impersonate another.  The fixture contents are not visible here, so the
 * comments below describe what each assertion pins, and only hedge at
 * why the fixture behaves that way.
 *
 * The x509 object is re-imported in place for every fixture rather than
 * being deinitialised and re-initialised between them. */
void doit(void)
{
	gnutls_x509_crt_t x509;
#ifdef ENABLE_OPENPGP
	gnutls_openpgp_crt_t pgp;
#endif
	gnutls_datum_t data;
	int ret;

	ret = global_init();
	if (ret < 0)
		fail("global_init: %d\n", ret);

	ret = gnutls_x509_crt_init(&x509);
	if (ret < 0)
		fail("gnutls_x509_crt_init: %d\n", ret);

#ifdef ENABLE_OPENPGP
	ret = gnutls_openpgp_crt_init(&pgp);
	if (ret < 0)
		fail("gnutls_openpgp_crt_init: %d\n", ret);
#endif

	/* wildcards: the bare domains must not match; only a host one label
	 * below (www.example.net) may.  A wildcard must never cover the
	 * parent domain itself. */
	if (debug)
		success("Testing wildcards...\n");
	data.data = (unsigned char *) wildcards;
	data.size = strlen(wildcards);
	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "example.com");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "example.org");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "www.example.net");
	if (ret==0)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	/* pem1: an unrelated short name must not match. */
	if (debug)
		success("Testing pem1...\n");
	data.data = (unsigned char *) pem1;
	data.size = strlen(pem1);
	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "foo");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	/* pem2: www.example.org matches, but the literal string
	 * "*.example.org" must not -- a wildcard is a pattern held by the
	 * certificate, not a name a client is allowed to present. */
	if (debug)
		success("Testing pem2...\n");
	data.data = (unsigned char *) pem2;
	data.size = strlen(pem2);
	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "foo");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "www.example.org");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "*.example.org");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	/* pem3: same expectations as pem2 (presumably a differently
	 * encoded name -- not visible here, TODO confirm). */
	if (debug)
		success("Testing pem3...\n");
	data.data = (unsigned char *) pem3;
	data.size = strlen(pem3);
	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "foo");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "www.example.org");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "*.example.org");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	/* pem4: both www.example.org and foo.example.org match, but not when
	 * wildcards are disabled via gnutls_x509_crt_check_hostname2() with
	 * GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS -- so the match presumably
	 * comes from a wildcard entry.  A host in a different domain
	 * (foo.example.com) must not match. */
	if (debug)
		success("Testing pem4...\n");
	data.data = (unsigned char *) pem4;
	data.size = strlen(pem4);
	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "foo");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "www.example.org");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname2(x509, "www.example.org", GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS);
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "foo.example.org");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "foo.example.com");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

#ifdef SUPPORT_COMPLEX_WILDCARDS
	/* pem6 / pem7: only compiled when non-leftmost / partial-label
	 * wildcards are supported.  pem6 matches bar.foo.example.org but not
	 * foo.example.org itself; pem7 matches foobar.example.org and
	 * foobazbar.example.org but nothing under bar.example.org.  The
	 * exact patterns are not visible here -- TODO confirm against the
	 * fixtures. */
	if (debug)
		success("Testing pem6...\n");
	data.data = (unsigned char *) pem6;
	data.size = strlen(pem6);
	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "foo.example.org");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "bar.foo.example.org");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	if (debug)
		success("Testing pem7...\n");
	data.data = (unsigned char *) pem7;
	data.size = strlen(pem7);
	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "foo.bar.example.org");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "foobar.bar.example.org");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "foobar.example.org");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "foobazbar.example.org");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
#endif

	/* pem8: none of the four names below may match.  Older gnutls
	 * accepted www.example.org, "www.example." and www.example.com for
	 * this certificate; that was judged unsafe, see
	 * http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7380
	 * Do not relax these expectations again. */
	if (debug)
		success("Testing pem8...\n");
	data.data = (unsigned char *) pem8;
	data.size = strlen(pem8);
	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	/* this was passing in old gnutls versions, but that was not a
	 * good idea. See http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7380
	 * for a discussion. */
	ret = gnutls_x509_crt_check_hostname(x509, "www.example.org");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	/* A trailing-dot (absolute) form must not be treated as an alias. */
	ret = gnutls_x509_crt_check_hostname(x509, "www.example.");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	/* this was passing in old gnutls versions, but that was not a
	 * good idea. See http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7380
	 * for a discussion.
	 */
	ret = gnutls_x509_crt_check_hostname(x509, "www.example.com");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "www.example.foo.com");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	/* pem9: bar.example.org matches, foo.example.org must not. */
	if (debug)
		success("Testing pem9...\n");
	data.data = (unsigned char *) pem9;
	data.size = strlen(pem9);
	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "foo.example.org");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "bar.example.org");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	/* pem10: "localhost" must not match. */
	if (debug)
		success("Testing pem10...\n");
	data.data = (unsigned char *) pem10;
	data.size = strlen(pem10);
	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "localhost");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	/* pem_too_many: a name carrying more wildcards than the matcher
	 * allows must be rejected outright, not partially honoured. */
	if (debug)
		success("Testing pem_too_many...\n");
	data.data = (unsigned char *) pem_too_many;
	data.size = strlen(pem_too_many);
	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "localhost.gnutls.gnutls.org");
	if (ret)
		fail("%d: Hostname verification should have failed (too many wildcards)\n", __LINE__);

	/* pem-ips: IPv4 and IPv6 literals match only exactly (127.0.0.1,
	 * 192.168.5.1, ::1, fe80::3e97:eff:fe18:359a); a neighbouring
	 * address (127.0.0.2) and a DNS name do not.  Presumably the
	 * fixture carries iPAddress SAN entries -- TODO confirm. */
	if (debug)
		success("Testing pem-ips...\n");
	data.data = (unsigned char *) pem_ips;
	data.size = strlen(pem_ips);
	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "127.0.0.2");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "example.com");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "127.0.0.1");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "192.168.5.1");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "::1");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "fe80::3e97:eff:fe18:359a");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	/* multi-cns: none of the candidate names may match.  The fixture
	 * name suggests several CN attributes; the matcher is expected not
	 * to honour any of them here -- the reason (SAN present, or multiple
	 * CNs being distrusted) is not visible from this file, TODO confirm. */
	if (debug)
		success("Testing multi-cns...\n");
	data.data = (unsigned char *) multi_cns;
	data.size = strlen(multi_cns);
	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "example.com");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "www.example.com");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "www.example2.com");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "www.example3.com");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

#ifdef ENABLE_OPENPGP
	/* pem11: the OpenPGP matcher must accept test.gnutls.org. */
	if (debug)
		success("Testing pem11...\n");
	data.data = (unsigned char *) pem11;
	data.size = strlen(pem11);
	ret = gnutls_openpgp_crt_import(pgp, &data, GNUTLS_OPENPGP_FMT_BASE64);
	if (ret < 0)
		fail("%d: gnutls_openpgp_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_openpgp_crt_check_hostname(pgp, "test.gnutls.org");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	gnutls_openpgp_crt_deinit(pgp);
#endif

	gnutls_x509_crt_deinit(x509);

	gnutls_global_deinit();
}
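/* Describe the peer's first OpenPGP certificate on stdout (one line, or
 * the full dump when the global 'verbose' is set), optionally emit it in
 * base64 when the global 'print_cert' is set, and -- if 'hostname' is
 * non-NULL -- report whether the certificate is bound to that name.
 * A name mismatch terminates the process unless 'insecure' is non-zero.
 *
 * This is a name-binding check only, not a trust decision; the peer's
 * key must be verified elsewhere.  Note also that when the peer sent no
 * certificate at all, nothing is printed and the function returns
 * normally -- callers must not read "no complaint here" as "hostname OK".
 * (Behaviour kept as-is; flagged for the caller's attention.) */
static void
print_openpgp_info (gnutls_session_t session, const char *hostname, int insecure)
{
  gnutls_openpgp_crt_t crt;
  const gnutls_datum_t *cert_list;
  /* gnutls_certificate_get_peers() writes through an unsigned int *;
   * the original passed an int * here. */
  unsigned int cert_list_size = 0;
  int hostname_ok = 0;   /* 0: not checked, 1: mismatch, 2: match */
  int ret;

  /* The list is owned by the session and must not be freed. */
  cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
  if (cert_list != NULL && cert_list_size > 0)
    {
      gnutls_datum_t cinfo;

      ret = gnutls_openpgp_crt_init (&crt);
      if (ret < 0)
        {
          fprintf (stderr, "Allocation error: %s\n", gnutls_strerror (ret));
          return;
        }

      ret = gnutls_openpgp_crt_import (crt, &cert_list[0], GNUTLS_OPENPGP_FMT_RAW);
      if (ret < 0)
        {
          fprintf (stderr, "Decoding error: %s\n", gnutls_strerror (ret));
          gnutls_openpgp_crt_deinit (crt);   /* previously leaked on this path */
          return;
        }

      if (verbose)
        ret = gnutls_openpgp_crt_print (crt, GNUTLS_CRT_PRINT_FULL, &cinfo);
      else
        ret = gnutls_openpgp_crt_print (crt, GNUTLS_CRT_PRINT_ONELINE, &cinfo);
      if (ret == 0)
        {
          printf (" - %s\n", cinfo.data);
          gnutls_free (cinfo.data);
        }

      if (print_cert)
        {
          size_t size = 0;
          char *p = NULL;

          /* Two-pass export: the first call with a NULL buffer reports
           * the required size via GNUTLS_E_SHORT_MEMORY_BUFFER. */
          ret = gnutls_openpgp_crt_export (crt, GNUTLS_OPENPGP_FMT_BASE64, p, &size);
          if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
            {
              p = malloc (size);
              if (!p)
                {
                  fprintf (stderr, "gnutls_malloc\n");
                  exit (1);
                }
              ret = gnutls_openpgp_crt_export (crt, GNUTLS_OPENPGP_FMT_BASE64, p, &size);
            }
          if (ret < 0)
            {
              fprintf (stderr, "Encoding error: %s\n", gnutls_strerror (ret));
              free (p);                          /* previously leaked */
              gnutls_openpgp_crt_deinit (crt);   /* previously leaked */
              return;
            }
          /* Guard against a successful first call leaving p NULL. */
          if (p != NULL)
            {
              /* Assumes the base64 export is NUL-terminated, as the
               * original did -- TODO confirm; fwrite(p, 1, size, ...)
               * would be the safe alternative. */
              fputs (p, stdout);
              fputs ("\n", stdout);
            }
          /* p came from malloc(), so release it with free(); the
           * original paired it with gnutls_free(). */
          free (p);
        }

      if (hostname != NULL)
        {
          /* Only the first certificate is consulted for the name check. */
          if (gnutls_openpgp_crt_check_hostname (crt, hostname) == 0)
            hostname_ok = 1;
          else
            hostname_ok = 2;
        }

      gnutls_openpgp_crt_deinit (crt);
    }

  if (hostname_ok == 1)
    {
      printf ("- The hostname in the certificate does NOT match '%s'\n", hostname);
      /* Fail closed on mismatch unless the user explicitly opted out. */
      if (!insecure)
        exit (1);
    }
  else if (hostname_ok == 2)
    {
      printf ("- The hostname in the certificate matches '%s'.\n", hostname);
    }
}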
/* Test entry point for hostname matching (older revision).
 *
 * Imports fixture certificates pem1..pem11 (defined elsewhere in this
 * file) into one x509 object and checks gnutls_x509_crt_check_hostname()
 * against names that must and must not match.  The fixture contents are
 * not visible here; the comments below state what each assertion pins.
 *
 * NOTE(review): a newer revision of this test on the same page inverts
 * the pem8 expectations for www.example.org, "www.example." and
 * www.example.com (they must NOT match there, with a pointer to a
 * gnutls-devel discussion).  The expectations below therefore encode
 * behaviour that was later judged unsafe; do not treat them as the
 * reference semantics.
 *
 * The x509 object is re-imported in place for every fixture rather than
 * being deinitialised and re-initialised between them. */
void
doit (void)
{
  gnutls_x509_crt_t x509;
#ifdef ENABLE_OPENPGP
  gnutls_openpgp_crt_t pgp;
#endif
  gnutls_datum_t data;
  int ret;

  ret = gnutls_global_init ();
  if (ret < 0)
    fail ("gnutls_global_init: %d\n", ret);

  ret = gnutls_x509_crt_init (&x509);
  if (ret < 0)
    fail ("gnutls_x509_crt_init: %d\n", ret);

#ifdef ENABLE_OPENPGP
  ret = gnutls_openpgp_crt_init (&pgp);
  if (ret < 0)
    fail ("gnutls_openpgp_crt_init: %d\n", ret);
#endif

  /* pem1: an unrelated short name must not match. */
  if (debug)
    success ("Testing pem1...\n");
  data.data = pem1;
  data.size = strlen (pem1);
  ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    fail ("gnutls_x509_crt_import: %d\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foo");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  /* pem2: www.example.org matches, but the literal string
   * "*.example.org" must not -- a wildcard is a pattern held by the
   * certificate, not a name a client may present. */
  if (debug)
    success ("Testing pem2...\n");
  data.data = pem2;
  data.size = strlen (pem2);
  ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    fail ("gnutls_x509_crt_import: %d\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foo");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "www.example.org");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "*.example.org");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  /* pem3: same expectations as pem2. */
  if (debug)
    success ("Testing pem3...\n");
  data.data = pem3;
  data.size = strlen (pem3);
  ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    fail ("gnutls_x509_crt_import: %d\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foo");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "www.example.org");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "*.example.org");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  /* pem4: www.example.org and foo.example.org match (presumably via a
   * wildcard -- TODO confirm); a host in another domain must not. */
  if (debug)
    success ("Testing pem4...\n");
  data.data = pem4;
  data.size = strlen (pem4);
  ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    fail ("gnutls_x509_crt_import: %d\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foo");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "www.example.org");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foo.example.org");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foo.example.com");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  /* pem5: the IP literal 1.2.3.4 matches; DNS names do not.  Whether
   * the address comes from an iPAddress SAN or a CN is not visible
   * here -- TODO confirm. */
  if (debug)
    success ("Testing pem5...\n");
  data.data = pem5;
  data.size = strlen (pem5);
  ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    fail ("gnutls_x509_crt_import: %d\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foo");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "1.2.3.4");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "www.example.org");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  /* pem6: bar.foo.example.org matches but foo.example.org itself must
   * not -- a wildcard never covers the domain it hangs under. */
  if (debug)
    success ("Testing pem6...\n");
  data.data = pem6;
  data.size = strlen (pem6);
  ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    fail ("gnutls_x509_crt_import: %d\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foo.example.org");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "bar.foo.example.org");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  /* pem7: foobar.example.org and foobazbar.example.org match, nothing
   * under bar.example.org does.  Presumably a partial-label wildcard
   * such as foo*.example.org -- TODO confirm. */
  if (debug)
    success ("Testing pem7...\n");
  data.data = pem7;
  data.size = strlen (pem7);
  ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    fail ("gnutls_x509_crt_import: %d\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foo.bar.example.org");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foobar.bar.example.org");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foobar.example.org");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foobazbar.example.org");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  /* pem8: this revision expects www.example.org, "www.example." and
   * www.example.com to all match, and only www.example.foo.com to be
   * rejected.  NOTE(review): the newer revision of this test expects all
   * three to NOT match; accepting a trailing-dot form and a different
   * TLD for one certificate lets it stand in for hosts it was not issued
   * to, and should not be reintroduced. */
  if (debug)
    success ("Testing pem8...\n");
  data.data = pem8;
  data.size = strlen (pem8);
  ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    fail ("gnutls_x509_crt_import: %d\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "www.example.org");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "www.example.");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "www.example.com");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "www.example.foo.com");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  /* pem9: bar.example.org matches, foo.example.org must not. */
  if (debug)
    success ("Testing pem9...\n");
  data.data = pem9;
  data.size = strlen (pem9);
  ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    fail ("gnutls_x509_crt_import: %d\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foo.example.org");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "bar.example.org");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  /* pem10: "localhost" must not match. */
  if (debug)
    success ("Testing pem10...\n");
  data.data = pem10;
  data.size = strlen (pem10);
  ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    fail ("gnutls_x509_crt_import: %d\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "localhost");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

#ifdef ENABLE_OPENPGP
  /* pem11: the OpenPGP matcher must accept test.gnutls.org. */
  if (debug)
    success ("Testing pem11...\n");
  data.data = pem11;
  data.size = strlen (pem11);
  ret = gnutls_openpgp_crt_import (pgp, &data, GNUTLS_OPENPGP_FMT_BASE64);
  if (ret < 0)
    fail ("gnutls_openpgp_crt_import: %d\n", ret);

  ret = gnutls_openpgp_crt_check_hostname (pgp, "test.gnutls.org");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  gnutls_openpgp_crt_deinit (pgp);
#endif

  gnutls_x509_crt_deinit (x509);

  gnutls_global_deinit ();
}