Move easy ssl_set_xxx() functions to work on conf
mbedtls_ssl_set_alpn_protocols
mbedtls_ssl_set_arc4_support
mbedtls_ssl_set_authmode
mbedtls_ssl_set_ciphersuites
mbedtls_ssl_set_ciphersuites_for_version
mbedtls_ssl_set_curves
mbedtls_ssl_set_dbg
mbedtls_ssl_set_dh_param
mbedtls_ssl_set_dh_param_ctx
mbedtls_ssl_set_dtls_anti_replay
mbedtls_ssl_set_dtls_badmac_limit
mbedtls_ssl_set_dtls_cookies
mbedtls_ssl_set_encrypt_then_mac
mbedtls_ssl_set_endpoint
mbedtls_ssl_set_extended_master_secret
mbedtls_ssl_set_handshake_timeout
mbedtls_ssl_legacy_renegotiation
mbedtls_ssl_set_max_version
mbedtls_ssl_set_min_version
mbedtls_ssl_set_psk_cb
mbedtls_ssl_set_renegotiation
mbedtls_ssl_set_renegotiation_enforced
mbedtls_ssl_set_renegotiation_period
mbedtls_ssl_set_session_cache
mbedtls_ssl_set_session_ticket_lifetime
mbedtls_ssl_set_sni
mbedtls_ssl_set_transport
mbedtls_ssl_set_truncated_hmac
mbedtls_ssl_set_verify
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index d515eb1..4f826e4 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1187,19 +1187,19 @@
/**
* \brief Set the current endpoint type
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param endpoint must be MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER
*
* \note This function should be called right after mbedtls_ssl_init() since
* some other ssl_set_foo() functions depend on it.
*/
-void mbedtls_ssl_set_endpoint( mbedtls_ssl_context *ssl, int endpoint );
+void mbedtls_ssl_set_endpoint( mbedtls_ssl_config *conf, int endpoint );
/**
* \brief Set the transport type (TLS or DTLS).
* Default: TLS
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param transport transport type:
* MBEDTLS_SSL_TRANSPORT_STREAM for TLS,
* MBEDTLS_SSL_TRANSPORT_DATAGRAM for DTLS.
@@ -1212,12 +1212,13 @@
* doesn't block, or one that handles timeouts, see
* mbedtls_ssl_set_bio_timeout()
*/
-int mbedtls_ssl_set_transport( mbedtls_ssl_context *ssl, int transport );
+int mbedtls_ssl_set_transport( mbedtls_ssl_config *conf, int transport );
/**
* \brief Set the certificate verification mode
+ * Default: NONE on server, REQUIRED on client
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param authmode can be:
*
* MBEDTLS_SSL_VERIFY_NONE: peer certificate is not checked
@@ -1238,7 +1239,7 @@
* the verification as soon as possible. For example, REQUIRED was protecting
* against the "triple handshake" attack even before it was found.
*/
-void mbedtls_ssl_set_authmode( mbedtls_ssl_context *ssl, int authmode );
+void mbedtls_ssl_set_authmode( mbedtls_ssl_config *conf, int authmode );
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/**
@@ -1248,11 +1249,11 @@
* certificate in the chain. For implementation
* information, please see \c x509parse_verify()
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param f_vrfy verification function
* \param p_vrfy verification parameter
*/
-void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl,
+void mbedtls_ssl_set_verify( mbedtls_ssl_config *conf,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
void *p_vrfy );
#endif /* MBEDTLS_X509_CRT_PARSE_C */
@@ -1271,11 +1272,11 @@
/**
* \brief Set the debug callback
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param f_dbg debug function
* \param p_dbg debug parameter
*/
-void mbedtls_ssl_set_dbg( mbedtls_ssl_context *ssl,
+void mbedtls_ssl_set_dbg( mbedtls_ssl_config *conf,
void (*f_dbg)(void *, int, const char *),
void *p_dbg );
@@ -1404,12 +1405,12 @@
* Only disable if you known this can't happen in your
* particular environment.
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param f_cookie_write Cookie write callback
* \param f_cookie_check Cookie check callback
* \param p_cookie Context for both callbacks
*/
-void mbedtls_ssl_set_dtls_cookies( mbedtls_ssl_context *ssl,
+void mbedtls_ssl_set_dtls_cookies( mbedtls_ssl_config *conf,
mbedtls_ssl_cookie_write_t *f_cookie_write,
mbedtls_ssl_cookie_check_t *f_cookie_check,
void *p_cookie );
@@ -1421,7 +1422,7 @@
* (DTLS only, no effect on TLS.)
* Default: enabled.
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param mode MBEDTLS_SSL_ANTI_REPLAY_ENABLED or MBEDTLS_SSL_ANTI_REPLAY_DISABLED.
*
* \warning Disabling this is a security risk unless the application
@@ -1431,7 +1432,7 @@
* packets and needs information about them to adjust its
* transmission strategy, then you'll want to disable this.
*/
-void mbedtls_ssl_set_dtls_anti_replay( mbedtls_ssl_context *ssl, char mode );
+void mbedtls_ssl_set_dtls_anti_replay( mbedtls_ssl_config *conf, char mode );
#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
@@ -1441,7 +1442,7 @@
* (DTLS only, no effect on TLS.)
* Default: 0 (disabled).
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param limit Limit, or 0 to disable.
*
* \note If the limit is N, then the connection is terminated when
@@ -1458,7 +1459,7 @@
* might make us waste resources checking authentication on
* many bogus packets.
*/
-void mbedtls_ssl_set_dtls_badmac_limit( mbedtls_ssl_context *ssl, unsigned limit );
+void mbedtls_ssl_set_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit );
#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
@@ -1466,7 +1467,7 @@
* \brief Set retransmit timeout values for the DTLS handshale.
* (DTLS only, no effect on TLS.)
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param min Initial timeout value in milliseconds.
* Default: 1000 (1 second).
* \param max Maximum timeout value in milliseconds.
@@ -1478,7 +1479,7 @@
* handshake latency. Lower values may increase the risk of
* network congestion by causing more retransmissions.
*/
-void mbedtls_ssl_set_handshake_timeout( mbedtls_ssl_context *ssl, uint32_t min, uint32_t max );
+void mbedtls_ssl_set_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max );
#endif /* MBEDTLS_SSL_PROTO_DTLS */
/**
@@ -1513,13 +1514,13 @@
* an entry is still valid in the future. Return 0 if
* successfully cached, return 1 otherwise.
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param f_get_cache session get callback
* \param p_get_cache session get parameter
* \param f_set_cache session set callback
* \param p_set_cache session set parameter
*/
-void mbedtls_ssl_set_session_cache( mbedtls_ssl_context *ssl,
+void mbedtls_ssl_set_session_cache( mbedtls_ssl_config *conf,
int (*f_get_cache)(void *, mbedtls_ssl_session *), void *p_get_cache,
int (*f_set_cache)(void *, const mbedtls_ssl_session *), void *p_set_cache );
#endif /* MBEDTLS_SSL_SRV_C */
@@ -1551,17 +1552,18 @@
* over the preference of the client unless
* MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE is defined!
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param ciphersuites 0-terminated list of allowed ciphersuites
*/
-void mbedtls_ssl_set_ciphersuites( mbedtls_ssl_context *ssl, const int *ciphersuites );
+void mbedtls_ssl_set_ciphersuites( mbedtls_ssl_config *conf,
+ const int *ciphersuites );
/**
* \brief Set the list of allowed ciphersuites and the
* preference order for a specific version of the protocol.
* (Only useful on the server side)
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param ciphersuites 0-terminated list of allowed ciphersuites
* \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3
* supported)
@@ -1572,7 +1574,7 @@
* \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0
* and MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
*/
-void mbedtls_ssl_set_ciphersuites_for_version( mbedtls_ssl_context *ssl,
+void mbedtls_ssl_set_ciphersuites_for_version( mbedtls_ssl_config *conf,
const int *ciphersuites,
int major, int minor );
@@ -1642,11 +1644,11 @@
* identity and return 0.
* Any other return value will result in a denied PSK identity.
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param f_psk PSK identity function
* \param p_psk PSK identity parameter
*/
-void mbedtls_ssl_set_psk_cb( mbedtls_ssl_context *ssl,
+void mbedtls_ssl_set_psk_cb( mbedtls_ssl_config *conf,
int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
size_t),
void *p_psk );
@@ -1658,24 +1660,24 @@
* read as hexadecimal strings (server-side only)
* (Default: MBEDTLS_DHM_RFC5114_MODP_1024_[PG])
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param dhm_P Diffie-Hellman-Merkle modulus
* \param dhm_G Diffie-Hellman-Merkle generator
*
* \return 0 if successful
*/
-int mbedtls_ssl_set_dh_param( mbedtls_ssl_context *ssl, const char *dhm_P, const char *dhm_G );
+int mbedtls_ssl_set_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G );
/**
* \brief Set the Diffie-Hellman public P and G values,
* read from existing context (server-side only)
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param dhm_ctx Diffie-Hellman-Merkle context
*
* \return 0 if successful
*/
-int mbedtls_ssl_set_dh_param_ctx( mbedtls_ssl_context *ssl, mbedtls_dhm_context *dhm_ctx );
+int mbedtls_ssl_set_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx );
#endif /* MBEDTLS_DHM_C */
#if defined(MBEDTLS_SSL_SET_CURVES)
@@ -1693,11 +1695,11 @@
* Both sides: limits the set of curves used by peer to the
* listed curves for any use (ECDH(E), certificates).
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param curves Ordered list of allowed curves,
* terminated by MBEDTLS_ECP_DP_NONE.
*/
-void mbedtls_ssl_set_curves( mbedtls_ssl_context *ssl, const mbedtls_ecp_group_id *curves );
+void mbedtls_ssl_set_curves( mbedtls_ssl_config *conf, const mbedtls_ecp_group_id *curves );
#endif /* MBEDTLS_SSL_SET_CURVES */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
@@ -1728,11 +1730,11 @@
* callback should return -1 to abort the handshake at this
* point.
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param f_sni verification function
* \param p_sni verification parameter
*/
-void mbedtls_ssl_set_sni( mbedtls_ssl_context *ssl,
+void mbedtls_ssl_set_sni( mbedtls_ssl_config *conf,
int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *,
size_t),
void *p_sni );
@@ -1742,13 +1744,13 @@
/**
* \brief Set the supported Application Layer Protocols.
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param protos NULL-terminated list of supported protocols,
* in decreasing preference order.
*
* \return 0 on success, or MBEDTLS_ERR_SSL_BAD_INPUT_DATA.
*/
-int mbedtls_ssl_set_alpn_protocols( mbedtls_ssl_context *ssl, const char **protos );
+int mbedtls_ssl_set_alpn_protocols( mbedtls_ssl_config *conf, const char **protos );
/**
* \brief Get the name of the negotiated Application Layer Protocol.
@@ -1769,7 +1771,7 @@
*
* Note: This ignores ciphersuites from 'higher' versions.
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported)
* \param minor Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
* MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2,
@@ -1779,7 +1781,7 @@
* \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and
* MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
*/
-int mbedtls_ssl_set_max_version( mbedtls_ssl_context *ssl, int major, int minor );
+int mbedtls_ssl_set_max_version( mbedtls_ssl_config *conf, int major, int minor );
/**
* \brief Set the minimum accepted SSL/TLS protocol version
@@ -1790,7 +1792,7 @@
*
* \note MBEDTLS_SSL_MINOR_VERSION_0 (SSL v3) should be avoided.
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported)
* \param minor Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
* MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2,
@@ -1800,7 +1802,7 @@
* \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and
* MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
*/
-int mbedtls_ssl_set_min_version( mbedtls_ssl_context *ssl, int major, int minor );
+int mbedtls_ssl_set_min_version( mbedtls_ssl_config *conf, int major, int minor );
#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
/**
@@ -1834,10 +1836,10 @@
* improvement, and should not cause any interoperability
* issue (used only if the peer supports it too).
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param etm MBEDTLS_SSL_ETM_ENABLED or MBEDTLS_SSL_ETM_DISABLED
*/
-void mbedtls_ssl_set_encrypt_then_mac( mbedtls_ssl_context *ssl, char etm );
+void mbedtls_ssl_set_encrypt_then_mac( mbedtls_ssl_config *conf, char etm );
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
@@ -1849,10 +1851,10 @@
* protocol, and should not cause any interoperability issue
* (used only if the peer supports it too).
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param ems MBEDTLS_SSL_EXTENDED_MS_ENABLED or MBEDTLS_SSL_EXTENDED_MS_DISABLED
*/
-void mbedtls_ssl_set_extended_master_secret( mbedtls_ssl_context *ssl, char ems );
+void mbedtls_ssl_set_extended_master_secret( mbedtls_ssl_config *conf, char ems );
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
/**
@@ -1865,10 +1867,10 @@
* \note This function will likely be removed in future versions as
* RC4 will then be disabled by default at compile time.
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param arc4 MBEDTLS_SSL_ARC4_ENABLED or MBEDTLS_SSL_ARC4_DISABLED
*/
-void mbedtls_ssl_set_arc4_support( mbedtls_ssl_context *ssl, char arc4 );
+void mbedtls_ssl_set_arc4_support( mbedtls_ssl_config *conf, char arc4 );
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
/**
@@ -1895,13 +1897,13 @@
* (Default: MBEDTLS_SSL_TRUNC_HMAC_DISABLED on client,
* MBEDTLS_SSL_TRUNC_HMAC_ENABLED on server.)
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param truncate Enable or disable (MBEDTLS_SSL_TRUNC_HMAC_ENABLED or
* MBEDTLS_SSL_TRUNC_HMAC_DISABLED)
*
* \return Always 0.
*/
-int mbedtls_ssl_set_truncated_hmac( mbedtls_ssl_context *ssl, int truncate );
+int mbedtls_ssl_set_truncated_hmac( mbedtls_ssl_config *conf, int truncate );
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
@@ -1942,10 +1944,10 @@
* \brief Set session ticket lifetime (server only)
* (Default: MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME (86400 secs / 1 day))
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param lifetime session ticket lifetime
*/
-void mbedtls_ssl_set_session_ticket_lifetime( mbedtls_ssl_context *ssl, int lifetime );
+void mbedtls_ssl_set_session_ticket_lifetime( mbedtls_ssl_config *conf, int lifetime );
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
#if defined(MBEDTLS_SSL_RENEGOTIATION)
@@ -1958,11 +1960,11 @@
* resource DoS by a malicious client. You should enable this on
* a client to enable server-initiated renegotiation.
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param renegotiation Enable or disable (MBEDTLS_SSL_RENEGOTIATION_ENABLED or
* MBEDTLS_SSL_RENEGOTIATION_DISABLED)
*/
-void mbedtls_ssl_set_renegotiation( mbedtls_ssl_context *ssl, int renegotiation );
+void mbedtls_ssl_set_renegotiation( mbedtls_ssl_config *conf, int renegotiation );
#endif /* MBEDTLS_SSL_RENEGOTIATION */
/**
@@ -1987,12 +1989,12 @@
* that do not support renegotiation altogether.
* (Most secure option, interoperability issues)
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param allow_legacy Prevent or allow (SSL_NO_LEGACY_RENEGOTIATION,
* SSL_ALLOW_LEGACY_RENEGOTIATION or
* MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE)
*/
-void mbedtls_ssl_legacy_renegotiation( mbedtls_ssl_context *ssl, int allow_legacy );
+void mbedtls_ssl_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy );
#if defined(MBEDTLS_SSL_RENEGOTIATION)
/**
@@ -2027,12 +2029,12 @@
* if we receive application data from the server, we need a
* place to write it, which only happens during mbedtls_ssl_read().
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param max_records Use MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED if you don't want to
* enforce renegotiation, or a non-negative value to enforce
* it but allow for a grace period of max_records records.
*/
-void mbedtls_ssl_set_renegotiation_enforced( mbedtls_ssl_context *ssl, int max_records );
+void mbedtls_ssl_set_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records );
/**
* \brief Set record counter threshold for periodic renegotiation.
@@ -2047,11 +2049,11 @@
* Lower values can be used to enforce policies such as "keys
* must be refreshed every N packets with cipher X".
*
- * \param ssl SSL context
+ * \param conf SSL configuration
* \param period The threshold value: a big-endian 64-bit number.
* Set to 2^64 - 1 to disable periodic renegotiation
*/
-void mbedtls_ssl_set_renegotiation_period( mbedtls_ssl_context *ssl,
+void mbedtls_ssl_set_renegotiation_period( mbedtls_ssl_config *conf,
const unsigned char period[8] );
#endif /* MBEDTLS_SSL_RENEGOTIATION */