add suite B chain validation flags and associated verify errors
[oweals/openssl.git] / crypto / x509 / x509_vfy.h
index ee40e7fe82583f93b39e3531f1a3c2360f138c83..5703045216b87cc52fc93d8ca0766a5cd0f95689 100644 (file)
@@ -173,6 +173,12 @@ typedef struct X509_VERIFY_PARAM_st
        int trust;              /* trust setting to check */
        int depth;              /* Verify depth */
        STACK_OF(ASN1_OBJECT) *policies;        /* Permissible policies */
+       unsigned char *host;    /* If not NULL hostname to match */
+       size_t hostlen;
+       unsigned char *email;   /* If not NULL email address to match */
+       size_t emaillen;
+       unsigned char *ip;      /* If not NULL IP address to match */
+       size_t iplen;           /* Length of IP address */
        } X509_VERIFY_PARAM;
 
 DECLARE_STACK_OF(X509_VERIFY_PARAM)
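Review bot: The new host, email and ip members are bare pointers with no ownership or encoding stated, and X509_VERIFY_PARAM is a public struct that is copied and released elsewhere (X509_VERIFY_PARAM_inherit/set1/free are not in this diff), so each of those paths must now deep-copy and free the three buffers or a param shared between contexts will double-free or leak them. The comments should also say what the bytes are: host and email are presumably text that is not NUL-terminated (hence the separate length fields), while ip is presumably the raw 4- or 16-byte address rather than its dotted form, which is why a distinct set1_ip_asc entry point exists — please confirm against the implementation. I would replace the host comment with `/* If not NULL, hostname to match; owned by this param, hostlen bytes, not NUL-terminated */` and the ip one with `/* If not NULL, binary IPv4/IPv6 address to match (iplen bytes) */`.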
@@ -354,6 +360,19 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define                X509_V_ERR_UNSUPPORTED_NAME_SYNTAX              53
 #define                X509_V_ERR_CRL_PATH_VALIDATION_ERROR            54
 
+/* Suite B mode algorithm violation */
+#define                X509_V_ERR_SUITE_B_INVALID_VERSION              56
+#define                X509_V_ERR_SUITE_B_INVALID_ALGORITHM            57
+#define                X509_V_ERR_SUITE_B_INVALID_CURVE                58
+#define                X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM  59
+#define                X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED              60
+#define                X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 61
+
+/* Host, email and IP check errors */
+#define                X509_V_ERR_HOSTNAME_MISMATCH                    62
+#define                X509_V_ERR_EMAIL_MISMATCH                       63
+#define                X509_V_ERR_IP_ADDRESS_MISMATCH                  64
+
 /* The application is not happy */
 #define                X509_V_ERR_APPLICATION_VERIFICATION             50
 
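Review bot: Value 55 is skipped between X509_V_ERR_CRL_PATH_VALIDATION_ERROR (54) and X509_V_ERR_SUITE_B_INVALID_VERSION (56) with no comment, so a later addition will either reuse it or leave a permanent unexplained hole; either assign it or mark it `/* 55 reserved */`. Each new code also presumably needs a matching entry in X509_verify_cert_error_string (x509_txt.c), which is not in this diff — without it a failed Suite B or hostname check is logged by applications as the generic unknown-error text. For the three mismatch codes I would add `/* Only reported when the corresponding host/email/ip field of the X509_VERIFY_PARAM is set */`, since by the struct comments an unset field means the check is skipped rather than failed.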
@@ -391,6 +410,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_V_FLAG_CHECK_SS_SIGNATURE         0x4000
 /* Use trusted store first */
 #define X509_V_FLAG_TRUSTED_FIRST              0x8000
+/* Suite B 128 bit only mode: not normally used */
+#define X509_V_FLAG_SUITEB_128_LOS_ONLY                0x10000
+/* Suite B 192 bit only mode */
+#define X509_V_FLAG_SUITEB_192_LOS             0x20000
+/* Suite B 128 bit mode allowing 192 bit algorithms */
+#define X509_V_FLAG_SUITEB_128_LOS             0x30000
 
 /* Allow partial chains if at least one certificate is in trusted store */
 #define X509_V_FLAG_PARTIAL_CHAIN              0x80000
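Review bot: The three SUITEB flags are not independent bits: X509_V_FLAG_SUITEB_128_LOS (0x30000) is the OR of X509_V_FLAG_SUITEB_128_LOS_ONLY (0x10000) and X509_V_FLAG_SUITEB_192_LOS (0x20000), so a caller who tests `flags & X509_V_FLAG_SUITEB_128_LOS_ONLY` gets a true result in plain 128_LOS mode, and a caller who ORs two modes together silently selects a third. Nothing in the header says so and there is no mask for extracting the field; I would add `/* SUITEB flags form a two-bit mode field and are mutually exclusive: test (flags & X509_V_FLAG_SUITEB_128_LOS) == mode, never a single bit */` above the group, or a dedicated mask macro with that comment. The comment `not normally used` on the 128-bit-only mode should instead say what it rejects — presumably any P-384/SHA-384 element, given the 192-bit description beneath it — so a caller can choose between the two 128-bit modes deliberately.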
@@ -530,6 +555,15 @@ int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
                                                ASN1_OBJECT *policy);
 int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, 
                                        STACK_OF(ASN1_OBJECT) *policies);
+
+int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
+                               const unsigned char *name, size_t namelen);
+int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
+                               const unsigned char *email, size_t emaillen);
+int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
+                                       const unsigned char *ip, size_t iplen);
+int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc);
+
 int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param);
 
 int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param);
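Review bot: The new setters carry no contract: whether a `namelen`/`emaillen` of 0 means "use strlen", whether a NULL name clears the field, whether the bytes are copied (the set1 naming convention suggests they are) and what the int return means are all left to the reader. Since this header is the documentation callers will read, I would put a comment above the group stating that on success they return 1 and copy the input into the param, and on allocation failure return 0 and leave the param unchanged — confirm against the implementation. The larger practical caveat belongs here too: verification performs no peer-identity check unless one of these is set, so a TLS client that validates the chain but never calls set1_host or set1_ip accepts any certificate from any trusted issuer, e.g. `/* Peer identity is NOT checked unless one of these is set; TLS clients must set the expected host or ip */`. Style: host and email are textual, so `const char *` would match set1_ip_asc and spare callers a cast to unsigned char.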