I am back

Nikos Mavroyanopoulos nmav at hellug.gr
Tue May 16 10:06:52 CEST 2000

On Tue, May 16, 2000 at 01:31:49AM +0530, Tarun Upadhyay wrote:
> Nikos,
>     Even I am a little busy. however, I will try to work for about 2-3 hours
> every night on gnutls.
>     Unfortunately, even though I know something about encryption, I have
> never written a "real" library for web-server. So, you have to guide me a
> little. I am reading your code and figuring out things but if you could
> guide me on exactly where the functions need to be added and how they fit
> together then it could be done that much faster.
>     In a nutshell, try giving me at least a broad skeleton of handshaking
> API.

Well, the main function in the handshake protocol is gnutls_handshake().
This does actually everything. Let's say we are on the client side.
The client sends or receives hello messages (by calling gnutls_send_hello() to 
send a hello message, or _gnutls_recv_handshake(cd, state, NULL, NULL, GNUTLS_SERVER_HELLO),
to receive one. 

_gnutls_recv_handshake(...) will receive handshake messages of the
given type, and will pass the message to the right place in order
to be processed. Eg. for the SERVER_HELLO message (if it is valid) 
it will be send to _gnutls_recv_hello()).

Since we have a global state, all these functions do use the global
variables to determine what to send. Eg gnutls_send_hello() does not require
any parameters, and will determine from the state an from the available
cipher suites which to use (currently there is no way for the user 
to select the priority of cipher suites).

Then depending on the algorithm suite we should receive server
certificates, which is not implemented (dh-anon does not use that).

After that we receive the key exchange message of server by calling:
_gnutls_recv_server_kx_message(). If that message is not required by
the cipher suite, that function does nothing. (what is required and not,
can be set in gnutls_algorithms.c and gnutls_algorithms.h).

After that the client waits for the server hello done message by
calling: _gnutls_recv_handshake(cd, state, NULL, NULL, GNUTLS_SERVER_HELLO_DONE);

After that we should send the client certificates (also not implemented).
This is the time for the client to send the key exchange message
by calling: _gnutls_send_client_kx_message().

If everything was right we send the change cipher spec packet by
calling: _gnutls_send_change_cipher_spec().

This is the time to start encryption (initialize the state) with:
_gnutls_connection_state_init(state). This function initilizes and starts
encryption (so it needs secrets and random numbers to have been negotiated)

Then we send the finished packet (_gnutls_send_finished()),
and we expect the server change cipher spec packet 
( gnutls_recv_int(cd, state, GNUTLS_CHANGE_CIPHER_SPEC, NULL, 0)).

Then we receive the last message by calling _gnutls_recv_finished(cd, state),
and if everything was right, the connection was negotiated.

I know that this help may not be sufficient. Ask me if there is anything
else. (I should have updated doc/hacking)

> Thanks
> Tarun

Nikos Mavroyanopoulos
mailto:nmav at hellug.gr

More information about the Gnutls-devel mailing list