authorNikos Mavrogiannopoulos <nmav@redhat.com>2014-04-09 09:44:01 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2014-04-09 10:20:44 +0200
commite665044f1c8894993665fcc1030dc4344326797a (patch)
tree47475cf83c789016a6153bdfd76b6f8ab62c66d0 /doc
parentf7ad44f1b587e057070f57ceee521b8eecf060db (diff)
Replaced gnutls_certificate_verify_peers3() with the extendable gnutls_certificate_verify_peers().
This allows new verification functionality to be added without having to introduce new functions.
Diffstat (limited to 'doc')
-rw-r--r--doc/cha-cert-auth.texi2
-rw-r--r--doc/examples/ex-client-x509.c24
-rw-r--r--doc/examples/verify.c17
3 files changed, 37 insertions, 6 deletions
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index dfd4f8c9ec..00bc5427d0 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -355,7 +355,7 @@ may be used to verify the peer's certificate chain and identity. The flags
are set similarly to the verification functions in the previous section.
Note that in certain cases it is required to check the marked purpose of
the end certificate (e.g. @code{GNUTLS_KP_TLS_WWW_SERVER}); in these case
-@funcref{gnutls_certificate_verify_peers4} should be used instead.
+@funcref{gnutls_certificate_verify_peers} should be used instead.
There is also the possibility to pass some input to the verification
functions in the form of flags. For @funcref{gnutls_x509_trust_list_verify_crt} the
diff --git a/doc/examples/ex-client-x509.c b/doc/examples/ex-client-x509.c
index dc6b2985e0..ff90ad0bec 100644
--- a/doc/examples/ex-client-x509.c
+++ b/doc/examples/ex-client-x509.c
@@ -158,9 +158,29 @@ static int _verify_certificate_callback(gnutls_session_t session)
/* This verification function uses the trusted CAs in the credentials
* structure. So you must have installed one or more CA certificates.
*/
- ret = gnutls_certificate_verify_peers4(session, hostname,
- GNUTLS_KP_TLS_WWW_SERVER,
+
+ /* The following demonstrate two different verification functions,
+ * the more flexible gnutls_certificate_verify_peers(), as well
+ * as the old gnutls_certificate_verify_peers3(). */
+#if 1
+ {
+ gnutls_typed_vdata_st data[2];
+
+ memset(data, 0, sizeof(data));
+
+ data[0].type = GNUTLS_DT_DNS_HOSTNAME;
+ data[0].data = (void*)hostname;
+
+ data[1].type = GNUTLS_DT_KEY_PURPOSE_OID;
+ data[1].data = (void*)GNUTLS_KP_TLS_WWW_SERVER;
+
+ ret = gnutls_certificate_verify_peers(session, data, 2,
+ &status);
+ }
+#else
+ ret = gnutls_certificate_verify_peers3(session, hostname,
&status);
+#endif
if (ret < 0) {
printf("Error\n");
return GNUTLS_E_CERTIFICATE_ERROR;
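Review bot: The `#else` branch, `ret = gnutls_certificate_verify_peers3(session, hostname, &status);`, checks only the hostname and drops the GNUTLS_KP_TLS_WWW_SERVER key-purpose restriction that the `#if 1` branch passes via `data[1]`, so flipping the toggle silently weakens what the example verifies. The comment above the toggle should state this, e.g. `/* Note: verify_peers3() below does not check the key purpose OID; prefer gnutls_certificate_verify_peers() in new code. */`. Keeping a disabled alternative behind `#if 1` in a teaching example is also a style concern, since readers copy examples verbatim; removing the `#else` branch altogether would be clearer. The added `memset()` presumably requires `<string.h>`, which the hunk does not show. The body of `_verify_certificate_callback` begins before and continues after this hunk.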
diff --git a/doc/examples/verify.c b/doc/examples/verify.c
index 86d35808fc..2b5fa7a9c5 100644
--- a/doc/examples/verify.c
+++ b/doc/examples/verify.c
@@ -10,12 +10,17 @@
#include "examples.h"
+/* The example below demonstrates the usage of the more powerful
+ * gnutls_certificate_verify_peers() which can be used to check
+ * the hostname, as well as the key purpose OID of the peer's
+ * certificate. */
int verify_certificate_callback(gnutls_session_t session)
{
unsigned int status;
int ret, type;
const char *hostname;
gnutls_datum_t out;
+ gnutls_typed_vdata_st data[2];
/* read hostname */
hostname = gnutls_session_get_ptr(session);
@@ -23,9 +28,15 @@ int verify_certificate_callback(gnutls_session_t session)
/* This verification function uses the trusted CAs in the credentials
* structure. So you must have installed one or more CA certificates.
*/
- ret = gnutls_certificate_verify_peers4(session, hostname,
- GNUTLS_KP_TLS_WWW_SERVER,
- &status);
+ data[0].type = GNUTLS_DT_DNS_HOSTNAME;
+ data[0].data = (void*)hostname;
+ data[0].size = 0;
+
+ data[1].type = GNUTLS_DT_KEY_PURPOSE_OID;
+ data[1].data = (void*)GNUTLS_KP_TLS_WWW_SERVER;
+ data[1].size = 0;
+ ret = gnutls_certificate_verify_peers(session, data, 2,
+ &status);
if (ret < 0) {
printf("Error\n");
return GNUTLS_E_CERTIFICATE_ERROR;
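Review bot: The two `gnutls_typed_vdata_st` entries are cleared field by field (`data[0].size = 0;`, `data[1].size = 0;`), whereas the ex-client-x509.c example in the same commit zeroes the array with `memset(data, 0, sizeof(data))`; the two examples should use one idiom, and whole-array zeroing is more robust if the structure later gains members. A single `memset(data, 0, sizeof(data));` before the assignments would replace both `.size = 0` lines, assuming `<string.h>` is available, which this hunk does not show. `hostname` comes from `gnutls_session_get_ptr(session)` earlier in the function; whether a NULL value there makes `gnutls_certificate_verify_peers()` skip or reject the hostname check is not visible here and is worth stating in the comment above the call. `verify_certificate_callback` continues past this hunk.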