DragonFly On-Line Manual Pages



TLS(2)                   DragonFly System Calls Manual                  TLS(2)

NAME

set_tls_area, get_tls_area -- kernel TLS (thread local storage) support

LIBRARY

Standard C Library (libc, -lc)

SYNOPSIS

#include <sys/tls.h>

int set_tls_area(int which, struct tls_info *info, size_t infosize);

int get_tls_area(int which, struct tls_info *info, size_t infosize);

DESCRIPTION

The set_tls_area() system call creates an entry for the TLS facility which, representing thread local storage as specified by the info structure. A descriptor representing the facility is returned, or -1 if an error occurred. The facility may be cleared by specifying a NULL pointer and an infosize of 0.

The get_tls_area() system call retrieves the requested TLS facility. A descriptor representing the facility is returned, or -1 if an error occurred. If you simply want the descriptor you may specify a NULL pointer and an infosize of 0.

The returned descriptor and the TLS mechanism are machine-dependent. On IA32 three global segment descriptors are supported (0, 1, and 2) and the %gs load value is returned.

The tls_info structure passed to set_tls_area() should first be zeroed (to remain compatible with future extensions) and then initialized.

     struct tls_info {
             void *base;     /* base address of TLS area */
             int size;       /* size of TLS area in bytes */
     };

The actual implementation of the area is machine-dependent. If the kernel is unable to accommodate the supplied size it may create a larger area. If the kernel is unable to accommodate the supplied base address an error will be returned.

RETURN VALUES

On success a non-negative value is returned: the machine-dependent descriptor described above (on IA32, the %gs load value). On error -1 is returned and errno is set to indicate the error.

EXAMPLES

     /*
      * Pseudo example showing how the TLS system calls work on IA32.
      */
     #include <stdio.h>
     #include <string.h>
     #include <unistd.h>
     #include <stdlib.h>
     #include <errno.h>
     #include <sys/tls.h>

     int X;

     static int getdata(int offset);

     int
     main(int ac, char **av)
     {
             int gs;
             struct tls_info info;

             /*
              * Describe a TLS area that covers exactly the global X.  The
              * structure is zeroed first, as the DESCRIPTION requires.
              */
             memset(&info, 0, sizeof(info));
             info.base = &X;
             info.size = sizeof(X);
             if ((gs = set_tls_area(0, &info, sizeof(info))) < 0) {
                     perror("setarea");
                     exit(1);
             }
             printf("gs = %04x\n", gs);

             /* Load the returned selector so that %gs:0 addresses X. */
             __asm __volatile("mov %0,%%gs" : : "r" (gs));

             /* Read back what the kernel set up; it may be larger. */
             if (get_tls_area(0, &info, sizeof(info)) < 0) {
                     perror("getarea");
                     exit(1);
             }
             printf("%p/%d\n", info.base, info.size);

             X = 1;
             printf("should be 1: %d\n", getdata(0));
             X = 2;
             printf("should be 2: %d\n", getdata(0));

             /* Offset 4 lies past the 4-byte segment limit: the load faults. */
             printf("this should fault:\n");
             fflush(stdout);
             getdata(4);
             return(0);
     }

     /*
      * Load the int at %gs:offset.  rv is written by the asm, so it is an
      * output operand ("=m"); %eax is clobbered by the intermediate move.
      */
     static int
     getdata(int offset)
     {
             int rv;

             __asm __volatile("movl %%gs:(%0),%%eax; movl %%eax,%1"
                 : "+r" (offset), "=m" (rv) : : "ax");
             return (rv);
     }

ERRORS

[ERANGE]           The specified facility index, which, is not supported.

[EINVAL]           An invalid parameter has been specified.

[ENOENT]           (get_tls_area) The specified facility has not been initialized with set_tls_area().

SEE ALSO

umtx(2)

HISTORY

The set_tls_area() and get_tls_area() function calls first appeared in DragonFly 1.1.

DragonFly 5.5                  February 21, 2005                  DragonFly 5.5

TLS_OCSP_PROCESS_R...      DragonFly Library Functions Manual      TLS_OCSP_PROCESS_R...

NAME

tls_ocsp_process_response, tls_peer_ocsp_url, tls_peer_ocsp_response_status, tls_peer_ocsp_cert_status, tls_peer_ocsp_crl_reason, tls_peer_ocsp_result, tls_peer_ocsp_revocation_time, tls_peer_ocsp_this_update, tls_peer_ocsp_next_update -- inspect an OCSP response

SYNOPSIS

#include <tls.h>

int tls_ocsp_process_response(struct tls *ctx, const unsigned char *response, size_t size);

const char * tls_peer_ocsp_url(struct tls *ctx);

int tls_peer_ocsp_response_status(struct tls *ctx);

int tls_peer_ocsp_cert_status(struct tls *ctx);

int tls_peer_ocsp_crl_reason(struct tls *ctx);

const char * tls_peer_ocsp_result(struct tls *ctx);

time_t tls_peer_ocsp_revocation_time(struct tls *ctx);

time_t tls_peer_ocsp_this_update(struct tls *ctx);

time_t tls_peer_ocsp_next_update(struct tls *ctx);

DESCRIPTION

tls_ocsp_process_response() processes the raw OCSP response in response, of size size, to check the revocation status of the peer certificate from ctx. A successful return code of 0 indicates that the certificate has not been revoked.

tls_peer_ocsp_url() returns the URL for OCSP validation of the peer certificate from ctx.

The following functions return information about the peer certificate from ctx that was obtained by validating a stapled OCSP response during the handshake, or via a previous call to tls_ocsp_process_response().

tls_peer_ocsp_response_status() returns the OCSP response status as per RFC 6960 section 2.3.

tls_peer_ocsp_cert_status() returns the OCSP certificate status code as per RFC 6960 section 2.2.

tls_peer_ocsp_crl_reason() returns the OCSP certificate revocation reason status code as per RFC 5280 section 5.3.1.

tls_peer_ocsp_result() returns a textual representation of the OCSP status code returned by one of the previous three functions. If the OCSP response was valid and the certificate was not revoked, the string indicates the OCSP certificate status. Otherwise, the string indicates the OCSP certificate revocation reason or the OCSP error.

tls_peer_ocsp_revocation_time() returns the OCSP revocation time.

tls_peer_ocsp_this_update() returns the OCSP this update time.

tls_peer_ocsp_next_update() returns the OCSP next update time.

RETURN VALUES

tls_ocsp_process_response() returns 0 on success or -1 on error.

tls_peer_ocsp_url() and tls_peer_ocsp_result() return NULL on error or an out of memory condition.

The tls_peer_ocsp_response_status() function returns one of TLS_OCSP_RESPONSE_SUCCESSFUL, TLS_OCSP_RESPONSE_MALFORMED, TLS_OCSP_RESPONSE_INTERNALERROR, TLS_OCSP_RESPONSE_TRYLATER, TLS_OCSP_RESPONSE_SIGREQUIRED, or TLS_OCSP_RESPONSE_UNAUTHORIZED on success or -1 on error.

The tls_peer_ocsp_cert_status() function returns one of TLS_OCSP_CERT_GOOD, TLS_OCSP_CERT_REVOKED, or TLS_OCSP_CERT_UNKNOWN on success, and -1 on error.

The tls_peer_ocsp_crl_reason() function returns one of TLS_CRL_REASON_UNSPECIFIED, TLS_CRL_REASON_KEY_COMPROMISE, TLS_CRL_REASON_CA_COMPROMISE, TLS_CRL_REASON_AFFILIATION_CHANGED, TLS_CRL_REASON_SUPERSEDED, TLS_CRL_REASON_CESSATION_OF_OPERATION, TLS_CRL_REASON_CERTIFICATE_HOLD, TLS_CRL_REASON_REMOVE_FROM_CRL, TLS_CRL_REASON_PRIVILEGE_WITHDRAWN, or TLS_CRL_REASON_AA_COMPROMISE on success or -1 on error.

tls_peer_ocsp_revocation_time(), tls_peer_ocsp_this_update(), and tls_peer_ocsp_next_update() return a time in epoch-seconds on success or -1 on error.
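The accessors above report status codes and times but leave the policy to the caller: a GOOD answer whose nextUpdate has already passed, or a response whose status is not "successful", carries no assurance. The following is an added example, not code from the libtls manual or the LibreSSL project, showing how the values from tls_peer_ocsp_response_status(), tls_peer_ocsp_cert_status(), tls_peer_ocsp_this_update() and tls_peer_ocsp_next_update() can be combined into an accept/reject decision with a clock-skew tolerance. The ocsp_summary structure, the verdict enum, the OCSP_SKEW_SECONDS value and the USE_LIBTLS macro are this example's own; the fallback constant values are assumed to match those in <tls.h> (they follow the RFC 6960 numbering) and only exist so the file also compiles without libtls.

```c
/*
 * Added example (not part of the libtls manual): decide whether the OCSP
 * result reported by the tls_peer_ocsp_*() accessors is acceptable.
 * Build with -DUSE_LIBTLS -ltls to compile the wiring helper at the end;
 * otherwise the assumed fallback constants keep the file self-contained.
 */
#include <stdio.h>
#include <time.h>

#ifdef USE_LIBTLS
#include <tls.h>
#endif

#ifndef TLS_OCSP_RESPONSE_SUCCESSFUL	/* assumed to mirror <tls.h> / RFC 6960 */
#define TLS_OCSP_RESPONSE_SUCCESSFUL	0
#define TLS_OCSP_RESPONSE_TRYLATER	3
#define TLS_OCSP_CERT_GOOD		0
#define TLS_OCSP_CERT_REVOKED		1
#define TLS_OCSP_CERT_UNKNOWN		2
#endif

#define OCSP_SKEW_SECONDS	(5 * 60)	/* tolerated clock skew (example policy) */

enum ocsp_verdict {
	OCSP_ACCEPT,		/* successful response, GOOD, inside its window */
	OCSP_REJECT_REVOKED,	/* responder says revoked: never proceed */
	OCSP_REJECT_UNKNOWN,	/* UNKNOWN status, or the accessor failed (-1) */
	OCSP_REJECT_STALE,	/* nextUpdate passed or thisUpdate in the future */
	OCSP_REJECT_NO_ANSWER	/* response status other than successful */
};

/* Raw accessor results; -1 in any field means the accessor returned -1. */
struct ocsp_summary {
	int	response_status;	/* tls_peer_ocsp_response_status() */
	int	cert_status;		/* tls_peer_ocsp_cert_status() */
	time_t	this_update;		/* tls_peer_ocsp_this_update() */
	time_t	next_update;		/* tls_peer_ocsp_next_update() */
};

enum ocsp_verdict
ocsp_verdict(const struct ocsp_summary *s, time_t now)
{
	/* Only a "successful" response carries a certificate status. */
	if (s->response_status != TLS_OCSP_RESPONSE_SUCCESSFUL)
		return (OCSP_REJECT_NO_ANSWER);

	/* Revocation is checked before freshness: a stale REVOKED still rejects. */
	if (s->cert_status == TLS_OCSP_CERT_REVOKED)
		return (OCSP_REJECT_REVOKED);
	if (s->cert_status != TLS_OCSP_CERT_GOOD)
		return (OCSP_REJECT_UNKNOWN);

	/*
	 * A GOOD answer is only evidence inside its validity window.
	 * thisUpdate is mandatory in RFC 6960, so -1 rejects; nextUpdate is
	 * optional, so -1 there is treated as "no expiry".
	 */
	if (s->this_update == (time_t)-1 ||
	    s->this_update > now + OCSP_SKEW_SECONDS)
		return (OCSP_REJECT_STALE);
	if (s->next_update != (time_t)-1 &&
	    s->next_update + OCSP_SKEW_SECONDS < now)
		return (OCSP_REJECT_STALE);

	return (OCSP_ACCEPT);
}

const char *
ocsp_verdict_str(enum ocsp_verdict v)
{
	switch (v) {
	case OCSP_ACCEPT:		return ("accept");
	case OCSP_REJECT_REVOKED:	return ("reject: revoked");
	case OCSP_REJECT_UNKNOWN:	return ("reject: unknown");
	case OCSP_REJECT_STALE:		return ("reject: stale");
	default:			return ("reject: no answer");
	}
}

#ifdef USE_LIBTLS
/*
 * Call after tls_handshake() succeeded on a context configured with
 * tls_config_ocsp_require_stapling(), or after tls_ocsp_process_response().
 */
enum ocsp_verdict
ocsp_check_peer(struct tls *ctx)
{
	struct ocsp_summary s;

	s.response_status = tls_peer_ocsp_response_status(ctx);
	s.cert_status = tls_peer_ocsp_cert_status(ctx);
	s.this_update = tls_peer_ocsp_this_update(ctx);
	s.next_update = tls_peer_ocsp_next_update(ctx);
	return (ocsp_verdict(&s, time(NULL)));
}
#endif

int
main(void)
{
	/* Constructed sample: GOOD, valid for one hour starting at t=1000000. */
	struct ocsp_summary s = { TLS_OCSP_RESPONSE_SUCCESSFUL,
	    TLS_OCSP_CERT_GOOD, 1000000, 1003600 };

	printf("inside window: %s\n", ocsp_verdict_str(ocsp_verdict(&s, 1001800)));
	printf("a day later:   %s\n", ocsp_verdict_str(ocsp_verdict(&s, 1090000)));
	s.cert_status = TLS_OCSP_CERT_REVOKED;
	printf("revoked:       %s\n", ocsp_verdict_str(ocsp_verdict(&s, 1001800)));
	return (0);
}
```

The order of the checks matters: revocation is evaluated before the freshness window so that an expired response that still says REVOKED cannot be downgraded to a softer "stale" verdict, while an expired GOOD answer is never accepted. Treating a missing nextUpdate as "no expiry" follows RFC 6960; a deployment that wants to bound how long such responses stay usable can add its own cap on now - thisUpdate.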

SEE ALSO

tls_client(3), tls_config_ocsp_require_stapling(3), tls_conn_version(3), tls_connect(3), tls_handshake(3), tls_init(3)

HISTORY

These functions appeared in OpenBSD 6.1.

AUTHORS

Bob Beck <beck@openbsd.org>
Marko Kreen <markokr@gmail.com>

DragonFly 5.5                    July 24, 2018                    DragonFly 5.5
