authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-03-01 11:47:17 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-03-02 16:03:27 +0100
commitc653a8e384f329bc9d63ef9c0995e03540a6837d (patch)
treebbe7fc7fa9e86fbc22f5e4c2e93fb135dfbd2f3d /lib/includes/gnutls/x509.h
parent6f7c7db6469adb72db27a1173218dd55aeb1e90f (diff)
x509.h: introduced flag GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS
That flag tells the verification process not to fail on unknown critical extensions. This can be used when the critical extension checking in a chain is handled externally. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/includes/gnutls/x509.h')
-rw-r--r--lib/includes/gnutls/x509.h5
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index c47fad1c8c..1972c91140 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -902,6 +902,8 @@ int gnutls_x509_crl_set_number(gnutls_x509_crl_t crl,
* check in the verification, do not consider any wildcards.
* @GNUTLS_VERIFY_USE_TLS1_RSA: This indicates that a (raw) RSA signature is provided
* as in the TLS 1.0 protocol. Not all functions accept this flag.
+ * @GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS: This signals the verification
+ * process, not to fail on unknown critical extensions.
*
* Enumeration of different certificate verify flags. Additional
* verification profiles can be set using GNUTLS_PROFILE_TO_VFLAGS()
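Review bot: The new `@GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS` entry does not state what the caller takes on by setting the flag. RFC 5280 requires a validator to reject a certificate that carries a critical extension it does not recognize, so with this flag set that check has to be done by the application. The commit message says the flag is meant for the case where critical extensions are handled externally, but the header comment, which is what API users will read, does not. I would extend the entry with a sentence such as `The caller is then responsible for checking the critical extensions of every certificate in the chain; do not set this flag otherwise.` The doc comment starts and ends outside this hunk.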
@@ -920,7 +922,8 @@ typedef enum gnutls_certificate_verify_flags {
GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN = 1 << 10,
GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN = 1 << 11,
GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS = 1 << 12,
- GNUTLS_VERIFY_USE_TLS1_RSA = 1 << 13
+ GNUTLS_VERIFY_USE_TLS1_RSA = 1 << 13,
+ GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS = 1 << 14
/* cannot exceed 2^24 due to GNUTLS_PROFILE_TO_VFLAGS() */
} gnutls_certificate_verify_flags;