🔏 Radikant-TLS-C

 🔒 TLS 1.3 

Introduction

Radikant TLS is a lightweight TLS (Transport Layer Security) 1.3 client and server library written in C. Supporting both client and server mode in 1.2 and 1.3 turned into self-inflicted pain. Modern servers support TLS 1.3, therefore 1.2 support is completely dropped.

This library relies on Radikant Crypto for all its underlying cryptographic primitives, uses Radikant Socket for socket management, and uses Radikant Cert for certificate management (X.509, PEM, etc.).

This library is a proof of concept that a TLS state machine is doable from scratch. However, it is currently insecure, because its cornerstone, Radikant Crypto, is currently insecure (it leaks memory and secrets and is not constant-time). It is an experiment in how to split TLS up into smaller, manageable modules.

In client mode, the client skips verifying the server identity because PKI and root certificate validation are not implemented in the Certificate module, so a client connection is encrypted but not authenticated.

⚠️ Radikant TLS is built on top of Radikant Crypto and Radikant Cert and therefore inherits their security flaws.

TLS 1.3

Cipher Suites

AES256 gcm / SHA384
AES128 ccm / SHA256
AES128 ccm-8 / SHA256
AES128 ccm / SHA256
CHACHA20 poly1305 / SHA256

Key Generation

X25519 (DJB Curve)
X448 (MH Curve)
P-256 (NIST Curve)
P-384 (NIST Curve)
P-521 (NIST Curve)

Example

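// Include the Radikant TLS and Radikant Socket headers here (file names are not shown on this page).
int main(int argc, char *argv[]) {
    const char *hostname = "google.com";
    const char *port = "443"; // Standard HTTPS port

    // Open the TCP connection (assumption: a negative descriptor signals failure).
    int sock_fd = tcp_connect(hostname, port);
    if (sock_fd < 0) return 1;

    // Create a client-mode context and attach the connected socket to it.
    tls_context *ctx = tls_context_new(TLS_MODE_CLIENT);
    if (ctx == NULL) return 1;
    tls_context_set_socket(ctx, sock_fd);

    // Run the handshake; the server certificate is not verified in client mode.
    tls_connect(ctx, hostname);
    tls_context_free(ctx);
    return 0;
}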
=====
--- Handshake Loop: Waiting in state: EXPECTING_SERVER_KEY_EXCHANGE (4) ---
=====
Received Record Header:
Type: Handshake (22)
Version: 0x0303
Length: 333 bytes
Processing Handshake record (333 bytes total)...
Found Handshake Message: Type 12, Length 329
Updated transcript. Total size: 7052
Parsing Server Key Exchange (329 bytes)...
Curve: secp256r1 (0x0017)
Extracted 64-byte public key (X,Y).
Verifying signature...
Server chose SHA256-RSA. Hashing 133 bytes.
(STUB: Verification requires RSA-verify + Certificate parsing)
=====
--- Handshake Loop: Waiting in state: EXPECTING_SERVER_HELLO_DONE (5) ---
Received Record Header:
Type: Handshake (22)
Version: 0x0303
Length: 4 bytes
Processing Handshake record (4 bytes total)...
Found Handshake Message: Type 14, Length 0
Updated transcript. Total size: 7056
Received Server Hello Done!
Building Client Key Exchange...
Updated transcript. Total size: 7126
Calculated Pre-Master Secret!
Pre-Master Secret: B2D8527C33CD7F3C7D8C9977CC5CE9A4EC32...
Deriving keys...
Master Secret: 2FDF7C23419D1EC329F454BB60F3C594D67D...
Client Write Key: : 8D6BA30B21F92AC0B54DC1B25495228F
Client Write IV: : 7D833F4D
AES contexts initialized.
Sending Change Cipher Spec...
Building and Sending Finished...
Calculated final handshake hash.
Finished payload (verify_data): 266DCE4BBB04DDB750FD58BD
Updated transcript. Total size: 7142
Sending Finished (encrypted)...
Encrypting 16 bytes for record type 22
=====
Handshake Complete!
=====
Google: TLS Handshake SUCCESS!
— Sending HTTP Request —
GET / HTTP/1.1
Host: google.com
Connection: close
User-Agent: rtls-client/1.0
Encrypting 84 bytes for record type 23
— Receiving HTTP Response —
HTTP/1.1 301 Moved Permanently
Location: https://www.google.com/
Content-Type: text/html; charset=UTF-8
Date: Mon, 01 Dec 2025 03:17:22 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 220
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
Google: Connection Closed By Server (Total: 851 bytes)
Closing connection and freeing context.
Encrypting 2 bytes for record type 21
===== FINISHED GOOGLE.COM REQUEST =====
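
The log above prints every record header as type, version and length. The following is an added example, not code from Radikant TLS: it shows one way to parse that 5-byte header with the bounds checks a TLS 1.3 receiver needs before it reads or allocates the record body. The names `rec_header`, `rec_parse_header`, `rec_total_len` and the sample bytes are hypothetical and constructed for illustration; the length limit is the TLS 1.3 ciphertext limit from RFC 8446.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: every name here is hypothetical, not Radikant TLS API. */
#define REC_HDR_LEN 5
#define REC_MAX_BODY (16384 + 256) /* RFC 8446 5.2 ciphertext limit: 2^14 + 256 */

typedef struct {
    uint8_t  type;    /* 20 change_cipher_spec, 21 alert, 22 handshake, 23 app data */
    uint16_t version; /* legacy_record_version; reported, not trusted */
    uint16_t length;  /* size of the record body that follows the header */
} rec_header;

typedef enum { REC_OK, REC_NEED_MORE, REC_BAD_TYPE, REC_TOO_LONG } rec_status;

/* Parse the 5-byte header at buf; never reads beyond avail bytes. */
rec_status rec_parse_header(const uint8_t *buf, size_t avail, rec_header *out)
{
    if (buf == NULL || out == NULL || avail < REC_HDR_LEN)
        return REC_NEED_MORE;              /* wait for more socket data */
    out->type    = buf[0];
    out->version = (uint16_t)((buf[1] << 8) | buf[2]);
    out->length  = (uint16_t)((buf[3] << 8) | buf[4]);
    if (out->type < 20 || out->type > 23)
        return REC_BAD_TYPE;               /* unknown content type */
    if (out->length > REC_MAX_BODY)
        return REC_TOO_LONG;               /* reject before allocating or reading */
    return REC_OK;
}

/* Bytes that must be buffered before the record body may be processed. */
size_t rec_total_len(const rec_header *h) { return REC_HDR_LEN + (size_t)h->length; }

/* Constructed sample headers matching the two records in the log above. */
static const uint8_t SAMPLE_SKE[5]  = {0x16, 0x03, 0x03, 0x01, 0x4D}; /* 333 bytes */
static const uint8_t SAMPLE_DONE[5] = {0x16, 0x03, 0x03, 0x00, 0x04}; /* 4 bytes */

int main(void)
{
    rec_header h;
    if (rec_parse_header(SAMPLE_SKE, sizeof SAMPLE_SKE, &h) == REC_OK)
        printf("Type: %u Version: 0x%04X Length: %u bytes\n",
               (unsigned)h.type, (unsigned)h.version, (unsigned)h.length);
    if (rec_parse_header(SAMPLE_DONE, sizeof SAMPLE_DONE, &h) == REC_OK)
        printf("Type: %u Version: 0x%04X Length: %u bytes\n",
               (unsigned)h.type, (unsigned)h.version, (unsigned)h.length);
    return 0;
}
```

A caller would read until `rec_total_len` bytes are buffered and treat `REC_BAD_TYPE` or `REC_TOO_LONG` as fatal for the connection.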