diff options
Diffstat (limited to 'openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod')
-rw-r--r-- | openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 77 |
1 files changed, 72 insertions, 5 deletions
diff --git a/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod index 46cac2bea..347d48dfe 100644 --- a/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +++ b/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod @@ -2,7 +2,7 @@ =head1 NAME -X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies - X509 verification parameters +X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies, X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host, X509_VERIFY_PARAM_set_hostflags, X509_VERIFY_PARAM_get0_peername, X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip, X509_VERIFY_PARAM_set1_ip_asc - X509 verification parameters =head1 SYNOPSIS @@ -26,6 +26,19 @@ X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_ge void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth); int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param); + int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, + const char *name, size_t namelen); + int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, + const char *name, size_t namelen); + void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, + unsigned int flags); + char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param); + int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, + const char *email, size_t emaillen); + int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, + const unsigned char *ip, size_t iplen); + int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc); + =head1 DESCRIPTION These functions manipulate the B<X509_VERIFY_PARAM> structure associated with @@ -61,12 +74,63 @@ X509_VERIFY_PARAM_set_depth() sets the maximum verification depth to B<depth>. That is the maximum number of untrusted CA certificates that can appear in a chain. +X509_VERIFY_PARAM_set1_host() sets the expected DNS hostname to +B<name> clearing any previously specified host name or names. If +B<name> is NULL, or empty the list of hostnames is cleared, and +name checks are not performed on the peer certificate. If B<name> +is NUL-terminated, B<namelen> may be zero, otherwise B<namelen> +must be set to the length of B<name>. When a hostname is specified, +certificate verification automatically invokes L<X509_check_host(3)> +with flags equal to the B<flags> argument given to +B<X509_VERIFY_PARAM_set_hostflags()> (default zero). Applications +are strongly advised to use this interface in preference to explicitly +calling L<X509_check_host(3)>, hostname checks are out of scope +with the DANE-EE(3) certificate usage, and the internal check will +be suppressed as appropriate when DANE support is added to OpenSSL. + +X509_VERIFY_PARAM_add1_host() adds B<name> as an additional reference +identifer that can match the peer's certificate. Any previous names +set via X509_VERIFY_PARAM_set1_host() or X509_VERIFY_PARAM_add1_host() +are retained, no change is made if B<name> is NULL or empty. When +multiple names are configured, the peer is considered verified when +any name matches. + +X509_VERIFY_PARAM_get0_peername() returns the DNS hostname or subject +CommonName from the peer certificate that matched one of the reference +identifiers. When wildcard matching is not disabled, or when a +reference identifier specifies a parent domain (starts with ".") +rather than a hostname, the peer name may be a wildcard name or a +sub-domain of the reference identifier respectively. The return +string is allocated by the library and is no longer valid once the +associated B<param> argument is freed. Applications must not free +the return value. + +X509_VERIFY_PARAM_set1_email() sets the expected RFC822 email address to +B<email>. If B<email> is NUL-terminated, B<emaillen> may be zero, otherwise +B<emaillen> must be set to the length of B<email>. When an email address +is specified, certificate verification automatically invokes +L<X509_check_email(3)>. + +X509_VERIFY_PARAM_set1_ip() sets the expected IP address to B<ip>. +The B<ip> argument is in binary format, in network byte-order and +B<iplen> must be set to 4 for IPv4 and 16 for IPv6. When an IP +address is specified, certificate verification automatically invokes +L<X509_check_ip(3)>. + +X509_VERIFY_PARAM_set1_ip_asc() sets the expected IP address to +B<ipasc>. The B<ipasc> argument is a NUL-terminal ASCII string: +dotted decimal quad for IPv4 and colon-separated hexadecimal for +IPv6. The condensed "::" notation is supported for IPv6 addresses. + =head1 RETURN VALUES -X509_VERIFY_PARAM_set_flags(), X509_VERIFY_PARAM_clear_flags(), +X509_VERIFY_PARAM_set_flags(), X509_VERIFY_PARAM_clear_flags(), X509_VERIFY_PARAM_set_purpose(), X509_VERIFY_PARAM_set_trust(), -X509_VERIFY_PARAM_add0_policy() and X509_VERIFY_PARAM_set1_policies() return 1 -for success and 0 for failure. +X509_VERIFY_PARAM_add0_policy() X509_VERIFY_PARAM_set1_policies(), +X509_VERIFY_PARAM_set1_host(), X509_VERIFY_PARAM_set_hostflags(), +X509_VERIFY_PARAM_set1_email(), X509_VERIFY_PARAM_set1_ip() and +X509_VERIFY_PARAM_set1_ip_asc() return 1 for success and 0 for +failure. X509_VERIFY_PARAM_get_flags() returns the current verification flags. @@ -162,7 +226,10 @@ connections associated with an B<SSL_CTX> structure B<ctx>: =head1 SEE ALSO -L<X509_verify_cert(3)|X509_verify_cert(3)> +L<X509_verify_cert(3)|X509_verify_cert(3)>, +L<X509_check_host(3)|X509_check_host(3)>, +L<X509_check_email(3)|X509_check_email(3)>, +L<X509_check_ip(3)|X509_check_ip(3)> =head1 HISTORY |