replace macros with functions

[openssl.git] / ssl / ssl.h

diff --git a/ssl/ssl.h b/ssl/ssl.h
index 33792ea8fe788870d49f5c787071a3584c5b9869..ed87d0430222ada7d5005e276e12dc060cdf880a 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -277,37 +277,50 @@ extern "C" {
 #define SSL_TXT_LOW            "LOW"
 #define SSL_TXT_MEDIUM         "MEDIUM"
 #define SSL_TXT_HIGH           "HIGH"
-#define SSL_TXT_kFZA           "kFZA"
-#define        SSL_TXT_aFZA            "aFZA"
-#define SSL_TXT_eFZA           "eFZA"
-#define SSL_TXT_FZA            "FZA"
+#define SSL_TXT_kFZA           "kFZA" /* unused! */
+#define        SSL_TXT_aFZA            "aFZA" /* unused! */
+#define SSL_TXT_eFZA           "eFZA" /* unused! */
+#define SSL_TXT_FZA            "FZA"  /* unused! */
 
 #define        SSL_TXT_aNULL           "aNULL"
 #define        SSL_TXT_eNULL           "eNULL"
 #define        SSL_TXT_NULL            "NULL"
 
-#define SSL_TXT_kKRB5          "kKRB5"
-#define SSL_TXT_aKRB5          "aKRB5"
-#define SSL_TXT_KRB5           "KRB5"
-
 #define SSL_TXT_kRSA           "kRSA"
-#define SSL_TXT_kDHr           "kDHr"
-#define SSL_TXT_kDHd           "kDHd"
+#define SSL_TXT_kDHr           "kDHr" /* no such ciphersuites supported! */
+#define SSL_TXT_kDHd           "kDHd" /* no such ciphersuites supported! */
 #define SSL_TXT_kEDH           "kEDH"
+#define SSL_TXT_kKRB5          "kKRB5"
+#define SSL_TXT_kECDHr         "kECDHr"
+#define SSL_TXT_kECDHe         "kECDHe"
+#define SSL_TXT_kECDH          "kECDH"
+#define SSL_TXT_kEECDH         "kEECDH"
+#define SSL_TXT_kPSK            "kPSK"
+
 #define        SSL_TXT_aRSA            "aRSA"
 #define        SSL_TXT_aDSS            "aDSS"
-#define        SSL_TXT_aDH             "aDH"
+#define        SSL_TXT_aDH             "aDH" /* no such ciphersuites supported! */
+#define        SSL_TXT_aECDH           "aECDH"
+#define SSL_TXT_aKRB5          "aKRB5"
+#define SSL_TXT_aECDSA         "aECDSA"
+#define SSL_TXT_aPSK            "aPSK"
+
 #define        SSL_TXT_DSS             "DSS"
 #define SSL_TXT_DH             "DH"
-#define SSL_TXT_EDH            "EDH"
+#define SSL_TXT_EDH            "EDH" /* same as "kEDH:-ADH" */
 #define SSL_TXT_ADH            "ADH"
 #define SSL_TXT_RSA            "RSA"
+#define SSL_TXT_ECDH           "ECDH"
+#define SSL_TXT_EECDH          "EECDH" /* same as "kEECDH:-AECDH" */
+#define SSL_TXT_AECDH          "AECDH"
+#define SSL_TXT_ECDSA          "ECDSA"
 #define SSL_TXT_DES            "DES"
 #define SSL_TXT_3DES           "3DES"
 #define SSL_TXT_RC4            "RC4"
 #define SSL_TXT_RC2            "RC2"
 #define SSL_TXT_IDEA           "IDEA"
 #define SSL_TXT_AES            "AES"
+#define SSL_TXT_CAMELLIA       "CAMELLIA"
 #define SSL_TXT_MD5            "MD5"
 #define SSL_TXT_SHA1           "SHA1"
 #define SSL_TXT_SHA            "SHA"
@@ -318,11 +331,10 @@ extern "C" {
 #define SSL_TXT_SSLV2          "SSLv2"
 #define SSL_TXT_SSLV3          "SSLv3"
 #define SSL_TXT_TLSV1          "TLSv1"
-#define SSL_TXT_ALL            "ALL"
-#define SSL_TXT_ECC            "ECCdraft" /* ECC ciphersuites are not yet official */
+#define SSL_TXT_KRB5           "KRB5"
 #define SSL_TXT_PSK             "PSK"
-#define SSL_TXT_kPSK            "kPSK"
-#define SSL_TXT_aPSK            "aPSK"
+
+#define SSL_TXT_ALL            "ALL"
 
 /*
  * COMPLEMENTOF* definitions. These identifiers are used to (de-select)
@@ -344,7 +356,8 @@ extern "C" {
 /* The following cipher list is used by default.
  * It also is substituted when an application-defined cipher list string
  * starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST        "ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */
+#define SSL_DEFAULT_CIPHER_LIST        "AES:CAMELLIA:ALL:!ADH:!AECDH:+aECDH:+kRSA:+RC4:@STRENGTH"
+/* low priority for ciphersuites w/o forwared secrecy (fixed ECDH, RSA key exchange), and for RC4 */
 
 /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
 #define SSL_SENT_SHUTDOWN      1
@@ -430,18 +443,20 @@ typedef struct ssl_method_st
  * SSL_SESSION_ID ::= SEQUENCE {
  *     version                 INTEGER,        -- structure version number
  *     SSLversion              INTEGER,        -- SSL version number
- *     Cipher                  OCTET_STRING,   -- the 3 byte cipher ID
- *     Session_ID              OCTET_STRING,   -- the Session ID
- *     Master_key              OCTET_STRING,   -- the master key
- *     KRB5_principal          OCTET_STRING    -- optional Kerberos principal
- *     Key_Arg [ 0 ] IMPLICIT  OCTET_STRING,   -- the optional Key argument
+ *     Cipher                  OCTET STRING,   -- the 3 byte cipher ID
+ *     Session_ID              OCTET STRING,   -- the Session ID
+ *     Master_key              OCTET STRING,   -- the master key
+ *     KRB5_principal          OCTET STRING    -- optional Kerberos principal
+ *     Key_Arg [ 0 ] IMPLICIT  OCTET STRING,   -- the optional Key argument
  *     Time [ 1 ] EXPLICIT     INTEGER,        -- optional Start Time
  *     Timeout [ 2 ] EXPLICIT  INTEGER,        -- optional Timeout ins seconds
  *     Peer [ 3 ] EXPLICIT     X509,           -- optional Peer Certificate
- *     Session_ID_context [ 4 ] EXPLICIT OCTET_STRING,   -- the Session ID context
+ *     Session_ID_context [ 4 ] EXPLICIT OCTET STRING,   -- the Session ID context
  *     Verify_result [ 5 ] EXPLICIT INTEGER,   -- X509_V_... code for `Peer'
- *     PSK_identity_hint [ 6 ] EXPLICIT OCTET_STRING, -- PSK identity hint
- *      PSK_identity [ 7 ] EXPLICIT OCTET_STRING -- PSK identity
+ *     HostName [ 6 ] EXPLICY OCTET STRING,      -- optional HostName from servername TLS extension 
+ *     ECPointFormatList [ 7 ] OCTET STRING,     -- optional EC point format list from TLS extension
+ *     PSK_identity_hint [ 8 ] EXPLICIT OCTET STRING, -- optional PSK identity hint
+ *     PSK_identity [ 9 ] EXPLICIT OCTET STRING -- optional PSK identity
  *     }
  * Look in ssl/ssl_asn1.c for more details
  * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
@@ -507,6 +522,12 @@ typedef struct ssl_session_st
        struct ssl_session_st *prev,*next;
 #ifndef OPENSSL_NO_TLSEXT
        char *tlsext_hostname;
+#ifndef OPENSSL_NO_EC
+       size_t tlsext_ecpointformatlist_length;
+       unsigned char *tlsext_ecpointformatlist; /* peer's list */
+       size_t tlsext_ellipticcurvelist_length;
+       unsigned char *tlsext_ellipticcurvelist; /* peer's list */
+#endif /* OPENSSL_NO_EC */
 #endif
        } SSL_SESSION;
 
@@ -844,28 +865,38 @@ struct ssl_ctx_st
 #define SSL_CTX_sess_cache_full(ctx) \
        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL)
 
-#define SSL_CTX_sess_set_new_cb(ctx,cb)        ((ctx)->new_session_cb=(cb))
-#define SSL_CTX_sess_get_new_cb(ctx)   ((ctx)->new_session_cb)
-#define SSL_CTX_sess_set_remove_cb(ctx,cb)     ((ctx)->remove_session_cb=(cb))
-#define SSL_CTX_sess_get_remove_cb(ctx)        ((ctx)->remove_session_cb)
-#define SSL_CTX_sess_set_get_cb(ctx,cb)        ((ctx)->get_session_cb=(cb))
-#define SSL_CTX_sess_get_get_cb(ctx)   ((ctx)->get_session_cb)
-#define SSL_CTX_set_info_callback(ctx,cb)      ((ctx)->info_callback=(cb))
-#define SSL_CTX_get_info_callback(ctx)         ((ctx)->info_callback)
-#define SSL_CTX_set_client_cert_cb(ctx,cb)     ((ctx)->client_cert_cb=(cb))
-#define SSL_CTX_get_client_cert_cb(ctx)                ((ctx)->client_cert_cb)
-#define SSL_CTX_set_cookie_generate_cb(ctx,cb) ((ctx)->app_gen_cookie_cb=(cb))
-#define SSL_CTX_set_cookie_verify_cb(ctx,cb) ((ctx)->app_verify_cookie_cb=(cb))
+void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess));
+int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, SSL_SESSION *sess);
+void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, void (*remove_session_cb)(struct ssl_ctx_st *ctx,SSL_SESSION *sess));
+void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx, SSL_SESSION *sess);
+void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data,int len,int *copy));
+SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl, unsigned char *Data, int len, int *copy);
+void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,int type,int val));
+void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val);
+void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
+int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
+void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len));
+void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len));
 
 #ifndef OPENSSL_NO_PSK
 /* the maximum length of the buffer given to callbacks containing the
  * resulting identity/psk */
 #define PSK_MAX_IDENTITY_LEN 128
 #define PSK_MAX_PSK_LEN 64
-#define SSL_CTX_set_psk_client_callback(ctx,cb) ((ctx)->psk_client_callback=(cb))
-#define SSL_set_psk_client_callback(ssl, cb) ((ssl)->psk_client_callback=(cb))
-#define SSL_CTX_set_psk_server_callback(ctx,cb) ((ctx)->psk_server_callback=(cb))
-#define SSL_set_psk_server_callback(ssl, cb) ((ssl)->psk_server_callback=(cb))
+void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, 
+       unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, 
+               char *identity, unsigned int max_identity_len, unsigned char *psk,
+               unsigned int max_psk_len));
+void SSL_set_psk_client_callback(SSL *ssl, 
+       unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, 
+               char *identity, unsigned int max_identity_len, unsigned char *psk,
+               unsigned int max_psk_len));
+void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, 
+       unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
+               unsigned char *psk, unsigned int max_psk_len));
+void SSL_set_psk_server_callback(SSL *ssl,
+       unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
+               unsigned char *psk, unsigned int max_psk_len));
 int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint);
 int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint);
 const char *SSL_get_psk_identity_hint(const SSL *s);
@@ -1057,6 +1088,12 @@ struct ssl_st
                                  1 : prepare 2, allow last ack just after in server callback.
                                  2 : don't call servername callback, no ack in server hello
                               */
+#ifndef OPENSSL_NO_EC
+       size_t tlsext_ecpointformatlist_length;
+       unsigned char *tlsext_ecpointformatlist; /* our list */
+       size_t tlsext_ellipticcurvelist_length;
+       unsigned char *tlsext_ellipticcurvelist; /* our list */
+#endif /* OPENSSL_NO_EC */
        SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
 #define session_ctx initial_ctx
 #else
@@ -1168,7 +1205,6 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
 #define SSL_get_timeout(a)     SSL_SESSION_get_timeout(a)
 #define SSL_set_timeout(a,b)   SSL_SESSION_set_timeout((a),(b))
 
-#if 1 /*SSLEAY_MACROS*/
 #define d2i_SSL_SESSION_bio(bp,s_id) ASN1_d2i_bio_of(SSL_SESSION,SSL_SESSION_new,d2i_SSL_SESSION,bp,s_id)
 #define i2d_SSL_SESSION_bio(bp,s_id) ASN1_i2d_bio_of(SSL_SESSION,i2d_SSL_SESSION,bp,s_id)
 #define PEM_read_SSL_SESSION(fp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read( \
@@ -1179,7 +1215,6 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
                PEM_STRING_SSL_SESSION,fp, (char *)x, NULL,NULL,0,NULL,NULL)
 #define PEM_write_bio_SSL_SESSION(bp,x) \
        PEM_ASN1_write_bio_of(SSL_SESSION,i2d_SSL_SESSION,PEM_STRING_SSL_SESSION,bp,x,NULL,NULL,0,NULL,NULL)
-#endif
 
 #define SSL_AD_REASON_OFFSET           1000 /* offset to get SSL_R_... value from SSL_AD_... */
 
@@ -1754,8 +1789,10 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL3_SETUP_KEY_BLOCK                      157
 #define SSL_F_SSL3_WRITE_BYTES                          158
 #define SSL_F_SSL3_WRITE_PENDING                        159
+#define SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT                277
 #define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK        215
 #define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK       216
+#define SSL_F_SSL_ADD_SERVERHELLO_TLSEXT                278
 #define SSL_F_SSL_BAD_METHOD                            160
 #define SSL_F_SSL_BYTES_TO_CIPHER_LIST                  161
 #define SSL_F_SSL_CERT_DUP                              221
@@ -1763,6 +1800,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_CERT_INSTANTIATE                      214
 #define SSL_F_SSL_CERT_NEW                              162
 #define SSL_F_SSL_CHECK_PRIVATE_KEY                     163
+#define SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG           279
 #define SSL_F_SSL_CIPHER_PROCESS_RULESTR                230
 #define SSL_F_SSL_CIPHER_STRENGTH_SORT                  231
 #define SSL_F_SSL_CLEAR                                         164
@@ -1829,7 +1867,10 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_VERIFY_CERT_CHAIN                     207
 #define SSL_F_SSL_WRITE                                         208
 #define SSL_F_TLS1_CHANGE_CIPHER_STATE                  209
+#define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT             274
 #define SSL_F_TLS1_ENC                                  210
+#define SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT           275
+#define SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT           276
 #define SSL_F_TLS1_SETUP_KEY_BLOCK                      211
 #define SSL_F_WRITE_PENDING                             212
 
@@ -1856,7 +1897,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_BAD_MESSAGE_TYPE                          114
 #define SSL_R_BAD_PACKET_LENGTH                                 115
 #define SSL_R_BAD_PROTOCOL_VERSION_NUMBER               116
-#define SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH              157
+#define SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH              316
 #define SSL_R_BAD_RESPONSE_ARGUMENT                     117
 #define SSL_R_BAD_RSA_DECRYPT                           118
 #define SSL_R_BAD_RSA_ENCRYPT                           119
@@ -1880,7 +1921,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_CIPHER_CODE_WRONG_LENGTH                  137
 #define SSL_R_CIPHER_OR_HASH_UNAVAILABLE                138
 #define SSL_R_CIPHER_TABLE_SRC_ERROR                    139
-#define SSL_R_CLIENTHELLO_TLS_EXT                       316
+#define SSL_R_CLIENTHELLO_TLSEXT                        226
 #define SSL_R_COMPRESSED_LENGTH_TOO_LONG                140
 #define SSL_R_COMPRESSION_FAILURE                       141
 #define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE   307
@@ -1895,6 +1936,10 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG           148
 #define SSL_R_DIGEST_CHECK_FAILED                       149
 #define SSL_R_DUPLICATE_COMPRESSION_ID                  309
+#define SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT            317
+#define SSL_R_ECC_CERT_NOT_FOR_SIGNING                  318
+#define SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE        322
+#define SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE       323
 #define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER              310
 #define SSL_R_ENCRYPTED_LENGTH_TOO_LONG                         150
 #define SSL_R_ERROR_GENERATING_TMP_RSA_KEY              282
@@ -1965,7 +2010,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED           197
 #define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE             297
 #define SSL_R_PACKET_LENGTH_TOO_LONG                    198
-#define SSL_R_PARSE_TLS_EXT                             317
+#define SSL_R_PARSE_TLSEXT                              227
 #define SSL_R_PATH_TOO_LONG                             270
 #define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE                 199
 #define SSL_R_PEER_ERROR                                200
@@ -1992,12 +2037,13 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO                216
 #define SSL_R_REUSE_CERT_TYPE_NOT_ZERO                  217
 #define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO                218
-#define SSL_R_SERVERHELLO_TLS_EXT                       318
+#define SSL_R_SERVERHELLO_TLSEXT                        275
 #define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED          277
 #define SSL_R_SHORT_READ                                219
 #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE     220
 #define SSL_R_SSL23_DOING_SESSION_ID_REUSE              221
 #define SSL_R_SSL2_CONNECTION_ID_TOO_LONG               299
+#define SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT            321
 #define SSL_R_SSL3_EXT_INVALID_SERVERNAME               319
 #define SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE          320
 #define SSL_R_SSL3_SESSION_ID_TOO_LONG                  300
@@ -2039,6 +2085,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_TLSV1_UNRECOGNIZED_NAME                   1112
 #define SSL_R_TLSV1_UNSUPPORTED_EXTENSION               1110
 #define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER      232
+#define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST            157
 #define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
 #define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG   234
 #define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER           235