add suite B chain validation flags and associated verify errors
[oweals/openssl.git] / crypto / x509 / x509_vfy.h
index 40089cf50fcf91eecdf4957a56bf521bcfac7be7..5703045216b87cc52fc93d8ca0766a5cd0f95689 100644 (file)
@@ -360,6 +360,14 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define                X509_V_ERR_UNSUPPORTED_NAME_SYNTAX              53
 #define                X509_V_ERR_CRL_PATH_VALIDATION_ERROR            54
 
+/* Suite B mode algorithm violation */
+#define                X509_V_ERR_SUITE_B_INVALID_VERSION              56
+#define                X509_V_ERR_SUITE_B_INVALID_ALGORITHM            57
+#define                X509_V_ERR_SUITE_B_INVALID_CURVE                58
+#define                X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM  59
+#define                X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED              60
+#define                X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 61
+
 /* Host, email and IP check errors */
 #define                X509_V_ERR_HOSTNAME_MISMATCH                    62
 #define                X509_V_ERR_EMAIL_MISMATCH                       63
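Review bot: The single comment `/* Suite B mode algorithm violation */` at the top of the added block does not explain the less obvious codes, in particular what "LOS" means in `X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED`. I would widen it to something like `/* Suite B chain validation errors; LOS = level of security (128 or 192 bit) */`. The numbering also jumps from 54 to 56; if 55 is reserved elsewhere, a short comment such as `/* 55 is reserved, do not reuse */` would keep a later patch from assigning it, but the reason for the gap is not visible in this hunk. Applications log and branch on these values, so it is worth confirming that each new code gets a matching entry in the verify error string table, which this file section does not show.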
@@ -402,6 +410,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_V_FLAG_CHECK_SS_SIGNATURE         0x4000
 /* Use trusted store first */
 #define X509_V_FLAG_TRUSTED_FIRST              0x8000
+/* Suite B 128 bit only mode: not normally used */
+#define X509_V_FLAG_SUITEB_128_LOS_ONLY                0x10000
+/* Suite B 192 bit only mode */
+#define X509_V_FLAG_SUITEB_192_LOS             0x20000
+/* Suite B 128 bit mode allowing 192 bit algorithms */
+#define X509_V_FLAG_SUITEB_128_LOS             0x30000
 
 /* Allow partial chains if at least one certificate is in trusted store */
 #define X509_V_FLAG_PARTIAL_CHAIN              0x80000
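Review bot: The three Suite B flags are not independent bits: `X509_V_FLAG_SUITEB_128_LOS` (0x30000) equals `X509_V_FLAG_SUITEB_128_LOS_ONLY | X509_V_FLAG_SUITEB_192_LOS`, so they form a two-bit mode field, and the comments do not say so. A caller testing `flags & X509_V_FLAG_SUITEB_192_LOS` will also match the mixed 128-bit mode. If flags are accumulated by OR-ing (the setter is not visible here), enabling the 128-only mode on a parameter set that already has 192-only would silently yield the more permissive mixed mode instead of an error. I would document this above the three defines, for example `/* Suite B modes: a 2-bit field, not independent flags. Test with (flags & X509_V_FLAG_SUITEB_128_LOS) == <mode>; never OR two modes together. */`. The checking code should compare the masked value rather than test single bits.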