authorNikos Mavrogiannopoulos <nmav@gnutls.org>2003-11-02 07:50:59 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2003-11-02 07:50:59 +0000
commit705f86f2177fb479726d3541bf319b8c02b10e4f (patch)
tree5df0812bce06a260e21a4347a7a6f6c1505d28a9
parent668d09aaea92e4b323bd4fa40287fe57d0e412b1 (diff)
downloadgnutls-705f86f2177fb479726d3541bf319b8c02b10e4f.tar.gz
Some changes to preserve binary compatibility.
-rw-r--r--lib/gnutls.h.in.in8
-rw-r--r--lib/gnutls_int.h8
-rw-r--r--lib/x509/pkcs12_bag.c17
-rw-r--r--lib/x509/privkey.h13
-rw-r--r--lib/x509/privkey_pkcs8.c14
5 files changed, 36 insertions, 24 deletions
diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in
index 932196ccb9..81b39d8415 100644
--- a/lib/gnutls.h.in.in
+++ b/lib/gnutls.h.in.in
@@ -111,18 +111,18 @@ typedef enum gnutls_handshake_description { GNUTLS_HANDSHAKE_HELLO_REQUEST,
*/
#define GNUTLS_CERT_NOT_TRUSTED GNUTLS_CERT_INVALID
typedef enum gnutls_certificate_status {
- GNUTLS_CERT_INVALID=1, /* will be set if the certificate
+ GNUTLS_CERT_INVALID=2, /* will be set if the certificate
* was not verified.
*/
- GNUTLS_CERT_REVOKED=2, /* in X.509 this will be set only if CRLs are checked
+ GNUTLS_CERT_REVOKED=32, /* in X.509 this will be set only if CRLs are checked
*/
/* Those are extra information about the verification
* process. Will be set only if the certificate was
* not verified.
*/
- GNUTLS_CERT_SIGNER_NOT_FOUND=4,
- GNUTLS_CERT_SIGNER_NOT_CA=8
+ GNUTLS_CERT_SIGNER_NOT_FOUND=64,
+ GNUTLS_CERT_SIGNER_NOT_CA=128
} gnutls_certificate_status;
typedef enum gnutls_certificate_request { GNUTLS_CERT_IGNORE, GNUTLS_CERT_REQUEST=1, GNUTLS_CERT_REQUIRE } gnutls_certificate_request;
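Review bot: The status values are now sparse bit flags (2, 32, 64, 128) with nothing in the header saying why the gaps exist, and the identical definition is repeated in lib/gnutls_int.h (next hunk), so any future renumbering has to be done in both places at once. A comment on the typedef would make both constraints explicit, e.g. `/* Bit flags, OR'd into the verification result; the numeric values are part of the ABI and must match lib/gnutls_int.h exactly — do not renumber. */`. The gaps are presumably left so the new values do not collide with values used by earlier releases, as the commit message suggests; if that is the reason, say so in the same comment.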
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index d9d1274b2d..7581280fe9 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -107,18 +107,18 @@ typedef struct { opaque pint[3]; } uint24;
typedef enum ChangeCipherSpecType { GNUTLS_TYPE_CHANGE_CIPHER_SPEC=1 } ChangeCipherSpecType;
typedef enum gnutls_certificate_status {
- GNUTLS_CERT_INVALID=1, /* will be set if the certificate
+ GNUTLS_CERT_INVALID=2, /* will be set if the certificate
* was not verified.
*/
- GNUTLS_CERT_REVOKED=2, /* in X.509 this will be set only if CRLs are checked
+ GNUTLS_CERT_REVOKED=32, /* in X.509 this will be set only if CRLs are checked
*/
/* Those are extra information about the verification
* process. Will be set only if the certificate was
* not verified.
*/
- GNUTLS_CERT_SIGNER_NOT_FOUND=4,
- GNUTLS_CERT_SIGNER_NOT_CA=8
+ GNUTLS_CERT_SIGNER_NOT_FOUND=64,
+ GNUTLS_CERT_SIGNER_NOT_CA=128
} gnutls_certificate_status;
typedef enum gnutls_certificate_request { GNUTLS_CERT_IGNORE, GNUTLS_CERT_REQUEST=1, GNUTLS_CERT_REQUIRE } gnutls_certificate_request;
diff --git a/lib/x509/pkcs12_bag.c b/lib/x509/pkcs12_bag.c
index 63463c841b..affe903b02 100644
--- a/lib/x509/pkcs12_bag.c
+++ b/lib/x509/pkcs12_bag.c
@@ -31,7 +31,7 @@
#include <gnutls_errors.h>
#include <common.h>
#include <pkcs12.h>
-
+#include <privkey.h>
/**
* gnutls_pkcs12_bag_init - This function initializes a gnutls_pkcs12_bag structure
@@ -542,7 +542,7 @@ gnutls_datum dec;
* gnutls_pkcs12_bag_encrypt - This function will encrypt a bag
* @bag: The bag
* @pass: The password used for encryption
- * @flags: should be zero for now
+ * @flags: should be one of gnutls_pkcs_encrypt_flags elements bitwise or'd
*
* This function will encrypt the given bag and return 0 on success.
*
@@ -553,6 +553,7 @@ int ret;
ASN1_TYPE safe_cont = ASN1_TYPE_EMPTY;
gnutls_datum der = {NULL, 0};
gnutls_datum enc = {NULL, 0};
+schema_id id;
if (bag->element[0].type == GNUTLS_BAG_ENCRYPTED) {
gnutls_assert();
@@ -579,9 +580,19 @@ gnutls_datum enc = {NULL, 0};
return ret;
}
+ if (flags & GNUTLS_PKCS_PLAIN) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ if (flags & GNUTLS_PKCS_USE_PKCS12_ARCFOUR) id = PKCS12_ARCFOUR_SHA1;
+ else if (flags & GNUTLS_PKCS_USE_PKCS12_RC2_40) id = PKCS12_RC2_40_SHA1;
+ else if (flags & GNUTLS_PKCS_USE_PBES2_3DES) id = PBES2;
+ else id = PKCS12_3DES_SHA1;
+
/* Now encrypt them.
*/
- ret = _gnutls_pkcs7_encrypt_data( PKCS12_3DES_SHA1, &der, pass, &enc);
+ ret = _gnutls_pkcs7_encrypt_data( id, &der, pass, &enc);
_gnutls_free_datum( &der);
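Review bot: The new GNUTLS_PKCS_PLAIN check returns GNUTLS_E_INVALID_REQUEST after the step that precedes it in the function, so if `der` has already been filled by that step (the code is above the hunk and not visible here) the early return leaks it, whereas the normal path frees it with `_gnutls_free_datum( &der);` after encryption. Either move the flag validation to the top of the function, next to the existing GNUTLS_BAG_ENCRYPTED check where nothing has been allocated yet, or add `_gnutls_free_datum( &der);` before the `return GNUTLS_E_INVALID_REQUEST;`. The enclosing function starts outside the hunk.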
diff --git a/lib/x509/privkey.h b/lib/x509/privkey.h
index 91f80e09b2..56dfd26190 100644
--- a/lib/x509/privkey.h
+++ b/lib/x509/privkey.h
@@ -1,11 +1,12 @@
-typedef enum gnutls_privkey_pkcs8_flags {
- GNUTLS_PKCS8_PLAIN=1, /* if set the private key will not
+typedef enum gnutls_pkcs_encrypt_flags {
+ GNUTLS_PKCS_PLAIN=1, /* if set the private key will not
* be encrypted.
*/
- GNUTLS_PKCS8_USE_PKCS12_3DES,
- GNUTLS_PKCS8_USE_PKCS12_ARCFOUR,
- GNUTLS_PKCS8_USE_PKCS12_RC2_40
-} gnutls_privkey_pkcs8_flags;
+ GNUTLS_PKCS_USE_PKCS12_3DES=2,
+ GNUTLS_PKCS_USE_PKCS12_ARCFOUR=4,
+ GNUTLS_PKCS_USE_PKCS12_RC2_40=8,
+ GNUTLS_PKCS_USE_PBES2_3DES=16
+} gnutls_pkcs_encrypt_flags;
int gnutls_x509_privkey_import(gnutls_x509_privkey key, const gnutls_datum * data,
gnutls_x509_crt_fmt format);
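Review bot: The old enum let the compiler assign GNUTLS_PKCS8_USE_PKCS12_ARCFOUR=3 and GNUTLS_PKCS8_USE_PKCS12_RC2_40=4, so the new explicit values 4 and 8 do not preserve binary compatibility for those two constants: a caller built against the old header that passes 3 now satisfies `flags & GNUTLS_PKCS_USE_PKCS12_3DES` in gnutls_x509_privkey_export_pkcs8 and gets 3DES, and one passing 4 gets ARCFOUR. The rename also removes the GNUTLS_PKCS8_* names without aliases, so existing source stops compiling; if that is unintended, add `#define GNUTLS_PKCS8_PLAIN GNUTLS_PKCS_PLAIN` and the matching defines for the three cipher flags. The comments on the enum could also state that the GNUTLS_PKCS_USE_* values are mutually exclusive cipher selections rather than independently combinable bits, since both call sites pick only one.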
diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c
index d4e1c5ca76..b6a835dfa1 100644
--- a/lib/x509/privkey_pkcs8.c
+++ b/lib/x509/privkey_pkcs8.c
@@ -374,7 +374,7 @@ int encode_to_pkcs8_key( schema_id schema, const gnutls_datum * der_key,
* @key: Holds the key
* @format: the format of output params. One of PEM or DER.
* @password: the password that will be used to encrypt the key
- * @flags: an ORed sequence of gnutls_privkey_pkcs8_flags
+ * @flags: an ORed sequence of gnutls_pkcs_encrypt_flags
* @output_data: will contain a private key PEM or DER encoded
* @output_data_size: holds the size of output_data (and will be replaced by the actual size of parameters)
*
@@ -415,17 +415,17 @@ int gnutls_x509_privkey_export_pkcs8(gnutls_x509_privkey key,
return ret;
}
- if (flags & GNUTLS_PKCS8_USE_PKCS12_3DES)
+ if (flags & GNUTLS_PKCS_USE_PKCS12_3DES)
schema = PKCS12_3DES_SHA1;
- else if (flags & GNUTLS_PKCS8_USE_PKCS12_ARCFOUR)
+ else if (flags & GNUTLS_PKCS_USE_PKCS12_ARCFOUR)
schema = PKCS12_ARCFOUR_SHA1;
- else if (flags & GNUTLS_PKCS8_USE_PKCS12_RC2_40)
+ else if (flags & GNUTLS_PKCS_USE_PKCS12_RC2_40)
schema = PKCS12_RC2_40_SHA1;
else
schema = PBES2;
- if ((flags & GNUTLS_PKCS8_PLAIN) || password == NULL)
+ if ((flags & GNUTLS_PKCS_PLAIN) || password == NULL)
{
_gnutls_free_datum(&tmp);
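Review bot: The cipher selection here disagrees with the one added in lib/x509/pkcs12_bag.c: the default when no GNUTLS_PKCS_USE_* bit is set is PBES2 here but PKCS12_3DES_SHA1 there, the precedence order differs (3DES, ARCFOUR, RC2_40 here; ARCFOUR, RC2_40, PBES2 there), and GNUTLS_PKCS_USE_PBES2_3DES is never tested here, so `GNUTLS_PKCS_USE_PBES2_3DES | GNUTLS_PKCS_USE_PKCS12_3DES` yields PKCS12_3DES_SHA1 here and PBES2 there. Because both documentation comments describe the flags as OR'd, callers can reasonably combine them, and a silent first-match makes the resulting encryption scheme depend on which function was called. A single shared helper that maps flags to a schema_id, agrees on one default, and returns GNUTLS_E_INVALID_REQUEST when more than one cipher bit is set would keep the two paths consistent. The enclosing function starts outside the hunk.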
@@ -800,7 +800,7 @@ int decode_private_key_info(const gnutls_datum * der,
* @data: The DER or PEM encoded key.
* @format: One of DER or PEM
* @password: the password to decrypt the key (if it is encrypted)
- * @flags: an ORed sequence of gnutls_privkey_pkcs8_flags
+ * @flags: use 0.
*
* This function will convert the given DER or PEM encoded PKCS8 2.0 encrypted key
* to the native gnutls_x509_privkey format. The output will be stored in 'key'.
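Review bot: `@flags: use 0.` understates the import contract, because the hunk at -859 still tests `flags & GNUTLS_PKCS_PLAIN` and, when it is set, decodes the key without attempting decryption, so the flag is meaningful to callers. Document it, e.g. `@flags: 0, or GNUTLS_PKCS_PLAIN to treat the key as unencrypted (password is then ignored)`. For consistency with the export path at -415, that condition would also read better parenthesized as `(flags & GNUTLS_PKCS_PLAIN) || password == NULL`.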
@@ -859,7 +859,7 @@ int gnutls_x509_privkey_import_pkcs8(gnutls_x509_privkey key,
need_free = 1;
}
- if (flags & GNUTLS_PKCS8_PLAIN || password == NULL) {
+ if (flags & GNUTLS_PKCS_PLAIN || password == NULL) {
result = decode_private_key_info(&_data, key, &key->key);
} else { /* encrypted. */
result = decode_pkcs8_key(&_data, password, key, &key->key);