Trait ProducesTickets

pub trait ProducesTickets:
    Debug
    + Send
    + Sync {
    // Required methods
    fn enabled(&self) -> bool;
    fn lifetime(&self) -> u32;
    fn encrypt(&self, plain: &[u8]) -> Option<Vec<u8>>;
    fn decrypt(&self, cipher: &[u8]) -> Option<Vec<u8>>;
}

A trait for the ability to encrypt and decrypt tickets.

Required Methods

fn enabled(&self) -> bool

Returns true if this implementation will encrypt/decrypt tickets. Should return false if this is a dummy implementation: the server will not send the SessionTicket extension and will not call the other functions.

fn lifetime(&self) -> u32

Returns the lifetime in seconds of tickets produced now. The lifetime is provided as a hint to clients that the ticket will not be useful after the given time.

This lifetime must be implemented by key rolling and erasure, not by storing a lifetime in the ticket.

The objective is to limit damage to forward secrecy caused by tickets, not just limiting their lifetime.

fn encrypt(&self, plain: &[u8]) -> Option<Vec<u8>>

Encrypt and authenticate plain, returning the resulting ticket. Return None if plain cannot be encrypted for some reason: an empty ticket will be sent and the connection will continue.

fn decrypt(&self, cipher: &[u8]) -> Option<Vec<u8>>

Decrypt cipher, validating its authenticity protection and recovering the plaintext. cipher is fully attacker controlled, so this decryption must be side-channel free, panic-proof, and otherwise bullet-proof. If the decryption fails, return None.

Implementors

impl ProducesTickets for TicketRotator

impl ProducesTickets for TicketSwitcher