tls/conn
tls-wrap-fd
(tls-wrap-fd [ctx : int fd : int] :)
bind an accepted TCP fd to a new server-side TLS conn.
| ctx | handle from tls-ctx-new with cert + key loaded. | |
| fd | accepted TCP socket (blocking; we use mbedtls_net_send/recv). |
Conn handle as :int on success; 0 on allocation or ssl_setup failure.
(let [conn (tls-wrap-fd ctx client-fd)]
(tls-handshake conn)
...
(tls-shutdown conn)
(tls-free conn))
Since: T3
tls-handshake
(tls-handshake [conn : int] :)
drive the TLS handshake to completion (blocking).
| conn | handle from tls-wrap-fd. |
0 on success; non-zero mbedTLS error code on failure (peer reset, cert mismatch, version mismatch, ...).
Since: T3
tls-read
(tls-read [conn : int buf : int len : int] :)
decrypt up to `len` bytes from the TLS stream into `buf`.
| conn | handle from tls-wrap-fd (post-handshake). | |
| buf | caller-owned destination buffer, as a raw pointer. | |
| len | buffer capacity in bytes. |
Bytes read (> 0) on success; 0 on clean close_notify from peer; negative mbedTLS error code on transport failure. Like recv(), may return fewer bytes than requested.
Since: T3
tls-write
(tls-write [conn : int buf : int len : int] :)
encrypt and send `len` bytes from `buf` over the TLS stream.
| conn | handle from tls-wrap-fd (post-handshake). | |
| buf | caller-owned source buffer, as a raw pointer. | |
| len | bytes to send. |
Bytes written (> 0) on success; negative mbedTLS error code on failure. May return fewer bytes than requested.
Since: T3
tls-shutdown
(tls-shutdown [conn : int] :)
send a close_notify alert (best-effort).
| conn | handle from tls-wrap-fd. 0 is a safe no-op. |
Since: T3
tls-free
(tls-free [conn : int] :)
release the conn's mbedTLS state. Does NOT close the fd.
| conn | handle from tls-wrap-fd. 0 is a safe no-op. |
Since: T3