commit 25bebdfd32b2534f1f3b6d558753203e091b6aa1
parent c4abe187844a84c25e3488823fd8a8e49102e9d5
Author: MikoĊaj Lenczewski <Miko.Lenczewski@arm.com>
Date: Fri, 17 Apr 2026 22:20:34 +0100
Merge other files
Diffstat:
| A | NOTES.txt | | | 4 | ++++ |
| M | build.sh | | | 5 | ++--- |
| M | clean.sh | | | 2 | +- |
| A | common.h | | | 102 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
| D | net.h | | | 11 | ----------- |
| A | test-client.c | | | 115 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
| A | test-server.c | | | 119 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
| D | test.c | | | 47 | ----------------------------------------------- |
| M | tls.h | | | 307 | ++++++++++++++++++++++++++++++++++++++++++++++++++----------------------------- |
9 files changed, 536 insertions(+), 176 deletions(-)
diff --git a/NOTES.txt b/NOTES.txt
@@ -0,0 +1,4 @@
+https://datatracker.ietf.org/doc/html/rfc8446
+https://tls13.xargs.org/
+https://datatracker.ietf.org/doc/html/rfc2246
+https://tls12.xargs.org/
diff --git a/build.sh b/build.sh
@@ -2,6 +2,5 @@
set -ex
-mkdir -p bin
-
-cc -o bin/tls-test test.c -Wall -Wextra -std=c11 -O0 -g3
+cc -o test-client test-client.c -std=c11 -O0 -g3 -Wall -Wextra
+cc -o test-server test-server.c -std=c11 -O0 -g3 -Wall -Wextra
diff --git a/clean.sh b/clean.sh
@@ -2,4 +2,4 @@
set -ex
-rm -rf bin
+rm -f test-client test-server
diff --git a/common.h b/common.h
@@ -0,0 +1,102 @@
+#ifndef COMMON_H
+#define COMMON_H
+
+#define _GNU_SOURCE 1
+
+#include <stddef.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+
+static int
+get_socket(char *host, char *port, int passive)
+{
+ struct addrinfo hints = {
+ .ai_family = AF_UNSPEC,
+ .ai_socktype = SOCK_STREAM,
+ .ai_protocol = IPPROTO_TCP,
+ }, *addrinfo, *ptr;
+
+ int res;
+ if ((res = getaddrinfo(host, port, &hints, &addrinfo))) {
+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(res));
+ return -1;
+ }
+
+ int fd;
+ for (ptr = addrinfo; ptr; ptr = ptr->ai_next) {
+ fd = socket(ptr->ai_family, ptr->ai_socktype, ptr->ai_protocol);
+ if (fd < 0)
+ continue;
+
+ if (passive && bind(fd, ptr->ai_addr, ptr->ai_addrlen) < 0) {
+ close(fd);
+ fd = -1;
+ continue;
+ } else if (connect(fd, ptr->ai_addr, ptr->ai_addrlen) < 0) {
+ close(fd);
+ fd = -1;
+ continue;
+ }
+
+ break;
+ }
+
+ freeaddrinfo(addrinfo);
+
+ return fd;
+}
+
+static int
+get_client_socket(char *host, char *port)
+{
+ return get_socket(host, port, 0);
+}
+
+static int
+get_server_socket(char *host, char *port)
+{
+ int fd = get_socket(host, port, 1);
+ if (fd < 0)
+ return fd;
+
+ listen(fd, 16);
+
+ return fd;
+}
+
+static int
+recvall(int fd, char *buf, size_t len)
+{
+ do {
+ ssize_t curr = recv(fd, buf, len, 0);
+ if (curr < 0)
+ return -1;
+
+ buf += curr;
+ len -= curr;
+ } while (len);
+
+ return 0;
+}
+
+static int
+sendall(int fd, char *buf, size_t len)
+{
+ do {
+ ssize_t curr = send(fd, buf, len, 0);
+ if (curr < 0)
+ return -1;
+
+ buf += curr;
+ len -= curr;
+ } while (len);
+
+ return 0;
+}
+
+#endif /* COMMON_H */
diff --git a/net.h b/net.h
@@ -1,11 +0,0 @@
-#ifndef NET_H
-#define NET_H
-
-#define _GNU_SOURCE 1
-#define _POSIX_C_SOURCE 200809L
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netdb.h>
-
-#endif /* NET_H */
diff --git a/test-client.c b/test-client.c
@@ -0,0 +1,115 @@
+#define _GNU_SOURCE 1
+
+#include "tls.h"
+
+#include "common.h"
+
+int
+main(int argc, char **argv)
+{
+ if (argc < 3) {
+ fprintf(stderr, "Usage: %s <host> <port>\n", argv[0]);
+ exit(EXIT_FAILURE);
+ }
+
+ char *host = argv[1], *port = argv[2];
+
+ int sock = get_client_socket(host, port);
+ if (sock < 0) {
+ fprintf(stderr, "Failed to connect to %s:%s\n", host, port);
+ exit(EXIT_FAILURE);
+ }
+
+ // plaintext buffer
+ char buf[4096];
+ size_t buf_cap = sizeof buf, buf_cur = 0, buf_len = 0;
+
+ // ciphertext buffer
+ char tlsbuf[TLS_RECORD_MAX_SIZE];
+ size_t tlsbuf_cap = sizeof tlsbuf, tlsbuf_len = 0;
+
+ // setup client tls session state
+ struct tls_session session;
+ tls_session_init(&session, TLS_VERSION_1_3, tlsbuf, sizeof tlsbuf);
+
+ char client_privkey[32], client_pubkey[32];
+ // TODO: generate keys using x25519
+
+ tls_session_set_keys(&session, TLS_KEX_X25519,
+ client_privkey, sizeof client_privkey,
+ client_pubkey, sizeof client_pubkey);
+
+ char client_certificate[8192];
+ // TODO: generate certificate
+ tls_session_set_cert(&session,
+ client_certificate, sizeof client_certificate);
+
+ // start client tls handshake
+ tls_session_client_handshake(&session);
+
+ int run = 1;
+ while (run) {
+ enum tls_step step = tls_session_step(&session);
+
+ switch (step) {
+ case TLS_STEP_WANT_RECV: { // need to fetch data from remote
+ size_t cap;
+ void *tlsbuf = tls_session_recv(&session, &cap);
+
+ int res;
+ if ((res = recv(sock, tlsbuf, cap, 0)) < 0)
+ __builtin_trap();
+
+ tls_session_recv_commit(&session, res);
+ } break;
+
+ case TLS_STEP_WANT_SEND: { // need to flush data to remote
+ size_t len;
+ void *tlsbuf = tls_session_send(&session, &len);
+ if (sendall(sock, tlsbuf, len) < 0)
+ __builtin_trap();
+
+ tls_session_send_commit(&session, &len);
+ } break;
+
+ case TLS_STEP_HANDSHAKE: { // need to progress handshake fsm
+ tls_session_client_handshake(&session);
+ } break;
+
+ case TLS_STEP_HANDSHAKE_UPDATE_KEYS: { // reached key limits, need update
+ tls_session_update_keys();
+ } break;
+
+ case TLS_STEP_HANDSHAKE_ALERT: { // received alert (warning or error)
+ __builtin_trap();
+ } break;
+
+ case TLS_STEP_HANDSHAKE_FINISHED: {
+ buf_len = sprintf(buf, "ping\n");
+
+ // TODO: how to signal to start a write?
+ } break;
+
+ case TLS_STEP_HAVE_RECORD: { // received complete tls record
+ tls_session_pull(&session, buf, sizeof buf, &buf_len);
+ printf("read msg: %.*s\n", (int) buf_len, buf);
+ } break;
+
+ case TLS_STEP_WANT_RECORD: { // want data to fill tls record
+ buf_cur += tls_session_push(&session, buf, buf_len - buf_cur);
+ if (buf_cur == buf_cap)
+ tls_session_flush(&session);
+ } break;
+
+ case TLS_STEP_END: {
+ run = 0;
+ } break;
+ }
+ }
+
+ close(sock);
+
+ exit(EXIT_SUCCESS);
+}
+
+#include "tls.c"
diff --git a/test-server.c b/test-server.c
@@ -0,0 +1,119 @@
+#define _GNU_SOURCE 1
+
+#include "tls.h"
+
+#include "common.h"
+
+int
+main(int argc, char **argv)
+{
+ if (argc < 3) {
+ fprintf(stderr, "Usage: %s <host> <port>\n", argv[0]);
+ exit(EXIT_FAILURE);
+ }
+
+ char *host = argv[1], *port = argv[2];
+
+ int serv = get_server_socket(host, port);
+ if (serv < 0) {
+ fprintf(stderr, "Failed to listen on %s:%s\n", host, port);
+ exit(EXIT_FAILURE);
+ }
+
+ // get client socket
+ int sock = accept(serv);
+
+ // plaintext buffer
+ char buf[4096];
+ size_t buf_cap = sizeof buf, buf_cur = 0, buf_len = 0;
+
+ // ciphertext buffer
+ char tlsbuf[TLS_RECORD_MAX_SIZE];
+ size_t tlsbuf_cap = sizeof tlsbuf, tlsbuf_len = 0;
+
+ // setup client tls session state
+ struct tls_session session;
+ tls_session_init(&session, TLS_VERSION_1_3, tlsbuf, sizeof tlsbuf);
+
+ char server_privkey[32], server_pubkey[32];
+ // TODO: generate keys using x25519
+
+ tls_session_set_keys(&session, TLS_KEX_X25519,
+ server_privkey, sizeof server_privkey,
+ server_pubkey, sizeof server_pubkey);
+
+ char server_certificate[8192];
+ // TODO: generate certificate
+ tls_session_set_cert(&session,
+ server_certificate, sizeof server_certificate);
+
+ // start client tls handshake
+ tls_session_server_handshake(&session);
+
+ int run = 1;
+ while (run) {
+ enum tls_step step = tls_session_step(&session);
+
+ switch (step) {
+ case TLS_STEP_WANT_RECV: { // need to fetch data from remote
+ size_t cap;
+ void *tlsbuf = tls_session_recv(&session, &cap);
+
+ int res;
+ if ((res = recv(sock, tlsbuf, cap, 0)) < 0)
+ __builtin_trap();
+
+ tls_session_recv_commit(&session, res);
+ } break;
+
+ case TLS_STEP_WANT_SEND: { // need to flush data to remote
+ size_t len;
+ void *tlsbuf = tls_session_send(&session, &len);
+ if (sendall(sock, tlsbuf, len) < 0)
+ __builtin_trap();
+
+ tls_session_send_commit(&session, &len);
+ } break;
+
+ case TLS_STEP_HANDSHAKE: { // need to progress handshake fsm
+ tls_session_client_handshake(&session);
+ } break;
+
+ case TLS_STEP_UPDATE_KEYS: { // reached key limits, need update
+ tls_session_update_keys();
+ } break;
+
+ case TLS_STEP_ALERT: { // received alert (warning or error)
+ __builtin_trap();
+ } break;
+
+ case TLS_HANDSHAKE_FINISHED: {
+ // TODO: how to signal to wait for a read?
+ } break;
+
+ case TLS_STEP_HAVE_RECORD: { // received complete tls record
+ tls_session_pull(&session, buf, sizeof buf, &buf_len);
+ printf("read msg: %.*s\n", (int) buf_len, buf);
+ } break;
+
+ case TLS_STEP_WANT_RECORD: { // want data to fill tls record
+ buf_cur += tls_session_push(&session, buf, buf_len - buf_cur);
+ if (buf_cur == buf_cap)
+ tls_session_flush(&session);
+ } break;
+
+ case TLS_STEP_END: {
+ run = 0;
+ } break;
+ }
+ }
+
+ shutdown(sock, SHUT_RDWR);
+ close(sock);
+
+ close(serv);
+
+ exit(EXIT_SUCCESS);
+}
+
+#include "tls.c"
diff --git a/test.c b/test.c
@@ -1,47 +0,0 @@
-#define _GNU_SOURCE 1
-#define _POSIX_C_SOURCE 200809L
-
-#include "tls.h"
-
-#include <assert.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netdb.h>
-
-#include "net.h"
-
-int
-main(int argc, char **argv)
-{
- if (argc < 2) {
- fprintf(stderr, "Usage: %s <url>\n", argv[0]);
- exit(EXIT_FAILURE);
- }
-
- char *url = argv[1];
-
- int socket = create_socket(url);
- if (socket < 0) {
- fprintf(stderr, "Failed to connect to url: %s\n", url);
- exit(EXIT_FAILURE);
- }
-
- /* tls state */
- char tlsbuf[4096];
-
- struct tls_session tls_session;
- tls_session_init(&tls);
-
- /* http state */
- char buf[4096];
-
- close(socket);
-
- exit(EXIT_SUCCESS);
-}
-
-#include "tls.c"
diff --git a/tls.h b/tls.h
@@ -9,31 +9,72 @@
* see: https://datatracker.ietf.org/doc/html/rfc8446
*/
-enum tls_protocol_version {
- TLS_PROTOCOL_TLS10 = 0x0301,
- TLS_PROTOCOL_TLS11 = 0x0302,
- TLS_PROTOCOL_TLS12 = 0x0303,
+/* record - tls record layer funcitons */
+
+#define TLS_INNER_PLAINTEXT_MAX_SIZE (1 << 14) // 16K
+
+#define TLS_RECORD_CONTENT_TYPE_SIZE 1
+#define TLS_RECORD_AEAD_EXPANSION_SIZE 255
+
+#define TLS_RECORD_MAX_SIZE \
+ (TLS_INNER_PLAINTEXT_MAX_SIZE \
+ + TLS_RECORD_CONTENT_TYPE_SIZE \
+ + TLS_RECORD_AEAD_EXPANSION_SIZE)
+
+enum tls_content_type {
+ TLS_CONTENT_INVALID = 0,
+ TLS_CONTENT_CHANGE_CIPHER_SPEC = 20,
+ TLS_CONTENT_ALERT = 21,
+ TLS_CONTENT_HANDSHAKE = 22,
+ TLS_CONTENT_APPLICATION_DATA = 23,
+ _TLS_CONTENT_MAX = 255,
+};
+
+struct tls_plaintext {
+ enum tls_content_type type;
+ uint16_t protocol_version;
+ uint16_t length;
+ uint8_t *fragment;
+};
+
+struct tls_inner_plaintext {
+ uint8_t *fragment;
+ /* uint16_t length = tls_plaintext.length; */
+ enum tls_content_type type;
+ uint8_t padding;
+};
+
+struct tls_ciphertext {
+ /* enum tls_content_type type = TLS_CONTENT_APPLICATION_DATA; */
+ /* uint16_t protocol_version = 0x0303 */
+ uint16_t length;
+ uint8_t *encrypted;
+};
+
+/* tls - tls functions */
+
+enum tls_version {
+ TLS_VERSION_1_3,
};
enum tls_handshake_type {
- TLS_HANDHAKE_CLIENT_HELLO = 1,
- TLS_HANDHAKE_SERVER_HELLO = 2,
- TLS_HANDHAKE_NEW_SESSION_TICKET = 4,
- TLS_HANDHAKE_END_OF_EARLY_DATA = 5,
- TLS_HANDHAKE_ENCRYPTED_EXTENSION = 8,
- TLS_HANDHAKE_CERTIFICATE = 11,
- TLS_HANDHAKE_CERTIFICATE_REQUEST = 13,
- TLS_HANDHAKE_CERTIFICATE_VERIFY = 15,
- TLS_HANDHAKE_FINISHED = 20,
- TLS_HANDHAKE_KEY_UPDATE = 24,
- TLS_HANDHAKE_MESSAGE_HASH = 254,
- _TLS_HANDHAKE_TYPE_MAX = 255,
+ TLS_HANDSHAKE_CLIENT_HELLO = 1,
+ TLS_HANDSHAKE_SERVER_HELLO = 2,
+ TLS_HANDSHAKE_NEW_SESSION_TICKET = 4,
+ TLS_HANDSHAKE_END_OF_EARLY_DATA = 5,
+ TLS_HANDSHAKE_ENCRYPTED_EXTENISONS = 8,
+ TLS_HANDSHAKE_CERTIFICATE = 11,
+ TLS_HANDSHAKE_CERTIFICATE_REQUEST = 13,
+ TLS_HANDSHAKE_CERTIFICATE_VERIFY = 15,
+ TLS_HANDSHAKE_FINISHED = 20,
+ TLS_HANDSHAKE_KEY_UPDATE = 24,
+ TLS_HANDSHAKE_MESSAGE_HASH = 254,
+ _TLS_HANDSHAKE_MAX = 255
};
struct tls_handshake {
enum tls_handshake_type type;
- uint32_t len;
- uint8_t *data;
+ uint32_t length;
};
enum tls_extension_type {
@@ -42,7 +83,7 @@ enum tls_extension_type {
TLS_EXTENSION_STATUS_REQUEST = 5,
TLS_EXTENSION_SUPPORTED_GROUPS = 10,
TLS_EXTENSION_SIGNATURE_ALGORITHMS = 13,
- TLS_EXTENSION_USE_STRP = 14,
+ TLS_EXTENSION_USE_SRTP = 14,
TLS_EXTENSION_HEARTBEAT = 15,
TLS_EXTENSION_ALPN = 16,
TLS_EXTENSION_SIGNED_CERTIFICATE_TIMESTAMP = 18,
@@ -53,137 +94,135 @@ enum tls_extension_type {
TLS_EXTENSION_EARLY_DATA = 42,
TLS_EXTENSION_SUPPORTED_VERSIONS = 43,
TLS_EXTENSION_COOKIE = 44,
- TLS_EXTENSION_PSK_KEY_EXCHANGE_MODES = 45,
+ TLS_EXTENSION_PSK_KEX_MODES = 45,
TLS_EXTENSION_CERTIFICATE_AUTHORITIES = 47,
TLS_EXTENSION_OID_FILTERS = 48,
TLS_EXTENSION_POST_HANDSHAKE_AUTH = 49,
TLS_EXTENSION_SIGNATURE_ALGORITHMS_CERT = 50,
TLS_EXTENSION_KEY_SHARE = 51,
+ _TLS_EXTENSION_MAX = 65535,
};
-struct tls_extension {
- enum tls_extension_type type;
- uint32_t len;
- uint8_t *data;
+struct tls_cookie {
+ uint8_t *cookie;
};
enum tls_signature_scheme {
- /* RSASSA-PKCS1 */
- TLS_RSA_PKCS1_SHA256 = 0x0401,
- TLS_RSA_PKCS1_SHA384 = 0x0501,
- TLS_RSA_PKCS1_SHA512 = 0x0601,
+ TLS_SIGNATURE_RSA_PKCS1_SHA256 = 0x0401,
+ TLS_SIGNATURE_RSA_PKCS1_SHA384 = 0x0501,
+ TLS_SIGNATURE_RSA_PKCS1_SHA512 = 0x0601,
- /* ECDSA */
- TLS_ECDSA_SECP256R1_SHA256 = 0x0403,
- TLS_ECDSA_SECP384R1_SHA384 = 0x0503,
- TLS_ECDSA_SECP521R1_SHA512 = 0x0603,
+ TLS_SIGNATURE_ECDSA_SECP256R1_SHA256 = 0x0403,
+ TLS_SIGNATURE_ECDSA_SECP384R1_SHA384 = 0x0503,
+ TLS_SIGNATURE_ECDSA_SECP521R1_SHA512 = 0x0603,
- /* RSASSA-PSS with public key OID rsaEncryption */
- TLS_RSA_PSS_RSAE_SHA256 = 0x0804,
- TLS_RSA_PSS_RSAE_SHA384 = 0x0805,
- TLS_RSA_PSS_RSAE_SHA512 = 0x0806,
+ TLS_SIGNATURE_RSA_PSS_RSAE_SHA256 = 0x0804,
+ TLS_SIGNATURE_RSA_PSS_RSAE_SHA384 = 0x0805,
+ TLS_SIGNATURE_RSA_PSS_RSAE_SHA512 = 0x0806,
- /* EdDSA */
- TLS_ED25519 = 0x0807,
- TLS_ED448 = 0x0808,
+ TLS_SIGNATURE_ED25519 = 0x0807,
+ TLS_SIGNATURE_ED448 = 0x0808,
- /* RSASSA-PSS with public key OID RSASSA-PSS */
- TLS_RSA_PSS_PSS_SHA256 = 0x0809,
- TLS_RSA_PSS_PSS_SHA384 = 0x080a,
- TLS_RSA_PSS_PSS_SHA512 = 0x080b,
+ TLS_SIGNATURE_RSA_PSS_PSS_SHA256 = 0x0809,
+ TLS_SIGNATURE_RSA_PSS_PSS_SHA384 = 0x080a,
+ TLS_SIGNATURE_RSA_PSS_PSS_SHA512 = 0x080b,
- /* legacy */
- TLS_RSA_PKCS1_SHA1 = 0x0201,
- TLS_ECDSA_SHA1 = 0x0203,
+ TLS_SIGNATURE_RSA_PKCS1_SHA1 = 0x0201,
+ TLS_SIGNATURE_ECDSA_SHA1 = 0x0203,
};
enum tls_named_group {
- /* ecdhe */
- TLS_SECP256R1 = 0x0017,
- TLS_SECP384R1 = 0x0018,
- TLS_SECP521R1 = 0x0019,
- TLS_X25519 = 0x001d,
- TLS_X448 = 0x001e,
+ TLS_NAMED_GROUP_SECP256R1 = 0x0017,
+ TLS_NAMED_GROUP_SECP384R1 = 0x0018,
+ TLS_NAMED_GROUP_SECP521R1 = 0x0019,
+
+ TLS_NAMED_GROUP_X25519 = 0x001d,
+ TLS_NAMED_GROUP_X448 = 0x001e,
+
+ TLS_NAMED_GROUP_FFDHE2048 = 0x0100,
+ TLS_NAMED_GROUP_FFDHE3072 = 0x0101,
+ TLS_NAMED_GROUP_FFDHE4096 = 0x0102,
+ TLS_NAMED_GROUP_FFDHE6144 = 0x0103,
+ TLS_NAMED_GROUP_FFDHE8192 = 0x0104,
- /* ffdhe */
- TLS_FFDHE2048 = 0x0100,
- TLS_FFDHE3072 = 0x0101,
- TLS_FFDHE4096 = 0x0102,
- TLS_FFDHE6144 = 0x0103,
- TLS_FFDHE8192 = 0x0104,
+ TLS_NAMED_GROUP_FFDHE_PRIVATE_USE_MIN = 0x01fc,
+ TLS_NAMED_GROUP_FFDHE_PRIVATE_USE_MAX = 0x01fe,
- TLS_FFDHE_PRIVATE_USE_BEGIN = 0x01fc,
- TLS_FFDHE_PRIVATE_USE_END = 0x01ff,
- TLS_ECDHE_PRIVATE_USE_BEGIN = 0xfe00,
- TLS_ECDHE_PRIVATE_USE_END = 0xfeff,
+ TLS_NAMED_GROUP_ECDHE_PRIVATE_USE_MIN = 0xfe00,
+ TLS_NAMED_GROUP_ECDHE_PRIVATE_USE_MAX = 0xfeff,
};
-enum tls_psk_key_exchange_mode {
- TLS_PSK_KE,
- TLS_PSK_DHE_KE,
+struct tls_key_share_entry {
+ enum tls_named_group group;
+ uint8_t *key_exchange;
};
-struct tls_handshake {
- enum tls_handshake_type type;
- uint32_t length;
+enum tls_psk_kex_modes {
+ TLS_PSK_KEX = 0,
+ TLS_PSK_DHE_KEX = 1,
+ _TLS_PSK_MAX = 255,
};
-struct tls_random {
- uint8_t v[32];
+struct tls_psk_identity {
+ uint8_t *identity;
+ uint32_t obfuscated_ticket_age;
};
-struct tls_session {
+struct tls_psk_binder_entry {
+ uint8_t *data;
+};
+enum tls_certificate_type {
+ TLS_CERTIFICATE_X509 = 0,
+ TLS_CERTFICAITE_RAW_PUBLIC_KEY = 2,
+ _TLS_CERTIFICATE_MAX = 255,
};
-enum tls_record_type {
- TLS_RECORD_INVALID = 0,
- TLS_RECORD_CHANGE_CIPHER_SPEC = 20,
- TLS_RECORD_ALERT = 21,
- TLS_RECORD_HANDSHAKE = 22,
- TLS_RECORD_APPLICATION_DATA = 23,
+struct tls_new_session_ticket {
+ uint32_t lifetime;
+ uint32_t age_add;
+ uint8_t *nonce;
+ uint8_t *ticket;
};
-struct tls_record {
- enum tls_record_type type;
- enum tls_protocol_version version;
- uint16_t len;
- uint8_t *fragment;
+enum tls_key_update_request {
+ TLS_KEY_UPDATE_NOT_REQUESTED,
+ TLS_KEY_UPDATE_REQUESTED,
};
enum tls_alert_level {
- TLS_ALERT_WARNING = 1,
- TLS_ALERT_FATAL = 2,
+ TLS_WARNING = 1,
+ TLS_FATAL = 2,
};
enum tls_alert_description {
- TLS_ALERT_CLOSE_NOTIFY = 0,
- TLS_ALERT_UNEXPECTED_MESSAGE = 10,
- TLS_ALERT_BAD_RECORD_MAC = 20,
- TLS_ALERT_RECORD_OVERFLOW = 22,
- TLS_ALERT_HANDSHAKE_FAILURE = 40,
- TLS_ALERT_BAD_CERTIFICATE = 42,
- TLS_ALERT_UNSUPPORTED_CERTIFICATE = 43,
- TLS_ALERT_CERTIFICATE_REVOKED = 44,
- TLS_ALERT_CERTIFICATE_EXPIRED = 45,
- TLS_ALERT_CERTIFICATE_UNKNOWN = 46,
- TLS_ALERT_ILLEGAL_PARAMETER = 47,
- TLS_ALERT_UNKNOWN_CA = 48,
- TLS_ALERT_ACCESS_DENIED = 49,
- TLS_ALERT_DECODE_ERROR = 50,
- TLS_ALERT_DECRYPT_ERROR = 51,
- TLS_ALERT_PROTOCOL_VERSION = 70,
- TLS_ALERT_INSUFFICIENT_SECURITY = 71,
- TLS_ALERT_INTERNAL_ERROR = 80,
- TLS_ALERT_INAPPROPRIATE_FALLBACK = 86,
- TLS_ALERT_USER_CANCELED = 90,
- TLS_ALSERT_MISSING_EXTENSION = 109,
- TLS_ALERT_UNSUPPORTED_EXTENSION = 110,
- TLS_ALERT_UNRECOGNIZED_NAME = 112,
- TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE = 113,
- TLS_ALERT_UNKNOWN_PSK_IDENTITY = 115,
- TLS_ALERT_CERTIFICATE_REQUIRED = 116,
- TLS_ALERT_NO_APPLICATION_PROTOCOL = 120,
+ TLS_ALERT_CLOSE_NOTIFY = 0,
+ TLS_ALERT_UNEXPECTED_MESSAGE = 10,
+ TLS_ALERT_BAD_RECORD_MAC = 20,
+ TLS_ALERT_RECORD_OVERFLOW = 22,
+ TLS_ALERT_HANDSHAKE_FAILURE = 40,
+ TLS_ALERT_BAD_CERTIFICATE = 42,
+ TLS_ALERT_UNSUPPORTED_CERTIFICATE = 43,
+ TLS_ALERT_CERTIFICATE_REVOKED = 44,
+ TLS_ALERT_CERTIFICATE_EXPIRED = 45,
+ TLS_ALERT_CERTIFICATE_UNKNOWN = 46,
+ TLS_ALERT_ILLEGAL_PARAMETER = 47,
+ TLS_ALERT_UNKNOWN_CA = 48,
+ TLS_ALERT_ACCESS_DENIED = 49,
+ TLS_ALERT_DECODE_ERROR = 50,
+ TLS_ALERT_DECRYPT_ERROR = 51,
+ TLS_ALERT_PROTOCOL_VERSION = 70,
+ TLS_ALERT_INSUFFICIENT_SECURITY = 71,
+ TLS_ALERT_INTERNAL_ERROR = 80,
+ TLS_ALERT_INAPPROPRIATE_FALLBACK = 86,
+ TLS_ALERT_USER_CANCELED = 90,
+ TLS_ALERT_MISSING_EXTENSION = 109,
+ TLS_ALERT_UNSUPPORTED_EXTENSION = 110,
+ TLS_ALERT_UNRECOGNISED_NAME = 112,
+ TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE = 113,
+ TLS_ALERT_UNKNOWN_PSK_IDENTITY = 115,
+ TLS_ALERT_CERTIFICATE_REQUIRED = 116,
+ TLS_ALERT_NO_APPLICATION_PROTOCOL = 120,
};
struct tls_alert {
@@ -191,8 +230,48 @@ struct tls_alert {
enum tls_alert_description description;
};
-/* stub crypto implementation
- * --
- */
+struct tls_session {
+ uint8_t *buf;
+ size_t cap, len;
+};
+
+void
+tls_session_init();
+
+void
+tls_session_set_keys();
+
+void
+tls_session_set_cert();
+
+void
+tls_session_set_psk();
+
+void
+tls_session_server_handshake();
+
+void
+tls_session_client_handshake();
+
+void
+tls_session_step();
+
+uint8_t *
+tls_session_recv();
+
+void
+tls_session_recv_commit();
+
+uint8_t *
+tls_session_send();
+
+void
+tls_session_send_commit();
+
+tls_session_pull();
+tls_session_push();
+tls_session_flush();
+
+/* crypto - replace with real crypto library */
#endif /* TLS_H */
