Context

ktls_core::context

Struct Context 

Source 
pub struct Context<C: TlsSession> { /* private fields */ }
Expand description

The context for managing a kTLS connection.

Implementations§

Source§

impl<C: TlsSession> Context<C>

Source

pub fn new(session: C, buffer: Option<Buffer>) -> Self

Creates a new kTLS context with the given TLS session and optional buffer (can be TLS early data received from peer during handshake, or pre-allocated buffer).

Source

pub const fn state(&self) -> &State

Returns the current kTLS connection state.

Source

pub const fn buffer(&self) -> &Buffer

Returns a reference to the buffer.

Source

pub const fn buffer_mut(&mut self) -> &mut Buffer

Returns a mutable reference to the buffer.

Source

pub fn refresh_traffic_keys<S: AsFd>(&mut self, socket: &S) -> Result<()>

Sends a TLS 1.3 key_update message to refresh a connection’s keys.

This call refreshes our encryption keys. Once the peer receives the message, it refreshes its encryption and decryption keys and sends a response. Once we receive that response, we refresh our decryption keys to match. At the end of this process, keys in both directions have been refreshed.

§Notes

Note that TLS implementations may enforce limits on the number of key_update messages allowed on a given connection to prevent denial of service. Therefore, this should be called sparingly.

Since the kernel will never implicitly and automatically trigger key updates according to the selected cipher suite’s cryptographic constraints, the application is responsible for calling this method as needed to maintain security.

§Known Issues

Under the condition that both parties are kTLS offloaded and the server program uses the Tokio asynchronous runtime, if the server initiates a Key Update and then immediately performs a read I/O operation, it will cause the program to hang (the read I/O operation returns EAGAIN but the task waker does not seem to be registered correctly). This issue needs further investigation.

Only Linux kernel 6.16 or later fully supports runtime key updates.

§Errors
  • Updating the TX secret fails.
  • Sending the KeyUpdate message fails.
  • Setting the TX secret on the socket fails.
Source

pub fn handle_io_error<S: AsFd>(&mut self, socket: &S, err: Error) -> Result<()>

Handles io::Errors from I/O operations on kTLS-configured sockets.

§Overview

When a socket is configured with kTLS, it can be used like a normal socket for data transmission - the kernel transparently handles encryption and decryption. However, TLS control messages (e.g., TLS alerts) from peers cannot be processed automatically by the kernel, which returns EIO to notify userspace.

This method helps handle such errors appropriately:

  • EIO: Attempts to process any received TLS control messages. Returns Ok(()) on success, allowing the caller to retry the operation.
  • Interrupted: Indicates the operation was interrupted by a signal. Returns Ok(()), allowing the caller to retry the operation.
  • WouldBlock: Indicates the operation would block (e.g., non-blocking socket). Returns Ok(()), allowing the caller to retry the operation.
  • BrokenPipe: Marks the stream as closed.
  • Other errors: Aborts the connection with an internal_error alert and returns the original error.
§Notes

Incorrect usage of this method MAY lead to unexpected behavior.

§Errors

Returns the original io::Error if it cannot be recovered from.

Source

pub fn shutdown<S: AsFd>(&mut self, socket: &S)

Closes the read side of the kTLS connection and sends a close_notify alert to the peer.

Trait Implementations§

Source§

impl<C: Debug + TlsSession> Debug for Context<C>

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Auto Trait Implementations§

§

impl<C> Freeze for Context<C>
where C: Freeze,

§

impl<C> RefUnwindSafe for Context<C>
where C: RefUnwindSafe,

§

impl<C> Send for Context<C>
where C: Send,

§

impl<C> Sync for Context<C>
where C: Sync,

§

impl<C> Unpin for Context<C>
where C: Unpin,

§

impl<C> UnwindSafe for Context<C>
where C: UnwindSafe,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.