From 640ae7d2fd43c0f84b7badbcb9f68a99c240e00a Mon Sep 17 00:00:00 2001 From: EAimTY Date: Sun, 5 Feb 2023 11:50:49 +0900 Subject: [PATCH] fix the definition of the authentication header --- tuic/Cargo.toml | 2 +- tuic/SPEC.md | 6 ++++-- tuic/src/model/authenticate.rs | 16 ++++++++++++---- tuic/src/model/mod.rs | 3 ++- 4 files changed, 19 insertions(+), 8 deletions(-) diff --git a/tuic/Cargo.toml b/tuic/Cargo.toml index 0fb1a00..5f3f531 100644 --- a/tuic/Cargo.toml +++ b/tuic/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "tuic" -version = "5.0.0-pre-alpha.0" +version = "5.0.0-pre-alpha.1" authors = ["EAimTY "] description = "Delicately-TUICed 0-RTT proxy protocol" categories = ["network-programming"] diff --git a/tuic/SPEC.md b/tuic/SPEC.md index 09ec73b..fe246d8 100644 --- a/tuic/SPEC.md +++ b/tuic/SPEC.md @@ -55,7 +55,7 @@ Command `Connect` and `Packet` carry payload (stream / packet fragment) where: - `UUID` - client UUID -- `TOKEN` - client token. The client UUID is hashed into a 256-bit long token using [TLS Keying Material Exporter](https://www.rfc-editor.org/rfc/rfc5705) on current TLS session. While exporting, both the `label` and `context` should be the client UUID +- `TOKEN` - client token. The client raw password is hashed into a 256-bit long token using [TLS Keying Material Exporter](https://www.rfc-editor.org/rfc/rfc5705) on current TLS session. While exporting, the `label` should be the client UUID and the `context` should be the raw password. #### `Connect` @@ -194,4 +194,6 @@ When there is any ongoing relaying task, the client should send a `Heartbeat` co ## Error Handling -Note that there is no response for any command. If the server receives a command that is not valid, or encounters any error during the processing (e.g. the target address is unreachable, authentication failure), there is no *standard* way to deal with it. The behavior is implementation-defined. +Note that there is no response for any command. If the server receives a command that is not valid, or encounters any error during the processing (e.g. the target address is unreachable, authentication failure), there is no *standard* way to deal with it. The behavior is implementation-defined. The server may close the QUIC connection, or just ignore the command. + +For example, if the server receives a `Connect` command with an unreachable target address, it may close `bidirectional_stream` to indicate the error. diff --git a/tuic/src/model/authenticate.rs b/tuic/src/model/authenticate.rs index b49c3d2..305cd40 100644 --- a/tuic/src/model/authenticate.rs +++ b/tuic/src/model/authenticate.rs @@ -13,12 +13,16 @@ struct Tx { } impl Authenticate { - pub(super) fn new(uuid: Uuid, exporter: impl KeyingMaterialExporter) -> Self { + pub(super) fn new( + uuid: Uuid, + password: impl AsRef<[u8]>, + exporter: impl KeyingMaterialExporter, + ) -> Self { Self { inner: Side::Tx(Tx { header: Header::Authenticate(AuthenticateHeader::new( uuid, - exporter.export_keying_material(uuid.as_ref(), uuid.as_ref()), + exporter.export_keying_material(uuid.as_ref(), password.as_ref()), )), }), _marker: side::Tx, @@ -58,9 +62,13 @@ impl Authenticate { } /// Returns whether the token is valid - pub fn is_valid(&self, exporter: impl KeyingMaterialExporter) -> bool { + pub fn is_valid( + &self, + password: impl AsRef<[u8]>, + exporter: impl KeyingMaterialExporter, + ) -> bool { let Side::Rx(rx) = &self.inner else { unreachable!() }; - rx.token == exporter.export_keying_material(rx.uuid.as_ref(), rx.uuid.as_ref()) + rx.token == exporter.export_keying_material(rx.uuid.as_ref(), password.as_ref()) } } diff --git a/tuic/src/model/mod.rs b/tuic/src/model/mod.rs index 9354ee1..b69caa9 100644 --- a/tuic/src/model/mod.rs +++ b/tuic/src/model/mod.rs @@ -59,9 +59,10 @@ where pub fn send_authenticate( &self, uuid: Uuid, + password: impl AsRef<[u8]>, exporter: impl KeyingMaterialExporter, ) -> Authenticate { - Authenticate::::new(uuid, exporter) + Authenticate::::new(uuid, password, exporter) } /// Receives an `Authenticate`