Skip to content

Commit

Permalink
QUIC secret ID is now 3 bits
Browse files Browse the repository at this point in the history
  • Loading branch information
tatsuhiro-t committed Apr 5, 2024
1 parent f3ffa82 commit 78fd809
Show file tree
Hide file tree
Showing 2 changed files with 50 additions and 14 deletions.
17 changes: 11 additions & 6 deletions pkg/nghttpx/quic.go
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,11 @@ func writeQUICSecretFile(ingConfig *IngressConfig) error {
return nil
}

const (
idNBits = 3
idMask = ^(uint8(1<<(8-idNBits)) - 1)
)

// VerifyQUICKeyingMaterials verifies that km is a well formatted QUIC keying material.
func VerifyQUICKeyingMaterials(km []byte) error {
sc := bufio.NewScanner(bytes.NewBuffer(km))
Expand All @@ -63,7 +68,7 @@ func VerifyQUICKeyingMaterials(km []byte) error {
return fmt.Errorf("unable to decode QUIC keying materials from hex string: %w", err)
}

id := b[0] >> 6
id := b[0] >> (8 - idNBits)
mask := uint8(1 << id)

if (idBits & mask) != 0 {
Expand Down Expand Up @@ -104,7 +109,7 @@ func NewInitialQUICKeyingMaterials() ([]byte, error) {
return nil, err
}

b[0] = (b[0] & 0x3f) | byte((i << 6))
b[0] = (b[0] & ^idMask) | byte(i<<(8-idNBits))

keys[i] = hex.EncodeToString(b)
}
Expand Down Expand Up @@ -164,20 +169,20 @@ func UpdateQUICKeyingMaterialsFunc(km []byte, newKeyingMaterialFunc func() ([]by
return nil, err
}

nextID := (b[0] + 0x40) & 0xc0
nextID := (b[0] + (1 << (8 - idNBits))) & idMask

newKM, err := newKeyingMaterialFunc()
if err != nil {
return nil, err
}

newKM[0] = (newKM[0] & 0x3f) | nextID
newKM[0] = (newKM[0] & ^idMask) | nextID

var newKeysLen int
if len(keys) < 4 {
if len(keys) < 8 {
newKeysLen = len(keys) + 1
} else {
newKeysLen = 4
newKeysLen = 8
}

newKeys := make([]string, newKeysLen)
Expand Down
47 changes: 39 additions & 8 deletions pkg/nghttpx/quic_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -127,39 +127,47 @@ func TestUpdateQUICKeyingMaterialsFunc(t *testing.T) {
km: []byte("" +
"# comment\n" +
"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233\n" +
"40112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233",
"20112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233",
),
want: []byte("" +
"40112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233\n" +
"20112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233\n" +
"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233\n" +
"8a112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233",
"4a112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233",
),
},
{
desc: "Make sure that ID is wrapped",
km: []byte("" +
"# comment\n" +
"80112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233\n" +
"c0112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233",
"c0112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233\n" +
"e0112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233",
),
want: []byte("" +
"e0112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233\n" +
"c0112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233\n" +
"80112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233\n" +
"0a112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233",
),
},
{
desc: "Make sure that keying materials are limited to the latest 4 keys",
desc: "Make sure that keying materials are limited to the latest 8 keys",
km: []byte("" +
"c0112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233\n" +
"a0112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233\n" +
"80112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233\n" +
"60112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233\n" +
"40112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233\n" +
"20112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233\n" +
"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233\n" +
"c0112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233",
"e0112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233",
),
want: []byte("" +
"e0112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233\n" +
"c0112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233\n" +
"a0112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233\n" +
"80112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233\n" +
"60112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233\n" +
"40112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233\n" +
"20112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233\n" +
"0a112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233",
),
},
Expand All @@ -186,3 +194,26 @@ func TestUpdateQUICKeyingMaterialsFunc(t *testing.T) {
})
}
}

func TestNewInitialQUICKeyingMaterials(t *testing.T) {
o, err := NewInitialQUICKeyingMaterials()
if err != nil {
t.Fatalf("NewInitialQUICKeyingMaterials: %v", err)
}

keys := bytes.SplitN(o, []byte("\n"), 2)
if got, want := len(keys), 2; got != want {
t.Fatalf("len(keys) = %v, want %v", got, want)
}

for i, key := range keys {
k := make([]byte, 1)
if _, err := hex.Decode(k, key[:2]); err != nil {
t.Fatalf("hex.DecodeString: %v", err)
}

if got, want := k[0]&idMask, byte(i<<(8-idNBits)); got != want {
t.Errorf("id[%v] = %#02x, want %#02x", i, got, want)
}
}
}

0 comments on commit 78fd809

Please sign in to comment.