docs/4.0-migration-guide/function-prototype-changes.md

## Function prototype changes

A number of existing functions now take a different list of arguments, mostly to migrate them to the PSA API.

### Public functions no longer take a RNG callback

Functions that need randomness no longer take an RNG callback in the form of `f_rng, p_rng` arguments. Instead, they use the PSA Crypto random generator (accessible as `psa_generate_random()`). All software using the X.509 or SSL modules must call `psa_crypto_init()` before calling any of the functions listed here.

### RNG removal in X.509

The following function prototypes have been changed in `mbedtls/x509_crt.h`:

```c
int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
                              int (*f_rng)(void *, unsigned char *, size_t),
                              void *p_rng);

int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
                              int (*f_rng)(void *, unsigned char *, size_t),
                              void *p_rng);
```

to

```c
int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size);

int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size);
```

The following function prototypes have been changed in `mbedtls/x509_csr.h`:
```c
int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
                              int (*f_rng)(void *, unsigned char *, size_t),
                              void *p_rng);

int mbedtls_x509write_csr_pem(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
                              int (*f_rng)(void *, unsigned char *, size_t),
                              void *p_rng);
```

to

```c
int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size);

int mbedtls_x509write_csr_pem(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size);
```

### RNG removal in SSL

The following function prototype has been changed in `mbedtls/ssl_cookie.h`:

```c
int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx,
                             int (*f_rng)(void *, unsigned char *, size_t),
                             void *p_rng);
```

to

```c
int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx);
```

### Removal of `mbedtls_ssl_conf_rng`

`mbedtls_ssl_conf_rng()` has been removed from the library. Its sole purpose was to configure the RNG used for TLS, but now the PSA Crypto random generator is used throughout the library.

### Changes to mbedtls_ssl_ticket_setup

In the arguments of the function `mbedtls_ssl_ticket_setup()`, the `mbedtls_cipher_type_t` argument specifying the AEAD mechanism for ticket protection has been replaced by an equivalent PSA description consisting of a key type, a size and an algorithm. Also, the function no longer takes RNG arguments.

The prototype in `mbedtls/ssl_ticket.h` has changed from

```c
int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
                             mbedtls_f_rng_t *f_rng, void *p_rng,
                             mbedtls_cipher_type_t cipher,
                             uint32_t lifetime);
```

to

```c
int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
                             psa_algorithm_t alg, psa_key_type_t key_type, psa_key_bits_t key_bits,
                             uint32_t lifetime);
```
Generalize the section on function prototype changes Not everything will be about PSA. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 21:14:24 +02:00			`## Function prototype changes`
Generalize section to other function prototype changes Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 17:06:28 +02:00
Generalize the section on function prototype changes Not everything will be about PSA. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 21:14:24 +02:00			`A number of existing functions now take a different list of arguments, mostly to migrate them to the PSA API.`
Move the X.509 and SSL content from the crypto migration guide Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 16:43:49 +02:00
			`### Public functions no longer take a RNG callback`

Copyediting and wording improvements Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 16:52:01 +02:00			Functions that need randomness no longer take an RNG callback in the form of `f_rng, p_rng` arguments. Instead, they use the PSA Crypto random generator (accessible as `psa_generate_random()`). All software using the X.509 or SSL modules must call `psa_crypto_init()` before calling any of the functions listed here.
Move the X.509 and SSL content from the crypto migration guide Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 16:43:49 +02:00
Generalize section to other function prototype changes Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 17:06:28 +02:00			`### RNG removal in X.509`
Move the X.509 and SSL content from the crypto migration guide Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 16:43:49 +02:00
Copyediting and wording improvements Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 16:52:01 +02:00			The following function prototypes have been changed in `mbedtls/x509_crt.h`:
Move the X.509 and SSL content from the crypto migration guide Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 16:43:49 +02:00
			```c
			`int mbedtls_x509write_crt_der(mbedtls_x509write_cert ctx, unsigned char buf, size_t size,`
			`int (f_rng)(void , unsigned char *, size_t),`
			`void *p_rng);`

			`int mbedtls_x509write_crt_pem(mbedtls_x509write_cert ctx, unsigned char buf, size_t size,`
			`int (f_rng)(void , unsigned char *, size_t),`
			`void *p_rng);`
			```

			`to`

			```c
			`int mbedtls_x509write_crt_der(mbedtls_x509write_cert ctx, unsigned char buf, size_t size);`

			`int mbedtls_x509write_crt_pem(mbedtls_x509write_cert ctx, unsigned char buf, size_t size);`
			```

Copyediting and wording improvements Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 16:52:01 +02:00			The following function prototypes have been changed in `mbedtls/x509_csr.h`:
Move the X.509 and SSL content from the crypto migration guide Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 16:43:49 +02:00			```c
Copyediting and wording improvements Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 16:52:01 +02:00			`int mbedtls_x509write_csr_der(mbedtls_x509write_csr ctx, unsigned char buf, size_t size,`
			`int (f_rng)(void , unsigned char *, size_t),`
			`void *p_rng);`

			`int mbedtls_x509write_csr_pem(mbedtls_x509write_csr ctx, unsigned char buf, size_t size,`
			`int (f_rng)(void , unsigned char *, size_t),`
			`void *p_rng);`
Move the X.509 and SSL content from the crypto migration guide Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 16:43:49 +02:00			```

Copyediting and wording improvements Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 16:52:01 +02:00			`to`

Move the X.509 and SSL content from the crypto migration guide Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 16:43:49 +02:00			```c
Copyediting and wording improvements Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 16:52:01 +02:00			`int mbedtls_x509write_csr_der(mbedtls_x509write_csr ctx, unsigned char buf, size_t size);`

Move the X.509 and SSL content from the crypto migration guide Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 16:43:49 +02:00			`int mbedtls_x509write_csr_pem(mbedtls_x509write_csr ctx, unsigned char buf, size_t size);`
			```

Generalize section to other function prototype changes Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 17:06:28 +02:00			`### RNG removal in SSL`
Move the X.509 and SSL content from the crypto migration guide Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 16:43:49 +02:00
Consolidate changes to mbedtls_ssl_ticket_setup() Describe the change to the cipher mechanism specification. Consolidate that with the removal of the RNG arguments. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 17:13:57 +02:00			The following function prototype has been changed in `mbedtls/ssl_cookie.h`:
Move the X.509 and SSL content from the crypto migration guide Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 16:43:49 +02:00
			```c
			`int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx,`
			`int (f_rng)(void , unsigned char *, size_t),`
			`void *p_rng);`
			```

			`to`

			```c
			`int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx);`
			```

			### Removal of `mbedtls_ssl_conf_rng`

Copyediting and wording improvements Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 16:52:01 +02:00			`mbedtls_ssl_conf_rng()` has been removed from the library. Its sole purpose was to configure the RNG used for TLS, but now the PSA Crypto random generator is used throughout the library.
Consolidate changes to mbedtls_ssl_ticket_setup() Describe the change to the cipher mechanism specification. Consolidate that with the removal of the RNG arguments. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2025-06-25 17:13:57 +02:00
			`### Changes to mbedtls_ssl_ticket_setup`

			In the arguments of the function `mbedtls_ssl_ticket_setup()`, the `mbedtls_cipher_type_t` argument specifying the AEAD mechanism for ticket protection has been replaced by an equivalent PSA description consisting of a key type, a size and an algorithm. Also, the function no longer takes RNG arguments.

			The prototype in `mbedtls/ssl_ticket.h` has changed from

			```c
			`int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,`
			`mbedtls_f_rng_t f_rng, void p_rng,`
			`mbedtls_cipher_type_t cipher,`
			`uint32_t lifetime);`
			```

			`to`

			```c
			`int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,`
			`psa_algorithm_t alg, psa_key_type_t key_type, psa_key_bits_t key_bits,`
			`uint32_t lifetime);`
			```