add an AddrVerified field to the ClientHelloInfo (#4360)

marten-seemann · web-flow · commit ca787d6f0095 · 2024-03-11T05:00:25.000-07:00
* add an AddressVerified field to the ClientHelloInfo

* rename ClientHelloInfo.AddressVerififed to ClientHelloInfo.AddrVerififed
diff --git a/integrationtests/self/handshake_rtt_test.go b/integrationtests/self/handshake_rtt_test.go
@@ -76,7 +76,10 @@ var _ = Describe("Handshake RTT tests", func() {
 			context.Background(),
 			fmt.Sprintf("localhost:%d", proxy.LocalAddr().(*net.UDPAddr).Port),
 			getTLSClientConfig(),
-			getQuicConfig(nil),
+			getQuicConfig(&quic.Config{GetConfigForClient: func(info *quic.ClientHelloInfo) (*quic.Config, error) {
+				Expect(info.AddrVerified).To(BeTrue())
+				return nil, nil
+			}}),
 		)
 		Expect(err).ToNot(HaveOccurred())
 		defer conn.CloseWithError(0, "")
@@ -94,7 +97,10 @@ var _ = Describe("Handshake RTT tests", func() {
 			context.Background(),
 			fmt.Sprintf("localhost:%d", proxy.LocalAddr().(*net.UDPAddr).Port),
 			getTLSClientConfig(),
-			getQuicConfig(nil),
+			getQuicConfig(&quic.Config{GetConfigForClient: func(info *quic.ClientHelloInfo) (*quic.Config, error) {
+				Expect(info.AddrVerified).To(BeFalse())
+				return nil, nil
+			}}),
 		)
 		Expect(err).ToNot(HaveOccurred())
 		defer conn.CloseWithError(0, "")
diff --git a/interface.go b/interface.go
@@ -333,8 +333,15 @@ type Config struct {
 	Tracer          func(context.Context, logging.Perspective, ConnectionID) *logging.ConnectionTracer
 }
 
+// ClientHelloInfo contains information about an incoming connection attempt.
 type ClientHelloInfo struct {
+	// RemoteAddr is the remote address on the Initial packet.
+	// Unless AddrVerified is set, the address is not yet verified, and could be a spoofed IP address.
 	RemoteAddr net.Addr
+	// AddrVerified says if the remote address was verified using QUIC's Retry mechanism.
+	// Note that the Retry mechanism costs one network roundtrip,
+	// and is not performed unless Transport.MaxUnvalidatedHandshakes is surpassed.
+	AddrVerified bool
 }
 
 // ConnectionState records basic details about a QUIC connection
diff --git a/server.go b/server.go
@@ -639,7 +639,10 @@ func (s *baseServer) handleInitialImpl(p receivedPacket, hdr *wire.Header) error
 	tracingID := nextConnTracingID()
 	config := s.config
 	if s.config.GetConfigForClient != nil {
-		conf, err := s.config.GetConfigForClient(&ClientHelloInfo{RemoteAddr: p.remoteAddr})
+		conf, err := s.config.GetConfigForClient(&ClientHelloInfo{
+			RemoteAddr:   p.remoteAddr,
+			AddrVerified: clientAddrValidated,
+		})
 		if err != nil {
 			s.logger.Debugf("Rejecting new connection due to GetConfigForClient callback")
 			delete(s.zeroRTTQueues, hdr.DestConnectionID)

Original file line number	Diff line number	Diff line change
`@@ -333,8 +333,15 @@ type Config struct {`
`333`	`333`	`Tracer func(context.Context, logging.Perspective, ConnectionID) *logging.ConnectionTracer`
`334`	`334`	`}`
`335`	`335`
	`336`	`+// ClientHelloInfo contains information about an incoming connection attempt.`
`336`	`337`	`type ClientHelloInfo struct {`
	`338`	`+ // RemoteAddr is the remote address on the Initial packet.`
	`339`	`+ // Unless AddrVerified is set, the address is not yet verified, and could be a spoofed IP address.`
`337`	`340`	`RemoteAddr net.Addr`
	`341`	`+ // AddrVerified says if the remote address was verified using QUIC's Retry mechanism.`
	`342`	`+ // Note that the Retry mechanism costs one network roundtrip,`
	`343`	`+ // and is not performed unless Transport.MaxUnvalidatedHandshakes is surpassed.`
	`344`	`+ AddrVerified bool`
`338`	`345`	`}`
`339`	`346`
`340`	`347`	`// ConnectionState records basic details about a QUIC connection`