DeterministicESPAsyncWebServer v6.28.0
Zero-allocation, bounded-execution async HTTP server for ESP32
Loading...
Searching...
No Matches
nts.h File Reference

Network Time Security (NTS, RFC 8915) wire codec (DETWS_ENABLE_NTS). More...

#include "ServerConfig.h"
#include <stddef.h>
#include <stdint.h>

Go to the source code of this file.

Detailed Description

Network Time Security (NTS, RFC 8915) wire codec (DETWS_ENABLE_NTS).

NTS secures NTP against spoofing. It has two wire formats, both codified here:

  • NTS-KE (Key Establishment, RFC 8915 sec 4), a short record exchange run over TLS 1.3 on port 4460: TLV records [critical|type : u16][body-length : u16][body]. The client offers a next protocol (NTPv4) + an AEAD algorithm (AES-SIV-CMAC-256); the server returns cookies + the negotiated AEAD (+ optional server/port). detws_nts_ke_record / _request build the request and detws_nts_ke_parse walks a response, surfacing each record via a callback.
  • NTS-protected NTP (RFC 8915 sec 5), NTPv4 with RFC 7822 extension fields: the Unique Identifier, the NTS Cookie, and the NTS Authenticator-and-Encrypted-Extension-Fields (AEAD nonce + ciphertext). detws_nts_ef builds a padded extension field; detws_nts_ef_unique_id / _cookie are the common ones.

Pure framing, zero heap, no stdlib, host-testable. The AES-SIV-CMAC-256 AEAD (RFC 5297) that protects the authenticator, and the TLS-exporter key derivation (sec 5.1), are the crypto integration on top - the label constants for that derivation are exposed here.

Definition in file nts.h.