-rw-r--r--doc/cha-gtls-app.texi22
-rw-r--r--doc/examples/ex-serv-x509.c9
-rw-r--r--lib/ext/status_request.c3
-rw-r--r--lib/includes/gnutls/gnutls.h.in4
-rw-r--r--lib/x509.c81
-rw-r--r--tests/Makefile.am2
-rw-r--r--tests/set_key.c2
-rw-r--r--tests/set_x509_key.c2
-rw-r--r--tests/set_x509_key_file.c5
-rw-r--r--tests/set_x509_key_file_legacy.c176
-rw-r--r--tests/set_x509_key_file_ocsp_multi.c2
-rw-r--r--tests/set_x509_key_file_ocsp_multi2.c2
-rw-r--r--tests/set_x509_key_utf8.c2
13 files changed, 285 insertions, 27 deletions
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 63843124c8..7ee6ce81ae 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -82,11 +82,23 @@ resumed one, and will share the same session ID with the previous one.
@node Error handling
@subsection Error handling
-There two types of @acronym{GnuTLS} functions. One type returns
-a boolean true (non-zero) or false (zero) value, which are set
-to return an unsigned integer type. The other type returns a
-signed integer type with zero indicating success and a negative
-value indicating failure.
+There two types of @acronym{GnuTLS} functions. The first type returns
+a boolean value, true (non-zero) or false (zero) value; these functions
+are defined to return an unsigned integer type. The other type returns a
+signed integer type with zero (or a positive number) indicating
+success and a negative value indicating failure. For the latter
+type it is recommended to check for errors as following.
+@example
+ ret = gnutls_function();
+ if (ret < 0) @{
+ return -1;
+ @}
+@end example
+The above example checks for a failure condition rather than
+for explicit success (e.g., equality to zero). That has the advantage
+that future extensions of the API can be extended to provide
+additional information via positive returned values (see for example
+@funcref{gnutls_certificate_set_x509_key_file}).
For certain operations such as TLS handshake and TLS packet receive
there is the notion of fatal and non-fatal error codes.
diff --git a/doc/examples/ex-serv-x509.c b/doc/examples/ex-serv-x509.c
index e67c9592b5..4bf1940b89 100644
--- a/doc/examples/ex-serv-x509.c
+++ b/doc/examples/ex-serv-x509.c
@@ -63,11 +63,16 @@ int main(void)
CHECK(gnutls_certificate_set_x509_crl_file(x509_cred, CRLFILE,
GNUTLS_X509_FMT_PEM));
+ /* The following code sets the certificate key pair as well as,
+ * an OCSP response which corresponds to it. It is possible
+ * to set multiple key-pairs and multiple OCSP status responses
+ * (the latter since 3.5.6). See the manual pages of the individual
+ * functions for more information.
+ */
CHECK(gnutls_certificate_set_x509_key_file(x509_cred, CERTFILE,
KEYFILE,
GNUTLS_X509_FMT_PEM));
- /* loads an OCSP status request if available */
CHECK(gnutls_certificate_set_ocsp_status_request_file(x509_cred,
OCSP_STATUS_FILE,
0));
@@ -75,9 +80,11 @@ int main(void)
CHECK(gnutls_priority_init(&priority_cache,
"PERFORMANCE:%SERVER_PRECEDENCE", NULL));
+#if GNUTLS_VERSION_NUMBER >= 0x030506
/* only available since GnuTLS 3.5.6, on previous versions see
* gnutls_certificate_set_dh_params(). */
gnutls_certificate_set_known_dh_params(x509_cred, GNUTLS_SEC_PARAM_MEDIUM);
+#endif
/* Socket operations
*/
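Review bot: The new `#if GNUTLS_VERSION_NUMBER >= 0x030506` guard has no `#else`, so a build against an older GnuTLS configures no Diffie-Hellman parameters at all and the pointer to gnutls_certificate_set_dh_params() stays a comment. Because this file is commonly copied as a server template, I would either add an `#else` branch that calls gnutls_certificate_set_dh_params() with loaded or generated parameters, or move the comment above the `#if` and state the consequence, e.g. `/* without this call no DH parameters are set; before 3.5.6 use gnutls_certificate_set_dh_params() */`. main() continues outside the hunk, so a fallback elsewhere in the file cannot be ruled out from here.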
diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c
index 01d0266151..203b481132 100644
--- a/lib/ext/status_request.c
+++ b/lib/ext/status_request.c
@@ -475,7 +475,8 @@ static int file_ocsp_func(gnutls_session_t session, void *ptr,
* file accesses.
*
* Note: the ability to set multiple OCSP responses per credential
- * structure via @idx was added in version 3.5.5.
+ * structure via @idx was added in version 3.5.6 with the
+ * %GNUTLS_CERTIFICATE_API_V2 flag.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
* otherwise a negative error code is returned.
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 2d5f5097b7..a90918742b 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1661,11 +1661,13 @@ gnutls_certificate_get_verify_flags(gnutls_certificate_credentials_t res);
/**
* gnutls_certificate_flags:
* @GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH: Skip the key and certificate matching check.
+ * @GNUTLS_CERTIFICATE_API_V2: If set the gnutls_certificate_set_*key* functions will return an index of the added key pair instead of zero.
*
* Enumeration of different certificate credentials flags.
*/
typedef enum gnutls_certificate_flags {
- GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH = 1
+ GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH = 1,
+ GNUTLS_CERTIFICATE_API_V2 = (1<<1)
} gnutls_certificate_flags;
void gnutls_certificate_set_flags(gnutls_certificate_credentials_t,
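Review bot: The doc line for `GNUTLS_CERTIFICATE_API_V2` says neither when the flag has to be set nor since which release it exists, and both matter to a caller. The return convention of the gnutls_certificate_set_*key* functions is decided by the flag at the time of each call, so it should be set right after gnutls_certificate_allocate_credentials() and before the first key pair is added; I would extend the line to end with `Must be set before any key pair is added. Since 3.5.6.`. If gnutls_certificate_set_flags() assigns the flag word rather than OR-ing into it (its body is not part of this diff), the comment should also tell callers to pass `GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH | GNUTLS_CERTIFICATE_API_V2` in one call when both are wanted, since otherwise one setting silently replaces the other.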
diff --git a/lib/x509.c b/lib/x509.c
index 9dcef3b65d..aa5ea5177c 100644
--- a/lib/x509.c
+++ b/lib/x509.c
@@ -57,6 +57,13 @@
* some x509 certificate parsing functions.
*/
+#define CRED_RET_SUCCESS(cred) \
+ if (cred->flags & GNUTLS_CERTIFICATE_API_V2) { \
+ return cred->ncerts-1; \
+ } else { \
+ return 0; \
+ }
+
/* fifteen days */
#define MAX_OCSP_VALIDITY_SECS (15*60*60*24)
#ifdef ENABLE_OCSP
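Review bot: `CRED_RET_SUCCESS` hides a `return` inside a bare `if`/`else` macro with an unparenthesised argument, so a call site such as `CRED_RET_SUCCESS(res);` reads like an ordinary statement although it leaves the function, and the expansion would mis-parse under an unbraced `if`. An expression macro keeps the control flow visible at the call site: `#define CRED_SUCCESS_RET(cred) (((cred)->flags & GNUTLS_CERTIFICATE_API_V2) ? (cred)->ncerts - 1 : 0)` used as `return CRED_SUCCESS_RET(res);`. The last hunk of this file repeats the flag test by hand with `idx` before its `done:` label; a short comment there pointing at the macro would keep the two conventions in step.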
@@ -986,7 +993,12 @@ read_key_file(gnutls_certificate_credentials_t res,
* The @key may be %NULL if you are using a sign callback, see
* gnutls_sign_callback_set().
*
- * Returns: An index of the inserted certificate chain on success (greater or equal to zero), or a negative error code.
+ * Note that, this function by default returns zero on success and a negative value on error.
+ * Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set on the credentials structure
+ * it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair.
+ *
+ * Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior).
+ *
**/
int
gnutls_certificate_set_x509_key_mem(gnutls_certificate_credentials_t res,
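Review bot: The new `Returns:` line says the function returns zero on success, which contradicts the note directly above it once `GNUTLS_CERTIFICATE_API_V2` is set, and `Returns:` is the line that generated manuals surface. I would state both conventions there, e.g. `Returns: On success zero, or the index of the added key pair (greater or equal to zero) when %GNUTLS_CERTIFICATE_API_V2 is set; otherwise a negative error code.`, and fix the slips `this functions` and `can be used to other functions` (read `can be passed to other functions`). It is also worth telling callers to test `ret < 0` rather than `ret != 0`, since a comparison against zero treats valid indexes as failures under the new flag. The same paragraph is repeated in every later doc-comment hunk of lib/x509.c that replaces the old `Returns: An index ...` line, so the correction applies to each of them.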
@@ -1022,7 +1034,11 @@ gnutls_certificate_set_x509_key_mem(gnutls_certificate_credentials_t res,
* The @key may be %NULL if you are using a sign callback, see
* gnutls_sign_callback_set().
*
- * Returns: An index of the inserted certificate chain on success (greater or equal to zero), or a negative error code.
+ * Note that, this function by default returns zero on success and a negative value on error.
+ * Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set on the credentials structure
+ * it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair.
+ *
+ * Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior).
**/
int
gnutls_certificate_set_x509_key_mem2(gnutls_certificate_credentials_t res,
@@ -1052,8 +1068,7 @@ gnutls_certificate_set_x509_key_mem2(gnutls_certificate_credentials_t res,
return ret;
}
- /* return the index of the chain */
- return res->ncerts-1;
+ CRED_RET_SUCCESS(res);
}
int
@@ -1115,7 +1130,11 @@ certificate_credentials_append_pkey(gnutls_certificate_credentials_t res,
* If that function fails to load the @res type is at an undefined state, it must
* not be reused to load other keys or certificates.
*
- * Returns: An index of the inserted certificate chain on success (greater or equal to zero), or a negative error code.
+ * Note that, this function by default returns zero on success and a negative value on error.
+ * Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set on the credentials structure
+ * it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair.
+ *
+ * Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior).
*
* Since: 2.4.0
**/
@@ -1197,7 +1216,7 @@ gnutls_certificate_set_x509_key(gnutls_certificate_credentials_t res,
return ret;
}
- return res->ncerts-1;
+ CRED_RET_SUCCESS(res);
cleanup:
gnutls_free(pcerts);
@@ -1219,11 +1238,12 @@ gnutls_certificate_set_x509_key(gnutls_certificate_credentials_t res,
* gnutls_certificate_set_x509_key_mem2(). The returned key must be deallocated
* with gnutls_x509_privkey_deinit() when no longer needed.
*
+ * The @index matches the return value of gnutls_certificate_set_x509_key() and friends
+ * functions, when the %GNUTLS_CERTIFICATE_API_V2 flag is set.
+ *
* If there is no key with the given index,
* %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned. If the key with the
* given index is not a X.509 key, %GNUTLS_E_INVALID_REQUEST is returned.
- * The @index matches the value gnutls_certificate_set_x509_key() and friends
- * functions.
*
* Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
*
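Review bot: The reworded paragraph defines `@index` only for callers that set `GNUTLS_CERTIFICATE_API_V2` and does not say what to pass without the flag, where the setters now return 0 for every key pair. A legacy-mode caller who feeds that return value back in would always address the first key pair and silently get the wrong key, so the comment should say so, e.g. `Without that flag the setters return zero and the caller must track the index itself (key pairs are numbered from zero in the order they were added).`. The ordering claim is inferred from `cred->ncerts-1` in CRED_RET_SUCCESS and should be confirmed against the getter body, which is outside this hunk. The next hunk, for gnutls_certificate_get_x509_crt, carries the same paragraph and needs the same sentence.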
@@ -1258,8 +1278,10 @@ gnutls_certificate_get_x509_key(gnutls_certificate_credentials_t res,
* certificate list must be deallocated with gnutls_x509_crt_deinit(), and the
* list itself must be freed with gnutls_free().
*
- * The @index matches the value gnutls_certificate_set_x509_key() and friends
- * functions. If there is no certificate with the given index,
+ * The @index matches the return value of gnutls_certificate_set_x509_key() and friends
+ * functions, when the %GNUTLS_CERTIFICATE_API_V2 flag is set.
+ *
+ * If there is no certificate with the given index,
* %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned. If the certificate
* with the given index is not a X.509 certificate, %GNUTLS_E_INVALID_REQUEST
* is returned. The returned certificates must be deinitialized after
@@ -1329,7 +1351,11 @@ gnutls_certificate_get_x509_crt(gnutls_certificate_credentials_t res,
* If that function fails to load the @res structure is at an undefined state, it must
* not be reused to load other keys or certificates.
*
- * Returns: An index of the inserted certificate chain on success (greater or equal to zero), or a negative error code.
+ * Note that, this function by default returns zero on success and a negative value on error.
+ * Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set on the credentials structure
+ * it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair.
+ *
+ * Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior).
*
* Since: 3.0
**/
@@ -1421,7 +1447,7 @@ gnutls_certificate_set_key(gnutls_certificate_credentials_t res,
goto cleanup;
}
- return res->ncerts-1;
+ CRED_RET_SUCCESS(res);
cleanup:
_gnutls_str_array_clear(&str_names);
@@ -1502,7 +1528,11 @@ gnutls_certificate_get_trust_list(gnutls_certificate_credentials_t res,
* If that function fails to load the @res structure is at an undefined state, it must
* not be reused to load other keys or certificates.
*
- * Returns: An index of the inserted certificate chain on success (greater or equal to zero), or a negative error code.
+ * Note that, this function by default returns zero on success and a negative value on error.
+ * Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set on the credentials structure
+ * it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair.
+ *
+ * Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior).
*
* Since: 3.1.11
**/
@@ -1550,7 +1580,11 @@ gnutls_certificate_set_x509_key_file(gnutls_certificate_credentials_t res,
* If that function fails to load the @res structure is at an undefined state, it must
* not be reused to load other keys or certificates.
*
- * Returns: An index of the inserted certificate chain on success (greater or equal to zero), or a negative error code.
+ * Note that, this function by default returns zero on success and a negative value on error.
+ * Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set on the credentials structure
+ * it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair.
+ *
+ * Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior).
*
**/
int
@@ -1580,7 +1614,7 @@ gnutls_certificate_set_x509_key_file2(gnutls_certificate_credentials_t res,
return ret;
}
- return res->ncerts-1;
+ CRED_RET_SUCCESS(res);
}
/* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this
@@ -1972,7 +2006,11 @@ int ret;
* complexity that would make it harder to use this functionality at
* all.
*
- * Returns: An index of the inserted certificate chain on success (greater or equal to zero), or a negative error code.
+ * Note that, this function by default returns zero on success and a negative value on error.
+ * Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set on the credentials structure
+ * it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair.
+ *
+ * Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior).
*
**/
int
@@ -2028,7 +2066,11 @@ int
* complexity that would make it harder to use this functionality at
* all.
*
- * Returns: An index of the inserted certificate chain on success (greater or equal to zero), or a negative error code.
+ * Note that, this function by default returns zero on success and a negative value on error.
+ * Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set on the credentials structure
+ * it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair.
+ *
+ * Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior).
*
* Since: 2.8.0
**/
@@ -2098,7 +2140,10 @@ int
}
}
- ret = idx;
+ if (res->flags & GNUTLS_CERTIFICATE_API_V2)
+ ret = idx;
+ else
+ ret = 0;
done:
if (chain) {
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 12c5b7ae5e..a0a85afe5e 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -116,7 +116,7 @@ ctests = mini-record-2 simple gc set_pkcs12_cred certder certuniqueid \
client_dsa_key server_ecdsa_key tls-session-ext-register tls-session-supplemental \
multi-alerts naked-alerts pkcs7-cat-parse set_known_dh_params_x509 \
set_known_dh_params_anon set_known_dh_params_psk session-tickets-ok \
- session-tickets-missing
+ session-tickets-missing set_x509_key_file_legacy
if HAVE_SECCOMP_TESTS
ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
diff --git a/tests/set_key.c b/tests/set_key.c
index 3097d81749..38c1d52c9e 100644
--- a/tests/set_key.c
+++ b/tests/set_key.c
@@ -134,6 +134,8 @@ static void basic(void)
assert(gnutls_certificate_allocate_credentials(&clicred) >= 0);
assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0);
+ gnutls_certificate_set_flags(x509_cred, GNUTLS_CERTIFICATE_API_V2);
+
ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));
diff --git a/tests/set_x509_key.c b/tests/set_x509_key.c
index 306bcd0809..6a189540d9 100644
--- a/tests/set_x509_key.c
+++ b/tests/set_x509_key.c
@@ -156,6 +156,8 @@ static void basic(void)
assert(gnutls_certificate_allocate_credentials(&clicred) >= 0);
assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0);
+ gnutls_certificate_set_flags(x509_cred, GNUTLS_CERTIFICATE_API_V2);
+
ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));
diff --git a/tests/set_x509_key_file.c b/tests/set_x509_key_file.c
index b76e6d6377..504e6dc609 100644
--- a/tests/set_x509_key_file.c
+++ b/tests/set_x509_key_file.c
@@ -21,6 +21,9 @@
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
+/* This test checks the behavior of gnutls_certificate_set_x509_key_file2()
+ * when the GNUTLS_CERTIFICATE_API_V2 is set */
+
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
@@ -136,6 +139,8 @@ void doit(void)
assert(gnutls_certificate_allocate_credentials(&xcred) >= 0);
assert(gnutls_certificate_allocate_credentials(&clicred) >= 0);
+ gnutls_certificate_set_flags(xcred, GNUTLS_CERTIFICATE_API_V2);
+
ret = gnutls_certificate_set_x509_trust_mem(clicred, &subca3_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));
diff --git a/tests/set_x509_key_file_legacy.c b/tests/set_x509_key_file_legacy.c
new file mode 100644
index 0000000000..143b9120b2
--- /dev/null
+++ b/tests/set_x509_key_file_legacy.c
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) 2014-2016 Nikos Mavrogiannopoulos
+ * Copyright (C) 2016 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+/* This test checks the behavior of gnutls_certificate_set_x509_key_file2()
+ * when the GNUTLS_CERTIFICATE_API_V2 is not set */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+
+#include "cert-common.h"
+#include "utils.h"
+
+static time_t mytime(time_t * t)
+{
+ time_t then = 1470002400;
+ if (t)
+ *t = then;
+
+ return then;
+}
+
+static void compare(const gnutls_datum_t *der, const void *ipem)
+{
+ gnutls_datum_t pem = {(void*)ipem, strlen((char*)ipem)};
+ gnutls_datum_t new_der;
+ int ret;
+
+ ret = gnutls_pem_base64_decode2("CERTIFICATE", &pem, &new_der);
+ if (ret < 0) {
+ fail("error: %s\n", gnutls_strerror(ret));
+ }
+
+ if (der->size != new_der.size || memcmp(der->data, new_der.data, der->size) != 0) {
+ fail("error in %d: %s\n", __LINE__, "cert don't match");
+ exit(1);
+ }
+ gnutls_free(new_der.data);
+ return;
+}
+
+static unsigned set_cert(gnutls_certificate_credentials_t xcred, const gnutls_datum_t *key, const gnutls_datum_t *cert)
+{
+ const char *certfile;
+ FILE *fp;
+ int ret;
+
+ certfile = get_tmpname(NULL);
+
+ fp = fopen(certfile, "w");
+ if (fp == NULL)
+ fail("error in fopen\n");
+ assert(fwrite(cert->data, 1, cert->size, fp)>0);
+ assert(fwrite(key->data, 1, key->size, fp)>0);
+ fclose(fp);
+
+ ret = gnutls_certificate_set_x509_key_file2(xcred, certfile, certfile,
+ GNUTLS_X509_FMT_PEM, NULL, 0);
+ if (ret < 0)
+ fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret));
+
+ /* return index */
+ return ret;
+}
+
+static void verify_written_cert(gnutls_certificate_credentials_t xcred, unsigned idx, const gnutls_datum_t *cert, unsigned ncerts)
+{
+ int ret;
+ gnutls_datum_t tcert = {NULL, 0};
+
+ /* verify whether the stored certificate match the ones we have */
+ ret = gnutls_certificate_get_crt_raw(xcred, idx, 0, &tcert);
+ if (ret < 0) {
+ fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ exit(1);
+ }
+
+ compare(&tcert, cert->data);
+
+ if (ncerts > 1) {
+ ret = gnutls_certificate_get_crt_raw(xcred, idx, 1, &tcert);
+ if (ret < 0) {
+ fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ exit(1);
+ }
+
+ /* skip headers of first cert */
+ compare(&tcert, cert->data+2);
+ }
+}
+
+void doit(void)
+{
+ int ret;
+ gnutls_certificate_credentials_t xcred, clicred;
+ const char *keyfile = "./certs/ecc256.pem";
+ const char *certfile = "does-not-exist.pem";
+ unsigned idx, i;
+
+ global_init();
+ assert(gnutls_certificate_allocate_credentials(&xcred) >= 0);
+ gnutls_global_set_time_function(mytime);
+ track_temp_files();
+
+ /* this will fail */
+ ret = gnutls_certificate_set_x509_key_file2(xcred, certfile, keyfile,
+ GNUTLS_X509_FMT_PEM, NULL, 0);
+ if (ret != GNUTLS_E_FILE_ERROR)
+ fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret));
+
+ gnutls_certificate_free_credentials(xcred);
+
+ assert(gnutls_certificate_allocate_credentials(&xcred) >= 0);
+ assert(gnutls_certificate_allocate_credentials(&clicred) >= 0);
+
+ ret = gnutls_certificate_set_x509_trust_mem(clicred, &subca3_cert, GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
+ fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));
+
+ success("Testing store of certificates\n");
+
+ idx = set_cert(xcred, &server_ca3_key, &server_ca3_localhost6_cert_chain);
+ verify_written_cert(xcred, idx, &server_ca3_localhost6_cert_chain, 2);
+ assert(idx == 0);
+
+ success("Tested store of %d\n", idx);
+
+ idx = set_cert(xcred, &server_ca3_key, &server_ca3_localhost_cert);
+ assert(idx == 0);
+
+ success("Tested store of %d\n", idx);
+
+ test_cli_serv(xcred, clicred, "NORMAL", "localhost", NULL, NULL, NULL); /* the DNS name of the first cert */
+
+ idx = set_cert(xcred, &server_key, &server_cert);
+ assert(idx == 0);
+
+ success("Tested store of %d\n", idx);
+
+ for (i=0;i<16;i++) {
+ idx = set_cert(xcred, &server_ecc_key, &server_ecc_cert);
+ assert(idx == 0);
+ success("Tested store of %d\n", idx);
+ }
+
+ gnutls_certificate_free_credentials(xcred);
+ gnutls_certificate_free_credentials(clicred);
+ gnutls_global_deinit();
+ delete_temp_files();
+}
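Review bot: After the first key pair the test only asserts `idx == 0` and never checks that the later pairs were actually stored, because `verify_written_cert()` is called once with the returned index, which carries no position information in legacy mode. Passing the expected position explicitly would cover the append path, e.g. `verify_written_cert(xcred, 1, &server_ca3_localhost_cert, 1);` after the second `set_cert()` call. Separately, `compare()` uses `strlen` and `memcmp` while the file does not include `<string.h>` itself, so it relies on `utils.h` or `cert-common.h` providing it, and the first `fail()` in `compare()` is not followed by `exit(1)`, so `new_der` would be read uninitialised if `fail()` returns.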
diff --git a/tests/set_x509_key_file_ocsp_multi.c b/tests/set_x509_key_file_ocsp_multi.c
index 2f0e903bad..b2847055e0 100644
--- a/tests/set_x509_key_file_ocsp_multi.c
+++ b/tests/set_x509_key_file_ocsp_multi.c
@@ -115,6 +115,8 @@ void doit(void)
assert(gnutls_certificate_allocate_credentials(&xcred) >= 0);
assert(gnutls_certificate_allocate_credentials(&clicred) >= 0);
+ gnutls_certificate_set_flags(xcred, GNUTLS_CERTIFICATE_API_V2);
+
certfile1 = get_tmpname(certname1);
/* set cert with localhost name */
diff --git a/tests/set_x509_key_file_ocsp_multi2.c b/tests/set_x509_key_file_ocsp_multi2.c
index d9b7c637bb..10c1b81a6f 100644
--- a/tests/set_x509_key_file_ocsp_multi2.c
+++ b/tests/set_x509_key_file_ocsp_multi2.c
@@ -126,6 +126,8 @@ void doit(void)
assert(gnutls_certificate_allocate_credentials(&xcred) >= 0);
assert(gnutls_certificate_allocate_credentials(&clicred) >= 0);
+ gnutls_certificate_set_flags(xcred, GNUTLS_CERTIFICATE_API_V2);
+
certfile1 = get_tmpname(certname1);
/* set cert with localhost name */
diff --git a/tests/set_x509_key_utf8.c b/tests/set_x509_key_utf8.c
index 496bd57c92..838ec84028 100644
--- a/tests/set_x509_key_utf8.c
+++ b/tests/set_x509_key_utf8.c
@@ -160,6 +160,8 @@ void doit(void)
assert(gnutls_certificate_allocate_credentials(&clicred) >= 0);
assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0);
+ gnutls_certificate_set_flags(x509_cred, GNUTLS_CERTIFICATE_API_V2);
+
ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));