Added gnutls_certificate_flags() and GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 18 Nov 2015 19:13:07 +0000 (20:13 +0100)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 18 Nov 2015 19:16:11 +0000 (20:16 +0100)
That allows a user of the credentials to disable the key and certificate
matching check, that is, to disable the calls to sign and verify on initialization.

lib/auth/cert.h
lib/cert.c
lib/includes/gnutls/gnutls.h.in
lib/libgnutls.map
lib/ui.c

index c99a020e090f7005fd728303df46187d2a0fa4fd..cab6036f0b91eb060ad51f35eeaae05fa2c83c54 100644 (file)
@@ -62,6 +62,7 @@ typedef struct gnutls_certificate_credentials_st {
 
        /* X509 specific stuff */
        gnutls_x509_trust_list_t tlist;
+       unsigned flags; /* gnutls_certificate_flags */
        unsigned int verify_flags;      /* flags to be used at 
                                         * certificate verification.
                                         */
index 2d79c9672ea62288d762c3cd249e63a12f580388..04427775d15ce40b9d942445cde80ddafda5b988 100644 (file)
@@ -829,6 +829,9 @@ int _gnutls_check_key_cert_match(gnutls_certificate_credentials_t res)
        gnutls_datum_t sig = {NULL, 0};
        int pk, pk2, ret;
 
+       if (res->flags & GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH)
+               return 0;
+
        pk =
            gnutls_pubkey_get_pk_algorithm(res->certs[res->ncerts - 1].
                                           cert_list[0].pubkey, NULL);
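Review bot: The early return at the top of _gnutls_check_key_cert_match() reports success without saying why, so credentials holding a private key that does not belong to the certificate now load cleanly and the mismatch presumably only shows up later, during a handshake. A comment above the new check would make that explicit, e.g. `/* caller opted out of the sign/verify self-test; a key that does not match the certificate is not detected here */`. The return also sits before `pk` and `pk2` are computed, so what looks like a cheap public-key algorithm comparison is skipped together with the signature round trip; if only the expensive sign and verify calls are meant to be avoided, the flag check could move below that comparison. The function body continues outside the hunk.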
index 4923fc93bb638dd61ba1698f4a7ecef27e2e62c6..c74dfdb66365a4c2b3c8797e70edfce451cfa97b 100644 (file)
@@ -1542,6 +1542,19 @@ void gnutls_certificate_set_verify_flags(gnutls_certificate_credentials_t
 unsigned int
 gnutls_certificate_get_verify_flags(gnutls_certificate_credentials_t res);
 
+/**
+ * gnutls_certificate_flags:
+ * @GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH: Skip the key and certificate matching check.
+ *
+ * Enumeration of different certificate credentials flags.
+ */
+typedef enum gnutls_certificate_flags {
+       GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH = 1
+} gnutls_certificate_flags;
+
+void gnutls_certificate_set_flags(gnutls_certificate_credentials_t,
+                                 unsigned flags);
+
 void gnutls_certificate_set_verify_limits(gnutls_certificate_credentials_t
                                          res, unsigned int max_bits,
                                          unsigned int max_depth);
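Review bot: The documentation line for `GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH` does not tell callers what they give up: with the flag set, a private key that does not belong to the certificate is no longer rejected by the matching check. I would extend the `@GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH` entry to say that the sign and verify test is skipped and that the caller is then responsible for making sure the pair matches. As a smaller style point, the prototype of gnutls_certificate_set_flags() drops the parameter name and writes `unsigned flags` while the definition in lib/ui.c uses `unsigned int flags`; `void gnutls_certificate_set_flags(gnutls_certificate_credentials_t res, unsigned int flags);` would match the neighbouring declarations.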
index e0833c7592e3d4079d8f2d9e347e6c227d50234a..3a9c1c156601b3045ff3c097a4b7f35aebcdad94 100644 (file)
@@ -1068,6 +1068,7 @@ GNUTLS_3_4
        gnutls_x509_crt_set_subject_unique_id;
        gnutls_x509_crt_set_issuer_unique_id;
        gnutls_global_init_skip;
+       gnutls_certificate_set_flags;
  local:
        *;
 };
index 7aa9f06af7f1c64146d1a3ab87b37ffae8cd4d9c..95c0ee838e8049f688caabdde44e9358dfa48ded 100644 (file)
--- a/lib/ui.c
+++ b/lib/ui.c
@@ -622,6 +622,23 @@ gnutls_certificate_set_params_function(gnutls_certificate_credentials_t
        res->params_func = func;
 }
 
+/**
+ * gnutls_certificate_set_flags:
+ * @res: is a gnutls_certificate_credentials_t type
+ * @flags: are the flags of #gnutls_certificate_flags type
+ *
+ * This function will set flags to tweak the operation of
+ * the credentials structure. See the #gnutls_certificate_flags enumerations
+ * for more information on the available flags. 
+ *
+ **/
+void
+gnutls_certificate_set_flags(gnutls_certificate_credentials_t res,
+                            unsigned int flags)
+{
+       res->flags = flags;
+}
+
 /**
  * gnutls_certificate_set_verify_flags:
  * @res: is a gnutls_certificate_credentials_t type
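Review bot: The doc comment for gnutls_certificate_set_flags() leaves out two things a caller needs to use the flag safely. The assignment `res->flags = flags;` replaces any flags set earlier rather than adding to them, and, judging from the check in _gnutls_check_key_cert_match(), the flag probably has to be set before the key and certificate are loaded to have any effect. I would add a sentence for each to the description, e.g. `Any previously set flags are overwritten.` and `Call this before loading keys into @res; flags set afterwards do not affect keys already loaded.`, the second to be confirmed against the call sites, which are outside the hunk. `res` is dereferenced without a NULL check, which matches the setter visible just above the hunk.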