Macros | Functions
tortls.h File Reference

Headers for tortls.c. More...

#include "lib/crypt_ops/crypto_rsa.h"
#include "lib/testsupport/testsupport.h"
#include "lib/net/nettypes.h"

Go to the source code of this file.


#define MIN_TOR_TLS_ERROR_VAL_   -9
#define TOR_TLS_ERROR_MISC   -9
#define TOR_TLS_ERROR_IO   -8
#define TOR_TLS_CLOSE   -3
#define TOR_TLS_WANTREAD   -2
#define TOR_TLS_WANTWRITE   -1
#define TOR_TLS_DONE   0
#define TOR_TLS_IS_ERROR(rv)   ((rv) < TOR_TLS_CLOSE)
#define TOR_TLS_CTX_IS_PUBLIC_SERVER   (1u<<0)
#define TOR_TLS_CTX_USE_ECDHE_P256   (1u<<1)
#define TOR_TLS_CTX_USE_ECDHE_P224   (1u<<2)
#define tor_tls_free(tls)   FREE_AND_NULL(tor_tls_t, tor_tls_free_, (tls))
#define check_no_tls_errors()   STMT_NIL


const char * tor_tls_err_to_string (int err)
void tor_tls_get_state_description (tor_tls_t *tls, char *buf, size_t sz)
void tor_tls_free_all (void)
void tor_tls_init (void)
void tls_log_errors (tor_tls_t *tls, int severity, int domain, const char *doing)
const char * tor_tls_get_last_error_msg (const tor_tls_t *tls)
int tor_tls_context_init (unsigned flags, crypto_pk_t *client_identity, crypto_pk_t *server_identity, unsigned int key_lifetime)
void tor_tls_context_incref (tor_tls_context_t *ctx)
void tor_tls_context_decref (tor_tls_context_t *ctx)
tor_tls_context_ttor_tls_context_get (int is_server)
tor_tls_ttor_tls_new (tor_socket_t sock, int is_server)
void tor_tls_set_logged_address (tor_tls_t *tls, const char *address)
void tor_tls_set_renegotiate_callback (tor_tls_t *tls, void(*cb)(tor_tls_t *, void *arg), void *arg)
int tor_tls_is_server (tor_tls_t *tls)
void tor_tls_release_socket (tor_tls_t *tls)
void tor_tls_free_ (tor_tls_t *tls)
int tor_tls_peer_has_cert (tor_tls_t *tls)
struct tor_x509_cert_t * tor_tls_get_peer_cert (tor_tls_t *tls)
struct tor_x509_cert_t * tor_tls_get_own_cert (tor_tls_t *tls)
int tor_tls_verify (int severity, tor_tls_t *tls, crypto_pk_t **identity)
int tor_tls_read (tor_tls_t *tls, char *cp, size_t len)
int tor_tls_write (tor_tls_t *tls, const char *cp, size_t n)
int tor_tls_handshake (tor_tls_t *tls)
int tor_tls_finish_handshake (tor_tls_t *tls)
void tor_tls_unblock_renegotiation (tor_tls_t *tls)
void tor_tls_block_renegotiation (tor_tls_t *tls)
void tor_tls_assert_renegotiation_unblocked (tor_tls_t *tls)
int tor_tls_get_pending_bytes (tor_tls_t *tls)
size_t tor_tls_get_forced_write_size (tor_tls_t *tls)
void tor_tls_get_n_raw_bytes (tor_tls_t *tls, size_t *n_read, size_t *n_written)
int tor_tls_get_buffer_sizes (tor_tls_t *tls, size_t *rbuf_capacity, size_t *rbuf_bytes, size_t *wbuf_capacity, size_t *wbuf_bytes)
double tls_get_write_overhead_ratio (void)
int tor_tls_used_v1_handshake (tor_tls_t *tls)
int tor_tls_get_num_server_handshakes (tor_tls_t *tls)
int tor_tls_server_got_renegotiate (tor_tls_t *tls)
int tor_tls_cert_matches_key (const tor_tls_t *tls, const struct tor_x509_cert_t *cert)
int tor_tls_get_tlssecrets (tor_tls_t *tls, uint8_t *secrets_out)
int tor_tls_export_key_material (tor_tls_t *tls, uint8_t *secrets_out, const uint8_t *context, size_t context_len, const char *label)
int tor_tls_get_my_certs (int server, const struct tor_x509_cert_t **link_cert_out, const struct tor_x509_cert_t **id_cert_out)
crypto_pk_ttor_tls_get_my_client_auth_key (void)
const char * tor_tls_get_ciphersuite_name (tor_tls_t *tls)
int evaluate_ecgroup_for_tls (const char *ecgroup)

Detailed Description

Headers for tortls.c.

Definition in file tortls.h.

Macro Definition Documentation



Use this macro in a switch statement to catch any TLS error. That way, if more errors are added, your switches will still work.

Definition at line 62 of file tortls.h.



Collection of case statements for all TLS errors that are not due to underlying IO failure.

Definition at line 53 of file tortls.h.

Function Documentation

◆ evaluate_ecgroup_for_tls()

int evaluate_ecgroup_for_tls ( const char *  ecgroup)

Check whether the ECC group requested is supported by the current OpenSSL library instance. Return 1 if the group is supported, and 0 if not.

Definition at line 818 of file tortls_nss.c.

◆ tls_get_write_overhead_ratio()

double tls_get_write_overhead_ratio ( void  )

Return a ratio of the bytes that TLS has sent to the bytes that we've told it to send. Used to track whether our TLS records are getting too tiny.

Definition at line 702 of file tortls_nss.c.

Referenced by log_heartbeat().

◆ tls_log_errors()

void tls_log_errors ( tor_tls_t tls,
int  severity,
int  domain,
const char *  doing 

Log all pending tls errors at level severity in log domain domain. Use doing to describe our current activities.

Definition at line 362 of file tortls_nss.c.

Referenced by tor_tls_export_key_material(), and tor_tls_get_pending_bytes().

◆ tor_tls_assert_renegotiation_unblocked()

void tor_tls_assert_renegotiation_unblocked ( tor_tls_t tls)

Assert that the flags that allow legacy renegotiation are still set

Definition at line 640 of file tortls_nss.c.

◆ tor_tls_block_renegotiation()

void tor_tls_block_renegotiation ( tor_tls_t tls)

If this version of openssl supports it, turn off renegotiation on tls. (Our protocol never requires this for security, but it's nice to use belt-and-suspenders here.)

Definition at line 633 of file tortls_nss.c.

Referenced by connection_or_block_renegotiation().

◆ tor_tls_context_decref()

void tor_tls_context_decref ( tor_tls_context_t ctx)

Remove a reference to ctx, and free it if it has no more references.

Definition at line 119 of file tortls.c.

Referenced by tor_tls_context_init_one().

◆ tor_tls_context_get()

tor_tls_context_t* tor_tls_context_get ( int  is_server)

Return the appropriate TLS context.

Definition at line 45 of file tortls.c.

Referenced by tor_tls_get_my_certs(), tor_tls_get_my_client_auth_key(), and tor_tls_new().

◆ tor_tls_context_incref()

void tor_tls_context_incref ( tor_tls_context_t ctx)

Increase the reference count of ctx.

Definition at line 111 of file tortls.c.

◆ tor_tls_context_init()

int tor_tls_context_init ( unsigned  flags,
crypto_pk_t client_identity,
crypto_pk_t server_identity,
unsigned int  key_lifetime 

Create new global client and server TLS contexts.

If server_identity is NULL, this will not generate a server TLS context. If TOR_TLS_CTX_IS_PUBLIC_SERVER is set in flags, use the same TLS context for incoming and outgoing connections, and ignore client_identity. If one of TOR_TLS_CTX_USE_ECDHE_P{224,256} is set in flags, use that ECDHE group if possible; otherwise use the default ECDHE group.

Definition at line 182 of file tortls.c.

◆ tor_tls_err_to_string()

const char* tor_tls_err_to_string ( int  err)

Given a TOR_TLS_* error code, return a string equivalent.

Definition at line 155 of file tortls.c.

◆ tor_tls_export_key_material()

int tor_tls_export_key_material ( tor_tls_t tls,
uint8_t *  secrets_out,
const uint8_t *  context,
size_t  context_len,
const char *  label 

Using the RFC5705 key material exporting construction, and the provided context (context_len bytes long) and label (a NUL-terminated string), compute a 32-byte secret in secrets_out that only the parties to this TLS session can compute. Return 0 on success; -1 on failure; and -2 on failure caused by OpenSSL bug 7712.

Definition at line 764 of file tortls_nss.c.

◆ tor_tls_finish_handshake()

int tor_tls_finish_handshake ( tor_tls_t tls)

Perform the final part of the initial TLS handshake on tls. This should be called for the first handshake only: it determines whether the v1 or the v2 handshake was used, and adjusts things for the renegotiation handshake as appropriate.

tor_tls_handshake() calls this on its own; you only need to call this if bufferevent is doing the handshake for you.

Definition at line 617 of file tortls_nss.c.

◆ tor_tls_free_()

void tor_tls_free_ ( tor_tls_t tls)

Release resources associated with a TLS object. Does not close the underlying file descriptor.

Definition at line 389 of file tortls.c.

◆ tor_tls_free_all()

void tor_tls_free_all ( void  )

Free all global TLS structures.

Definition at line 137 of file tortls.c.

◆ tor_tls_get_buffer_sizes()

int tor_tls_get_buffer_sizes ( tor_tls_t tls,
size_t *  rbuf_capacity,
size_t *  rbuf_bytes,
size_t *  wbuf_capacity,
size_t *  wbuf_bytes 

Examine the amount of memory used and available for buffers in tls. Set *rbuf_capacity to the amount of storage allocated for the read buffer and *rbuf_bytes to the amount actually used. Set *wbuf_capacity to the amount of storage allocated for the write buffer and *wbuf_bytes to the amount actually used.

Return 0 on success, -1 on failure.

Definition at line 687 of file tortls_nss.c.

◆ tor_tls_get_forced_write_size()

size_t tor_tls_get_forced_write_size ( tor_tls_t tls)

If tls requires that the next write be of a particular size, return that size. Otherwise, return 0.

Definition at line 659 of file tortls_nss.c.

Referenced by flush_chunk_tls().

◆ tor_tls_get_last_error_msg()

const char* tor_tls_get_last_error_msg ( const tor_tls_t tls)

Return a string representing more detail about the last error received on TLS.

May return null if no error was found.

Definition at line 397 of file tortls_nss.c.

◆ tor_tls_get_my_client_auth_key()

crypto_pk_t* tor_tls_get_my_client_auth_key ( void  )

Return the authentication key that we use to authenticate ourselves as a client in the V3 in-protocol handshake.

Definition at line 101 of file tortls.c.

Referenced by connection_or_send_authenticate_cell().

◆ tor_tls_get_n_raw_bytes()

void tor_tls_get_n_raw_bytes ( tor_tls_t tls,
size_t *  n_read,
size_t *  n_written 

Sets n_read and n_written to the number of bytes read and written, respectively, on the raw socket used by tls since the last time this function was called on tls.

Definition at line 667 of file tortls_nss.c.

Referenced by tor_tls_free_().

◆ tor_tls_get_own_cert()

struct tor_x509_cert_t* tor_tls_get_own_cert ( tor_tls_t tls)

Return a newly allocated copy of the cerficate we used on the connection, or NULL if somehow we didn't use one.

Definition at line 541 of file tortls_nss.c.

Referenced by connection_or_send_certs_cell().

◆ tor_tls_get_peer_cert()

struct tor_x509_cert_t* tor_tls_get_peer_cert ( tor_tls_t tls)

Return a newly allocated copy of the peer certificate, or NULL if there isn't one.

Definition at line 531 of file tortls_nss.c.

◆ tor_tls_get_pending_bytes()

int tor_tls_get_pending_bytes ( tor_tls_t tls)

Return the number of bytes available for reading from tls.

Definition at line 647 of file tortls_nss.c.

◆ tor_tls_get_state_description()

void tor_tls_get_state_description ( tor_tls_t tls,
char *  buf,
size_t  sz 

Write a description of the current state of tls into the sz-byte buffer at buf.

Definition at line 346 of file tortls_nss.c.

Referenced by connection_or_get_state_description().

◆ tor_tls_get_tlssecrets()

int tor_tls_get_tlssecrets ( tor_tls_t tls,
uint8_t *  secrets_out 

Set the DIGEST256_LEN buffer at secrets_out to the value used in the v3 handshake to prove that the client knows the TLS secrets for the connection tls. Return 0 on success, -1 on failure.

Definition at line 750 of file tortls_nss.c.

◆ tor_tls_handshake()

int tor_tls_handshake ( tor_tls_t tls)

Perform initial handshake on tls. When finished, returns TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.

Definition at line 599 of file tortls_nss.c.

◆ tor_tls_init()

void tor_tls_init ( void  )

Initialize OpenSSL, unless it has already been initialized.

Definition at line 356 of file tortls_nss.c.

Referenced by tor_tls_context_new().

◆ tor_tls_is_server()

int tor_tls_is_server ( tor_tls_t tls)

Return whether this tls initiated the connect (client) or received it (server).

Definition at line 379 of file tortls.c.

Referenced by connection_or_nonopen_was_started_here().

◆ tor_tls_new()

tor_tls_t* tor_tls_new ( tor_socket_t  sock,
int  isServer 

Create a new TLS object from a file descriptor, and a flag to determine whether it is functioning as a server.

Definition at line 409 of file tortls_nss.c.

Referenced by connection_tls_start_handshake().

◆ tor_tls_peer_has_cert()

int tor_tls_peer_has_cert ( tor_tls_t tls)

Return true iff this TLS connection is authenticated.

Definition at line 522 of file tortls_nss.c.

◆ tor_tls_read()

int tor_tls_read ( tor_tls_t tls,
char *  cp,
size_t  len 

Underlying function for TLS reading. Reads up to len characters from tls into cp. On success, returns the number of characters read. On failure, returns TOR_TLS_ERROR, TOR_TLS_CLOSE, TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.

Definition at line 552 of file tortls_nss.c.

Referenced by read_to_chunk_tls().

◆ tor_tls_release_socket()

void tor_tls_release_socket ( tor_tls_t tls)

Tell the TLS library that the underlying socket for tls has been closed, and the library should not attempt to free that socket itself.

Definition at line 474 of file tortls_nss.c.

◆ tor_tls_server_got_renegotiate()

int tor_tls_server_got_renegotiate ( tor_tls_t tls)

Return true iff the server TLS connection tls got the renegotiation request it was waiting for.

Definition at line 719 of file tortls_nss.c.

◆ tor_tls_set_logged_address()

void tor_tls_set_logged_address ( tor_tls_t tls,
const char *  address 

Make future log messages about tls display the address address.

Definition at line 369 of file tortls.c.

◆ tor_tls_set_renegotiate_callback()

void tor_tls_set_renegotiate_callback ( tor_tls_t tls,
void(*)(tor_tls_t *, void *arg)  cb,
void *  arg 

Set cb to be called with argument arg whenever tls next gets a client-side renegotiate in the middle of a read. Do not invoke this function until after initial handshaking is done!

Definition at line 458 of file tortls_nss.c.

Referenced by connection_or_block_renegotiation().

◆ tor_tls_unblock_renegotiation()

void tor_tls_unblock_renegotiation ( tor_tls_t tls)

If this version of openssl requires it, turn on renegotiation on tls.

Definition at line 626 of file tortls_nss.c.

◆ tor_tls_used_v1_handshake()

int tor_tls_used_v1_handshake ( tor_tls_t tls)

Return true iff the initial TLS connection at tls did not use a v2 TLS handshake. Output is undefined if the handshake isn't finished.

Definition at line 710 of file tortls_nss.c.

◆ tor_tls_verify()

int tor_tls_verify ( int  severity,
tor_tls_t tls,
crypto_pk_t **  identity 

If the provided tls connection is authenticated and has a certificate chain that is currently valid and signed, then set *identity_key to the identity certificate's key and return 0. Else, return -1 and log complaints with log-level severity.

Definition at line 416 of file tortls.c.

◆ tor_tls_write()

int tor_tls_write ( tor_tls_t tls,
const char *  cp,
size_t  n 

Underlying function for TLS writing. Write up to n characters from cp onto tls. On success, returns the number of characters written. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.

Definition at line 575 of file tortls_nss.c.

Referenced by flush_chunk_tls().

Definition: tortls.h:53