Nanang Izzuddin | 6c62bf4 | 2009-08-27 19:55:13 +0000 | [diff] [blame] | 1 | /* $Id$ */ |
| 2 | /* |
| 3 | * Copyright (C) 2009 Teluu Inc. (http://www.teluu.com) |
| 4 | * |
| 5 | * This program is free software; you can redistribute it and/or modify |
| 6 | * it under the terms of the GNU General Public License as published by |
| 7 | * the Free Software Foundation; either version 2 of the License, or |
| 8 | * (at your option) any later version. |
| 9 | * |
| 10 | * This program is distributed in the hope that it will be useful, |
| 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 13 | * GNU General Public License for more details. |
| 14 | * |
| 15 | * You should have received a copy of the GNU General Public License |
| 16 | * along with this program; if not, write to the Free Software |
| 17 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
| 18 | */ |
| 19 | #ifndef __PJ_SSL_SOCK_H__ |
| 20 | #define __PJ_SSL_SOCK_H__ |
| 21 | |
| 22 | /** |
| 23 | * @file ssl_sock.h |
| 24 | * @brief Secure socket |
| 25 | */ |
| 26 | |
| 27 | #include <pj/ioqueue.h> |
| 28 | #include <pj/sock.h> |
Benny Prijono | a25bc9d | 2009-11-09 08:51:34 +0000 | [diff] [blame] | 29 | #include <pj/sock_qos.h> |
Nanang Izzuddin | 6c62bf4 | 2009-08-27 19:55:13 +0000 | [diff] [blame] | 30 | |
| 31 | |
| 32 | PJ_BEGIN_DECL |
| 33 | |
| 34 | /** |
| 35 | * @defgroup PJ_SSL_SOCK Secure socket I/O |
| 36 | * @brief Secure socket provides security on socket operation using standard |
| 37 | * security protocols such as SSL and TLS. |
| 38 | * @ingroup PJ_IO |
| 39 | * @{ |
| 40 | * |
| 41 | * Secure socket wraps normal socket and applies security features, i.e: |
| 42 | * privacy and data integrity, on the socket traffic, using standard security |
| 43 | * protocols such as SSL and TLS. |
| 44 | * |
| 45 | * Secure socket employs active socket operations, which is similar to (and |
| 46 | * described more detail) in \ref PJ_ACTIVESOCK. |
| 47 | */ |
| 48 | |
Nanang Izzuddin | 6c62bf4 | 2009-08-27 19:55:13 +0000 | [diff] [blame] | 49 | |
Nanang Izzuddin | 006cc01 | 2009-10-16 03:06:13 +0000 | [diff] [blame] | 50 | /** |
Nanang Izzuddin | 6c62bf4 | 2009-08-27 19:55:13 +0000 | [diff] [blame] | 51 | * This opaque structure describes the secure socket. |
| 52 | */ |
| 53 | typedef struct pj_ssl_sock_t pj_ssl_sock_t; |
| 54 | |
Nanang Izzuddin | 006cc01 | 2009-10-16 03:06:13 +0000 | [diff] [blame] | 55 | |
| 56 | /** |
| 57 | * Opaque declaration of endpoint certificate or credentials. This may contains |
| 58 | * certificate, private key, and trusted Certificate Authorities list. |
| 59 | */ |
| 60 | typedef struct pj_ssl_cert_t pj_ssl_cert_t; |
| 61 | |
| 62 | |
| 63 | /** |
Nanang Izzuddin | ea6d3c4 | 2009-10-26 15:47:52 +0000 | [diff] [blame] | 64 | * Describe structure of certificate info. |
| 65 | */ |
| 66 | typedef struct pj_ssl_cert_info { |
| 67 | pj_str_t subject; /**< Subject. */ |
| 68 | pj_str_t issuer; /**< Issuer. */ |
| 69 | unsigned version; /**< Certificate version. */ |
| 70 | pj_time_val validity_start; /**< Validity start. */ |
| 71 | pj_time_val validity_end; /**< Validity end. */ |
| 72 | pj_bool_t validity_use_gmt; /**< Flag if validity date/time |
| 73 | use GMT. */ |
| 74 | } pj_ssl_cert_info; |
| 75 | |
| 76 | |
| 77 | /** |
Nanang Izzuddin | 006cc01 | 2009-10-16 03:06:13 +0000 | [diff] [blame] | 78 | * Create credential from files. |
| 79 | * |
| 80 | * @param CA_file The file of trusted CA list. |
| 81 | * @param cert_file The file of certificate. |
| 82 | * @param privkey_file The file of private key. |
| 83 | * @param privkey_pass The password of private key, if any. |
Nanang Izzuddin | ea6d3c4 | 2009-10-26 15:47:52 +0000 | [diff] [blame] | 84 | * @param p_cert Pointer to credential instance to be created. |
Nanang Izzuddin | 006cc01 | 2009-10-16 03:06:13 +0000 | [diff] [blame] | 85 | * |
| 86 | * @return PJ_SUCCESS when successful. |
| 87 | */ |
| 88 | PJ_DECL(pj_status_t) pj_ssl_cert_load_from_files(pj_pool_t *pool, |
| 89 | const pj_str_t *CA_file, |
| 90 | const pj_str_t *cert_file, |
| 91 | const pj_str_t *privkey_file, |
| 92 | const pj_str_t *privkey_pass, |
| 93 | pj_ssl_cert_t **p_cert); |
| 94 | |
| 95 | |
| 96 | /** |
| 97 | * Cipher suites enumeration. |
| 98 | */ |
| 99 | typedef enum pj_ssl_cipher { |
| 100 | |
| 101 | /* NULL */ |
| 102 | TLS_NULL_WITH_NULL_NULL = 0x00000000, |
| 103 | |
| 104 | /* TLS/SSLv3 */ |
| 105 | TLS_RSA_WITH_NULL_MD5 = 0x00000001, |
| 106 | TLS_RSA_WITH_NULL_SHA = 0x00000002, |
| 107 | TLS_RSA_WITH_NULL_SHA256 = 0x0000003B, |
| 108 | TLS_RSA_WITH_RC4_128_MD5 = 0x00000004, |
| 109 | TLS_RSA_WITH_RC4_128_SHA = 0x00000005, |
| 110 | TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x0000000A, |
| 111 | TLS_RSA_WITH_AES_128_CBC_SHA = 0x0000002F, |
| 112 | TLS_RSA_WITH_AES_256_CBC_SHA = 0x00000035, |
| 113 | TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x0000003C, |
| 114 | TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x0000003D, |
| 115 | TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x0000000D, |
| 116 | TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x00000010, |
| 117 | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x00000013, |
| 118 | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x00000016, |
| 119 | TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x00000030, |
| 120 | TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x00000031, |
| 121 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x00000032, |
| 122 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x00000033, |
| 123 | TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x00000036, |
| 124 | TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x00000037, |
| 125 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x00000038, |
| 126 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x00000039, |
| 127 | TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x0000003E, |
| 128 | TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x0000003F, |
| 129 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x00000040, |
| 130 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x00000067, |
| 131 | TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x00000068, |
| 132 | TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x00000069, |
| 133 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x0000006A, |
| 134 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x0000006B, |
| 135 | TLS_DH_anon_WITH_RC4_128_MD5 = 0x00000018, |
| 136 | TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x0000001B, |
| 137 | TLS_DH_anon_WITH_AES_128_CBC_SHA = 0x00000034, |
| 138 | TLS_DH_anon_WITH_AES_256_CBC_SHA = 0x0000003A, |
| 139 | TLS_DH_anon_WITH_AES_128_CBC_SHA256 = 0x0000006C, |
| 140 | TLS_DH_anon_WITH_AES_256_CBC_SHA256 = 0x0000006D, |
| 141 | |
| 142 | /* TLS (deprecated) */ |
| 143 | TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x00000003, |
| 144 | TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x00000006, |
| 145 | TLS_RSA_WITH_IDEA_CBC_SHA = 0x00000007, |
| 146 | TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x00000008, |
| 147 | TLS_RSA_WITH_DES_CBC_SHA = 0x00000009, |
| 148 | TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0000000B, |
| 149 | TLS_DH_DSS_WITH_DES_CBC_SHA = 0x0000000C, |
| 150 | TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0000000E, |
| 151 | TLS_DH_RSA_WITH_DES_CBC_SHA = 0x0000000F, |
| 152 | TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x00000011, |
| 153 | TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x00000012, |
| 154 | TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x00000014, |
| 155 | TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x00000015, |
| 156 | TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x00000017, |
| 157 | TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0x00000019, |
| 158 | TLS_DH_anon_WITH_DES_CBC_SHA = 0x0000001A, |
| 159 | |
| 160 | /* SSLv3 */ |
| 161 | SSL_FORTEZZA_KEA_WITH_NULL_SHA = 0x0000001C, |
| 162 | SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA= 0x0000001D, |
| 163 | SSL_FORTEZZA_KEA_WITH_RC4_128_SHA = 0x0000001E, |
| 164 | |
| 165 | /* SSLv2 */ |
| 166 | SSL_CK_RC4_128_WITH_MD5 = 0x00010080, |
| 167 | SSL_CK_RC4_128_EXPORT40_WITH_MD5 = 0x00020080, |
| 168 | SSL_CK_RC2_128_CBC_WITH_MD5 = 0x00030080, |
| 169 | SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 = 0x00040080, |
| 170 | SSL_CK_IDEA_128_CBC_WITH_MD5 = 0x00050080, |
| 171 | SSL_CK_DES_64_CBC_WITH_MD5 = 0x00060040, |
| 172 | SSL_CK_DES_192_EDE3_CBC_WITH_MD5 = 0x000700C0 |
| 173 | |
| 174 | } pj_ssl_cipher; |
| 175 | |
| 176 | |
| 177 | /** |
| 178 | * Get cipher list supported by SSL/TLS backend. |
| 179 | * |
| 180 | * @param ciphers The ciphers buffer to receive cipher list. |
| 181 | * @param cipher_num Maximum number of ciphers to be received. |
| 182 | * |
| 183 | * @return PJ_SUCCESS when successful. |
| 184 | */ |
| 185 | PJ_DECL(pj_status_t) pj_ssl_cipher_get_availables(pj_ssl_cipher ciphers[], |
| 186 | unsigned *cipher_num); |
| 187 | |
| 188 | |
| 189 | /** |
| 190 | * Get cipher name string. |
| 191 | * |
| 192 | * @param cipher The cipher. |
| 193 | * |
| 194 | * @return The cipher name or NULL if cipher is not recognized. |
| 195 | */ |
| 196 | PJ_DECL(const char*) pj_ssl_cipher_name(pj_ssl_cipher cipher); |
| 197 | |
| 198 | |
Nanang Izzuddin | 6c62bf4 | 2009-08-27 19:55:13 +0000 | [diff] [blame] | 199 | /** |
| 200 | * This structure contains the callbacks to be called by the secure socket. |
| 201 | */ |
| 202 | typedef struct pj_ssl_sock_cb |
| 203 | { |
| 204 | /** |
| 205 | * This callback is called when a data arrives as the result of |
| 206 | * pj_ssl_sock_start_read(). |
| 207 | * |
| 208 | * @param ssock The secure socket. |
| 209 | * @param data The buffer containing the new data, if any. If |
| 210 | * the status argument is non-PJ_SUCCESS, this |
| 211 | * argument may be NULL. |
| 212 | * @param size The length of data in the buffer. |
| 213 | * @param status The status of the read operation. This may contain |
| 214 | * non-PJ_SUCCESS for example when the TCP connection |
| 215 | * has been closed. In this case, the buffer may |
| 216 | * contain left over data from previous callback which |
| 217 | * the application may want to process. |
| 218 | * @param remainder If application wishes to leave some data in the |
| 219 | * buffer (common for TCP applications), it should |
| 220 | * move the remainder data to the front part of the |
| 221 | * buffer and set the remainder length here. The value |
| 222 | * of this parameter will be ignored for datagram |
| 223 | * sockets. |
| 224 | * |
| 225 | * @return PJ_TRUE if further read is desired, and PJ_FALSE |
| 226 | * when application no longer wants to receive data. |
| 227 | * Application may destroy the secure socket in the |
| 228 | * callback and return PJ_FALSE here. |
| 229 | */ |
| 230 | pj_bool_t (*on_data_read)(pj_ssl_sock_t *ssock, |
| 231 | void *data, |
| 232 | pj_size_t size, |
| 233 | pj_status_t status, |
| 234 | pj_size_t *remainder); |
| 235 | /** |
| 236 | * This callback is called when a packet arrives as the result of |
| 237 | * pj_ssl_sock_start_recvfrom(). |
| 238 | * |
| 239 | * @param ssock The secure socket. |
| 240 | * @param data The buffer containing the packet, if any. If |
| 241 | * the status argument is non-PJ_SUCCESS, this |
| 242 | * argument will be set to NULL. |
| 243 | * @param size The length of packet in the buffer. If |
| 244 | * the status argument is non-PJ_SUCCESS, this |
| 245 | * argument will be set to zero. |
| 246 | * @param src_addr Source address of the packet. |
| 247 | * @param addr_len Length of the source address. |
| 248 | * @param status This contains |
| 249 | * |
| 250 | * @return PJ_TRUE if further read is desired, and PJ_FALSE |
| 251 | * when application no longer wants to receive data. |
| 252 | * Application may destroy the secure socket in the |
| 253 | * callback and return PJ_FALSE here. |
| 254 | */ |
| 255 | pj_bool_t (*on_data_recvfrom)(pj_ssl_sock_t *ssock, |
| 256 | void *data, |
| 257 | pj_size_t size, |
| 258 | const pj_sockaddr_t *src_addr, |
| 259 | int addr_len, |
| 260 | pj_status_t status); |
| 261 | |
| 262 | /** |
| 263 | * This callback is called when data has been sent. |
| 264 | * |
| 265 | * @param ssock The secure socket. |
| 266 | * @param send_key Key associated with the send operation. |
| 267 | * @param sent If value is positive non-zero it indicates the |
| 268 | * number of data sent. When the value is negative, |
| 269 | * it contains the error code which can be retrieved |
| 270 | * by negating the value (i.e. status=-sent). |
| 271 | * |
| 272 | * @return Application may destroy the secure socket in the |
| 273 | * callback and return PJ_FALSE here. |
| 274 | */ |
| 275 | pj_bool_t (*on_data_sent)(pj_ssl_sock_t *ssock, |
| 276 | pj_ioqueue_op_key_t *send_key, |
| 277 | pj_ssize_t sent); |
| 278 | |
| 279 | /** |
| 280 | * This callback is called when new connection arrives as the result |
| 281 | * of pj_ssl_sock_start_accept(). |
| 282 | * |
| 283 | * @param ssock The secure socket. |
| 284 | * @param newsock The new incoming secure socket. |
| 285 | * @param src_addr The source address of the connection. |
| 286 | * @param addr_len Length of the source address. |
| 287 | * |
| 288 | * @return PJ_TRUE if further accept() is desired, and PJ_FALSE |
| 289 | * when application no longer wants to accept incoming |
| 290 | * connection. Application may destroy the secure socket |
| 291 | * in the callback and return PJ_FALSE here. |
| 292 | */ |
| 293 | pj_bool_t (*on_accept_complete)(pj_ssl_sock_t *ssock, |
| 294 | pj_ssl_sock_t *newsock, |
| 295 | const pj_sockaddr_t *src_addr, |
| 296 | int src_addr_len); |
| 297 | |
| 298 | /** |
| 299 | * This callback is called when pending connect operation has been |
| 300 | * completed. |
| 301 | * |
| 302 | * @param ssock The secure socket. |
| 303 | * @param status The connection result. If connection has been |
| 304 | * successfully established, the status will contain |
| 305 | * PJ_SUCCESS. |
| 306 | * |
| 307 | * @return Application may destroy the secure socket in the |
| 308 | * callback and return PJ_FALSE here. |
| 309 | */ |
| 310 | pj_bool_t (*on_connect_complete)(pj_ssl_sock_t *ssock, |
| 311 | pj_status_t status); |
| 312 | |
| 313 | } pj_ssl_sock_cb; |
| 314 | |
| 315 | |
| 316 | /** |
| 317 | * Enumeration of secure socket protocol types. |
| 318 | */ |
| 319 | typedef enum pj_ssl_sock_proto |
| 320 | { |
| 321 | PJ_SSL_SOCK_PROTO_DEFAULT, /**< Default protocol of backend. */ |
| 322 | PJ_SSL_SOCK_PROTO_TLS1, /**< TLSv1.0 protocol. */ |
Nanang Izzuddin | 6c62bf4 | 2009-08-27 19:55:13 +0000 | [diff] [blame] | 323 | PJ_SSL_SOCK_PROTO_SSL3, /**< SSLv3.0 protocol. */ |
| 324 | PJ_SSL_SOCK_PROTO_SSL23, /**< SSLv3.0 but can roll back to |
| 325 | SSLv2.0. */ |
Nanang Izzuddin | 006cc01 | 2009-10-16 03:06:13 +0000 | [diff] [blame] | 326 | PJ_SSL_SOCK_PROTO_SSL2, /**< SSLv2.0 protocol. */ |
Nanang Izzuddin | 6c62bf4 | 2009-08-27 19:55:13 +0000 | [diff] [blame] | 327 | PJ_SSL_SOCK_PROTO_DTLS1 /**< DTLSv1.0 protocol. */ |
| 328 | } pj_ssl_sock_proto; |
| 329 | |
| 330 | |
| 331 | /** |
| 332 | * Definition of secure socket info structure. |
| 333 | */ |
| 334 | typedef struct pj_ssl_sock_info |
| 335 | { |
| 336 | /** |
| 337 | * Describes whether secure socket connection is established, i.e: TLS/SSL |
| 338 | * handshaking has been done successfully. |
| 339 | */ |
| 340 | pj_bool_t established; |
Nanang Izzuddin | ea6d3c4 | 2009-10-26 15:47:52 +0000 | [diff] [blame] | 341 | |
Nanang Izzuddin | 6c62bf4 | 2009-08-27 19:55:13 +0000 | [diff] [blame] | 342 | /** |
| 343 | * Describes secure socket protocol being used. |
| 344 | */ |
| 345 | pj_ssl_sock_proto proto; |
Nanang Izzuddin | ea6d3c4 | 2009-10-26 15:47:52 +0000 | [diff] [blame] | 346 | |
Nanang Izzuddin | 6c62bf4 | 2009-08-27 19:55:13 +0000 | [diff] [blame] | 347 | /** |
Nanang Izzuddin | 006cc01 | 2009-10-16 03:06:13 +0000 | [diff] [blame] | 348 | * Describes cipher suite being used, this will only be set when connection |
| 349 | * is established. |
Nanang Izzuddin | 6c62bf4 | 2009-08-27 19:55:13 +0000 | [diff] [blame] | 350 | */ |
Nanang Izzuddin | 006cc01 | 2009-10-16 03:06:13 +0000 | [diff] [blame] | 351 | pj_ssl_cipher cipher; |
Nanang Izzuddin | ea6d3c4 | 2009-10-26 15:47:52 +0000 | [diff] [blame] | 352 | |
Nanang Izzuddin | 6c62bf4 | 2009-08-27 19:55:13 +0000 | [diff] [blame] | 353 | /** |
| 354 | * Describes local address. |
| 355 | */ |
| 356 | pj_sockaddr local_addr; |
Nanang Izzuddin | ea6d3c4 | 2009-10-26 15:47:52 +0000 | [diff] [blame] | 357 | |
Nanang Izzuddin | 6c62bf4 | 2009-08-27 19:55:13 +0000 | [diff] [blame] | 358 | /** |
| 359 | * Describes remote address. |
| 360 | */ |
| 361 | pj_sockaddr remote_addr; |
| 362 | |
Nanang Izzuddin | ea6d3c4 | 2009-10-26 15:47:52 +0000 | [diff] [blame] | 363 | /** |
| 364 | * Describes active local certificate info. |
| 365 | */ |
| 366 | pj_ssl_cert_info local_cert_info; |
| 367 | |
| 368 | /** |
| 369 | * Describes active remote certificate info. |
| 370 | */ |
| 371 | pj_ssl_cert_info remote_cert_info; |
| 372 | |
Nanang Izzuddin | 6c62bf4 | 2009-08-27 19:55:13 +0000 | [diff] [blame] | 373 | } pj_ssl_sock_info; |
| 374 | |
Nanang Izzuddin | 006cc01 | 2009-10-16 03:06:13 +0000 | [diff] [blame] | 375 | |
Nanang Izzuddin | 6c62bf4 | 2009-08-27 19:55:13 +0000 | [diff] [blame] | 376 | /** |
| 377 | * Definition of secure socket creation parameters. |
| 378 | */ |
| 379 | typedef struct pj_ssl_sock_param |
| 380 | { |
| 381 | /** |
| 382 | * Specifies socket address family, either pj_AF_INET() and pj_AF_INET6(). |
| 383 | * |
| 384 | * Default is pj_AF_INET(). |
| 385 | */ |
| 386 | int sock_af; |
| 387 | |
| 388 | /** |
| 389 | * Specify socket type, either pj_SOCK_DGRAM() or pj_SOCK_STREAM(). |
| 390 | * |
| 391 | * Default is pj_SOCK_STREAM(). |
| 392 | */ |
| 393 | int sock_type; |
| 394 | |
| 395 | /** |
| 396 | * Specify the ioqueue to use. Secure socket uses the ioqueue to perform |
| 397 | * active socket operations, see \ref PJ_ACTIVESOCK for more detail. |
| 398 | */ |
| 399 | pj_ioqueue_t *ioqueue; |
| 400 | |
| 401 | /** |
Nanang Izzuddin | ea6d3c4 | 2009-10-26 15:47:52 +0000 | [diff] [blame] | 402 | * Specify the timer heap to use. Secure socket uses the timer to provide |
| 403 | * auto cancelation on asynchronous operation when it takes longer time |
| 404 | * than specified timeout period, e.g: security negotiation timeout. |
| 405 | */ |
| 406 | pj_timer_heap_t *timer_heap; |
| 407 | |
| 408 | /** |
Nanang Izzuddin | 6c62bf4 | 2009-08-27 19:55:13 +0000 | [diff] [blame] | 409 | * Specify secure socket callbacks, see #pj_ssl_sock_cb. |
| 410 | */ |
| 411 | pj_ssl_sock_cb cb; |
| 412 | |
| 413 | /** |
| 414 | * Specify secure socket user data. |
| 415 | */ |
| 416 | void *user_data; |
| 417 | |
| 418 | /** |
| 419 | * Specify security protocol to use, see #pj_ssl_sock_proto. |
| 420 | * |
| 421 | * Default is PJ_SSL_SOCK_PROTO_DEFAULT. |
| 422 | */ |
| 423 | pj_ssl_sock_proto proto; |
| 424 | |
| 425 | /** |
| 426 | * Number of concurrent asynchronous operations that is to be supported |
| 427 | * by the secure socket. This value only affects socket receive and |
| 428 | * accept operations -- the secure socket will issue one or more |
| 429 | * asynchronous read and accept operations based on the value of this |
| 430 | * field. Setting this field to more than one will allow more than one |
| 431 | * incoming data or incoming connections to be processed simultaneously |
| 432 | * on multiprocessor systems, when the ioqueue is polled by more than |
| 433 | * one threads. |
| 434 | * |
| 435 | * The default value is 1. |
| 436 | */ |
| 437 | unsigned async_cnt; |
| 438 | |
| 439 | /** |
| 440 | * The ioqueue concurrency to be forced on the socket when it is |
| 441 | * registered to the ioqueue. See #pj_ioqueue_set_concurrency() for more |
| 442 | * info about ioqueue concurrency. |
| 443 | * |
| 444 | * When this value is -1, the concurrency setting will not be forced for |
| 445 | * this socket, and the socket will inherit the concurrency setting of |
| 446 | * the ioqueue. When this value is zero, the secure socket will disable |
| 447 | * concurrency for the socket. When this value is +1, the secure socket |
| 448 | * will enable concurrency for the socket. |
| 449 | * |
| 450 | * The default value is -1. |
| 451 | */ |
| 452 | int concurrency; |
| 453 | |
| 454 | /** |
| 455 | * If this option is specified, the secure socket will make sure that |
| 456 | * asynchronous send operation with stream oriented socket will only |
| 457 | * call the callback after all data has been sent. This means that the |
| 458 | * secure socket will automatically resend the remaining data until |
| 459 | * all data has been sent. |
| 460 | * |
| 461 | * Please note that when this option is specified, it is possible that |
| 462 | * error is reported after partial data has been sent. Also setting |
| 463 | * this will disable the ioqueue concurrency for the socket. |
| 464 | * |
| 465 | * Default value is 1. |
| 466 | */ |
| 467 | pj_bool_t whole_data; |
| 468 | |
| 469 | /** |
Nanang Izzuddin | ea6d3c4 | 2009-10-26 15:47:52 +0000 | [diff] [blame] | 470 | * Specify buffer size for sending operation. Buffering sending data |
| 471 | * is used for allowing application to perform multiple outstanding |
| 472 | * send operations. Whenever application specifies this setting too |
| 473 | * small, sending operation may return PJ_ENOMEM. |
Nanang Izzuddin | 6c62bf4 | 2009-08-27 19:55:13 +0000 | [diff] [blame] | 474 | * |
Nanang Izzuddin | ea6d3c4 | 2009-10-26 15:47:52 +0000 | [diff] [blame] | 475 | * Default value is 8192 bytes. |
Nanang Izzuddin | 6c62bf4 | 2009-08-27 19:55:13 +0000 | [diff] [blame] | 476 | */ |
| 477 | pj_size_t send_buffer_size; |
| 478 | |
| 479 | /** |
Nanang Izzuddin | 006cc01 | 2009-10-16 03:06:13 +0000 | [diff] [blame] | 480 | * Specify buffer size for receiving encrypted (and perhaps compressed) |
| 481 | * data on underlying socket. This setting is unused on Symbian, since |
| 482 | * SSL/TLS Symbian backend, CSecureSocket, can use application buffer |
| 483 | * directly. |
| 484 | * |
| 485 | * Default value is 1500. |
| 486 | */ |
| 487 | pj_size_t read_buffer_size; |
| 488 | |
| 489 | /** |
| 490 | * Number of ciphers contained in the specified cipher preference. |
| 491 | * If this is set to zero, then default cipher list of the backend |
Nanang Izzuddin | 6c62bf4 | 2009-08-27 19:55:13 +0000 | [diff] [blame] | 492 | * will be used. |
| 493 | */ |
Nanang Izzuddin | 006cc01 | 2009-10-16 03:06:13 +0000 | [diff] [blame] | 494 | unsigned ciphers_num; |
| 495 | |
| 496 | /** |
| 497 | * Ciphers and order preference. If empty, then default cipher list and |
| 498 | * its default order of the backend will be used. |
| 499 | */ |
| 500 | pj_ssl_cipher *ciphers; |
Nanang Izzuddin | 6c62bf4 | 2009-08-27 19:55:13 +0000 | [diff] [blame] | 501 | |
| 502 | /** |
| 503 | * Security negotiation timeout. If this is set to zero (both sec and |
| 504 | * msec), the negotiation doesn't have a timeout. |
| 505 | * |
| 506 | * Default value is zero. |
| 507 | */ |
| 508 | pj_time_val timeout; |
| 509 | |
| 510 | /** |
| 511 | * Specify whether endpoint should verify peer certificate. |
| 512 | * |
| 513 | * Default value is PJ_FALSE. |
| 514 | */ |
| 515 | pj_bool_t verify_peer; |
| 516 | |
| 517 | /** |
| 518 | * When secure socket is acting as server (handles incoming connection), |
| 519 | * it will require the client to provide certificate. |
| 520 | * |
| 521 | * Default value is PJ_FALSE. |
| 522 | */ |
| 523 | pj_bool_t require_client_cert; |
| 524 | |
| 525 | /** |
| 526 | * When secure socket is acting as client (perform outgoing connection) |
| 527 | * and it needs to verify server name (e.g: host or domain name) by |
| 528 | * matching it to the name specified in the server certificate. This |
| 529 | * setting is useful when the server is hosting multiple domains for |
| 530 | * the same listening socket. |
| 531 | * |
| 532 | * Default value is zero/not-set. |
| 533 | */ |
Nanang Izzuddin | ea6d3c4 | 2009-10-26 15:47:52 +0000 | [diff] [blame] | 534 | pj_str_t server_name; |
Benny Prijono | a25bc9d | 2009-11-09 08:51:34 +0000 | [diff] [blame] | 535 | |
| 536 | /** |
| 537 | * QoS traffic type to be set on this transport. When application wants |
| 538 | * to apply QoS tagging to the transport, it's preferable to set this |
| 539 | * field rather than \a qos_param fields since this is more portable. |
| 540 | * |
| 541 | * Default value is PJ_QOS_TYPE_BEST_EFFORT. |
| 542 | */ |
| 543 | pj_qos_type qos_type; |
| 544 | |
| 545 | /** |
| 546 | * Set the low level QoS parameters to the transport. This is a lower |
| 547 | * level operation than setting the \a qos_type field and may not be |
| 548 | * supported on all platforms. |
| 549 | * |
| 550 | * By default all settings in this structure are disabled. |
| 551 | */ |
| 552 | pj_qos_params qos_params; |
| 553 | |
| 554 | /** |
| 555 | * Specify if the transport should ignore any errors when setting the QoS |
| 556 | * traffic type/parameters. |
| 557 | * |
| 558 | * Default: PJ_TRUE |
| 559 | */ |
| 560 | pj_bool_t qos_ignore_error; |
| 561 | |
| 562 | |
Nanang Izzuddin | 6c62bf4 | 2009-08-27 19:55:13 +0000 | [diff] [blame] | 563 | } pj_ssl_sock_param; |
| 564 | |
| 565 | |
| 566 | /** |
| 567 | * Initialize the secure socket parameters for its creation with |
| 568 | * the default values. |
| 569 | * |
| 570 | * @param param The parameter to be initialized. |
| 571 | */ |
| 572 | PJ_DECL(void) pj_ssl_sock_param_default(pj_ssl_sock_param *param); |
| 573 | |
| 574 | |
| 575 | /** |
| 576 | * Create secure socket instance. |
| 577 | * |
| 578 | * @param pool The pool for allocating secure socket instance. |
| 579 | * @param param The secure socket parameter, see #pj_ssl_sock_param. |
| 580 | * @param p_ssock Pointer to secure socket instance to be created. |
| 581 | * |
| 582 | * @return PJ_SUCCESS when successful. |
| 583 | */ |
| 584 | PJ_DECL(pj_status_t) pj_ssl_sock_create(pj_pool_t *pool, |
| 585 | const pj_ssl_sock_param *param, |
| 586 | pj_ssl_sock_t **p_ssock); |
| 587 | |
| 588 | |
| 589 | /** |
| 590 | * Set secure socket certificate or credentials. Credentials may include |
| 591 | * certificate, private key and trusted Certification Authorities list. |
| 592 | * Normally, server socket must provide certificate (and private key). |
| 593 | * Socket client may also need to provide certificate in case requested |
| 594 | * by the server. |
| 595 | * |
| 596 | * @param ssock The secure socket instance. |
| 597 | * @param pool The pool. |
| 598 | * @param cert The endpoint certificate/credentials, see |
| 599 | * #pj_ssl_cert_t. |
| 600 | * |
| 601 | * @return PJ_SUCCESS if the operation has been successful, |
| 602 | * or the appropriate error code on failure. |
| 603 | */ |
| 604 | PJ_DECL(pj_status_t) pj_ssl_sock_set_certificate( |
| 605 | pj_ssl_sock_t *ssock, |
| 606 | pj_pool_t *pool, |
| 607 | const pj_ssl_cert_t *cert); |
| 608 | |
| 609 | |
| 610 | /** |
| 611 | * Close and destroy the secure socket. |
| 612 | * |
| 613 | * @param ssock The secure socket. |
| 614 | * |
| 615 | * @return PJ_SUCCESS if the operation has been successful, |
| 616 | * or the appropriate error code on failure. |
| 617 | */ |
| 618 | PJ_DECL(pj_status_t) pj_ssl_sock_close(pj_ssl_sock_t *ssock); |
| 619 | |
| 620 | |
| 621 | /** |
| 622 | * Associate arbitrary data with the secure socket. Application may |
| 623 | * inspect this data in the callbacks and associate it with higher |
| 624 | * level processing. |
| 625 | * |
| 626 | * @param ssock The secure socket. |
| 627 | * @param user_data The user data to be associated with the secure |
| 628 | * socket. |
| 629 | * |
| 630 | * @return PJ_SUCCESS if the operation has been successful, |
| 631 | * or the appropriate error code on failure. |
| 632 | */ |
| 633 | PJ_DECL(pj_status_t) pj_ssl_sock_set_user_data(pj_ssl_sock_t *ssock, |
| 634 | void *user_data); |
| 635 | |
| 636 | /** |
| 637 | * Retrieve the user data previously associated with this secure |
| 638 | * socket. |
| 639 | * |
| 640 | * @param ssock The secure socket. |
| 641 | * |
| 642 | * @return The user data. |
| 643 | */ |
| 644 | PJ_DECL(void*) pj_ssl_sock_get_user_data(pj_ssl_sock_t *ssock); |
| 645 | |
| 646 | |
| 647 | /** |
| 648 | * Retrieve the local address and port used by specified secure socket. |
| 649 | * |
| 650 | * @param ssock The secure socket. |
| 651 | * @param info The info buffer to be set, see #pj_ssl_sock_info. |
| 652 | * |
| 653 | * @return PJ_SUCCESS on successful. |
| 654 | */ |
| 655 | PJ_DECL(pj_status_t) pj_ssl_sock_get_info(pj_ssl_sock_t *ssock, |
| 656 | pj_ssl_sock_info *info); |
| 657 | |
| 658 | |
| 659 | /** |
| 660 | * Starts read operation on this secure socket. This function will create |
| 661 | * \a async_cnt number of buffers (the \a async_cnt parameter was given |
| 662 | * in \a pj_ssl_sock_create() function) where each buffer is \a buff_size |
| 663 | * long. The buffers are allocated from the specified \a pool. Once the |
| 664 | * buffers are created, it then issues \a async_cnt number of asynchronous |
| 665 | * \a recv() operations to the socket and returns back to caller. Incoming |
| 666 | * data on the socket will be reported back to application via the |
| 667 | * \a on_data_read() callback. |
| 668 | * |
| 669 | * Application only needs to call this function once to initiate read |
| 670 | * operations. Further read operations will be done automatically by the |
| 671 | * secure socket when \a on_data_read() callback returns non-zero. |
| 672 | * |
| 673 | * @param ssock The secure socket. |
| 674 | * @param pool Pool used to allocate buffers for incoming data. |
| 675 | * @param buff_size The size of each buffer, in bytes. |
| 676 | * @param flags Flags to be given to pj_ioqueue_recv(). |
| 677 | * |
| 678 | * @return PJ_SUCCESS if the operation has been successful, |
| 679 | * or the appropriate error code on failure. |
| 680 | */ |
| 681 | PJ_DECL(pj_status_t) pj_ssl_sock_start_read(pj_ssl_sock_t *ssock, |
| 682 | pj_pool_t *pool, |
| 683 | unsigned buff_size, |
| 684 | pj_uint32_t flags); |
| 685 | |
| 686 | /** |
| 687 | * Same as #pj_ssl_sock_start_read(), except that the application |
| 688 | * supplies the buffers for the read operation so that the acive socket |
| 689 | * does not have to allocate the buffers. |
| 690 | * |
| 691 | * @param ssock The secure socket. |
| 692 | * @param pool Pool used to allocate buffers for incoming data. |
| 693 | * @param buff_size The size of each buffer, in bytes. |
| 694 | * @param readbuf Array of packet buffers, each has buff_size size. |
| 695 | * @param flags Flags to be given to pj_ioqueue_recv(). |
| 696 | * |
| 697 | * @return PJ_SUCCESS if the operation has been successful, |
| 698 | * or the appropriate error code on failure. |
| 699 | */ |
| 700 | PJ_DECL(pj_status_t) pj_ssl_sock_start_read2(pj_ssl_sock_t *ssock, |
| 701 | pj_pool_t *pool, |
| 702 | unsigned buff_size, |
| 703 | void *readbuf[], |
| 704 | pj_uint32_t flags); |
| 705 | |
| 706 | /** |
| 707 | * Same as pj_ssl_sock_start_read(), except that this function is used |
| 708 | * only for datagram sockets, and it will trigger \a on_data_recvfrom() |
| 709 | * callback instead. |
| 710 | * |
| 711 | * @param ssock The secure socket. |
| 712 | * @param pool Pool used to allocate buffers for incoming data. |
| 713 | * @param buff_size The size of each buffer, in bytes. |
| 714 | * @param flags Flags to be given to pj_ioqueue_recvfrom(). |
| 715 | * |
| 716 | * @return PJ_SUCCESS if the operation has been successful, |
| 717 | * or the appropriate error code on failure. |
| 718 | */ |
| 719 | PJ_DECL(pj_status_t) pj_ssl_sock_start_recvfrom(pj_ssl_sock_t *ssock, |
| 720 | pj_pool_t *pool, |
| 721 | unsigned buff_size, |
| 722 | pj_uint32_t flags); |
| 723 | |
| 724 | /** |
| 725 | * Same as #pj_ssl_sock_start_recvfrom() except that the recvfrom() |
| 726 | * operation takes the buffer from the argument rather than creating |
| 727 | * new ones. |
| 728 | * |
| 729 | * @param ssock The secure socket. |
| 730 | * @param pool Pool used to allocate buffers for incoming data. |
| 731 | * @param buff_size The size of each buffer, in bytes. |
| 732 | * @param readbuf Array of packet buffers, each has buff_size size. |
| 733 | * @param flags Flags to be given to pj_ioqueue_recvfrom(). |
| 734 | * |
| 735 | * @return PJ_SUCCESS if the operation has been successful, |
| 736 | * or the appropriate error code on failure. |
| 737 | */ |
| 738 | PJ_DECL(pj_status_t) pj_ssl_sock_start_recvfrom2(pj_ssl_sock_t *ssock, |
| 739 | pj_pool_t *pool, |
| 740 | unsigned buff_size, |
| 741 | void *readbuf[], |
| 742 | pj_uint32_t flags); |
| 743 | |
| 744 | /** |
| 745 | * Send data using the socket. |
| 746 | * |
| 747 | * @param ssock The secure socket. |
| 748 | * @param send_key The operation key to send the data, which is useful |
| 749 | * if application wants to submit multiple pending |
| 750 | * send operations and want to track which exact data |
| 751 | * has been sent in the \a on_data_sent() callback. |
| 752 | * @param data The data to be sent. This data must remain valid |
| 753 | * until the data has been sent. |
| 754 | * @param size The size of the data. |
| 755 | * @param flags Flags to be given to pj_ioqueue_send(). |
| 756 | * |
Nanang Izzuddin | 6c62bf4 | 2009-08-27 19:55:13 +0000 | [diff] [blame] | 757 | * @return PJ_SUCCESS if data has been sent immediately, or |
Nanang Izzuddin | ea6d3c4 | 2009-10-26 15:47:52 +0000 | [diff] [blame] | 758 | * PJ_EPENDING if data cannot be sent immediately or |
| 759 | * PJ_ENOMEM when sending buffer could not handle all |
| 760 | * queued data, see \a send_buffer_size. The callback |
| 761 | * \a on_data_sent() will be called when data is actually |
| 762 | * sent. Any other return value indicates error condition. |
Nanang Izzuddin | 6c62bf4 | 2009-08-27 19:55:13 +0000 | [diff] [blame] | 763 | */ |
| 764 | PJ_DECL(pj_status_t) pj_ssl_sock_send(pj_ssl_sock_t *ssock, |
| 765 | pj_ioqueue_op_key_t *send_key, |
| 766 | const void *data, |
| 767 | pj_ssize_t *size, |
| 768 | unsigned flags); |
| 769 | |
| 770 | /** |
| 771 | * Send datagram using the socket. |
| 772 | * |
| 773 | * @param ssock The secure socket. |
| 774 | * @param send_key The operation key to send the data, which is useful |
| 775 | * if application wants to submit multiple pending |
| 776 | * send operations and want to track which exact data |
| 777 | * has been sent in the \a on_data_sent() callback. |
| 778 | * @param data The data to be sent. This data must remain valid |
| 779 | * until the data has been sent. |
| 780 | * @param size The size of the data. |
| 781 | * @param flags Flags to be given to pj_ioqueue_send(). |
| 782 | * @param addr The destination address. |
| 783 | * @param addr_len Length of buffer containing destination address. |
| 784 | * |
| 785 | * @return PJ_SUCCESS if data has been sent immediately, or |
| 786 | * PJ_EPENDING if data cannot be sent immediately. In |
| 787 | * this case the \a on_data_sent() callback will be |
| 788 | * called when data is actually sent. Any other return |
| 789 | * value indicates error condition. |
| 790 | */ |
| 791 | PJ_DECL(pj_status_t) pj_ssl_sock_sendto(pj_ssl_sock_t *ssock, |
| 792 | pj_ioqueue_op_key_t *send_key, |
| 793 | const void *data, |
| 794 | pj_ssize_t *size, |
| 795 | unsigned flags, |
| 796 | const pj_sockaddr_t *addr, |
| 797 | int addr_len); |
| 798 | |
| 799 | |
| 800 | /** |
| 801 | * Starts asynchronous socket accept() operations on this secure socket. |
| 802 | * This function will issue \a async_cnt number of asynchronous \a accept() |
| 803 | * operations to the socket and returns back to caller. Incoming |
| 804 | * connection on the socket will be reported back to application via the |
| 805 | * \a on_accept_complete() callback. |
| 806 | * |
| 807 | * Application only needs to call this function once to initiate accept() |
| 808 | * operations. Further accept() operations will be done automatically by |
| 809 | * the secure socket when \a on_accept_complete() callback returns non-zero. |
| 810 | * |
| 811 | * @param ssock The secure socket. |
| 812 | * @param pool Pool used to allocate some internal data for the |
| 813 | * operation. |
| 814 | * @param localaddr Local address to bind on. |
| 815 | * @param addr_len Length of buffer containing local address. |
| 816 | * |
| 817 | * @return PJ_SUCCESS if the operation has been successful, |
| 818 | * or the appropriate error code on failure. |
| 819 | */ |
| 820 | PJ_DECL(pj_status_t) pj_ssl_sock_start_accept(pj_ssl_sock_t *ssock, |
| 821 | pj_pool_t *pool, |
| 822 | const pj_sockaddr_t *local_addr, |
| 823 | int addr_len); |
| 824 | |
| 825 | |
| 826 | /** |
| 827 | * Starts asynchronous socket connect() operation and SSL/TLS handshaking |
| 828 | * for this socket. Once the connection is done (either successfully or not), |
| 829 | * the \a on_connect_complete() callback will be called. |
| 830 | * |
| 831 | * @param ssock The secure socket. |
| 832 | * @param pool The pool to allocate some internal data for the |
| 833 | * operation. |
| 834 | * @param localaddr Local address. |
| 835 | * @param remaddr Remote address. |
| 836 | * @param addr_len Length of buffer containing above addresses. |
| 837 | * |
| 838 | * @return PJ_SUCCESS if connection can be established immediately |
| 839 | * or PJ_EPENDING if connection cannot be established |
| 840 | * immediately. In this case the \a on_connect_complete() |
| 841 | * callback will be called when connection is complete. |
| 842 | * Any other return value indicates error condition. |
| 843 | */ |
| 844 | PJ_DECL(pj_status_t) pj_ssl_sock_start_connect(pj_ssl_sock_t *ssock, |
| 845 | pj_pool_t *pool, |
| 846 | const pj_sockaddr_t *localaddr, |
| 847 | const pj_sockaddr_t *remaddr, |
| 848 | int addr_len); |
| 849 | |
| 850 | |
| 851 | /** |
Nanang Izzuddin | ea6d3c4 | 2009-10-26 15:47:52 +0000 | [diff] [blame] | 852 | * Starts SSL/TLS renegotiation over an already established SSL connection |
| 853 | * for this socket. This operation is performed transparently, no callback |
| 854 | * will be called once the renegotiation completed successfully. However, |
| 855 | * when the renegotiation fails, the connection will be closed and callback |
| 856 | * \a on_data_read() will be invoked with non-PJ_SUCCESS status code. |
| 857 | * |
| 858 | * @param ssock The secure socket. |
| 859 | * |
| 860 | * @return PJ_SUCCESS if renegotiation is completed immediately, |
| 861 | * or PJ_EPENDING if renegotiation has been started and |
| 862 | * waiting for completion, or the appropriate error code |
| 863 | * on failure. |
| 864 | */ |
| 865 | PJ_DECL(pj_status_t) pj_ssl_sock_renegotiate(pj_ssl_sock_t *ssock); |
| 866 | |
| 867 | |
| 868 | /** |
Nanang Izzuddin | 6c62bf4 | 2009-08-27 19:55:13 +0000 | [diff] [blame] | 869 | * @} |
| 870 | */ |
| 871 | |
| 872 | PJ_END_DECL |
| 873 | |
| 874 | #endif /* __PJ_SSL_SOCK_H__ */ |