aws
diff --git a/‎dc/s2n-quic-dc/src/packet/secret_control.rs‎
Lines changed: 30 additions & 2 deletions b/‎dc/s2n-quic-dc/src/packet/secret_control.rs‎
Lines changed: 30 additions & 2 deletions
diff --git a/‎dc/s2n-quic-dc/src/packet/secret_control/decoder.rs‎
Lines changed: 5 additions & 0 deletions b/‎dc/s2n-quic-dc/src/packet/secret_control/decoder.rs‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎dc/s2n-quic-dc/src/packet/secret_control/replay_detected.rs‎
Lines changed: 14 additions & 4 deletions b/‎dc/s2n-quic-dc/src/packet/secret_control/replay_detected.rs‎
Lines changed: 14 additions & 4 deletions
diff --git a/‎dc/s2n-quic-dc/src/packet/secret_control/stale_key.rs‎
Lines changed: 13 additions & 3 deletions b/‎dc/s2n-quic-dc/src/packet/secret_control/stale_key.rs‎
Lines changed: 13 additions & 3 deletions
diff --git a/‎dc/s2n-quic-dc/src/packet/secret_control/unknown_path_secret.rs‎
Lines changed: 26 additions & 6 deletions b/‎dc/s2n-quic-dc/src/packet/secret_control/unknown_path_secret.rs‎
Lines changed: 26 additions & 6 deletions
diff --git a/‎dc/s2n-quic-dc/src/packet/tag.rs‎
Lines changed: 9 additions & 6 deletions b/‎dc/s2n-quic-dc/src/packet/tag.rs‎
Lines changed: 9 additions & 6 deletions
diff --git a/‎dc/s2n-quic-dc/src/path/secret/map.rs‎
Lines changed: 46 additions & 6 deletions b/‎dc/s2n-quic-dc/src/path/secret/map.rs‎
Lines changed: 46 additions & 6 deletions
@@ -18,6 +18,11 @@ const UNKNOWN_PATH_SECRET: u8 = 0b0110_0000;
 const STALE_KEY: u8 = 0b0110_0001;
 const REPLAY_DETECTED: u8 = 0b0110_0010;
 
+/// Indicates if the packet has a queue_id field
+///
+/// This is used to route packets to the appropriate sender.
+const HAS_QUEUE_ID: u8 = 0b0000_0100;
+
 pub const MAX_PACKET_SIZE: usize = 64;
 pub const TAG_LEN: usize = 16;
 
@@ -35,6 +40,19 @@ macro_rules! impl_tag {
 
         impl Tag {
             pub const VALUE: u8 = $tag;
+            pub const VALUE_WITH_QUEUE_ID: u8 = $tag | HAS_QUEUE_ID;
+
+            pub const fn has_queue_id(&self) -> bool {
+                (self.0 & HAS_QUEUE_ID) != 0
+            }
+
+            pub fn with_queue_id(self, has_queue_id: bool) -> Self {
+                if has_queue_id {
+                    Self(self.0 | HAS_QUEUE_ID)
+                } else {
+                    self
+                }
+            }
         }
 
         impl From<Tag> for u8 {
@@ -48,7 +66,7 @@ macro_rules! impl_tag {
             impl<'a> Tag {
                 fn decode(buffer: Buffer) -> Result<Self> {
                     let (tag, buffer) = buffer.decode()?;
-                    decoder_invariant!(tag == $tag, "invalid tag");
+                    decoder_invariant!([$tag, $tag | HAS_QUEUE_ID].contains(&tag), "invalid tag");
                     Ok((Self(tag), buffer))
                 }
             }
@@ -135,8 +153,9 @@ impl<'a> Packet<'a> {
     #[inline]
     pub fn decode(buffer: DecoderBufferMut<'a>) -> Rm<'a, Self> {
         let tag = buffer.peek_byte(0)?;
+        let base_tag = tag & !HAS_QUEUE_ID;
 
-        Ok(match tag {
+        Ok(match base_tag {
             UNKNOWN_PATH_SECRET => {
                 let (packet, buffer) = unknown_path_secret::Packet::decode(buffer)?;
                 (Self::UnknownPathSecret(packet), buffer)
@@ -161,6 +180,15 @@ impl<'a> Packet<'a> {
             Self::ReplayDetected(p) => p.credential_id(),
         }
     }
+
+    #[inline]
+    pub fn queue_id(&self) -> Option<VarInt> {
+        match self {
+            Self::UnknownPathSecret(p) => p.queue_id(),
+            Self::StaleKey(p) => p.queue_id(),
+            Self::ReplayDetected(p) => p.queue_id(),
+        }
+    }
 }
 
 macro_rules! impl_convert {
 
@@ -47,6 +47,11 @@ macro_rules! impl_packet {
 
                 Some(value)
             }
+
+            #[inline]
+            pub fn queue_id(&self) -> Option<s2n_quic_core::varint::VarInt> {
+                self.value.queue_id
+            }
         }
     };
 }
 
@@ -9,8 +9,9 @@ impl_packet!(ReplayDetected);
 #[derive(Clone, Copy, Debug, PartialEq, Eq)]
 #[cfg_attr(test, derive(bolero_generator::TypeGenerator))]
 pub struct ReplayDetected {
-    pub wire_version: WireVersion,
     pub credential_id: credentials::Id,
+    pub wire_version: WireVersion,
+    pub queue_id: Option<VarInt>,
     pub rejected_key_id: VarInt,
 }
 
@@ -20,9 +21,12 @@ impl ReplayDetected {
     where
         C: seal::control::Secret,
     {
-        encoder.encode(&Tag::default());
+        encoder.encode(&Tag::default().with_queue_id(self.queue_id.is_some()));
         encoder.encode(&self.credential_id);
         encoder.encode(&self.wire_version);
+        if let Some(queue_id) = self.queue_id {
+            encoder.encode(&queue_id);
+        }
         encoder.encode(&self.rejected_key_id);
 
         encoder::finish(encoder, crypto)
@@ -38,13 +42,19 @@ impl<'a> DecoderValue<'a> for ReplayDetected {
     #[inline]
     fn decode(buffer: DecoderBuffer<'a>) -> R<'a, Self> {
         let (tag, buffer) = buffer.decode::<Tag>()?;
-        decoder_invariant!(tag == Tag::default(), "invalid tag");
         let (credential_id, buffer) = buffer.decode()?;
         let (wire_version, buffer) = buffer.decode()?;
+        let (queue_id, buffer) = if tag.has_queue_id() {
+            let (queue_id, buffer) = buffer.decode()?;
+            (Some(queue_id), buffer)
+        } else {
+            (None, buffer)
+        };
         let (rejected_key_id, buffer) = buffer.decode()?;
         let value = Self {
-            wire_version,
             credential_id,
+            wire_version,
+            queue_id,
             rejected_key_id,
         };
         Ok((value, buffer))
 
@@ -9,8 +9,9 @@ impl_packet!(StaleKey);
 #[derive(Clone, Copy, Debug, PartialEq, Eq)]
 #[cfg_attr(test, derive(bolero_generator::TypeGenerator))]
 pub struct StaleKey {
-    pub wire_version: WireVersion,
     pub credential_id: credentials::Id,
+    pub wire_version: WireVersion,
+    pub queue_id: Option<VarInt>,
     pub min_key_id: VarInt,
 }
 
@@ -20,9 +21,12 @@ impl StaleKey {
     where
         C: seal::control::Secret,
     {
-        encoder.encode(&Tag::default());
+        encoder.encode(&Tag::default().with_queue_id(self.queue_id.is_some()));
         encoder.encode(&self.credential_id);
         encoder.encode(&self.wire_version);
+        if let Some(queue_id) = self.queue_id {
+            encoder.encode(&queue_id);
+        }
         encoder.encode(&self.min_key_id);
 
         encoder::finish(encoder, crypto)
@@ -38,13 +42,19 @@ impl<'a> DecoderValue<'a> for StaleKey {
     #[inline]
     fn decode(buffer: DecoderBuffer<'a>) -> R<'a, Self> {
         let (tag, buffer) = buffer.decode::<Tag>()?;
-        decoder_invariant!(tag == Tag::default(), "invalid tag");
         let (credential_id, buffer) = buffer.decode()?;
         let (wire_version, buffer) = buffer.decode()?;
+        let (queue_id, buffer) = if tag.has_queue_id() {
+            let (queue_id, buffer) = buffer.decode()?;
+            (Some(queue_id), buffer)
+        } else {
+            (None, buffer)
+        };
         let (min_key_id, buffer) = buffer.decode()?;
         let value = Self {
             wire_version,
             credential_id,
+            queue_id,
             min_key_id,
         };
         Ok((value, buffer))
 
@@ -21,6 +21,7 @@ impl<'a> Packet<'a> {
             value: UnknownPathSecret {
                 wire_version: WireVersion::ZERO,
                 credential_id: id,
+                queue_id: None,
             },
             crypto_tag: &stateless_reset[..],
         }
@@ -48,25 +49,37 @@ impl<'a> Packet<'a> {
         aws_lc_rs::constant_time::verify_slices_are_equal(self.crypto_tag, stateless_reset).ok()?;
         Some(&self.value)
     }
+
+    #[inline]
+    pub fn queue_id(&self) -> Option<VarInt> {
+        self.value.queue_id
+    }
 }
 
 #[derive(Clone, Copy, Debug, PartialEq, Eq)]
 #[cfg_attr(test, derive(bolero_generator::TypeGenerator))]
 pub struct UnknownPathSecret {
-    pub wire_version: WireVersion,
     pub credential_id: credentials::Id,
+    pub wire_version: WireVersion,
+    pub queue_id: Option<VarInt>,
 }
 
 impl UnknownPathSecret {
-    pub const PACKET_SIZE: usize =
-        size_of::<Tag>() + size_of::<u8>() + size_of::<credentials::Id>() + TAG_LEN;
+    pub const MAX_PACKET_SIZE: usize = size_of::<Tag>()
+        + size_of::<u8>()
+        + size_of::<credentials::Id>()
+        + size_of::<VarInt>()
+        + TAG_LEN;
 
     #[inline]
     pub fn encode(&self, mut encoder: EncoderBuffer, stateless_reset_tag: &[u8; TAG_LEN]) -> usize {
         let before = encoder.len();
-        encoder.encode(&Tag::default());
+        encoder.encode(&Tag::default().with_queue_id(self.queue_id.is_some()));
         encoder.encode(&&self.credential_id[..]);
         encoder.encode(&self.wire_version);
+        if let Some(queue_id) = self.queue_id {
+            encoder.encode(&queue_id);
+        }
         encoder.encode(&&stateless_reset_tag[..]);
         let after = encoder.len();
         after - before
@@ -77,12 +90,19 @@ impl<'a> DecoderValue<'a> for UnknownPathSecret {
     #[inline]
     fn decode(buffer: DecoderBuffer<'a>) -> R<'a, Self> {
         let (tag, buffer) = buffer.decode::<Tag>()?;
-        decoder_invariant!(tag == Tag::default(), "invalid tag");
         let (credential_id, buffer) = buffer.decode()?;
         let (wire_version, buffer) = buffer.decode()?;
+        let (queue_id, buffer) = if tag.has_queue_id() {
+            let (queue_id, buffer) = buffer.decode()?;
+            (Some(queue_id), buffer)
+        } else {
+            (None, buffer)
+        };
+
         let value = Self {
             wire_version,
             credential_id,
+            queue_id,
         };
         Ok((value, buffer))
     }
@@ -102,7 +122,7 @@ mod tests {
         bolero::check!()
             .with_type::<(UnknownPathSecret, [u8; TAG_LEN])>()
             .for_each(|(value, stateless_reset)| {
-                let mut buffer = [0u8; UnknownPathSecret::PACKET_SIZE];
+                let mut buffer = [0u8; UnknownPathSecret::MAX_PACKET_SIZE];
                 let len = {
                     let encoder = s2n_codec::EncoderBuffer::new(&mut buffer);
                     value.encode(encoder, stateless_reset)
 
@@ -66,22 +66,25 @@ decoder_value!(
                     let (tag, buffer) = buffer.decode()?;
                     Ok((Self::Control(tag), buffer))
                 }
-                super::secret_control::stale_key::Tag::VALUE => {
+                super::secret_control::stale_key::Tag::VALUE
+                | super::secret_control::stale_key::Tag::VALUE_WITH_QUEUE_ID => {
                     let (tag, buffer) = buffer.decode()?;
                     Ok((Self::StaleKey(tag), buffer))
                 }
-                super::secret_control::replay_detected::Tag::VALUE => {
+                super::secret_control::replay_detected::Tag::VALUE
+                | super::secret_control::replay_detected::Tag::VALUE_WITH_QUEUE_ID => {
                     let (tag, buffer) = buffer.decode()?;
                     Ok((Self::ReplayDetected(tag), buffer))
                 }
-                super::secret_control::unknown_path_secret::Tag::VALUE => {
+                super::secret_control::unknown_path_secret::Tag::VALUE
+                | super::secret_control::unknown_path_secret::Tag::VALUE_WITH_QUEUE_ID => {
                     let (tag, buffer) = buffer.decode()?;
                     Ok((Self::UnknownPathSecret(tag), buffer))
                 }
                 // reserve this range for other packet types
-                0b0110_0011..=0b0111_1111 => Err(s2n_codec::DecoderError::InvariantViolation(
-                    "unexpected packet tag",
-                )),
+                0b0110_0011 | 0b0110_0111 | 0b0110_1000..=0b0111_1111 => Err(
+                    s2n_codec::DecoderError::InvariantViolation("unexpected packet tag"),
+                ),
                 0b1000_0000..=0b1111_1111 => Err(s2n_codec::DecoderError::InvariantViolation(
                     "only short packets are accepted",
                 )),
 
@@ -9,7 +9,7 @@ use crate::{
     stream::TransportFeatures,
 };
 use core::fmt;
-use s2n_quic_core::{dc, time};
+use s2n_quic_core::{dc, time, varint::VarInt};
 use std::{net::SocketAddr, sync::Arc};
 
 mod cleaner;
@@ -143,23 +143,29 @@ impl Map {
     pub fn open_once(
         &self,
         credentials: &Credentials,
+        queue_id: Option<VarInt>,
         control_out: &mut Vec<u8>,
     ) -> Option<open::Once> {
-        let entry = self.store.pre_authentication(credentials, control_out)?;
-        let opener = entry.uni_opener(self.clone(), credentials);
+        let entry = self
+            .store
+            .pre_authentication(credentials, queue_id, control_out)?;
+        let opener = entry.uni_opener(self.clone(), credentials, queue_id);
         Some(opener)
     }
 
     pub fn pair_for_credentials(
         &self,
         credentials: &Credentials,
+        queue_id: Option<VarInt>,
         features: &TransportFeatures,
         control_out: &mut Vec<u8>,
     ) -> Option<(entry::Bidirectional, dc::ApplicationParams)> {
-        let entry = self.store.pre_authentication(credentials, control_out)?;
+        let entry = self
+            .store
+            .pre_authentication(credentials, queue_id, control_out)?;
 
         let params = entry.parameters();
-        let keys = entry.bidi_remote(self.clone(), credentials, features);
+        let keys = entry.bidi_remote(self.clone(), credentials, queue_id, features);
 
         Some((keys, params))
     }
@@ -173,7 +179,41 @@ impl Map {
     }
 
     pub fn handle_control_packet(&self, packet: &control::Packet, peer: &SocketAddr) {
-        self.store.handle_control_packet(packet, peer)
+        match packet {
+            control::Packet::StaleKey(packet) => {
+                let _ = self.handle_stale_key_packet(packet, peer);
+            }
+            control::Packet::ReplayDetected(packet) => {
+                let _ = self.handle_replay_detected_packet(packet, peer);
+            }
+            control::Packet::UnknownPathSecret(packet) => {
+                let _ = self.handle_unknown_path_secret_packet(packet, peer);
+            }
+        }
+    }
+
+    pub fn handle_stale_key_packet<'a>(
+        &self,
+        packet: &'a control::stale_key::Packet,
+        peer: &SocketAddr,
+    ) -> Option<&'a control::StaleKey> {
+        self.store.handle_stale_key_packet(packet, peer)
+    }
+
+    pub fn handle_replay_detected_packet<'a>(
+        &self,
+        packet: &'a control::replay_detected::Packet,
+        peer: &SocketAddr,
+    ) -> Option<&'a control::ReplayDetected> {
+        self.store.handle_replay_detected_packet(packet, peer)
+    }
+
+    pub fn handle_unknown_path_secret_packet<'a>(
+        &self,
+        packet: &'a control::unknown_path_secret::Packet,
+        peer: &SocketAddr,
+    ) -> Option<&'a control::UnknownPathSecret> {
+        self.store.handle_unknown_path_secret_packet(packet, peer)
     }
 
     #[doc(hidden)]
Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,11 @@ macro_rules! impl_packet {`
`47`	`47`
`48`	`48`	`Some(value)`
`49`	`49`	`}`
	`50`	`+`
	`51`	`+ #[inline]`
	`52`	`+ pub fn queue_id(&self) -> Option<s2n_quic_core::varint::VarInt> {`
	`53`	`+ self.value.queue_id`
	`54`	`+ }`
`50`	`55`	`}`
`51`	`56`	`};`
`52`	`57`	`}`