Radikant-TLS-C

Introduction

Radikant TLS is a lightweight TLS (Transport Layer Security) 1.3 client and server library written in C. Supporting both client and server mode in 1.2 and 1.3 turned into self-inflicted pain. Modern servers support TLS 1.3, therefore 1.2 support is completely dropped.

This library relies on Radikant Crypto for all its underlying cryptographic primitives, uses Radikant Socket for socket management, and uses Radikant Cert for certificate management such as X.509/PEM.

This library is a proof of concept that a TLS state machine is doable from scratch. However, it is currently insecure, since its cornerstone, Radikant Crypto, is currently insecure (it leaks memory and secrets and is not constant-time). It is a demonstration/experiment in how to split TLS up into smaller, manageable modules.

Currently, in client mode, the client skips verifying the server identity because PKI and root certificate validation are not implemented in the Certificate module.
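As an added illustration of the state-machine idea (not code from Radikant TLS), the sketch below enforces the server-to-client message order of a TLS 1.3 handshake with certificate authentication, so a flight that omits Certificate or CertificateVerify is rejected instead of reaching the connected state. The state names follow RFC 8446 Appendix A.1; `hs_state`, `hs_next` and `hs_run` are hypothetical names, and the message sequences are constructed.

```c
#include <stdio.h>

/* Client handshake states, RFC 8446 Appendix A.1 (certificate auth, no PSK). */
typedef enum { WAIT_SH, WAIT_EE, WAIT_CERT_CR, WAIT_CERT, WAIT_CV,
               WAIT_FINISHED, CONNECTED, FAILED } hs_state;

/* HandshakeType values from RFC 8446 section 4. */
enum { HS_SERVER_HELLO = 2, HS_ENCRYPTED_EXTENSIONS = 8, HS_CERTIFICATE = 11,
       HS_CERTIFICATE_REQUEST = 13, HS_CERTIFICATE_VERIFY = 15, HS_FINISHED = 20 };

/* Next state for (state, received message), or FAILED when the message is
 * not allowed in that state. FAILED is terminal. */
hs_state hs_next(hs_state s, int msg_type) {
    switch (s) {
    case WAIT_SH:   return msg_type == HS_SERVER_HELLO ? WAIT_EE : FAILED;
    case WAIT_EE:   return msg_type == HS_ENCRYPTED_EXTENSIONS ? WAIT_CERT_CR : FAILED;
    case WAIT_CERT_CR:
        if (msg_type == HS_CERTIFICATE_REQUEST) return WAIT_CERT;
        if (msg_type == HS_CERTIFICATE)         return WAIT_CV;
        return FAILED;  /* Finished here would skip server authentication */
    case WAIT_CERT: return msg_type == HS_CERTIFICATE ? WAIT_CV : FAILED;
    case WAIT_CV:   return msg_type == HS_CERTIFICATE_VERIFY ? WAIT_FINISHED : FAILED;
    case WAIT_FINISHED:
        return msg_type == HS_FINISHED ? CONNECTED : FAILED;
    default:        return FAILED;  /* post-handshake messages are out of scope */
    }
}

/* Feed a sequence of handshake message types and return the final state. */
hs_state hs_run(const int *msgs, int n) {
    hs_state s = WAIT_SH;
    for (int i = 0; i < n && s != FAILED; i++)
        s = hs_next(s, msgs[i]);
    return s;
}

int main(void) {
    /* Constructed flights, not captured traffic. */
    const int full[]    = { 2, 8, 11, 15, 20 };
    const int skip_cv[] = { 2, 8, 11, 20 };  /* CertificateVerify missing */
    const int no_cert[] = { 2, 8, 20 };      /* Certificate and CertificateVerify missing */
    printf("full:    %s\n", hs_run(full, 5)    == CONNECTED ? "CONNECTED" : "rejected");
    printf("skip_cv: %s\n", hs_run(skip_cv, 4) == CONNECTED ? "CONNECTED" : "rejected");
    printf("no_cert: %s\n", hs_run(no_cert, 3) == CONNECTED ? "CONNECTED" : "rejected");
    return 0;
}
```

Accepting the messages in the right order does not authenticate the server by itself; the certificate chain and the CertificateVerify signature still have to be validated.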

TLS 1.3

Cipher Suites

AES256 GCM SHA384

AES128 CCM SHA256

AES128 CCM 8 SHA256

AES128 CCM SHA256

CHACHA20 POLY1305 SHA256

Key Generation

X25519

X448

P-256

P-384

P-521


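/* Include the Radikant TLS and Radikant Socket headers here;
   their file names are not shown on this page. */
int main(int argc, char *argv[]) {
    const char *hostname = "google.com";
    const char *port = "443"; // Standard HTTPS port

    // Open the TCP connection and attach it to a client-mode TLS context.
    int sock_fd = tcp_connect(hostname, port);
    tls_context *ctx = tls_context_new(TLS_MODE_CLIENT);
    if (!ctx) {
        return 1; // context allocation failed
    }
    tls_context_set_socket(ctx, sock_fd);

    // Run the handshake; the server certificate is not verified in client mode.
    tls_connect(ctx, hostname);
    tls_context_free(ctx);
    return 0;
}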
    
=====
--- Handshake Loop: Waiting in state: EXPECTING_SERVER_KEY_EXCHANGE (4) ---
=====
Received Record Header:
Type: Handshake (22)
Version: 0x0303
Length: 333 bytes
Processing Handshake record (333 bytes total)...
Found Handshake Message: Type 12, Length 329
Updated transcript. Total size: 7052
Parsing Server Key Exchange (329 bytes)...
Curve: secp256r1 (0x0017)
Extracted 64-byte public key (X,Y).
Verifying signature...
Server chose SHA256-RSA. Hashing 133 bytes.
(STUB: Verification requires RSA-verify + Certificate parsing)
=====
--- Handshake Loop: Waiting in state: EXPECTING_SERVER_HELLO_DONE (5) ---
Received Record Header:
Type: Handshake (22)
Version: 0x0303
Length: 4 bytes
Processing Handshake record (4 bytes total)...
Found Handshake Message: Type 14, Length 0
Updated transcript. Total size: 7056
Received Server Hello Done!
Building Client Key Exchange...
Updated transcript. Total size: 7126
Calculated Pre-Master Secret!
Pre-Master Secret: B2D8527C33CD7F3C7D8C9977CC5CE9A4EC32...
Deriving keys...
Master Secret: 2FDF7C23419D1EC329F454BB60F3C594D67D...
Client Write Key: : 8D6BA30B21F92AC0B54DC1B25495228F
Client Write IV: : 7D833F4D
AES contexts initialized.
Sending Change Cipher Spec...
Building and Sending Finished...
Calculated final handshake hash.
Finished payload (verify_data): 266DCE4BBB04DDB750FD58BD
Updated transcript. Total size: 7142
Sending Finished (encrypted)...
Encrypting 16 bytes for record type 22
=====
Handshake Complete!
=====
Google: TLS Handshake SUCCESS!
--- Sending HTTP Request ---
GET / HTTP/1.1
Host: google.com
Connection: close
User-Agent: rtls-client/1.0
Encrypting 84 bytes for record type 23
--- Receiving HTTP Response ---
HTTP/1.1 301 Moved Permanently
Location: https://www.google.com/
Content-Type: text/html; charset=UTF-8
Date: Mon, 01 Dec 2025 03:17:22 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 220

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
Google: Connection Closed By Server (Total: 851 bytes)
Closing connection and freeing context.
Encrypting 2 bytes for record type 21
===== FINISHED GOOGLE.COM REQUEST =====