]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
Added support for the ALPN extension.
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 10 Apr 2013 15:18:10 +0000 (17:18 +0200)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 10 Apr 2013 15:24:56 +0000 (17:24 +0200)
12 files changed:
configure.ac
doc/cha-intro-tls.texi
lib/ext/Makefile.am
lib/ext/alpn.c [new file with mode: 0644]
lib/ext/alpn.h [new file with mode: 0644]
lib/gnutls_extensions.c
lib/gnutls_int.h
lib/includes/gnutls/gnutls.h.in
lib/libgnutls.map
m4/hooks.m4
tests/Makefile.am
tests/mini-alpn.c [new file with mode: 0644]

index 3f33c25e8a5285a4e0b1f6353bf76044aa77e74e..747eb4cc3562948da7bb25c6afb9a87a2b94fa72 100644 (file)
@@ -649,6 +649,7 @@ AC_MSG_NOTICE([Optional features:
 if features are disabled)
 
   DTLS-SRTP support:    $ac_enable_srtp
+  ALPN support:         $ac_enable_alpn
   OCSP support:         $ac_enable_ocsp
   OpenPGP support:      $ac_enable_openpgp
   SRP support:          $ac_enable_srp
index d9c90c963f5bb90626865c461d52b77ba48ca570..1e16a28fa9c225d37f3f60ff7466b4616050d03a 100644 (file)
@@ -404,6 +404,7 @@ and they will be discussed in the subsections that follow.
 * Safe renegotiation::
 * OCSP status request::
 * SRTP::
+* Application Layer Protocol Negotiation (ALPN)::
 @end menu
 
 @node Maximum fragment length negotiation
@@ -622,6 +623,20 @@ Other helper functions are listed below.
 
 @showfuncC{gnutls_srtp_get_selected_profile,gnutls_srtp_get_profile_name,gnutls_srtp_get_profile_id}
 
+@node Application Layer Protocol Negotiation (ALPN)
+@subsection Application Layer Protocol Negotiation (ALPN)
+@cindex ALPN
+@cindex Application Layer Protocol Negotiation
+
+The TLS protocol was extended in @code{draft-ietf-tls-applayerprotoneg-00} 
+to provide the application layer a method of
+negotiating the application protocol version. This allows for negotiation
+of the application protocol during the TLS handshake, thus reducing
+round-trips. The application protocol is described by an opaque
+string. To enable, use the following functions.
+
+@showfuncB{gnutls_alpn_set_protocols,gnutls_alpn_get_selected_protocol}
+
 @include sec-tls-app.texi
 
 @node On SSL 2 and older protocols
index 604fce103433d07e2cdf2457127219b180d8faa8..55724306023e922067e2f08e8426f726b13c89f7 100644 (file)
@@ -42,6 +42,10 @@ libgnutls_ext_la_SOURCES = max_record.c cert_type.c \
        status_request.h status_request.c new_record_padding.c \
        new_record_padding.h
 
+if ENABLE_ALPN
+libgnutls_ext_la_SOURCES += alpn.c alpn.h
+endif
+
 if ENABLE_DTLS_SRTP
 libgnutls_ext_la_SOURCES += srtp.c srtp.h
 endif
diff --git a/lib/ext/alpn.c b/lib/ext/alpn.c
new file mode 100644 (file)
index 0000000..4f19f07
--- /dev/null
@@ -0,0 +1,326 @@
+/*
+ * Copyright (C) 2013 Nikos Mavrogiannopoulos
+ * 
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+#include "gnutls_int.h"
+#include "gnutls_auth.h"
+#include "gnutls_errors.h"
+#include "gnutls_num.h"
+#include <ext/alpn.h>
+
+static int _gnutls_alpn_recv_params (gnutls_session_t session,
+                                     const uint8_t * data,
+                                     size_t data_size);
+static int _gnutls_alpn_send_params (gnutls_session_t session,
+                                     gnutls_buffer_st* extdata);
+
+static int _gnutls_alpn_unpack (gnutls_buffer_st * ps,
+                                extension_priv_data_t * _priv);
+static int _gnutls_alpn_pack (extension_priv_data_t _priv,
+                              gnutls_buffer_st * ps);
+static void _gnutls_alpn_deinit_data (extension_priv_data_t priv);
+
+
+extension_entry_st ext_mod_alpn = {
+  .name = "ALPN",
+  .type = GNUTLS_EXTENSION_ALPN,
+  .parse_type = GNUTLS_EXT_APPLICATION,
+
+  .recv_func = _gnutls_alpn_recv_params,
+  .send_func = _gnutls_alpn_send_params,
+  .pack_func = _gnutls_alpn_pack,
+  .unpack_func = _gnutls_alpn_unpack,
+  .deinit_func = _gnutls_alpn_deinit_data,
+};
+
+static int
+_gnutls_alpn_recv_params (gnutls_session_t session,
+                          const uint8_t *data, size_t _data_size)
+{
+  unsigned int i;
+  int ret;
+  const uint8_t *p = data;
+  unsigned len1, len;
+  ssize_t data_size = _data_size;
+  alpn_ext_st *priv;
+  extension_priv_data_t epriv;
+
+  ret =
+    _gnutls_ext_get_session_data (session, GNUTLS_EXTENSION_ALPN,
+                                  &epriv);
+  if (ret < 0)
+    return 0;
+
+  priv = epriv.ptr;
+
+  DECR_LENGTH_RET (data_size, 2, 0);
+  len = _gnutls_read_uint16 (p);
+  p += 2;
+
+  if (len > data_size)
+    return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+  
+  if (session->security_parameters.entity == GNUTLS_SERVER)
+    {
+      while(data_size > 0)
+        {
+          DECR_LENGTH_RET (data_size, 1, 0);
+          len1 = *p;
+          p += 1;
+          DECR_LENGTH_RET (data_size, len1, 0);
+      
+          for (i=0;i<priv->size;i++)
+            if (priv->protocol_size[i] == len1 && memcmp(p, priv->protocols[i], len1) == 0)
+              {
+                priv->selected_protocol = priv->protocols[i];
+                priv->selected_protocol_size = priv->protocol_size[i];
+                break;
+              }
+          p += len1;
+        }
+    }
+  else
+    {
+      DECR_LENGTH_RET (data_size, 1, 0);
+      len1 = *p;
+      p += 1;
+      DECR_LENGTH_RET (data_size, len1, 0);
+      
+      for (i=0;i<priv->size;i++)
+        if (priv->protocol_size[i] == len1 && memcmp(p, priv->protocols[i], len1) == 0)
+          {
+            priv->selected_protocol = priv->protocols[i];
+            priv->selected_protocol_size = priv->protocol_size[i];
+            break;
+          }
+      p += len1;
+    }
+
+  return 0;
+}
+
+static int
+_gnutls_alpn_send_params (gnutls_session_t session,
+                          gnutls_buffer_st* extdata)
+{
+  unsigned i;
+  int total_size = 0, ret;
+  alpn_ext_st *priv;
+  extension_priv_data_t epriv;
+
+  ret =
+    _gnutls_ext_get_session_data (session, GNUTLS_EXTENSION_ALPN,
+                                  &epriv);
+  if (ret < 0)
+    return 0;
+
+  priv = epriv.ptr;
+
+  if (priv->size == 0)
+    return 0;
+
+  if (session->security_parameters.entity == GNUTLS_SERVER)
+    {
+      if (priv->selected_protocol_size == 0)
+        return 0;
+
+      ret = _gnutls_buffer_append_prefix(extdata, 16, priv->selected_protocol_size+1);
+      if (ret < 0)
+        return gnutls_assert_val(ret);
+
+      total_size += 2;
+
+      ret = _gnutls_buffer_append_data_prefix(extdata, 8, priv->selected_protocol, priv->selected_protocol_size);
+      if (ret < 0)
+        return gnutls_assert_val(ret);
+
+      total_size += 1+priv->selected_protocol_size;
+    }
+  else
+    {
+      int t = 0;
+      for (i=0;i<priv->size;i++)
+        t += priv->protocol_size[i] + 1;
+
+      ret = _gnutls_buffer_append_prefix(extdata, 16, t);
+      if (ret < 0)
+        return gnutls_assert_val(ret);
+
+      total_size += 2;
+
+      for (i=0;i<priv->size;i++)
+        {
+          ret = _gnutls_buffer_append_data_prefix(extdata, 8, priv->protocols[i], priv->protocol_size[i]);
+          if (ret < 0)
+            return gnutls_assert_val(ret);
+
+          total_size += 1+priv->protocol_size[i];
+        }
+    }
+
+  return total_size;
+}
+
+/**
+ * gnutls_alpn_get_selected_protocol:
+ * @session: is a #gnutls_session_t structure.
+ * @protocol: will hold the protocol name
+ *
+ * This function allows you to get the negotiated protocol name. The
+ * returned protocol should be treated as opaque, constant value and
+ * only valid during the session life.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
+ *
+ * Since 3.1.11
+ **/
+int
+gnutls_alpn_get_selected_protocol (gnutls_session_t session,
+                                   gnutls_datum_t * protocol)
+{
+  alpn_ext_st *priv;
+  int ret;
+  extension_priv_data_t epriv;
+
+  ret =
+    _gnutls_ext_get_session_data (session, GNUTLS_EXTENSION_ALPN,
+                                  &epriv);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+    }
+
+  priv = epriv.ptr;
+
+  if (priv->selected_protocol_size == 0)
+    return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
+
+  protocol->data = priv->selected_protocol;
+  protocol->size = priv->selected_protocol_size;
+
+  return 0;
+}
+
+/**
+ * gnutls_alpn_set_protocols:
+ * @session: is a #gnutls_session_t structure.
+ * @protocols: is the protocol names to add.
+ * @protocols_size: the number of protocols to add.
+ *
+ * This function is to be used by both clients and servers, to declare
+ * the supported ALPN protocols, which are used during peer negotiation.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
+ *
+ * Since 3.1.11
+ **/
+int
+gnutls_alpn_set_protocols (gnutls_session_t session,
+                           const gnutls_datum_t * protocols, unsigned protocols_size)
+{
+  int ret;
+  alpn_ext_st *priv;
+  extension_priv_data_t epriv;
+  unsigned i;
+
+  ret =
+    _gnutls_ext_get_session_data (session, GNUTLS_EXTENSION_ALPN,
+                                  &epriv);
+  if (ret < 0)
+    {
+      priv = gnutls_calloc (1, sizeof (*priv));
+      if (priv == NULL)
+        {
+          gnutls_assert ();
+          return GNUTLS_E_MEMORY_ERROR;
+        }
+      epriv.ptr = priv;
+      _gnutls_ext_set_session_data (session, GNUTLS_EXTENSION_ALPN,
+                                    epriv);
+    }
+  else
+    priv = epriv.ptr;
+    
+  if (protocols_size > MAX_ALPN_PROTOCOLS)
+    return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
+  for (i=0;i<protocols_size;i++)
+    {
+      if (protocols[i].size >= MAX_ALPN_PROTOCOL_NAME)
+        return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+        
+      memcpy(priv->protocols[i], protocols[i].data, protocols[i].size);
+      priv->protocol_size[i] = protocols[i].size;
+      priv->size++;
+    }
+
+  return 0;
+}
+
+
+static void
+_gnutls_alpn_deinit_data (extension_priv_data_t priv)
+{
+  gnutls_free (priv.ptr);
+}
+
+static int
+_gnutls_alpn_pack (extension_priv_data_t epriv, gnutls_buffer_st * ps)
+{
+  alpn_ext_st *priv = epriv.ptr;
+  int ret;
+
+  BUFFER_APPEND_PFX4 (ps, priv->selected_protocol, priv->selected_protocol_size);
+
+  return 0;
+}
+
+static int
+_gnutls_alpn_unpack (gnutls_buffer_st * ps,
+                     extension_priv_data_t * _priv)
+{
+  alpn_ext_st *priv;
+  int ret;
+  extension_priv_data_t epriv;
+
+  priv = gnutls_calloc (1, sizeof (*priv));
+  if (priv == NULL)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_MEMORY_ERROR;
+    }
+
+  BUFFER_POP_NUM (ps, priv->protocol_size[0]);
+  BUFFER_POP (ps, &priv->protocols[0], priv->protocol_size[0]);
+  priv->size++;
+  priv->selected_protocol_size = priv->protocol_size[0];
+  priv->selected_protocol = priv->protocols[0];
+
+  epriv.ptr = priv;
+  *_priv = epriv;
+
+  return 0;
+
+error:
+  gnutls_free (priv);
+  return ret;
+}
diff --git a/lib/ext/alpn.h b/lib/ext/alpn.h
new file mode 100644 (file)
index 0000000..541bcae
--- /dev/null
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2013 Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+#ifndef EXT_ALPN_H
+#define EXT_ALPN_H
+
+#include <gnutls_extensions.h>
+
+#define MAX_ALPN_PROTOCOLS 8
+#define MAX_ALPN_PROTOCOL_NAME 32
+
+typedef struct
+{
+  uint8_t protocols[MAX_ALPN_PROTOCOLS][MAX_ALPN_PROTOCOL_NAME];
+  unsigned protocol_size[MAX_ALPN_PROTOCOLS];
+  unsigned size;
+  uint8_t *selected_protocol;
+  unsigned selected_protocol_size;
+} alpn_ext_st;
+
+extern extension_entry_st ext_mod_alpn;
+
+#endif
index f676993ece62503d8b0c6a100051f561def615fe..99ed731594aab1da15be68a50ba8a533ad70fde5 100644 (file)
@@ -40,6 +40,7 @@
 #include <ext/ecc.h>
 #include <ext/status_request.h>
 #include <ext/srtp.h>
+#include <ext/alpn.h>
 #include <ext/new_record_padding.h>
 #include <gnutls_num.h>
 
@@ -368,6 +369,12 @@ _gnutls_ext_init (void)
     return ret;
 #endif
 
+#ifdef ENABLE_ALPN
+  ret = _gnutls_ext_register (&ext_mod_alpn);
+  if (ret != GNUTLS_E_SUCCESS)
+    return ret;
+#endif
+
   return GNUTLS_E_SUCCESS;
 }
 
index 14ddfbec15e090f128817ba16fcafd62924be494..71ee6c7dcb0fc2dae2ea740444e99ef934eda7a8 100644 (file)
@@ -272,6 +272,7 @@ typedef enum extensions_t
   GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS = 13,
   GNUTLS_EXTENSION_SRTP = 14,
   GNUTLS_EXTENSION_HEARTBEAT = 15,
+  GNUTLS_EXTENSION_ALPN = 16,
   GNUTLS_EXTENSION_SESSION_TICKET = 35,
   GNUTLS_EXTENSION_NEW_RECORD_PADDING = 48015,  /* aka: 0xbeaf */
   GNUTLS_EXTENSION_SAFE_RENEGOTIATION = 65281   /* aka: 0xff01 */
index 4d16a46663cbe67329e9ba4d281a82945c79cc2d..672b7566a05b09366b7bf721e9e96103e20b8ec5 100644 (file)
@@ -1045,6 +1045,13 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t session);
   int gnutls_srtp_set_mki (gnutls_session_t session, const gnutls_datum_t *mki);
   int gnutls_srtp_get_mki (gnutls_session_t session, gnutls_datum_t *mki);
 
+/* ALPN TLS extension */
+  int gnutls_alpn_get_selected_protocol (gnutls_session_t session,
+                                   gnutls_datum_t * protocol);
+  int gnutls_alpn_set_protocols (gnutls_session_t session,
+                           const gnutls_datum_t * protocols, unsigned protocols_size);
+
+
   int gnutls_key_generate (gnutls_datum_t * key, unsigned int key_size);
 
 /* if you just want some defaults, use the following.
index 7ae94496c2864cbb0a929b9004d919f26172d0af..f2eb6bbb9f97d0fddf8e8a14c875c81a42b0ecb1 100644 (file)
@@ -908,6 +908,8 @@ GNUTLS_3_1_0 {
        gnutls_sign_algorithm_get_client;
        gnutls_certificate_set_x509_key_mem2;
        gnutls_certificate_set_x509_key_file2;
+       gnutls_alpn_get_selected_protocol;
+       gnutls_alpn_set_protocols;
 } GNUTLS_3_0_0;
 
 GNUTLS_PRIVATE {
index 905e5a4c2c8c13ddefa1516518fffe6ef5f8afdf..16f21a1532df6522fa52727e6fae9a985d377073 100644 (file)
@@ -155,6 +155,20 @@ fi
   fi
   AM_CONDITIONAL(ENABLE_DTLS_SRTP, test "$ac_enable_srtp" != "no")
 
+  AC_MSG_CHECKING([whether to disable ALPN extension])
+  AC_ARG_ENABLE(dtls-alpn-support,
+    AS_HELP_STRING([--disable-dtls-alpn-support],
+                   [disable support for the Application Layer Protocol Negotiation (ALPN) extension]),
+    ac_enable_alpn=$enableval,ac_enable_alpn=yes)
+  if test x$ac_enable_alpn != xno; then
+   AC_MSG_RESULT(no)
+   AC_DEFINE([ENABLE_ALPN], 1, [enable ALPN support])
+  else
+   ac_full=0
+   AC_MSG_RESULT(yes)
+  fi
+  AM_CONDITIONAL(ENABLE_ALPN, test "$ac_enable_alpn" != "no")
+
   ac_enable_heartbeat=yes
   AC_MSG_CHECKING([whether to disable TLS heartbeat support])
   AC_ARG_ENABLE(heartbeat-support,
index 050a9a49d99372177b31076066da36f6b927232c..08a7eb681229c4a663ba640680cd0122c063d81e 100644 (file)
@@ -67,7 +67,7 @@ ctests = mini-deflate simple gc set_pkcs12_cred certder certuniqueid  \
         nul-in-x509-names x509_altname pkcs12_encode mini-x509         \
         mini-rehandshake rng-fork mini-eagain-dtls resume-dtls \
         x509cert x509cert-tl infoaccess  \
-        mini-tdb mini-dtls-rehandshake \
+        mini-tdb mini-dtls-rehandshake mini-alpn \
         mini-termination mini-x509-cas mini-x509-2 pkcs12_simple \
         mini-emsgsize-dtls chainverify-unsorted \
         mini-dtls-heartbeat mini-x509-callbacks key-openssl            \
diff --git a/tests/mini-alpn.c b/tests/mini-alpn.c
new file mode 100644 (file)
index 0000000..8bac742
--- /dev/null
@@ -0,0 +1,322 @@
+/*
+ * Copyright (C) 2013 Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#if defined(_WIN32) || !defined(ENABLE_ALPN)
+
+int
+main (int argc, char** argv)
+{
+    exit (77);
+}
+
+#else
+
+#include <string.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/dtls.h>
+
+#include "utils.h"
+
+static void terminate (void);
+
+/* This program tests the rehandshake in DTLS
+ */
+
+static void
+server_log_func (int level, const char *str)
+{
+    fprintf (stderr, "server|<%d>| %s", level, str);
+}
+
+static void
+client_log_func (int level, const char *str)
+{
+    fprintf (stderr, "client|<%d>| %s", level, str);
+}
+
+/* These are global */
+static pid_t child;
+
+/* A very basic DTLS client, with anonymous authentication, that negotiates SRTP
+ */
+
+static void
+client (int fd, const char* protocol1, const char* protocol2)
+{
+    gnutls_session_t session;
+    int ret;
+    gnutls_datum_t proto;
+    gnutls_anon_client_credentials_t anoncred;
+    /* Need to enable anonymous KX specifically. */
+
+    gnutls_global_init ();
+
+    if (debug)
+      {
+          gnutls_global_set_log_function (client_log_func);
+          gnutls_global_set_log_level (4711);
+      }
+
+    gnutls_anon_allocate_client_credentials (&anoncred);
+
+    /* Initialize TLS session
+     */
+    gnutls_init (&session, GNUTLS_CLIENT);
+
+    /* Use default priorities */
+    gnutls_priority_set_direct (session,
+                                "NONE:+VERS-TLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL",
+                                NULL);
+    if (protocol1)
+      {
+        gnutls_datum_t t[2];
+        t[0].data = (void*)protocol1;
+        t[0].size = strlen(protocol1);
+        t[1].data = (void*)protocol2;
+        t[1].size = strlen(protocol2);
+        
+        ret = gnutls_alpn_set_protocols(session, t, 2);
+        if (ret < 0)
+          {
+            gnutls_perror(ret);
+            exit(1);
+          }
+      }
+
+    /* put the anonymous credentials to the current session
+     */
+    gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);
+
+    gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) fd);
+
+    /* Perform the TLS handshake
+     */
+    do
+      {
+          ret = gnutls_handshake (session);
+      }
+    while (ret < 0 && gnutls_error_is_fatal (ret) == 0);
+
+    if (ret < 0)
+      {
+          fail ("client: Handshake failed\n");
+          gnutls_perror (ret);
+          exit (1);
+      }
+    else
+      {
+          if (debug)
+              success ("client: Handshake was completed\n");
+      }
+
+    if (debug)
+        success ("client: TLS version is: %s\n",
+                 gnutls_protocol_get_name (gnutls_protocol_get_version
+                                           (session)));
+    
+    ret = gnutls_alpn_get_selected_protocol(session, &proto);
+    if (ret < 0)
+      {
+        gnutls_perror(ret);
+        exit(1);
+      }
+
+    if (debug)
+      {
+        fprintf(stderr, "selected protocol: %.*s\n", (int)proto.size, proto.data);
+      }
+
+
+    gnutls_bye (session, GNUTLS_SHUT_WR);
+
+    close (fd);
+
+    gnutls_deinit (session);
+
+    gnutls_anon_free_client_credentials (anoncred);
+
+    gnutls_global_deinit ();
+}
+
+static void
+terminate (void)
+{
+    int status;
+
+    kill (child, SIGTERM);
+    wait (&status);
+    exit (1);
+}
+
+static void
+server (int fd, const char* protocol1, const char* protocol2)
+{
+    int ret;
+    gnutls_session_t session;
+    gnutls_anon_server_credentials_t anoncred;
+    gnutls_datum_t t[2];
+
+    /* this must be called once in the program
+     */
+    gnutls_global_init ();
+
+    if (debug)
+      {
+          gnutls_global_set_log_function (server_log_func);
+          gnutls_global_set_log_level (4711);
+      }
+
+    gnutls_anon_allocate_server_credentials (&anoncred);
+
+    gnutls_init (&session, GNUTLS_SERVER);
+
+    /* avoid calling all the priority functions, since the defaults
+     * are adequate.
+     */
+    gnutls_priority_set_direct (session,
+                                "NONE:+VERS-TLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL",
+                                NULL);
+
+    t[0].data = (void*)protocol1;
+    t[0].size = strlen(protocol1);
+    t[1].data = (void*)protocol2;
+    t[1].size = strlen(protocol2);
+    
+    ret = gnutls_alpn_set_protocols(session, t, 2);
+    if (ret < 0)
+      {
+        gnutls_perror(ret);
+        exit(1);
+      }
+
+    gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);
+
+    gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) fd);
+
+    do
+      {
+          ret = gnutls_handshake (session);
+      }
+    while (ret < 0 && gnutls_error_is_fatal (ret) == 0);
+    if (ret < 0)
+      {
+          close (fd);
+          gnutls_deinit (session);
+          fail ("server: Handshake has failed (%s)\n\n",
+                gnutls_strerror (ret));
+          terminate ();
+      }
+    if (debug)
+        success ("server: Handshake was completed\n");
+
+    if (debug)
+        success ("server: TLS version is: %s\n",
+                 gnutls_protocol_get_name (gnutls_protocol_get_version
+                                           (session)));
+
+    ret = gnutls_alpn_get_selected_protocol(session, &t[0]);
+    if (ret < 0)
+      {
+        gnutls_perror(ret);
+        exit(1);
+      }
+    
+#if 0
+    if (debug)
+      {
+        success ("Protocol: %.*s\n", (int)t[0].size, t[0].data);
+      }
+#endif
+
+    /* do not wait for the peer to close the connection.
+     */
+    gnutls_bye (session, GNUTLS_SHUT_WR);
+
+    close (fd);
+    gnutls_deinit (session);
+
+    gnutls_anon_free_server_credentials (anoncred);
+
+    gnutls_global_deinit ();
+
+    if (debug)
+        success ("server: finished\n");
+}
+
+static void
+start (const char* p1, const char* p2)
+{
+    int fd[2];
+    int ret;
+
+    ret = socketpair (AF_UNIX, SOCK_STREAM, 0, fd);
+    if (ret < 0)
+      {
+          perror ("socketpair");
+          exit (1);
+      }
+
+    child = fork ();
+    if (child < 0)
+      {
+          perror ("fork");
+          fail ("fork");
+          exit (1);
+      }
+
+    if (child)
+      {
+          int status;
+          /* parent */
+
+          server (fd[0], p1, p2);
+          wait (&status);
+          if (WEXITSTATUS (status) != 0)
+              fail ("Child died with status %d\n", WEXITSTATUS (status));
+      }
+    else
+      {
+          close (fd[0]);
+          client (fd[1], p2, p1);
+          exit (0);
+      }
+}
+
+void
+doit (void)
+{
+    start ("spdy/2", "spdy/3");
+    start ("spdy/3", "spdy/2");
+}
+
+#endif /* _WIN32 */