quic: expose limits via PacketKey trait

2023-12-19 12:21:05 +01:00 · 2023-12-19 12:21:05 +01:00 · 542b12ca89
parent 3e4630fb8f
commit 542b12ca89
4 changed files with 66 additions and 2 deletions
--- a/rustls/src/crypto/aws_lc_rs/tls13.rs
+++ b/rustls/src/crypto/aws_lc_rs/tls13.rs
@ -33,6 +33,8 @@ pub(crate) static TLS13_CHACHA20_POLY1305_SHA256_INTERNAL: &Tls13CipherSuite = &
    quic: Some(&super::quic::KeyBuilder {
        packet_alg: &aead::CHACHA20_POLY1305,
        header_alg: &aead::quic::CHACHA20,
+        confidentiality_limit: u64::MAX,
+        integrity_limit: 1 << 36,
    }),
 };

@ -50,6 +52,8 @@ pub static TLS13_AES_256_GCM_SHA384: SupportedCipherSuite =
        quic: Some(&super::quic::KeyBuilder {
            packet_alg: &aead::AES_256_GCM,
            header_alg: &aead::quic::AES_256,
+            confidentiality_limit: 1 << 23,
+            integrity_limit: 1 << 52,
        }),
    });

@ -69,6 +73,8 @@ pub(crate) static TLS13_AES_128_GCM_SHA256_INTERNAL: &Tls13CipherSuite = &Tls13C
    quic: Some(&super::quic::KeyBuilder {
        packet_alg: &aead::AES_128_GCM,
        header_alg: &aead::quic::AES_128,
+        confidentiality_limit: 1 << 23,
+        integrity_limit: 1 << 52,
    }),
 };

--- a/rustls/src/crypto/ring/quic.rs
+++ b/rustls/src/crypto/ring/quic.rs
@ -100,15 +100,31 @@ pub(crate) struct PacketKey {
    key: aead::LessSafeKey,
    /// Computes unique nonces for each packet
    iv: Iv,
+    /// Confidentiality limit (see [`CipherSuiteCommon::confidentiality_limit`][csc-limit])
+    ///
+    /// [csc-limit]: crate::crypto::CipherSuiteCommon::confidentiality_limit
+    confidentiality_limit: u64,
+    /// Integrity limit (see [`CipherSuiteCommon::integrity_limit`][csc-limit])
+    ///
+    /// [csc-limit]: crate::crypto::CipherSuiteCommon::integrity_limit
+    integrity_limit: u64,
 }

 impl PacketKey {
-    pub(crate) fn new(key: AeadKey, iv: Iv, aead_algorithm: &'static aead::Algorithm) -> Self {
+    pub(crate) fn new(
+        key: AeadKey,
+        iv: Iv,
+        confidentiality_limit: u64,
+        integrity_limit: u64,
+        aead_algorithm: &'static aead::Algorithm,
+    ) -> Self {
        Self {
            key: aead::LessSafeKey::new(
                aead::UnboundKey::new(aead_algorithm, key.as_ref()).unwrap(),
            ),
            iv,
+            confidentiality_limit,
+            integrity_limit,
        }
    }
 }
@ -158,16 +174,38 @@ impl quic::PacketKey for PacketKey {
    fn tag_len(&self) -> usize {
        self.key.algorithm().tag_len()
    }
+
+    /// Confidentiality limit (see [`CipherSuiteCommon::confidentiality_limit`][csc-limit])
+    ///
+    /// [csc-limit]: crate::crypto::CipherSuiteCommon::confidentiality_limit
+    fn confidentiality_limit(&self) -> u64 {
+        self.confidentiality_limit
+    }
+
+    /// Integrity limit (see [`CipherSuiteCommon::integrity_limit`][csc-limit])
+    ///
+    /// [csc-limit]: crate::crypto::CipherSuiteCommon::integrity_limit
+    fn integrity_limit(&self) -> u64 {
+        self.integrity_limit
+    }
 }

 pub(crate) struct KeyBuilder {
    pub(crate) packet_alg: &'static aead::Algorithm,
    pub(crate) header_alg: &'static aead::quic::Algorithm,
+    pub(crate) confidentiality_limit: u64,
+    pub(crate) integrity_limit: u64,
 }

 impl crate::quic::Algorithm for KeyBuilder {
    fn packet_key(&self, key: AeadKey, iv: Iv) -> Box<dyn quic::PacketKey> {
-        Box::new(super::quic::PacketKey::new(key, iv, self.packet_alg))
+        Box::new(super::quic::PacketKey::new(
+            key,
+            iv,
+            self.confidentiality_limit,
+            self.integrity_limit,
+            self.packet_alg,
+        ))
    }

    fn header_protection_key(&self, key: AeadKey) -> Box<dyn quic::HeaderProtectionKey> {
--- a/rustls/src/crypto/ring/tls13.rs
+++ b/rustls/src/crypto/ring/tls13.rs
@ -33,6 +33,8 @@ pub(crate) static TLS13_CHACHA20_POLY1305_SHA256_INTERNAL: &Tls13CipherSuite = &
    quic: Some(&super::quic::KeyBuilder {
        packet_alg: &aead::CHACHA20_POLY1305,
        header_alg: &aead::quic::CHACHA20,
+        confidentiality_limit: u64::MAX,
+        integrity_limit: 1 << 36,
    }),
 };

@ -50,6 +52,8 @@ pub static TLS13_AES_256_GCM_SHA384: SupportedCipherSuite =
        quic: Some(&super::quic::KeyBuilder {
            packet_alg: &aead::AES_256_GCM,
            header_alg: &aead::quic::AES_256,
+            confidentiality_limit: 1 << 23,
+            integrity_limit: 1 << 52,
        }),
    });

@ -69,6 +73,8 @@ pub(crate) static TLS13_AES_128_GCM_SHA256_INTERNAL: &Tls13CipherSuite = &Tls13C
    quic: Some(&super::quic::KeyBuilder {
        packet_alg: &aead::AES_128_GCM,
        header_alg: &aead::quic::AES_128,
+        confidentiality_limit: 1 << 23,
+        integrity_limit: 1 << 52,
    }),
 };

--- a/rustls/src/quic.rs
+++ b/rustls/src/quic.rs
@ -705,6 +705,20 @@ pub trait PacketKey: Send + Sync {

    /// Tag length for the underlying AEAD algorithm
    fn tag_len(&self) -> usize;
+
+    /// Number of messages that can be safely encrypted with a single key of this type.
+    ///
+    /// See [`CipherSuiteCommon::confidentiality_limit`][csc-limit].
+    ///
+    /// [csc-limit]: crate::crypto::CipherSuiteCommon::confidentiality_limit
+    fn confidentiality_limit(&self) -> u64;
+
+    /// Number of messages that can be safely authenticated with a single key of this type.
+    ///
+    /// See [`CipherSuiteCommon::integrity_limit`][csc-limit].
+    ///
+    /// [csc-limit]: crate::crypto::CipherSuiteCommon::integrity_limit
+    fn integrity_limit(&self) -> u64;
 }

 /// Packet protection keys for bidirectional 1-RTT communication