Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Allow app to accept/reject/retry before handshake begins
Summary of changes to `quinn` API --- Removes use_retry setting from the server config. `Endpoint::accept` now returns `Connecting` futures for which the server has not yet responded to the client or allocated state. The application can use the `Connecting` in a mostly normal way to accept the connection, or can call `reject` or `retry` to reject/retry instead. A server application could call methods such as `remote_address` and `is_validated` to implement policies ranging from simply retrying non- validated connections, thus emulating the old use_retry = true behavior, to implementing various sorts of IP address blocking systems. Of note is that this makes it possible for the server to fail to fully process a connection-creating packet even after a corresponding `Connecting` future has been delivered to the application. **This means that it is now possible for `into_0rtt` to error for incoming connections, which was not previously the case.** The error type of `into_0rtt` is changed into a new `Into0RttError` type which intentionally avoids implementing `Debug` so as to cause user code which was blindly unwrap such errors in servers to fail to compile. From what I can tell, other Rust QUIC implementations avoid this quirk by not giving the application that much manual control. Example --- Additional options are added to the server and client example to illustrate one reasonable way to use this new API. Running them as such showcases IP blocking behavior: cargo run --example server ./ --listen 127.0.0.1:4433 --stateless-retry --block 127.0.0.1:8065 cargo run --example client https://127.0.0.1:4433/Cargo.toml --host localhost --bind 127.0.0.1:8065 One thing to note is that that example places the reject condition before the retry condition. This expends slightly less effort rejecting connections, but does create a blocked IP address oracle for an attacker who can do address spoofing. Misc notes --- - Quinn-proto has a different `IncomingConnection` type for incoming connection attempts for which the server has not yet allocated state. In quinn, the `Connecting` future does the work of abstracting over this transition. - `DatagramEvent::NewConnection` now just contains `IncomingConnection`. - For borrowing reasons, two fields of `State` have been factored out into `TransmitState`, those being the fields necessary to process a `proto::Transmit`, which now gets processed from more call sites than before. - This commit establishes some new architectural precedents for some code in the `quinn::connection` module to hold a handle to the endpoint and calling methods on it that require it to lock its state. - A server endpoint no longer accepts incoming connections automatically, the application must actually be taking them and doing stuff with them. This should not be a problem for real applications, but may break certain artificial tests. - The `accept_after_close` test was completely removed because the functionality it was testing for is simply no longer supported. - Adds some entries to the .gitignore I was using for LOC coverage testing.
- Loading branch information