fix the definition of the authentication header

tuic/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "tuic"
-version = "5.0.0-pre-alpha.0"
+version = "5.0.0-pre-alpha.1"
 authors = ["EAimTY <ea.imty@gmail.com>"]
 description = "Delicately-TUICed 0-RTT proxy protocol"
 categories = ["network-programming"]

tuic/SPEC.md

@@ -55,7 +55,7 @@ Command `Connect` and `Packet` carry payload (stream / packet fragment)
 where:
 
 - `UUID` - client UUID
-- `TOKEN` - client token. The client UUID is hashed into a 256-bit long token using [TLS Keying Material Exporter](https://www.rfc-editor.org/rfc/rfc5705) on current TLS session. While exporting, both the `label` and `context` should be the client UUID
+- `TOKEN` - client token. The client raw password is hashed into a 256-bit long token using [TLS Keying Material Exporter](https://www.rfc-editor.org/rfc/rfc5705) on current TLS session. While exporting, the `label` should be the client UUID and the `context` should be the raw password.
 
 #### `Connect`
 
@@ -194,4 +194,6 @@ When there is any ongoing relaying task, the client should send a `Heartbeat` co
 
 ## Error Handling
 
-Note that there is no response for any command. If the server receives a command that is not valid, or encounters any error during the processing (e.g. the target address is unreachable, authentication failure), there is no *standard* way to deal with it. The behavior is implementation-defined.
+Note that there is no response for any command. If the server receives a command that is not valid, or encounters any error during the processing (e.g. the target address is unreachable, authentication failure), there is no *standard* way to deal with it. The behavior is implementation-defined. The server may close the QUIC connection, or just ignore the command.
+
+For example, if the server receives a `Connect` command with an unreachable target address, it may close `bidirectional_stream` to indicate the error.

tuic/src/model/authenticate.rs

@@ -13,12 +13,16 @@ struct Tx {
 }
 
 impl Authenticate<side::Tx> {
-    pub(super) fn new(uuid: Uuid, exporter: impl KeyingMaterialExporter) -> Self {
+    pub(super) fn new(
+        uuid: Uuid,
+        password: impl AsRef<[u8]>,
+        exporter: impl KeyingMaterialExporter,
+    ) -> Self {
         Self {
             inner: Side::Tx(Tx {
                 header: Header::Authenticate(AuthenticateHeader::new(
                     uuid,
-                    exporter.export_keying_material(uuid.as_ref(), uuid.as_ref()),
+                    exporter.export_keying_material(uuid.as_ref(), password.as_ref()),
                 )),
             }),
             _marker: side::Tx,
@@ -58,9 +62,13 @@ impl Authenticate<side::Rx> {
     }
 
     /// Returns whether the token is valid
-    pub fn is_valid(&self, exporter: impl KeyingMaterialExporter) -> bool {
+    pub fn is_valid(
+        &self,
+        password: impl AsRef<[u8]>,
+        exporter: impl KeyingMaterialExporter,
+    ) -> bool {
         let Side::Rx(rx) = &self.inner else { unreachable!() };
-        rx.token == exporter.export_keying_material(rx.uuid.as_ref(), rx.uuid.as_ref())
+        rx.token == exporter.export_keying_material(rx.uuid.as_ref(), password.as_ref())
     }
 }
 

tuic/src/model/mod.rs

@@ -59,9 +59,10 @@ where
     pub fn send_authenticate(
         &self,
         uuid: Uuid,
+        password: impl AsRef<[u8]>,
         exporter: impl KeyingMaterialExporter,
     ) -> Authenticate<side::Tx> {
-        Authenticate::<side::Tx>::new(uuid, exporter)
+        Authenticate::<side::Tx>::new(uuid, password, exporter)
     }
 
     /// Receives an `Authenticate`