From 3632cb3eaf778507070b8613684586e4e00af68b Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Tue, 30 Oct 2012 15:49:44 +0100
Subject: [PATCH] Added gnutls_certificate_update_verify_flags() to allow setting new flags without overriding any defaults.

---
 NEWS | 1 +
 doc/cha-cert-auth.texi | 5 +++--
 lib/gnutls_ui.c | 25 +++++++++++++++++++++----
 lib/includes/gnutls/gnutls.h.in | 2 ++
 lib/libgnutls.map | 1 +
 5 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/NEWS b/NEWS
index b7301b3f1..1363fc965 100644
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,7 @@ the available revocation data validity.
 ** API and ABI modifications:
 gnutls_session_get_id2: Added
+gnutls_certificate_update_verify_flags: Added
 GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: Added.
 GNUTLS_CERT_REVOCATION_DATA_INVALID: Added.
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index cb395cbd1..72b9919e0 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -625,6 +625,7 @@ of the signature.
 If you are using @funcref{gnutls_certificate_verify_peers2} to verify the
 certificate chain, you can call
+@funcref{gnutls_certificate_update_verify_flags} or
 @funcref{gnutls_certificate_set_verify_flags} with the flags:
 @itemize
 @item @code{GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2}
@@ -633,11 +634,11 @@ certificate chain, you can call
 as in the following example:
 @example
-  gnutls_certificate_set_verify_flags (x509cred,
+  gnutls_certificate_update_verify_flags (x509cred,
                                       GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
 @end example
-This will tell the verifier algorithm to enable @code{RSA-MD5} when
+This will signal the verifier algorithm to enable @code{RSA-MD5} when
 verifying the certificates.
 If you are using @funcref{gnutls_x509_crt_verify} or
diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c
index 1cd53f273..8b157e76d 100644
--- a/lib/gnutls_ui.c
+++ b/lib/gnutls_ui.c
@@ -684,10 +684,9 @@ gnutls_certificate_set_params_function (gnutls_certificate_credentials_t res,
  * @res: is a gnutls_certificate_credentials_t structure
  * @flags: are the flags
  *
- * This function will set the flags to be used at verification of the
- * certificates. Flags must be OR of the
- * #gnutls_certificate_verify_flags enumerations. The default
- * for TLS sessions is GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN.
+ * This function will set the flags to be used for verification
+ * of certificates and override any defaults. The provided flags must be an OR of the
+ * #gnutls_certificate_verify_flags enumerations.
  *
  **/
 void
@@ -698,6 +697,24 @@ gnutls_certificate_set_verify_flags (gnutls_certificate_credentials_t
 }
 /**
+ * gnutls_certificate_update_verify_flags:
+ * @res: is a gnutls_certificate_credentials_t structure
+ * @flags: are the new flags
+ *
+ * This function will update the default flags to be used for verification
+ * of certificates. The provided flags must be an OR of the
+ * #gnutls_certificate_verify_flags enumerations. The default
+ * for TLS sessions is GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN.
+ *
+ **/
+void
+gnutls_certificate_update_verify_flags (gnutls_certificate_credentials_t
+                                    res, unsigned int flags)
+{
+  res->verify_flags |= flags;
+}
+
+/**
  * gnutls_certificate_set_verify_limits:
  * @res: is a gnutls_certificate_credentials structure
  * @max_bits: is the number of bits of an acceptable certificate (default 8200)
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index e60914e68..1b8c1d8f7 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
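Review bot: The new gnutls_certificate_update_verify_flags() is purely additive — `res->verify_flags |= flags;` — so a permissive flag such as GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5, once OR-ed in, cannot be withdrawn through this function for the lifetime of the credentials, and neither the name "update" nor the comment's "update the default flags" tells the caller that. The kernel-doc block in the second hunk should state the semantics and point at the reset path, e.g. `* The given flags are OR-ed into the flags currently in effect; this` / `* function cannot clear a flag. To replace the whole set, including` / `* the defaults, use gnutls_certificate_set_verify_flags().`. Conversely, the rewritten gnutls_certificate_set_verify_flags() comment in the first hunk now says only "override any defaults" without naming them; since the default (GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN, per the new function's comment) is silently dropped by a plain set, naming it there too would save a reader from having to find the other function. A one-line `Since:` tag on the new function would help consumers of the versioned API, if the file's other recent additions carry one.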
@@ -1152,6 +1152,8 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t session);
 gnutls_dh_params_t dh_params);
 void gnutls_certificate_set_verify_flags (gnutls_certificate_credentials_t
 res, unsigned int flags);
+ void gnutls_certificate_update_verify_flags (gnutls_certificate_credentials_t
+ res, unsigned int flags);
 void gnutls_certificate_set_verify_limits (gnutls_certificate_credentials_t
 res, unsigned int max_bits,
 unsigned int max_depth);
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 751e49b7b..3cee073e5 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -858,6 +858,7 @@ GNUTLS_3_1_0 {
 gnutls_pubkey_import_x509_raw;
 gnutls_certificate_get_peers_subkey_id;
 gnutls_session_get_id2;
+ gnutls_certificate_update_verify_flags;
 } GNUTLS_3_0_0;
 GNUTLS_PRIVATE {
--
2.11.4.GIT