package dtls

Import Path
	github.com/pion/dtls/v3 (on go.dev)

Dependency Relation
	imports 43 packages, and imported by 3 packages



Package-Level Type Names (total 20)


	/* sort by:  |  */
	
		CertificateRequestInfo contains information from a server's
		CertificateRequest message, which is used to demand a certificate and proof
		of control from a client.

		
			
				AcceptableCAs contains zero or more, DER-encoded, X.501
				Distinguished Names. These are the names of root or intermediate CAs
				that the server wishes the returned certificate to be signed by. An
				empty slice indicates that the server has no preference.

		
			
				SupportsCertificate returns nil if the provided certificate is supported by
				the server that sent the CertificateRequest. Otherwise, it returns an error
				describing the reason for the incompatibility.
				NOTE: original src:
				https://github.com/golang/go/blob/29b9a328d268d53833d2cc063d1d8b4bf6852675/src/crypto/tls/common.go#L1273



	
		CipherSuite is an interface that all DTLS CipherSuites must satisfy.

		
			
				AuthenticationType controls what authentication method is using during the handshake

			
				What type of Certificate does this CipherSuite use

			( CipherSuite) Decrypt(h recordlayer.Header, in []byte) ([]byte, error)
			
				ECC (Elliptic Curve Cryptography) determines whether ECC extesions will be send during handshake.
				https://datatracker.ietf.org/doc/html/rfc4492#page-10

			( CipherSuite) Encrypt(pkt *recordlayer.RecordLayer, raw []byte) ([]byte, error)
			
				What Hash function is used during verification

			
				ID of CipherSuite.

			
				Called when keying material has been generated, should initialize the internal cipher

			( CipherSuite) IsInitialized() bool
			
				KeyExchangeAlgorithm controls what exchange algorithm is using during the handshake

			
				String of CipherSuite, only used for logging

		
			*github.com/pion/dtls/v3/internal/ciphersuite.Aes128Ccm
			*github.com/pion/dtls/v3/internal/ciphersuite.Aes256Ccm
			*github.com/pion/dtls/v3/internal/ciphersuite.TLSEcdheEcdsaWithAes128GcmSha256
			*github.com/pion/dtls/v3/internal/ciphersuite.TLSEcdheEcdsaWithAes256CbcSha
			*github.com/pion/dtls/v3/internal/ciphersuite.TLSEcdheEcdsaWithAes256GcmSha384
			*github.com/pion/dtls/v3/internal/ciphersuite.TLSEcdhePskWithAes128CbcSha256
			*github.com/pion/dtls/v3/internal/ciphersuite.TLSEcdheRsaWithAes128GcmSha256
			*github.com/pion/dtls/v3/internal/ciphersuite.TLSEcdheRsaWithAes256CbcSha
			*github.com/pion/dtls/v3/internal/ciphersuite.TLSEcdheRsaWithAes256GcmSha384
			*github.com/pion/dtls/v3/internal/ciphersuite.TLSPskWithAes128CbcSha256
			*github.com/pion/dtls/v3/internal/ciphersuite.TLSPskWithAes128GcmSha256
		
			 CipherSuite : expvar.Var
			 CipherSuite : fmt.Stringer


	
		CipherSuiteAuthenticationType controls what authentication method is using during the handshake for a CipherSuite.


	
		CipherSuiteID is an ID for our supported CipherSuites.


	
		CipherSuiteKeyExchangeAlgorithm controls what exchange algorithm is using during the handshake for a CipherSuite.


	
		ClientAuthType declares the policy the server will follow for
		TLS Client Authentication.

		
			func github.com/pion/webrtc/v4.(*SettingEngine).SetDTLSClientAuth(clientAuth ClientAuthType)
		
			const NoClientCert
			const RequestClientCert
			const RequireAndVerifyClientCert
			const RequireAnyClientCert
			const VerifyClientCertIfGiven


	
		ClientHelloInfo contains information from a ClientHello message in order to
		guide application logic in the GetCertificate.

		
			
				CipherSuites lists the CipherSuites supported by the client (e.g.
				TLS_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256).

			
				RandomBytes stores the client hello random bytes

			
				ServerName indicates the name of the server requested by the client
				in order to support virtual hosting. ServerName is only set if the
				client is using SNI (see RFC 4366, Section 3.1).



	
		Config is used to configure a DTLS client or server.
		After a Config is passed to a DTLS function it must not be modified.

		
			
				CertificateRequestMessageHook, if not nil, is called when a Certificate Request
				message is sent from a server. The returned handshake message replaces the original message.

			
				Certificates contains certificate chain to present to the other side of the connection.
				Server MUST set this if PSK is non-nil
				client SHOULD sets this so CertificateRequests can be handled if PSK is non-nil

			
				CipherSuites is a list of supported cipher suites.
				If CipherSuites is nil, a default list is used

			
				ClientAuth determines the server's policy for
				TLS Client Authentication. The default is NoClientCert.

			
				ClientCAs defines the set of root certificate authorities
				that servers use if required to verify a client certificate
				by the policy in ClientAuth.

			
				ClientHelloMessageHook, if not nil, is called when a Client Hello message is sent
				from a client. The returned handshake message replaces the original message.

			
				ConnectionIDGenerator generates connection identifiers that should be
				sent by the remote party if it supports the DTLS Connection Identifier
				extension, as determined during the handshake. Generated connection
				identifiers must always have the same length. Returning a zero-length
				connection identifier indicates that the local party supports sending
				connection identifiers but does not require the remote party to send
				them. A nil ConnectionIDGenerator indicates that connection identifiers
				are not supported.
				https://datatracker.ietf.org/doc/html/rfc9146

			
				CustomCipherSuites is a list of CipherSuites that can be
				provided by the user. This allow users to user Ciphers that are reserved
				for private usage.

			
				DisableRetransmitBackoff can be used to the disable the backoff feature
				when sending outbound messages as specified in RFC 4347 4.2.4.1

			
				List of Elliptic Curves to use
				
				If an ECC ciphersuite is configured and EllipticCurves is empty
				it will default to X25519, P-256, P-384 in this specific order.

			
				RequireExtendedMasterSecret determines if the "Extended Master Secret" extension
				should be disabled, requested, or required (default requested).

			
				FlightInterval controls how often we send outbound handshake messages
				defaults to time.Second

			
				GetCertificate returns a Certificate based on the given
				ClientHelloInfo. It will only be called if the client supplies SNI
				information or if Certificates is empty.
				
				If GetCertificate is nil or returns nil, then the certificate is
				retrieved from NameToCertificate. If NameToCertificate is nil, the
				best element of Certificates will be used.

			
				GetClientCertificate, if not nil, is called when a server requests a
				certificate from a client. If set, the contents of Certificates will
				be ignored.
				
				If GetClientCertificate returns an error, the handshake will be
				aborted and that error will be returned. Otherwise
				GetClientCertificate must return a non-nil Certificate. If
				Certificate.Certificate is empty then no certificate will be sent to
				the server. If this is unacceptable to the server then it may abort
				the handshake.

			
				HelloRandomBytesGenerator generates custom client hello random bytes.

			
				InsecureHashes allows the use of hashing algorithms that are known
				to be vulnerable.

			
				InsecureSkipVerify controls whether a client verifies the
				server's certificate chain and host name.
				If InsecureSkipVerify is true, TLS accepts any certificate
				presented by the server and any host name in that certificate.
				In this mode, TLS is susceptible to man-in-the-middle attacks.
				This should be used only for testing.

			
				InsecureSkipVerifyHello, if true and when acting as server, allow client to
				skip hello verify phase and receive ServerHello after initial ClientHello.
				This have implication on DoS attack resistance.

			
				KeyLogWriter optionally specifies a destination for TLS master secrets
				in NSS key log format that can be used to allow external programs
				such as Wireshark to decrypt TLS connections.
				See https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format.
				Use of KeyLogWriter compromises security and should only be
				used for debugging.

			LoggerFactory logging.LoggerFactory
			
				MTU is the length at which handshake messages will be fragmented to
				fit within the maximum transmission unit (default is 1200 bytes)

			
				OnConnectionAttempt is fired Whenever a connection attempt is made,
				the server or application can call this callback function.
				The callback function can then implement logic to handle the connection attempt, such as logging the attempt,
				checking against a list of blocked IPs, or counting the attempts to prevent brute force attacks.
				If the callback function returns an error, the connection attempt will be aborted.

			
				PSK sets the pre-shared key used by this DTLS connection
				If PSK is non-nil only PSK CipherSuites will be used

			PSKIdentityHint []byte
			
				PaddingLengthGenerator generates the number of padding bytes used to
				inflate ciphertext size in order to obscure content size from observers.
				The length of the content is passed to the generator such that both
				deterministic and random padding schemes can be applied while not
				exceeding maximum record size.
				If no PaddingLengthGenerator is specified, padding will not be applied.
				https://datatracker.ietf.org/doc/html/rfc9146#section-4

			
				ReplayProtectionWindow is the size of the replay attack protection window.
				Duplication of the sequence number is checked in this window size.
				Packet with sequence number older than this value compared to the latest
				accepted packet will be discarded. (default is 64)

			
				RootCAs defines the set of root certificate authorities
				that one peer uses when verifying the other peer's certificates.
				If RootCAs is nil, TLS uses the host's root CA set.

			
				SRTPMasterKeyIdentifier value (if any) is sent via the use_srtp
				extension for Clients and Servers

			
				SRTPProtectionProfiles are the supported protection profiles
				Clients will send this via use_srtp and assert that the server properly responds
				Servers will assert that clients send one of these profiles and will respond as needed

			
				ServerHelloMessageHook, if not nil, is called when a Server Hello message is sent
				from a server. The returned handshake message replaces the original message.

			
				ServerName is used to verify the hostname on the returned
				certificates unless InsecureSkipVerify is given.

			
				SessionStore is the container to store session for resumption.

			
				SignatureSchemes contains the signature and hash schemes that the peer requests to verify.

			
				List of application protocols the peer supports, for ALPN

			
				VerifyConnection, if not nil, is called after normal certificate
				verification/PSK and after VerifyPeerCertificate by either a TLS client
				or server. If it returns a non-nil error, the handshake is aborted
				and that error results.
				
				If normal verification fails then the handshake will abort before
				considering this callback. This callback will run for all connections
				regardless of InsecureSkipVerify or ClientAuth settings.

			
				VerifyPeerCertificate, if not nil, is called after normal
				certificate verification by either a client or server. It
				receives the certificate provided by the peer and also a flag
				that tells if normal verification has succeedded. If it returns a
				non-nil error, the handshake is aborted and that error results.
				
				If normal verification fails then the handshake will abort before
				considering this callback. If normal verification is disabled by
				setting InsecureSkipVerify, or (for a server) when ClientAuth is
				RequestClientCert or RequireAnyClientCert, then this callback will
				be considered but the verifiedChains will always be nil.

		
			func Client(conn net.PacketConn, rAddr net.Addr, config *Config) (*Conn, error)
			func Dial(network string, rAddr *net.UDPAddr, config *Config) (*Conn, error)
			func Listen(network string, laddr *net.UDPAddr, config *Config) (net.Listener, error)
			func NewListener(inner dtlsnet.PacketListener, config *Config) (net.Listener, error)
			func Resume(state *State, conn net.PacketConn, rAddr net.Addr, config *Config) (*Conn, error)
			func Server(conn net.PacketConn, rAddr net.Addr, config *Config) (*Conn, error)


	
		Conn represents a DTLS connection.

		
			
				Close closes the connection.

			
				ConnectionState returns basic DTLS details about the connection.
				Note that this replaced the `Export` function of v1.

			
				Handshake runs the client or server DTLS handshake
				protocol if it has not yet been run.
				
				Most uses of this package need not call Handshake explicitly: the
				first [Conn.Read] or [Conn.Write] will call it automatically.
				
				For control over canceling or setting a timeout on a handshake, use
				[Conn.HandshakeContext].

			
				HandshakeContext runs the client or server DTLS handshake
				protocol if it has not yet been run.
				
				The provided Context must be non-nil. If the context is canceled before
				the handshake is complete, the handshake is interrupted and an error is returned.
				Once the handshake has completed, cancellation of the context will not affect the
				connection.
				
				Most uses of this package need not call HandshakeContext explicitly: the
				first [Conn.Read] or [Conn.Write] will call it automatically.

			
				LocalAddr implements net.Conn.LocalAddr.

			
				Read reads data from the connection.

			
				RemoteAddr implements net.Conn.RemoteAddr.

			
				RemoteSRTPMasterKeyIdentifier returns the MasterKeyIdentifier value from the use_srtp.

			
				SelectedSRTPProtectionProfile returns the selected SRTPProtectionProfile.

			
				SetDeadline implements net.Conn.SetDeadline.

			
				SetReadDeadline implements net.Conn.SetReadDeadline.

			
				SetWriteDeadline implements net.Conn.SetWriteDeadline.

			
				Write writes len(payload) bytes from payload to the DTLS connection.

		
			*Conn : github.com/pion/datachannel.ReadDeadliner
			*Conn : github.com/pion/datachannel.WriteDeadliner
			*Conn : github.com/pion/stun.Connection
			*Conn : github.com/pion/stun/v3.Connection
			*Conn : github.com/miekg/dns.Writer
			*Conn : github.com/prometheus/common/expfmt.Closer
			*Conn : internal/bisect.Writer
			*Conn : io.Closer
			*Conn : io.ReadCloser
			*Conn : io.Reader
			*Conn : io.ReadWriteCloser
			*Conn : io.ReadWriter
			*Conn : io.WriteCloser
			*Conn : io.Writer
			*Conn : net.Conn
		
			func Client(conn net.PacketConn, rAddr net.Addr, config *Config) (*Conn, error)
			func Dial(network string, rAddr *net.UDPAddr, config *Config) (*Conn, error)
			func Resume(state *State, conn net.PacketConn, rAddr net.Addr, config *Config) (*Conn, error)
			func Server(conn net.PacketConn, rAddr net.Addr, config *Config) (*Conn, error)


	
		ExtendedMasterSecretType declares the policy the client and server
		will follow for the Extended Master Secret extension.

		
			func github.com/pion/webrtc/v4.(*SettingEngine).SetDTLSExtendedMasterSecret(extendedMasterSecret ExtendedMasterSecretType)
		
			const DisableExtendedMasterSecret
			const RequestExtendedMasterSecret
			const RequireExtendedMasterSecret


	
		FatalError indicates that the DTLS connection is no longer available.
		It is mainly caused by wrong configuration of server or client.


	
		HandshakeError indicates that the handshake failed.


	
		InternalError indicates and internal error caused by the implementation,
		and the DTLS connection is no longer available.
		It is mainly caused by bugs or tried to use unimplemented features.


	
		PSKCallback is called once we have the remote's PSKIdentityHint.
		If the remote provided none it will be nil.


	
		Session store data needed in resumption.

		
			
				ID store session id

			
				Secret store session master secret

		
			func SessionStore.Get(key []byte) (Session, error)
		
			func SessionStore.Set(key []byte, s Session) error


	
		SessionStore defines methods needed for session resumption.

		
			
				Del clean saved session.

			
				Get fetch a session.

			
				Set save a session.
				For client, use server name as key.
				For server, use session id.



	
		SRTPProtectionProfile defines the parameters and options that are in effect for the SRTP processing
		https://tools.ietf.org/html/rfc5764#section-4.1.2


	
		State holds the dtls connection state and implements both encoding.BinaryMarshaler and
		encoding.BinaryUnmarshaler.

		
			CipherSuiteID CipherSuiteID
			IdentityHint []byte
			NegotiatedProtocol string
			PeerCertificates [][]byte
			SessionID []byte
		
			
				ExportKeyingMaterial returns length bytes of exported key material in a new
				slice as defined in RFC 5705.
				This allows protocols to use DTLS for key establishment, but
				then use some of the keying material for their own purposes.

			
				MarshalBinary is a binary.BinaryMarshaler.MarshalBinary implementation.

			
				RemoteRandomBytes returns the remote client hello random bytes.

			
				UnmarshalBinary is a binary.BinaryUnmarshaler.UnmarshalBinary implementation.

		
			*State : github.com/pion/srtp/v3.KeyingMaterialExporter
			*State : encoding.BinaryMarshaler
			*State : encoding.BinaryUnmarshaler
		
			func (*Conn).ConnectionState() (State, bool)
		
			func Resume(state *State, conn net.PacketConn, rAddr net.Addr, config *Config) (*Conn, error)


	
		TemporaryError indicates that the DTLS connection is still available, but the request was failed temporary.


	
		TimeoutError indicates that the request was timed out.




Package-Level Functions (total 11)


	
		CipherSuiteName provides the same functionality as tls.CipherSuiteName
		that appeared first in Go 1.14.
		
		Our implementation differs slightly in that it takes in a CiperSuiteID,
		like the rest of our library, instead of a uint16 like crypto/tls.


	
		CipherSuites returns a list of cipher suites currently implemented by this
		package, excluding those with security issues, which are returned by
		InsecureCipherSuites.


	
		Client establishes a DTLS connection over an existing connection.


	
		Dial connects to the given network address and establishes a DTLS connection on top.


	
		InsecureCipherSuites returns a list of cipher suites currently implemented by
		this package and which have security issues.


	
		Listen creates a DTLS listener.


	
		NewListener creates a DTLS listener which accepts connections from an inner Listener.


	
		OnlySendCIDGenerator enables sending Connection IDs negotiated with a peer,
		but indicates to the peer that sending Connection IDs in return is not
		necessary.


	
		RandomCIDGenerator is a random Connection ID generator where CID is the
		specified size. Specifying a size of 0 will indicate to peers that sending a
		Connection ID is not necessary.


	
		Resume imports an already established dtls connection using a specific dtls state.


	
		Server listens for incoming DTLS connections.




Package-Level Variables (only one)


	
		Typed errors.




Package-Level Constants (total 37)


	
		CipherSuiteKeyExchangeAlgorithm Bitmask.


	
		CipherSuiteKeyExchangeAlgorithm Bitmask.


	
		CipherSuiteKeyExchangeAlgorithm Bitmask.


	
		ExtendedMasterSecretType enums.


	
		ClientAuthType enums.


	
		ClientAuthType enums.


	
		ExtendedMasterSecretType enums.


	
		ClientAuthType enums.


	
		ClientAuthType enums.


	
		ExtendedMasterSecretType enums.


	const SRTP_AEAD_AES_128_GCM SRTPProtectionProfile = 7 // nolint:revive,stylecheck
	const SRTP_AEAD_AES_256_GCM SRTPProtectionProfile = 8 // nolint:revive,stylecheck
	const SRTP_AES128_CM_HMAC_SHA1_32 SRTPProtectionProfile = 2 // nolint:revive,stylecheck
	const SRTP_AES128_CM_HMAC_SHA1_80 SRTPProtectionProfile = 1 // nolint:revive,stylecheck
	const SRTP_AES256_CM_SHA1_32 SRTPProtectionProfile = 4 // nolint:revive,stylecheck
	const SRTP_AES256_CM_SHA1_80 SRTPProtectionProfile = 3 // nolint:revive,stylecheck
	const SRTP_NULL_HMAC_SHA1_32 SRTPProtectionProfile = 6 // nolint:revive,stylecheck
	const SRTP_NULL_HMAC_SHA1_80 SRTPProtectionProfile = 5 // nolint:revive,stylecheck
	
		Supported Cipher Suites.


	
		AES-128-GCM-SHA256


	
		AES-256-CBC-SHA


	
		Supported Cipher Suites.


	
		Supported Cipher Suites.


	
		Supported Cipher Suites.


	
		Supported Cipher Suites.


	
		Supported Cipher Suites.


	
		Supported Cipher Suites.


	
		Supported Cipher Suites.


	
		Supported Cipher Suites.


	
		Supported Cipher Suites.


	
		Supported Cipher Suites.


	
		ClientAuthType enums.


	
		VersionDTLS12 is the DTLS version in the same style as
		VersionTLSXX from crypto/tls.