use an array instead of a byte slice for Connection IDs

2022-08-28 16:05:56 +03:00
parent 9e0f9e62ff
commit 1aced95d41
47 changed files with 530 additions and 487 deletions
--- a/internal/handshake/initial_aead.go
+++ b/internal/handshake/initial_aead.go
@@ -62,7 +62,7 @@ func NewInitialAEAD(connID protocol.ConnectionID, pers protocol.Perspective, v p
 }

 func computeSecrets(connID protocol.ConnectionID, v protocol.VersionNumber) (clientSecret, serverSecret []byte) {
-	initialSecret := hkdf.Extract(crypto.SHA256.New, connID, getSalt(v))
+	initialSecret := hkdf.Extract(crypto.SHA256.New, connID.Bytes(), getSalt(v))
 	clientSecret = hkdfExpandLabel(crypto.SHA256, initialSecret, []byte{}, "client in", crypto.SHA256.Size())
 	serverSecret = hkdfExpandLabel(crypto.SHA256, initialSecret, []byte{}, "server in", crypto.SHA256.Size())
 	return
--- a/internal/handshake/initial_aead_test.go
+++ b/internal/handshake/initial_aead_test.go
@@ -18,7 +18,7 @@ var _ = Describe("Initial AEAD using AES-GCM", func() {
 		Expect(splitHexString("dead beef")).To(Equal([]byte{0xde, 0xad, 0xbe, 0xef}))
 	})

-	connID := protocol.ConnectionID(splitHexString("0x8394c8f03e515708"))
+	connID := protocol.ParseConnectionID(splitHexString("0x8394c8f03e515708"))

 	DescribeTable("computes the client key and IV",
 		func(v protocol.VersionNumber, expectedClientSecret, expectedKey, expectedIV []byte) {
@@ -160,7 +160,7 @@ var _ = Describe("Initial AEAD using AES-GCM", func() {

 		Context(fmt.Sprintf("using version %s", v), func() {
 			It("seals and opens", func() {
-				connectionID := protocol.ConnectionID{0x12, 0x34, 0x56, 0x78, 0x90, 0xab, 0xcd, 0xef}
+				connectionID := protocol.ParseConnectionID([]byte{0x12, 0x34, 0x56, 0x78, 0x90, 0xab, 0xcd, 0xef})
 				clientSealer, clientOpener := NewInitialAEAD(connectionID, protocol.PerspectiveClient, v)
 				serverSealer, serverOpener := NewInitialAEAD(connectionID, protocol.PerspectiveServer, v)

@@ -175,8 +175,8 @@ var _ = Describe("Initial AEAD using AES-GCM", func() {
 			})

 			It("doesn't work if initialized with different connection IDs", func() {
-				c1 := protocol.ConnectionID{0, 0, 0, 0, 0, 0, 0, 1}
-				c2 := protocol.ConnectionID{0, 0, 0, 0, 0, 0, 0, 2}
+				c1 := protocol.ParseConnectionID([]byte{0, 0, 0, 0, 0, 0, 0, 1})
+				c2 := protocol.ParseConnectionID([]byte{0, 0, 0, 0, 0, 0, 0, 2})
 				clientSealer, _ := NewInitialAEAD(c1, protocol.PerspectiveClient, v)
 				_, serverOpener := NewInitialAEAD(c2, protocol.PerspectiveServer, v)

@@ -186,7 +186,7 @@ var _ = Describe("Initial AEAD using AES-GCM", func() {
 			})

 			It("encrypts und decrypts the header", func() {
-				connID := protocol.ConnectionID{0xde, 0xca, 0xfb, 0xad}
+				connID := protocol.ParseConnectionID([]byte{0xde, 0xca, 0xfb, 0xad})
 				clientSealer, clientOpener := NewInitialAEAD(connID, protocol.PerspectiveClient, v)
 				serverSealer, serverOpener := NewInitialAEAD(connID, protocol.PerspectiveServer, v)

--- a/internal/handshake/retry_test.go
+++ b/internal/handshake/retry_test.go
@@ -9,27 +9,30 @@ import (

 var _ = Describe("Retry Integrity Check", func() {
 	It("calculates retry integrity tags", func() {
-		fooTag := GetRetryIntegrityTag([]byte("foo"), protocol.ConnectionID{1, 2, 3, 4}, protocol.VersionDraft29)
-		barTag := GetRetryIntegrityTag([]byte("bar"), protocol.ConnectionID{1, 2, 3, 4}, protocol.VersionDraft29)
+		connID := protocol.ParseConnectionID([]byte{1, 2, 3, 4})
+		fooTag := GetRetryIntegrityTag([]byte("foo"), connID, protocol.VersionDraft29)
+		barTag := GetRetryIntegrityTag([]byte("bar"), connID, protocol.VersionDraft29)
 		Expect(fooTag).ToNot(BeNil())
 		Expect(barTag).ToNot(BeNil())
 		Expect(*fooTag).ToNot(Equal(*barTag))
 	})

 	It("includes the original connection ID in the tag calculation", func() {
-		t1 := GetRetryIntegrityTag([]byte("foobar"), protocol.ConnectionID{1, 2, 3, 4}, protocol.Version1)
-		t2 := GetRetryIntegrityTag([]byte("foobar"), protocol.ConnectionID{4, 3, 2, 1}, protocol.Version1)
+		connID1 := protocol.ParseConnectionID([]byte{1, 2, 3, 4})
+		connID2 := protocol.ParseConnectionID([]byte{4, 3, 2, 1})
+		t1 := GetRetryIntegrityTag([]byte("foobar"), connID1, protocol.Version1)
+		t2 := GetRetryIntegrityTag([]byte("foobar"), connID2, protocol.Version1)
 		Expect(*t1).ToNot(Equal(*t2))
 	})

 	It("uses the test vector from the draft, for old draft versions", func() {
-		connID := protocol.ConnectionID(splitHexString("0x8394c8f03e515708"))
+		connID := protocol.ParseConnectionID(splitHexString("0x8394c8f03e515708"))
 		data := splitHexString("ffff00001d0008f067a5502a4262b574 6f6b656ed16926d81f6f9ca2953a8aa4 575e1e49")
 		Expect(GetRetryIntegrityTag(data[:len(data)-16], connID, protocol.VersionDraft29)[:]).To(Equal(data[len(data)-16:]))
 	})

 	It("uses the test vector from the draft, for version 1", func() {
-		connID := protocol.ConnectionID(splitHexString("0x8394c8f03e515708"))
+		connID := protocol.ParseConnectionID(splitHexString("0x8394c8f03e515708"))
 		data := splitHexString("ff000000010008f067a5502a4262b574 6f6b656e04a265ba2eff4d829058fb3f 0f2496ba")
 		Expect(GetRetryIntegrityTag(data[:len(data)-16], connID, protocol.Version1)[:]).To(Equal(data[len(data)-16:]))
 	})
--- a/internal/handshake/token_generator.go
+++ b/internal/handshake/token_generator.go
@@ -65,8 +65,8 @@ func (g *TokenGenerator) NewRetryToken(
 	data, err := asn1.Marshal(token{
 		IsRetryToken:             true,
 		RemoteAddr:               encodeRemoteAddr(raddr),
-		OriginalDestConnectionID: origDestConnID,
-		RetrySrcConnectionID:     retrySrcConnID,
+		OriginalDestConnectionID: origDestConnID.Bytes(),
+		RetrySrcConnectionID:     retrySrcConnID.Bytes(),
 		Timestamp:                time.Now().UnixNano(),
 	})
 	if err != nil {
@@ -112,8 +112,8 @@ func (g *TokenGenerator) DecodeToken(encrypted []byte) (*Token, error) {
 		encodedRemoteAddr: t.RemoteAddr,
 	}
 	if t.IsRetryToken {
-		token.OriginalDestConnectionID = protocol.ConnectionID(t.OriginalDestConnectionID)
-		token.RetrySrcConnectionID = protocol.ConnectionID(t.RetrySrcConnectionID)
+		token.OriginalDestConnectionID = protocol.ParseConnectionID(t.OriginalDestConnectionID)
+		token.RetrySrcConnectionID = protocol.ParseConnectionID(t.RetrySrcConnectionID)
 	}
 	return token, nil
 }
--- a/internal/handshake/token_generator_test.go
+++ b/internal/handshake/token_generator_test.go
@@ -23,7 +23,7 @@ var _ = Describe("Token Generator", func() {

 	It("generates a token", func() {
 		ip := net.IPv4(127, 0, 0, 1)
-		token, err := tokenGen.NewRetryToken(&net.UDPAddr{IP: ip, Port: 1337}, nil, nil)
+		token, err := tokenGen.NewRetryToken(&net.UDPAddr{IP: ip, Port: 1337}, protocol.ConnectionID{}, protocol.ConnectionID{})
 		Expect(err).ToNot(HaveOccurred())
 		Expect(token).ToNot(BeEmpty())
 	})
@@ -36,7 +36,7 @@ var _ = Describe("Token Generator", func() {

 	It("accepts a valid token", func() {
 		addr := &net.UDPAddr{IP: net.IPv4(192, 168, 0, 1), Port: 1337}
-		tokenEnc, err := tokenGen.NewRetryToken(addr, nil, nil)
+		tokenEnc, err := tokenGen.NewRetryToken(addr, protocol.ConnectionID{}, protocol.ConnectionID{})
 		Expect(err).ToNot(HaveOccurred())
 		token, err := tokenGen.DecodeToken(tokenEnc)
 		Expect(err).ToNot(HaveOccurred())
@@ -48,16 +48,14 @@ var _ = Describe("Token Generator", func() {
 	})

 	It("saves the connection ID", func() {
-		tokenEnc, err := tokenGen.NewRetryToken(
-			&net.UDPAddr{},
-			protocol.ConnectionID{0xde, 0xad, 0xbe, 0xef},
-			protocol.ConnectionID{0xde, 0xad, 0xc0, 0xde},
-		)
+		connID1 := protocol.ParseConnectionID([]byte{0xde, 0xad, 0xbe, 0xef})
+		connID2 := protocol.ParseConnectionID([]byte{0xde, 0xad, 0xc0, 0xde})
+		tokenEnc, err := tokenGen.NewRetryToken(&net.UDPAddr{}, connID1, connID2)
 		Expect(err).ToNot(HaveOccurred())
 		token, err := tokenGen.DecodeToken(tokenEnc)
 		Expect(err).ToNot(HaveOccurred())
-		Expect(token.OriginalDestConnectionID).To(Equal(protocol.ConnectionID{0xde, 0xad, 0xbe, 0xef}))
-		Expect(token.RetrySrcConnectionID).To(Equal(protocol.ConnectionID{0xde, 0xad, 0xc0, 0xde}))
+		Expect(token.OriginalDestConnectionID).To(Equal(connID1))
+		Expect(token.RetrySrcConnectionID).To(Equal(connID2))
 	})

 	It("rejects invalid tokens", func() {
@@ -103,7 +101,7 @@ var _ = Describe("Token Generator", func() {
 			ip := net.ParseIP(addr)
 			Expect(ip).ToNot(BeNil())
 			raddr := &net.UDPAddr{IP: ip, Port: 1337}
-			tokenEnc, err := tokenGen.NewRetryToken(raddr, nil, nil)
+			tokenEnc, err := tokenGen.NewRetryToken(raddr, protocol.ConnectionID{}, protocol.ConnectionID{})
 			Expect(err).ToNot(HaveOccurred())
 			token, err := tokenGen.DecodeToken(tokenEnc)
 			Expect(err).ToNot(HaveOccurred())
@@ -114,7 +112,7 @@ var _ = Describe("Token Generator", func() {

 	It("uses the string representation an address that is not a UDP address", func() {
 		raddr := &net.TCPAddr{IP: net.IPv4(192, 168, 13, 37), Port: 1337}
-		tokenEnc, err := tokenGen.NewRetryToken(raddr, nil, nil)
+		tokenEnc, err := tokenGen.NewRetryToken(raddr, protocol.ConnectionID{}, protocol.ConnectionID{})
 		Expect(err).ToNot(HaveOccurred())
 		token, err := tokenGen.DecodeToken(tokenEnc)
 		Expect(err).ToNot(HaveOccurred())