removed deprecated flag
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Fri, 14 Feb 2014 06:36:19 +0000 (07:36 +0100)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Fri, 14 Feb 2014 06:47:40 +0000 (07:47 +0100)
lib/gnutls_priority.c
lib/includes/gnutls/compat.h
lib/includes/gnutls/x509.h
lib/x509/verify.c
src/certtool.c
tests/chainverify.c

index e990843ef086ada06037926096efe836feafb057..0701b1fb34a397a04ab13502b0b10eaa36f2140d 100644 (file)
@@ -857,15 +857,13 @@ static void enable_server_precedence(gnutls_priority_t c)
 {
        c->server_precedence = 1;
 }
-static void enable_verify_allow_v1_ca_crt(gnutls_priority_t c)
-{
-       c->additional_verify_flags |=
-               GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
-}
 static void enable_new_padding(gnutls_priority_t c)
 {
        c->new_record_padding = 1;
 }
+static void dummy_func(gnutls_priority_t c)
+{
+}
 
 #include <priority_options.h>
 
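Review bot: `dummy_func` is added with an empty body and no comment, so nothing at the definition says why a priority handler that does nothing exists. It appears to stand in for the removed `enable_verify_allow_v1_ca_crt` so that the option table pulled in by `priority_options.h` (not visible here) still resolves. If that is right, say so at the definition, e.g. `/* no-op handler: keeps the deprecated priority keyword parsing without touching additional_verify_flags */`. The parameter `c` is unused and may warn under `-Wunused-parameter`; a `(void)c;` in the body would silence that.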
index 178e341cad547d3f1043330f725490fbb1517aeb..7aca578b9b83ded5f74b7f429c6a06c94156ce59 100644 (file)
@@ -113,6 +113,9 @@ typedef gnutls_datum_t gnutls_datum _GNUTLS_GCC_ATTR_DEPRECATED;
 typedef gnutls_transport_ptr_t gnutls_transport_ptr
     _GNUTLS_GCC_ATTR_DEPRECATED;
 
+/* Old verification flags */
+#define GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT  (0)
+
 /* Old SRP alerts removed in 2.1.x because the TLS-SRP RFC was
    modified to use the PSK alert. */
 #define GNUTLS_A_MISSING_SRP_USERNAME GNUTLS_A_UNKNOWN_PSK_IDENTITY
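Review bot: The compatibility macro `GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT` is defined as `(0)` under the comment `/* Old verification flags */`, which tells a caller neither that the flag is now a no-op nor what the effective policy is. Any code that tests `flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT` will always see zero from now on. Judging from the updated expectations in tests/chainverify.c, a trusted V1 CA appears to be accepted when no flag is set, so I would expand the comment to something like `/* No-op: trusted V1 CAs are accepted by default; pass GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT to refuse them */`. The x509.h hunk also frees bit `1 << 1` in the enum, and a one-line comment there marking it as reserved would keep binaries built against the old header from triggering an unrelated flag if the bit is reused.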
index ec6aa13811714c97392cbfe500cfc9deaf4e99a3..ad562fb7ba309efb6548551fd09929d0c53d91f5 100644 (file)
@@ -739,7 +739,6 @@ int gnutls_pkcs7_delete_crl(gnutls_pkcs7_t pkcs7, int indx);
  */
 typedef enum gnutls_certificate_verify_flags {
        GNUTLS_VERIFY_DISABLE_CA_SIGN = 1 << 0,
-       GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 1 << 1,
        GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 1 << 2,
        GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 1 << 3,
        GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 1 << 4,
index 40ccc088196e2957e940e81b6cf8c8c60ecfe85e..9ee26d394c1f61945293d79e94b28fe4c75e63b0 100644 (file)
@@ -847,7 +847,6 @@ _gnutls_x509_verify_certificate(const gnutls_x509_crt_t * certificate_list,
                 * certificates can exist in a supplied chain.
                 */
                if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) {
-                       flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
                        flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
                }
                if ((ret =
index c3fc5edb7633e33f8e42add4f8e209eb83103935..303eeb204771353b8b1df72fda471a774643c1ce 100644 (file)
@@ -2343,9 +2343,7 @@ _verify_x509_mem(const void *cert, int cert_size, const void *ca,
        ret =
            gnutls_x509_trust_list_verify_crt(list, x509_cert_list,
                                              x509_ncerts,
-                                             GNUTLS_VERIFY_DO_NOT_ALLOW_SAME
-                                             |
-                                             GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
+                                             GNUTLS_VERIFY_DO_NOT_ALLOW_SAME,
                                              &output,
                                              detailed_verification);
        if (ret < 0) {
index 132eecf8e57427a60182d85d111a41e7eef4148b..669fce2832993c7a878093cdd47d9d9a8d63a15c 100644 (file)
@@ -878,7 +878,7 @@ static struct
     0,
     GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID },
   { "verisign.com v1 ok", verisign_com_chain, &verisign_com_chain[3],
-    GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
+    GNUTLS_VERIFY_DISABLE_TIME_CHECKS,
     0 },
   { "citibank.com v1 fail", citibank_com_chain, &citibank_com_chain[2],
     GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID },
@@ -887,17 +887,17 @@ static struct
   { "self signed", pem_self_cert, &pem_self_cert[0],
     GNUTLS_VERIFY_DISABLE_TIME_CHECKS, 0 },
   { "ca=false", thea_chain, &thea_chain[1],
-    GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
+    0,
     GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID },
   { "ca=false2", thea_chain, &thea_chain[1],
     0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID },
   { "hbci v1 fail", hbci_chain, &hbci_chain[2],
     GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID},
   { "hbci v1 ok expired", hbci_chain, &hbci_chain[2],
-    GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
+    0,
     GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID },
   { "hbci v1 ok", hbci_chain, &hbci_chain[2],
-    GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
+    GNUTLS_VERIFY_DISABLE_TIME_CHECKS,
     0 },
   { "rsa-md5 fail", mayfirst_chain, &mayfirst_chain[1],
     0, GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID },
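Review bot: After this change the `"ca=false"` and `"ca=false2"` entries differ only in name, since both pass `thea_chain`, `&thea_chain[1]`, flags `0` and expect `GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID`. One of them can be dropped, or given a flag that exercises a separate path. In addition, no entry in this hunk, the one before it or the one after it still passes the compat macro, so nothing checks that old callers using it compile and verify as before. Keeping `GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT` on one entry such as `"hbci v1 ok"` would cover that, assuming the test's includes still reach compat.h. The table itself starts and ends outside the hunk.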
@@ -928,10 +928,10 @@ static struct
     GNUTLS_VERIFY_DISABLE_TIME_CHECKS, 0 },
 
   { "v1ca expired", v1ca, &v1ca[2],
-    GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
+    0,
     GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID  },
   { "v1ca ok", v1ca, &v1ca[2],
-    GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
+    GNUTLS_VERIFY_DISABLE_TIME_CHECKS,
     0 },
   { "v1ca2 expired", v1ca, &v1ca[2],
     GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT,