|
Packit Service |
4684c1 |
\input texinfo @c -*-texinfo-*-
|
|
Packit Service |
4684c1 |
@comment %**start of header
|
|
Packit Service |
4684c1 |
@setfilename gnutls-guile.info
|
|
Packit Service |
4684c1 |
@include version-guile.texi
|
|
Packit Service |
4684c1 |
@settitle GnuTLS-Guile @value{VERSION}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@c don't indent the paragraphs.
|
|
Packit Service |
4684c1 |
@paragraphindent 0
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@c Unify some of the indices.
|
|
Packit Service |
4684c1 |
@syncodeindex tp fn
|
|
Packit Service |
4684c1 |
@syncodeindex pg cp
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@comment %**end of header
|
|
Packit Service |
4684c1 |
@finalout
|
|
Packit Service |
4684c1 |
@copying
|
|
Packit Service |
4684c1 |
This manual is last updated @value{UPDATED} for version
|
|
Packit Service |
4684c1 |
@value{VERSION} of GnuTLS.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
Copyright @copyright{} 2001-2012, 2014, 2016, 2019 Free Software Foundation, Inc.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@quotation
|
|
Packit Service |
4684c1 |
Permission is granted to copy, distribute and/or modify this document
|
|
Packit Service |
4684c1 |
under the terms of the GNU Free Documentation License, Version 1.3 or
|
|
Packit Service |
4684c1 |
any later version published by the Free Software Foundation; with no
|
|
Packit Service |
4684c1 |
Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A
|
|
Packit Service |
4684c1 |
copy of the license is included in the section entitled ``GNU Free
|
|
Packit Service |
4684c1 |
Documentation License''.
|
|
Packit Service |
4684c1 |
@end quotation
|
|
Packit Service |
4684c1 |
@end copying
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@dircategory Software libraries
|
|
Packit Service |
4684c1 |
@direntry
|
|
Packit Service |
4684c1 |
* GnuTLS-Guile: (gnutls-guile). GNU Transport Layer Security Library. Guile bindings.
|
|
Packit Service |
4684c1 |
@end direntry
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@titlepage
|
|
Packit Service |
4684c1 |
@title GnuTLS-Guile
|
|
Packit Service |
4684c1 |
@subtitle Guile binding for GNU TLS
|
|
Packit Service |
4684c1 |
@subtitle for version @value{VERSION}, @value{UPDATED}
|
|
Packit Service |
4684c1 |
@sp 7
|
|
Packit Service |
4684c1 |
@image{gnutls-logo,6cm,6cm}
|
|
Packit Service |
4684c1 |
@page
|
|
Packit Service |
4684c1 |
@vskip 0pt plus 1filll
|
|
Packit Service |
4684c1 |
@insertcopying
|
|
Packit Service |
4684c1 |
@end titlepage
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@macro xcite{ref}
|
|
Packit Service |
4684c1 |
[\ref\] (@pxref{Bibliography})
|
|
Packit Service |
4684c1 |
@end macro
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@contents
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@node Top
|
|
Packit Service |
4684c1 |
@top GnuTLS-Guile
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@insertcopying
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@menu
|
|
Packit Service |
4684c1 |
* Preface:: Preface.
|
|
Packit Service |
4684c1 |
* Guile Preparations:: Note on installation and environment.
|
|
Packit Service |
4684c1 |
* Guile API Conventions:: Naming conventions and other idiosyncrasies.
|
|
Packit Service |
4684c1 |
* Guile Examples:: Quick start.
|
|
Packit Service |
4684c1 |
* Guile Reference:: The Scheme GnuTLS programming interface.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
* Copying Information:: You can copy and modify this manual.
|
|
Packit Service |
4684c1 |
* Procedure Index::
|
|
Packit Service |
4684c1 |
* Concept Index::
|
|
Packit Service |
4684c1 |
@end menu
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@node Preface
|
|
Packit Service |
4684c1 |
@chapter Preface
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
This manual describes the @uref{https://www.gnu.org/software/guile/,
|
|
Packit Service |
4684c1 |
GNU Guile} Scheme programming interface to GnuTLS, which is distributed
|
|
Packit Service |
4684c1 |
as part of @uref{https://gnutls.org,GnuTLS}. The reader is
|
|
Packit Service |
4684c1 |
assumed to have basic knowledge of the protocol and library. Details
|
|
Packit Service |
4684c1 |
missing from this chapter may be found in Function reference,
|
|
Packit Service |
4684c1 |
of the C API reference.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
At this stage, not all the C functions are available from Scheme, but
|
|
Packit Service |
4684c1 |
a large subset thereof is available.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@c *********************************************************************
|
|
Packit Service |
4684c1 |
@node Guile Preparations
|
|
Packit Service |
4684c1 |
@chapter Guile Preparations
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
The GnuTLS Guile bindings are available for the Guile 3.0 and 2.2
|
|
Packit Service |
4684c1 |
series, as well as the legacy 2.0 and even 1.8 series.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
By default they are installed under the GnuTLS installation directory,
|
|
Packit Service |
4684c1 |
typically @file{/usr/local/share/guile/site/}). Normally Guile
|
|
Packit Service |
4684c1 |
will not find the module there without help. You may experience
|
|
Packit Service |
4684c1 |
something like this:
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@example
|
|
Packit Service |
4684c1 |
$ guile
|
|
Packit Service |
4684c1 |
@dots{}
|
|
Packit Service |
4684c1 |
scheme@@(guile-user)> (use-modules (gnutls))
|
|
Packit Service |
4684c1 |
ERROR: no code for module (gnutls)
|
|
Packit Service |
4684c1 |
@end example
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
There are two ways to solve this. The first is to make sure that when
|
|
Packit Service |
4684c1 |
building GnuTLS, the Guile bindings will be installed in the same
|
|
Packit Service |
4684c1 |
place where Guile looks. You may do this by using the
|
|
Packit Service |
4684c1 |
@code{--with-guile-site-dir} parameter as follows:
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@example
|
|
Packit Service |
4684c1 |
$ ./configure --with-guile-site-dir=no
|
|
Packit Service |
4684c1 |
@end example
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
This will instruct GnuTLS to attempt to install the Guile bindings
|
|
Packit Service |
4684c1 |
where Guile will look for them. It will use @code{guile-config info
|
|
Packit Service |
4684c1 |
pkgdatadir} to learn the path to use.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
If Guile was installed into @code{/usr}, you may also install GnuTLS
|
|
Packit Service |
4684c1 |
using the same prefix:
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@example
|
|
Packit Service |
4684c1 |
$ ./configure --prefix=/usr
|
|
Packit Service |
4684c1 |
@end example
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
If you want to specify the path to install the Guile bindings you can
|
|
Packit Service |
4684c1 |
also specify the path directly:
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@example
|
|
Packit Service |
4684c1 |
$ ./configure --with-guile-site-dir=/opt/guile/share/guile/site
|
|
Packit Service |
4684c1 |
@end example
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
The second solution requires some more work but may be easier to use
|
|
Packit Service |
4684c1 |
if you do not have system administrator rights to your machine. You
|
|
Packit Service |
4684c1 |
need to instruct Guile so that it finds the GnuTLS Guile bindings.
|
|
Packit Service |
4684c1 |
Either use the @code{GUILE_LOAD_PATH} environment variable as follows:
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@example
|
|
Packit Service |
4684c1 |
$ GUILE_LOAD_PATH="/usr/local/share/guile/site:$GUILE_LOAD_PATH" guile
|
|
Packit Service |
4684c1 |
scheme@@(guile-user)> (use-modules (gnutls))
|
|
Packit Service |
4684c1 |
scheme@@(guile-user)>
|
|
Packit Service |
4684c1 |
@end example
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
Alternatively, you can modify Guile's @code{%load-path} variable
|
|
Packit Service |
4684c1 |
(@pxref{Build Config, Guile's run-time options,, guile, The GNU Guile
|
|
Packit Service |
4684c1 |
Reference Manual}).
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
At this point, you might get an error regarding
|
|
Packit Service |
4684c1 |
@file{guile-gnutls-v-2} similar to:
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@example
|
|
Packit Service |
4684c1 |
gnutls.scm:361:1: In procedure dynamic-link in expression (load-extension "guile-gnutls-v-2" "scm_init_gnutls"):
|
|
Packit Service |
4684c1 |
gnutls.scm:361:1: file: "guile-gnutls-v-2", message: "guile-gnutls-v-2.so: cannot open shared object file: No such file or directory"
|
|
Packit Service |
4684c1 |
@end example
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
In this case, you will need to modify the run-time linker path, for
|
|
Packit Service |
4684c1 |
example as follows:
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@example
|
|
Packit Service |
4684c1 |
$ LD_LIBRARY_PATH=/usr/local/lib GUILE_LOAD_PATH=/usr/local/share/guile/site guile
|
|
Packit Service |
4684c1 |
scheme@@(guile-user)> (use-modules (gnutls))
|
|
Packit Service |
4684c1 |
scheme@@(guile-user)>
|
|
Packit Service |
4684c1 |
@end example
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
To check that you got the intended GnuTLS library version, you may
|
|
Packit Service |
4684c1 |
print the version number of the loaded library as follows:
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@example
|
|
Packit Service |
4684c1 |
$ guile
|
|
Packit Service |
4684c1 |
scheme@@(guile-user)> (use-modules (gnutls))
|
|
Packit Service |
4684c1 |
scheme@@(guile-user)> (gnutls-version)
|
|
Packit Service |
4684c1 |
"@value{VERSION}"
|
|
Packit Service |
4684c1 |
scheme@@(guile-user)>
|
|
Packit Service |
4684c1 |
@end example
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@c *********************************************************************
|
|
Packit Service |
4684c1 |
@node Guile API Conventions
|
|
Packit Service |
4684c1 |
@chapter Guile API Conventions
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
This chapter details the conventions used by Guile API, as well as
|
|
Packit Service |
4684c1 |
specificities of the mapping of the C API to Scheme.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@menu
|
|
Packit Service |
4684c1 |
* Enumerates and Constants:: Representation of C-side constants.
|
|
Packit Service |
4684c1 |
* Procedure Names:: Naming conventions.
|
|
Packit Service |
4684c1 |
* Representation of Binary Data:: Binary data buffers.
|
|
Packit Service |
4684c1 |
* Input and Output:: Input and output.
|
|
Packit Service |
4684c1 |
* Exception Handling:: Exceptions.
|
|
Packit Service |
4684c1 |
@end menu
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@node Enumerates and Constants
|
|
Packit Service |
4684c1 |
@section Enumerates and Constants
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@cindex enumerate
|
|
Packit Service |
4684c1 |
@cindex constant
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
Lots of enumerates and constants are used in the GnuTLS C API. For
|
|
Packit Service |
4684c1 |
each C enumerate type, a disjoint Scheme type is used---thus,
|
|
Packit Service |
4684c1 |
enumerate values and constants are not represented by Scheme symbols
|
|
Packit Service |
4684c1 |
nor by integers. This makes it impossible to use an enumerate value
|
|
Packit Service |
4684c1 |
of the wrong type on the Scheme side: such errors are automatically
|
|
Packit Service |
4684c1 |
detected by type-checking.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
The enumerate values are bound to variables exported by the
|
|
Packit Service |
4684c1 |
@code{(gnutls)} module. These variables
|
|
Packit Service |
4684c1 |
are named according to the following convention:
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@itemize
|
|
Packit Service |
4684c1 |
@item All variable names are lower-case; the underscore @code{_}
|
|
Packit Service |
4684c1 |
character used in the C API is replaced by hyphen @code{-}.
|
|
Packit Service |
4684c1 |
@item All variable names are prepended by the name of the enumerate
|
|
Packit Service |
4684c1 |
type and the slash @code{/} character.
|
|
Packit Service |
4684c1 |
@item In some cases, the variable name is made more explicit than the
|
|
Packit Service |
4684c1 |
one of the C API, e.g., by avoid abbreviations.
|
|
Packit Service |
4684c1 |
@end itemize
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
Consider for instance this C-side enumerate:
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@example
|
|
Packit Service |
4684c1 |
typedef enum
|
|
Packit Service |
4684c1 |
@{
|
|
Packit Service |
4684c1 |
GNUTLS_CRD_CERTIFICATE = 1,
|
|
Packit Service |
4684c1 |
GNUTLS_CRD_ANON,
|
|
Packit Service |
4684c1 |
GNUTLS_CRD_SRP,
|
|
Packit Service |
4684c1 |
GNUTLS_CRD_PSK
|
|
Packit Service |
4684c1 |
@} gnutls_credentials_type_t;
|
|
Packit Service |
4684c1 |
@end example
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
The corresponding Scheme values are bound to the following variables
|
|
Packit Service |
4684c1 |
exported by the @code{(gnutls)} module:
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@example
|
|
Packit Service |
4684c1 |
credentials/certificate
|
|
Packit Service |
4684c1 |
credentials/anonymous
|
|
Packit Service |
4684c1 |
credentials/srp
|
|
Packit Service |
4684c1 |
credentials/psk
|
|
Packit Service |
4684c1 |
@end example
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
Hopefully, most variable names can be deduced from this convention.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
Scheme-side ``enumerate'' values can be compared using @code{eq?}
|
|
Packit Service |
4684c1 |
(@pxref{Equality, equality predicates,, guile, The GNU Guile Reference
|
|
Packit Service |
4684c1 |
Manual}). Consider the following example:
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@findex session-cipher
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@example
|
|
Packit Service |
4684c1 |
(let ((session (make-session connection-end/client)))
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
;;
|
|
Packit Service |
4684c1 |
;; ...
|
|
Packit Service |
4684c1 |
;;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
;; Check the ciphering algorithm currently used by SESSION.
|
|
Packit Service |
4684c1 |
(if (eq? cipher/arcfour (session-cipher session))
|
|
Packit Service |
4684c1 |
(format #t "We're using the ARCFOUR algorithm")))
|
|
Packit Service |
4684c1 |
@end example
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
In addition, all enumerate values can be converted to a human-readable
|
|
Packit Service |
4684c1 |
string, in a type-specific way. For instance, @code{(cipher->string
|
|
Packit Service |
4684c1 |
cipher/arcfour)} yields @code{"ARCFOUR 128"}, while
|
|
Packit Service |
4684c1 |
@code{(key-usage->string key-usage/digital-signature)} yields
|
|
Packit Service |
4684c1 |
@code{"digital-signature"}. Note that these strings may not be
|
|
Packit Service |
4684c1 |
sufficient for use in a user interface since they are fairly concise
|
|
Packit Service |
4684c1 |
and not internationalized.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@node Procedure Names
|
|
Packit Service |
4684c1 |
@section Procedure Names
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
Unlike C functions in GnuTLS, the corresponding Scheme procedures are
|
|
Packit Service |
4684c1 |
named in a way that is close to natural English. Abbreviations are
|
|
Packit Service |
4684c1 |
also avoided. For instance, the Scheme procedure corresponding to
|
|
Packit Service |
4684c1 |
@code{gnutls_certificate_set_dh_params} is named
|
|
Packit Service |
4684c1 |
@code{set-certificate-credentials-dh-parameters!}. The @code{gnutls_}
|
|
Packit Service |
4684c1 |
prefix is always omitted from variable names since a similar effect
|
|
Packit Service |
4684c1 |
can be achieved using Guile's nifty binding renaming facilities,
|
|
Packit Service |
4684c1 |
should it be needed (@pxref{Using Guile Modules,,, guile, The GNU
|
|
Packit Service |
4684c1 |
Guile Reference Manual}).
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
Often Scheme procedure names differ from C function names in a way
|
|
Packit Service |
4684c1 |
that makes it clearer what objects they operate on. For example, the
|
|
Packit Service |
4684c1 |
Scheme procedure named @code{set-session-transport-port!} corresponds
|
|
Packit Service |
4684c1 |
to @code{gnutls_transport_set_ptr}, making it clear that this
|
|
Packit Service |
4684c1 |
procedure applies to session.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@node Representation of Binary Data
|
|
Packit Service |
4684c1 |
@section Representation of Binary Data
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
Many procedures operate on binary data. For instance,
|
|
Packit Service |
4684c1 |
@code{pkcs3-import-dh-parameters} expects binary data as input.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@cindex bytevectors
|
|
Packit Service |
4684c1 |
@cindex SRFI-4
|
|
Packit Service |
4684c1 |
@cindex homogeneous vector
|
|
Packit Service |
4684c1 |
Binary data is represented on the Scheme side using bytevectors
|
|
Packit Service |
4684c1 |
(@pxref{Bytevectors,,, guile, The GNU Guile Reference Manual}).
|
|
Packit Service |
4684c1 |
Homogeneous vectors such as SRFI-4 @code{u8vector}s can also be
|
|
Packit Service |
4684c1 |
used@footnote{Historically, SRFI-4 @code{u8vector}s are the closest
|
|
Packit Service |
4684c1 |
thing to bytevectors that Guile 1.8 and earlier supported.}.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
As an example, generating and then exporting Diffie-Hellman parameters
|
|
Packit Service |
4684c1 |
in the PEM format can be done as follows:
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@findex make-dh-parameters
|
|
Packit Service |
4684c1 |
@findex pkcs3-export-dh-parameters
|
|
Packit Service |
4684c1 |
@vindex x509-certificate-format/pem
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@example
|
|
Packit Service |
4684c1 |
(let* ((dh (make-dh-parameters 1024))
|
|
Packit Service |
4684c1 |
(pem (pkcs3-export-dh-parameters dh
|
|
Packit Service |
4684c1 |
x509-certificate-format/pem)))
|
|
Packit Service |
4684c1 |
(call-with-output-file "some-file.pem"
|
|
Packit Service |
4684c1 |
(lambda (port)
|
|
Packit Service |
4684c1 |
(uniform-vector-write pem port))))
|
|
Packit Service |
4684c1 |
@end example
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@node Input and Output
|
|
Packit Service |
4684c1 |
@section Input and Output
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@findex set-session-transport-port!
|
|
Packit Service |
4684c1 |
@findex set-session-transport-fd!
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
The underlying transport of a TLS session can be any Scheme
|
|
Packit Service |
4684c1 |
input/output port (@pxref{Ports and File Descriptors,,, guile, The GNU
|
|
Packit Service |
4684c1 |
Guile Reference Manual}). This has to be specified using
|
|
Packit Service |
4684c1 |
@code{set-session-transport-port!}.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
However, for better performance, a raw file descriptor can be
|
|
Packit Service |
4684c1 |
specified, using @code{set-session-transport-fd!}. For instance, if
|
|
Packit Service |
4684c1 |
the transport layer is a socket port over an OS-provided socket, you
|
|
Packit Service |
4684c1 |
can use the @code{port->fdes} or @code{fileno} procedure to obtain the
|
|
Packit Service |
4684c1 |
underlying file descriptor and pass it to
|
|
Packit Service |
4684c1 |
@code{set-session-transport-fd!} (@pxref{Ports and File Descriptors,
|
|
Packit Service |
4684c1 |
@code{port->fdes} and @code{fileno},, guile, The GNU Guile Reference
|
|
Packit Service |
4684c1 |
Manual}). This would work as follows:
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@example
|
|
Packit Service |
4684c1 |
(let ((socket (socket PF_INET SOCK_STREAM 0))
|
|
Packit Service |
4684c1 |
(session (make-session connection-end/client)))
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
;;
|
|
Packit Service |
4684c1 |
;; Establish a TCP connection...
|
|
Packit Service |
4684c1 |
;;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
;; Use the file descriptor that underlies SOCKET.
|
|
Packit Service |
4684c1 |
(set-session-transport-fd! session (fileno socket)))
|
|
Packit Service |
4684c1 |
@end example
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@findex session-record-port
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
Once a TLS session is established, data can be communicated through it
|
|
Packit Service |
4684c1 |
(i.e., @emph{via} the TLS record layer) using the port returned by
|
|
Packit Service |
4684c1 |
@code{session-record-port}:
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@example
|
|
Packit Service |
4684c1 |
(let ((session (make-session connection-end/client)))
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
;;
|
|
Packit Service |
4684c1 |
;; Initialize the various parameters of SESSION, set up
|
|
Packit Service |
4684c1 |
;; a network connection, etc.
|
|
Packit Service |
4684c1 |
;;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
(let ((i/o (session-record-port session)))
|
|
Packit Service |
4684c1 |
(display "Hello peer!" i/o)
|
|
Packit Service |
4684c1 |
(let ((greetings (read i/o)))
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
;; @dots{}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
(bye session close-request/rdwr))))
|
|
Packit Service |
4684c1 |
@end example
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@c See <https://bugs.gnu.org/22966> for details.
|
|
Packit Service |
4684c1 |
@cindex buffering
|
|
Packit Service |
4684c1 |
Note that each write to the session record port leads to the
|
|
Packit Service |
4684c1 |
transmission of an encrypted TLS ``Application Data'' packet. In the
|
|
Packit Service |
4684c1 |
above example, we create an Application Data packet for the 11 bytes for
|
|
Packit Service |
4684c1 |
the string that we write. This is not efficient both in terms of CPU
|
|
Packit Service |
4684c1 |
usage and bandwidth (each packet adds at least 5 bytes of overhead and
|
|
Packit Service |
4684c1 |
can lead to one @code{write} system call), so we recommend that
|
|
Packit Service |
4684c1 |
applications do their own buffering.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@findex record-send
|
|
Packit Service |
4684c1 |
@findex record-receive!
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
A lower-level I/O API is provided by @code{record-send} and
|
|
Packit Service |
4684c1 |
@code{record-receive!} which take a bytevector (or a SRFI-4 vector) to
|
|
Packit Service |
4684c1 |
represent the data sent or received. While it might improve
|
|
Packit Service |
4684c1 |
performance, it is much less convenient than the session record port and
|
|
Packit Service |
4684c1 |
should rarely be needed.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@node Exception Handling
|
|
Packit Service |
4684c1 |
@section Exception Handling
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@cindex exceptions
|
|
Packit Service |
4684c1 |
@cindex errors
|
|
Packit Service |
4684c1 |
@cindex @code{gnutls-error}
|
|
Packit Service |
4684c1 |
@findex error->string
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
GnuTLS errors are implemented as Scheme exceptions (@pxref{Exceptions,
|
|
Packit Service |
4684c1 |
exceptions in Guile,, guile, The GNU Guile Reference Manual}). Each
|
|
Packit Service |
4684c1 |
time a GnuTLS function returns an error, an exception with key
|
|
Packit Service |
4684c1 |
@code{gnutls-error} is raised. The additional arguments that are
|
|
Packit Service |
4684c1 |
thrown include an error code and the name of the GnuTLS procedure that
|
|
Packit Service |
4684c1 |
raised the exception. The error code is pretty much like an enumerate
|
|
Packit Service |
4684c1 |
value: it is one of the @code{error/} variables exported by the
|
|
Packit Service |
4684c1 |
@code{(gnutls)} module (@pxref{Enumerates and Constants}). Exceptions
|
|
Packit Service |
4684c1 |
can be turned into error messages using the @code{error->string}
|
|
Packit Service |
4684c1 |
procedure.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
The following examples illustrates how GnuTLS exceptions can be
|
|
Packit Service |
4684c1 |
handled:
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@example
|
|
Packit Service |
4684c1 |
(let ((session (make-session connection-end/server)))
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
;;
|
|
Packit Service |
4684c1 |
;; ...
|
|
Packit Service |
4684c1 |
;;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
(catch 'gnutls-error
|
|
Packit Service |
4684c1 |
(lambda ()
|
|
Packit Service |
4684c1 |
(handshake session))
|
|
Packit Service |
4684c1 |
(lambda (key err function . currently-unused)
|
|
Packit Service |
4684c1 |
(format (current-error-port)
|
|
Packit Service |
4684c1 |
"a GnuTLS error was raised by `~a': ~a~%"
|
|
Packit Service |
4684c1 |
function (error->string err)))))
|
|
Packit Service |
4684c1 |
@end example
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
Again, error values can be compared using @code{eq?}:
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@example
|
|
Packit Service |
4684c1 |
;; `gnutls-error' handler.
|
|
Packit Service |
4684c1 |
(lambda (key err function . currently-unused)
|
|
Packit Service |
4684c1 |
(if (eq? err error/fatal-alert-received)
|
|
Packit Service |
4684c1 |
(format (current-error-port)
|
|
Packit Service |
4684c1 |
"a fatal alert was caught!~%")
|
|
Packit Service |
4684c1 |
(format (current-error-port)
|
|
Packit Service |
4684c1 |
"something bad happened: ~a~%"
|
|
Packit Service |
4684c1 |
(error->string err))))
|
|
Packit Service |
4684c1 |
@end example
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
Note that the @code{catch} handler is currently passed only 3
|
|
Packit Service |
4684c1 |
arguments but future versions might provide it with additional
|
|
Packit Service |
4684c1 |
arguments. Thus, it must be prepared to handle more than 3 arguments,
|
|
Packit Service |
4684c1 |
as in this example.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@c *********************************************************************
|
|
Packit Service |
4684c1 |
@node Guile Examples
|
|
Packit Service |
4684c1 |
@chapter Guile Examples
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
This chapter provides examples that illustrate common use cases.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@menu
|
|
Packit Service |
4684c1 |
* Anonymous Authentication Guile Example:: Simplest client and server.
|
|
Packit Service |
4684c1 |
@end menu
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@node Anonymous Authentication Guile Example
|
|
Packit Service |
4684c1 |
@section Anonymous Authentication Guile Example
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@dfn{Anonymous authentication} is very easy to use. No certificates
|
|
Packit Service |
4684c1 |
are needed by the communicating parties. Yet, it allows them to
|
|
Packit Service |
4684c1 |
benefit from end-to-end encryption and integrity checks.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
The client-side code would look like this (assuming @var{some-socket}
|
|
Packit Service |
4684c1 |
is bound to an open socket port):
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@vindex connection-end/client
|
|
Packit Service |
4684c1 |
@vindex kx/anon-dh
|
|
Packit Service |
4684c1 |
@vindex close-request/rdwr
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@example
|
|
Packit Service |
4684c1 |
;; Client-side.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
(let ((client (make-session connection-end/client)))
|
|
Packit Service |
4684c1 |
;; Use the default settings.
|
|
Packit Service |
4684c1 |
(set-session-default-priority! client)
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
;; Don't use certificate-based authentication.
|
|
Packit Service |
4684c1 |
(set-session-certificate-type-priority! client '())
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
;; Request the "anonymous Diffie-Hellman" key exchange method.
|
|
Packit Service |
4684c1 |
(set-session-kx-priority! client (list kx/anon-dh))
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
;; Specify the underlying socket.
|
|
Packit Service |
4684c1 |
(set-session-transport-fd! client (fileno some-socket))
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
;; Create anonymous credentials.
|
|
Packit Service |
4684c1 |
(set-session-credentials! client
|
|
Packit Service |
4684c1 |
(make-anonymous-client-credentials))
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
;; Perform the TLS handshake with the server.
|
|
Packit Service |
4684c1 |
(handshake client)
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
;; Send data over the TLS record layer.
|
|
Packit Service |
4684c1 |
(write "hello, world!" (session-record-port client))
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
;; Terminate the TLS session.
|
|
Packit Service |
4684c1 |
(bye client close-request/rdwr))
|
|
Packit Service |
4684c1 |
@end example
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
The corresponding server would look like this (again, assuming
|
|
Packit Service |
4684c1 |
@var{some-socket} is bound to a socket port):
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@vindex connection-end/server
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@example
|
|
Packit Service |
4684c1 |
;; Server-side.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
(let ((server (make-session connection-end/server)))
|
|
Packit Service |
4684c1 |
(set-session-default-priority! server)
|
|
Packit Service |
4684c1 |
(set-session-certificate-type-priority! server '())
|
|
Packit Service |
4684c1 |
(set-session-kx-priority! server (list kx/anon-dh))
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
;; Specify the underlying transport socket.
|
|
Packit Service |
4684c1 |
(set-session-transport-fd! server (fileno some-socket))
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
;; Create anonymous credentials.
|
|
Packit Service |
4684c1 |
(let ((cred (make-anonymous-server-credentials))
|
|
Packit Service |
4684c1 |
(dh-params (make-dh-parameters 1024)))
|
|
Packit Service |
4684c1 |
;; Note: DH parameter generation can take some time.
|
|
Packit Service |
4684c1 |
(set-anonymous-server-dh-parameters! cred dh-params)
|
|
Packit Service |
4684c1 |
(set-session-credentials! server cred))
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
;; Perform the TLS handshake with the client.
|
|
Packit Service |
4684c1 |
(handshake server)
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
;; Receive data over the TLS record layer.
|
|
Packit Service |
4684c1 |
(let ((message (read (session-record-port server))))
|
|
Packit Service |
4684c1 |
(format #t "received the following message: ~a~%"
|
|
Packit Service |
4684c1 |
message)
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
(bye server close-request/rdwr)))
|
|
Packit Service |
4684c1 |
@end example
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
This is it!
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@c *********************************************************************
|
|
Packit Service |
4684c1 |
@node Guile Reference
|
|
Packit Service |
4684c1 |
@chapter Guile Reference
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
This chapter lists the GnuTLS Scheme procedures exported by the
|
|
Packit Service |
4684c1 |
@code{(gnutls)} module (@pxref{The Guile module system,,, guile, The
|
|
Packit Service |
4684c1 |
GNU Guile Reference Manual}).
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@include core.c.texi
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@c Local Variables:
|
|
Packit Service |
4684c1 |
@c ispell-local-dictionary: "american"
|
|
Packit Service |
4684c1 |
@c End:
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@include cha-copying.texi
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@node Procedure Index
|
|
Packit Service |
4684c1 |
@unnumbered Procedure Index
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@printindex fn
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@node Concept Index
|
|
Packit Service |
4684c1 |
@unnumbered Concept Index
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@printindex cp
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@bye
|