TUN-6637: Upgrade go version and quic-go

2025-07-28 06:09:58 +00:00 · 2022-08-08 15:49:10 +01:00
parent 7a9207a6e1
commit 046a30e3c7
219 changed files with 17578 additions and 1040 deletions
--- a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/aead.go
+++ b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/aead.go
@@ -9,9 +9,15 @@ import (
 	"github.com/lucas-clemente/quic-go/internal/utils"
 )

-func createAEAD(suite *qtls.CipherSuiteTLS13, trafficSecret []byte) cipher.AEAD {
-	key := hkdfExpandLabel(suite.Hash, trafficSecret, []byte{}, "quic key", suite.KeyLen)
-	iv := hkdfExpandLabel(suite.Hash, trafficSecret, []byte{}, "quic iv", suite.IVLen())
+func createAEAD(suite *qtls.CipherSuiteTLS13, trafficSecret []byte, v protocol.VersionNumber) cipher.AEAD {
+	keyLabel := hkdfLabelKeyV1
+	ivLabel := hkdfLabelIVV1
+	if v == protocol.Version2 {
+		keyLabel = hkdfLabelKeyV2
+		ivLabel = hkdfLabelIVV2
+	}
+	key := hkdfExpandLabel(suite.Hash, trafficSecret, []byte{}, keyLabel, suite.KeyLen)
+	iv := hkdfExpandLabel(suite.Hash, trafficSecret, []byte{}, ivLabel, suite.IVLen())
 	return suite.AEAD(key, iv)
 }

--- a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/crypto_setup.go
+++ b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/crypto_setup.go
@@ -113,7 +113,8 @@ type cryptoSetup struct {

 	zeroRTTParameters      *wire.TransportParameters
 	clientHelloWritten     bool
-	clientHelloWrittenChan chan *wire.TransportParameters
+	clientHelloWrittenChan chan struct{} // is closed as soon as the ClientHello is written
+	zeroRTTParametersChan  chan<- *wire.TransportParameters

 	rttStats *utils.RTTStats

@@ -238,13 +239,14 @@ func newCryptoSetup(
 		tracer.UpdatedKeyFromTLS(protocol.EncryptionInitial, protocol.PerspectiveServer)
 	}
 	extHandler := newExtensionHandler(tp.Marshal(perspective), perspective, version)
+	zeroRTTParametersChan := make(chan *wire.TransportParameters, 1)
 	cs := &cryptoSetup{
 		tlsConf:                   tlsConf,
 		initialStream:             initialStream,
 		initialSealer:             initialSealer,
 		initialOpener:             initialOpener,
 		handshakeStream:           handshakeStream,
-		aead:                      newUpdatableAEAD(rttStats, tracer, logger),
+		aead:                      newUpdatableAEAD(rttStats, tracer, logger, version),
 		readEncLevel:              protocol.EncryptionInitial,
 		writeEncLevel:             protocol.EncryptionInitial,
 		runner:                    runner,
@@ -256,7 +258,8 @@ func newCryptoSetup(
 		perspective:               perspective,
 		handshakeDone:             make(chan struct{}),
 		alertChan:                 make(chan uint8),
-		clientHelloWrittenChan:    make(chan *wire.TransportParameters, 1),
+		clientHelloWrittenChan:    make(chan struct{}),
+		zeroRTTParametersChan:     zeroRTTParametersChan,
 		messageChan:               make(chan []byte, 100),
 		isReadingHandshakeMessage: make(chan struct{}),
 		closeChan:                 make(chan struct{}),
@@ -278,7 +281,7 @@ func newCryptoSetup(
 		GetAppDataForSessionState:  cs.marshalDataForSessionState,
 		SetAppDataFromSessionState: cs.handleDataFromSessionState,
 	}
-	return cs, cs.clientHelloWrittenChan
+	return cs, zeroRTTParametersChan
 }

 func (h *cryptoSetup) ChangeConnectionID(id protocol.ConnectionID) {
@@ -308,6 +311,15 @@ func (h *cryptoSetup) RunHandshake() {
 		close(handshakeComplete)
 	}()

+	if h.perspective == protocol.PerspectiveClient {
+		select {
+		case err := <-handshakeErrChan:
+			h.onError(0, err.Error())
+			return
+		case <-h.clientHelloWrittenChan:
+		}
+	}
+
 	select {
 	case <-handshakeComplete: // return when the handshake is done
 		h.mutex.Lock()
@@ -324,7 +336,13 @@ func (h *cryptoSetup) RunHandshake() {
 }

 func (h *cryptoSetup) onError(alert uint8, message string) {
-	h.runner.OnError(qerr.NewCryptoError(alert, message))
+	var err error
+	if alert == 0 {
+		err = &qerr.TransportError{ErrorCode: qerr.InternalError, ErrorMessage: message}
+	} else {
+		err = qerr.NewCryptoError(alert, message)
+	}
+	h.runner.OnError(err)
 }

 // Close closes the crypto setup.
@@ -554,8 +572,8 @@ func (h *cryptoSetup) SetReadKey(encLevel qtls.EncryptionLevel, suite *qtls.Ciph
 			panic("Received 0-RTT read key for the client")
 		}
 		h.zeroRTTOpener = newLongHeaderOpener(
-			createAEAD(suite, trafficSecret),
-			newHeaderProtector(suite, trafficSecret, true),
+			createAEAD(suite, trafficSecret, h.version),
+			newHeaderProtector(suite, trafficSecret, true, h.version),
 		)
 		h.mutex.Unlock()
 		h.logger.Debugf("Installed 0-RTT Read keys (using %s)", tls.CipherSuiteName(suite.ID))
@@ -566,8 +584,8 @@ func (h *cryptoSetup) SetReadKey(encLevel qtls.EncryptionLevel, suite *qtls.Ciph
 	case qtls.EncryptionHandshake:
 		h.readEncLevel = protocol.EncryptionHandshake
 		h.handshakeOpener = newHandshakeOpener(
-			createAEAD(suite, trafficSecret),
-			newHeaderProtector(suite, trafficSecret, true),
+			createAEAD(suite, trafficSecret, h.version),
+			newHeaderProtector(suite, trafficSecret, true, h.version),
 			h.dropInitialKeys,
 			h.perspective,
 		)
@@ -594,8 +612,8 @@ func (h *cryptoSetup) SetWriteKey(encLevel qtls.EncryptionLevel, suite *qtls.Cip
 			panic("Received 0-RTT write key for the server")
 		}
 		h.zeroRTTSealer = newLongHeaderSealer(
-			createAEAD(suite, trafficSecret),
-			newHeaderProtector(suite, trafficSecret, true),
+			createAEAD(suite, trafficSecret, h.version),
+			newHeaderProtector(suite, trafficSecret, true, h.version),
 		)
 		h.mutex.Unlock()
 		h.logger.Debugf("Installed 0-RTT Write keys (using %s)", tls.CipherSuiteName(suite.ID))
@@ -606,8 +624,8 @@ func (h *cryptoSetup) SetWriteKey(encLevel qtls.EncryptionLevel, suite *qtls.Cip
 	case qtls.EncryptionHandshake:
 		h.writeEncLevel = protocol.EncryptionHandshake
 		h.handshakeSealer = newHandshakeSealer(
-			createAEAD(suite, trafficSecret),
-			newHeaderProtector(suite, trafficSecret, true),
+			createAEAD(suite, trafficSecret, h.version),
+			newHeaderProtector(suite, trafficSecret, true, h.version),
 			h.dropInitialKeys,
 			h.perspective,
 		)
@@ -645,12 +663,13 @@ func (h *cryptoSetup) WriteRecord(p []byte) (int, error) {
 		n, err := h.initialStream.Write(p)
 		if !h.clientHelloWritten && h.perspective == protocol.PerspectiveClient {
 			h.clientHelloWritten = true
+			close(h.clientHelloWrittenChan)
 			if h.zeroRTTSealer != nil && h.zeroRTTParameters != nil {
 				h.logger.Debugf("Doing 0-RTT.")
-				h.clientHelloWrittenChan <- h.zeroRTTParameters
+				h.zeroRTTParametersChan <- h.zeroRTTParameters
 			} else {
 				h.logger.Debugf("Not doing 0-RTT.")
-				h.clientHelloWrittenChan <- nil
+				h.zeroRTTParametersChan <- nil
 			}
 		}
 		return n, err
--- a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/header_protector.go
+++ b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/header_protector.go
@@ -9,6 +9,7 @@ import (

 	"golang.org/x/crypto/chacha20"

+	"github.com/lucas-clemente/quic-go/internal/protocol"
 	"github.com/lucas-clemente/quic-go/internal/qtls"
 )

@@ -17,12 +18,20 @@ type headerProtector interface {
 	DecryptHeader(sample []byte, firstByte *byte, hdrBytes []byte)
 }

-func newHeaderProtector(suite *qtls.CipherSuiteTLS13, trafficSecret []byte, isLongHeader bool) headerProtector {
+func hkdfHeaderProtectionLabel(v protocol.VersionNumber) string {
+	if v == protocol.Version2 {
+		return "quicv2 hp"
+	}
+	return "quic hp"
+}
+
+func newHeaderProtector(suite *qtls.CipherSuiteTLS13, trafficSecret []byte, isLongHeader bool, v protocol.VersionNumber) headerProtector {
+	hkdfLabel := hkdfHeaderProtectionLabel(v)
 	switch suite.ID {
 	case tls.TLS_AES_128_GCM_SHA256, tls.TLS_AES_256_GCM_SHA384:
-		return newAESHeaderProtector(suite, trafficSecret, isLongHeader)
+		return newAESHeaderProtector(suite, trafficSecret, isLongHeader, hkdfLabel)
 	case tls.TLS_CHACHA20_POLY1305_SHA256:
-		return newChaChaHeaderProtector(suite, trafficSecret, isLongHeader)
+		return newChaChaHeaderProtector(suite, trafficSecret, isLongHeader, hkdfLabel)
 	default:
 		panic(fmt.Sprintf("Invalid cipher suite id: %d", suite.ID))
 	}
@@ -36,8 +45,8 @@ type aesHeaderProtector struct {

 var _ headerProtector = &aesHeaderProtector{}

-func newAESHeaderProtector(suite *qtls.CipherSuiteTLS13, trafficSecret []byte, isLongHeader bool) headerProtector {
-	hpKey := hkdfExpandLabel(suite.Hash, trafficSecret, []byte{}, "quic hp", suite.KeyLen)
+func newAESHeaderProtector(suite *qtls.CipherSuiteTLS13, trafficSecret []byte, isLongHeader bool, hkdfLabel string) headerProtector {
+	hpKey := hkdfExpandLabel(suite.Hash, trafficSecret, []byte{}, hkdfLabel, suite.KeyLen)
 	block, err := aes.NewCipher(hpKey)
 	if err != nil {
 		panic(fmt.Sprintf("error creating new AES cipher: %s", err))
@@ -81,8 +90,8 @@ type chachaHeaderProtector struct {

 var _ headerProtector = &chachaHeaderProtector{}

-func newChaChaHeaderProtector(suite *qtls.CipherSuiteTLS13, trafficSecret []byte, isLongHeader bool) headerProtector {
-	hpKey := hkdfExpandLabel(suite.Hash, trafficSecret, []byte{}, "quic hp", suite.KeyLen)
+func newChaChaHeaderProtector(suite *qtls.CipherSuiteTLS13, trafficSecret []byte, isLongHeader bool, hkdfLabel string) headerProtector {
+	hpKey := hkdfExpandLabel(suite.Hash, trafficSecret, []byte{}, hkdfLabel, suite.KeyLen)

 	p := &chachaHeaderProtector{
 		isLongHeader: isLongHeader,
--- a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/initial_aead.go
+++ b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/initial_aead.go
@@ -12,12 +12,23 @@ import (

 var (
 	quicSaltOld = []byte{0xaf, 0xbf, 0xec, 0x28, 0x99, 0x93, 0xd2, 0x4c, 0x9e, 0x97, 0x86, 0xf1, 0x9c, 0x61, 0x11, 0xe0, 0x43, 0x90, 0xa8, 0x99}
-	quicSalt    = []byte{0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a}
+	quicSaltV1  = []byte{0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a}
+	quicSaltV2  = []byte{0xa7, 0x07, 0xc2, 0x03, 0xa5, 0x9b, 0x47, 0x18, 0x4a, 0x1d, 0x62, 0xca, 0x57, 0x04, 0x06, 0xea, 0x7a, 0xe3, 0xe5, 0xd3}
+)
+
+const (
+	hkdfLabelKeyV1 = "quic key"
+	hkdfLabelKeyV2 = "quicv2 key"
+	hkdfLabelIVV1  = "quic iv"
+	hkdfLabelIVV2  = "quicv2 iv"
 )

 func getSalt(v protocol.VersionNumber) []byte {
+	if v == protocol.Version2 {
+		return quicSaltV2
+	}
 	if v == protocol.Version1 {
-		return quicSalt
+		return quicSaltV1
 	}
 	return quicSaltOld
 }
@@ -40,14 +51,14 @@ func NewInitialAEAD(connID protocol.ConnectionID, pers protocol.Perspective, v p
 		mySecret = serverSecret
 		otherSecret = clientSecret
 	}
-	myKey, myIV := computeInitialKeyAndIV(mySecret)
-	otherKey, otherIV := computeInitialKeyAndIV(otherSecret)
+	myKey, myIV := computeInitialKeyAndIV(mySecret, v)
+	otherKey, otherIV := computeInitialKeyAndIV(otherSecret, v)

 	encrypter := qtls.AEADAESGCMTLS13(myKey, myIV)
 	decrypter := qtls.AEADAESGCMTLS13(otherKey, otherIV)

-	return newLongHeaderSealer(encrypter, newHeaderProtector(initialSuite, mySecret, true)),
-		newLongHeaderOpener(decrypter, newAESHeaderProtector(initialSuite, otherSecret, true))
+	return newLongHeaderSealer(encrypter, newHeaderProtector(initialSuite, mySecret, true, v)),
+		newLongHeaderOpener(decrypter, newAESHeaderProtector(initialSuite, otherSecret, true, hkdfHeaderProtectionLabel(v)))
 }

 func computeSecrets(connID protocol.ConnectionID, v protocol.VersionNumber) (clientSecret, serverSecret []byte) {
@@ -57,8 +68,14 @@ func computeSecrets(connID protocol.ConnectionID, v protocol.VersionNumber) (cli
 	return
 }

-func computeInitialKeyAndIV(secret []byte) (key, iv []byte) {
-	key = hkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic key", 16)
-	iv = hkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic iv", 12)
+func computeInitialKeyAndIV(secret []byte, v protocol.VersionNumber) (key, iv []byte) {
+	keyLabel := hkdfLabelKeyV1
+	ivLabel := hkdfLabelIVV1
+	if v == protocol.Version2 {
+		keyLabel = hkdfLabelKeyV2
+		ivLabel = hkdfLabelIVV2
+	}
+	key = hkdfExpandLabel(crypto.SHA256, secret, []byte{}, keyLabel, 16)
+	iv = hkdfExpandLabel(crypto.SHA256, secret, []byte{}, ivLabel, 12)
 	return
 }
--- a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/updatable_aead.go
+++ b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/updatable_aead.go
@@ -55,8 +55,9 @@ type updatableAEAD struct {

 	rttStats *utils.RTTStats

-	tracer logging.ConnectionTracer
-	logger utils.Logger
+	tracer  logging.ConnectionTracer
+	logger  utils.Logger
+	version protocol.VersionNumber

 	// use a single slice to avoid allocations
 	nonceBuf []byte
@@ -67,7 +68,7 @@ var (
 	_ ShortHeaderSealer = &updatableAEAD{}
 )

-func newUpdatableAEAD(rttStats *utils.RTTStats, tracer logging.ConnectionTracer, logger utils.Logger) *updatableAEAD {
+func newUpdatableAEAD(rttStats *utils.RTTStats, tracer logging.ConnectionTracer, logger utils.Logger, version protocol.VersionNumber) *updatableAEAD {
 	return &updatableAEAD{
 		firstPacketNumber:       protocol.InvalidPacketNumber,
 		largestAcked:            protocol.InvalidPacketNumber,
@@ -77,6 +78,7 @@ func newUpdatableAEAD(rttStats *utils.RTTStats, tracer logging.ConnectionTracer,
 		rttStats:                rttStats,
 		tracer:                  tracer,
 		logger:                  logger,
+		version:                 version,
 	}
 }

@@ -100,8 +102,8 @@ func (a *updatableAEAD) rollKeys() {

 	a.nextRcvTrafficSecret = a.getNextTrafficSecret(a.suite.Hash, a.nextRcvTrafficSecret)
 	a.nextSendTrafficSecret = a.getNextTrafficSecret(a.suite.Hash, a.nextSendTrafficSecret)
-	a.nextRcvAEAD = createAEAD(a.suite, a.nextRcvTrafficSecret)
-	a.nextSendAEAD = createAEAD(a.suite, a.nextSendTrafficSecret)
+	a.nextRcvAEAD = createAEAD(a.suite, a.nextRcvTrafficSecret, a.version)
+	a.nextSendAEAD = createAEAD(a.suite, a.nextSendTrafficSecret, a.version)
 }

 func (a *updatableAEAD) startKeyDropTimer(now time.Time) {
@@ -117,27 +119,27 @@ func (a *updatableAEAD) getNextTrafficSecret(hash crypto.Hash, ts []byte) []byte
 // For the client, this function is called before SetWriteKey.
 // For the server, this function is called after SetWriteKey.
 func (a *updatableAEAD) SetReadKey(suite *qtls.CipherSuiteTLS13, trafficSecret []byte) {
-	a.rcvAEAD = createAEAD(suite, trafficSecret)
-	a.headerDecrypter = newHeaderProtector(suite, trafficSecret, false)
+	a.rcvAEAD = createAEAD(suite, trafficSecret, a.version)
+	a.headerDecrypter = newHeaderProtector(suite, trafficSecret, false, a.version)
 	if a.suite == nil {
 		a.setAEADParameters(a.rcvAEAD, suite)
 	}

 	a.nextRcvTrafficSecret = a.getNextTrafficSecret(suite.Hash, trafficSecret)
-	a.nextRcvAEAD = createAEAD(suite, a.nextRcvTrafficSecret)
+	a.nextRcvAEAD = createAEAD(suite, a.nextRcvTrafficSecret, a.version)
 }

 // For the client, this function is called after SetReadKey.
 // For the server, this function is called before SetWriteKey.
 func (a *updatableAEAD) SetWriteKey(suite *qtls.CipherSuiteTLS13, trafficSecret []byte) {
-	a.sendAEAD = createAEAD(suite, trafficSecret)
-	a.headerEncrypter = newHeaderProtector(suite, trafficSecret, false)
+	a.sendAEAD = createAEAD(suite, trafficSecret, a.version)
+	a.headerEncrypter = newHeaderProtector(suite, trafficSecret, false, a.version)
 	if a.suite == nil {
 		a.setAEADParameters(a.sendAEAD, suite)
 	}

 	a.nextSendTrafficSecret = a.getNextTrafficSecret(suite.Hash, trafficSecret)
-	a.nextSendAEAD = createAEAD(suite, a.nextSendTrafficSecret)
+	a.nextSendAEAD = createAEAD(suite, a.nextSendTrafficSecret, a.version)
 }

 func (a *updatableAEAD) setAEADParameters(aead cipher.AEAD, suite *qtls.CipherSuiteTLS13) {