Changeset 2950 for pjproject

Timestamp:

Oct 16, 2009 3:06:13 AM (15 years ago)

Author:

nanang

Message:

Ticket #957:

• Added SSL socket abstraction with OpenSSL backend.
• Updated cipher data type and added cipher constants (Symbian SSL socket has also been updated).
• Updated SIP TLS transport to allow setting certificate/credential (via file).

Location:

pjproject/trunk

Files:

• pjlib/include/pj/ssl_sock.h (modified) (5 diffs)
• pjlib/src/pj/ssl_sock_common.c (modified) (3 diffs)
• pjlib/src/pj/ssl_sock_ossl.c (added)
• pjlib/src/pj/ssl_sock_symbian.cpp (modified) (6 diffs)
• pjsip/src/pjsip/sip_transport_tls.c (modified) (10 diffs)

pjproject/trunk/pjlib/include/pj/ssl_sock.h

@@ -46 +46 @@
  */
 
-/**
- * Opaque declaration of certificate or endpoint credentials. This may contains
- * certificate, private key, and trusted Certificate Authorities lists.
+
+ /**
+ * This opaque structure describes the secure socket.
+ */
+typedef struct pj_ssl_sock_t pj_ssl_sock_t;
+
+
+/**
+ * Opaque declaration of endpoint certificate or credentials. This may contains
+ * certificate, private key, and trusted Certificate Authorities list.
  */
 typedef struct pj_ssl_cert_t pj_ssl_cert_t;
 
-/**
- * This opaque structure describes the secure socket.
- */
-typedef struct pj_ssl_sock_t pj_ssl_sock_t;
+
+/**
+ * Create credential from files.
+ *
+ * @param CA_file       The file of trusted CA list.
+ * @param cert_file     The file of certificate.
+ * @param privkey_file  The file of private key.
+ * @param privkey_pass  The password of private key, if any.
+ *
+ * @return              PJ_SUCCESS when successful.
+ */
+PJ_DECL(pj_status_t) pj_ssl_cert_load_from_files(pj_pool_t *pool,
+                                                 const pj_str_t *CA_file,
+                                                 const pj_str_t *cert_file,
+                                                 const pj_str_t *privkey_file,
+                                                 const pj_str_t *privkey_pass,
+                                                 pj_ssl_cert_t **p_cert);
+
+
+/** 
+ * Cipher suites enumeration.
+ */
+typedef enum pj_ssl_cipher {
+
+    /* NULL */
+    TLS_NULL_WITH_NULL_NULL               = 0x00000000,
+
+    /* TLS/SSLv3 */
+    TLS_RSA_WITH_NULL_MD5                 = 0x00000001,
+    TLS_RSA_WITH_NULL_SHA                 = 0x00000002,
+    TLS_RSA_WITH_NULL_SHA256              = 0x0000003B,
+    TLS_RSA_WITH_RC4_128_MD5              = 0x00000004,
+    TLS_RSA_WITH_RC4_128_SHA              = 0x00000005,
+    TLS_RSA_WITH_3DES_EDE_CBC_SHA         = 0x0000000A,
+    TLS_RSA_WITH_AES_128_CBC_SHA          = 0x0000002F,
+    TLS_RSA_WITH_AES_256_CBC_SHA          = 0x00000035,
+    TLS_RSA_WITH_AES_128_CBC_SHA256       = 0x0000003C,
+    TLS_RSA_WITH_AES_256_CBC_SHA256       = 0x0000003D,
+    TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA      = 0x0000000D,
+    TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA      = 0x00000010,
+    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA     = 0x00000013,
+    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA     = 0x00000016,
+    TLS_DH_DSS_WITH_AES_128_CBC_SHA       = 0x00000030,
+    TLS_DH_RSA_WITH_AES_128_CBC_SHA       = 0x00000031,
+    TLS_DHE_DSS_WITH_AES_128_CBC_SHA      = 0x00000032,
+    TLS_DHE_RSA_WITH_AES_128_CBC_SHA      = 0x00000033,
+    TLS_DH_DSS_WITH_AES_256_CBC_SHA       = 0x00000036,
+    TLS_DH_RSA_WITH_AES_256_CBC_SHA       = 0x00000037,
+    TLS_DHE_DSS_WITH_AES_256_CBC_SHA      = 0x00000038,
+    TLS_DHE_RSA_WITH_AES_256_CBC_SHA      = 0x00000039,
+    TLS_DH_DSS_WITH_AES_128_CBC_SHA256    = 0x0000003E,
+    TLS_DH_RSA_WITH_AES_128_CBC_SHA256    = 0x0000003F,
+    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256   = 0x00000040,
+    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256   = 0x00000067,
+    TLS_DH_DSS_WITH_AES_256_CBC_SHA256    = 0x00000068,
+    TLS_DH_RSA_WITH_AES_256_CBC_SHA256    = 0x00000069,
+    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256   = 0x0000006A,
+    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256   = 0x0000006B,
+    TLS_DH_anon_WITH_RC4_128_MD5          = 0x00000018,
+    TLS_DH_anon_WITH_3DES_EDE_CBC_SHA     = 0x0000001B,
+    TLS_DH_anon_WITH_AES_128_CBC_SHA      = 0x00000034,
+    TLS_DH_anon_WITH_AES_256_CBC_SHA      = 0x0000003A,
+    TLS_DH_anon_WITH_AES_128_CBC_SHA256   = 0x0000006C,
+    TLS_DH_anon_WITH_AES_256_CBC_SHA256   = 0x0000006D,
+
+    /* TLS (deprecated) */
+    TLS_RSA_EXPORT_WITH_RC4_40_MD5        = 0x00000003,
+    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5    = 0x00000006,
+    TLS_RSA_WITH_IDEA_CBC_SHA             = 0x00000007,
+    TLS_RSA_EXPORT_WITH_DES40_CBC_SHA     = 0x00000008,
+    TLS_RSA_WITH_DES_CBC_SHA              = 0x00000009,
+    TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA  = 0x0000000B,
+    TLS_DH_DSS_WITH_DES_CBC_SHA           = 0x0000000C,
+    TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA  = 0x0000000E,
+    TLS_DH_RSA_WITH_DES_CBC_SHA           = 0x0000000F,
+    TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x00000011,
+    TLS_DHE_DSS_WITH_DES_CBC_SHA          = 0x00000012,
+    TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x00000014,
+    TLS_DHE_RSA_WITH_DES_CBC_SHA          = 0x00000015,
+    TLS_DH_anon_EXPORT_WITH_RC4_40_MD5    = 0x00000017,
+    TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0x00000019,
+    TLS_DH_anon_WITH_DES_CBC_SHA          = 0x0000001A,
+
+    /* SSLv3 */
+    SSL_FORTEZZA_KEA_WITH_NULL_SHA        = 0x0000001C,
+    SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA= 0x0000001D,
+    SSL_FORTEZZA_KEA_WITH_RC4_128_SHA     = 0x0000001E,
+    
+    /* SSLv2 */
+    SSL_CK_RC4_128_WITH_MD5               = 0x00010080,
+    SSL_CK_RC4_128_EXPORT40_WITH_MD5      = 0x00020080,
+    SSL_CK_RC2_128_CBC_WITH_MD5           = 0x00030080,
+    SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5  = 0x00040080,
+    SSL_CK_IDEA_128_CBC_WITH_MD5          = 0x00050080,
+    SSL_CK_DES_64_CBC_WITH_MD5            = 0x00060040,
+    SSL_CK_DES_192_EDE3_CBC_WITH_MD5      = 0x000700C0
+
+} pj_ssl_cipher;
+
+
+/**
+ * Get cipher list supported by SSL/TLS backend.
+ *
+ * @param ciphers       The ciphers buffer to receive cipher list.
+ * @param cipher_num    Maximum number of ciphers to be received.
+ *
+ * @return              PJ_SUCCESS when successful.
+ */
+PJ_DECL(pj_status_t) pj_ssl_cipher_get_availables(pj_ssl_cipher ciphers[],
+                                                  unsigned *cipher_num);
+
+
+/**
+ * Get cipher name string.
+ *
+ * @param cipher        The cipher.
+ *
+ * @return              The cipher name or NULL if cipher is not recognized.
+ */
+PJ_DECL(const char*) pj_ssl_cipher_name(pj_ssl_cipher cipher);
+
 
 /**
@@ -181 +305 @@
     PJ_SSL_SOCK_PROTO_DEFAULT,      /**< Default protocol of backend.   */
     PJ_SSL_SOCK_PROTO_TLS1,         /**< TLSv1.0 protocol.              */
-    PJ_SSL_SOCK_PROTO_SSL2,         /**< SSLv2.0 protocol.              */
     PJ_SSL_SOCK_PROTO_SSL3,         /**< SSLv3.0 protocol.              */
     PJ_SSL_SOCK_PROTO_SSL23,        /**< SSLv3.0 but can roll back to 
                                          SSLv2.0.                       */
+    PJ_SSL_SOCK_PROTO_SSL2,         /**< SSLv2.0 protocol.              */
     PJ_SSL_SOCK_PROTO_DTLS1         /**< DTLSv1.0 protocol.             */
 } pj_ssl_sock_proto;
@@ -204 +328 @@
     pj_ssl_sock_proto proto;
     /**
-     * Describes cipher suite being used, this can be known only when 
-     * connection is established.
-     */
-    pj_str_t cipher;
+     * Describes cipher suite being used, this will only be set when connection
+     * is established.
+     */
+    pj_ssl_cipher cipher;
     /**
      * Describes local address.
@@ -218 +342 @@
    
 } pj_ssl_sock_info;
+
 
 /**
@@ -317 +442 @@
 
     /**
-     * Cipher list string. If empty, then default cipher list of the backend 
+     * Specify buffer size for receiving encrypted (and perhaps compressed)
+     * data on underlying socket. This setting is unused on Symbian, since 
+     * SSL/TLS Symbian backend, CSecureSocket, can use application buffer 
+     * directly.
+     *
+     * Default value is 1500.
+     */
+    pj_size_t read_buffer_size;
+
+    /**
+     * Number of ciphers contained in the specified cipher preference. 
+     * If this is set to zero, then default cipher list of the backend 
      * will be used.
      */
-    pj_str_t ciphers;
+    unsigned ciphers_num;
+
+    /**
+     * Ciphers and order preference. If empty, then default cipher list and
+     * its default order of the backend will be used.
+     */
+    pj_ssl_cipher *ciphers;
 
     /**

pjproject/trunk/pjlib/src/pj/ssl_sock_common.c

@@ -18 +18 @@
  */
 #include <pj/ssl_sock.h>
+#include <pj/errno.h>
 #include <pj/string.h>
+
+/* Cipher name structure */
+typedef struct cipher_name_t {
+    pj_ssl_cipher    cipher;
+    const char      *name;
+} cipher_name_t;
+
+/* Cipher name constants */
+static cipher_name_t cipher_names[] =
+{
+    {TLS_NULL_WITH_NULL_NULL,               "NULL"},
+
+    /* TLS/SSLv3 */
+    {TLS_RSA_WITH_NULL_MD5,                 "TLS_RSA_WITH_NULL_MD5"},
+    {TLS_RSA_WITH_NULL_SHA,                 "TLS_RSA_WITH_NULL_SHA"},
+    {TLS_RSA_WITH_NULL_SHA256,              "TLS_RSA_WITH_NULL_SHA256"},
+    {TLS_RSA_WITH_RC4_128_MD5,              "TLS_RSA_WITH_RC4_128_MD5"},
+    {TLS_RSA_WITH_RC4_128_SHA,              "TLS_RSA_WITH_RC4_128_SHA"},
+    {TLS_RSA_WITH_3DES_EDE_CBC_SHA,         "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
+    {TLS_RSA_WITH_AES_128_CBC_SHA,          "TLS_RSA_WITH_AES_128_CBC_SHA"},
+    {TLS_RSA_WITH_AES_256_CBC_SHA,          "TLS_RSA_WITH_AES_256_CBC_SHA"},
+    {TLS_RSA_WITH_AES_128_CBC_SHA256,       "TLS_RSA_WITH_AES_128_CBC_SHA256"},
+    {TLS_RSA_WITH_AES_256_CBC_SHA256,       "TLS_RSA_WITH_AES_256_CBC_SHA256"},
+    {TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,      "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA"},
+    {TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,      "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA"},
+    {TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,     "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"},
+    {TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,     "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"},
+    {TLS_DH_DSS_WITH_AES_128_CBC_SHA,       "TLS_DH_DSS_WITH_AES_128_CBC_SHA"},
+    {TLS_DH_RSA_WITH_AES_128_CBC_SHA,       "TLS_DH_RSA_WITH_AES_128_CBC_SHA"},
+    {TLS_DHE_DSS_WITH_AES_128_CBC_SHA,      "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"},
+    {TLS_DHE_RSA_WITH_AES_128_CBC_SHA,      "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"},
+    {TLS_DH_DSS_WITH_AES_256_CBC_SHA,       "TLS_DH_DSS_WITH_AES_256_CBC_SHA"},
+    {TLS_DH_RSA_WITH_AES_256_CBC_SHA,       "TLS_DH_RSA_WITH_AES_256_CBC_SHA"},
+    {TLS_DHE_DSS_WITH_AES_256_CBC_SHA,      "TLS_DHE_DSS_WITH_AES_256_CBC_SHA"},
+    {TLS_DHE_RSA_WITH_AES_256_CBC_SHA,      "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"},
+    {TLS_DH_DSS_WITH_AES_128_CBC_SHA256,    "TLS_DH_DSS_WITH_AES_128_CBC_SHA256"},
+    {TLS_DH_RSA_WITH_AES_128_CBC_SHA256,    "TLS_DH_RSA_WITH_AES_128_CBC_SHA256"},
+    {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,   "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"},
+    {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,   "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"},
+    {TLS_DH_DSS_WITH_AES_256_CBC_SHA256,    "TLS_DH_DSS_WITH_AES_256_CBC_SHA256"},
+    {TLS_DH_RSA_WITH_AES_256_CBC_SHA256,    "TLS_DH_RSA_WITH_AES_256_CBC_SHA256"},
+    {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,   "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256"},
+    {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,   "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"},
+    {TLS_DH_anon_WITH_RC4_128_MD5,          "TLS_DH_anon_WITH_RC4_128_MD5"},
+    {TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,     "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA"},
+    {TLS_DH_anon_WITH_AES_128_CBC_SHA,      "TLS_DH_anon_WITH_AES_128_CBC_SHA"},
+    {TLS_DH_anon_WITH_AES_256_CBC_SHA,      "TLS_DH_anon_WITH_AES_256_CBC_SHA"},
+    {TLS_DH_anon_WITH_AES_128_CBC_SHA256,   "TLS_DH_anon_WITH_AES_128_CBC_SHA256"},
+    {TLS_DH_anon_WITH_AES_256_CBC_SHA256,   "TLS_DH_anon_WITH_AES_256_CBC_SHA256"},
+
+    /* TLS (deprecated) */
+    {TLS_RSA_EXPORT_WITH_RC4_40_MD5,        "TLS_RSA_EXPORT_WITH_RC4_40_MD5"},
+    {TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5"},
+    {TLS_RSA_WITH_IDEA_CBC_SHA,             "TLS_RSA_WITH_IDEA_CBC_SHA"},
+    {TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,     "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"},
+    {TLS_RSA_WITH_DES_CBC_SHA,              "TLS_RSA_WITH_DES_CBC_SHA"},
+    {TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,  "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA"},
+    {TLS_DH_DSS_WITH_DES_CBC_SHA,           "TLS_DH_DSS_WITH_DES_CBC_SHA"},
+    {TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,  "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA"},
+    {TLS_DH_RSA_WITH_DES_CBC_SHA,           "TLS_DH_RSA_WITH_DES_CBC_SHA"},
+    {TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"},
+    {TLS_DHE_DSS_WITH_DES_CBC_SHA,          "TLS_DHE_DSS_WITH_DES_CBC_SHA"},
+    {TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"},
+    {TLS_DHE_RSA_WITH_DES_CBC_SHA,          "TLS_DHE_RSA_WITH_DES_CBC_SHA"},
+    {TLS_DH_anon_EXPORT_WITH_RC4_40_MD5,    "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5"},
+    {TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA"},
+    {TLS_DH_anon_WITH_DES_CBC_SHA,          "TLS_DH_anon_WITH_DES_CBC_SHA"},
+
+    /* SSLv3 */
+    {SSL_FORTEZZA_KEA_WITH_NULL_SHA,        "SSL_FORTEZZA_KEA_WITH_NULL_SHA"},
+    {SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA,"SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA"},
+    {SSL_FORTEZZA_KEA_WITH_RC4_128_SHA,     "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA"},
+
+    /* SSLv2 */
+    {SSL_CK_RC4_128_WITH_MD5,               "SSL_CK_RC4_128_WITH_MD5"},
+    {SSL_CK_RC4_128_EXPORT40_WITH_MD5,      "SSL_CK_RC4_128_EXPORT40_WITH_MD5"},
+    {SSL_CK_RC2_128_CBC_WITH_MD5,           "SSL_CK_RC2_128_CBC_WITH_MD5"},
+    {SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5,  "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5"},
+    {SSL_CK_IDEA_128_CBC_WITH_MD5,          "SSL_CK_IDEA_128_CBC_WITH_MD5"},
+    {SSL_CK_DES_64_CBC_WITH_MD5,            "SSL_CK_DES_64_CBC_WITH_MD5"},
+    {SSL_CK_DES_192_EDE3_CBC_WITH_MD5,      "SSL_CK_DES_192_EDE3_CBC_WITH_MD5"}
+};
+
 
 /*
  * Initialize the SSL socket configuration with the default values.
  */
-PJ_DECL(void) pj_ssl_sock_param_default(pj_ssl_sock_param *param)
+PJ_DEF(void) pj_ssl_sock_param_default(pj_ssl_sock_param *param)
 {
     pj_bzero(param, sizeof(*param));
@@ -33 +117 @@
     param->concurrency = -1;
     param->whole_data = PJ_TRUE;
-#if PJ_SYMBIAN
     param->send_buffer_size = 8192;
+#if !defined(PJ_SYMBIAN) || PJ_SYMBIAN==0
+    param->read_buffer_size = 1500;
 #endif
 
@@ -42 +127 @@
 
 
+PJ_DEF(const char*) pj_ssl_cipher_name(pj_ssl_cipher cipher)
+{
+    unsigned i, n;
+
+    n = PJ_ARRAY_SIZE(cipher_names);
+    for (i = 0; i < n; ++i) {
+        if (cipher == cipher_names[i].cipher)
+            return cipher_names[i].name;
+    }
+
+    return NULL;
+}

pjproject/trunk/pjlib/src/pj/ssl_sock_symbian.cpp

@@ -21 +21 @@
 #include <pj/assert.h>
 #include <pj/errno.h>
+#include <pj/math.h>
 #include <pj/pool.h>
 #include <pj/sock.h>
@@ -414 +415 @@
     pj_ssl_sock_proto    proto;
     pj_time_val          timeout;
-    pj_str_t             ciphers;
+    unsigned             ciphers_num;
+    pj_ssl_cipher       *ciphers;
     pj_str_t             servername;
 };
 
+
+/*
+ * Get cipher list supported by SSL/TLS backend.
+ */
+PJ_DEF(pj_status_t) pj_ssl_cipher_get_availables (pj_ssl_cipher ciphers[],
+                                                  unsigned *cipher_num)
+{
+    /* Available ciphers */
+    static pj_ssl_cipher ciphers_[64];
+    static unsigned ciphers_num_ = 0;
+    unsigned i;
+
+    PJ_ASSERT_RETURN(ciphers && cipher_num, PJ_EINVAL);
+    
+    if (ciphers_num_ == 0) {
+        RSocket sock;
+        CSecureSocket *secure_sock;
+        TPtrC16 proto(_L16("TLS1.0"));
+
+        secure_sock = CSecureSocket::NewL(sock, proto);
+        if (secure_sock) {
+            TBuf8<128> ciphers_buf(0);
+            secure_sock->AvailableCipherSuites(ciphers_buf);
+            
+            ciphers_num_ = ciphers_buf.Length() / 2;
+            if (ciphers_num_ > PJ_ARRAY_SIZE(ciphers_))
+                ciphers_num_ = PJ_ARRAY_SIZE(ciphers_);
+            for (i = 0; i < ciphers_num_; ++i)
+                ciphers_[i] = (pj_ssl_cipher)ciphers_buf[i*2];
+        }
+        
+        delete secure_sock;
+    }
+    
+    if (ciphers_num_ == 0) {
+        return PJ_ENOTFOUND;
+    }
+    
+    *cipher_num = PJ_MIN(*cipher_num, ciphers_num_);
+    for (i = 0; i < *cipher_num; ++i)
+        ciphers[i] = ciphers_[i];
+    
+    return PJ_SUCCESS;
+}
 
 /*
@@ -445 +491 @@
     ssock->cb = param->cb;
     ssock->user_data = param->user_data;
-    pj_strdup_with_null(pool, &ssock->ciphers, &param->ciphers);
+    ssock->ciphers_num = param->ciphers_num;
+    if (param->ciphers_num > 0) {
+        unsigned i;
+        ssock->ciphers = (pj_ssl_cipher*)
+                         pj_pool_calloc(pool, param->ciphers_num, 
+                                        sizeof(pj_ssl_cipher));
+        for (i = 0; i < param->ciphers_num; ++i)
+            ssock->ciphers[i] = param->ciphers[i];
+    }
     pj_strdup_with_null(pool, &ssock->servername, &param->servername);
 
@@ -452 +506 @@
 
     return PJ_SUCCESS;
+}
+
+
+PJ_DEF(pj_status_t) pj_ssl_cert_load_from_files(pj_pool_t *pool,
+                                                const pj_str_t *CA_file,
+                                                const pj_str_t *cert_file,
+                                                const pj_str_t *privkey_file,
+                                                const pj_str_t *privkey_pass,
+                                                pj_ssl_cert_t **p_cert)
+{
+    PJ_UNUSED_ARG(pool);
+    PJ_UNUSED_ARG(CA_file);
+    PJ_UNUSED_ARG(cert_file);
+    PJ_UNUSED_ARG(privkey_file);
+    PJ_UNUSED_ARG(privkey_pass);
+    PJ_UNUSED_ARG(p_cert);
+    return PJ_ENOTSUP;
 }
 
@@ -522 +593 @@
                                           pj_ssl_sock_info *info)
 {
-    const char *cipher_names[0x1B] = {
-        "TLS_RSA_WITH_NULL_MD5",
-        "TLS_RSA_WITH_NULL_SHA",
-        "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
-        "TLS_RSA_WITH_RC4_128_MD5",
-        "TLS_RSA_WITH_RC4_128_SHA",
-        "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
-        "TLS_RSA_WITH_IDEA_CBC_SHA",
-        "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
-        "TLS_RSA_WITH_DES_CBC_SHA",
-        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
-        "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
-        "TLS_DH_DSS_WITH_DES_CBC_SHA",
-        "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
-        "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
-        "TLS_DH_RSA_WITH_DES_CBC_SHA",
-        "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
-        "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
-        "TLS_DHE_DSS_WITH_DES_CBC_SHA",
-        "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
-        "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
-        "TLS_DHE_RSA_WITH_DES_CBC_SHA",
-        "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
-        "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
-        "TLS_DH_anon_WITH_RC4_128_MD5",
-        "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
-        "TLS_DH_anon_WITH_DES_CBC_SHA",
-        "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA"
-    };
-    
     PJ_ASSERT_RETURN(ssock && info, PJ_EINVAL);
     
@@ -571 +612 @@
     }
 
-    /* Remote address */
-    pj_sockaddr_cp((pj_sockaddr_t*)&info->remote_addr, 
-                   (pj_sockaddr_t*)&ssock->rem_addr);
-
-    /* Cipher suite */
     if (info->established) {
-        TBuf8<8> cipher;
+        /* Cipher suite */
+        TBuf8<4> cipher;
         if (ssock->sock->GetCipher(cipher) == KErrNone) {
-            TLex8 lex(cipher);
-            TUint cipher_code = cipher[1];    
-            if (cipher_code>=1 && cipher_code<=0x1B)
-                info->cipher = pj_str((char*)cipher_names[cipher_code-1]); 
-        }
+            info->cipher = (pj_ssl_cipher)cipher[1]; 
+        }
+
+        /* Remote address */
+        pj_sockaddr_cp((pj_sockaddr_t*)&info->remote_addr, 
+                   (pj_sockaddr_t*)&ssock->rem_addr);
     }
 

pjproject/trunk/pjsip/src/pjsip/sip_transport_tls.c

@@ -241 +241 @@
     ssock_param.cb.on_data_sent = &on_data_sent;
     ssock_param.async_cnt = async_cnt;
-    ssock_param.ciphers = listener->tls_setting.ciphers;
     ssock_param.ioqueue = pjsip_endpt_get_ioqueue(endpt);
     ssock_param.require_client_cert = listener->tls_setting.require_client_cert;
@@ -248 +247 @@
     ssock_param.user_data = listener;
     ssock_param.verify_peer = listener->tls_setting.verify_client;
+    if (ssock_param.send_buffer_size < PJSIP_MAX_PKT_LEN)
+        ssock_param.send_buffer_size = PJSIP_MAX_PKT_LEN;
+    if (ssock_param.read_buffer_size < PJSIP_MAX_PKT_LEN)
+        ssock_param.read_buffer_size = PJSIP_MAX_PKT_LEN;
+
+    has_listener = PJ_FALSE;
 
     switch(listener->tls_setting.method) {
@@ -280 +285 @@
     }
 
+    /* Check if certificate for SSL socket is set */
+    if (listener->tls_setting.cert_file.slen) 
+    {
+        pj_ssl_cert_t *cert;
+
+        status = pj_ssl_cert_load_from_files(pool,
+                        &listener->tls_setting.ca_list_file,
+                        &listener->tls_setting.cert_file,
+                        &listener->tls_setting.privkey_file,
+                        &listener->tls_setting.password,
+                        &cert);
+        if (status != PJ_SUCCESS)
+            goto on_error;
+
+        status = pj_ssl_sock_set_certificate(listener->ssock, pool, cert);
+        if (status != PJ_SUCCESS)
+            goto on_error;
+    }
+
     /* Start accepting incoming connections. Note that some TLS/SSL backends
      * may not support for SSL socket server.
      */
     has_listener = PJ_FALSE;
+
     status = pj_ssl_sock_start_accept(listener->ssock, pool, 
                           (pj_sockaddr_t*)listener_addr, 
@@ -352 +377 @@
     }
 
-    PJ_LOG(4,(listener->factory.obj_name, 
-             "SIP TLS listener is ready%s at %.*s:%d",
-             (has_listener?" for incoming connections":""),
-             (int)listener->factory.addr_name.host.slen,
-             listener->factory.addr_name.host.ptr,
-             listener->factory.addr_name.port));
+    if (has_listener) {
+        PJ_LOG(4,(listener->factory.obj_name, 
+                 "SIP TLS listener is ready for incoming connections "
+                 "at %.*s:%d",
+                 (int)listener->factory.addr_name.host.slen,
+                 listener->factory.addr_name.host.ptr,
+                 listener->factory.addr_name.port));
+    } else {
+        PJ_LOG(4,(listener->factory.obj_name, "SIP TLS is ready "
+                  "(client only)"));
+    }
 
     /* Return the pointer to user */
@@ -757 +787 @@
     ssock_param.cb.on_data_sent = &on_data_sent;
     ssock_param.async_cnt = 1;
-    ssock_param.ciphers = listener->tls_setting.ciphers;
     ssock_param.ioqueue = pjsip_endpt_get_ioqueue(listener->endpt);
-    PJ_TODO(SET_PROPER_SERVERNAME_BASED_ON_TARGET);
+    PJ_TODO(set_proper_servername_based_on_target);
+    PJ_TODO(synchronize_tls_cipher_type_with_ssl_sock_cipher_type);
     ssock_param.servername = listener->tls_setting.server_name;
     ssock_param.timeout = listener->tls_setting.timeout;
     ssock_param.user_data = NULL; /* pending, must be set later */
     ssock_param.verify_peer = listener->tls_setting.verify_server;
-    
+    if (ssock_param.send_buffer_size < PJSIP_MAX_PKT_LEN)
+        ssock_param.send_buffer_size = PJSIP_MAX_PKT_LEN;
+    if (ssock_param.read_buffer_size < PJSIP_MAX_PKT_LEN)
+        ssock_param.read_buffer_size = PJSIP_MAX_PKT_LEN;
+
     switch(listener->tls_setting.method) {
     case PJSIP_TLSV1_METHOD:
@@ -894 +928 @@
                          (const pj_sockaddr_in*)&listener->factory.local_addr,
                          (const pj_sockaddr_in*)src_addr, &tls);
+    
     if (status == PJ_SUCCESS) {
+        /* Set the "pending" SSL socket user data */
+        pj_ssl_sock_set_user_data(new_ssock, tls);
+
         status = tls_start_read(tls);
         if (status != PJ_SUCCESS) {
@@ -1173 +1211 @@
     tls = (struct tls_transport*) pj_ssl_sock_get_user_data(ssock);
 
-    /* Mark that pending connect() operation has completed. */
-    tls->has_pending_connect = PJ_FALSE;
-
     /* Check connect() status */
     if (status != PJ_SUCCESS) {
@@ -1203 +1238 @@
         return PJ_FALSE;
     }
-
-    PJ_LOG(4,(tls->base.obj_name, 
-              "TLS transport %.*s:%d is connected to %.*s:%d",
-              (int)tls->base.local_name.host.slen,
-              tls->base.local_name.host.ptr,
-              tls->base.local_name.port,
-              (int)tls->base.remote_name.host.slen,
-              tls->base.remote_name.host.ptr,
-              tls->base.remote_name.port));
-
 
     /* Update (again) local address, just in case local address currently
@@ -1234 +1259 @@
     }
 
+    PJ_LOG(4,(tls->base.obj_name, 
+              "TLS transport %.*s:%d is connected to %.*s:%d",
+              (int)tls->base.local_name.host.slen,
+              tls->base.local_name.host.ptr,
+              tls->base.local_name.port,
+              (int)tls->base.remote_name.host.slen,
+              tls->base.remote_name.host.ptr,
+              tls->base.remote_name.port));
+
+    /* Mark that pending connect() operation has completed. */
+    tls->has_pending_connect = PJ_FALSE;
+
     /* Start pending read */
     status = tls_start_read(tls);
@@ -1262 +1299 @@
 }
 
+
 /* Transport keep-alive timer callback */
 static void tls_keep_alive_timer(pj_timer_heap_t *th, pj_timer_entry *e)