From 408ba9f053002b40a8061c3e0f51ca7d38302ff6 Mon Sep 17 00:00:00 2001
From: Marten Seemann
Date: Wed, 18 Dec 2024 19:44:03 +0800
Subject: [PATCH] use a 24h maximum token age if Transport.MaxTokenAge is unset (#4763)

---
 integrationtests/self/handshake_test.go | 33 ++++++++++++++++++++-----
 transport.go | 6 ++++-
 2 files changed, 32 insertions(+), 7 deletions(-)

diff --git a/integrationtests/self/handshake_test.go b/integrationtests/self/handshake_test.go
index d391a174..9f9374a8 100644
--- a/integrationtests/self/handshake_test.go
+++ b/integrationtests/self/handshake_test.go
@@ -432,13 +432,29 @@ func TestALPN(t *testing.T) {
 }
 func TestTokensFromNewTokenFrames(t *testing.T) {
+ t.Run("MaxTokenAge: 1 hour", func(t *testing.T) {
+ testTokensFromNewTokenFrames(t, 0, true)
+ })
+ // If unset, the default value is 24h.
+ t.Run("MaxTokenAge: default", func(t *testing.T) {
+ testTokensFromNewTokenFrames(t, 0, true)
+ })
+ t.Run("MaxTokenAge: very short", func(t *testing.T) {
+ testTokensFromNewTokenFrames(t, time.Microsecond, false)
+ })
+}
+
+func testTokensFromNewTokenFrames(t *testing.T, maxTokenAge time.Duration, expectTokenUsed bool) {
 addrVerifiedChan := make(chan bool, 2)
 quicConf := getQuicConfig(nil)
 quicConf.GetConfigForClient = func(info *quic.ClientHelloInfo) (*quic.Config, error) {
 addrVerifiedChan <- info.AddrVerified
 return quicConf, nil
 }
- server, err := quic.Listen(newUPDConnLocalhost(t), getTLSConfig(), quicConf)
+ tr := &quic.Transport{Conn: newUPDConnLocalhost(t), MaxTokenAge: maxTokenAge}
+ addTracer(tr)
+ defer tr.Close()
+ server, err := tr.Listen(getTLSConfig(), quicConf)
 require.NoError(t, err)
 defer server.Close()
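Review bot: The subtest named `MaxTokenAge: 1 hour` passes `0` to testTokensFromNewTokenFrames, which is exactly the input of the `MaxTokenAge: default` subtest, so as written no subtest exercises an explicitly configured non-zero age that is long enough for the token to still be accepted. Change the first call to `testTokensFromNewTokenFrames(t, time.Hour, true)` so the name and the input agree and the explicit-configuration path is actually covered. The helper's third parameter deserves a one-line comment since its meaning is only visible at the assertion much further down, e.g. `// expectTokenUsed: whether the second dial is expected to be address-verified by the stored token`. The body of testTokensFromNewTokenFrames continues past this hunk.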
@@ -453,10 +469,10 @@ func TestTokensFromNewTokenFrames(t *testing.T) {
 gets := make(chan string, 2)
 puts := make(chan string, 2)
- tokenStore := newTokenStore(gets, puts)
+ ts := newTokenStore(gets, puts)
 ctx, cancel := context.WithTimeout(context.Background(), time.Second)
 defer cancel()
- conn, err := quic.Dial(ctx, newUPDConnLocalhost(t), server.Addr(), getTLSClientConfig(), getQuicConfig(&quic.Config{TokenStore: tokenStore}))
+ conn, err := quic.Dial(ctx, newUPDConnLocalhost(t), server.Addr(), getTLSClientConfig(), getQuicConfig(&quic.Config{TokenStore: ts}))
 require.NoError(t, err)
 // verify token store was used
@@ -484,15 +500,20 @@ func TestTokensFromNewTokenFrames(t *testing.T) {
 // received a token. Close this connection.
 require.NoError(t, conn.CloseWithError(0, ""))
- conn, err = quic.Dial(ctx, newUPDConnLocalhost(t), server.Addr(), getTLSClientConfig(), getQuicConfig(&quic.Config{TokenStore: tokenStore}))
+ time.Sleep(scaleDuration(5 * time.Millisecond))
+ conn, err = quic.Dial(ctx, newUPDConnLocalhost(t), server.Addr(), getTLSClientConfig(), getQuicConfig(&quic.Config{TokenStore: ts}))
 require.NoError(t, err)
 defer conn.CloseWithError(0, "")
 select {
 case addrVerified := <-addrVerifiedChan:
 // this time, the address was verified using the token
- // TODO (#4737): check that addrVerified is true
- _ = addrVerified
+ if expectTokenUsed {
+ require.True(t, addrVerified)
+ } else {
+ require.False(t, addrVerified)
+ }
+
 case <-time.After(time.Second):
 t.Fatal("timeout waiting for addr verified")
 }
diff --git a/transport.go b/transport.go
index 100f3037..d835ea00 100644
--- a/transport.go
+++ b/transport.go
@@ -175,6 +175,10 @@ func (t *Transport) createServer(tlsConf *tls.Config, conf *Config, allow0RTT bo
 if err := t.init(false); err != nil {
 return nil, err
 }
+ maxTokenAge := t.MaxTokenAge
+ if maxTokenAge == 0 {
+ maxTokenAge = 24 * time.Hour
+ }
 s := newServer(
 t.conn,
 t.handlerMap,
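Review bot: The `if expectTokenUsed { require.True(...) } else { require.False(...) }` block in the select case collapses to `require.Equal(t, expectTokenUsed, addrVerified)`, which also reports both values on failure instead of a bare true/false mismatch. The context comment `// this time, the address was verified using the token` directly above it is now only accurate for the expectTokenUsed branch; suggest `// the second dial presents the stored token; it only verifies the address if the token is younger than MaxTokenAge`. The added `time.Sleep(scaleDuration(5 * time.Millisecond))` presumably exists so the `time.Microsecond` token has certainly aged out before the second dial; a one-line comment stating that would keep a future reader from removing it as a flake workaround. The enclosing helper starts before this hunk.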
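Review bot: The `24 * time.Hour` fallback in createServer is a bare literal; a package-level `const defaultMaxTokenAge = 24 * time.Hour` would let the `Transport.MaxTokenAge` field doc (outside this hunk) name the default, and that doc should state it explicitly because a zero value now silently selects a one-day window during which a stored token lets a client skip address verification (the test asserts exactly that via `info.AddrVerified`). Only `== 0` is remapped here; a negative MaxTokenAge is forwarded to newServer unchanged, so unless newServer rejects it, `if maxTokenAge <= 0 {` (or returning an error) would be safer. Operators who want a tighter validity window than one day must now set the field explicitly, which is worth a sentence in the field doc. createServer continues past this hunk.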
@@ -185,7 +189,7 @@ func (t *Transport) createServer(tlsConf *tls.Config, conf *Config, allow0RTT bo
 t.Tracer,
 t.closeServer,
 *t.TokenGeneratorKey,
- t.MaxTokenAge,
+ maxTokenAge,
 t.VerifySourceAddress,
 t.DisableVersionNegotiationPackets,
 allow0RTT,