authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-08-05 15:27:58 +0200
committerGitLab <gitlab@gitlab.com>2016-08-05 14:48:54 +0000
commit1599afb0aaf4427cf9b0cee478054940ff24716a (patch)
tree55c4df678b4f71bf847c766b6668524db7ce8537
parent4ed51aa3b9cc29fd2a020fa00b21e56e7c3776b6 (diff)
Introduced GNUTLS_CERTIFICATE_FAST_LOAD flag
This is a flag used in gnutls_certificate_set_flags() and can be used to optimize certificate loading. It corresponds to the GNUTLS_TL_FAST_LOAD flag for PKCS#11 trust list loading.
-rw-r--r--lib/cert-session.c3
-rw-r--r--lib/includes/gnutls/gnutls.h.in6
-rw-r--r--lib/x509.c15
3 files changed, 18 insertions, 6 deletions
diff --git a/lib/cert-session.c b/lib/cert-session.c
index 19c84e5f1e..280981470c 100644
--- a/lib/cert-session.c
+++ b/lib/cert-session.c
@@ -178,6 +178,9 @@ gnutls_certificate_set_params_function(gnutls_certificate_credentials_t
* the credentials structure. See the #gnutls_certificate_flags enumerations
* for more information on the available flags.
*
+ * For certain flags to be considered this must be the first call
+ * after initializing the credentials structure.
+ *
* Since: 3.4.7
**/
void
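Review bot: The sentence added at the top of the hunk says "certain flags" without naming them, so a reader of gnutls_certificate_set_flags() cannot tell which flag is order-sensitive; the lib/x509.c part of this commit reads cred->flags inside gnutls_certificate_set_x509_trust_file(), gnutls_certificate_set_x509_trust_dir() and gnutls_certificate_set_x509_system_trust(), so the flag in question is GNUTLS_CERTIFICATE_FAST_LOAD. Suggest replacing the two added lines with ` * %GNUTLS_CERTIFICATE_FAST_LOAD is only honoured by trust-loading calls made after this one,` / ` * so set it before gnutls_certificate_set_x509_trust_file() and related functions.` The documented function itself begins after the hunk's last line.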
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index b28e9010ce..3a9330da9c 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1644,11 +1644,15 @@ gnutls_certificate_get_verify_flags(gnutls_certificate_credentials_t res);
/**
* gnutls_certificate_flags:
* @GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH: Skip the key and certificate matching check.
+ * @GNUTLS_CERTIFICATE_FAST_LOAD: Skip the CA certificate enumeration where possible.
+ * This flag applies to gnutls_certificate_set_x509_trust_file() and gnutls_certificate_set_x509_system_trust(),
+ * and corresponds to %GNUTLS_TL_FAST_LOAD flag for PKCS#11 trust lists.
*
* Enumeration of different certificate credentials flags.
*/
typedef enum gnutls_certificate_flags {
- GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH = 1
+ GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH = 1,
+ GNUTLS_CERTIFICATE_FAST_LOAD = (1<<1)
} gnutls_certificate_flags;
void gnutls_certificate_set_flags(gnutls_certificate_credentials_t,
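Review bot: The @GNUTLS_CERTIFICATE_FAST_LOAD description lists gnutls_certificate_set_x509_trust_file() and gnutls_certificate_set_x509_system_trust(), but the lib/x509.c hunks in this commit also apply the flag in gnutls_certificate_set_x509_trust_dir(), so the list is incomplete. Suggest ` * This flag applies to gnutls_certificate_set_x509_trust_file(), gnutls_certificate_set_x509_trust_dir() and gnutls_certificate_set_x509_system_trust(),`. It would also help to state here that the flag is read at load time by those calls and therefore must be set before them, since trust already loaded is not affected.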
diff --git a/lib/x509.c b/lib/x509.c
index 7412557b12..f8c7681a06 100644
--- a/lib/x509.c
+++ b/lib/x509.c
@@ -1697,6 +1697,7 @@ gnutls_certificate_set_x509_trust(gnutls_certificate_credentials_t res,
return ret;
}
+#define CRED_FLAGS_TO_TL_FLAGS(_flags) (GNUTLS_TL_USE_IN_TLS|((_flags & GNUTLS_CERTIFICATE_FAST_LOAD)?GNUTLS_TL_FAST_LOAD:0))
/**
* gnutls_certificate_set_x509_trust_file:
@@ -1725,10 +1726,11 @@ gnutls_certificate_set_x509_trust_file(gnutls_certificate_credentials_t
cred, const char *cafile,
gnutls_x509_crt_fmt_t type)
{
-int ret;
+ int ret;
+ unsigned flags = CRED_FLAGS_TO_TL_FLAGS(cred->flags);
ret = gnutls_x509_trust_list_add_trust_file(cred->tlist, cafile, NULL,
- type, GNUTLS_TL_USE_IN_TLS, 0);
+ type, flags, 0);
if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
return 0;
@@ -1756,10 +1758,11 @@ gnutls_certificate_set_x509_trust_dir(gnutls_certificate_credentials_t cred,
const char *ca_dir,
gnutls_x509_crt_fmt_t type)
{
-int ret;
+ int ret;
+ unsigned flags = CRED_FLAGS_TO_TL_FLAGS(cred->flags);
ret = gnutls_x509_trust_list_add_trust_dir(cred->tlist, ca_dir, NULL,
- type, GNUTLS_TL_USE_IN_TLS, 0);
+ type, flags, 0);
if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
return 0;
@@ -1785,8 +1788,10 @@ int
gnutls_certificate_set_x509_system_trust(gnutls_certificate_credentials_t
cred)
{
+ unsigned flags = CRED_FLAGS_TO_TL_FLAGS(cred->flags);
+
return gnutls_x509_trust_list_add_system_trust(cred->tlist,
- GNUTLS_TL_USE_IN_TLS, 0);
+ flags, 0);
}
/**
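Review bot: The CRED_FLAGS_TO_TL_FLAGS macro added in the first hunk uses its `_flags` parameter without parentheses, so an argument containing a lower-precedence operator (for example `a|b`) would bind as `a|(b & GNUTLS_CERTIFICATE_FAST_LOAD)`; the three callers pass `cred->flags`, so it is harmless today but fragile. Suggest `#define CRED_FLAGS_TO_TL_FLAGS(_flags) (GNUTLS_TL_USE_IN_TLS|(((_flags) & GNUTLS_CERTIFICATE_FAST_LOAD)?GNUTLS_TL_FAST_LOAD:0))` with a one-line comment above it such as `/* Map gnutls_certificate_flags set on the credentials to the trust-list flags used when loading CAs. */`. Because each caller evaluates cred->flags at load time, GNUTLS_CERTIFICATE_FAST_LOAD has no effect on trust loaded before gnutls_certificate_set_flags() was called, which is worth stating in the doc comments of these functions (they start outside the hunks).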