author: Viktor Dukhovni <openssl-users@dukhovni.org> 2016-05-13 00:36:56 -0400
committer: Viktor Dukhovni <openssl-users@dukhovni.org> 2016-05-19 00:25:42 -0400
commit: f75b34c8c81d7277fa002120d4c8dc36c39d1ff5 (patch)
tree: 118cb3d0ae80b77e3f8e729005ca67bfe3eb5daf /include
parent: a5a3722bc185b2baaaa183dcaafaf17b3d07a5fa (diff)
When strict SCT fails record verification failure
Since with SSL_VERIFY_NONE, the connection may continue and the session may even be cached, we should save some evidence that the chain was not sufficiently verified and would have been rejected with SSL_VERIFY_PEER. To that end, when a CT callback returns failure we set the verify result to X509_V_ERR_NO_VALID_SCTS.

Note: We only run the CT callback in the first place if the verify result is still X509_V_OK prior to start of the callback.

RT #4502

Reviewed-by: Tim Hudson <tjh@openssl.org>
Diffstat (limited to 'include')
-rw-r--r-- include/openssl/x509_vfy.h | 3
1 files changed, 2 insertions, 1 deletions
diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h
index 44f1f16991..3adfaa3f2a 100644
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@@ -158,11 +158,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
# define X509_V_ERR_EE_KEY_TOO_SMALL 66
# define X509_V_ERR_CA_KEY_TOO_SMALL 67
# define X509_V_ERR_CA_MD_TOO_WEAK 68
-
/* Caller error */
# define X509_V_ERR_INVALID_CALL 69
/* Issuer lookup error */
# define X509_V_ERR_STORE_LOOKUP 70
+/* Certificate transparency */
+# define X509_V_ERR_NO_VALID_SCTS 71
/* Certificate verify flags */
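Review bot: the new `X509_V_ERR_NO_VALID_SCTS` (71) added at the end of this hunk also needs a matching entry in the table behind `X509_verify_cert_error_string()`, which lives outside `include/`; since this diffstat is limited to 'include', confirm the companion change is part of the same commit, otherwise applications that log `SSL_get_verify_result()` after a CT failure will only see the generic unknown-error text and lose exactly the evidence the commit message says it wants to preserve. Minor: the hunk also drops the blank line that separated the key-strength codes from the `/* Caller error */` group, so the three small groups now run together; keeping the separator (and adding one before `/* Certificate transparency */`) would match the existing layout of the file.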