Add new "valid_flags" field to CERT_PKEY structure which determines what
the certificate can be used for (if anything). Set valid_flags field
in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
to have similar checks in it.

Add new "cert_flags" field to CERT structure and include a "strict mode".
This enforces some TLS certificate requirements (such as only permitting
certificate signature algorithms contained in the supported algorithms
extension) which some implementations ignore: this option should be used
with caution as it could cause interoperability issues.
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index dad84dc..993f6e4 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3921,6 +3921,8 @@
 		allow = srvr;
 		}
 
+	tls1_set_cert_validity(s);
+
 	for (i=0; i<sk_SSL_CIPHER_num(prio); i++)
 		{
 		c=sk_SSL_CIPHER_value(prio,i);