TUN-7584: Bump go 1.20.6
Pins all docker and cfsetup builds to a specific go patch version. Also ran go fix on repo.
This commit is contained in:
parent
5f3cfe044f
commit
65247b6f0f
|
@ -4,7 +4,7 @@ jobs:
|
||||||
check:
|
check:
|
||||||
strategy:
|
strategy:
|
||||||
matrix:
|
matrix:
|
||||||
go-version: [1.19.x]
|
go-version: [1.20.x]
|
||||||
os: [ubuntu-latest, macos-latest, windows-latest]
|
os: [ubuntu-latest, macos-latest, windows-latest]
|
||||||
runs-on: ${{ matrix.os }}
|
runs-on: ${{ matrix.os }}
|
||||||
steps:
|
steps:
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# use a builder image for building cloudflare
|
# use a builder image for building cloudflare
|
||||||
ARG TARGET_GOOS
|
ARG TARGET_GOOS
|
||||||
ARG TARGET_GOARCH
|
ARG TARGET_GOARCH
|
||||||
FROM golang:1.19 as builder
|
FROM golang:1.20.6 as builder
|
||||||
ENV GO111MODULE=on \
|
ENV GO111MODULE=on \
|
||||||
CGO_ENABLED=0 \
|
CGO_ENABLED=0 \
|
||||||
TARGET_GOOS=${TARGET_GOOS} \
|
TARGET_GOOS=${TARGET_GOOS} \
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
# use a builder image for building cloudflare
|
# use a builder image for building cloudflare
|
||||||
FROM golang:1.19 as builder
|
FROM golang:1.20.6 as builder
|
||||||
ENV GO111MODULE=on \
|
ENV GO111MODULE=on \
|
||||||
CGO_ENABLED=0
|
CGO_ENABLED=0
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
# use a builder image for building cloudflare
|
# use a builder image for building cloudflare
|
||||||
FROM golang:1.19 as builder
|
FROM golang:1.20.6 as builder
|
||||||
ENV GO111MODULE=on \
|
ENV GO111MODULE=on \
|
||||||
CGO_ENABLED=0
|
CGO_ENABLED=0
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
pinned_go: &pinned_go go=1.19.6-1
|
pinned_go: &pinned_go go=1.20.6-1
|
||||||
pinned_go_fips: &pinned_go_fips go-boring=1.19.6-1
|
pinned_go_fips: &pinned_go_fips go-boring=1.20.6-1
|
||||||
|
|
||||||
build_dir: &build_dir /cfsetup_build
|
build_dir: &build_dir /cfsetup_build
|
||||||
default-flavor: bullseye
|
default-flavor: bullseye
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
//go:build !windows && !darwin && !linux
|
//go:build !windows && !darwin && !linux
|
||||||
// +build !windows,!darwin,!linux
|
|
||||||
|
|
||||||
package main
|
package main
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
//go:build linux
|
//go:build linux
|
||||||
// +build linux
|
|
||||||
|
|
||||||
package main
|
package main
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
//go:build darwin
|
//go:build darwin
|
||||||
// +build darwin
|
|
||||||
|
|
||||||
package main
|
package main
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
//go:build ignore
|
//go:build ignore
|
||||||
// +build ignore
|
|
||||||
|
|
||||||
// TODO: Remove the above build tag and include this test when we start compiling with Golang 1.10.0+
|
// TODO: Remove the above build tag and include this test when we start compiling with Golang 1.10.0+
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
//go:build !windows
|
//go:build !windows
|
||||||
// +build !windows
|
|
||||||
|
|
||||||
package tunnel
|
package tunnel
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
//go:build !windows
|
//go:build !windows
|
||||||
// +build !windows
|
|
||||||
|
|
||||||
package updater
|
package updater
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
//go:build windows
|
//go:build windows
|
||||||
// +build windows
|
|
||||||
|
|
||||||
package main
|
package main
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
FROM golang:1.19 as builder
|
FROM golang:1.20.6 as builder
|
||||||
ENV GO111MODULE=on \
|
ENV GO111MODULE=on \
|
||||||
CGO_ENABLED=0
|
CGO_ENABLED=0
|
||||||
WORKDIR /go/src/github.com/cloudflare/cloudflared/
|
WORKDIR /go/src/github.com/cloudflare/cloudflared/
|
||||||
|
|
9
go.mod
9
go.mod
|
@ -1,6 +1,6 @@
|
||||||
module github.com/cloudflare/cloudflared
|
module github.com/cloudflare/cloudflared
|
||||||
|
|
||||||
go 1.19
|
go 1.20
|
||||||
|
|
||||||
require (
|
require (
|
||||||
github.com/cloudflare/golibs v0.0.0-20170913112048-333127dbecfc
|
github.com/cloudflare/golibs v0.0.0-20170913112048-333127dbecfc
|
||||||
|
@ -110,8 +110,5 @@ replace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1
|
||||||
replace github.com/quic-go/quic-go => github.com/devincarr/quic-go v0.0.0-20230502200822-d1f4edacbee7
|
replace github.com/quic-go/quic-go => github.com/devincarr/quic-go v0.0.0-20230502200822-d1f4edacbee7
|
||||||
|
|
||||||
// Post-quantum tunnel RTG-1339
|
// Post-quantum tunnel RTG-1339
|
||||||
replace (
|
// Branches go1.20 on github.com/cloudflare/qtls-pq
|
||||||
// Branches go1.19 go1.20 on github.com/cloudflare/qtls-pq
|
replace github.com/quic-go/qtls-go1-20 => github.com/cloudflare/qtls-pq v0.0.0-20230320122459-4ed280d0d633
|
||||||
github.com/quic-go/qtls-go1-19 => github.com/cloudflare/qtls-pq v0.0.0-20230320123031-3faac1a945b2
|
|
||||||
github.com/quic-go/qtls-go1-20 => github.com/cloudflare/qtls-pq v0.0.0-20230320122459-4ed280d0d633
|
|
||||||
)
|
|
||||||
|
|
4
go.sum
4
go.sum
|
@ -65,8 +65,6 @@ github.com/cloudflare/golibs v0.0.0-20170913112048-333127dbecfc h1:Dvk3ySBsOm5Ev
|
||||||
github.com/cloudflare/golibs v0.0.0-20170913112048-333127dbecfc/go.mod h1:HlgKKR8V5a1wroIDDIz3/A+T+9Janfq+7n1P5sEFdi0=
|
github.com/cloudflare/golibs v0.0.0-20170913112048-333127dbecfc/go.mod h1:HlgKKR8V5a1wroIDDIz3/A+T+9Janfq+7n1P5sEFdi0=
|
||||||
github.com/cloudflare/qtls-pq v0.0.0-20230320122459-4ed280d0d633 h1:ZTub2XMOBpxyBiJf6Q+UKqAi07yt1rZmFitriHvFd8M=
|
github.com/cloudflare/qtls-pq v0.0.0-20230320122459-4ed280d0d633 h1:ZTub2XMOBpxyBiJf6Q+UKqAi07yt1rZmFitriHvFd8M=
|
||||||
github.com/cloudflare/qtls-pq v0.0.0-20230320122459-4ed280d0d633/go.mod h1:j/igSUc4PgBMayIsBGjAFu2i7g663rm6kZrKy4htb7E=
|
github.com/cloudflare/qtls-pq v0.0.0-20230320122459-4ed280d0d633/go.mod h1:j/igSUc4PgBMayIsBGjAFu2i7g663rm6kZrKy4htb7E=
|
||||||
github.com/cloudflare/qtls-pq v0.0.0-20230320123031-3faac1a945b2 h1:0/KuLjh9lBMiXlooAdwoo+FbLVD5DABtquB0ImEFOK0=
|
|
||||||
github.com/cloudflare/qtls-pq v0.0.0-20230320123031-3faac1a945b2/go.mod h1:XzuZIjv4mF5cM205RHHW1d60PQtWGwMR6jx38YKuYHs=
|
|
||||||
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
|
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
|
||||||
github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
|
github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
|
||||||
github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
|
github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
|
||||||
|
@ -337,6 +335,8 @@ github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1
|
||||||
github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
|
github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
|
||||||
github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo=
|
github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo=
|
||||||
github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4=
|
github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4=
|
||||||
|
github.com/quic-go/qtls-go1-19 v0.3.2 h1:tFxjCFcTQzK+oMxG6Zcvp4Dq8dx4yD3dDiIiyc86Z5U=
|
||||||
|
github.com/quic-go/qtls-go1-19 v0.3.2/go.mod h1:ySOI96ew8lnoKPtSqx2BlI5wCpUVPT05RMAlajtnyOI=
|
||||||
github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
|
github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
|
||||||
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
|
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
|
||||||
github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
|
github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
//go:build !windows
|
//go:build !windows
|
||||||
// +build !windows
|
|
||||||
|
|
||||||
package proxy
|
package proxy
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
//go:build !windows
|
//go:build !windows
|
||||||
// +build !windows
|
|
||||||
|
|
||||||
package sshgen
|
package sshgen
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
//go:build darwin
|
//go:build darwin
|
||||||
// +build darwin
|
|
||||||
|
|
||||||
package token
|
package token
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
//go:build !windows && !darwin && !linux && !netbsd && !freebsd && !openbsd
|
//go:build !windows && !darwin && !linux && !netbsd && !freebsd && !openbsd
|
||||||
// +build !windows,!darwin,!linux,!netbsd,!freebsd,!openbsd
|
|
||||||
|
|
||||||
package token
|
package token
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
//go:build linux || freebsd || openbsd || netbsd
|
//go:build linux || freebsd || openbsd || netbsd
|
||||||
// +build linux freebsd openbsd netbsd
|
|
||||||
|
|
||||||
package token
|
package token
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
//go:build windows
|
//go:build windows
|
||||||
// +build windows
|
|
||||||
|
|
||||||
package token
|
package token
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
//go:build linux
|
//go:build linux
|
||||||
// +build linux
|
|
||||||
|
|
||||||
package token
|
package token
|
||||||
|
|
||||||
|
|
|
@ -1,170 +0,0 @@
|
||||||
// Copyright 2022 Cloudflare, Inc. All rights reserved. Use of this source code
|
|
||||||
// is governed by a BSD-style license that can be found in the LICENSE file.
|
|
||||||
//
|
|
||||||
// Glue to add Circl's (post-quantum) hybrid KEMs.
|
|
||||||
//
|
|
||||||
// To enable set CurvePreferences with the desired scheme as the first element:
|
|
||||||
//
|
|
||||||
// import (
|
|
||||||
// "github.com/cloudflare/circl/kem/tls"
|
|
||||||
// "github.com/cloudflare/circl/kem/hybrid"
|
|
||||||
//
|
|
||||||
// [...]
|
|
||||||
//
|
|
||||||
// config.CurvePreferences = []tls.CurveID{
|
|
||||||
// qtls.X25519Kyber512Draft00,
|
|
||||||
// qtls.X25519,
|
|
||||||
// qtls.P256,
|
|
||||||
// }
|
|
||||||
|
|
||||||
package qtls
|
|
||||||
|
|
||||||
import (
|
|
||||||
"github.com/cloudflare/circl/kem"
|
|
||||||
"github.com/cloudflare/circl/kem/hybrid"
|
|
||||||
|
|
||||||
"crypto/tls"
|
|
||||||
"fmt"
|
|
||||||
"io"
|
|
||||||
"sync"
|
|
||||||
"time"
|
|
||||||
)
|
|
||||||
|
|
||||||
// Either ecdheParameters or kem.PrivateKey
|
|
||||||
type clientKeySharePrivate interface{}
|
|
||||||
|
|
||||||
var (
|
|
||||||
X25519Kyber512Draft00 = CurveID(0xfe30)
|
|
||||||
X25519Kyber768Draft00 = CurveID(0xfe31)
|
|
||||||
invalidCurveID = CurveID(0)
|
|
||||||
)
|
|
||||||
|
|
||||||
func kemSchemeKeyToCurveID(s kem.Scheme) CurveID {
|
|
||||||
switch s.Name() {
|
|
||||||
case "Kyber512-X25519":
|
|
||||||
return X25519Kyber512Draft00
|
|
||||||
case "Kyber768-X25519":
|
|
||||||
return X25519Kyber768Draft00
|
|
||||||
default:
|
|
||||||
return invalidCurveID
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Extract CurveID from clientKeySharePrivate
|
|
||||||
func clientKeySharePrivateCurveID(ks clientKeySharePrivate) CurveID {
|
|
||||||
switch v := ks.(type) {
|
|
||||||
case kem.PrivateKey:
|
|
||||||
ret := kemSchemeKeyToCurveID(v.Scheme())
|
|
||||||
if ret == invalidCurveID {
|
|
||||||
panic("cfkem: internal error: don't know CurveID for this KEM")
|
|
||||||
}
|
|
||||||
return ret
|
|
||||||
case ecdheParameters:
|
|
||||||
return v.CurveID()
|
|
||||||
default:
|
|
||||||
panic("cfkem: internal error: unknown clientKeySharePrivate")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Returns scheme by CurveID if supported by Circl
|
|
||||||
func curveIdToCirclScheme(id CurveID) kem.Scheme {
|
|
||||||
switch id {
|
|
||||||
case X25519Kyber512Draft00:
|
|
||||||
return hybrid.Kyber512X25519()
|
|
||||||
case X25519Kyber768Draft00:
|
|
||||||
return hybrid.Kyber768X25519()
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// Generate a new shared secret and encapsulates it for the packed
|
|
||||||
// public key in ppk using randomness from rnd.
|
|
||||||
func encapsulateForKem(scheme kem.Scheme, rnd io.Reader, ppk []byte) (
|
|
||||||
ct, ss []byte, alert alert, err error) {
|
|
||||||
pk, err := scheme.UnmarshalBinaryPublicKey(ppk)
|
|
||||||
if err != nil {
|
|
||||||
return nil, nil, alertIllegalParameter, fmt.Errorf("unpack pk: %w", err)
|
|
||||||
}
|
|
||||||
seed := make([]byte, scheme.EncapsulationSeedSize())
|
|
||||||
if _, err := io.ReadFull(rnd, seed); err != nil {
|
|
||||||
return nil, nil, alertInternalError, fmt.Errorf("random: %w", err)
|
|
||||||
}
|
|
||||||
ct, ss, err = scheme.EncapsulateDeterministically(pk, seed)
|
|
||||||
return ct, ss, alertIllegalParameter, err
|
|
||||||
}
|
|
||||||
|
|
||||||
// Generate a new keypair using randomness from rnd.
|
|
||||||
func generateKemKeyPair(scheme kem.Scheme, rnd io.Reader) (
|
|
||||||
kem.PublicKey, kem.PrivateKey, error) {
|
|
||||||
seed := make([]byte, scheme.SeedSize())
|
|
||||||
if _, err := io.ReadFull(rnd, seed); err != nil {
|
|
||||||
return nil, nil, err
|
|
||||||
}
|
|
||||||
pk, sk := scheme.DeriveKeyPair(seed)
|
|
||||||
return pk, sk, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// Events. We cannot use the same approach as used in our plain Go fork
|
|
||||||
// as we cannot change tls.Config, tls.ConnectionState, etc. Also we do
|
|
||||||
// not want to maintain a fork of quic-go itself as well. This seems
|
|
||||||
// the simplest option.
|
|
||||||
|
|
||||||
// CFEvent. There are two events: one emitted on HRR and one emitted
|
|
||||||
type CFEvent interface {
|
|
||||||
// Common to all events
|
|
||||||
ServerSide() bool // true if server-side; false if on client-side
|
|
||||||
|
|
||||||
// HRR event. Emitted when an HRR happened.
|
|
||||||
IsHRR() bool // true if this is an HRR event
|
|
||||||
|
|
||||||
// Handshake event.
|
|
||||||
IsHandshake() bool // true if this is a handshake event.
|
|
||||||
Duration() time.Duration // how long did the handshake take?
|
|
||||||
KEX() tls.CurveID // which kex was established?
|
|
||||||
}
|
|
||||||
|
|
||||||
type CFEventHandler func(CFEvent)
|
|
||||||
|
|
||||||
// Registers a handler to be called when a CFEvent is emitted; returns
|
|
||||||
// the previous handler.
|
|
||||||
func SetCFEventHandler(handler CFEventHandler) CFEventHandler {
|
|
||||||
cfEventMux.Lock()
|
|
||||||
ret := cfEventHandler
|
|
||||||
cfEventHandler = handler
|
|
||||||
cfEventMux.Unlock()
|
|
||||||
return ret
|
|
||||||
}
|
|
||||||
|
|
||||||
func raiseCFEvent(ev CFEvent) {
|
|
||||||
cfEventMux.Lock()
|
|
||||||
handler := cfEventHandler
|
|
||||||
cfEventMux.Unlock()
|
|
||||||
if handler != nil {
|
|
||||||
handler(ev)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
var (
|
|
||||||
cfEventMux sync.Mutex
|
|
||||||
cfEventHandler CFEventHandler
|
|
||||||
)
|
|
||||||
|
|
||||||
type cfEventHRR struct{ serverSide bool }
|
|
||||||
|
|
||||||
func (*cfEventHRR) IsHRR() bool { return true }
|
|
||||||
func (ev *cfEventHRR) ServerSide() bool { return ev.serverSide }
|
|
||||||
func (*cfEventHRR) IsHandshake() bool { return false }
|
|
||||||
func (ev *cfEventHRR) Duration() time.Duration { panic("wrong event") }
|
|
||||||
func (ev *cfEventHRR) KEX() tls.CurveID { panic("wrong event") }
|
|
||||||
|
|
||||||
type cfEventHandshake struct {
|
|
||||||
serverSide bool
|
|
||||||
duration time.Duration
|
|
||||||
kex tls.CurveID
|
|
||||||
}
|
|
||||||
|
|
||||||
func (*cfEventHandshake) IsHRR() bool { return false }
|
|
||||||
func (ev *cfEventHandshake) ServerSide() bool { return ev.serverSide }
|
|
||||||
func (*cfEventHandshake) IsHandshake() bool { return true }
|
|
||||||
func (ev *cfEventHandshake) Duration() time.Duration { return ev.duration }
|
|
||||||
func (ev *cfEventHandshake) KEX() tls.CurveID { return ev.kex }
|
|
|
@ -40,7 +40,7 @@ type clientHandshakeState struct {
|
||||||
|
|
||||||
var testingOnlyForceClientHelloSignatureAlgorithms []SignatureScheme
|
var testingOnlyForceClientHelloSignatureAlgorithms []SignatureScheme
|
||||||
|
|
||||||
func (c *Conn) makeClientHello() (*clientHelloMsg, clientKeySharePrivate, error) {
|
func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) {
|
||||||
config := c.config
|
config := c.config
|
||||||
if len(config.ServerName) == 0 && !config.InsecureSkipVerify {
|
if len(config.ServerName) == 0 && !config.InsecureSkipVerify {
|
||||||
return nil, nil, errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
|
return nil, nil, errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
|
||||||
|
@ -142,8 +142,11 @@ func (c *Conn) makeClientHello() (*clientHelloMsg, clientKeySharePrivate, error)
|
||||||
hello.supportedSignatureAlgorithms = testingOnlyForceClientHelloSignatureAlgorithms
|
hello.supportedSignatureAlgorithms = testingOnlyForceClientHelloSignatureAlgorithms
|
||||||
}
|
}
|
||||||
|
|
||||||
var secret clientKeySharePrivate
|
var params ecdheParameters
|
||||||
if hello.supportedVersions[0] == VersionTLS13 {
|
if hello.supportedVersions[0] == VersionTLS13 {
|
||||||
|
if len(hello.supportedVersions) == 1 {
|
||||||
|
hello.cipherSuites = hello.cipherSuites[:0]
|
||||||
|
}
|
||||||
if hasAESGCMHardwareSupport {
|
if hasAESGCMHardwareSupport {
|
||||||
hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13...)
|
hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13...)
|
||||||
} else {
|
} else {
|
||||||
|
@ -151,37 +154,21 @@ func (c *Conn) makeClientHello() (*clientHelloMsg, clientKeySharePrivate, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
curveID := config.curvePreferences()[0]
|
curveID := config.curvePreferences()[0]
|
||||||
if scheme := curveIdToCirclScheme(curveID); scheme != nil {
|
if _, ok := curveForCurveID(curveID); curveID != X25519 && !ok {
|
||||||
pk, sk, err := generateKemKeyPair(scheme, config.rand())
|
return nil, nil, errors.New("tls: CurvePreferences includes unsupported curve")
|
||||||
if err != nil {
|
|
||||||
return nil, nil, fmt.Errorf("generateKemKeyPair %s: %w",
|
|
||||||
scheme.Name(), err)
|
|
||||||
}
|
|
||||||
packedPk, err := pk.MarshalBinary()
|
|
||||||
if err != nil {
|
|
||||||
return nil, nil, fmt.Errorf("pack circl public key %s: %w",
|
|
||||||
scheme.Name(), err)
|
|
||||||
}
|
|
||||||
hello.keyShares = []keyShare{{group: curveID, data: packedPk}}
|
|
||||||
secret = sk
|
|
||||||
} else {
|
|
||||||
if _, ok := curveForCurveID(curveID); curveID != X25519 && !ok {
|
|
||||||
return nil, nil, errors.New("tls: CurvePreferences includes unsupported curve")
|
|
||||||
}
|
|
||||||
params, err := generateECDHEParameters(config.rand(), curveID)
|
|
||||||
if err != nil {
|
|
||||||
return nil, nil, err
|
|
||||||
}
|
|
||||||
hello.keyShares = []keyShare{{group: curveID, data: params.PublicKey()}}
|
|
||||||
secret = params
|
|
||||||
}
|
}
|
||||||
|
params, err = generateECDHEParameters(config.rand(), curveID)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
hello.keyShares = []keyShare{{group: curveID, data: params.PublicKey()}}
|
||||||
}
|
}
|
||||||
|
|
||||||
if hello.supportedVersions[0] == VersionTLS13 && c.extraConfig != nil && c.extraConfig.GetExtensions != nil {
|
if hello.supportedVersions[0] == VersionTLS13 && c.extraConfig != nil && c.extraConfig.GetExtensions != nil {
|
||||||
hello.additionalExtensions = c.extraConfig.GetExtensions(typeClientHello)
|
hello.additionalExtensions = c.extraConfig.GetExtensions(typeClientHello)
|
||||||
}
|
}
|
||||||
|
|
||||||
return hello, secret, nil
|
return hello, params, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *Conn) clientHandshake(ctx context.Context) (err error) {
|
func (c *Conn) clientHandshake(ctx context.Context) (err error) {
|
||||||
|
@ -274,14 +261,14 @@ func (c *Conn) clientHandshake(ctx context.Context) (err error) {
|
||||||
|
|
||||||
if c.vers == VersionTLS13 {
|
if c.vers == VersionTLS13 {
|
||||||
hs := &clientHandshakeStateTLS13{
|
hs := &clientHandshakeStateTLS13{
|
||||||
c: c,
|
c: c,
|
||||||
ctx: ctx,
|
ctx: ctx,
|
||||||
serverHello: serverHello,
|
serverHello: serverHello,
|
||||||
hello: hello,
|
hello: hello,
|
||||||
keySharePrivate: ecdheParams,
|
ecdheParams: ecdheParams,
|
||||||
session: session,
|
session: session,
|
||||||
earlySecret: earlySecret,
|
earlySecret: earlySecret,
|
||||||
binderKey: binderKey,
|
binderKey: binderKey,
|
||||||
}
|
}
|
||||||
|
|
||||||
// In TLS 1.3, session tickets are delivered after the handshake.
|
// In TLS 1.3, session tickets are delivered after the handshake.
|
||||||
|
|
|
@ -12,12 +12,10 @@ import (
|
||||||
"crypto/rsa"
|
"crypto/rsa"
|
||||||
"encoding/binary"
|
"encoding/binary"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
|
||||||
"hash"
|
"hash"
|
||||||
"sync/atomic"
|
"sync/atomic"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
circlKem "github.com/cloudflare/circl/kem"
|
|
||||||
"golang.org/x/crypto/cryptobyte"
|
"golang.org/x/crypto/cryptobyte"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -26,8 +24,7 @@ type clientHandshakeStateTLS13 struct {
|
||||||
ctx context.Context
|
ctx context.Context
|
||||||
serverHello *serverHelloMsg
|
serverHello *serverHelloMsg
|
||||||
hello *clientHelloMsg
|
hello *clientHelloMsg
|
||||||
|
ecdheParams ecdheParameters
|
||||||
keySharePrivate clientKeySharePrivate
|
|
||||||
|
|
||||||
session *clientSessionState
|
session *clientSessionState
|
||||||
earlySecret []byte
|
earlySecret []byte
|
||||||
|
@ -47,8 +44,6 @@ type clientHandshakeStateTLS13 struct {
|
||||||
func (hs *clientHandshakeStateTLS13) handshake() error {
|
func (hs *clientHandshakeStateTLS13) handshake() error {
|
||||||
c := hs.c
|
c := hs.c
|
||||||
|
|
||||||
startTime := time.Now()
|
|
||||||
|
|
||||||
if needFIPS() {
|
if needFIPS() {
|
||||||
return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
|
return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
|
||||||
}
|
}
|
||||||
|
@ -61,7 +56,7 @@ func (hs *clientHandshakeStateTLS13) handshake() error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Consistency check on the presence of a keyShare and its parameters.
|
// Consistency check on the presence of a keyShare and its parameters.
|
||||||
if hs.keySharePrivate == nil || len(hs.hello.keyShares) != 1 {
|
if hs.ecdheParams == nil || len(hs.hello.keyShares) != 1 {
|
||||||
return c.sendAlert(alertInternalError)
|
return c.sendAlert(alertInternalError)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -119,12 +114,6 @@ func (hs *clientHandshakeStateTLS13) handshake() error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
raiseCFEvent(&cfEventHandshake{
|
|
||||||
serverSide: false,
|
|
||||||
duration: time.Since(startTime),
|
|
||||||
kex: hs.serverHello.serverShare.group,
|
|
||||||
})
|
|
||||||
|
|
||||||
atomic.StoreUint32(&c.handshakeStatus, 1)
|
atomic.StoreUint32(&c.handshakeStatus, 1)
|
||||||
c.updateConnectionState()
|
c.updateConnectionState()
|
||||||
return nil
|
return nil
|
||||||
|
@ -201,8 +190,6 @@ func (hs *clientHandshakeStateTLS13) sendDummyChangeCipherSpec() error {
|
||||||
func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error {
|
func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error {
|
||||||
c := hs.c
|
c := hs.c
|
||||||
|
|
||||||
raiseCFEvent(&cfEventHRR{serverSide: false})
|
|
||||||
|
|
||||||
// The first ClientHello gets double-hashed into the transcript upon a
|
// The first ClientHello gets double-hashed into the transcript upon a
|
||||||
// HelloRetryRequest. (The idea is that the server might offload transcript
|
// HelloRetryRequest. (The idea is that the server might offload transcript
|
||||||
// storage to the client in the cookie.) See RFC 8446, Section 4.4.1.
|
// storage to the client in the cookie.) See RFC 8446, Section 4.4.1.
|
||||||
|
@ -246,38 +233,21 @@ func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error {
|
||||||
c.sendAlert(alertIllegalParameter)
|
c.sendAlert(alertIllegalParameter)
|
||||||
return errors.New("tls: server selected unsupported group")
|
return errors.New("tls: server selected unsupported group")
|
||||||
}
|
}
|
||||||
if clientKeySharePrivateCurveID(hs.keySharePrivate) == curveID {
|
if hs.ecdheParams.CurveID() == curveID {
|
||||||
c.sendAlert(alertIllegalParameter)
|
c.sendAlert(alertIllegalParameter)
|
||||||
return errors.New("tls: server sent an unnecessary HelloRetryRequest key_share")
|
return errors.New("tls: server sent an unnecessary HelloRetryRequest key_share")
|
||||||
}
|
}
|
||||||
if scheme := curveIdToCirclScheme(curveID); scheme != nil {
|
if _, ok := curveForCurveID(curveID); curveID != X25519 && !ok {
|
||||||
pk, sk, err := generateKemKeyPair(scheme, c.config.rand())
|
c.sendAlert(alertInternalError)
|
||||||
if err != nil {
|
return errors.New("tls: CurvePreferences includes unsupported curve")
|
||||||
c.sendAlert(alertInternalError)
|
|
||||||
return fmt.Errorf("HRR generateKeyPair %s: %w",
|
|
||||||
scheme.Name(), err)
|
|
||||||
}
|
|
||||||
packedPk, err := pk.MarshalBinary()
|
|
||||||
if err != nil {
|
|
||||||
c.sendAlert(alertInternalError)
|
|
||||||
return fmt.Errorf("HRR pack circl public key %s: %w",
|
|
||||||
scheme.Name(), err)
|
|
||||||
}
|
|
||||||
hs.keySharePrivate = sk
|
|
||||||
hs.hello.keyShares = []keyShare{{group: curveID, data: packedPk}}
|
|
||||||
} else {
|
|
||||||
if _, ok := curveForCurveID(curveID); curveID != X25519 && !ok {
|
|
||||||
c.sendAlert(alertInternalError)
|
|
||||||
return errors.New("tls: CurvePreferences includes unsupported curve")
|
|
||||||
}
|
|
||||||
params, err := generateECDHEParameters(c.config.rand(), curveID)
|
|
||||||
if err != nil {
|
|
||||||
c.sendAlert(alertInternalError)
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
hs.keySharePrivate = params
|
|
||||||
hs.hello.keyShares = []keyShare{{group: curveID, data: params.PublicKey()}}
|
|
||||||
}
|
}
|
||||||
|
params, err := generateECDHEParameters(c.config.rand(), curveID)
|
||||||
|
if err != nil {
|
||||||
|
c.sendAlert(alertInternalError)
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
hs.ecdheParams = params
|
||||||
|
hs.hello.keyShares = []keyShare{{group: curveID, data: params.PublicKey()}}
|
||||||
}
|
}
|
||||||
|
|
||||||
hs.hello.raw = nil
|
hs.hello.raw = nil
|
||||||
|
@ -363,7 +333,7 @@ func (hs *clientHandshakeStateTLS13) processServerHello() error {
|
||||||
c.sendAlert(alertIllegalParameter)
|
c.sendAlert(alertIllegalParameter)
|
||||||
return errors.New("tls: server did not send a key share")
|
return errors.New("tls: server did not send a key share")
|
||||||
}
|
}
|
||||||
if hs.serverHello.serverShare.group != clientKeySharePrivateCurveID(hs.keySharePrivate) {
|
if hs.serverHello.serverShare.group != hs.ecdheParams.CurveID() {
|
||||||
c.sendAlert(alertIllegalParameter)
|
c.sendAlert(alertIllegalParameter)
|
||||||
return errors.New("tls: server selected unsupported group")
|
return errors.New("tls: server selected unsupported group")
|
||||||
}
|
}
|
||||||
|
@ -401,18 +371,7 @@ func (hs *clientHandshakeStateTLS13) processServerHello() error {
|
||||||
func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error {
|
func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error {
|
||||||
c := hs.c
|
c := hs.c
|
||||||
|
|
||||||
var sharedKey []byte
|
sharedKey := hs.ecdheParams.SharedKey(hs.serverHello.serverShare.data)
|
||||||
if params, ok := hs.keySharePrivate.(ecdheParameters); ok {
|
|
||||||
sharedKey = params.SharedKey(hs.serverHello.serverShare.data)
|
|
||||||
} else if sk, ok := hs.keySharePrivate.(circlKem.PrivateKey); ok {
|
|
||||||
var err error
|
|
||||||
sharedKey, err = sk.Scheme().Decapsulate(sk, hs.serverHello.serverShare.data)
|
|
||||||
if err != nil {
|
|
||||||
c.sendAlert(alertIllegalParameter)
|
|
||||||
return fmt.Errorf("%s decaps: %w", sk.Scheme().Name(), err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if sharedKey == nil {
|
if sharedKey == nil {
|
||||||
c.sendAlert(alertIllegalParameter)
|
c.sendAlert(alertIllegalParameter)
|
||||||
return errors.New("tls: invalid server key share")
|
return errors.New("tls: invalid server key share")
|
||||||
|
|
|
@ -11,7 +11,6 @@ import (
|
||||||
"crypto/hmac"
|
"crypto/hmac"
|
||||||
"crypto/rsa"
|
"crypto/rsa"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
|
||||||
"hash"
|
"hash"
|
||||||
"io"
|
"io"
|
||||||
"sync/atomic"
|
"sync/atomic"
|
||||||
|
@ -47,8 +46,6 @@ type serverHandshakeStateTLS13 struct {
|
||||||
func (hs *serverHandshakeStateTLS13) handshake() error {
|
func (hs *serverHandshakeStateTLS13) handshake() error {
|
||||||
c := hs.c
|
c := hs.c
|
||||||
|
|
||||||
startTime := time.Now()
|
|
||||||
|
|
||||||
if needFIPS() {
|
if needFIPS() {
|
||||||
return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
|
return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
|
||||||
}
|
}
|
||||||
|
@ -88,12 +85,6 @@ func (hs *serverHandshakeStateTLS13) handshake() error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
raiseCFEvent(&cfEventHandshake{
|
|
||||||
serverSide: true,
|
|
||||||
duration: time.Since(startTime),
|
|
||||||
kex: hs.hello.serverShare.group,
|
|
||||||
})
|
|
||||||
|
|
||||||
atomic.StoreUint32(&c.handshakeStatus, 1)
|
atomic.StoreUint32(&c.handshakeStatus, 1)
|
||||||
c.updateConnectionState()
|
c.updateConnectionState()
|
||||||
return nil
|
return nil
|
||||||
|
@ -208,27 +199,17 @@ GroupSelection:
|
||||||
clientKeyShare = &hs.clientHello.keyShares[0]
|
clientKeyShare = &hs.clientHello.keyShares[0]
|
||||||
}
|
}
|
||||||
|
|
||||||
if _, ok := curveForCurveID(selectedGroup); selectedGroup != X25519 && curveIdToCirclScheme(selectedGroup) == nil && !ok {
|
if _, ok := curveForCurveID(selectedGroup); selectedGroup != X25519 && !ok {
|
||||||
c.sendAlert(alertInternalError)
|
c.sendAlert(alertInternalError)
|
||||||
return errors.New("tls: CurvePreferences includes unsupported curve")
|
return errors.New("tls: CurvePreferences includes unsupported curve")
|
||||||
}
|
}
|
||||||
if kem := curveIdToCirclScheme(selectedGroup); kem != nil {
|
params, err := generateECDHEParameters(c.config.rand(), selectedGroup)
|
||||||
ct, ss, alert, err := encapsulateForKem(kem, c.config.rand(), clientKeyShare.data)
|
if err != nil {
|
||||||
if err != nil {
|
c.sendAlert(alertInternalError)
|
||||||
c.sendAlert(alert)
|
return err
|
||||||
return fmt.Errorf("%s encap: %w", kem.Name(), err)
|
|
||||||
}
|
|
||||||
hs.hello.serverShare = keyShare{group: selectedGroup, data: ct}
|
|
||||||
hs.sharedKey = ss
|
|
||||||
} else {
|
|
||||||
params, err := generateECDHEParameters(c.config.rand(), selectedGroup)
|
|
||||||
if err != nil {
|
|
||||||
c.sendAlert(alertInternalError)
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
hs.hello.serverShare = keyShare{group: selectedGroup, data: params.PublicKey()}
|
|
||||||
hs.sharedKey = params.SharedKey(clientKeyShare.data)
|
|
||||||
}
|
}
|
||||||
|
hs.hello.serverShare = keyShare{group: selectedGroup, data: params.PublicKey()}
|
||||||
|
hs.sharedKey = params.SharedKey(clientKeyShare.data)
|
||||||
if hs.sharedKey == nil {
|
if hs.sharedKey == nil {
|
||||||
c.sendAlert(alertIllegalParameter)
|
c.sendAlert(alertIllegalParameter)
|
||||||
return errors.New("tls: invalid client key share")
|
return errors.New("tls: invalid client key share")
|
||||||
|
@ -458,8 +439,6 @@ func (hs *serverHandshakeStateTLS13) sendDummyChangeCipherSpec() error {
|
||||||
func (hs *serverHandshakeStateTLS13) doHelloRetryRequest(selectedGroup CurveID) error {
|
func (hs *serverHandshakeStateTLS13) doHelloRetryRequest(selectedGroup CurveID) error {
|
||||||
c := hs.c
|
c := hs.c
|
||||||
|
|
||||||
raiseCFEvent(&cfEventHRR{serverSide: true})
|
|
||||||
|
|
||||||
// The first ClientHello gets double-hashed into the transcript upon a
|
// The first ClientHello gets double-hashed into the transcript upon a
|
||||||
// HelloRetryRequest. See RFC 8446, Section 4.4.1.
|
// HelloRetryRequest. See RFC 8446, Section 4.4.1.
|
||||||
if err := transcriptMsg(hs.clientHello, hs.transcript); err != nil {
|
if err := transcriptMsg(hs.clientHello, hs.transcript); err != nil {
|
||||||
|
|
|
@ -168,7 +168,7 @@ type ecdheKeyAgreement struct {
|
||||||
func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {
|
func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {
|
||||||
var curveID CurveID
|
var curveID CurveID
|
||||||
for _, c := range clientHello.supportedCurves {
|
for _, c := range clientHello.supportedCurves {
|
||||||
if config.supportsCurve(c) && curveIdToCirclScheme(c) == nil {
|
if config.supportsCurve(c) {
|
||||||
curveID = c
|
curveID = c
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
|
|
|
@ -258,7 +258,7 @@ github.com/prometheus/common/model
|
||||||
github.com/prometheus/procfs
|
github.com/prometheus/procfs
|
||||||
github.com/prometheus/procfs/internal/fs
|
github.com/prometheus/procfs/internal/fs
|
||||||
github.com/prometheus/procfs/internal/util
|
github.com/prometheus/procfs/internal/util
|
||||||
# github.com/quic-go/qtls-go1-19 v0.3.2 => github.com/cloudflare/qtls-pq v0.0.0-20230320123031-3faac1a945b2
|
# github.com/quic-go/qtls-go1-19 v0.3.2
|
||||||
## explicit; go 1.19
|
## explicit; go 1.19
|
||||||
github.com/quic-go/qtls-go1-19
|
github.com/quic-go/qtls-go1-19
|
||||||
# github.com/quic-go/qtls-go1-20 v0.2.2 => github.com/cloudflare/qtls-pq v0.0.0-20230320122459-4ed280d0d633
|
# github.com/quic-go/qtls-go1-20 v0.2.2 => github.com/cloudflare/qtls-pq v0.0.0-20230320122459-4ed280d0d633
|
||||||
|
@ -577,5 +577,4 @@ zombiezen.com/go/capnproto2/std/capnp/rpc
|
||||||
# github.com/prometheus/golang_client => github.com/prometheus/golang_client v1.12.1
|
# github.com/prometheus/golang_client => github.com/prometheus/golang_client v1.12.1
|
||||||
# gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1
|
# gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1
|
||||||
# github.com/quic-go/quic-go => github.com/devincarr/quic-go v0.0.0-20230502200822-d1f4edacbee7
|
# github.com/quic-go/quic-go => github.com/devincarr/quic-go v0.0.0-20230502200822-d1f4edacbee7
|
||||||
# github.com/quic-go/qtls-go1-19 => github.com/cloudflare/qtls-pq v0.0.0-20230320123031-3faac1a945b2
|
|
||||||
# github.com/quic-go/qtls-go1-20 => github.com/cloudflare/qtls-pq v0.0.0-20230320122459-4ed280d0d633
|
# github.com/quic-go/qtls-go1-20 => github.com/cloudflare/qtls-pq v0.0.0-20230320122459-4ed280d0d633
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
//go:build !windows
|
//go:build !windows
|
||||||
// +build !windows
|
|
||||||
|
|
||||||
package watcher
|
package watcher
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue