1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
|
\chapter{The Library}
\section{Description}
\par
In brief \gnutls{} can be described as a library which offers
an API to access secure communication protocols. These protocols provide
privacy over insecure lines, and were designed to prevent
eavesdropping, tampering, or message forgery.
\par
Technically \gnutls{} is a portable ANSI {\bf C} based library which implements the
\tlsI{}\footnote{See section \ref{sec:tlsintro} on page \pageref{sec:tlsintro} for
a more detailed description of the protocols.} and \sslIII{} protocols,
accompanied with the required framework for authentication and
public key infrastructure.
The library is available under the GNU Lesser GPL license\footnote{A copy of the license is included
in the distribution}.
Important features of the \gnutls{} library include:
\begin{itemize}
\item Support for \tlsI{}, \tlsII{} and \sslIII{} protocols.
\item Support for both {\bf X.509} and {\bf OpenPGP} certificates.
\item Support for handling and verification of certificates.
\item Support for {\bf SRP} for \tls{} authentication.
\item Support for \tls{} {\bf Extension mechanism}.
\item Support for \tls{} {\bf Compression Methods}.
\end{itemize}
Additionally \gnutls{} provides a limited emulation API for the widely used
OpenSSL\footnote{\htmladdnormallink{http://www.openssl.org/}{http://www.openssl.org/}}
library, to ease integration with existing applications.
\par
\gnutls{} consists of three
independent parts, namely the ``TLS protocol part'', the ``Certificate part'', and
the ``Crypto backend'' part.
The `TLS protocol part' is the actual protocol implementation, and is entirely
implemented within the \gnutls{} library.
The `Certificate part' consists of the certificate parsing, and verification
functions which is partially implemented in the \gnutls{} library. The
Libtasn1\footnote{\htmladdnormallink{ftp://ftp.gnupg.org/gcrypt/alpha/gnutls/libtasn1/}{ftp://ftp.gnupg.org/gcrypt/alpha/gnutls/libtasn1/}}
a library which offers ASN.1 parsing capabilities, is used for the
X.509 certificate parsing functions, and
Opencdk\footnote{\htmladdnormallink{ftp://ftp.gnupg.org/gcrypt/alpha/gnutls/opencdk/}{ftp://ftp.gnupg.org/gcrypt/alpha/gnutls/opencdk/}}
is used for the OpenPGP key support in \gnutls{}.
The `Crypto backend' is provided by the
libgcrypt\footnote{\htmladdnormallink{ftp://ftp.gnupg.org/gcrypt/alpha/libgcrypt/}{ftp://ftp.gnupg.org/gcrypt/alpha/libgcrypt/}}
library.
\par
In order to ease integration in embedded systems, parts of the \gnutls{} library
can be disabled at compile time. That way a small library, with the required features,
can be generated.
\section{General Idea}
% explain how it works
A brief description of how \gnutls{} works internally is shown at
the figure \ref{fig:internals}. This section may be easier to understand
after having seen the examples on page \pageref{examples}.
\begin{figure}[htp]
\includegraphics[height=8cm,width=12cm]{internals}
\label{fig:internals}
\end{figure}
\par
As shown in the figure, there is a read-only global state that
is initialized once by the global initialization function.
This global structure, among others, contains the memory allocation
functions used, and some structures needed for the ASN.1 parser.
This structure is never modified by any \gnutls{} function, except
for the deinitialization function which frees all memory allocated in
the global structure and is called after the program has permanently finished
using \gnutls{}.
\par
The credentials structure is used by some authentication methods,
such as certificate authentication\footnote{see section \ref{certificate} on page \pageref{certificate}}.
A credentials structure may contain certificates, private keys, temporary parameters
for diffie hellman or RSA key exchange, and other stuff that may be shared
between several TLS sessions.
This structure should be initialized using the appropriate initialization
functions. For example an application which uses certificate authentication
would probably initialize the credentials, using the appropriate functions,
and put its trusted certificates in this structure. The next step is to
associate the credentials structure with each \tls{} session.
\par A \gnutls{} session contains all the required stuff for a
session to handle one secure connection. This session calls directly
to the transport layer functions, in order to communicate with the peer.
Every session has a unique session ID shared with the peer.
\par
Since TLS sessions can be resumed, servers would probably need a database
backend to hold the session's parameters. Every \gnutls{} session after
a successful handshake calls the appropriate backend function\footnote{see section \ref{resume}
on \pageref{resume} for information on initialization} to store the
newly negotiated session. The session database is examined by the server
just after having received the client hello\footnote{The first message
in a \tls{} handshake}, and if the session ID sent by the client,
matches a stored session, the stored session will be retrieved, and the
new session will be a resumed one, and will share the same session ID
with the previous one.
\input{errors}
\input{memory}
\input{callbacks}
|
