Gitiles
Code Review Sign In
review.jami.net / jami-client-android / 2cd1ce457523d0b1a4d59214491de687fba08887 / . / jni / pjproject-android / .svn / pristine / 2f / 2fd5d0049301a19b3c9879c3e15235a9b625779f.svn-base
blob: 125e9b1566b1ecc436265c4e5774c8973c81053e [file] [log] [blame]
Alexandre Lision8af73cb2013-12-10 14:11:20 -0500[diff] [blame]1/* $Id$ */
2/*
3 * Copyright (C) 2009-2011 Teluu Inc. (http://www.teluu.com)
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
18 */
19
20#include <pjsip/sip_transport_tls.h>
21#include <pjsip/sip_endpoint.h>
22#include <pjsip/sip_errno.h>
23#include <pj/compat/socket.h>
24#include <pj/addr_resolv.h>
25#include <pj/ssl_sock.h>
26#include <pj/assert.h>
27#include <pj/hash.h>
28#include <pj/lock.h>
29#include <pj/log.h>
30#include <pj/os.h>
31#include <pj/pool.h>
32#include <pj/string.h>
33
34#if defined(PJSIP_HAS_TLS_TRANSPORT) && PJSIP_HAS_TLS_TRANSPORT!=0
35
36#define THIS_FILE "sip_transport_tls.c"
37
38#define MAX_ASYNC_CNT 16
39#define POOL_LIS_INIT 512
40#define POOL_LIS_INC 512
41#define POOL_TP_INIT 512
42#define POOL_TP_INC 512
43
44struct tls_listener;
45struct tls_transport;
46
47/*
48 * Definition of TLS/SSL transport listener, and it's descendant of
49 * pjsip_tpfactory.
50 */
51struct tls_listener
52{
53 pjsip_tpfactory factory;
54 pj_bool_t is_registered;
55 pjsip_endpoint *endpt;
56 pjsip_tpmgr *tpmgr;
57 pj_ssl_sock_t *ssock;
58 pj_sockaddr bound_addr;
59 pj_ssl_cert_t *cert;
60 pjsip_tls_setting tls_setting;
61};
62
63
64/*
65 * This structure is used to keep delayed transmit operation in a list.
66 * A delayed transmission occurs when application sends tx_data when
67 * the TLS connect/establishment is still in progress. These delayed
68 * transmission will be "flushed" once the socket is connected (either
69 * successfully or with errors).
70 */
71struct delayed_tdata
72{
73 PJ_DECL_LIST_MEMBER(struct delayed_tdata);
74 pjsip_tx_data_op_key *tdata_op_key;
75 pj_time_val timeout;
76};
77
78
79/*
80 * TLS/SSL transport, and it's descendant of pjsip_transport.
81 */
82struct tls_transport
83{
84 pjsip_transport base;
85 pj_bool_t is_server;
86 pj_str_t remote_name;
87
88 pj_bool_t is_registered;
89 pj_bool_t is_closing;
90 pj_status_t close_reason;
91 pj_ssl_sock_t *ssock;
92 pj_bool_t has_pending_connect;
93 pj_bool_t verify_server;
94
95 /* Keep-alive timer. */
96 pj_timer_entry ka_timer;
97 pj_time_val last_activity;
98 pjsip_tx_data_op_key ka_op_key;
99 pj_str_t ka_pkt;
100
101 /* TLS transport can only have one rdata!
102 * Otherwise chunks of incoming PDU may be received on different
103 * buffer.
104 */
105 pjsip_rx_data rdata;
106
107 /* Pending transmission list. */
108 struct delayed_tdata delayed_list;
109};
110
111
112/****************************************************************************
113 * PROTOTYPES
114 */
115
116/* This callback is called when pending accept() operation completes. */
117static pj_bool_t on_accept_complete(pj_ssl_sock_t *ssock,
118 pj_ssl_sock_t *new_ssock,
119 const pj_sockaddr_t *src_addr,
120 int src_addr_len);
121
122/* Callback on incoming data */
123static pj_bool_t on_data_read(pj_ssl_sock_t *ssock,
124 void *data,
125 pj_size_t size,
126 pj_status_t status,
127 pj_size_t *remainder);
128
129/* Callback when packet is sent */
130static pj_bool_t on_data_sent(pj_ssl_sock_t *ssock,
131 pj_ioqueue_op_key_t *send_key,
132 pj_ssize_t sent);
133
134/* This callback is called by transport manager to destroy listener */
135static pj_status_t lis_destroy(pjsip_tpfactory *factory);
136
137/* This callback is called by transport manager to create transport */
138static pj_status_t lis_create_transport(pjsip_tpfactory *factory,
139 pjsip_tpmgr *mgr,
140 pjsip_endpoint *endpt,
141 const pj_sockaddr *rem_addr,
142 int addr_len,
143 pjsip_tx_data *tdata,
144 pjsip_transport **transport);
145
146/* Common function to create and initialize transport */
147static pj_status_t tls_create(struct tls_listener *listener,
148 pj_pool_t *pool,
149 pj_ssl_sock_t *ssock,
150 pj_bool_t is_server,
151 const pj_sockaddr *local,
152 const pj_sockaddr *remote,
153 const pj_str_t *remote_name,
154 struct tls_transport **p_tls);
155
156
157static void tls_perror(const char *sender, const char *title,
158 pj_status_t status)
159{
160 char errmsg[PJ_ERR_MSG_SIZE];
161
162 pj_strerror(status, errmsg, sizeof(errmsg));
163
164 PJ_LOG(1,(sender, "%s: %s [code=%d]", title, errmsg, status));
165}
166
167
168static void sockaddr_to_host_port( pj_pool_t *pool,
169 pjsip_host_port *host_port,
170 const pj_sockaddr *addr )
171{
172 host_port->host.ptr = (char*) pj_pool_alloc(pool, PJ_INET6_ADDRSTRLEN+4);
173 pj_sockaddr_print(addr, host_port->host.ptr, PJ_INET6_ADDRSTRLEN+4, 0);
174 host_port->host.slen = pj_ansi_strlen(host_port->host.ptr);
175 host_port->port = pj_sockaddr_get_port(addr);
176}
177
178
179static void tls_init_shutdown(struct tls_transport *tls, pj_status_t status)
180{
181 pjsip_tp_state_callback state_cb;
182
183 if (tls->close_reason == PJ_SUCCESS)
184 tls->close_reason = status;
185
186 if (tls->base.is_shutdown || tls->base.is_destroying)
187 return;
188
189 /* Prevent immediate transport destroy by application, as transport
190 * state notification callback may be stacked and transport instance
191 * must remain valid at any point in the callback.
192 */
193 pjsip_transport_add_ref(&tls->base);
194
195 /* Notify application of transport disconnected state */
196 state_cb = pjsip_tpmgr_get_state_cb(tls->base.tpmgr);
197 if (state_cb) {
198 pjsip_transport_state_info state_info;
199 pjsip_tls_state_info tls_info;
200 pj_ssl_sock_info ssl_info;
201
202 /* Init transport state info */
203 pj_bzero(&state_info, sizeof(state_info));
204 state_info.status = tls->close_reason;
205
206 if (tls->ssock &&
207 pj_ssl_sock_get_info(tls->ssock, &ssl_info) == PJ_SUCCESS)
208 {
209 pj_bzero(&tls_info, sizeof(tls_info));
210 tls_info.ssl_sock_info = &ssl_info;
211 state_info.ext_info = &tls_info;
212 }
213
214 (*state_cb)(&tls->base, PJSIP_TP_STATE_DISCONNECTED, &state_info);
215 }
216
217 /* check again */
218 if (tls->base.is_shutdown || tls->base.is_destroying)
219 return;
220
221 /* We can not destroy the transport since high level objects may
222 * still keep reference to this transport. So we can only
223 * instruct transport manager to gracefully start the shutdown
224 * procedure for this transport.
225 */
226 pjsip_transport_shutdown(&tls->base);
227
228 /* Now, it is ok to destroy the transport. */
229 pjsip_transport_dec_ref(&tls->base);
230}
231
232
233/****************************************************************************
234 * The TLS listener/transport factory.
235 */
236
237/*
238 * This is the public API to create, initialize, register, and start the
239 * TLS listener.
240 */
241PJ_DEF(pj_status_t) pjsip_tls_transport_start (pjsip_endpoint *endpt,
242 const pjsip_tls_setting *opt,
243 const pj_sockaddr_in *local_in,
244 const pjsip_host_port *a_name,
245 unsigned async_cnt,
246 pjsip_tpfactory **p_factory)
247{
248 pj_sockaddr local;
249
250 if (local_in)
251 pj_sockaddr_cp(&local, local_in);
252
253 return pjsip_tls_transport_start2(endpt, opt, (local_in? &local : NULL),
254 a_name, async_cnt, p_factory);
255}
256
257PJ_DEF(pj_status_t) pjsip_tls_transport_start2( pjsip_endpoint *endpt,
258 const pjsip_tls_setting *opt,
259 const pj_sockaddr *local,
260 const pjsip_host_port *a_name,
261 unsigned async_cnt,
262 pjsip_tpfactory **p_factory)
263{
264 pj_pool_t *pool;
265 pj_bool_t is_ipv6;
266 int af;
267 struct tls_listener *listener;
268 pj_ssl_sock_param ssock_param;
269 pj_sockaddr *listener_addr;
270 pj_bool_t has_listener;
271 pj_status_t status;
272
273 /* Sanity check */
274 PJ_ASSERT_RETURN(endpt && async_cnt, PJ_EINVAL);
275
276 is_ipv6 = (local && local->addr.sa_family == pj_AF_INET6());
277 af = is_ipv6 ? pj_AF_INET6() : pj_AF_INET();
278
279 /* Verify that address given in a_name (if any) is valid */
280 if (a_name && a_name->host.slen) {
281 pj_sockaddr tmp;
282
283 status = pj_sockaddr_init(af, &tmp, &a_name->host,
284 (pj_uint16_t)a_name->port);
285 if (status != PJ_SUCCESS || !pj_sockaddr_has_addr(&tmp) ||
286 (!is_ipv6 && tmp.ipv4.sin_addr.s_addr == PJ_INADDR_NONE))
287 {
288 /* Invalid address */
289 return PJ_EINVAL;
290 }
291 }
292
293 pool = pjsip_endpt_create_pool(endpt, "tlslis", POOL_LIS_INIT,
294 POOL_LIS_INC);
295 PJ_ASSERT_RETURN(pool, PJ_ENOMEM);
296
297 listener = PJ_POOL_ZALLOC_T(pool, struct tls_listener);
298 listener->factory.pool = pool;
299 if (is_ipv6)
300 listener->factory.type = PJSIP_TRANSPORT_TLS6;
301 else
302 listener->factory.type = PJSIP_TRANSPORT_TLS;
303 listener->factory.type_name = (char*)
304 pjsip_transport_get_type_name(listener->factory.type);
305 listener->factory.flag =
306 pjsip_transport_get_flag_from_type(listener->factory.type);
307
308 pj_ansi_strcpy(listener->factory.obj_name, "tlslis");
309 if (is_ipv6)
310 pj_ansi_strcat(listener->factory.obj_name, "6");
311
312 if (opt)
313 pjsip_tls_setting_copy(pool, &listener->tls_setting, opt);
314 else
315 pjsip_tls_setting_default(&listener->tls_setting);
316
317 status = pj_lock_create_recursive_mutex(pool, listener->factory.obj_name,
318 &listener->factory.lock);
319 if (status != PJ_SUCCESS)
320 goto on_error;
321
322 if (async_cnt > MAX_ASYNC_CNT)
323 async_cnt = MAX_ASYNC_CNT;
324
325 /* Build SSL socket param */
326 pj_ssl_sock_param_default(&ssock_param);
327 ssock_param.sock_af = af;
328 ssock_param.cb.on_accept_complete = &on_accept_complete;
329 ssock_param.cb.on_data_read = &on_data_read;
330 ssock_param.cb.on_data_sent = &on_data_sent;
331 ssock_param.async_cnt = async_cnt;
332 ssock_param.ioqueue = pjsip_endpt_get_ioqueue(endpt);
333 ssock_param.require_client_cert = listener->tls_setting.require_client_cert;
334 ssock_param.timeout = listener->tls_setting.timeout;
335 ssock_param.user_data = listener;
336 ssock_param.verify_peer = PJ_FALSE; /* avoid SSL socket closing the socket
337 * due to verification error */
338 if (ssock_param.send_buffer_size < PJSIP_MAX_PKT_LEN)
339 ssock_param.send_buffer_size = PJSIP_MAX_PKT_LEN;
340 if (ssock_param.read_buffer_size < PJSIP_MAX_PKT_LEN)
341 ssock_param.read_buffer_size = PJSIP_MAX_PKT_LEN;
342 ssock_param.ciphers_num = listener->tls_setting.ciphers_num;
343 ssock_param.ciphers = listener->tls_setting.ciphers;
344 ssock_param.reuse_addr = listener->tls_setting.reuse_addr;
345 ssock_param.qos_type = listener->tls_setting.qos_type;
346 ssock_param.qos_ignore_error = listener->tls_setting.qos_ignore_error;
347 pj_memcpy(&ssock_param.qos_params, &listener->tls_setting.qos_params,
348 sizeof(ssock_param.qos_params));
349
350 has_listener = PJ_FALSE;
351
352 switch(listener->tls_setting.method) {
353 case PJSIP_TLSV1_METHOD:
354 ssock_param.proto = PJ_SSL_SOCK_PROTO_TLS1;
355 break;
356 case PJSIP_SSLV2_METHOD:
357 ssock_param.proto = PJ_SSL_SOCK_PROTO_SSL2;
358 break;
359 case PJSIP_SSLV3_METHOD:
360 ssock_param.proto = PJ_SSL_SOCK_PROTO_SSL3;
361 break;
362 case PJSIP_SSLV23_METHOD:
363 ssock_param.proto = PJ_SSL_SOCK_PROTO_SSL23;
364 break;
365 default:
366 ssock_param.proto = PJ_SSL_SOCK_PROTO_DEFAULT;
367 break;
368 }
369
370 /* Create SSL socket */
371 status = pj_ssl_sock_create(pool, &ssock_param, &listener->ssock);
372 if (status != PJ_SUCCESS)
373 goto on_error;
374
375 /* Bind address may be different than factory.local_addr because
376 * factory.local_addr will be resolved below.
377 */
378 listener_addr = &listener->factory.local_addr;
379 if (local) {
380 pj_sockaddr_cp((pj_sockaddr_t*)listener_addr,
381 (const pj_sockaddr_t*)local);
382 pj_sockaddr_cp(&listener->bound_addr, local);
383 } else {
384 pj_sockaddr_init(af, listener_addr, NULL, 0);
385 pj_sockaddr_init(af, &listener->bound_addr, NULL, 0);
386 }
387
388 /* Check if certificate/CA list for SSL socket is set */
389 if (listener->tls_setting.cert_file.slen ||
390 listener->tls_setting.ca_list_file.slen)
391 {
392 status = pj_ssl_cert_load_from_files(pool,
393 &listener->tls_setting.ca_list_file,
394 &listener->tls_setting.cert_file,
395 &listener->tls_setting.privkey_file,
396 &listener->tls_setting.password,
397 &listener->cert);
398 if (status != PJ_SUCCESS)
399 goto on_error;
400
401 status = pj_ssl_sock_set_certificate(listener->ssock, pool,
402 listener->cert);
403 if (status != PJ_SUCCESS)
404 goto on_error;
405 }
406
407 /* Start accepting incoming connections. Note that some TLS/SSL backends
408 * may not support for SSL socket server.
409 */
410 has_listener = PJ_FALSE;
411
412 status = pj_ssl_sock_start_accept(listener->ssock, pool,
413 (pj_sockaddr_t*)listener_addr,
414 pj_sockaddr_get_len((pj_sockaddr_t*)listener_addr));
415 if (status == PJ_SUCCESS || status == PJ_EPENDING) {
416 pj_ssl_sock_info info;
417 has_listener = PJ_TRUE;
418
419 /* Retrieve the bound address */
420 status = pj_ssl_sock_get_info(listener->ssock, &info);
421 if (status == PJ_SUCCESS)
422 pj_sockaddr_cp(listener_addr, (pj_sockaddr_t*)&info.local_addr);
423 } else if (status != PJ_ENOTSUP) {
424 goto on_error;
425 }
426
427 /* If published host/IP is specified, then use that address as the
428 * listener advertised address.
429 */
430 if (a_name && a_name->host.slen) {
431 /* Copy the address */
432 listener->factory.addr_name = *a_name;
433 pj_strdup(listener->factory.pool, &listener->factory.addr_name.host,
434 &a_name->host);
435 listener->factory.addr_name.port = a_name->port;
436
437 } else {
438 /* No published address is given, use the bound address */
439
440 /* If the address returns 0.0.0.0, use the default
441 * interface address as the transport's address.
442 */
443 if (!pj_sockaddr_has_addr(listener_addr)) {
444 pj_sockaddr hostip;
445
446 status = pj_gethostip(af, &hostip);
447 if (status != PJ_SUCCESS)
448 goto on_error;
449
450 pj_sockaddr_copy_addr(listener_addr, &hostip);
451 }
452
453 /* Save the address name */
454 sockaddr_to_host_port(listener->factory.pool,
455 &listener->factory.addr_name, listener_addr);
456 }
457
458 /* If port is zero, get the bound port */
459 if (listener->factory.addr_name.port == 0) {
460 listener->factory.addr_name.port = pj_sockaddr_get_port(listener_addr);
461 }
462
463 pj_ansi_snprintf(listener->factory.obj_name,
464 sizeof(listener->factory.obj_name),
465 "tlslis:%d", listener->factory.addr_name.port);
466
467 /* Register to transport manager */
468 listener->endpt = endpt;
469 listener->tpmgr = pjsip_endpt_get_tpmgr(endpt);
470 listener->factory.create_transport2 = lis_create_transport;
471 listener->factory.destroy = lis_destroy;
472 listener->is_registered = PJ_TRUE;
473 status = pjsip_tpmgr_register_tpfactory(listener->tpmgr,
474 &listener->factory);
475 if (status != PJ_SUCCESS) {
476 listener->is_registered = PJ_FALSE;
477 goto on_error;
478 }
479
480 if (has_listener) {
481 PJ_LOG(4,(listener->factory.obj_name,
482 "SIP TLS listener is ready for incoming connections "
483 "at %.*s:%d",
484 (int)listener->factory.addr_name.host.slen,
485 listener->factory.addr_name.host.ptr,
486 listener->factory.addr_name.port));
487 } else {
488 PJ_LOG(4,(listener->factory.obj_name, "SIP TLS is ready "
489 "(client only)"));
490 }
491
492 /* Return the pointer to user */
493 if (p_factory) *p_factory = &listener->factory;
494
495 return PJ_SUCCESS;
496
497on_error:
498 lis_destroy(&listener->factory);
499 return status;
500}
501
502
503/* This callback is called by transport manager to destroy listener */
504static pj_status_t lis_destroy(pjsip_tpfactory *factory)
505{
506 struct tls_listener *listener = (struct tls_listener *)factory;
507
508 if (listener->is_registered) {
509 pjsip_tpmgr_unregister_tpfactory(listener->tpmgr, &listener->factory);
510 listener->is_registered = PJ_FALSE;
511 }
512
513 if (listener->ssock) {
514 pj_ssl_sock_close(listener->ssock);
515 listener->ssock = NULL;
516 }
517
518 if (listener->factory.lock) {
519 pj_lock_destroy(listener->factory.lock);
520 listener->factory.lock = NULL;
521 }
522
523 if (listener->factory.pool) {
524 pj_pool_t *pool = listener->factory.pool;
525
526 PJ_LOG(4,(listener->factory.obj_name, "SIP TLS listener destroyed"));
527
528 listener->factory.pool = NULL;
529 pj_pool_release(pool);
530 }
531
532 return PJ_SUCCESS;
533}
534
535
536/***************************************************************************/
537/*
538 * TLS Transport
539 */
540
541/*
542 * Prototypes.
543 */
544/* Called by transport manager to send message */
545static pj_status_t tls_send_msg(pjsip_transport *transport,
546 pjsip_tx_data *tdata,
547 const pj_sockaddr_t *rem_addr,
548 int addr_len,
549 void *token,
550 pjsip_transport_callback callback);
551
552/* Called by transport manager to shutdown */
553static pj_status_t tls_shutdown(pjsip_transport *transport);
554
555/* Called by transport manager to destroy transport */
556static pj_status_t tls_destroy_transport(pjsip_transport *transport);
557
558/* Utility to destroy transport */
559static pj_status_t tls_destroy(pjsip_transport *transport,
560 pj_status_t reason);
561
562/* Callback when connect completes */
563static pj_bool_t on_connect_complete(pj_ssl_sock_t *ssock,
564 pj_status_t status);
565
566/* TLS keep-alive timer callback */
567static void tls_keep_alive_timer(pj_timer_heap_t *th, pj_timer_entry *e);
568
569/*
570 * Common function to create TLS transport, called when pending accept() and
571 * pending connect() complete.
572 */
573static pj_status_t tls_create( struct tls_listener *listener,
574 pj_pool_t *pool,
575 pj_ssl_sock_t *ssock,
576 pj_bool_t is_server,
577 const pj_sockaddr *local,
578 const pj_sockaddr *remote,
579 const pj_str_t *remote_name,
580 struct tls_transport **p_tls)
581{
582 struct tls_transport *tls;
583 const pj_str_t ka_pkt = PJSIP_TLS_KEEP_ALIVE_DATA;
584 char print_addr[PJ_INET6_ADDRSTRLEN+10];
585 pj_status_t status;
586
587
588 PJ_ASSERT_RETURN(listener && ssock && local && remote && p_tls, PJ_EINVAL);
589
590
591 if (pool == NULL) {
592 pool = pjsip_endpt_create_pool(listener->endpt, "tls",
593 POOL_TP_INIT, POOL_TP_INC);
594 PJ_ASSERT_RETURN(pool != NULL, PJ_ENOMEM);
595 }
596
597 /*
598 * Create and initialize basic transport structure.
599 */
600 tls = PJ_POOL_ZALLOC_T(pool, struct tls_transport);
601 tls->is_server = is_server;
602 tls->verify_server = listener->tls_setting.verify_server;
603 pj_list_init(&tls->delayed_list);
604 tls->base.pool = pool;
605
606 pj_ansi_snprintf(tls->base.obj_name, PJ_MAX_OBJ_NAME,
607 (is_server ? "tlss%p" :"tlsc%p"), tls);
608
609 status = pj_atomic_create(pool, 0, &tls->base.ref_cnt);
610 if (status != PJ_SUCCESS) {
611 goto on_error;
612 }
613
614 status = pj_lock_create_recursive_mutex(pool, "tls", &tls->base.lock);
615 if (status != PJ_SUCCESS) {
616 goto on_error;
617 }
618
619 if (remote_name)
620 pj_strdup(pool, &tls->remote_name, remote_name);
621
622 tls->base.key.type = listener->factory.type;
623 pj_sockaddr_cp(&tls->base.key.rem_addr, remote);
624 tls->base.type_name = (char*)pjsip_transport_get_type_name(
625 (pjsip_transport_type_e)tls->base.key.type);
626 tls->base.flag = pjsip_transport_get_flag_from_type(
627 (pjsip_transport_type_e)tls->base.key.type);
628
629 tls->base.info = (char*) pj_pool_alloc(pool, 64);
630 pj_ansi_snprintf(tls->base.info, 64, "%s to %s",
631 tls->base.type_name,
632 pj_sockaddr_print(remote, print_addr,
633 sizeof(print_addr), 3));
634
635
636 tls->base.addr_len = pj_sockaddr_get_len(remote);
637 tls->base.dir = is_server? PJSIP_TP_DIR_INCOMING : PJSIP_TP_DIR_OUTGOING;
638
639 /* Set initial local address */
640 if (!pj_sockaddr_has_addr(local)) {
641 pj_sockaddr_cp(&tls->base.local_addr,
642 &listener->factory.local_addr);
643 } else {
644 pj_sockaddr_cp(&tls->base.local_addr, local);
645 }
646
647 sockaddr_to_host_port(pool, &tls->base.local_name, &tls->base.local_addr);
648 if (tls->remote_name.slen) {
649 tls->base.remote_name.host = tls->remote_name;
650 tls->base.remote_name.port = pj_sockaddr_get_port(remote);
651 } else {
652 sockaddr_to_host_port(pool, &tls->base.remote_name, remote);
653 }
654
655 tls->base.endpt = listener->endpt;
656 tls->base.tpmgr = listener->tpmgr;
657 tls->base.send_msg = &tls_send_msg;
658 tls->base.do_shutdown = &tls_shutdown;
659 tls->base.destroy = &tls_destroy_transport;
660
661 tls->ssock = ssock;
662
663 /* Register transport to transport manager */
664 status = pjsip_transport_register(listener->tpmgr, &tls->base);
665 if (status != PJ_SUCCESS) {
666 goto on_error;
667 }
668
669 tls->is_registered = PJ_TRUE;
670
671 /* Initialize keep-alive timer */
672 tls->ka_timer.user_data = (void*)tls;
673 tls->ka_timer.cb = &tls_keep_alive_timer;
674 pj_ioqueue_op_key_init(&tls->ka_op_key.key, sizeof(pj_ioqueue_op_key_t));
675 pj_strdup(tls->base.pool, &tls->ka_pkt, &ka_pkt);
676
677 /* Done setting up basic transport. */
678 *p_tls = tls;
679
680 PJ_LOG(4,(tls->base.obj_name, "TLS %s transport created",
681 (tls->is_server ? "server" : "client")));
682
683 return PJ_SUCCESS;
684
685on_error:
686 tls_destroy(&tls->base, status);
687 return status;
688}
689
690
691/* Flush all delayed transmision once the socket is connected. */
692static void tls_flush_pending_tx(struct tls_transport *tls)
693{
694 pj_time_val now;
695
696 pj_gettickcount(&now);
697 pj_lock_acquire(tls->base.lock);
698 while (!pj_list_empty(&tls->delayed_list)) {
699 struct delayed_tdata *pending_tx;
700 pjsip_tx_data *tdata;
701 pj_ioqueue_op_key_t *op_key;
702 pj_ssize_t size;
703 pj_status_t status;
704
705 pending_tx = tls->delayed_list.next;
706 pj_list_erase(pending_tx);
707
708 tdata = pending_tx->tdata_op_key->tdata;
709 op_key = (pj_ioqueue_op_key_t*)pending_tx->tdata_op_key;
710
711 if (pending_tx->timeout.sec > 0 &&
712 PJ_TIME_VAL_GT(now, pending_tx->timeout))
713 {
714 continue;
715 }
716
717 /* send! */
718 size = tdata->buf.cur - tdata->buf.start;
719 status = pj_ssl_sock_send(tls->ssock, op_key, tdata->buf.start,
720 &size, 0);
721
722 if (status != PJ_EPENDING) {
723 pj_lock_release(tls->base.lock);
724 on_data_sent(tls->ssock, op_key, size);
725 pj_lock_acquire(tls->base.lock);
726 }
727 }
728 pj_lock_release(tls->base.lock);
729}
730
731
732/* Called by transport manager to destroy transport */
733static pj_status_t tls_destroy_transport(pjsip_transport *transport)
734{
735 struct tls_transport *tls = (struct tls_transport*)transport;
736
737 /* Transport would have been unregistered by now since this callback
738 * is called by transport manager.
739 */
740 tls->is_registered = PJ_FALSE;
741
742 return tls_destroy(transport, tls->close_reason);
743}
744
745
746/* Destroy TLS transport */
747static pj_status_t tls_destroy(pjsip_transport *transport,
748 pj_status_t reason)
749{
750 struct tls_transport *tls = (struct tls_transport*)transport;
751
752 if (tls->close_reason == 0)
753 tls->close_reason = reason;
754
755 if (tls->is_registered) {
756 tls->is_registered = PJ_FALSE;
757 pjsip_transport_destroy(transport);
758
759 /* pjsip_transport_destroy will recursively call this function
760 * again.
761 */
762 return PJ_SUCCESS;
763 }
764
765 /* Mark transport as closing */
766 tls->is_closing = PJ_TRUE;
767
768 /* Stop keep-alive timer. */
769 if (tls->ka_timer.id) {
770 pjsip_endpt_cancel_timer(tls->base.endpt, &tls->ka_timer);
771 tls->ka_timer.id = PJ_FALSE;
772 }
773
774 /* Cancel all delayed transmits */
775 while (!pj_list_empty(&tls->delayed_list)) {
776 struct delayed_tdata *pending_tx;
777 pj_ioqueue_op_key_t *op_key;
778
779 pending_tx = tls->delayed_list.next;
780 pj_list_erase(pending_tx);
781
782 op_key = (pj_ioqueue_op_key_t*)pending_tx->tdata_op_key;
783
784 on_data_sent(tls->ssock, op_key, -reason);
785 }
786
787 if (tls->rdata.tp_info.pool) {
788 pj_pool_release(tls->rdata.tp_info.pool);
789 tls->rdata.tp_info.pool = NULL;
790 }
791
792 if (tls->ssock) {
793 pj_ssl_sock_close(tls->ssock);
794 tls->ssock = NULL;
795 }
796 if (tls->base.lock) {
797 pj_lock_destroy(tls->base.lock);
798 tls->base.lock = NULL;
799 }
800
801 if (tls->base.ref_cnt) {
802 pj_atomic_destroy(tls->base.ref_cnt);
803 tls->base.ref_cnt = NULL;
804 }
805
806 if (tls->base.pool) {
807 pj_pool_t *pool;
808
809 if (reason != PJ_SUCCESS) {
810 char errmsg[PJ_ERR_MSG_SIZE];
811
812 pj_strerror(reason, errmsg, sizeof(errmsg));
813 PJ_LOG(4,(tls->base.obj_name,
814 "TLS transport destroyed with reason %d: %s",
815 reason, errmsg));
816
817 } else {
818
819 PJ_LOG(4,(tls->base.obj_name,
820 "TLS transport destroyed normally"));
821
822 }
823
824 pool = tls->base.pool;
825 tls->base.pool = NULL;
826 pj_pool_release(pool);
827 }
828
829 return PJ_SUCCESS;
830}
831
832
833/*
834 * This utility function creates receive data buffers and start
835 * asynchronous recv() operations from the socket. It is called after
836 * accept() or connect() operation complete.
837 */
838static pj_status_t tls_start_read(struct tls_transport *tls)
839{
840 pj_pool_t *pool;
841 pj_uint32_t size;
842 pj_sockaddr *rem_addr;
843 void *readbuf[1];
844 pj_status_t status;
845
846 /* Init rdata */
847 pool = pjsip_endpt_create_pool(tls->base.endpt,
848 "rtd%p",
849 PJSIP_POOL_RDATA_LEN,
850 PJSIP_POOL_RDATA_INC);
851 if (!pool) {
852 tls_perror(tls->base.obj_name, "Unable to create pool", PJ_ENOMEM);
853 return PJ_ENOMEM;
854 }
855
856 tls->rdata.tp_info.pool = pool;
857
858 tls->rdata.tp_info.transport = &tls->base;
859 tls->rdata.tp_info.tp_data = tls;
860 tls->rdata.tp_info.op_key.rdata = &tls->rdata;
861 pj_ioqueue_op_key_init(&tls->rdata.tp_info.op_key.op_key,
862 sizeof(pj_ioqueue_op_key_t));
863
864 tls->rdata.pkt_info.src_addr = tls->base.key.rem_addr;
865 tls->rdata.pkt_info.src_addr_len = sizeof(tls->rdata.pkt_info.src_addr);
866 rem_addr = &tls->base.key.rem_addr;
867 pj_sockaddr_print(rem_addr, tls->rdata.pkt_info.src_name,
868 sizeof(tls->rdata.pkt_info.src_name), 0);
869 tls->rdata.pkt_info.src_port = pj_sockaddr_get_port(rem_addr);
870
871 size = sizeof(tls->rdata.pkt_info.packet);
872 readbuf[0] = tls->rdata.pkt_info.packet;
873 status = pj_ssl_sock_start_read2(tls->ssock, tls->base.pool, size,
874 readbuf, 0);
875 if (status != PJ_SUCCESS && status != PJ_EPENDING) {
876 PJ_LOG(4, (tls->base.obj_name,
877 "pj_ssl_sock_start_read() error, status=%d",
878 status));
879 return status;
880 }
881
882 return PJ_SUCCESS;
883}
884
885
886/* This callback is called by transport manager for the TLS factory
887 * to create outgoing transport to the specified destination.
888 */
889static pj_status_t lis_create_transport(pjsip_tpfactory *factory,
890 pjsip_tpmgr *mgr,
891 pjsip_endpoint *endpt,
892 const pj_sockaddr *rem_addr,
893 int addr_len,
894 pjsip_tx_data *tdata,
895 pjsip_transport **p_transport)
896{
897 struct tls_listener *listener;
898 struct tls_transport *tls;
899 pj_pool_t *pool;
900 pj_ssl_sock_t *ssock;
901 pj_ssl_sock_param ssock_param;
902 pj_sockaddr local_addr;
903 pj_str_t remote_name;
904 pj_status_t status;
905
906 /* Sanity checks */
907 PJ_ASSERT_RETURN(factory && mgr && endpt && rem_addr &&
908 addr_len && p_transport, PJ_EINVAL);
909
910 /* Check that address is a sockaddr_in or sockaddr_in6*/
911 PJ_ASSERT_RETURN((rem_addr->addr.sa_family == pj_AF_INET() &&
912 addr_len == sizeof(pj_sockaddr_in)) ||
913 (rem_addr->addr.sa_family == pj_AF_INET6() &&
914 addr_len == sizeof(pj_sockaddr_in6)), PJ_EINVAL);
915
916
917 listener = (struct tls_listener*)factory;
918
919 pool = pjsip_endpt_create_pool(listener->endpt, "tls",
920 POOL_TP_INIT, POOL_TP_INC);
921 PJ_ASSERT_RETURN(pool != NULL, PJ_ENOMEM);
922
923 /* Get remote host name from tdata */
924 if (tdata)
925 remote_name = tdata->dest_info.name;
926 else
927 pj_bzero(&remote_name, sizeof(remote_name));
928
929 /* Build SSL socket param */
930 pj_ssl_sock_param_default(&ssock_param);
931 ssock_param.sock_af = (factory->type & PJSIP_TRANSPORT_IPV6) ?
932 pj_AF_INET6() : pj_AF_INET();
933 ssock_param.cb.on_connect_complete = &on_connect_complete;
934 ssock_param.cb.on_data_read = &on_data_read;
935 ssock_param.cb.on_data_sent = &on_data_sent;
936 ssock_param.async_cnt = 1;
937 ssock_param.ioqueue = pjsip_endpt_get_ioqueue(listener->endpt);
938 ssock_param.server_name = remote_name;
939 ssock_param.timeout = listener->tls_setting.timeout;
940 ssock_param.user_data = NULL; /* pending, must be set later */
941 ssock_param.verify_peer = PJ_FALSE; /* avoid SSL socket closing the socket
942 * due to verification error */
943 if (ssock_param.send_buffer_size < PJSIP_MAX_PKT_LEN)
944 ssock_param.send_buffer_size = PJSIP_MAX_PKT_LEN;
945 if (ssock_param.read_buffer_size < PJSIP_MAX_PKT_LEN)
946 ssock_param.read_buffer_size = PJSIP_MAX_PKT_LEN;
947 ssock_param.ciphers_num = listener->tls_setting.ciphers_num;
948 ssock_param.ciphers = listener->tls_setting.ciphers;
949 ssock_param.qos_type = listener->tls_setting.qos_type;
950 ssock_param.qos_ignore_error = listener->tls_setting.qos_ignore_error;
951 pj_memcpy(&ssock_param.qos_params, &listener->tls_setting.qos_params,
952 sizeof(ssock_param.qos_params));
953
954 switch(listener->tls_setting.method) {
955 case PJSIP_TLSV1_METHOD:
956 ssock_param.proto = PJ_SSL_SOCK_PROTO_TLS1;
957 break;
958 case PJSIP_SSLV2_METHOD:
959 ssock_param.proto = PJ_SSL_SOCK_PROTO_SSL2;
960 break;
961 case PJSIP_SSLV3_METHOD:
962 ssock_param.proto = PJ_SSL_SOCK_PROTO_SSL3;
963 break;
964 case PJSIP_SSLV23_METHOD:
965 ssock_param.proto = PJ_SSL_SOCK_PROTO_SSL23;
966 break;
967 default:
968 ssock_param.proto = PJ_SSL_SOCK_PROTO_DEFAULT;
969 break;
970 }
971
972 status = pj_ssl_sock_create(pool, &ssock_param, &ssock);
973 if (status != PJ_SUCCESS)
974 return status;
975
976 /* Apply SSL certificate */
977 if (listener->cert) {
978 status = pj_ssl_sock_set_certificate(ssock, pool, listener->cert);
979 if (status != PJ_SUCCESS)
980 return status;
981 }
982
983 /* Initially set bind address to listener's bind address */
984 pj_sockaddr_init(listener->bound_addr.addr.sa_family,
985 &local_addr, NULL, 0);
986 pj_sockaddr_copy_addr(&local_addr, &listener->bound_addr);
987
988 /* Create the transport descriptor */
989 status = tls_create(listener, pool, ssock, PJ_FALSE, &local_addr,
990 rem_addr, &remote_name, &tls);
991 if (status != PJ_SUCCESS)
992 return status;
993
994 /* Set the "pending" SSL socket user data */
995 pj_ssl_sock_set_user_data(tls->ssock, tls);
996
997 /* Start asynchronous connect() operation */
998 tls->has_pending_connect = PJ_TRUE;
999 status = pj_ssl_sock_start_connect(tls->ssock, tls->base.pool,
1000 (pj_sockaddr_t*)&local_addr,
1001 (pj_sockaddr_t*)rem_addr,
1002 addr_len);
1003 if (status == PJ_SUCCESS) {
1004 on_connect_complete(tls->ssock, PJ_SUCCESS);
1005 } else if (status != PJ_EPENDING) {
1006 tls_destroy(&tls->base, status);
1007 return status;
1008 }
1009
1010 if (tls->has_pending_connect) {
1011 pj_ssl_sock_info info;
1012
1013 /* Update local address, just in case local address currently set is
1014 * different now that asynchronous connect() is started.
1015 */
1016
1017 /* Retrieve the bound address */
1018 status = pj_ssl_sock_get_info(tls->ssock, &info);
1019 if (status == PJ_SUCCESS) {
1020 pj_uint16_t new_port;
1021
1022 new_port = pj_sockaddr_get_port((pj_sockaddr_t*)&info.local_addr);
1023
1024 if (pj_sockaddr_has_addr((pj_sockaddr_t*)&info.local_addr)) {
1025 /* Update sockaddr */
1026 pj_sockaddr_cp((pj_sockaddr_t*)&tls->base.local_addr,
1027 (pj_sockaddr_t*)&info.local_addr);
1028 } else if (new_port && new_port != pj_sockaddr_get_port(
1029 (pj_sockaddr_t*)&tls->base.local_addr))
1030 {
1031 /* Update port only */
1032 pj_sockaddr_set_port(&tls->base.local_addr,
1033 new_port);
1034 }
1035
1036 sockaddr_to_host_port(tls->base.pool, &tls->base.local_name,
1037 &tls->base.local_addr);
1038 }
1039
1040 PJ_LOG(4,(tls->base.obj_name,
1041 "TLS transport %.*s:%d is connecting to %.*s:%d...",
1042 (int)tls->base.local_name.host.slen,
1043 tls->base.local_name.host.ptr,
1044 tls->base.local_name.port,
1045 (int)tls->base.remote_name.host.slen,
1046 tls->base.remote_name.host.ptr,
1047 tls->base.remote_name.port));
1048 }
1049
1050 /* Done */
1051 *p_transport = &tls->base;
1052
1053 return PJ_SUCCESS;
1054}
1055
1056
1057/*
1058 * This callback is called by SSL socket when pending accept() operation
1059 * has completed.
1060 */
1061static pj_bool_t on_accept_complete(pj_ssl_sock_t *ssock,
1062 pj_ssl_sock_t *new_ssock,
1063 const pj_sockaddr_t *src_addr,
1064 int src_addr_len)
1065{
1066 struct tls_listener *listener;
1067 struct tls_transport *tls;
1068 pj_ssl_sock_info ssl_info;
1069 char addr[PJ_INET6_ADDRSTRLEN+10];
1070 pjsip_tp_state_callback state_cb;
1071 pj_sockaddr tmp_src_addr;
1072 pj_bool_t is_shutdown;
1073 pj_status_t status;
1074
1075 PJ_UNUSED_ARG(src_addr_len);
1076
1077 listener = (struct tls_listener*) pj_ssl_sock_get_user_data(ssock);
1078
1079 PJ_ASSERT_RETURN(new_ssock, PJ_TRUE);
1080
1081 PJ_LOG(4,(listener->factory.obj_name,
1082 "TLS listener %.*s:%d: got incoming TLS connection "
1083 "from %s, sock=%d",
1084 (int)listener->factory.addr_name.host.slen,
1085 listener->factory.addr_name.host.ptr,
1086 listener->factory.addr_name.port,
1087 pj_sockaddr_print(src_addr, addr, sizeof(addr), 3),
1088 new_ssock));
1089
1090 /* Retrieve SSL socket info, close the socket if this is failed
1091 * as the SSL socket info availability is rather critical here.
1092 */
1093 status = pj_ssl_sock_get_info(new_ssock, &ssl_info);
1094 if (status != PJ_SUCCESS) {
1095 pj_ssl_sock_close(new_ssock);
1096 return PJ_TRUE;
1097 }
1098
1099 /* Copy to larger buffer, just in case */
1100 pj_bzero(&tmp_src_addr, sizeof(tmp_src_addr));
1101 pj_sockaddr_cp(&tmp_src_addr, src_addr);
1102
1103 /*
1104 * Incoming connection!
1105 * Create TLS transport for the new socket.
1106 */
1107 status = tls_create( listener, NULL, new_ssock, PJ_TRUE,
1108 &listener->factory.local_addr,
1109 &tmp_src_addr, NULL, &tls);
1110
1111 if (status != PJ_SUCCESS)
1112 return PJ_TRUE;
1113
1114 /* Set the "pending" SSL socket user data */
1115 pj_ssl_sock_set_user_data(new_ssock, tls);
1116
1117 /* Prevent immediate transport destroy as application may access it
1118 * (getting info, etc) in transport state notification callback.
1119 */
1120 pjsip_transport_add_ref(&tls->base);
1121
1122 /* If there is verification error and verification is mandatory, shutdown
1123 * and destroy the transport.
1124 */
1125 if (ssl_info.verify_status && listener->tls_setting.verify_client) {
1126 if (tls->close_reason == PJ_SUCCESS)
1127 tls->close_reason = PJSIP_TLS_ECERTVERIF;
1128 pjsip_transport_shutdown(&tls->base);
1129 }
1130
1131 /* Notify transport state to application */
1132 state_cb = pjsip_tpmgr_get_state_cb(tls->base.tpmgr);
1133 if (state_cb) {
1134 pjsip_transport_state_info state_info;
1135 pjsip_tls_state_info tls_info;
1136 pjsip_transport_state tp_state;
1137
1138 /* Init transport state info */
1139 pj_bzero(&tls_info, sizeof(tls_info));
1140 pj_bzero(&state_info, sizeof(state_info));
1141 tls_info.ssl_sock_info = &ssl_info;
1142 state_info.ext_info = &tls_info;
1143
1144 /* Set transport state based on verification status */
1145 if (ssl_info.verify_status && listener->tls_setting.verify_client)
1146 {
1147 tp_state = PJSIP_TP_STATE_DISCONNECTED;
1148 state_info.status = PJSIP_TLS_ECERTVERIF;
1149 } else {
1150 tp_state = PJSIP_TP_STATE_CONNECTED;
1151 state_info.status = PJ_SUCCESS;
1152 }
1153
1154 (*state_cb)(&tls->base, tp_state, &state_info);
1155 }
1156
1157 /* Release transport reference. If transport is shutting down, it may
1158 * get destroyed here.
1159 */
1160 is_shutdown = tls->base.is_shutdown;
1161 pjsip_transport_dec_ref(&tls->base);
1162 if (is_shutdown)
1163 return PJ_TRUE;
1164
1165
1166 status = tls_start_read(tls);
1167 if (status != PJ_SUCCESS) {
1168 PJ_LOG(3,(tls->base.obj_name, "New transport cancelled"));
1169 tls_init_shutdown(tls, status);
1170 tls_destroy(&tls->base, status);
1171 } else {
1172 /* Start keep-alive timer */
1173 if (PJSIP_TLS_KEEP_ALIVE_INTERVAL) {
1174 pj_time_val delay = {PJSIP_TLS_KEEP_ALIVE_INTERVAL, 0};
1175 pjsip_endpt_schedule_timer(listener->endpt,
1176 &tls->ka_timer,
1177 &delay);
1178 tls->ka_timer.id = PJ_TRUE;
1179 pj_gettimeofday(&tls->last_activity);
1180 }
1181 }
1182
1183 return PJ_TRUE;
1184}
1185
1186
1187/*
1188 * Callback from ioqueue when packet is sent.
1189 */
1190static pj_bool_t on_data_sent(pj_ssl_sock_t *ssock,
1191 pj_ioqueue_op_key_t *op_key,
1192 pj_ssize_t bytes_sent)
1193{
1194 struct tls_transport *tls = (struct tls_transport*)
1195 pj_ssl_sock_get_user_data(ssock);
1196 pjsip_tx_data_op_key *tdata_op_key = (pjsip_tx_data_op_key*)op_key;
1197
1198 /* Note that op_key may be the op_key from keep-alive, thus
1199 * it will not have tdata etc.
1200 */
1201
1202 tdata_op_key->tdata = NULL;
1203
1204 if (tdata_op_key->callback) {
1205 /*
1206 * Notify sip_transport.c that packet has been sent.
1207 */
1208 if (bytes_sent == 0)
1209 bytes_sent = -PJ_RETURN_OS_ERROR(OSERR_ENOTCONN);
1210
1211 tdata_op_key->callback(&tls->base, tdata_op_key->token, bytes_sent);
1212
1213 /* Mark last activity time */
1214 pj_gettimeofday(&tls->last_activity);
1215
1216 }
1217
1218 /* Check for error/closure */
1219 if (bytes_sent <= 0) {
1220 pj_status_t status;
1221
1222 PJ_LOG(5,(tls->base.obj_name, "TLS send() error, sent=%d",
1223 bytes_sent));
1224
1225 status = (bytes_sent == 0) ? PJ_RETURN_OS_ERROR(OSERR_ENOTCONN) :
1226 (pj_status_t)-bytes_sent;
1227
1228 tls_init_shutdown(tls, status);
1229
1230 return PJ_FALSE;
1231 }
1232
1233 return PJ_TRUE;
1234}
1235
1236
1237/*
1238 * This callback is called by transport manager to send SIP message
1239 */
1240static pj_status_t tls_send_msg(pjsip_transport *transport,
1241 pjsip_tx_data *tdata,
1242 const pj_sockaddr_t *rem_addr,
1243 int addr_len,
1244 void *token,
1245 pjsip_transport_callback callback)
1246{
1247 struct tls_transport *tls = (struct tls_transport*)transport;
1248 pj_ssize_t size;
1249 pj_bool_t delayed = PJ_FALSE;
1250 pj_status_t status = PJ_SUCCESS;
1251
1252 /* Sanity check */
1253 PJ_ASSERT_RETURN(transport && tdata, PJ_EINVAL);
1254
1255 /* Check that there's no pending operation associated with the tdata */
1256 PJ_ASSERT_RETURN(tdata->op_key.tdata == NULL, PJSIP_EPENDINGTX);
1257
1258 /* Check the address is supported */
1259 PJ_ASSERT_RETURN(rem_addr && (addr_len==sizeof(pj_sockaddr_in) ||
1260 addr_len==sizeof(pj_sockaddr_in6)),
1261 PJ_EINVAL);
1262
1263 /* Init op key. */
1264 tdata->op_key.tdata = tdata;
1265 tdata->op_key.token = token;
1266 tdata->op_key.callback = callback;
1267
1268 /* If asynchronous connect() has not completed yet, just put the
1269 * transmit data in the pending transmission list since we can not
1270 * use the socket yet.
1271 */
1272 if (tls->has_pending_connect) {
1273
1274 /*
1275 * Looks like connect() is still in progress. Check again (this time
1276 * with holding the lock) to be sure.
1277 */
1278 pj_lock_acquire(tls->base.lock);
1279
1280 if (tls->has_pending_connect) {
1281 struct delayed_tdata *delayed_tdata;
1282
1283 /*
1284 * connect() is still in progress. Put the transmit data to
1285 * the delayed list.
1286 * Starting from #1583 (https://trac.pjsip.org/repos/ticket/1583),
1287 * we also add timeout value for the transmit data. When the
1288 * connect() is completed, the timeout value will be checked to
1289 * determine whether the transmit data needs to be sent.
1290 */
1291 delayed_tdata = PJ_POOL_ZALLOC_T(tdata->pool,
1292 struct delayed_tdata);
1293 delayed_tdata->tdata_op_key = &tdata->op_key;
1294 if (tdata->msg && tdata->msg->type == PJSIP_REQUEST_MSG) {
1295 pj_gettickcount(&delayed_tdata->timeout);
1296 delayed_tdata->timeout.msec += pjsip_cfg()->tsx.td;
1297 pj_time_val_normalize(&delayed_tdata->timeout);
1298 }
1299
1300 pj_list_push_back(&tls->delayed_list, delayed_tdata);
1301 status = PJ_EPENDING;
1302
1303 /* Prevent pj_ioqueue_send() to be called below */
1304 delayed = PJ_TRUE;
1305 }
1306
1307 pj_lock_release(tls->base.lock);
1308 }
1309
1310 if (!delayed) {
1311 /*
1312 * Transport is ready to go. Send the packet to ioqueue to be
1313 * sent asynchronously.
1314 */
1315 size = tdata->buf.cur - tdata->buf.start;
1316 status = pj_ssl_sock_send(tls->ssock,
1317 (pj_ioqueue_op_key_t*)&tdata->op_key,
1318 tdata->buf.start, &size, 0);
1319
1320 if (status != PJ_EPENDING) {
1321 /* Not pending (could be immediate success or error) */
1322 tdata->op_key.tdata = NULL;
1323
1324 /* Shutdown transport on closure/errors */
1325 if (size <= 0) {
1326
1327 PJ_LOG(5,(tls->base.obj_name, "TLS send() error, sent=%d",
1328 size));
1329
1330 if (status == PJ_SUCCESS)
1331 status = PJ_RETURN_OS_ERROR(OSERR_ENOTCONN);
1332
1333 tls_init_shutdown(tls, status);
1334 }
1335 }
1336 }
1337
1338 return status;
1339}
1340
1341
1342/*
1343 * This callback is called by transport manager to shutdown transport.
1344 */
1345static pj_status_t tls_shutdown(pjsip_transport *transport)
1346{
1347 struct tls_transport *tls = (struct tls_transport*)transport;
1348
1349 /* Stop keep-alive timer. */
1350 if (tls->ka_timer.id) {
1351 pjsip_endpt_cancel_timer(tls->base.endpt, &tls->ka_timer);
1352 tls->ka_timer.id = PJ_FALSE;
1353 }
1354
1355 return PJ_SUCCESS;
1356}
1357
1358
1359/*
1360 * Callback from ioqueue that an incoming data is received from the socket.
1361 */
1362static pj_bool_t on_data_read(pj_ssl_sock_t *ssock,
1363 void *data,
1364 pj_size_t size,
1365 pj_status_t status,
1366 pj_size_t *remainder)
1367{
1368 enum { MAX_IMMEDIATE_PACKET = 10 };
1369 struct tls_transport *tls;
1370 pjsip_rx_data *rdata;
1371
1372 PJ_UNUSED_ARG(data);
1373
1374 tls = (struct tls_transport*) pj_ssl_sock_get_user_data(ssock);
1375 rdata = &tls->rdata;
1376
1377 /* Don't do anything if transport is closing. */
1378 if (tls->is_closing) {
1379 tls->is_closing++;
1380 return PJ_FALSE;
1381 }
1382
1383 /* Houston, we have packet! Report the packet to transport manager
1384 * to be parsed.
1385 */
1386 if (status == PJ_SUCCESS) {
1387 pj_size_t size_eaten;
1388
1389 /* Mark this as an activity */
1390 pj_gettimeofday(&tls->last_activity);
1391
1392 pj_assert((void*)rdata->pkt_info.packet == data);
1393
1394 /* Init pkt_info part. */
1395 rdata->pkt_info.len = size;
1396 rdata->pkt_info.zero = 0;
1397 pj_gettimeofday(&rdata->pkt_info.timestamp);
1398
1399 /* Report to transport manager.
1400 * The transport manager will tell us how many bytes of the packet
1401 * have been processed (as valid SIP message).
1402 */
1403 size_eaten =
1404 pjsip_tpmgr_receive_packet(rdata->tp_info.transport->tpmgr,
1405 rdata);
1406
1407 pj_assert(size_eaten <= (pj_size_t)rdata->pkt_info.len);
1408
1409 /* Move unprocessed data to the front of the buffer */
1410 *remainder = size - size_eaten;
1411 if (*remainder > 0 && *remainder != size) {
1412 pj_memmove(rdata->pkt_info.packet,
1413 rdata->pkt_info.packet + size_eaten,
1414 *remainder);
1415 }
1416
1417 } else {
1418
1419 /* Transport is closed */
1420 PJ_LOG(4,(tls->base.obj_name, "TLS connection closed"));
1421
1422 tls_init_shutdown(tls, status);
1423
1424 return PJ_FALSE;
1425
1426 }
1427
1428 /* Reset pool. */
1429 pj_pool_reset(rdata->tp_info.pool);
1430
1431 return PJ_TRUE;
1432}
1433
1434
1435/*
1436 * Callback from ioqueue when asynchronous connect() operation completes.
1437 */
1438static pj_bool_t on_connect_complete(pj_ssl_sock_t *ssock,
1439 pj_status_t status)
1440{
1441 struct tls_transport *tls;
1442 pj_ssl_sock_info ssl_info;
1443 pj_sockaddr addr, *tp_addr;
1444 pjsip_tp_state_callback state_cb;
1445 pj_bool_t is_shutdown;
1446
1447 tls = (struct tls_transport*) pj_ssl_sock_get_user_data(ssock);
1448
1449 /* Check connect() status */
1450 if (status != PJ_SUCCESS) {
1451
1452 tls_perror(tls->base.obj_name, "TLS connect() error", status);
1453
1454 /* Cancel all delayed transmits */
1455 while (!pj_list_empty(&tls->delayed_list)) {
1456 struct delayed_tdata *pending_tx;
1457 pj_ioqueue_op_key_t *op_key;
1458
1459 pending_tx = tls->delayed_list.next;
1460 pj_list_erase(pending_tx);
1461
1462 op_key = (pj_ioqueue_op_key_t*)pending_tx->tdata_op_key;
1463
1464 on_data_sent(tls->ssock, op_key, -status);
1465 }
1466
1467 goto on_error;
1468 }
1469
1470 /* Retrieve SSL socket info, shutdown the transport if this is failed
1471 * as the SSL socket info availability is rather critical here.
1472 */
1473 status = pj_ssl_sock_get_info(tls->ssock, &ssl_info);
1474 if (status != PJ_SUCCESS)
1475 goto on_error;
1476
1477 /* Update (again) local address, just in case local address currently
1478 * set is different now that the socket is connected (could happen
1479 * on some systems, like old Win32 probably?).
1480 */
1481 tp_addr = &tls->base.local_addr;
1482 pj_sockaddr_cp((pj_sockaddr_t*)&addr,
1483 (pj_sockaddr_t*)&ssl_info.local_addr);
1484 if (pj_sockaddr_cmp(tp_addr, &addr) != 0) {
1485 pj_sockaddr_cp(tp_addr, &addr);
1486 sockaddr_to_host_port(tls->base.pool, &tls->base.local_name,
1487 tp_addr);
1488 }
1489
1490 /* Server identity verification based on server certificate. */
1491 if (ssl_info.remote_cert_info->version) {
1492 pj_str_t *remote_name;
1493 pj_ssl_cert_info *serv_cert = ssl_info.remote_cert_info;
1494 pj_bool_t matched = PJ_FALSE;
1495 unsigned i;
1496
1497 /* Remote name may be hostname or IP address */
1498 if (tls->remote_name.slen)
1499 remote_name = &tls->remote_name;
1500 else
1501 remote_name = &tls->base.remote_name.host;
1502
1503 /* Start matching remote name with SubjectAltName fields of
1504 * server certificate.
1505 */
1506 for (i = 0; i < serv_cert->subj_alt_name.cnt && !matched; ++i) {
1507 pj_str_t *cert_name = &serv_cert->subj_alt_name.entry[i].name;
1508
1509 switch (serv_cert->subj_alt_name.entry[i].type) {
1510 case PJ_SSL_CERT_NAME_DNS:
1511 case PJ_SSL_CERT_NAME_IP:
1512 matched = !pj_stricmp(remote_name, cert_name);
1513 break;
1514 case PJ_SSL_CERT_NAME_URI:
1515 if (pj_strnicmp2(cert_name, "sip:", 4) == 0 ||
1516 pj_strnicmp2(cert_name, "sips:", 5) == 0)
1517 {
1518 pj_str_t host_part;
1519 char *p;
1520
1521 p = pj_strchr(cert_name, ':') + 1;
1522 pj_strset(&host_part, p, cert_name->slen -
1523 (p - cert_name->ptr));
1524 matched = !pj_stricmp(remote_name, &host_part);
1525 }
1526 break;
1527 default:
1528 break;
1529 }
1530 }
1531
1532 /* When still not matched or no SubjectAltName fields in server
1533 * certificate, try with Common Name of Subject field.
1534 */
1535 if (!matched) {
1536 matched = !pj_stricmp(remote_name, &serv_cert->subject.cn);
1537 }
1538
1539 if (!matched)
1540 ssl_info.verify_status |= PJ_SSL_CERT_EIDENTITY_NOT_MATCH;
1541 }
1542
1543 /* Prevent immediate transport destroy as application may access it
1544 * (getting info, etc) in transport state notification callback.
1545 */
1546 pjsip_transport_add_ref(&tls->base);
1547
1548 /* If there is verification error and verification is mandatory, shutdown
1549 * and destroy the transport.
1550 */
1551 if (ssl_info.verify_status && tls->verify_server) {
1552 if (tls->close_reason == PJ_SUCCESS)
1553 tls->close_reason = PJSIP_TLS_ECERTVERIF;
1554 pjsip_transport_shutdown(&tls->base);
1555 }
1556
1557 /* Notify transport state to application */
1558 state_cb = pjsip_tpmgr_get_state_cb(tls->base.tpmgr);
1559 if (state_cb) {
1560 pjsip_transport_state_info state_info;
1561 pjsip_tls_state_info tls_info;
1562 pjsip_transport_state tp_state;
1563
1564 /* Init transport state info */
1565 pj_bzero(&state_info, sizeof(state_info));
1566 pj_bzero(&tls_info, sizeof(tls_info));
1567 state_info.ext_info = &tls_info;
1568 tls_info.ssl_sock_info = &ssl_info;
1569
1570 /* Set transport state based on verification status */
1571 if (ssl_info.verify_status && tls->verify_server)
1572 {
1573 tp_state = PJSIP_TP_STATE_DISCONNECTED;
1574 state_info.status = PJSIP_TLS_ECERTVERIF;
1575 } else {
1576 tp_state = PJSIP_TP_STATE_CONNECTED;
1577 state_info.status = PJ_SUCCESS;
1578 }
1579
1580 (*state_cb)(&tls->base, tp_state, &state_info);
1581 }
1582
1583 /* Release transport reference. If transport is shutting down, it may
1584 * get destroyed here.
1585 */
1586 is_shutdown = tls->base.is_shutdown;
1587 pjsip_transport_dec_ref(&tls->base);
1588 if (is_shutdown) {
1589 status = tls->close_reason;
1590 tls_perror(tls->base.obj_name, "TLS connect() error", status);
1591
1592 /* Cancel all delayed transmits */
1593 while (!pj_list_empty(&tls->delayed_list)) {
1594 struct delayed_tdata *pending_tx;
1595 pj_ioqueue_op_key_t *op_key;
1596
1597 pending_tx = tls->delayed_list.next;
1598 pj_list_erase(pending_tx);
1599
1600 op_key = (pj_ioqueue_op_key_t*)pending_tx->tdata_op_key;
1601
1602 on_data_sent(tls->ssock, op_key, -status);
1603 }
1604
1605 return PJ_FALSE;
1606 }
1607
1608
1609 /* Mark that pending connect() operation has completed. */
1610 tls->has_pending_connect = PJ_FALSE;
1611
1612 PJ_LOG(4,(tls->base.obj_name,
1613 "TLS transport %.*s:%d is connected to %.*s:%d",
1614 (int)tls->base.local_name.host.slen,
1615 tls->base.local_name.host.ptr,
1616 tls->base.local_name.port,
1617 (int)tls->base.remote_name.host.slen,
1618 tls->base.remote_name.host.ptr,
1619 tls->base.remote_name.port));
1620
1621 /* Start pending read */
1622 status = tls_start_read(tls);
1623 if (status != PJ_SUCCESS)
1624 goto on_error;
1625
1626 /* Flush all pending send operations */
1627 tls_flush_pending_tx(tls);
1628
1629 /* Start keep-alive timer */
1630 if (PJSIP_TLS_KEEP_ALIVE_INTERVAL) {
1631 pj_time_val delay = { PJSIP_TLS_KEEP_ALIVE_INTERVAL, 0 };
1632 pjsip_endpt_schedule_timer(tls->base.endpt, &tls->ka_timer,
1633 &delay);
1634 tls->ka_timer.id = PJ_TRUE;
1635 pj_gettimeofday(&tls->last_activity);
1636 }
1637
1638 return PJ_TRUE;
1639
1640on_error:
1641 tls_init_shutdown(tls, status);
1642
1643 return PJ_FALSE;
1644}
1645
1646
1647/* Transport keep-alive timer callback */
1648static void tls_keep_alive_timer(pj_timer_heap_t *th, pj_timer_entry *e)
1649{
1650 struct tls_transport *tls = (struct tls_transport*) e->user_data;
1651 pj_time_val delay;
1652 pj_time_val now;
1653 pj_ssize_t size;
1654 pj_status_t status;
1655
1656 PJ_UNUSED_ARG(th);
1657
1658 tls->ka_timer.id = PJ_TRUE;
1659
1660 pj_gettimeofday(&now);
1661 PJ_TIME_VAL_SUB(now, tls->last_activity);
1662
1663 if (now.sec > 0 && now.sec < PJSIP_TLS_KEEP_ALIVE_INTERVAL) {
1664 /* There has been activity, so don't send keep-alive */
1665 delay.sec = PJSIP_TLS_KEEP_ALIVE_INTERVAL - now.sec;
1666 delay.msec = 0;
1667
1668 pjsip_endpt_schedule_timer(tls->base.endpt, &tls->ka_timer,
1669 &delay);
1670 tls->ka_timer.id = PJ_TRUE;
1671 return;
1672 }
1673
1674 PJ_LOG(5,(tls->base.obj_name, "Sending %d byte(s) keep-alive to %.*s:%d",
1675 (int)tls->ka_pkt.slen, (int)tls->base.remote_name.host.slen,
1676 tls->base.remote_name.host.ptr,
1677 tls->base.remote_name.port));
1678
1679 /* Send the data */
1680 size = tls->ka_pkt.slen;
1681 status = pj_ssl_sock_send(tls->ssock, &tls->ka_op_key.key,
1682 tls->ka_pkt.ptr, &size, 0);
1683
1684 if (status != PJ_SUCCESS && status != PJ_EPENDING) {
1685 tls_perror(tls->base.obj_name,
1686 "Error sending keep-alive packet", status);
1687
1688 tls_init_shutdown(tls, status);
1689 return;
1690 }
1691
1692 /* Register next keep-alive */
1693 delay.sec = PJSIP_TLS_KEEP_ALIVE_INTERVAL;
1694 delay.msec = 0;
1695
1696 pjsip_endpt_schedule_timer(tls->base.endpt, &tls->ka_timer,
1697 &delay);
1698 tls->ka_timer.id = PJ_TRUE;
1699}
1700
1701#endif /* PJSIP_HAS_TLS_TRANSPORT */