Problem:
There is no obvious way to rotate STEK material when using s2n-tls through the rust bindings.
s2n_config_add_ticket_crypto_key is exposed in the Rust bindings (s2n-tls/bindings/rust/s2n-tls/src/config.rs, lines 672 to 679 in 933f379):
```rust
/// Adds a key which will be used to encrypt and decrypt session tickets. The intro_time parameter is time since
/// the Unix epoch (Midnight, January 1st, 1970). The key must be at least 16 bytes.
pub fn add_session_ticket_key(
    &mut self,
    key_name: &[u8],
    key: &[u8],
    intro_time: SystemTime,
) -> Result<&mut Self, Error> {
```
However, this method is implemented on config::Builder so it is not available after the config is created.
Solution:
Workarounds
The one workaround that I can think of for this is using the ClientHello callback to always resolve to a "most recent" config. You would create a new config every hour with the rotation of the STEKs. This is not a pretty solution 😬
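To make the workaround concrete, here is an added, self-contained sketch of the "most recent config" pattern (example code, not from s2n-tls or the issue author). `Config` is a hypothetical stand-in for `s2n_tls::config::Config` that only records the `(key_name, key, intro_time)` triples the real builder would receive; in a real server, `current()` is what the ClientHello callback would hand to each new connection. It keeps older keys in the rebuilt config for a retention window so tickets issued under them still resume after rotation.

```rust
use std::collections::VecDeque;
use std::sync::{Arc, RwLock};
use std::time::{Duration, SystemTime, UNIX_EPOCH};

/// (key_name, key, intro_time): the same triple add_session_ticket_key takes.
pub type TicketKey = (Vec<u8>, Vec<u8>, SystemTime);

/// Hypothetical stand-in for s2n_tls::config::Config: it only records which
/// ticket keys the builder was given, in introduction order.
#[derive(Debug, Clone, PartialEq)]
pub struct Config {
    pub ticket_keys: Vec<TicketKey>,
}

/// Owns the rotation schedule plus the "most recent" config that the
/// ClientHello callback would select for every new connection.
pub struct StekRotator {
    keys: RwLock<VecDeque<TicketKey>>,
    current: RwLock<Arc<Config>>,
    /// How long an old key stays in the config so tickets issued under it
    /// can still be decrypted after a newer key took over encryption.
    retain: Duration,
}

impl StekRotator {
    pub fn new(retain: Duration) -> Self {
        let empty = Arc::new(Config { ticket_keys: Vec::new() });
        StekRotator { keys: RwLock::new(VecDeque::new()), current: RwLock::new(empty), retain }
    }

    /// Introduce a fresh key at `now`, drop keys older than the retention
    /// window, and swap in a rebuilt config. Readers holding the previous Arc
    /// keep using it until they next call current(), so no reader is blocked.
    pub fn rotate(&self, key: &[u8], now: SystemTime) -> Result<(), String> {
        if key.len() < 16 {
            return Err("ticket key must be at least 16 bytes".into()); // same rule as the bindings
        }
        // Name the key by its intro time (seconds since the Unix epoch): unique and sortable.
        let secs = now.duration_since(UNIX_EPOCH).map_err(|e| e.to_string())?.as_secs();
        let mut keys = self.keys.write().map_err(|_| "poisoned")?;
        keys.push_back((secs.to_be_bytes().to_vec(), key.to_vec(), now));
        while let Some((_, _, intro)) = keys.front() {
            let age = now.duration_since(*intro).unwrap_or(Duration::ZERO);
            if age <= self.retain { break; }
            keys.pop_front(); // expired: tickets under this key can no longer resume
        }
        let rebuilt = Arc::new(Config { ticket_keys: keys.iter().cloned().collect() });
        *self.current.write().map_err(|_| "poisoned")? = rebuilt;
        Ok(())
    }

    /// Cheap Arc clone for the ClientHello callback; no lock is held after return.
    pub fn current(&self) -> Arc<Config> {
        self.current.read().expect("lock").clone()
    }
}
```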
Code Changes
Ideally the add_session_ticket_key would be available on the config::Config.
- should it take a &self or &mut self?
- does it need to do any internal synchronization?
Clients currently have to implement rotation themselves, and I wonder if it might make sense to switch to something like rustls' ticketer api?
Requirements / Acceptance Criteria:
Customers should be able to rotate STEKs when using the bindings. I think as part of the acceptance criteria, we should add an example server with STEKs that rotate every hour.