[gnutls-devel] gnutls 3.5.5

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Oct 22 14:57:29 CEST 2016


On Sat, 2016-10-22 at 11:58 +0200, Andreas Metzler wrote:

> > My expectation was that few software will check for equality with
> > zero, mainly due to the examples which use the <0 pattern, and that
> > even if they did, the fact that the first certificate index would be
> > zero, will mitigate any issue (most applications load a single
> > certificate).
> >
> > Do you think this is going to cause issues? Most likely we can still
> > revert the change by introducing a flag in
> > gnutls_certificate_set_flags() which can enable the behavior of
> > returning indexes, instead of returning them by default.
>
> Hello,
>
> I have just started browsing over
> <https://codesearch.debian.net/search?q=gnutls_certificate_set_%5B%5E+%5D*key>.
> While checking for ret < 0 is common some software does not:

Thank you for checking that. Maybe in that case we should explicitly
enable returning indexes. An idea is to make:
gnutls_certificate_set_flags(cred, GNUTLS_CERTIFICATE_API_V2);

and then all the gnutls_certificate_set_*key will return indexes
instead of zero.

That would be an inconvenience, but it may be better to keep the API
identical to prevent such issues.

regards,
Nikos
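
The compatibility concern in this thread, as an added example that is not part of the original message and is not GnuTLS code: `mock_cred`, `mock_set_key`, `MOCK_API_V2` and `MOCK_E_ERROR` are hypothetical stand-ins that model only the return convention discussed (zero or a certificate index on success, a negative value on error). It compares a caller that treats any non-zero return as failure with one that uses the `< 0` pattern.

```c
#include <stdio.h>

/* Hypothetical stand-ins, NOT GnuTLS code: they model only the return
 * convention under discussion. */
#define MOCK_API_V2  1u    /* models opting in to index returns */
#define MOCK_E_ERROR (-1)  /* constructed negative error code */
struct mock_cred { unsigned flags; int ncerts; };

/* Models a gnutls_certificate_set_*key call: negative on error; on success
 * 0 by default, or the index of the added certificate when V2 is set. */
static int mock_set_key(struct mock_cred *c, int file_ok)
{
    if (!file_ok)
        return MOCK_E_ERROR;
    int idx = c->ncerts++;
    return (c->flags & MOCK_API_V2) ? idx : 0;
}

/* Caller pattern A: any non-zero return is treated as failure. */
static int load_checks_nonzero(struct mock_cred *c, int file_ok)
{
    return mock_set_key(c, file_ok) != 0 ? -1 : 0;
}

/* Caller pattern B: only negative returns are failures (the <0 pattern). */
static int load_checks_negative(struct mock_cred *c, int file_ok)
{
    return mock_set_key(c, file_ok) < 0 ? -1 : 0;
}

/* Loads n valid certificates; counts successes the caller reports as errors. */
static int false_failures(unsigned flags, int n,
                          int (*load)(struct mock_cred *, int))
{
    struct mock_cred c = { flags, 0 };
    int bad = 0;
    for (int i = 0; i < n; i++)
        if (load(&c, 1) != 0)
            bad++;
    return bad;
}

int main(void)
{
    printf("false failures over 3 valid certs: !=0 check %d, <0 check %d\n",
           false_failures(MOCK_API_V2, 3, load_checks_nonzero),
           false_failures(MOCK_API_V2, 3, load_checks_negative));
    return 0;
}
```

With index returns enabled, the non-zero check only misfires from the second certificate onward, which matches the single-certificate mitigation mentioned in the quoted text.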



