TUN-6637: Upgrade go version and quic-go

vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/interfaces.go

@@ -23,6 +23,10 @@ type Packet struct {
 	skippedPacket           bool
 }
 
+func (p *Packet) outstanding() bool {
+	return !p.declaredLost && !p.skippedPacket && !p.IsPathMTUProbePacket
+}
+
 // SentPacketHandler handles ACKs received for outgoing packets
 type SentPacketHandler interface {
 	// SentPacket may modify the packet

vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/sent_packet_handler.go

@@ -598,7 +598,7 @@ func (h *sentPacketHandler) detectLostPackets(now time.Time, encLevel protocol.E
 			pnSpace.lossTime = lossTime
 		}
 		if packetLost {
-			p.declaredLost = true
+			p = pnSpace.history.DeclareLost(p)
 			// the bytes in flight need to be reduced no matter if the frames in this packet will be retransmitted
 			h.removeFromBytesInFlight(p)
 			h.queueFramesForRetransmission(p)
@@ -767,7 +767,7 @@ func (h *sentPacketHandler) QueueProbePacket(encLevel protocol.EncryptionLevel)
 	// TODO: don't declare the packet lost here.
 	// Keep track of acknowledged frames instead.
 	h.removeFromBytesInFlight(p)
-	p.declaredLost = true
+	pnSpace.history.DeclareLost(p)
 	return true
 }
 

vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/sent_packet_history.go

@@ -9,18 +9,20 @@ import (
 )
 
 type sentPacketHistory struct {
-	rttStats    *utils.RTTStats
-	packetList  *PacketList
-	packetMap   map[protocol.PacketNumber]*PacketElement
-	highestSent protocol.PacketNumber
+	rttStats              *utils.RTTStats
+	outstandingPacketList *PacketList
+	etcPacketList         *PacketList
+	packetMap             map[protocol.PacketNumber]*PacketElement
+	highestSent           protocol.PacketNumber
 }
 
 func newSentPacketHistory(rttStats *utils.RTTStats) *sentPacketHistory {
 	return &sentPacketHistory{
-		rttStats:    rttStats,
-		packetList:  NewPacketList(),
-		packetMap:   make(map[protocol.PacketNumber]*PacketElement),
-		highestSent: protocol.InvalidPacketNumber,
+		rttStats:              rttStats,
+		outstandingPacketList: NewPacketList(),
+		etcPacketList:         NewPacketList(),
+		packetMap:             make(map[protocol.PacketNumber]*PacketElement),
+		highestSent:           protocol.InvalidPacketNumber,
 	}
 }
 
@@ -30,7 +32,7 @@ func (h *sentPacketHistory) SentPacket(p *Packet, isAckEliciting bool) {
 	}
 	// Skipped packet numbers.
 	for pn := h.highestSent + 1; pn < p.PacketNumber; pn++ {
-		el := h.packetList.PushBack(Packet{
+		el := h.etcPacketList.PushBack(Packet{
 			PacketNumber:    pn,
 			EncryptionLevel: p.EncryptionLevel,
 			SendTime:        p.SendTime,
@@ -41,7 +43,12 @@ func (h *sentPacketHistory) SentPacket(p *Packet, isAckEliciting bool) {
 	h.highestSent = p.PacketNumber
 
 	if isAckEliciting {
-		el := h.packetList.PushBack(*p)
+		var el *PacketElement
+		if p.outstanding() {
+			el = h.outstandingPacketList.PushBack(*p)
+		} else {
+			el = h.etcPacketList.PushBack(*p)
+		}
 		h.packetMap[p.PacketNumber] = el
 	}
 }
@@ -49,10 +56,25 @@ func (h *sentPacketHistory) SentPacket(p *Packet, isAckEliciting bool) {
 // Iterate iterates through all packets.
 func (h *sentPacketHistory) Iterate(cb func(*Packet) (cont bool, err error)) error {
 	cont := true
-	var next *PacketElement
-	for el := h.packetList.Front(); cont && el != nil; el = next {
+	outstandingEl := h.outstandingPacketList.Front()
+	etcEl := h.etcPacketList.Front()
+	var el *PacketElement
+	// whichever has the next packet number is returned first
+	for cont {
+		if outstandingEl == nil || (etcEl != nil && etcEl.Value.PacketNumber < outstandingEl.Value.PacketNumber) {
+			el = etcEl
+		} else {
+			el = outstandingEl
+		}
+		if el == nil {
+			return nil
+		}
+		if el == outstandingEl {
+			outstandingEl = outstandingEl.Next()
+		} else {
+			etcEl = etcEl.Next()
+		}
 		var err error
-		next = el.Next()
 		cont, err = cb(&el.Value)
 		if err != nil {
 			return err
@@ -61,15 +83,13 @@ func (h *sentPacketHistory) Iterate(cb func(*Packet) (cont bool, err error)) err
 	return nil
 }
 
-// FirstOutStanding returns the first outstanding packet.
+// FirstOutstanding returns the first outstanding packet.
 func (h *sentPacketHistory) FirstOutstanding() *Packet {
-	for el := h.packetList.Front(); el != nil; el = el.Next() {
-		p := &el.Value
-		if !p.declaredLost && !p.skippedPacket && !p.IsPathMTUProbePacket {
-			return p
-		}
+	el := h.outstandingPacketList.Front()
+	if el == nil {
+		return nil
 	}
-	return nil
+	return &el.Value
 }
 
 func (h *sentPacketHistory) Len() int {
@@ -81,28 +101,53 @@ func (h *sentPacketHistory) Remove(p protocol.PacketNumber) error {
 	if !ok {
 		return fmt.Errorf("packet %d not found in sent packet history", p)
 	}
-	h.packetList.Remove(el)
+	h.outstandingPacketList.Remove(el)
+	h.etcPacketList.Remove(el)
 	delete(h.packetMap, p)
 	return nil
 }
 
 func (h *sentPacketHistory) HasOutstandingPackets() bool {
-	return h.FirstOutstanding() != nil
+	return h.outstandingPacketList.Len() > 0
 }
 
 func (h *sentPacketHistory) DeleteOldPackets(now time.Time) {
 	maxAge := 3 * h.rttStats.PTO(false)
 	var nextEl *PacketElement
-	for el := h.packetList.Front(); el != nil; el = nextEl {
+	// we don't iterate outstandingPacketList, as we should not delete outstanding packets.
+	// being outstanding for more than 3*PTO should only happen in the case of drastic RTT changes.
+	for el := h.etcPacketList.Front(); el != nil; el = nextEl {
 		nextEl = el.Next()
 		p := el.Value
 		if p.SendTime.After(now.Add(-maxAge)) {
 			break
 		}
-		if !p.skippedPacket && !p.declaredLost { // should only happen in the case of drastic RTT changes
-			continue
-		}
 		delete(h.packetMap, p.PacketNumber)
-		h.packetList.Remove(el)
+		h.etcPacketList.Remove(el)
 	}
 }
+
+func (h *sentPacketHistory) DeclareLost(p *Packet) *Packet {
+	el, ok := h.packetMap[p.PacketNumber]
+	if !ok {
+		return nil
+	}
+	// try to remove it from both lists, as we don't know which one it currently belongs to.
+	// Remove is a no-op for elements that are not in the list.
+	h.outstandingPacketList.Remove(el)
+	h.etcPacketList.Remove(el)
+	p.declaredLost = true
+	// move it to the correct position in the etc list (based on the packet number)
+	for el = h.etcPacketList.Back(); el != nil; el = el.Prev() {
+		if el.Value.PacketNumber < p.PacketNumber {
+			break
+		}
+	}
+	if el == nil {
+		el = h.etcPacketList.PushFront(*p)
+	} else {
+		el = h.etcPacketList.InsertAfter(*p, el)
+	}
+	h.packetMap[p.PacketNumber] = el
+	return &el.Value
+}

vendor/github.com/lucas-clemente/quic-go/internal/handshake/aead.go

@@ -9,9 +9,15 @@ import (
 	"github.com/lucas-clemente/quic-go/internal/utils"
 )
 
-func createAEAD(suite *qtls.CipherSuiteTLS13, trafficSecret []byte) cipher.AEAD {
-	key := hkdfExpandLabel(suite.Hash, trafficSecret, []byte{}, "quic key", suite.KeyLen)
-	iv := hkdfExpandLabel(suite.Hash, trafficSecret, []byte{}, "quic iv", suite.IVLen())
+func createAEAD(suite *qtls.CipherSuiteTLS13, trafficSecret []byte, v protocol.VersionNumber) cipher.AEAD {
+	keyLabel := hkdfLabelKeyV1
+	ivLabel := hkdfLabelIVV1
+	if v == protocol.Version2 {
+		keyLabel = hkdfLabelKeyV2
+		ivLabel = hkdfLabelIVV2
+	}
+	key := hkdfExpandLabel(suite.Hash, trafficSecret, []byte{}, keyLabel, suite.KeyLen)
+	iv := hkdfExpandLabel(suite.Hash, trafficSecret, []byte{}, ivLabel, suite.IVLen())
 	return suite.AEAD(key, iv)
 }
 

vendor/github.com/lucas-clemente/quic-go/internal/handshake/crypto_setup.go

@@ -113,7 +113,8 @@ type cryptoSetup struct {
 
 	zeroRTTParameters      *wire.TransportParameters
 	clientHelloWritten     bool
-	clientHelloWrittenChan chan *wire.TransportParameters
+	clientHelloWrittenChan chan struct{} // is closed as soon as the ClientHello is written
+	zeroRTTParametersChan  chan<- *wire.TransportParameters
 
 	rttStats *utils.RTTStats
 
@@ -238,13 +239,14 @@ func newCryptoSetup(
 		tracer.UpdatedKeyFromTLS(protocol.EncryptionInitial, protocol.PerspectiveServer)
 	}
 	extHandler := newExtensionHandler(tp.Marshal(perspective), perspective, version)
+	zeroRTTParametersChan := make(chan *wire.TransportParameters, 1)
 	cs := &cryptoSetup{
 		tlsConf:                   tlsConf,
 		initialStream:             initialStream,
 		initialSealer:             initialSealer,
 		initialOpener:             initialOpener,
 		handshakeStream:           handshakeStream,
-		aead:                      newUpdatableAEAD(rttStats, tracer, logger),
+		aead:                      newUpdatableAEAD(rttStats, tracer, logger, version),
 		readEncLevel:              protocol.EncryptionInitial,
 		writeEncLevel:             protocol.EncryptionInitial,
 		runner:                    runner,
@@ -256,7 +258,8 @@ func newCryptoSetup(
 		perspective:               perspective,
 		handshakeDone:             make(chan struct{}),
 		alertChan:                 make(chan uint8),
-		clientHelloWrittenChan:    make(chan *wire.TransportParameters, 1),
+		clientHelloWrittenChan:    make(chan struct{}),
+		zeroRTTParametersChan:     zeroRTTParametersChan,
 		messageChan:               make(chan []byte, 100),
 		isReadingHandshakeMessage: make(chan struct{}),
 		closeChan:                 make(chan struct{}),
@@ -278,7 +281,7 @@ func newCryptoSetup(
 		GetAppDataForSessionState:  cs.marshalDataForSessionState,
 		SetAppDataFromSessionState: cs.handleDataFromSessionState,
 	}
-	return cs, cs.clientHelloWrittenChan
+	return cs, zeroRTTParametersChan
 }
 
 func (h *cryptoSetup) ChangeConnectionID(id protocol.ConnectionID) {
@@ -308,6 +311,15 @@ func (h *cryptoSetup) RunHandshake() {
 		close(handshakeComplete)
 	}()
 
+	if h.perspective == protocol.PerspectiveClient {
+		select {
+		case err := <-handshakeErrChan:
+			h.onError(0, err.Error())
+			return
+		case <-h.clientHelloWrittenChan:
+		}
+	}
+
 	select {
 	case <-handshakeComplete: // return when the handshake is done
 		h.mutex.Lock()
@@ -324,7 +336,13 @@ func (h *cryptoSetup) RunHandshake() {
 }
 
 func (h *cryptoSetup) onError(alert uint8, message string) {
-	h.runner.OnError(qerr.NewCryptoError(alert, message))
+	var err error
+	if alert == 0 {
+		err = &qerr.TransportError{ErrorCode: qerr.InternalError, ErrorMessage: message}
+	} else {
+		err = qerr.NewCryptoError(alert, message)
+	}
+	h.runner.OnError(err)
 }
 
 // Close closes the crypto setup.
@@ -554,8 +572,8 @@ func (h *cryptoSetup) SetReadKey(encLevel qtls.EncryptionLevel, suite *qtls.Ciph
 			panic("Received 0-RTT read key for the client")
 		}
 		h.zeroRTTOpener = newLongHeaderOpener(
-			createAEAD(suite, trafficSecret),
-			newHeaderProtector(suite, trafficSecret, true),
+			createAEAD(suite, trafficSecret, h.version),
+			newHeaderProtector(suite, trafficSecret, true, h.version),
 		)
 		h.mutex.Unlock()
 		h.logger.Debugf("Installed 0-RTT Read keys (using %s)", tls.CipherSuiteName(suite.ID))
@@ -566,8 +584,8 @@ func (h *cryptoSetup) SetReadKey(encLevel qtls.EncryptionLevel, suite *qtls.Ciph
 	case qtls.EncryptionHandshake:
 		h.readEncLevel = protocol.EncryptionHandshake
 		h.handshakeOpener = newHandshakeOpener(
-			createAEAD(suite, trafficSecret),
-			newHeaderProtector(suite, trafficSecret, true),
+			createAEAD(suite, trafficSecret, h.version),
+			newHeaderProtector(suite, trafficSecret, true, h.version),
 			h.dropInitialKeys,
 			h.perspective,
 		)
@@ -594,8 +612,8 @@ func (h *cryptoSetup) SetWriteKey(encLevel qtls.EncryptionLevel, suite *qtls.Cip
 			panic("Received 0-RTT write key for the server")
 		}
 		h.zeroRTTSealer = newLongHeaderSealer(
-			createAEAD(suite, trafficSecret),
-			newHeaderProtector(suite, trafficSecret, true),
+			createAEAD(suite, trafficSecret, h.version),
+			newHeaderProtector(suite, trafficSecret, true, h.version),
 		)
 		h.mutex.Unlock()
 		h.logger.Debugf("Installed 0-RTT Write keys (using %s)", tls.CipherSuiteName(suite.ID))
@@ -606,8 +624,8 @@ func (h *cryptoSetup) SetWriteKey(encLevel qtls.EncryptionLevel, suite *qtls.Cip
 	case qtls.EncryptionHandshake:
 		h.writeEncLevel = protocol.EncryptionHandshake
 		h.handshakeSealer = newHandshakeSealer(
-			createAEAD(suite, trafficSecret),
-			newHeaderProtector(suite, trafficSecret, true),
+			createAEAD(suite, trafficSecret, h.version),
+			newHeaderProtector(suite, trafficSecret, true, h.version),
 			h.dropInitialKeys,
 			h.perspective,
 		)
@@ -645,12 +663,13 @@ func (h *cryptoSetup) WriteRecord(p []byte) (int, error) {
 		n, err := h.initialStream.Write(p)
 		if !h.clientHelloWritten && h.perspective == protocol.PerspectiveClient {
 			h.clientHelloWritten = true
+			close(h.clientHelloWrittenChan)
 			if h.zeroRTTSealer != nil && h.zeroRTTParameters != nil {
 				h.logger.Debugf("Doing 0-RTT.")
-				h.clientHelloWrittenChan <- h.zeroRTTParameters
+				h.zeroRTTParametersChan <- h.zeroRTTParameters
 			} else {
 				h.logger.Debugf("Not doing 0-RTT.")
-				h.clientHelloWrittenChan <- nil
+				h.zeroRTTParametersChan <- nil
 			}
 		}
 		return n, err

vendor/github.com/lucas-clemente/quic-go/internal/handshake/header_protector.go

@@ -9,6 +9,7 @@ import (
 
 	"golang.org/x/crypto/chacha20"
 
+	"github.com/lucas-clemente/quic-go/internal/protocol"
 	"github.com/lucas-clemente/quic-go/internal/qtls"
 )
 
@@ -17,12 +18,20 @@ type headerProtector interface {
 	DecryptHeader(sample []byte, firstByte *byte, hdrBytes []byte)
 }
 
-func newHeaderProtector(suite *qtls.CipherSuiteTLS13, trafficSecret []byte, isLongHeader bool) headerProtector {
+func hkdfHeaderProtectionLabel(v protocol.VersionNumber) string {
+	if v == protocol.Version2 {
+		return "quicv2 hp"
+	}
+	return "quic hp"
+}
+
+func newHeaderProtector(suite *qtls.CipherSuiteTLS13, trafficSecret []byte, isLongHeader bool, v protocol.VersionNumber) headerProtector {
+	hkdfLabel := hkdfHeaderProtectionLabel(v)
 	switch suite.ID {
 	case tls.TLS_AES_128_GCM_SHA256, tls.TLS_AES_256_GCM_SHA384:
-		return newAESHeaderProtector(suite, trafficSecret, isLongHeader)
+		return newAESHeaderProtector(suite, trafficSecret, isLongHeader, hkdfLabel)
 	case tls.TLS_CHACHA20_POLY1305_SHA256:
-		return newChaChaHeaderProtector(suite, trafficSecret, isLongHeader)
+		return newChaChaHeaderProtector(suite, trafficSecret, isLongHeader, hkdfLabel)
 	default:
 		panic(fmt.Sprintf("Invalid cipher suite id: %d", suite.ID))
 	}
@@ -36,8 +45,8 @@ type aesHeaderProtector struct {
 
 var _ headerProtector = &aesHeaderProtector{}
 
-func newAESHeaderProtector(suite *qtls.CipherSuiteTLS13, trafficSecret []byte, isLongHeader bool) headerProtector {
-	hpKey := hkdfExpandLabel(suite.Hash, trafficSecret, []byte{}, "quic hp", suite.KeyLen)
+func newAESHeaderProtector(suite *qtls.CipherSuiteTLS13, trafficSecret []byte, isLongHeader bool, hkdfLabel string) headerProtector {
+	hpKey := hkdfExpandLabel(suite.Hash, trafficSecret, []byte{}, hkdfLabel, suite.KeyLen)
 	block, err := aes.NewCipher(hpKey)
 	if err != nil {
 		panic(fmt.Sprintf("error creating new AES cipher: %s", err))
@@ -81,8 +90,8 @@ type chachaHeaderProtector struct {
 
 var _ headerProtector = &chachaHeaderProtector{}
 
-func newChaChaHeaderProtector(suite *qtls.CipherSuiteTLS13, trafficSecret []byte, isLongHeader bool) headerProtector {
-	hpKey := hkdfExpandLabel(suite.Hash, trafficSecret, []byte{}, "quic hp", suite.KeyLen)
+func newChaChaHeaderProtector(suite *qtls.CipherSuiteTLS13, trafficSecret []byte, isLongHeader bool, hkdfLabel string) headerProtector {
+	hpKey := hkdfExpandLabel(suite.Hash, trafficSecret, []byte{}, hkdfLabel, suite.KeyLen)
 
 	p := &chachaHeaderProtector{
 		isLongHeader: isLongHeader,

vendor/github.com/lucas-clemente/quic-go/internal/handshake/initial_aead.go

@@ -12,12 +12,23 @@ import (
 
 var (
 	quicSaltOld = []byte{0xaf, 0xbf, 0xec, 0x28, 0x99, 0x93, 0xd2, 0x4c, 0x9e, 0x97, 0x86, 0xf1, 0x9c, 0x61, 0x11, 0xe0, 0x43, 0x90, 0xa8, 0x99}
-	quicSalt    = []byte{0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a}
+	quicSaltV1  = []byte{0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a}
+	quicSaltV2  = []byte{0xa7, 0x07, 0xc2, 0x03, 0xa5, 0x9b, 0x47, 0x18, 0x4a, 0x1d, 0x62, 0xca, 0x57, 0x04, 0x06, 0xea, 0x7a, 0xe3, 0xe5, 0xd3}
+)
+
+const (
+	hkdfLabelKeyV1 = "quic key"
+	hkdfLabelKeyV2 = "quicv2 key"
+	hkdfLabelIVV1  = "quic iv"
+	hkdfLabelIVV2  = "quicv2 iv"
 )
 
 func getSalt(v protocol.VersionNumber) []byte {
+	if v == protocol.Version2 {
+		return quicSaltV2
+	}
 	if v == protocol.Version1 {
-		return quicSalt
+		return quicSaltV1
 	}
 	return quicSaltOld
 }
@@ -40,14 +51,14 @@ func NewInitialAEAD(connID protocol.ConnectionID, pers protocol.Perspective, v p
 		mySecret = serverSecret
 		otherSecret = clientSecret
 	}
-	myKey, myIV := computeInitialKeyAndIV(mySecret)
-	otherKey, otherIV := computeInitialKeyAndIV(otherSecret)
+	myKey, myIV := computeInitialKeyAndIV(mySecret, v)
+	otherKey, otherIV := computeInitialKeyAndIV(otherSecret, v)
 
 	encrypter := qtls.AEADAESGCMTLS13(myKey, myIV)
 	decrypter := qtls.AEADAESGCMTLS13(otherKey, otherIV)
 
-	return newLongHeaderSealer(encrypter, newHeaderProtector(initialSuite, mySecret, true)),
-		newLongHeaderOpener(decrypter, newAESHeaderProtector(initialSuite, otherSecret, true))
+	return newLongHeaderSealer(encrypter, newHeaderProtector(initialSuite, mySecret, true, v)),
+		newLongHeaderOpener(decrypter, newAESHeaderProtector(initialSuite, otherSecret, true, hkdfHeaderProtectionLabel(v)))
 }
 
 func computeSecrets(connID protocol.ConnectionID, v protocol.VersionNumber) (clientSecret, serverSecret []byte) {
@@ -57,8 +68,14 @@ func computeSecrets(connID protocol.ConnectionID, v protocol.VersionNumber) (cli
 	return
 }
 
-func computeInitialKeyAndIV(secret []byte) (key, iv []byte) {
-	key = hkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic key", 16)
-	iv = hkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic iv", 12)
+func computeInitialKeyAndIV(secret []byte, v protocol.VersionNumber) (key, iv []byte) {
+	keyLabel := hkdfLabelKeyV1
+	ivLabel := hkdfLabelIVV1
+	if v == protocol.Version2 {
+		keyLabel = hkdfLabelKeyV2
+		ivLabel = hkdfLabelIVV2
+	}
+	key = hkdfExpandLabel(crypto.SHA256, secret, []byte{}, keyLabel, 16)
+	iv = hkdfExpandLabel(crypto.SHA256, secret, []byte{}, ivLabel, 12)
 	return
 }

vendor/github.com/lucas-clemente/quic-go/internal/handshake/updatable_aead.go

@@ -55,8 +55,9 @@ type updatableAEAD struct {
 
 	rttStats *utils.RTTStats
 
-	tracer logging.ConnectionTracer
-	logger utils.Logger
+	tracer  logging.ConnectionTracer
+	logger  utils.Logger
+	version protocol.VersionNumber
 
 	// use a single slice to avoid allocations
 	nonceBuf []byte
@@ -67,7 +68,7 @@ var (
 	_ ShortHeaderSealer = &updatableAEAD{}
 )
 
-func newUpdatableAEAD(rttStats *utils.RTTStats, tracer logging.ConnectionTracer, logger utils.Logger) *updatableAEAD {
+func newUpdatableAEAD(rttStats *utils.RTTStats, tracer logging.ConnectionTracer, logger utils.Logger, version protocol.VersionNumber) *updatableAEAD {
 	return &updatableAEAD{
 		firstPacketNumber:       protocol.InvalidPacketNumber,
 		largestAcked:            protocol.InvalidPacketNumber,
@@ -77,6 +78,7 @@ func newUpdatableAEAD(rttStats *utils.RTTStats, tracer logging.ConnectionTracer,
 		rttStats:                rttStats,
 		tracer:                  tracer,
 		logger:                  logger,
+		version:                 version,
 	}
 }
 
@@ -100,8 +102,8 @@ func (a *updatableAEAD) rollKeys() {
 
 	a.nextRcvTrafficSecret = a.getNextTrafficSecret(a.suite.Hash, a.nextRcvTrafficSecret)
 	a.nextSendTrafficSecret = a.getNextTrafficSecret(a.suite.Hash, a.nextSendTrafficSecret)
-	a.nextRcvAEAD = createAEAD(a.suite, a.nextRcvTrafficSecret)
-	a.nextSendAEAD = createAEAD(a.suite, a.nextSendTrafficSecret)
+	a.nextRcvAEAD = createAEAD(a.suite, a.nextRcvTrafficSecret, a.version)
+	a.nextSendAEAD = createAEAD(a.suite, a.nextSendTrafficSecret, a.version)
 }
 
 func (a *updatableAEAD) startKeyDropTimer(now time.Time) {
@@ -117,27 +119,27 @@ func (a *updatableAEAD) getNextTrafficSecret(hash crypto.Hash, ts []byte) []byte
 // For the client, this function is called before SetWriteKey.
 // For the server, this function is called after SetWriteKey.
 func (a *updatableAEAD) SetReadKey(suite *qtls.CipherSuiteTLS13, trafficSecret []byte) {
-	a.rcvAEAD = createAEAD(suite, trafficSecret)
-	a.headerDecrypter = newHeaderProtector(suite, trafficSecret, false)
+	a.rcvAEAD = createAEAD(suite, trafficSecret, a.version)
+	a.headerDecrypter = newHeaderProtector(suite, trafficSecret, false, a.version)
 	if a.suite == nil {
 		a.setAEADParameters(a.rcvAEAD, suite)
 	}
 
 	a.nextRcvTrafficSecret = a.getNextTrafficSecret(suite.Hash, trafficSecret)
-	a.nextRcvAEAD = createAEAD(suite, a.nextRcvTrafficSecret)
+	a.nextRcvAEAD = createAEAD(suite, a.nextRcvTrafficSecret, a.version)
 }
 
 // For the client, this function is called after SetReadKey.
 // For the server, this function is called before SetWriteKey.
 func (a *updatableAEAD) SetWriteKey(suite *qtls.CipherSuiteTLS13, trafficSecret []byte) {
-	a.sendAEAD = createAEAD(suite, trafficSecret)
-	a.headerEncrypter = newHeaderProtector(suite, trafficSecret, false)
+	a.sendAEAD = createAEAD(suite, trafficSecret, a.version)
+	a.headerEncrypter = newHeaderProtector(suite, trafficSecret, false, a.version)
 	if a.suite == nil {
 		a.setAEADParameters(a.sendAEAD, suite)
 	}
 
 	a.nextSendTrafficSecret = a.getNextTrafficSecret(suite.Hash, trafficSecret)
-	a.nextSendAEAD = createAEAD(suite, a.nextSendTrafficSecret)
+	a.nextSendAEAD = createAEAD(suite, a.nextSendTrafficSecret, a.version)
 }
 
 func (a *updatableAEAD) setAEADParameters(aead cipher.AEAD, suite *qtls.CipherSuiteTLS13) {

vendor/github.com/lucas-clemente/quic-go/internal/protocol/params.go

@@ -137,8 +137,7 @@ const MaxAckFrameSize ByteCount = 1000
 // The size is chosen such that a DATAGRAM frame fits into a QUIC packet.
 const DefaultMaxDatagramFrameSize ByteCount = 1220
 
-// DatagramRcvQueueLen is the length of the receive queue for DATAGRAM frames.
-// See https://datatracker.ietf.org/doc/draft-pauly-quic-datagram/.
+// DatagramRcvQueueLen is the length of the receive queue for DATAGRAM frames (RFC 9221)
 const DatagramRcvQueueLen = 128
 
 // MaxNumAckRanges is the maximum number of ACK ranges that we send in an ACK frame.

vendor/github.com/lucas-clemente/quic-go/internal/protocol/version.go

@@ -23,11 +23,12 @@ const (
 	VersionUnknown  VersionNumber = math.MaxUint32
 	VersionDraft29  VersionNumber = 0xff00001d
 	Version1        VersionNumber = 0x1
+	Version2        VersionNumber = 0x709a50c4
 )
 
 // SupportedVersions lists the versions that the server supports
 // must be in sorted descending order
-var SupportedVersions = []VersionNumber{Version1, VersionDraft29}
+var SupportedVersions = []VersionNumber{Version1, Version2, VersionDraft29}
 
 // IsValidVersion says if the version is known to quic-go
 func IsValidVersion(v VersionNumber) bool {
@@ -50,6 +51,8 @@ func (vn VersionNumber) String() string {
 		return "draft-29"
 	case Version1:
 		return "v1"
+	case Version2:
+		return "v2"
 	default:
 		if vn.isGQUIC() {
 			return fmt.Sprintf("gQUIC %d", vn.toGQUICVersion())

vendor/github.com/lucas-clemente/quic-go/internal/qtls/go118.go

@@ -1,5 +1,5 @@
-//go:build go1.18
-// +build go1.18
+//go:build go1.18 && !go1.19
+// +build go1.18,!go1.19
 
 package qtls
 

vendor/github.com/lucas-clemente/quic-go/internal/qtls/go119.go

@@ -3,4 +3,98 @@
 
 package qtls
 
-var _ int = "The version of quic-go you're using can't be built on Go 1.19 yet. For more details, please see https://github.com/lucas-clemente/quic-go/wiki/quic-go-and-Go-versions."
+import (
+	"crypto"
+	"crypto/cipher"
+	"crypto/tls"
+	"net"
+	"unsafe"
+
+	"github.com/marten-seemann/qtls-go1-19"
+)
+
+type (
+	// Alert is a TLS alert
+	Alert = qtls.Alert
+	// A Certificate is qtls.Certificate.
+	Certificate = qtls.Certificate
+	// CertificateRequestInfo contains information about a certificate request.
+	CertificateRequestInfo = qtls.CertificateRequestInfo
+	// A CipherSuiteTLS13 is a cipher suite for TLS 1.3
+	CipherSuiteTLS13 = qtls.CipherSuiteTLS13
+	// ClientHelloInfo contains information about a ClientHello.
+	ClientHelloInfo = qtls.ClientHelloInfo
+	// ClientSessionCache is a cache used for session resumption.
+	ClientSessionCache = qtls.ClientSessionCache
+	// ClientSessionState is a state needed for session resumption.
+	ClientSessionState = qtls.ClientSessionState
+	// A Config is a qtls.Config.
+	Config = qtls.Config
+	// A Conn is a qtls.Conn.
+	Conn = qtls.Conn
+	// ConnectionState contains information about the state of the connection.
+	ConnectionState = qtls.ConnectionStateWith0RTT
+	// EncryptionLevel is the encryption level of a message.
+	EncryptionLevel = qtls.EncryptionLevel
+	// Extension is a TLS extension
+	Extension = qtls.Extension
+	// ExtraConfig is the qtls.ExtraConfig
+	ExtraConfig = qtls.ExtraConfig
+	// RecordLayer is a qtls RecordLayer.
+	RecordLayer = qtls.RecordLayer
+)
+
+const (
+	// EncryptionHandshake is the Handshake encryption level
+	EncryptionHandshake = qtls.EncryptionHandshake
+	// Encryption0RTT is the 0-RTT encryption level
+	Encryption0RTT = qtls.Encryption0RTT
+	// EncryptionApplication is the application data encryption level
+	EncryptionApplication = qtls.EncryptionApplication
+)
+
+// AEADAESGCMTLS13 creates a new AES-GCM AEAD for TLS 1.3
+func AEADAESGCMTLS13(key, fixedNonce []byte) cipher.AEAD {
+	return qtls.AEADAESGCMTLS13(key, fixedNonce)
+}
+
+// Client returns a new TLS client side connection.
+func Client(conn net.Conn, config *Config, extraConfig *ExtraConfig) *Conn {
+	return qtls.Client(conn, config, extraConfig)
+}
+
+// Server returns a new TLS server side connection.
+func Server(conn net.Conn, config *Config, extraConfig *ExtraConfig) *Conn {
+	return qtls.Server(conn, config, extraConfig)
+}
+
+func GetConnectionState(conn *Conn) ConnectionState {
+	return conn.ConnectionStateWith0RTT()
+}
+
+// ToTLSConnectionState extracts the tls.ConnectionState
+func ToTLSConnectionState(cs ConnectionState) tls.ConnectionState {
+	return cs.ConnectionState
+}
+
+type cipherSuiteTLS13 struct {
+	ID     uint16
+	KeyLen int
+	AEAD   func(key, fixedNonce []byte) cipher.AEAD
+	Hash   crypto.Hash
+}
+
+//go:linkname cipherSuiteTLS13ByID github.com/marten-seemann/qtls-go1-19.cipherSuiteTLS13ByID
+func cipherSuiteTLS13ByID(id uint16) *cipherSuiteTLS13
+
+// CipherSuiteTLS13ByID gets a TLS 1.3 cipher suite.
+func CipherSuiteTLS13ByID(id uint16) *CipherSuiteTLS13 {
+	val := cipherSuiteTLS13ByID(id)
+	cs := (*cipherSuiteTLS13)(unsafe.Pointer(val))
+	return &qtls.CipherSuiteTLS13{
+		ID:     cs.ID,
+		KeyLen: cs.KeyLen,
+		AEAD:   cs.AEAD,
+		Hash:   cs.Hash,
+	}
+}

vendor/github.com/lucas-clemente/quic-go/internal/qtls/go120.go

@@ -0,0 +1,6 @@
+//go:build go1.20
+// +build go1.20
+
+package qtls
+
+var _ int = "The version of quic-go you're using can't be built on Go 1.20 yet. For more details, please see https://github.com/lucas-clemente/quic-go/wiki/quic-go-and-Go-versions."

vendor/github.com/lucas-clemente/quic-go/internal/wire/extended_header.go

@@ -127,18 +127,32 @@ func (h *ExtendedHeader) Write(b *bytes.Buffer, ver protocol.VersionNumber) erro
 	return h.writeShortHeader(b, ver)
 }
 
-func (h *ExtendedHeader) writeLongHeader(b *bytes.Buffer, _ protocol.VersionNumber) error {
+func (h *ExtendedHeader) writeLongHeader(b *bytes.Buffer, version protocol.VersionNumber) error {
 	var packetType uint8
-	//nolint:exhaustive
-	switch h.Type {
-	case protocol.PacketTypeInitial:
-		packetType = 0x0
-	case protocol.PacketType0RTT:
-		packetType = 0x1
-	case protocol.PacketTypeHandshake:
-		packetType = 0x2
-	case protocol.PacketTypeRetry:
-		packetType = 0x3
+	if version == protocol.Version2 {
+		//nolint:exhaustive
+		switch h.Type {
+		case protocol.PacketTypeInitial:
+			packetType = 0b01
+		case protocol.PacketType0RTT:
+			packetType = 0b10
+		case protocol.PacketTypeHandshake:
+			packetType = 0b11
+		case protocol.PacketTypeRetry:
+			packetType = 0b00
+		}
+	} else {
+		//nolint:exhaustive
+		switch h.Type {
+		case protocol.PacketTypeInitial:
+			packetType = 0b00
+		case protocol.PacketType0RTT:
+			packetType = 0b01
+		case protocol.PacketTypeHandshake:
+			packetType = 0b10
+		case protocol.PacketTypeRetry:
+			packetType = 0b11
+		}
 	}
 	firstByte := 0xc0 | packetType<<4
 	if h.Type != protocol.PacketTypeRetry {

vendor/github.com/lucas-clemente/quic-go/internal/wire/header.go

@@ -53,10 +53,14 @@ func Is0RTTPacket(b []byte) bool {
 	if b[0]&0x80 == 0 {
 		return false
 	}
-	if !protocol.IsSupportedVersion(protocol.SupportedVersions, protocol.VersionNumber(binary.BigEndian.Uint32(b[1:5]))) {
+	version := protocol.VersionNumber(binary.BigEndian.Uint32(b[1:5]))
+	if !protocol.IsSupportedVersion(protocol.SupportedVersions, version) {
 		return false
 	}
-	return b[0]&0x30>>4 == 0x1
+	if version == protocol.Version2 {
+		return b[0]>>4&0b11 == 0b10
+	}
+	return b[0]>>4&0b11 == 0b01
 }
 
 var ErrUnsupportedVersion = errors.New("unsupported version")
@@ -179,15 +183,28 @@ func (h *Header) parseLongHeader(b *bytes.Reader) error {
 		return ErrUnsupportedVersion
 	}
 
-	switch (h.typeByte & 0x30) >> 4 {
-	case 0x0:
-		h.Type = protocol.PacketTypeInitial
-	case 0x1:
-		h.Type = protocol.PacketType0RTT
-	case 0x2:
-		h.Type = protocol.PacketTypeHandshake
-	case 0x3:
-		h.Type = protocol.PacketTypeRetry
+	if h.Version == protocol.Version2 {
+		switch h.typeByte >> 4 & 0b11 {
+		case 0b00:
+			h.Type = protocol.PacketTypeRetry
+		case 0b01:
+			h.Type = protocol.PacketTypeInitial
+		case 0b10:
+			h.Type = protocol.PacketType0RTT
+		case 0b11:
+			h.Type = protocol.PacketTypeHandshake
+		}
+	} else {
+		switch h.typeByte >> 4 & 0b11 {
+		case 0b00:
+			h.Type = protocol.PacketTypeInitial
+		case 0b01:
+			h.Type = protocol.PacketType0RTT
+		case 0b10:
+			h.Type = protocol.PacketTypeHandshake
+		case 0b11:
+			h.Type = protocol.PacketTypeRetry
+		}
 	}
 
 	if h.Type == protocol.PacketTypeRetry {

vendor/github.com/lucas-clemente/quic-go/internal/wire/transport_parameters.go

@@ -42,7 +42,7 @@ const (
 	activeConnectionIDLimitParameterID         transportParameterID = 0xe
 	initialSourceConnectionIDParameterID       transportParameterID = 0xf
 	retrySourceConnectionIDParameterID         transportParameterID = 0x10
-	// https://datatracker.ietf.org/doc/draft-ietf-quic-datagram/
+	// RFC 9221
 	maxDatagramFrameSizeParameterID transportParameterID = 0x20
 )
 

vendor/github.com/lucas-clemente/quic-go/internal/wire/version_negotiation.go

@@ -35,7 +35,7 @@ func ParseVersionNegotiationPacket(b *bytes.Reader) (*Header, []protocol.Version
 }
 
 // ComposeVersionNegotiation composes a Version Negotiation
-func ComposeVersionNegotiation(destConnID, srcConnID protocol.ConnectionID, versions []protocol.VersionNumber) ([]byte, error) {
+func ComposeVersionNegotiation(destConnID, srcConnID protocol.ConnectionID, versions []protocol.VersionNumber) []byte {
 	greasedVersions := protocol.GetGreasedVersions(versions)
 	expectedLen := 1 /* type byte */ + 4 /* version field */ + 1 /* dest connection ID length field */ + destConnID.Len() + 1 /* src connection ID length field */ + srcConnID.Len() + len(greasedVersions)*4
 	buf := bytes.NewBuffer(make([]byte, 0, expectedLen))
@@ -50,5 +50,5 @@ func ComposeVersionNegotiation(destConnID, srcConnID protocol.ConnectionID, vers
 	for _, v := range greasedVersions {
 		utils.BigEndian.WriteUint32(buf, uint32(v))
 	}
-	return buf.Bytes(), nil
+	return buf.Bytes()
 }