TLS over multi-stream SCTP, a wrapper...

Sebastien Decugis sdecugis at
Fri Aug 15 10:45:44 CEST 2008


Following a design idea from Nikos Mavrogiannopoulos (thanks again), I 
have written a wrapper around the GNU TLS library to achieve TLS 
protection over a multi-stream SCTP connection.

The basic idea is to replace the transport functions used by gnutls for 
transport, and use an object to aggregate all the sessions and other 
data. One thread is receiving data from the socket, and queueing this 
data in per-stream FIFO lists (demultiplxing step). Then the gnutls 
"pull" function will pick data from the appropriate FIFO list, and 
actually decrypt this data. This is done by a separate thread (one per 
stream). The decrypted data is queued in another FIFO list, from which 
the user can retrieve the received data. See the header file and the 
comments at the top of the files for more information.

I know this wrapper is not very performant at session initiation because 
it does a full handshake on each pair of stream, and does not 
parallelize this process. This can be easily improved, but makes it more 
complex to debug.

I have compiled and tested this wrapper in my Linux environment ( 
libgnutls distribution release libgnutls13 2.0.4-1ubuntu2.1 ) and it 
seems to work properly. There will propably need some minor changes 
(gnutls_kx_set_priority -> gnutls_set_priority for example) to adapt it 
to the latest gnutls releases.

A test program is embedded withing the source code. To compile it, one 
has to define the STANDALONE_WRAPPER symbol. For example, to compile the 
file (under Linux Ubuntu) I use (content of the COMPIL file):
gcc -o sctp_tls -DSTANDALONE_WRAPPER -lgnutls -pthread gnutls_sctp_wrapper.c

Then simply run the ./sctp_tls program to create a SCTP socket on 
localhost:4433 and exchange TLS-protected data over it.

Please feel free to contact me if you have any question with regards to 
this peace of code.

As a final note, this wrapper was initially written as part of an 
open-source Diameter daemon implementation, called "waaad". See [1] if 
you are interested in this implementation, or want to find a more recent 
version of the wrapper source code.

I hope this code will be useful to other people as well. If you make 
improvements to this code and can share it under the same licence, 
please send me a note / patch.

Best regards,
Sebastien Decugis.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: gnutls_sctp_wrapper.c
URL: </pipermail/attachments/20080815/b7202f88/attachment.asc>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: gnutls_sctp_wrapper.h
URL: </pipermail/attachments/20080815/b7202f88/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
URL: </pipermail/attachments/20080815/b7202f88/attachment-0001.asc>

More information about the Gnutls-devel mailing list