ReactOS  0.4.15-dev-1150-g593bcce
ssl.h File Reference

SSL/TLS functions. More...

#include "config.h"
#include "bignum.h"
#include "ecp.h"
#include "ssl_ciphersuites.h"
#include "x509_crt.h"
#include "x509_crl.h"
#include "dhm.h"
#include "ecdh.h"
Include dependency graph for ssl.h:
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Classes

union  mbedtls_ssl_premaster_secret
 
struct  mbedtls_ssl_session
 
struct  mbedtls_ssl_config
 
struct  mbedtls_ssl_context
 

Macros

#define MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE   -0x7080
 
#define MBEDTLS_ERR_SSL_BAD_INPUT_DATA   -0x7100
 
#define MBEDTLS_ERR_SSL_INVALID_MAC   -0x7180
 
#define MBEDTLS_ERR_SSL_INVALID_RECORD   -0x7200
 
#define MBEDTLS_ERR_SSL_CONN_EOF   -0x7280
 
#define MBEDTLS_ERR_SSL_UNKNOWN_CIPHER   -0x7300
 
#define MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN   -0x7380
 
#define MBEDTLS_ERR_SSL_NO_RNG   -0x7400
 
#define MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE   -0x7480
 
#define MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE   -0x7500
 
#define MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED   -0x7580
 
#define MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED   -0x7600
 
#define MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED   -0x7680
 
#define MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE   -0x7700
 
#define MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE   -0x7780
 
#define MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED   -0x7800
 
#define MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY   -0x7880
 
#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO   -0x7900
 
#define MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO   -0x7980
 
#define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE   -0x7A00
 
#define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST   -0x7A80
 
#define MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE   -0x7B00
 
#define MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE   -0x7B80
 
#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE   -0x7C00
 
#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP   -0x7C80
 
#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS   -0x7D00
 
#define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY   -0x7D80
 
#define MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC   -0x7E00
 
#define MBEDTLS_ERR_SSL_BAD_HS_FINISHED   -0x7E80
 
#define MBEDTLS_ERR_SSL_ALLOC_FAILED   -0x7F00
 
#define MBEDTLS_ERR_SSL_HW_ACCEL_FAILED   -0x7F80
 
#define MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH   -0x6F80
 
#define MBEDTLS_ERR_SSL_COMPRESSION_FAILED   -0x6F00
 
#define MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION   -0x6E80
 
#define MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET   -0x6E00
 
#define MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED   -0x6D80
 
#define MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH   -0x6D00
 
#define MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY   -0x6C80
 
#define MBEDTLS_ERR_SSL_INTERNAL_ERROR   -0x6C00
 
#define MBEDTLS_ERR_SSL_COUNTER_WRAPPING   -0x6B80
 
#define MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO   -0x6B00
 
#define MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED   -0x6A80
 
#define MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL   -0x6A00
 
#define MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE   -0x6980
 
#define MBEDTLS_ERR_SSL_WANT_READ   -0x6900
 
#define MBEDTLS_ERR_SSL_WANT_WRITE   -0x6880
 
#define MBEDTLS_ERR_SSL_TIMEOUT   -0x6800
 
#define MBEDTLS_ERR_SSL_CLIENT_RECONNECT   -0x6780
 
#define MBEDTLS_ERR_SSL_UNEXPECTED_RECORD   -0x6700
 
#define MBEDTLS_ERR_SSL_NON_FATAL   -0x6680
 
#define MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH   -0x6600
 
#define MBEDTLS_ERR_SSL_BAD_CONFIG   -0x5E80
 
#define MBEDTLS_SSL_MAJOR_VERSION_3   3
 
#define MBEDTLS_SSL_MINOR_VERSION_0   0
 
#define MBEDTLS_SSL_MINOR_VERSION_1   1
 
#define MBEDTLS_SSL_MINOR_VERSION_2   2
 
#define MBEDTLS_SSL_MINOR_VERSION_3   3
 
#define MBEDTLS_SSL_TRANSPORT_STREAM   0
 
#define MBEDTLS_SSL_TRANSPORT_DATAGRAM   1
 
#define MBEDTLS_SSL_MAX_HOST_NAME_LEN   255
 
#define MBEDTLS_SSL_MAX_ALPN_NAME_LEN   255
 
#define MBEDTLS_SSL_MAX_ALPN_LIST_LEN   65535
 
#define MBEDTLS_SSL_MAX_FRAG_LEN_NONE   0
 
#define MBEDTLS_SSL_MAX_FRAG_LEN_512   1
 
#define MBEDTLS_SSL_MAX_FRAG_LEN_1024   2
 
#define MBEDTLS_SSL_MAX_FRAG_LEN_2048   3
 
#define MBEDTLS_SSL_MAX_FRAG_LEN_4096   4
 
#define MBEDTLS_SSL_MAX_FRAG_LEN_INVALID   5
 
#define MBEDTLS_SSL_IS_CLIENT   0
 
#define MBEDTLS_SSL_IS_SERVER   1
 
#define MBEDTLS_SSL_IS_NOT_FALLBACK   0
 
#define MBEDTLS_SSL_IS_FALLBACK   1
 
#define MBEDTLS_SSL_EXTENDED_MS_DISABLED   0
 
#define MBEDTLS_SSL_EXTENDED_MS_ENABLED   1
 
#define MBEDTLS_SSL_ETM_DISABLED   0
 
#define MBEDTLS_SSL_ETM_ENABLED   1
 
#define MBEDTLS_SSL_COMPRESS_NULL   0
 
#define MBEDTLS_SSL_COMPRESS_DEFLATE   1
 
#define MBEDTLS_SSL_VERIFY_NONE   0
 
#define MBEDTLS_SSL_VERIFY_OPTIONAL   1
 
#define MBEDTLS_SSL_VERIFY_REQUIRED   2
 
#define MBEDTLS_SSL_VERIFY_UNSET   3 /* Used only for sni_authmode */
 
#define MBEDTLS_SSL_LEGACY_RENEGOTIATION   0
 
#define MBEDTLS_SSL_SECURE_RENEGOTIATION   1
 
#define MBEDTLS_SSL_RENEGOTIATION_DISABLED   0
 
#define MBEDTLS_SSL_RENEGOTIATION_ENABLED   1
 
#define MBEDTLS_SSL_ANTI_REPLAY_DISABLED   0
 
#define MBEDTLS_SSL_ANTI_REPLAY_ENABLED   1
 
#define MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED   -1
 
#define MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT   16
 
#define MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION   0
 
#define MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION   1
 
#define MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE   2
 
#define MBEDTLS_SSL_TRUNC_HMAC_DISABLED   0
 
#define MBEDTLS_SSL_TRUNC_HMAC_ENABLED   1
 
#define MBEDTLS_SSL_TRUNCATED_HMAC_LEN   10 /* 80 bits, rfc 6066 section 7 */
 
#define MBEDTLS_SSL_SESSION_TICKETS_DISABLED   0
 
#define MBEDTLS_SSL_SESSION_TICKETS_ENABLED   1
 
#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED   0
 
#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED   1
 
#define MBEDTLS_SSL_ARC4_ENABLED   0
 
#define MBEDTLS_SSL_ARC4_DISABLED   1
 
#define MBEDTLS_SSL_PRESET_DEFAULT   0
 
#define MBEDTLS_SSL_PRESET_SUITEB   2
 
#define MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED   1
 
#define MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED   0
 
#define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN   1000
 
#define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX   60000
 
#define MBEDTLS_SSL_VERIFY_DATA_MAX_LEN   12
 
#define MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO   0xFF
 
#define MBEDTLS_SSL_FALLBACK_SCSV_VALUE   0x5600
 
#define MBEDTLS_SSL_HASH_NONE   0
 
#define MBEDTLS_SSL_HASH_MD5   1
 
#define MBEDTLS_SSL_HASH_SHA1   2
 
#define MBEDTLS_SSL_HASH_SHA224   3
 
#define MBEDTLS_SSL_HASH_SHA256   4
 
#define MBEDTLS_SSL_HASH_SHA384   5
 
#define MBEDTLS_SSL_HASH_SHA512   6
 
#define MBEDTLS_SSL_SIG_ANON   0
 
#define MBEDTLS_SSL_SIG_RSA   1
 
#define MBEDTLS_SSL_SIG_ECDSA   3
 
#define MBEDTLS_SSL_CERT_TYPE_RSA_SIGN   1
 
#define MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN   64
 
#define MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC   20
 
#define MBEDTLS_SSL_MSG_ALERT   21
 
#define MBEDTLS_SSL_MSG_HANDSHAKE   22
 
#define MBEDTLS_SSL_MSG_APPLICATION_DATA   23
 
#define MBEDTLS_SSL_ALERT_LEVEL_WARNING   1
 
#define MBEDTLS_SSL_ALERT_LEVEL_FATAL   2
 
#define MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY   0 /* 0x00 */
 
#define MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE   10 /* 0x0A */
 
#define MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC   20 /* 0x14 */
 
#define MBEDTLS_SSL_ALERT_MSG_DECRYPTION_FAILED   21 /* 0x15 */
 
#define MBEDTLS_SSL_ALERT_MSG_RECORD_OVERFLOW   22 /* 0x16 */
 
#define MBEDTLS_SSL_ALERT_MSG_DECOMPRESSION_FAILURE   30 /* 0x1E */
 
#define MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE   40 /* 0x28 */
 
#define MBEDTLS_SSL_ALERT_MSG_NO_CERT   41 /* 0x29 */
 
#define MBEDTLS_SSL_ALERT_MSG_BAD_CERT   42 /* 0x2A */
 
#define MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT   43 /* 0x2B */
 
#define MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED   44 /* 0x2C */
 
#define MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED   45 /* 0x2D */
 
#define MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN   46 /* 0x2E */
 
#define MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER   47 /* 0x2F */
 
#define MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA   48 /* 0x30 */
 
#define MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED   49 /* 0x31 */
 
#define MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR   50 /* 0x32 */
 
#define MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR   51 /* 0x33 */
 
#define MBEDTLS_SSL_ALERT_MSG_EXPORT_RESTRICTION   60 /* 0x3C */
 
#define MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION   70 /* 0x46 */
 
#define MBEDTLS_SSL_ALERT_MSG_INSUFFICIENT_SECURITY   71 /* 0x47 */
 
#define MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR   80 /* 0x50 */
 
#define MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK   86 /* 0x56 */
 
#define MBEDTLS_SSL_ALERT_MSG_USER_CANCELED   90 /* 0x5A */
 
#define MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION   100 /* 0x64 */
 
#define MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT   110 /* 0x6E */
 
#define MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME   112 /* 0x70 */
 
#define MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY   115 /* 0x73 */
 
#define MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL   120 /* 0x78 */
 
#define MBEDTLS_SSL_HS_HELLO_REQUEST   0
 
#define MBEDTLS_SSL_HS_CLIENT_HELLO   1
 
#define MBEDTLS_SSL_HS_SERVER_HELLO   2
 
#define MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST   3
 
#define MBEDTLS_SSL_HS_NEW_SESSION_TICKET   4
 
#define MBEDTLS_SSL_HS_CERTIFICATE   11
 
#define MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE   12
 
#define MBEDTLS_SSL_HS_CERTIFICATE_REQUEST   13
 
#define MBEDTLS_SSL_HS_SERVER_HELLO_DONE   14
 
#define MBEDTLS_SSL_HS_CERTIFICATE_VERIFY   15
 
#define MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE   16
 
#define MBEDTLS_SSL_HS_FINISHED   20
 
#define MBEDTLS_TLS_EXT_SERVERNAME   0
 
#define MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME   0
 
#define MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH   1
 
#define MBEDTLS_TLS_EXT_TRUNCATED_HMAC   4
 
#define MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES   10
 
#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS   11
 
#define MBEDTLS_TLS_EXT_SIG_ALG   13
 
#define MBEDTLS_TLS_EXT_ALPN   16
 
#define MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC   22 /* 0x16 */
 
#define MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET   0x0017 /* 23 */
 
#define MBEDTLS_TLS_EXT_SESSION_TICKET   35
 
#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP   256 /* experimental */
 
#define MBEDTLS_TLS_EXT_RENEGOTIATION_INFO   0xFF01
 
#define MBEDTLS_PSK_MAX_LEN   32 /* 256 bits */
 
#define MBEDTLS_PREMASTER_SIZE   sizeof( union mbedtls_ssl_premaster_secret )
 
SECTION: Module settings

The configuration options you can set for this module are in this section. Either change them in config.h or define them on the compiler command line.

#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME   86400
 
#define MBEDTLS_SSL_MAX_CONTENT_LEN   16384
 

Typedefs

typedef int mbedtls_ssl_send_t(void *ctx, const unsigned char *buf, size_t len)
 Callback type: send data on the network. More...
 
typedef int mbedtls_ssl_recv_t(void *ctx, unsigned char *buf, size_t len)
 Callback type: receive data from the network. More...
 
typedef int mbedtls_ssl_recv_timeout_t(void *ctx, unsigned char *buf, size_t len, uint32_t timeout)
 Callback type: receive data from the network, with timeout. More...
 
typedef void mbedtls_ssl_set_timer_t(void *ctx, uint32_t int_ms, uint32_t fin_ms)
 Callback type: set a pair of timers/delays to watch. More...
 
typedef int mbedtls_ssl_get_timer_t(void *ctx)
 Callback type: get status of timers/delays. More...
 
typedef struct mbedtls_ssl_session mbedtls_ssl_session
 
typedef struct mbedtls_ssl_context mbedtls_ssl_context
 
typedef struct mbedtls_ssl_config mbedtls_ssl_config
 
typedef struct mbedtls_ssl_transform mbedtls_ssl_transform
 
typedef struct mbedtls_ssl_handshake_params mbedtls_ssl_handshake_params
 
typedef struct mbedtls_ssl_sig_hash_set_t mbedtls_ssl_sig_hash_set_t
 
typedef struct mbedtls_ssl_key_cert mbedtls_ssl_key_cert
 
typedef int mbedtls_ssl_ticket_write_t(void *p_ticket, const mbedtls_ssl_session *session, unsigned char *start, const unsigned char *end, size_t *tlen, uint32_t *lifetime)
 Callback type: generate and write session ticket. More...
 
typedef int mbedtls_ssl_ticket_parse_t(void *p_ticket, mbedtls_ssl_session *session, unsigned char *buf, size_t len)
 Callback type: parse and load session ticket. More...
 
typedef int mbedtls_ssl_cookie_write_t(void *ctx, unsigned char **p, unsigned char *end, const unsigned char *info, size_t ilen)
 Callback type: generate a cookie. More...
 
typedef int mbedtls_ssl_cookie_check_t(void *ctx, const unsigned char *cookie, size_t clen, const unsigned char *info, size_t ilen)
 Callback type: verify a cookie. More...
 

Enumerations

enum  mbedtls_ssl_states {
  MBEDTLS_SSL_HELLO_REQUEST, MBEDTLS_SSL_CLIENT_HELLO, MBEDTLS_SSL_SERVER_HELLO, MBEDTLS_SSL_SERVER_CERTIFICATE,
  MBEDTLS_SSL_SERVER_KEY_EXCHANGE, MBEDTLS_SSL_CERTIFICATE_REQUEST, MBEDTLS_SSL_SERVER_HELLO_DONE, MBEDTLS_SSL_CLIENT_CERTIFICATE,
  MBEDTLS_SSL_CLIENT_KEY_EXCHANGE, MBEDTLS_SSL_CERTIFICATE_VERIFY, MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC, MBEDTLS_SSL_CLIENT_FINISHED,
  MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC, MBEDTLS_SSL_SERVER_FINISHED, MBEDTLS_SSL_FLUSH_BUFFERS, MBEDTLS_SSL_HANDSHAKE_WRAPUP,
  MBEDTLS_SSL_HANDSHAKE_OVER, MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET, MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT
}
 

Functions

const charmbedtls_ssl_get_ciphersuite_name (const int ciphersuite_id)
 Return the name of the ciphersuite associated with the given ID. More...
 
int mbedtls_ssl_get_ciphersuite_id (const char *ciphersuite_name)
 Return the ID of the ciphersuite associated with the given name. More...
 
void mbedtls_ssl_init (mbedtls_ssl_context *ssl)
 Initialize an SSL context Just makes the context ready for mbedtls_ssl_setup() or mbedtls_ssl_free() More...
 
int mbedtls_ssl_setup (mbedtls_ssl_context *ssl, const mbedtls_ssl_config *conf)
 Set up an SSL context for use. More...
 
int mbedtls_ssl_session_reset (mbedtls_ssl_context *ssl)
 Reset an already initialized SSL context for re-use while retaining application-set variables, function pointers and data. More...
 
void mbedtls_ssl_conf_endpoint (mbedtls_ssl_config *conf, int endpoint)
 Set the current endpoint type. More...
 
void mbedtls_ssl_conf_transport (mbedtls_ssl_config *conf, int transport)
 Set the transport type (TLS or DTLS). Default: TLS. More...
 
void mbedtls_ssl_conf_authmode (mbedtls_ssl_config *conf, int authmode)
 Set the certificate verification mode Default: NONE on server, REQUIRED on client. More...
 
void mbedtls_ssl_conf_verify (mbedtls_ssl_config *conf, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
 Set the verification callback (Optional). More...
 
void mbedtls_ssl_conf_rng (mbedtls_ssl_config *conf, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
 Set the random number generator callback. More...
 
void mbedtls_ssl_conf_dbg (mbedtls_ssl_config *conf, void(*f_dbg)(void *, int, const char *, int, const char *), void *p_dbg)
 Set the debug callback. More...
 
void mbedtls_ssl_set_bio (mbedtls_ssl_context *ssl, void *p_bio, mbedtls_ssl_send_t *f_send, mbedtls_ssl_recv_t *f_recv, mbedtls_ssl_recv_timeout_t *f_recv_timeout)
 Set the underlying BIO callbacks for write, read and read-with-timeout. More...
 
void mbedtls_ssl_conf_read_timeout (mbedtls_ssl_config *conf, uint32_t timeout)
 Set the timeout period for mbedtls_ssl_read() (Default: no timeout.) More...
 
void mbedtls_ssl_set_timer_cb (mbedtls_ssl_context *ssl, void *p_timer, mbedtls_ssl_set_timer_t *f_set_timer, mbedtls_ssl_get_timer_t *f_get_timer)
 Set the timer callbacks (Mandatory for DTLS.) More...
 
int mbedtls_ssl_set_session (mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session)
 Request resumption of session (client-side only) Session data is copied from presented session structure. More...
 
void mbedtls_ssl_conf_ciphersuites (mbedtls_ssl_config *conf, const int *ciphersuites)
 Set the list of allowed ciphersuites and the preference order. First in the list has the highest preference. (Overrides all version-specific lists) More...
 
void mbedtls_ssl_conf_ciphersuites_for_version (mbedtls_ssl_config *conf, const int *ciphersuites, int major, int minor)
 Set the list of allowed ciphersuites and the preference order for a specific version of the protocol. (Only useful on the server side) More...
 
void mbedtls_ssl_conf_cert_profile (mbedtls_ssl_config *conf, const mbedtls_x509_crt_profile *profile)
 Set the X.509 security profile used for verification. More...
 
void mbedtls_ssl_conf_ca_chain (mbedtls_ssl_config *conf, mbedtls_x509_crt *ca_chain, mbedtls_x509_crl *ca_crl)
 Set the data required to verify peer certificate. More...
 
int mbedtls_ssl_conf_own_cert (mbedtls_ssl_config *conf, mbedtls_x509_crt *own_cert, mbedtls_pk_context *pk_key)
 Set own certificate chain and private key. More...
 
void mbedtls_ssl_conf_dhm_min_bitlen (mbedtls_ssl_config *conf, unsigned int bitlen)
 Set the minimum length for Diffie-Hellman parameters. (Client-side only.) (Default: 1024 bits.) More...
 
void mbedtls_ssl_conf_curves (mbedtls_ssl_config *conf, const mbedtls_ecp_group_id *curves)
 Set the allowed curves in order of preference. (Default: all defined curves.) More...
 
void mbedtls_ssl_conf_sig_hashes (mbedtls_ssl_config *conf, const int *hashes)
 Set the allowed hashes for signatures during the handshake. (Default: all available hashes except MD5.) More...
 
int mbedtls_ssl_set_hostname (mbedtls_ssl_context *ssl, const char *hostname)
 Set or reset the hostname to check against the received server certificate. It sets the ServerName TLS extension, too, if that extension is enabled. (client-side only) More...
 
int mbedtls_ssl_set_hs_own_cert (mbedtls_ssl_context *ssl, mbedtls_x509_crt *own_cert, mbedtls_pk_context *pk_key)
 Set own certificate and key for the current handshake. More...
 
void mbedtls_ssl_set_hs_ca_chain (mbedtls_ssl_context *ssl, mbedtls_x509_crt *ca_chain, mbedtls_x509_crl *ca_crl)
 Set the data required to verify peer certificate for the current handshake. More...
 
void mbedtls_ssl_set_hs_authmode (mbedtls_ssl_context *ssl, int authmode)
 Set authmode for the current handshake. More...
 
void mbedtls_ssl_conf_sni (mbedtls_ssl_config *conf, int(*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *, size_t), void *p_sni)
 Set server side ServerName TLS extension callback (optional, server-side only). More...
 
int mbedtls_ssl_conf_alpn_protocols (mbedtls_ssl_config *conf, const char **protos)
 Set the supported Application Layer Protocols. More...
 
const charmbedtls_ssl_get_alpn_protocol (const mbedtls_ssl_context *ssl)
 Get the name of the negotiated Application Layer Protocol. This function should be called after the handshake is completed. More...
 
void mbedtls_ssl_conf_max_version (mbedtls_ssl_config *conf, int major, int minor)
 Set the maximum supported version sent from the client side and/or accepted at the server side (Default: MBEDTLS_SSL_MAX_MAJOR_VERSION, MBEDTLS_SSL_MAX_MINOR_VERSION) More...
 
void mbedtls_ssl_conf_min_version (mbedtls_ssl_config *conf, int major, int minor)
 Set the minimum accepted SSL/TLS protocol version (Default: TLS 1.0) More...
 
void mbedtls_ssl_conf_encrypt_then_mac (mbedtls_ssl_config *conf, char etm)
 Enable or disable Encrypt-then-MAC (Default: MBEDTLS_SSL_ETM_ENABLED) More...
 
void mbedtls_ssl_conf_extended_master_secret (mbedtls_ssl_config *conf, char ems)
 Enable or disable Extended Master Secret negotiation. (Default: MBEDTLS_SSL_EXTENDED_MS_ENABLED) More...
 
void mbedtls_ssl_conf_arc4_support (mbedtls_ssl_config *conf, char arc4)
 Disable or enable support for RC4 (Default: MBEDTLS_SSL_ARC4_DISABLED) More...
 
int mbedtls_ssl_conf_max_frag_len (mbedtls_ssl_config *conf, unsigned char mfl_code)
 Set the maximum fragment length to emit and/or negotiate. (Typical: MBEDTLS_SSL_MAX_CONTENT_LEN, by default that is set to 2^14 bytes) (Server: set maximum fragment length to emit, usually negotiated by the client during handshake) (Client: set maximum fragment length to emit and negotiate with the server during handshake) (Default: MBEDTLS_SSL_MAX_FRAG_LEN_NONE) More...
 
void mbedtls_ssl_conf_truncated_hmac (mbedtls_ssl_config *conf, int truncate)
 Activate negotiation of truncated HMAC (Default: MBEDTLS_SSL_TRUNC_HMAC_DISABLED) More...
 
void mbedtls_ssl_conf_cbc_record_splitting (mbedtls_ssl_config *conf, char split)
 Enable / Disable 1/n-1 record splitting (Default: MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED) More...
 
void mbedtls_ssl_conf_session_tickets (mbedtls_ssl_config *conf, int use_tickets)
 Enable / Disable session tickets (client only). (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED.) More...
 
void mbedtls_ssl_conf_renegotiation (mbedtls_ssl_config *conf, int renegotiation)
 Enable / Disable renegotiation support for connection when initiated by peer (Default: MBEDTLS_SSL_RENEGOTIATION_DISABLED) More...
 
void mbedtls_ssl_conf_legacy_renegotiation (mbedtls_ssl_config *conf, int allow_legacy)
 Prevent or allow legacy renegotiation. (Default: MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) More...
 
void mbedtls_ssl_conf_renegotiation_enforced (mbedtls_ssl_config *conf, int max_records)
 Enforce renegotiation requests. (Default: enforced, max_records = 16) More...
 
void mbedtls_ssl_conf_renegotiation_period (mbedtls_ssl_config *conf, const unsigned char period[8])
 Set record counter threshold for periodic renegotiation. (Default: 2^48 - 1) More...
 
size_t mbedtls_ssl_get_bytes_avail (const mbedtls_ssl_context *ssl)
 Return the number of data bytes available to read. More...
 
uint32_t mbedtls_ssl_get_verify_result (const mbedtls_ssl_context *ssl)
 Return the result of the certificate verification. More...
 
const charmbedtls_ssl_get_ciphersuite (const mbedtls_ssl_context *ssl)
 Return the name of the current ciphersuite. More...
 
const charmbedtls_ssl_get_version (const mbedtls_ssl_context *ssl)
 Return the current SSL version (SSLv3/TLSv1/etc) More...
 
int mbedtls_ssl_get_record_expansion (const mbedtls_ssl_context *ssl)
 Return the (maximum) number of bytes added by the record layer: header + encryption/MAC overhead (inc. padding) More...
 
size_t mbedtls_ssl_get_max_frag_len (const mbedtls_ssl_context *ssl)
 Return the maximum fragment length (payload, in bytes). This is the value negotiated with peer if any, or the locally configured value. More...
 
const mbedtls_x509_crtmbedtls_ssl_get_peer_cert (const mbedtls_ssl_context *ssl)
 Return the peer certificate from the current connection. More...
 
int mbedtls_ssl_get_session (const mbedtls_ssl_context *ssl, mbedtls_ssl_session *session)
 Save session in order to resume it later (client-side only) Session data is copied to presented session structure. More...
 
int mbedtls_ssl_handshake (mbedtls_ssl_context *ssl)
 Perform the SSL handshake. More...
 
int mbedtls_ssl_handshake_step (mbedtls_ssl_context *ssl)
 Perform a single step of the SSL handshake. More...
 
int mbedtls_ssl_renegotiate (mbedtls_ssl_context *ssl)
 Initiate an SSL renegotiation on the running connection. Client: perform the renegotiation right now. Server: request renegotiation, which will be performed during the next call to mbedtls_ssl_read() if honored by client. More...
 
int mbedtls_ssl_read (mbedtls_ssl_context *ssl, unsigned char *buf, size_t len)
 Read at most 'len' application data bytes. More...
 
int mbedtls_ssl_write (mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len)
 Try to write exactly 'len' application data bytes. More...
 
int mbedtls_ssl_send_alert_message (mbedtls_ssl_context *ssl, unsigned char level, unsigned char message)
 Send an alert message. More...
 
int mbedtls_ssl_close_notify (mbedtls_ssl_context *ssl)
 Notify the peer that the connection is being closed. More...
 
void mbedtls_ssl_free (mbedtls_ssl_context *ssl)
 Free referenced items in an SSL context and clear memory. More...
 
void mbedtls_ssl_config_init (mbedtls_ssl_config *conf)
 Initialize an SSL configuration context Just makes the context ready for mbedtls_ssl_config_defaults() or mbedtls_ssl_config_free(). More...
 
int mbedtls_ssl_config_defaults (mbedtls_ssl_config *conf, int endpoint, int transport, int preset)
 Load reasonnable default SSL configuration values. (You need to call mbedtls_ssl_config_init() first.) More...
 
void mbedtls_ssl_config_free (mbedtls_ssl_config *conf)
 Free an SSL configuration context. More...
 
void mbedtls_ssl_session_init (mbedtls_ssl_session *session)
 Initialize SSL session structure. More...
 
void mbedtls_ssl_session_free (mbedtls_ssl_session *session)
 Free referenced items in an SSL session including the peer certificate and clear memory. More...
 

Detailed Description

SSL/TLS functions.

Definition in file ssl.h.

Macro Definition Documentation

◆ MBEDTLS_ERR_SSL_ALLOC_FAILED

#define MBEDTLS_ERR_SSL_ALLOC_FAILED   -0x7F00

Memory allocation failed

Definition at line 118 of file ssl.h.

◆ MBEDTLS_ERR_SSL_BAD_CONFIG

#define MBEDTLS_ERR_SSL_BAD_CONFIG   -0x5E80

Invalid value in SSL config

Definition at line 140 of file ssl.h.

◆ MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE

#define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE   -0x7A00

Processing of the Certificate handshake message failed.

Definition at line 108 of file ssl.h.

◆ MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST

#define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST   -0x7A80

Processing of the CertificateRequest handshake message failed.

Definition at line 109 of file ssl.h.

◆ MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY

#define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY   -0x7D80

Processing of the CertificateVerify handshake message failed.

Definition at line 115 of file ssl.h.

◆ MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC

#define MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC   -0x7E00

Processing of the ChangeCipherSpec handshake message failed.

Definition at line 116 of file ssl.h.

◆ MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO

#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO   -0x7900

Processing of the ClientHello handshake message failed.

Definition at line 106 of file ssl.h.

◆ MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE

#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE   -0x7C00

Processing of the ClientKeyExchange handshake message failed.

Definition at line 112 of file ssl.h.

◆ MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS

#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS   -0x7D00

Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret.

Definition at line 114 of file ssl.h.

◆ MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP

#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP   -0x7C80

Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public.

Definition at line 113 of file ssl.h.

◆ MBEDTLS_ERR_SSL_BAD_HS_FINISHED

#define MBEDTLS_ERR_SSL_BAD_HS_FINISHED   -0x7E80

Processing of the Finished handshake message failed.

Definition at line 117 of file ssl.h.

◆ MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET

#define MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET   -0x6E00

Processing of the NewSessionTicket handshake message failed.

Definition at line 123 of file ssl.h.

◆ MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION

#define MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION   -0x6E80

Handshake protocol not within min/max boundaries

Definition at line 122 of file ssl.h.

◆ MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO

#define MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO   -0x7980

Processing of the ServerHello handshake message failed.

Definition at line 107 of file ssl.h.

◆ MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE

#define MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE   -0x7B80

Processing of the ServerHelloDone handshake message failed.

Definition at line 111 of file ssl.h.

◆ MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE

#define MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE   -0x7B00

Processing of the ServerKeyExchange handshake message failed.

Definition at line 110 of file ssl.h.

◆ MBEDTLS_ERR_SSL_BAD_INPUT_DATA

#define MBEDTLS_ERR_SSL_BAD_INPUT_DATA   -0x7100

Bad input parameters to function.

Definition at line 90 of file ssl.h.

◆ MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL

#define MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL   -0x6A00

A buffer is too small to receive or write a message

Definition at line 131 of file ssl.h.

◆ MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED

#define MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED   -0x7680

No CA Chain is set, but required to operate.

Definition at line 101 of file ssl.h.

◆ MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED

#define MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED   -0x7580

The own certificate is not set, but needed by the server.

Definition at line 99 of file ssl.h.

◆ MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE

#define MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE   -0x7500

Our own certificate(s) is/are too large to send in an SSL message.

Definition at line 98 of file ssl.h.

◆ MBEDTLS_ERR_SSL_CLIENT_RECONNECT

#define MBEDTLS_ERR_SSL_CLIENT_RECONNECT   -0x6780

The client initiated a reconnect from the same port.

Definition at line 136 of file ssl.h.

◆ MBEDTLS_ERR_SSL_COMPRESSION_FAILED

#define MBEDTLS_ERR_SSL_COMPRESSION_FAILED   -0x6F00

Processing of the compression / decompression failed

Definition at line 121 of file ssl.h.

◆ MBEDTLS_ERR_SSL_CONN_EOF

#define MBEDTLS_ERR_SSL_CONN_EOF   -0x7280

The connection indicated an EOF.

Definition at line 93 of file ssl.h.

◆ MBEDTLS_ERR_SSL_COUNTER_WRAPPING

#define MBEDTLS_ERR_SSL_COUNTER_WRAPPING   -0x6B80

A counter would wrap (eg, too many messages exchanged).

Definition at line 128 of file ssl.h.

◆ MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE

#define MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE   -0x7780

A fatal alert message was received from our peer.

Definition at line 103 of file ssl.h.

◆ MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE

#define MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE   -0x7080

The requested feature is not available.

Definition at line 89 of file ssl.h.

◆ MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED

#define MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED   -0x6A80

DTLS client must retry for hello verification

Definition at line 130 of file ssl.h.

◆ MBEDTLS_ERR_SSL_HW_ACCEL_FAILED

#define MBEDTLS_ERR_SSL_HW_ACCEL_FAILED   -0x7F80

Hardware acceleration function returned with error

Definition at line 119 of file ssl.h.

◆ MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH

#define MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH   -0x6F80

Hardware acceleration function skipped / left alone data

Definition at line 120 of file ssl.h.

◆ MBEDTLS_ERR_SSL_INTERNAL_ERROR

#define MBEDTLS_ERR_SSL_INTERNAL_ERROR   -0x6C00

Internal error (eg, unexpected failure in lower-level module)

Definition at line 127 of file ssl.h.

◆ MBEDTLS_ERR_SSL_INVALID_MAC

#define MBEDTLS_ERR_SSL_INVALID_MAC   -0x7180

Verification of the message MAC failed.

Definition at line 91 of file ssl.h.

◆ MBEDTLS_ERR_SSL_INVALID_RECORD

#define MBEDTLS_ERR_SSL_INVALID_RECORD   -0x7200

An invalid SSL record was received.

Definition at line 92 of file ssl.h.

◆ MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH

#define MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH   -0x6600

Couldn't set the hash for verifying CertificateVerify

Definition at line 139 of file ssl.h.

◆ MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN

#define MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN   -0x7380

The server has no ciphersuites in common with the client.

Definition at line 95 of file ssl.h.

◆ MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE

#define MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE   -0x7480

No client certification received from the client, but required by the authentication mode.

Definition at line 97 of file ssl.h.

◆ MBEDTLS_ERR_SSL_NO_RNG

#define MBEDTLS_ERR_SSL_NO_RNG   -0x7400

No RNG was provided to the SSL module.

Definition at line 96 of file ssl.h.

◆ MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE

#define MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE   -0x6980

None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages).

Definition at line 132 of file ssl.h.

◆ MBEDTLS_ERR_SSL_NON_FATAL

#define MBEDTLS_ERR_SSL_NON_FATAL   -0x6680

The alert message received indicates a non-fatal error.

Definition at line 138 of file ssl.h.

◆ MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY

#define MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY   -0x7880

The peer notified us that the connection is going to be closed.

Definition at line 105 of file ssl.h.

◆ MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED

#define MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED   -0x7800

Verification of our peer failed.

Definition at line 104 of file ssl.h.

◆ MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH

#define MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH   -0x6D00

Public key type mismatch (eg, asked for RSA key exchange and presented EC key)

Definition at line 125 of file ssl.h.

◆ MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED

#define MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED   -0x7600

The own private key or pre-shared key is not set, but needed.

Definition at line 100 of file ssl.h.

◆ MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED

#define MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED   -0x6D80

Session ticket has expired.

Definition at line 124 of file ssl.h.

◆ MBEDTLS_ERR_SSL_TIMEOUT

#define MBEDTLS_ERR_SSL_TIMEOUT   -0x6800

The operation timed out.

Definition at line 135 of file ssl.h.

◆ MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE

#define MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE   -0x7700

An unexpected message was received from our peer.

Definition at line 102 of file ssl.h.

◆ MBEDTLS_ERR_SSL_UNEXPECTED_RECORD

#define MBEDTLS_ERR_SSL_UNEXPECTED_RECORD   -0x6700

Record header looks valid but is not expected.

Definition at line 137 of file ssl.h.

◆ MBEDTLS_ERR_SSL_UNKNOWN_CIPHER

#define MBEDTLS_ERR_SSL_UNKNOWN_CIPHER   -0x7300

An unknown cipher was received.

Definition at line 94 of file ssl.h.

◆ MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY

#define MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY   -0x6C80

Unknown identity received (eg, PSK identity)

Definition at line 126 of file ssl.h.

◆ MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO

#define MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO   -0x6B00

Unexpected message at ServerHello in renegotiation.

Definition at line 129 of file ssl.h.

◆ MBEDTLS_ERR_SSL_WANT_READ

#define MBEDTLS_ERR_SSL_WANT_READ   -0x6900

Connection requires a read call.

Definition at line 133 of file ssl.h.

◆ MBEDTLS_ERR_SSL_WANT_WRITE

#define MBEDTLS_ERR_SSL_WANT_WRITE   -0x6880

Connection requires a write call.

Definition at line 134 of file ssl.h.

◆ MBEDTLS_PREMASTER_SIZE

#define MBEDTLS_PREMASTER_SIZE   sizeof( union mbedtls_ssl_premaster_secret )

Definition at line 418 of file ssl.h.

◆ MBEDTLS_PSK_MAX_LEN

#define MBEDTLS_PSK_MAX_LEN   32 /* 256 bits */

Definition at line 381 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_LEVEL_FATAL

#define MBEDTLS_SSL_ALERT_LEVEL_FATAL   2

Definition at line 306 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_LEVEL_WARNING

#define MBEDTLS_SSL_ALERT_LEVEL_WARNING   1

Definition at line 305 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED

#define MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED   49 /* 0x31 */

Definition at line 323 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_BAD_CERT

#define MBEDTLS_SSL_ALERT_MSG_BAD_CERT   42 /* 0x2A */

Definition at line 316 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC

#define MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC   20 /* 0x14 */

Definition at line 310 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED

#define MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED   45 /* 0x2D */

Definition at line 319 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED

#define MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED   44 /* 0x2C */

Definition at line 318 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN

#define MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN   46 /* 0x2E */

Definition at line 320 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY

#define MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY   0 /* 0x00 */

Definition at line 308 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR

#define MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR   50 /* 0x32 */

Definition at line 324 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_DECOMPRESSION_FAILURE

#define MBEDTLS_SSL_ALERT_MSG_DECOMPRESSION_FAILURE   30 /* 0x1E */

Definition at line 313 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR

#define MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR   51 /* 0x33 */

Definition at line 325 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_DECRYPTION_FAILED

#define MBEDTLS_SSL_ALERT_MSG_DECRYPTION_FAILED   21 /* 0x15 */

Definition at line 311 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_EXPORT_RESTRICTION

#define MBEDTLS_SSL_ALERT_MSG_EXPORT_RESTRICTION   60 /* 0x3C */

Definition at line 326 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE

#define MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE   40 /* 0x28 */

Definition at line 314 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER

#define MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER   47 /* 0x2F */

Definition at line 321 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK

#define MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK   86 /* 0x56 */

Definition at line 330 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_INSUFFICIENT_SECURITY

#define MBEDTLS_SSL_ALERT_MSG_INSUFFICIENT_SECURITY   71 /* 0x47 */

Definition at line 328 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR

#define MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR   80 /* 0x50 */

Definition at line 329 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL

#define MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL   120 /* 0x78 */

Definition at line 336 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_NO_CERT

#define MBEDTLS_SSL_ALERT_MSG_NO_CERT   41 /* 0x29 */

Definition at line 315 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION

#define MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION   100 /* 0x64 */

Definition at line 332 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION

#define MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION   70 /* 0x46 */

Definition at line 327 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_RECORD_OVERFLOW

#define MBEDTLS_SSL_ALERT_MSG_RECORD_OVERFLOW   22 /* 0x16 */

Definition at line 312 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE

#define MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE   10 /* 0x0A */

Definition at line 309 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA

#define MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA   48 /* 0x30 */

Definition at line 322 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY

#define MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY   115 /* 0x73 */

Definition at line 335 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME

#define MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME   112 /* 0x70 */

Definition at line 334 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT

#define MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT   43 /* 0x2B */

Definition at line 317 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT

#define MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT   110 /* 0x6E */

Definition at line 333 of file ssl.h.

◆ MBEDTLS_SSL_ALERT_MSG_USER_CANCELED

#define MBEDTLS_SSL_ALERT_MSG_USER_CANCELED   90 /* 0x5A */

Definition at line 331 of file ssl.h.

◆ MBEDTLS_SSL_ANTI_REPLAY_DISABLED

#define MBEDTLS_SSL_ANTI_REPLAY_DISABLED   0

Definition at line 194 of file ssl.h.

◆ MBEDTLS_SSL_ANTI_REPLAY_ENABLED

#define MBEDTLS_SSL_ANTI_REPLAY_ENABLED   1

Definition at line 195 of file ssl.h.

◆ MBEDTLS_SSL_ARC4_DISABLED

#define MBEDTLS_SSL_ARC4_DISABLED   1

Definition at line 215 of file ssl.h.

◆ MBEDTLS_SSL_ARC4_ENABLED

#define MBEDTLS_SSL_ARC4_ENABLED   0

Definition at line 214 of file ssl.h.

◆ MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED

#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED   0

Definition at line 211 of file ssl.h.

◆ MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED

#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED   1

Definition at line 212 of file ssl.h.

◆ MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED

#define MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED   0

Definition at line 221 of file ssl.h.

◆ MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED

#define MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED   1

Definition at line 220 of file ssl.h.

◆ MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN

#define MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN   64

Definition at line 295 of file ssl.h.

◆ MBEDTLS_SSL_CERT_TYPE_RSA_SIGN

#define MBEDTLS_SSL_CERT_TYPE_RSA_SIGN   1

Definition at line 294 of file ssl.h.

◆ MBEDTLS_SSL_COMPRESS_DEFLATE

#define MBEDTLS_SSL_COMPRESS_DEFLATE   1

Definition at line 181 of file ssl.h.

◆ MBEDTLS_SSL_COMPRESS_NULL

#define MBEDTLS_SSL_COMPRESS_NULL   0

Definition at line 180 of file ssl.h.

◆ MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME

#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME   86400

Lifetime of session tickets (if enabled)

Definition at line 239 of file ssl.h.

◆ MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX

#define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX   60000

Definition at line 228 of file ssl.h.

◆ MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN

#define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN   1000

Definition at line 227 of file ssl.h.

◆ MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO

#define MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO   0xFF

renegotiation info ext

Definition at line 271 of file ssl.h.

◆ MBEDTLS_SSL_ETM_DISABLED

#define MBEDTLS_SSL_ETM_DISABLED   0

Definition at line 177 of file ssl.h.

◆ MBEDTLS_SSL_ETM_ENABLED

#define MBEDTLS_SSL_ETM_ENABLED   1

Definition at line 178 of file ssl.h.

◆ MBEDTLS_SSL_EXTENDED_MS_DISABLED

#define MBEDTLS_SSL_EXTENDED_MS_DISABLED   0

Definition at line 174 of file ssl.h.

◆ MBEDTLS_SSL_EXTENDED_MS_ENABLED

#define MBEDTLS_SSL_EXTENDED_MS_ENABLED   1

Definition at line 175 of file ssl.h.

◆ MBEDTLS_SSL_FALLBACK_SCSV_VALUE

#define MBEDTLS_SSL_FALLBACK_SCSV_VALUE   0x5600

RFC 7507 section 2

Definition at line 272 of file ssl.h.

◆ MBEDTLS_SSL_HASH_MD5

#define MBEDTLS_SSL_HASH_MD5   1

Definition at line 279 of file ssl.h.

◆ MBEDTLS_SSL_HASH_NONE

#define MBEDTLS_SSL_HASH_NONE   0

Definition at line 278 of file ssl.h.

◆ MBEDTLS_SSL_HASH_SHA1

#define MBEDTLS_SSL_HASH_SHA1   2

Definition at line 280 of file ssl.h.

◆ MBEDTLS_SSL_HASH_SHA224

#define MBEDTLS_SSL_HASH_SHA224   3

Definition at line 281 of file ssl.h.

◆ MBEDTLS_SSL_HASH_SHA256

#define MBEDTLS_SSL_HASH_SHA256   4

Definition at line 282 of file ssl.h.

◆ MBEDTLS_SSL_HASH_SHA384

#define MBEDTLS_SSL_HASH_SHA384   5

Definition at line 283 of file ssl.h.

◆ MBEDTLS_SSL_HASH_SHA512

#define MBEDTLS_SSL_HASH_SHA512   6

Definition at line 284 of file ssl.h.

◆ MBEDTLS_SSL_HS_CERTIFICATE

#define MBEDTLS_SSL_HS_CERTIFICATE   11

Definition at line 343 of file ssl.h.

◆ MBEDTLS_SSL_HS_CERTIFICATE_REQUEST

#define MBEDTLS_SSL_HS_CERTIFICATE_REQUEST   13

Definition at line 345 of file ssl.h.

◆ MBEDTLS_SSL_HS_CERTIFICATE_VERIFY

#define MBEDTLS_SSL_HS_CERTIFICATE_VERIFY   15

Definition at line 347 of file ssl.h.

◆ MBEDTLS_SSL_HS_CLIENT_HELLO

#define MBEDTLS_SSL_HS_CLIENT_HELLO   1

Definition at line 339 of file ssl.h.

◆ MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE

#define MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE   16

Definition at line 348 of file ssl.h.

◆ MBEDTLS_SSL_HS_FINISHED

#define MBEDTLS_SSL_HS_FINISHED   20

Definition at line 349 of file ssl.h.

◆ MBEDTLS_SSL_HS_HELLO_REQUEST

#define MBEDTLS_SSL_HS_HELLO_REQUEST   0

Definition at line 338 of file ssl.h.

◆ MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST

#define MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST   3

Definition at line 341 of file ssl.h.

◆ MBEDTLS_SSL_HS_NEW_SESSION_TICKET

#define MBEDTLS_SSL_HS_NEW_SESSION_TICKET   4

Definition at line 342 of file ssl.h.

◆ MBEDTLS_SSL_HS_SERVER_HELLO

#define MBEDTLS_SSL_HS_SERVER_HELLO   2

Definition at line 340 of file ssl.h.

◆ MBEDTLS_SSL_HS_SERVER_HELLO_DONE

#define MBEDTLS_SSL_HS_SERVER_HELLO_DONE   14

Definition at line 346 of file ssl.h.

◆ MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE

#define MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE   12

Definition at line 344 of file ssl.h.

◆ MBEDTLS_SSL_IS_CLIENT

#define MBEDTLS_SSL_IS_CLIENT   0

Definition at line 168 of file ssl.h.

◆ MBEDTLS_SSL_IS_FALLBACK

#define MBEDTLS_SSL_IS_FALLBACK   1

Definition at line 172 of file ssl.h.

◆ MBEDTLS_SSL_IS_NOT_FALLBACK

#define MBEDTLS_SSL_IS_NOT_FALLBACK   0

Definition at line 171 of file ssl.h.

◆ MBEDTLS_SSL_IS_SERVER

#define MBEDTLS_SSL_IS_SERVER   1

Definition at line 169 of file ssl.h.

◆ MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION

#define MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION   1

Definition at line 201 of file ssl.h.

◆ MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE

#define MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE   2

Definition at line 202 of file ssl.h.

◆ MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION

#define MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION   0

Definition at line 200 of file ssl.h.

◆ MBEDTLS_SSL_LEGACY_RENEGOTIATION

#define MBEDTLS_SSL_LEGACY_RENEGOTIATION   0

Definition at line 188 of file ssl.h.

◆ MBEDTLS_SSL_MAJOR_VERSION_3

#define MBEDTLS_SSL_MAJOR_VERSION_3   3

Definition at line 145 of file ssl.h.

◆ MBEDTLS_SSL_MAX_ALPN_LIST_LEN

#define MBEDTLS_SSL_MAX_ALPN_LIST_LEN   65535

Maximum size in bytes of list in alpn ext., RFC 7301

Definition at line 157 of file ssl.h.

◆ MBEDTLS_SSL_MAX_ALPN_NAME_LEN

#define MBEDTLS_SSL_MAX_ALPN_NAME_LEN   255

Maximum size in bytes of a protocol name in alpn ext., RFC 7301

Definition at line 155 of file ssl.h.

◆ MBEDTLS_SSL_MAX_CONTENT_LEN

#define MBEDTLS_SSL_MAX_CONTENT_LEN   16384

Size of the input / output buffer

Definition at line 254 of file ssl.h.

◆ MBEDTLS_SSL_MAX_FRAG_LEN_1024

#define MBEDTLS_SSL_MAX_FRAG_LEN_1024   2

MaxFragmentLength 2^10

Definition at line 163 of file ssl.h.

◆ MBEDTLS_SSL_MAX_FRAG_LEN_2048

#define MBEDTLS_SSL_MAX_FRAG_LEN_2048   3

MaxFragmentLength 2^11

Definition at line 164 of file ssl.h.

◆ MBEDTLS_SSL_MAX_FRAG_LEN_4096

#define MBEDTLS_SSL_MAX_FRAG_LEN_4096   4

MaxFragmentLength 2^12

Definition at line 165 of file ssl.h.

◆ MBEDTLS_SSL_MAX_FRAG_LEN_512

#define MBEDTLS_SSL_MAX_FRAG_LEN_512   1

MaxFragmentLength 2^9

Definition at line 162 of file ssl.h.

◆ MBEDTLS_SSL_MAX_FRAG_LEN_INVALID

#define MBEDTLS_SSL_MAX_FRAG_LEN_INVALID   5

first invalid value

Definition at line 166 of file ssl.h.

◆ MBEDTLS_SSL_MAX_FRAG_LEN_NONE

#define MBEDTLS_SSL_MAX_FRAG_LEN_NONE   0

don't use this extension

Definition at line 161 of file ssl.h.

◆ MBEDTLS_SSL_MAX_HOST_NAME_LEN

#define MBEDTLS_SSL_MAX_HOST_NAME_LEN   255

Maximum host name defined in RFC 1035

Definition at line 154 of file ssl.h.

◆ MBEDTLS_SSL_MINOR_VERSION_0

#define MBEDTLS_SSL_MINOR_VERSION_0   0

SSL v3.0

Definition at line 146 of file ssl.h.

◆ MBEDTLS_SSL_MINOR_VERSION_1

#define MBEDTLS_SSL_MINOR_VERSION_1   1

TLS v1.0

Definition at line 147 of file ssl.h.

◆ MBEDTLS_SSL_MINOR_VERSION_2

#define MBEDTLS_SSL_MINOR_VERSION_2   2

TLS v1.1

Definition at line 148 of file ssl.h.

◆ MBEDTLS_SSL_MINOR_VERSION_3

#define MBEDTLS_SSL_MINOR_VERSION_3   3

TLS v1.2

Definition at line 149 of file ssl.h.

◆ MBEDTLS_SSL_MSG_ALERT

#define MBEDTLS_SSL_MSG_ALERT   21

Definition at line 301 of file ssl.h.

◆ MBEDTLS_SSL_MSG_APPLICATION_DATA

#define MBEDTLS_SSL_MSG_APPLICATION_DATA   23

Definition at line 303 of file ssl.h.

◆ MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC

#define MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC   20

Definition at line 300 of file ssl.h.

◆ MBEDTLS_SSL_MSG_HANDSHAKE

#define MBEDTLS_SSL_MSG_HANDSHAKE   22

Definition at line 302 of file ssl.h.

◆ MBEDTLS_SSL_PRESET_DEFAULT

#define MBEDTLS_SSL_PRESET_DEFAULT   0

Definition at line 217 of file ssl.h.

◆ MBEDTLS_SSL_PRESET_SUITEB

#define MBEDTLS_SSL_PRESET_SUITEB   2

Definition at line 218 of file ssl.h.

◆ MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT

#define MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT   16

Definition at line 198 of file ssl.h.

◆ MBEDTLS_SSL_RENEGOTIATION_DISABLED

#define MBEDTLS_SSL_RENEGOTIATION_DISABLED   0

Definition at line 191 of file ssl.h.

◆ MBEDTLS_SSL_RENEGOTIATION_ENABLED

#define MBEDTLS_SSL_RENEGOTIATION_ENABLED   1

Definition at line 192 of file ssl.h.

◆ MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED

#define MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED   -1

Definition at line 197 of file ssl.h.

◆ MBEDTLS_SSL_SECURE_RENEGOTIATION

#define MBEDTLS_SSL_SECURE_RENEGOTIATION   1

Definition at line 189 of file ssl.h.

◆ MBEDTLS_SSL_SESSION_TICKETS_DISABLED

#define MBEDTLS_SSL_SESSION_TICKETS_DISABLED   0

Definition at line 208 of file ssl.h.

◆ MBEDTLS_SSL_SESSION_TICKETS_ENABLED

#define MBEDTLS_SSL_SESSION_TICKETS_ENABLED   1

Definition at line 209 of file ssl.h.

◆ MBEDTLS_SSL_SIG_ANON

#define MBEDTLS_SSL_SIG_ANON   0

Definition at line 286 of file ssl.h.

◆ MBEDTLS_SSL_SIG_ECDSA

#define MBEDTLS_SSL_SIG_ECDSA   3

Definition at line 288 of file ssl.h.

◆ MBEDTLS_SSL_SIG_RSA

#define MBEDTLS_SSL_SIG_RSA   1

Definition at line 287 of file ssl.h.

◆ MBEDTLS_SSL_TRANSPORT_DATAGRAM

#define MBEDTLS_SSL_TRANSPORT_DATAGRAM   1

DTLS

Definition at line 152 of file ssl.h.

◆ MBEDTLS_SSL_TRANSPORT_STREAM

#define MBEDTLS_SSL_TRANSPORT_STREAM   0

TLS

Definition at line 151 of file ssl.h.

◆ MBEDTLS_SSL_TRUNC_HMAC_DISABLED

#define MBEDTLS_SSL_TRUNC_HMAC_DISABLED   0

Definition at line 204 of file ssl.h.

◆ MBEDTLS_SSL_TRUNC_HMAC_ENABLED

#define MBEDTLS_SSL_TRUNC_HMAC_ENABLED   1

Definition at line 205 of file ssl.h.

◆ MBEDTLS_SSL_TRUNCATED_HMAC_LEN

#define MBEDTLS_SSL_TRUNCATED_HMAC_LEN   10 /* 80 bits, rfc 6066 section 7 */

Definition at line 206 of file ssl.h.

◆ MBEDTLS_SSL_VERIFY_DATA_MAX_LEN

#define MBEDTLS_SSL_VERIFY_DATA_MAX_LEN   12

Definition at line 265 of file ssl.h.

◆ MBEDTLS_SSL_VERIFY_NONE

#define MBEDTLS_SSL_VERIFY_NONE   0

Definition at line 183 of file ssl.h.

◆ MBEDTLS_SSL_VERIFY_OPTIONAL

#define MBEDTLS_SSL_VERIFY_OPTIONAL   1

Definition at line 184 of file ssl.h.

◆ MBEDTLS_SSL_VERIFY_REQUIRED

#define MBEDTLS_SSL_VERIFY_REQUIRED   2

Definition at line 185 of file ssl.h.

◆ MBEDTLS_SSL_VERIFY_UNSET

#define MBEDTLS_SSL_VERIFY_UNSET   3 /* Used only for sni_authmode */

Definition at line 186 of file ssl.h.

◆ MBEDTLS_TLS_EXT_ALPN

#define MBEDTLS_TLS_EXT_ALPN   16

Definition at line 366 of file ssl.h.

◆ MBEDTLS_TLS_EXT_ECJPAKE_KKPP

#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP   256 /* experimental */

Definition at line 373 of file ssl.h.

◆ MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC

#define MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC   22 /* 0x16 */

Definition at line 368 of file ssl.h.

◆ MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET

#define MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET   0x0017 /* 23 */

Definition at line 369 of file ssl.h.

◆ MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH

#define MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH   1

Definition at line 357 of file ssl.h.

◆ MBEDTLS_TLS_EXT_RENEGOTIATION_INFO

#define MBEDTLS_TLS_EXT_RENEGOTIATION_INFO   0xFF01

Definition at line 375 of file ssl.h.

◆ MBEDTLS_TLS_EXT_SERVERNAME

#define MBEDTLS_TLS_EXT_SERVERNAME   0

Definition at line 354 of file ssl.h.

◆ MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME

#define MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME   0

Definition at line 355 of file ssl.h.

◆ MBEDTLS_TLS_EXT_SESSION_TICKET

#define MBEDTLS_TLS_EXT_SESSION_TICKET   35

Definition at line 371 of file ssl.h.

◆ MBEDTLS_TLS_EXT_SIG_ALG

#define MBEDTLS_TLS_EXT_SIG_ALG   13

Definition at line 364 of file ssl.h.

◆ MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES

#define MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES   10

Definition at line 361 of file ssl.h.

◆ MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS

#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS   11

Definition at line 362 of file ssl.h.

◆ MBEDTLS_TLS_EXT_TRUNCATED_HMAC

#define MBEDTLS_TLS_EXT_TRUNCATED_HMAC   4

Definition at line 359 of file ssl.h.

Typedef Documentation

◆ mbedtls_ssl_config

Definition at line 564 of file ssl.h.

◆ mbedtls_ssl_context

Definition at line 563 of file ssl.h.

◆ mbedtls_ssl_cookie_check_t

typedef int mbedtls_ssl_cookie_check_t(void *ctx, const unsigned char *cookie, size_t clen, const unsigned char *info, size_t ilen)

Callback type: verify a cookie.

Parameters
ctxContext for the callback
cookieCookie to verify
clenLength of cookie
infoClient ID info that was passed to mbedtls_ssl_set_client_transport_id()
ilenLength of info in bytes
Returns
The callback must return 0 if cookie is valid, or a negative error code.

Definition at line 1354 of file ssl.h.

◆ mbedtls_ssl_cookie_write_t

typedef int mbedtls_ssl_cookie_write_t(void *ctx, unsigned char **p, unsigned char *end, const unsigned char *info, size_t ilen)

Callback type: generate a cookie.

Parameters
ctxContext for the callback
pBuffer to write to, must be updated to point right after the cookie
endPointer to one past the end of the output buffer
infoClient ID info that was passed to mbedtls_ssl_set_client_transport_id()
ilenLength of info in bytes
Returns
The callback must return 0 on success, or a negative error code.

Definition at line 1337 of file ssl.h.

◆ mbedtls_ssl_get_timer_t

typedef int mbedtls_ssl_get_timer_t(void *ctx)

Callback type: get status of timers/delays.

Parameters
ctxContext pointer
Returns
This callback must return: -1 if cancelled (fin_ms == 0), 0 if none of the delays have passed, 1 if only the intermediate delay has passed, 2 if the final delay has passed.

Definition at line 558 of file ssl.h.

◆ mbedtls_ssl_handshake_params

◆ mbedtls_ssl_key_cert

Definition at line 571 of file ssl.h.

◆ mbedtls_ssl_recv_t

typedef int mbedtls_ssl_recv_t(void *ctx, unsigned char *buf, size_t len)

Callback type: receive data from the network.

Note
That callback may be either blocking or non-blocking.
Parameters
ctxContext for the receive callback (typically a file descriptor)
bufBuffer to write the received data to
lenLength of the receive buffer
Returns
The callback must return the number of bytes received, or a non-zero error code. If performing non-blocking I/O, MBEDTLS_ERR_SSL_WANT_READ must be returned when the operation would block.
Note
The callback may receive fewer bytes than the length of the buffer. It must always return the number of bytes actually received and written to the buffer.

Definition at line 491 of file ssl.h.

◆ mbedtls_ssl_recv_timeout_t

typedef int mbedtls_ssl_recv_timeout_t(void *ctx, unsigned char *buf, size_t len, uint32_t timeout)

Callback type: receive data from the network, with timeout.

Note
That callback must block until data is received, or the timeout delay expires, or the operation is interrupted by a signal.
Parameters
ctxContext for the receive callback (typically a file descriptor)
bufBuffer to write the received data to
lenLength of the receive buffer
timeoutMaximum nomber of millisecondes to wait for data 0 means no timeout (potentially waiting forever)
Returns
The callback must return the number of bytes received, or a non-zero error code: MBEDTLS_ERR_SSL_TIMEOUT if the operation timed out, MBEDTLS_ERR_SSL_WANT_READ if interrupted by a signal.
Note
The callback may receive fewer bytes than the length of the buffer. It must always return the number of bytes actually received and written to the buffer.

Definition at line 517 of file ssl.h.

◆ mbedtls_ssl_send_t

typedef int mbedtls_ssl_send_t(void *ctx, const unsigned char *buf, size_t len)

Callback type: send data on the network.

Note
That callback may be either blocking or non-blocking.
Parameters
ctxContext for the send callback (typically a file descriptor)
bufBuffer holding the data to send
lenLength of the data to send
Returns
The callback must return the number of bytes sent if any, or a non-zero error code. If performing non-blocking I/O, MBEDTLS_ERR_SSL_WANT_WRITE must be returned when the operation would block.
Note
The callback is allowed to send fewer bytes than requested. It must always return the number of bytes actually sent.

Definition at line 468 of file ssl.h.

◆ mbedtls_ssl_session

Definition at line 562 of file ssl.h.

◆ mbedtls_ssl_set_timer_t

typedef void mbedtls_ssl_set_timer_t(void *ctx, uint32_t int_ms, uint32_t fin_ms)

Callback type: set a pair of timers/delays to watch.

Parameters
ctxContext pointer
int_msIntermediate delay in milliseconds
fin_msFinal delay in milliseconds 0 cancels the current timer.
Note
This callback must at least store the necessary information for the associated mbedtls_ssl_get_timer_t callback to return correct information.
If using a event-driven style of programming, an event must be generated when the final delay is passed. The event must cause a call to mbedtls_ssl_handshake() with the proper SSL context to be scheduled. Care must be taken to ensure that at most one such call happens at a time.
Only one timer at a time must be running. Calling this function while a timer is running must cancel it. Cancelled timers must not generate any event.

Definition at line 543 of file ssl.h.

◆ mbedtls_ssl_sig_hash_set_t

◆ mbedtls_ssl_ticket_parse_t

typedef int mbedtls_ssl_ticket_parse_t(void *p_ticket, mbedtls_ssl_session *session, unsigned char *buf, size_t len)

Callback type: parse and load session ticket.

Note
This describes what a callback implementation should do. This callback should parse a session ticket as generated by the corresponding mbedtls_ssl_ticket_write_t function, and, if the ticket is authentic and valid, load the session.
The implementation is allowed to modify the first len bytes of the input buffer, eg to use it as a temporary area for the decrypted ticket contents.
Parameters
p_ticketContext for the callback
sessionSSL session to be loaded
bufStart of the buffer containing the ticket
lenLength of the ticket.
Returns
0 if successful, or MBEDTLS_ERR_SSL_INVALID_MAC if not authentic, or MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED if expired, or any other non-zero code for other failures.

Definition at line 1281 of file ssl.h.

◆ mbedtls_ssl_ticket_write_t

typedef int mbedtls_ssl_ticket_write_t(void *p_ticket, const mbedtls_ssl_session *session, unsigned char *start, const unsigned char *end, size_t *tlen, uint32_t *lifetime)

Callback type: generate and write session ticket.

Note
This describes what a callback implementation should do. This callback should generate an encrypted and authenticated ticket for the session and write it to the output buffer. Here, ticket means the opaque ticket part of the NewSessionTicket structure of RFC 5077.
Parameters
p_ticketContext for the callback
sessionSSL session to be written in the ticket
startStart of the output buffer
endEnd of the output buffer
tlenOn exit, holds the length written
lifetimeOn exit, holds the lifetime of the ticket in seconds
Returns
0 if successful, or a specific MBEDTLS_ERR_XXX code.

Definition at line 1222 of file ssl.h.

◆ mbedtls_ssl_transform

Definition at line 567 of file ssl.h.

Enumeration Type Documentation

◆ mbedtls_ssl_states

Enumerator
MBEDTLS_SSL_HELLO_REQUEST 
MBEDTLS_SSL_CLIENT_HELLO 
MBEDTLS_SSL_SERVER_HELLO 
MBEDTLS_SSL_SERVER_CERTIFICATE 
MBEDTLS_SSL_SERVER_KEY_EXCHANGE 
MBEDTLS_SSL_CERTIFICATE_REQUEST 
MBEDTLS_SSL_SERVER_HELLO_DONE 
MBEDTLS_SSL_CLIENT_CERTIFICATE 
MBEDTLS_SSL_CLIENT_KEY_EXCHANGE 
MBEDTLS_SSL_CERTIFICATE_VERIFY 
MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC 
MBEDTLS_SSL_CLIENT_FINISHED 
MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC 
MBEDTLS_SSL_SERVER_FINISHED 
MBEDTLS_SSL_FLUSH_BUFFERS 
MBEDTLS_SSL_HANDSHAKE_WRAPUP 
MBEDTLS_SSL_HANDSHAKE_OVER 
MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET 
MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT 

Definition at line 427 of file ssl.h.

428 {
448 }

Function Documentation

◆ mbedtls_ssl_close_notify()

int mbedtls_ssl_close_notify ( mbedtls_ssl_context ssl)

Notify the peer that the connection is being closed.

Parameters
sslSSL context
Returns
0 if successful, or a specific SSL error code.
Note
If this function returns something other than 0 or MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context becomes unusable, and you should either free it or call mbedtls_ssl_session_reset() on it before re-using it for a new connection; the current connection must be closed.

◆ mbedtls_ssl_conf_alpn_protocols()

int mbedtls_ssl_conf_alpn_protocols ( mbedtls_ssl_config conf,
const char **  protos 
)

Set the supported Application Layer Protocols.

Parameters
confSSL configuration
protosPointer to a NULL-terminated list of supported protocols, in decreasing preference order. The pointer to the list is recorded by the library for later reference as required, so the lifetime of the table must be atleast as long as the lifetime of the SSL configuration structure.
Returns
0 on success, or MBEDTLS_ERR_SSL_BAD_INPUT_DATA.

◆ mbedtls_ssl_conf_arc4_support()

void mbedtls_ssl_conf_arc4_support ( mbedtls_ssl_config conf,
char  arc4 
)

Disable or enable support for RC4 (Default: MBEDTLS_SSL_ARC4_DISABLED)

Warning
Use of RC4 in DTLS/TLS has been prohibited by RFC 7465 for security reasons. Use at your own risk.
Note
This function is deprecated and will likely be removed in a future version of the library. RC4 is disabled by default at compile time and needs to be actively enabled for use with legacy systems.
Parameters
confSSL configuration
arc4MBEDTLS_SSL_ARC4_ENABLED or MBEDTLS_SSL_ARC4_DISABLED

◆ mbedtls_ssl_conf_authmode()

void mbedtls_ssl_conf_authmode ( mbedtls_ssl_config conf,
int  authmode 
)

Set the certificate verification mode Default: NONE on server, REQUIRED on client.

Parameters
confSSL configuration
authmodecan be:

MBEDTLS_SSL_VERIFY_NONE: peer certificate is not checked (default on server) (insecure on client)

MBEDTLS_SSL_VERIFY_OPTIONAL: peer certificate is checked, however the handshake continues even if verification failed; mbedtls_ssl_get_verify_result() can be called after the handshake is complete.

MBEDTLS_SSL_VERIFY_REQUIRED: peer must present a valid certificate, handshake is aborted if verification failed. (default on client)

Note
On client, MBEDTLS_SSL_VERIFY_REQUIRED is the recommended mode. With MBEDTLS_SSL_VERIFY_OPTIONAL, the user needs to call mbedtls_ssl_get_verify_result() at the right time(s), which may not be obvious, while REQUIRED always perform the verification as soon as possible. For example, REQUIRED was protecting against the "triple handshake" attack even before it was found.

◆ mbedtls_ssl_conf_ca_chain()

void mbedtls_ssl_conf_ca_chain ( mbedtls_ssl_config conf,
mbedtls_x509_crt ca_chain,
mbedtls_x509_crl ca_crl 
)

Set the data required to verify peer certificate.

Note
See mbedtls_x509_crt_verify() for notes regarding the parameters ca_chain (maps to trust_ca for that function) and ca_crl.
Parameters
confSSL configuration
ca_chaintrusted CA chain (meaning all fully trusted top-level CAs)
ca_crltrusted CA CRLs

◆ mbedtls_ssl_conf_cbc_record_splitting()

void mbedtls_ssl_conf_cbc_record_splitting ( mbedtls_ssl_config conf,
char  split 
)

Enable / Disable 1/n-1 record splitting (Default: MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED)

Note
Only affects SSLv3 and TLS 1.0, not higher versions. Does not affect non-CBC ciphersuites in any version.
Parameters
confSSL configuration
splitMBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED or MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED

◆ mbedtls_ssl_conf_cert_profile()

void mbedtls_ssl_conf_cert_profile ( mbedtls_ssl_config conf,
const mbedtls_x509_crt_profile profile 
)

Set the X.509 security profile used for verification.

Note
The restrictions are enforced for all certificates in the chain. However, signatures in the handshake are not covered by this setting but by mbedtls_ssl_conf_sig_hashes().
Parameters
confSSL configuration
profileProfile to use

◆ mbedtls_ssl_conf_ciphersuites()

void mbedtls_ssl_conf_ciphersuites ( mbedtls_ssl_config conf,
const int ciphersuites 
)

Set the list of allowed ciphersuites and the preference order. First in the list has the highest preference. (Overrides all version-specific lists)

The ciphersuites array is not copied, and must remain valid for the lifetime of the ssl_config.

Note: The server uses its own preferences over the preference of the client unless MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE is defined!

Parameters
confSSL configuration
ciphersuites0-terminated list of allowed ciphersuites

◆ mbedtls_ssl_conf_ciphersuites_for_version()

void mbedtls_ssl_conf_ciphersuites_for_version ( mbedtls_ssl_config conf,
const int ciphersuites,
int  major,
int  minor 
)

Set the list of allowed ciphersuites and the preference order for a specific version of the protocol. (Only useful on the server side)

The ciphersuites array is not copied, and must remain valid for the lifetime of the ssl_config.

Parameters
confSSL configuration
ciphersuites0-terminated list of allowed ciphersuites
majorMajor version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported)
minorMinor version number (MBEDTLS_SSL_MINOR_VERSION_0, MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2, MBEDTLS_SSL_MINOR_VERSION_3 supported)
Note
With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2

◆ mbedtls_ssl_conf_curves()

void mbedtls_ssl_conf_curves ( mbedtls_ssl_config conf,
const mbedtls_ecp_group_id curves 
)

Set the allowed curves in order of preference. (Default: all defined curves.)

On server: this only affects selection of the ECDHE curve; the curves used for ECDH and ECDSA are determined by the list of available certificates instead.

On client: this affects the list of curves offered for any use. The server can override our preference order.

Both sides: limits the set of curves accepted for use in ECDHE and in the peer's end-entity certificate.

Note
This has no influence on which curves are allowed inside the certificate chains, see mbedtls_ssl_conf_cert_profile() for that. For the end-entity certificate however, the key will be accepted only if it is allowed both by this list and by the cert profile.
This list should be ordered by decreasing preference (preferred curve first).
Parameters
confSSL configuration
curvesOrdered list of allowed curves, terminated by MBEDTLS_ECP_DP_NONE.

◆ mbedtls_ssl_conf_dbg()

void mbedtls_ssl_conf_dbg ( mbedtls_ssl_config conf,
void(*)(void *, int, const char *, int, const char *)  f_dbg,
void p_dbg 
)

Set the debug callback.

            The callback has the following argument:
            void *           opaque context for the callback
            int              debug level
            const char *     file name
            int              line number
            const char *     message
Parameters
confSSL configuration
f_dbgdebug function
p_dbgdebug parameter

◆ mbedtls_ssl_conf_dhm_min_bitlen()

void mbedtls_ssl_conf_dhm_min_bitlen ( mbedtls_ssl_config conf,
unsigned int  bitlen 
)

Set the minimum length for Diffie-Hellman parameters. (Client-side only.) (Default: 1024 bits.)

Parameters
confSSL configuration
bitlenMinimum bit length of the DHM prime

◆ mbedtls_ssl_conf_encrypt_then_mac()

void mbedtls_ssl_conf_encrypt_then_mac ( mbedtls_ssl_config conf,
char  etm 
)

Enable or disable Encrypt-then-MAC (Default: MBEDTLS_SSL_ETM_ENABLED)

Note
This should always be enabled, it is a security improvement, and should not cause any interoperability issue (used only if the peer supports it too).
Parameters
confSSL configuration
etmMBEDTLS_SSL_ETM_ENABLED or MBEDTLS_SSL_ETM_DISABLED

◆ mbedtls_ssl_conf_endpoint()

void mbedtls_ssl_conf_endpoint ( mbedtls_ssl_config conf,
int  endpoint 
)

Set the current endpoint type.

Parameters
confSSL configuration
endpointmust be MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER

◆ mbedtls_ssl_conf_extended_master_secret()

void mbedtls_ssl_conf_extended_master_secret ( mbedtls_ssl_config conf,
char  ems 
)

Enable or disable Extended Master Secret negotiation. (Default: MBEDTLS_SSL_EXTENDED_MS_ENABLED)

Note
This should always be enabled, it is a security fix to the protocol, and should not cause any interoperability issue (used only if the peer supports it too).
Parameters
confSSL configuration
emsMBEDTLS_SSL_EXTENDED_MS_ENABLED or MBEDTLS_SSL_EXTENDED_MS_DISABLED

◆ mbedtls_ssl_conf_legacy_renegotiation()

void mbedtls_ssl_conf_legacy_renegotiation ( mbedtls_ssl_config conf,
int  allow_legacy 
)

Prevent or allow legacy renegotiation. (Default: MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION)

MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION allows connections to be established even if the peer does not support secure renegotiation, but does not allow renegotiation to take place if not secure. (Interoperable and secure option)

MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION allows renegotiations with non-upgraded peers. Allowing legacy renegotiation makes the connection vulnerable to specific man in the middle attacks. (See RFC 5746) (Most interoperable and least secure option)

MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE breaks off connections if peer does not support secure renegotiation. Results in interoperability issues with non-upgraded peers that do not support renegotiation altogether. (Most secure option, interoperability issues)

Parameters
confSSL configuration
allow_legacyPrevent or allow (SSL_NO_LEGACY_RENEGOTIATION, SSL_ALLOW_LEGACY_RENEGOTIATION or MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE)

◆ mbedtls_ssl_conf_max_frag_len()

int mbedtls_ssl_conf_max_frag_len ( mbedtls_ssl_config conf,
unsigned char  mfl_code 
)

Set the maximum fragment length to emit and/or negotiate. (Typical: MBEDTLS_SSL_MAX_CONTENT_LEN, by default that is set to 2^14 bytes) (Server: set maximum fragment length to emit, usually negotiated by the client during handshake) (Client: set maximum fragment length to emit and negotiate with the server during handshake) (Default: MBEDTLS_SSL_MAX_FRAG_LEN_NONE)

Note
With TLS, this currently only affects ApplicationData (sent with mbedtls_ssl_read()), not handshake messages. With DTLS, this affects both ApplicationData and handshake.
On the client side, the maximum fragment length extension will not be used, unless the maximum fragment length has been set via this function to a value different than MBEDTLS_SSL_MAX_FRAG_LEN_NONE.
This sets the maximum length for a record's payload, excluding record overhead that will be added to it, see mbedtls_ssl_get_record_expansion().
Parameters
confSSL configuration
mfl_codeCode for maximum fragment length (allowed values: MBEDTLS_SSL_MAX_FRAG_LEN_512, MBEDTLS_SSL_MAX_FRAG_LEN_1024, MBEDTLS_SSL_MAX_FRAG_LEN_2048, MBEDTLS_SSL_MAX_FRAG_LEN_4096)
Returns
0 if successful or MBEDTLS_ERR_SSL_BAD_INPUT_DATA

◆ mbedtls_ssl_conf_max_version()

void mbedtls_ssl_conf_max_version ( mbedtls_ssl_config conf,
int  major,
int  minor 
)

Set the maximum supported version sent from the client side and/or accepted at the server side (Default: MBEDTLS_SSL_MAX_MAJOR_VERSION, MBEDTLS_SSL_MAX_MINOR_VERSION)

Note
This ignores ciphersuites from higher versions.
With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
Parameters
confSSL configuration
majorMajor version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported)
minorMinor version number (MBEDTLS_SSL_MINOR_VERSION_0, MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2, MBEDTLS_SSL_MINOR_VERSION_3 supported)

◆ mbedtls_ssl_conf_min_version()

void mbedtls_ssl_conf_min_version ( mbedtls_ssl_config conf,
int  major,
int  minor 
)

Set the minimum accepted SSL/TLS protocol version (Default: TLS 1.0)

Note
Input outside of the SSL_MAX_XXXXX_VERSION and SSL_MIN_XXXXX_VERSION range is ignored.
MBEDTLS_SSL_MINOR_VERSION_0 (SSL v3) should be avoided.
With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
Parameters
confSSL configuration
majorMajor version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported)
minorMinor version number (MBEDTLS_SSL_MINOR_VERSION_0, MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2, MBEDTLS_SSL_MINOR_VERSION_3 supported)

◆ mbedtls_ssl_conf_own_cert()

int mbedtls_ssl_conf_own_cert ( mbedtls_ssl_config conf,
mbedtls_x509_crt own_cert,
mbedtls_pk_context pk_key 
)

Set own certificate chain and private key.

Note
own_cert should contain in order from the bottom up your certificate chain. The top certificate (self-signed) can be omitted.
On server, this function can be called multiple times to provision more than one cert/key pair (eg one ECDSA, one RSA with SHA-256, one RSA with SHA-1). An adequate certificate will be selected according to the client's advertised capabilities. In case multiple certificates are adequate, preference is given to the one set by the first call to this function, then second, etc.
On client, only the first call has any effect. That is, only one client certificate can be provisioned. The server's preferences in its CertficateRequest message will be ignored and our only cert will be sent regardless of whether it matches those preferences - the server can then decide what it wants to do with it.
The provided pk_key needs to match the public key in the first certificate in own_cert, or all handshakes using that certificate will fail. It is your responsibility to ensure that; this function will not perform any check. You may use mbedtls_pk_check_pair() in order to perform this check yourself, but be aware that this function can be computationally expensive on some key types.
Parameters
confSSL configuration
own_certown public certificate chain
pk_keyown private key
Returns
0 on success or MBEDTLS_ERR_SSL_ALLOC_FAILED

◆ mbedtls_ssl_conf_read_timeout()

void mbedtls_ssl_conf_read_timeout ( mbedtls_ssl_config conf,
uint32_t  timeout 
)

Set the timeout period for mbedtls_ssl_read() (Default: no timeout.)

Parameters
confSSL configuration context
timeoutTimeout value in milliseconds. Use 0 for no timeout (default).
Note
With blocking I/O, this will only work if a non-NULL f_recv_timeout was set with mbedtls_ssl_set_bio(). With non-blocking I/O, this will only work if timer callbacks were set with mbedtls_ssl_set_timer_cb().
With non-blocking I/O, you may also skip this function altogether and handle timeouts at the application layer.

◆ mbedtls_ssl_conf_renegotiation()

void mbedtls_ssl_conf_renegotiation ( mbedtls_ssl_config conf,
int  renegotiation 
)

Enable / Disable renegotiation support for connection when initiated by peer (Default: MBEDTLS_SSL_RENEGOTIATION_DISABLED)

Warning
It is recommended to always disable renegotation unless you know you need it and you know what you're doing. In the past, there have been several issues associated with renegotiation or a poor understanding of its properties.
Note
Server-side, enabling renegotiation also makes the server susceptible to a resource DoS by a malicious client.
Parameters
confSSL configuration
renegotiationEnable or disable (MBEDTLS_SSL_RENEGOTIATION_ENABLED or MBEDTLS_SSL_RENEGOTIATION_DISABLED)

◆ mbedtls_ssl_conf_renegotiation_enforced()

void mbedtls_ssl_conf_renegotiation_enforced ( mbedtls_ssl_config conf,
int  max_records 
)

Enforce renegotiation requests. (Default: enforced, max_records = 16)

When we request a renegotiation, the peer can comply or ignore the request. This function allows us to decide whether to enforce our renegotiation requests by closing the connection if the peer doesn't comply.

However, records could already be in transit from the peer when the request is emitted. In order to increase reliability, we can accept a number of records before the expected handshake records.

The optimal value is highly dependent on the specific usage scenario.

Note
With DTLS and server-initiated renegotiation, the HelloRequest is retransmited every time mbedtls_ssl_read() times out or receives Application Data, until:
  • max_records records have beens seen, if it is >= 0, or
  • the number of retransmits that would happen during an actual handshake has been reached. Please remember the request might be lost a few times if you consider setting max_records to a really low value.
Warning
On client, the grace period can only happen during mbedtls_ssl_read(), as opposed to mbedtls_ssl_write() and mbedtls_ssl_renegotiate() which always behave as if max_record was 0. The reason is, if we receive application data from the server, we need a place to write it, which only happens during mbedtls_ssl_read().
Parameters
confSSL configuration
max_recordsUse MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED if you don't want to enforce renegotiation, or a non-negative value to enforce it but allow for a grace period of max_records records.

◆ mbedtls_ssl_conf_renegotiation_period()

void mbedtls_ssl_conf_renegotiation_period ( mbedtls_ssl_config conf,
const unsigned char  period[8] 
)

Set record counter threshold for periodic renegotiation. (Default: 2^48 - 1)

Renegotiation is automatically triggered when a record counter (outgoing or ingoing) crosses the defined threshold. The default value is meant to prevent the connection from being closed when the counter is about to reached its maximal value (it is not allowed to wrap).

Lower values can be used to enforce policies such as "keys must be refreshed every N packets with cipher X".

The renegotiation period can be disabled by setting conf->disable_renegotiation to MBEDTLS_SSL_RENEGOTIATION_DISABLED.

Note
When the configured transport is MBEDTLS_SSL_TRANSPORT_DATAGRAM the maximum renegotiation period is 2^48 - 1, and for MBEDTLS_SSL_TRANSPORT_STREAM, the maximum renegotiation period is 2^64 - 1.
Parameters
confSSL configuration
periodThe threshold value: a big-endian 64-bit number.

◆ mbedtls_ssl_conf_rng()

void mbedtls_ssl_conf_rng ( mbedtls_ssl_config conf,
int(*)(void *, unsigned char *, size_t f_rng,
void p_rng 
)

Set the random number generator callback.

Parameters
confSSL configuration
f_rngRNG function
p_rngRNG parameter

◆ mbedtls_ssl_conf_session_tickets()

void mbedtls_ssl_conf_session_tickets ( mbedtls_ssl_config conf,
int  use_tickets 
)

Enable / Disable session tickets (client only). (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED.)

Note
On server, use mbedtls_ssl_conf_session_tickets_cb().
Parameters
confSSL configuration
use_ticketsEnable or disable (MBEDTLS_SSL_SESSION_TICKETS_ENABLED or MBEDTLS_SSL_SESSION_TICKETS_DISABLED)

◆ mbedtls_ssl_conf_sig_hashes()

void mbedtls_ssl_conf_sig_hashes ( mbedtls_ssl_config conf,
const int hashes 
)

Set the allowed hashes for signatures during the handshake. (Default: all available hashes except MD5.)

Note
This only affects which hashes are offered and can be used for signatures during the handshake. Hashes for message authentication and the TLS PRF are controlled by the ciphersuite, see mbedtls_ssl_conf_ciphersuites(). Hashes used for certificate signature are controlled by the verification profile, see mbedtls_ssl_conf_cert_profile().
This list should be ordered by decreasing preference (preferred hash first).
Parameters
confSSL configuration
hashesOrdered list of allowed signature hashes, terminated by MBEDTLS_MD_NONE.

◆ mbedtls_ssl_conf_sni()

void mbedtls_ssl_conf_sni ( mbedtls_ssl_config conf,
int(*)(void *, mbedtls_ssl_context *, const unsigned char *, size_t f_sni,
void p_sni 
)

Set server side ServerName TLS extension callback (optional, server-side only).

If set, the ServerName callback is called whenever the server receives a ServerName TLS extension from the client during a handshake. The ServerName callback has the following parameters: (void *parameter, mbedtls_ssl_context *ssl, const unsigned char *hostname, size_t len). If a suitable certificate is found, the callback must set the certificate(s) and key(s) to use with mbedtls_ssl_set_hs_own_cert() (can be called repeatedly), and may optionally adjust the CA and associated CRL with mbedtls_ssl_set_hs_ca_chain() as well as the client authentication mode with mbedtls_ssl_set_hs_authmode(), then must return 0. If no matching name is found, the callback must either set a default cert, or return non-zero to abort the handshake at this point.

Parameters
confSSL configuration
f_sniverification function
p_sniverification parameter

◆ mbedtls_ssl_conf_transport()

void mbedtls_ssl_conf_transport ( mbedtls_ssl_config conf,
int  transport 
)

Set the transport type (TLS or DTLS). Default: TLS.

Note
For DTLS, you must either provide a recv callback that doesn't block, or one that handles timeouts, see mbedtls_ssl_set_bio(). You also need to provide timer callbacks with mbedtls_ssl_set_timer_cb().
Parameters
confSSL configuration
transporttransport type: MBEDTLS_SSL_TRANSPORT_STREAM for TLS, MBEDTLS_SSL_TRANSPORT_DATAGRAM for DTLS.

◆ mbedtls_ssl_conf_truncated_hmac()

void mbedtls_ssl_conf_truncated_hmac ( mbedtls_ssl_config conf,
int  truncate 
)

Activate negotiation of truncated HMAC (Default: MBEDTLS_SSL_TRUNC_HMAC_DISABLED)

Parameters
confSSL configuration
truncateEnable or disable (MBEDTLS_SSL_TRUNC_HMAC_ENABLED or MBEDTLS_SSL_TRUNC_HMAC_DISABLED)

◆ mbedtls_ssl_conf_verify()

void mbedtls_ssl_conf_verify ( mbedtls_ssl_config conf,
int(*)(void *, mbedtls_x509_crt *, int, uint32_t *)  f_vrfy,
void p_vrfy 
)

Set the verification callback (Optional).

            If set, the verify callback is called for each
            certificate in the chain. For implementation
            information, please see \c mbedtls_x509_crt_verify()
Parameters
confSSL configuration
f_vrfyverification function
p_vrfyverification parameter

◆ mbedtls_ssl_config_defaults()

int mbedtls_ssl_config_defaults ( mbedtls_ssl_config conf,
int  endpoint,
int  transport,
int  preset 
)

Load reasonnable default SSL configuration values. (You need to call mbedtls_ssl_config_init() first.)

Parameters
confSSL configuration context
endpointMBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER
transportMBEDTLS_SSL_TRANSPORT_STREAM for TLS, or MBEDTLS_SSL_TRANSPORT_DATAGRAM for DTLS
preseta MBEDTLS_SSL_PRESET_XXX value
Note
See mbedtls_ssl_conf_transport() for notes on DTLS.
Returns
0 if successful, or MBEDTLS_ERR_XXX_ALLOC_FAILED on memory allocation error.

◆ mbedtls_ssl_config_free()

void mbedtls_ssl_config_free ( mbedtls_ssl_config conf)

Free an SSL configuration context.

Parameters
confSSL configuration context

◆ mbedtls_ssl_config_init()

void mbedtls_ssl_config_init ( mbedtls_ssl_config conf)

Initialize an SSL configuration context Just makes the context ready for mbedtls_ssl_config_defaults() or mbedtls_ssl_config_free().

Note
You need to call mbedtls_ssl_config_defaults() unless you manually set all of the relevant fields yourself.
Parameters
confSSL configuration context

◆ mbedtls_ssl_free()

void mbedtls_ssl_free ( mbedtls_ssl_context ssl)

Free referenced items in an SSL context and clear memory.

Parameters
sslSSL context

◆ mbedtls_ssl_get_alpn_protocol()

const char* mbedtls_ssl_get_alpn_protocol ( const mbedtls_ssl_context ssl)

Get the name of the negotiated Application Layer Protocol. This function should be called after the handshake is completed.

Parameters
sslSSL context
Returns
Protcol name, or NULL if no protocol was negotiated.

◆ mbedtls_ssl_get_bytes_avail()

size_t mbedtls_ssl_get_bytes_avail ( const mbedtls_ssl_context ssl)

Return the number of data bytes available to read.

Parameters
sslSSL context
Returns
how many bytes are available in the read buffer

◆ mbedtls_ssl_get_ciphersuite()

const char* mbedtls_ssl_get_ciphersuite ( const mbedtls_ssl_context ssl)

Return the name of the current ciphersuite.

Parameters
sslSSL context
Returns
a string containing the ciphersuite name

◆ mbedtls_ssl_get_ciphersuite_id()

int mbedtls_ssl_get_ciphersuite_id ( const char ciphersuite_name)

Return the ID of the ciphersuite associated with the given name.

Parameters
ciphersuite_nameSSL ciphersuite name
Returns
the ID with the ciphersuite or 0 if not found

◆ mbedtls_ssl_get_ciphersuite_name()

const char* mbedtls_ssl_get_ciphersuite_name ( const int  ciphersuite_id)

Return the name of the ciphersuite associated with the given ID.

Parameters
ciphersuite_idSSL ciphersuite ID
Returns
a string containing the ciphersuite name

◆ mbedtls_ssl_get_max_frag_len()

size_t mbedtls_ssl_get_max_frag_len ( const mbedtls_ssl_context ssl)

Return the maximum fragment length (payload, in bytes). This is the value negotiated with peer if any, or the locally configured value.

Note
With DTLS, mbedtls_ssl_write() will return an error if called with a larger length value. With TLS, mbedtls_ssl_write() will fragment the input if necessary and return the number of bytes written; it is up to the caller to call mbedtls_ssl_write() again in order to send the remaining bytes if any.
Parameters
sslSSL context
Returns
Current maximum fragment length.

◆ mbedtls_ssl_get_peer_cert()

const mbedtls_x509_crt* mbedtls_ssl_get_peer_cert ( const mbedtls_ssl_context ssl)

Return the peer certificate from the current connection.

            Note: Can be NULL in case no certificate was sent during
            the handshake. Different calls for the same connection can
            return the same or different pointers for the same
            certificate and even a different certificate altogether.
            The peer cert CAN change in a single connection if
            renegotiation is performed.
Parameters
sslSSL context
Returns
the current peer certificate

◆ mbedtls_ssl_get_record_expansion()

int mbedtls_ssl_get_record_expansion ( const mbedtls_ssl_context ssl)

Return the (maximum) number of bytes added by the record layer: header + encryption/MAC overhead (inc. padding)

Parameters
sslSSL context
Returns
Current maximum record expansion in bytes, or MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if compression is enabled, which makes expansion much less predictable

◆ mbedtls_ssl_get_session()

int mbedtls_ssl_get_session ( const mbedtls_ssl_context ssl,
mbedtls_ssl_session session 
)

Save session in order to resume it later (client-side only) Session data is copied to presented session structure.

Parameters
sslSSL context
sessionsession context
Returns
0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed, MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used server-side or arguments are otherwise invalid.
Note
Only the server certificate is copied, and not the full chain, so you should not attempt to validate the certificate again by calling mbedtls_x509_crt_verify() on it. Instead, you should use the results from the verification in the original handshake by calling mbedtls_ssl_get_verify_result() after loading the session again into a new SSL context using mbedtls_ssl_set_session().
Once the session object is not needed anymore, you should free it by calling mbedtls_ssl_session_free().
See also
mbedtls_ssl_set_session()

◆ mbedtls_ssl_get_verify_result()

uint32_t mbedtls_ssl_get_verify_result ( const mbedtls_ssl_context ssl)

Return the result of the certificate verification.

Parameters
sslThe SSL context to use.
Returns
0 if the certificate verification was successful.
-1u if the result is not available. This may happen e.g. if the handshake aborts early, or a verification callback returned a fatal error.
A bitwise combination of MBEDTLS_X509_BADCERT_XXX and MBEDTLS_X509_BADCRL_XXX failure flags; see x509.h.

◆ mbedtls_ssl_get_version()

const char* mbedtls_ssl_get_version ( const mbedtls_ssl_context ssl)

Return the current SSL version (SSLv3/TLSv1/etc)

Parameters
sslSSL context
Returns
a string containing the SSL version

◆ mbedtls_ssl_handshake()

int mbedtls_ssl_handshake ( mbedtls_ssl_context ssl)

Perform the SSL handshake.

Parameters
sslSSL context
Returns
0 if successful, or MBEDTLS_ERR_SSL_WANT_READ or MBEDTLS_ERR_SSL_WANT_WRITE, or MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED (see below), or a specific SSL error code.
Note
If this function returns something other than 0 or MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context becomes unusable, and you should either free it or call mbedtls_ssl_session_reset() on it before re-using it for a new connection; the current connection must be closed.
If DTLS is in use, then you may choose to handle MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED specially for logging purposes, as it is an expected return value rather than an actual error, but you still need to reset/free the context.

◆ mbedtls_ssl_handshake_step()

int mbedtls_ssl_handshake_step ( mbedtls_ssl_context ssl)

Perform a single step of the SSL handshake.

Note
The state of the context (ssl->state) will be at the next state after execution of this function. Do not call this function if state is MBEDTLS_SSL_HANDSHAKE_OVER.
If this function returns something other than 0 or MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context becomes unusable, and you should either free it or call mbedtls_ssl_session_reset() on it before re-using it for a new connection; the current connection must be closed.
Parameters
sslSSL context
Returns
0 if successful, or MBEDTLS_ERR_SSL_WANT_READ or MBEDTLS_ERR_SSL_WANT_WRITE, or a specific SSL error code.

◆ mbedtls_ssl_init()

void mbedtls_ssl_init ( mbedtls_ssl_context ssl)

Initialize an SSL context Just makes the context ready for mbedtls_ssl_setup() or mbedtls_ssl_free()

Parameters
sslSSL context

◆ mbedtls_ssl_read()

int mbedtls_ssl_read ( mbedtls_ssl_context ssl,
unsigned char buf,
size_t  len 
)

Read at most 'len' application data bytes.

Parameters
sslSSL context
bufbuffer that will hold the data
lenmaximum number of bytes to read
Returns
the number of bytes read, or 0 for EOF, or MBEDTLS_ERR_SSL_WANT_READ or MBEDTLS_ERR_SSL_WANT_WRITE, or MBEDTLS_ERR_SSL_CLIENT_RECONNECT (see below), or another negative error code.
Note
If this function returns something other than a positive value or MBEDTLS_ERR_SSL_WANT_READ/WRITE or MBEDTLS_ERR_SSL_CLIENT_RECONNECT, then the ssl context becomes unusable, and you should either free it or call mbedtls_ssl_session_reset() on it before re-using it for a new connection; the current connection must be closed.
When this function return MBEDTLS_ERR_SSL_CLIENT_RECONNECT (which can only happen server-side), it means that a client is initiating a new connection using the same source port. You can either treat that as a connection close and wait for the client to resend a ClientHello, or directly continue with mbedtls_ssl_handshake() with the same context (as it has beeen reset internally). Either way, you should make sure this is seen by the application as a new connection: application state, if any, should be reset, and most importantly the identity of the client must be checked again. WARNING: not validating the identity of the client again, or not transmitting the new identity to the application layer, would allow authentication bypass!

◆ mbedtls_ssl_renegotiate()

int mbedtls_ssl_renegotiate ( mbedtls_ssl_context ssl)

Initiate an SSL renegotiation on the running connection. Client: perform the renegotiation right now. Server: request renegotiation, which will be performed during the next call to mbedtls_ssl_read() if honored by client.

Parameters
sslSSL context
Returns
0 if successful, or any mbedtls_ssl_handshake() return value.
Note
If this function returns something other than 0 or MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context becomes unusable, and you should either free it or call mbedtls_ssl_session_reset() on it before re-using it for a new connection; the current connection must be closed.

◆ mbedtls_ssl_send_alert_message()

int mbedtls_ssl_send_alert_message ( mbedtls_ssl_context ssl,
unsigned char  level,
unsigned char  message 
)

Send an alert message.

Parameters
sslSSL context
levelThe alert level of the message (MBEDTLS_SSL_ALERT_LEVEL_WARNING or MBEDTLS_SSL_ALERT_LEVEL_FATAL)
messageThe alert message (SSL_ALERT_MSG_*)
Returns
0 if successful, or a specific SSL error code.
Note
If this function returns something other than 0 or MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context becomes unusable, and you should either free it or call mbedtls_ssl_session_reset() on it before re-using it for a new connection; the current connection must be closed.

◆ mbedtls_ssl_session_free()

void mbedtls_ssl_session_free ( mbedtls_ssl_session session)

Free referenced items in an SSL session including the peer certificate and clear memory.

Note
A session object can be freed even if the SSL context that was used to retrieve the session is still in use.
Parameters
sessionSSL session

◆ mbedtls_ssl_session_init()

void mbedtls_ssl_session_init ( mbedtls_ssl_session session)

Initialize SSL session structure.

Parameters
sessionSSL session

◆ mbedtls_ssl_session_reset()

int mbedtls_ssl_session_reset ( mbedtls_ssl_context ssl)

Reset an already initialized SSL context for re-use while retaining application-set variables, function pointers and data.

Parameters
sslSSL context
Returns
0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED, MBEDTLS_ERR_SSL_HW_ACCEL_FAILED or MBEDTLS_ERR_SSL_COMPRESSION_FAILED

◆ mbedtls_ssl_set_bio()

void mbedtls_ssl_set_bio ( mbedtls_ssl_context ssl,
void p_bio,
mbedtls_ssl_send_t f_send,
mbedtls_ssl_recv_t f_recv,
mbedtls_ssl_recv_timeout_t f_recv_timeout 
)

Set the underlying BIO callbacks for write, read and read-with-timeout.

Parameters
sslSSL context
p_bioparameter (context) shared by BIO callbacks
f_sendwrite callback
f_recvread callback
f_recv_timeoutblocking read callback with timeout.
Note
One of f_recv or f_recv_timeout can be NULL, in which case the other is used. If both are non-NULL, f_recv_timeout is used and f_recv is ignored (as if it were NULL).
The two most common use cases are:
  • non-blocking I/O, f_recv != NULL, f_recv_timeout == NULL
  • blocking I/O, f_recv == NULL, f_recv_timout != NULL
For DTLS, you need to provide either a non-NULL f_recv_timeout callback, or a f_recv that doesn't block.
See the documentations of mbedtls_ssl_sent_t, mbedtls_ssl_recv_t and mbedtls_ssl_recv_timeout_t for the conventions those callbacks must follow.
On some platforms, net_sockets.c provides mbedtls_net_send(), mbedtls_net_recv() and mbedtls_net_recv_timeout() that are suitable to be used here.

◆ mbedtls_ssl_set_hostname()

int mbedtls_ssl_set_hostname ( mbedtls_ssl_context ssl,
const char hostname 
)

Set or reset the hostname to check against the received server certificate. It sets the ServerName TLS extension, too, if that extension is enabled. (client-side only)

Parameters
sslSSL context
hostnamethe server hostname, may be NULL to clear hostname
Note
Maximum hostname length MBEDTLS_SSL_MAX_HOST_NAME_LEN.
Returns
0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED on allocation failure, MBEDTLS_ERR_SSL_BAD_INPUT_DATA on too long input hostname.

Hostname set to the one provided on success (cleared when NULL). On allocation failure hostname is cleared. On too long input failure, old hostname is unchanged.

◆ mbedtls_ssl_set_hs_authmode()

void mbedtls_ssl_set_hs_authmode ( mbedtls_ssl_context ssl,
int  authmode 
)

Set authmode for the current handshake.

Note
Same as mbedtls_ssl_conf_authmode() but for use within the SNI callback.
Parameters
sslSSL context
authmodeMBEDTLS_SSL_VERIFY_NONE, MBEDTLS_SSL_VERIFY_OPTIONAL or MBEDTLS_SSL_VERIFY_REQUIRED

◆ mbedtls_ssl_set_hs_ca_chain()

void mbedtls_ssl_set_hs_ca_chain ( mbedtls_ssl_context ssl,
mbedtls_x509_crt ca_chain,
mbedtls_x509_crl ca_crl 
)

Set the data required to verify peer certificate for the current handshake.

Note
Same as mbedtls_ssl_conf_ca_chain() but for use within the SNI callback.
Parameters
sslSSL context
ca_chaintrusted CA chain (meaning all fully trusted top-level CAs)
ca_crltrusted CA CRLs

◆ mbedtls_ssl_set_hs_own_cert()

int mbedtls_ssl_set_hs_own_cert ( mbedtls_ssl_context ssl,
mbedtls_x509_crt own_cert,
mbedtls_pk_context pk_key 
)

Set own certificate and key for the current handshake.

Note
Same as mbedtls_ssl_conf_own_cert() but for use within the SNI callback.
Parameters
sslSSL context
own_certown public certificate chain
pk_keyown private key
Returns
0 on success or MBEDTLS_ERR_SSL_ALLOC_FAILED

◆ mbedtls_ssl_set_session()

int mbedtls_ssl_set_session ( mbedtls_ssl_context ssl,
const mbedtls_ssl_session session 
)

Request resumption of session (client-side only) Session data is copied from presented session structure.

Parameters
sslSSL context
sessionsession context
Returns
0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed, MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used server-side or arguments are otherwise invalid
See also
mbedtls_ssl_get_session()

◆ mbedtls_ssl_set_timer_cb()

void mbedtls_ssl_set_timer_cb ( mbedtls_ssl_context ssl,
void p_timer,
mbedtls_ssl_set_timer_t f_set_timer,
mbedtls_ssl_get_timer_t f_get_timer 
)

Set the timer callbacks (Mandatory for DTLS.)

Parameters
sslSSL context
p_timerparameter (context) shared by timer callbacks
f_set_timerset timer callback
f_get_timerget timer callback. Must return:
Note
See the documentation of mbedtls_ssl_set_timer_t and mbedtls_ssl_get_timer_t for the conventions this pair of callbacks must follow.
On some platforms, timing.c provides mbedtls_timing_set_delay() and mbedtls_timing_get_delay() that are suitable for using here, except if using an event-driven style.
See also the "DTLS tutorial" article in our knowledge base. https://tls.mbed.org/kb/how-to/dtls-tutorial

◆ mbedtls_ssl_setup()

int mbedtls_ssl_setup ( mbedtls_ssl_context ssl,
const mbedtls_ssl_config conf 
)

Set up an SSL context for use.

Note
No copy of the configuration context is made, it can be shared by many mbedtls_ssl_context structures.
Warning
The conf structure will be accessed during the session. It must not be modified or freed as long as the session is active.
This function must be called exactly once per context. Calling mbedtls_ssl_setup again is not supported, even if no session is active.
Parameters
sslSSL context
confSSL configuration to use
Returns
0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed

◆ mbedtls_ssl_write()

int mbedtls_ssl_write ( mbedtls_ssl_context ssl,
const unsigned char buf,
size_t  len 
)

Try to write exactly 'len' application data bytes.

Warning
This function will do partial writes in some cases. If the return value is non-negative but less than length, the function must be called again with updated arguments: buf + ret, len - ret (if ret is the return value) until it returns a value equal to the last 'len' argument.
Parameters
sslSSL context
bufbuffer holding the data
lenhow many bytes must be written
Returns
the number of bytes actually written (may be less than len), or MBEDTLS_ERR_SSL_WANT_WRITE or MBEDTLS_ERR_SSL_WANT_READ, or another negative error code.
Note
If this function returns something other than 0, a positive value or MBEDTLS_ERR_SSL_WANT_READ/WRITE, you must stop using the SSL context for reading or writing, and either free it or call mbedtls_ssl_session_reset() on it before re-using it for a new connection; the current connection must be closed.
When this function returns MBEDTLS_ERR_SSL_WANT_WRITE/READ, it must be called later with the same arguments, until it returns a value greater that or equal to 0. When the function returns MBEDTLS_ERR_SSL_WANT_WRITE there may be some partial data in the output buffer, however this is not yet sent.
If the requested length is greater than the maximum fragment length (either the built-in limit or the one set or negotiated with the peer), then:
  • with TLS, less bytes than requested are written.
  • with DTLS, MBEDTLS_ERR_SSL_BAD_INPUT_DATA is returned. mbedtls_ssl_get_max_frag_len() may be used to query the active maximum fragment length.
Attempting to write 0 bytes will result in an empty TLS application record being sent.