This is a proof of concept adding module rustls::split, an alternative (currently buffered) API which splits a post-handshake TLS connection into a Reader and Writer. It demonstrates a possible API and implementation for #2761.

The API

The split() function can split a TLS 1.2/1.3 client/server connection with a completed handshake into (Reader, Writer). These types can be used independently, e.g. from different threads or asynchronous tasks. It is sometimes necessary to communicate between them (e.g. to send alerts to a misbehaving peer, or if the peer requests we update our encryption keys). But this happens quite rarely, and the user can implement that communication using their own synchronization mechanisms (e.g. mutexes or channels).

Reader implements the reader-side functionality of ConnectionCommon. It offers recv_tls() to read from the underlying stream (equivalent to read_tls() + process_new_packets()) and reader() to access buffered plaintext data. The most important difference is that recv_tls() can return a WriterAction, which the user must communicate to the Writer.

Writer implements the writer-side functionality of ConnectionCommon. It offers send_tls() (i.e. write_tls()) and writer(). In addition, it has an enact() method to consume a WriterAction from the reader.

Justification

Splitting the reader and writer can make life a lot easier for request-response protocols. Even though TLS is an ordered stream protocol, the read and write halves of a connection are not ordered wrt each other. Instead of sending a single request, waiting for a response, and then repeating, implementations can write as many requests as I/O allows and wait for the responses to arrive. In theory, this could significantly improve throughput, especially for connections and requests with high latency; but testing it with rustls has been difficult.

With this API, it is possible that WriterActions are somewhat delayed. Is this a correctness issue? I would argue not. A TLS peer's delayed response to a message could occur because of a delayed WriterAction, or simply delays in the network; the two are indistinguishable. As long as WriterActions are processed relatively quickly, and sent to the right Writer in the right order, it will be fine. The improvement in throughput (which can now be benchmarked, with this PR) is adequate justification in my eyes.

Defensive Measures

Firstly, I want to emphasize the low-level nature of this API. Even with the unbuffered API we have today, implementation error on the user's part can lead to problems. The same is true here. We can still implement defensive measures to mitigate this, but an impossible-to-misuse API is unnecessary and unwarranted.

It is important to ensure that all WriterActions are sent to the right Writer in the right order. I am ignoring timeliness.

• I have already implemented some defensive measures with #[must_use] annotations on Received and WriterAction; these mitigate the possibility of the WriterAction being dropped or ignored.
• To ensure ordering, WriterActions could include a simple monotonic counter.
• Ensuring that they reach the right Writer is more difficult; one way would be to maintain an Arc internally (as the current code does), include it in the WriterAction, and test Arc::ptr_eq.

Implementation

The rustls::split module inlines the state and methods of ClientConnection / ServerConnection, ConnectionCommon, ConnectionCore, Box, CommonState, and RecordLayer. These types combined reader and writer state and could not be used; I chose to duplicate their code rather than to break the existing codebase. The only changes to them are to make some items pub(crate)` so that I can access them.

This has resulted in a 1500-line module that combines all the important post-handshake TLS logic. It's not pretty, but it does have some benefits; every step in the process is visible at a glance and it's easier to simplify control flow. IMO, in-place encryption/decryption would be much easier to implement on this, than on the existing code; #2758 would not have been hindered the way it was.

It should be possible to refactor this module and split up its data into smaller types again; but I suspect ConnectionCommon etc. are not the ideal layout. But I don't want to put too much more effort into this right now; it's good enough to judge the API concretely and to benchmark. I don't want to waste my time if you (the maintainers) think a different approach is necessary.

Testing

Some basic initial testing shows that this code works! I was able to modify simpleclient and I can happily talk to rust-lang.org. I'll try to find tests that focus on post-handshake state, and perhaps look at BoGo.

This code needs to be integrated with rustls' benchmarking suite. I need to investigate that and figure out how to measure the maximum throughput of a request-response connection, with and without the reader-writer split. Suggestions for alternative benchmarking approaches are welcome.

Future Direction

If this approach seems feasible, I would like to make this implementation unbuffered. Now that all of the different layers of TLS logic are in one place, it's much easier to implement in-place encryption/decryption and wipe out all allocations from the hot path.

The code is only applicable to connections that have finished their handshakes. The handshaking process is significantly more complicated and would be incredibly difficult to implement like this. The core idea behind this PR is that readers and writers don't communicate that much; but that's not true during a handshake. I don't know if or how ClientConnection etc. can be implemented in terms of this code. Still, this module is already useful for users of long-lived connections; they can trade extra handshaking work for better post-handshake performance.

The code currently lacks support for TLS 1.3 session tickets. This made my life way easier, as I could then define Reader and Writer as simple concrete types. Session ticket support will require distinguishing client and server types, as well as TLS 1.2 and TLS 1.3 use. It doesn't sound fun, but it will be necessary.

Commit History / Review

I've left the commit history as-is for now. I'm happy to try to clean it up if merging this PR is on the table. While the overall diff is +1508 -40, the sum of diffs across commits is +2712 -1234; a lot of refactoring happened in-place. It may be possible to review the commits in order, but I'm sure that won't be fun. I've tried to mark down where functions come from (e.g. ConnectionCore vs CommonState), but it might not always be clear. A lot of QUIC and handshake related logic have also been removed.

Sorry about the huge chunk of code to review. I know y'all have limited time. I would suggest prioritizing the API and judging whether this design is feasible. We can talk further once I have some benchmarks.