Class SourceAddressQuicTokenHandler
- All Implemented Interfaces:
io.netty.handler.codec.quic.QuicTokenHandler
This replaces Netty's InsecureQuicTokenHandler.
The insecure handler writes the client address into the token in plaintext
with no cryptographic protection, so an attacker can trivially forge a token that
embeds a spoofed source address and pass validation — defeating the retry mechanism
and re-enabling QUIC address-spoofing / traffic-amplification attacks (a forged-source
Initial packet can elicit a large response up to initialMaxData).
This handler instead binds the client's InetSocketAddress into a keyed HMAC
(HMAC-SHA256 under a per-server random secret). A retry token is therefore:
- source-address bound: the address bytes are part of the HMAC input, so a token minted for address A does not validate for address B;
- unforgeable: without the server secret an attacker cannot produce a token that validates for any address, so the only way to obtain a valid token is to complete a Retry round-trip — which requires actually receiving the Retry packet at the claimed source address.
Http3Server.start(int) and lives for the
lifetime of the server, so tokens issued in a Retry remain valid for the immediately
following handshake. Because only IP address bytes are hashed (not the ephemeral
secret's persistence across restarts), the handler is correct for both IPv4 (4-byte)
and IPv6 (16-byte) peers.
Token layout: [VERSION(1)] [HMAC-SHA256(32)] [original-dcid(0..MAX_CONN_ID_LEN)].
validateToken(ByteBuf, InetSocketAddress) returns the offset at which the
original destination connection id begins, exactly as Netty's built-in handlers do.
-
Constructor Summary
ConstructorsConstructorDescriptionCreate a handler with a fresh random secret. -
Method Summary
Modifier and TypeMethodDescriptionintintvalidateToken(io.netty.buffer.ByteBuf token, InetSocketAddress address) booleanwriteToken(io.netty.buffer.ByteBuf out, io.netty.buffer.ByteBuf dcid, InetSocketAddress address)
-
Constructor Details
-
SourceAddressQuicTokenHandler
public SourceAddressQuicTokenHandler()Create a handler with a fresh random secret.
-
-
Method Details
-
writeToken
public boolean writeToken(io.netty.buffer.ByteBuf out, io.netty.buffer.ByteBuf dcid, InetSocketAddress address) - Specified by:
writeTokenin interfaceio.netty.handler.codec.quic.QuicTokenHandler
-
validateToken
- Specified by:
validateTokenin interfaceio.netty.handler.codec.quic.QuicTokenHandler
-
maxTokenLength
public int maxTokenLength()- Specified by:
maxTokenLengthin interfaceio.netty.handler.codec.quic.QuicTokenHandler
-