From: Nikos Mavrogiannopoulos
Date: Wed, 18 Nov 2015 19:13:07 +0000 (+0100)
Subject: Added gnutls_certificate_flags() and GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH
X-Git-Tag: gnutls_3_5_0~547
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=84070107a45378e0981ea2bb01df73bcceb607b2;p=thirdparty%2Fgnutls.git

Added gnutls_certificate_flags() and GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH

That allows a user of the credentials to disable the certificate matching action. That is, to disable the calls to sign and verify on initialization.
---
diff --git a/lib/auth/cert.h b/lib/auth/cert.h
index c99a020e09..cab6036f0b 100644
--- a/lib/auth/cert.h
+++ b/lib/auth/cert.h
@@ -62,6 +62,7 @@ typedef struct gnutls_certificate_credentials_st {
 /* X509 specific stuff */
 gnutls_x509_trust_list_t tlist;
+ unsigned flags; /* gnutls_certificate_flags */
 unsigned int verify_flags; /* flags to be used at
 * certificate verification. */
diff --git a/lib/cert.c b/lib/cert.c
index 2d79c9672e..04427775d1 100644
--- a/lib/cert.c
+++ b/lib/cert.c
@@ -829,6 +829,9 @@ int _gnutls_check_key_cert_match(gnutls_certificate_credentials_t res)
 gnutls_datum_t sig = {NULL, 0};
 int pk, pk2, ret;
+ if (res->flags & GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH)
+ return 0;
+
 pk = gnutls_pubkey_get_pk_algorithm(res->certs[res->ncerts - 1].
 cert_list[0].pubkey, NULL);
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 4923fc93bb..c74dfdb663 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
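Review bot: The new `flags` member in gnutls_certificate_credentials_st is only meaningful if the credentials allocator zero-initializes the structure; the allocation is not part of this diff, so confirm it does, because a stale bit in this field would silently disable the key/certificate match check for every credential. The adjacent `verify_flags` member is declared `unsigned int` and documents what reads it; matching that with `unsigned int flags; /* gnutls_certificate_flags, read by _gnutls_check_key_cert_match() */` keeps the struct uniform and points the reader at the consumer. The struct definition starts before the hunk.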
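Review bot: The early return added at the top of `_gnutls_check_key_cert_match` reports success with no trace that the check was skipped, so a private key that does not belong to the certificate is accepted into the credentials and the mismatch will presumably only surface later as a failing signature operation during a handshake. That trade-off should be stated at the return site, e.g. `/* caller opted out via GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH: a key that does not match the certificate is NOT detected here and only fails when used */`, and a debug-level log line at the same spot would make the skipped check visible when such a handshake failure is being diagnosed. The rest of the function's body lies outside the hunk.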
@@ -1542,6 +1542,19 @@ void gnutls_certificate_set_verify_flags(gnutls_certificate_credentials_t
 unsigned int gnutls_certificate_get_verify_flags(gnutls_certificate_credentials_t res);
+/**
+ * gnutls_certificate_flags:
+ * @GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH: Skip the key and certificate matching check.
+ *
+ * Enumeration of different certificate credentials flags.
+ */
+typedef enum gnutls_certificate_flags {
+ GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH = 1
+} gnutls_certificate_flags;
+
+void gnutls_certificate_set_flags(gnutls_certificate_credentials_t,
+ unsigned flags);
+
 void gnutls_certificate_set_verify_limits(gnutls_certificate_credentials_t res, unsigned int max_bits, unsigned int max_depth);
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index e0833c7592..3a9c1c1566 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1068,6 +1068,7 @@ GNUTLS_3_4
 gnutls_x509_crt_set_subject_unique_id;
 gnutls_x509_crt_set_issuer_unique_id;
 gnutls_global_init_skip;
+ gnutls_certificate_set_flags;
 local: *;
 };
diff --git a/lib/ui.c b/lib/ui.c
index 7aa9f06af7..95c0ee838e 100644
--- a/lib/ui.c
+++ b/lib/ui.c
@@ -622,6 +622,23 @@ gnutls_certificate_set_params_function(gnutls_certificate_credentials_t
 res->params_func = func;
 }
+/**
+ * gnutls_certificate_set_flags:
+ * @res: is a gnutls_certificate_credentials_t type
+ * @flags: are the flags of #gnutls_certificate_flags type
+ *
+ * This function will set flags to tweak the operation of
+ * the credentials structure. See the #gnutls_certificate_flags enumerations
+ * for more information on the available flags.
+ *
+ **/
+void
+gnutls_certificate_set_flags(gnutls_certificate_credentials_t res,
+ unsigned int flags)
+{
+ res->flags = flags;
+}
+
 /**
 * gnutls_certificate_set_verify_flags:
 * @res: is a gnutls_certificate_credentials_t type
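Review bot: The new prototype `void gnutls_certificate_set_flags(gnutls_certificate_credentials_t, unsigned flags);` drops the parameter name and spells the type `unsigned`, whereas the neighbouring declaration `gnutls_certificate_get_verify_flags(gnutls_certificate_credentials_t res)` keeps the name and the definition in lib/ui.c uses `unsigned int`; `void gnutls_certificate_set_flags(gnutls_certificate_credentials_t res, unsigned int flags);` would agree with both. Unlike the verify_flags pair visible in the context, the setter has no getter, so a caller cannot OR a flag into the existing value without clobbering whatever else is set. The enum doc should also say what skipping the check costs: `@GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH: Skip the check that the private key matches the certificate when loading; a mismatch then goes undetected until the key is used.` Note that the commit subject names `gnutls_certificate_flags()` while the function actually added is `gnutls_certificate_set_flags()`.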
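Review bot: `gnutls_certificate_set_flags` stores `flags` unconditionally and its doc comment does not say when it has to be called; the field is consulted in `_gnutls_check_key_cert_match`, which per the commit message runs on initialization, so setting the flag after the certificate and key have already been loaded presumably has no effect on a check that has already run. The doc comment should state that ordering and the consequence, e.g. `* The flags only affect certificate and key loading calls made after this function. GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH disables a sanity check, so a key that does not match its certificate is only detected when the credentials are used.` If the project's API documentation convention carries a `Since:` tag, this new public function should also get one.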