voice-gateway/pjlib/include/pj/ssl_sock.h

/* 
 * Copyright (C) 2009-2011 Teluu Inc. (http://www.teluu.com)
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA 
 */
#ifndef __PJ_SSL_SOCK_H__
#define __PJ_SSL_SOCK_H__

/**
 * @file ssl_sock.h
 * @brief Secure socket
 */

#include <pj/ioqueue.h>
#include <pj/sock.h>
#include <pj/sock_qos.h>


PJ_BEGIN_DECL

/**
 * @defgroup PJ_SSL_SOCK Secure socket I/O
 * @brief Secure socket provides security on socket operation using standard
 * security protocols such as SSL and TLS.
 * @ingroup PJ_IO
 * @{
 *
 * Secure socket wraps normal socket and applies security features, i.e: 
 * privacy and data integrity, on the socket traffic, using standard security
 * protocols such as SSL and TLS.
 *
 * Secure socket employs active socket operations, which is similar to (and
 * described more detail) in \ref PJ_ACTIVESOCK.
 */


 /**
 * This opaque structure describes the secure socket.
 */
typedef struct pj_ssl_sock_t pj_ssl_sock_t;


/**
 * Opaque declaration of endpoint certificate or credentials. This may contains
 * certificate, private key, and trusted Certificate Authorities list.
 */
typedef struct pj_ssl_cert_t pj_ssl_cert_t;


/**
 * Bitwise flag for SSL certificate verification.
 */
typedef enum pj_ssl_cert_verify_flag_t
{
    /**
     * No error in verification.
     */
    PJ_SSL_CERT_ESUCCESS                                = 0,

    /**
     * The issuer certificate cannot be found.
     */
    PJ_SSL_CERT_EISSUER_NOT_FOUND                       = (1 << 0),

    /**
     * The certificate is untrusted.
     */
    PJ_SSL_CERT_EUNTRUSTED                              = (1 << 1),

    /**
     * The certificate has expired or not yet valid.
     */
    PJ_SSL_CERT_EVALIDITY_PERIOD                        = (1 << 2),

    /**
     * One or more fields of the certificate cannot be decoded due to
     * invalid format.
     */
    PJ_SSL_CERT_EINVALID_FORMAT                         = (1 << 3),

    /**
     * The certificate cannot be used for the specified purpose.
     */
    PJ_SSL_CERT_EINVALID_PURPOSE                        = (1 << 4),

    /**
     * The issuer info in the certificate does not match to the (candidate) 
     * issuer certificate, e.g: issuer name not match to subject name
     * of (candidate) issuer certificate.
     */
    PJ_SSL_CERT_EISSUER_MISMATCH                        = (1 << 5),

    /**
     * The CRL certificate cannot be found or cannot be read properly.
     */
    PJ_SSL_CERT_ECRL_FAILURE                            = (1 << 6),

    /**
     * The certificate has been revoked.
     */
    PJ_SSL_CERT_EREVOKED                                = (1 << 7),

    /**
     * The certificate chain length is too long.
     */
    PJ_SSL_CERT_ECHAIN_TOO_LONG                         = (1 << 8),

    /**
     * The certificate signature is created using a weak hashing algorithm.
     */
    PJ_SSL_CERT_EWEAK_SIGNATURE                         = (1 << 9),

    /**
     * The server identity does not match to any identities specified in 
     * the certificate, e.g: subjectAltName extension, subject common name.
     * This flag will only be set by application as SSL socket does not 
     * perform server identity verification.
     */
    PJ_SSL_CERT_EIDENTITY_NOT_MATCH                     = (1 << 30),

    /**
     * Unknown verification error.
     */
    PJ_SSL_CERT_EUNKNOWN                                = (1 << 31)

} pj_ssl_cert_verify_flag_t;


/**
 * Type of SSL certificate name.
 */
typedef enum pj_ssl_cert_name_type
{
    PJ_SSL_CERT_NAME_UNKNOWN = 0,
    PJ_SSL_CERT_NAME_RFC822,
    PJ_SSL_CERT_NAME_DNS,
    PJ_SSL_CERT_NAME_URI,
    PJ_SSL_CERT_NAME_IP
} pj_ssl_cert_name_type;

/**
 * Field type for looking up SSL certificate in the certificate stores.
 */
typedef enum pj_ssl_cert_lookup_type
{
    /**
     * No certificate to be looked up.
     */
    PJ_SSL_CERT_LOOKUP_NONE,

    /**
     * Lookup by subject, this will lookup any first certificate whose
     * subject containing the specified keyword. Note that subject may not
     * be unique in the store, so the lookup may end up selecting a wrong
     * certificate.
     */
    PJ_SSL_CERT_LOOKUP_SUBJECT,

    /**
     * Lookup by fingerprint/thumbprint (SHA1 hash), this will lookup
     * any first certificate whose fingerprint matching the specified
     * keyword. The keyword is an array of hash octets.
     */
    PJ_SSL_CERT_LOOKUP_FINGERPRINT,

    /**
     * Lookup by friendly name, this will lookup any first certificate
     * whose friendly name containing the specified keyword. Note that
     * friendly name may not be unique in the store, so the lookup may end up
     * selecting a wrong certificate.
     */
    PJ_SSL_CERT_LOOKUP_FRIENDLY_NAME

} pj_ssl_cert_lookup_type;

/**
 * Describe structure of certificate lookup criteria.
 */
typedef struct pj_ssl_cert_lookup_criteria
{
    /**
     * Certificate field type to look.
     */
    pj_ssl_cert_lookup_type type;

    /*
     * Keyword to match on the field specified in \a type.
     */
    pj_str_t                keyword;

} pj_ssl_cert_lookup_criteria;


/**
 * Describe structure of certificate info.
 */
typedef struct pj_ssl_cert_info {

    unsigned    version;            /**< Certificate version    */

    pj_uint8_t  serial_no[20];      /**< Serial number, array of
                                         octets, first index is
                                         MSB                    */

    struct {
        pj_str_t        cn;         /**< Common name            */
        pj_str_t        info;       /**< One line subject, fields
                                         are separated by slash, e.g:
                                         "CN=sample.org/OU=HRD" */
    } subject;                      /**< Subject                */

    struct {
        pj_str_t        cn;         /**< Common name            */
        pj_str_t        info;       /**< One line subject, fields
                                         are separated by slash.*/
    } issuer;                       /**< Issuer                 */

    struct {
        pj_time_val     start;      /**< Validity start         */
        pj_time_val     end;        /**< Validity end           */
        pj_bool_t       gmt;        /**< Flag if validity date/time 
                                         use GMT                */
    } validity;                     /**< Validity               */

    struct {
        unsigned        cnt;        /**< # of entry             */
        struct {
            pj_ssl_cert_name_type type;
                                    /**< Name type              */
            pj_str_t    name;       /**< The name               */
        } *entry;                   /**< Subject alt name entry */
    } subj_alt_name;                /**< Subject alternative
                                         name extension         */

    pj_str_t raw;                   /**< Raw certificate in PEM format, only
                                         available for remote certificate. */

    struct {
        unsigned        cnt;        /**< # of entry     */
        pj_str_t       *cert_raw;
    } raw_chain;

} pj_ssl_cert_info;

/**
 * The SSL certificate buffer.
 */
typedef pj_str_t pj_ssl_cert_buffer;

/**
 * Create credential from files. TLS server application can provide multiple
 * certificates (RSA, ECC, and DSA) by supplying certificate name with "_rsa"
 * suffix, e.g: "pjsip_rsa.pem", the library will automatically check for
 * other certificates with "_ecc" and "_dsa" suffix.
 *
 * @param pool          The pool.
 * @param CA_file       The file of trusted CA list.
 * @param cert_file     The file of certificate.
 * @param privkey_file  The file of private key.
 * @param privkey_pass  The password of private key, if any.
 * @param p_cert        Pointer to credential instance to be created.
 *
 * @return              PJ_SUCCESS when successful.
 */
PJ_DECL(pj_status_t) pj_ssl_cert_load_from_files(pj_pool_t *pool,
                                                 const pj_str_t *CA_file,
                                                 const pj_str_t *cert_file,
                                                 const pj_str_t *privkey_file,
                                                 const pj_str_t *privkey_pass,
                                                 pj_ssl_cert_t **p_cert);

/**
 * Create credential from files. TLS server application can provide multiple
 * certificates (RSA, ECC, and DSA) by supplying certificate name with "_rsa"
 * suffix, e.g: "pjsip_rsa.pem", the library will automatically check for
 * other certificates with "_ecc" and "_dsa" suffix.
 *
 * This is the same as pj_ssl_cert_load_from_files() but also
 * accepts an additional param CA_path to load CA certificates from
 * a directory.
 *
 * @param pool          The pool.
 * @param CA_file       The file of trusted CA list.
 * @param CA_path       The path to a directory of trusted CA list.
 * @param cert_file     The file of certificate.
 * @param privkey_file  The file of private key.
 * @param privkey_pass  The password of private key, if any.
 * @param p_cert        Pointer to credential instance to be created.
 *
 * @return              PJ_SUCCESS when successful.
 */
PJ_DECL(pj_status_t) pj_ssl_cert_load_from_files2(
                                                pj_pool_t *pool,
                                                const pj_str_t *CA_file,
                                                const pj_str_t *CA_path,
                                                const pj_str_t *cert_file,
                                                const pj_str_t *privkey_file,
                                                const pj_str_t *privkey_pass,
                                                pj_ssl_cert_t **p_cert);


/**
 * Create credential from data buffer. The certificate expected is in 
 * PEM format.
 *
 * @param pool          The pool.
 * @param CA_buf        The buffer of trusted CA list.
 * @param cert_buf      The buffer of certificate.
 * @param privkey_buf   The buffer of private key.
 * @param privkey_pass  The password of private key, if any.
 * @param p_cert        Pointer to credential instance to be created.
 *
 * @return              PJ_SUCCESS when successful.
 */
PJ_DECL(pj_status_t) pj_ssl_cert_load_from_buffer(pj_pool_t *pool,
                                        const pj_ssl_cert_buffer *CA_buf,
                                        const pj_ssl_cert_buffer *cert_buf,
                                        const pj_ssl_cert_buffer *privkey_buf,
                                        const pj_str_t *privkey_pass,
                                        pj_ssl_cert_t **p_cert);

/**
 * Create credential from OS certificate store, this function will lookup
 * certificate using the specified criterias.
 *
 * Currently this is used by Windows Schannel backend only, it will lookup
 * in the Current User store first, if no certificate with the specified
 * criteria is not found, it will lookup in the Local Machine store.
 *
 * Note that for manual verification (e.g: when pj_ssl_sock_param.verify_peer
 * is disabled), the backend will provide pre-verification result against
 * trusted CA certificates in Current User store only (will not check CA
 * certificates in the Local Machine store).
 *
 * @param pool              The pool.
 * @param criteria          The lookup criteria.
 * @param p_cert            Pointer to credential instance to be created.
 *
 * @return                  PJ_SUCCESS when successful.
 */
PJ_DECL(pj_status_t) pj_ssl_cert_load_from_store(
                                pj_pool_t *pool,
                                const pj_ssl_cert_lookup_criteria *criteria,
                                pj_ssl_cert_t **p_cert);

/**
 * Dump SSL certificate info.
 *
 * @param ci            The certificate info.
 * @param indent        String for left indentation.
 * @param buf           The buffer where certificate info will be printed on.
 * @param buf_size      The buffer size.
 *
 * @return              The length of the dump result, or -1 when buffer size
 *                      is not sufficient.
 */
PJ_DECL(pj_ssize_t) pj_ssl_cert_info_dump(const pj_ssl_cert_info *ci,
                                          const char *indent,
                                          char *buf,
                                          pj_size_t buf_size);


/**
 * Get SSL certificate verification error messages from verification status.
 *
 * @param verify_status The SSL certificate verification status.
 * @param error_strings Array of strings to receive the verification error 
 *                      messages.
 * @param count         On input it specifies maximum error messages should be
 *                      retrieved. On output it specifies the number of error
 *                      messages retrieved.
 *
 * @return              PJ_SUCCESS when successful.
 */
PJ_DECL(pj_status_t) pj_ssl_cert_get_verify_status_strings(
                                                 pj_uint32_t verify_status, 
                                                 const char *error_strings[],
                                                 unsigned *count);

/** 
 * Wipe out the keys in the SSL certificate. 
 *
 * @param cert          The SSL certificate. 
 *
 */
PJ_DECL(void) pj_ssl_cert_wipe_keys(pj_ssl_cert_t *cert);


/** 
 * Cipher suites enumeration.
 */
typedef enum pj_ssl_cipher {

    /* Unsupported cipher */
    PJ_TLS_UNKNOWN_CIPHER                       = -1,

    /* NULL */
    PJ_TLS_NULL_WITH_NULL_NULL                  = 0x00000000,

    /* TLS/SSLv3 */
    PJ_TLS_RSA_WITH_NULL_MD5                    = 0x00000001,
    PJ_TLS_RSA_WITH_NULL_SHA                    = 0x00000002,
    PJ_TLS_RSA_WITH_NULL_SHA256                 = 0x0000003B,
    PJ_TLS_RSA_WITH_RC4_128_MD5                 = 0x00000004,
    PJ_TLS_RSA_WITH_RC4_128_SHA                 = 0x00000005,
    PJ_TLS_RSA_WITH_3DES_EDE_CBC_SHA            = 0x0000000A,
    PJ_TLS_RSA_WITH_AES_128_CBC_SHA             = 0x0000002F,
    PJ_TLS_RSA_WITH_AES_256_CBC_SHA             = 0x00000035,
    PJ_TLS_RSA_WITH_AES_128_CBC_SHA256          = 0x0000003C,
    PJ_TLS_RSA_WITH_AES_256_CBC_SHA256          = 0x0000003D,
    PJ_TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA         = 0x0000000D,
    PJ_TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA         = 0x00000010,
    PJ_TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA        = 0x00000013,
    PJ_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA        = 0x00000016,
    PJ_TLS_DH_DSS_WITH_AES_128_CBC_SHA          = 0x00000030,
    PJ_TLS_DH_RSA_WITH_AES_128_CBC_SHA          = 0x00000031,
    PJ_TLS_DHE_DSS_WITH_AES_128_CBC_SHA         = 0x00000032,
    PJ_TLS_DHE_RSA_WITH_AES_128_CBC_SHA         = 0x00000033,
    PJ_TLS_DH_DSS_WITH_AES_256_CBC_SHA          = 0x00000036,
    PJ_TLS_DH_RSA_WITH_AES_256_CBC_SHA          = 0x00000037,
    PJ_TLS_DHE_DSS_WITH_AES_256_CBC_SHA         = 0x00000038,
    PJ_TLS_DHE_RSA_WITH_AES_256_CBC_SHA         = 0x00000039,
    PJ_TLS_DH_DSS_WITH_AES_128_CBC_SHA256       = 0x0000003E,
    PJ_TLS_DH_RSA_WITH_AES_128_CBC_SHA256       = 0x0000003F,
    PJ_TLS_DHE_DSS_WITH_AES_128_CBC_SHA256      = 0x00000040,
    PJ_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256      = 0x00000067,
    PJ_TLS_DH_DSS_WITH_AES_256_CBC_SHA256       = 0x00000068,
    PJ_TLS_DH_RSA_WITH_AES_256_CBC_SHA256       = 0x00000069,
    PJ_TLS_DHE_DSS_WITH_AES_256_CBC_SHA256      = 0x0000006A,
    PJ_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256      = 0x0000006B,
    PJ_TLS_DH_anon_WITH_RC4_128_MD5             = 0x00000018,
    PJ_TLS_DH_anon_WITH_3DES_EDE_CBC_SHA        = 0x0000001B,
    PJ_TLS_DH_anon_WITH_AES_128_CBC_SHA         = 0x00000034,
    PJ_TLS_DH_anon_WITH_AES_256_CBC_SHA         = 0x0000003A,
    PJ_TLS_DH_anon_WITH_AES_128_CBC_SHA256      = 0x0000006C,
    PJ_TLS_DH_anon_WITH_AES_256_CBC_SHA256      = 0x0000006D,

    /* TLS (deprecated) */
    PJ_TLS_RSA_EXPORT_WITH_RC4_40_MD5           = 0x00000003,
    PJ_TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5       = 0x00000006,
    PJ_TLS_RSA_WITH_IDEA_CBC_SHA                = 0x00000007,
    PJ_TLS_RSA_EXPORT_WITH_DES40_CBC_SHA        = 0x00000008,
    PJ_TLS_RSA_WITH_DES_CBC_SHA                 = 0x00000009,
    PJ_TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA     = 0x0000000B,
    PJ_TLS_DH_DSS_WITH_DES_CBC_SHA              = 0x0000000C,
    PJ_TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA     = 0x0000000E,
    PJ_TLS_DH_RSA_WITH_DES_CBC_SHA              = 0x0000000F,
    PJ_TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA    = 0x00000011,
    PJ_TLS_DHE_DSS_WITH_DES_CBC_SHA             = 0x00000012,
    PJ_TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA    = 0x00000014,
    PJ_TLS_DHE_RSA_WITH_DES_CBC_SHA             = 0x00000015,
    PJ_TLS_DH_anon_EXPORT_WITH_RC4_40_MD5       = 0x00000017,
    PJ_TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA    = 0x00000019,
    PJ_TLS_DH_anon_WITH_DES_CBC_SHA             = 0x0000001A,

    /* SSLv3 */
    PJ_SSL_FORTEZZA_KEA_WITH_NULL_SHA           = 0x0000001C,
    PJ_SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA   = 0x0000001D,
    PJ_SSL_FORTEZZA_KEA_WITH_RC4_128_SHA        = 0x0000001E,
    
    /* SSLv2 */
    PJ_SSL_CK_RC4_128_WITH_MD5                  = 0x00010080,
    PJ_SSL_CK_RC4_128_EXPORT40_WITH_MD5         = 0x00020080,
    PJ_SSL_CK_RC2_128_CBC_WITH_MD5              = 0x00030080,
    PJ_SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5     = 0x00040080,
    PJ_SSL_CK_IDEA_128_CBC_WITH_MD5             = 0x00050080,
    PJ_SSL_CK_DES_64_CBC_WITH_MD5               = 0x00060040,
    PJ_SSL_CK_DES_192_EDE3_CBC_WITH_MD5         = 0x000700C0

} pj_ssl_cipher;


/**
 * Get cipher list supported by SSL/TLS backend.
 *
 * @param ciphers       The ciphers buffer to receive cipher list.
 * @param cipher_num    Maximum number of ciphers to be received.
 *
 * @return              PJ_SUCCESS when successful.
 */
PJ_DECL(pj_status_t) pj_ssl_cipher_get_availables(pj_ssl_cipher ciphers[],
                                                  unsigned *cipher_num);


/**
 * Check if the specified cipher is supported by SSL/TLS backend.
 *
 * @param cipher        The cipher.
 *
 * @return              PJ_TRUE when supported.
 */
PJ_DECL(pj_bool_t) pj_ssl_cipher_is_supported(pj_ssl_cipher cipher);


/**
 * Get cipher name string.
 *
 * @param cipher        The cipher.
 *
 * @return              The cipher name or NULL if cipher is not recognized/
 *                      supported.
 */
PJ_DECL(const char*) pj_ssl_cipher_name(pj_ssl_cipher cipher);


/**
 * Get cipher ID from cipher name string. Note that on different backends
 * (e.g. OpenSSL or Symbian implementation), cipher names may not be
 * equivalent for the same cipher ID.
 *
 * @param cipher_name   The cipher name string.
 *
 * @return              The cipher ID or PJ_TLS_UNKNOWN_CIPHER if the cipher
 *                      name string is not recognized/supported.
 */
PJ_DECL(pj_ssl_cipher) pj_ssl_cipher_id(const char *cipher_name);

/**
 * Elliptic curves enumeration.
 */
typedef enum pj_ssl_curve
{
        PJ_TLS_UNKNOWN_CURVE            = 0,
        PJ_TLS_CURVE_SECT163K1          = 1,
        PJ_TLS_CURVE_SECT163R1          = 2,
        PJ_TLS_CURVE_SECT163R2          = 3,
        PJ_TLS_CURVE_SECT193R1          = 4,
        PJ_TLS_CURVE_SECT193R2          = 5,
        PJ_TLS_CURVE_SECT233K1          = 6,
        PJ_TLS_CURVE_SECT233R1          = 7,
        PJ_TLS_CURVE_SECT239K1          = 8,
        PJ_TLS_CURVE_SECT283K1          = 9,
        PJ_TLS_CURVE_SECT283R1          = 10,
        PJ_TLS_CURVE_SECT409K1          = 11,
        PJ_TLS_CURVE_SECT409R1          = 12,
        PJ_TLS_CURVE_SECT571K1          = 13,
        PJ_TLS_CURVE_SECT571R1          = 14,
        PJ_TLS_CURVE_SECP160K1          = 15,
        PJ_TLS_CURVE_SECP160R1          = 16,
        PJ_TLS_CURVE_SECP160R2          = 17,
        PJ_TLS_CURVE_SECP192K1          = 18,
        PJ_TLS_CURVE_SECP192R1          = 19,
        PJ_TLS_CURVE_SECP224K1          = 20,
        PJ_TLS_CURVE_SECP224R1          = 21,
        PJ_TLS_CURVE_SECP256K1          = 22,
        PJ_TLS_CURVE_SECP256R1          = 23,
        PJ_TLS_CURVE_SECP384R1          = 24,
        PJ_TLS_CURVE_SECP521R1          = 25,
        PJ_TLS_CURVE_BRAINPOOLP256R1    = 26,
        PJ_TLS_CURVE_BRAINPOOLP384R1    = 27,
        PJ_TLS_CURVE_BRAINPOOLP512R1    = 28,
        PJ_TLS_CURVE_ARBITRARY_EXPLICIT_PRIME_CURVES    = 0XFF01,
        PJ_TLS_CURVE_ARBITRARY_EXPLICIT_CHAR2_CURVES    = 0XFF02
} pj_ssl_curve;

/**
 * Get curve list supported by SSL/TLS backend.
 *
 * @param curves        The curves buffer to receive curve list.
 * @param curve_num     Maximum number of curves to be received.
 *
 * @return              PJ_SUCCESS when successful.
 */
PJ_DECL(pj_status_t) pj_ssl_curve_get_availables(pj_ssl_curve curves[],
                                                 unsigned *curve_num);

/**
 * Check if the specified curve is supported by SSL/TLS backend.
 *
 * @param curve         The curve.
 *
 * @return              PJ_TRUE when supported.
 */
PJ_DECL(pj_bool_t) pj_ssl_curve_is_supported(pj_ssl_curve curve);


/**
 * Get curve name string.
 *
 * @param curve         The curve.
 *
 * @return              The curve name or NULL if curve is not recognized/
 *                      supported.
 */
PJ_DECL(const char*) pj_ssl_curve_name(pj_ssl_curve curve);

/**
 * Get curve ID from curve name string. Note that on different backends
 * (e.g. OpenSSL or Symbian implementation), curve names may not be
 * equivalent for the same curve ID.
 *
 * @param curve_name    The curve name string.
 *
 * @return              The curve ID or PJ_TLS_UNKNOWN_CURVE if the curve
 *                      name string is not recognized/supported.
 */
PJ_DECL(pj_ssl_curve) pj_ssl_curve_id(const char *curve_name);

/**
 * Entropy enumeration
 */
typedef enum pj_ssl_entropy
{
        PJ_SSL_ENTROPY_NONE     = 0,    /**< None */
        PJ_SSL_ENTROPY_EGD      = 1,    /**< EGD */
        PJ_SSL_ENTROPY_RANDOM   = 2,    /**< Random */
        PJ_SSL_ENTROPY_URANDOM  = 3,    /**< Urandom */
        PJ_SSL_ENTROPY_FILE     = 4,    /**< File */
        PJ_SSL_ENTROPY_UNKNOWN  = 0x0F  /**< Unknown */
} pj_ssl_entropy_t;

/**
 * This structure contains the callbacks to be called by the secure socket.
 */
typedef struct pj_ssl_sock_cb
{
    /**
     * This callback is called when a data arrives as the result of
     * pj_ssl_sock_start_read().
     *
     * @param ssock     The secure socket.
     * @param data      The buffer containing the new data, if any. If 
     *                  the status argument is non-PJ_SUCCESS, this 
     *                  argument may be NULL.
     * @param size      The length of data in the buffer.
     * @param status    The status of the read operation. This may contain
     *                  non-PJ_SUCCESS for example when the TCP connection
     *                  has been closed. In this case, the buffer may
     *                  contain left over data from previous callback which
     *                  the application may want to process.
     * @param remainder If application wishes to leave some data in the 
     *                  buffer (common for TCP applications), it should 
     *                  move the remainder data to the front part of the 
     *                  buffer and set the remainder length here. The value
     *                  of this parameter will be ignored for datagram
     *                  sockets.
     *
     * @return          PJ_TRUE if further read is desired, and PJ_FALSE 
     *                  when application no longer wants to receive data.
     *                  Application may destroy the secure socket in the
     *                  callback and return PJ_FALSE here.
     */
    pj_bool_t (*on_data_read)(pj_ssl_sock_t *ssock,
                              void *data,
                              pj_size_t size,
                              pj_status_t status,
                              pj_size_t *remainder);
    /**
     * This callback is called when a packet arrives as the result of
     * pj_ssl_sock_start_recvfrom().
     *
     * @param ssock     The secure socket.
     * @param data      The buffer containing the packet, if any. If 
     *                  the status argument is non-PJ_SUCCESS, this 
     *                  argument will be set to NULL.
     * @param size      The length of packet in the buffer. If 
     *                  the status argument is non-PJ_SUCCESS, this 
     *                  argument will be set to zero.
     * @param src_addr  Source address of the packet.
     * @param addr_len  Length of the source address.
     * @param status    This contains
     *
     * @return          PJ_TRUE if further read is desired, and PJ_FALSE 
     *                  when application no longer wants to receive data.
     *                  Application may destroy the secure socket in the
     *                  callback and return PJ_FALSE here.
     */
    pj_bool_t (*on_data_recvfrom)(pj_ssl_sock_t *ssock,
                                  void *data,
                                  pj_size_t size,
                                  const pj_sockaddr_t *src_addr,
                                  int addr_len,
                                  pj_status_t status);

    /**
     * This callback is called when data has been sent.
     *
     * @param ssock     The secure socket.
     * @param send_key  Key associated with the send operation.
     * @param sent      If value is positive non-zero it indicates the
     *                  number of data sent. When the value is negative,
     *                  it contains the error code which can be retrieved
     *                  by negating the value (i.e. status=-sent).
     *
     * @return          Application may destroy the secure socket in the
     *                  callback and return PJ_FALSE here.
     */
    pj_bool_t (*on_data_sent)(pj_ssl_sock_t *ssock,
                              pj_ioqueue_op_key_t *send_key,
                              pj_ssize_t sent);

    /**
     * This callback is called when new connection arrives as the result
     * of pj_ssl_sock_start_accept(). If the status of accept operation is
     * needed use on_accept_complete2 instead of this callback.
     *
     * @param ssock     The secure socket.
     * @param newsock   The new incoming secure socket.
     * @param src_addr  The source address of the connection.
     * @param addr_len  Length of the source address.
     *
     * @return          PJ_TRUE if further accept() is desired, and PJ_FALSE
     *                  when application no longer wants to accept incoming
     *                  connection. Application may destroy the secure socket
     *                  in the callback and return PJ_FALSE here.
     */
    pj_bool_t (*on_accept_complete)(pj_ssl_sock_t *ssock,
                                    pj_ssl_sock_t *newsock,
                                    const pj_sockaddr_t *src_addr,
                                    int src_addr_len);
    /**
     * This callback is called when new connection arrives as the result
     * of pj_ssl_sock_start_accept().
     *
     * @param asock     The active socket.
     * @param newsock   The new incoming socket.
     * @param src_addr  The source address of the connection.
     * @param addr_len  Length of the source address.
     * @param status    The status of the accept operation. This may contain
     *                  non-PJ_SUCCESS for example when the TCP listener is in
     *                  bad state for example on iOS platform after the
     *                  application waking up from background.
     *
     * @return          PJ_TRUE if further accept() is desired, and PJ_FALSE
     *                  when application no longer wants to accept incoming
     *                  connection. Application may destroy the active socket
     *                  in the callback and return PJ_FALSE here.
     */
    pj_bool_t (*on_accept_complete2)(pj_ssl_sock_t *ssock,
                                     pj_ssl_sock_t *newsock,
                                     const pj_sockaddr_t *src_addr,
                                     int src_addr_len, 
                                     pj_status_t status);

    /**
     * This callback is called when pending connect operation has been
     * completed.
     *
     * @param ssock     The secure socket.
     * @param status    The connection result. If connection has been
     *                  successfully established, the status will contain
     *                  PJ_SUCCESS.
     *
     * @return          Application may destroy the secure socket in the
     *                  callback and return PJ_FALSE here. 
     */
    pj_bool_t (*on_connect_complete)(pj_ssl_sock_t *ssock,
                                     pj_status_t status);
    
    /**
     * This callback is called when certificate verification is being done.
     * Certification info can be obtained from #pj_ssl_sock_info. Currently
     * it's only implemented for OpenSSL backend.
     *
     * If this is set, the callback will always be invoked, even when peer
     * verification is disabled (pj_ssl_sock_param.verify_peer set to
     * PJ_FALSE).
     *
     * @param ssock     The secure socket.
     * @param is_server PJ_TRUE to indicate an incoming connection.
     *
     * @return          Return PJ_TRUE if verification is successful. 
     *                  If verification failed, then the connection will be 
     *                  dropped immediately.
     * 
     */
    pj_bool_t (*on_verify_cb)(pj_ssl_sock_t *ssock, pj_bool_t is_server);

} pj_ssl_sock_cb;


/** 
 * Enumeration of secure socket protocol types.
 * This can be combined using bitwise OR operation.
 */
typedef enum pj_ssl_sock_proto
{
    /**
     * Default protocol of backend. 
     */   
    PJ_SSL_SOCK_PROTO_DEFAULT = 0,

    /** 
     * SSLv2.0 protocol.          
     */
    PJ_SSL_SOCK_PROTO_SSL2    = (1 << 0),

    /** 
     * SSLv3.0 protocol.          
     */
    PJ_SSL_SOCK_PROTO_SSL3    = (1 << 1),

    /**
     * TLSv1.0 protocol.          
     */
    PJ_SSL_SOCK_PROTO_TLS1    = (1 << 2),

    /** 
     * TLSv1.1 protocol.
     */
    PJ_SSL_SOCK_PROTO_TLS1_1  = (1 << 3),

    /**
     * TLSv1.2 protocol.
     */
    PJ_SSL_SOCK_PROTO_TLS1_2  = (1 << 4),

    /**
     * TLSv1.3 protocol.
     */
    PJ_SSL_SOCK_PROTO_TLS1_3  = (1 << 5),

    /** 
     * Certain backend implementation e.g:OpenSSL, has feature to enable all
     * protocol. 
     */
    PJ_SSL_SOCK_PROTO_SSL23   = (1 << 16) - 1,
    PJ_SSL_SOCK_PROTO_ALL = PJ_SSL_SOCK_PROTO_SSL23,

    /**
     * DTLSv1.0 protocol.         
     */
    PJ_SSL_SOCK_PROTO_DTLS1   = (1 << 16),

} pj_ssl_sock_proto;


/**
 * Definition of secure socket info structure.
 */
typedef struct pj_ssl_sock_info 
{
    /**
     * Describes whether secure socket connection is established, i.e: TLS/SSL 
     * handshaking has been done successfully.
     */
    pj_bool_t established;

    /**
     * Describes secure socket protocol being used, see #pj_ssl_sock_proto. 
     * Use bitwise OR operation to combine the protocol type.
     */
    pj_uint32_t proto;

    /**
     * Describes cipher suite being used, this will only be set when connection
     * is established.
     */
    pj_ssl_cipher cipher;

    /**
     * Describes local address.
     */
    pj_sockaddr local_addr;

    /**
     * Describes remote address.
     */
    pj_sockaddr remote_addr;
   
    /**
     * Describes active local certificate info.
     */
    pj_ssl_cert_info *local_cert_info;
   
    /**
     * Describes active remote certificate info.
     */
    pj_ssl_cert_info *remote_cert_info;

    /**
     * Status of peer certificate verification.
     */
    pj_uint32_t         verify_status;

    /**
     * Last native error returned by the backend.
     */
    unsigned long       last_native_err;

    /**
     * Group lock assigned to the ioqueue key.
     */
    pj_grp_lock_t *grp_lock;

    /**
     * Native TLS/SSL instance of the backend. Currently only available for
     * OpenSSL backend (this will contain the OpenSSL "SSL" instance).
     */
    void *native_ssl;

} pj_ssl_sock_info;


/**
 * Definition of secure socket creation parameters.
 */
typedef struct pj_ssl_sock_param
{
    /**
     * Optional group lock to be assigned to the ioqueue key.
     *
     * Note that when a secure socket listener is configured with a group
     * lock, any new secure socket of an accepted incoming connection
     * will have its own group lock created automatically by the library,
     * this group lock can be queried via pj_ssl_sock_get_info() in the info
     * field pj_ssl_sock_info::grp_lock.
     */
    pj_grp_lock_t *grp_lock;

    /**
     * Specifies socket address family, either pj_AF_INET() and pj_AF_INET6().
     *
     * Default is pj_AF_INET().
     */
    int sock_af;

    /**
     * Specify socket type, either pj_SOCK_DGRAM() or pj_SOCK_STREAM().
     *
     * Default is pj_SOCK_STREAM().
     */
    int sock_type;

    /**
     * Specify the ioqueue to use. Secure socket uses the ioqueue to perform
     * active socket operations, see \ref PJ_ACTIVESOCK for more detail.
     */
    pj_ioqueue_t *ioqueue;

    /**
     * Specify the timer heap to use. Secure socket uses the timer to provide
     * auto cancelation on asynchronous operation when it takes longer time 
     * than specified timeout period, e.g: security negotiation timeout.
     */
    pj_timer_heap_t *timer_heap;

    /**
     * Specify secure socket callbacks, see #pj_ssl_sock_cb.
     */
    pj_ssl_sock_cb cb;

    /**
     * Specify secure socket user data.
     */
    void *user_data;

    /**
     * Specify security protocol to use, see #pj_ssl_sock_proto. Use bitwise OR 
     * operation to combine the protocol type.
     *
     * Default is PJ_SSL_SOCK_PROTO_DEFAULT.
     */
    pj_uint32_t proto;

    /**
     * Number of concurrent asynchronous operations that is to be supported
     * by the secure socket. This value only affects socket receive and
     * accept operations -- the secure socket will issue one or more 
     * asynchronous read and accept operations based on the value of this
     * field. Setting this field to more than one will allow more than one
     * incoming data or incoming connections to be processed simultaneously
     * on multiprocessor systems, when the ioqueue is polled by more than
     * one threads.
     *
     * The default value is 1.
     */
    unsigned async_cnt;

    /**
     * The ioqueue concurrency to be forced on the socket when it is 
     * registered to the ioqueue. See #pj_ioqueue_set_concurrency() for more
     * info about ioqueue concurrency.
     *
     * When this value is -1, the concurrency setting will not be forced for
     * this socket, and the socket will inherit the concurrency setting of 
     * the ioqueue. When this value is zero, the secure socket will disable
     * concurrency for the socket. When this value is +1, the secure socket
     * will enable concurrency for the socket.
     *
     * The default value is -1.
     */
    int concurrency;

    /**
     * If this option is specified, the secure socket will make sure that
     * asynchronous send operation with stream oriented socket will only
     * call the callback after all data has been sent. This means that the
     * secure socket will automatically resend the remaining data until
     * all data has been sent.
     *
     * Please note that when this option is specified, it is possible that
     * error is reported after partial data has been sent. Also setting
     * this will disable the ioqueue concurrency for the socket.
     *
     * Default value is 1.
     */
    pj_bool_t whole_data;

    /**
     * Specify buffer size for sending operation. Buffering sending data
     * is used for allowing application to perform multiple outstanding 
     * send operations. Whenever application specifies this setting too
     * small, sending operation may return PJ_ENOMEM.
     *  
     * Default value is 8192 bytes.
     */
    pj_size_t send_buffer_size;

    /**
     * Specify buffer size for receiving encrypted (and perhaps compressed)
     * data on underlying socket. This setting is unused on Symbian, since 
     * SSL/TLS Symbian backend, CSecureSocket, can use application buffer 
     * directly.
     *
     * Default value is 1500.
     */
    pj_size_t read_buffer_size;

    /**
     * Number of ciphers contained in the specified cipher preference. 
     * If this is set to zero, then the cipher list used will be determined
     * by the backend default (for OpenSSL backend, setting 
     * PJ_SSL_SOCK_OSSL_CIPHERS will be used).
     */
    unsigned ciphers_num;

    /**
     * Ciphers and order preference. If empty, then default cipher list and
     * its default order of the backend will be used.
     */
    pj_ssl_cipher *ciphers;

    /**
     * Number of curves contained in the specified curve preference.
     * If this is set to zero, then default curve list of the backend
     * will be used.
     *
     * Default: 0 (zero).
     */
    unsigned curves_num;

    /**
     * Curves and order preference. The #pj_ssl_curve_get_availables()
     * can be used to check the available curves supported by backend.
     */
    pj_ssl_curve *curves;

    /**
     * The supported signature algorithms. Set the sigalgs string
     * using this form:
     * "<DIGEST>+<ALGORITHM>:<DIGEST>+<ALGORITHM>"
     * Digests are: "RSA", "DSA" or "ECDSA"
     * Algorithms are: "MD5", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512"
     * Example: "ECDSA+SHA256:RSA+SHA256"
     */
    pj_str_t    sigalgs;

    /**
     * Reseed random number generator.
     * For type #PJ_SSL_ENTROPY_FILE, parameter \a entropy_path
     * must be set to a file.
     * For type #PJ_SSL_ENTROPY_EGD, parameter \a entropy_path
     * must be set to a socket.
     *
     * Default value is PJ_SSL_ENTROPY_NONE.
    */
    pj_ssl_entropy_t    entropy_type;

    /**
     * When using a file/socket for entropy #PJ_SSL_ENTROPY_EGD or
     * #PJ_SSL_ENTROPY_FILE, \a entropy_path must contain the path
     * to entropy socket/file.
     *
     * Default value is an empty string.
     */
    pj_str_t            entropy_path;

    /**
     * Security negotiation timeout. If this is set to zero (both sec and 
     * msec), the negotiation doesn't have a timeout.
     *
     * Default value is zero.
     */
    pj_time_val timeout;

    /**
     * Specify whether endpoint should verify peer certificate.
     *
     * Default value is PJ_FALSE.
     */
    pj_bool_t verify_peer;
    
    /**
     * When secure socket is acting as server (handles incoming connection),
     * it will require the client to provide certificate.
     *
     * Default value is PJ_FALSE.
     */
    pj_bool_t require_client_cert;

    /**
     * Server name indication. When secure socket is acting as client 
     * (perform outgoing connection) and the server may host multiple
     * 'virtual' servers at a single underlying network address, setting
     * this will allow client to tell the server a name of the server
     * it is contacting. This must be set to hostname and literal IP addresses
     * are not allowed.
     *
     * Default value is zero/not-set.
     */
    pj_str_t server_name;

    /**
     * Specify if SO_REUSEADDR should be used for listening socket. This
     * option will only be used with accept() operation.
     *
     * Default is PJ_FALSE.
     */
    pj_bool_t reuse_addr;

    /**
     * QoS traffic type to be set on this transport. When application wants
     * to apply QoS tagging to the transport, it's preferable to set this
     * field rather than \a qos_param fields since this is more portable.
     *
     * Default value is PJ_QOS_TYPE_BEST_EFFORT.
     */
    pj_qos_type qos_type;

    /**
     * Set the low level QoS parameters to the transport. This is a lower
     * level operation than setting the \a qos_type field and may not be
     * supported on all platforms.
     *
     * By default all settings in this structure are disabled.
     */
    pj_qos_params qos_params;

    /**
     * Specify if the transport should ignore any errors when setting the QoS
     * traffic type/parameters.
     *
     * Default: PJ_TRUE
     */
    pj_bool_t qos_ignore_error;

    /**
     * Specify options to be set on the transport. 
     *
     * For GnuTLS backend, by default TCP_NODELAY will be set. For other
     * SSL backends, the default is no options.
     * 
     */
    pj_sockopt_params sockopt_params;

    /**
     * Specify if the transport should ignore any errors when setting the 
     * sockopt parameters.
     *
     * Default: PJ_TRUE
     * 
     */
    pj_bool_t sockopt_ignore_error;

    /**
     * Specify if should set close-on-exec flag for socket.
     *
     * Default: PJ_TRUE
    */
    pj_bool_t sock_cloexec;

    /**
     * Specify if renegotiation is enabled for TLSv1.2 or earlier.
     * 
     * Default: PJ_TRUE
     */
    pj_bool_t enable_renegotiation;

} pj_ssl_sock_param;


/**
 * The parameter for pj_ssl_sock_start_connect2().
 */
typedef struct pj_ssl_start_connect_param {
    /**
     * The pool to allocate some internal data for the operation.
     */
    pj_pool_t *pool;

    /**
     * Local address.
     */
    const pj_sockaddr_t *localaddr;

    /**
     * Port range for socket binding, relative to the start port number
     * specified in \a localaddr. This is only applicable when the start port
     * number is non zero.
     */
    pj_uint16_t local_port_range;

    /**
     * Remote address.
     */
    const pj_sockaddr_t *remaddr;

    /**
     * Length of buffer containing above addresses.
     */
    int addr_len;

} pj_ssl_start_connect_param;


/**
 * Initialize the secure socket parameters for its creation with 
 * the default values.
 *
 * @param param         The parameter to be initialized.
 */
PJ_DECL(void) pj_ssl_sock_param_default(pj_ssl_sock_param *param);


/**
 * Duplicate pj_ssl_sock_param.
 *
 * @param pool  Pool to allocate memory.
 * @param dst   Destination parameter.
 * @param src   Source parameter.
 */
PJ_DECL(void) pj_ssl_sock_param_copy(pj_pool_t *pool, 
                                     pj_ssl_sock_param *dst,
                                     const pj_ssl_sock_param *src);


/**
 * Create secure socket instance.
 *
 * @param pool          The pool for allocating secure socket instance.
 * @param param         The secure socket parameter, see #pj_ssl_sock_param.
 * @param p_ssock       Pointer to secure socket instance to be created.
 *
 * @return              PJ_SUCCESS when successful.
 */
PJ_DECL(pj_status_t) pj_ssl_sock_create(pj_pool_t *pool,
                                        const pj_ssl_sock_param *param,
                                        pj_ssl_sock_t **p_ssock);


/**
 * Set secure socket certificate or credentials. Credentials may include 
 * certificate, private key and trusted Certification Authorities list. 
 * Normally, server socket must provide certificate (and private key).
 * Socket client may also need to provide certificate in case requested
 * by the server.
 *
 * @param ssock         The secure socket instance.
 * @param pool          The pool.
 * @param cert          The endpoint certificate/credentials, see
 *                      #pj_ssl_cert_t.
 *
 * @return              PJ_SUCCESS if the operation has been successful,
 *                      or the appropriate error code on failure.
 */
PJ_DECL(pj_status_t) pj_ssl_sock_set_certificate(
                                            pj_ssl_sock_t *ssock,
                                            pj_pool_t *pool,
                                            const pj_ssl_cert_t *cert);


/**
 * Close and destroy the secure socket.
 *
 * @param ssock         The secure socket.
 *
 * @return              PJ_SUCCESS if the operation has been successful,
 *                      or the appropriate error code on failure.
 */
PJ_DECL(pj_status_t) pj_ssl_sock_close(pj_ssl_sock_t *ssock);


/**
 * Associate arbitrary data with the secure socket. Application may
 * inspect this data in the callbacks and associate it with higher
 * level processing.
 *
 * @param ssock         The secure socket.
 * @param user_data     The user data to be associated with the secure
 *                      socket.
 *
 * @return              PJ_SUCCESS if the operation has been successful,
 *                      or the appropriate error code on failure.
 */
PJ_DECL(pj_status_t) pj_ssl_sock_set_user_data(pj_ssl_sock_t *ssock,
                                               void *user_data);

/**
 * Retrieve the user data previously associated with this secure
 * socket.
 *
 * @param ssock         The secure socket.
 *
 * @return              The user data.
 */
PJ_DECL(void*) pj_ssl_sock_get_user_data(pj_ssl_sock_t *ssock);


/**
 * Retrieve the local address and port used by specified secure socket.
 *
 * @param ssock         The secure socket.
 * @param info          The info buffer to be set, see #pj_ssl_sock_info.
 *
 * @return              PJ_SUCCESS on successful.
 */
PJ_DECL(pj_status_t) pj_ssl_sock_get_info(pj_ssl_sock_t *ssock,
                                          pj_ssl_sock_info *info);


/**
 * Starts read operation on this secure socket. This function will create
 * \a async_cnt number of buffers (the \a async_cnt parameter was given
 * in \a pj_ssl_sock_create() function) where each buffer is \a buff_size
 * long. The buffers are allocated from the specified \a pool. Once the 
 * buffers are created, it then issues \a async_cnt number of asynchronous
 * \a recv() operations to the socket and returns back to caller. Incoming
 * data on the socket will be reported back to application via the 
 * \a on_data_read() callback.
 *
 * Application only needs to call this function once to initiate read
 * operations. Further read operations will be done automatically by the
 * secure socket when \a on_data_read() callback returns non-zero. 
 *
 * @param ssock         The secure socket.
 * @param pool          Pool used to allocate buffers for incoming data.
 * @param buff_size     The size of each buffer, in bytes.
 * @param flags         Flags to be given to pj_ioqueue_recv().
 *
 * @return              PJ_SUCCESS if the operation has been successful,
 *                      or the appropriate error code on failure.
 */
PJ_DECL(pj_status_t) pj_ssl_sock_start_read(pj_ssl_sock_t *ssock,
                                            pj_pool_t *pool,
                                            unsigned buff_size,
                                            pj_uint32_t flags);

/**
 * Same as #pj_ssl_sock_start_read(), except that the application
 * supplies the buffers for the read operation so that the acive socket
 * does not have to allocate the buffers.
 *
 * @param ssock         The secure socket.
 * @param pool          Pool used to allocate buffers for incoming data.
 * @param buff_size     The size of each buffer, in bytes.
 * @param readbuf       Array of packet buffers, each has buff_size size.
 * @param flags         Flags to be given to pj_ioqueue_recv().
 *
 * @return              PJ_SUCCESS if the operation has been successful,
 *                      or the appropriate error code on failure.
 */
PJ_DECL(pj_status_t) pj_ssl_sock_start_read2(pj_ssl_sock_t *ssock,
                                             pj_pool_t *pool,
                                             unsigned buff_size,
                                             void *readbuf[],
                                             pj_uint32_t flags);

/**
 * Same as pj_ssl_sock_start_read(), except that this function is used
 * only for datagram sockets, and it will trigger \a on_data_recvfrom()
 * callback instead.
 *
 * @param ssock         The secure socket.
 * @param pool          Pool used to allocate buffers for incoming data.
 * @param buff_size     The size of each buffer, in bytes.
 * @param flags         Flags to be given to pj_ioqueue_recvfrom().
 *
 * @return              PJ_SUCCESS if the operation has been successful,
 *                      or the appropriate error code on failure.
 */
PJ_DECL(pj_status_t) pj_ssl_sock_start_recvfrom(pj_ssl_sock_t *ssock,
                                                pj_pool_t *pool,
                                                unsigned buff_size,
                                                pj_uint32_t flags);

/**
 * Same as #pj_ssl_sock_start_recvfrom() except that the recvfrom() 
 * operation takes the buffer from the argument rather than creating
 * new ones.
 *
 * @param ssock         The secure socket.
 * @param pool          Pool used to allocate buffers for incoming data.
 * @param buff_size     The size of each buffer, in bytes.
 * @param readbuf       Array of packet buffers, each has buff_size size.
 * @param flags         Flags to be given to pj_ioqueue_recvfrom().
 *
 * @return              PJ_SUCCESS if the operation has been successful,
 *                      or the appropriate error code on failure.
 */
PJ_DECL(pj_status_t) pj_ssl_sock_start_recvfrom2(pj_ssl_sock_t *ssock,
                                                 pj_pool_t *pool,
                                                 unsigned buff_size,
                                                 void *readbuf[],
                                                 pj_uint32_t flags);

/**
 * Send data using the socket.
 *
 * @param ssock         The secure socket.
 * @param send_key      The operation key to send the data, which is useful
 *                      if application wants to submit multiple pending
 *                      send operations and want to track which exact data 
 *                      has been sent in the \a on_data_sent() callback.
 * @param data          The data to be sent. This data must remain valid
 *                      until the data has been sent.
 * @param size          The size of the data.
 * @param flags         Flags to be given to pj_ioqueue_send().
 *
 * @return              PJ_SUCCESS if data has been sent immediately, or
 *                      PJ_EPENDING if data cannot be sent immediately or
 *                      PJ_ENOMEM when sending buffer could not handle all
 *                      queued data, see \a send_buffer_size. The callback
 *                      \a on_data_sent() will be called when data is actually
 *                      sent. Any other return value indicates error condition.
 */
PJ_DECL(pj_status_t) pj_ssl_sock_send(pj_ssl_sock_t *ssock,
                                      pj_ioqueue_op_key_t *send_key,
                                      const void *data,
                                      pj_ssize_t *size,
                                      unsigned flags);

/**
 * Send datagram using the socket.
 *
 * @param ssock         The secure socket.
 * @param send_key      The operation key to send the data, which is useful
 *                      if application wants to submit multiple pending
 *                      send operations and want to track which exact data 
 *                      has been sent in the \a on_data_sent() callback.
 * @param data          The data to be sent. This data must remain valid
 *                      until the data has been sent.
 * @param size          The size of the data.
 * @param flags         Flags to be given to pj_ioqueue_send().
 * @param addr          The destination address.
 * @param addr_len      Length of buffer containing destination address.
 *
 * @return              PJ_SUCCESS if data has been sent immediately, or
 *                      PJ_EPENDING if data cannot be sent immediately. In
 *                      this case the \a on_data_sent() callback will be
 *                      called when data is actually sent. Any other return
 *                      value indicates error condition.
 */
PJ_DECL(pj_status_t) pj_ssl_sock_sendto(pj_ssl_sock_t *ssock,
                                        pj_ioqueue_op_key_t *send_key,
                                        const void *data,
                                        pj_ssize_t *size,
                                        unsigned flags,
                                        const pj_sockaddr_t *addr,
                                        int addr_len);


/**
 * Starts asynchronous socket accept() operations on this secure socket. 
 * This function will issue \a async_cnt number of asynchronous \a accept() 
 * operations to the socket and returns back to caller. Incoming
 * connection on the socket will be reported back to application via the
 * \a on_accept_complete() callback.
 *
 * Application only needs to call this function once to initiate accept()
 * operations. Further accept() operations will be done automatically by 
 * the secure socket when \a on_accept_complete() callback returns non-zero.
 *
 * @param ssock         The secure socket.
 * @param pool          Pool used to allocate some internal data for the
 *                      operation.
 * @param local_addr    Local address to bind on.
 * @param addr_len      Length of buffer containing local address.
 *
 * @return              PJ_SUCCESS if the operation has been successful,
 *                      or the appropriate error code on failure.
 */
PJ_DECL(pj_status_t) pj_ssl_sock_start_accept(pj_ssl_sock_t *ssock,
                                              pj_pool_t *pool,
                                              const pj_sockaddr_t *local_addr,
                                              int addr_len);


/**
 * Same as #pj_ssl_sock_start_accept(), but application can provide
 * a secure socket parameter, which will be used to create a new secure
 * socket reported in \a on_accept_complete() callback when there is
 * an incoming connection.
 *
 * @param ssock         The secure socket.
 * @param pool          Pool used to allocate some internal data for the
 *                      operation.
 * @param local_addr    Local address to bind on.
 * @param addr_len      Length of buffer containing local address.
 * @param newsock_param Secure socket parameter for new accepted sockets.
 *
 * @return              PJ_SUCCESS if the operation has been successful,
 *                      or the appropriate error code on failure.
 */
PJ_DECL(pj_status_t)
pj_ssl_sock_start_accept2(pj_ssl_sock_t *ssock,
                          pj_pool_t *pool,
                          const pj_sockaddr_t *local_addr,
                          int addr_len,
                          const pj_ssl_sock_param *newsock_param);


/**
 * Starts asynchronous socket connect() operation and SSL/TLS handshaking 
 * for this socket. Once the connection is done (either successfully or not),
 * the \a on_connect_complete() callback will be called.
 *
 * @param ssock         The secure socket.
 * @param pool          The pool to allocate some internal data for the
 *                      operation.
 * @param localaddr     Local address.
 * @param remaddr       Remote address.
 * @param addr_len      Length of buffer containing above addresses.
 *
 * @return              PJ_SUCCESS if connection can be established immediately
 *                      or PJ_EPENDING if connection cannot be established 
 *                      immediately. In this case the \a on_connect_complete()
 *                      callback will be called when connection is complete. 
 *                      Any other return value indicates error condition.
 */
PJ_DECL(pj_status_t) pj_ssl_sock_start_connect(pj_ssl_sock_t *ssock,
                                               pj_pool_t *pool,
                                               const pj_sockaddr_t *localaddr,
                                               const pj_sockaddr_t *remaddr,
                                               int addr_len);

/**
 * Same as #pj_ssl_sock_start_connect(), but application can provide a 
 * \a port_range parameter, which will be used to bind the socket to 
 * random port.
 *
 * @param ssock         The secure socket.
 *
 * @param connect_param The parameter, refer to \a pj_ssl_start_connect_param.
 *
 * @return              PJ_SUCCESS if connection can be established immediately
 *                      or PJ_EPENDING if connection cannot be established 
 *                      immediately. In this case the \a on_connect_complete()
 *                      callback will be called when connection is complete. 
 *                      Any other return value indicates error condition.
 */
PJ_DECL(pj_status_t) pj_ssl_sock_start_connect2(
                              pj_ssl_sock_t *ssock,
                              pj_ssl_start_connect_param *connect_param);

/**
 * Starts SSL/TLS renegotiation over an already established SSL connection
 * for this socket. This operation is performed transparently, no callback 
 * will be called once the renegotiation completed successfully. However, 
 * when the renegotiation fails, the connection will be closed and callback
 * \a on_data_read() will be invoked with non-PJ_SUCCESS status code.
 *
 * @param ssock         The secure socket.
 *
 * @return              PJ_SUCCESS if renegotiation is completed immediately,
 *                      or PJ_EPENDING if renegotiation has been started and
 *                      waiting for completion, or the appropriate error code 
 *                      on failure.
 */
PJ_DECL(pj_status_t) pj_ssl_sock_renegotiate(pj_ssl_sock_t *ssock);

/**
 * @}
 */

PJ_END_DECL

#endif  /* __PJ_SSL_SOCK_H__ */