Changeset 861 for pjproject/trunk/pjsip/include/pjsip

Timestamp:

Dec 25, 2006 6:43:59 AM (18 years ago)

Author:

bennylp

Message:

Major TLS work (ticket #3): asynchronous socket, rather complete TLS options, and pjsua integration. The TLS support should work in both client and server mode.

Location:

pjproject/trunk/pjsip/include/pjsip

Files:

• sip_config.h (modified) (4 diffs)
• sip_errno.h (modified) (1 diff)
• sip_transport_tcp.h (modified) (1 diff)
• sip_transport_tls.h (modified) (4 diffs)

pjproject/trunk/pjsip/include/pjsip/sip_config.h

@@ -201 +201 @@
 
 /**
+ * The TCP incoming connection backlog number to be set in accept().
+ *
+ * Default: 5
+ *
+ * @see PJSIP_TLS_TRANSPORT_BACKLOG
+ */
+#ifndef PJSIP_TCP_TRANSPORT_BACKLOG
+#   define PJSIP_TCP_TRANSPORT_BACKLOG  5
+#endif
+
+
+/**
  * This macro specifies whether full DNS resolution should be used.
  * When enabled, #pjsip_resolve() will perform asynchronous DNS SRV and
@@ -217 +229 @@
  *
  * Default: 1 (enabled)
+ *
+ * @see PJSIP_MAX_RESOLVED_ADDRESSES
  */
 #ifndef PJSIP_HAS_RESOLVER
@@ -229 +243 @@
  *
  * Default: 8
+ *
+ * @see PJSIP_HAS_RESOLVER
  */
 #ifndef PJSIP_MAX_RESOLVED_ADDRESSES
@@ -243 +259 @@
 #ifndef PJSIP_HAS_TLS_TRANSPORT
 #   define PJSIP_HAS_TLS_TRANSPORT          0
+#endif
+
+
+/**
+ * The TLS pending incoming connection backlog number to be set in accept().
+ *
+ * Default: 5
+ *
+ * @see PJSIP_TCP_TRANSPORT_BACKLOG
+ */
+#ifndef PJSIP_TLS_TRANSPORT_BACKLOG
+#   define PJSIP_TLS_TRANSPORT_BACKLOG      5
 #endif
 

pjproject/trunk/pjsip/include/pjsip/sip_errno.h

@@ -398 +398 @@
 
 
+/************************************************************
+ * TLS TRANSPORT ERRORS
+ ***********************************************************/
+/**
+ * @hideinitializer
+ * Unknown TLS error
+ */
+#define PJSIP_TLS_EUNKNOWN      (PJSIP_ERRNO_START_PJSIP+160)   /* 171160 */
+/**
+ * @hideinitializer
+ * Invalid SSL protocol method.
+ */
+#define PJSIP_TLS_EINVMETHOD    (PJSIP_ERRNO_START_PJSIP+161)   /* 171161 */
+/**
+ * @hideinitializer
+ * Error loading/verifying SSL CA list file.
+ */
+#define PJSIP_TLS_ECACERT       (PJSIP_ERRNO_START_PJSIP+162)   /* 171162 */
+/**
+ * @hideinitializer
+ * Error loading SSL certificate chain file.
+ */
+#define PJSIP_TLS_ECERTFILE     (PJSIP_ERRNO_START_PJSIP+163)   /* 171163 */
+/**
+ * @hideinitializer
+ * Error adding private key from SSL certificate file.
+ */
+#define PJSIP_TLS_EKEYFILE      (PJSIP_ERRNO_START_PJSIP+164)   /* 171164 */
+/**
+ * @hideinitializer
+ * Error setting SSL cipher list.
+ */
+#define PJSIP_TLS_ECIPHER       (PJSIP_ERRNO_START_PJSIP+165)   /* 171165 */
+/**
+ * @hideinitializer
+ * Error creating SSL context.
+ */
+#define PJSIP_TLS_ECTX          (PJSIP_ERRNO_START_PJSIP+166)   /* 171166 */
+/**
+ * @hideinitializer
+ * Error creating SSL connection object.
+ */
+#define PJSIP_TLS_ESSLCONN      (PJSIP_ERRNO_START_PJSIP+167)   /* 171167 */
+/**
+ * @hideinitializer
+ * Unknown error when performing SSL connect().
+ */
+#define PJSIP_TLS_ECONNECT      (PJSIP_ERRNO_START_PJSIP+168)   /* 171168 */
+/**
+ * @hideinitializer
+ * Unknown error when performing SSL accept().
+ */
+#define PJSIP_TLS_EACCEPT       (PJSIP_ERRNO_START_PJSIP+169)   /* 171169 */
+/**
+ * @hideinitializer
+ * Unknown error when sending SSL data
+ */
+#define PJSIP_TLS_ESEND         (PJSIP_ERRNO_START_PJSIP+170)   /* 171170 */
+/**
+ * @hideinitializer
+ * Unknown error when reading SSL data
+ */
+#define PJSIP_TLS_EREAD         (PJSIP_ERRNO_START_PJSIP+171)   /* 171171 */
+/**
+ * @hideinitializer
+ * SSL negotiation has exceeded the maximum configured timeout.
+ */
+#define PJSIP_TLS_ETIMEDOUT     (PJSIP_ERRNO_START_PJSIP+172)   /* 171172 */
+
+
 
 

pjproject/trunk/pjsip/include/pjsip/sip_transport_tcp.h

@@ -37 +37 @@
  * the transport to the framework.
  */
-
-/**
- * The TCP incoming connection backlog number.
- * Default: 5
- */
-#ifndef PJSIP_TCP_TRANSPORT_BACKLOG
-#   define PJSIP_TCP_TRANSPORT_BACKLOG  5
-#endif
-
 
 /**

pjproject/trunk/pjsip/include/pjsip/sip_transport_tls.h

@@ -26 +26 @@
 
 #include <pjsip/sip_transport.h>
+#include <pj/string.h>
+
 
 PJ_BEGIN_DECL
@@ -38 +40 @@
  */
 
+/** SSL protocol method constants. */
+typedef enum pjsip_ssl_method
+{
+    PJSIP_SSL_DEFAULT_METHOD    = 0,    /**< Default protocol method.   */
+    PJSIP_TLSV1_METHOD          = 1,    /**< Use SSLv1 method.          */
+    PJSIP_SSLV2_METHOD          = 2,    /**< Use SSLv2 method.          */
+    PJSIP_SSLV3_METHOD          = 3,    /**< Use SSLv3 method.          */
+    PJSIP_SSLV23_METHOD         = 23    /**< Use SSLv23 method.         */
+} pjsip_ssl_method;
+
+
+/**
+ * TLS transport settings.
+ */
+typedef struct pjsip_tls_setting
+{
+    /**
+     * Certificate of Authority (CA) list file.
+     */
+    pj_str_t    ca_list_file;
+
+    /**
+     * Public endpoint certificate file, which will be used as client-
+     * side  certificate for outgoing TLS connection, and server-side
+     * certificate for incoming TLS connection.
+     */
+    pj_str_t    cert_file;
+
+    /**
+     * Optional private key of the endpoint certificate to be used.
+     */
+    pj_str_t    privkey_file;
+
+    /**
+     * Password to open private key.
+     */
+    pj_str_t    password;
+
+    /**
+     * TLS protocol method from #pjsip_ssl_method, which can be:
+     *  - PJSIP_SSL_DEFAULT_METHOD(0):  default (which will use SSLv23)
+     *  - PJSIP_TLSV1_METHOD(1):        TLSv1
+     *  - PJSIP_SSLV2_METHOD(2):        TLSv2
+     *  - PJSIP_SSLV3_METHOD(3):        TLSv3
+     *  - PJSIP_SSLV23_METHOD(23):      TLSv23
+     *
+     * Default is PJSIP_SSL_DEFAULT_METHOD (0), which will use SSLv23
+     * protocol method.
+     */
+    int         method;
+
+    /**
+     * TLS cipher list string in OpenSSL format. If empty, then default
+     * cipher list of the backend will be used.
+     */
+    pj_str_t    ciphers;
+
+    /**
+     * When PJSIP is acting as a client (outgoing TLS connections), 
+     * it will always receive a certificate from the peer. 
+     * If \a verify_server is disabled (set to zero), PJSIP will not 
+     * verifiy the certificate and allows TLS connections to servers 
+     * which do not present a valid certificate. 
+     * If \a tls_verify_server is non-zero, PJSIP verifies the server 
+     * certificate and will close the TLS connection if the server 
+     * certificate is not valid.
+     *
+     * This setting corresponds to OpenSSL SSL_VERIFY_PEER flag.
+     * Default value is zero.
+     */
+    pj_bool_t   verify_server;
+
+    /**
+     * When acting as server (incoming TLS connections), setting
+     * \a verify_client to non-zero will cause the transport to activate
+     * peer verification upon receiving incoming TLS connection.
+     *
+     * This setting corresponds to OpenSSL SSL_VERIFY_PEER flag.
+     * Default value is zero.
+     */
+    pj_bool_t   verify_client;
+
+    /**
+     * When acting as server (incoming TLS connections), reject inocming
+     * connection if client doesn't have a valid certificate.
+     *
+     * This setting corresponds to SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag.
+     * Default value is zero.
+     */
+    pj_bool_t   require_client_cert;
+
+    /**
+     * TLS negotiation timeout to be applied for both outgoing and
+     * incoming connection. If both sec and msec member is set to zero,
+     * the SSL negotiation doesn't have a timeout.
+     */
+    pj_time_val timeout;
+
+} pjsip_tls_setting;
+
+
+/**
+ * Initialize TLS setting with default values.
+ *
+ * @param tls_opt   The TLS setting to be initialized.
+ */
+PJ_INLINE(void) pjsip_tls_setting_default(pjsip_tls_setting *tls_opt)
+{
+    pj_memset(tls_opt, 0, sizeof(*tls_opt));
+}
+
+
+/**
+ * Copy TLS setting.
+ *
+ * @param pool      The pool to duplicate strings etc.
+ * @param dst       Destination structure.
+ * @param src       Source structure.
+ */
+PJ_INLINE(void) pjsip_tls_setting_copy(pj_pool_t *pool,
+                                       pjsip_tls_setting *dst,
+                                       const pjsip_tls_setting *src)
+{
+    pj_memcpy(dst, src, sizeof(*dst));
+    pj_strdup_with_null(pool, &dst->ca_list_file, &src->ca_list_file);
+    pj_strdup_with_null(pool, &dst->cert_file, &src->cert_file);
+    pj_strdup_with_null(pool, &dst->privkey_file, &src->privkey_file);
+    pj_strdup_with_null(pool, &dst->password, &src->password);
+    pj_strdup_with_null(pool, &dst->ciphers, &src->ciphers);
+}
+
+
 /**
  * Register support for SIP TLS transport by creating TLS listener on
@@ -45 +179 @@
  *
  * @param endpt         The SIP endpoint.
- * @param keyfile       Path to keys and certificate file.
- * @param password      Password to open the private key.
- * @param ca_list_file  Path to Certificate of Authority file.
+ * @param opt           Optional TLS settings.
  * @param local         Optional local address to bind, or specify the
  *                      address to bind the server socket to. Both IP 
@@ -72 +204 @@
  */
 PJ_DECL(pj_status_t) pjsip_tls_transport_start(pjsip_endpoint *endpt,
-                                               const pj_str_t *keyfile,
-                                               const pj_str_t *password,
-                                               const pj_str_t *ca_list_file,
+                                               const pjsip_tls_setting *opt,
                                                const pj_sockaddr_in *local,
                                                const pjsip_host_port *a_name,