1 @node How to use GnuTLS in applications
2 @chapter How to use @acronym{GnuTLS} in applications
5 * Introduction to the library::
7 * Session initialization::
8 * Associating the credentials::
9 * Setting up the transport layer::
11 * Data transfer and termination::
14 * Advanced and other topics::
15 * Using the cryptographic library::
16 * Selecting cryptographic key sizes::
19 @node Introduction to the library
25 * Debugging and auditing::
27 * Callback functions::
31 @subsection General idea
33 A brief description of how @acronym{GnuTLS} works internally is shown
34 at @ref{fig:gnutls-design}. This section may become more clear after
35 having read the rest of this section.
36 As shown in the figure, there is a read-only global state that is
37 initialized once by the global initialization function. This global
38 structure, among others, contains the memory allocation functions
39 used, and structures needed for the @acronym{ASN.1} parser. This
40 structure is never modified by any @acronym{GnuTLS} function, except
41 for the deinitialization function which frees all allocated memory
42 and is called after the program has permanently
43 finished using @acronym{GnuTLS}.
45 @float Figure,fig:gnutls-design
46 @image{gnutls-internals,12cm}
47 @caption{High level design of GnuTLS.}
50 The credentials structures are used by the authentication methods, such
51 as certificate authentication. They store certificates, privates keys,
52 and other information that is needed to prove the identity to the peer,
53 and/or verify the indentity of the peer. The information stored in
54 the credentials structures is initialized once and then can be
55 shared by many @acronym{TLS} sessions.
57 A @acronym{GnuTLS} session contains all the required information
58 to handle one secure connection. The session communicates with the
59 peers using the provided functions of the transport layer.
60 Every session has a unique session ID shared with the peer.
62 Since TLS sessions can be resumed, servers need a
63 database back-end to hold the session's parameters. Every
64 @acronym{GnuTLS} session after a successful handshake calls the
65 appropriate back-end function (see @ref{resume})
66 to store the newly negotiated session. The session
67 database is examined by the server just after having received the
68 client hello@footnote{The first message in a @acronym{TLS} handshake},
69 and if the session ID sent by the client, matches a stored session,
70 the stored session will be retrieved, and the new session will be a
71 resumed one, and will share the same session ID with the previous one.
74 @subsection Error handling
76 In @acronym{GnuTLS} most functions return an integer type as a result.
77 In almost all cases a zero or a positive number means success, and a
78 negative number indicates failure, or a situation that some action has
79 to be taken. Thus negative error codes may be fatal or not.
81 Fatal errors terminate the connection immediately and further sends
82 and receives will be disallowed. Such an example is
83 @code{GNUTLS_@-E_@-DECRYPTION_@-FAILED}. Non-fatal errors may warn about
84 something, i.e., a warning alert was received, or indicate the some
85 action has to be taken. This is the case with the error code
86 @code{GNUTLS_@-E_@-REHANDSHAKE} returned by @funcref{gnutls_record_recv}.
87 This error code indicates that the server requests a re-handshake. The
88 client may ignore this request, or may reply with an alert. You can
89 test if an error code is a fatal one by using the
90 @funcref{gnutls_error_is_fatal}.
92 If any non fatal errors, that require an action, are to be returned by
93 a function, these error codes will be documented in the function's
94 reference. See @ref{Error codes}, for a description of the available
97 @node Debugging and auditing
98 @subsection Debugging and auditing
100 In many cases things may not go as expected and further information,
101 to assist debugging, from @acronym{GnuTLS} is desired.
102 Those are the cases where the @funcref{gnutls_global_set_log_level} and
103 @funcref{gnutls_global_set_log_function} are to be used. Those will print
104 verbose information on the @acronym{GnuTLS} functions internal flow.
106 @showfuncB{gnutls_global_set_log_level,gnutls_global_set_log_function}
108 When debugging is not required, important issues, such as detected
109 attacks on the protocol still need to be logged. This is provided
110 by the logging function set by
111 @funcref{gnutls_global_set_audit_log_function}. The provided function
112 will receive an message and the corresponding
113 TLS session. The session information might be used to derive IP addresses
114 or other information about the peer involved.
116 @showfuncdesc{gnutls_global_set_audit_log_function}
119 @subsection Thread safety
120 @cindex thread safety
122 The @acronym{GnuTLS} library is thread safe by design, meaning that
123 objects of the library such as TLS sessions, can be safely divided across
124 threads as long as a single thread accesses a single object. This is
125 sufficient to support a server which handles several sessions per thread.
126 If, however, an object needs to be shared across threads then access must be
127 protected with a mutex. Read-only access to objects, for example the
128 credentials holding structures, is also thread-safe.
130 The random generator of the cryptographic back-end, is not thread safe and requires
131 mutex locks which are setup by @acronym{GnuTLS}.
132 Applications can either call @funcref{gnutls_global_init} which will initialize the default
133 operating system provided locks (i.e. @code{pthreads} on GNU/Linux and
134 @code{CriticalSection} on Windows), or manually specify the locking system using
135 the function @funcref{gnutls_global_set_mutex} before calling @funcref{gnutls_global_init}.
136 Setting mutexes manually is recommended
137 only for applications that have full control of the underlying libraries. If this
138 is not the case, the use of the operating system defaults is recommended. An example of
139 non-native thread usage is shown below.
146 /* When the system mutexes are not to be used
147 * gnutls_global_set_mutex() must be called explicitly
149 gnutls_global_set_mutex (mutex_init, mutex_deinit,
150 mutex_lock, mutex_unlock);
151 gnutls_global_init();
155 @showfuncdesc{gnutls_global_set_mutex}
157 @node Callback functions
158 @subsection Callback functions
159 @cindex callback functions
161 There are several cases where @acronym{GnuTLS} may need out of
162 band input from your program. This is now implemented using some
163 callback functions, which your program is expected to register.
165 An example of this type of functions are the push and pull callbacks
166 which are used to specify the functions that will retrieve and send
167 data to the transport layer.
169 @showfuncB{gnutls_transport_set_push_function,gnutls_transport_set_pull_function}
171 Other callback functions may require more complicated input and data
172 to be allocated. Such an example is
173 @funcref{gnutls_srp_set_server_credentials_function}.
174 All callbacks should allocate and free memory using
175 @funcintref{gnutls_malloc} and @funcintref{gnutls_free}.
181 To use @acronym{GnuTLS}, you have to perform some changes to your
182 sources and your build system. The necessary changes are explained in
183 the following subsections.
189 * Building the source::
195 All the data types and functions of the @acronym{GnuTLS} library are
196 defined in the header file @file{gnutls/gnutls.h}. This must be
197 included in all programs that make use of the @acronym{GnuTLS}
201 @subsection Initialization
203 GnuTLS must be initialized before it can be used. The library is
204 initialized by calling @funcref{gnutls_global_init}. The resources
205 allocated by the initialization process can be released if the
206 application no longer has a need to call GnuTLS functions, this is
207 done by calling @funcref{gnutls_global_deinit}.
209 In order to take advantage of the internationalization features in
210 GnuTLS, such as translated error messages, the application must set
211 the current locale using @code{setlocale} before initializing GnuTLS.
214 @subsection Version check
216 It is often desirable to check that the version of `gnutls' used is
217 indeed one which fits all requirements. Even with binary
218 compatibility new features may have been introduced but due to problem
219 with the dynamic linker an old version is actually used. So you may
220 want to check that the version is okay right after program start-up.
221 See the function @funcref{gnutls_check_version}.
223 @node Building the source
224 @subsection Building the source
226 If you want to compile a source file including the
227 @file{gnutls/gnutls.h} header file, you must make sure that the
228 compiler can find it in the directory hierarchy. This is accomplished
229 by adding the path to the directory in which the header file is
230 located to the compilers include file search path (via the @option{-I}
233 However, the path to the include file is determined at the time the
234 source is configured. To solve this problem, the library uses the
235 external package @command{pkg-config} that knows the path to the
236 include file and other configuration options. The options that need
237 to be added to the compiler invocation at compile time are output by
238 the @option{--cflags} option to @command{pkg-config gnutls}. The
239 following example shows how it can be used at the command line:
242 gcc -c foo.c `pkg-config gnutls --cflags`
245 Adding the output of @samp{pkg-config gnutls --cflags} to the
246 compilers command line will ensure that the compiler can find the
247 @file{gnutls/gnutls.h} header file.
249 A similar problem occurs when linking the program with the library.
250 Again, the compiler has to find the library files. For this to work,
251 the path to the library files has to be added to the library search
252 path (via the @option{-L} option). For this, the option
253 @option{--libs} to @command{pkg-config gnutls} can be used. For
254 convenience, this option also outputs all other options that are
255 required to link the program with the library (for instance, the
256 @samp{-ltasn1} option). The example shows how to link @file{foo.o}
257 with the library to a program @command{foo}.
260 gcc -o foo foo.o `pkg-config gnutls --libs`
263 Of course you can also combine both examples to a single command by
264 specifying both options to @command{pkg-config}:
267 gcc -o foo foo.c `pkg-config gnutls --cflags --libs`
270 When a program uses the GNU autoconf system, then the following
271 line or similar can be used to detect the presence of GnuTLS.
274 PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 3.0.0])
276 AC_SUBST([LIBGNUTLS_CFLAGS])
277 AC_SUBST([LIBGNUTLS_LIBS])
280 @node Session initialization
281 @section Session initialization
283 In the previous sections we have discussed the global initialization
284 required for GnuTLS as well as the initialization required for each
285 authentication method's credentials (see @ref{Authentication}).
286 In this section we elaborate on the TLS or DTLS session initiation.
287 Each session is initialized using @funcref{gnutls_init} which among
288 others is used to specify the type of the connection (server or client),
289 and the underlying protocol type, i.e., datagram (UDP) or reliable (TCP).
291 @showfuncdesc{gnutls_init}
293 After the session initialization details on the allowed ciphersuites
294 and protocol versions should be set using the priority functions
295 such as @funcref{gnutls_priority_set_direct}. We elaborate on them
296 in @ref{Priority Strings}.
297 The credentials used for the key exchange method, such as certificates
298 or usernames and passwords should also be associated with the session
299 current session using @funcref{gnutls_credentials_set}.
301 @showfuncdesc{gnutls_credentials_set}
303 @node Associating the credentials
304 @section Associating the credentials
307 * Certificate credentials::
310 * Anonymous credentials::
313 Each authentication method is associated with a key exchange method, and a credentials type.
314 The contents of the credentials is method-dependent, e.g. certificates
315 for certificate authentication and should be initialized and associated
316 with a session (see @funcref{gnutls_credentials_set}). A mapping of the key exchange methods
317 with the credential types is shown in @ref{tab:key-exchange-cred}.
319 @float Table,tab:key-exchange-cred
320 @multitable @columnfractions .25 .25 .2 .2
322 @headitem Authentication method @tab Key exchange @tab Client credentials @tab Server credentials
329 @code{KX_ECDHE_ECDSA},
331 @tab @code{CRD_CERTIFICATE}
332 @tab @code{CRD_CERTIFICATE}
334 @item Password and certificate
335 @tab @code{KX_SRP_RSA}, @code{KX_SRP_DSS}
337 @tab @code{CRD_CERTIFICATE}, @code{CRD_SRP}
345 @tab @code{KX_ANON_DH},
352 @code{KX_DHE_PSK}, @code{KX_ECDHE_PSK}
357 @caption{Key exchange algorithms and the corresponding credential types.}
360 @node Certificate credentials
361 @subsection Certificates
362 @subsubheading Server certificate authentication
364 When using certificates the server is required to have at least one
365 certificate and private key pair. Clients may not hold such
366 a pair, but a server could require it. In this section we discuss
367 general issues applying to both client and server certificates. The next
368 section will elaborate on issues arising from client authentication only.
370 @showfuncB{gnutls_certificate_allocate_credentials,gnutls_certificate_free_credentials}
372 After the credentials structures are initialized, the certificate
373 and key pair must be loaded. This occurs before any @acronym{TLS}
374 session is initialized, and the same structures are reused for multiple sessions.
375 Depending on the certificate type different loading functions
376 are available, as shown below.
377 For @acronym{X.509} certificates, the functions will
378 accept and use a certificate chain that leads to a trusted
379 authority. The certificate chain must be ordered in such way that every
380 certificate certifies the one before it. The trusted authority's
381 certificate need not to be included since the peer should possess it
384 @showfuncC{gnutls_certificate_set_x509_key_mem,gnutls_certificate_set_x509_key,gnutls_certificate_set_x509_key_file}
386 @showfuncD{gnutls_certificate_set_openpgp_key_mem,gnutls_certificate_set_openpgp_key,gnutls_certificate_set_openpgp_key_file,gnutls_certificate_set_key}
388 If multiple certificates are used with the functions above each
389 client's request will be served with the certificate that matches the
390 requested name (see @ref{Server name indication}).
392 As an alternative to loading from files or buffers, a callback may be used for the
393 server or the client to specify the certificate and the key at the handshake time.
394 In that case a certificate should be selected according the peer's signature
395 algorithm preferences. To get those preferences use
396 @funcref{gnutls_sign_algorithm_get_requested}. Both functions are shown below.
398 @showfuncB{gnutls_certificate_set_retrieve_function,gnutls_sign_algorithm_get_requested}
400 The functions above do not handle the requested server name automatically.
401 A server would need to check the name requested by the client
402 using @funcref{gnutls_server_name_get}, and serve the appropriate
405 In a handshake, the negotiated cipher suite depends on the
406 certificate's parameters, so some key exchange methods might not be
407 available with all certificates. @acronym{GnuTLS} will disable
408 ciphersuites that are not compatible with the key, or the enabled
409 authentication methods. For example keys marked as sign-only, will
410 not be able to access the plain RSA ciphersuites, that require
411 decryption. It is not recommended to use RSA keys for both
412 signing and encryption. If possible use a different key for the
413 @code{DHE-RSA} which uses signing and @code{RSA} that requires decryption.
414 All the key exchange methods shown in @ref{tab:key-exchange} are
415 available in certificate authentication.
418 @subsubheading Client certificate authentication
420 If a certificate is to be requested from the client during the handshake, the server
421 will send a certificate request message. This behavior is controlled @funcref{gnutls_certificate_server_set_request}.
422 The request contains a list of the acceptable by the server certificate signers. This list
423 is constructed using the trusted certificate authorities of the server.
424 In cases where the server supports a large number of certificate authorities
425 it makes sense not to advertise all of the names to save bandwidth. That can
426 be controlled using the function @funcref{gnutls_certificate_send_x509_rdn_sequence}.
427 This however will have the side-effect of not restricting the client to certificates
428 signed by server's acceptable signers.
430 @showfuncdesc{gnutls_certificate_server_set_request}
432 @showfuncdesc{gnutls_certificate_send_x509_rdn_sequence}
435 @subsubheading Client or server certificate verification
437 Certificate verification is possible by loading the trusted
438 authorities into the credentials structure by using
439 the following functions, applicable to X.509 and OpenPGP certificates.
441 @showfuncB{gnutls_certificate_set_x509_trust_file,gnutls_certificate_set_openpgp_keyring_file}
443 The peer's certificate is not automatically verified and one
444 should call @funcref{gnutls_certificate_verify_peers2}
445 after a successful handshake to verify the certificate's signature.
446 Alternative the verification can occur during the handshake
447 by using @funcref{gnutls_certificate_set_verify_function}.
449 In order to report a detailed verification output, an alternative
450 way has to be used. For that, one should call @funcref{gnutls_certificate_get_peers}
451 to obtain the raw certificate of the peer and verify it using the
452 functions discussed in @ref{X.509 certificates}.
454 @showfuncdesc{gnutls_certificate_verify_peers2}
456 @showfuncdesc{gnutls_certificate_set_verify_function}
460 @node SRP credentials
463 The initialization functions in SRP credentials differ between
465 Clients supporting @acronym{SRP} should set the username and password
466 prior to connection, to the credentials structure.
467 Alternatively @funcref{gnutls_srp_set_client_credentials_function}
468 may be used instead, to specify a callback function that should return the
469 SRP username and password.
470 The callback is called once during the @acronym{TLS} handshake.
472 @showfuncE{gnutls_srp_allocate_server_credentials,gnutls_srp_allocate_client_credentials,gnutls_srp_free_server_credentials,gnutls_srp_free_client_credentials,gnutls_srp_set_client_credentials}
474 @showfuncdesc{gnutls_srp_set_client_credentials_function}
476 In server side the default behavior of @acronym{GnuTLS} is to read
477 the usernames and @acronym{SRP} verifiers from password files. These
478 password file format is compatible the with the @emph{Stanford srp libraries}
479 format. If a different password file format is to be used, then
480 @funcref{gnutls_srp_set_server_credentials_function} should be called,
481 to set an appropriate callback.
483 @showfuncdesc{gnutls_srp_set_server_credentials_file}
485 @showfuncdesc{gnutls_srp_set_server_credentials_function}
488 @node PSK credentials
490 The initialization functions in PSK credentials differ between
493 @showfuncD{gnutls_psk_allocate_server_credentials,gnutls_psk_allocate_client_credentials,gnutls_psk_free_server_credentials,gnutls_psk_free_client_credentials}
495 Clients supporting @acronym{PSK} should supply the username and key
496 before a TLS session is established. Alternatively
497 @funcref{gnutls_psk_set_client_credentials_function} can be used to
498 specify a callback function. This has the
499 advantage that the callback will be called only if @acronym{PSK} has
502 @showfuncA{gnutls_psk_set_client_credentials}
504 @showfuncdesc{gnutls_psk_set_client_credentials_function}
506 In server side the default behavior of @acronym{GnuTLS} is to read
507 the usernames and @acronym{PSK} keys from a password file. The
508 password file should contain usernames and keys in hexadecimal
509 format. The name of the password file can be stored to the credentials
510 structure by calling @funcref{gnutls_psk_set_server_credentials_file}. If
511 a different password file format is to be used, then
512 a callback should be set instead by @funcref{gnutls_psk_set_server_credentials_function}.
514 The server can help the client chose a suitable username and password,
515 by sending a hint. Note that there is no common profile for the PSK hint and applications
516 are discouraged to use it.
517 A server, may specify the hint by calling
518 @funcref{gnutls_psk_set_server_credentials_hint}. The client can retrieve
519 the hint, for example in the callback function, using
520 @funcref{gnutls_psk_client_get_hint}.
522 @showfuncdesc{gnutls_psk_set_server_credentials_file}
524 @showfuncC{gnutls_psk_set_server_credentials_function,gnutls_psk_set_server_credentials_hint,gnutls_psk_client_get_hint}
526 @node Anonymous credentials
527 @subsection Anonymous
528 The key exchange methods for anonymous authentication
529 might require Diffie-Hellman parameters to be generated by the server and
530 associated with an anonymous credentials structure. Check
531 @ref{Parameter generation} for more information.
532 The initialization functions for the credentials are shown below.
534 @showfuncD{gnutls_anon_allocate_server_credentials,gnutls_anon_allocate_client_credentials,gnutls_anon_free_server_credentials,gnutls_anon_free_client_credentials}
538 @node Setting up the transport layer
539 @section Setting up the transport layer
541 The next step is to setup the underlying transport layer details. The
542 Berkeley sockets are implicitly used by GnuTLS, thus a
543 call to @funcref{gnutls_transport_set_ptr2} would be sufficient to
544 specify the socket descriptor.
546 @showfuncdesc{gnutls_transport_set_ptr2}
548 @showfuncA{gnutls_transport_set_ptr}
550 If however another transport layer than TCP is selected, then
551 the following functions have to be specified.
553 @showfuncdesc{gnutls_transport_set_push_function}
554 @showfuncdesc{gnutls_transport_set_vec_push_function}
555 @showfuncdesc{gnutls_transport_set_pull_function}
557 The functions above accept a callback function which
558 should return the number of bytes written, or -1 on
559 error and should set @code{errno} appropriately.
560 In some environments, setting @code{errno} is unreliable. For example
561 Windows have several errno variables in different CRTs, or in other
562 systems it may be a non thread-local variable. If this is a concern to
563 you, call @funcref{gnutls_transport_set_errno} with the intended errno
564 value instead of setting @code{errno} directly.
566 @showfuncdesc{gnutls_transport_set_errno}
568 @acronym{GnuTLS} currently only interprets the EINTR and EAGAIN errno
569 values and returns the corresponding @acronym{GnuTLS} error codes:
571 @item @code{GNUTLS_E_INTERRUPTED}
572 @item @code{GNUTLS_E_AGAIN}
574 The EINTR and EAGAIN values are returned by interrupted system calls,
575 or when non blocking IO is used. All @acronym{GnuTLS} functions can be
576 resumed (called again), if any of the above error codes is returned.
578 In the case of DTLS it is also desirable to override the generic
579 transport functions with functions that emulate the operation
580 of @code{recvfrom} and @code{sendto}. In addition
581 @acronym{DTLS} requires timers during the receive of a handshake
582 message, set using the @funcref{gnutls_transport_set_pull_timeout_function}
583 function. To check the retransmission timers the function
584 @funcref{gnutls_dtls_get_timeout} is provided, which returns the time
585 remaining until the next retransmission, or better the time until
586 @funcref{gnutls_handshake} should be called again.
588 @showfuncdesc{gnutls_transport_set_pull_timeout_function}
589 @showfuncdesc{gnutls_dtls_get_timeout}
592 * Asynchronous operation::
596 @node Asynchronous operation
597 @subsection Asynchronous operation
598 @acronym{GnuTLS} can be used with asynchronous socket or event-driven programming.
599 During a TLS protocol session @acronym{GnuTLS} does not block for anything except
600 calculations. The only blocking operations are due to the transport layer (sockets) functions.
601 Those, however, in an asynchronous scenario are typically set to
602 non-blocking mode, which forces them to return @code{EAGAIN} error code instead of blocking.
603 In that case @acronym{GnuTLS} functions
604 will return the @code{GNUTLS_E_AGAIN} error code and can be resumed the
605 same way as a system call would. The only exception is @funcref{gnutls_record_send},
606 which if interrupted subsequent calls need not to include the data to be
607 sent (can be called with NULL argument).
609 The @funcintref{select} system call can also be used in combination with the
610 @acronym{GnuTLS} functions. @funcintref{select} allows monitoring of sockets
611 and notifies on them being ready for reading or writing data. Note however
612 that this system call cannot notify on data present in @acronym{GnuTLS}
613 read buffers, it is only applicable to the kernel sockets API. Thus if
614 you are using it for reading from a @acronym{GnuTLS} session, make sure
615 the session is read completely. That can be achieved by checking there
616 are no data waiting to be read (using @funcref{gnutls_record_check_pending}),
617 either before the @funcintref{select} system call, or after a call to
618 @funcref{gnutls_record_recv}. @acronym{GnuTLS} does not keep a write buffer,
619 thus when writing @funcintref{select} need only to be consulted.
621 In the DTLS, however, @acronym{GnuTLS} might block due to timers
622 required by the protocol. To prevent those timers from blocking a DTLS handshake,
623 the @funcref{gnutls_init} should be called with the
624 @code{GNUTLS_NONBLOCK} flag (see @ref{Session initialization}).
627 @subsection DTLS sessions
629 Because datagram TLS can operate over connections where the peer
630 of a server cannot be reliably verified, functionality is available to prevent
631 denial of service attacks. @acronym{GnuTLS} requires a server
632 to generate a secret key that is used to sign a cookie@footnote{A key of 128 bits or 16 bytes should be sufficient for this purpose.}.
633 That cookie is sent to the client using @funcref{gnutls_dtls_cookie_send}, and
634 the client must reply using the correct cookie. The server side
635 should verify the initial message sent by client using @funcref{gnutls_dtls_cookie_verify}.
636 If successful the session should be initialized and associated with
637 the cookie using @funcref{gnutls_dtls_prestate_set}, before proceeding to
640 @showfuncD{gnutls_key_generate,gnutls_dtls_cookie_send,gnutls_dtls_cookie_verify,gnutls_dtls_prestate_set}
642 Note that the above apply to server side only and they are not mandatory to be
643 used. Not using them, however, allows denial of service attacks.
644 The client side cookie handling is part of @funcref{gnutls_handshake}.
646 Datagrams are typically restricted by a maximum transfer unit (MTU). For that
647 both client and server side should set the correct maximum transfer unit for
648 the layer underneath @acronym{GnuTLS}. This will allow proper fragmentation
649 of DTLS messages and prevent messages from being silently discarded by the
650 transport layer. The ``correct'' maximum transfer unit can be obtained through
651 a path MTU discovery mechanism @xcite{RFC4821}.
653 @showfuncC{gnutls_dtls_set_mtu,gnutls_dtls_get_mtu,gnutls_dtls_get_data_mtu}
657 @section TLS handshake
658 Once a session has been initialized and a network
659 connection has been set up, TLS and DTLS protocols
660 perform a handshake. The handshake is the actual key
663 @showfuncdesc{gnutls_handshake}
665 The handshake process doesn't ensure the verification
666 of the peer's identity. When certificates are in use,
667 this can be done, either after the handshake is complete, or during
668 the handshake if @funcref{gnutls_certificate_set_verify_function}
669 has been used. In both cases the @funcref{gnutls_certificate_verify_peers2} function can be
670 used to verify the peer's certificate (see @ref{Certificate authentication}
671 for more information).
673 @showfuncA{gnutls_certificate_verify_peers2}
675 @node Data transfer and termination
676 @section Data transfer and termination
677 Once the handshake is complete and peer's identity
678 has been verified data can be exchanged. The available
679 functions resemble the POSIX @code{recv} and @code{send}
680 functions. It is suggested to use @funcref{gnutls_error_is_fatal}
681 to check whether the error codes returned by these functions are
682 fatal for the protocol or can be ignored.
684 @showfuncdesc{gnutls_record_send}
686 @showfuncdesc{gnutls_record_recv}
688 @showfuncdesc{gnutls_error_is_fatal}
690 In DTLS it is advisable to use the extended receive
691 function shown below, because it allows the extraction
692 of the sequence number. This is required in DTLS because
693 messages may arrive out of order.
695 @showfuncdesc{gnutls_record_recv_seq}
697 The @funcref{gnutls_record_check_pending} helper function is available to
698 allow checking whether data are available to be read in a @acronym{GnuTLS} session
699 buffers. Note that this function complements but does not replace @funcintref{select},
700 i.e., @funcref{gnutls_record_check_pending} reports no data to be read, @funcintref{select}
701 should be called to check for data in the network buffers.
703 @showfuncdesc{gnutls_record_check_pending}
704 @showfuncA{gnutls_record_get_direction}
706 Once a TLS or DTLS session is no longer needed, it is
707 recommended to use @funcref{gnutls_bye} to terminate the
708 session. That way the peer is notified securely about the
709 intention of termination, which allows distinguishing it
710 from a malicious connection termination.
711 A session can be deinitialized with the @funcref{gnutls_deinit} function.
713 @showfuncdesc{gnutls_bye}
714 @showfuncdesc{gnutls_deinit}
716 @node Handling alerts
717 @section Handling alerts
718 During a TLS connection alert messages may be exchanged by the
719 two peers. Those messages may be fatal, meaning the connection
720 must be terminated afterwards, or warning when something needs
721 to be reported to the peer, but without interrupting the session.
722 The error codes @code{GNUTLS_E_WARNING_ALERT_RECEIVED}
723 or @code{GNUTLS_E_FATAL_ALERT_RECEIVED} signal those alerts
724 when received, and may be returned by all GnuTLS functions that receive
725 data from the peer, being @funcref{gnutls_handshake} and @funcref{gnutls_record_recv}.
726 Alerts messages may be sent to the peer using @funcref{gnutls_alert_send}.
728 @showfuncdesc{gnutls_alert_get}
730 @showfuncdesc{gnutls_alert_send}
732 @showfuncB{gnutls_error_to_alert,gnutls_alert_get_name}
735 @node Priority Strings
736 @section Priority strings
737 @cindex Priority strings
739 In order to specify cipher suite preferences on a TLS session
740 there are priority functions that accept a string
741 specifying the enabled for the handshake algorithms.
742 That string may contain a single initial keyword such as
743 in @ref{tab:prio-keywords} and may be followed by
744 additional algorithm or special keywords.
746 @showfuncB{gnutls_priority_set_direct,gnutls_priority_set}
748 @float Table,tab:prio-keywords
749 @multitable @columnfractions .20 .70
750 @headitem Keyword @tab Description
751 @item PERFORMANCE @tab
752 All the known to be secure ciphersuites are enabled,
753 limited to 128 bit ciphers and sorted by terms of speed
754 performance. The message authenticity security level is of 64 bits or more.
757 Means all the known to be secure ciphersuites. The ciphers are sorted by security
758 margin, although the 256-bit ciphers are included as a fallback only.
759 The message authenticity security level is of 64 bits or more.
762 Means all known to be secure ciphersuites that offer a
763 security level 128-bit or more and a message authenticity
764 security level of 80 bits or more.
767 Means all the known to be secure ciphersuites that offer a
768 security level 192-bit or more and a message authenticity
769 security level of 128 bits or more.
772 Currently alias for SECURE192.
775 Means all the NSA Suite B cryptography (RFC5430) ciphersuites
776 with an 128 bit security level.
779 Means all the NSA Suite B cryptography (RFC5430) ciphersuites
780 with an 192 bit security level.
783 Means all ciphersuites are enabled, including the
784 low-security 40 bit ciphers.
787 Means nothing is enabled. This disables even protocols and
788 compression methods. It should be followed by the
789 algorithms to be enabled.
792 @caption{Supported initial keywords.}
795 Unless the initial keyword is "NONE" the defaults (in preference
796 order) are for TLS protocols TLS 1.2, TLS1.1, TLS1.0, SSL3.0; for
797 compression NULL; for certificate types X.509.
798 In key exchange algorithms when in NORMAL or SECURE levels the
799 perfect forward secrecy algorithms take precedence of the other
800 protocols. In all cases all the supported key exchange algorithms
801 are enabled@footnote{Except for the RSA-EXPORT which is only enabled in
804 Note that the SECURE levels distinguish between overall security level and
805 message authenticity security level. That is because the message
806 authenticity security level requires the adversary to break
807 the algorithms at real-time during the protocol run, whilst
808 the overall security level refers to off-line adversaries
809 (e.g. adversaries breaking the ciphertext years after it was captured).
811 The NONE keyword, if used, must followed by keywords specifying
812 the algorithms and protocols to be enabled. The other initial keywords may be
813 followed by such keywords.
814 The order with which every algorithm or protocol
815 is specified is significant. Algorithms specified before others
816 will take precedence. The supported algorithms and protocols
817 are shown in @ref{tab:prio-algorithms}.
818 To avoid collisions in order to specify a compression algorithm in
819 the priority string you have to prefix it with "COMP-", protocol versions
820 with "VERS-", signature algorithms with "SIGN-" and certificate types with "CTYPE-".
821 All other algorithms don't need a prefix. Each specified keyword can
822 be prefixed with any of the following characters.
826 appended with an algorithm will remove this algorithm.
828 appended with an algorithm will add this algorithm.
831 @float Table,tab:prio-algorithms
832 @multitable @columnfractions .20 .70
833 @headitem Type @tab Keywords
835 AES-128-CBC, AES-256-CBC, AES-128-GCM, CAMELLIA-128-CBC,
836 CAMELLIA-256-CBC, ARCFOUR-128, 3DES-CBC ARCFOUR-40. Catch all
837 name is CIPHER-ALL which will add all the algorithms from NORMAL
840 @item Key exchange @tab
841 RSA, DHE-RSA, DHE-DSS, SRP, SRP-RSA, SRP-DSS,
842 PSK, DHE-PSK, ECDHE-RSA, ANON-ECDH, ANON-DH, RSA-EXPORT. The
843 Catch all name is KX-ALL which will add all the algorithms from NORMAL
847 MD5, SHA1, SHA256, AEAD (used with
848 GCM ciphers only). All algorithms from NORMAL priority can be accessed with MAC-ALL.
850 @item Compression algorithms @tab
851 COMP-NULL, COMP-DEFLATE. Catch all is COMP-ALL.
853 @item TLS versions @tab
854 VERS-SSL3.0, VERS-TLS1.0, VERS-TLS1.1,
855 VERS-TLS1.2, VERS-DTLS1.0. Catch all is VERS-TLS-ALL.
857 @item Signature algorithms @tab
858 SIGN-RSA-SHA1, SIGN-RSA-SHA224,
859 SIGN-RSA-SHA256, SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-DSA-SHA1,
860 SIGN-DSA-SHA224, SIGN-DSA-SHA256, SIGN-RSA-MD5. Catch all
861 is SIGN-ALL. This is only valid for TLS 1.2 and later.
863 @item Elliptic curves @tab
864 CURVE-SECP192R1, CURVE-SECP224R1, CURVE-SECP256R1, CURVE-SECP384R1, CURVE-SECP521R1. Catch all is CURVE-ALL.
867 @caption{The supported algorithm keywords in priority strings.}
870 Note that the DHE key exchange methods are generally
871 slower@footnote{It depends on the group used. Primes with
872 lesser bits are always faster, but also easier to break. See @ref{Selecting cryptographic key sizes}
873 for the acceptable security levels.} than their elliptic curves counterpart
874 (ECDHE). Moreover the plain Diffie-Hellman key exchange
875 requires parameters to be generated and associated with a credentials
876 structure by the server (see @ref{Parameter generation}).
878 The available special keywords are shown in @ref{tab:prio-special}.
880 @float Table,tab:prio-special
881 @multitable @columnfractions .45 .45
882 @headitem Keyword @tab Description
885 will enable compatibility mode. It might mean that violations
886 of the protocols are allowed as long as maximum compatibility with
887 problematic clients and servers is achieved. More specifically this
888 string would disable TLS record random padding and tolerate packets
889 over the maximum allowed TLS record.
891 @item %NO_EXTENSIONS @tab
892 will prevent the sending of any TLS extensions in client side. Note
893 that TLS 1.2 requires extensions to be used, as well as safe
894 renegotiation thus this option must be used with care.
896 @item %SERVER_PRECEDENCE @tab
897 The ciphersuite will be selected according to server priorities
898 and not the client's.
900 @item %DISABLE_SAFE_RENEGOTIATION @tab
901 will disable safe renegotiation
902 completely. Do not use unless you know what you are doing.
903 Testing purposes only.
905 @item %UNSAFE_RENEGOTIATION @tab
906 will allow handshakes and re-handshakes
907 without the safe renegotiation extension. Note that for clients
908 this mode is insecure (you may be under attack), and for servers it
909 will allow insecure clients to connect (which could be fooled by an
910 attacker). Do not use unless you know what you are doing and want
911 maximum compatibility.
913 @item %PARTIAL_RENEGOTIATION @tab
914 will allow initial handshakes to proceed,
915 but not re-handshakes. This leaves the client vulnerable to attack,
916 and servers will be compatible with non-upgraded clients for
917 initial handshakes. This is currently the default for clients and
918 servers, for compatibility reasons.
920 @item %SAFE_RENEGOTIATION @tab
921 will enforce safe renegotiation. Clients and
922 servers will refuse to talk to an insecure peer. Currently this
923 causes interoperability problems, but is required for full protection.
925 @item %SSL3_RECORD_VERSION @tab
926 will use SSL3.0 record version in client hello.
929 @item %LATEST_RECORD_VERSION @tab
930 will use the latest TLS version record version in client hello.
932 @item %VERIFY_ALLOW_SIGN_RSA_MD5 @tab
933 will allow RSA-MD5 signatures in certificate chains.
935 @item %VERIFY_ALLOW_X509_V1_CA_CRT @tab
936 will allow V1 CAs in chains.
939 @caption{Special priority string keywords.}
942 Finally the ciphersuites enabled by any priority string can be
943 listed using the @code{gnutls-cli} application (see @ref{gnutls-cli Invocation}),
944 or by using the priority functions as in @ref{Listing the ciphersuites in a priority string}.
946 Example priority strings are:
948 The default priority without the HMAC-MD5:
951 Specifying RSA with AES-128-CBC:
952 "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL"
954 Specifying the defaults except ARCFOUR-128:
955 "NORMAL:-ARCFOUR-128"
957 Enabling the 128-bit secure ciphers, while disabling SSL 3.0 and
958 enabling compression:
959 "SECURE128:-VERS-SSL3.0:+COMP-DEFLATE"
962 @node Advanced and other topics
963 @section Advanced and other topics
966 * Session resumption::
967 * Parameter generation::
968 * Keying Material Exporters::
971 * Compatibility with the OpenSSL library::
974 @node Session resumption
975 @subsection Session resumption
976 @cindex resuming sessions
977 @cindex session resumption
979 @subsubheading Client side
981 To reduce time and roundtrips spent in a handshake the client can
982 request session resumption from a server that previously shared
983 a session with. For that the client has to retrieve and store
984 the session parameters. Before establishing a new session to the same
985 server the parameters must be re-associated with the GnuTLS session
986 using @funcref{gnutls_session_set_data}.
988 @showfuncC{gnutls_session_get_data,gnutls_session_get_id,gnutls_session_set_data}
990 Keep in mind that sessions will be expired after some time, depending
991 on the server, and a server may choose not to resume a session
992 even when requested to. The expiration is to prevent temporal session keys
993 from becoming long-term keys. Also note that as a client you must enable,
994 using the priority functions, at least the algorithms used in the last session.
996 It is highly recommended for clients to enable the session ticket extension using
997 @funcref{gnutls_session_ticket_enable_client} in order to allow resumption with
998 servers that do not store any state.
1000 @showfuncA{gnutls_session_ticket_enable_client}
1002 @showfuncdesc{gnutls_session_is_resumed}
1004 @subsubheading Server side
1006 In order to support resumption a server can store
1007 the session security parameters in a local database or by using session
1008 tickets (see @ref{Session tickets}) to delegate storage to the client. Because
1009 session tickets might not be supported by all clients, servers
1010 could combine the two methods.
1012 A storing server needs to specify callback functions to store, retrieve and delete session data. These can be
1013 registered with the functions below. The stored sessions in the database can be checked using @funcref{gnutls_db_check_entry}
1016 @showfuncD{gnutls_db_set_retrieve_function,gnutls_db_set_store_function,gnutls_db_set_ptr,gnutls_db_set_remove_function}
1017 @showfuncA{gnutls_db_check_entry}
1019 A server utilizing tickets should generate ticket encryption
1020 and authentication keys using @funcref{gnutls_session_ticket_key_generate}.
1021 Those keys should be associated with the GnuTLS session using
1022 @funcref{gnutls_session_ticket_enable_server}.
1024 @showfuncdesc{gnutls_session_ticket_enable_server}
1025 @showfuncdesc{gnutls_session_ticket_key_generate}
1026 @showfuncdesc{gnutls_session_resumption_requested}
1028 A server enabling both session tickets and a storage for session data
1029 would use session tickets when clients support it and the storage otherwise.
1031 @node Parameter generation
1032 @subsection Parameter generation
1033 @cindex parameter generation
1034 @cindex generating parameters
1036 Several TLS ciphersuites require additional parameters that
1037 need to be generated or provided by the application. The
1038 Diffie-Hellman based ciphersuites (ANON-DH or DHE), require
1039 the group parameters to be provided. Those can either be
1040 be generated on the fly using @funcref{gnutls_dh_params_generate2}
1041 or imported from pregenerated data using @funcref{gnutls_dh_params_import_pkcs3}.
1042 The parameters can be used in a @acronym{TLS} session by calling
1043 @funcref{gnutls_certificate_set_dh_params} or
1044 @funcref{gnutls_anon_set_server_dh_params} for anonymous sessions.
1046 @showfuncD{gnutls_dh_params_generate2,gnutls_dh_params_import_pkcs3,gnutls_certificate_set_dh_params,gnutls_anon_set_server_dh_params}
1048 Due to the time-consuming calculations required for the generation
1049 of Diffie-Hellman parameters we suggest against performing generation
1050 of them within an application. The @code{certtool} tool can be used to
1051 generate or export known safe values that can be stored in code
1052 or in a configuration file to provide the ability to replace. We also
1053 recommend the usage of @funcref{gnutls_sec_param_to_pk_bits}
1054 (see @ref{Selecting cryptographic key sizes}) to determine
1055 the bit size of the generated parameters.
1057 Note that the information stored in the generated PKCS #3 structure
1058 changed with GnuTLS 3.0.9. Since that version the @code{privateValueLength}
1059 member of the structure is set, allowing the server utilizing the
1060 parameters to use keys of the size of the security parameter. This
1061 provides better performance in key exchange.
1063 The ciphersuites that involve the RSA-EXPORT key exchange require
1064 additional parameters. Those ciphersuites are rarely used today
1065 because they are by design insecure, thus if you have no requirement
1066 for them, the rest of this section can be skipped. The RSA-EXPORT key exchange
1067 requires 512-bit RSA keys to be generated. It is recommended those
1068 parameters to be refreshed (regenerated) in short intervals. The
1069 following functions can be used for these parameters.
1071 @showfuncD{gnutls_rsa_params_generate2,gnutls_certificate_set_rsa_export_params,gnutls_rsa_params_import_pkcs1,gnutls_rsa_params_export_pkcs1}
1073 To allow renewal of the parameters within an application without
1074 accessing the credentials, which are a shared structure,
1075 an alternative interface is available using a callback function.
1077 @showfuncdesc{gnutls_certificate_set_params_function}
1080 @node Keying Material Exporters
1081 @subsection Keying material exporters
1082 @cindex keying material exporters
1083 @cindex exporting keying material
1085 The TLS PRF can be used by other protocols to derive keys based on
1086 the TLS master secret. The API to use is @funcref{gnutls_prf}. The
1087 function needs to be provided with the label in the parameter
1088 @code{label}, and the extra data to mix in the
1089 @code{extra} parameter. Depending on whether you want to mix in the
1090 client or server random data first, you can set the
1091 @code{server_random_first} parameter.
1093 For example, after establishing a TLS session using
1094 @funcref{gnutls_handshake}, you can invoke the TLS PRF with this call:
1097 #define MYLABEL "EXPORTER-FOO"
1098 #define MYCONTEXT "some context data"
1100 rc = gnutls_prf (session, strlen (MYLABEL), MYLABEL, 0,
1101 strlen (MYCONTEXT), MYCONTEXT, 32, out);
1104 If you don't want to mix in the client/server random, there is a
1105 low-level TLS PRF interface called @funcref{gnutls_prf_raw}.
1107 @node Channel Bindings
1108 @subsection Channel bindings
1109 @cindex channel bindings
1111 In user authentication protocols (e.g., EAP or SASL mechanisms) it is
1112 useful to have a unique string that identifies the secure channel that
1113 is used, to bind together the user authentication with the secure
1114 channel. This can protect against man-in-the-middle attacks in some
1115 situations. That unique string is called a ``channel binding''. For
1116 background and discussion see @xcite{RFC5056}.
1118 In @acronym{GnuTLS} you can extract a channel binding using the
1119 @funcref{gnutls_session_channel_binding} function. Currently only the
1120 type @code{GNUTLS_CB_TLS_UNIQUE} is supported, which corresponds to
1121 the @code{tls-unique} channel binding for TLS defined in
1124 The following example describes how to print the channel binding data.
1125 Note that it must be run after a successful TLS handshake.
1132 rc = gnutls_session_channel_binding (session,
1133 GNUTLS_CB_TLS_UNIQUE,
1136 fprintf (stderr, "Channel binding error: %s\n",
1137 gnutls_strerror (rc));
1141 printf ("- Channel binding 'tls-unique': ");
1142 for (i = 0; i < cb.size; i++)
1143 printf ("%02x", cb.data[i]);
1149 @node Interoperability
1150 @subsection Interoperability
1152 The @acronym{TLS} protocols support many ciphersuites, extensions and version
1153 numbers. As a result, few implementations are
1154 not able to properly interoperate once faced with extensions or version protocols
1155 they do not support and understand. The @acronym{TLS} protocol allows for a
1156 graceful downgrade to the commonly supported options, but practice shows
1157 it is not always implemented correctly.
1159 Because there is no way to achieve maximum interoperability with broken peers
1160 without sacrificing security, @acronym{GnuTLS} ignores such peers by default.
1161 This might not be acceptable in cases where maximum compatibility
1162 is required. Thus we allow enabling compatibility with broken peers using
1163 priority strings (see @ref{Priority Strings}). A conservative priority
1164 string that would disable certain @acronym{TLS} protocol
1165 options that are known to cause compatibility problems, is shown below.
1170 For broken peers that do not tolerate TLS version numbers over TLS 1.0
1171 another priority string is:
1173 NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT
1175 This priority string will in addition to above, only enable SSL 3.0 and
1176 TLS 1.0 as protocols. Note however that
1177 there are known attacks against those protocol versions, especially over
1178 the CBC-mode ciphersuites. To mitigate them another priority string
1179 that only allows the stream cipher ARCFOUR is below.
1181 NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:-CIPHER-ALL:+ARCFOUR-128:%COMPAT
1184 @node Compatibility with the OpenSSL library
1185 @subsection Compatibility with the OpenSSL library
1188 To ease @acronym{GnuTLS}' integration with existing applications, a
1189 compatibility layer with the OpenSSL library is included
1190 in the @code{gnutls-openssl} library. This compatibility layer is not
1191 complete and it is not intended to completely re-implement the OpenSSL
1192 API with @acronym{GnuTLS}. It only provides limited source-level
1195 The prototypes for the compatibility functions are in the
1196 @file{gnutls/openssl.h} header file. The limitations
1197 imposed by the compatibility layer include:
1201 @item Error handling is not thread safe.
1205 @node Using the cryptographic library
1206 @section Using the cryptographic library
1208 @acronym{GnuTLS} is not a low-level cryptographic library, i.e.,
1209 it does not provide access to basic cryptographic primitives. However
1210 it abstracts the internal cryptographic back-end (see @ref{Cryptographic Backend}),
1211 providing symmetric crypto, hash and HMAC algorithms, as well access
1212 to the random number generation.
1215 * Symmetric cryptography::
1216 * Hash and HMAC functions::
1217 * Random number generation::
1220 @node Symmetric cryptography
1221 @subsection Symmetric cryptography
1222 @cindex symmetric cryptography
1224 The available functions to access symmetric crypto algorithms operations
1225 are shown below. The supported algorithms are the algorithms required by the TLS protocol.
1226 They are listed in @ref{tab:ciphers}.
1228 @showfuncE{gnutls_cipher_init,gnutls_cipher_encrypt2,gnutls_cipher_decrypt2,gnutls_cipher_set_iv,gnutls_cipher_deinit}
1230 In order to support authenticated encryption with associated data (AEAD) algorithms the following
1231 functions are provided to set the associated data and retrieve the authentication tag.
1233 @showfuncB{gnutls_cipher_add_auth,gnutls_cipher_tag}
1235 @node Hash and HMAC functions
1236 @subsection Hash and HMAC functions
1237 @cindex hash functions
1238 @cindex HMAC functions
1240 The available operations to access hash functions and hash-MAC (HMAC) algorithms
1241 are shown below. HMAC algorithms provided keyed hash functionality. They supported HMAC algorithms are listed in @ref{tab:macs}.
1243 @showfuncF{gnutls_hmac_init,gnutls_hmac,gnutls_hmac_output,gnutls_hmac_deinit,gnutls_hmac_get_len,gnutls_hmac_fast}
1245 The available functions to access hash functions are shown below. The supported hash functions
1246 are the same as the HMAC algorithms.
1248 @showfuncF{gnutls_hash_init,gnutls_hash,gnutls_hash_output,gnutls_hash_deinit,gnutls_hash_get_len,gnutls_hash_fast}
1250 @node Random number generation
1251 @subsection Random number generation
1252 @cindex random numbers
1254 Access to the random number generator is provided using the @funcref{gnutls_rnd}
1255 function. It allows obtaining random data of various levels.
1257 @showenumdesc{gnutls_rnd_level_t,The random number levels.}
1258 @showfuncdesc{gnutls_rnd}
1260 @node Selecting cryptographic key sizes
1261 @section Selecting cryptographic key sizes
1264 Because many algorithms are involved in TLS, it is not easy to set
1265 a consistent security level. For this reason in @ref{tab:key-sizes} we
1266 present some correspondence between key sizes of symmetric algorithms
1267 and public key algorithms based on @xcite{ECRYPT}.
1268 Those can be used to generate certificates with
1269 appropriate key sizes as well as select parameters for Diffie-Hellman and SRP
1272 @float Table,tab:key-sizes
1273 @multitable @columnfractions .10 .12 .10 .20 .32
1275 @headitem Security bits @tab RSA, DH and SRP parameter size @tab ECC key size @tab Security parameter @tab Description
1281 @tab Very short term protection against agencies
1287 @tab Legacy standard level
1293 @tab Medium-term protection
1299 @tab Long term protection
1305 @tab Foreseeable future
1308 @caption{Key sizes and security parameters.}
1311 The first column provides a security parameter in a number of bits. This
1312 gives an indication of the number of combinations to be tried by an adversary
1313 to brute force a key. For example to test all possible keys in a 112 bit security parameter
1314 @math{2^{112}} combinations have to be tried. For today's technology this is infeasible.
1315 The next two columns correlate the security
1316 parameter with actual bit sizes of parameters for DH, RSA, SRP and ECC algorithms.
1317 A mapping to @code{gnutls_sec_param_t} value is given for each security parameter, on
1318 the next column, and finally a brief description of the level.
1320 @c @showenumdesc{gnutls_sec_param_t,The @code{gnutls_sec_@-param_t} enumeration.}
1322 Note, however, that the values suggested here are nothing more than an
1323 educated guess that is valid today. There are no guarantees that an
1324 algorithm will remain unbreakable or that these values will remain
1325 constant in time. There could be scientific breakthroughs that cannot
1326 be predicted or total failure of the current public key systems by
1327 quantum computers. On the other hand though the cryptosystems used in
1328 TLS are selected in a conservative way and such catastrophic
1329 breakthroughs or failures are believed to be unlikely.
1330 The NIST publication SP 800-57 @xcite{NISTSP80057} contains a similar
1333 When using @acronym{GnuTLS} and a decision on bit sizes for a public
1334 key algorithm is required, use of the following functions is
1337 @showfuncdesc{gnutls_sec_param_to_pk_bits}
1339 @showfuncdesc{gnutls_pk_bits_to_sec_param}
1341 Those functions will convert a human understandable security parameter
1342 of @code{gnutls_sec_param_t} type, to a number of bits suitable for a public