Next: Cryptographic Backend, Previous: TLS Authentication Methods, Up: Internal architecture of GnuTLS [Contents][Index]
As with authentication methods, the TLS extensions handlers can be implemented using the interface shown below.
typedef int (*gnutls_ext_recv_func) (gnutls_session_t session, const unsigned char *data, size_t len); typedef int (*gnutls_ext_send_func) (gnutls_session_t session, gnutls_buffer_st *extdata);
Here there are two functions, one for receiving the extension data and one for sending. These functions have to check internally whether they operate in client or server side.
A simple example of an extension handler can be seen in
ext/srp.c
in GnuTLS’ source code. After implementing these functions,
together with the extension number they handle, they have to be registered
using _gnutls_ext_register
in
gnutls_extensions.c
typically within _gnutls_ext_init
.
Adding support for a new TLS extension is done from time to time, and
the process to do so is not difficult. Here are the steps you need to
follow if you wish to do this yourself. For sake of discussion, let’s
consider adding support for the hypothetical TLS extension
foobar
. The following section is about adding an extension to GnuTLS,
for custom application extensions you should check the exported functions
gnutls_session_ext_register or gnutls_ext_register.
configure
option like --enable-foobar
or --disable-foobar
.This step is useful when the extension code is large and it might be desirable to disable the extension under some circumstances. Otherwise it can be safely skipped.
Whether to chose enable or disable depends on whether you intend to make the extension be enabled by default. Look at existing checks (i.e., SRP, authz) for how to model the code. For example:
AC_MSG_CHECKING([whether to disable foobar support]) AC_ARG_ENABLE(foobar, AS_HELP_STRING([--disable-foobar], [disable foobar support]), ac_enable_foobar=no) if test x$ac_enable_foobar != xno; then AC_MSG_RESULT(no) AC_DEFINE(ENABLE_FOOBAR, 1, [enable foobar]) else ac_full=0 AC_MSG_RESULT(yes) fi AM_CONDITIONAL(ENABLE_FOOBAR, test "$ac_enable_foobar" != "no")
These lines should go in m4/hooks.m4
.
extensions_t
in gnutls_int.h
.A good name for the value would be GNUTLS_EXTENSION_FOOBAR. Check with http://www.iana.org/assignments/tls-extensiontype-values for allocated values. For experiments, you could pick a number but remember that some consider it a bad idea to deploy such modified version since it will lead to interoperability problems in the future when the IANA allocates that number to someone else, or when the foobar protocol is allocated another number.
_gnutls_extensions
in gnutls_extensions.c
.A typical entry would be:
int ret; #if ENABLE_FOOBAR ret = _gnutls_ext_register (&foobar_ext); if (ret != GNUTLS_E_SUCCESS) return ret; #endif
Most likely you’ll need to add an #include "ext/foobar.h"
, that
will contain something like
like:
extension_entry_st foobar_ext = { .name = "FOOBAR", .type = GNUTLS_EXTENSION_FOOBAR, .parse_type = GNUTLS_EXT_TLS, .recv_func = _foobar_recv_params, .send_func = _foobar_send_params, .pack_func = _foobar_pack, .unpack_func = _foobar_unpack, .deinit_func = NULL }
The GNUTLS_EXTENSION_FOOBAR is the integer value you added to
gnutls_int.h
earlier. In this structure you specify the
functions to read the extension from the hello message, the function
to send the reply to, and two more functions to pack and unpack from
stored session data (e.g. when resumming a session). The deinit
function
will be called to deinitialize the extension’s private parameters, if any.
Note that the conditional ENABLE_FOOBAR
definition should only be
used if step 1 with the configure
options has taken place.
The functions you are responsible to add are those mentioned in the
previous step. They should be added in a file such as ext/foobar.c
and headers should be placed in ext/foobar.h
.
As a starter, you could add this:
int _foobar_recv_params (gnutls_session_t session, const opaque * data, size_t data_size) { return 0; } int _foobar_send_params (gnutls_session_t session, gnutls_buffer_st* data) { return 0; } int _foobar_pack (extension_priv_data_t epriv, gnutls_buffer_st * ps) { /* Append the extension's internal state to buffer */ return 0; } int _foobar_unpack (gnutls_buffer_st * ps, extension_priv_data_t * epriv) { /* Read the internal state from buffer */ return 0; }
The _foobar_recv_params
function is responsible for
parsing incoming extension data (both in the client and server).
The _foobar_send_params
function is responsible for
sending extension data (both in the client and server). It should
append data to provided buffer and return a positive (or zero) number on
success or a negative error code. Previous to 3.6.0 versions of GnuTLS required
that function to return the number of bytes that were written. If zero
is returned and no bytes are appended the extension will not be sent.
If a zero byte extension is to be sent this function must return
GNUTLS_E_INT_RET_0
.
If you receive length fields that don’t match, return
GNUTLS_E_UNEXPECTED_PACKET_LENGTH
. If you receive invalid
data, return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER
. You can use
other error codes from the list in Error codes. Return 0 on success.
An extension typically stores private information in the session
data for later usage. That can be done using the functions
_gnutls_ext_set_session_data
and
_gnutls_ext_get_session_data
. You can check simple examples
at ext/max_record.c
and ext/server_name.c
extensions.
That private information can be saved and restored across session
resumption if the following functions are set:
The _foobar_pack
function is responsible for packing
internal extension data to save them in the session resumption storage.
The _foobar_unpack
function is responsible for
restoring session data from the session resumption storage.
Recall that both the client and server, send and receive parameters, and your code most likely will need to do different things depending on which mode it is in. It may be useful to make this distinction explicit in the code. Thus, for example, a better template than above would be:
int _gnutls_foobar_recv_params (gnutls_session_t session, const opaque * data, size_t data_size) { if (session->security_parameters.entity == GNUTLS_CLIENT) return foobar_recv_client (session, data, data_size); else return foobar_recv_server (session, data, data_size); } int _gnutls_foobar_send_params (gnutls_session_t session, gnutls_buffer_st * data) { if (session->security_parameters.entity == GNUTLS_CLIENT) return foobar_send_client (session, data); else return foobar_send_server (session, data); }
The functions used would be declared as static
functions, of
the appropriate prototype, in the same file.
When adding the files, you’ll need to add them to ext/Makefile.am
as well, for example:
if ENABLE_FOOBAR libgnutls_ext_la_SOURCES += ext/foobar.c ext/foobar.h endif
It might be desirable to allow users of the extension to
request use of the extension, or set extension specific data.
This can be implemented by adding extension specific function calls
that can be added to includes/gnutls/gnutls.h
,
as long as the LGPLv2.1+ applies.
The implementation of the function should lie in the ext/foobar.c
file.
To make the API available in the shared library you need to add the
symbol in lib/libgnutls.map
, so that the symbol
is exported properly.
When writing GTK-DOC style documentation for your new APIs, don’t
forget to add Since:
tags to indicate the GnuTLS version the
API was introduced in.
One such extension is HeartBeat protocol (RFC6520: https://tools.ietf.org/html/rfc6520) implementation. To enable it use option –heartbeat with example client and server supplied with gnutls:
./doc/credentials/gnutls-http-serv --priority "NORMAL:-CIPHER-ALL:+NULL" -d 100 \ --heartbeat --echo ./src/gnutls-cli --priority "NORMAL:-CIPHER-ALL:+NULL" -d 100 localhost -p 5556 \ --insecure --heartbeat
After that pasting
**HEARTBEAT**
command into gnutls-cli will trigger corresponding command on the server and it will send HeartBeat Request with random length to client.
Another way is to run capabilities check with:
./doc/credentials/gnutls-http-serv -d 100 --heartbeat ./src/gnutls-cli-debug localhost -p 5556
TLS handshake extensions allow to send so called supplemental data handshake messages [RFC4680]. This short section explains how to implement a supplemental data handshake message for a given TLS extension.
First of all, modify your extension foobar
in the way, to instruct
the handshake process to send and receive supplemental data, as shown below.
int _gnutls_foobar_recv_params (gnutls_session_t session, const opaque * data, size_t _data_size) { ... gnutls_supplemental_recv(session, 1); ... } int _gnutls_foobar_send_params (gnutls_session_t session, gnutls_buffer_st *extdata) { ... gnutls_supplemental_send(session, 1); ... }
Furthermore you’ll need two new functions _foobar_supp_recv_params
and _foobar_supp_send_params
, which must conform to the following
prototypes.
typedef int (*gnutls_supp_recv_func)(gnutls_session_t session, const unsigned char *data, size_t data_size); typedef int (*gnutls_supp_send_func)(gnutls_session_t session, gnutls_buffer_t buf);
The following example code shows how to send a “Hello World” string in the supplemental data handshake message.
int _foobar_supp_recv_params(gnutls_session_t session, const opaque *data, size_t _data_size) { uint8_t len = _data_size; unsigned char *msg; msg = gnutls_malloc(len); if (msg == NULL) return GNUTLS_E_MEMORY_ERROR; memcpy(msg, data, len); msg[len]='\0'; /* do something with msg */ gnutls_free(msg); return len; } int _foobar_supp_send_params(gnutls_session_t session, gnutls_buffer_t buf) { unsigned char *msg = "hello world"; int len = strlen(msg); if (gnutls_buffer_append_data(buf, msg, len) < 0) abort(); return len; }
Afterwards, register the new supplemental data using gnutls_session_supplemental_register, or gnutls_supplemental_register at some point in your program.
Next: Cryptographic Backend, Previous: TLS Authentication Methods, Up: Internal architecture of GnuTLS [Contents][Index]