endpoint: use a consistent quic reset key derived from our private key

MystenLabs · Nov 15, 2022 · 3bcbd2c · 3bcbd2c
1 parent 4a7d508
commit 3bcbd2c
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 1 deletion.
diff --git a/crates/anemo/Cargo.toml b/crates/anemo/Cargo.toml
@@ -19,6 +19,7 @@ pin-project-lite = "0.2.9"
 pkcs8 = { version = "0.9.0", features = ["std"] }
 quinn = { version = "0.9.0", default-features = false, features = ["runtime-tokio", "tls-rustls", "futures-io"] }
 rand = "0.8.5"
+ring = "0.16.7"
 rcgen = "0.9.2"
 rustls = { version = "0.20.4", features = ["dangerous_configuration"] }
 serde = { version = "1.0.136", features = ["derive"] }

diff --git a/crates/anemo/src/config.rs b/crates/anemo/src/config.rs
@@ -278,6 +278,14 @@ impl EndpointConfigBuilder {
             public_key: None,
         };
 
+        // Derive our quic reset key from our private key
+        let reset_key = {
+            let mut rng = <rand::rngs::StdRng as rand::SeedableRng>::from_seed(keypair.secret_key);
+            let mut reset_key = [0; 64];
+            rand::RngCore::fill_bytes(&mut rng, &mut reset_key);
+            reset_key
+        };
+
         let server_name = self.server_name.unwrap();
         let transport_config = Arc::new(self.transport_config.unwrap_or_default());
 
@@ -307,6 +315,7 @@ impl EndpointConfigBuilder {
             quinn_client_config: client_config,
             server_name,
             transport_config,
+            reset_key,
         })
     }
 
@@ -368,6 +377,7 @@ pub(crate) struct EndpointConfig {
     server_name: String,
 
     transport_config: Arc<quinn::TransportConfig>,
+    reset_key: [u8; 64],
 }
 
 impl EndpointConfig {
@@ -383,6 +393,13 @@ impl EndpointConfig {
         &self.server_name
     }
 
+    pub fn quinn_endpoint_config(&self) -> quinn::EndpointConfig {
+        quinn::EndpointConfig::new(Arc::new(ring::hmac::Key::new(
+            ring::hmac::HMAC_SHA256,
+            &self.reset_key,
+        )))
+    }
+
     pub fn server_config(&self) -> &quinn::ServerConfig {
         &self.quinn_server_config
     }

diff --git a/crates/anemo/src/endpoint.rs b/crates/anemo/src/endpoint.rs
@@ -22,7 +22,7 @@ impl Endpoint {
         let local_addr = socket.local_addr()?;
         let server_config = config.server_config().clone();
         let endpoint = quinn::Endpoint::new(
-            Default::default(),
+            config.quinn_endpoint_config(),
             Some(server_config),
             socket,
             quinn::TokioRuntime,