pub struct ServerConnection { /* private fields */ }展开描述
This represents 一个 single TLS server connection.
Send TLS-protected data 到 the peer using the io::Write trait implementation.
Read data 从 the peer using the io::Read trait implementation.
实现§
Source§impl ServerConnection
impl ServerConnection
Sourcepub fn new(config: Arc<ServerConfig>) -> Result<Self, Error>
pub fn new(config: Arc<ServerConfig>) -> Result<Self, Error>
创建一个新的 ServerConnection. config controls how
we behave in the TLS protocol.
Sourcepub fn server_name(&self) -> Option<&str>
pub fn server_name(&self) -> Option<&str>
Retrieves 服务器名, if any, 用 到 select 证书 并 私钥.
This returns None until some time after the client’s server name indication
(SNI) extension value is processed during the handshake. It will never be
None when the connection is ready 到 send 或 process application data,
unless the client does not support SNI.
This is useful 用于 application protocols that need 到 enforce that the
server name matches an application layer protocol hostname. For
example, HTTP/1.1 servers commonly expect the Host: header field of
every request on 一个 connection 到 match the hostname in the SNI extension
when the client provides the SNI extension.
此 server 名称是 also 用 到 match sessions during session resumption.
Sourcepub fn received_resumption_data(&self) -> Option<&[u8]>
pub fn received_resumption_data(&self) -> Option<&[u8]>
Application-controlled portion of the resumption ticket supplied by the client, if any.
Recovered 从 the prior session’s set_resumption_data。 Integrity is guaranteed by rustls.
Returns Some if 并 only if 一个 valid resumption ticket has been received 从 the client.
Sourcepub fn set_resumption_data(&mut self, data: &[u8])
pub fn set_resumption_data(&mut self, data: &[u8])
Set the resumption data 到 embed in future resumption tickets supplied 到 the client.
Defaults 到 the empty byte string. Must be less than 2^15 bytes 到 allow room 用于 other
data. Should be called while is_handshaking 返回 true 到 ensure all transmitted
resumption tickets are affected.
Integrity , assured by rustls, but 数据 , visible 到 the client. If secrecy 从 the client is desired, encrypt 数据 separately.
Sourcepub fn reject_early_data(&mut self)
pub fn reject_early_data(&mut self)
明示弃用早期数据,并通知客户端
Useful if invariants encoded in received_resumption_data() cannot be respected.
Must be called while is_handshaking is true.
Sourcepub fn early_data(&mut self) -> Option<ReadEarlyData<'_>>
pub fn early_data(&mut self) -> Option<ReadEarlyData<'_>>
Returns an io::Read implementer you can read bytes 从 that are
received 从 一个 client as TLS 1.3 0RTT/“early” data, during the handshake.
This returns None in many circumstances, such as :
- Early data is disabled if
ServerConfig::max_early_data_sizeis zero (the default). - The session negotiated with the client is not TLS1.3.
- The client just doesn’t support early data.
- The connection doesn’t resume an existing session.
- The client hasn’t sent a full ClientHello yet.
Sourcepub fn fips(&self) -> bool
pub fn fips(&self) -> bool
返回 true if the connection was made with 一个 ServerConfig , FIPS compatible.
This is different 从 crate::crypto::CryptoProvider::fips():
it is concerned only with cryptography, whereas this also covers TLS-level
configuration that NIST recommends, as well as ECH HPKE suites if applicable.
Sourcepub fn dangerous_extract_secrets(self) -> Result<ExtractedSecrets, Error>
pub fn dangerous_extract_secrets(self) -> Result<ExtractedSecrets, Error>
提取密钥,以便在配置 kTLS 时使用,例如。 Should be 用 with care as it exposes secret 密钥材料。
Methods from Deref<Target = ConnectionCommon<ServerConnectionData>>§
Sourcepub fn process_new_packets(&mut self) -> Result<IoState, Error>
pub fn process_new_packets(&mut self) -> Result<IoState, Error>
处理先前调用以下方法读取的所有新数据包:
Connection::read_tls。
Errors 从 此函数 relate 到 TLS protocol errors, 并
are fatal 到 the connection. Future calls after an error will do
no new work 并 将返回 the same error. After an error is
received 从 process_new_packets, you should not call read_tls
any more (it will fill up buffers 到 no purpose)。 However, you
may call the other methods on the connection, including write,
send_close_notify, 并 write_tls。 Most likely you will want 到
call write_tls 到 send any alerts queued by the error 并 then
close 底层 connection.
Success 从 此函数 comes with some sundry state data about the connection.
Sourcepub fn export_keying_material<T: AsMut<[u8]>>(
&self,
output: T,
label: &[u8],
context: Option<&[u8]>,
) -> Result<T, Error>
pub fn export_keying_material<T: AsMut<[u8]>>( &self, output: T, label: &[u8], context: Option<&[u8]>, ) -> Result<T, Error>
从已协商的连接密钥派生密钥材料。
This function fills in output with output.len() bytes of key
material derived 从 the master session secret using label
并 context 用于 diversification. Ownership of 缓冲区 is taken
by 函数 并 returned via the Ok result 到 ensure no key
material leaks if 函数 fails.
See RFC5705 用于 more details on what this does 并 is 用于.
For TLS 1.3 connections, 此函数 does not use the “early” exporter at any point.
This function fails if called prior 到 the handshake completing;
检查 with CommonState::is_handshaking first.
This function fails if output.len() is zero.
Sourcepub fn set_buffer_limit(&mut self, limit: Option<usize>)
pub fn set_buffer_limit(&mut self, limit: Option<usize>)
设置内部缓冲区的限制 用 到 缓冲区
unsent 明文 (prior 到 completing the TLS handshake)
并 unsent TLS records. This limit acts only on application
data written through Connection::writer。
By default the limit is 64KB. 此 limit can be set at any time, even if the current 缓冲区 use is higher.
None means no limit applies, 并 will mean that written
data is buffered without bound – it is up 到 the application
到 appropriately schedule its 明文 并 TLS writes 到 bound
memory usage.
For illustration: Some(1) means 一个 limit of one byte applies:
Connection::writer will accept only one byte, encrypt it 并
add 一个 TLS header. Once this is sent via Connection::write_tls,
another byte may be sent.
§Internal write-direction buffering
rustls has two buffers whose size are bounded by this setting:
§Buffering of unsent plaintext data prior to handshake completion
Calls 到 Connection::writer before 或 during the handshake
are buffered (up 到 the limit specified here)。 Once the
handshake completes 此数据 is encrypted 并 the resulting
TLS records are added 到 the outgoing 缓冲区.
§Buffering of outgoing TLS records
This 缓冲区 is 用 到 store TLS records that rustls needs 到 send 到 the peer. It is 用 in these two circumstances:
- by
Connection::process_new_packetswhen a handshake or alert TLS record needs to be sent. - by
Connection::writerpost-handshake: the plaintext is encrypted and the resulting TLS record is buffered.
This 缓冲区 is emptied by Connection::write_tls。
Sourcepub fn refresh_traffic_keys(&mut self) -> Result<(), Error>
pub fn refresh_traffic_keys(&mut self) -> Result<(), Error>
Sends 一个 TLS 1.3 key_update message 到 refresh 一个 connection’s keys.
This call refreshes our encryption keys. Once the peer receives the message, it refreshes its encryption 并 decryption keys 并 sends 一个 response. Once we receive that response, we refresh our decryption keys 到 match. At the end of this process, keys in both directions have been refreshed.
Note that this process does not happen synchronously: this call just
arranges that the key_update message , included in the next
write_tls output.
This fails with Error::HandshakeNotComplete if called before the initial
handshake is complete, 或 if 一个 version prior 到 TLS 1.3 is negotiated.
§Usage advice
Note that other implementations (including rustls) may enforce limits on
the number of key_update messages allowed on 一个 given connection 到 prevent
denial of service. Therefore, this should be called sparingly.
rustls implicitly 并 automatically refreshes traffic keys when needed according 到 the selected cipher suite’s cryptographic constraints. There is therefore no need 到 call this manually 到 avoid cryptographic keys “wearing out”。
此 main reason 到 call this manually is 到 roll keys when it is known 一个 connection , idle 用于 一个 long period.
Sourcepub fn complete_io<T>(&mut self, io: &mut T) -> Result<(usize, usize), Error>
pub fn complete_io<T>(&mut self, io: &mut T) -> Result<(usize, usize), Error>
This function uses io 到 complete any outstanding IO 用于
this connection.
This 是 convenience function which solely uses other parts of the public API.
What this means depends on the connection state:
- If the connection
is_handshaking, then IO is performed until the handshake is complete. - Otherwise, if
wants_writeis true,write_tlsis invoked until it is all written. - Otherwise, if
wants_readis true,read_tlsis invoked once.
此 return value 是 number of bytes read 从 并 written
到 io, respectively. Once both read() 并 write() yield WouldBlock,
此函数 will propagate the error.
Errors 从 TLS record handling (i.e., 从 process_new_packets)
are wrapped in an io::ErrorKind::InvalidData-kind error.
Sourcepub fn read_tls(&mut self, rd: &mut dyn Read) -> Result<usize, Error>
pub fn read_tls(&mut self, rd: &mut dyn Read) -> Result<usize, Error>
从以下来源读取 TLS 内容 rd into the internal 缓冲区.
Due 到 the internal buffering, rd can supply TLS messages in arbitrary-sized chunks (like
一个 socket 或 pipe might)。
You should call process_new_packets() each time 一个 call 到 此函数 succeeds in order
到 empty the incoming TLS data 缓冲区.
This function returns Ok(0) when 底层 rd does so. This typically happens when
一个 socket is cleanly closed, 或 一个 file is at EOF. Errors may result 从 the IO done through
rd; additionally, errors of ErrorKind::Other are emitted 到 signal backpressure:
- In order to empty the incoming TLS data buffer, you should call
process_new_packets()each time a call to this function succeeds. - In order to empty the incoming plaintext data buffer, you should empty it through
the
reader()after the call toprocess_new_packets().
This function also returns Ok(0) once 一个 close_notify alert has been successfully
received. No additional data is ever read in this state.
Sourcepub fn write_tls(&mut self, wr: &mut dyn Write) -> Result<usize, Error>
pub fn write_tls(&mut self, wr: &mut dyn Write) -> Result<usize, Error>
将 TLS 消息写入 wr。
On success, 此函数 returns Ok(n) where n 是 number of bytes written 到 wr
(after encoding 并 encryption)。
After 此函数 returns, the connection 缓冲区 may not yet be fully flushed. 此
CommonState::wants_write function 可用于 检查 if 输出 缓冲区 is empty.
Methods from Deref<Target = CommonState>§
Sourcepub fn wants_write(&self) -> bool
pub fn wants_write(&self) -> bool
如果调用者应尽快调用以下方法,则返回 true: Connection::write_tls 尽快。
Sourcepub fn is_handshaking(&self) -> bool
pub fn is_handshaking(&self) -> bool
如果连接当前正在执行 TLS 握手,则返回 true。
During this time 明文 written 到 the connection is buffered in memory. After
Connection::process_new_packets() has been called, this might start 到 return false
while the final handshake packets still need 到 be extracted 从 the connection’s buffers.
Sourcepub fn peer_certificates(&self) -> Option<&[CertificateDer<'static>]>
pub fn peer_certificates(&self) -> Option<&[CertificateDer<'static>]>
检索对等方用于身份验证的证书链或原始公钥。
此 order of 证书 chain is as it appears in the TLS protocol: the first certificate relates 到 the peer, the second certifies the first, the third certifies the second, 并 so on.
When using raw public keys, the first 并 only element 是 raw 公钥.
This is made available 用于 both full 并 resumed handshakes.
For clients, this 是 certificate chain 或 the raw 公钥 of the server.
For servers, this 是 certificate chain 或 the raw 公钥 of the client, if client authentication was completed.
此 return value is None until this value is available.
Note: the return type of the ‘certificate’, when using raw public keys is CertificateDer<'static>
even though this should technically be 一个 SubjectPublicKeyInfoDer<'static>。
This choice simplifies the API 并 ensures backwards compatibility.
Sourcepub fn alpn_protocol(&self) -> Option<&[u8]>
pub fn alpn_protocol(&self) -> Option<&[u8]>
检索通过 ALPN 与对等方协商的协议。
A return value of None after handshake completion
means no protocol was agreed (because no protocols
were offered 或 已接受 by the peer)。
Sourcepub fn negotiated_cipher_suite(&self) -> Option<SupportedCipherSuite>
pub fn negotiated_cipher_suite(&self) -> Option<SupportedCipherSuite>
检索与对等方协商的密码套件。
在密码套件协商一致之前返回 None。
Sourcepub fn negotiated_key_exchange_group(
&self,
) -> Option<&'static dyn SupportedKxGroup>
pub fn negotiated_key_exchange_group( &self, ) -> Option<&'static dyn SupportedKxGroup>
检索与对等方协商的密钥交换组。
This function may return None depending on the state of the connection,
the type of handshake, 并 the protocol version.
If CommonState::is_handshaking() 为 true,此函数将返回 None。
Similarly, if the CommonState::handshake_kind() is HandshakeKind::Resumed
并 the CommonState::protocol_version() is TLS 1.2, then no key exchange will have
occurred 并 此函数将返回 None。
Sourcepub fn protocol_version(&self) -> Option<ProtocolVersion>
pub fn protocol_version(&self) -> Option<ProtocolVersion>
检索与对等方协商的协议版本。
This returns None until the version is agreed.
Sourcepub fn handshake_kind(&self) -> Option<HandshakeKind>
pub fn handshake_kind(&self) -> Option<HandshakeKind>
执行的握手类型。
它会告知握手是否为恢复握手。
This 将返回 None before it is known which sort of
handshake occurred.
Sourcepub fn send_close_notify(&mut self)
pub fn send_close_notify(&mut self)
Queues 一个 close_notify warning alert 到 be sent in the next
Connection::write_tls 调用。 This informs the peer that the
connection is being closed.
Does nothing if any close_notify 或 fatal alert was already sent.
Sourcepub fn wants_read(&self) -> bool
pub fn wants_read(&self) -> bool
如果调用者应尽快调用以下方法,则返回 true: Connection::read_tls as soon
as possible.
如果有要读取的待处理明文数据,请使用 Connection::reader,
this returns false. If your application respects this mechanism,
only one full TLS message , buffered by rustls.