Gitiles
Code Review Sign In
review.jami.net / jami-client-android / 975128424bad893d75e68175800351a15f449a70 / . / jni / pjproject-android / .svn / pristine / 5b / 5b9ffd87d9e07e0538749d14cda4a6e86f9bd268.svn-base
blob: dc83ab8b128c29b7868b16f5956dbe8d6aaf6f92 [file] [log] [blame]
Tristan Matthews0a329cc2013-07-17 13:20:14 -0400[diff] [blame]1/* $Id$ */
2/*
3 * Copyright (C) 2009-2011 Teluu Inc. (http://www.teluu.com)
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
18 */
19
20#include <pjsip/sip_transport_tls.h>
21#include <pjsip/sip_endpoint.h>
22#include <pjsip/sip_errno.h>
23#include <pj/compat/socket.h>
24#include <pj/addr_resolv.h>
25#include <pj/ssl_sock.h>
26#include <pj/assert.h>
27#include <pj/hash.h>
28#include <pj/lock.h>
29#include <pj/log.h>
30#include <pj/os.h>
31#include <pj/pool.h>
32#include <pj/string.h>
33
34#if defined(PJSIP_HAS_TLS_TRANSPORT) && PJSIP_HAS_TLS_TRANSPORT!=0
35
36#define THIS_FILE "sip_transport_tls.c"
37
38#define MAX_ASYNC_CNT 16
39#define POOL_LIS_INIT 512
40#define POOL_LIS_INC 512
41#define POOL_TP_INIT 512
42#define POOL_TP_INC 512
43
44struct tls_listener;
45struct tls_transport;
46
47/*
48 * Definition of TLS/SSL transport listener, and it's descendant of
49 * pjsip_tpfactory.
50 */
51struct tls_listener
52{
53 pjsip_tpfactory factory;
54 pj_bool_t is_registered;
55 pjsip_endpoint *endpt;
56 pjsip_tpmgr *tpmgr;
57 pj_ssl_sock_t *ssock;
58 pj_sockaddr bound_addr;
59 pj_ssl_cert_t *cert;
60 pjsip_tls_setting tls_setting;
61};
62
63
64/*
65 * This structure is used to keep delayed transmit operation in a list.
66 * A delayed transmission occurs when application sends tx_data when
67 * the TLS connect/establishment is still in progress. These delayed
68 * transmission will be "flushed" once the socket is connected (either
69 * successfully or with errors).
70 */
71struct delayed_tdata
72{
73 PJ_DECL_LIST_MEMBER(struct delayed_tdata);
74 pjsip_tx_data_op_key *tdata_op_key;
75 pj_time_val timeout;
76};
77
78
79/*
80 * TLS/SSL transport, and it's descendant of pjsip_transport.
81 */
82struct tls_transport
83{
84 pjsip_transport base;
85 pj_bool_t is_server;
86 pj_str_t remote_name;
87
88 pj_bool_t is_registered;
89 pj_bool_t is_closing;
90 pj_status_t close_reason;
91 pj_ssl_sock_t *ssock;
92 pj_bool_t has_pending_connect;
93 pj_bool_t verify_server;
94
95 /* Keep-alive timer. */
96 pj_timer_entry ka_timer;
97 pj_time_val last_activity;
98 pjsip_tx_data_op_key ka_op_key;
99 pj_str_t ka_pkt;
100
101 /* TLS transport can only have one rdata!
102 * Otherwise chunks of incoming PDU may be received on different
103 * buffer.
104 */
105 pjsip_rx_data rdata;
106
107 /* Pending transmission list. */
108 struct delayed_tdata delayed_list;
109};
110
111
112/****************************************************************************
113 * PROTOTYPES
114 */
115
116/* This callback is called when pending accept() operation completes. */
117static pj_bool_t on_accept_complete(pj_ssl_sock_t *ssock,
118 pj_ssl_sock_t *new_ssock,
119 const pj_sockaddr_t *src_addr,
120 int src_addr_len);
121
122/* Callback on incoming data */
123static pj_bool_t on_data_read(pj_ssl_sock_t *ssock,
124 void *data,
125 pj_size_t size,
126 pj_status_t status,
127 pj_size_t *remainder);
128
129/* Callback when packet is sent */
130static pj_bool_t on_data_sent(pj_ssl_sock_t *ssock,
131 pj_ioqueue_op_key_t *send_key,
132 pj_ssize_t sent);
133
134/* This callback is called by transport manager to destroy listener */
135static pj_status_t lis_destroy(pjsip_tpfactory *factory);
136
137/* This callback is called by transport manager to create transport */
138static pj_status_t lis_create_transport(pjsip_tpfactory *factory,
139 pjsip_tpmgr *mgr,
140 pjsip_endpoint *endpt,
141 const pj_sockaddr *rem_addr,
142 int addr_len,
143 pjsip_tx_data *tdata,
144 pjsip_transport **transport);
145
146/* Common function to create and initialize transport */
147static pj_status_t tls_create(struct tls_listener *listener,
148 pj_pool_t *pool,
149 pj_ssl_sock_t *ssock,
150 pj_bool_t is_server,
151 const pj_sockaddr *local,
152 const pj_sockaddr *remote,
153 const pj_str_t *remote_name,
154 struct tls_transport **p_tls);
155
156
157static void tls_perror(const char *sender, const char *title,
158 pj_status_t status)
159{
160 char errmsg[PJ_ERR_MSG_SIZE];
161
162 pj_strerror(status, errmsg, sizeof(errmsg));
163
164 PJ_LOG(1,(sender, "%s: %s [code=%d]", title, errmsg, status));
165}
166
167
168static void sockaddr_to_host_port( pj_pool_t *pool,
169 pjsip_host_port *host_port,
170 const pj_sockaddr *addr )
171{
172 host_port->host.ptr = (char*) pj_pool_alloc(pool, PJ_INET6_ADDRSTRLEN+4);
173 pj_sockaddr_print(addr, host_port->host.ptr, PJ_INET6_ADDRSTRLEN+4, 0);
174 host_port->host.slen = pj_ansi_strlen(host_port->host.ptr);
175 host_port->port = pj_sockaddr_get_port(addr);
176}
177
178
179static void tls_init_shutdown(struct tls_transport *tls, pj_status_t status)
180{
181 pjsip_tp_state_callback state_cb;
182
183 if (tls->close_reason == PJ_SUCCESS)
184 tls->close_reason = status;
185
186 if (tls->base.is_shutdown)
187 return;
188
189 /* Prevent immediate transport destroy by application, as transport
190 * state notification callback may be stacked and transport instance
191 * must remain valid at any point in the callback.
192 */
193 pjsip_transport_add_ref(&tls->base);
194
195 /* Notify application of transport disconnected state */
196 state_cb = pjsip_tpmgr_get_state_cb(tls->base.tpmgr);
197 if (state_cb) {
198 pjsip_transport_state_info state_info;
199 pjsip_tls_state_info tls_info;
200 pj_ssl_sock_info ssl_info;
201
202 /* Init transport state info */
203 pj_bzero(&state_info, sizeof(state_info));
204 state_info.status = tls->close_reason;
205
206 if (tls->ssock &&
207 pj_ssl_sock_get_info(tls->ssock, &ssl_info) == PJ_SUCCESS)
208 {
209 pj_bzero(&tls_info, sizeof(tls_info));
210 tls_info.ssl_sock_info = &ssl_info;
211 state_info.ext_info = &tls_info;
212 }
213
214 (*state_cb)(&tls->base, PJSIP_TP_STATE_DISCONNECTED, &state_info);
215 }
216
217 /* We can not destroy the transport since high level objects may
218 * still keep reference to this transport. So we can only
219 * instruct transport manager to gracefully start the shutdown
220 * procedure for this transport.
221 */
222 pjsip_transport_shutdown(&tls->base);
223
224 /* Now, it is ok to destroy the transport. */
225 pjsip_transport_dec_ref(&tls->base);
226}
227
228
229/****************************************************************************
230 * The TLS listener/transport factory.
231 */
232
233/*
234 * This is the public API to create, initialize, register, and start the
235 * TLS listener.
236 */
237PJ_DEF(pj_status_t) pjsip_tls_transport_start (pjsip_endpoint *endpt,
238 const pjsip_tls_setting *opt,
239 const pj_sockaddr_in *local_in,
240 const pjsip_host_port *a_name,
241 unsigned async_cnt,
242 pjsip_tpfactory **p_factory)
243{
244 pj_sockaddr local;
245
246 if (local_in)
247 pj_sockaddr_cp(&local, local_in);
248
249 return pjsip_tls_transport_start2(endpt, opt, (local_in? &local : NULL),
250 a_name, async_cnt, p_factory);
251}
252
253PJ_DEF(pj_status_t) pjsip_tls_transport_start2( pjsip_endpoint *endpt,
254 const pjsip_tls_setting *opt,
255 const pj_sockaddr *local,
256 const pjsip_host_port *a_name,
257 unsigned async_cnt,
258 pjsip_tpfactory **p_factory)
259{
260 pj_pool_t *pool;
261 pj_bool_t is_ipv6;
262 int af;
263 struct tls_listener *listener;
264 pj_ssl_sock_param ssock_param;
265 pj_sockaddr *listener_addr;
266 pj_bool_t has_listener;
267 pj_status_t status;
268
269 /* Sanity check */
270 PJ_ASSERT_RETURN(endpt && async_cnt, PJ_EINVAL);
271
272 is_ipv6 = (local && local->addr.sa_family == pj_AF_INET6());
273 af = is_ipv6 ? pj_AF_INET6() : pj_AF_INET();
274
275 /* Verify that address given in a_name (if any) is valid */
276 if (a_name && a_name->host.slen) {
277 pj_sockaddr tmp;
278
279 status = pj_sockaddr_init(af, &tmp, &a_name->host,
280 (pj_uint16_t)a_name->port);
281 if (status != PJ_SUCCESS || !pj_sockaddr_has_addr(&tmp) ||
282 (!is_ipv6 && tmp.ipv4.sin_addr.s_addr == PJ_INADDR_NONE))
283 {
284 /* Invalid address */
285 return PJ_EINVAL;
286 }
287 }
288
289 pool = pjsip_endpt_create_pool(endpt, "tlslis", POOL_LIS_INIT,
290 POOL_LIS_INC);
291 PJ_ASSERT_RETURN(pool, PJ_ENOMEM);
292
293 listener = PJ_POOL_ZALLOC_T(pool, struct tls_listener);
294 listener->factory.pool = pool;
295 if (is_ipv6)
296 listener->factory.type = PJSIP_TRANSPORT_TLS6;
297 else
298 listener->factory.type = PJSIP_TRANSPORT_TLS;
299 listener->factory.type_name = (char*)
300 pjsip_transport_get_type_name(listener->factory.type);
301 listener->factory.flag =
302 pjsip_transport_get_flag_from_type(listener->factory.type);
303
304 pj_ansi_strcpy(listener->factory.obj_name, "tlslis");
305 if (is_ipv6)
306 pj_ansi_strcat(listener->factory.obj_name, "6");
307
308 if (opt)
309 pjsip_tls_setting_copy(pool, &listener->tls_setting, opt);
310 else
311 pjsip_tls_setting_default(&listener->tls_setting);
312
313 status = pj_lock_create_recursive_mutex(pool, listener->factory.obj_name,
314 &listener->factory.lock);
315 if (status != PJ_SUCCESS)
316 goto on_error;
317
318 if (async_cnt > MAX_ASYNC_CNT)
319 async_cnt = MAX_ASYNC_CNT;
320
321 /* Build SSL socket param */
322 pj_ssl_sock_param_default(&ssock_param);
323 ssock_param.sock_af = af;
324 ssock_param.cb.on_accept_complete = &on_accept_complete;
325 ssock_param.cb.on_data_read = &on_data_read;
326 ssock_param.cb.on_data_sent = &on_data_sent;
327 ssock_param.async_cnt = async_cnt;
328 ssock_param.ioqueue = pjsip_endpt_get_ioqueue(endpt);
329 ssock_param.require_client_cert = listener->tls_setting.require_client_cert;
330 ssock_param.timeout = listener->tls_setting.timeout;
331 ssock_param.user_data = listener;
332 ssock_param.verify_peer = PJ_FALSE; /* avoid SSL socket closing the socket
333 * due to verification error */
334 if (ssock_param.send_buffer_size < PJSIP_MAX_PKT_LEN)
335 ssock_param.send_buffer_size = PJSIP_MAX_PKT_LEN;
336 if (ssock_param.read_buffer_size < PJSIP_MAX_PKT_LEN)
337 ssock_param.read_buffer_size = PJSIP_MAX_PKT_LEN;
338 ssock_param.ciphers_num = listener->tls_setting.ciphers_num;
339 ssock_param.ciphers = listener->tls_setting.ciphers;
340 ssock_param.reuse_addr = listener->tls_setting.reuse_addr;
341 ssock_param.qos_type = listener->tls_setting.qos_type;
342 ssock_param.qos_ignore_error = listener->tls_setting.qos_ignore_error;
343 pj_memcpy(&ssock_param.qos_params, &listener->tls_setting.qos_params,
344 sizeof(ssock_param.qos_params));
345
346 has_listener = PJ_FALSE;
347
348 switch(listener->tls_setting.method) {
349 case PJSIP_TLSV1_METHOD:
350 ssock_param.proto = PJ_SSL_SOCK_PROTO_TLS1;
351 break;
352 case PJSIP_SSLV2_METHOD:
353 ssock_param.proto = PJ_SSL_SOCK_PROTO_SSL2;
354 break;
355 case PJSIP_SSLV3_METHOD:
356 ssock_param.proto = PJ_SSL_SOCK_PROTO_SSL3;
357 break;
358 case PJSIP_SSLV23_METHOD:
359 ssock_param.proto = PJ_SSL_SOCK_PROTO_SSL23;
360 break;
361 default:
362 ssock_param.proto = PJ_SSL_SOCK_PROTO_DEFAULT;
363 break;
364 }
365
366 /* Create SSL socket */
367 status = pj_ssl_sock_create(pool, &ssock_param, &listener->ssock);
368 if (status != PJ_SUCCESS)
369 goto on_error;
370
371 /* Bind address may be different than factory.local_addr because
372 * factory.local_addr will be resolved below.
373 */
374 listener_addr = &listener->factory.local_addr;
375 if (local) {
376 pj_sockaddr_cp((pj_sockaddr_t*)listener_addr,
377 (const pj_sockaddr_t*)local);
378 pj_sockaddr_cp(&listener->bound_addr, local);
379 } else {
380 pj_sockaddr_init(af, listener_addr, NULL, 0);
381 pj_sockaddr_init(af, &listener->bound_addr, NULL, 0);
382 }
383
384 /* Check if certificate/CA list for SSL socket is set */
385 if (listener->tls_setting.cert_file.slen ||
386 listener->tls_setting.ca_list_file.slen)
387 {
388 status = pj_ssl_cert_load_from_files(pool,
389 &listener->tls_setting.ca_list_file,
390 &listener->tls_setting.cert_file,
391 &listener->tls_setting.privkey_file,
392 &listener->tls_setting.password,
393 &listener->cert);
394 if (status != PJ_SUCCESS)
395 goto on_error;
396
397 status = pj_ssl_sock_set_certificate(listener->ssock, pool,
398 listener->cert);
399 if (status != PJ_SUCCESS)
400 goto on_error;
401 }
402
403 /* Start accepting incoming connections. Note that some TLS/SSL backends
404 * may not support for SSL socket server.
405 */
406 has_listener = PJ_FALSE;
407
408 status = pj_ssl_sock_start_accept(listener->ssock, pool,
409 (pj_sockaddr_t*)listener_addr,
410 pj_sockaddr_get_len((pj_sockaddr_t*)listener_addr));
411 if (status == PJ_SUCCESS || status == PJ_EPENDING) {
412 pj_ssl_sock_info info;
413 has_listener = PJ_TRUE;
414
415 /* Retrieve the bound address */
416 status = pj_ssl_sock_get_info(listener->ssock, &info);
417 if (status == PJ_SUCCESS)
418 pj_sockaddr_cp(listener_addr, (pj_sockaddr_t*)&info.local_addr);
419 } else if (status != PJ_ENOTSUP) {
420 goto on_error;
421 }
422
423 /* If published host/IP is specified, then use that address as the
424 * listener advertised address.
425 */
426 if (a_name && a_name->host.slen) {
427 /* Copy the address */
428 listener->factory.addr_name = *a_name;
429 pj_strdup(listener->factory.pool, &listener->factory.addr_name.host,
430 &a_name->host);
431 listener->factory.addr_name.port = a_name->port;
432
433 } else {
434 /* No published address is given, use the bound address */
435
436 /* If the address returns 0.0.0.0, use the default
437 * interface address as the transport's address.
438 */
439 if (!pj_sockaddr_has_addr(listener_addr)) {
440 pj_sockaddr hostip;
441
442 status = pj_gethostip(af, &hostip);
443 if (status != PJ_SUCCESS)
444 goto on_error;
445
446 pj_sockaddr_copy_addr(listener_addr, &hostip);
447 }
448
449 /* Save the address name */
450 sockaddr_to_host_port(listener->factory.pool,
451 &listener->factory.addr_name, listener_addr);
452 }
453
454 /* If port is zero, get the bound port */
455 if (listener->factory.addr_name.port == 0) {
456 listener->factory.addr_name.port = pj_sockaddr_get_port(listener_addr);
457 }
458
459 pj_ansi_snprintf(listener->factory.obj_name,
460 sizeof(listener->factory.obj_name),
461 "tlslis:%d", listener->factory.addr_name.port);
462
463 /* Register to transport manager */
464 listener->endpt = endpt;
465 listener->tpmgr = pjsip_endpt_get_tpmgr(endpt);
466 listener->factory.create_transport2 = lis_create_transport;
467 listener->factory.destroy = lis_destroy;
468 listener->is_registered = PJ_TRUE;
469 status = pjsip_tpmgr_register_tpfactory(listener->tpmgr,
470 &listener->factory);
471 if (status != PJ_SUCCESS) {
472 listener->is_registered = PJ_FALSE;
473 goto on_error;
474 }
475
476 if (has_listener) {
477 PJ_LOG(4,(listener->factory.obj_name,
478 "SIP TLS listener is ready for incoming connections "
479 "at %.*s:%d",
480 (int)listener->factory.addr_name.host.slen,
481 listener->factory.addr_name.host.ptr,
482 listener->factory.addr_name.port));
483 } else {
484 PJ_LOG(4,(listener->factory.obj_name, "SIP TLS is ready "
485 "(client only)"));
486 }
487
488 /* Return the pointer to user */
489 if (p_factory) *p_factory = &listener->factory;
490
491 return PJ_SUCCESS;
492
493on_error:
494 lis_destroy(&listener->factory);
495 return status;
496}
497
498
499/* This callback is called by transport manager to destroy listener */
500static pj_status_t lis_destroy(pjsip_tpfactory *factory)
501{
502 struct tls_listener *listener = (struct tls_listener *)factory;
503
504 if (listener->is_registered) {
505 pjsip_tpmgr_unregister_tpfactory(listener->tpmgr, &listener->factory);
506 listener->is_registered = PJ_FALSE;
507 }
508
509 if (listener->ssock) {
510 pj_ssl_sock_close(listener->ssock);
511 listener->ssock = NULL;
512 }
513
514 if (listener->factory.lock) {
515 pj_lock_destroy(listener->factory.lock);
516 listener->factory.lock = NULL;
517 }
518
519 if (listener->factory.pool) {
520 pj_pool_t *pool = listener->factory.pool;
521
522 PJ_LOG(4,(listener->factory.obj_name, "SIP TLS listener destroyed"));
523
524 listener->factory.pool = NULL;
525 pj_pool_release(pool);
526 }
527
528 return PJ_SUCCESS;
529}
530
531
532/***************************************************************************/
533/*
534 * TLS Transport
535 */
536
537/*
538 * Prototypes.
539 */
540/* Called by transport manager to send message */
541static pj_status_t tls_send_msg(pjsip_transport *transport,
542 pjsip_tx_data *tdata,
543 const pj_sockaddr_t *rem_addr,
544 int addr_len,
545 void *token,
546 pjsip_transport_callback callback);
547
548/* Called by transport manager to shutdown */
549static pj_status_t tls_shutdown(pjsip_transport *transport);
550
551/* Called by transport manager to destroy transport */
552static pj_status_t tls_destroy_transport(pjsip_transport *transport);
553
554/* Utility to destroy transport */
555static pj_status_t tls_destroy(pjsip_transport *transport,
556 pj_status_t reason);
557
558/* Callback when connect completes */
559static pj_bool_t on_connect_complete(pj_ssl_sock_t *ssock,
560 pj_status_t status);
561
562/* TLS keep-alive timer callback */
563static void tls_keep_alive_timer(pj_timer_heap_t *th, pj_timer_entry *e);
564
565/*
566 * Common function to create TLS transport, called when pending accept() and
567 * pending connect() complete.
568 */
569static pj_status_t tls_create( struct tls_listener *listener,
570 pj_pool_t *pool,
571 pj_ssl_sock_t *ssock,
572 pj_bool_t is_server,
573 const pj_sockaddr *local,
574 const pj_sockaddr *remote,
575 const pj_str_t *remote_name,
576 struct tls_transport **p_tls)
577{
578 struct tls_transport *tls;
579 const pj_str_t ka_pkt = PJSIP_TLS_KEEP_ALIVE_DATA;
580 char print_addr[PJ_INET6_ADDRSTRLEN+10];
581 pj_status_t status;
582
583
584 PJ_ASSERT_RETURN(listener && ssock && local && remote && p_tls, PJ_EINVAL);
585
586
587 if (pool == NULL) {
588 pool = pjsip_endpt_create_pool(listener->endpt, "tls",
589 POOL_TP_INIT, POOL_TP_INC);
590 PJ_ASSERT_RETURN(pool != NULL, PJ_ENOMEM);
591 }
592
593 /*
594 * Create and initialize basic transport structure.
595 */
596 tls = PJ_POOL_ZALLOC_T(pool, struct tls_transport);
597 tls->is_server = is_server;
598 tls->verify_server = listener->tls_setting.verify_server;
599 pj_list_init(&tls->delayed_list);
600 tls->base.pool = pool;
601
602 pj_ansi_snprintf(tls->base.obj_name, PJ_MAX_OBJ_NAME,
603 (is_server ? "tlss%p" :"tlsc%p"), tls);
604
605 status = pj_atomic_create(pool, 0, &tls->base.ref_cnt);
606 if (status != PJ_SUCCESS) {
607 goto on_error;
608 }
609
610 status = pj_lock_create_recursive_mutex(pool, "tls", &tls->base.lock);
611 if (status != PJ_SUCCESS) {
612 goto on_error;
613 }
614
615 if (remote_name)
616 pj_strdup(pool, &tls->remote_name, remote_name);
617
618 tls->base.key.type = listener->factory.type;
619 pj_sockaddr_cp(&tls->base.key.rem_addr, remote);
620 tls->base.type_name = (char*)pjsip_transport_get_type_name(
621 (pjsip_transport_type_e)tls->base.key.type);
622 tls->base.flag = pjsip_transport_get_flag_from_type(
623 (pjsip_transport_type_e)tls->base.key.type);
624
625 tls->base.info = (char*) pj_pool_alloc(pool, 64);
626 pj_ansi_snprintf(tls->base.info, 64, "%s to %s",
627 tls->base.type_name,
628 pj_sockaddr_print(remote, print_addr,
629 sizeof(print_addr), 3));
630
631
632 tls->base.addr_len = pj_sockaddr_get_len(remote);
633 tls->base.dir = is_server? PJSIP_TP_DIR_INCOMING : PJSIP_TP_DIR_OUTGOING;
634
635 /* Set initial local address */
636 if (!pj_sockaddr_has_addr(local)) {
637 pj_sockaddr_cp(&tls->base.local_addr,
638 &listener->factory.local_addr);
639 } else {
640 pj_sockaddr_cp(&tls->base.local_addr, local);
641 }
642
643 sockaddr_to_host_port(pool, &tls->base.local_name, &tls->base.local_addr);
644 if (tls->remote_name.slen) {
645 tls->base.remote_name.host = tls->remote_name;
646 tls->base.remote_name.port = pj_sockaddr_get_port(remote);
647 } else {
648 sockaddr_to_host_port(pool, &tls->base.remote_name, remote);
649 }
650
651 tls->base.endpt = listener->endpt;
652 tls->base.tpmgr = listener->tpmgr;
653 tls->base.send_msg = &tls_send_msg;
654 tls->base.do_shutdown = &tls_shutdown;
655 tls->base.destroy = &tls_destroy_transport;
656
657 tls->ssock = ssock;
658
659 /* Register transport to transport manager */
660 status = pjsip_transport_register(listener->tpmgr, &tls->base);
661 if (status != PJ_SUCCESS) {
662 goto on_error;
663 }
664
665 tls->is_registered = PJ_TRUE;
666
667 /* Initialize keep-alive timer */
668 tls->ka_timer.user_data = (void*)tls;
669 tls->ka_timer.cb = &tls_keep_alive_timer;
670 pj_ioqueue_op_key_init(&tls->ka_op_key.key, sizeof(pj_ioqueue_op_key_t));
671 pj_strdup(tls->base.pool, &tls->ka_pkt, &ka_pkt);
672
673 /* Done setting up basic transport. */
674 *p_tls = tls;
675
676 PJ_LOG(4,(tls->base.obj_name, "TLS %s transport created",
677 (tls->is_server ? "server" : "client")));
678
679 return PJ_SUCCESS;
680
681on_error:
682 tls_destroy(&tls->base, status);
683 return status;
684}
685
686
687/* Flush all delayed transmision once the socket is connected. */
688static void tls_flush_pending_tx(struct tls_transport *tls)
689{
690 pj_time_val now;
691
692 pj_gettickcount(&now);
693 pj_lock_acquire(tls->base.lock);
694 while (!pj_list_empty(&tls->delayed_list)) {
695 struct delayed_tdata *pending_tx;
696 pjsip_tx_data *tdata;
697 pj_ioqueue_op_key_t *op_key;
698 pj_ssize_t size;
699 pj_status_t status;
700
701 pending_tx = tls->delayed_list.next;
702 pj_list_erase(pending_tx);
703
704 tdata = pending_tx->tdata_op_key->tdata;
705 op_key = (pj_ioqueue_op_key_t*)pending_tx->tdata_op_key;
706
707 if (pending_tx->timeout.sec > 0 &&
708 PJ_TIME_VAL_GT(now, pending_tx->timeout))
709 {
710 continue;
711 }
712
713 /* send! */
714 size = tdata->buf.cur - tdata->buf.start;
715 status = pj_ssl_sock_send(tls->ssock, op_key, tdata->buf.start,
716 &size, 0);
717
718 if (status != PJ_EPENDING) {
719 pj_lock_release(tls->base.lock);
720 on_data_sent(tls->ssock, op_key, size);
721 pj_lock_acquire(tls->base.lock);
722 }
723 }
724 pj_lock_release(tls->base.lock);
725}
726
727
728/* Called by transport manager to destroy transport */
729static pj_status_t tls_destroy_transport(pjsip_transport *transport)
730{
731 struct tls_transport *tls = (struct tls_transport*)transport;
732
733 /* Transport would have been unregistered by now since this callback
734 * is called by transport manager.
735 */
736 tls->is_registered = PJ_FALSE;
737
738 return tls_destroy(transport, tls->close_reason);
739}
740
741
742/* Destroy TLS transport */
743static pj_status_t tls_destroy(pjsip_transport *transport,
744 pj_status_t reason)
745{
746 struct tls_transport *tls = (struct tls_transport*)transport;
747
748 if (tls->close_reason == 0)
749 tls->close_reason = reason;
750
751 if (tls->is_registered) {
752 tls->is_registered = PJ_FALSE;
753 pjsip_transport_destroy(transport);
754
755 /* pjsip_transport_destroy will recursively call this function
756 * again.
757 */
758 return PJ_SUCCESS;
759 }
760
761 /* Mark transport as closing */
762 tls->is_closing = PJ_TRUE;
763
764 /* Stop keep-alive timer. */
765 if (tls->ka_timer.id) {
766 pjsip_endpt_cancel_timer(tls->base.endpt, &tls->ka_timer);
767 tls->ka_timer.id = PJ_FALSE;
768 }
769
770 /* Cancel all delayed transmits */
771 while (!pj_list_empty(&tls->delayed_list)) {
772 struct delayed_tdata *pending_tx;
773 pj_ioqueue_op_key_t *op_key;
774
775 pending_tx = tls->delayed_list.next;
776 pj_list_erase(pending_tx);
777
778 op_key = (pj_ioqueue_op_key_t*)pending_tx->tdata_op_key;
779
780 on_data_sent(tls->ssock, op_key, -reason);
781 }
782
783 if (tls->rdata.tp_info.pool) {
784 pj_pool_release(tls->rdata.tp_info.pool);
785 tls->rdata.tp_info.pool = NULL;
786 }
787
788 if (tls->ssock) {
789 pj_ssl_sock_close(tls->ssock);
790 tls->ssock = NULL;
791 }
792 if (tls->base.lock) {
793 pj_lock_destroy(tls->base.lock);
794 tls->base.lock = NULL;
795 }
796
797 if (tls->base.ref_cnt) {
798 pj_atomic_destroy(tls->base.ref_cnt);
799 tls->base.ref_cnt = NULL;
800 }
801
802 if (tls->base.pool) {
803 pj_pool_t *pool;
804
805 if (reason != PJ_SUCCESS) {
806 char errmsg[PJ_ERR_MSG_SIZE];
807
808 pj_strerror(reason, errmsg, sizeof(errmsg));
809 PJ_LOG(4,(tls->base.obj_name,
810 "TLS transport destroyed with reason %d: %s",
811 reason, errmsg));
812
813 } else {
814
815 PJ_LOG(4,(tls->base.obj_name,
816 "TLS transport destroyed normally"));
817
818 }
819
820 pool = tls->base.pool;
821 tls->base.pool = NULL;
822 pj_pool_release(pool);
823 }
824
825 return PJ_SUCCESS;
826}
827
828
829/*
830 * This utility function creates receive data buffers and start
831 * asynchronous recv() operations from the socket. It is called after
832 * accept() or connect() operation complete.
833 */
834static pj_status_t tls_start_read(struct tls_transport *tls)
835{
836 pj_pool_t *pool;
837 pj_uint32_t size;
838 pj_sockaddr *rem_addr;
839 void *readbuf[1];
840 pj_status_t status;
841
842 /* Init rdata */
843 pool = pjsip_endpt_create_pool(tls->base.endpt,
844 "rtd%p",
845 PJSIP_POOL_RDATA_LEN,
846 PJSIP_POOL_RDATA_INC);
847 if (!pool) {
848 tls_perror(tls->base.obj_name, "Unable to create pool", PJ_ENOMEM);
849 return PJ_ENOMEM;
850 }
851
852 tls->rdata.tp_info.pool = pool;
853
854 tls->rdata.tp_info.transport = &tls->base;
855 tls->rdata.tp_info.tp_data = tls;
856 tls->rdata.tp_info.op_key.rdata = &tls->rdata;
857 pj_ioqueue_op_key_init(&tls->rdata.tp_info.op_key.op_key,
858 sizeof(pj_ioqueue_op_key_t));
859
860 tls->rdata.pkt_info.src_addr = tls->base.key.rem_addr;
861 tls->rdata.pkt_info.src_addr_len = sizeof(tls->rdata.pkt_info.src_addr);
862 rem_addr = &tls->base.key.rem_addr;
863 pj_sockaddr_print(rem_addr, tls->rdata.pkt_info.src_name,
864 sizeof(tls->rdata.pkt_info.src_name), 0);
865 tls->rdata.pkt_info.src_port = pj_sockaddr_get_port(rem_addr);
866
867 size = sizeof(tls->rdata.pkt_info.packet);
868 readbuf[0] = tls->rdata.pkt_info.packet;
869 status = pj_ssl_sock_start_read2(tls->ssock, tls->base.pool, size,
870 readbuf, 0);
871 if (status != PJ_SUCCESS && status != PJ_EPENDING) {
872 PJ_LOG(4, (tls->base.obj_name,
873 "pj_ssl_sock_start_read() error, status=%d",
874 status));
875 return status;
876 }
877
878 return PJ_SUCCESS;
879}
880
881
882/* This callback is called by transport manager for the TLS factory
883 * to create outgoing transport to the specified destination.
884 */
885static pj_status_t lis_create_transport(pjsip_tpfactory *factory,
886 pjsip_tpmgr *mgr,
887 pjsip_endpoint *endpt,
888 const pj_sockaddr *rem_addr,
889 int addr_len,
890 pjsip_tx_data *tdata,
891 pjsip_transport **p_transport)
892{
893 struct tls_listener *listener;
894 struct tls_transport *tls;
895 pj_pool_t *pool;
896 pj_ssl_sock_t *ssock;
897 pj_ssl_sock_param ssock_param;
898 pj_sockaddr local_addr;
899 pj_str_t remote_name;
900 pj_status_t status;
901
902 /* Sanity checks */
903 PJ_ASSERT_RETURN(factory && mgr && endpt && rem_addr &&
904 addr_len && p_transport, PJ_EINVAL);
905
906 /* Check that address is a sockaddr_in or sockaddr_in6*/
907 PJ_ASSERT_RETURN((rem_addr->addr.sa_family == pj_AF_INET() &&
908 addr_len == sizeof(pj_sockaddr_in)) ||
909 (rem_addr->addr.sa_family == pj_AF_INET6() &&
910 addr_len == sizeof(pj_sockaddr_in6)), PJ_EINVAL);
911
912
913 listener = (struct tls_listener*)factory;
914
915 pool = pjsip_endpt_create_pool(listener->endpt, "tls",
916 POOL_TP_INIT, POOL_TP_INC);
917 PJ_ASSERT_RETURN(pool != NULL, PJ_ENOMEM);
918
919 /* Get remote host name from tdata */
920 if (tdata)
921 remote_name = tdata->dest_info.name;
922 else
923 pj_bzero(&remote_name, sizeof(remote_name));
924
925 /* Build SSL socket param */
926 pj_ssl_sock_param_default(&ssock_param);
927 ssock_param.sock_af = (factory->type & PJSIP_TRANSPORT_IPV6) ?
928 pj_AF_INET6() : pj_AF_INET();
929 ssock_param.cb.on_connect_complete = &on_connect_complete;
930 ssock_param.cb.on_data_read = &on_data_read;
931 ssock_param.cb.on_data_sent = &on_data_sent;
932 ssock_param.async_cnt = 1;
933 ssock_param.ioqueue = pjsip_endpt_get_ioqueue(listener->endpt);
934 ssock_param.server_name = remote_name;
935 ssock_param.timeout = listener->tls_setting.timeout;
936 ssock_param.user_data = NULL; /* pending, must be set later */
937 ssock_param.verify_peer = PJ_FALSE; /* avoid SSL socket closing the socket
938 * due to verification error */
939 if (ssock_param.send_buffer_size < PJSIP_MAX_PKT_LEN)
940 ssock_param.send_buffer_size = PJSIP_MAX_PKT_LEN;
941 if (ssock_param.read_buffer_size < PJSIP_MAX_PKT_LEN)
942 ssock_param.read_buffer_size = PJSIP_MAX_PKT_LEN;
943 ssock_param.ciphers_num = listener->tls_setting.ciphers_num;
944 ssock_param.ciphers = listener->tls_setting.ciphers;
945 ssock_param.qos_type = listener->tls_setting.qos_type;
946 ssock_param.qos_ignore_error = listener->tls_setting.qos_ignore_error;
947 pj_memcpy(&ssock_param.qos_params, &listener->tls_setting.qos_params,
948 sizeof(ssock_param.qos_params));
949
950 switch(listener->tls_setting.method) {
951 case PJSIP_TLSV1_METHOD:
952 ssock_param.proto = PJ_SSL_SOCK_PROTO_TLS1;
953 break;
954 case PJSIP_SSLV2_METHOD:
955 ssock_param.proto = PJ_SSL_SOCK_PROTO_SSL2;
956 break;
957 case PJSIP_SSLV3_METHOD:
958 ssock_param.proto = PJ_SSL_SOCK_PROTO_SSL3;
959 break;
960 case PJSIP_SSLV23_METHOD:
961 ssock_param.proto = PJ_SSL_SOCK_PROTO_SSL23;
962 break;
963 default:
964 ssock_param.proto = PJ_SSL_SOCK_PROTO_DEFAULT;
965 break;
966 }
967
968 status = pj_ssl_sock_create(pool, &ssock_param, &ssock);
969 if (status != PJ_SUCCESS)
970 return status;
971
972 /* Apply SSL certificate */
973 if (listener->cert) {
974 status = pj_ssl_sock_set_certificate(ssock, pool, listener->cert);
975 if (status != PJ_SUCCESS)
976 return status;
977 }
978
979 /* Initially set bind address to listener's bind address */
980 pj_sockaddr_init(listener->bound_addr.addr.sa_family,
981 &local_addr, NULL, 0);
982 pj_sockaddr_copy_addr(&local_addr, &listener->bound_addr);
983
984 /* Create the transport descriptor */
985 status = tls_create(listener, pool, ssock, PJ_FALSE, &local_addr,
986 rem_addr, &remote_name, &tls);
987 if (status != PJ_SUCCESS)
988 return status;
989
990 /* Set the "pending" SSL socket user data */
991 pj_ssl_sock_set_user_data(tls->ssock, tls);
992
993 /* Start asynchronous connect() operation */
994 tls->has_pending_connect = PJ_TRUE;
995 status = pj_ssl_sock_start_connect(tls->ssock, tls->base.pool,
996 (pj_sockaddr_t*)&local_addr,
997 (pj_sockaddr_t*)rem_addr,
998 addr_len);
999 if (status == PJ_SUCCESS) {
1000 on_connect_complete(tls->ssock, PJ_SUCCESS);
1001 } else if (status != PJ_EPENDING) {
1002 tls_destroy(&tls->base, status);
1003 return status;
1004 }
1005
1006 if (tls->has_pending_connect) {
1007 pj_ssl_sock_info info;
1008
1009 /* Update local address, just in case local address currently set is
1010 * different now that asynchronous connect() is started.
1011 */
1012
1013 /* Retrieve the bound address */
1014 status = pj_ssl_sock_get_info(tls->ssock, &info);
1015 if (status == PJ_SUCCESS) {
1016 pj_uint16_t new_port;
1017
1018 new_port = pj_sockaddr_get_port((pj_sockaddr_t*)&info.local_addr);
1019
1020 if (pj_sockaddr_has_addr((pj_sockaddr_t*)&info.local_addr)) {
1021 /* Update sockaddr */
1022 pj_sockaddr_cp((pj_sockaddr_t*)&tls->base.local_addr,
1023 (pj_sockaddr_t*)&info.local_addr);
1024 } else if (new_port && new_port != pj_sockaddr_get_port(
1025 (pj_sockaddr_t*)&tls->base.local_addr))
1026 {
1027 /* Update port only */
1028 pj_sockaddr_set_port(&tls->base.local_addr,
1029 new_port);
1030 }
1031
1032 sockaddr_to_host_port(tls->base.pool, &tls->base.local_name,
1033 &tls->base.local_addr);
1034 }
1035
1036 PJ_LOG(4,(tls->base.obj_name,
1037 "TLS transport %.*s:%d is connecting to %.*s:%d...",
1038 (int)tls->base.local_name.host.slen,
1039 tls->base.local_name.host.ptr,
1040 tls->base.local_name.port,
1041 (int)tls->base.remote_name.host.slen,
1042 tls->base.remote_name.host.ptr,
1043 tls->base.remote_name.port));
1044 }
1045
1046 /* Done */
1047 *p_transport = &tls->base;
1048
1049 return PJ_SUCCESS;
1050}
1051
1052
1053/*
1054 * This callback is called by SSL socket when pending accept() operation
1055 * has completed.
1056 */
1057static pj_bool_t on_accept_complete(pj_ssl_sock_t *ssock,
1058 pj_ssl_sock_t *new_ssock,
1059 const pj_sockaddr_t *src_addr,
1060 int src_addr_len)
1061{
1062 struct tls_listener *listener;
1063 struct tls_transport *tls;
1064 pj_ssl_sock_info ssl_info;
1065 char addr[PJ_INET6_ADDRSTRLEN+10];
1066 pjsip_tp_state_callback state_cb;
1067 pj_sockaddr tmp_src_addr;
1068 pj_bool_t is_shutdown;
1069 pj_status_t status;
1070
1071 PJ_UNUSED_ARG(src_addr_len);
1072
1073 listener = (struct tls_listener*) pj_ssl_sock_get_user_data(ssock);
1074
1075 PJ_ASSERT_RETURN(new_ssock, PJ_TRUE);
1076
1077 PJ_LOG(4,(listener->factory.obj_name,
1078 "TLS listener %.*s:%d: got incoming TLS connection "
1079 "from %s, sock=%d",
1080 (int)listener->factory.addr_name.host.slen,
1081 listener->factory.addr_name.host.ptr,
1082 listener->factory.addr_name.port,
1083 pj_sockaddr_print(src_addr, addr, sizeof(addr), 3),
1084 new_ssock));
1085
1086 /* Retrieve SSL socket info, close the socket if this is failed
1087 * as the SSL socket info availability is rather critical here.
1088 */
1089 status = pj_ssl_sock_get_info(new_ssock, &ssl_info);
1090 if (status != PJ_SUCCESS) {
1091 pj_ssl_sock_close(new_ssock);
1092 return PJ_TRUE;
1093 }
1094
1095 /* Copy to larger buffer, just in case */
1096 pj_bzero(&tmp_src_addr, sizeof(tmp_src_addr));
1097 pj_sockaddr_cp(&tmp_src_addr, src_addr);
1098
1099 /*
1100 * Incoming connection!
1101 * Create TLS transport for the new socket.
1102 */
1103 status = tls_create( listener, NULL, new_ssock, PJ_TRUE,
1104 &listener->factory.local_addr,
1105 &tmp_src_addr, NULL, &tls);
1106
1107 if (status != PJ_SUCCESS)
1108 return PJ_TRUE;
1109
1110 /* Set the "pending" SSL socket user data */
1111 pj_ssl_sock_set_user_data(new_ssock, tls);
1112
1113 /* Prevent immediate transport destroy as application may access it
1114 * (getting info, etc) in transport state notification callback.
1115 */
1116 pjsip_transport_add_ref(&tls->base);
1117
1118 /* If there is verification error and verification is mandatory, shutdown
1119 * and destroy the transport.
1120 */
1121 if (ssl_info.verify_status && listener->tls_setting.verify_client) {
1122 if (tls->close_reason == PJ_SUCCESS)
1123 tls->close_reason = PJSIP_TLS_ECERTVERIF;
1124 pjsip_transport_shutdown(&tls->base);
1125 }
1126
1127 /* Notify transport state to application */
1128 state_cb = pjsip_tpmgr_get_state_cb(tls->base.tpmgr);
1129 if (state_cb) {
1130 pjsip_transport_state_info state_info;
1131 pjsip_tls_state_info tls_info;
1132 pjsip_transport_state tp_state;
1133
1134 /* Init transport state info */
1135 pj_bzero(&tls_info, sizeof(tls_info));
1136 pj_bzero(&state_info, sizeof(state_info));
1137 tls_info.ssl_sock_info = &ssl_info;
1138 state_info.ext_info = &tls_info;
1139
1140 /* Set transport state based on verification status */
1141 if (ssl_info.verify_status && listener->tls_setting.verify_client)
1142 {
1143 tp_state = PJSIP_TP_STATE_DISCONNECTED;
1144 state_info.status = PJSIP_TLS_ECERTVERIF;
1145 } else {
1146 tp_state = PJSIP_TP_STATE_CONNECTED;
1147 state_info.status = PJ_SUCCESS;
1148 }
1149
1150 (*state_cb)(&tls->base, tp_state, &state_info);
1151 }
1152
1153 /* Release transport reference. If transport is shutting down, it may
1154 * get destroyed here.
1155 */
1156 is_shutdown = tls->base.is_shutdown;
1157 pjsip_transport_dec_ref(&tls->base);
1158 if (is_shutdown)
1159 return PJ_TRUE;
1160
1161
1162 status = tls_start_read(tls);
1163 if (status != PJ_SUCCESS) {
1164 PJ_LOG(3,(tls->base.obj_name, "New transport cancelled"));
1165 tls_init_shutdown(tls, status);
1166 tls_destroy(&tls->base, status);
1167 } else {
1168 /* Start keep-alive timer */
1169 if (PJSIP_TLS_KEEP_ALIVE_INTERVAL) {
1170 pj_time_val delay = {PJSIP_TLS_KEEP_ALIVE_INTERVAL, 0};
1171 pjsip_endpt_schedule_timer(listener->endpt,
1172 &tls->ka_timer,
1173 &delay);
1174 tls->ka_timer.id = PJ_TRUE;
1175 pj_gettimeofday(&tls->last_activity);
1176 }
1177 }
1178
1179 return PJ_TRUE;
1180}
1181
1182
1183/*
1184 * Callback from ioqueue when packet is sent.
1185 */
1186static pj_bool_t on_data_sent(pj_ssl_sock_t *ssock,
1187 pj_ioqueue_op_key_t *op_key,
1188 pj_ssize_t bytes_sent)
1189{
1190 struct tls_transport *tls = (struct tls_transport*)
1191 pj_ssl_sock_get_user_data(ssock);
1192 pjsip_tx_data_op_key *tdata_op_key = (pjsip_tx_data_op_key*)op_key;
1193
1194 /* Note that op_key may be the op_key from keep-alive, thus
1195 * it will not have tdata etc.
1196 */
1197
1198 tdata_op_key->tdata = NULL;
1199
1200 if (tdata_op_key->callback) {
1201 /*
1202 * Notify sip_transport.c that packet has been sent.
1203 */
1204 if (bytes_sent == 0)
1205 bytes_sent = -PJ_RETURN_OS_ERROR(OSERR_ENOTCONN);
1206
1207 tdata_op_key->callback(&tls->base, tdata_op_key->token, bytes_sent);
1208
1209 /* Mark last activity time */
1210 pj_gettimeofday(&tls->last_activity);
1211
1212 }
1213
1214 /* Check for error/closure */
1215 if (bytes_sent <= 0) {
1216 pj_status_t status;
1217
1218 PJ_LOG(5,(tls->base.obj_name, "TLS send() error, sent=%d",
1219 bytes_sent));
1220
1221 status = (bytes_sent == 0) ? PJ_RETURN_OS_ERROR(OSERR_ENOTCONN) :
1222 (pj_status_t)-bytes_sent;
1223
1224 tls_init_shutdown(tls, status);
1225
1226 return PJ_FALSE;
1227 }
1228
1229 return PJ_TRUE;
1230}
1231
1232
1233/*
1234 * This callback is called by transport manager to send SIP message
1235 */
1236static pj_status_t tls_send_msg(pjsip_transport *transport,
1237 pjsip_tx_data *tdata,
1238 const pj_sockaddr_t *rem_addr,
1239 int addr_len,
1240 void *token,
1241 pjsip_transport_callback callback)
1242{
1243 struct tls_transport *tls = (struct tls_transport*)transport;
1244 pj_ssize_t size;
1245 pj_bool_t delayed = PJ_FALSE;
1246 pj_status_t status = PJ_SUCCESS;
1247
1248 /* Sanity check */
1249 PJ_ASSERT_RETURN(transport && tdata, PJ_EINVAL);
1250
1251 /* Check that there's no pending operation associated with the tdata */
1252 PJ_ASSERT_RETURN(tdata->op_key.tdata == NULL, PJSIP_EPENDINGTX);
1253
1254 /* Check the address is supported */
1255 PJ_ASSERT_RETURN(rem_addr && (addr_len==sizeof(pj_sockaddr_in) ||
1256 addr_len==sizeof(pj_sockaddr_in6)),
1257 PJ_EINVAL);
1258
1259 /* Init op key. */
1260 tdata->op_key.tdata = tdata;
1261 tdata->op_key.token = token;
1262 tdata->op_key.callback = callback;
1263
1264 /* If asynchronous connect() has not completed yet, just put the
1265 * transmit data in the pending transmission list since we can not
1266 * use the socket yet.
1267 */
1268 if (tls->has_pending_connect) {
1269
1270 /*
1271 * Looks like connect() is still in progress. Check again (this time
1272 * with holding the lock) to be sure.
1273 */
1274 pj_lock_acquire(tls->base.lock);
1275
1276 if (tls->has_pending_connect) {
1277 struct delayed_tdata *delayed_tdata;
1278
1279 /*
1280 * connect() is still in progress. Put the transmit data to
1281 * the delayed list.
1282 * Starting from #1583 (https://trac.pjsip.org/repos/ticket/1583),
1283 * we also add timeout value for the transmit data. When the
1284 * connect() is completed, the timeout value will be checked to
1285 * determine whether the transmit data needs to be sent.
1286 */
1287 delayed_tdata = PJ_POOL_ZALLOC_T(tdata->pool,
1288 struct delayed_tdata);
1289 delayed_tdata->tdata_op_key = &tdata->op_key;
1290 if (tdata->msg && tdata->msg->type == PJSIP_REQUEST_MSG) {
1291 pj_gettickcount(&delayed_tdata->timeout);
1292 delayed_tdata->timeout.msec += pjsip_cfg()->tsx.td;
1293 pj_time_val_normalize(&delayed_tdata->timeout);
1294 }
1295
1296 pj_list_push_back(&tls->delayed_list, delayed_tdata);
1297 status = PJ_EPENDING;
1298
1299 /* Prevent pj_ioqueue_send() to be called below */
1300 delayed = PJ_TRUE;
1301 }
1302
1303 pj_lock_release(tls->base.lock);
1304 }
1305
1306 if (!delayed) {
1307 /*
1308 * Transport is ready to go. Send the packet to ioqueue to be
1309 * sent asynchronously.
1310 */
1311 size = tdata->buf.cur - tdata->buf.start;
1312 status = pj_ssl_sock_send(tls->ssock,
1313 (pj_ioqueue_op_key_t*)&tdata->op_key,
1314 tdata->buf.start, &size, 0);
1315
1316 if (status != PJ_EPENDING) {
1317 /* Not pending (could be immediate success or error) */
1318 tdata->op_key.tdata = NULL;
1319
1320 /* Shutdown transport on closure/errors */
1321 if (size <= 0) {
1322
1323 PJ_LOG(5,(tls->base.obj_name, "TLS send() error, sent=%d",
1324 size));
1325
1326 if (status == PJ_SUCCESS)
1327 status = PJ_RETURN_OS_ERROR(OSERR_ENOTCONN);
1328
1329 tls_init_shutdown(tls, status);
1330 }
1331 }
1332 }
1333
1334 return status;
1335}
1336
1337
1338/*
1339 * This callback is called by transport manager to shutdown transport.
1340 */
1341static pj_status_t tls_shutdown(pjsip_transport *transport)
1342{
1343 struct tls_transport *tls = (struct tls_transport*)transport;
1344
1345 /* Stop keep-alive timer. */
1346 if (tls->ka_timer.id) {
1347 pjsip_endpt_cancel_timer(tls->base.endpt, &tls->ka_timer);
1348 tls->ka_timer.id = PJ_FALSE;
1349 }
1350
1351 return PJ_SUCCESS;
1352}
1353
1354
1355/*
1356 * Callback from ioqueue that an incoming data is received from the socket.
1357 */
1358static pj_bool_t on_data_read(pj_ssl_sock_t *ssock,
1359 void *data,
1360 pj_size_t size,
1361 pj_status_t status,
1362 pj_size_t *remainder)
1363{
1364 enum { MAX_IMMEDIATE_PACKET = 10 };
1365 struct tls_transport *tls;
1366 pjsip_rx_data *rdata;
1367
1368 PJ_UNUSED_ARG(data);
1369
1370 tls = (struct tls_transport*) pj_ssl_sock_get_user_data(ssock);
1371 rdata = &tls->rdata;
1372
1373 /* Don't do anything if transport is closing. */
1374 if (tls->is_closing) {
1375 tls->is_closing++;
1376 return PJ_FALSE;
1377 }
1378
1379 /* Houston, we have packet! Report the packet to transport manager
1380 * to be parsed.
1381 */
1382 if (status == PJ_SUCCESS) {
1383 pj_size_t size_eaten;
1384
1385 /* Mark this as an activity */
1386 pj_gettimeofday(&tls->last_activity);
1387
1388 pj_assert((void*)rdata->pkt_info.packet == data);
1389
1390 /* Init pkt_info part. */
1391 rdata->pkt_info.len = size;
1392 rdata->pkt_info.zero = 0;
1393 pj_gettimeofday(&rdata->pkt_info.timestamp);
1394
1395 /* Report to transport manager.
1396 * The transport manager will tell us how many bytes of the packet
1397 * have been processed (as valid SIP message).
1398 */
1399 size_eaten =
1400 pjsip_tpmgr_receive_packet(rdata->tp_info.transport->tpmgr,
1401 rdata);
1402
1403 pj_assert(size_eaten <= (pj_size_t)rdata->pkt_info.len);
1404
1405 /* Move unprocessed data to the front of the buffer */
1406 *remainder = size - size_eaten;
1407 if (*remainder > 0 && *remainder != size) {
1408 pj_memmove(rdata->pkt_info.packet,
1409 rdata->pkt_info.packet + size_eaten,
1410 *remainder);
1411 }
1412
1413 } else {
1414
1415 /* Transport is closed */
1416 PJ_LOG(4,(tls->base.obj_name, "TLS connection closed"));
1417
1418 tls_init_shutdown(tls, status);
1419
1420 return PJ_FALSE;
1421
1422 }
1423
1424 /* Reset pool. */
1425 pj_pool_reset(rdata->tp_info.pool);
1426
1427 return PJ_TRUE;
1428}
1429
1430
1431/*
1432 * Callback from ioqueue when asynchronous connect() operation completes.
1433 */
1434static pj_bool_t on_connect_complete(pj_ssl_sock_t *ssock,
1435 pj_status_t status)
1436{
1437 struct tls_transport *tls;
1438 pj_ssl_sock_info ssl_info;
1439 pj_sockaddr addr, *tp_addr;
1440 pjsip_tp_state_callback state_cb;
1441 pj_bool_t is_shutdown;
1442
1443 tls = (struct tls_transport*) pj_ssl_sock_get_user_data(ssock);
1444
1445 /* Check connect() status */
1446 if (status != PJ_SUCCESS) {
1447
1448 tls_perror(tls->base.obj_name, "TLS connect() error", status);
1449
1450 /* Cancel all delayed transmits */
1451 while (!pj_list_empty(&tls->delayed_list)) {
1452 struct delayed_tdata *pending_tx;
1453 pj_ioqueue_op_key_t *op_key;
1454
1455 pending_tx = tls->delayed_list.next;
1456 pj_list_erase(pending_tx);
1457
1458 op_key = (pj_ioqueue_op_key_t*)pending_tx->tdata_op_key;
1459
1460 on_data_sent(tls->ssock, op_key, -status);
1461 }
1462
1463 goto on_error;
1464 }
1465
1466 /* Retrieve SSL socket info, shutdown the transport if this is failed
1467 * as the SSL socket info availability is rather critical here.
1468 */
1469 status = pj_ssl_sock_get_info(tls->ssock, &ssl_info);
1470 if (status != PJ_SUCCESS)
1471 goto on_error;
1472
1473 /* Update (again) local address, just in case local address currently
1474 * set is different now that the socket is connected (could happen
1475 * on some systems, like old Win32 probably?).
1476 */
1477 tp_addr = &tls->base.local_addr;
1478 pj_sockaddr_cp((pj_sockaddr_t*)&addr,
1479 (pj_sockaddr_t*)&ssl_info.local_addr);
1480 if (pj_sockaddr_cmp(tp_addr, &addr) != 0) {
1481 pj_sockaddr_cp(tp_addr, &addr);
1482 sockaddr_to_host_port(tls->base.pool, &tls->base.local_name,
1483 tp_addr);
1484 }
1485
1486 /* Server identity verification based on server certificate. */
1487 if (ssl_info.remote_cert_info->version) {
1488 pj_str_t *remote_name;
1489 pj_ssl_cert_info *serv_cert = ssl_info.remote_cert_info;
1490 pj_bool_t matched = PJ_FALSE;
1491 unsigned i;
1492
1493 /* Remote name may be hostname or IP address */
1494 if (tls->remote_name.slen)
1495 remote_name = &tls->remote_name;
1496 else
1497 remote_name = &tls->base.remote_name.host;
1498
1499 /* Start matching remote name with SubjectAltName fields of
1500 * server certificate.
1501 */
1502 for (i = 0; i < serv_cert->subj_alt_name.cnt && !matched; ++i) {
1503 pj_str_t *cert_name = &serv_cert->subj_alt_name.entry[i].name;
1504
1505 switch (serv_cert->subj_alt_name.entry[i].type) {
1506 case PJ_SSL_CERT_NAME_DNS:
1507 case PJ_SSL_CERT_NAME_IP:
1508 matched = !pj_stricmp(remote_name, cert_name);
1509 break;
1510 case PJ_SSL_CERT_NAME_URI:
1511 if (pj_strnicmp2(cert_name, "sip:", 4) == 0 ||
1512 pj_strnicmp2(cert_name, "sips:", 5) == 0)
1513 {
1514 pj_str_t host_part;
1515 char *p;
1516
1517 p = pj_strchr(cert_name, ':') + 1;
1518 pj_strset(&host_part, p, cert_name->slen -
1519 (p - cert_name->ptr));
1520 matched = !pj_stricmp(remote_name, &host_part);
1521 }
1522 break;
1523 default:
1524 break;
1525 }
1526 }
1527
1528 /* When still not matched or no SubjectAltName fields in server
1529 * certificate, try with Common Name of Subject field.
1530 */
1531 if (!matched) {
1532 matched = !pj_stricmp(remote_name, &serv_cert->subject.cn);
1533 }
1534
1535 if (!matched)
1536 ssl_info.verify_status |= PJ_SSL_CERT_EIDENTITY_NOT_MATCH;
1537 }
1538
1539 /* Prevent immediate transport destroy as application may access it
1540 * (getting info, etc) in transport state notification callback.
1541 */
1542 pjsip_transport_add_ref(&tls->base);
1543
1544 /* If there is verification error and verification is mandatory, shutdown
1545 * and destroy the transport.
1546 */
1547 if (ssl_info.verify_status && tls->verify_server) {
1548 if (tls->close_reason == PJ_SUCCESS)
1549 tls->close_reason = PJSIP_TLS_ECERTVERIF;
1550 pjsip_transport_shutdown(&tls->base);
1551 }
1552
1553 /* Notify transport state to application */
1554 state_cb = pjsip_tpmgr_get_state_cb(tls->base.tpmgr);
1555 if (state_cb) {
1556 pjsip_transport_state_info state_info;
1557 pjsip_tls_state_info tls_info;
1558 pjsip_transport_state tp_state;
1559
1560 /* Init transport state info */
1561 pj_bzero(&state_info, sizeof(state_info));
1562 pj_bzero(&tls_info, sizeof(tls_info));
1563 state_info.ext_info = &tls_info;
1564 tls_info.ssl_sock_info = &ssl_info;
1565
1566 /* Set transport state based on verification status */
1567 if (ssl_info.verify_status && tls->verify_server)
1568 {
1569 tp_state = PJSIP_TP_STATE_DISCONNECTED;
1570 state_info.status = PJSIP_TLS_ECERTVERIF;
1571 } else {
1572 tp_state = PJSIP_TP_STATE_CONNECTED;
1573 state_info.status = PJ_SUCCESS;
1574 }
1575
1576 (*state_cb)(&tls->base, tp_state, &state_info);
1577 }
1578
1579 /* Release transport reference. If transport is shutting down, it may
1580 * get destroyed here.
1581 */
1582 is_shutdown = tls->base.is_shutdown;
1583 pjsip_transport_dec_ref(&tls->base);
1584 if (is_shutdown) {
1585 status = tls->close_reason;
1586 tls_perror(tls->base.obj_name, "TLS connect() error", status);
1587
1588 /* Cancel all delayed transmits */
1589 while (!pj_list_empty(&tls->delayed_list)) {
1590 struct delayed_tdata *pending_tx;
1591 pj_ioqueue_op_key_t *op_key;
1592
1593 pending_tx = tls->delayed_list.next;
1594 pj_list_erase(pending_tx);
1595
1596 op_key = (pj_ioqueue_op_key_t*)pending_tx->tdata_op_key;
1597
1598 on_data_sent(tls->ssock, op_key, -status);
1599 }
1600
1601 return PJ_FALSE;
1602 }
1603
1604
1605 /* Mark that pending connect() operation has completed. */
1606 tls->has_pending_connect = PJ_FALSE;
1607
1608 PJ_LOG(4,(tls->base.obj_name,
1609 "TLS transport %.*s:%d is connected to %.*s:%d",
1610 (int)tls->base.local_name.host.slen,
1611 tls->base.local_name.host.ptr,
1612 tls->base.local_name.port,
1613 (int)tls->base.remote_name.host.slen,
1614 tls->base.remote_name.host.ptr,
1615 tls->base.remote_name.port));
1616
1617 /* Start pending read */
1618 status = tls_start_read(tls);
1619 if (status != PJ_SUCCESS)
1620 goto on_error;
1621
1622 /* Flush all pending send operations */
1623 tls_flush_pending_tx(tls);
1624
1625 /* Start keep-alive timer */
1626 if (PJSIP_TLS_KEEP_ALIVE_INTERVAL) {
1627 pj_time_val delay = { PJSIP_TLS_KEEP_ALIVE_INTERVAL, 0 };
1628 pjsip_endpt_schedule_timer(tls->base.endpt, &tls->ka_timer,
1629 &delay);
1630 tls->ka_timer.id = PJ_TRUE;
1631 pj_gettimeofday(&tls->last_activity);
1632 }
1633
1634 return PJ_TRUE;
1635
1636on_error:
1637 tls_init_shutdown(tls, status);
1638
1639 return PJ_FALSE;
1640}
1641
1642
1643/* Transport keep-alive timer callback */
1644static void tls_keep_alive_timer(pj_timer_heap_t *th, pj_timer_entry *e)
1645{
1646 struct tls_transport *tls = (struct tls_transport*) e->user_data;
1647 pj_time_val delay;
1648 pj_time_val now;
1649 pj_ssize_t size;
1650 pj_status_t status;
1651
1652 PJ_UNUSED_ARG(th);
1653
1654 tls->ka_timer.id = PJ_TRUE;
1655
1656 pj_gettimeofday(&now);
1657 PJ_TIME_VAL_SUB(now, tls->last_activity);
1658
1659 if (now.sec > 0 && now.sec < PJSIP_TLS_KEEP_ALIVE_INTERVAL) {
1660 /* There has been activity, so don't send keep-alive */
1661 delay.sec = PJSIP_TLS_KEEP_ALIVE_INTERVAL - now.sec;
1662 delay.msec = 0;
1663
1664 pjsip_endpt_schedule_timer(tls->base.endpt, &tls->ka_timer,
1665 &delay);
1666 tls->ka_timer.id = PJ_TRUE;
1667 return;
1668 }
1669
1670 PJ_LOG(5,(tls->base.obj_name, "Sending %d byte(s) keep-alive to %.*s:%d",
1671 (int)tls->ka_pkt.slen, (int)tls->base.remote_name.host.slen,
1672 tls->base.remote_name.host.ptr,
1673 tls->base.remote_name.port));
1674
1675 /* Send the data */
1676 size = tls->ka_pkt.slen;
1677 status = pj_ssl_sock_send(tls->ssock, &tls->ka_op_key.key,
1678 tls->ka_pkt.ptr, &size, 0);
1679
1680 if (status != PJ_SUCCESS && status != PJ_EPENDING) {
1681 tls_perror(tls->base.obj_name,
1682 "Error sending keep-alive packet", status);
1683
1684 tls_init_shutdown(tls, status);
1685 return;
1686 }
1687
1688 /* Register next keep-alive */
1689 delay.sec = PJSIP_TLS_KEEP_ALIVE_INTERVAL;
1690 delay.msec = 0;
1691
1692 pjsip_endpt_schedule_timer(tls->base.endpt, &tls->ka_timer,
1693 &delay);
1694 tls->ka_timer.id = PJ_TRUE;
1695}
1696
1697#endif /* PJSIP_HAS_TLS_TRANSPORT */