Group PJ_SSL_SOCK¶
-
group
PJ_SSL_SOCK
Secure socket provides security on socket operation using standard security protocols such as SSL and TLS.
Secure socket wraps normal socket and applies security features, i.e: privacy and data integrity, on the socket traffic, using standard security protocols such as SSL and TLS.
Secure socket employs active socket operations, which is similar to (and described more detail) in Active socket I/O.
Typedefs
-
typedef struct pj_ssl_sock_t
pj_ssl_sock_t
¶ This opaque structure describes the secure socket.
-
typedef struct pj_ssl_cert_t
pj_ssl_cert_t
¶ Opaque declaration of endpoint certificate or credentials. This may contains certificate, private key, and trusted Certificate Authorities list.
Enums
-
enum
pj_ssl_cert_verify_flag_t
¶ Values:
-
enumerator
PJ_SSL_CERT_ESUCCESS
¶ No error in verification.
-
enumerator
PJ_SSL_CERT_EISSUER_NOT_FOUND
¶ The issuer certificate cannot be found.
-
enumerator
PJ_SSL_CERT_EUNTRUSTED
¶ The certificate is untrusted.
-
enumerator
PJ_SSL_CERT_EVALIDITY_PERIOD
¶ The certificate has expired or not yet valid.
-
enumerator
PJ_SSL_CERT_EINVALID_FORMAT
¶ One or more fields of the certificate cannot be decoded due to invalid format.
-
enumerator
PJ_SSL_CERT_EINVALID_PURPOSE
¶ The certificate cannot be used for the specified purpose.
-
enumerator
PJ_SSL_CERT_EISSUER_MISMATCH
¶ The issuer info in the certificate does not match to the (candidate) issuer certificate, e.g: issuer name not match to subject name of (candidate) issuer certificate.
-
enumerator
PJ_SSL_CERT_ECRL_FAILURE
¶ The CRL certificate cannot be found or cannot be read properly.
-
enumerator
PJ_SSL_CERT_EREVOKED
¶ The certificate has been revoked.
-
enumerator
PJ_SSL_CERT_ECHAIN_TOO_LONG
¶ The certificate chain length is too long.
-
enumerator
PJ_SSL_CERT_EIDENTITY_NOT_MATCH
¶ The server identity does not match to any identities specified in the certificate, e.g: subjectAltName extension, subject common name. This flag will only be set by application as SSL socket does not perform server identity verification.
-
enumerator
PJ_SSL_CERT_EUNKNOWN
¶ Unknown verification error.
-
enumerator
-
enum
pj_ssl_cert_name_type
¶ Values:
-
enumerator
PJ_SSL_CERT_NAME_UNKNOWN
¶
-
enumerator
PJ_SSL_CERT_NAME_RFC822
¶
-
enumerator
PJ_SSL_CERT_NAME_DNS
¶
-
enumerator
PJ_SSL_CERT_NAME_URI
¶
-
enumerator
PJ_SSL_CERT_NAME_IP
¶
-
enumerator
-
enum
pj_ssl_cipher
¶ Cipher suites enumeration.
Values:
-
enumerator
PJ_TLS_NULL_WITH_NULL_NULL
¶
-
enumerator
PJ_TLS_RSA_WITH_NULL_MD5
¶
-
enumerator
PJ_TLS_RSA_WITH_NULL_SHA
¶
-
enumerator
PJ_TLS_RSA_WITH_NULL_SHA256
¶
-
enumerator
PJ_TLS_RSA_WITH_RC4_128_MD5
¶
-
enumerator
PJ_TLS_RSA_WITH_RC4_128_SHA
¶
-
enumerator
PJ_TLS_RSA_WITH_3DES_EDE_CBC_SHA
¶
-
enumerator
PJ_TLS_RSA_WITH_AES_128_CBC_SHA
¶
-
enumerator
PJ_TLS_RSA_WITH_AES_256_CBC_SHA
¶
-
enumerator
PJ_TLS_RSA_WITH_AES_128_CBC_SHA256
¶
-
enumerator
PJ_TLS_RSA_WITH_AES_256_CBC_SHA256
¶
-
enumerator
PJ_TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
¶
-
enumerator
PJ_TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
¶
-
enumerator
PJ_TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
¶
-
enumerator
PJ_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
¶
-
enumerator
PJ_TLS_DH_DSS_WITH_AES_128_CBC_SHA
¶
-
enumerator
PJ_TLS_DH_RSA_WITH_AES_128_CBC_SHA
¶
-
enumerator
PJ_TLS_DHE_DSS_WITH_AES_128_CBC_SHA
¶
-
enumerator
PJ_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
¶
-
enumerator
PJ_TLS_DH_DSS_WITH_AES_256_CBC_SHA
¶
-
enumerator
PJ_TLS_DH_RSA_WITH_AES_256_CBC_SHA
¶
-
enumerator
PJ_TLS_DHE_DSS_WITH_AES_256_CBC_SHA
¶
-
enumerator
PJ_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
¶
-
enumerator
PJ_TLS_DH_DSS_WITH_AES_128_CBC_SHA256
¶
-
enumerator
PJ_TLS_DH_RSA_WITH_AES_128_CBC_SHA256
¶
-
enumerator
PJ_TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
¶
-
enumerator
PJ_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
¶
-
enumerator
PJ_TLS_DH_DSS_WITH_AES_256_CBC_SHA256
¶
-
enumerator
PJ_TLS_DH_RSA_WITH_AES_256_CBC_SHA256
¶
-
enumerator
PJ_TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
¶
-
enumerator
PJ_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
¶
-
enumerator
PJ_TLS_DH_anon_WITH_RC4_128_MD5
¶
-
enumerator
PJ_TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
¶
-
enumerator
PJ_TLS_DH_anon_WITH_AES_128_CBC_SHA
¶
-
enumerator
PJ_TLS_DH_anon_WITH_AES_256_CBC_SHA
¶
-
enumerator
PJ_TLS_DH_anon_WITH_AES_128_CBC_SHA256
¶
-
enumerator
PJ_TLS_DH_anon_WITH_AES_256_CBC_SHA256
¶
-
enumerator
PJ_TLS_RSA_EXPORT_WITH_RC4_40_MD5
¶
-
enumerator
PJ_TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
¶
-
enumerator
PJ_TLS_RSA_WITH_IDEA_CBC_SHA
¶
-
enumerator
PJ_TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
¶
-
enumerator
PJ_TLS_RSA_WITH_DES_CBC_SHA
¶
-
enumerator
PJ_TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
¶
-
enumerator
PJ_TLS_DH_DSS_WITH_DES_CBC_SHA
¶
-
enumerator
PJ_TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
¶
-
enumerator
PJ_TLS_DH_RSA_WITH_DES_CBC_SHA
¶
-
enumerator
PJ_TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
¶
-
enumerator
PJ_TLS_DHE_DSS_WITH_DES_CBC_SHA
¶
-
enumerator
PJ_TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
¶
-
enumerator
PJ_TLS_DHE_RSA_WITH_DES_CBC_SHA
¶
-
enumerator
PJ_TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
¶
-
enumerator
PJ_TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
¶
-
enumerator
PJ_TLS_DH_anon_WITH_DES_CBC_SHA
¶
-
enumerator
PJ_SSL_FORTEZZA_KEA_WITH_NULL_SHA
¶
-
enumerator
PJ_SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA
¶
-
enumerator
PJ_SSL_FORTEZZA_KEA_WITH_RC4_128_SHA
¶
-
enumerator
PJ_SSL_CK_RC4_128_WITH_MD5
¶
-
enumerator
PJ_SSL_CK_RC4_128_EXPORT40_WITH_MD5
¶
-
enumerator
PJ_SSL_CK_RC2_128_CBC_WITH_MD5
¶
-
enumerator
PJ_SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
¶
-
enumerator
PJ_SSL_CK_IDEA_128_CBC_WITH_MD5
¶
-
enumerator
PJ_SSL_CK_DES_64_CBC_WITH_MD5
¶
-
enumerator
PJ_SSL_CK_DES_192_EDE3_CBC_WITH_MD5
¶
-
enumerator
-
enum
pj_ssl_sock_proto
¶ Enumeration of secure socket protocol types.
Values:
-
enumerator
PJ_SSL_SOCK_PROTO_DEFAULT
¶ Default protocol of backend.
-
enumerator
PJ_SSL_SOCK_PROTO_TLS1
¶ TLSv1.0 protocol.
-
enumerator
PJ_SSL_SOCK_PROTO_SSL3
¶ SSLv3.0 protocol.
-
enumerator
PJ_SSL_SOCK_PROTO_SSL23
¶ SSLv3.0 but can roll back to SSLv2.0.
-
enumerator
PJ_SSL_SOCK_PROTO_SSL2
¶ SSLv2.0 protocol.
-
enumerator
PJ_SSL_SOCK_PROTO_DTLS1
¶ DTLSv1.0 protocol.
-
enumerator
Functions
-
pj_status_t
pj_ssl_cert_load_from_files
(pj_pool_t *pool, const pj_str_t *CA_file, const pj_str_t *cert_file, const pj_str_t *privkey_file, const pj_str_t *privkey_pass, pj_ssl_cert_t **p_cert)¶ Create credential from files.
- Parameters
CA_file – The file of trusted CA list.
cert_file – The file of certificate.
privkey_file – The file of private key.
privkey_pass – The password of private key, if any.
p_cert – Pointer to credential instance to be created.
- Returns
PJ_SUCCESS when successful.
-
pj_ssize_t
pj_ssl_cert_info_dump
(const pj_ssl_cert_info *ci, const char *indent, char *buf, pj_size_t buf_size)¶ Dump SSL certificate info.
- Parameters
ci – The certificate info.
indent – String for left indentation.
buf – The buffer where certificate info will be printed on.
buf_size – The buffer size.
- Returns
The length of the dump result, or -1 when buffer size is not sufficient.
-
pj_status_t
pj_ssl_cert_get_verify_status_strings
(pj_uint32_t verify_status, const char *error_strings[], unsigned *count)¶ Get SSL certificate verification error messages from verification status.
- Parameters
verify_status – The SSL certificate verification status.
error_strings – Array of strings to receive the verification error messages.
count – On input it specifies maximum error messages should be retrieved. On output it specifies the number of error messages retrieved.
- Returns
PJ_SUCCESS when successful.
-
pj_status_t
pj_ssl_cipher_get_availables
(pj_ssl_cipher ciphers[], unsigned *cipher_num)¶ Get cipher list supported by SSL/TLS backend.
- Parameters
ciphers – The ciphers buffer to receive cipher list.
cipher_num – Maximum number of ciphers to be received.
- Returns
PJ_SUCCESS when successful.
-
pj_bool_t
pj_ssl_cipher_is_supported
(pj_ssl_cipher cipher)¶ Check if the specified cipher is supported by SSL/TLS backend.
- Parameters
cipher – The cipher.
- Returns
PJ_TRUE when supported.
-
const char *
pj_ssl_cipher_name
(pj_ssl_cipher cipher)¶ Get cipher name string.
- Parameters
cipher – The cipher.
- Returns
The cipher name or NULL if cipher is not recognized/ supported.
-
pj_ssl_cipher
pj_ssl_cipher_id
(const char *cipher_name)¶ Get cipher ID from cipher name string.
- Parameters
cipher_name – The cipher name string.
- Returns
The cipher ID or PJ_TLS_UNKNOWN_CIPHER if the cipher name string is not recognized/supported.
-
void
pj_ssl_sock_param_default
(pj_ssl_sock_param *param)¶ Initialize the secure socket parameters for its creation with the default values.
- Parameters
param – The parameter to be initialized.
-
pj_status_t
pj_ssl_sock_create
(pj_pool_t *pool, const pj_ssl_sock_param *param, pj_ssl_sock_t **p_ssock)¶ Create secure socket instance.
- Parameters
pool – The pool for allocating secure socket instance.
param – The secure socket parameter, see pj_ssl_sock_param.
p_ssock – Pointer to secure socket instance to be created.
- Returns
PJ_SUCCESS when successful.
-
pj_status_t
pj_ssl_sock_set_certificate
(pj_ssl_sock_t *ssock, pj_pool_t *pool, const pj_ssl_cert_t *cert)¶ Set secure socket certificate or credentials. Credentials may include certificate, private key and trusted Certification Authorities list. Normally, server socket must provide certificate (and private key). Socket client may also need to provide certificate in case requested by the server.
- Parameters
ssock – The secure socket instance.
pool – The pool.
cert – The endpoint certificate/credentials, see pj_ssl_cert_t.
- Returns
PJ_SUCCESS if the operation has been successful, or the appropriate error code on failure.
-
pj_status_t
pj_ssl_sock_close
(pj_ssl_sock_t *ssock)¶ Close and destroy the secure socket.
- Parameters
ssock – The secure socket.
- Returns
PJ_SUCCESS if the operation has been successful, or the appropriate error code on failure.
-
pj_status_t
pj_ssl_sock_set_user_data
(pj_ssl_sock_t *ssock, void *user_data)¶ Associate arbitrary data with the secure socket. Application may inspect this data in the callbacks and associate it with higher level processing.
- Parameters
ssock – The secure socket.
user_data – The user data to be associated with the secure socket.
- Returns
PJ_SUCCESS if the operation has been successful, or the appropriate error code on failure.
-
void *
pj_ssl_sock_get_user_data
(pj_ssl_sock_t *ssock)¶ Retrieve the user data previously associated with this secure socket.
- Parameters
ssock – The secure socket.
- Returns
The user data.
-
pj_status_t
pj_ssl_sock_get_info
(pj_ssl_sock_t *ssock, pj_ssl_sock_info *info)¶ Retrieve the local address and port used by specified secure socket.
- Parameters
ssock – The secure socket.
info – The info buffer to be set, see pj_ssl_sock_info.
- Returns
PJ_SUCCESS on successful.
-
pj_status_t
pj_ssl_sock_start_read
(pj_ssl_sock_t *ssock, pj_pool_t *pool, unsigned buff_size, pj_uint32_t flags)¶ Starts read operation on this secure socket. This function will create async_cnt number of buffers (the async_cnt parameter was given in pj_ssl_sock_create() function) where each buffer is buff_size long. The buffers are allocated from the specified pool. Once the buffers are created, it then issues async_cnt number of asynchronous recv() operations to the socket and returns back to caller. Incoming data on the socket will be reported back to application via the on_data_read() callback.
Application only needs to call this function once to initiate read operations. Further read operations will be done automatically by the secure socket when on_data_read() callback returns non-zero.
- Parameters
ssock – The secure socket.
pool – Pool used to allocate buffers for incoming data.
buff_size – The size of each buffer, in bytes.
flags – Flags to be given to pj_ioqueue_recv().
- Returns
PJ_SUCCESS if the operation has been successful, or the appropriate error code on failure.
-
pj_status_t
pj_ssl_sock_start_read2
(pj_ssl_sock_t *ssock, pj_pool_t *pool, unsigned buff_size, void *readbuf[], pj_uint32_t flags)¶ Same as pj_ssl_sock_start_read(), except that the application supplies the buffers for the read operation so that the acive socket does not have to allocate the buffers.
- Parameters
ssock – The secure socket.
pool – Pool used to allocate buffers for incoming data.
buff_size – The size of each buffer, in bytes.
readbuf – Array of packet buffers, each has buff_size size.
flags – Flags to be given to pj_ioqueue_recv().
- Returns
PJ_SUCCESS if the operation has been successful, or the appropriate error code on failure.
-
pj_status_t
pj_ssl_sock_start_recvfrom
(pj_ssl_sock_t *ssock, pj_pool_t *pool, unsigned buff_size, pj_uint32_t flags)¶ Same as pj_ssl_sock_start_read(), except that this function is used only for datagram sockets, and it will trigger on_data_recvfrom() callback instead.
- Parameters
ssock – The secure socket.
pool – Pool used to allocate buffers for incoming data.
buff_size – The size of each buffer, in bytes.
flags – Flags to be given to pj_ioqueue_recvfrom().
- Returns
PJ_SUCCESS if the operation has been successful, or the appropriate error code on failure.
-
pj_status_t
pj_ssl_sock_start_recvfrom2
(pj_ssl_sock_t *ssock, pj_pool_t *pool, unsigned buff_size, void *readbuf[], pj_uint32_t flags)¶ Same as pj_ssl_sock_start_recvfrom() except that the recvfrom() operation takes the buffer from the argument rather than creating new ones.
- Parameters
ssock – The secure socket.
pool – Pool used to allocate buffers for incoming data.
buff_size – The size of each buffer, in bytes.
readbuf – Array of packet buffers, each has buff_size size.
flags – Flags to be given to pj_ioqueue_recvfrom().
- Returns
PJ_SUCCESS if the operation has been successful, or the appropriate error code on failure.
-
pj_status_t
pj_ssl_sock_send
(pj_ssl_sock_t *ssock, pj_ioqueue_op_key_t *send_key, const void *data, pj_ssize_t *size, unsigned flags)¶ Send data using the socket.
- Parameters
ssock – The secure socket.
send_key – The operation key to send the data, which is useful if application wants to submit multiple pending send operations and want to track which exact data has been sent in the on_data_sent() callback.
data – The data to be sent. This data must remain valid until the data has been sent.
size – The size of the data.
flags – Flags to be given to pj_ioqueue_send().
- Returns
PJ_SUCCESS if data has been sent immediately, or PJ_EPENDING if data cannot be sent immediately or PJ_ENOMEM when sending buffer could not handle all queued data, see send_buffer_size. The callback on_data_sent() will be called when data is actually sent. Any other return value indicates error condition.
-
pj_status_t
pj_ssl_sock_sendto
(pj_ssl_sock_t *ssock, pj_ioqueue_op_key_t *send_key, const void *data, pj_ssize_t *size, unsigned flags, const pj_sockaddr_t *addr, int addr_len)¶ Send datagram using the socket.
- Parameters
ssock – The secure socket.
send_key – The operation key to send the data, which is useful if application wants to submit multiple pending send operations and want to track which exact data has been sent in the on_data_sent() callback.
data – The data to be sent. This data must remain valid until the data has been sent.
size – The size of the data.
flags – Flags to be given to pj_ioqueue_send().
addr – The destination address.
addr_len – Length of buffer containing destination address.
- Returns
PJ_SUCCESS if data has been sent immediately, or PJ_EPENDING if data cannot be sent immediately. In this case the on_data_sent() callback will be called when data is actually sent. Any other return value indicates error condition.
-
pj_status_t
pj_ssl_sock_start_accept
(pj_ssl_sock_t *ssock, pj_pool_t *pool, const pj_sockaddr_t *local_addr, int addr_len)¶ Starts asynchronous socket accept() operations on this secure socket. This function will issue async_cnt number of asynchronous accept() operations to the socket and returns back to caller. Incoming connection on the socket will be reported back to application via the on_accept_complete() callback.
Application only needs to call this function once to initiate accept() operations. Further accept() operations will be done automatically by the secure socket when on_accept_complete() callback returns non-zero.
- Parameters
ssock – The secure socket.
pool – Pool used to allocate some internal data for the operation.
localaddr – Local address to bind on.
addr_len – Length of buffer containing local address.
- Returns
PJ_SUCCESS if the operation has been successful, or the appropriate error code on failure.
-
pj_status_t
pj_ssl_sock_start_connect
(pj_ssl_sock_t *ssock, pj_pool_t *pool, const pj_sockaddr_t *localaddr, const pj_sockaddr_t *remaddr, int addr_len)¶ Starts asynchronous socket connect() operation and SSL/TLS handshaking for this socket. Once the connection is done (either successfully or not), the on_connect_complete() callback will be called.
- Parameters
ssock – The secure socket.
pool – The pool to allocate some internal data for the operation.
localaddr – Local address.
remaddr – Remote address.
addr_len – Length of buffer containing above addresses.
- Returns
PJ_SUCCESS if connection can be established immediately or PJ_EPENDING if connection cannot be established immediately. In this case the on_connect_complete() callback will be called when connection is complete. Any other return value indicates error condition.
-
pj_status_t
pj_ssl_sock_renegotiate
(pj_ssl_sock_t *ssock)¶ Starts SSL/TLS renegotiation over an already established SSL connection for this socket. This operation is performed transparently, no callback will be called once the renegotiation completed successfully. However, when the renegotiation fails, the connection will be closed and callback on_data_read() will be invoked with non-PJ_SUCCESS status code.
- Parameters
ssock – The secure socket.
- Returns
PJ_SUCCESS if renegotiation is completed immediately, or PJ_EPENDING if renegotiation has been started and waiting for completion, or the appropriate error code on failure.
-
struct
pj_ssl_cert_info
¶ - #include <ssl_sock.h>
Describe structure of certificate info.
-
struct
pj_ssl_sock_cb
¶ - #include <ssl_sock.h>
This structure contains the callbacks to be called by the secure socket.
-
struct
pj_ssl_sock_info
¶ - #include <ssl_sock.h>
Definition of secure socket info structure.
-
struct
pj_ssl_sock_param
¶ - #include <ssl_sock.h>
Definition of secure socket creation parameters.
-
typedef struct pj_ssl_sock_t