1
/* $Id: ssl_sock_ossl.c 4624 2013-10-21 06:37:30Z ming $ */
3
* Copyright (C) 2009-2011 Teluu Inc. (http://www.teluu.com)
5
* This program is free software; you can redistribute it and/or modify
6
* it under the terms of the GNU General Public License as published by
7
* the Free Software Foundation; either version 2 of the License, or
8
* (at your option) any later version.
10
* This program is distributed in the hope that it will be useful,
11
* but WITHOUT ANY WARRANTY; without even the implied warranty of
12
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13
* GNU General Public License for more details.
15
* You should have received a copy of the GNU General Public License
16
* along with this program; if not, write to the Free Software
17
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19
#include <pj/ssl_sock.h>
20
#include <pj/activesock.h>
21
#include <pj/compat/socket.h>
22
#include <pj/assert.h>
30
#include <pj/string.h>
34
/* Only build when PJ_HAS_SSL_SOCK is enabled */
35
#if defined(PJ_HAS_SSL_SOCK) && PJ_HAS_SSL_SOCK!=0
37
#define THIS_FILE "ssl_sock_ossl.c"
39
/* Workaround for ticket #985 */
40
#define DELAYED_CLOSE_TIMEOUT 200
43
#define MAX_CIPHERS 100
46
* Include OpenSSL headers
48
#include <openssl/bio.h>
49
#include <openssl/ssl.h>
50
#include <openssl/err.h>
51
#include <openssl/x509v3.h>
55
# pragma comment( lib, "libeay32")
56
# pragma comment( lib, "ssleay32")
61
* SSL/TLS state enumeration.
65
SSL_STATE_HANDSHAKING,
70
* Internal timer types.
75
TIMER_HANDSHAKE_TIMEOUT,
80
* Structure of SSL socket read buffer.
82
typedef struct read_data_t
89
* Get the offset of pointer to read-buffer of SSL socket from read-buffer
90
* of active socket. Note that both SSL socket and active socket employ
91
* different but correlated read-buffers (as much as async_cnt for each),
92
* and to make it easier/faster to find corresponding SSL socket's read-buffer
93
* from known active socket's read-buffer, the pointer of corresponding
94
* SSL socket's read-buffer is stored right after the end of active socket's
97
#define OFFSET_OF_READ_DATA_PTR(ssock, asock_rbuf) \
99
((pj_int8_t*)(asock_rbuf) + \
100
ssock->param.read_buffer_size)
103
* Structure of SSL socket write data.
105
typedef struct write_data_t {
106
PJ_DECL_LIST_MEMBER(struct write_data_t);
107
pj_ioqueue_op_key_t key;
108
pj_size_t record_len;
109
pj_ioqueue_op_key_t *app_key;
110
pj_size_t plain_data_len;
120
* Structure of SSL socket write buffer (circular buffer).
122
typedef struct send_buf_t {
130
* Secure socket structure definition.
135
pj_ssl_sock_t *parent;
136
pj_ssl_sock_param param;
139
pj_ssl_cert_info local_cert_info;
140
pj_ssl_cert_info remote_cert_info;
143
enum ssl_state ssl_state;
144
pj_ioqueue_op_key_t handshake_op_key;
145
pj_timer_entry timer;
146
pj_status_t verify_status;
148
unsigned long last_err;
151
pj_activesock_t *asock;
153
pj_sockaddr local_addr;
154
pj_sockaddr rem_addr;
157
pj_bool_t read_started;
159
pj_uint32_t read_flags;
161
read_data_t *ssock_rbuf;
163
write_data_t write_pending;/* list of pending write to OpenSSL */
164
write_data_t write_pending_empty; /* cache for write_pending */
165
pj_bool_t flushing_write_pend; /* flag of flushing is ongoing*/
167
write_data_t send_pending; /* list of pending write to network */
168
pj_lock_t *write_mutex; /* protect write BIO and send_buf */
178
* Certificate/credential structure definition.
184
pj_str_t privkey_file;
185
pj_str_t privkey_pass;
189
static write_data_t* alloc_send_data(pj_ssl_sock_t *ssock, pj_size_t len);
190
static void free_send_data(pj_ssl_sock_t *ssock, write_data_t *wdata);
191
static pj_status_t flush_delayed_send(pj_ssl_sock_t *ssock);
194
*******************************************************************
195
* Static/internal functions.
196
*******************************************************************
200
* Mapping from OpenSSL error codes to pjlib error space.
203
#define PJ_SSL_ERRNO_START (PJ_ERRNO_START_USER + \
204
PJ_ERRNO_SPACE_SIZE*6)
206
#define PJ_SSL_ERRNO_SPACE_SIZE PJ_ERRNO_SPACE_SIZE
208
/* Expected maximum value of reason component in OpenSSL error code */
209
#define MAX_OSSL_ERR_REASON 1200
211
static pj_status_t STATUS_FROM_SSL_ERR(pj_ssl_sock_t *ssock,
216
/* General SSL error, dig more from OpenSSL error queue */
217
if (err == SSL_ERROR_SSL)
218
err = ERR_get_error();
220
/* OpenSSL error range is much wider than PJLIB errno space, so
221
* if it exceeds the space, only the error reason will be kept.
222
* Note that the last native error will be kept as is and can be
223
* retrieved via SSL socket info.
225
status = ERR_GET_LIB(err)*MAX_OSSL_ERR_REASON + ERR_GET_REASON(err);
226
if (status > PJ_SSL_ERRNO_SPACE_SIZE)
227
status = ERR_GET_REASON(err);
229
status += PJ_SSL_ERRNO_START;
230
ssock->last_err = err;
234
static pj_status_t GET_SSL_STATUS(pj_ssl_sock_t *ssock)
236
return STATUS_FROM_SSL_ERR(ssock, ERR_get_error());
241
* Get error string of OpenSSL.
243
static pj_str_t ssl_strerror(pj_status_t status,
244
char *buf, pj_size_t bufsize)
247
unsigned long ssl_err = status;
251
ssl_err -= PJ_SSL_ERRNO_START;
252
l = ssl_err / MAX_OSSL_ERR_REASON;
253
r = ssl_err % MAX_OSSL_ERR_REASON;
254
ssl_err = ERR_PACK(l, 0, r);
257
#if defined(PJ_HAS_ERROR_STRING) && (PJ_HAS_ERROR_STRING != 0)
260
const char *tmp = NULL;
261
tmp = ERR_reason_error_string(ssl_err);
263
pj_ansi_strncpy(buf, tmp, bufsize);
264
errstr = pj_str(buf);
269
#endif /* PJ_HAS_ERROR_STRING */
272
errstr.slen = pj_ansi_snprintf(buf, bufsize,
273
"Unknown OpenSSL error %lu",
275
if (errstr.slen < 1 || errstr.slen >= (int)bufsize)
276
errstr.slen = bufsize - 1;
281
/* OpenSSL library initialization counter */
282
static int openssl_init_count;
284
/* OpenSSL available ciphers */
285
static unsigned openssl_cipher_num;
286
static struct openssl_ciphers_t {
289
} openssl_ciphers[MAX_CIPHERS];
291
/* OpenSSL application data index */
292
static int sslsock_idx;
295
/* Initialize OpenSSL */
296
static pj_status_t init_openssl(void)
300
if (openssl_init_count)
303
openssl_init_count = 1;
305
/* Register error subsystem */
306
status = pj_register_strerror(PJ_SSL_ERRNO_START,
307
PJ_SSL_ERRNO_SPACE_SIZE,
309
pj_assert(status == PJ_SUCCESS);
311
/* Init OpenSSL lib */
313
SSL_load_error_strings();
314
OpenSSL_add_all_algorithms();
316
/* Init available ciphers */
317
if (openssl_cipher_num == 0) {
318
SSL_METHOD *meth = NULL;
321
STACK_OF(SSL_CIPHER) *sk_cipher;
324
meth = (SSL_METHOD*)SSLv23_server_method();
326
meth = (SSL_METHOD*)TLSv1_server_method();
328
meth = (SSL_METHOD*)SSLv3_server_method();
329
#ifndef OPENSSL_NO_SSL2
331
meth = (SSL_METHOD*)SSLv2_server_method();
335
ctx=SSL_CTX_new(meth);
336
SSL_CTX_set_cipher_list(ctx, "ALL");
339
sk_cipher = SSL_get_ciphers(ssl);
341
n = sk_SSL_CIPHER_num(sk_cipher);
342
if (n > PJ_ARRAY_SIZE(openssl_ciphers))
343
n = PJ_ARRAY_SIZE(openssl_ciphers);
345
for (i = 0; i < n; ++i) {
347
c = sk_SSL_CIPHER_value(sk_cipher,i);
348
openssl_ciphers[i].id = (pj_ssl_cipher)
349
(pj_uint32_t)c->id & 0x00FFFFFF;
350
openssl_ciphers[i].name = SSL_CIPHER_get_name(c);
356
openssl_cipher_num = n;
359
/* Create OpenSSL application data index for SSL socket */
360
sslsock_idx = SSL_get_ex_new_index(0, "SSL socket", NULL, NULL, NULL);
366
/* Shutdown OpenSSL */
367
static void shutdown_openssl(void)
369
PJ_UNUSED_ARG(openssl_init_count);
373
/* SSL password callback. */
374
static int password_cb(char *buf, int num, int rwflag, void *user_data)
376
pj_ssl_cert_t *cert = (pj_ssl_cert_t*) user_data;
378
PJ_UNUSED_ARG(rwflag);
380
if(num < cert->privkey_pass.slen)
383
pj_memcpy(buf, cert->privkey_pass.ptr, cert->privkey_pass.slen);
384
return (int)cert->privkey_pass.slen;
388
/* SSL password callback. */
389
static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
391
pj_ssl_sock_t *ssock;
395
/* Get SSL instance */
396
ossl_ssl = X509_STORE_CTX_get_ex_data(x509_ctx,
397
SSL_get_ex_data_X509_STORE_CTX_idx());
400
/* Get SSL socket instance */
401
ssock = SSL_get_ex_data(ossl_ssl, sslsock_idx);
404
/* Store verification status */
405
err = X509_STORE_CTX_get_error(x509_ctx);
410
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
411
ssock->verify_status |= PJ_SSL_CERT_EISSUER_NOT_FOUND;
414
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
415
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
416
case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
417
case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
418
ssock->verify_status |= PJ_SSL_CERT_EINVALID_FORMAT;
421
case X509_V_ERR_CERT_NOT_YET_VALID:
422
case X509_V_ERR_CERT_HAS_EXPIRED:
423
ssock->verify_status |= PJ_SSL_CERT_EVALIDITY_PERIOD;
426
case X509_V_ERR_UNABLE_TO_GET_CRL:
427
case X509_V_ERR_CRL_NOT_YET_VALID:
428
case X509_V_ERR_CRL_HAS_EXPIRED:
429
case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
430
case X509_V_ERR_CRL_SIGNATURE_FAILURE:
431
case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
432
case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
433
ssock->verify_status |= PJ_SSL_CERT_ECRL_FAILURE;
436
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
437
case X509_V_ERR_CERT_UNTRUSTED:
438
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
439
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
440
ssock->verify_status |= PJ_SSL_CERT_EUNTRUSTED;
443
case X509_V_ERR_CERT_SIGNATURE_FAILURE:
444
case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
445
case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
446
case X509_V_ERR_AKID_SKID_MISMATCH:
447
case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
448
case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
449
ssock->verify_status |= PJ_SSL_CERT_EISSUER_MISMATCH;
452
case X509_V_ERR_CERT_REVOKED:
453
ssock->verify_status |= PJ_SSL_CERT_EREVOKED;
456
case X509_V_ERR_INVALID_PURPOSE:
457
case X509_V_ERR_CERT_REJECTED:
458
case X509_V_ERR_INVALID_CA:
459
ssock->verify_status |= PJ_SSL_CERT_EINVALID_PURPOSE;
462
case X509_V_ERR_CERT_CHAIN_TOO_LONG: /* not really used */
463
case X509_V_ERR_PATH_LENGTH_EXCEEDED:
464
ssock->verify_status |= PJ_SSL_CERT_ECHAIN_TOO_LONG;
468
case X509_V_ERR_OUT_OF_MEM:
470
ssock->verify_status |= PJ_SSL_CERT_EUNKNOWN;
474
/* When verification is not requested just return ok here, however
475
* application can still get the verification status.
477
if (PJ_FALSE == ssock->param.verify_peer)
483
/* Setting SSL sock cipher list */
484
static pj_status_t set_cipher_list(pj_ssl_sock_t *ssock);
487
/* Create and initialize new SSL context and instance */
488
static pj_status_t create_ssl(pj_ssl_sock_t *ssock)
490
SSL_METHOD *ssl_method;
500
/* Make sure OpenSSL library has been initialized */
503
/* Determine SSL method to use */
504
switch (ssock->param.proto) {
505
case PJ_SSL_SOCK_PROTO_DEFAULT:
506
case PJ_SSL_SOCK_PROTO_TLS1:
507
ssl_method = (SSL_METHOD*)TLSv1_method();
509
#ifndef OPENSSL_NO_SSL2
510
case PJ_SSL_SOCK_PROTO_SSL2:
511
ssl_method = (SSL_METHOD*)SSLv2_method();
514
case PJ_SSL_SOCK_PROTO_SSL3:
515
ssl_method = (SSL_METHOD*)SSLv3_method();
517
case PJ_SSL_SOCK_PROTO_SSL23:
518
ssl_method = (SSL_METHOD*)SSLv23_method();
520
//case PJ_SSL_SOCK_PROTO_DTLS1:
521
//ssl_method = (SSL_METHOD*)DTLSv1_method();
527
/* Create SSL context */
528
ctx = SSL_CTX_new(ssl_method);
530
return GET_SSL_STATUS(ssock);
533
/* Apply credentials */
535
/* Load CA list if one is specified. */
536
if (cert->CA_file.slen) {
538
rc = SSL_CTX_load_verify_locations(ctx, cert->CA_file.ptr, NULL);
541
status = GET_SSL_STATUS(ssock);
542
PJ_LOG(1,(ssock->pool->obj_name, "Error loading CA list file "
543
"'%s'", cert->CA_file.ptr));
549
/* Set password callback */
550
if (cert->privkey_pass.slen) {
551
SSL_CTX_set_default_passwd_cb(ctx, password_cb);
552
SSL_CTX_set_default_passwd_cb_userdata(ctx, cert);
556
/* Load certificate if one is specified */
557
if (cert->cert_file.slen) {
559
/* Load certificate chain from file into ctx */
560
rc = SSL_CTX_use_certificate_chain_file(ctx, cert->cert_file.ptr);
563
status = GET_SSL_STATUS(ssock);
564
PJ_LOG(1,(ssock->pool->obj_name, "Error loading certificate "
565
"chain file '%s'", cert->cert_file.ptr));
572
/* Load private key if one is specified */
573
if (cert->privkey_file.slen) {
574
/* Adds the first private key found in file to ctx */
575
rc = SSL_CTX_use_PrivateKey_file(ctx, cert->privkey_file.ptr,
579
status = GET_SSL_STATUS(ssock);
580
PJ_LOG(1,(ssock->pool->obj_name, "Error adding private key "
581
"from '%s'", cert->privkey_file.ptr));
588
/* Create SSL instance */
589
ssock->ossl_ctx = ctx;
590
ssock->ossl_ssl = SSL_new(ssock->ossl_ctx);
591
if (ssock->ossl_ssl == NULL) {
592
return GET_SSL_STATUS(ssock);
595
/* Set SSL sock as application data of SSL instance */
596
SSL_set_ex_data(ssock->ossl_ssl, sslsock_idx, ssock);
598
/* SSL verification options */
599
mode = SSL_VERIFY_PEER;
600
if (ssock->is_server && ssock->param.require_client_cert)
601
mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
603
SSL_set_verify(ssock->ossl_ssl, mode, &verify_cb);
605
/* Set cipher list */
606
status = set_cipher_list(ssock);
607
if (status != PJ_SUCCESS)
611
ssock->ossl_rbio = BIO_new(BIO_s_mem());
612
ssock->ossl_wbio = BIO_new(BIO_s_mem());
613
(void)BIO_set_close(ssock->ossl_rbio, BIO_CLOSE);
614
(void)BIO_set_close(ssock->ossl_wbio, BIO_CLOSE);
615
SSL_set_bio(ssock->ossl_ssl, ssock->ossl_rbio, ssock->ossl_wbio);
621
/* Destroy SSL context and instance */
622
static void destroy_ssl(pj_ssl_sock_t *ssock)
624
/* Destroy SSL instance */
625
if (ssock->ossl_ssl) {
626
SSL_shutdown(ssock->ossl_ssl);
627
SSL_free(ssock->ossl_ssl); /* this will also close BIOs */
628
ssock->ossl_ssl = NULL;
631
/* Destroy SSL context */
632
if (ssock->ossl_ctx) {
633
SSL_CTX_free(ssock->ossl_ctx);
634
ssock->ossl_ctx = NULL;
637
/* Potentially shutdown OpenSSL library if this is the last
644
/* Reset SSL socket state */
645
static void reset_ssl_sock_state(pj_ssl_sock_t *ssock)
647
ssock->ssl_state = SSL_STATE_NULL;
652
pj_activesock_close(ssock->asock);
654
ssock->sock = PJ_INVALID_SOCKET;
656
if (ssock->sock != PJ_INVALID_SOCKET) {
657
pj_sock_close(ssock->sock);
658
ssock->sock = PJ_INVALID_SOCKET;
661
/* Upon error, OpenSSL may leave any error description in the thread
662
* error queue, which sometime may cause next call to SSL API returning
663
* false error alarm, e.g: in Linux, SSL_CTX_use_certificate_chain_file()
664
* returning false error after a handshake error (in different SSL_CTX!).
665
* For now, just clear thread error queue here.
671
/* Generate cipher list with user preference order in OpenSSL format */
672
static pj_status_t set_cipher_list(pj_ssl_sock_t *ssock)
675
pj_str_t cipher_list;
676
STACK_OF(SSL_CIPHER) *sk_cipher;
680
if (ssock->param.ciphers_num == 0)
683
pj_strset(&cipher_list, buf, 0);
685
/* Set SSL with ALL available ciphers */
686
SSL_set_cipher_list(ssock->ossl_ssl, "ALL");
688
/* Generate user specified cipher list in OpenSSL format */
689
sk_cipher = SSL_get_ciphers(ssock->ossl_ssl);
690
for (i = 0; i < ssock->param.ciphers_num; ++i) {
691
for (j = 0; j < sk_SSL_CIPHER_num(sk_cipher); ++j) {
693
c = sk_SSL_CIPHER_value(sk_cipher, j);
694
if (ssock->param.ciphers[i] == (pj_ssl_cipher)
695
((pj_uint32_t)c->id & 0x00FFFFFF))
699
c_name = SSL_CIPHER_get_name(c);
701
/* Check buffer size */
702
if (cipher_list.slen + pj_ansi_strlen(c_name) + 2 > sizeof(buf)) {
703
pj_assert(!"Insufficient temporary buffer for cipher");
707
/* Add colon separator */
708
if (cipher_list.slen)
709
pj_strcat2(&cipher_list, ":");
712
pj_strcat2(&cipher_list, c_name);
718
/* Put NULL termination in the generated cipher list */
719
cipher_list.ptr[cipher_list.slen] = '\0';
721
/* Finally, set chosen cipher list */
722
ret = SSL_set_cipher_list(ssock->ossl_ssl, buf);
724
return GET_SSL_STATUS(ssock);
731
/* Parse OpenSSL ASN1_TIME to pj_time_val and GMT info */
732
static pj_bool_t parse_ossl_asn1_time(pj_time_val *tv, pj_bool_t *gmt,
735
unsigned long parts[7] = {0};
742
utc = tm->type == V_ASN1_UTCTIME;
748
*gmt = (*end == 'Z');
751
for (i = 0; i < 7 && p < end; ++i) {
755
/* 4 digits year part for non-UTC time format */
758
/* fraction of seconds */
760
st.slen = end - p + 1;
762
/* other parts always 2 digits length */
767
parts[i] = pj_strtoul(&st);
771
/* encode parts to pj_time_val */
774
pt.year += (pt.year < 50)? 2000:1900;
775
pt.mon = parts[1] - 1;
782
pj_time_encode(&pt, tv);
788
/* Get Common Name field string from a general name string */
789
static void get_cn_from_gen_name(const pj_str_t *gen_name, pj_str_t *cn)
791
pj_str_t CN_sign = {"/CN=", 4};
794
pj_bzero(cn, sizeof(cn));
796
p = pj_strstr(gen_name, &CN_sign);
800
p += 4; /* shift pointer to value part */
801
pj_strset(cn, p, gen_name->slen - (p - gen_name->ptr));
802
q = pj_strchr(cn, '/');
808
/* Get certificate info from OpenSSL X509, in case the certificate info
809
* hal already populated, this function will check if the contents need
810
* to be updated by inspecting the issuer and the serial number.
812
static void get_cert_info(pj_pool_t *pool, pj_ssl_cert_info *ci, X509 *x)
814
pj_bool_t update_needed;
816
pj_uint8_t serial_no[64] = {0}; /* should be >= sizeof(ci->serial_no) */
819
GENERAL_NAMES *names = NULL;
821
pj_assert(pool && ci && x);
824
X509_NAME_oneline(X509_get_issuer_name(x), buf, sizeof(buf));
827
p = (pj_uint8_t*) M_ASN1_STRING_data(X509_get_serialNumber(x));
828
len = M_ASN1_STRING_length(X509_get_serialNumber(x));
829
if (len > sizeof(ci->serial_no))
830
len = sizeof(ci->serial_no);
831
pj_memcpy(serial_no + sizeof(ci->serial_no) - len, p, len);
833
/* Check if the contents need to be updated. */
834
update_needed = pj_strcmp2(&ci->issuer.info, buf) ||
835
pj_memcmp(ci->serial_no, serial_no, sizeof(ci->serial_no));
839
/* Update cert info */
841
pj_bzero(ci, sizeof(pj_ssl_cert_info));
844
ci->version = X509_get_version(x) + 1;
847
pj_strdup2(pool, &ci->issuer.info, buf);
848
get_cn_from_gen_name(&ci->issuer.info, &ci->issuer.cn);
851
pj_memcpy(ci->serial_no, serial_no, sizeof(ci->serial_no));
854
pj_strdup2(pool, &ci->subject.info,
855
X509_NAME_oneline(X509_get_subject_name(x),
857
get_cn_from_gen_name(&ci->subject.info, &ci->subject.cn);
860
parse_ossl_asn1_time(&ci->validity.start, &ci->validity.gmt,
861
X509_get_notBefore(x));
862
parse_ossl_asn1_time(&ci->validity.end, &ci->validity.gmt,
863
X509_get_notAfter(x));
865
/* Subject Alternative Name extension */
866
if (ci->version >= 3) {
867
names = (GENERAL_NAMES*) X509_get_ext_d2i(x, NID_subject_alt_name,
873
cnt = sk_GENERAL_NAME_num(names);
874
ci->subj_alt_name.entry = pj_pool_calloc(pool, cnt,
875
sizeof(*ci->subj_alt_name.entry));
877
for (i = 0; i < cnt; ++i) {
878
unsigned char *p = 0;
879
pj_ssl_cert_name_type type = PJ_SSL_CERT_NAME_UNKNOWN;
880
const GENERAL_NAME *name;
882
name = sk_GENERAL_NAME_value(names, i);
884
switch (name->type) {
886
len = ASN1_STRING_to_UTF8(&p, name->d.ia5);
887
type = PJ_SSL_CERT_NAME_RFC822;
890
len = ASN1_STRING_to_UTF8(&p, name->d.ia5);
891
type = PJ_SSL_CERT_NAME_DNS;
894
len = ASN1_STRING_to_UTF8(&p, name->d.ia5);
895
type = PJ_SSL_CERT_NAME_URI;
898
p = ASN1_STRING_data(name->d.ip);
899
len = ASN1_STRING_length(name->d.ip);
900
type = PJ_SSL_CERT_NAME_IP;
906
if (p && len && type != PJ_SSL_CERT_NAME_UNKNOWN) {
907
ci->subj_alt_name.entry[ci->subj_alt_name.cnt].type = type;
908
if (type == PJ_SSL_CERT_NAME_IP) {
909
int af = pj_AF_INET();
910
if (len == sizeof(pj_in6_addr)) af = pj_AF_INET6();
911
pj_inet_ntop2(af, p, buf, sizeof(buf));
913
&ci->subj_alt_name.entry[ci->subj_alt_name.cnt].name,
917
&ci->subj_alt_name.entry[ci->subj_alt_name.cnt].name,
921
ci->subj_alt_name.cnt++;
928
/* Update local & remote certificates info. This function should be
929
* called after handshake or renegotiation successfully completed.
931
static void update_certs_info(pj_ssl_sock_t *ssock)
935
pj_assert(ssock->ssl_state == SSL_STATE_ESTABLISHED);
937
/* Active local certificate */
938
x = SSL_get_certificate(ssock->ossl_ssl);
940
get_cert_info(ssock->pool, &ssock->local_cert_info, x);
941
/* Don't free local's X509! */
943
pj_bzero(&ssock->local_cert_info, sizeof(pj_ssl_cert_info));
946
/* Active remote certificate */
947
x = SSL_get_peer_certificate(ssock->ossl_ssl);
949
get_cert_info(ssock->pool, &ssock->remote_cert_info, x);
950
/* Free peer's X509 */
953
pj_bzero(&ssock->remote_cert_info, sizeof(pj_ssl_cert_info));
958
/* When handshake completed:
959
* - notify application
960
* - if handshake failed, reset SSL state
961
* - return PJ_FALSE when SSL socket instance is destroyed by application.
963
static pj_bool_t on_handshake_complete(pj_ssl_sock_t *ssock,
966
/* Cancel handshake timer */
967
if (ssock->timer.id == TIMER_HANDSHAKE_TIMEOUT) {
968
pj_timer_heap_cancel(ssock->param.timer_heap, &ssock->timer);
969
ssock->timer.id = TIMER_NONE;
972
/* Update certificates info on successful handshake */
973
if (status == PJ_SUCCESS)
974
update_certs_info(ssock);
977
if (ssock->is_server) {
978
if (status != PJ_SUCCESS) {
979
/* Handshake failed in accepting, destroy our self silently. */
981
char errmsg[PJ_ERR_MSG_SIZE];
982
char buf[PJ_INET6_ADDRSTRLEN+10];
984
pj_strerror(status, errmsg, sizeof(errmsg));
985
PJ_LOG(3,(ssock->pool->obj_name, "Handshake failed in accepting "
987
pj_sockaddr_print(&ssock->rem_addr, buf, sizeof(buf), 3),
990
/* Workaround for ticket #985 */
991
#if (defined(PJ_WIN32) && PJ_WIN32!=0) || (defined(PJ_WIN64) && PJ_WIN64!=0)
992
if (ssock->param.timer_heap) {
993
pj_time_val interval = {0, DELAYED_CLOSE_TIMEOUT};
995
reset_ssl_sock_state(ssock);
997
ssock->timer.id = TIMER_CLOSE;
998
pj_time_val_normalize(&interval);
999
if (pj_timer_heap_schedule(ssock->param.timer_heap,
1000
&ssock->timer, &interval) != 0)
1002
ssock->timer.id = TIMER_NONE;
1003
pj_ssl_sock_close(ssock);
1006
#endif /* PJ_WIN32 */
1008
pj_ssl_sock_close(ssock);
1012
/* Notify application the newly accepted SSL socket */
1013
if (ssock->param.cb.on_accept_complete) {
1015
ret = (*ssock->param.cb.on_accept_complete)
1016
(ssock->parent, ssock, (pj_sockaddr_t*)&ssock->rem_addr,
1017
pj_sockaddr_get_len((pj_sockaddr_t*)&ssock->rem_addr));
1018
if (ret == PJ_FALSE)
1025
/* On failure, reset SSL socket state first, as app may try to
1026
* reconnect in the callback.
1028
if (status != PJ_SUCCESS) {
1029
/* Server disconnected us, possibly due to SSL nego failure */
1030
if (status == PJ_EEOF) {
1032
err = ERR_get_error();
1033
if (err != SSL_ERROR_NONE)
1034
status = STATUS_FROM_SSL_ERR(ssock, err);
1036
reset_ssl_sock_state(ssock);
1038
if (ssock->param.cb.on_connect_complete) {
1040
ret = (*ssock->param.cb.on_connect_complete)(ssock, status);
1041
if (ret == PJ_FALSE)
1049
static write_data_t* alloc_send_data(pj_ssl_sock_t *ssock, pj_size_t len)
1051
send_buf_t *send_buf = &ssock->send_buf;
1052
pj_size_t avail_len, skipped_len = 0;
1054
pj_size_t reg1_len, reg2_len;
1057
/* Check buffer availability */
1058
avail_len = send_buf->max_len - send_buf->len;
1059
if (avail_len < len)
1062
/* If buffer empty, reset start pointer and return it */
1063
if (send_buf->len == 0) {
1064
send_buf->start = send_buf->buf;
1065
send_buf->len = len;
1066
p = (write_data_t*)send_buf->start;
1067
goto init_send_data;
1070
/* Free space may be wrapped/splitted into two regions, so let's
1071
* analyze them if any region can hold the write data.
1073
reg1 = send_buf->start + send_buf->len;
1074
if (reg1 >= send_buf->buf + send_buf->max_len)
1075
reg1 -= send_buf->max_len;
1076
reg1_len = send_buf->max_len - send_buf->len;
1077
if (reg1 + reg1_len > send_buf->buf + send_buf->max_len) {
1078
reg1_len = send_buf->buf + send_buf->max_len - reg1;
1079
reg2 = send_buf->buf;
1080
reg2_len = send_buf->start - send_buf->buf;
1086
/* More buffer availability check, note that the write data must be in
1087
* a contigue buffer.
1089
avail_len = PJ_MAX(reg1_len, reg2_len);
1090
if (avail_len < len)
1093
/* Get the data slot */
1094
if (reg1_len >= len) {
1095
p = (write_data_t*)reg1;
1097
p = (write_data_t*)reg2;
1098
skipped_len = reg1_len;
1101
/* Update buffer length */
1102
send_buf->len += len + skipped_len;
1105
/* Init the new send data */
1106
pj_bzero(p, sizeof(*p));
1108
pj_list_push_back(&ssock->send_pending, p);
1113
static void free_send_data(pj_ssl_sock_t *ssock, write_data_t *wdata)
1115
send_buf_t *buf = &ssock->send_buf;
1116
write_data_t *spl = &ssock->send_pending;
1118
pj_assert(!pj_list_empty(&ssock->send_pending));
1120
/* Free slot from the buffer */
1121
if (spl->next == wdata && spl->prev == wdata) {
1122
/* This is the only data, reset the buffer */
1123
buf->start = buf->buf;
1125
} else if (spl->next == wdata) {
1126
/* This is the first data, shift start pointer of the buffer and
1127
* adjust the buffer length.
1129
buf->start = (char*)wdata->next;
1130
if (wdata->next > wdata) {
1131
buf->len -= ((char*)wdata->next - buf->start);
1134
pj_size_t right_len, left_len;
1135
right_len = buf->buf + buf->max_len - (char*)wdata;
1136
left_len = (char*)wdata->next - buf->buf;
1137
buf->len -= (right_len + left_len);
1139
} else if (spl->prev == wdata) {
1140
/* This is the last data, just adjust the buffer length */
1141
if (wdata->prev < wdata) {
1143
jump_len = (char*)wdata -
1144
((char*)wdata->prev + wdata->prev->record_len);
1145
buf->len -= (wdata->record_len + jump_len);
1148
pj_size_t right_len, left_len;
1149
right_len = buf->buf + buf->max_len -
1150
((char*)wdata->prev + wdata->prev->record_len);
1151
left_len = (char*)wdata + wdata->record_len - buf->buf;
1152
buf->len -= (right_len + left_len);
1155
/* For data in the middle buffer, just do nothing on the buffer. The slot
1156
* will be freed later when freeing the first/last data.
1159
/* Remove the data from send pending list */
1160
pj_list_erase(wdata);
1164
/* Just for testing send buffer alloc/free */
1165
#include <pj/rand.h>
1166
pj_status_t pj_ssl_sock_ossl_test_send_buf(pj_pool_t *pool)
1168
enum { MAX_CHUNK_NUM = 20 };
1169
unsigned chunk_size, chunk_cnt, i;
1170
write_data_t *wdata[MAX_CHUNK_NUM] = {0};
1172
pj_ssl_sock_t *ssock = NULL;
1173
pj_ssl_sock_param param;
1176
pj_gettimeofday(&now);
1177
pj_srand((unsigned)now.sec);
1179
pj_ssl_sock_param_default(¶m);
1180
status = pj_ssl_sock_create(pool, ¶m, &ssock);
1181
if (status != PJ_SUCCESS) {
1185
if (ssock->send_buf.max_len == 0) {
1186
ssock->send_buf.buf = (char*)
1187
pj_pool_alloc(ssock->pool,
1188
ssock->param.send_buffer_size);
1189
ssock->send_buf.max_len = ssock->param.send_buffer_size;
1190
ssock->send_buf.start = ssock->send_buf.buf;
1191
ssock->send_buf.len = 0;
1194
chunk_size = ssock->param.send_buffer_size / MAX_CHUNK_NUM / 2;
1196
for (i = 0; i < MAX_CHUNK_NUM; i++) {
1197
wdata[i] = alloc_send_data(ssock, pj_rand() % chunk_size + 321);
1205
i = pj_rand() % MAX_CHUNK_NUM;
1207
free_send_data(ssock, wdata[i]);
1213
if (ssock->send_buf.len != 0)
1216
pj_ssl_sock_close(ssock);
1222
/* Flush write BIO to network socket. Note that any access to write BIO
1223
* MUST be serialized, so mutex protection must cover any call to OpenSSL
1224
* API (that possibly generate data for write BIO) along with the call to
1225
* this function (flushing all data in write BIO generated by above
1226
* OpenSSL API call).
1228
static pj_status_t flush_write_bio(pj_ssl_sock_t *ssock,
1229
pj_ioqueue_op_key_t *send_key,
1235
write_data_t *wdata;
1236
pj_size_t needed_len;
1239
pj_lock_acquire(ssock->write_mutex);
1241
/* Check if there is data in write BIO, flush it if any */
1242
if (!BIO_pending(ssock->ossl_wbio)) {
1243
pj_lock_release(ssock->write_mutex);
1247
/* Get data and its length */
1248
len = BIO_get_mem_data(ssock->ossl_wbio, &data);
1250
pj_lock_release(ssock->write_mutex);
1254
/* Calculate buffer size needed, and align it to 8 */
1255
needed_len = len + sizeof(write_data_t);
1256
needed_len = ((needed_len + 7) >> 3) << 3;
1258
/* Allocate buffer for send data */
1259
wdata = alloc_send_data(ssock, needed_len);
1260
if (wdata == NULL) {
1261
pj_lock_release(ssock->write_mutex);
1265
/* Copy the data and set its properties into the send data */
1266
pj_ioqueue_op_key_init(&wdata->key, sizeof(pj_ioqueue_op_key_t));
1267
wdata->key.user_data = wdata;
1268
wdata->app_key = send_key;
1269
wdata->record_len = needed_len;
1270
wdata->data_len = len;
1271
wdata->plain_data_len = orig_len;
1272
wdata->flags = flags;
1273
pj_memcpy(&wdata->data, data, len);
1275
/* Reset write BIO */
1276
(void)BIO_reset(ssock->ossl_wbio);
1278
/* Ticket #1573: Don't hold mutex while calling PJLIB socket send(). */
1279
pj_lock_release(ssock->write_mutex);
1282
if (ssock->param.sock_type == pj_SOCK_STREAM()) {
1283
status = pj_activesock_send(ssock->asock, &wdata->key,
1284
wdata->data.content, &len,
1287
status = pj_activesock_sendto(ssock->asock, &wdata->key,
1288
wdata->data.content, &len,
1290
(pj_sockaddr_t*)&ssock->rem_addr,
1294
if (status != PJ_EPENDING) {
1295
/* When the sending is not pending, remove the wdata from send
1298
pj_lock_acquire(ssock->write_mutex);
1299
free_send_data(ssock, wdata);
1300
pj_lock_release(ssock->write_mutex);
1307
static void on_timer(pj_timer_heap_t *th, struct pj_timer_entry *te)
1309
pj_ssl_sock_t *ssock = (pj_ssl_sock_t*)te->user_data;
1310
int timer_id = te->id;
1312
te->id = TIMER_NONE;
1317
case TIMER_HANDSHAKE_TIMEOUT:
1318
PJ_LOG(1,(ssock->pool->obj_name, "SSL timeout after %d.%ds",
1319
ssock->param.timeout.sec, ssock->param.timeout.msec));
1321
on_handshake_complete(ssock, PJ_ETIMEDOUT);
1324
pj_ssl_sock_close(ssock);
1327
pj_assert(!"Unknown timer");
1333
/* Asynchronouse handshake */
1334
static pj_status_t do_handshake(pj_ssl_sock_t *ssock)
1339
/* Perform SSL handshake */
1340
pj_lock_acquire(ssock->write_mutex);
1341
err = SSL_do_handshake(ssock->ossl_ssl);
1342
pj_lock_release(ssock->write_mutex);
1344
/* SSL_do_handshake() may put some pending data into SSL write BIO,
1347
status = flush_write_bio(ssock, &ssock->handshake_op_key, 0, 0);
1348
if (status != PJ_SUCCESS && status != PJ_EPENDING) {
1353
err = SSL_get_error(ssock->ossl_ssl, err);
1354
if (err != SSL_ERROR_NONE && err != SSL_ERROR_WANT_READ)
1356
/* Handshake fails */
1357
status = STATUS_FROM_SSL_ERR(ssock, err);
1362
/* Check if handshake has been completed */
1363
if (SSL_is_init_finished(ssock->ossl_ssl)) {
1364
ssock->ssl_state = SSL_STATE_ESTABLISHED;
1373
*******************************************************************
1374
* Active socket callbacks.
1375
*******************************************************************
1378
static pj_bool_t asock_on_data_read (pj_activesock_t *asock,
1382
pj_size_t *remainder)
1384
pj_ssl_sock_t *ssock = (pj_ssl_sock_t*)
1385
pj_activesock_get_user_data(asock);
1388
/* Socket error or closed */
1389
if (data && size > 0) {
1390
/* Consume the whole data */
1391
nwritten = BIO_write(ssock->ossl_rbio, data, (int)size);
1392
if (nwritten < size) {
1393
status = GET_SSL_STATUS(ssock);
1398
/* Check if SSL handshake hasn't finished yet */
1399
if (ssock->ssl_state == SSL_STATE_HANDSHAKING) {
1400
pj_bool_t ret = PJ_TRUE;
1402
if (status == PJ_SUCCESS)
1403
status = do_handshake(ssock);
1405
/* Not pending is either success or failed */
1406
if (status != PJ_EPENDING)
1407
ret = on_handshake_complete(ssock, status);
1412
/* See if there is any decrypted data for the application */
1413
if (ssock->read_started) {
1415
read_data_t *buf = *(OFFSET_OF_READ_DATA_PTR(ssock, data));
1416
void *data_ = (pj_int8_t*)buf->data + buf->len;
1417
int size_ = (int)(ssock->read_size - buf->len);
1419
/* SSL_read() may write some data to BIO write when re-negotiation
1420
* is on progress, so let's protect it with write mutex.
1422
pj_lock_acquire(ssock->write_mutex);
1423
size_ = SSL_read(ssock->ossl_ssl, data_, size_);
1424
pj_lock_release(ssock->write_mutex);
1426
if (size_ > 0 || status != PJ_SUCCESS) {
1427
if (ssock->param.cb.on_data_read) {
1429
pj_size_t remainder_ = 0;
1434
ret = (*ssock->param.cb.on_data_read)(ssock, buf->data,
1438
/* We've been destroyed */
1442
/* Application may have left some data to be consumed
1445
buf->len = remainder_;
1448
/* Active socket signalled connection closed/error, this has
1449
* been signalled to the application along with any remaining
1450
* buffer. So, let's just reset SSL socket now.
1452
if (status != PJ_SUCCESS) {
1453
reset_ssl_sock_state(ssock);
1459
int err = SSL_get_error(ssock->ossl_ssl, (int)size);
1461
/* SSL might just return SSL_ERROR_WANT_READ in
1464
if (err != SSL_ERROR_NONE && err != SSL_ERROR_WANT_READ)
1466
/* Reset SSL socket state, then return PJ_FALSE */
1467
status = STATUS_FROM_SSL_ERR(ssock, err);
1468
reset_ssl_sock_state(ssock);
1472
status = do_handshake(ssock);
1473
if (status == PJ_SUCCESS) {
1474
/* Renegotiation completed */
1476
/* Update certificates */
1477
update_certs_info(ssock);
1479
// Ticket #1573: Don't hold mutex while calling
1480
// PJLIB socket send().
1481
//pj_lock_acquire(ssock->write_mutex);
1482
status = flush_delayed_send(ssock);
1483
//pj_lock_release(ssock->write_mutex);
1485
/* If flushing is ongoing, treat it as success */
1486
if (status == PJ_EBUSY)
1487
status = PJ_SUCCESS;
1489
if (status != PJ_SUCCESS && status != PJ_EPENDING) {
1490
PJ_PERROR(1,(ssock->pool->obj_name, status,
1491
"Failed to flush delayed send"));
1494
} else if (status != PJ_EPENDING) {
1495
PJ_PERROR(1,(ssock->pool->obj_name, status,
1496
"Renegotiation failed"));
1508
if (ssock->ssl_state == SSL_STATE_HANDSHAKING)
1509
return on_handshake_complete(ssock, status);
1511
if (ssock->read_started && ssock->param.cb.on_data_read) {
1513
ret = (*ssock->param.cb.on_data_read)(ssock, NULL, 0, status,
1516
/* We've been destroyed */
1521
reset_ssl_sock_state(ssock);
1526
static pj_bool_t asock_on_data_sent (pj_activesock_t *asock,
1527
pj_ioqueue_op_key_t *send_key,
1530
pj_ssl_sock_t *ssock = (pj_ssl_sock_t*)
1531
pj_activesock_get_user_data(asock);
1533
PJ_UNUSED_ARG(send_key);
1534
PJ_UNUSED_ARG(sent);
1536
if (ssock->ssl_state == SSL_STATE_HANDSHAKING) {
1537
/* Initial handshaking */
1540
status = do_handshake(ssock);
1541
/* Not pending is either success or failed */
1542
if (status != PJ_EPENDING)
1543
return on_handshake_complete(ssock, status);
1545
} else if (send_key != &ssock->handshake_op_key) {
1546
/* Some data has been sent, notify application */
1547
write_data_t *wdata = (write_data_t*)send_key->user_data;
1548
if (ssock->param.cb.on_data_sent) {
1550
pj_ssize_t sent_len;
1552
sent_len = (sent > 0)? wdata->plain_data_len : sent;
1553
ret = (*ssock->param.cb.on_data_sent)(ssock, wdata->app_key,
1556
/* We've been destroyed */
1561
/* Update write buffer state */
1562
pj_lock_acquire(ssock->write_mutex);
1563
free_send_data(ssock, wdata);
1564
pj_lock_release(ssock->write_mutex);
1567
/* SSL re-negotiation is on-progress, just do nothing */
1574
static pj_bool_t asock_on_accept_complete (pj_activesock_t *asock,
1576
const pj_sockaddr_t *src_addr,
1579
pj_ssl_sock_t *ssock_parent = (pj_ssl_sock_t*)
1580
pj_activesock_get_user_data(asock);
1581
pj_ssl_sock_t *ssock;
1582
pj_activesock_cb asock_cb;
1583
pj_activesock_cfg asock_cfg;
1587
PJ_UNUSED_ARG(src_addr_len);
1589
/* Create new SSL socket instance */
1590
status = pj_ssl_sock_create(ssock_parent->pool, &ssock_parent->param,
1592
if (status != PJ_SUCCESS)
1595
/* Update new SSL socket attributes */
1596
ssock->sock = newsock;
1597
ssock->parent = ssock_parent;
1598
ssock->is_server = PJ_TRUE;
1599
if (ssock_parent->cert) {
1600
status = pj_ssl_sock_set_certificate(ssock, ssock->pool,
1601
ssock_parent->cert);
1602
if (status != PJ_SUCCESS)
1606
/* Apply QoS, if specified */
1607
status = pj_sock_apply_qos2(ssock->sock, ssock->param.qos_type,
1608
&ssock->param.qos_params, 1,
1609
ssock->pool->obj_name, NULL);
1610
if (status != PJ_SUCCESS && !ssock->param.qos_ignore_error)
1613
/* Update local address */
1614
ssock->addr_len = src_addr_len;
1615
status = pj_sock_getsockname(ssock->sock, &ssock->local_addr,
1617
if (status != PJ_SUCCESS) {
1618
/* This fails on few envs, e.g: win IOCP, just tolerate this and
1619
* use parent local address instead.
1621
pj_sockaddr_cp(&ssock->local_addr, &ssock_parent->local_addr);
1624
/* Set remote address */
1625
pj_sockaddr_cp(&ssock->rem_addr, src_addr);
1627
/* Create SSL context */
1628
status = create_ssl(ssock);
1629
if (status != PJ_SUCCESS)
1632
/* Prepare read buffer */
1633
ssock->asock_rbuf = (void**)pj_pool_calloc(ssock->pool,
1634
ssock->param.async_cnt,
1636
for (i = 0; i<ssock->param.async_cnt; ++i) {
1637
ssock->asock_rbuf[i] = (void*) pj_pool_alloc(
1639
ssock->param.read_buffer_size +
1640
sizeof(read_data_t*));
1643
/* Create active socket */
1644
pj_activesock_cfg_default(&asock_cfg);
1645
asock_cfg.async_cnt = ssock->param.async_cnt;
1646
asock_cfg.concurrency = ssock->param.concurrency;
1647
asock_cfg.whole_data = PJ_TRUE;
1649
pj_bzero(&asock_cb, sizeof(asock_cb));
1650
asock_cb.on_data_read = asock_on_data_read;
1651
asock_cb.on_data_sent = asock_on_data_sent;
1653
status = pj_activesock_create(ssock->pool,
1655
ssock->param.sock_type,
1657
ssock->param.ioqueue,
1662
if (status != PJ_SUCCESS)
1666
status = pj_activesock_start_read2(ssock->asock, ssock->pool,
1667
(unsigned)ssock->param.read_buffer_size,
1669
PJ_IOQUEUE_ALWAYS_ASYNC);
1670
if (status != PJ_SUCCESS)
1673
/* Prepare write/send state */
1674
pj_assert(ssock->send_buf.max_len == 0);
1675
ssock->send_buf.buf = (char*)
1676
pj_pool_alloc(ssock->pool,
1677
ssock->param.send_buffer_size);
1678
ssock->send_buf.max_len = ssock->param.send_buffer_size;
1679
ssock->send_buf.start = ssock->send_buf.buf;
1680
ssock->send_buf.len = 0;
1682
/* Start handshake timer */
1683
if (ssock->param.timer_heap && (ssock->param.timeout.sec != 0 ||
1684
ssock->param.timeout.msec != 0))
1686
pj_assert(ssock->timer.id == TIMER_NONE);
1687
ssock->timer.id = TIMER_HANDSHAKE_TIMEOUT;
1688
status = pj_timer_heap_schedule(ssock->param.timer_heap,
1690
&ssock->param.timeout);
1691
if (status != PJ_SUCCESS)
1692
ssock->timer.id = TIMER_NONE;
1695
/* Start SSL handshake */
1696
ssock->ssl_state = SSL_STATE_HANDSHAKING;
1697
SSL_set_accept_state(ssock->ossl_ssl);
1698
status = do_handshake(ssock);
1701
if (ssock && status != PJ_EPENDING)
1702
on_handshake_complete(ssock, status);
1704
/* Must return PJ_TRUE whatever happened, as active socket must
1705
* continue listening.
1711
static pj_bool_t asock_on_connect_complete (pj_activesock_t *asock,
1714
pj_ssl_sock_t *ssock = (pj_ssl_sock_t*)
1715
pj_activesock_get_user_data(asock);
1718
if (status != PJ_SUCCESS)
1721
/* Update local address */
1722
ssock->addr_len = sizeof(pj_sockaddr);
1723
status = pj_sock_getsockname(ssock->sock, &ssock->local_addr,
1725
if (status != PJ_SUCCESS)
1728
/* Create SSL context */
1729
status = create_ssl(ssock);
1730
if (status != PJ_SUCCESS)
1733
/* Prepare read buffer */
1734
ssock->asock_rbuf = (void**)pj_pool_calloc(ssock->pool,
1735
ssock->param.async_cnt,
1737
for (i = 0; i<ssock->param.async_cnt; ++i) {
1738
ssock->asock_rbuf[i] = (void*) pj_pool_alloc(
1740
ssock->param.read_buffer_size +
1741
sizeof(read_data_t*));
1745
status = pj_activesock_start_read2(ssock->asock, ssock->pool,
1746
(unsigned)ssock->param.read_buffer_size,
1748
PJ_IOQUEUE_ALWAYS_ASYNC);
1749
if (status != PJ_SUCCESS)
1752
/* Prepare write/send state */
1753
pj_assert(ssock->send_buf.max_len == 0);
1754
ssock->send_buf.buf = (char*)
1755
pj_pool_alloc(ssock->pool,
1756
ssock->param.send_buffer_size);
1757
ssock->send_buf.max_len = ssock->param.send_buffer_size;
1758
ssock->send_buf.start = ssock->send_buf.buf;
1759
ssock->send_buf.len = 0;
1761
#ifdef SSL_set_tlsext_host_name
1762
/* Set server name to connect */
1763
if (ssock->param.server_name.slen) {
1764
/* Server name is null terminated already */
1765
if (!SSL_set_tlsext_host_name(ssock->ossl_ssl,
1766
ssock->param.server_name.ptr))
1768
char err_str[PJ_ERR_MSG_SIZE];
1770
ERR_error_string_n(ERR_get_error(), err_str, sizeof(err_str));
1771
PJ_LOG(3,(ssock->pool->obj_name, "SSL_set_tlsext_host_name() "
1772
"failed: %s", err_str));
1777
/* Start SSL handshake */
1778
ssock->ssl_state = SSL_STATE_HANDSHAKING;
1779
SSL_set_connect_state(ssock->ossl_ssl);
1781
status = do_handshake(ssock);
1782
if (status != PJ_EPENDING)
1788
return on_handshake_complete(ssock, status);
1794
*******************************************************************
1796
*******************************************************************
1799
/* Load credentials from files. */
1800
PJ_DEF(pj_status_t) pj_ssl_cert_load_from_files (pj_pool_t *pool,
1801
const pj_str_t *CA_file,
1802
const pj_str_t *cert_file,
1803
const pj_str_t *privkey_file,
1804
const pj_str_t *privkey_pass,
1805
pj_ssl_cert_t **p_cert)
1807
pj_ssl_cert_t *cert;
1809
PJ_ASSERT_RETURN(pool && CA_file && cert_file && privkey_file, PJ_EINVAL);
1811
cert = PJ_POOL_ZALLOC_T(pool, pj_ssl_cert_t);
1812
pj_strdup_with_null(pool, &cert->CA_file, CA_file);
1813
pj_strdup_with_null(pool, &cert->cert_file, cert_file);
1814
pj_strdup_with_null(pool, &cert->privkey_file, privkey_file);
1815
pj_strdup_with_null(pool, &cert->privkey_pass, privkey_pass);
1823
/* Set SSL socket credentials. */
1824
PJ_DECL(pj_status_t) pj_ssl_sock_set_certificate(
1825
pj_ssl_sock_t *ssock,
1827
const pj_ssl_cert_t *cert)
1829
pj_ssl_cert_t *cert_;
1831
PJ_ASSERT_RETURN(ssock && pool && cert, PJ_EINVAL);
1833
cert_ = PJ_POOL_ZALLOC_T(pool, pj_ssl_cert_t);
1834
pj_memcpy(cert_, cert, sizeof(cert));
1835
pj_strdup_with_null(pool, &cert_->CA_file, &cert->CA_file);
1836
pj_strdup_with_null(pool, &cert_->cert_file, &cert->cert_file);
1837
pj_strdup_with_null(pool, &cert_->privkey_file, &cert->privkey_file);
1838
pj_strdup_with_null(pool, &cert_->privkey_pass, &cert->privkey_pass);
1840
ssock->cert = cert_;
1846
/* Get available ciphers. */
1847
PJ_DEF(pj_status_t) pj_ssl_cipher_get_availables(pj_ssl_cipher ciphers[],
1848
unsigned *cipher_num)
1852
PJ_ASSERT_RETURN(ciphers && cipher_num, PJ_EINVAL);
1854
if (openssl_cipher_num == 0) {
1859
if (openssl_cipher_num == 0) {
1861
return PJ_ENOTFOUND;
1864
*cipher_num = PJ_MIN(*cipher_num, openssl_cipher_num);
1866
for (i = 0; i < *cipher_num; ++i)
1867
ciphers[i] = openssl_ciphers[i].id;
1873
/* Get cipher name string */
1874
PJ_DEF(const char*) pj_ssl_cipher_name(pj_ssl_cipher cipher)
1878
if (openssl_cipher_num == 0) {
1883
for (i = 0; i < openssl_cipher_num; ++i) {
1884
if (cipher == openssl_ciphers[i].id)
1885
return openssl_ciphers[i].name;
1891
/* Check if the specified cipher is supported by SSL/TLS backend. */
1892
PJ_DEF(pj_bool_t) pj_ssl_cipher_is_supported(pj_ssl_cipher cipher)
1896
if (openssl_cipher_num == 0) {
1901
for (i = 0; i < openssl_cipher_num; ++i) {
1902
if (cipher == openssl_ciphers[i].id)
1911
* Create SSL socket instance.
1913
PJ_DEF(pj_status_t) pj_ssl_sock_create (pj_pool_t *pool,
1914
const pj_ssl_sock_param *param,
1915
pj_ssl_sock_t **p_ssock)
1917
pj_ssl_sock_t *ssock;
1920
PJ_ASSERT_RETURN(pool && param && p_ssock, PJ_EINVAL);
1921
PJ_ASSERT_RETURN(param->sock_type == pj_SOCK_STREAM(), PJ_ENOTSUP);
1923
pool = pj_pool_create(pool->factory, "ssl%p", 512, 512, NULL);
1925
/* Create secure socket */
1926
ssock = PJ_POOL_ZALLOC_T(pool, pj_ssl_sock_t);
1928
ssock->sock = PJ_INVALID_SOCKET;
1929
ssock->ssl_state = SSL_STATE_NULL;
1930
pj_list_init(&ssock->write_pending);
1931
pj_list_init(&ssock->write_pending_empty);
1932
pj_list_init(&ssock->send_pending);
1933
pj_timer_entry_init(&ssock->timer, 0, ssock, &on_timer);
1934
pj_ioqueue_op_key_init(&ssock->handshake_op_key,
1935
sizeof(pj_ioqueue_op_key_t));
1937
/* Create secure socket mutex */
1938
status = pj_lock_create_recursive_mutex(pool, pool->obj_name,
1939
&ssock->write_mutex);
1940
if (status != PJ_SUCCESS)
1943
/* Init secure socket param */
1944
ssock->param = *param;
1945
ssock->param.read_buffer_size = ((ssock->param.read_buffer_size+7)>>3)<<3;
1946
if (param->ciphers_num > 0) {
1948
ssock->param.ciphers = (pj_ssl_cipher*)
1949
pj_pool_calloc(pool, param->ciphers_num,
1950
sizeof(pj_ssl_cipher));
1951
for (i = 0; i < param->ciphers_num; ++i)
1952
ssock->param.ciphers[i] = param->ciphers[i];
1955
/* Server name must be null-terminated */
1956
pj_strdup_with_null(pool, &ssock->param.server_name,
1957
¶m->server_name);
1967
* Close the secure socket. This will unregister the socket from the
1968
* ioqueue and ultimately close the socket.
1970
PJ_DEF(pj_status_t) pj_ssl_sock_close(pj_ssl_sock_t *ssock)
1974
PJ_ASSERT_RETURN(ssock, PJ_EINVAL);
1979
if (ssock->timer.id != TIMER_NONE) {
1980
pj_timer_heap_cancel(ssock->param.timer_heap, &ssock->timer);
1981
ssock->timer.id = TIMER_NONE;
1984
reset_ssl_sock_state(ssock);
1985
pj_lock_destroy(ssock->write_mutex);
1990
pj_pool_release(pool);
1997
* Associate arbitrary data with the secure socket.
1999
PJ_DEF(pj_status_t) pj_ssl_sock_set_user_data(pj_ssl_sock_t *ssock,
2002
PJ_ASSERT_RETURN(ssock, PJ_EINVAL);
2004
ssock->param.user_data = user_data;
2010
* Retrieve the user data previously associated with this secure
2013
PJ_DEF(void*) pj_ssl_sock_get_user_data(pj_ssl_sock_t *ssock)
2015
PJ_ASSERT_RETURN(ssock, NULL);
2017
return ssock->param.user_data;
2022
* Retrieve the local address and port used by specified SSL socket.
2024
PJ_DEF(pj_status_t) pj_ssl_sock_get_info (pj_ssl_sock_t *ssock,
2025
pj_ssl_sock_info *info)
2027
pj_bzero(info, sizeof(*info));
2029
/* Established flag */
2030
info->established = (ssock->ssl_state == SSL_STATE_ESTABLISHED);
2033
info->proto = ssock->param.proto;
2036
pj_sockaddr_cp(&info->local_addr, &ssock->local_addr);
2038
if (info->established) {
2039
const SSL_CIPHER *cipher;
2041
/* Current cipher */
2042
cipher = SSL_get_current_cipher(ssock->ossl_ssl);
2043
info->cipher = (cipher->id & 0x00FFFFFF);
2045
/* Remote address */
2046
pj_sockaddr_cp(&info->remote_addr, &ssock->rem_addr);
2048
/* Certificates info */
2049
info->local_cert_info = &ssock->local_cert_info;
2050
info->remote_cert_info = &ssock->remote_cert_info;
2052
/* Verification status */
2053
info->verify_status = ssock->verify_status;
2056
/* Last known OpenSSL error code */
2057
info->last_native_err = ssock->last_err;
2064
* Starts read operation on this secure socket.
2066
PJ_DEF(pj_status_t) pj_ssl_sock_start_read (pj_ssl_sock_t *ssock,
2074
PJ_ASSERT_RETURN(ssock && pool && buff_size, PJ_EINVAL);
2075
PJ_ASSERT_RETURN(ssock->ssl_state==SSL_STATE_ESTABLISHED, PJ_EINVALIDOP);
2077
readbuf = (void**) pj_pool_calloc(pool, ssock->param.async_cnt,
2080
for (i=0; i<ssock->param.async_cnt; ++i) {
2081
readbuf[i] = pj_pool_alloc(pool, buff_size);
2084
return pj_ssl_sock_start_read2(ssock, pool, buff_size,
2090
* Same as #pj_ssl_sock_start_read(), except that the application
2091
* supplies the buffers for the read operation so that the acive socket
2092
* does not have to allocate the buffers.
2094
PJ_DEF(pj_status_t) pj_ssl_sock_start_read2 (pj_ssl_sock_t *ssock,
2102
PJ_ASSERT_RETURN(ssock && pool && buff_size && readbuf, PJ_EINVAL);
2103
PJ_ASSERT_RETURN(ssock->ssl_state==SSL_STATE_ESTABLISHED, PJ_EINVALIDOP);
2105
/* Create SSL socket read buffer */
2106
ssock->ssock_rbuf = (read_data_t*)pj_pool_calloc(pool,
2107
ssock->param.async_cnt,
2108
sizeof(read_data_t));
2110
/* Store SSL socket read buffer pointer in the activesock read buffer */
2111
for (i=0; i<ssock->param.async_cnt; ++i) {
2112
read_data_t **p_ssock_rbuf =
2113
OFFSET_OF_READ_DATA_PTR(ssock, ssock->asock_rbuf[i]);
2115
ssock->ssock_rbuf[i].data = readbuf[i];
2116
ssock->ssock_rbuf[i].len = 0;
2118
*p_ssock_rbuf = &ssock->ssock_rbuf[i];
2121
ssock->read_size = buff_size;
2122
ssock->read_started = PJ_TRUE;
2123
ssock->read_flags = flags;
2130
* Same as pj_ssl_sock_start_read(), except that this function is used
2131
* only for datagram sockets, and it will trigger \a on_data_recvfrom()
2134
PJ_DEF(pj_status_t) pj_ssl_sock_start_recvfrom (pj_ssl_sock_t *ssock,
2139
PJ_UNUSED_ARG(ssock);
2140
PJ_UNUSED_ARG(pool);
2141
PJ_UNUSED_ARG(buff_size);
2142
PJ_UNUSED_ARG(flags);
2149
* Same as #pj_ssl_sock_start_recvfrom() except that the recvfrom()
2150
* operation takes the buffer from the argument rather than creating
2153
PJ_DEF(pj_status_t) pj_ssl_sock_start_recvfrom2 (pj_ssl_sock_t *ssock,
2159
PJ_UNUSED_ARG(ssock);
2160
PJ_UNUSED_ARG(pool);
2161
PJ_UNUSED_ARG(buff_size);
2162
PJ_UNUSED_ARG(readbuf);
2163
PJ_UNUSED_ARG(flags);
2168
/* Write plain data to SSL and flush write BIO. */
2169
static pj_status_t ssl_write(pj_ssl_sock_t *ssock,
2170
pj_ioqueue_op_key_t *send_key,
2178
/* Write the plain data to SSL, after SSL encrypts it, write BIO will
2179
* contain the secured data to be sent via socket. Note that re-
2180
* negotitation may be on progress, so sending data should be delayed
2181
* until re-negotiation is completed.
2183
pj_lock_acquire(ssock->write_mutex);
2184
nwritten = SSL_write(ssock->ossl_ssl, data, (int)size);
2185
pj_lock_release(ssock->write_mutex);
2187
if (nwritten == size) {
2188
/* All data written, flush write BIO to network socket */
2189
status = flush_write_bio(ssock, send_key, size, flags);
2190
} else if (nwritten <= 0) {
2191
/* SSL failed to process the data, it may just that re-negotiation
2195
err = SSL_get_error(ssock->ossl_ssl, nwritten);
2196
if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_NONE) {
2197
/* Re-negotiation is on progress, flush re-negotiation data */
2198
status = flush_write_bio(ssock, &ssock->handshake_op_key, 0, 0);
2199
if (status == PJ_SUCCESS || status == PJ_EPENDING)
2200
/* Just return PJ_EBUSY when re-negotiation is on progress */
2203
/* Some problem occured */
2204
status = STATUS_FROM_SSL_ERR(ssock, err);
2207
/* nwritten < *size, shouldn't happen, unless write BIO cannot hold
2208
* the whole secured data, perhaps because of insufficient memory.
2216
/* Flush delayed data sending in the write pending list. */
2217
static pj_status_t flush_delayed_send(pj_ssl_sock_t *ssock)
2219
/* Check for another ongoing flush */
2220
if (ssock->flushing_write_pend)
2223
pj_lock_acquire(ssock->write_mutex);
2225
/* Again, check for another ongoing flush */
2226
if (ssock->flushing_write_pend) {
2227
pj_lock_release(ssock->write_mutex);
2231
/* Set ongoing flush flag */
2232
ssock->flushing_write_pend = PJ_TRUE;
2234
while (!pj_list_empty(&ssock->write_pending)) {
2238
wp = ssock->write_pending.next;
2240
/* Ticket #1573: Don't hold mutex while calling socket send. */
2241
pj_lock_release(ssock->write_mutex);
2243
status = ssl_write(ssock, &wp->key, wp->data.ptr,
2244
wp->plain_data_len, wp->flags);
2245
if (status != PJ_SUCCESS) {
2246
/* Reset ongoing flush flag first. */
2247
ssock->flushing_write_pend = PJ_FALSE;
2251
pj_lock_acquire(ssock->write_mutex);
2253
pj_list_push_back(&ssock->write_pending_empty, wp);
2256
/* Reset ongoing flush flag */
2257
ssock->flushing_write_pend = PJ_FALSE;
2259
pj_lock_release(ssock->write_mutex);
2264
/* Sending is delayed, push back the sending data into pending list. */
2265
static pj_status_t delay_send (pj_ssl_sock_t *ssock,
2266
pj_ioqueue_op_key_t *send_key,
2273
pj_lock_acquire(ssock->write_mutex);
2275
/* Init write pending instance */
2276
if (!pj_list_empty(&ssock->write_pending_empty)) {
2277
wp = ssock->write_pending_empty.next;
2280
wp = PJ_POOL_ZALLOC_T(ssock->pool, write_data_t);
2283
wp->app_key = send_key;
2284
wp->plain_data_len = size;
2285
wp->data.ptr = data;
2288
pj_list_push_back(&ssock->write_pending, wp);
2290
pj_lock_release(ssock->write_mutex);
2292
/* Must return PJ_EPENDING */
2297
* Send data using the socket.
2299
PJ_DEF(pj_status_t) pj_ssl_sock_send (pj_ssl_sock_t *ssock,
2300
pj_ioqueue_op_key_t *send_key,
2307
PJ_ASSERT_RETURN(ssock && data && size && (*size>0), PJ_EINVAL);
2308
PJ_ASSERT_RETURN(ssock->ssl_state==SSL_STATE_ESTABLISHED, PJ_EINVALIDOP);
2310
// Ticket #1573: Don't hold mutex while calling PJLIB socket send().
2311
//pj_lock_acquire(ssock->write_mutex);
2313
/* Flush delayed send first. Sending data might be delayed when
2314
* re-negotiation is on-progress.
2316
status = flush_delayed_send(ssock);
2317
if (status == PJ_EBUSY) {
2318
/* Re-negotiation or flushing is on progress, delay sending */
2319
status = delay_send(ssock, send_key, data, *size, flags);
2321
} else if (status != PJ_SUCCESS) {
2325
/* Write data to SSL */
2326
status = ssl_write(ssock, send_key, data, *size, flags);
2327
if (status == PJ_EBUSY) {
2328
/* Re-negotiation is on progress, delay sending */
2329
status = delay_send(ssock, send_key, data, *size, flags);
2333
//pj_lock_release(ssock->write_mutex);
2339
* Send datagram using the socket.
2341
PJ_DEF(pj_status_t) pj_ssl_sock_sendto (pj_ssl_sock_t *ssock,
2342
pj_ioqueue_op_key_t *send_key,
2346
const pj_sockaddr_t *addr,
2349
PJ_UNUSED_ARG(ssock);
2350
PJ_UNUSED_ARG(send_key);
2351
PJ_UNUSED_ARG(data);
2352
PJ_UNUSED_ARG(size);
2353
PJ_UNUSED_ARG(flags);
2354
PJ_UNUSED_ARG(addr);
2355
PJ_UNUSED_ARG(addr_len);
2362
* Starts asynchronous socket accept() operations on this secure socket.
2364
PJ_DEF(pj_status_t) pj_ssl_sock_start_accept (pj_ssl_sock_t *ssock,
2366
const pj_sockaddr_t *localaddr,
2369
pj_activesock_cb asock_cb;
2370
pj_activesock_cfg asock_cfg;
2373
PJ_ASSERT_RETURN(ssock && pool && localaddr && addr_len, PJ_EINVAL);
2376
status = pj_sock_socket(ssock->param.sock_af, ssock->param.sock_type, 0,
2378
if (status != PJ_SUCCESS)
2381
/* Apply SO_REUSEADDR */
2382
if (ssock->param.reuse_addr) {
2384
status = pj_sock_setsockopt(ssock->sock, pj_SOL_SOCKET(),
2386
&enabled, sizeof(enabled));
2387
if (status != PJ_SUCCESS) {
2388
PJ_PERROR(4,(ssock->pool->obj_name, status,
2389
"Warning: error applying SO_REUSEADDR"));
2393
/* Apply QoS, if specified */
2394
status = pj_sock_apply_qos2(ssock->sock, ssock->param.qos_type,
2395
&ssock->param.qos_params, 2,
2396
ssock->pool->obj_name, NULL);
2397
if (status != PJ_SUCCESS && !ssock->param.qos_ignore_error)
2401
status = pj_sock_bind(ssock->sock, localaddr, addr_len);
2402
if (status != PJ_SUCCESS)
2405
/* Start listening to the address */
2406
status = pj_sock_listen(ssock->sock, PJ_SOMAXCONN);
2407
if (status != PJ_SUCCESS)
2410
/* Create active socket */
2411
pj_activesock_cfg_default(&asock_cfg);
2412
asock_cfg.async_cnt = ssock->param.async_cnt;
2413
asock_cfg.concurrency = ssock->param.concurrency;
2414
asock_cfg.whole_data = PJ_TRUE;
2416
pj_bzero(&asock_cb, sizeof(asock_cb));
2417
asock_cb.on_accept_complete = asock_on_accept_complete;
2419
status = pj_activesock_create(pool,
2421
ssock->param.sock_type,
2423
ssock->param.ioqueue,
2428
if (status != PJ_SUCCESS)
2431
/* Start accepting */
2432
status = pj_activesock_start_accept(ssock->asock, pool);
2433
if (status != PJ_SUCCESS)
2436
/* Update local address */
2437
ssock->addr_len = addr_len;
2438
status = pj_sock_getsockname(ssock->sock, &ssock->local_addr,
2440
if (status != PJ_SUCCESS)
2441
pj_sockaddr_cp(&ssock->local_addr, localaddr);
2443
ssock->is_server = PJ_TRUE;
2448
reset_ssl_sock_state(ssock);
2454
* Starts asynchronous socket connect() operation.
2456
PJ_DECL(pj_status_t) pj_ssl_sock_start_connect(pj_ssl_sock_t *ssock,
2458
const pj_sockaddr_t *localaddr,
2459
const pj_sockaddr_t *remaddr,
2462
pj_activesock_cb asock_cb;
2463
pj_activesock_cfg asock_cfg;
2466
PJ_ASSERT_RETURN(ssock && pool && localaddr && remaddr && addr_len,
2470
status = pj_sock_socket(ssock->param.sock_af, ssock->param.sock_type, 0,
2472
if (status != PJ_SUCCESS)
2475
/* Apply QoS, if specified */
2476
status = pj_sock_apply_qos2(ssock->sock, ssock->param.qos_type,
2477
&ssock->param.qos_params, 2,
2478
ssock->pool->obj_name, NULL);
2479
if (status != PJ_SUCCESS && !ssock->param.qos_ignore_error)
2483
status = pj_sock_bind(ssock->sock, localaddr, addr_len);
2484
if (status != PJ_SUCCESS)
2487
/* Create active socket */
2488
pj_activesock_cfg_default(&asock_cfg);
2489
asock_cfg.async_cnt = ssock->param.async_cnt;
2490
asock_cfg.concurrency = ssock->param.concurrency;
2491
asock_cfg.whole_data = PJ_TRUE;
2493
pj_bzero(&asock_cb, sizeof(asock_cb));
2494
asock_cb.on_connect_complete = asock_on_connect_complete;
2495
asock_cb.on_data_read = asock_on_data_read;
2496
asock_cb.on_data_sent = asock_on_data_sent;
2498
status = pj_activesock_create(pool,
2500
ssock->param.sock_type,
2502
ssock->param.ioqueue,
2507
if (status != PJ_SUCCESS)
2510
/* Save remote address */
2511
pj_sockaddr_cp(&ssock->rem_addr, remaddr);
2514
if (ssock->param.timer_heap && (ssock->param.timeout.sec != 0 ||
2515
ssock->param.timeout.msec != 0))
2517
pj_assert(ssock->timer.id == TIMER_NONE);
2518
ssock->timer.id = TIMER_HANDSHAKE_TIMEOUT;
2519
status = pj_timer_heap_schedule(ssock->param.timer_heap,
2521
&ssock->param.timeout);
2522
if (status != PJ_SUCCESS)
2523
ssock->timer.id = TIMER_NONE;
2526
status = pj_activesock_start_connect(ssock->asock, pool, remaddr,
2529
if (status == PJ_SUCCESS)
2530
asock_on_connect_complete(ssock->asock, PJ_SUCCESS);
2531
else if (status != PJ_EPENDING)
2534
/* Update local address */
2535
ssock->addr_len = addr_len;
2536
status = pj_sock_getsockname(ssock->sock, &ssock->local_addr,
2538
/* Note that we may not get an IP address here. This can
2539
* happen for example on Windows, where getsockname()
2540
* would return 0.0.0.0 if socket has just started the
2541
* async connect. In this case, just leave the local
2542
* address with 0.0.0.0 for now; it will be updated
2543
* once the socket is established.
2546
/* Update SSL state */
2547
ssock->is_server = PJ_FALSE;
2552
reset_ssl_sock_state(ssock);
2557
PJ_DEF(pj_status_t) pj_ssl_sock_renegotiate(pj_ssl_sock_t *ssock)
2562
PJ_ASSERT_RETURN(ssock->ssl_state == SSL_STATE_ESTABLISHED, PJ_EINVALIDOP);
2564
if (SSL_renegotiate_pending(ssock->ossl_ssl))
2567
ret = SSL_renegotiate(ssock->ossl_ssl);
2569
status = GET_SSL_STATUS(ssock);
2571
status = do_handshake(ssock);
2577
#endif /* PJ_HAS_SSL_SOCK */