External Function Dependencies

mbed TLS is as loosely coupled as possible and does not rely on any external libraries for its code. It does use a number of standard libc function calls. This page describes which external calls are present and how easily they can be removed if no support for that function is available; it describes mbed TLS 2.0, focusing on the core library only (excluding examples programs and test suites, but including selftest functions as they are part of the library).

Some of the dependencies are controlled by configuration flags, see "How do I configure mbed TLS", and see "How do I port mbed TLS to a new environment or OS" for a full description of how to configure those configuration flags to port mbed TLS to a new environment.

Signals and alarms

Both net.c and timing.c use signal handlers. timing.c uses it in a part that is only used in example programs as support code. Within net.c it does serve a purpose. This dependency can be removed by disabling or adapting the example programs, and using alternate I/O callbacks instead of net.c in the SSL/TLS layer.

Functions covered: signal()

Only timing.c uses alarm(). This code is only used in examples programs as support code. Not in the actual library. This dependency can easily be removed.

Functions covered: alarm()


Only net.c uses select(), for the purposes of sleeping (only used in example programs, not the library) or providing blocking reads with timeouts. This dependency can be removed by using alternate I/O callbacks instead of net.c in the SSL/TLS layer.

Functions covered: select()

Network/Socket based functions

The network and socket based functions are only used in the network module (net.c). As the SSL/TLS part only used function pointers, it's easy to replace these dependencies with something else (like lwIP) as long as the behavior is similar.

Functions covered: on Windows, functions form the Windows Sockets API, and on Unix: accept(), bind(), close(), connect(), fcntl(), freeaddrinfo(), getaddrinfo(), getsockname(), getsockopt(), listen(), read(), recvfrom(), setsockopt(), shutdown(), socket(), write()

Time related functions

The Timing module (timing.c) used gettimeofday() in order to determine elapsed time with millisecond resolution. This is optionally used in the SSL/TLS layer for DTLS retransmission timers via callbacks. This dependency can be avoided by providing your own implementation of these callbacks to the SSL/TLS layer.

The Timing module may also use gettimeofday() if it doesn't know how to access the CPU cycle counter on your platform, or if MBEDTLS_HAVE_ASM is disabled. This is only used in examples programs (currently only benchmark.c) as a support function. This dependency can be easily removed.

Functions covered: gettimeofday()

If MBEDTLS_HAVE_TIME is defined, time() will be used by the SSL/TLS core modules, as well as the provided implementation of the following callback: SSL session cache, SSL session tickets, DTLS hello cookies. All these modules only rely on time differences. In other words, they do no need time() to return the correct time, much less the correct date. This dependency can be removed by disabling MBEDTLS_HAVE_TIME in config.h, but you may loose some features, such as time-based rotation of session ticket keys.

Functions covered: time() (relative)

If MBEDTLS_HAVE_TIME_DATE is defined, time() and gmtime() are used by x509parse.c to check if a certificate has expired. This dependency can be removed by disabling MBEDTLS_HAVE_TIME_DATE, but then date-based certificate expiration will not be used (revocation via CRLs for example will of course still work).

Functions covered: time() (absolute), gmtime()

File (stream) functions

If MBEDTLS_FS_IO is defined, file functions are used in the MD layers for file hashing (mbedtls_md_file()). In addition X509 Parsing (x509parse.c) uses the file functions for reading certificate, CSR and CRL files; it also uses readdir() for mbedtls_x509_crt_parse_path(). The PK layer uses file functions for reading keys from files. The MPI module (bignum.c) uses fwrite for writing MPIs to files and streams. The entropy, CTR-DRBG and HMAC_DRBG modules uses file functions for reading and update seed files. All can be disabled by commenting MBEDTLS_FS_IO in config.h.

Functions covered: fclose(), ferror(), fgets(), fopen(), fread(), fseek(), ftell(), fwrite(), readdir(), closedir()

Dynamic memory functions

A number of modules (ASN1, Bignum/MPI, Cipher, DHM, ECP, MD, PEM, PK, PKCS11, SSL/TLS, X.509) use dynamic memory allocation. Starting from the mbed TLS 1.3 branch, you can provide your own implementations, and we even provide a buffer-based memory allocator. Check out this guide on Letting mbed TLS use static memory instead of the heap

Functions covered: free(), calloc()

Memory functions

memcmp(), memcpy() and memset() are really basic in any system and used in a lot of spots. Let's assume everybody has support for these.

Functions covered: memcmp(), memcpy(), memset()

memmove() is used as an optimization in the SSL/TLS module. This dependency is easy to remove by replacing with a for loop.

Functions covered: memmove()

String functions

The printf() function is used in all the self test functions, controlled by the MBEDTLS_SELF_TEST configuration flags. In addition in the MPI module (bignum.c), mbedtls_mpi_write_file() uses printf() to print to stdout if MBEDTLS_FS_IO is defined. Theses dependencies are easy to disable in config.h. It is also possible to provide your own implementation via the platform layer, see MBEDTLS_PLATFORM_PRINTF_ALT for example.

Functions covered: printf()

The snprintf() function is used in the X.509 module for the various mbedtls_x509_xxx_info() functions and mbedtls_x509_crt_parse_path(). It is also used by the SSL debug module (debug.c) for formatting debug messaged, by error.c for mbedtls_strerror() and by oid.c for mbedtls_oid_get_numeric_string() (not used in the library). It is possible to provide your own implementation via the platform layer, see MBEDTLS_PLATFORM_PRINTF_ALT for example.

Functions covered: snprintf()

The other string functions are used in actual core scenarios. There are workarounds possible in any of there scenarios.

Functions covered: strcmp(), strlen(), strncmp() strncpy(), strstr()

Random function

The rand() function is used only in the selftests of the RSA module (rsa.c). These can be disabled by MBEDTLS_SELF_TEST.

Functions covered: rand()

Variable argument functions

To make a half-compatible snprintf() function under Windows, va_start(), va_end(), and vsnprintf() are used. All three are also used in the Debug module (debug.c). The latter can be removed by commenting MBEDTLS_DEBUG_C.

Functions covered: va_start(), va_end(), vsnprintf()

Did this help?