From 65247b6f0f2f354eee78d9b3e3d987dff59442a8 Mon Sep 17 00:00:00 2001 From: Devin Carr Date: Wed, 26 Jul 2023 13:52:40 -0700 Subject: [PATCH] TUN-7584: Bump go 1.20.6 Pins all docker and cfsetup builds to a specific go patch version. Also ran go fix on repo. --- .github/workflows/check.yaml | 2 +- Dockerfile | 2 +- Dockerfile.amd64 | 2 +- Dockerfile.arm64 | 2 +- cfsetup.yaml | 4 +- cmd/cloudflared/generic_service.go | 1 - cmd/cloudflared/linux_service.go | 1 - cmd/cloudflared/macos_service.go | 1 - cmd/cloudflared/tunnel/configuration_test.go | 1 - cmd/cloudflared/tunnel/signal_test.go | 1 - .../updater/workers_service_test.go | 1 - cmd/cloudflared/windows_service.go | 1 - dev.Dockerfile | 2 +- go.mod | 9 +- go.sum | 4 +- proxy/proxy_posix_test.go | 1 - sshgen/sshgen_test.go | 1 - token/launch_browser_darwin.go | 1 - token/launch_browser_other.go | 1 - token/launch_browser_unix.go | 1 - token/launch_browser_windows.go | 1 - token/token_test.go | 1 - .../github.com/quic-go/qtls-go1-19/cfkem.go | 170 ------------------ .../quic-go/qtls-go1-19/handshake_client.go | 55 +++--- .../qtls-go1-19/handshake_client_tls13.go | 71 ++------ .../qtls-go1-19/handshake_server_tls13.go | 35 +--- .../quic-go/qtls-go1-19/key_agreement.go | 2 +- vendor/modules.txt | 3 +- watcher/file_test.go | 1 - 29 files changed, 57 insertions(+), 321 deletions(-) delete mode 100644 vendor/github.com/quic-go/qtls-go1-19/cfkem.go diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml index 6ce913b4..c437d426 100644 --- a/.github/workflows/check.yaml +++ b/.github/workflows/check.yaml @@ -4,7 +4,7 @@ jobs: check: strategy: matrix: - go-version: [1.19.x] + go-version: [1.20.x] os: [ubuntu-latest, macos-latest, windows-latest] runs-on: ${{ matrix.os }} steps: diff --git a/Dockerfile b/Dockerfile index 870bbbeb..06714d5a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # use a builder image for building cloudflare ARG TARGET_GOOS ARG TARGET_GOARCH -FROM golang:1.19 as builder +FROM golang:1.20.6 as builder ENV GO111MODULE=on \ CGO_ENABLED=0 \ TARGET_GOOS=${TARGET_GOOS} \ diff --git a/Dockerfile.amd64 b/Dockerfile.amd64 index b5eefc21..29d41563 100644 --- a/Dockerfile.amd64 +++ b/Dockerfile.amd64 @@ -1,5 +1,5 @@ # use a builder image for building cloudflare -FROM golang:1.19 as builder +FROM golang:1.20.6 as builder ENV GO111MODULE=on \ CGO_ENABLED=0 diff --git a/Dockerfile.arm64 b/Dockerfile.arm64 index 7995b6c3..a382e4b7 100644 --- a/Dockerfile.arm64 +++ b/Dockerfile.arm64 @@ -1,5 +1,5 @@ # use a builder image for building cloudflare -FROM golang:1.19 as builder +FROM golang:1.20.6 as builder ENV GO111MODULE=on \ CGO_ENABLED=0 diff --git a/cfsetup.yaml b/cfsetup.yaml index 4c216eff..1f5e0389 100644 --- a/cfsetup.yaml +++ b/cfsetup.yaml @@ -1,5 +1,5 @@ -pinned_go: &pinned_go go=1.19.6-1 -pinned_go_fips: &pinned_go_fips go-boring=1.19.6-1 +pinned_go: &pinned_go go=1.20.6-1 +pinned_go_fips: &pinned_go_fips go-boring=1.20.6-1 build_dir: &build_dir /cfsetup_build default-flavor: bullseye diff --git a/cmd/cloudflared/generic_service.go b/cmd/cloudflared/generic_service.go index 25872bbf..7fc8c5e6 100644 --- a/cmd/cloudflared/generic_service.go +++ b/cmd/cloudflared/generic_service.go @@ -1,5 +1,4 @@ //go:build !windows && !darwin && !linux -// +build !windows,!darwin,!linux package main diff --git a/cmd/cloudflared/linux_service.go b/cmd/cloudflared/linux_service.go index 5f333b46..72aada5e 100644 --- a/cmd/cloudflared/linux_service.go +++ b/cmd/cloudflared/linux_service.go @@ -1,5 +1,4 @@ //go:build linux -// +build linux package main diff --git a/cmd/cloudflared/macos_service.go b/cmd/cloudflared/macos_service.go index 507412f7..48d066e0 100644 --- a/cmd/cloudflared/macos_service.go +++ b/cmd/cloudflared/macos_service.go @@ -1,5 +1,4 @@ //go:build darwin -// +build darwin package main diff --git a/cmd/cloudflared/tunnel/configuration_test.go b/cmd/cloudflared/tunnel/configuration_test.go index 237bc829..07a6091e 100644 --- a/cmd/cloudflared/tunnel/configuration_test.go +++ b/cmd/cloudflared/tunnel/configuration_test.go @@ -1,5 +1,4 @@ //go:build ignore -// +build ignore // TODO: Remove the above build tag and include this test when we start compiling with Golang 1.10.0+ diff --git a/cmd/cloudflared/tunnel/signal_test.go b/cmd/cloudflared/tunnel/signal_test.go index 294ed713..8601acca 100644 --- a/cmd/cloudflared/tunnel/signal_test.go +++ b/cmd/cloudflared/tunnel/signal_test.go @@ -1,5 +1,4 @@ //go:build !windows -// +build !windows package tunnel diff --git a/cmd/cloudflared/updater/workers_service_test.go b/cmd/cloudflared/updater/workers_service_test.go index d5f8e456..b4bc4359 100644 --- a/cmd/cloudflared/updater/workers_service_test.go +++ b/cmd/cloudflared/updater/workers_service_test.go @@ -1,5 +1,4 @@ //go:build !windows -// +build !windows package updater diff --git a/cmd/cloudflared/windows_service.go b/cmd/cloudflared/windows_service.go index 79b7f431..0858439d 100644 --- a/cmd/cloudflared/windows_service.go +++ b/cmd/cloudflared/windows_service.go @@ -1,5 +1,4 @@ //go:build windows -// +build windows package main diff --git a/dev.Dockerfile b/dev.Dockerfile index 5c078cfd..b7d69b5e 100644 --- a/dev.Dockerfile +++ b/dev.Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.19 as builder +FROM golang:1.20.6 as builder ENV GO111MODULE=on \ CGO_ENABLED=0 WORKDIR /go/src/github.com/cloudflare/cloudflared/ diff --git a/go.mod b/go.mod index f25c7204..668cb7c7 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/cloudflare/cloudflared -go 1.19 +go 1.20 require ( github.com/cloudflare/golibs v0.0.0-20170913112048-333127dbecfc @@ -110,8 +110,5 @@ replace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1 replace github.com/quic-go/quic-go => github.com/devincarr/quic-go v0.0.0-20230502200822-d1f4edacbee7 // Post-quantum tunnel RTG-1339 -replace ( - // Branches go1.19 go1.20 on github.com/cloudflare/qtls-pq - github.com/quic-go/qtls-go1-19 => github.com/cloudflare/qtls-pq v0.0.0-20230320123031-3faac1a945b2 - github.com/quic-go/qtls-go1-20 => github.com/cloudflare/qtls-pq v0.0.0-20230320122459-4ed280d0d633 -) +// Branches go1.20 on github.com/cloudflare/qtls-pq +replace github.com/quic-go/qtls-go1-20 => github.com/cloudflare/qtls-pq v0.0.0-20230320122459-4ed280d0d633 diff --git a/go.sum b/go.sum index 13db8be2..e34239e2 100644 --- a/go.sum +++ b/go.sum @@ -65,8 +65,6 @@ github.com/cloudflare/golibs v0.0.0-20170913112048-333127dbecfc h1:Dvk3ySBsOm5Ev github.com/cloudflare/golibs v0.0.0-20170913112048-333127dbecfc/go.mod h1:HlgKKR8V5a1wroIDDIz3/A+T+9Janfq+7n1P5sEFdi0= github.com/cloudflare/qtls-pq v0.0.0-20230320122459-4ed280d0d633 h1:ZTub2XMOBpxyBiJf6Q+UKqAi07yt1rZmFitriHvFd8M= github.com/cloudflare/qtls-pq v0.0.0-20230320122459-4ed280d0d633/go.mod h1:j/igSUc4PgBMayIsBGjAFu2i7g663rm6kZrKy4htb7E= -github.com/cloudflare/qtls-pq v0.0.0-20230320123031-3faac1a945b2 h1:0/KuLjh9lBMiXlooAdwoo+FbLVD5DABtquB0ImEFOK0= -github.com/cloudflare/qtls-pq v0.0.0-20230320123031-3faac1a945b2/go.mod h1:XzuZIjv4mF5cM205RHHW1d60PQtWGwMR6jx38YKuYHs= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= @@ -337,6 +335,8 @@ github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1 github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo= github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4= +github.com/quic-go/qtls-go1-19 v0.3.2 h1:tFxjCFcTQzK+oMxG6Zcvp4Dq8dx4yD3dDiIiyc86Z5U= +github.com/quic-go/qtls-go1-19 v0.3.2/go.mod h1:ySOI96ew8lnoKPtSqx2BlI5wCpUVPT05RMAlajtnyOI= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ= diff --git a/proxy/proxy_posix_test.go b/proxy/proxy_posix_test.go index 6893995d..df927fd3 100644 --- a/proxy/proxy_posix_test.go +++ b/proxy/proxy_posix_test.go @@ -1,5 +1,4 @@ //go:build !windows -// +build !windows package proxy diff --git a/sshgen/sshgen_test.go b/sshgen/sshgen_test.go index dec55441..c605919d 100644 --- a/sshgen/sshgen_test.go +++ b/sshgen/sshgen_test.go @@ -1,5 +1,4 @@ //go:build !windows -// +build !windows package sshgen diff --git a/token/launch_browser_darwin.go b/token/launch_browser_darwin.go index a9cb9e82..13b7e4f8 100644 --- a/token/launch_browser_darwin.go +++ b/token/launch_browser_darwin.go @@ -1,5 +1,4 @@ //go:build darwin -// +build darwin package token diff --git a/token/launch_browser_other.go b/token/launch_browser_other.go index fb0c558c..c5d313a0 100644 --- a/token/launch_browser_other.go +++ b/token/launch_browser_other.go @@ -1,5 +1,4 @@ //go:build !windows && !darwin && !linux && !netbsd && !freebsd && !openbsd -// +build !windows,!darwin,!linux,!netbsd,!freebsd,!openbsd package token diff --git a/token/launch_browser_unix.go b/token/launch_browser_unix.go index 0a6adc4d..6d69ef9f 100644 --- a/token/launch_browser_unix.go +++ b/token/launch_browser_unix.go @@ -1,5 +1,4 @@ //go:build linux || freebsd || openbsd || netbsd -// +build linux freebsd openbsd netbsd package token diff --git a/token/launch_browser_windows.go b/token/launch_browser_windows.go index da0edd91..7d71c5cc 100644 --- a/token/launch_browser_windows.go +++ b/token/launch_browser_windows.go @@ -1,5 +1,4 @@ //go:build windows -// +build windows package token diff --git a/token/token_test.go b/token/token_test.go index 18bcf448..3759068d 100644 --- a/token/token_test.go +++ b/token/token_test.go @@ -1,5 +1,4 @@ //go:build linux -// +build linux package token diff --git a/vendor/github.com/quic-go/qtls-go1-19/cfkem.go b/vendor/github.com/quic-go/qtls-go1-19/cfkem.go deleted file mode 100644 index dc2f2302..00000000 --- a/vendor/github.com/quic-go/qtls-go1-19/cfkem.go +++ /dev/null @@ -1,170 +0,0 @@ -// Copyright 2022 Cloudflare, Inc. All rights reserved. Use of this source code -// is governed by a BSD-style license that can be found in the LICENSE file. -// -// Glue to add Circl's (post-quantum) hybrid KEMs. -// -// To enable set CurvePreferences with the desired scheme as the first element: -// -// import ( -// "github.com/cloudflare/circl/kem/tls" -// "github.com/cloudflare/circl/kem/hybrid" -// -// [...] -// -// config.CurvePreferences = []tls.CurveID{ -// qtls.X25519Kyber512Draft00, -// qtls.X25519, -// qtls.P256, -// } - -package qtls - -import ( - "github.com/cloudflare/circl/kem" - "github.com/cloudflare/circl/kem/hybrid" - - "crypto/tls" - "fmt" - "io" - "sync" - "time" -) - -// Either ecdheParameters or kem.PrivateKey -type clientKeySharePrivate interface{} - -var ( - X25519Kyber512Draft00 = CurveID(0xfe30) - X25519Kyber768Draft00 = CurveID(0xfe31) - invalidCurveID = CurveID(0) -) - -func kemSchemeKeyToCurveID(s kem.Scheme) CurveID { - switch s.Name() { - case "Kyber512-X25519": - return X25519Kyber512Draft00 - case "Kyber768-X25519": - return X25519Kyber768Draft00 - default: - return invalidCurveID - } -} - -// Extract CurveID from clientKeySharePrivate -func clientKeySharePrivateCurveID(ks clientKeySharePrivate) CurveID { - switch v := ks.(type) { - case kem.PrivateKey: - ret := kemSchemeKeyToCurveID(v.Scheme()) - if ret == invalidCurveID { - panic("cfkem: internal error: don't know CurveID for this KEM") - } - return ret - case ecdheParameters: - return v.CurveID() - default: - panic("cfkem: internal error: unknown clientKeySharePrivate") - } -} - -// Returns scheme by CurveID if supported by Circl -func curveIdToCirclScheme(id CurveID) kem.Scheme { - switch id { - case X25519Kyber512Draft00: - return hybrid.Kyber512X25519() - case X25519Kyber768Draft00: - return hybrid.Kyber768X25519() - } - return nil -} - -// Generate a new shared secret and encapsulates it for the packed -// public key in ppk using randomness from rnd. -func encapsulateForKem(scheme kem.Scheme, rnd io.Reader, ppk []byte) ( - ct, ss []byte, alert alert, err error) { - pk, err := scheme.UnmarshalBinaryPublicKey(ppk) - if err != nil { - return nil, nil, alertIllegalParameter, fmt.Errorf("unpack pk: %w", err) - } - seed := make([]byte, scheme.EncapsulationSeedSize()) - if _, err := io.ReadFull(rnd, seed); err != nil { - return nil, nil, alertInternalError, fmt.Errorf("random: %w", err) - } - ct, ss, err = scheme.EncapsulateDeterministically(pk, seed) - return ct, ss, alertIllegalParameter, err -} - -// Generate a new keypair using randomness from rnd. -func generateKemKeyPair(scheme kem.Scheme, rnd io.Reader) ( - kem.PublicKey, kem.PrivateKey, error) { - seed := make([]byte, scheme.SeedSize()) - if _, err := io.ReadFull(rnd, seed); err != nil { - return nil, nil, err - } - pk, sk := scheme.DeriveKeyPair(seed) - return pk, sk, nil -} - -// Events. We cannot use the same approach as used in our plain Go fork -// as we cannot change tls.Config, tls.ConnectionState, etc. Also we do -// not want to maintain a fork of quic-go itself as well. This seems -// the simplest option. - -// CFEvent. There are two events: one emitted on HRR and one emitted -type CFEvent interface { - // Common to all events - ServerSide() bool // true if server-side; false if on client-side - - // HRR event. Emitted when an HRR happened. - IsHRR() bool // true if this is an HRR event - - // Handshake event. - IsHandshake() bool // true if this is a handshake event. - Duration() time.Duration // how long did the handshake take? - KEX() tls.CurveID // which kex was established? -} - -type CFEventHandler func(CFEvent) - -// Registers a handler to be called when a CFEvent is emitted; returns -// the previous handler. -func SetCFEventHandler(handler CFEventHandler) CFEventHandler { - cfEventMux.Lock() - ret := cfEventHandler - cfEventHandler = handler - cfEventMux.Unlock() - return ret -} - -func raiseCFEvent(ev CFEvent) { - cfEventMux.Lock() - handler := cfEventHandler - cfEventMux.Unlock() - if handler != nil { - handler(ev) - } -} - -var ( - cfEventMux sync.Mutex - cfEventHandler CFEventHandler -) - -type cfEventHRR struct{ serverSide bool } - -func (*cfEventHRR) IsHRR() bool { return true } -func (ev *cfEventHRR) ServerSide() bool { return ev.serverSide } -func (*cfEventHRR) IsHandshake() bool { return false } -func (ev *cfEventHRR) Duration() time.Duration { panic("wrong event") } -func (ev *cfEventHRR) KEX() tls.CurveID { panic("wrong event") } - -type cfEventHandshake struct { - serverSide bool - duration time.Duration - kex tls.CurveID -} - -func (*cfEventHandshake) IsHRR() bool { return false } -func (ev *cfEventHandshake) ServerSide() bool { return ev.serverSide } -func (*cfEventHandshake) IsHandshake() bool { return true } -func (ev *cfEventHandshake) Duration() time.Duration { return ev.duration } -func (ev *cfEventHandshake) KEX() tls.CurveID { return ev.kex } diff --git a/vendor/github.com/quic-go/qtls-go1-19/handshake_client.go b/vendor/github.com/quic-go/qtls-go1-19/handshake_client.go index 4f52ab99..ec7dcb56 100644 --- a/vendor/github.com/quic-go/qtls-go1-19/handshake_client.go +++ b/vendor/github.com/quic-go/qtls-go1-19/handshake_client.go @@ -40,7 +40,7 @@ type clientHandshakeState struct { var testingOnlyForceClientHelloSignatureAlgorithms []SignatureScheme -func (c *Conn) makeClientHello() (*clientHelloMsg, clientKeySharePrivate, error) { +func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) { config := c.config if len(config.ServerName) == 0 && !config.InsecureSkipVerify { return nil, nil, errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config") @@ -142,8 +142,11 @@ func (c *Conn) makeClientHello() (*clientHelloMsg, clientKeySharePrivate, error) hello.supportedSignatureAlgorithms = testingOnlyForceClientHelloSignatureAlgorithms } - var secret clientKeySharePrivate + var params ecdheParameters if hello.supportedVersions[0] == VersionTLS13 { + if len(hello.supportedVersions) == 1 { + hello.cipherSuites = hello.cipherSuites[:0] + } if hasAESGCMHardwareSupport { hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13...) } else { @@ -151,37 +154,21 @@ func (c *Conn) makeClientHello() (*clientHelloMsg, clientKeySharePrivate, error) } curveID := config.curvePreferences()[0] - if scheme := curveIdToCirclScheme(curveID); scheme != nil { - pk, sk, err := generateKemKeyPair(scheme, config.rand()) - if err != nil { - return nil, nil, fmt.Errorf("generateKemKeyPair %s: %w", - scheme.Name(), err) - } - packedPk, err := pk.MarshalBinary() - if err != nil { - return nil, nil, fmt.Errorf("pack circl public key %s: %w", - scheme.Name(), err) - } - hello.keyShares = []keyShare{{group: curveID, data: packedPk}} - secret = sk - } else { - if _, ok := curveForCurveID(curveID); curveID != X25519 && !ok { - return nil, nil, errors.New("tls: CurvePreferences includes unsupported curve") - } - params, err := generateECDHEParameters(config.rand(), curveID) - if err != nil { - return nil, nil, err - } - hello.keyShares = []keyShare{{group: curveID, data: params.PublicKey()}} - secret = params + if _, ok := curveForCurveID(curveID); curveID != X25519 && !ok { + return nil, nil, errors.New("tls: CurvePreferences includes unsupported curve") } + params, err = generateECDHEParameters(config.rand(), curveID) + if err != nil { + return nil, nil, err + } + hello.keyShares = []keyShare{{group: curveID, data: params.PublicKey()}} } if hello.supportedVersions[0] == VersionTLS13 && c.extraConfig != nil && c.extraConfig.GetExtensions != nil { hello.additionalExtensions = c.extraConfig.GetExtensions(typeClientHello) } - return hello, secret, nil + return hello, params, nil } func (c *Conn) clientHandshake(ctx context.Context) (err error) { @@ -274,14 +261,14 @@ func (c *Conn) clientHandshake(ctx context.Context) (err error) { if c.vers == VersionTLS13 { hs := &clientHandshakeStateTLS13{ - c: c, - ctx: ctx, - serverHello: serverHello, - hello: hello, - keySharePrivate: ecdheParams, - session: session, - earlySecret: earlySecret, - binderKey: binderKey, + c: c, + ctx: ctx, + serverHello: serverHello, + hello: hello, + ecdheParams: ecdheParams, + session: session, + earlySecret: earlySecret, + binderKey: binderKey, } // In TLS 1.3, session tickets are delivered after the handshake. diff --git a/vendor/github.com/quic-go/qtls-go1-19/handshake_client_tls13.go b/vendor/github.com/quic-go/qtls-go1-19/handshake_client_tls13.go index 5c484a0e..05ca1333 100644 --- a/vendor/github.com/quic-go/qtls-go1-19/handshake_client_tls13.go +++ b/vendor/github.com/quic-go/qtls-go1-19/handshake_client_tls13.go @@ -12,12 +12,10 @@ import ( "crypto/rsa" "encoding/binary" "errors" - "fmt" "hash" "sync/atomic" "time" - circlKem "github.com/cloudflare/circl/kem" "golang.org/x/crypto/cryptobyte" ) @@ -26,8 +24,7 @@ type clientHandshakeStateTLS13 struct { ctx context.Context serverHello *serverHelloMsg hello *clientHelloMsg - - keySharePrivate clientKeySharePrivate + ecdheParams ecdheParameters session *clientSessionState earlySecret []byte @@ -47,8 +44,6 @@ type clientHandshakeStateTLS13 struct { func (hs *clientHandshakeStateTLS13) handshake() error { c := hs.c - startTime := time.Now() - if needFIPS() { return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode") } @@ -61,7 +56,7 @@ func (hs *clientHandshakeStateTLS13) handshake() error { } // Consistency check on the presence of a keyShare and its parameters. - if hs.keySharePrivate == nil || len(hs.hello.keyShares) != 1 { + if hs.ecdheParams == nil || len(hs.hello.keyShares) != 1 { return c.sendAlert(alertInternalError) } @@ -119,12 +114,6 @@ func (hs *clientHandshakeStateTLS13) handshake() error { return err } - raiseCFEvent(&cfEventHandshake{ - serverSide: false, - duration: time.Since(startTime), - kex: hs.serverHello.serverShare.group, - }) - atomic.StoreUint32(&c.handshakeStatus, 1) c.updateConnectionState() return nil @@ -201,8 +190,6 @@ func (hs *clientHandshakeStateTLS13) sendDummyChangeCipherSpec() error { func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error { c := hs.c - raiseCFEvent(&cfEventHRR{serverSide: false}) - // The first ClientHello gets double-hashed into the transcript upon a // HelloRetryRequest. (The idea is that the server might offload transcript // storage to the client in the cookie.) See RFC 8446, Section 4.4.1. @@ -246,38 +233,21 @@ func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error { c.sendAlert(alertIllegalParameter) return errors.New("tls: server selected unsupported group") } - if clientKeySharePrivateCurveID(hs.keySharePrivate) == curveID { + if hs.ecdheParams.CurveID() == curveID { c.sendAlert(alertIllegalParameter) return errors.New("tls: server sent an unnecessary HelloRetryRequest key_share") } - if scheme := curveIdToCirclScheme(curveID); scheme != nil { - pk, sk, err := generateKemKeyPair(scheme, c.config.rand()) - if err != nil { - c.sendAlert(alertInternalError) - return fmt.Errorf("HRR generateKeyPair %s: %w", - scheme.Name(), err) - } - packedPk, err := pk.MarshalBinary() - if err != nil { - c.sendAlert(alertInternalError) - return fmt.Errorf("HRR pack circl public key %s: %w", - scheme.Name(), err) - } - hs.keySharePrivate = sk - hs.hello.keyShares = []keyShare{{group: curveID, data: packedPk}} - } else { - if _, ok := curveForCurveID(curveID); curveID != X25519 && !ok { - c.sendAlert(alertInternalError) - return errors.New("tls: CurvePreferences includes unsupported curve") - } - params, err := generateECDHEParameters(c.config.rand(), curveID) - if err != nil { - c.sendAlert(alertInternalError) - return err - } - hs.keySharePrivate = params - hs.hello.keyShares = []keyShare{{group: curveID, data: params.PublicKey()}} + if _, ok := curveForCurveID(curveID); curveID != X25519 && !ok { + c.sendAlert(alertInternalError) + return errors.New("tls: CurvePreferences includes unsupported curve") } + params, err := generateECDHEParameters(c.config.rand(), curveID) + if err != nil { + c.sendAlert(alertInternalError) + return err + } + hs.ecdheParams = params + hs.hello.keyShares = []keyShare{{group: curveID, data: params.PublicKey()}} } hs.hello.raw = nil @@ -363,7 +333,7 @@ func (hs *clientHandshakeStateTLS13) processServerHello() error { c.sendAlert(alertIllegalParameter) return errors.New("tls: server did not send a key share") } - if hs.serverHello.serverShare.group != clientKeySharePrivateCurveID(hs.keySharePrivate) { + if hs.serverHello.serverShare.group != hs.ecdheParams.CurveID() { c.sendAlert(alertIllegalParameter) return errors.New("tls: server selected unsupported group") } @@ -401,18 +371,7 @@ func (hs *clientHandshakeStateTLS13) processServerHello() error { func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error { c := hs.c - var sharedKey []byte - if params, ok := hs.keySharePrivate.(ecdheParameters); ok { - sharedKey = params.SharedKey(hs.serverHello.serverShare.data) - } else if sk, ok := hs.keySharePrivate.(circlKem.PrivateKey); ok { - var err error - sharedKey, err = sk.Scheme().Decapsulate(sk, hs.serverHello.serverShare.data) - if err != nil { - c.sendAlert(alertIllegalParameter) - return fmt.Errorf("%s decaps: %w", sk.Scheme().Name(), err) - } - } - + sharedKey := hs.ecdheParams.SharedKey(hs.serverHello.serverShare.data) if sharedKey == nil { c.sendAlert(alertIllegalParameter) return errors.New("tls: invalid server key share") diff --git a/vendor/github.com/quic-go/qtls-go1-19/handshake_server_tls13.go b/vendor/github.com/quic-go/qtls-go1-19/handshake_server_tls13.go index 9a2b46c1..c4706c44 100644 --- a/vendor/github.com/quic-go/qtls-go1-19/handshake_server_tls13.go +++ b/vendor/github.com/quic-go/qtls-go1-19/handshake_server_tls13.go @@ -11,7 +11,6 @@ import ( "crypto/hmac" "crypto/rsa" "errors" - "fmt" "hash" "io" "sync/atomic" @@ -47,8 +46,6 @@ type serverHandshakeStateTLS13 struct { func (hs *serverHandshakeStateTLS13) handshake() error { c := hs.c - startTime := time.Now() - if needFIPS() { return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode") } @@ -88,12 +85,6 @@ func (hs *serverHandshakeStateTLS13) handshake() error { return err } - raiseCFEvent(&cfEventHandshake{ - serverSide: true, - duration: time.Since(startTime), - kex: hs.hello.serverShare.group, - }) - atomic.StoreUint32(&c.handshakeStatus, 1) c.updateConnectionState() return nil @@ -208,27 +199,17 @@ GroupSelection: clientKeyShare = &hs.clientHello.keyShares[0] } - if _, ok := curveForCurveID(selectedGroup); selectedGroup != X25519 && curveIdToCirclScheme(selectedGroup) == nil && !ok { + if _, ok := curveForCurveID(selectedGroup); selectedGroup != X25519 && !ok { c.sendAlert(alertInternalError) return errors.New("tls: CurvePreferences includes unsupported curve") } - if kem := curveIdToCirclScheme(selectedGroup); kem != nil { - ct, ss, alert, err := encapsulateForKem(kem, c.config.rand(), clientKeyShare.data) - if err != nil { - c.sendAlert(alert) - return fmt.Errorf("%s encap: %w", kem.Name(), err) - } - hs.hello.serverShare = keyShare{group: selectedGroup, data: ct} - hs.sharedKey = ss - } else { - params, err := generateECDHEParameters(c.config.rand(), selectedGroup) - if err != nil { - c.sendAlert(alertInternalError) - return err - } - hs.hello.serverShare = keyShare{group: selectedGroup, data: params.PublicKey()} - hs.sharedKey = params.SharedKey(clientKeyShare.data) + params, err := generateECDHEParameters(c.config.rand(), selectedGroup) + if err != nil { + c.sendAlert(alertInternalError) + return err } + hs.hello.serverShare = keyShare{group: selectedGroup, data: params.PublicKey()} + hs.sharedKey = params.SharedKey(clientKeyShare.data) if hs.sharedKey == nil { c.sendAlert(alertIllegalParameter) return errors.New("tls: invalid client key share") @@ -458,8 +439,6 @@ func (hs *serverHandshakeStateTLS13) sendDummyChangeCipherSpec() error { func (hs *serverHandshakeStateTLS13) doHelloRetryRequest(selectedGroup CurveID) error { c := hs.c - raiseCFEvent(&cfEventHRR{serverSide: true}) - // The first ClientHello gets double-hashed into the transcript upon a // HelloRetryRequest. See RFC 8446, Section 4.4.1. if err := transcriptMsg(hs.clientHello, hs.transcript); err != nil { diff --git a/vendor/github.com/quic-go/qtls-go1-19/key_agreement.go b/vendor/github.com/quic-go/qtls-go1-19/key_agreement.go index 8a6fd692..453a8dcf 100644 --- a/vendor/github.com/quic-go/qtls-go1-19/key_agreement.go +++ b/vendor/github.com/quic-go/qtls-go1-19/key_agreement.go @@ -168,7 +168,7 @@ type ecdheKeyAgreement struct { func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) { var curveID CurveID for _, c := range clientHello.supportedCurves { - if config.supportsCurve(c) && curveIdToCirclScheme(c) == nil { + if config.supportsCurve(c) { curveID = c break } diff --git a/vendor/modules.txt b/vendor/modules.txt index d0ab96dd..4903f9e6 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -258,7 +258,7 @@ github.com/prometheus/common/model github.com/prometheus/procfs github.com/prometheus/procfs/internal/fs github.com/prometheus/procfs/internal/util -# github.com/quic-go/qtls-go1-19 v0.3.2 => github.com/cloudflare/qtls-pq v0.0.0-20230320123031-3faac1a945b2 +# github.com/quic-go/qtls-go1-19 v0.3.2 ## explicit; go 1.19 github.com/quic-go/qtls-go1-19 # github.com/quic-go/qtls-go1-20 v0.2.2 => github.com/cloudflare/qtls-pq v0.0.0-20230320122459-4ed280d0d633 @@ -577,5 +577,4 @@ zombiezen.com/go/capnproto2/std/capnp/rpc # github.com/prometheus/golang_client => github.com/prometheus/golang_client v1.12.1 # gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1 # github.com/quic-go/quic-go => github.com/devincarr/quic-go v0.0.0-20230502200822-d1f4edacbee7 -# github.com/quic-go/qtls-go1-19 => github.com/cloudflare/qtls-pq v0.0.0-20230320123031-3faac1a945b2 # github.com/quic-go/qtls-go1-20 => github.com/cloudflare/qtls-pq v0.0.0-20230320122459-4ed280d0d633 diff --git a/watcher/file_test.go b/watcher/file_test.go index 1c20e4b1..8896104d 100644 --- a/watcher/file_test.go +++ b/watcher/file_test.go @@ -1,5 +1,4 @@ //go:build !windows -// +build !windows package watcher