forked from quic-go/quic-go
use a type alias for the STK
This commit is contained in:
Marten Seemann
@@ -14,10 +14,16 @@ const (
|
||||
stkPrefixString
|
||||
)
|
||||
|
||||
// An STK is a source address token
|
||||
// An STK is a Source Address token.
|
||||
// It is issued by the server and sent to the client. For the client, it is an opaque blob.
|
||||
// The client can send the STK in subsequent handshakes to prove ownership of its IP address.
|
||||
type STK struct {
|
||||
// The remote address this token was issued for.
|
||||
// If the server is run on a net.UDPConn, this is the string representation of the IP address (net.IP.String())
|
||||
// Otherwise, this is the string representation of the net.Addr (net.Addr.String())
|
||||
RemoteAddr string
|
||||
SentTime time.Time
|
||||
// The time that the STK was issued (resolution 1 second)
|
||||
SentTime time.Time
|
||||
}
|
||||
|
||||
// token is the struct that is used for ASN1 serialization and deserialization
|
||||
|
||||
18
interface.go
18
interface.go
@@ -5,7 +5,8 @@ import (
|
||||
"io"
|
||||
"net"
|
||||
"time"
|
||||
|
||||
|
||||
"github.com/lucas-clemente/quic-go/handshake"
|
||||
"github.com/lucas-clemente/quic-go/internal/protocol"
|
||||
)
|
||||
|
||||
@@ -15,6 +16,9 @@ type StreamID = protocol.StreamID
|
||||
// A VersionNumber is a QUIC version number.
|
||||
type VersionNumber = protocol.VersionNumber
|
||||
|
||||
// An STK can be used to verify the ownership of the client address.
|
||||
type STK = handshake.STK
|
||||
|
||||
// Stream is the interface implemented by QUIC streams
|
||||
type Stream interface {
|
||||
// Read reads data from the stream.
|
||||
@@ -79,18 +83,6 @@ type NonFWSession interface {
|
||||
WaitUntilHandshakeComplete() error
|
||||
}
|
||||
|
||||
// An STK is a Source Address token.
|
||||
// It is issued by the server and sent to the client. For the client, it is an opaque blob.
|
||||
// The client can send the STK in subsequent handshakes to prove ownership of its IP address.
|
||||
type STK struct {
|
||||
// The remote address this token was issued for.
|
||||
// If the server is run on a net.UDPConn, this is the string representation of the IP address (net.IP.String())
|
||||
// Otherwise, this is the string representation of the net.Addr (net.Addr.String())
|
||||
remoteAddr string
|
||||
// The time that the STK was issued (resolution 1 second)
|
||||
sentTime time.Time
|
||||
}
|
||||
|
||||
// Config contains all configuration data needed for a QUIC server or client.
|
||||
type Config struct {
|
||||
// The QUIC versions that can be negotiated.
|
||||
|
||||
@@ -98,7 +98,7 @@ var defaultAcceptSTK = func(clientAddr net.Addr, stk *STK) bool {
|
||||
if stk == nil {
|
||||
return false
|
||||
}
|
||||
if time.Now().After(stk.sentTime.Add(protocol.STKExpiryTime)) {
|
||||
if time.Now().After(stk.SentTime.Add(protocol.STKExpiryTime)) {
|
||||
return false
|
||||
}
|
||||
var sourceAddr string
|
||||
@@ -107,7 +107,7 @@ var defaultAcceptSTK = func(clientAddr net.Addr, stk *STK) bool {
|
||||
} else {
|
||||
sourceAddr = clientAddr.String()
|
||||
}
|
||||
return sourceAddr == stk.remoteAddr
|
||||
return sourceAddr == stk.RemoteAddr
|
||||
}
|
||||
|
||||
// populateServerConfig populates fields in the quic.Config with their default values, if none are set
|
||||
|
||||
@@ -448,8 +448,8 @@ var _ = Describe("default source address verification", func() {
|
||||
It("accepts a token", func() {
|
||||
remoteAddr := &net.UDPAddr{IP: net.IPv4(192, 168, 0, 1)}
|
||||
stk := &STK{
|
||||
remoteAddr: "192.168.0.1",
|
||||
sentTime: time.Now().Add(-protocol.STKExpiryTime).Add(time.Second), // will expire in 1 second
|
||||
RemoteAddr: "192.168.0.1",
|
||||
SentTime: time.Now().Add(-protocol.STKExpiryTime).Add(time.Second), // will expire in 1 second
|
||||
}
|
||||
Expect(defaultAcceptSTK(remoteAddr, stk)).To(BeTrue())
|
||||
})
|
||||
@@ -462,8 +462,8 @@ var _ = Describe("default source address verification", func() {
|
||||
It("rejects a token if the address doesn't match", func() {
|
||||
remoteAddr := &net.UDPAddr{IP: net.IPv4(192, 168, 0, 1)}
|
||||
stk := &STK{
|
||||
remoteAddr: "127.0.0.1",
|
||||
sentTime: time.Now(),
|
||||
RemoteAddr: "127.0.0.1",
|
||||
SentTime: time.Now(),
|
||||
}
|
||||
Expect(defaultAcceptSTK(remoteAddr, stk)).To(BeFalse())
|
||||
})
|
||||
@@ -471,8 +471,8 @@ var _ = Describe("default source address verification", func() {
|
||||
It("accepts a token for a remote address is not a UDP address", func() {
|
||||
remoteAddr := &net.TCPAddr{IP: net.IPv4(192, 168, 0, 1), Port: 1337}
|
||||
stk := &STK{
|
||||
remoteAddr: "192.168.0.1:1337",
|
||||
sentTime: time.Now(),
|
||||
RemoteAddr: "192.168.0.1:1337",
|
||||
SentTime: time.Now(),
|
||||
}
|
||||
Expect(defaultAcceptSTK(remoteAddr, stk)).To(BeTrue())
|
||||
})
|
||||
@@ -480,8 +480,8 @@ var _ = Describe("default source address verification", func() {
|
||||
It("rejects an invalid token for a remote address is not a UDP address", func() {
|
||||
remoteAddr := &net.TCPAddr{IP: net.IPv4(192, 168, 0, 1), Port: 1337}
|
||||
stk := &STK{
|
||||
remoteAddr: "192.168.0.1:7331", // mismatching port
|
||||
sentTime: time.Now(),
|
||||
RemoteAddr: "192.168.0.1:7331", // mismatching port
|
||||
SentTime: time.Now(),
|
||||
}
|
||||
Expect(defaultAcceptSTK(remoteAddr, stk)).To(BeFalse())
|
||||
})
|
||||
@@ -489,8 +489,8 @@ var _ = Describe("default source address verification", func() {
|
||||
It("rejects an expired token", func() {
|
||||
remoteAddr := &net.UDPAddr{IP: net.IPv4(192, 168, 0, 1)}
|
||||
stk := &STK{
|
||||
remoteAddr: "192.168.0.1",
|
||||
sentTime: time.Now().Add(-protocol.STKExpiryTime).Add(-time.Second), // expired 1 second ago
|
||||
RemoteAddr: "192.168.0.1",
|
||||
SentTime: time.Now().Add(-protocol.STKExpiryTime).Add(-time.Second), // expired 1 second ago
|
||||
}
|
||||
Expect(defaultAcceptSTK(remoteAddr, stk)).To(BeFalse())
|
||||
})
|
||||
|
||||
@@ -197,11 +197,7 @@ func (s *session) setup(
|
||||
if s.perspective == protocol.PerspectiveServer {
|
||||
cryptoStream, _ := s.GetOrOpenStream(1)
|
||||
_, _ = s.AcceptStream() // don't expose the crypto stream
|
||||
verifySourceAddr := func(clientAddr net.Addr, hstk *handshake.STK) bool {
|
||||
var stk *STK
|
||||
if hstk != nil {
|
||||
stk = &STK{remoteAddr: hstk.RemoteAddr, sentTime: hstk.SentTime}
|
||||
}
|
||||
verifySourceAddr := func(clientAddr net.Addr, stk *STK) bool {
|
||||
return s.config.AcceptSTK(clientAddr, stk)
|
||||
}
|
||||
if s.version == protocol.VersionTLS {
|
||||
|
||||
@@ -256,8 +256,8 @@ var _ = Describe("Session", func() {
|
||||
stkVerify(remoteAddr, &handshake.STK{SentTime: sentTime, RemoteAddr: stkAddr.String()})
|
||||
Expect(paramClientAddr).To(Equal(remoteAddr))
|
||||
Expect(paramSTK).ToNot(BeNil())
|
||||
Expect(paramSTK.remoteAddr).To(Equal(stkAddr.String()))
|
||||
Expect(paramSTK.sentTime).To(Equal(sentTime))
|
||||
Expect(paramSTK.RemoteAddr).To(Equal(stkAddr.String()))
|
||||
Expect(paramSTK.SentTime).To(Equal(sentTime))
|
||||
})
|
||||
})
|
||||
|
||||
|
||||
Reference in New Issue
Block a user