tortls.c File Reference
#include "lib/tls/x509.h"
#include "lib/tls/x509_internal.h"
#include "lib/tls/tortls_sys.h"
#include "lib/tls/tortls.h"
#include "lib/tls/tortls_st.h"
#include "lib/tls/tortls_internal.h"
#include "lib/log/util_bug.h"
#include "lib/intmath/cmp.h"
#include "lib/crypt_ops/crypto_rsa.h"
#include "lib/crypt_ops/crypto_rand.h"
#include "lib/net/socket.h"
#include "lib/subsys/subsys.h"
#include <time.h>



#define TOR_X509_PRIVATE
#define RSA_LINK_KEY_BITS   2048
#define IDENTITY_CERT_LIFETIME   (365*24*60*60)


tor_tls_context_t * tor_tls_context_get (int is_server)
int tor_errno_to_tls_error (int e)
int tor_tls_get_my_certs (int server, const tor_x509_cert_t **link_cert_out, const tor_x509_cert_t **id_cert_out)
crypto_pk_t * tor_tls_get_my_client_auth_key (void)
void tor_tls_context_incref (tor_tls_context_t *ctx)
void tor_tls_context_decref (tor_tls_context_t *ctx)
void tor_tls_free_all (void)
const char * tor_tls_err_to_string (int err)
int tor_tls_context_init (unsigned flags, crypto_pk_t *client_identity, crypto_pk_t *server_identity, unsigned int key_lifetime)
int tor_tls_context_init_one (tor_tls_context_t **ppcontext, crypto_pk_t *identity, unsigned int key_lifetime, unsigned int flags, int is_client)
int tor_tls_context_init_certificates (tor_tls_context_t *result, crypto_pk_t *identity, unsigned key_lifetime, unsigned flags)
void tor_tls_set_logged_address (tor_tls_t *tls, const char *address)
int tor_tls_is_server (tor_tls_t *tls)
void tor_tls_free_ (tor_tls_t *tls)
int tor_tls_verify (int severity, tor_tls_t *tls, crypto_pk_t **identity)
static void subsys_tortls_shutdown (void)


const subsys_fns_t sys_tortls
STATIC tor_tls_context_t * server_tls_context = NULL
STATIC tor_tls_context_t * client_tls_context = NULL

Detailed Description

Wrapper functions to present a consistent interface to TLS, SSL, and X.509 functions from OpenSSL.

Definition in file tortls.c.

Macro Definition Documentation


#define IDENTITY_CERT_LIFETIME   (365*24*60*60)

How long identity certificates live, in seconds (365 days).

Definition at line 279 of file tortls.c.


#define RSA_LINK_KEY_BITS   2048

Size, in bits, of the RSA key to use for our TLS link keys.

Definition at line 276 of file tortls.c.

Referenced by tor_tls_context_init_certificates().

Function Documentation

◆ tor_errno_to_tls_error()

int tor_errno_to_tls_error ( int  e)

Convert an errno (or a WSAerrno on windows) into a TOR_TLS_* error code.

Definition at line 48 of file tortls.c.

◆ tor_tls_context_decref()

void tor_tls_context_decref ( tor_tls_context_t * ctx)

Remove a reference to ctx, and free it if it has no more references.

Definition at line 114 of file tortls.c.

References tor_assert().

Referenced by tor_tls_free_().

◆ tor_tls_context_get()

tor_tls_context_t* tor_tls_context_get ( int  is_server)

Return the appropriate TLS context.

Definition at line 40 of file tortls.c.

References server_tls_context.

Referenced by tor_tls_get_my_certs(), tor_tls_get_my_client_auth_key(), and tor_tls_new().

◆ tor_tls_context_incref()

void tor_tls_context_incref ( tor_tls_context_t * ctx)

Increase the reference count of ctx.

Definition at line 106 of file tortls.c.

◆ tor_tls_context_init()

int tor_tls_context_init ( unsigned  flags,
crypto_pk_t * client_identity,
crypto_pk_t * server_identity,
unsigned int  key_lifetime )

Create new global client and server TLS contexts.

If server_identity is NULL, this will not generate a server TLS context. If TOR_TLS_CTX_IS_PUBLIC_SERVER is set in flags, use the same TLS context for incoming and outgoing connections, and ignore client_identity. If one of TOR_TLS_CTX_USE_ECDHE_P{224,256} is set in flags, use that ECDHE group if possible; otherwise use the default ECDHE group.

Definition at line 177 of file tortls.c.

◆ tor_tls_context_init_certificates()

int tor_tls_context_init_certificates ( tor_tls_context_t * result,
crypto_pk_t * identity,
unsigned  key_lifetime,
unsigned  flags )

Initialize the certificates and keys for the TLS context result.

Other arguments as for tor_tls_context_new().

Definition at line 287 of file tortls.c.

References crypto_random_hostname(), and RSA_LINK_KEY_BITS.

◆ tor_tls_context_init_one()

int tor_tls_context_init_one ( tor_tls_context_t **  ppcontext,
crypto_pk_t * identity,
unsigned int  key_lifetime,
unsigned int  flags,
int  is_client )

Create a new global TLS context.

You can call this function multiple times. Each time you call it, it generates new certificates; all new connections will use the new SSL context.

Definition at line 249 of file tortls.c.

◆ tor_tls_err_to_string()

const char* tor_tls_err_to_string ( int  err)

Given a TOR_TLS_* error code, return a string equivalent.

Definition at line 150 of file tortls.c.

◆ tor_tls_free_()

void tor_tls_free_ ( tor_tls_t * tls)

Release resources associated with a TLS object. Does not close the underlying file descriptor.

Definition at line 384 of file tortls.c.

References tor_tls_t::address, tor_tls_t::ssl, tor_assert(), tor_free, tor_tls_context_decref(), and tor_tls_get_n_raw_bytes().

◆ tor_tls_free_all()

void tor_tls_free_all ( void  )

Free all global TLS structures.

Definition at line 132 of file tortls.c.

◆ tor_tls_get_my_certs()

int tor_tls_get_my_certs ( int  server,
const tor_x509_cert_t **  link_cert_out,
const tor_x509_cert_t **  id_cert_out )

Set *link_cert_out and *id_cert_out to the link certificate and ID certificate that we're currently using for our V3 in-protocol handshake's certificate chain. If server is true, provide the certs that we use in server mode (auth, ID); otherwise, provide the certs that we use in client mode (link, ID).

Definition at line 71 of file tortls.c.

References tor_tls_context_get().

Referenced by connection_or_compute_authenticate_cell_body(), connection_or_send_certs_cell(), and generate_ed_link_cert().

◆ tor_tls_get_my_client_auth_key()

crypto_pk_t* tor_tls_get_my_client_auth_key ( void  )

Return the authentication key that we use to authenticate ourselves as a client in the V3 in-protocol handshake.

Definition at line 96 of file tortls.c.

References tor_tls_context_get().

Referenced by MOCK_IMPL().

◆ tor_tls_is_server()

int tor_tls_is_server ( tor_tls_t * tls)

Return whether this tls initiated the connect (client) or received it (server).

Definition at line 374 of file tortls.c.

References tor_tls_t::isServer, and tor_assert().

Referenced by connection_or_nonopen_was_started_here().

◆ tor_tls_set_logged_address()

void tor_tls_set_logged_address ( tor_tls_t * tls,
const char *  address )

Make future log messages about tls display the address address.

Definition at line 364 of file tortls.c.

References tor_tls_t::address, tor_assert(), and tor_free.

◆ tor_tls_verify()

int tor_tls_verify ( int  severity,
tor_tls_t * tls,
crypto_pk_t **  identity )

If the provided tls connection is authenticated and has a certificate chain that is currently valid and signed, then set *identity (called *identity_key in the original comment) to the identity certificate's key and return 0. Else, return -1 and log complaints with log-level severity. Nothing here says *identity is written on failure, so callers should use it only after a 0 return.

Definition at line 411 of file tortls.c.

References LD_PROTOCOL, log_fn, tor_assert(), tor_tls_cert_get_key(), and tor_tls_cert_is_valid().

Variable Documentation

◆ server_tls_context

STATIC tor_tls_context_t* server_tls_context = NULL

Global TLS contexts. We keep them here because nobody else needs to touch them.

Definition at line 32 of file tortls.c.

Referenced by tor_tls_context_get().

◆ sys_tortls

const subsys_fns_t sys_tortls
Initial value:
= {
.name = "tortls",
.level = -50,
.shutdown = subsys_tortls_shutdown
}

Definition at line 452 of file tortls.c.