doc/examples/ex-verify-ssh.c

   1 /* This example code is placed in the public domain. */
   2
   3 #ifdef HAVE_CONFIG_H
   4 #include <config.h>
   5 #endif
   6
   7 #include <stdio.h>
   8 #include <stdlib.h>
   9 #include <string.h>
  10 #include <gnutls/gnutls.h>
  11 #include <gnutls/x509.h>
  12 #include "examples.h"
  13
  14 /* This function will verify the peer's certificate, check
  15  * if the hostname matches. In addition it will perform an
  16  * SSH-style authentication, where ultimately trusted keys
  17  * are only the keys that have been seen before.
  18  */
  19 int
  20 _ssh_verify_certificate_callback (gnutls_session_t session)
  21 {
  22   unsigned int status;
  23   const gnutls_datum_t *cert_list;
  24   unsigned int cert_list_size;
  25   int ret, type;
  26   gnutls_datum_t out;
  27   const char *hostname;
  28
  29   /* read hostname */
  30   hostname = gnutls_session_get_ptr (session);
  31
  32   /* This verification function uses the trusted CAs in the credentials
  33    * structure. So you must have installed one or more CA certificates.
  34    */
  35   ret = gnutls_certificate_verify_peers3 (session, hostname, &status);
  36   if (ret < 0)
  37     {
  38       printf ("Error\n");
  39       return GNUTLS_E_CERTIFICATE_ERROR;
  40     }
  41
  42   type = gnutls_certificate_type_get (session);
  43
  44   ret = gnutls_certificate_verification_status_print( status, type, &out, 0);
  45   if (ret < 0)
  46     {
  47       printf ("Error\n");
  48       return GNUTLS_E_CERTIFICATE_ERROR;
  49     }
  50
  51   printf ("%s", out.data);
  52
  53   gnutls_free(out.data);
  54
  55   if (status != 0) /* Certificate is not trusted */
  56       return GNUTLS_E_CERTIFICATE_ERROR;
  57
  58   /* Do SSH verification */
  59   cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
  60   if (cert_list == NULL)
  61     {
  62       printf ("No certificate was found!\n");
  63       return GNUTLS_E_CERTIFICATE_ERROR;
  64     }
  65
  66   /* service may be obtained alternatively using getservbyport() */
  67   ret = gnutls_verify_stored_pubkey(NULL, NULL, hostname, "https",
  68                                     type, &cert_list[0], 0);
  69   if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
  70     {
  71       printf("Host %s is not known.", hostname);
  72       if (status == 0)
  73         printf("Its certificate is valid for %s.\n", hostname);
  74
  75       /* the certificate must be printed and user must be asked on
  76        * whether it is trustworthy. --see gnutls_x509_crt_print() */
  77
  78       /* if not trusted */
  79       return GNUTLS_E_CERTIFICATE_ERROR;
  80     }
  81   else if (ret == GNUTLS_E_CERTIFICATE_KEY_MISMATCH)
  82     {
  83       printf("Warning: host %s is known but has another key associated.", hostname);
  84       printf("It might be that the server has multiple keys, or you are under attack\n");
  85       if (status == 0)
  86         printf("Its certificate is valid for %s.\n", hostname);
  87
  88       /* the certificate must be printed and user must be asked on
  89        * whether it is trustworthy. --see gnutls_x509_crt_print() */
  90
  91       /* if not trusted */
  92       return GNUTLS_E_CERTIFICATE_ERROR;
  93     }
  94   else if (ret < 0)
  95     {
  96       printf("gnutls_verify_stored_pubkey: %s\n", gnutls_strerror(ret));
  97       return ret;
  98     }
  99
 100   /* user trusts the key -> store it */
 101   if (ret != 0)
 102     {
 103       ret = gnutls_store_pubkey(NULL, NULL, hostname, "https",
 104                                 type, &cert_list[0], 0, 0);
 105       if (ret < 0)
 106         printf("gnutls_store_pubkey: %s\n", gnutls_strerror(ret));
 107     }
 108
 109   /* notify gnutls to continue handshake normally */
 110   return 0;
 111 }
 112