path: root/src/lib/libcrypto/x509/x509_vfy.h
authorbeck <>2016-11-05 20:14:59 +0000
committerbeck <>2016-11-05 20:14:59 +0000
commit7b6bcaa93d2188a6cb2fb807134db0f89431dac3 (patch)
tree53bfe8b60583155aa7efbd2eec5361c8d3415475 /src/lib/libcrypto/x509/x509_vfy.h
parent3deb5afd0a0dc2544bc4b40d483329904ef852b1 (diff)
Part one of the alt chains changes, bring in newer modifications to
VERIFY_PARAMS - based on boringssl. ok jsing@ miod@
Diffstat (limited to 'src/lib/libcrypto/x509/x509_vfy.h')
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.h34
1 files changed, 30 insertions, 4 deletions
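--- a/src/lib/libcrypto/x509/x509_vfy.h
+++ b/src/lib/libcrypto/x509/x509_vfy.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.h,v 1.16 2015/09/14 16:13:39 jsing Exp $ */
+/* $OpenBSD: x509_vfy.h,v 1.17 2016/11/05 20:14:59 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -147,6 +147,8 @@ typedef struct x509_lookup_method_st
 	X509_OBJECT *ret);
 } X509_LOOKUP_METHOD;
 
+typedef struct X509_VERIFY_PARAM_ID_st X509_VERIFY_PARAM_ID;
+
 /* This structure hold all parameters associated with a verify operation
  * by including an X509_VERIFY_PARAM structure in related structures the
  * parameters used can be customized
@@ -162,7 +164,8 @@ typedef struct X509_VERIFY_PARAM_st
 	int trust; /* trust setting to check */
 	int depth; /* Verify depth */
 	STACK_OF(ASN1_OBJECT) *policies; /* Permissible policies */
-} X509_VERIFY_PARAM;
+	X509_VERIFY_PARAM_ID *id; /* opaque ID data */
+} X509_VERIFY_PARAM;
 
 DECLARE_STACK_OF(X509_VERIFY_PARAM)
 
@@ -288,8 +291,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 	(long)(type),NULL)
 
 #define X509_V_OK 0
-/* illegal error (for uninitialized values, to avoid X509_V_OK): 1 */
-
+#define X509_V_ERR_UNSPECIFIED 1
 #define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2
 #define X509_V_ERR_UNABLE_TO_GET_CRL 3
 #define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4
@@ -351,6 +353,16 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 /* The application is not happy */
 #define X509_V_ERR_APPLICATION_VERIFICATION 50
 
+/* Host, email and IP check errors */
+#define X509_V_ERR_HOSTNAME_MISMATCH 62
+#define X509_V_ERR_EMAIL_MISMATCH 63
+#define X509_V_ERR_IP_ADDRESS_MISMATCH 64
+
+/* Caller error */
+#define X509_V_ERR_INVALID_CALL 65
+/* Issuer lookup error */
+#define X509_V_ERR_STORE_LOOKUP 66
+
 /* Certificate verify flags */
 
 /* Send issuer+subject checks to verify_cb */
@@ -383,6 +395,16 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_V_FLAG_USE_DELTAS 0x2000
 /* Check selfsigned CA signature */
 #define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
+/* Use trusted store first */
+#define X509_V_FLAG_TRUSTED_FIRST 0x8000
+/* Allow partial chains if at least one certificate is in trusted store */
+#define X509_V_FLAG_PARTIAL_CHAIN 0x80000
+
+/* If the initial chain is not trusted, do not attempt to build an alternative
+ * chain. Alternate chain checking was introduced in 1.0.2b. Setting this flag
+ * will force the behaviour to match that of previous versions. */
+#define X509_V_FLAG_NO_ALT_CHAINS 0x100000
+
 /* Do not check certificate or CRL validity against current time. */
 #define X509_V_FLAG_NO_CHECK_TIME 0x200000
 
@@ -519,6 +541,10 @@ int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
 	ASN1_OBJECT *policy);
 int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
 	STACK_OF(ASN1_OBJECT) *policies);
+int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, const char *email,
+	size_t emaillen);
+int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, const unsigned char *ip,
+	size_t iplen);
 int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param);
 
 int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param);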
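Review bot: The new `X509_VERIFY_PARAM_ID *id;` member added in the `X509_VERIFY_PARAM_st` hunk carries no ownership information even though the struct definition is public, so a caller that copies or embeds an X509_VERIFY_PARAM cannot tell from the header whether it now holds a pointer it must free or must not share. I would extend the trailing comment to something like `/* opaque ID data; owned by this param, allocated/freed by X509_VERIFY_PARAM_new/free and deep-copied on inherit/set1 */`, assuming that is how the accompanying .c changes (outside this header diff) manage it. Adding a member also changes sizeof(X509_VERIFY_PARAM) for any application that allocated the struct itself, which is worth a remark in the commit message or a library version bump. The new `X509_VERIFY_PARAM_set1_email`/`set1_ip` prototypes in the last hunk would likewise benefit from one-line comments stating which lengths are accepted (whether `iplen` is restricted to 4 or 16, and whether an `emaillen` of 0 means NUL-terminated input), since this header is the only documentation a caller sees.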