s2n-quic-core 0.81.0

Internal crate used by s2n-quic
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86

// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

use crate::crypto::OneRttKey;

//= https://www.rfc-editor.org/rfc/rfc9001#section-6.6
//# Endpoints MUST count the number of encrypted packets for each set of
//# keys.
pub struct Key<K> {
    key: K,

    // Keeping encrypted_packets out of the key allow keys to be immutable, which allows optimizations
    // later on.
    encrypted_packets: u64,
    decrypted_packets: u64,
    confidentiality_limit: u64,
}

#[derive(Copy, Clone, Debug)]
#[non_exhaustive]
pub struct Limits {
    /// The number of packets before the limit at which a key update will be scheduled
    pub key_update_window: u64,
}

impl Default for Limits {
    fn default() -> Self {
        Self {
            key_update_window: KEY_UPDATE_WINDOW,
        }
    }
}

const KEY_UPDATE_WINDOW: u64 = 10_000;

impl<K: OneRttKey> Key<K> {
    pub fn new(key: K) -> Self {
        Key {
            confidentiality_limit: key.aead_confidentiality_limit(),
            key,
            encrypted_packets: 0,
            decrypted_packets: 0,
        }
    }

    /// Keys used past the confidentiality_limit are expired
    #[inline]
    pub fn expired(&self) -> bool {
        // We check >= because we don't want to encrypt an additional packet if the key has
        // already been used up to the limit.
        self.encrypted_packets >= self.confidentiality_limit
    }

    /// If the key is within the update window, an update should be initiated.
    #[inline]
    pub fn needs_update(&self, limits: &Limits) -> bool {
        self.encrypted_packets
            > (self
                .confidentiality_limit
                .saturating_sub(limits.key_update_window))
    }

    pub fn derive_next_key(&self) -> K {
        self.key.derive_next_key()
    }

    #[inline]
    pub fn encrypted_packets(&self) -> u64 {
        self.encrypted_packets
    }

    #[inline]
    pub fn on_packet_encryption(&mut self) {
        self.encrypted_packets += 1;
    }

    #[inline]
    pub fn on_packet_decryption(&mut self) {
        self.decrypted_packets += 1;
    }

    #[inline]
    pub fn key_mut(&mut self) -> &mut K {
        &mut self.key
    }
}