github.com/metacubex/quic-go@v0.44.1-0.20240520163451-20b689a59136/internal/handshake/token_generator.go (about) 1 package handshake 2 3 import ( 4 "bytes" 5 "encoding/asn1" 6 "fmt" 7 "net" 8 "time" 9 10 "github.com/metacubex/quic-go/internal/protocol" 11 ) 12 13 const ( 14 tokenPrefixIP byte = iota 15 tokenPrefixString 16 ) 17 18 // A Token is derived from the client address and can be used to verify the ownership of this address. 19 type Token struct { 20 IsRetryToken bool 21 SentTime time.Time 22 encodedRemoteAddr []byte 23 // only set for retry tokens 24 OriginalDestConnectionID protocol.ConnectionID 25 RetrySrcConnectionID protocol.ConnectionID 26 } 27 28 // ValidateRemoteAddr validates the address, but does not check expiration 29 func (t *Token) ValidateRemoteAddr(addr net.Addr) bool { 30 return bytes.Equal(encodeRemoteAddr(addr), t.encodedRemoteAddr) 31 } 32 33 // token is the struct that is used for ASN1 serialization and deserialization 34 type token struct { 35 IsRetryToken bool 36 RemoteAddr []byte 37 Timestamp int64 38 OriginalDestConnectionID []byte 39 RetrySrcConnectionID []byte 40 } 41 42 // A TokenGenerator generates tokens 43 type TokenGenerator struct { 44 tokenProtector tokenProtector 45 } 46 47 // NewTokenGenerator initializes a new TokenGenerator 48 func NewTokenGenerator(key TokenProtectorKey) *TokenGenerator { 49 return &TokenGenerator{tokenProtector: newTokenProtector(key)} 50 } 51 52 // NewRetryToken generates a new token for a Retry for a given source address 53 func (g *TokenGenerator) NewRetryToken( 54 raddr net.Addr, 55 origDestConnID protocol.ConnectionID, 56 retrySrcConnID protocol.ConnectionID, 57 ) ([]byte, error) { 58 data, err := asn1.Marshal(token{ 59 IsRetryToken: true, 60 RemoteAddr: encodeRemoteAddr(raddr), 61 OriginalDestConnectionID: origDestConnID.Bytes(), 62 RetrySrcConnectionID: retrySrcConnID.Bytes(), 63 Timestamp: time.Now().UnixNano(), 64 }) 65 if err != nil { 66 return nil, err 67 } 68 return g.tokenProtector.NewToken(data) 69 } 70 71 // NewToken generates a new token to be sent in a NEW_TOKEN frame 72 func (g *TokenGenerator) NewToken(raddr net.Addr) ([]byte, error) { 73 data, err := asn1.Marshal(token{ 74 RemoteAddr: encodeRemoteAddr(raddr), 75 Timestamp: time.Now().UnixNano(), 76 }) 77 if err != nil { 78 return nil, err 79 } 80 return g.tokenProtector.NewToken(data) 81 } 82 83 // DecodeToken decodes a token 84 func (g *TokenGenerator) DecodeToken(encrypted []byte) (*Token, error) { 85 // if the client didn't send any token, DecodeToken will be called with a nil-slice 86 if len(encrypted) == 0 { 87 return nil, nil 88 } 89 90 data, err := g.tokenProtector.DecodeToken(encrypted) 91 if err != nil { 92 return nil, err 93 } 94 t := &token{} 95 rest, err := asn1.Unmarshal(data, t) 96 if err != nil { 97 return nil, err 98 } 99 if len(rest) != 0 { 100 return nil, fmt.Errorf("rest when unpacking token: %d", len(rest)) 101 } 102 token := &Token{ 103 IsRetryToken: t.IsRetryToken, 104 SentTime: time.Unix(0, t.Timestamp), 105 encodedRemoteAddr: t.RemoteAddr, 106 } 107 if t.IsRetryToken { 108 token.OriginalDestConnectionID = protocol.ParseConnectionID(t.OriginalDestConnectionID) 109 token.RetrySrcConnectionID = protocol.ParseConnectionID(t.RetrySrcConnectionID) 110 } 111 return token, nil 112 } 113 114 // encodeRemoteAddr encodes a remote address such that it can be saved in the token 115 func encodeRemoteAddr(remoteAddr net.Addr) []byte { 116 if udpAddr, ok := remoteAddr.(*net.UDPAddr); ok { 117 return append([]byte{tokenPrefixIP}, udpAddr.IP...) 118 } 119 return append([]byte{tokenPrefixString}, []byte(remoteAddr.String())...) 120 }