{"id":13812910,"url":"https://github.com/ezhangle/krypton","last_synced_at":"2025-05-14T22:31:18.448Z","repository":{"id":86902279,"uuid":"48126424","full_name":"ezhangle/krypton","owner":"ezhangle","description":"Embedded TLS/DTLS library, source and binary compatible OpenSSL subset","archived":false,"fork":false,"pushed_at":"2015-12-13T17:36:22.000Z","size":460,"stargazers_count":24,"open_issues_count":0,"forks_count":24,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-11-19T07:39:45.311Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ezhangle.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-12-16T18:00:55.000Z","updated_at":"2024-10-30T09:30:42.000Z","dependencies_parsed_at":"2023-03-15T03:32:47.534Z","dependency_job_id":null,"html_url":"https://github.com/ezhangle/krypton","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ezhangle%2Fkrypton","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ezhangle%2Fkrypton/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ezhangle%2Fkrypton/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ezhangle%2Fkrypton/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ezhangle","download_url":"https://codeload.github.com/ezhangle/krypton/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254239535,"owners_count":22037721,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T04:00:57.753Z","updated_at":"2025-05-14T22:31:13.363Z","avatar_url":"https://github.com/ezhangle.png","language":"C","funding_links":[],"categories":["Cryptography"],"sub_categories":["General"],"readme":"Krypton - Embedded TLS/DTLS library\n===================================\n\nKrypton is a drop-in replacement for OpenSSL.\nKrypton is a source and binary compatible OpenSSL subset. Main design goal goal\nwas to minimize static and runtime memory footprint.\n\n## Usage\n\nJust copy a single file, `krypton.c`, to your source repo.\n\nIf you're already using OpenSSL library and wish to switch to Krypton,\njust add `krypton.c` file to the build, and remove `-lssl -lcrypto` build\noptions:\n\n     OpenSSL:  cc app.c -lssl -lcrypto\n     Krypton:  cc app.c krypton.c\n\nIf you're not using OpenSSL and OpenSSL headers are not installed on you're\nworkstation, just copy over `openssl` directory to your build as well.\n\n## Supported API\n\nSee [openssl/ssl.h](openssl/ssl.h) header file for the list of supported functions.\n\n## Certificate Verification\n\n1. As a simplification, full candidate certificate chains back to a self-signed\nroot CA are not checked. The chain will run from the server cert, through all\nintermediate certs provided by the server to a single certificate in the\nclients CA store, which will be used as the trust anchor.\n\n2. Expiration dates are not checked.\n\n3. In either case, no X509 API is provided to check the subject name, alternate\nnames, dns name extensions etc. belonging to the server certificate.\n\nA possible solution for this might be to use 3rd party tools to ensure that the\nclients CA store is valid and is not used outside of expiration dates.\n\n\n## Performance\n\nApart from cryptographic primatives, which are entirely 3rd-party, there may be\nseveral optimisations and code cleanups possible.\n\nFor example:\n\n  - if not verifying, don't bother hashing servers cert\n  - make security struct be temporary\n  - assigned read/write keys/state in to main ssl struct\n  - if a packet is too big for recieve buffer, peek its size for buf realloc\n  - strip handshake header in handle_handshake(), would reduce code size\n\nProbably the bigger performance improvements would be to add session ticketing\nto avoid costly handshakes wherever possible.\n\n## Renegotiation\n\nNot supported. This wouldn't be too difficult to support:\n\n  - server: send both finished messages in hello reneg info EXT\n  - client: re-send finished message in hello reneg info EXT\n  - client: respond to hello request with a new hello\n  - debug with s_client renegotiation\n\n\n## Implementing more secure cipher modes\n\nRC4 is being phased out. The best bet for a new cipher that will ensure forward\ncompatibility is probably AES in CBC mode. This would require generating IV's\nfrom the master secret and implementing padding and CBC. However, CBC mode may\nbe phased out in favour of GCM or AEAD modes. The block cipher mode\nimplementations are probably the most complex parts of such an upgrade.\n\nMore secure HMAC functions are pretty trivial to add. X509 already requires\nSHA1 and TLS1.2 already requires SHA256. It's just a matter of wiring up the\nrelevant cipher spec ID's.\n\nMore secure key exchange protocols such as Diffie-Hellman with ECDSA would be\nrather complex to add.\n\n## Limitations\n\nIt supports only TLSv1.2 and only one cipher suite (RSA-RC4-MD5) in\nboth blocking and non-blocking socket modes.\nRenegotiation, more secure cipher suites, CRL's,\nOCSP stapling, session ticketing, client certificates, and other advanced\nfeatures are not supported.\n\nThe `SSL_read()` buffer must always be big enough.\nIf a large appdata packet is recieved and the buffer passed to SSL_read() doesn't have space for it, then some data will be discarded.\n\nSome high bits of 3-byte length fields are ignored, which could mean we fail to\nparse some messages over 64KiB in length. For example, huge certificate chains.\n\nThe code should be robust against bad message formatting. But unexpected\nmessages (such as renegotiations, or server requests for client certificates)\ncould lead to unexpected, possibly exploitable, conditions.\n\nSome timing attacks are not worked around, but there are defences against\nBleichenbacher attacks. No key material is ever scrubbed from memory. The RC4\ncipher is weak. Although the MD5 hash is weak, there are currently no known\npractical attacks when it is used in the HMAC configuration.\n\n# Contributions\n\nPeople who have agreed to the\n[Cesanta CLA](https://docs.cesanta.com/contributors_la.shtml)\ncan make contributions. Note that the CLA isn't a copyright\n_assigment_ but rather a copyright _license_.\nYou retain the copyright on your contributions.\n\n## Licensing\n\nKrypton is released under commercial and\n[GPL v.2](http://www.gnu.org/licenses/old-licenses/gpl-2.0.html) open\nsource licenses. The GPLv2 open source License does not generally permit\nincorporating this software into non-open source programs.\nFor those customers who do not wish to comply with the GPLv2 open\nsource license requirements,\n[Cesanta](https://www.cesanta.com) offers a full,\nroyalty-free commercial license and professional support\nwithout any of the GPL restrictions.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fezhangle%2Fkrypton","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fezhangle%2Fkrypton","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fezhangle%2Fkrypton/lists"}