In this edge case (not specified by RFC8446) we send a fatal
invalid_parameter alert, but then keep processing incoming messages.
This led to a debug assert failure when a later message also sent
an alert.
I think these uses of `doc(hidden)` are trying to implement `pub(crate)`
semantics. Perhaps it was done this way a long time ago when `pub(crate)`
wasn't a think.
This change causes an `unreachable_pub` warning for `PlaintextSink`, so
make that `pub(crate)` too.
Some external users might be using these even though they probably shouldn't
be, so this is technically a breaking change.
This avoids a couple of unnecessary allocations: the individual Payloads of the
fragmented messages were allocating and filling a Vec, and the call sites were
allocating a VecDeque to be filled with messages.
Instead, always return an iterator of BorrowedPlainMessage, which the caller can
iterate over.
Previously there were two paths that would check that a max_fragment_size was in
the acceptable range. Now there's just one path: calling set_max_fragment_size.
This provides a way to construct a MessageFragmenter with the default fragment
size that is error-free.
Stores the parsed data for a handshake message payload alongside
the encoded version to avoid having to re-encode the message when
updating the transcript hash. Also avoids encoding outgoing handshake
message payloads twice.
Dynamically load the FFI Library of trust using flutter in Android system. `Connection Failed: tls connection init failed: Interrupted system call (os error 4)`.
Make the `read_buf` feature do nothing on non-Nightly Rust.
This makes it easier for people not depending on that feature to
build/test Rustls, as demonstrated by the CI/CD changes here.
Use `rustversion` instead of `rustc_version`; `rustc_version` has more
dependencies.
`start_incoming_traffic()` doesn't need to exist as a `pub(crate)`
function, or at all, because it is only used by the function right
below it. Inline it into that function to make it clearer when
`may_receive_application_data` is set.
This previously existed, but only for QUIC.
There are some unfortunate shortcomings with the protocol design here:
Because the client must send 0-RTT data whether or not the server
accepts it or even the client hello, there must be several
disjoint methods for identifying and skipping these messages. One
of these is in the record_layer.rs, and works by trial decryption.
Another happens if the server rejects the client's hello altogether,
and skips encrypted messages between the two client hellos.
The amount of data to skip is limited but -- because the design
appears to be defective -- the quantity is expressed (in
`max_early_data_size` provided with a ticket) in units of plaintext
bytes, but skipping data requires it in units of padded, tagged
ciphertext bytes. The server cannot compute one from the other,
so we're interpretting `max_early_data_size` as both at the same time.
This means the server can send application data in its first
flight. We only do this, though, if no client auth is in play
(as otherwise we'd be sending data to an unauthenticated peer,
and that would be exceedingly bad.)
This is useful for server-speaks-first protocols, as well as
replying to a 0-RTT request in a client-speaks-first one.
In terms of code changes, this splits start_traffic() into
start_incoming_traffic() and start_outgoing_traffic().
Jacob Rothstein
Joseph Birr-Pixton
Dirkjan Ochtman
Brian Smith
amos
Xuanwo
Josh Aas
Jacob Hoffman-Andrews
randsoy
ComplexSpaces
David Cook
Jonas Schäfer