Class SourceAddressQuicTokenHandler

java.lang.Object
org.mockserver.netty.http3.SourceAddressQuicTokenHandler
All Implemented Interfaces:
io.netty.handler.codec.quic.QuicTokenHandler

public final class SourceAddressQuicTokenHandler extends Object implements io.netty.handler.codec.quic.QuicTokenHandler
Source-address-validating QUIC retry token handler (stateless retry, RFC 9000 §8.1).

This replaces Netty's InsecureQuicTokenHandler. The insecure handler writes the client address into the token in plaintext with no cryptographic protection, so an attacker can trivially forge a token that embeds a spoofed source address and pass validation — defeating the retry mechanism and re-enabling QUIC address-spoofing / traffic-amplification attacks (a forged-source Initial packet can elicit a large response up to initialMaxData).

This handler instead binds the client's InetSocketAddress into a keyed HMAC (HMAC-SHA256 under a per-server random secret). A retry token is therefore:

  • source-address bound: the address bytes are part of the HMAC input, so a token minted for address A does not validate for address B;
  • unforgeable: without the server secret an attacker cannot produce a token that validates for any address, so the only way to obtain a valid token is to complete a Retry round-trip — which requires actually receiving the Retry packet at the claimed source address.
The secret is generated once per Http3Server.start(int) and lives for the lifetime of the server, so tokens issued in a Retry remain valid for the immediately following handshake. Because only IP address bytes are hashed (not the ephemeral secret's persistence across restarts), the handler is correct for both IPv4 (4-byte) and IPv6 (16-byte) peers.

Token layout: [VERSION(1)] [HMAC-SHA256(32)] [original-dcid(0..MAX_CONN_ID_LEN)]. validateToken(ByteBuf, InetSocketAddress) returns the offset at which the original destination connection id begins, exactly as Netty's built-in handlers do.

  • Constructor Details

    • SourceAddressQuicTokenHandler

      public SourceAddressQuicTokenHandler()
      Create a handler with a fresh random secret.
  • Method Details

    • writeToken

      public boolean writeToken(io.netty.buffer.ByteBuf out, io.netty.buffer.ByteBuf dcid, InetSocketAddress address)
      Specified by:
      writeToken in interface io.netty.handler.codec.quic.QuicTokenHandler
    • validateToken

      public int validateToken(io.netty.buffer.ByteBuf token, InetSocketAddress address)
      Specified by:
      validateToken in interface io.netty.handler.codec.quic.QuicTokenHandler
    • maxTokenLength

      public int maxTokenLength()
      Specified by:
      maxTokenLength in interface io.netty.handler.codec.quic.QuicTokenHandler