1
/* $Id: sip_transport_tls.c 4726 2014-02-04 04:56:50Z ming $ */
3
* Copyright (C) 2009-2011 Teluu Inc. (http://www.teluu.com)
5
* This program is free software; you can redistribute it and/or modify
6
* it under the terms of the GNU General Public License as published by
7
* the Free Software Foundation; either version 2 of the License, or
8
* (at your option) any later version.
10
* This program is distributed in the hope that it will be useful,
11
* but WITHOUT ANY WARRANTY; without even the implied warranty of
12
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13
* GNU General Public License for more details.
15
* You should have received a copy of the GNU General Public License
16
* along with this program; if not, write to the Free Software
17
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20
#include <pjsip/sip_transport_tls.h>
21
#include <pjsip/sip_endpoint.h>
22
#include <pjsip/sip_errno.h>
23
#include <pj/compat/socket.h>
24
#include <pj/addr_resolv.h>
25
#include <pj/ssl_sock.h>
26
#include <pj/assert.h>
32
#include <pj/string.h>
34
#if defined(PJSIP_HAS_TLS_TRANSPORT) && PJSIP_HAS_TLS_TRANSPORT!=0
36
#define THIS_FILE "sip_transport_tls.c"
38
#define MAX_ASYNC_CNT 16
39
#define POOL_LIS_INIT 512
40
#define POOL_LIS_INC 512
41
#define POOL_TP_INIT 512
42
#define POOL_TP_INC 512
48
* Definition of TLS/SSL transport listener, and it's descendant of
53
pjsip_tpfactory factory;
54
pj_bool_t is_registered;
55
pjsip_endpoint *endpt;
58
pj_sockaddr bound_addr;
60
pjsip_tls_setting tls_setting;
65
* This structure is used to keep delayed transmit operation in a list.
66
* A delayed transmission occurs when application sends tx_data when
67
* the TLS connect/establishment is still in progress. These delayed
68
* transmission will be "flushed" once the socket is connected (either
69
* successfully or with errors).
73
PJ_DECL_LIST_MEMBER(struct delayed_tdata);
74
pjsip_tx_data_op_key *tdata_op_key;
80
* TLS/SSL transport, and it's descendant of pjsip_transport.
88
pj_bool_t is_registered;
90
pj_status_t close_reason;
92
pj_bool_t has_pending_connect;
93
pj_bool_t verify_server;
95
/* Keep-alive timer. */
96
pj_timer_entry ka_timer;
97
pj_time_val last_activity;
98
pjsip_tx_data_op_key ka_op_key;
101
/* TLS transport can only have one rdata!
102
* Otherwise chunks of incoming PDU may be received on different
107
/* Pending transmission list. */
108
struct delayed_tdata delayed_list;
112
/****************************************************************************
116
/* This callback is called when pending accept() operation completes. */
117
static pj_bool_t on_accept_complete(pj_ssl_sock_t *ssock,
118
pj_ssl_sock_t *new_ssock,
119
const pj_sockaddr_t *src_addr,
122
/* Callback on incoming data */
123
static pj_bool_t on_data_read(pj_ssl_sock_t *ssock,
127
pj_size_t *remainder);
129
/* Callback when packet is sent */
130
static pj_bool_t on_data_sent(pj_ssl_sock_t *ssock,
131
pj_ioqueue_op_key_t *send_key,
134
/* This callback is called by transport manager to destroy listener */
135
static pj_status_t lis_destroy(pjsip_tpfactory *factory);
137
/* This callback is called by transport manager to create transport */
138
static pj_status_t lis_create_transport(pjsip_tpfactory *factory,
140
pjsip_endpoint *endpt,
141
const pj_sockaddr *rem_addr,
143
pjsip_tx_data *tdata,
144
pjsip_transport **transport);
146
/* Common function to create and initialize transport */
147
static pj_status_t tls_create(struct tls_listener *listener,
149
pj_ssl_sock_t *ssock,
151
const pj_sockaddr *local,
152
const pj_sockaddr *remote,
153
const pj_str_t *remote_name,
154
struct tls_transport **p_tls);
157
static void tls_perror(const char *sender, const char *title,
160
char errmsg[PJ_ERR_MSG_SIZE];
162
pj_strerror(status, errmsg, sizeof(errmsg));
164
PJ_LOG(1,(sender, "%s: %s [code=%d]", title, errmsg, status));
168
static void sockaddr_to_host_port( pj_pool_t *pool,
169
pjsip_host_port *host_port,
170
const pj_sockaddr *addr )
172
host_port->host.ptr = (char*) pj_pool_alloc(pool, PJ_INET6_ADDRSTRLEN+4);
173
pj_sockaddr_print(addr, host_port->host.ptr, PJ_INET6_ADDRSTRLEN+4, 0);
174
host_port->host.slen = pj_ansi_strlen(host_port->host.ptr);
175
host_port->port = pj_sockaddr_get_port(addr);
179
static void tls_init_shutdown(struct tls_transport *tls, pj_status_t status)
181
pjsip_tp_state_callback state_cb;
183
if (tls->close_reason == PJ_SUCCESS)
184
tls->close_reason = status;
186
if (tls->base.is_shutdown || tls->base.is_destroying)
189
/* Prevent immediate transport destroy by application, as transport
190
* state notification callback may be stacked and transport instance
191
* must remain valid at any point in the callback.
193
pjsip_transport_add_ref(&tls->base);
195
/* Notify application of transport disconnected state */
196
state_cb = pjsip_tpmgr_get_state_cb(tls->base.tpmgr);
198
pjsip_transport_state_info state_info;
199
pjsip_tls_state_info tls_info;
200
pj_ssl_sock_info ssl_info;
202
/* Init transport state info */
203
pj_bzero(&state_info, sizeof(state_info));
204
state_info.status = tls->close_reason;
207
pj_ssl_sock_get_info(tls->ssock, &ssl_info) == PJ_SUCCESS)
209
pj_bzero(&tls_info, sizeof(tls_info));
210
tls_info.ssl_sock_info = &ssl_info;
211
state_info.ext_info = &tls_info;
214
(*state_cb)(&tls->base, PJSIP_TP_STATE_DISCONNECTED, &state_info);
218
if (tls->base.is_shutdown || tls->base.is_destroying) {
219
pjsip_transport_dec_ref(&tls->base);
223
/* We can not destroy the transport since high level objects may
224
* still keep reference to this transport. So we can only
225
* instruct transport manager to gracefully start the shutdown
226
* procedure for this transport.
228
pjsip_transport_shutdown(&tls->base);
230
/* Now, it is ok to destroy the transport. */
231
pjsip_transport_dec_ref(&tls->base);
235
/****************************************************************************
236
* The TLS listener/transport factory.
240
* This is the public API to create, initialize, register, and start the
243
PJ_DEF(pj_status_t) pjsip_tls_transport_start (pjsip_endpoint *endpt,
244
const pjsip_tls_setting *opt,
245
const pj_sockaddr_in *local_in,
246
const pjsip_host_port *a_name,
248
pjsip_tpfactory **p_factory)
253
pj_sockaddr_cp(&local, local_in);
255
return pjsip_tls_transport_start2(endpt, opt, (local_in? &local : NULL),
256
a_name, async_cnt, p_factory);
259
PJ_DEF(pj_status_t) pjsip_tls_transport_start2( pjsip_endpoint *endpt,
260
const pjsip_tls_setting *opt,
261
const pj_sockaddr *local,
262
const pjsip_host_port *a_name,
264
pjsip_tpfactory **p_factory)
269
struct tls_listener *listener;
270
pj_ssl_sock_param ssock_param;
271
pj_sockaddr *listener_addr;
272
pj_bool_t has_listener;
276
PJ_ASSERT_RETURN(endpt && async_cnt, PJ_EINVAL);
278
is_ipv6 = (local && local->addr.sa_family == pj_AF_INET6());
279
af = is_ipv6 ? pj_AF_INET6() : pj_AF_INET();
281
/* Verify that address given in a_name (if any) is valid */
282
if (a_name && a_name->host.slen) {
285
status = pj_sockaddr_init(af, &tmp, &a_name->host,
286
(pj_uint16_t)a_name->port);
287
if (status != PJ_SUCCESS || !pj_sockaddr_has_addr(&tmp) ||
288
(!is_ipv6 && tmp.ipv4.sin_addr.s_addr == PJ_INADDR_NONE))
290
/* Invalid address */
295
pool = pjsip_endpt_create_pool(endpt, "tlslis", POOL_LIS_INIT,
297
PJ_ASSERT_RETURN(pool, PJ_ENOMEM);
299
listener = PJ_POOL_ZALLOC_T(pool, struct tls_listener);
300
listener->factory.pool = pool;
302
listener->factory.type = PJSIP_TRANSPORT_TLS6;
304
listener->factory.type = PJSIP_TRANSPORT_TLS;
305
listener->factory.type_name = (char*)
306
pjsip_transport_get_type_name(listener->factory.type);
307
listener->factory.flag =
308
pjsip_transport_get_flag_from_type(listener->factory.type);
310
pj_ansi_strcpy(listener->factory.obj_name, "tlslis");
312
pj_ansi_strcat(listener->factory.obj_name, "6");
315
pjsip_tls_setting_copy(pool, &listener->tls_setting, opt);
317
pjsip_tls_setting_default(&listener->tls_setting);
319
status = pj_lock_create_recursive_mutex(pool, listener->factory.obj_name,
320
&listener->factory.lock);
321
if (status != PJ_SUCCESS)
324
if (async_cnt > MAX_ASYNC_CNT)
325
async_cnt = MAX_ASYNC_CNT;
327
/* Build SSL socket param */
328
pj_ssl_sock_param_default(&ssock_param);
329
ssock_param.sock_af = af;
330
ssock_param.cb.on_accept_complete = &on_accept_complete;
331
ssock_param.cb.on_data_read = &on_data_read;
332
ssock_param.cb.on_data_sent = &on_data_sent;
333
ssock_param.async_cnt = async_cnt;
334
ssock_param.ioqueue = pjsip_endpt_get_ioqueue(endpt);
335
ssock_param.require_client_cert = listener->tls_setting.require_client_cert;
336
ssock_param.timeout = listener->tls_setting.timeout;
337
ssock_param.user_data = listener;
338
ssock_param.verify_peer = PJ_FALSE; /* avoid SSL socket closing the socket
339
* due to verification error */
340
if (ssock_param.send_buffer_size < PJSIP_MAX_PKT_LEN)
341
ssock_param.send_buffer_size = PJSIP_MAX_PKT_LEN;
342
if (ssock_param.read_buffer_size < PJSIP_MAX_PKT_LEN)
343
ssock_param.read_buffer_size = PJSIP_MAX_PKT_LEN;
344
ssock_param.ciphers_num = listener->tls_setting.ciphers_num;
345
ssock_param.ciphers = listener->tls_setting.ciphers;
346
ssock_param.reuse_addr = listener->tls_setting.reuse_addr;
347
ssock_param.qos_type = listener->tls_setting.qos_type;
348
ssock_param.qos_ignore_error = listener->tls_setting.qos_ignore_error;
349
pj_memcpy(&ssock_param.qos_params, &listener->tls_setting.qos_params,
350
sizeof(ssock_param.qos_params));
352
has_listener = PJ_FALSE;
354
switch(listener->tls_setting.method) {
355
case PJSIP_TLSV1_METHOD:
356
ssock_param.proto = PJ_SSL_SOCK_PROTO_TLS1;
358
case PJSIP_SSLV2_METHOD:
359
ssock_param.proto = PJ_SSL_SOCK_PROTO_SSL2;
361
case PJSIP_SSLV3_METHOD:
362
ssock_param.proto = PJ_SSL_SOCK_PROTO_SSL3;
364
case PJSIP_SSLV23_METHOD:
365
ssock_param.proto = PJ_SSL_SOCK_PROTO_SSL23;
368
ssock_param.proto = PJ_SSL_SOCK_PROTO_DEFAULT;
372
/* Create SSL socket */
373
status = pj_ssl_sock_create(pool, &ssock_param, &listener->ssock);
374
if (status != PJ_SUCCESS)
377
/* Bind address may be different than factory.local_addr because
378
* factory.local_addr will be resolved below.
380
listener_addr = &listener->factory.local_addr;
382
pj_sockaddr_cp((pj_sockaddr_t*)listener_addr,
383
(const pj_sockaddr_t*)local);
384
pj_sockaddr_cp(&listener->bound_addr, local);
386
pj_sockaddr_init(af, listener_addr, NULL, 0);
387
pj_sockaddr_init(af, &listener->bound_addr, NULL, 0);
390
/* Check if certificate/CA list for SSL socket is set */
391
if (listener->tls_setting.cert_file.slen ||
392
listener->tls_setting.ca_list_file.slen)
394
status = pj_ssl_cert_load_from_files(pool,
395
&listener->tls_setting.ca_list_file,
396
&listener->tls_setting.cert_file,
397
&listener->tls_setting.privkey_file,
398
&listener->tls_setting.password,
400
if (status != PJ_SUCCESS)
403
status = pj_ssl_sock_set_certificate(listener->ssock, pool,
405
if (status != PJ_SUCCESS)
409
/* Start accepting incoming connections. Note that some TLS/SSL backends
410
* may not support for SSL socket server.
412
has_listener = PJ_FALSE;
414
status = pj_ssl_sock_start_accept(listener->ssock, pool,
415
(pj_sockaddr_t*)listener_addr,
416
pj_sockaddr_get_len((pj_sockaddr_t*)listener_addr));
417
if (status == PJ_SUCCESS || status == PJ_EPENDING) {
418
pj_ssl_sock_info info;
419
has_listener = PJ_TRUE;
421
/* Retrieve the bound address */
422
status = pj_ssl_sock_get_info(listener->ssock, &info);
423
if (status == PJ_SUCCESS)
424
pj_sockaddr_cp(listener_addr, (pj_sockaddr_t*)&info.local_addr);
425
} else if (status != PJ_ENOTSUP) {
429
/* If published host/IP is specified, then use that address as the
430
* listener advertised address.
432
if (a_name && a_name->host.slen) {
433
/* Copy the address */
434
listener->factory.addr_name = *a_name;
435
pj_strdup(listener->factory.pool, &listener->factory.addr_name.host,
437
listener->factory.addr_name.port = a_name->port;
440
/* No published address is given, use the bound address */
442
/* If the address returns 0.0.0.0, use the default
443
* interface address as the transport's address.
445
if (!pj_sockaddr_has_addr(listener_addr)) {
448
status = pj_gethostip(af, &hostip);
449
if (status != PJ_SUCCESS)
452
pj_sockaddr_copy_addr(listener_addr, &hostip);
455
/* Save the address name */
456
sockaddr_to_host_port(listener->factory.pool,
457
&listener->factory.addr_name, listener_addr);
460
/* If port is zero, get the bound port */
461
if (listener->factory.addr_name.port == 0) {
462
listener->factory.addr_name.port = pj_sockaddr_get_port(listener_addr);
465
pj_ansi_snprintf(listener->factory.obj_name,
466
sizeof(listener->factory.obj_name),
467
"tlslis:%d", listener->factory.addr_name.port);
469
/* Register to transport manager */
470
listener->endpt = endpt;
471
listener->tpmgr = pjsip_endpt_get_tpmgr(endpt);
472
listener->factory.create_transport2 = lis_create_transport;
473
listener->factory.destroy = lis_destroy;
474
listener->is_registered = PJ_TRUE;
475
status = pjsip_tpmgr_register_tpfactory(listener->tpmgr,
477
if (status != PJ_SUCCESS) {
478
listener->is_registered = PJ_FALSE;
483
PJ_LOG(4,(listener->factory.obj_name,
484
"SIP TLS listener is ready for incoming connections "
486
(int)listener->factory.addr_name.host.slen,
487
listener->factory.addr_name.host.ptr,
488
listener->factory.addr_name.port));
490
PJ_LOG(4,(listener->factory.obj_name, "SIP TLS is ready "
494
/* Return the pointer to user */
495
if (p_factory) *p_factory = &listener->factory;
500
lis_destroy(&listener->factory);
505
/* This callback is called by transport manager to destroy listener */
506
static pj_status_t lis_destroy(pjsip_tpfactory *factory)
508
struct tls_listener *listener = (struct tls_listener *)factory;
510
if (listener->is_registered) {
511
pjsip_tpmgr_unregister_tpfactory(listener->tpmgr, &listener->factory);
512
listener->is_registered = PJ_FALSE;
515
if (listener->ssock) {
516
pj_ssl_sock_close(listener->ssock);
517
listener->ssock = NULL;
520
if (listener->factory.lock) {
521
pj_lock_destroy(listener->factory.lock);
522
listener->factory.lock = NULL;
525
if (listener->factory.pool) {
526
pj_pool_t *pool = listener->factory.pool;
528
PJ_LOG(4,(listener->factory.obj_name, "SIP TLS listener destroyed"));
530
listener->factory.pool = NULL;
531
pj_pool_release(pool);
538
/***************************************************************************/
546
/* Called by transport manager to send message */
547
static pj_status_t tls_send_msg(pjsip_transport *transport,
548
pjsip_tx_data *tdata,
549
const pj_sockaddr_t *rem_addr,
552
pjsip_transport_callback callback);
554
/* Called by transport manager to shutdown */
555
static pj_status_t tls_shutdown(pjsip_transport *transport);
557
/* Called by transport manager to destroy transport */
558
static pj_status_t tls_destroy_transport(pjsip_transport *transport);
560
/* Utility to destroy transport */
561
static pj_status_t tls_destroy(pjsip_transport *transport,
564
/* Callback when connect completes */
565
static pj_bool_t on_connect_complete(pj_ssl_sock_t *ssock,
568
/* TLS keep-alive timer callback */
569
static void tls_keep_alive_timer(pj_timer_heap_t *th, pj_timer_entry *e);
572
* Common function to create TLS transport, called when pending accept() and
573
* pending connect() complete.
575
static pj_status_t tls_create( struct tls_listener *listener,
577
pj_ssl_sock_t *ssock,
579
const pj_sockaddr *local,
580
const pj_sockaddr *remote,
581
const pj_str_t *remote_name,
582
struct tls_transport **p_tls)
584
struct tls_transport *tls;
585
const pj_str_t ka_pkt = PJSIP_TLS_KEEP_ALIVE_DATA;
586
char print_addr[PJ_INET6_ADDRSTRLEN+10];
590
PJ_ASSERT_RETURN(listener && ssock && local && remote && p_tls, PJ_EINVAL);
594
pool = pjsip_endpt_create_pool(listener->endpt, "tls",
595
POOL_TP_INIT, POOL_TP_INC);
596
PJ_ASSERT_RETURN(pool != NULL, PJ_ENOMEM);
600
* Create and initialize basic transport structure.
602
tls = PJ_POOL_ZALLOC_T(pool, struct tls_transport);
603
tls->is_server = is_server;
604
tls->verify_server = listener->tls_setting.verify_server;
605
pj_list_init(&tls->delayed_list);
606
tls->base.pool = pool;
608
pj_ansi_snprintf(tls->base.obj_name, PJ_MAX_OBJ_NAME,
609
(is_server ? "tlss%p" :"tlsc%p"), tls);
611
status = pj_atomic_create(pool, 0, &tls->base.ref_cnt);
612
if (status != PJ_SUCCESS) {
616
status = pj_lock_create_recursive_mutex(pool, "tls", &tls->base.lock);
617
if (status != PJ_SUCCESS) {
622
pj_strdup(pool, &tls->remote_name, remote_name);
624
tls->base.key.type = listener->factory.type;
625
pj_sockaddr_cp(&tls->base.key.rem_addr, remote);
626
tls->base.type_name = (char*)pjsip_transport_get_type_name(
627
(pjsip_transport_type_e)tls->base.key.type);
628
tls->base.flag = pjsip_transport_get_flag_from_type(
629
(pjsip_transport_type_e)tls->base.key.type);
631
tls->base.info = (char*) pj_pool_alloc(pool, 64);
632
pj_ansi_snprintf(tls->base.info, 64, "%s to %s",
634
pj_sockaddr_print(remote, print_addr,
635
sizeof(print_addr), 3));
638
tls->base.addr_len = pj_sockaddr_get_len(remote);
639
tls->base.dir = is_server? PJSIP_TP_DIR_INCOMING : PJSIP_TP_DIR_OUTGOING;
641
/* Set initial local address */
642
if (!pj_sockaddr_has_addr(local)) {
643
pj_sockaddr_cp(&tls->base.local_addr,
644
&listener->factory.local_addr);
646
pj_sockaddr_cp(&tls->base.local_addr, local);
649
sockaddr_to_host_port(pool, &tls->base.local_name, &tls->base.local_addr);
650
if (tls->remote_name.slen) {
651
tls->base.remote_name.host = tls->remote_name;
652
tls->base.remote_name.port = pj_sockaddr_get_port(remote);
654
sockaddr_to_host_port(pool, &tls->base.remote_name, remote);
657
tls->base.endpt = listener->endpt;
658
tls->base.tpmgr = listener->tpmgr;
659
tls->base.send_msg = &tls_send_msg;
660
tls->base.do_shutdown = &tls_shutdown;
661
tls->base.destroy = &tls_destroy_transport;
665
/* Register transport to transport manager */
666
status = pjsip_transport_register(listener->tpmgr, &tls->base);
667
if (status != PJ_SUCCESS) {
671
tls->is_registered = PJ_TRUE;
673
/* Initialize keep-alive timer */
674
tls->ka_timer.user_data = (void*)tls;
675
tls->ka_timer.cb = &tls_keep_alive_timer;
676
pj_ioqueue_op_key_init(&tls->ka_op_key.key, sizeof(pj_ioqueue_op_key_t));
677
pj_strdup(tls->base.pool, &tls->ka_pkt, &ka_pkt);
679
/* Done setting up basic transport. */
682
PJ_LOG(4,(tls->base.obj_name, "TLS %s transport created",
683
(tls->is_server ? "server" : "client")));
688
tls_destroy(&tls->base, status);
693
/* Flush all delayed transmision once the socket is connected. */
694
static void tls_flush_pending_tx(struct tls_transport *tls)
698
pj_gettickcount(&now);
699
pj_lock_acquire(tls->base.lock);
700
while (!pj_list_empty(&tls->delayed_list)) {
701
struct delayed_tdata *pending_tx;
702
pjsip_tx_data *tdata;
703
pj_ioqueue_op_key_t *op_key;
707
pending_tx = tls->delayed_list.next;
708
pj_list_erase(pending_tx);
710
tdata = pending_tx->tdata_op_key->tdata;
711
op_key = (pj_ioqueue_op_key_t*)pending_tx->tdata_op_key;
713
if (pending_tx->timeout.sec > 0 &&
714
PJ_TIME_VAL_GT(now, pending_tx->timeout))
720
size = tdata->buf.cur - tdata->buf.start;
721
status = pj_ssl_sock_send(tls->ssock, op_key, tdata->buf.start,
724
if (status != PJ_EPENDING) {
725
pj_lock_release(tls->base.lock);
726
on_data_sent(tls->ssock, op_key, size);
727
pj_lock_acquire(tls->base.lock);
730
pj_lock_release(tls->base.lock);
734
/* Called by transport manager to destroy transport */
735
static pj_status_t tls_destroy_transport(pjsip_transport *transport)
737
struct tls_transport *tls = (struct tls_transport*)transport;
739
/* Transport would have been unregistered by now since this callback
740
* is called by transport manager.
742
tls->is_registered = PJ_FALSE;
744
return tls_destroy(transport, tls->close_reason);
748
/* Destroy TLS transport */
749
static pj_status_t tls_destroy(pjsip_transport *transport,
752
struct tls_transport *tls = (struct tls_transport*)transport;
754
if (tls->close_reason == 0)
755
tls->close_reason = reason;
757
if (tls->is_registered) {
758
tls->is_registered = PJ_FALSE;
759
pjsip_transport_destroy(transport);
761
/* pjsip_transport_destroy will recursively call this function
767
/* Mark transport as closing */
768
tls->is_closing = PJ_TRUE;
770
/* Stop keep-alive timer. */
771
if (tls->ka_timer.id) {
772
pjsip_endpt_cancel_timer(tls->base.endpt, &tls->ka_timer);
773
tls->ka_timer.id = PJ_FALSE;
776
/* Cancel all delayed transmits */
777
while (!pj_list_empty(&tls->delayed_list)) {
778
struct delayed_tdata *pending_tx;
779
pj_ioqueue_op_key_t *op_key;
781
pending_tx = tls->delayed_list.next;
782
pj_list_erase(pending_tx);
784
op_key = (pj_ioqueue_op_key_t*)pending_tx->tdata_op_key;
786
on_data_sent(tls->ssock, op_key, -reason);
789
if (tls->rdata.tp_info.pool) {
790
pj_pool_release(tls->rdata.tp_info.pool);
791
tls->rdata.tp_info.pool = NULL;
795
pj_ssl_sock_close(tls->ssock);
798
if (tls->base.lock) {
799
pj_lock_destroy(tls->base.lock);
800
tls->base.lock = NULL;
803
if (tls->base.ref_cnt) {
804
pj_atomic_destroy(tls->base.ref_cnt);
805
tls->base.ref_cnt = NULL;
808
if (tls->base.pool) {
811
if (reason != PJ_SUCCESS) {
812
char errmsg[PJ_ERR_MSG_SIZE];
814
pj_strerror(reason, errmsg, sizeof(errmsg));
815
PJ_LOG(4,(tls->base.obj_name,
816
"TLS transport destroyed with reason %d: %s",
821
PJ_LOG(4,(tls->base.obj_name,
822
"TLS transport destroyed normally"));
826
pool = tls->base.pool;
827
tls->base.pool = NULL;
828
pj_pool_release(pool);
836
* This utility function creates receive data buffers and start
837
* asynchronous recv() operations from the socket. It is called after
838
* accept() or connect() operation complete.
840
static pj_status_t tls_start_read(struct tls_transport *tls)
844
pj_sockaddr *rem_addr;
849
pool = pjsip_endpt_create_pool(tls->base.endpt,
851
PJSIP_POOL_RDATA_LEN,
852
PJSIP_POOL_RDATA_INC);
854
tls_perror(tls->base.obj_name, "Unable to create pool", PJ_ENOMEM);
858
tls->rdata.tp_info.pool = pool;
860
tls->rdata.tp_info.transport = &tls->base;
861
tls->rdata.tp_info.tp_data = tls;
862
tls->rdata.tp_info.op_key.rdata = &tls->rdata;
863
pj_ioqueue_op_key_init(&tls->rdata.tp_info.op_key.op_key,
864
sizeof(pj_ioqueue_op_key_t));
866
tls->rdata.pkt_info.src_addr = tls->base.key.rem_addr;
867
tls->rdata.pkt_info.src_addr_len = sizeof(tls->rdata.pkt_info.src_addr);
868
rem_addr = &tls->base.key.rem_addr;
869
pj_sockaddr_print(rem_addr, tls->rdata.pkt_info.src_name,
870
sizeof(tls->rdata.pkt_info.src_name), 0);
871
tls->rdata.pkt_info.src_port = pj_sockaddr_get_port(rem_addr);
873
size = sizeof(tls->rdata.pkt_info.packet);
874
readbuf[0] = tls->rdata.pkt_info.packet;
875
status = pj_ssl_sock_start_read2(tls->ssock, tls->base.pool, size,
877
if (status != PJ_SUCCESS && status != PJ_EPENDING) {
878
PJ_LOG(4, (tls->base.obj_name,
879
"pj_ssl_sock_start_read() error, status=%d",
888
/* This callback is called by transport manager for the TLS factory
889
* to create outgoing transport to the specified destination.
891
static pj_status_t lis_create_transport(pjsip_tpfactory *factory,
893
pjsip_endpoint *endpt,
894
const pj_sockaddr *rem_addr,
896
pjsip_tx_data *tdata,
897
pjsip_transport **p_transport)
899
struct tls_listener *listener;
900
struct tls_transport *tls;
902
pj_ssl_sock_t *ssock;
903
pj_ssl_sock_param ssock_param;
904
pj_sockaddr local_addr;
905
pj_str_t remote_name;
909
PJ_ASSERT_RETURN(factory && mgr && endpt && rem_addr &&
910
addr_len && p_transport, PJ_EINVAL);
912
/* Check that address is a sockaddr_in or sockaddr_in6*/
913
PJ_ASSERT_RETURN((rem_addr->addr.sa_family == pj_AF_INET() &&
914
addr_len == sizeof(pj_sockaddr_in)) ||
915
(rem_addr->addr.sa_family == pj_AF_INET6() &&
916
addr_len == sizeof(pj_sockaddr_in6)), PJ_EINVAL);
919
listener = (struct tls_listener*)factory;
921
pool = pjsip_endpt_create_pool(listener->endpt, "tls",
922
POOL_TP_INIT, POOL_TP_INC);
923
PJ_ASSERT_RETURN(pool != NULL, PJ_ENOMEM);
925
/* Get remote host name from tdata */
927
remote_name = tdata->dest_info.name;
929
pj_bzero(&remote_name, sizeof(remote_name));
931
/* Build SSL socket param */
932
pj_ssl_sock_param_default(&ssock_param);
933
ssock_param.sock_af = (factory->type & PJSIP_TRANSPORT_IPV6) ?
934
pj_AF_INET6() : pj_AF_INET();
935
ssock_param.cb.on_connect_complete = &on_connect_complete;
936
ssock_param.cb.on_data_read = &on_data_read;
937
ssock_param.cb.on_data_sent = &on_data_sent;
938
ssock_param.async_cnt = 1;
939
ssock_param.ioqueue = pjsip_endpt_get_ioqueue(listener->endpt);
940
ssock_param.server_name = remote_name;
941
ssock_param.timeout = listener->tls_setting.timeout;
942
ssock_param.user_data = NULL; /* pending, must be set later */
943
ssock_param.verify_peer = PJ_FALSE; /* avoid SSL socket closing the socket
944
* due to verification error */
945
if (ssock_param.send_buffer_size < PJSIP_MAX_PKT_LEN)
946
ssock_param.send_buffer_size = PJSIP_MAX_PKT_LEN;
947
if (ssock_param.read_buffer_size < PJSIP_MAX_PKT_LEN)
948
ssock_param.read_buffer_size = PJSIP_MAX_PKT_LEN;
949
ssock_param.ciphers_num = listener->tls_setting.ciphers_num;
950
ssock_param.ciphers = listener->tls_setting.ciphers;
951
ssock_param.qos_type = listener->tls_setting.qos_type;
952
ssock_param.qos_ignore_error = listener->tls_setting.qos_ignore_error;
953
pj_memcpy(&ssock_param.qos_params, &listener->tls_setting.qos_params,
954
sizeof(ssock_param.qos_params));
956
switch(listener->tls_setting.method) {
957
case PJSIP_TLSV1_METHOD:
958
ssock_param.proto = PJ_SSL_SOCK_PROTO_TLS1;
960
case PJSIP_SSLV2_METHOD:
961
ssock_param.proto = PJ_SSL_SOCK_PROTO_SSL2;
963
case PJSIP_SSLV3_METHOD:
964
ssock_param.proto = PJ_SSL_SOCK_PROTO_SSL3;
966
case PJSIP_SSLV23_METHOD:
967
ssock_param.proto = PJ_SSL_SOCK_PROTO_SSL23;
970
ssock_param.proto = PJ_SSL_SOCK_PROTO_DEFAULT;
974
status = pj_ssl_sock_create(pool, &ssock_param, &ssock);
975
if (status != PJ_SUCCESS)
978
/* Apply SSL certificate */
979
if (listener->cert) {
980
status = pj_ssl_sock_set_certificate(ssock, pool, listener->cert);
981
if (status != PJ_SUCCESS)
985
/* Initially set bind address to listener's bind address */
986
pj_sockaddr_init(listener->bound_addr.addr.sa_family,
987
&local_addr, NULL, 0);
988
pj_sockaddr_copy_addr(&local_addr, &listener->bound_addr);
990
/* Create the transport descriptor */
991
status = tls_create(listener, pool, ssock, PJ_FALSE, &local_addr,
992
rem_addr, &remote_name, &tls);
993
if (status != PJ_SUCCESS)
996
/* Set the "pending" SSL socket user data */
997
pj_ssl_sock_set_user_data(tls->ssock, tls);
999
/* Start asynchronous connect() operation */
1000
tls->has_pending_connect = PJ_TRUE;
1001
status = pj_ssl_sock_start_connect(tls->ssock, tls->base.pool,
1002
(pj_sockaddr_t*)&local_addr,
1003
(pj_sockaddr_t*)rem_addr,
1005
if (status == PJ_SUCCESS) {
1006
on_connect_complete(tls->ssock, PJ_SUCCESS);
1007
} else if (status != PJ_EPENDING) {
1008
tls_destroy(&tls->base, status);
1012
if (tls->has_pending_connect) {
1013
pj_ssl_sock_info info;
1015
/* Update local address, just in case local address currently set is
1016
* different now that asynchronous connect() is started.
1019
/* Retrieve the bound address */
1020
status = pj_ssl_sock_get_info(tls->ssock, &info);
1021
if (status == PJ_SUCCESS) {
1022
pj_uint16_t new_port;
1024
new_port = pj_sockaddr_get_port((pj_sockaddr_t*)&info.local_addr);
1026
if (pj_sockaddr_has_addr((pj_sockaddr_t*)&info.local_addr)) {
1027
/* Update sockaddr */
1028
pj_sockaddr_cp((pj_sockaddr_t*)&tls->base.local_addr,
1029
(pj_sockaddr_t*)&info.local_addr);
1030
} else if (new_port && new_port != pj_sockaddr_get_port(
1031
(pj_sockaddr_t*)&tls->base.local_addr))
1033
/* Update port only */
1034
pj_sockaddr_set_port(&tls->base.local_addr,
1038
sockaddr_to_host_port(tls->base.pool, &tls->base.local_name,
1039
&tls->base.local_addr);
1042
PJ_LOG(4,(tls->base.obj_name,
1043
"TLS transport %.*s:%d is connecting to %.*s:%d...",
1044
(int)tls->base.local_name.host.slen,
1045
tls->base.local_name.host.ptr,
1046
tls->base.local_name.port,
1047
(int)tls->base.remote_name.host.slen,
1048
tls->base.remote_name.host.ptr,
1049
tls->base.remote_name.port));
1053
*p_transport = &tls->base;
1060
* This callback is called by SSL socket when pending accept() operation
1063
static pj_bool_t on_accept_complete(pj_ssl_sock_t *ssock,
1064
pj_ssl_sock_t *new_ssock,
1065
const pj_sockaddr_t *src_addr,
1068
struct tls_listener *listener;
1069
struct tls_transport *tls;
1070
pj_ssl_sock_info ssl_info;
1071
char addr[PJ_INET6_ADDRSTRLEN+10];
1072
pjsip_tp_state_callback state_cb;
1073
pj_sockaddr tmp_src_addr;
1074
pj_bool_t is_shutdown;
1077
PJ_UNUSED_ARG(src_addr_len);
1079
listener = (struct tls_listener*) pj_ssl_sock_get_user_data(ssock);
1081
PJ_ASSERT_RETURN(new_ssock, PJ_TRUE);
1083
PJ_LOG(4,(listener->factory.obj_name,
1084
"TLS listener %.*s:%d: got incoming TLS connection "
1086
(int)listener->factory.addr_name.host.slen,
1087
listener->factory.addr_name.host.ptr,
1088
listener->factory.addr_name.port,
1089
pj_sockaddr_print(src_addr, addr, sizeof(addr), 3),
1092
/* Retrieve SSL socket info, close the socket if this is failed
1093
* as the SSL socket info availability is rather critical here.
1095
status = pj_ssl_sock_get_info(new_ssock, &ssl_info);
1096
if (status != PJ_SUCCESS) {
1097
pj_ssl_sock_close(new_ssock);
1101
/* Copy to larger buffer, just in case */
1102
pj_bzero(&tmp_src_addr, sizeof(tmp_src_addr));
1103
pj_sockaddr_cp(&tmp_src_addr, src_addr);
1106
* Incoming connection!
1107
* Create TLS transport for the new socket.
1109
status = tls_create( listener, NULL, new_ssock, PJ_TRUE,
1110
&listener->factory.local_addr,
1111
&tmp_src_addr, NULL, &tls);
1113
if (status != PJ_SUCCESS)
1116
/* Set the "pending" SSL socket user data */
1117
pj_ssl_sock_set_user_data(new_ssock, tls);
1119
/* Prevent immediate transport destroy as application may access it
1120
* (getting info, etc) in transport state notification callback.
1122
pjsip_transport_add_ref(&tls->base);
1124
/* If there is verification error and verification is mandatory, shutdown
1125
* and destroy the transport.
1127
if (ssl_info.verify_status && listener->tls_setting.verify_client) {
1128
if (tls->close_reason == PJ_SUCCESS)
1129
tls->close_reason = PJSIP_TLS_ECERTVERIF;
1130
pjsip_transport_shutdown(&tls->base);
1133
/* Notify transport state to application */
1134
state_cb = pjsip_tpmgr_get_state_cb(tls->base.tpmgr);
1136
pjsip_transport_state_info state_info;
1137
pjsip_tls_state_info tls_info;
1138
pjsip_transport_state tp_state;
1140
/* Init transport state info */
1141
pj_bzero(&tls_info, sizeof(tls_info));
1142
pj_bzero(&state_info, sizeof(state_info));
1143
tls_info.ssl_sock_info = &ssl_info;
1144
state_info.ext_info = &tls_info;
1146
/* Set transport state based on verification status */
1147
if (ssl_info.verify_status && listener->tls_setting.verify_client)
1149
tp_state = PJSIP_TP_STATE_DISCONNECTED;
1150
state_info.status = PJSIP_TLS_ECERTVERIF;
1152
tp_state = PJSIP_TP_STATE_CONNECTED;
1153
state_info.status = PJ_SUCCESS;
1156
(*state_cb)(&tls->base, tp_state, &state_info);
1159
/* Release transport reference. If transport is shutting down, it may
1160
* get destroyed here.
1162
is_shutdown = tls->base.is_shutdown;
1163
pjsip_transport_dec_ref(&tls->base);
1168
status = tls_start_read(tls);
1169
if (status != PJ_SUCCESS) {
1170
PJ_LOG(3,(tls->base.obj_name, "New transport cancelled"));
1171
tls_init_shutdown(tls, status);
1172
tls_destroy(&tls->base, status);
1174
/* Start keep-alive timer */
1175
if (PJSIP_TLS_KEEP_ALIVE_INTERVAL) {
1176
pj_time_val delay = {PJSIP_TLS_KEEP_ALIVE_INTERVAL, 0};
1177
pjsip_endpt_schedule_timer(listener->endpt,
1180
tls->ka_timer.id = PJ_TRUE;
1181
pj_gettimeofday(&tls->last_activity);
1190
* Callback from ioqueue when packet is sent.
1192
static pj_bool_t on_data_sent(pj_ssl_sock_t *ssock,
1193
pj_ioqueue_op_key_t *op_key,
1194
pj_ssize_t bytes_sent)
1196
struct tls_transport *tls = (struct tls_transport*)
1197
pj_ssl_sock_get_user_data(ssock);
1198
pjsip_tx_data_op_key *tdata_op_key = (pjsip_tx_data_op_key*)op_key;
1200
/* Note that op_key may be the op_key from keep-alive, thus
1201
* it will not have tdata etc.
1204
tdata_op_key->tdata = NULL;
1206
if (tdata_op_key->callback) {
1208
* Notify sip_transport.c that packet has been sent.
1210
if (bytes_sent == 0)
1211
bytes_sent = -PJ_RETURN_OS_ERROR(OSERR_ENOTCONN);
1213
tdata_op_key->callback(&tls->base, tdata_op_key->token, bytes_sent);
1215
/* Mark last activity time */
1216
pj_gettimeofday(&tls->last_activity);
1220
/* Check for error/closure */
1221
if (bytes_sent <= 0) {
1224
PJ_LOG(5,(tls->base.obj_name, "TLS send() error, sent=%d",
1227
status = (bytes_sent == 0) ? PJ_RETURN_OS_ERROR(OSERR_ENOTCONN) :
1228
(pj_status_t)-bytes_sent;
1230
tls_init_shutdown(tls, status);
1240
* This callback is called by transport manager to send SIP message
1242
static pj_status_t tls_send_msg(pjsip_transport *transport,
1243
pjsip_tx_data *tdata,
1244
const pj_sockaddr_t *rem_addr,
1247
pjsip_transport_callback callback)
1249
struct tls_transport *tls = (struct tls_transport*)transport;
1251
pj_bool_t delayed = PJ_FALSE;
1252
pj_status_t status = PJ_SUCCESS;
1255
PJ_ASSERT_RETURN(transport && tdata, PJ_EINVAL);
1257
/* Check that there's no pending operation associated with the tdata */
1258
PJ_ASSERT_RETURN(tdata->op_key.tdata == NULL, PJSIP_EPENDINGTX);
1260
/* Check the address is supported */
1261
PJ_ASSERT_RETURN(rem_addr && (addr_len==sizeof(pj_sockaddr_in) ||
1262
addr_len==sizeof(pj_sockaddr_in6)),
1266
tdata->op_key.tdata = tdata;
1267
tdata->op_key.token = token;
1268
tdata->op_key.callback = callback;
1270
/* If asynchronous connect() has not completed yet, just put the
1271
* transmit data in the pending transmission list since we can not
1272
* use the socket yet.
1274
if (tls->has_pending_connect) {
1277
* Looks like connect() is still in progress. Check again (this time
1278
* with holding the lock) to be sure.
1280
pj_lock_acquire(tls->base.lock);
1282
if (tls->has_pending_connect) {
1283
struct delayed_tdata *delayed_tdata;
1286
* connect() is still in progress. Put the transmit data to
1288
* Starting from #1583 (https://trac.pjsip.org/repos/ticket/1583),
1289
* we also add timeout value for the transmit data. When the
1290
* connect() is completed, the timeout value will be checked to
1291
* determine whether the transmit data needs to be sent.
1293
delayed_tdata = PJ_POOL_ZALLOC_T(tdata->pool,
1294
struct delayed_tdata);
1295
delayed_tdata->tdata_op_key = &tdata->op_key;
1296
if (tdata->msg && tdata->msg->type == PJSIP_REQUEST_MSG) {
1297
pj_gettickcount(&delayed_tdata->timeout);
1298
delayed_tdata->timeout.msec += pjsip_cfg()->tsx.td;
1299
pj_time_val_normalize(&delayed_tdata->timeout);
1302
pj_list_push_back(&tls->delayed_list, delayed_tdata);
1303
status = PJ_EPENDING;
1305
/* Prevent pj_ioqueue_send() to be called below */
1309
pj_lock_release(tls->base.lock);
1314
* Transport is ready to go. Send the packet to ioqueue to be
1315
* sent asynchronously.
1317
size = tdata->buf.cur - tdata->buf.start;
1318
status = pj_ssl_sock_send(tls->ssock,
1319
(pj_ioqueue_op_key_t*)&tdata->op_key,
1320
tdata->buf.start, &size, 0);
1322
if (status != PJ_EPENDING) {
1323
/* Not pending (could be immediate success or error) */
1324
tdata->op_key.tdata = NULL;
1326
/* Shutdown transport on closure/errors */
1329
PJ_LOG(5,(tls->base.obj_name, "TLS send() error, sent=%d",
1332
if (status == PJ_SUCCESS)
1333
status = PJ_RETURN_OS_ERROR(OSERR_ENOTCONN);
1335
tls_init_shutdown(tls, status);
1345
* This callback is called by transport manager to shutdown transport.
1347
static pj_status_t tls_shutdown(pjsip_transport *transport)
1349
struct tls_transport *tls = (struct tls_transport*)transport;
1351
/* Stop keep-alive timer. */
1352
if (tls->ka_timer.id) {
1353
pjsip_endpt_cancel_timer(tls->base.endpt, &tls->ka_timer);
1354
tls->ka_timer.id = PJ_FALSE;
1362
* Callback from ioqueue that an incoming data is received from the socket.
1364
static pj_bool_t on_data_read(pj_ssl_sock_t *ssock,
1368
pj_size_t *remainder)
1370
enum { MAX_IMMEDIATE_PACKET = 10 };
1371
struct tls_transport *tls;
1372
pjsip_rx_data *rdata;
1374
PJ_UNUSED_ARG(data);
1376
tls = (struct tls_transport*) pj_ssl_sock_get_user_data(ssock);
1377
rdata = &tls->rdata;
1379
/* Don't do anything if transport is closing. */
1380
if (tls->is_closing) {
1385
/* Houston, we have packet! Report the packet to transport manager
1388
if (status == PJ_SUCCESS) {
1389
pj_size_t size_eaten;
1391
/* Mark this as an activity */
1392
pj_gettimeofday(&tls->last_activity);
1394
pj_assert((void*)rdata->pkt_info.packet == data);
1396
/* Init pkt_info part. */
1397
rdata->pkt_info.len = size;
1398
rdata->pkt_info.zero = 0;
1399
pj_gettimeofday(&rdata->pkt_info.timestamp);
1401
/* Report to transport manager.
1402
* The transport manager will tell us how many bytes of the packet
1403
* have been processed (as valid SIP message).
1406
pjsip_tpmgr_receive_packet(rdata->tp_info.transport->tpmgr,
1409
pj_assert(size_eaten <= (pj_size_t)rdata->pkt_info.len);
1411
/* Move unprocessed data to the front of the buffer */
1412
*remainder = size - size_eaten;
1413
if (*remainder > 0 && *remainder != size) {
1414
pj_memmove(rdata->pkt_info.packet,
1415
rdata->pkt_info.packet + size_eaten,
1421
/* Transport is closed */
1422
PJ_LOG(4,(tls->base.obj_name, "TLS connection closed"));
1424
tls_init_shutdown(tls, status);
1431
pj_pool_reset(rdata->tp_info.pool);
1438
* Callback from ioqueue when asynchronous connect() operation completes.
1440
static pj_bool_t on_connect_complete(pj_ssl_sock_t *ssock,
1443
struct tls_transport *tls;
1444
pj_ssl_sock_info ssl_info;
1445
pj_sockaddr addr, *tp_addr;
1446
pjsip_tp_state_callback state_cb;
1447
pj_bool_t is_shutdown;
1449
tls = (struct tls_transport*) pj_ssl_sock_get_user_data(ssock);
1451
/* Check connect() status */
1452
if (status != PJ_SUCCESS) {
1454
tls_perror(tls->base.obj_name, "TLS connect() error", status);
1456
/* Cancel all delayed transmits */
1457
while (!pj_list_empty(&tls->delayed_list)) {
1458
struct delayed_tdata *pending_tx;
1459
pj_ioqueue_op_key_t *op_key;
1461
pending_tx = tls->delayed_list.next;
1462
pj_list_erase(pending_tx);
1464
op_key = (pj_ioqueue_op_key_t*)pending_tx->tdata_op_key;
1466
on_data_sent(tls->ssock, op_key, -status);
1472
/* Retrieve SSL socket info, shutdown the transport if this is failed
1473
* as the SSL socket info availability is rather critical here.
1475
status = pj_ssl_sock_get_info(tls->ssock, &ssl_info);
1476
if (status != PJ_SUCCESS)
1479
/* Update (again) local address, just in case local address currently
1480
* set is different now that the socket is connected (could happen
1481
* on some systems, like old Win32 probably?).
1483
tp_addr = &tls->base.local_addr;
1484
pj_sockaddr_cp((pj_sockaddr_t*)&addr,
1485
(pj_sockaddr_t*)&ssl_info.local_addr);
1486
if (pj_sockaddr_cmp(tp_addr, &addr) != 0) {
1487
pj_sockaddr_cp(tp_addr, &addr);
1488
sockaddr_to_host_port(tls->base.pool, &tls->base.local_name,
1492
/* Server identity verification based on server certificate. */
1493
if (ssl_info.remote_cert_info->version) {
1494
pj_str_t *remote_name;
1495
pj_ssl_cert_info *serv_cert = ssl_info.remote_cert_info;
1496
pj_bool_t matched = PJ_FALSE;
1499
/* Remote name may be hostname or IP address */
1500
if (tls->remote_name.slen)
1501
remote_name = &tls->remote_name;
1503
remote_name = &tls->base.remote_name.host;
1505
/* Start matching remote name with SubjectAltName fields of
1506
* server certificate.
1508
for (i = 0; i < serv_cert->subj_alt_name.cnt && !matched; ++i) {
1509
pj_str_t *cert_name = &serv_cert->subj_alt_name.entry[i].name;
1511
switch (serv_cert->subj_alt_name.entry[i].type) {
1512
case PJ_SSL_CERT_NAME_DNS:
1513
case PJ_SSL_CERT_NAME_IP:
1514
matched = !pj_stricmp(remote_name, cert_name);
1516
case PJ_SSL_CERT_NAME_URI:
1517
if (pj_strnicmp2(cert_name, "sip:", 4) == 0 ||
1518
pj_strnicmp2(cert_name, "sips:", 5) == 0)
1523
p = pj_strchr(cert_name, ':') + 1;
1524
pj_strset(&host_part, p, cert_name->slen -
1525
(p - cert_name->ptr));
1526
matched = !pj_stricmp(remote_name, &host_part);
1534
/* When still not matched or no SubjectAltName fields in server
1535
* certificate, try with Common Name of Subject field.
1538
matched = !pj_stricmp(remote_name, &serv_cert->subject.cn);
1542
ssl_info.verify_status |= PJ_SSL_CERT_EIDENTITY_NOT_MATCH;
1545
/* Prevent immediate transport destroy as application may access it
1546
* (getting info, etc) in transport state notification callback.
1548
pjsip_transport_add_ref(&tls->base);
1550
/* If there is verification error and verification is mandatory, shutdown
1551
* and destroy the transport.
1553
if (ssl_info.verify_status && tls->verify_server) {
1554
if (tls->close_reason == PJ_SUCCESS)
1555
tls->close_reason = PJSIP_TLS_ECERTVERIF;
1556
pjsip_transport_shutdown(&tls->base);
1559
/* Notify transport state to application */
1560
state_cb = pjsip_tpmgr_get_state_cb(tls->base.tpmgr);
1562
pjsip_transport_state_info state_info;
1563
pjsip_tls_state_info tls_info;
1564
pjsip_transport_state tp_state;
1566
/* Init transport state info */
1567
pj_bzero(&state_info, sizeof(state_info));
1568
pj_bzero(&tls_info, sizeof(tls_info));
1569
state_info.ext_info = &tls_info;
1570
tls_info.ssl_sock_info = &ssl_info;
1572
/* Set transport state based on verification status */
1573
if (ssl_info.verify_status && tls->verify_server)
1575
tp_state = PJSIP_TP_STATE_DISCONNECTED;
1576
state_info.status = PJSIP_TLS_ECERTVERIF;
1578
tp_state = PJSIP_TP_STATE_CONNECTED;
1579
state_info.status = PJ_SUCCESS;
1582
(*state_cb)(&tls->base, tp_state, &state_info);
1585
/* Release transport reference. If transport is shutting down, it may
1586
* get destroyed here.
1588
is_shutdown = tls->base.is_shutdown;
1589
pjsip_transport_dec_ref(&tls->base);
1591
status = tls->close_reason;
1592
tls_perror(tls->base.obj_name, "TLS connect() error", status);
1594
/* Cancel all delayed transmits */
1595
while (!pj_list_empty(&tls->delayed_list)) {
1596
struct delayed_tdata *pending_tx;
1597
pj_ioqueue_op_key_t *op_key;
1599
pending_tx = tls->delayed_list.next;
1600
pj_list_erase(pending_tx);
1602
op_key = (pj_ioqueue_op_key_t*)pending_tx->tdata_op_key;
1604
on_data_sent(tls->ssock, op_key, -status);
1611
/* Mark that pending connect() operation has completed. */
1612
tls->has_pending_connect = PJ_FALSE;
1614
PJ_LOG(4,(tls->base.obj_name,
1615
"TLS transport %.*s:%d is connected to %.*s:%d",
1616
(int)tls->base.local_name.host.slen,
1617
tls->base.local_name.host.ptr,
1618
tls->base.local_name.port,
1619
(int)tls->base.remote_name.host.slen,
1620
tls->base.remote_name.host.ptr,
1621
tls->base.remote_name.port));
1623
/* Start pending read */
1624
status = tls_start_read(tls);
1625
if (status != PJ_SUCCESS)
1628
/* Flush all pending send operations */
1629
tls_flush_pending_tx(tls);
1631
/* Start keep-alive timer */
1632
if (PJSIP_TLS_KEEP_ALIVE_INTERVAL) {
1633
pj_time_val delay = { PJSIP_TLS_KEEP_ALIVE_INTERVAL, 0 };
1634
pjsip_endpt_schedule_timer(tls->base.endpt, &tls->ka_timer,
1636
tls->ka_timer.id = PJ_TRUE;
1637
pj_gettimeofday(&tls->last_activity);
1643
tls_init_shutdown(tls, status);
1649
/* Transport keep-alive timer callback */
1650
static void tls_keep_alive_timer(pj_timer_heap_t *th, pj_timer_entry *e)
1652
struct tls_transport *tls = (struct tls_transport*) e->user_data;
1660
tls->ka_timer.id = PJ_TRUE;
1662
pj_gettimeofday(&now);
1663
PJ_TIME_VAL_SUB(now, tls->last_activity);
1665
if (now.sec > 0 && now.sec < PJSIP_TLS_KEEP_ALIVE_INTERVAL) {
1666
/* There has been activity, so don't send keep-alive */
1667
delay.sec = PJSIP_TLS_KEEP_ALIVE_INTERVAL - now.sec;
1670
pjsip_endpt_schedule_timer(tls->base.endpt, &tls->ka_timer,
1672
tls->ka_timer.id = PJ_TRUE;
1676
PJ_LOG(5,(tls->base.obj_name, "Sending %d byte(s) keep-alive to %.*s:%d",
1677
(int)tls->ka_pkt.slen, (int)tls->base.remote_name.host.slen,
1678
tls->base.remote_name.host.ptr,
1679
tls->base.remote_name.port));
1682
size = tls->ka_pkt.slen;
1683
status = pj_ssl_sock_send(tls->ssock, &tls->ka_op_key.key,
1684
tls->ka_pkt.ptr, &size, 0);
1686
if (status != PJ_SUCCESS && status != PJ_EPENDING) {
1687
tls_perror(tls->base.obj_name,
1688
"Error sending keep-alive packet", status);
1690
tls_init_shutdown(tls, status);
1694
/* Register next keep-alive */
1695
delay.sec = PJSIP_TLS_KEEP_ALIVE_INTERVAL;
1698
pjsip_endpt_schedule_timer(tls->base.endpt, &tls->ka_timer,
1700
tls->ka_timer.id = PJ_TRUE;
1703
#endif /* PJSIP_HAS_TLS_TRANSPORT */