X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl.h;h=09b5da00e2d18db7a29633e56c9bc3350259702b;hp=a327daa6e7e17a61761c8c6b22fb4bfc9d305b67;hb=29113688a1b56d92a6e8dd50faa186751d2b2e96;hpb=a897502cd9e4bf3d1fe7ccd0838643b3ca44031c

diff --git a/ssl/ssl.h b/ssl/ssl.h
index a327daa6e7..09b5da00e2 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -654,7 +654,44 @@ struct ssl_session_st
 /* Many implementations ignore some aspects of the TLS standards such as
  * enforcing certifcate chain algorithms. When this is set we enforce them.
  */
-#define SSL_CERT_FLAG_TLS_STRICT	0x00000001L
+#define SSL_CERT_FLAG_TLS_STRICT		0x00000001L
+
+/* Suite B modes, takes same values as certificate verify flags */
+#define SSL_CERT_FLAG_SUITEB_128_LOS_ONLY	0x10000
+/* Suite B 192 bit only mode */
+#define SSL_CERT_FLAG_SUITEB_192_LOS		0x20000
+/* Suite B 128 bit mode allowing 192 bit algorithms */
+#define SSL_CERT_FLAG_SUITEB_128_LOS		0x30000
+
+
+
+/* Flags for building certificate chains */
+/* Treat any existing certificates as untrusted CAs */
+#define SSL_BUILD_CHAIN_FLAG_UNTRUSTED	0x1
+/* Don't include root CA in chain */
+#define SSL_BUILD_CHAIN_FLAG_NO_ROOT	0x2
+
+/* Flags returned by SSL_check_chain */
+/* Certificate can be used with this session */
+#define CERT_PKEY_VALID		0x1
+/* Certificate can also be used for signing */
+#define CERT_PKEY_SIGN		0x2
+/* EE certificate signing algorithm OK */
+#define CERT_PKEY_EE_SIGNATURE	0x10
+/* CA signature algorithms OK */
+#define CERT_PKEY_CA_SIGNATURE	0x20
+/* EE certificate parameters OK */
+#define CERT_PKEY_EE_PARAM	0x40
+/* CA certificate parameters OK */
+#define CERT_PKEY_CA_PARAM	0x80
+/* Signing explicitly allowed as opposed to SHA1 fallback */
+#define CERT_PKEY_EXPLICIT_SIGN	0x100
+/* Client CA issuer names match (always set for server cert) */
+#define CERT_PKEY_ISSUER_NAME	0x200
+/* Cert type matches client types (always set for server cert) */
+#define CERT_PKEY_CERT_TYPE	0x400
+/* Cert chain suitable to Suite B */
+#define CERT_PKEY_SUITEB	0x800
 
 /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
  * they cannot be used to clear bits. */
@@ -1657,6 +1694,13 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_CTRL_SET_CLIENT_SIGALGS_LIST	102
 #define SSL_CTRL_GET_CLIENT_CERT_TYPES		103
 #define SSL_CTRL_SET_CLIENT_CERT_TYPES		104
+#define SSL_CTRL_BUILD_CERT_CHAIN		105
+#define SSL_CTRL_SET_VERIFY_CERT_STORE		106
+#define SSL_CTRL_SET_CHAIN_CERT_STORE		107
+#define SSL_CTRL_GET_PEER_SIGNATURE_NID		108
+#define SSL_CTRL_GET_SERVER_TMP_KEY		109
+#define SSL_CTRL_GET_RAW_CIPHERLIST		110
+#define SSL_CTRL_GET_EC_POINT_FORMATS		111
 
 #define DTLSv1_get_timeout(ssl, arg) \
 	SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
@@ -1707,6 +1751,17 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 	SSL_CTX_ctrl(ctx,SSL_CTRL_CHAIN_CERT,0,(char *)x509)
 #define SSL_CTX_add1_chain_cert(ctx,x509) \
 	SSL_CTX_ctrl(ctx,SSL_CTRL_CHAIN_CERT,1,(char *)x509)
+#define SSL_CTX_build_cert_chain(ctx, flags) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_BUILD_CERT_CHAIN, flags, NULL)
+
+#define SSL_CTX_set0_verify_cert_store(ctx,st) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)st)
+#define SSL_CTX_set1_verify_cert_store(ctx,st) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_VERIFY_CERT_STORE,1,(char *)st)
+#define SSL_CTX_set0_chain_cert_store(ctx,st) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)st)
+#define SSL_CTX_set1_chain_cert_store(ctx,st) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)st)
 
 #define SSL_set0_chain(ctx,sk) \
 	SSL_ctrl(ctx,SSL_CTRL_CHAIN,0,(char *)sk)
@@ -1716,6 +1771,17 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 	SSL_ctrl(ctx,SSL_CTRL_CHAIN_CERT,0,(char *)x509)
 #define SSL_add1_chain_cert(ctx,x509) \
 	SSL_ctrl(ctx,SSL_CTRL_CHAIN_CERT,1,(char *)x509)
+#define SSL_build_cert_chain(s, flags) \
+	SSL_ctrl(s,SSL_CTRL_BUILD_CERT_CHAIN, flags, NULL)
+#define SSL_set0_verify_cert_store(s,st) \
+	SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)st)
+#define SSL_set1_verify_cert_store(s,st) \
+	SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,1,(char *)st)
+#define SSL_set0_chain_cert_store(s,st) \
+	SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)st)
+#define SSL_set1_chain_cert_store(s,st) \
+	SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)st)
+
 #define SSL_get1_curves(ctx, s) \
 	SSL_ctrl(ctx,SSL_CTRL_GET_CURVES,0,(char *)s)
 #define SSL_CTX_set1_curves(ctx, clist, clistlen) \
@@ -1759,6 +1825,18 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_set1_client_certificate_types(s, clist, clistlen) \
 	SSL_ctrl(s,SSL_CTRL_SET_CLIENT_CERT_TYPES,clistlen,(char *)clist)
 
+#define SSL_get_peer_signature_nid(s, pn) \
+	SSL_ctrl(s,SSL_CTRL_GET_PEER_SIGNATURE_NID,0,pn)
+
+#define SSL_get_server_tmp_key(s, pk) \
+	SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk)
+
+#define SSL_get0_raw_cipherlist(s, plst) \
+	SSL_ctrl(s,SSL_CTRL_GET_RAW_CIPHERLIST,0,plst)
+
+#define SSL_get0_ec_point_formats(s, plst) \
+	SSL_ctrl(s,SSL_CTRL_GET_EC_POINT_FORMATS,0,plst)
+
 #ifndef OPENSSL_NO_BIO
 BIO_METHOD *BIO_f_ssl(void);
 BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
@@ -2161,6 +2239,8 @@ void *SSL_COMP_get_compression_methods(void);
 int SSL_COMP_add_compression_method(int id,void *cm);
 #endif
 
+const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr);
+
 /* TLS extensions functions */
 int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len);
 
@@ -2174,6 +2254,12 @@ void SSL_set_debug(SSL *s, int debug);
 int SSL_cache_hit(SSL *s);
 int SSL_is_server(SSL *s);
 
+#ifndef OPENSSL_NO_SSL_TRACE
+void SSL_trace(int write_p, int version, int content_type,
+		const void *buf, size_t len, SSL *ssl, void *arg);
+const char *SSL_CIPHER_standard_name(const SSL_CIPHER *c);
+#endif
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
@@ -2185,6 +2271,7 @@ void ERR_load_SSL_strings(void);
 /* Function codes. */
 #define SSL_F_AUTHZ_FIND_DATA				 330
 #define SSL_F_AUTHZ_VALIDATE				 323
+#define SSL_F_CHECK_SUITEB_CIPHER_LIST			 331
 #define SSL_F_CLIENT_CERTIFICATE			 100
 #define SSL_F_CLIENT_FINISHED				 167
 #define SSL_F_CLIENT_HELLO				 101
@@ -2308,6 +2395,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_ADD_SERVERHELLO_TLSEXT		 278
 #define SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT		 308
 #define SSL_F_SSL_BAD_METHOD				 160
+#define SSL_F_SSL_BUILD_CERT_CHAIN			 332
 #define SSL_F_SSL_BYTES_TO_CIPHER_LIST			 161
 #define SSL_F_SSL_CERT_DUP				 221
 #define SSL_F_SSL_CERT_INST				 222
@@ -2401,6 +2489,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE		 206
 #define SSL_F_SSL_VERIFY_CERT_CHAIN			 207
 #define SSL_F_SSL_WRITE					 208
+#define SSL_F_TLS12_CHECK_PEER_SIGALG			 333
 #define SSL_F_TLS1_CERT_VERIFY_MAC			 286
 #define SSL_F_TLS1_CHANGE_CIPHER_STATE			 209
 #define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT		 274
@@ -2507,6 +2596,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_HTTPS_PROXY_REQUEST			 155
 #define SSL_R_HTTP_REQUEST				 156
 #define SSL_R_ILLEGAL_PADDING				 283
+#define SSL_R_ILLEGAL_SUITEB_DIGEST			 380
 #define SSL_R_INCONSISTENT_COMPRESSION			 340
 #define SSL_R_INVALID_AUDIT_PROOF			 371
 #define SSL_R_INVALID_AUTHZ_DATA			 374
@@ -2539,6 +2629,8 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_MISSING_DH_KEY				 163
 #define SSL_R_MISSING_DH_RSA_CERT			 164
 #define SSL_R_MISSING_DSA_SIGNING_CERT			 165
+#define SSL_R_MISSING_ECDH_CERT				 382
+#define SSL_R_MISSING_ECDSA_SIGNING_CERT		 381
 #define SSL_R_MISSING_EXPORT_TMP_DH_KEY			 166
 #define SSL_R_MISSING_EXPORT_TMP_RSA_KEY		 167
 #define SSL_R_MISSING_RSA_CERTIFICATE			 168
@@ -2581,6 +2673,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_NULL_SSL_METHOD_PASSED			 196
 #define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED		 197
 #define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 344
+#define SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE	 379
 #define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE		 297
 #define SSL_R_OPAQUE_PRF_INPUT_TOO_LONG			 327
 #define SSL_R_PACKET_LENGTH_TOO_LONG			 198
@@ -2712,7 +2805,9 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_UNSUPPORTED_STATUS_TYPE			 329
 #define SSL_R_USE_SRTP_NOT_NEGOTIATED			 369
 #define SSL_R_WRITE_BIO_NOT_SET				 260
+#define SSL_R_WRONG_CERTIFICATE_TYPE			 383
 #define SSL_R_WRONG_CIPHER_RETURNED			 261
+#define SSL_R_WRONG_CURVE				 378
 #define SSL_R_WRONG_MESSAGE_TYPE			 262
 #define SSL_R_WRONG_NUMBER_OF_KEY_BITS			 263
 #define SSL_R_WRONG_SIGNATURE_LENGTH			 264