set a static QUIC resumption token generator key

marten-seemann · marten-seemann · commit 1592802d3c8d · 2023-09-24T12:39:32.000Z
diff --git a/config/config.go b/config/config.go
@@ -261,6 +261,7 @@ func (cfg *Config) addTransports(h host.Host) error {
 	}
 
 	fxopts = append(fxopts, fx.Provide(PrivKeyToStatelessResetKey))
+	fxopts = append(fxopts, fx.Provide(PrivKeyToTokenGeneratorKey))
 	if cfg.QUICReuse != nil {
 		fxopts = append(fxopts, cfg.QUICReuse...)
 	} else {
diff --git a/config/quic.go b/config/quic.go
@@ -11,7 +11,10 @@ import (
 	"github.com/quic-go/quic-go"
 )
 
-const statelessResetKeyInfo = "libp2p quic stateless reset key"
+const (
+	statelessResetKeyInfo = "libp2p quic stateless reset key"
+	tokenGeneratorKeyInfo = "libp2p quic token generator key"
+)
 
 func PrivKeyToStatelessResetKey(key crypto.PrivKey) (quic.StatelessResetKey, error) {
 	var statelessResetKey quic.StatelessResetKey
@@ -25,3 +28,16 @@ func PrivKeyToStatelessResetKey(key crypto.PrivKey) (quic.StatelessResetKey, err
 	}
 	return statelessResetKey, nil
 }
+
+func PrivKeyToTokenGeneratorKey(key crypto.PrivKey) (quic.TokenGeneratorKey, error) {
+	var tokenKey quic.TokenGeneratorKey
+	keyBytes, err := key.Raw()
+	if err != nil {
+		return tokenKey, err
+	}
+	keyReader := hkdf.New(sha256.New, keyBytes, nil, []byte(tokenGeneratorKeyInfo))
+	if _, err := io.ReadFull(keyReader, tokenKey[:]); err != nil {
+		return tokenKey, err
+	}
+	return tokenKey, nil
+}
diff --git a/p2p/net/swarm/dial_worker_test.go b/p2p/net/swarm/dial_worker_test.go
@@ -26,12 +26,13 @@ import (
 	"github.com/libp2p/go-libp2p/p2p/host/peerstore/pstoremem"
 	"github.com/libp2p/go-libp2p/p2p/muxer/yamux"
 	tptu "github.com/libp2p/go-libp2p/p2p/net/upgrader"
-	quic "github.com/libp2p/go-libp2p/p2p/transport/quic"
+	libp2pquic "github.com/libp2p/go-libp2p/p2p/transport/quic"
 	"github.com/libp2p/go-libp2p/p2p/transport/quicreuse"
 	"github.com/libp2p/go-libp2p/p2p/transport/tcp"
 
 	ma "github.com/multiformats/go-multiaddr"
 	manet "github.com/multiformats/go-multiaddr/net"
+	"github.com/quic-go/quic-go"
 	"github.com/stretchr/testify/require"
 )
 
@@ -88,11 +89,11 @@ func makeSwarmWithNoListenAddrs(t *testing.T, opts ...Option) *Swarm {
 	if err := s.AddTransport(tcpTransport); err != nil {
 		t.Fatal(err)
 	}
-	reuse, err := quicreuse.NewConnManager([32]byte{})
+	reuse, err := quicreuse.NewConnManager(quic.StatelessResetKey{}, quic.TokenGeneratorKey{})
 	if err != nil {
 		t.Fatal(err)
 	}
-	quicTransport, err := quic.NewTransport(priv, reuse, nil, nil, nil)
+	quicTransport, err := libp2pquic.NewTransport(priv, reuse, nil, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -968,7 +969,7 @@ func TestDialWorkerLoopHolePunching(t *testing.T) {
 		for i := 0; i < len(addrs); i++ {
 			delay := 10 * time.Second
 			if addrs[i].Equal(t1) {
-				//fire t1 immediately
+				// fire t1 immediately
 				delay = 0
 			} else if addrs[i].Equal(t2) {
 				// delay t2 by 100ms
diff --git a/p2p/net/swarm/swarm_addr_test.go b/p2p/net/swarm/swarm_addr_test.go
@@ -14,14 +14,15 @@ import (
 	"github.com/libp2p/go-libp2p/p2p/net/swarm"
 	swarmt "github.com/libp2p/go-libp2p/p2p/net/swarm/testing"
 	circuitv2 "github.com/libp2p/go-libp2p/p2p/protocol/circuitv2/client"
-	quic "github.com/libp2p/go-libp2p/p2p/transport/quic"
+	libp2pquic "github.com/libp2p/go-libp2p/p2p/transport/quic"
 	"github.com/libp2p/go-libp2p/p2p/transport/quicreuse"
 	"github.com/libp2p/go-libp2p/p2p/transport/tcp"
 	webtransport "github.com/libp2p/go-libp2p/p2p/transport/webtransport"
 
 	ma "github.com/multiformats/go-multiaddr"
 	"github.com/multiformats/go-multibase"
 	"github.com/multiformats/go-multihash"
+	"github.com/quic-go/quic-go"
 	"github.com/stretchr/testify/require"
 )
 
@@ -81,10 +82,10 @@ func TestDialAddressSelection(t *testing.T) {
 	tcpTr, err := tcp.NewTCPTransport(nil, nil)
 	require.NoError(t, err)
 	require.NoError(t, s.AddTransport(tcpTr))
-	reuse, err := quicreuse.NewConnManager([32]byte{})
+	reuse, err := quicreuse.NewConnManager(quic.StatelessResetKey{}, quic.TokenGeneratorKey{})
 	require.NoError(t, err)
 	defer reuse.Close()
-	quicTr, err := quic.NewTransport(priv, reuse, nil, nil, nil)
+	quicTr, err := libp2pquic.NewTransport(priv, reuse, nil, nil, nil)
 	require.NoError(t, err)
 	require.NoError(t, s.AddTransport(quicTr))
 	webtransportTr, err := webtransport.New(priv, nil, reuse, nil, nil)
diff --git a/p2p/net/swarm/swarm_dial_test.go b/p2p/net/swarm/swarm_dial_test.go
@@ -139,7 +139,7 @@ func newTestSwarmWithResolver(t *testing.T, resolver *madns.Resolver) *Swarm {
 	err = s.AddTransport(tpt)
 	require.NoError(t, err)
 
-	connmgr, err := quicreuse.NewConnManager(quic.StatelessResetKey{})
+	connmgr, err := quicreuse.NewConnManager(quic.StatelessResetKey{}, quic.TokenGeneratorKey{})
 	require.NoError(t, err)
 	quicTpt, err := libp2pquic.NewTransport(priv, connmgr, nil, nil, &network.NullResourceManager{})
 	require.NoError(t, err)
diff --git a/p2p/net/swarm/testing/testing.go b/p2p/net/swarm/testing/testing.go
@@ -21,11 +21,12 @@ import (
 	"github.com/libp2p/go-libp2p/p2p/muxer/yamux"
 	"github.com/libp2p/go-libp2p/p2p/net/swarm"
 	tptu "github.com/libp2p/go-libp2p/p2p/net/upgrader"
-	quic "github.com/libp2p/go-libp2p/p2p/transport/quic"
+	libp2pquic "github.com/libp2p/go-libp2p/p2p/transport/quic"
 	"github.com/libp2p/go-libp2p/p2p/transport/quicreuse"
 	"github.com/libp2p/go-libp2p/p2p/transport/tcp"
 
 	ma "github.com/multiformats/go-multiaddr"
+	"github.com/quic-go/quic-go"
 	"github.com/stretchr/testify/require"
 )
 
@@ -175,11 +176,11 @@ func GenSwarm(t *testing.T, opts ...Option) *swarm.Swarm {
 		}
 	}
 	if !cfg.disableQUIC {
-		reuse, err := quicreuse.NewConnManager([32]byte{})
+		reuse, err := quicreuse.NewConnManager(quic.StatelessResetKey{}, quic.TokenGeneratorKey{})
 		if err != nil {
 			t.Fatal(err)
 		}
-		quicTransport, err := quic.NewTransport(priv, reuse, nil, cfg.connectionGater, nil)
+		quicTransport, err := libp2pquic.NewTransport(priv, reuse, nil, cfg.connectionGater, nil)
 		if err != nil {
 			t.Fatal(err)
 		}
diff --git a/p2p/transport/quic/cmd/client/main.go b/p2p/transport/quic/cmd/client/main.go
@@ -8,13 +8,13 @@ import (
 	"log"
 	"os"
 
-	"github.com/libp2p/go-libp2p/p2p/transport/quicreuse"
-
 	ic "github.com/libp2p/go-libp2p/core/crypto"
 	"github.com/libp2p/go-libp2p/core/peer"
 	libp2pquic "github.com/libp2p/go-libp2p/p2p/transport/quic"
+	"github.com/libp2p/go-libp2p/p2p/transport/quicreuse"
 
 	ma "github.com/multiformats/go-multiaddr"
+	"github.com/quic-go/quic-go"
 )
 
 func main() {
@@ -41,7 +41,7 @@ func run(raddr string, p string) error {
 		return err
 	}
 
-	reuse, err := quicreuse.NewConnManager([32]byte{})
+	reuse, err := quicreuse.NewConnManager(quic.StatelessResetKey{}, quic.TokenGeneratorKey{})
 	if err != nil {
 		return err
 	}
diff --git a/p2p/transport/quic/cmd/server/main.go b/p2p/transport/quic/cmd/server/main.go
@@ -7,14 +7,14 @@ import (
 	"log"
 	"os"
 
-	"github.com/libp2p/go-libp2p/p2p/transport/quicreuse"
-
 	ic "github.com/libp2p/go-libp2p/core/crypto"
 	"github.com/libp2p/go-libp2p/core/peer"
 	tpt "github.com/libp2p/go-libp2p/core/transport"
 	libp2pquic "github.com/libp2p/go-libp2p/p2p/transport/quic"
+	"github.com/libp2p/go-libp2p/p2p/transport/quicreuse"
 
 	ma "github.com/multiformats/go-multiaddr"
+	"github.com/quic-go/quic-go"
 )
 
 func main() {
@@ -41,7 +41,7 @@ func run(port string) error {
 		return err
 	}
 
-	reuse, err := quicreuse.NewConnManager([32]byte{})
+	reuse, err := quicreuse.NewConnManager(quic.StatelessResetKey{}, quic.TokenGeneratorKey{})
 	if err != nil {
 		return err
 	}
diff --git a/p2p/transport/quic/conn_test.go b/p2p/transport/quic/conn_test.go
@@ -69,7 +69,7 @@ func runServer(t *testing.T, tr tpt.Transport, addr string) tpt.Listener {
 
 func newConnManager(t *testing.T, opts ...quicreuse.Option) *quicreuse.ConnManager {
 	t.Helper()
-	cm, err := quicreuse.NewConnManager([32]byte{}, opts...)
+	cm, err := quicreuse.NewConnManager(quic.StatelessResetKey{}, quic.TokenGeneratorKey{}, opts...)
 	require.NoError(t, err)
 	t.Cleanup(func() { cm.Close() })
 	return cm
diff --git a/p2p/transport/quicreuse/connmgr.go b/p2p/transport/quicreuse/connmgr.go
@@ -25,20 +25,23 @@ type ConnManager struct {
 	quicListenersMu sync.Mutex
 	quicListeners   map[string]quicListenerEntry
 
-	srk quic.StatelessResetKey
-	mt  *metricsTracer
+	srk      quic.StatelessResetKey
+	tokenKey quic.TokenGeneratorKey
+
+	mt *metricsTracer
 }
 
 type quicListenerEntry struct {
 	refCount int
 	ln       *quicListener
 }
 
-func NewConnManager(statelessResetKey quic.StatelessResetKey, opts ...Option) (*ConnManager, error) {
+func NewConnManager(statelessResetKey quic.StatelessResetKey, tokenKey quic.TokenGeneratorKey, opts ...Option) (*ConnManager, error) {
 	cm := &ConnManager{
 		enableReuseport: true,
 		quicListeners:   make(map[string]quicListenerEntry),
 		srk:             statelessResetKey,
+		tokenKey:        tokenKey,
 	}
 	for _, o := range opts {
 		if err := o(cm); err != nil {
@@ -153,6 +156,7 @@ func (c *ConnManager) transportForListen(network string, laddr *net.UDPAddr) (re
 		Transport: quic.Transport{
 			Conn:              conn,
 			StatelessResetKey: &c.srk,
+			TokenGeneratorKey: &c.tokenKey,
 			// The multiaddress encodes the QUIC version, thus there's no need to send Version Negotiation packets.
 			DisableVersionNegotiationPackets: true,
 		},
diff --git a/p2p/transport/quicreuse/connmgr_test.go b/p2p/transport/quicreuse/connmgr_test.go
@@ -54,7 +54,7 @@ func testListenOnSameProto(t *testing.T, enableReuseport bool) {
 	if !enableReuseport {
 		opts = append(opts, DisableReuseport())
 	}
-	cm, err := NewConnManager([32]byte{}, opts...)
+	cm, err := NewConnManager(quic.StatelessResetKey{}, quic.TokenGeneratorKey{}, opts...)
 	require.NoError(t, err)
 	defer checkClosed(t, cm)
 	defer cm.Close()
@@ -83,7 +83,7 @@ func TestConnectionPassedToQUICForListening(t *testing.T) {
 	if runtime.GOOS == "windows" {
 		t.Skip("skipping on windows. Windows doesn't support these optimizations")
 	}
-	cm, err := NewConnManager([32]byte{}, DisableReuseport())
+	cm, err := NewConnManager(quic.StatelessResetKey{}, quic.TokenGeneratorKey{}, DisableReuseport())
 	require.NoError(t, err)
 	defer cm.Close()
 
@@ -107,7 +107,7 @@ func TestConnectionPassedToQUICForListening(t *testing.T) {
 func TestAcceptErrorGetCleanedUp(t *testing.T) {
 	raddr := ma.StringCast("/ip4/127.0.0.1/udp/0/quic-v1")
 
-	cm, err := NewConnManager([32]byte{}, DisableReuseport())
+	cm, err := NewConnManager(quic.StatelessResetKey{}, quic.TokenGeneratorKey{}, DisableReuseport())
 	require.NoError(t, err)
 	defer cm.Close()
 
@@ -143,7 +143,7 @@ func TestConnectionPassedToQUICForDialing(t *testing.T) {
 	if runtime.GOOS == "windows" {
 		t.Skip("skipping on windows. Windows doesn't support these optimizations")
 	}
-	cm, err := NewConnManager([32]byte{}, DisableReuseport())
+	cm, err := NewConnManager(quic.StatelessResetKey{}, quic.TokenGeneratorKey{}, DisableReuseport())
 	require.NoError(t, err)
 	defer cm.Close()
 
@@ -218,7 +218,7 @@ func testListener(t *testing.T, enableReuseport bool) {
 	if !enableReuseport {
 		opts = append(opts, DisableReuseport())
 	}
-	cm, err := NewConnManager([32]byte{}, opts...)
+	cm, err := NewConnManager(quic.StatelessResetKey{}, quic.TokenGeneratorKey{}, opts...)
 	require.NoError(t, err)
 
 	id1, tlsConf1 := getTLSConfForProto(t, "proto1")
diff --git a/p2p/transport/webtransport/transport_test.go b/p2p/transport/webtransport/transport_test.go
@@ -97,7 +97,7 @@ func getCerthashComponent(t *testing.T, b []byte) ma.Multiaddr {
 
 func newConnManager(t *testing.T, opts ...quicreuse.Option) *quicreuse.ConnManager {
 	t.Helper()
-	cm, err := quicreuse.NewConnManager([32]byte{}, opts...)
+	cm, err := quicreuse.NewConnManager(quic.StatelessResetKey{}, quic.TokenGeneratorKey{}, opts...)
 	require.NoError(t, err)
 	t.Cleanup(func() { cm.Close() })
 	return cm

Original file line number	Diff line number	Diff line change
`@@ -261,6 +261,7 @@ func (cfg *Config) addTransports(h host.Host) error {`
`261`	`261`	`}`
`262`	`262`
`263`	`263`	`fxopts = append(fxopts, fx.Provide(PrivKeyToStatelessResetKey))`
	`264`	`+ fxopts = append(fxopts, fx.Provide(PrivKeyToTokenGeneratorKey))`
`264`	`265`	`if cfg.QUICReuse != nil {`
`265`	`266`	`fxopts = append(fxopts, cfg.QUICReuse...)`
`266`	`267`	`} else {`
Original file line number	Diff line number	Diff line change
`@@ -21,11 +21,12 @@ import (`
`21`	`21`	`"github.com/libp2p/go-libp2p/p2p/muxer/yamux"`
`22`	`22`	`"github.com/libp2p/go-libp2p/p2p/net/swarm"`
`23`	`23`	`tptu "github.com/libp2p/go-libp2p/p2p/net/upgrader"`
`24`		`- quic "github.com/libp2p/go-libp2p/p2p/transport/quic"`
	`24`	`+ libp2pquic "github.com/libp2p/go-libp2p/p2p/transport/quic"`
`25`	`25`	`"github.com/libp2p/go-libp2p/p2p/transport/quicreuse"`
`26`	`26`	`"github.com/libp2p/go-libp2p/p2p/transport/tcp"`
`27`	`27`
`28`	`28`	`ma "github.com/multiformats/go-multiaddr"`
	`29`	`+ "github.com/quic-go/quic-go"`
`29`	`30`	`"github.com/stretchr/testify/require"`
`30`	`31`	`)`
`31`	`32`
`@@ -175,11 +176,11 @@ func GenSwarm(t testing.T, opts ...Option) swarm.Swarm {`
`175`	`176`	`}`
`176`	`177`	`}`
`177`	`178`	`if !cfg.disableQUIC {`
`178`		`- reuse, err := quicreuse.NewConnManager([32]byte{})`
	`179`	`+ reuse, err := quicreuse.NewConnManager(quic.StatelessResetKey{}, quic.TokenGeneratorKey{})`
`179`	`180`	`if err != nil {`
`180`	`181`	`t.Fatal(err)`
`181`	`182`	`}`
`182`		`- quicTransport, err := quic.NewTransport(priv, reuse, nil, cfg.connectionGater, nil)`
	`183`	`+ quicTransport, err := libp2pquic.NewTransport(priv, reuse, nil, cfg.connectionGater, nil)`
`183`	`184`	`if err != nil {`
`184`	`185`	`t.Fatal(err)`
`185`	`186`	`}`