Initial commit - tls

commit c4abe187844a84c25e3488823fd8a8e49102e9d5
Author: Mikołaj Lenczewski <mblenczewski@gmail.com>
Date:   Fri, 17 Apr 2026 21:46:58 +0100

Initial commit

Diffstat:
A .gitignore  | 5 +++++
A build.sh  | 7 +++++++
A clean.sh  | 5 +++++
A net.h  | 11 +++++++++++
A test.c  | 47 +++++++++++++++++++++++++++++++++++++++++++++++
A tls.c  | 1 +
A tls.h  | 198 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A tls13.pdf  | 0

8 files changed, 274 insertions(+), 0 deletions(-)
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,5 @@
+bin/
+
+**/.*.swp
+imgui.ini
+tags
diff --git a/build.sh b/build.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -ex
+
+mkdir -p bin
+
+cc -o bin/tls-test test.c -Wall -Wextra -std=c11 -O0 -g3
diff --git a/clean.sh b/clean.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -ex
+
+rm -rf bin
diff --git a/net.h b/net.h
@@ -0,0 +1,11 @@
+#ifndef NET_H
+#define NET_H
+
+#define _GNU_SOURCE 1
+#define _POSIX_C_SOURCE 200809L
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+
+#endif /* NET_H */
diff --git a/test.c b/test.c
@@ -0,0 +1,47 @@
+#define _GNU_SOURCE 1
+#define _POSIX_C_SOURCE 200809L
+
+#include "tls.h"
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+
+#include "net.h"
+
+int
+main(int argc, char **argv)
+{
+	if (argc < 2) {
+		fprintf(stderr, "Usage: %s <url>\n", argv[0]);
+		exit(EXIT_FAILURE);
+	}
+
+	char *url = argv[1];
+
+	int socket = create_socket(url);
+	if (socket < 0) {
+		fprintf(stderr, "Failed to connect to url: %s\n", url);
+		exit(EXIT_FAILURE);
+	}
+
+	/* tls state */
+	char tlsbuf[4096];
+
+	struct tls_session tls_session;
+	tls_session_init(&tls);
+
+	/* http state */
+	char buf[4096];
+
+	close(socket);
+
+	exit(EXIT_SUCCESS);
+}
+
+#include "tls.c"
diff --git a/tls.c b/tls.c
@@ -0,0 +1 @@
+#include "tls.h"
diff --git a/tls.h b/tls.h
@@ -0,0 +1,198 @@
+#ifndef TLS_H
+#define TLS_H
+
+#include <stdint.h>
+#include <stdlib.h>
+
+/* tls 1.3
+ * --
+ *  see: https://datatracker.ietf.org/doc/html/rfc8446
+ */
+
+enum tls_protocol_version {
+	TLS_PROTOCOL_TLS10 = 0x0301,
+	TLS_PROTOCOL_TLS11 = 0x0302,
+	TLS_PROTOCOL_TLS12 = 0x0303,
+};
+
+enum tls_handshake_type {
+	TLS_HANDHAKE_CLIENT_HELLO		= 1,
+	TLS_HANDHAKE_SERVER_HELLO		= 2,
+	TLS_HANDHAKE_NEW_SESSION_TICKET		= 4,
+	TLS_HANDHAKE_END_OF_EARLY_DATA		= 5,
+	TLS_HANDHAKE_ENCRYPTED_EXTENSION	= 8,
+	TLS_HANDHAKE_CERTIFICATE		= 11,
+	TLS_HANDHAKE_CERTIFICATE_REQUEST	= 13,
+	TLS_HANDHAKE_CERTIFICATE_VERIFY		= 15,
+	TLS_HANDHAKE_FINISHED			= 20,
+	TLS_HANDHAKE_KEY_UPDATE			= 24,
+	TLS_HANDHAKE_MESSAGE_HASH		= 254,
+	_TLS_HANDHAKE_TYPE_MAX			= 255,
+};
+
+struct tls_handshake {
+	enum tls_handshake_type type;
+	uint32_t len;
+	uint8_t *data;
+};
+
+enum tls_extension_type {
+	TLS_EXTENSION_SERVER_NAME			= 0,
+	TLS_EXTENSION_MAX_FRAGMENT_LENGTH		= 1,
+	TLS_EXTENSION_STATUS_REQUEST			= 5,
+	TLS_EXTENSION_SUPPORTED_GROUPS			= 10,
+	TLS_EXTENSION_SIGNATURE_ALGORITHMS		= 13,
+	TLS_EXTENSION_USE_STRP				= 14,
+	TLS_EXTENSION_HEARTBEAT				= 15,
+	TLS_EXTENSION_ALPN				= 16,
+	TLS_EXTENSION_SIGNED_CERTIFICATE_TIMESTAMP	= 18,
+	TLS_EXTENSION_CLIENT_CERTIFICATE_TYPE		= 19,
+	TLS_EXTENSION_SERVER_CERTIFICATE_TYPE		= 20,
+	TLS_EXTENSION_PADDING				= 21,
+	TLS_EXTENSION_PSK				= 41,
+	TLS_EXTENSION_EARLY_DATA			= 42,
+	TLS_EXTENSION_SUPPORTED_VERSIONS		= 43,
+	TLS_EXTENSION_COOKIE				= 44,
+	TLS_EXTENSION_PSK_KEY_EXCHANGE_MODES		= 45,
+	TLS_EXTENSION_CERTIFICATE_AUTHORITIES		= 47,
+	TLS_EXTENSION_OID_FILTERS			= 48,
+	TLS_EXTENSION_POST_HANDSHAKE_AUTH		= 49,
+	TLS_EXTENSION_SIGNATURE_ALGORITHMS_CERT		= 50,
+	TLS_EXTENSION_KEY_SHARE				= 51,
+};
+
+struct tls_extension {
+	enum tls_extension_type type;
+	uint32_t len;
+	uint8_t *data;
+};
+
+enum tls_signature_scheme {
+	/* RSASSA-PKCS1 */
+	TLS_RSA_PKCS1_SHA256		= 0x0401,
+	TLS_RSA_PKCS1_SHA384		= 0x0501,
+	TLS_RSA_PKCS1_SHA512		= 0x0601,
+
+	/* ECDSA */
+	TLS_ECDSA_SECP256R1_SHA256	= 0x0403,
+	TLS_ECDSA_SECP384R1_SHA384	= 0x0503,
+	TLS_ECDSA_SECP521R1_SHA512	= 0x0603,
+
+	/* RSASSA-PSS with public key OID rsaEncryption */
+	TLS_RSA_PSS_RSAE_SHA256		= 0x0804,
+	TLS_RSA_PSS_RSAE_SHA384		= 0x0805,
+	TLS_RSA_PSS_RSAE_SHA512		= 0x0806,
+
+	/* EdDSA */
+	TLS_ED25519			= 0x0807,
+	TLS_ED448			= 0x0808,
+
+	/* RSASSA-PSS with public key OID RSASSA-PSS */
+	TLS_RSA_PSS_PSS_SHA256		= 0x0809,
+	TLS_RSA_PSS_PSS_SHA384		= 0x080a,
+	TLS_RSA_PSS_PSS_SHA512		= 0x080b,
+
+	/* legacy */
+	TLS_RSA_PKCS1_SHA1		= 0x0201,
+	TLS_ECDSA_SHA1			= 0x0203,
+};
+
+enum tls_named_group {
+	/* ecdhe */
+	TLS_SECP256R1			= 0x0017,
+	TLS_SECP384R1			= 0x0018,
+	TLS_SECP521R1			= 0x0019,
+	TLS_X25519			= 0x001d,
+	TLS_X448			= 0x001e,
+
+	/* ffdhe */
+	TLS_FFDHE2048			= 0x0100,
+	TLS_FFDHE3072			= 0x0101,
+	TLS_FFDHE4096			= 0x0102,
+	TLS_FFDHE6144			= 0x0103,
+	TLS_FFDHE8192			= 0x0104,
+
+	TLS_FFDHE_PRIVATE_USE_BEGIN	= 0x01fc,
+	TLS_FFDHE_PRIVATE_USE_END	= 0x01ff,
+	TLS_ECDHE_PRIVATE_USE_BEGIN	= 0xfe00,
+	TLS_ECDHE_PRIVATE_USE_END	= 0xfeff,
+};
+
+enum tls_psk_key_exchange_mode {
+	TLS_PSK_KE,
+	TLS_PSK_DHE_KE,
+};
+
+struct tls_handshake {
+	enum tls_handshake_type type;
+	uint32_t length;
+};
+
+struct tls_random {
+	uint8_t v[32];
+};
+
+struct tls_session {
+
+};
+
+enum tls_record_type {
+	TLS_RECORD_INVALID		= 0,
+	TLS_RECORD_CHANGE_CIPHER_SPEC	= 20,
+	TLS_RECORD_ALERT		= 21,
+	TLS_RECORD_HANDSHAKE		= 22,
+	TLS_RECORD_APPLICATION_DATA	= 23,
+};
+
+struct tls_record {
+	enum tls_record_type type;
+	enum tls_protocol_version version;
+	uint16_t len;
+	uint8_t *fragment;
+};
+
+enum tls_alert_level {
+	TLS_ALERT_WARNING	= 1,
+	TLS_ALERT_FATAL		= 2,
+};
+
+enum tls_alert_description {
+	TLS_ALERT_CLOSE_NOTIFY			= 0,
+	TLS_ALERT_UNEXPECTED_MESSAGE		= 10,
+	TLS_ALERT_BAD_RECORD_MAC		= 20,
+	TLS_ALERT_RECORD_OVERFLOW		= 22,
+	TLS_ALERT_HANDSHAKE_FAILURE		= 40,
+	TLS_ALERT_BAD_CERTIFICATE		= 42,
+	TLS_ALERT_UNSUPPORTED_CERTIFICATE	= 43,
+	TLS_ALERT_CERTIFICATE_REVOKED		= 44,
+	TLS_ALERT_CERTIFICATE_EXPIRED		= 45,
+	TLS_ALERT_CERTIFICATE_UNKNOWN		= 46,
+	TLS_ALERT_ILLEGAL_PARAMETER		= 47,
+	TLS_ALERT_UNKNOWN_CA			= 48,
+	TLS_ALERT_ACCESS_DENIED			= 49,
+	TLS_ALERT_DECODE_ERROR			= 50,
+	TLS_ALERT_DECRYPT_ERROR			= 51,
+	TLS_ALERT_PROTOCOL_VERSION		= 70,
+	TLS_ALERT_INSUFFICIENT_SECURITY		= 71,
+	TLS_ALERT_INTERNAL_ERROR		= 80,
+	TLS_ALERT_INAPPROPRIATE_FALLBACK	= 86,
+	TLS_ALERT_USER_CANCELED			= 90,
+	TLS_ALSERT_MISSING_EXTENSION		= 109,
+	TLS_ALERT_UNSUPPORTED_EXTENSION		= 110,
+	TLS_ALERT_UNRECOGNIZED_NAME		= 112,
+	TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE = 113,
+	TLS_ALERT_UNKNOWN_PSK_IDENTITY		= 115,
+	TLS_ALERT_CERTIFICATE_REQUIRED		= 116,
+	TLS_ALERT_NO_APPLICATION_PROTOCOL	= 120,
+};
+
+struct tls_alert {
+	enum tls_alert_level level;
+	enum tls_alert_description description;
+};
+
+/* stub crypto implementation
+ * --
+ */
+
+#endif /* TLS_H */
diff --git a/tls13.pdf b/tls13.pdf
Binary files differ.

	tls tls.git
	git clone git://git.lenczewski.org/tls.git
	Log \| Files \| Refs

A	.gitignore	\|	5	+++++
A	build.sh	\|	7	+++++++
A	clean.sh	\|	5	+++++
A	net.h	\|	11	+++++++++++
A	test.c	\|	47	+++++++++++++++++++++++++++++++++++++++++++++++
A	tls.c	\|	1	+
A	tls.h	\|	198	+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A	tls13.pdf	\|	0