Symbols ![]()
loading...
Files ![]()
loading...
mbedTLS library
mbedTLS is a library defining the following symbols:Most used functions
Name
Location
Summary
Initialize an MPI context. This makes the MPI ready to be set or freed, but does not define a value for the MPI.
Securely zeroize a buffer The function is meant to wipe the data contained in a buffer so that it can no longer be recovered even if the program memory is later compromised. Call this function on sensitive data stored on the stack before returning from a function, and on sensitive data stored on the heap before freeing the heap object. It is extremely difficult to guarantee that calls to mbedtls_platform_zeroize() are not removed by aggressive compiler optimizations in a portable way. For this reason, Mbed TLS provides the configuration option MBEDTLS_PLATFORM_ZEROIZE_ALT, which allows users to configure mbedtls_platform_zeroize() to use a suitable implementation for their platform and needs
Get the tag and length of the tag. Check for the requested tag. Updates the pointer to immediately behind the tag and length.
Read at most 'len' characters. If no error occurs, the actual amount read is returned.
Initialize a context Just makes the context ready to be used or freed safely.
Update record layer This function roughly separates the implementation of the logic of (D)TLS from the implementation of the secure transport. The record layer takes as input an untrusted underlying transport (stream or datagram) and transforms it into a serially multiplexed, secure transport, which conceptually provides the following: (1) Three datagram based, content-agnostic transports for handshake, alert and CCS messages. (2) One stream- or datagram-based transport for application data. (3) Functionality for changing the underlying transform securing the contents. The interface to this functionality is given as follows: a Updating [Currently implemented by mbedtls_ssl_read_record] Check if and on which of the four 'ports' data is pending: Nothing, a controlling datagram of type (1), or application data (2). In any case data is present, internal buffers provide access to the data for the user to process it. Consumption of type (1) datagrams is done automatically on the next update, invalidating that the internal buffers for previous datagrams, while consumption of application data (2) is user-controlled. b Reading of application data [Currently manual adaption of ssl->in_offt pointer] As mentioned in the last paragraph, consumption of data is different from the automatic consumption of control datagrams (1) because application data is treated as a stream. c Tracking availability of application data [Currently manually through decreasing ssl->in_msglen] For efficiency and to retain datagram semantics for application data in case of DTLS, the record layer provides functionality for checking how much application data is still available in the internal buffer. d Changing the transformation securing the communication. Given an opaque implementation of the record layer in the above sense, it should be possible to implement the logic of (D)TLS on top of it without the need to know anything about the record layer's internals. This is done e.g. in all the handshake handling functions, and in the application data reading function mbedtls_ssl_read.
Write at most 'len' characters. If no error occurs, the actual amount read is returned.
This function returns the message-digest information associated with the given digest type.
Parse one DER-encoded or one or more concatenated PEM-encoded certificates and add them to the chained list. For CRTs in PEM encoding, the function parses permissively: if at least one certificate can be parsed, the function returns the number of certificates for which parsing failed (hence \c 0 if all certificates were parsed successfully). If no certificate could be parsed, the function returns the first (negative) error encountered during parsing. PEM encoded certificates may be interleaved by other data such as human readable descriptions of their content, as long as the certificates are enclosed in the PEM specific '-----{BEGIN/END} CERTIFICATE-----' delimiters.
Quick access to an EC context inside a PK context. \warning You must make sure the PK context actually holds an EC context before using this function!
Return the number of bits up to and including the most significant bit of value \c 1. * \note This is same as the one-based index of the most significant bit of value \c 1.
This function starts a SHA-384 or SHA-512 checksum calculation.
This function feeds an input buffer into an ongoing SHA-512 checksum calculation.
Perform the SSL handshake \warning If this function returns something other than \c 0, #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE, #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using the SSL context for reading or writing, and either free it or call \c mbedtls_ssl_session_reset() on it before re-using it for a new connection; the current connection must be closed.
Create a receiving socket on bind_ip:port in the chosen protocol. If bind_ip == NULL, all interfaces are bound.
Free referenced items in an SSL session including the peer certificate and clear memory
This function selects the message digest algorithm to use, and allocates internal structures. It should be called after mbedtls_md_init() or mbedtls_md_free(). Makes it necessary to call mbedtls_md_free() later.
This function sets up an ECP group context from a standardized set of domain parameters.
Perform a multiplication of an MPI with an unsigned integer: X = A * b
Get the length of an ASN.1 element. Updates the pointer to immediately behind the length.
This function finishes the SHA-512 operation, and writes the result to the output buffer. This function is for internal use only.
This function processes a single data block within the ongoing SHA-512 computation.
This function starts a SHA-224 or SHA-256 checksum calculation.
This function processes a single data block within the ongoing SHA-256 computation. This function is for internal use only.
Entropy poll callback for a hardware source \warning This is not provided by mbed TLS! See \c MBEDTLS_ENTROPY_HARDWARE_ALT in config.h.
Read at most 'len' application data bytes \warning If this function returns something other than a positive value, #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE, #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or #MBEDTLS_ERR_SSL_CLIENT_RECONNECT, you must stop using the SSL context for reading or writing, and either free it or call \c mbedtls_ssl_session_reset() on it before re-using it for a new connection; the current connection must be closed.
Try to write exactly 'len' application data bytes \warning This function will do partial writes in some cases. If the return value is non-negative but less than length, the function must be called again with updated arguments: buf + ret, len - ret (if ret is the return value) until it returns a value equal to the last 'len' argument. \warning If this function returns something other than a non-negative value, #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE, #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using the SSL context for reading or writing, and either free it or call \c mbedtls_ssl_session_reset() on it before re-using it for a new connection; the current connection must be closed.
Initialize an SSL configuration context Just makes the context ready for mbedtls_ssl_config_defaults() or mbedtls_ssl_config_free().
Load reasonnable default SSL configuration values. (You need to call mbedtls_ssl_config_init() first.)
Initialize an SSL context Just makes the context ready for mbedtls_ssl_setup() or mbedtls_ssl_free()
Set up an SSL context for use \warning The conf structure will be accessed during the session. It must not be modified or freed as long as the session is active. \warning This function must be called exactly once per context. Calling mbedtls_ssl_setup again is not supported, even if no session is active.
Set the underlying BIO callbacks for write, read and read-with-timeout.
Retrieve entropy from the accumulator (Maximum length: MBEDTLS_ENTROPY_BLOCK_SIZE) (Thread-safe if MBEDTLS_THREADING_C is enabled)
This function initializes the CTR_DRBG context, and prepares it for mbedtls_ctr_drbg_seed() or mbedtls_ctr_drbg_free().
This function seeds and sets up the CTR_DRBG entropy source for future reseeds.
Retrieve an integer ASN.1 tag and its value. Updates the pointer to immediately behind the full tag.
This function initializes a message-digest context without binding it to a particular message-digest algorithm. This function should always be called first. It prepares the context for mbedtls_md_setup() for binding it to a message-digest algorithm.
This function clears the internal structure of \p ctx and frees any embedded internal structure, but does not free \p ctx itself. If you have called mbedtls_md_setup() on \p ctx, you must call mbedtls_md_free() when you are no longer using the context. Calling this function if you have previously called mbedtls_md_init() and nothing else is optional. You must not call this function if you have not called mbedtls_md_init().
This function extracts the message-digest size from the message-digest information structure.
Export an MPI into unsigned big endian binary data of fixed size.
This function performs multiplication of a point by an integer: \p R = \p m * \p P in a restartable way. \see mbedtls_ecp_mul()
This function calculates the SHA-512 or SHA-384 checksum of a buffer. The function allocates the context, performs the calculation, and frees the context. The SHA-512 result is calculated as output = SHA-512(input buffer).
This function performs an AES single-block encryption or decryption operation. It performs the operation defined in the \p mode parameter (encrypt or decrypt), on the input data buffer defined in the \p input parameter. mbedtls_aes_init(), and either mbedtls_aes_setkey_enc() or mbedtls_aes_setkey_dec() must be called before the first call to this API with the same context.
This function feeds an input buffer into an ongoing SHA-256 checksum calculation.
This function finishes the SHA-256 operation, and writes the result to the output buffer.
Free referenced items in an SSL transform context and clear memory
Read at most 'len' characters, blocking for at most 'timeout' seconds. If no error occurs, the actual amount read is returned.
This function frees and clears the cipher-specific context of \p ctx. Freeing \p ctx itself remains the responsibility of the caller.
The generic cipher update function. It encrypts or decrypts using the given cipher context. Writes as many block-sized blocks of data as possible to output. Any data that cannot be written immediately is either added to the next block, or flushed when mbedtls_cipher_finish() is called. Exception: For MBEDTLS_MODE_ECB, expects a single block in size. For example, 16 Bytes for AES.
This function sets the HMAC key and prepares to authenticate a new message. Call this function after mbedtls_md_setup(), to use the MD context for an HMAC calculation, then call mbedtls_md_hmac_update() to provide the input data, and mbedtls_md_hmac_finish() to get the HMAC value.
This function feeds an input buffer into an ongoing HMAC computation. Call mbedtls_md_hmac_starts() or mbedtls_md_hmac_reset() before calling this function. You may call this function multiple times to pass the input piecewise. Afterwards, call mbedtls_md_hmac_finish().
This function finishes the HMAC operation, and writes the result to the output buffer. Call this function after mbedtls_md_hmac_starts() and mbedtls_md_hmac_update() to get the HMAC value. Afterwards you may either call mbedtls_md_free() to clear the context, or call mbedtls_md_hmac_reset() to reuse the context with the same HMAC key.
This function retrieves the information defined in mbedtls_ecp_curve_info() for all supported curves in order of preference.
This function retrieves curve information from an internal group identifier.
Initialize a PK context with the information given and allocates the type-specific PK subcontext.
Parse a single DER formatted certificate and add it to the chained list.
Perform a safe conditional copy of MPI which doesn't reveal whether the condition was true or not.
Return the number of bits of value \c 0 before the least significant bit of value \c 1.
This function initializes the specified AES context. It must be the first API called before using the context.
Read a buffer for PEM information and store the resulting data into the specified context buffers.
Retrieve a bitstring ASN.1 tag without unused bits and its value. Updates the pointer to the beginning of the bit/octet string.
Retrieve an AlgorithmIdentifier ASN.1 sequence. Updates the pointer to immediately behind the full AlgorithmIdentifier.
This function sets up the ECDH context with the information given. This function should be called after mbedtls_ecdh_init() but before mbedtls_ecdh_make_params(). There is no need to call this function before mbedtls_ecdh_read_params(). This is the first function used by a TLS server for ECDHE ciphersuites.
This function initializes and fills the cipher-context structure with the appropriate values. It also clears the structure. \internal Currently, the function also clears the structure. In future versions, the caller will be required to call mbedtls_cipher_init() on the structure first.
This function initializes an ECP group context without loading any domain parameters.
This function performs a scalar multiplication of a point by an integer: \p R = \p m * \p P. It is not thread-safe to use same group in multiple threads.
Restartable version of \c mbedtls_crt_verify_with_profile()
Write a string in ASN.1 format using a specific string encoding tag.
This function finishes the GCM operation and generates the authentication tag. It wraps up the GCM stream, and generates the tag. The tag can have a maximum length of 16 Bytes.
This function calculates the SHA-224 or SHA-256 checksum of a buffer. The function allocates the context, performs the calculation, and frees the context. The SHA-256 result is calculated as output = SHA-256(input buffer).
Free referenced items in an SSL handshake context and clear memory
Set or reset the hostname to check against the received server certificate. It sets the ServerName TLS extension, too, if that extension is enabled. (client-side only) Hostname set to the one provided on success (cleared when NULL). On allocation failure hostname is cleared. On too long input failure, old hostname is unchanged.
Reset an already initialized SSL context for re-use while retaining application-set variables, function pointers and data.
Set the certificate verification mode Default: NONE on server, REQUIRED on client MBEDTLS_SSL_VERIFY_NONE: peer certificate is not checked (default on server) (insecure on client) MBEDTLS_SSL_VERIFY_OPTIONAL: peer certificate is checked, however the handshake continues even if verification failed; mbedtls_ssl_get_verify_result() can be called after the handshake is complete. MBEDTLS_SSL_VERIFY_REQUIRED: peer *must* present a valid certificate, handshake is aborted if verification failed. (default on client)
Returns an informational string about the verification status of a certificate.
This function returns the mode of operation for the cipher. For example, MBEDTLS_MODE_CBC.
Retrieve a boolean ASN.1 tag and its value. Updates the pointer to immediately behind the full tag.
Retrieve a bitstring ASN.1 tag and its value. Updates the pointer to immediately behind the full tag.
Retrieve a MPI value from an integer ASN.1 tag. Updates the pointer to immediately behind the full tag.
Store the certificate DN in printable form into buf; no more than size characters will be written.
Check a given mbedtls_x509_time against the system time and tell if it's in the past.
Check a given mbedtls_x509_time against the system time and tell if it's in the future.
This function derives and exports the shared secret. This is the last function used by both TLS client and servers. \see ecp.h
This function feeds an input buffer into an ongoing message-digest computation. You must call mbedtls_md_starts() before calling this function. You may call this function multiple times. Afterwards, call mbedtls_md_finish().
This function prepares to authenticate a new message with the same key as the previous HMAC operation. You may call this function after mbedtls_md_hmac_finish(). Afterwards call mbedtls_md_hmac_update() to pass the new input.
This function retrieves curve information from a TLS NamedCurve value.
This function copies the contents of group \p src into group \p dst.
This function exports a point as a TLS ECPoint record defined in RFC 4492, Section 5.4.
This function extracts an elliptic curve group ID from a TLS ECParameters record as defined in RFC 4492, Section 5.4.
This function sets up an ECDSA context from an EC key pair. \see ecp.h
This function generates an ECDH keypair on an elliptic curve. This function performs the first of two core computations implemented during the ECDH key exchange. The second core computation is performed by mbedtls_ecdh_compute_shared(). \see ecp.h
This function resizes an MPI downwards, keeping at least the specified number of limbs. If \c X is smaller than \c nblimbs, it is resized up instead.
This function performs multiplication and addition of two points by integers: \p R = \p m * \p P + \p n * \p Q in a restartable way. \see \c mbedtls_ecp_muladd()
This function checks that a point is a valid public key on this curve. It only checks that the point is non-zero, has valid coordinates and lies on the curve. It does not verify that it is indeed a multiple of \p G. This additional check is computationally more expensive, is not required by standards, and should not be necessary if the group used has a small cofactor. In particular, it is useless for the NIST groups which all have a cofactor of 1.
This function checks that an \p mbedtls_mpi is a valid private key for this curve.
Internal AES block encryption function. This is only exposed to allow overriding it using \c MBEDTLS_AES_ENCRYPT_ALT.
Internal AES block decryption function. This is only exposed to allow overriding it using see \c MBEDTLS_AES_DECRYPT_ALT.
This function reseeds the CTR_DRBG context, that is extracts data from the entropy source.
Write a arbitrary-precision number (#MBEDTLS_ASN1_INTEGER) in ASN.1 format.
Perform a CAMELLIA key schedule operation for encryption.
This function associates a GCM context with a cipher algorithm and a key.
This function performs GCM encryption or decryption of a buffer. \warning When this function performs a decryption, it outputs the authentication tag and does not verify that the data is authentic. You should use this function to perform encryption only. For decryption, use mbedtls_gcm_auth_decrypt() instead.
This function feeds an input buffer into an ongoing GCM encryption or decryption operation. ` The function expects input to be a multiple of 16 Bytes. Only the last call before calling mbedtls_gcm_finish() can be less than 16 Bytes.
This function returns the block size of the given cipher.
Return the current maximum outgoing record payload in bytes. This takes into account the config.h setting \c MBEDTLS_SSL_OUT_CONTENT_LEN, the configured and negotiated max fragment length extension if used, and for DTLS the path MTU as configured and current record expansion. \sa mbedtls_ssl_set_mtu() \sa mbedtls_ssl_get_max_frag_len() \sa mbedtls_ssl_get_record_expansion()
Perform a single step of the SSL handshake \warning If this function returns something other than \c 0, #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE, #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using the SSL context for reading or writing, and either free it or call \c mbedtls_ssl_session_reset() on it before re-using it for a new connection; the current connection must be closed.
Parses and splits an ASN.1 "SEQUENCE OF " Updated the pointer to immediately behind the full sequence tag.
Retrieve an AlgorithmIdentifier ASN.1 sequence with NULL or no params. Updates the pointer to immediately behind the full AlgorithmIdentifier.
Store the certificate serial in printable form into buf; no more than size characters will be written.
This function generates an EC key pair and exports its in the format used in a TLS ServerKeyExchange handshake message. This is the second function used by a TLS server for ECDHE ciphersuites. (It is called after mbedtls_ecdh_setup().) \see ecp.h
This function parses the ECDHE parameters in a TLS ServerKeyExchange handshake message. \see ecp.h
This function generates a public key and exports it as a TLS ClientKeyExchange payload. This is the second function used by a TLS client for ECDH(E) ciphersuites. \see ecp.h
This function parses and processes the ECDHE payload of a TLS ClientKeyExchange message. This is the third function used by a TLS server for ECDH(E) ciphersuites. (It is called after mbedtls_ecdh_setup() and mbedtls_ecdh_make_params().) \see ecp.h
Return the name of the ciphersuite associated with the given ID
The generic cipher finalization function. If data still needs to be flushed from an incomplete block, the data contained in it is padded to the size of the last block, and written to the \p output buffer.
This function starts a message-digest computation. You must call this function after setting up the context with mbedtls_md_setup(), and before passing data with mbedtls_md_update().
This function finishes the digest operation, and writes the result to the output buffer. Call this function after a call to mbedtls_md_starts(), followed by any number of calls to mbedtls_md_update(). Afterwards, you may either clear the context with mbedtls_md_free(), or call mbedtls_md_starts() to reuse the context for another digest operation with the same algorithm.
This function calculates the message-digest of a buffer, with respect to a configurable message-digest algorithm in a single call. The result is calculated as Output = message_digest(input buffer).
This function retrieves the cipher-information structure associated with the given cipher type.
This function retrieves the cipher-information structure associated with the given cipher ID, key size and mode.
This function retrieves the list of internal group identifiers of all supported curves in the order of preference.
This function exports an elliptic curve as a TLS ECParameters record as defined in RFC 4492, Section 5.4.
This function computes the ECDSA signature and writes it to a buffer, serialized as defined in RFC-4492: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS). \warning It is not thread-safe to use the same context in multiple threads. \see ecp.h
This function computes the ECDSA signature and writes it to a buffer, in a restartable way. \see \c mbedtls_ecdsa_write_signature()
This function reads and verifies an ECDSA signature. \see ecp.h
This function reads and verifies an ECDSA signature, in a restartable way. \see \c mbedtls_ecdsa_read_signature()
Verify signature, with options. (Includes verification of the padding depending on type.)
This function computes the shared secret. This function performs the second of two core computations implemented during the ECDH key exchange. The first core computation is performed by mbedtls_ecdh_gen_public(). \see ecp.h
Perform a division with remainder of an MPI by an integer: A = Q * b + R
Perform a modular reduction with respect to an integer. r = A mod b
This function generates a keypair with a configurable base point.
This function checks that the keypair objects \p pub and \p prv have the same group and the same public point, and that the private key in \p prv is consistent with the public key.
Adds an entropy source to poll (Thread-safe if MBEDTLS_THREADING_C is enabled)
This function updates the state of the CTR_DRBG context.
This function updates a CTR_DRBG instance with additional data and uses it to generate random data.
Write a NULL tag (#MBEDTLS_ASN1_NULL) with zero data in ASN.1 format.
Write an OID tag (#MBEDTLS_ASN1_OID) and data in ASN.1 format.
Perform a CAMELLIA key schedule operation for decryption.
Perform a CAMELLIA-ECB block encryption/decryption operation.
This function initializes the specified GCM context, to make references valid, and prepares the context for mbedtls_gcm_setkey() or mbedtls_gcm_free(). The function does not bind the GCM context to a particular cipher, nor set the key. For this purpose, use mbedtls_gcm_setkey().
This function performs a GCM authenticated decryption of a buffer.
This function clears a GCM context and the underlying cipher sub-context.
Translate an X.509 attribute type OID into the short name (e.g. the OID for an X520 Common Name into "CN")
Check if there is data already read from the underlying transport but not yet processed.
Return the number of application data bytes remaining to be read from the current record.
Return the (maximum) number of bytes added by the record layer: header + encryption/MAC overhead (inc. padding)
Return the peer certificate from the current connection Note: Can be NULL in case no certificate was sent during the handshake. Different calls for the same connection can return the same or different pointers for the same certificate and even a different certificate altogether. The peer cert CAN change in a single connection if renegotiation is performed.
Save session in order to resume it later (client-side only) Session data is copied to presented session structure. \sa mbedtls_ssl_set_session()
Set the timeout period for mbedtls_ssl_read() (Default: no timeout.)
Set the session cache callbacks (server-side only) If not set, no session resuming is done (except if session tickets are enabled too). The session cache has the responsibility to check for stale entries based on timeout. See RFC 5246 for recommendations. Warning: session.peer_cert is cleared by the SSL/TLS layer on connection shutdown, so do not cache the pointer! Either set it to NULL or make a full copy of the certificate. The get callback is called once during the initial handshake to enable session resuming. The get function has the following parameters: (void *parameter, mbedtls_ssl_session *session) If a valid entry is found, it should fill the master of the session object with the cached values and return 0, return 1 otherwise. Optionally peer_cert can be set as well if it is properly present in cache entry. The set callback is called once during the initial handshake to enable session resuming after the entire handshake has been finished. The set function has the following parameters: (void *parameter, const mbedtls_ssl_session *session). The function should create a cache entry for future retrieval based on the data in the session structure and should keep in mind that the mbedtls_ssl_session object presented (and all its referenced data) is cleared by the SSL/TLS layer when the connection is terminated. It is recommended to add metadata to determine if an entry is still valid in the future. Return 0 if successfully cached, return 1 otherwise.
Request resumption of session (client-side only) Session data is copied from presented session structure. \sa mbedtls_ssl_get_session()
Set the list of allowed ciphersuites and the preference order. First in the list has the highest preference. (Overrides all version-specific lists) The ciphersuites array is not copied, and must remain valid for the lifetime of the ssl_config. Note: The server uses its own preferences over the preference of the client unless MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE is defined!
Set the list of allowed ciphersuites and the preference order for a specific version of the protocol. (Only useful on the server side) The ciphersuites array is not copied, and must remain valid for the lifetime of the ssl_config.
Set the allowed curves in order of preference. (Default: all defined curves.) On server: this only affects selection of the ECDHE curve; the curves used for ECDH and ECDSA are determined by the list of available certificates instead. On client: this affects the list of curves offered for any use. The server can override our preference order. Both sides: limits the set of curves accepted for use in ECDHE and in the peer's end-entity certificate.
Set the allowed hashes for signatures during the handshake. (Default: all available hashes except MD5.)
Set the maximum supported version sent from the client side and/or accepted at the server side (Default: MBEDTLS_SSL_MAX_MAJOR_VERSION, MBEDTLS_SSL_MAX_MINOR_VERSION)
Set the minimum accepted SSL/TLS protocol version (Default: TLS 1.0)
Whether to send a list of acceptable CAs in CertificateRequest messages. (Default: do send)
Prevent or allow legacy renegotiation. (Default: MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION allows connections to be established even if the peer does not support secure renegotiation, but does not allow renegotiation to take place if not secure. (Interoperable and secure option) MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION allows renegotiations with non-upgraded peers. Allowing legacy renegotiation makes the connection vulnerable to specific man in the middle attacks. (See RFC 5746) (Most interoperable and least secure option) MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE breaks off connections if peer does not support secure renegotiation. Results in interoperability issues with non-upgraded peers that do not support renegotiation altogether. (Most secure option, interoperability issues)
This function performs any platform-specific initialization operations. Its implementation is platform-specific, and unless platform-specific code is provided, it does nothing.
This function performs any platform teardown operations. Its implementation is platform-specific, and unless platform-specific code is provided, it does nothing.
Find a specific named_data entry in a sequence or list based on the OID.
Free all entries in a mbedtls_asn1_named_data list Head will be set to NULL
This function sets up an ECDH context from an EC key. It is used by clients and servers in place of the ServerKeyEchange for static ECDH, and imports ECDH parameters from the EC key information of a certificate. \see ecp.h
Return the ID of the ciphersuite associated with the given name
Set the verification callback (Optional). If set, the verify callback is called for each certificate in the chain. For implementation information, please see \c mbedtls_x509_crt_verify()
Set the debug callback The callback has the following argument: void * opaque context for the callback int debug level const char * file name int line number const char * message
This function adds additional data for AEAD ciphers. Currently supported with GCM and ChaCha20+Poly1305. This must be called exactly once, after mbedtls_cipher_reset().
This function writes a tag for AEAD ciphers. Currently supported with GCM and ChaCha20+Poly1305. This must be called after mbedtls_cipher_finish().
This function checks the tag for AEAD ciphers. Currently supported with GCM and ChaCha20+Poly1305. This must be called after mbedtls_cipher_finish().
The generic all-in-one encryption/decryption function, for all ciphers except AEAD constructs.
This function selects the message digest algorithm to use, and allocates internal structures. It should be called after mbedtls_md_init() or mbedtls_md_free(). Makes it necessary to call mbedtls_md_free() later. \deprecated Superseded by mbedtls_md_setup() in 2.0.0
This function clones the state of an message-digest context. \warning This function clones the message-digest state, not the HMAC state.
This function extracts the message-digest type from the message-digest information structure.
This function extracts the message-digest name from the message-digest information structure.
This function calculates the full generic HMAC on the input buffer with the provided key. The function allocates the context, performs the calculation, and frees the context. The HMAC result is calculated as output = generic HMAC(hmac key, input buffer).
This function computes the ECDSA signature of a previously-hashed message. \see ecp.h
This function verifies the ECDSA signature of a previously-hashed message. \see ecp.h
This function retrieves the list of ciphers supported by the generic cipher module.
This function retrieves the cipher-information structure associated with the given cipher name.
This function retrieves curve information from a human-readable name.
This function imports a non-zero point from two ASCII strings.
This function sets up an ECP group context from a TLS ECParameters record as defined in RFC 4492, Section 5.4.
This function generates an ECDSA keypair on the given curve. \see ecp.h
Verify the certificate signature The verify callback is a user-supplied callback that can clear / modify / add flags for a certificate. If set, the verification callback is called for each certificate in the chain (from the trust-ca down to the presented crt). The parameters for the callback are: (void *parameter, mbedtls_x509_crt *crt, int certificate_depth, int *flags). With the flags representing current flags for that specific certificate and the certificate depth from the bottom (Peer cert depth = 0). All flags left after returning from the callback are also returned to the application. The function should return 0 for anything (including invalid certificates) other than fatal error, as a non-zero return code immediately aborts the verification process. For fatal errors, a specific error code should be used (different from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR can be used if no better code is available.
Verify the certificate signature according to profile
Perform a safe conditional swap which doesn't reveal whether the condition was true or not.
This function performs multiplication and addition of two points by integers: \p R = \p m * \p P + \p n * \p Q It is not thread-safe to use same group in multiple threads.
This function returns the list of digests supported by the generic digest module.
This function returns the message-digest information associated with the given digest name.
Trigger an extra gather poll for the accumulator (Thread-safe if MBEDTLS_THREADING_C is enabled)
Add data to the accumulator manually (Thread-safe if MBEDTLS_THREADING_C is enabled)
This function turns prediction resistance on or off. The default value is off.
This function sets the amount of entropy grabbed on each seed or reseed. The default value is #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
This function sets the reseed interval. The default value is #MBEDTLS_CTR_DRBG_RESEED_INTERVAL.
Write an AlgorithmIdentifier sequence in ASN.1 format.
Write a boolean tag (#MBEDTLS_ASN1_BOOLEAN) and value in ASN.1 format.
Write an int tag (#MBEDTLS_ASN1_INTEGER) and value in ASN.1 format.
Write a UTF8 string in ASN.1 format using the UTF8String string encoding tag (#MBEDTLS_ASN1_PRINTABLE_STRING).
Write a string in ASN.1 format using the PrintableString string encoding tag (#MBEDTLS_ASN1_PRINTABLE_STRING).
Write a string in ASN.1 format using the IA5String string encoding tag (#MBEDTLS_ASN1_IA5_STRING).
Write a bitstring tag (#MBEDTLS_ASN1_BIT_STRING) and value in ASN.1 format.
Write an octet string tag (#MBEDTLS_ASN1_OCTET_STRING) and value in ASN.1 format.
Create or find a specific named_data entry for writing in a sequence or list based on the OID. If not already in there, a new entry is added to the head of the list. Warning: Destructive behaviour for the val data!
Translate an ASN.1 OID into its numeric representation (e.g. "\x2A\x86\x48\x86\xF7\x0D" into "1.2.840.113549")
This function returns the size of the IV or nonce of the cipher, in Bytes.
This function returns the name of the given cipher as a string.
Parse a DER-encoded CRL and append it to the chained list
Miller-Rabin primality test. \warning If \p X is potentially generated by an adversary, for example when validating cryptographic parameters that you didn't generate yourself and that are supposed to be prime, then \p rounds should be at least the half of the security strength of the cryptographic algorithm. On the other hand, if \p X is chosen uniformly or non-adversially (as is the case when mbedtls_mpi_gen_prime calls this function), then \p rounds can be much lower.
Initialize use of stack-based memory allocator. The stack-based allocator does memory management inside the presented buffer and does not call calloc() and free(). It sets the global mbedtls_calloc() and mbedtls_free() pointers to its own functions. (Provided mbedtls_calloc() and mbedtls_free() are thread-safe if MBEDTLS_THREADING_C is defined)
Free the mutex for thread-safety and clear remaining memory
Determine when the allocator should automatically verify the state of the entire chain of headers / meta-data. (Default: MBEDTLS_MEMORY_VERIFY_NONE)
Verifies that all headers in the memory buffer are correct and contain sane values. Helps debug buffer-overflow errors. Prints out first failure if MBEDTLS_MEMORY_DEBUG is defined. Prints out full header information if MBEDTLS_MEMORY_DEBUG is defined. (Includes stack trace information for each block if MBEDTLS_MEMORY_BACKTRACE is defined as well).
Set the threshold error level to handle globally all debug output. Debug messages that have a level over the threshold value are discarded. (Default value: 0 = No debug )
Print a message to the debug output. This function is always used through the MBEDTLS_SSL_DEBUG_MSG() macro, which supplies the ssl context, file and line number parameters. \attention This function is intended for INTERNAL usage within the library only.
Print the return value of a function to the debug output. This function is always used through the MBEDTLS_SSL_DEBUG_RET() macro, which supplies the ssl context, file and line number parameters. \attention This function is intended for INTERNAL usage within the library only.
Output a buffer of size len bytes to the debug output. This function is always used through the MBEDTLS_SSL_DEBUG_BUF() macro, which supplies the ssl context, file and line number parameters. \attention This function is intended for INTERNAL usage within the library only.
Print a MPI variable to the debug output. This function is always used through the MBEDTLS_SSL_DEBUG_MPI() macro, which supplies the ssl context, file and line number parameters. \attention This function is intended for INTERNAL usage within the library only.
Print an ECP point to the debug output. This function is always used through the MBEDTLS_SSL_DEBUG_ECP() macro, which supplies the ssl context, file and line number parameters. \attention This function is intended for INTERNAL usage within the library only.
Print a X.509 certificate structure to the debug output. This function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro, which supplies the ssl context, file and line number parameters. \attention This function is intended for INTERNAL usage within the library only.
Print a field of the ECDH structure in the SSL context to the debug output. This function is always used through the MBEDTLS_SSL_DEBUG_ECDH() macro, which supplies the ssl context, file and line number parameters. \attention This function is intended for INTERNAL usage within the library only.
Translate a mbed TLS error code into a string representation, Result is truncated if necessary and always includes a terminating null byte.
This function imports a set of core parameters into an RSA context. Any sequence of calls to this function should be followed by a call to mbedtls_rsa_complete(), which checks and completes the provided information to a ready-for-use public or private RSA key.
This function imports core RSA parameters, in raw big-endian binary format, into an RSA context. Any sequence of calls to this function should be followed by a call to mbedtls_rsa_complete(), which checks and completes the provided information to a ready-for-use public or private RSA key.
This function completes an RSA context from a set of imported core parameters. To setup an RSA public key, precisely \p N and \p E must have been imported. To setup an RSA private key, sufficient information must be present for the other parameters to be derivable. The default implementation supports the following: Derive \p P, \p Q from \p N, \p D, \p E. Derive \p N, \p D from \p P, \p Q, \p E. Alternative implementations need not support these. If this function runs successfully, it guarantees that the RSA context can be used for RSA operations without the risk of failure or crash. \warning This function need not perform consistency checks for the imported parameters. In particular, parameters that are not needed by the implementation might be silently discarded and left unchecked. To check the consistency of the key material, see mbedtls_rsa_check_privkey().
This function exports the core parameters of an RSA key. If this function runs successfully, the non-NULL buffers pointed to by \p N, \p P, \p Q, \p D, and \p E are fully written, with additional unused space filled leading by zero Bytes. Possible reasons for returning #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED: An alternative RSA implementation is in use, which stores the key externally, and either cannot or should not export it into RAM. A SW or HW implementation might not support a certain deduction. For example, \p P, \p Q from \p N, \p D, and \p E if the former are not part of the implementation. If the function fails due to an unsupported operation, the RSA context stays intact and remains usable.
This function exports core parameters of an RSA key in raw big-endian binary format. If this function runs successfully, the non-NULL buffers pointed to by \p N, \p P, \p Q, \p D, and \p E are fully written, with additional unused space filled leading by zero Bytes. Possible reasons for returning #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED: An alternative RSA implementation is in use, which stores the key externally, and either cannot or should not export it into RAM. A SW or HW implementation might not support a certain deduction. For example, \p P, \p Q from \p N, \p D, and \p E if the former are not part of the implementation. If the function fails due to an unsupported operation, the RSA context stays intact and remains usable.
This function sets padding for an already initialized RSA context. See mbedtls_rsa_init() for details.
This function checks if a context contains at least an RSA public key. If the function runs successfully, it is guaranteed that enough information is present to perform an RSA public key operation using mbedtls_rsa_public().
This function checks if a context contains an RSA private key and perform basic consistency checks. \warning This function should catch accidental misconfigurations like swapping of parameters, but it cannot establish full trust in neither the quality nor the consistency of the key material that was used to setup the given RSA context: Consistency: Imported parameters that are irrelevant for the implementation might be silently dropped. If dropped, the current function does not have access to them, and therefore cannot check them. See mbedtls_rsa_complete(). If you want to check the consistency of the entire content of an PKCS1-encoded RSA private key, for example, you should use mbedtls_rsa_validate_params() before setting up the RSA context. Additionally, if the implementation performs empirical checks, these checks substantiate but do not guarantee consistency. Quality: This function is not expected to perform extended quality assessments like checking that the prime factors are safe. Additionally, it is the responsibility of the user to ensure the trustworthiness of the source of his RSA parameters, which goes beyond what is effectively checkable by the library.
This function checks a public-private RSA key pair. It checks each of the contexts, and makes sure they match.
This function performs an RSA private key operation. \warning It is deprecated and a security risk to not provide a PRNG here and thereby prevent the use of blinding. Future versions of the library may enforce the presence of a PRNG.
This function adds the message padding, then performs an RSA operation. It is the generic wrapper for performing a PKCS#1 encryption operation using the \p mode from the context. \deprecated It is deprecated and discouraged to call this function in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library are likely to remove the \p mode argument and have it implicitly set to #MBEDTLS_RSA_PUBLIC.
This function performs a PKCS#1 v1.5 encryption operation (RSAES-PKCS1-v1_5-ENCRYPT). \deprecated It is deprecated and discouraged to call this function in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library are likely to remove the \p mode argument and have it implicitly set to #MBEDTLS_RSA_PUBLIC.
This function performs a PKCS#1 v2.1 OAEP encryption operation (RSAES-OAEP-ENCRYPT). \deprecated It is deprecated and discouraged to call this function in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library are likely to remove the \p mode argument and have it implicitly set to #MBEDTLS_RSA_PUBLIC.
This function performs an RSA operation, then removes the message padding. It is the generic wrapper for performing a PKCS#1 decryption operation using the \p mode from the context. \deprecated It is deprecated and discouraged to call this function in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library are likely to remove the \p mode argument and have it implicitly set to #MBEDTLS_RSA_PRIVATE.
This function performs a PKCS#1 v1.5 decryption operation (RSAES-PKCS1-v1_5-DECRYPT). \deprecated It is deprecated and discouraged to call this function in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library are likely to remove the \p mode argument and have it implicitly set to #MBEDTLS_RSA_PRIVATE.
This function performs a PKCS#1 v2.1 OAEP decryption operation (RSAES-OAEP-DECRYPT). \deprecated It is deprecated and discouraged to call this function in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library are likely to remove the \p mode argument and have it implicitly set to #MBEDTLS_RSA_PRIVATE.
This function performs a private RSA operation to sign a message digest using PKCS#1. It is the generic wrapper for performing a PKCS#1 signature using the \p mode from the context. \deprecated It is deprecated and discouraged to call this function in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library are likely to remove the \p mode argument and have it implicitly set to #MBEDTLS_RSA_PRIVATE.
This function performs a PKCS#1 v1.5 signature operation (RSASSA-PKCS1-v1_5-SIGN). \deprecated It is deprecated and discouraged to call this function in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library are likely to remove the \p mode argument and have it implicitly set to #MBEDTLS_RSA_PRIVATE.
This function performs a PKCS#1 v2.1 PSS signature operation (RSASSA-PSS-SIGN). \deprecated It is deprecated and discouraged to call this function in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library are likely to remove the \p mode argument and have it implicitly set to #MBEDTLS_RSA_PRIVATE.
This function performs a public RSA operation and checks the message digest. This is the generic wrapper for performing a PKCS#1 verification using the mode from the context. \deprecated It is deprecated and discouraged to call this function in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library are likely to remove the \p mode argument and have it set to #MBEDTLS_RSA_PUBLIC.
This function performs a PKCS#1 v1.5 verification operation (RSASSA-PKCS1-v1_5-VERIFY). \deprecated It is deprecated and discouraged to call this function in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library are likely to remove the \p mode argument and have it set to #MBEDTLS_RSA_PUBLIC.
This function performs a PKCS#1 v2.1 PSS verification operation (RSASSA-PSS-VERIFY). The hash function for the MGF mask generating function is that specified in the RSA context. \deprecated It is deprecated and discouraged to call this function in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library are likely to remove the \p mode argument and have it implicitly set to #MBEDTLS_RSA_PUBLIC.
This function performs a PKCS#1 v2.1 PSS verification operation (RSASSA-PSS-VERIFY). The hash function for the MGF mask generating function is that specified in \p mgf1_hash_id.
Initialize DES context \warning DES is considered a weak cipher and its use constitutes a security risk. We recommend considering stronger ciphers instead.
Clear DES context \warning DES is considered a weak cipher and its use constitutes a security risk. We recommend considering stronger ciphers instead.
Initialize MD5 context \warning MD5 is considered a weak message digest and its use constitutes a security risk. We recommend considering stronger message digests instead.
Clear MD5 context \warning MD5 is considered a weak message digest and its use constitutes a security risk. We recommend considering stronger message digests instead.
Clone (the state of) an MD5 context \warning MD5 is considered a weak message digest and its use constitutes a security risk. We recommend considering stronger message digests instead.
MD5 context setup \warning MD5 is considered a weak message digest and its use constitutes a security risk. We recommend considering stronger message digests instead.
MD5 process buffer \warning MD5 is considered a weak message digest and its use constitutes a security risk. We recommend considering stronger message digests instead.
MD5 final digest \warning MD5 is considered a weak message digest and its use constitutes a security risk. We recommend considering stronger message digests instead.
MD5 process data block (internal use only) \warning MD5 is considered a weak message digest and its use constitutes a security risk. We recommend considering stronger message digests instead.
Output = MD5( input buffer ) \warning MD5 is considered a weak message digest and its use constitutes a security risk. We recommend considering stronger message digests instead.
Set key parity on the given key to odd. DES keys are 56 bits long, but each byte is padded with a parity bit to allow verification. \warning DES is considered a weak cipher and its use constitutes a security risk. We recommend considering stronger ciphers instead.
Check that key parity on the given key is odd. DES keys are 56 bits long, but each byte is padded with a parity bit to allow verification. \warning DES is considered a weak cipher and its use constitutes a security risk. We recommend considering stronger ciphers instead.
Check that key is not a weak or semi-weak DES key \warning DES is considered a weak cipher and its use constitutes a security risk. We recommend considering stronger ciphers instead.
DES key schedule (56-bit, encryption) \warning DES is considered a weak cipher and its use constitutes a security risk. We recommend considering stronger ciphers instead.
DES key schedule (56-bit, decryption) \warning DES is considered a weak cipher and its use constitutes a security risk. We recommend considering stronger ciphers instead.
DES-ECB block encryption/decryption \warning DES is considered a weak cipher and its use constitutes a security risk. We recommend considering stronger ciphers instead.
Internal function for key expansion. (Only exposed to allow overriding it, see MBEDTLS_DES_SETKEY_ALT) \warning DES is considered a weak cipher and its use constitutes a security risk. We recommend considering stronger ciphers instead.
Other commonly used symbols
Name
Location
Summary
Wrapper type for sockets. Currently backed by just a file descriptor, but might be more in the future (eg two file descriptors for combined IPv4 + IPv6 support, or additional structures for hand-made UDP demultiplexing).
The ECP group structure. We consider two types of curve equations: Short Weierstrass: y^2 = x^3 + A x + B mod P (SEC1 + RFC-4492) Montgomery: y^2 = x^3 + A x^2 + x mod P (Curve25519, Curve448) In both cases, the generator (\p G) for a prime-order subgroup is fixed. For Short Weierstrass, this subgroup is the whole curve, and its cardinality is denoted by \p N. Our code requires that \p N is an odd prime as mbedtls_ecp_mul() requires an odd number, and mbedtls_ecdsa_sign() requires that it is prime for blinding purposes. For Montgomery curves, we do not store \p A, but (A + 2) / 4, which is the quantity used in the formulas. Additionally, \p nbits is not the size of \p N but the required size for private keys. If \p modp is NULL, reduction modulo \p P is done using a generic algorithm. Otherwise, \p modp must point to a function that takes an \p mbedtls_mpi in the range of 0..2^(2*pbits)-1, and transforms it in-place to an integer which is congruent mod \p P to the given MPI, and is close enough to \p pbits in size, so that it may be efficiently brought in the 0..P-1 range by a few additions or subtractions. Therefore, it is only an approximative modular reduction. It must return 0 on success and non-zero on failure.
SSL/TLS configuration to be shared between mbedtls_ssl_context structures.
The ECP key-pair structure. A generic key-pair that may be used for ECDSA and fixed ECDH, for example.
This structure is used for storing ciphersuite information
The SHA-512 context structure. The structure is used both for SHA-384 and for SHA-512 checksum calculations. The choice between these two is made in the call to mbedtls_sha512_starts_ret().
The SHA-256 context structure. The structure is used both for SHA-256 and for SHA-224 checksum calculations. The choice between these two is made in the call to mbedtls_sha256_starts_ret().
Message digest information. Allows message digest functions to be called in a generic way.
\warning Performing multiple operations concurrently on the same ECDSA context is not supported; objects of this type should not be shared between multiple threads. The ECDH context structure.
Cipher information. Allows calling cipher functions in a generic way.
No data of requested type currently available on underlying transport.
Security profile for certificate verification. All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG().
Certificate revocation list structure. Every CRL may have multiple entries.
Internal error (eg, unexpected failure in lower-level module)
MD5 context structure \warning MD5 is considered a weak message digest and its use constitutes a security risk. We recommend considering stronger message digests instead.
Build flag from an algorithm/curve identifier (pk, md, ecp) Since 0 is always XXX_NONE, ignore it.
Processing of the ClientHello handshake message failed.
Base cipher information. The non-mode specific functions and values.
Processing of the ServerHello handshake message failed.
DES context structure \warning DES is considered a weak cipher and its use constitutes a security risk. We recommend considering stronger ciphers instead.
The context is invalid, eg because it was free()ed.
Verification chain as built by \c mbedtls_crt_verify_chain()
For Short Weierstrass: The number of bits in \p P. For Montgomery curves: the number of bits in the private keys.
Processing of the ServerKeyExchange handshake message failed.
The peer notified us that the connection is going to be closed.
The CRT/CRL/CSR format is invalid, e.g. different type expected.
Item in a verification chain: cert and flags for it
The key size used by the cipher (compile-time choice: 256 bits).
Error when trying to determine the length or invalid length.
Processing of the CertificateVerify handshake message failed.
The cipher key length, in bits. This is the default length for variable sized ciphers. Includes parity bits for ciphers like DES.
Domain parameters for the 256-bit curve defined by FIPS 186-4 and SEC1.
Domain parameters for the 384-bit curve defined by FIPS 186-4 and SEC1.
Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256
The requested feature is not available, for example, the requested curve is not supported.
Certificate revocation list entry. Contains the CA-specific serial numbers and revocation dates.
Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+
Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA
The certificate is signed with an unacceptable key (eg bad curve, RSA too short).
Optional list of Subject Alternative Names (Only dNSName supported).
The certificate Common Name (CN) does not match with the expected CN.
The certificate is not correctly signed by the trusted CA.
The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA).
Processing of the CertificateRequest handshake message failed.
IV or nonce size, in Bytes. For ciphers that accept variable IV sizes, this is the recommended size.
Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise.
Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS
Default security profile. Should provide a good balance between security and compatibility with current deployments.
The input arguments are negative or result in illegal output.
The pubkey tag or value is invalid (only RSA and EC are supported).
Certificate verification failed, e.g. CRL, CA or signature check failed.
The input (entropy + additional data) is too large.
Bitflag comprised of MBEDTLS_CIPHER_VARIABLE_IV_LEN and MBEDTLS_CIPHER_VARIABLE_KEY_LEN indicating whether the cipher supports variable IV or variable key sizes, respectively.
Current IV or NONCE_COUNTER for CTR-mode, data unit (or sector) number for XTS-mode.
Options for RSASSA-PSS signature verification. See \c mbedtls_rsa_rsassa_pss_verify_ext()
Optional Netscape certificate type extension value: See the values in x509.h
The input argument for division is zero, which is not allowed.
The buffer contains a valid signature followed by more data.
\name DER constants These constants comply with the DER encoded ASN.1 type tags. DER encoding uses hexadecimal representation. An example DER sequence is:\n - 0x02 -- tag indicating INTEGER - 0x01 -- length in octets - 0x05 -- value Such sequences are typically read into \c ::mbedtls_x509_buf.
Maximum number of intermediate CAs in a verification chain. That is, maximum length of the chain, excluding the end-entity certificate and the trusted root certificate. Set this to a low value to prevent an adversary from making you waste resources verifying an overlong certificate chain.
A fatal error occured, eg the chain is too long or the vrfy callback failed.
Max size of verification chain: end-entity + intermediates + trusted root
No client certification received from the client, but required by the authentication mode.
The own private key or pre-shared key is not set, but needed.
Processing of the ClientKeyExchange handshake message failed.
Internal-only message signaling that further message-processing should be done
Unaligned data buffer. This buffer can hold 32 extra Bytes, which can be used for one of the following purposes: Alignment if VIA padlock is used. Simplifying key expansion in the 256-bit case by generating an extra round key.
This determines whether prediction resistance is enabled, that is whether to systematically reseed before each random generation.
pkcs OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) 1 }
Unavailable feature, e.g. hashing/encryption combination.
Domain parameters for the 521-bit curve defined by FIPS 186-4 and SEC1.
Expected next default profile. Recommended for new deployments. Currently targets a 128-bit security level, except for RSA-2048.
Given private key password does not allow for correct decryption.
Elliptic curve is unsupported (only NIST curves are supported).
The buffer contains a valid signature followed by more data.
The context is invalid. For example, because it was freed.
Compares an mbedtls_asn1_buf structure to a reference OID. Only works for 'defined' oid_str values (MBEDTLS_OID_HMAC_SHA1), you cannot use a 'unsigned char *oid' here!
Unavailable feature, e.g. RSA hashing/encryption combination.
Signature algorithms do not match. (see \c ::mbedtls_x509_crt sig_oid)
The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA).
The CRL is signed with an unacceptable key (eg bad curve, RSA too short).
Our own certificate(s) is/are too large to send in an SSL message.
The own certificate is not set, but needed by the server.
Processing of the ServerHelloDone handshake message failed.
Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public.
Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret.
Public key type mismatch (eg, asked for RSA key exchange and presented EC key)
Unexpected message at ServerHello in renegotiation.
None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages).
The amount of entropy used per seed by default: 48 with SHA-512. 32 with SHA-256.
{ joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) Private Internet Extensions { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) }
pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 }
pkcs-9 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 }
id-sha224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 4 }
id-mbedtls_sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1 }
id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2 }
id-mbedtls_sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3 }
id-hmacWithSHA224 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 8 }
id-hmacWithSHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 9 }
id-hmacWithSHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 10 }
id-hmacWithSHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 11 }
desCBC OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 7 }
des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) -- us(840) rsadsi(113549) encryptionAlgorithm(3) 7 }
Given private key password does not allow for correct decryption.
\file check_config.h Consistency checks for configuration options
\file entropy_poll.h Platform-specific and custom entropy polling functions
Key length in bits, including parity, for DES in two-key EDE.
Key length in bits, including parity, for DES in three-key EDE.
Domain parameters for the 192-bit curve defined by FIPS 186-4 and SEC1.
Domain parameters for the 224-bit curve defined by FIPS 186-4 and SEC1.
Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256
Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA
Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS
\file platform.h This file contains the definitions and functions of the Mbed TLS platform abstraction layer. The platform abstraction layer removes the need for the library to directly link to standard C library functions or operating system services, making the library easier to port and embed. Application developers and users of the library can provide their own implementations of these functions, or implementations specific to their platform, which can be statically linked to the library or dynamically configured at runtime.
The requested feature is not supported by the platform
\file net_sockets.h Network sockets abstraction layer to integrate Mbed TLS into a BSD-style sockets API. The network sockets module provides an example integration of the Mbed TLS library into a BSD sockets implementation. The module is intended to be an example of how Mbed TLS can be integrated into a networking stack, as well as to be Mbed TLS's network integration for its supported platforms. The module is intended only to be used with the Mbed TLS library and is not intended to be used by third party application software directly. The supported platforms are as follows: * Microsoft Windows and Windows CE * POSIX/Unix platforms including Linux, OS X
An error occurred while reading from or writing to a file.
\file ecp.h This file provides an API for Elliptic Curves over GF(P) (ECP). The use of ECP in cryptography and TLS is defined in Standards for Efficient Cryptography Group (SECG): SEC1 Elliptic Curve Cryptography and RFC-4492: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS). RFC-2409: The Internet Key Exchange (IKE) defines ECP group types.
Operation in progress, call again with the same parameters to continue.
\file ssl_ciphersuites.h SSL Ciphersuites for mbed TLS
\file md.h This file contains the generic message-digest wrapper. \author Adriaan de Jong <dejong@fox-it.com>
\file ecdsa.h This file contains ECDSA definitions and functions. The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in Standards for Efficient Cryptography Group (SECG): SEC1 Elliptic Curve Cryptography. The use of ECDSA for TLS is defined in RFC-4492: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS).
\file cipher.h This file contains an abstraction interface for use with the cipher primitives provided by the library. It provides a common interface to all of the available cipher operations. \author Adriaan de Jong <dejong@fox-it.com>
\file platform_util.h Common and shared functions used by multiple modules in the Mbed TLS library.
\file ecdh.h This file contains ECDH definitions and functions. The Elliptic Curve Diffie-Hellman (ECDH) protocol is an anonymous key agreement protocol allowing two parties to establish a shared secret over an insecure channel. Each party must have an elliptic-curve public–private key pair. For more information, see NIST SP 800-56A Rev. 2: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography.
Processing of the ChangeCipherSpec handshake message failed.
Hardware acceleration function skipped / left alone data
Processing of the NewSessionTicket handshake message failed.
Internal-only message signaling that a message arrived early.
A cryptographic operation is in progress. Try again later.
\file debug.h Functions for controlling and providing debug output from the library.
\file sha512.h This file contains SHA-384 and SHA-512 definitions and functions. The Secure Hash Algorithms 384 and 512 (SHA-384 and SHA-512) cryptographic hash functions are defined in FIPS 180-4: Secure Hash Standard (SHS).
\file ctr_drbg.h This file contains CTR_DRBG definitions and functions. CTR_DRBG is a standardized way of building a PRNG from a block-cipher in counter mode operation, as defined in NIST SP 800-90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators. The Mbed TLS implementation of CTR_DRBG uses AES-256 (default) or AES-128 as the underlying block cipher. \warning Using 128-bit keys for CTR_DRBG limits the security of generated keys and operations that use random values generated to 128-bit security.
\file aes.h This file contains AES definitions and functions. The Advanced Encryption Standard (AES) specifies a FIPS-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt and decrypt information. For more information, see FIPS Publication 197: Advanced Encryption Standard and ISO/IEC 18033-2:2006: Information technology -- Security techniques -- Encryption algorithms -- Part 2: Asymmetric ciphers. The AES-XTS block mode is standardized by NIST SP 800-38E and described in detail by IEEE P1619 .
Feature not available. For example, an unsupported AES key size.
\file memory_buffer_alloc.h Buffer-based memory allocator
\file cipher_internal.h Cipher wrappers. \author Adriaan de Jong <dejong@fox-it.com>
\file gcm.h This file contains GCM definitions and functions. The Galois/Counter Mode (GCM) for 128-bit block ciphers is defined in D. McGrew, J. Viega, The Galois/Counter Mode of Operation (GCM), Natl. Inst. Stand. Technol. For more information on GCM, see NIST SP 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC.
\file ecp_internal.h Function declarations for alternative implementation of elliptic curve point arithmetic.
\file md_internal.h Message digest wrappers. \warning This in an internal header. Do not include directly. \author Adriaan de Jong <dejong@fox-it.com>
\file sha256.h This file contains SHA-224 and SHA-256 definitions and functions. The Secure Hash Algorithms 224 and 256 (SHA-224 and SHA-256) cryptographic hash functions are defined in FIPS 180-4: Secure Hash Standard (SHS).
Selects padding mode: #MBEDTLS_RSA_PKCS_V15 for 1.5 padding and #MBEDTLS_RSA_PKCS_V21 for OAEP or PSS.
Hash identifier of mbedtls_md_type_t type, as specified in md.h for use in the MGF mask generating function used in the EME-OAEP and EMSA-PSS encodings.
id-domainComponent AttributeType:= {itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100) pilotAttributeType(1) domainComponent(25)} id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }
id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 }
id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 }
anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
pkcs-5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 5 }
pkcs-12 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 12 }
id-mbedtls_md2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 2 }
id-mbedtls_md4 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 4 }
id-mbedtls_md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5 }
id-mbedtls_sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 26 }
id-hmacWithSHA1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 7 }
aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) 1 }
id-aes256-wrap-pad OBJECT IDENTIFIER ::= { aes 48 } id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12}
pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 10}
pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11}
pbeWithSHAAnd128BitRC4 OBJECT IDENTIFIER ::= {pkcs-12PbeIds 1}
pbeWithSHAAnd40BitRC4 OBJECT IDENTIFIER ::= {pkcs-12PbeIds 2}
pbeWithSHAAnd3-KeyTripleDES-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 3}
pbeWithSHAAnd2-KeyTripleDES-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 4}
pbeWithSHAAnd128BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 5}
pbeWithSHAAnd40BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 6}
\file rsa.h This file provides an API for the RSA public-key cryptosystem. The RSA public-key cryptosystem is defined in Public-Key Cryptography Standards (PKCS) #1 v1.5: RSA Encryption and Public-Key Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography Specifications.
The implementation does not offer the requested operation, for example, because of security violations or lack of functionality.
\file des.h DES block cipher \warning DES is considered a weak cipher and its use constitutes a security risk. We recommend considering stronger ciphers instead.
\file md5.h MD5 message digest algorithm (hash function) \warning MD5 is considered a weak message digest and its use constitutes a security risk. We recommend considering stronger message digests instead.
\file pk_internal.h Public Key abstraction layer: wrapper functions
\file pkcs11.h Wrapper for PKCS#11 library libpkcs11-helper \author Adriaan de Jong <dejong@fox-it.com>
\file ssl_internal.h Internal functions shared by the SSL modules
Dependencies
mbedTLS depends on the following libraries: