rustls/server/
server_conn.rs

1use alloc::boxed::Box;
2use alloc::vec::Vec;
3use core::fmt;
4use core::fmt::{Debug, Formatter};
5use core::marker::PhantomData;
6use core::ops::{Deref, DerefMut};
7#[cfg(feature = "std")]
8use std::io;
9
10use pki_types::{DnsName, UnixTime};
11
12use super::hs;
13#[cfg(feature = "std")]
14use crate::WantsVerifier;
15use crate::builder::ConfigBuilder;
16use crate::common_state::{CommonState, Side};
17#[cfg(feature = "std")]
18use crate::common_state::{Protocol, State};
19use crate::conn::{ConnectionCommon, ConnectionCore, UnbufferedConnectionCommon};
20#[cfg(doc)]
21use crate::crypto;
22use crate::crypto::CryptoProvider;
23use crate::enums::{CertificateType, CipherSuite, ProtocolVersion, SignatureScheme};
24use crate::error::Error;
25use crate::kernel::KernelConnection;
26use crate::log::trace;
27use crate::msgs::base::Payload;
28use crate::msgs::handshake::{ClientHelloPayload, ProtocolName, ServerExtension};
29use crate::msgs::message::Message;
30use crate::suites::ExtractedSecrets;
31use crate::sync::Arc;
32#[cfg(feature = "std")]
33use crate::time_provider::DefaultTimeProvider;
34use crate::time_provider::TimeProvider;
35use crate::vecbuf::ChunkVecBuffer;
36use crate::{
37    DistinguishedName, KeyLog, NamedGroup, WantsVersions, compress, sign, verify, versions,
38};
39
40/// A trait for the ability to store server session data.
41///
42/// The keys and values are opaque.
43///
44/// Inserted keys are randomly chosen by the library and have
45/// no internal structure (in other words, you may rely on all
46/// bits being uniformly random).  Queried keys are untrusted data.
47///
48/// Both the keys and values should be treated as
49/// **highly sensitive data**, containing enough key material
50/// to break all security of the corresponding sessions.
51///
52/// Implementations can be lossy (in other words, forgetting
53/// key/value pairs) without any negative security consequences.
54///
55/// However, note that `take` **must** reliably delete a returned
56/// value.  If it does not, there may be security consequences.
57///
58/// `put` and `take` are mutating operations; this isn't expressed
59/// in the type system to allow implementations freedom in
60/// how to achieve interior mutability.  `Mutex` is a common
61/// choice.
62pub trait StoresServerSessions: Debug + Send + Sync {
63    /// Store session secrets encoded in `value` against `key`,
64    /// overwrites any existing value against `key`.  Returns `true`
65    /// if the value was stored.
66    fn put(&self, key: Vec<u8>, value: Vec<u8>) -> bool;
67
68    /// Find a value with the given `key`.  Return it, or None
69    /// if it doesn't exist.
70    fn get(&self, key: &[u8]) -> Option<Vec<u8>>;
71
72    /// Find a value with the given `key`.  Return it and delete it;
73    /// or None if it doesn't exist.
74    fn take(&self, key: &[u8]) -> Option<Vec<u8>>;
75
76    /// Whether the store can cache another session. This is used to indicate to clients
77    /// whether their session can be resumed; the implementation is not required to remember
78    /// a session even if it returns `true` here.
79    fn can_cache(&self) -> bool;
80}
81
82/// A trait for the ability to encrypt and decrypt tickets.
83pub trait ProducesTickets: Debug + Send + Sync {
84    /// Returns true if this implementation will encrypt/decrypt
85    /// tickets.  Should return false if this is a dummy
86    /// implementation: the server will not send the SessionTicket
87    /// extension and will not call the other functions.
88    fn enabled(&self) -> bool;
89
90    /// Returns the lifetime in seconds of tickets produced now.
91    /// The lifetime is provided as a hint to clients that the
92    /// ticket will not be useful after the given time.
93    ///
94    /// This lifetime must be implemented by key rolling and
95    /// erasure, *not* by storing a lifetime in the ticket.
96    ///
97    /// The objective is to limit damage to forward secrecy caused
98    /// by tickets, not just limiting their lifetime.
99    fn lifetime(&self) -> u32;
100
101    /// Encrypt and authenticate `plain`, returning the resulting
102    /// ticket.  Return None if `plain` cannot be encrypted for
103    /// some reason: an empty ticket will be sent and the connection
104    /// will continue.
105    fn encrypt(&self, plain: &[u8]) -> Option<Vec<u8>>;
106
107    /// Decrypt `cipher`, validating its authenticity protection
108    /// and recovering the plaintext.  `cipher` is fully attacker
109    /// controlled, so this decryption must be side-channel free,
110    /// panic-proof, and otherwise bullet-proof.  If the decryption
111    /// fails, return None.
112    fn decrypt(&self, cipher: &[u8]) -> Option<Vec<u8>>;
113}
114
115/// How to choose a certificate chain and signing key for use
116/// in server authentication.
117///
118/// This is suitable when selecting a certificate does not require
119/// I/O or when the application is using blocking I/O anyhow.
120///
121/// For applications that use async I/O and need to do I/O to choose
122/// a certificate (for instance, fetching a certificate from a data store),
123/// the [`Acceptor`] interface is more suitable.
124pub trait ResolvesServerCert: Debug + Send + Sync {
125    /// Choose a certificate chain and matching key given simplified
126    /// ClientHello information.
127    ///
128    /// Return `None` to abort the handshake.
129    fn resolve(&self, client_hello: ClientHello<'_>) -> Option<Arc<sign::CertifiedKey>>;
130
131    /// Return true when the server only supports raw public keys.
132    fn only_raw_public_keys(&self) -> bool {
133        false
134    }
135}
136
137/// A struct representing the received Client Hello
138#[derive(Debug)]
139pub struct ClientHello<'a> {
140    pub(super) server_name: &'a Option<DnsName<'a>>,
141    pub(super) signature_schemes: &'a [SignatureScheme],
142    pub(super) alpn: Option<&'a Vec<ProtocolName>>,
143    pub(super) server_cert_types: Option<&'a [CertificateType]>,
144    pub(super) client_cert_types: Option<&'a [CertificateType]>,
145    pub(super) cipher_suites: &'a [CipherSuite],
146    /// The [certificate_authorities] extension, if it was sent by the client.
147    ///
148    /// [certificate_authorities]: https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4
149    pub(super) certificate_authorities: Option<&'a [DistinguishedName]>,
150    pub(super) named_groups: Option<&'a [NamedGroup]>,
151}
152
153impl<'a> ClientHello<'a> {
154    /// Get the server name indicator.
155    ///
156    /// Returns `None` if the client did not supply a SNI.
157    pub fn server_name(&self) -> Option<&str> {
158        self.server_name
159            .as_ref()
160            .map(<DnsName<'_> as AsRef<str>>::as_ref)
161    }
162
163    /// Get the compatible signature schemes.
164    ///
165    /// Returns standard-specified default if the client omitted this extension.
166    pub fn signature_schemes(&self) -> &[SignatureScheme] {
167        self.signature_schemes
168    }
169
170    /// Get the ALPN protocol identifiers submitted by the client.
171    ///
172    /// Returns `None` if the client did not include an ALPN extension.
173    ///
174    /// Application Layer Protocol Negotiation (ALPN) is a TLS extension that lets a client
175    /// submit a set of identifiers that each a represent an application-layer protocol.
176    /// The server will then pick its preferred protocol from the set submitted by the client.
177    /// Each identifier is represented as a byte array, although common values are often ASCII-encoded.
178    /// See the official RFC-7301 specifications at <https://datatracker.ietf.org/doc/html/rfc7301>
179    /// for more information on ALPN.
180    ///
181    /// For example, a HTTP client might specify "http/1.1" and/or "h2". Other well-known values
182    /// are listed in the at IANA registry at
183    /// <https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids>.
184    ///
185    /// The server can specify supported ALPN protocols by setting [`ServerConfig::alpn_protocols`].
186    /// During the handshake, the server will select the first protocol configured that the client supports.
187    pub fn alpn(&self) -> Option<impl Iterator<Item = &'a [u8]>> {
188        self.alpn.map(|protocols| {
189            protocols
190                .iter()
191                .map(|proto| proto.as_ref())
192        })
193    }
194
195    /// Get cipher suites.
196    pub fn cipher_suites(&self) -> &[CipherSuite] {
197        self.cipher_suites
198    }
199
200    /// Get the server certificate types offered in the ClientHello.
201    ///
202    /// Returns `None` if the client did not include a certificate type extension.
203    pub fn server_cert_types(&self) -> Option<&'a [CertificateType]> {
204        self.server_cert_types
205    }
206
207    /// Get the client certificate types offered in the ClientHello.
208    ///
209    /// Returns `None` if the client did not include a certificate type extension.
210    pub fn client_cert_types(&self) -> Option<&'a [CertificateType]> {
211        self.client_cert_types
212    }
213
214    /// Get the [certificate_authorities] extension sent by the client.
215    ///
216    /// Returns `None` if the client did not send this extension.
217    ///
218    /// [certificate_authorities]: https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4
219    pub fn certificate_authorities(&self) -> Option<&'a [DistinguishedName]> {
220        self.certificate_authorities
221    }
222
223    /// Get the [`named_groups`] extension sent by the client.
224    ///
225    /// This means different things in different versions of TLS:
226    ///
227    /// Originally it was introduced as the "[`elliptic_curves`]" extension for TLS1.2.
228    /// It described the elliptic curves supported by a client for all purposes: key
229    /// exchange, signature verification (for server authentication), and signing (for
230    /// client auth).  Later [RFC7919] extended this to include FFDHE "named groups",
231    /// but FFDHE groups in this context only relate to key exchange.
232    ///
233    /// In TLS1.3 it was renamed to "[`named_groups`]" and now describes all types
234    /// of key exchange mechanisms, and does not relate at all to elliptic curves
235    /// used for signatures.
236    ///
237    /// [`elliptic_curves`]: https://datatracker.ietf.org/doc/html/rfc4492#section-5.1.1
238    /// [RFC7919]: https://datatracker.ietf.org/doc/html/rfc7919#section-2
239    /// [`named_groups`]:https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.7
240    pub fn named_groups(&self) -> Option<&'a [NamedGroup]> {
241        self.named_groups
242    }
243}
244
245/// Common configuration for a set of server sessions.
246///
247/// Making one of these is cheap, though one of the inputs may be expensive: gathering trust roots
248/// from the operating system to add to the [`RootCertStore`] passed to a `ClientCertVerifier`
249/// builder may take on the order of a few hundred milliseconds.
250///
251/// These must be created via the [`ServerConfig::builder()`] or [`ServerConfig::builder_with_provider()`]
252/// function.
253///
254/// # Defaults
255///
256/// * [`ServerConfig::max_fragment_size`]: the default is `None` (meaning 16kB).
257/// * [`ServerConfig::session_storage`]: if the `std` feature is enabled, the default stores 256
258///   sessions in memory. If the `std` feature is not enabled, the default is to not store any
259///   sessions. In a no-std context, by enabling the `hashbrown` feature you may provide your
260///   own `session_storage` using [`ServerSessionMemoryCache`] and a `crate::lock::MakeMutex`
261///   implementation.
262/// * [`ServerConfig::alpn_protocols`]: the default is empty -- no ALPN protocol is negotiated.
263/// * [`ServerConfig::key_log`]: key material is not logged.
264/// * [`ServerConfig::send_tls13_tickets`]: 2 tickets are sent.
265/// * [`ServerConfig::cert_compressors`]: depends on the crate features, see [`compress::default_cert_compressors()`].
266/// * [`ServerConfig::cert_compression_cache`]: caches the most recently used 4 compressions
267/// * [`ServerConfig::cert_decompressors`]: depends on the crate features, see [`compress::default_cert_decompressors()`].
268///
269/// # Sharing resumption storage between `ServerConfig`s
270///
271/// In a program using many `ServerConfig`s it may improve resumption rates
272/// (which has a significant impact on connection performance) if those
273/// configs share [`ServerConfig::session_storage`] or [`ServerConfig::ticketer`].
274///
275/// However, caution is needed: other fields influence the security of a session
276/// and resumption between them can be surprising.  If sharing
277/// [`ServerConfig::session_storage`] or [`ServerConfig::ticketer`] between two
278/// `ServerConfig`s, you should also evaluate the following fields and ensure
279/// they are equivalent:
280///
281/// * `ServerConfig::verifier` -- client authentication requirements,
282/// * [`ServerConfig::cert_resolver`] -- server identities.
283///
284/// To illustrate, imagine two `ServerConfig`s `A` and `B`.  `A` requires
285/// client authentication, `B` does not.  If `A` and `B` shared a resumption store,
286/// it would be possible for a session originated by `B` (that is, an unauthenticated client)
287/// to be inserted into the store, and then resumed by `A`.  This would give a false
288/// impression to the user of `A` that the client was authenticated.  This is possible
289/// whether the resumption is performed statefully (via [`ServerConfig::session_storage`])
290/// or statelessly (via [`ServerConfig::ticketer`]).
291///
292/// _Unlike_ `ClientConfig`, rustls does not enforce any policy here.
293///
294/// [`RootCertStore`]: crate::RootCertStore
295/// [`ServerSessionMemoryCache`]: crate::server::handy::ServerSessionMemoryCache
296#[derive(Clone, Debug)]
297pub struct ServerConfig {
298    /// Source of randomness and other crypto.
299    pub(super) provider: Arc<CryptoProvider>,
300
301    /// Ignore the client's ciphersuite order. Instead,
302    /// choose the top ciphersuite in the server list
303    /// which is supported by the client.
304    pub ignore_client_order: bool,
305
306    /// The maximum size of plaintext input to be emitted in a single TLS record.
307    /// A value of None is equivalent to the [TLS maximum] of 16 kB.
308    ///
309    /// rustls enforces an arbitrary minimum of 32 bytes for this field.
310    /// Out of range values are reported as errors from [ServerConnection::new].
311    ///
312    /// Setting this value to a little less than the TCP MSS may improve latency
313    /// for stream-y workloads.
314    ///
315    /// [TLS maximum]: https://datatracker.ietf.org/doc/html/rfc8446#section-5.1
316    /// [ServerConnection::new]: crate::server::ServerConnection::new
317    pub max_fragment_size: Option<usize>,
318
319    /// How to store client sessions.
320    ///
321    /// See [ServerConfig#sharing-resumption-storage-between-serverconfigs]
322    /// for a warning related to this field.
323    pub session_storage: Arc<dyn StoresServerSessions>,
324
325    /// How to produce tickets.
326    ///
327    /// See [ServerConfig#sharing-resumption-storage-between-serverconfigs]
328    /// for a warning related to this field.
329    pub ticketer: Arc<dyn ProducesTickets>,
330
331    /// How to choose a server cert and key. This is usually set by
332    /// [ConfigBuilder::with_single_cert] or [ConfigBuilder::with_cert_resolver].
333    /// For async applications, see also [Acceptor].
334    pub cert_resolver: Arc<dyn ResolvesServerCert>,
335
336    /// Protocol names we support, most preferred first.
337    /// If empty we don't do ALPN at all.
338    pub alpn_protocols: Vec<Vec<u8>>,
339
340    /// Supported protocol versions, in no particular order.
341    /// The default is all supported versions.
342    pub(super) versions: versions::EnabledVersions,
343
344    /// How to verify client certificates.
345    pub(super) verifier: Arc<dyn verify::ClientCertVerifier>,
346
347    /// How to output key material for debugging.  The default
348    /// does nothing.
349    pub key_log: Arc<dyn KeyLog>,
350
351    /// Allows traffic secrets to be extracted after the handshake,
352    /// e.g. for kTLS setup.
353    pub enable_secret_extraction: bool,
354
355    /// Amount of early data to accept for sessions created by
356    /// this config.  Specify 0 to disable early data.  The
357    /// default is 0.
358    ///
359    /// Read the early data via [`ServerConnection::early_data`].
360    ///
361    /// The units for this are _both_ plaintext bytes, _and_ ciphertext
362    /// bytes, depending on whether the server accepts a client's early_data
363    /// or not.  It is therefore recommended to include some slop in
364    /// this value to account for the unknown amount of ciphertext
365    /// expansion in the latter case.
366    pub max_early_data_size: u32,
367
368    /// Whether the server should send "0.5RTT" data.  This means the server
369    /// sends data after its first flight of handshake messages, without
370    /// waiting for the client to complete the handshake.
371    ///
372    /// This can improve TTFB latency for either server-speaks-first protocols,
373    /// or client-speaks-first protocols when paired with "0RTT" data.  This
374    /// comes at the cost of a subtle weakening of the normal handshake
375    /// integrity guarantees that TLS provides.  Note that the initial
376    /// `ClientHello` is indirectly authenticated because it is included
377    /// in the transcript used to derive the keys used to encrypt the data.
378    ///
379    /// This only applies to TLS1.3 connections.  TLS1.2 connections cannot
380    /// do this optimisation and this setting is ignored for them.  It is
381    /// also ignored for TLS1.3 connections that even attempt client
382    /// authentication.
383    ///
384    /// This defaults to false.  This means the first application data
385    /// sent by the server comes after receiving and validating the client's
386    /// handshake up to the `Finished` message.  This is the safest option.
387    pub send_half_rtt_data: bool,
388
389    /// How many TLS1.3 tickets to send immediately after a successful
390    /// handshake.
391    ///
392    /// Because TLS1.3 tickets are single-use, this allows
393    /// a client to perform multiple resumptions.
394    ///
395    /// The default is 2.
396    ///
397    /// If this is 0, no tickets are sent and clients will not be able to
398    /// do any resumption.
399    pub send_tls13_tickets: usize,
400
401    /// If set to `true`, requires the client to support the extended
402    /// master secret extraction method defined in [RFC 7627].
403    ///
404    /// The default is `true` if the "fips" crate feature is enabled,
405    /// `false` otherwise.
406    ///
407    /// It must be set to `true` to meet FIPS requirement mentioned in section
408    /// **D.Q Transition of the TLS 1.2 KDF to Support the Extended Master
409    /// Secret** from [FIPS 140-3 IG.pdf].
410    ///
411    /// [RFC 7627]: https://datatracker.ietf.org/doc/html/rfc7627
412    /// [FIPS 140-3 IG.pdf]: https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf
413    #[cfg(feature = "tls12")]
414    pub require_ems: bool,
415
416    /// Provides the current system time
417    pub time_provider: Arc<dyn TimeProvider>,
418
419    /// How to compress the server's certificate chain.
420    ///
421    /// If a client supports this extension, and advertises support
422    /// for one of the compression algorithms included here, the
423    /// server certificate will be compressed according to [RFC8779].
424    ///
425    /// This only applies to TLS1.3 connections.  It is ignored for
426    /// TLS1.2 connections.
427    ///
428    /// [RFC8779]: https://datatracker.ietf.org/doc/rfc8879/
429    pub cert_compressors: Vec<&'static dyn compress::CertCompressor>,
430
431    /// Caching for compressed certificates.
432    ///
433    /// This is optional: [`compress::CompressionCache::Disabled`] gives
434    /// a cache that does no caching.
435    pub cert_compression_cache: Arc<compress::CompressionCache>,
436
437    /// How to decompress the clients's certificate chain.
438    ///
439    /// If this is non-empty, the [RFC8779] certificate compression
440    /// extension is offered when requesting client authentication,
441    /// and any compressed certificates are transparently decompressed
442    /// during the handshake.
443    ///
444    /// This only applies to TLS1.3 connections.  It is ignored for
445    /// TLS1.2 connections.
446    ///
447    /// [RFC8779]: https://datatracker.ietf.org/doc/rfc8879/
448    pub cert_decompressors: Vec<&'static dyn compress::CertDecompressor>,
449}
450
451impl ServerConfig {
452    /// Create a builder for a server configuration with
453    /// [the process-default `CryptoProvider`][CryptoProvider#using-the-per-process-default-cryptoprovider]
454    /// and safe protocol version defaults.
455    ///
456    /// For more information, see the [`ConfigBuilder`] documentation.
457    #[cfg(feature = "std")]
458    pub fn builder() -> ConfigBuilder<Self, WantsVerifier> {
459        Self::builder_with_protocol_versions(versions::DEFAULT_VERSIONS)
460    }
461
462    /// Create a builder for a server configuration with
463    /// [the process-default `CryptoProvider`][CryptoProvider#using-the-per-process-default-cryptoprovider]
464    /// and the provided protocol versions.
465    ///
466    /// Panics if
467    /// - the supported versions are not compatible with the provider (eg.
468    ///   the combination of ciphersuites supported by the provider and supported
469    ///   versions lead to zero cipher suites being usable),
470    /// - if a `CryptoProvider` cannot be resolved using a combination of
471    ///   the crate features and process default.
472    ///
473    /// For more information, see the [`ConfigBuilder`] documentation.
474    #[cfg(feature = "std")]
475    pub fn builder_with_protocol_versions(
476        versions: &[&'static versions::SupportedProtocolVersion],
477    ) -> ConfigBuilder<Self, WantsVerifier> {
478        // Safety assumptions:
479        // 1. that the provider has been installed (explicitly or implicitly)
480        // 2. that the process-level default provider is usable with the supplied protocol versions.
481        Self::builder_with_provider(
482            CryptoProvider::get_default_or_install_from_crate_features().clone(),
483        )
484        .with_protocol_versions(versions)
485        .unwrap()
486    }
487
488    /// Create a builder for a server configuration with a specific [`CryptoProvider`].
489    ///
490    /// This will use the provider's configured ciphersuites. You must additionally choose
491    /// which protocol versions to enable, using `with_protocol_versions` or
492    /// `with_safe_default_protocol_versions` and handling the `Result` in case a protocol
493    /// version is not supported by the provider's ciphersuites.
494    ///
495    /// For more information, see the [`ConfigBuilder`] documentation.
496    #[cfg(feature = "std")]
497    pub fn builder_with_provider(
498        provider: Arc<CryptoProvider>,
499    ) -> ConfigBuilder<Self, WantsVersions> {
500        ConfigBuilder {
501            state: WantsVersions {},
502            provider,
503            time_provider: Arc::new(DefaultTimeProvider),
504            side: PhantomData,
505        }
506    }
507
508    /// Create a builder for a server configuration with no default implementation details.
509    ///
510    /// This API must be used by `no_std` users.
511    ///
512    /// You must provide a specific [`TimeProvider`].
513    ///
514    /// You must provide a specific [`CryptoProvider`].
515    ///
516    /// This will use the provider's configured ciphersuites. You must additionally choose
517    /// which protocol versions to enable, using `with_protocol_versions` or
518    /// `with_safe_default_protocol_versions` and handling the `Result` in case a protocol
519    /// version is not supported by the provider's ciphersuites.
520    ///
521    /// For more information, see the [`ConfigBuilder`] documentation.
522    pub fn builder_with_details(
523        provider: Arc<CryptoProvider>,
524        time_provider: Arc<dyn TimeProvider>,
525    ) -> ConfigBuilder<Self, WantsVersions> {
526        ConfigBuilder {
527            state: WantsVersions {},
528            provider,
529            time_provider,
530            side: PhantomData,
531        }
532    }
533
534    /// Return `true` if connections made with this `ServerConfig` will
535    /// operate in FIPS mode.
536    ///
537    /// This is different from [`CryptoProvider::fips()`]: [`CryptoProvider::fips()`]
538    /// is concerned only with cryptography, whereas this _also_ covers TLS-level
539    /// configuration that NIST recommends.
540    pub fn fips(&self) -> bool {
541        #[cfg(feature = "tls12")]
542        {
543            self.provider.fips() && self.require_ems
544        }
545
546        #[cfg(not(feature = "tls12"))]
547        {
548            self.provider.fips()
549        }
550    }
551
552    /// Return the crypto provider used to construct this client configuration.
553    pub fn crypto_provider(&self) -> &Arc<CryptoProvider> {
554        &self.provider
555    }
556
557    /// We support a given TLS version if it's quoted in the configured
558    /// versions *and* at least one ciphersuite for this version is
559    /// also configured.
560    pub(crate) fn supports_version(&self, v: ProtocolVersion) -> bool {
561        self.versions.contains(v)
562            && self
563                .provider
564                .cipher_suites
565                .iter()
566                .any(|cs| cs.version().version == v)
567    }
568
569    #[cfg(feature = "std")]
570    pub(crate) fn supports_protocol(&self, proto: Protocol) -> bool {
571        self.provider
572            .cipher_suites
573            .iter()
574            .any(|cs| cs.usable_for_protocol(proto))
575    }
576
577    pub(super) fn current_time(&self) -> Result<UnixTime, Error> {
578        self.time_provider
579            .current_time()
580            .ok_or(Error::FailedToGetCurrentTime)
581    }
582}
583
584#[cfg(feature = "std")]
585mod connection {
586    use alloc::boxed::Box;
587    use alloc::vec::Vec;
588    use core::fmt;
589    use core::fmt::{Debug, Formatter};
590    use core::ops::{Deref, DerefMut};
591    use std::io;
592
593    use super::{Accepted, Accepting, EarlyDataState, ServerConfig, ServerConnectionData};
594    use crate::common_state::{CommonState, Context, Side};
595    use crate::conn::{ConnectionCommon, ConnectionCore};
596    use crate::error::Error;
597    use crate::server::hs;
598    use crate::suites::ExtractedSecrets;
599    use crate::sync::Arc;
600    use crate::vecbuf::ChunkVecBuffer;
601
602    /// Allows reading of early data in resumed TLS1.3 connections.
603    ///
604    /// "Early data" is also known as "0-RTT data".
605    ///
606    /// This structure implements [`std::io::Read`].
607    pub struct ReadEarlyData<'a> {
608        early_data: &'a mut EarlyDataState,
609    }
610
611    impl<'a> ReadEarlyData<'a> {
612        fn new(early_data: &'a mut EarlyDataState) -> Self {
613            ReadEarlyData { early_data }
614        }
615    }
616
617    impl io::Read for ReadEarlyData<'_> {
618        fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
619            self.early_data.read(buf)
620        }
621
622        #[cfg(read_buf)]
623        fn read_buf(&mut self, cursor: core::io::BorrowedCursor<'_>) -> io::Result<()> {
624            self.early_data.read_buf(cursor)
625        }
626    }
627
628    /// This represents a single TLS server connection.
629    ///
630    /// Send TLS-protected data to the peer using the `io::Write` trait implementation.
631    /// Read data from the peer using the `io::Read` trait implementation.
632    pub struct ServerConnection {
633        pub(super) inner: ConnectionCommon<ServerConnectionData>,
634    }
635
636    impl ServerConnection {
637        /// Make a new ServerConnection.  `config` controls how
638        /// we behave in the TLS protocol.
639        pub fn new(config: Arc<ServerConfig>) -> Result<Self, Error> {
640            Ok(Self {
641                inner: ConnectionCommon::from(ConnectionCore::for_server(config, Vec::new())?),
642            })
643        }
644
645        /// Retrieves the server name, if any, used to select the certificate and
646        /// private key.
647        ///
648        /// This returns `None` until some time after the client's server name indication
649        /// (SNI) extension value is processed during the handshake. It will never be
650        /// `None` when the connection is ready to send or process application data,
651        /// unless the client does not support SNI.
652        ///
653        /// This is useful for application protocols that need to enforce that the
654        /// server name matches an application layer protocol hostname. For
655        /// example, HTTP/1.1 servers commonly expect the `Host:` header field of
656        /// every request on a connection to match the hostname in the SNI extension
657        /// when the client provides the SNI extension.
658        ///
659        /// The server name is also used to match sessions during session resumption.
660        pub fn server_name(&self) -> Option<&str> {
661            self.inner.core.get_sni_str()
662        }
663
664        /// Application-controlled portion of the resumption ticket supplied by the client, if any.
665        ///
666        /// Recovered from the prior session's `set_resumption_data`. Integrity is guaranteed by rustls.
667        ///
668        /// Returns `Some` if and only if a valid resumption ticket has been received from the client.
669        pub fn received_resumption_data(&self) -> Option<&[u8]> {
670            self.inner
671                .core
672                .data
673                .received_resumption_data
674                .as_ref()
675                .map(|x| &x[..])
676        }
677
678        /// Set the resumption data to embed in future resumption tickets supplied to the client.
679        ///
680        /// Defaults to the empty byte string. Must be less than 2^15 bytes to allow room for other
681        /// data. Should be called while `is_handshaking` returns true to ensure all transmitted
682        /// resumption tickets are affected.
683        ///
684        /// Integrity will be assured by rustls, but the data will be visible to the client. If secrecy
685        /// from the client is desired, encrypt the data separately.
686        pub fn set_resumption_data(&mut self, data: &[u8]) {
687            assert!(data.len() < 2usize.pow(15));
688            self.inner.core.data.resumption_data = data.into();
689        }
690
691        /// Explicitly discard early data, notifying the client
692        ///
693        /// Useful if invariants encoded in `received_resumption_data()` cannot be respected.
694        ///
695        /// Must be called while `is_handshaking` is true.
696        pub fn reject_early_data(&mut self) {
697            self.inner.core.reject_early_data()
698        }
699
700        /// Returns an `io::Read` implementer you can read bytes from that are
701        /// received from a client as TLS1.3 0RTT/"early" data, during the handshake.
702        ///
703        /// This returns `None` in many circumstances, such as :
704        ///
705        /// - Early data is disabled if [`ServerConfig::max_early_data_size`] is zero (the default).
706        /// - The session negotiated with the client is not TLS1.3.
707        /// - The client just doesn't support early data.
708        /// - The connection doesn't resume an existing session.
709        /// - The client hasn't sent a full ClientHello yet.
710        pub fn early_data(&mut self) -> Option<ReadEarlyData<'_>> {
711            let data = &mut self.inner.core.data;
712            if data.early_data.was_accepted() {
713                Some(ReadEarlyData::new(&mut data.early_data))
714            } else {
715                None
716            }
717        }
718
719        /// Return true if the connection was made with a `ServerConfig` that is FIPS compatible.
720        ///
721        /// This is different from [`crate::crypto::CryptoProvider::fips()`]:
722        /// it is concerned only with cryptography, whereas this _also_ covers TLS-level
723        /// configuration that NIST recommends, as well as ECH HPKE suites if applicable.
724        pub fn fips(&self) -> bool {
725            self.inner.core.common_state.fips
726        }
727
728        /// Extract secrets, so they can be used when configuring kTLS, for example.
729        /// Should be used with care as it exposes secret key material.
730        pub fn dangerous_extract_secrets(self) -> Result<ExtractedSecrets, Error> {
731            self.inner.dangerous_extract_secrets()
732        }
733    }
734
735    impl Debug for ServerConnection {
736        fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
737            f.debug_struct("ServerConnection")
738                .finish()
739        }
740    }
741
742    impl Deref for ServerConnection {
743        type Target = ConnectionCommon<ServerConnectionData>;
744
745        fn deref(&self) -> &Self::Target {
746            &self.inner
747        }
748    }
749
750    impl DerefMut for ServerConnection {
751        fn deref_mut(&mut self) -> &mut Self::Target {
752            &mut self.inner
753        }
754    }
755
756    impl From<ServerConnection> for crate::Connection {
757        fn from(conn: ServerConnection) -> Self {
758            Self::Server(conn)
759        }
760    }
761
762    /// Handle a server-side connection before configuration is available.
763    ///
764    /// `Acceptor` allows the caller to choose a [`ServerConfig`] after reading
765    /// the [`super::ClientHello`] of an incoming connection. This is useful for servers
766    /// that choose different certificates or cipher suites based on the
767    /// characteristics of the `ClientHello`. In particular it is useful for
768    /// servers that need to do some I/O to load a certificate and its private key
769    /// and don't want to use the blocking interface provided by
770    /// [`super::ResolvesServerCert`].
771    ///
772    /// Create an Acceptor with [`Acceptor::default()`].
773    ///
774    /// # Example
775    ///
776    /// ```no_run
777    /// # #[cfg(feature = "aws_lc_rs")] {
778    /// # fn choose_server_config(
779    /// #     _: rustls::server::ClientHello,
780    /// # ) -> std::sync::Arc<rustls::ServerConfig> {
781    /// #     unimplemented!();
782    /// # }
783    /// # #[allow(unused_variables)]
784    /// # fn main() {
785    /// use rustls::server::{Acceptor, ServerConfig};
786    /// let listener = std::net::TcpListener::bind("127.0.0.1:0").unwrap();
787    /// for stream in listener.incoming() {
788    ///     let mut stream = stream.unwrap();
789    ///     let mut acceptor = Acceptor::default();
790    ///     let accepted = loop {
791    ///         acceptor.read_tls(&mut stream).unwrap();
792    ///         if let Some(accepted) = acceptor.accept().unwrap() {
793    ///             break accepted;
794    ///         }
795    ///     };
796    ///
797    ///     // For some user-defined choose_server_config:
798    ///     let config = choose_server_config(accepted.client_hello());
799    ///     let conn = accepted
800    ///         .into_connection(config)
801    ///         .unwrap();
802    ///
803    ///     // Proceed with handling the ServerConnection.
804    /// }
805    /// # }
806    /// # }
807    /// ```
808    pub struct Acceptor {
809        inner: Option<ConnectionCommon<ServerConnectionData>>,
810    }
811
812    impl Default for Acceptor {
813        /// Return an empty Acceptor, ready to receive bytes from a new client connection.
814        fn default() -> Self {
815            Self {
816                inner: Some(
817                    ConnectionCore::new(
818                        Box::new(Accepting),
819                        ServerConnectionData::default(),
820                        CommonState::new(Side::Server),
821                    )
822                    .into(),
823                ),
824            }
825        }
826    }
827
828    impl Acceptor {
829        /// Read TLS content from `rd`.
830        ///
831        /// Returns an error if this `Acceptor` has already yielded an [`Accepted`]. For more details,
832        /// refer to [`Connection::read_tls()`].
833        ///
834        /// [`Connection::read_tls()`]: crate::Connection::read_tls
835        pub fn read_tls(&mut self, rd: &mut dyn io::Read) -> Result<usize, io::Error> {
836            match &mut self.inner {
837                Some(conn) => conn.read_tls(rd),
838                None => Err(io::Error::new(
839                    io::ErrorKind::Other,
840                    "acceptor cannot read after successful acceptance",
841                )),
842            }
843        }
844
845        /// Check if a `ClientHello` message has been received.
846        ///
847        /// Returns `Ok(None)` if the complete `ClientHello` has not yet been received.
848        /// Do more I/O and then call this function again.
849        ///
850        /// Returns `Ok(Some(accepted))` if the connection has been accepted. Call
851        /// `accepted.into_connection()` to continue. Do not call this function again.
852        ///
853        /// Returns `Err((err, alert))` if an error occurred. If an alert is returned, the
854        /// application should call `alert.write()` to send the alert to the client. It should
855        /// not call `accept()` again.
856        pub fn accept(&mut self) -> Result<Option<Accepted>, (Error, AcceptedAlert)> {
857            let Some(mut connection) = self.inner.take() else {
858                return Err((
859                    Error::General("Acceptor polled after completion".into()),
860                    AcceptedAlert::empty(),
861                ));
862            };
863
864            let message = match connection.first_handshake_message() {
865                Ok(Some(msg)) => msg,
866                Ok(None) => {
867                    self.inner = Some(connection);
868                    return Ok(None);
869                }
870                Err(err) => return Err((err, AcceptedAlert::from(connection))),
871            };
872
873            let mut cx = Context::from(&mut connection);
874            let sig_schemes = match hs::process_client_hello(&message, false, &mut cx) {
875                Ok((_, sig_schemes)) => sig_schemes,
876                Err(err) => {
877                    return Err((err, AcceptedAlert::from(connection)));
878                }
879            };
880
881            Ok(Some(Accepted {
882                connection,
883                message,
884                sig_schemes,
885            }))
886        }
887    }
888
889    /// Represents a TLS alert resulting from handling the client's `ClientHello` message.
890    ///
891    /// When [`Acceptor::accept()`] returns an error, it yields an `AcceptedAlert` such that the
892    /// application can communicate failure to the client via [`AcceptedAlert::write()`].
893    pub struct AcceptedAlert(ChunkVecBuffer);
894
895    impl AcceptedAlert {
896        pub(super) fn empty() -> Self {
897            Self(ChunkVecBuffer::new(None))
898        }
899
900        /// Send the alert to the client.
901        ///
902        /// To account for short writes this function should be called repeatedly until it
903        /// returns `Ok(0)` or an error.
904        pub fn write(&mut self, wr: &mut dyn io::Write) -> Result<usize, io::Error> {
905            self.0.write_to(wr)
906        }
907
908        /// Send the alert to the client.
909        ///
910        /// This function will invoke the writer until the buffer is empty.
911        pub fn write_all(&mut self, wr: &mut dyn io::Write) -> Result<(), io::Error> {
912            while self.write(wr)? != 0 {}
913            Ok(())
914        }
915    }
916
917    impl From<ConnectionCommon<ServerConnectionData>> for AcceptedAlert {
918        fn from(conn: ConnectionCommon<ServerConnectionData>) -> Self {
919            Self(conn.core.common_state.sendable_tls)
920        }
921    }
922
923    impl Debug for AcceptedAlert {
924        fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
925            f.debug_struct("AcceptedAlert").finish()
926        }
927    }
928}
929
930#[cfg(feature = "std")]
931pub use connection::{AcceptedAlert, Acceptor, ReadEarlyData, ServerConnection};
932
933/// Unbuffered version of `ServerConnection`
934///
935/// See the [`crate::unbuffered`] module docs for more details
936pub struct UnbufferedServerConnection {
937    inner: UnbufferedConnectionCommon<ServerConnectionData>,
938}
939
940impl UnbufferedServerConnection {
941    /// Make a new ServerConnection. `config` controls how we behave in the TLS protocol.
942    pub fn new(config: Arc<ServerConfig>) -> Result<Self, Error> {
943        Ok(Self {
944            inner: UnbufferedConnectionCommon::from(ConnectionCore::for_server(
945                config,
946                Vec::new(),
947            )?),
948        })
949    }
950
951    /// Extract secrets, so they can be used when configuring kTLS, for example.
952    /// Should be used with care as it exposes secret key material.
953    #[deprecated = "dangerous_extract_secrets() does not support session tickets or \
954                    key updates, use dangerous_into_kernel_connection() instead"]
955    pub fn dangerous_extract_secrets(self) -> Result<ExtractedSecrets, Error> {
956        self.inner.dangerous_extract_secrets()
957    }
958
959    /// Extract secrets and an [`KernelConnection`] object.
960    ///
961    /// This allows you use rustls to manage keys and then manage encryption and
962    /// decryption yourself (e.g. for kTLS).
963    ///
964    /// Should be used with care as it exposes secret key material.
965    ///
966    /// See the [`crate::kernel`] documentations for details on prerequisites
967    /// for calling this method.
968    pub fn dangerous_into_kernel_connection(
969        self,
970    ) -> Result<(ExtractedSecrets, KernelConnection<ServerConnectionData>), Error> {
971        self.inner
972            .core
973            .dangerous_into_kernel_connection()
974    }
975}
976
977impl Deref for UnbufferedServerConnection {
978    type Target = UnbufferedConnectionCommon<ServerConnectionData>;
979
980    fn deref(&self) -> &Self::Target {
981        &self.inner
982    }
983}
984
985impl DerefMut for UnbufferedServerConnection {
986    fn deref_mut(&mut self) -> &mut Self::Target {
987        &mut self.inner
988    }
989}
990
991impl UnbufferedConnectionCommon<ServerConnectionData> {
992    pub(crate) fn pop_early_data(&mut self) -> Option<Vec<u8>> {
993        self.core.data.early_data.pop()
994    }
995
996    pub(crate) fn peek_early_data(&self) -> Option<&[u8]> {
997        self.core.data.early_data.peek()
998    }
999}
1000
1001/// Represents a `ClientHello` message received through the [`Acceptor`].
1002///
1003/// Contains the state required to resume the connection through [`Accepted::into_connection()`].
1004pub struct Accepted {
1005    connection: ConnectionCommon<ServerConnectionData>,
1006    message: Message<'static>,
1007    sig_schemes: Vec<SignatureScheme>,
1008}
1009
1010impl Accepted {
1011    /// Get the [`ClientHello`] for this connection.
1012    pub fn client_hello(&self) -> ClientHello<'_> {
1013        let payload = Self::client_hello_payload(&self.message);
1014        let ch = ClientHello {
1015            server_name: &self.connection.core.data.sni,
1016            signature_schemes: &self.sig_schemes,
1017            alpn: payload.alpn_extension(),
1018            server_cert_types: payload.server_certificate_extension(),
1019            client_cert_types: payload.client_certificate_extension(),
1020            cipher_suites: &payload.cipher_suites,
1021            certificate_authorities: payload.certificate_authorities_extension(),
1022            named_groups: payload.namedgroups_extension(),
1023        };
1024
1025        trace!("Accepted::client_hello(): {ch:#?}");
1026        ch
1027    }
1028
1029    /// Convert the [`Accepted`] into a [`ServerConnection`].
1030    ///
1031    /// Takes the state returned from [`Acceptor::accept()`] as well as the [`ServerConfig`] and
1032    /// [`sign::CertifiedKey`] that should be used for the session. Returns an error if
1033    /// configuration-dependent validation of the received `ClientHello` message fails.
1034    #[cfg(feature = "std")]
1035    pub fn into_connection(
1036        mut self,
1037        config: Arc<ServerConfig>,
1038    ) -> Result<ServerConnection, (Error, AcceptedAlert)> {
1039        if let Err(err) = self
1040            .connection
1041            .set_max_fragment_size(config.max_fragment_size)
1042        {
1043            // We have a connection here, but it won't contain an alert since the error
1044            // is with the fragment size configured in the `ServerConfig`.
1045            return Err((err, AcceptedAlert::empty()));
1046        }
1047
1048        self.connection.enable_secret_extraction = config.enable_secret_extraction;
1049
1050        let state = hs::ExpectClientHello::new(config, Vec::new());
1051        let mut cx = hs::ServerContext::from(&mut self.connection);
1052
1053        let ch = Self::client_hello_payload(&self.message);
1054        let new = match state.with_certified_key(self.sig_schemes, ch, &self.message, &mut cx) {
1055            Ok(new) => new,
1056            Err(err) => return Err((err, AcceptedAlert::from(self.connection))),
1057        };
1058
1059        self.connection.replace_state(new);
1060        Ok(ServerConnection {
1061            inner: self.connection,
1062        })
1063    }
1064
1065    fn client_hello_payload<'a>(message: &'a Message<'_>) -> &'a ClientHelloPayload {
1066        match &message.payload {
1067            crate::msgs::message::MessagePayload::Handshake { parsed, .. } => match &parsed.0 {
1068                crate::msgs::handshake::HandshakePayload::ClientHello(ch) => ch,
1069                _ => unreachable!(),
1070            },
1071            _ => unreachable!(),
1072        }
1073    }
1074}
1075
1076impl Debug for Accepted {
1077    fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
1078        f.debug_struct("Accepted").finish()
1079    }
1080}
1081
1082#[cfg(feature = "std")]
1083struct Accepting;
1084
1085#[cfg(feature = "std")]
1086impl State<ServerConnectionData> for Accepting {
1087    fn handle<'m>(
1088        self: Box<Self>,
1089        _cx: &mut hs::ServerContext<'_>,
1090        _m: Message<'m>,
1091    ) -> Result<Box<dyn State<ServerConnectionData> + 'm>, Error>
1092    where
1093        Self: 'm,
1094    {
1095        Err(Error::General("unreachable state".into()))
1096    }
1097
1098    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
1099        self
1100    }
1101}
1102
1103pub(super) enum EarlyDataState {
1104    New,
1105    Accepted {
1106        received: ChunkVecBuffer,
1107        left: usize,
1108    },
1109    Rejected,
1110}
1111
1112impl Default for EarlyDataState {
1113    fn default() -> Self {
1114        Self::New
1115    }
1116}
1117
1118impl EarlyDataState {
1119    pub(super) fn reject(&mut self) {
1120        *self = Self::Rejected;
1121    }
1122
1123    pub(super) fn accept(&mut self, max_size: usize) {
1124        *self = Self::Accepted {
1125            received: ChunkVecBuffer::new(Some(max_size)),
1126            left: max_size,
1127        };
1128    }
1129
1130    #[cfg(feature = "std")]
1131    fn was_accepted(&self) -> bool {
1132        matches!(self, Self::Accepted { .. })
1133    }
1134
1135    pub(super) fn was_rejected(&self) -> bool {
1136        matches!(self, Self::Rejected)
1137    }
1138
1139    fn peek(&self) -> Option<&[u8]> {
1140        match self {
1141            Self::Accepted { received, .. } => received.peek(),
1142            _ => None,
1143        }
1144    }
1145
1146    fn pop(&mut self) -> Option<Vec<u8>> {
1147        match self {
1148            Self::Accepted { received, .. } => received.pop(),
1149            _ => None,
1150        }
1151    }
1152
1153    #[cfg(feature = "std")]
1154    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
1155        match self {
1156            Self::Accepted { received, .. } => received.read(buf),
1157            _ => Err(io::Error::from(io::ErrorKind::BrokenPipe)),
1158        }
1159    }
1160
1161    #[cfg(read_buf)]
1162    fn read_buf(&mut self, cursor: core::io::BorrowedCursor<'_>) -> io::Result<()> {
1163        match self {
1164            Self::Accepted { received, .. } => received.read_buf(cursor),
1165            _ => Err(io::Error::from(io::ErrorKind::BrokenPipe)),
1166        }
1167    }
1168
1169    pub(super) fn take_received_plaintext(&mut self, bytes: Payload<'_>) -> bool {
1170        let available = bytes.bytes().len();
1171        let Self::Accepted { received, left } = self else {
1172            return false;
1173        };
1174
1175        if received.apply_limit(available) != available || available > *left {
1176            return false;
1177        }
1178
1179        received.append(bytes.into_vec());
1180        *left -= available;
1181        true
1182    }
1183}
1184
1185impl Debug for EarlyDataState {
1186    fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
1187        match self {
1188            Self::New => write!(f, "EarlyDataState::New"),
1189            Self::Accepted { received, left } => write!(
1190                f,
1191                "EarlyDataState::Accepted {{ received: {}, left: {} }}",
1192                received.len(),
1193                left
1194            ),
1195            Self::Rejected => write!(f, "EarlyDataState::Rejected"),
1196        }
1197    }
1198}
1199
1200impl ConnectionCore<ServerConnectionData> {
1201    pub(crate) fn for_server(
1202        config: Arc<ServerConfig>,
1203        extra_exts: Vec<ServerExtension>,
1204    ) -> Result<Self, Error> {
1205        let mut common = CommonState::new(Side::Server);
1206        common.set_max_fragment_size(config.max_fragment_size)?;
1207        common.enable_secret_extraction = config.enable_secret_extraction;
1208        common.fips = config.fips();
1209        Ok(Self::new(
1210            Box::new(hs::ExpectClientHello::new(config, extra_exts)),
1211            ServerConnectionData::default(),
1212            common,
1213        ))
1214    }
1215
1216    #[cfg(feature = "std")]
1217    pub(crate) fn reject_early_data(&mut self) {
1218        assert!(
1219            self.common_state.is_handshaking(),
1220            "cannot retroactively reject early data"
1221        );
1222        self.data.early_data.reject();
1223    }
1224
1225    #[cfg(feature = "std")]
1226    pub(crate) fn get_sni_str(&self) -> Option<&str> {
1227        self.data.get_sni_str()
1228    }
1229}
1230
1231/// State associated with a server connection.
1232#[derive(Default, Debug)]
1233pub struct ServerConnectionData {
1234    pub(super) sni: Option<DnsName<'static>>,
1235    pub(super) received_resumption_data: Option<Vec<u8>>,
1236    pub(super) resumption_data: Vec<u8>,
1237    pub(super) early_data: EarlyDataState,
1238}
1239
1240impl ServerConnectionData {
1241    #[cfg(feature = "std")]
1242    pub(super) fn get_sni_str(&self) -> Option<&str> {
1243        self.sni.as_ref().map(AsRef::as_ref)
1244    }
1245}
1246
1247impl crate::conn::SideData for ServerConnectionData {}
1248
1249#[cfg(feature = "std")]
1250#[cfg(test)]
1251mod tests {
1252    use std::format;
1253
1254    use super::*;
1255
1256    // these branches not reachable externally, unless something else goes wrong.
1257    #[test]
1258    fn test_read_in_new_state() {
1259        assert_eq!(
1260            format!("{:?}", EarlyDataState::default().read(&mut [0u8; 5])),
1261            "Err(Kind(BrokenPipe))"
1262        );
1263    }
1264
1265    #[cfg(read_buf)]
1266    #[test]
1267    fn test_read_buf_in_new_state() {
1268        use core::io::BorrowedBuf;
1269
1270        let mut buf = [0u8; 5];
1271        let mut buf: BorrowedBuf<'_> = buf.as_mut_slice().into();
1272        assert_eq!(
1273            format!("{:?}", EarlyDataState::default().read_buf(buf.unfilled())),
1274            "Err(Kind(BrokenPipe))"
1275        );
1276    }
1277}