ssl_sock.h 57 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590
  1. /*
  2. * Copyright (C) 2009-2011 Teluu Inc. (http://www.teluu.com)
  3. *
  4. * This program is free software; you can redistribute it and/or modify
  5. * it under the terms of the GNU General Public License as published by
  6. * the Free Software Foundation; either version 2 of the License, or
  7. * (at your option) any later version.
  8. *
  9. * This program is distributed in the hope that it will be useful,
  10. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  12. * GNU General Public License for more details.
  13. *
  14. * You should have received a copy of the GNU General Public License
  15. * along with this program; if not, write to the Free Software
  16. * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  17. */
  18. #ifndef __PJ_SSL_SOCK_H__
  19. #define __PJ_SSL_SOCK_H__
  20. /**
  21. * @file ssl_sock.h
  22. * @brief Secure socket
  23. */
  24. #include <pj/ioqueue.h>
  25. #include <pj/sock.h>
  26. #include <pj/sock_qos.h>
  27. PJ_BEGIN_DECL
  28. /**
  29. * @defgroup PJ_SSL_SOCK Secure socket I/O
  30. * @brief Secure socket provides security on socket operation using standard
  31. * security protocols such as SSL and TLS.
  32. * @ingroup PJ_IO
  33. * @{
  34. *
  35. * Secure socket wraps normal socket and applies security features, i.e:
  36. * privacy and data integrity, on the socket traffic, using standard security
  37. * protocols such as SSL and TLS.
  38. *
  39. * Secure socket employs active socket operations, which is similar to (and
  40. * described more detail) in \ref PJ_ACTIVESOCK.
  41. */
  42. /**
  43. * This opaque structure describes the secure socket.
  44. */
  45. typedef struct pj_ssl_sock_t pj_ssl_sock_t;
  46. /**
  47. * Opaque declaration of endpoint certificate or credentials. This may contains
  48. * certificate, private key, and trusted Certificate Authorities list.
  49. */
  50. typedef struct pj_ssl_cert_t pj_ssl_cert_t;
  51. /**
  52. * Bitwise flag for SSL certificate verification.
  53. */
  54. typedef enum pj_ssl_cert_verify_flag_t
  55. {
  56. /**
  57. * No error in verification.
  58. */
  59. PJ_SSL_CERT_ESUCCESS = 0,
  60. /**
  61. * The issuer certificate cannot be found.
  62. */
  63. PJ_SSL_CERT_EISSUER_NOT_FOUND = (1 << 0),
  64. /**
  65. * The certificate is untrusted.
  66. */
  67. PJ_SSL_CERT_EUNTRUSTED = (1 << 1),
  68. /**
  69. * The certificate has expired or not yet valid.
  70. */
  71. PJ_SSL_CERT_EVALIDITY_PERIOD = (1 << 2),
  72. /**
  73. * One or more fields of the certificate cannot be decoded due to
  74. * invalid format.
  75. */
  76. PJ_SSL_CERT_EINVALID_FORMAT = (1 << 3),
  77. /**
  78. * The certificate cannot be used for the specified purpose.
  79. */
  80. PJ_SSL_CERT_EINVALID_PURPOSE = (1 << 4),
  81. /**
  82. * The issuer info in the certificate does not match to the (candidate)
  83. * issuer certificate, e.g: issuer name not match to subject name
  84. * of (candidate) issuer certificate.
  85. */
  86. PJ_SSL_CERT_EISSUER_MISMATCH = (1 << 5),
  87. /**
  88. * The CRL certificate cannot be found or cannot be read properly.
  89. */
  90. PJ_SSL_CERT_ECRL_FAILURE = (1 << 6),
  91. /**
  92. * The certificate has been revoked.
  93. */
  94. PJ_SSL_CERT_EREVOKED = (1 << 7),
  95. /**
  96. * The certificate chain length is too long.
  97. */
  98. PJ_SSL_CERT_ECHAIN_TOO_LONG = (1 << 8),
  99. /**
  100. * The certificate signature is created using a weak hashing algorithm.
  101. */
  102. PJ_SSL_CERT_EWEAK_SIGNATURE = (1 << 9),
  103. /**
  104. * The server identity does not match to any identities specified in
  105. * the certificate, e.g: subjectAltName extension, subject common name.
  106. * This flag will only be set by application as SSL socket does not
  107. * perform server identity verification.
  108. */
  109. PJ_SSL_CERT_EIDENTITY_NOT_MATCH = (1 << 30),
  110. /**
  111. * Unknown verification error.
  112. */
  113. PJ_SSL_CERT_EUNKNOWN = (1 << 31)
  114. } pj_ssl_cert_verify_flag_t;
  115. /**
  116. * Type of SSL certificate name.
  117. */
  118. typedef enum pj_ssl_cert_name_type
  119. {
  120. PJ_SSL_CERT_NAME_UNKNOWN = 0,
  121. PJ_SSL_CERT_NAME_RFC822,
  122. PJ_SSL_CERT_NAME_DNS,
  123. PJ_SSL_CERT_NAME_URI,
  124. PJ_SSL_CERT_NAME_IP
  125. } pj_ssl_cert_name_type;
  126. /**
  127. * Field type for looking up SSL certificate in the certificate stores.
  128. */
  129. typedef enum pj_ssl_cert_lookup_type
  130. {
  131. /**
  132. * No certificate to be looked up.
  133. */
  134. PJ_SSL_CERT_LOOKUP_NONE,
  135. /**
  136. * Lookup by subject, this will lookup any first certificate whose
  137. * subject containing the specified keyword. Note that subject may not
  138. * be unique in the store, so the lookup may end up selecting a wrong
  139. * certificate.
  140. */
  141. PJ_SSL_CERT_LOOKUP_SUBJECT,
  142. /**
  143. * Lookup by fingerprint/thumbprint (SHA1 hash), this will lookup
  144. * any first certificate whose fingerprint matching the specified
  145. * keyword. The keyword is an array of hash octets.
  146. */
  147. PJ_SSL_CERT_LOOKUP_FINGERPRINT,
  148. /**
  149. * Lookup by friendly name, this will lookup any first certificate
  150. * whose friendly name containing the specified keyword. Note that
  151. * friendly name may not be unique in the store, so the lookup may end up
  152. * selecting a wrong certificate.
  153. */
  154. PJ_SSL_CERT_LOOKUP_FRIENDLY_NAME
  155. } pj_ssl_cert_lookup_type;
  156. /**
  157. * Describe structure of certificate lookup criteria.
  158. */
  159. typedef struct pj_ssl_cert_lookup_criteria
  160. {
  161. /**
  162. * Certificate field type to look.
  163. */
  164. pj_ssl_cert_lookup_type type;
  165. /*
  166. * Keyword to match on the field specified in \a type.
  167. */
  168. pj_str_t keyword;
  169. } pj_ssl_cert_lookup_criteria;
  170. /**
  171. * Describe structure of certificate info.
  172. */
  173. typedef struct pj_ssl_cert_info {
  174. unsigned version; /**< Certificate version */
  175. pj_uint8_t serial_no[20]; /**< Serial number, array of
  176. octets, first index is
  177. MSB */
  178. struct {
  179. pj_str_t cn; /**< Common name */
  180. pj_str_t info; /**< One line subject, fields
  181. are separated by slash, e.g:
  182. "CN=sample.org/OU=HRD" */
  183. } subject; /**< Subject */
  184. struct {
  185. pj_str_t cn; /**< Common name */
  186. pj_str_t info; /**< One line subject, fields
  187. are separated by slash.*/
  188. } issuer; /**< Issuer */
  189. struct {
  190. pj_time_val start; /**< Validity start */
  191. pj_time_val end; /**< Validity end */
  192. pj_bool_t gmt; /**< Flag if validity date/time
  193. use GMT */
  194. } validity; /**< Validity */
  195. struct {
  196. unsigned cnt; /**< # of entry */
  197. struct {
  198. pj_ssl_cert_name_type type;
  199. /**< Name type */
  200. pj_str_t name; /**< The name */
  201. } *entry; /**< Subject alt name entry */
  202. } subj_alt_name; /**< Subject alternative
  203. name extension */
  204. pj_str_t raw; /**< Raw certificate in PEM format, only
  205. available for remote certificate. */
  206. struct {
  207. unsigned cnt; /**< # of entry */
  208. pj_str_t *cert_raw;
  209. } raw_chain;
  210. } pj_ssl_cert_info;
  211. /**
  212. * The SSL certificate buffer.
  213. */
  214. typedef pj_str_t pj_ssl_cert_buffer;
  215. /**
  216. * Create credential from files. TLS server application can provide multiple
  217. * certificates (RSA, ECC, and DSA) by supplying certificate name with "_rsa"
  218. * suffix, e.g: "pjsip_rsa.pem", the library will automatically check for
  219. * other certificates with "_ecc" and "_dsa" suffix.
  220. *
  221. * @param pool The pool.
  222. * @param CA_file The file of trusted CA list.
  223. * @param cert_file The file of certificate.
  224. * @param privkey_file The file of private key.
  225. * @param privkey_pass The password of private key, if any.
  226. * @param p_cert Pointer to credential instance to be created.
  227. *
  228. * @return PJ_SUCCESS when successful.
  229. */
  230. PJ_DECL(pj_status_t) pj_ssl_cert_load_from_files(pj_pool_t *pool,
  231. const pj_str_t *CA_file,
  232. const pj_str_t *cert_file,
  233. const pj_str_t *privkey_file,
  234. const pj_str_t *privkey_pass,
  235. pj_ssl_cert_t **p_cert);
  236. /**
  237. * Create credential from files. TLS server application can provide multiple
  238. * certificates (RSA, ECC, and DSA) by supplying certificate name with "_rsa"
  239. * suffix, e.g: "pjsip_rsa.pem", the library will automatically check for
  240. * other certificates with "_ecc" and "_dsa" suffix.
  241. *
  242. * This is the same as pj_ssl_cert_load_from_files() but also
  243. * accepts an additional param CA_path to load CA certificates from
  244. * a directory.
  245. *
  246. * @param pool The pool.
  247. * @param CA_file The file of trusted CA list.
  248. * @param CA_path The path to a directory of trusted CA list.
  249. * @param cert_file The file of certificate.
  250. * @param privkey_file The file of private key.
  251. * @param privkey_pass The password of private key, if any.
  252. * @param p_cert Pointer to credential instance to be created.
  253. *
  254. * @return PJ_SUCCESS when successful.
  255. */
  256. PJ_DECL(pj_status_t) pj_ssl_cert_load_from_files2(
  257. pj_pool_t *pool,
  258. const pj_str_t *CA_file,
  259. const pj_str_t *CA_path,
  260. const pj_str_t *cert_file,
  261. const pj_str_t *privkey_file,
  262. const pj_str_t *privkey_pass,
  263. pj_ssl_cert_t **p_cert);
  264. /**
  265. * Create credential from data buffer. The certificate expected is in
  266. * PEM format.
  267. *
  268. * @param pool The pool.
  269. * @param CA_buf The buffer of trusted CA list.
  270. * @param cert_buf The buffer of certificate.
  271. * @param privkey_buf The buffer of private key.
  272. * @param privkey_pass The password of private key, if any.
  273. * @param p_cert Pointer to credential instance to be created.
  274. *
  275. * @return PJ_SUCCESS when successful.
  276. */
  277. PJ_DECL(pj_status_t) pj_ssl_cert_load_from_buffer(pj_pool_t *pool,
  278. const pj_ssl_cert_buffer *CA_buf,
  279. const pj_ssl_cert_buffer *cert_buf,
  280. const pj_ssl_cert_buffer *privkey_buf,
  281. const pj_str_t *privkey_pass,
  282. pj_ssl_cert_t **p_cert);
  283. /**
  284. * Create credential from OS certificate store, this function will lookup
  285. * certificate using the specified criterias.
  286. *
  287. * Currently this is used by Windows Schannel backend only, it will lookup
  288. * in the Current User store first, if no certificate with the specified
  289. * criteria is not found, it will lookup in the Local Machine store.
  290. *
  291. * Note that for manual verification (e.g: when pj_ssl_sock_param.verify_peer
  292. * is disabled), the backend will provide pre-verification result against
  293. * trusted CA certificates in Current User store only (will not check CA
  294. * certificates in the Local Machine store).
  295. *
  296. * @param pool The pool.
  297. * @param criteria The lookup criteria.
  298. * @param p_cert Pointer to credential instance to be created.
  299. *
  300. * @return PJ_SUCCESS when successful.
  301. */
  302. PJ_DECL(pj_status_t) pj_ssl_cert_load_from_store(
  303. pj_pool_t *pool,
  304. const pj_ssl_cert_lookup_criteria *criteria,
  305. pj_ssl_cert_t **p_cert);
  306. /**
  307. * Dump SSL certificate info.
  308. *
  309. * @param ci The certificate info.
  310. * @param indent String for left indentation.
  311. * @param buf The buffer where certificate info will be printed on.
  312. * @param buf_size The buffer size.
  313. *
  314. * @return The length of the dump result, or -1 when buffer size
  315. * is not sufficient.
  316. */
  317. PJ_DECL(pj_ssize_t) pj_ssl_cert_info_dump(const pj_ssl_cert_info *ci,
  318. const char *indent,
  319. char *buf,
  320. pj_size_t buf_size);
  321. /**
  322. * Get SSL certificate verification error messages from verification status.
  323. *
  324. * @param verify_status The SSL certificate verification status.
  325. * @param error_strings Array of strings to receive the verification error
  326. * messages.
  327. * @param count On input it specifies maximum error messages should be
  328. * retrieved. On output it specifies the number of error
  329. * messages retrieved.
  330. *
  331. * @return PJ_SUCCESS when successful.
  332. */
  333. PJ_DECL(pj_status_t) pj_ssl_cert_get_verify_status_strings(
  334. pj_uint32_t verify_status,
  335. const char *error_strings[],
  336. unsigned *count);
  337. /**
  338. * Wipe out the keys in the SSL certificate.
  339. *
  340. * @param cert The SSL certificate.
  341. *
  342. */
  343. PJ_DECL(void) pj_ssl_cert_wipe_keys(pj_ssl_cert_t *cert);
  344. /**
  345. * Cipher suites enumeration.
  346. */
  347. typedef enum pj_ssl_cipher {
  348. /* Unsupported cipher */
  349. PJ_TLS_UNKNOWN_CIPHER = -1,
  350. /* NULL */
  351. PJ_TLS_NULL_WITH_NULL_NULL = 0x00000000,
  352. /* TLS/SSLv3 */
  353. PJ_TLS_RSA_WITH_NULL_MD5 = 0x00000001,
  354. PJ_TLS_RSA_WITH_NULL_SHA = 0x00000002,
  355. PJ_TLS_RSA_WITH_NULL_SHA256 = 0x0000003B,
  356. PJ_TLS_RSA_WITH_RC4_128_MD5 = 0x00000004,
  357. PJ_TLS_RSA_WITH_RC4_128_SHA = 0x00000005,
  358. PJ_TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x0000000A,
  359. PJ_TLS_RSA_WITH_AES_128_CBC_SHA = 0x0000002F,
  360. PJ_TLS_RSA_WITH_AES_256_CBC_SHA = 0x00000035,
  361. PJ_TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x0000003C,
  362. PJ_TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x0000003D,
  363. PJ_TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x0000000D,
  364. PJ_TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x00000010,
  365. PJ_TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x00000013,
  366. PJ_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x00000016,
  367. PJ_TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x00000030,
  368. PJ_TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x00000031,
  369. PJ_TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x00000032,
  370. PJ_TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x00000033,
  371. PJ_TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x00000036,
  372. PJ_TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x00000037,
  373. PJ_TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x00000038,
  374. PJ_TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x00000039,
  375. PJ_TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x0000003E,
  376. PJ_TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x0000003F,
  377. PJ_TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x00000040,
  378. PJ_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x00000067,
  379. PJ_TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x00000068,
  380. PJ_TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x00000069,
  381. PJ_TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x0000006A,
  382. PJ_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x0000006B,
  383. PJ_TLS_DH_anon_WITH_RC4_128_MD5 = 0x00000018,
  384. PJ_TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x0000001B,
  385. PJ_TLS_DH_anon_WITH_AES_128_CBC_SHA = 0x00000034,
  386. PJ_TLS_DH_anon_WITH_AES_256_CBC_SHA = 0x0000003A,
  387. PJ_TLS_DH_anon_WITH_AES_128_CBC_SHA256 = 0x0000006C,
  388. PJ_TLS_DH_anon_WITH_AES_256_CBC_SHA256 = 0x0000006D,
  389. /* TLS (deprecated) */
  390. PJ_TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x00000003,
  391. PJ_TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x00000006,
  392. PJ_TLS_RSA_WITH_IDEA_CBC_SHA = 0x00000007,
  393. PJ_TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x00000008,
  394. PJ_TLS_RSA_WITH_DES_CBC_SHA = 0x00000009,
  395. PJ_TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0000000B,
  396. PJ_TLS_DH_DSS_WITH_DES_CBC_SHA = 0x0000000C,
  397. PJ_TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0000000E,
  398. PJ_TLS_DH_RSA_WITH_DES_CBC_SHA = 0x0000000F,
  399. PJ_TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x00000011,
  400. PJ_TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x00000012,
  401. PJ_TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x00000014,
  402. PJ_TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x00000015,
  403. PJ_TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x00000017,
  404. PJ_TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0x00000019,
  405. PJ_TLS_DH_anon_WITH_DES_CBC_SHA = 0x0000001A,
  406. /* SSLv3 */
  407. PJ_SSL_FORTEZZA_KEA_WITH_NULL_SHA = 0x0000001C,
  408. PJ_SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x0000001D,
  409. PJ_SSL_FORTEZZA_KEA_WITH_RC4_128_SHA = 0x0000001E,
  410. /* SSLv2 */
  411. PJ_SSL_CK_RC4_128_WITH_MD5 = 0x00010080,
  412. PJ_SSL_CK_RC4_128_EXPORT40_WITH_MD5 = 0x00020080,
  413. PJ_SSL_CK_RC2_128_CBC_WITH_MD5 = 0x00030080,
  414. PJ_SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 = 0x00040080,
  415. PJ_SSL_CK_IDEA_128_CBC_WITH_MD5 = 0x00050080,
  416. PJ_SSL_CK_DES_64_CBC_WITH_MD5 = 0x00060040,
  417. PJ_SSL_CK_DES_192_EDE3_CBC_WITH_MD5 = 0x000700C0
  418. } pj_ssl_cipher;
  419. /**
  420. * Get cipher list supported by SSL/TLS backend.
  421. *
  422. * @param ciphers The ciphers buffer to receive cipher list.
  423. * @param cipher_num Maximum number of ciphers to be received.
  424. *
  425. * @return PJ_SUCCESS when successful.
  426. */
  427. PJ_DECL(pj_status_t) pj_ssl_cipher_get_availables(pj_ssl_cipher ciphers[],
  428. unsigned *cipher_num);
  429. /**
  430. * Check if the specified cipher is supported by SSL/TLS backend.
  431. *
  432. * @param cipher The cipher.
  433. *
  434. * @return PJ_TRUE when supported.
  435. */
  436. PJ_DECL(pj_bool_t) pj_ssl_cipher_is_supported(pj_ssl_cipher cipher);
  437. /**
  438. * Get cipher name string.
  439. *
  440. * @param cipher The cipher.
  441. *
  442. * @return The cipher name or NULL if cipher is not recognized/
  443. * supported.
  444. */
  445. PJ_DECL(const char*) pj_ssl_cipher_name(pj_ssl_cipher cipher);
  446. /**
  447. * Get cipher ID from cipher name string. Note that on different backends
  448. * (e.g. OpenSSL or Symbian implementation), cipher names may not be
  449. * equivalent for the same cipher ID.
  450. *
  451. * @param cipher_name The cipher name string.
  452. *
  453. * @return The cipher ID or PJ_TLS_UNKNOWN_CIPHER if the cipher
  454. * name string is not recognized/supported.
  455. */
  456. PJ_DECL(pj_ssl_cipher) pj_ssl_cipher_id(const char *cipher_name);
  457. /**
  458. * Elliptic curves enumeration.
  459. */
  460. typedef enum pj_ssl_curve
  461. {
  462. PJ_TLS_UNKNOWN_CURVE = 0,
  463. PJ_TLS_CURVE_SECT163K1 = 1,
  464. PJ_TLS_CURVE_SECT163R1 = 2,
  465. PJ_TLS_CURVE_SECT163R2 = 3,
  466. PJ_TLS_CURVE_SECT193R1 = 4,
  467. PJ_TLS_CURVE_SECT193R2 = 5,
  468. PJ_TLS_CURVE_SECT233K1 = 6,
  469. PJ_TLS_CURVE_SECT233R1 = 7,
  470. PJ_TLS_CURVE_SECT239K1 = 8,
  471. PJ_TLS_CURVE_SECT283K1 = 9,
  472. PJ_TLS_CURVE_SECT283R1 = 10,
  473. PJ_TLS_CURVE_SECT409K1 = 11,
  474. PJ_TLS_CURVE_SECT409R1 = 12,
  475. PJ_TLS_CURVE_SECT571K1 = 13,
  476. PJ_TLS_CURVE_SECT571R1 = 14,
  477. PJ_TLS_CURVE_SECP160K1 = 15,
  478. PJ_TLS_CURVE_SECP160R1 = 16,
  479. PJ_TLS_CURVE_SECP160R2 = 17,
  480. PJ_TLS_CURVE_SECP192K1 = 18,
  481. PJ_TLS_CURVE_SECP192R1 = 19,
  482. PJ_TLS_CURVE_SECP224K1 = 20,
  483. PJ_TLS_CURVE_SECP224R1 = 21,
  484. PJ_TLS_CURVE_SECP256K1 = 22,
  485. PJ_TLS_CURVE_SECP256R1 = 23,
  486. PJ_TLS_CURVE_SECP384R1 = 24,
  487. PJ_TLS_CURVE_SECP521R1 = 25,
  488. PJ_TLS_CURVE_BRAINPOOLP256R1 = 26,
  489. PJ_TLS_CURVE_BRAINPOOLP384R1 = 27,
  490. PJ_TLS_CURVE_BRAINPOOLP512R1 = 28,
  491. PJ_TLS_CURVE_ARBITRARY_EXPLICIT_PRIME_CURVES = 0XFF01,
  492. PJ_TLS_CURVE_ARBITRARY_EXPLICIT_CHAR2_CURVES = 0XFF02
  493. } pj_ssl_curve;
  494. /**
  495. * Get curve list supported by SSL/TLS backend.
  496. *
  497. * @param curves The curves buffer to receive curve list.
  498. * @param curve_num Maximum number of curves to be received.
  499. *
  500. * @return PJ_SUCCESS when successful.
  501. */
  502. PJ_DECL(pj_status_t) pj_ssl_curve_get_availables(pj_ssl_curve curves[],
  503. unsigned *curve_num);
  504. /**
  505. * Check if the specified curve is supported by SSL/TLS backend.
  506. *
  507. * @param curve The curve.
  508. *
  509. * @return PJ_TRUE when supported.
  510. */
  511. PJ_DECL(pj_bool_t) pj_ssl_curve_is_supported(pj_ssl_curve curve);
  512. /**
  513. * Get curve name string.
  514. *
  515. * @param curve The curve.
  516. *
  517. * @return The curve name or NULL if curve is not recognized/
  518. * supported.
  519. */
  520. PJ_DECL(const char*) pj_ssl_curve_name(pj_ssl_curve curve);
  521. /**
  522. * Get curve ID from curve name string. Note that on different backends
  523. * (e.g. OpenSSL or Symbian implementation), curve names may not be
  524. * equivalent for the same curve ID.
  525. *
  526. * @param curve_name The curve name string.
  527. *
  528. * @return The curve ID or PJ_TLS_UNKNOWN_CURVE if the curve
  529. * name string is not recognized/supported.
  530. */
  531. PJ_DECL(pj_ssl_curve) pj_ssl_curve_id(const char *curve_name);
  532. /**
  533. * Entropy enumeration
  534. */
  535. typedef enum pj_ssl_entropy
  536. {
  537. PJ_SSL_ENTROPY_NONE = 0, /**< None */
  538. PJ_SSL_ENTROPY_EGD = 1, /**< EGD */
  539. PJ_SSL_ENTROPY_RANDOM = 2, /**< Random */
  540. PJ_SSL_ENTROPY_URANDOM = 3, /**< Urandom */
  541. PJ_SSL_ENTROPY_FILE = 4, /**< File */
  542. PJ_SSL_ENTROPY_UNKNOWN = 0x0F /**< Unknown */
  543. } pj_ssl_entropy_t;
  544. /**
  545. * This structure contains the callbacks to be called by the secure socket.
  546. */
  547. typedef struct pj_ssl_sock_cb
  548. {
  549. /**
  550. * This callback is called when a data arrives as the result of
  551. * pj_ssl_sock_start_read().
  552. *
  553. * @param ssock The secure socket.
  554. * @param data The buffer containing the new data, if any. If
  555. * the status argument is non-PJ_SUCCESS, this
  556. * argument may be NULL.
  557. * @param size The length of data in the buffer.
  558. * @param status The status of the read operation. This may contain
  559. * non-PJ_SUCCESS for example when the TCP connection
  560. * has been closed. In this case, the buffer may
  561. * contain left over data from previous callback which
  562. * the application may want to process.
  563. * @param remainder If application wishes to leave some data in the
  564. * buffer (common for TCP applications), it should
  565. * move the remainder data to the front part of the
  566. * buffer and set the remainder length here. The value
  567. * of this parameter will be ignored for datagram
  568. * sockets.
  569. *
  570. * @return PJ_TRUE if further read is desired, and PJ_FALSE
  571. * when application no longer wants to receive data.
  572. * Application may destroy the secure socket in the
  573. * callback and return PJ_FALSE here.
  574. */
  575. pj_bool_t (*on_data_read)(pj_ssl_sock_t *ssock,
  576. void *data,
  577. pj_size_t size,
  578. pj_status_t status,
  579. pj_size_t *remainder);
  580. /**
  581. * This callback is called when a packet arrives as the result of
  582. * pj_ssl_sock_start_recvfrom().
  583. *
  584. * @param ssock The secure socket.
  585. * @param data The buffer containing the packet, if any. If
  586. * the status argument is non-PJ_SUCCESS, this
  587. * argument will be set to NULL.
  588. * @param size The length of packet in the buffer. If
  589. * the status argument is non-PJ_SUCCESS, this
  590. * argument will be set to zero.
  591. * @param src_addr Source address of the packet.
  592. * @param addr_len Length of the source address.
  593. * @param status This contains
  594. *
  595. * @return PJ_TRUE if further read is desired, and PJ_FALSE
  596. * when application no longer wants to receive data.
  597. * Application may destroy the secure socket in the
  598. * callback and return PJ_FALSE here.
  599. */
  600. pj_bool_t (*on_data_recvfrom)(pj_ssl_sock_t *ssock,
  601. void *data,
  602. pj_size_t size,
  603. const pj_sockaddr_t *src_addr,
  604. int addr_len,
  605. pj_status_t status);
  606. /**
  607. * This callback is called when data has been sent.
  608. *
  609. * @param ssock The secure socket.
  610. * @param send_key Key associated with the send operation.
  611. * @param sent If value is positive non-zero it indicates the
  612. * number of data sent. When the value is negative,
  613. * it contains the error code which can be retrieved
  614. * by negating the value (i.e. status=-sent).
  615. *
  616. * @return Application may destroy the secure socket in the
  617. * callback and return PJ_FALSE here.
  618. */
  619. pj_bool_t (*on_data_sent)(pj_ssl_sock_t *ssock,
  620. pj_ioqueue_op_key_t *send_key,
  621. pj_ssize_t sent);
  622. /**
  623. * This callback is called when new connection arrives as the result
  624. * of pj_ssl_sock_start_accept(). If the status of accept operation is
  625. * needed use on_accept_complete2 instead of this callback.
  626. *
  627. * @param ssock The secure socket.
  628. * @param newsock The new incoming secure socket.
  629. * @param src_addr The source address of the connection.
  630. * @param addr_len Length of the source address.
  631. *
  632. * @return PJ_TRUE if further accept() is desired, and PJ_FALSE
  633. * when application no longer wants to accept incoming
  634. * connection. Application may destroy the secure socket
  635. * in the callback and return PJ_FALSE here.
  636. */
  637. pj_bool_t (*on_accept_complete)(pj_ssl_sock_t *ssock,
  638. pj_ssl_sock_t *newsock,
  639. const pj_sockaddr_t *src_addr,
  640. int src_addr_len);
  641. /**
  642. * This callback is called when new connection arrives as the result
  643. * of pj_ssl_sock_start_accept().
  644. *
  645. * @param asock The active socket.
  646. * @param newsock The new incoming socket.
  647. * @param src_addr The source address of the connection.
  648. * @param addr_len Length of the source address.
  649. * @param status The status of the accept operation. This may contain
  650. * non-PJ_SUCCESS for example when the TCP listener is in
  651. * bad state for example on iOS platform after the
  652. * application waking up from background.
  653. *
  654. * @return PJ_TRUE if further accept() is desired, and PJ_FALSE
  655. * when application no longer wants to accept incoming
  656. * connection. Application may destroy the active socket
  657. * in the callback and return PJ_FALSE here.
  658. */
  659. pj_bool_t (*on_accept_complete2)(pj_ssl_sock_t *ssock,
  660. pj_ssl_sock_t *newsock,
  661. const pj_sockaddr_t *src_addr,
  662. int src_addr_len,
  663. pj_status_t status);
  664. /**
  665. * This callback is called when pending connect operation has been
  666. * completed.
  667. *
  668. * @param ssock The secure socket.
  669. * @param status The connection result. If connection has been
  670. * successfully established, the status will contain
  671. * PJ_SUCCESS.
  672. *
  673. * @return Application may destroy the secure socket in the
  674. * callback and return PJ_FALSE here.
  675. */
  676. pj_bool_t (*on_connect_complete)(pj_ssl_sock_t *ssock,
  677. pj_status_t status);
  678. /**
  679. * This callback is called when certificate verification is being done.
  680. * Certification info can be obtained from #pj_ssl_sock_info. Currently
  681. * it's only implemented for OpenSSL backend.
  682. *
  683. * If this is set, the callback will always be invoked, even when peer
  684. * verification is disabled (pj_ssl_sock_param.verify_peer set to
  685. * PJ_FALSE).
  686. *
  687. * @param ssock The secure socket.
  688. * @param is_server PJ_TRUE to indicate an incoming connection.
  689. *
  690. * @return Return PJ_TRUE if verification is successful.
  691. * If verification failed, then the connection will be
  692. * dropped immediately.
  693. *
  694. */
  695. pj_bool_t (*on_verify_cb)(pj_ssl_sock_t *ssock, pj_bool_t is_server);
  696. } pj_ssl_sock_cb;
  697. /**
  698. * Enumeration of secure socket protocol types.
  699. * This can be combined using bitwise OR operation.
  700. */
  701. typedef enum pj_ssl_sock_proto
  702. {
  703. /**
  704. * Default protocol of backend.
  705. */
  706. PJ_SSL_SOCK_PROTO_DEFAULT = 0,
  707. /**
  708. * SSLv2.0 protocol.
  709. */
  710. PJ_SSL_SOCK_PROTO_SSL2 = (1 << 0),
  711. /**
  712. * SSLv3.0 protocol.
  713. */
  714. PJ_SSL_SOCK_PROTO_SSL3 = (1 << 1),
  715. /**
  716. * TLSv1.0 protocol.
  717. */
  718. PJ_SSL_SOCK_PROTO_TLS1 = (1 << 2),
  719. /**
  720. * TLSv1.1 protocol.
  721. */
  722. PJ_SSL_SOCK_PROTO_TLS1_1 = (1 << 3),
  723. /**
  724. * TLSv1.2 protocol.
  725. */
  726. PJ_SSL_SOCK_PROTO_TLS1_2 = (1 << 4),
  727. /**
  728. * TLSv1.3 protocol.
  729. */
  730. PJ_SSL_SOCK_PROTO_TLS1_3 = (1 << 5),
  731. /**
  732. * Certain backend implementation e.g:OpenSSL, has feature to enable all
  733. * protocol.
  734. */
  735. PJ_SSL_SOCK_PROTO_SSL23 = (1 << 16) - 1,
  736. PJ_SSL_SOCK_PROTO_ALL = PJ_SSL_SOCK_PROTO_SSL23,
  737. /**
  738. * DTLSv1.0 protocol.
  739. */
  740. PJ_SSL_SOCK_PROTO_DTLS1 = (1 << 16),
  741. } pj_ssl_sock_proto;
  742. /**
  743. * Definition of secure socket info structure.
  744. */
  745. typedef struct pj_ssl_sock_info
  746. {
  747. /**
  748. * Describes whether secure socket connection is established, i.e: TLS/SSL
  749. * handshaking has been done successfully.
  750. */
  751. pj_bool_t established;
  752. /**
  753. * Describes secure socket protocol being used, see #pj_ssl_sock_proto.
  754. * Use bitwise OR operation to combine the protocol type.
  755. */
  756. pj_uint32_t proto;
  757. /**
  758. * Describes cipher suite being used, this will only be set when connection
  759. * is established.
  760. */
  761. pj_ssl_cipher cipher;
  762. /**
  763. * Describes local address.
  764. */
  765. pj_sockaddr local_addr;
  766. /**
  767. * Describes remote address.
  768. */
  769. pj_sockaddr remote_addr;
  770. /**
  771. * Describes active local certificate info.
  772. */
  773. pj_ssl_cert_info *local_cert_info;
  774. /**
  775. * Describes active remote certificate info.
  776. */
  777. pj_ssl_cert_info *remote_cert_info;
  778. /**
  779. * Status of peer certificate verification.
  780. */
  781. pj_uint32_t verify_status;
  782. /**
  783. * Last native error returned by the backend.
  784. */
  785. unsigned long last_native_err;
  786. /**
  787. * Group lock assigned to the ioqueue key.
  788. */
  789. pj_grp_lock_t *grp_lock;
  790. /**
  791. * Native TLS/SSL instance of the backend. Currently only available for
  792. * OpenSSL backend (this will contain the OpenSSL "SSL" instance).
  793. */
  794. void *native_ssl;
  795. } pj_ssl_sock_info;
  796. /**
  797. * Definition of secure socket creation parameters.
  798. */
  799. typedef struct pj_ssl_sock_param
  800. {
  801. /**
  802. * Optional group lock to be assigned to the ioqueue key.
  803. *
  804. * Note that when a secure socket listener is configured with a group
  805. * lock, any new secure socket of an accepted incoming connection
  806. * will have its own group lock created automatically by the library,
  807. * this group lock can be queried via pj_ssl_sock_get_info() in the info
  808. * field pj_ssl_sock_info::grp_lock.
  809. */
  810. pj_grp_lock_t *grp_lock;
  811. /**
  812. * Specifies socket address family, either pj_AF_INET() and pj_AF_INET6().
  813. *
  814. * Default is pj_AF_INET().
  815. */
  816. int sock_af;
  817. /**
  818. * Specify socket type, either pj_SOCK_DGRAM() or pj_SOCK_STREAM().
  819. *
  820. * Default is pj_SOCK_STREAM().
  821. */
  822. int sock_type;
  823. /**
  824. * Specify the ioqueue to use. Secure socket uses the ioqueue to perform
  825. * active socket operations, see \ref PJ_ACTIVESOCK for more detail.
  826. */
  827. pj_ioqueue_t *ioqueue;
  828. /**
  829. * Specify the timer heap to use. Secure socket uses the timer to provide
  830. * auto cancelation on asynchronous operation when it takes longer time
  831. * than specified timeout period, e.g: security negotiation timeout.
  832. */
  833. pj_timer_heap_t *timer_heap;
  834. /**
  835. * Specify secure socket callbacks, see #pj_ssl_sock_cb.
  836. */
  837. pj_ssl_sock_cb cb;
  838. /**
  839. * Specify secure socket user data.
  840. */
  841. void *user_data;
  842. /**
  843. * Specify security protocol to use, see #pj_ssl_sock_proto. Use bitwise OR
  844. * operation to combine the protocol type.
  845. *
  846. * Default is PJ_SSL_SOCK_PROTO_DEFAULT.
  847. */
  848. pj_uint32_t proto;
  849. /**
  850. * Number of concurrent asynchronous operations that is to be supported
  851. * by the secure socket. This value only affects socket receive and
  852. * accept operations -- the secure socket will issue one or more
  853. * asynchronous read and accept operations based on the value of this
  854. * field. Setting this field to more than one will allow more than one
  855. * incoming data or incoming connections to be processed simultaneously
  856. * on multiprocessor systems, when the ioqueue is polled by more than
  857. * one threads.
  858. *
  859. * The default value is 1.
  860. */
  861. unsigned async_cnt;
  862. /**
  863. * The ioqueue concurrency to be forced on the socket when it is
  864. * registered to the ioqueue. See #pj_ioqueue_set_concurrency() for more
  865. * info about ioqueue concurrency.
  866. *
  867. * When this value is -1, the concurrency setting will not be forced for
  868. * this socket, and the socket will inherit the concurrency setting of
  869. * the ioqueue. When this value is zero, the secure socket will disable
  870. * concurrency for the socket. When this value is +1, the secure socket
  871. * will enable concurrency for the socket.
  872. *
  873. * The default value is -1.
  874. */
  875. int concurrency;
  876. /**
  877. * If this option is specified, the secure socket will make sure that
  878. * asynchronous send operation with stream oriented socket will only
  879. * call the callback after all data has been sent. This means that the
  880. * secure socket will automatically resend the remaining data until
  881. * all data has been sent.
  882. *
  883. * Please note that when this option is specified, it is possible that
  884. * error is reported after partial data has been sent. Also setting
  885. * this will disable the ioqueue concurrency for the socket.
  886. *
  887. * Default value is 1.
  888. */
  889. pj_bool_t whole_data;
  890. /**
  891. * Specify buffer size for sending operation. Buffering sending data
  892. * is used for allowing application to perform multiple outstanding
  893. * send operations. Whenever application specifies this setting too
  894. * small, sending operation may return PJ_ENOMEM.
  895. *
  896. * Default value is 8192 bytes.
  897. */
  898. pj_size_t send_buffer_size;
  899. /**
  900. * Specify buffer size for receiving encrypted (and perhaps compressed)
  901. * data on underlying socket. This setting is unused on Symbian, since
  902. * SSL/TLS Symbian backend, CSecureSocket, can use application buffer
  903. * directly.
  904. *
  905. * Default value is 1500.
  906. */
  907. pj_size_t read_buffer_size;
  908. /**
  909. * Number of ciphers contained in the specified cipher preference.
  910. * If this is set to zero, then the cipher list used will be determined
  911. * by the backend default (for OpenSSL backend, setting
  912. * PJ_SSL_SOCK_OSSL_CIPHERS will be used).
  913. */
  914. unsigned ciphers_num;
  915. /**
  916. * Ciphers and order preference. If empty, then default cipher list and
  917. * its default order of the backend will be used.
  918. */
  919. pj_ssl_cipher *ciphers;
  920. /**
  921. * Number of curves contained in the specified curve preference.
  922. * If this is set to zero, then default curve list of the backend
  923. * will be used.
  924. *
  925. * Default: 0 (zero).
  926. */
  927. unsigned curves_num;
  928. /**
  929. * Curves and order preference. The #pj_ssl_curve_get_availables()
  930. * can be used to check the available curves supported by backend.
  931. */
  932. pj_ssl_curve *curves;
  933. /**
  934. * The supported signature algorithms. Set the sigalgs string
  935. * using this form:
  936. * "<DIGEST>+<ALGORITHM>:<DIGEST>+<ALGORITHM>"
  937. * Digests are: "RSA", "DSA" or "ECDSA"
  938. * Algorithms are: "MD5", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512"
  939. * Example: "ECDSA+SHA256:RSA+SHA256"
  940. */
  941. pj_str_t sigalgs;
  942. /**
  943. * Reseed random number generator.
  944. * For type #PJ_SSL_ENTROPY_FILE, parameter \a entropy_path
  945. * must be set to a file.
  946. * For type #PJ_SSL_ENTROPY_EGD, parameter \a entropy_path
  947. * must be set to a socket.
  948. *
  949. * Default value is PJ_SSL_ENTROPY_NONE.
  950. */
  951. pj_ssl_entropy_t entropy_type;
  952. /**
  953. * When using a file/socket for entropy #PJ_SSL_ENTROPY_EGD or
  954. * #PJ_SSL_ENTROPY_FILE, \a entropy_path must contain the path
  955. * to entropy socket/file.
  956. *
  957. * Default value is an empty string.
  958. */
  959. pj_str_t entropy_path;
  960. /**
  961. * Security negotiation timeout. If this is set to zero (both sec and
  962. * msec), the negotiation doesn't have a timeout.
  963. *
  964. * Default value is zero.
  965. */
  966. pj_time_val timeout;
  967. /**
  968. * Specify whether endpoint should verify peer certificate.
  969. *
  970. * Default value is PJ_FALSE.
  971. */
  972. pj_bool_t verify_peer;
  973. /**
  974. * When secure socket is acting as server (handles incoming connection),
  975. * it will require the client to provide certificate.
  976. *
  977. * Default value is PJ_FALSE.
  978. */
  979. pj_bool_t require_client_cert;
  980. /**
  981. * Server name indication. When secure socket is acting as client
  982. * (perform outgoing connection) and the server may host multiple
  983. * 'virtual' servers at a single underlying network address, setting
  984. * this will allow client to tell the server a name of the server
  985. * it is contacting. This must be set to hostname and literal IP addresses
  986. * are not allowed.
  987. *
  988. * Default value is zero/not-set.
  989. */
  990. pj_str_t server_name;
  991. /**
  992. * Specify if SO_REUSEADDR should be used for listening socket. This
  993. * option will only be used with accept() operation.
  994. *
  995. * Default is PJ_FALSE.
  996. */
  997. pj_bool_t reuse_addr;
  998. /**
  999. * QoS traffic type to be set on this transport. When application wants
  1000. * to apply QoS tagging to the transport, it's preferable to set this
  1001. * field rather than \a qos_param fields since this is more portable.
  1002. *
  1003. * Default value is PJ_QOS_TYPE_BEST_EFFORT.
  1004. */
  1005. pj_qos_type qos_type;
  1006. /**
  1007. * Set the low level QoS parameters to the transport. This is a lower
  1008. * level operation than setting the \a qos_type field and may not be
  1009. * supported on all platforms.
  1010. *
  1011. * By default all settings in this structure are disabled.
  1012. */
  1013. pj_qos_params qos_params;
  1014. /**
  1015. * Specify if the transport should ignore any errors when setting the QoS
  1016. * traffic type/parameters.
  1017. *
  1018. * Default: PJ_TRUE
  1019. */
  1020. pj_bool_t qos_ignore_error;
  1021. /**
  1022. * Specify options to be set on the transport.
  1023. *
  1024. * For GnuTLS backend, by default TCP_NODELAY will be set. For other
  1025. * SSL backends, the default is no options.
  1026. *
  1027. */
  1028. pj_sockopt_params sockopt_params;
  1029. /**
  1030. * Specify if the transport should ignore any errors when setting the
  1031. * sockopt parameters.
  1032. *
  1033. * Default: PJ_TRUE
  1034. *
  1035. */
  1036. pj_bool_t sockopt_ignore_error;
  1037. /**
  1038. * Specify if should set close-on-exec flag for socket.
  1039. *
  1040. * Default: PJ_TRUE
  1041. */
  1042. pj_bool_t sock_cloexec;
  1043. /**
  1044. * Specify if renegotiation is enabled for TLSv1.2 or earlier.
  1045. *
  1046. * Default: PJ_TRUE
  1047. */
  1048. pj_bool_t enable_renegotiation;
  1049. } pj_ssl_sock_param;
  1050. /**
  1051. * The parameter for pj_ssl_sock_start_connect2().
  1052. */
  1053. typedef struct pj_ssl_start_connect_param {
  1054. /**
  1055. * The pool to allocate some internal data for the operation.
  1056. */
  1057. pj_pool_t *pool;
  1058. /**
  1059. * Local address.
  1060. */
  1061. const pj_sockaddr_t *localaddr;
  1062. /**
  1063. * Port range for socket binding, relative to the start port number
  1064. * specified in \a localaddr. This is only applicable when the start port
  1065. * number is non zero.
  1066. */
  1067. pj_uint16_t local_port_range;
  1068. /**
  1069. * Remote address.
  1070. */
  1071. const pj_sockaddr_t *remaddr;
  1072. /**
  1073. * Length of buffer containing above addresses.
  1074. */
  1075. int addr_len;
  1076. } pj_ssl_start_connect_param;
  1077. /**
  1078. * Initialize the secure socket parameters for its creation with
  1079. * the default values.
  1080. *
  1081. * @param param The parameter to be initialized.
  1082. */
  1083. PJ_DECL(void) pj_ssl_sock_param_default(pj_ssl_sock_param *param);
  1084. /**
  1085. * Duplicate pj_ssl_sock_param.
  1086. *
  1087. * @param pool Pool to allocate memory.
  1088. * @param dst Destination parameter.
  1089. * @param src Source parameter.
  1090. */
  1091. PJ_DECL(void) pj_ssl_sock_param_copy(pj_pool_t *pool,
  1092. pj_ssl_sock_param *dst,
  1093. const pj_ssl_sock_param *src);
  1094. /**
  1095. * Create secure socket instance.
  1096. *
  1097. * @param pool The pool for allocating secure socket instance.
  1098. * @param param The secure socket parameter, see #pj_ssl_sock_param.
  1099. * @param p_ssock Pointer to secure socket instance to be created.
  1100. *
  1101. * @return PJ_SUCCESS when successful.
  1102. */
  1103. PJ_DECL(pj_status_t) pj_ssl_sock_create(pj_pool_t *pool,
  1104. const pj_ssl_sock_param *param,
  1105. pj_ssl_sock_t **p_ssock);
  1106. /**
  1107. * Set secure socket certificate or credentials. Credentials may include
  1108. * certificate, private key and trusted Certification Authorities list.
  1109. * Normally, server socket must provide certificate (and private key).
  1110. * Socket client may also need to provide certificate in case requested
  1111. * by the server.
  1112. *
  1113. * @param ssock The secure socket instance.
  1114. * @param pool The pool.
  1115. * @param cert The endpoint certificate/credentials, see
  1116. * #pj_ssl_cert_t.
  1117. *
  1118. * @return PJ_SUCCESS if the operation has been successful,
  1119. * or the appropriate error code on failure.
  1120. */
  1121. PJ_DECL(pj_status_t) pj_ssl_sock_set_certificate(
  1122. pj_ssl_sock_t *ssock,
  1123. pj_pool_t *pool,
  1124. const pj_ssl_cert_t *cert);
  1125. /**
  1126. * Close and destroy the secure socket.
  1127. *
  1128. * @param ssock The secure socket.
  1129. *
  1130. * @return PJ_SUCCESS if the operation has been successful,
  1131. * or the appropriate error code on failure.
  1132. */
  1133. PJ_DECL(pj_status_t) pj_ssl_sock_close(pj_ssl_sock_t *ssock);
  1134. /**
  1135. * Associate arbitrary data with the secure socket. Application may
  1136. * inspect this data in the callbacks and associate it with higher
  1137. * level processing.
  1138. *
  1139. * @param ssock The secure socket.
  1140. * @param user_data The user data to be associated with the secure
  1141. * socket.
  1142. *
  1143. * @return PJ_SUCCESS if the operation has been successful,
  1144. * or the appropriate error code on failure.
  1145. */
  1146. PJ_DECL(pj_status_t) pj_ssl_sock_set_user_data(pj_ssl_sock_t *ssock,
  1147. void *user_data);
  1148. /**
  1149. * Retrieve the user data previously associated with this secure
  1150. * socket.
  1151. *
  1152. * @param ssock The secure socket.
  1153. *
  1154. * @return The user data.
  1155. */
  1156. PJ_DECL(void*) pj_ssl_sock_get_user_data(pj_ssl_sock_t *ssock);
  1157. /**
  1158. * Retrieve the local address and port used by specified secure socket.
  1159. *
  1160. * @param ssock The secure socket.
  1161. * @param info The info buffer to be set, see #pj_ssl_sock_info.
  1162. *
  1163. * @return PJ_SUCCESS on successful.
  1164. */
  1165. PJ_DECL(pj_status_t) pj_ssl_sock_get_info(pj_ssl_sock_t *ssock,
  1166. pj_ssl_sock_info *info);
  1167. /**
  1168. * Starts read operation on this secure socket. This function will create
  1169. * \a async_cnt number of buffers (the \a async_cnt parameter was given
  1170. * in \a pj_ssl_sock_create() function) where each buffer is \a buff_size
  1171. * long. The buffers are allocated from the specified \a pool. Once the
  1172. * buffers are created, it then issues \a async_cnt number of asynchronous
  1173. * \a recv() operations to the socket and returns back to caller. Incoming
  1174. * data on the socket will be reported back to application via the
  1175. * \a on_data_read() callback.
  1176. *
  1177. * Application only needs to call this function once to initiate read
  1178. * operations. Further read operations will be done automatically by the
  1179. * secure socket when \a on_data_read() callback returns non-zero.
  1180. *
  1181. * @param ssock The secure socket.
  1182. * @param pool Pool used to allocate buffers for incoming data.
  1183. * @param buff_size The size of each buffer, in bytes.
  1184. * @param flags Flags to be given to pj_ioqueue_recv().
  1185. *
  1186. * @return PJ_SUCCESS if the operation has been successful,
  1187. * or the appropriate error code on failure.
  1188. */
  1189. PJ_DECL(pj_status_t) pj_ssl_sock_start_read(pj_ssl_sock_t *ssock,
  1190. pj_pool_t *pool,
  1191. unsigned buff_size,
  1192. pj_uint32_t flags);
  1193. /**
  1194. * Same as #pj_ssl_sock_start_read(), except that the application
  1195. * supplies the buffers for the read operation so that the acive socket
  1196. * does not have to allocate the buffers.
  1197. *
  1198. * @param ssock The secure socket.
  1199. * @param pool Pool used to allocate buffers for incoming data.
  1200. * @param buff_size The size of each buffer, in bytes.
  1201. * @param readbuf Array of packet buffers, each has buff_size size.
  1202. * @param flags Flags to be given to pj_ioqueue_recv().
  1203. *
  1204. * @return PJ_SUCCESS if the operation has been successful,
  1205. * or the appropriate error code on failure.
  1206. */
  1207. PJ_DECL(pj_status_t) pj_ssl_sock_start_read2(pj_ssl_sock_t *ssock,
  1208. pj_pool_t *pool,
  1209. unsigned buff_size,
  1210. void *readbuf[],
  1211. pj_uint32_t flags);
  1212. /**
  1213. * Same as pj_ssl_sock_start_read(), except that this function is used
  1214. * only for datagram sockets, and it will trigger \a on_data_recvfrom()
  1215. * callback instead.
  1216. *
  1217. * @param ssock The secure socket.
  1218. * @param pool Pool used to allocate buffers for incoming data.
  1219. * @param buff_size The size of each buffer, in bytes.
  1220. * @param flags Flags to be given to pj_ioqueue_recvfrom().
  1221. *
  1222. * @return PJ_SUCCESS if the operation has been successful,
  1223. * or the appropriate error code on failure.
  1224. */
  1225. PJ_DECL(pj_status_t) pj_ssl_sock_start_recvfrom(pj_ssl_sock_t *ssock,
  1226. pj_pool_t *pool,
  1227. unsigned buff_size,
  1228. pj_uint32_t flags);
  1229. /**
  1230. * Same as #pj_ssl_sock_start_recvfrom() except that the recvfrom()
  1231. * operation takes the buffer from the argument rather than creating
  1232. * new ones.
  1233. *
  1234. * @param ssock The secure socket.
  1235. * @param pool Pool used to allocate buffers for incoming data.
  1236. * @param buff_size The size of each buffer, in bytes.
  1237. * @param readbuf Array of packet buffers, each has buff_size size.
  1238. * @param flags Flags to be given to pj_ioqueue_recvfrom().
  1239. *
  1240. * @return PJ_SUCCESS if the operation has been successful,
  1241. * or the appropriate error code on failure.
  1242. */
  1243. PJ_DECL(pj_status_t) pj_ssl_sock_start_recvfrom2(pj_ssl_sock_t *ssock,
  1244. pj_pool_t *pool,
  1245. unsigned buff_size,
  1246. void *readbuf[],
  1247. pj_uint32_t flags);
  1248. /**
  1249. * Send data using the socket.
  1250. *
  1251. * @param ssock The secure socket.
  1252. * @param send_key The operation key to send the data, which is useful
  1253. * if application wants to submit multiple pending
  1254. * send operations and want to track which exact data
  1255. * has been sent in the \a on_data_sent() callback.
  1256. * @param data The data to be sent. This data must remain valid
  1257. * until the data has been sent.
  1258. * @param size The size of the data.
  1259. * @param flags Flags to be given to pj_ioqueue_send().
  1260. *
  1261. * @return PJ_SUCCESS if data has been sent immediately, or
  1262. * PJ_EPENDING if data cannot be sent immediately or
  1263. * PJ_ENOMEM when sending buffer could not handle all
  1264. * queued data, see \a send_buffer_size. The callback
  1265. * \a on_data_sent() will be called when data is actually
  1266. * sent. Any other return value indicates error condition.
  1267. */
  1268. PJ_DECL(pj_status_t) pj_ssl_sock_send(pj_ssl_sock_t *ssock,
  1269. pj_ioqueue_op_key_t *send_key,
  1270. const void *data,
  1271. pj_ssize_t *size,
  1272. unsigned flags);
  1273. /**
  1274. * Send datagram using the socket.
  1275. *
  1276. * @param ssock The secure socket.
  1277. * @param send_key The operation key to send the data, which is useful
  1278. * if application wants to submit multiple pending
  1279. * send operations and want to track which exact data
  1280. * has been sent in the \a on_data_sent() callback.
  1281. * @param data The data to be sent. This data must remain valid
  1282. * until the data has been sent.
  1283. * @param size The size of the data.
  1284. * @param flags Flags to be given to pj_ioqueue_send().
  1285. * @param addr The destination address.
  1286. * @param addr_len Length of buffer containing destination address.
  1287. *
  1288. * @return PJ_SUCCESS if data has been sent immediately, or
  1289. * PJ_EPENDING if data cannot be sent immediately. In
  1290. * this case the \a on_data_sent() callback will be
  1291. * called when data is actually sent. Any other return
  1292. * value indicates error condition.
  1293. */
  1294. PJ_DECL(pj_status_t) pj_ssl_sock_sendto(pj_ssl_sock_t *ssock,
  1295. pj_ioqueue_op_key_t *send_key,
  1296. const void *data,
  1297. pj_ssize_t *size,
  1298. unsigned flags,
  1299. const pj_sockaddr_t *addr,
  1300. int addr_len);
  1301. /**
  1302. * Starts asynchronous socket accept() operations on this secure socket.
  1303. * This function will issue \a async_cnt number of asynchronous \a accept()
  1304. * operations to the socket and returns back to caller. Incoming
  1305. * connection on the socket will be reported back to application via the
  1306. * \a on_accept_complete() callback.
  1307. *
  1308. * Application only needs to call this function once to initiate accept()
  1309. * operations. Further accept() operations will be done automatically by
  1310. * the secure socket when \a on_accept_complete() callback returns non-zero.
  1311. *
  1312. * @param ssock The secure socket.
  1313. * @param pool Pool used to allocate some internal data for the
  1314. * operation.
  1315. * @param local_addr Local address to bind on.
  1316. * @param addr_len Length of buffer containing local address.
  1317. *
  1318. * @return PJ_SUCCESS if the operation has been successful,
  1319. * or the appropriate error code on failure.
  1320. */
  1321. PJ_DECL(pj_status_t) pj_ssl_sock_start_accept(pj_ssl_sock_t *ssock,
  1322. pj_pool_t *pool,
  1323. const pj_sockaddr_t *local_addr,
  1324. int addr_len);
  1325. /**
  1326. * Same as #pj_ssl_sock_start_accept(), but application can provide
  1327. * a secure socket parameter, which will be used to create a new secure
  1328. * socket reported in \a on_accept_complete() callback when there is
  1329. * an incoming connection.
  1330. *
  1331. * @param ssock The secure socket.
  1332. * @param pool Pool used to allocate some internal data for the
  1333. * operation.
  1334. * @param local_addr Local address to bind on.
  1335. * @param addr_len Length of buffer containing local address.
  1336. * @param newsock_param Secure socket parameter for new accepted sockets.
  1337. *
  1338. * @return PJ_SUCCESS if the operation has been successful,
  1339. * or the appropriate error code on failure.
  1340. */
  1341. PJ_DECL(pj_status_t)
  1342. pj_ssl_sock_start_accept2(pj_ssl_sock_t *ssock,
  1343. pj_pool_t *pool,
  1344. const pj_sockaddr_t *local_addr,
  1345. int addr_len,
  1346. const pj_ssl_sock_param *newsock_param);
  1347. /**
  1348. * Starts asynchronous socket connect() operation and SSL/TLS handshaking
  1349. * for this socket. Once the connection is done (either successfully or not),
  1350. * the \a on_connect_complete() callback will be called.
  1351. *
  1352. * @param ssock The secure socket.
  1353. * @param pool The pool to allocate some internal data for the
  1354. * operation.
  1355. * @param localaddr Local address.
  1356. * @param remaddr Remote address.
  1357. * @param addr_len Length of buffer containing above addresses.
  1358. *
  1359. * @return PJ_SUCCESS if connection can be established immediately
  1360. * or PJ_EPENDING if connection cannot be established
  1361. * immediately. In this case the \a on_connect_complete()
  1362. * callback will be called when connection is complete.
  1363. * Any other return value indicates error condition.
  1364. */
  1365. PJ_DECL(pj_status_t) pj_ssl_sock_start_connect(pj_ssl_sock_t *ssock,
  1366. pj_pool_t *pool,
  1367. const pj_sockaddr_t *localaddr,
  1368. const pj_sockaddr_t *remaddr,
  1369. int addr_len);
  1370. /**
  1371. * Same as #pj_ssl_sock_start_connect(), but application can provide a
  1372. * \a port_range parameter, which will be used to bind the socket to
  1373. * random port.
  1374. *
  1375. * @param ssock The secure socket.
  1376. *
  1377. * @param connect_param The parameter, refer to \a pj_ssl_start_connect_param.
  1378. *
  1379. * @return PJ_SUCCESS if connection can be established immediately
  1380. * or PJ_EPENDING if connection cannot be established
  1381. * immediately. In this case the \a on_connect_complete()
  1382. * callback will be called when connection is complete.
  1383. * Any other return value indicates error condition.
  1384. */
  1385. PJ_DECL(pj_status_t) pj_ssl_sock_start_connect2(
  1386. pj_ssl_sock_t *ssock,
  1387. pj_ssl_start_connect_param *connect_param);
  1388. /**
  1389. * Starts SSL/TLS renegotiation over an already established SSL connection
  1390. * for this socket. This operation is performed transparently, no callback
  1391. * will be called once the renegotiation completed successfully. However,
  1392. * when the renegotiation fails, the connection will be closed and callback
  1393. * \a on_data_read() will be invoked with non-PJ_SUCCESS status code.
  1394. *
  1395. * @param ssock The secure socket.
  1396. *
  1397. * @return PJ_SUCCESS if renegotiation is completed immediately,
  1398. * or PJ_EPENDING if renegotiation has been started and
  1399. * waiting for completion, or the appropriate error code
  1400. * on failure.
  1401. */
  1402. PJ_DECL(pj_status_t) pj_ssl_sock_renegotiate(pj_ssl_sock_t *ssock);
  1403. /**
  1404. * @}
  1405. */
  1406. PJ_END_DECL
  1407. #endif /* __PJ_SSL_SOCK_H__ */