author | Benny Prijono <bennylp@teluu.com> | 2006-12-25 06:43:59 +0000 |
---|---|---|
committer | Benny Prijono <bennylp@teluu.com> | 2006-12-25 06:43:59 +0000 |
commit | d6a9dded719756a7a873f1f9a6c1d201859b0ee6 (patch) | |
tree | 9db7148d26d53dedb2c91dc8bbb5da20c163faa0 /pjsip/include | |
parent | 94aaa0ce2af8bf9799752bb6cb6c9989d60bc612 (diff) |
Major TLS work (ticket #3): asynchronous socket, rather complete TLS options, and pjsua integration. The TLS support should work in both client and server mode.
git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@861 74dad513-b988-da41-8d7b-12977e46ad98
Diffstat (limited to 'pjsip/include')
-rw-r--r-- | pjsip/include/pjsip/sip_config.h | 28 | ||||
-rw-r--r-- | pjsip/include/pjsip/sip_errno.h | 70 | ||||
-rw-r--r-- | pjsip/include/pjsip/sip_transport_tcp.h | 9 | ||||
-rw-r--r-- | pjsip/include/pjsip/sip_transport_tls.h | 142 | ||||
-rw-r--r-- | pjsip/include/pjsua-lib/pjsua.h | 15 |
5 files changed, 237 insertions, 27 deletions
diff --git a/pjsip/include/pjsip/sip_config.h b/pjsip/include/pjsip/sip_config.h index a66dc37e..6b13ee0a 100644 --- a/pjsip/include/pjsip/sip_config.h +++ b/pjsip/include/pjsip/sip_config.h @@ -200,6 +200,18 @@ /** + * The TCP incoming connection backlog number to be set in accept(). + * + * Default: 5 + * + * @see PJSIP_TLS_TRANSPORT_BACKLOG + */ +#ifndef PJSIP_TCP_TRANSPORT_BACKLOG +# define PJSIP_TCP_TRANSPORT_BACKLOG 5 +#endif + + +/** * This macro specifies whether full DNS resolution should be used. * When enabled, #pjsip_resolve() will perform asynchronous DNS SRV and * A (or AAAA, when IPv6 is supported) resolution to resolve the SIP @@ -216,6 +228,8 @@ * it should also exclude dns.o and resolve.o from PJLIB-UTIL. * * Default: 1 (enabled) + * + * @see PJSIP_MAX_RESOLVED_ADDRESSES */ #ifndef PJSIP_HAS_RESOLVER # define PJSIP_HAS_RESOLVER 1 @@ -228,6 +242,8 @@ * 32 bytes of stack memory. * * Default: 8 + * + * @see PJSIP_HAS_RESOLVER */ #ifndef PJSIP_MAX_RESOLVED_ADDRESSES # define PJSIP_MAX_RESOLVED_ADDRESSES 8 @@ -245,6 +261,18 @@ #endif +/** + * The TLS pending incoming connection backlog number to be set in accept(). + * + * Default: 5 + * + * @see PJSIP_TCP_TRANSPORT_BACKLOG + */ +#ifndef PJSIP_TLS_TRANSPORT_BACKLOG +# define PJSIP_TLS_TRANSPORT_BACKLOG 5 +#endif + + /* Endpoint. */ #define PJSIP_MAX_TIMER_COUNT (2*PJSIP_MAX_TSX_COUNT + 2*PJSIP_MAX_DIALOG_COUNT) diff --git a/pjsip/include/pjsip/sip_errno.h b/pjsip/include/pjsip/sip_errno.h index 92ca57b6..03d21ec2 100644 --- a/pjsip/include/pjsip/sip_errno.h +++ b/pjsip/include/pjsip/sip_errno.h 
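Review bot: The new comment on PJSIP_TCP_TRANSPORT_BACKLOG says the backlog is "to be set in accept()", but a connection backlog is the second argument of listen(), not accept(); the same wording is repeated for PJSIP_TLS_TRANSPORT_BACKLOG in the last hunk of this file. Suggest `* The TCP incoming connection backlog number to be passed to listen().` and `* The TLS pending incoming connection backlog number to be passed to listen().` respectively. Since the TLS listener now accepts asynchronously, the comment should also warn that a queue of 5 pending connections is small for a server reachable from untrusted networks and that deployments expecting connection bursts should raise it at build time, e.g. `* Note: 5 is a low value for a public-facing listener; raise it via config_site.h if connection bursts are expected.`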
@@ -397,6 +397,76 @@ PJ_BEGIN_DECL #define PJSIP_ESESSIONSTATE (PJSIP_ERRNO_START_PJSIP+141) /* 171141 */ +/************************************************************ + * TLS TRANSPORT ERRORS + ***********************************************************/ +/** + * @hideinitializer + * Unknown TLS error + */ +#define PJSIP_TLS_EUNKNOWN (PJSIP_ERRNO_START_PJSIP+160) /* 171160 */ +/** + * @hideinitializer + * Invalid SSL protocol method. + */ +#define PJSIP_TLS_EINVMETHOD (PJSIP_ERRNO_START_PJSIP+161) /* 171161 */ +/** + * @hideinitializer + * Error loading/verifying SSL CA list file. + */ +#define PJSIP_TLS_ECACERT (PJSIP_ERRNO_START_PJSIP+162) /* 171162 */ +/** + * @hideinitializer + * Error loading SSL certificate chain file. + */ +#define PJSIP_TLS_ECERTFILE (PJSIP_ERRNO_START_PJSIP+163) /* 171163 */ +/** + * @hideinitializer + * Error adding private key from SSL certificate file. + */ +#define PJSIP_TLS_EKEYFILE (PJSIP_ERRNO_START_PJSIP+164) /* 171164 */ +/** + * @hideinitializer + * Error setting SSL cipher list. + */ +#define PJSIP_TLS_ECIPHER (PJSIP_ERRNO_START_PJSIP+165) /* 171165 */ +/** + * @hideinitializer + * Error creating SSL context. + */ +#define PJSIP_TLS_ECTX (PJSIP_ERRNO_START_PJSIP+166) /* 171166 */ +/** + * @hideinitializer + * Error creating SSL connection object. + */ +#define PJSIP_TLS_ESSLCONN (PJSIP_ERRNO_START_PJSIP+167) /* 171167 */ +/** + * @hideinitializer + * Unknown error when performing SSL connect(). + */ +#define PJSIP_TLS_ECONNECT (PJSIP_ERRNO_START_PJSIP+168) /* 171168 */ +/** + * @hideinitializer + * Unknown error when performing SSL accept(). 
+ */ +#define PJSIP_TLS_EACCEPT (PJSIP_ERRNO_START_PJSIP+169) /* 171169 */ +/** + * @hideinitializer + * Unknown error when sending SSL data + */ +#define PJSIP_TLS_ESEND (PJSIP_ERRNO_START_PJSIP+170) /* 171170 */ +/** + * @hideinitializer + * Unknown error when reading SSL data + */ +#define PJSIP_TLS_EREAD (PJSIP_ERRNO_START_PJSIP+171) /* 171171 */ +/** + * @hideinitializer + * SSL negotiation has exceeded the maximum configured timeout. + */ +#define PJSIP_TLS_ETIMEDOUT (PJSIP_ERRNO_START_PJSIP+172) /* 171172 */ + + PJ_END_DECL diff --git a/pjsip/include/pjsip/sip_transport_tcp.h b/pjsip/include/pjsip/sip_transport_tcp.h index db308d7d..09ab157f 100644 --- a/pjsip/include/pjsip/sip_transport_tcp.h +++ b/pjsip/include/pjsip/sip_transport_tcp.h @@ -38,15 +38,6 @@ PJ_BEGIN_DECL */ /** - * The TCP incoming connection backlog number. - * Default: 5 - */ -#ifndef PJSIP_TCP_TRANSPORT_BACKLOG -# define PJSIP_TCP_TRANSPORT_BACKLOG 5 -#endif - - -/** * Register support for SIP TCP transport by creating TCP listener on * the specified address and port. This function will create an * instance of SIP TCP transport factory and register it to the diff --git a/pjsip/include/pjsip/sip_transport_tls.h b/pjsip/include/pjsip/sip_transport_tls.h index bef81acf..adf7342c 100644 --- a/pjsip/include/pjsip/sip_transport_tls.h +++ b/pjsip/include/pjsip/sip_transport_tls.h @@ -25,6 +25,8 @@ */ #include <pjsip/sip_transport.h> +#include <pj/string.h> + PJ_BEGIN_DECL 
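Review bot: None of the thirteen new codes (PJSIP_TLS_EUNKNOWN through PJSIP_TLS_ETIMEDOUT) names a peer-certificate verification failure, so when verify_server or verify_client is enabled a rejected or untrusted certificate can presumably only surface as the generic PJSIP_TLS_ECONNECT or PJSIP_TLS_EACCEPT, which callers cannot tell apart from an ordinary handshake or network failure. A dedicated code, e.g. `#define PJSIP_TLS_ECERTVERIFY (PJSIP_ERRNO_START_PJSIP+173) /* 171173 */` documented as "Peer certificate verification failed", would let applications log and alert on certificate problems separately from connectivity problems. The comments on ECONNECT, EACCEPT, ESEND and EREAD all begin "Unknown error when ..."; if these are the catch-all for backend errors that have no PJSIP mapping, saying so (`Unmapped backend error while performing SSL connect().`) makes the intent clearer than "unknown".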
@@ -37,6 +39,138 @@ PJ_BEGIN_DECL * the transport to the framework. */ +/** SSL protocol method constants. */ +typedef enum pjsip_ssl_method +{ + PJSIP_SSL_DEFAULT_METHOD = 0, /**< Default protocol method. */ + PJSIP_TLSV1_METHOD = 1, /**< Use SSLv1 method. */ + PJSIP_SSLV2_METHOD = 2, /**< Use SSLv2 method. */ + PJSIP_SSLV3_METHOD = 3, /**< Use SSLv3 method. */ + PJSIP_SSLV23_METHOD = 23 /**< Use SSLv23 method. */ +} pjsip_ssl_method; + + +/** + * TLS transport settings. + */ +typedef struct pjsip_tls_setting +{ + /** + * Certificate of Authority (CA) list file. + */ + pj_str_t ca_list_file; + + /** + * Public endpoint certificate file, which will be used as client- + * side certificate for outgoing TLS connection, and server-side + * certificate for incoming TLS connection. + */ + pj_str_t cert_file; + + /** + * Optional private key of the endpoint certificate to be used. + */ + pj_str_t privkey_file; + + /** + * Password to open private key. + */ + pj_str_t password; + + /** + * TLS protocol method from #pjsip_ssl_method, which can be: + * - PJSIP_SSL_DEFAULT_METHOD(0): default (which will use SSLv23) + * - PJSIP_TLSV1_METHOD(1): TLSv1 + * - PJSIP_SSLV2_METHOD(2): TLSv2 + * - PJSIP_SSLV3_METHOD(3): TLSv3 + * - PJSIP_SSLV23_METHOD(23): TLSv23 + * + * Default is PJSIP_SSL_DEFAULT_METHOD (0), which will use SSLv23 + * protocol method. + */ + int method; + + /** + * TLS cipher list string in OpenSSL format. If empty, then default + * cipher list of the backend will be used. + */ + pj_str_t ciphers; + + /** + * When PJSIP is acting as a client (outgoing TLS connections), + * it will always receive a certificate from the peer. + * If \a verify_server is disabled (set to zero), PJSIP will not + * verifiy the certificate and allows TLS connections to servers + * which do not present a valid certificate. + * If \a tls_verify_server is non-zero, PJSIP verifies the server + * certificate and will close the TLS connection if the server + * certificate is not valid. 
+ * + * This setting corresponds to OpenSSL SSL_VERIFY_PEER flag. + * Default value is zero. + */ + pj_bool_t verify_server; + + /** + * When acting as server (incoming TLS connections), setting + * \a verify_client to non-zero will cause the transport to activate + * peer verification upon receiving incoming TLS connection. + * + * This setting corresponds to OpenSSL SSL_VERIFY_PEER flag. + * Default value is zero. + */ + pj_bool_t verify_client; + + /** + * When acting as server (incoming TLS connections), reject inocming + * connection if client doesn't have a valid certificate. + * + * This setting corresponds to SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag. + * Default value is zero. + */ + pj_bool_t require_client_cert; + + /** + * TLS negotiation timeout to be applied for both outgoing and + * incoming connection. If both sec and msec member is set to zero, + * the SSL negotiation doesn't have a timeout. + */ + pj_time_val timeout; + +} pjsip_tls_setting; + + +/** + * Initialize TLS setting with default values. + * + * @param tls_opt The TLS setting to be initialized. + */ +PJ_INLINE(void) pjsip_tls_setting_default(pjsip_tls_setting *tls_opt) +{ + pj_memset(tls_opt, 0, sizeof(*tls_opt)); +} + + +/** + * Copy TLS setting. + * + * @param pool The pool to duplicate strings etc. + * @param dst Destination structure. + * @param src Source structure. + */ +PJ_INLINE(void) pjsip_tls_setting_copy(pj_pool_t *pool, + pjsip_tls_setting *dst, + const pjsip_tls_setting *src) +{ + pj_memcpy(dst, src, sizeof(*dst)); + pj_strdup_with_null(pool, &dst->ca_list_file, &src->ca_list_file); + pj_strdup_with_null(pool, &dst->cert_file, &src->cert_file); + pj_strdup_with_null(pool, &dst->privkey_file, &src->privkey_file); + pj_strdup_with_null(pool, &dst->password, &src->password); + pj_strdup_with_null(pool, &dst->ciphers, &src->ciphers); +} + + /** * Register support for SIP TLS transport by creating TLS listener on * the specified address and port. This function will create an 
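Review bot: Because pjsip_tls_setting_default() zeroes the structure, verify_server defaults to 0, so an outgoing TLS connection accepts whatever certificate the peer presents and the transport gives encryption without server authentication; the field comment should state this plainly, e.g. `* SECURITY: with the default of zero the server certificate is NOT checked and the connection is exposed to man-in-the-middle attacks; set to PJ_TRUE and supply ca_list_file for production use.` The protocol labels are also wrong in two places: `PJSIP_TLSV1_METHOD = 1, /**< Use SSLv1 method. */` should read `Use TLSv1 method.`, and the list in the method field comment describes 2, 3 and 23 as "TLSv2", "TLSv3" and "TLSv23" where the constants are SSLv2, SSLv3 and SSLv23 (the SSLv23 default can negotiate down to SSLv2 unless the backend disables it, which is worth noting next to "Default is PJSIP_SSL_DEFAULT_METHOD"). require_client_cert is documented as SSL_VERIFY_FAIL_IF_NO_PEER_CERT, which in OpenSSL only takes effect together with SSL_VERIFY_PEER, so the comment should say it requires verify_client to be non-zero. pjsip_tls_setting_copy() duplicates `password` into the pool, so the private-key passphrase lives in plain pool memory for the pool's lifetime; a short note on the password field would let integrators decide whether that is acceptable. Minor typos: `verifiy`, `inocming`, and `\a tls_verify_server` should be `\a verify_server`.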
@@ -44,9 +178,7 @@ PJ_BEGIN_DECL * transport manager. * * @param endpt The SIP endpoint. - * @param keyfile Path to keys and certificate file. - * @param password Password to open the private key. - * @param ca_list_file Path to Certificate of Authority file. + * @param opt Optional TLS settings. * @param local Optional local address to bind, or specify the * address to bind the server socket to. Both IP * interface address and port fields are optional. @@ -71,9 +203,7 @@ PJ_BEGIN_DECL * the appropriate error code. */ PJ_DECL(pj_status_t) pjsip_tls_transport_start(pjsip_endpoint *endpt, - const pj_str_t *keyfile, - const pj_str_t *password, - const pj_str_t *ca_list_file, + const pjsip_tls_setting *opt, const pj_sockaddr_in *local, const pjsip_host_port *a_name, unsigned async_cnt, diff --git a/pjsip/include/pjsua-lib/pjsua.h b/pjsip/include/pjsua-lib/pjsua.h index a964c49f..eda850a5 100644 --- a/pjsip/include/pjsua-lib/pjsua.h +++ b/pjsip/include/pjsua-lib/pjsua.h @@ -841,19 +841,9 @@ typedef struct pjsua_transport_config pjsua_stun_config stun_config; /** - * TLS root CA file path (only used for TLS transport). + * TLS settings. */ - pj_str_t tls_ca_file; - - /** - * TLS client key path (only used for TLS transport). - */ - pj_str_t tls_key_file; - - /** - * TLS password (only used for TLS transport). - */ - pj_str_t tls_password; + pjsip_tls_setting tls_setting; } pjsua_transport_config; @@ -866,6 +856,7 @@ typedef struct pjsua_transport_config PJ_INLINE(void) pjsua_transport_config_default(pjsua_transport_config *cfg) { pj_bzero(cfg, sizeof(*cfg)); + pjsip_tls_setting_default(&cfg->tls_setting); } |
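Review bot: `@param opt Optional TLS settings.` leaves open what a NULL opt means; since the defaults are all-zero, passing NULL presumably yields no server or client certificate verification, the SSLv23 method and no handshake timeout, and callers need to know that before relying on it. Suggest `@param opt TLS settings; NULL selects pjsip_tls_setting_default() values, which perform no certificate verification.` The same ambiguity applies to the changed prototype in the next hunk, where the parameter is only named. In pjsua.h, pjsua_transport_config_default() calls pjsip_tls_setting_default() right after pj_bzero() has already zeroed the whole config — harmless today, but a one-line comment such as `/* explicit TLS defaults, in case they stop being all-zero */` would explain the apparent redundancy.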