Tor
0.4.7.0-alpha-dev
|
#include "lib/crypt_ops/crypto_rsa.h"
#include "lib/testsupport/testsupport.h"
#include "lib/net/nettypes.h"
Go to the source code of this file.
Macros | |
#define | MIN_TOR_TLS_ERROR_VAL_ -9 |
#define | TOR_TLS_ERROR_MISC -9 |
#define | TOR_TLS_ERROR_IO -8 |
#define | TOR_TLS_ERROR_CONNREFUSED -7 |
#define | TOR_TLS_ERROR_CONNRESET -6 |
#define | TOR_TLS_ERROR_NO_ROUTE -5 |
#define | TOR_TLS_ERROR_TIMEOUT -4 |
#define | TOR_TLS_CLOSE -3 |
#define | TOR_TLS_WANTREAD -2 |
#define | TOR_TLS_WANTWRITE -1 |
#define | TOR_TLS_DONE 0 |
#define | CASE_TOR_TLS_ERROR_ANY_NONIO |
#define | CASE_TOR_TLS_ERROR_ANY |
#define | TOR_TLS_IS_ERROR(rv) ((rv) < TOR_TLS_CLOSE) |
#define | TOR_TLS_CTX_IS_PUBLIC_SERVER (1u<<0) |
#define | TOR_TLS_CTX_USE_ECDHE_P256 (1u<<1) |
#define | TOR_TLS_CTX_USE_ECDHE_P224 (1u<<2) |
#define | tor_tls_free(tls) FREE_AND_NULL(tor_tls_t, tor_tls_free_, (tls)) |
#define | check_no_tls_errors() STMT_NIL |
Functions | |
const char * | tor_tls_err_to_string (int err) |
void | tor_tls_get_state_description (tor_tls_t *tls, char *buf, size_t sz) |
void | tor_tls_free_all (void) |
void | tor_tls_init (void) |
void | tls_log_errors (tor_tls_t *tls, int severity, int domain, const char *doing) |
const char * | tor_tls_get_last_error_msg (const tor_tls_t *tls) |
int | tor_tls_context_init (unsigned flags, crypto_pk_t *client_identity, crypto_pk_t *server_identity, unsigned int key_lifetime) |
void | tor_tls_context_incref (tor_tls_context_t *ctx) |
void | tor_tls_context_decref (tor_tls_context_t *ctx) |
tor_tls_context_t * | tor_tls_context_get (int is_server) |
tor_tls_t * | tor_tls_new (tor_socket_t sock, int is_server) |
void | tor_tls_set_logged_address (tor_tls_t *tls, const char *address) |
void | tor_tls_set_renegotiate_callback (tor_tls_t *tls, void(*cb)(tor_tls_t *, void *arg), void *arg) |
int | tor_tls_is_server (tor_tls_t *tls) |
void | tor_tls_release_socket (tor_tls_t *tls) |
void | tor_tls_free_ (tor_tls_t *tls) |
int | tor_tls_peer_has_cert (tor_tls_t *tls) |
struct tor_x509_cert_t * | tor_tls_get_peer_cert (tor_tls_t *tls) |
struct tor_x509_cert_t * | tor_tls_get_own_cert (tor_tls_t *tls) |
int | tor_tls_verify (int severity, tor_tls_t *tls, crypto_pk_t **identity) |
int | tor_tls_read (tor_tls_t *tls, char *cp, size_t len) |
int | tor_tls_write (tor_tls_t *tls, const char *cp, size_t n) |
int | tor_tls_handshake (tor_tls_t *tls) |
int | tor_tls_finish_handshake (tor_tls_t *tls) |
void | tor_tls_unblock_renegotiation (tor_tls_t *tls) |
void | tor_tls_block_renegotiation (tor_tls_t *tls) |
void | tor_tls_assert_renegotiation_unblocked (tor_tls_t *tls) |
int | tor_tls_get_pending_bytes (tor_tls_t *tls) |
size_t | tor_tls_get_forced_write_size (tor_tls_t *tls) |
void | tor_tls_get_n_raw_bytes (tor_tls_t *tls, size_t *n_read, size_t *n_written) |
int | tor_tls_get_buffer_sizes (tor_tls_t *tls, size_t *rbuf_capacity, size_t *rbuf_bytes, size_t *wbuf_capacity, size_t *wbuf_bytes) |
double | tls_get_write_overhead_ratio (void) |
int | tor_tls_used_v1_handshake (tor_tls_t *tls) |
int | tor_tls_get_num_server_handshakes (tor_tls_t *tls) |
int | tor_tls_server_got_renegotiate (tor_tls_t *tls) |
int | tor_tls_cert_matches_key (const tor_tls_t *tls, const struct tor_x509_cert_t *cert) |
int | tor_tls_get_tlssecrets (tor_tls_t *tls, uint8_t *secrets_out) |
int | tor_tls_export_key_material (tor_tls_t *tls, uint8_t *secrets_out, const uint8_t *context, size_t context_len, const char *label) |
int | tor_tls_get_my_certs (int server, const struct tor_x509_cert_t **link_cert_out, const struct tor_x509_cert_t **id_cert_out) |
crypto_pk_t * | tor_tls_get_my_client_auth_key (void) |
const char * | tor_tls_get_ciphersuite_name (tor_tls_t *tls) |
int | evaluate_ecgroup_for_tls (const char *ecgroup) |
#define CASE_TOR_TLS_ERROR_ANY |
Use this macro in a switch statement to catch any TLS error. That way, if more errors are added, your switches will still work.
#define CASE_TOR_TLS_ERROR_ANY_NONIO |
int evaluate_ecgroup_for_tls | ( | const char * | ecgroup | ) |
Check whether the ECC group requested is supported by the current OpenSSL library instance. Return 1 if the group is supported, and 0 if not.
Definition at line 863 of file tortls_nss.c.
double tls_get_write_overhead_ratio | ( | void | ) |
Return a ratio of the bytes that TLS has sent to the bytes that we've told it to send. Used to track whether our TLS records are getting too tiny.
Definition at line 712 of file tortls_nss.c.
Referenced by log_heartbeat().
void tls_log_errors | ( | tor_tls_t * | tls, |
int | severity, | ||
int | domain, | ||
const char * | doing | ||
) |
Log all pending tls errors at level severity in log domain domain. Use doing to describe our current activities.
Definition at line 362 of file tortls_nss.c.
Referenced by tor_tls_export_key_material(), and tor_tls_get_pending_bytes().
void tor_tls_assert_renegotiation_unblocked | ( | tor_tls_t * | tls | ) |
Assert that the flags that allow legacy renegotiation are still set
Definition at line 650 of file tortls_nss.c.
void tor_tls_block_renegotiation | ( | tor_tls_t * | tls | ) |
If this version of openssl supports it, turn off renegotiation on tls. (Our protocol never requires this for security, but it's nice to use belt-and-suspenders here.)
Definition at line 643 of file tortls_nss.c.
Referenced by connection_or_block_renegotiation().
void tor_tls_context_decref | ( | tor_tls_context_t * | ctx | ) |
Remove a reference to ctx, and free it if it has no more references.
Definition at line 119 of file tortls.c.
Referenced by tor_tls_context_init_one().
tor_tls_context_t* tor_tls_context_get | ( | int | is_server | ) |
Return the appropriate TLS context.
Definition at line 45 of file tortls.c.
Referenced by tor_tls_get_my_certs(), tor_tls_get_my_client_auth_key(), and tor_tls_new().
void tor_tls_context_incref | ( | tor_tls_context_t * | ctx | ) |
int tor_tls_context_init | ( | unsigned | flags, |
crypto_pk_t * | client_identity, | ||
crypto_pk_t * | server_identity, | ||
unsigned int | key_lifetime | ||
) |
Create new global client and server TLS contexts.
If server_identity is NULL, this will not generate a server TLS context. If TOR_TLS_CTX_IS_PUBLIC_SERVER is set in flags, use the same TLS context for incoming and outgoing connections, and ignore client_identity. If one of TOR_TLS_CTX_USE_ECDHE_P{224,256} is set in flags, use that ECDHE group if possible; otherwise use the default ECDHE group.
const char* tor_tls_err_to_string | ( | int | err | ) |
int tor_tls_export_key_material | ( | tor_tls_t * | tls, |
uint8_t * | secrets_out, | ||
const uint8_t * | context, | ||
size_t | context_len, | ||
const char * | label | ||
) |
Using the RFC5705 key material exporting construction, and the provided context (context_len bytes long) and label (a NUL-terminated string), compute a 32-byte secret in secrets_out that only the parties to this TLS session can compute. Return 0 on success; -1 on failure; and -2 on failure caused by OpenSSL bug 7712.
Definition at line 809 of file tortls_nss.c.
int tor_tls_finish_handshake | ( | tor_tls_t * | tls | ) |
Perform the final part of the initial TLS handshake on tls. This should be called for the first handshake only: it determines whether the v1 or the v2 handshake was used, and adjusts things for the renegotiation handshake as appropriate.
tor_tls_handshake() calls this on its own; you only need to call this if bufferevent is doing the handshake for you.
Definition at line 627 of file tortls_nss.c.
void tor_tls_free_ | ( | tor_tls_t * | tls | ) |
void tor_tls_free_all | ( | void | ) |
int tor_tls_get_buffer_sizes | ( | tor_tls_t * | tls, |
size_t * | rbuf_capacity, | ||
size_t * | rbuf_bytes, | ||
size_t * | wbuf_capacity, | ||
size_t * | wbuf_bytes | ||
) |
Examine the amount of memory used and available for buffers in tls. Set *rbuf_capacity to the amount of storage allocated for the read buffer and *rbuf_bytes to the amount actually used. Set *wbuf_capacity to the amount of storage allocated for the write buffer and *wbuf_bytes to the amount actually used.
Return 0 on success, -1 on failure.
Definition at line 697 of file tortls_nss.c.
size_t tor_tls_get_forced_write_size | ( | tor_tls_t * | tls | ) |
If tls requires that the next write be of a particular size, return that size. Otherwise, return 0.
Definition at line 669 of file tortls_nss.c.
Referenced by flush_chunk_tls().
const char* tor_tls_get_last_error_msg | ( | const tor_tls_t * | tls | ) |
Return a string representing more detail about the last error received on TLS.
May return null if no error was found.
Definition at line 397 of file tortls_nss.c.
crypto_pk_t* tor_tls_get_my_client_auth_key | ( | void | ) |
Return the authentication key that we use to authenticate ourselves as a client in the V3 in-protocol handshake.
Definition at line 101 of file tortls.c.
Referenced by connection_or_send_authenticate_cell().
void tor_tls_get_n_raw_bytes | ( | tor_tls_t * | tls, |
size_t * | n_read, | ||
size_t * | n_written | ||
) |
Sets n_read and n_written to the number of bytes read and written, respectively, on the raw socket used by tls since the last time this function was called on tls.
Definition at line 677 of file tortls_nss.c.
Referenced by tor_tls_free_().
struct tor_x509_cert_t* tor_tls_get_own_cert | ( | tor_tls_t * | tls | ) |
Return a newly allocated copy of the cerficate we used on the connection, or NULL if somehow we didn't use one.
Definition at line 551 of file tortls_nss.c.
Referenced by connection_or_send_certs_cell().
struct tor_x509_cert_t* tor_tls_get_peer_cert | ( | tor_tls_t * | tls | ) |
Return a newly allocated copy of the peer certificate, or NULL if there isn't one.
Definition at line 541 of file tortls_nss.c.
int tor_tls_get_pending_bytes | ( | tor_tls_t * | tls | ) |
Return the number of bytes available for reading from tls.
Definition at line 657 of file tortls_nss.c.
void tor_tls_get_state_description | ( | tor_tls_t * | tls, |
char * | buf, | ||
size_t | sz | ||
) |
Write a description of the current state of tls into the sz-byte buffer at buf.
Definition at line 346 of file tortls_nss.c.
Referenced by connection_or_get_state_description().
int tor_tls_get_tlssecrets | ( | tor_tls_t * | tls, |
uint8_t * | secrets_out | ||
) |
Set the DIGEST256_LEN buffer at secrets_out to the value used in the v3 handshake to prove that the client knows the TLS secrets for the connection tls. Return 0 on success, -1 on failure.
Definition at line 795 of file tortls_nss.c.
int tor_tls_handshake | ( | tor_tls_t * | tls | ) |
Perform initial handshake on tls. When finished, returns TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
Definition at line 609 of file tortls_nss.c.
void tor_tls_init | ( | void | ) |
Initialize OpenSSL, unless it has already been initialized.
Definition at line 356 of file tortls_nss.c.
Referenced by tor_tls_context_new().
int tor_tls_is_server | ( | tor_tls_t * | tls | ) |
Return whether this tls initiated the connect (client) or received it (server).
Definition at line 379 of file tortls.c.
Referenced by connection_or_nonopen_was_started_here().
tor_tls_t* tor_tls_new | ( | tor_socket_t | sock, |
int | isServer | ||
) |
Create a new TLS object from a file descriptor, and a flag to determine whether it is functioning as a server.
Definition at line 409 of file tortls_nss.c.
Referenced by connection_tls_start_handshake().
int tor_tls_peer_has_cert | ( | tor_tls_t * | tls | ) |
Return true iff this TLS connection is authenticated.
Definition at line 532 of file tortls_nss.c.
int tor_tls_read | ( | tor_tls_t * | tls, |
char * | cp, | ||
size_t | len | ||
) |
Underlying function for TLS reading. Reads up to len characters from tls into cp. On success, returns the number of characters read. On failure, returns TOR_TLS_ERROR, TOR_TLS_CLOSE, TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
Definition at line 562 of file tortls_nss.c.
Referenced by read_to_chunk_tls().
void tor_tls_release_socket | ( | tor_tls_t * | tls | ) |
Tell the TLS library that the underlying socket for tls has been closed, and the library should not attempt to free that socket itself.
Definition at line 484 of file tortls_nss.c.
int tor_tls_server_got_renegotiate | ( | tor_tls_t * | tls | ) |
Return true iff the server TLS connection tls got the renegotiation request it was waiting for.
Definition at line 729 of file tortls_nss.c.
void tor_tls_set_logged_address | ( | tor_tls_t * | tls, |
const char * | address | ||
) |
void tor_tls_set_renegotiate_callback | ( | tor_tls_t * | tls, |
void(*)(tor_tls_t *, void *arg) | cb, | ||
void * | arg | ||
) |
Set cb to be called with argument arg whenever tls next gets a client-side renegotiate in the middle of a read. Do not invoke this function until after initial handshaking is done!
Definition at line 468 of file tortls_nss.c.
Referenced by connection_or_block_renegotiation().
void tor_tls_unblock_renegotiation | ( | tor_tls_t * | tls | ) |
If this version of openssl requires it, turn on renegotiation on tls.
Definition at line 636 of file tortls_nss.c.
int tor_tls_used_v1_handshake | ( | tor_tls_t * | tls | ) |
Return true iff the initial TLS connection at tls did not use a v2 TLS handshake. Output is undefined if the handshake isn't finished.
Definition at line 720 of file tortls_nss.c.
int tor_tls_verify | ( | int | severity, |
tor_tls_t * | tls, | ||
crypto_pk_t ** | identity | ||
) |
int tor_tls_write | ( | tor_tls_t * | tls, |
const char * | cp, | ||
size_t | n | ||
) |
Underlying function for TLS writing. Write up to n characters from cp onto tls. On success, returns the number of characters written. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
Definition at line 585 of file tortls_nss.c.
Referenced by flush_chunk_tls().