Merge branch 'quic-go:master' into uquic

.github/workflows/cross-compile.yml

@@ -4,7 +4,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go: [ "1.20.x", "1.21.0-rc.2" ]
+        go: [ "1.20.x", "1.21.0-rc.3" ]
     runs-on: ${{ fromJSON(vars['CROSS_COMPILE_RUNNER_UBUNTU'] || '"ubuntu-latest"') }}
     name: "Cross Compilation (Go ${{matrix.go}})"
     steps:

.github/workflows/integration.yml

@@ -5,7 +5,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go: [ "1.20.x", "1.21.0-rc.2" ]
+        go: [ "1.20.x", "1.21.0-rc.3" ]
     runs-on: ${{ fromJSON(vars['INTEGRATION_RUNNER_UBUNTU'] || '"ubuntu-latest"') }}
     env:
       DEBUG: false # set this to true to export qlogs and save them as artifacts

.github/workflows/unit.yml

@@ -7,7 +7,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ "ubuntu", "windows", "macos" ]
-        go: [ "1.20.x", "1.21.0-rc.2" ]
+        go: [ "1.20.x", "1.21.0-rc.3" ]
     runs-on: ${{ fromJSON(vars[format('UNIT_RUNNER_{0}', matrix.os)] || format('"{0}-latest"', matrix.os)) }}
     name: Unit tests (${{ matrix.os}}, Go ${{ matrix.go }})
     steps:

connection.go

@@ -316,6 +316,8 @@ var newConnection = func(
 	}
 	cs := handshake.NewCryptoSetupServer(
 		clientDestConnID,
+		conn.LocalAddr(),
+		conn.RemoteAddr(),
 		params,
 		tlsConf,
 		conf.Allow0RTT,
@@ -1811,6 +1813,14 @@ func (s *connection) handleTransportParameters(params *wire.TransportParameters)
 			ErrorMessage: err.Error(),
 		}
 	}
+
+	if s.perspective == protocol.PerspectiveClient && s.peerParams != nil && s.ConnectionState().Used0RTT && !params.ValidForUpdate(s.peerParams) {
+		return &qerr.TransportError{
+			ErrorCode:    qerr.ProtocolViolation,
+			ErrorMessage: "server sent reduced limits after accepting 0-RTT data",
+		}
+	}
+
 	s.peerParams = params
 	// On the client side we have to wait for handshake completion.
 	// During a 0-RTT connection, we are only allowed to use the new transport parameters for 1-RTT packets.

connection_test.go

@@ -3036,6 +3036,40 @@ var _ = Describe("Client Connection", func() {
 				ErrorMessage: "expected original_destination_connection_id to equal deadbeef, is decafbad",
 			})))
 		})
+
+		It("errors if the transport parameters contain reduced limits after knowing 0-RTT data is accepted by the server", func() {
+			conn.perspective = protocol.PerspectiveClient
+			conn.peerParams = &wire.TransportParameters{
+				ActiveConnectionIDLimit:        3,
+				InitialMaxData:                 0x5000,
+				InitialMaxStreamDataBidiLocal:  0x5000,
+				InitialMaxStreamDataBidiRemote: 1000,
+				InitialMaxStreamDataUni:        1000,
+				MaxBidiStreamNum:               500,
+				MaxUniStreamNum:                500,
+			}
+			params := &wire.TransportParameters{
+				OriginalDestinationConnectionID: destConnID,
+				InitialSourceConnectionID:       destConnID,
+				ActiveConnectionIDLimit:         3,
+				InitialMaxData:                  0x5000,
+				InitialMaxStreamDataBidiLocal:   0x5000,
+				InitialMaxStreamDataBidiRemote:  1000,
+				InitialMaxStreamDataUni:         1000,
+				MaxBidiStreamNum:                300,
+				MaxUniStreamNum:                 300,
+			}
+			expectClose(false, true)
+			processed := make(chan struct{})
+			tracer.EXPECT().ReceivedTransportParameters(params).Do(func(*wire.TransportParameters) { close(processed) })
+			cryptoSetup.EXPECT().ConnectionState().Return(handshake.ConnectionState{Used0RTT: true})
+			paramsChan <- params
+			Eventually(processed).Should(BeClosed())
+			Eventually(errChan).Should(Receive(MatchError(&qerr.TransportError{
+				ErrorCode:    qerr.ProtocolViolation,
+				ErrorMessage: "server sent reduced limits after accepting 0-RTT data",
+			})))
+		})
 	})
 
 	Context("handling potentially injected packets", func() {

fuzzing/handshake/cmd/corpus.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"log"
+	"net"
 
 	tls "github.com/refraction-networking/utls"
 
@@ -38,6 +39,8 @@ func main() {
 	config.NextProtos = []string{alpn}
 	server := handshake.NewCryptoSetupServer(
 		protocol.ConnectionID{},
+		&net.UDPAddr{IP: net.IPv6loopback, Port: 1234},
+		&net.UDPAddr{IP: net.IPv6loopback, Port: 4321},
 		&wire.TransportParameters{ActiveConnectionIDLimit: 2},
 		config,
 		false,

fuzzing/handshake/fuzz.go

@@ -10,6 +10,7 @@ import (
 	"log"
 	"math"
 	mrand "math/rand"
+	"net"
 	"time"
 
 	tls "github.com/refraction-networking/utls"
@@ -305,6 +306,8 @@ func runHandshake(runConfig [confLen]byte, messageConfig uint8, clientConf *tls.
 
 	server := handshake.NewCryptoSetupServer(
 		protocol.ConnectionID{},
+		&net.UDPAddr{IP: net.IPv6loopback, Port: 1234},
+		&net.UDPAddr{IP: net.IPv6loopback, Port: 4321},
 		serverTP,
 		serverConf,
 		enable0RTTServer,

http3/client.go

@@ -450,8 +450,8 @@ func (c *client) doRequest(req *http.Request, conn quic.EarlyConnection, str qui
 	// Check that the server doesn't send more data in DATA frames than indicated by the Content-Length header (if set).
 	// See section 4.1.2 of RFC 9114.
 	var httpStr Stream
-	if _, ok := req.Header["Content-Length"]; ok && req.ContentLength >= 0 {
-		httpStr = newLengthLimitedStream(hstr, req.ContentLength)
+	if _, ok := res.Header["Content-Length"]; ok && res.ContentLength >= 0 {
+		httpStr = newLengthLimitedStream(hstr, res.ContentLength)
 	} else {
 		httpStr = hstr
 	}

integrationtests/self/handshake_test.go

@@ -141,6 +141,30 @@ var _ = Describe("Handshake tests", func() {
 			Expect(err).ToNot(HaveOccurred())
 		})
 
+		It("has the right local and remote address on the ClientHelloInfo.Conn", func() {
+			var local, remote net.Addr
+			done := make(chan struct{})
+			tlsConf := &tls.Config{
+				GetConfigForClient: func(info *tls.ClientHelloInfo) (*tls.Config, error) {
+					defer close(done)
+					local = info.Conn.LocalAddr()
+					remote = info.Conn.RemoteAddr()
+					return getTLSConfig(), nil
+				},
+			}
+			runServer(tlsConf)
+			conn, err := quic.DialAddr(
+				context.Background(),
+				fmt.Sprintf("localhost:%d", server.Addr().(*net.UDPAddr).Port),
+				getTLSClientConfig(),
+				getQuicConfig(nil),
+			)
+			Expect(err).ToNot(HaveOccurred())
+			Eventually(done).Should(BeClosed())
+			Expect(server.Addr()).To(Equal(local))
+			Expect(conn.LocalAddr().(*net.UDPAddr).Port).To(Equal(remote.(*net.UDPAddr).Port))
+		})
+
 		It("works with a long certificate chain", func() {
 			runServer(getTLSConfigWithLongCertChain())
 			_, err := quic.DialAddr(

internal/handshake/conn.go

@@ -0,0 +1,21 @@
+package handshake
+
+import (
+	"net"
+	"time"
+)
+
+type conn struct {
+	localAddr, remoteAddr net.Addr
+}
+
+var _ net.Conn = &conn{}
+
+func (c *conn) Read([]byte) (int, error)         { return 0, nil }
+func (c *conn) Write([]byte) (int, error)        { return 0, nil }
+func (c *conn) Close() error                     { return nil }
+func (c *conn) RemoteAddr() net.Addr             { return c.remoteAddr }
+func (c *conn) LocalAddr() net.Addr              { return c.localAddr }
+func (c *conn) SetReadDeadline(time.Time) error  { return nil }
+func (c *conn) SetWriteDeadline(time.Time) error { return nil }
+func (c *conn) SetDeadline(time.Time) error      { return nil }

internal/handshake/crypto_setup.go

@@ -5,6 +5,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -140,6 +141,7 @@ func NewUCryptoSetupClient(
 // NewCryptoSetupServer creates a new crypto setup for the server
 func NewCryptoSetupServer(
 	connID protocol.ConnectionID,
+	localAddr, remoteAddr net.Addr,
 	tp *wire.TransportParameters,
 	tlsConf *tls.Config,
 	allow0RTT bool,
@@ -161,6 +163,13 @@ func NewCryptoSetupServer(
 
 	quicConf := &qtls.QUICConfig{TLSConfig: tlsConf}
 	qtls.SetupConfigForServer(quicConf, cs.allow0RTT, cs.getDataForSessionTicket, cs.accept0RTT)
+	if quicConf.TLSConfig.GetConfigForClient != nil {
+		gcfc := quicConf.TLSConfig.GetConfigForClient
+		quicConf.TLSConfig.GetConfigForClient = func(info *tls.ClientHelloInfo) (*tls.Config, error) {
+			info.Conn = &conn{localAddr: localAddr, remoteAddr: remoteAddr}
+			return gcfc(info)
+		}
+	}
 
 	cs.tlsConf = quicConf.TLSConfig
 	cs.conn = qtls.QUICServer(quicConf)

internal/handshake/crypto_setup_test.go

@@ -6,6 +6,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"math/big"
+	"net"
 	"time"
 
 	tls "github.com/refraction-networking/utls"
@@ -66,6 +67,8 @@ var _ = Describe("Crypto Setup TLS", func() {
 		var token protocol.StatelessResetToken
 		server := NewCryptoSetupServer(
 			protocol.ConnectionID{},
+			&net.UDPAddr{IP: net.IPv6loopback, Port: 1234},
+			&net.UDPAddr{IP: net.IPv6loopback, Port: 4321},
 			&wire.TransportParameters{StatelessResetToken: &token},
 			testdata.GetTLSConfig(),
 			false,
@@ -205,6 +208,8 @@ var _ = Describe("Crypto Setup TLS", func() {
 			}
 			server := NewCryptoSetupServer(
 				protocol.ConnectionID{},
+				&net.UDPAddr{IP: net.IPv6loopback, Port: 1234},
+				&net.UDPAddr{IP: net.IPv6loopback, Port: 4321},
 				serverTransportParameters,
 				serverConf,
 				enable0RTT,
@@ -274,6 +279,8 @@ var _ = Describe("Crypto Setup TLS", func() {
 			}
 			server := NewCryptoSetupServer(
 				protocol.ConnectionID{},
+				&net.UDPAddr{IP: net.IPv6loopback, Port: 1234},
+				&net.UDPAddr{IP: net.IPv6loopback, Port: 4321},
 				sTransportParameters,
 				serverConf,
 				false,

internal/wire/transport_parameter_test.go

@@ -612,5 +612,93 @@ var _ = Describe("Transport Parameters", func() {
 				Expect(p.ValidFor0RTT(saved)).To(BeFalse())
 			})
 		})
+
+		Context("client checks the parameters after successfully sending 0-RTT data", func() {
+			var p TransportParameters
+			saved := &TransportParameters{
+				InitialMaxStreamDataBidiLocal:  1,
+				InitialMaxStreamDataBidiRemote: 2,
+				InitialMaxStreamDataUni:        3,
+				InitialMaxData:                 4,
+				MaxBidiStreamNum:               5,
+				MaxUniStreamNum:                6,
+				ActiveConnectionIDLimit:        7,
+			}
+
+			BeforeEach(func() {
+				p = *saved
+				Expect(p.ValidForUpdate(saved)).To(BeTrue())
+			})
+
+			It("rejects the parameters if the InitialMaxStreamDataBidiLocal was reduced", func() {
+				p.InitialMaxStreamDataBidiLocal = saved.InitialMaxStreamDataBidiLocal - 1
+				Expect(p.ValidForUpdate(saved)).To(BeFalse())
+			})
+
+			It("doesn't reject the parameters if the InitialMaxStreamDataBidiLocal was increased", func() {
+				p.InitialMaxStreamDataBidiLocal = saved.InitialMaxStreamDataBidiLocal + 1
+				Expect(p.ValidForUpdate(saved)).To(BeTrue())
+			})
+
+			It("rejects the parameters if the InitialMaxStreamDataBidiRemote was reduced", func() {
+				p.InitialMaxStreamDataBidiRemote = saved.InitialMaxStreamDataBidiRemote - 1
+				Expect(p.ValidForUpdate(saved)).To(BeFalse())
+			})
+
+			It("doesn't reject the parameters if the InitialMaxStreamDataBidiRemote was increased", func() {
+				p.InitialMaxStreamDataBidiRemote = saved.InitialMaxStreamDataBidiRemote + 1
+				Expect(p.ValidForUpdate(saved)).To(BeTrue())
+			})
+
+			It("rejects the parameters if the InitialMaxStreamDataUni was reduced", func() {
+				p.InitialMaxStreamDataUni = saved.InitialMaxStreamDataUni - 1
+				Expect(p.ValidForUpdate(saved)).To(BeFalse())
+			})
+
+			It("doesn't reject the parameters if the InitialMaxStreamDataUni was increased", func() {
+				p.InitialMaxStreamDataUni = saved.InitialMaxStreamDataUni + 1
+				Expect(p.ValidForUpdate(saved)).To(BeTrue())
+			})
+
+			It("rejects the parameters if the InitialMaxData was reduced", func() {
+				p.InitialMaxData = saved.InitialMaxData - 1
+				Expect(p.ValidForUpdate(saved)).To(BeFalse())
+			})
+
+			It("doesn't reject the parameters if the InitialMaxData was increased", func() {
+				p.InitialMaxData = saved.InitialMaxData + 1
+				Expect(p.ValidForUpdate(saved)).To(BeTrue())
+			})
+
+			It("rejects the parameters if the MaxBidiStreamNum was reduced", func() {
+				p.MaxBidiStreamNum = saved.MaxBidiStreamNum - 1
+				Expect(p.ValidForUpdate(saved)).To(BeFalse())
+			})
+
+			It("doesn't reject the parameters if the MaxBidiStreamNum was increased", func() {
+				p.MaxBidiStreamNum = saved.MaxBidiStreamNum + 1
+				Expect(p.ValidForUpdate(saved)).To(BeTrue())
+			})
+
+			It("rejects the parameters if the MaxUniStreamNum reduced", func() {
+				p.MaxUniStreamNum = saved.MaxUniStreamNum - 1
+				Expect(p.ValidForUpdate(saved)).To(BeFalse())
+			})
+
+			It("doesn't reject the parameters if the MaxUniStreamNum was increased", func() {
+				p.MaxUniStreamNum = saved.MaxUniStreamNum + 1
+				Expect(p.ValidForUpdate(saved)).To(BeTrue())
+			})
+
+			It("rejects the parameters if the ActiveConnectionIDLimit reduced", func() {
+				p.ActiveConnectionIDLimit = saved.ActiveConnectionIDLimit - 1
+				Expect(p.ValidForUpdate(saved)).To(BeFalse())
+			})
+
+			It("doesn't reject the parameters if the ActiveConnectionIDLimit increased", func() {
+				p.ActiveConnectionIDLimit = saved.ActiveConnectionIDLimit + 1
+				Expect(p.ValidForUpdate(saved)).To(BeTrue())
+			})
+		})
 	})
 })

internal/wire/transport_parameters.go

@@ -491,6 +491,18 @@ func (p *TransportParameters) ValidFor0RTT(saved *TransportParameters) bool {
 		p.ActiveConnectionIDLimit == saved.ActiveConnectionIDLimit
 }
 
+// ValidForUpdate checks that the new transport parameters don't reduce limits after resuming a 0-RTT connection.
+// It is only used on the client side.
+func (p *TransportParameters) ValidForUpdate(saved *TransportParameters) bool {
+	return p.ActiveConnectionIDLimit >= saved.ActiveConnectionIDLimit &&
+		p.InitialMaxData >= saved.InitialMaxData &&
+		p.InitialMaxStreamDataBidiLocal >= saved.InitialMaxStreamDataBidiLocal &&
+		p.InitialMaxStreamDataBidiRemote >= saved.InitialMaxStreamDataBidiRemote &&
+		p.InitialMaxStreamDataUni >= saved.InitialMaxStreamDataUni &&
+		p.MaxBidiStreamNum >= saved.MaxBidiStreamNum &&
+		p.MaxUniStreamNum >= saved.MaxUniStreamNum
+}
+
 // String returns a string representation, intended for logging.
 func (p *TransportParameters) String() string {
 	logString := "&wire.TransportParameters{OriginalDestinationConnectionID: %s, InitialSourceConnectionID: %s, "