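// Copyright (c) 2026 Charles KWON OhJun (charleskwonohjun@gmail.com)
// All rights reserved.

package pgserver

import (
	"crypto/tls"
	"errors"
	"net"
)

// upgradeToTLS wraps the underlying net.Conn in a tls.Server using
// the configured *tls.Config and performs the TLS handshake. The
// returned net.Conn is the encrypted stream; pgproto3 sees only
// plaintext on top of it.
//
// Phase 6 expands this with mTLS / SNI / cert pinning. v1.0 just
// does the basic upgrade — sufficient for `psql sslmode=require`.
//
// It returns a non-nil error, and a nil net.Conn, when conn or cfg is
// nil or when the handshake fails. On failure conn is NOT closed here;
// the caller still owns it.
//
// Security notes for callers:
//   - The protocol versions, cipher suites and client-auth policy in
//     effect are whatever cfg specifies; nothing is tightened here.
//   - No deadline is applied to the handshake by this function. A peer
//     that opens the connection and then stalls keeps the calling
//     goroutine blocked until a deadline already set on conn fires.
//     NOTE(review): confirm the accept path sets a deadline on conn
//     before calling this (and clears it afterwards).
//   - libpq's sslmode=require encrypts the session but, by default,
//     does not make the client verify this server's certificate, so
//     this mode gives confidentiality against passive observers only.
func upgradeToTLS(conn net.Conn, cfg *tls.Config) (net.Conn, error) {
	// tls.Server documents that the config must be non-nil; reject a
	// missing config (or connection) with an error instead of letting
	// the handshake dereference nil on a live, attacker-reachable path.
	if conn == nil {
		return nil, errors.New("pgserver: tls upgrade requires a non-nil connection")
	}
	if cfg == nil {
		return nil, errors.New("pgserver: tls upgrade requires a non-nil tls.Config")
	}

	tlsConn := tls.Server(conn, cfg)
	// Run the handshake eagerly so that certificate and protocol errors
	// surface here rather than on the first read of the startup message.
	if err := tlsConn.Handshake(); err != nil {
		return nil, err
	}
	return tlsConn, nil
}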