randomly generate the server config ID and check whether it matches

Lucas Clemente
2016-04-16 00:09:50 +02:00
parent 06a4201d65
commit 13c0445bb4
3 changed files with 16 additions and 3 deletions


@@ -47,7 +47,8 @@ func (h *CryptoSetup) HandleCryptoMessage(data []byte) ([]byte, error) {
return nil, errors.New("Session: expected CHLO")
}
if _, ok := cryptoData[TagSCID]; ok {
if scid, ok := cryptoData[TagSCID]; ok && bytes.Equal(h.scfg.ID, scid) {
// We have a CHLO matching our server config, we can continue with the 0-RTT handshake
var sharedSecret []byte
sharedSecret, err = h.scfg.kex.CalculateSharedKey(cryptoData[TagPUBS])
if err != nil {
@@ -61,6 +62,8 @@ func (h *CryptoSetup) HandleCryptoMessage(data []byte) ([]byte, error) {
return nil, nil
}
// We have an inacholate or non-matching CHLO, we now send a rejection
var chloOrNil []byte
if h.version > protocol.VersionNumber(30) {
chloOrNil = data
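Review bot: The comment added on the rejection path misspells the handshake term: `inacholate` should read `inchoate`, i.e. `// We have an inchoate or non-matching CHLO, we now send a rejection`. On the new SCID condition, `bytes.Equal` is not a constant-time comparison; that looks acceptable because the same ID is written into the server config message under `TagSCID` and so is presumably not a secret, but a one-line comment beside the condition saying so would spare the next reader the question. HandleCryptoMessage starts and ends outside these hunks, so whether `TagPUBS` is checked for presence and length before `CalculateSharedKey` cannot be judged from here.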


@@ -2,6 +2,7 @@ package handshake
import (
"bytes"
"crypto/rand"
"github.com/lucas-clemente/quic-go/crypto"
)
@@ -10,13 +11,20 @@ import (
type ServerConfig struct {
kex crypto.KeyExchange
kd *crypto.KeyData
ID []byte
}
// NewServerConfig creates a new server config
func NewServerConfig(kex crypto.KeyExchange, kd *crypto.KeyData) *ServerConfig {
id := make([]byte, 16)
_, err := rand.Reader.Read(id)
if err != nil {
panic(err)
}
return &ServerConfig{
kex: kex,
kd: kd,
ID: id,
}
}
@@ -24,7 +32,7 @@ func NewServerConfig(kex crypto.KeyExchange, kd *crypto.KeyData) *ServerConfig {
func (s *ServerConfig) Get() []byte {
var serverConfig bytes.Buffer
WriteHandshakeMessage(&serverConfig, TagSCFG, map[Tag][]byte{
TagSCID: []byte{0xC5, 0x1C, 0x73, 0x6B, 0x8F, 0x48, 0x49, 0xAE, 0xB3, 0x00, 0xA2, 0xD4, 0x4B, 0xA0, 0xCF, 0xDF},
TagSCID: s.ID,
TagKEXS: []byte("C255"),
TagAEAD: []byte("CC20"),
TagPUBS: append([]byte{0x20, 0x00, 0x00}, s.kex.PublicKey()...),
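Review bot: In NewServerConfig the ID is filled by a single `rand.Reader.Read(id)` call whose byte count is discarded, so the code relies on the reader never returning a short read; the `io.Reader` contract does not promise that, and a short read would leave trailing zero bytes in the ID. `rand.Read(id)` (or `io.ReadFull(rand.Reader, id)`) makes the full 16-byte fill explicit: `if _, err := rand.Read(id); err != nil { panic(err) }`. The length `16` would read better as a named constant, and because `ID` is an exported slice any caller can mutate it after construction, which would silently change what the SCID comparison in HandleCryptoMessage accepts. Get's body continues past the end of the last hunk.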


@@ -21,7 +21,9 @@ var _ = Describe("ServerConfig", func() {
})
It("gets the proper binary representation", func() {
expected := bytes.NewBuffer([]byte{0x53, 0x43, 0x46, 0x47, 0x7, 0x0, 0x0, 0x0, 0x56, 0x45, 0x52, 0x0, 0x4, 0x0, 0x0, 0x0, 0x41, 0x45, 0x41, 0x44, 0x8, 0x0, 0x0, 0x0, 0x53, 0x43, 0x49, 0x44, 0x18, 0x0, 0x0, 0x0, 0x50, 0x55, 0x42, 0x53, 0x3b, 0x0, 0x0, 0x0, 0x4b, 0x45, 0x58, 0x53, 0x3f, 0x0, 0x0, 0x0, 0x4f, 0x42, 0x49, 0x54, 0x47, 0x0, 0x0, 0x0, 0x45, 0x58, 0x50, 0x59, 0x4f, 0x0, 0x0, 0x0, 0x51, 0x30, 0x33, 0x32, 0x43, 0x43, 0x32, 0x30, 0xc5, 0x1c, 0x73, 0x6b, 0x8f, 0x48, 0x49, 0xae, 0xb3, 0x0, 0xa2, 0xd4, 0x4b, 0xa0, 0xcf, 0xdf, 0x20, 0x0, 0x0})
expected := bytes.NewBuffer([]byte{0x53, 0x43, 0x46, 0x47, 0x7, 0x0, 0x0, 0x0, 0x56, 0x45, 0x52, 0x0, 0x4, 0x0, 0x0, 0x0, 0x41, 0x45, 0x41, 0x44, 0x8, 0x0, 0x0, 0x0, 0x53, 0x43, 0x49, 0x44, 0x18, 0x0, 0x0, 0x0, 0x50, 0x55, 0x42, 0x53, 0x3b, 0x0, 0x0, 0x0, 0x4b, 0x45, 0x58, 0x53, 0x3f, 0x0, 0x0, 0x0, 0x4f, 0x42, 0x49, 0x54, 0x47, 0x0, 0x0, 0x0, 0x45, 0x58, 0x50, 0x59, 0x4f, 0x0, 0x0, 0x0, 0x51, 0x30, 0x33, 0x32, 0x43, 0x43, 0x32, 0x30})
expected.Write(scfg.ID)
expected.Write([]byte{0x20, 0x0, 0x0})
expected.Write(kex.PublicKey())
expected.Write([]byte{0x43, 0x32, 0x35, 0x35, 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff})
Expect(scfg.Get()).To(Equal(expected.Bytes()))