From c653a8e384f329bc9d63ef9c0995e03540a6837d Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Wed, 1 Mar 2017 11:47:17 +0100
Subject: x509.h: introduced flag GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS

That flag signals the verification process, not to fail on unknown critical extensions. This can be used when the critical extension checking in a chain is handled externally.

Signed-off-by: Nikos Mavrogiannopoulos
---
 lib/includes/gnutls/x509.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'lib/includes/gnutls/x509.h')

diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index c47fad1c8c..1972c91140 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -902,6 +902,8 @@ int gnutls_x509_crl_set_number(gnutls_x509_crl_t crl,
 * check in the verification, do not consider any wildcards.
 * @GNUTLS_VERIFY_USE_TLS1_RSA: This indicates that a (raw) RSA signature is provided
 * as in the TLS 1.0 protocol. Not all functions accept this flag.
+ * @GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS: This signals the verification
+ * process, not to fail on unknown critical extensions.
 *
 * Enumeration of different certificate verify flags. Additional
 * verification profiles can be set using GNUTLS_PROFILE_TO_VFLAGS()
@@ -920,7 +922,8 @@ typedef enum gnutls_certificate_verify_flags {
 GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN = 1 << 10,
 GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN = 1 << 11,
 GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS = 1 << 12,
- GNUTLS_VERIFY_USE_TLS1_RSA = 1 << 13
+ GNUTLS_VERIFY_USE_TLS1_RSA = 1 << 13,
+ GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS = 1 << 14
 /* cannot exceed 2^24 due to GNUTLS_PROFILE_TO_VFLAGS() */
 } gnutls_certificate_verify_flags;
--
cgit v1.2.1
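Review bot: The new doc-comment line for @GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS in the first hunk drops the precondition that the commit message states, namely that the flag is only appropriate when critical-extension checking is done by the caller; since RFC 5280 requires a relying party to reject a certificate carrying an unrecognized critical extension, a public header entry that merely says "not to fail" invites callers to set it as a convenience and silently weaken chain validation. I would reword the two added lines as `@GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS: Do not fail verification on unknown critical extensions. Only safe when the caller checks critical extensions itself (RFC 5280 requires rejecting unrecognized ones).` and, as with GNUTLS_VERIFY_USE_TLS1_RSA above it, note which verification functions honour the flag if not all of them do. The enum addition in the second hunk is fine: 1 << 14 stays within the 2^24 bound recorded in the trailing comment; the enum's opening `typedef enum` line lies outside that hunk.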