implement a more intuitive address validation API

2022-08-04 00:28:13 +02:00
parent 556a6e2f99
commit f2fa98c0dd
14 changed files with 352 additions and 437 deletions
--- a/integrationtests/self/handshake_drop_test.go
+++ b/integrationtests/self/handshake_drop_test.go
@@ -41,8 +41,8 @@ var _ = Describe("Handshake drop tests", func() {
 			HandshakeIdleTimeout: timeout,
 			Versions:             []protocol.VersionNumber{version},
 		})
-		if !doRetry {
-			conf.AcceptToken = func(net.Addr, *quic.Token) bool { return true }
+		if doRetry {
+			conf.RequireAddressValidation = func(net.Addr) bool { return true }
 		}
 		var tlsConf *tls.Config
 		if longCertChain {
--- a/integrationtests/self/handshake_rtt_test.go
+++ b/integrationtests/self/handshake_rtt_test.go
@@ -112,9 +112,7 @@ var _ = Describe("Handshake RTT tests", func() {
 	})

 	It("establishes a connection in 1 RTT when the server doesn't require a token", func() {
-		serverConfig.AcceptToken = func(_ net.Addr, _ *quic.Token) bool {
-			return true
-		}
+		serverConfig.RequireAddressValidation = func(net.Addr) bool { return false }
 		runServerAndProxy()
 		_, err := quic.DialAddr(
 			fmt.Sprintf("localhost:%d", proxy.LocalAddr().(*net.UDPAddr).Port),
@@ -126,9 +124,7 @@ var _ = Describe("Handshake RTT tests", func() {
 	})

 	It("establishes a connection in 2 RTTs if a HelloRetryRequest is performed", func() {
-		serverConfig.AcceptToken = func(_ net.Addr, _ *quic.Token) bool {
-			return true
-		}
+		serverConfig.RequireAddressValidation = func(net.Addr) bool { return false }
 		serverTLSConfig.CurvePreferences = []tls.CurveID{tls.CurveP384}
 		runServerAndProxy()
 		_, err := quic.DialAddr(
@@ -139,21 +135,4 @@ var _ = Describe("Handshake RTT tests", func() {
 		Expect(err).ToNot(HaveOccurred())
 		expectDurationInRTTs(2)
 	})
-
-	It("doesn't complete the handshake when the server never accepts the token", func() {
-		serverConfig.AcceptToken = func(_ net.Addr, _ *quic.Token) bool {
-			return false
-		}
-		clientConfig.HandshakeIdleTimeout = 500 * time.Millisecond
-		runServerAndProxy()
-		_, err := quic.DialAddr(
-			fmt.Sprintf("localhost:%d", proxy.LocalAddr().(*net.UDPAddr).Port),
-			getTLSClientConfig(),
-			clientConfig,
-		)
-		Expect(err).To(HaveOccurred())
-		nerr, ok := err.(net.Error)
-		Expect(ok).To(BeTrue())
-		Expect(nerr.Timeout()).To(BeTrue())
-	})
 })
--- a/integrationtests/self/handshake_test.go
+++ b/integrationtests/self/handshake_test.go
@@ -344,12 +344,7 @@ var _ = Describe("Handshake tests", func() {
 		}

 		BeforeEach(func() {
-			serverConfig.AcceptToken = func(addr net.Addr, token *quic.Token) bool {
-				if token != nil {
-					Expect(token.IsRetryToken).To(BeFalse())
-				}
-				return true
-			}
+			serverConfig.RequireAddressValidation = func(net.Addr) bool { return false }
 			var err error
 			// start the server, but don't call Accept
 			server, err = quic.ListenAddr("localhost:0", getTLSConfig(), serverConfig)
@@ -479,13 +474,7 @@ var _ = Describe("Handshake tests", func() {

 	Context("using tokens", func() {
 		It("uses tokens provided in NEW_TOKEN frames", func() {
-			tokenChan := make(chan *quic.Token, 100)
-			serverConfig.AcceptToken = func(addr net.Addr, token *quic.Token) bool {
-				if token != nil && !token.IsRetryToken {
-					tokenChan <- token
-				}
-				return true
-			}
+			serverConfig.RequireAddressValidation = func(net.Addr) bool { return false }

 			server, err := quic.ListenAddr("localhost:0", getTLSConfig(), serverConfig)
 			Expect(err).ToNot(HaveOccurred())
@@ -509,7 +498,6 @@ var _ = Describe("Handshake tests", func() {
 			Expect(err).ToNot(HaveOccurred())
 			Expect(gets).To(Receive())
 			Eventually(puts).Should(Receive())
-			Expect(tokenChan).ToNot(Receive())
 			// received a token. Close this connection.
 			Expect(conn.CloseWithError(0, "")).To(Succeed())

@@ -529,17 +517,13 @@ var _ = Describe("Handshake tests", func() {
 			Expect(err).ToNot(HaveOccurred())
 			defer conn.CloseWithError(0, "")
 			Expect(gets).To(Receive())
-			Expect(tokenChan).To(Receive())

 			Eventually(done).Should(BeClosed())
 		})

 		It("rejects invalid Retry token with the INVALID_TOKEN error", func() {
-			tokenChan := make(chan *quic.Token, 10)
-			serverConfig.AcceptToken = func(addr net.Addr, token *quic.Token) bool {
-				tokenChan <- token
-				return false
-			}
+			serverConfig.RequireAddressValidation = func(net.Addr) bool { return true }
+			serverConfig.MaxRetryTokenAge = time.Nanosecond

 			server, err := quic.ListenAddr("localhost:0", getTLSConfig(), serverConfig)
 			Expect(err).ToNot(HaveOccurred())
@@ -554,18 +538,6 @@ var _ = Describe("Handshake tests", func() {
 			var transportErr *quic.TransportError
 			Expect(errors.As(err, &transportErr)).To(BeTrue())
 			Expect(transportErr.ErrorCode).To(Equal(quic.InvalidToken))
-			// Receiving a Retry might lead the client to measure a very small RTT.
-			// Then, it sometimes would retransmit the ClientHello before receiving the ServerHello.
-			Expect(len(tokenChan)).To(BeNumerically(">=", 2))
-			token := <-tokenChan
-			Expect(token).To(BeNil())
-			token = <-tokenChan
-			Expect(token).ToNot(BeNil())
-			// If the ClientHello was retransmitted, make sure that it contained the same Retry token.
-			for i := 2; i < len(tokenChan); i++ {
-				Expect(<-tokenChan).To(Equal(token))
-			}
-			Expect(token.IsRetryToken).To(BeTrue())
 		})
 	})

--- a/integrationtests/self/packetization_test.go
+++ b/integrationtests/self/packetization_test.go
@@ -26,9 +26,9 @@ var _ = Describe("Packetization", func() {
 			"localhost:0",
 			getTLSConfig(),
 			getQuicConfig(&quic.Config{
-				AcceptToken:             func(net.Addr, *quic.Token) bool { return true },
-				DisablePathMTUDiscovery: true,
-				Tracer:                  newTracer(func() logging.ConnectionTracer { return serverTracer }),
+				RequireAddressValidation: func(net.Addr) bool { return false },
+				DisablePathMTUDiscovery:  true,
+				Tracer:                   newTracer(func() logging.ConnectionTracer { return serverTracer }),
 			}),
 		)
 		Expect(err).ToNot(HaveOccurred())
--- a/integrationtests/self/zero_rtt_test.go
+++ b/integrationtests/self/zero_rtt_test.go
@@ -56,7 +56,7 @@ var _ = Describe("0-RTT", func() {
 				tlsConf := getTLSConfig()
 				if serverConf == nil {
 					serverConf = getQuicConfig(&quic.Config{
-						AcceptToken: func(_ net.Addr, _ *quic.Token) bool { return true },
+						RequireAddressValidation: func(net.Addr) bool { return false },
 					})
 					serverConf.Versions = []protocol.VersionNumber{version}
 				}
@@ -197,9 +197,9 @@ var _ = Describe("0-RTT", func() {
 						"localhost:0",
 						tlsConf,
 						getQuicConfig(&quic.Config{
-							Versions:    []protocol.VersionNumber{version},
-							AcceptToken: func(_ net.Addr, _ *quic.Token) bool { return true },
-							Tracer:      newTracer(func() logging.ConnectionTracer { return tracer }),
+							Versions:                 []protocol.VersionNumber{version},
+							RequireAddressValidation: func(net.Addr) bool { return false },
+							Tracer:                   newTracer(func() logging.ConnectionTracer { return tracer }),
 						}),
 					)
 					Expect(err).ToNot(HaveOccurred())
@@ -255,9 +255,9 @@ var _ = Describe("0-RTT", func() {
 					"localhost:0",
 					tlsConf,
 					getQuicConfig(&quic.Config{
-						Versions:    []protocol.VersionNumber{version},
-						AcceptToken: func(_ net.Addr, _ *quic.Token) bool { return true },
-						Tracer:      newTracer(func() logging.ConnectionTracer { return tracer }),
+						Versions:                 []protocol.VersionNumber{version},
+						RequireAddressValidation: func(net.Addr) bool { return false },
+						Tracer:                   newTracer(func() logging.ConnectionTracer { return tracer }),
 					}),
 				)
 				Expect(err).ToNot(HaveOccurred())
@@ -452,8 +452,8 @@ var _ = Describe("0-RTT", func() {
 			It("doesn't reject 0-RTT when the server's transport stream limit increased", func() {
 				const maxStreams = 1
 				tlsConf, clientConf := dialAndReceiveSessionTicket(getQuicConfig(&quic.Config{
-					MaxIncomingUniStreams: maxStreams,
-					AcceptToken:           func(_ net.Addr, _ *quic.Token) bool { return true },
+					MaxIncomingUniStreams:    maxStreams,
+					RequireAddressValidation: func(net.Addr) bool { return false },
 				}))

 				tracer := newPacketTracer()
@@ -461,10 +461,10 @@ var _ = Describe("0-RTT", func() {
 					"localhost:0",
 					tlsConf,
 					getQuicConfig(&quic.Config{
-						Versions:              []protocol.VersionNumber{version},
-						AcceptToken:           func(_ net.Addr, _ *quic.Token) bool { return true },
-						MaxIncomingUniStreams: maxStreams + 1,
-						Tracer:                newTracer(func() logging.ConnectionTracer { return tracer }),
+						Versions:                 []protocol.VersionNumber{version},
+						RequireAddressValidation: func(net.Addr) bool { return false },
+						MaxIncomingUniStreams:    maxStreams + 1,
+						Tracer:                   newTracer(func() logging.ConnectionTracer { return tracer }),
 					}),
 				)
 				Expect(err).ToNot(HaveOccurred())
@@ -498,8 +498,8 @@ var _ = Describe("0-RTT", func() {
 			It("rejects 0-RTT when the server's stream limit decreased", func() {
 				const maxStreams = 42
 				tlsConf, clientConf := dialAndReceiveSessionTicket(getQuicConfig(&quic.Config{
-					MaxIncomingStreams: maxStreams,
-					AcceptToken:        func(_ net.Addr, _ *quic.Token) bool { return true },
+					MaxIncomingStreams:       maxStreams,
+					RequireAddressValidation: func(net.Addr) bool { return false },
 				}))

 				tracer := newPacketTracer()
@@ -507,10 +507,10 @@ var _ = Describe("0-RTT", func() {
 					"localhost:0",
 					tlsConf,
 					getQuicConfig(&quic.Config{
-						Versions:           []protocol.VersionNumber{version},
-						AcceptToken:        func(_ net.Addr, _ *quic.Token) bool { return true },
-						MaxIncomingStreams: maxStreams - 1,
-						Tracer:             newTracer(func() logging.ConnectionTracer { return tracer }),
+						Versions:                 []protocol.VersionNumber{version},
+						RequireAddressValidation: func(net.Addr) bool { return false },
+						MaxIncomingStreams:       maxStreams - 1,
+						Tracer:                   newTracer(func() logging.ConnectionTracer { return tracer }),
 					}),
 				)
 				Expect(err).ToNot(HaveOccurred())
@@ -537,9 +537,9 @@ var _ = Describe("0-RTT", func() {
 					"localhost:0",
 					tlsConf,
 					getQuicConfig(&quic.Config{
-						Versions:    []protocol.VersionNumber{version},
-						AcceptToken: func(_ net.Addr, _ *quic.Token) bool { return true },
-						Tracer:      newTracer(func() logging.ConnectionTracer { return tracer }),
+						Versions:                 []protocol.VersionNumber{version},
+						RequireAddressValidation: func(net.Addr) bool { return false },
+						Tracer:                   newTracer(func() logging.ConnectionTracer { return tracer }),
 					}),
 				)
 				Expect(err).ToNot(HaveOccurred())
@@ -560,16 +560,16 @@ var _ = Describe("0-RTT", func() {
 				func(addFlowControlLimit func(*quic.Config, uint64)) {
 					tracer := newPacketTracer()
 					firstConf := getQuicConfig(&quic.Config{
-						AcceptToken: func(_ net.Addr, _ *quic.Token) bool { return true },
-						Versions:    []protocol.VersionNumber{version},
+						RequireAddressValidation: func(net.Addr) bool { return false },
+						Versions:                 []protocol.VersionNumber{version},
 					})
 					addFlowControlLimit(firstConf, 3)
 					tlsConf, clientConf := dialAndReceiveSessionTicket(firstConf)

 					secondConf := getQuicConfig(&quic.Config{
-						Versions:    []protocol.VersionNumber{version},
-						AcceptToken: func(_ net.Addr, _ *quic.Token) bool { return true },
-						Tracer:      newTracer(func() logging.ConnectionTracer { return tracer }),
+						Versions:                 []protocol.VersionNumber{version},
+						RequireAddressValidation: func(net.Addr) bool { return false },
+						Tracer:                   newTracer(func() logging.ConnectionTracer { return tracer }),
 					})
 					addFlowControlLimit(secondConf, 100)
 					ln, err := quic.ListenAddrEarly(
@@ -722,9 +722,9 @@ var _ = Describe("0-RTT", func() {
 					"localhost:0",
 					tlsConf,
 					getQuicConfig(&quic.Config{
-						Versions:    []protocol.VersionNumber{version},
-						AcceptToken: func(_ net.Addr, _ *quic.Token) bool { return true },
-						Tracer:      newTracer(func() logging.ConnectionTracer { return tracer }),
+						Versions:                 []protocol.VersionNumber{version},
+						RequireAddressValidation: func(net.Addr) bool { return false },
+						Tracer:                   newTracer(func() logging.ConnectionTracer { return tracer }),
 					}),
 				)
 				Expect(err).ToNot(HaveOccurred())