Make tls1_check_chain return a set of flags indicating checks passed

[openssl.git] / ssl / ssl.h

diff --git a/ssl/ssl.h b/ssl/ssl.h
index d399fbc971d424a2da5a5c2a1dbf73d16315cd36..4c36fdb4124b59d8f0648aa095f9ae0ad9ca7e96 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -662,6 +662,26 @@ struct ssl_session_st
 /* Don't include root CA in chain */
 #define SSL_BUILD_CHAIN_FLAG_NO_ROOT   0x2
 
+/* Flags returned by SSL_check_chain */
+/* Certificate can be used with this session */
+#define CERT_PKEY_VALID                0x1
+/* Certificate can also be used for signing */
+#define CERT_PKEY_SIGN         0x2
+/* EE certificate signing algorithm OK */
+#define CERT_PKEY_EE_SIGNATURE 0x10
+/* CA signature algorithms OK */
+#define CERT_PKEY_CA_SIGNATURE 0x20
+/* EE certificate parameters OK */
+#define CERT_PKEY_EE_PARAM     0x40
+/* CA certificate parameters OK */
+#define CERT_PKEY_CA_PARAM     0x80
+/* Signing explicitly allowed as opposed to SHA1 fallback */
+#define CERT_PKEY_EXPLICIT_SIGN        0x100
+/* Client CA issuer names match (always set for server cert) */
+#define CERT_PKEY_ISSUER_NAME  0x200
+/* Cert type matches client types (always set for server cert) */
+#define CERT_PKEY_CERT_TYPE    0x400
+
 /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
  * they cannot be used to clear bits. */
 
@@ -2433,6 +2453,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE                206
 #define SSL_F_SSL_VERIFY_CERT_CHAIN                     207
 #define SSL_F_SSL_WRITE                                         208
+#define SSL_F_TLS12_CHECK_PEER_SIGALG                   333
 #define SSL_F_TLS1_CERT_VERIFY_MAC                      286
 #define SSL_F_TLS1_CHANGE_CIPHER_STATE                  209
 #define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT             274