rustls/server/server_conn.rs
1use alloc::boxed::Box;
2use alloc::vec::Vec;
3use core::fmt;
4use core::fmt::{Debug, Formatter};
5use core::marker::PhantomData;
6use core::ops::{Deref, DerefMut};
7#[cfg(feature = "std")]
8use std::io;
9
10use pki_types::{DnsName, UnixTime};
11
12use super::hs;
13#[cfg(feature = "std")]
14use crate::WantsVerifier;
15use crate::builder::ConfigBuilder;
16use crate::common_state::{CommonState, Side};
17#[cfg(feature = "std")]
18use crate::common_state::{Protocol, State};
19use crate::conn::{ConnectionCommon, ConnectionCore, UnbufferedConnectionCommon};
20#[cfg(doc)]
21use crate::crypto;
22use crate::crypto::CryptoProvider;
23use crate::enums::{CertificateType, CipherSuite, ProtocolVersion, SignatureScheme};
24use crate::error::Error;
25use crate::kernel::KernelConnection;
26use crate::log::trace;
27use crate::msgs::base::Payload;
28use crate::msgs::handshake::{ClientHelloPayload, ProtocolName, ServerExtension};
29use crate::msgs::message::Message;
30use crate::suites::ExtractedSecrets;
31use crate::sync::Arc;
32#[cfg(feature = "std")]
33use crate::time_provider::DefaultTimeProvider;
34use crate::time_provider::TimeProvider;
35use crate::vecbuf::ChunkVecBuffer;
36use crate::{
37 DistinguishedName, KeyLog, NamedGroup, WantsVersions, compress, sign, verify, versions,
38};
39
40/// A trait for the ability to store server session data.
41///
42/// The keys and values are opaque.
43///
44/// Inserted keys are randomly chosen by the library and have
45/// no internal structure (in other words, you may rely on all
46/// bits being uniformly random). Queried keys are untrusted data.
47///
48/// Both the keys and values should be treated as
49/// **highly sensitive data**, containing enough key material
50/// to break all security of the corresponding sessions.
51///
52/// Implementations can be lossy (in other words, forgetting
53/// key/value pairs) without any negative security consequences.
54///
55/// However, note that `take` **must** reliably delete a returned
56/// value. If it does not, there may be security consequences.
57///
58/// `put` and `take` are mutating operations; this isn't expressed
59/// in the type system to allow implementations freedom in
60/// how to achieve interior mutability. `Mutex` is a common
61/// choice.
62pub trait StoresServerSessions: Debug + Send + Sync {
63 /// Store session secrets encoded in `value` against `key`,
64 /// overwrites any existing value against `key`. Returns `true`
65 /// if the value was stored.
66 fn put(&self, key: Vec<u8>, value: Vec<u8>) -> bool;
67
68 /// Find a value with the given `key`. Return it, or None
69 /// if it doesn't exist.
70 fn get(&self, key: &[u8]) -> Option<Vec<u8>>;
71
72 /// Find a value with the given `key`. Return it and delete it;
73 /// or None if it doesn't exist.
74 fn take(&self, key: &[u8]) -> Option<Vec<u8>>;
75
76 /// Whether the store can cache another session. This is used to indicate to clients
77 /// whether their session can be resumed; the implementation is not required to remember
78 /// a session even if it returns `true` here.
79 fn can_cache(&self) -> bool;
80}
81
82/// A trait for the ability to encrypt and decrypt tickets.
83pub trait ProducesTickets: Debug + Send + Sync {
84 /// Returns true if this implementation will encrypt/decrypt
85 /// tickets. Should return false if this is a dummy
86 /// implementation: the server will not send the SessionTicket
87 /// extension and will not call the other functions.
88 fn enabled(&self) -> bool;
89
90 /// Returns the lifetime in seconds of tickets produced now.
91 /// The lifetime is provided as a hint to clients that the
92 /// ticket will not be useful after the given time.
93 ///
94 /// This lifetime must be implemented by key rolling and
95 /// erasure, *not* by storing a lifetime in the ticket.
96 ///
97 /// The objective is to limit damage to forward secrecy caused
98 /// by tickets, not just limiting their lifetime.
99 fn lifetime(&self) -> u32;
100
101 /// Encrypt and authenticate `plain`, returning the resulting
102 /// ticket. Return None if `plain` cannot be encrypted for
103 /// some reason: an empty ticket will be sent and the connection
104 /// will continue.
105 fn encrypt(&self, plain: &[u8]) -> Option<Vec<u8>>;
106
107 /// Decrypt `cipher`, validating its authenticity protection
108 /// and recovering the plaintext. `cipher` is fully attacker
109 /// controlled, so this decryption must be side-channel free,
110 /// panic-proof, and otherwise bullet-proof. If the decryption
111 /// fails, return None.
112 fn decrypt(&self, cipher: &[u8]) -> Option<Vec<u8>>;
113}
114
115/// How to choose a certificate chain and signing key for use
116/// in server authentication.
117///
118/// This is suitable when selecting a certificate does not require
119/// I/O or when the application is using blocking I/O anyhow.
120///
121/// For applications that use async I/O and need to do I/O to choose
122/// a certificate (for instance, fetching a certificate from a data store),
123/// the [`Acceptor`] interface is more suitable.
124pub trait ResolvesServerCert: Debug + Send + Sync {
125 /// Choose a certificate chain and matching key given simplified
126 /// ClientHello information.
127 ///
128 /// Return `None` to abort the handshake.
129 fn resolve(&self, client_hello: ClientHello<'_>) -> Option<Arc<sign::CertifiedKey>>;
130
131 /// Return true when the server only supports raw public keys.
132 fn only_raw_public_keys(&self) -> bool {
133 false
134 }
135}
136
137/// A struct representing the received Client Hello
138#[derive(Debug)]
139pub struct ClientHello<'a> {
140 pub(super) server_name: &'a Option<DnsName<'a>>,
141 pub(super) signature_schemes: &'a [SignatureScheme],
142 pub(super) alpn: Option<&'a Vec<ProtocolName>>,
143 pub(super) server_cert_types: Option<&'a [CertificateType]>,
144 pub(super) client_cert_types: Option<&'a [CertificateType]>,
145 pub(super) cipher_suites: &'a [CipherSuite],
146 /// The [certificate_authorities] extension, if it was sent by the client.
147 ///
148 /// [certificate_authorities]: https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4
149 pub(super) certificate_authorities: Option<&'a [DistinguishedName]>,
150 pub(super) named_groups: Option<&'a [NamedGroup]>,
151}
152
153impl<'a> ClientHello<'a> {
154 /// Get the server name indicator.
155 ///
156 /// Returns `None` if the client did not supply a SNI.
157 pub fn server_name(&self) -> Option<&str> {
158 self.server_name
159 .as_ref()
160 .map(<DnsName<'_> as AsRef<str>>::as_ref)
161 }
162
163 /// Get the compatible signature schemes.
164 ///
165 /// Returns standard-specified default if the client omitted this extension.
166 pub fn signature_schemes(&self) -> &[SignatureScheme] {
167 self.signature_schemes
168 }
169
170 /// Get the ALPN protocol identifiers submitted by the client.
171 ///
172 /// Returns `None` if the client did not include an ALPN extension.
173 ///
174 /// Application Layer Protocol Negotiation (ALPN) is a TLS extension that lets a client
175 /// submit a set of identifiers that each a represent an application-layer protocol.
176 /// The server will then pick its preferred protocol from the set submitted by the client.
177 /// Each identifier is represented as a byte array, although common values are often ASCII-encoded.
178 /// See the official RFC-7301 specifications at <https://datatracker.ietf.org/doc/html/rfc7301>
179 /// for more information on ALPN.
180 ///
181 /// For example, a HTTP client might specify "http/1.1" and/or "h2". Other well-known values
182 /// are listed in the at IANA registry at
183 /// <https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids>.
184 ///
185 /// The server can specify supported ALPN protocols by setting [`ServerConfig::alpn_protocols`].
186 /// During the handshake, the server will select the first protocol configured that the client supports.
187 pub fn alpn(&self) -> Option<impl Iterator<Item = &'a [u8]>> {
188 self.alpn.map(|protocols| {
189 protocols
190 .iter()
191 .map(|proto| proto.as_ref())
192 })
193 }
194
195 /// Get cipher suites.
196 pub fn cipher_suites(&self) -> &[CipherSuite] {
197 self.cipher_suites
198 }
199
200 /// Get the server certificate types offered in the ClientHello.
201 ///
202 /// Returns `None` if the client did not include a certificate type extension.
203 pub fn server_cert_types(&self) -> Option<&'a [CertificateType]> {
204 self.server_cert_types
205 }
206
207 /// Get the client certificate types offered in the ClientHello.
208 ///
209 /// Returns `None` if the client did not include a certificate type extension.
210 pub fn client_cert_types(&self) -> Option<&'a [CertificateType]> {
211 self.client_cert_types
212 }
213
214 /// Get the [certificate_authorities] extension sent by the client.
215 ///
216 /// Returns `None` if the client did not send this extension.
217 ///
218 /// [certificate_authorities]: https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4
219 pub fn certificate_authorities(&self) -> Option<&'a [DistinguishedName]> {
220 self.certificate_authorities
221 }
222
223 /// Get the [`named_groups`] extension sent by the client.
224 ///
225 /// This means different things in different versions of TLS:
226 ///
227 /// Originally it was introduced as the "[`elliptic_curves`]" extension for TLS1.2.
228 /// It described the elliptic curves supported by a client for all purposes: key
229 /// exchange, signature verification (for server authentication), and signing (for
230 /// client auth). Later [RFC7919] extended this to include FFDHE "named groups",
231 /// but FFDHE groups in this context only relate to key exchange.
232 ///
233 /// In TLS1.3 it was renamed to "[`named_groups`]" and now describes all types
234 /// of key exchange mechanisms, and does not relate at all to elliptic curves
235 /// used for signatures.
236 ///
237 /// [`elliptic_curves`]: https://datatracker.ietf.org/doc/html/rfc4492#section-5.1.1
238 /// [RFC7919]: https://datatracker.ietf.org/doc/html/rfc7919#section-2
239 /// [`named_groups`]:https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.7
240 pub fn named_groups(&self) -> Option<&'a [NamedGroup]> {
241 self.named_groups
242 }
243}
244
245/// Common configuration for a set of server sessions.
246///
247/// Making one of these is cheap, though one of the inputs may be expensive: gathering trust roots
248/// from the operating system to add to the [`RootCertStore`] passed to a `ClientCertVerifier`
249/// builder may take on the order of a few hundred milliseconds.
250///
251/// These must be created via the [`ServerConfig::builder()`] or [`ServerConfig::builder_with_provider()`]
252/// function.
253///
254/// # Defaults
255///
256/// * [`ServerConfig::max_fragment_size`]: the default is `None` (meaning 16kB).
257/// * [`ServerConfig::session_storage`]: if the `std` feature is enabled, the default stores 256
258/// sessions in memory. If the `std` feature is not enabled, the default is to not store any
259/// sessions. In a no-std context, by enabling the `hashbrown` feature you may provide your
260/// own `session_storage` using [`ServerSessionMemoryCache`] and a `crate::lock::MakeMutex`
261/// implementation.
262/// * [`ServerConfig::alpn_protocols`]: the default is empty -- no ALPN protocol is negotiated.
263/// * [`ServerConfig::key_log`]: key material is not logged.
264/// * [`ServerConfig::send_tls13_tickets`]: 2 tickets are sent.
265/// * [`ServerConfig::cert_compressors`]: depends on the crate features, see [`compress::default_cert_compressors()`].
266/// * [`ServerConfig::cert_compression_cache`]: caches the most recently used 4 compressions
267/// * [`ServerConfig::cert_decompressors`]: depends on the crate features, see [`compress::default_cert_decompressors()`].
268///
269/// # Sharing resumption storage between `ServerConfig`s
270///
271/// In a program using many `ServerConfig`s it may improve resumption rates
272/// (which has a significant impact on connection performance) if those
273/// configs share [`ServerConfig::session_storage`] or [`ServerConfig::ticketer`].
274///
275/// However, caution is needed: other fields influence the security of a session
276/// and resumption between them can be surprising. If sharing
277/// [`ServerConfig::session_storage`] or [`ServerConfig::ticketer`] between two
278/// `ServerConfig`s, you should also evaluate the following fields and ensure
279/// they are equivalent:
280///
281/// * `ServerConfig::verifier` -- client authentication requirements,
282/// * [`ServerConfig::cert_resolver`] -- server identities.
283///
284/// To illustrate, imagine two `ServerConfig`s `A` and `B`. `A` requires
285/// client authentication, `B` does not. If `A` and `B` shared a resumption store,
286/// it would be possible for a session originated by `B` (that is, an unauthenticated client)
287/// to be inserted into the store, and then resumed by `A`. This would give a false
288/// impression to the user of `A` that the client was authenticated. This is possible
289/// whether the resumption is performed statefully (via [`ServerConfig::session_storage`])
290/// or statelessly (via [`ServerConfig::ticketer`]).
291///
292/// _Unlike_ `ClientConfig`, rustls does not enforce any policy here.
293///
294/// [`RootCertStore`]: crate::RootCertStore
295/// [`ServerSessionMemoryCache`]: crate::server::handy::ServerSessionMemoryCache
296#[derive(Clone, Debug)]
297pub struct ServerConfig {
298 /// Source of randomness and other crypto.
299 pub(super) provider: Arc<CryptoProvider>,
300
301 /// Ignore the client's ciphersuite order. Instead,
302 /// choose the top ciphersuite in the server list
303 /// which is supported by the client.
304 pub ignore_client_order: bool,
305
306 /// The maximum size of plaintext input to be emitted in a single TLS record.
307 /// A value of None is equivalent to the [TLS maximum] of 16 kB.
308 ///
309 /// rustls enforces an arbitrary minimum of 32 bytes for this field.
310 /// Out of range values are reported as errors from [ServerConnection::new].
311 ///
312 /// Setting this value to a little less than the TCP MSS may improve latency
313 /// for stream-y workloads.
314 ///
315 /// [TLS maximum]: https://datatracker.ietf.org/doc/html/rfc8446#section-5.1
316 /// [ServerConnection::new]: crate::server::ServerConnection::new
317 pub max_fragment_size: Option<usize>,
318
319 /// How to store client sessions.
320 ///
321 /// See [ServerConfig#sharing-resumption-storage-between-serverconfigs]
322 /// for a warning related to this field.
323 pub session_storage: Arc<dyn StoresServerSessions>,
324
325 /// How to produce tickets.
326 ///
327 /// See [ServerConfig#sharing-resumption-storage-between-serverconfigs]
328 /// for a warning related to this field.
329 pub ticketer: Arc<dyn ProducesTickets>,
330
331 /// How to choose a server cert and key. This is usually set by
332 /// [ConfigBuilder::with_single_cert] or [ConfigBuilder::with_cert_resolver].
333 /// For async applications, see also [Acceptor].
334 pub cert_resolver: Arc<dyn ResolvesServerCert>,
335
336 /// Protocol names we support, most preferred first.
337 /// If empty we don't do ALPN at all.
338 pub alpn_protocols: Vec<Vec<u8>>,
339
340 /// Supported protocol versions, in no particular order.
341 /// The default is all supported versions.
342 pub(super) versions: versions::EnabledVersions,
343
344 /// How to verify client certificates.
345 pub(super) verifier: Arc<dyn verify::ClientCertVerifier>,
346
347 /// How to output key material for debugging. The default
348 /// does nothing.
349 pub key_log: Arc<dyn KeyLog>,
350
351 /// Allows traffic secrets to be extracted after the handshake,
352 /// e.g. for kTLS setup.
353 pub enable_secret_extraction: bool,
354
355 /// Amount of early data to accept for sessions created by
356 /// this config. Specify 0 to disable early data. The
357 /// default is 0.
358 ///
359 /// Read the early data via [`ServerConnection::early_data`].
360 ///
361 /// The units for this are _both_ plaintext bytes, _and_ ciphertext
362 /// bytes, depending on whether the server accepts a client's early_data
363 /// or not. It is therefore recommended to include some slop in
364 /// this value to account for the unknown amount of ciphertext
365 /// expansion in the latter case.
366 pub max_early_data_size: u32,
367
368 /// Whether the server should send "0.5RTT" data. This means the server
369 /// sends data after its first flight of handshake messages, without
370 /// waiting for the client to complete the handshake.
371 ///
372 /// This can improve TTFB latency for either server-speaks-first protocols,
373 /// or client-speaks-first protocols when paired with "0RTT" data. This
374 /// comes at the cost of a subtle weakening of the normal handshake
375 /// integrity guarantees that TLS provides. Note that the initial
376 /// `ClientHello` is indirectly authenticated because it is included
377 /// in the transcript used to derive the keys used to encrypt the data.
378 ///
379 /// This only applies to TLS1.3 connections. TLS1.2 connections cannot
380 /// do this optimisation and this setting is ignored for them. It is
381 /// also ignored for TLS1.3 connections that even attempt client
382 /// authentication.
383 ///
384 /// This defaults to false. This means the first application data
385 /// sent by the server comes after receiving and validating the client's
386 /// handshake up to the `Finished` message. This is the safest option.
387 pub send_half_rtt_data: bool,
388
389 /// How many TLS1.3 tickets to send immediately after a successful
390 /// handshake.
391 ///
392 /// Because TLS1.3 tickets are single-use, this allows
393 /// a client to perform multiple resumptions.
394 ///
395 /// The default is 2.
396 ///
397 /// If this is 0, no tickets are sent and clients will not be able to
398 /// do any resumption.
399 pub send_tls13_tickets: usize,
400
401 /// If set to `true`, requires the client to support the extended
402 /// master secret extraction method defined in [RFC 7627].
403 ///
404 /// The default is `true` if the "fips" crate feature is enabled,
405 /// `false` otherwise.
406 ///
407 /// It must be set to `true` to meet FIPS requirement mentioned in section
408 /// **D.Q Transition of the TLS 1.2 KDF to Support the Extended Master
409 /// Secret** from [FIPS 140-3 IG.pdf].
410 ///
411 /// [RFC 7627]: https://datatracker.ietf.org/doc/html/rfc7627
412 /// [FIPS 140-3 IG.pdf]: https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf
413 #[cfg(feature = "tls12")]
414 pub require_ems: bool,
415
416 /// Provides the current system time
417 pub time_provider: Arc<dyn TimeProvider>,
418
419 /// How to compress the server's certificate chain.
420 ///
421 /// If a client supports this extension, and advertises support
422 /// for one of the compression algorithms included here, the
423 /// server certificate will be compressed according to [RFC8779].
424 ///
425 /// This only applies to TLS1.3 connections. It is ignored for
426 /// TLS1.2 connections.
427 ///
428 /// [RFC8779]: https://datatracker.ietf.org/doc/rfc8879/
429 pub cert_compressors: Vec<&'static dyn compress::CertCompressor>,
430
431 /// Caching for compressed certificates.
432 ///
433 /// This is optional: [`compress::CompressionCache::Disabled`] gives
434 /// a cache that does no caching.
435 pub cert_compression_cache: Arc<compress::CompressionCache>,
436
437 /// How to decompress the clients's certificate chain.
438 ///
439 /// If this is non-empty, the [RFC8779] certificate compression
440 /// extension is offered when requesting client authentication,
441 /// and any compressed certificates are transparently decompressed
442 /// during the handshake.
443 ///
444 /// This only applies to TLS1.3 connections. It is ignored for
445 /// TLS1.2 connections.
446 ///
447 /// [RFC8779]: https://datatracker.ietf.org/doc/rfc8879/
448 pub cert_decompressors: Vec<&'static dyn compress::CertDecompressor>,
449}
450
451impl ServerConfig {
452 /// Create a builder for a server configuration with
453 /// [the process-default `CryptoProvider`][CryptoProvider#using-the-per-process-default-cryptoprovider]
454 /// and safe protocol version defaults.
455 ///
456 /// For more information, see the [`ConfigBuilder`] documentation.
457 #[cfg(feature = "std")]
458 pub fn builder() -> ConfigBuilder<Self, WantsVerifier> {
459 Self::builder_with_protocol_versions(versions::DEFAULT_VERSIONS)
460 }
461
462 /// Create a builder for a server configuration with
463 /// [the process-default `CryptoProvider`][CryptoProvider#using-the-per-process-default-cryptoprovider]
464 /// and the provided protocol versions.
465 ///
466 /// Panics if
467 /// - the supported versions are not compatible with the provider (eg.
468 /// the combination of ciphersuites supported by the provider and supported
469 /// versions lead to zero cipher suites being usable),
470 /// - if a `CryptoProvider` cannot be resolved using a combination of
471 /// the crate features and process default.
472 ///
473 /// For more information, see the [`ConfigBuilder`] documentation.
474 #[cfg(feature = "std")]
475 pub fn builder_with_protocol_versions(
476 versions: &[&'static versions::SupportedProtocolVersion],
477 ) -> ConfigBuilder<Self, WantsVerifier> {
478 // Safety assumptions:
479 // 1. that the provider has been installed (explicitly or implicitly)
480 // 2. that the process-level default provider is usable with the supplied protocol versions.
481 Self::builder_with_provider(
482 CryptoProvider::get_default_or_install_from_crate_features().clone(),
483 )
484 .with_protocol_versions(versions)
485 .unwrap()
486 }
487
488 /// Create a builder for a server configuration with a specific [`CryptoProvider`].
489 ///
490 /// This will use the provider's configured ciphersuites. You must additionally choose
491 /// which protocol versions to enable, using `with_protocol_versions` or
492 /// `with_safe_default_protocol_versions` and handling the `Result` in case a protocol
493 /// version is not supported by the provider's ciphersuites.
494 ///
495 /// For more information, see the [`ConfigBuilder`] documentation.
496 #[cfg(feature = "std")]
497 pub fn builder_with_provider(
498 provider: Arc<CryptoProvider>,
499 ) -> ConfigBuilder<Self, WantsVersions> {
500 ConfigBuilder {
501 state: WantsVersions {},
502 provider,
503 time_provider: Arc::new(DefaultTimeProvider),
504 side: PhantomData,
505 }
506 }
507
508 /// Create a builder for a server configuration with no default implementation details.
509 ///
510 /// This API must be used by `no_std` users.
511 ///
512 /// You must provide a specific [`TimeProvider`].
513 ///
514 /// You must provide a specific [`CryptoProvider`].
515 ///
516 /// This will use the provider's configured ciphersuites. You must additionally choose
517 /// which protocol versions to enable, using `with_protocol_versions` or
518 /// `with_safe_default_protocol_versions` and handling the `Result` in case a protocol
519 /// version is not supported by the provider's ciphersuites.
520 ///
521 /// For more information, see the [`ConfigBuilder`] documentation.
522 pub fn builder_with_details(
523 provider: Arc<CryptoProvider>,
524 time_provider: Arc<dyn TimeProvider>,
525 ) -> ConfigBuilder<Self, WantsVersions> {
526 ConfigBuilder {
527 state: WantsVersions {},
528 provider,
529 time_provider,
530 side: PhantomData,
531 }
532 }
533
534 /// Return `true` if connections made with this `ServerConfig` will
535 /// operate in FIPS mode.
536 ///
537 /// This is different from [`CryptoProvider::fips()`]: [`CryptoProvider::fips()`]
538 /// is concerned only with cryptography, whereas this _also_ covers TLS-level
539 /// configuration that NIST recommends.
540 pub fn fips(&self) -> bool {
541 #[cfg(feature = "tls12")]
542 {
543 self.provider.fips() && self.require_ems
544 }
545
546 #[cfg(not(feature = "tls12"))]
547 {
548 self.provider.fips()
549 }
550 }
551
552 /// Return the crypto provider used to construct this client configuration.
553 pub fn crypto_provider(&self) -> &Arc<CryptoProvider> {
554 &self.provider
555 }
556
557 /// We support a given TLS version if it's quoted in the configured
558 /// versions *and* at least one ciphersuite for this version is
559 /// also configured.
560 pub(crate) fn supports_version(&self, v: ProtocolVersion) -> bool {
561 self.versions.contains(v)
562 && self
563 .provider
564 .cipher_suites
565 .iter()
566 .any(|cs| cs.version().version == v)
567 }
568
569 #[cfg(feature = "std")]
570 pub(crate) fn supports_protocol(&self, proto: Protocol) -> bool {
571 self.provider
572 .cipher_suites
573 .iter()
574 .any(|cs| cs.usable_for_protocol(proto))
575 }
576
577 pub(super) fn current_time(&self) -> Result<UnixTime, Error> {
578 self.time_provider
579 .current_time()
580 .ok_or(Error::FailedToGetCurrentTime)
581 }
582}
583
584#[cfg(feature = "std")]
585mod connection {
586 use alloc::boxed::Box;
587 use alloc::vec::Vec;
588 use core::fmt;
589 use core::fmt::{Debug, Formatter};
590 use core::ops::{Deref, DerefMut};
591 use std::io;
592
593 use super::{Accepted, Accepting, EarlyDataState, ServerConfig, ServerConnectionData};
594 use crate::common_state::{CommonState, Context, Side};
595 use crate::conn::{ConnectionCommon, ConnectionCore};
596 use crate::error::Error;
597 use crate::server::hs;
598 use crate::suites::ExtractedSecrets;
599 use crate::sync::Arc;
600 use crate::vecbuf::ChunkVecBuffer;
601
602 /// Allows reading of early data in resumed TLS1.3 connections.
603 ///
604 /// "Early data" is also known as "0-RTT data".
605 ///
606 /// This structure implements [`std::io::Read`].
607 pub struct ReadEarlyData<'a> {
608 early_data: &'a mut EarlyDataState,
609 }
610
611 impl<'a> ReadEarlyData<'a> {
612 fn new(early_data: &'a mut EarlyDataState) -> Self {
613 ReadEarlyData { early_data }
614 }
615 }
616
617 impl io::Read for ReadEarlyData<'_> {
618 fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
619 self.early_data.read(buf)
620 }
621
622 #[cfg(read_buf)]
623 fn read_buf(&mut self, cursor: core::io::BorrowedCursor<'_>) -> io::Result<()> {
624 self.early_data.read_buf(cursor)
625 }
626 }
627
628 /// This represents a single TLS server connection.
629 ///
630 /// Send TLS-protected data to the peer using the `io::Write` trait implementation.
631 /// Read data from the peer using the `io::Read` trait implementation.
632 pub struct ServerConnection {
633 pub(super) inner: ConnectionCommon<ServerConnectionData>,
634 }
635
636 impl ServerConnection {
637 /// Make a new ServerConnection. `config` controls how
638 /// we behave in the TLS protocol.
639 pub fn new(config: Arc<ServerConfig>) -> Result<Self, Error> {
640 Ok(Self {
641 inner: ConnectionCommon::from(ConnectionCore::for_server(config, Vec::new())?),
642 })
643 }
644
645 /// Retrieves the server name, if any, used to select the certificate and
646 /// private key.
647 ///
648 /// This returns `None` until some time after the client's server name indication
649 /// (SNI) extension value is processed during the handshake. It will never be
650 /// `None` when the connection is ready to send or process application data,
651 /// unless the client does not support SNI.
652 ///
653 /// This is useful for application protocols that need to enforce that the
654 /// server name matches an application layer protocol hostname. For
655 /// example, HTTP/1.1 servers commonly expect the `Host:` header field of
656 /// every request on a connection to match the hostname in the SNI extension
657 /// when the client provides the SNI extension.
658 ///
659 /// The server name is also used to match sessions during session resumption.
660 pub fn server_name(&self) -> Option<&str> {
661 self.inner.core.get_sni_str()
662 }
663
664 /// Application-controlled portion of the resumption ticket supplied by the client, if any.
665 ///
666 /// Recovered from the prior session's `set_resumption_data`. Integrity is guaranteed by rustls.
667 ///
668 /// Returns `Some` if and only if a valid resumption ticket has been received from the client.
669 pub fn received_resumption_data(&self) -> Option<&[u8]> {
670 self.inner
671 .core
672 .data
673 .received_resumption_data
674 .as_ref()
675 .map(|x| &x[..])
676 }
677
678 /// Set the resumption data to embed in future resumption tickets supplied to the client.
679 ///
680 /// Defaults to the empty byte string. Must be less than 2^15 bytes to allow room for other
681 /// data. Should be called while `is_handshaking` returns true to ensure all transmitted
682 /// resumption tickets are affected.
683 ///
684 /// Integrity will be assured by rustls, but the data will be visible to the client. If secrecy
685 /// from the client is desired, encrypt the data separately.
686 pub fn set_resumption_data(&mut self, data: &[u8]) {
687 assert!(data.len() < 2usize.pow(15));
688 self.inner.core.data.resumption_data = data.into();
689 }
690
691 /// Explicitly discard early data, notifying the client
692 ///
693 /// Useful if invariants encoded in `received_resumption_data()` cannot be respected.
694 ///
695 /// Must be called while `is_handshaking` is true.
696 pub fn reject_early_data(&mut self) {
697 self.inner.core.reject_early_data()
698 }
699
700 /// Returns an `io::Read` implementer you can read bytes from that are
701 /// received from a client as TLS1.3 0RTT/"early" data, during the handshake.
702 ///
703 /// This returns `None` in many circumstances, such as :
704 ///
705 /// - Early data is disabled if [`ServerConfig::max_early_data_size`] is zero (the default).
706 /// - The session negotiated with the client is not TLS1.3.
707 /// - The client just doesn't support early data.
708 /// - The connection doesn't resume an existing session.
709 /// - The client hasn't sent a full ClientHello yet.
710 pub fn early_data(&mut self) -> Option<ReadEarlyData<'_>> {
711 let data = &mut self.inner.core.data;
712 if data.early_data.was_accepted() {
713 Some(ReadEarlyData::new(&mut data.early_data))
714 } else {
715 None
716 }
717 }
718
719 /// Return true if the connection was made with a `ServerConfig` that is FIPS compatible.
720 ///
721 /// This is different from [`crate::crypto::CryptoProvider::fips()`]:
722 /// it is concerned only with cryptography, whereas this _also_ covers TLS-level
723 /// configuration that NIST recommends, as well as ECH HPKE suites if applicable.
724 pub fn fips(&self) -> bool {
725 self.inner.core.common_state.fips
726 }
727
728 /// Extract secrets, so they can be used when configuring kTLS, for example.
729 /// Should be used with care as it exposes secret key material.
730 pub fn dangerous_extract_secrets(self) -> Result<ExtractedSecrets, Error> {
731 self.inner.dangerous_extract_secrets()
732 }
733 }
734
735 impl Debug for ServerConnection {
736 fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
737 f.debug_struct("ServerConnection")
738 .finish()
739 }
740 }
741
742 impl Deref for ServerConnection {
743 type Target = ConnectionCommon<ServerConnectionData>;
744
745 fn deref(&self) -> &Self::Target {
746 &self.inner
747 }
748 }
749
750 impl DerefMut for ServerConnection {
751 fn deref_mut(&mut self) -> &mut Self::Target {
752 &mut self.inner
753 }
754 }
755
756 impl From<ServerConnection> for crate::Connection {
757 fn from(conn: ServerConnection) -> Self {
758 Self::Server(conn)
759 }
760 }
761
762 /// Handle a server-side connection before configuration is available.
763 ///
764 /// `Acceptor` allows the caller to choose a [`ServerConfig`] after reading
765 /// the [`super::ClientHello`] of an incoming connection. This is useful for servers
766 /// that choose different certificates or cipher suites based on the
767 /// characteristics of the `ClientHello`. In particular it is useful for
768 /// servers that need to do some I/O to load a certificate and its private key
769 /// and don't want to use the blocking interface provided by
770 /// [`super::ResolvesServerCert`].
771 ///
772 /// Create an Acceptor with [`Acceptor::default()`].
773 ///
774 /// # Example
775 ///
776 /// ```no_run
777 /// # #[cfg(feature = "aws_lc_rs")] {
778 /// # fn choose_server_config(
779 /// # _: rustls::server::ClientHello,
780 /// # ) -> std::sync::Arc<rustls::ServerConfig> {
781 /// # unimplemented!();
782 /// # }
783 /// # #[allow(unused_variables)]
784 /// # fn main() {
785 /// use rustls::server::{Acceptor, ServerConfig};
786 /// let listener = std::net::TcpListener::bind("127.0.0.1:0").unwrap();
787 /// for stream in listener.incoming() {
788 /// let mut stream = stream.unwrap();
789 /// let mut acceptor = Acceptor::default();
790 /// let accepted = loop {
791 /// acceptor.read_tls(&mut stream).unwrap();
792 /// if let Some(accepted) = acceptor.accept().unwrap() {
793 /// break accepted;
794 /// }
795 /// };
796 ///
797 /// // For some user-defined choose_server_config:
798 /// let config = choose_server_config(accepted.client_hello());
799 /// let conn = accepted
800 /// .into_connection(config)
801 /// .unwrap();
802 ///
803 /// // Proceed with handling the ServerConnection.
804 /// }
805 /// # }
806 /// # }
807 /// ```
808 pub struct Acceptor {
809 inner: Option<ConnectionCommon<ServerConnectionData>>,
810 }
811
812 impl Default for Acceptor {
813 /// Return an empty Acceptor, ready to receive bytes from a new client connection.
814 fn default() -> Self {
815 Self {
816 inner: Some(
817 ConnectionCore::new(
818 Box::new(Accepting),
819 ServerConnectionData::default(),
820 CommonState::new(Side::Server),
821 )
822 .into(),
823 ),
824 }
825 }
826 }
827
828 impl Acceptor {
829 /// Read TLS content from `rd`.
830 ///
831 /// Returns an error if this `Acceptor` has already yielded an [`Accepted`]. For more details,
832 /// refer to [`Connection::read_tls()`].
833 ///
834 /// [`Connection::read_tls()`]: crate::Connection::read_tls
835 pub fn read_tls(&mut self, rd: &mut dyn io::Read) -> Result<usize, io::Error> {
836 match &mut self.inner {
837 Some(conn) => conn.read_tls(rd),
838 None => Err(io::Error::new(
839 io::ErrorKind::Other,
840 "acceptor cannot read after successful acceptance",
841 )),
842 }
843 }
844
845 /// Check if a `ClientHello` message has been received.
846 ///
847 /// Returns `Ok(None)` if the complete `ClientHello` has not yet been received.
848 /// Do more I/O and then call this function again.
849 ///
850 /// Returns `Ok(Some(accepted))` if the connection has been accepted. Call
851 /// `accepted.into_connection()` to continue. Do not call this function again.
852 ///
853 /// Returns `Err((err, alert))` if an error occurred. If an alert is returned, the
854 /// application should call `alert.write()` to send the alert to the client. It should
855 /// not call `accept()` again.
856 pub fn accept(&mut self) -> Result<Option<Accepted>, (Error, AcceptedAlert)> {
857 let Some(mut connection) = self.inner.take() else {
858 return Err((
859 Error::General("Acceptor polled after completion".into()),
860 AcceptedAlert::empty(),
861 ));
862 };
863
864 let message = match connection.first_handshake_message() {
865 Ok(Some(msg)) => msg,
866 Ok(None) => {
867 self.inner = Some(connection);
868 return Ok(None);
869 }
870 Err(err) => return Err((err, AcceptedAlert::from(connection))),
871 };
872
873 let mut cx = Context::from(&mut connection);
874 let sig_schemes = match hs::process_client_hello(&message, false, &mut cx) {
875 Ok((_, sig_schemes)) => sig_schemes,
876 Err(err) => {
877 return Err((err, AcceptedAlert::from(connection)));
878 }
879 };
880
881 Ok(Some(Accepted {
882 connection,
883 message,
884 sig_schemes,
885 }))
886 }
887 }
888
889 /// Represents a TLS alert resulting from handling the client's `ClientHello` message.
890 ///
891 /// When [`Acceptor::accept()`] returns an error, it yields an `AcceptedAlert` such that the
892 /// application can communicate failure to the client via [`AcceptedAlert::write()`].
893 pub struct AcceptedAlert(ChunkVecBuffer);
894
895 impl AcceptedAlert {
896 pub(super) fn empty() -> Self {
897 Self(ChunkVecBuffer::new(None))
898 }
899
900 /// Send the alert to the client.
901 ///
902 /// To account for short writes this function should be called repeatedly until it
903 /// returns `Ok(0)` or an error.
904 pub fn write(&mut self, wr: &mut dyn io::Write) -> Result<usize, io::Error> {
905 self.0.write_to(wr)
906 }
907
908 /// Send the alert to the client.
909 ///
910 /// This function will invoke the writer until the buffer is empty.
911 pub fn write_all(&mut self, wr: &mut dyn io::Write) -> Result<(), io::Error> {
912 while self.write(wr)? != 0 {}
913 Ok(())
914 }
915 }
916
917 impl From<ConnectionCommon<ServerConnectionData>> for AcceptedAlert {
918 fn from(conn: ConnectionCommon<ServerConnectionData>) -> Self {
919 Self(conn.core.common_state.sendable_tls)
920 }
921 }
922
923 impl Debug for AcceptedAlert {
924 fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
925 f.debug_struct("AcceptedAlert").finish()
926 }
927 }
928}
929
930#[cfg(feature = "std")]
931pub use connection::{AcceptedAlert, Acceptor, ReadEarlyData, ServerConnection};
932
933/// Unbuffered version of `ServerConnection`
934///
935/// See the [`crate::unbuffered`] module docs for more details
936pub struct UnbufferedServerConnection {
937 inner: UnbufferedConnectionCommon<ServerConnectionData>,
938}
939
940impl UnbufferedServerConnection {
941 /// Make a new ServerConnection. `config` controls how we behave in the TLS protocol.
942 pub fn new(config: Arc<ServerConfig>) -> Result<Self, Error> {
943 Ok(Self {
944 inner: UnbufferedConnectionCommon::from(ConnectionCore::for_server(
945 config,
946 Vec::new(),
947 )?),
948 })
949 }
950
951 /// Extract secrets, so they can be used when configuring kTLS, for example.
952 /// Should be used with care as it exposes secret key material.
953 #[deprecated = "dangerous_extract_secrets() does not support session tickets or \
954 key updates, use dangerous_into_kernel_connection() instead"]
955 pub fn dangerous_extract_secrets(self) -> Result<ExtractedSecrets, Error> {
956 self.inner.dangerous_extract_secrets()
957 }
958
959 /// Extract secrets and an [`KernelConnection`] object.
960 ///
961 /// This allows you use rustls to manage keys and then manage encryption and
962 /// decryption yourself (e.g. for kTLS).
963 ///
964 /// Should be used with care as it exposes secret key material.
965 ///
966 /// See the [`crate::kernel`] documentations for details on prerequisites
967 /// for calling this method.
968 pub fn dangerous_into_kernel_connection(
969 self,
970 ) -> Result<(ExtractedSecrets, KernelConnection<ServerConnectionData>), Error> {
971 self.inner
972 .core
973 .dangerous_into_kernel_connection()
974 }
975}
976
977impl Deref for UnbufferedServerConnection {
978 type Target = UnbufferedConnectionCommon<ServerConnectionData>;
979
980 fn deref(&self) -> &Self::Target {
981 &self.inner
982 }
983}
984
985impl DerefMut for UnbufferedServerConnection {
986 fn deref_mut(&mut self) -> &mut Self::Target {
987 &mut self.inner
988 }
989}
990
991impl UnbufferedConnectionCommon<ServerConnectionData> {
992 pub(crate) fn pop_early_data(&mut self) -> Option<Vec<u8>> {
993 self.core.data.early_data.pop()
994 }
995
996 pub(crate) fn peek_early_data(&self) -> Option<&[u8]> {
997 self.core.data.early_data.peek()
998 }
999}
1000
1001/// Represents a `ClientHello` message received through the [`Acceptor`].
1002///
1003/// Contains the state required to resume the connection through [`Accepted::into_connection()`].
1004pub struct Accepted {
1005 connection: ConnectionCommon<ServerConnectionData>,
1006 message: Message<'static>,
1007 sig_schemes: Vec<SignatureScheme>,
1008}
1009
1010impl Accepted {
1011 /// Get the [`ClientHello`] for this connection.
1012 pub fn client_hello(&self) -> ClientHello<'_> {
1013 let payload = Self::client_hello_payload(&self.message);
1014 let ch = ClientHello {
1015 server_name: &self.connection.core.data.sni,
1016 signature_schemes: &self.sig_schemes,
1017 alpn: payload.alpn_extension(),
1018 server_cert_types: payload.server_certificate_extension(),
1019 client_cert_types: payload.client_certificate_extension(),
1020 cipher_suites: &payload.cipher_suites,
1021 certificate_authorities: payload.certificate_authorities_extension(),
1022 named_groups: payload.namedgroups_extension(),
1023 };
1024
1025 trace!("Accepted::client_hello(): {ch:#?}");
1026 ch
1027 }
1028
1029 /// Convert the [`Accepted`] into a [`ServerConnection`].
1030 ///
1031 /// Takes the state returned from [`Acceptor::accept()`] as well as the [`ServerConfig`] and
1032 /// [`sign::CertifiedKey`] that should be used for the session. Returns an error if
1033 /// configuration-dependent validation of the received `ClientHello` message fails.
1034 #[cfg(feature = "std")]
1035 pub fn into_connection(
1036 mut self,
1037 config: Arc<ServerConfig>,
1038 ) -> Result<ServerConnection, (Error, AcceptedAlert)> {
1039 if let Err(err) = self
1040 .connection
1041 .set_max_fragment_size(config.max_fragment_size)
1042 {
1043 // We have a connection here, but it won't contain an alert since the error
1044 // is with the fragment size configured in the `ServerConfig`.
1045 return Err((err, AcceptedAlert::empty()));
1046 }
1047
1048 self.connection.enable_secret_extraction = config.enable_secret_extraction;
1049
1050 let state = hs::ExpectClientHello::new(config, Vec::new());
1051 let mut cx = hs::ServerContext::from(&mut self.connection);
1052
1053 let ch = Self::client_hello_payload(&self.message);
1054 let new = match state.with_certified_key(self.sig_schemes, ch, &self.message, &mut cx) {
1055 Ok(new) => new,
1056 Err(err) => return Err((err, AcceptedAlert::from(self.connection))),
1057 };
1058
1059 self.connection.replace_state(new);
1060 Ok(ServerConnection {
1061 inner: self.connection,
1062 })
1063 }
1064
1065 fn client_hello_payload<'a>(message: &'a Message<'_>) -> &'a ClientHelloPayload {
1066 match &message.payload {
1067 crate::msgs::message::MessagePayload::Handshake { parsed, .. } => match &parsed.0 {
1068 crate::msgs::handshake::HandshakePayload::ClientHello(ch) => ch,
1069 _ => unreachable!(),
1070 },
1071 _ => unreachable!(),
1072 }
1073 }
1074}
1075
1076impl Debug for Accepted {
1077 fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
1078 f.debug_struct("Accepted").finish()
1079 }
1080}
1081
1082#[cfg(feature = "std")]
1083struct Accepting;
1084
1085#[cfg(feature = "std")]
1086impl State<ServerConnectionData> for Accepting {
1087 fn handle<'m>(
1088 self: Box<Self>,
1089 _cx: &mut hs::ServerContext<'_>,
1090 _m: Message<'m>,
1091 ) -> Result<Box<dyn State<ServerConnectionData> + 'm>, Error>
1092 where
1093 Self: 'm,
1094 {
1095 Err(Error::General("unreachable state".into()))
1096 }
1097
1098 fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
1099 self
1100 }
1101}
1102
1103pub(super) enum EarlyDataState {
1104 New,
1105 Accepted {
1106 received: ChunkVecBuffer,
1107 left: usize,
1108 },
1109 Rejected,
1110}
1111
1112impl Default for EarlyDataState {
1113 fn default() -> Self {
1114 Self::New
1115 }
1116}
1117
1118impl EarlyDataState {
1119 pub(super) fn reject(&mut self) {
1120 *self = Self::Rejected;
1121 }
1122
1123 pub(super) fn accept(&mut self, max_size: usize) {
1124 *self = Self::Accepted {
1125 received: ChunkVecBuffer::new(Some(max_size)),
1126 left: max_size,
1127 };
1128 }
1129
1130 #[cfg(feature = "std")]
1131 fn was_accepted(&self) -> bool {
1132 matches!(self, Self::Accepted { .. })
1133 }
1134
1135 pub(super) fn was_rejected(&self) -> bool {
1136 matches!(self, Self::Rejected)
1137 }
1138
1139 fn peek(&self) -> Option<&[u8]> {
1140 match self {
1141 Self::Accepted { received, .. } => received.peek(),
1142 _ => None,
1143 }
1144 }
1145
1146 fn pop(&mut self) -> Option<Vec<u8>> {
1147 match self {
1148 Self::Accepted { received, .. } => received.pop(),
1149 _ => None,
1150 }
1151 }
1152
1153 #[cfg(feature = "std")]
1154 fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
1155 match self {
1156 Self::Accepted { received, .. } => received.read(buf),
1157 _ => Err(io::Error::from(io::ErrorKind::BrokenPipe)),
1158 }
1159 }
1160
1161 #[cfg(read_buf)]
1162 fn read_buf(&mut self, cursor: core::io::BorrowedCursor<'_>) -> io::Result<()> {
1163 match self {
1164 Self::Accepted { received, .. } => received.read_buf(cursor),
1165 _ => Err(io::Error::from(io::ErrorKind::BrokenPipe)),
1166 }
1167 }
1168
1169 pub(super) fn take_received_plaintext(&mut self, bytes: Payload<'_>) -> bool {
1170 let available = bytes.bytes().len();
1171 let Self::Accepted { received, left } = self else {
1172 return false;
1173 };
1174
1175 if received.apply_limit(available) != available || available > *left {
1176 return false;
1177 }
1178
1179 received.append(bytes.into_vec());
1180 *left -= available;
1181 true
1182 }
1183}
1184
1185impl Debug for EarlyDataState {
1186 fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
1187 match self {
1188 Self::New => write!(f, "EarlyDataState::New"),
1189 Self::Accepted { received, left } => write!(
1190 f,
1191 "EarlyDataState::Accepted {{ received: {}, left: {} }}",
1192 received.len(),
1193 left
1194 ),
1195 Self::Rejected => write!(f, "EarlyDataState::Rejected"),
1196 }
1197 }
1198}
1199
1200impl ConnectionCore<ServerConnectionData> {
1201 pub(crate) fn for_server(
1202 config: Arc<ServerConfig>,
1203 extra_exts: Vec<ServerExtension>,
1204 ) -> Result<Self, Error> {
1205 let mut common = CommonState::new(Side::Server);
1206 common.set_max_fragment_size(config.max_fragment_size)?;
1207 common.enable_secret_extraction = config.enable_secret_extraction;
1208 common.fips = config.fips();
1209 Ok(Self::new(
1210 Box::new(hs::ExpectClientHello::new(config, extra_exts)),
1211 ServerConnectionData::default(),
1212 common,
1213 ))
1214 }
1215
1216 #[cfg(feature = "std")]
1217 pub(crate) fn reject_early_data(&mut self) {
1218 assert!(
1219 self.common_state.is_handshaking(),
1220 "cannot retroactively reject early data"
1221 );
1222 self.data.early_data.reject();
1223 }
1224
1225 #[cfg(feature = "std")]
1226 pub(crate) fn get_sni_str(&self) -> Option<&str> {
1227 self.data.get_sni_str()
1228 }
1229}
1230
1231/// State associated with a server connection.
1232#[derive(Default, Debug)]
1233pub struct ServerConnectionData {
1234 pub(super) sni: Option<DnsName<'static>>,
1235 pub(super) received_resumption_data: Option<Vec<u8>>,
1236 pub(super) resumption_data: Vec<u8>,
1237 pub(super) early_data: EarlyDataState,
1238}
1239
1240impl ServerConnectionData {
1241 #[cfg(feature = "std")]
1242 pub(super) fn get_sni_str(&self) -> Option<&str> {
1243 self.sni.as_ref().map(AsRef::as_ref)
1244 }
1245}
1246
1247impl crate::conn::SideData for ServerConnectionData {}
1248
1249#[cfg(feature = "std")]
1250#[cfg(test)]
1251mod tests {
1252 use std::format;
1253
1254 use super::*;
1255
1256 // these branches not reachable externally, unless something else goes wrong.
1257 #[test]
1258 fn test_read_in_new_state() {
1259 assert_eq!(
1260 format!("{:?}", EarlyDataState::default().read(&mut [0u8; 5])),
1261 "Err(Kind(BrokenPipe))"
1262 );
1263 }
1264
1265 #[cfg(read_buf)]
1266 #[test]
1267 fn test_read_buf_in_new_state() {
1268 use core::io::BorrowedBuf;
1269
1270 let mut buf = [0u8; 5];
1271 let mut buf: BorrowedBuf<'_> = buf.as_mut_slice().into();
1272 assert_eq!(
1273 format!("{:?}", EarlyDataState::default().read_buf(buf.unfilled())),
1274 "Err(Kind(BrokenPipe))"
1275 );
1276 }
1277}