Trait rustls::Session

pub trait Session: QuicExt + Read + Write + Send + Sync {
    fn read_tls(&mut self, rd: &mut dyn Read) -> Result<usize, Error>;
    fn write_tls(&mut self, wr: &mut dyn Write) -> Result<usize, Error>;
    fn process_new_packets(&mut self) -> Result<(), TLSError>;
    fn wants_read(&self) -> bool;
    fn wants_write(&self) -> bool;
    fn is_handshaking(&self) -> bool;
    fn set_buffer_limit(&mut self, limit: usize);
    fn send_close_notify(&mut self);
    fn get_peer_certificates(&self) -> Option<Vec<Certificate>>;
    fn get_alpn_protocol(&self) -> Option<&[u8]>;
    fn get_protocol_version(&self) -> Option<ProtocolVersion>;
    fn export_keying_material(
        &self,
        output: &mut [u8],
        label: &[u8],
        context: Option<&[u8]>
    ) -> Result<(), TLSError>;
    fn get_negotiated_ciphersuite(
        &self
    ) -> Option<&'static SupportedCipherSuite>;

    fn complete_io<T>(&mut self, io: &mut T) -> Result<(usize, usize), Error>
    where
        Self: Sized,
        T: Read + Write,
    { ... }
}

Generalises ClientSession and ServerSession

Required Methods

fn read_tls(&mut self, rd: &mut dyn Read) -> Result<usize, Error>

Read TLS content from rd. This method does internal buffering, so rd can supply TLS messages in arbitrary- sized chunks (like a socket or pipe might).

You should call process_new_packets each time a call to this function succeeds.

The returned error only relates to IO on rd. TLS-level errors are emitted from process_new_packets.

This function returns Ok(0) when the underlying rd does so. This typically happens when a socket is cleanly closed, or a file is at EOF.

fn write_tls(&mut self, wr: &mut dyn Write) -> Result<usize, Error>

Writes TLS messages to wr.

On success the function returns Ok(n) where n is a number of bytes written to wr, number of bytes after encoding and encryption.

Note that after function return the session buffer maybe not yet fully flushed. wants_write function can be used to check if output buffer is not empty.

fn process_new_packets(&mut self) -> Result<(), TLSError>

Processes any new packets read by a previous call to read_tls. Errors from this function relate to TLS protocol errors, and are fatal to the session. Future calls after an error will do no new work and will return the same error.

Success from this function can mean new plaintext is available: obtain it using read.

fn wants_read(&self) -> bool

Returns true if the caller should call read_tls as soon as possible.

fn wants_write(&self) -> bool

Returns true if the caller should call write_tls as soon as possible.

fn is_handshaking(&self) -> bool

Returns true if the session is currently perform the TLS handshake. During this time plaintext written to the session is buffered in memory.

fn set_buffer_limit(&mut self, limit: usize)

Sets a limit on the internal buffers used to buffer unsent plaintext (prior to completing the TLS handshake) and unsent TLS records.

By default, there is no limit. The limit can be set at any time, even if the current buffer use is higher.

fn send_close_notify(&mut self)

Queues a close_notify fatal alert to be sent in the next write_tls call. This informs the peer that the connection is being closed.

fn get_peer_certificates(&self) -> Option<Vec<Certificate>>

Retrieves the certificate chain used by the peer to authenticate.

The order of the certificate chain is as it appears in the TLS protocol: the first certificate relates to the peer, the second certifies the first, the third certifies the second, and so on.

For clients, this is the certificate chain of the server.

For servers, this is the certificate chain of the client, if client authentication was completed.

The return value is None until this value is available.

fn get_alpn_protocol(&self) -> Option<&[u8]>

Retrieves the protocol agreed with the peer via ALPN.

A return value of None after handshake completion means no protocol was agreed (because no protocols were offered or accepted by the peer).

fn get_protocol_version(&self) -> Option<ProtocolVersion>

Retrieves the protocol version agreed with the peer.

This returns None until the version is agreed.

fn export_keying_material(
    &self,
    output: &mut [u8],
    label: &[u8],
    context: Option<&[u8]>
) -> Result<(), TLSError>

Derives key material from the agreed session secrets.

This function fills in output with output.len() bytes of key material derived from the master session secret using label and context for diversification.

See RFC5705 for more details on what this does and is for.

For TLS1.3 connections, this function does not use the “early” exporter at any point.

This function fails if called prior to the handshake completing; check with is_handshaking() first.

fn get_negotiated_ciphersuite(&self) -> Option<&'static SupportedCipherSuite>

Retrieves the ciphersuite agreed with the peer.

This returns None until the ciphersuite is agreed.

Provided Methods

fn complete_io<T>(&mut self, io: &mut T) -> Result<(usize, usize), Error>where
    Self: Sized,
    T: Read + Write,

This function uses io to complete any outstanding IO for this session.

This is a convenience function which solely uses other parts of the public API.

What this means depends on the session state:

• If the session is_handshaking(), then IO is performed until the handshake is complete.
• Otherwise, if wants_write is true, write_tls is invoked until it is all written.
• Otherwise, if wants_read is true, read_tls is invoked once.

The return value is the number of bytes read from and written to io, respectively.

This function will block if io blocks.

Errors from TLS record handling (ie, from process_new_packets()) are wrapped in an io::ErrorKind::InvalidData-kind error.

Implementors

impl Session for ClientSession

impl Session for ServerSession