From 32f8b20ae5fdfa6d508d00a232b2543240cc6ca0 Mon Sep 17 00:00:00 2001 From: roc Date: Sat, 29 Jul 2023 12:18:26 +0800 Subject: [PATCH 1/4] http3: fix check for content length of the response (#3998) * fix: check response content-length other than request content-length * Update http3/client.go --------- Co-authored-by: Marten Seemann --- http3/client.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/http3/client.go b/http3/client.go index d53391f0..cc2400e2 100644 --- a/http3/client.go +++ b/http3/client.go @@ -429,8 +429,8 @@ func (c *client) doRequest(req *http.Request, conn quic.EarlyConnection, str qui // Check that the server doesn't send more data in DATA frames than indicated by the Content-Length header (if set). // See section 4.1.2 of RFC 9114. var httpStr Stream - if _, ok := req.Header["Content-Length"]; ok && req.ContentLength >= 0 { - httpStr = newLengthLimitedStream(hstr, req.ContentLength) + if _, ok := res.Header["Content-Length"]; ok && res.ContentLength >= 0 { + httpStr = newLengthLimitedStream(hstr, res.ContentLength) } else { httpStr = hstr } From 44a58dc425fc0ff2c9a5a9afa3e380d3e47f96ec Mon Sep 17 00:00:00 2001 From: Marten Seemann Date: Fri, 28 Jul 2023 21:45:45 -0700 Subject: [PATCH 2/4] ci: update Go 1.21 to rc3 (#3994) --- .github/workflows/cross-compile.yml | 2 +- .github/workflows/integration.yml | 2 +- .github/workflows/unit.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cross-compile.yml b/.github/workflows/cross-compile.yml index e0855821..042953f8 100644 --- a/.github/workflows/cross-compile.yml +++ b/.github/workflows/cross-compile.yml @@ -4,7 +4,7 @@ jobs: strategy: fail-fast: false matrix: - go: [ "1.20.x", "1.21.0-rc.2" ] + go: [ "1.20.x", "1.21.0-rc.3" ] runs-on: ${{ fromJSON(vars['CROSS_COMPILE_RUNNER_UBUNTU'] || '"ubuntu-latest"') }} name: "Cross Compilation (Go ${{matrix.go}})" steps: diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index b6e33e78..362a24ec 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -5,7 +5,7 @@ jobs: strategy: fail-fast: false matrix: - go: [ "1.20.x", "1.21.0-rc.2" ] + go: [ "1.20.x", "1.21.0-rc.3" ] runs-on: ${{ fromJSON(vars['INTEGRATION_RUNNER_UBUNTU'] || '"ubuntu-latest"') }} env: DEBUG: false # set this to true to export qlogs and save them as artifacts diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml index f436d748..fb21749f 100644 --- a/.github/workflows/unit.yml +++ b/.github/workflows/unit.yml @@ -7,7 +7,7 @@ jobs: fail-fast: false matrix: os: [ "ubuntu", "windows", "macos" ] - go: [ "1.20.x", "1.21.0-rc.2" ] + go: [ "1.20.x", "1.21.0-rc.3" ] runs-on: ${{ fromJSON(vars[format('UNIT_RUNNER_{0}', matrix.os)] || format('"{0}-latest"', matrix.os)) }} name: Unit tests (${{ matrix.os}}, Go ${{ matrix.go }}) steps: From f3a0ce1599732cb56b958c2f0903074b62a7e9bf Mon Sep 17 00:00:00 2001 From: Marten Seemann Date: Mon, 31 Jul 2023 16:32:10 -0400 Subject: [PATCH 3/4] set a net.Conn with the correct addresses on the tls.ClientHelloInfo (#4001) --- connection.go | 2 ++ fuzzing/handshake/cmd/corpus.go | 3 +++ fuzzing/handshake/fuzz.go | 3 +++ integrationtests/self/handshake_test.go | 24 ++++++++++++++++++++++++ internal/handshake/conn.go | 21 +++++++++++++++++++++ internal/handshake/crypto_setup.go | 9 +++++++++ internal/handshake/crypto_setup_test.go | 7 +++++++ 7 files changed, 69 insertions(+) create mode 100644 internal/handshake/conn.go diff --git a/connection.go b/connection.go index bb4d691e..eede6929 100644 --- a/connection.go +++ b/connection.go @@ -315,6 +315,8 @@ var newConnection = func( } cs := handshake.NewCryptoSetupServer( clientDestConnID, + conn.LocalAddr(), + conn.RemoteAddr(), params, tlsConf, conf.Allow0RTT, diff --git a/fuzzing/handshake/cmd/corpus.go b/fuzzing/handshake/cmd/corpus.go index a7e0196f..bf7b34a0 100644 --- a/fuzzing/handshake/cmd/corpus.go +++ b/fuzzing/handshake/cmd/corpus.go @@ -3,6 +3,7 @@ package main import ( "crypto/tls" "log" + "net" fuzzhandshake "github.com/quic-go/quic-go/fuzzing/handshake" "github.com/quic-go/quic-go/fuzzing/internal/helper" @@ -37,6 +38,8 @@ func main() { config.NextProtos = []string{alpn} server := handshake.NewCryptoSetupServer( protocol.ConnectionID{}, + &net.UDPAddr{IP: net.IPv6loopback, Port: 1234}, + &net.UDPAddr{IP: net.IPv6loopback, Port: 4321}, &wire.TransportParameters{ActiveConnectionIDLimit: 2}, config, false, diff --git a/fuzzing/handshake/fuzz.go b/fuzzing/handshake/fuzz.go index c89f6a9f..2c5c1259 100644 --- a/fuzzing/handshake/fuzz.go +++ b/fuzzing/handshake/fuzz.go @@ -11,6 +11,7 @@ import ( "log" "math" mrand "math/rand" + "net" "time" "github.com/quic-go/quic-go/fuzzing/internal/helper" @@ -304,6 +305,8 @@ func runHandshake(runConfig [confLen]byte, messageConfig uint8, clientConf *tls. server := handshake.NewCryptoSetupServer( protocol.ConnectionID{}, + &net.UDPAddr{IP: net.IPv6loopback, Port: 1234}, + &net.UDPAddr{IP: net.IPv6loopback, Port: 4321}, serverTP, serverConf, enable0RTTServer, diff --git a/integrationtests/self/handshake_test.go b/integrationtests/self/handshake_test.go index 2ef4dd20..9652cb0d 100644 --- a/integrationtests/self/handshake_test.go +++ b/integrationtests/self/handshake_test.go @@ -140,6 +140,30 @@ var _ = Describe("Handshake tests", func() { Expect(err).ToNot(HaveOccurred()) }) + It("has the right local and remote address on the ClientHelloInfo.Conn", func() { + var local, remote net.Addr + done := make(chan struct{}) + tlsConf := &tls.Config{ + GetConfigForClient: func(info *tls.ClientHelloInfo) (*tls.Config, error) { + defer close(done) + local = info.Conn.LocalAddr() + remote = info.Conn.RemoteAddr() + return getTLSConfig(), nil + }, + } + runServer(tlsConf) + conn, err := quic.DialAddr( + context.Background(), + fmt.Sprintf("localhost:%d", server.Addr().(*net.UDPAddr).Port), + getTLSClientConfig(), + getQuicConfig(nil), + ) + Expect(err).ToNot(HaveOccurred()) + Eventually(done).Should(BeClosed()) + Expect(server.Addr()).To(Equal(local)) + Expect(conn.LocalAddr().(*net.UDPAddr).Port).To(Equal(remote.(*net.UDPAddr).Port)) + }) + It("works with a long certificate chain", func() { runServer(getTLSConfigWithLongCertChain()) _, err := quic.DialAddr( diff --git a/internal/handshake/conn.go b/internal/handshake/conn.go new file mode 100644 index 00000000..54af823b --- /dev/null +++ b/internal/handshake/conn.go @@ -0,0 +1,21 @@ +package handshake + +import ( + "net" + "time" +) + +type conn struct { + localAddr, remoteAddr net.Addr +} + +var _ net.Conn = &conn{} + +func (c *conn) Read([]byte) (int, error) { return 0, nil } +func (c *conn) Write([]byte) (int, error) { return 0, nil } +func (c *conn) Close() error { return nil } +func (c *conn) RemoteAddr() net.Addr { return c.remoteAddr } +func (c *conn) LocalAddr() net.Addr { return c.localAddr } +func (c *conn) SetReadDeadline(time.Time) error { return nil } +func (c *conn) SetWriteDeadline(time.Time) error { return nil } +func (c *conn) SetDeadline(time.Time) error { return nil } diff --git a/internal/handshake/crypto_setup.go b/internal/handshake/crypto_setup.go index 66ed04d6..b528f08e 100644 --- a/internal/handshake/crypto_setup.go +++ b/internal/handshake/crypto_setup.go @@ -6,6 +6,7 @@ import ( "crypto/tls" "errors" "fmt" + "net" "sync" "sync/atomic" "time" @@ -104,6 +105,7 @@ func NewCryptoSetupClient( // NewCryptoSetupServer creates a new crypto setup for the server func NewCryptoSetupServer( connID protocol.ConnectionID, + localAddr, remoteAddr net.Addr, tp *wire.TransportParameters, tlsConf *tls.Config, allow0RTT bool, @@ -125,6 +127,13 @@ func NewCryptoSetupServer( quicConf := &qtls.QUICConfig{TLSConfig: tlsConf} qtls.SetupConfigForServer(quicConf, cs.allow0RTT, cs.getDataForSessionTicket, cs.accept0RTT) + if quicConf.TLSConfig.GetConfigForClient != nil { + gcfc := quicConf.TLSConfig.GetConfigForClient + quicConf.TLSConfig.GetConfigForClient = func(info *tls.ClientHelloInfo) (*tls.Config, error) { + info.Conn = &conn{localAddr: localAddr, remoteAddr: remoteAddr} + return gcfc(info) + } + } cs.tlsConf = quicConf.TLSConfig cs.conn = qtls.QUICServer(quicConf) diff --git a/internal/handshake/crypto_setup_test.go b/internal/handshake/crypto_setup_test.go index e891cb9f..4b210d20 100644 --- a/internal/handshake/crypto_setup_test.go +++ b/internal/handshake/crypto_setup_test.go @@ -7,6 +7,7 @@ import ( "crypto/x509" "crypto/x509/pkix" "math/big" + "net" "time" mocktls "github.com/quic-go/quic-go/internal/mocks/tls" @@ -65,6 +66,8 @@ var _ = Describe("Crypto Setup TLS", func() { var token protocol.StatelessResetToken server := NewCryptoSetupServer( protocol.ConnectionID{}, + &net.UDPAddr{IP: net.IPv6loopback, Port: 1234}, + &net.UDPAddr{IP: net.IPv6loopback, Port: 4321}, &wire.TransportParameters{StatelessResetToken: &token}, testdata.GetTLSConfig(), false, @@ -204,6 +207,8 @@ var _ = Describe("Crypto Setup TLS", func() { } server := NewCryptoSetupServer( protocol.ConnectionID{}, + &net.UDPAddr{IP: net.IPv6loopback, Port: 1234}, + &net.UDPAddr{IP: net.IPv6loopback, Port: 4321}, serverTransportParameters, serverConf, enable0RTT, @@ -273,6 +278,8 @@ var _ = Describe("Crypto Setup TLS", func() { } server := NewCryptoSetupServer( protocol.ConnectionID{}, + &net.UDPAddr{IP: net.IPv6loopback, Port: 1234}, + &net.UDPAddr{IP: net.IPv6loopback, Port: 4321}, sTransportParameters, serverConf, false, From 1c47ebefc0660eb82bada449a5365e2aedd1e686 Mon Sep 17 00:00:00 2001 From: Ameagari <47713057+tanghaowillow@users.noreply.github.com> Date: Wed, 2 Aug 2023 09:34:42 +0800 Subject: [PATCH 4/4] check transport parameters after 0-RTT resumption (#3985) * check new transport parameters do not contain redueced limits * redefine ValidForUpdate and add tests * fix test assertion and update comment --- connection.go | 8 +++ connection_test.go | 34 +++++++++ internal/wire/transport_parameter_test.go | 88 +++++++++++++++++++++++ internal/wire/transport_parameters.go | 12 ++++ 4 files changed, 142 insertions(+) diff --git a/connection.go b/connection.go index eede6929..fdf40d19 100644 --- a/connection.go +++ b/connection.go @@ -1665,6 +1665,14 @@ func (s *connection) handleTransportParameters(params *wire.TransportParameters) ErrorMessage: err.Error(), } } + + if s.perspective == protocol.PerspectiveClient && s.peerParams != nil && s.ConnectionState().Used0RTT && !params.ValidForUpdate(s.peerParams) { + return &qerr.TransportError{ + ErrorCode: qerr.ProtocolViolation, + ErrorMessage: "server sent reduced limits after accepting 0-RTT data", + } + } + s.peerParams = params // On the client side we have to wait for handshake completion. // During a 0-RTT connection, we are only allowed to use the new transport parameters for 1-RTT packets. diff --git a/connection_test.go b/connection_test.go index 20e9872b..c3c5d2c5 100644 --- a/connection_test.go +++ b/connection_test.go @@ -3035,6 +3035,40 @@ var _ = Describe("Client Connection", func() { ErrorMessage: "expected original_destination_connection_id to equal deadbeef, is decafbad", }))) }) + + It("errors if the transport parameters contain reduced limits after knowing 0-RTT data is accepted by the server", func() { + conn.perspective = protocol.PerspectiveClient + conn.peerParams = &wire.TransportParameters{ + ActiveConnectionIDLimit: 3, + InitialMaxData: 0x5000, + InitialMaxStreamDataBidiLocal: 0x5000, + InitialMaxStreamDataBidiRemote: 1000, + InitialMaxStreamDataUni: 1000, + MaxBidiStreamNum: 500, + MaxUniStreamNum: 500, + } + params := &wire.TransportParameters{ + OriginalDestinationConnectionID: destConnID, + InitialSourceConnectionID: destConnID, + ActiveConnectionIDLimit: 3, + InitialMaxData: 0x5000, + InitialMaxStreamDataBidiLocal: 0x5000, + InitialMaxStreamDataBidiRemote: 1000, + InitialMaxStreamDataUni: 1000, + MaxBidiStreamNum: 300, + MaxUniStreamNum: 300, + } + expectClose(false, true) + processed := make(chan struct{}) + tracer.EXPECT().ReceivedTransportParameters(params).Do(func(*wire.TransportParameters) { close(processed) }) + cryptoSetup.EXPECT().ConnectionState().Return(handshake.ConnectionState{Used0RTT: true}) + paramsChan <- params + Eventually(processed).Should(BeClosed()) + Eventually(errChan).Should(Receive(MatchError(&qerr.TransportError{ + ErrorCode: qerr.ProtocolViolation, + ErrorMessage: "server sent reduced limits after accepting 0-RTT data", + }))) + }) }) Context("handling potentially injected packets", func() { diff --git a/internal/wire/transport_parameter_test.go b/internal/wire/transport_parameter_test.go index 95bfbafc..9dd306b7 100644 --- a/internal/wire/transport_parameter_test.go +++ b/internal/wire/transport_parameter_test.go @@ -612,5 +612,93 @@ var _ = Describe("Transport Parameters", func() { Expect(p.ValidFor0RTT(saved)).To(BeFalse()) }) }) + + Context("client checks the parameters after successfully sending 0-RTT data", func() { + var p TransportParameters + saved := &TransportParameters{ + InitialMaxStreamDataBidiLocal: 1, + InitialMaxStreamDataBidiRemote: 2, + InitialMaxStreamDataUni: 3, + InitialMaxData: 4, + MaxBidiStreamNum: 5, + MaxUniStreamNum: 6, + ActiveConnectionIDLimit: 7, + } + + BeforeEach(func() { + p = *saved + Expect(p.ValidForUpdate(saved)).To(BeTrue()) + }) + + It("rejects the parameters if the InitialMaxStreamDataBidiLocal was reduced", func() { + p.InitialMaxStreamDataBidiLocal = saved.InitialMaxStreamDataBidiLocal - 1 + Expect(p.ValidForUpdate(saved)).To(BeFalse()) + }) + + It("doesn't reject the parameters if the InitialMaxStreamDataBidiLocal was increased", func() { + p.InitialMaxStreamDataBidiLocal = saved.InitialMaxStreamDataBidiLocal + 1 + Expect(p.ValidForUpdate(saved)).To(BeTrue()) + }) + + It("rejects the parameters if the InitialMaxStreamDataBidiRemote was reduced", func() { + p.InitialMaxStreamDataBidiRemote = saved.InitialMaxStreamDataBidiRemote - 1 + Expect(p.ValidForUpdate(saved)).To(BeFalse()) + }) + + It("doesn't reject the parameters if the InitialMaxStreamDataBidiRemote was increased", func() { + p.InitialMaxStreamDataBidiRemote = saved.InitialMaxStreamDataBidiRemote + 1 + Expect(p.ValidForUpdate(saved)).To(BeTrue()) + }) + + It("rejects the parameters if the InitialMaxStreamDataUni was reduced", func() { + p.InitialMaxStreamDataUni = saved.InitialMaxStreamDataUni - 1 + Expect(p.ValidForUpdate(saved)).To(BeFalse()) + }) + + It("doesn't reject the parameters if the InitialMaxStreamDataUni was increased", func() { + p.InitialMaxStreamDataUni = saved.InitialMaxStreamDataUni + 1 + Expect(p.ValidForUpdate(saved)).To(BeTrue()) + }) + + It("rejects the parameters if the InitialMaxData was reduced", func() { + p.InitialMaxData = saved.InitialMaxData - 1 + Expect(p.ValidForUpdate(saved)).To(BeFalse()) + }) + + It("doesn't reject the parameters if the InitialMaxData was increased", func() { + p.InitialMaxData = saved.InitialMaxData + 1 + Expect(p.ValidForUpdate(saved)).To(BeTrue()) + }) + + It("rejects the parameters if the MaxBidiStreamNum was reduced", func() { + p.MaxBidiStreamNum = saved.MaxBidiStreamNum - 1 + Expect(p.ValidForUpdate(saved)).To(BeFalse()) + }) + + It("doesn't reject the parameters if the MaxBidiStreamNum was increased", func() { + p.MaxBidiStreamNum = saved.MaxBidiStreamNum + 1 + Expect(p.ValidForUpdate(saved)).To(BeTrue()) + }) + + It("rejects the parameters if the MaxUniStreamNum reduced", func() { + p.MaxUniStreamNum = saved.MaxUniStreamNum - 1 + Expect(p.ValidForUpdate(saved)).To(BeFalse()) + }) + + It("doesn't reject the parameters if the MaxUniStreamNum was increased", func() { + p.MaxUniStreamNum = saved.MaxUniStreamNum + 1 + Expect(p.ValidForUpdate(saved)).To(BeTrue()) + }) + + It("rejects the parameters if the ActiveConnectionIDLimit reduced", func() { + p.ActiveConnectionIDLimit = saved.ActiveConnectionIDLimit - 1 + Expect(p.ValidForUpdate(saved)).To(BeFalse()) + }) + + It("doesn't reject the parameters if the ActiveConnectionIDLimit increased", func() { + p.ActiveConnectionIDLimit = saved.ActiveConnectionIDLimit + 1 + Expect(p.ValidForUpdate(saved)).To(BeTrue()) + }) + }) }) }) diff --git a/internal/wire/transport_parameters.go b/internal/wire/transport_parameters.go index 1ec1e59d..dc0aa22f 100644 --- a/internal/wire/transport_parameters.go +++ b/internal/wire/transport_parameters.go @@ -481,6 +481,18 @@ func (p *TransportParameters) ValidFor0RTT(saved *TransportParameters) bool { p.ActiveConnectionIDLimit == saved.ActiveConnectionIDLimit } +// ValidForUpdate checks that the new transport parameters don't reduce limits after resuming a 0-RTT connection. +// It is only used on the client side. +func (p *TransportParameters) ValidForUpdate(saved *TransportParameters) bool { + return p.ActiveConnectionIDLimit >= saved.ActiveConnectionIDLimit && + p.InitialMaxData >= saved.InitialMaxData && + p.InitialMaxStreamDataBidiLocal >= saved.InitialMaxStreamDataBidiLocal && + p.InitialMaxStreamDataBidiRemote >= saved.InitialMaxStreamDataBidiRemote && + p.InitialMaxStreamDataUni >= saved.InitialMaxStreamDataUni && + p.MaxBidiStreamNum >= saved.MaxBidiStreamNum && + p.MaxUniStreamNum >= saved.MaxUniStreamNum +} + // String returns a string representation, intended for logging. func (p *TransportParameters) String() string { logString := "&wire.TransportParameters{OriginalDestinationConnectionID: %s, InitialSourceConnectionID: %s, "