External Function Dependencies
mbed TLS is as loosely coupled as possible and does not rely on any external libraries. It does use a number of standard libc functions. This page lists which external calls are present and how easily each can be removed if the target platform does not provide it. It describes mbed TLS 2.0 and covers the core library only (excluding the example programs and test suites, but including the self-test functions, which are part of the library).
Some of the dependencies are controlled by configuration flags; see "How do I configure mbed TLS", and see "How do I port mbed TLS to a new environment or OS" for a full description of how to set those flags when porting mbed TLS to a new environment.
Signals and alarms
Both net.c and timing.c use signal handlers. timing.c uses them only in support code for the example programs; within net.c they do serve a purpose. This dependency can be removed by disabling or adapting the example programs and by using alternate I/O callbacks instead of net.c in the SSL/TLS layer.
Only timing.c uses alarm(). This code is only used as support code for the example programs, not in the actual library, and the dependency can easily be removed.
Only net.c uses select(), either for sleeping (only used in example programs, not in the library) or for providing blocking reads with timeouts. This dependency can be removed by using alternate I/O callbacks instead of net.c in the SSL/TLS layer.
Network/Socket based functions
The network and socket based functions are only used in the network module (net.c). As the SSL/TLS part only talks to the transport through function pointers, it is easy to replace net.c with something else (lwIP, for example) as long as the behaviour of the callbacks is the same: return the number of bytes transferred, return a WANT_READ/WANT_WRITE error when the transport would block, and return zero bytes from a read only when the peer has closed the connection.
Functions covered: on Windows, functions from the Windows Sockets API, and on Unix:
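As an added example (not mbed TLS code), the following in-memory transport implements the send/recv callback contract that mbedtls_ssl_set_bio() expects, which is all the SSL/TLS layer needs in place of net.c. The two error-code values are copied from mbedtls/ssl.h (2.x) so the file builds without the library headers; the bounded FIFO and the traffic driven through it in mem_bio_selfcheck() are constructed for the example.

```c
/* Added example: a bounded in-memory FIFO used as an SSL/TLS transport.
 * It follows the contract of the f_send/f_recv callbacks passed to
 * mbedtls_ssl_set_bio(): return bytes transferred (> 0), or one of the
 * WANT_* codes when the transport would block. Not mbed TLS code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Values from mbedtls/ssl.h, reproduced so this compiles stand-alone. */
#define MBEDTLS_ERR_SSL_WANT_READ   (-0x6900)
#define MBEDTLS_ERR_SSL_WANT_WRITE  (-0x6880)

#define BIO_CAPACITY 64   /* deliberately smaller than one message */

/* One direction of the link; a constructed stand-in for a socket. */
typedef struct {
    unsigned char data[BIO_CAPACITY];
    size_t head;          /* index of the oldest unread byte */
    size_t len;           /* number of unread bytes */
} mem_bio;

/* Shape of f_send: int (*)(void *ctx, const unsigned char *buf, size_t len).
 * Partial writes are allowed; the SSL layer will call again. */
int mem_bio_send(void *p, const unsigned char *buf, size_t len)
{
    mem_bio *b = (mem_bio *)p;
    size_t room = BIO_CAPACITY - b->len, n, i;
    if (room == 0)
        return MBEDTLS_ERR_SSL_WANT_WRITE;       /* would block: no data lost */
    n = len < room ? len : room;
    for (i = 0; i < n; i++)
        b->data[(b->head + b->len + i) % BIO_CAPACITY] = buf[i];
    b->len += n;
    return (int)n;
}

/* Shape of f_recv: int (*)(void *ctx, unsigned char *buf, size_t len).
 * Never return 0 here unless the peer really closed the connection:
 * the SSL layer treats 0 as end of stream, not as "nothing yet". */
int mem_bio_recv(void *p, unsigned char *buf, size_t len)
{
    mem_bio *b = (mem_bio *)p;
    size_t n, i;
    if (b->len == 0)
        return MBEDTLS_ERR_SSL_WANT_READ;        /* would block */
    n = len < b->len ? len : b->len;
    for (i = 0; i < n; i++)
        buf[i] = b->data[(b->head + i) % BIO_CAPACITY];
    b->head = (b->head + n) % BIO_CAPACITY;
    b->len -= n;
    return (int)n;
}

/* Pushes a constructed 100-byte message through the 64-byte pipe the way
 * the SSL layer would: retry on WANT_*, never assume a full write.
 * Returns 1 if every byte arrived intact and the pipe then reports
 * WANT_READ, 0 otherwise. */
int mem_bio_selfcheck(void)
{
    mem_bio pipe = { {0}, 0, 0 };
    unsigned char msg[100], got[100];
    size_t sent = 0, recvd = 0, i;
    int rc;

    for (i = 0; i < sizeof msg; i++)
        msg[i] = (unsigned char)i;

    while (recvd < sizeof got) {
        if (sent < sizeof msg) {
            rc = mem_bio_send(&pipe, msg + sent, sizeof msg - sent);
            if (rc > 0)
                sent += (size_t)rc;
            else if (rc != MBEDTLS_ERR_SSL_WANT_WRITE)
                return 0;
        }
        rc = mem_bio_recv(&pipe, got + recvd, sizeof got - recvd);
        if (rc > 0)
            recvd += (size_t)rc;
        else if (rc != MBEDTLS_ERR_SSL_WANT_READ)
            return 0;
    }
    rc = mem_bio_recv(&pipe, got, sizeof got);   /* pipe is drained now */
    return memcmp(msg, got, sizeof msg) == 0 && rc == MBEDTLS_ERR_SSL_WANT_READ;
}

int main(void)
{
    printf("in-memory BIO: %s\n", mem_bio_selfcheck() ? "ok" : "FAILED");
    return 0;
}
```

On a real port the two callbacks would wrap the target's socket or netconn API and be registered with mbedtls_ssl_set_bio(&ssl, &ctx, mem_bio_send, mem_bio_recv, NULL); a transport that supports read timeouts supplies the fifth argument (f_recv_timeout) instead of NULL, which is what net.c's select()-based read provides.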
Time related functions
The Timing module (timing.c) uses gettimeofday() to determine elapsed time with millisecond resolution. This is optionally used in the SSL/TLS layer for the DTLS retransmission timers, via callbacks. The dependency can be avoided by providing your own implementation of these callbacks to the SSL/TLS layer; any monotonic millisecond counter will do, as the timers only compare elapsed time.
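As an added example (not mbed TLS code), here is a pair of timer callbacks with the signatures mbedtls_ssl_set_timer_cb() expects (set: void (*)(void *, uint32_t int_ms, uint32_t fin_ms), fin_ms == 0 cancels; get: int (*)(void *) returning -1 cancelled, 0 nothing expired, 1 intermediate delay passed, 2 final delay passed), backed by a caller-supplied millisecond clock instead of gettimeofday(). The clock source, the fake clock and the scenario in dtls_timer_selfcheck() are constructed for the example.

```c
/* Added example: DTLS retransmission timer callbacks on a pluggable
 * millisecond clock. Not mbed TLS code; signatures follow ssl.h (2.x). */
#include <stdint.h>
#include <stdio.h>

/* A clock only has to return milliseconds that do not go backwards;
 * the absolute value is irrelevant, wrap-around is handled below. */
typedef uint32_t (*ms_clock_fn)(void);

typedef struct {
    ms_clock_fn now;      /* caller-supplied monotonic clock */
    uint32_t start_ms;    /* now() when the timer was (re)started */
    uint32_t int_ms;      /* intermediate delay */
    uint32_t fin_ms;      /* final delay; 0 means cancelled */
} dtls_timer_ctx;

/* Shape of f_set_timer for mbedtls_ssl_set_timer_cb(). */
void dtls_set_timer(void *p, uint32_t int_ms, uint32_t fin_ms)
{
    dtls_timer_ctx *ctx = (dtls_timer_ctx *)p;
    ctx->int_ms = int_ms;
    ctx->fin_ms = fin_ms;
    if (fin_ms != 0)
        ctx->start_ms = ctx->now();
}

/* Shape of f_get_timer: -1 cancelled, 0 none, 1 intermediate, 2 final. */
int dtls_get_timer(void *p)
{
    const dtls_timer_ctx *ctx = (const dtls_timer_ctx *)p;
    uint32_t elapsed;
    if (ctx->fin_ms == 0)
        return -1;
    /* Unsigned subtraction gives the right answer across a 32-bit wrap. */
    elapsed = ctx->now() - ctx->start_ms;
    if (elapsed >= ctx->fin_ms)
        return 2;
    if (elapsed >= ctx->int_ms)
        return 1;
    return 0;
}

/* Constructed fake clock so the example runs offline; on a target this
 * would read a hardware tick counter or an RTOS tick. */
static uint32_t fake_now_ms = 0;
static uint32_t fake_clock(void) { return fake_now_ms; }

/* Walks one timer through its states, including the wrap-around case.
 * Returns the number of checks that agree with the expected state (5). */
int dtls_timer_selfcheck(void)
{
    dtls_timer_ctx ctx = { fake_clock, 0, 0, 0 };
    int ok = 0;

    fake_now_ms = 1000;
    dtls_set_timer(&ctx, 100, 300);        /* 100 ms intermediate, 300 ms final */
    ok += (dtls_get_timer(&ctx) == 0);     /* nothing expired yet */
    fake_now_ms += 150;
    ok += (dtls_get_timer(&ctx) == 1);     /* intermediate passed */
    fake_now_ms += 200;
    ok += (dtls_get_timer(&ctx) == 2);     /* final passed: retransmit */
    dtls_set_timer(&ctx, 0, 0);            /* fin_ms == 0 cancels */
    ok += (dtls_get_timer(&ctx) == -1);

    fake_now_ms = 0xFFFFFFF0u;             /* 16 ms before the counter wraps */
    dtls_set_timer(&ctx, 10, 40);
    fake_now_ms = 0x00000020u;             /* 48 ms later, after the wrap */
    ok += (dtls_get_timer(&ctx) == 2);
    return ok;
}

int main(void)
{
    printf("timer callbacks: %d/5 checks passed\n", dtls_timer_selfcheck());
    return 0;
}
```

The callbacks are registered with mbedtls_ssl_set_timer_cb(&ssl, &ctx, dtls_set_timer, dtls_get_timer); the same pair is what timing.c's mbedtls_timing_set_delay()/mbedtls_timing_get_delay() provide on top of gettimeofday().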
The Timing module may also use gettimeofday() if it does not know how to access the CPU cycle counter on your platform, or if MBEDTLS_HAVE_ASM is disabled. This is only used as a support function in the example programs (currently only benchmark.c), and the dependency can easily be removed.
If MBEDTLS_HAVE_TIME is defined, time() is used by the SSL/TLS core modules, as well as by the provided implementations of the following callbacks: SSL session cache, SSL session tickets and DTLS hello cookies. All of these only rely on time differences; in other words, they do not need time() to return the correct time, much less the correct date, only a count of seconds that does not go backwards. This dependency can be removed by disabling MBEDTLS_HAVE_TIME in config.h, but you may lose some features, such as time-based rotation of the session ticket keys and expiry of cached sessions.
If MBEDTLS_HAVE_TIME_DATE is defined, gmtime() is used by the X.509 module to check whether a certificate has expired. This dependency can be removed by disabling MBEDTLS_HAVE_TIME_DATE, but then the date-based validity checks are skipped entirely: an expired (or not yet valid) certificate will pass verification as far as its dates are concerned, so only do this on a device that has no trustworthy time source and accept that consequence. Revocation via CRLs will of course still work.
File (stream) functions
If MBEDTLS_FS_IO is defined, file functions are used in the MD layer for file hashing (mbedtls_md_file()). In addition, the X.509 parsing code uses the file functions for reading certificate, CSR and CRL files, and directory functions for mbedtls_x509_crt_parse_path(). The PK layer uses file functions for reading keys from files. The MPI module (bignum.c) uses fwrite() for writing MPIs to files and streams. The entropy, CTR-DRBG and HMAC-DRBG modules use file functions for reading and updating seed files. All of these can be disabled by commenting out MBEDTLS_FS_IO in config.h.
Dynamic memory functions
A number of modules (ASN1, Bignum/MPI, Cipher, DHM, ECP, MD, PEM, PK, PKCS11, SSL/TLS, X.509) use dynamic memory allocation. Starting from the mbed TLS 1.3 branch, you can provide your own implementations of the allocation functions, and a buffer-based memory allocator is provided with the library. See the guide on Letting mbed TLS use static memory instead of the heap.
Functions such as memset() are basic in any system and used in many places; assume every platform supports them. Note, however, that a plain memset() is not a reliable way to wipe secrets, since a compiler may remove a memset() whose result is never read; mbed TLS therefore clears sensitive buffers through a zeroize helper that writes through a volatile pointer.
memmove() is used as an optimization in the SSL/TLS module. This dependency is easy to remove by replacing it with a for loop; take care that the loop copies in the right direction, since memmove() is used precisely where the source and destination overlap.
printf() is used in all the self-test functions, controlled by the MBEDTLS_SELF_TEST configuration flag. In addition, the MPI module (bignum.c) uses printf() to print to stdout if MBEDTLS_FS_IO is defined. These dependencies are easy to disable in config.h. It is also possible to provide your own implementation via the platform layer; see MBEDTLS_PLATFORM_PRINTF_ALT, for example.
snprintf() is used in the X.509 module for the various mbedtls_x509_xxx_info() functions and for mbedtls_x509_crt_parse_path(). It is also used by the SSL debug module (debug.c) for formatting debug messages, by error.c for mbedtls_strerror() and by oid.c for mbedtls_oid_get_numeric_string() (not used within the library itself). It is possible to provide your own implementation via the platform layer; see MBEDTLS_PLATFORM_SNPRINTF_ALT. A replacement must follow the C99 contract (never write past the given size, always NUL-terminate, and return the length the full output would have had), because the X.509 info functions rely on the return value to detect truncation.
The other string functions are used in actual core scenarios, but workarounds are possible in every one of them.
rand() is used only in the self-tests of the RSA module (rsa.c), as a stand-in for the random callback; the library never uses it as an entropy source. These self-tests can be disabled via MBEDTLS_SELF_TEST.
Variable argument functions
To make a half-compatible snprintf() function under Windows (where the native _vsnprintf() returns -1 on truncation and does not guarantee NUL termination, unlike C99), vsnprintf() is used together with the <stdarg.h> variable-argument macros. All three are also used in the Debug module (debug.c). The latter dependency can be removed by commenting out MBEDTLS_DEBUG_C.