perform sanity checks on server certificate type as soon as it is received instead...

[openssl.git] / ssl / ssl.h

diff --git a/ssl/ssl.h b/ssl/ssl.h
index b8b1ba120726e4216a27972a1e9781ec31b9b917..857cbf04b31ede6b13038c658cffb9f747d90cf5 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -654,7 +654,17 @@ struct ssl_session_st
 /* Many implementations ignore some aspects of the TLS standards such as
  * enforcing certifcate chain algorithms. When this is set we enforce them.
  */
-#define SSL_CERT_FLAG_TLS_STRICT       0x00000001L
+#define SSL_CERT_FLAG_TLS_STRICT               0x00000001L
+
+/* Suite B modes, takes same values as certificate verify flags */
+#define SSL_CERT_FLAG_SUITEB_128_LOS_ONLY      0x10000
+/* Suite B 192 bit only mode */
+#define SSL_CERT_FLAG_SUITEB_192_LOS           0x20000
+/* Suite B 128 bit mode allowing 192 bit algorithms */
+#define SSL_CERT_FLAG_SUITEB_128_LOS           0x30000
+
+/* Perform all sorts of protocol violations for testing purposes */
+#define SSL_CERT_FLAG_BROKEN_PROTCOL           0x10000000
 
 /* Flags for building certificate chains */
 /* Treat any existing certificates as untrusted CAs */
@@ -662,6 +672,28 @@ struct ssl_session_st
 /* Con't include root CA in chain */
 #define SSL_BUILD_CHAIN_FLAG_NO_ROOT   0x2
 
+/* Flags returned by SSL_check_chain */
+/* Certificate can be used with this session */
+#define CERT_PKEY_VALID                0x1
+/* Certificate can also be used for signing */
+#define CERT_PKEY_SIGN         0x2
+/* EE certificate signing algorithm OK */
+#define CERT_PKEY_EE_SIGNATURE 0x10
+/* CA signature algorithms OK */
+#define CERT_PKEY_CA_SIGNATURE 0x20
+/* EE certificate parameters OK */
+#define CERT_PKEY_EE_PARAM     0x40
+/* CA certificate parameters OK */
+#define CERT_PKEY_CA_PARAM     0x80
+/* Signing explicitly allowed as opposed to SHA1 fallback */
+#define CERT_PKEY_EXPLICIT_SIGN        0x100
+/* Client CA issuer names match (always set for server cert) */
+#define CERT_PKEY_ISSUER_NAME  0x200
+/* Cert type matches client types (always set for server cert) */
+#define CERT_PKEY_CERT_TYPE    0x400
+/* Cert chain suitable to Suite B */
+#define CERT_PKEY_SUITEB       0x800
+
 /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
  * they cannot be used to clear bits. */
 
@@ -2559,6 +2591,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_HTTPS_PROXY_REQUEST                       155
 #define SSL_R_HTTP_REQUEST                              156
 #define SSL_R_ILLEGAL_PADDING                           283
+#define SSL_R_ILLEGAL_SUITEB_DIGEST                     380
 #define SSL_R_INCONSISTENT_COMPRESSION                  340
 #define SSL_R_INVALID_AUDIT_PROOF                       371
 #define SSL_R_INVALID_AUTHZ_DATA                        374
@@ -2591,6 +2624,8 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_MISSING_DH_KEY                            163
 #define SSL_R_MISSING_DH_RSA_CERT                       164
 #define SSL_R_MISSING_DSA_SIGNING_CERT                  165
+#define SSL_R_MISSING_ECDH_CERT                                 382
+#define SSL_R_MISSING_ECDSA_SIGNING_CERT                381
 #define SSL_R_MISSING_EXPORT_TMP_DH_KEY                         166
 #define SSL_R_MISSING_EXPORT_TMP_RSA_KEY                167
 #define SSL_R_MISSING_RSA_CERTIFICATE                   168
@@ -2633,6 +2668,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_NULL_SSL_METHOD_PASSED                    196
 #define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED           197
 #define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 344
+#define SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE       379
 #define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE             297
 #define SSL_R_OPAQUE_PRF_INPUT_TOO_LONG                         327
 #define SSL_R_PACKET_LENGTH_TOO_LONG                    198
@@ -2764,6 +2800,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_UNSUPPORTED_STATUS_TYPE                   329
 #define SSL_R_USE_SRTP_NOT_NEGOTIATED                   369
 #define SSL_R_WRITE_BIO_NOT_SET                                 260
+#define SSL_R_WRONG_CERTIFICATE_TYPE                    383
 #define SSL_R_WRONG_CIPHER_RETURNED                     261
 #define SSL_R_WRONG_CURVE                               378
 #define SSL_R_WRONG_MESSAGE_TYPE                        262