authorBenny Prijono <bennylp@teluu.com>2006-12-25 06:43:59 +0000
committerBenny Prijono <bennylp@teluu.com>2006-12-25 06:43:59 +0000
commitd6a9dded719756a7a873f1f9a6c1d201859b0ee6 (patch)
tree9db7148d26d53dedb2c91dc8bbb5da20c163faa0 /pjsip/include
parent94aaa0ce2af8bf9799752bb6cb6c9989d60bc612 (diff)
Major TLS work (ticket #3): asynchronous socket, rather complete TLS options, and pjsua integration. The TLS support should work in both client and server mode.
git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@861 74dad513-b988-da41-8d7b-12977e46ad98
Diffstat (limited to 'pjsip/include')
-rw-r--r--pjsip/include/pjsip/sip_config.h28
-rw-r--r--pjsip/include/pjsip/sip_errno.h70
-rw-r--r--pjsip/include/pjsip/sip_transport_tcp.h9
-rw-r--r--pjsip/include/pjsip/sip_transport_tls.h142
-rw-r--r--pjsip/include/pjsua-lib/pjsua.h15
5 files changed, 237 insertions, 27 deletions
diff --git a/pjsip/include/pjsip/sip_config.h b/pjsip/include/pjsip/sip_config.h
index a66dc37e..6b13ee0a 100644
--- a/pjsip/include/pjsip/sip_config.h
+++ b/pjsip/include/pjsip/sip_config.h
@@ -200,6 +200,18 @@
/**
+ * The TCP incoming connection backlog number to be set in accept().
+ *
+ * Default: 5
+ *
+ * @see PJSIP_TLS_TRANSPORT_BACKLOG
+ */
+#ifndef PJSIP_TCP_TRANSPORT_BACKLOG
+# define PJSIP_TCP_TRANSPORT_BACKLOG 5
+#endif
+
+
+/**
* This macro specifies whether full DNS resolution should be used.
* When enabled, #pjsip_resolve() will perform asynchronous DNS SRV and
* A (or AAAA, when IPv6 is supported) resolution to resolve the SIP
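Review bot: The new comment at the top of this hunk says the backlog is "to be set in accept()", but a connection backlog is the argument of listen(), not accept(); the `PJSIP_TLS_TRANSPORT_BACKLOG` comment added in the last hunk of this file repeats the same wording. Suggest `* The TCP incoming connection backlog number to be passed to listen().` here and the matching change for the TLS macro. It would also help operators to say what the value bounds: the queue of completed connections not yet accepted by the transport, so it only absorbs bursts of incoming connections rather than raising any concurrency limit.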
@@ -216,6 +228,8 @@
* it should also exclude dns.o and resolve.o from PJLIB-UTIL.
*
* Default: 1 (enabled)
+ *
+ * @see PJSIP_MAX_RESOLVED_ADDRESSES
*/
#ifndef PJSIP_HAS_RESOLVER
# define PJSIP_HAS_RESOLVER 1
@@ -228,6 +242,8 @@
* 32 bytes of stack memory.
*
* Default: 8
+ *
+ * @see PJSIP_HAS_RESOLVER
*/
#ifndef PJSIP_MAX_RESOLVED_ADDRESSES
# define PJSIP_MAX_RESOLVED_ADDRESSES 8
@@ -245,6 +261,18 @@
#endif
+/**
+ * The TLS pending incoming connection backlog number to be set in accept().
+ *
+ * Default: 5
+ *
+ * @see PJSIP_TCP_TRANSPORT_BACKLOG
+ */
+#ifndef PJSIP_TLS_TRANSPORT_BACKLOG
+# define PJSIP_TLS_TRANSPORT_BACKLOG 5
+#endif
+
+
/* Endpoint. */
#define PJSIP_MAX_TIMER_COUNT (2*PJSIP_MAX_TSX_COUNT + 2*PJSIP_MAX_DIALOG_COUNT)
diff --git a/pjsip/include/pjsip/sip_errno.h b/pjsip/include/pjsip/sip_errno.h
index 92ca57b6..03d21ec2 100644
--- a/pjsip/include/pjsip/sip_errno.h
+++ b/pjsip/include/pjsip/sip_errno.h
@@ -397,6 +397,76 @@ PJ_BEGIN_DECL
#define PJSIP_ESESSIONSTATE (PJSIP_ERRNO_START_PJSIP+141) /* 171141 */
+/************************************************************
+ * TLS TRANSPORT ERRORS
+ ***********************************************************/
+/**
+ * @hideinitializer
+ * Unknown TLS error
+ */
+#define PJSIP_TLS_EUNKNOWN (PJSIP_ERRNO_START_PJSIP+160) /* 171160 */
+/**
+ * @hideinitializer
+ * Invalid SSL protocol method.
+ */
+#define PJSIP_TLS_EINVMETHOD (PJSIP_ERRNO_START_PJSIP+161) /* 171161 */
+/**
+ * @hideinitializer
+ * Error loading/verifying SSL CA list file.
+ */
+#define PJSIP_TLS_ECACERT (PJSIP_ERRNO_START_PJSIP+162) /* 171162 */
+/**
+ * @hideinitializer
+ * Error loading SSL certificate chain file.
+ */
+#define PJSIP_TLS_ECERTFILE (PJSIP_ERRNO_START_PJSIP+163) /* 171163 */
+/**
+ * @hideinitializer
+ * Error adding private key from SSL certificate file.
+ */
+#define PJSIP_TLS_EKEYFILE (PJSIP_ERRNO_START_PJSIP+164) /* 171164 */
+/**
+ * @hideinitializer
+ * Error setting SSL cipher list.
+ */
+#define PJSIP_TLS_ECIPHER (PJSIP_ERRNO_START_PJSIP+165) /* 171165 */
+/**
+ * @hideinitializer
+ * Error creating SSL context.
+ */
+#define PJSIP_TLS_ECTX (PJSIP_ERRNO_START_PJSIP+166) /* 171166 */
+/**
+ * @hideinitializer
+ * Error creating SSL connection object.
+ */
+#define PJSIP_TLS_ESSLCONN (PJSIP_ERRNO_START_PJSIP+167) /* 171167 */
+/**
+ * @hideinitializer
+ * Unknown error when performing SSL connect().
+ */
+#define PJSIP_TLS_ECONNECT (PJSIP_ERRNO_START_PJSIP+168) /* 171168 */
+/**
+ * @hideinitializer
+ * Unknown error when performing SSL accept().
+ */
+#define PJSIP_TLS_EACCEPT (PJSIP_ERRNO_START_PJSIP+169) /* 171169 */
+/**
+ * @hideinitializer
+ * Unknown error when sending SSL data
+ */
+#define PJSIP_TLS_ESEND (PJSIP_ERRNO_START_PJSIP+170) /* 171170 */
+/**
+ * @hideinitializer
+ * Unknown error when reading SSL data
+ */
+#define PJSIP_TLS_EREAD (PJSIP_ERRNO_START_PJSIP+171) /* 171171 */
+/**
+ * @hideinitializer
+ * SSL negotiation has exceeded the maximum configured timeout.
+ */
+#define PJSIP_TLS_ETIMEDOUT (PJSIP_ERRNO_START_PJSIP+172) /* 171172 */
+
+
PJ_END_DECL
diff --git a/pjsip/include/pjsip/sip_transport_tcp.h b/pjsip/include/pjsip/sip_transport_tcp.h
index db308d7d..09ab157f 100644
--- a/pjsip/include/pjsip/sip_transport_tcp.h
+++ b/pjsip/include/pjsip/sip_transport_tcp.h
@@ -38,15 +38,6 @@ PJ_BEGIN_DECL
*/
/**
- * The TCP incoming connection backlog number.
- * Default: 5
- */
-#ifndef PJSIP_TCP_TRANSPORT_BACKLOG
-# define PJSIP_TCP_TRANSPORT_BACKLOG 5
-#endif
-
-
-/**
* Register support for SIP TCP transport by creating TCP listener on
* the specified address and port. This function will create an
* instance of SIP TCP transport factory and register it to the
diff --git a/pjsip/include/pjsip/sip_transport_tls.h b/pjsip/include/pjsip/sip_transport_tls.h
index bef81acf..adf7342c 100644
--- a/pjsip/include/pjsip/sip_transport_tls.h
+++ b/pjsip/include/pjsip/sip_transport_tls.h
@@ -25,6 +25,8 @@
*/
#include <pjsip/sip_transport.h>
+#include <pj/string.h>
+
PJ_BEGIN_DECL
@@ -37,6 +39,138 @@ PJ_BEGIN_DECL
* the transport to the framework.
*/
+/** SSL protocol method constants. */
+typedef enum pjsip_ssl_method
+{
+ PJSIP_SSL_DEFAULT_METHOD = 0, /**< Default protocol method. */
+ PJSIP_TLSV1_METHOD = 1, /**< Use SSLv1 method. */
+ PJSIP_SSLV2_METHOD = 2, /**< Use SSLv2 method. */
+ PJSIP_SSLV3_METHOD = 3, /**< Use SSLv3 method. */
+ PJSIP_SSLV23_METHOD = 23 /**< Use SSLv23 method. */
+} pjsip_ssl_method;
+
+
+/**
+ * TLS transport settings.
+ */
+typedef struct pjsip_tls_setting
+{
+ /**
+ * Certificate of Authority (CA) list file.
+ */
+ pj_str_t ca_list_file;
+
+ /**
+ * Public endpoint certificate file, which will be used as client-
+ * side certificate for outgoing TLS connection, and server-side
+ * certificate for incoming TLS connection.
+ */
+ pj_str_t cert_file;
+
+ /**
+ * Optional private key of the endpoint certificate to be used.
+ */
+ pj_str_t privkey_file;
+
+ /**
+ * Password to open private key.
+ */
+ pj_str_t password;
+
+ /**
+ * TLS protocol method from #pjsip_ssl_method, which can be:
+ * - PJSIP_SSL_DEFAULT_METHOD(0): default (which will use SSLv23)
+ * - PJSIP_TLSV1_METHOD(1): TLSv1
+ * - PJSIP_SSLV2_METHOD(2): TLSv2
+ * - PJSIP_SSLV3_METHOD(3): TLSv3
+ * - PJSIP_SSLV23_METHOD(23): TLSv23
+ *
+ * Default is PJSIP_SSL_DEFAULT_METHOD (0), which will use SSLv23
+ * protocol method.
+ */
+ int method;
+
+ /**
+ * TLS cipher list string in OpenSSL format. If empty, then default
+ * cipher list of the backend will be used.
+ */
+ pj_str_t ciphers;
+
+ /**
+ * When PJSIP is acting as a client (outgoing TLS connections),
+ * it will always receive a certificate from the peer.
+ * If \a verify_server is disabled (set to zero), PJSIP will not
+ * verifiy the certificate and allows TLS connections to servers
+ * which do not present a valid certificate.
+ * If \a tls_verify_server is non-zero, PJSIP verifies the server
+ * certificate and will close the TLS connection if the server
+ * certificate is not valid.
+ *
+ * This setting corresponds to OpenSSL SSL_VERIFY_PEER flag.
+ * Default value is zero.
+ */
+ pj_bool_t verify_server;
+
+ /**
+ * When acting as server (incoming TLS connections), setting
+ * \a verify_client to non-zero will cause the transport to activate
+ * peer verification upon receiving incoming TLS connection.
+ *
+ * This setting corresponds to OpenSSL SSL_VERIFY_PEER flag.
+ * Default value is zero.
+ */
+ pj_bool_t verify_client;
+
+ /**
+ * When acting as server (incoming TLS connections), reject inocming
+ * connection if client doesn't have a valid certificate.
+ *
+ * This setting corresponds to SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag.
+ * Default value is zero.
+ */
+ pj_bool_t require_client_cert;
+
+ /**
+ * TLS negotiation timeout to be applied for both outgoing and
+ * incoming connection. If both sec and msec member is set to zero,
+ * the SSL negotiation doesn't have a timeout.
+ */
+ pj_time_val timeout;
+
+} pjsip_tls_setting;
+
+
+/**
+ * Initialize TLS setting with default values.
+ *
+ * @param tls_opt The TLS setting to be initialized.
+ */
+PJ_INLINE(void) pjsip_tls_setting_default(pjsip_tls_setting *tls_opt)
+{
+ pj_memset(tls_opt, 0, sizeof(*tls_opt));
+}
+
+
+/**
+ * Copy TLS setting.
+ *
+ * @param pool The pool to duplicate strings etc.
+ * @param dst Destination structure.
+ * @param src Source structure.
+ */
+PJ_INLINE(void) pjsip_tls_setting_copy(pj_pool_t *pool,
+ pjsip_tls_setting *dst,
+ const pjsip_tls_setting *src)
+{
+ pj_memcpy(dst, src, sizeof(*dst));
+ pj_strdup_with_null(pool, &dst->ca_list_file, &src->ca_list_file);
+ pj_strdup_with_null(pool, &dst->cert_file, &src->cert_file);
+ pj_strdup_with_null(pool, &dst->privkey_file, &src->privkey_file);
+ pj_strdup_with_null(pool, &dst->password, &src->password);
+ pj_strdup_with_null(pool, &dst->ciphers, &src->ciphers);
+}
+
+
/**
* Register support for SIP TLS transport by creating TLS listener on
* the specified address and port. This function will create an
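Review bot: The documentation of `method` and the enum comments above it mislabel the protocol constants: `PJSIP_TLSV1_METHOD` is described as "Use SSLv1 method", and `PJSIP_SSLV2_METHOD`, `PJSIP_SSLV3_METHOD` and `PJSIP_SSLV23_METHOD` are listed as TLSv2, TLSv3 and TLSv23, none of which exist; they should read SSLv2, SSLv3 and SSLv23 (the last negotiating the highest version both sides support, which is presumably why it is the default). Offering `PJSIP_SSLV2_METHOD` at all deserves a caveat given SSLv2's known weaknesses; at minimum its enum comment should mark it as legacy/insecure. The `verify_server` comment switches between `\a verify_server` and `\a tls_verify_server`, and since the default is zero it should state the consequence plainly: `* Default value is zero, i.e. the server certificate is NOT verified and the connection is encrypted but not authenticated; set this to non-zero in production.` Typos in the same block: "verifiy" and "inocming".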
@@ -44,9 +178,7 @@ PJ_BEGIN_DECL
* transport manager.
*
* @param endpt The SIP endpoint.
- * @param keyfile Path to keys and certificate file.
- * @param password Password to open the private key.
- * @param ca_list_file Path to Certificate of Authority file.
+ * @param opt Optional TLS settings.
* @param local Optional local address to bind, or specify the
* address to bind the server socket to. Both IP
* interface address and port fields are optional.
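Review bot: `@param opt Optional TLS settings.` leaves undefined what a NULL `opt` means and whether the structure is copied or must outlive the listener; since `pjsip_tls_setting_copy()` is introduced in the same header the caller presumably need not keep it alive, but the doc should say so. Suggest `* @param opt Optional TLS settings. If NULL, the defaults from pjsip_tls_setting_default() are used; the structure is copied and need not outlive this call.` — confirm both statements against the implementation before committing to them. This doc comment begins before the hunk, and the declaration it describes is in the next hunk and continues past it.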
@@ -71,9 +203,7 @@ PJ_BEGIN_DECL
* the appropriate error code.
*/
PJ_DECL(pj_status_t) pjsip_tls_transport_start(pjsip_endpoint *endpt,
- const pj_str_t *keyfile,
- const pj_str_t *password,
- const pj_str_t *ca_list_file,
+ const pjsip_tls_setting *opt,
const pj_sockaddr_in *local,
const pjsip_host_port *a_name,
unsigned async_cnt,
diff --git a/pjsip/include/pjsua-lib/pjsua.h b/pjsip/include/pjsua-lib/pjsua.h
index a964c49f..eda850a5 100644
--- a/pjsip/include/pjsua-lib/pjsua.h
+++ b/pjsip/include/pjsua-lib/pjsua.h
@@ -841,19 +841,9 @@ typedef struct pjsua_transport_config
pjsua_stun_config stun_config;
/**
- * TLS root CA file path (only used for TLS transport).
+ * TLS settings.
*/
- pj_str_t tls_ca_file;
-
- /**
- * TLS client key path (only used for TLS transport).
- */
- pj_str_t tls_key_file;
-
- /**
- * TLS password (only used for TLS transport).
- */
- pj_str_t tls_password;
+ pjsip_tls_setting tls_setting;
} pjsua_transport_config;
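Review bot: The replacement comment `* TLS settings.` drops the qualification the three removed fields carried, that the value is only consulted for the TLS transport; keep it so readers of `pjsua_transport_config` know the field is ignored for UDP/TCP: `* TLS settings (only used for TLS transport).` The struct definition starts before this hunk.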
@@ -866,6 +856,7 @@ typedef struct pjsua_transport_config
PJ_INLINE(void) pjsua_transport_config_default(pjsua_transport_config *cfg)
{
pj_bzero(cfg, sizeof(*cfg));
+ pjsip_tls_setting_default(&cfg->tls_setting);
}