use the KEY_UPDATE_ERROR code when the peer updates keys too frequently

internal/handshake/updatable_aead.go

@@ -182,13 +182,13 @@ func (a *updatableAEAD) Open(dst, src []byte, rcvTime time.Time, pn protocol.Pac
 		// try opening the packet with the next key phase
 		dec, err := a.nextRcvAEAD.Open(dst, a.nonceBuf, src, ad)
 		if err == nil && receivedWrongInitialKeyPhase {
-			return nil, qerr.NewError(qerr.ProtocolViolation, "wrong initial key phase")
+			return nil, qerr.NewError(qerr.KeyUpdateError, "wrong initial key phase")
 		} else if err != nil {
 			return nil, ErrDecryptionFailed
 		}
 		// Opening succeeded. Check if the peer was allowed to update.
 		if a.firstSentWithCurrentKey == protocol.InvalidPacketNumber {
-			return nil, qerr.NewError(qerr.ProtocolViolation, "keys updated too quickly")
+			return nil, qerr.NewError(qerr.KeyUpdateError, "keys updated too quickly")
 		}
 		a.rollKeys()
 		// The peer initiated this key update. It's safe to drop the keys for the previous generation now.

internal/handshake/updatable_aead_test.go

@@ -208,7 +208,7 @@ var _ = Describe("Updatable AEAD", func() {
 							client.rollKeys()
 							encrypted := client.Seal(nil, msg, 0x1337, ad)
 							_, err := server.Open(nil, encrypted, time.Now(), 0x1337, protocol.KeyPhaseOne, ad)
-							Expect(err).To(MatchError("PROTOCOL_VIOLATION: wrong initial key phase"))
+							Expect(err).To(MatchError("KEY_UPDATE_ERROR: wrong initial key phase"))
 						})
 
 						It("only errors when the peer starts with key phase 1 if decrypting the packet succeeds", func() {
@@ -228,7 +228,7 @@ var _ = Describe("Updatable AEAD", func() {
 							client.rollKeys()
 							encrypted1 := client.Seal(nil, msg, 0x42, ad)
 							_, err = server.Open(nil, encrypted1, time.Now(), 0x42, protocol.KeyPhaseOne, ad)
-							Expect(err).To(MatchError("PROTOCOL_VIOLATION: keys updated too quickly"))
+							Expect(err).To(MatchError("KEY_UPDATE_ERROR: keys updated too quickly"))
 						})
 					})