3296 lines
108 KiB
Diff
3296 lines
108 KiB
Diff
|
Copyright (c) 2014-2017 Savoir-faire Linux Inc.
|
||
|
|
||
|
ssl_sock: add gnutls backend
|
||
|
|
||
|
This backend is mutually exclusive with the OpenSSL one, but completely
|
||
|
compatible, and conformant to the PJSIP API. Also avoids any license issues
|
||
|
when linking statically.
|
||
|
|
||
|
The configure script is updated to select either OpenSSL or GnuTLS
|
||
|
with --enable-ssl[='...'] and a new symbol (PJ_HAS_TLS_SOCK) is introduced
|
||
|
to identify which backend is in use.
|
||
|
|
||
|
Written by
|
||
|
Vittorio Giovara <vittorio.giovara@savoirfairelinux.com>
|
||
|
Philippe Proulx <philippe.proulx@savoirfairelinux.com> and
|
||
|
Adrien Béraud <adrien.beraud@savoirfairelinux.com>
|
||
|
on behalf of Savoir-faire Linux.
|
||
|
|
||
|
---
|
||
|
diff -ru a/aconfigure b/aconfigure
|
||
|
--- a/aconfigure 2017-01-25 06:23:08.000000000 -0500
|
||
|
+++ b/aconfigure 2017-06-08 13:51:11.146810527 -0400
|
||
|
@@ -644,6 +644,8 @@
|
||
|
libcrypto_present
|
||
|
libssl_present
|
||
|
openssl_h_present
|
||
|
+libgnutls_present
|
||
|
+gnutls_h_present
|
||
|
ac_ssl_has_aes_gcm
|
||
|
ac_no_ssl
|
||
|
ac_openh264_ldflags
|
||
|
@@ -1482,8 +1484,8 @@
|
||
|
package and samples location using IPPROOT and
|
||
|
IPPSAMPLES env var or with --with-ipp and
|
||
|
--with-ipp-samples options
|
||
|
- --disable-ssl Exclude SSL support the build (default: autodetect)
|
||
|
-
|
||
|
+ --enable-ssl=backend Select 'gnutls' or 'openssl' (default) to provide
|
||
|
+ SSL support (autodetect)
|
||
|
--disable-opencore-amr Exclude OpenCORE AMR support from the build
|
||
|
(default: autodetect)
|
||
|
|
||
|
@@ -7787,17 +7789,149 @@
|
||
|
|
||
|
# Check whether --enable-ssl was given.
|
||
|
if test "${enable_ssl+set}" = set; then :
|
||
|
- enableval=$enable_ssl;
|
||
|
- if test "$enable_ssl" = "no"; then
|
||
|
- ac_no_ssl=1
|
||
|
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: Checking if SSL support is disabled... yes" >&5
|
||
|
+ enableval=$enable_ssl; if test "x$enableval" = "xgnutls"; then
|
||
|
+ ssl_backend="gnutls"
|
||
|
+ else
|
||
|
+ ssl_backend="openssl"
|
||
|
+ fi
|
||
|
+fi
|
||
|
+
|
||
|
+
|
||
|
+if test "x$enable_ssl" = "xno"; then
|
||
|
+ ac_no_ssl=1
|
||
|
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: Checking if SSL support is disabled... yes" >&5
|
||
|
$as_echo "Checking if SSL support is disabled... yes" >&6; }
|
||
|
- fi
|
||
|
+else
|
||
|
+ if test "x$with_ssl" != "xno" -a "x$with_ssl" != "x"; then
|
||
|
+ CFLAGS="$CFLAGS -I$with_ssl/include"
|
||
|
+ LDFLAGS="$LDFLAGS -L$with_ssl/lib"
|
||
|
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: Using SSL prefix... $with_ssl" >&5
|
||
|
+$as_echo "Using SSL prefix... $with_ssl" >&6; }
|
||
|
+ fi
|
||
|
+ if test "x$ssl_backend" = "xgnutls"; then
|
||
|
+ for ac_prog in $host-pkg-config pkg-config "python pkgconfig.py"
|
||
|
+do
|
||
|
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
|
||
|
+set dummy $ac_prog; ac_word=$2
|
||
|
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
|
||
|
+$as_echo_n "checking for $ac_word... " >&6; }
|
||
|
+if ${ac_cv_prog_PKG_CONFIG+:} false; then :
|
||
|
+ $as_echo_n "(cached) " >&6
|
||
|
+else
|
||
|
+ if test -n "$PKG_CONFIG"; then
|
||
|
+ ac_cv_prog_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test.
|
||
|
+else
|
||
|
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
|
||
|
+for as_dir in $PATH
|
||
|
+do
|
||
|
+ IFS=$as_save_IFS
|
||
|
+ test -z "$as_dir" && as_dir=.
|
||
|
+ for ac_exec_ext in '' $ac_executable_extensions; do
|
||
|
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
|
||
|
+ ac_cv_prog_PKG_CONFIG="$ac_prog"
|
||
|
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
|
||
|
+ break 2
|
||
|
+ fi
|
||
|
+done
|
||
|
+ done
|
||
|
+IFS=$as_save_IFS
|
||
|
+
|
||
|
+fi
|
||
|
+fi
|
||
|
+PKG_CONFIG=$ac_cv_prog_PKG_CONFIG
|
||
|
+if test -n "$PKG_CONFIG"; then
|
||
|
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5
|
||
|
+$as_echo "$PKG_CONFIG" >&6; }
|
||
|
+else
|
||
|
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||
|
+$as_echo "no" >&6; }
|
||
|
+fi
|
||
|
+
|
||
|
+
|
||
|
+ test -n "$PKG_CONFIG" && break
|
||
|
+done
|
||
|
+test -n "$PKG_CONFIG" || PKG_CONFIG="none"
|
||
|
+
|
||
|
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: checking for GnuTLS installations.." >&5
|
||
|
+$as_echo "checking for GnuTLS installations.." >&6; }
|
||
|
+
|
||
|
+
|
||
|
+ ac_fn_c_check_header_mongrel "$LINENO" "gnutls/gnutls.h" "ac_cv_header_gnutls_gnutls_h" "$ac_includes_default"
|
||
|
+if test "x$ac_cv_header_gnutls_gnutls_h" = xyes; then :
|
||
|
+ gnutls_h_present=1
|
||
|
+fi
|
||
|
+
|
||
|
|
||
|
+
|
||
|
+ if test "$PKG_CONFIG" != "none"; then
|
||
|
+ if $PKG_CONFIG --exists gnutls; then
|
||
|
+ LIBS="$LIBS `$PKG_CONFIG --libs gnutls`"
|
||
|
+ libgnutls_present=1
|
||
|
+ else
|
||
|
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gnutls_certificate_set_x509_system_trust in -lgnutls" >&5
|
||
|
+$as_echo_n "checking for gnutls_certificate_set_x509_system_trust in -lgnutls... " >&6; }
|
||
|
+if ${ac_cv_lib_gnutls_gnutls_certificate_set_x509_system_trust+:} false; then :
|
||
|
+ $as_echo_n "(cached) " >&6
|
||
|
+else
|
||
|
+ ac_check_lib_save_LIBS=$LIBS
|
||
|
+LIBS="-lgnutls $LIBS"
|
||
|
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||
|
+/* end confdefs.h. */
|
||
|
+
|
||
|
+/* Override any GCC internal prototype to avoid an error.
|
||
|
+ Use char because int might match the return type of a GCC
|
||
|
+ builtin and then its argument prototype would still apply. */
|
||
|
+#ifdef __cplusplus
|
||
|
+extern "C"
|
||
|
+#endif
|
||
|
+char gnutls_certificate_set_x509_system_trust ();
|
||
|
+int
|
||
|
+main ()
|
||
|
+{
|
||
|
+return gnutls_certificate_set_x509_system_trust ();
|
||
|
+ ;
|
||
|
+ return 0;
|
||
|
+}
|
||
|
+_ACEOF
|
||
|
+if ac_fn_c_try_link "$LINENO"; then :
|
||
|
+ ac_cv_lib_gnutls_gnutls_certificate_set_x509_system_trust=yes
|
||
|
else
|
||
|
+ ac_cv_lib_gnutls_gnutls_certificate_set_x509_system_trust=no
|
||
|
+fi
|
||
|
+rm -f core conftest.err conftest.$ac_objext \
|
||
|
+ conftest$ac_exeext conftest.$ac_ext
|
||
|
+LIBS=$ac_check_lib_save_LIBS
|
||
|
+fi
|
||
|
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gnutls_gnutls_certificate_set_x509_system_trust" >&5
|
||
|
+$as_echo "$ac_cv_lib_gnutls_gnutls_certificate_set_x509_system_trust" >&6; }
|
||
|
+if test "x$ac_cv_lib_gnutls_gnutls_certificate_set_x509_system_trust" = xyes; then :
|
||
|
+ libgnutls_present=1 &&
|
||
|
+ LIBS="$LIBS -lgnutls"
|
||
|
+fi
|
||
|
|
||
|
+ fi
|
||
|
+ else
|
||
|
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: *** Warning: neither pkg-config nor python is available, disabling gnutls. ***" >&5
|
||
|
+$as_echo "*** Warning: neither pkg-config nor python is available, disabling gnutls. ***" >&6; }
|
||
|
+ fi
|
||
|
+
|
||
|
+ if test "x$gnutls_h_present" = "x1" -a "x$libgnutls_present" = "x1"; then
|
||
|
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: GnuTLS library found, SSL support enabled" >&5
|
||
|
+$as_echo "GnuTLS library found, SSL support enabled" >&6; }
|
||
|
+ # PJSIP_HAS_TLS_TRANSPORT setting follows PJ_HAS_SSL_SOCK
|
||
|
+ #AC_DEFINE(PJSIP_HAS_TLS_TRANSPORT, 1)
|
||
|
+ $as_echo "#define PJ_HAS_SSL_SOCK 1" >>confdefs.h
|
||
|
+
|
||
|
+ $as_echo "#define PJ_HAS_TLS_SOCK 1" >>confdefs.h
|
||
|
+
|
||
|
+ else
|
||
|
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: ** No GnuTLS libraries found, disabling SSL support **" >&5
|
||
|
+$as_echo "** No GnuTLS libraries found, disabling SSL support **" >&6; }
|
||
|
+ fi
|
||
|
+ else
|
||
|
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: checking for OpenSSL installations.." >&5
|
||
|
$as_echo "checking for OpenSSL installations.." >&6; }
|
||
|
+
|
||
|
if test "x$with_ssl" != "xno" -a "x$with_ssl" != "x"; then
|
||
|
CFLAGS="$CFLAGS -I$with_ssl/include"
|
||
|
LDFLAGS="$LDFLAGS -L$with_ssl/lib"
|
||
|
@@ -7971,11 +8105,10 @@
|
||
|
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: ** OpenSSL libraries not found, disabling SSL support **" >&5
|
||
|
$as_echo "** OpenSSL libraries not found, disabling SSL support **" >&6; }
|
||
|
fi
|
||
|
-
|
||
|
+ fi
|
||
|
fi
|
||
|
|
||
|
|
||
|
-
|
||
|
# Check whether --with-opencore-amrnb was given.
|
||
|
if test "${with_opencore_amrnb+set}" = set; then :
|
||
|
withval=$with_opencore_amrnb; as_fn_error $? "This option is obsolete and replaced by --with-opencore-amr=DIR" "$LINENO" 5
|
||
|
diff -ru a/aconfigure.ac b/aconfigure.ac
|
||
|
--- a/aconfigure.ac 2017-01-25 06:23:08.000000000 -0500
|
||
|
+++ b/aconfigure.ac 2017-06-08 13:28:17.138135490 -0400
|
||
|
@@ -1533,18 +1533,59 @@
|
||
|
dnl # Include SSL support
|
||
|
AC_SUBST(ac_no_ssl)
|
||
|
AC_SUBST(ac_ssl_has_aes_gcm,0)
|
||
|
-AC_ARG_ENABLE(ssl,
|
||
|
- AS_HELP_STRING([--disable-ssl],
|
||
|
- [Exclude SSL support the build (default: autodetect)])
|
||
|
- ,
|
||
|
- [
|
||
|
- if test "$enable_ssl" = "no"; then
|
||
|
- [ac_no_ssl=1]
|
||
|
- AC_MSG_RESULT([Checking if SSL support is disabled... yes])
|
||
|
- fi
|
||
|
- ],
|
||
|
- [
|
||
|
+AC_ARG_ENABLE([ssl],
|
||
|
+ AS_HELP_STRING([--enable-ssl[=backend]],
|
||
|
+ [Select 'gnutls' or 'openssl' (default) to provide SSL support (autodetect)]),
|
||
|
+ [ if test "x$enableval" = "xgnutls"; then
|
||
|
+ [ssl_backend="gnutls"]
|
||
|
+ else
|
||
|
+ [ssl_backend="openssl"]
|
||
|
+ fi ])
|
||
|
+
|
||
|
+if test "x$enable_ssl" = "xno"; then
|
||
|
+ [ac_no_ssl=1]
|
||
|
+ AC_MSG_RESULT([Checking if SSL support is disabled... yes])
|
||
|
+else
|
||
|
+ if test "x$with_ssl" != "xno" -a "x$with_ssl" != "x"; then
|
||
|
+ CFLAGS="$CFLAGS -I$with_ssl/include"
|
||
|
+ LDFLAGS="$LDFLAGS -L$with_ssl/lib"
|
||
|
+ AC_MSG_RESULT([Using SSL prefix... $with_ssl])
|
||
|
+ fi
|
||
|
+ if test "x$ssl_backend" = "xgnutls"; then
|
||
|
+ AC_CHECK_PROGS(PKG_CONFIG,
|
||
|
+ $host-pkg-config pkg-config "python pkgconfig.py",
|
||
|
+ none)
|
||
|
+ AC_MSG_RESULT([checking for GnuTLS installations..])
|
||
|
+ AC_SUBST(gnutls_h_present)
|
||
|
+ AC_SUBST(libgnutls_present)
|
||
|
+ AC_CHECK_HEADER(gnutls/gnutls.h, [gnutls_h_present=1])
|
||
|
+
|
||
|
+ if test "$PKG_CONFIG" != "none"; then
|
||
|
+ if $PKG_CONFIG --exists gnutls; then
|
||
|
+ LIBS="$LIBS `$PKG_CONFIG --libs gnutls`"
|
||
|
+ libgnutls_present=1
|
||
|
+ else
|
||
|
+ AC_CHECK_LIB(gnutls,
|
||
|
+ gnutls_certificate_set_x509_system_trust,
|
||
|
+ [libgnutls_present=1 &&
|
||
|
+ LIBS="$LIBS -lgnutls"])
|
||
|
+ fi
|
||
|
+ else
|
||
|
+ AC_MSG_RESULT([*** Warning: neither pkg-config nor python is available, disabling gnutls. ***])
|
||
|
+ fi
|
||
|
+
|
||
|
+ if test "x$gnutls_h_present" = "x1" -a "x$libgnutls_present" = "x1"; then
|
||
|
+ AC_MSG_RESULT([GnuTLS library found, SSL support enabled])
|
||
|
+ # PJSIP_HAS_TLS_TRANSPORT setting follows PJ_HAS_SSL_SOCK
|
||
|
+ #AC_DEFINE(PJSIP_HAS_TLS_TRANSPORT, 1)
|
||
|
+ AC_DEFINE(PJ_HAS_SSL_SOCK, 1)
|
||
|
+ AC_DEFINE(PJ_HAS_TLS_SOCK, 1)
|
||
|
+ else
|
||
|
+ AC_MSG_RESULT([** No GnuTLS libraries found, disabling SSL support **])
|
||
|
+ fi
|
||
|
+ else
|
||
|
AC_MSG_RESULT([checking for OpenSSL installations..])
|
||
|
+
|
||
|
if test "x$with_ssl" != "xno" -a "x$with_ssl" != "x"; then
|
||
|
CFLAGS="$CFLAGS -I$with_ssl/include"
|
||
|
LDFLAGS="$LDFLAGS -L$with_ssl/lib"
|
||
|
@@ -1578,7 +1619,8 @@
|
||
|
else
|
||
|
AC_MSG_RESULT([** OpenSSL libraries not found, disabling SSL support **])
|
||
|
fi
|
||
|
- ])
|
||
|
+ fi
|
||
|
+fi
|
||
|
|
||
|
dnl # Obsolete option --with-opencore-amrnb
|
||
|
AC_ARG_WITH(opencore-amrnb,
|
||
|
diff -ru a/pjlib/build/Makefile b/pjlib/build/Makefile
|
||
|
--- a/pjlib/build/Makefile 2016-10-05 05:52:39.000000000 -0400
|
||
|
+++ b/pjlib/build/Makefile 2017-06-08 13:30:20.702138591 -0400
|
||
|
@@ -35,7 +35,7 @@
|
||
|
guid.o hash.o ip_helper_generic.o list.o lock.o log.o os_time_common.o \
|
||
|
os_info.o pool.o pool_buf.o pool_caching.o pool_dbg.o rand.o \
|
||
|
rbtree.o sock_common.o sock_qos_common.o \
|
||
|
- ssl_sock_common.o ssl_sock_ossl.o ssl_sock_dump.o \
|
||
|
+ ssl_sock_common.o ssl_sock_ossl.o ssl_sock_gtls.o ssl_sock_dump.o \
|
||
|
string.o timer.o types.o
|
||
|
export PJLIB_CFLAGS += $(_CFLAGS)
|
||
|
export PJLIB_CXXFLAGS += $(_CXXFLAGS)
|
||
|
diff -ru a/pjlib/include/pj/compat/os_auto.h.in b/pjlib/include/pj/compat/os_auto.h.in
|
||
|
--- a/pjlib/include/pj/compat/os_auto.h.in 2017-01-24 00:36:50.000000000 -0500
|
||
|
+++ b/pjlib/include/pj/compat/os_auto.h.in 2017-06-08 13:31:04.976064779 -0400
|
||
|
@@ -219,6 +219,9 @@
|
||
|
#ifndef PJ_HAS_SSL_SOCK
|
||
|
#undef PJ_HAS_SSL_SOCK
|
||
|
#endif
|
||
|
+#ifndef PJ_HAS_TLS_SOCK
|
||
|
+#undef PJ_HAS_TLS_SOCK
|
||
|
+#endif
|
||
|
|
||
|
|
||
|
#endif /* __PJ_COMPAT_OS_AUTO_H__ */
|
||
|
diff -ru a/pjlib/include/pj/config.h b/pjlib/include/pj/config.h
|
||
|
--- a/pjlib/include/pj/config.h 2017-01-25 21:29:59.000000000 -0500
|
||
|
+++ b/pjlib/include/pj/config.h 2017-06-08 13:34:27.642149351 -0400
|
||
|
@@ -888,7 +888,7 @@
|
||
|
|
||
|
/**
|
||
|
* Enable secure socket. For most platforms, this is implemented using
|
||
|
- * OpenSSL, so this will require OpenSSL to be installed. For Symbian
|
||
|
+ * OpenSSL or GnuTLS, so this will require OpenSSL or GnuTLS to be installed. For Symbian
|
||
|
* platform, this is implemented natively using CSecureSocket.
|
||
|
*
|
||
|
* Default: 0 (for now)
|
||
|
@@ -896,6 +896,10 @@
|
||
|
#ifndef PJ_HAS_SSL_SOCK
|
||
|
# define PJ_HAS_SSL_SOCK 0
|
||
|
#endif
|
||
|
+// When set to 1 secure sockets will use the GnuTLS backend than OpenSSL
|
||
|
+#ifndef PJ_HAS_TLS_SOCK
|
||
|
+# define PJ_HAS_TLS_SOCK 0
|
||
|
+#endif
|
||
|
|
||
|
|
||
|
/**
|
||
|
diff -ru a/pjlib/include/pj/ssl_sock.h b/pjlib/include/pj/ssl_sock.h
|
||
|
--- a/pjlib/include/pj/ssl_sock.h 2016-10-27 03:58:01.000000000 -0400
|
||
|
+++ b/pjlib/include/pj/ssl_sock.h 2017-06-08 13:36:16.448510381 -0400
|
||
|
@@ -184,6 +184,10 @@
|
||
|
pj_str_t raw; /**< Raw certificate in PEM format, only
|
||
|
available for remote certificate. */
|
||
|
|
||
|
+ struct {
|
||
|
+ unsigned cnt; /**< # of entry */
|
||
|
+ pj_str_t* cert_raw;
|
||
|
+ } raw_chain;
|
||
|
} pj_ssl_cert_info;
|
||
|
|
||
|
|
||
|
diff -ru a/pjlib/src/pj/ssl_sock_common.c b/pjlib/src/pj/ssl_sock_common.c
|
||
|
--- a/pjlib/src/pj/ssl_sock_common.c 2016-10-27 03:58:01.000000000 -0400
|
||
|
+++ b/pjlib/src/pj/ssl_sock_common.c 2017-06-08 13:37:17.171037628 -0400
|
||
|
@@ -35,7 +35,12 @@
|
||
|
param->async_cnt = 1;
|
||
|
param->concurrency = -1;
|
||
|
param->whole_data = PJ_TRUE;
|
||
|
+#if defined(PJ_HAS_TLS_SOCK) && PJ_HAS_TLS_SOCK == 1
|
||
|
+ // GnuTLS is allowed to send bigger chunks
|
||
|
+ param->send_buffer_size = 65536;
|
||
|
+#else
|
||
|
param->send_buffer_size = 8192;
|
||
|
+#endif
|
||
|
#if !defined(PJ_SYMBIAN) || PJ_SYMBIAN==0
|
||
|
param->read_buffer_size = 1500;
|
||
|
#endif
|
||
|
diff --git a/pjlib/src/pj/ssl_sock_gtls.c b/pjlib/src/pj/ssl_sock_gtls.c
|
||
|
new file mode 100644
|
||
|
index 0000000..37bcaba
|
||
|
--- /dev/null
|
||
|
+++ b/pjlib/src/pj/ssl_sock_gtls.c
|
||
|
@@ -0,0 +1,2877 @@
|
||
|
+/* $Id$ */
|
||
|
+/*
|
||
|
+ * Copyright (C) 2014-2016 Savoir-faire Linux. (https://www.savoirfairelinux.com)
|
||
|
+ *
|
||
|
+ * This program is free software; you can redistribute it and/or modify
|
||
|
+ * it under the terms of the GNU General Public License as published by
|
||
|
+ * the Free Software Foundation; either version 2 of the License, or
|
||
|
+ * (at your option) any later version.
|
||
|
+ *
|
||
|
+ * This program is distributed in the hope that it will be useful,
|
||
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
|
+ * GNU General Public License for more details.
|
||
|
+ *
|
||
|
+ * You should have received a copy of the GNU General Public License
|
||
|
+ * along with this program; if not, write to the Free Software
|
||
|
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||
|
+ */
|
||
|
+
|
||
|
+#include <pj/ssl_sock.h>
|
||
|
+#include <pj/activesock.h>
|
||
|
+#include <pj/compat/socket.h>
|
||
|
+#include <pj/assert.h>
|
||
|
+#include <pj/errno.h>
|
||
|
+#include <pj/list.h>
|
||
|
+#include <pj/lock.h>
|
||
|
+#include <pj/log.h>
|
||
|
+#include <pj/math.h>
|
||
|
+#include <pj/os.h>
|
||
|
+#include <pj/pool.h>
|
||
|
+#include <pj/string.h>
|
||
|
+#include <pj/timer.h>
|
||
|
+#include <pj/file_io.h>
|
||
|
+
|
||
|
+#if GNUTLS_VERSION_NUMBER < 0x030306 && !defined(_MSC_VER)
|
||
|
+#include <dirent.h>
|
||
|
+#endif
|
||
|
+
|
||
|
+#include <errno.h>
|
||
|
+
|
||
|
+/* Only build when PJ_HAS_SSL_SOCK and PJ_HAS_TLS_SOCK are enabled */
|
||
|
+#if defined(PJ_HAS_SSL_SOCK) && PJ_HAS_SSL_SOCK != 0 && \
|
||
|
+ defined(PJ_HAS_TLS_SOCK) && PJ_HAS_TLS_SOCK != 0
|
||
|
+
|
||
|
+#define THIS_FILE "ssl_sock_gtls.c"
|
||
|
+
|
||
|
+/* Workaround for ticket #985 */
|
||
|
+#define DELAYED_CLOSE_TIMEOUT 200
|
||
|
+
|
||
|
+/* Maximum ciphers */
|
||
|
+#define MAX_CIPHERS 100
|
||
|
+
|
||
|
+/* Standard trust locations */
|
||
|
+#define TRUST_STORE_FILE1 "/etc/ssl/certs/ca-certificates.crt"
|
||
|
+#define TRUST_STORE_FILE2 "/etc/ssl/certs/ca-bundle.crt"
|
||
|
+
|
||
|
+/* Debugging output level for GnuTLS only */
|
||
|
+#define GNUTLS_LOG_LEVEL 0
|
||
|
+
|
||
|
+/* GnuTLS includes */
|
||
|
+#include <gnutls/gnutls.h>
|
||
|
+#include <gnutls/x509.h>
|
||
|
+#include <gnutls/abstract.h>
|
||
|
+
|
||
|
+#ifdef _MSC_VER
|
||
|
+# pragma comment( lib, "libgnutls")
|
||
|
+#endif
|
||
|
+
|
||
|
+
|
||
|
+/* TLS state enumeration. */
|
||
|
+enum tls_connection_state {
|
||
|
+ TLS_STATE_NULL,
|
||
|
+ TLS_STATE_HANDSHAKING,
|
||
|
+ TLS_STATE_ESTABLISHED
|
||
|
+};
|
||
|
+
|
||
|
+/* Internal timer types. */
|
||
|
+enum timer_id {
|
||
|
+ TIMER_NONE,
|
||
|
+ TIMER_HANDSHAKE_TIMEOUT,
|
||
|
+ TIMER_CLOSE
|
||
|
+};
|
||
|
+
|
||
|
+/* Structure of SSL socket read buffer. */
|
||
|
+typedef struct read_data_t {
|
||
|
+ void *data;
|
||
|
+ pj_size_t len;
|
||
|
+} read_data_t;
|
||
|
+
|
||
|
+/*
|
||
|
+ * Get the offset of pointer to read-buffer of SSL socket from read-buffer
|
||
|
+ * of active socket. Note that both SSL socket and active socket employ
|
||
|
+ * different but correlated read-buffers (as much as async_cnt for each),
|
||
|
+ * and to make it easier/faster to find corresponding SSL socket's read-buffer
|
||
|
+ * from known active socket's read-buffer, the pointer of corresponding
|
||
|
+ * SSL socket's read-buffer is stored right after the end of active socket's
|
||
|
+ * read-buffer.
|
||
|
+ */
|
||
|
+#define OFFSET_OF_READ_DATA_PTR(ssock, asock_rbuf) \
|
||
|
+ (read_data_t**) \
|
||
|
+ ((pj_int8_t *)(asock_rbuf) + \
|
||
|
+ ssock->param.read_buffer_size)
|
||
|
+
|
||
|
+/* Structure of SSL socket write data. */
|
||
|
+typedef struct write_data_t {
|
||
|
+ PJ_DECL_LIST_MEMBER(struct write_data_t);
|
||
|
+ pj_ioqueue_op_key_t key;
|
||
|
+ pj_size_t record_len;
|
||
|
+ pj_ioqueue_op_key_t *app_key;
|
||
|
+ pj_size_t plain_data_len;
|
||
|
+ pj_size_t data_len;
|
||
|
+ unsigned flags;
|
||
|
+ union {
|
||
|
+ char content[1];
|
||
|
+ const char *ptr;
|
||
|
+ } data;
|
||
|
+} write_data_t;
|
||
|
+
|
||
|
+
|
||
|
+/* Structure of SSL socket write buffer (circular buffer). */
|
||
|
+typedef struct send_buf_t {
|
||
|
+ char *buf;
|
||
|
+ pj_size_t max_len;
|
||
|
+ char *start;
|
||
|
+ pj_size_t len;
|
||
|
+} send_buf_t;
|
||
|
+
|
||
|
+
|
||
|
+/* Circular buffer object */
|
||
|
+typedef struct circ_buf_t {
|
||
|
+ pj_size_t cap; /* maximum number of elements (must be power of 2) */
|
||
|
+ pj_size_t readp; /* index of oldest element */
|
||
|
+ pj_size_t writep; /* index at which to write new element */
|
||
|
+ pj_size_t size; /* number of elements */
|
||
|
+ pj_uint8_t *buf; /* data buffer */
|
||
|
+ pj_pool_t *pool; /* where new allocations will take place */
|
||
|
+} circ_buf_t;
|
||
|
+
|
||
|
+
|
||
|
+/* Secure socket structure definition. */
|
||
|
+struct pj_ssl_sock_t {
|
||
|
+ pj_pool_t *pool;
|
||
|
+ pj_ssl_sock_t *parent;
|
||
|
+ pj_ssl_sock_param param;
|
||
|
+ pj_ssl_sock_param newsock_param;
|
||
|
+ pj_ssl_cert_t *cert;
|
||
|
+
|
||
|
+ pj_ssl_cert_info local_cert_info;
|
||
|
+ pj_ssl_cert_info remote_cert_info;
|
||
|
+
|
||
|
+ pj_bool_t is_server;
|
||
|
+ enum tls_connection_state connection_state;
|
||
|
+ pj_ioqueue_op_key_t handshake_op_key;
|
||
|
+ pj_timer_entry timer;
|
||
|
+ pj_status_t verify_status;
|
||
|
+
|
||
|
+ int last_err;
|
||
|
+
|
||
|
+ pj_sock_t sock;
|
||
|
+ pj_activesock_t *asock;
|
||
|
+
|
||
|
+ pj_sockaddr local_addr;
|
||
|
+ pj_sockaddr rem_addr;
|
||
|
+ int addr_len;
|
||
|
+
|
||
|
+ pj_bool_t read_started;
|
||
|
+ pj_size_t read_size;
|
||
|
+ pj_uint32_t read_flags;
|
||
|
+ void **asock_rbuf;
|
||
|
+ read_data_t *ssock_rbuf;
|
||
|
+
|
||
|
+ write_data_t write_pending; /* list of pending writes */
|
||
|
+ write_data_t write_pending_empty; /* cache for write_pending */
|
||
|
+ pj_bool_t flushing_write_pend; /* flag of flushing is ongoing */
|
||
|
+ send_buf_t send_buf;
|
||
|
+ write_data_t send_pending; /* list of pending write to network */
|
||
|
+
|
||
|
+ gnutls_session_t session;
|
||
|
+ gnutls_certificate_credentials_t xcred;
|
||
|
+
|
||
|
+ circ_buf_t circ_buf_input;
|
||
|
+ pj_lock_t *circ_buf_input_mutex;
|
||
|
+
|
||
|
+ circ_buf_t circ_buf_output;
|
||
|
+ pj_lock_t *circ_buf_output_mutex;
|
||
|
+
|
||
|
+ int tls_init_count; /* library initialization counter */
|
||
|
+};
|
||
|
+
|
||
|
+
|
||
|
+/* Certificate/credential structure definition. */
|
||
|
+struct pj_ssl_cert_t {
|
||
|
+ pj_str_t CA_file;
|
||
|
+ pj_str_t CA_path;
|
||
|
+ pj_str_t cert_file;
|
||
|
+ pj_str_t privkey_file;
|
||
|
+ pj_str_t privkey_pass;
|
||
|
+};
|
||
|
+
|
||
|
+/* GnuTLS available ciphers */
|
||
|
+static unsigned tls_available_ciphers;
|
||
|
+
|
||
|
+/* Array of id/names for available ciphers */
|
||
|
+static struct tls_ciphers_t {
|
||
|
+ pj_ssl_cipher id;
|
||
|
+ const char *name;
|
||
|
+} tls_ciphers[MAX_CIPHERS];
|
||
|
+
|
||
|
+/* Last error reported somehow */
|
||
|
+static int tls_last_error;
|
||
|
+
|
||
|
+
|
||
|
+/*
|
||
|
+ *******************************************************************
|
||
|
+ * Circular buffer functions.
|
||
|
+ *******************************************************************
|
||
|
+ */
|
||
|
+
|
||
|
+static pj_status_t circ_init(pj_pool_factory *factory,
|
||
|
+ circ_buf_t *cb, pj_size_t cap)
|
||
|
+{
|
||
|
+ cb->cap = cap;
|
||
|
+ cb->readp = 0;
|
||
|
+ cb->writep = 0;
|
||
|
+ cb->size = 0;
|
||
|
+
|
||
|
+ /* Initial pool holding the buffer elements */
|
||
|
+ cb->pool = pj_pool_create(factory, "tls-circ%p", cap, cap, NULL);
|
||
|
+ if (!cb->pool)
|
||
|
+ return PJ_ENOMEM;
|
||
|
+
|
||
|
+ /* Allocate circular buffer */
|
||
|
+ cb->buf = pj_pool_alloc(cb->pool, cap);
|
||
|
+ if (!cb->buf) {
|
||
|
+ pj_pool_release(cb->pool);
|
||
|
+ return PJ_ENOMEM;
|
||
|
+ }
|
||
|
+
|
||
|
+ return PJ_SUCCESS;
|
||
|
+}
|
||
|
+
|
||
|
+static void circ_deinit(circ_buf_t *cb)
|
||
|
+{
|
||
|
+ if (cb->pool) {
|
||
|
+ pj_pool_release(cb->pool);
|
||
|
+ cb->pool = NULL;
|
||
|
+ }
|
||
|
+}
|
||
|
+
|
||
|
+static pj_bool_t circ_empty(const circ_buf_t *cb)
|
||
|
+{
|
||
|
+ return cb->size == 0;
|
||
|
+}
|
||
|
+
|
||
|
+static pj_size_t circ_size(const circ_buf_t *cb)
|
||
|
+{
|
||
|
+ return cb->size;
|
||
|
+}
|
||
|
+
|
||
|
+static pj_size_t circ_avail(const circ_buf_t *cb)
|
||
|
+{
|
||
|
+ return cb->cap - cb->size;
|
||
|
+}
|
||
|
+
|
||
|
+static void circ_read(circ_buf_t *cb, pj_uint8_t *dst, pj_size_t len)
|
||
|
+{
|
||
|
+ pj_size_t size_after = cb->cap - cb->readp;
|
||
|
+ pj_size_t tbc = PJ_MIN(size_after, len);
|
||
|
+ pj_size_t rem = len - tbc;
|
||
|
+
|
||
|
+ pj_memcpy(dst, cb->buf + cb->readp, tbc);
|
||
|
+ pj_memcpy(dst + tbc, cb->buf, rem);
|
||
|
+
|
||
|
+ cb->readp += len;
|
||
|
+ cb->readp &= (cb->cap - 1);
|
||
|
+
|
||
|
+ cb->size -= len;
|
||
|
+}
|
||
|
+
|
||
|
+static pj_status_t circ_write(circ_buf_t *cb,
|
||
|
+ const pj_uint8_t *src, pj_size_t len)
|
||
|
+{
|
||
|
+ /* Overflow condition: resize */
|
||
|
+ if (len > circ_avail(cb)) {
|
||
|
+ /* Minimum required capacity */
|
||
|
+ pj_size_t min_cap = len + cb->size;
|
||
|
+
|
||
|
+ /* Next 32-bit power of two */
|
||
|
+ min_cap--;
|
||
|
+ min_cap |= min_cap >> 1;
|
||
|
+ min_cap |= min_cap >> 2;
|
||
|
+ min_cap |= min_cap >> 4;
|
||
|
+ min_cap |= min_cap >> 8;
|
||
|
+ min_cap |= min_cap >> 16;
|
||
|
+ min_cap++;
|
||
|
+
|
||
|
+ /* Create a new pool to hold a bigger buffer, using the same factory */
|
||
|
+ pj_pool_t *pool = pj_pool_create(cb->pool->factory, "tls-circ%p",
|
||
|
+ min_cap, min_cap, NULL);
|
||
|
+ if (!pool)
|
||
|
+ return PJ_ENOMEM;
|
||
|
+
|
||
|
+ /* Allocate our new buffer */
|
||
|
+ pj_uint8_t *buf = pj_pool_alloc(pool, min_cap);
|
||
|
+ if (!buf) {
|
||
|
+ pj_pool_release(pool);
|
||
|
+ return PJ_ENOMEM;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Save old size, which we shall restore after the next read */
|
||
|
+ pj_size_t old_size = cb->size;
|
||
|
+
|
||
|
+ /* Copy old data into beginning of new buffer */
|
||
|
+ circ_read(cb, buf, cb->size);
|
||
|
+
|
||
|
+ /* Restore old size now */
|
||
|
+ cb->size = old_size;
|
||
|
+
|
||
|
+ /* Release the previous pool */
|
||
|
+ pj_pool_release(cb->pool);
|
||
|
+
|
||
|
+ /* Update circular buffer members */
|
||
|
+ cb->pool = pool;
|
||
|
+ cb->buf = buf;
|
||
|
+ cb->readp = 0;
|
||
|
+ cb->writep = cb->size;
|
||
|
+ cb->cap = min_cap;
|
||
|
+ }
|
||
|
+
|
||
|
+ pj_size_t size_after = cb->cap - cb->writep;
|
||
|
+ pj_size_t tbc = PJ_MIN(size_after, len);
|
||
|
+ pj_size_t rem = len - tbc;
|
||
|
+
|
||
|
+ pj_memcpy(cb->buf + cb->writep, src, tbc);
|
||
|
+ pj_memcpy(cb->buf, src + tbc, rem);
|
||
|
+
|
||
|
+ cb->writep += len;
|
||
|
+ cb->writep &= (cb->cap - 1);
|
||
|
+
|
||
|
+ cb->size += len;
|
||
|
+
|
||
|
+ return PJ_SUCCESS;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/*
|
||
|
+ *******************************************************************
|
||
|
+ * Static/internal functions.
|
||
|
+ *******************************************************************
|
||
|
+ */
|
||
|
+
|
||
|
+/* Convert from GnuTLS error to pj_status_t. */
|
||
|
+static pj_status_t tls_status_from_err(pj_ssl_sock_t *ssock, int err)
|
||
|
+{
|
||
|
+ pj_status_t status;
|
||
|
+
|
||
|
+ switch (err) {
|
||
|
+ case GNUTLS_E_SUCCESS:
|
||
|
+ status = PJ_SUCCESS;
|
||
|
+ break;
|
||
|
+ case GNUTLS_E_MEMORY_ERROR:
|
||
|
+ status = PJ_ENOMEM;
|
||
|
+ break;
|
||
|
+ case GNUTLS_E_LARGE_PACKET:
|
||
|
+ status = PJ_ETOOBIG;
|
||
|
+ break;
|
||
|
+ case GNUTLS_E_NO_CERTIFICATE_FOUND:
|
||
|
+ status = PJ_ENOTFOUND;
|
||
|
+ break;
|
||
|
+ case GNUTLS_E_SESSION_EOF:
|
||
|
+ status = PJ_EEOF;
|
||
|
+ break;
|
||
|
+ case GNUTLS_E_HANDSHAKE_TOO_LARGE:
|
||
|
+ status = PJ_ETOOBIG;
|
||
|
+ break;
|
||
|
+ case GNUTLS_E_EXPIRED:
|
||
|
+ status = PJ_EGONE;
|
||
|
+ break;
|
||
|
+ case GNUTLS_E_TIMEDOUT:
|
||
|
+ status = PJ_ETIMEDOUT;
|
||
|
+ break;
|
||
|
+ case GNUTLS_E_PREMATURE_TERMINATION:
|
||
|
+ status = PJ_ECANCELLED;
|
||
|
+ break;
|
||
|
+ case GNUTLS_E_INTERNAL_ERROR:
|
||
|
+ case GNUTLS_E_UNIMPLEMENTED_FEATURE:
|
||
|
+ status = PJ_EBUG;
|
||
|
+ break;
|
||
|
+ case GNUTLS_E_AGAIN:
|
||
|
+ case GNUTLS_E_INTERRUPTED:
|
||
|
+ case GNUTLS_E_REHANDSHAKE:
|
||
|
+ status = PJ_EPENDING;
|
||
|
+ break;
|
||
|
+ case GNUTLS_E_TOO_MANY_EMPTY_PACKETS:
|
||
|
+ case GNUTLS_E_TOO_MANY_HANDSHAKE_PACKETS:
|
||
|
+ case GNUTLS_E_RECORD_LIMIT_REACHED:
|
||
|
+ status = PJ_ETOOMANY;
|
||
|
+ break;
|
||
|
+ case GNUTLS_E_UNSUPPORTED_VERSION_PACKET:
|
||
|
+ case GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM:
|
||
|
+ case GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE:
|
||
|
+ case GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE:
|
||
|
+ case GNUTLS_E_X509_UNSUPPORTED_EXTENSION:
|
||
|
+ case GNUTLS_E_X509_UNSUPPORTED_CRITICAL_EXTENSION:
|
||
|
+ status = PJ_ENOTSUP;
|
||
|
+ break;
|
||
|
+ case GNUTLS_E_INVALID_SESSION:
|
||
|
+ case GNUTLS_E_INVALID_REQUEST:
|
||
|
+ case GNUTLS_E_INVALID_PASSWORD:
|
||
|
+ case GNUTLS_E_ILLEGAL_PARAMETER:
|
||
|
+ case GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION:
|
||
|
+ case GNUTLS_E_UNEXPECTED_PACKET:
|
||
|
+ case GNUTLS_E_UNEXPECTED_PACKET_LENGTH:
|
||
|
+ case GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET:
|
||
|
+ case GNUTLS_E_UNWANTED_ALGORITHM:
|
||
|
+ case GNUTLS_E_USER_ERROR:
|
||
|
+ status = PJ_EINVAL;
|
||
|
+ break;
|
||
|
+ default:
|
||
|
+ status = PJ_EUNKNOWN;
|
||
|
+ break;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Not thread safe */
|
||
|
+ tls_last_error = err;
|
||
|
+ if (ssock)
|
||
|
+ ssock->last_err = err;
|
||
|
+ return status;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Get error string from GnuTLS using tls_last_error */
|
||
|
+static pj_str_t tls_strerror(pj_status_t status,
|
||
|
+ char *buf, pj_size_t bufsize)
|
||
|
+{
|
||
|
+ pj_str_t errstr;
|
||
|
+ const char *tmp = gnutls_strerror(tls_last_error);
|
||
|
+
|
||
|
+#if defined(PJ_HAS_ERROR_STRING) && (PJ_HAS_ERROR_STRING != 0)
|
||
|
+ if (tmp) {
|
||
|
+ pj_ansi_strncpy(buf, tmp, bufsize);
|
||
|
+ errstr = pj_str(buf);
|
||
|
+ return errstr;
|
||
|
+ }
|
||
|
+#endif /* PJ_HAS_ERROR_STRING */
|
||
|
+
|
||
|
+ errstr.ptr = buf;
|
||
|
+ errstr.slen = pj_ansi_snprintf(buf, bufsize, "GnuTLS error %d: %s",
|
||
|
+ tls_last_error, tmp);
|
||
|
+ if (errstr.slen < 1 || errstr.slen >= (int) bufsize)
|
||
|
+ errstr.slen = bufsize - 1;
|
||
|
+
|
||
|
+ return errstr;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Initialize GnuTLS. */
|
||
|
+static pj_status_t tls_init(void)
|
||
|
+{
|
||
|
+ /* Register error subsystem */
|
||
|
+ pj_status_t status = pj_register_strerror(PJ_ERRNO_START_USER +
|
||
|
+ PJ_ERRNO_SPACE_SIZE * 6,
|
||
|
+ PJ_ERRNO_SPACE_SIZE,
|
||
|
+ &tls_strerror);
|
||
|
+ pj_assert(status == PJ_SUCCESS);
|
||
|
+
|
||
|
+ /* Init GnuTLS library */
|
||
|
+ int ret = gnutls_global_init();
|
||
|
+ if (ret < 0)
|
||
|
+ return tls_status_from_err(NULL, ret);
|
||
|
+
|
||
|
+ /* Init available ciphers */
|
||
|
+ if (!tls_available_ciphers) {
|
||
|
+ unsigned int i;
|
||
|
+
|
||
|
+ for (i = 0; ; i++) {
|
||
|
+ unsigned char id[2];
|
||
|
+ const char *suite = gnutls_cipher_suite_info(i, (unsigned char *)id,
|
||
|
+ NULL, NULL, NULL, NULL);
|
||
|
+ tls_ciphers[i].id = 0;
|
||
|
+ /* usually the array size is bigger than the number of available
|
||
|
+ * ciphers anyway, so by checking here we can exit the loop as soon
|
||
|
+ * as either all ciphers have been added or the array is full */
|
||
|
+ if (suite && i < PJ_ARRAY_SIZE(tls_ciphers)) {
|
||
|
+ tls_ciphers[i].id = (pj_ssl_cipher)
|
||
|
+ (pj_uint32_t) ((id[0] << 8) | id[1]);
|
||
|
+ tls_ciphers[i].name = suite;
|
||
|
+ } else
|
||
|
+ break;
|
||
|
+ }
|
||
|
+
|
||
|
+ tls_available_ciphers = i;
|
||
|
+ }
|
||
|
+
|
||
|
+ return PJ_SUCCESS;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Shutdown GnuTLS */
|
||
|
+static void tls_deinit(void)
|
||
|
+{
|
||
|
+ gnutls_global_deinit();
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Callback invoked every time a certificate has to be validated. */
|
||
|
+static int tls_cert_verify_cb(gnutls_session_t session)
|
||
|
+{
|
||
|
+ pj_ssl_sock_t *ssock;
|
||
|
+ unsigned int status;
|
||
|
+ int ret;
|
||
|
+
|
||
|
+ /* Get SSL socket instance */
|
||
|
+ ssock = (pj_ssl_sock_t *)gnutls_session_get_ptr(session);
|
||
|
+ pj_assert(ssock);
|
||
|
+
|
||
|
+ /* Support only x509 format */
|
||
|
+ ret = gnutls_certificate_type_get(session) != GNUTLS_CRT_X509;
|
||
|
+ if (ret < 0) {
|
||
|
+ ssock->verify_status |= PJ_SSL_CERT_EINVALID_FORMAT;
|
||
|
+ return GNUTLS_E_CERTIFICATE_ERROR;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Store verification status */
|
||
|
+ ret = gnutls_certificate_verify_peers2(session, &status);
|
||
|
+ if (ret < 0) {
|
||
|
+ ssock->verify_status |= PJ_SSL_CERT_EUNKNOWN;
|
||
|
+ return GNUTLS_E_CERTIFICATE_ERROR;
|
||
|
+ }
|
||
|
+ if (ssock->param.verify_peer) {
|
||
|
+ if (status & GNUTLS_CERT_INVALID) {
|
||
|
+ if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
|
||
|
+ ssock->verify_status |= PJ_SSL_CERT_EISSUER_NOT_FOUND;
|
||
|
+ else if (status & GNUTLS_CERT_EXPIRED ||
|
||
|
+ status & GNUTLS_CERT_NOT_ACTIVATED)
|
||
|
+ ssock->verify_status |= PJ_SSL_CERT_EVALIDITY_PERIOD;
|
||
|
+ else if (status & GNUTLS_CERT_SIGNER_NOT_CA ||
|
||
|
+ status & GNUTLS_CERT_INSECURE_ALGORITHM)
|
||
|
+ ssock->verify_status |= PJ_SSL_CERT_EUNTRUSTED;
|
||
|
+ else if (status & GNUTLS_CERT_UNEXPECTED_OWNER ||
|
||
|
+ status & GNUTLS_CERT_MISMATCH)
|
||
|
+ ssock->verify_status |= PJ_SSL_CERT_EISSUER_MISMATCH;
|
||
|
+ else if (status & GNUTLS_CERT_REVOKED)
|
||
|
+ ssock->verify_status |= PJ_SSL_CERT_EREVOKED;
|
||
|
+ else
|
||
|
+ ssock->verify_status |= PJ_SSL_CERT_EUNKNOWN;
|
||
|
+
|
||
|
+ return GNUTLS_E_CERTIFICATE_ERROR;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* When verification is not requested just return ok here, however
|
||
|
+ * applications can still get the verification status. */
|
||
|
+ gnutls_x509_crt_t cert;
|
||
|
+ unsigned int cert_list_size;
|
||
|
+ const gnutls_datum_t *cert_list;
|
||
|
+ int ret;
|
||
|
+
|
||
|
+ ret = gnutls_x509_crt_init(&cert);
|
||
|
+ if (ret < 0)
|
||
|
+ goto out;
|
||
|
+
|
||
|
+ cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
|
||
|
+ if (cert_list == NULL) {
|
||
|
+ ret = GNUTLS_E_NO_CERTIFICATE_FOUND;
|
||
|
+ goto out;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* TODO: verify whole chain perhaps? */
|
||
|
+ ret = gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER);
|
||
|
+ if (ret < 0)
|
||
|
+ ret = gnutls_x509_crt_import(cert, &cert_list[0],
|
||
|
+ GNUTLS_X509_FMT_PEM);
|
||
|
+ if (ret < 0) {
|
||
|
+ ssock->verify_status |= PJ_SSL_CERT_EINVALID_FORMAT;
|
||
|
+ goto out;
|
||
|
+ }
|
||
|
+ ret = gnutls_x509_crt_check_hostname(cert, ssock->param.server_name.ptr);
|
||
|
+ if (ret < 0)
|
||
|
+ goto out;
|
||
|
+
|
||
|
+ gnutls_x509_crt_deinit(cert);
|
||
|
+
|
||
|
+ /* notify GnuTLS to continue handshake normally */
|
||
|
+ return GNUTLS_E_SUCCESS;
|
||
|
+
|
||
|
+out:
|
||
|
+ tls_last_error = ret;
|
||
|
+ ssock->verify_status |= PJ_SSL_CERT_EUNKNOWN;
|
||
|
+ return GNUTLS_E_CERTIFICATE_ERROR;
|
||
|
+ }
|
||
|
+
|
||
|
+ return GNUTLS_E_SUCCESS;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* gnutls_handshake() and gnutls_record_send() will call this function to
|
||
|
+ * send/write (encrypted) data */
|
||
|
+static ssize_t tls_data_push(gnutls_transport_ptr_t ptr,
|
||
|
+ const void *data, size_t len)
|
||
|
+{
|
||
|
+ pj_ssl_sock_t *ssock = (pj_ssl_sock_t *)ptr;
|
||
|
+
|
||
|
+ pj_lock_acquire(ssock->circ_buf_output_mutex);
|
||
|
+ if (circ_write(&ssock->circ_buf_output, data, len) != PJ_SUCCESS) {
|
||
|
+ pj_lock_release(ssock->circ_buf_output_mutex);
|
||
|
+
|
||
|
+ gnutls_transport_set_errno(ssock->session, ENOMEM);
|
||
|
+ return -1;
|
||
|
+ }
|
||
|
+
|
||
|
+ pj_lock_release(ssock->circ_buf_output_mutex);
|
||
|
+
|
||
|
+ return len;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* gnutls_handshake() and gnutls_record_recv() will call this function to
|
||
|
+ * receive/read (encrypted) data */
|
||
|
+static ssize_t tls_data_pull(gnutls_transport_ptr_t ptr,
|
||
|
+ void *data, pj_size_t len)
|
||
|
+{
|
||
|
+ pj_ssl_sock_t *ssock = (pj_ssl_sock_t *)ptr;
|
||
|
+
|
||
|
+ pj_lock_acquire(ssock->circ_buf_input_mutex);
|
||
|
+
|
||
|
+ if (circ_empty(&ssock->circ_buf_input)) {
|
||
|
+ pj_lock_release(ssock->circ_buf_input_mutex);
|
||
|
+
|
||
|
+ /* Data buffers not yet filled */
|
||
|
+ gnutls_transport_set_errno(ssock->session, EAGAIN);
|
||
|
+ return -1;
|
||
|
+ }
|
||
|
+
|
||
|
+ pj_size_t circ_buf_size = circ_size(&ssock->circ_buf_input);
|
||
|
+ pj_size_t read_size = PJ_MIN(circ_buf_size, len);
|
||
|
+
|
||
|
+ circ_read(&ssock->circ_buf_input, data, read_size);
|
||
|
+
|
||
|
+ pj_lock_release(ssock->circ_buf_input_mutex);
|
||
|
+
|
||
|
+ return read_size;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Append a string to the priority string, only once. */
|
||
|
+static pj_status_t tls_str_append_once(pj_str_t *dst, pj_str_t *src)
|
||
|
+{
|
||
|
+ if (pj_strstr(dst, src) == NULL) {
|
||
|
+ /* Check buffer size */
|
||
|
+ if (dst->slen + src->slen + 3 > 1024)
|
||
|
+ return PJ_ETOOMANY;
|
||
|
+
|
||
|
+ pj_strcat2(dst, ":+");
|
||
|
+ pj_strcat(dst, src);
|
||
|
+ }
|
||
|
+ return PJ_SUCCESS;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Generate priority string with user preference order. */
|
||
|
+static pj_status_t tls_priorities_set(pj_ssl_sock_t *ssock)
|
||
|
+{
|
||
|
+ char buf[1024];
|
||
|
+ char priority_buf[256];
|
||
|
+ pj_str_t cipher_list;
|
||
|
+ pj_str_t compression = pj_str("COMP-NULL");
|
||
|
+ pj_str_t server = pj_str(":%SERVER_PRECEDENCE");
|
||
|
+ int i, j, ret;
|
||
|
+ pj_str_t priority;
|
||
|
+ const char *err;
|
||
|
+
|
||
|
+ pj_strset(&cipher_list, buf, 0);
|
||
|
+ pj_strset(&priority, priority_buf, 0);
|
||
|
+
|
||
|
+ /* For each level, enable only the requested protocol */
|
||
|
+ pj_strcat2(&priority, "NORMAL:");
|
||
|
+ if (ssock->param.proto & PJ_SSL_SOCK_PROTO_TLS1_2) {
|
||
|
+ pj_strcat2(&priority, "+VERS-TLS1.2:");
|
||
|
+ }
|
||
|
+ if (ssock->param.proto & PJ_SSL_SOCK_PROTO_TLS1_1) {
|
||
|
+ pj_strcat2(&priority, "+VERS-TLS1.1:");
|
||
|
+ }
|
||
|
+ if (ssock->param.proto & PJ_SSL_SOCK_PROTO_TLS1) {
|
||
|
+ pj_strcat2(&priority, "+VERS-TLS1.0:");
|
||
|
+ }
|
||
|
+ pj_strcat2(&priority, "-VERS-SSL3.0:");
|
||
|
+ pj_strcat2(&priority, "%LATEST_RECORD_VERSION");
|
||
|
+
|
||
|
+ pj_strcat(&cipher_list, &priority);
|
||
|
+ for (i = 0; i < ssock->param.ciphers_num; i++) {
|
||
|
+ for (j = 0; ; j++) {
|
||
|
+ pj_ssl_cipher c;
|
||
|
+ const char *suite;
|
||
|
+ unsigned char id[2];
|
||
|
+ gnutls_protocol_t proto;
|
||
|
+ gnutls_kx_algorithm_t kx;
|
||
|
+ gnutls_mac_algorithm_t mac;
|
||
|
+ gnutls_cipher_algorithm_t algo;
|
||
|
+
|
||
|
+ suite = gnutls_cipher_suite_info(j, (unsigned char *)id,
|
||
|
+ &kx, &algo, &mac, &proto);
|
||
|
+ if (!suite)
|
||
|
+ break;
|
||
|
+
|
||
|
+ c = (pj_ssl_cipher) (pj_uint32_t) ((id[0] << 8) | id[1]);
|
||
|
+ if (ssock->param.ciphers[i] == c) {
|
||
|
+ char temp[256];
|
||
|
+ pj_str_t cipher_entry;
|
||
|
+
|
||
|
+ /* Protocol version */
|
||
|
+ pj_strset(&cipher_entry, temp, 0);
|
||
|
+ pj_strcat2(&cipher_entry, "VERS-");
|
||
|
+ pj_strcat2(&cipher_entry, gnutls_protocol_get_name(proto));
|
||
|
+ ret = tls_str_append_once(&cipher_list, &cipher_entry);
|
||
|
+ if (ret != PJ_SUCCESS)
|
||
|
+ return ret;
|
||
|
+
|
||
|
+ /* Cipher */
|
||
|
+ pj_strset(&cipher_entry, temp, 0);
|
||
|
+ pj_strcat2(&cipher_entry, gnutls_cipher_get_name(algo));
|
||
|
+ ret = tls_str_append_once(&cipher_list, &cipher_entry);
|
||
|
+ if (ret != PJ_SUCCESS)
|
||
|
+ return ret;
|
||
|
+
|
||
|
+ /* Mac */
|
||
|
+ pj_strset(&cipher_entry, temp, 0);
|
||
|
+ pj_strcat2(&cipher_entry, gnutls_mac_get_name(mac));
|
||
|
+ ret = tls_str_append_once(&cipher_list, &cipher_entry);
|
||
|
+ if (ret != PJ_SUCCESS)
|
||
|
+ return ret;
|
||
|
+
|
||
|
+ /* Key exchange */
|
||
|
+ pj_strset(&cipher_entry, temp, 0);
|
||
|
+ pj_strcat2(&cipher_entry, gnutls_kx_get_name(kx));
|
||
|
+ ret = tls_str_append_once(&cipher_list, &cipher_entry);
|
||
|
+ if (ret != PJ_SUCCESS)
|
||
|
+ return ret;
|
||
|
+
|
||
|
+ /* Compression is always disabled */
|
||
|
+ /* Signature is level-default */
|
||
|
+ break;
|
||
|
+ }
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Disable compression, it's a TLS-only extension after all */
|
||
|
+ tls_str_append_once(&cipher_list, &compression);
|
||
|
+
|
||
|
+ /* Server will be the one deciding which crypto to use */
|
||
|
+ if (ssock->is_server) {
|
||
|
+ if (cipher_list.slen + server.slen + 1 > sizeof(buf))
|
||
|
+ return PJ_ETOOMANY;
|
||
|
+ else
|
||
|
+ pj_strcat(&cipher_list, &server);
|
||
|
+ }
|
||
|
+
|
||
|
+ /* End the string and print it */
|
||
|
+ cipher_list.ptr[cipher_list.slen] = '\0';
|
||
|
+ PJ_LOG(5, (ssock->pool->obj_name, "Priority string: %s", cipher_list.ptr));
|
||
|
+
|
||
|
+ /* Set our priority string */
|
||
|
+ ret = gnutls_priority_set_direct(ssock->session,
|
||
|
+ cipher_list.ptr, &err);
|
||
|
+ if (ret < 0) {
|
||
|
+ tls_last_error = GNUTLS_E_INVALID_REQUEST;
|
||
|
+ return PJ_EINVAL;
|
||
|
+ }
|
||
|
+
|
||
|
+ return PJ_SUCCESS;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Load root CA file or load the installed ones. */
|
||
|
+static pj_status_t tls_trust_set(pj_ssl_sock_t *ssock)
|
||
|
+{
|
||
|
+ int ntrusts = 0;
|
||
|
+ int err;
|
||
|
+
|
||
|
+ err = gnutls_certificate_set_x509_system_trust(ssock->xcred);
|
||
|
+ if (err > 0)
|
||
|
+ ntrusts += err;
|
||
|
+ err = gnutls_certificate_set_x509_trust_file(ssock->xcred,
|
||
|
+ TRUST_STORE_FILE1,
|
||
|
+ GNUTLS_X509_FMT_PEM);
|
||
|
+ if (err > 0)
|
||
|
+ ntrusts += err;
|
||
|
+
|
||
|
+ err = gnutls_certificate_set_x509_trust_file(ssock->xcred,
|
||
|
+ TRUST_STORE_FILE2,
|
||
|
+ GNUTLS_X509_FMT_PEM);
|
||
|
+ if (err > 0)
|
||
|
+ ntrusts += err;
|
||
|
+
|
||
|
+ if (ntrusts > 0)
|
||
|
+ return PJ_SUCCESS;
|
||
|
+ else if (!ntrusts)
|
||
|
+ return PJ_ENOTFOUND;
|
||
|
+ else
|
||
|
+ return PJ_EINVAL;
|
||
|
+}
|
||
|
+
|
||
|
+#if GNUTLS_VERSION_NUMBER < 0x030306
|
||
|
+
|
||
|
+#ifdef _POSIX_PATH_MAX
|
||
|
+# define GNUTLS_PATH_MAX _POSIX_PATH_MAX
|
||
|
+#else
|
||
|
+# define GNUTLS_PATH_MAX 256
|
||
|
+#endif
|
||
|
+
|
||
|
+static
|
||
|
+int gnutls_certificate_set_x509_trust_dir(gnutls_certificate_credentials_t cred, const char *dirname, unsigned type)
|
||
|
+{
|
||
|
+ DIR *dirp;
|
||
|
+ struct dirent *d;
|
||
|
+ int ret;
|
||
|
+ int r = 0;
|
||
|
+ char path[GNUTLS_PATH_MAX];
|
||
|
+#ifndef _WIN32
|
||
|
+ struct dirent e;
|
||
|
+#endif
|
||
|
+
|
||
|
+ dirp = opendir(dirname);
|
||
|
+ if (dirp != NULL) {
|
||
|
+ do {
|
||
|
+#ifdef _WIN32
|
||
|
+ d = readdir(dirp);
|
||
|
+ if (d != NULL) {
|
||
|
+#else
|
||
|
+ ret = readdir_r(dirp, &e, &d);
|
||
|
+ if (ret == 0 && d != NULL
|
||
|
+#ifdef _DIRENT_HAVE_D_TYPE
|
||
|
+ && (d->d_type == DT_REG || d->d_type == DT_LNK || d->d_type == DT_UNKNOWN)
|
||
|
+#endif
|
||
|
+ ) {
|
||
|
+#endif
|
||
|
+ snprintf(path, sizeof(path), "%s/%s",
|
||
|
+ dirname, d->d_name);
|
||
|
+
|
||
|
+ ret = gnutls_certificate_set_x509_trust_file(cred, path, type);
|
||
|
+ if (ret >= 0)
|
||
|
+ r += ret;
|
||
|
+ }
|
||
|
+ }
|
||
|
+ while (d != NULL);
|
||
|
+ closedir(dirp);
|
||
|
+ }
|
||
|
+
|
||
|
+ return r;
|
||
|
+}
|
||
|
+
|
||
|
+#endif
|
||
|
+
|
||
|
+/* Create and initialize new GnuTLS context and instance */
|
||
|
+static pj_status_t tls_open(pj_ssl_sock_t *ssock)
|
||
|
+{
|
||
|
+ pj_ssl_cert_t *cert;
|
||
|
+ pj_status_t status;
|
||
|
+ int ret;
|
||
|
+
|
||
|
+ pj_assert(ssock);
|
||
|
+
|
||
|
+ cert = ssock->cert;
|
||
|
+
|
||
|
+ /* Even if reopening is harmless, having one instance only simplifies
|
||
|
+ * deallocating it later on */
|
||
|
+ if (!ssock->tls_init_count) {
|
||
|
+ ssock->tls_init_count++;
|
||
|
+ ret = tls_init();
|
||
|
+ if (ret < 0)
|
||
|
+ return ret;
|
||
|
+ } else
|
||
|
+ return PJ_SUCCESS;
|
||
|
+
|
||
|
+ /* Start this socket session */
|
||
|
+ ret = gnutls_init(&ssock->session, ssock->is_server ? GNUTLS_SERVER
|
||
|
+ : GNUTLS_CLIENT);
|
||
|
+ if (ret < 0)
|
||
|
+ goto out;
|
||
|
+
|
||
|
+ /* Set the ssock object to be retrieved by transport (send/recv) and by
|
||
|
+ * user data from this session */
|
||
|
+ gnutls_transport_set_ptr(ssock->session,
|
||
|
+ (gnutls_transport_ptr_t) (uintptr_t) ssock);
|
||
|
+ gnutls_session_set_ptr(ssock->session,
|
||
|
+ (gnutls_transport_ptr_t) (uintptr_t) ssock);
|
||
|
+
|
||
|
+ /* Initialize input circular buffer */
|
||
|
+ status = circ_init(ssock->pool->factory, &ssock->circ_buf_input, 512);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ return status;
|
||
|
+
|
||
|
+ /* Initialize output circular buffer */
|
||
|
+ status = circ_init(ssock->pool->factory, &ssock->circ_buf_output, 512);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ return status;
|
||
|
+
|
||
|
+ /* Set the callback that allows GnuTLS to PUSH and PULL data
|
||
|
+ * TO and FROM the transport layer */
|
||
|
+ gnutls_transport_set_push_function(ssock->session, tls_data_push);
|
||
|
+ gnutls_transport_set_pull_function(ssock->session, tls_data_pull);
|
||
|
+
|
||
|
+ /* Determine which cipher suite to support */
|
||
|
+ status = tls_priorities_set(ssock);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ return status;
|
||
|
+
|
||
|
+ /* Allocate credentials for handshaking and transmission */
|
||
|
+ ret = gnutls_certificate_allocate_credentials(&ssock->xcred);
|
||
|
+ if (ret < 0)
|
||
|
+ goto out;
|
||
|
+ gnutls_certificate_set_verify_function(ssock->xcred, tls_cert_verify_cb);
|
||
|
+
|
||
|
+ /* Load system trust file(s) */
|
||
|
+ status = tls_trust_set(ssock);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ return status;
|
||
|
+
|
||
|
+ /* Load user-provided CA, certificate and key if available */
|
||
|
+ if (cert) {
|
||
|
+ /* Load CA if one is specified. */
|
||
|
+ if (cert->CA_file.slen) {
|
||
|
+ ret = gnutls_certificate_set_x509_trust_file(ssock->xcred,
|
||
|
+ cert->CA_file.ptr,
|
||
|
+ GNUTLS_X509_FMT_PEM);
|
||
|
+ if (ret < 0)
|
||
|
+ ret = gnutls_certificate_set_x509_trust_file(ssock->xcred,
|
||
|
+ cert->CA_file.ptr,
|
||
|
+ GNUTLS_X509_FMT_DER);
|
||
|
+ if (ret < 0)
|
||
|
+ goto out;
|
||
|
+ }
|
||
|
+ if (cert->CA_path.slen) {
|
||
|
+ ret = gnutls_certificate_set_x509_trust_dir(ssock->xcred,
|
||
|
+ cert->CA_path.ptr,
|
||
|
+ GNUTLS_X509_FMT_PEM);
|
||
|
+ if (ret < 0)
|
||
|
+ ret = gnutls_certificate_set_x509_trust_dir(ssock->xcred,
|
||
|
+ cert->CA_path.ptr,
|
||
|
+ GNUTLS_X509_FMT_DER);
|
||
|
+ if (ret < 0)
|
||
|
+ goto out;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Load certificate, key and pass if one is specified */
|
||
|
+ if (cert->cert_file.slen && cert->privkey_file.slen) {
|
||
|
+ const char *prikey_file = cert->privkey_file.ptr;
|
||
|
+ const char *prikey_pass = cert->privkey_pass.slen
|
||
|
+ ? cert->privkey_pass.ptr
|
||
|
+ : NULL;
|
||
|
+ ret = gnutls_certificate_set_x509_key_file2(ssock->xcred,
|
||
|
+ cert->cert_file.ptr,
|
||
|
+ prikey_file,
|
||
|
+ GNUTLS_X509_FMT_PEM,
|
||
|
+ prikey_pass,
|
||
|
+ 0);
|
||
|
+ if (ret != GNUTLS_E_SUCCESS)
|
||
|
+ ret = gnutls_certificate_set_x509_key_file2(ssock->xcred,
|
||
|
+ cert->cert_file.ptr,
|
||
|
+ prikey_file,
|
||
|
+ GNUTLS_X509_FMT_DER,
|
||
|
+ prikey_pass,
|
||
|
+ 0);
|
||
|
+ if (ret < 0)
|
||
|
+ goto out;
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Require client certificate if asked */
|
||
|
+ if (ssock->is_server && ssock->param.require_client_cert)
|
||
|
+ gnutls_certificate_server_set_request(ssock->session,
|
||
|
+ GNUTLS_CERT_REQUIRE);
|
||
|
+
|
||
|
+ /* Finally set credentials for this session */
|
||
|
+ ret = gnutls_credentials_set(ssock->session,
|
||
|
+ GNUTLS_CRD_CERTIFICATE, ssock->xcred);
|
||
|
+ if (ret < 0)
|
||
|
+ goto out;
|
||
|
+
|
||
|
+ ret = GNUTLS_E_SUCCESS;
|
||
|
+out:
|
||
|
+ return tls_status_from_err(ssock, ret);
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Destroy GnuTLS credentials and session. */
|
||
|
+static void tls_close(pj_ssl_sock_t *ssock)
|
||
|
+{
|
||
|
+ if (ssock->session) {
|
||
|
+ gnutls_bye(ssock->session, GNUTLS_SHUT_RDWR);
|
||
|
+ gnutls_deinit(ssock->session);
|
||
|
+ ssock->session = NULL;
|
||
|
+ }
|
||
|
+
|
||
|
+ if (ssock->xcred) {
|
||
|
+ gnutls_certificate_free_credentials(ssock->xcred);
|
||
|
+ ssock->xcred = NULL;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Free GnuTLS library */
|
||
|
+ if (ssock->tls_init_count) {
|
||
|
+ ssock->tls_init_count--;
|
||
|
+ tls_deinit();
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Destroy circular buffers */
|
||
|
+ circ_deinit(&ssock->circ_buf_input);
|
||
|
+ circ_deinit(&ssock->circ_buf_output);
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Reset socket state. */
|
||
|
+static void tls_sock_reset(pj_ssl_sock_t *ssock)
|
||
|
+{
|
||
|
+ ssock->connection_state = TLS_STATE_NULL;
|
||
|
+
|
||
|
+ tls_close(ssock);
|
||
|
+
|
||
|
+ if (ssock->asock) {
|
||
|
+ pj_activesock_close(ssock->asock);
|
||
|
+ ssock->asock = NULL;
|
||
|
+ ssock->sock = PJ_INVALID_SOCKET;
|
||
|
+ }
|
||
|
+ if (ssock->sock != PJ_INVALID_SOCKET) {
|
||
|
+ pj_sock_close(ssock->sock);
|
||
|
+ ssock->sock = PJ_INVALID_SOCKET;
|
||
|
+ }
|
||
|
+
|
||
|
+ ssock->last_err = tls_last_error = GNUTLS_E_SUCCESS;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Get Common Name field string from a general name string */
|
||
|
+static void tls_cert_get_cn(const pj_str_t *gen_name, pj_str_t *cn)
|
||
|
+{
|
||
|
+ pj_str_t CN_sign = {"CN=", 3};
|
||
|
+ char *p, *q;
|
||
|
+
|
||
|
+ pj_bzero(cn, sizeof(cn));
|
||
|
+
|
||
|
+ p = pj_strstr(gen_name, &CN_sign);
|
||
|
+ if (!p)
|
||
|
+ return;
|
||
|
+
|
||
|
+ p += 3; /* shift pointer to value part */
|
||
|
+ pj_strset(cn, p, gen_name->slen - (p - gen_name->ptr));
|
||
|
+ q = pj_strchr(cn, ',');
|
||
|
+ if (q)
|
||
|
+ cn->slen = q - p;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Get certificate info; in case the certificate info is already populated,
|
||
|
+ * this function will check if the contents need updating by inspecting the
|
||
|
+ * issuer and the serial number. */
|
||
|
+static void tls_cert_get_info(pj_pool_t *pool, pj_ssl_cert_info *ci, gnutls_x509_crt_t cert)
|
||
|
+{
|
||
|
+ pj_bool_t update_needed;
|
||
|
+ char buf[512] = { 0 };
|
||
|
+ size_t bufsize = sizeof(buf);
|
||
|
+ pj_uint8_t serial_no[64] = { 0 }; /* should be >= sizeof(ci->serial_no) */
|
||
|
+ size_t serialsize = sizeof(serial_no);
|
||
|
+ size_t len = sizeof(buf);
|
||
|
+ int i, ret, seq = 0;
|
||
|
+ pj_ssl_cert_name_type type;
|
||
|
+
|
||
|
+ pj_assert(pool && ci && cert);
|
||
|
+
|
||
|
+ /* Get issuer */
|
||
|
+ gnutls_x509_crt_get_issuer_dn(cert, buf, &bufsize);
|
||
|
+
|
||
|
+ /* Get serial no */
|
||
|
+ gnutls_x509_crt_get_serial(cert, serial_no, &serialsize);
|
||
|
+
|
||
|
+ /* Check if the contents need to be updated */
|
||
|
+ update_needed = pj_strcmp2(&ci->issuer.info, buf) ||
|
||
|
+ pj_memcmp(ci->serial_no, serial_no, serialsize);
|
||
|
+ if (!update_needed)
|
||
|
+ return;
|
||
|
+
|
||
|
+ /* Update cert info */
|
||
|
+
|
||
|
+ pj_bzero(ci, sizeof(pj_ssl_cert_info));
|
||
|
+
|
||
|
+ /* Version */
|
||
|
+ ci->version = gnutls_x509_crt_get_version(cert);
|
||
|
+
|
||
|
+ /* Issuer */
|
||
|
+ pj_strdup2(pool, &ci->issuer.info, buf);
|
||
|
+ tls_cert_get_cn(&ci->issuer.info, &ci->issuer.cn);
|
||
|
+
|
||
|
+ /* Serial number */
|
||
|
+ pj_memcpy(ci->serial_no, serial_no, sizeof(ci->serial_no));
|
||
|
+
|
||
|
+ /* Subject */
|
||
|
+ bufsize = sizeof(buf);
|
||
|
+ gnutls_x509_crt_get_dn(cert, buf, &bufsize);
|
||
|
+ pj_strdup2(pool, &ci->subject.info, buf);
|
||
|
+ tls_cert_get_cn(&ci->subject.info, &ci->subject.cn);
|
||
|
+
|
||
|
+ /* Validity */
|
||
|
+ ci->validity.end.sec = gnutls_x509_crt_get_expiration_time(cert);
|
||
|
+ ci->validity.start.sec = gnutls_x509_crt_get_activation_time(cert);
|
||
|
+ ci->validity.gmt = 0;
|
||
|
+
|
||
|
+ /* Subject Alternative Name extension */
|
||
|
+ if (ci->version >= 3) {
|
||
|
+ char out[256] = { 0 };
|
||
|
+ /* Get the number of all alternate names so that we can allocate
|
||
|
+ * the correct number of bytes in subj_alt_name */
|
||
|
+ while (gnutls_x509_crt_get_subject_alt_name(cert, seq, out, &len,
|
||
|
+ NULL) != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
|
||
|
+ seq++;
|
||
|
+
|
||
|
+ ci->subj_alt_name.entry = pj_pool_calloc(pool, seq,
|
||
|
+ sizeof(*ci->subj_alt_name.entry));
|
||
|
+ if (!ci->subj_alt_name.entry) {
|
||
|
+ tls_last_error = GNUTLS_E_MEMORY_ERROR;
|
||
|
+ return;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Now populate the alternative names */
|
||
|
+ for (i = 0; i < seq; i++) {
|
||
|
+ len = sizeof(out) - 1;
|
||
|
+ ret = gnutls_x509_crt_get_subject_alt_name(cert, i, out, &len, NULL);
|
||
|
+ switch (ret) {
|
||
|
+ case GNUTLS_SAN_IPADDRESS:
|
||
|
+ type = PJ_SSL_CERT_NAME_IP;
|
||
|
+ pj_inet_ntop2(len == sizeof(pj_in6_addr) ? pj_AF_INET6()
|
||
|
+ : pj_AF_INET(),
|
||
|
+ out, buf, sizeof(buf));
|
||
|
+ break;
|
||
|
+ case GNUTLS_SAN_URI:
|
||
|
+ type = PJ_SSL_CERT_NAME_URI;
|
||
|
+ break;
|
||
|
+ case GNUTLS_SAN_RFC822NAME:
|
||
|
+ type = PJ_SSL_CERT_NAME_RFC822;
|
||
|
+ break;
|
||
|
+ case GNUTLS_SAN_DNSNAME:
|
||
|
+ type = PJ_SSL_CERT_NAME_DNS;
|
||
|
+ break;
|
||
|
+ default:
|
||
|
+ type = PJ_SSL_CERT_NAME_UNKNOWN;
|
||
|
+ break;
|
||
|
+ }
|
||
|
+
|
||
|
+ if (len && type != PJ_SSL_CERT_NAME_UNKNOWN) {
|
||
|
+ ci->subj_alt_name.entry[ci->subj_alt_name.cnt].type = type;
|
||
|
+ pj_strdup2(pool,
|
||
|
+ &ci->subj_alt_name.entry[ci->subj_alt_name.cnt].name,
|
||
|
+ type == PJ_SSL_CERT_NAME_IP ? buf : out);
|
||
|
+ ci->subj_alt_name.cnt++;
|
||
|
+ }
|
||
|
+ }
|
||
|
+ /* TODO: if no DNS alt. names were found, we could check against
|
||
|
+ * the commonName as per RFC3280. */
|
||
|
+ }
|
||
|
+}
|
||
|
+
|
||
|
+static void tls_cert_get_chain_raw(pj_pool_t *pool, pj_ssl_cert_info *ci, const gnutls_datum_t *certs, size_t certs_num)
|
||
|
+{
|
||
|
+ size_t i=0;
|
||
|
+ ci->raw_chain.cert_raw = pj_pool_calloc(pool, certs_num, sizeof(*ci->raw_chain.cert_raw));
|
||
|
+ ci->raw_chain.cnt = certs_num;
|
||
|
+ for (i=0; i < certs_num; ++i) {
|
||
|
+ const pj_str_t crt_raw = {(const char*)certs[i].data, (pj_ssize_t)certs[i].size};
|
||
|
+ pj_strdup(pool, ci->raw_chain.cert_raw+i, &crt_raw);
|
||
|
+ }
|
||
|
+}
|
||
|
+
|
||
|
+/* Update local & remote certificates info. This function should be
|
||
|
+ * called after handshake or renegotiation successfully completed. */
|
||
|
+static void tls_cert_update(pj_ssl_sock_t *ssock)
|
||
|
+{
|
||
|
+ gnutls_x509_crt_t cert = NULL;
|
||
|
+ const gnutls_datum_t *us;
|
||
|
+ const gnutls_datum_t *certs;
|
||
|
+ unsigned int certslen = 0;
|
||
|
+ int ret = GNUTLS_CERT_INVALID;
|
||
|
+
|
||
|
+ pj_assert(ssock->connection_state == TLS_STATE_ESTABLISHED);
|
||
|
+
|
||
|
+ /* Get active local certificate */
|
||
|
+ us = gnutls_certificate_get_ours(ssock->session);
|
||
|
+ if (!us)
|
||
|
+ goto us_out;
|
||
|
+
|
||
|
+ ret = gnutls_x509_crt_init(&cert);
|
||
|
+ if (ret < 0)
|
||
|
+ goto us_out;
|
||
|
+ ret = gnutls_x509_crt_import(cert, us, GNUTLS_X509_FMT_DER);
|
||
|
+ if (ret < 0)
|
||
|
+ ret = gnutls_x509_crt_import(cert, us, GNUTLS_X509_FMT_PEM);
|
||
|
+ if (ret < 0)
|
||
|
+ goto us_out;
|
||
|
+
|
||
|
+ tls_cert_get_info(ssock->pool, &ssock->local_cert_info, cert);
|
||
|
+ tls_cert_get_chain_raw(ssock->pool, &ssock->local_cert_info, us, 1);
|
||
|
+
|
||
|
+us_out:
|
||
|
+ tls_last_error = ret;
|
||
|
+ if (cert)
|
||
|
+ gnutls_x509_crt_deinit(cert);
|
||
|
+ else
|
||
|
+ pj_bzero(&ssock->local_cert_info, sizeof(pj_ssl_cert_info));
|
||
|
+
|
||
|
+ cert = NULL;
|
||
|
+
|
||
|
+ /* Get active remote certificate */
|
||
|
+ certs = gnutls_certificate_get_peers(ssock->session, &certslen);
|
||
|
+ if (certs == NULL || certslen == 0)
|
||
|
+ goto peer_out;
|
||
|
+
|
||
|
+ ret = gnutls_x509_crt_init(&cert);
|
||
|
+ if (ret < 0)
|
||
|
+ goto peer_out;
|
||
|
+
|
||
|
+ ret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_PEM);
|
||
|
+ if (ret < 0)
|
||
|
+ ret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);
|
||
|
+ if (ret < 0)
|
||
|
+ goto peer_out;
|
||
|
+
|
||
|
+ tls_cert_get_info(ssock->pool, &ssock->remote_cert_info, cert);
|
||
|
+ tls_cert_get_chain_raw(ssock->pool, &ssock->remote_cert_info, certs, certslen);
|
||
|
+
|
||
|
+peer_out:
|
||
|
+ tls_last_error = ret;
|
||
|
+ if (cert)
|
||
|
+ gnutls_x509_crt_deinit(cert);
|
||
|
+ else
|
||
|
+ pj_bzero(&ssock->remote_cert_info, sizeof(pj_ssl_cert_info));
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* When handshake completed:
|
||
|
+ * - notify application
|
||
|
+ * - if handshake failed, reset SSL state
|
||
|
+ * - return PJ_FALSE when SSL socket instance is destroyed by application. */
|
||
|
+static pj_bool_t on_handshake_complete(pj_ssl_sock_t *ssock,
|
||
|
+ pj_status_t status)
|
||
|
+{
|
||
|
+ pj_bool_t ret = PJ_TRUE;
|
||
|
+
|
||
|
+ /* Cancel handshake timer */
|
||
|
+ if (ssock->timer.id == TIMER_HANDSHAKE_TIMEOUT) {
|
||
|
+ pj_timer_heap_cancel(ssock->param.timer_heap, &ssock->timer);
|
||
|
+ ssock->timer.id = TIMER_NONE;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Update certificates info on successful handshake */
|
||
|
+ if (status == PJ_SUCCESS)
|
||
|
+ tls_cert_update(ssock);
|
||
|
+
|
||
|
+ /* Accepting */
|
||
|
+ if (ssock->is_server) {
|
||
|
+ if (status != PJ_SUCCESS) {
|
||
|
+ /* Handshake failed in accepting, destroy our self silently. */
|
||
|
+
|
||
|
+ char errmsg[PJ_ERR_MSG_SIZE];
|
||
|
+ char buf[PJ_INET6_ADDRSTRLEN + 10];
|
||
|
+
|
||
|
+ pj_strerror(status, errmsg, sizeof(errmsg));
|
||
|
+ PJ_LOG(3, (ssock->pool->obj_name,
|
||
|
+ "Handshake failed in accepting %s: %s",
|
||
|
+ pj_sockaddr_print(&ssock->rem_addr, buf, sizeof(buf), 3),
|
||
|
+ errmsg));
|
||
|
+
|
||
|
+ /* Workaround for ticket #985 */
|
||
|
+#if (defined(PJ_WIN32) && PJ_WIN32 != 0) || (defined(PJ_WIN64) && PJ_WIN64 != 0)
|
||
|
+ if (ssock->param.timer_heap) {
|
||
|
+ pj_time_val interval = {0, DELAYED_CLOSE_TIMEOUT};
|
||
|
+
|
||
|
+ tls_sock_reset(ssock);
|
||
|
+
|
||
|
+ ssock->timer.id = TIMER_CLOSE;
|
||
|
+ pj_time_val_normalize(&interval);
|
||
|
+ if (pj_timer_heap_schedule(ssock->param.timer_heap,
|
||
|
+ &ssock->timer, &interval) != 0)
|
||
|
+ {
|
||
|
+ ssock->timer.id = TIMER_NONE;
|
||
|
+ pj_ssl_sock_close(ssock);
|
||
|
+ }
|
||
|
+ } else
|
||
|
+#endif /* PJ_WIN32 */
|
||
|
+ {
|
||
|
+ pj_ssl_sock_close(ssock);
|
||
|
+ }
|
||
|
+
|
||
|
+ return PJ_FALSE;
|
||
|
+ }
|
||
|
+ /* Notify application the newly accepted SSL socket */
|
||
|
+ if (ssock->param.cb.on_accept_complete)
|
||
|
+ ret = (*ssock->param.cb.on_accept_complete)
|
||
|
+ (ssock->parent, ssock, (pj_sockaddr_t*)&ssock->rem_addr,
|
||
|
+ pj_sockaddr_get_len((pj_sockaddr_t*)&ssock->rem_addr));
|
||
|
+
|
||
|
+ } else { /* Connecting */
|
||
|
+ /* On failure, reset SSL socket state first, as app may try to
|
||
|
+ * reconnect in the callback. */
|
||
|
+ if (status != PJ_SUCCESS) {
|
||
|
+ /* Server disconnected us, possibly due to negotiation failure */
|
||
|
+ tls_sock_reset(ssock);
|
||
|
+ }
|
||
|
+ if (ssock->param.cb.on_connect_complete) {
|
||
|
+
|
||
|
+ ret = (*ssock->param.cb.on_connect_complete)(ssock, status);
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
+ return ret;
|
||
|
+}
|
||
|
+
|
||
|
+static write_data_t *alloc_send_data(pj_ssl_sock_t *ssock, pj_size_t len)
|
||
|
+{
|
||
|
+ send_buf_t *send_buf = &ssock->send_buf;
|
||
|
+ pj_size_t avail_len, skipped_len = 0;
|
||
|
+ char *reg1, *reg2;
|
||
|
+ pj_size_t reg1_len, reg2_len;
|
||
|
+ write_data_t *p;
|
||
|
+
|
||
|
+ /* Check buffer availability */
|
||
|
+ avail_len = send_buf->max_len - send_buf->len;
|
||
|
+ if (avail_len < len)
|
||
|
+ return NULL;
|
||
|
+
|
||
|
+ /* If buffer empty, reset start pointer and return it */
|
||
|
+ if (send_buf->len == 0) {
|
||
|
+ send_buf->start = send_buf->buf;
|
||
|
+ send_buf->len = len;
|
||
|
+ p = (write_data_t*)send_buf->start;
|
||
|
+ goto init_send_data;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Free space may be wrapped/splitted into two regions, so let's
|
||
|
+ * analyze them if any region can hold the write data. */
|
||
|
+ reg1 = send_buf->start + send_buf->len;
|
||
|
+ if (reg1 >= send_buf->buf + send_buf->max_len)
|
||
|
+ reg1 -= send_buf->max_len;
|
||
|
+ reg1_len = send_buf->max_len - send_buf->len;
|
||
|
+ if (reg1 + reg1_len > send_buf->buf + send_buf->max_len) {
|
||
|
+ reg1_len = send_buf->buf + send_buf->max_len - reg1;
|
||
|
+ reg2 = send_buf->buf;
|
||
|
+ reg2_len = send_buf->start - send_buf->buf;
|
||
|
+ } else {
|
||
|
+ reg2 = NULL;
|
||
|
+ reg2_len = 0;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* More buffer availability check, note that the write data must be in
|
||
|
+ * a contigue buffer. */
|
||
|
+ avail_len = PJ_MAX(reg1_len, reg2_len);
|
||
|
+ if (avail_len < len)
|
||
|
+ return NULL;
|
||
|
+
|
||
|
+ /* Get the data slot */
|
||
|
+ if (reg1_len >= len) {
|
||
|
+ p = (write_data_t*)reg1;
|
||
|
+ } else {
|
||
|
+ p = (write_data_t*)reg2;
|
||
|
+ skipped_len = reg1_len;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Update buffer length */
|
||
|
+ send_buf->len += len + skipped_len;
|
||
|
+
|
||
|
+init_send_data:
|
||
|
+ /* Init the new send data */
|
||
|
+ pj_bzero(p, sizeof(*p));
|
||
|
+ pj_list_init(p);
|
||
|
+ pj_list_push_back(&ssock->send_pending, p);
|
||
|
+
|
||
|
+ return p;
|
||
|
+}
|
||
|
+
|
||
|
+static void free_send_data(pj_ssl_sock_t *ssock, write_data_t *wdata)
|
||
|
+{
|
||
|
+ send_buf_t *buf = &ssock->send_buf;
|
||
|
+ write_data_t *spl = &ssock->send_pending;
|
||
|
+
|
||
|
+ pj_assert(!pj_list_empty(&ssock->send_pending));
|
||
|
+
|
||
|
+ /* Free slot from the buffer */
|
||
|
+ if (spl->next == wdata && spl->prev == wdata) {
|
||
|
+ /* This is the only data, reset the buffer */
|
||
|
+ buf->start = buf->buf;
|
||
|
+ buf->len = 0;
|
||
|
+ } else if (spl->next == wdata) {
|
||
|
+ /* This is the first data, shift start pointer of the buffer and
|
||
|
+ * adjust the buffer length.
|
||
|
+ */
|
||
|
+ buf->start = (char*)wdata->next;
|
||
|
+ if (wdata->next > wdata) {
|
||
|
+ buf->len -= ((char*)wdata->next - buf->start);
|
||
|
+ } else {
|
||
|
+ /* Overlapped */
|
||
|
+ pj_size_t right_len, left_len;
|
||
|
+ right_len = buf->buf + buf->max_len - (char*)wdata;
|
||
|
+ left_len = (char*)wdata->next - buf->buf;
|
||
|
+ buf->len -= (right_len + left_len);
|
||
|
+ }
|
||
|
+ } else if (spl->prev == wdata) {
|
||
|
+ /* This is the last data, just adjust the buffer length */
|
||
|
+ if (wdata->prev < wdata) {
|
||
|
+ pj_size_t jump_len;
|
||
|
+ jump_len = (char*)wdata -
|
||
|
+ ((char*)wdata->prev + wdata->prev->record_len);
|
||
|
+ buf->len -= (wdata->record_len + jump_len);
|
||
|
+ } else {
|
||
|
+ /* Overlapped */
|
||
|
+ pj_size_t right_len, left_len;
|
||
|
+ right_len = buf->buf + buf->max_len -
|
||
|
+ ((char*)wdata->prev + wdata->prev->record_len);
|
||
|
+ left_len = (char*)wdata + wdata->record_len - buf->buf;
|
||
|
+ buf->len -= (right_len + left_len);
|
||
|
+ }
|
||
|
+ }
|
||
|
+ /* For data in the middle buffer, just do nothing on the buffer. The slot
|
||
|
+ * will be freed later when freeing the first/last data. */
|
||
|
+
|
||
|
+ /* Remove the data from send pending list */
|
||
|
+ pj_list_erase(wdata);
|
||
|
+}
|
||
|
+
|
||
|
+#if 0
|
||
|
+/* Just for testing send buffer alloc/free */
|
||
|
+#include <pj/rand.h>
|
||
|
+pj_status_t pj_ssl_sock_ossl_test_send_buf(pj_pool_t *pool)
|
||
|
+{
|
||
|
+ enum { MAX_CHUNK_NUM = 20 };
|
||
|
+ unsigned chunk_size, chunk_cnt, i;
|
||
|
+ write_data_t *wdata[MAX_CHUNK_NUM] = {0};
|
||
|
+ pj_time_val now;
|
||
|
+ pj_ssl_sock_t *ssock = NULL;
|
||
|
+ pj_ssl_sock_param param;
|
||
|
+ pj_status_t status;
|
||
|
+
|
||
|
+ pj_gettimeofday(&now);
|
||
|
+ pj_srand((unsigned)now.sec);
|
||
|
+
|
||
|
+ pj_ssl_sock_param_default(¶m);
|
||
|
+ status = pj_ssl_sock_create(pool, ¶m, &ssock);
|
||
|
+ if (status != PJ_SUCCESS) {
|
||
|
+ return status;
|
||
|
+ }
|
||
|
+
|
||
|
+ if (ssock->send_buf.max_len == 0) {
|
||
|
+ ssock->send_buf.buf = (char *)
|
||
|
+ pj_pool_alloc(ssock->pool,
|
||
|
+ ssock->param.send_buffer_size);
|
||
|
+ ssock->send_buf.max_len = ssock->param.send_buffer_size;
|
||
|
+ ssock->send_buf.start = ssock->send_buf.buf;
|
||
|
+ ssock->send_buf.len = 0;
|
||
|
+ }
|
||
|
+
|
||
|
+ chunk_size = ssock->param.send_buffer_size / MAX_CHUNK_NUM / 2;
|
||
|
+ chunk_cnt = 0;
|
||
|
+ for (i = 0; i < MAX_CHUNK_NUM; i++) {
|
||
|
+ wdata[i] = alloc_send_data(ssock, pj_rand() % chunk_size + 321);
|
||
|
+ if (wdata[i])
|
||
|
+ chunk_cnt++;
|
||
|
+ else
|
||
|
+ break;
|
||
|
+ }
|
||
|
+
|
||
|
+ while (chunk_cnt) {
|
||
|
+ i = pj_rand() % MAX_CHUNK_NUM;
|
||
|
+ if (wdata[i]) {
|
||
|
+ free_send_data(ssock, wdata[i]);
|
||
|
+ wdata[i] = NULL;
|
||
|
+ chunk_cnt--;
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
+ if (ssock->send_buf.len != 0)
|
||
|
+ status = PJ_EBUG;
|
||
|
+
|
||
|
+ pj_ssl_sock_close(ssock);
|
||
|
+ return status;
|
||
|
+}
|
||
|
+#endif
|
||
|
+
|
||
|
+/* Flush write circular buffer to network socket. */
|
||
|
+static pj_status_t flush_circ_buf_output(pj_ssl_sock_t *ssock,
|
||
|
+ pj_ioqueue_op_key_t *send_key,
|
||
|
+ pj_size_t orig_len, unsigned flags)
|
||
|
+{
|
||
|
+ pj_ssize_t len;
|
||
|
+ write_data_t *wdata;
|
||
|
+ pj_size_t needed_len;
|
||
|
+ pj_status_t status;
|
||
|
+
|
||
|
+ pj_lock_acquire(ssock->circ_buf_output_mutex);
|
||
|
+
|
||
|
+ /* Check if there is data in the circular buffer, flush it if any */
|
||
|
+ if (circ_empty(&ssock->circ_buf_output)) {
|
||
|
+ pj_lock_release(ssock->circ_buf_output_mutex);
|
||
|
+
|
||
|
+ return PJ_SUCCESS;
|
||
|
+ }
|
||
|
+
|
||
|
+ len = circ_size(&ssock->circ_buf_output);
|
||
|
+
|
||
|
+ /* Calculate buffer size needed, and align it to 8 */
|
||
|
+ needed_len = len + sizeof(write_data_t);
|
||
|
+ needed_len = ((needed_len + 7) >> 3) << 3;
|
||
|
+
|
||
|
+ /* Allocate buffer for send data */
|
||
|
+ wdata = alloc_send_data(ssock, needed_len);
|
||
|
+ if (wdata == NULL) {
|
||
|
+ pj_lock_release(ssock->circ_buf_output_mutex);
|
||
|
+ return PJ_ENOMEM;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Copy the data and set its properties into the send data */
|
||
|
+ pj_ioqueue_op_key_init(&wdata->key, sizeof(pj_ioqueue_op_key_t));
|
||
|
+ wdata->key.user_data = wdata;
|
||
|
+ wdata->app_key = send_key;
|
||
|
+ wdata->record_len = needed_len;
|
||
|
+ wdata->data_len = len;
|
||
|
+ wdata->plain_data_len = orig_len;
|
||
|
+ wdata->flags = flags;
|
||
|
+ circ_read(&ssock->circ_buf_output, (pj_uint8_t *)&wdata->data, len);
|
||
|
+
|
||
|
+ /* Ticket #1573: Don't hold mutex while calling PJLIB socket send(). */
|
||
|
+ pj_lock_release(ssock->circ_buf_output_mutex);
|
||
|
+
|
||
|
+ /* Send it */
|
||
|
+ if (ssock->param.sock_type == pj_SOCK_STREAM()) {
|
||
|
+ status = pj_activesock_send(ssock->asock, &wdata->key,
|
||
|
+ wdata->data.content, &len,
|
||
|
+ flags);
|
||
|
+ } else {
|
||
|
+ status = pj_activesock_sendto(ssock->asock, &wdata->key,
|
||
|
+ wdata->data.content, &len,
|
||
|
+ flags,
|
||
|
+ (pj_sockaddr_t*)&ssock->rem_addr,
|
||
|
+ ssock->addr_len);
|
||
|
+ }
|
||
|
+
|
||
|
+ if (status != PJ_EPENDING) {
|
||
|
+ /* When the sending is not pending, remove the wdata from send
|
||
|
+ * pending list. */
|
||
|
+ pj_lock_acquire(ssock->circ_buf_output_mutex);
|
||
|
+ free_send_data(ssock, wdata);
|
||
|
+ pj_lock_release(ssock->circ_buf_output_mutex);
|
||
|
+ }
|
||
|
+
|
||
|
+ return status;
|
||
|
+}
|
||
|
+
|
||
|
+static void on_timer(pj_timer_heap_t *th, struct pj_timer_entry *te)
|
||
|
+{
|
||
|
+ pj_ssl_sock_t *ssock = (pj_ssl_sock_t*)te->user_data;
|
||
|
+ int timer_id = te->id;
|
||
|
+
|
||
|
+ te->id = TIMER_NONE;
|
||
|
+
|
||
|
+ PJ_UNUSED_ARG(th);
|
||
|
+
|
||
|
+ switch (timer_id) {
|
||
|
+ case TIMER_HANDSHAKE_TIMEOUT:
|
||
|
+ PJ_LOG(1, (ssock->pool->obj_name, "TLS timeout after %d.%ds",
|
||
|
+ ssock->param.timeout.sec, ssock->param.timeout.msec));
|
||
|
+
|
||
|
+ on_handshake_complete(ssock, PJ_ETIMEDOUT);
|
||
|
+ break;
|
||
|
+ case TIMER_CLOSE:
|
||
|
+ pj_ssl_sock_close(ssock);
|
||
|
+ break;
|
||
|
+ default:
|
||
|
+ pj_assert(!"Unknown timer");
|
||
|
+ break;
|
||
|
+ }
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Try to perform an asynchronous handshake */
|
||
|
+static pj_status_t tls_try_handshake(pj_ssl_sock_t *ssock)
|
||
|
+{
|
||
|
+ int ret;
|
||
|
+ pj_status_t status;
|
||
|
+
|
||
|
+ /* Perform SSL handshake */
|
||
|
+ ret = gnutls_handshake(ssock->session);
|
||
|
+
|
||
|
+ status = flush_circ_buf_output(ssock, &ssock->handshake_op_key, 0, 0);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ return status;
|
||
|
+
|
||
|
+ if (ret == GNUTLS_E_SUCCESS) {
|
||
|
+ /* System are GO */
|
||
|
+ ssock->connection_state = TLS_STATE_ESTABLISHED;
|
||
|
+ status = PJ_SUCCESS;
|
||
|
+ } else if (!gnutls_error_is_fatal(ret)) {
|
||
|
+ /* Non fatal error, retry later (busy or again) */
|
||
|
+ status = PJ_EPENDING;
|
||
|
+ } else {
|
||
|
+ /* Fatal error invalidates session, no fallback */
|
||
|
+ status = PJ_EINVAL;
|
||
|
+ }
|
||
|
+
|
||
|
+ tls_last_error = ret;
|
||
|
+
|
||
|
+ return status;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/*
|
||
|
+ *******************************************************************
|
||
|
+ * Active socket callbacks.
|
||
|
+ *******************************************************************
|
||
|
+ */
|
||
|
+
|
||
|
+/* PJ_TRUE asks the socket to read more data, PJ_FALSE takes it off the queue */
|
||
|
+static pj_bool_t asock_on_data_read(pj_activesock_t *asock, void *data,
|
||
|
+ pj_size_t size, pj_status_t status,
|
||
|
+ pj_size_t *remainder)
|
||
|
+{
|
||
|
+ pj_ssl_sock_t *ssock = (pj_ssl_sock_t *)
|
||
|
+ pj_activesock_get_user_data(asock);
|
||
|
+
|
||
|
+ pj_size_t app_remainder = 0;
|
||
|
+
|
||
|
+ if (data && size > 0) {
|
||
|
+ /* Push data into input circular buffer (for GnuTLS) */
|
||
|
+ pj_lock_acquire(ssock->circ_buf_input_mutex);
|
||
|
+ circ_write(&ssock->circ_buf_input, data, size);
|
||
|
+ pj_lock_release(ssock->circ_buf_input_mutex);
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Check if SSL handshake hasn't finished yet */
|
||
|
+ if (ssock->connection_state == TLS_STATE_HANDSHAKING) {
|
||
|
+ pj_bool_t ret = PJ_TRUE;
|
||
|
+
|
||
|
+ if (status == PJ_SUCCESS)
|
||
|
+ status = tls_try_handshake(ssock);
|
||
|
+
|
||
|
+ /* Not pending is either success or failed */
|
||
|
+ if (status != PJ_EPENDING)
|
||
|
+ ret = on_handshake_complete(ssock, status);
|
||
|
+
|
||
|
+ return ret;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* See if there is any decrypted data for the application */
|
||
|
+ if (ssock->read_started) {
|
||
|
+ do {
|
||
|
+ /* Get read data structure at the end of the data */
|
||
|
+ read_data_t *app_read_data = *(OFFSET_OF_READ_DATA_PTR(ssock, data));
|
||
|
+ int app_data_size = (int)(ssock->read_size - app_read_data->len);
|
||
|
+
|
||
|
+ /* Decrypt received data using GnuTLS (will read our input
|
||
|
+ * circular buffer) */
|
||
|
+ int decrypted_size = gnutls_record_recv(ssock->session,
|
||
|
+ ((read_data_t *)app_read_data->data) +
|
||
|
+ app_read_data->len,
|
||
|
+ app_data_size);
|
||
|
+
|
||
|
+ if (decrypted_size > 0 || status != PJ_SUCCESS) {
|
||
|
+ if (ssock->param.cb.on_data_read) {
|
||
|
+ pj_bool_t ret;
|
||
|
+ app_remainder = 0;
|
||
|
+
|
||
|
+ if (decrypted_size > 0)
|
||
|
+ app_read_data->len += decrypted_size;
|
||
|
+
|
||
|
+ ret = (*ssock->param.cb.on_data_read)(ssock,
|
||
|
+ app_read_data->data,
|
||
|
+ app_read_data->len,
|
||
|
+ status,
|
||
|
+ &app_remainder);
|
||
|
+
|
||
|
+ if (!ret) {
|
||
|
+ /* We've been destroyed */
|
||
|
+ return PJ_FALSE;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Application may have left some data to be consumed
|
||
|
+ * later as remainder */
|
||
|
+ app_read_data->len = app_remainder;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Active socket signalled connection closed/error, this has
|
||
|
+ * been signalled to the application along with any remaining
|
||
|
+ * buffer. So, let's just reset SSL socket now. */
|
||
|
+ if (status != PJ_SUCCESS) {
|
||
|
+ tls_sock_reset(ssock);
|
||
|
+ return PJ_FALSE;
|
||
|
+ }
|
||
|
+ } else if (decrypted_size == 0) {
|
||
|
+ /* Nothing more to read */
|
||
|
+
|
||
|
+ return PJ_TRUE;
|
||
|
+ } else if (decrypted_size == GNUTLS_E_AGAIN ||
|
||
|
+ decrypted_size == GNUTLS_E_INTERRUPTED) {
|
||
|
+ return PJ_TRUE;
|
||
|
+ } else if (decrypted_size == GNUTLS_E_REHANDSHAKE) {
|
||
|
+ /* Seems like we are renegotiating */
|
||
|
+ pj_status_t try_handshake_status = tls_try_handshake(ssock);
|
||
|
+
|
||
|
+ /* Not pending is either success or failed */
|
||
|
+ if (try_handshake_status != PJ_EPENDING) {
|
||
|
+ if (!on_handshake_complete(ssock, try_handshake_status)) {
|
||
|
+ return PJ_FALSE;
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
+ if (try_handshake_status != PJ_SUCCESS &&
|
||
|
+ try_handshake_status != PJ_EPENDING) {
|
||
|
+ return PJ_FALSE;
|
||
|
+ }
|
||
|
+ } else if (!gnutls_error_is_fatal(decrypted_size)) {
|
||
|
+ /* non-fatal error, let's just continue */
|
||
|
+ } else {
|
||
|
+ return PJ_FALSE;
|
||
|
+ }
|
||
|
+ } while (PJ_TRUE);
|
||
|
+ }
|
||
|
+
|
||
|
+ return PJ_TRUE;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Callback every time new data is available from the active socket */
|
||
|
+static pj_bool_t asock_on_data_sent(pj_activesock_t *asock,
|
||
|
+ pj_ioqueue_op_key_t *send_key,
|
||
|
+ pj_ssize_t sent)
|
||
|
+{
|
||
|
+ pj_ssl_sock_t *ssock = (pj_ssl_sock_t *)pj_activesock_get_user_data(asock);
|
||
|
+
|
||
|
+ PJ_UNUSED_ARG(send_key);
|
||
|
+ PJ_UNUSED_ARG(sent);
|
||
|
+
|
||
|
+ if (ssock->connection_state == TLS_STATE_HANDSHAKING) {
|
||
|
+ /* Initial handshaking */
|
||
|
+ pj_status_t status = tls_try_handshake(ssock);
|
||
|
+
|
||
|
+ /* Not pending is either success or failed */
|
||
|
+ if (status != PJ_EPENDING)
|
||
|
+ return on_handshake_complete(ssock, status);
|
||
|
+
|
||
|
+ } else if (send_key != &ssock->handshake_op_key) {
|
||
|
+ /* Some data has been sent, notify application */
|
||
|
+ write_data_t *wdata = (write_data_t*)send_key->user_data;
|
||
|
+ if (ssock->param.cb.on_data_sent) {
|
||
|
+ pj_bool_t ret;
|
||
|
+ pj_ssize_t sent_len;
|
||
|
+
|
||
|
+ sent_len = sent > 0 ? wdata->plain_data_len : sent;
|
||
|
+
|
||
|
+ ret = (*ssock->param.cb.on_data_sent)(ssock, wdata->app_key,
|
||
|
+ sent_len);
|
||
|
+ if (!ret) {
|
||
|
+ /* We've been destroyed */
|
||
|
+ return PJ_FALSE;
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Update write buffer state */
|
||
|
+ pj_lock_acquire(ssock->circ_buf_output_mutex);
|
||
|
+ free_send_data(ssock, wdata);
|
||
|
+ pj_lock_release(ssock->circ_buf_output_mutex);
|
||
|
+ } else {
|
||
|
+ /* SSL re-negotiation is on-progress, just do nothing */
|
||
|
+ /* FIXME: check if this is valid for GnuTLS too */
|
||
|
+ }
|
||
|
+
|
||
|
+ return PJ_TRUE;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Callback every time a new connection has been accepted (server) */
|
||
|
+static pj_bool_t asock_on_accept_complete(pj_activesock_t *asock,
|
||
|
+ pj_sock_t newsock,
|
||
|
+ const pj_sockaddr_t *src_addr,
|
||
|
+ int src_addr_len)
|
||
|
+{
|
||
|
+ pj_ssl_sock_t *ssock_parent = (pj_ssl_sock_t *)
|
||
|
+ pj_activesock_get_user_data(asock);
|
||
|
+
|
||
|
+ pj_ssl_sock_t *ssock;
|
||
|
+ pj_activesock_cb asock_cb;
|
||
|
+ pj_activesock_cfg asock_cfg;
|
||
|
+ unsigned int i;
|
||
|
+ pj_status_t status;
|
||
|
+
|
||
|
+ PJ_UNUSED_ARG(src_addr_len);
|
||
|
+
|
||
|
+ /* Create new SSL socket instance */
|
||
|
+ status = pj_ssl_sock_create(ssock_parent->pool, &ssock_parent->newsock_param,
|
||
|
+ &ssock);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ goto on_return;
|
||
|
+
|
||
|
+ /* Update new SSL socket attributes */
|
||
|
+ ssock->sock = newsock;
|
||
|
+ ssock->parent = ssock_parent;
|
||
|
+ ssock->is_server = PJ_TRUE;
|
||
|
+ if (ssock_parent->cert) {
|
||
|
+ status = pj_ssl_sock_set_certificate(ssock, ssock->pool,
|
||
|
+ ssock_parent->cert);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ goto on_return;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Apply QoS, if specified */
|
||
|
+ status = pj_sock_apply_qos2(ssock->sock, ssock->param.qos_type,
|
||
|
+ &ssock->param.qos_params, 1,
|
||
|
+ ssock->pool->obj_name, NULL);
|
||
|
+ if (status != PJ_SUCCESS && !ssock->param.qos_ignore_error)
|
||
|
+ goto on_return;
|
||
|
+
|
||
|
+ /* Update local address */
|
||
|
+ ssock->addr_len = src_addr_len;
|
||
|
+ status = pj_sock_getsockname(ssock->sock, &ssock->local_addr,
|
||
|
+ &ssock->addr_len);
|
||
|
+ if (status != PJ_SUCCESS) {
|
||
|
+ /* This fails on few envs, e.g: win IOCP, just tolerate this and
|
||
|
+ * use parent local address instead.
|
||
|
+ */
|
||
|
+ pj_sockaddr_cp(&ssock->local_addr, &ssock_parent->local_addr);
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Set remote address */
|
||
|
+ pj_sockaddr_cp(&ssock->rem_addr, src_addr);
|
||
|
+
|
||
|
+ /* Create SSL context */
|
||
|
+ status = tls_open(ssock);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ goto on_return;
|
||
|
+
|
||
|
+ /* Prepare read buffer */
|
||
|
+ ssock->asock_rbuf = (void **)pj_pool_calloc(ssock->pool,
|
||
|
+ ssock->param.async_cnt,
|
||
|
+ sizeof(void*));
|
||
|
+ if (!ssock->asock_rbuf)
|
||
|
+ return PJ_ENOMEM;
|
||
|
+
|
||
|
+ for (i = 0; i < ssock->param.async_cnt; ++i) {
|
||
|
+ ssock->asock_rbuf[i] = (void *)pj_pool_alloc(
|
||
|
+ ssock->pool,
|
||
|
+ ssock->param.read_buffer_size +
|
||
|
+ sizeof(read_data_t*));
|
||
|
+ if (!ssock->asock_rbuf[i])
|
||
|
+ return PJ_ENOMEM;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Create active socket */
|
||
|
+ pj_activesock_cfg_default(&asock_cfg);
|
||
|
+ asock_cfg.async_cnt = ssock->param.async_cnt;
|
||
|
+ asock_cfg.concurrency = ssock->param.concurrency;
|
||
|
+ asock_cfg.whole_data = PJ_TRUE;
|
||
|
+
|
||
|
+ pj_bzero(&asock_cb, sizeof(asock_cb));
|
||
|
+ asock_cb.on_data_read = asock_on_data_read;
|
||
|
+ asock_cb.on_data_sent = asock_on_data_sent;
|
||
|
+
|
||
|
+ status = pj_activesock_create(ssock->pool,
|
||
|
+ ssock->sock,
|
||
|
+ ssock->param.sock_type,
|
||
|
+ &asock_cfg,
|
||
|
+ ssock->param.ioqueue,
|
||
|
+ &asock_cb,
|
||
|
+ ssock,
|
||
|
+ &ssock->asock);
|
||
|
+
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ goto on_return;
|
||
|
+
|
||
|
+ /* Start reading */
|
||
|
+ status = pj_activesock_start_read2(ssock->asock, ssock->pool,
|
||
|
+ (unsigned)ssock->param.read_buffer_size,
|
||
|
+ ssock->asock_rbuf,
|
||
|
+ PJ_IOQUEUE_ALWAYS_ASYNC);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ goto on_return;
|
||
|
+
|
||
|
+ /* Prepare write/send state */
|
||
|
+ pj_assert(ssock->send_buf.max_len == 0);
|
||
|
+ ssock->send_buf.buf = (char *)pj_pool_alloc(ssock->pool,
|
||
|
+ ssock->param.send_buffer_size);
|
||
|
+ if (!ssock->send_buf.buf)
|
||
|
+ return PJ_ENOMEM;
|
||
|
+
|
||
|
+ ssock->send_buf.max_len = ssock->param.send_buffer_size;
|
||
|
+ ssock->send_buf.start = ssock->send_buf.buf;
|
||
|
+ ssock->send_buf.len = 0;
|
||
|
+
|
||
|
+ /* Start handshake timer */
|
||
|
+ if (ssock->param.timer_heap &&
|
||
|
+ (ssock->param.timeout.sec != 0 || ssock->param.timeout.msec != 0)) {
|
||
|
+ pj_assert(ssock->timer.id == TIMER_NONE);
|
||
|
+ ssock->timer.id = TIMER_HANDSHAKE_TIMEOUT;
|
||
|
+ status = pj_timer_heap_schedule(ssock->param.timer_heap,
|
||
|
+ &ssock->timer,
|
||
|
+ &ssock->param.timeout);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ ssock->timer.id = TIMER_NONE;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Start SSL handshake */
|
||
|
+ ssock->connection_state = TLS_STATE_HANDSHAKING;
|
||
|
+
|
||
|
+ status = tls_try_handshake(ssock);
|
||
|
+
|
||
|
+on_return:
|
||
|
+ if (ssock && status != PJ_EPENDING)
|
||
|
+ on_handshake_complete(ssock, status);
|
||
|
+
|
||
|
+ /* Must return PJ_TRUE whatever happened, as active socket must
|
||
|
+ * continue listening.
|
||
|
+ */
|
||
|
+ return PJ_TRUE;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Callback every time a new connection has been completed (client) */
|
||
|
+static pj_bool_t asock_on_connect_complete (pj_activesock_t *asock,
|
||
|
+ pj_status_t status)
|
||
|
+{
|
||
|
+ pj_ssl_sock_t *ssock = (pj_ssl_sock_t*)
|
||
|
+ pj_activesock_get_user_data(asock);
|
||
|
+
|
||
|
+ unsigned int i;
|
||
|
+ int ret;
|
||
|
+
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ goto on_return;
|
||
|
+
|
||
|
+ /* Update local address */
|
||
|
+ ssock->addr_len = sizeof(pj_sockaddr);
|
||
|
+ status = pj_sock_getsockname(ssock->sock, &ssock->local_addr,
|
||
|
+ &ssock->addr_len);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ goto on_return;
|
||
|
+
|
||
|
+ /* Create SSL context */
|
||
|
+ status = tls_open(ssock);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ goto on_return;
|
||
|
+
|
||
|
+ /* Prepare read buffer */
|
||
|
+ ssock->asock_rbuf = (void **)pj_pool_calloc(ssock->pool,
|
||
|
+ ssock->param.async_cnt,
|
||
|
+ sizeof(void *));
|
||
|
+ if (!ssock->asock_rbuf)
|
||
|
+ return PJ_ENOMEM;
|
||
|
+
|
||
|
+ for (i = 0; i < ssock->param.async_cnt; ++i) {
|
||
|
+ ssock->asock_rbuf[i] = (void *)pj_pool_alloc(
|
||
|
+ ssock->pool,
|
||
|
+ ssock->param.read_buffer_size +
|
||
|
+ sizeof(read_data_t *));
|
||
|
+ if (!ssock->asock_rbuf[i])
|
||
|
+ return PJ_ENOMEM;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Start read */
|
||
|
+ status = pj_activesock_start_read2(ssock->asock, ssock->pool,
|
||
|
+ (unsigned) ssock->param.read_buffer_size,
|
||
|
+ ssock->asock_rbuf,
|
||
|
+ PJ_IOQUEUE_ALWAYS_ASYNC);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ goto on_return;
|
||
|
+
|
||
|
+ /* Prepare write/send state */
|
||
|
+ pj_assert(ssock->send_buf.max_len == 0);
|
||
|
+ ssock->send_buf.buf = (char *)pj_pool_alloc(ssock->pool,
|
||
|
+ ssock->param.send_buffer_size);
|
||
|
+ if (!ssock->send_buf.buf)
|
||
|
+ return PJ_ENOMEM;
|
||
|
+
|
||
|
+ ssock->send_buf.max_len = ssock->param.send_buffer_size;
|
||
|
+ ssock->send_buf.start = ssock->send_buf.buf;
|
||
|
+ ssock->send_buf.len = 0;
|
||
|
+
|
||
|
+ /* Set server name to connect */
|
||
|
+ if (ssock->param.server_name.slen) {
|
||
|
+ /* Server name is null terminated already */
|
||
|
+ ret = gnutls_server_name_set(ssock->session, GNUTLS_NAME_DNS,
|
||
|
+ ssock->param.server_name.ptr,
|
||
|
+ ssock->param.server_name.slen);
|
||
|
+ if (ret < 0) {
|
||
|
+ PJ_LOG(3, (ssock->pool->obj_name,
|
||
|
+ "gnutls_server_name_set() failed: %s",
|
||
|
+ gnutls_strerror(ret)));
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Start handshake */
|
||
|
+ ssock->connection_state = TLS_STATE_HANDSHAKING;
|
||
|
+
|
||
|
+ status = tls_try_handshake(ssock);
|
||
|
+ if (status != PJ_EPENDING)
|
||
|
+ goto on_return;
|
||
|
+
|
||
|
+ return PJ_TRUE;
|
||
|
+
|
||
|
+on_return:
|
||
|
+ return on_handshake_complete(ssock, status);
|
||
|
+}
|
||
|
+
|
||
|
+static void tls_ciphers_fill(void)
|
||
|
+{
|
||
|
+ if (!tls_available_ciphers) {
|
||
|
+ tls_init();
|
||
|
+ tls_deinit();
|
||
|
+ }
|
||
|
+}
|
||
|
+
|
||
|
+/*
|
||
|
+ *******************************************************************
|
||
|
+ * API
|
||
|
+ *******************************************************************
|
||
|
+ */
|
||
|
+
|
||
|
+/* Load credentials from files. */
|
||
|
+PJ_DEF(pj_status_t) pj_ssl_cert_load_from_files(pj_pool_t *pool,
|
||
|
+ const pj_str_t *CA_file,
|
||
|
+ const pj_str_t *cert_file,
|
||
|
+ const pj_str_t *privkey_file,
|
||
|
+ const pj_str_t *privkey_pass,
|
||
|
+ pj_ssl_cert_t **p_cert)
|
||
|
+{
|
||
|
+ return pj_ssl_cert_load_from_files2(pool, CA_file, NULL, cert_file,
|
||
|
+ privkey_file, privkey_pass, p_cert);
|
||
|
+}
|
||
|
+
|
||
|
+/* Load credentials from files. */
|
||
|
+PJ_DECL(pj_status_t) pj_ssl_cert_load_from_files2(
|
||
|
+ pj_pool_t *pool,
|
||
|
+ const pj_str_t *CA_file,
|
||
|
+ const pj_str_t *CA_path,
|
||
|
+ const pj_str_t *cert_file,
|
||
|
+ const pj_str_t *privkey_file,
|
||
|
+ const pj_str_t *privkey_pass,
|
||
|
+ pj_ssl_cert_t **p_cert)
|
||
|
+{
|
||
|
+ pj_ssl_cert_t *cert;
|
||
|
+
|
||
|
+ PJ_ASSERT_RETURN(pool && (CA_file || CA_path) && cert_file &&
|
||
|
+ privkey_file,
|
||
|
+ PJ_EINVAL);
|
||
|
+
|
||
|
+ cert = PJ_POOL_ZALLOC_T(pool, pj_ssl_cert_t);
|
||
|
+ if (CA_file) {
|
||
|
+ pj_strdup_with_null(pool, &cert->CA_file, CA_file);
|
||
|
+ }
|
||
|
+ if (CA_path) {
|
||
|
+ pj_strdup_with_null(pool, &cert->CA_path, CA_path);
|
||
|
+ }
|
||
|
+ pj_strdup_with_null(pool, &cert->cert_file, cert_file);
|
||
|
+ pj_strdup_with_null(pool, &cert->privkey_file, privkey_file);
|
||
|
+ pj_strdup_with_null(pool, &cert->privkey_pass, privkey_pass);
|
||
|
+
|
||
|
+ *p_cert = cert;
|
||
|
+
|
||
|
+ return PJ_SUCCESS;
|
||
|
+}
|
||
|
+
|
||
|
+/* Store credentials. */
|
||
|
+PJ_DECL(pj_status_t) pj_ssl_sock_set_certificate(pj_ssl_sock_t *ssock,
|
||
|
+ pj_pool_t *pool,
|
||
|
+ const pj_ssl_cert_t *cert)
|
||
|
+{
|
||
|
+ pj_ssl_cert_t *cert_;
|
||
|
+
|
||
|
+ PJ_ASSERT_RETURN(ssock && pool && cert, PJ_EINVAL);
|
||
|
+
|
||
|
+ cert_ = PJ_POOL_ZALLOC_T(pool, pj_ssl_cert_t);
|
||
|
+ pj_memcpy(cert_, cert, sizeof(cert));
|
||
|
+ pj_strdup_with_null(pool, &cert_->CA_file, &cert->CA_file);
|
||
|
+ pj_strdup_with_null(pool, &cert_->CA_path, &cert->CA_path);
|
||
|
+ pj_strdup_with_null(pool, &cert_->cert_file, &cert->cert_file);
|
||
|
+ pj_strdup_with_null(pool, &cert_->privkey_file, &cert->privkey_file);
|
||
|
+ pj_strdup_with_null(pool, &cert_->privkey_pass, &cert->privkey_pass);
|
||
|
+
|
||
|
+ ssock->cert = cert_;
|
||
|
+
|
||
|
+ return PJ_SUCCESS;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Get available ciphers. */
|
||
|
+PJ_DEF(pj_status_t) pj_ssl_cipher_get_availables(pj_ssl_cipher ciphers[],
|
||
|
+ unsigned *cipher_num)
|
||
|
+{
|
||
|
+ unsigned int i;
|
||
|
+
|
||
|
+ PJ_ASSERT_RETURN(ciphers && cipher_num, PJ_EINVAL);
|
||
|
+
|
||
|
+ tls_ciphers_fill();
|
||
|
+
|
||
|
+ if (!tls_available_ciphers) {
|
||
|
+ *cipher_num = 0;
|
||
|
+ return PJ_ENOTFOUND;
|
||
|
+ }
|
||
|
+
|
||
|
+ *cipher_num = PJ_MIN(*cipher_num, tls_available_ciphers);
|
||
|
+
|
||
|
+ for (i = 0; i < *cipher_num; ++i)
|
||
|
+ ciphers[i] = tls_ciphers[i].id;
|
||
|
+
|
||
|
+ return PJ_SUCCESS;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Get cipher name string. */
|
||
|
+PJ_DEF(const char *)pj_ssl_cipher_name(pj_ssl_cipher cipher)
|
||
|
+{
|
||
|
+ unsigned int i;
|
||
|
+
|
||
|
+ tls_ciphers_fill();
|
||
|
+
|
||
|
+ for (i = 0; i < tls_available_ciphers; ++i) {
|
||
|
+ if (cipher == tls_ciphers[i].id)
|
||
|
+ return tls_ciphers[i].name;
|
||
|
+ }
|
||
|
+
|
||
|
+ return NULL;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Get cipher identifier. */
|
||
|
+PJ_DEF(pj_ssl_cipher) pj_ssl_cipher_id(const char *cipher_name)
|
||
|
+{
|
||
|
+ unsigned int i;
|
||
|
+
|
||
|
+ tls_ciphers_fill();
|
||
|
+
|
||
|
+ for (i = 0; i < tls_available_ciphers; ++i) {
|
||
|
+ if (!pj_ansi_stricmp(tls_ciphers[i].name, cipher_name))
|
||
|
+ return tls_ciphers[i].id;
|
||
|
+ }
|
||
|
+
|
||
|
+ return PJ_TLS_UNKNOWN_CIPHER;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Check if the specified cipher is supported by the TLS backend. */
|
||
|
+PJ_DEF(pj_bool_t) pj_ssl_cipher_is_supported(pj_ssl_cipher cipher)
|
||
|
+{
|
||
|
+ unsigned int i;
|
||
|
+
|
||
|
+ tls_ciphers_fill();
|
||
|
+
|
||
|
+ for (i = 0; i < tls_available_ciphers; ++i) {
|
||
|
+ if (cipher == tls_ciphers[i].id)
|
||
|
+ return PJ_TRUE;
|
||
|
+ }
|
||
|
+
|
||
|
+ return PJ_FALSE;
|
||
|
+}
|
||
|
+
|
||
|
+/* Create SSL socket instance. */
|
||
|
+PJ_DEF(pj_status_t) pj_ssl_sock_create(pj_pool_t *pool,
|
||
|
+ const pj_ssl_sock_param *param,
|
||
|
+ pj_ssl_sock_t **p_ssock)
|
||
|
+{
|
||
|
+ pj_ssl_sock_t *ssock;
|
||
|
+ pj_status_t status;
|
||
|
+
|
||
|
+ PJ_ASSERT_RETURN(pool && param && p_ssock, PJ_EINVAL);
|
||
|
+ PJ_ASSERT_RETURN(param->sock_type == pj_SOCK_STREAM(), PJ_ENOTSUP);
|
||
|
+
|
||
|
+ pool = pj_pool_create(pool->factory, "tls%p", 512, 512, NULL);
|
||
|
+
|
||
|
+ /* Create secure socket */
|
||
|
+ ssock = PJ_POOL_ZALLOC_T(pool, pj_ssl_sock_t);
|
||
|
+ ssock->pool = pool;
|
||
|
+ ssock->sock = PJ_INVALID_SOCKET;
|
||
|
+ ssock->connection_state = TLS_STATE_NULL;
|
||
|
+ pj_list_init(&ssock->write_pending);
|
||
|
+ pj_list_init(&ssock->write_pending_empty);
|
||
|
+ pj_list_init(&ssock->send_pending);
|
||
|
+ pj_timer_entry_init(&ssock->timer, 0, ssock, &on_timer);
|
||
|
+ pj_ioqueue_op_key_init(&ssock->handshake_op_key,
|
||
|
+ sizeof(pj_ioqueue_op_key_t));
|
||
|
+
|
||
|
+ /* Create secure socket mutex */
|
||
|
+ status = pj_lock_create_recursive_mutex(pool, pool->obj_name,
|
||
|
+ &ssock->circ_buf_output_mutex);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ return status;
|
||
|
+
|
||
|
+ /* Create input circular buffer mutex */
|
||
|
+ status = pj_lock_create_simple_mutex(pool, pool->obj_name,
|
||
|
+ &ssock->circ_buf_input_mutex);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ return status;
|
||
|
+
|
||
|
+ /* Create output circular buffer mutex */
|
||
|
+ status = pj_lock_create_simple_mutex(pool, pool->obj_name,
|
||
|
+ &ssock->circ_buf_output_mutex);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ return status;
|
||
|
+
|
||
|
+ /* Init secure socket param */
|
||
|
+ ssock->param = *param;
|
||
|
+ ssock->param.read_buffer_size = ((ssock->param.read_buffer_size + 7) >> 3) << 3;
|
||
|
+
|
||
|
+ if (param->ciphers_num > 0) {
|
||
|
+ unsigned int i;
|
||
|
+ ssock->param.ciphers = (pj_ssl_cipher *)
|
||
|
+ pj_pool_calloc(pool, param->ciphers_num,
|
||
|
+ sizeof(pj_ssl_cipher));
|
||
|
+ if (!ssock->param.ciphers)
|
||
|
+ return PJ_ENOMEM;
|
||
|
+
|
||
|
+ for (i = 0; i < param->ciphers_num; ++i)
|
||
|
+ ssock->param.ciphers[i] = param->ciphers[i];
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Server name must be null-terminated */
|
||
|
+ pj_strdup_with_null(pool, &ssock->param.server_name, ¶m->server_name);
|
||
|
+
|
||
|
+ /* Finally */
|
||
|
+ *p_ssock = ssock;
|
||
|
+
|
||
|
+ return PJ_SUCCESS;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/*
|
||
|
+ * Close the secure socket. This will unregister the socket from the
|
||
|
+ * ioqueue and ultimately close the socket.
|
||
|
+ */
|
||
|
+PJ_DEF(pj_status_t) pj_ssl_sock_close(pj_ssl_sock_t *ssock)
|
||
|
+{
|
||
|
+ pj_pool_t *pool;
|
||
|
+
|
||
|
+ PJ_ASSERT_RETURN(ssock, PJ_EINVAL);
|
||
|
+
|
||
|
+ if (!ssock->pool)
|
||
|
+ return PJ_SUCCESS;
|
||
|
+
|
||
|
+ if (ssock->timer.id != TIMER_NONE) {
|
||
|
+ pj_timer_heap_cancel(ssock->param.timer_heap, &ssock->timer);
|
||
|
+ ssock->timer.id = TIMER_NONE;
|
||
|
+ }
|
||
|
+
|
||
|
+ tls_sock_reset(ssock);
|
||
|
+
|
||
|
+ pj_lock_destroy(ssock->circ_buf_output_mutex);
|
||
|
+ pj_lock_destroy(ssock->circ_buf_input_mutex);
|
||
|
+
|
||
|
+ pool = ssock->pool;
|
||
|
+ ssock->pool = NULL;
|
||
|
+ if (pool)
|
||
|
+ pj_pool_release(pool);
|
||
|
+
|
||
|
+ return PJ_SUCCESS;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Associate arbitrary data with the secure socket. */
|
||
|
+PJ_DEF(pj_status_t) pj_ssl_sock_set_user_data(pj_ssl_sock_t *ssock,
|
||
|
+ void *user_data)
|
||
|
+{
|
||
|
+ PJ_ASSERT_RETURN(ssock, PJ_EINVAL);
|
||
|
+
|
||
|
+ ssock->param.user_data = user_data;
|
||
|
+ return PJ_SUCCESS;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Retrieve the user data previously associated with this secure socket. */
|
||
|
+PJ_DEF(void *)pj_ssl_sock_get_user_data(pj_ssl_sock_t *ssock)
|
||
|
+{
|
||
|
+ PJ_ASSERT_RETURN(ssock, NULL);
|
||
|
+
|
||
|
+ return ssock->param.user_data;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Retrieve the local address and port used by specified SSL socket. */
|
||
|
+PJ_DEF(pj_status_t) pj_ssl_sock_get_info (pj_ssl_sock_t *ssock,
|
||
|
+ pj_ssl_sock_info *info)
|
||
|
+{
|
||
|
+ pj_bzero(info, sizeof(*info));
|
||
|
+
|
||
|
+ /* Established flag */
|
||
|
+ info->established = (ssock->connection_state == TLS_STATE_ESTABLISHED);
|
||
|
+
|
||
|
+ /* Protocol */
|
||
|
+ info->proto = ssock->param.proto;
|
||
|
+
|
||
|
+ /* Local address */
|
||
|
+ pj_sockaddr_cp(&info->local_addr, &ssock->local_addr);
|
||
|
+
|
||
|
+ if (info->established) {
|
||
|
+ int i;
|
||
|
+ gnutls_cipher_algorithm_t lookup;
|
||
|
+ gnutls_cipher_algorithm_t cipher;
|
||
|
+
|
||
|
+ /* Current cipher */
|
||
|
+ cipher = gnutls_cipher_get(ssock->session);
|
||
|
+ for (i = 0; ; i++) {
|
||
|
+ unsigned char id[2];
|
||
|
+ const char *suite = gnutls_cipher_suite_info(i, (unsigned char *)id,
|
||
|
+ NULL, &lookup, NULL,
|
||
|
+ NULL);
|
||
|
+ if (suite) {
|
||
|
+ if (lookup == cipher) {
|
||
|
+ info->cipher = (pj_uint32_t) ((id[0] << 8) | id[1]);
|
||
|
+ break;
|
||
|
+ }
|
||
|
+ } else
|
||
|
+ break;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Remote address */
|
||
|
+ pj_sockaddr_cp(&info->remote_addr, &ssock->rem_addr);
|
||
|
+
|
||
|
+ /* Certificates info */
|
||
|
+ info->local_cert_info = &ssock->local_cert_info;
|
||
|
+ info->remote_cert_info = &ssock->remote_cert_info;
|
||
|
+
|
||
|
+ /* Verification status */
|
||
|
+ info->verify_status = ssock->verify_status;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Last known GnuTLS error code */
|
||
|
+ info->last_native_err = ssock->last_err;
|
||
|
+
|
||
|
+ return PJ_SUCCESS;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Starts read operation on this secure socket. */
|
||
|
+PJ_DEF(pj_status_t) pj_ssl_sock_start_read(pj_ssl_sock_t *ssock,
|
||
|
+ pj_pool_t *pool,
|
||
|
+ unsigned buff_size,
|
||
|
+ pj_uint32_t flags)
|
||
|
+{
|
||
|
+ void **readbuf;
|
||
|
+ unsigned int i;
|
||
|
+
|
||
|
+ PJ_ASSERT_RETURN(ssock && pool && buff_size, PJ_EINVAL);
|
||
|
+ PJ_ASSERT_RETURN(ssock->connection_state == TLS_STATE_ESTABLISHED,
|
||
|
+ PJ_EINVALIDOP);
|
||
|
+
|
||
|
+ readbuf = (void**) pj_pool_calloc(pool, ssock->param.async_cnt,
|
||
|
+ sizeof(void *));
|
||
|
+ if (!readbuf)
|
||
|
+ return PJ_ENOMEM;
|
||
|
+
|
||
|
+ for (i = 0; i < ssock->param.async_cnt; ++i) {
|
||
|
+ readbuf[i] = pj_pool_alloc(pool, buff_size);
|
||
|
+ if (!readbuf[i])
|
||
|
+ return PJ_ENOMEM;
|
||
|
+ }
|
||
|
+
|
||
|
+ return pj_ssl_sock_start_read2(ssock, pool, buff_size, readbuf, flags);
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/*
|
||
|
+ * Same as #pj_ssl_sock_start_read(), except that the application
|
||
|
+ * supplies the buffers for the read operation so that the acive socket
|
||
|
+ * does not have to allocate the buffers.
|
||
|
+ */
|
||
|
+PJ_DEF(pj_status_t) pj_ssl_sock_start_read2 (pj_ssl_sock_t *ssock,
|
||
|
+ pj_pool_t *pool,
|
||
|
+ unsigned buff_size,
|
||
|
+ void *readbuf[],
|
||
|
+ pj_uint32_t flags)
|
||
|
+{
|
||
|
+ unsigned int i;
|
||
|
+
|
||
|
+ PJ_ASSERT_RETURN(ssock && pool && buff_size && readbuf, PJ_EINVAL);
|
||
|
+ PJ_ASSERT_RETURN(ssock->connection_state == TLS_STATE_ESTABLISHED,
|
||
|
+ PJ_EINVALIDOP);
|
||
|
+
|
||
|
+ /* Create SSL socket read buffer */
|
||
|
+ ssock->ssock_rbuf = (read_data_t*)pj_pool_calloc(pool,
|
||
|
+ ssock->param.async_cnt,
|
||
|
+ sizeof(read_data_t));
|
||
|
+ if (!ssock->ssock_rbuf)
|
||
|
+ return PJ_ENOMEM;
|
||
|
+
|
||
|
+ /* Store SSL socket read buffer pointer in the activesock read buffer */
|
||
|
+ for (i = 0; i < ssock->param.async_cnt; ++i) {
|
||
|
+ read_data_t **p_ssock_rbuf =
|
||
|
+ OFFSET_OF_READ_DATA_PTR(ssock, ssock->asock_rbuf[i]);
|
||
|
+
|
||
|
+ ssock->ssock_rbuf[i].data = readbuf[i];
|
||
|
+ ssock->ssock_rbuf[i].len = 0;
|
||
|
+
|
||
|
+ *p_ssock_rbuf = &ssock->ssock_rbuf[i];
|
||
|
+ }
|
||
|
+
|
||
|
+ ssock->read_size = buff_size;
|
||
|
+ ssock->read_started = PJ_TRUE;
|
||
|
+ ssock->read_flags = flags;
|
||
|
+
|
||
|
+ return PJ_SUCCESS;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/*
|
||
|
+ * Same as pj_ssl_sock_start_read(), except that this function is used
|
||
|
+ * only for datagram sockets, and it will trigger \a on_data_recvfrom()
|
||
|
+ * callback instead.
|
||
|
+ */
|
||
|
+PJ_DEF(pj_status_t) pj_ssl_sock_start_recvfrom (pj_ssl_sock_t *ssock,
|
||
|
+ pj_pool_t *pool,
|
||
|
+ unsigned buff_size,
|
||
|
+ pj_uint32_t flags)
|
||
|
+{
|
||
|
+ PJ_UNUSED_ARG(ssock);
|
||
|
+ PJ_UNUSED_ARG(pool);
|
||
|
+ PJ_UNUSED_ARG(buff_size);
|
||
|
+ PJ_UNUSED_ARG(flags);
|
||
|
+
|
||
|
+ return PJ_ENOTSUP;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/*
|
||
|
+ * Same as #pj_ssl_sock_start_recvfrom() except that the recvfrom()
|
||
|
+ * operation takes the buffer from the argument rather than creating
|
||
|
+ * new ones.
|
||
|
+ */
|
||
|
+PJ_DEF(pj_status_t) pj_ssl_sock_start_recvfrom2 (pj_ssl_sock_t *ssock,
|
||
|
+ pj_pool_t *pool,
|
||
|
+ unsigned buff_size,
|
||
|
+ void *readbuf[],
|
||
|
+ pj_uint32_t flags)
|
||
|
+{
|
||
|
+ PJ_UNUSED_ARG(ssock);
|
||
|
+ PJ_UNUSED_ARG(pool);
|
||
|
+ PJ_UNUSED_ARG(buff_size);
|
||
|
+ PJ_UNUSED_ARG(readbuf);
|
||
|
+ PJ_UNUSED_ARG(flags);
|
||
|
+
|
||
|
+ return PJ_ENOTSUP;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/*
|
||
|
+ * Write the plain data to GnuTLS, it will be encrypted by gnutls_record_send()
|
||
|
+ * and sent via tls_data_push. Note that re-negotitation may be on progress, so
|
||
|
+ * sending data should be delayed until re-negotiation is completed.
|
||
|
+ */
|
||
|
+static pj_status_t tls_write(pj_ssl_sock_t *ssock,
|
||
|
+ pj_ioqueue_op_key_t *send_key,
|
||
|
+ const void *data, pj_ssize_t size, unsigned flags)
|
||
|
+{
|
||
|
+ pj_status_t status;
|
||
|
+ int nwritten;
|
||
|
+ pj_ssize_t total_written = 0;
|
||
|
+
|
||
|
+ /* Ask GnuTLS to encrypt our plaintext now. GnuTLS will use the push
|
||
|
+ * callback to actually write the encrypted bytes into our output circular
|
||
|
+ * buffer. GnuTLS may refuse to "send" everything at once, but since we are
|
||
|
+ * not really sending now, we will just call it again now until it succeeds
|
||
|
+ * (or fails in a fatal way). */
|
||
|
+ while (total_written < size) {
|
||
|
+ /* Try encrypting using GnuTLS */
|
||
|
+ nwritten = gnutls_record_send(ssock->session, ((read_data_t *)data) + total_written,
|
||
|
+ size);
|
||
|
+
|
||
|
+ if (nwritten > 0) {
|
||
|
+ /* Good, some data was encrypted and written */
|
||
|
+ total_written += nwritten;
|
||
|
+ } else {
|
||
|
+ /* Normally we would have to retry record_send but our internal
|
||
|
+ * state has not changed, so we have to ask for more data first.
|
||
|
+ * We will just try again later, although this should never happen.
|
||
|
+ */
|
||
|
+ return tls_status_from_err(ssock, nwritten);
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
+ /* All encrypted data is written to the output circular buffer;
|
||
|
+ * now send it on the socket (or notify problem). */
|
||
|
+ if (total_written == size)
|
||
|
+ status = flush_circ_buf_output(ssock, send_key, size, flags);
|
||
|
+ else
|
||
|
+ status = PJ_ENOMEM;
|
||
|
+
|
||
|
+ return status;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Flush delayed data sending in the write pending list. */
|
||
|
+static pj_status_t flush_delayed_send(pj_ssl_sock_t *ssock)
|
||
|
+{
|
||
|
+ /* Check for another ongoing flush */
|
||
|
+ if (ssock->flushing_write_pend) {
|
||
|
+ return PJ_EBUSY;
|
||
|
+ }
|
||
|
+
|
||
|
+ pj_lock_acquire(ssock->circ_buf_output_mutex);
|
||
|
+
|
||
|
+ /* Again, check for another ongoing flush */
|
||
|
+ if (ssock->flushing_write_pend) {
|
||
|
+ pj_lock_release(ssock->circ_buf_output_mutex);
|
||
|
+ return PJ_EBUSY;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Set ongoing flush flag */
|
||
|
+ ssock->flushing_write_pend = PJ_TRUE;
|
||
|
+
|
||
|
+ while (!pj_list_empty(&ssock->write_pending)) {
|
||
|
+ write_data_t *wp;
|
||
|
+ pj_status_t status;
|
||
|
+
|
||
|
+ wp = ssock->write_pending.next;
|
||
|
+
|
||
|
+ /* Ticket #1573: Don't hold mutex while calling socket send. */
|
||
|
+ pj_lock_release(ssock->circ_buf_output_mutex);
|
||
|
+
|
||
|
+ status = tls_write(ssock, &wp->key, wp->data.ptr,
|
||
|
+ wp->plain_data_len, wp->flags);
|
||
|
+ if (status != PJ_SUCCESS) {
|
||
|
+ /* Reset ongoing flush flag first. */
|
||
|
+ ssock->flushing_write_pend = PJ_FALSE;
|
||
|
+ return status;
|
||
|
+ }
|
||
|
+
|
||
|
+ pj_lock_acquire(ssock->circ_buf_output_mutex);
|
||
|
+ pj_list_erase(wp);
|
||
|
+ pj_list_push_back(&ssock->write_pending_empty, wp);
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Reset ongoing flush flag */
|
||
|
+ ssock->flushing_write_pend = PJ_FALSE;
|
||
|
+
|
||
|
+ pj_lock_release(ssock->circ_buf_output_mutex);
|
||
|
+
|
||
|
+ return PJ_SUCCESS;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/* Sending is delayed, push back the sending data into pending list. */
|
||
|
+static pj_status_t delay_send(pj_ssl_sock_t *ssock,
|
||
|
+ pj_ioqueue_op_key_t *send_key,
|
||
|
+ const void *data, pj_ssize_t size,
|
||
|
+ unsigned flags)
|
||
|
+{
|
||
|
+ write_data_t *wp;
|
||
|
+
|
||
|
+ pj_lock_acquire(ssock->circ_buf_output_mutex);
|
||
|
+
|
||
|
+ /* Init write pending instance */
|
||
|
+ if (!pj_list_empty(&ssock->write_pending_empty)) {
|
||
|
+ wp = ssock->write_pending_empty.next;
|
||
|
+ pj_list_erase(wp);
|
||
|
+ } else {
|
||
|
+ wp = PJ_POOL_ZALLOC_T(ssock->pool, write_data_t);
|
||
|
+ }
|
||
|
+
|
||
|
+ wp->app_key = send_key;
|
||
|
+ wp->plain_data_len = size;
|
||
|
+ wp->data.ptr = data;
|
||
|
+ wp->flags = flags;
|
||
|
+
|
||
|
+ pj_list_push_back(&ssock->write_pending, wp);
|
||
|
+
|
||
|
+ pj_lock_release(ssock->circ_buf_output_mutex);
|
||
|
+
|
||
|
+ /* Must return PJ_EPENDING */
|
||
|
+ return PJ_EPENDING;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/**
|
||
|
+ * Send data using the socket.
|
||
|
+ */
|
||
|
+PJ_DEF(pj_status_t) pj_ssl_sock_send(pj_ssl_sock_t *ssock,
|
||
|
+ pj_ioqueue_op_key_t *send_key,
|
||
|
+ const void *data, pj_ssize_t *size,
|
||
|
+ unsigned flags)
|
||
|
+{
|
||
|
+ pj_status_t status;
|
||
|
+
|
||
|
+ PJ_ASSERT_RETURN(ssock && data && size && (*size > 0), PJ_EINVAL);
|
||
|
+ PJ_ASSERT_RETURN(ssock->connection_state==TLS_STATE_ESTABLISHED,
|
||
|
+ PJ_EINVALIDOP);
|
||
|
+
|
||
|
+ /* Flush delayed send first. Sending data might be delayed when
|
||
|
+ * re-negotiation is on-progress. */
|
||
|
+ status = flush_delayed_send(ssock);
|
||
|
+ if (status == PJ_EBUSY) {
|
||
|
+ /* Re-negotiation or flushing is on progress, delay sending */
|
||
|
+ status = delay_send(ssock, send_key, data, *size, flags);
|
||
|
+ goto on_return;
|
||
|
+ } else if (status != PJ_SUCCESS) {
|
||
|
+ goto on_return;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Write data to SSL */
|
||
|
+ status = tls_write(ssock, send_key, data, *size, flags);
|
||
|
+ if (status == PJ_EBUSY) {
|
||
|
+ /* Re-negotiation is on progress, delay sending */
|
||
|
+ status = delay_send(ssock, send_key, data, *size, flags);
|
||
|
+ }
|
||
|
+
|
||
|
+on_return:
|
||
|
+ return status;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/**
|
||
|
+ * Send datagram using the socket.
|
||
|
+ */
|
||
|
+PJ_DEF(pj_status_t) pj_ssl_sock_sendto (pj_ssl_sock_t *ssock,
|
||
|
+ pj_ioqueue_op_key_t *send_key,
|
||
|
+ const void *data, pj_ssize_t *size,
|
||
|
+ unsigned flags,
|
||
|
+ const pj_sockaddr_t *addr, int addr_len)
|
||
|
+{
|
||
|
+ PJ_UNUSED_ARG(ssock);
|
||
|
+ PJ_UNUSED_ARG(send_key);
|
||
|
+ PJ_UNUSED_ARG(data);
|
||
|
+ PJ_UNUSED_ARG(size);
|
||
|
+ PJ_UNUSED_ARG(flags);
|
||
|
+ PJ_UNUSED_ARG(addr);
|
||
|
+ PJ_UNUSED_ARG(addr_len);
|
||
|
+
|
||
|
+ return PJ_ENOTSUP;
|
||
|
+}
|
||
|
+
|
||
|
+/**
|
||
|
+ * Starts asynchronous socket accept() operations on this secure socket.
|
||
|
+ */
|
||
|
+PJ_DEF(pj_status_t) pj_ssl_sock_start_accept (pj_ssl_sock_t *ssock,
|
||
|
+ pj_pool_t *pool,
|
||
|
+ const pj_sockaddr_t *localaddr,
|
||
|
+ int addr_len)
|
||
|
+{
|
||
|
+ return pj_ssl_sock_start_accept2(ssock, pool, localaddr, addr_len,
|
||
|
+ &ssock->param);
|
||
|
+}
|
||
|
+
|
||
|
+/**
|
||
|
+ * Starts asynchronous socket accept() operations on this secure socket.
|
||
|
+ */
|
||
|
+PJ_DEF(pj_status_t) pj_ssl_sock_start_accept2 (pj_ssl_sock_t *ssock,
|
||
|
+ pj_pool_t *pool,
|
||
|
+ const pj_sockaddr_t *localaddr,
|
||
|
+ int addr_len,
|
||
|
+ const pj_ssl_sock_param *newsock_param)
|
||
|
+{
|
||
|
+ pj_activesock_cb asock_cb;
|
||
|
+ pj_activesock_cfg asock_cfg;
|
||
|
+ pj_status_t status;
|
||
|
+
|
||
|
+ PJ_ASSERT_RETURN(ssock && pool && localaddr && addr_len, PJ_EINVAL);
|
||
|
+
|
||
|
+ /* Verify new socket parameters */
|
||
|
+ if (newsock_param->grp_lock != ssock->param.grp_lock ||
|
||
|
+ newsock_param->sock_af != ssock->param.sock_af ||
|
||
|
+ newsock_param->sock_type != ssock->param.sock_type)
|
||
|
+ {
|
||
|
+ return PJ_EINVAL;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Create socket */
|
||
|
+ status = pj_sock_socket(ssock->param.sock_af, ssock->param.sock_type, 0,
|
||
|
+ &ssock->sock);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ goto on_error;
|
||
|
+
|
||
|
+ /* Apply SO_REUSEADDR */
|
||
|
+ if (ssock->param.reuse_addr) {
|
||
|
+ int enabled = 1;
|
||
|
+ status = pj_sock_setsockopt(ssock->sock, pj_SOL_SOCKET(),
|
||
|
+ pj_SO_REUSEADDR(),
|
||
|
+ &enabled, sizeof(enabled));
|
||
|
+ if (status != PJ_SUCCESS) {
|
||
|
+ PJ_PERROR(4,(ssock->pool->obj_name, status,
|
||
|
+ "Warning: error applying SO_REUSEADDR"));
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Apply QoS, if specified */
|
||
|
+ status = pj_sock_apply_qos2(ssock->sock, ssock->param.qos_type,
|
||
|
+ &ssock->param.qos_params, 2,
|
||
|
+ ssock->pool->obj_name, NULL);
|
||
|
+ if (status != PJ_SUCCESS && !ssock->param.qos_ignore_error)
|
||
|
+ goto on_error;
|
||
|
+
|
||
|
+ /* Bind socket */
|
||
|
+ status = pj_sock_bind(ssock->sock, localaddr, addr_len);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ goto on_error;
|
||
|
+
|
||
|
+ /* Start listening to the address */
|
||
|
+ status = pj_sock_listen(ssock->sock, PJ_SOMAXCONN);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ goto on_error;
|
||
|
+
|
||
|
+ /* Create active socket */
|
||
|
+ pj_activesock_cfg_default(&asock_cfg);
|
||
|
+ asock_cfg.async_cnt = ssock->param.async_cnt;
|
||
|
+ asock_cfg.concurrency = ssock->param.concurrency;
|
||
|
+ asock_cfg.whole_data = PJ_TRUE;
|
||
|
+
|
||
|
+ pj_bzero(&asock_cb, sizeof(asock_cb));
|
||
|
+ asock_cb.on_accept_complete = asock_on_accept_complete;
|
||
|
+
|
||
|
+ status = pj_activesock_create(pool,
|
||
|
+ ssock->sock,
|
||
|
+ ssock->param.sock_type,
|
||
|
+ &asock_cfg,
|
||
|
+ ssock->param.ioqueue,
|
||
|
+ &asock_cb,
|
||
|
+ ssock,
|
||
|
+ &ssock->asock);
|
||
|
+
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ goto on_error;
|
||
|
+
|
||
|
+ /* Start accepting */
|
||
|
+ pj_ssl_sock_param_copy(pool, &ssock->newsock_param, newsock_param);
|
||
|
+ status = pj_activesock_start_accept(ssock->asock, pool);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ goto on_error;
|
||
|
+
|
||
|
+ /* Update local address */
|
||
|
+ ssock->addr_len = addr_len;
|
||
|
+ status = pj_sock_getsockname(ssock->sock, &ssock->local_addr,
|
||
|
+ &ssock->addr_len);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ pj_sockaddr_cp(&ssock->local_addr, localaddr);
|
||
|
+
|
||
|
+ ssock->is_server = PJ_TRUE;
|
||
|
+
|
||
|
+ return PJ_SUCCESS;
|
||
|
+
|
||
|
+on_error:
|
||
|
+ tls_sock_reset(ssock);
|
||
|
+ return status;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+/**
|
||
|
+ * Starts asynchronous socket connect() operation.
|
||
|
+ */
|
||
|
+PJ_DECL(pj_status_t) pj_ssl_sock_start_connect(pj_ssl_sock_t *ssock,
|
||
|
+ pj_pool_t *pool,
|
||
|
+ const pj_sockaddr_t *localaddr,
|
||
|
+ const pj_sockaddr_t *remaddr,
|
||
|
+ int addr_len)
|
||
|
+{
|
||
|
+ pj_activesock_cb asock_cb;
|
||
|
+ pj_activesock_cfg asock_cfg;
|
||
|
+ pj_status_t status;
|
||
|
+
|
||
|
+ PJ_ASSERT_RETURN(ssock && pool && localaddr && remaddr && addr_len,
|
||
|
+ PJ_EINVAL);
|
||
|
+
|
||
|
+ /* Create socket */
|
||
|
+ status = pj_sock_socket(ssock->param.sock_af, ssock->param.sock_type, 0,
|
||
|
+ &ssock->sock);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ goto on_error;
|
||
|
+
|
||
|
+ /* Apply QoS, if specified */
|
||
|
+ status = pj_sock_apply_qos2(ssock->sock, ssock->param.qos_type,
|
||
|
+ &ssock->param.qos_params, 2,
|
||
|
+ ssock->pool->obj_name, NULL);
|
||
|
+ if (status != PJ_SUCCESS && !ssock->param.qos_ignore_error)
|
||
|
+ goto on_error;
|
||
|
+
|
||
|
+ /* Bind socket */
|
||
|
+ status = pj_sock_bind(ssock->sock, localaddr, addr_len);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ goto on_error;
|
||
|
+
|
||
|
+ /* Create active socket */
|
||
|
+ pj_activesock_cfg_default(&asock_cfg);
|
||
|
+ asock_cfg.async_cnt = ssock->param.async_cnt;
|
||
|
+ asock_cfg.concurrency = ssock->param.concurrency;
|
||
|
+ asock_cfg.whole_data = PJ_TRUE;
|
||
|
+
|
||
|
+ pj_bzero(&asock_cb, sizeof(asock_cb));
|
||
|
+ asock_cb.on_connect_complete = asock_on_connect_complete;
|
||
|
+ asock_cb.on_data_read = asock_on_data_read;
|
||
|
+ asock_cb.on_data_sent = asock_on_data_sent;
|
||
|
+
|
||
|
+ status = pj_activesock_create(pool,
|
||
|
+ ssock->sock,
|
||
|
+ ssock->param.sock_type,
|
||
|
+ &asock_cfg,
|
||
|
+ ssock->param.ioqueue,
|
||
|
+ &asock_cb,
|
||
|
+ ssock,
|
||
|
+ &ssock->asock);
|
||
|
+
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ goto on_error;
|
||
|
+
|
||
|
+ /* Save remote address */
|
||
|
+ pj_sockaddr_cp(&ssock->rem_addr, remaddr);
|
||
|
+
|
||
|
+ /* Start timer */
|
||
|
+ if (ssock->param.timer_heap &&
|
||
|
+ (ssock->param.timeout.sec != 0 || ssock->param.timeout.msec != 0))
|
||
|
+ {
|
||
|
+ pj_assert(ssock->timer.id == TIMER_NONE);
|
||
|
+ ssock->timer.id = TIMER_HANDSHAKE_TIMEOUT;
|
||
|
+ status = pj_timer_heap_schedule(ssock->param.timer_heap,
|
||
|
+ &ssock->timer,
|
||
|
+ &ssock->param.timeout);
|
||
|
+ if (status != PJ_SUCCESS)
|
||
|
+ ssock->timer.id = TIMER_NONE;
|
||
|
+ }
|
||
|
+
|
||
|
+ status = pj_activesock_start_connect(ssock->asock, pool, remaddr,
|
||
|
+ addr_len);
|
||
|
+
|
||
|
+ if (status == PJ_SUCCESS)
|
||
|
+ asock_on_connect_complete(ssock->asock, PJ_SUCCESS);
|
||
|
+ else if (status != PJ_EPENDING)
|
||
|
+ goto on_error;
|
||
|
+
|
||
|
+ /* Update local address */
|
||
|
+ ssock->addr_len = addr_len;
|
||
|
+ status = pj_sock_getsockname(ssock->sock, &ssock->local_addr,
|
||
|
+ &ssock->addr_len);
|
||
|
+ /* Note that we may not get an IP address here. This can
|
||
|
+ * happen for example on Windows, where getsockname()
|
||
|
+ * would return 0.0.0.0 if socket has just started the
|
||
|
+ * async connect. In this case, just leave the local
|
||
|
+ * address with 0.0.0.0 for now; it will be updated
|
||
|
+ * once the socket is established.
|
||
|
+ */
|
||
|
+
|
||
|
+ /* Update socket state */
|
||
|
+ ssock->is_server = PJ_FALSE;
|
||
|
+
|
||
|
+ return PJ_EPENDING;
|
||
|
+
|
||
|
+on_error:
|
||
|
+ tls_sock_reset(ssock);
|
||
|
+ return status;
|
||
|
+}
|
||
|
+
|
||
|
+
|
||
|
+PJ_DEF(pj_status_t) pj_ssl_sock_renegotiate(pj_ssl_sock_t *ssock)
|
||
|
+{
|
||
|
+ int status;
|
||
|
+
|
||
|
+ /* Nothing established yet */
|
||
|
+ PJ_ASSERT_RETURN(ssock->connection_state == TLS_STATE_ESTABLISHED,
|
||
|
+ PJ_EINVALIDOP);
|
||
|
+
|
||
|
+ /* Cannot renegotiate; we're a client */
|
||
|
+ /* FIXME: in fact maybe that's not true */
|
||
|
+ PJ_ASSERT_RETURN(!ssock->is_server, PJ_EINVALIDOP);
|
||
|
+
|
||
|
+ /* First call gnutls_rehandshake() to see if this is even possible */
|
||
|
+ status = gnutls_rehandshake(ssock->session);
|
||
|
+
|
||
|
+ if (status == GNUTLS_E_SUCCESS) {
|
||
|
+ /* Rehandshake is possible, so try a GnuTLS handshake now. The eventual
|
||
|
+ * gnutls_record_recv() calls could return a few specific values during
|
||
|
+ * this state:
|
||
|
+ *
|
||
|
+ * - GNUTLS_E_REHANDSHAKE: rehandshake message processing
|
||
|
+ * - GNUTLS_E_WARNING_ALERT_RECEIVED: client does not wish to
|
||
|
+ * renegotiate
|
||
|
+ */
|
||
|
+ ssock->connection_state = TLS_STATE_HANDSHAKING;
|
||
|
+ status = tls_try_handshake(ssock);
|
||
|
+
|
||
|
+ return status;
|
||
|
+ } else {
|
||
|
+ return tls_status_from_err(ssock, status);
|
||
|
+ }
|
||
|
+}
|
||
|
+
|
||
|
+#endif /* PJ_HAS_SSL_SOCK */
|
||
|
diff -ru a/pjlib/src/pj/ssl_sock_ossl.c b/pjlib/src/pj/ssl_sock_ossl.c
|
||
|
--- a/pjlib/src/pj/ssl_sock_ossl.c 2017-01-24 00:41:05.000000000 -0500
|
||
|
+++ b/pjlib/src/pj/ssl_sock_ossl.c 2017-06-08 13:42:15.188809557 -0400
|
||
|
@@ -32,8 +32,10 @@
|
||
|
#include <pj/timer.h>
|
||
|
|
||
|
|
||
|
-/* Only build when PJ_HAS_SSL_SOCK is enabled */
|
||
|
-#if defined(PJ_HAS_SSL_SOCK) && PJ_HAS_SSL_SOCK!=0
|
||
|
+/* Only build when PJ_HAS_SSL_SOCK is enabled and when PJ_HAS_TLS_SOCK is
|
||
|
+ * disabled (meaning GnuTLS is off) */
|
||
|
+#if defined(PJ_HAS_SSL_SOCK) && PJ_HAS_SSL_SOCK != 0 && \
|
||
|
+ defined(PJ_HAS_TLS_SOCK) && PJ_HAS_TLS_SOCK == 0
|
||
|
|
||
|
#define THIS_FILE "ssl_sock_ossl.c"
|
||
|
|
||
|
diff -ru a/pjmedia/src/pjmedia/transport_srtp.c b/pjmedia/src/pjmedia/transport_srtp.c
|
||
|
--- a/pjmedia/src/pjmedia/transport_srtp.c 2017-01-10 23:38:29.000000000 -0500
|
||
|
+++ b/pjmedia/src/pjmedia/transport_srtp.c 2017-06-08 13:43:29.727001721 -0400
|
||
|
@@ -30,7 +30,8 @@
|
||
|
|
||
|
#if defined(PJMEDIA_HAS_SRTP) && (PJMEDIA_HAS_SRTP != 0)
|
||
|
|
||
|
-#if defined(PJ_HAS_SSL_SOCK) && (PJ_HAS_SSL_SOCK != 0)
|
||
|
+#if defined(PJ_HAS_SSL_SOCK) && PJ_HAS_SSL_SOCK != 0 && \
|
||
|
+ defined(PJ_HAS_TLS_SOCK) && PJ_HAS_TLS_SOCK == 0
|
||
|
# include <openssl/rand.h>
|
||
|
|
||
|
/* Suppress compile warning of OpenSSL deprecation (OpenSSL is deprecated
|
||
|
@@ -1147,7 +1148,8 @@
|
||
|
key_ok = PJ_TRUE;
|
||
|
|
||
|
|
||
|
-#if defined(PJ_HAS_SSL_SOCK) && (PJ_HAS_SSL_SOCK != 0)
|
||
|
+#if defined(PJ_HAS_SSL_SOCK) && PJ_HAS_SSL_SOCK != 0 && \
|
||
|
+ defined(PJ_HAS_TLS_SOCK) && PJ_HAS_TLS_SOCK == 0
|
||
|
|
||
|
/* Include OpenSSL libraries for MSVC */
|
||
|
# ifdef _MSC_VER
|
||
|
|