From: Nikos Mavrogiannopoulos
Date: Mon, 13 Jan 2014 09:47:33 +0000 (+0100)
Subject: doc update
X-Git-Tag: gnutls_3_3_0pre0~353
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1d90fe4a76cdb87a583ca5e13847fb2fb8539259;p=thirdparty%2Fgnutls.git
doc update
---
diff --git a/NEWS b/NEWS
index bc4a5bf33f..dbab24207e 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,18 @@ See the end for copying conditions.
 
 * Version 3.3.0 (unreleased)
 
+** libgnutls: certificate verification profiles were introduced
+that can be specified as flags to verification functions. They
+are enumerations in gnutls_certificate_verification_profiles_t
+and can be converted to flags using GNUTLS_PROFILE_TO_VFLAGS()
+
+** libgnutls: When specifying a priority string a corresponding
+certificate verification profile is automatically set.
+
+** libgnutls: Increased the default security level of priority
+strings to corresponding defaults. The %COMPAT keyword is extended
+to revert to old defaults, by reducing the overall security level.
+
+** libgnutls: The initialization of the library was moved to a constructor. That is, gnutls_global_init() is no longer required unless linking with a static library or a system that does not
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 27c76d3f71..6ca62eaccd 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -733,7 +733,9 @@ int gnutls_pkcs7_delete_crl(gnutls_pkcs7_t pkcs7, int indx);
  * @GNUTLS_VERIFY_DISABLE_CRL_CHECKS: Disable checking for validity
  * using certificate revocation lists or the available OCSP data.
  *
- * Enumeration of different certificate verify flags.
+ * Enumeration of different certificate verify flags. Additional
+ * verification profiles can be set using GNUTLS_PROFILE_TO_VFLAGS()
+ * and %gnutls_certificate_verification_profiles_t.
  */
 typedef enum gnutls_certificate_verify_flags {
 	GNUTLS_VERIFY_DISABLE_CA_SIGN = 1 << 0,
@@ -751,7 +753,7 @@ typedef enum gnutls_certificate_verify_flags {
 } gnutls_certificate_verify_flags;
 
 /**
- * gnutls_certificate_verification_profiles:
+ * gnutls_certificate_verification_profiles_t:
  * @GNUTLS_PROFILE_LOW: A verification profile that
  * corresponds to @GNUTLS_SEC_PARAM_LOW (80 bits)
  * @GNUTLS_PROFILE_LEGACY: A verification profile that
@@ -762,14 +764,14 @@ typedef enum gnutls_certificate_verify_flags {
  * corresponds to @GNUTLS_SEC_PARAM_HIGH (128 bits)
  * @GNUTLS_PROFILE_ULTRA: A verification profile that
  * corresponds to @GNUTLS_SEC_PARAM_ULTRA (256 bits)
- * @GNUTLS_PROFILE_SUITEB128: A verification profile that
+% * @GNUTLS_PROFILE_SUITEB128: A verification profile that
  * applies the SUITEB128 rules
  * @GNUTLS_PROFILE_SUITEB192: A verification profile that
  * applies the SUITEB192 rules
  *
  * Enumeration of different certificate verification profiles.
  */
-typedef enum gnutls_certificate_verification_profiles {
+typedef enum gnutls_certificate_verification_profiles_t {
 	GNUTLS_PROFILE_LOW = 2,
 	GNUTLS_PROFILE_LEGACY = 4,
 	GNUTLS_PROFILE_NORMAL = 5,
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 0b6feebb1b..6102361429 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -686,6 +686,11 @@ unsigned i, j;
  * its status. The @verify parameter will hold an OR'ed sequence of
  * %gnutls_certificate_status_t flags.
  *
+ * Additionally a certificate verification profile can be specified
+ * from the ones in %gnutls_certificate_verification_profiles_t by
+ * ORing the result of GNUTLS_PROFILE_TO_VFLAGS() to the verification
+ * flags.
+ *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  * negative error value.
  *
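Review bot: The added line `+% * @GNUTLS_PROFILE_SUITEB128: A verification profile that` in the `@@ -762,14 +764,14 @@` hunk starts with a stray `%` in column 0, where every neighbouring line of this doc block starts with ` *`; unless that is a rendering artifact of this page, the commit introduces a typo. It is harmless to the compiler because it sits inside the block comment, but the documentation generator keys the per-value descriptions on the ` * @NAME:` line shape, so the SUITEB128 entry will probably be dropped or mis-parsed in the generated manual. The line should read ` * @GNUTLS_PROFILE_SUITEB128: A verification profile that`, as it did before the change. The renamed tag on `+typedef enum gnutls_certificate_verification_profiles_t {` closes outside the hunk; it is worth confirming that the typedef name on the closing line is the one the new NEWS text and the verify-high.c comments cite, `gnutls_certificate_verification_profiles_t`.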
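Review bot: The paragraph added in the `@@ -686,6 +686,11 @@` hunk says how to request a profile but not what the function does when the caller ORs none in, nor how a chain that fails the chosen profile is reported, so from this comment a caller cannot tell whether omitting GNUTLS_PROFILE_TO_VFLAGS() means no minimum or some default, or which %gnutls_certificate_status_t bit to test in @verify; the function body lies outside the hunk, so I cannot confirm the behaviour from here. I would extend the new text after `+ * flags.` with a sentence along the lines of ` * When no profile is given, <DEFAULT BEHAVIOUR — fill in from the implementation>; a chain that does not satisfy the profile is flagged with <STATUS FLAG — fill in> in @verify.`. If GNUTLS_PROFILE_TO_VFLAGS() encodes the profile value in a bit field rather than as independent flags, ORing two profile values would yield a third, unintended profile, and the comment should then state that exactly one profile may be given. The same paragraph is added verbatim in the hunk at `@@ -801,6 +806,11 @@`, which needs the same completion.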
@@ -801,6 +806,11 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list,
  * In addition to that this function will also check CRLs.
  * The @verify parameter will hold an OR'ed sequence of %gnutls_certificate_status_t flags.
  *
+ * Additionally a certificate verification profile can be specified
+ * from the ones in %gnutls_certificate_verification_profiles_t by
+ * ORing the result of GNUTLS_PROFILE_TO_VFLAGS() to the verification
+ * flags.
+ *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  * negative error value.
  *