package dtls

Import Path
	github.com/pion/dtls/v2 (on go.dev)

Dependency Relation
	imports 43 packages, and imported by one package



Package-Level Type Names (total 20)


	/* sort by:  |  */
	
		CertificateRequestInfo contains information from a server's
		CertificateRequest message, which is used to demand a certificate and proof
		of control from a client.

		
			
				AcceptableCAs contains zero or more, DER-encoded, X.501
				Distinguished Names. These are the names of root or intermediate CAs
				that the server wishes the returned certificate to be signed by. An
				empty slice indicates that the server has no preference.

		
			
				SupportsCertificate returns nil if the provided certificate is supported by
				the server that sent the CertificateRequest. Otherwise, it returns an error
				describing the reason for the incompatibility.
				NOTE: original src: https://github.com/golang/go/blob/29b9a328d268d53833d2cc063d1d8b4bf6852675/src/crypto/tls/common.go#L1273



	
		CipherSuite is an interface that all DTLS CipherSuites must satisfy

		
			
				AuthenticationType controls what authentication method is using during the handshake

			
				What type of Certificate does this CipherSuite use

			( CipherSuite) Decrypt(in []byte) ([]byte, error)
			
				ECC (Elliptic Curve Cryptography) determines whether ECC extesions will be send during handshake.
				https://datatracker.ietf.org/doc/html/rfc4492#page-10

			( CipherSuite) Encrypt(pkt *recordlayer.RecordLayer, raw []byte) ([]byte, error)
			
				What Hash function is used during verification

			
				ID of CipherSuite.

			
				Called when keying material has been generated, should initialize the internal cipher

			( CipherSuite) IsInitialized() bool
			
				KeyExchangeAlgorithm controls what exchange algorithm is using during the handshake

			
				String of CipherSuite, only used for logging

		
			*github.com/pion/dtls/v2/internal/ciphersuite.Aes128Ccm
			*github.com/pion/dtls/v2/internal/ciphersuite.Aes256Ccm
			*github.com/pion/dtls/v2/internal/ciphersuite.TLSEcdheEcdsaWithAes128GcmSha256
			*github.com/pion/dtls/v2/internal/ciphersuite.TLSEcdheEcdsaWithAes256CbcSha
			*github.com/pion/dtls/v2/internal/ciphersuite.TLSEcdheEcdsaWithAes256GcmSha384
			*github.com/pion/dtls/v2/internal/ciphersuite.TLSEcdhePskWithAes128CbcSha256
			*github.com/pion/dtls/v2/internal/ciphersuite.TLSEcdheRsaWithAes128GcmSha256
			*github.com/pion/dtls/v2/internal/ciphersuite.TLSEcdheRsaWithAes256CbcSha
			*github.com/pion/dtls/v2/internal/ciphersuite.TLSEcdheRsaWithAes256GcmSha384
			*github.com/pion/dtls/v2/internal/ciphersuite.TLSPskWithAes128CbcSha256
			*github.com/pion/dtls/v2/internal/ciphersuite.TLSPskWithAes128GcmSha256
		
			 CipherSuite : expvar.Var
			 CipherSuite : fmt.Stringer


	
		CipherSuiteAuthenticationType controls what authentication method is using during the handshake for a CipherSuite


	
		CipherSuiteID is an ID for our supported CipherSuites


	
		CipherSuiteKeyExchangeAlgorithm controls what exchange algorithm is using during the handshake for a CipherSuite


	
		ClientAuthType declares the policy the server will follow for
		TLS Client Authentication.

		
			const NoClientCert
			const RequestClientCert
			const RequireAndVerifyClientCert
			const RequireAnyClientCert
			const VerifyClientCertIfGiven


	
		ClientHelloInfo contains information from a ClientHello message in order to
		guide application logic in the GetCertificate.

		
			
				CipherSuites lists the CipherSuites supported by the client (e.g.
				TLS_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256).

			
				ServerName indicates the name of the server requested by the client
				in order to support virtual hosting. ServerName is only set if the
				client is using SNI (see RFC 4366, Section 3.1).



	
		Config is used to configure a DTLS client or server.
		After a Config is passed to a DTLS function it must not be modified.

		
			
				Certificates contains certificate chain to present to the other side of the connection.
				Server MUST set this if PSK is non-nil
				client SHOULD sets this so CertificateRequests can be handled if PSK is non-nil

			
				CipherSuites is a list of supported cipher suites.
				If CipherSuites is nil, a default list is used

			
				ClientAuth determines the server's policy for
				TLS Client Authentication. The default is NoClientCert.

			
				ClientCAs defines the set of root certificate authorities
				that servers use if required to verify a client certificate
				by the policy in ClientAuth.

			
				ConnectContextMaker is a function to make a context used in Dial(),
				Client(), Server(), and Accept(). If nil, the default ConnectContextMaker
				is used. It can be implemented as following.
				
					func ConnectContextMaker() (context.Context, func()) {
						return context.WithTimeout(context.Background(), 30*time.Second)
					}

			
				CustomCipherSuites is a list of CipherSuites that can be
				provided by the user. This allow users to user Ciphers that are reserved
				for private usage.

			
				List of Elliptic Curves to use
				
				If an ECC ciphersuite is configured and EllipticCurves is empty
				it will default to X25519, P-256, P-384 in this specific order.

			
				RequireExtendedMasterSecret determines if the "Extended Master Secret" extension
				should be disabled, requested, or required (default requested).

			
				FlightInterval controls how often we send outbound handshake messages
				defaults to time.Second

			
				GetCertificate returns a Certificate based on the given
				ClientHelloInfo. It will only be called if the client supplies SNI
				information or if Certificates is empty.
				
				If GetCertificate is nil or returns nil, then the certificate is
				retrieved from NameToCertificate. If NameToCertificate is nil, the
				best element of Certificates will be used.

			
				GetClientCertificate, if not nil, is called when a server requests a
				certificate from a client. If set, the contents of Certificates will
				be ignored.
				
				If GetClientCertificate returns an error, the handshake will be
				aborted and that error will be returned. Otherwise
				GetClientCertificate must return a non-nil Certificate. If
				Certificate.Certificate is empty then no certificate will be sent to
				the server. If this is unacceptable to the server then it may abort
				the handshake.

			
				InsecureHashes allows the use of hashing algorithms that are known
				to be vulnerable.

			
				InsecureSkipVerify controls whether a client verifies the
				server's certificate chain and host name.
				If InsecureSkipVerify is true, TLS accepts any certificate
				presented by the server and any host name in that certificate.
				In this mode, TLS is susceptible to man-in-the-middle attacks.
				This should be used only for testing.

			
				InsecureSkipVerifyHello, if true and when acting as server, allow client to
				skip hello verify phase and receive ServerHello after initial ClientHello.
				This have implication on DoS attack resistance.

			
				KeyLogWriter optionally specifies a destination for TLS master secrets
				in NSS key log format that can be used to allow external programs
				such as Wireshark to decrypt TLS connections.
				See https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format.
				Use of KeyLogWriter compromises security and should only be
				used for debugging.

			LoggerFactory logging.LoggerFactory
			
				MTU is the length at which handshake messages will be fragmented to
				fit within the maximum transmission unit (default is 1200 bytes)

			
				PSK sets the pre-shared key used by this DTLS connection
				If PSK is non-nil only PSK CipherSuites will be used

			PSKIdentityHint []byte
			
				ReplayProtectionWindow is the size of the replay attack protection window.
				Duplication of the sequence number is checked in this window size.
				Packet with sequence number older than this value compared to the latest
				accepted packet will be discarded. (default is 64)

			
				RootCAs defines the set of root certificate authorities
				that one peer uses when verifying the other peer's certificates.
				If RootCAs is nil, TLS uses the host's root CA set.

			
				SRTPProtectionProfiles are the supported protection profiles
				Clients will send this via use_srtp and assert that the server properly responds
				Servers will assert that clients send one of these profiles and will respond as needed

			
				ServerName is used to verify the hostname on the returned
				certificates unless InsecureSkipVerify is given.

			
				SessionStore is the container to store session for resumption.

			
				SignatureSchemes contains the signature and hash schemes that the peer requests to verify.

			
				List of application protocols the peer supports, for ALPN

			
				VerifyConnection, if not nil, is called after normal certificate
				verification/PSK and after VerifyPeerCertificate by either a TLS client
				or server. If it returns a non-nil error, the handshake is aborted
				and that error results.
				
				If normal verification fails then the handshake will abort before
				considering this callback. This callback will run for all connections
				regardless of InsecureSkipVerify or ClientAuth settings.

			
				VerifyPeerCertificate, if not nil, is called after normal
				certificate verification by either a client or server. It
				receives the certificate provided by the peer and also a flag
				that tells if normal verification has succeedded. If it returns a
				non-nil error, the handshake is aborted and that error results.
				
				If normal verification fails then the handshake will abort before
				considering this callback. If normal verification is disabled by
				setting InsecureSkipVerify, or (for a server) when ClientAuth is
				RequestClientCert or RequireAnyClientCert, then this callback will
				be considered but the verifiedChains will always be nil.

		
			func Client(conn net.Conn, config *Config) (*Conn, error)
			func ClientWithContext(ctx context.Context, conn net.Conn, config *Config) (*Conn, error)
			func Dial(network string, raddr *net.UDPAddr, config *Config) (*Conn, error)
			func DialWithContext(ctx context.Context, network string, raddr *net.UDPAddr, config *Config) (*Conn, error)
			func Listen(network string, laddr *net.UDPAddr, config *Config) (net.Listener, error)
			func NewListener(inner net.Listener, config *Config) (net.Listener, error)
			func Resume(state *State, conn net.Conn, config *Config) (*Conn, error)
			func Server(conn net.Conn, config *Config) (*Conn, error)
			func ServerWithContext(ctx context.Context, conn net.Conn, config *Config) (*Conn, error)


	
		Conn represents a DTLS connection

		
			
				Close closes the connection.

			
				ConnectionState returns basic DTLS details about the connection.
				Note that this replaced the `Export` function of v1.

			
				LocalAddr implements net.Conn.LocalAddr

			
				Read reads data from the connection.

			
				RemoteAddr implements net.Conn.RemoteAddr

			
				SelectedSRTPProtectionProfile returns the selected SRTPProtectionProfile

			
				SetDeadline implements net.Conn.SetDeadline

			
				SetReadDeadline implements net.Conn.SetReadDeadline

			
				SetWriteDeadline implements net.Conn.SetWriteDeadline

			
				Write writes len(p) bytes from p to the DTLS connection

		
			*Conn : github.com/pion/datachannel.ReadDeadliner
			*Conn : github.com/pion/datachannel.WriteDeadliner
			*Conn : github.com/pion/stun.Connection
			*Conn : github.com/pion/stun/v3.Connection
			*Conn : github.com/miekg/dns.Writer
			*Conn : github.com/prometheus/common/expfmt.Closer
			*Conn : internal/bisect.Writer
			*Conn : io.Closer
			*Conn : io.ReadCloser
			*Conn : io.Reader
			*Conn : io.ReadWriteCloser
			*Conn : io.ReadWriter
			*Conn : io.WriteCloser
			*Conn : io.Writer
			*Conn : net.Conn
		
			func Client(conn net.Conn, config *Config) (*Conn, error)
			func ClientWithContext(ctx context.Context, conn net.Conn, config *Config) (*Conn, error)
			func Dial(network string, raddr *net.UDPAddr, config *Config) (*Conn, error)
			func DialWithContext(ctx context.Context, network string, raddr *net.UDPAddr, config *Config) (*Conn, error)
			func Resume(state *State, conn net.Conn, config *Config) (*Conn, error)
			func Server(conn net.Conn, config *Config) (*Conn, error)
			func ServerWithContext(ctx context.Context, conn net.Conn, config *Config) (*Conn, error)


	
		ExtendedMasterSecretType declares the policy the client and server
		will follow for the Extended Master Secret extension

		
			const DisableExtendedMasterSecret
			const RequestExtendedMasterSecret
			const RequireExtendedMasterSecret


	
		FatalError indicates that the DTLS connection is no longer available.
		It is mainly caused by wrong configuration of server or client.


	
		HandshakeError indicates that the handshake failed.


	
		InternalError indicates and internal error caused by the implementation, and the DTLS connection is no longer available.
		It is mainly caused by bugs or tried to use unimplemented features.


	
		PSKCallback is called once we have the remote's PSKIdentityHint.
		If the remote provided none it will be nil


	
		Session store data needed in resumption

		
			
				ID store session id

			
				Secret store session master secret

		
			func SessionStore.Get(key []byte) (Session, error)
		
			func SessionStore.Set(key []byte, s Session) error


	
		SessionStore defines methods needed for session resumption.

		
			
				Del clean saved session.

			
				Get fetch a session.

			
				Set save a session.
				For client, use server name as key.
				For server, use session id.



	
		SRTPProtectionProfile defines the parameters and options that are in effect for the SRTP processing
		https://tools.ietf.org/html/rfc5764#section-4.1.2


	
		State holds the dtls connection state and implements both encoding.BinaryMarshaler and encoding.BinaryUnmarshaler

		
			IdentityHint []byte
			NegotiatedProtocol string
			PeerCertificates [][]byte
			SessionID []byte
		
			
				ExportKeyingMaterial returns length bytes of exported key material in a new
				slice as defined in RFC 5705.
				This allows protocols to use DTLS for key establishment, but
				then use some of the keying material for their own purposes

			
				MarshalBinary is a binary.BinaryMarshaler.MarshalBinary implementation

			
				UnmarshalBinary is a binary.BinaryUnmarshaler.UnmarshalBinary implementation

		
			*State : github.com/pion/srtp/v3.KeyingMaterialExporter
			*State : encoding.BinaryMarshaler
			*State : encoding.BinaryUnmarshaler
		
			func (*Conn).ConnectionState() State
		
			func Resume(state *State, conn net.Conn, config *Config) (*Conn, error)


	
		TemporaryError indicates that the DTLS connection is still available, but the request was failed temporary.


	
		TimeoutError indicates that the request was timed out.




Package-Level Functions (total 12)


	
		CipherSuiteName provides the same functionality as tls.CipherSuiteName
		that appeared first in Go 1.14.
		
		Our implementation differs slightly in that it takes in a CiperSuiteID,
		like the rest of our library, instead of a uint16 like crypto/tls.


	
		CipherSuites returns a list of cipher suites currently implemented by this
		package, excluding those with security issues, which are returned by
		InsecureCipherSuites.


	
		Client establishes a DTLS connection over an existing connection.
		Connection handshake will timeout using ConnectContextMaker in the Config.
		If you want to specify the timeout duration, use ClientWithContext() instead.


	
		ClientWithContext establishes a DTLS connection over an existing connection.


	
		Dial connects to the given network address and establishes a DTLS connection on top.
		Connection handshake will timeout using ConnectContextMaker in the Config.
		If you want to specify the timeout duration, use DialWithContext() instead.


	
		DialWithContext connects to the given network address and establishes a DTLS connection on top.


	
		InsecureCipherSuites returns a list of cipher suites currently implemented by
		this package and which have security issues.


	
		Listen creates a DTLS listener


	
		NewListener creates a DTLS listener which accepts connections from an inner Listener.


	
		Resume imports an already established dtls connection using a specific dtls state


	
		Server listens for incoming DTLS connections.
		Connection handshake will timeout using ConnectContextMaker in the Config.
		If you want to specify the timeout duration, use ServerWithContext() instead.


	
		ServerWithContext listens for incoming DTLS connections.




Package-Level Variables (only one)


	
		Typed errors




Package-Level Constants (total 37)


	
		CipherSuiteKeyExchangeAlgorithm Bitmask


	
		CipherSuiteKeyExchangeAlgorithm Bitmask


	
		CipherSuiteKeyExchangeAlgorithm Bitmask


	
		ExtendedMasterSecretType enums


	
		ClientAuthType enums


	
		ClientAuthType enums


	
		ExtendedMasterSecretType enums


	
		ClientAuthType enums


	
		ClientAuthType enums


	
		ExtendedMasterSecretType enums


	const SRTP_AEAD_AES_128_GCM SRTPProtectionProfile = 7 // nolint:revive,stylecheck
	const SRTP_AEAD_AES_256_GCM SRTPProtectionProfile = 8 // nolint:revive,stylecheck
	const SRTP_AES128_CM_HMAC_SHA1_32 SRTPProtectionProfile = 2 // nolint:revive,stylecheck
	const SRTP_AES128_CM_HMAC_SHA1_80 SRTPProtectionProfile = 1 // nolint:revive,stylecheck
	const SRTP_AES256_CM_SHA1_32 SRTPProtectionProfile = 4 // nolint:revive,stylecheck
	const SRTP_AES256_CM_SHA1_80 SRTPProtectionProfile = 3 // nolint:revive,stylecheck
	const SRTP_NULL_HMAC_SHA1_32 SRTPProtectionProfile = 6 // nolint:revive,stylecheck
	const SRTP_NULL_HMAC_SHA1_80 SRTPProtectionProfile = 5 // nolint:revive,stylecheck
	
		Supported Cipher Suites


	
		AES-128-GCM-SHA256


	
		AES-256-CBC-SHA


	
		Supported Cipher Suites


	
		Supported Cipher Suites


	
		Supported Cipher Suites


	
		Supported Cipher Suites


	
		Supported Cipher Suites


	
		Supported Cipher Suites


	
		Supported Cipher Suites


	
		Supported Cipher Suites


	
		Supported Cipher Suites


	
		Supported Cipher Suites


	
		ClientAuthType enums


	
		VersionDTLS12 is the DTLS version in the same style as
		VersionTLSXX from crypto/tls