From f5ae4f7ace1adf1f76acad9abd0a16231d758eae Mon Sep 17 00:00:00 2001
From: James M Snell <jasnell@gmail.com>
Date: Wed, 4 Dec 2019 13:23:29 -0800
Subject: [PATCH] quic: stateless reset generate strategy

Generate stateless reset token cryptographically

Fixes: https://github.com/nodejs/quic/issues/62
PR-URL: https://github.com/nodejs/quic/pull/215
Reviewed-By: Anna Henningsen <anna@addaleax.net>
---
 doc/api/errors.md                        |   4 +
 doc/api/quic.md                          |   9 ++
 lib/internal/errors.js                   |   3 +
 lib/internal/quic/core.js                |  12 ++-
 lib/internal/quic/util.js                |  14 +++
 src/node_quic.cc                         |   1 +
 src/node_quic_crypto.cc                  |  23 ++++-
 src/node_quic_crypto.h                   |  10 +-
 src/node_quic_session.cc                 |  31 +++++-
 src/node_quic_session.h                  |  24 ++++-
 src/node_quic_socket.cc                  | 123 ++++++++++++++++++-----
 src/node_quic_socket.h                   |  20 +++-
 src/node_quic_util.h                     |   3 +
 test/parallel/test-quic-client-server.js |   9 +-
 14 files changed, 244 insertions(+), 42 deletions(-)

diff --git a/doc/api/errors.md b/doc/api/errors.md
index 91895b97e7..f09d9f19ef 100644
--- a/doc/api/errors.md
+++ b/doc/api/errors.md
@@ -1671,6 +1671,10 @@ TBD
 
 TBD
 
+<a id="ERR_QUICSOCKET_INVALID_STATELESS_RESET_SECRET_LENGTH"></a>
+### ERR_QUICSOCKET_INVALID_STATELESS_RESET_SECRET_LENGTH
+TBD
+
 <a id="ERR_QUICSOCKET_LISTENING"></a>
 ### ERR_QUICSOCKET_LISTENING
 
diff --git a/doc/api/quic.md b/doc/api/quic.md
index 5392309594..48a16a884b 100644
--- a/doc/api/quic.md
+++ b/doc/api/quic.md
@@ -1596,6 +1596,15 @@ Changing TTL values is typically done for network probes or when multicasting.
 The argument to `socket.setTTL()` is a number of hops between `1` and `255`.
 The default on most systems is `64` but can vary.
 
+#### quicsocket.statelessResetCount
+<!-- YAML
+added: REPLACEME
+-->
+
+* Type: {BigInt}
+
+A `BigInt` that represents the number of stateless resets that have been sent.
+
 #### quicsocket.unref();
 <!-- YAML
 added: REPLACEME
diff --git a/lib/internal/errors.js b/lib/internal/errors.js
index 2827eb06fe..09855c8778 100644
--- a/lib/internal/errors.js
+++ b/lib/internal/errors.js
@@ -1128,6 +1128,9 @@ E('ERR_QUICSOCKET_CLOSING',
   'Cannot call %s while a QuicSocket is closing', Error);
 E('ERR_QUICSOCKET_DESTROYED',
   'Cannot call %s after a QuicSocket has been destroyed', Error);
+E('ERR_QUICSOCKET_INVALID_STATELESS_RESET_SECRET_LENGTH',
+  'The stateResetToken must be exactly 16-bytes in length',
+  Error);
 E('ERR_QUICSOCKET_LISTENING',
   'This QuicSocket is already listening', Error);
 E('ERR_QUICSOCKET_UNBOUND',
diff --git a/lib/internal/quic/core.js b/lib/internal/quic/core.js
index 1d371d7fd6..cb9a0c6eb9 100644
--- a/lib/internal/quic/core.js
+++ b/lib/internal/quic/core.js
@@ -168,6 +168,7 @@ const {
     IDX_QUIC_SOCKET_STATS_PACKETS_SENT,
     IDX_QUIC_SOCKET_STATS_SERVER_SESSIONS,
     IDX_QUIC_SOCKET_STATS_CLIENT_SESSIONS,
+    IDX_QUIC_SOCKET_STATS_STATELESS_RESET_COUNT,
     ERR_INVALID_REMOTE_TRANSPORT_PARAMS,
     ERR_INVALID_TLS_SESSION_TICKET,
     NGTCP2_PATH_VALIDATION_RESULT_FAILURE,
@@ -809,6 +810,9 @@ class QuicSocket extends EventEmitter {
 
       // Whether qlog should be enabled for sessions
       qlog,
+
+      // Stateless reset token secret (16 byte buffer)
+      statelessResetSecret
     } = validateQuicSocketOptions(options);
     super();
     const socketOptions =
@@ -827,7 +831,8 @@ class QuicSocket extends EventEmitter {
         socketOptions,
         retryTokenTimeout,
         maxConnectionsPerHost,
-        qlog);
+        qlog,
+        statelessResetSecret);
     udpHandle.quicSocket = handle;
     handle[owner_symbol] = this;
     this[async_id_symbol] = handle.getAsyncId();
@@ -1397,6 +1402,11 @@ class QuicSocket extends EventEmitter {
     return stats[IDX_QUIC_SOCKET_STATS_CLIENT_SESSIONS];
   }
 
+  get statelessResetCount() {
+    const stats = this.#stats || this[kHandle].stats;
+    return stats[IDX_QUIC_SOCKET_STATS_STATELESS_RESET_COUNT];
+  }
+
   setDiagnosticPacketLoss(options) {
     if (this.#state === kSocketDestroyed)
       throw new ERR_QUICSOCKET_DESTROYED('setDiagnosticPacketLoss');
diff --git a/lib/internal/quic/util.js b/lib/internal/quic/util.js
index 3c5e28b1cd..58f423e9ff 100644
--- a/lib/internal/quic/util.js
+++ b/lib/internal/quic/util.js
@@ -6,6 +6,7 @@ const {
     ERR_INVALID_ARG_VALUE,
     ERR_OUT_OF_RANGE,
     ERR_QUICSESSION_INVALID_DCID,
+    ERR_QUICSOCKET_INVALID_STATELESS_RESET_SECRET_LENGTH,
   },
 } = require('internal/errors');
 
@@ -369,6 +370,7 @@ function validateQuicSocketOptions(options) {
     validateAddressLRU = false,
     retryTokenTimeout = DEFAULT_RETRYTOKEN_EXPIRATION,
     qlog = false,
+    statelessResetSecret,
   } = { ...options };
   validateBindOptions(port, address);
   if (typeof type !== 'string')
@@ -411,6 +413,17 @@ function validateQuicSocketOptions(options) {
     throw new ERR_INVALID_ARG_TYPE('options.qlog', 'boolean', qlog);
   }
 
+  if (statelessResetSecret !== undefined) {
+    if (!isArrayBufferView(statelessResetSecret)) {
+      throw new ERR_INVALID_ARG_TYPE(
+        'options.statelessResetSecret',
+        ['string', 'Buffer', 'TypedArray', 'DataView'],
+        statelessResetSecret);
+    }
+    if (statelessResetSecret.length !== 16)
+      throw new ERR_QUICSOCKET_INVALID_STATELESS_RESET_SECRET_LENGTH();
+  }
+
   return {
     address,
     autoClose,
@@ -426,6 +439,7 @@ function validateQuicSocketOptions(options) {
     validateAddress: validateAddress || validateAddressLRU,
     validateAddressLRU,
     qlog,
+    statelessResetSecret,
   };
 }
 
diff --git a/src/node_quic.cc b/src/node_quic.cc
index 3c7bfab3fa..f23e9958e0 100755
--- a/src/node_quic.cc
+++ b/src/node_quic.cc
@@ -233,6 +233,7 @@ void Initialize(Local<Object> target,
   NODE_DEFINE_CONSTANT(constants, IDX_QUIC_SOCKET_STATS_PACKETS_SENT);
   NODE_DEFINE_CONSTANT(constants, IDX_QUIC_SOCKET_STATS_SERVER_SESSIONS);
   NODE_DEFINE_CONSTANT(constants, IDX_QUIC_SOCKET_STATS_CLIENT_SESSIONS);
+  NODE_DEFINE_CONSTANT(constants, IDX_QUIC_SOCKET_STATS_STATELESS_RESET_COUNT);
 
   NODE_DEFINE_CONSTANT(constants, IDX_HTTP3_QPACK_MAX_TABLE_CAPACITY);
   NODE_DEFINE_CONSTANT(constants, IDX_HTTP3_QPACK_BLOCKED_STREAMS);
diff --git a/src/node_quic_crypto.cc b/src/node_quic_crypto.cc
index 0087656ea6..56632a3c39 100644
--- a/src/node_quic_crypto.cc
+++ b/src/node_quic_crypto.cc
@@ -73,7 +73,7 @@ bool DeriveTokenKey(
     const uint8_t* rand_data,
     size_t rand_datalen,
     const ngtcp2_crypto_ctx& ctx,
-    const std::array<uint8_t, TOKEN_SECRETLEN>& token_secret) {
+    const RetryTokenSecret& token_secret) {
   TokenSecret secret;
 
   return
@@ -123,6 +123,23 @@ void GenerateRandData(uint8_t* buf, size_t len) {
 }
 }  // namespace
 
+bool GenerateResetToken(
+    uint8_t* token,
+    uint8_t* secret,
+    size_t secretlen,
+    const ngtcp2_cid* cid) {
+  ngtcp2_crypto_ctx ctx;
+  ngtcp2_crypto_ctx_initial(&ctx);
+  return NGTCP2_OK(ngtcp2_crypto_hkdf_expand(
+      token,
+      NGTCP2_STATELESS_RESET_TOKENLEN,
+      &ctx.md,
+      secret,
+      secretlen,
+      cid->data,
+      cid->datalen));
+}
+
 // The Retry Token is an encrypted token that is sent to the client
 // by the server as part of the path validation flow. The plaintext
 // format within the token is opaque and only meaningful the server.
@@ -137,7 +154,7 @@ bool GenerateRetryToken(
     size_t* tokenlen,
     const sockaddr* addr,
     const ngtcp2_cid* ocid,
-    const std::array<uint8_t, TOKEN_SECRETLEN>& token_secret) {
+    const RetryTokenSecret& token_secret) {
   std::array<uint8_t, 4096> plaintext;
 
   ngtcp2_crypto_ctx ctx;
@@ -195,7 +212,7 @@ bool InvalidRetryToken(
     ngtcp2_cid* ocid,
     const ngtcp2_pkt_hd* hd,
     const sockaddr* addr,
-    const std::array<uint8_t, TOKEN_SECRETLEN>& token_secret,
+    const RetryTokenSecret& token_secret,
     uint64_t verification_expiration) {
 
   ngtcp2_crypto_ctx ctx;
diff --git a/src/node_quic_crypto.h b/src/node_quic_crypto.h
index dcdf8ef3d1..301a5fd78f 100644
--- a/src/node_quic_crypto.h
+++ b/src/node_quic_crypto.h
@@ -63,19 +63,25 @@ bool UpdateKey(
     std::vector<uint8_t>* current_rx_secret,
     std::vector<uint8_t>* current_tx_secret);
 
+bool GenerateResetToken(
+    uint8_t* token,
+    uint8_t* secret,
+    size_t secretlen,
+    const ngtcp2_cid* cid);
+
 bool GenerateRetryToken(
     uint8_t* token,
     size_t* tokenlen,
     const sockaddr* addr,
     const ngtcp2_cid* ocid,
-    const std::array<uint8_t, TOKEN_SECRETLEN>& token_secret);
+    const RetryTokenSecret& token_secret);
 
 bool InvalidRetryToken(
     Environment* env,
     ngtcp2_cid* ocid,
     const ngtcp2_pkt_hd* hd,
     const sockaddr* addr,
-    const std::array<uint8_t, TOKEN_SECRETLEN>& token_secret,
+    const RetryTokenSecret& token_secret,
     uint64_t verification_expiration);
 
 int VerifyHostnameIdentity(SSL* ssl, const char* hostname);
diff --git a/src/node_quic_session.cc b/src/node_quic_session.cc
index aba9a958b7..8fe1451a67 100644
--- a/src/node_quic_session.cc
+++ b/src/node_quic_session.cc
@@ -678,20 +678,27 @@ void JSQuicSessionListener::OnQLog(const uint8_t* data, size_t len) {
       &str);
 }
 
-// Generates and associates a new connection ID for this QuicSession.
+// Generates a new connection ID for this QuicSession.
 // ngtcp2 will call this multiple times at the start of a new connection
 // in order to build a pool of available CIDs.
 void RandomConnectionIDStrategy::GetNewConnectionID(
     QuicSession* session,
     ngtcp2_cid* cid,
-    uint8_t* token,
     size_t cidlen) {
   cid->datalen = cidlen;
   // cidlen shouldn't ever be zero here but just in case that
   // behavior changes in ngtcp2 in the future...
   if (cidlen > 0)
     EntropySource(cid->data, cidlen);
-  EntropySource(token, NGTCP2_STATELESS_RESET_TOKENLEN);
+}
+
+void CryptoStatelessResetTokenStrategy::GetNewStatelessToken(
+    QuicSession* session,
+    ngtcp2_cid* cid,
+    uint8_t* token,
+    size_t tokenlen) {
+  ResetTokenSecret* secret = session->Socket()->GetSessionResetSecret();
+  CHECK(GenerateResetToken(token, secret->data(), secret->size(), cid));
 }
 
 // Check required capabilities were not excluded from the OpenSSL build:
@@ -1260,6 +1267,7 @@ QuicSession::QuicSession(
         reinterpret_cast<double*>(&recovery_stats_)) {
   PushListener(&default_listener_);
   SetConnectionIDStrategory(&default_connection_id_strategy_);
+  SetStatelessResetTokenStrategy(&default_stateless_reset_strategy_);
   crypto_context_.reset(new QuicCryptoContext(this, ctx, side, options));
   application_.reset(SelectApplication(this));
   if (rcid != nullptr)
@@ -1634,6 +1642,12 @@ void QuicSession::SetConnectionIDStrategory(ConnectionIDStrategy* strategy) {
   connection_id_strategy_ = strategy;
 }
 
+void QuicSession::SetStatelessResetTokenStrategy(
+    StatelessResetTokenStrategy* strategy) {
+  CHECK_NOT_NULL(strategy);
+  stateless_reset_strategy_ = strategy;
+}
+
 // Generates and associates a new connection ID for this QuicSession.
 // ngtcp2 will call this multiple times at the start of a new connection
 // in order to build a pool of available CIDs.
@@ -1643,7 +1657,16 @@ int QuicSession::GetNewConnectionID(
     size_t cidlen) {
   DCHECK(!IsFlagSet(QUICSESSION_FLAG_DESTROYED));
   CHECK_NOT_NULL(connection_id_strategy_);
-  connection_id_strategy_->GetNewConnectionID(this, cid, token, cidlen);
+  connection_id_strategy_->GetNewConnectionID(
+      this,
+      cid,
+      cidlen);
+  stateless_reset_strategy_->GetNewStatelessToken(
+      this,
+      cid,
+      token,
+      NGTCP2_STATELESS_RESET_TOKENLEN);
+
   AssociateCID(cid);
   return 0;
 }
diff --git a/src/node_quic_session.h b/src/node_quic_session.h
index 273bdbbfe1..d56b159995 100644
--- a/src/node_quic_session.h
+++ b/src/node_quic_session.h
@@ -295,7 +295,6 @@ class ConnectionIDStrategy {
   virtual void GetNewConnectionID(
       QuicSession* session,
       ngtcp2_cid* cid,
-      uint8_t* token,
       size_t cidlen) = 0;
 };
 
@@ -304,10 +303,27 @@ class RandomConnectionIDStrategy : public ConnectionIDStrategy {
   void GetNewConnectionID(
       QuicSession* session,
       ngtcp2_cid* cid,
-      uint8_t* token,
       size_t cidlen) override;
 };
 
+class StatelessResetTokenStrategy {
+ public:
+  virtual void GetNewStatelessToken(
+      QuicSession* session,
+      ngtcp2_cid* cid,
+      uint8_t* token,
+      size_t tokenlen) = 0;
+};
+
+class CryptoStatelessResetTokenStrategy : public StatelessResetTokenStrategy {
+ public:
+  void GetNewStatelessToken(
+      QuicSession* session,
+      ngtcp2_cid* cid,
+      uint8_t* token,
+      size_t tokenlen) override;
+};
+
 // The QuicCryptoContext class encapsulates all of the crypto/TLS
 // handshake details on behalf of a QuicSession.
 class QuicCryptoContext : public MemoryRetainer {
@@ -935,6 +951,7 @@ class QuicSession : public AsyncWrap,
   void RemoveListener(QuicSessionListener* listener);
 
   void SetConnectionIDStrategory(ConnectionIDStrategy* strategy);
+  void SetStatelessResetTokenStrategy(StatelessResetTokenStrategy* strategy);
 
   // Report that the stream data is flow control blocked
   void StreamDataBlocked(int64_t stream_id);
@@ -1298,6 +1315,9 @@ class QuicSession : public AsyncWrap,
   ConnectionIDStrategy* connection_id_strategy_ = nullptr;
   RandomConnectionIDStrategy default_connection_id_strategy_;
 
+  StatelessResetTokenStrategy* stateless_reset_strategy_ = nullptr;
+  CryptoStatelessResetTokenStrategy default_stateless_reset_strategy_;
+
   QuicSessionListener* listener_ = nullptr;
   JSQuicSessionListener default_listener_;
 
diff --git a/src/node_quic_socket.cc b/src/node_quic_socket.cc
index 5a0d2e369c..c6de5f33f6 100644
--- a/src/node_quic_socket.cc
+++ b/src/node_quic_socket.cc
@@ -4,6 +4,7 @@
 #include "memory_tracker-inl.h"
 #include "nghttp2/nghttp2.h"
 #include "node.h"
+#include "node_buffer.h"
 #include "node_crypto.h"
 #include "node_internals.h"
 #include "node_mem-inl.h"
@@ -24,6 +25,7 @@ namespace node {
 using crypto::EntropySource;
 using crypto::SecureContext;
 
+using v8::ArrayBufferView;
 using v8::Boolean;
 using v8::Context;
 using v8::FunctionCallbackInfo;
@@ -150,7 +152,8 @@ QuicSocket::QuicSocket(
     uint64_t retry_token_expiration,
     size_t max_connections_per_host,
     uint32_t options,
-    QlogMode qlog)
+    QlogMode qlog,
+    const uint8_t* session_reset_secret)
   : AsyncWrap(env, wrap, AsyncWrap::PROVIDER_QUICSOCKET),
     alloc_info_(MakeAllocator()),
     options_(options),
@@ -177,6 +180,19 @@ QuicSocket::QuicSocket(
   EntropySource(token_secret_.data(), token_secret_.size());
   socket_stats_.created_at = uv_hrtime();
 
+  // Set the session reset secret to the one provided or random.
+  // Note that a random secret is going to make it exceedingly
+  // difficult for the session reset token to be useful.
+  if (session_reset_secret != nullptr) {
+    memcpy(reset_token_secret_.data(),
+           session_reset_secret,
+           reset_token_secret_.size());
+  } else {
+    EntropySource(
+        reset_token_secret_.data(),
+        reset_token_secret_.size());
+  }
+
   USE(wrap->DefineOwnProperty(
       env->context(),
       env->stats_string(),
@@ -197,7 +213,8 @@ QuicSocket::~QuicSocket() {
         "  Packets Sent: %" PRIu64 "\n"
         "  Packets Ignored: %" PRIu64 "\n"
         "  Server Sessions: %" PRIu64 "\n"
-        "  Client Sessions: %" PRIu64 "\n",
+        "  Client Sessions: %" PRIu64 "\n"
+        "  Stateless Resets: %" PRIu64 "\n",
         now - socket_stats_.created_at,
         socket_stats_.bound_at > 0 ? now - socket_stats_.bound_at : 0,
         socket_stats_.listen_at > 0 ? now - socket_stats_.listen_at : 0,
@@ -207,7 +224,8 @@ QuicSocket::~QuicSocket() {
         socket_stats_.packets_sent,
         socket_stats_.packets_ignored,
         socket_stats_.server_sessions,
-        socket_stats_.client_sessions);
+        socket_stats_.client_sessions,
+        socket_stats_.stateless_reset_count);
   QuicSocketListener* listener = listener_;
   listener_->OnDestroy();
   // Remove the listener if it didn't remove itself already.
@@ -317,6 +335,17 @@ void QuicSocket::OnRecv(
   Receive(nread, std::move(buf), addr, flags);
 }
 
+namespace {
+bool IsShortHeader(
+    uint32_t version,
+    const uint8_t* pscid,
+    size_t pscidlen) {
+  return version == NGTCP2_PROTO_VER &&
+         pscid == nullptr &&
+         pscidlen == 0;
+}
+}  // namespace
+
 void QuicSocket::Receive(
     ssize_t nread,
     AllocatedBuffer buf,
@@ -382,19 +411,6 @@ void QuicSocket::Receive(
     auto scid_it = dcid_to_scid_.find(dcid_str);
     if (scid_it == std::end(dcid_to_scid_)) {
       Debug(this, "There is no existing session for dcid %s", dcid_hex.c_str());
-
-      // TODO(@jasnell): If the DCID was previously known, and there is a
-      // known stateless reset token, then we should we ought to be able
-      // to send a stateless reset at this point. It's likely that the
-      // endpoint crashed and the peer is still trying to send data.
-      // Currently, however, we don't keep track of previously used CID's
-      // and their reset tokens so we can't implement this yet. A proper
-      // implementation will track CIDs and reset tokens but only across
-      // a single restart. These will be associated with the local address
-      // (that is, a QuicSocket bound to one local port should never use
-      // the CIDs and reset tokens from a QuicSocket bound to another).
-      // It's not entirely clear how this should be implemented.
-
       // AcceptInitialPacket will first validate that the packet can be
       // accepted, then create a new server QuicSession instance if able
       // to do so. If a new instance cannot be created (for any reason),
@@ -417,7 +433,27 @@ void QuicSocket::Receive(
       // or (in the future) a CONNECTION_CLOSE packet.
       if (!session) {
         Debug(this, "Could not initialize a new server QuicSession.");
-        IncrementSocketStat(1, &socket_stats_, &socket_stats::packets_ignored);
+
+        // Ignore the packet if it's an unacceptable long header (initial)
+        if (!IsShortHeader(pversion, pscid, pscidlen)) {
+          IncrementSocketStat(
+              1, &socket_stats_,
+              &socket_stats::packets_ignored);
+        } else {
+          // Attempt to send a stateless reset. If it fails, we just ignore
+          // TODO(@jasnell): Need to verify that stateless reset is occurring
+          // correctly. Also need to determine how to test.
+          if (!SendStatelessReset(dcid, addr)) {
+            IncrementSocketStat(
+                1, &socket_stats_,
+                &socket_stats::packets_ignored);
+          } else {
+            IncrementSocketStat(
+                1, &socket_stats_,
+                &socket_stats::stateless_reset_count);
+          }
+        }
+
         return;
       }
     } else {
@@ -543,6 +579,34 @@ void QuicSocket::SendVersionNegotiation(
   Send(addr, std::move(buf), "version negotiation");
 }
 
+bool QuicSocket::SendStatelessReset(
+    const QuicCID& cid,
+    const sockaddr* addr) {
+  constexpr static size_t RANDLEN = NGTCP2_MIN_STATELESS_RESET_RANDLEN * 5;
+  uint8_t token[NGTCP2_STATELESS_RESET_TOKENLEN];
+  uint8_t random[RANDLEN];
+
+  GenerateResetToken(
+      token,
+      reset_token_secret_.data(),
+      reset_token_secret_.size(), cid.cid());
+  EntropySource(random, RANDLEN);
+
+  MallocedBuffer<char> buf(NGTCP2_MAX_PKTLEN_IPV4);
+  ssize_t nwrite =
+      ngtcp2_pkt_write_stateless_reset(
+        reinterpret_cast<uint8_t*>(buf.data),
+        NGTCP2_MAX_PKTLEN_IPV4,
+        token,
+        random,
+        RANDLEN
+      );
+    if (nwrite <= 0)
+      return false;
+    buf.Realloc(nwrite);
+    return Send(addr, std::move(buf), "stateless reset") == 0;
+}
+
 bool QuicSocket::SendRetry(
     uint32_t version,
     const QuicCID& dcid,
@@ -987,14 +1051,23 @@ void NewQuicSocket(const FunctionCallbackInfo<Value>& args) {
   CHECK_GE(retry_token_expiration, MIN_RETRYTOKEN_EXPIRATION);
   CHECK_LE(retry_token_expiration, MAX_RETRYTOKEN_EXPIRATION);
 
-  new QuicSocket(
-      env,
-      args.This(),
-      args[0].As<Object>(),
-      retry_token_expiration,
-      max_connections_per_host,
-      options,
-      args[4]->IsTrue() ? QlogMode::kEnabled : QlogMode::kDisabled);
+  const uint8_t* session_reset_secret = nullptr;
+  if (args[5]->IsArrayBufferView()) {
+    ArrayBufferViewContents<uint8_t> buf(args[5].As<ArrayBufferView>());
+    CHECK_EQ(buf.length(), TOKEN_SECRETLEN);
+    session_reset_secret = buf.data();
+  }
+
+  QuicSocket* socket =
+      new QuicSocket(
+          env,
+          args.This(),
+          args[0].As<Object>(),
+          retry_token_expiration,
+          max_connections_per_host,
+          options,
+          args[4]->IsTrue() ? QlogMode::kEnabled : QlogMode::kDisabled,
+          session_reset_secret);
 }
 
 // Enabling diagnostic packet loss enables a mode where the QuicSocket
diff --git a/src/node_quic_socket.h b/src/node_quic_socket.h
index 724f4a56e4..4550490101 100644
--- a/src/node_quic_socket.h
+++ b/src/node_quic_socket.h
@@ -54,7 +54,8 @@ enum QuicSocketStatsIdx : int {
     IDX_QUIC_SOCKET_STATS_PACKETS_IGNORED,
     IDX_QUIC_SOCKET_STATS_PACKETS_SENT,
     IDX_QUIC_SOCKET_STATS_SERVER_SESSIONS,
-    IDX_QUIC_SOCKET_STATS_CLIENT_SESSIONS
+    IDX_QUIC_SOCKET_STATS_CLIENT_SESSIONS,
+    IDX_QUIC_SOCKET_STATS_STATELESS_RESET_COUNT
 };
 
 class QuicSocket;
@@ -107,7 +108,8 @@ class QuicSocket : public AsyncWrap,
       uint64_t retry_token_expiration,
       size_t max_connections_per_host,
       uint32_t options = 0,
-      QlogMode qlog = QlogMode::kDisabled);
+      QlogMode qlog = QlogMode::kDisabled,
+      const uint8_t* session_reset_secret = nullptr);
   ~QuicSocket() override;
 
   SocketAddress* GetLocalAddress() { return &local_address_; }
@@ -157,6 +159,8 @@ class QuicSocket : public AsyncWrap,
   void IncreaseAllocatedSize(size_t size);
   void DecreaseAllocatedSize(size_t size);
 
+  ResetTokenSecret* GetSessionResetSecret() { return &reset_token_secret_; }
+
   // Implementation for UDPWrapListener
   uv_buf_t OnAlloc(size_t suggested_size) override;
   void OnRecv(ssize_t nread,
@@ -173,6 +177,10 @@ class QuicSocket : public AsyncWrap,
       const QuicCID& scid,
       const sockaddr* addr);
 
+  bool SendStatelessReset(
+      const QuicCID& cid,
+      const sockaddr* addr);
+
   void PushListener(QuicSocketListener* listener);
   void RemoveListener(QuicSocketListener* listener);
 
@@ -296,7 +304,8 @@ class QuicSocket : public AsyncWrap,
   std::string server_alpn_;
   std::unordered_map<std::string, BaseObjectPtr<QuicSession>> sessions_;
   std::unordered_map<std::string, std::string> dcid_to_scid_;
-  std::array<uint8_t, TOKEN_SECRETLEN> token_secret_;
+  RetryTokenSecret token_secret_;
+  ResetTokenSecret reset_token_secret_;
 
   // Counts the number of active connections per remote
   // address. A custom std::hash specialization for
@@ -351,8 +360,11 @@ class QuicSocket : public AsyncWrap,
     // The total number of client QuicSessions that have been
     // associated with this QuicSocket instance.
     uint64_t client_sessions;
+
+    // The total number of stateless resets that have been sent
+    uint64_t stateless_reset_count;
   };
-  socket_stats socket_stats_{0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+  socket_stats socket_stats_{};
 
   AliasedBigUint64Array stats_buffer_;
 
diff --git a/src/node_quic_util.h b/src/node_quic_util.h
index adbc794c38..5741bee0d8 100644
--- a/src/node_quic_util.h
+++ b/src/node_quic_util.h
@@ -41,6 +41,9 @@ constexpr uint64_t DEFAULT_MAX_STREAMS_UNI = 3;
 constexpr uint64_t DEFAULT_IDLE_TIMEOUT = 10 * 10000000000;
 constexpr uint64_t DEFAULT_RETRYTOKEN_EXPIRATION = 10ULL;
 
+using RetryTokenSecret = std::array<uint8_t, TOKEN_SECRETLEN>;
+using ResetTokenSecret = std::array<uint8_t, NGTCP2_STATELESS_RESET_TOKENLEN>;
+
 enum SelectPreferredAddressPolicy : int {
   // Ignore the server-provided preferred address
   QUIC_PREFERRED_ADDRESS_IGNORE,
diff --git a/test/parallel/test-quic-client-server.js b/test/parallel/test-quic-client-server.js
index e85bb268dc..ca5ed3c7e0 100644
--- a/test/parallel/test-quic-client-server.js
+++ b/test/parallel/test-quic-client-server.js
@@ -32,9 +32,16 @@ const { createSocket } = require('quic');
 
 const kServerPort = process.env.NODE_DEBUG_KEYLOG ? 5678 : 0;
 const kClientPort = process.env.NODE_DEBUG_KEYLOG ? 5679 : 0;
+const kStatelessResetToken =
+  Buffer.from('000102030405060708090A0B0C0D0E0F', 'hex');
 
 let client;
-const server = createSocket({ port: kServerPort, validateAddress: true });
+
+const server = createSocket({
+  port: kServerPort,
+  validateAddress: true,
+  statelessResetSecret: kStatelessResetToken
+});
 
 // Diagnostic Packet Loss allows packets to be randomly ignored
 // to simulate network packet loss conditions. This is not a