From 3632cb3eaf778507070b8613684586e4e00af68b Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Tue, 30 Oct 2012 15:49:44 +0100
Subject: [PATCH] Added gnutls_certificate_update_verify_flags() to allow
 setting new flags without overriding any defaults.

---
 NEWS                            |  1 +
 doc/cha-cert-auth.texi          |  5 +++--
 lib/gnutls_ui.c                 | 25 +++++++++++++++++++++----
 lib/includes/gnutls/gnutls.h.in |  2 ++
 lib/libgnutls.map               |  1 +
 5 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/NEWS b/NEWS
index b7301b3f1..1363fc965 100644
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,7 @@ the available revocation data validity.
 
 ** API and ABI modifications:
 gnutls_session_get_id2: Added
+gnutls_certificate_update_verify_flags: Added
 GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: Added.
 GNUTLS_CERT_REVOCATION_DATA_INVALID: Added.
 
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index cb395cbd1..72b9919e0 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -625,6 +625,7 @@ of the signature.
 
 If you are using @funcref{gnutls_certificate_verify_peers2} to verify the
 certificate chain, you can call
+@funcref{gnutls_certificate_update_verify_flags} or
 @funcref{gnutls_certificate_set_verify_flags} with the flags:
 @itemize
 @item @code{GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2}
@@ -633,11 +634,11 @@ certificate chain, you can call
 as in the following example:
 
 @example
-  gnutls_certificate_set_verify_flags (x509cred,
+  gnutls_certificate_update_verify_flags (x509cred,
                                        GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
 @end example
 
-This will tell the verifier algorithm to enable @code{RSA-MD5} when
+This will signal the verifier algorithm to enable @code{RSA-MD5} when
 verifying the certificates.
 
 If you are using @funcref{gnutls_x509_crt_verify} or
diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c
index 1cd53f273..8b157e76d 100644
--- a/lib/gnutls_ui.c
+++ b/lib/gnutls_ui.c
@@ -684,10 +684,9 @@ gnutls_certificate_set_params_function (gnutls_certificate_credentials_t res,
  * @res: is a gnutls_certificate_credentials_t structure
  * @flags: are the flags
  *
- * This function will set the flags to be used at verification of the
- * certificates.  Flags must be OR of the
- * #gnutls_certificate_verify_flags enumerations. The default
- * for TLS sessions is GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN.
+ * This function will set the flags to be used for verification 
+ * of certificates and override any defaults.  The provided flags must be an OR of the
+ * #gnutls_certificate_verify_flags enumerations. 
  *
  **/
 void
@@ -698,6 +697,24 @@ gnutls_certificate_set_verify_flags (gnutls_certificate_credentials_t
 }
 
 /**
+ * gnutls_certificate_update_verify_flags:
+ * @res: is a gnutls_certificate_credentials_t structure
+ * @flags: are the new flags
+ *
+ * This function will update the default flags to be used for verification 
+ * of certificates.  The provided flags must be an OR of the
+ * #gnutls_certificate_verify_flags enumerations. The default
+ * for TLS sessions is GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN.
+ *
+ **/
+void
+gnutls_certificate_update_verify_flags (gnutls_certificate_credentials_t
+                                     res, unsigned int flags)
+{
+  res->verify_flags |= flags;
+}
+
+/**
  * gnutls_certificate_set_verify_limits:
  * @res: is a gnutls_certificate_credentials structure
  * @max_bits: is the number of bits of an acceptable certificate (default 8200)
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index e60914e68..1b8c1d8f7 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1152,6 +1152,8 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t session);
                                          gnutls_dh_params_t dh_params);
   void gnutls_certificate_set_verify_flags (gnutls_certificate_credentials_t
                                             res, unsigned int flags);
+  void gnutls_certificate_update_verify_flags (gnutls_certificate_credentials_t
+                                            res, unsigned int flags);
   void gnutls_certificate_set_verify_limits (gnutls_certificate_credentials_t
                                              res, unsigned int max_bits,
                                              unsigned int max_depth);
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 751e49b7b..3cee073e5 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -858,6 +858,7 @@ GNUTLS_3_1_0 {
 	gnutls_pubkey_import_x509_raw;
 	gnutls_certificate_get_peers_subkey_id;
 	gnutls_session_get_id2;
+	gnutls_certificate_update_verify_flags;
 } GNUTLS_3_0_0;
 
 GNUTLS_PRIVATE {
-- 
2.11.4.GIT