tlssep

Functions

tlssep_init ()

tlssep_status_t
tlssep_init (tlssep_context_t *context);

This function initializes libtlssep and executes a network decorator in preparation for later creating a TLS session.

Parameters

context: a pointer to a tlssep_context_t which this function will initialize

Returns

a tlssep_status_t


tlssep_connect ()

tlssep_status_t
tlssep_connect (tlssep_context_t *context,
                int file_descriptor,
                const char *expected_name,
                char *name,
                tlssep_desc_t *desc);

This function creates a TLS session by connecting over the given file descriptor. Most commonly, the file descriptor is a socket with an existing transport-layer connection to the remote host.

Parameters

context: a pointer to a valid tlssep_context_t

file_descriptor: the file descriptor upon which to create the TLS session; usually a network socket

expected_name: NULL, or a pointer to a valid string giving the name (i.e., the subject common name or a subject alternative name) expected to be present in the remote certificate; what is done with it depends on the configured verification engine

name: if not NULL, this function copies the remote certificate's name to this address; the buffer must be at least TLSSEP_MAX_COMMON_NAME_SIZE bytes long

desc: a pointer to a tlssep_desc_t which this function will initialize

Returns

a tlssep_status_t


tlssep_accept ()

tlssep_status_t
tlssep_accept (tlssep_context_t *context,
               int file_descriptor,
               const char *expected_name,
               char *name,
               tlssep_desc_t *desc);

This function creates a TLS session by accepting on the given file descriptor. Most commonly, the file descriptor is a socket with an existing transport-layer connection to the remote host.

Parameters

context: a pointer to a valid tlssep_context_t

file_descriptor: the file descriptor upon which to create the TLS session; usually a network socket

expected_name: NULL, or a pointer to a valid string giving the name (i.e., the subject common name or a subject alternative name) expected to be present in the remote certificate; what is done with it depends on the configured verification engine

name: if not NULL, this function copies the remote certificate's name to this address; the buffer must be at least TLSSEP_MAX_COMMON_NAME_SIZE bytes long

desc: a pointer to a tlssep_desc_t which this function will initialize

Returns

a tlssep_status_t


tlssep_write ()

tlssep_status_t
tlssep_write (tlssep_desc_t *desc,
              const void *buf,
              int buf_size,
              int *bytes_written);

This function passes a number of bytes to the network decorator which will encrypt the bytes before writing them to the TLS connection.

Parameters

desc: a pointer to a valid tlssep_desc_t

buf: the buffer holding the bytes to write

buf_size: the number of bytes to write from buf

bytes_written: a pointer to an integer which this function sets to the number of bytes actually written

Returns

a tlssep_status_t


tlssep_read ()

tlssep_status_t
tlssep_read (tlssep_desc_t *desc,
             void *buf,
             int buf_size,
             int *bytes_read);

This function asks the network decorator to read up to buf_size bytes from the TLS connection. The network decorator decrypts the bytes before returning them to the application.

Parameters

desc: a pointer to a valid tlssep_desc_t

buf: a buffer which will hold any bytes read

buf_size: the size of buf in bytes

bytes_read: a pointer to an integer which this function sets to the number of bytes actually read

Returns

a tlssep_status_t


tlssep_peek ()

tlssep_status_t
tlssep_peek (tlssep_desc_t *desc,
             void *buf,
             int buf_size,
             int *bytes_read);

This function asks the network decorator to read up to buf_size bytes from the TLS connection and decrypt them before returning them to the application. Unlike tlssep_read, it does not remove the bytes from the decorator's TLS buffer, so subsequent tlssep_read or tlssep_peek calls return the same bytes again.

Parameters

desc: a pointer to a valid tlssep_desc_t

buf: a buffer which will hold any bytes read

buf_size: the size of buf in bytes

bytes_read: a pointer to an integer which this function sets to the number of bytes actually read

Returns

a tlssep_status_t


tlssep_poll ()

tlssep_status_t
tlssep_poll (tlssep_desc_t *desc,
             unsigned int timeout);

This function blocks until data is ready to be read from the TLS connection, or until timeout seconds have elapsed.

Parameters

desc: a pointer to a valid tlssep_desc_t

timeout: the number of seconds to wait for data before giving up

Returns

a tlssep_status_t


tlssep_setnonblock ()

tlssep_status_t
tlssep_setnonblock (tlssep_desc_t *desc);

This function sets the network decorator's TLS file descriptor to non-blocking mode.

Parameters

desc: a pointer to a valid tlssep_desc_t

Returns

a tlssep_status_t


tlssep_close ()

tlssep_status_t
tlssep_close (tlssep_desc_t *desc);

This function instructs the network decorator to close the given TLS connection and to remove its file descriptor from the decorator's select file descriptor set. It also frees any state associated with the connection.

Parameters

desc: a pointer to a valid tlssep_desc_t

Returns

a tlssep_status_t


tlssep_terminate ()

tlssep_status_t
tlssep_terminate (tlssep_context_t *context);

This function instructs the network decorator to exit.

Parameters

context: a pointer to a valid tlssep_context_t

Returns

a tlssep_status_t


tlssep_strerror ()

char *
tlssep_strerror (tlssep_status_t error);

This function converts a tlssep_status_t into its string description.

Parameters

error: a tlssep_status_t

Returns

the string description of the given tlssep_status_t

Types and Values

enum tlssep_status_t

Enum values used to specify status conditions.

Members

TLSSEP_STATUS_OK: No error
TLSSEP_STATUS_AGAIN: Try again
TLSSEP_STATUS_ERROR: Generic error
TLSSEP_STATUS_ERROR_TLS: Generic TLS error
TLSSEP_STATUS_ERROR_RPC_FAILURE: RPC failure
TLSSEP_STATUS_ERROR_ALLOCATION_FAILED: Error allocating memory
TLSSEP_STATUS_ERROR_POLL_FAILED: Error polling decorator
TLSSEP_STATUS_ERROR_SOCKET_FAILED: Error setting up a socket
TLSSEP_STATUS_ERROR_SHM_FAILED: Error setting up shared memory
TLSSEP_STATUS_ERROR_NOTIFICATION_FD_FAILED: Error setting up notification file descriptor
TLSSEP_STATUS_ERROR_DECORATOR_BAD_EXIT: Bad exit code from decorator
TLSSEP_STATUS_ERROR_DECORATOR_FORK: Fork decorator error
TLSSEP_STATUS_ERROR_DECORATOR_MISSING: Decorator missing
TLSSEP_STATUS_ERROR_DECORATOR_NOT_A_FILE: Decorator not a regular file
TLSSEP_STATUS_ERROR_DECORATOR_WRONG_PERMS: Decorator bears incorrect permissions
TLSSEP_STATUS_ERROR_DESCRIPTORS_EXHAUSTED: No more descriptors available
TLSSEP_STATUS_ERROR_TRANSMITTING_FILE_DESCRIPTOR: Error transmitting file descriptor
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERT_PATH: Decorator bad certificate path
TLSSEP_STATUS_ERROR_DECORATOR_BAD_PRIVKEY_PATH: Decorator bad private key path
TLSSEP_STATUS_ERROR_DECORATOR_BAD_PRIVKEY: Decorator bad private key
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CA_PATH: Decorator bad CA path
TLSSEP_STATUS_ERROR_DECORATOR_BAD_VERIFICATION_ENGINE: Bad verification engine
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE: Bad certificate
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_MISSING_ISSUER: Bad certificate, missing issuer
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_MISSING_CRL: Bad certificate, unable to obtain CRL
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_DECRYPT_SIGNATURE: Bad certificate, decryption of certificate signature failed
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_DECRYPT_CRL_SIGNATURE: Bad certificate, decryption of CRL signature failed
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_DECODE_ISSUER_PUBLIC_KEY: Bad certificate, public key could not be read
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_SIGNATURE: Bad certificate, invalid signature
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_CRL_SIGNATURE: Bad certificate, invalid CRL signature
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_NOT_YET_VALID: Bad certificate, not yet valid
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_EXPIRED: Bad certificate, expired
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_CRL_NOT_YET_VALID: Bad certificate, CRL not yet valid
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_CRL_EXPIRED: Bad certificate, CRL expired
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_INVALID_NOT_BEFORE: Bad certificate, invalid not-before field
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_INVALID_NOT_AFTER: Bad certificate, invalid not-after field
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_INVALID_CRL_LAST_UPDATE: Bad certificate, invalid CRL last-update field
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_INVALID_CRL_NEXT_UPDATE: Bad certificate, invalid CRL next-update field
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_SELF_SIGNED: Bad certificate, self signed
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_SELF_SIGNED_CHAIN: Bad certificate, self-signed certificate in chain
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_LEAF: Bad certificate, chain of one
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_CHAIN_TOO_LONG: Bad certificate, chain too long
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_REVOKED: Bad certificate, revoked
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_INVALID_CA: Bad certificate, invalid CA certificate
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_PATH: Bad certificate, path length exceeded
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_PURPOSE: Bad certificate, unsupported certificate purpose
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_UNTRUSTED: Bad certificate, root CA not trusted
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_REJECTED: Bad certificate, rejected
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_ISSUER_MISMATCH: Bad certificate, subject/issuer mismatch
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_AKID_SKID_MISMATCH: Bad certificate, subject key identifier did not match the authority key identifier of the current certificate
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_AKID_ISSUER_SERIAL_MISMATCH: Bad certificate, issuer name and serial number did not match the authority key identifier of the current certificate
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_SIGN_DISALLOWED: Bad certificate, issuer not permitted to sign certificates
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_INVALID_EXTENSION: Bad certificate, invalid extension
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_INVALID_POLICY_EXTENSION: Bad certificate, invalid policy extension
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_NO_EXPLICIT_POLICY: Bad certificate, no required policy present
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_DIFFERENT_CRL_SCOPE: Bad certificate, CRLs do not match scope of certificate
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_UNSUPPORTED_EXTENSION_FEATURE: Bad certificate, unsupported extension feature
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_PERMITTED_VIOLATION: Bad certificate, constraint violation in permitted subtrees
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_EXCLUDED_VIOLATION: Bad certificate, constraint violation in excluded subtrees
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_SUBTREE_MINMAX: Bad certificate, constraints extension included minimum or maximum field
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_UNSUPPORTED_CONSTRAINT_TYPE: Bad certificate, unsupported name constraint type encountered
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_UNSUPPORTED_CONSTRAINT_SYNTAX: Bad certificate, format of the name constraint unrecognized
TLSSEP_STATUS_ERROR_DECORATOR_BAD_CERTIFICATE_CRL_PATH_VALIDATION: Bad certificate, CRL path validation error
TLSSEP_STATUS_ERROR_DECORATOR_ERROR_SETTING_FD: Failed to set file descriptor
TLSSEP_STATUS_ERROR_DECORATOR_MISSING_CERTIFICATE: Missing certificate
TLSSEP_STATUS_ERROR_DECORATOR_MISSING_CERTIFICATE_CHAIN: Could not extract peer certificate chain
TLSSEP_STATUS_ERROR_DECORATOR_CERTIFICATE_MISMATCH: Unexpected name in certificate
TLSSEP_STATUS_ERROR_DECORATOR_CERTIFICATE_NAME_CONTAINS_NULL: Name in certificate contains 0x00
TLSSEP_STATUS_ERROR_DECORATOR_SET_NONBLOCK: Unable to set file descriptor nonblocking
TLSSEP_STATUS_ERROR_DECORATOR_CLOSE: Unable to close file descriptor
TLSSEP_STATUS_ERROR_CLOSED: The TLS connection is closed
TLSSEP_STATUS_ERROR_SYSCALL: A system call returned an error
TLSSEP_STATUS_LAST

enum tlssep_op_t

Members

TLSSEP_OP_INIT
TLSSEP_OP_ACCEPT
TLSSEP_OP_CONNECT
TLSSEP_OP_WRITE
TLSSEP_OP_READ
TLSSEP_OP_PEEK
TLSSEP_OP_SETNONBLOCK
TLSSEP_OP_CLOSE
TLSSEP_OP_TERMINATE

tlssep_context_t

typedef struct {
	/*< private >*/	/* library-internal state; no public fields */
} tlssep_context_t;

Maintains the state of a set of TLS connections and has no public fields. Initialize this structure by calling tlssep_init.


tlssep_desc_t

typedef struct {
	int notificationfd;	/* readable when the decorator has data for tlssep_read */
} tlssep_desc_t;

Serves as the descriptor of a single TLS connection. An application can poll the notificationfd file descriptor to determine whether data is available to be read from the network decorator using tlssep_read. Initialize this structure by calling tlssep_connect or tlssep_accept.
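The notification file descriptor is the only part of a TLS connection the application handles directly, so a program serving several connections multiplexes on it with poll(2) and calls tlssep_read only for descriptors that are ready. The helper below is an added example, not libtlssep code: it redeclares the public field of tlssep_desc_t locally (an assumption; a real program includes the library header instead) and takes a millisecond timeout like poll(2), whereas tlssep_poll takes seconds.

```c
#include <errno.h>
#include <poll.h>
#include <stddef.h>
#include <unistd.h>

/* Local mirror of the one public field of libtlssep's tlssep_desc_t
 * (assumption: a real program includes the library header instead). */
typedef struct {
    int notificationfd;
} tlssep_desc_t;

#define TLSSEP_WAIT_MAX 64  /* constructed limit for this example */

/* Wait up to timeout_ms milliseconds (negative: forever) for any of the n
 * descriptors to have data ready from the network decorator. On return,
 * ready[i] is 1 if descs[i] can be handed to tlssep_read, 0 otherwise.
 * Returns the number of ready descriptors, 0 on timeout, or -1 with errno
 * set on a poll(2) failure. A notification fd reporting POLLHUP, POLLERR
 * or POLLNVAL is marked ready too, so the next tlssep_read surfaces the
 * closed or broken connection instead of the caller spinning on poll. */
int tlssep_wait_ready(const tlssep_desc_t *descs, size_t n,
                      int *ready, int timeout_ms)
{
    struct pollfd fds[TLSSEP_WAIT_MAX];
    int rc, count = 0;

    if (n > TLSSEP_WAIT_MAX) {
        errno = EINVAL;
        return -1;
    }
    for (size_t i = 0; i < n; i++) {
        /* poll(2) skips negative fds, so unused slots may hold { -1 } */
        fds[i].fd = descs[i].notificationfd;
        fds[i].events = POLLIN;
        fds[i].revents = 0;
        ready[i] = 0;
    }
    do {
        rc = poll(fds, (nfds_t)n, timeout_ms);
    } while (rc < 0 && errno == EINTR);  /* interrupted by a signal: retry */
    if (rc <= 0)
        return rc;
    for (size_t i = 0; i < n; i++) {
        if (fds[i].revents & (POLLIN | POLLHUP | POLLERR | POLLNVAL)) {
            ready[i] = 1;
            count++;
        }
    }
    return count;
}
```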