Trait rustls::Connection [−][src]
pub trait Connection: QuicExt + Send + Sync {}Show methods
fn read_tls(&mut self, rd: &mut dyn Read) -> Result<usize, Error>; fn write_tls(&mut self, wr: &mut dyn Write) -> Result<usize, Error>; fn reader(&mut self) -> Reader<'_>ⓘ; fn writer(&mut self) -> Writer<'_>ⓘ; fn process_new_packets(&mut self) -> Result<IoState, Error>; fn wants_read(&self) -> bool; fn wants_write(&self) -> bool; fn is_handshaking(&self) -> bool; fn set_buffer_limit(&mut self, limit: Option<usize>); fn send_close_notify(&mut self); fn peer_certificates(&self) -> Option<&[Certificate]>; fn alpn_protocol(&self) -> Option<&[u8]>; fn protocol_version(&self) -> Option<ProtocolVersion>; fn export_keying_material(
&self,
output: &mut [u8],
label: &[u8],
context: Option<&[u8]>
) -> Result<(), Error>; fn negotiated_cipher_suite(&self) -> Option<SupportedCipherSuite>; fn complete_io<T>(&mut self, io: &mut T) -> Result<(usize, usize), Error>
where
Self: Sized,
T: Read + Write, { ... }
Expand description
Generalises ClientConnection and ServerConnection
Required methods
Read TLS content from rd. This method does internal
buffering, so rd can supply TLS messages in arbitrary-
sized chunks (like a socket or pipe might).
You should call process_new_packets each time a call to
this function succeeds.
The returned error only relates to IO on rd. TLS-level
errors are emitted from process_new_packets.
This function returns Ok(0) when the underlying rd does
so. This typically happens when a socket is cleanly closed,
or a file is at EOF.
Writes TLS messages to wr.
On success the function returns Ok(n) where n is a number
of bytes written to wr, number of bytes after encoding and
encryption.
Note that after function return the connection buffer maybe not
yet fully flushed. Connection::wants_write function can be used
to check if output buffer is not empty.
Returns an object that allows reading plaintext.
Returns an object that allows writing plaintext.
fn process_new_packets(&mut self) -> Result<IoState, Error>
fn process_new_packets(&mut self) -> Result<IoState, Error>Processes any new packets read by a previous call to
Connection::read_tls.
Errors from this function relate to TLS protocol errors, and
are fatal to the connection. Future calls after an error will do
no new work and will return the same error. After an error is
received from process_new_packets, you should not call read_tls
any more (it will fill up buffers to no purpose). However, you
may call the other methods on the connection, including write,
send_close_notify, and write_tls. Most likely you will want to
call write_tls to send any alerts queued by the error and then
close the underlying connection.
Success from this function comes with some sundry state data about the connection.
fn wants_read(&self) -> bool
fn wants_read(&self) -> boolReturns true if the caller should call Connection::read_tls as soon
as possible.
If there is pending plaintext data to read with Connection::reader,
this returns false. If your application respects this mechanism,
only one full TLS message will be buffered by rustls.
fn wants_write(&self) -> bool
fn wants_write(&self) -> boolReturns true if the caller should call Connection::write_tls as soon
as possible.
fn is_handshaking(&self) -> bool
fn is_handshaking(&self) -> boolReturns true if the connection is currently performing the TLS handshake.
During this time plaintext written to the connection is buffered in memory. After
Connection::process_new_packets has been called, this might start to return false
while the final handshake packets still need to be extracted from the connection’s buffers.
fn set_buffer_limit(&mut self, limit: Option<usize>)
fn set_buffer_limit(&mut self, limit: Option<usize>)Sets a limit on the internal buffers used to buffer
unsent plaintext (prior to completing the TLS handshake)
and unsent TLS records. This limit acts only on application
data written through Connection::writer.
By default the limit is 64KB. The limit can be set at any time, even if the current buffer use is higher.
None means no limit applies, and will mean that written
data is buffered without bound – it is up to the application
to appropriately schedule its plaintext and TLS writes to bound
memory usage.
For illustration: Some(1) means a limit of one byte applies:
Connection::writer will accept only one byte, encrypt it and
add a TLS header. Once this is sent via Connection::write_tls,
another byte may be sent.
Internal write-direction buffering
rustls has two buffers whose size are bounded by this setting:
Buffering of unsent plaintext data prior to handshake completion
Calls to Connection::writer before or during the handshake
are buffered (up to the limit specified here). Once the
handshake completes this data is encrypted and the resulting
TLS records are added to the outgoing buffer.
Buffering of outgoing TLS records
This buffer is used to store TLS records that rustls needs to send to the peer. It is used in these two circumstances:
- by
Connection::process_new_packetswhen a handshake or alert TLS record needs to be sent. - by
Connection::writerpost-handshake: the plaintext is encrypted and the resulting TLS record is buffered.
This buffer is emptied by Connection::write_tls.
fn send_close_notify(&mut self)
fn send_close_notify(&mut self)Queues a close_notify warning alert to be sent in the next
Connection::write_tls call. This informs the peer that the
connection is being closed.
fn peer_certificates(&self) -> Option<&[Certificate]>
fn peer_certificates(&self) -> Option<&[Certificate]>Retrieves the certificate chain used by the peer to authenticate.
The order of the certificate chain is as it appears in the TLS protocol: the first certificate relates to the peer, the second certifies the first, the third certifies the second, and so on.
This is made available for both full and resumed handshakes.
For clients, this is the certificate chain of the server.
For servers, this is the certificate chain of the client, if client authentication was completed.
The return value is None until this value is available.
Retrieves the protocol agreed with the peer via ALPN.
A return value of None after handshake completion
means no protocol was agreed (because no protocols
were offered or accepted by the peer).
fn protocol_version(&self) -> Option<ProtocolVersion>
fn protocol_version(&self) -> Option<ProtocolVersion>Retrieves the protocol version agreed with the peer.
This returns None until the version is agreed.
Derives key material from the agreed connection secrets.
This function fills in output with output.len() bytes of key
material derived from the master session secret using label
and context for diversification.
See RFC5705 for more details on what this does and is for.
For TLS1.3 connections, this function does not use the “early” exporter at any point.
This function fails if called prior to the handshake completing;
check with Connection::is_handshaking first.
fn negotiated_cipher_suite(&self) -> Option<SupportedCipherSuite>
fn negotiated_cipher_suite(&self) -> Option<SupportedCipherSuite>Retrieves the ciphersuite agreed with the peer.
This returns None until the ciphersuite is agreed.
Provided methods
This function uses io to complete any outstanding IO for
this connection.
This is a convenience function which solely uses other parts of the public API.
What this means depends on the connection state:
- If the connection
is_handshaking, then IO is performed until the handshake is complete. - Otherwise, if
wants_writeis true,write_tlsis invoked until it is all written. - Otherwise, if
wants_readis true,read_tlsis invoked once.
The return value is the number of bytes read from and written
to io, respectively.
This function will block if io blocks.
Errors from TLS record handling (i.e., from process_new_packets)
are wrapped in an io::ErrorKind::InvalidData-kind error.