-
Notifications
You must be signed in to change notification settings - Fork 0
Architecture
github-actions[bot] edited this page Jul 16, 2026
·
7 revisions
wknet 是 Windows 内核态 HTTP 客户端协议栈。公共入口是 wknet::http / wknet::websocket / wknet::crypto / wknet::codec;传输主路径为 WSK,密码学主路径为 CNG/BCrypt。不使用 WinHTTP、WinINet、SChannel,也不提供 server/入站角色。
wknet::http / websocket / crypto / codec
│
http_api 薄桥
│
session
┌─────────────┼─────────────┐
transport http1/http2/http3 ws
│ │ │
net tls codec
└──────────────┴──────────────┘
rtl
| 层 | 职责 | 调用方需知 |
|---|---|---|
| 公共 API | opaque handle、参数映射、生命周期 | 唯一稳定入口 |
| session | 路由、重定向、代理、连接池、异步、协议编排 | 拥有策略与池 |
| transport | opaque 字节流服务 | 协议层不直接碰 WSK IRP |
| net | WSK 生命周期、解析、socket | 仅内核 socket |
| tls | 握手、记录保护、会话恢复、证书校验 | 信任锚由调用方提供 |
| http1 / http2 / http3 / ws | 协议状态机 | 不拥有池策略 |
不存在独立 client 层,也不存在第二套网络连接生命周期。
wknet::http::Send* / Get* / Post*
→ 公共参数映射
→ session 编排
→ 路由 / 代理 / 连接池 / Alt-Svc
→ HTTP/1.1 | HTTP/2 | HTTP/3
→ transport → WSK 或 TLS(H3 为 QUIC over Datagram)
-
HTTPS:默认在 TCP TLS 上使用 HTTP/1.1 或 ALPN 协商的
h2。Http3ConnectMode::Auto时,若已从通过证书与策略校验的响应中学到精确h3Alt-Svc,后续请求可以优先走 HTTP/3。 -
WebSocket:由
session编排。wss可使用 RFC 8441(HTTP/2 extended CONNECT)或 HTTP/1.1 Upgrade,与 HTTP 共用 TLS、连接与取消模型。 - HTTP/3 适用范围:仅 HTTPS 且未启用代理。明文 HTTP、h2c、WebSocket,以及非 HTTP 的 ALPN,均使用既有 TCP 路径。
- 连接池字段由 session 池模块独占写入;池化连接携带 socket / transport / TLS / 可选 H2 或 H3 状态。
- 协议与 Workspace 缓冲使用堆内存;热路径缓冲常驻并复用。
- 同步 HTTP / WebSocket / TLS / 证书路径要求
PASSIVE_LEVEL,否则返回STATUS_INVALID_DEVICE_REQUEST或STATUS_INVALID_DEVICE_STATE。 - 用过异步 API 时,在驱动卸载路径调用
wknet::http::Destroy(),等待异步操作结束后再释放资源。
| 点 | 行为 |
|---|---|
| 角色 | 客户端;无入站 parser / server |
| 主路径 | 传输 WSK,密码学 CNG;不使用 WinHTTP / SChannel |
| 信任 | 信任锚、CA 包、pin、撤销证据由调用方提供;库不内置系统 CA |
| 主机名 | IP 仅匹配 iPAddress SAN;域名不回退 CN |
| 重定向 | 默认拒绝 HTTPS→HTTP;MaxRedirects 默认 10,用尽时返回当前 3xx |
| TRACE | 默认关闭;需要时设置 SendFlagAllowTrace
|
| H3 Auto | 仅从通过校验的 HTTPS 响应学习 Alt-Svc;SNI、证书与 :authority 仍绑定原 origin |
支持范围与限制的分类见 能力边界。
wknet is a Windows kernel-mode HTTP client stack. Public entry points are wknet::http, wknet::websocket, wknet::crypto, and wknet::codec. The transport main path is WSK; cryptography uses CNG/BCrypt. WinHTTP, WinINet, and SChannel are not used, and there is no server/inbound role.
wknet::http / websocket / crypto / codec
│
thin http_api bridge
│
session
┌─────────────┼─────────────┐
transport http1/http2/http3 ws
│ │ │
net tls codec
└──────────────┴──────────────┘
rtl
| Layer | Owns | Caller takeaway |
|---|---|---|
| Public API | Opaque handles, argument mapping, lifetime | The only stable surface |
| session | Routing, redirects, proxy, pool, async, protocol orchestration | Owns policy and pooling |
| transport | Opaque byte-stream services | Protocol layers never touch WSK IRPs directly |
| net | WSK lifecycle, resolution, sockets | Kernel sockets only |
| tls | Handshake, record protection, resumption, certificate validation | Trust anchors are caller-supplied |
| http1 / http2 / http3 / ws | Protocol state machines | Do not own pool policy |
There is no separate client layer and no second network connection lifecycle.
wknet::http::Send* / Get* / Post*
→ public argument mapping
→ session orchestration
→ route / proxy / pool / Alt-Svc
→ HTTP/1.1 | HTTP/2 | HTTP/3
→ transport → WSK or TLS (H3 is QUIC over Datagram)
-
HTTPS: defaults to HTTP/1.1 or ALPN-negotiated
h2over TCP TLS. WithHttp3ConnectMode::Auto, later requests may prefer HTTP/3 after an exacth3Alt-Svc is learned from a response that already passed certificate and policy checks. -
WebSocket: orchestrated by
session.wssmay use RFC 8441 (HTTP/2 extended CONNECT) or HTTP/1.1 Upgrade, sharing TLS, connection, and cancellation with HTTP. - HTTP/3 scope: HTTPS without a proxy. Cleartext HTTP, h2c, WebSocket, and non-HTTP ALPN stay on the existing TCP paths.
- Pool fields are written only by the session pool module; pooled connections carry socket, transport, TLS, and optional H2/H3 state.
- Protocol and Workspace buffers are heap-backed; hot buffers are retained and reused.
- Synchronous HTTP / WebSocket / TLS / certificate paths require
PASSIVE_LEVEL; otherwise the library returnsSTATUS_INVALID_DEVICE_REQUESTorSTATUS_INVALID_DEVICE_STATE. - After async APIs, call
wknet::http::Destroy()on the driver unload path and wait for async work to finish before releasing resources.
| Point | Behavior |
|---|---|
| Role | Client only; no inbound parser / server |
| Main path | WSK transport, CNG crypto; WinHTTP / SChannel are not used |
| Trust | Caller-supplied anchors, CA bundles, pins, and revocation evidence; no built-in system CA store |
| Hostnames | IPs match iPAddress SAN only; DNS names do not fall back to CN |
| Redirects | HTTPS→HTTP refused by default; MaxRedirects defaults to 10 and exhausted hops return the current 3xx |
| TRACE | Off by default; enable with SendFlagAllowTrace
|
| H3 Auto | Learns Alt-Svc only from HTTPS responses that already passed validation; SNI, certificate identity, and :authority remain bound to the origin |
Support scope and limits are documented in the Capability Matrix.
-
开始使用 / Get Started
-
概念与行为 / Concepts
-
协议指南 / Protocols
-
API 参考 / API Reference
-
贡献与项目 / Contribute