use go 1.12

Signed-off-by: hongming <talonwan@yunify.com>

vendor/github.com/lucas-clemente/quic-go/internal/handshake/cookie_generator.go

@@ -0,0 +1,99 @@
+package handshake
+
+import (
+	"encoding/asn1"
+	"fmt"
+	"net"
+	"time"
+)
+
+const (
+	cookiePrefixIP byte = iota
+	cookiePrefixString
+)
+
+// A Cookie is derived from the client address and can be used to verify the ownership of this address.
+type Cookie struct {
+	RemoteAddr string
+	// The time that the STK was issued (resolution 1 second)
+	SentTime time.Time
+}
+
+// token is the struct that is used for ASN1 serialization and deserialization
+type token struct {
+	Data      []byte
+	Timestamp int64
+}
+
+// A CookieGenerator generates Cookies
+type CookieGenerator struct {
+	cookieProtector cookieProtector
+}
+
+// NewCookieGenerator initializes a new CookieGenerator
+func NewCookieGenerator() (*CookieGenerator, error) {
+	cookieProtector, err := newCookieProtector()
+	if err != nil {
+		return nil, err
+	}
+	return &CookieGenerator{
+		cookieProtector: cookieProtector,
+	}, nil
+}
+
+// NewToken generates a new Cookie for a given source address
+func (g *CookieGenerator) NewToken(raddr net.Addr) ([]byte, error) {
+	data, err := asn1.Marshal(token{
+		Data:      encodeRemoteAddr(raddr),
+		Timestamp: time.Now().Unix(),
+	})
+	if err != nil {
+		return nil, err
+	}
+	return g.cookieProtector.NewToken(data)
+}
+
+// DecodeToken decodes a Cookie
+func (g *CookieGenerator) DecodeToken(encrypted []byte) (*Cookie, error) {
+	// if the client didn't send any Cookie, DecodeToken will be called with a nil-slice
+	if len(encrypted) == 0 {
+		return nil, nil
+	}
+
+	data, err := g.cookieProtector.DecodeToken(encrypted)
+	if err != nil {
+		return nil, err
+	}
+	t := &token{}
+	rest, err := asn1.Unmarshal(data, t)
+	if err != nil {
+		return nil, err
+	}
+	if len(rest) != 0 {
+		return nil, fmt.Errorf("rest when unpacking token: %d", len(rest))
+	}
+	return &Cookie{
+		RemoteAddr: decodeRemoteAddr(t.Data),
+		SentTime:   time.Unix(t.Timestamp, 0),
+	}, nil
+}
+
+// encodeRemoteAddr encodes a remote address such that it can be saved in the Cookie
+func encodeRemoteAddr(remoteAddr net.Addr) []byte {
+	if udpAddr, ok := remoteAddr.(*net.UDPAddr); ok {
+		return append([]byte{cookiePrefixIP}, udpAddr.IP...)
+	}
+	return append([]byte{cookiePrefixString}, []byte(remoteAddr.String())...)
+}
+
+// decodeRemoteAddr decodes the remote address saved in the Cookie
+func decodeRemoteAddr(data []byte) string {
+	// data will never be empty for a Cookie that we generated. Check it to be on the safe side
+	if len(data) == 0 {
+		return ""
+	}
+	if data[0] == cookiePrefixIP {
+		return net.IP(data[1:]).String()
+	}
+	return string(data[1:])
+}

vendor/github.com/lucas-clemente/quic-go/internal/handshake/cookie_protector.go

@@ -0,0 +1,86 @@
+package handshake
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"crypto/sha256"
+	"fmt"
+	"io"
+
+	"golang.org/x/crypto/hkdf"
+)
+
+// CookieProtector is used to create and verify a cookie
+type cookieProtector interface {
+	// NewToken creates a new token
+	NewToken([]byte) ([]byte, error)
+	// DecodeToken decodes a token
+	DecodeToken([]byte) ([]byte, error)
+}
+
+const (
+	cookieSecretSize = 32
+	cookieNonceSize  = 32
+)
+
+// cookieProtector is used to create and verify a cookie
+type cookieProtectorImpl struct {
+	secret []byte
+}
+
+// newCookieProtector creates a source for source address tokens
+func newCookieProtector() (cookieProtector, error) {
+	secret := make([]byte, cookieSecretSize)
+	if _, err := rand.Read(secret); err != nil {
+		return nil, err
+	}
+	return &cookieProtectorImpl{secret: secret}, nil
+}
+
+// NewToken encodes data into a new token.
+func (s *cookieProtectorImpl) NewToken(data []byte) ([]byte, error) {
+	nonce := make([]byte, cookieNonceSize)
+	if _, err := rand.Read(nonce); err != nil {
+		return nil, err
+	}
+	aead, aeadNonce, err := s.createAEAD(nonce)
+	if err != nil {
+		return nil, err
+	}
+	return append(nonce, aead.Seal(nil, aeadNonce, data, nil)...), nil
+}
+
+// DecodeToken decodes a token.
+func (s *cookieProtectorImpl) DecodeToken(p []byte) ([]byte, error) {
+	if len(p) < cookieNonceSize {
+		return nil, fmt.Errorf("Token too short: %d", len(p))
+	}
+	nonce := p[:cookieNonceSize]
+	aead, aeadNonce, err := s.createAEAD(nonce)
+	if err != nil {
+		return nil, err
+	}
+	return aead.Open(nil, aeadNonce, p[cookieNonceSize:], nil)
+}
+
+func (s *cookieProtectorImpl) createAEAD(nonce []byte) (cipher.AEAD, []byte, error) {
+	h := hkdf.New(sha256.New, s.secret, nonce, []byte("quic-go cookie source"))
+	key := make([]byte, 32) // use a 32 byte key, in order to select AES-256
+	if _, err := io.ReadFull(h, key); err != nil {
+		return nil, nil, err
+	}
+	aeadNonce := make([]byte, 12)
+	if _, err := io.ReadFull(h, aeadNonce); err != nil {
+		return nil, nil, err
+	}
+	c, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, nil, err
+	}
+	aead, err := cipher.NewGCM(c)
+	if err != nil {
+		return nil, nil, err
+	}
+	return aead, aeadNonce, nil
+}

vendor/github.com/lucas-clemente/quic-go/internal/handshake/crypto_setup_client.go

@@ -0,0 +1,542 @@
+package handshake
+
+import (
+	"bytes"
+	"crypto/rand"
+	"crypto/tls"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"io"
+	"sync"
+	"time"
+
+	"github.com/lucas-clemente/quic-go/internal/crypto"
+	"github.com/lucas-clemente/quic-go/internal/protocol"
+	"github.com/lucas-clemente/quic-go/internal/utils"
+	"github.com/lucas-clemente/quic-go/qerr"
+)
+
+type cryptoSetupClient struct {
+	mutex sync.RWMutex
+
+	hostname           string
+	connID             protocol.ConnectionID
+	version            protocol.VersionNumber
+	initialVersion     protocol.VersionNumber
+	negotiatedVersions []protocol.VersionNumber
+
+	cryptoStream io.ReadWriter
+
+	serverConfig *serverConfigClient
+
+	stk              []byte
+	sno              []byte
+	nonc             []byte
+	proof            []byte
+	chloForSignature []byte
+	lastSentCHLO     []byte
+	certManager      crypto.CertManager
+
+	divNonceChan         chan struct{}
+	diversificationNonce []byte
+
+	clientHelloCounter int
+	serverVerified     bool // has the certificate chain and the proof already been verified
+	keyDerivation      QuicCryptoKeyDerivationFunction
+
+	receivedSecurePacket bool
+	nullAEAD             crypto.AEAD
+	secureAEAD           crypto.AEAD
+	forwardSecureAEAD    crypto.AEAD
+
+	paramsChan     chan<- TransportParameters
+	handshakeEvent chan<- struct{}
+
+	params *TransportParameters
+
+	logger utils.Logger
+}
+
+var _ CryptoSetup = &cryptoSetupClient{}
+
+var (
+	errNoObitForClientNonce             = errors.New("CryptoSetup BUG: No OBIT for client nonce available")
+	errClientNonceAlreadyExists         = errors.New("CryptoSetup BUG: A client nonce was already generated")
+	errConflictingDiversificationNonces = errors.New("Received two different diversification nonces")
+)
+
+// NewCryptoSetupClient creates a new CryptoSetup instance for a client
+func NewCryptoSetupClient(
+	cryptoStream io.ReadWriter,
+	connID protocol.ConnectionID,
+	version protocol.VersionNumber,
+	tlsConf *tls.Config,
+	params *TransportParameters,
+	paramsChan chan<- TransportParameters,
+	handshakeEvent chan<- struct{},
+	initialVersion protocol.VersionNumber,
+	negotiatedVersions []protocol.VersionNumber,
+	logger utils.Logger,
+) (CryptoSetup, error) {
+	nullAEAD, err := crypto.NewNullAEAD(protocol.PerspectiveClient, connID, version)
+	if err != nil {
+		return nil, err
+	}
+	divNonceChan := make(chan struct{})
+	cs := &cryptoSetupClient{
+		cryptoStream:   cryptoStream,
+		hostname:       tlsConf.ServerName,
+		connID:         connID,
+		version:        version,
+		certManager:    crypto.NewCertManager(tlsConf),
+		params:         params,
+		keyDerivation:  crypto.DeriveQuicCryptoAESKeys,
+		nullAEAD:       nullAEAD,
+		paramsChan:     paramsChan,
+		handshakeEvent: handshakeEvent,
+		initialVersion: initialVersion,
+		// The server might have sent greased versions in the Version Negotiation packet.
+		// We need strip those from the list, since they won't be included in the handshake tag.
+		negotiatedVersions: protocol.StripGreasedVersions(negotiatedVersions),
+		divNonceChan:       divNonceChan,
+		logger:             logger,
+	}
+	return cs, nil
+}
+
+func (h *cryptoSetupClient) HandleCryptoStream() error {
+	messageChan := make(chan HandshakeMessage)
+	errorChan := make(chan error, 1)
+
+	go func() {
+		for {
+			message, err := ParseHandshakeMessage(h.cryptoStream)
+			if err != nil {
+				errorChan <- qerr.Error(qerr.HandshakeFailed, err.Error())
+				return
+			}
+			messageChan <- message
+		}
+	}()
+
+	for {
+		if err := h.maybeUpgradeCrypto(); err != nil {
+			return err
+		}
+
+		h.mutex.RLock()
+		sendCHLO := h.secureAEAD == nil
+		h.mutex.RUnlock()
+		if sendCHLO {
+			if err := h.sendCHLO(); err != nil {
+				return err
+			}
+		}
+
+		var message HandshakeMessage
+		select {
+		case <-h.divNonceChan:
+			// there's no message to process, but we should try upgrading the crypto again
+			continue
+		case message = <-messageChan:
+		case err := <-errorChan:
+			return err
+		}
+
+		h.logger.Debugf("Got %s", message)
+		switch message.Tag {
+		case TagREJ:
+			if err := h.handleREJMessage(message.Data); err != nil {
+				return err
+			}
+		case TagSHLO:
+			params, err := h.handleSHLOMessage(message.Data)
+			if err != nil {
+				return err
+			}
+			// blocks until the session has received the parameters
+			h.paramsChan <- *params
+			h.handshakeEvent <- struct{}{}
+			close(h.handshakeEvent)
+		default:
+			return qerr.InvalidCryptoMessageType
+		}
+	}
+}
+
+func (h *cryptoSetupClient) handleREJMessage(cryptoData map[Tag][]byte) error {
+	var err error
+
+	if stk, ok := cryptoData[TagSTK]; ok {
+		h.stk = stk
+	}
+
+	if sno, ok := cryptoData[TagSNO]; ok {
+		h.sno = sno
+	}
+
+	// TODO: what happens if the server sends a different server config in two packets?
+	if scfg, ok := cryptoData[TagSCFG]; ok {
+		h.serverConfig, err = parseServerConfig(scfg)
+		if err != nil {
+			return err
+		}
+
+		if h.serverConfig.IsExpired() {
+			return qerr.CryptoServerConfigExpired
+		}
+
+		// now that we have a server config, we can use its OBIT value to generate a client nonce
+		if len(h.nonc) == 0 {
+			err = h.generateClientNonce()
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	if proof, ok := cryptoData[TagPROF]; ok {
+		h.proof = proof
+		h.chloForSignature = h.lastSentCHLO
+	}
+
+	if crt, ok := cryptoData[TagCERT]; ok {
+		err := h.certManager.SetData(crt)
+		if err != nil {
+			return qerr.Error(qerr.InvalidCryptoMessageParameter, "Certificate data invalid")
+		}
+
+		err = h.certManager.Verify(h.hostname)
+		if err != nil {
+			h.logger.Infof("Certificate validation failed: %s", err.Error())
+			return qerr.ProofInvalid
+		}
+	}
+
+	if h.serverConfig != nil && len(h.proof) != 0 && h.certManager.GetLeafCert() != nil {
+		validProof := h.certManager.VerifyServerProof(h.proof, h.chloForSignature, h.serverConfig.Get())
+		if !validProof {
+			h.logger.Infof("Server proof verification failed")
+			return qerr.ProofInvalid
+		}
+
+		h.serverVerified = true
+	}
+
+	return nil
+}
+
+func (h *cryptoSetupClient) handleSHLOMessage(cryptoData map[Tag][]byte) (*TransportParameters, error) {
+	h.mutex.Lock()
+	defer h.mutex.Unlock()
+
+	if !h.receivedSecurePacket {
+		return nil, qerr.Error(qerr.CryptoEncryptionLevelIncorrect, "unencrypted SHLO message")
+	}
+
+	if sno, ok := cryptoData[TagSNO]; ok {
+		h.sno = sno
+	}
+
+	serverPubs, ok := cryptoData[TagPUBS]
+	if !ok {
+		return nil, qerr.Error(qerr.CryptoMessageParameterNotFound, "PUBS")
+	}
+
+	verTag, ok := cryptoData[TagVER]
+	if !ok {
+		return nil, qerr.Error(qerr.InvalidCryptoMessageParameter, "server hello missing version list")
+	}
+	if !h.validateVersionList(verTag) {
+		return nil, qerr.Error(qerr.VersionNegotiationMismatch, "Downgrade attack detected")
+	}
+
+	nonce := append(h.nonc, h.sno...)
+
+	ephermalSharedSecret, err := h.serverConfig.kex.CalculateSharedKey(serverPubs)
+	if err != nil {
+		return nil, err
+	}
+
+	leafCert := h.certManager.GetLeafCert()
+
+	h.forwardSecureAEAD, err = h.keyDerivation(
+		true,
+		ephermalSharedSecret,
+		nonce,
+		h.connID,
+		h.lastSentCHLO,
+		h.serverConfig.Get(),
+		leafCert,
+		nil,
+		protocol.PerspectiveClient,
+	)
+	if err != nil {
+		return nil, err
+	}
+	h.logger.Debugf("Creating AEAD for forward-secure encryption. Stopping to accept all lower encryption levels.")
+
+	params, err := readHelloMap(cryptoData)
+	if err != nil {
+		return nil, qerr.InvalidCryptoMessageParameter
+	}
+	return params, nil
+}
+
+func (h *cryptoSetupClient) validateVersionList(verTags []byte) bool {
+	numNegotiatedVersions := len(h.negotiatedVersions)
+	if numNegotiatedVersions == 0 {
+		return true
+	}
+	if len(verTags)%4 != 0 || len(verTags)/4 != numNegotiatedVersions {
+		return false
+	}
+
+	b := bytes.NewReader(verTags)
+	for i := 0; i < numNegotiatedVersions; i++ {
+		v, err := utils.BigEndian.ReadUint32(b)
+		if err != nil { // should never occur, since the length was already checked
+			return false
+		}
+		if protocol.VersionNumber(v) != h.negotiatedVersions[i] {
+			return false
+		}
+	}
+	return true
+}
+
+func (h *cryptoSetupClient) Open(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, protocol.EncryptionLevel, error) {
+	h.mutex.RLock()
+	defer h.mutex.RUnlock()
+
+	if h.forwardSecureAEAD != nil {
+		data, err := h.forwardSecureAEAD.Open(dst, src, packetNumber, associatedData)
+		if err == nil {
+			return data, protocol.EncryptionForwardSecure, nil
+		}
+		return nil, protocol.EncryptionUnspecified, err
+	}
+
+	if h.secureAEAD != nil {
+		data, err := h.secureAEAD.Open(dst, src, packetNumber, associatedData)
+		if err == nil {
+			h.logger.Debugf("Received first secure packet. Stopping to accept unencrypted packets.")
+			h.receivedSecurePacket = true
+			return data, protocol.EncryptionSecure, nil
+		}
+		if h.receivedSecurePacket {
+			return nil, protocol.EncryptionUnspecified, err
+		}
+	}
+	res, err := h.nullAEAD.Open(dst, src, packetNumber, associatedData)
+	if err != nil {
+		return nil, protocol.EncryptionUnspecified, err
+	}
+	return res, protocol.EncryptionUnencrypted, nil
+}
+
+func (h *cryptoSetupClient) GetSealer() (protocol.EncryptionLevel, Sealer) {
+	h.mutex.RLock()
+	defer h.mutex.RUnlock()
+	if h.forwardSecureAEAD != nil {
+		return protocol.EncryptionForwardSecure, h.forwardSecureAEAD
+	} else if h.secureAEAD != nil {
+		return protocol.EncryptionSecure, h.secureAEAD
+	} else {
+		return protocol.EncryptionUnencrypted, h.nullAEAD
+	}
+}
+
+func (h *cryptoSetupClient) GetSealerForCryptoStream() (protocol.EncryptionLevel, Sealer) {
+	return protocol.EncryptionUnencrypted, h.nullAEAD
+}
+
+func (h *cryptoSetupClient) GetSealerWithEncryptionLevel(encLevel protocol.EncryptionLevel) (Sealer, error) {
+	h.mutex.RLock()
+	defer h.mutex.RUnlock()
+
+	switch encLevel {
+	case protocol.EncryptionUnencrypted:
+		return h.nullAEAD, nil
+	case protocol.EncryptionSecure:
+		if h.secureAEAD == nil {
+			return nil, errors.New("CryptoSetupClient: no secureAEAD")
+		}
+		return h.secureAEAD, nil
+	case protocol.EncryptionForwardSecure:
+		if h.forwardSecureAEAD == nil {
+			return nil, errors.New("CryptoSetupClient: no forwardSecureAEAD")
+		}
+		return h.forwardSecureAEAD, nil
+	}
+	return nil, errors.New("CryptoSetupClient: no encryption level specified")
+}
+
+func (h *cryptoSetupClient) ConnectionState() ConnectionState {
+	h.mutex.Lock()
+	defer h.mutex.Unlock()
+	return ConnectionState{
+		HandshakeComplete: h.forwardSecureAEAD != nil,
+		PeerCertificates:  h.certManager.GetChain(),
+	}
+}
+
+func (h *cryptoSetupClient) SetDiversificationNonce(divNonce []byte) error {
+	h.mutex.Lock()
+	if len(h.diversificationNonce) > 0 {
+		defer h.mutex.Unlock()
+		if !bytes.Equal(h.diversificationNonce, divNonce) {
+			return errConflictingDiversificationNonces
+		}
+		return nil
+	}
+	h.diversificationNonce = divNonce
+	h.mutex.Unlock()
+	h.divNonceChan <- struct{}{}
+	return nil
+}
+
+func (h *cryptoSetupClient) sendCHLO() error {
+	h.clientHelloCounter++
+	if h.clientHelloCounter > protocol.MaxClientHellos {
+		return qerr.Error(qerr.CryptoTooManyRejects, fmt.Sprintf("More than %d rejects", protocol.MaxClientHellos))
+	}
+
+	b := &bytes.Buffer{}
+
+	tags, err := h.getTags()
+	if err != nil {
+		return err
+	}
+	h.addPadding(tags)
+	message := HandshakeMessage{
+		Tag:  TagCHLO,
+		Data: tags,
+	}
+
+	h.logger.Debugf("Sending %s", message)
+	message.Write(b)
+
+	_, err = h.cryptoStream.Write(b.Bytes())
+	if err != nil {
+		return err
+	}
+
+	h.lastSentCHLO = b.Bytes()
+	return nil
+}
+
+func (h *cryptoSetupClient) getTags() (map[Tag][]byte, error) {
+	tags := h.params.getHelloMap()
+	tags[TagSNI] = []byte(h.hostname)
+	tags[TagPDMD] = []byte("X509")
+
+	ccs := h.certManager.GetCommonCertificateHashes()
+	if len(ccs) > 0 {
+		tags[TagCCS] = ccs
+	}
+
+	versionTag := make([]byte, 4)
+	binary.BigEndian.PutUint32(versionTag, uint32(h.initialVersion))
+	tags[TagVER] = versionTag
+
+	if len(h.stk) > 0 {
+		tags[TagSTK] = h.stk
+	}
+	if len(h.sno) > 0 {
+		tags[TagSNO] = h.sno
+	}
+
+	if h.serverConfig != nil {
+		tags[TagSCID] = h.serverConfig.ID
+
+		leafCert := h.certManager.GetLeafCert()
+		if leafCert != nil {
+			certHash, _ := h.certManager.GetLeafCertHash()
+			xlct := make([]byte, 8)
+			binary.LittleEndian.PutUint64(xlct, certHash)
+
+			tags[TagNONC] = h.nonc
+			tags[TagXLCT] = xlct
+			tags[TagKEXS] = []byte("C255")
+			tags[TagAEAD] = []byte("AESG")
+			tags[TagPUBS] = h.serverConfig.kex.PublicKey() // TODO: check if 3 bytes need to be prepended
+		}
+	}
+
+	return tags, nil
+}
+
+// add a TagPAD to a tagMap, such that the total size will be bigger than the ClientHelloMinimumSize
+func (h *cryptoSetupClient) addPadding(tags map[Tag][]byte) {
+	var size int
+	for _, tag := range tags {
+		size += 8 + len(tag) // 4 bytes for the tag + 4 bytes for the offset + the length of the data
+	}
+	paddingSize := protocol.MinClientHelloSize - size
+	if paddingSize > 0 {
+		tags[TagPAD] = bytes.Repeat([]byte{0}, paddingSize)
+	}
+}
+
+func (h *cryptoSetupClient) maybeUpgradeCrypto() error {
+	if !h.serverVerified {
+		return nil
+	}
+
+	h.mutex.Lock()
+	defer h.mutex.Unlock()
+
+	leafCert := h.certManager.GetLeafCert()
+	if h.secureAEAD == nil && (h.serverConfig != nil && len(h.serverConfig.sharedSecret) > 0 && len(h.nonc) > 0 && len(leafCert) > 0 && len(h.diversificationNonce) > 0 && len(h.lastSentCHLO) > 0) {
+		var err error
+		var nonce []byte
+		if h.sno == nil {
+			nonce = h.nonc
+		} else {
+			nonce = append(h.nonc, h.sno...)
+		}
+
+		h.secureAEAD, err = h.keyDerivation(
+			false,
+			h.serverConfig.sharedSecret,
+			nonce,
+			h.connID,
+			h.lastSentCHLO,
+			h.serverConfig.Get(),
+			leafCert,
+			h.diversificationNonce,
+			protocol.PerspectiveClient,
+		)
+		if err != nil {
+			return err
+		}
+		h.logger.Debugf("Creating AEAD for secure encryption.")
+		h.handshakeEvent <- struct{}{}
+	}
+	return nil
+}
+
+func (h *cryptoSetupClient) generateClientNonce() error {
+	if len(h.nonc) > 0 {
+		return errClientNonceAlreadyExists
+	}
+
+	nonc := make([]byte, 32)
+	binary.BigEndian.PutUint32(nonc, uint32(time.Now().Unix()))
+
+	if len(h.serverConfig.obit) != 8 {
+		return errNoObitForClientNonce
+	}
+
+	copy(nonc[4:12], h.serverConfig.obit)
+
+	_, err := rand.Read(nonc[12:])
+	if err != nil {
+		return err
+	}
+
+	h.nonc = nonc
+	return nil
+}

vendor/github.com/lucas-clemente/quic-go/internal/handshake/crypto_setup_server.go

@@ -0,0 +1,467 @@
+package handshake
+
+import (
+	"bytes"
+	"crypto/rand"
+	"encoding/binary"
+	"errors"
+	"io"
+	"net"
+	"sync"
+
+	"github.com/lucas-clemente/quic-go/internal/crypto"
+	"github.com/lucas-clemente/quic-go/internal/protocol"
+	"github.com/lucas-clemente/quic-go/internal/utils"
+	"github.com/lucas-clemente/quic-go/qerr"
+)
+
+// QuicCryptoKeyDerivationFunction is used for key derivation
+type QuicCryptoKeyDerivationFunction func(forwardSecure bool, sharedSecret, nonces []byte, connID protocol.ConnectionID, chlo []byte, scfg []byte, cert []byte, divNonce []byte, pers protocol.Perspective) (crypto.AEAD, error)
+
+// KeyExchangeFunction is used to make a new KEX
+type KeyExchangeFunction func() (crypto.KeyExchange, error)
+
+// The CryptoSetupServer handles all things crypto for the Session
+type cryptoSetupServer struct {
+	mutex sync.RWMutex
+
+	connID               protocol.ConnectionID
+	remoteAddr           net.Addr
+	scfg                 *ServerConfig
+	diversificationNonce []byte
+
+	version           protocol.VersionNumber
+	supportedVersions []protocol.VersionNumber
+
+	acceptSTKCallback func(net.Addr, *Cookie) bool
+
+	nullAEAD                    crypto.AEAD
+	secureAEAD                  crypto.AEAD
+	forwardSecureAEAD           crypto.AEAD
+	receivedForwardSecurePacket bool
+	receivedSecurePacket        bool
+	sentSHLO                    chan struct{} // this channel is closed as soon as the SHLO has been written
+
+	receivedParams bool
+	paramsChan     chan<- TransportParameters
+	handshakeEvent chan<- struct{}
+
+	keyDerivation QuicCryptoKeyDerivationFunction
+	keyExchange   KeyExchangeFunction
+
+	cryptoStream io.ReadWriter
+
+	params *TransportParameters
+
+	sni string // need to fill out the ConnectionState
+
+	logger utils.Logger
+}
+
+var _ CryptoSetup = &cryptoSetupServer{}
+
+// ErrNSTPExperiment is returned when the client sends the NSTP tag in the CHLO.
+// This is an experiment implemented by Chrome in QUIC 38, which we don't support at this point.
+var ErrNSTPExperiment = qerr.Error(qerr.InvalidCryptoMessageParameter, "NSTP experiment. Unsupported")
+
+// NewCryptoSetup creates a new CryptoSetup instance for a server
+func NewCryptoSetup(
+	cryptoStream io.ReadWriter,
+	connID protocol.ConnectionID,
+	remoteAddr net.Addr,
+	version protocol.VersionNumber,
+	divNonce []byte,
+	scfg *ServerConfig,
+	params *TransportParameters,
+	supportedVersions []protocol.VersionNumber,
+	acceptSTK func(net.Addr, *Cookie) bool,
+	paramsChan chan<- TransportParameters,
+	handshakeEvent chan<- struct{},
+	logger utils.Logger,
+) (CryptoSetup, error) {
+	nullAEAD, err := crypto.NewNullAEAD(protocol.PerspectiveServer, connID, version)
+	if err != nil {
+		return nil, err
+	}
+	return &cryptoSetupServer{
+		cryptoStream:         cryptoStream,
+		connID:               connID,
+		remoteAddr:           remoteAddr,
+		version:              version,
+		supportedVersions:    supportedVersions,
+		diversificationNonce: divNonce,
+		scfg:                 scfg,
+		keyDerivation:        crypto.DeriveQuicCryptoAESKeys,
+		keyExchange:          getEphermalKEX,
+		nullAEAD:             nullAEAD,
+		params:               params,
+		acceptSTKCallback:    acceptSTK,
+		sentSHLO:             make(chan struct{}),
+		paramsChan:           paramsChan,
+		handshakeEvent:       handshakeEvent,
+		logger:               logger,
+	}, nil
+}
+
+// HandleCryptoStream reads and writes messages on the crypto stream
+func (h *cryptoSetupServer) HandleCryptoStream() error {
+	for {
+		var chloData bytes.Buffer
+		message, err := ParseHandshakeMessage(io.TeeReader(h.cryptoStream, &chloData))
+		if err != nil {
+			return qerr.HandshakeFailed
+		}
+		if message.Tag != TagCHLO {
+			return qerr.InvalidCryptoMessageType
+		}
+
+		h.logger.Debugf("Got %s", message)
+		done, err := h.handleMessage(chloData.Bytes(), message.Data)
+		if err != nil {
+			return err
+		}
+		if done {
+			return nil
+		}
+	}
+}
+
+func (h *cryptoSetupServer) handleMessage(chloData []byte, cryptoData map[Tag][]byte) (bool, error) {
+	if _, isNSTPExperiment := cryptoData[TagNSTP]; isNSTPExperiment {
+		return false, ErrNSTPExperiment
+	}
+
+	sniSlice, ok := cryptoData[TagSNI]
+	if !ok {
+		return false, qerr.Error(qerr.CryptoMessageParameterNotFound, "SNI required")
+	}
+	sni := string(sniSlice)
+	if sni == "" {
+		return false, qerr.Error(qerr.CryptoMessageParameterNotFound, "SNI required")
+	}
+	h.sni = sni
+
+	// prevent version downgrade attacks
+	// see https://groups.google.com/a/chromium.org/forum/#!topic/proto-quic/N-de9j63tCk for a discussion and examples
+	verSlice, ok := cryptoData[TagVER]
+	if !ok {
+		return false, qerr.Error(qerr.InvalidCryptoMessageParameter, "client hello missing version tag")
+	}
+	if len(verSlice) != 4 {
+		return false, qerr.Error(qerr.InvalidCryptoMessageParameter, "incorrect version tag")
+	}
+	ver := protocol.VersionNumber(binary.BigEndian.Uint32(verSlice))
+	// If the client's preferred version is not the version we are currently speaking, then the client went through a version negotiation.  In this case, we need to make sure that we actually do not support this version and that it wasn't a downgrade attack.
+	if ver != h.version && protocol.IsSupportedVersion(h.supportedVersions, ver) {
+		return false, qerr.Error(qerr.VersionNegotiationMismatch, "Downgrade attack detected")
+	}
+
+	var reply []byte
+	var err error
+
+	certUncompressed, err := h.scfg.certChain.GetLeafCert(sni)
+	if err != nil {
+		return false, err
+	}
+
+	params, err := readHelloMap(cryptoData)
+	if err != nil {
+		return false, err
+	}
+	// blocks until the session has received the parameters
+	if !h.receivedParams {
+		h.receivedParams = true
+		h.paramsChan <- *params
+	}
+
+	if !h.isInchoateCHLO(cryptoData, certUncompressed) {
+		// We have a CHLO with a proper server config ID, do a 0-RTT handshake
+		reply, err = h.handleCHLO(sni, chloData, cryptoData)
+		if err != nil {
+			return false, err
+		}
+		if _, err := h.cryptoStream.Write(reply); err != nil {
+			return false, err
+		}
+		h.handshakeEvent <- struct{}{}
+		close(h.sentSHLO)
+		return true, nil
+	}
+
+	// We have an inchoate or non-matching CHLO, we now send a rejection
+	reply, err = h.handleInchoateCHLO(sni, chloData, cryptoData)
+	if err != nil {
+		return false, err
+	}
+	_, err = h.cryptoStream.Write(reply)
+	return false, err
+}
+
+// Open a message
+func (h *cryptoSetupServer) Open(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, protocol.EncryptionLevel, error) {
+	h.mutex.RLock()
+	defer h.mutex.RUnlock()
+
+	if h.forwardSecureAEAD != nil {
+		res, err := h.forwardSecureAEAD.Open(dst, src, packetNumber, associatedData)
+		if err == nil {
+			if !h.receivedForwardSecurePacket { // this is the first forward secure packet we receive from the client
+				h.logger.Debugf("Received first forward-secure packet. Stopping to accept all lower encryption levels.")
+				h.receivedForwardSecurePacket = true
+				// wait for the send on the handshakeEvent chan
+				<-h.sentSHLO
+				close(h.handshakeEvent)
+			}
+			return res, protocol.EncryptionForwardSecure, nil
+		}
+		if h.receivedForwardSecurePacket {
+			return nil, protocol.EncryptionUnspecified, err
+		}
+	}
+	if h.secureAEAD != nil {
+		res, err := h.secureAEAD.Open(dst, src, packetNumber, associatedData)
+		if err == nil {
+			h.logger.Debugf("Received first secure packet. Stopping to accept unencrypted packets.")
+			h.receivedSecurePacket = true
+			return res, protocol.EncryptionSecure, nil
+		}
+		if h.receivedSecurePacket {
+			return nil, protocol.EncryptionUnspecified, err
+		}
+	}
+	res, err := h.nullAEAD.Open(dst, src, packetNumber, associatedData)
+	if err != nil {
+		return res, protocol.EncryptionUnspecified, err
+	}
+	return res, protocol.EncryptionUnencrypted, err
+}
+
+func (h *cryptoSetupServer) GetSealer() (protocol.EncryptionLevel, Sealer) {
+	h.mutex.RLock()
+	defer h.mutex.RUnlock()
+	if h.forwardSecureAEAD != nil {
+		return protocol.EncryptionForwardSecure, h.forwardSecureAEAD
+	}
+	return protocol.EncryptionUnencrypted, h.nullAEAD
+}
+
+func (h *cryptoSetupServer) GetSealerForCryptoStream() (protocol.EncryptionLevel, Sealer) {
+	h.mutex.RLock()
+	defer h.mutex.RUnlock()
+	if h.secureAEAD != nil {
+		return protocol.EncryptionSecure, h.secureAEAD
+	}
+	return protocol.EncryptionUnencrypted, h.nullAEAD
+}
+
+func (h *cryptoSetupServer) GetSealerWithEncryptionLevel(encLevel protocol.EncryptionLevel) (Sealer, error) {
+	h.mutex.RLock()
+	defer h.mutex.RUnlock()
+
+	switch encLevel {
+	case protocol.EncryptionUnencrypted:
+		return h.nullAEAD, nil
+	case protocol.EncryptionSecure:
+		if h.secureAEAD == nil {
+			return nil, errors.New("CryptoSetupServer: no secureAEAD")
+		}
+		return h.secureAEAD, nil
+	case protocol.EncryptionForwardSecure:
+		if h.forwardSecureAEAD == nil {
+			return nil, errors.New("CryptoSetupServer: no forwardSecureAEAD")
+		}
+		return h.forwardSecureAEAD, nil
+	}
+	return nil, errors.New("CryptoSetupServer: no encryption level specified")
+}
+
+func (h *cryptoSetupServer) isInchoateCHLO(cryptoData map[Tag][]byte, cert []byte) bool {
+	if _, ok := cryptoData[TagPUBS]; !ok {
+		return true
+	}
+	scid, ok := cryptoData[TagSCID]
+	if !ok || !bytes.Equal(h.scfg.ID, scid) {
+		return true
+	}
+	xlctTag, ok := cryptoData[TagXLCT]
+	if !ok || len(xlctTag) != 8 {
+		return true
+	}
+	xlct := binary.LittleEndian.Uint64(xlctTag)
+	if crypto.HashCert(cert) != xlct {
+		return true
+	}
+	return !h.acceptSTK(cryptoData[TagSTK])
+}
+
+func (h *cryptoSetupServer) acceptSTK(token []byte) bool {
+	stk, err := h.scfg.cookieGenerator.DecodeToken(token)
+	if err != nil {
+		h.logger.Debugf("STK invalid: %s", err.Error())
+		return false
+	}
+	return h.acceptSTKCallback(h.remoteAddr, stk)
+}
+
+func (h *cryptoSetupServer) handleInchoateCHLO(sni string, chlo []byte, cryptoData map[Tag][]byte) ([]byte, error) {
+	token, err := h.scfg.cookieGenerator.NewToken(h.remoteAddr)
+	if err != nil {
+		return nil, err
+	}
+
+	replyMap := map[Tag][]byte{
+		TagSCFG: h.scfg.Get(),
+		TagSTK:  token,
+		TagSVID: []byte("quic-go"),
+	}
+
+	if h.acceptSTK(cryptoData[TagSTK]) {
+		proof, err := h.scfg.Sign(sni, chlo)
+		if err != nil {
+			return nil, err
+		}
+
+		commonSetHashes := cryptoData[TagCCS]
+		cachedCertsHashes := cryptoData[TagCCRT]
+
+		certCompressed, err := h.scfg.GetCertsCompressed(sni, commonSetHashes, cachedCertsHashes)
+		if err != nil {
+			return nil, err
+		}
+		// Token was valid, send more details
+		replyMap[TagPROF] = proof
+		replyMap[TagCERT] = certCompressed
+	}
+
+	message := HandshakeMessage{
+		Tag:  TagREJ,
+		Data: replyMap,
+	}
+
+	var serverReply bytes.Buffer
+	message.Write(&serverReply)
+	h.logger.Debugf("Sending %s", message)
+	return serverReply.Bytes(), nil
+}
+
+func (h *cryptoSetupServer) handleCHLO(sni string, data []byte, cryptoData map[Tag][]byte) ([]byte, error) {
+	// We have a CHLO matching our server config, we can continue with the 0-RTT handshake
+	sharedSecret, err := h.scfg.kex.CalculateSharedKey(cryptoData[TagPUBS])
+	if err != nil {
+		return nil, err
+	}
+
+	h.mutex.Lock()
+	defer h.mutex.Unlock()
+
+	certUncompressed, err := h.scfg.certChain.GetLeafCert(sni)
+	if err != nil {
+		return nil, err
+	}
+
+	serverNonce := make([]byte, 32)
+	if _, err = rand.Read(serverNonce); err != nil {
+		return nil, err
+	}
+
+	clientNonce := cryptoData[TagNONC]
+	err = h.validateClientNonce(clientNonce)
+	if err != nil {
+		return nil, err
+	}
+
+	aead := cryptoData[TagAEAD]
+	if !bytes.Equal(aead, []byte("AESG")) {
+		return nil, qerr.Error(qerr.CryptoNoSupport, "Unsupported AEAD or KEXS")
+	}
+
+	kexs := cryptoData[TagKEXS]
+	if !bytes.Equal(kexs, []byte("C255")) {
+		return nil, qerr.Error(qerr.CryptoNoSupport, "Unsupported AEAD or KEXS")
+	}
+
+	h.secureAEAD, err = h.keyDerivation(
+		false,
+		sharedSecret,
+		clientNonce,
+		h.connID,
+		data,
+		h.scfg.Get(),
+		certUncompressed,
+		h.diversificationNonce,
+		protocol.PerspectiveServer,
+	)
+	if err != nil {
+		return nil, err
+	}
+	h.logger.Debugf("Creating AEAD for secure encryption.")
+	h.handshakeEvent <- struct{}{}
+
+	// Generate a new curve instance to derive the forward secure key
+	var fsNonce bytes.Buffer
+	fsNonce.Write(clientNonce)
+	fsNonce.Write(serverNonce)
+	ephermalKex, err := h.keyExchange()
+	if err != nil {
+		return nil, err
+	}
+	ephermalSharedSecret, err := ephermalKex.CalculateSharedKey(cryptoData[TagPUBS])
+	if err != nil {
+		return nil, err
+	}
+
+	h.forwardSecureAEAD, err = h.keyDerivation(
+		true,
+		ephermalSharedSecret,
+		fsNonce.Bytes(),
+		h.connID,
+		data,
+		h.scfg.Get(),
+		certUncompressed,
+		nil,
+		protocol.PerspectiveServer,
+	)
+	if err != nil {
+		return nil, err
+	}
+	h.logger.Debugf("Creating AEAD for forward-secure encryption.")
+
+	replyMap := h.params.getHelloMap()
+	// add crypto parameters
+	verTag := &bytes.Buffer{}
+	for _, v := range h.supportedVersions {
+		utils.BigEndian.WriteUint32(verTag, uint32(v))
+	}
+	replyMap[TagPUBS] = ephermalKex.PublicKey()
+	replyMap[TagSNO] = serverNonce
+	replyMap[TagVER] = verTag.Bytes()
+
+	// note that the SHLO *has* to fit into one packet
+	message := HandshakeMessage{
+		Tag:  TagSHLO,
+		Data: replyMap,
+	}
+	var reply bytes.Buffer
+	message.Write(&reply)
+	h.logger.Debugf("Sending %s", message)
+	return reply.Bytes(), nil
+}
+
+func (h *cryptoSetupServer) ConnectionState() ConnectionState {
+	h.mutex.Lock()
+	defer h.mutex.Unlock()
+	return ConnectionState{
+		ServerName:        h.sni,
+		HandshakeComplete: h.receivedForwardSecurePacket,
+	}
+}
+
+func (h *cryptoSetupServer) validateClientNonce(nonce []byte) error {
+	if len(nonce) != 32 {
+		return qerr.Error(qerr.InvalidCryptoMessageParameter, "invalid client nonce length")
+	}
+	if !bytes.Equal(nonce[4:12], h.scfg.obit) {
+		return qerr.Error(qerr.InvalidCryptoMessageParameter, "OBIT not matching")
+	}
+	return nil
+}

vendor/github.com/lucas-clemente/quic-go/internal/handshake/crypto_setup_tls.go

@@ -0,0 +1,163 @@
+package handshake
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"sync"
+
+	"github.com/bifurcation/mint"
+	"github.com/lucas-clemente/quic-go/internal/crypto"
+	"github.com/lucas-clemente/quic-go/internal/protocol"
+)
+
+// KeyDerivationFunction is used for key derivation
+type KeyDerivationFunction func(crypto.TLSExporter, protocol.Perspective) (crypto.AEAD, error)
+
+type cryptoSetupTLS struct {
+	mutex sync.RWMutex
+
+	perspective protocol.Perspective
+
+	keyDerivation KeyDerivationFunction
+	nullAEAD      crypto.AEAD
+	aead          crypto.AEAD
+
+	tls            mintTLS
+	conn           *cryptoStreamConn
+	handshakeEvent chan<- struct{}
+}
+
+var _ CryptoSetupTLS = &cryptoSetupTLS{}
+
+// NewCryptoSetupTLSServer creates a new TLS CryptoSetup instance for a server
+func NewCryptoSetupTLSServer(
+	cryptoStream io.ReadWriter,
+	connID protocol.ConnectionID,
+	config *mint.Config,
+	handshakeEvent chan<- struct{},
+	version protocol.VersionNumber,
+) (CryptoSetupTLS, error) {
+	nullAEAD, err := crypto.NewNullAEAD(protocol.PerspectiveServer, connID, version)
+	if err != nil {
+		return nil, err
+	}
+	conn := newCryptoStreamConn(cryptoStream)
+	tls := mint.Server(conn, config)
+	return &cryptoSetupTLS{
+		tls:            tls,
+		conn:           conn,
+		nullAEAD:       nullAEAD,
+		perspective:    protocol.PerspectiveServer,
+		keyDerivation:  crypto.DeriveAESKeys,
+		handshakeEvent: handshakeEvent,
+	}, nil
+}
+
+// NewCryptoSetupTLSClient creates a new TLS CryptoSetup instance for a client
+func NewCryptoSetupTLSClient(
+	cryptoStream io.ReadWriter,
+	connID protocol.ConnectionID,
+	config *mint.Config,
+	handshakeEvent chan<- struct{},
+	version protocol.VersionNumber,
+) (CryptoSetupTLS, error) {
+	nullAEAD, err := crypto.NewNullAEAD(protocol.PerspectiveClient, connID, version)
+	if err != nil {
+		return nil, err
+	}
+	conn := newCryptoStreamConn(cryptoStream)
+	tls := mint.Client(conn, config)
+	return &cryptoSetupTLS{
+		tls:            tls,
+		conn:           conn,
+		perspective:    protocol.PerspectiveClient,
+		nullAEAD:       nullAEAD,
+		keyDerivation:  crypto.DeriveAESKeys,
+		handshakeEvent: handshakeEvent,
+	}, nil
+}
+
+func (h *cryptoSetupTLS) HandleCryptoStream() error {
+	for {
+		if alert := h.tls.Handshake(); alert != mint.AlertNoAlert {
+			return fmt.Errorf("TLS handshake error: %s (Alert %d)", alert.String(), alert)
+		}
+		state := h.tls.ConnectionState().HandshakeState
+		if err := h.conn.Flush(); err != nil {
+			return err
+		}
+		if state == mint.StateClientConnected || state == mint.StateServerConnected {
+			break
+		}
+	}
+
+	aead, err := h.keyDerivation(h.tls, h.perspective)
+	if err != nil {
+		return err
+	}
+	h.mutex.Lock()
+	h.aead = aead
+	h.mutex.Unlock()
+
+	h.handshakeEvent <- struct{}{}
+	close(h.handshakeEvent)
+	return nil
+}
+
+func (h *cryptoSetupTLS) OpenHandshake(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, error) {
+	return h.nullAEAD.Open(dst, src, packetNumber, associatedData)
+}
+
+func (h *cryptoSetupTLS) Open1RTT(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, error) {
+	h.mutex.RLock()
+	defer h.mutex.RUnlock()
+
+	if h.aead == nil {
+		return nil, errors.New("no 1-RTT sealer")
+	}
+	return h.aead.Open(dst, src, packetNumber, associatedData)
+}
+
+func (h *cryptoSetupTLS) GetSealer() (protocol.EncryptionLevel, Sealer) {
+	h.mutex.RLock()
+	defer h.mutex.RUnlock()
+
+	if h.aead != nil {
+		return protocol.EncryptionForwardSecure, h.aead
+	}
+	return protocol.EncryptionUnencrypted, h.nullAEAD
+}
+
+func (h *cryptoSetupTLS) GetSealerWithEncryptionLevel(encLevel protocol.EncryptionLevel) (Sealer, error) {
+	errNoSealer := fmt.Errorf("CryptoSetup: no sealer with encryption level %s", encLevel.String())
+	h.mutex.RLock()
+	defer h.mutex.RUnlock()
+
+	switch encLevel {
+	case protocol.EncryptionUnencrypted:
+		return h.nullAEAD, nil
+	case protocol.EncryptionForwardSecure:
+		if h.aead == nil {
+			return nil, errNoSealer
+		}
+		return h.aead, nil
+	default:
+		return nil, errNoSealer
+	}
+}
+
+func (h *cryptoSetupTLS) GetSealerForCryptoStream() (protocol.EncryptionLevel, Sealer) {
+	return protocol.EncryptionUnencrypted, h.nullAEAD
+}
+
+func (h *cryptoSetupTLS) ConnectionState() ConnectionState {
+	h.mutex.Lock()
+	defer h.mutex.Unlock()
+	mintConnState := h.tls.ConnectionState()
+	return ConnectionState{
+		// TODO: set the ServerName, once mint exports it
+		HandshakeComplete: h.aead != nil,
+		PeerCertificates:  mintConnState.PeerCertificates,
+	}
+}

vendor/github.com/lucas-clemente/quic-go/internal/handshake/crypto_stream_conn.go

@@ -0,0 +1,69 @@
+package handshake
+
+import (
+	"bytes"
+	"io"
+	"net"
+	"time"
+)
+
+type cryptoStreamConn struct {
+	buffer *bytes.Buffer
+	stream io.ReadWriter
+}
+
+var _ net.Conn = &cryptoStreamConn{}
+
+func newCryptoStreamConn(stream io.ReadWriter) *cryptoStreamConn {
+	return &cryptoStreamConn{
+		stream: stream,
+		buffer: &bytes.Buffer{},
+	}
+}
+
+func (c *cryptoStreamConn) Read(b []byte) (int, error) {
+	return c.stream.Read(b)
+}
+
+func (c *cryptoStreamConn) Write(p []byte) (int, error) {
+	return c.buffer.Write(p)
+}
+
+func (c *cryptoStreamConn) Flush() error {
+	if c.buffer.Len() == 0 {
+		return nil
+	}
+	_, err := c.stream.Write(c.buffer.Bytes())
+	c.buffer.Reset()
+	return err
+}
+
+// Close is not implemented
+func (c *cryptoStreamConn) Close() error {
+	return nil
+}
+
+// LocalAddr is not implemented
+func (c *cryptoStreamConn) LocalAddr() net.Addr {
+	return nil
+}
+
+// RemoteAddr is not implemented
+func (c *cryptoStreamConn) RemoteAddr() net.Addr {
+	return nil
+}
+
+// SetReadDeadline is not implemented
+func (c *cryptoStreamConn) SetReadDeadline(time.Time) error {
+	return nil
+}
+
+// SetWriteDeadline is not implemented
+func (c *cryptoStreamConn) SetWriteDeadline(time.Time) error {
+	return nil
+}
+
+// SetDeadline is not implemented
+func (c *cryptoStreamConn) SetDeadline(time.Time) error {
+	return nil
+}

vendor/github.com/lucas-clemente/quic-go/internal/handshake/ephermal_cache.go

@@ -0,0 +1,48 @@
+package handshake
+
+import (
+	"sync"
+	"time"
+
+	"github.com/lucas-clemente/quic-go/internal/crypto"
+	"github.com/lucas-clemente/quic-go/internal/protocol"
+)
+
+var (
+	kexLifetime    = protocol.EphermalKeyLifetime
+	kexCurrent     crypto.KeyExchange
+	kexCurrentTime time.Time
+	kexMutex       sync.RWMutex
+)
+
+// getEphermalKEX returns the currently active KEX, which changes every protocol.EphermalKeyLifetime
+// See the explanation from the QUIC crypto doc:
+//
+// A single connection is the usual scope for forward security, but the security
+// difference between an ephemeral key used for a single connection, and one
+// used for all connections for 60 seconds is negligible. Thus we can amortise
+// the Diffie-Hellman key generation at the server over all the connections in a
+// small time span.
+func getEphermalKEX() (crypto.KeyExchange, error) {
+	kexMutex.RLock()
+	res := kexCurrent
+	t := kexCurrentTime
+	kexMutex.RUnlock()
+	if res != nil && time.Since(t) < kexLifetime {
+		return res, nil
+	}
+
+	kexMutex.Lock()
+	defer kexMutex.Unlock()
+	// Check if still unfulfilled
+	if kexCurrent == nil || time.Since(kexCurrentTime) >= kexLifetime {
+		kex, err := crypto.NewCurve25519KEX()
+		if err != nil {
+			return nil, err
+		}
+		kexCurrent = kex
+		kexCurrentTime = time.Now()
+		return kexCurrent, nil
+	}
+	return kexCurrent, nil
+}

vendor/github.com/lucas-clemente/quic-go/internal/handshake/handshake_message.go

@@ -0,0 +1,137 @@
+package handshake
+
+import (
+	"bytes"
+	"encoding/binary"
+	"fmt"
+	"io"
+	"sort"
+
+	"github.com/lucas-clemente/quic-go/internal/protocol"
+	"github.com/lucas-clemente/quic-go/internal/utils"
+	"github.com/lucas-clemente/quic-go/qerr"
+)
+
+// A HandshakeMessage is a handshake message
+type HandshakeMessage struct {
+	Tag  Tag
+	Data map[Tag][]byte
+}
+
+var _ fmt.Stringer = &HandshakeMessage{}
+
+// ParseHandshakeMessage reads a crypto message
+func ParseHandshakeMessage(r io.Reader) (HandshakeMessage, error) {
+	slice4 := make([]byte, 4)
+
+	if _, err := io.ReadFull(r, slice4); err != nil {
+		return HandshakeMessage{}, err
+	}
+	messageTag := Tag(binary.LittleEndian.Uint32(slice4))
+
+	if _, err := io.ReadFull(r, slice4); err != nil {
+		return HandshakeMessage{}, err
+	}
+	nPairs := binary.LittleEndian.Uint32(slice4)
+
+	if nPairs > protocol.CryptoMaxParams {
+		return HandshakeMessage{}, qerr.CryptoTooManyEntries
+	}
+
+	index := make([]byte, nPairs*8)
+	if _, err := io.ReadFull(r, index); err != nil {
+		return HandshakeMessage{}, err
+	}
+
+	resultMap := map[Tag][]byte{}
+
+	var dataStart uint32
+	for indexPos := 0; indexPos < int(nPairs)*8; indexPos += 8 {
+		tag := Tag(binary.LittleEndian.Uint32(index[indexPos : indexPos+4]))
+		dataEnd := binary.LittleEndian.Uint32(index[indexPos+4 : indexPos+8])
+
+		dataLen := dataEnd - dataStart
+		if dataLen > protocol.CryptoParameterMaxLength {
+			return HandshakeMessage{}, qerr.Error(qerr.CryptoInvalidValueLength, "value too long")
+		}
+
+		data := make([]byte, dataLen)
+		if _, err := io.ReadFull(r, data); err != nil {
+			return HandshakeMessage{}, err
+		}
+
+		resultMap[tag] = data
+		dataStart = dataEnd
+	}
+
+	return HandshakeMessage{
+		Tag:  messageTag,
+		Data: resultMap}, nil
+}
+
+// Write writes a crypto message
+func (h HandshakeMessage) Write(b *bytes.Buffer) {
+	data := h.Data
+	utils.LittleEndian.WriteUint32(b, uint32(h.Tag))
+	utils.LittleEndian.WriteUint16(b, uint16(len(data)))
+	utils.LittleEndian.WriteUint16(b, 0)
+
+	// Save current position in the buffer, so that we can update the index in-place later
+	indexStart := b.Len()
+
+	indexData := make([]byte, 8*len(data))
+	b.Write(indexData) // Will be updated later
+
+	offset := uint32(0)
+	for i, t := range h.getTagsSorted() {
+		v := data[t]
+		b.Write(v)
+		offset += uint32(len(v))
+		binary.LittleEndian.PutUint32(indexData[i*8:], uint32(t))
+		binary.LittleEndian.PutUint32(indexData[i*8+4:], offset)
+	}
+
+	// Now we write the index data for real
+	copy(b.Bytes()[indexStart:], indexData)
+}
+
+func (h *HandshakeMessage) getTagsSorted() []Tag {
+	tags := make([]Tag, len(h.Data))
+	i := 0
+	for t := range h.Data {
+		tags[i] = t
+		i++
+	}
+	sort.Slice(tags, func(i, j int) bool {
+		return tags[i] < tags[j]
+	})
+	return tags
+}
+
+func (h HandshakeMessage) String() string {
+	var pad string
+	res := tagToString(h.Tag) + ":\n"
+	for _, tag := range h.getTagsSorted() {
+		if tag == TagPAD {
+			pad = fmt.Sprintf("\t%s: (%d bytes)\n", tagToString(tag), len(h.Data[tag]))
+		} else {
+			res += fmt.Sprintf("\t%s: %#v\n", tagToString(tag), string(h.Data[tag]))
+		}
+	}
+
+	if len(pad) > 0 {
+		res += pad
+	}
+	return res
+}
+
+func tagToString(tag Tag) string {
+	b := make([]byte, 4)
+	binary.LittleEndian.PutUint32(b, uint32(tag))
+	for i := range b {
+		if b[i] == 0 {
+			b[i] = ' '
+		}
+	}
+	return string(b)
+}

vendor/github.com/lucas-clemente/quic-go/internal/handshake/interface.go

@@ -0,0 +1,61 @@
+package handshake
+
+import (
+	"crypto/x509"
+
+	"github.com/bifurcation/mint"
+	"github.com/lucas-clemente/quic-go/internal/crypto"
+	"github.com/lucas-clemente/quic-go/internal/protocol"
+)
+
+// Sealer seals a packet
+type Sealer interface {
+	Seal(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) []byte
+	Overhead() int
+}
+
+// mintTLS combines some methods needed to interact with mint.
+type mintTLS interface {
+	crypto.TLSExporter
+	Handshake() mint.Alert
+}
+
+// A TLSExtensionHandler sends and received the QUIC TLS extension.
+// It provides the parameters sent by the peer on a channel.
+type TLSExtensionHandler interface {
+	Send(mint.HandshakeType, *mint.ExtensionList) error
+	Receive(mint.HandshakeType, *mint.ExtensionList) error
+	GetPeerParams() <-chan TransportParameters
+}
+
+type baseCryptoSetup interface {
+	HandleCryptoStream() error
+	ConnectionState() ConnectionState
+
+	GetSealer() (protocol.EncryptionLevel, Sealer)
+	GetSealerWithEncryptionLevel(protocol.EncryptionLevel) (Sealer, error)
+	GetSealerForCryptoStream() (protocol.EncryptionLevel, Sealer)
+}
+
+// CryptoSetup is the crypto setup used by gQUIC
+type CryptoSetup interface {
+	baseCryptoSetup
+
+	Open(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, protocol.EncryptionLevel, error)
+}
+
+// CryptoSetupTLS is the crypto setup used by IETF QUIC
+type CryptoSetupTLS interface {
+	baseCryptoSetup
+
+	OpenHandshake(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, error)
+	Open1RTT(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, error)
+}
+
+// ConnectionState records basic details about the QUIC connection.
+// Warning: This API should not be considered stable and might change soon.
+type ConnectionState struct {
+	HandshakeComplete bool                // handshake is complete
+	ServerName        string              // server name requested by client, if any (server side only)
+	PeerCertificates  []*x509.Certificate // certificate chain presented by remote peer
+}

vendor/github.com/lucas-clemente/quic-go/internal/handshake/mockgen.go

@@ -0,0 +1,3 @@
+package handshake
+
+//go:generate sh -c "../mockgen_internal.sh handshake mock_mint_tls_test.go github.com/lucas-clemente/quic-go/internal/handshake mintTLS"

vendor/github.com/lucas-clemente/quic-go/internal/handshake/server_config.go

@@ -0,0 +1,73 @@
+package handshake
+
+import (
+	"bytes"
+	"crypto/rand"
+
+	"github.com/lucas-clemente/quic-go/internal/crypto"
+)
+
+// ServerConfig is a server config
+type ServerConfig struct {
+	kex             crypto.KeyExchange
+	certChain       crypto.CertChain
+	ID              []byte
+	obit            []byte
+	cookieGenerator *CookieGenerator
+}
+
+// NewServerConfig creates a new server config
+func NewServerConfig(kex crypto.KeyExchange, certChain crypto.CertChain) (*ServerConfig, error) {
+	id := make([]byte, 16)
+	_, err := rand.Read(id)
+	if err != nil {
+		return nil, err
+	}
+
+	obit := make([]byte, 8)
+	if _, err = rand.Read(obit); err != nil {
+		return nil, err
+	}
+
+	cookieGenerator, err := NewCookieGenerator()
+
+	if err != nil {
+		return nil, err
+	}
+
+	return &ServerConfig{
+		kex:             kex,
+		certChain:       certChain,
+		ID:              id,
+		obit:            obit,
+		cookieGenerator: cookieGenerator,
+	}, nil
+}
+
+// Get the server config binary representation
+func (s *ServerConfig) Get() []byte {
+	var serverConfig bytes.Buffer
+	msg := HandshakeMessage{
+		Tag: TagSCFG,
+		Data: map[Tag][]byte{
+			TagSCID: s.ID,
+			TagKEXS: []byte("C255"),
+			TagAEAD: []byte("AESG"),
+			TagPUBS: append([]byte{0x20, 0x00, 0x00}, s.kex.PublicKey()...),
+			TagOBIT: s.obit,
+			TagEXPY: {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
+		},
+	}
+	msg.Write(&serverConfig)
+	return serverConfig.Bytes()
+}
+
+// Sign the server config and CHLO with the server's keyData
+func (s *ServerConfig) Sign(sni string, chlo []byte) ([]byte, error) {
+	return s.certChain.SignServerProof(sni, chlo, s.Get())
+}
+
+// GetCertsCompressed returns the certificate data
+func (s *ServerConfig) GetCertsCompressed(sni string, commonSetHashes, compressedHashes []byte) ([]byte, error) {
+	return s.certChain.GetCertsCompressed(sni, commonSetHashes, compressedHashes)
+}

vendor/github.com/lucas-clemente/quic-go/internal/handshake/server_config_client.go

@@ -0,0 +1,184 @@
+package handshake
+
+import (
+	"bytes"
+	"encoding/binary"
+	"errors"
+	"math"
+	"time"
+
+	"github.com/lucas-clemente/quic-go/internal/crypto"
+	"github.com/lucas-clemente/quic-go/internal/utils"
+	"github.com/lucas-clemente/quic-go/qerr"
+)
+
+type serverConfigClient struct {
+	raw    []byte
+	ID     []byte
+	obit   []byte
+	expiry time.Time
+
+	kex          crypto.KeyExchange
+	sharedSecret []byte
+}
+
+var (
+	errMessageNotServerConfig = errors.New("ServerConfig must have TagSCFG")
+)
+
+// parseServerConfig parses a server config
+func parseServerConfig(data []byte) (*serverConfigClient, error) {
+	message, err := ParseHandshakeMessage(bytes.NewReader(data))
+	if err != nil {
+		return nil, err
+	}
+	if message.Tag != TagSCFG {
+		return nil, errMessageNotServerConfig
+	}
+
+	scfg := &serverConfigClient{raw: data}
+	err = scfg.parseValues(message.Data)
+	if err != nil {
+		return nil, err
+	}
+
+	return scfg, nil
+}
+
+func (s *serverConfigClient) parseValues(tagMap map[Tag][]byte) error {
+	// SCID
+	scfgID, ok := tagMap[TagSCID]
+	if !ok {
+		return qerr.Error(qerr.CryptoMessageParameterNotFound, "SCID")
+	}
+	if len(scfgID) != 16 {
+		return qerr.Error(qerr.CryptoInvalidValueLength, "SCID")
+	}
+	s.ID = scfgID
+
+	// KEXS
+	// TODO: setup Key Exchange
+	kexs, ok := tagMap[TagKEXS]
+	if !ok {
+		return qerr.Error(qerr.CryptoMessageParameterNotFound, "KEXS")
+	}
+	if len(kexs)%4 != 0 {
+		return qerr.Error(qerr.CryptoInvalidValueLength, "KEXS")
+	}
+	c255Foundat := -1
+
+	for i := 0; i < len(kexs)/4; i++ {
+		if bytes.Equal(kexs[4*i:4*i+4], []byte("C255")) {
+			c255Foundat = i
+			break
+		}
+	}
+	if c255Foundat < 0 {
+		return qerr.Error(qerr.CryptoNoSupport, "KEXS: Could not find C255, other key exchanges are not supported")
+	}
+
+	// AEAD
+	aead, ok := tagMap[TagAEAD]
+	if !ok {
+		return qerr.Error(qerr.CryptoMessageParameterNotFound, "AEAD")
+	}
+	if len(aead)%4 != 0 {
+		return qerr.Error(qerr.CryptoInvalidValueLength, "AEAD")
+	}
+	var aesgFound bool
+	for i := 0; i < len(aead)/4; i++ {
+		if bytes.Equal(aead[4*i:4*i+4], []byte("AESG")) {
+			aesgFound = true
+			break
+		}
+	}
+	if !aesgFound {
+		return qerr.Error(qerr.CryptoNoSupport, "AEAD")
+	}
+
+	// PUBS
+	pubs, ok := tagMap[TagPUBS]
+	if !ok {
+		return qerr.Error(qerr.CryptoMessageParameterNotFound, "PUBS")
+	}
+
+	var pubsKexs []struct {
+		Length uint32
+		Value  []byte
+	}
+	var lastLen uint32
+	for i := 0; i < len(pubs)-3; i += int(lastLen) + 3 {
+		// the PUBS value is always prepended by 3 byte little endian length field
+
+		err := binary.Read(bytes.NewReader([]byte{pubs[i], pubs[i+1], pubs[i+2], 0x00}), binary.LittleEndian, &lastLen)
+		if err != nil {
+			return qerr.Error(qerr.CryptoInvalidValueLength, "PUBS not decodable")
+		}
+		if lastLen == 0 {
+			return qerr.Error(qerr.CryptoInvalidValueLength, "PUBS")
+		}
+
+		if i+3+int(lastLen) > len(pubs) {
+			return qerr.Error(qerr.CryptoInvalidValueLength, "PUBS")
+		}
+
+		pubsKexs = append(pubsKexs, struct {
+			Length uint32
+			Value  []byte
+		}{lastLen, pubs[i+3 : i+3+int(lastLen)]})
+	}
+
+	if c255Foundat >= len(pubsKexs) {
+		return qerr.Error(qerr.CryptoMessageParameterNotFound, "KEXS not in PUBS")
+	}
+
+	if pubsKexs[c255Foundat].Length != 32 {
+		return qerr.Error(qerr.CryptoInvalidValueLength, "PUBS")
+	}
+
+	var err error
+	s.kex, err = crypto.NewCurve25519KEX()
+	if err != nil {
+		return err
+	}
+
+	s.sharedSecret, err = s.kex.CalculateSharedKey(pubsKexs[c255Foundat].Value)
+	if err != nil {
+		return err
+	}
+
+	// OBIT
+	obit, ok := tagMap[TagOBIT]
+	if !ok {
+		return qerr.Error(qerr.CryptoMessageParameterNotFound, "OBIT")
+	}
+	if len(obit) != 8 {
+		return qerr.Error(qerr.CryptoInvalidValueLength, "OBIT")
+	}
+	s.obit = obit
+
+	// EXPY
+	expy, ok := tagMap[TagEXPY]
+	if !ok {
+		return qerr.Error(qerr.CryptoMessageParameterNotFound, "EXPY")
+	}
+	if len(expy) != 8 {
+		return qerr.Error(qerr.CryptoInvalidValueLength, "EXPY")
+	}
+	// make sure that the value doesn't overflow an int64
+	// furthermore, values close to MaxInt64 are not a valid input to time.Unix, thus set MaxInt64/2 as the maximum value here
+	expyTimestamp := utils.MinUint64(binary.LittleEndian.Uint64(expy), math.MaxInt64/2)
+	s.expiry = time.Unix(int64(expyTimestamp), 0)
+
+	// TODO: implement VER
+
+	return nil
+}
+
+func (s *serverConfigClient) IsExpired() bool {
+	return s.expiry.Before(time.Now())
+}
+
+func (s *serverConfigClient) Get() []byte {
+	return s.raw
+}

vendor/github.com/lucas-clemente/quic-go/internal/handshake/tags.go

@@ -0,0 +1,93 @@
+package handshake
+
+// A Tag in the QUIC crypto
+type Tag uint32
+
+const (
+	// TagCHLO is a client hello
+	TagCHLO Tag = 'C' + 'H'<<8 + 'L'<<16 + 'O'<<24
+	// TagREJ is a server hello rejection
+	TagREJ Tag = 'R' + 'E'<<8 + 'J'<<16
+	// TagSCFG is a server config
+	TagSCFG Tag = 'S' + 'C'<<8 + 'F'<<16 + 'G'<<24
+
+	// TagPAD is padding
+	TagPAD Tag = 'P' + 'A'<<8 + 'D'<<16
+	// TagSNI is the server name indication
+	TagSNI Tag = 'S' + 'N'<<8 + 'I'<<16
+	// TagVER is the QUIC version
+	TagVER Tag = 'V' + 'E'<<8 + 'R'<<16
+	// TagCCS are the hashes of the common certificate sets
+	TagCCS Tag = 'C' + 'C'<<8 + 'S'<<16
+	// TagCCRT are the hashes of the cached certificates
+	TagCCRT Tag = 'C' + 'C'<<8 + 'R'<<16 + 'T'<<24
+	// TagMSPC is max streams per connection
+	TagMSPC Tag = 'M' + 'S'<<8 + 'P'<<16 + 'C'<<24
+	// TagMIDS is max incoming dyanamic streams
+	TagMIDS Tag = 'M' + 'I'<<8 + 'D'<<16 + 'S'<<24
+	// TagUAID is the user agent ID
+	TagUAID Tag = 'U' + 'A'<<8 + 'I'<<16 + 'D'<<24
+	// TagSVID is the server ID (unofficial tag by us :)
+	TagSVID Tag = 'S' + 'V'<<8 + 'I'<<16 + 'D'<<24
+	// TagTCID is truncation of the connection ID
+	TagTCID Tag = 'T' + 'C'<<8 + 'I'<<16 + 'D'<<24
+	// TagPDMD is the proof demand
+	TagPDMD Tag = 'P' + 'D'<<8 + 'M'<<16 + 'D'<<24
+	// TagSRBF is the socket receive buffer
+	TagSRBF Tag = 'S' + 'R'<<8 + 'B'<<16 + 'F'<<24
+	// TagICSL is the idle connection state lifetime
+	TagICSL Tag = 'I' + 'C'<<8 + 'S'<<16 + 'L'<<24
+	// TagNONP is the client proof nonce
+	TagNONP Tag = 'N' + 'O'<<8 + 'N'<<16 + 'P'<<24
+	// TagSCLS is the silently close timeout
+	TagSCLS Tag = 'S' + 'C'<<8 + 'L'<<16 + 'S'<<24
+	// TagCSCT is the signed cert timestamp (RFC6962) of leaf cert
+	TagCSCT Tag = 'C' + 'S'<<8 + 'C'<<16 + 'T'<<24
+	// TagCOPT are the connection options
+	TagCOPT Tag = 'C' + 'O'<<8 + 'P'<<16 + 'T'<<24
+	// TagCFCW is the initial session/connection flow control receive window
+	TagCFCW Tag = 'C' + 'F'<<8 + 'C'<<16 + 'W'<<24
+	// TagSFCW is the initial stream flow control receive window.
+	TagSFCW Tag = 'S' + 'F'<<8 + 'C'<<16 + 'W'<<24
+
+	// TagNSTP is the no STOP_WAITING experiment
+	// currently unsupported by quic-go
+	TagNSTP Tag = 'N' + 'S'<<8 + 'T'<<16 + 'P'<<24
+
+	// TagSTK is the source-address token
+	TagSTK Tag = 'S' + 'T'<<8 + 'K'<<16
+	// TagSNO is the server nonce
+	TagSNO Tag = 'S' + 'N'<<8 + 'O'<<16
+	// TagPROF is the server proof
+	TagPROF Tag = 'P' + 'R'<<8 + 'O'<<16 + 'F'<<24
+
+	// TagNONC is the client nonce
+	TagNONC Tag = 'N' + 'O'<<8 + 'N'<<16 + 'C'<<24
+	// TagXLCT is the expected leaf certificate
+	TagXLCT Tag = 'X' + 'L'<<8 + 'C'<<16 + 'T'<<24
+
+	// TagSCID is the server config ID
+	TagSCID Tag = 'S' + 'C'<<8 + 'I'<<16 + 'D'<<24
+	// TagKEXS is the list of key exchange algos
+	TagKEXS Tag = 'K' + 'E'<<8 + 'X'<<16 + 'S'<<24
+	// TagAEAD is the list of AEAD algos
+	TagAEAD Tag = 'A' + 'E'<<8 + 'A'<<16 + 'D'<<24
+	// TagPUBS is the public value for the KEX
+	TagPUBS Tag = 'P' + 'U'<<8 + 'B'<<16 + 'S'<<24
+	// TagOBIT is the client orbit
+	TagOBIT Tag = 'O' + 'B'<<8 + 'I'<<16 + 'T'<<24
+	// TagEXPY is the server config expiry
+	TagEXPY Tag = 'E' + 'X'<<8 + 'P'<<16 + 'Y'<<24
+	// TagCERT is the CERT data
+	TagCERT Tag = 0xff545243
+
+	// TagSHLO is the server hello
+	TagSHLO Tag = 'S' + 'H'<<8 + 'L'<<16 + 'O'<<24
+
+	// TagPRST is the public reset tag
+	TagPRST Tag = 'P' + 'R'<<8 + 'S'<<16 + 'T'<<24
+	// TagRSEQ is the public reset rejected packet number
+	TagRSEQ Tag = 'R' + 'S'<<8 + 'E'<<16 + 'Q'<<24
+	// TagRNON is the public reset nonce
+	TagRNON Tag = 'R' + 'N'<<8 + 'O'<<16 + 'N'<<24
+)

vendor/github.com/lucas-clemente/quic-go/internal/handshake/tls_extension.go

@@ -0,0 +1,123 @@
+package handshake
+
+import (
+	"bytes"
+	"encoding/binary"
+	"errors"
+	"fmt"
+
+	"github.com/bifurcation/mint"
+	"github.com/lucas-clemente/quic-go/internal/protocol"
+	"github.com/lucas-clemente/quic-go/internal/utils"
+)
+
+type transportParameterID uint16
+
+const quicTLSExtensionType = 0xff5
+
+const (
+	initialMaxStreamDataParameterID  transportParameterID = 0x0
+	initialMaxDataParameterID        transportParameterID = 0x1
+	initialMaxBidiStreamsParameterID transportParameterID = 0x2
+	idleTimeoutParameterID           transportParameterID = 0x3
+	maxPacketSizeParameterID         transportParameterID = 0x5
+	statelessResetTokenParameterID   transportParameterID = 0x6
+	initialMaxUniStreamsParameterID  transportParameterID = 0x8
+	disableMigrationParameterID      transportParameterID = 0x9
+)
+
+type clientHelloTransportParameters struct {
+	InitialVersion protocol.VersionNumber
+	Parameters     TransportParameters
+}
+
+func (p *clientHelloTransportParameters) Marshal() []byte {
+	const lenOffset = 4
+	b := &bytes.Buffer{}
+	utils.BigEndian.WriteUint32(b, uint32(p.InitialVersion))
+	b.Write([]byte{0, 0}) // length. Will be replaced later
+	p.Parameters.marshal(b)
+	data := b.Bytes()
+	binary.BigEndian.PutUint16(data[lenOffset:lenOffset+2], uint16(len(data)-lenOffset-2))
+	return data
+}
+
+func (p *clientHelloTransportParameters) Unmarshal(data []byte) error {
+	if len(data) < 6 {
+		return errors.New("transport parameter data too short")
+	}
+	p.InitialVersion = protocol.VersionNumber(binary.BigEndian.Uint32(data[:4]))
+	paramsLen := int(binary.BigEndian.Uint16(data[4:6]))
+	data = data[6:]
+	if len(data) != paramsLen {
+		return fmt.Errorf("expected transport parameters to be %d bytes long, have %d", paramsLen, len(data))
+	}
+	return p.Parameters.unmarshal(data)
+}
+
+type encryptedExtensionsTransportParameters struct {
+	NegotiatedVersion protocol.VersionNumber
+	SupportedVersions []protocol.VersionNumber
+	Parameters        TransportParameters
+}
+
+func (p *encryptedExtensionsTransportParameters) Marshal() []byte {
+	b := &bytes.Buffer{}
+	utils.BigEndian.WriteUint32(b, uint32(p.NegotiatedVersion))
+	b.WriteByte(uint8(4 * len(p.SupportedVersions)))
+	for _, v := range p.SupportedVersions {
+		utils.BigEndian.WriteUint32(b, uint32(v))
+	}
+	lenOffset := b.Len()
+	b.Write([]byte{0, 0}) // length. Will be replaced later
+	p.Parameters.marshal(b)
+	data := b.Bytes()
+	binary.BigEndian.PutUint16(data[lenOffset:lenOffset+2], uint16(len(data)-lenOffset-2))
+	return data
+}
+
+func (p *encryptedExtensionsTransportParameters) Unmarshal(data []byte) error {
+	if len(data) < 5 {
+		return errors.New("transport parameter data too short")
+	}
+	p.NegotiatedVersion = protocol.VersionNumber(binary.BigEndian.Uint32(data[:4]))
+	numVersions := int(data[4])
+	if numVersions%4 != 0 {
+		return fmt.Errorf("invalid length for version list: %d", numVersions)
+	}
+	numVersions /= 4
+	data = data[5:]
+	if len(data) < 4*numVersions+2 /*length field for the parameter list */ {
+		return errors.New("transport parameter data too short")
+	}
+	p.SupportedVersions = make([]protocol.VersionNumber, numVersions)
+	for i := 0; i < numVersions; i++ {
+		p.SupportedVersions[i] = protocol.VersionNumber(binary.BigEndian.Uint32(data[:4]))
+		data = data[4:]
+	}
+	paramsLen := int(binary.BigEndian.Uint16(data[:2]))
+	data = data[2:]
+	if len(data) != paramsLen {
+		return fmt.Errorf("expected transport parameters to be %d bytes long, have %d", paramsLen, len(data))
+	}
+	return p.Parameters.unmarshal(data)
+}
+
+type tlsExtensionBody struct {
+	data []byte
+}
+
+var _ mint.ExtensionBody = &tlsExtensionBody{}
+
+func (e *tlsExtensionBody) Type() mint.ExtensionType {
+	return quicTLSExtensionType
+}
+
+func (e *tlsExtensionBody) Marshal() ([]byte, error) {
+	return e.data, nil
+}
+
+func (e *tlsExtensionBody) Unmarshal(data []byte) (int, error) {
+	e.data = data
+	return len(data), nil
+}

vendor/github.com/lucas-clemente/quic-go/internal/handshake/tls_extension_handler_client.go

@@ -0,0 +1,112 @@
+package handshake
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/lucas-clemente/quic-go/qerr"
+
+	"github.com/bifurcation/mint"
+	"github.com/lucas-clemente/quic-go/internal/protocol"
+	"github.com/lucas-clemente/quic-go/internal/utils"
+)
+
+type extensionHandlerClient struct {
+	ourParams  *TransportParameters
+	paramsChan chan TransportParameters
+
+	initialVersion    protocol.VersionNumber
+	supportedVersions []protocol.VersionNumber
+	version           protocol.VersionNumber
+
+	logger utils.Logger
+}
+
+var _ mint.AppExtensionHandler = &extensionHandlerClient{}
+var _ TLSExtensionHandler = &extensionHandlerClient{}
+
+// NewExtensionHandlerClient creates a new extension handler for the client.
+func NewExtensionHandlerClient(
+	params *TransportParameters,
+	initialVersion protocol.VersionNumber,
+	supportedVersions []protocol.VersionNumber,
+	version protocol.VersionNumber,
+	logger utils.Logger,
+) TLSExtensionHandler {
+	// The client reads the transport parameters from the Encrypted Extensions message.
+	// The paramsChan is used in the session's run loop's select statement.
+	// We have to use an unbuffered channel here to make sure that the session actually processes the transport parameters immediately.
+	paramsChan := make(chan TransportParameters)
+	return &extensionHandlerClient{
+		ourParams:         params,
+		paramsChan:        paramsChan,
+		initialVersion:    initialVersion,
+		supportedVersions: supportedVersions,
+		version:           version,
+		logger:            logger,
+	}
+}
+
+func (h *extensionHandlerClient) Send(hType mint.HandshakeType, el *mint.ExtensionList) error {
+	if hType != mint.HandshakeTypeClientHello {
+		return nil
+	}
+	h.logger.Debugf("Sending Transport Parameters: %s", h.ourParams)
+	chtp := &clientHelloTransportParameters{
+		InitialVersion: h.initialVersion,
+		Parameters:     *h.ourParams,
+	}
+	return el.Add(&tlsExtensionBody{data: chtp.Marshal()})
+}
+
+func (h *extensionHandlerClient) Receive(hType mint.HandshakeType, el *mint.ExtensionList) error {
+	ext := &tlsExtensionBody{}
+	found, err := el.Find(ext)
+	if err != nil {
+		return err
+	}
+
+	if hType != mint.HandshakeTypeEncryptedExtensions {
+		if found {
+			return fmt.Errorf("Unexpected QUIC extension in handshake message %d", hType)
+		}
+		return nil
+	}
+
+	// hType == mint.HandshakeTypeEncryptedExtensions
+	if !found {
+		return errors.New("EncryptedExtensions message didn't contain a QUIC extension")
+	}
+
+	eetp := &encryptedExtensionsTransportParameters{}
+	if err := eetp.Unmarshal(ext.data); err != nil {
+		return err
+	}
+	// check that the negotiated_version is the current version
+	if eetp.NegotiatedVersion != h.version {
+		return qerr.Error(qerr.VersionNegotiationMismatch, "current version doesn't match negotiated_version")
+	}
+	// check that the current version is included in the supported versions
+	if !protocol.IsSupportedVersion(eetp.SupportedVersions, h.version) {
+		return qerr.Error(qerr.VersionNegotiationMismatch, "current version not included in the supported versions")
+	}
+	// if version negotiation was performed, check that we would have selected the current version based on the supported versions sent by the server
+	if h.version != h.initialVersion {
+		negotiatedVersion, ok := protocol.ChooseSupportedVersion(h.supportedVersions, eetp.SupportedVersions)
+		if !ok || h.version != negotiatedVersion {
+			return qerr.Error(qerr.VersionNegotiationMismatch, "would have picked a different version")
+		}
+	}
+
+	// check that the server sent a stateless reset token
+	if len(eetp.Parameters.StatelessResetToken) == 0 {
+		return errors.New("server didn't sent stateless_reset_token")
+	}
+	h.logger.Debugf("Received Transport Parameters: %s", &eetp.Parameters)
+	h.paramsChan <- eetp.Parameters
+	return nil
+}
+
+func (h *extensionHandlerClient) GetPeerParams() <-chan TransportParameters {
+	return h.paramsChan
+}

vendor/github.com/lucas-clemente/quic-go/internal/handshake/tls_extension_handler_server.go

@@ -0,0 +1,100 @@
+package handshake
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/lucas-clemente/quic-go/qerr"
+
+	"github.com/bifurcation/mint"
+	"github.com/lucas-clemente/quic-go/internal/protocol"
+	"github.com/lucas-clemente/quic-go/internal/utils"
+)
+
+type extensionHandlerServer struct {
+	ourParams  *TransportParameters
+	paramsChan chan TransportParameters
+
+	version           protocol.VersionNumber
+	supportedVersions []protocol.VersionNumber
+
+	logger utils.Logger
+}
+
+var _ mint.AppExtensionHandler = &extensionHandlerServer{}
+var _ TLSExtensionHandler = &extensionHandlerServer{}
+
+// NewExtensionHandlerServer creates a new extension handler for the server
+func NewExtensionHandlerServer(
+	params *TransportParameters,
+	supportedVersions []protocol.VersionNumber,
+	version protocol.VersionNumber,
+	logger utils.Logger,
+) TLSExtensionHandler {
+	// Processing the ClientHello is performed statelessly (and from a single go-routine).
+	// Therefore, we have to use a buffered chan to pass the transport parameters to that go routine.
+	paramsChan := make(chan TransportParameters, 1)
+	return &extensionHandlerServer{
+		ourParams:         params,
+		paramsChan:        paramsChan,
+		supportedVersions: supportedVersions,
+		version:           version,
+		logger:            logger,
+	}
+}
+
+func (h *extensionHandlerServer) Send(hType mint.HandshakeType, el *mint.ExtensionList) error {
+	if hType != mint.HandshakeTypeEncryptedExtensions {
+		return nil
+	}
+	h.logger.Debugf("Sending Transport Parameters: %s", h.ourParams)
+	eetp := &encryptedExtensionsTransportParameters{
+		NegotiatedVersion: h.version,
+		SupportedVersions: protocol.GetGreasedVersions(h.supportedVersions),
+		Parameters:        *h.ourParams,
+	}
+	return el.Add(&tlsExtensionBody{data: eetp.Marshal()})
+}
+
+func (h *extensionHandlerServer) Receive(hType mint.HandshakeType, el *mint.ExtensionList) error {
+	ext := &tlsExtensionBody{}
+	found, err := el.Find(ext)
+	if err != nil {
+		return err
+	}
+
+	if hType != mint.HandshakeTypeClientHello {
+		if found {
+			return fmt.Errorf("Unexpected QUIC extension in handshake message %d", hType)
+		}
+		return nil
+	}
+
+	if !found {
+		return errors.New("ClientHello didn't contain a QUIC extension")
+	}
+	chtp := &clientHelloTransportParameters{}
+	if err := chtp.Unmarshal(ext.data); err != nil {
+		return err
+	}
+
+	// perform the stateless version negotiation validation:
+	// make sure that we would have sent a Version Negotiation Packet if the client offered the initial version
+	// this is the case if and only if the initial version is not contained in the supported versions
+	if chtp.InitialVersion != h.version && protocol.IsSupportedVersion(h.supportedVersions, chtp.InitialVersion) {
+		return qerr.Error(qerr.VersionNegotiationMismatch, "Client should have used the initial version")
+	}
+
+	// check that the client didn't send a stateless reset token
+	if len(chtp.Parameters.StatelessResetToken) != 0 {
+		// TODO: return the correct error type
+		return errors.New("client sent a stateless reset token")
+	}
+	h.logger.Debugf("Received Transport Parameters: %s", &chtp.Parameters)
+	h.paramsChan <- chtp.Parameters
+	return nil
+}
+
+func (h *extensionHandlerServer) GetPeerParams() <-chan TransportParameters {
+	return h.paramsChan
+}

vendor/github.com/lucas-clemente/quic-go/internal/handshake/transport_parameters.go

@@ -0,0 +1,215 @@
+package handshake
+
+import (
+	"bytes"
+	"encoding/binary"
+	"fmt"
+	"sort"
+	"time"
+
+	"github.com/lucas-clemente/quic-go/internal/protocol"
+	"github.com/lucas-clemente/quic-go/internal/utils"
+	"github.com/lucas-clemente/quic-go/qerr"
+)
+
+// errMalformedTag is returned when the tag value cannot be read
+var errMalformedTag = qerr.Error(qerr.InvalidCryptoMessageParameter, "malformed Tag value")
+
+// TransportParameters are parameters sent to the peer during the handshake
+type TransportParameters struct {
+	StreamFlowControlWindow     protocol.ByteCount
+	ConnectionFlowControlWindow protocol.ByteCount
+
+	MaxPacketSize protocol.ByteCount
+
+	MaxUniStreams  uint16 // only used for IETF QUIC
+	MaxBidiStreams uint16 // only used for IETF QUIC
+	MaxStreams     uint32 // only used for gQUIC
+
+	OmitConnectionID    bool // only used for gQUIC
+	IdleTimeout         time.Duration
+	DisableMigration    bool   // only used for IETF QUIC
+	StatelessResetToken []byte // only used for IETF QUIC
+}
+
+// readHelloMap reads the transport parameters from the tags sent in a gQUIC handshake message
+func readHelloMap(tags map[Tag][]byte) (*TransportParameters, error) {
+	params := &TransportParameters{}
+	if value, ok := tags[TagTCID]; ok {
+		v, err := utils.LittleEndian.ReadUint32(bytes.NewBuffer(value))
+		if err != nil {
+			return nil, errMalformedTag
+		}
+		params.OmitConnectionID = (v == 0)
+	}
+	if value, ok := tags[TagMIDS]; ok {
+		v, err := utils.LittleEndian.ReadUint32(bytes.NewBuffer(value))
+		if err != nil {
+			return nil, errMalformedTag
+		}
+		params.MaxStreams = v
+	}
+	if value, ok := tags[TagICSL]; ok {
+		v, err := utils.LittleEndian.ReadUint32(bytes.NewBuffer(value))
+		if err != nil {
+			return nil, errMalformedTag
+		}
+		params.IdleTimeout = utils.MaxDuration(protocol.MinRemoteIdleTimeout, time.Duration(v)*time.Second)
+	}
+	if value, ok := tags[TagSFCW]; ok {
+		v, err := utils.LittleEndian.ReadUint32(bytes.NewBuffer(value))
+		if err != nil {
+			return nil, errMalformedTag
+		}
+		params.StreamFlowControlWindow = protocol.ByteCount(v)
+	}
+	if value, ok := tags[TagCFCW]; ok {
+		v, err := utils.LittleEndian.ReadUint32(bytes.NewBuffer(value))
+		if err != nil {
+			return nil, errMalformedTag
+		}
+		params.ConnectionFlowControlWindow = protocol.ByteCount(v)
+	}
+	return params, nil
+}
+
+// GetHelloMap gets all parameters needed for the Hello message in the gQUIC handshake.
+func (p *TransportParameters) getHelloMap() map[Tag][]byte {
+	sfcw := bytes.NewBuffer([]byte{})
+	utils.LittleEndian.WriteUint32(sfcw, uint32(p.StreamFlowControlWindow))
+	cfcw := bytes.NewBuffer([]byte{})
+	utils.LittleEndian.WriteUint32(cfcw, uint32(p.ConnectionFlowControlWindow))
+	mids := bytes.NewBuffer([]byte{})
+	utils.LittleEndian.WriteUint32(mids, p.MaxStreams)
+	icsl := bytes.NewBuffer([]byte{})
+	utils.LittleEndian.WriteUint32(icsl, uint32(p.IdleTimeout/time.Second))
+
+	tags := map[Tag][]byte{
+		TagICSL: icsl.Bytes(),
+		TagMIDS: mids.Bytes(),
+		TagCFCW: cfcw.Bytes(),
+		TagSFCW: sfcw.Bytes(),
+	}
+	if p.OmitConnectionID {
+		tags[TagTCID] = []byte{0, 0, 0, 0}
+	}
+	return tags
+}
+
+func (p *TransportParameters) unmarshal(data []byte) error {
+	// needed to check that every parameter is only sent at most once
+	var parameterIDs []transportParameterID
+
+	for len(data) >= 4 {
+		paramID := transportParameterID(binary.BigEndian.Uint16(data[:2]))
+		paramLen := int(binary.BigEndian.Uint16(data[2:4]))
+		data = data[4:]
+		if len(data) < paramLen {
+			return fmt.Errorf("remaining length (%d) smaller than parameter length (%d)", len(data), paramLen)
+		}
+		parameterIDs = append(parameterIDs, paramID)
+		switch paramID {
+		case initialMaxStreamDataParameterID:
+			if paramLen != 4 {
+				return fmt.Errorf("wrong length for initial_max_stream_data: %d (expected 4)", paramLen)
+			}
+			p.StreamFlowControlWindow = protocol.ByteCount(binary.BigEndian.Uint32(data[:4]))
+		case initialMaxDataParameterID:
+			if paramLen != 4 {
+				return fmt.Errorf("wrong length for initial_max_data: %d (expected 4)", paramLen)
+			}
+			p.ConnectionFlowControlWindow = protocol.ByteCount(binary.BigEndian.Uint32(data[:4]))
+		case initialMaxBidiStreamsParameterID:
+			if paramLen != 2 {
+				return fmt.Errorf("wrong length for initial_max_stream_id_bidi: %d (expected 2)", paramLen)
+			}
+			p.MaxBidiStreams = binary.BigEndian.Uint16(data[:2])
+		case initialMaxUniStreamsParameterID:
+			if paramLen != 2 {
+				return fmt.Errorf("wrong length for initial_max_stream_id_uni: %d (expected 2)", paramLen)
+			}
+			p.MaxUniStreams = binary.BigEndian.Uint16(data[:2])
+		case idleTimeoutParameterID:
+			if paramLen != 2 {
+				return fmt.Errorf("wrong length for idle_timeout: %d (expected 2)", paramLen)
+			}
+			p.IdleTimeout = utils.MaxDuration(protocol.MinRemoteIdleTimeout, time.Duration(binary.BigEndian.Uint16(data[:2]))*time.Second)
+		case maxPacketSizeParameterID:
+			if paramLen != 2 {
+				return fmt.Errorf("wrong length for max_packet_size: %d (expected 2)", paramLen)
+			}
+			maxPacketSize := protocol.ByteCount(binary.BigEndian.Uint16(data[:2]))
+			if maxPacketSize < 1200 {
+				return fmt.Errorf("invalid value for max_packet_size: %d (minimum 1200)", maxPacketSize)
+			}
+			p.MaxPacketSize = maxPacketSize
+		case disableMigrationParameterID:
+			if paramLen != 0 {
+				return fmt.Errorf("wrong length for disable_migration: %d (expected empty)", paramLen)
+			}
+			p.DisableMigration = true
+		case statelessResetTokenParameterID:
+			if paramLen != 16 {
+				return fmt.Errorf("wrong length for stateless_reset_token: %d (expected 16)", paramLen)
+			}
+			p.StatelessResetToken = data[:16]
+		}
+		data = data[paramLen:]
+	}
+
+	// check that every transport parameter was sent at most once
+	sort.Slice(parameterIDs, func(i, j int) bool { return parameterIDs[i] < parameterIDs[j] })
+	for i := 0; i < len(parameterIDs)-1; i++ {
+		if parameterIDs[i] == parameterIDs[i+1] {
+			return fmt.Errorf("received duplicate transport parameter %#x", parameterIDs[i])
+		}
+	}
+
+	if len(data) != 0 {
+		return fmt.Errorf("should have read all data. Still have %d bytes", len(data))
+	}
+	return nil
+}
+
+func (p *TransportParameters) marshal(b *bytes.Buffer) {
+	// initial_max_stream_data
+	utils.BigEndian.WriteUint16(b, uint16(initialMaxStreamDataParameterID))
+	utils.BigEndian.WriteUint16(b, 4)
+	utils.BigEndian.WriteUint32(b, uint32(p.StreamFlowControlWindow))
+	// initial_max_data
+	utils.BigEndian.WriteUint16(b, uint16(initialMaxDataParameterID))
+	utils.BigEndian.WriteUint16(b, 4)
+	utils.BigEndian.WriteUint32(b, uint32(p.ConnectionFlowControlWindow))
+	// initial_max_bidi_streams
+	utils.BigEndian.WriteUint16(b, uint16(initialMaxBidiStreamsParameterID))
+	utils.BigEndian.WriteUint16(b, 2)
+	utils.BigEndian.WriteUint16(b, p.MaxBidiStreams)
+	// initial_max_uni_streams
+	utils.BigEndian.WriteUint16(b, uint16(initialMaxUniStreamsParameterID))
+	utils.BigEndian.WriteUint16(b, 2)
+	utils.BigEndian.WriteUint16(b, p.MaxUniStreams)
+	// idle_timeout
+	utils.BigEndian.WriteUint16(b, uint16(idleTimeoutParameterID))
+	utils.BigEndian.WriteUint16(b, 2)
+	utils.BigEndian.WriteUint16(b, uint16(p.IdleTimeout/time.Second))
+	// max_packet_size
+	utils.BigEndian.WriteUint16(b, uint16(maxPacketSizeParameterID))
+	utils.BigEndian.WriteUint16(b, 2)
+	utils.BigEndian.WriteUint16(b, uint16(protocol.MaxReceivePacketSize))
+	// disable_migration
+	if p.DisableMigration {
+		utils.BigEndian.WriteUint16(b, uint16(disableMigrationParameterID))
+		utils.BigEndian.WriteUint16(b, 0)
+	}
+	if len(p.StatelessResetToken) > 0 {
+		utils.BigEndian.WriteUint16(b, uint16(statelessResetTokenParameterID))
+		utils.BigEndian.WriteUint16(b, uint16(len(p.StatelessResetToken))) // should always be 16 bytes
+		b.Write(p.StatelessResetToken)
+	}
+}
+
+// String returns a string representation, intended for logging.
+// It should only used for IETF QUIC.
+func (p *TransportParameters) String() string {
+	return fmt.Sprintf("&handshake.TransportParameters{StreamFlowControlWindow: %#x, ConnectionFlowControlWindow: %#x, MaxBidiStreams: %d, MaxUniStreams: %d, IdleTimeout: %s}", p.StreamFlowControlWindow, p.ConnectionFlowControlWindow, p.MaxBidiStreams, p.MaxUniStreams, p.IdleTimeout)
+}