DragonFly On-Line Manual Pages

Search: Section:  


TLS(2)                   DragonFly System Calls Manual                  TLS(2)

NAME

set_tls_area, get_tls_area -- kernel TLS (thread local storage) support

LIBRARY

Standard C Library (libc, -lc)

SYNOPSIS

#include <sys/tls.h> int set_tls_area(int which, struct tls_info *info, size_t infosize); int get_tls_area(int which, struct tls_info *info, size_t infosize);

DESCRIPTION

The set_tls_area() system call creates an entry for the TLS facility which representing thread local storage as specified by the info structure. A descriptor representing the facility is returned, or -1 if an error occurred. The facility may be cleared by specifying a NULL pointer and an infosize of 0. The get_tls_area() system call retrieves the requested TLS facility. A descriptor representing the facility is returned, or -1 if an error occurred. If you simply want the descriptor you may specify a NULL pointer and an infosize of 0. The returned descriptor and the TLS mechanism is machine-dependent. On IA32 three global segment descriptors are supported (0, 1, and 2) and the %gs load value is returned. The tls_info structure passed to set_tls_area() should first be zerod (to remain compatible with future extensions) and then initialized. struct tls_info { void *base; /* base address of TLS area */ int size; /* size of TLS area in bytes */ }; The actual implementation of the area is machine-dependent. If the kernel is unable to accommodate the supplied size it may create a larger area. If the kernel is unable to accommodate the supplied base address an error will be returned.

RETURN VALUES

A return value of 0 is returned on success, -1 on error.

EXAMPLES

/* * Pseudo example showing how the TLS system calls work on IA32. */ #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <errno.h> #include <sys/tls.h> int X; static int getdata(int offset); int main(int ac, char **av) { int i; int gs; struct tls_info info; info.base = &X; info.size = sizeof(X); if ((gs = set_tls_area(0, &info, sizeof(info))) < 0) { perror("setarea"); exit(1); } printf("gs = %04x\n", gs); __asm __volatile("mov %0,%%gs" : : "g" (gs) ); if (get_tls_area(0, &info, sizeof(info)) < 0) { perror("getarea"); exit(1); } printf("%p/%d\n", info.base, info.size); X = 1; printf("should be 1: %d\n", getdata(0)); X = 2; printf("should be 2: %d\n", getdata(0)); printf("this should fault:\n"); fflush(stdout); getdata(4); return(0); } static int getdata(int offset) { int rv; __asm __volatile("movl %%gs:(%0),%%eax; movl %%eax,%1" : "+r" (offset) : "m" (rv) : "ax"); return (rv); }

ERRORS

[ERANGE] The specified facility index, which, is not supported. [EINVAL] An invalid parameter has been specified. [ENOENT] (get_tls_area) The specified facility has not been initialized with sys_set_tls_area().

SEE ALSO

umtx(2)

HISTORY

The set_tls_area(), and get_tls_area() function calls first appeared in DragonFly 1.1. DragonFly 5.5 February 21, 2005 DragonFly 5.5 TLS_OCSP_PROCESS_RESPONSE(3) DragonFly Library Functions Manual

NAME

tls_ocsp_process_response, tls_peer_ocsp_url, tls_peer_ocsp_response_status, tls_peer_ocsp_cert_status, tls_peer_ocsp_crl_reason, tls_peer_ocsp_result, tls_peer_ocsp_revocation_time, tls_peer_ocsp_this_update, tls_peer_ocsp_next_update - inspect an OCSP response

SYNOPSIS

#include <tls.h> int tls_ocsp_process_response(struct tls *ctx, const unsigned char *response, size_t size); const char * tls_peer_ocsp_url(struct tls *ctx); int tls_peer_ocsp_response_status(struct tls *ctx); int tls_peer_ocsp_cert_status(struct tls *ctx); int tls_peer_ocsp_crl_reason(struct tls *ctx); const char * tls_peer_ocsp_result(struct tls *ctx); time_t tls_peer_ocsp_revocation_time(struct tls *ctx); time_t tls_peer_ocsp_this_update(struct tls *ctx); time_t tls_peer_ocsp_next_update(struct tls *ctx);

DESCRIPTION

tls_ocsp_process_response() processes a raw OCSP response in response of size size to check the revocation status of the peer certificate from ctx. A successful return code of 0 indicates that the certificate has not been revoked. tls_peer_ocsp_url() returns the URL for OCSP validation of the peer certificate from ctx. The following functions return information about the peer certificate from ctx that was obtained by validating a stapled OCSP response during the handshake, or via a previous call to tls_ocsp_process_response(). tls_peer_ocsp_response_status() returns the OCSP response status as per RFC 6960 section 2.3. tls_peer_ocsp_cert_status() returns the OCSP certificate status code as per RFC 6960 section 2.2. tls_peer_ocsp_crl_reason() returns the OCSP certificate revocation reason status code as per RFC 5280 section 5.3.1. tls_peer_ocsp_result() returns a textual representation of the OCSP status code returned by one of the previous three functions. If the OCSP response was valid and the certificate was not revoked, the string indicates the OCSP certificate status. Otherwise, the string indicates the OCSP certificate revocation reason or the OCSP error. tls_peer_ocsp_revocation_time() returns the OCSP revocation time. tls_peer_ocsp_this_update() returns the OCSP this update time. tls_peer_ocsp_next_update() returns the OCSP next update time.

RETURN VALUES

tls_ocsp_process_response() returns 0 on success or -1 on error. tls_peer_ocsp_url() and tls_peer_ocsp_result() return NULL on error or an out of memory condition. The tls_peer_ocsp_response_status() function returns one of TLS_OCSP_RESPONSE_SUCCESSFUL, TLS_OCSP_RESPONSE_MALFORMED, TLS_OCSP_RESPONSE_INTERNALERROR, TLS_OCSP_RESPONSE_TRYLATER, TLS_OCSP_RESPONSE_SIGREQUIRED, or TLS_OCSP_RESPONSE_UNAUTHORIZED on success or -1 on error. The tls_peer_ocsp_cert_status() function returns one of TLS_OCSP_CERT_GOOD, TLS_OCSP_CERT_REVOKED, or TLS_OCSP_CERT_UNKNOWN on success, and -1 on error. The tls_peer_ocsp_crl_reason() function returns one of TLS_CRL_REASON_UNSPECIFIED, TLS_CRL_REASON_KEY_COMPROMISE, TLS_CRL_REASON_CA_COMPROMISE, TLS_CRL_REASON_AFFILIATION_CHANGED, TLS_CRL_REASON_SUPERSEDED, TLS_CRL_REASON_CESSATION_OF_OPERATION, TLS_CRL_REASON_CERTIFICATE_HOLD, TLS_CRL_REASON_REMOVE_FROM_CRL, TLS_CRL_REASON_PRIVILEGE_WITHDRAWN, or TLS_CRL_REASON_AA_COMPROMISE on success or -1 on error. tls_peer_ocsp_revocation_time(), tls_peer_ocsp_this_update(), and tls_peer_ocsp_next_update() return a time in epoch-seconds on success or -1 on error.

SEE ALSO

tls_client(3), tls_config_ocsp_require_stapling(3), tls_conn_version(3), tls_connect(3), tls_handshake(3), tls_init(3)

HISTORY

These functions appeared in OpenBSD 6.1.

AUTHORS

Bob Beck <beck@openbsd.org> Marko Kreen <markokr@gmail.com> DragonFly 5.9-DEVELOPMENT July 24, 2018 DragonFly 5.9-DEVELOPMENT

Search: Section: