Make QUIC token secrets configurable#13397
Open
bneradt wants to merge 1 commit into
Open
Conversation
QUIC address-validation and stateless-reset tokens use fixed compile-time secrets, allowing anyone with the source to reproduce valid token MACs. This replaces the fixed values with reloadable 32-byte keys and a random per-process fallback. Multiple file keys allow rotation without immediately invalidating address-validation tokens, and HMAC-SHA256 protects all token types. This also rejects malformed tokens before parsing and adds coverage for file loading, key rotation, invalid files, and fallback-key stability.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens QUIC token security in ATS by replacing fixed, compile-time secrets for address-validation (Retry/Resumption) and stateless-reset tokens with reloadable 32-byte secret keys (plus a per-process random fallback when unset). It integrates the new key material into the config reload flow and updates token generation/validation to use HMAC-SHA256, including stricter malformed-token rejection.
Changes:
- Add a reloadable record (
proxy.config.quic.server.token_key.filename) and wire it into mgmt’s config reread triggers. - Introduce
QUICTokenKeyConfigto load/rotate one-or-more 32-byte keys (or generate a stable per-process random key when unset). - Update QUIC token generation/validation to HMAC-SHA256 and add unit tests + admin documentation for key files and rotation.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| src/records/RecordsConfig.cc | Adds the new reloadable QUIC token key filename record. |
| src/mgmt/config/FileManager.cc | Ensures the QUIC token key filename record participates in reread/reload triggering (like SSL ticket keys). |
| src/iocore/net/unit_tests/test_QUICTokenKeyConfig.cc | Adds Catch2 coverage for key loading, rotation behavior, invalid key files, and random-fallback stability. |
| src/iocore/net/quic/QUICTypes.cc | Switches token MACs to HMAC-SHA256, validates against multiple keys, and rejects malformed tokens before parsing. |
| src/iocore/net/quic/QUICConfig.cc | Implements QUICTokenKeyConfig (load/generate/cleanse) and starts it during QUIC startup. |
| src/iocore/net/CMakeLists.txt | Builds the new QUIC token key unit test when QUIC is enabled. |
| include/iocore/net/quic/QUICTypes.h | Introduces MAC_LENGTH, hardens token buffer construction, and initializes _token_len safely. |
| include/iocore/net/quic/QUICConfig.h | Declares QUICTokenKeyConfig{,Params} public interfaces and key storage types. |
| doc/admin-guide/files/records.yaml.en.rst | Documents the new record, key file format/rotation semantics, and clarifies proxy.config.quic.instance_id semantics. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
QUIC address-validation and stateless-reset tokens use fixed
compile-time secrets, allowing anyone with the source to reproduce
valid token MACs.
This replaces the fixed values with reloadable 32-byte keys and a
random per-process fallback. Multiple file keys allow rotation without
immediately invalidating address-validation tokens, and HMAC-SHA256
protects all token types.
This also rejects malformed tokens before parsing and adds coverage for
file loading, key rotation, invalid files, and fallback-key stability.