pub struct ConnectionCommon<Data> { }Interface shared by client and server connections.
Source§ SourceProcesses any new packets read by a previous call to Connection::read_tls.
Errors from this function relate to TLS protocol errors, and are fatal to the connection. Future calls after an error will do no new work and will return the same error. After an error is received from process_new_packets, you should not call read_tls any more (it will fill up buffers to no purpose). However, you may call the other methods on the connection, including write, send_close_notify, and write_tls. Most likely you will want to call write_tls to send any alerts queued by the error and then close the underlying connection.
Success from this function comes with some sundry state data about the connection.
SourceDerives key material from the agreed connection secrets.
This function fills in output with output.len() bytes of key material derived from the master session secret using label and context for diversification. Ownership of the buffer is taken by the function and returned via the Ok result to ensure no key material leaks if the function fails.
See RFC5705 for more details on what this does and is for.
For TLS1.3 connections, this function does not use the “early” exporter at any point.
This function fails if called prior to the handshake completing; check with CommonState::is_handshaking first.
This function fails if output.len() is zero.
Extract secrets, so they can be used when configuring kTLS, for example. Should be used with care as it exposes secret key material.
SourceSets a limit on the internal buffers used to buffer unsent plaintext (prior to completing the TLS handshake) and unsent TLS records. This limit acts only on application data written through Connection::writer.
By default the limit is 64KB. The limit can be set at any time, even if the current buffer use is higher.
None means no limit applies, and will mean that written data is buffered without bound – it is up to the application to appropriately schedule its plaintext and TLS writes to bound memory usage.
For illustration: Some(1) means a limit of one byte applies: Connection::writer will accept only one byte, encrypt it and add a TLS header. Once this is sent via Connection::write_tls, another byte may be sent.
rustls has two buffers whose size are bounded by this setting:
§Buffering of unsent plaintext data prior to handshake completionCalls to Connection::writer before or during the handshake are buffered (up to the limit specified here). Once the handshake completes this data is encrypted and the resulting TLS records are added to the outgoing buffer.
This buffer is used to store TLS records that rustls needs to send to the peer. It is used in these two circumstances:
Connection::process_new_packets when a handshake or alert TLS record needs to be sent.Connection::writer post-handshake: the plaintext is encrypted and the resulting TLS record is buffered.This buffer is emptied by Connection::write_tls.
Sends a TLS1.3 key_update message to refresh a connection’s keys.
This call refreshes our encryption keys. Once the peer receives the message, it refreshes its encryption and decryption keys and sends a response. Once we receive that response, we refresh our decryption keys to match. At the end of this process, keys in both directions have been refreshed.
Note that this process does not happen synchronously: this call just arranges that the key_update message will be included in the next write_tls output.
This fails with Error::HandshakeNotComplete if called before the initial handshake is complete, or if a version prior to TLS1.3 is negotiated.
Note that other implementations (including rustls) may enforce limits on the number of key_update messages allowed on a given connection to prevent denial of service. Therefore, this should be called sparingly.
rustls implicitly and automatically refreshes traffic keys when needed according to the selected cipher suite’s cryptographic constraints. There is therefore no need to call this manually to avoid cryptographic keys “wearing out”.
The main reason to call this manually is to roll keys when it is known a connection will be idle for a long period.
Source§ SourceAvailable on crate feature std only.
Returns an object that allows reading plaintext.
SourceAvailable on crate feature std only.
Returns an object that allows writing plaintext.
SourceAvailable on crate feature std only.
This function uses io to complete any outstanding IO for this connection.
This is a convenience function which solely uses other parts of the public API.
What this means depends on the connection state:
is_handshaking, then IO is performed until the handshake is complete.wants_write is true, write_tls is invoked until it is all written.wants_read is true, read_tls is invoked once.The return value is the number of bytes read from and written to io, respectively. Once both read() and write() yield WouldBlock, this function will propagate the error.
Errors from TLS record handling (i.e., from process_new_packets) are wrapped in an io::ErrorKind::InvalidData-kind error.
Available on crate feature std only.
Read TLS content from rd into the internal buffer.
Due to the internal buffering, rd can supply TLS messages in arbitrary-sized chunks (like a socket or pipe might).
You should call process_new_packets() each time a call to this function succeeds in order to empty the incoming TLS data buffer.
This function returns Ok(0) when the underlying rd does so. This typically happens when a socket is cleanly closed, or a file is at EOF. Errors may result from the IO done through rd; additionally, errors of ErrorKind::Other are emitted to signal backpressure:
process_new_packets() each time a call to this function succeeds.reader() after the call to process_new_packets().This function also returns Ok(0) once a close_notify alert has been successfully received. No additional data is ever read in this state.
Available on crate feature std only.
Writes TLS messages to wr.
On success, this function returns Ok(n) where n is a number of bytes written to wr (after encoding and encryption).
After this function returns, the connection buffer may not yet be fully flushed. The CommonState::wants_write function can be used to check if the output buffer is empty.
Returns true if the caller should call Connection::write_tls as soon as possible.
Returns true if the connection is currently performing the TLS handshake.
During this time plaintext written to the connection is buffered in memory. After Connection::process_new_packets() has been called, this might start to return false while the final handshake packets still need to be extracted from the connection’s buffers.
Retrieves the certificate chain or the raw public key used by the peer to authenticate.
The order of the certificate chain is as it appears in the TLS protocol: the first certificate relates to the peer, the second certifies the first, the third certifies the second, and so on.
When using raw public keys, the first and only element is the raw public key.
This is made available for both full and resumed handshakes.
For clients, this is the certificate chain or the raw public key of the server.
For servers, this is the certificate chain or the raw public key of the client, if client authentication was completed.
The return value is None until this value is available.
Note: the return type of the ‘certificate’, when using raw public keys is CertificateDer<'static> even though this should technically be a SubjectPublicKeyInfoDer<'static>. This choice simplifies the API and ensures backwards compatibility.
Retrieves the protocol agreed with the peer via ALPN.
A return value of None after handshake completion means no protocol was agreed (because no protocols were offered or accepted by the peer).
Retrieves the ciphersuite agreed with the peer.
This returns None until the ciphersuite is agreed.
Source SourceRetrieves the protocol version agreed with the peer.
This returns None until the version is agreed.
Which kind of handshake was performed.
This tells you whether the handshake was a resumption or not.
This will return None before it is known which sort of handshake occurred.
Queues a close_notify warning alert to be sent in the next Connection::write_tls call. This informs the peer that the connection is being closed.
Does nothing if any close_notify or fatal alert was already sent.
Returns true if the caller should call Connection::read_tls as soon as possible.
If there is pending plaintext data to read with Connection::reader, this returns false. If your application respects this mechanism, only one full TLS message will be buffered by rustls.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4