| <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="generator" content="rustdoc"><meta name="description" content="Source of the Rust file `/root/.cargo/git/checkouts/incubator-teaclave-crates-c8106113f74feefc/ede1f68/rustls-0.19.1/rustls/src/server/mod.rs`."><meta name="keywords" content="rust, rustlang, rust-lang"><title>mod.rs - source</title><link rel="preload" as="font" type="font/woff2" crossorigin href="../../../SourceSerif4-Regular.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../../FiraSans-Regular.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../../FiraSans-Medium.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../../SourceCodePro-Regular.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../../SourceSerif4-Bold.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../../SourceCodePro-Semibold.ttf.woff2"><link rel="stylesheet" href="../../../normalize.css"><link rel="stylesheet" href="../../../rustdoc.css" id="mainThemeStyle"><link rel="stylesheet" href="../../../ayu.css" disabled><link rel="stylesheet" href="../../../dark.css" disabled><link rel="stylesheet" href="../../../light.css" id="themeStyle"><script id="default-settings" ></script><script src="../../../storage.js"></script><script defer src="../../../source-script.js"></script><script defer src="../../../source-files.js"></script><script defer src="../../../main.js"></script><noscript><link rel="stylesheet" href="../../../noscript.css"></noscript><link rel="alternate icon" type="image/png" href="../../../favicon-16x16.png"><link rel="alternate icon" type="image/png" href="../../../favicon-32x32.png"><link rel="icon" type="image/svg+xml" href="../../../favicon.svg"></head><body class="rustdoc source"><!--[if lte IE 11]><div class="warning">This old browser is unsupported and will most likely display funky things.</div><![endif]--><nav class="sidebar"><a class="sidebar-logo" href="../../../rustls/index.html"><div class="logo-container"><img class="rust-logo" src="../../../rust-logo.svg" alt="logo"></div></a></nav><main><div class="width-limiter"><nav class="sub"><a class="sub-logo-container" href="../../../rustls/index.html"><img class="rust-logo" src="../../../rust-logo.svg" alt="logo"></a><form class="search-form"><div class="search-container"><span></span><input class="search-input" name="search" autocomplete="off" spellcheck="false" placeholder="Click or press ‘S’ to search, ‘?’ for more options…" type="search"><div id="help-button" title="help" tabindex="-1"><a href="../../../help.html">?</a></div><div id="settings-menu" tabindex="-1"><a href="../../../settings.html" title="settings"><img width="22" height="22" alt="Change settings" src="../../../wheel.svg"></a></div></div></form></nav><section id="main-content" class="content"><div class="example-wrap"><pre class="src-line-numbers"><span id="1">1</span> |
| <span id="2">2</span> |
| <span id="3">3</span> |
| <span id="4">4</span> |
| <span id="5">5</span> |
| <span id="6">6</span> |
| <span id="7">7</span> |
| <span id="8">8</span> |
| <span id="9">9</span> |
| <span id="10">10</span> |
| <span id="11">11</span> |
| <span id="12">12</span> |
| <span id="13">13</span> |
| <span id="14">14</span> |
| <span id="15">15</span> |
| <span id="16">16</span> |
| <span id="17">17</span> |
| <span id="18">18</span> |
| <span id="19">19</span> |
| <span id="20">20</span> |
| <span id="21">21</span> |
| <span id="22">22</span> |
| <span id="23">23</span> |
| <span id="24">24</span> |
| <span id="25">25</span> |
| <span id="26">26</span> |
| <span id="27">27</span> |
| <span id="28">28</span> |
| <span id="29">29</span> |
| <span id="30">30</span> |
| <span id="31">31</span> |
| <span id="32">32</span> |
| <span id="33">33</span> |
| <span id="34">34</span> |
| <span id="35">35</span> |
| <span id="36">36</span> |
| <span id="37">37</span> |
| <span id="38">38</span> |
| <span id="39">39</span> |
| <span id="40">40</span> |
| <span id="41">41</span> |
| <span id="42">42</span> |
| <span id="43">43</span> |
| <span id="44">44</span> |
| <span id="45">45</span> |
| <span id="46">46</span> |
| <span id="47">47</span> |
| <span id="48">48</span> |
| <span id="49">49</span> |
| <span id="50">50</span> |
| <span id="51">51</span> |
| <span id="52">52</span> |
| <span id="53">53</span> |
| <span id="54">54</span> |
| <span id="55">55</span> |
| <span id="56">56</span> |
| <span id="57">57</span> |
| <span id="58">58</span> |
| <span id="59">59</span> |
| <span id="60">60</span> |
| <span id="61">61</span> |
| <span id="62">62</span> |
| <span id="63">63</span> |
| <span id="64">64</span> |
| <span id="65">65</span> |
| <span id="66">66</span> |
| <span id="67">67</span> |
| <span id="68">68</span> |
| <span id="69">69</span> |
| <span id="70">70</span> |
| <span id="71">71</span> |
| <span id="72">72</span> |
| <span id="73">73</span> |
| <span id="74">74</span> |
| <span id="75">75</span> |
| <span id="76">76</span> |
| <span id="77">77</span> |
| <span id="78">78</span> |
| <span id="79">79</span> |
| <span id="80">80</span> |
| <span id="81">81</span> |
| <span id="82">82</span> |
| <span id="83">83</span> |
| <span id="84">84</span> |
| <span id="85">85</span> |
| <span id="86">86</span> |
| <span id="87">87</span> |
| <span id="88">88</span> |
| <span id="89">89</span> |
| <span id="90">90</span> |
| <span id="91">91</span> |
| <span id="92">92</span> |
| <span id="93">93</span> |
| <span id="94">94</span> |
| <span id="95">95</span> |
| <span id="96">96</span> |
| <span id="97">97</span> |
| <span id="98">98</span> |
| <span id="99">99</span> |
| <span id="100">100</span> |
| <span id="101">101</span> |
| <span id="102">102</span> |
| <span id="103">103</span> |
| <span id="104">104</span> |
| <span id="105">105</span> |
| <span id="106">106</span> |
| <span id="107">107</span> |
| <span id="108">108</span> |
| <span id="109">109</span> |
| <span id="110">110</span> |
| <span id="111">111</span> |
| <span id="112">112</span> |
| <span id="113">113</span> |
| <span id="114">114</span> |
| <span id="115">115</span> |
| <span id="116">116</span> |
| <span id="117">117</span> |
| <span id="118">118</span> |
| <span id="119">119</span> |
| <span id="120">120</span> |
| <span id="121">121</span> |
| <span id="122">122</span> |
| <span id="123">123</span> |
| <span id="124">124</span> |
| <span id="125">125</span> |
| <span id="126">126</span> |
| <span id="127">127</span> |
| <span id="128">128</span> |
| <span id="129">129</span> |
| <span id="130">130</span> |
| <span id="131">131</span> |
| <span id="132">132</span> |
| <span id="133">133</span> |
| <span id="134">134</span> |
| <span id="135">135</span> |
| <span id="136">136</span> |
| <span id="137">137</span> |
| <span id="138">138</span> |
| <span id="139">139</span> |
| <span id="140">140</span> |
| <span id="141">141</span> |
| <span id="142">142</span> |
| <span id="143">143</span> |
| <span id="144">144</span> |
| <span id="145">145</span> |
| <span id="146">146</span> |
| <span id="147">147</span> |
| <span id="148">148</span> |
| <span id="149">149</span> |
| <span id="150">150</span> |
| <span id="151">151</span> |
| <span id="152">152</span> |
| <span id="153">153</span> |
| <span id="154">154</span> |
| <span id="155">155</span> |
| <span id="156">156</span> |
| <span id="157">157</span> |
| <span id="158">158</span> |
| <span id="159">159</span> |
| <span id="160">160</span> |
| <span id="161">161</span> |
| <span id="162">162</span> |
| <span id="163">163</span> |
| <span id="164">164</span> |
| <span id="165">165</span> |
| <span id="166">166</span> |
| <span id="167">167</span> |
| <span id="168">168</span> |
| <span id="169">169</span> |
| <span id="170">170</span> |
| <span id="171">171</span> |
| <span id="172">172</span> |
| <span id="173">173</span> |
| <span id="174">174</span> |
| <span id="175">175</span> |
| <span id="176">176</span> |
| <span id="177">177</span> |
| <span id="178">178</span> |
| <span id="179">179</span> |
| <span id="180">180</span> |
| <span id="181">181</span> |
| <span id="182">182</span> |
| <span id="183">183</span> |
| <span id="184">184</span> |
| <span id="185">185</span> |
| <span id="186">186</span> |
| <span id="187">187</span> |
| <span id="188">188</span> |
| <span id="189">189</span> |
| <span id="190">190</span> |
| <span id="191">191</span> |
| <span id="192">192</span> |
| <span id="193">193</span> |
| <span id="194">194</span> |
| <span id="195">195</span> |
| <span id="196">196</span> |
| <span id="197">197</span> |
| <span id="198">198</span> |
| <span id="199">199</span> |
| <span id="200">200</span> |
| <span id="201">201</span> |
| <span id="202">202</span> |
| <span id="203">203</span> |
| <span id="204">204</span> |
| <span id="205">205</span> |
| <span id="206">206</span> |
| <span id="207">207</span> |
| <span id="208">208</span> |
| <span id="209">209</span> |
| <span id="210">210</span> |
| <span id="211">211</span> |
| <span id="212">212</span> |
| <span id="213">213</span> |
| <span id="214">214</span> |
| <span id="215">215</span> |
| <span id="216">216</span> |
| <span id="217">217</span> |
| <span id="218">218</span> |
| <span id="219">219</span> |
| <span id="220">220</span> |
| <span id="221">221</span> |
| <span id="222">222</span> |
| <span id="223">223</span> |
| <span id="224">224</span> |
| <span id="225">225</span> |
| <span id="226">226</span> |
| <span id="227">227</span> |
| <span id="228">228</span> |
| <span id="229">229</span> |
| <span id="230">230</span> |
| <span id="231">231</span> |
| <span id="232">232</span> |
| <span id="233">233</span> |
| <span id="234">234</span> |
| <span id="235">235</span> |
| <span id="236">236</span> |
| <span id="237">237</span> |
| <span id="238">238</span> |
| <span id="239">239</span> |
| <span id="240">240</span> |
| <span id="241">241</span> |
| <span id="242">242</span> |
| <span id="243">243</span> |
| <span id="244">244</span> |
| <span id="245">245</span> |
| <span id="246">246</span> |
| <span id="247">247</span> |
| <span id="248">248</span> |
| <span id="249">249</span> |
| <span id="250">250</span> |
| <span id="251">251</span> |
| <span id="252">252</span> |
| <span id="253">253</span> |
| <span id="254">254</span> |
| <span id="255">255</span> |
| <span id="256">256</span> |
| <span id="257">257</span> |
| <span id="258">258</span> |
| <span id="259">259</span> |
| <span id="260">260</span> |
| <span id="261">261</span> |
| <span id="262">262</span> |
| <span id="263">263</span> |
| <span id="264">264</span> |
| <span id="265">265</span> |
| <span id="266">266</span> |
| <span id="267">267</span> |
| <span id="268">268</span> |
| <span id="269">269</span> |
| <span id="270">270</span> |
| <span id="271">271</span> |
| <span id="272">272</span> |
| <span id="273">273</span> |
| <span id="274">274</span> |
| <span id="275">275</span> |
| <span id="276">276</span> |
| <span id="277">277</span> |
| <span id="278">278</span> |
| <span id="279">279</span> |
| <span id="280">280</span> |
| <span id="281">281</span> |
| <span id="282">282</span> |
| <span id="283">283</span> |
| <span id="284">284</span> |
| <span id="285">285</span> |
| <span id="286">286</span> |
| <span id="287">287</span> |
| <span id="288">288</span> |
| <span id="289">289</span> |
| <span id="290">290</span> |
| <span id="291">291</span> |
| <span id="292">292</span> |
| <span id="293">293</span> |
| <span id="294">294</span> |
| <span id="295">295</span> |
| <span id="296">296</span> |
| <span id="297">297</span> |
| <span id="298">298</span> |
| <span id="299">299</span> |
| <span id="300">300</span> |
| <span id="301">301</span> |
| <span id="302">302</span> |
| <span id="303">303</span> |
| <span id="304">304</span> |
| <span id="305">305</span> |
| <span id="306">306</span> |
| <span id="307">307</span> |
| <span id="308">308</span> |
| <span id="309">309</span> |
| <span id="310">310</span> |
| <span id="311">311</span> |
| <span id="312">312</span> |
| <span id="313">313</span> |
| <span id="314">314</span> |
| <span id="315">315</span> |
| <span id="316">316</span> |
| <span id="317">317</span> |
| <span id="318">318</span> |
| <span id="319">319</span> |
| <span id="320">320</span> |
| <span id="321">321</span> |
| <span id="322">322</span> |
| <span id="323">323</span> |
| <span id="324">324</span> |
| <span id="325">325</span> |
| <span id="326">326</span> |
| <span id="327">327</span> |
| <span id="328">328</span> |
| <span id="329">329</span> |
| <span id="330">330</span> |
| <span id="331">331</span> |
| <span id="332">332</span> |
| <span id="333">333</span> |
| <span id="334">334</span> |
| <span id="335">335</span> |
| <span id="336">336</span> |
| <span id="337">337</span> |
| <span id="338">338</span> |
| <span id="339">339</span> |
| <span id="340">340</span> |
| <span id="341">341</span> |
| <span id="342">342</span> |
| <span id="343">343</span> |
| <span id="344">344</span> |
| <span id="345">345</span> |
| <span id="346">346</span> |
| <span id="347">347</span> |
| <span id="348">348</span> |
| <span id="349">349</span> |
| <span id="350">350</span> |
| <span id="351">351</span> |
| <span id="352">352</span> |
| <span id="353">353</span> |
| <span id="354">354</span> |
| <span id="355">355</span> |
| <span id="356">356</span> |
| <span id="357">357</span> |
| <span id="358">358</span> |
| <span id="359">359</span> |
| <span id="360">360</span> |
| <span id="361">361</span> |
| <span id="362">362</span> |
| <span id="363">363</span> |
| <span id="364">364</span> |
| <span id="365">365</span> |
| <span id="366">366</span> |
| <span id="367">367</span> |
| <span id="368">368</span> |
| <span id="369">369</span> |
| <span id="370">370</span> |
| <span id="371">371</span> |
| <span id="372">372</span> |
| <span id="373">373</span> |
| <span id="374">374</span> |
| <span id="375">375</span> |
| <span id="376">376</span> |
| <span id="377">377</span> |
| <span id="378">378</span> |
| <span id="379">379</span> |
| <span id="380">380</span> |
| <span id="381">381</span> |
| <span id="382">382</span> |
| <span id="383">383</span> |
| <span id="384">384</span> |
| <span id="385">385</span> |
| <span id="386">386</span> |
| <span id="387">387</span> |
| <span id="388">388</span> |
| <span id="389">389</span> |
| <span id="390">390</span> |
| <span id="391">391</span> |
| <span id="392">392</span> |
| <span id="393">393</span> |
| <span id="394">394</span> |
| <span id="395">395</span> |
| <span id="396">396</span> |
| <span id="397">397</span> |
| <span id="398">398</span> |
| <span id="399">399</span> |
| <span id="400">400</span> |
| <span id="401">401</span> |
| <span id="402">402</span> |
| <span id="403">403</span> |
| <span id="404">404</span> |
| <span id="405">405</span> |
| <span id="406">406</span> |
| <span id="407">407</span> |
| <span id="408">408</span> |
| <span id="409">409</span> |
| <span id="410">410</span> |
| <span id="411">411</span> |
| <span id="412">412</span> |
| <span id="413">413</span> |
| <span id="414">414</span> |
| <span id="415">415</span> |
| <span id="416">416</span> |
| <span id="417">417</span> |
| <span id="418">418</span> |
| <span id="419">419</span> |
| <span id="420">420</span> |
| <span id="421">421</span> |
| <span id="422">422</span> |
| <span id="423">423</span> |
| <span id="424">424</span> |
| <span id="425">425</span> |
| <span id="426">426</span> |
| <span id="427">427</span> |
| <span id="428">428</span> |
| <span id="429">429</span> |
| <span id="430">430</span> |
| <span id="431">431</span> |
| <span id="432">432</span> |
| <span id="433">433</span> |
| <span id="434">434</span> |
| <span id="435">435</span> |
| <span id="436">436</span> |
| <span id="437">437</span> |
| <span id="438">438</span> |
| <span id="439">439</span> |
| <span id="440">440</span> |
| <span id="441">441</span> |
| <span id="442">442</span> |
| <span id="443">443</span> |
| <span id="444">444</span> |
| <span id="445">445</span> |
| <span id="446">446</span> |
| <span id="447">447</span> |
| <span id="448">448</span> |
| <span id="449">449</span> |
| <span id="450">450</span> |
| <span id="451">451</span> |
| <span id="452">452</span> |
| <span id="453">453</span> |
| <span id="454">454</span> |
| <span id="455">455</span> |
| <span id="456">456</span> |
| <span id="457">457</span> |
| <span id="458">458</span> |
| <span id="459">459</span> |
| <span id="460">460</span> |
| <span id="461">461</span> |
| <span id="462">462</span> |
| <span id="463">463</span> |
| <span id="464">464</span> |
| <span id="465">465</span> |
| <span id="466">466</span> |
| <span id="467">467</span> |
| <span id="468">468</span> |
| <span id="469">469</span> |
| <span id="470">470</span> |
| <span id="471">471</span> |
| <span id="472">472</span> |
| <span id="473">473</span> |
| <span id="474">474</span> |
| <span id="475">475</span> |
| <span id="476">476</span> |
| <span id="477">477</span> |
| <span id="478">478</span> |
| <span id="479">479</span> |
| <span id="480">480</span> |
| <span id="481">481</span> |
| <span id="482">482</span> |
| <span id="483">483</span> |
| <span id="484">484</span> |
| <span id="485">485</span> |
| <span id="486">486</span> |
| <span id="487">487</span> |
| <span id="488">488</span> |
| <span id="489">489</span> |
| <span id="490">490</span> |
| <span id="491">491</span> |
| <span id="492">492</span> |
| <span id="493">493</span> |
| <span id="494">494</span> |
| <span id="495">495</span> |
| <span id="496">496</span> |
| <span id="497">497</span> |
| <span id="498">498</span> |
| <span id="499">499</span> |
| <span id="500">500</span> |
| <span id="501">501</span> |
| <span id="502">502</span> |
| <span id="503">503</span> |
| <span id="504">504</span> |
| <span id="505">505</span> |
| <span id="506">506</span> |
| <span id="507">507</span> |
| <span id="508">508</span> |
| <span id="509">509</span> |
| <span id="510">510</span> |
| <span id="511">511</span> |
| <span id="512">512</span> |
| <span id="513">513</span> |
| <span id="514">514</span> |
| <span id="515">515</span> |
| <span id="516">516</span> |
| <span id="517">517</span> |
| <span id="518">518</span> |
| <span id="519">519</span> |
| <span id="520">520</span> |
| <span id="521">521</span> |
| <span id="522">522</span> |
| <span id="523">523</span> |
| <span id="524">524</span> |
| <span id="525">525</span> |
| <span id="526">526</span> |
| <span id="527">527</span> |
| <span id="528">528</span> |
| <span id="529">529</span> |
| <span id="530">530</span> |
| <span id="531">531</span> |
| <span id="532">532</span> |
| <span id="533">533</span> |
| <span id="534">534</span> |
| <span id="535">535</span> |
| <span id="536">536</span> |
| <span id="537">537</span> |
| <span id="538">538</span> |
| <span id="539">539</span> |
| <span id="540">540</span> |
| <span id="541">541</span> |
| <span id="542">542</span> |
| <span id="543">543</span> |
| <span id="544">544</span> |
| <span id="545">545</span> |
| <span id="546">546</span> |
| <span id="547">547</span> |
| <span id="548">548</span> |
| <span id="549">549</span> |
| <span id="550">550</span> |
| <span id="551">551</span> |
| <span id="552">552</span> |
| <span id="553">553</span> |
| <span id="554">554</span> |
| <span id="555">555</span> |
| <span id="556">556</span> |
| <span id="557">557</span> |
| <span id="558">558</span> |
| <span id="559">559</span> |
| <span id="560">560</span> |
| <span id="561">561</span> |
| <span id="562">562</span> |
| <span id="563">563</span> |
| <span id="564">564</span> |
| <span id="565">565</span> |
| <span id="566">566</span> |
| <span id="567">567</span> |
| <span id="568">568</span> |
| <span id="569">569</span> |
| <span id="570">570</span> |
| <span id="571">571</span> |
| <span id="572">572</span> |
| <span id="573">573</span> |
| <span id="574">574</span> |
| <span id="575">575</span> |
| <span id="576">576</span> |
| <span id="577">577</span> |
| <span id="578">578</span> |
| <span id="579">579</span> |
| <span id="580">580</span> |
| <span id="581">581</span> |
| <span id="582">582</span> |
| <span id="583">583</span> |
| <span id="584">584</span> |
| <span id="585">585</span> |
| <span id="586">586</span> |
| <span id="587">587</span> |
| <span id="588">588</span> |
| <span id="589">589</span> |
| <span id="590">590</span> |
| <span id="591">591</span> |
| <span id="592">592</span> |
| <span id="593">593</span> |
| <span id="594">594</span> |
| <span id="595">595</span> |
| <span id="596">596</span> |
| <span id="597">597</span> |
| <span id="598">598</span> |
| <span id="599">599</span> |
| <span id="600">600</span> |
| <span id="601">601</span> |
| <span id="602">602</span> |
| <span id="603">603</span> |
| <span id="604">604</span> |
| <span id="605">605</span> |
| <span id="606">606</span> |
| <span id="607">607</span> |
| <span id="608">608</span> |
| <span id="609">609</span> |
| <span id="610">610</span> |
| <span id="611">611</span> |
| <span id="612">612</span> |
| <span id="613">613</span> |
| <span id="614">614</span> |
| <span id="615">615</span> |
| <span id="616">616</span> |
| <span id="617">617</span> |
| <span id="618">618</span> |
| <span id="619">619</span> |
| <span id="620">620</span> |
| <span id="621">621</span> |
| <span id="622">622</span> |
| <span id="623">623</span> |
| <span id="624">624</span> |
| <span id="625">625</span> |
| <span id="626">626</span> |
| <span id="627">627</span> |
| <span id="628">628</span> |
| <span id="629">629</span> |
| <span id="630">630</span> |
| <span id="631">631</span> |
| <span id="632">632</span> |
| <span id="633">633</span> |
| <span id="634">634</span> |
| <span id="635">635</span> |
| <span id="636">636</span> |
| <span id="637">637</span> |
| <span id="638">638</span> |
| <span id="639">639</span> |
| <span id="640">640</span> |
| <span id="641">641</span> |
| <span id="642">642</span> |
| <span id="643">643</span> |
| <span id="644">644</span> |
| <span id="645">645</span> |
| <span id="646">646</span> |
| <span id="647">647</span> |
| <span id="648">648</span> |
| <span id="649">649</span> |
| <span id="650">650</span> |
| <span id="651">651</span> |
| <span id="652">652</span> |
| <span id="653">653</span> |
| <span id="654">654</span> |
| <span id="655">655</span> |
| <span id="656">656</span> |
| <span id="657">657</span> |
| <span id="658">658</span> |
| <span id="659">659</span> |
| <span id="660">660</span> |
| <span id="661">661</span> |
| <span id="662">662</span> |
| <span id="663">663</span> |
| <span id="664">664</span> |
| <span id="665">665</span> |
| <span id="666">666</span> |
| <span id="667">667</span> |
| <span id="668">668</span> |
| <span id="669">669</span> |
| <span id="670">670</span> |
| <span id="671">671</span> |
| <span id="672">672</span> |
| <span id="673">673</span> |
| <span id="674">674</span> |
| <span id="675">675</span> |
| <span id="676">676</span> |
| <span id="677">677</span> |
| <span id="678">678</span> |
| <span id="679">679</span> |
| <span id="680">680</span> |
| <span id="681">681</span> |
| <span id="682">682</span> |
| <span id="683">683</span> |
| <span id="684">684</span> |
| <span id="685">685</span> |
| <span id="686">686</span> |
| <span id="687">687</span> |
| <span id="688">688</span> |
| <span id="689">689</span> |
| <span id="690">690</span> |
| <span id="691">691</span> |
| <span id="692">692</span> |
| <span id="693">693</span> |
| <span id="694">694</span> |
| <span id="695">695</span> |
| <span id="696">696</span> |
| <span id="697">697</span> |
| <span id="698">698</span> |
| <span id="699">699</span> |
| <span id="700">700</span> |
| <span id="701">701</span> |
| <span id="702">702</span> |
| <span id="703">703</span> |
| <span id="704">704</span> |
| <span id="705">705</span> |
| <span id="706">706</span> |
| <span id="707">707</span> |
| <span id="708">708</span> |
| <span id="709">709</span> |
| <span id="710">710</span> |
| <span id="711">711</span> |
| <span id="712">712</span> |
| <span id="713">713</span> |
| <span id="714">714</span> |
| <span id="715">715</span> |
| <span id="716">716</span> |
| <span id="717">717</span> |
| <span id="718">718</span> |
| <span id="719">719</span> |
| <span id="720">720</span> |
| <span id="721">721</span> |
| <span id="722">722</span> |
| <span id="723">723</span> |
| <span id="724">724</span> |
| <span id="725">725</span> |
| <span id="726">726</span> |
| <span id="727">727</span> |
| <span id="728">728</span> |
| <span id="729">729</span> |
| <span id="730">730</span> |
| <span id="731">731</span> |
| <span id="732">732</span> |
| <span id="733">733</span> |
| <span id="734">734</span> |
| <span id="735">735</span> |
| <span id="736">736</span> |
| <span id="737">737</span> |
| <span id="738">738</span> |
| <span id="739">739</span> |
| <span id="740">740</span> |
| <span id="741">741</span> |
| <span id="742">742</span> |
| <span id="743">743</span> |
| <span id="744">744</span> |
| <span id="745">745</span> |
| <span id="746">746</span> |
| <span id="747">747</span> |
| <span id="748">748</span> |
| <span id="749">749</span> |
| <span id="750">750</span> |
| <span id="751">751</span> |
| <span id="752">752</span> |
| <span id="753">753</span> |
| <span id="754">754</span> |
| </pre><pre class="rust"><code><span class="kw">use </span><span class="kw">crate</span>::error::TLSError; |
| <span class="kw">use </span><span class="kw">crate</span>::key; |
| <span class="kw">use </span><span class="kw">crate</span>::keylog::{KeyLog, NoKeyLog}; |
| <span class="attribute">#[cfg(feature = <span class="string">"logging"</span>)] |
| </span><span class="kw">use </span><span class="kw">crate</span>::log::trace; |
| <span class="kw">use </span><span class="kw">crate</span>::msgs::enums::ContentType; |
| <span class="kw">use </span><span class="kw">crate</span>::msgs::enums::SignatureScheme; |
| <span class="kw">use </span><span class="kw">crate</span>::msgs::enums::{AlertDescription, HandshakeType, ProtocolVersion}; |
| <span class="kw">use </span><span class="kw">crate</span>::msgs::handshake::ServerExtension; |
| <span class="kw">use </span><span class="kw">crate</span>::msgs::message::Message; |
| <span class="kw">use </span><span class="kw">crate</span>::session::{MiddleboxCCS, Session, SessionCommon}; |
| <span class="kw">use </span><span class="kw">crate</span>::sign; |
| <span class="kw">use </span><span class="kw">crate</span>::suites::{SupportedCipherSuite, ALL_CIPHERSUITES}; |
| <span class="kw">use </span><span class="kw">crate</span>::verify; |
| |
| <span class="kw">use </span>webpki; |
| |
| <span class="kw">use </span>std::fmt; |
| <span class="kw">use </span>std::io::{<span class="self">self</span>, IoSlice}; |
| <span class="kw">use </span>std::sync::Arc; |
| |
| <span class="attribute">#[macro_use] |
| </span><span class="kw">mod </span>hs; |
| <span class="kw">mod </span>common; |
| <span class="kw">pub mod </span>handy; |
| <span class="kw">mod </span>tls12; |
| <span class="kw">mod </span>tls13; |
| |
| <span class="doccomment">/// A trait for the ability to store server session data. |
| /// |
| /// The keys and values are opaque. |
| /// |
| /// Both the keys and values should be treated as |
| /// **highly sensitive data**, containing enough key material |
| /// to break all security of the corresponding sessions. |
| /// |
| /// Implementations can be lossy (in other words, forgetting |
| /// key/value pairs) without any negative security consequences. |
| /// |
| /// However, note that `take` **must** reliably delete a returned |
| /// value. If it does not, there may be security consequences. |
| /// |
| /// `put` and `take` are mutating operations; this isn't expressed |
| /// in the type system to allow implementations freedom in |
| /// how to achieve interior mutability. `Mutex` is a common |
| /// choice. |
| </span><span class="kw">pub trait </span>StoresServerSessions: Send + Sync { |
| <span class="doccomment">/// Store session secrets encoded in `value` against `key`, |
| /// overwrites any existing value against `key`. Returns `true` |
| /// if the value was stored. |
| </span><span class="kw">fn </span>put(<span class="kw-2">&</span><span class="self">self</span>, key: Vec<u8>, value: Vec<u8>) -> bool; |
| |
| <span class="doccomment">/// Find a value with the given `key`. Return it, or None |
| /// if it doesn't exist. |
| </span><span class="kw">fn </span>get(<span class="kw-2">&</span><span class="self">self</span>, key: <span class="kw-2">&</span>[u8]) -> <span class="prelude-ty">Option</span><Vec<u8>>; |
| |
| <span class="doccomment">/// Find a value with the given `key`. Return it and delete it; |
| /// or None if it doesn't exist. |
| </span><span class="kw">fn </span>take(<span class="kw-2">&</span><span class="self">self</span>, key: <span class="kw-2">&</span>[u8]) -> <span class="prelude-ty">Option</span><Vec<u8>>; |
| } |
| |
| <span class="doccomment">/// A trait for the ability to encrypt and decrypt tickets. |
| </span><span class="kw">pub trait </span>ProducesTickets: Send + Sync { |
| <span class="doccomment">/// Returns true if this implementation will encrypt/decrypt |
| /// tickets. Should return false if this is a dummy |
| /// implementation: the server will not send the SessionTicket |
| /// extension and will not call the other functions. |
| </span><span class="kw">fn </span>enabled(<span class="kw-2">&</span><span class="self">self</span>) -> bool; |
| |
| <span class="doccomment">/// Returns the lifetime in seconds of tickets produced now. |
| /// The lifetime is provided as a hint to clients that the |
| /// ticket will not be useful after the given time. |
| /// |
| /// This lifetime must be implemented by key rolling and |
| /// erasure, *not* by storing a lifetime in the ticket. |
| /// |
| /// The objective is to limit damage to forward secrecy caused |
| /// by tickets, not just limiting their lifetime. |
| </span><span class="kw">fn </span>get_lifetime(<span class="kw-2">&</span><span class="self">self</span>) -> u32; |
| |
| <span class="doccomment">/// Encrypt and authenticate `plain`, returning the resulting |
| /// ticket. Return None if `plain` cannot be encrypted for |
| /// some reason: an empty ticket will be sent and the connection |
| /// will continue. |
| </span><span class="kw">fn </span>encrypt(<span class="kw-2">&</span><span class="self">self</span>, plain: <span class="kw-2">&</span>[u8]) -> <span class="prelude-ty">Option</span><Vec<u8>>; |
| |
| <span class="doccomment">/// Decrypt `cipher`, validating its authenticity protection |
| /// and recovering the plaintext. `cipher` is fully attacker |
| /// controlled, so this decryption must be side-channel free, |
| /// panic-proof, and otherwise bullet-proof. If the decryption |
| /// fails, return None. |
| </span><span class="kw">fn </span>decrypt(<span class="kw-2">&</span><span class="self">self</span>, cipher: <span class="kw-2">&</span>[u8]) -> <span class="prelude-ty">Option</span><Vec<u8>>; |
| } |
| |
| <span class="doccomment">/// How to choose a certificate chain and signing key for use |
| /// in server authentication. |
| </span><span class="kw">pub trait </span>ResolvesServerCert: Send + Sync { |
| <span class="doccomment">/// Choose a certificate chain and matching key given simplified |
| /// ClientHello information. |
| /// |
| /// Return `None` to abort the handshake. |
| </span><span class="kw">fn </span>resolve(<span class="kw-2">&</span><span class="self">self</span>, client_hello: ClientHello) -> <span class="prelude-ty">Option</span><sign::CertifiedKey>; |
| } |
| |
| <span class="doccomment">/// A struct representing the received Client Hello |
| </span><span class="kw">pub struct </span>ClientHello<<span class="lifetime">'a</span>> { |
| server_name: <span class="prelude-ty">Option</span><webpki::DNSNameRef<<span class="lifetime">'a</span>>>, |
| sigschemes: <span class="kw-2">&</span><span class="lifetime">'a </span>[SignatureScheme], |
| alpn: <span class="prelude-ty">Option</span><<span class="kw-2">&</span><span class="lifetime">'a </span>[<span class="kw-2">&</span><span class="lifetime">'a </span>[u8]]>, |
| } |
| |
| <span class="kw">impl</span><<span class="lifetime">'a</span>> ClientHello<<span class="lifetime">'a</span>> { |
| <span class="doccomment">/// Creates a new ClientHello |
| </span><span class="kw">fn </span>new( |
| server_name: <span class="prelude-ty">Option</span><webpki::DNSNameRef<<span class="lifetime">'a</span>>>, |
| sigschemes: <span class="kw-2">&</span><span class="lifetime">'a </span>[SignatureScheme], |
| alpn: <span class="prelude-ty">Option</span><<span class="kw-2">&</span><span class="lifetime">'a </span>[<span class="kw-2">&</span><span class="lifetime">'a </span>[u8]]>, |
| ) -> <span class="self">Self </span>{ |
| ClientHello { |
| server_name, |
| sigschemes, |
| alpn, |
| } |
| } |
| |
| <span class="doccomment">/// Get the server name indicator. |
| /// |
| /// Returns `None` if the client did not supply a SNI. |
| </span><span class="kw">pub fn </span>server_name(<span class="kw-2">&</span><span class="self">self</span>) -> <span class="prelude-ty">Option</span><webpki::DNSNameRef> { |
| <span class="self">self</span>.server_name |
| } |
| |
| <span class="doccomment">/// Get the compatible signature schemes. |
| /// |
| /// Returns standard-specified default if the client omitted this extension. |
| </span><span class="kw">pub fn </span>sigschemes(<span class="kw-2">&</span><span class="self">self</span>) -> <span class="kw-2">&</span>[SignatureScheme] { |
| <span class="self">self</span>.sigschemes |
| } |
| |
| <span class="doccomment">/// Get the alpn. |
| /// |
| /// Returns `None` if the client did not include an ALPN extension |
| </span><span class="kw">pub fn </span>alpn(<span class="kw-2">&</span><span class="self">self</span>) -> <span class="prelude-ty">Option</span><<span class="kw-2">&</span><span class="lifetime">'a </span>[<span class="kw-2">&</span><span class="lifetime">'a </span>[u8]]> { |
| <span class="self">self</span>.alpn |
| } |
| } |
| |
| <span class="doccomment">/// Common configuration for a set of server sessions. |
| /// |
| /// Making one of these can be expensive, and should be |
| /// once per process rather than once per connection. |
| </span><span class="attribute">#[derive(Clone)] |
| </span><span class="kw">pub struct </span>ServerConfig { |
| <span class="doccomment">/// List of ciphersuites, in preference order. |
| </span><span class="kw">pub </span>ciphersuites: Vec<<span class="kw-2">&</span><span class="lifetime">'static </span>SupportedCipherSuite>, |
| |
| <span class="doccomment">/// Ignore the client's ciphersuite order. Instead, |
| /// choose the top ciphersuite in the server list |
| /// which is supported by the client. |
| </span><span class="kw">pub </span>ignore_client_order: bool, |
| |
| <span class="doccomment">/// Our MTU. If None, we don't limit TLS message sizes. |
| </span><span class="kw">pub </span>mtu: <span class="prelude-ty">Option</span><usize>, |
| |
| <span class="doccomment">/// How to store client sessions. |
| </span><span class="kw">pub </span>session_storage: Arc<<span class="kw">dyn </span>StoresServerSessions + Send + Sync>, |
| |
| <span class="doccomment">/// How to produce tickets. |
| </span><span class="kw">pub </span>ticketer: Arc<<span class="kw">dyn </span>ProducesTickets>, |
| |
| <span class="doccomment">/// How to choose a server cert and key. |
| </span><span class="kw">pub </span>cert_resolver: Arc<<span class="kw">dyn </span>ResolvesServerCert>, |
| |
| <span class="doccomment">/// Protocol names we support, most preferred first. |
| /// If empty we don't do ALPN at all. |
| </span><span class="kw">pub </span>alpn_protocols: Vec<Vec<u8>>, |
| |
| <span class="doccomment">/// Supported protocol versions, in no particular order. |
| /// The default is all supported versions. |
| </span><span class="kw">pub </span>versions: Vec<ProtocolVersion>, |
| |
| <span class="doccomment">/// How to verify client certificates. |
| </span>verifier: Arc<<span class="kw">dyn </span>verify::ClientCertVerifier>, |
| |
| <span class="doccomment">/// How to output key material for debugging. The default |
| /// does nothing. |
| </span><span class="kw">pub </span>key_log: Arc<<span class="kw">dyn </span>KeyLog>, |
| |
| <span class="doccomment">/// Amount of early data to accept; 0 to disable. |
| </span><span class="attribute">#[cfg(feature = <span class="string">"quic"</span>)] </span><span class="comment">// TLS support unimplemented |
| </span><span class="attribute">#[doc(hidden)] |
| </span><span class="kw">pub </span>max_early_data_size: u32, |
| } |
| |
| <span class="kw">impl </span>ServerConfig { |
| <span class="doccomment">/// Make a `ServerConfig` with a default set of ciphersuites, |
| /// no keys/certificates, and no ALPN protocols. Session resumption |
| /// is enabled by storing up to 256 recent sessions in memory. Tickets are |
| /// disabled. |
| /// |
| /// Publicly-available web servers on the internet generally don't do client |
| /// authentication; for this use case, `client_cert_verifier` should be a |
| /// `NoClientAuth`. Otherwise, use `AllowAnyAuthenticatedClient` or another |
| /// implementation to enforce client authentication. |
| /// |
| /// We don't provide a default for `client_cert_verifier` because the safest |
| /// default, requiring client authentication, requires additional |
| /// configuration that we cannot provide reasonable defaults for. |
| </span><span class="kw">pub fn </span>new(client_cert_verifier: Arc<<span class="kw">dyn </span>verify::ClientCertVerifier>) -> ServerConfig { |
| ServerConfig::with_ciphersuites(client_cert_verifier, <span class="kw-2">&</span>ALL_CIPHERSUITES) |
| } |
| |
| <span class="doccomment">/// Make a `ServerConfig` with a custom set of ciphersuites, |
| /// no keys/certificates, and no ALPN protocols. Session resumption |
| /// is enabled by storing up to 256 recent sessions in memory. Tickets are |
| /// disabled. |
| /// |
| /// Publicly-available web servers on the internet generally don't do client |
| /// authentication; for this use case, `client_cert_verifier` should be a |
| /// `NoClientAuth`. Otherwise, use `AllowAnyAuthenticatedClient` or another |
| /// implementation to enforce client authentication. |
| /// |
| /// We don't provide a default for `client_cert_verifier` because the safest |
| /// default, requiring client authentication, requires additional |
| /// configuration that we cannot provide reasonable defaults for. |
| </span><span class="kw">pub fn </span>with_ciphersuites( |
| client_cert_verifier: Arc<<span class="kw">dyn </span>verify::ClientCertVerifier>, |
| ciphersuites: <span class="kw-2">&</span>[<span class="kw-2">&</span><span class="lifetime">'static </span>SupportedCipherSuite], |
| ) -> ServerConfig { |
| ServerConfig { |
| ciphersuites: ciphersuites.to_vec(), |
| ignore_client_order: <span class="bool-val">false</span>, |
| mtu: <span class="prelude-val">None</span>, |
| session_storage: handy::ServerSessionMemoryCache::new(<span class="number">256</span>), |
| ticketer: Arc::new(handy::NeverProducesTickets {}), |
| alpn_protocols: Vec::new(), |
| cert_resolver: Arc::new(handy::FailResolveChain {}), |
| versions: <span class="macro">vec!</span>[ProtocolVersion::TLSv1_3, ProtocolVersion::TLSv1_2], |
| verifier: client_cert_verifier, |
| key_log: Arc::new(NoKeyLog {}), |
| <span class="attribute">#[cfg(feature = <span class="string">"quic"</span>)] |
| </span>max_early_data_size: <span class="number">0</span>, |
| } |
| } |
| |
| <span class="attribute">#[doc(hidden)] |
| </span><span class="doccomment">/// We support a given TLS version if it's quoted in the configured |
| /// versions *and* at least one ciphersuite for this version is |
| /// also configured. |
| </span><span class="kw">pub fn </span>supports_version(<span class="kw-2">&</span><span class="self">self</span>, v: ProtocolVersion) -> bool { |
| <span class="self">self</span>.versions.contains(<span class="kw-2">&</span>v) |
| && <span class="self">self |
| </span>.ciphersuites |
| .iter() |
| .any(|cs| cs.usable_for_version(v)) |
| } |
| |
| <span class="attribute">#[doc(hidden)] |
| </span><span class="kw">pub fn </span>get_verifier(<span class="kw-2">&</span><span class="self">self</span>) -> <span class="kw-2">&</span><span class="kw">dyn </span>verify::ClientCertVerifier { |
| <span class="self">self</span>.verifier.as_ref() |
| } |
| |
| <span class="doccomment">/// Sets the session persistence layer to `persist`. |
| </span><span class="kw">pub fn </span>set_persistence(<span class="kw-2">&mut </span><span class="self">self</span>, persist: Arc<<span class="kw">dyn </span>StoresServerSessions + Send + Sync>) { |
| <span class="self">self</span>.session_storage = persist; |
| } |
| |
| <span class="doccomment">/// Sets a single certificate chain and matching private key. This |
| /// certificate and key is used for all subsequent connections, |
| /// irrespective of things like SNI hostname. |
| /// |
| /// Note that the end-entity certificate must have the |
| /// [Subject Alternative Name](https://tools.ietf.org/html/rfc6125#section-4.1) |
| /// extension to describe, e.g., the valid DNS name. The `commonName` field is |
| /// disregarded. |
| /// |
| /// `cert_chain` is a vector of DER-encoded certificates. |
| /// `key_der` is a DER-encoded RSA, ECDSA, or Ed25519 private key. |
| /// |
| /// This function fails if `key_der` is invalid. |
| </span><span class="kw">pub fn </span>set_single_cert( |
| <span class="kw-2">&mut </span><span class="self">self</span>, |
| cert_chain: Vec<key::Certificate>, |
| key_der: key::PrivateKey, |
| ) -> <span class="prelude-ty">Result</span><(), TLSError> { |
| <span class="kw">let </span>resolver = handy::AlwaysResolvesChain::new(cert_chain, <span class="kw-2">&</span>key_der)<span class="question-mark">?</span>; |
| <span class="self">self</span>.cert_resolver = Arc::new(resolver); |
| <span class="prelude-val">Ok</span>(()) |
| } |
| |
| <span class="doccomment">/// Sets a single certificate chain, matching private key and OCSP |
| /// response. This certificate and key is used for all subsequent |
| /// connections, irrespective of things like SNI hostname. |
| /// |
| /// `cert_chain` is a vector of DER-encoded certificates. |
| /// `key_der` is a DER-encoded RSA, ECDSA, or Ed25519 private key. |
| /// `ocsp` is a DER-encoded OCSP response. Ignored if zero length. |
| /// `scts` is an `SignedCertificateTimestampList` encoding (see RFC6962) |
| /// and is ignored if empty. |
| /// |
| /// This function fails if `key_der` is invalid. |
| </span><span class="kw">pub fn </span>set_single_cert_with_ocsp_and_sct( |
| <span class="kw-2">&mut </span><span class="self">self</span>, |
| cert_chain: Vec<key::Certificate>, |
| key_der: key::PrivateKey, |
| ocsp: Vec<u8>, |
| scts: Vec<u8>, |
| ) -> <span class="prelude-ty">Result</span><(), TLSError> { |
| <span class="kw">let </span>resolver = |
| handy::AlwaysResolvesChain::new_with_extras(cert_chain, <span class="kw-2">&</span>key_der, ocsp, scts)<span class="question-mark">?</span>; |
| <span class="self">self</span>.cert_resolver = Arc::new(resolver); |
| <span class="prelude-val">Ok</span>(()) |
| } |
| |
| <span class="doccomment">/// Set the ALPN protocol list to the given protocol names. |
| /// Overwrites any existing configured protocols. |
| /// |
| /// The first element in the `protocols` list is the most |
| /// preferred, the last is the least preferred. |
| </span><span class="kw">pub fn </span>set_protocols(<span class="kw-2">&mut </span><span class="self">self</span>, protocols: <span class="kw-2">&</span>[Vec<u8>]) { |
| <span class="self">self</span>.alpn_protocols.clear(); |
| <span class="self">self</span>.alpn_protocols |
| .extend_from_slice(protocols); |
| } |
| |
| <span class="doccomment">/// Overrides the default `ClientCertVerifier` with something else. |
| </span><span class="kw">pub fn </span>set_client_certificate_verifier( |
| <span class="kw-2">&mut </span><span class="self">self</span>, |
| verifier: Arc<<span class="kw">dyn </span>verify::ClientCertVerifier>, |
| ) { |
| <span class="self">self</span>.verifier = verifier; |
| } |
| } |
| |
| <span class="kw">pub struct </span>ServerSessionImpl { |
| <span class="kw">pub </span>config: Arc<ServerConfig>, |
| <span class="kw">pub </span>common: SessionCommon, |
| sni: <span class="prelude-ty">Option</span><webpki::DNSName>, |
| <span class="kw">pub </span>alpn_protocol: <span class="prelude-ty">Option</span><Vec<u8>>, |
| <span class="kw">pub </span>quic_params: <span class="prelude-ty">Option</span><Vec<u8>>, |
| <span class="kw">pub </span>received_resumption_data: <span class="prelude-ty">Option</span><Vec<u8>>, |
| <span class="kw">pub </span>resumption_data: Vec<u8>, |
| <span class="kw">pub </span>error: <span class="prelude-ty">Option</span><TLSError>, |
| <span class="kw">pub </span>state: <span class="prelude-ty">Option</span><Box<<span class="kw">dyn </span>hs::State + Send + Sync>>, |
| <span class="kw">pub </span>client_cert_chain: <span class="prelude-ty">Option</span><Vec<key::Certificate>>, |
| <span class="doccomment">/// Whether to reject early data even if it would otherwise be accepted |
| </span><span class="kw">pub </span>reject_early_data: bool, |
| } |
| |
| <span class="kw">impl </span>fmt::Debug <span class="kw">for </span>ServerSessionImpl { |
| <span class="kw">fn </span>fmt(<span class="kw-2">&</span><span class="self">self</span>, f: <span class="kw-2">&mut </span>fmt::Formatter) -> fmt::Result { |
| f.debug_struct(<span class="string">"ServerSessionImpl"</span>) |
| .finish() |
| } |
| } |
| |
| <span class="kw">impl </span>ServerSessionImpl { |
| <span class="kw">pub fn </span>new( |
| server_config: <span class="kw-2">&</span>Arc<ServerConfig>, |
| extra_exts: Vec<ServerExtension>, |
| ) -> ServerSessionImpl { |
| ServerSessionImpl { |
| config: server_config.clone(), |
| common: SessionCommon::new(server_config.mtu, <span class="bool-val">false</span>), |
| sni: <span class="prelude-val">None</span>, |
| alpn_protocol: <span class="prelude-val">None</span>, |
| quic_params: <span class="prelude-val">None</span>, |
| received_resumption_data: <span class="prelude-val">None</span>, |
| resumption_data: Vec::new(), |
| error: <span class="prelude-val">None</span>, |
| state: <span class="prelude-val">Some</span>(Box::new(hs::ExpectClientHello::new( |
| server_config, |
| extra_exts, |
| ))), |
| client_cert_chain: <span class="prelude-val">None</span>, |
| reject_early_data: <span class="bool-val">false</span>, |
| } |
| } |
| |
| <span class="kw">pub fn </span>wants_read(<span class="kw-2">&</span><span class="self">self</span>) -> bool { |
| <span class="comment">// We want to read more data all the time, except when we |
| // have unprocessed plaintext. This provides back-pressure |
| // to the TCP buffers. |
| // |
| // This also covers the handshake case, because we don't have |
| // readable plaintext before handshake has completed. |
| </span>!<span class="self">self</span>.common.has_readable_plaintext() |
| } |
| |
| <span class="kw">pub fn </span>wants_write(<span class="kw-2">&</span><span class="self">self</span>) -> bool { |
| !<span class="self">self</span>.common.sendable_tls.is_empty() |
| } |
| |
| <span class="kw">pub fn </span>is_handshaking(<span class="kw-2">&</span><span class="self">self</span>) -> bool { |
| !<span class="self">self</span>.common.traffic |
| } |
| |
| <span class="kw">pub fn </span>set_buffer_limit(<span class="kw-2">&mut </span><span class="self">self</span>, len: usize) { |
| <span class="self">self</span>.common.set_buffer_limit(len) |
| } |
| |
| <span class="kw">pub fn </span>process_msg(<span class="kw-2">&mut </span><span class="self">self</span>, <span class="kw-2">mut </span>msg: Message) -> <span class="prelude-ty">Result</span><(), TLSError> { |
| <span class="comment">// TLS1.3: drop CCS at any time during handshaking |
| </span><span class="kw">if let </span>MiddleboxCCS::Drop = <span class="self">self</span>.common.filter_tls13_ccs(<span class="kw-2">&</span>msg)<span class="question-mark">? </span>{ |
| <span class="macro">trace!</span>(<span class="string">"Dropping CCS"</span>); |
| <span class="kw">return </span><span class="prelude-val">Ok</span>(()); |
| } |
| |
| <span class="comment">// Decrypt if demanded by current state. |
| </span><span class="kw">if </span><span class="self">self</span>.common.record_layer.is_decrypting() { |
| <span class="kw">let </span>dm = <span class="self">self</span>.common.decrypt_incoming(msg)<span class="question-mark">?</span>; |
| msg = dm; |
| } |
| |
| <span class="comment">// For handshake messages, we need to join them before parsing |
| // and processing. |
| </span><span class="kw">if </span><span class="self">self |
| </span>.common |
| .handshake_joiner |
| .want_message(<span class="kw-2">&</span>msg) |
| { |
| <span class="self">self</span>.common |
| .handshake_joiner |
| .take_message(msg) |
| .ok_or_else(|| { |
| <span class="self">self</span>.common |
| .send_fatal_alert(AlertDescription::DecodeError); |
| TLSError::CorruptMessagePayload(ContentType::Handshake) |
| })<span class="question-mark">?</span>; |
| <span class="kw">return </span><span class="self">self</span>.process_new_handshake_messages(); |
| } |
| |
| <span class="comment">// Now we can fully parse the message payload. |
| </span>msg.decode_payload(); |
| |
| <span class="kw">if </span>msg.is_content_type(ContentType::Alert) { |
| <span class="kw">return </span><span class="self">self</span>.common.process_alert(msg); |
| } |
| |
| <span class="self">self</span>.process_main_protocol(msg) |
| } |
| |
| <span class="kw">pub fn </span>process_new_handshake_messages(<span class="kw-2">&mut </span><span class="self">self</span>) -> <span class="prelude-ty">Result</span><(), TLSError> { |
| <span class="kw">while let </span><span class="prelude-val">Some</span>(msg) = <span class="self">self |
| </span>.common |
| .handshake_joiner |
| .frames |
| .pop_front() |
| { |
| <span class="self">self</span>.process_main_protocol(msg)<span class="question-mark">?</span>; |
| } |
| |
| <span class="prelude-val">Ok</span>(()) |
| } |
| |
| <span class="kw">fn </span>queue_unexpected_alert(<span class="kw-2">&mut </span><span class="self">self</span>) { |
| <span class="self">self</span>.common |
| .send_fatal_alert(AlertDescription::UnexpectedMessage); |
| } |
| |
| <span class="kw">fn </span>maybe_send_unexpected_alert(<span class="kw-2">&mut </span><span class="self">self</span>, rc: hs::NextStateOrError) -> hs::NextStateOrError { |
| <span class="kw">match </span>rc { |
| <span class="prelude-val">Err</span>(TLSError::InappropriateMessage { .. }) |
| | <span class="prelude-val">Err</span>(TLSError::InappropriateHandshakeMessage { .. }) => { |
| <span class="self">self</span>.queue_unexpected_alert(); |
| } |
| <span class="kw">_ </span>=> {} |
| }; |
| rc |
| } |
| |
| <span class="kw">pub fn </span>process_main_protocol(<span class="kw-2">&mut </span><span class="self">self</span>, msg: Message) -> <span class="prelude-ty">Result</span><(), TLSError> { |
| <span class="kw">if </span><span class="self">self</span>.common.traffic |
| && !<span class="self">self</span>.common.is_tls13() |
| && msg.is_handshake_type(HandshakeType::ClientHello) |
| { |
| <span class="self">self</span>.common |
| .send_warning_alert(AlertDescription::NoRenegotiation); |
| <span class="kw">return </span><span class="prelude-val">Ok</span>(()); |
| } |
| |
| <span class="kw">let </span>state = <span class="self">self</span>.state.take().unwrap(); |
| <span class="kw">let </span>maybe_next_state = state.handle(<span class="self">self</span>, msg); |
| <span class="kw">let </span>next_state = <span class="self">self</span>.maybe_send_unexpected_alert(maybe_next_state)<span class="question-mark">?</span>; |
| <span class="self">self</span>.state = <span class="prelude-val">Some</span>(next_state); |
| |
| <span class="prelude-val">Ok</span>(()) |
| } |
| |
| <span class="kw">pub fn </span>process_new_packets(<span class="kw-2">&mut </span><span class="self">self</span>) -> <span class="prelude-ty">Result</span><(), TLSError> { |
| <span class="kw">if let </span><span class="prelude-val">Some</span>(<span class="kw-2">ref </span>err) = <span class="self">self</span>.error { |
| <span class="kw">return </span><span class="prelude-val">Err</span>(err.clone()); |
| } |
| |
| <span class="kw">if </span><span class="self">self</span>.common.message_deframer.desynced { |
| <span class="kw">return </span><span class="prelude-val">Err</span>(TLSError::CorruptMessage); |
| } |
| |
| <span class="kw">while let </span><span class="prelude-val">Some</span>(msg) = <span class="self">self |
| </span>.common |
| .message_deframer |
| .frames |
| .pop_front() |
| { |
| <span class="kw">match </span><span class="self">self</span>.process_msg(msg) { |
| <span class="prelude-val">Ok</span>(<span class="kw">_</span>) => {} |
| <span class="prelude-val">Err</span>(err) => { |
| <span class="self">self</span>.error = <span class="prelude-val">Some</span>(err.clone()); |
| <span class="kw">return </span><span class="prelude-val">Err</span>(err); |
| } |
| } |
| } |
| |
| <span class="prelude-val">Ok</span>(()) |
| } |
| |
| <span class="kw">pub fn </span>get_peer_certificates(<span class="kw-2">&</span><span class="self">self</span>) -> <span class="prelude-ty">Option</span><Vec<key::Certificate>> { |
| <span class="self">self</span>.client_cert_chain |
| .as_ref() |
| .map(|chain| chain.iter().cloned().collect()) |
| } |
| |
| <span class="kw">pub fn </span>get_alpn_protocol(<span class="kw-2">&</span><span class="self">self</span>) -> <span class="prelude-ty">Option</span><<span class="kw-2">&</span>[u8]> { |
| <span class="self">self</span>.alpn_protocol |
| .as_ref() |
| .map(AsRef::as_ref) |
| } |
| |
| <span class="kw">pub fn </span>get_protocol_version(<span class="kw-2">&</span><span class="self">self</span>) -> <span class="prelude-ty">Option</span><ProtocolVersion> { |
| <span class="self">self</span>.common.negotiated_version |
| } |
| |
| <span class="kw">pub fn </span>get_negotiated_ciphersuite(<span class="kw-2">&</span><span class="self">self</span>) -> <span class="prelude-ty">Option</span><<span class="kw-2">&</span><span class="lifetime">'static </span>SupportedCipherSuite> { |
| <span class="self">self</span>.common.get_suite() |
| } |
| |
| <span class="kw">pub fn </span>get_sni(<span class="kw-2">&</span><span class="self">self</span>) -> <span class="prelude-ty">Option</span><<span class="kw-2">&</span>webpki::DNSName> { |
| <span class="self">self</span>.sni.as_ref() |
| } |
| |
| <span class="kw">pub fn </span>set_sni(<span class="kw-2">&mut </span><span class="self">self</span>, value: webpki::DNSName) { |
| <span class="comment">// The SNI hostname is immutable once set. |
| </span><span class="macro">assert!</span>(<span class="self">self</span>.sni.is_none()); |
| <span class="self">self</span>.sni = <span class="prelude-val">Some</span>(value) |
| } |
| |
| <span class="kw">fn </span>export_keying_material( |
| <span class="kw-2">&</span><span class="self">self</span>, |
| output: <span class="kw-2">&mut </span>[u8], |
| label: <span class="kw-2">&</span>[u8], |
| context: <span class="prelude-ty">Option</span><<span class="kw-2">&</span>[u8]>, |
| ) -> <span class="prelude-ty">Result</span><(), TLSError> { |
| <span class="self">self</span>.state |
| .as_ref() |
| .ok_or_else(|| TLSError::HandshakeNotComplete) |
| .and_then(|st| st.export_keying_material(output, label, context)) |
| } |
| |
| <span class="kw">fn </span>send_some_plaintext(<span class="kw-2">&mut </span><span class="self">self</span>, buf: <span class="kw-2">&</span>[u8]) -> usize { |
| <span class="kw">let </span><span class="kw-2">mut </span>st = <span class="self">self</span>.state.take(); |
| st.as_mut() |
| .map(|st| st.perhaps_write_key_update(<span class="self">self</span>)); |
| <span class="self">self</span>.state = st; |
| <span class="self">self</span>.common.send_some_plaintext(buf) |
| } |
| } |
| |
| <span class="doccomment">/// This represents a single TLS server session. |
| /// |
| /// Send TLS-protected data to the peer using the `io::Write` trait implementation. |
| /// Read data from the peer using the `io::Read` trait implementation. |
| </span><span class="attribute">#[derive(Debug)] |
| </span><span class="kw">pub struct </span>ServerSession { |
| <span class="comment">// We use the pimpl idiom to hide unimportant details. |
| </span><span class="kw">pub</span>(<span class="kw">crate</span>) imp: ServerSessionImpl, |
| } |
| |
| <span class="kw">impl </span>ServerSession { |
| <span class="doccomment">/// Make a new ServerSession. `config` controls how |
| /// we behave in the TLS protocol. |
| </span><span class="kw">pub fn </span>new(config: <span class="kw-2">&</span>Arc<ServerConfig>) -> ServerSession { |
| ServerSession { |
| imp: ServerSessionImpl::new(config, <span class="macro">vec!</span>[]), |
| } |
| } |
| |
| <span class="doccomment">/// Retrieves the SNI hostname, if any, used to select the certificate and |
| /// private key. |
| /// |
| /// This returns `None` until some time after the client's SNI extension |
| /// value is processed during the handshake. It will never be `None` when |
| /// the connection is ready to send or process application data, unless the |
| /// client does not support SNI. |
| /// |
| /// This is useful for application protocols that need to enforce that the |
| /// SNI hostname matches an application layer protocol hostname. For |
| /// example, HTTP/1.1 servers commonly expect the `Host:` header field of |
| /// every request on a connection to match the hostname in the SNI extension |
| /// when the client provides the SNI extension. |
| /// |
| /// The SNI hostname is also used to match sessions during session |
| /// resumption. |
| </span><span class="kw">pub fn </span>get_sni_hostname(<span class="kw-2">&</span><span class="self">self</span>) -> <span class="prelude-ty">Option</span><<span class="kw-2">&</span>str> { |
| <span class="self">self</span>.imp |
| .get_sni() |
| .map(|s| s.as_ref().into()) |
| } |
| |
| <span class="doccomment">/// Application-controlled portion of the resumption ticket supplied by the client, if any. |
| /// |
| /// Recovered from the prior session's `set_resumption_data`. Integrity is guaranteed by rustls. |
| /// |
| /// Returns `Some` iff a valid resumption ticket has been received from the client. |
| </span><span class="kw">pub fn </span>received_resumption_data(<span class="kw-2">&</span><span class="self">self</span>) -> <span class="prelude-ty">Option</span><<span class="kw-2">&</span>[u8]> { |
| <span class="self">self</span>.imp |
| .received_resumption_data |
| .as_ref() |
| .map(|x| <span class="kw-2">&</span>x[..]) |
| } |
| |
| <span class="doccomment">/// Set the resumption data to embed in future resumption tickets supplied to the client. |
| /// |
| /// Defaults to the empty byte string. Must be less than 2^15 bytes to allow room for other |
| /// data. Should be called while `is_handshaking` returns true to ensure all transmitted |
| /// resumption tickets are affected. |
| /// |
| /// Integrity will be assured by rustls, but the data will be visible to the client. If secrecy |
| /// from the client is desired, encrypt the data separately. |
| </span><span class="kw">pub fn </span>set_resumption_data(<span class="kw-2">&mut </span><span class="self">self</span>, data: <span class="kw-2">&</span>[u8]) { |
| <span class="macro">assert!</span>(data.len() < <span class="number">2usize</span>.pow(<span class="number">15</span>)); |
| <span class="self">self</span>.imp.resumption_data = data.into(); |
| } |
| |
| <span class="doccomment">/// Explicitly discard early data, notifying the client |
| /// |
| /// Useful if invariants encoded in `received_resumption_data()` cannot be respected. |
| /// |
| /// Must be called while `is_handshaking` is true. |
| </span><span class="kw">pub fn </span>reject_early_data(<span class="kw-2">&mut </span><span class="self">self</span>) { |
| <span class="macro">assert!</span>( |
| <span class="self">self</span>.is_handshaking(), |
| <span class="string">"cannot retroactively reject early data" |
| </span>); |
| <span class="self">self</span>.imp.reject_early_data = <span class="bool-val">true</span>; |
| } |
| } |
| |
| <span class="kw">impl </span>Session <span class="kw">for </span>ServerSession { |
| <span class="kw">fn </span>read_tls(<span class="kw-2">&mut </span><span class="self">self</span>, rd: <span class="kw-2">&mut </span><span class="kw">dyn </span>io::Read) -> io::Result<usize> { |
| <span class="self">self</span>.imp.common.read_tls(rd) |
| } |
| |
| <span class="doccomment">/// Writes TLS messages to `wr`. |
| </span><span class="kw">fn </span>write_tls(<span class="kw-2">&mut </span><span class="self">self</span>, wr: <span class="kw-2">&mut </span><span class="kw">dyn </span>io::Write) -> io::Result<usize> { |
| <span class="self">self</span>.imp.common.write_tls(wr) |
| } |
| |
| <span class="kw">fn </span>process_new_packets(<span class="kw-2">&mut </span><span class="self">self</span>) -> <span class="prelude-ty">Result</span><(), TLSError> { |
| <span class="self">self</span>.imp.process_new_packets() |
| } |
| |
| <span class="kw">fn </span>wants_read(<span class="kw-2">&</span><span class="self">self</span>) -> bool { |
| <span class="self">self</span>.imp.wants_read() |
| } |
| |
| <span class="kw">fn </span>wants_write(<span class="kw-2">&</span><span class="self">self</span>) -> bool { |
| <span class="self">self</span>.imp.wants_write() |
| } |
| |
| <span class="kw">fn </span>is_handshaking(<span class="kw-2">&</span><span class="self">self</span>) -> bool { |
| <span class="self">self</span>.imp.is_handshaking() |
| } |
| |
| <span class="kw">fn </span>set_buffer_limit(<span class="kw-2">&mut </span><span class="self">self</span>, len: usize) { |
| <span class="self">self</span>.imp.set_buffer_limit(len) |
| } |
| |
| <span class="kw">fn </span>send_close_notify(<span class="kw-2">&mut </span><span class="self">self</span>) { |
| <span class="self">self</span>.imp.common.send_close_notify() |
| } |
| |
| <span class="kw">fn </span>get_peer_certificates(<span class="kw-2">&</span><span class="self">self</span>) -> <span class="prelude-ty">Option</span><Vec<key::Certificate>> { |
| <span class="self">self</span>.imp.get_peer_certificates() |
| } |
| |
| <span class="kw">fn </span>get_alpn_protocol(<span class="kw-2">&</span><span class="self">self</span>) -> <span class="prelude-ty">Option</span><<span class="kw-2">&</span>[u8]> { |
| <span class="self">self</span>.imp.get_alpn_protocol() |
| } |
| |
| <span class="kw">fn </span>get_protocol_version(<span class="kw-2">&</span><span class="self">self</span>) -> <span class="prelude-ty">Option</span><ProtocolVersion> { |
| <span class="self">self</span>.imp.get_protocol_version() |
| } |
| |
| <span class="kw">fn </span>export_keying_material( |
| <span class="kw-2">&</span><span class="self">self</span>, |
| output: <span class="kw-2">&mut </span>[u8], |
| label: <span class="kw-2">&</span>[u8], |
| context: <span class="prelude-ty">Option</span><<span class="kw-2">&</span>[u8]>, |
| ) -> <span class="prelude-ty">Result</span><(), TLSError> { |
| <span class="self">self</span>.imp |
| .export_keying_material(output, label, context) |
| } |
| |
| <span class="kw">fn </span>get_negotiated_ciphersuite(<span class="kw-2">&</span><span class="self">self</span>) -> <span class="prelude-ty">Option</span><<span class="kw-2">&</span><span class="lifetime">'static </span>SupportedCipherSuite> { |
| <span class="self">self</span>.imp.get_negotiated_ciphersuite() |
| } |
| } |
| |
| <span class="kw">impl </span>io::Read <span class="kw">for </span>ServerSession { |
| <span class="doccomment">/// Obtain plaintext data received from the peer over this TLS connection. |
| /// |
| /// If the peer closes the TLS session cleanly, this fails with an error of |
| /// kind ErrorKind::ConnectionAborted once all the pending data has been read. |
| /// No further data can be received on that connection, so the underlying TCP |
| /// connection should closed too. |
| /// |
| /// Note that support close notify varies in peer TLS libraries: many do not |
| /// support it and uncleanly close the TCP connection (this might be |
| /// vulnerable to truncation attacks depending on the application protocol). |
| /// This means applications using rustls must both handle ErrorKind::ConnectionAborted |
| /// from this function, *and* unexpected closure of the underlying TCP connection. |
| </span><span class="kw">fn </span>read(<span class="kw-2">&mut </span><span class="self">self</span>, buf: <span class="kw-2">&mut </span>[u8]) -> io::Result<usize> { |
| <span class="self">self</span>.imp.common.read(buf) |
| } |
| } |
| |
| <span class="kw">impl </span>io::Write <span class="kw">for </span>ServerSession { |
| <span class="doccomment">/// Send the plaintext `buf` to the peer, encrypting |
| /// and authenticating it. Once this function succeeds |
| /// you should call `write_tls` which will output the |
| /// corresponding TLS records. |
| /// |
| /// This function buffers plaintext sent before the |
| /// TLS handshake completes, and sends it as soon |
| /// as it can. This buffer is of *unlimited size* so |
| /// writing much data before it can be sent will |
| /// cause excess memory usage. |
| </span><span class="kw">fn </span>write(<span class="kw-2">&mut </span><span class="self">self</span>, buf: <span class="kw-2">&</span>[u8]) -> io::Result<usize> { |
| <span class="prelude-val">Ok</span>(<span class="self">self</span>.imp.send_some_plaintext(buf)) |
| } |
| |
| <span class="kw">fn </span>write_vectored(<span class="kw-2">&mut </span><span class="self">self</span>, bufs: <span class="kw-2">&</span>[IoSlice<<span class="lifetime">'_</span>>]) -> io::Result<usize> { |
| <span class="kw">let </span><span class="kw-2">mut </span>sz = <span class="number">0</span>; |
| <span class="kw">for </span>buf <span class="kw">in </span>bufs { |
| sz += <span class="self">self</span>.imp.send_some_plaintext(buf); |
| } |
| <span class="prelude-val">Ok</span>(sz) |
| } |
| |
| <span class="kw">fn </span>flush(<span class="kw-2">&mut </span><span class="self">self</span>) -> io::Result<()> { |
| <span class="self">self</span>.imp.common.flush_plaintext(); |
| <span class="prelude-val">Ok</span>(()) |
| } |
| } |
| </code></pre></div> |
| </section></div></main><div id="rustdoc-vars" data-root-path="../../../" data-current-crate="rustls" data-themes="ayu,dark,light" data-resource-suffix="" data-rustdoc-version="1.66.0-nightly (5c8bff74b 2022-10-21)" ></div></body></html> |