Add new "valid_flags" field to CERT_PKEY structure which determines what

[openssl.git] / ssl / ssl_locl.h

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index d87fd51cfa824e3ef0ad06a64496affb783aa88e..1b166caa56b556a092125cc202d6c5561deb1fae 100644 (file)
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -280,8 +280,8 @@
 
 /* Bits for algorithm_mkey (key exchange algorithm) */
 #define SSL_kRSA               0x00000001L /* RSA key exchange */
-#define SSL_kDHr               0x00000002L /* DH cert, RSA CA cert */ /* no such ciphersuites supported! */
-#define SSL_kDHd               0x00000004L /* DH cert, DSA CA cert */ /* no such ciphersuite supported! */
+#define SSL_kDHr               0x00000002L /* DH cert, RSA CA cert */
+#define SSL_kDHd               0x00000004L /* DH cert, DSA CA cert */
 #define SSL_kEDH               0x00000008L /* tmp DH key no DH cert */
 #define SSL_kKRB5              0x00000010L /* Kerberos5 key exchange */
 #define SSL_kECDHr             0x00000020L /* ECDH cert, RSA CA cert */
@@ -295,7 +295,7 @@
 #define SSL_aRSA               0x00000001L /* RSA auth */
 #define SSL_aDSS               0x00000002L /* DSS auth */
 #define SSL_aNULL              0x00000004L /* no auth (i.e. use ADH or AECDH) */
-#define SSL_aDH                0x00000008L /* Fixed DH auth (kDHd or kDHr) */ /* no such ciphersuites supported! */
+#define SSL_aDH                0x00000008L /* Fixed DH auth (kDHd or kDHr) */
 #define SSL_aECDH              0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */
 #define SSL_aKRB5               0x00000020L /* KRB5 auth */
 #define SSL_aECDSA              0x00000040L /* ECDSA auth*/
@@ -468,12 +468,36 @@
 #define NAMED_CURVE_TYPE           3
 #endif  /* OPENSSL_NO_EC */
 
+/* Values for valid_flags in CERT_PKEY structure */
+/* Certificate inconsistent with session, key missing etc */
+#define CERT_PKEY_INVALID      0x0
+/* Certificate can be used with this sesstion */
+#define CERT_PKEY_VALID                0x1
+/* Certificate can also be used for signing */
+#define CERT_PKEY_SIGN         0x2
+
 typedef struct cert_pkey_st
        {
        X509 *x509;
        EVP_PKEY *privatekey;
        /* Digest to use when signing */
        const EVP_MD *digest;
+       /* Chain for this certificate */
+       STACK_OF(X509) *chain;
+#ifndef OPENSSL_NO_TLSEXT
+       /* authz/authz_length contain authz data for this certificate. The data
+        * is in wire format, specifically it's a series of records like:
+        *   uint8_t authz_type;  // (RFC 5878, AuthzDataFormat)
+        *   uint16_t length;
+        *   uint8_t data[length]; */
+       unsigned char *authz;
+       size_t authz_length;
+#endif
+       /* Set if CERT_PKEY can be used with current SSL session: e.g.
+        * appropriate curve, signature algorithms etc. If zero it can't be
+        * used at all.
+        */
+       int valid_flags;
        } CERT_PKEY;
 
 typedef struct cert_st
@@ -502,10 +526,32 @@ typedef struct cert_st
        EC_KEY *ecdh_tmp;
        /* Callback for generating ephemeral ECDH keys */
        EC_KEY *(*ecdh_tmp_cb)(SSL *ssl,int is_export,int keysize);
+       /* Select ECDH parameters automatically */
+       int ecdh_tmp_auto;
 #endif
-
+       /* Flags related to certificates */
+       unsigned int cert_flags;
        CERT_PKEY pkeys[SSL_PKEY_NUM];
 
+       /* signature algorithms peer reports: e.g. supported signature
+        * algorithms extension for server or as part of a certificate
+        * request for client.
+        */
+       unsigned char *peer_sigalgs;
+       /* Size of above array */
+       size_t peer_sigalgslen;
+       /* configured signature algorithms (can be NULL for default).
+        * sent in signature algorithms extension or certificate request.
+        */
+       unsigned char *conf_sigalgs;
+       /* Size of above array */
+       size_t conf_sigalgslen;
+       /* Signature algorithms shared by client and server: cached
+        * because these are used most often
+        */
+       TLS_SIGALGS *shared_sigalgs;
+       size_t shared_sigalgslen;
+
        int references; /* >1 only if SSL_copy_session_id is used */
        } CERT;
 
@@ -534,7 +580,19 @@ typedef struct sess_cert_st
 
        int references; /* actually always 1 at the moment */
        } SESS_CERT;
-
+/* Structure containing decoded values of signature algorithms extension */
+struct tls_sigalgs_st
+       {
+       /* NID of hash algorithm */
+       int hash_nid;
+       /* NID of signature algorithm */
+       int sign_nid;
+       /* Combined hash and signature NID */
+       int signandhash_nid;
+       /* Raw values used in extension */
+       unsigned char rsign;
+       unsigned char rhash;
+       };
 
 /*#define MAC_DEBUG    */
 
@@ -802,7 +860,9 @@ void ssl_clear_cipher_ctx(SSL *s);
 int ssl_clear_bad_session(SSL *s);
 CERT *ssl_cert_new(void);
 CERT *ssl_cert_dup(CERT *cert);
+void ssl_cert_set_default_md(CERT *cert);
 int ssl_cert_inst(CERT **o);
+void ssl_cert_clear_certs(CERT *c);
 void ssl_cert_free(CERT *c);
 SESS_CERT *ssl_sess_cert_new(void);
 void ssl_sess_cert_free(SESS_CERT *sc);
@@ -826,11 +886,18 @@ void ssl_update_cache(SSL *s, int mode);
 int ssl_cipher_get_evp(const SSL_SESSION *s,const EVP_CIPHER **enc,
                       const EVP_MD **md,int *mac_pkey_type,int *mac_secret_size, SSL_COMP **comp);
 int ssl_get_handshake_digest(int i,long *mask,const EVP_MD **md);                         
+int ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain);
+int ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain);
+int ssl_cert_add0_chain_cert(CERT *c, X509 *x);
+int ssl_cert_add1_chain_cert(CERT *c, X509 *x);
+
 int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
+int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l);
 int ssl_undefined_function(SSL *s);
 int ssl_undefined_void_function(void);
 int ssl_undefined_const_function(const SSL *s);
-X509 *ssl_get_server_send_cert(SSL *);
+CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
+unsigned char *ssl_get_authz_data(SSL *s, size_t *authz_length);
 EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd);
 int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
 void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
@@ -898,7 +965,7 @@ void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len);
 int ssl3_enc(SSL *s, int send_data);
 int n_ssl3_mac(SSL *ssl, unsigned char *md, int send_data);
 void ssl3_free_digest_list(SSL *s);
-unsigned long ssl3_output_cert_chain(SSL *s, X509 *x);
+unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk);
 SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,STACK_OF(SSL_CIPHER) *clnt,
                               STACK_OF(SSL_CIPHER) *srvr);
 int    ssl3_setup_buffers(SSL *s);
@@ -952,7 +1019,7 @@ int dtls1_write_bytes(SSL *s, int type, const void *buf, int len);
 
 int dtls1_send_change_cipher_spec(SSL *s, int a, int b);
 int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen);
-unsigned long dtls1_output_cert_chain(SSL *s, X509 *x);
+unsigned long dtls1_output_cert_chain(SSL *s, CERT_PKEY *cpk);
 int dtls1_read_failed(SSL *s, int code);
 int dtls1_buffer_message(SSL *s, int ccs);
 int dtls1_retransmit_message(SSL *s, unsigned short seq, 
@@ -1079,17 +1146,32 @@ SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
 #ifndef OPENSSL_NO_EC
 int tls1_ec_curve_id2nid(int curve_id);
 int tls1_ec_nid2curve_id(int nid);
+int tls1_shared_curve(SSL *s, int nmatch);
+int tls1_set_curves(unsigned char **pext, size_t *pextlen,
+                       int *curves, size_t ncurves);
+int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
+                               const char *str);
+int tls1_check_ec_server_key(SSL *s);
+int tls1_check_ec_tmp_key(SSL *s);
 #endif /* OPENSSL_NO_EC */
 
 #ifndef OPENSSL_NO_TLSEXT
+int tls1_shared_list(SSL *s,
+                       const unsigned char *l1, size_t l1len,
+                       const unsigned char *l2, size_t l2len,
+                       int nmatch);
 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); 
 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); 
-int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
-int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
+int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n);
+int ssl_check_clienthello_tlsext_late(SSL *s);
+int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n);
 int ssl_prepare_clienthello_tlsext(SSL *s);
 int ssl_prepare_serverhello_tlsext(SSL *s);
-int ssl_check_clienthello_tlsext(SSL *s);
-int ssl_check_serverhello_tlsext(SSL *s);
+
+/* server only */
+int tls1_send_server_supplemental_data(SSL *s);
+/* client only */
+int tls1_get_server_supplemental_data(SSL *s);
 
 #ifndef OPENSSL_NO_HEARTBEATS
 int tls1_heartbeat(SSL *s);
@@ -1111,6 +1193,12 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
 int tls12_get_sigid(const EVP_PKEY *pk);
 const EVP_MD *tls12_get_hash(unsigned char hash_alg);
 
+int tls1_set_sigalgs_list(CERT *c, const char *str);
+int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen);
+int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
+                                                               int idx);
+void tls1_set_cert_validity(SSL *s);
+
 #endif
 EVP_MD_CTX* ssl_replace_hash(EVP_MD_CTX **hash,const EVP_MD *md) ;
 void ssl_clear_hash_ctx(EVP_MD_CTX **hash);
@@ -1124,7 +1212,7 @@ int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
                                          int *al);
 long ssl_get_algorithm2(SSL *s);
 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize);
-int tls12_get_req_sig_algs(SSL *s, unsigned char *p);
+size_t tls12_get_sig_algs(SSL *s, unsigned char *p);
 
 int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen);
 int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al);