2017-05-27 13:30:11 -06:00
|
|
|
package handshake
|
|
|
|
|
|
|
|
import (
|
|
|
|
"sync"
|
|
|
|
"time"
|
|
|
|
|
2018-02-17 13:29:53 +08:00
|
|
|
"github.com/lucas-clemente/quic-go/internal/crypto"
|
|
|
|
"github.com/lucas-clemente/quic-go/internal/protocol"
|
2017-05-27 13:30:11 -06:00
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
|
|
|
kexLifetime = protocol.EphermalKeyLifetime
|
|
|
|
kexCurrent crypto.KeyExchange
|
|
|
|
kexCurrentTime time.Time
|
|
|
|
kexMutex sync.RWMutex
|
|
|
|
)
|
|
|
|
|
|
|
|
// getEphermalKEX returns the currently active KEX, which changes every protocol.EphermalKeyLifetime
|
|
|
|
// See the explanation from the QUIC crypto doc:
|
|
|
|
//
|
|
|
|
// A single connection is the usual scope for forward security, but the security
|
|
|
|
// difference between an ephemeral key used for a single connection, and one
|
|
|
|
// used for all connections for 60 seconds is negligible. Thus we can amortise
|
|
|
|
// the Diffie-Hellman key generation at the server over all the connections in a
|
|
|
|
// small time span.
|
2018-04-18 15:48:08 -06:00
|
|
|
func getEphermalKEX() (crypto.KeyExchange, error) {
|
2017-05-27 13:30:11 -06:00
|
|
|
kexMutex.RLock()
|
2018-04-18 15:48:08 -06:00
|
|
|
res := kexCurrent
|
2017-05-27 13:30:11 -06:00
|
|
|
t := kexCurrentTime
|
|
|
|
kexMutex.RUnlock()
|
|
|
|
if res != nil && time.Since(t) < kexLifetime {
|
2018-04-18 15:48:08 -06:00
|
|
|
return res, nil
|
2017-05-27 13:30:11 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
kexMutex.Lock()
|
|
|
|
defer kexMutex.Unlock()
|
|
|
|
// Check if still unfulfilled
|
|
|
|
if kexCurrent == nil || time.Since(kexCurrentTime) > kexLifetime {
|
|
|
|
kex, err := crypto.NewCurve25519KEX()
|
|
|
|
if err != nil {
|
2018-04-18 15:48:08 -06:00
|
|
|
return nil, err
|
2017-05-27 13:30:11 -06:00
|
|
|
}
|
|
|
|
kexCurrent = kex
|
|
|
|
kexCurrentTime = time.Now()
|
2018-04-18 15:48:08 -06:00
|
|
|
return kexCurrent, nil
|
2017-05-27 13:30:11 -06:00
|
|
|
}
|
2018-04-18 15:48:08 -06:00
|
|
|
return kexCurrent, nil
|
2017-05-27 13:30:11 -06:00
|
|
|
}
|