
Module kernel


Kernel connection API

This module gives you the bare minimum you need to implement a TLS connection that does its own encryption and decryption while still using rustls to manage connection secrets and session tickets. It is intended for use cases like kTLS, where you want rustls to establish the connection but want something else (the kernel) to do the encryption and decryption after that.

There are only two things that KernelConnection is able to do:

  1. Compute new traffic secrets when a key update occurs.
  2. Save received session tickets sent by a server peer.

That's it. Everything else you will need to implement yourself: record framing, encryption and decryption, sequence numbers, and the handling of any post-handshake messages the peer sends.

Entry Point

The entry points into this API are UnbufferedClientConnection::dangerous_into_kernel_connection and UnbufferedServerConnection::dangerous_into_kernel_connection. Both consume the unbuffered connection and hand back the extracted traffic secrets together with the KernelConnection that will manage them from then on.

In order to actually create a KernelConnection, all of the following must be true:

  • the connection must have completed its handshake,
  • the connection must have no buffered TLS data waiting to be sent, and,
  • the config used to create the connection must have enable_extract_secrets set to true.

This sounds fairly complicated to achieve at first glance. However, if you drive an unbuffered connection through the handshake until it returns WriteTraffic, it will end up in the right state to convert into a KernelConnection: the handshake is complete and there is no pending TLS output left to flush.

Cipher Suite Confidentiality Limits

Some cipher suites (notably AES-GCM) lose their security guarantees once a certain number of records have been encrypted under the same key; RFC 8446 §5.5 puts the AES-GCM bound at roughly 2^24.5 full-size records per key. Normally, rustls tracks how many records have been written or read and, as the cipher suite's confidentiality limit approaches, automatically either refreshes the keys (TLS 1.3, via KeyUpdate) or emits an error (TLS 1.2, which has no key update mechanism).

KernelConnection has no way to track this: once the kernel is doing the encryption, rustls never sees the records. It is the responsibility of the user of the API to track approximately how many records have been sent under the current keys and to either refresh the traffic keys or abort the connection before the confidentiality limit is reached.

You can find the current confidentiality limit by looking at CipherSuiteCommon::confidentiality_limit for the cipher suite selected by the connection.
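The bookkeeping the two paragraphs above hand back to you, as an added example that is not rustls code: a transmit-side record budget for a connection handed off to kTLS. The limit is whatever CipherSuiteCommon::confidentiality_limit reports for the negotiated suite (the 64-record value in the demo is constructed so the rekeys are visible in a short run). Two things here are my assumptions, not the page's: that the KernelConnection method for deriving the next transmit secret is called update_tx_secret, and that Linux kTLS turns one write of n bytes into ceil(n / 2^14) records. Check both against the KernelConnection struct documentation and your kernel before relying on them.

```rust
// Added example, not rustls code: count the records the kernel will encrypt
// under the current TX key and say when to rekey (TLS 1.3) or stop (TLS 1.2).

/// Largest TLS plaintext fragment (RFC 8446 §5.1). Assumption about the kernel:
/// one write of n bytes becomes ceil(n / 2^14) records, never fewer.
const MAX_FRAGMENT_LEN: u64 = 1 << 14;

/// Whether the negotiated protocol can replace traffic keys in place.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Version {
    /// No key update mechanism: the only safe response to the limit is to close.
    Tls12,
    /// KeyUpdate is available, so the connection can be rekeyed and continue.
    Tls13,
}

/// What the caller must do before handing the next write to the kernel.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Action {
    /// The write fits under the current key's budget; go ahead.
    Continue,
    /// Derive the next TX secret (KernelConnection::update_tx_secret, name
    /// assumed), install it on the socket, call `tx_key_refreshed`, then retry.
    RefreshTxKey,
    /// TLS 1.2 has exhausted the key: send close_notify and tear the connection down.
    Abort,
}

/// Records encrypted under the current TX key, checked against the suite's limit.
pub struct TxKeyUsage {
    version: Version,
    /// Act at this many records: confidentiality_limit minus a safety margin.
    threshold: u64,
    /// Records attributed to the current key so far.
    records: u64,
}

impl TxKeyUsage {
    /// `limit` is CipherSuiteCommon::confidentiality_limit for the negotiated
    /// suite. Acting at 7/8 of it leaves headroom for records the kernel emits
    /// that this estimate did not predict (control records, extra fragmentation).
    pub fn new(version: Version, limit: u64) -> Self {
        Self { version, threshold: limit - limit / 8, records: 0 }
    }

    /// Records a plaintext write of `len` bytes occupies; every write costs at
    /// least one record, so a stream of tiny writes is charged correctly.
    pub fn records_for(len: usize) -> u64 {
        let len = len as u64;
        std::cmp::max(1, (len + MAX_FRAGMENT_LEN - 1) / MAX_FRAGMENT_LEN)
    }

    /// Bytes that still fit under the current key; split larger buffers here.
    pub fn remaining_bytes(&self) -> u64 {
        (self.threshold - self.records).saturating_mul(MAX_FRAGMENT_LEN)
    }

    /// Account for a write of `len` bytes. On `Continue` the records are charged
    /// to the current key; otherwise nothing is charged and the caller must act.
    pub fn before_write(&mut self, len: usize) -> Action {
        let needed = Self::records_for(len);
        if self.records.saturating_add(needed) <= self.threshold {
            self.records += needed;
            Action::Continue
        } else {
            match self.version {
                Version::Tls13 => Action::RefreshTxKey,
                Version::Tls12 => Action::Abort,
            }
        }
    }

    /// Call once the new TX key is installed; the record budget starts over.
    pub fn tx_key_refreshed(&mut self) {
        self.records = 0;
    }

    pub fn records(&self) -> u64 {
        self.records
    }
}

/// Hook for the rekey step. In real code this wraps the rustls secret update
/// and the kTLS setsockopt that installs the new key; this one only counts.
pub trait TxRekey {
    fn refresh_tx_key(&mut self) -> Result<(), String>;
}

pub struct CountingRekey {
    pub rekeys: usize,
}

impl TxRekey for CountingRekey {
    fn refresh_tx_key(&mut self) -> Result<(), String> {
        self.rekeys += 1;
        Ok(())
    }
}

/// Push `total` bytes of plaintext through the budget in `chunk`-byte writes
/// (no real I/O: the socket is simulated). Returns the records written.
pub fn send_stream(
    usage: &mut TxKeyUsage,
    rekey: &mut dyn TxRekey,
    total: usize,
    chunk: usize,
) -> Result<u64, String> {
    let mut sent_records = 0u64;
    let mut offset = 0usize;
    while offset < total {
        let mut len = chunk.min(total - offset);
        let remaining = usize::try_from(usage.remaining_bytes()).unwrap_or(usize::MAX);
        if remaining > 0 {
            len = len.min(remaining); // split so this write fits under the current key
        }
        match usage.before_write(len) {
            Action::Continue => {
                sent_records += TxKeyUsage::records_for(len);
                offset += len;
            }
            Action::RefreshTxKey => {
                rekey.refresh_tx_key()?;
                usage.tx_key_refreshed();
            }
            Action::Abort => {
                return Err(format!(
                    "TLS 1.2 confidentiality limit reached after {} records; closing",
                    sent_records
                ))
            }
        }
    }
    Ok(sent_records)
}

fn main() {
    // Constructed scenario: a TLS 1.3 suite with a limit of only 64 records so
    // the rekeys show up; real limits come from CipherSuiteCommon::confidentiality_limit.
    let mut usage = TxKeyUsage::new(Version::Tls13, 64);
    let mut rekey = CountingRekey { rekeys: 0 };
    match send_stream(&mut usage, &mut rekey, 200 * 16384, 16384) {
        Ok(records) => println!("wrote {} records with {} rekeys", records, rekey.rekeys),
        Err(e) => println!("stopped: {}", e),
    }
}
```

The tracker acts at 7/8 of the limit rather than at the limit itself: rustls can no longer see the records, so any record the kernel emits that the estimate does not predict eats into that margin rather than into the cryptographic bound. For TLS 1.2 the only safe outcome is Abort, because the protocol has no key update; for TLS 1.3 the caller rekeys and retries, using remaining_bytes to split a large buffer at the key boundary so no single write ever overshoots.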

Structs

KernelConnection
A kernel connection.