protocol-quic 0.0.0

data/ext/ngtcp2/examples/tests/test_01_handshake.py

@@ -0,0 +1,30 @@
+import pytest
+
+from .ngtcp2test import ExampleClient
+from .ngtcp2test import ExampleServer
+from .ngtcp2test import Env
+
+
+@pytest.mark.skipif(condition=len(Env.get_crypto_libs()) == 0,
+                    reason="no crypto lib examples configured")
+class TestHandshake:
+
+    @pytest.fixture(scope='class', params=Env.get_crypto_libs())
+    def server(self, env, request) -> ExampleServer:
+        s = ExampleServer(env=env, crypto_lib=request.param)
+        assert s.exists(), f'server not found: {s.path}'
+        assert s.start()
+        yield s
+        s.stop()
+
+    @pytest.fixture(scope='function', params=Env.get_crypto_libs())
+    def client(self, env, request) -> ExampleClient:
+        client = ExampleClient(env=env, crypto_lib=request.param)
+        assert client.exists()
+        yield client
+
+    def test_01_01_get(self, env: Env, server, client):
+        # run simple GET, no sessions, needs to give full handshake
+        cr = client.http_get(server, url=f'https://{env.example_domain}/')
+        assert cr.returncode == 0
+        cr.assert_non_resume_handshake()

data/ext/ngtcp2/examples/tests/test_02_resume.py

@@ -0,0 +1,46 @@
+import pytest
+
+from .ngtcp2test import ExampleClient
+from .ngtcp2test import ExampleServer
+from .ngtcp2test import Env
+
+
+@pytest.mark.skipif(condition=len(Env.get_crypto_libs()) == 0,
+                    reason="no crypto lib examples configured")
+class TestResume:
+
+    @pytest.fixture(scope='class', params=Env.get_crypto_libs())
+    def server(self, env, request) -> ExampleServer:
+        s = ExampleServer(env=env, crypto_lib=request.param)
+        assert s.exists(), f'server not found: {s.path}'
+        assert s.start()
+        yield s
+        s.stop()
+
+    @pytest.fixture(scope='function', params=Env.get_crypto_libs())
+    def client(self, env, request) -> ExampleClient:
+        client = ExampleClient(env=env, crypto_lib=request.param)
+        assert client.exists()
+        yield client
+
+    def test_02_01(self, env: Env, server, client):
+        # run GET with sessions but no early data, cleared first, then reused
+        client.clear_session()
+        cr = client.http_get(server, url=f'https://{env.example_domain}/',
+                             use_session=True,
+                             extra_args=['--disable-early-data'])
+        assert cr.returncode == 0
+        cr.assert_non_resume_handshake()
+        # Now do this again and we expect a resumption, meaning no certificate
+        cr = client.http_get(server, url=f'https://{env.example_domain}/',
+                             use_session=True,
+                             extra_args=['--disable-early-data'])
+        assert cr.returncode == 0
+        cr.assert_resume_handshake()
+        # restart the server, do it again
+        server.restart()
+        cr = client.http_get(server, url=f'https://{env.example_domain}/',
+                             use_session=True,
+                             extra_args=['--disable-early-data'])
+        assert cr.returncode == 0
+        cr.assert_non_resume_handshake()

data/ext/ngtcp2/examples/tests/test_03_earlydata.py

@@ -0,0 +1,56 @@
+import pytest
+
+from .ngtcp2test import ExampleClient
+from .ngtcp2test import ExampleServer
+from .ngtcp2test import Env
+
+
+@pytest.mark.skipif(condition=len(Env.get_crypto_libs()) == 0,
+                    reason="no crypto lib examples configured")
+class TestEarlyData:
+
+    @pytest.fixture(scope='class', params=Env.get_crypto_libs())
+    def server(self, env, request) -> ExampleServer:
+        s = ExampleServer(env=env, crypto_lib=request.param)
+        assert s.exists(), f'server not found: {s.path}'
+        assert s.start()
+        yield s
+        s.stop()
+
+    @pytest.fixture(scope='function', params=Env.get_crypto_libs())
+    def client(self, env, request) -> ExampleClient:
+        client = ExampleClient(env=env, crypto_lib=request.param)
+        assert client.exists()
+        yield client
+
+    def test_03_01(self, env: Env, server, client):
+        # run GET with sessions, cleared first, without a session, early
+        # data will not even be attempted
+        client.clear_session()
+        edata = 'This is the early data. It is not much.'
+        cr = client.http_get(server, url=f'https://{env.example_domain}/',
+                             use_session=True, data=edata)
+        assert cr.returncode == 0
+        cr.assert_non_resume_handshake()
+        # resume session, early data is sent and accepted
+        cr = client.http_get(server, url=f'https://{env.example_domain}/',
+                             use_session=True, data=edata)
+        assert cr.returncode == 0
+        cr.assert_resume_handshake()
+        assert not cr.early_data_rejected
+        # restart the server, resume, early data is attempted but will not work
+        server.restart()
+        cr = client.http_get(server, url=f'https://{env.example_domain}/',
+                             use_session=True, data=edata)
+        assert cr.returncode == 0
+        assert cr.early_data_rejected
+        cr.assert_non_resume_handshake()
+        # restart again, sent data, but not as early data
+        server.restart()
+        cr = client.http_get(server, url=f'https://{env.example_domain}/',
+                             use_session=True, data=edata,
+                             extra_args=['--disable-early-data'])
+        assert cr.returncode == 0
+        # we see no rejection, since it was not used
+        assert not cr.early_data_rejected
+        cr.assert_non_resume_handshake()

data/ext/ngtcp2/examples/tests/test_04_clientcert.py

@@ -0,0 +1,57 @@
+import pytest
+
+from .ngtcp2test import ExampleClient
+from .ngtcp2test import ExampleServer
+from .ngtcp2test import Env
+
+
+@pytest.mark.skipif(condition=len(Env.get_crypto_libs()) == 0,
+                    reason="no crypto lib examples configured")
+class TestClientCert:
+
+    @pytest.fixture(scope='class', params=Env.get_crypto_libs())
+    def server(self, env, request) -> ExampleServer:
+        s = ExampleServer(env=env, crypto_lib=request.param,
+                          verify_client=True)
+        assert s.exists(), f'server not found: {s.path}'
+        assert s.start()
+        yield s
+        s.stop()
+
+    @pytest.fixture(scope='function', params=Env.get_crypto_libs())
+    def client(self, env, request) -> ExampleClient:
+        client = ExampleClient(env=env, crypto_lib=request.param)
+        assert client.exists()
+        yield client
+
+    def test_04_01(self, env: Env, server, client):
+        # run GET with a server requesting a cert, client has none to offer
+        cr = client.http_get(server, url=f'https://{env.example_domain}/')
+        assert cr.returncode == 0
+        cr.assert_verify_null_handshake()
+        creqs = [r for r in cr.handshake if r.hsid == 13]  # CertificateRequest
+        assert len(creqs) == 1
+        creq = creqs[0].to_json()
+        certs = [r for r in cr.server.handshake if r.hsid == 11]  # Certificate
+        assert len(certs) == 1
+        crec = certs[0].to_json()
+        assert len(crec['certificate_list']) == 0
+        assert creq['context'] == crec['context']
+        # TODO: check that GET had no answer
+
+    def test_04_02(self, env: Env, server, client):
+        # run GET with a server requesting a cert, client has cert to offer
+        credentials = env.ca.get_first("clientsX")
+        cr = client.http_get(server, url=f'https://{env.example_domain}/',
+                             credentials=credentials)
+        assert cr.returncode == 0
+        cr.assert_verify_cert_handshake()
+        creqs = [r for r in cr.handshake if r.hsid == 13]  # CertificateRequest
+        assert len(creqs) == 1
+        creq = creqs[0].to_json()
+        certs = [r for r in cr.server.handshake if r.hsid == 11]  # Certificate
+        assert len(certs) == 1
+        crec = certs[0].to_json()
+        assert len(crec['certificate_list']) == 1
+        assert creq['context'] == crec['context']
+        # TODO: check that GET indeed gave a response

data/ext/ngtcp2/examples/tests/test_05_ciphers.py

@@ -0,0 +1,46 @@
+import sys
+
+import pytest
+
+from .ngtcp2test import ExampleClient
+from .ngtcp2test import ExampleServer
+from .ngtcp2test import Env
+
+
+@pytest.mark.skipif(condition=len(Env.get_crypto_libs()) == 0,
+                    reason="no crypto lib examples configured")
+class TestCiphers:
+
+    @pytest.fixture(scope='class', params=Env.get_crypto_libs())
+    def server(self, env, request) -> ExampleServer:
+        s = ExampleServer(env=env, crypto_lib=request.param)
+        assert s.exists(), f'server not found: {s.path}'
+        assert s.start()
+        yield s
+        s.stop()
+
+    @pytest.fixture(scope='function',
+                    params=Env.get_crypto_libs(configurable_ciphers=True))
+    def client(self, env, request) -> ExampleClient:
+        client = ExampleClient(env=env, crypto_lib=request.param)
+        assert client.exists()
+        yield client
+
+    @pytest.mark.parametrize('cipher', [
+        'TLS_AES_128_GCM_SHA256',
+        'TLS_AES_256_GCM_SHA384',
+        'TLS_CHACHA20_POLY1305_SHA256',
+        'TLS_AES_128_CCM_SHA256',
+    ])
+    def test_05_01_get(self, env: Env, server, client, cipher):
+        if not client.uses_cipher_config:
+            pytest.skip(f'client {client.crypto_lib} ignores cipher config\n')
+        # run simple GET, no sessions, needs to give full handshake
+        if not client.supports_cipher(cipher):
+            pytest.skip(f'client {client.crypto_lib} does not support {cipher}\n')
+        if not server.supports_cipher(cipher):
+            pytest.skip(f'server {server.crypto_lib} does not support {cipher}\n')
+        cr = client.http_get(server, url=f'https://{env.example_domain}/',
+                             ciphers=cipher)
+        assert cr.returncode == 0
+        cr.assert_non_resume_handshake()

data/ext/ngtcp2/examples/tls_client_context.h

@@ -0,0 +1,52 @@
+/*
+ * ngtcp2
+ *
+ * Copyright (c) 2020 ngtcp2 contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+#ifndef TLS_CLIENT_CONTEXT_H
+#define TLS_CLIENT_CONTEXT_H
+
+#ifdef HAVE_CONFIG_H
+#  include <config.h>
+#endif // HAVE_CONFIG_H
+
+#if defined(ENABLE_EXAMPLE_OPENSSL) && defined(WITH_EXAMPLE_OPENSSL)
+#  include "tls_client_context_openssl.h"
+#endif // ENABLE_EXAMPLE_OPENSSL && WITH_EXAMPLE_OPENSSL
+
+#if defined(ENABLE_EXAMPLE_GNUTLS) && defined(WITH_EXAMPLE_GNUTLS)
+#  include "tls_client_context_gnutls.h"
+#endif // ENABLE_EXAMPLE_GNUTLS && WITH_EXAMPLE_GNUTLS
+
+#if defined(ENABLE_EXAMPLE_BORINGSSL) && defined(WITH_EXAMPLE_BORINGSSL)
+#  include "tls_client_context_boringssl.h"
+#endif // ENABLE_EXAMPLE_BORINGSSL && WITH_EXAMPLE_BORINGSSL
+
+#if defined(ENABLE_EXAMPLE_PICOTLS) && defined(WITH_EXAMPLE_PICOTLS)
+#  include "tls_client_context_picotls.h"
+#endif // ENABLE_EXAMPLE_PICOTLS && WITH_EXAMPLE_PICOTLS
+
+#if defined(ENABLE_EXAMPLE_WOLFSSL) && defined(WITH_EXAMPLE_WOLFSSL)
+#  include "tls_client_context_wolfssl.h"
+#endif // ENABLE_EXAMPLE_WOLFSSL && WITH_EXAMPLE_WOLFSSL
+
+#endif // TLS_CLIENT_CONTEXT_H

data/ext/ngtcp2/examples/tls_client_context_boringssl.cc

@@ -0,0 +1,126 @@
+/*
+ * ngtcp2
+ *
+ * Copyright (c) 2021 ngtcp2 contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+#include "tls_client_context_boringssl.h"
+
+#include <iostream>
+#include <fstream>
+
+#include <ngtcp2/ngtcp2_crypto_boringssl.h>
+
+#include <openssl/err.h>
+
+#include "client_base.h"
+#include "template.h"
+
+extern Config config;
+
+TLSClientContext::TLSClientContext() : ssl_ctx_{nullptr} {}
+
+TLSClientContext::~TLSClientContext() {
+  if (ssl_ctx_) {
+    SSL_CTX_free(ssl_ctx_);
+  }
+}
+
+SSL_CTX *TLSClientContext::get_native_handle() const { return ssl_ctx_; }
+
+namespace {
+int new_session_cb(SSL *ssl, SSL_SESSION *session) {
+  auto f = BIO_new_file(config.session_file, "w");
+  if (f == nullptr) {
+    std::cerr << "Could not write TLS session in " << config.session_file
+              << std::endl;
+    return 0;
+  }
+
+  if (!PEM_write_bio_SSL_SESSION(f, session)) {
+    std::cerr << "Unable to write TLS session to file" << std::endl;
+  }
+
+  BIO_free(f);
+
+  return 0;
+}
+} // namespace
+
+int TLSClientContext::init(const char *private_key_file,
+                           const char *cert_file) {
+  ssl_ctx_ = SSL_CTX_new(TLS_client_method());
+  if (!ssl_ctx_) {
+    std::cerr << "SSL_CTX_new: " << ERR_error_string(ERR_get_error(), nullptr)
+              << std::endl;
+    return -1;
+  }
+
+  if (ngtcp2_crypto_boringssl_configure_client_context(ssl_ctx_) != 0) {
+    std::cerr << "ngtcp2_crypto_boringssl_configure_client_context failed"
+              << std::endl;
+    return -1;
+  }
+
+  SSL_CTX_set_default_verify_paths(ssl_ctx_);
+
+  if (SSL_CTX_set1_curves_list(ssl_ctx_, config.groups) != 1) {
+    std::cerr << "SSL_CTX_set1_curves_list failed" << std::endl;
+    return -1;
+  }
+
+  if (private_key_file && cert_file) {
+    if (SSL_CTX_use_PrivateKey_file(ssl_ctx_, private_key_file,
+                                    SSL_FILETYPE_PEM) != 1) {
+      std::cerr << "SSL_CTX_use_PrivateKey_file: "
+                << ERR_error_string(ERR_get_error(), nullptr) << std::endl;
+      return -1;
+    }
+
+    if (SSL_CTX_use_certificate_chain_file(ssl_ctx_, cert_file) != 1) {
+      std::cerr << "SSL_CTX_use_certificate_chain_file: "
+                << ERR_error_string(ERR_get_error(), nullptr) << std::endl;
+      return -1;
+    }
+  }
+
+  if (config.session_file) {
+    SSL_CTX_set_session_cache_mode(ssl_ctx_, SSL_SESS_CACHE_CLIENT |
+                                                 SSL_SESS_CACHE_NO_INTERNAL);
+    SSL_CTX_sess_set_new_cb(ssl_ctx_, new_session_cb);
+  }
+
+  return 0;
+}
+
+extern std::ofstream keylog_file;
+
+namespace {
+void keylog_callback(const SSL *ssl, const char *line) {
+  keylog_file.write(line, strlen(line));
+  keylog_file.put('\n');
+  keylog_file.flush();
+}
+} // namespace
+
+void TLSClientContext::enable_keylog() {
+  SSL_CTX_set_keylog_callback(ssl_ctx_, keylog_callback);
+}

data/ext/ngtcp2/examples/tls_client_context_boringssl.h

@@ -0,0 +1,49 @@
+/*
+ * ngtcp2
+ *
+ * Copyright (c) 2021 ngtcp2 contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+#ifndef TLS_CLIENT_CONTEXT_BORINGSSL_H
+#define TLS_CLIENT_CONTEXT_BORINGSSL_H
+
+#ifdef HAVE_CONFIG_H
+#  include <config.h>
+#endif // HAVE_CONFIG_H
+
+#include <openssl/ssl.h>
+
+class TLSClientContext {
+public:
+  TLSClientContext();
+  ~TLSClientContext();
+
+  int init(const char *private_key_file, const char *cert_file);
+
+  SSL_CTX *get_native_handle() const;
+
+  void enable_keylog();
+
+private:
+  SSL_CTX *ssl_ctx_;
+};
+
+#endif // TLS_CLIENT_CONTEXT_BORINGSSL_H

data/ext/ngtcp2/examples/tls_client_context_gnutls.cc

@@ -0,0 +1,74 @@
+/*
+ * ngtcp2
+ *
+ * Copyright (c) 2020 ngtcp2 contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+#include "tls_client_context_gnutls.h"
+
+#include <iostream>
+
+#include <ngtcp2/ngtcp2_crypto_gnutls.h>
+
+#include "client_base.h"
+#include "template.h"
+
+// Based on https://github.com/ueno/ngtcp2-gnutls-examples
+
+extern Config config;
+
+TLSClientContext::TLSClientContext() : cred_{nullptr} {}
+
+TLSClientContext::~TLSClientContext() {
+  gnutls_certificate_free_credentials(cred_);
+}
+
+gnutls_certificate_credentials_t TLSClientContext::get_native_handle() const {
+  return cred_;
+}
+
+int TLSClientContext::init(const char *private_key_file,
+                           const char *cert_file) {
+
+  if (auto rv = gnutls_certificate_allocate_credentials(&cred_); rv != 0) {
+    std::cerr << "gnutls_certificate_allocate_credentials failed: "
+              << gnutls_strerror(rv) << std::endl;
+    return -1;
+  }
+
+  if (auto rv = gnutls_certificate_set_x509_system_trust(cred_); rv < 0) {
+    std::cerr << "gnutls_certificate_set_x509_system_trust failed: "
+              << gnutls_strerror(rv) << std::endl;
+    return -1;
+  }
+
+  if (private_key_file != nullptr && cert_file != nullptr) {
+    if (auto rv = gnutls_certificate_set_x509_key_file(
+            cred_, cert_file, private_key_file, GNUTLS_X509_FMT_PEM);
+        rv != 0) {
+      std::cerr << "gnutls_certificate_set_x509_key_file failed: "
+                << gnutls_strerror(rv) << std::endl;
+      return -1;
+    }
+  }
+
+  return 0;
+}

data/ext/ngtcp2/examples/tls_client_context_gnutls.h

@@ -0,0 +1,50 @@
+/*
+ * ngtcp2
+ *
+ * Copyright (c) 2020 ngtcp2 contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+#ifndef TLS_CLIENT_CONTEXT_GNUTLS_H
+#define TLS_CLIENT_CONTEXT_GNUTLS_H
+
+#ifdef HAVE_CONFIG_H
+#  include <config.h>
+#endif // HAVE_CONFIG_H
+
+#include <gnutls/gnutls.h>
+
+class TLSClientContext {
+public:
+  TLSClientContext();
+  ~TLSClientContext();
+
+  int init(const char *private_key_file, const char *cert_file);
+
+  gnutls_certificate_credentials_t get_native_handle() const;
+
+  // Keylog is enabled per session.
+  void enable_keylog() {}
+
+private:
+  gnutls_certificate_credentials_t cred_;
+};
+
+#endif // TLS_CLIENT_CONTEXT_GNUTLS_H