---
Author: Tímea Moder
Version: 1551-CNL 113 839, Rev. B
Date: 2018-02-12

---
= TLS library for TTCN-3 Toolset with TITAN, Function Description
:author: Tímea Moder
:revnumber: 1551-CNL 113 839 Rev. B
:revdate: 2018-02-12
:toc:

== How to Read This Document

This is the Function Specification for the TLS library. The TLS library are developed for the TTCN-3 Toolset with TITAN.

== Scope

The purpose of this document is to specify the content of the TLS library. The document is primarily addressed to the end users of the product. Basic knowledge of TTCN-3 <<_2, [2]>> and TITAN TTCN-3 Test Executor <<_3, [3]>> is valuable when reading this document.

== System Requirements

The TLS library is a set of TTCN-3 source code files that can be used as part of TTCN-3 test suites only. Hence, TLS library alone do not put specific requirements on the system used. However, in order to compile and execute a TTCN-3 test suite using the set of protocol modules the following system requirements must be satisfied:

* TITAN TTCN-3 Test Executor version CRL 113 200/6 R3A (6.3.pl0) or higher installed.

NOTE: This version of the protocol module is not compatible with TITAN releases earlier than CRL 113 200/6 R3A. For installation guide see <<_2, [2]>>.

* OpenSSL development library is installed. See <<_1, [1]>>.

= Protocol Modules

== Overview

The TLS library implement the control functions in a formalized way. This allows defining of test data (templates) in the TTCN-3 language <<_2, [2]>> and correct encoding/decoding of messages when executing test suites using the TITAN TTCN-3 test environment.

== Installation

The set of protocol modules can be used in developing TTCN-3 test suites using any text editor. However, to make the work more efficient a TTCN-3-enabled text editor is recommended (e.g. `nedit`, `xemacs`). Since the TLS library is used as a part of a TTCN-3 test suite, this requires TTCN-3 Test Executor be installed before the module can be compiled and executed together with other parts of the test suite. For more details on the installation of TTCN-3 Test Executor see the relevant section of <<_3, [3]>>.

== Configuration

None.

= Functional Specification

== Supported TLS Versions

The TLS library uses the OpenSSL, hence the supported SSL/TLS/DTLS versions are depends on the used version of the OpenSSL. The TLS library provides interface for:

* SSLv3
* TLSv1, TLSv1.1, TLSv1.2
* DTLSv1.0, DTLSv1.2

== TLS Object Handling Function

In order to establish TLS/DTLS connections a TLS object should be created.

[source]
----
external function TLS_New_object(
        in TLS_descriptor descr
        out integer object_id,
        in integer user_idx := -1
) return TLS_op_result;
----

The function returns the result of the object creation. The object can be referenced later by the `object_id`.

The optional `user_idx` is not used by the TLS library directly, just stored as is. It can be used a reference to another object or connection.

After the TLS/DTLS connection is not used any more the object should be destroyed.

[source]
external function TLS_Delete_object(in integer object_id) return TLS_op_result;

== TLS Descriptor

The TLS descriptor has the following fields:

* `tls_method`: +
Type: TLS_method, mandatory +
Default value: `_TLS_method_TLS_` +
Allowed values: `_TLS_method_TLS_`, `_TLS_method_DTLS_` +
It specifies which method to use: TLS/SSL or DTLS.
* `min_supported_version`, `max_supported_version` +
Type: TLS_Supported_proto_versions, optional +
Default value: `_omit_` +
Allowed values: `_TLS_SSL3_VERSION_`, `_TLS_TLS1_VERSION_`, `_TLS_TLS1_1_VERSION_`, `_TLS_TLS1_2_VERSION_`, `_TLS_DTLS1_VERSION_`, `_TLS_DTLS1_2_VERSION_` +
The minimum and the maximum version of the supported protocol.
* `ssl_key_file`: +
Type: charstring, optional +
Default value: `_omit_` +
It specifies a PEM encoded file’s path on the file system containing the server’s RSA private key.
* `ssl_certificate_file`: +
Type: charstring, optional +
Default value: `_omit_` +
It specifies a PEM encoded file’s path on the file system containing the certificate chain.
* `ssl_trustedCAlist_file`: +
Type: charstring, optional +
Default value: `_omit_` +
It specifies a PEM encoded file’s path on the file system containing the certificates of the trusted CA authorities to use.
* `ssl_cipher_list`: +
Type: charstring, optional +
Default value: `_omit_` +
It can be used to specify the allowed cipher list.
* `ssl_password`: +
Type: charstring, optional +
Default value: `_omit_` +
It specifies the password protecting the private key file.
* `ssl_verify_certificate`: +
Type: boolean, optional +
Default value: `_true_` +
It can be used to specify whether to check the certificate of the other side.
* `psk_hint`: +
Type: charstring, optional +
Default value: `_omit_` +
The server can provide a "PSK identity hint" in the `ServerKeyExchange` message. In the case where PSK identity hint is omit, the server does not send the `ServerKeyExchange` message to the client.
* `psk_identity`: +
Type: charstring, optional +
Default value: `_omit_` +
The "PSK identity" is included in the `ClientKeyExchange` message and transmitted to the server. After the negotiation for "PSK identity" is done, the client and the server can generate their pre-master secrets with the pre-shared key.
* `psk_key`: +
Type: charstring, optional +
Default value: `_omit_` +
It is the psk key in hexadecimal representation form.
* `psk_for_server`: +
Type: boolean, optional +
Default value: `_omit_` +
It can be used to specify the used psk callback function, the psk server callback or the psk client callback function will be called.

== Connection Establishment

The function to use to establish connection:

[source]
----
external function TLS_Handshake(in integer object_id,
                in boolean is_server
                in octetstring input_stream,
                out octetstring output_stream
) return TLS_op_result;
----

The function should be called repeatedly until the handshake is finished.

The return values:

* `_TLS_OK_`: handshake finished
* `_TLS_NEED_MORE_DATA_`: send the output stream to the peer if len >0, call the function again with more data from peer
* `_TLS_DATA_TO_SEND_`: send the output stream to the peer, and call the function again
* `_TLS_ERROR_`: something went wrong.

Parameters:

* `object_id`: The TLS object, created by the TLS_New_object
* `is_server`: true: server side, false: client side
* `input_stream`: The data received from the peer, or empty string
* `output_stream`: The function places the data should be sent to the peer.

== Data Exchange Function

=== Send Data to the Peer

The following function can be used to send data to the peer:

[source]
----
external function TLS_Write(in integer object_id,
            in octetstring user_data
            in octetstring input_stream,
            out octetstring output_stream
) return TLS_op_result;
----

Should be called repeatedly until returns `TLS_OK`.

The return values:

* `_TLS_OK_`: all data ready to be sent.
* `_TLS_NEED_MORE_DATA_`: send the output stream to the peer if `len >0`, call the function again with more data from peer
* `_TLS_DATA_TO_SEND_`: send the output stream to the peer, and call the function again
* `_TLS_ERROR_`: something went wrong.

Parameters:

* `object_id`: The TLS object, created by the `TLS_New_object`
* `user_data`: the data to be sent
* `input_stream`: The data received from the peer, or empty string
* `output_stream`: The function places the data should be sent to the peer.

=== Receive Data from the Peer

The following function can be used to decrypt the data received from the peer:

[source]
----
external function TLS_Read(in integer object_id,
          out octetstring user_data,
          in octetstring input_stream,
          out octetstring output_stream
) return TLS_op_result;
----

Should be called repeatedly until returns `TLS_OK`.

The return values:

* `_TLS_OK_`: all data received.
* `_TLS_NEED_MORE_DATA_`: send the output stream to the peer if `len >0`, call the function again with more data from peer
* `_TLS_DATA_TO_SEND_`: send the output stream to the peer, and call the function again
* `_TLS_ERROR_`: something went wrong.

Parameters:

* `object_id`: The TLS object, created by the `TLS_New_object`
* `user_data`: the received data
* `input_stream`: The data received from the peer, or empty string
* `output_stream`: The function places the data should be sent to the peer.

= Terminology

No specific terminology is used.

= Abbreviations

DTLS:: Datagram Transport Layer Security

TLS:: Transport Layer Secuity

TTCN-3:: Testing and Test Control Notation version 3

SSL:: Secure Socket Layer

= References

[[_1]]
[1] OpenSSL +
https://www.openssl.org/

[[_2]]
[2] ETSI ES 201 873-1 v3.2.1 (2007-02) +
The Testing and Test Control Notation version 3; Part 1: Core Language

[[_3]]
[3] User Guide for the TITAN TTCN-3 Test Executor