This drastically improves the debuggability of the network parts, by
moving the task of encrypting/decrypting TLS packets from userland to
the kernel. This makes them appear in the clear in strace as sendto() and
recvfrom().
I introduced a new tls-rust-ktls feature which depends on both rustls
and ktls, but isn’t enabled by default since it probably isn’t available
on every computer. It requires the tls kernel module to be loaded,
which then can offload encryption/decryption to dedicated hardware if
available.
I have tested this change on Linux 6.11 on a rk3588.
First switch to LazyLock from OnceLock, to simplify the code.
Then concatenate the colour reset escape code instead of using
format!(); since the vast majority of those strings have more capacity
than their length, this avoids a reallocation in most cases.
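As an added illustration of the reallocation point (example code, not the project's own): a String that still has spare capacity absorbs the reset sequence in place and keeps its buffer, whereas format!() always allocates a fresh String and copies the input. The constant name RESET, the helper names and the red escape code used as sample input are assumptions for this example; the LazyLock change is not shown here.

```rust
// Added example, not xmpp-rs code: in-place append vs. format!() for an
// ANSI reset sequence. RESET is an assumed name for the project's constant.
const RESET: &str = "\x1b[0m";

/// Append the reset sequence in place. When the String already has spare
/// capacity, push_str writes into the existing buffer: no new allocation,
/// same pointer, same capacity.
pub fn append_reset_in_place(mut s: String) -> String {
    s.push_str(RESET);
    s
}

/// The format!() form builds a brand-new String every time, copying `s`
/// even when `s` had plenty of room left.
pub fn append_reset_with_format(s: &str) -> String {
    format!("{s}{RESET}")
}

/// Returns (in_place_reallocated, format_reallocated) for a constructed
/// coloured string that has spare capacity, so the difference is observable.
pub fn compare_reallocation() -> (bool, bool) {
    // Constructed input: 64 bytes reserved, only 10 used.
    let mut coloured = String::with_capacity(64);
    coloured.push_str("\x1b[31m"); // red (assumed colour code)
    coloured.push_str("error");
    let ptr_before = coloured.as_ptr();
    let cap_before = coloured.capacity();

    // Both Strings are alive at once here, so distinct pointers prove a
    // fresh allocation was made.
    let formatted = append_reset_with_format(&coloured);
    let format_reallocated = formatted.as_ptr() != ptr_before;

    let in_place = append_reset_in_place(coloured);
    let in_place_reallocated =
        in_place.as_ptr() != ptr_before || in_place.capacity() != cap_before;

    (in_place_reallocated, format_reallocated)
}
```

Running compare_reallocation() gives (false, true): the push_str path reuses the buffer, the format!() path does not. If the string has no spare capacity, push_str reallocates too, which is the "most cases" caveat in the commit message.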
This allows detecting and handling dying streams without getting stuck
forever.
Timeouts are always wrong, though, so we put the burden of choosing the
right values (mostly) on the creator of a stream.
Without the early return in XmlStream::poll_next in case of the stream
footer, the read state gets recreated and the logic at the top of that
function to actually handle stream shutdown gracefully is never
triggered.
Also, that logic was incorrect; the correct behaviour is to wait for the
true EOF.
This makes the stream resets a lot safer, by preventing the forbidden
send-read-reset combination of events: the reset function on the
responder side now takes the element to send right before the reset,
enforcing a send-reset pattern.
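The two stream fixes above (the early return on the footer so that shutdown waits for the true EOF, and the responder-side reset that takes the final element to send) can be illustrated with one toy state machine. This is added example code, not code from xmpp-rs: the names XmlStream, ReadState, Chunk and Event are assumptions, a constructed input queue stands in for the socket, Poll::Pending here simply means "no bytes available yet" (no waker is registered), and discarding data that arrives after the footer is this example's choice rather than the project's policy.

```rust
use std::collections::VecDeque;
use std::task::Poll;

/// Added illustration, not xmpp-rs code. What the "socket" hands us:
/// either bytes (one element per chunk, for simplicity) or a true EOF.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Chunk {
    Data(String),
    Eof,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Event {
    Element(String),
    /// The peer sent the stream footer; we keep reading until EOF.
    Footer,
    /// True EOF arrived after the footer: graceful shutdown completed.
    Closed,
    /// EOF without a footer: the peer died or the connection was cut.
    Aborted,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum ReadState {
    Open,
    /// Footer seen. This state must survive across polls instead of being
    /// recreated, otherwise the EOF handling branch is never reached.
    FooterSeen,
    Eof,
}

pub struct XmlStream {
    state: ReadState,
    incoming: VecDeque<Chunk>,
    /// Elements written to the peer, recorded so ordering can be checked.
    pub sent: Vec<String>,
    /// Bumped on every reset, standing in for a fresh stream header.
    pub generation: u32,
}

impl XmlStream {
    pub fn new() -> Self {
        XmlStream { state: ReadState::Open, incoming: VecDeque::new(), sent: Vec::new(), generation: 0 }
    }

    /// Simulates bytes arriving from the transport (constructed input).
    pub fn push_incoming(&mut self, chunk: Chunk) {
        self.incoming.push_back(chunk);
    }

    /// One poll_next step. The footer branch returns early with the state
    /// set to FooterSeen; the next poll then goes straight to the EOF wait.
    pub fn poll_next(&mut self) -> Poll<Option<Event>> {
        match self.state {
            ReadState::Eof => Poll::Ready(None),
            ReadState::FooterSeen => match self.incoming.pop_front() {
                // Nothing readable yet: keep waiting for the real EOF.
                None => Poll::Pending,
                Some(Chunk::Eof) => {
                    self.state = ReadState::Eof;
                    Poll::Ready(Some(Event::Closed))
                }
                // Data after the footer violates the protocol; this toy
                // discards it and keeps waiting (an assumption of the example).
                Some(Chunk::Data(_)) => Poll::Pending,
            },
            ReadState::Open => match self.incoming.pop_front() {
                None => Poll::Pending,
                Some(Chunk::Eof) => {
                    self.state = ReadState::Eof;
                    Poll::Ready(Some(Event::Aborted))
                }
                Some(Chunk::Data(raw)) if raw == "</stream:stream>" => {
                    self.state = ReadState::FooterSeen;
                    Poll::Ready(Some(Event::Footer)) // early return, state kept
                }
                Some(Chunk::Data(raw)) => Poll::Ready(Some(Event::Element(raw))),
            },
        }
    }

    /// Responder-side reset. Taking the final element as a parameter and
    /// consuming `self` means the only possible sequence is send-then-reset;
    /// a poll_next cannot be slipped in between the two.
    pub fn reset(mut self, final_element: &str) -> XmlStream {
        self.sent.push(final_element.to_string());
        XmlStream {
            state: ReadState::Open,
            incoming: self.incoming,
            sent: self.sent,
            generation: self.generation + 1,
        }
    }
}
```

The design point is in the signatures: poll_next keeps its state across calls, so the footer does not throw the read state away, and reset owns the stream while it writes the final element, so the forbidden send-read-reset interleaving cannot be expressed by a caller.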
Update tokio_rustls, idna, webpki_roots.
https://github.com/rustls/rustls/releases/tag/v%2F0.22.0
> ConfigBuilder::with_safe_defaults - calls to this can simply be deleted since safe defaults are now implicit.
> OwnedTrustAnchor - use rustls_pki_types::TrustAnchor instead, and replace from_subject_spki_name_constraints with direct assignment to the struct fields.
`RootCertStore::add_trust_anchors` seems to be removed too.
Signed-off-by: Maxime “pep” Buquet <pep@bouah.net>