Make tls1_check_chain return a set of flags indicating checks passed

[openssl.git] / ssl / ssl.h

diff --git a/ssl/ssl.h b/ssl/ssl.h
index aea244ab1dc3291fc57eb0644f40df5e570e1b81..78ead35fc7e6781d8afa663bb8385e643f73e236 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -656,6 +656,32 @@ struct ssl_session_st
  */
 #define SSL_CERT_FLAG_TLS_STRICT       0x00000001L
 
+/* Flags for building certificate chains */
+/* Treat any existing certificates as untrusted CAs */
+#define SSL_BUILD_CHAIN_FLAG_UNTRUSTED 0x1
+/* Con't include root CA in chain */
+#define SSL_BUILD_CHAIN_FLAG_NO_ROOT   0x2
+
+/* Flags returned by SSL_check_chain */
+/* Certificate can be used with this session */
+#define CERT_PKEY_VALID                0x1
+/* Certificate can also be used for signing */
+#define CERT_PKEY_SIGN         0x2
+/* EE certificate signing algorithm OK */
+#define CERT_PKEY_EE_SIGNATURE 0x10
+/* CA signature algorithms OK */
+#define CERT_PKEY_CA_SIGNATURE 0x20
+/* EE certificate parameters OK */
+#define CERT_PKEY_EE_PARAM     0x40
+/* CA certificate parameters OK */
+#define CERT_PKEY_CA_PARAM     0x80
+/* Signing explicitly allowed as opposed to SHA1 fallback */
+#define CERT_PKEY_EXPLICIT_SIGN        0x100
+/* Client CA issuer names match (always set for server cert) */
+#define CERT_PKEY_ISSUER_NAME  0x200
+/* Cert type matches client types (always set for server cert) */
+#define CERT_PKEY_CERT_TYPE    0x400
+
 /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
  * they cannot be used to clear bits. */
 
@@ -1664,6 +1690,11 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_CTRL_CLEAR_CERT_FLAGS              100
 #define SSL_CTRL_SET_CLIENT_SIGALGS            101
 #define SSL_CTRL_SET_CLIENT_SIGALGS_LIST       102
+#define SSL_CTRL_GET_CLIENT_CERT_TYPES         103
+#define SSL_CTRL_SET_CLIENT_CERT_TYPES         104
+#define SSL_CTRL_BUILD_CERT_CHAIN              105
+#define SSL_CTRL_SET_VERIFY_CERT_STORE         106
+#define SSL_CTRL_SET_CHAIN_CERT_STORE          107
 
 #define DTLSv1_get_timeout(ssl, arg) \
        SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
@@ -1714,6 +1745,17 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
        SSL_CTX_ctrl(ctx,SSL_CTRL_CHAIN_CERT,0,(char *)x509)
 #define SSL_CTX_add1_chain_cert(ctx,x509) \
        SSL_CTX_ctrl(ctx,SSL_CTRL_CHAIN_CERT,1,(char *)x509)
+#define SSL_CTX_build_cert_chain(ctx, flags) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_BUILD_CERT_CHAIN, flags, NULL)
+
+#define SSL_CTX_set0_verify_cert_store(ctx,st) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)st)
+#define SSL_CTX_set1_verify_cert_store(ctx,st) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_SET_VERIFY_CERT_STORE,1,(char *)st)
+#define SSL_CTX_set0_chain_cert_store(ctx,st) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)st)
+#define SSL_CTX_set1_chain_cert_store(ctx,st) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)st)
 
 #define SSL_set0_chain(ctx,sk) \
        SSL_ctrl(ctx,SSL_CTRL_CHAIN,0,(char *)sk)
@@ -1723,6 +1765,17 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
        SSL_ctrl(ctx,SSL_CTRL_CHAIN_CERT,0,(char *)x509)
 #define SSL_add1_chain_cert(ctx,x509) \
        SSL_ctrl(ctx,SSL_CTRL_CHAIN_CERT,1,(char *)x509)
+#define SSL_build_cert_chain(s, flags) \
+       SSL_ctrl(s,SSL_CTRL_BUILD_CERT_CHAIN, flags, NULL)
+#define SSL_set0_verify_cert_store(s,st) \
+       SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)st)
+#define SSL_set1_verify_cert_store(s,st) \
+       SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,1,(char *)st)
+#define SSL_set0_chain_cert_store(s,st) \
+       SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)st)
+#define SSL_set1_chain_cert_store(s,st) \
+       SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)st)
+
 #define SSL_get1_curves(ctx, s) \
        SSL_ctrl(ctx,SSL_CTRL_GET_CURVES,0,(char *)s)
 #define SSL_CTX_set1_curves(ctx, clist, clistlen) \
@@ -1758,6 +1811,14 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_set1_client_sigalgs_list(ctx, s) \
        SSL_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)s)
 
+#define SSL_get0_certificate_types(s, clist) \
+       SSL_ctrl(s, SSL_CTRL_GET_CLIENT_CERT_TYPES, 0, (char *)clist)
+
+#define SSL_CTX_set1_client_certificate_types(ctx, clist, clistlen) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_CERT_TYPES,clistlen,(char *)clist)
+#define SSL_set1_client_certificate_types(s, clist, clistlen) \
+       SSL_ctrl(s,SSL_CTRL_SET_CLIENT_CERT_TYPES,clistlen,(char *)clist)
+
 #ifndef OPENSSL_NO_BIO
 BIO_METHOD *BIO_f_ssl(void);
 BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
@@ -2177,6 +2238,7 @@ void SSL_set_not_resumable_session_callback(SSL *ssl,
 
 void SSL_set_debug(SSL *s, int debug);
 int SSL_cache_hit(SSL *s);
+int SSL_is_server(SSL *s);
 
 #ifndef OPENSSL_NO_SSL_TRACE
 void SSL_trace(int write_p, int version, int content_type,
@@ -2317,6 +2379,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_ADD_SERVERHELLO_TLSEXT                278
 #define SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT          308
 #define SSL_F_SSL_BAD_METHOD                            160
+#define SSL_F_SSL_BUILD_CERT_CHAIN                      332
 #define SSL_F_SSL_BYTES_TO_CIPHER_LIST                  161
 #define SSL_F_SSL_CERT_DUP                              221
 #define SSL_F_SSL_CERT_INST                             222
@@ -2409,6 +2472,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE                206
 #define SSL_F_SSL_VERIFY_CERT_CHAIN                     207
 #define SSL_F_SSL_WRITE                                         208
+#define SSL_F_TLS12_CHECK_PEER_SIGALG                   333
 #define SSL_F_TLS1_CERT_VERIFY_MAC                      286
 #define SSL_F_TLS1_CHANGE_CIPHER_STATE                  209
 #define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT             274
@@ -2721,6 +2785,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_USE_SRTP_NOT_NEGOTIATED                   369
 #define SSL_R_WRITE_BIO_NOT_SET                                 260
 #define SSL_R_WRONG_CIPHER_RETURNED                     261
+#define SSL_R_WRONG_CURVE                               378
 #define SSL_R_WRONG_MESSAGE_TYPE                        262
 #define SSL_R_WRONG_NUMBER_OF_KEY_BITS                  263
 #define SSL_R_WRONG_SIGNATURE_LENGTH                    264