Changeset 3942 for pjproject/branches/1.x/pjsip-apps/src/pjsua/pjsua_app.c

Timestamp:

Jan 16, 2012 5:05:47 AM (12 years ago)

Author:

nanang

Message:

Close #1014:

• Added configurable ciphers setting in SIP TLS transport and pjsua app.
• Added API pj_ssl_cipher_is_supported().

File:

• pjproject/branches/1.x/pjsip-apps/src/pjsua/pjsua_app.c (modified) (11 diffs)

pjproject/branches/1.x/pjsip-apps/src/pjsua/pjsua_app.c

@@ -252 +252 @@
     puts  ("  --stun-srv=FORMAT   Set STUN server host or domain. This option may be");
     puts  ("                      specified more than once. FORMAT is hostdom[:PORT]");
+
+#if defined(PJSIP_HAS_TLS_TRANSPORT) && (PJSIP_HAS_TLS_TRANSPORT != 0)
     puts  ("");
     puts  ("TLS Options:");
@@ -263 +265 @@
     puts  ("  --tls-neg-timeout   Specify TLS negotiation timeout (default=no)");
     puts  ("  --tls-srv-name      Specify TLS server name for multihosting server");
+    puts  ("  --tls-cipher        Specify prefered TLS cipher (optional).");
+    puts  ("                      May be specified multiple times");
+#endif
 
     puts  ("");
@@ -530 +535 @@
            OPT_USE_TLS, OPT_TLS_CA_FILE, OPT_TLS_CERT_FILE, OPT_TLS_PRIV_FILE,
            OPT_TLS_PASSWORD, OPT_TLS_VERIFY_SERVER, OPT_TLS_VERIFY_CLIENT,
-           OPT_TLS_NEG_TIMEOUT, OPT_TLS_SRV_NAME,
+           OPT_TLS_NEG_TIMEOUT, OPT_TLS_SRV_NAME, OPT_TLS_CIPHER,
            OPT_CAPTURE_DEV, OPT_PLAYBACK_DEV,
            OPT_CAPTURE_LAT, OPT_PLAYBACK_LAT, OPT_NO_TONES, OPT_JB_MAX_SIZE,
@@ -629 +634 @@
         { "duration",   1, 0, OPT_DURATION},
         { "thread-cnt", 1, 0, OPT_THREAD_CNT},
+#if defined(PJSIP_HAS_TLS_TRANSPORT) && (PJSIP_HAS_TLS_TRANSPORT != 0)
         { "use-tls",    0, 0, OPT_USE_TLS}, 
         { "tls-ca-file",1, 0, OPT_TLS_CA_FILE},
@@ -638 +644 @@
         { "tls-neg-timeout", 1, 0, OPT_TLS_NEG_TIMEOUT},
         { "tls-srv-name", 1, 0, OPT_TLS_SRV_NAME},
+        { "tls-cipher", 1, 0, OPT_TLS_CIPHER},
+#endif
         { "capture-dev",    1, 0, OPT_CAPTURE_DEV},
         { "playback-dev",   1, 0, OPT_PLAYBACK_DEV},
@@ -1304 +1312 @@
             break;
 
+#if defined(PJSIP_HAS_TLS_TRANSPORT) && (PJSIP_HAS_TLS_TRANSPORT != 0)
         case OPT_USE_TLS:
             cfg->use_tls = PJ_TRUE;
-#if !defined(PJSIP_HAS_TLS_TRANSPORT) || PJSIP_HAS_TLS_TRANSPORT==0
-            PJ_LOG(1,(THIS_FILE, "Error: TLS support is not configured"));
-            return -1;
-#endif
             break;
             
         case OPT_TLS_CA_FILE:
             cfg->udp_cfg.tls_setting.ca_list_file = pj_str(pj_optarg);
-#if !defined(PJSIP_HAS_TLS_TRANSPORT) || PJSIP_HAS_TLS_TRANSPORT==0
-            PJ_LOG(1,(THIS_FILE, "Error: TLS support is not configured"));
-            return -1;
-#endif
             break;
             
         case OPT_TLS_CERT_FILE:
             cfg->udp_cfg.tls_setting.cert_file = pj_str(pj_optarg);
-#if !defined(PJSIP_HAS_TLS_TRANSPORT) || PJSIP_HAS_TLS_TRANSPORT==0
-            PJ_LOG(1,(THIS_FILE, "Error: TLS support is not configured"));
-            return -1;
-#endif
             break;
             
@@ -1334 +1331 @@
         case OPT_TLS_PASSWORD:
             cfg->udp_cfg.tls_setting.password = pj_str(pj_optarg);
-#if !defined(PJSIP_HAS_TLS_TRANSPORT) || PJSIP_HAS_TLS_TRANSPORT==0
-            PJ_LOG(1,(THIS_FILE, "Error: TLS support is not configured"));
-            return -1;
-#endif
             break;
 
@@ -1356 +1349 @@
             cfg->udp_cfg.tls_setting.server_name = pj_str(pj_optarg);
             break;
+        case OPT_TLS_CIPHER:
+            {
+                pj_ssl_cipher cipher;
+
+                if (pj_ansi_strnicmp(pj_optarg, "0x", 2) == 0) {
+                    pj_str_t cipher_st = pj_str(pj_optarg + 2);
+                    cipher = pj_strtoul2(&cipher_st, NULL, 16);
+                } else {
+                    cipher = atoi(pj_optarg);
+                }
+
+                if (pj_ssl_cipher_is_supported(cipher)) {
+                    static pj_ssl_cipher tls_ciphers[128];
+
+                    tls_ciphers[cfg->udp_cfg.tls_setting.ciphers_num++] = cipher;
+                    cfg->udp_cfg.tls_setting.ciphers = tls_ciphers;
+                } else {
+                    pj_ssl_cipher ciphers[128];
+                    unsigned j, ciphers_cnt;
+
+                    ciphers_cnt = PJ_ARRAY_SIZE(ciphers);
+                    pj_ssl_cipher_get_availables(ciphers, &ciphers_cnt);
+                    
+                    PJ_LOG(1,(THIS_FILE, "Cipher \"%s\" is not supported by "
+                                         "TLS/SSL backend.", pj_optarg));
+                    printf("Available TLS/SSL ciphers (%d):\n", ciphers_cnt);
+                    for (j=0; j<ciphers_cnt; ++j)
+                        printf("- 0x%06X: %s\n", ciphers[j], pj_ssl_cipher_name(ciphers[j]));
+                    return -1;
+                }
+            }
+            break;
+#endif /* PJSIP_HAS_TLS_TRANSPORT */
 
         case OPT_CAPTURE_DEV:
@@ -1774 +1800 @@
     }
 
+#if defined(PJSIP_HAS_TLS_TRANSPORT) && (PJSIP_HAS_TLS_TRANSPORT != 0)
     /* TLS */
     if (config->use_tls)
@@ -1821 +1848 @@
         pj_strcat2(&cfg, line);
     }
+
+    for (i=0; i<config->udp_cfg.tls_setting.ciphers_num; ++i) {
+        pj_ansi_sprintf(line, "--tls-cipher 0x%06X # %s\n",
+                        config->udp_cfg.tls_setting.ciphers[i],
+                        pj_ssl_cipher_name(config->udp_cfg.tls_setting.ciphers[i]));
+        pj_strcat2(&cfg, line);
+    }
+#endif
 
     pj_strcat2(&cfg, "\n#\n# Media settings:\n#\n");
@@ -3006 +3041 @@
         const char *verif_msgs[32];
         unsigned verif_msg_cnt;
+
+        /* Dump server TLS cipher */
+        PJ_LOG(4,(THIS_FILE, "TLS cipher used: 0x%06X/%s",
+                  ssl_sock_info->cipher,
+                  pj_ssl_cipher_name(ssl_sock_info->cipher) ));
 
         /* Dump server TLS certificate */