TUN-8052: Update go to 1.21.5

Also update golang.org/x/net and google.golang.org/grpc to fix vulnerabilities,
although cloudflared is using them in a way that is not exposed to those risks

vendor/github.com/quic-go/qtls-go1-20/cfkem.go

@@ -1,175 +0,0 @@
-// Copyright 2023 Cloudflare, Inc. All rights reserved. Use of this source code
-// is governed by a BSD-style license that can be found in the LICENSE file.
-//
-// Glue to add Circl's (post-quantum) hybrid KEMs.
-//
-// To enable set CurvePreferences with the desired scheme as the first element:
-//
-//   import (
-//      "github.com/cloudflare/circl/kem/tls"
-//      "github.com/cloudflare/circl/kem/hybrid"
-//
-//          [...]
-//
-//   config.CurvePreferences = []tls.CurveID{
-//      qtls.X25519Kyber512Draft00,
-//      qtls.X25519,
-//      qtls.P256,
-//   }
-
-package qtls
-
-import (
-	"github.com/cloudflare/circl/kem"
-	"github.com/cloudflare/circl/kem/hybrid"
-
-	"crypto/ecdh"
-	"crypto/tls"
-	"fmt"
-	"io"
-	"sync"
-	"time"
-)
-
-// Either *ecdh.PrivateKey or kem.PrivateKey
-type clientKeySharePrivate interface{}
-
-var (
-	X25519Kyber512Draft00 = CurveID(0xfe30)
-	X25519Kyber768Draft00 = CurveID(0xfe31)
-	invalidCurveID        = CurveID(0)
-)
-
-func kemSchemeKeyToCurveID(s kem.Scheme) CurveID {
-	switch s.Name() {
-	case "Kyber512-X25519":
-		return X25519Kyber512Draft00
-	case "Kyber768-X25519":
-		return X25519Kyber768Draft00
-	default:
-		return invalidCurveID
-	}
-}
-
-// Extract CurveID from clientKeySharePrivate
-func clientKeySharePrivateCurveID(ks clientKeySharePrivate) CurveID {
-	switch v := ks.(type) {
-	case kem.PrivateKey:
-		ret := kemSchemeKeyToCurveID(v.Scheme())
-		if ret == invalidCurveID {
-			panic("cfkem: internal error: don't know CurveID for this KEM")
-		}
-		return ret
-	case *ecdh.PrivateKey:
-		ret, ok := curveIDForCurve(v.Curve())
-		if !ok {
-			panic("cfkem: internal error: unknown curve")
-		}
-		return ret
-	default:
-		panic("cfkem: internal error: unknown clientKeySharePrivate")
-	}
-}
-
-// Returns scheme by CurveID if supported by Circl
-func curveIdToCirclScheme(id CurveID) kem.Scheme {
-	switch id {
-	case X25519Kyber512Draft00:
-		return hybrid.Kyber512X25519()
-	case X25519Kyber768Draft00:
-		return hybrid.Kyber768X25519()
-	}
-	return nil
-}
-
-// Generate a new shared secret and encapsulates it for the packed
-// public key in ppk using randomness from rnd.
-func encapsulateForKem(scheme kem.Scheme, rnd io.Reader, ppk []byte) (
-	ct, ss []byte, alert alert, err error) {
-	pk, err := scheme.UnmarshalBinaryPublicKey(ppk)
-	if err != nil {
-		return nil, nil, alertIllegalParameter, fmt.Errorf("unpack pk: %w", err)
-	}
-	seed := make([]byte, scheme.EncapsulationSeedSize())
-	if _, err := io.ReadFull(rnd, seed); err != nil {
-		return nil, nil, alertInternalError, fmt.Errorf("random: %w", err)
-	}
-	ct, ss, err = scheme.EncapsulateDeterministically(pk, seed)
-	return ct, ss, alertIllegalParameter, err
-}
-
-// Generate a new keypair using randomness from rnd.
-func generateKemKeyPair(scheme kem.Scheme, rnd io.Reader) (
-	kem.PublicKey, kem.PrivateKey, error) {
-	seed := make([]byte, scheme.SeedSize())
-	if _, err := io.ReadFull(rnd, seed); err != nil {
-		return nil, nil, err
-	}
-	pk, sk := scheme.DeriveKeyPair(seed)
-	return pk, sk, nil
-}
-
-// Events. We cannot use the same approach as used in our plain Go fork
-// as we cannot change tls.Config, tls.ConnectionState, etc. Also we do
-// not want to maintain a fork of quic-go itself as well. This seems
-// the simplest option.
-
-// CFEvent. There are two events: one emitted on HRR and one emitted
-type CFEvent interface {
-	// Common to all events
-	ServerSide() bool // true if server-side; false if on client-side
-
-	// HRR event. Emitted when an HRR happened.
-	IsHRR() bool // true if this is an HRR event
-
-	// Handshake event.
-	IsHandshake() bool       // true if this is a handshake event.
-	Duration() time.Duration // how long did the handshake take?
-	KEX() tls.CurveID        // which kex was established?
-}
-
-type CFEventHandler func(CFEvent)
-
-// Registers a handler to be called when a CFEvent is emitted; returns
-// the previous handler.
-func SetCFEventHandler(handler CFEventHandler) CFEventHandler {
-	cfEventMux.Lock()
-	ret := cfEventHandler
-	cfEventHandler = handler
-	cfEventMux.Unlock()
-	return ret
-}
-
-func raiseCFEvent(ev CFEvent) {
-	cfEventMux.Lock()
-	handler := cfEventHandler
-	cfEventMux.Unlock()
-	if handler != nil {
-		handler(ev)
-	}
-}
-
-var (
-	cfEventMux     sync.Mutex
-	cfEventHandler CFEventHandler
-)
-
-type cfEventHRR struct{ serverSide bool }
-
-func (*cfEventHRR) IsHRR() bool                { return true }
-func (ev *cfEventHRR) ServerSide() bool        { return ev.serverSide }
-func (*cfEventHRR) IsHandshake() bool          { return false }
-func (ev *cfEventHRR) Duration() time.Duration { panic("wrong event") }
-func (ev *cfEventHRR) KEX() tls.CurveID        { panic("wrong event") }
-
-type cfEventHandshake struct {
-	serverSide bool
-	duration   time.Duration
-	kex        tls.CurveID
-}
-
-func (*cfEventHandshake) IsHRR() bool                { return false }
-func (ev *cfEventHandshake) ServerSide() bool        { return ev.serverSide }
-func (*cfEventHandshake) IsHandshake() bool          { return true }
-func (ev *cfEventHandshake) Duration() time.Duration { return ev.duration }
-func (ev *cfEventHandshake) KEX() tls.CurveID        { return ev.kex }

vendor/github.com/quic-go/qtls-go1-20/handshake_client.go

@@ -8,6 +8,7 @@ import (
 	"bytes"
 	"context"
 	"crypto"
+	"crypto/ecdh"
 	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/rsa"
@@ -39,7 +40,7 @@ type clientHandshakeState struct {
 
 var testingOnlyForceClientHelloSignatureAlgorithms []SignatureScheme
 
-func (c *Conn) makeClientHello() (*clientHelloMsg, clientKeySharePrivate, error) {
+func (c *Conn) makeClientHello() (*clientHelloMsg, *ecdh.PrivateKey, error) {
 	config := c.config
 	if len(config.ServerName) == 0 && !config.InsecureSkipVerify {
 		return nil, nil, errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
@@ -132,7 +133,7 @@ func (c *Conn) makeClientHello() (*clientHelloMsg, clientKeySharePrivate, error)
 		hello.supportedSignatureAlgorithms = testingOnlyForceClientHelloSignatureAlgorithms
 	}
 
-	var secret clientKeySharePrivate
+	var key *ecdh.PrivateKey
 	if hello.supportedVersions[0] == VersionTLS13 {
 		if len(hello.supportedVersions) == 1 {
 			hello.cipherSuites = hello.cipherSuites[:0]
@@ -144,30 +145,14 @@ func (c *Conn) makeClientHello() (*clientHelloMsg, clientKeySharePrivate, error)
 		}
 
 		curveID := config.curvePreferences()[0]
-		if scheme := curveIdToCirclScheme(curveID); scheme != nil {
-			pk, sk, err := generateKemKeyPair(scheme, config.rand())
-			if err != nil {
-				return nil, nil, fmt.Errorf("generateKemKeyPair %s: %w",
-					scheme.Name(), err)
-			}
-			packedPk, err := pk.MarshalBinary()
-			if err != nil {
-				return nil, nil, fmt.Errorf("pack circl public key %s: %w",
-					scheme.Name(), err)
-			}
-			hello.keyShares = []keyShare{{group: curveID, data: packedPk}}
-			secret = sk
-		} else {
-			if _, ok := curveForCurveID(curveID); !ok {
-				return nil, nil, errors.New("tls: CurvePreferences includes unsupported curve")
-			}
-			key, err := generateECDHEKey(config.rand(), curveID)
-			if err != nil {
-				return nil, nil, err
-			}
-			hello.keyShares = []keyShare{{group: curveID, data: key.PublicKey().Bytes()}}
-			secret = key
+		if _, ok := curveForCurveID(curveID); !ok {
+			return nil, nil, errors.New("tls: CurvePreferences includes unsupported curve")
 		}
+		key, err = generateECDHEKey(config.rand(), curveID)
+		if err != nil {
+			return nil, nil, err
+		}
+		hello.keyShares = []keyShare{{group: curveID, data: key.PublicKey().Bytes()}}
 	}
 
 	if c.quic != nil {
@@ -181,7 +166,7 @@ func (c *Conn) makeClientHello() (*clientHelloMsg, clientKeySharePrivate, error)
 		hello.quicTransportParameters = p
 	}
 
-	return hello, secret, nil
+	return hello, key, nil
 }
 
 func (c *Conn) clientHandshake(ctx context.Context) (err error) {
@@ -261,14 +246,14 @@ func (c *Conn) clientHandshake(ctx context.Context) (err error) {
 
 	if c.vers == VersionTLS13 {
 		hs := &clientHandshakeStateTLS13{
-			c:               c,
-			ctx:             ctx,
-			serverHello:     serverHello,
-			hello:           hello,
-			keySharePrivate: ecdheKey,
-			session:         session,
-			earlySecret:     earlySecret,
-			binderKey:       binderKey,
+			c:           c,
+			ctx:         ctx,
+			serverHello: serverHello,
+			hello:       hello,
+			ecdheKey:    ecdheKey,
+			session:     session,
+			earlySecret: earlySecret,
+			binderKey:   binderKey,
 		}
 
 		// In TLS 1.3, session tickets are delivered after the handshake.

vendor/github.com/quic-go/qtls-go1-20/handshake_client_tls13.go

@@ -13,20 +13,18 @@ import (
 	"crypto/rsa"
 	"encoding/binary"
 	"errors"
-	"fmt"
 	"hash"
 	"time"
 
-	circlKem "github.com/cloudflare/circl/kem"
 	"golang.org/x/crypto/cryptobyte"
 )
 
 type clientHandshakeStateTLS13 struct {
-	c               *Conn
-	ctx             context.Context
-	serverHello     *serverHelloMsg
-	hello           *clientHelloMsg
-	keySharePrivate clientKeySharePrivate
+	c           *Conn
+	ctx         context.Context
+	serverHello *serverHelloMsg
+	hello       *clientHelloMsg
+	ecdheKey    *ecdh.PrivateKey
 
 	session     *clientSessionState
 	earlySecret []byte
@@ -46,8 +44,6 @@ type clientHandshakeStateTLS13 struct {
 func (hs *clientHandshakeStateTLS13) handshake() error {
 	c := hs.c
 
-	startTime := time.Now()
-
 	if needFIPS() {
 		return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
 	}
@@ -60,7 +56,7 @@ func (hs *clientHandshakeStateTLS13) handshake() error {
 	}
 
 	// Consistency check on the presence of a keyShare and its parameters.
-	if hs.keySharePrivate == nil || len(hs.hello.keyShares) != 1 {
+	if hs.ecdheKey == nil || len(hs.hello.keyShares) != 1 {
 		return c.sendAlert(alertInternalError)
 	}
 
@@ -116,12 +112,6 @@ func (hs *clientHandshakeStateTLS13) handshake() error {
 		return err
 	}
 
-	raiseCFEvent(&cfEventHandshake{
-		serverSide: false,
-		duration:   time.Since(startTime),
-		kex:        hs.serverHello.serverShare.group,
-	})
-
 	c.isHandshakeComplete.Store(true)
 
 	return nil
@@ -201,8 +191,6 @@ func (hs *clientHandshakeStateTLS13) sendDummyChangeCipherSpec() error {
 func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error {
 	c := hs.c
 
-	raiseCFEvent(&cfEventHRR{serverSide: false})
-
 	// The first ClientHello gets double-hashed into the transcript upon a
 	// HelloRetryRequest. (The idea is that the server might offload transcript
 	// storage to the client in the cookie.) See RFC 8446, Section 4.4.1.
@@ -246,38 +234,21 @@ func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error {
 			c.sendAlert(alertIllegalParameter)
 			return errors.New("tls: server selected unsupported group")
 		}
-		if clientKeySharePrivateCurveID(hs.keySharePrivate) == curveID {
+		if sentID, _ := curveIDForCurve(hs.ecdheKey.Curve()); sentID == curveID {
 			c.sendAlert(alertIllegalParameter)
 			return errors.New("tls: server sent an unnecessary HelloRetryRequest key_share")
 		}
-		if scheme := curveIdToCirclScheme(curveID); scheme != nil {
-			pk, sk, err := generateKemKeyPair(scheme, c.config.rand())
-			if err != nil {
-				c.sendAlert(alertInternalError)
-				return fmt.Errorf("HRR generateKeyPair %s: %w",
-					scheme.Name(), err)
-			}
-			packedPk, err := pk.MarshalBinary()
-			if err != nil {
-				c.sendAlert(alertInternalError)
-				return fmt.Errorf("HRR pack circl public key %s: %w",
-					scheme.Name(), err)
-			}
-			hs.keySharePrivate = sk
-			hs.hello.keyShares = []keyShare{{group: curveID, data: packedPk}}
-		} else {
-			if _, ok := curveForCurveID(curveID); !ok {
-				c.sendAlert(alertInternalError)
-				return errors.New("tls: CurvePreferences includes unsupported curve")
-			}
-			key, err := generateECDHEKey(c.config.rand(), curveID)
-			if err != nil {
-				c.sendAlert(alertInternalError)
-				return err
-			}
-			hs.keySharePrivate = key
-			hs.hello.keyShares = []keyShare{{group: curveID, data: key.PublicKey().Bytes()}}
+		if _, ok := curveForCurveID(curveID); !ok {
+			c.sendAlert(alertInternalError)
+			return errors.New("tls: CurvePreferences includes unsupported curve")
 		}
+		key, err := generateECDHEKey(c.config.rand(), curveID)
+		if err != nil {
+			c.sendAlert(alertInternalError)
+			return err
+		}
+		hs.ecdheKey = key
+		hs.hello.keyShares = []keyShare{{group: curveID, data: key.PublicKey().Bytes()}}
 	}
 
 	hs.hello.raw = nil
@@ -364,7 +335,7 @@ func (hs *clientHandshakeStateTLS13) processServerHello() error {
 		c.sendAlert(alertIllegalParameter)
 		return errors.New("tls: server did not send a key share")
 	}
-	if hs.serverHello.serverShare.group != clientKeySharePrivateCurveID(hs.keySharePrivate) {
+	if sentID, _ := curveIDForCurve(hs.ecdheKey.Curve()); hs.serverHello.serverShare.group != sentID {
 		c.sendAlert(alertIllegalParameter)
 		return errors.New("tls: server selected unsupported group")
 	}
@@ -402,22 +373,13 @@ func (hs *clientHandshakeStateTLS13) processServerHello() error {
 func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error {
 	c := hs.c
 
-	var sharedKey []byte
-	var err error
-	if key, ok := hs.keySharePrivate.(*ecdh.PrivateKey); ok {
-		peerKey, err := key.Curve().NewPublicKey(hs.serverHello.serverShare.data)
-		if err == nil {
-			sharedKey, _ = key.ECDH(peerKey)
-		}
-	} else if sk, ok := hs.keySharePrivate.(circlKem.PrivateKey); ok {
-		sharedKey, err = sk.Scheme().Decapsulate(sk, hs.serverHello.serverShare.data)
-		if err != nil {
-			c.sendAlert(alertIllegalParameter)
-			return fmt.Errorf("%s decaps: %w", sk.Scheme().Name(), err)
-		}
+	peerKey, err := hs.ecdheKey.Curve().NewPublicKey(hs.serverHello.serverShare.data)
+	if err != nil {
+		c.sendAlert(alertIllegalParameter)
+		return errors.New("tls: invalid server key share")
 	}
-
-	if sharedKey == nil {
+	sharedKey, err := hs.ecdheKey.ECDH(peerKey)
+	if err != nil {
 		c.sendAlert(alertIllegalParameter)
 		return errors.New("tls: invalid server key share")
 	}

vendor/github.com/quic-go/qtls-go1-20/handshake_server_tls13.go

@@ -11,7 +11,6 @@ import (
 	"crypto/hmac"
 	"crypto/rsa"
 	"errors"
-	"fmt"
 	"hash"
 	"io"
 	"time"
@@ -47,8 +46,6 @@ type serverHandshakeStateTLS13 struct {
 func (hs *serverHandshakeStateTLS13) handshake() error {
 	c := hs.c
 
-	startTime := time.Now()
-
 	if needFIPS() {
 		return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
 	}
@@ -86,12 +83,6 @@ func (hs *serverHandshakeStateTLS13) handshake() error {
 		return err
 	}
 
-	raiseCFEvent(&cfEventHandshake{
-		serverSide: true,
-		duration:   time.Since(startTime),
-		kex:        hs.hello.serverShare.group,
-	})
-
 	c.isHandshakeComplete.Store(true)
 
 	return nil
@@ -206,38 +197,37 @@ GroupSelection:
 		clientKeyShare = &hs.clientHello.keyShares[0]
 	}
 
-	if _, ok := curveForCurveID(selectedGroup); curveIdToCirclScheme(selectedGroup) == nil && !ok {
+	if _, ok := curveForCurveID(selectedGroup); !ok {
 		c.sendAlert(alertInternalError)
 		return errors.New("tls: CurvePreferences includes unsupported curve")
 	}
-	if kem := curveIdToCirclScheme(selectedGroup); kem != nil {
-		ct, ss, alert, err := encapsulateForKem(kem, c.config.rand(), clientKeyShare.data)
-		if err != nil {
-			c.sendAlert(alert)
-			return fmt.Errorf("%s encap: %w", kem.Name(), err)
-		}
-		hs.hello.serverShare = keyShare{group: selectedGroup, data: ct}
-		hs.sharedKey = ss
-	} else {
-		key, err := generateECDHEKey(c.config.rand(), selectedGroup)
-		if err != nil {
-			c.sendAlert(alertInternalError)
-			return err
-		}
-		hs.hello.serverShare = keyShare{group: selectedGroup, data: key.PublicKey().Bytes()}
-		peerKey, err := key.Curve().NewPublicKey(clientKeyShare.data)
-		if err == nil {
-			hs.sharedKey, _ = key.ECDH(peerKey)
-		}
+	key, err := generateECDHEKey(c.config.rand(), selectedGroup)
+	if err != nil {
+		c.sendAlert(alertInternalError)
+		return err
 	}
-	if hs.sharedKey == nil {
+	hs.hello.serverShare = keyShare{group: selectedGroup, data: key.PublicKey().Bytes()}
+	peerKey, err := key.Curve().NewPublicKey(clientKeyShare.data)
+	if err != nil {
+		c.sendAlert(alertIllegalParameter)
+		return errors.New("tls: invalid client key share")
+	}
+	hs.sharedKey, err = key.ECDH(peerKey)
+	if err != nil {
 		c.sendAlert(alertIllegalParameter)
 		return errors.New("tls: invalid client key share")
 	}
 
 	if c.quic != nil {
+		// RFC 9001 Section 4.2: Clients MUST NOT offer TLS versions older than 1.3.
+		for _, v := range hs.clientHello.supportedVersions {
+			if v < VersionTLS13 {
+				c.sendAlert(alertProtocolVersion)
+				return errors.New("tls: client offered TLS version older than TLS 1.3")
+			}
+		}
+		// RFC 9001 Section 8.2.
 		if hs.clientHello.quicTransportParameters == nil {
-			// RFC 9001 Section 8.2.
 			c.sendAlert(alertMissingExtension)
 			return errors.New("tls: client did not send a quic_transport_parameters extension")
 		}
@@ -467,8 +457,6 @@ func (hs *serverHandshakeStateTLS13) sendDummyChangeCipherSpec() error {
 func (hs *serverHandshakeStateTLS13) doHelloRetryRequest(selectedGroup CurveID) error {
 	c := hs.c
 
-	raiseCFEvent(&cfEventHRR{serverSide: true})
-
 	// The first ClientHello gets double-hashed into the transcript upon a
 	// HelloRetryRequest. See RFC 8446, Section 4.4.1.
 	if err := transcriptMsg(hs.clientHello, hs.transcript); err != nil {

vendor/github.com/quic-go/qtls-go1-20/key_agreement.go

@@ -169,7 +169,7 @@ type ecdheKeyAgreement struct {
 func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {
 	var curveID CurveID
 	for _, c := range clientHello.supportedCurves {
-		if config.supportsCurve(c) && curveIdToCirclScheme(c) == nil {
+		if config.supportsCurve(c) {
 			curveID = c
 			break
 		}