sync: Go 1.21 with QUIC support (#208)

* sync: Go 1.21rc3, QUIC support added (#207) * sync: merge with upstream tag/go-1.21rc3 (#11) * fix: all tests pass * impl: UQUIC Transport * deps: bump up min Go version * new: uquic * fix: add QUICTransportParameter * deprecated: Go 1.19 no longer supported Go 1.19 will fail to build or pass the test once we bump up to the new version. * sync: crypto/tls: restrict RSA keys in certificates to <= 8192 bits (#209) * [release-branch.go1.21] crypto/tls: restrict RSA keys in certificates to <= 8192 bits Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. Limit this by restricting the size of RSA keys transmitted during handshakes to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable. Thanks to Mateusz Poliwczak for reporting this issue. Fixes CVE-2023-29409 * build: [ci skip] boring not included * fix: typo [ci skip] * docs: replenish readme [ci skip] replace old build status badge with new ones, bump up required version noted in docs, update developer contact to reflect current status.
2025-04-03 03:57:36 +03:00 · 2023-08-03 23:22:53 -06:00 · 2023-08-03 23:22:53 -06:00 · 86e9b69fdd
commit 86e9b69fdd
parent d73321bb14
150 changed files with 13344 additions and 10239 deletions
--- a/u_conn.go
+++ b/u_conn.go
@ -16,7 +16,6 @@ import (
 	"io"
 	"net"
 	"strconv"
-	"sync/atomic"
 )

 type UConn struct {
@ -77,13 +76,13 @@ func (uconn *UConn) BuildHandshakeState() error {
 		}

 		// use default Golang ClientHello.
-		hello, ecdheParams, err := uconn.makeClientHello()
+		hello, ecdheKey, err := uconn.makeClientHello()
 		if err != nil {
 			return err
 		}

 		uconn.HandshakeState.Hello = hello.getPublicPtr()
-		uconn.HandshakeState.State13.EcdheParams = ecdheParams
+		uconn.HandshakeState.State13.EcdheKey = ecdheKey
 		uconn.HandshakeState.C = uconn.Conn
 	} else {
 		if !uconn.ClientHelloBuilt {
@ -114,10 +113,10 @@ func (uconn *UConn) BuildHandshakeState() error {
 // but the extension itself still MAY be present for mimicking purposes.
 // Session tickets to be reused - use same cache on following connections.
 func (uconn *UConn) SetSessionState(session *ClientSessionState) error {
-	uconn.HandshakeState.Session = session
 	var sessionTicket []uint8
 	if session != nil {
-		sessionTicket = session.sessionTicket
+		sessionTicket = session.ticket
+		uconn.HandshakeState.Session = session.session
 	}
 	uconn.HandshakeState.Hello.TicketSupported = true
 	uconn.HandshakeState.Hello.SessionTicket = sessionTicket
@ -182,7 +181,7 @@ func (uconn *UConn) SetSNI(sni string) {
 // It returns an error when used with HelloGolang ClientHelloID
 func (uconn *UConn) RemoveSNIExtension() error {
 	if uconn.ClientHelloID == HelloGolang {
-		return fmt.Errorf("Cannot call RemoveSNIExtension on a UConn with a HelloGolang ClientHelloID")
+		return fmt.Errorf("cannot call RemoveSNIExtension on a UConn with a HelloGolang ClientHelloID")
 	}
 	uconn.omitSNIExtension = true
 	return nil
@ -221,7 +220,7 @@ func (c *UConn) handshakeContext(ctx context.Context) (ret error) {
 	// Fast sync/atomic-based exit if there is no handshake in flight and the
 	// last one succeeded without an error. Avoids the expensive context setup
 	// and mutex for most Read and Write calls.
-	if c.handshakeComplete() {
+	if c.isHandshakeComplete.Load() {
 		return nil
 	}

@ -236,7 +235,10 @@ func (c *UConn) handshakeContext(ctx context.Context) (ret error) {
 	//
 	// The interrupter goroutine waits for the input context to be done and
 	// closes the connection if this happens before the function returns.
-	if ctx.Done() != nil {
+	if c.quic != nil {
+		c.quic.cancelc = handshakeCtx.Done()
+		c.quic.cancel = cancel
+	} else if ctx.Done() != nil {
 		done := make(chan struct{})
 		interruptRes := make(chan error, 1)
 		defer func() {
@ -264,7 +266,7 @@ func (c *UConn) handshakeContext(ctx context.Context) (ret error) {
 	if err := c.handshakeErr; err != nil {
 		return err
 	}
-	if c.handshakeComplete() {
+	if c.isHandshakeComplete.Load() {
 		return nil
 	}

@ -288,9 +290,36 @@ func (c *UConn) handshakeContext(ctx context.Context) (ret error) {
 		c.flush()
 	}

-	if c.handshakeErr == nil && !c.handshakeComplete() {
+	if c.handshakeErr == nil && !c.isHandshakeComplete.Load() {
 		c.handshakeErr = errors.New("tls: internal error: handshake should have had a result")
 	}
+	if c.handshakeErr != nil && c.isHandshakeComplete.Load() {
+		panic("tls: internal error: handshake returned an error but is marked successful")
+	}
+
+	if c.quic != nil {
+		if c.handshakeErr == nil {
+			c.quicHandshakeComplete()
+			// Provide the 1-RTT read secret now that the handshake is complete.
+			// The QUIC layer MUST NOT decrypt 1-RTT packets prior to completing
+			// the handshake (RFC 9001, Section 5.7).
+			c.quicSetReadSecret(QUICEncryptionLevelApplication, c.cipherSuite, c.in.trafficSecret)
+		} else {
+			var a alert
+			c.out.Lock()
+			if !errors.As(c.out.err, &a) {
+				a = alertInternalError
+			}
+			c.out.Unlock()
+			// Return an error which wraps both the handshake error and
+			// any alert error we may have sent, or alertInternalError
+			// if we didn't send an alert.
+			// Truncate the text of the alert to 0 characters.
+			c.handshakeErr = fmt.Errorf("%w%.0w", c.handshakeErr, AlertError(a))
+		}
+		close(c.quic.blockedc)
+		close(c.quic.signalc)
+	}

 	return c.handshakeErr
 }
@ -300,12 +329,12 @@ func (c *UConn) handshakeContext(ctx context.Context) (ret error) {
 func (c *UConn) Write(b []byte) (int, error) {
 	// interlock with Close below
 	for {
-		x := atomic.LoadInt32(&c.activeCall)
+		x := c.activeCall.Load()
 		if x&1 != 0 {
 			return 0, net.ErrClosed
 		}
-		if atomic.CompareAndSwapInt32(&c.activeCall, x, x+2) {
-			defer atomic.AddInt32(&c.activeCall, -2)
+		if c.activeCall.CompareAndSwap(x, x+2) {
+			defer c.activeCall.Add(-2)
 			break
 		}
 	}
@ -321,7 +350,7 @@ func (c *UConn) Write(b []byte) (int, error) {
 		return 0, err
 	}

-	if !c.handshakeComplete() {
+	if !c.isHandshakeComplete.Load() {
 		return 0, alertInternalError
 	}

@ -399,11 +428,11 @@ func (c *UConn) clientHandshake(ctx context.Context) (err error) {
 	}
 	// [uTLS section ends]

-	cacheKey, session, earlySecret, binderKey, err := c.loadSession(hello)
+	session, earlySecret, binderKey, err := c.loadSession(hello)
 	if err != nil {
 		return err
 	}
-	if cacheKey != "" && session != nil {
+	if session != nil {
 		defer func() {
 			// If we got a handshake failure when resuming a session, throw away
 			// the session ticket. See RFC 5077, Section 3.2.
@ -412,15 +441,21 @@ func (c *UConn) clientHandshake(ctx context.Context) (err error) {
 			// does require servers to abort on invalid binders, so we need to
 			// delete tickets to recover from a corrupted PSK.
 			if err != nil {
-				c.config.ClientSessionCache.Put(cacheKey, nil)
+				if cacheKey := c.clientSessionCacheKey(); cacheKey != "" {
+					c.config.ClientSessionCache.Put(cacheKey, nil)
+				}
 			}
 		}()
 	}

-	if !sessionIsAlreadySet { // uTLS: do not overwrite already set session
-		err = c.SetSessionState(session)
-		if err != nil {
-			return
+	cacheKey := c.clientSessionCacheKey()
+	if c.config.ClientSessionCache != nil {
+		cs, ok := c.config.ClientSessionCache.Get(cacheKey)
+		if !sessionIsAlreadySet && ok { // uTLS: do not overwrite already set session
+			err = c.SetSessionState(cs)
+			if err != nil {
+				return
+			}
 		}
 	}

@ -476,7 +511,12 @@ func (c *UConn) clientHandshake(ctx context.Context) (err error) {
 	// If we had a successful handshake and hs.session is different from
 	// the one already cached - cache a new one.
 	if cacheKey != "" && hs12.session != nil && session != hs12.session {
-		c.config.ClientSessionCache.Put(cacheKey, hs12.session)
+		hs12cs := &ClientSessionState{
+			ticket:  hs12.ticket,
+			session: hs12.session,
+		}
+
+		c.config.ClientSessionCache.Put(cacheKey, hs12cs)
 	}
 	return nil
 }
@ -508,7 +548,7 @@ func (uconn *UConn) MarshalClientHello() error {
 			if paddingExt == nil {
 				paddingExt = pe
 			} else {
-				return errors.New("Multiple padding extensions!")
+				return errors.New("multiple padding extensions!")
 			}
 		}
 	}
@ -576,7 +616,7 @@ func (uconn *UConn) GetOutKeystream(length int) ([]byte, error) {
 		// AEAD.Seal() does not mutate internal state, other ciphers might
 		return outCipher.Seal(nil, uconn.out.seq[:], zeros, nil), nil
 	}
-	return nil, errors.New("Could not convert OutCipher to cipher.AEAD")
+	return nil, errors.New("could not convert OutCipher to cipher.AEAD")
 }

 // SetTLSVers sets min and max TLS version in all appropriate places.
@ -686,7 +726,7 @@ func MakeConnWithCompleteHandshake(tcpConn net.Conn, version uint16, cipherSuite
 		}

 		// skip the handshake states
-		atomic.StoreUint32(&tlsConn.handshakeStatus, 1)
+		tlsConn.isHandshakeComplete.Store(true)
 		tlsConn.cipherSuite = cipherSuite
 		tlsConn.haveVers = true
 		tlsConn.vers = version