Bring in functions used by stunnel and exim from BoringSSL - this brings

in X509_check_host, X509_check_email, X509_check_ip, and X509_check_ip_asc, with some cleanup on the way in by myself and jsing@ ok bcook@
author: beck <> 2016-09-03 11:56:33 +0000
committer: beck <> 2016-09-03 11:56:33 +0000
commit: f62bb5c57bf8877084e218fb02cab3377d8f10c6 (patch)
tree: 939269fcc8eefdd0472b501bdf2627c9c2c72fae /src/lib/libcrypto/x509v3/x509v3.h
parent: bfb40cbd29e3a70915d1708f9660744ebfb3c110 (diff)
download: openbsd-f62bb5c57bf8877084e218fb02cab3377d8f10c6.tar.gz
openbsd-f62bb5c57bf8877084e218fb02cab3377d8f10c6.tar.bz2
openbsd-f62bb5c57bf8877084e218fb02cab3377d8f10c6.zip
1 files changed, 28 insertions, 1 deletions
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h
index b45626a885..c13342f349 100644
--- a/src/lib/libcrypto/x509v3/x509v3.h
+++ b/src/lib/libcrypto/x509v3/x509v3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509v3.h,v 1.16 2015/02/10 13:28:17 jsing Exp $ */
+/* $OpenBSD: x509v3.h,v 1.17 2016/09/03 11:56:33 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -701,6 +701,33 @@ STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x);
 void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
 STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
+/* Flags for X509_check_* functions */
+/* Always check subject name for host match even if subject alt names present */
+#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT    0x1
+/* Disable wildcard matching for dnsName fields and common name. */
+#define X509_CHECK_FLAG_NO_WILDCARDS    0x2
+/* Wildcards must not match a partial label. */
+#define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0x4
+/* Allow (non-partial) wildcards to match multiple labels. */
+#define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8
+/* Constraint verifier subdomain patterns to match a single labels. */
+#define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10
+/*
+ * Match reference identifiers starting with "." to any sub-domain.
+ * This is a non-public flag, turned on implicitly when the subject
+ * reference identity is a DNS name.
+ */
+#define _X509_CHECK_FLAG_DOT_SUBDOMAINS 0x8000
+int X509_check_host(X509 *x, const char *chk, size_t chklen,
+    unsigned int flags, char **peername);
+int X509_check_email(X509 *x, const char *chk, size_t chklen,
+    unsigned int flags);
+int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
+    unsigned int flags);
+int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags);
 ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
 ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
 int a2i_ipadd(unsigned char *ipout, const char *ipasc);
author	beck <>	2016-09-03 11:56:33 +0000
committer	beck <>	2016-09-03 11:56:33 +0000
commit	f62bb5c57bf8877084e218fb02cab3377d8f10c6 (patch)
tree	939269fcc8eefdd0472b501bdf2627c9c2c72fae /src/lib/libcrypto/x509v3/x509v3.h
parent	bfb40cbd29e3a70915d1708f9660744ebfb3c110 (diff)
download	openbsd-f62bb5c57bf8877084e218fb02cab3377d8f10c6.tar.gz openbsd-f62bb5c57bf8877084e218fb02cab3377d8f10c6.tar.bz2 openbsd-f62bb5c57bf8877084e218fb02cab3377d8f10c6.zip

diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h index b45626a885..c13342f349 100644 --- a/src/lib/libcrypto/x509v3/x509v3.h +++ b/src/lib/libcrypto/x509v3/x509v3.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509v3.h,v 1.16 2015/02/10 13:28:17 jsing Exp $ */	1	/* $OpenBSD: x509v3.h,v 1.17 2016/09/03 11:56:33 beck Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 1999.	3	* project 1999.
4	*/	4	*/
@@ -701,6 +701,33 @@ STACK_OF(OPENSSL_STRING) X509_REQ_get1_email(X509_REQ x);
701	void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);	701	void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
702	STACK_OF(OPENSSL_STRING) X509_get1_ocsp(X509 x);	702	STACK_OF(OPENSSL_STRING) X509_get1_ocsp(X509 x);
703		703
		704	/* Flags for X509_check_* functions */
		705	/* Always check subject name for host match even if subject alt names present */
		706	#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0x1
		707	/* Disable wildcard matching for dnsName fields and common name. */
		708	#define X509_CHECK_FLAG_NO_WILDCARDS 0x2
		709	/* Wildcards must not match a partial label. */
		710	#define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0x4
		711	/* Allow (non-partial) wildcards to match multiple labels. */
		712	#define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8
		713	/* Constraint verifier subdomain patterns to match a single labels. */
		714	#define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10
		715
		716	/*
		717	* Match reference identifiers starting with "." to any sub-domain.
		718	* This is a non-public flag, turned on implicitly when the subject
		719	* reference identity is a DNS name.
		720	*/
		721	#define _X509_CHECK_FLAG_DOT_SUBDOMAINS 0x8000
		722
		723	int X509_check_host(X509 x, const char chk, size_t chklen,
		724	unsigned int flags, char **peername);
		725	int X509_check_email(X509 x, const char chk, size_t chklen,
		726	unsigned int flags);
		727	int X509_check_ip(X509 x, const unsigned char chk, size_t chklen,
		728	unsigned int flags);
		729	int X509_check_ip_asc(X509 x, const char ipasc, unsigned int flags);
		730
704	ASN1_OCTET_STRING a2i_IPADDRESS(const char ipasc);	731	ASN1_OCTET_STRING a2i_IPADDRESS(const char ipasc);
705	ASN1_OCTET_STRING a2i_IPADDRESS_NC(const char ipasc);	732	ASN1_OCTET_STRING a2i_IPADDRESS_NC(const char ipasc);
706	int a2i_ipadd(unsigned char ipout, const char ipasc);	733	int a2i_ipadd(unsigned char ipout, const char ipasc);