/*!
* \internal
* \brief Should only be called by the individual field handlers
*/
static struct ast_sip_transport_state *find_or_create_temporary_state(struct ast_sip_transport *transport)
{
struct ast_sip_transport_state **state;
struct ast_sip_transport_state *new_state;
if ((new_state = find_temporary_state(transport))) {
return new_state;
}
state = ast_threadstorage_get(&temp_state_store, sizeof(state));
if (!state || *state) {
return NULL;
}
new_state = ao2_alloc(sizeof(**state), sip_transport_state_destroy);
if (!new_state) {
return NULL;
}
new_state->id = ast_strdup(ast_sorcery_object_get_id(transport));
new_state->type = transport->type;
pjsip_tls_setting_default(&new_state->tls);
new_state->tls.ciphers = new_state->ciphers;
ao2_ref(new_state, +1);
*state = new_state;
return new_state;
}
void SIPAccount::initTlsConfiguration (void)
{
// TLS listener is unique and should be only modified through IP2IP_PROFILE
setTlsListenerPort (atoi (_tlsPortStr.c_str()));
delete _tlsSetting;
_tlsSetting = new pjsip_tls_setting;
assert (_tlsSetting);
pjsip_tls_setting_default (_tlsSetting);
pj_cstr (&_tlsSetting->ca_list_file, _tlsCaListFile.c_str());
pj_cstr (&_tlsSetting->cert_file, _tlsCertificateFile.c_str());
pj_cstr (&_tlsSetting->privkey_file, _tlsPrivateKeyFile.c_str());
pj_cstr (&_tlsSetting->password, _tlsPassword.c_str());
_tlsSetting->method = sslMethodStringToPjEnum (_tlsMethod);
pj_cstr (&_tlsSetting->ciphers, _tlsCiphers.c_str());
pj_cstr (&_tlsSetting->server_name, _tlsServerName.c_str());
_tlsSetting->verify_server = _tlsVerifyServer ? PJ_TRUE: PJ_FALSE;
_tlsSetting->verify_client = _tlsVerifyClient ? PJ_TRUE: PJ_FALSE;
_tlsSetting->require_client_cert = _tlsRequireClientCertificate ? PJ_TRUE: PJ_FALSE;
_tlsSetting->timeout.sec = atol (_tlsNegotiationTimeoutSec.c_str());
_tlsSetting->timeout.msec = atol (_tlsNegotiationTimeoutMsec.c_str());
}
/*! \brief Allocator for transport */
static void *transport_alloc(const char *name)
{
struct ast_sip_transport *transport = ast_sorcery_generic_alloc(sizeof(*transport), transport_destroy);
if (!transport) {
return NULL;
}
if (ast_string_field_init(transport, 256)) {
ao2_cleanup(transport);
return NULL;
}
pjsip_tls_setting_default(&transport->tls);
transport->tls.ciphers = transport->ciphers;
return transport;
}
/*
* This is the public API to create, initialize, register, and start the
* TLS listener.
*/
PJ_DEF(pj_status_t) pjsip_tls_transport_start (pjsip_endpoint *endpt,
const pjsip_tls_setting *opt,
const pj_sockaddr_in *local,
const pjsip_host_port *a_name,
unsigned async_cnt,
pjsip_tpfactory **p_factory)
{
pj_pool_t *pool;
struct tls_listener *listener;
pj_ssl_sock_param ssock_param;
pj_sockaddr_in *listener_addr;
pj_bool_t has_listener;
pj_status_t status;
/* Sanity check */
PJ_ASSERT_RETURN(endpt && async_cnt, PJ_EINVAL);
/* Verify that address given in a_name (if any) is valid */
if (a_name && a_name->host.slen) {
pj_sockaddr_in tmp;
status = pj_sockaddr_in_init(&tmp, &a_name->host,
(pj_uint16_t)a_name->port);
if (status != PJ_SUCCESS || tmp.sin_addr.s_addr == PJ_INADDR_ANY ||
tmp.sin_addr.s_addr == PJ_INADDR_NONE)
{
/* Invalid address */
return PJ_EINVAL;
}
}
pool = pjsip_endpt_create_pool(endpt, "tlslis", POOL_LIS_INIT,
POOL_LIS_INC);
PJ_ASSERT_RETURN(pool, PJ_ENOMEM);
listener = PJ_POOL_ZALLOC_T(pool, struct tls_listener);
listener->factory.pool = pool;
listener->factory.type = PJSIP_TRANSPORT_TLS;
listener->factory.type_name = "tls";
listener->factory.flag =
pjsip_transport_get_flag_from_type(PJSIP_TRANSPORT_TLS);
pj_ansi_strcpy(listener->factory.obj_name, "tlslis");
if (opt)
pjsip_tls_setting_copy(pool, &listener->tls_setting, opt);
else
pjsip_tls_setting_default(&listener->tls_setting);
status = pj_lock_create_recursive_mutex(pool, "tlslis",
&listener->factory.lock);
if (status != PJ_SUCCESS)
goto on_error;
if (async_cnt > MAX_ASYNC_CNT)
async_cnt = MAX_ASYNC_CNT;
/* Build SSL socket param */
pj_ssl_sock_param_default(&ssock_param);
ssock_param.cb.on_accept_complete = &on_accept_complete;
ssock_param.cb.on_data_read = &on_data_read;
ssock_param.cb.on_data_sent = &on_data_sent;
ssock_param.async_cnt = async_cnt;
ssock_param.ioqueue = pjsip_endpt_get_ioqueue(endpt);
ssock_param.require_client_cert = listener->tls_setting.require_client_cert;
ssock_param.timeout = listener->tls_setting.timeout;
ssock_param.user_data = listener;
ssock_param.verify_peer = PJ_FALSE; /* avoid SSL socket closing the socket
* due to verification error */
if (ssock_param.send_buffer_size < PJSIP_MAX_PKT_LEN)
ssock_param.send_buffer_size = PJSIP_MAX_PKT_LEN;
if (ssock_param.read_buffer_size < PJSIP_MAX_PKT_LEN)
ssock_param.read_buffer_size = PJSIP_MAX_PKT_LEN;
ssock_param.ciphers_num = listener->tls_setting.ciphers_num;
ssock_param.ciphers = listener->tls_setting.ciphers;
ssock_param.qos_type = listener->tls_setting.qos_type;
ssock_param.qos_ignore_error = listener->tls_setting.qos_ignore_error;
pj_memcpy(&ssock_param.qos_params, &listener->tls_setting.qos_params,
sizeof(ssock_param.qos_params));
has_listener = PJ_FALSE;
switch(listener->tls_setting.method) {
case PJSIP_TLSV1_METHOD:
ssock_param.proto = PJ_SSL_SOCK_PROTO_TLS1;
break;
case PJSIP_SSLV2_METHOD:
ssock_param.proto = PJ_SSL_SOCK_PROTO_SSL2;
break;
case PJSIP_SSLV3_METHOD:
ssock_param.proto = PJ_SSL_SOCK_PROTO_SSL3;
break;
case PJSIP_SSLV23_METHOD:
ssock_param.proto = PJ_SSL_SOCK_PROTO_SSL23;
break;
default:
ssock_param.proto = PJ_SSL_SOCK_PROTO_DEFAULT;
break;
}
/* Create SSL socket */
status = pj_ssl_sock_create(pool, &ssock_param, &listener->ssock);
if (status != PJ_SUCCESS)
goto on_error;
listener_addr = (pj_sockaddr_in*)&listener->factory.local_addr;
if (local) {
pj_sockaddr_cp((pj_sockaddr_t*)listener_addr,
(const pj_sockaddr_t*)local);
} else {
pj_sockaddr_in_init(listener_addr, NULL, 0);
}
/* Check if certificate/CA list for SSL socket is set */
if (listener->tls_setting.cert_file.slen ||
listener->tls_setting.ca_list_file.slen)
{
status = pj_ssl_cert_load_from_files(pool,
&listener->tls_setting.ca_list_file,
&listener->tls_setting.cert_file,
&listener->tls_setting.privkey_file,
&listener->tls_setting.password,
&listener->cert);
if (status != PJ_SUCCESS)
goto on_error;
status = pj_ssl_sock_set_certificate(listener->ssock, pool,
listener->cert);
if (status != PJ_SUCCESS)
goto on_error;
}
/* Start accepting incoming connections. Note that some TLS/SSL backends
* may not support for SSL socket server.
*/
has_listener = PJ_FALSE;
status = pj_ssl_sock_start_accept(listener->ssock, pool,
(pj_sockaddr_t*)listener_addr,
pj_sockaddr_get_len((pj_sockaddr_t*)listener_addr));
if (status == PJ_SUCCESS || status == PJ_EPENDING) {
pj_ssl_sock_info info;
has_listener = PJ_TRUE;
/* Retrieve the bound address */
status = pj_ssl_sock_get_info(listener->ssock, &info);
if (status == PJ_SUCCESS)
pj_sockaddr_cp(listener_addr, (pj_sockaddr_t*)&info.local_addr);
} else if (status != PJ_ENOTSUP) {
goto on_error;
}
/* If published host/IP is specified, then use that address as the
* listener advertised address.
*/
if (a_name && a_name->host.slen) {
/* Copy the address */
listener->factory.addr_name = *a_name;
pj_strdup(listener->factory.pool, &listener->factory.addr_name.host,
&a_name->host);
listener->factory.addr_name.port = a_name->port;
} else {
/* No published address is given, use the bound address */
/* If the address returns 0.0.0.0, use the default
* interface address as the transport's address.
*/
if (listener_addr->sin_addr.s_addr == 0) {
pj_sockaddr hostip;
status = pj_gethostip(pj_AF_INET(), &hostip);
if (status != PJ_SUCCESS)
goto on_error;
listener_addr->sin_addr.s_addr = hostip.ipv4.sin_addr.s_addr;
}
/* Save the address name */
sockaddr_to_host_port(listener->factory.pool,
&listener->factory.addr_name, listener_addr);
}
/* If port is zero, get the bound port */
if (listener->factory.addr_name.port == 0) {
listener->factory.addr_name.port = pj_ntohs(listener_addr->sin_port);
}
pj_ansi_snprintf(listener->factory.obj_name,
sizeof(listener->factory.obj_name),
"tlslis:%d", listener->factory.addr_name.port);
/* Register to transport manager */
listener->endpt = endpt;
listener->tpmgr = pjsip_endpt_get_tpmgr(endpt);
listener->factory.create_transport2 = lis_create_transport;
listener->factory.destroy = lis_destroy;
listener->is_registered = PJ_TRUE;
status = pjsip_tpmgr_register_tpfactory(listener->tpmgr,
&listener->factory);
if (status != PJ_SUCCESS) {
listener->is_registered = PJ_FALSE;
goto on_error;
}
if (has_listener) {
PJ_LOG(4,(listener->factory.obj_name,
"SIP TLS listener is ready for incoming connections "
"at %.*s:%d",
(int)listener->factory.addr_name.host.slen,
listener->factory.addr_name.host.ptr,
listener->factory.addr_name.port));
} else {
PJ_LOG(4,(listener->factory.obj_name, "SIP TLS is ready "
"(client only)"));
}
/* Return the pointer to user */
if (p_factory) *p_factory = &listener->factory;
return PJ_SUCCESS;
on_error:
lis_destroy(&listener->factory);
return status;
}
