feat(s2n-quic): Lazy-init duplicate filter (#2345)

Mark-Simulacrum · web-flow · commit 6b872aa172df · 2024-10-08T17:00:06.000-06:00
This avoids a 1MB allocation per endpoint if we never receive a valid
token (as is typical, since users need to explicitly opt-in to this with
a limiter impl).
diff --git a/quic/s2n-quic/src/provider/address_token/default.rs b/quic/s2n-quic/src/provider/address_token/default.rs
@@ -28,17 +28,15 @@ struct BaseKey {
     //= https://www.rfc-editor.org/rfc/rfc9000#section-8.1.4
     //# To protect against such attacks, servers MUST ensure that
     //# replay of tokens is prevented or limited.
-    duplicate_filter: cuckoofilter::CuckooFilter<HashHasher>,
+    duplicate_filter: Option<cuckoofilter::CuckooFilter<HashHasher>>,
 }
 
 impl BaseKey {
     pub fn new(active_duration: Duration) -> Self {
         Self {
             active_duration,
             key: None,
-            duplicate_filter: cuckoofilter::CuckooFilter::with_capacity(
-                cuckoofilter::DEFAULT_CAPACITY,
-            ),
+            duplicate_filter: None,
         }
     }
 
@@ -70,8 +68,7 @@ impl BaseKey {
 
         // TODO clear the filter instead of recreating. This is pending a merge to crates.io
         // (https://github.com/axiomhq/rust-cuckoofilter/pull/52)
-        self.duplicate_filter =
-            cuckoofilter::CuckooFilter::with_capacity(cuckoofilter::DEFAULT_CAPACITY);
+        self.duplicate_filter = None;
 
         self.key = Some((expires_at, key));
 
@@ -201,7 +198,8 @@ impl Format {
     ) -> Option<connection::InitialId> {
         if self.keys[token.header.key_id() as usize]
             .duplicate_filter
-            .contains(token)
+            .as_ref()
+            .map_or(false, |f| f.contains(token))
         {
             return None;
         }
@@ -216,6 +214,9 @@ impl Format {
             // continue the connection if the filter fails.
             let _ = self.keys[token.header.key_id() as usize]
                 .duplicate_filter
+                .get_or_insert_with(|| {
+                    cuckoofilter::CuckooFilter::with_capacity(cuckoofilter::DEFAULT_CAPACITY)
+                })
                 .add(token);
 
             return token.original_destination_connection_id();
