alibaba / xquic

XQUIC Library released by Alibaba is a cross-platform implementation of QUIC and HTTP/3 protocol.
Apache License 2.0

[~] added token complexity for client-server interaction #417

Open Ya-Pasha-364shy opened 1 month ago

Ya-Pasha-364shy commented 1 month ago

Hello everyone, I decided to make the token more complex by double-XOR encryption with an initialization vector and a connection secret; this secret is unique for each connection. I would be glad to receive constructive criticism and reviews.

Fixes #266 issue

Ya-Pasha-364shy commented 3 weeks ago

Hi all. Do you find these changes useful or can I close the pull request?

Yanmei-Liu commented 3 weeks ago

> Hi all. Do you find these changes useful or can I close the pull request?

@Ya-Pasha-364shy Thanks for the PR, and sorry for the late reply. We find it useful, but it can't be merged in its current state. There's an important issue here: the generated token needs to be used during new connection handshakes in the future. We usually use it in a distributed cluster, and the servers in the cluster don't have to share state with each other. So with the current solution the server can't validate the token in the future without the current state.

We have discussed a new solution to solve this issue. Basically we'd like to have the modification upon your PR, and keep this PR unmerged until this new solution is merged into this branch.
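The requirement in the comment above (any server in the cluster must be able to validate a token issued earlier, possibly by a different server, with no per-connection state) is what a keyed, self-authenticating token gives you. The following is an added illustration, not xquic code and not the scheme in this PR: the token carries its own version, issue time and client address, and a truncated HMAC-SHA256 tag under a key shared by the whole cluster. Validation only needs that key, so it works on any server and after a restart. The field layout, the 16-byte tag, the 600-second lifetime and the cluster key itself are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import struct
import time
from typing import Optional

TOKEN_VERSION = 1
TAG_LEN = 16           # truncated HMAC-SHA256 tag (assumed for the example)
TOKEN_LIFETIME = 600   # seconds a token stays valid (assumed policy)
BODY_LEN = 1 + 8 + 16  # version || issued_at || 16-byte client address


def _addr_bytes(ip: str) -> bytes:
    """Canonical 16-byte form of the client address (IPv4 mapped into IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        addr = ipaddress.IPv6Address("::ffff:" + ip)
    return addr.packed


def make_token(cluster_key: bytes, client_ip: str, now: Optional[int] = None) -> bytes:
    """Issue a stateless address-validation token: body || HMAC(cluster_key, body).

    Nothing about the connection is stored on the issuing server; every server
    that holds cluster_key can validate the result later.
    """
    issued_at = int(time.time()) if now is None else now
    body = struct.pack("!BQ", TOKEN_VERSION, issued_at) + _addr_bytes(client_ip)
    tag = hmac.new(cluster_key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def validate_token(cluster_key: bytes, token: bytes, client_ip: str,
                   now: Optional[int] = None) -> bool:
    """Accept only if the tag verifies, the token is fresh, and it was issued
    to the address that is presenting it (RFC 9000 section 8.1.4 binds the
    token to the client address so it cannot be replayed from elsewhere)."""
    if len(token) != BODY_LEN + TAG_LEN:
        return False
    body, tag = token[:BODY_LEN], token[BODY_LEN:]
    expected = hmac.new(cluster_key, body, hashlib.sha256).digest()[:TAG_LEN]
    # Verify the tag before trusting any field; constant-time compare.
    if not hmac.compare_digest(tag, expected):
        return False
    version, issued_at = struct.unpack("!BQ", body[:9])
    if version != TOKEN_VERSION:
        return False
    current = int(time.time()) if now is None else now
    # Reject tokens from the future (clock skew / forgery) and stale ones.
    if not issued_at <= current <= issued_at + TOKEN_LIFETIME:
        return False
    return hmac.compare_digest(body[9:], _addr_bytes(client_ip))


def cluster_demo() -> dict:
    """Two servers sharing one key, a third with its own key. Constructed data."""
    shared_key = b"\x11" * 32      # assumed cluster-wide key
    foreign_key = b"\x22" * 32     # a server outside the cluster
    issued = 1_700_000_000
    tok = make_token(shared_key, "203.0.113.7", now=issued)
    return {
        # server B never saw the connection that produced tok, yet validates it
        "other_server_ok": validate_token(shared_key, tok, "203.0.113.7", now=issued + 100),
        "wrong_client": validate_token(shared_key, tok, "203.0.113.8", now=issued + 100),
        "expired": validate_token(shared_key, tok, "203.0.113.7", now=issued + TOKEN_LIFETIME + 1),
        "foreign_key": validate_token(foreign_key, tok, "203.0.113.7", now=issued + 100),
        "tampered": validate_token(shared_key, tok[:-1] + bytes([tok[-1] ^ 1]),
                                   "203.0.113.7", now=issued + 100),
    }


if __name__ == "__main__":
    print(cluster_demo())
```

The cluster key is the one piece of state the servers must share, and it is distributed out of band (for instance through the same channel as the TLS keys) rather than per connection; rotating it invalidates outstanding tokens, which is why a version byte is worth carrying from the start. The tag is checked before any field is parsed, so an attacker cannot probe the timestamp or address logic without first forging the MAC.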

Ya-Pasha-364shy commented 2 weeks ago

> @Ya-Pasha-364shy Thanks for the PR, and sorry for the late reply. We find it useful but it can't be merged at the current state. There's an important issue here: The generated token need to be used during new connection handshaking in the future. While usually we used it in distributed cluster, and the servers in the cluster don't have to share state with each other. Then the current solution would cause the server can't validate the token in the future without current state.
>
> We have discussed a new solution to solve this issue. Basically we'd like to have the modification upon your PR, and keep this PR unmerged until this new solution is merged into this branch.

Thanks for the feedback. I understand you; I will wait for the decision on validating new connection handshakes by token in the future. Tag me here when the new solution is merged into main.