move MaxTokenAge configuration option to the Transport (#4084)

This commit is contained in:
Marten Seemann 2023-09-16 19:10:20 +07:00 committed by GitHub
parent 9b82196578
commit 1affe38703
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 14 additions and 13 deletions


@ -53,9 +53,6 @@ func validateConfig(config *Config) error {
// it may be called with nil // it may be called with nil
func populateServerConfig(config *Config) *Config { func populateServerConfig(config *Config) *Config {
config = populateConfig(config) config = populateConfig(config)
if config.MaxTokenAge == 0 {
config.MaxTokenAge = protocol.TokenValidity
}
if config.RequireAddressValidation == nil { if config.RequireAddressValidation == nil {
config.RequireAddressValidation = func(net.Addr) bool { return false } config.RequireAddressValidation = func(net.Addr) bool { return false }
} }
@ -114,7 +111,6 @@ func populateConfig(config *Config) *Config {
Versions: versions, Versions: versions,
HandshakeIdleTimeout: handshakeIdleTimeout, HandshakeIdleTimeout: handshakeIdleTimeout,
MaxIdleTimeout: idleTimeout, MaxIdleTimeout: idleTimeout,
MaxTokenAge: config.MaxTokenAge,
RequireAddressValidation: config.RequireAddressValidation, RequireAddressValidation: config.RequireAddressValidation,
KeepAlivePeriod: config.KeepAlivePeriod, KeepAlivePeriod: config.KeepAlivePeriod,
InitialStreamReceiveWindow: initialStreamReceiveWindow, InitialStreamReceiveWindow: initialStreamReceiveWindow,


@ -78,8 +78,6 @@ var _ = Describe("Config", func() {
f.Set(reflect.ValueOf(time.Second)) f.Set(reflect.ValueOf(time.Second))
case "MaxIdleTimeout": case "MaxIdleTimeout":
f.Set(reflect.ValueOf(time.Hour)) f.Set(reflect.ValueOf(time.Hour))
case "MaxTokenAge":
f.Set(reflect.ValueOf(2 * time.Hour))
case "TokenStore": case "TokenStore":
f.Set(reflect.ValueOf(NewLRUTokenStore(2, 3))) f.Set(reflect.ValueOf(NewLRUTokenStore(2, 3)))
case "InitialStreamReceiveWindow": case "InitialStreamReceiveWindow":


@ -268,10 +268,6 @@ type Config struct {
// See https://datatracker.ietf.org/doc/html/rfc9000#section-8 for details. // See https://datatracker.ietf.org/doc/html/rfc9000#section-8 for details.
// If not set, every client is forced to prove its remote address. // If not set, every client is forced to prove its remote address.
RequireAddressValidation func(net.Addr) bool RequireAddressValidation func(net.Addr) bool
// MaxTokenAge is the maximum age of the token presented during the handshake,
// for tokens that were issued on a previous connection.
// If not set, it defaults to 24 hours. Only valid for a server.
MaxTokenAge time.Duration
// The TokenStore stores tokens received from the server. // The TokenStore stores tokens received from the server.
// Tokens are used to skip address validation on future connection attempts. // Tokens are used to skip address validation on future connection attempts.
// The key used to store tokens is the ServerName from the tls.Config, if set // The key used to store tokens is the ServerName from the tls.Config, if set


@ -61,7 +61,7 @@ func (s *tokenProtectorImpl) DecodeToken(p []byte) ([]byte, error) {
} }
func (s *tokenProtectorImpl) createAEAD(nonce []byte) (cipher.AEAD, []byte, error) { func (s *tokenProtectorImpl) createAEAD(nonce []byte) (cipher.AEAD, []byte, error) {
h := hkdf.New(sha256.New, s.key[:], nonce[:], []byte("quic-go token source")) h := hkdf.New(sha256.New, s.key[:], nonce, []byte("quic-go token source"))
key := make([]byte, 32) // use a 32 byte key, in order to select AES-256 key := make([]byte, 32) // use a 32 byte key, in order to select AES-256
if _, err := io.ReadFull(h, key); err != nil { if _, err := io.ReadFull(h, key); err != nil {
return nil, nil, err return nil, nil, err


@ -67,6 +67,7 @@ type baseServer struct {
conn rawConn conn rawConn
tokenGenerator *handshake.TokenGenerator tokenGenerator *handshake.TokenGenerator
maxTokenAge time.Duration
connIDGenerator ConnectionIDGenerator connIDGenerator ConnectionIDGenerator
connHandler packetHandlerManager connHandler packetHandlerManager
@ -227,6 +228,7 @@ func newServer(
tracer *logging.Tracer, tracer *logging.Tracer,
onClose func(), onClose func(),
tokenGeneratorKey TokenGeneratorKey, tokenGeneratorKey TokenGeneratorKey,
maxTokenAge time.Duration,
disableVersionNegotiation bool, disableVersionNegotiation bool,
acceptEarly bool, acceptEarly bool,
) *baseServer { ) *baseServer {
@ -235,6 +237,7 @@ func newServer(
tlsConf: tlsConf, tlsConf: tlsConf,
config: config, config: config,
tokenGenerator: handshake.NewTokenGenerator(tokenGeneratorKey), tokenGenerator: handshake.NewTokenGenerator(tokenGeneratorKey),
maxTokenAge: maxTokenAge,
connIDGenerator: connIDGenerator, connIDGenerator: connIDGenerator,
connHandler: connHandler, connHandler: connHandler,
connQueue: make(chan quicConn), connQueue: make(chan quicConn),
@ -524,7 +527,7 @@ func (s *baseServer) validateToken(token *handshake.Token, addr net.Addr) bool {
if !token.ValidateRemoteAddr(addr) { if !token.ValidateRemoteAddr(addr) {
return false return false
} }
if !token.IsRetryToken && time.Since(token.SentTime) > s.config.MaxTokenAge { if !token.IsRetryToken && time.Since(token.SentTime) > s.maxTokenAge {
return false return false
} }
if token.IsRetryToken && time.Since(token.SentTime) > s.config.maxRetryTokenAge() { if token.IsRetryToken && time.Since(token.SentTime) > s.config.maxRetryTokenAge() {
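Review bot: validateToken now compares against `s.maxTokenAge` (the changed line `if !token.IsRetryToken && time.Since(token.SentTime) > s.maxTokenAge {`), but nothing in this commit replaces the default that populateServerConfig used to apply (the removed `config.MaxTokenAge = protocol.TokenValidity`), and createServer in transport.go passes `t.MaxTokenAge` through to newServer unchanged. If no other code path sets it, a Transport that leaves MaxTokenAge at zero makes this check reject every non-retry token, so address validation is never skipped — fail-closed, but contrary to the field's documented 24-hour default. Unless the default is applied somewhere outside these hunks, createServer should normalise before the newServer call, e.g. `maxTokenAge := t.MaxTokenAge` / `if maxTokenAge == 0 { maxTokenAge = protocol.TokenValidity }` and pass `maxTokenAge` instead of `t.MaxTokenAge`. The newServer signature and the validateToken body both extend outside the hunks shown here.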


@ -901,7 +901,7 @@ var _ = Describe("Server", func() {
It("sends an INVALID_TOKEN error, if an expired non-retry token is received", func() { It("sends an INVALID_TOKEN error, if an expired non-retry token is received", func() {
serv.config.RequireAddressValidation = func(net.Addr) bool { return true } serv.config.RequireAddressValidation = func(net.Addr) bool { return true }
serv.config.MaxTokenAge = time.Millisecond serv.maxTokenAge = time.Millisecond
raddr := &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 1337} raddr := &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 1337}
token, err := serv.tokenGenerator.NewToken(raddr) token, err := serv.tokenGenerator.NewToken(raddr)
Expect(err).ToNot(HaveOccurred()) Expect(err).ToNot(HaveOccurred())


@ -63,6 +63,13 @@ type Transport struct {
// see section 8.1.3 of RFC 9000 for details. // see section 8.1.3 of RFC 9000 for details.
TokenGeneratorKey *TokenGeneratorKey TokenGeneratorKey *TokenGeneratorKey
// MaxTokenAge is the maximum age of the resumption token presented during the handshake.
// These tokens allow skipping address resumption when resuming a QUIC connection,
// and are especially useful when using 0-RTT.
// If not set, it defaults to 24 hours.
// See section 8.1.3 of RFC 9000 for details.
MaxTokenAge time.Duration
// DisableVersionNegotiationPackets disables the sending of Version Negotiation packets. // DisableVersionNegotiationPackets disables the sending of Version Negotiation packets.
// This can be useful if version information is exchanged out-of-band. // This can be useful if version information is exchanged out-of-band.
// It has no effect for clients. // It has no effect for clients.
@ -151,6 +158,7 @@ func (t *Transport) createServer(tlsConf *tls.Config, conf *Config, allow0RTT bo
t.Tracer, t.Tracer,
t.closeServer, t.closeServer,
*t.TokenGeneratorKey, *t.TokenGeneratorKey,
t.MaxTokenAge,
t.DisableVersionNegotiationPackets, t.DisableVersionNegotiationPackets,
allow0RTT, allow0RTT,
) )
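Review bot: The new field comment on MaxTokenAge says `// These tokens allow skipping address resumption when resuming a QUIC connection,`; what the token lets the server skip is address validation (the comment itself points to RFC 9000 section 8.1.3 for that mechanism), so the line should read `// These tokens allow skipping address validation when resuming a QUIC connection,`. The hunk header reports seven added lines for this block while six are visible, so one comment line may have been lost in rendering; worth a glance at the actual file. The Transport struct and createServer both continue outside the hunks shown.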