diff options
Diffstat (limited to 'vendor')
171 files changed, 8668 insertions, 5407 deletions
diff --git a/vendor/github.com/lucas-clemente/aes12/cipher_generic.go b/vendor/github.com/lucas-clemente/aes12/cipher_generic.go index a9a6abd55..6861677f8 100644 --- a/vendor/github.com/lucas-clemente/aes12/cipher_generic.go +++ b/vendor/github.com/lucas-clemente/aes12/cipher_generic.go @@ -2,7 +2,7 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. -// +build !amd64,!s390x +// +build !amd64 package aes12 diff --git a/vendor/github.com/lucas-clemente/quic-go/buffer_pool.go b/vendor/github.com/lucas-clemente/quic-go/buffer_pool.go index 5032ca7f1..6b233696f 100644 --- a/vendor/github.com/lucas-clemente/quic-go/buffer_pool.go +++ b/vendor/github.com/lucas-clemente/quic-go/buffer_pool.go @@ -8,19 +8,20 @@ import ( var bufferPool sync.Pool -func getPacketBuffer() []byte { - return bufferPool.Get().([]byte) +func getPacketBuffer() *[]byte { + return bufferPool.Get().(*[]byte) } -func putPacketBuffer(buf []byte) { - if cap(buf) != int(protocol.MaxReceivePacketSize) { +func putPacketBuffer(buf *[]byte) { + if cap(*buf) != int(protocol.MaxReceivePacketSize) { panic("putPacketBuffer called with packet of wrong size!") } - bufferPool.Put(buf[:0]) + bufferPool.Put(buf) } func init() { bufferPool.New = func() interface{} { - return make([]byte, 0, protocol.MaxReceivePacketSize) + b := make([]byte, 0, protocol.MaxReceivePacketSize) + return &b } } diff --git a/vendor/github.com/lucas-clemente/quic-go/client.go b/vendor/github.com/lucas-clemente/quic-go/client.go index 955c908eb..1906abdf9 100644 --- a/vendor/github.com/lucas-clemente/quic-go/client.go +++ b/vendor/github.com/lucas-clemente/quic-go/client.go @@ -38,6 +38,8 @@ type client struct { version protocol.VersionNumber session packetHandler + + logger utils.Logger } var ( @@ -85,6 +87,14 @@ func Dial( } } + // check that all versions are actually supported + if config != nil { + for _, v := range config.Versions { + if !protocol.IsValidVersion(v) { + return nil, fmt.Errorf("%s is not a valid QUIC version", v) + } + } + } clientConfig := populateClientConfig(config) c := &client{ conn: &conn{pconn: pconn, currentAddr: remoteAddr}, @@ -94,9 +104,10 @@ func Dial( config: clientConfig, version: clientConfig.Versions[0], versionNegotiationChan: make(chan struct{}), + logger: utils.DefaultLogger, } - utils.Infof("Starting new connection to %s (%s -> %s), connectionID %x, version %s", hostname, c.conn.LocalAddr().String(), c.conn.RemoteAddr().String(), c.connectionID, c.version) + c.logger.Infof("Starting new connection to %s (%s -> %s), connectionID %x, version %s", hostname, c.conn.LocalAddr().String(), c.conn.RemoteAddr().String(), c.connectionID, c.version) if err := c.dial(); err != nil { return nil, err @@ -132,6 +143,18 @@ func populateClientConfig(config *Config) *Config { if maxReceiveConnectionFlowControlWindow == 0 { maxReceiveConnectionFlowControlWindow = protocol.DefaultMaxReceiveConnectionFlowControlWindowClient } + maxIncomingStreams := config.MaxIncomingStreams + if maxIncomingStreams == 0 { + maxIncomingStreams = protocol.DefaultMaxIncomingStreams + } else if maxIncomingStreams < 0 { + maxIncomingStreams = 0 + } + maxIncomingUniStreams := config.MaxIncomingUniStreams + if maxIncomingUniStreams == 0 { + maxIncomingUniStreams = protocol.DefaultMaxIncomingUniStreams + } else if maxIncomingUniStreams < 0 { + maxIncomingUniStreams = 0 + } return &Config{ Versions: versions, @@ -140,7 +163,9 @@ func populateClientConfig(config *Config) *Config { RequestConnectionIDOmission: config.RequestConnectionIDOmission, MaxReceiveStreamFlowControlWindow: maxReceiveStreamFlowControlWindow, MaxReceiveConnectionFlowControlWindow: maxReceiveConnectionFlowControlWindow, - KeepAlive: config.KeepAlive, + MaxIncomingStreams: maxIncomingStreams, + MaxIncomingUniStreams: maxIncomingUniStreams, + KeepAlive: config.KeepAlive, } } @@ -171,12 +196,11 @@ func (c *client) dialTLS() error { ConnectionFlowControlWindow: protocol.ReceiveConnectionFlowControlWindow, IdleTimeout: c.config.IdleTimeout, OmitConnectionID: c.config.RequestConnectionIDOmission, - // TODO(#523): make these values configurable - MaxBidiStreamID: protocol.MaxBidiStreamID(protocol.MaxIncomingStreams, protocol.PerspectiveClient), - MaxUniStreamID: protocol.MaxUniStreamID(protocol.MaxIncomingStreams, protocol.PerspectiveClient), + MaxBidiStreams: uint16(c.config.MaxIncomingStreams), + MaxUniStreams: uint16(c.config.MaxIncomingUniStreams), } csc := handshake.NewCryptoStreamConn(nil) - extHandler := handshake.NewExtensionHandlerClient(params, c.initialVersion, c.config.Versions, c.version) + extHandler := handshake.NewExtensionHandlerClient(params, c.initialVersion, c.config.Versions, c.version, c.logger) mintConf, err := tlsToMintConfig(c.tlsConf, protocol.PerspectiveClient) if err != nil { return err @@ -193,7 +217,7 @@ func (c *client) dialTLS() error { if err != handshake.ErrCloseSessionForRetry { return err } - utils.Infof("Received a Retry packet. Recreating session.") + c.logger.Infof("Received a Retry packet. Recreating session.") if err := c.createNewTLSSession(extHandler.GetPeerParams(), c.version); err != nil { return err } @@ -216,7 +240,7 @@ func (c *client) establishSecureConnection() error { go func() { runErr = c.session.run() // returns as soon as the session is closed close(errorChan) - utils.Infof("Connection %x closed.", c.connectionID) + c.logger.Infof("Connection %x closed.", c.connectionID) if runErr != handshake.ErrCloseSessionForRetry && runErr != errCloseSessionForNewVersion { c.conn.Close() } @@ -245,7 +269,7 @@ func (c *client) listen() { for { var n int var addr net.Addr - data := getPacketBuffer() + data := *getPacketBuffer() data = data[:protocol.MaxReceivePacketSize] // The packet size should not exceed protocol.MaxReceivePacketSize bytes // If it does, we only read a truncated packet, which will then end up undecryptable @@ -270,7 +294,7 @@ func (c *client) handlePacket(remoteAddr net.Addr, packet []byte) { r := bytes.NewReader(packet) hdr, err := wire.ParseHeaderSentByServer(r, c.version) if err != nil { - utils.Errorf("error parsing packet from %s: %s", remoteAddr.String(), err.Error()) + c.logger.Errorf("error parsing packet from %s: %s", remoteAddr.String(), err.Error()) // drop this packet if we can't parse the header return } @@ -293,15 +317,15 @@ func (c *client) handlePacket(remoteAddr net.Addr, packet []byte) { // check if the remote address and the connection ID match // otherwise this might be an attacker trying to inject a PUBLIC_RESET to kill the connection if cr.Network() != remoteAddr.Network() || cr.String() != remoteAddr.String() || hdr.ConnectionID != c.connectionID { - utils.Infof("Received a spoofed Public Reset. Ignoring.") + c.logger.Infof("Received a spoofed Public Reset. Ignoring.") return } pr, err := wire.ParsePublicReset(r) if err != nil { - utils.Infof("Received a Public Reset. An error occurred parsing the packet: %s", err) + c.logger.Infof("Received a Public Reset. An error occurred parsing the packet: %s", err) return } - utils.Infof("Received Public Reset, rejected packet number: %#x.", pr.RejectedPacketNumber) + c.logger.Infof("Received Public Reset, rejected packet number: %#x.", pr.RejectedPacketNumber) c.session.closeRemote(qerr.Error(qerr.PublicReset, fmt.Sprintf("Received a Public Reset for packet number %#x", pr.RejectedPacketNumber))) return } @@ -347,6 +371,8 @@ func (c *client) handleVersionNegotiationPacket(hdr *wire.Header) error { } } + c.logger.Infof("Received a Version Negotiation Packet. Supported Versions: %s", hdr.SupportedVersions) + newVersion, ok := protocol.ChooseSupportedVersion(c.config.Versions, hdr.SupportedVersions) if !ok { return qerr.InvalidVersion @@ -362,7 +388,7 @@ func (c *client) handleVersionNegotiationPacket(hdr *wire.Header) error { if err != nil { return err } - utils.Infof("Switching to QUIC version %s. New connection ID: %x", newVersion, c.connectionID) + c.logger.Infof("Switching to QUIC version %s. New connection ID: %x", newVersion, c.connectionID) c.session.Close(errCloseSessionForNewVersion) return nil } @@ -379,6 +405,7 @@ func (c *client) createNewGQUICSession() (err error) { c.config, c.initialVersion, c.negotiatedVersions, + c.logger, ) return err } @@ -398,6 +425,7 @@ func (c *client) createNewTLSSession( c.tls, paramsChan, 1, + c.logger, ) return err } diff --git a/vendor/github.com/lucas-clemente/quic-go/example/client/main.go b/vendor/github.com/lucas-clemente/quic-go/example/client/main.go index 2a28c1612..23f045c84 100644 --- a/vendor/github.com/lucas-clemente/quic-go/example/client/main.go +++ b/vendor/github.com/lucas-clemente/quic-go/example/client/main.go @@ -19,12 +19,14 @@ func main() { flag.Parse() urls := flag.Args() + logger := utils.DefaultLogger + if *verbose { - utils.SetLogLevel(utils.LogLevelDebug) + logger.SetLogLevel(utils.LogLevelDebug) } else { - utils.SetLogLevel(utils.LogLevelInfo) + logger.SetLogLevel(utils.LogLevelInfo) } - utils.SetLogTimeFormat("") + logger.SetLogTimeFormat("") versions := protocol.SupportedVersions if *tls { @@ -42,21 +44,21 @@ func main() { var wg sync.WaitGroup wg.Add(len(urls)) for _, addr := range urls { - utils.Infof("GET %s", addr) + logger.Infof("GET %s", addr) go func(addr string) { rsp, err := hclient.Get(addr) if err != nil { panic(err) } - utils.Infof("Got response for %s: %#v", addr, rsp) + logger.Infof("Got response for %s: %#v", addr, rsp) body := &bytes.Buffer{} _, err = io.Copy(body, rsp.Body) if err != nil { panic(err) } - utils.Infof("Request Body:") - utils.Infof("%s", body.Bytes()) + logger.Infof("Request Body:") + logger.Infof("%s", body.Bytes()) wg.Done() }(addr) } diff --git a/vendor/github.com/lucas-clemente/quic-go/example/main.go b/vendor/github.com/lucas-clemente/quic-go/example/main.go index 35aaa85c6..e83fb8703 100644 --- a/vendor/github.com/lucas-clemente/quic-go/example/main.go +++ b/vendor/github.com/lucas-clemente/quic-go/example/main.go @@ -91,7 +91,7 @@ func init() { } } if err != nil { - utils.Infof("Error receiving upload: %#v", err) + utils.DefaultLogger.Infof("Error receiving upload: %#v", err) } } io.WriteString(w, `<html><body><form action="/demo/upload" method="post" enctype="multipart/form-data"> @@ -126,12 +126,14 @@ func main() { tls := flag.Bool("tls", false, "activate support for IETF QUIC (work in progress)") flag.Parse() + logger := utils.DefaultLogger + if *verbose { - utils.SetLogLevel(utils.LogLevelDebug) + logger.SetLogLevel(utils.LogLevelDebug) } else { - utils.SetLogLevel(utils.LogLevelInfo) + logger.SetLogLevel(utils.LogLevelInfo) } - utils.SetLogTimeFormat("") + logger.SetLogTimeFormat("") versions := protocol.SupportedVersions if *tls { diff --git a/vendor/github.com/lucas-clemente/quic-go/h2quic/client.go b/vendor/github.com/lucas-clemente/quic-go/h2quic/client.go index f506867dc..409808827 100644 --- a/vendor/github.com/lucas-clemente/quic-go/h2quic/client.go +++ b/vendor/github.com/lucas-clemente/quic-go/h2quic/client.go @@ -46,6 +46,8 @@ type client struct { requestWriter *requestWriter responses map[protocol.StreamID]chan *http.Response + + logger utils.Logger } var _ http.RoundTripper = &client{} @@ -75,6 +77,7 @@ func newClient( opts: opts, headerErrored: make(chan struct{}), dialer: dialer, + logger: utils.DefaultLogger, } } @@ -95,7 +98,7 @@ func (c *client) dial() error { if err != nil { return err } - c.requestWriter = newRequestWriter(c.headerStream) + c.requestWriter = newRequestWriter(c.headerStream, c.logger) go c.handleHeaderStream() return nil } @@ -108,7 +111,9 @@ func (c *client) handleHeaderStream() { for err == nil { err = c.readResponse(h2framer, decoder) } - utils.Debugf("Error handling header stream: %s", err) + if quicErr, ok := err.(*qerr.QuicError); !ok || quicErr.ErrorCode != qerr.PeerGoingAway { + c.logger.Debugf("Error handling header stream: %s", err) + } c.headerErr = qerr.Error(qerr.InvalidHeadersStreamData, err.Error()) // stop all running request close(c.headerErrored) @@ -202,6 +207,7 @@ func (c *client) RoundTrip(req *http.Request) (*http.Response, error) { bodySent = true } + ctx := req.Context() for !(bodySent && receivedResponse) { select { case res = <-responseChan: @@ -214,8 +220,16 @@ func (c *client) RoundTrip(req *http.Request) (*http.Response, error) { if err != nil { return nil, err } + case <-ctx.Done(): + // error code 6 signals that stream was canceled + dataStream.CancelRead(6) + dataStream.CancelWrite(6) + c.mutex.Lock() + delete(c.responses, dataStream.StreamID()) + c.mutex.Unlock() + return nil, ctx.Err() case <-c.headerErrored: - // an error occured on the header stream + // an error occurred on the header stream _ = c.CloseWithError(c.headerErr) return nil, c.headerErr } diff --git a/vendor/github.com/lucas-clemente/quic-go/h2quic/request_writer.go b/vendor/github.com/lucas-clemente/quic-go/h2quic/request_writer.go index 3f323691f..ddaaa741d 100644 --- a/vendor/github.com/lucas-clemente/quic-go/h2quic/request_writer.go +++ b/vendor/github.com/lucas-clemente/quic-go/h2quic/request_writer.go @@ -23,13 +23,16 @@ type requestWriter struct { henc *hpack.Encoder hbuf bytes.Buffer // HPACK encoder writes into this + + logger utils.Logger } const defaultUserAgent = "quic-go" -func newRequestWriter(headerStream quic.Stream) *requestWriter { +func newRequestWriter(headerStream quic.Stream, logger utils.Logger) *requestWriter { rw := &requestWriter{ headerStream: headerStream, + logger: logger, } rw.henc = hpack.NewEncoder(&rw.hbuf) return rw @@ -76,9 +79,8 @@ func (w *requestWriter) encodeHeaders(req *http.Request, addGzipHeader bool, tra if !validPseudoPath(path) { if req.URL.Opaque != "" { return nil, fmt.Errorf("invalid request :path %q from URL.Opaque = %q", orig, req.URL.Opaque) - } else { - return nil, fmt.Errorf("invalid request :path %q", orig) } + return nil, fmt.Errorf("invalid request :path %q", orig) } } } @@ -157,7 +159,7 @@ func (w *requestWriter) encodeHeaders(req *http.Request, addGzipHeader bool, tra } func (w *requestWriter) writeHeader(name, value string) { - utils.Debugf("http2: Transport encoding header %q = %q", name, value) + w.logger.Debugf("http2: Transport encoding header %q = %q", name, value) w.henc.WriteField(hpack.HeaderField{Name: name, Value: value}) } diff --git a/vendor/github.com/lucas-clemente/quic-go/h2quic/response.go b/vendor/github.com/lucas-clemente/quic-go/h2quic/response.go index 13efdf849..d5dd21941 100644 --- a/vendor/github.com/lucas-clemente/quic-go/h2quic/response.go +++ b/vendor/github.com/lucas-clemente/quic-go/h2quic/response.go @@ -3,7 +3,6 @@ package h2quic import ( "bytes" "errors" - "io" "io/ioutil" "net/http" "net/textproto" @@ -16,7 +15,7 @@ import ( // copied from net/http2/transport.go var errResponseHeaderListSize = errors.New("http2: response header list larger than advertised limit") -var noBody io.ReadCloser = ioutil.NopCloser(bytes.NewReader(nil)) +var noBody = ioutil.NopCloser(bytes.NewReader(nil)) // from the handleResponse function func responseFromHeaders(f *http2.MetaHeadersFrame) (*http.Response, error) { @@ -33,16 +32,7 @@ func responseFromHeaders(f *http2.MetaHeadersFrame) (*http.Response, error) { return nil, errors.New("malformed non-numeric status pseudo header") } - if statusCode == 100 { - // TODO: handle this - - // traceGot100Continue(cs.trace) - // if cs.on100 != nil { - // cs.on100() // forces any write delay timer to fire - // } - // cs.pastHeaders = false // do it all again - // return nil, nil - } + // TODO: handle statusCode == 100 header := make(http.Header) res := &http.Response{ @@ -78,13 +68,7 @@ func setLength(res *http.Response, isHead, streamEnded bool) *http.Response { if clens := res.Header["Content-Length"]; len(clens) == 1 { if clen64, err := strconv.ParseInt(clens[0], 10, 64); err == nil { res.ContentLength = clen64 - } else { - // TODO: care? unlike http/1, it won't mess up our framing, so it's - // more safe smuggling-wise to ignore. } - } else if len(clens) > 1 { - // TODO: care? unlike http/1, it won't mess up our framing, so it's - // more safe smuggling-wise to ignore. } } return res diff --git a/vendor/github.com/lucas-clemente/quic-go/h2quic/response_writer.go b/vendor/github.com/lucas-clemente/quic-go/h2quic/response_writer.go index 1dd4e928a..25b77a54c 100644 --- a/vendor/github.com/lucas-clemente/quic-go/h2quic/response_writer.go +++ b/vendor/github.com/lucas-clemente/quic-go/h2quic/response_writer.go @@ -24,15 +24,24 @@ type responseWriter struct { header http.Header status int // status code passed to WriteHeader headerWritten bool + + logger utils.Logger } -func newResponseWriter(headerStream quic.Stream, headerStreamMutex *sync.Mutex, dataStream quic.Stream, dataStreamID protocol.StreamID) *responseWriter { +func newResponseWriter( + headerStream quic.Stream, + headerStreamMutex *sync.Mutex, + dataStream quic.Stream, + dataStreamID protocol.StreamID, + logger utils.Logger, +) *responseWriter { return &responseWriter{ header: http.Header{}, headerStream: headerStream, headerStreamMutex: headerStreamMutex, dataStream: dataStream, dataStreamID: dataStreamID, + logger: logger, } } @@ -57,7 +66,7 @@ func (w *responseWriter) WriteHeader(status int) { } } - utils.Infof("Responding with %d", status) + w.logger.Infof("Responding with %d", status) w.headerStreamMutex.Lock() defer w.headerStreamMutex.Unlock() h2framer := http2.NewFramer(w.headerStream, nil) @@ -67,7 +76,7 @@ func (w *responseWriter) WriteHeader(status int) { BlockFragment: headers.Bytes(), }) if err != nil { - utils.Errorf("could not write h2 header: %s", err.Error()) + w.logger.Errorf("could not write h2 header: %s", err.Error()) } } diff --git a/vendor/github.com/lucas-clemente/quic-go/h2quic/server.go b/vendor/github.com/lucas-clemente/quic-go/h2quic/server.go index 329edfd0d..a2412bd16 100644 --- a/vendor/github.com/lucas-clemente/quic-go/h2quic/server.go +++ b/vendor/github.com/lucas-clemente/quic-go/h2quic/server.go @@ -53,6 +53,8 @@ type Server struct { closed bool supportedVersionsAsString string + + logger utils.Logger // will be set by Server.serveImpl() } // ListenAndServe listens on the UDP address s.Addr and calls s.Handler to handle HTTP/2 requests on incoming connections. @@ -88,6 +90,7 @@ func (s *Server) serveImpl(tlsConfig *tls.Config, conn net.PacketConn) error { if s.Server == nil { return errors.New("use of h2quic.Server without http.Server") } + s.logger = utils.DefaultLogger s.listenerMutex.Lock() if s.closed { s.listenerMutex.Unlock() @@ -138,7 +141,7 @@ func (s *Server) handleHeaderStream(session streamCreator) { // In this case, the session has already logged the error, so we don't // need to log it again. if _, ok := err.(*qerr.QuicError); !ok { - utils.Errorf("error handling h2 request: %s", err.Error()) + s.logger.Errorf("error handling h2 request: %s", err.Error()) } session.Close(err) return @@ -160,7 +163,7 @@ func (s *Server) handleRequest(session streamCreator, headerStream quic.Stream, } headers, err := hpackDecoder.DecodeFull(h2headersFrame.HeaderBlockFragment()) if err != nil { - utils.Errorf("invalid http2 headers encoding: %s", err.Error()) + s.logger.Errorf("invalid http2 headers encoding: %s", err.Error()) return err } @@ -169,10 +172,10 @@ func (s *Server) handleRequest(session streamCreator, headerStream quic.Stream, return err } - if utils.Debug() { - utils.Infof("%s %s%s, on data stream %d", req.Method, req.Host, req.RequestURI, h2headersFrame.StreamID) + if s.logger.Debug() { + s.logger.Infof("%s %s%s, on data stream %d", req.Method, req.Host, req.RequestURI, h2headersFrame.StreamID) } else { - utils.Infof("%s %s%s", req.Method, req.Host, req.RequestURI) + s.logger.Infof("%s %s%s", req.Method, req.Host, req.RequestURI) } dataStream, err := session.GetOrOpenStream(protocol.StreamID(h2headersFrame.StreamID)) @@ -201,7 +204,7 @@ func (s *Server) handleRequest(session streamCreator, headerStream quic.Stream, req.RemoteAddr = session.RemoteAddr().String() - responseWriter := newResponseWriter(headerStream, headerStreamMutex, dataStream, protocol.StreamID(h2headersFrame.StreamID)) + responseWriter := newResponseWriter(headerStream, headerStreamMutex, dataStream, protocol.StreamID(h2headersFrame.StreamID), s.logger) handler := s.Handler if handler == nil { @@ -215,7 +218,7 @@ func (s *Server) handleRequest(session streamCreator, headerStream quic.Stream, const size = 64 << 10 buf := make([]byte, size) buf = buf[:runtime.Stack(buf, false)] - utils.Errorf("http: panic serving: %v\n%s", p, buf) + s.logger.Errorf("http: panic serving: %v\n%s", p, buf) panicked = true } }() diff --git a/vendor/github.com/lucas-clemente/quic-go/integrationtests/tools/proxy/proxy.go b/vendor/github.com/lucas-clemente/quic-go/integrationtests/tools/proxy/proxy.go index 5b1dc21d0..d12a3baea 100644 --- a/vendor/github.com/lucas-clemente/quic-go/integrationtests/tools/proxy/proxy.go +++ b/vendor/github.com/lucas-clemente/quic-go/integrationtests/tools/proxy/proxy.go @@ -7,6 +7,7 @@ import ( "time" "github.com/lucas-clemente/quic-go/internal/protocol" + "github.com/lucas-clemente/quic-go/internal/utils" ) // Connection is a UDP connection @@ -43,6 +44,8 @@ func (d Direction) String() string { } } +// Is says if one direction matches another direction. +// For example, incoming matches both incoming and both, but not outgoing. func (d Direction) Is(dir Direction) bool { if d == DirectionBoth || dir == DirectionBoth { return true @@ -92,6 +95,8 @@ type QuicProxy struct { // Mapping from client addresses (as host:port) to connection clientDict map[string]*connection + + logger utils.Logger } // NewQuicProxy creates a new UDP proxy @@ -129,14 +134,23 @@ func NewQuicProxy(local string, version protocol.VersionNumber, opts *Opts) (*Qu dropPacket: packetDropper, delayPacket: packetDelayer, version: version, + logger: utils.DefaultLogger, } + p.logger.Debugf("Starting UDP Proxy %s <-> %s", conn.LocalAddr(), raddr) go p.runProxy() return &p, nil } // Close stops the UDP Proxy func (p *QuicProxy) Close() error { + p.mutex.Lock() + defer p.mutex.Unlock() + for _, c := range p.clientDict { + if err := c.ServerConn.Close(); err != nil { + return err + } + } return p.conn.Close() } @@ -189,19 +203,27 @@ func (p *QuicProxy) runProxy() error { packetCount := atomic.AddUint64(&conn.incomingPacketCounter, 1) if p.dropPacket(DirectionIncoming, packetCount) { + if p.logger.Debug() { + p.logger.Debugf("dropping incoming packet %d (%d bytes)", packetCount, n) + } continue } // Send the packet to the server delay := p.delayPacket(DirectionIncoming, packetCount) if delay != 0 { + if p.logger.Debug() { + p.logger.Debugf("delaying incoming packet %d (%d bytes) to %s by %s", packetCount, n, conn.ServerConn.RemoteAddr(), delay) + } time.AfterFunc(delay, func() { // TODO: handle error _, _ = conn.ServerConn.Write(raw) }) } else { - _, err := conn.ServerConn.Write(raw) - if err != nil { + if p.logger.Debug() { + p.logger.Debugf("forwarding incoming packet %d (%d bytes) to %s", packetCount, n, conn.ServerConn.RemoteAddr()) + } + if _, err := conn.ServerConn.Write(raw); err != nil { return err } } @@ -221,18 +243,26 @@ func (p *QuicProxy) runConnection(conn *connection) error { packetCount := atomic.AddUint64(&conn.outgoingPacketCounter, 1) if p.dropPacket(DirectionOutgoing, packetCount) { + if p.logger.Debug() { + p.logger.Debugf("dropping outgoing packet %d (%d bytes)", packetCount, n) + } continue } delay := p.delayPacket(DirectionOutgoing, packetCount) if delay != 0 { + if p.logger.Debug() { + p.logger.Debugf("delaying outgoing packet %d (%d bytes) to %s by %s", packetCount, n, conn.ClientAddr, delay) + } time.AfterFunc(delay, func() { // TODO: handle error _, _ = p.conn.WriteToUDP(raw, conn.ClientAddr) }) } else { - _, err := p.conn.WriteToUDP(raw, conn.ClientAddr) - if err != nil { + if p.logger.Debug() { + p.logger.Debugf("forwarding outgoing packet %d (%d bytes) to %s", packetCount, n, conn.ClientAddr) + } + if _, err := p.conn.WriteToUDP(raw, conn.ClientAddr); err != nil { return err } } diff --git a/vendor/github.com/lucas-clemente/quic-go/integrationtests/tools/testlog/testlog.go b/vendor/github.com/lucas-clemente/quic-go/integrationtests/tools/testlog/testlog.go index 783531627..c987ddb73 100644 --- a/vendor/github.com/lucas-clemente/quic-go/integrationtests/tools/testlog/testlog.go +++ b/vendor/github.com/lucas-clemente/quic-go/integrationtests/tools/testlog/testlog.go @@ -30,7 +30,7 @@ var _ = BeforeEach(func() { logFile, err = os.Create(logFileName) Expect(err).ToNot(HaveOccurred()) log.SetOutput(logFile) - utils.SetLogLevel(utils.LogLevelDebug) + utils.DefaultLogger.SetLogLevel(utils.LogLevelDebug) } }) diff --git a/vendor/github.com/lucas-clemente/quic-go/integrationtests/tools/testserver/server.go b/vendor/github.com/lucas-clemente/quic-go/integrationtests/tools/testserver/server.go index 909f560b2..70ba2dda5 100644 --- a/vendor/github.com/lucas-clemente/quic-go/integrationtests/tools/testserver/server.go +++ b/vendor/github.com/lucas-clemente/quic-go/integrationtests/tools/testserver/server.go @@ -22,7 +22,9 @@ const ( ) var ( - PRData = GeneratePRData(dataLen) + // PRData contains dataLen bytes of pseudo-random data. + PRData = GeneratePRData(dataLen) + // PRDataLong contains dataLenLong bytes of pseudo-random data. PRDataLong = GeneratePRData(dataLenLong) server *h2quic.Server @@ -105,11 +107,13 @@ func StartQuicServer(versions []protocol.VersionNumber) { }() } +// StopQuicServer stops the h2quic.Server. func StopQuicServer() { Expect(server.Close()).NotTo(HaveOccurred()) Eventually(stoppedServing).Should(BeClosed()) } +// Port returns the UDP port of the QUIC server. func Port() string { return port } diff --git a/vendor/github.com/lucas-clemente/quic-go/interface.go b/vendor/github.com/lucas-clemente/quic-go/interface.go index b0a18293d..3ab64afdc 100644 --- a/vendor/github.com/lucas-clemente/quic-go/interface.go +++ b/vendor/github.com/lucas-clemente/quic-go/interface.go @@ -16,6 +16,9 @@ type StreamID = protocol.StreamID // A VersionNumber is a QUIC version number. type VersionNumber = protocol.VersionNumber +// VersionGQUIC39 is gQUIC version 39. +const VersionGQUIC39 = protocol.Version39 + // A Cookie can be used to verify the ownership of the client address. type Cookie = handshake.Cookie @@ -113,15 +116,25 @@ type StreamError interface { // A Session is a QUIC connection between two peers. type Session interface { // AcceptStream returns the next stream opened by the peer, blocking until one is available. - // Since stream 1 is reserved for the crypto stream, the first stream is either 2 (for a client) or 3 (for a server). AcceptStream() (Stream, error) - // OpenStream opens a new QUIC stream, returning a special error when the peer's concurrent stream limit is reached. - // New streams always have the smallest possible stream ID. - // TODO: Enable testing for the special error + // AcceptUniStream returns the next unidirectional stream opened by the peer, blocking until one is available. + AcceptUniStream() (ReceiveStream, error) + // OpenStream opens a new bidirectional QUIC stream. + // It returns a special error when the peer's concurrent stream limit is reached. + // There is no signaling to the peer about new streams: + // The peer can only accept the stream after data has been sent on the stream. + // TODO(#1152): Enable testing for the special error OpenStream() (Stream, error) - // OpenStreamSync opens a new QUIC stream, blocking until the peer's concurrent stream limit allows a new stream to be opened. - // It always picks the smallest possible stream ID. + // OpenStreamSync opens a new bidirectional QUIC stream. + // It blocks until the peer's concurrent stream limit allows a new stream to be opened. OpenStreamSync() (Stream, error) + // OpenUniStream opens a new outgoing unidirectional QUIC stream. + // It returns a special error when the peer's concurrent stream limit is reached. + // TODO(#1152): Enable testing for the special error + OpenUniStream() (SendStream, error) + // OpenUniStreamSync opens a new outgoing unidirectional QUIC stream. + // It blocks until the peer's concurrent stream limit allows a new stream to be opened. + OpenUniStreamSync() (SendStream, error) // LocalAddr returns the local address. LocalAddr() net.Addr // RemoteAddr returns the address of the peer. @@ -166,6 +179,17 @@ type Config struct { // MaxReceiveConnectionFlowControlWindow is the connection-level flow control window for receiving data. // If this value is zero, it will default to 1.5 MB for the server and 15 MB for the client. MaxReceiveConnectionFlowControlWindow uint64 + // MaxIncomingStreams is the maximum number of concurrent bidirectional streams that a peer is allowed to open. + // If not set, it will default to 100. + // If set to a negative value, it doesn't allow any bidirectional streams. + // Values larger than 65535 (math.MaxUint16) are invalid. + MaxIncomingStreams int + // MaxIncomingUniStreams is the maximum number of concurrent unidirectional streams that a peer is allowed to open. + // This value doesn't have any effect in Google QUIC. + // If not set, it will default to 100. + // If set to a negative value, it doesn't allow any unidirectional streams. + // Values larger than 65535 (math.MaxUint16) are invalid. + MaxIncomingUniStreams int // KeepAlive defines whether this peer will periodically send PING frames to keep the connection alive. KeepAlive bool } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/gen.go b/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/gen.go new file mode 100644 index 000000000..32235f81a --- /dev/null +++ b/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/gen.go @@ -0,0 +1,3 @@ +package ackhandler + +//go:generate genny -pkg ackhandler -in ../utils/linkedlist/linkedlist.go -out packet_linkedlist.go gen Item=Packet diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/interfaces.go b/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/interfaces.go index 09b2c0172..43027dcfb 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/interfaces.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/interfaces.go @@ -10,15 +10,13 @@ import ( // SentPacketHandler handles ACKs received for outgoing packets type SentPacketHandler interface { // SentPacket may modify the packet - SentPacket(packet *Packet) error + SentPacket(packet *Packet) + SentPacketsAsRetransmission(packets []*Packet, retransmissionOf protocol.PacketNumber) ReceivedAck(ackFrame *wire.AckFrame, withPacketNumber protocol.PacketNumber, encLevel protocol.EncryptionLevel, recvTime time.Time) error SetHandshakeComplete() - // SendingAllowed says if a packet can be sent. - // Sending packets might not be possible because: - // * we're congestion limited - // * we're tracking the maximum number of sent packets - SendingAllowed() bool + // The SendMode determines if and what kind of packets can be sent. + SendMode() SendMode // TimeUntilSend is the time when the next packet should be sent. // It is used for pacing packets. TimeUntilSend() time.Time @@ -32,10 +30,10 @@ type SentPacketHandler interface { GetStopWaitingFrame(force bool) *wire.StopWaitingFrame GetLowestPacketNotConfirmedAcked() protocol.PacketNumber DequeuePacketForRetransmission() (packet *Packet) - GetLeastUnacked() protocol.PacketNumber + GetPacketNumberLen(protocol.PacketNumber) protocol.PacketNumberLen GetAlarmTimeout() time.Time - OnAlarm() + OnAlarm() error } // ReceivedPacketHandler handles ACKs needed to send for incoming packets diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/packet.go b/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/packet.go index e4213a0b6..9673a85c7 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/packet.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/packet.go @@ -8,28 +8,22 @@ import ( ) // A Packet is a packet -// +gen linkedlist type Packet struct { PacketNumber protocol.PacketNumber + PacketType protocol.PacketType Frames []wire.Frame Length protocol.ByteCount EncryptionLevel protocol.EncryptionLevel + SendTime time.Time largestAcked protocol.PacketNumber // if the packet contains an ACK, the LargestAcked value of that ACK - sendTime time.Time -} -// GetFramesForRetransmission gets all the frames for retransmission -func (p *Packet) GetFramesForRetransmission() []wire.Frame { - var fs []wire.Frame - for _, frame := range p.Frames { - switch frame.(type) { - case *wire.AckFrame: - continue - case *wire.StopWaitingFrame: - continue - } - fs = append(fs, frame) - } - return fs + // There are two reasons why a packet cannot be retransmitted: + // * it was already retransmitted + // * this packet is a retransmission, and we already received an ACK for the original packet + canBeRetransmitted bool + includedInBytesInFlight bool + retransmittedAs []protocol.PacketNumber + isRetransmission bool // we need a separate bool here because 0 is a valid packet number + retransmissionOf protocol.PacketNumber } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/packet_linkedlist.go b/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/packet_linkedlist.go index a827b214e..bb74f4ef9 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/packet_linkedlist.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/packet_linkedlist.go @@ -1,13 +1,10 @@ -// Generated by: main -// TypeWriter: linkedlist -// Directive: +gen on Packet +// This file was automatically generated by genny. +// Any changes will be lost if this file is regenerated. +// see https://github.com/cheekybits/genny package ackhandler -// List is a modification of http://golang.org/pkg/container/list/ -// Copyright 2009 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. +// Linked list implementation from the Go standard library. // PacketElement is an element of a linked list. type PacketElement struct { @@ -41,8 +38,7 @@ func (e *PacketElement) Prev() *PacketElement { return nil } -// PacketList represents a doubly linked list. -// The zero value for PacketList is an empty list ready to use. +// PacketList is a linked list of Packets. type PacketList struct { root PacketElement // sentinel list element, only &root, root.prev, and root.next are used len int // current list length excluding (this) sentinel element @@ -63,7 +59,7 @@ func NewPacketList() *PacketList { return new(PacketList).Init() } // The complexity is O(1). func (l *PacketList) Len() int { return l.len } -// Front returns the first element of list l or nil. +// Front returns the first element of list l or nil if the list is empty. func (l *PacketList) Front() *PacketElement { if l.len == 0 { return nil @@ -71,7 +67,7 @@ func (l *PacketList) Front() *PacketElement { return l.root.next } -// Back returns the last element of list l or nil. +// Back returns the last element of list l or nil if the list is empty. func (l *PacketList) Back() *PacketElement { if l.len == 0 { return nil @@ -79,7 +75,7 @@ func (l *PacketList) Back() *PacketElement { return l.root.prev } -// lazyInit lazily initializes a zero PacketList value. +// lazyInit lazily initializes a zero List value. func (l *PacketList) lazyInit() { if l.root.next == nil { l.Init() @@ -98,7 +94,7 @@ func (l *PacketList) insert(e, at *PacketElement) *PacketElement { return e } -// insertValue is a convenience wrapper for insert(&PacketElement{Value: v}, at). +// insertValue is a convenience wrapper for insert(&Element{Value: v}, at). func (l *PacketList) insertValue(v Packet, at *PacketElement) *PacketElement { return l.insert(&PacketElement{Value: v}, at) } @@ -116,10 +112,11 @@ func (l *PacketList) remove(e *PacketElement) *PacketElement { // Remove removes e from l if e is an element of list l. // It returns the element value e.Value. +// The element must not be nil. func (l *PacketList) Remove(e *PacketElement) Packet { if e.list == l { // if e.list == l, l must have been initialized when e was inserted - // in l or l == nil (e is a zero PacketElement) and l.remove will crash + // in l or l == nil (e is a zero Element) and l.remove will crash l.remove(e) } return e.Value @@ -139,46 +136,51 @@ func (l *PacketList) PushBack(v Packet) *PacketElement { // InsertBefore inserts a new element e with value v immediately before mark and returns e. // If mark is not an element of l, the list is not modified. +// The mark must not be nil. func (l *PacketList) InsertBefore(v Packet, mark *PacketElement) *PacketElement { if mark.list != l { return nil } - // see comment in PacketList.Remove about initialization of l + // see comment in List.Remove about initialization of l return l.insertValue(v, mark.prev) } // InsertAfter inserts a new element e with value v immediately after mark and returns e. // If mark is not an element of l, the list is not modified. +// The mark must not be nil. func (l *PacketList) InsertAfter(v Packet, mark *PacketElement) *PacketElement { if mark.list != l { return nil } - // see comment in PacketList.Remove about initialization of l + // see comment in List.Remove about initialization of l return l.insertValue(v, mark) } // MoveToFront moves element e to the front of list l. // If e is not an element of l, the list is not modified. +// The element must not be nil. func (l *PacketList) MoveToFront(e *PacketElement) { if e.list != l || l.root.next == e { return } - // see comment in PacketList.Remove about initialization of l + // see comment in List.Remove about initialization of l l.insert(l.remove(e), &l.root) } // MoveToBack moves element e to the back of list l. // If e is not an element of l, the list is not modified. +// The element must not be nil. func (l *PacketList) MoveToBack(e *PacketElement) { if e.list != l || l.root.prev == e { return } - // see comment in PacketList.Remove about initialization of l + // see comment in List.Remove about initialization of l l.insert(l.remove(e), l.root.prev) } // MoveBefore moves element e to its new position before mark. // If e or mark is not an element of l, or e == mark, the list is not modified. +// The element and mark must not be nil. func (l *PacketList) MoveBefore(e, mark *PacketElement) { if e.list != l || e == mark || mark.list != l { return @@ -187,7 +189,8 @@ func (l *PacketList) MoveBefore(e, mark *PacketElement) { } // MoveAfter moves element e to its new position after mark. -// If e is not an element of l, or e == mark, the list is not modified. +// If e or mark is not an element of l, or e == mark, the list is not modified. +// The element and mark must not be nil. func (l *PacketList) MoveAfter(e, mark *PacketElement) { if e.list != l || e == mark || mark.list != l { return @@ -196,7 +199,7 @@ func (l *PacketList) MoveAfter(e, mark *PacketElement) { } // PushBackList inserts a copy of an other list at the back of list l. -// The lists l and other may be the same. +// The lists l and other may be the same. They must not be nil. func (l *PacketList) PushBackList(other *PacketList) { l.lazyInit() for i, e := other.Len(), other.Front(); i > 0; i, e = i-1, e.Next() { @@ -205,7 +208,7 @@ func (l *PacketList) PushBackList(other *PacketList) { } // PushFrontList inserts a copy of an other list at the front of list l. -// The lists l and other may be the same. +// The lists l and other may be the same. They must not be nil. func (l *PacketList) PushFrontList(other *PacketList) { l.lazyInit() for i, e := other.Len(), other.Back(); i > 0; i, e = i-1, e.Prev() { diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/received_packet_handler.go b/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/received_packet_handler.go index c316af4aa..10200f4cf 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/received_packet_handler.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/received_packet_handler.go @@ -3,7 +3,9 @@ package ackhandler import ( "time" + "github.com/lucas-clemente/quic-go/internal/congestion" "github.com/lucas-clemente/quic-go/internal/protocol" + "github.com/lucas-clemente/quic-go/internal/utils" "github.com/lucas-clemente/quic-go/internal/wire" ) @@ -15,6 +17,7 @@ type receivedPacketHandler struct { packetHistory *receivedPacketHistory ackSendDelay time.Duration + rttStats *congestion.RTTStats packetsReceivedSinceLastAck int retransmittablePacketsReceivedSinceLastAck int @@ -25,29 +28,54 @@ type receivedPacketHandler struct { version protocol.VersionNumber } +const ( + // maximum delay that can be applied to an ACK for a retransmittable packet + ackSendDelay = 25 * time.Millisecond + // initial maximum number of retransmittable packets received before sending an ack. + initialRetransmittablePacketsBeforeAck = 2 + // number of retransmittable that an ACK is sent for + retransmittablePacketsBeforeAck = 10 + // 1/5 RTT delay when doing ack decimation + ackDecimationDelay = 1.0 / 4 + // 1/8 RTT delay when doing ack decimation + shortAckDecimationDelay = 1.0 / 8 + // Minimum number of packets received before ack decimation is enabled. + // This intends to avoid the beginning of slow start, when CWNDs may be + // rapidly increasing. + minReceivedBeforeAckDecimation = 100 + // Maximum number of packets to ack immediately after a missing packet for + // fast retransmission to kick in at the sender. This limit is created to + // reduce the number of acks sent that have no benefit for fast retransmission. + // Set to the number of nacks needed for fast retransmit plus one for protection + // against an ack loss + maxPacketsAfterNewMissing = 4 +) + // NewReceivedPacketHandler creates a new receivedPacketHandler -func NewReceivedPacketHandler(version protocol.VersionNumber) ReceivedPacketHandler { +func NewReceivedPacketHandler(rttStats *congestion.RTTStats, version protocol.VersionNumber) ReceivedPacketHandler { return &receivedPacketHandler{ packetHistory: newReceivedPacketHistory(), - ackSendDelay: protocol.AckSendDelay, + ackSendDelay: ackSendDelay, + rttStats: rttStats, version: version, } } func (h *receivedPacketHandler) ReceivedPacket(packetNumber protocol.PacketNumber, rcvTime time.Time, shouldInstigateAck bool) error { + if packetNumber < h.ignoreBelow { + return nil + } + + isMissing := h.isMissing(packetNumber) if packetNumber > h.largestObserved { h.largestObserved = packetNumber h.largestObservedReceivedTime = rcvTime } - if packetNumber < h.ignoreBelow { - return nil - } - if err := h.packetHistory.ReceivedPacket(packetNumber); err != nil { return err } - h.maybeQueueAck(packetNumber, rcvTime, shouldInstigateAck) + h.maybeQueueAck(packetNumber, rcvTime, shouldInstigateAck, isMissing) return nil } @@ -58,35 +86,68 @@ func (h *receivedPacketHandler) IgnoreBelow(p protocol.PacketNumber) { h.packetHistory.DeleteBelow(p) } -func (h *receivedPacketHandler) maybeQueueAck(packetNumber protocol.PacketNumber, rcvTime time.Time, shouldInstigateAck bool) { - h.packetsReceivedSinceLastAck++ - - if shouldInstigateAck { - h.retransmittablePacketsReceivedSinceLastAck++ +// isMissing says if a packet was reported missing in the last ACK. +func (h *receivedPacketHandler) isMissing(p protocol.PacketNumber) bool { + if h.lastAck == nil { + return false } + return p < h.lastAck.LargestAcked && !h.lastAck.AcksPacket(p) +} - // always ack the first packet +func (h *receivedPacketHandler) hasNewMissingPackets() bool { if h.lastAck == nil { - h.ackQueued = true + return false } + highestRange := h.packetHistory.GetHighestAckRange() + return highestRange.First >= h.lastAck.LargestAcked && highestRange.Len() <= maxPacketsAfterNewMissing +} - // if the packet number is smaller than the largest acked packet, it must have been reported missing with the last ACK - // note that it cannot be a duplicate because they're already filtered out by ReceivedPacket() - if h.lastAck != nil && packetNumber < h.lastAck.LargestAcked { +// maybeQueueAck queues an ACK, if necessary. +// It is implemented analogously to Chrome's QuicConnection::MaybeQueueAck() +// in ACK_DECIMATION_WITH_REORDERING mode. +func (h *receivedPacketHandler) maybeQueueAck(packetNumber protocol.PacketNumber, rcvTime time.Time, shouldInstigateAck, wasMissing bool) { + h.packetsReceivedSinceLastAck++ + + // always ack the first packet + if h.lastAck == nil { h.ackQueued = true + return } - // check if a new missing range above the previously was created - if h.lastAck != nil && h.packetHistory.GetHighestAckRange().First > h.lastAck.LargestAcked { + // Send an ACK if this packet was reported missing in an ACK sent before. + // Ack decimation with reordering relies on the timer to send an ACK, but if + // missing packets we reported in the previous ack, send an ACK immediately. + if wasMissing { h.ackQueued = true } if !h.ackQueued && shouldInstigateAck { - if h.retransmittablePacketsReceivedSinceLastAck >= protocol.RetransmittablePacketsBeforeAck { - h.ackQueued = true + h.retransmittablePacketsReceivedSinceLastAck++ + + if packetNumber > minReceivedBeforeAckDecimation { + // ack up to 10 packets at once + if h.retransmittablePacketsReceivedSinceLastAck >= retransmittablePacketsBeforeAck { + h.ackQueued = true + } else if h.ackAlarm.IsZero() { + // wait for the minimum of the ack decimation delay or the delayed ack time before sending an ack + ackDelay := utils.MinDuration(ackSendDelay, time.Duration(float64(h.rttStats.MinRTT())*float64(ackDecimationDelay))) + h.ackAlarm = rcvTime.Add(ackDelay) + } } else { - if h.ackAlarm.IsZero() { - h.ackAlarm = rcvTime.Add(h.ackSendDelay) + // send an ACK every 2 retransmittable packets + if h.retransmittablePacketsReceivedSinceLastAck >= initialRetransmittablePacketsBeforeAck { + h.ackQueued = true + } else if h.ackAlarm.IsZero() { + h.ackAlarm = rcvTime.Add(ackSendDelay) + } + } + // If there are new missing packets to report, set a short timer to send an ACK. + if h.hasNewMissingPackets() { + // wait the minimum of 1/8 min RTT and the existing ack time + ackDelay := float64(h.rttStats.MinRTT()) * float64(shortAckDecimationDelay) + ackTime := rcvTime.Add(time.Duration(ackDelay)) + if h.ackAlarm.IsZero() || h.ackAlarm.After(ackTime) { + h.ackAlarm = ackTime } } } @@ -118,7 +179,6 @@ func (h *receivedPacketHandler) GetAckFrame() *wire.AckFrame { h.ackQueued = false h.packetsReceivedSinceLastAck = 0 h.retransmittablePacketsReceivedSinceLastAck = 0 - return ack } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/send_mode.go b/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/send_mode.go new file mode 100644 index 000000000..61573a478 --- /dev/null +++ b/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/send_mode.go @@ -0,0 +1,36 @@ +package ackhandler + +import "fmt" + +// The SendMode says what kind of packets can be sent. +type SendMode uint8 + +const ( + // SendNone means that no packets should be sent + SendNone SendMode = iota + // SendAck means an ACK-only packet should be sent + SendAck + // SendRetransmission means that retransmissions should be sent + SendRetransmission + // SendRTO means that an RTO probe packet should be sent + SendRTO + // SendAny packet should be sent + SendAny +) + +func (s SendMode) String() string { + switch s { + case SendNone: + return "none" + case SendAck: + return "ack" + case SendRetransmission: + return "retransmission" + case SendRTO: + return "rto" + case SendAny: + return "any" + default: + return fmt.Sprintf("invalid send mode: %d", s) + } +} diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/sent_packet_handler.go b/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/sent_packet_handler.go index 08b4ee5a3..72ab4df8f 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/sent_packet_handler.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/sent_packet_handler.go @@ -1,7 +1,6 @@ package ackhandler import ( - "errors" "fmt" "math" "time" @@ -30,13 +29,13 @@ const ( maxRTOTimeout = 60 * time.Second ) -// ErrDuplicateOrOutOfOrderAck occurs when a duplicate or an out-of-order ACK is received -var ErrDuplicateOrOutOfOrderAck = errors.New("SentPacketHandler: Duplicate or out-of-order ACK") - type sentPacketHandler struct { - lastSentPacketNumber protocol.PacketNumber - nextPacketSendTime time.Time - skippedPackets []protocol.PacketNumber + lastSentPacketNumber protocol.PacketNumber + lastSentRetransmittablePacketTime time.Time + lastSentHandshakePacketTime time.Time + + nextPacketSendTime time.Time + skippedPackets []protocol.PacketNumber largestAcked protocol.PacketNumber largestReceivedPacketWithAck protocol.PacketNumber @@ -44,8 +43,9 @@ type sentPacketHandler struct { // example: we send an ACK for packets 90-100 with packet number 20 // once we receive an ACK from the peer for packet 20, the lowestPacketNotConfirmedAcked is 101 lowestPacketNotConfirmedAcked protocol.PacketNumber + largestSentBeforeRTO protocol.PacketNumber - packetHistory *PacketList + packetHistory *sentPacketHistory stopWaitingManager stopWaitingManager retransmissionQueue []*Packet @@ -61,16 +61,20 @@ type sentPacketHandler struct { // The number of times an RTO has been sent without receiving an ack. rtoCount uint32 + // The number of RTO probe packets that should be sent. + numRTOs int // The time at which the next packet will be considered lost based on early transmit or exceeding the reordering window in time. lossTime time.Time // The alarm timeout alarm time.Time + + logger utils.Logger } // NewSentPacketHandler creates a new sentPacketHandler -func NewSentPacketHandler(rttStats *congestion.RTTStats) SentPacketHandler { +func NewSentPacketHandler(rttStats *congestion.RTTStats, logger utils.Logger) SentPacketHandler { congestion := congestion.NewCubicSender( congestion.DefaultClock{}, rttStats, @@ -80,16 +84,17 @@ func NewSentPacketHandler(rttStats *congestion.RTTStats) SentPacketHandler { ) return &sentPacketHandler{ - packetHistory: NewPacketList(), + packetHistory: newSentPacketHistory(), stopWaitingManager: stopWaitingManager{}, rttStats: rttStats, congestion: congestion, + logger: logger, } } func (h *sentPacketHandler) lowestUnacked() protocol.PacketNumber { - if f := h.packetHistory.Front(); f != nil { - return f.Value.PacketNumber + if p := h.packetHistory.FirstOutstanding(); p != nil { + return p.PacketNumber } return h.largestAcked + 1 } @@ -101,30 +106,51 @@ func (h *sentPacketHandler) SetHandshakeComplete() { queue = append(queue, packet) } } + var handshakePackets []*Packet + h.packetHistory.Iterate(func(p *Packet) (bool, error) { + if p.EncryptionLevel != protocol.EncryptionForwardSecure { + handshakePackets = append(handshakePackets, p) + } + return true, nil + }) + for _, p := range handshakePackets { + h.packetHistory.Remove(p.PacketNumber) + } h.retransmissionQueue = queue h.handshakeComplete = true } -func (h *sentPacketHandler) SentPacket(packet *Packet) error { - if protocol.PacketNumber(len(h.retransmissionQueue)+h.packetHistory.Len()+1) > protocol.MaxTrackedSentPackets { - return errors.New("Too many outstanding non-acked and non-retransmitted packets") +func (h *sentPacketHandler) SentPacket(packet *Packet) { + if isRetransmittable := h.sentPacketImpl(packet); isRetransmittable { + h.packetHistory.SentPacket(packet) + h.updateLossDetectionAlarm() + } +} + +func (h *sentPacketHandler) SentPacketsAsRetransmission(packets []*Packet, retransmissionOf protocol.PacketNumber) { + var p []*Packet + for _, packet := range packets { + if isRetransmittable := h.sentPacketImpl(packet); isRetransmittable { + p = append(p, packet) + } } + h.packetHistory.SentPacketsAsRetransmission(p, retransmissionOf) + h.updateLossDetectionAlarm() +} +func (h *sentPacketHandler) sentPacketImpl(packet *Packet) bool /* isRetransmittable */ { for p := h.lastSentPacketNumber + 1; p < packet.PacketNumber; p++ { h.skippedPackets = append(h.skippedPackets, p) - if len(h.skippedPackets) > protocol.MaxTrackedSkippedPackets { h.skippedPackets = h.skippedPackets[1:] } } - now := time.Now() h.lastSentPacketNumber = packet.PacketNumber - var largestAcked protocol.PacketNumber if len(packet.Frames) > 0 { if ackFrame, ok := packet.Frames[0].(*wire.AckFrame); ok { - largestAcked = ackFrame.LargestAcked + packet.largestAcked = ackFrame.LargestAcked } } @@ -132,24 +158,21 @@ func (h *sentPacketHandler) SentPacket(packet *Packet) error { isRetransmittable := len(packet.Frames) != 0 if isRetransmittable { - packet.sendTime = now - packet.largestAcked = largestAcked + if packet.EncryptionLevel < protocol.EncryptionForwardSecure { + h.lastSentHandshakePacketTime = packet.SendTime + } + h.lastSentRetransmittablePacketTime = packet.SendTime + packet.includedInBytesInFlight = true h.bytesInFlight += packet.Length - h.packetHistory.PushBack(*packet) + packet.canBeRetransmitted = true + if h.numRTOs > 0 { + h.numRTOs-- + } } + h.congestion.OnPacketSent(packet.SendTime, h.bytesInFlight, packet.PacketNumber, packet.Length, isRetransmittable) - h.congestion.OnPacketSent( - now, - h.bytesInFlight, - packet.PacketNumber, - packet.Length, - isRetransmittable, - ) - - h.nextPacketSendTime = utils.MaxTime(h.nextPacketSendTime, now).Add(h.congestion.TimeUntilSend(h.bytesInFlight)) - - h.updateLossDetectionAlarm(now) - return nil + h.nextPacketSendTime = utils.MaxTime(h.nextPacketSendTime, packet.SendTime).Add(h.congestion.TimeUntilSend(h.bytesInFlight)) + return isRetransmittable } func (h *sentPacketHandler) ReceivedAck(ackFrame *wire.AckFrame, withPacketNumber protocol.PacketNumber, encLevel protocol.EncryptionLevel, rcvTime time.Time) error { @@ -157,26 +180,19 @@ func (h *sentPacketHandler) ReceivedAck(ackFrame *wire.AckFrame, withPacketNumbe return qerr.Error(qerr.InvalidAckData, "Received ACK for an unsent package") } - // duplicate or out-of-order ACK - // if withPacketNumber <= h.largestReceivedPacketWithAck && withPacketNumber != 0 { - if withPacketNumber <= h.largestReceivedPacketWithAck { - return ErrDuplicateOrOutOfOrderAck - } - h.largestReceivedPacketWithAck = withPacketNumber - - // ignore repeated ACK (ACKs that don't have a higher LargestAcked than the last ACK) - if ackFrame.LargestAcked < h.lowestUnacked() { + // duplicate or out of order ACK + if withPacketNumber != 0 && withPacketNumber <= h.largestReceivedPacketWithAck { + h.logger.Debugf("Ignoring ACK frame (duplicate or out of order).") return nil } - h.largestAcked = ackFrame.LargestAcked + h.largestReceivedPacketWithAck = withPacketNumber + h.largestAcked = utils.MaxPacketNumber(h.largestAcked, ackFrame.LargestAcked) if h.skippedPacketsAcked(ackFrame) { return qerr.Error(qerr.InvalidAckData, "Received an ACK for a skipped packet number") } - rttUpdated := h.maybeUpdateRTT(ackFrame.LargestAcked, ackFrame.DelayTime, rcvTime) - - if rttUpdated { + if rttUpdated := h.maybeUpdateRTT(ackFrame.LargestAcked, ackFrame.DelayTime, rcvTime); rttUpdated { h.congestion.MaybeExitSlowStart() } @@ -185,24 +201,29 @@ func (h *sentPacketHandler) ReceivedAck(ackFrame *wire.AckFrame, withPacketNumbe return err } - if len(ackedPackets) > 0 { - for _, p := range ackedPackets { - if encLevel < p.Value.EncryptionLevel { - return fmt.Errorf("Received ACK with encryption level %s that acks a packet %d (encryption level %s)", encLevel, p.Value.PacketNumber, p.Value.EncryptionLevel) - } - // largestAcked == 0 either means that the packet didn't contain an ACK, or it just acked packet 0 - // It is safe to ignore the corner case of packets that just acked packet 0, because - // the lowestPacketNotConfirmedAcked is only used to limit the number of ACK ranges we will send. - if p.Value.largestAcked != 0 { - h.lowestPacketNotConfirmedAcked = utils.MaxPacketNumber(h.lowestPacketNotConfirmedAcked, p.Value.largestAcked+1) - } - h.onPacketAcked(p) - h.congestion.OnPacketAcked(p.Value.PacketNumber, p.Value.Length, h.bytesInFlight) + priorInFlight := h.bytesInFlight + for _, p := range ackedPackets { + if encLevel < p.EncryptionLevel { + return fmt.Errorf("Received ACK with encryption level %s that acks a packet %d (encryption level %s)", encLevel, p.PacketNumber, p.EncryptionLevel) + } + // largestAcked == 0 either means that the packet didn't contain an ACK, or it just acked packet 0 + // It is safe to ignore the corner case of packets that just acked packet 0, because + // the lowestPacketNotConfirmedAcked is only used to limit the number of ACK ranges we will send. + if p.largestAcked != 0 { + h.lowestPacketNotConfirmedAcked = utils.MaxPacketNumber(h.lowestPacketNotConfirmedAcked, p.largestAcked+1) + } + if err := h.onPacketAcked(p); err != nil { + return err + } + if p.includedInBytesInFlight { + h.congestion.OnPacketAcked(p.PacketNumber, p.Length, priorInFlight) } } - h.detectLostPackets(rcvTime) - h.updateLossDetectionAlarm(rcvTime) + if err := h.detectLostPackets(rcvTime, priorInFlight); err != nil { + return err + } + h.updateLossDetectionAlarm() h.garbageCollectSkippedPackets() h.stopWaitingManager.ReceivedAck(ackFrame) @@ -214,59 +235,50 @@ func (h *sentPacketHandler) GetLowestPacketNotConfirmedAcked() protocol.PacketNu return h.lowestPacketNotConfirmedAcked } -func (h *sentPacketHandler) determineNewlyAckedPackets(ackFrame *wire.AckFrame) ([]*PacketElement, error) { - var ackedPackets []*PacketElement +func (h *sentPacketHandler) determineNewlyAckedPackets(ackFrame *wire.AckFrame) ([]*Packet, error) { + var ackedPackets []*Packet ackRangeIndex := 0 - for el := h.packetHistory.Front(); el != nil; el = el.Next() { - packet := el.Value - packetNumber := packet.PacketNumber - + err := h.packetHistory.Iterate(func(p *Packet) (bool, error) { // Ignore packets below the LowestAcked - if packetNumber < ackFrame.LowestAcked { - continue + if p.PacketNumber < ackFrame.LowestAcked { + return true, nil } // Break after LargestAcked is reached - if packetNumber > ackFrame.LargestAcked { - break + if p.PacketNumber > ackFrame.LargestAcked { + return false, nil } if ackFrame.HasMissingRanges() { ackRange := ackFrame.AckRanges[len(ackFrame.AckRanges)-1-ackRangeIndex] - for packetNumber > ackRange.Last && ackRangeIndex < len(ackFrame.AckRanges)-1 { + for p.PacketNumber > ackRange.Last && ackRangeIndex < len(ackFrame.AckRanges)-1 { ackRangeIndex++ ackRange = ackFrame.AckRanges[len(ackFrame.AckRanges)-1-ackRangeIndex] } - if packetNumber >= ackRange.First { // packet i contained in ACK range - if packetNumber > ackRange.Last { - return nil, fmt.Errorf("BUG: ackhandler would have acked wrong packet 0x%x, while evaluating range 0x%x -> 0x%x", packetNumber, ackRange.First, ackRange.Last) + if p.PacketNumber >= ackRange.First { // packet i contained in ACK range + if p.PacketNumber > ackRange.Last { + return false, fmt.Errorf("BUG: ackhandler would have acked wrong packet 0x%x, while evaluating range 0x%x -> 0x%x", p.PacketNumber, ackRange.First, ackRange.Last) } - ackedPackets = append(ackedPackets, el) + ackedPackets = append(ackedPackets, p) } } else { - ackedPackets = append(ackedPackets, el) + ackedPackets = append(ackedPackets, p) } - } - return ackedPackets, nil + return true, nil + }) + return ackedPackets, err } func (h *sentPacketHandler) maybeUpdateRTT(largestAcked protocol.PacketNumber, ackDelay time.Duration, rcvTime time.Time) bool { - for el := h.packetHistory.Front(); el != nil; el = el.Next() { - packet := el.Value - if packet.PacketNumber == largestAcked { - h.rttStats.UpdateRTT(rcvTime.Sub(packet.sendTime), ackDelay, rcvTime) - return true - } - // Packets are sorted by number, so we can stop searching - if packet.PacketNumber > largestAcked { - break - } + if p := h.packetHistory.GetPacket(largestAcked); p != nil { + h.rttStats.UpdateRTT(rcvTime.Sub(p.SendTime), ackDelay, rcvTime) + return true } return false } -func (h *sentPacketHandler) updateLossDetectionAlarm(now time.Time) { +func (h *sentPacketHandler) updateLossDetectionAlarm() { // Cancel the alarm if no packets are outstanding if h.packetHistory.Len() == 0 { h.alarm = time.Time{} @@ -275,76 +287,152 @@ func (h *sentPacketHandler) updateLossDetectionAlarm(now time.Time) { // TODO(#497): TLP if !h.handshakeComplete { - h.alarm = now.Add(h.computeHandshakeTimeout()) + h.alarm = h.lastSentHandshakePacketTime.Add(h.computeHandshakeTimeout()) } else if !h.lossTime.IsZero() { // Early retransmit timer or time loss detection. h.alarm = h.lossTime } else { // RTO - h.alarm = now.Add(h.computeRTOTimeout()) + h.alarm = h.lastSentRetransmittablePacketTime.Add(h.computeRTOTimeout()) } } -func (h *sentPacketHandler) detectLostPackets(now time.Time) { +func (h *sentPacketHandler) detectLostPackets(now time.Time, priorInFlight protocol.ByteCount) error { h.lossTime = time.Time{} maxRTT := float64(utils.MaxDuration(h.rttStats.LatestRTT(), h.rttStats.SmoothedRTT())) delayUntilLost := time.Duration((1.0 + timeReorderingFraction) * maxRTT) - var lostPackets []*PacketElement - for el := h.packetHistory.Front(); el != nil; el = el.Next() { - packet := el.Value - + var lostPackets []*Packet + h.packetHistory.Iterate(func(packet *Packet) (bool, error) { if packet.PacketNumber > h.largestAcked { - break + return false, nil } - timeSinceSent := now.Sub(packet.sendTime) + timeSinceSent := now.Sub(packet.SendTime) if timeSinceSent > delayUntilLost { - lostPackets = append(lostPackets, el) + lostPackets = append(lostPackets, packet) } else if h.lossTime.IsZero() { // Note: This conditional is only entered once per call h.lossTime = now.Add(delayUntilLost - timeSinceSent) } - } - - if len(lostPackets) > 0 { - for _, p := range lostPackets { - h.queuePacketForRetransmission(p) - h.congestion.OnPacketLost(p.Value.PacketNumber, p.Value.Length, h.bytesInFlight) + return true, nil + }) + + for _, p := range lostPackets { + // the bytes in flight need to be reduced no matter if this packet will be retransmitted + if p.includedInBytesInFlight { + h.bytesInFlight -= p.Length + h.congestion.OnPacketLost(p.PacketNumber, p.Length, priorInFlight) } + if p.canBeRetransmitted { + // queue the packet for retransmission, and report the loss to the congestion controller + h.logger.Debugf("\tQueueing packet %#x because it was detected lost", p.PacketNumber) + if err := h.queuePacketForRetransmission(p); err != nil { + return err + } + } + h.packetHistory.Remove(p.PacketNumber) } + return nil } -func (h *sentPacketHandler) OnAlarm() { +func (h *sentPacketHandler) OnAlarm() error { now := time.Now() // TODO(#497): TLP + var err error if !h.handshakeComplete { - h.queueHandshakePacketsForRetransmission() h.handshakeCount++ + err = h.queueHandshakePacketsForRetransmission() } else if !h.lossTime.IsZero() { // Early retransmit or time loss detection - h.detectLostPackets(now) + err = h.detectLostPackets(now, h.bytesInFlight) } else { // RTO - h.retransmitOldestTwoPackets() h.rtoCount++ + h.numRTOs += 2 + err = h.queueRTOs() } - - h.updateLossDetectionAlarm(now) + if err != nil { + return err + } + h.updateLossDetectionAlarm() + return nil } func (h *sentPacketHandler) GetAlarmTimeout() time.Time { return h.alarm } -func (h *sentPacketHandler) onPacketAcked(packetElement *PacketElement) { - h.bytesInFlight -= packetElement.Value.Length +func (h *sentPacketHandler) onPacketAcked(p *Packet) error { + // This happens if a packet and its retransmissions is acked in the same ACK. + // As soon as we process the first one, this will remove all the retransmissions, + // so we won't find the retransmitted packet number later. + if packet := h.packetHistory.GetPacket(p.PacketNumber); packet == nil { + return nil + } + + // only report the acking of this packet to the congestion controller if: + // * it is a retransmittable packet + // * this packet wasn't retransmitted yet + if p.isRetransmission { + // that the parent doesn't exist is expected to happen every time the original packet was already acked + if parent := h.packetHistory.GetPacket(p.retransmissionOf); parent != nil { + if len(parent.retransmittedAs) == 1 { + parent.retransmittedAs = nil + } else { + // remove this packet from the slice of retransmission + retransmittedAs := make([]protocol.PacketNumber, 0, len(parent.retransmittedAs)-1) + for _, pn := range parent.retransmittedAs { + if pn != p.PacketNumber { + retransmittedAs = append(retransmittedAs, pn) + } + } + parent.retransmittedAs = retransmittedAs + } + } + } + // this also applies to packets that have been retransmitted as probe packets + if p.includedInBytesInFlight { + h.bytesInFlight -= p.Length + } + if h.rtoCount > 0 { + h.verifyRTO(p.PacketNumber) + } + if err := h.stopRetransmissionsFor(p); err != nil { + return err + } h.rtoCount = 0 h.handshakeCount = 0 // TODO(#497): h.tlpCount = 0 - h.packetHistory.Remove(packetElement) + return h.packetHistory.Remove(p.PacketNumber) +} + +func (h *sentPacketHandler) stopRetransmissionsFor(p *Packet) error { + if err := h.packetHistory.MarkCannotBeRetransmitted(p.PacketNumber); err != nil { + return err + } + for _, r := range p.retransmittedAs { + packet := h.packetHistory.GetPacket(r) + if packet == nil { + return fmt.Errorf("sent packet handler BUG: marking packet as not retransmittable %d (retransmission of %d) not found in history", r, p.PacketNumber) + } + h.stopRetransmissionsFor(packet) + } + return nil +} + +func (h *sentPacketHandler) verifyRTO(pn protocol.PacketNumber) { + if pn <= h.largestSentBeforeRTO { + h.logger.Debugf("Spurious RTO detected. Received an ACK for %#x (largest sent before RTO: %#x)", pn, h.largestSentBeforeRTO) + // Replace SRTT with latest_rtt and increase the variance to prevent + // a spurious RTO from happening again. + h.rttStats.ExpireSmoothedMetrics() + return + } + h.logger.Debugf("RTO verified. Received an ACK for %#x (largest sent before RTO: %#x", pn, h.largestSentBeforeRTO) + h.congestion.OnRetransmissionTimeout(true) } func (h *sentPacketHandler) DequeuePacketForRetransmission() *Packet { @@ -359,26 +447,42 @@ func (h *sentPacketHandler) DequeuePacketForRetransmission() *Packet { return packet } -func (h *sentPacketHandler) GetLeastUnacked() protocol.PacketNumber { - return h.lowestUnacked() +func (h *sentPacketHandler) GetPacketNumberLen(p protocol.PacketNumber) protocol.PacketNumberLen { + return protocol.GetPacketNumberLengthForHeader(p, h.lowestUnacked()) } func (h *sentPacketHandler) GetStopWaitingFrame(force bool) *wire.StopWaitingFrame { return h.stopWaitingManager.GetStopWaitingFrame(force) } -func (h *sentPacketHandler) SendingAllowed() bool { - cwnd := h.congestion.GetCongestionWindow() - congestionLimited := h.bytesInFlight > cwnd - maxTrackedLimited := protocol.PacketNumber(len(h.retransmissionQueue)+h.packetHistory.Len()) >= protocol.MaxTrackedSentPackets - if congestionLimited { - utils.Debugf("Congestion limited: bytes in flight %d, window %d", h.bytesInFlight, cwnd) - } - // Workaround for #555: - // Always allow sending of retransmissions. This should probably be limited - // to RTOs, but we currently don't have a nice way of distinguishing them. - haveRetransmissions := len(h.retransmissionQueue) > 0 - return !maxTrackedLimited && (!congestionLimited || haveRetransmissions) +func (h *sentPacketHandler) SendMode() SendMode { + numTrackedPackets := len(h.retransmissionQueue) + h.packetHistory.Len() + + // Don't send any packets if we're keeping track of the maximum number of packets. + // Note that since MaxOutstandingSentPackets is smaller than MaxTrackedSentPackets, + // we will stop sending out new data when reaching MaxOutstandingSentPackets, + // but still allow sending of retransmissions and ACKs. + if numTrackedPackets >= protocol.MaxTrackedSentPackets { + h.logger.Debugf("Limited by the number of tracked packets: tracking %d packets, maximum %d", numTrackedPackets, protocol.MaxTrackedSentPackets) + return SendNone + } + if h.numRTOs > 0 { + return SendRTO + } + // Only send ACKs if we're congestion limited. + if cwnd := h.congestion.GetCongestionWindow(); h.bytesInFlight > cwnd { + h.logger.Debugf("Congestion limited: bytes in flight %d, window %d", h.bytesInFlight, cwnd) + return SendAck + } + // Send retransmissions first, if there are any. + if len(h.retransmissionQueue) > 0 { + return SendRetransmission + } + if numTrackedPackets >= protocol.MaxOutstandingSentPackets { + h.logger.Debugf("Max outstanding limited: tracking %d packets, maximum: %d", numTrackedPackets, protocol.MaxOutstandingSentPackets) + return SendAck + } + return SendAny } func (h *sentPacketHandler) TimeUntilSend() time.Time { @@ -386,6 +490,10 @@ func (h *sentPacketHandler) TimeUntilSend() time.Time { } func (h *sentPacketHandler) ShouldSendNumPackets() int { + if h.numRTOs > 0 { + // RTO probes should not be paced, but must be sent immediately. + return h.numRTOs + } delay := h.congestion.TimeUntilSend(h.bytesInFlight) if delay == 0 || delay > protocol.MinPacingDelay { return 1 @@ -393,45 +501,50 @@ func (h *sentPacketHandler) ShouldSendNumPackets() int { return int(math.Ceil(float64(protocol.MinPacingDelay) / float64(delay))) } -func (h *sentPacketHandler) retransmitOldestTwoPackets() { - if p := h.packetHistory.Front(); p != nil { - h.queueRTO(p) - } - if p := h.packetHistory.Front(); p != nil { - h.queueRTO(p) +// retransmit the oldest two packets +func (h *sentPacketHandler) queueRTOs() error { + h.largestSentBeforeRTO = h.lastSentPacketNumber + // Queue the first two outstanding packets for retransmission. + // This does NOT declare this packets as lost: + // They are still tracked in the packet history and count towards the bytes in flight. + for i := 0; i < 2; i++ { + if p := h.packetHistory.FirstOutstanding(); p != nil { + h.logger.Debugf("\tQueueing packet %#x for retransmission (RTO)", p.PacketNumber) + if err := h.queuePacketForRetransmission(p); err != nil { + return err + } + } } + return nil } -func (h *sentPacketHandler) queueRTO(el *PacketElement) { - packet := &el.Value - utils.Debugf( - "\tQueueing packet 0x%x for retransmission (RTO), %d outstanding", - packet.PacketNumber, - h.packetHistory.Len(), - ) - h.queuePacketForRetransmission(el) - h.congestion.OnPacketLost(packet.PacketNumber, packet.Length, h.bytesInFlight) - h.congestion.OnRetransmissionTimeout(true) -} - -func (h *sentPacketHandler) queueHandshakePacketsForRetransmission() { - var handshakePackets []*PacketElement - for el := h.packetHistory.Front(); el != nil; el = el.Next() { - if el.Value.EncryptionLevel < protocol.EncryptionForwardSecure { - handshakePackets = append(handshakePackets, el) +func (h *sentPacketHandler) queueHandshakePacketsForRetransmission() error { + var handshakePackets []*Packet + h.packetHistory.Iterate(func(p *Packet) (bool, error) { + if p.canBeRetransmitted && p.EncryptionLevel < protocol.EncryptionForwardSecure { + handshakePackets = append(handshakePackets, p) + } + return true, nil + }) + for _, p := range handshakePackets { + h.logger.Debugf("\tQueueing packet %#x as a handshake retransmission", p.PacketNumber) + if err := h.queuePacketForRetransmission(p); err != nil { + return err } } - for _, el := range handshakePackets { - h.queuePacketForRetransmission(el) - } + return nil } -func (h *sentPacketHandler) queuePacketForRetransmission(packetElement *PacketElement) { - packet := &packetElement.Value - h.bytesInFlight -= packet.Length - h.retransmissionQueue = append(h.retransmissionQueue, packet) - h.packetHistory.Remove(packetElement) - h.stopWaitingManager.QueuedRetransmissionForPacketNumber(packet.PacketNumber) +func (h *sentPacketHandler) queuePacketForRetransmission(p *Packet) error { + if !p.canBeRetransmitted { + return fmt.Errorf("sent packet handler BUG: packet %d already queued for retransmission", p.PacketNumber) + } + if err := h.packetHistory.MarkCannotBeRetransmitted(p.PacketNumber); err != nil { + return err + } + h.retransmissionQueue = append(h.retransmissionQueue, p) + h.stopWaitingManager.QueuedRetransmissionForPacketNumber(p.PacketNumber) + return nil } func (h *sentPacketHandler) computeHandshakeTimeout() time.Duration { @@ -446,9 +559,12 @@ func (h *sentPacketHandler) computeHandshakeTimeout() time.Duration { } func (h *sentPacketHandler) computeRTOTimeout() time.Duration { - rto := h.congestion.RetransmissionDelay() - if rto == 0 { + var rto time.Duration + rtt := h.rttStats.SmoothedRTT() + if rtt == 0 { rto = defaultRTOTimeout + } else { + rto = rtt + 4*h.rttStats.MeanDeviation() } rto = utils.MaxDuration(rto, minRTOTimeout) // Exponential backoff diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/sent_packet_history.go b/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/sent_packet_history.go new file mode 100644 index 000000000..38a2a0e50 --- /dev/null +++ b/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler/sent_packet_history.go @@ -0,0 +1,127 @@ +package ackhandler + +import ( + "fmt" + + "github.com/lucas-clemente/quic-go/internal/protocol" +) + +type sentPacketHistory struct { + packetList *PacketList + packetMap map[protocol.PacketNumber]*PacketElement + + firstOutstanding *PacketElement +} + +func newSentPacketHistory() *sentPacketHistory { + return &sentPacketHistory{ + packetList: NewPacketList(), + packetMap: make(map[protocol.PacketNumber]*PacketElement), + } +} + +func (h *sentPacketHistory) SentPacket(p *Packet) { + h.sentPacketImpl(p) +} + +func (h *sentPacketHistory) sentPacketImpl(p *Packet) *PacketElement { + el := h.packetList.PushBack(*p) + h.packetMap[p.PacketNumber] = el + if h.firstOutstanding == nil { + h.firstOutstanding = el + } + return el +} + +func (h *sentPacketHistory) SentPacketsAsRetransmission(packets []*Packet, retransmissionOf protocol.PacketNumber) { + retransmission, ok := h.packetMap[retransmissionOf] + // The retransmitted packet is not present anymore. + // This can happen if it was acked in between dequeueing of the retransmission and sending. + // Just treat the retransmissions as normal packets. + // TODO: This won't happen if we clear packets queued for retransmission on new ACKs. + if !ok { + for _, packet := range packets { + h.sentPacketImpl(packet) + } + return + } + retransmission.Value.retransmittedAs = make([]protocol.PacketNumber, len(packets)) + for i, packet := range packets { + retransmission.Value.retransmittedAs[i] = packet.PacketNumber + el := h.sentPacketImpl(packet) + el.Value.isRetransmission = true + el.Value.retransmissionOf = retransmissionOf + } +} + +func (h *sentPacketHistory) GetPacket(p protocol.PacketNumber) *Packet { + if el, ok := h.packetMap[p]; ok { + return &el.Value + } + return nil +} + +// Iterate iterates through all packets. +// The callback must not modify the history. +func (h *sentPacketHistory) Iterate(cb func(*Packet) (cont bool, err error)) error { + cont := true + for el := h.packetList.Front(); cont && el != nil; el = el.Next() { + var err error + cont, err = cb(&el.Value) + if err != nil { + return err + } + } + return nil +} + +// FirstOutStanding returns the first outstanding packet. +// It must not be modified (e.g. retransmitted). +// Use DequeueFirstPacketForRetransmission() to retransmit it. +func (h *sentPacketHistory) FirstOutstanding() *Packet { + if h.firstOutstanding == nil { + return nil + } + return &h.firstOutstanding.Value +} + +// QueuePacketForRetransmission marks a packet for retransmission. +// A packet can only be queued once. +func (h *sentPacketHistory) MarkCannotBeRetransmitted(pn protocol.PacketNumber) error { + el, ok := h.packetMap[pn] + if !ok { + return fmt.Errorf("sent packet history: packet %d not found", pn) + } + el.Value.canBeRetransmitted = false + if el == h.firstOutstanding { + h.readjustFirstOutstanding() + } + return nil +} + +// readjustFirstOutstanding readjusts the pointer to the first outstanding packet. +// This is necessary every time the first outstanding packet is deleted or retransmitted. +func (h *sentPacketHistory) readjustFirstOutstanding() { + el := h.firstOutstanding.Next() + for el != nil && !el.Value.canBeRetransmitted { + el = el.Next() + } + h.firstOutstanding = el +} + +func (h *sentPacketHistory) Len() int { + return len(h.packetMap) +} + +func (h *sentPacketHistory) Remove(p protocol.PacketNumber) error { + el, ok := h.packetMap[p] + if !ok { + return fmt.Errorf("packet %d not found in sent packet history", p) + } + if el == h.firstOutstanding { + h.readjustFirstOutstanding() + } + h.packetList.Remove(el) + delete(h.packetMap, p) + return nil +} diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/congestion/cubic_sender.go b/vendor/github.com/lucas-clemente/quic-go/internal/congestion/cubic_sender.go index 1ab59535f..21f019424 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/congestion/cubic_sender.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/congestion/cubic_sender.go @@ -292,11 +292,3 @@ func (c *cubicSender) OnConnectionMigration() { func (c *cubicSender) SetSlowStartLargeReduction(enabled bool) { c.slowStartLargeReduction = enabled } - -// RetransmissionDelay gives the time to retransmission -func (c *cubicSender) RetransmissionDelay() time.Duration { - if c.rttStats.SmoothedRTT() == 0 { - return 0 - } - return c.rttStats.SmoothedRTT() + c.rttStats.MeanDeviation()*4 -} diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/congestion/interface.go b/vendor/github.com/lucas-clemente/quic-go/internal/congestion/interface.go index 3c09428fd..28950dd0c 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/congestion/interface.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/congestion/interface.go @@ -17,7 +17,6 @@ type SendAlgorithm interface { SetNumEmulatedConnections(n int) OnRetransmissionTimeout(packetsRetransmitted bool) OnConnectionMigration() - RetransmissionDelay() time.Duration // Experiments SetSlowStartLargeReduction(enabled bool) diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/congestion/rtt_stats.go b/vendor/github.com/lucas-clemente/quic-go/internal/congestion/rtt_stats.go index 9e5e4541a..599e350fb 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/congestion/rtt_stats.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/congestion/rtt_stats.go @@ -84,7 +84,6 @@ func (r *RTTStats) SetRecentMinRTTwindow(recentMinRTTwindow time.Duration) { // UpdateRTT updates the RTT based on a new sample. func (r *RTTStats) UpdateRTT(sendDelta, ackDelay time.Duration, now time.Time) { if sendDelta == utils.InfDuration || sendDelta <= 0 { - utils.Debugf("Ignoring measured sendDelta, because it's is either infinite, zero, or negative: %d", sendDelta/time.Microsecond) return } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/crypto/cert_chain.go b/vendor/github.com/lucas-clemente/quic-go/internal/crypto/cert_chain.go index f3bc9fbf0..0c728fd25 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/crypto/cert_chain.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/crypto/cert_chain.go @@ -55,28 +55,28 @@ func (c *certChain) GetLeafCert(sni string) ([]byte, error) { return cert.Certificate[0], nil } -func (cc *certChain) getCertForSNI(sni string) (*tls.Certificate, error) { - c := cc.config - c, err := maybeGetConfigForClient(c, sni) +func (c *certChain) getCertForSNI(sni string) (*tls.Certificate, error) { + conf := c.config + conf, err := maybeGetConfigForClient(conf, sni) if err != nil { return nil, err } // The rest of this function is mostly copied from crypto/tls.getCertificate - if c.GetCertificate != nil { - cert, err := c.GetCertificate(&tls.ClientHelloInfo{ServerName: sni}) + if conf.GetCertificate != nil { + cert, err := conf.GetCertificate(&tls.ClientHelloInfo{ServerName: sni}) if cert != nil || err != nil { return cert, err } } - if len(c.Certificates) == 0 { + if len(conf.Certificates) == 0 { return nil, errNoMatchingCertificate } - if len(c.Certificates) == 1 || c.NameToCertificate == nil { + if len(conf.Certificates) == 1 || conf.NameToCertificate == nil { // There's only one choice, so no point doing any work. - return &c.Certificates[0], nil + return &conf.Certificates[0], nil } name := strings.ToLower(sni) @@ -84,7 +84,7 @@ func (cc *certChain) getCertForSNI(sni string) (*tls.Certificate, error) { name = name[:len(name)-1] } - if cert, ok := c.NameToCertificate[name]; ok { + if cert, ok := conf.NameToCertificate[name]; ok { return cert, nil } @@ -94,13 +94,13 @@ func (cc *certChain) getCertForSNI(sni string) (*tls.Certificate, error) { for i := range labels { labels[i] = "*" candidate := strings.Join(labels, ".") - if cert, ok := c.NameToCertificate[candidate]; ok { + if cert, ok := conf.NameToCertificate[candidate]; ok { return cert, nil } } // If nothing matches, return the first certificate. - return &c.Certificates[0], nil + return &conf.Certificates[0], nil } func maybeGetConfigForClient(c *tls.Config, sni string) (*tls.Config, error) { diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/crypto/curve_25519.go b/vendor/github.com/lucas-clemente/quic-go/internal/crypto/curve_25519.go index a570d6b31..fd25b00fc 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/crypto/curve_25519.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/crypto/curve_25519.go @@ -21,10 +21,6 @@ func NewCurve25519KEX() (KeyExchange, error) { if _, err := rand.Read(c.secret[:]); err != nil { return nil, errors.New("Curve25519: could not create private key") } - // See https://cr.yp.to/ecdh.html - c.secret[0] &= 248 - c.secret[31] &= 127 - c.secret[31] |= 64 curve25519.ScalarBaseMult(&c.public, &c.secret) return c, nil } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/crypto/key_derivation.go b/vendor/github.com/lucas-clemente/quic-go/internal/crypto/key_derivation.go index 316bd1b3b..89b9e1f12 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/crypto/key_derivation.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/crypto/key_derivation.go @@ -1,13 +1,16 @@ package crypto import ( + "crypto" + "encoding/binary" + "github.com/bifurcation/mint" "github.com/lucas-clemente/quic-go/internal/protocol" ) const ( - clientExporterLabel = "EXPORTER-QUIC client 1-RTT Secret" - serverExporterLabel = "EXPORTER-QUIC server 1-RTT Secret" + clientExporterLabel = "EXPORTER-QUIC client 1rtt" + serverExporterLabel = "EXPORTER-QUIC server 1rtt" ) // A TLSExporter gets the negotiated ciphersuite and computes exporter @@ -16,6 +19,14 @@ type TLSExporter interface { ComputeExporter(label string, context []byte, keyLength int) ([]byte, error) } +func qhkdfExpand(secret []byte, label string, length int) []byte { + qlabel := make([]byte, 2+1+5+len(label)) + binary.BigEndian.PutUint16(qlabel[0:2], uint16(length)) + qlabel[2] = uint8(5 + len(label)) + copy(qlabel[3:], []byte("QUIC "+label)) + return mint.HkdfExpand(crypto.SHA256, secret, qlabel, length) +} + // DeriveAESKeys derives the AES keys and creates a matching AES-GCM AEAD instance func DeriveAESKeys(tls TLSExporter, pers protocol.Perspective) (AEAD, error) { var myLabel, otherLabel string @@ -43,7 +54,7 @@ func computeKeyAndIV(tls TLSExporter, label string) (key, iv []byte, err error) if err != nil { return nil, nil, err } - key = mint.HkdfExpandLabel(cs.Hash, secret, "key", nil, cs.KeyLen) - iv = mint.HkdfExpandLabel(cs.Hash, secret, "iv", nil, cs.IvLen) + key = qhkdfExpand(secret, "key", cs.KeyLen) + iv = qhkdfExpand(secret, "iv", cs.IvLen) return key, iv, nil } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/crypto/null_aead_aesgcm.go b/vendor/github.com/lucas-clemente/quic-go/internal/crypto/null_aead_aesgcm.go index a647ad7f6..92c6362f4 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/crypto/null_aead_aesgcm.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/crypto/null_aead_aesgcm.go @@ -8,7 +8,7 @@ import ( "github.com/lucas-clemente/quic-go/internal/protocol" ) -var quicVersion1Salt = []byte{0xaf, 0xc8, 0x24, 0xec, 0x5f, 0xc7, 0x7e, 0xca, 0x1e, 0x9d, 0x36, 0xf3, 0x7f, 0xb2, 0xd4, 0x65, 0x18, 0xc3, 0x66, 0x39} +var quicVersion1Salt = []byte{0x9c, 0x10, 0x8f, 0x98, 0x52, 0x0a, 0x5c, 0x5c, 0x32, 0x96, 0x8e, 0x95, 0x0e, 0x8a, 0x2c, 0x5f, 0xe0, 0x6d, 0x6c, 0x38} func newNullAEADAESGCM(connectionID protocol.ConnectionID, pers protocol.Perspective) (AEAD, error) { clientSecret, serverSecret := computeSecrets(connectionID) @@ -31,14 +31,14 @@ func newNullAEADAESGCM(connectionID protocol.ConnectionID, pers protocol.Perspec func computeSecrets(connectionID protocol.ConnectionID) (clientSecret, serverSecret []byte) { connID := make([]byte, 8) binary.BigEndian.PutUint64(connID, uint64(connectionID)) - cleartextSecret := mint.HkdfExtract(crypto.SHA256, []byte(quicVersion1Salt), connID) - clientSecret = mint.HkdfExpandLabel(crypto.SHA256, cleartextSecret, "QUIC client cleartext Secret", []byte{}, crypto.SHA256.Size()) - serverSecret = mint.HkdfExpandLabel(crypto.SHA256, cleartextSecret, "QUIC server cleartext Secret", []byte{}, crypto.SHA256.Size()) + handshakeSecret := mint.HkdfExtract(crypto.SHA256, quicVersion1Salt, connID) + clientSecret = qhkdfExpand(handshakeSecret, "client hs", crypto.SHA256.Size()) + serverSecret = qhkdfExpand(handshakeSecret, "server hs", crypto.SHA256.Size()) return } func computeNullAEADKeyAndIV(secret []byte) (key, iv []byte) { - key = mint.HkdfExpandLabel(crypto.SHA256, secret, "key", nil, 16) - iv = mint.HkdfExpandLabel(crypto.SHA256, secret, "iv", nil, 12) + key = qhkdfExpand(secret, "key", 16) + iv = qhkdfExpand(secret, "iv", 12) return } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/crypto/null_aead_fnv128a.go b/vendor/github.com/lucas-clemente/quic-go/internal/crypto/null_aead_fnv128a.go index ecc4010bd..6c50ab908 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/crypto/null_aead_fnv128a.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/crypto/null_aead_fnv128a.go @@ -1,10 +1,11 @@ package crypto import ( - "encoding/binary" + "bytes" "errors" + "fmt" + "hash/fnv" - "github.com/lucas-clemente/fnv128a" "github.com/lucas-clemente/quic-go/internal/protocol" ) @@ -21,7 +22,7 @@ func (n *nullAEADFNV128a) Open(dst, src []byte, packetNumber protocol.PacketNumb return nil, errors.New("NullAEAD: ciphertext cannot be less than 12 bytes long") } - hash := fnv128a.New() + hash := fnv.New128a() hash.Write(associatedData) hash.Write(src[12:]) if n.perspective == protocol.PerspectiveServer { @@ -29,13 +30,13 @@ func (n *nullAEADFNV128a) Open(dst, src []byte, packetNumber protocol.PacketNumb } else { hash.Write([]byte("Server")) } - testHigh, testLow := hash.Sum128() + sum := make([]byte, 0, 16) + sum = hash.Sum(sum) + // The tag is written in little endian, so we need to reverse the slice. + reverse(sum) - low := binary.LittleEndian.Uint64(src) - high := binary.LittleEndian.Uint32(src[8:]) - - if uint32(testHigh&0xffffffff) != high || testLow != low { - return nil, errors.New("NullAEAD: failed to authenticate received data") + if !bytes.Equal(sum[:12], src[:12]) { + return nil, fmt.Errorf("NullAEAD: failed to authenticate received data (%#v vs %#v)", sum[:12], src[:12]) } return src[12:], nil } @@ -48,7 +49,7 @@ func (n *nullAEADFNV128a) Seal(dst, src []byte, packetNumber protocol.PacketNumb dst = dst[:12+len(src)] } - hash := fnv128a.New() + hash := fnv.New128a() hash.Write(associatedData) hash.Write(src) @@ -57,15 +58,22 @@ func (n *nullAEADFNV128a) Seal(dst, src []byte, packetNumber protocol.PacketNumb } else { hash.Write([]byte("Client")) } - - high, low := hash.Sum128() + sum := make([]byte, 0, 16) + sum = hash.Sum(sum) + // The tag is written in little endian, so we need to reverse the slice. + reverse(sum) copy(dst[12:], src) - binary.LittleEndian.PutUint64(dst, low) - binary.LittleEndian.PutUint32(dst[8:], uint32(high)) + copy(dst, sum[:12]) return dst } func (n *nullAEADFNV128a) Overhead() int { return 12 } + +func reverse(a []byte) { + for left, right := 0, len(a)-1; left < right; left, right = left+1, right-1 { + a[left], a[right] = a[right], a[left] + } +} diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/flowcontrol/base_flow_controller.go b/vendor/github.com/lucas-clemente/quic-go/internal/flowcontrol/base_flow_controller.go index 3a5c01615..fb92f0842 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/flowcontrol/base_flow_controller.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/flowcontrol/base_flow_controller.go @@ -25,6 +25,8 @@ type baseFlowController struct { epochStartTime time.Time epochStartOffset protocol.ByteCount rttStats *congestion.RTTStats + + logger utils.Logger } func (c *baseFlowController) AddBytesSent(n protocol.ByteCount) { diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/flowcontrol/connection_flow_controller.go b/vendor/github.com/lucas-clemente/quic-go/internal/flowcontrol/connection_flow_controller.go index 975cc5836..c4f6e125e 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/flowcontrol/connection_flow_controller.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/flowcontrol/connection_flow_controller.go @@ -22,6 +22,7 @@ func NewConnectionFlowController( receiveWindow protocol.ByteCount, maxReceiveWindow protocol.ByteCount, rttStats *congestion.RTTStats, + logger utils.Logger, ) ConnectionFlowController { return &connectionFlowController{ baseFlowController: baseFlowController{ @@ -29,6 +30,7 @@ func NewConnectionFlowController( receiveWindow: receiveWindow, receiveWindowSize: receiveWindow, maxReceiveWindowSize: maxReceiveWindow, + logger: logger, }, } } @@ -65,7 +67,7 @@ func (c *connectionFlowController) GetWindowUpdate() protocol.ByteCount { oldWindowSize := c.receiveWindowSize offset := c.baseFlowController.getWindowUpdate() if oldWindowSize < c.receiveWindowSize { - utils.Debugf("Increasing receive flow control window for the connection to %d kB", c.receiveWindowSize/(1<<10)) + c.logger.Debugf("Increasing receive flow control window for the connection to %d kB", c.receiveWindowSize/(1<<10)) } c.mutex.Unlock() return offset diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/flowcontrol/stream_flow_controller.go b/vendor/github.com/lucas-clemente/quic-go/internal/flowcontrol/stream_flow_controller.go index 51ecfe7f0..16bef2613 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/flowcontrol/stream_flow_controller.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/flowcontrol/stream_flow_controller.go @@ -31,6 +31,7 @@ func NewStreamFlowController( maxReceiveWindow protocol.ByteCount, initialSendWindow protocol.ByteCount, rttStats *congestion.RTTStats, + logger utils.Logger, ) StreamFlowController { return &streamFlowController{ streamID: streamID, @@ -42,6 +43,7 @@ func NewStreamFlowController( receiveWindowSize: receiveWindow, maxReceiveWindowSize: maxReceiveWindow, sendWindow: initialSendWindow, + logger: logger, }, } } @@ -137,7 +139,7 @@ func (c *streamFlowController) GetWindowUpdate() protocol.ByteCount { oldWindowSize := c.receiveWindowSize offset := c.baseFlowController.getWindowUpdate() if c.receiveWindowSize > oldWindowSize { // auto-tuning enlarged the window size - utils.Debugf("Increasing receive flow control window for the connection to %d kB", c.receiveWindowSize/(1<<10)) + c.logger.Debugf("Increasing receive flow control window for the connection to %d kB", c.receiveWindowSize/(1<<10)) if c.contributesToConnection { c.connection.EnsureMinimumWindowSize(protocol.ByteCount(float64(c.receiveWindowSize) * protocol.ConnectionFlowControlMultiplier)) } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/cookie_handler.go b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/cookie_handler.go index 1d3052c49..bc2bd8e57 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/cookie_handler.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/cookie_handler.go @@ -7,15 +7,20 @@ import ( "github.com/lucas-clemente/quic-go/internal/utils" ) +// A CookieHandler generates and validates cookies. +// The cookie is sent in the TLS Retry. +// By including the cookie in its ClientHello, a client can proof ownership of its source address. type CookieHandler struct { - callback func(net.Addr, *Cookie) bool - + callback func(net.Addr, *Cookie) bool cookieGenerator *CookieGenerator + + logger utils.Logger } var _ mint.CookieHandler = &CookieHandler{} -func NewCookieHandler(callback func(net.Addr, *Cookie) bool) (*CookieHandler, error) { +// NewCookieHandler creates a new CookieHandler. +func NewCookieHandler(callback func(net.Addr, *Cookie) bool, logger utils.Logger) (*CookieHandler, error) { cookieGenerator, err := NewCookieGenerator() if err != nil { return nil, err @@ -23,9 +28,11 @@ func NewCookieHandler(callback func(net.Addr, *Cookie) bool) (*CookieHandler, er return &CookieHandler{ callback: callback, cookieGenerator: cookieGenerator, + logger: logger, }, nil } +// Generate a new cookie for a mint connection. func (h *CookieHandler) Generate(conn *mint.Conn) ([]byte, error) { if h.callback(conn.RemoteAddr(), nil) { return nil, nil @@ -33,10 +40,11 @@ func (h *CookieHandler) Generate(conn *mint.Conn) ([]byte, error) { return h.cookieGenerator.NewToken(conn.RemoteAddr()) } +// Validate a cookie. func (h *CookieHandler) Validate(conn *mint.Conn, token []byte) bool { data, err := h.cookieGenerator.DecodeToken(token) if err != nil { - utils.Debugf("Couldn't decode cookie from %s: %s", conn.RemoteAddr(), err.Error()) + h.logger.Debugf("Couldn't decode cookie from %s: %s", conn.RemoteAddr(), err.Error()) return false } return h.callback(conn.RemoteAddr(), data) diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/crypto_setup_client.go b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/crypto_setup_client.go index cb500b583..0700399a8 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/crypto_setup_client.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/crypto_setup_client.go @@ -38,13 +38,12 @@ type cryptoSetupClient struct { lastSentCHLO []byte certManager crypto.CertManager - divNonceChan chan []byte + divNonceChan <-chan []byte diversificationNonce []byte clientHelloCounter int serverVerified bool // has the certificate chain and the proof already been verified keyDerivation QuicCryptoKeyDerivationFunction - keyExchange KeyExchangeFunction receivedSecurePacket bool nullAEAD crypto.AEAD @@ -55,6 +54,8 @@ type cryptoSetupClient struct { handshakeEvent chan<- struct{} params *TransportParameters + + logger utils.Logger } var _ CryptoSetup = &cryptoSetupClient{} @@ -77,12 +78,14 @@ func NewCryptoSetupClient( handshakeEvent chan<- struct{}, initialVersion protocol.VersionNumber, negotiatedVersions []protocol.VersionNumber, -) (CryptoSetup, error) { + logger utils.Logger, +) (CryptoSetup, chan<- []byte, error) { nullAEAD, err := crypto.NewNullAEAD(protocol.PerspectiveClient, connID, version) if err != nil { - return nil, err + return nil, nil, err } - return &cryptoSetupClient{ + divNonceChan := make(chan []byte) + cs := &cryptoSetupClient{ cryptoStream: cryptoStream, hostname: hostname, connID: connID, @@ -90,14 +93,15 @@ func NewCryptoSetupClient( certManager: crypto.NewCertManager(tlsConfig), params: params, keyDerivation: crypto.DeriveQuicCryptoAESKeys, - keyExchange: getEphermalKEX, nullAEAD: nullAEAD, paramsChan: paramsChan, handshakeEvent: handshakeEvent, initialVersion: initialVersion, negotiatedVersions: negotiatedVersions, - divNonceChan: make(chan []byte), - }, nil + divNonceChan: divNonceChan, + logger: logger, + } + return cs, divNonceChan, nil } func (h *cryptoSetupClient) HandleCryptoStream() error { @@ -146,7 +150,7 @@ func (h *cryptoSetupClient) HandleCryptoStream() error { return err } - utils.Debugf("Got %s", message) + h.logger.Debugf("Got %s", message) switch message.Tag { case TagREJ: if err := h.handleREJMessage(message.Data); err != nil { @@ -211,7 +215,7 @@ func (h *cryptoSetupClient) handleREJMessage(cryptoData map[Tag][]byte) error { err = h.certManager.Verify(h.hostname) if err != nil { - utils.Infof("Certificate validation failed: %s", err.Error()) + h.logger.Infof("Certificate validation failed: %s", err.Error()) return qerr.ProofInvalid } } @@ -219,7 +223,7 @@ func (h *cryptoSetupClient) handleREJMessage(cryptoData map[Tag][]byte) error { if h.serverConfig != nil && len(h.proof) != 0 && h.certManager.GetLeafCert() != nil { validProof := h.certManager.VerifyServerProof(h.proof, h.chloForSignature, h.serverConfig.Get()) if !validProof { - utils.Infof("Server proof verification failed") + h.logger.Infof("Server proof verification failed") return qerr.ProofInvalid } @@ -373,14 +377,6 @@ func (h *cryptoSetupClient) GetSealerWithEncryptionLevel(encLevel protocol.Encry return nil, errors.New("CryptoSetupClient: no encryption level specified") } -func (h *cryptoSetupClient) DiversificationNonce() []byte { - panic("not needed for cryptoSetupClient") -} - -func (h *cryptoSetupClient) SetDiversificationNonce(data []byte) { - h.divNonceChan <- data -} - func (h *cryptoSetupClient) ConnectionState() ConnectionState { h.mutex.Lock() defer h.mutex.Unlock() @@ -408,7 +404,7 @@ func (h *cryptoSetupClient) sendCHLO() error { Data: tags, } - utils.Debugf("Sending %s", message) + h.logger.Debugf("Sending %s", message) message.Write(b) _, err = h.cryptoStream.Write(b.Bytes()) diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/crypto_setup_server.go b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/crypto_setup_server.go index 7d5f32ee8..d977f6553 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/crypto_setup_server.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/crypto_setup_server.go @@ -19,7 +19,7 @@ import ( type QuicCryptoKeyDerivationFunction func(forwardSecure bool, sharedSecret, nonces []byte, connID protocol.ConnectionID, chlo []byte, scfg []byte, cert []byte, divNonce []byte, pers protocol.Perspective) (crypto.AEAD, error) // KeyExchangeFunction is used to make a new KEX -type KeyExchangeFunction func() crypto.KeyExchange +type KeyExchangeFunction func() (crypto.KeyExchange, error) // The CryptoSetupServer handles all things crypto for the Session type cryptoSetupServer struct { @@ -54,6 +54,8 @@ type cryptoSetupServer struct { params *TransportParameters sni string // need to fill out the ConnectionState + + logger utils.Logger } var _ CryptoSetup = &cryptoSetupServer{} @@ -73,32 +75,36 @@ func NewCryptoSetup( connID protocol.ConnectionID, remoteAddr net.Addr, version protocol.VersionNumber, + divNonce []byte, scfg *ServerConfig, params *TransportParameters, supportedVersions []protocol.VersionNumber, acceptSTK func(net.Addr, *Cookie) bool, paramsChan chan<- TransportParameters, handshakeEvent chan<- struct{}, + logger utils.Logger, ) (CryptoSetup, error) { nullAEAD, err := crypto.NewNullAEAD(protocol.PerspectiveServer, connID, version) if err != nil { return nil, err } return &cryptoSetupServer{ - cryptoStream: cryptoStream, - connID: connID, - remoteAddr: remoteAddr, - version: version, - supportedVersions: supportedVersions, - scfg: scfg, - keyDerivation: crypto.DeriveQuicCryptoAESKeys, - keyExchange: getEphermalKEX, - nullAEAD: nullAEAD, - params: params, - acceptSTKCallback: acceptSTK, - sentSHLO: make(chan struct{}), - paramsChan: paramsChan, - handshakeEvent: handshakeEvent, + cryptoStream: cryptoStream, + connID: connID, + remoteAddr: remoteAddr, + version: version, + supportedVersions: supportedVersions, + diversificationNonce: divNonce, + scfg: scfg, + keyDerivation: crypto.DeriveQuicCryptoAESKeys, + keyExchange: getEphermalKEX, + nullAEAD: nullAEAD, + params: params, + acceptSTKCallback: acceptSTK, + sentSHLO: make(chan struct{}), + paramsChan: paramsChan, + handshakeEvent: handshakeEvent, + logger: logger, }, nil } @@ -114,7 +120,7 @@ func (h *cryptoSetupServer) HandleCryptoStream() error { return qerr.InvalidCryptoMessageType } - utils.Debugf("Got %s", message) + h.logger.Debugf("Got %s", message) done, err := h.handleMessage(chloData.Bytes(), message.Data) if err != nil { return err @@ -297,7 +303,7 @@ func (h *cryptoSetupServer) isInchoateCHLO(cryptoData map[Tag][]byte, cert []byt func (h *cryptoSetupServer) acceptSTK(token []byte) bool { stk, err := h.scfg.cookieGenerator.DecodeToken(token) if err != nil { - utils.Debugf("STK invalid: %s", err.Error()) + h.logger.Debugf("STK invalid: %s", err.Error()) return false } return h.acceptSTKCallback(h.remoteAddr, stk) @@ -340,7 +346,7 @@ func (h *cryptoSetupServer) handleInchoateCHLO(sni string, chlo []byte, cryptoDa var serverReply bytes.Buffer message.Write(&serverReply) - utils.Debugf("Sending %s", message) + h.logger.Debugf("Sending %s", message) return serverReply.Bytes(), nil } @@ -364,11 +370,6 @@ func (h *cryptoSetupServer) handleCHLO(sni string, data []byte, cryptoData map[T return nil, err } - h.diversificationNonce = make([]byte, 32) - if _, err = rand.Read(h.diversificationNonce); err != nil { - return nil, err - } - clientNonce := cryptoData[TagNONC] err = h.validateClientNonce(clientNonce) if err != nil { @@ -405,7 +406,10 @@ func (h *cryptoSetupServer) handleCHLO(sni string, data []byte, cryptoData map[T var fsNonce bytes.Buffer fsNonce.Write(clientNonce) fsNonce.Write(serverNonce) - ephermalKex := h.keyExchange() + ephermalKex, err := h.keyExchange() + if err != nil { + return nil, err + } ephermalSharedSecret, err := ephermalKex.CalculateSharedKey(cryptoData[TagPUBS]) if err != nil { return nil, err @@ -429,7 +433,7 @@ func (h *cryptoSetupServer) handleCHLO(sni string, data []byte, cryptoData map[T replyMap := h.params.getHelloMap() // add crypto parameters verTag := &bytes.Buffer{} - for _, v := range protocol.GetGreasedVersions(h.supportedVersions) { + for _, v := range h.supportedVersions { utils.BigEndian.WriteUint32(verTag, uint32(v)) } replyMap[TagPUBS] = ephermalKex.PublicKey() @@ -443,19 +447,10 @@ func (h *cryptoSetupServer) handleCHLO(sni string, data []byte, cryptoData map[T } var reply bytes.Buffer message.Write(&reply) - utils.Debugf("Sending %s", message) + h.logger.Debugf("Sending %s", message) return reply.Bytes(), nil } -// DiversificationNonce returns the diversification nonce -func (h *cryptoSetupServer) DiversificationNonce() []byte { - return h.diversificationNonce -} - -func (h *cryptoSetupServer) SetDiversificationNonce(data []byte) { - panic("not needed for cryptoSetupServer") -} - func (h *cryptoSetupServer) ConnectionState() ConnectionState { h.mutex.Lock() defer h.mutex.Unlock() diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/crypto_setup_tls.go b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/crypto_setup_tls.go index 54dfe1c03..43f854068 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/crypto_setup_tls.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/crypto_setup_tls.go @@ -31,6 +31,8 @@ type cryptoSetupTLS struct { handshakeEvent chan<- struct{} } +var _ CryptoSetupTLS = &cryptoSetupTLS{} + // NewCryptoSetupTLSServer creates a new TLS CryptoSetup instance for a server func NewCryptoSetupTLSServer( tls MintTLS, @@ -38,7 +40,7 @@ func NewCryptoSetupTLSServer( nullAEAD crypto.AEAD, handshakeEvent chan<- struct{}, version protocol.VersionNumber, -) CryptoSetup { +) CryptoSetupTLS { return &cryptoSetupTLS{ tls: tls, cryptoStream: cryptoStream, @@ -57,7 +59,7 @@ func NewCryptoSetupTLSClient( handshakeEvent chan<- struct{}, tls MintTLS, version protocol.VersionNumber, -) (CryptoSetup, error) { +) (CryptoSetupTLS, error) { nullAEAD, err := crypto.NewNullAEAD(protocol.PerspectiveClient, connID, version) if err != nil { return nil, err @@ -107,22 +109,18 @@ handshakeLoop: return nil } -func (h *cryptoSetupTLS) Open(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, protocol.EncryptionLevel, error) { +func (h *cryptoSetupTLS) OpenHandshake(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, error) { + return h.nullAEAD.Open(dst, src, packetNumber, associatedData) +} + +func (h *cryptoSetupTLS) Open1RTT(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, error) { h.mutex.RLock() defer h.mutex.RUnlock() - if h.aead != nil { - data, err := h.aead.Open(dst, src, packetNumber, associatedData) - if err != nil { - return nil, protocol.EncryptionUnspecified, err - } - return data, protocol.EncryptionForwardSecure, nil + if h.aead == nil { + return nil, errors.New("no 1-RTT sealer") } - data, err := h.nullAEAD.Open(dst, src, packetNumber, associatedData) - if err != nil { - return nil, protocol.EncryptionUnspecified, err - } - return data, protocol.EncryptionUnencrypted, nil + return h.aead.Open(dst, src, packetNumber, associatedData) } func (h *cryptoSetupTLS) GetSealer() (protocol.EncryptionLevel, Sealer) { @@ -157,14 +155,6 @@ func (h *cryptoSetupTLS) GetSealerForCryptoStream() (protocol.EncryptionLevel, S return protocol.EncryptionUnencrypted, h.nullAEAD } -func (h *cryptoSetupTLS) DiversificationNonce() []byte { - panic("diversification nonce not needed for TLS") -} - -func (h *cryptoSetupTLS) SetDiversificationNonce([]byte) { - panic("diversification nonce not needed for TLS") -} - func (h *cryptoSetupTLS) ConnectionState() ConnectionState { h.mutex.Lock() defer h.mutex.Unlock() diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/ephermal_cache.go b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/ephermal_cache.go index 3bccbef06..728715835 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/ephermal_cache.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/ephermal_cache.go @@ -6,7 +6,6 @@ import ( "github.com/lucas-clemente/quic-go/internal/crypto" "github.com/lucas-clemente/quic-go/internal/protocol" - "github.com/lucas-clemente/quic-go/internal/utils" ) var ( @@ -24,13 +23,13 @@ var ( // used for all connections for 60 seconds is negligible. Thus we can amortise // the Diffie-Hellman key generation at the server over all the connections in a // small time span. -func getEphermalKEX() (res crypto.KeyExchange) { +func getEphermalKEX() (crypto.KeyExchange, error) { kexMutex.RLock() - res = kexCurrent + res := kexCurrent t := kexCurrentTime kexMutex.RUnlock() if res != nil && time.Since(t) < kexLifetime { - return res + return res, nil } kexMutex.Lock() @@ -39,12 +38,11 @@ func getEphermalKEX() (res crypto.KeyExchange) { if kexCurrent == nil || time.Since(kexCurrentTime) > kexLifetime { kex, err := crypto.NewCurve25519KEX() if err != nil { - utils.Errorf("could not set KEX: %s", err.Error()) - return kexCurrent + return nil, err } kexCurrent = kex kexCurrentTime = time.Now() - return kexCurrent + return kexCurrent, nil } - return kexCurrent + return kexCurrent, nil } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/handshake_message.go b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/handshake_message.go index c09db26a4..cfbd2193b 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/handshake_message.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/handshake_message.go @@ -84,7 +84,7 @@ func (h HandshakeMessage) Write(b *bytes.Buffer) { offset := uint32(0) for i, t := range h.getTagsSorted() { - v := data[Tag(t)] + v := data[t] b.Write(v) offset += uint32(len(v)) binary.LittleEndian.PutUint32(indexData[i*8:], uint32(t)) @@ -111,8 +111,7 @@ func (h *HandshakeMessage) getTagsSorted() []Tag { func (h HandshakeMessage) String() string { var pad string res := tagToString(h.Tag) + ":\n" - for _, t := range h.getTagsSorted() { - tag := Tag(t) + for _, tag := range h.getTagsSorted() { if tag == TagPAD { pad = fmt.Sprintf("\t%s: (%d bytes)\n", tagToString(tag), len(h.Data[tag])) } else { diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/interface.go b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/interface.go index 0fd673313..8d8fd5455 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/interface.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/interface.go @@ -35,13 +35,8 @@ type MintTLS interface { SetCryptoStream(io.ReadWriter) } -// CryptoSetup is a crypto setup -type CryptoSetup interface { - Open(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, protocol.EncryptionLevel, error) +type baseCryptoSetup interface { HandleCryptoStream() error - // TODO: clean up this interface - DiversificationNonce() []byte // only needed for cryptoSetupServer - SetDiversificationNonce([]byte) // only needed for cryptoSetupClient ConnectionState() ConnectionState GetSealer() (protocol.EncryptionLevel, Sealer) @@ -49,6 +44,21 @@ type CryptoSetup interface { GetSealerForCryptoStream() (protocol.EncryptionLevel, Sealer) } +// CryptoSetup is the crypto setup used by gQUIC +type CryptoSetup interface { + baseCryptoSetup + + Open(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, protocol.EncryptionLevel, error) +} + +// CryptoSetupTLS is the crypto setup used by IETF QUIC +type CryptoSetupTLS interface { + baseCryptoSetup + + OpenHandshake(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, error) + Open1RTT(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, error) +} + // ConnectionState records basic details about the QUIC connection. // Warning: This API should not be considered stable and might change soon. type ConnectionState struct { diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/server_config.go b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/server_config.go index 2b7fba67b..b015750b5 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/server_config.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/server_config.go @@ -9,10 +9,10 @@ import ( // ServerConfig is a server config type ServerConfig struct { - kex crypto.KeyExchange - certChain crypto.CertChain - ID []byte - obit []byte + kex crypto.KeyExchange + certChain crypto.CertChain + ID []byte + obit []byte cookieGenerator *CookieGenerator } @@ -36,10 +36,10 @@ func NewServerConfig(kex crypto.KeyExchange, certChain crypto.CertChain) (*Serve } return &ServerConfig{ - kex: kex, - certChain: certChain, - ID: id, - obit: obit, + kex: kex, + certChain: certChain, + ID: id, + obit: obit, cookieGenerator: cookieGenerator, }, nil } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/server_config_client.go b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/server_config_client.go index eb042f6ff..0d6521a42 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/server_config_client.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/server_config_client.go @@ -102,32 +102,37 @@ func (s *serverConfigClient) parseValues(tagMap map[Tag][]byte) error { return qerr.Error(qerr.CryptoMessageParameterNotFound, "PUBS") } - var pubs_kexs []struct{Length uint32; Value []byte} - var last_len uint32 - - for i := 0; i < len(pubs)-3; i += int(last_len)+3 { + var pubsKexs []struct { + Length uint32 + Value []byte + } + var lastLen uint32 + for i := 0; i < len(pubs)-3; i += int(lastLen) + 3 { // the PUBS value is always prepended by 3 byte little endian length field - err := binary.Read(bytes.NewReader([]byte{pubs[i], pubs[i+1], pubs[i+2], 0x00}), binary.LittleEndian, &last_len); + err := binary.Read(bytes.NewReader([]byte{pubs[i], pubs[i+1], pubs[i+2], 0x00}), binary.LittleEndian, &lastLen) if err != nil { return qerr.Error(qerr.CryptoInvalidValueLength, "PUBS not decodable") } - if last_len == 0 { + if lastLen == 0 { return qerr.Error(qerr.CryptoInvalidValueLength, "PUBS") } - if i+3+int(last_len) > len(pubs) { + if i+3+int(lastLen) > len(pubs) { return qerr.Error(qerr.CryptoInvalidValueLength, "PUBS") } - pubs_kexs = append(pubs_kexs, struct{Length uint32; Value []byte}{last_len, pubs[i+3:i+3+int(last_len)]}) + pubsKexs = append(pubsKexs, struct { + Length uint32 + Value []byte + }{lastLen, pubs[i+3 : i+3+int(lastLen)]}) } - if c255Foundat >= len(pubs_kexs) { + if c255Foundat >= len(pubsKexs) { return qerr.Error(qerr.CryptoMessageParameterNotFound, "KEXS not in PUBS") } - if pubs_kexs[c255Foundat].Length != 32 { + if pubsKexs[c255Foundat].Length != 32 { return qerr.Error(qerr.CryptoInvalidValueLength, "PUBS") } @@ -137,8 +142,7 @@ func (s *serverConfigClient) parseValues(tagMap map[Tag][]byte) error { return err } - - s.sharedSecret, err = s.kex.CalculateSharedKey(pubs_kexs[c255Foundat].Value) + s.sharedSecret, err = s.kex.CalculateSharedKey(pubsKexs[c255Foundat].Value) if err != nil { return err } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/tls_extension.go b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/tls_extension.go index c6e8b35d3..98ad3a578 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/tls_extension.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/tls_extension.go @@ -9,14 +9,14 @@ type transportParameterID uint16 const quicTLSExtensionType = 26 const ( - initialMaxStreamDataParameterID transportParameterID = 0x0 - initialMaxDataParameterID transportParameterID = 0x1 - initialMaxStreamIDBiDiParameterID transportParameterID = 0x2 - idleTimeoutParameterID transportParameterID = 0x3 - omitConnectionIDParameterID transportParameterID = 0x4 - maxPacketSizeParameterID transportParameterID = 0x5 - statelessResetTokenParameterID transportParameterID = 0x6 - initialMaxStreamIDUniParameterID transportParameterID = 0x8 + initialMaxStreamDataParameterID transportParameterID = 0x0 + initialMaxDataParameterID transportParameterID = 0x1 + initialMaxStreamsBiDiParameterID transportParameterID = 0x2 + idleTimeoutParameterID transportParameterID = 0x3 + omitConnectionIDParameterID transportParameterID = 0x4 + maxPacketSizeParameterID transportParameterID = 0x5 + statelessResetTokenParameterID transportParameterID = 0x6 + initialMaxStreamsUniParameterID transportParameterID = 0x8 ) type transportParameter struct { diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/tls_extension_handler_client.go b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/tls_extension_handler_client.go index 20d2d06ba..8e711be58 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/tls_extension_handler_client.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/tls_extension_handler_client.go @@ -3,13 +3,13 @@ package handshake import ( "errors" "fmt" - "math" "github.com/lucas-clemente/quic-go/qerr" "github.com/bifurcation/mint" "github.com/bifurcation/mint/syntax" "github.com/lucas-clemente/quic-go/internal/protocol" + "github.com/lucas-clemente/quic-go/internal/utils" ) type extensionHandlerClient struct { @@ -19,6 +19,8 @@ type extensionHandlerClient struct { initialVersion protocol.VersionNumber supportedVersions []protocol.VersionNumber version protocol.VersionNumber + + logger utils.Logger } var _ mint.AppExtensionHandler = &extensionHandlerClient{} @@ -30,14 +32,19 @@ func NewExtensionHandlerClient( initialVersion protocol.VersionNumber, supportedVersions []protocol.VersionNumber, version protocol.VersionNumber, + logger utils.Logger, ) TLSExtensionHandler { - paramsChan := make(chan TransportParameters, 1) + // The client reads the transport parameters from the Encrypted Extensions message. + // The paramsChan is used in the session's run loop's select statement. + // We have to use an unbuffered channel here to make sure that the session actually processes the transport parameters immediately. + paramsChan := make(chan TransportParameters) return &extensionHandlerClient{ ourParams: params, paramsChan: paramsChan, initialVersion: initialVersion, supportedVersions: supportedVersions, version: version, + logger: logger, } } @@ -46,6 +53,7 @@ func (h *extensionHandlerClient) Send(hType mint.HandshakeType, el *mint.Extensi return nil } + h.logger.Debugf("Sending Transport Parameters: %s", h.ourParams) data, err := syntax.Marshal(clientHelloTransportParameters{ InitialVersion: uint32(h.initialVersion), Parameters: h.ourParams.getTransportParameters(), @@ -63,17 +71,12 @@ func (h *extensionHandlerClient) Receive(hType mint.HandshakeType, el *mint.Exte return err } - if hType != mint.HandshakeTypeEncryptedExtensions && hType != mint.HandshakeTypeNewSessionTicket { + if hType != mint.HandshakeTypeEncryptedExtensions { if found { return fmt.Errorf("Unexpected QUIC extension in handshake message %d", hType) } return nil } - if hType == mint.HandshakeTypeNewSessionTicket { - // the extension it's optional in the NewSessionTicket message - // TODO: handle this - return nil - } // hType == mint.HandshakeTypeEncryptedExtensions if !found { @@ -119,12 +122,11 @@ func (h *extensionHandlerClient) Receive(hType mint.HandshakeType, el *mint.Exte // TODO: return the right error here return errors.New("server didn't sent stateless_reset_token") } - params, err := readTransportParamters(eetp.Parameters) + params, err := readTransportParameters(eetp.Parameters) if err != nil { return err } - // TODO(#878): remove this when implementing the MAX_STREAM_ID frame - params.MaxStreams = math.MaxUint32 + h.logger.Debugf("Received Transport Parameters: %s", params) h.paramsChan <- *params return nil } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/tls_extension_handler_server.go b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/tls_extension_handler_server.go index 3e7e2705f..138fc21bd 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/tls_extension_handler_server.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/tls_extension_handler_server.go @@ -10,6 +10,7 @@ import ( "github.com/bifurcation/mint" "github.com/bifurcation/mint/syntax" "github.com/lucas-clemente/quic-go/internal/protocol" + "github.com/lucas-clemente/quic-go/internal/utils" ) type extensionHandlerServer struct { @@ -18,6 +19,8 @@ type extensionHandlerServer struct { version protocol.VersionNumber supportedVersions []protocol.VersionNumber + + logger utils.Logger } var _ mint.AppExtensionHandler = &extensionHandlerServer{} @@ -28,13 +31,17 @@ func NewExtensionHandlerServer( params *TransportParameters, supportedVersions []protocol.VersionNumber, version protocol.VersionNumber, + logger utils.Logger, ) TLSExtensionHandler { + // Processing the ClientHello is performed statelessly (and from a single go-routine). + // Therefore, we have to use a buffered chan to pass the transport parameters to that go routine. paramsChan := make(chan TransportParameters, 1) return &extensionHandlerServer{ ourParams: params, paramsChan: paramsChan, supportedVersions: supportedVersions, version: version, + logger: logger, } } @@ -53,6 +60,7 @@ func (h *extensionHandlerServer) Send(hType mint.HandshakeType, el *mint.Extensi for i, v := range supportedVersions { versions[i] = uint32(v) } + h.logger.Debugf("Sending Transport Parameters: %s", h.ourParams) data, err := syntax.Marshal(encryptedExtensionsTransportParameters{ NegotiatedVersion: uint32(h.version), SupportedVersions: versions, @@ -100,10 +108,11 @@ func (h *extensionHandlerServer) Receive(hType mint.HandshakeType, el *mint.Exte return errors.New("client sent a stateless reset token") } } - params, err := readTransportParamters(chtp.Parameters) + params, err := readTransportParameters(chtp.Parameters) if err != nil { return err } + h.logger.Debugf("Received Transport Parameters: %s", params) h.paramsChan <- *params return nil } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/transport_parameters.go b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/transport_parameters.go index a02835823..fce1e3f21 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/handshake/transport_parameters.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/handshake/transport_parameters.go @@ -20,9 +20,11 @@ type TransportParameters struct { StreamFlowControlWindow protocol.ByteCount ConnectionFlowControlWindow protocol.ByteCount - MaxBidiStreamID protocol.StreamID // only used for IETF QUIC - MaxUniStreamID protocol.StreamID // only used for IETF QUIC - MaxStreams uint32 // only used for gQUIC + MaxPacketSize protocol.ByteCount + + MaxUniStreams uint16 // only used for IETF QUIC + MaxBidiStreams uint16 // only used for IETF QUIC + MaxStreams uint32 // only used for gQUIC OmitConnectionID bool IdleTimeout time.Duration @@ -93,7 +95,7 @@ func (p *TransportParameters) getHelloMap() map[Tag][]byte { } // readTransportParameters reads the transport parameters sent in the QUIC TLS extension -func readTransportParamters(paramsList []transportParameter) (*TransportParameters, error) { +func readTransportParameters(paramsList []transportParameter) (*TransportParameters, error) { params := &TransportParameters{} var foundInitialMaxStreamData bool @@ -114,18 +116,16 @@ func readTransportParamters(paramsList []transportParameter) (*TransportParamete return nil, fmt.Errorf("wrong length for initial_max_data: %d (expected 4)", len(p.Value)) } params.ConnectionFlowControlWindow = protocol.ByteCount(binary.BigEndian.Uint32(p.Value)) - case initialMaxStreamIDBiDiParameterID: - if len(p.Value) != 4 { - return nil, fmt.Errorf("wrong length for initial_max_stream_id_bidi: %d (expected 4)", len(p.Value)) + case initialMaxStreamsBiDiParameterID: + if len(p.Value) != 2 { + return nil, fmt.Errorf("wrong length for initial_max_stream_id_bidi: %d (expected 2)", len(p.Value)) } - // TODO(#1154): validate the stream ID - params.MaxBidiStreamID = protocol.StreamID(binary.BigEndian.Uint32(p.Value)) - case initialMaxStreamIDUniParameterID: - if len(p.Value) != 4 { - return nil, fmt.Errorf("wrong length for initial_max_stream_id_uni: %d (expected 4)", len(p.Value)) + params.MaxBidiStreams = binary.BigEndian.Uint16(p.Value) + case initialMaxStreamsUniParameterID: + if len(p.Value) != 2 { + return nil, fmt.Errorf("wrong length for initial_max_stream_id_uni: %d (expected 2)", len(p.Value)) } - // TODO(#1154): validate the stream ID - params.MaxUniStreamID = protocol.StreamID(binary.BigEndian.Uint32(p.Value)) + params.MaxUniStreams = binary.BigEndian.Uint16(p.Value) case idleTimeoutParameterID: foundIdleTimeout = true if len(p.Value) != 2 { @@ -137,6 +137,15 @@ func readTransportParamters(paramsList []transportParameter) (*TransportParamete return nil, fmt.Errorf("wrong length for omit_connection_id: %d (expected empty)", len(p.Value)) } params.OmitConnectionID = true + case maxPacketSizeParameterID: + if len(p.Value) != 2 { + return nil, fmt.Errorf("wrong length for max_packet_size: %d (expected 2)", len(p.Value)) + } + maxPacketSize := protocol.ByteCount(binary.BigEndian.Uint16(p.Value)) + if maxPacketSize < 1200 { + return nil, fmt.Errorf("invalid value for max_packet_size: %d (minimum 1200)", maxPacketSize) + } + params.MaxPacketSize = maxPacketSize } } @@ -153,10 +162,10 @@ func (p *TransportParameters) getTransportParameters() []transportParameter { binary.BigEndian.PutUint32(initialMaxStreamData, uint32(p.StreamFlowControlWindow)) initialMaxData := make([]byte, 4) binary.BigEndian.PutUint32(initialMaxData, uint32(p.ConnectionFlowControlWindow)) - initialMaxBidiStreamID := make([]byte, 4) - binary.BigEndian.PutUint32(initialMaxBidiStreamID, uint32(p.MaxBidiStreamID)) - initialMaxUniStreamID := make([]byte, 4) - binary.BigEndian.PutUint32(initialMaxUniStreamID, uint32(p.MaxUniStreamID)) + initialMaxBidiStreamID := make([]byte, 2) + binary.BigEndian.PutUint16(initialMaxBidiStreamID, p.MaxBidiStreams) + initialMaxUniStreamID := make([]byte, 2) + binary.BigEndian.PutUint16(initialMaxUniStreamID, p.MaxUniStreams) idleTimeout := make([]byte, 2) binary.BigEndian.PutUint16(idleTimeout, uint16(p.IdleTimeout/time.Second)) maxPacketSize := make([]byte, 2) @@ -164,8 +173,8 @@ func (p *TransportParameters) getTransportParameters() []transportParameter { params := []transportParameter{ {initialMaxStreamDataParameterID, initialMaxStreamData}, {initialMaxDataParameterID, initialMaxData}, - {initialMaxStreamIDBiDiParameterID, initialMaxBidiStreamID}, - {initialMaxStreamIDUniParameterID, initialMaxUniStreamID}, + {initialMaxStreamsBiDiParameterID, initialMaxBidiStreamID}, + {initialMaxStreamsUniParameterID, initialMaxUniStreamID}, {idleTimeoutParameterID, idleTimeout}, {maxPacketSizeParameterID, maxPacketSize}, } @@ -174,3 +183,9 @@ func (p *TransportParameters) getTransportParameters() []transportParameter { } return params } + +// String returns a string representation, intended for logging. +// It should only used for IETF QUIC. +func (p *TransportParameters) String() string { + return fmt.Sprintf("&handshake.TransportParameters{StreamFlowControlWindow: %#x, ConnectionFlowControlWindow: %#x, MaxBidiStreams: %d, MaxUniStreams: %d, OmitConnectionID: %t, IdleTimeout: %s}", p.StreamFlowControlWindow, p.ConnectionFlowControlWindow, p.MaxBidiStreams, p.MaxUniStreams, p.OmitConnectionID, p.IdleTimeout) +} diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/mocks/ackhandler/sent_packet_handler.go b/vendor/github.com/lucas-clemente/quic-go/internal/mocks/ackhandler/sent_packet_handler.go index b28a970ad..b11d999a2 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/mocks/ackhandler/sent_packet_handler.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/mocks/ackhandler/sent_packet_handler.go @@ -61,18 +61,6 @@ func (mr *MockSentPacketHandlerMockRecorder) GetAlarmTimeout() *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAlarmTimeout", reflect.TypeOf((*MockSentPacketHandler)(nil).GetAlarmTimeout)) } -// GetLeastUnacked mocks base method -func (m *MockSentPacketHandler) GetLeastUnacked() protocol.PacketNumber { - ret := m.ctrl.Call(m, "GetLeastUnacked") - ret0, _ := ret[0].(protocol.PacketNumber) - return ret0 -} - -// GetLeastUnacked indicates an expected call of GetLeastUnacked -func (mr *MockSentPacketHandlerMockRecorder) GetLeastUnacked() *gomock.Call { - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetLeastUnacked", reflect.TypeOf((*MockSentPacketHandler)(nil).GetLeastUnacked)) -} - // GetLowestPacketNotConfirmedAcked mocks base method func (m *MockSentPacketHandler) GetLowestPacketNotConfirmedAcked() protocol.PacketNumber { ret := m.ctrl.Call(m, "GetLowestPacketNotConfirmedAcked") @@ -85,6 +73,18 @@ func (mr *MockSentPacketHandlerMockRecorder) GetLowestPacketNotConfirmedAcked() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetLowestPacketNotConfirmedAcked", reflect.TypeOf((*MockSentPacketHandler)(nil).GetLowestPacketNotConfirmedAcked)) } +// GetPacketNumberLen mocks base method +func (m *MockSentPacketHandler) GetPacketNumberLen(arg0 protocol.PacketNumber) protocol.PacketNumberLen { + ret := m.ctrl.Call(m, "GetPacketNumberLen", arg0) + ret0, _ := ret[0].(protocol.PacketNumberLen) + return ret0 +} + +// GetPacketNumberLen indicates an expected call of GetPacketNumberLen +func (mr *MockSentPacketHandlerMockRecorder) GetPacketNumberLen(arg0 interface{}) *gomock.Call { + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetPacketNumberLen", reflect.TypeOf((*MockSentPacketHandler)(nil).GetPacketNumberLen), arg0) +} + // GetStopWaitingFrame mocks base method func (m *MockSentPacketHandler) GetStopWaitingFrame(arg0 bool) *wire.StopWaitingFrame { ret := m.ctrl.Call(m, "GetStopWaitingFrame", arg0) @@ -98,8 +98,10 @@ func (mr *MockSentPacketHandlerMockRecorder) GetStopWaitingFrame(arg0 interface{ } // OnAlarm mocks base method -func (m *MockSentPacketHandler) OnAlarm() { - m.ctrl.Call(m, "OnAlarm") +func (m *MockSentPacketHandler) OnAlarm() error { + ret := m.ctrl.Call(m, "OnAlarm") + ret0, _ := ret[0].(error) + return ret0 } // OnAlarm indicates an expected call of OnAlarm @@ -119,23 +121,21 @@ func (mr *MockSentPacketHandlerMockRecorder) ReceivedAck(arg0, arg1, arg2, arg3 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReceivedAck", reflect.TypeOf((*MockSentPacketHandler)(nil).ReceivedAck), arg0, arg1, arg2, arg3) } -// SendingAllowed mocks base method -func (m *MockSentPacketHandler) SendingAllowed() bool { - ret := m.ctrl.Call(m, "SendingAllowed") - ret0, _ := ret[0].(bool) +// SendMode mocks base method +func (m *MockSentPacketHandler) SendMode() ackhandler.SendMode { + ret := m.ctrl.Call(m, "SendMode") + ret0, _ := ret[0].(ackhandler.SendMode) return ret0 } -// SendingAllowed indicates an expected call of SendingAllowed -func (mr *MockSentPacketHandlerMockRecorder) SendingAllowed() *gomock.Call { - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SendingAllowed", reflect.TypeOf((*MockSentPacketHandler)(nil).SendingAllowed)) +// SendMode indicates an expected call of SendMode +func (mr *MockSentPacketHandlerMockRecorder) SendMode() *gomock.Call { + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SendMode", reflect.TypeOf((*MockSentPacketHandler)(nil).SendMode)) } // SentPacket mocks base method -func (m *MockSentPacketHandler) SentPacket(arg0 *ackhandler.Packet) error { - ret := m.ctrl.Call(m, "SentPacket", arg0) - ret0, _ := ret[0].(error) - return ret0 +func (m *MockSentPacketHandler) SentPacket(arg0 *ackhandler.Packet) { + m.ctrl.Call(m, "SentPacket", arg0) } // SentPacket indicates an expected call of SentPacket @@ -143,6 +143,16 @@ func (mr *MockSentPacketHandlerMockRecorder) SentPacket(arg0 interface{}) *gomoc return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SentPacket", reflect.TypeOf((*MockSentPacketHandler)(nil).SentPacket), arg0) } +// SentPacketsAsRetransmission mocks base method +func (m *MockSentPacketHandler) SentPacketsAsRetransmission(arg0 []*ackhandler.Packet, arg1 protocol.PacketNumber) { + m.ctrl.Call(m, "SentPacketsAsRetransmission", arg0, arg1) +} + +// SentPacketsAsRetransmission indicates an expected call of SentPacketsAsRetransmission +func (mr *MockSentPacketHandlerMockRecorder) SentPacketsAsRetransmission(arg0, arg1 interface{}) *gomock.Call { + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SentPacketsAsRetransmission", reflect.TypeOf((*MockSentPacketHandler)(nil).SentPacketsAsRetransmission), arg0, arg1) +} + // SetHandshakeComplete mocks base method func (m *MockSentPacketHandler) SetHandshakeComplete() { m.ctrl.Call(m, "SetHandshakeComplete") diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/mocks/congestion.go b/vendor/github.com/lucas-clemente/quic-go/internal/mocks/congestion.go index fec7b6c14..b86ccfea6 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/mocks/congestion.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/mocks/congestion.go @@ -109,18 +109,6 @@ func (mr *MockSendAlgorithmMockRecorder) OnRetransmissionTimeout(arg0 interface{ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OnRetransmissionTimeout", reflect.TypeOf((*MockSendAlgorithm)(nil).OnRetransmissionTimeout), arg0) } -// RetransmissionDelay mocks base method -func (m *MockSendAlgorithm) RetransmissionDelay() time.Duration { - ret := m.ctrl.Call(m, "RetransmissionDelay") - ret0, _ := ret[0].(time.Duration) - return ret0 -} - -// RetransmissionDelay indicates an expected call of RetransmissionDelay -func (mr *MockSendAlgorithmMockRecorder) RetransmissionDelay() *gomock.Call { - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RetransmissionDelay", reflect.TypeOf((*MockSendAlgorithm)(nil).RetransmissionDelay)) -} - // SetNumEmulatedConnections mocks base method func (m *MockSendAlgorithm) SetNumEmulatedConnections(arg0 int) { m.ctrl.Call(m, "SetNumEmulatedConnections", arg0) diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/protocol/protocol.go b/vendor/github.com/lucas-clemente/quic-go/internal/protocol/protocol.go index 0901b19eb..2821d2cd9 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/protocol/protocol.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/protocol/protocol.go @@ -27,14 +27,14 @@ const ( type PacketType uint8 const ( - // PacketTypeInitial is the packet type of a Initial packet - PacketTypeInitial PacketType = 2 + // PacketTypeInitial is the packet type of an Initial packet + PacketTypeInitial PacketType = 0x7f // PacketTypeRetry is the packet type of a Retry packet - PacketTypeRetry PacketType = 3 - // PacketTypeHandshake is the packet type of a Cleartext packet - PacketTypeHandshake PacketType = 4 + PacketTypeRetry PacketType = 0x7e + // PacketTypeHandshake is the packet type of a Handshake packet + PacketTypeHandshake PacketType = 0x7d // PacketType0RTT is the packet type of a 0-RTT packet - PacketType0RTT PacketType = 5 + PacketType0RTT PacketType = 0x7c ) func (t PacketType) String() string { @@ -77,11 +77,11 @@ const DefaultTCPMSS ByteCount = 1460 // MinClientHelloSize is the minimum size the server expects an inchoate CHLO to have (in gQUIC) const MinClientHelloSize = 1024 -// MinInitialPacketSize is the minimum size an Initial packet (in IETF QUIC) is requried to have. +// MinInitialPacketSize is the minimum size an Initial packet (in IETF QUIC) is required to have. const MinInitialPacketSize = 1200 // MaxClientHellos is the maximum number of times we'll send a client hello // The value 3 accounts for: // * one failure due to an incorrect or missing source-address token -// * one failure due the server's certificate chain being unavailible and the server being unwilling to send it without a valid source-address token +// * one failure due the server's certificate chain being unavailable and the server being unwilling to send it without a valid source-address token const MaxClientHellos = 3 diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/protocol/server_parameters.go b/vendor/github.com/lucas-clemente/quic-go/internal/protocol/server_parameters.go index 61e5a2dfc..96ebbdcd7 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/protocol/server_parameters.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/protocol/server_parameters.go @@ -2,9 +2,11 @@ package protocol import "time" -// MaxPacketSize is the maximum packet size that we use for sending packets. -// It includes the QUIC packet header, but excludes the UDP and IP header. -const MaxPacketSize ByteCount = 1200 +// MaxPacketSizeIPv4 is the maximum packet size that we use for sending IPv4 packets. +const MaxPacketSizeIPv4 = 1252 + +// MaxPacketSizeIPv6 is the maximum packet size that we use for sending IPv6 packets. +const MaxPacketSizeIPv6 = 1232 // NonForwardSecurePacketSizeReduction is the number of bytes a non forward-secure packet has to be smaller than a forward-secure packet // This makes sure that those packets can always be retransmitted without splitting the contained StreamFrames @@ -24,10 +26,6 @@ const MaxUndecryptablePackets = 10 // This timeout allows the Go scheduler to switch to the Go rountine that reads the crypto stream and to escalate the crypto const PublicResetTimeout = 500 * time.Millisecond -// AckSendDelay is the maximum delay that can be applied to an ACK for a retransmittable packet -// This is the value Chromium is using -const AckSendDelay = 25 * time.Millisecond - // ReceiveStreamFlowControlWindow is the stream-level flow control window for receiving data // This is the value that Google servers are using const ReceiveStreamFlowControlWindow = (1 << 10) * 32 // 32 kB @@ -59,8 +57,11 @@ const ConnectionFlowControlMultiplier = 1.5 // WindowUpdateThreshold is the fraction of the receive window that has to be consumed before an higher offset is advertised to the client const WindowUpdateThreshold = 0.25 -// MaxIncomingStreams is the maximum number of streams that a peer may open -const MaxIncomingStreams = 100 +// DefaultMaxIncomingStreams is the maximum number of streams that a peer may open +const DefaultMaxIncomingStreams = 100 + +// DefaultMaxIncomingUniStreams is the maximum number of unidirectional streams that a peer may open +const DefaultMaxIncomingUniStreams = 100 // MaxStreamsMultiplier is the slack the client is allowed for the maximum number of streams per connection, needed e.g. when packets are out of order or dropped. The minimum of this procentual increase and the absolute increment specified by MaxStreamsMinimumIncrement is used. const MaxStreamsMultiplier = 1.1 @@ -68,10 +69,6 @@ const MaxStreamsMultiplier = 1.1 // MaxStreamsMinimumIncrement is the slack the client is allowed for the maximum number of streams per connection, needed e.g. when packets are out of order or dropped. The minimum of this absolute increment and the procentual increase specified by MaxStreamsMultiplier is used. const MaxStreamsMinimumIncrement = 10 -// MaxNewStreamIDDelta is the maximum difference between and a newly opened Stream and the highest StreamID that a client has ever opened -// note that the number of streams is half this value, since the client can only open streams with open StreamID -const MaxNewStreamIDDelta = 4 * MaxIncomingStreams - // MaxSessionUnprocessedPackets is the max number of packets stored in each session that are not yet processed. const MaxSessionUnprocessedPackets = DefaultMaxCongestionWindow @@ -84,8 +81,15 @@ const MaxTrackedSkippedPackets = 10 // CookieExpiryTime is the valid time of a cookie const CookieExpiryTime = 24 * time.Hour -// MaxTrackedSentPackets is maximum number of sent packets saved for either later retransmission or entropy calculation -const MaxTrackedSentPackets = 2 * DefaultMaxCongestionWindow +// MaxOutstandingSentPackets is maximum number of packets saved for retransmission. +// When reached, it imposes a soft limit on sending new packets: +// Sending ACKs and retransmission is still allowed, but now new regular packets can be sent. +const MaxOutstandingSentPackets = 2 * DefaultMaxCongestionWindow + +// MaxTrackedSentPackets is maximum number of sent packets saved for retransmission. +// When reached, no more packets will be sent. +// This value *must* be larger than MaxOutstandingSentPackets. +const MaxTrackedSentPackets = MaxOutstandingSentPackets * 5 / 4 // MaxTrackedReceivedAckRanges is the maximum number of ACK ranges tracked const MaxTrackedReceivedAckRanges = DefaultMaxCongestionWindow @@ -93,9 +97,6 @@ const MaxTrackedReceivedAckRanges = DefaultMaxCongestionWindow // MaxNonRetransmittableAcks is the maximum number of packets containing an ACK, but no retransmittable frames, that we send in a row const MaxNonRetransmittableAcks = 19 -// RetransmittablePacketsBeforeAck is the number of retransmittable that an ACK is sent for -const RetransmittablePacketsBeforeAck = 10 - // MaxStreamFrameSorterGaps is the maximum number of gaps between received StreamFrames // prevents DoS attacks against the streamFrameSorter const MaxStreamFrameSorterGaps = 1000 diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/protocol/version.go b/vendor/github.com/lucas-clemente/quic-go/internal/protocol/version.go index 3135ca853..d5f2f37bb 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/protocol/version.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/protocol/version.go @@ -4,10 +4,11 @@ import ( "crypto/rand" "encoding/binary" "fmt" + "math" ) // VersionNumber is a version number as int -type VersionNumber int32 +type VersionNumber uint32 // gQUIC version range as defined in the wiki: https://github.com/quicwg/base-drafts/wiki/QUIC-Versions const ( @@ -20,7 +21,7 @@ const ( Version39 VersionNumber = gquicVersion0 + 3*0x100 + 0x9 + iota VersionTLS VersionNumber = 101 VersionWhatever VersionNumber = 0 // for when the version doesn't matter - VersionUnknown VersionNumber = -1 + VersionUnknown VersionNumber = math.MaxUint32 ) // SupportedVersions lists the versions that the server supports @@ -29,6 +30,11 @@ var SupportedVersions = []VersionNumber{ Version39, } +// IsValidVersion says if the version is known to quic-go +func IsValidVersion(v VersionNumber) bool { + return v == VersionTLS || IsSupportedVersion(SupportedVersions, v) +} + // UsesTLS says if this QUIC version uses TLS 1.3 for the handshake func (vn VersionNumber) UsesTLS() bool { return vn == VersionTLS @@ -46,7 +52,7 @@ func (vn VersionNumber) String() string { if vn.isGQUIC() { return fmt.Sprintf("gQUIC %d", vn.toGQUICVersion()) } - return fmt.Sprintf("%d", vn) + return fmt.Sprintf("%#x", uint32(vn)) } } @@ -71,6 +77,11 @@ func (vn VersionNumber) UsesIETFFrameFormat() bool { return vn != Version39 } +// UsesStopWaitingFrames tells if this version uses STOP_WAITING frames +func (vn VersionNumber) UsesStopWaitingFrames() bool { + return vn == Version39 +} + // StreamContributesToConnectionFlowControl says if a stream contributes to connection-level flow control func (vn VersionNumber) StreamContributesToConnectionFlowControl(id StreamID) bool { if id == vn.CryptoStreamID() { diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/utils/byteinterval_linkedlist.go b/vendor/github.com/lucas-clemente/quic-go/internal/utils/byteinterval_linkedlist.go index 545fc2038..096023ef2 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/utils/byteinterval_linkedlist.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/utils/byteinterval_linkedlist.go @@ -1,13 +1,10 @@ -// Generated by: main -// TypeWriter: linkedlist -// Directive: +gen on ByteInterval +// This file was automatically generated by genny. +// Any changes will be lost if this file is regenerated. +// see https://github.com/cheekybits/genny package utils -// List is a modification of http://golang.org/pkg/container/list/ -// Copyright 2009 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. +// Linked list implementation from the Go standard library. // ByteIntervalElement is an element of a linked list. type ByteIntervalElement struct { @@ -41,8 +38,7 @@ func (e *ByteIntervalElement) Prev() *ByteIntervalElement { return nil } -// ByteIntervalList represents a doubly linked list. -// The zero value for ByteIntervalList is an empty list ready to use. +// ByteIntervalList is a linked list of ByteIntervals. type ByteIntervalList struct { root ByteIntervalElement // sentinel list element, only &root, root.prev, and root.next are used len int // current list length excluding (this) sentinel element @@ -63,7 +59,7 @@ func NewByteIntervalList() *ByteIntervalList { return new(ByteIntervalList).Init // The complexity is O(1). func (l *ByteIntervalList) Len() int { return l.len } -// Front returns the first element of list l or nil. +// Front returns the first element of list l or nil if the list is empty. func (l *ByteIntervalList) Front() *ByteIntervalElement { if l.len == 0 { return nil @@ -71,7 +67,7 @@ func (l *ByteIntervalList) Front() *ByteIntervalElement { return l.root.next } -// Back returns the last element of list l or nil. +// Back returns the last element of list l or nil if the list is empty. func (l *ByteIntervalList) Back() *ByteIntervalElement { if l.len == 0 { return nil @@ -79,7 +75,7 @@ func (l *ByteIntervalList) Back() *ByteIntervalElement { return l.root.prev } -// lazyInit lazily initializes a zero ByteIntervalList value. +// lazyInit lazily initializes a zero List value. func (l *ByteIntervalList) lazyInit() { if l.root.next == nil { l.Init() @@ -98,7 +94,7 @@ func (l *ByteIntervalList) insert(e, at *ByteIntervalElement) *ByteIntervalEleme return e } -// insertValue is a convenience wrapper for insert(&ByteIntervalElement{Value: v}, at). +// insertValue is a convenience wrapper for insert(&Element{Value: v}, at). func (l *ByteIntervalList) insertValue(v ByteInterval, at *ByteIntervalElement) *ByteIntervalElement { return l.insert(&ByteIntervalElement{Value: v}, at) } @@ -116,10 +112,11 @@ func (l *ByteIntervalList) remove(e *ByteIntervalElement) *ByteIntervalElement { // Remove removes e from l if e is an element of list l. // It returns the element value e.Value. +// The element must not be nil. func (l *ByteIntervalList) Remove(e *ByteIntervalElement) ByteInterval { if e.list == l { // if e.list == l, l must have been initialized when e was inserted - // in l or l == nil (e is a zero ByteIntervalElement) and l.remove will crash + // in l or l == nil (e is a zero Element) and l.remove will crash l.remove(e) } return e.Value @@ -139,46 +136,51 @@ func (l *ByteIntervalList) PushBack(v ByteInterval) *ByteIntervalElement { // InsertBefore inserts a new element e with value v immediately before mark and returns e. // If mark is not an element of l, the list is not modified. +// The mark must not be nil. func (l *ByteIntervalList) InsertBefore(v ByteInterval, mark *ByteIntervalElement) *ByteIntervalElement { if mark.list != l { return nil } - // see comment in ByteIntervalList.Remove about initialization of l + // see comment in List.Remove about initialization of l return l.insertValue(v, mark.prev) } // InsertAfter inserts a new element e with value v immediately after mark and returns e. // If mark is not an element of l, the list is not modified. +// The mark must not be nil. func (l *ByteIntervalList) InsertAfter(v ByteInterval, mark *ByteIntervalElement) *ByteIntervalElement { if mark.list != l { return nil } - // see comment in ByteIntervalList.Remove about initialization of l + // see comment in List.Remove about initialization of l return l.insertValue(v, mark) } // MoveToFront moves element e to the front of list l. // If e is not an element of l, the list is not modified. +// The element must not be nil. func (l *ByteIntervalList) MoveToFront(e *ByteIntervalElement) { if e.list != l || l.root.next == e { return } - // see comment in ByteIntervalList.Remove about initialization of l + // see comment in List.Remove about initialization of l l.insert(l.remove(e), &l.root) } // MoveToBack moves element e to the back of list l. // If e is not an element of l, the list is not modified. +// The element must not be nil. func (l *ByteIntervalList) MoveToBack(e *ByteIntervalElement) { if e.list != l || l.root.prev == e { return } - // see comment in ByteIntervalList.Remove about initialization of l + // see comment in List.Remove about initialization of l l.insert(l.remove(e), l.root.prev) } // MoveBefore moves element e to its new position before mark. // If e or mark is not an element of l, or e == mark, the list is not modified. +// The element and mark must not be nil. func (l *ByteIntervalList) MoveBefore(e, mark *ByteIntervalElement) { if e.list != l || e == mark || mark.list != l { return @@ -187,7 +189,8 @@ func (l *ByteIntervalList) MoveBefore(e, mark *ByteIntervalElement) { } // MoveAfter moves element e to its new position after mark. -// If e is not an element of l, or e == mark, the list is not modified. +// If e or mark is not an element of l, or e == mark, the list is not modified. +// The element and mark must not be nil. func (l *ByteIntervalList) MoveAfter(e, mark *ByteIntervalElement) { if e.list != l || e == mark || mark.list != l { return @@ -196,7 +199,7 @@ func (l *ByteIntervalList) MoveAfter(e, mark *ByteIntervalElement) { } // PushBackList inserts a copy of an other list at the back of list l. -// The lists l and other may be the same. +// The lists l and other may be the same. They must not be nil. func (l *ByteIntervalList) PushBackList(other *ByteIntervalList) { l.lazyInit() for i, e := other.Len(), other.Front(); i > 0; i, e = i-1, e.Next() { @@ -205,7 +208,7 @@ func (l *ByteIntervalList) PushBackList(other *ByteIntervalList) { } // PushFrontList inserts a copy of an other list at the front of list l. -// The lists l and other may be the same. +// The lists l and other may be the same. They must not be nil. func (l *ByteIntervalList) PushFrontList(other *ByteIntervalList) { l.lazyInit() for i, e := other.Len(), other.Back(); i > 0; i, e = i-1, e.Prev() { diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/utils/gen.go b/vendor/github.com/lucas-clemente/quic-go/internal/utils/gen.go new file mode 100644 index 000000000..bb839be66 --- /dev/null +++ b/vendor/github.com/lucas-clemente/quic-go/internal/utils/gen.go @@ -0,0 +1,4 @@ +package utils + +//go:generate genny -pkg utils -in linkedlist/linkedlist.go -out byteinterval_linkedlist.go gen Item=ByteInterval +//go:generate genny -pkg utils -in linkedlist/linkedlist.go -out packetinterval_linkedlist.go gen Item=PacketInterval diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/utils/linkedlist/linkedlist.go b/vendor/github.com/lucas-clemente/quic-go/internal/utils/linkedlist/linkedlist.go new file mode 100644 index 000000000..74b815a81 --- /dev/null +++ b/vendor/github.com/lucas-clemente/quic-go/internal/utils/linkedlist/linkedlist.go @@ -0,0 +1,218 @@ +package linkedlist + +import "github.com/cheekybits/genny/generic" + +// Linked list implementation from the Go standard library. + +// Item is a generic type. +type Item generic.Type + +// ItemElement is an element of a linked list. +type ItemElement struct { + // Next and previous pointers in the doubly-linked list of elements. + // To simplify the implementation, internally a list l is implemented + // as a ring, such that &l.root is both the next element of the last + // list element (l.Back()) and the previous element of the first list + // element (l.Front()). + next, prev *ItemElement + + // The list to which this element belongs. + list *ItemList + + // The value stored with this element. + Value Item +} + +// Next returns the next list element or nil. +func (e *ItemElement) Next() *ItemElement { + if p := e.next; e.list != nil && p != &e.list.root { + return p + } + return nil +} + +// Prev returns the previous list element or nil. +func (e *ItemElement) Prev() *ItemElement { + if p := e.prev; e.list != nil && p != &e.list.root { + return p + } + return nil +} + +// ItemList is a linked list of Items. +type ItemList struct { + root ItemElement // sentinel list element, only &root, root.prev, and root.next are used + len int // current list length excluding (this) sentinel element +} + +// Init initializes or clears list l. +func (l *ItemList) Init() *ItemList { + l.root.next = &l.root + l.root.prev = &l.root + l.len = 0 + return l +} + +// NewItemList returns an initialized list. +func NewItemList() *ItemList { return new(ItemList).Init() } + +// Len returns the number of elements of list l. +// The complexity is O(1). +func (l *ItemList) Len() int { return l.len } + +// Front returns the first element of list l or nil if the list is empty. +func (l *ItemList) Front() *ItemElement { + if l.len == 0 { + return nil + } + return l.root.next +} + +// Back returns the last element of list l or nil if the list is empty. +func (l *ItemList) Back() *ItemElement { + if l.len == 0 { + return nil + } + return l.root.prev +} + +// lazyInit lazily initializes a zero List value. +func (l *ItemList) lazyInit() { + if l.root.next == nil { + l.Init() + } +} + +// insert inserts e after at, increments l.len, and returns e. +func (l *ItemList) insert(e, at *ItemElement) *ItemElement { + n := at.next + at.next = e + e.prev = at + e.next = n + n.prev = e + e.list = l + l.len++ + return e +} + +// insertValue is a convenience wrapper for insert(&Element{Value: v}, at). +func (l *ItemList) insertValue(v Item, at *ItemElement) *ItemElement { + return l.insert(&ItemElement{Value: v}, at) +} + +// remove removes e from its list, decrements l.len, and returns e. +func (l *ItemList) remove(e *ItemElement) *ItemElement { + e.prev.next = e.next + e.next.prev = e.prev + e.next = nil // avoid memory leaks + e.prev = nil // avoid memory leaks + e.list = nil + l.len-- + return e +} + +// Remove removes e from l if e is an element of list l. +// It returns the element value e.Value. +// The element must not be nil. +func (l *ItemList) Remove(e *ItemElement) Item { + if e.list == l { + // if e.list == l, l must have been initialized when e was inserted + // in l or l == nil (e is a zero Element) and l.remove will crash + l.remove(e) + } + return e.Value +} + +// PushFront inserts a new element e with value v at the front of list l and returns e. +func (l *ItemList) PushFront(v Item) *ItemElement { + l.lazyInit() + return l.insertValue(v, &l.root) +} + +// PushBack inserts a new element e with value v at the back of list l and returns e. +func (l *ItemList) PushBack(v Item) *ItemElement { + l.lazyInit() + return l.insertValue(v, l.root.prev) +} + +// InsertBefore inserts a new element e with value v immediately before mark and returns e. +// If mark is not an element of l, the list is not modified. +// The mark must not be nil. +func (l *ItemList) InsertBefore(v Item, mark *ItemElement) *ItemElement { + if mark.list != l { + return nil + } + // see comment in List.Remove about initialization of l + return l.insertValue(v, mark.prev) +} + +// InsertAfter inserts a new element e with value v immediately after mark and returns e. +// If mark is not an element of l, the list is not modified. +// The mark must not be nil. +func (l *ItemList) InsertAfter(v Item, mark *ItemElement) *ItemElement { + if mark.list != l { + return nil + } + // see comment in List.Remove about initialization of l + return l.insertValue(v, mark) +} + +// MoveToFront moves element e to the front of list l. +// If e is not an element of l, the list is not modified. +// The element must not be nil. +func (l *ItemList) MoveToFront(e *ItemElement) { + if e.list != l || l.root.next == e { + return + } + // see comment in List.Remove about initialization of l + l.insert(l.remove(e), &l.root) +} + +// MoveToBack moves element e to the back of list l. +// If e is not an element of l, the list is not modified. +// The element must not be nil. +func (l *ItemList) MoveToBack(e *ItemElement) { + if e.list != l || l.root.prev == e { + return + } + // see comment in List.Remove about initialization of l + l.insert(l.remove(e), l.root.prev) +} + +// MoveBefore moves element e to its new position before mark. +// If e or mark is not an element of l, or e == mark, the list is not modified. +// The element and mark must not be nil. +func (l *ItemList) MoveBefore(e, mark *ItemElement) { + if e.list != l || e == mark || mark.list != l { + return + } + l.insert(l.remove(e), mark.prev) +} + +// MoveAfter moves element e to its new position after mark. +// If e or mark is not an element of l, or e == mark, the list is not modified. +// The element and mark must not be nil. +func (l *ItemList) MoveAfter(e, mark *ItemElement) { + if e.list != l || e == mark || mark.list != l { + return + } + l.insert(l.remove(e), mark) +} + +// PushBackList inserts a copy of an other list at the back of list l. +// The lists l and other may be the same. They must not be nil. +func (l *ItemList) PushBackList(other *ItemList) { + l.lazyInit() + for i, e := other.Len(), other.Front(); i > 0; i, e = i-1, e.Next() { + l.insertValue(e.Value, l.root.prev) + } +} + +// PushFrontList inserts a copy of an other list at the front of list l. +// The lists l and other may be the same. They must not be nil. +func (l *ItemList) PushFrontList(other *ItemList) { + l.lazyInit() + for i, e := other.Len(), other.Back(); i > 0; i, e = i-1, e.Prev() { + l.insertValue(e.Value, &l.root) + } +} diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/utils/log.go b/vendor/github.com/lucas-clemente/quic-go/internal/utils/log.go index 342d8ddca..62a3d075e 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/utils/log.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/utils/log.go @@ -11,8 +11,6 @@ import ( // LogLevel of quic-go type LogLevel uint8 -const logEnv = "QUIC_GO_LOG_LEVEL" - const ( // LogLevelNothing disables LogLevelNothing LogLevel = iota @@ -24,72 +22,92 @@ const ( LogLevelDebug ) -var ( - logLevel = LogLevelNothing - timeFormat = "" -) +const logEnv = "QUIC_GO_LOG_LEVEL" + +// A Logger logs. +type Logger interface { + SetLogLevel(LogLevel) + SetLogTimeFormat(format string) + Debug() bool + + Errorf(format string, args ...interface{}) + Infof(format string, args ...interface{}) + Debugf(format string, args ...interface{}) +} + +// DefaultLogger is used by quic-go for logging. +var DefaultLogger Logger + +type defaultLogger struct { + logLevel LogLevel + timeFormat string +} + +var _ Logger = &defaultLogger{} // SetLogLevel sets the log level -func SetLogLevel(level LogLevel) { - logLevel = level +func (l *defaultLogger) SetLogLevel(level LogLevel) { + l.logLevel = level } // SetLogTimeFormat sets the format of the timestamp // an empty string disables the logging of timestamps -func SetLogTimeFormat(format string) { +func (l *defaultLogger) SetLogTimeFormat(format string) { log.SetFlags(0) // disable timestamp logging done by the log package - timeFormat = format + l.timeFormat = format } // Debugf logs something -func Debugf(format string, args ...interface{}) { - if logLevel == LogLevelDebug { - logMessage(format, args...) +func (l *defaultLogger) Debugf(format string, args ...interface{}) { + if l.logLevel == LogLevelDebug { + l.logMessage(format, args...) } } // Infof logs something -func Infof(format string, args ...interface{}) { - if logLevel >= LogLevelInfo { - logMessage(format, args...) +func (l *defaultLogger) Infof(format string, args ...interface{}) { + if l.logLevel >= LogLevelInfo { + l.logMessage(format, args...) } } // Errorf logs something -func Errorf(format string, args ...interface{}) { - if logLevel >= LogLevelError { - logMessage(format, args...) +func (l *defaultLogger) Errorf(format string, args ...interface{}) { + if l.logLevel >= LogLevelError { + l.logMessage(format, args...) } } -func logMessage(format string, args ...interface{}) { - if len(timeFormat) > 0 { - log.Printf(time.Now().Format(timeFormat)+" "+format, args...) +func (l *defaultLogger) logMessage(format string, args ...interface{}) { + if len(l.timeFormat) > 0 { + log.Printf(time.Now().Format(l.timeFormat)+" "+format, args...) } else { log.Printf(format, args...) } } // Debug returns true if the log level is LogLevelDebug -func Debug() bool { - return logLevel == LogLevelDebug +func (l *defaultLogger) Debug() bool { + return l.logLevel == LogLevelDebug } func init() { - readLoggingEnv() + DefaultLogger = &defaultLogger{} + DefaultLogger.SetLogLevel(readLoggingEnv()) } -func readLoggingEnv() { +func readLoggingEnv() LogLevel { switch strings.ToLower(os.Getenv(logEnv)) { case "": - return + return LogLevelNothing case "debug": - logLevel = LogLevelDebug + return LogLevelDebug case "info": - logLevel = LogLevelInfo + return LogLevelInfo case "error": - logLevel = LogLevelError + return LogLevelError default: fmt.Fprintln(os.Stderr, "invalid quic-go log level, see https://github.com/lucas-clemente/quic-go/wiki/Logging") + return LogLevelNothing } } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/utils/packet_interval.go b/vendor/github.com/lucas-clemente/quic-go/internal/utils/packet_interval.go index f49b0c426..62cc8b9cb 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/utils/packet_interval.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/utils/packet_interval.go @@ -3,7 +3,6 @@ package utils import "github.com/lucas-clemente/quic-go/internal/protocol" // PacketInterval is an interval from one PacketNumber to the other -// +gen linkedlist type PacketInterval struct { Start protocol.PacketNumber End protocol.PacketNumber diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/utils/packetinterval_linkedlist.go b/vendor/github.com/lucas-clemente/quic-go/internal/utils/packetinterval_linkedlist.go index e3431d68c..b461e85a9 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/utils/packetinterval_linkedlist.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/utils/packetinterval_linkedlist.go @@ -1,13 +1,10 @@ -// Generated by: main -// TypeWriter: linkedlist -// Directive: +gen on PacketInterval +// This file was automatically generated by genny. +// Any changes will be lost if this file is regenerated. +// see https://github.com/cheekybits/genny package utils -// List is a modification of http://golang.org/pkg/container/list/ -// Copyright 2009 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. +// Linked list implementation from the Go standard library. // PacketIntervalElement is an element of a linked list. type PacketIntervalElement struct { @@ -41,8 +38,7 @@ func (e *PacketIntervalElement) Prev() *PacketIntervalElement { return nil } -// PacketIntervalList represents a doubly linked list. -// The zero value for PacketIntervalList is an empty list ready to use. +// PacketIntervalList is a linked list of PacketIntervals. type PacketIntervalList struct { root PacketIntervalElement // sentinel list element, only &root, root.prev, and root.next are used len int // current list length excluding (this) sentinel element @@ -63,7 +59,7 @@ func NewPacketIntervalList() *PacketIntervalList { return new(PacketIntervalList // The complexity is O(1). func (l *PacketIntervalList) Len() int { return l.len } -// Front returns the first element of list l or nil. +// Front returns the first element of list l or nil if the list is empty. func (l *PacketIntervalList) Front() *PacketIntervalElement { if l.len == 0 { return nil @@ -71,7 +67,7 @@ func (l *PacketIntervalList) Front() *PacketIntervalElement { return l.root.next } -// Back returns the last element of list l or nil. +// Back returns the last element of list l or nil if the list is empty. func (l *PacketIntervalList) Back() *PacketIntervalElement { if l.len == 0 { return nil @@ -79,7 +75,7 @@ func (l *PacketIntervalList) Back() *PacketIntervalElement { return l.root.prev } -// lazyInit lazily initializes a zero PacketIntervalList value. +// lazyInit lazily initializes a zero List value. func (l *PacketIntervalList) lazyInit() { if l.root.next == nil { l.Init() @@ -98,7 +94,7 @@ func (l *PacketIntervalList) insert(e, at *PacketIntervalElement) *PacketInterva return e } -// insertValue is a convenience wrapper for insert(&PacketIntervalElement{Value: v}, at). +// insertValue is a convenience wrapper for insert(&Element{Value: v}, at). func (l *PacketIntervalList) insertValue(v PacketInterval, at *PacketIntervalElement) *PacketIntervalElement { return l.insert(&PacketIntervalElement{Value: v}, at) } @@ -116,10 +112,11 @@ func (l *PacketIntervalList) remove(e *PacketIntervalElement) *PacketIntervalEle // Remove removes e from l if e is an element of list l. // It returns the element value e.Value. +// The element must not be nil. func (l *PacketIntervalList) Remove(e *PacketIntervalElement) PacketInterval { if e.list == l { // if e.list == l, l must have been initialized when e was inserted - // in l or l == nil (e is a zero PacketIntervalElement) and l.remove will crash + // in l or l == nil (e is a zero Element) and l.remove will crash l.remove(e) } return e.Value @@ -139,46 +136,51 @@ func (l *PacketIntervalList) PushBack(v PacketInterval) *PacketIntervalElement { // InsertBefore inserts a new element e with value v immediately before mark and returns e. // If mark is not an element of l, the list is not modified. +// The mark must not be nil. func (l *PacketIntervalList) InsertBefore(v PacketInterval, mark *PacketIntervalElement) *PacketIntervalElement { if mark.list != l { return nil } - // see comment in PacketIntervalList.Remove about initialization of l + // see comment in List.Remove about initialization of l return l.insertValue(v, mark.prev) } // InsertAfter inserts a new element e with value v immediately after mark and returns e. // If mark is not an element of l, the list is not modified. +// The mark must not be nil. func (l *PacketIntervalList) InsertAfter(v PacketInterval, mark *PacketIntervalElement) *PacketIntervalElement { if mark.list != l { return nil } - // see comment in PacketIntervalList.Remove about initialization of l + // see comment in List.Remove about initialization of l return l.insertValue(v, mark) } // MoveToFront moves element e to the front of list l. // If e is not an element of l, the list is not modified. +// The element must not be nil. func (l *PacketIntervalList) MoveToFront(e *PacketIntervalElement) { if e.list != l || l.root.next == e { return } - // see comment in PacketIntervalList.Remove about initialization of l + // see comment in List.Remove about initialization of l l.insert(l.remove(e), &l.root) } // MoveToBack moves element e to the back of list l. // If e is not an element of l, the list is not modified. +// The element must not be nil. func (l *PacketIntervalList) MoveToBack(e *PacketIntervalElement) { if e.list != l || l.root.prev == e { return } - // see comment in PacketIntervalList.Remove about initialization of l + // see comment in List.Remove about initialization of l l.insert(l.remove(e), l.root.prev) } // MoveBefore moves element e to its new position before mark. // If e or mark is not an element of l, or e == mark, the list is not modified. +// The element and mark must not be nil. func (l *PacketIntervalList) MoveBefore(e, mark *PacketIntervalElement) { if e.list != l || e == mark || mark.list != l { return @@ -187,7 +189,8 @@ func (l *PacketIntervalList) MoveBefore(e, mark *PacketIntervalElement) { } // MoveAfter moves element e to its new position after mark. -// If e is not an element of l, or e == mark, the list is not modified. +// If e or mark is not an element of l, or e == mark, the list is not modified. +// The element and mark must not be nil. func (l *PacketIntervalList) MoveAfter(e, mark *PacketIntervalElement) { if e.list != l || e == mark || mark.list != l { return @@ -196,7 +199,7 @@ func (l *PacketIntervalList) MoveAfter(e, mark *PacketIntervalElement) { } // PushBackList inserts a copy of an other list at the back of list l. -// The lists l and other may be the same. +// The lists l and other may be the same. They must not be nil. func (l *PacketIntervalList) PushBackList(other *PacketIntervalList) { l.lazyInit() for i, e := other.Len(), other.Front(); i > 0; i, e = i-1, e.Next() { @@ -205,7 +208,7 @@ func (l *PacketIntervalList) PushBackList(other *PacketIntervalList) { } // PushFrontList inserts a copy of an other list at the front of list l. -// The lists l and other may be the same. +// The lists l and other may be the same. They must not be nil. func (l *PacketIntervalList) PushFrontList(other *PacketIntervalList) { l.lazyInit() for i, e := other.Len(), other.Back(); i > 0; i, e = i-1, e.Prev() { diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/utils/streamframe_interval.go b/vendor/github.com/lucas-clemente/quic-go/internal/utils/streamframe_interval.go index 3c8325b25..ec16d251b 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/utils/streamframe_interval.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/utils/streamframe_interval.go @@ -3,7 +3,6 @@ package utils import "github.com/lucas-clemente/quic-go/internal/protocol" // ByteInterval is an interval from one ByteCount to the other -// +gen linkedlist type ByteInterval struct { Start protocol.ByteCount End protocol.ByteCount diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/utils/timer.go b/vendor/github.com/lucas-clemente/quic-go/internal/utils/timer.go index 7f8ffc7a0..20eaacd08 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/utils/timer.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/utils/timer.go @@ -31,7 +31,7 @@ func (t *Timer) Reset(deadline time.Time) { if !t.t.Stop() && !t.read { <-t.t.C } - t.t.Reset(deadline.Sub(time.Now())) + t.t.Reset(time.Until(deadline)) t.read = false t.deadline = deadline diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/ack_frame.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/ack_frame.go index 996b771b4..1a95bb9f3 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/wire/ack_frame.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/ack_frame.go @@ -24,8 +24,8 @@ type AckFrame struct { DelayTime time.Duration } -// ParseAckFrame reads an ACK frame -func ParseAckFrame(r *bytes.Reader, version protocol.VersionNumber) (*AckFrame, error) { +// parseAckFrame reads an ACK frame +func parseAckFrame(r *bytes.Reader, version protocol.VersionNumber) (*AckFrame, error) { if !version.UsesIETFFrameFormat() { return parseAckFrameLegacy(r, version) } @@ -60,7 +60,7 @@ func ParseAckFrame(r *bytes.Reader, version protocol.VersionNumber) (*AckFrame, if ackBlock > frame.LargestAcked { return nil, errors.New("invalid first ACK range") } - smallest := frame.LargestAcked - protocol.PacketNumber(ackBlock) + smallest := frame.LargestAcked - ackBlock // read all the other ACK ranges if numBlocks > 0 { @@ -86,7 +86,7 @@ func ParseAckFrame(r *bytes.Reader, version protocol.VersionNumber) (*AckFrame, if ackBlock > largest { return nil, errInvalidAckRanges } - smallest = largest - protocol.PacketNumber(ackBlock) + smallest = largest - ackBlock frame.AckRanges = append(frame.AckRanges, AckRange{First: smallest, Last: largest}) } @@ -144,7 +144,7 @@ func (f *AckFrame) Length(version protocol.VersionNumber) protocol.ByteCount { return f.lengthLegacy(version) } - length := 1 + utils.VarIntLen(uint64(f.LargestAcked)) + utils.VarIntLen(uint64(encodeAckDelay(f.DelayTime))) + length := 1 + utils.VarIntLen(uint64(f.LargestAcked)) + utils.VarIntLen(encodeAckDelay(f.DelayTime)) var lowestInFirstRange protocol.PacketNumber if f.HasMissingRanges() { diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/ack_range.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/ack_range.go index c561762d3..783528e65 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/wire/ack_range.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/ack_range.go @@ -7,3 +7,8 @@ type AckRange struct { First protocol.PacketNumber Last protocol.PacketNumber } + +// Len returns the number of packets contained in this ACK range +func (r AckRange) Len() protocol.PacketNumber { + return r.Last - r.First + 1 +} diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/blocked_frame.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/blocked_frame.go index e4cad2d6d..1d3e56e59 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/wire/blocked_frame.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/blocked_frame.go @@ -12,8 +12,8 @@ type BlockedFrame struct { Offset protocol.ByteCount } -// ParseBlockedFrame parses a BLOCKED frame -func ParseBlockedFrame(r *bytes.Reader, _ protocol.VersionNumber) (*BlockedFrame, error) { +// parseBlockedFrame parses a BLOCKED frame +func parseBlockedFrame(r *bytes.Reader, _ protocol.VersionNumber) (*BlockedFrame, error) { if _, err := r.ReadByte(); err != nil { return nil, err } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/blocked_frame_legacy.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/blocked_frame_legacy.go index 41cf0ee7e..9943e1668 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/wire/blocked_frame_legacy.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/blocked_frame_legacy.go @@ -11,11 +11,11 @@ type blockedFrameLegacy struct { StreamID protocol.StreamID } -// ParseBlockedFrameLegacy parses a BLOCKED frame (in gQUIC format) +// parseBlockedFrameLegacy parses a BLOCKED frame (in gQUIC format) // The frame returned is // * a STREAM_BLOCKED frame, if the BLOCKED applies to a stream // * a BLOCKED frame, if the BLOCKED applies to the connection -func ParseBlockedFrameLegacy(r *bytes.Reader, _ protocol.VersionNumber) (Frame, error) { +func parseBlockedFrameLegacy(r *bytes.Reader, _ protocol.VersionNumber) (Frame, error) { if _, err := r.ReadByte(); err != nil { // read the TypeByte return nil, err } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/connection_close_frame.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/connection_close_frame.go index a2a7e9667..667ded744 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/wire/connection_close_frame.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/connection_close_frame.go @@ -17,8 +17,8 @@ type ConnectionCloseFrame struct { ReasonPhrase string } -// ParseConnectionCloseFrame reads a CONNECTION_CLOSE frame -func ParseConnectionCloseFrame(r *bytes.Reader, version protocol.VersionNumber) (*ConnectionCloseFrame, error) { +// parseConnectionCloseFrame reads a CONNECTION_CLOSE frame +func parseConnectionCloseFrame(r *bytes.Reader, version protocol.VersionNumber) (*ConnectionCloseFrame, error) { if _, err := r.ReadByte(); err != nil { // read the TypeByte return nil, err } @@ -48,7 +48,7 @@ func ParseConnectionCloseFrame(r *bytes.Reader, version protocol.VersionNumber) reasonPhraseLen = uint64(length) } - // shortcut to prevent the unneccessary allocation of dataLen bytes + // shortcut to prevent the unnecessary allocation of dataLen bytes // if the dataLen is larger than the remaining length of the packet // reading the whole reason phrase would result in EOF when attempting to READ if int(reasonPhraseLen) > r.Len() { @@ -62,7 +62,7 @@ func ParseConnectionCloseFrame(r *bytes.Reader, version protocol.VersionNumber) } return &ConnectionCloseFrame{ - ErrorCode: qerr.ErrorCode(errorCode), + ErrorCode: errorCode, ReasonPhrase: string(reasonPhrase), }, nil } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/frame_parser.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/frame_parser.go new file mode 100644 index 000000000..6911446f9 --- /dev/null +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/frame_parser.go @@ -0,0 +1,152 @@ +package wire + +import ( + "bytes" + "fmt" + + "github.com/lucas-clemente/quic-go/internal/protocol" + "github.com/lucas-clemente/quic-go/qerr" +) + +// ParseNextFrame parses the next frame +// It skips PADDING frames. +func ParseNextFrame(r *bytes.Reader, hdr *Header, v protocol.VersionNumber) (Frame, error) { + if r.Len() == 0 { + return nil, nil + } + typeByte, _ := r.ReadByte() + if typeByte == 0x0 { // PADDING frame + return ParseNextFrame(r, hdr, v) + } + r.UnreadByte() + + if !v.UsesIETFFrameFormat() { + return parseGQUICFrame(r, typeByte, hdr, v) + } + return parseIETFFrame(r, typeByte, v) +} + +func parseIETFFrame(r *bytes.Reader, typeByte byte, v protocol.VersionNumber) (Frame, error) { + var frame Frame + var err error + if typeByte&0xf8 == 0x10 { + frame, err = parseStreamFrame(r, v) + if err != nil { + err = qerr.Error(qerr.InvalidStreamData, err.Error()) + } + return frame, err + } + // TODO: implement all IETF QUIC frame types + switch typeByte { + case 0x1: + frame, err = parseRstStreamFrame(r, v) + if err != nil { + err = qerr.Error(qerr.InvalidRstStreamData, err.Error()) + } + case 0x2: + frame, err = parseConnectionCloseFrame(r, v) + if err != nil { + err = qerr.Error(qerr.InvalidConnectionCloseData, err.Error()) + } + case 0x4: + frame, err = parseMaxDataFrame(r, v) + if err != nil { + err = qerr.Error(qerr.InvalidWindowUpdateData, err.Error()) + } + case 0x5: + frame, err = parseMaxStreamDataFrame(r, v) + if err != nil { + err = qerr.Error(qerr.InvalidWindowUpdateData, err.Error()) + } + case 0x6: + frame, err = parseMaxStreamIDFrame(r, v) + if err != nil { + err = qerr.Error(qerr.InvalidFrameData, err.Error()) + } + case 0x7: + frame, err = parsePingFrame(r, v) + case 0x8: + frame, err = parseBlockedFrame(r, v) + if err != nil { + err = qerr.Error(qerr.InvalidBlockedData, err.Error()) + } + case 0x9: + frame, err = parseStreamBlockedFrame(r, v) + if err != nil { + err = qerr.Error(qerr.InvalidBlockedData, err.Error()) + } + case 0xa: + frame, err = parseStreamIDBlockedFrame(r, v) + if err != nil { + err = qerr.Error(qerr.InvalidFrameData, err.Error()) + } + case 0xc: + frame, err = parseStopSendingFrame(r, v) + if err != nil { + err = qerr.Error(qerr.InvalidFrameData, err.Error()) + } + case 0xe: + frame, err = parseAckFrame(r, v) + if err != nil { + err = qerr.Error(qerr.InvalidAckData, err.Error()) + } + default: + err = qerr.Error(qerr.InvalidFrameData, fmt.Sprintf("unknown type byte 0x%x", typeByte)) + } + return frame, err +} + +func parseGQUICFrame(r *bytes.Reader, typeByte byte, hdr *Header, v protocol.VersionNumber) (Frame, error) { + var frame Frame + var err error + if typeByte&0x80 == 0x80 { + frame, err = parseStreamFrame(r, v) + if err != nil { + err = qerr.Error(qerr.InvalidStreamData, err.Error()) + } + return frame, err + } else if typeByte&0xc0 == 0x40 { + frame, err = parseAckFrame(r, v) + if err != nil { + err = qerr.Error(qerr.InvalidAckData, err.Error()) + } + return frame, err + } + switch typeByte { + case 0x1: + frame, err = parseRstStreamFrame(r, v) + if err != nil { + err = qerr.Error(qerr.InvalidRstStreamData, err.Error()) + } + case 0x2: + frame, err = parseConnectionCloseFrame(r, v) + if err != nil { + err = qerr.Error(qerr.InvalidConnectionCloseData, err.Error()) + } + case 0x3: + frame, err = parseGoawayFrame(r, v) + if err != nil { + err = qerr.Error(qerr.InvalidGoawayData, err.Error()) + } + case 0x4: + frame, err = parseWindowUpdateFrame(r, v) + if err != nil { + err = qerr.Error(qerr.InvalidWindowUpdateData, err.Error()) + } + case 0x5: + frame, err = parseBlockedFrameLegacy(r, v) + if err != nil { + err = qerr.Error(qerr.InvalidBlockedData, err.Error()) + } + case 0x6: + frame, err = parseStopWaitingFrame(r, hdr.PacketNumber, hdr.PacketNumberLen, v) + if err != nil { + err = qerr.Error(qerr.InvalidStopWaitingData, err.Error()) + } + case 0x7: + frame, err = parsePingFrame(r, v) + default: + err = qerr.Error(qerr.InvalidFrameData, fmt.Sprintf("unknown type byte 0x%x", typeByte)) + } + return frame, err +} diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/goaway_frame.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/goaway_frame.go index fd5aca921..86bf2b439 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/wire/goaway_frame.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/goaway_frame.go @@ -16,8 +16,8 @@ type GoawayFrame struct { ReasonPhrase string } -// ParseGoawayFrame parses a GOAWAY frame -func ParseGoawayFrame(r *bytes.Reader, _ protocol.VersionNumber) (*GoawayFrame, error) { +// parseGoawayFrame parses a GOAWAY frame +func parseGoawayFrame(r *bytes.Reader, _ protocol.VersionNumber) (*GoawayFrame, error) { frame := &GoawayFrame{} if _, err := r.ReadByte(); err != nil { @@ -41,7 +41,7 @@ func ParseGoawayFrame(r *bytes.Reader, _ protocol.VersionNumber) (*GoawayFrame, return nil, err } - if reasonPhraseLen > uint16(protocol.MaxPacketSize) { + if reasonPhraseLen > uint16(protocol.MaxReceivePacketSize) { return nil, qerr.Error(qerr.InvalidGoawayData, "reason phrase too long") } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/header.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/header.go index 19c45c3ee..fc346f3f4 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/wire/header.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/header.go @@ -4,6 +4,7 @@ import ( "bytes" "github.com/lucas-clemente/quic-go/internal/protocol" + "github.com/lucas-clemente/quic-go/internal/utils" ) // Header is the header of a QUIC packet. @@ -50,6 +51,7 @@ func ParseHeaderSentByServer(b *bytes.Reader, version protocol.VersionNumber) (* // the client knows the version that this packet was sent with isPublicHeader = !version.UsesTLS() } + return parsePacketHeader(b, protocol.PerspectiveServer, isPublicHeader) } @@ -61,12 +63,13 @@ func ParseHeaderSentByClient(b *bytes.Reader) (*Header, error) { } _ = b.UnreadByte() // unread the type byte - // If this is a gQUIC header 0x80 and 0x40 will be set to 0. - // If this is an IETF QUIC header there are two options: - // * either 0x80 will be 1 (for the Long Header) - // * or 0x40 (the Connection ID Flag) will be 0 (for the Short Header), since we don't the client to omit it - isPublicHeader := typeByte&0xc0 == 0 - + // In an IETF QUIC packet header + // * either 0x80 is set (for the Long Header) + // * or 0x8 is unset (for the Short Header) + // In a gQUIC Public Header + // * 0x80 is always unset and + // * and 0x8 is always set (this is the Connection ID flag, which the client always sets) + isPublicHeader := typeByte&0x88 == 0x8 return parsePacketHeader(b, protocol.PerspectiveClient, isPublicHeader) } @@ -101,10 +104,10 @@ func (h *Header) GetLength(pers protocol.Perspective, version protocol.VersionNu } // Log logs the Header -func (h *Header) Log() { +func (h *Header) Log(logger utils.Logger) { if h.isPublicHeader { - h.logPublicHeader() + h.logPublicHeader(logger) } else { - h.logHeader() + h.logHeader(logger) } } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/ietf_header.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/ietf_header.go index 88bd139fb..01bf0a26b 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/wire/ietf_header.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/ietf_header.go @@ -2,6 +2,7 @@ package wire import ( "bytes" + "errors" "fmt" "github.com/lucas-clemente/quic-go/internal/protocol" @@ -31,15 +32,9 @@ func parseLongHeader(b *bytes.Reader, sentBy protocol.Perspective, typeByte byte if err != nil { return nil, err } - pn, err := utils.BigEndian.ReadUint32(b) - if err != nil { - return nil, err - } h := &Header{ - ConnectionID: protocol.ConnectionID(connID), - PacketNumber: protocol.PacketNumber(pn), - PacketNumberLen: protocol.PacketNumberLen4, - Version: protocol.VersionNumber(v), + ConnectionID: protocol.ConnectionID(connID), + Version: protocol.VersionNumber(v), } if v == 0 { // version negotiation packet if sentBy == protocol.PerspectiveClient { @@ -60,6 +55,12 @@ func parseLongHeader(b *bytes.Reader, sentBy protocol.Perspective, typeByte byte return h, nil } h.IsLongHeader = true + pn, err := utils.BigEndian.ReadUint32(b) + if err != nil { + return nil, err + } + h.PacketNumber = protocol.PacketNumber(pn) + h.PacketNumberLen = protocol.PacketNumberLen4 h.Type = protocol.PacketType(typeByte & 0x7f) if sentBy == protocol.PerspectiveClient && (h.Type != protocol.PacketTypeInitial && h.Type != protocol.PacketTypeHandshake && h.Type != protocol.PacketType0RTT) { return nil, qerr.Error(qerr.InvalidPacketHeader, fmt.Sprintf("Received packet with invalid packet type: %d", h.Type)) @@ -71,26 +72,40 @@ func parseLongHeader(b *bytes.Reader, sentBy protocol.Perspective, typeByte byte } func parseShortHeader(b *bytes.Reader, typeByte byte) (*Header, error) { - hasConnID := typeByte&0x40 > 0 + omitConnID := typeByte&0x40 > 0 var connID uint64 - if hasConnID { + if !omitConnID { var err error connID, err = utils.BigEndian.ReadUint64(b) if err != nil { return nil, err } } - pnLen := 1 << ((typeByte & 0x3) - 1) + // bit 4 must be set, bit 5 must be unset + if typeByte&0x18 != 0x10 { + return nil, errors.New("invalid bit 4 and 5") + } + var pnLen protocol.PacketNumberLen + switch typeByte & 0x7 { + case 0x0: + pnLen = protocol.PacketNumberLen1 + case 0x1: + pnLen = protocol.PacketNumberLen2 + case 0x2: + pnLen = protocol.PacketNumberLen4 + default: + return nil, errors.New("invalid short header type") + } pn, err := utils.BigEndian.ReadUintN(b, uint8(pnLen)) if err != nil { return nil, err } return &Header{ KeyPhase: int(typeByte&0x20) >> 5, - OmitConnectionID: !hasConnID, + OmitConnectionID: omitConnID, ConnectionID: protocol.ConnectionID(connID), PacketNumber: protocol.PacketNumber(pn), - PacketNumberLen: protocol.PacketNumberLen(pnLen), + PacketNumberLen: pnLen, }, nil } @@ -112,17 +127,17 @@ func (h *Header) writeLongHeader(b *bytes.Buffer) error { } func (h *Header) writeShortHeader(b *bytes.Buffer) error { - typeByte := byte(h.KeyPhase << 5) - if !h.OmitConnectionID { + typeByte := byte(0x10) + typeByte ^= byte(h.KeyPhase << 5) + if h.OmitConnectionID { typeByte ^= 0x40 } switch h.PacketNumberLen { case protocol.PacketNumberLen1: - typeByte ^= 0x1 case protocol.PacketNumberLen2: - typeByte ^= 0x2 + typeByte ^= 0x1 case protocol.PacketNumberLen4: - typeByte ^= 0x3 + typeByte ^= 0x2 default: return fmt.Errorf("invalid packet number length: %d", h.PacketNumberLen) } @@ -159,14 +174,14 @@ func (h *Header) getHeaderLength() (protocol.ByteCount, error) { return length, nil } -func (h *Header) logHeader() { +func (h *Header) logHeader(logger utils.Logger) { if h.IsLongHeader { - utils.Debugf(" Long Header{Type: %s, ConnectionID: %#x, PacketNumber: %#x, Version: %s}", h.Type, h.ConnectionID, h.PacketNumber, h.Version) + logger.Debugf(" Long Header{Type: %s, ConnectionID: %#x, PacketNumber: %#x, Version: %s}", h.Type, h.ConnectionID, h.PacketNumber, h.Version) } else { connID := "(omitted)" if !h.OmitConnectionID { connID = fmt.Sprintf("%#x", h.ConnectionID) } - utils.Debugf(" Short Header{ConnectionID: %s, PacketNumber: %#x, PacketNumberLen: %d, KeyPhase: %d}", connID, h.PacketNumber, h.PacketNumberLen, h.KeyPhase) + logger.Debugf(" Short Header{ConnectionID: %s, PacketNumber: %#x, PacketNumberLen: %d, KeyPhase: %d}", connID, h.PacketNumber, h.PacketNumberLen, h.KeyPhase) } } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/log.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/log.go index 0e72ea98a..eaf5b1ea9 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/wire/log.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/log.go @@ -3,8 +3,8 @@ package wire import "github.com/lucas-clemente/quic-go/internal/utils" // LogFrame logs a frame, either sent or received -func LogFrame(frame Frame, sent bool) { - if !utils.Debug() { +func LogFrame(logger utils.Logger, frame Frame, sent bool) { + if !logger.Debug() { return } dir := "<-" @@ -13,16 +13,16 @@ func LogFrame(frame Frame, sent bool) { } switch f := frame.(type) { case *StreamFrame: - utils.Debugf("\t%s &wire.StreamFrame{StreamID: %d, FinBit: %t, Offset: 0x%x, Data length: 0x%x, Offset + Data length: 0x%x}", dir, f.StreamID, f.FinBit, f.Offset, f.DataLen(), f.Offset+f.DataLen()) + logger.Debugf("\t%s &wire.StreamFrame{StreamID: %d, FinBit: %t, Offset: 0x%x, Data length: 0x%x, Offset + Data length: 0x%x}", dir, f.StreamID, f.FinBit, f.Offset, f.DataLen(), f.Offset+f.DataLen()) case *StopWaitingFrame: if sent { - utils.Debugf("\t%s &wire.StopWaitingFrame{LeastUnacked: 0x%x, PacketNumberLen: 0x%x}", dir, f.LeastUnacked, f.PacketNumberLen) + logger.Debugf("\t%s &wire.StopWaitingFrame{LeastUnacked: 0x%x, PacketNumberLen: 0x%x}", dir, f.LeastUnacked, f.PacketNumberLen) } else { - utils.Debugf("\t%s &wire.StopWaitingFrame{LeastUnacked: 0x%x}", dir, f.LeastUnacked) + logger.Debugf("\t%s &wire.StopWaitingFrame{LeastUnacked: 0x%x}", dir, f.LeastUnacked) } case *AckFrame: - utils.Debugf("\t%s &wire.AckFrame{LargestAcked: 0x%x, LowestAcked: 0x%x, AckRanges: %#v, DelayTime: %s}", dir, f.LargestAcked, f.LowestAcked, f.AckRanges, f.DelayTime.String()) + logger.Debugf("\t%s &wire.AckFrame{LargestAcked: 0x%x, LowestAcked: 0x%x, AckRanges: %#v, DelayTime: %s}", dir, f.LargestAcked, f.LowestAcked, f.AckRanges, f.DelayTime.String()) default: - utils.Debugf("\t%s %#v", dir, frame) + logger.Debugf("\t%s %#v", dir, frame) } } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/max_data_frame.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/max_data_frame.go index 8ba4fc09a..0bca27da8 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/wire/max_data_frame.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/max_data_frame.go @@ -12,8 +12,8 @@ type MaxDataFrame struct { ByteOffset protocol.ByteCount } -// ParseMaxDataFrame parses a MAX_DATA frame -func ParseMaxDataFrame(r *bytes.Reader, version protocol.VersionNumber) (*MaxDataFrame, error) { +// parseMaxDataFrame parses a MAX_DATA frame +func parseMaxDataFrame(r *bytes.Reader, version protocol.VersionNumber) (*MaxDataFrame, error) { // read the TypeByte if _, err := r.ReadByte(); err != nil { return nil, err diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/max_stream_data_frame.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/max_stream_data_frame.go index e88f245b5..6d8be236d 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/wire/max_stream_data_frame.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/max_stream_data_frame.go @@ -13,8 +13,8 @@ type MaxStreamDataFrame struct { ByteOffset protocol.ByteCount } -// ParseMaxStreamDataFrame parses a MAX_STREAM_DATA frame -func ParseMaxStreamDataFrame(r *bytes.Reader, version protocol.VersionNumber) (*MaxStreamDataFrame, error) { +// parseMaxStreamDataFrame parses a MAX_STREAM_DATA frame +func parseMaxStreamDataFrame(r *bytes.Reader, version protocol.VersionNumber) (*MaxStreamDataFrame, error) { frame := &MaxStreamDataFrame{} // read the TypeByte diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/max_stream_id_frame.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/max_stream_id_frame.go index 31e51ae3d..9f5424daa 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/wire/max_stream_id_frame.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/max_stream_id_frame.go @@ -12,8 +12,8 @@ type MaxStreamIDFrame struct { StreamID protocol.StreamID } -// ParseMaxStreamIDFrame parses a MAX_STREAM_ID frame -func ParseMaxStreamIDFrame(r *bytes.Reader, _ protocol.VersionNumber) (*MaxStreamIDFrame, error) { +// parseMaxStreamIDFrame parses a MAX_STREAM_ID frame +func parseMaxStreamIDFrame(r *bytes.Reader, _ protocol.VersionNumber) (*MaxStreamIDFrame, error) { // read the Type byte if _, err := r.ReadByte(); err != nil { return nil, err diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/ping_frame.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/ping_frame.go index ac4fd7d25..bc1dedac0 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/wire/ping_frame.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/ping_frame.go @@ -9,8 +9,8 @@ import ( // A PingFrame is a ping frame type PingFrame struct{} -// ParsePingFrame parses a Ping frame -func ParsePingFrame(r *bytes.Reader, version protocol.VersionNumber) (*PingFrame, error) { +// parsePingFrame parses a Ping frame +func parsePingFrame(r *bytes.Reader, version protocol.VersionNumber) (*PingFrame, error) { frame := &PingFrame{} _, err := r.ReadByte() diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/public_header.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/public_header.go index e4c997557..af996b292 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/wire/public_header.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/public_header.go @@ -20,6 +20,9 @@ var ( // writePublicHeader writes a Public Header. func (h *Header) writePublicHeader(b *bytes.Buffer, pers protocol.Perspective, _ protocol.VersionNumber) error { + if h.VersionFlag && pers == protocol.PerspectiveServer { + return errors.New("PublicHeader: Writing of Version Negotiation Packets not supported") + } if h.VersionFlag && h.ResetFlag { return errResetAndVersionFlagSet } @@ -134,10 +137,9 @@ func parsePublicHeader(b *bytes.Reader, packetSentBy protocol.Perspective) (*Hea } } + // Contrary to what the gQUIC wire spec says, the 0x4 bit only indicates the presence of the diversification nonce for packets sent by the server. + // It doesn't have any meaning when sent by the client. if packetSentBy == protocol.PerspectiveServer && publicFlagByte&0x04 > 0 { - // TODO: remove the if once the Google servers send the correct value - // assume that a packet doesn't contain a diversification nonce if the version flag or the reset flag is set, no matter what the public flag says - // see https://github.com/lucas-clemente/quic-go/issues/232 if !header.VersionFlag && !header.ResetFlag { header.DiversificationNonce = make([]byte, 32) if _, err := io.ReadFull(b, header.DiversificationNonce); err != nil { @@ -148,7 +150,7 @@ func parsePublicHeader(b *bytes.Reader, packetSentBy protocol.Perspective) (*Hea // Version (optional) if !header.ResetFlag && header.VersionFlag { - if packetSentBy == protocol.PerspectiveServer { // parse the version negotiaton packet + if packetSentBy == protocol.PerspectiveServer { // parse the version negotiation packet if b.Len() == 0 { return nil, qerr.Error(qerr.InvalidVersionNegotiationPacket, "empty version list") } @@ -229,14 +231,14 @@ func (h *Header) hasPacketNumber(packetSentBy protocol.Perspective) bool { return true } -func (h *Header) logPublicHeader() { +func (h *Header) logPublicHeader(logger utils.Logger) { connID := "(omitted)" if !h.OmitConnectionID { connID = fmt.Sprintf("%#x", h.ConnectionID) } ver := "(unset)" if h.Version != 0 { - ver = fmt.Sprintf("%s", h.Version) + ver = h.Version.String() } - utils.Debugf(" Public Header{ConnectionID: %s, PacketNumber: %#x, PacketNumberLen: %d, Version: %s, DiversificationNonce: %#v}", connID, h.PacketNumber, h.PacketNumberLen, ver, h.DiversificationNonce) + logger.Debugf(" Public Header{ConnectionID: %s, PacketNumber: %#x, PacketNumberLen: %d, Version: %s, DiversificationNonce: %#v}", connID, h.PacketNumber, h.PacketNumberLen, ver, h.DiversificationNonce) } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/rst_stream_frame.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/rst_stream_frame.go index ea25f381d..209422c28 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/wire/rst_stream_frame.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/rst_stream_frame.go @@ -16,8 +16,8 @@ type RstStreamFrame struct { ByteOffset protocol.ByteCount } -// ParseRstStreamFrame parses a RST_STREAM frame -func ParseRstStreamFrame(r *bytes.Reader, version protocol.VersionNumber) (*RstStreamFrame, error) { +// parseRstStreamFrame parses a RST_STREAM frame +func parseRstStreamFrame(r *bytes.Reader, version protocol.VersionNumber) (*RstStreamFrame, error) { if _, err := r.ReadByte(); err != nil { // read the TypeByte return nil, err } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/stop_sending_frame.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/stop_sending_frame.go index 2a33756bd..b5e698047 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/wire/stop_sending_frame.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/stop_sending_frame.go @@ -13,8 +13,8 @@ type StopSendingFrame struct { ErrorCode protocol.ApplicationErrorCode } -// ParseStopSendingFrame parses a STOP_SENDING frame -func ParseStopSendingFrame(r *bytes.Reader, _ protocol.VersionNumber) (*StopSendingFrame, error) { +// parseStopSendingFrame parses a STOP_SENDING frame +func parseStopSendingFrame(r *bytes.Reader, _ protocol.VersionNumber) (*StopSendingFrame, error) { if _, err := r.ReadByte(); err != nil { // read the TypeByte return nil, err } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/stop_waiting_frame.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/stop_waiting_frame.go index 4ee9578e6..b87606ad3 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/wire/stop_waiting_frame.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/stop_waiting_frame.go @@ -56,8 +56,8 @@ func (f *StopWaitingFrame) Length(_ protocol.VersionNumber) protocol.ByteCount { return 1 + protocol.ByteCount(f.PacketNumberLen) } -// ParseStopWaitingFrame parses a StopWaiting frame -func ParseStopWaitingFrame(r *bytes.Reader, packetNumber protocol.PacketNumber, packetNumberLen protocol.PacketNumberLen, _ protocol.VersionNumber) (*StopWaitingFrame, error) { +// parseStopWaitingFrame parses a StopWaiting frame +func parseStopWaitingFrame(r *bytes.Reader, packetNumber protocol.PacketNumber, packetNumberLen protocol.PacketNumberLen, _ protocol.VersionNumber) (*StopWaitingFrame, error) { frame := &StopWaitingFrame{} // read the TypeByte diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/stream_blocked_frame.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/stream_blocked_frame.go index 625698cd1..a083a9f59 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/wire/stream_blocked_frame.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/stream_blocked_frame.go @@ -13,8 +13,8 @@ type StreamBlockedFrame struct { Offset protocol.ByteCount } -// ParseStreamBlockedFrame parses a STREAM_BLOCKED frame -func ParseStreamBlockedFrame(r *bytes.Reader, _ protocol.VersionNumber) (*StreamBlockedFrame, error) { +// parseStreamBlockedFrame parses a STREAM_BLOCKED frame +func parseStreamBlockedFrame(r *bytes.Reader, _ protocol.VersionNumber) (*StreamBlockedFrame, error) { if _, err := r.ReadByte(); err != nil { // read the TypeByte return nil, err } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/stream_frame.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/stream_frame.go index 5168e315c..d848127ae 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/wire/stream_frame.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/stream_frame.go @@ -19,8 +19,8 @@ type StreamFrame struct { Data []byte } -// ParseStreamFrame reads a STREAM frame -func ParseStreamFrame(r *bytes.Reader, version protocol.VersionNumber) (*StreamFrame, error) { +// parseStreamFrame reads a STREAM frame +func parseStreamFrame(r *bytes.Reader, version protocol.VersionNumber) (*StreamFrame, error) { if !version.UsesIETFFrameFormat() { return parseLegacyStreamFrame(r, version) } @@ -56,7 +56,7 @@ func ParseStreamFrame(r *bytes.Reader, version protocol.VersionNumber) (*StreamF if err != nil { return nil, err } - // shortcut to prevent the unneccessary allocation of dataLen bytes + // shortcut to prevent the unnecessary allocation of dataLen bytes // if the dataLen is larger than the remaining length of the packet // reading the packet contents would result in EOF when attempting to READ if dataLen > uint64(r.Len()) { @@ -76,7 +76,8 @@ func ParseStreamFrame(r *bytes.Reader, version protocol.VersionNumber) (*StreamF if frame.Offset+frame.DataLen() > protocol.MaxByteCount { return nil, qerr.Error(qerr.InvalidStreamData, "data overflows maximum offset") } - if !frame.FinBit && frame.DataLen() == 0 { + // empty frames are only allowed if they have offset 0 or the FIN bit set + if frame.DataLen() == 0 && !frame.FinBit && frame.Offset != 0 { return nil, qerr.EmptyStreamFrameNoFin } return frame, nil diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/stream_frame_legacy.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/stream_frame_legacy.go index a01618e1a..a2b159dc2 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/wire/stream_frame_legacy.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/stream_frame_legacy.go @@ -52,7 +52,7 @@ func parseLegacyStreamFrame(r *bytes.Reader, _ protocol.VersionNumber) (*StreamF } } - // shortcut to prevent the unneccessary allocation of dataLen bytes + // shortcut to prevent the unnecessary allocation of dataLen bytes // if the dataLen is larger than the remaining length of the packet // reading the packet contents would result in EOF when attempting to READ if int(dataLen) > r.Len() { diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/stream_id_blocked_frame.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/stream_id_blocked_frame.go index 7b390a4d9..6476eb9de 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/wire/stream_id_blocked_frame.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/stream_id_blocked_frame.go @@ -12,8 +12,8 @@ type StreamIDBlockedFrame struct { StreamID protocol.StreamID } -// ParseStreamIDBlockedFrame parses a STREAM_ID_BLOCKED frame -func ParseStreamIDBlockedFrame(r *bytes.Reader, _ protocol.VersionNumber) (*StreamIDBlockedFrame, error) { +// parseStreamIDBlockedFrame parses a STREAM_ID_BLOCKED frame +func parseStreamIDBlockedFrame(r *bytes.Reader, _ protocol.VersionNumber) (*StreamIDBlockedFrame, error) { if _, err := r.ReadByte(); err != nil { return nil, err } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/version_negotiation.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/version_negotiation.go index b20c43c2d..cf72fc2e6 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/wire/version_negotiation.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/version_negotiation.go @@ -10,50 +10,29 @@ import ( // ComposeGQUICVersionNegotiation composes a Version Negotiation Packet for gQUIC func ComposeGQUICVersionNegotiation(connID protocol.ConnectionID, versions []protocol.VersionNumber) []byte { - fullReply := &bytes.Buffer{} - ph := Header{ - ConnectionID: connID, - PacketNumber: 1, - VersionFlag: true, - IsVersionNegotiation: true, - } - if err := ph.writePublicHeader(fullReply, protocol.PerspectiveServer, protocol.VersionWhatever); err != nil { - utils.Errorf("error composing version negotiation packet: %s", err.Error()) - return nil + buf := bytes.NewBuffer(make([]byte, 0, 1+8+len(versions)*4)) + buf.Write([]byte{0x1 | 0x8}) // type byte + utils.BigEndian.WriteUint64(buf, uint64(connID)) + for _, v := range versions { + utils.BigEndian.WriteUint32(buf, uint32(v)) } - writeVersions(fullReply, versions) - return fullReply.Bytes() + return buf.Bytes() } // ComposeVersionNegotiation composes a Version Negotiation according to the IETF draft func ComposeVersionNegotiation( connID protocol.ConnectionID, - pn protocol.PacketNumber, versions []protocol.VersionNumber, ) []byte { - fullReply := &bytes.Buffer{} + greasedVersions := protocol.GetGreasedVersions(versions) + buf := bytes.NewBuffer(make([]byte, 0, 1+8+4+len(greasedVersions)*4)) r := make([]byte, 1) _, _ = rand.Read(r) // ignore the error here. It is not critical to have perfect random here. - h := Header{ - IsLongHeader: true, - Type: protocol.PacketType(r[0] | 0x80), - ConnectionID: connID, - PacketNumber: pn, - Version: 0, - IsVersionNegotiation: true, - } - if err := h.writeHeader(fullReply); err != nil { - utils.Errorf("error composing version negotiation packet: %s", err.Error()) - return nil - } - writeVersions(fullReply, versions) - return fullReply.Bytes() -} - -// writeVersions writes the versions for a Version Negotiation Packet. -// It inserts one reserved version number at a random position. -func writeVersions(buf *bytes.Buffer, supported []protocol.VersionNumber) { - for _, v := range protocol.GetGreasedVersions(supported) { + buf.WriteByte(r[0] | 0x80) + utils.BigEndian.WriteUint64(buf, uint64(connID)) + utils.BigEndian.WriteUint32(buf, 0) // version 0 + for _, v := range greasedVersions { utils.BigEndian.WriteUint32(buf, uint32(v)) } + return buf.Bytes() } diff --git a/vendor/github.com/lucas-clemente/quic-go/internal/wire/window_update_frame.go b/vendor/github.com/lucas-clemente/quic-go/internal/wire/window_update_frame.go index 8f7556e75..606e25cf2 100644 --- a/vendor/github.com/lucas-clemente/quic-go/internal/wire/window_update_frame.go +++ b/vendor/github.com/lucas-clemente/quic-go/internal/wire/window_update_frame.go @@ -12,11 +12,11 @@ type windowUpdateFrame struct { ByteOffset protocol.ByteCount } -// ParseWindowUpdateFrame parses a WINDOW_UPDATE frame +// parseWindowUpdateFrame parses a WINDOW_UPDATE frame // The frame returned is // * a MAX_STREAM_DATA frame, if the WINDOW_UPDATE applies to a stream // * a MAX_DATA frame, if the WINDOW_UPDATE applies to the connection -func ParseWindowUpdateFrame(r *bytes.Reader, _ protocol.VersionNumber) (Frame, error) { +func parseWindowUpdateFrame(r *bytes.Reader, _ protocol.VersionNumber) (Frame, error) { if _, err := r.ReadByte(); err != nil { // read the TypeByte return nil, err } diff --git a/vendor/github.com/lucas-clemente/quic-go/mint_utils.go b/vendor/github.com/lucas-clemente/quic-go/mint_utils.go index 578aecca9..b32a09057 100644 --- a/vendor/github.com/lucas-clemente/quic-go/mint_utils.go +++ b/vendor/github.com/lucas-clemente/quic-go/mint_utils.go @@ -6,6 +6,7 @@ import ( "crypto/tls" "crypto/x509" "errors" + "fmt" "io" "github.com/bifurcation/mint" @@ -76,6 +77,7 @@ func tlsToMintConfig(tlsConf *tls.Config, pers protocol.Perspective) (*mint.Conf mconf.ServerName = tlsConf.ServerName mconf.InsecureSkipVerify = tlsConf.InsecureSkipVerify mconf.Certificates = make([]*mint.Certificate, len(tlsConf.Certificates)) + mconf.RootCAs = tlsConf.RootCAs mconf.VerifyPeerCertificate = tlsConf.VerifyPeerCertificate for i, certChain := range tlsConf.Certificates { mconf.Certificates[i] = &mint.Certificate{ @@ -106,41 +108,47 @@ func tlsToMintConfig(tlsConf *tls.Config, pers protocol.Perspective) (*mint.Conf // unpackInitialOrRetryPacket unpacks packets Initial and Retry packets // These packets must contain a STREAM_FRAME for the crypto stream, starting at offset 0. -func unpackInitialPacket(aead crypto.AEAD, hdr *wire.Header, data []byte, version protocol.VersionNumber) (*wire.StreamFrame, error) { - unpacker := &packetUnpacker{aead: &nullAEAD{aead}, version: version} - packet, err := unpacker.Unpack(hdr.Raw, hdr, data) +func unpackInitialPacket(aead crypto.AEAD, hdr *wire.Header, data []byte, logger utils.Logger, version protocol.VersionNumber) (*wire.StreamFrame, error) { + decrypted, err := aead.Open(data[:0], data, hdr.PacketNumber, hdr.Raw) if err != nil { return nil, err } var frame *wire.StreamFrame - for _, f := range packet.frames { + r := bytes.NewReader(decrypted) + for { + f, err := wire.ParseNextFrame(r, hdr, version) + if err != nil { + return nil, err + } var ok bool - frame, ok = f.(*wire.StreamFrame) - if ok { + if frame, ok = f.(*wire.StreamFrame); ok || frame == nil { break } } if frame == nil { return nil, errors.New("Packet doesn't contain a STREAM_FRAME") } + if frame.StreamID != version.CryptoStreamID() { + return nil, fmt.Errorf("Received STREAM_FRAME for wrong stream (Stream ID %d)", frame.StreamID) + } // We don't need a check for the stream ID here. // The packetUnpacker checks that there's no unencrypted stream data except for the crypto stream. if frame.Offset != 0 { return nil, errors.New("received stream data with non-zero offset") } - if utils.Debug() { - utils.Debugf("<- Reading packet 0x%x (%d bytes) for connection %x", hdr.PacketNumber, len(data)+len(hdr.Raw), hdr.ConnectionID) - hdr.Log() - wire.LogFrame(frame, false) + if logger.Debug() { + logger.Debugf("<- Reading packet 0x%x (%d bytes) for connection %x", hdr.PacketNumber, len(data)+len(hdr.Raw), hdr.ConnectionID) + hdr.Log(logger) + wire.LogFrame(logger, frame, false) } return frame, nil } // packUnencryptedPacket provides a low-overhead way to pack a packet. // It is supposed to be used in the early stages of the handshake, before a session (which owns a packetPacker) is available. -func packUnencryptedPacket(aead crypto.AEAD, hdr *wire.Header, f wire.Frame, pers protocol.Perspective) ([]byte, error) { - raw := getPacketBuffer() - buffer := bytes.NewBuffer(raw) +func packUnencryptedPacket(aead crypto.AEAD, hdr *wire.Header, f wire.Frame, pers protocol.Perspective, logger utils.Logger) ([]byte, error) { + raw := *getPacketBuffer() + buffer := bytes.NewBuffer(raw[:0]) if err := hdr.Write(buffer, pers, hdr.Version); err != nil { return nil, err } @@ -151,10 +159,10 @@ func packUnencryptedPacket(aead crypto.AEAD, hdr *wire.Header, f wire.Frame, per raw = raw[0:buffer.Len()] _ = aead.Seal(raw[payloadStartIndex:payloadStartIndex], raw[payloadStartIndex:], hdr.PacketNumber, raw[:payloadStartIndex]) raw = raw[0 : buffer.Len()+aead.Overhead()] - if utils.Debug() { - utils.Debugf("-> Sending packet 0x%x (%d bytes) for connection %x, %s", hdr.PacketNumber, len(raw), hdr.ConnectionID, protocol.EncryptionUnencrypted) - hdr.Log() - wire.LogFrame(f, true) + if logger.Debug() { + logger.Debugf("-> Sending packet 0x%x (%d bytes) for connection %x, %s", hdr.PacketNumber, len(raw), hdr.ConnectionID, protocol.EncryptionUnencrypted) + hdr.Log(logger) + wire.LogFrame(logger, f, true) } return raw, nil } diff --git a/vendor/github.com/lucas-clemente/quic-go/mockgen.go b/vendor/github.com/lucas-clemente/quic-go/mockgen.go index 3802a8633..65f385468 100644 --- a/vendor/github.com/lucas-clemente/quic-go/mockgen.go +++ b/vendor/github.com/lucas-clemente/quic-go/mockgen.go @@ -9,4 +9,8 @@ package quic //go:generate sh -c "./mockgen_private.sh quic mock_crypto_stream_test.go github.com/lucas-clemente/quic-go cryptoStreamI CryptoStream" //go:generate sh -c "./mockgen_private.sh quic mock_stream_manager_test.go github.com/lucas-clemente/quic-go streamManager StreamManager" //go:generate sh -c "sed -i '' 's/quic_go.//g' mock_stream_getter_test.go mock_stream_manager_test.go" +//go:generate sh -c "./mockgen_private.sh quic mock_unpacker_test.go github.com/lucas-clemente/quic-go unpacker Unpacker" +//go:generate sh -c "sed -i '' 's/quic_go.//g' mock_unpacker_test.go mock_unpacker_test.go" +//go:generate sh -c "./mockgen_private.sh quic mock_quic_aead_test.go github.com/lucas-clemente/quic-go quicAEAD QuicAEAD" +//go:generate sh -c "./mockgen_private.sh quic mock_gquic_aead_test.go github.com/lucas-clemente/quic-go gQUICAEAD GQUICAEAD" //go:generate sh -c "goimports -w mock*_test.go" diff --git a/vendor/github.com/lucas-clemente/quic-go/packet_packer.go b/vendor/github.com/lucas-clemente/quic-go/packet_packer.go index 1a8e688c8..e4fa653a5 100644 --- a/vendor/github.com/lucas-clemente/quic-go/packet_packer.go +++ b/vendor/github.com/lucas-clemente/quic-go/packet_packer.go @@ -4,11 +4,14 @@ import ( "bytes" "errors" "fmt" + "net" "sync" + "time" "github.com/lucas-clemente/quic-go/internal/ackhandler" "github.com/lucas-clemente/quic-go/internal/handshake" "github.com/lucas-clemente/quic-go/internal/protocol" + "github.com/lucas-clemente/quic-go/internal/utils" "github.com/lucas-clemente/quic-go/internal/wire" ) @@ -19,6 +22,23 @@ type packedPacket struct { encryptionLevel protocol.EncryptionLevel } +func (p *packedPacket) ToAckHandlerPacket() *ackhandler.Packet { + return &ackhandler.Packet{ + PacketNumber: p.header.PacketNumber, + PacketType: p.header.Type, + Frames: p.frames, + Length: protocol.ByteCount(len(p.raw)), + EncryptionLevel: p.encryptionLevel, + SendTime: time.Now(), + } +} + +type sealingManager interface { + GetSealer() (protocol.EncryptionLevel, handshake.Sealer) + GetSealerForCryptoStream() (protocol.EncryptionLevel, handshake.Sealer) + GetSealerWithEncryptionLevel(protocol.EncryptionLevel) (handshake.Sealer, error) +} + type streamFrameSource interface { HasCryptoStreamData() bool PopCryptoStreamFrame(protocol.ByteCount) *wire.StreamFrame @@ -29,9 +49,11 @@ type packetPacker struct { connectionID protocol.ConnectionID perspective protocol.Perspective version protocol.VersionNumber - cryptoSetup handshake.CryptoSetup + divNonce []byte + cryptoSetup sealingManager packetNumberGenerator *packetNumberGenerator + getPacketNumberLen func(protocol.PacketNumber) protocol.PacketNumberLen streams streamFrameSource controlFrameMutex sync.Mutex @@ -39,26 +61,45 @@ type packetPacker struct { stopWaiting *wire.StopWaitingFrame ackFrame *wire.AckFrame - leastUnacked protocol.PacketNumber omitConnectionID bool + maxPacketSize protocol.ByteCount hasSentPacket bool // has the packetPacker already sent a packet numNonRetransmittableAcks int } func newPacketPacker(connectionID protocol.ConnectionID, initialPacketNumber protocol.PacketNumber, - cryptoSetup handshake.CryptoSetup, + getPacketNumberLen func(protocol.PacketNumber) protocol.PacketNumberLen, + remoteAddr net.Addr, // only used for determining the max packet size + divNonce []byte, + cryptoSetup sealingManager, streamFramer streamFrameSource, perspective protocol.Perspective, version protocol.VersionNumber, ) *packetPacker { + maxPacketSize := protocol.ByteCount(protocol.MinInitialPacketSize) + // If this is not a UDP address, we don't know anything about the MTU. + // Use the minimum size of an Initial packet as the max packet size. + if udpAddr, ok := remoteAddr.(*net.UDPAddr); ok { + // If ip is not an IPv4 address, To4 returns nil. + // Note that there might be some corner cases, where this is not correct. + // See https://stackoverflow.com/questions/22751035/golang-distinguish-ipv4-ipv6. + if udpAddr.IP.To4() == nil { + maxPacketSize = protocol.MaxPacketSizeIPv6 + } else { + maxPacketSize = protocol.MaxPacketSizeIPv4 + } + } return &packetPacker{ cryptoSetup: cryptoSetup, + divNonce: divNonce, connectionID: connectionID, perspective: perspective, version: version, streams: streamFramer, + getPacketNumberLen: getPacketNumberLen, packetNumberGenerator: newPacketNumberGenerator(initialPacketNumber, protocol.SkipPacketAveragePeriodLength), + maxPacketSize: maxPacketSize, } } @@ -99,18 +140,124 @@ func (p *packetPacker) PackAckPacket() (*packedPacket, error) { }, err } -// PackHandshakeRetransmission retransmits a handshake packet, that was sent with less than forward-secure encryption -func (p *packetPacker) PackHandshakeRetransmission(packet *ackhandler.Packet) (*packedPacket, error) { - if packet.EncryptionLevel == protocol.EncryptionForwardSecure { - return nil, errors.New("PacketPacker BUG: forward-secure encrypted handshake packets don't need special treatment") +// PackRetransmission packs a retransmission +// For packets sent after completion of the handshake, it might happen that 2 packets have to be sent. +// This can happen e.g. when a longer packet number is used in the header. +func (p *packetPacker) PackRetransmission(packet *ackhandler.Packet) ([]*packedPacket, error) { + if packet.EncryptionLevel != protocol.EncryptionForwardSecure { + p, err := p.packHandshakeRetransmission(packet) + return []*packedPacket{p}, err + } + + var controlFrames []wire.Frame + var streamFrames []*wire.StreamFrame + for _, f := range packet.Frames { + if sf, ok := f.(*wire.StreamFrame); ok { + sf.DataLenPresent = true + streamFrames = append(streamFrames, sf) + } else { + controlFrames = append(controlFrames, f) + } + } + + var packets []*packedPacket + encLevel, sealer := p.cryptoSetup.GetSealer() + for len(controlFrames) > 0 || len(streamFrames) > 0 { + var frames []wire.Frame + var payloadLength protocol.ByteCount + + header := p.getHeader(encLevel) + headerLength, err := header.GetLength(p.perspective, p.version) + if err != nil { + return nil, err + } + maxSize := p.maxPacketSize - protocol.ByteCount(sealer.Overhead()) - headerLength + + // for gQUIC: add a STOP_WAITING for *every* retransmission + if p.version.UsesStopWaitingFrames() { + if p.stopWaiting == nil { + return nil, errors.New("PacketPacker BUG: Handshake retransmissions must contain a STOP_WAITING frame") + } + // create a new StopWaitingFrame, since we might need to send more than one packet as a retransmission + swf := &wire.StopWaitingFrame{ + LeastUnacked: p.stopWaiting.LeastUnacked, + PacketNumber: header.PacketNumber, + PacketNumberLen: header.PacketNumberLen, + } + payloadLength += swf.Length(p.version) + frames = append(frames, swf) + } + + for len(controlFrames) > 0 { + frame := controlFrames[0] + length := frame.Length(p.version) + if payloadLength+length > maxSize { + break + } + payloadLength += length + frames = append(frames, frame) + controlFrames = controlFrames[1:] + } + + // temporarily increase the maxFrameSize by the (minimum) length of the DataLen field + // this leads to a properly sized packet in all cases, since we do all the packet length calculations with StreamFrames that have the DataLen set + // however, for the last STREAM frame in the packet, we can omit the DataLen, thus yielding a packet of exactly the correct size + // for gQUIC STREAM frames, DataLen is always 2 bytes + // for IETF draft style STREAM frames, the length is encoded to either 1 or 2 bytes + if p.version.UsesIETFFrameFormat() { + maxSize++ + } else { + maxSize += 2 + } + for len(streamFrames) > 0 && payloadLength+protocol.MinStreamFrameSize < maxSize { + // TODO: optimize by setting DataLenPresent = false on all but the last STREAM frame + frame := streamFrames[0] + frameToAdd := frame + + sf, err := frame.MaybeSplitOffFrame(maxSize-payloadLength, p.version) + if err != nil { + return nil, err + } + if sf != nil { + frameToAdd = sf + } else { + streamFrames = streamFrames[1:] + } + payloadLength += frameToAdd.Length(p.version) + frames = append(frames, frameToAdd) + } + if sf, ok := frames[len(frames)-1].(*wire.StreamFrame); ok { + sf.DataLenPresent = false + } + raw, err := p.writeAndSealPacket(header, frames, sealer) + if err != nil { + return nil, err + } + packets = append(packets, &packedPacket{ + header: header, + raw: raw, + frames: frames, + encryptionLevel: encLevel, + }) } + p.stopWaiting = nil + return packets, nil +} + +// packHandshakeRetransmission retransmits a handshake packet, that was sent with less than forward-secure encryption +func (p *packetPacker) packHandshakeRetransmission(packet *ackhandler.Packet) (*packedPacket, error) { sealer, err := p.cryptoSetup.GetSealerWithEncryptionLevel(packet.EncryptionLevel) if err != nil { return nil, err } + // make sure that the retransmission for an Initial packet is sent as an Initial packet + if packet.PacketType == protocol.PacketTypeInitial { + p.hasSentPacket = false + } header := p.getHeader(packet.EncryptionLevel) + header.Type = packet.PacketType var frames []wire.Frame - if !p.version.UsesIETFFrameFormat() { // for gQUIC: pack a STOP_WAITING first + if p.version.UsesStopWaitingFrames() { // for gQUIC: pack a STOP_WAITING first if p.stopWaiting == nil { return nil, errors.New("PacketPacker BUG: Handshake retransmissions must contain a STOP_WAITING frame") } @@ -155,7 +302,7 @@ func (p *packetPacker) PackPacket() (*packedPacket, error) { p.stopWaiting.PacketNumberLen = header.PacketNumberLen } - maxSize := protocol.MaxPacketSize - protocol.ByteCount(sealer.Overhead()) - headerLength + maxSize := p.maxPacketSize - protocol.ByteCount(sealer.Overhead()) - headerLength payloadFrames, err := p.composeNextPacket(maxSize, p.canSendData(encLevel)) if err != nil { return nil, err @@ -204,7 +351,7 @@ func (p *packetPacker) packCryptoPacket() (*packedPacket, error) { if err != nil { return nil, err } - maxLen := protocol.MaxPacketSize - protocol.ByteCount(sealer.Overhead()) - protocol.NonForwardSecurePacketSizeReduction - headerLength + maxLen := p.maxPacketSize - protocol.ByteCount(sealer.Overhead()) - protocol.NonForwardSecurePacketSizeReduction - headerLength sf := p.streams.PopCryptoStreamFrame(maxLen) sf.DataLenPresent = false frames := []wire.Frame{sf} @@ -261,7 +408,7 @@ func (p *packetPacker) composeNextPacket( // temporarily increase the maxFrameSize by the (minimum) length of the DataLen field // this leads to a properly sized packet in all cases, since we do all the packet length calculations with StreamFrames that have the DataLen set - // however, for the last StreamFrame in the packet, we can omit the DataLen, thus yielding a packet of exactly the correct size + // however, for the last STREAM frame in the packet, we can omit the DataLen, thus yielding a packet of exactly the correct size // for gQUIC STREAM frames, DataLen is always 2 bytes // for IETF draft style STREAM frames, the length is encoded to either 1 or 2 bytes if p.version.UsesIETFFrameFormat() { @@ -296,7 +443,7 @@ func (p *packetPacker) QueueControlFrame(frame wire.Frame) { func (p *packetPacker) getHeader(encLevel protocol.EncryptionLevel) *wire.Header { pnum := p.packetNumberGenerator.Peek() - packetNumberLen := protocol.GetPacketNumberLengthForHeader(pnum, p.leastUnacked) + packetNumberLen := p.getPacketNumberLen(pnum) header := &wire.Header{ ConnectionID: p.connectionID, @@ -319,7 +466,7 @@ func (p *packetPacker) getHeader(encLevel protocol.EncryptionLevel) *wire.Header } if !p.version.UsesTLS() { if p.perspective == protocol.PerspectiveServer && encLevel == protocol.EncryptionSecure { - header.DiversificationNonce = p.cryptoSetup.DiversificationNonce() + header.DiversificationNonce = p.divNonce } if p.perspective == protocol.PerspectiveClient && encLevel != protocol.EncryptionForwardSecure { header.VersionFlag = true @@ -338,8 +485,8 @@ func (p *packetPacker) writeAndSealPacket( payloadFrames []wire.Frame, sealer handshake.Sealer, ) ([]byte, error) { - raw := getPacketBuffer() - buffer := bytes.NewBuffer(raw) + raw := *getPacketBuffer() + buffer := bytes.NewBuffer(raw[:0]) if err := header.Write(buffer, p.perspective, p.version); err != nil { return nil, err @@ -367,8 +514,8 @@ func (p *packetPacker) writeAndSealPacket( } } - if size := protocol.ByteCount(buffer.Len() + sealer.Overhead()); size > protocol.MaxPacketSize { - return nil, fmt.Errorf("PacketPacker BUG: packet too large (%d bytes, allowed %d bytes)", size, protocol.MaxPacketSize) + if size := protocol.ByteCount(buffer.Len() + sealer.Overhead()); size > p.maxPacketSize { + return nil, fmt.Errorf("PacketPacker BUG: packet too large (%d bytes, allowed %d bytes)", size, p.maxPacketSize) } raw = raw[0:buffer.Len()] @@ -390,10 +537,10 @@ func (p *packetPacker) canSendData(encLevel protocol.EncryptionLevel) bool { return encLevel == protocol.EncryptionForwardSecure } -func (p *packetPacker) SetLeastUnacked(leastUnacked protocol.PacketNumber) { - p.leastUnacked = leastUnacked -} - func (p *packetPacker) SetOmitConnectionID() { p.omitConnectionID = true } + +func (p *packetPacker) SetMaxPacketSize(size protocol.ByteCount) { + p.maxPacketSize = utils.MinByteCount(p.maxPacketSize, size) +} diff --git a/vendor/github.com/lucas-clemente/quic-go/packet_unpacker.go b/vendor/github.com/lucas-clemente/quic-go/packet_unpacker.go index 45bdc0fa8..994979072 100644 --- a/vendor/github.com/lucas-clemente/quic-go/packet_unpacker.go +++ b/vendor/github.com/lucas-clemente/quic-go/packet_unpacker.go @@ -2,7 +2,6 @@ package quic import ( "bytes" - "fmt" "github.com/lucas-clemente/quic-go/internal/protocol" "github.com/lucas-clemente/quic-go/internal/wire" @@ -14,51 +13,65 @@ type unpackedPacket struct { frames []wire.Frame } -type quicAEAD interface { +type gQUICAEAD interface { Open(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, protocol.EncryptionLevel, error) } -type packetUnpacker struct { +type quicAEAD interface { + OpenHandshake(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, error) + Open1RTT(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, error) +} + +type packetUnpackerBase struct { version protocol.VersionNumber - aead quicAEAD } -func (u *packetUnpacker) Unpack(headerBinary []byte, hdr *wire.Header, data []byte) (*unpackedPacket, error) { - buf := getPacketBuffer() - defer putPacketBuffer(buf) - decrypted, encryptionLevel, err := u.aead.Open(buf, data, hdr.PacketNumber, headerBinary) - if err != nil { - // Wrap err in quicError so that public reset is sent by session - return nil, qerr.Error(qerr.DecryptionFailure, err.Error()) - } +func (u *packetUnpackerBase) parseFrames(decrypted []byte, hdr *wire.Header) ([]wire.Frame, error) { r := bytes.NewReader(decrypted) - if r.Len() == 0 { return nil, qerr.MissingPayload } fs := make([]wire.Frame, 0, 2) - // Read all frames in the packet - for r.Len() > 0 { - typeByte, _ := r.ReadByte() - if typeByte == 0x0 { // PADDING frame - continue - } - r.UnreadByte() - - frame, err := u.parseFrame(r, typeByte, hdr) + for { + frame, err := wire.ParseNextFrame(r, hdr, u.version) if err != nil { return nil, err } - if sf, ok := frame.(*wire.StreamFrame); ok { - if sf.StreamID != u.version.CryptoStreamID() && encryptionLevel <= protocol.EncryptionUnencrypted { - return nil, qerr.Error(qerr.UnencryptedStreamData, fmt.Sprintf("received unencrypted stream data on stream %d", sf.StreamID)) - } - } - if frame != nil { - fs = append(fs, frame) + if frame == nil { + break } + fs = append(fs, frame) + } + return fs, nil +} + +// The packetUnpackerGQUIC unpacks gQUIC packets. +type packetUnpackerGQUIC struct { + packetUnpackerBase + aead gQUICAEAD +} + +var _ unpacker = &packetUnpackerGQUIC{} + +func newPacketUnpackerGQUIC(aead gQUICAEAD, version protocol.VersionNumber) unpacker { + return &packetUnpackerGQUIC{ + packetUnpackerBase: packetUnpackerBase{version: version}, + aead: aead, + } +} + +func (u *packetUnpackerGQUIC) Unpack(headerBinary []byte, hdr *wire.Header, data []byte) (*unpackedPacket, error) { + decrypted, encryptionLevel, err := u.aead.Open(data[:0], data, hdr.PacketNumber, headerBinary) + if err != nil { + // Wrap err in quicError so that public reset is sent by session + return nil, qerr.Error(qerr.DecryptionFailure, err.Error()) + } + + fs, err := u.parseFrames(decrypted, hdr) + if err != nil { + return nil, err } return &unpackedPacket{ @@ -67,134 +80,48 @@ func (u *packetUnpacker) Unpack(headerBinary []byte, hdr *wire.Header, data []by }, nil } -func (u *packetUnpacker) parseFrame(r *bytes.Reader, typeByte byte, hdr *wire.Header) (wire.Frame, error) { - if u.version.UsesIETFFrameFormat() { - return u.parseIETFFrame(r, typeByte, hdr) - } - return u.parseGQUICFrame(r, typeByte, hdr) +// The packetUnpacker unpacks IETF QUIC packets. +type packetUnpacker struct { + packetUnpackerBase + aead quicAEAD } -func (u *packetUnpacker) parseIETFFrame(r *bytes.Reader, typeByte byte, hdr *wire.Header) (wire.Frame, error) { - var frame wire.Frame - var err error - if typeByte&0xf8 == 0x10 { - frame, err = wire.ParseStreamFrame(r, u.version) - if err != nil { - err = qerr.Error(qerr.InvalidStreamData, err.Error()) - } - return frame, err - } - // TODO: implement all IETF QUIC frame types - switch typeByte { - case 0x1: - frame, err = wire.ParseRstStreamFrame(r, u.version) - if err != nil { - err = qerr.Error(qerr.InvalidRstStreamData, err.Error()) - } - case 0x2: - frame, err = wire.ParseConnectionCloseFrame(r, u.version) - if err != nil { - err = qerr.Error(qerr.InvalidConnectionCloseData, err.Error()) - } - case 0x4: - frame, err = wire.ParseMaxDataFrame(r, u.version) - if err != nil { - err = qerr.Error(qerr.InvalidWindowUpdateData, err.Error()) - } - case 0x5: - frame, err = wire.ParseMaxStreamDataFrame(r, u.version) - if err != nil { - err = qerr.Error(qerr.InvalidWindowUpdateData, err.Error()) - } - case 0x6: - frame, err = wire.ParseMaxStreamIDFrame(r, u.version) - if err != nil { - err = qerr.Error(qerr.InvalidFrameData, err.Error()) - } - case 0x7: - frame, err = wire.ParsePingFrame(r, u.version) - case 0x8: - frame, err = wire.ParseBlockedFrame(r, u.version) - if err != nil { - err = qerr.Error(qerr.InvalidBlockedData, err.Error()) - } - case 0x9: - frame, err = wire.ParseStreamBlockedFrame(r, u.version) - if err != nil { - err = qerr.Error(qerr.InvalidBlockedData, err.Error()) - } - case 0xa: - frame, err = wire.ParseStreamIDBlockedFrame(r, u.version) - if err != nil { - err = qerr.Error(qerr.InvalidFrameData, err.Error()) - } - case 0xc: - frame, err = wire.ParseStopSendingFrame(r, u.version) - if err != nil { - err = qerr.Error(qerr.InvalidFrameData, err.Error()) - } - case 0xe: - frame, err = wire.ParseAckFrame(r, u.version) - if err != nil { - err = qerr.Error(qerr.InvalidAckData, err.Error()) - } - default: - err = qerr.Error(qerr.InvalidFrameData, fmt.Sprintf("unknown type byte 0x%x", typeByte)) +var _ unpacker = &packetUnpacker{} + +func newPacketUnpacker(aead quicAEAD, version protocol.VersionNumber) unpacker { + return &packetUnpacker{ + packetUnpackerBase: packetUnpackerBase{version: version}, + aead: aead, } - return frame, err } -func (u *packetUnpacker) parseGQUICFrame(r *bytes.Reader, typeByte byte, hdr *wire.Header) (wire.Frame, error) { - var frame wire.Frame +func (u *packetUnpacker) Unpack(headerBinary []byte, hdr *wire.Header, data []byte) (*unpackedPacket, error) { + buf := *getPacketBuffer() + buf = buf[:0] + defer putPacketBuffer(&buf) + + var decrypted []byte + var encryptionLevel protocol.EncryptionLevel var err error - if typeByte&0x80 == 0x80 { - frame, err = wire.ParseStreamFrame(r, u.version) - if err != nil { - err = qerr.Error(qerr.InvalidStreamData, err.Error()) - } - return frame, err - } else if typeByte&0xc0 == 0x40 { - frame, err = wire.ParseAckFrame(r, u.version) - if err != nil { - err = qerr.Error(qerr.InvalidAckData, err.Error()) - } - return frame, err + if hdr.IsLongHeader { + decrypted, err = u.aead.OpenHandshake(buf, data, hdr.PacketNumber, headerBinary) + encryptionLevel = protocol.EncryptionUnencrypted + } else { + decrypted, err = u.aead.Open1RTT(buf, data, hdr.PacketNumber, headerBinary) + encryptionLevel = protocol.EncryptionForwardSecure } - switch typeByte { - case 0x1: - frame, err = wire.ParseRstStreamFrame(r, u.version) - if err != nil { - err = qerr.Error(qerr.InvalidRstStreamData, err.Error()) - } - case 0x2: - frame, err = wire.ParseConnectionCloseFrame(r, u.version) - if err != nil { - err = qerr.Error(qerr.InvalidConnectionCloseData, err.Error()) - } - case 0x3: - frame, err = wire.ParseGoawayFrame(r, u.version) - if err != nil { - err = qerr.Error(qerr.InvalidGoawayData, err.Error()) - } - case 0x4: - frame, err = wire.ParseWindowUpdateFrame(r, u.version) - if err != nil { - err = qerr.Error(qerr.InvalidWindowUpdateData, err.Error()) - } - case 0x5: - frame, err = wire.ParseBlockedFrameLegacy(r, u.version) - if err != nil { - err = qerr.Error(qerr.InvalidBlockedData, err.Error()) - } - case 0x6: - frame, err = wire.ParseStopWaitingFrame(r, hdr.PacketNumber, hdr.PacketNumberLen, u.version) - if err != nil { - err = qerr.Error(qerr.InvalidStopWaitingData, err.Error()) - } - case 0x7: - frame, err = wire.ParsePingFrame(r, u.version) - default: - err = qerr.Error(qerr.InvalidFrameData, fmt.Sprintf("unknown type byte 0x%x", typeByte)) + if err != nil { + // Wrap err in quicError so that public reset is sent by session + return nil, qerr.Error(qerr.DecryptionFailure, err.Error()) + } + + fs, err := u.parseFrames(decrypted, hdr) + if err != nil { + return nil, err } - return frame, err + + return &unpackedPacket{ + encryptionLevel: encryptionLevel, + frames: fs, + }, nil } diff --git a/vendor/github.com/lucas-clemente/quic-go/qerr/quic_error.go b/vendor/github.com/lucas-clemente/quic-go/qerr/quic_error.go index 9e1956fdc..42d08c4c5 100644 --- a/vendor/github.com/lucas-clemente/quic-go/qerr/quic_error.go +++ b/vendor/github.com/lucas-clemente/quic-go/qerr/quic_error.go @@ -2,8 +2,6 @@ package qerr import ( "fmt" - - "github.com/lucas-clemente/quic-go/internal/utils" ) // ErrorCode can be used as a normal error without reason. @@ -31,6 +29,7 @@ func (e *QuicError) Error() string { return fmt.Sprintf("%s: %s", e.ErrorCode.String(), e.ErrorMessage) } +// Timeout says if this error is a timeout. func (e *QuicError) Timeout() bool { switch e.ErrorCode { case NetworkIdleTimeout, @@ -50,6 +49,5 @@ func ToQuicError(err error) *QuicError { case ErrorCode: return Error(e, "") } - utils.Errorf("Internal error: %v", err) return Error(InternalError, err.Error()) } diff --git a/vendor/github.com/lucas-clemente/quic-go/receive_stream.go b/vendor/github.com/lucas-clemente/quic-go/receive_stream.go index 9ae216f6e..9fc158f1a 100644 --- a/vendor/github.com/lucas-clemente/quic-go/receive_stream.go +++ b/vendor/github.com/lucas-clemente/quic-go/receive_stream.go @@ -124,7 +124,7 @@ func (s *receiveStream) Read(p []byte) (int, error) { } else { select { case <-s.readChan: - case <-time.After(deadline.Sub(time.Now())): + case <-time.After(time.Until(deadline)): } } s.mutex.Lock() diff --git a/vendor/github.com/lucas-clemente/quic-go/send_stream.go b/vendor/github.com/lucas-clemente/quic-go/send_stream.go index 86aed1534..62ef44560 100644 --- a/vendor/github.com/lucas-clemente/quic-go/send_stream.go +++ b/vendor/github.com/lucas-clemente/quic-go/send_stream.go @@ -116,7 +116,7 @@ func (s *sendStream) Write(p []byte) (int, error) { } else { select { case <-s.writeChan: - case <-time.After(deadline.Sub(time.Now())): + case <-time.After(time.Until(deadline)): } } s.mutex.Lock() diff --git a/vendor/github.com/lucas-clemente/quic-go/server.go b/vendor/github.com/lucas-clemente/quic-go/server.go index dc23b8687..1e56f0b91 100644 --- a/vendor/github.com/lucas-clemente/quic-go/server.go +++ b/vendor/github.com/lucas-clemente/quic-go/server.go @@ -4,6 +4,7 @@ import ( "bytes" "crypto/tls" "errors" + "fmt" "net" "sync" "time" @@ -49,8 +50,10 @@ type server struct { errorChan chan struct{} // set as members, so they can be set in the tests - newSession func(conn connection, v protocol.VersionNumber, connectionID protocol.ConnectionID, sCfg *handshake.ServerConfig, tlsConf *tls.Config, config *Config) (packetHandler, error) + newSession func(conn connection, v protocol.VersionNumber, connectionID protocol.ConnectionID, sCfg *handshake.ServerConfig, tlsConf *tls.Config, config *Config, logger utils.Logger) (packetHandler, error) deleteClosedSessionsAfter time.Duration + + logger utils.Logger } var _ Listener = &server{} @@ -85,9 +88,12 @@ func Listen(conn net.PacketConn, tlsConf *tls.Config, config *Config) (Listener, } config = populateServerConfig(config) - // check if any of the supported versions supports TLS var supportsTLS bool for _, v := range config.Versions { + if !protocol.IsValidVersion(v) { + return nil, fmt.Errorf("%s is not a valid QUIC version", v) + } + // check if any of the supported versions supports TLS if v.UsesTLS() { supportsTLS = true break @@ -106,6 +112,7 @@ func Listen(conn net.PacketConn, tlsConf *tls.Config, config *Config) (Listener, sessionQueue: make(chan Session, 5), errorChan: make(chan struct{}), supportsTLS: supportsTLS, + logger: utils.DefaultLogger, } if supportsTLS { if err := s.setupTLS(); err != nil { @@ -113,16 +120,16 @@ func Listen(conn net.PacketConn, tlsConf *tls.Config, config *Config) (Listener, } } go s.serve() - utils.Debugf("Listening for %s connections on %s", conn.LocalAddr().Network(), conn.LocalAddr().String()) + s.logger.Debugf("Listening for %s connections on %s", conn.LocalAddr().Network(), conn.LocalAddr().String()) return s, nil } func (s *server) setupTLS() error { - cookieHandler, err := handshake.NewCookieHandler(s.config.AcceptCookie) + cookieHandler, err := handshake.NewCookieHandler(s.config.AcceptCookie, s.logger) if err != nil { return err } - serverTLS, sessionChan, err := newServerTLS(s.conn, s.config, cookieHandler, s.tlsConf) + serverTLS, sessionChan, err := newServerTLS(s.conn, s.config, cookieHandler, s.tlsConf, s.logger) if err != nil { return err } @@ -136,10 +143,11 @@ func (s *server) setupTLS() error { case tlsSession := <-sessionChan: connID := tlsSession.connID sess := tlsSession.sess + s.sessionsMutex.Lock() if _, ok := s.sessions[connID]; ok { // drop this session if it already exists - return + s.sessionsMutex.Unlock() + continue } - s.sessionsMutex.Lock() s.sessions[connID] = sess s.sessionsMutex.Unlock() s.runHandshakeAndSession(sess, connID) @@ -198,6 +206,18 @@ func populateServerConfig(config *Config) *Config { if maxReceiveConnectionFlowControlWindow == 0 { maxReceiveConnectionFlowControlWindow = protocol.DefaultMaxReceiveConnectionFlowControlWindowServer } + maxIncomingStreams := config.MaxIncomingStreams + if maxIncomingStreams == 0 { + maxIncomingStreams = protocol.DefaultMaxIncomingStreams + } else if maxIncomingStreams < 0 { + maxIncomingStreams = 0 + } + maxIncomingUniStreams := config.MaxIncomingUniStreams + if maxIncomingUniStreams == 0 { + maxIncomingUniStreams = protocol.DefaultMaxIncomingUniStreams + } else if maxIncomingUniStreams < 0 { + maxIncomingUniStreams = 0 + } return &Config{ Versions: versions, @@ -207,13 +227,15 @@ func populateServerConfig(config *Config) *Config { KeepAlive: config.KeepAlive, MaxReceiveStreamFlowControlWindow: maxReceiveStreamFlowControlWindow, MaxReceiveConnectionFlowControlWindow: maxReceiveConnectionFlowControlWindow, + MaxIncomingStreams: maxIncomingStreams, + MaxIncomingUniStreams: maxIncomingUniStreams, } } // serve listens on an existing PacketConn func (s *server) serve() { for { - data := getPacketBuffer() + data := *getPacketBuffer() data = data[:protocol.MaxReceivePacketSize] // The packet size should not exceed protocol.MaxReceivePacketSize bytes // If it does, we only read a truncated packet, which will then end up undecryptable @@ -226,7 +248,7 @@ func (s *server) serve() { } data = data[:n] if err := s.handlePacket(s.conn, remoteAddr, data); err != nil { - utils.Errorf("error handling packet: %s", err.Error()) + s.logger.Errorf("error handling packet: %s", err.Error()) } } } @@ -309,12 +331,12 @@ func (s *server) handlePacket(pconn net.PacketConn, remoteAddr net.Addr, packet var pr *wire.PublicReset pr, err = wire.ParsePublicReset(r) if err != nil { - utils.Infof("Received a Public Reset for connection %x. An error occurred parsing the packet.") + s.logger.Infof("Received a Public Reset for connection %x. An error occurred parsing the packet.", hdr.ConnectionID) } else { - utils.Infof("Received a Public Reset for connection %x, rejected packet number: 0x%x.", hdr.ConnectionID, pr.RejectedPacketNumber) + s.logger.Infof("Received a Public Reset for connection %x, rejected packet number: 0x%x.", hdr.ConnectionID, pr.RejectedPacketNumber) } } else { - utils.Infof("Received Public Reset for unknown connection %x.", hdr.ConnectionID) + s.logger.Infof("Received Public Reset for unknown connection %x.", hdr.ConnectionID) } return nil } @@ -341,7 +363,7 @@ func (s *server) handlePacket(pconn net.PacketConn, remoteAddr net.Addr, packet if len(packet) < protocol.MinClientHelloSize+len(hdr.Raw) { return errors.New("dropping small packet with unknown version") } - utils.Infof("Client offered version %s, sending Version Negotiation Packet", hdr.Version) + s.logger.Infof("Client offered version %s, sending Version Negotiation Packet", hdr.Version) _, err := pconn.WriteTo(wire.ComposeGQUICVersionNegotiation(hdr.ConnectionID, s.config.Versions), remoteAddr) return err } @@ -358,7 +380,7 @@ func (s *server) handlePacket(pconn net.PacketConn, remoteAddr net.Addr, packet return errors.New("Server BUG: negotiated version not supported") } - utils.Infof("Serving new connection: %x, version %s from %v", hdr.ConnectionID, version, remoteAddr) + s.logger.Infof("Serving new connection: %x, version %s from %v", hdr.ConnectionID, version, remoteAddr) session, err = s.newSession( &conn{pconn: pconn, currentAddr: remoteAddr}, version, @@ -366,6 +388,7 @@ func (s *server) handlePacket(pconn net.PacketConn, remoteAddr net.Addr, packet s.scfg, s.tlsConf, s.config, + s.logger, ) if err != nil { return err diff --git a/vendor/github.com/lucas-clemente/quic-go/server_tls.go b/vendor/github.com/lucas-clemente/quic-go/server_tls.go index 5f270e349..9f3874090 100644 --- a/vendor/github.com/lucas-clemente/quic-go/server_tls.go +++ b/vendor/github.com/lucas-clemente/quic-go/server_tls.go @@ -21,9 +21,12 @@ type nullAEAD struct { var _ quicAEAD = &nullAEAD{} -func (n *nullAEAD) Open(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, protocol.EncryptionLevel, error) { - data, err := n.aead.Open(dst, src, packetNumber, associatedData) - return data, protocol.EncryptionUnencrypted, err +func (n *nullAEAD) OpenHandshake(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, error) { + return n.aead.Open(dst, src, packetNumber, associatedData) +} + +func (n *nullAEAD) Open1RTT(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, error) { + return nil, errors.New("no 1-RTT keys") } type tlsSession struct { @@ -36,11 +39,12 @@ type serverTLS struct { config *Config supportedVersions []protocol.VersionNumber mintConf *mint.Config - cookieProtector mint.CookieProtector params *handshake.TransportParameters newMintConn func(*handshake.CryptoStreamConn, protocol.VersionNumber) (handshake.MintTLS, <-chan handshake.TransportParameters, error) sessionChan chan<- tlsSession + + logger utils.Logger } func newServerTLS( @@ -48,6 +52,7 @@ func newServerTLS( config *Config, cookieHandler *handshake.CookieHandler, tlsConf *tls.Config, + logger utils.Logger, ) (*serverTLS, <-chan tlsSession, error) { mconf, err := tlsToMintConfig(tlsConf, protocol.PerspectiveServer) if err != nil { @@ -72,20 +77,20 @@ func newServerTLS( StreamFlowControlWindow: protocol.ReceiveStreamFlowControlWindow, ConnectionFlowControlWindow: protocol.ReceiveConnectionFlowControlWindow, IdleTimeout: config.IdleTimeout, - // TODO(#523): make these values configurable - MaxBidiStreamID: protocol.MaxBidiStreamID(protocol.MaxIncomingStreams, protocol.PerspectiveServer), - MaxUniStreamID: protocol.MaxUniStreamID(protocol.MaxIncomingStreams, protocol.PerspectiveServer), + MaxBidiStreams: uint16(config.MaxIncomingStreams), + MaxUniStreams: uint16(config.MaxIncomingUniStreams), }, + logger: logger, } s.newMintConn = s.newMintConnImpl return s, sessionChan, nil } func (s *serverTLS) HandleInitial(remoteAddr net.Addr, hdr *wire.Header, data []byte) { - utils.Debugf("Received a Packet. Handling it statelessly.") + s.logger.Debugf("Received a Packet. Handling it statelessly.") sess, err := s.handleInitialImpl(remoteAddr, hdr, data) if err != nil { - utils.Errorf("Error occured handling initial packet: %s", err) + s.logger.Errorf("Error occurred handling initial packet: %s", err) return } if sess == nil { // a stateless reset was done @@ -99,7 +104,7 @@ func (s *serverTLS) HandleInitial(remoteAddr net.Addr, hdr *wire.Header, data [] // will be set to s.newMintConn by the constructor func (s *serverTLS) newMintConnImpl(bc *handshake.CryptoStreamConn, v protocol.VersionNumber) (handshake.MintTLS, <-chan handshake.TransportParameters, error) { - extHandler := handshake.NewExtensionHandlerServer(s.params, s.config.Versions, v) + extHandler := handshake.NewExtensionHandlerServer(s.params, s.config.Versions, v, s.logger) conf := s.mintConf.Clone() conf.ExtensionHandler = extHandler return newMintController(bc, conf, protocol.PerspectiveServer), extHandler.GetPeerParams(), nil @@ -117,7 +122,7 @@ func (s *serverTLS) sendConnectionClose(remoteAddr net.Addr, clientHdr *wire.Hea PacketNumber: 1, // random packet number Version: clientHdr.Version, } - data, err := packUnencryptedPacket(aead, replyHdr, ccf, protocol.PerspectiveServer) + data, err := packUnencryptedPacket(aead, replyHdr, ccf, protocol.PerspectiveServer, s.logger) if err != nil { return err } @@ -131,8 +136,8 @@ func (s *serverTLS) handleInitialImpl(remoteAddr net.Addr, hdr *wire.Header, dat } // check version, if not matching send VNP if !protocol.IsSupportedVersion(s.supportedVersions, hdr.Version) { - utils.Debugf("Client offered version %s, sending VersionNegotiationPacket", hdr.Version) - _, err := s.conn.WriteTo(wire.ComposeVersionNegotiation(hdr.ConnectionID, hdr.PacketNumber, s.supportedVersions), remoteAddr) + s.logger.Debugf("Client offered version %s, sending VersionNegotiationPacket", hdr.Version) + _, err := s.conn.WriteTo(wire.ComposeVersionNegotiation(hdr.ConnectionID, s.supportedVersions), remoteAddr) return nil, err } @@ -141,15 +146,15 @@ func (s *serverTLS) handleInitialImpl(remoteAddr net.Addr, hdr *wire.Header, dat if err != nil { return nil, err } - frame, err := unpackInitialPacket(aead, hdr, data, hdr.Version) + frame, err := unpackInitialPacket(aead, hdr, data, s.logger, hdr.Version) if err != nil { - utils.Debugf("Error unpacking initial packet: %s", err) + s.logger.Debugf("Error unpacking initial packet: %s", err) return nil, nil } sess, err := s.handleUnpackedInitial(remoteAddr, hdr, frame, aead) if err != nil { if ccerr := s.sendConnectionClose(remoteAddr, hdr, aead, err); ccerr != nil { - utils.Debugf("Error sending CONNECTION_CLOSE: ", ccerr) + s.logger.Debugf("Error sending CONNECTION_CLOSE: %s", ccerr) } return nil, err } @@ -179,7 +184,7 @@ func (s *serverTLS) handleUnpackedInitial(remoteAddr net.Addr, hdr *wire.Header, StreamID: version.CryptoStreamID(), Data: bc.GetDataForWriting(), } - data, err := packUnencryptedPacket(aead, replyHdr, f, protocol.PerspectiveServer) + data, err := packUnencryptedPacket(aead, replyHdr, f, protocol.PerspectiveServer, s.logger) if err != nil { return nil, err } @@ -209,6 +214,7 @@ func (s *serverTLS) handleUnpackedInitial(remoteAddr net.Addr, hdr *wire.Header, aead, ¶ms, version, + s.logger, ) if err != nil { return nil, err diff --git a/vendor/github.com/lucas-clemente/quic-go/session.go b/vendor/github.com/lucas-clemente/quic-go/session.go index 49c616511..ed73637ce 100644 --- a/vendor/github.com/lucas-clemente/quic-go/session.go +++ b/vendor/github.com/lucas-clemente/quic-go/session.go @@ -2,6 +2,7 @@ package quic import ( "context" + "crypto/rand" "crypto/tls" "errors" "fmt" @@ -33,14 +34,22 @@ type streamManager interface { GetOrOpenSendStream(protocol.StreamID) (sendStreamI, error) GetOrOpenReceiveStream(protocol.StreamID) (receiveStreamI, error) OpenStream() (Stream, error) + OpenUniStream() (SendStream, error) OpenStreamSync() (Stream, error) + OpenUniStreamSync() (SendStream, error) AcceptStream() (Stream, error) + AcceptUniStream() (ReceiveStream, error) DeleteStream(protocol.StreamID) error UpdateLimits(*handshake.TransportParameters) HandleMaxStreamIDFrame(*wire.MaxStreamIDFrame) error CloseWithError(error) } +type cryptoStreamHandler interface { + HandleCryptoStream() error + ConnectionState() handshake.ConnectionState +} + type receivedPacket struct { remoteAddr net.Addr header *wire.Header @@ -81,7 +90,8 @@ type session struct { unpacker unpacker packer *packetPacker - cryptoSetup handshake.CryptoSetup + cryptoStreamHandler cryptoStreamHandler + divNonceChan chan<- []byte // only set for the client receivedPackets chan *receivedPacket sendingScheduled chan struct{} @@ -108,7 +118,9 @@ type session struct { handshakeChan chan error handshakeComplete bool - lastRcvdPacketNumber protocol.PacketNumber + receivedFirstPacket bool // since packet numbers start at 0, we can't use largestRcvdPacketNumber != 0 for this + receivedFirstForwardSecurePacket bool + lastRcvdPacketNumber protocol.PacketNumber // Used to calculate the next packet number from the truncated wire // representation, and sent back in public reset packets largestRcvdPacketNumber protocol.PacketNumber @@ -124,6 +136,8 @@ type session struct { // keepAlivePingSent stores whether a Ping frame was sent to the peer or not // it is reset as soon as we receive a packet from the peer keepAlivePingSent bool + + logger utils.Logger } var _ Session = &session{} @@ -137,6 +151,7 @@ func newSession( scfg *handshake.ServerConfig, tlsConf *tls.Config, config *Config, + logger utils.Logger, ) (packetHandler, error) { paramsChan := make(chan handshake.TransportParameters) handshakeEvent := make(chan struct{}, 1) @@ -148,31 +163,51 @@ func newSession( config: config, handshakeEvent: handshakeEvent, paramsChan: paramsChan, + logger: logger, } s.preSetup() transportParams := &handshake.TransportParameters{ StreamFlowControlWindow: protocol.ReceiveStreamFlowControlWindow, ConnectionFlowControlWindow: protocol.ReceiveConnectionFlowControlWindow, - MaxStreams: protocol.MaxIncomingStreams, + MaxStreams: uint32(s.config.MaxIncomingStreams), IdleTimeout: s.config.IdleTimeout, } + divNonce := make([]byte, 32) + if _, err := rand.Read(divNonce); err != nil { + return nil, err + } cs, err := newCryptoSetup( s.cryptoStream, s.connectionID, s.conn.RemoteAddr(), s.version, + divNonce, scfg, transportParams, s.config.Versions, s.config.AcceptCookie, paramsChan, handshakeEvent, + s.logger, ) if err != nil { return nil, err } - s.cryptoSetup = cs - return s, s.postSetup(1) + s.cryptoStreamHandler = cs + s.unpacker = newPacketUnpackerGQUIC(cs, s.version) + s.streamsMap = newStreamsMapLegacy(s.newStream, s.config.MaxIncomingStreams, s.perspective) + s.streamFramer = newStreamFramer(s.cryptoStream, s.streamsMap, s.version) + s.packer = newPacketPacker(s.connectionID, + 1, + s.sentPacketHandler.GetPacketNumberLen, + s.RemoteAddr(), + divNonce, + cs, + s.streamFramer, + s.perspective, + s.version, + ) + return s, s.postSetup() } // declare this as a variable, so that we can it mock it in the tests @@ -184,7 +219,8 @@ var newClientSession = func( tlsConf *tls.Config, config *Config, initialVersion protocol.VersionNumber, - negotiatedVersions []protocol.VersionNumber, // needed for validation of the GQUIC version negotiaton + negotiatedVersions []protocol.VersionNumber, // needed for validation of the GQUIC version negotiation + logger utils.Logger, ) (packetHandler, error) { paramsChan := make(chan handshake.TransportParameters) handshakeEvent := make(chan struct{}, 1) @@ -196,16 +232,17 @@ var newClientSession = func( config: config, handshakeEvent: handshakeEvent, paramsChan: paramsChan, + logger: logger, } s.preSetup() transportParams := &handshake.TransportParameters{ StreamFlowControlWindow: protocol.ReceiveStreamFlowControlWindow, ConnectionFlowControlWindow: protocol.ReceiveConnectionFlowControlWindow, - MaxStreams: protocol.MaxIncomingStreams, + MaxStreams: uint32(s.config.MaxIncomingStreams), IdleTimeout: s.config.IdleTimeout, OmitConnectionID: s.config.RequestConnectionIDOmission, } - cs, err := newCryptoSetupClient( + cs, divNonceChan, err := newCryptoSetupClient( s.cryptoStream, hostname, s.connectionID, @@ -216,12 +253,27 @@ var newClientSession = func( handshakeEvent, initialVersion, negotiatedVersions, + s.logger, ) if err != nil { return nil, err } - s.cryptoSetup = cs - return s, s.postSetup(1) + s.cryptoStreamHandler = cs + s.divNonceChan = divNonceChan + s.unpacker = newPacketUnpackerGQUIC(cs, s.version) + s.streamsMap = newStreamsMapLegacy(s.newStream, s.config.MaxIncomingStreams, s.perspective) + s.streamFramer = newStreamFramer(s.cryptoStream, s.streamsMap, s.version) + s.packer = newPacketPacker(s.connectionID, + 1, + s.sentPacketHandler.GetPacketNumberLen, + s.RemoteAddr(), + nil, // no diversification nonce + cs, + s.streamFramer, + s.perspective, + s.version, + ) + return s, s.postSetup() } func newTLSServerSession( @@ -234,6 +286,7 @@ func newTLSServerSession( nullAEAD crypto.AEAD, peerParams *handshake.TransportParameters, v protocol.VersionNumber, + logger utils.Logger, ) (packetHandler, error) { handshakeEvent := make(chan struct{}, 1) s := &session{ @@ -243,21 +296,35 @@ func newTLSServerSession( perspective: protocol.PerspectiveServer, version: v, handshakeEvent: handshakeEvent, + logger: logger, } s.preSetup() - s.cryptoSetup = handshake.NewCryptoSetupTLSServer( + cs := handshake.NewCryptoSetupTLSServer( tls, cryptoStreamConn, nullAEAD, handshakeEvent, v, ) - if err := s.postSetup(initialPacketNumber); err != nil { + s.cryptoStreamHandler = cs + s.streamsMap = newStreamsMap(s, s.newFlowController, s.config.MaxIncomingStreams, s.config.MaxIncomingUniStreams, s.perspective, s.version) + s.streamFramer = newStreamFramer(s.cryptoStream, s.streamsMap, s.version) + s.packer = newPacketPacker(s.connectionID, + initialPacketNumber, + s.sentPacketHandler.GetPacketNumberLen, + s.RemoteAddr(), + nil, // no diversification nonce + cs, + s.streamFramer, + s.perspective, + s.version, + ) + if err := s.postSetup(); err != nil { return nil, err } s.peerParams = peerParams s.processTransportParameters(peerParams) - s.unpacker = &packetUnpacker{aead: s.cryptoSetup, version: s.version} + s.unpacker = newPacketUnpacker(cs, s.version) return s, nil } @@ -271,6 +338,7 @@ var newTLSClientSession = func( tls handshake.MintTLS, paramsChan <-chan handshake.TransportParameters, initialPacketNumber protocol.PacketNumber, + logger utils.Logger, ) (packetHandler, error) { handshakeEvent := make(chan struct{}, 1) s := &session{ @@ -281,6 +349,7 @@ var newTLSClientSession = func( version: v, handshakeEvent: handshakeEvent, paramsChan: paramsChan, + logger: logger, } s.preSetup() tls.SetCryptoStream(s.cryptoStream) @@ -295,21 +364,36 @@ var newTLSClientSession = func( if err != nil { return nil, err } - s.cryptoSetup = cs - return s, s.postSetup(initialPacketNumber) + s.cryptoStreamHandler = cs + s.unpacker = newPacketUnpacker(cs, s.version) + s.streamsMap = newStreamsMap(s, s.newFlowController, s.config.MaxIncomingStreams, s.config.MaxIncomingUniStreams, s.perspective, s.version) + s.streamFramer = newStreamFramer(s.cryptoStream, s.streamsMap, s.version) + s.packer = newPacketPacker(s.connectionID, + initialPacketNumber, + s.sentPacketHandler.GetPacketNumberLen, + s.RemoteAddr(), + nil, // no diversification nonce + cs, + s.streamFramer, + s.perspective, + s.version, + ) + return s, s.postSetup() } func (s *session) preSetup() { s.rttStats = &congestion.RTTStats{} + s.sentPacketHandler = ackhandler.NewSentPacketHandler(s.rttStats, s.logger) s.connFlowController = flowcontrol.NewConnectionFlowController( protocol.ReceiveConnectionFlowControlWindow, protocol.ByteCount(s.config.MaxReceiveConnectionFlowControlWindow), s.rttStats, + s.logger, ) s.cryptoStream = s.newCryptoStream() } -func (s *session) postSetup(initialPacketNumber protocol.PacketNumber) error { +func (s *session) postSetup() error { s.handshakeChan = make(chan error, 1) s.receivedPackets = make(chan *receivedPacket, protocol.MaxSessionUnprocessedPackets) s.closeChan = make(chan closeError, 1) @@ -322,24 +406,8 @@ func (s *session) postSetup(initialPacketNumber protocol.PacketNumber) error { s.lastNetworkActivityTime = now s.sessionCreationTime = now - s.sentPacketHandler = ackhandler.NewSentPacketHandler(s.rttStats) - s.receivedPacketHandler = ackhandler.NewReceivedPacketHandler(s.version) - - if s.version.UsesTLS() { - s.streamsMap = newStreamsMap(s, s.newFlowController, s.perspective, s.version) - } else { - s.streamsMap = newStreamsMapLegacy(s.newStream, s.perspective) - } - s.streamFramer = newStreamFramer(s.cryptoStream, s.streamsMap, s.version) - s.packer = newPacketPacker(s.connectionID, - initialPacketNumber, - s.cryptoSetup, - s.streamFramer, - s.perspective, - s.version, - ) + s.receivedPacketHandler = ackhandler.NewReceivedPacketHandler(s.rttStats, s.version) s.windowUpdateQueue = newWindowUpdateQueue(s.streamsMap, s.cryptoStream, s.packer.QueueControlFrame) - s.unpacker = &packetUnpacker{aead: s.cryptoSetup, version: s.version} return nil } @@ -348,13 +416,12 @@ func (s *session) run() error { defer s.ctxCancel() go func() { - if err := s.cryptoSetup.HandleCryptoStream(); err != nil { + if err := s.cryptoStreamHandler.HandleCryptoStream(); err != nil { s.Close(err) } }() var closeErr closeError - handshakeEvent := s.handshakeEvent runLoop: for { @@ -363,6 +430,9 @@ runLoop: select { case closeErr = <-s.closeChan: break runLoop + case _, ok := <-s.handshakeEvent: + // when the handshake is completed, the channel will be closed + s.handleHandshakeEvent(!ok) default: } @@ -390,31 +460,21 @@ runLoop: } // This is a bit unclean, but works properly, since the packet always // begins with the public header and we never copy it. - putPacketBuffer(p.header.Raw) + putPacketBuffer(&p.header.Raw) case p := <-s.paramsChan: s.processTransportParameters(&p) - case _, ok := <-handshakeEvent: - if !ok { // the aeadChanged chan was closed. This means that the handshake is completed. - s.handshakeComplete = true - handshakeEvent = nil // prevent this case from ever being selected again - s.sentPacketHandler.SetHandshakeComplete() - if !s.version.UsesTLS() && s.perspective == protocol.PerspectiveClient { - // In gQUIC, there's no equivalent to the Finished message in TLS - // The server knows that the handshake is complete when it receives the first forward-secure packet sent by the client. - // We need to make sure that the client actually sends such a packet. - s.packer.QueueControlFrame(&wire.PingFrame{}) - } - close(s.handshakeChan) - } else { - s.tryDecryptingQueuedPackets() - } + case _, ok := <-s.handshakeEvent: + // when the handshake is completed, the channel will be closed + s.handleHandshakeEvent(!ok) } now := time.Now() if timeout := s.sentPacketHandler.GetAlarmTimeout(); !timeout.IsZero() && timeout.Before(now) { - // This could cause packets to be retransmitted, so check it before trying - // to send packets. - s.sentPacketHandler.OnAlarm() + // This could cause packets to be retransmitted. + // Check it before trying to send packets. + if err := s.sentPacketHandler.OnAlarm(); err != nil { + s.closeLocal(err) + } } var pacingDeadline time.Time @@ -462,7 +522,7 @@ func (s *session) Context() context.Context { } func (s *session) ConnectionState() ConnectionState { - return s.cryptoSetup.ConnectionState() + return s.cryptoStreamHandler.ConnectionState() } func (s *session) maybeResetTimer() { @@ -493,11 +553,27 @@ func (s *session) maybeResetTimer() { s.timer.Reset(deadline) } +func (s *session) handleHandshakeEvent(completed bool) { + if !completed { + s.tryDecryptingQueuedPackets() + return + } + s.handshakeComplete = true + s.handshakeEvent = nil // prevent this case from ever being selected again + if !s.version.UsesTLS() && s.perspective == protocol.PerspectiveClient { + // In gQUIC, there's no equivalent to the Finished message in TLS + // The server knows that the handshake is complete when it receives the first forward-secure packet sent by the client. + // We need to make sure that the client actually sends such a packet. + s.packer.QueueControlFrame(&wire.PingFrame{}) + s.scheduleSending() + } + close(s.handshakeChan) +} + func (s *session) handlePacketImpl(p *receivedPacket) error { if s.perspective == protocol.PerspectiveClient { - diversificationNonce := p.header.DiversificationNonce - if len(diversificationNonce) > 0 { - s.cryptoSetup.SetDiversificationNonce(diversificationNonce) + if divNonce := p.header.DiversificationNonce; len(divNonce) > 0 { + s.divNonceChan <- divNonce } } @@ -506,6 +582,7 @@ func (s *session) handlePacketImpl(p *receivedPacket) error { p.rcvTime = time.Now() } + s.receivedFirstPacket = true s.lastNetworkActivityTime = p.rcvTime s.keepAlivePingSent = false hdr := p.header @@ -519,26 +596,39 @@ func (s *session) handlePacketImpl(p *receivedPacket) error { ) packet, err := s.unpacker.Unpack(hdr.Raw, hdr, data) - if utils.Debug() { + if s.logger.Debug() { if err != nil { - utils.Debugf("<- Reading packet 0x%x (%d bytes) for connection %x", hdr.PacketNumber, len(data)+len(hdr.Raw), hdr.ConnectionID) + s.logger.Debugf("<- Reading packet 0x%x (%d bytes) for connection %x", hdr.PacketNumber, len(data)+len(hdr.Raw), hdr.ConnectionID) } else { - utils.Debugf("<- Reading packet 0x%x (%d bytes) for connection %x, %s", hdr.PacketNumber, len(data)+len(hdr.Raw), hdr.ConnectionID, packet.encryptionLevel) + s.logger.Debugf("<- Reading packet 0x%x (%d bytes) for connection %x, %s", hdr.PacketNumber, len(data)+len(hdr.Raw), hdr.ConnectionID, packet.encryptionLevel) } - hdr.Log() + hdr.Log(s.logger) } // if the decryption failed, this might be a packet sent by an attacker if err != nil { return err } + // In TLS 1.3, the client considers the handshake complete as soon as + // it received the server's Finished message and sent its Finished. + // We have to wait for the first forward-secure packet from the server before + // deleting all handshake packets from the history. + if !s.receivedFirstForwardSecurePacket && packet.encryptionLevel == protocol.EncryptionForwardSecure { + s.receivedFirstForwardSecurePacket = true + s.sentPacketHandler.SetHandshakeComplete() + } + s.lastRcvdPacketNumber = hdr.PacketNumber // Only do this after decrypting, so we are sure the packet is not attacker-controlled s.largestRcvdPacketNumber = utils.MaxPacketNumber(s.largestRcvdPacketNumber, hdr.PacketNumber) - isRetransmittable := ackhandler.HasRetransmittableFrames(packet.frames) - if err = s.receivedPacketHandler.ReceivedPacket(hdr.PacketNumber, p.rcvTime, isRetransmittable); err != nil { - return err + // If this is a Retry packet, there's no need to send an ACK. + // The session will be closed and recreated as soon as the crypto setup processed the HRR. + if hdr.Type != protocol.PacketTypeRetry { + isRetransmittable := ackhandler.HasRetransmittableFrames(packet.frames) + if err := s.receivedPacketHandler.ReceivedPacket(hdr.PacketNumber, p.rcvTime, isRetransmittable); err != nil { + return err + } } return s.handleFrames(packet.frames, packet.encryptionLevel) @@ -547,10 +637,10 @@ func (s *session) handlePacketImpl(p *receivedPacket) error { func (s *session) handleFrames(fs []wire.Frame, encLevel protocol.EncryptionLevel) error { for _, ff := range fs { var err error - wire.LogFrame(ff, false) + wire.LogFrame(s.logger, ff, false) switch frame := ff.(type) { case *wire.StreamFrame: - err = s.handleStreamFrame(frame) + err = s.handleStreamFrame(frame, encLevel) case *wire.AckFrame: err = s.handleAckFrame(frame, encLevel) case *wire.ConnectionCloseFrame: @@ -577,12 +667,7 @@ func (s *session) handleFrames(fs []wire.Frame, encLevel protocol.EncryptionLeve } if err != nil { - switch err { - case ackhandler.ErrDuplicateOrOutOfOrderAck: - // Can happen e.g. when packets thought missing arrive late - default: - return err - } + return err } } return nil @@ -598,12 +683,14 @@ func (s *session) handlePacket(p *receivedPacket) { } } -func (s *session) handleStreamFrame(frame *wire.StreamFrame) error { +func (s *session) handleStreamFrame(frame *wire.StreamFrame, encLevel protocol.EncryptionLevel) error { if frame.StreamID == s.version.CryptoStreamID() { if frame.FinBit { return errors.New("Received STREAM frame with FIN bit for the crypto stream") } return s.cryptoStream.handleStreamFrame(frame) + } else if encLevel <= protocol.EncryptionUnencrypted { + return qerr.Error(qerr.UnencryptedStreamData, fmt.Sprintf("received unencrypted stream data on stream %d", frame.StreamID)) } str, err := s.streamsMap.GetOrOpenReceiveStream(frame.StreamID) if err != nil { @@ -713,9 +800,9 @@ func (s *session) handleCloseError(closeErr closeError) error { } // Don't log 'normal' reasons if quicErr.ErrorCode == qerr.PeerGoingAway || quicErr.ErrorCode == qerr.NetworkIdleTimeout { - utils.Infof("Closing connection %x", s.connectionID) + s.logger.Infof("Closing connection %x", s.connectionID) } else { - utils.Errorf("Closing session with error: %s", closeErr.err.Error()) + s.logger.Errorf("Closing session with error: %s", closeErr.err.Error()) } s.cryptoStream.closeForShutdown(quicErr) @@ -744,6 +831,9 @@ func (s *session) processTransportParameters(params *handshake.TransportParamete if params.OmitConnectionID { s.packer.SetOmitConnectionID() } + if params.MaxPacketSize != 0 { + s.packer.SetMaxPacketSize(params.MaxPacketSize) + } s.connFlowController.UpdateSendWindow(params.ConnectionFlowControlWindow) // the crypto stream is the only open stream at this moment // so we don't need to update stream flow control windows @@ -751,23 +841,75 @@ func (s *session) processTransportParameters(params *handshake.TransportParamete func (s *session) sendPackets() error { s.pacingDeadline = time.Time{} - if !s.sentPacketHandler.SendingAllowed() { // if congestion limited, at least try sending an ACK frame - return s.maybeSendAckOnlyPacket() + + sendMode := s.sentPacketHandler.SendMode() + if sendMode == ackhandler.SendNone { // shortcut: return immediately if there's nothing to send + return nil } + numPackets := s.sentPacketHandler.ShouldSendNumPackets() - for i := 0; i < numPackets; i++ { - sentPacket, err := s.sendPacket() - if err != nil { - return err + var numPacketsSent int +sendLoop: + for { + switch sendMode { + case ackhandler.SendNone: + break sendLoop + case ackhandler.SendAck: + // We can at most send a single ACK only packet. + // There will only be a new ACK after receiving new packets. + // SendAck is only returned when we're congestion limited, so we don't need to set the pacingt timer. + return s.maybeSendAckOnlyPacket() + case ackhandler.SendRTO: + // try to send a retransmission first + sentPacket, err := s.maybeSendRetransmission() + if err != nil { + return err + } + if !sentPacket { + // In RTO mode, a probe packet has to be sent. + // Add a PING frame to make sure a (retransmittable) packet will be sent. + s.queueControlFrame(&wire.PingFrame{}) + sentPacket, err := s.sendPacket() + if err != nil { + return err + } + if !sentPacket { + return errors.New("session BUG: expected a packet to be sent in RTO mode") + } + } + numPacketsSent++ + case ackhandler.SendRetransmission: + sentPacket, err := s.maybeSendRetransmission() + if err != nil { + return err + } + if sentPacket { + numPacketsSent++ + // This can happen if a retransmission queued, but it wasn't necessary to send it. + // e.g. when an Initial is queued, but we already received a packet from the server. + } + case ackhandler.SendAny: + sentPacket, err := s.sendPacket() + if err != nil { + return err + } + if !sentPacket { + break sendLoop + } + numPacketsSent++ + default: + return fmt.Errorf("BUG: invalid send mode %d", sendMode) } - // If no packet was sent, or we're congestion limit, we're done here. - if !sentPacket || !s.sentPacketHandler.SendingAllowed() { - return nil + if numPacketsSent >= numPackets { + break } + sendMode = s.sentPacketHandler.SendMode() } // Only start the pacing timer if we sent as many packets as we were allowed. // There will probably be more to send when calling sendPacket again. - s.pacingDeadline = s.sentPacketHandler.TimeUntilSend() + if numPacketsSent == numPackets { + s.pacingDeadline = s.sentPacketHandler.TimeUntilSend() + } return nil } @@ -778,7 +920,7 @@ func (s *session) maybeSendAckOnlyPacket() error { } s.packer.QueueControlFrame(ack) - if !s.version.UsesIETFFrameFormat() { // for gQUIC, maybe add a STOP_WAITING + if s.version.UsesStopWaitingFrames() { // for gQUIC, maybe add a STOP_WAITING if swf := s.sentPacketHandler.GetStopWaitingFrame(false); swf != nil { s.packer.QueueControlFrame(swf) } @@ -787,12 +929,57 @@ func (s *session) maybeSendAckOnlyPacket() error { if err != nil { return err } + s.sentPacketHandler.SentPacket(packet.ToAckHandlerPacket()) return s.sendPackedPacket(packet) } -func (s *session) sendPacket() (bool, error) { - s.packer.SetLeastUnacked(s.sentPacketHandler.GetLeastUnacked()) +// maybeSendRetransmission sends retransmissions for at most one packet. +// It takes care that Initials aren't retransmitted, if a packet from the server was already received. +func (s *session) maybeSendRetransmission() (bool, error) { + var retransmitPacket *ackhandler.Packet + for { + retransmitPacket = s.sentPacketHandler.DequeuePacketForRetransmission() + if retransmitPacket == nil { + return false, nil + } + + // Don't retransmit Initial packets if we already received a response. + // An Initial might have been retransmitted multiple times before we receive a response. + // As soon as we receive one response, we don't need to send any more Initials. + if s.receivedFirstPacket && retransmitPacket.PacketType == protocol.PacketTypeInitial { + s.logger.Debugf("Skipping retransmission of packet %d. Already received a response to an Initial.", retransmitPacket.PacketNumber) + continue + } + break + } + + if retransmitPacket.EncryptionLevel != protocol.EncryptionForwardSecure { + s.logger.Debugf("\tDequeueing handshake retransmission for packet 0x%x", retransmitPacket.PacketNumber) + } else { + s.logger.Debugf("\tDequeueing retransmission for packet 0x%x", retransmitPacket.PacketNumber) + } + if s.version.UsesStopWaitingFrames() { + s.packer.QueueControlFrame(s.sentPacketHandler.GetStopWaitingFrame(true)) + } + packets, err := s.packer.PackRetransmission(retransmitPacket) + if err != nil { + return false, err + } + ackhandlerPackets := make([]*ackhandler.Packet, len(packets)) + for i, packet := range packets { + ackhandlerPackets[i] = packet.ToAckHandlerPacket() + } + s.sentPacketHandler.SentPacketsAsRetransmission(ackhandlerPackets, retransmitPacket.PacketNumber) + for _, packet := range packets { + if err := s.sendPackedPacket(packet); err != nil { + return false, err + } + } + return true, nil +} + +func (s *session) sendPacket() (bool, error) { if offset := s.connFlowController.GetWindowUpdate(); offset != 0 { s.packer.QueueControlFrame(&wire.MaxDataFrame{ByteOffset: offset}) } @@ -801,58 +988,20 @@ func (s *session) sendPacket() (bool, error) { } s.windowUpdateQueue.QueueAll() - ack := s.receivedPacketHandler.GetAckFrame() - if ack != nil { + if ack := s.receivedPacketHandler.GetAckFrame(); ack != nil { s.packer.QueueControlFrame(ack) - } - - // check for retransmissions first - for { - retransmitPacket := s.sentPacketHandler.DequeuePacketForRetransmission() - if retransmitPacket == nil { - break - } - - // retransmit handshake packets - if retransmitPacket.EncryptionLevel != protocol.EncryptionForwardSecure { - utils.Debugf("\tDequeueing handshake retransmission for packet 0x%x", retransmitPacket.PacketNumber) - if !s.version.UsesIETFFrameFormat() { - s.packer.QueueControlFrame(s.sentPacketHandler.GetStopWaitingFrame(true)) - } - packet, err := s.packer.PackHandshakeRetransmission(retransmitPacket) - if err != nil { - return false, err - } - if err := s.sendPackedPacket(packet); err != nil { - return false, err - } - return true, nil - } - - // queue all retransmittable frames sent in forward-secure packets - utils.Debugf("\tDequeueing retransmission for packet 0x%x", retransmitPacket.PacketNumber) - // resend the frames that were in the packet - for _, frame := range retransmitPacket.GetFramesForRetransmission() { - // TODO: only retransmit WINDOW_UPDATEs if they actually enlarge the window - switch f := frame.(type) { - case *wire.StreamFrame: - s.streamFramer.AddFrameForRetransmission(f) - default: - s.packer.QueueControlFrame(frame) + if s.version.UsesStopWaitingFrames() { + if swf := s.sentPacketHandler.GetStopWaitingFrame(false); swf != nil { + s.packer.QueueControlFrame(swf) } } } - hasRetransmission := s.streamFramer.HasFramesForRetransmission() - if !s.version.UsesIETFFrameFormat() && (ack != nil || hasRetransmission) { - if swf := s.sentPacketHandler.GetStopWaitingFrame(hasRetransmission); swf != nil { - s.packer.QueueControlFrame(swf) - } - } packet, err := s.packer.PackPacket() if err != nil || packet == nil { return false, err } + s.sentPacketHandler.SentPacket(packet.ToAckHandlerPacket()) if err := s.sendPackedPacket(packet); err != nil { return false, err } @@ -860,22 +1009,12 @@ func (s *session) sendPacket() (bool, error) { } func (s *session) sendPackedPacket(packet *packedPacket) error { - defer putPacketBuffer(packet.raw) - err := s.sentPacketHandler.SentPacket(&ackhandler.Packet{ - PacketNumber: packet.header.PacketNumber, - Frames: packet.frames, - Length: protocol.ByteCount(len(packet.raw)), - EncryptionLevel: packet.encryptionLevel, - }) - if err != nil { - return err - } + defer putPacketBuffer(&packet.raw) s.logPacket(packet) return s.conn.Write(packet.raw) } func (s *session) sendConnectionClose(quicErr *qerr.QuicError) error { - s.packer.SetLeastUnacked(s.sentPacketHandler.GetLeastUnacked()) packet, err := s.packer.PackConnectionClose(&wire.ConnectionCloseFrame{ ErrorCode: quicErr.ErrorCode, ReasonPhrase: quicErr.ErrorMessage, @@ -888,14 +1027,14 @@ func (s *session) sendConnectionClose(quicErr *qerr.QuicError) error { } func (s *session) logPacket(packet *packedPacket) { - if !utils.Debug() { + if !s.logger.Debug() { // We don't need to allocate the slices for calling the format functions return } - utils.Debugf("-> Sending packet 0x%x (%d bytes) for connection %x, %s", packet.header.PacketNumber, len(packet.raw), s.connectionID, packet.encryptionLevel) - packet.header.Log() + s.logger.Debugf("-> Sending packet 0x%x (%d bytes) for connection %x, %s", packet.header.PacketNumber, len(packet.raw), s.connectionID, packet.encryptionLevel) + packet.header.Log(s.logger) for _, frame := range packet.frames { - wire.LogFrame(frame, true) + wire.LogFrame(s.logger, frame, true) } } @@ -919,6 +1058,10 @@ func (s *session) AcceptStream() (Stream, error) { return s.streamsMap.AcceptStream() } +func (s *session) AcceptUniStream() (ReceiveStream, error) { + return s.streamsMap.AcceptUniStream() +} + // OpenStream opens a stream func (s *session) OpenStream() (Stream, error) { return s.streamsMap.OpenStream() @@ -928,6 +1071,14 @@ func (s *session) OpenStreamSync() (Stream, error) { return s.streamsMap.OpenStreamSync() } +func (s *session) OpenUniStream() (SendStream, error) { + return s.streamsMap.OpenUniStream() +} + +func (s *session) OpenUniStreamSync() (SendStream, error) { + return s.streamsMap.OpenUniStreamSync() +} + func (s *session) newStream(id protocol.StreamID) streamI { flowController := s.newFlowController(id) return newStream(id, s, flowController, s.version) @@ -946,6 +1097,7 @@ func (s *session) newFlowController(id protocol.StreamID) flowcontrol.StreamFlow protocol.ByteCount(s.config.MaxReceiveStreamFlowControlWindow), initialSendWindow, s.rttStats, + s.logger, ) } @@ -959,12 +1111,13 @@ func (s *session) newCryptoStream() cryptoStreamI { protocol.ByteCount(s.config.MaxReceiveStreamFlowControlWindow), 0, s.rttStats, + s.logger, ) return newCryptoStream(s, flowController, s.version) } func (s *session) sendPublicReset(rejectedPacketNumber protocol.PacketNumber) error { - utils.Infof("Sending public reset for connection %x, packet number %d", s.connectionID, rejectedPacketNumber) + s.logger.Infof("Sending public reset for connection %x, packet number %d", s.connectionID, rejectedPacketNumber) return s.conn.Write(wire.WritePublicReset(s.connectionID, rejectedPacketNumber, 0)) } @@ -978,7 +1131,7 @@ func (s *session) scheduleSending() { func (s *session) tryQueueingUndecryptablePacket(p *receivedPacket) { if s.handshakeComplete { - utils.Debugf("Received undecryptable packet from %s after the handshake: %#v, %d bytes data", p.remoteAddr.String(), p.header, len(p.data)) + s.logger.Debugf("Received undecryptable packet from %s after the handshake: %#v, %d bytes data", p.remoteAddr.String(), p.header, len(p.data)) return } if len(s.undecryptablePackets)+1 > protocol.MaxUndecryptablePackets { @@ -987,10 +1140,10 @@ func (s *session) tryQueueingUndecryptablePacket(p *receivedPacket) { s.receivedTooManyUndecrytablePacketsTime = time.Now() s.maybeResetTimer() } - utils.Infof("Dropping undecrytable packet 0x%x (undecryptable packet queue full)", p.header.PacketNumber) + s.logger.Infof("Dropping undecrytable packet 0x%x (undecryptable packet queue full)", p.header.PacketNumber) return } - utils.Infof("Queueing packet 0x%x for later decryption", p.header.PacketNumber) + s.logger.Infof("Queueing packet 0x%x for later decryption", p.header.PacketNumber) s.undecryptablePackets = append(s.undecryptablePackets, p) } @@ -1026,7 +1179,6 @@ func (s *session) LocalAddr() net.Addr { return s.conn.LocalAddr() } -// RemoteAddr returns the net.Addr of the client func (s *session) RemoteAddr() net.Addr { return s.conn.RemoteAddr() } diff --git a/vendor/github.com/lucas-clemente/quic-go/stream_framer.go b/vendor/github.com/lucas-clemente/quic-go/stream_framer.go index 933d642bd..c453f8647 100644 --- a/vendor/github.com/lucas-clemente/quic-go/stream_framer.go +++ b/vendor/github.com/lucas-clemente/quic-go/stream_framer.go @@ -12,8 +12,6 @@ type streamFramer struct { cryptoStream cryptoStreamI version protocol.VersionNumber - retransmissionQueue []*wire.StreamFrame - streamQueueMutex sync.Mutex activeStreams map[protocol.StreamID]struct{} streamQueue []protocol.StreamID @@ -33,10 +31,6 @@ func newStreamFramer( } } -func (f *streamFramer) AddFrameForRetransmission(frame *wire.StreamFrame) { - f.retransmissionQueue = append(f.retransmissionQueue, frame) -} - func (f *streamFramer) AddActiveStream(id protocol.StreamID) { if id == f.version.CryptoStreamID() { // the crypto stream is handled separately f.streamQueueMutex.Lock() @@ -52,15 +46,6 @@ func (f *streamFramer) AddActiveStream(id protocol.StreamID) { f.streamQueueMutex.Unlock() } -func (f *streamFramer) PopStreamFrames(maxLen protocol.ByteCount) []*wire.StreamFrame { - fs, currentLen := f.maybePopFramesForRetransmission(maxLen) - return append(fs, f.maybePopNormalFrames(maxLen-currentLen)...) -} - -func (f *streamFramer) HasFramesForRetransmission() bool { - return len(f.retransmissionQueue) > 0 -} - func (f *streamFramer) HasCryptoStreamData() bool { f.streamQueueMutex.Lock() hasCryptoStreamData := f.hasCryptoStreamData @@ -76,34 +61,7 @@ func (f *streamFramer) PopCryptoStreamFrame(maxLen protocol.ByteCount) *wire.Str return frame } -func (f *streamFramer) maybePopFramesForRetransmission(maxTotalLen protocol.ByteCount) (res []*wire.StreamFrame, currentLen protocol.ByteCount) { - for len(f.retransmissionQueue) > 0 { - frame := f.retransmissionQueue[0] - frame.DataLenPresent = true - - maxLen := maxTotalLen - currentLen - if frame.Length(f.version) > maxLen && maxLen < protocol.MinStreamFrameSize { - break - } - - splitFrame, err := frame.MaybeSplitOffFrame(maxLen, f.version) - if err != nil { // maxLen is too small. Can't split frame - break - } - if splitFrame != nil { // frame was split - res = append(res, splitFrame) - currentLen += splitFrame.Length(f.version) - break - } - - f.retransmissionQueue = f.retransmissionQueue[1:] - res = append(res, frame) - currentLen += frame.Length(f.version) - } - return -} - -func (f *streamFramer) maybePopNormalFrames(maxTotalLen protocol.ByteCount) []*wire.StreamFrame { +func (f *streamFramer) PopStreamFrames(maxTotalLen protocol.ByteCount) []*wire.StreamFrame { var currentLen protocol.ByteCount var frames []*wire.StreamFrame f.streamQueueMutex.Lock() diff --git a/vendor/github.com/lucas-clemente/quic-go/streams_map.go b/vendor/github.com/lucas-clemente/quic-go/streams_map.go index c3ce2ef4d..b9a56d6b6 100644 --- a/vendor/github.com/lucas-clemente/quic-go/streams_map.go +++ b/vendor/github.com/lucas-clemente/quic-go/streams_map.go @@ -35,6 +35,8 @@ var _ streamManager = &streamsMap{} func newStreamsMap( sender streamSender, newFlowController func(protocol.StreamID) flowcontrol.StreamFlowController, + maxIncomingStreams int, + maxIncomingUniStreams int, perspective protocol.Perspective, version protocol.VersionNumber, ) streamManager { @@ -46,7 +48,7 @@ func newStreamsMap( var firstOutgoingBidiStream, firstOutgoingUniStream, firstIncomingBidiStream, firstIncomingUniStream protocol.StreamID if perspective == protocol.PerspectiveServer { firstOutgoingBidiStream = 1 - firstIncomingBidiStream = 4 // the crypto stream is handled separatedly + firstIncomingBidiStream = 4 // the crypto stream is handled separately firstOutgoingUniStream = 3 firstIncomingUniStream = 2 } else { @@ -69,11 +71,10 @@ func newStreamsMap( newBidiStream, sender.queueControlFrame, ) - // TODO(#523): make these values configurable m.incomingBidiStreams = newIncomingBidiStreamsMap( firstIncomingBidiStream, - protocol.MaxBidiStreamID(protocol.MaxIncomingStreams, perspective), - protocol.MaxIncomingStreams, + protocol.MaxBidiStreamID(maxIncomingStreams, perspective), + maxIncomingStreams, sender.queueControlFrame, newBidiStream, ) @@ -82,11 +83,10 @@ func newStreamsMap( newUniSendStream, sender.queueControlFrame, ) - // TODO(#523): make these values configurable m.incomingUniStreams = newIncomingUniStreamsMap( firstIncomingUniStream, - protocol.MaxUniStreamID(protocol.MaxIncomingStreams, perspective), - protocol.MaxIncomingStreams, + protocol.MaxUniStreamID(maxIncomingUniStreams, perspective), + maxIncomingUniStreams, sender.queueControlFrame, newUniReceiveStream, ) @@ -206,8 +206,14 @@ func (m *streamsMap) HandleMaxStreamIDFrame(f *wire.MaxStreamIDFrame) error { } func (m *streamsMap) UpdateLimits(p *handshake.TransportParameters) { - m.outgoingBidiStreams.SetMaxStream(p.MaxBidiStreamID) - m.outgoingUniStreams.SetMaxStream(p.MaxUniStreamID) + // Max{Uni,Bidi}StreamID returns the highest stream ID that the peer is allowed to open. + // Invert the perspective to determine the value that we are allowed to open. + peerPers := protocol.PerspectiveServer + if m.perspective == protocol.PerspectiveServer { + peerPers = protocol.PerspectiveClient + } + m.outgoingBidiStreams.SetMaxStream(protocol.MaxBidiStreamID(int(p.MaxBidiStreams), peerPers)) + m.outgoingUniStreams.SetMaxStream(protocol.MaxUniStreamID(int(p.MaxUniStreams), peerPers)) } func (m *streamsMap) CloseWithError(err error) { diff --git a/vendor/github.com/lucas-clemente/quic-go/streams_map_generic_helper.go b/vendor/github.com/lucas-clemente/quic-go/streams_map_generic_helper.go new file mode 100644 index 000000000..f48db212d --- /dev/null +++ b/vendor/github.com/lucas-clemente/quic-go/streams_map_generic_helper.go @@ -0,0 +1,11 @@ +package quic + +import "github.com/cheekybits/genny/generic" + +// In the auto-generated streams maps, we need to be able to close the streams. +// Therefore, extend the generic.Type with the stream close method. +// This definition must be in a file that Genny doesn't process. +type item interface { + generic.Type + closeForShutdown(error) +} diff --git a/vendor/github.com/lucas-clemente/quic-go/streams_map_incoming_bidi.go b/vendor/github.com/lucas-clemente/quic-go/streams_map_incoming_bidi.go index 8a35f044f..317f5e237 100644 --- a/vendor/github.com/lucas-clemente/quic-go/streams_map_incoming_bidi.go +++ b/vendor/github.com/lucas-clemente/quic-go/streams_map_incoming_bidi.go @@ -69,20 +69,25 @@ func (m *incomingBidiStreamsMap) AcceptStream() (streamI, error) { } func (m *incomingBidiStreamsMap) GetOrOpenStream(id protocol.StreamID) (streamI, error) { + m.mutex.RLock() if id > m.maxStream { + m.mutex.RUnlock() return nil, fmt.Errorf("peer tried to open stream %d (current limit: %d)", id, m.maxStream) } // if the id is smaller than the highest we accepted // * this stream exists in the map, and we can return it, or // * this stream was already closed, then we can return the nil if id <= m.highestStream { - m.mutex.RLock() s := m.streams[id] m.mutex.RUnlock() return s, nil } + m.mutex.RUnlock() m.mutex.Lock() + // no need to check the two error conditions from above again + // * maxStream can only increase, so if the id was valid before, it definitely is valid now + // * highestStream is only modified by this function var start protocol.StreamID if m.highestStream == 0 { start = m.nextStream @@ -118,6 +123,9 @@ func (m *incomingBidiStreamsMap) DeleteStream(id protocol.StreamID) error { func (m *incomingBidiStreamsMap) CloseWithError(err error) { m.mutex.Lock() m.closeErr = err + for _, str := range m.streams { + str.closeForShutdown(err) + } m.mutex.Unlock() m.cond.Broadcast() } diff --git a/vendor/github.com/lucas-clemente/quic-go/streams_map_incoming_generic.go b/vendor/github.com/lucas-clemente/quic-go/streams_map_incoming_generic.go index 830b690d9..58f1ccbe2 100644 --- a/vendor/github.com/lucas-clemente/quic-go/streams_map_incoming_generic.go +++ b/vendor/github.com/lucas-clemente/quic-go/streams_map_incoming_generic.go @@ -67,20 +67,25 @@ func (m *incomingItemsMap) AcceptStream() (item, error) { } func (m *incomingItemsMap) GetOrOpenStream(id protocol.StreamID) (item, error) { + m.mutex.RLock() if id > m.maxStream { + m.mutex.RUnlock() return nil, fmt.Errorf("peer tried to open stream %d (current limit: %d)", id, m.maxStream) } // if the id is smaller than the highest we accepted // * this stream exists in the map, and we can return it, or // * this stream was already closed, then we can return the nil if id <= m.highestStream { - m.mutex.RLock() s := m.streams[id] m.mutex.RUnlock() return s, nil } + m.mutex.RUnlock() m.mutex.Lock() + // no need to check the two error conditions from above again + // * maxStream can only increase, so if the id was valid before, it definitely is valid now + // * highestStream is only modified by this function var start protocol.StreamID if m.highestStream == 0 { start = m.nextStream @@ -116,6 +121,9 @@ func (m *incomingItemsMap) DeleteStream(id protocol.StreamID) error { func (m *incomingItemsMap) CloseWithError(err error) { m.mutex.Lock() m.closeErr = err + for _, str := range m.streams { + str.closeForShutdown(err) + } m.mutex.Unlock() m.cond.Broadcast() } diff --git a/vendor/github.com/lucas-clemente/quic-go/streams_map_incoming_uni.go b/vendor/github.com/lucas-clemente/quic-go/streams_map_incoming_uni.go index 9091d6357..8e775aac5 100644 --- a/vendor/github.com/lucas-clemente/quic-go/streams_map_incoming_uni.go +++ b/vendor/github.com/lucas-clemente/quic-go/streams_map_incoming_uni.go @@ -69,20 +69,25 @@ func (m *incomingUniStreamsMap) AcceptStream() (receiveStreamI, error) { } func (m *incomingUniStreamsMap) GetOrOpenStream(id protocol.StreamID) (receiveStreamI, error) { + m.mutex.RLock() if id > m.maxStream { + m.mutex.RUnlock() return nil, fmt.Errorf("peer tried to open stream %d (current limit: %d)", id, m.maxStream) } // if the id is smaller than the highest we accepted // * this stream exists in the map, and we can return it, or // * this stream was already closed, then we can return the nil if id <= m.highestStream { - m.mutex.RLock() s := m.streams[id] m.mutex.RUnlock() return s, nil } + m.mutex.RUnlock() m.mutex.Lock() + // no need to check the two error conditions from above again + // * maxStream can only increase, so if the id was valid before, it definitely is valid now + // * highestStream is only modified by this function var start protocol.StreamID if m.highestStream == 0 { start = m.nextStream @@ -118,6 +123,9 @@ func (m *incomingUniStreamsMap) DeleteStream(id protocol.StreamID) error { func (m *incomingUniStreamsMap) CloseWithError(err error) { m.mutex.Lock() m.closeErr = err + for _, str := range m.streams { + str.closeForShutdown(err) + } m.mutex.Unlock() m.cond.Broadcast() } diff --git a/vendor/github.com/lucas-clemente/quic-go/streams_map_legacy.go b/vendor/github.com/lucas-clemente/quic-go/streams_map_legacy.go index 152f20e5c..240eeea11 100644 --- a/vendor/github.com/lucas-clemente/quic-go/streams_map_legacy.go +++ b/vendor/github.com/lucas-clemente/quic-go/streams_map_legacy.go @@ -39,11 +39,10 @@ var _ streamManager = &streamsMapLegacy{} var errMapAccess = errors.New("streamsMap: Error accessing the streams map") -func newStreamsMapLegacy(newStream func(protocol.StreamID) streamI, pers protocol.Perspective) streamManager { +func newStreamsMapLegacy(newStream func(protocol.StreamID) streamI, maxStreams int, pers protocol.Perspective) streamManager { // add some tolerance to the maximum incoming streams value - maxStreams := uint32(protocol.MaxIncomingStreams) maxIncomingStreams := utils.MaxUint32( - maxStreams+protocol.MaxStreamsMinimumIncrement, + uint32(maxStreams)+protocol.MaxStreamsMinimumIncrement, uint32(float64(maxStreams)*float64(protocol.MaxStreamsMultiplier)), ) sm := streamsMapLegacy{ @@ -131,7 +130,10 @@ func (m *streamsMapLegacy) openRemoteStream(id protocol.StreamID) (streamI, erro if m.numIncomingStreams >= m.maxIncomingStreams { return nil, qerr.TooManyOpenStreams } - if id+protocol.MaxNewStreamIDDelta < m.highestStreamOpenedByPeer { + // maxNewStreamIDDelta is the maximum difference between and a newly opened Stream and the highest StreamID that a client has ever opened + // note that the number of streams is half this value, since the client can only open streams with open StreamID + maxStreamIDDelta := protocol.StreamID(4 * m.maxIncomingStreams) + if id+maxStreamIDDelta < m.highestStreamOpenedByPeer { return nil, qerr.Error(qerr.InvalidStreamID, fmt.Sprintf("attempted to open stream %d, which is a lot smaller than the highest opened stream, %d", id, m.highestStreamOpenedByPeer)) } @@ -185,6 +187,14 @@ func (m *streamsMapLegacy) OpenStreamSync() (Stream, error) { } } +func (m *streamsMapLegacy) OpenUniStream() (SendStream, error) { + return nil, errors.New("gQUIC doesn't support unidirectional streams") +} + +func (m *streamsMapLegacy) OpenUniStreamSync() (SendStream, error) { + return nil, errors.New("gQUIC doesn't support unidirectional streams") +} + // AcceptStream returns the next stream opened by the peer // it blocks until a new stream is opened func (m *streamsMapLegacy) AcceptStream() (Stream, error) { @@ -206,6 +216,10 @@ func (m *streamsMapLegacy) AcceptStream() (Stream, error) { return str, nil } +func (m *streamsMapLegacy) AcceptUniStream() (ReceiveStream, error) { + return nil, errors.New("gQUIC doesn't support unidirectional streams") +} + func (m *streamsMapLegacy) DeleteStream(id protocol.StreamID) error { m.mutex.Lock() defer m.mutex.Unlock() diff --git a/vendor/github.com/lucas-clemente/quic-go/streams_map_outgoing_bidi.go b/vendor/github.com/lucas-clemente/quic-go/streams_map_outgoing_bidi.go index d2c92dec2..ea9f47e60 100644 --- a/vendor/github.com/lucas-clemente/quic-go/streams_map_outgoing_bidi.go +++ b/vendor/github.com/lucas-clemente/quic-go/streams_map_outgoing_bidi.go @@ -85,10 +85,11 @@ func (m *outgoingBidiStreamsMap) openStreamImpl() (streamI, error) { } func (m *outgoingBidiStreamsMap) GetStream(id protocol.StreamID) (streamI, error) { + m.mutex.RLock() if id >= m.nextStream { + m.mutex.RUnlock() return nil, qerr.Error(qerr.InvalidStreamID, fmt.Sprintf("peer attempted to open stream %d", id)) } - m.mutex.RLock() s := m.streams[id] m.mutex.RUnlock() return s, nil @@ -117,6 +118,9 @@ func (m *outgoingBidiStreamsMap) SetMaxStream(id protocol.StreamID) { func (m *outgoingBidiStreamsMap) CloseWithError(err error) { m.mutex.Lock() m.closeErr = err + for _, str := range m.streams { + str.closeForShutdown(err) + } m.cond.Broadcast() m.mutex.Unlock() } diff --git a/vendor/github.com/lucas-clemente/quic-go/streams_map_outgoing_generic.go b/vendor/github.com/lucas-clemente/quic-go/streams_map_outgoing_generic.go index 5a2836026..f4b3eb619 100644 --- a/vendor/github.com/lucas-clemente/quic-go/streams_map_outgoing_generic.go +++ b/vendor/github.com/lucas-clemente/quic-go/streams_map_outgoing_generic.go @@ -4,14 +4,11 @@ import ( "fmt" "sync" - "github.com/cheekybits/genny/generic" "github.com/lucas-clemente/quic-go/internal/protocol" "github.com/lucas-clemente/quic-go/internal/wire" "github.com/lucas-clemente/quic-go/qerr" ) -type item generic.Type - //go:generate genny -in $GOFILE -out streams_map_outgoing_bidi.go gen "item=streamI Item=BidiStream" //go:generate genny -in $GOFILE -out streams_map_outgoing_uni.go gen "item=sendStreamI Item=UniStream" type outgoingItemsMap struct { @@ -86,10 +83,11 @@ func (m *outgoingItemsMap) openStreamImpl() (item, error) { } func (m *outgoingItemsMap) GetStream(id protocol.StreamID) (item, error) { + m.mutex.RLock() if id >= m.nextStream { + m.mutex.RUnlock() return nil, qerr.Error(qerr.InvalidStreamID, fmt.Sprintf("peer attempted to open stream %d", id)) } - m.mutex.RLock() s := m.streams[id] m.mutex.RUnlock() return s, nil @@ -118,6 +116,9 @@ func (m *outgoingItemsMap) SetMaxStream(id protocol.StreamID) { func (m *outgoingItemsMap) CloseWithError(err error) { m.mutex.Lock() m.closeErr = err + for _, str := range m.streams { + str.closeForShutdown(err) + } m.cond.Broadcast() m.mutex.Unlock() } diff --git a/vendor/github.com/lucas-clemente/quic-go/streams_map_outgoing_uni.go b/vendor/github.com/lucas-clemente/quic-go/streams_map_outgoing_uni.go index 77511b780..6ad0348c4 100644 --- a/vendor/github.com/lucas-clemente/quic-go/streams_map_outgoing_uni.go +++ b/vendor/github.com/lucas-clemente/quic-go/streams_map_outgoing_uni.go @@ -85,10 +85,11 @@ func (m *outgoingUniStreamsMap) openStreamImpl() (sendStreamI, error) { } func (m *outgoingUniStreamsMap) GetStream(id protocol.StreamID) (sendStreamI, error) { + m.mutex.RLock() if id >= m.nextStream { + m.mutex.RUnlock() return nil, qerr.Error(qerr.InvalidStreamID, fmt.Sprintf("peer attempted to open stream %d", id)) } - m.mutex.RLock() s := m.streams[id] m.mutex.RUnlock() return s, nil @@ -117,6 +118,9 @@ func (m *outgoingUniStreamsMap) SetMaxStream(id protocol.StreamID) { func (m *outgoingUniStreamsMap) CloseWithError(err error) { m.mutex.Lock() m.closeErr = err + for _, str := range m.streams { + str.closeForShutdown(err) + } m.cond.Broadcast() m.mutex.Unlock() } diff --git a/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/client-state-machine.go b/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/client-state-machine.go index ddd021816..ffca45ef4 100644 --- a/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/client-state-machine.go +++ b/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/client-state-machine.go @@ -50,7 +50,7 @@ import ( // WAIT_FINISHED RekeyIn; [Send(EOED);] RekeyOut; [SendCert; SendCV;] SendFin; RekeyOut; // CONNECTED StoreTicket || (RekeyIn; [RekeyOut]) -type ClientStateStart struct { +type clientStateStart struct { Config *Config Opts ConnectionOptions Params ConnectionParameters @@ -61,13 +61,13 @@ type ClientStateStart struct { hsCtx HandshakeContext } -var _ HandshakeState = &ClientStateStart{} +var _ HandshakeState = &clientStateStart{} -func (state ClientStateStart) State() State { +func (state clientStateStart) State() State { return StateClientStart } -func (state ClientStateStart) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { +func (state clientStateStart) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { // key_shares offeredDH := map[NamedGroup][]byte{} ks := KeyShareExtension{ @@ -268,7 +268,7 @@ func (state ClientStateStart) Next(hr handshakeMessageReader) (HandshakeState, [ logf(logTypeHandshake, "[ClientStateStart] -> [ClientStateWaitSH]") state.hsCtx.SetVersion(tls12Version) // Everything after this should be 1.2. - nextState := ClientStateWaitSH{ + nextState := clientStateWaitSH{ Config: state.Config, Opts: state.Opts, Params: state.Params, @@ -298,7 +298,7 @@ func (state ClientStateStart) Next(hr handshakeMessageReader) (HandshakeState, [ return nextState, toSend, AlertNoAlert } -type ClientStateWaitSH struct { +type clientStateWaitSH struct { Config *Config Opts ConnectionOptions Params ConnectionParameters @@ -315,13 +315,13 @@ type ClientStateWaitSH struct { clientHello *HandshakeMessage } -var _ HandshakeState = &ClientStateWaitSH{} +var _ HandshakeState = &clientStateWaitSH{} -func (state ClientStateWaitSH) State() State { +func (state clientStateWaitSH) State() State { return StateClientWaitSH } -func (state ClientStateWaitSH) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { +func (state clientStateWaitSH) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { hm, alert := hr.ReadMessage() if alert != AlertNoAlert { return nil, nil, alert @@ -413,7 +413,7 @@ func (state ClientStateWaitSH) Next(hr handshakeMessageReader) (HandshakeState, } logf(logTypeHandshake, "[ClientStateWaitSH] -> [ClientStateStart]") - return ClientStateStart{ + return clientStateStart{ Config: state.Config, Opts: state.Opts, hsCtx: state.hsCtx, @@ -517,7 +517,7 @@ func (state ClientStateWaitSH) Next(hr handshakeMessageReader) (HandshakeState, serverHandshakeKeys := makeTrafficKeys(params, serverHandshakeTrafficSecret) logf(logTypeHandshake, "[ClientStateWaitSH] -> [ClientStateWaitEE]") - nextState := ClientStateWaitEE{ + nextState := clientStateWaitEE{ Config: state.Config, Params: state.Params, hsCtx: state.hsCtx, @@ -533,7 +533,7 @@ func (state ClientStateWaitSH) Next(hr handshakeMessageReader) (HandshakeState, return nextState, toSend, AlertNoAlert } -type ClientStateWaitEE struct { +type clientStateWaitEE struct { Config *Config Params ConnectionParameters hsCtx HandshakeContext @@ -544,13 +544,13 @@ type ClientStateWaitEE struct { serverHandshakeTrafficSecret []byte } -var _ HandshakeState = &ClientStateWaitEE{} +var _ HandshakeState = &clientStateWaitEE{} -func (state ClientStateWaitEE) State() State { +func (state clientStateWaitEE) State() State { return StateClientWaitEE } -func (state ClientStateWaitEE) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { +func (state clientStateWaitEE) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { hm, alert := hr.ReadMessage() if alert != AlertNoAlert { return nil, nil, alert @@ -598,7 +598,7 @@ func (state ClientStateWaitEE) Next(hr handshakeMessageReader) (HandshakeState, if state.Params.UsingPSK { logf(logTypeHandshake, "[ClientStateWaitEE] -> [ClientStateWaitFinished]") - nextState := ClientStateWaitFinished{ + nextState := clientStateWaitFinished{ Params: state.Params, hsCtx: state.hsCtx, cryptoParams: state.cryptoParams, @@ -612,7 +612,7 @@ func (state ClientStateWaitEE) Next(hr handshakeMessageReader) (HandshakeState, } logf(logTypeHandshake, "[ClientStateWaitEE] -> [ClientStateWaitCertCR]") - nextState := ClientStateWaitCertCR{ + nextState := clientStateWaitCertCR{ Config: state.Config, Params: state.Params, hsCtx: state.hsCtx, @@ -625,7 +625,7 @@ func (state ClientStateWaitEE) Next(hr handshakeMessageReader) (HandshakeState, return nextState, nil, AlertNoAlert } -type ClientStateWaitCertCR struct { +type clientStateWaitCertCR struct { Config *Config Params ConnectionParameters hsCtx HandshakeContext @@ -636,13 +636,13 @@ type ClientStateWaitCertCR struct { serverHandshakeTrafficSecret []byte } -var _ HandshakeState = &ClientStateWaitCertCR{} +var _ HandshakeState = &clientStateWaitCertCR{} -func (state ClientStateWaitCertCR) State() State { +func (state clientStateWaitCertCR) State() State { return StateClientWaitCertCR } -func (state ClientStateWaitCertCR) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { +func (state clientStateWaitCertCR) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { hm, alert := hr.ReadMessage() if alert != AlertNoAlert { return nil, nil, alert @@ -663,7 +663,7 @@ func (state ClientStateWaitCertCR) Next(hr handshakeMessageReader) (HandshakeSta switch body := bodyGeneric.(type) { case *CertificateBody: logf(logTypeHandshake, "[ClientStateWaitCertCR] -> [ClientStateWaitCV]") - nextState := ClientStateWaitCV{ + nextState := clientStateWaitCV{ Config: state.Config, Params: state.Params, hsCtx: state.hsCtx, @@ -686,7 +686,7 @@ func (state ClientStateWaitCertCR) Next(hr handshakeMessageReader) (HandshakeSta state.Params.UsingClientAuth = true logf(logTypeHandshake, "[ClientStateWaitCertCR] -> [ClientStateWaitCert]") - nextState := ClientStateWaitCert{ + nextState := clientStateWaitCert{ Config: state.Config, Params: state.Params, hsCtx: state.hsCtx, @@ -703,7 +703,7 @@ func (state ClientStateWaitCertCR) Next(hr handshakeMessageReader) (HandshakeSta return nil, nil, AlertUnexpectedMessage } -type ClientStateWaitCert struct { +type clientStateWaitCert struct { Config *Config Params ConnectionParameters hsCtx HandshakeContext @@ -717,13 +717,13 @@ type ClientStateWaitCert struct { serverHandshakeTrafficSecret []byte } -var _ HandshakeState = &ClientStateWaitCert{} +var _ HandshakeState = &clientStateWaitCert{} -func (state ClientStateWaitCert) State() State { +func (state clientStateWaitCert) State() State { return StateClientWaitCert } -func (state ClientStateWaitCert) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { +func (state clientStateWaitCert) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { hm, alert := hr.ReadMessage() if alert != AlertNoAlert { return nil, nil, alert @@ -742,7 +742,7 @@ func (state ClientStateWaitCert) Next(hr handshakeMessageReader) (HandshakeState state.handshakeHash.Write(hm.Marshal()) logf(logTypeHandshake, "[ClientStateWaitCert] -> [ClientStateWaitCV]") - nextState := ClientStateWaitCV{ + nextState := clientStateWaitCV{ Config: state.Config, Params: state.Params, hsCtx: state.hsCtx, @@ -757,7 +757,7 @@ func (state ClientStateWaitCert) Next(hr handshakeMessageReader) (HandshakeState return nextState, nil, AlertNoAlert } -type ClientStateWaitCV struct { +type clientStateWaitCV struct { Config *Config Params ConnectionParameters hsCtx HandshakeContext @@ -772,13 +772,13 @@ type ClientStateWaitCV struct { serverHandshakeTrafficSecret []byte } -var _ HandshakeState = &ClientStateWaitCV{} +var _ HandshakeState = &clientStateWaitCV{} -func (state ClientStateWaitCV) State() State { +func (state clientStateWaitCV) State() State { return StateClientWaitCV } -func (state ClientStateWaitCV) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { +func (state clientStateWaitCV) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { hm, alert := hr.ReadMessage() if alert != AlertNoAlert { return nil, nil, alert @@ -843,7 +843,7 @@ func (state ClientStateWaitCV) Next(hr handshakeMessageReader) (HandshakeState, state.handshakeHash.Write(hm.Marshal()) logf(logTypeHandshake, "[ClientStateWaitCV] -> [ClientStateWaitFinished]") - nextState := ClientStateWaitFinished{ + nextState := clientStateWaitFinished{ Params: state.Params, hsCtx: state.hsCtx, cryptoParams: state.cryptoParams, @@ -859,7 +859,7 @@ func (state ClientStateWaitCV) Next(hr handshakeMessageReader) (HandshakeState, return nextState, nil, AlertNoAlert } -type ClientStateWaitFinished struct { +type clientStateWaitFinished struct { Params ConnectionParameters hsCtx HandshakeContext cryptoParams CipherSuiteParams @@ -875,13 +875,13 @@ type ClientStateWaitFinished struct { serverHandshakeTrafficSecret []byte } -var _ HandshakeState = &ClientStateWaitFinished{} +var _ HandshakeState = &clientStateWaitFinished{} -func (state ClientStateWaitFinished) State() State { +func (state clientStateWaitFinished) State() State { return StateClientWaitFinished } -func (state ClientStateWaitFinished) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { +func (state clientStateWaitFinished) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { hm, alert := hr.ReadMessage() if alert != AlertNoAlert { return nil, nil, alert @@ -1046,7 +1046,7 @@ func (state ClientStateWaitFinished) Next(hr handshakeMessageReader) (HandshakeS }...) logf(logTypeHandshake, "[ClientStateWaitFinished] -> [StateConnected]") - nextState := StateConnected{ + nextState := stateConnected{ Params: state.Params, hsCtx: state.hsCtx, isClient: true, diff --git a/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/common.go b/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/common.go index 565d15e32..0fdba6020 100644 --- a/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/common.go +++ b/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/common.go @@ -201,6 +201,8 @@ func (s State) String() string { return "Client WAIT_CV" case StateClientWaitFinished: return "Client WAIT_FINISHED" + case StateClientWaitCertCR: + return "Client WAIT_CERT_CR" case StateClientConnected: return "Client CONNECTED" case StateServerStart: diff --git a/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/conn.go b/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/conn.go index ffbead3fc..0ce05b2a8 100644 --- a/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/conn.go +++ b/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/conn.go @@ -265,7 +265,7 @@ type Conn struct { EarlyData []byte - state StateConnected + state stateConnected hState HandshakeState handshakeMutex sync.Mutex handshakeAlert Alert @@ -345,7 +345,7 @@ func (c *Conn) consumeRecord() error { } var connected bool - c.state, connected = state.(StateConnected) + c.state, connected = state.(stateConnected) if !connected { logf(logTypeHandshake, "Disconnected after state transition: %v", alert) c.sendAlert(alert) @@ -385,7 +385,7 @@ func (c *Conn) consumeRecord() error { // Read application data up to the size of buffer. Handshake and alert records // are consumed by the Conn object directly. func (c *Conn) Read(buffer []byte) (int, error) { - if _, connected := c.hState.(StateConnected); !connected && c.config.NonBlocking { + if _, connected := c.hState.(stateConnected); !connected { return 0, errors.New("Read called before the handshake completed") } logf(logTypeHandshake, "conn.Read with buffer = %d", len(buffer)) @@ -661,7 +661,7 @@ func (c *Conn) HandshakeSetup() Alert { } if c.isClient { - state, actions, alert = ClientStateStart{Config: c.config, Opts: opts, hsCtx: c.hsCtx}.Next(nil) + state, actions, alert = clientStateStart{Config: c.config, Opts: opts, hsCtx: c.hsCtx}.Next(nil) if alert != AlertNoAlert { logf(logTypeHandshake, "Error initializing client state: %v", alert) return alert @@ -688,7 +688,7 @@ func (c *Conn) HandshakeSetup() Alert { return AlertInternalError } } - state = ServerStateStart{Config: c.config, conn: c, hsCtx: c.hsCtx} + state = serverStateStart{Config: c.config, conn: c, hsCtx: c.hsCtx} } c.hState = state @@ -751,7 +751,7 @@ func (c *Conn) Handshake() Alert { logf(logTypeHandshake, "(Re-)entering handshake, state=%v", c.hState) state := c.hState - _, connected := state.(StateConnected) + _, connected := state.(stateConnected) hmr := &handshakeMessageReaderImpl{hsCtx: &c.hsCtx} for !connected { @@ -784,9 +784,9 @@ func (c *Conn) Handshake() Alert { c.hState = state logf(logTypeHandshake, "state is now %s", c.GetHsState()) - _, connected = state.(StateConnected) + _, connected = state.(stateConnected) if connected { - c.state = state.(StateConnected) + c.state = state.(stateConnected) c.handshakeComplete = true } @@ -852,7 +852,7 @@ func (c *Conn) GetHsState() State { } func (c *Conn) ComputeExporter(label string, context []byte, keyLength int) ([]byte, error) { - _, connected := c.hState.(StateConnected) + _, connected := c.hState.(stateConnected) if !connected { return nil, fmt.Errorf("Cannot compute exporter when state is not connected") } diff --git a/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/crypto.go b/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/crypto.go index 5fa70d4f4..ef7397d82 100644 --- a/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/crypto.go +++ b/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/crypto.go @@ -11,9 +11,11 @@ import ( "crypto/rand" "crypto/rsa" "crypto/x509" + "crypto/x509/pkix" "encoding/asn1" "fmt" "math/big" + "time" "golang.org/x/crypto/curve25519" @@ -616,3 +618,50 @@ func makeTrafficKeys(params CipherSuiteParams, secret []byte) keySet { iv: HkdfExpandLabel(params.Hash, secret, "iv", []byte{}, params.IvLen), } } + +func MakeNewSelfSignedCert(name string, alg SignatureScheme) (crypto.Signer, *x509.Certificate, error) { + priv, err := newSigningKey(alg) + if err != nil { + return nil, nil, err + } + + cert, err := newSelfSigned(name, alg, priv) + if err != nil { + return nil, nil, err + } + return priv, cert, nil +} + +func newSelfSigned(name string, alg SignatureScheme, priv crypto.Signer) (*x509.Certificate, error) { + sigAlg, ok := x509AlgMap[alg] + if !ok { + return nil, fmt.Errorf("tls.selfsigned: Unknown signature algorithm [%04x]", alg) + } + if len(name) == 0 { + return nil, fmt.Errorf("tls.selfsigned: No name provided") + } + + serial, err := rand.Int(rand.Reader, big.NewInt(0xA0A0A0A0)) + if err != nil { + return nil, err + } + + template := &x509.Certificate{ + SerialNumber: serial, + NotBefore: time.Now(), + NotAfter: time.Now().AddDate(0, 0, 1), + SignatureAlgorithm: sigAlg, + Subject: pkix.Name{CommonName: name}, + DNSNames: []string{name}, + KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement | x509.KeyUsageKeyEncipherment, + ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, + } + der, err := x509.CreateCertificate(prng, template, template, priv.Public(), priv) + if err != nil { + return nil, err + } + + // It is safe to ignore the error here because we're parsing known-good data + cert, _ := x509.ParseCertificate(der) + return cert, nil +} diff --git a/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/server-state-machine.go b/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/server-state-machine.go index c3c916101..0b851f404 100644 --- a/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/server-state-machine.go +++ b/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/server-state-machine.go @@ -71,19 +71,19 @@ type cookie struct { ApplicationCookie []byte `tls:"head=2"` } -type ServerStateStart struct { +type serverStateStart struct { Config *Config conn *Conn hsCtx HandshakeContext } -var _ HandshakeState = &ServerStateStart{} +var _ HandshakeState = &serverStateStart{} -func (state ServerStateStart) State() State { +func (state serverStateStart) State() State { return StateServerStart } -func (state ServerStateStart) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { +func (state serverStateStart) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { hm, alert := hr.ReadMessage() if alert != AlertNoAlert { return nil, nil, alert @@ -381,7 +381,7 @@ func (state ServerStateStart) Next(hr handshakeMessageReader) (HandshakeState, [ logf(logTypeHandshake, "[ServerStateStart] -> [ServerStateNegotiated]") state.hsCtx.SetVersion(tls12Version) // Everything after this should be 1.2. - return ServerStateNegotiated{ + return serverStateNegotiated{ Config: state.Config, Params: connParams, hsCtx: state.hsCtx, @@ -401,7 +401,7 @@ func (state ServerStateStart) Next(hr handshakeMessageReader) (HandshakeState, [ }, nil, AlertNoAlert } -func (state *ServerStateStart) generateHRR(cs CipherSuite, legacySessionId []byte, +func (state *serverStateStart) generateHRR(cs CipherSuite, legacySessionId []byte, cookieExt *CookieExtension) (*HandshakeMessage, error) { var helloRetryRequest *HandshakeMessage hrr := &ServerHelloBody{ @@ -442,7 +442,7 @@ func (state *ServerStateStart) generateHRR(cs CipherSuite, legacySessionId []byt return helloRetryRequest, nil } -type ServerStateNegotiated struct { +type serverStateNegotiated struct { Config *Config Params ConnectionParameters hsCtx HandshakeContext @@ -460,13 +460,13 @@ type ServerStateNegotiated struct { clientHello *HandshakeMessage } -var _ HandshakeState = &ServerStateNegotiated{} +var _ HandshakeState = &serverStateNegotiated{} -func (state ServerStateNegotiated) State() State { +func (state serverStateNegotiated) State() State { return StateServerNegotiated } -func (state ServerStateNegotiated) Next(_ handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { +func (state serverStateNegotiated) Next(_ handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { // Create the ServerHello sh := &ServerHelloBody{ Version: tls12Version, @@ -717,7 +717,7 @@ func (state ServerStateNegotiated) Next(_ handshakeMessageReader) (HandshakeStat clientEarlyTrafficKeys := makeTrafficKeys(params, state.clientEarlyTrafficSecret) logf(logTypeHandshake, "[ServerStateNegotiated] -> [ServerStateWaitEOED]") - nextState := ServerStateWaitEOED{ + nextState := serverStateWaitEOED{ Config: state.Config, Params: state.Params, hsCtx: state.hsCtx, @@ -741,7 +741,7 @@ func (state ServerStateNegotiated) Next(_ handshakeMessageReader) (HandshakeStat RekeyIn{epoch: EpochHandshakeData, KeySet: clientHandshakeKeys}, ReadPastEarlyData{}, }...) - waitFlight2 := ServerStateWaitFlight2{ + waitFlight2 := serverStateWaitFlight2{ Config: state.Config, Params: state.Params, hsCtx: state.hsCtx, @@ -756,7 +756,7 @@ func (state ServerStateNegotiated) Next(_ handshakeMessageReader) (HandshakeStat return waitFlight2, toSend, AlertNoAlert } -type ServerStateWaitEOED struct { +type serverStateWaitEOED struct { Config *Config Params ConnectionParameters hsCtx HandshakeContext @@ -769,13 +769,13 @@ type ServerStateWaitEOED struct { exporterSecret []byte } -var _ HandshakeState = &ServerStateWaitEOED{} +var _ HandshakeState = &serverStateWaitEOED{} -func (state ServerStateWaitEOED) State() State { +func (state serverStateWaitEOED) State() State { return StateServerWaitEOED } -func (state ServerStateWaitEOED) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { +func (state serverStateWaitEOED) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { hm, alert := hr.ReadMessage() if alert != AlertNoAlert { return nil, nil, alert @@ -798,7 +798,7 @@ func (state ServerStateWaitEOED) Next(hr handshakeMessageReader) (HandshakeState toSend := []HandshakeAction{ RekeyIn{epoch: EpochHandshakeData, KeySet: clientHandshakeKeys}, } - waitFlight2 := ServerStateWaitFlight2{ + waitFlight2 := serverStateWaitFlight2{ Config: state.Config, Params: state.Params, hsCtx: state.hsCtx, @@ -813,7 +813,7 @@ func (state ServerStateWaitEOED) Next(hr handshakeMessageReader) (HandshakeState return waitFlight2, toSend, AlertNoAlert } -type ServerStateWaitFlight2 struct { +type serverStateWaitFlight2 struct { Config *Config Params ConnectionParameters hsCtx HandshakeContext @@ -826,16 +826,16 @@ type ServerStateWaitFlight2 struct { exporterSecret []byte } -var _ HandshakeState = &ServerStateWaitFlight2{} +var _ HandshakeState = &serverStateWaitFlight2{} -func (state ServerStateWaitFlight2) State() State { +func (state serverStateWaitFlight2) State() State { return StateServerWaitFlight2 } -func (state ServerStateWaitFlight2) Next(_ handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { +func (state serverStateWaitFlight2) Next(_ handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { if state.Params.UsingClientAuth { logf(logTypeHandshake, "[ServerStateWaitFlight2] -> [ServerStateWaitCert]") - nextState := ServerStateWaitCert{ + nextState := serverStateWaitCert{ Config: state.Config, Params: state.Params, hsCtx: state.hsCtx, @@ -851,7 +851,7 @@ func (state ServerStateWaitFlight2) Next(_ handshakeMessageReader) (HandshakeSta } logf(logTypeHandshake, "[ServerStateWaitFlight2] -> [ServerStateWaitFinished]") - nextState := ServerStateWaitFinished{ + nextState := serverStateWaitFinished{ Params: state.Params, hsCtx: state.hsCtx, cryptoParams: state.cryptoParams, @@ -865,7 +865,7 @@ func (state ServerStateWaitFlight2) Next(_ handshakeMessageReader) (HandshakeSta return nextState, nil, AlertNoAlert } -type ServerStateWaitCert struct { +type serverStateWaitCert struct { Config *Config Params ConnectionParameters hsCtx HandshakeContext @@ -878,13 +878,13 @@ type ServerStateWaitCert struct { exporterSecret []byte } -var _ HandshakeState = &ServerStateWaitCert{} +var _ HandshakeState = &serverStateWaitCert{} -func (state ServerStateWaitCert) State() State { +func (state serverStateWaitCert) State() State { return StateServerWaitCert } -func (state ServerStateWaitCert) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { +func (state serverStateWaitCert) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { hm, alert := hr.ReadMessage() if alert != AlertNoAlert { return nil, nil, alert @@ -906,7 +906,7 @@ func (state ServerStateWaitCert) Next(hr handshakeMessageReader) (HandshakeState logf(logTypeHandshake, "[ServerStateWaitCert] WARNING client did not provide a certificate") logf(logTypeHandshake, "[ServerStateWaitCert] -> [ServerStateWaitFinished]") - nextState := ServerStateWaitFinished{ + nextState := serverStateWaitFinished{ Params: state.Params, hsCtx: state.hsCtx, cryptoParams: state.cryptoParams, @@ -921,7 +921,7 @@ func (state ServerStateWaitCert) Next(hr handshakeMessageReader) (HandshakeState } logf(logTypeHandshake, "[ServerStateWaitCert] -> [ServerStateWaitCV]") - nextState := ServerStateWaitCV{ + nextState := serverStateWaitCV{ Config: state.Config, Params: state.Params, hsCtx: state.hsCtx, @@ -937,7 +937,7 @@ func (state ServerStateWaitCert) Next(hr handshakeMessageReader) (HandshakeState return nextState, nil, AlertNoAlert } -type ServerStateWaitCV struct { +type serverStateWaitCV struct { Config *Config Params ConnectionParameters hsCtx HandshakeContext @@ -954,13 +954,13 @@ type ServerStateWaitCV struct { clientCertificate *CertificateBody } -var _ HandshakeState = &ServerStateWaitCV{} +var _ HandshakeState = &serverStateWaitCV{} -func (state ServerStateWaitCV) State() State { +func (state serverStateWaitCV) State() State { return StateServerWaitCV } -func (state ServerStateWaitCV) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { +func (state serverStateWaitCV) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { hm, alert := hr.ReadMessage() if alert != AlertNoAlert { return nil, nil, alert @@ -1005,7 +1005,7 @@ func (state ServerStateWaitCV) Next(hr handshakeMessageReader) (HandshakeState, state.handshakeHash.Write(hm.Marshal()) logf(logTypeHandshake, "[ServerStateWaitCV] -> [ServerStateWaitFinished]") - nextState := ServerStateWaitFinished{ + nextState := serverStateWaitFinished{ Params: state.Params, hsCtx: state.hsCtx, cryptoParams: state.cryptoParams, @@ -1021,7 +1021,7 @@ func (state ServerStateWaitCV) Next(hr handshakeMessageReader) (HandshakeState, return nextState, nil, AlertNoAlert } -type ServerStateWaitFinished struct { +type serverStateWaitFinished struct { Params ConnectionParameters hsCtx HandshakeContext cryptoParams CipherSuiteParams @@ -1037,13 +1037,13 @@ type ServerStateWaitFinished struct { exporterSecret []byte } -var _ HandshakeState = &ServerStateWaitFinished{} +var _ HandshakeState = &serverStateWaitFinished{} -func (state ServerStateWaitFinished) State() State { +func (state serverStateWaitFinished) State() State { return StateServerWaitFinished } -func (state ServerStateWaitFinished) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { +func (state serverStateWaitFinished) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { hm, alert := hr.ReadMessage() if alert != AlertNoAlert { return nil, nil, alert @@ -1083,7 +1083,7 @@ func (state ServerStateWaitFinished) Next(hr handshakeMessageReader) (HandshakeS clientTrafficKeys := makeTrafficKeys(state.cryptoParams, state.clientTrafficSecret) logf(logTypeHandshake, "[ServerStateWaitFinished] -> [StateConnected]") - nextState := StateConnected{ + nextState := stateConnected{ Params: state.Params, hsCtx: state.hsCtx, isClient: false, diff --git a/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/state-machine.go b/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/state-machine.go index 556fc09d7..7639c5f65 100644 --- a/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/state-machine.go +++ b/vendor/github.com/lucas-clemente/quic-go/vendor/github.com/bifurcation/mint/state-machine.go @@ -81,8 +81,8 @@ func (hc *HandshakeContext) SetVersion(version uint16) { } } -// StateConnected is symmetric between client and server -type StateConnected struct { +// stateConnected is symmetric between client and server +type stateConnected struct { Params ConnectionParameters hsCtx HandshakeContext isClient bool @@ -95,16 +95,16 @@ type StateConnected struct { verifiedChains [][]*x509.Certificate } -var _ HandshakeState = &StateConnected{} +var _ HandshakeState = &stateConnected{} -func (state StateConnected) State() State { +func (state stateConnected) State() State { if state.isClient { return StateClientConnected } return StateServerConnected } -func (state *StateConnected) KeyUpdate(request KeyUpdateRequest) ([]HandshakeAction, Alert) { +func (state *stateConnected) KeyUpdate(request KeyUpdateRequest) ([]HandshakeAction, Alert) { var trafficKeys keySet if state.isClient { state.clientTrafficSecret = HkdfExpandLabel(state.cryptoParams.Hash, state.clientTrafficSecret, @@ -130,7 +130,7 @@ func (state *StateConnected) KeyUpdate(request KeyUpdateRequest) ([]HandshakeAct return toSend, AlertNoAlert } -func (state *StateConnected) NewSessionTicket(length int, lifetime, earlyDataLifetime uint32) ([]HandshakeAction, Alert) { +func (state *stateConnected) NewSessionTicket(length int, lifetime, earlyDataLifetime uint32) ([]HandshakeAction, Alert) { tkt, err := NewSessionTicket(length, lifetime) if err != nil { logf(logTypeHandshake, "[StateConnected] Error generating NewSessionTicket: %v", err) @@ -172,11 +172,11 @@ func (state *StateConnected) NewSessionTicket(length int, lifetime, earlyDataLif } // Next does nothing for this state. -func (state StateConnected) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { +func (state stateConnected) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) { return state, nil, AlertNoAlert } -func (state StateConnected) ProcessMessage(hm *HandshakeMessage) (HandshakeState, []HandshakeAction, Alert) { +func (state stateConnected) ProcessMessage(hm *HandshakeMessage) (HandshakeState, []HandshakeAction, Alert) { if hm == nil { logf(logTypeHandshake, "[StateConnected] Unexpected message") return nil, nil, AlertUnexpectedMessage diff --git a/vendor/github.com/xenolf/lego/acme/messages.go b/vendor/github.com/xenolf/lego/acme/messages.go deleted file mode 100644 index 79ccf154e..000000000 --- a/vendor/github.com/xenolf/lego/acme/messages.go +++ /dev/null @@ -1,115 +0,0 @@ -package acme - -import ( - "time" - - "gopkg.in/square/go-jose.v1" -) - -type directory struct { - NewAuthzURL string `json:"new-authz"` - NewCertURL string `json:"new-cert"` - NewRegURL string `json:"new-reg"` - RevokeCertURL string `json:"revoke-cert"` -} - -type registrationMessage struct { - Resource string `json:"resource"` - Contact []string `json:"contact"` - Delete bool `json:"delete,omitempty"` -} - -// Registration is returned by the ACME server after the registration -// The client implementation should save this registration somewhere. -type Registration struct { - Resource string `json:"resource,omitempty"` - ID int `json:"id"` - Key jose.JsonWebKey `json:"key"` - Contact []string `json:"contact"` - Agreement string `json:"agreement,omitempty"` - Authorizations string `json:"authorizations,omitempty"` - Certificates string `json:"certificates,omitempty"` -} - -// RegistrationResource represents all important informations about a registration -// of which the client needs to keep track itself. -type RegistrationResource struct { - Body Registration `json:"body,omitempty"` - URI string `json:"uri,omitempty"` - NewAuthzURL string `json:"new_authzr_uri,omitempty"` - TosURL string `json:"terms_of_service,omitempty"` -} - -type authorizationResource struct { - Body authorization - Domain string - NewCertURL string - AuthURL string -} - -type authorization struct { - Resource string `json:"resource,omitempty"` - Identifier identifier `json:"identifier"` - Status string `json:"status,omitempty"` - Expires time.Time `json:"expires,omitempty"` - Challenges []challenge `json:"challenges,omitempty"` - Combinations [][]int `json:"combinations,omitempty"` -} - -type identifier struct { - Type string `json:"type"` - Value string `json:"value"` -} - -type validationRecord struct { - URI string `json:"url,omitempty"` - Hostname string `json:"hostname,omitempty"` - Port string `json:"port,omitempty"` - ResolvedAddresses []string `json:"addressesResolved,omitempty"` - UsedAddress string `json:"addressUsed,omitempty"` -} - -type challenge struct { - Resource string `json:"resource,omitempty"` - Type Challenge `json:"type,omitempty"` - Status string `json:"status,omitempty"` - URI string `json:"uri,omitempty"` - Token string `json:"token,omitempty"` - KeyAuthorization string `json:"keyAuthorization,omitempty"` - TLS bool `json:"tls,omitempty"` - Iterations int `json:"n,omitempty"` - Error RemoteError `json:"error,omitempty"` - ValidationRecords []validationRecord `json:"validationRecord,omitempty"` -} - -type csrMessage struct { - Resource string `json:"resource,omitempty"` - Csr string `json:"csr"` - Authorizations []string `json:"authorizations"` -} - -type revokeCertMessage struct { - Resource string `json:"resource"` - Certificate string `json:"certificate"` -} - -type deactivateAuthMessage struct { - Resource string `json:"resource,omitempty"` - Status string `jsom:"status"` -} - -// CertificateResource represents a CA issued certificate. -// PrivateKey, Certificate and IssuerCertificate are all -// already PEM encoded and can be directly written to disk. -// Certificate may be a certificate bundle, depending on the -// options supplied to create it. -type CertificateResource struct { - Domain string `json:"domain"` - CertURL string `json:"certUrl"` - CertStableURL string `json:"certStableUrl"` - AccountRef string `json:"accountRef,omitempty"` - PrivateKey []byte `json:"-"` - Certificate []byte `json:"-"` - IssuerCertificate []byte `json:"-"` - CSR []byte `json:"-"` -} diff --git a/vendor/github.com/xenolf/lego/acme/tls_sni_challenge.go b/vendor/github.com/xenolf/lego/acme/tls_sni_challenge.go deleted file mode 100644 index 34383cbfa..000000000 --- a/vendor/github.com/xenolf/lego/acme/tls_sni_challenge.go +++ /dev/null @@ -1,67 +0,0 @@ -package acme - -import ( - "crypto/rsa" - "crypto/sha256" - "crypto/tls" - "encoding/hex" - "fmt" - "log" -) - -type tlsSNIChallenge struct { - jws *jws - validate validateFunc - provider ChallengeProvider -} - -func (t *tlsSNIChallenge) Solve(chlng challenge, domain string) error { - // FIXME: https://github.com/ietf-wg-acme/acme/pull/22 - // Currently we implement this challenge to track boulder, not the current spec! - - logf("[INFO][%s] acme: Trying to solve TLS-SNI-01", domain) - - // Generate the Key Authorization for the challenge - keyAuth, err := getKeyAuthorization(chlng.Token, t.jws.privKey) - if err != nil { - return err - } - - err = t.provider.Present(domain, chlng.Token, keyAuth) - if err != nil { - return fmt.Errorf("[%s] error presenting token: %v", domain, err) - } - defer func() { - err := t.provider.CleanUp(domain, chlng.Token, keyAuth) - if err != nil { - log.Printf("[%s] error cleaning up: %v", domain, err) - } - }() - return t.validate(t.jws, domain, chlng.URI, challenge{Resource: "challenge", Type: chlng.Type, Token: chlng.Token, KeyAuthorization: keyAuth}) -} - -// TLSSNI01ChallengeCert returns a certificate and target domain for the `tls-sni-01` challenge -func TLSSNI01ChallengeCert(keyAuth string) (tls.Certificate, string, error) { - // generate a new RSA key for the certificates - tempPrivKey, err := generatePrivateKey(RSA2048) - if err != nil { - return tls.Certificate{}, "", err - } - rsaPrivKey := tempPrivKey.(*rsa.PrivateKey) - rsaPrivPEM := pemEncode(rsaPrivKey) - - zBytes := sha256.Sum256([]byte(keyAuth)) - z := hex.EncodeToString(zBytes[:sha256.Size]) - domain := fmt.Sprintf("%s.%s.acme.invalid", z[:32], z[32:]) - tempCertPEM, err := generatePemCert(rsaPrivKey, domain) - if err != nil { - return tls.Certificate{}, "", err - } - - certificate, err := tls.X509KeyPair(tempCertPEM, rsaPrivPEM) - if err != nil { - return tls.Certificate{}, "", err - } - - return certificate, domain, nil -} diff --git a/vendor/github.com/xenolf/lego/acme/tls_sni_challenge_server.go b/vendor/github.com/xenolf/lego/acme/tls_sni_challenge_server.go deleted file mode 100644 index df00fbb5a..000000000 --- a/vendor/github.com/xenolf/lego/acme/tls_sni_challenge_server.go +++ /dev/null @@ -1,62 +0,0 @@ -package acme - -import ( - "crypto/tls" - "fmt" - "net" - "net/http" -) - -// TLSProviderServer implements ChallengeProvider for `TLS-SNI-01` challenge -// It may be instantiated without using the NewTLSProviderServer function if -// you want only to use the default values. -type TLSProviderServer struct { - iface string - port string - done chan bool - listener net.Listener -} - -// NewTLSProviderServer creates a new TLSProviderServer on the selected interface and port. -// Setting iface and / or port to an empty string will make the server fall back to -// the "any" interface and port 443 respectively. -func NewTLSProviderServer(iface, port string) *TLSProviderServer { - return &TLSProviderServer{iface: iface, port: port} -} - -// Present makes the keyAuth available as a cert -func (s *TLSProviderServer) Present(domain, token, keyAuth string) error { - if s.port == "" { - s.port = "443" - } - - cert, _, err := TLSSNI01ChallengeCert(keyAuth) - if err != nil { - return err - } - - tlsConf := new(tls.Config) - tlsConf.Certificates = []tls.Certificate{cert} - - s.listener, err = tls.Listen("tcp", net.JoinHostPort(s.iface, s.port), tlsConf) - if err != nil { - return fmt.Errorf("Could not start HTTPS server for challenge -> %v", err) - } - - s.done = make(chan bool) - go func() { - http.Serve(s.listener, nil) - s.done <- true - }() - return nil -} - -// CleanUp closes the HTTP server. -func (s *TLSProviderServer) CleanUp(domain, token, keyAuth string) error { - if s.listener == nil { - return nil - } - s.listener.Close() - <-s.done - return nil -} diff --git a/vendor/github.com/xenolf/lego/acme/LICENSE b/vendor/github.com/xenolf/lego/acmev2/LICENSE index 270cba089..270cba089 100644 --- a/vendor/github.com/xenolf/lego/acme/LICENSE +++ b/vendor/github.com/xenolf/lego/acmev2/LICENSE diff --git a/vendor/github.com/xenolf/lego/acme/challenges.go b/vendor/github.com/xenolf/lego/acmev2/challenges.go index 857900507..cf7bd7f75 100644 --- a/vendor/github.com/xenolf/lego/acme/challenges.go +++ b/vendor/github.com/xenolf/lego/acmev2/challenges.go @@ -7,9 +7,6 @@ const ( // HTTP01 is the "http-01" ACME challenge https://github.com/ietf-wg-acme/acme/blob/master/draft-ietf-acme-acme.md#http // Note: HTTP01ChallengePath returns the URL path to fulfill this challenge HTTP01 = Challenge("http-01") - // TLSSNI01 is the "tls-sni-01" ACME challenge https://github.com/ietf-wg-acme/acme/blob/master/draft-ietf-acme-acme.md#tls-with-server-name-indication-tls-sni - // Note: TLSSNI01ChallengeCert returns a certificate to fulfill this challenge - TLSSNI01 = Challenge("tls-sni-01") // DNS01 is the "dns-01" ACME challenge https://github.com/ietf-wg-acme/acme/blob/master/draft-ietf-acme-acme.md#dns // Note: DNS01Record returns a DNS record which will fulfill this challenge DNS01 = Challenge("dns-01") diff --git a/vendor/github.com/xenolf/lego/acme/client.go b/vendor/github.com/xenolf/lego/acmev2/client.go index bcb844371..904f07fbc 100644 --- a/vendor/github.com/xenolf/lego/acme/client.go +++ b/vendor/github.com/xenolf/lego/acmev2/client.go @@ -5,13 +5,11 @@ import ( "crypto" "crypto/x509" "encoding/base64" - "encoding/json" "errors" "fmt" "io/ioutil" "log" "net" - "net/http" "regexp" "strconv" "strings" @@ -82,27 +80,26 @@ func NewClient(caDirURL string, user User, keyType KeyType) (*Client, error) { return nil, fmt.Errorf("get directory at '%s': %v", caDirURL, err) } - if dir.NewRegURL == "" { + if dir.NewAccountURL == "" { return nil, errors.New("directory missing new registration URL") } - if dir.NewAuthzURL == "" { - return nil, errors.New("directory missing new authz URL") + if dir.NewOrderURL == "" { + return nil, errors.New("directory missing new order URL") } - if dir.NewCertURL == "" { - return nil, errors.New("directory missing new certificate URL") - } - if dir.RevokeCertURL == "" { + /*if dir.RevokeCertURL == "" { return nil, errors.New("directory missing revoke certificate URL") - } + }*/ - jws := &jws{privKey: privKey, directoryURL: caDirURL} + jws := &jws{privKey: privKey, getNonceURL: dir.NewNonceURL} + if reg := user.GetRegistration(); reg != nil { + jws.kid = reg.URI + } // REVIEW: best possibility? // Add all available solvers with the right index as per ACME // spec to this map. Otherwise they won`t be found. solvers := make(map[Challenge]solver) solvers[HTTP01] = &httpChallenge{jws: jws, validate: validate, provider: &HTTPProviderServer{}} - solvers[TLSSNI01] = &tlsSNIChallenge{jws: jws, validate: validate, provider: &TLSProviderServer{}} return &Client{directory: dir, user: user, jws: jws, keyType: keyType, solvers: solvers}, nil } @@ -112,8 +109,6 @@ func (c *Client) SetChallengeProvider(challenge Challenge, p ChallengeProvider) switch challenge { case HTTP01: c.solvers[challenge] = &httpChallenge{jws: c.jws, validate: validate, provider: p} - case TLSSNI01: - c.solvers[challenge] = &tlsSNIChallenge{jws: c.jws, validate: validate, provider: p} case DNS01: c.solvers[challenge] = &dnsChallenge{jws: c.jws, validate: validate, provider: p} default: @@ -141,24 +136,6 @@ func (c *Client) SetHTTPAddress(iface string) error { return nil } -// SetTLSAddress specifies a custom interface:port to be used for TLS based challenges. -// If this option is not used, the default port 443 and all interfaces will be used. -// To only specify a port and no interface use the ":port" notation. -// -// NOTE: This REPLACES any custom TLS-SNI provider previously set by calling -// c.SetChallengeProvider with the default TLS-SNI challenge provider. -func (c *Client) SetTLSAddress(iface string) error { - host, port, err := net.SplitHostPort(iface) - if err != nil { - return err - } - - if chlng, ok := c.solvers[TLSSNI01]; ok { - chlng.(*tlsSNIChallenge).provider = NewTLSProviderServer(host, port) - } - return nil -} - // ExcludeChallenges explicitly removes challenges from the pool for solving. func (c *Client) ExcludeChallenges(challenges []Challenge) { // Loop through all challenges and delete the requested one if found. @@ -167,59 +144,69 @@ func (c *Client) ExcludeChallenges(challenges []Challenge) { } } +// GetToSURL returns the current ToS URL from the Directory +func (c *Client) GetToSURL() string { + return c.directory.Meta.TermsOfService +} + // Register the current account to the ACME server. -func (c *Client) Register() (*RegistrationResource, error) { +func (c *Client) Register(tosAgreed bool) (*RegistrationResource, error) { if c == nil || c.user == nil { return nil, errors.New("acme: cannot register a nil client or user") } logf("[INFO] acme: Registering account for %s", c.user.GetEmail()) - regMsg := registrationMessage{ - Resource: "new-reg", - } + accMsg := accountMessage{} if c.user.GetEmail() != "" { - regMsg.Contact = []string{"mailto:" + c.user.GetEmail()} + accMsg.Contact = []string{"mailto:" + c.user.GetEmail()} } else { - regMsg.Contact = []string{} + accMsg.Contact = []string{} } + accMsg.TermsOfServiceAgreed = tosAgreed - var serverReg Registration - var regURI string - hdr, err := postJSON(c.jws, c.directory.NewRegURL, regMsg, &serverReg) + var serverReg accountMessage + hdr, err := postJSON(c.jws, c.directory.NewAccountURL, accMsg, &serverReg) if err != nil { remoteErr, ok := err.(RemoteError) if ok && remoteErr.StatusCode == 409 { - regURI = hdr.Get("Location") - regMsg = registrationMessage{ - Resource: "reg", - } - if hdr, err = postJSON(c.jws, regURI, regMsg, &serverReg); err != nil { - return nil, err - } } else { return nil, err } } - reg := &RegistrationResource{Body: serverReg} + reg := &RegistrationResource{ + URI: hdr.Get("Location"), + Body: serverReg, + } + c.jws.kid = reg.URI - links := parseLinks(hdr["Link"]) + return reg, nil +} + +// ResolveAccountByKey will attempt to look up an account using the given account key +// and return its registration resource. +func (c *Client) ResolveAccountByKey() (*RegistrationResource, error) { + logf("[INFO] acme: Trying to resolve account by key") - if regURI == "" { - regURI = hdr.Get("Location") + acc := accountMessage{OnlyReturnExisting: true} + hdr, err := postJSON(c.jws, c.directory.NewAccountURL, acc, nil) + if err != nil { + return nil, err } - reg.URI = regURI - if links["terms-of-service"] != "" { - reg.TosURL = links["terms-of-service"] + + accountLink := hdr.Get("Location") + if accountLink == "" { + return nil, errors.New("Server did not return the account link") } - if links["next"] != "" { - reg.NewAuthzURL = links["next"] - } else { - return nil, errors.New("acme: The server did not return 'next' link to proceed") + var retAccount accountMessage + c.jws.kid = accountLink + hdr, err = postJSON(c.jws, accountLink, accountMessage{}, &retAccount) + if err != nil { + return nil, err } - return reg, nil + return &RegistrationResource{URI: accountLink, Body: retAccount}, nil } // DeleteRegistration deletes the client's user registration from the ACME @@ -230,12 +217,11 @@ func (c *Client) DeleteRegistration() error { } logf("[INFO] acme: Deleting account for %s", c.user.GetEmail()) - regMsg := registrationMessage{ - Resource: "reg", - Delete: true, + accMsg := accountMessage{ + Status: "deactivated", } - _, err := postJSON(c.jws, c.user.GetRegistration().URI, regMsg, nil) + _, err := postJSON(c.jws, c.user.GetRegistration().URI, accMsg, nil) if err != nil { return err } @@ -255,46 +241,23 @@ func (c *Client) QueryRegistration() (*RegistrationResource, error) { // Log the URL here instead of the email as the email may not be set logf("[INFO] acme: Querying account for %s", c.user.GetRegistration().URI) - regMsg := registrationMessage{ - Resource: "reg", - } + accMsg := accountMessage{} - var serverReg Registration - hdr, err := postJSON(c.jws, c.user.GetRegistration().URI, regMsg, &serverReg) + var serverReg accountMessage + _, err := postJSON(c.jws, c.user.GetRegistration().URI, accMsg, &serverReg) if err != nil { return nil, err } reg := &RegistrationResource{Body: serverReg} - links := parseLinks(hdr["Link"]) // Location: header is not returned so this needs to be populated off of // existing URI reg.URI = c.user.GetRegistration().URI - if links["terms-of-service"] != "" { - reg.TosURL = links["terms-of-service"] - } - - if links["next"] != "" { - reg.NewAuthzURL = links["next"] - } else { - return nil, errors.New("acme: No new-authz link in response to registration query") - } return reg, nil } -// AgreeToTOS updates the Client registration and sends the agreement to -// the server. -func (c *Client) AgreeToTOS() error { - reg := c.user.GetRegistration() - - reg.Body.Agreement = c.user.GetRegistration().TosURL - reg.Body.Resource = "reg" - _, err := postJSON(c.jws, c.user.GetRegistration().URI, c.user.GetRegistration().Body, nil) - return err -} - // ObtainCertificateForCSR tries to obtain a certificate matching the CSR passed into it. // The domains are inferred from the CommonName and SubjectAltNames, if any. The private key // for this CSR is not required. @@ -302,7 +265,7 @@ func (c *Client) AgreeToTOS() error { // your issued certificate as a bundle. // This function will never return a partial certificate. If one domain in the list fails, // the whole certificate will fail. -func (c *Client) ObtainCertificateForCSR(csr x509.CertificateRequest, bundle bool) (CertificateResource, map[string]error) { +func (c *Client) ObtainCertificateForCSR(csr x509.CertificateRequest, bundle bool) (CertificateResource, error) { // figure out what domains it concerns // start with the common name domains := []string{csr.Subject.CommonName} @@ -327,35 +290,44 @@ DNSNames: logf("[INFO][%s] acme: Obtaining SAN certificate given a CSR", strings.Join(domains, ", ")) } - challenges, failures := c.getChallenges(domains) - // If any challenge fails - return. Do not generate partial SAN certificates. - if len(failures) > 0 { - for _, auth := range challenges { + order, err := c.createOrderForIdentifiers(domains) + if err != nil { + return CertificateResource{}, err + } + authz, err := c.getAuthzForOrder(order) + if err != nil { + // If any challenge fails, return. Do not generate partial SAN certificates. + /*for _, auth := range authz { c.disableAuthz(auth) - } - - return CertificateResource{}, failures + }*/ + return CertificateResource{}, err } - errs := c.solveChallenges(challenges) - // If any challenge fails - return. Do not generate partial SAN certificates. - if len(errs) > 0 { - return CertificateResource{}, errs + err = c.solveChallengeForAuthz(authz) + if err != nil { + // If any challenge fails, return. Do not generate partial SAN certificates. + return CertificateResource{}, err } logf("[INFO][%s] acme: Validations succeeded; requesting certificates", strings.Join(domains, ", ")) - cert, err := c.requestCertificateForCsr(challenges, bundle, csr.Raw, nil) + failures := make(ObtainError) + cert, err := c.requestCertificateForCsr(order, bundle, csr.Raw, nil) if err != nil { - for _, chln := range challenges { - failures[chln.Domain] = err + for _, chln := range authz { + failures[chln.Identifier.Value] = err } } // Add the CSR to the certificate so that it can be used for renewals. cert.CSR = pemEncode(&csr) - return cert, failures + // do not return an empty failures map, because + // it would still be a non-nil error value + if len(failures) > 0 { + return cert, failures + } + return cert, nil } // ObtainCertificate tries to obtain a single certificate using all domains passed into it. @@ -367,39 +339,52 @@ DNSNames: // your issued certificate as a bundle. // This function will never return a partial certificate. If one domain in the list fails, // the whole certificate will fail. -func (c *Client) ObtainCertificate(domains []string, bundle bool, privKey crypto.PrivateKey, mustStaple bool) (CertificateResource, map[string]error) { +func (c *Client) ObtainCertificate(domains []string, bundle bool, privKey crypto.PrivateKey, mustStaple bool) (CertificateResource, error) { + if len(domains) == 0 { + return CertificateResource{}, errors.New("No domains to obtain a certificate for") + } + if bundle { logf("[INFO][%s] acme: Obtaining bundled SAN certificate", strings.Join(domains, ", ")) } else { logf("[INFO][%s] acme: Obtaining SAN certificate", strings.Join(domains, ", ")) } - challenges, failures := c.getChallenges(domains) - // If any challenge fails - return. Do not generate partial SAN certificates. - if len(failures) > 0 { - for _, auth := range challenges { + order, err := c.createOrderForIdentifiers(domains) + if err != nil { + return CertificateResource{}, err + } + authz, err := c.getAuthzForOrder(order) + if err != nil { + // If any challenge fails, return. Do not generate partial SAN certificates. + /*for _, auth := range authz { c.disableAuthz(auth) - } - - return CertificateResource{}, failures + }*/ + return CertificateResource{}, err } - errs := c.solveChallenges(challenges) - // If any challenge fails - return. Do not generate partial SAN certificates. - if len(errs) > 0 { - return CertificateResource{}, errs + err = c.solveChallengeForAuthz(authz) + if err != nil { + // If any challenge fails, return. Do not generate partial SAN certificates. + return CertificateResource{}, err } logf("[INFO][%s] acme: Validations succeeded; requesting certificates", strings.Join(domains, ", ")) - cert, err := c.requestCertificate(challenges, bundle, privKey, mustStaple) + failures := make(ObtainError) + cert, err := c.requestCertificateForOrder(order, bundle, privKey, mustStaple) if err != nil { - for _, chln := range challenges { - failures[chln.Domain] = err + for _, auth := range authz { + failures[auth.Identifier.Value] = err } } - return cert, failures + // do not return an empty failures map, because + // it would still be a non-nil error value + if len(failures) > 0 { + return cert, failures + } + return cert, nil } // RevokeCertificate takes a PEM encoded certificate or bundle and tries to revoke it at the CA. @@ -416,7 +401,7 @@ func (c *Client) RevokeCertificate(certificate []byte) error { encodedCert := base64.URLEncoding.EncodeToString(x509Cert.Raw) - _, err = postJSON(c.jws, c.directory.RevokeCertURL, revokeCertMessage{Resource: "revoke-cert", Certificate: encodedCert}, nil) + _, err = postJSON(c.jws, c.directory.RevokeCertURL, revokeCertMessage{Certificate: encodedCert}, nil) return err } @@ -454,7 +439,7 @@ func (c *Client) RenewCertificate(cert CertificateResource, bundle, mustStaple b return CertificateResource{}, err } newCert, failures := c.ObtainCertificateForCSR(*csr, bundle) - return newCert, failures[cert.Domain] + return newCert, failures } var privKey crypto.PrivateKey @@ -466,7 +451,6 @@ func (c *Client) RenewCertificate(cert CertificateResource, bundle, mustStaple b } var domains []string - var failures map[string]error // check for SAN certificate if len(x509Cert.DNSNames) > 1 { domains = append(domains, x509Cert.Subject.CommonName) @@ -480,133 +464,139 @@ func (c *Client) RenewCertificate(cert CertificateResource, bundle, mustStaple b domains = append(domains, x509Cert.Subject.CommonName) } - newCert, failures := c.ObtainCertificate(domains, bundle, privKey, mustStaple) - return newCert, failures[cert.Domain] + newCert, err := c.ObtainCertificate(domains, bundle, privKey, mustStaple) + return newCert, err +} + +func (c *Client) createOrderForIdentifiers(domains []string) (orderResource, error) { + + var identifiers []identifier + for _, domain := range domains { + identifiers = append(identifiers, identifier{Type: "dns", Value: domain}) + } + + order := orderMessage{ + Identifiers: identifiers, + } + + var response orderMessage + hdr, err := postJSON(c.jws, c.directory.NewOrderURL, order, &response) + if err != nil { + return orderResource{}, err + } + + orderRes := orderResource{ + URL: hdr.Get("Location"), + Domains: domains, + orderMessage: response, + } + return orderRes, nil } // Looks through the challenge combinations to find a solvable match. // Then solves the challenges in series and returns. -func (c *Client) solveChallenges(challenges []authorizationResource) map[string]error { +func (c *Client) solveChallengeForAuthz(authorizations []authorization) error { + failures := make(ObtainError) + // loop through the resources, basically through the domains. - failures := make(map[string]error) - for _, authz := range challenges { - if authz.Body.Status == "valid" { + for _, authz := range authorizations { + if authz.Status == "valid" { // Boulder might recycle recent validated authz (see issue #267) - logf("[INFO][%s] acme: Authorization already valid; skipping challenge", authz.Domain) + logf("[INFO][%s] acme: Authorization already valid; skipping challenge", authz.Identifier.Value) continue } + // no solvers - no solving - if solvers := c.chooseSolvers(authz.Body, authz.Domain); solvers != nil { - for i, solver := range solvers { - // TODO: do not immediately fail if one domain fails to validate. - err := solver.Solve(authz.Body.Challenges[i], authz.Domain) - if err != nil { - c.disableAuthz(authz) - failures[authz.Domain] = err - } + if i, solver := c.chooseSolver(authz, authz.Identifier.Value); solver != nil { + err := solver.Solve(authz.Challenges[i], authz.Identifier.Value) + if err != nil { + //c.disableAuthz(authz.Identifier) + failures[authz.Identifier.Value] = err } } else { - c.disableAuthz(authz) - failures[authz.Domain] = fmt.Errorf("[%s] acme: Could not determine solvers", authz.Domain) + //c.disableAuthz(authz) + failures[authz.Identifier.Value] = fmt.Errorf("[%s] acme: Could not determine solvers", authz.Identifier.Value) } } - return failures + // be careful not to return an empty failures map, for + // even an empty ObtainError is a non-nil error value + if len(failures) > 0 { + return failures + } + return nil } -// Checks all combinations from the server and returns an array of -// solvers which should get executed in series. -func (c *Client) chooseSolvers(auth authorization, domain string) map[int]solver { - for _, combination := range auth.Combinations { - solvers := make(map[int]solver) - for _, idx := range combination { - if solver, ok := c.solvers[auth.Challenges[idx].Type]; ok { - solvers[idx] = solver - } else { - logf("[INFO][%s] acme: Could not find solver for: %s", domain, auth.Challenges[idx].Type) - } - } - - // If we can solve the whole combination, return the solvers - if len(solvers) == len(combination) { - return solvers +// Checks all challenges from the server in order and returns the first matching solver. +func (c *Client) chooseSolver(auth authorization, domain string) (int, solver) { + for i, challenge := range auth.Challenges { + if solver, ok := c.solvers[Challenge(challenge.Type)]; ok { + return i, solver } + logf("[INFO][%s] acme: Could not find solver for: %s", domain, challenge.Type) } - return nil + return 0, nil } // Get the challenges needed to proof our identifier to the ACME server. -func (c *Client) getChallenges(domains []string) ([]authorizationResource, map[string]error) { - resc, errc := make(chan authorizationResource), make(chan domainError) +func (c *Client) getAuthzForOrder(order orderResource) ([]authorization, error) { + resc, errc := make(chan authorization), make(chan domainError) delay := time.Second / overallRequestLimit - for _, domain := range domains { + for _, authzURL := range order.Authorizations { time.Sleep(delay) - go func(domain string) { - authMsg := authorization{Resource: "new-authz", Identifier: identifier{Type: "dns", Value: domain}} + go func(authzURL string) { var authz authorization - hdr, err := postJSON(c.jws, c.user.GetRegistration().NewAuthzURL, authMsg, &authz) + _, err := getJSON(authzURL, &authz) if err != nil { - errc <- domainError{Domain: domain, Error: err} + errc <- domainError{Domain: authz.Identifier.Value, Error: err} return } - links := parseLinks(hdr["Link"]) - if links["next"] == "" { - logf("[ERROR][%s] acme: Server did not provide next link to proceed", domain) - errc <- domainError{Domain: domain, Error: errors.New("Server did not provide next link to proceed")} - return - } - - resc <- authorizationResource{Body: authz, NewCertURL: links["next"], AuthURL: hdr.Get("Location"), Domain: domain} - }(domain) + resc <- authz + }(authzURL) } - responses := make(map[string]authorizationResource) - failures := make(map[string]error) - for i := 0; i < len(domains); i++ { + var responses []authorization + failures := make(ObtainError) + for i := 0; i < len(order.Authorizations); i++ { select { case res := <-resc: - responses[res.Domain] = res + responses = append(responses, res) case err := <-errc: failures[err.Domain] = err.Error } } - challenges := make([]authorizationResource, 0, len(responses)) - for _, domain := range domains { - if challenge, ok := responses[domain]; ok { - challenges = append(challenges, challenge) - } - } - - logAuthz(challenges) + logAuthz(order) close(resc) close(errc) - return challenges, failures + // be careful to not return an empty failures map; + // even if empty, they become non-nil error values + if len(failures) > 0 { + return responses, failures + } + return responses, nil } -func logAuthz(authz []authorizationResource) { - for _, auth := range authz { - logf("[INFO][%s] AuthURL: %s", auth.Domain, auth.AuthURL) +func logAuthz(order orderResource) { + for i, auth := range order.Authorizations { + logf("[INFO][%s] AuthURL: %s", order.Identifiers[i].Value, auth) } } // cleanAuthz loops through the passed in slice and disables any auths which are not "valid" -func (c *Client) disableAuthz(auth authorizationResource) error { +func (c *Client) disableAuthz(authURL string) error { var disabledAuth authorization - _, err := postJSON(c.jws, auth.AuthURL, deactivateAuthMessage{Resource: "authz", Status: "deactivated"}, &disabledAuth) + _, err := postJSON(c.jws, authURL, deactivateAuthMessage{Status: "deactivated"}, &disabledAuth) return err } -func (c *Client) requestCertificate(authz []authorizationResource, bundle bool, privKey crypto.PrivateKey, mustStaple bool) (CertificateResource, error) { - if len(authz) == 0 { - return CertificateResource{}, errors.New("Passed no authorizations to requestCertificate!") - } +func (c *Client) requestCertificateForOrder(order orderResource, bundle bool, privKey crypto.PrivateKey, mustStaple bool) (CertificateResource, error) { var err error if privKey == nil { @@ -617,50 +607,60 @@ func (c *Client) requestCertificate(authz []authorizationResource, bundle bool, } // determine certificate name(s) based on the authorization resources - commonName := authz[0] + commonName := order.Domains[0] var san []string - for _, auth := range authz[1:] { - san = append(san, auth.Domain) + for _, auth := range order.Identifiers { + san = append(san, auth.Value) } // TODO: should the CSR be customizable? - csr, err := generateCsr(privKey, commonName.Domain, san, mustStaple) + csr, err := generateCsr(privKey, commonName, san, mustStaple) if err != nil { return CertificateResource{}, err } - return c.requestCertificateForCsr(authz, bundle, csr, pemEncode(privKey)) + return c.requestCertificateForCsr(order, bundle, csr, pemEncode(privKey)) } -func (c *Client) requestCertificateForCsr(authz []authorizationResource, bundle bool, csr []byte, privateKeyPem []byte) (CertificateResource, error) { - commonName := authz[0] +func (c *Client) requestCertificateForCsr(order orderResource, bundle bool, csr []byte, privateKeyPem []byte) (CertificateResource, error) { + commonName := order.Domains[0] - var authURLs []string - for _, auth := range authz[1:] { - authURLs = append(authURLs, auth.AuthURL) + csrString := base64.RawURLEncoding.EncodeToString(csr) + var retOrder orderMessage + _, error := postJSON(c.jws, order.Finalize, csrMessage{Csr: csrString}, &retOrder) + if error != nil { + return CertificateResource{}, error } - csrString := base64.URLEncoding.EncodeToString(csr) - jsonBytes, err := json.Marshal(csrMessage{Resource: "new-cert", Csr: csrString, Authorizations: authURLs}) - if err != nil { - return CertificateResource{}, err - } - - resp, err := c.jws.post(commonName.NewCertURL, jsonBytes) - if err != nil { - return CertificateResource{}, err + if retOrder.Status == "invalid" { + return CertificateResource{}, error } certRes := CertificateResource{ - Domain: commonName.Domain, - CertURL: resp.Header.Get("Location"), + Domain: commonName, + CertURL: retOrder.Certificate, PrivateKey: privateKeyPem, } + if retOrder.Status == "valid" { + // if the certificate is available right away, short cut! + ok, err := c.checkCertResponse(retOrder, &certRes, bundle) + if err != nil { + return CertificateResource{}, err + } + + if ok { + return certRes, nil + } + } + maxChecks := 1000 for i := 0; i < maxChecks; i++ { - done, err := c.checkCertResponse(resp, &certRes, bundle) - resp.Body.Close() + _, err := getJSON(order.URL, &retOrder) + if err != nil { + return CertificateResource{}, err + } + done, err := c.checkCertResponse(retOrder, &certRes, bundle) if err != nil { return CertificateResource{}, err } @@ -670,43 +670,36 @@ func (c *Client) requestCertificateForCsr(authz []authorizationResource, bundle if i == maxChecks-1 { return CertificateResource{}, fmt.Errorf("polled for certificate %d times; giving up", i) } - resp, err = httpGet(certRes.CertURL) - if err != nil { - return CertificateResource{}, err - } } return certRes, nil } -// checkCertResponse checks resp to see if a certificate is contained in the -// response, and if so, loads it into certRes and returns true. If the cert -// is not yet ready, it returns false. This function honors the waiting period -// required by the Retry-After header of the response, if specified. This -// function may read from resp.Body but does NOT close it. The certRes input +// checkCertResponse checks to see if the certificate is ready and a link is contained in the +// response. if so, loads it into certRes and returns true. If the cert +// is not yet ready, it returns false. The certRes input // should already have the Domain (common name) field populated. If bundle is // true, the certificate will be bundled with the issuer's cert. -func (c *Client) checkCertResponse(resp *http.Response, certRes *CertificateResource, bundle bool) (bool, error) { - switch resp.StatusCode { - case 201, 202: - cert, err := ioutil.ReadAll(limitReader(resp.Body, maxBodySize)) +func (c *Client) checkCertResponse(order orderMessage, certRes *CertificateResource, bundle bool) (bool, error) { + + switch order.Status { + case "valid": + resp, err := httpGet(order.Certificate) if err != nil { return false, err } - // The server returns a body with a length of zero if the - // certificate was not ready at the time this request completed. - // Otherwise the body is the certificate. - if len(cert) > 0 { - certRes.CertStableURL = resp.Header.Get("Content-Location") - certRes.AccountRef = c.user.GetRegistration().URI + cert, err := ioutil.ReadAll(limitReader(resp.Body, maxBodySize)) + if err != nil { + return false, err + } - issuedCert := pemEncode(derCertificateBytes(cert)) + // The issuer certificate link is always supplied via an "up" link + // in the response headers of a new certificate. + links := parseLinks(resp.Header["Link"]) + if link, ok := links["up"]; ok { + issuerCert, err := c.getIssuerCertificate(link) - // The issuer certificate link is always supplied via an "up" link - // in the response headers of a new certificate. - links := parseLinks(resp.Header["Link"]) - issuerCert, err := c.getIssuerCertificate(links["up"]) if err != nil { // If we fail to acquire the issuer cert, return the issued certificate - do not fail. logf("[WARNING][%s] acme: Could not bundle issuer certificate: %v", certRes.Domain, err) @@ -716,31 +709,26 @@ func (c *Client) checkCertResponse(resp *http.Response, certRes *CertificateReso // If bundle is true, we want to return a certificate bundle. // To do this, we append the issuer cert to the issued cert. if bundle { - issuedCert = append(issuedCert, issuerCert...) + cert = append(cert, issuerCert...) } - } - - certRes.Certificate = issuedCert - certRes.IssuerCertificate = issuerCert - logf("[INFO][%s] Server responded with a certificate.", certRes.Domain) - return true, nil - } - // The certificate was granted but is not yet issued. - // Check retry-after and loop. - ra := resp.Header.Get("Retry-After") - retryAfter, err := strconv.Atoi(ra) - if err != nil { - return false, err + certRes.IssuerCertificate = issuerCert + } } - logf("[INFO][%s] acme: Server responded with status 202; retrying after %ds", certRes.Domain, retryAfter) - time.Sleep(time.Duration(retryAfter) * time.Second) + certRes.Certificate = cert + certRes.CertURL = order.Certificate + certRes.CertStableURL = order.Certificate + logf("[INFO][%s] Server responded with a certificate.", certRes.Domain) + return true, nil + case "processing": return false, nil - default: - return false, handleHTTPError(resp) + case "invalid": + return false, errors.New("Order has invalid state: invalid") } + + return false, nil } // getIssuerCertificate requests the issuer certificate @@ -786,10 +774,10 @@ func parseLinks(links []string) map[string]string { // validate makes the ACME server start validating a // challenge response, only returning once it is done. -func validate(j *jws, domain, uri string, chlng challenge) error { - var challengeResponse challenge +func validate(j *jws, domain, uri string, c challenge) error { + var chlng challenge - hdr, err := postJSON(j, uri, chlng, &challengeResponse) + hdr, err := postJSON(j, uri, c, &chlng) if err != nil { return err } @@ -797,27 +785,27 @@ func validate(j *jws, domain, uri string, chlng challenge) error { // After the path is sent, the ACME server will access our server. // Repeatedly check the server for an updated status on our request. for { - switch challengeResponse.Status { + switch chlng.Status { case "valid": logf("[INFO][%s] The server validated our request", domain) return nil case "pending": break case "invalid": - return handleChallengeError(challengeResponse) + return handleChallengeError(chlng) default: - return errors.New("The server returned an unexpected state.") + return errors.New("The server returned an unexpected state") } ra, err := strconv.Atoi(hdr.Get("Retry-After")) if err != nil { // The ACME server MUST return a Retry-After. // If it doesn't, we'll just poll hard. - ra = 1 + ra = 5 } time.Sleep(time.Duration(ra) * time.Second) - hdr, err = getJSON(uri, &challengeResponse) + hdr, err = getJSON(uri, &chlng) if err != nil { return err } diff --git a/vendor/github.com/xenolf/lego/acme/crypto.go b/vendor/github.com/xenolf/lego/acmev2/crypto.go index fa868a90d..e50ca30d8 100644 --- a/vendor/github.com/xenolf/lego/acme/crypto.go +++ b/vendor/github.com/xenolf/lego/acmev2/crypto.go @@ -17,12 +17,12 @@ import ( "io/ioutil" "math/big" "net/http" - "strings" "time" "encoding/asn1" "golang.org/x/crypto/ocsp" + jose "gopkg.in/square/go-jose.v2" ) // KeyType represents the key algo as well as the key size or curve to use. @@ -136,9 +136,9 @@ func getKeyAuthorization(token string, key interface{}) (string, error) { } // Generate the Key Authorization for the challenge - jwk := keyAsJWK(publicKey) + jwk := &jose.JSONWebKey{Key: publicKey} if jwk == nil { - return "", errors.New("Could not generate JWK from key.") + return "", errors.New("Could not generate JWK from key") } thumbBytes, err := jwk.Thumbprint(crypto.SHA256) if err != nil { @@ -146,11 +146,7 @@ func getKeyAuthorization(token string, key interface{}) (string, error) { } // unpad the base64URL - keyThumb := base64.URLEncoding.EncodeToString(thumbBytes) - index := strings.Index(keyThumb, "=") - if index != -1 { - keyThumb = keyThumb[:index] - } + keyThumb := base64.RawURLEncoding.EncodeToString(thumbBytes) return token + "." + keyThumb, nil } @@ -177,7 +173,7 @@ func parsePEMBundle(bundle []byte) ([]*x509.Certificate, error) { } if len(certificates) == 0 { - return nil, errors.New("No certificates were found while parsing the bundle.") + return nil, errors.New("No certificates were found while parsing the bundle") } return certificates, nil diff --git a/vendor/github.com/xenolf/lego/acme/dns_challenge.go b/vendor/github.com/xenolf/lego/acmev2/dns_challenge.go index 30f2170ff..d129dacc6 100644 --- a/vendor/github.com/xenolf/lego/acme/dns_challenge.go +++ b/vendor/github.com/xenolf/lego/acmev2/dns_challenge.go @@ -11,7 +11,6 @@ import ( "time" "github.com/miekg/dns" - "golang.org/x/net/publicsuffix" ) type preCheckDNSFunc func(fqdn, value string) (bool, error) @@ -30,6 +29,7 @@ var defaultNameservers = []string{ "google-public-dns-b.google.com:53", } +// RecursiveNameservers are used to pre-check DNS propagations var RecursiveNameservers = getNameservers(defaultResolvConf, defaultNameservers) // DNSTimeout is used to override the default DNS timeout of 10 seconds. @@ -58,8 +58,7 @@ func getNameservers(path string, defaults []string) []string { func DNS01Record(domain, keyAuth string) (fqdn string, value string, ttl int) { keyAuthShaBytes := sha256.Sum256([]byte(keyAuth)) // base64URL encoding without padding - keyAuthSha := base64.URLEncoding.EncodeToString(keyAuthShaBytes[:sha256.Size]) - value = strings.TrimRight(keyAuthSha, "=") + value = base64.RawURLEncoding.EncodeToString(keyAuthShaBytes[:sha256.Size]) ttl = 120 fqdn = fmt.Sprintf("_acme-challenge.%s.", domain) return @@ -115,7 +114,7 @@ func (s *dnsChallenge) Solve(chlng challenge, domain string) error { return err } - return s.validate(s.jws, domain, chlng.URI, challenge{Resource: "challenge", Type: chlng.Type, Token: chlng.Token, KeyAuthorization: keyAuth}) + return s.validate(s.jws, domain, chlng.URL, challenge{Type: chlng.Type, Token: chlng.Token, KeyAuthorization: keyAuth}) } // checkDNSPropagation checks if the expected TXT record has been propagated to all authoritative nameservers. @@ -194,7 +193,7 @@ func dnsQuery(fqdn string, rtype uint16, nameservers []string, recursive bool) ( if err == dns.ErrTruncated { tcp := &dns.Client{Net: "tcp", Timeout: DNSTimeout} - // If the TCP request suceeds, the err will reset to nil + // If the TCP request succeeds, the err will reset to nil in, _, err = tcp.Exchange(m, ns) } @@ -242,10 +241,6 @@ func FindZoneByFqdn(fqdn string, nameservers []string) (string, error) { labelIndexes := dns.Split(fqdn) for _, index := range labelIndexes { domain := fqdn[index:] - // Give up if we have reached the TLD - if isTLD(domain) { - break - } in, err := dnsQuery(domain, dns.TypeSOA, nameservers, true) if err != nil { @@ -260,6 +255,13 @@ func FindZoneByFqdn(fqdn string, nameservers []string) (string, error) { // Check if we got a SOA RR in the answer section if in.Rcode == dns.RcodeSuccess { + + // CNAME records cannot/should not exist at the root of a zone. + // So we skip a domain when a CNAME is found. + if dnsMsgContainsCNAME(in) { + continue + } + for _, ans := range in.Answer { if soa, ok := ans.(*dns.SOA); ok { zone := soa.Hdr.Name @@ -273,10 +275,12 @@ func FindZoneByFqdn(fqdn string, nameservers []string) (string, error) { return "", fmt.Errorf("Could not find the start of authority") } -func isTLD(domain string) bool { - publicsuffix, _ := publicsuffix.PublicSuffix(UnFqdn(domain)) - if publicsuffix == UnFqdn(domain) { - return true +// dnsMsgContainsCNAME checks for a CNAME answer in msg +func dnsMsgContainsCNAME(msg *dns.Msg) bool { + for _, ans := range msg.Answer { + if _, ok := ans.(*dns.CNAME); ok { + return true + } } return false } diff --git a/vendor/github.com/xenolf/lego/acme/dns_challenge_manual.go b/vendor/github.com/xenolf/lego/acmev2/dns_challenge_manual.go index 240384e60..240384e60 100644 --- a/vendor/github.com/xenolf/lego/acme/dns_challenge_manual.go +++ b/vendor/github.com/xenolf/lego/acmev2/dns_challenge_manual.go diff --git a/vendor/github.com/xenolf/lego/acme/error.go b/vendor/github.com/xenolf/lego/acmev2/error.go index e4bc934c2..78694debe 100644 --- a/vendor/github.com/xenolf/lego/acme/error.go +++ b/vendor/github.com/xenolf/lego/acmev2/error.go @@ -1,6 +1,7 @@ package acme import ( + "bytes" "encoding/json" "fmt" "io/ioutil" @@ -9,8 +10,8 @@ import ( ) const ( - tosAgreementError = "Must agree to subscriber agreement before any further actions" - invalidNonceError = "JWS has invalid anti-replay nonce" + tosAgreementError = "Terms of service have changed" + invalidNonceError = "urn:ietf:params:acme:error:badNonce" ) // RemoteError is the base type for all errors specific to the ACME protocol. @@ -42,27 +43,23 @@ type domainError struct { Error error } -type challengeError struct { - RemoteError - records []validationRecord -} +// ObtainError is returned when there are specific errors available +// per domain. For example in ObtainCertificate +type ObtainError map[string]error -func (c challengeError) Error() string { - - var errStr string - for _, validation := range c.records { - errStr = errStr + fmt.Sprintf("\tValidation for %s:%s\n\tResolved to:\n\t\t%s\n\tUsed: %s\n\n", - validation.Hostname, validation.Port, strings.Join(validation.ResolvedAddresses, "\n\t\t"), validation.UsedAddress) +func (e ObtainError) Error() string { + buffer := bytes.NewBufferString("acme: Error -> One or more domains had a problem:\n") + for dom, err := range e { + buffer.WriteString(fmt.Sprintf("[%s] %s\n", dom, err)) } - - return fmt.Sprintf("%s\nError Detail:\n%s", c.RemoteError.Error(), errStr) + return buffer.String() } func handleHTTPError(resp *http.Response) error { var errorDetail RemoteError contentType := resp.Header.Get("Content-Type") - if contentType == "application/json" || contentType == "application/problem+json" { + if contentType == "application/json" || strings.HasPrefix(contentType, "application/problem+json") { err := json.NewDecoder(resp.Body).Decode(&errorDetail) if err != nil { return err @@ -82,7 +79,7 @@ func handleHTTPError(resp *http.Response) error { return TOSError{errorDetail} } - if errorDetail.StatusCode == http.StatusBadRequest && strings.HasPrefix(errorDetail.Detail, invalidNonceError) { + if errorDetail.StatusCode == http.StatusBadRequest && errorDetail.Type == invalidNonceError { return NonceError{errorDetail} } @@ -90,5 +87,5 @@ func handleHTTPError(resp *http.Response) error { } func handleChallengeError(chlng challenge) error { - return challengeError{chlng.Error, chlng.ValidationRecords} + return chlng.Error } diff --git a/vendor/github.com/xenolf/lego/acme/http.go b/vendor/github.com/xenolf/lego/acmev2/http.go index fd6018a10..b93e53445 100644 --- a/vendor/github.com/xenolf/lego/acme/http.go +++ b/vendor/github.com/xenolf/lego/acmev2/http.go @@ -18,6 +18,7 @@ var UserAgent string // HTTPClient is an HTTP client with a reasonable timeout value. var HTTPClient = http.Client{ Transport: &http.Transport{ + Proxy: http.ProxyFromEnvironment, Dial: (&net.Dialer{ Timeout: 30 * time.Second, KeepAlive: 30 * time.Second, @@ -101,7 +102,7 @@ func getJSON(uri string, respBody interface{}) (http.Header, error) { func postJSON(j *jws, uri string, reqBody, respBody interface{}) (http.Header, error) { jsonBytes, err := json.Marshal(reqBody) if err != nil { - return nil, errors.New("Failed to marshal network message...") + return nil, errors.New("Failed to marshal network message") } resp, err := j.post(uri, jsonBytes) diff --git a/vendor/github.com/xenolf/lego/acme/http_challenge.go b/vendor/github.com/xenolf/lego/acmev2/http_challenge.go index 95cb1fd81..b6c969fe2 100644 --- a/vendor/github.com/xenolf/lego/acme/http_challenge.go +++ b/vendor/github.com/xenolf/lego/acmev2/http_challenge.go @@ -37,5 +37,5 @@ func (s *httpChallenge) Solve(chlng challenge, domain string) error { } }() - return s.validate(s.jws, domain, chlng.URI, challenge{Resource: "challenge", Type: chlng.Type, Token: chlng.Token, KeyAuthorization: keyAuth}) + return s.validate(s.jws, domain, chlng.URL, challenge{Type: chlng.Type, Token: chlng.Token, KeyAuthorization: keyAuth}) } diff --git a/vendor/github.com/xenolf/lego/acme/http_challenge_server.go b/vendor/github.com/xenolf/lego/acmev2/http_challenge_server.go index 64c6a8280..64c6a8280 100644 --- a/vendor/github.com/xenolf/lego/acme/http_challenge_server.go +++ b/vendor/github.com/xenolf/lego/acmev2/http_challenge_server.go diff --git a/vendor/github.com/xenolf/lego/acme/jws.go b/vendor/github.com/xenolf/lego/acmev2/jws.go index a39434342..9b87e437a 100644 --- a/vendor/github.com/xenolf/lego/acme/jws.go +++ b/vendor/github.com/xenolf/lego/acmev2/jws.go @@ -10,37 +10,27 @@ import ( "net/http" "sync" - "gopkg.in/square/go-jose.v1" + "gopkg.in/square/go-jose.v2" ) type jws struct { - directoryURL string - privKey crypto.PrivateKey - nonces nonceManager -} - -func keyAsJWK(key interface{}) *jose.JsonWebKey { - switch k := key.(type) { - case *ecdsa.PublicKey: - return &jose.JsonWebKey{Key: k, Algorithm: "EC"} - case *rsa.PublicKey: - return &jose.JsonWebKey{Key: k, Algorithm: "RSA"} - - default: - return nil - } + getNonceURL string + privKey crypto.PrivateKey + kid string + nonces nonceManager } // Posts a JWS signed message to the specified URL. // It does NOT close the response body, so the caller must // do that if no error was returned. func (j *jws) post(url string, content []byte) (*http.Response, error) { - signedContent, err := j.signContent(content) + signedContent, err := j.signContent(url, content) if err != nil { return nil, fmt.Errorf("Failed to sign content -> %s", err.Error()) } - resp, err := httpPost(url, "application/jose+json", bytes.NewBuffer([]byte(signedContent.FullSerialize()))) + data := bytes.NewBuffer([]byte(signedContent.FullSerialize())) + resp, err := httpPost(url, "application/jose+json", data) if err != nil { return nil, fmt.Errorf("Failed to HTTP POST to %s -> %s", url, err.Error()) } @@ -53,7 +43,7 @@ func (j *jws) post(url string, content []byte) (*http.Response, error) { return resp, nil } -func (j *jws) signContent(content []byte) (*jose.JsonWebSignature, error) { +func (j *jws) signContent(url string, content []byte) (*jose.JSONWebSignature, error) { var alg jose.SignatureAlgorithm switch k := j.privKey.(type) { @@ -67,11 +57,28 @@ func (j *jws) signContent(content []byte) (*jose.JsonWebSignature, error) { } } - signer, err := jose.NewSigner(alg, j.privKey) + jsonKey := jose.JSONWebKey{ + Key: j.privKey, + KeyID: j.kid, + } + + signKey := jose.SigningKey{ + Algorithm: alg, + Key: jsonKey, + } + options := jose.SignerOptions{ + NonceSource: j, + ExtraHeaders: make(map[jose.HeaderKey]interface{}), + } + options.ExtraHeaders["url"] = url + if j.kid == "" { + options.EmbedJWK = true + } + + signer, err := jose.NewSigner(signKey, &options) if err != nil { return nil, fmt.Errorf("Failed to create jose signer -> %s", err.Error()) } - signer.SetNonceSource(j) signed, err := signer.Sign(content) if err != nil { @@ -85,7 +92,7 @@ func (j *jws) Nonce() (string, error) { return nonce, nil } - return getNonce(j.directoryURL) + return getNonce(j.getNonceURL) } type nonceManager struct { @@ -124,7 +131,7 @@ func getNonce(url string) (string, error) { func getNonceFromResponse(resp *http.Response) (string, error) { nonce := resp.Header.Get("Replay-Nonce") if nonce == "" { - return "", fmt.Errorf("Server did not respond with a proper nonce header.") + return "", fmt.Errorf("Server did not respond with a proper nonce header") } return nonce, nil diff --git a/vendor/github.com/xenolf/lego/acmev2/messages.go b/vendor/github.com/xenolf/lego/acmev2/messages.go new file mode 100644 index 000000000..0b7344372 --- /dev/null +++ b/vendor/github.com/xenolf/lego/acmev2/messages.go @@ -0,0 +1,104 @@ +package acme + +import ( + "time" +) + +// RegistrationResource represents all important informations about a registration +// of which the client needs to keep track itself. +type RegistrationResource struct { + Body accountMessage `json:"body,omitempty"` + URI string `json:"uri,omitempty"` +} + +type directory struct { + NewNonceURL string `json:"newNonce"` + NewAccountURL string `json:"newAccount"` + NewOrderURL string `json:"newOrder"` + RevokeCertURL string `json:"revokeCert"` + KeyChangeURL string `json:"keyChange"` + Meta struct { + TermsOfService string `json:"termsOfService"` + Website string `json:"website"` + CaaIdentities []string `json:"caaIdentities"` + ExternalAccountRequired bool `json:"externalAccountRequired"` + } `json:"meta"` +} + +type accountMessage struct { + Status string `json:"status,omitempty"` + Contact []string `json:"contact,omitempty"` + TermsOfServiceAgreed bool `json:"termsOfServiceAgreed,omitempty"` + Orders string `json:"orders,omitempty"` + OnlyReturnExisting bool `json:"onlyReturnExisting,omitempty"` +} + +type orderResource struct { + URL string `json:"url,omitempty"` + Domains []string `json:"domains,omitempty"` + orderMessage `json:"body,omitempty"` +} + +type orderMessage struct { + Status string `json:"status,omitempty"` + Expires string `json:"expires,omitempty"` + Identifiers []identifier `json:"identifiers"` + NotBefore string `json:"notBefore,omitempty"` + NotAfter string `json:"notAfter,omitempty"` + Authorizations []string `json:"authorizations,omitempty"` + Finalize string `json:"finalize,omitempty"` + Certificate string `json:"certificate,omitempty"` +} + +type authorization struct { + Status string `json:"status"` + Expires time.Time `json:"expires"` + Identifier identifier `json:"identifier"` + Challenges []challenge `json:"challenges"` +} + +type identifier struct { + Type string `json:"type"` + Value string `json:"value"` +} + +type challenge struct { + URL string `json:"url"` + Type string `json:"type"` + Status string `json:"status"` + Token string `json:"token"` + Validated time.Time `json:"validated"` + KeyAuthorization string `json:"keyAuthorization"` + Error RemoteError `json:"error"` +} + +type csrMessage struct { + Csr string `json:"csr"` +} + +type emptyObjectMessage struct { +} + +type revokeCertMessage struct { + Certificate string `json:"certificate"` +} + +type deactivateAuthMessage struct { + Status string `jsom:"status"` +} + +// CertificateResource represents a CA issued certificate. +// PrivateKey, Certificate and IssuerCertificate are all +// already PEM encoded and can be directly written to disk. +// Certificate may be a certificate bundle, depending on the +// options supplied to create it. +type CertificateResource struct { + Domain string `json:"domain"` + CertURL string `json:"certUrl"` + CertStableURL string `json:"certStableUrl"` + AccountRef string `json:"accountRef,omitempty"` + PrivateKey []byte `json:"-"` + Certificate []byte `json:"-"` + IssuerCertificate []byte `json:"-"` + CSR []byte `json:"-"` +} diff --git a/vendor/github.com/xenolf/lego/acme/pop_challenge.go b/vendor/github.com/xenolf/lego/acmev2/pop_challenge.go index 8d2a213b0..8d2a213b0 100644 --- a/vendor/github.com/xenolf/lego/acme/pop_challenge.go +++ b/vendor/github.com/xenolf/lego/acmev2/pop_challenge.go diff --git a/vendor/github.com/xenolf/lego/acme/provider.go b/vendor/github.com/xenolf/lego/acmev2/provider.go index d177ff07a..d177ff07a 100644 --- a/vendor/github.com/xenolf/lego/acme/provider.go +++ b/vendor/github.com/xenolf/lego/acmev2/provider.go diff --git a/vendor/github.com/xenolf/lego/acme/utils.go b/vendor/github.com/xenolf/lego/acmev2/utils.go index 2fa0db304..2fa0db304 100644 --- a/vendor/github.com/xenolf/lego/acme/utils.go +++ b/vendor/github.com/xenolf/lego/acmev2/utils.go diff --git a/vendor/golang.org/x/crypto/acme/acme.go b/vendor/golang.org/x/crypto/acme/acme.go deleted file mode 100644 index 4e409be6d..000000000 --- a/vendor/golang.org/x/crypto/acme/acme.go +++ /dev/null @@ -1,1086 +0,0 @@ -// Copyright 2015 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package acme provides an implementation of the -// Automatic Certificate Management Environment (ACME) spec. -// See https://tools.ietf.org/html/draft-ietf-acme-acme-02 for details. -// -// Most common scenarios will want to use autocert subdirectory instead, -// which provides automatic access to certificates from Let's Encrypt -// and any other ACME-based CA. -// -// This package is a work in progress and makes no API stability promises. -package acme - -import ( - "bytes" - "context" - "crypto" - "crypto/ecdsa" - "crypto/elliptic" - "crypto/rand" - "crypto/sha256" - "crypto/tls" - "crypto/x509" - "encoding/base64" - "encoding/hex" - "encoding/json" - "encoding/pem" - "errors" - "fmt" - "io" - "io/ioutil" - "math/big" - "net/http" - "strconv" - "strings" - "sync" - "time" -) - -// LetsEncryptURL is the Directory endpoint of Let's Encrypt CA. -const LetsEncryptURL = "https://acme-v01.api.letsencrypt.org/directory" - -const ( - maxChainLen = 5 // max depth and breadth of a certificate chain - maxCertSize = 1 << 20 // max size of a certificate, in bytes - - // Max number of collected nonces kept in memory. - // Expect usual peak of 1 or 2. - maxNonces = 100 -) - -// CertOption is an optional argument type for Client methods which manipulate -// certificate data. -type CertOption interface { - privateCertOpt() -} - -// WithKey creates an option holding a private/public key pair. -// The private part signs a certificate, and the public part represents the signee. -func WithKey(key crypto.Signer) CertOption { - return &certOptKey{key} -} - -type certOptKey struct { - key crypto.Signer -} - -func (*certOptKey) privateCertOpt() {} - -// WithTemplate creates an option for specifying a certificate template. -// See x509.CreateCertificate for template usage details. -// -// In TLSSNIxChallengeCert methods, the template is also used as parent, -// resulting in a self-signed certificate. -// The DNSNames field of t is always overwritten for tls-sni challenge certs. -func WithTemplate(t *x509.Certificate) CertOption { - return (*certOptTemplate)(t) -} - -type certOptTemplate x509.Certificate - -func (*certOptTemplate) privateCertOpt() {} - -// Client is an ACME client. -// The only required field is Key. An example of creating a client with a new key -// is as follows: -// -// key, err := rsa.GenerateKey(rand.Reader, 2048) -// if err != nil { -// log.Fatal(err) -// } -// client := &Client{Key: key} -// -type Client struct { - // Key is the account key used to register with a CA and sign requests. - // Key.Public() must return a *rsa.PublicKey or *ecdsa.PublicKey. - Key crypto.Signer - - // HTTPClient optionally specifies an HTTP client to use - // instead of http.DefaultClient. - HTTPClient *http.Client - - // DirectoryURL points to the CA directory endpoint. - // If empty, LetsEncryptURL is used. - // Mutating this value after a successful call of Client's Discover method - // will have no effect. - DirectoryURL string - - dirMu sync.Mutex // guards writes to dir - dir *Directory // cached result of Client's Discover method - - noncesMu sync.Mutex - nonces map[string]struct{} // nonces collected from previous responses -} - -// Discover performs ACME server discovery using c.DirectoryURL. -// -// It caches successful result. So, subsequent calls will not result in -// a network round-trip. This also means mutating c.DirectoryURL after successful call -// of this method will have no effect. -func (c *Client) Discover(ctx context.Context) (Directory, error) { - c.dirMu.Lock() - defer c.dirMu.Unlock() - if c.dir != nil { - return *c.dir, nil - } - - dirURL := c.DirectoryURL - if dirURL == "" { - dirURL = LetsEncryptURL - } - res, err := c.get(ctx, dirURL) - if err != nil { - return Directory{}, err - } - defer res.Body.Close() - c.addNonce(res.Header) - if res.StatusCode != http.StatusOK { - return Directory{}, responseError(res) - } - - var v struct { - Reg string `json:"new-reg"` - Authz string `json:"new-authz"` - Cert string `json:"new-cert"` - Revoke string `json:"revoke-cert"` - Meta struct { - Terms string `json:"terms-of-service"` - Website string `json:"website"` - CAA []string `json:"caa-identities"` - } - } - if err := json.NewDecoder(res.Body).Decode(&v); err != nil { - return Directory{}, err - } - c.dir = &Directory{ - RegURL: v.Reg, - AuthzURL: v.Authz, - CertURL: v.Cert, - RevokeURL: v.Revoke, - Terms: v.Meta.Terms, - Website: v.Meta.Website, - CAA: v.Meta.CAA, - } - return *c.dir, nil -} - -// CreateCert requests a new certificate using the Certificate Signing Request csr encoded in DER format. -// The exp argument indicates the desired certificate validity duration. CA may issue a certificate -// with a different duration. -// If the bundle argument is true, the returned value will also contain the CA (issuer) certificate chain. -// -// In the case where CA server does not provide the issued certificate in the response, -// CreateCert will poll certURL using c.FetchCert, which will result in additional round-trips. -// In such scenario the caller can cancel the polling with ctx. -// -// CreateCert returns an error if the CA's response or chain was unreasonably large. -// Callers are encouraged to parse the returned value to ensure the certificate is valid and has the expected features. -func (c *Client) CreateCert(ctx context.Context, csr []byte, exp time.Duration, bundle bool) (der [][]byte, certURL string, err error) { - if _, err := c.Discover(ctx); err != nil { - return nil, "", err - } - - req := struct { - Resource string `json:"resource"` - CSR string `json:"csr"` - NotBefore string `json:"notBefore,omitempty"` - NotAfter string `json:"notAfter,omitempty"` - }{ - Resource: "new-cert", - CSR: base64.RawURLEncoding.EncodeToString(csr), - } - now := timeNow() - req.NotBefore = now.Format(time.RFC3339) - if exp > 0 { - req.NotAfter = now.Add(exp).Format(time.RFC3339) - } - - res, err := c.retryPostJWS(ctx, c.Key, c.dir.CertURL, req) - if err != nil { - return nil, "", err - } - defer res.Body.Close() - if res.StatusCode != http.StatusCreated { - return nil, "", responseError(res) - } - - curl := res.Header.Get("Location") // cert permanent URL - if res.ContentLength == 0 { - // no cert in the body; poll until we get it - cert, err := c.FetchCert(ctx, curl, bundle) - return cert, curl, err - } - // slurp issued cert and CA chain, if requested - cert, err := c.responseCert(ctx, res, bundle) - return cert, curl, err -} - -// FetchCert retrieves already issued certificate from the given url, in DER format. -// It retries the request until the certificate is successfully retrieved, -// context is cancelled by the caller or an error response is received. -// -// The returned value will also contain the CA (issuer) certificate if the bundle argument is true. -// -// FetchCert returns an error if the CA's response or chain was unreasonably large. -// Callers are encouraged to parse the returned value to ensure the certificate is valid -// and has expected features. -func (c *Client) FetchCert(ctx context.Context, url string, bundle bool) ([][]byte, error) { - for { - res, err := c.get(ctx, url) - if err != nil { - return nil, err - } - defer res.Body.Close() - if res.StatusCode == http.StatusOK { - return c.responseCert(ctx, res, bundle) - } - if res.StatusCode > 299 { - return nil, responseError(res) - } - d := retryAfter(res.Header.Get("Retry-After"), 3*time.Second) - select { - case <-time.After(d): - // retry - case <-ctx.Done(): - return nil, ctx.Err() - } - } -} - -// RevokeCert revokes a previously issued certificate cert, provided in DER format. -// -// The key argument, used to sign the request, must be authorized -// to revoke the certificate. It's up to the CA to decide which keys are authorized. -// For instance, the key pair of the certificate may be authorized. -// If the key is nil, c.Key is used instead. -func (c *Client) RevokeCert(ctx context.Context, key crypto.Signer, cert []byte, reason CRLReasonCode) error { - if _, err := c.Discover(ctx); err != nil { - return err - } - - body := &struct { - Resource string `json:"resource"` - Cert string `json:"certificate"` - Reason int `json:"reason"` - }{ - Resource: "revoke-cert", - Cert: base64.RawURLEncoding.EncodeToString(cert), - Reason: int(reason), - } - if key == nil { - key = c.Key - } - res, err := c.retryPostJWS(ctx, key, c.dir.RevokeURL, body) - if err != nil { - return err - } - defer res.Body.Close() - if res.StatusCode != http.StatusOK { - return responseError(res) - } - return nil -} - -// AcceptTOS always returns true to indicate the acceptance of a CA's Terms of Service -// during account registration. See Register method of Client for more details. -func AcceptTOS(tosURL string) bool { return true } - -// Register creates a new account registration by following the "new-reg" flow. -// It returns registered account. The a argument is not modified. -// -// The registration may require the caller to agree to the CA's Terms of Service (TOS). -// If so, and the account has not indicated the acceptance of the terms (see Account for details), -// Register calls prompt with a TOS URL provided by the CA. Prompt should report -// whether the caller agrees to the terms. To always accept the terms, the caller can use AcceptTOS. -func (c *Client) Register(ctx context.Context, a *Account, prompt func(tosURL string) bool) (*Account, error) { - if _, err := c.Discover(ctx); err != nil { - return nil, err - } - - var err error - if a, err = c.doReg(ctx, c.dir.RegURL, "new-reg", a); err != nil { - return nil, err - } - var accept bool - if a.CurrentTerms != "" && a.CurrentTerms != a.AgreedTerms { - accept = prompt(a.CurrentTerms) - } - if accept { - a.AgreedTerms = a.CurrentTerms - a, err = c.UpdateReg(ctx, a) - } - return a, err -} - -// GetReg retrieves an existing registration. -// The url argument is an Account URI. -func (c *Client) GetReg(ctx context.Context, url string) (*Account, error) { - a, err := c.doReg(ctx, url, "reg", nil) - if err != nil { - return nil, err - } - a.URI = url - return a, nil -} - -// UpdateReg updates an existing registration. -// It returns an updated account copy. The provided account is not modified. -func (c *Client) UpdateReg(ctx context.Context, a *Account) (*Account, error) { - uri := a.URI - a, err := c.doReg(ctx, uri, "reg", a) - if err != nil { - return nil, err - } - a.URI = uri - return a, nil -} - -// Authorize performs the initial step in an authorization flow. -// The caller will then need to choose from and perform a set of returned -// challenges using c.Accept in order to successfully complete authorization. -// -// If an authorization has been previously granted, the CA may return -// a valid authorization (Authorization.Status is StatusValid). If so, the caller -// need not fulfill any challenge and can proceed to requesting a certificate. -func (c *Client) Authorize(ctx context.Context, domain string) (*Authorization, error) { - if _, err := c.Discover(ctx); err != nil { - return nil, err - } - - type authzID struct { - Type string `json:"type"` - Value string `json:"value"` - } - req := struct { - Resource string `json:"resource"` - Identifier authzID `json:"identifier"` - }{ - Resource: "new-authz", - Identifier: authzID{Type: "dns", Value: domain}, - } - res, err := c.retryPostJWS(ctx, c.Key, c.dir.AuthzURL, req) - if err != nil { - return nil, err - } - defer res.Body.Close() - if res.StatusCode != http.StatusCreated { - return nil, responseError(res) - } - - var v wireAuthz - if err := json.NewDecoder(res.Body).Decode(&v); err != nil { - return nil, fmt.Errorf("acme: invalid response: %v", err) - } - if v.Status != StatusPending && v.Status != StatusValid { - return nil, fmt.Errorf("acme: unexpected status: %s", v.Status) - } - return v.authorization(res.Header.Get("Location")), nil -} - -// GetAuthorization retrieves an authorization identified by the given URL. -// -// If a caller needs to poll an authorization until its status is final, -// see the WaitAuthorization method. -func (c *Client) GetAuthorization(ctx context.Context, url string) (*Authorization, error) { - res, err := c.get(ctx, url) - if err != nil { - return nil, err - } - defer res.Body.Close() - if res.StatusCode != http.StatusOK && res.StatusCode != http.StatusAccepted { - return nil, responseError(res) - } - var v wireAuthz - if err := json.NewDecoder(res.Body).Decode(&v); err != nil { - return nil, fmt.Errorf("acme: invalid response: %v", err) - } - return v.authorization(url), nil -} - -// RevokeAuthorization relinquishes an existing authorization identified -// by the given URL. -// The url argument is an Authorization.URI value. -// -// If successful, the caller will be required to obtain a new authorization -// using the Authorize method before being able to request a new certificate -// for the domain associated with the authorization. -// -// It does not revoke existing certificates. -func (c *Client) RevokeAuthorization(ctx context.Context, url string) error { - req := struct { - Resource string `json:"resource"` - Status string `json:"status"` - Delete bool `json:"delete"` - }{ - Resource: "authz", - Status: "deactivated", - Delete: true, - } - res, err := c.retryPostJWS(ctx, c.Key, url, req) - if err != nil { - return err - } - defer res.Body.Close() - if res.StatusCode != http.StatusOK { - return responseError(res) - } - return nil -} - -// WaitAuthorization polls an authorization at the given URL -// until it is in one of the final states, StatusValid or StatusInvalid, -// or the context is done. -// -// It returns a non-nil Authorization only if its Status is StatusValid. -// In all other cases WaitAuthorization returns an error. -// If the Status is StatusInvalid, the returned error is of type *AuthorizationError. -func (c *Client) WaitAuthorization(ctx context.Context, url string) (*Authorization, error) { - sleep := sleeper(ctx) - for { - res, err := c.get(ctx, url) - if err != nil { - return nil, err - } - retry := res.Header.Get("Retry-After") - if res.StatusCode != http.StatusOK && res.StatusCode != http.StatusAccepted { - res.Body.Close() - if err := sleep(retry, 1); err != nil { - return nil, err - } - continue - } - var raw wireAuthz - err = json.NewDecoder(res.Body).Decode(&raw) - res.Body.Close() - if err != nil { - if err := sleep(retry, 0); err != nil { - return nil, err - } - continue - } - if raw.Status == StatusValid { - return raw.authorization(url), nil - } - if raw.Status == StatusInvalid { - return nil, raw.error(url) - } - if err := sleep(retry, 0); err != nil { - return nil, err - } - } -} - -// GetChallenge retrieves the current status of an challenge. -// -// A client typically polls a challenge status using this method. -func (c *Client) GetChallenge(ctx context.Context, url string) (*Challenge, error) { - res, err := c.get(ctx, url) - if err != nil { - return nil, err - } - defer res.Body.Close() - if res.StatusCode != http.StatusOK && res.StatusCode != http.StatusAccepted { - return nil, responseError(res) - } - v := wireChallenge{URI: url} - if err := json.NewDecoder(res.Body).Decode(&v); err != nil { - return nil, fmt.Errorf("acme: invalid response: %v", err) - } - return v.challenge(), nil -} - -// Accept informs the server that the client accepts one of its challenges -// previously obtained with c.Authorize. -// -// The server will then perform the validation asynchronously. -func (c *Client) Accept(ctx context.Context, chal *Challenge) (*Challenge, error) { - auth, err := keyAuth(c.Key.Public(), chal.Token) - if err != nil { - return nil, err - } - - req := struct { - Resource string `json:"resource"` - Type string `json:"type"` - Auth string `json:"keyAuthorization"` - }{ - Resource: "challenge", - Type: chal.Type, - Auth: auth, - } - res, err := c.retryPostJWS(ctx, c.Key, chal.URI, req) - if err != nil { - return nil, err - } - defer res.Body.Close() - // Note: the protocol specifies 200 as the expected response code, but - // letsencrypt seems to be returning 202. - if res.StatusCode != http.StatusOK && res.StatusCode != http.StatusAccepted { - return nil, responseError(res) - } - - var v wireChallenge - if err := json.NewDecoder(res.Body).Decode(&v); err != nil { - return nil, fmt.Errorf("acme: invalid response: %v", err) - } - return v.challenge(), nil -} - -// DNS01ChallengeRecord returns a DNS record value for a dns-01 challenge response. -// A TXT record containing the returned value must be provisioned under -// "_acme-challenge" name of the domain being validated. -// -// The token argument is a Challenge.Token value. -func (c *Client) DNS01ChallengeRecord(token string) (string, error) { - ka, err := keyAuth(c.Key.Public(), token) - if err != nil { - return "", err - } - b := sha256.Sum256([]byte(ka)) - return base64.RawURLEncoding.EncodeToString(b[:]), nil -} - -// HTTP01ChallengeResponse returns the response for an http-01 challenge. -// Servers should respond with the value to HTTP requests at the URL path -// provided by HTTP01ChallengePath to validate the challenge and prove control -// over a domain name. -// -// The token argument is a Challenge.Token value. -func (c *Client) HTTP01ChallengeResponse(token string) (string, error) { - return keyAuth(c.Key.Public(), token) -} - -// HTTP01ChallengePath returns the URL path at which the response for an http-01 challenge -// should be provided by the servers. -// The response value can be obtained with HTTP01ChallengeResponse. -// -// The token argument is a Challenge.Token value. -func (c *Client) HTTP01ChallengePath(token string) string { - return "/.well-known/acme-challenge/" + token -} - -// TLSSNI01ChallengeCert creates a certificate for TLS-SNI-01 challenge response. -// Servers can present the certificate to validate the challenge and prove control -// over a domain name. -// -// The implementation is incomplete in that the returned value is a single certificate, -// computed only for Z0 of the key authorization. ACME CAs are expected to update -// their implementations to use the newer version, TLS-SNI-02. -// For more details on TLS-SNI-01 see https://tools.ietf.org/html/draft-ietf-acme-acme-01#section-7.3. -// -// The token argument is a Challenge.Token value. -// If a WithKey option is provided, its private part signs the returned cert, -// and the public part is used to specify the signee. -// If no WithKey option is provided, a new ECDSA key is generated using P-256 curve. -// -// The returned certificate is valid for the next 24 hours and must be presented only when -// the server name of the client hello matches exactly the returned name value. -func (c *Client) TLSSNI01ChallengeCert(token string, opt ...CertOption) (cert tls.Certificate, name string, err error) { - ka, err := keyAuth(c.Key.Public(), token) - if err != nil { - return tls.Certificate{}, "", err - } - b := sha256.Sum256([]byte(ka)) - h := hex.EncodeToString(b[:]) - name = fmt.Sprintf("%s.%s.acme.invalid", h[:32], h[32:]) - cert, err = tlsChallengeCert([]string{name}, opt) - if err != nil { - return tls.Certificate{}, "", err - } - return cert, name, nil -} - -// TLSSNI02ChallengeCert creates a certificate for TLS-SNI-02 challenge response. -// Servers can present the certificate to validate the challenge and prove control -// over a domain name. For more details on TLS-SNI-02 see -// https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-7.3. -// -// The token argument is a Challenge.Token value. -// If a WithKey option is provided, its private part signs the returned cert, -// and the public part is used to specify the signee. -// If no WithKey option is provided, a new ECDSA key is generated using P-256 curve. -// -// The returned certificate is valid for the next 24 hours and must be presented only when -// the server name in the client hello matches exactly the returned name value. -func (c *Client) TLSSNI02ChallengeCert(token string, opt ...CertOption) (cert tls.Certificate, name string, err error) { - b := sha256.Sum256([]byte(token)) - h := hex.EncodeToString(b[:]) - sanA := fmt.Sprintf("%s.%s.token.acme.invalid", h[:32], h[32:]) - - ka, err := keyAuth(c.Key.Public(), token) - if err != nil { - return tls.Certificate{}, "", err - } - b = sha256.Sum256([]byte(ka)) - h = hex.EncodeToString(b[:]) - sanB := fmt.Sprintf("%s.%s.ka.acme.invalid", h[:32], h[32:]) - - cert, err = tlsChallengeCert([]string{sanA, sanB}, opt) - if err != nil { - return tls.Certificate{}, "", err - } - return cert, sanA, nil -} - -// doReg sends all types of registration requests. -// The type of request is identified by typ argument, which is a "resource" -// in the ACME spec terms. -// -// A non-nil acct argument indicates whether the intention is to mutate data -// of the Account. Only Contact and Agreement of its fields are used -// in such cases. -func (c *Client) doReg(ctx context.Context, url string, typ string, acct *Account) (*Account, error) { - req := struct { - Resource string `json:"resource"` - Contact []string `json:"contact,omitempty"` - Agreement string `json:"agreement,omitempty"` - }{ - Resource: typ, - } - if acct != nil { - req.Contact = acct.Contact - req.Agreement = acct.AgreedTerms - } - res, err := c.retryPostJWS(ctx, c.Key, url, req) - if err != nil { - return nil, err - } - defer res.Body.Close() - if res.StatusCode < 200 || res.StatusCode > 299 { - return nil, responseError(res) - } - - var v struct { - Contact []string - Agreement string - Authorizations string - Certificates string - } - if err := json.NewDecoder(res.Body).Decode(&v); err != nil { - return nil, fmt.Errorf("acme: invalid response: %v", err) - } - var tos string - if v := linkHeader(res.Header, "terms-of-service"); len(v) > 0 { - tos = v[0] - } - var authz string - if v := linkHeader(res.Header, "next"); len(v) > 0 { - authz = v[0] - } - return &Account{ - URI: res.Header.Get("Location"), - Contact: v.Contact, - AgreedTerms: v.Agreement, - CurrentTerms: tos, - Authz: authz, - Authorizations: v.Authorizations, - Certificates: v.Certificates, - }, nil -} - -// retryPostJWS will retry calls to postJWS if there is a badNonce error, -// clearing the stored nonces after each error. -// If the response was 4XX-5XX, then responseError is called on the body, -// the body is closed, and the error returned. -func (c *Client) retryPostJWS(ctx context.Context, key crypto.Signer, url string, body interface{}) (*http.Response, error) { - sleep := sleeper(ctx) - for { - res, err := c.postJWS(ctx, key, url, body) - if err != nil { - return nil, err - } - // handle errors 4XX-5XX with responseError - if res.StatusCode >= 400 && res.StatusCode <= 599 { - err := responseError(res) - res.Body.Close() - // according to spec badNonce is urn:ietf:params:acme:error:badNonce - // however, acme servers in the wild return their version of the error - // https://tools.ietf.org/html/draft-ietf-acme-acme-02#section-5.4 - if ae, ok := err.(*Error); ok && strings.HasSuffix(strings.ToLower(ae.ProblemType), ":badnonce") { - // clear any nonces that we might've stored that might now be - // considered bad - c.clearNonces() - retry := res.Header.Get("Retry-After") - if err := sleep(retry, 1); err != nil { - return nil, err - } - continue - } - return nil, err - } - return res, nil - } -} - -// postJWS signs the body with the given key and POSTs it to the provided url. -// The body argument must be JSON-serializable. -func (c *Client) postJWS(ctx context.Context, key crypto.Signer, url string, body interface{}) (*http.Response, error) { - nonce, err := c.popNonce(ctx, url) - if err != nil { - return nil, err - } - b, err := jwsEncodeJSON(body, key, nonce) - if err != nil { - return nil, err - } - res, err := c.post(ctx, url, "application/jose+json", bytes.NewReader(b)) - if err != nil { - return nil, err - } - c.addNonce(res.Header) - return res, nil -} - -// popNonce returns a nonce value previously stored with c.addNonce -// or fetches a fresh one from the given URL. -func (c *Client) popNonce(ctx context.Context, url string) (string, error) { - c.noncesMu.Lock() - defer c.noncesMu.Unlock() - if len(c.nonces) == 0 { - return c.fetchNonce(ctx, url) - } - var nonce string - for nonce = range c.nonces { - delete(c.nonces, nonce) - break - } - return nonce, nil -} - -// clearNonces clears any stored nonces -func (c *Client) clearNonces() { - c.noncesMu.Lock() - defer c.noncesMu.Unlock() - c.nonces = make(map[string]struct{}) -} - -// addNonce stores a nonce value found in h (if any) for future use. -func (c *Client) addNonce(h http.Header) { - v := nonceFromHeader(h) - if v == "" { - return - } - c.noncesMu.Lock() - defer c.noncesMu.Unlock() - if len(c.nonces) >= maxNonces { - return - } - if c.nonces == nil { - c.nonces = make(map[string]struct{}) - } - c.nonces[v] = struct{}{} -} - -func (c *Client) httpClient() *http.Client { - if c.HTTPClient != nil { - return c.HTTPClient - } - return http.DefaultClient -} - -func (c *Client) get(ctx context.Context, urlStr string) (*http.Response, error) { - req, err := http.NewRequest("GET", urlStr, nil) - if err != nil { - return nil, err - } - return c.do(ctx, req) -} - -func (c *Client) head(ctx context.Context, urlStr string) (*http.Response, error) { - req, err := http.NewRequest("HEAD", urlStr, nil) - if err != nil { - return nil, err - } - return c.do(ctx, req) -} - -func (c *Client) post(ctx context.Context, urlStr, contentType string, body io.Reader) (*http.Response, error) { - req, err := http.NewRequest("POST", urlStr, body) - if err != nil { - return nil, err - } - req.Header.Set("Content-Type", contentType) - return c.do(ctx, req) -} - -func (c *Client) do(ctx context.Context, req *http.Request) (*http.Response, error) { - res, err := c.httpClient().Do(req.WithContext(ctx)) - if err != nil { - select { - case <-ctx.Done(): - // Prefer the unadorned context error. - // (The acme package had tests assuming this, previously from ctxhttp's - // behavior, predating net/http supporting contexts natively) - // TODO(bradfitz): reconsider this in the future. But for now this - // requires no test updates. - return nil, ctx.Err() - default: - return nil, err - } - } - return res, nil -} - -func (c *Client) fetchNonce(ctx context.Context, url string) (string, error) { - resp, err := c.head(ctx, url) - if err != nil { - return "", err - } - defer resp.Body.Close() - nonce := nonceFromHeader(resp.Header) - if nonce == "" { - if resp.StatusCode > 299 { - return "", responseError(resp) - } - return "", errors.New("acme: nonce not found") - } - return nonce, nil -} - -func nonceFromHeader(h http.Header) string { - return h.Get("Replay-Nonce") -} - -func (c *Client) responseCert(ctx context.Context, res *http.Response, bundle bool) ([][]byte, error) { - b, err := ioutil.ReadAll(io.LimitReader(res.Body, maxCertSize+1)) - if err != nil { - return nil, fmt.Errorf("acme: response stream: %v", err) - } - if len(b) > maxCertSize { - return nil, errors.New("acme: certificate is too big") - } - cert := [][]byte{b} - if !bundle { - return cert, nil - } - - // Append CA chain cert(s). - // At least one is required according to the spec: - // https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-6.3.1 - up := linkHeader(res.Header, "up") - if len(up) == 0 { - return nil, errors.New("acme: rel=up link not found") - } - if len(up) > maxChainLen { - return nil, errors.New("acme: rel=up link is too large") - } - for _, url := range up { - cc, err := c.chainCert(ctx, url, 0) - if err != nil { - return nil, err - } - cert = append(cert, cc...) - } - return cert, nil -} - -// responseError creates an error of Error type from resp. -func responseError(resp *http.Response) error { - // don't care if ReadAll returns an error: - // json.Unmarshal will fail in that case anyway - b, _ := ioutil.ReadAll(resp.Body) - e := &wireError{Status: resp.StatusCode} - if err := json.Unmarshal(b, e); err != nil { - // this is not a regular error response: - // populate detail with anything we received, - // e.Status will already contain HTTP response code value - e.Detail = string(b) - if e.Detail == "" { - e.Detail = resp.Status - } - } - return e.error(resp.Header) -} - -// chainCert fetches CA certificate chain recursively by following "up" links. -// Each recursive call increments the depth by 1, resulting in an error -// if the recursion level reaches maxChainLen. -// -// First chainCert call starts with depth of 0. -func (c *Client) chainCert(ctx context.Context, url string, depth int) ([][]byte, error) { - if depth >= maxChainLen { - return nil, errors.New("acme: certificate chain is too deep") - } - - res, err := c.get(ctx, url) - if err != nil { - return nil, err - } - defer res.Body.Close() - if res.StatusCode != http.StatusOK { - return nil, responseError(res) - } - b, err := ioutil.ReadAll(io.LimitReader(res.Body, maxCertSize+1)) - if err != nil { - return nil, err - } - if len(b) > maxCertSize { - return nil, errors.New("acme: certificate is too big") - } - chain := [][]byte{b} - - uplink := linkHeader(res.Header, "up") - if len(uplink) > maxChainLen { - return nil, errors.New("acme: certificate chain is too large") - } - for _, up := range uplink { - cc, err := c.chainCert(ctx, up, depth+1) - if err != nil { - return nil, err - } - chain = append(chain, cc...) - } - - return chain, nil -} - -// linkHeader returns URI-Reference values of all Link headers -// with relation-type rel. -// See https://tools.ietf.org/html/rfc5988#section-5 for details. -func linkHeader(h http.Header, rel string) []string { - var links []string - for _, v := range h["Link"] { - parts := strings.Split(v, ";") - for _, p := range parts { - p = strings.TrimSpace(p) - if !strings.HasPrefix(p, "rel=") { - continue - } - if v := strings.Trim(p[4:], `"`); v == rel { - links = append(links, strings.Trim(parts[0], "<>")) - } - } - } - return links -} - -// sleeper returns a function that accepts the Retry-After HTTP header value -// and an increment that's used with backoff to increasingly sleep on -// consecutive calls until the context is done. If the Retry-After header -// cannot be parsed, then backoff is used with a maximum sleep time of 10 -// seconds. -func sleeper(ctx context.Context) func(ra string, inc int) error { - var count int - return func(ra string, inc int) error { - count += inc - d := backoff(count, 10*time.Second) - d = retryAfter(ra, d) - wakeup := time.NewTimer(d) - defer wakeup.Stop() - select { - case <-ctx.Done(): - return ctx.Err() - case <-wakeup.C: - return nil - } - } -} - -// retryAfter parses a Retry-After HTTP header value, -// trying to convert v into an int (seconds) or use http.ParseTime otherwise. -// It returns d if v cannot be parsed. -func retryAfter(v string, d time.Duration) time.Duration { - if i, err := strconv.Atoi(v); err == nil { - return time.Duration(i) * time.Second - } - t, err := http.ParseTime(v) - if err != nil { - return d - } - return t.Sub(timeNow()) -} - -// backoff computes a duration after which an n+1 retry iteration should occur -// using truncated exponential backoff algorithm. -// -// The n argument is always bounded between 0 and 30. -// The max argument defines upper bound for the returned value. -func backoff(n int, max time.Duration) time.Duration { - if n < 0 { - n = 0 - } - if n > 30 { - n = 30 - } - var d time.Duration - if x, err := rand.Int(rand.Reader, big.NewInt(1000)); err == nil { - d = time.Duration(x.Int64()) * time.Millisecond - } - d += time.Duration(1<<uint(n)) * time.Second - if d > max { - return max - } - return d -} - -// keyAuth generates a key authorization string for a given token. -func keyAuth(pub crypto.PublicKey, token string) (string, error) { - th, err := JWKThumbprint(pub) - if err != nil { - return "", err - } - return fmt.Sprintf("%s.%s", token, th), nil -} - -// tlsChallengeCert creates a temporary certificate for TLS-SNI challenges -// with the given SANs and auto-generated public/private key pair. -// To create a cert with a custom key pair, specify WithKey option. -func tlsChallengeCert(san []string, opt []CertOption) (tls.Certificate, error) { - var ( - key crypto.Signer - tmpl *x509.Certificate - ) - for _, o := range opt { - switch o := o.(type) { - case *certOptKey: - if key != nil { - return tls.Certificate{}, errors.New("acme: duplicate key option") - } - key = o.key - case *certOptTemplate: - var t = *(*x509.Certificate)(o) // shallow copy is ok - tmpl = &t - default: - // package's fault, if we let this happen: - panic(fmt.Sprintf("unsupported option type %T", o)) - } - } - if key == nil { - var err error - if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil { - return tls.Certificate{}, err - } - } - if tmpl == nil { - tmpl = &x509.Certificate{ - SerialNumber: big.NewInt(1), - NotBefore: time.Now(), - NotAfter: time.Now().Add(24 * time.Hour), - BasicConstraintsValid: true, - KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, - ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, - } - } - tmpl.DNSNames = san - - der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key) - if err != nil { - return tls.Certificate{}, err - } - return tls.Certificate{ - Certificate: [][]byte{der}, - PrivateKey: key, - }, nil -} - -// encodePEM returns b encoded as PEM with block of type typ. -func encodePEM(typ string, b []byte) []byte { - pb := &pem.Block{Type: typ, Bytes: b} - return pem.EncodeToMemory(pb) -} - -// timeNow is useful for testing for fixed current time. -var timeNow = time.Now diff --git a/vendor/golang.org/x/crypto/acme/autocert/autocert.go b/vendor/golang.org/x/crypto/acme/autocert/autocert.go deleted file mode 100644 index a478eff54..000000000 --- a/vendor/golang.org/x/crypto/acme/autocert/autocert.go +++ /dev/null @@ -1,819 +0,0 @@ -// Copyright 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package autocert provides automatic access to certificates from Let's Encrypt -// and any other ACME-based CA. -// -// This package is a work in progress and makes no API stability promises. -package autocert - -import ( - "bytes" - "context" - "crypto" - "crypto/ecdsa" - "crypto/elliptic" - "crypto/rand" - "crypto/rsa" - "crypto/tls" - "crypto/x509" - "crypto/x509/pkix" - "encoding/pem" - "errors" - "fmt" - "io" - mathrand "math/rand" - "net/http" - "strconv" - "strings" - "sync" - "time" - - "golang.org/x/crypto/acme" -) - -// createCertRetryAfter is how much time to wait before removing a failed state -// entry due to an unsuccessful createCert call. -// This is a variable instead of a const for testing. -// TODO: Consider making it configurable or an exp backoff? -var createCertRetryAfter = time.Minute - -// pseudoRand is safe for concurrent use. -var pseudoRand *lockedMathRand - -func init() { - src := mathrand.NewSource(timeNow().UnixNano()) - pseudoRand = &lockedMathRand{rnd: mathrand.New(src)} -} - -// AcceptTOS is a Manager.Prompt function that always returns true to -// indicate acceptance of the CA's Terms of Service during account -// registration. -func AcceptTOS(tosURL string) bool { return true } - -// HostPolicy specifies which host names the Manager is allowed to respond to. -// It returns a non-nil error if the host should be rejected. -// The returned error is accessible via tls.Conn.Handshake and its callers. -// See Manager's HostPolicy field and GetCertificate method docs for more details. -type HostPolicy func(ctx context.Context, host string) error - -// HostWhitelist returns a policy where only the specified host names are allowed. -// Only exact matches are currently supported. Subdomains, regexp or wildcard -// will not match. -func HostWhitelist(hosts ...string) HostPolicy { - whitelist := make(map[string]bool, len(hosts)) - for _, h := range hosts { - whitelist[h] = true - } - return func(_ context.Context, host string) error { - if !whitelist[host] { - return errors.New("acme/autocert: host not configured") - } - return nil - } -} - -// defaultHostPolicy is used when Manager.HostPolicy is not set. -func defaultHostPolicy(context.Context, string) error { - return nil -} - -// Manager is a stateful certificate manager built on top of acme.Client. -// It obtains and refreshes certificates automatically, -// as well as providing them to a TLS server via tls.Config. -// -// To preserve issued certificates and improve overall performance, -// use a cache implementation of Cache. For instance, DirCache. -type Manager struct { - // Prompt specifies a callback function to conditionally accept a CA's Terms of Service (TOS). - // The registration may require the caller to agree to the CA's TOS. - // If so, Manager calls Prompt with a TOS URL provided by the CA. Prompt should report - // whether the caller agrees to the terms. - // - // To always accept the terms, the callers can use AcceptTOS. - Prompt func(tosURL string) bool - - // Cache optionally stores and retrieves previously-obtained certificates. - // If nil, certs will only be cached for the lifetime of the Manager. - // - // Manager passes the Cache certificates data encoded in PEM, with private/public - // parts combined in a single Cache.Put call, private key first. - Cache Cache - - // HostPolicy controls which domains the Manager will attempt - // to retrieve new certificates for. It does not affect cached certs. - // - // If non-nil, HostPolicy is called before requesting a new cert. - // If nil, all hosts are currently allowed. This is not recommended, - // as it opens a potential attack where clients connect to a server - // by IP address and pretend to be asking for an incorrect host name. - // Manager will attempt to obtain a certificate for that host, incorrectly, - // eventually reaching the CA's rate limit for certificate requests - // and making it impossible to obtain actual certificates. - // - // See GetCertificate for more details. - HostPolicy HostPolicy - - // RenewBefore optionally specifies how early certificates should - // be renewed before they expire. - // - // If zero, they're renewed 30 days before expiration. - RenewBefore time.Duration - - // Client is used to perform low-level operations, such as account registration - // and requesting new certificates. - // If Client is nil, a zero-value acme.Client is used with acme.LetsEncryptURL - // directory endpoint and a newly-generated ECDSA P-256 key. - // - // Mutating the field after the first call of GetCertificate method will have no effect. - Client *acme.Client - - // Email optionally specifies a contact email address. - // This is used by CAs, such as Let's Encrypt, to notify about problems - // with issued certificates. - // - // If the Client's account key is already registered, Email is not used. - Email string - - // ForceRSA makes the Manager generate certificates with 2048-bit RSA keys. - // - // If false, a default is used. Currently the default - // is EC-based keys using the P-256 curve. - ForceRSA bool - - clientMu sync.Mutex - client *acme.Client // initialized by acmeClient method - - stateMu sync.Mutex - state map[string]*certState // keyed by domain name - - // tokenCert is keyed by token domain name, which matches server name - // of ClientHello. Keys always have ".acme.invalid" suffix. - tokenCertMu sync.RWMutex - tokenCert map[string]*tls.Certificate - - // renewal tracks the set of domains currently running renewal timers. - // It is keyed by domain name. - renewalMu sync.Mutex - renewal map[string]*domainRenewal -} - -// GetCertificate implements the tls.Config.GetCertificate hook. -// It provides a TLS certificate for hello.ServerName host, including answering -// *.acme.invalid (TLS-SNI) challenges. All other fields of hello are ignored. -// -// If m.HostPolicy is non-nil, GetCertificate calls the policy before requesting -// a new cert. A non-nil error returned from m.HostPolicy halts TLS negotiation. -// The error is propagated back to the caller of GetCertificate and is user-visible. -// This does not affect cached certs. See HostPolicy field description for more details. -func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) { - if m.Prompt == nil { - return nil, errors.New("acme/autocert: Manager.Prompt not set") - } - - name := hello.ServerName - if name == "" { - return nil, errors.New("acme/autocert: missing server name") - } - if !strings.Contains(strings.Trim(name, "."), ".") { - return nil, errors.New("acme/autocert: server name component count invalid") - } - if strings.ContainsAny(name, `/\`) { - return nil, errors.New("acme/autocert: server name contains invalid character") - } - - ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) - defer cancel() - - // check whether this is a token cert requested for TLS-SNI challenge - if strings.HasSuffix(name, ".acme.invalid") { - m.tokenCertMu.RLock() - defer m.tokenCertMu.RUnlock() - if cert := m.tokenCert[name]; cert != nil { - return cert, nil - } - if cert, err := m.cacheGet(ctx, name); err == nil { - return cert, nil - } - // TODO: cache error results? - return nil, fmt.Errorf("acme/autocert: no token cert for %q", name) - } - - // regular domain - name = strings.TrimSuffix(name, ".") // golang.org/issue/18114 - cert, err := m.cert(ctx, name) - if err == nil { - return cert, nil - } - if err != ErrCacheMiss { - return nil, err - } - - // first-time - if err := m.hostPolicy()(ctx, name); err != nil { - return nil, err - } - cert, err = m.createCert(ctx, name) - if err != nil { - return nil, err - } - m.cachePut(ctx, name, cert) - return cert, nil -} - -// cert returns an existing certificate either from m.state or cache. -// If a certificate is found in cache but not in m.state, the latter will be filled -// with the cached value. -func (m *Manager) cert(ctx context.Context, name string) (*tls.Certificate, error) { - m.stateMu.Lock() - if s, ok := m.state[name]; ok { - m.stateMu.Unlock() - s.RLock() - defer s.RUnlock() - return s.tlscert() - } - defer m.stateMu.Unlock() - cert, err := m.cacheGet(ctx, name) - if err != nil { - return nil, err - } - signer, ok := cert.PrivateKey.(crypto.Signer) - if !ok { - return nil, errors.New("acme/autocert: private key cannot sign") - } - if m.state == nil { - m.state = make(map[string]*certState) - } - s := &certState{ - key: signer, - cert: cert.Certificate, - leaf: cert.Leaf, - } - m.state[name] = s - go m.renew(name, s.key, s.leaf.NotAfter) - return cert, nil -} - -// cacheGet always returns a valid certificate, or an error otherwise. -// If a cached certficate exists but is not valid, ErrCacheMiss is returned. -func (m *Manager) cacheGet(ctx context.Context, domain string) (*tls.Certificate, error) { - if m.Cache == nil { - return nil, ErrCacheMiss - } - data, err := m.Cache.Get(ctx, domain) - if err != nil { - return nil, err - } - - // private - priv, pub := pem.Decode(data) - if priv == nil || !strings.Contains(priv.Type, "PRIVATE") { - return nil, ErrCacheMiss - } - privKey, err := parsePrivateKey(priv.Bytes) - if err != nil { - return nil, err - } - - // public - var pubDER [][]byte - for len(pub) > 0 { - var b *pem.Block - b, pub = pem.Decode(pub) - if b == nil { - break - } - pubDER = append(pubDER, b.Bytes) - } - if len(pub) > 0 { - // Leftover content not consumed by pem.Decode. Corrupt. Ignore. - return nil, ErrCacheMiss - } - - // verify and create TLS cert - leaf, err := validCert(domain, pubDER, privKey) - if err != nil { - return nil, ErrCacheMiss - } - tlscert := &tls.Certificate{ - Certificate: pubDER, - PrivateKey: privKey, - Leaf: leaf, - } - return tlscert, nil -} - -func (m *Manager) cachePut(ctx context.Context, domain string, tlscert *tls.Certificate) error { - if m.Cache == nil { - return nil - } - - // contains PEM-encoded data - var buf bytes.Buffer - - // private - switch key := tlscert.PrivateKey.(type) { - case *ecdsa.PrivateKey: - if err := encodeECDSAKey(&buf, key); err != nil { - return err - } - case *rsa.PrivateKey: - b := x509.MarshalPKCS1PrivateKey(key) - pb := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: b} - if err := pem.Encode(&buf, pb); err != nil { - return err - } - default: - return errors.New("acme/autocert: unknown private key type") - } - - // public - for _, b := range tlscert.Certificate { - pb := &pem.Block{Type: "CERTIFICATE", Bytes: b} - if err := pem.Encode(&buf, pb); err != nil { - return err - } - } - - return m.Cache.Put(ctx, domain, buf.Bytes()) -} - -func encodeECDSAKey(w io.Writer, key *ecdsa.PrivateKey) error { - b, err := x509.MarshalECPrivateKey(key) - if err != nil { - return err - } - pb := &pem.Block{Type: "EC PRIVATE KEY", Bytes: b} - return pem.Encode(w, pb) -} - -// createCert starts the domain ownership verification and returns a certificate -// for that domain upon success. -// -// If the domain is already being verified, it waits for the existing verification to complete. -// Either way, createCert blocks for the duration of the whole process. -func (m *Manager) createCert(ctx context.Context, domain string) (*tls.Certificate, error) { - // TODO: maybe rewrite this whole piece using sync.Once - state, err := m.certState(domain) - if err != nil { - return nil, err - } - // state may exist if another goroutine is already working on it - // in which case just wait for it to finish - if !state.locked { - state.RLock() - defer state.RUnlock() - return state.tlscert() - } - - // We are the first; state is locked. - // Unblock the readers when domain ownership is verified - // and the we got the cert or the process failed. - defer state.Unlock() - state.locked = false - - der, leaf, err := m.authorizedCert(ctx, state.key, domain) - if err != nil { - // Remove the failed state after some time, - // making the manager call createCert again on the following TLS hello. - time.AfterFunc(createCertRetryAfter, func() { - defer testDidRemoveState(domain) - m.stateMu.Lock() - defer m.stateMu.Unlock() - // Verify the state hasn't changed and it's still invalid - // before deleting. - s, ok := m.state[domain] - if !ok { - return - } - if _, err := validCert(domain, s.cert, s.key); err == nil { - return - } - delete(m.state, domain) - }) - return nil, err - } - state.cert = der - state.leaf = leaf - go m.renew(domain, state.key, state.leaf.NotAfter) - return state.tlscert() -} - -// certState returns a new or existing certState. -// If a new certState is returned, state.exist is false and the state is locked. -// The returned error is non-nil only in the case where a new state could not be created. -func (m *Manager) certState(domain string) (*certState, error) { - m.stateMu.Lock() - defer m.stateMu.Unlock() - if m.state == nil { - m.state = make(map[string]*certState) - } - // existing state - if state, ok := m.state[domain]; ok { - return state, nil - } - - // new locked state - var ( - err error - key crypto.Signer - ) - if m.ForceRSA { - key, err = rsa.GenerateKey(rand.Reader, 2048) - } else { - key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) - } - if err != nil { - return nil, err - } - - state := &certState{ - key: key, - locked: true, - } - state.Lock() // will be unlocked by m.certState caller - m.state[domain] = state - return state, nil -} - -// authorizedCert starts domain ownership verification process and requests a new cert upon success. -// The key argument is the certificate private key. -func (m *Manager) authorizedCert(ctx context.Context, key crypto.Signer, domain string) (der [][]byte, leaf *x509.Certificate, err error) { - if err := m.verify(ctx, domain); err != nil { - return nil, nil, err - } - client, err := m.acmeClient(ctx) - if err != nil { - return nil, nil, err - } - csr, err := certRequest(key, domain) - if err != nil { - return nil, nil, err - } - der, _, err = client.CreateCert(ctx, csr, 0, true) - if err != nil { - return nil, nil, err - } - leaf, err = validCert(domain, der, key) - if err != nil { - return nil, nil, err - } - return der, leaf, nil -} - -// verify starts a new identifier (domain) authorization flow. -// It prepares a challenge response and then blocks until the authorization -// is marked as "completed" by the CA (either succeeded or failed). -// -// verify returns nil iff the verification was successful. -func (m *Manager) verify(ctx context.Context, domain string) error { - client, err := m.acmeClient(ctx) - if err != nil { - return err - } - - // start domain authorization and get the challenge - authz, err := client.Authorize(ctx, domain) - if err != nil { - return err - } - // maybe don't need to at all - if authz.Status == acme.StatusValid { - return nil - } - - // pick a challenge: prefer tls-sni-02 over tls-sni-01 - // TODO: consider authz.Combinations - var chal *acme.Challenge - for _, c := range authz.Challenges { - if c.Type == "tls-sni-02" { - chal = c - break - } - if c.Type == "tls-sni-01" { - chal = c - } - } - if chal == nil { - return errors.New("acme/autocert: no supported challenge type found") - } - - // create a token cert for the challenge response - var ( - cert tls.Certificate - name string - ) - switch chal.Type { - case "tls-sni-01": - cert, name, err = client.TLSSNI01ChallengeCert(chal.Token) - case "tls-sni-02": - cert, name, err = client.TLSSNI02ChallengeCert(chal.Token) - default: - err = fmt.Errorf("acme/autocert: unknown challenge type %q", chal.Type) - } - if err != nil { - return err - } - m.putTokenCert(ctx, name, &cert) - defer func() { - // verification has ended at this point - // don't need token cert anymore - go m.deleteTokenCert(name) - }() - - // ready to fulfill the challenge - if _, err := client.Accept(ctx, chal); err != nil { - return err - } - // wait for the CA to validate - _, err = client.WaitAuthorization(ctx, authz.URI) - return err -} - -// putTokenCert stores the cert under the named key in both m.tokenCert map -// and m.Cache. -func (m *Manager) putTokenCert(ctx context.Context, name string, cert *tls.Certificate) { - m.tokenCertMu.Lock() - defer m.tokenCertMu.Unlock() - if m.tokenCert == nil { - m.tokenCert = make(map[string]*tls.Certificate) - } - m.tokenCert[name] = cert - m.cachePut(ctx, name, cert) -} - -// deleteTokenCert removes the token certificate for the specified domain name -// from both m.tokenCert map and m.Cache. -func (m *Manager) deleteTokenCert(name string) { - m.tokenCertMu.Lock() - defer m.tokenCertMu.Unlock() - delete(m.tokenCert, name) - if m.Cache != nil { - m.Cache.Delete(context.Background(), name) - } -} - -// renew starts a cert renewal timer loop, one per domain. -// -// The loop is scheduled in two cases: -// - a cert was fetched from cache for the first time (wasn't in m.state) -// - a new cert was created by m.createCert -// -// The key argument is a certificate private key. -// The exp argument is the cert expiration time (NotAfter). -func (m *Manager) renew(domain string, key crypto.Signer, exp time.Time) { - m.renewalMu.Lock() - defer m.renewalMu.Unlock() - if m.renewal[domain] != nil { - // another goroutine is already on it - return - } - if m.renewal == nil { - m.renewal = make(map[string]*domainRenewal) - } - dr := &domainRenewal{m: m, domain: domain, key: key} - m.renewal[domain] = dr - dr.start(exp) -} - -// stopRenew stops all currently running cert renewal timers. -// The timers are not restarted during the lifetime of the Manager. -func (m *Manager) stopRenew() { - m.renewalMu.Lock() - defer m.renewalMu.Unlock() - for name, dr := range m.renewal { - delete(m.renewal, name) - dr.stop() - } -} - -func (m *Manager) accountKey(ctx context.Context) (crypto.Signer, error) { - const keyName = "acme_account.key" - - genKey := func() (*ecdsa.PrivateKey, error) { - return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) - } - - if m.Cache == nil { - return genKey() - } - - data, err := m.Cache.Get(ctx, keyName) - if err == ErrCacheMiss { - key, err := genKey() - if err != nil { - return nil, err - } - var buf bytes.Buffer - if err := encodeECDSAKey(&buf, key); err != nil { - return nil, err - } - if err := m.Cache.Put(ctx, keyName, buf.Bytes()); err != nil { - return nil, err - } - return key, nil - } - if err != nil { - return nil, err - } - - priv, _ := pem.Decode(data) - if priv == nil || !strings.Contains(priv.Type, "PRIVATE") { - return nil, errors.New("acme/autocert: invalid account key found in cache") - } - return parsePrivateKey(priv.Bytes) -} - -func (m *Manager) acmeClient(ctx context.Context) (*acme.Client, error) { - m.clientMu.Lock() - defer m.clientMu.Unlock() - if m.client != nil { - return m.client, nil - } - - client := m.Client - if client == nil { - client = &acme.Client{DirectoryURL: acme.LetsEncryptURL} - } - if client.Key == nil { - var err error - client.Key, err = m.accountKey(ctx) - if err != nil { - return nil, err - } - } - var contact []string - if m.Email != "" { - contact = []string{"mailto:" + m.Email} - } - a := &acme.Account{Contact: contact} - _, err := client.Register(ctx, a, m.Prompt) - if ae, ok := err.(*acme.Error); err == nil || ok && ae.StatusCode == http.StatusConflict { - // conflict indicates the key is already registered - m.client = client - err = nil - } - return m.client, err -} - -func (m *Manager) hostPolicy() HostPolicy { - if m.HostPolicy != nil { - return m.HostPolicy - } - return defaultHostPolicy -} - -func (m *Manager) renewBefore() time.Duration { - if m.RenewBefore > renewJitter { - return m.RenewBefore - } - return 720 * time.Hour // 30 days -} - -// certState is ready when its mutex is unlocked for reading. -type certState struct { - sync.RWMutex - locked bool // locked for read/write - key crypto.Signer // private key for cert - cert [][]byte // DER encoding - leaf *x509.Certificate // parsed cert[0]; always non-nil if cert != nil -} - -// tlscert creates a tls.Certificate from s.key and s.cert. -// Callers should wrap it in s.RLock() and s.RUnlock(). -func (s *certState) tlscert() (*tls.Certificate, error) { - if s.key == nil { - return nil, errors.New("acme/autocert: missing signer") - } - if len(s.cert) == 0 { - return nil, errors.New("acme/autocert: missing certificate") - } - return &tls.Certificate{ - PrivateKey: s.key, - Certificate: s.cert, - Leaf: s.leaf, - }, nil -} - -// certRequest creates a certificate request for the given common name cn -// and optional SANs. -func certRequest(key crypto.Signer, cn string, san ...string) ([]byte, error) { - req := &x509.CertificateRequest{ - Subject: pkix.Name{CommonName: cn}, - DNSNames: san, - } - return x509.CreateCertificateRequest(rand.Reader, req, key) -} - -// Attempt to parse the given private key DER block. OpenSSL 0.9.8 generates -// PKCS#1 private keys by default, while OpenSSL 1.0.0 generates PKCS#8 keys. -// OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three. -// -// Inspired by parsePrivateKey in crypto/tls/tls.go. -func parsePrivateKey(der []byte) (crypto.Signer, error) { - if key, err := x509.ParsePKCS1PrivateKey(der); err == nil { - return key, nil - } - if key, err := x509.ParsePKCS8PrivateKey(der); err == nil { - switch key := key.(type) { - case *rsa.PrivateKey: - return key, nil - case *ecdsa.PrivateKey: - return key, nil - default: - return nil, errors.New("acme/autocert: unknown private key type in PKCS#8 wrapping") - } - } - if key, err := x509.ParseECPrivateKey(der); err == nil { - return key, nil - } - - return nil, errors.New("acme/autocert: failed to parse private key") -} - -// validCert parses a cert chain provided as der argument and verifies the leaf, der[0], -// corresponds to the private key, as well as the domain match and expiration dates. -// It doesn't do any revocation checking. -// -// The returned value is the verified leaf cert. -func validCert(domain string, der [][]byte, key crypto.Signer) (leaf *x509.Certificate, err error) { - // parse public part(s) - var n int - for _, b := range der { - n += len(b) - } - pub := make([]byte, n) - n = 0 - for _, b := range der { - n += copy(pub[n:], b) - } - x509Cert, err := x509.ParseCertificates(pub) - if len(x509Cert) == 0 { - return nil, errors.New("acme/autocert: no public key found") - } - // verify the leaf is not expired and matches the domain name - leaf = x509Cert[0] - now := timeNow() - if now.Before(leaf.NotBefore) { - return nil, errors.New("acme/autocert: certificate is not valid yet") - } - if now.After(leaf.NotAfter) { - return nil, errors.New("acme/autocert: expired certificate") - } - if err := leaf.VerifyHostname(domain); err != nil { - return nil, err - } - // ensure the leaf corresponds to the private key - switch pub := leaf.PublicKey.(type) { - case *rsa.PublicKey: - prv, ok := key.(*rsa.PrivateKey) - if !ok { - return nil, errors.New("acme/autocert: private key type does not match public key type") - } - if pub.N.Cmp(prv.N) != 0 { - return nil, errors.New("acme/autocert: private key does not match public key") - } - case *ecdsa.PublicKey: - prv, ok := key.(*ecdsa.PrivateKey) - if !ok { - return nil, errors.New("acme/autocert: private key type does not match public key type") - } - if pub.X.Cmp(prv.X) != 0 || pub.Y.Cmp(prv.Y) != 0 { - return nil, errors.New("acme/autocert: private key does not match public key") - } - default: - return nil, errors.New("acme/autocert: unknown public key algorithm") - } - return leaf, nil -} - -func retryAfter(v string) time.Duration { - if i, err := strconv.Atoi(v); err == nil { - return time.Duration(i) * time.Second - } - if t, err := http.ParseTime(v); err == nil { - return t.Sub(timeNow()) - } - return time.Second -} - -type lockedMathRand struct { - sync.Mutex - rnd *mathrand.Rand -} - -func (r *lockedMathRand) int63n(max int64) int64 { - r.Lock() - n := r.rnd.Int63n(max) - r.Unlock() - return n -} - -// For easier testing. -var ( - timeNow = time.Now - - // Called when a state is removed. - testDidRemoveState = func(domain string) {} -) diff --git a/vendor/golang.org/x/crypto/acme/autocert/cache.go b/vendor/golang.org/x/crypto/acme/autocert/cache.go deleted file mode 100644 index 61a5fd239..000000000 --- a/vendor/golang.org/x/crypto/acme/autocert/cache.go +++ /dev/null @@ -1,130 +0,0 @@ -// Copyright 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package autocert - -import ( - "context" - "errors" - "io/ioutil" - "os" - "path/filepath" -) - -// ErrCacheMiss is returned when a certificate is not found in cache. -var ErrCacheMiss = errors.New("acme/autocert: certificate cache miss") - -// Cache is used by Manager to store and retrieve previously obtained certificates -// as opaque data. -// -// The key argument of the methods refers to a domain name but need not be an FQDN. -// Cache implementations should not rely on the key naming pattern. -type Cache interface { - // Get returns a certificate data for the specified key. - // If there's no such key, Get returns ErrCacheMiss. - Get(ctx context.Context, key string) ([]byte, error) - - // Put stores the data in the cache under the specified key. - // Underlying implementations may use any data storage format, - // as long as the reverse operation, Get, results in the original data. - Put(ctx context.Context, key string, data []byte) error - - // Delete removes a certificate data from the cache under the specified key. - // If there's no such key in the cache, Delete returns nil. - Delete(ctx context.Context, key string) error -} - -// DirCache implements Cache using a directory on the local filesystem. -// If the directory does not exist, it will be created with 0700 permissions. -type DirCache string - -// Get reads a certificate data from the specified file name. -func (d DirCache) Get(ctx context.Context, name string) ([]byte, error) { - name = filepath.Join(string(d), name) - var ( - data []byte - err error - done = make(chan struct{}) - ) - go func() { - data, err = ioutil.ReadFile(name) - close(done) - }() - select { - case <-ctx.Done(): - return nil, ctx.Err() - case <-done: - } - if os.IsNotExist(err) { - return nil, ErrCacheMiss - } - return data, err -} - -// Put writes the certificate data to the specified file name. -// The file will be created with 0600 permissions. -func (d DirCache) Put(ctx context.Context, name string, data []byte) error { - if err := os.MkdirAll(string(d), 0700); err != nil { - return err - } - - done := make(chan struct{}) - var err error - go func() { - defer close(done) - var tmp string - if tmp, err = d.writeTempFile(name, data); err != nil { - return - } - select { - case <-ctx.Done(): - // Don't overwrite the file if the context was canceled. - default: - newName := filepath.Join(string(d), name) - err = os.Rename(tmp, newName) - } - }() - select { - case <-ctx.Done(): - return ctx.Err() - case <-done: - } - return err -} - -// Delete removes the specified file name. -func (d DirCache) Delete(ctx context.Context, name string) error { - name = filepath.Join(string(d), name) - var ( - err error - done = make(chan struct{}) - ) - go func() { - err = os.Remove(name) - close(done) - }() - select { - case <-ctx.Done(): - return ctx.Err() - case <-done: - } - if err != nil && !os.IsNotExist(err) { - return err - } - return nil -} - -// writeTempFile writes b to a temporary file, closes the file and returns its path. -func (d DirCache) writeTempFile(prefix string, b []byte) (string, error) { - // TempFile uses 0600 permissions - f, err := ioutil.TempFile(string(d), prefix) - if err != nil { - return "", err - } - if _, err := f.Write(b); err != nil { - f.Close() - return "", err - } - return f.Name(), f.Close() -} diff --git a/vendor/golang.org/x/crypto/acme/autocert/listener.go b/vendor/golang.org/x/crypto/acme/autocert/listener.go deleted file mode 100644 index d744df0ed..000000000 --- a/vendor/golang.org/x/crypto/acme/autocert/listener.go +++ /dev/null @@ -1,160 +0,0 @@ -// Copyright 2017 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package autocert - -import ( - "crypto/tls" - "log" - "net" - "os" - "path/filepath" - "runtime" - "time" -) - -// NewListener returns a net.Listener that listens on the standard TLS -// port (443) on all interfaces and returns *tls.Conn connections with -// LetsEncrypt certificates for the provided domain or domains. -// -// It enables one-line HTTPS servers: -// -// log.Fatal(http.Serve(autocert.NewListener("example.com"), handler)) -// -// NewListener is a convenience function for a common configuration. -// More complex or custom configurations can use the autocert.Manager -// type instead. -// -// Use of this function implies acceptance of the LetsEncrypt Terms of -// Service. If domains is not empty, the provided domains are passed -// to HostWhitelist. If domains is empty, the listener will do -// LetsEncrypt challenges for any requested domain, which is not -// recommended. -// -// Certificates are cached in a "golang-autocert" directory under an -// operating system-specific cache or temp directory. This may not -// be suitable for servers spanning multiple machines. -// -// The returned listener uses a *tls.Config that enables HTTP/2, and -// should only be used with servers that support HTTP/2. -// -// The returned Listener also enables TCP keep-alives on the accepted -// connections. The returned *tls.Conn are returned before their TLS -// handshake has completed. -func NewListener(domains ...string) net.Listener { - m := &Manager{ - Prompt: AcceptTOS, - } - if len(domains) > 0 { - m.HostPolicy = HostWhitelist(domains...) - } - dir := cacheDir() - if err := os.MkdirAll(dir, 0700); err != nil { - log.Printf("warning: autocert.NewListener not using a cache: %v", err) - } else { - m.Cache = DirCache(dir) - } - return m.Listener() -} - -// Listener listens on the standard TLS port (443) on all interfaces -// and returns a net.Listener returning *tls.Conn connections. -// -// The returned listener uses a *tls.Config that enables HTTP/2, and -// should only be used with servers that support HTTP/2. -// -// The returned Listener also enables TCP keep-alives on the accepted -// connections. The returned *tls.Conn are returned before their TLS -// handshake has completed. -// -// Unlike NewListener, it is the caller's responsibility to initialize -// the Manager m's Prompt, Cache, HostPolicy, and other desired options. -func (m *Manager) Listener() net.Listener { - ln := &listener{ - m: m, - conf: &tls.Config{ - GetCertificate: m.GetCertificate, // bonus: panic on nil m - NextProtos: []string{"h2", "http/1.1"}, // Enable HTTP/2 - }, - } - ln.tcpListener, ln.tcpListenErr = net.Listen("tcp", ":443") - return ln -} - -type listener struct { - m *Manager - conf *tls.Config - - tcpListener net.Listener - tcpListenErr error -} - -func (ln *listener) Accept() (net.Conn, error) { - if ln.tcpListenErr != nil { - return nil, ln.tcpListenErr - } - conn, err := ln.tcpListener.Accept() - if err != nil { - return nil, err - } - tcpConn := conn.(*net.TCPConn) - - // Because Listener is a convenience function, help out with - // this too. This is not possible for the caller to set once - // we return a *tcp.Conn wrapping an inaccessible net.Conn. - // If callers don't want this, they can do things the manual - // way and tweak as needed. But this is what net/http does - // itself, so copy that. If net/http changes, we can change - // here too. - tcpConn.SetKeepAlive(true) - tcpConn.SetKeepAlivePeriod(3 * time.Minute) - - return tls.Server(tcpConn, ln.conf), nil -} - -func (ln *listener) Addr() net.Addr { - if ln.tcpListener != nil { - return ln.tcpListener.Addr() - } - // net.Listen failed. Return something non-nil in case callers - // call Addr before Accept: - return &net.TCPAddr{IP: net.IP{0, 0, 0, 0}, Port: 443} -} - -func (ln *listener) Close() error { - if ln.tcpListenErr != nil { - return ln.tcpListenErr - } - return ln.tcpListener.Close() -} - -func homeDir() string { - if runtime.GOOS == "windows" { - return os.Getenv("HOMEDRIVE") + os.Getenv("HOMEPATH") - } - if h := os.Getenv("HOME"); h != "" { - return h - } - return "/" -} - -func cacheDir() string { - const base = "golang-autocert" - switch runtime.GOOS { - case "darwin": - return filepath.Join(homeDir(), "Library", "Caches", base) - case "windows": - for _, ev := range []string{"APPDATA", "CSIDL_APPDATA", "TEMP", "TMP"} { - if v := os.Getenv(ev); v != "" { - return filepath.Join(v, base) - } - } - // Worst case: - return filepath.Join(homeDir(), base) - } - if xdg := os.Getenv("XDG_CACHE_HOME"); xdg != "" { - return filepath.Join(xdg, base) - } - return filepath.Join(homeDir(), ".cache", base) -} diff --git a/vendor/golang.org/x/crypto/acme/autocert/renewal.go b/vendor/golang.org/x/crypto/acme/autocert/renewal.go deleted file mode 100644 index 6c5da2bc8..000000000 --- a/vendor/golang.org/x/crypto/acme/autocert/renewal.go +++ /dev/null @@ -1,124 +0,0 @@ -// Copyright 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package autocert - -import ( - "context" - "crypto" - "sync" - "time" -) - -// renewJitter is the maximum deviation from Manager.RenewBefore. -const renewJitter = time.Hour - -// domainRenewal tracks the state used by the periodic timers -// renewing a single domain's cert. -type domainRenewal struct { - m *Manager - domain string - key crypto.Signer - - timerMu sync.Mutex - timer *time.Timer -} - -// start starts a cert renewal timer at the time -// defined by the certificate expiration time exp. -// -// If the timer is already started, calling start is a noop. -func (dr *domainRenewal) start(exp time.Time) { - dr.timerMu.Lock() - defer dr.timerMu.Unlock() - if dr.timer != nil { - return - } - dr.timer = time.AfterFunc(dr.next(exp), dr.renew) -} - -// stop stops the cert renewal timer. -// If the timer is already stopped, calling stop is a noop. -func (dr *domainRenewal) stop() { - dr.timerMu.Lock() - defer dr.timerMu.Unlock() - if dr.timer == nil { - return - } - dr.timer.Stop() - dr.timer = nil -} - -// renew is called periodically by a timer. -// The first renew call is kicked off by dr.start. -func (dr *domainRenewal) renew() { - dr.timerMu.Lock() - defer dr.timerMu.Unlock() - if dr.timer == nil { - return - } - - ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute) - defer cancel() - // TODO: rotate dr.key at some point? - next, err := dr.do(ctx) - if err != nil { - next = renewJitter / 2 - next += time.Duration(pseudoRand.int63n(int64(next))) - } - dr.timer = time.AfterFunc(next, dr.renew) - testDidRenewLoop(next, err) -} - -// do is similar to Manager.createCert but it doesn't lock a Manager.state item. -// Instead, it requests a new certificate independently and, upon success, -// replaces dr.m.state item with a new one and updates cache for the given domain. -// -// It may return immediately if the expiration date of the currently cached cert -// is far enough in the future. -// -// The returned value is a time interval after which the renewal should occur again. -func (dr *domainRenewal) do(ctx context.Context) (time.Duration, error) { - // a race is likely unavoidable in a distributed environment - // but we try nonetheless - if tlscert, err := dr.m.cacheGet(ctx, dr.domain); err == nil { - next := dr.next(tlscert.Leaf.NotAfter) - if next > dr.m.renewBefore()+renewJitter { - return next, nil - } - } - - der, leaf, err := dr.m.authorizedCert(ctx, dr.key, dr.domain) - if err != nil { - return 0, err - } - state := &certState{ - key: dr.key, - cert: der, - leaf: leaf, - } - tlscert, err := state.tlscert() - if err != nil { - return 0, err - } - dr.m.cachePut(ctx, dr.domain, tlscert) - dr.m.stateMu.Lock() - defer dr.m.stateMu.Unlock() - // m.state is guaranteed to be non-nil at this point - dr.m.state[dr.domain] = state - return dr.next(leaf.NotAfter), nil -} - -func (dr *domainRenewal) next(expiry time.Time) time.Duration { - d := expiry.Sub(timeNow()) - dr.m.renewBefore() - // add a bit of randomness to renew deadline - n := pseudoRand.int63n(int64(renewJitter)) - d -= time.Duration(n) - if d < 0 { - return 0 - } - return d -} - -var testDidRenewLoop = func(next time.Duration, err error) {} diff --git a/vendor/golang.org/x/crypto/acme/jws.go b/vendor/golang.org/x/crypto/acme/jws.go deleted file mode 100644 index 6cbca25de..000000000 --- a/vendor/golang.org/x/crypto/acme/jws.go +++ /dev/null @@ -1,153 +0,0 @@ -// Copyright 2015 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package acme - -import ( - "crypto" - "crypto/ecdsa" - "crypto/rand" - "crypto/rsa" - "crypto/sha256" - _ "crypto/sha512" // need for EC keys - "encoding/base64" - "encoding/json" - "fmt" - "math/big" -) - -// jwsEncodeJSON signs claimset using provided key and a nonce. -// The result is serialized in JSON format. -// See https://tools.ietf.org/html/rfc7515#section-7. -func jwsEncodeJSON(claimset interface{}, key crypto.Signer, nonce string) ([]byte, error) { - jwk, err := jwkEncode(key.Public()) - if err != nil { - return nil, err - } - alg, sha := jwsHasher(key) - if alg == "" || !sha.Available() { - return nil, ErrUnsupportedKey - } - phead := fmt.Sprintf(`{"alg":%q,"jwk":%s,"nonce":%q}`, alg, jwk, nonce) - phead = base64.RawURLEncoding.EncodeToString([]byte(phead)) - cs, err := json.Marshal(claimset) - if err != nil { - return nil, err - } - payload := base64.RawURLEncoding.EncodeToString(cs) - hash := sha.New() - hash.Write([]byte(phead + "." + payload)) - sig, err := jwsSign(key, sha, hash.Sum(nil)) - if err != nil { - return nil, err - } - - enc := struct { - Protected string `json:"protected"` - Payload string `json:"payload"` - Sig string `json:"signature"` - }{ - Protected: phead, - Payload: payload, - Sig: base64.RawURLEncoding.EncodeToString(sig), - } - return json.Marshal(&enc) -} - -// jwkEncode encodes public part of an RSA or ECDSA key into a JWK. -// The result is also suitable for creating a JWK thumbprint. -// https://tools.ietf.org/html/rfc7517 -func jwkEncode(pub crypto.PublicKey) (string, error) { - switch pub := pub.(type) { - case *rsa.PublicKey: - // https://tools.ietf.org/html/rfc7518#section-6.3.1 - n := pub.N - e := big.NewInt(int64(pub.E)) - // Field order is important. - // See https://tools.ietf.org/html/rfc7638#section-3.3 for details. - return fmt.Sprintf(`{"e":"%s","kty":"RSA","n":"%s"}`, - base64.RawURLEncoding.EncodeToString(e.Bytes()), - base64.RawURLEncoding.EncodeToString(n.Bytes()), - ), nil - case *ecdsa.PublicKey: - // https://tools.ietf.org/html/rfc7518#section-6.2.1 - p := pub.Curve.Params() - n := p.BitSize / 8 - if p.BitSize%8 != 0 { - n++ - } - x := pub.X.Bytes() - if n > len(x) { - x = append(make([]byte, n-len(x)), x...) - } - y := pub.Y.Bytes() - if n > len(y) { - y = append(make([]byte, n-len(y)), y...) - } - // Field order is important. - // See https://tools.ietf.org/html/rfc7638#section-3.3 for details. - return fmt.Sprintf(`{"crv":"%s","kty":"EC","x":"%s","y":"%s"}`, - p.Name, - base64.RawURLEncoding.EncodeToString(x), - base64.RawURLEncoding.EncodeToString(y), - ), nil - } - return "", ErrUnsupportedKey -} - -// jwsSign signs the digest using the given key. -// It returns ErrUnsupportedKey if the key type is unknown. -// The hash is used only for RSA keys. -func jwsSign(key crypto.Signer, hash crypto.Hash, digest []byte) ([]byte, error) { - switch key := key.(type) { - case *rsa.PrivateKey: - return key.Sign(rand.Reader, digest, hash) - case *ecdsa.PrivateKey: - r, s, err := ecdsa.Sign(rand.Reader, key, digest) - if err != nil { - return nil, err - } - rb, sb := r.Bytes(), s.Bytes() - size := key.Params().BitSize / 8 - if size%8 > 0 { - size++ - } - sig := make([]byte, size*2) - copy(sig[size-len(rb):], rb) - copy(sig[size*2-len(sb):], sb) - return sig, nil - } - return nil, ErrUnsupportedKey -} - -// jwsHasher indicates suitable JWS algorithm name and a hash function -// to use for signing a digest with the provided key. -// It returns ("", 0) if the key is not supported. -func jwsHasher(key crypto.Signer) (string, crypto.Hash) { - switch key := key.(type) { - case *rsa.PrivateKey: - return "RS256", crypto.SHA256 - case *ecdsa.PrivateKey: - switch key.Params().Name { - case "P-256": - return "ES256", crypto.SHA256 - case "P-384": - return "ES384", crypto.SHA384 - case "P-521": - return "ES512", crypto.SHA512 - } - } - return "", 0 -} - -// JWKThumbprint creates a JWK thumbprint out of pub -// as specified in https://tools.ietf.org/html/rfc7638. -func JWKThumbprint(pub crypto.PublicKey) (string, error) { - jwk, err := jwkEncode(pub) - if err != nil { - return "", err - } - b := sha256.Sum256([]byte(jwk)) - return base64.RawURLEncoding.EncodeToString(b[:]), nil -} diff --git a/vendor/golang.org/x/crypto/acme/types.go b/vendor/golang.org/x/crypto/acme/types.go deleted file mode 100644 index ab4de0b88..000000000 --- a/vendor/golang.org/x/crypto/acme/types.go +++ /dev/null @@ -1,295 +0,0 @@ -// Copyright 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package acme - -import ( - "errors" - "fmt" - "net/http" - "strings" - "time" -) - -// ACME server response statuses used to describe Authorization and Challenge states. -const ( - StatusUnknown = "unknown" - StatusPending = "pending" - StatusProcessing = "processing" - StatusValid = "valid" - StatusInvalid = "invalid" - StatusRevoked = "revoked" -) - -// CRLReasonCode identifies the reason for a certificate revocation. -type CRLReasonCode int - -// CRL reason codes as defined in RFC 5280. -const ( - CRLReasonUnspecified CRLReasonCode = 0 - CRLReasonKeyCompromise CRLReasonCode = 1 - CRLReasonCACompromise CRLReasonCode = 2 - CRLReasonAffiliationChanged CRLReasonCode = 3 - CRLReasonSuperseded CRLReasonCode = 4 - CRLReasonCessationOfOperation CRLReasonCode = 5 - CRLReasonCertificateHold CRLReasonCode = 6 - CRLReasonRemoveFromCRL CRLReasonCode = 8 - CRLReasonPrivilegeWithdrawn CRLReasonCode = 9 - CRLReasonAACompromise CRLReasonCode = 10 -) - -// ErrUnsupportedKey is returned when an unsupported key type is encountered. -var ErrUnsupportedKey = errors.New("acme: unknown key type; only RSA and ECDSA are supported") - -// Error is an ACME error, defined in Problem Details for HTTP APIs doc -// http://tools.ietf.org/html/draft-ietf-appsawg-http-problem. -type Error struct { - // StatusCode is The HTTP status code generated by the origin server. - StatusCode int - // ProblemType is a URI reference that identifies the problem type, - // typically in a "urn:acme:error:xxx" form. - ProblemType string - // Detail is a human-readable explanation specific to this occurrence of the problem. - Detail string - // Header is the original server error response headers. - // It may be nil. - Header http.Header -} - -func (e *Error) Error() string { - return fmt.Sprintf("%d %s: %s", e.StatusCode, e.ProblemType, e.Detail) -} - -// AuthorizationError indicates that an authorization for an identifier -// did not succeed. -// It contains all errors from Challenge items of the failed Authorization. -type AuthorizationError struct { - // URI uniquely identifies the failed Authorization. - URI string - - // Identifier is an AuthzID.Value of the failed Authorization. - Identifier string - - // Errors is a collection of non-nil error values of Challenge items - // of the failed Authorization. - Errors []error -} - -func (a *AuthorizationError) Error() string { - e := make([]string, len(a.Errors)) - for i, err := range a.Errors { - e[i] = err.Error() - } - return fmt.Sprintf("acme: authorization error for %s: %s", a.Identifier, strings.Join(e, "; ")) -} - -// RateLimit reports whether err represents a rate limit error and -// any Retry-After duration returned by the server. -// -// See the following for more details on rate limiting: -// https://tools.ietf.org/html/draft-ietf-acme-acme-05#section-5.6 -func RateLimit(err error) (time.Duration, bool) { - e, ok := err.(*Error) - if !ok { - return 0, false - } - // Some CA implementations may return incorrect values. - // Use case-insensitive comparison. - if !strings.HasSuffix(strings.ToLower(e.ProblemType), ":ratelimited") { - return 0, false - } - if e.Header == nil { - return 0, true - } - return retryAfter(e.Header.Get("Retry-After"), 0), true -} - -// Account is a user account. It is associated with a private key. -type Account struct { - // URI is the account unique ID, which is also a URL used to retrieve - // account data from the CA. - URI string - - // Contact is a slice of contact info used during registration. - Contact []string - - // The terms user has agreed to. - // A value not matching CurrentTerms indicates that the user hasn't agreed - // to the actual Terms of Service of the CA. - AgreedTerms string - - // Actual terms of a CA. - CurrentTerms string - - // Authz is the authorization URL used to initiate a new authz flow. - Authz string - - // Authorizations is a URI from which a list of authorizations - // granted to this account can be fetched via a GET request. - Authorizations string - - // Certificates is a URI from which a list of certificates - // issued for this account can be fetched via a GET request. - Certificates string -} - -// Directory is ACME server discovery data. -type Directory struct { - // RegURL is an account endpoint URL, allowing for creating new - // and modifying existing accounts. - RegURL string - - // AuthzURL is used to initiate Identifier Authorization flow. - AuthzURL string - - // CertURL is a new certificate issuance endpoint URL. - CertURL string - - // RevokeURL is used to initiate a certificate revocation flow. - RevokeURL string - - // Term is a URI identifying the current terms of service. - Terms string - - // Website is an HTTP or HTTPS URL locating a website - // providing more information about the ACME server. - Website string - - // CAA consists of lowercase hostname elements, which the ACME server - // recognises as referring to itself for the purposes of CAA record validation - // as defined in RFC6844. - CAA []string -} - -// Challenge encodes a returned CA challenge. -// Its Error field may be non-nil if the challenge is part of an Authorization -// with StatusInvalid. -type Challenge struct { - // Type is the challenge type, e.g. "http-01", "tls-sni-02", "dns-01". - Type string - - // URI is where a challenge response can be posted to. - URI string - - // Token is a random value that uniquely identifies the challenge. - Token string - - // Status identifies the status of this challenge. - Status string - - // Error indicates the reason for an authorization failure - // when this challenge was used. - // The type of a non-nil value is *Error. - Error error -} - -// Authorization encodes an authorization response. -type Authorization struct { - // URI uniquely identifies a authorization. - URI string - - // Status identifies the status of an authorization. - Status string - - // Identifier is what the account is authorized to represent. - Identifier AuthzID - - // Challenges that the client needs to fulfill in order to prove possession - // of the identifier (for pending authorizations). - // For final authorizations, the challenges that were used. - Challenges []*Challenge - - // A collection of sets of challenges, each of which would be sufficient - // to prove possession of the identifier. - // Clients must complete a set of challenges that covers at least one set. - // Challenges are identified by their indices in the challenges array. - // If this field is empty, the client needs to complete all challenges. - Combinations [][]int -} - -// AuthzID is an identifier that an account is authorized to represent. -type AuthzID struct { - Type string // The type of identifier, e.g. "dns". - Value string // The identifier itself, e.g. "example.org". -} - -// wireAuthz is ACME JSON representation of Authorization objects. -type wireAuthz struct { - Status string - Challenges []wireChallenge - Combinations [][]int - Identifier struct { - Type string - Value string - } -} - -func (z *wireAuthz) authorization(uri string) *Authorization { - a := &Authorization{ - URI: uri, - Status: z.Status, - Identifier: AuthzID{Type: z.Identifier.Type, Value: z.Identifier.Value}, - Combinations: z.Combinations, // shallow copy - Challenges: make([]*Challenge, len(z.Challenges)), - } - for i, v := range z.Challenges { - a.Challenges[i] = v.challenge() - } - return a -} - -func (z *wireAuthz) error(uri string) *AuthorizationError { - err := &AuthorizationError{ - URI: uri, - Identifier: z.Identifier.Value, - } - for _, raw := range z.Challenges { - if raw.Error != nil { - err.Errors = append(err.Errors, raw.Error.error(nil)) - } - } - return err -} - -// wireChallenge is ACME JSON challenge representation. -type wireChallenge struct { - URI string `json:"uri"` - Type string - Token string - Status string - Error *wireError -} - -func (c *wireChallenge) challenge() *Challenge { - v := &Challenge{ - URI: c.URI, - Type: c.Type, - Token: c.Token, - Status: c.Status, - } - if v.Status == "" { - v.Status = StatusPending - } - if c.Error != nil { - v.Error = c.Error.error(nil) - } - return v -} - -// wireError is a subset of fields of the Problem Details object -// as described in https://tools.ietf.org/html/rfc7807#section-3.1. -type wireError struct { - Status int - Type string - Detail string -} - -func (e *wireError) error(h http.Header) *Error { - return &Error{ - StatusCode: e.Status, - ProblemType: e.Type, - Detail: e.Detail, - Header: h, - } -} diff --git a/vendor/golang.org/x/crypto/acme/LICENSE b/vendor/golang.org/x/crypto/ed25519/LICENSE index 6a66aea5e..6a66aea5e 100644 --- a/vendor/golang.org/x/crypto/acme/LICENSE +++ b/vendor/golang.org/x/crypto/ed25519/LICENSE diff --git a/vendor/golang.org/x/crypto/ed25519/ed25519.go b/vendor/golang.org/x/crypto/ed25519/ed25519.go new file mode 100644 index 000000000..a57771a1e --- /dev/null +++ b/vendor/golang.org/x/crypto/ed25519/ed25519.go @@ -0,0 +1,188 @@ +// Copyright 2016 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package ed25519 implements the Ed25519 signature algorithm. See +// https://ed25519.cr.yp.to/. +// +// These functions are also compatible with the “Ed25519” function defined in +// RFC 8032. +package ed25519 + +// This code is a port of the public domain, “ref10” implementation of ed25519 +// from SUPERCOP. + +import ( + "bytes" + "crypto" + cryptorand "crypto/rand" + "crypto/sha512" + "errors" + "io" + "strconv" + + "golang.org/x/crypto/ed25519/internal/edwards25519" +) + +const ( + // PublicKeySize is the size, in bytes, of public keys as used in this package. + PublicKeySize = 32 + // PrivateKeySize is the size, in bytes, of private keys as used in this package. + PrivateKeySize = 64 + // SignatureSize is the size, in bytes, of signatures generated and verified by this package. + SignatureSize = 64 +) + +// PublicKey is the type of Ed25519 public keys. +type PublicKey []byte + +// PrivateKey is the type of Ed25519 private keys. It implements crypto.Signer. +type PrivateKey []byte + +// Public returns the PublicKey corresponding to priv. +func (priv PrivateKey) Public() crypto.PublicKey { + publicKey := make([]byte, PublicKeySize) + copy(publicKey, priv[32:]) + return PublicKey(publicKey) +} + +// Sign signs the given message with priv. +// Ed25519 performs two passes over messages to be signed and therefore cannot +// handle pre-hashed messages. Thus opts.HashFunc() must return zero to +// indicate the message hasn't been hashed. This can be achieved by passing +// crypto.Hash(0) as the value for opts. +func (priv PrivateKey) Sign(rand io.Reader, message []byte, opts crypto.SignerOpts) (signature []byte, err error) { + if opts.HashFunc() != crypto.Hash(0) { + return nil, errors.New("ed25519: cannot sign hashed message") + } + + return Sign(priv, message), nil +} + +// GenerateKey generates a public/private key pair using entropy from rand. +// If rand is nil, crypto/rand.Reader will be used. +func GenerateKey(rand io.Reader) (publicKey PublicKey, privateKey PrivateKey, err error) { + if rand == nil { + rand = cryptorand.Reader + } + + privateKey = make([]byte, PrivateKeySize) + publicKey = make([]byte, PublicKeySize) + _, err = io.ReadFull(rand, privateKey[:32]) + if err != nil { + return nil, nil, err + } + + digest := sha512.Sum512(privateKey[:32]) + digest[0] &= 248 + digest[31] &= 127 + digest[31] |= 64 + + var A edwards25519.ExtendedGroupElement + var hBytes [32]byte + copy(hBytes[:], digest[:]) + edwards25519.GeScalarMultBase(&A, &hBytes) + var publicKeyBytes [32]byte + A.ToBytes(&publicKeyBytes) + + copy(privateKey[32:], publicKeyBytes[:]) + copy(publicKey, publicKeyBytes[:]) + + return publicKey, privateKey, nil +} + +// Sign signs the message with privateKey and returns a signature. It will +// panic if len(privateKey) is not PrivateKeySize. +func Sign(privateKey PrivateKey, message []byte) []byte { + if l := len(privateKey); l != PrivateKeySize { + panic("ed25519: bad private key length: " + strconv.Itoa(l)) + } + + h := sha512.New() + h.Write(privateKey[:32]) + + var digest1, messageDigest, hramDigest [64]byte + var expandedSecretKey [32]byte + h.Sum(digest1[:0]) + copy(expandedSecretKey[:], digest1[:]) + expandedSecretKey[0] &= 248 + expandedSecretKey[31] &= 63 + expandedSecretKey[31] |= 64 + + h.Reset() + h.Write(digest1[32:]) + h.Write(message) + h.Sum(messageDigest[:0]) + + var messageDigestReduced [32]byte + edwards25519.ScReduce(&messageDigestReduced, &messageDigest) + var R edwards25519.ExtendedGroupElement + edwards25519.GeScalarMultBase(&R, &messageDigestReduced) + + var encodedR [32]byte + R.ToBytes(&encodedR) + + h.Reset() + h.Write(encodedR[:]) + h.Write(privateKey[32:]) + h.Write(message) + h.Sum(hramDigest[:0]) + var hramDigestReduced [32]byte + edwards25519.ScReduce(&hramDigestReduced, &hramDigest) + + var s [32]byte + edwards25519.ScMulAdd(&s, &hramDigestReduced, &expandedSecretKey, &messageDigestReduced) + + signature := make([]byte, SignatureSize) + copy(signature[:], encodedR[:]) + copy(signature[32:], s[:]) + + return signature +} + +// Verify reports whether sig is a valid signature of message by publicKey. It +// will panic if len(publicKey) is not PublicKeySize. +func Verify(publicKey PublicKey, message, sig []byte) bool { + if l := len(publicKey); l != PublicKeySize { + panic("ed25519: bad public key length: " + strconv.Itoa(l)) + } + + if len(sig) != SignatureSize || sig[63]&224 != 0 { + return false + } + + var A edwards25519.ExtendedGroupElement + var publicKeyBytes [32]byte + copy(publicKeyBytes[:], publicKey) + if !A.FromBytes(&publicKeyBytes) { + return false + } + edwards25519.FeNeg(&A.X, &A.X) + edwards25519.FeNeg(&A.T, &A.T) + + h := sha512.New() + h.Write(sig[:32]) + h.Write(publicKey[:]) + h.Write(message) + var digest [64]byte + h.Sum(digest[:0]) + + var hReduced [32]byte + edwards25519.ScReduce(&hReduced, &digest) + + var R edwards25519.ProjectiveGroupElement + var s [32]byte + copy(s[:], sig[32:]) + + // https://tools.ietf.org/html/rfc8032#section-5.1.7 requires that s be in + // the range [0, order) in order to prevent signature malleability. + if !edwards25519.ScMinimal(&s) { + return false + } + + edwards25519.GeDoubleScalarMultVartime(&R, &hReduced, &A, &s) + + var checkR [32]byte + R.ToBytes(&checkR) + return bytes.Equal(sig[:32], checkR[:]) +} diff --git a/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/const.go b/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/const.go new file mode 100644 index 000000000..e39f086c1 --- /dev/null +++ b/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/const.go @@ -0,0 +1,1422 @@ +// Copyright 2016 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package edwards25519 + +// These values are from the public domain, “ref10” implementation of ed25519 +// from SUPERCOP. + +// d is a constant in the Edwards curve equation. +var d = FieldElement{ + -10913610, 13857413, -15372611, 6949391, 114729, -8787816, -6275908, -3247719, -18696448, -12055116, +} + +// d2 is 2*d. +var d2 = FieldElement{ + -21827239, -5839606, -30745221, 13898782, 229458, 15978800, -12551817, -6495438, 29715968, 9444199, +} + +// SqrtM1 is the square-root of -1 in the field. +var SqrtM1 = FieldElement{ + -32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482, +} + +// A is a constant in the Montgomery-form of curve25519. +var A = FieldElement{ + 486662, 0, 0, 0, 0, 0, 0, 0, 0, 0, +} + +// bi contains precomputed multiples of the base-point. See the Ed25519 paper +// for a discussion about how these values are used. +var bi = [8]PreComputedGroupElement{ + { + FieldElement{25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 27544626, -11754271, -6079156, 2047605}, + FieldElement{-12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692, 5043384, 19500929, -15469378}, + FieldElement{-8738181, 4489570, 9688441, -14785194, 10184609, -12363380, 29287919, 11864899, -24514362, -4438546}, + }, + { + FieldElement{15636291, -9688557, 24204773, -7912398, 616977, -16685262, 27787600, -14772189, 28944400, -1550024}, + FieldElement{16568933, 4717097, -11556148, -1102322, 15682896, -11807043, 16354577, -11775962, 7689662, 11199574}, + FieldElement{30464156, -5976125, -11779434, -15670865, 23220365, 15915852, 7512774, 10017326, -17749093, -9920357}, + }, + { + FieldElement{10861363, 11473154, 27284546, 1981175, -30064349, 12577861, 32867885, 14515107, -15438304, 10819380}, + FieldElement{4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668, 12483688, -12668491, 5581306}, + FieldElement{19563160, 16186464, -29386857, 4097519, 10237984, -4348115, 28542350, 13850243, -23678021, -15815942}, + }, + { + FieldElement{5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852, 5230134, -23952439, -15175766}, + FieldElement{-30269007, -3463509, 7665486, 10083793, 28475525, 1649722, 20654025, 16520125, 30598449, 7715701}, + FieldElement{28881845, 14381568, 9657904, 3680757, -20181635, 7843316, -31400660, 1370708, 29794553, -1409300}, + }, + { + FieldElement{-22518993, -6692182, 14201702, -8745502, -23510406, 8844726, 18474211, -1361450, -13062696, 13821877}, + FieldElement{-6455177, -7839871, 3374702, -4740862, -27098617, -10571707, 31655028, -7212327, 18853322, -14220951}, + FieldElement{4566830, -12963868, -28974889, -12240689, -7602672, -2830569, -8514358, -10431137, 2207753, -3209784}, + }, + { + FieldElement{-25154831, -4185821, 29681144, 7868801, -6854661, -9423865, -12437364, -663000, -31111463, -16132436}, + FieldElement{25576264, -2703214, 7349804, -11814844, 16472782, 9300885, 3844789, 15725684, 171356, 6466918}, + FieldElement{23103977, 13316479, 9739013, -16149481, 817875, -15038942, 8965339, -14088058, -30714912, 16193877}, + }, + { + FieldElement{-33521811, 3180713, -2394130, 14003687, -16903474, -16270840, 17238398, 4729455, -18074513, 9256800}, + FieldElement{-25182317, -4174131, 32336398, 5036987, -21236817, 11360617, 22616405, 9761698, -19827198, 630305}, + FieldElement{-13720693, 2639453, -24237460, -7406481, 9494427, -5774029, -6554551, -15960994, -2449256, -14291300}, + }, + { + FieldElement{-3151181, -5046075, 9282714, 6866145, -31907062, -863023, -18940575, 15033784, 25105118, -7894876}, + FieldElement{-24326370, 15950226, -31801215, -14592823, -11662737, -5090925, 1573892, -2625887, 2198790, -15804619}, + FieldElement{-3099351, 10324967, -2241613, 7453183, -5446979, -2735503, -13812022, -16236442, -32461234, -12290683}, + }, +} + +// base contains precomputed multiples of the base-point. See the Ed25519 paper +// for a discussion about how these values are used. +var base = [32][8]PreComputedGroupElement{ + { + { + FieldElement{25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 27544626, -11754271, -6079156, 2047605}, + FieldElement{-12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692, 5043384, 19500929, -15469378}, + FieldElement{-8738181, 4489570, 9688441, -14785194, 10184609, -12363380, 29287919, 11864899, -24514362, -4438546}, + }, + { + FieldElement{-12815894, -12976347, -21581243, 11784320, -25355658, -2750717, -11717903, -3814571, -358445, -10211303}, + FieldElement{-21703237, 6903825, 27185491, 6451973, -29577724, -9554005, -15616551, 11189268, -26829678, -5319081}, + FieldElement{26966642, 11152617, 32442495, 15396054, 14353839, -12752335, -3128826, -9541118, -15472047, -4166697}, + }, + { + FieldElement{15636291, -9688557, 24204773, -7912398, 616977, -16685262, 27787600, -14772189, 28944400, -1550024}, + FieldElement{16568933, 4717097, -11556148, -1102322, 15682896, -11807043, 16354577, -11775962, 7689662, 11199574}, + FieldElement{30464156, -5976125, -11779434, -15670865, 23220365, 15915852, 7512774, 10017326, -17749093, -9920357}, + }, + { + FieldElement{-17036878, 13921892, 10945806, -6033431, 27105052, -16084379, -28926210, 15006023, 3284568, -6276540}, + FieldElement{23599295, -8306047, -11193664, -7687416, 13236774, 10506355, 7464579, 9656445, 13059162, 10374397}, + FieldElement{7798556, 16710257, 3033922, 2874086, 28997861, 2835604, 32406664, -3839045, -641708, -101325}, + }, + { + FieldElement{10861363, 11473154, 27284546, 1981175, -30064349, 12577861, 32867885, 14515107, -15438304, 10819380}, + FieldElement{4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668, 12483688, -12668491, 5581306}, + FieldElement{19563160, 16186464, -29386857, 4097519, 10237984, -4348115, 28542350, 13850243, -23678021, -15815942}, + }, + { + FieldElement{-15371964, -12862754, 32573250, 4720197, -26436522, 5875511, -19188627, -15224819, -9818940, -12085777}, + FieldElement{-8549212, 109983, 15149363, 2178705, 22900618, 4543417, 3044240, -15689887, 1762328, 14866737}, + FieldElement{-18199695, -15951423, -10473290, 1707278, -17185920, 3916101, -28236412, 3959421, 27914454, 4383652}, + }, + { + FieldElement{5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852, 5230134, -23952439, -15175766}, + FieldElement{-30269007, -3463509, 7665486, 10083793, 28475525, 1649722, 20654025, 16520125, 30598449, 7715701}, + FieldElement{28881845, 14381568, 9657904, 3680757, -20181635, 7843316, -31400660, 1370708, 29794553, -1409300}, + }, + { + FieldElement{14499471, -2729599, -33191113, -4254652, 28494862, 14271267, 30290735, 10876454, -33154098, 2381726}, + FieldElement{-7195431, -2655363, -14730155, 462251, -27724326, 3941372, -6236617, 3696005, -32300832, 15351955}, + FieldElement{27431194, 8222322, 16448760, -3907995, -18707002, 11938355, -32961401, -2970515, 29551813, 10109425}, + }, + }, + { + { + FieldElement{-13657040, -13155431, -31283750, 11777098, 21447386, 6519384, -2378284, -1627556, 10092783, -4764171}, + FieldElement{27939166, 14210322, 4677035, 16277044, -22964462, -12398139, -32508754, 12005538, -17810127, 12803510}, + FieldElement{17228999, -15661624, -1233527, 300140, -1224870, -11714777, 30364213, -9038194, 18016357, 4397660}, + }, + { + FieldElement{-10958843, -7690207, 4776341, -14954238, 27850028, -15602212, -26619106, 14544525, -17477504, 982639}, + FieldElement{29253598, 15796703, -2863982, -9908884, 10057023, 3163536, 7332899, -4120128, -21047696, 9934963}, + FieldElement{5793303, 16271923, -24131614, -10116404, 29188560, 1206517, -14747930, 4559895, -30123922, -10897950}, + }, + { + FieldElement{-27643952, -11493006, 16282657, -11036493, 28414021, -15012264, 24191034, 4541697, -13338309, 5500568}, + FieldElement{12650548, -1497113, 9052871, 11355358, -17680037, -8400164, -17430592, 12264343, 10874051, 13524335}, + FieldElement{25556948, -3045990, 714651, 2510400, 23394682, -10415330, 33119038, 5080568, -22528059, 5376628}, + }, + { + FieldElement{-26088264, -4011052, -17013699, -3537628, -6726793, 1920897, -22321305, -9447443, 4535768, 1569007}, + FieldElement{-2255422, 14606630, -21692440, -8039818, 28430649, 8775819, -30494562, 3044290, 31848280, 12543772}, + FieldElement{-22028579, 2943893, -31857513, 6777306, 13784462, -4292203, -27377195, -2062731, 7718482, 14474653}, + }, + { + FieldElement{2385315, 2454213, -22631320, 46603, -4437935, -15680415, 656965, -7236665, 24316168, -5253567}, + FieldElement{13741529, 10911568, -33233417, -8603737, -20177830, -1033297, 33040651, -13424532, -20729456, 8321686}, + FieldElement{21060490, -2212744, 15712757, -4336099, 1639040, 10656336, 23845965, -11874838, -9984458, 608372}, + }, + { + FieldElement{-13672732, -15087586, -10889693, -7557059, -6036909, 11305547, 1123968, -6780577, 27229399, 23887}, + FieldElement{-23244140, -294205, -11744728, 14712571, -29465699, -2029617, 12797024, -6440308, -1633405, 16678954}, + FieldElement{-29500620, 4770662, -16054387, 14001338, 7830047, 9564805, -1508144, -4795045, -17169265, 4904953}, + }, + { + FieldElement{24059557, 14617003, 19037157, -15039908, 19766093, -14906429, 5169211, 16191880, 2128236, -4326833}, + FieldElement{-16981152, 4124966, -8540610, -10653797, 30336522, -14105247, -29806336, 916033, -6882542, -2986532}, + FieldElement{-22630907, 12419372, -7134229, -7473371, -16478904, 16739175, 285431, 2763829, 15736322, 4143876}, + }, + { + FieldElement{2379352, 11839345, -4110402, -5988665, 11274298, 794957, 212801, -14594663, 23527084, -16458268}, + FieldElement{33431127, -11130478, -17838966, -15626900, 8909499, 8376530, -32625340, 4087881, -15188911, -14416214}, + FieldElement{1767683, 7197987, -13205226, -2022635, -13091350, 448826, 5799055, 4357868, -4774191, -16323038}, + }, + }, + { + { + FieldElement{6721966, 13833823, -23523388, -1551314, 26354293, -11863321, 23365147, -3949732, 7390890, 2759800}, + FieldElement{4409041, 2052381, 23373853, 10530217, 7676779, -12885954, 21302353, -4264057, 1244380, -12919645}, + FieldElement{-4421239, 7169619, 4982368, -2957590, 30256825, -2777540, 14086413, 9208236, 15886429, 16489664}, + }, + { + FieldElement{1996075, 10375649, 14346367, 13311202, -6874135, -16438411, -13693198, 398369, -30606455, -712933}, + FieldElement{-25307465, 9795880, -2777414, 14878809, -33531835, 14780363, 13348553, 12076947, -30836462, 5113182}, + FieldElement{-17770784, 11797796, 31950843, 13929123, -25888302, 12288344, -30341101, -7336386, 13847711, 5387222}, + }, + { + FieldElement{-18582163, -3416217, 17824843, -2340966, 22744343, -10442611, 8763061, 3617786, -19600662, 10370991}, + FieldElement{20246567, -14369378, 22358229, -543712, 18507283, -10413996, 14554437, -8746092, 32232924, 16763880}, + FieldElement{9648505, 10094563, 26416693, 14745928, -30374318, -6472621, 11094161, 15689506, 3140038, -16510092}, + }, + { + FieldElement{-16160072, 5472695, 31895588, 4744994, 8823515, 10365685, -27224800, 9448613, -28774454, 366295}, + FieldElement{19153450, 11523972, -11096490, -6503142, -24647631, 5420647, 28344573, 8041113, 719605, 11671788}, + FieldElement{8678025, 2694440, -6808014, 2517372, 4964326, 11152271, -15432916, -15266516, 27000813, -10195553}, + }, + { + FieldElement{-15157904, 7134312, 8639287, -2814877, -7235688, 10421742, 564065, 5336097, 6750977, -14521026}, + FieldElement{11836410, -3979488, 26297894, 16080799, 23455045, 15735944, 1695823, -8819122, 8169720, 16220347}, + FieldElement{-18115838, 8653647, 17578566, -6092619, -8025777, -16012763, -11144307, -2627664, -5990708, -14166033}, + }, + { + FieldElement{-23308498, -10968312, 15213228, -10081214, -30853605, -11050004, 27884329, 2847284, 2655861, 1738395}, + FieldElement{-27537433, -14253021, -25336301, -8002780, -9370762, 8129821, 21651608, -3239336, -19087449, -11005278}, + FieldElement{1533110, 3437855, 23735889, 459276, 29970501, 11335377, 26030092, 5821408, 10478196, 8544890}, + }, + { + FieldElement{32173121, -16129311, 24896207, 3921497, 22579056, -3410854, 19270449, 12217473, 17789017, -3395995}, + FieldElement{-30552961, -2228401, -15578829, -10147201, 13243889, 517024, 15479401, -3853233, 30460520, 1052596}, + FieldElement{-11614875, 13323618, 32618793, 8175907, -15230173, 12596687, 27491595, -4612359, 3179268, -9478891}, + }, + { + FieldElement{31947069, -14366651, -4640583, -15339921, -15125977, -6039709, -14756777, -16411740, 19072640, -9511060}, + FieldElement{11685058, 11822410, 3158003, -13952594, 33402194, -4165066, 5977896, -5215017, 473099, 5040608}, + FieldElement{-20290863, 8198642, -27410132, 11602123, 1290375, -2799760, 28326862, 1721092, -19558642, -3131606}, + }, + }, + { + { + FieldElement{7881532, 10687937, 7578723, 7738378, -18951012, -2553952, 21820786, 8076149, -27868496, 11538389}, + FieldElement{-19935666, 3899861, 18283497, -6801568, -15728660, -11249211, 8754525, 7446702, -5676054, 5797016}, + FieldElement{-11295600, -3793569, -15782110, -7964573, 12708869, -8456199, 2014099, -9050574, -2369172, -5877341}, + }, + { + FieldElement{-22472376, -11568741, -27682020, 1146375, 18956691, 16640559, 1192730, -3714199, 15123619, 10811505}, + FieldElement{14352098, -3419715, -18942044, 10822655, 32750596, 4699007, -70363, 15776356, -28886779, -11974553}, + FieldElement{-28241164, -8072475, -4978962, -5315317, 29416931, 1847569, -20654173, -16484855, 4714547, -9600655}, + }, + { + FieldElement{15200332, 8368572, 19679101, 15970074, -31872674, 1959451, 24611599, -4543832, -11745876, 12340220}, + FieldElement{12876937, -10480056, 33134381, 6590940, -6307776, 14872440, 9613953, 8241152, 15370987, 9608631}, + FieldElement{-4143277, -12014408, 8446281, -391603, 4407738, 13629032, -7724868, 15866074, -28210621, -8814099}, + }, + { + FieldElement{26660628, -15677655, 8393734, 358047, -7401291, 992988, -23904233, 858697, 20571223, 8420556}, + FieldElement{14620715, 13067227, -15447274, 8264467, 14106269, 15080814, 33531827, 12516406, -21574435, -12476749}, + FieldElement{236881, 10476226, 57258, -14677024, 6472998, 2466984, 17258519, 7256740, 8791136, 15069930}, + }, + { + FieldElement{1276410, -9371918, 22949635, -16322807, -23493039, -5702186, 14711875, 4874229, -30663140, -2331391}, + FieldElement{5855666, 4990204, -13711848, 7294284, -7804282, 1924647, -1423175, -7912378, -33069337, 9234253}, + FieldElement{20590503, -9018988, 31529744, -7352666, -2706834, 10650548, 31559055, -11609587, 18979186, 13396066}, + }, + { + FieldElement{24474287, 4968103, 22267082, 4407354, 24063882, -8325180, -18816887, 13594782, 33514650, 7021958}, + FieldElement{-11566906, -6565505, -21365085, 15928892, -26158305, 4315421, -25948728, -3916677, -21480480, 12868082}, + FieldElement{-28635013, 13504661, 19988037, -2132761, 21078225, 6443208, -21446107, 2244500, -12455797, -8089383}, + }, + { + FieldElement{-30595528, 13793479, -5852820, 319136, -25723172, -6263899, 33086546, 8957937, -15233648, 5540521}, + FieldElement{-11630176, -11503902, -8119500, -7643073, 2620056, 1022908, -23710744, -1568984, -16128528, -14962807}, + FieldElement{23152971, 775386, 27395463, 14006635, -9701118, 4649512, 1689819, 892185, -11513277, -15205948}, + }, + { + FieldElement{9770129, 9586738, 26496094, 4324120, 1556511, -3550024, 27453819, 4763127, -19179614, 5867134}, + FieldElement{-32765025, 1927590, 31726409, -4753295, 23962434, -16019500, 27846559, 5931263, -29749703, -16108455}, + FieldElement{27461885, -2977536, 22380810, 1815854, -23033753, -3031938, 7283490, -15148073, -19526700, 7734629}, + }, + }, + { + { + FieldElement{-8010264, -9590817, -11120403, 6196038, 29344158, -13430885, 7585295, -3176626, 18549497, 15302069}, + FieldElement{-32658337, -6171222, -7672793, -11051681, 6258878, 13504381, 10458790, -6418461, -8872242, 8424746}, + FieldElement{24687205, 8613276, -30667046, -3233545, 1863892, -1830544, 19206234, 7134917, -11284482, -828919}, + }, + { + FieldElement{11334899, -9218022, 8025293, 12707519, 17523892, -10476071, 10243738, -14685461, -5066034, 16498837}, + FieldElement{8911542, 6887158, -9584260, -6958590, 11145641, -9543680, 17303925, -14124238, 6536641, 10543906}, + FieldElement{-28946384, 15479763, -17466835, 568876, -1497683, 11223454, -2669190, -16625574, -27235709, 8876771}, + }, + { + FieldElement{-25742899, -12566864, -15649966, -846607, -33026686, -796288, -33481822, 15824474, -604426, -9039817}, + FieldElement{10330056, 70051, 7957388, -9002667, 9764902, 15609756, 27698697, -4890037, 1657394, 3084098}, + FieldElement{10477963, -7470260, 12119566, -13250805, 29016247, -5365589, 31280319, 14396151, -30233575, 15272409}, + }, + { + FieldElement{-12288309, 3169463, 28813183, 16658753, 25116432, -5630466, -25173957, -12636138, -25014757, 1950504}, + FieldElement{-26180358, 9489187, 11053416, -14746161, -31053720, 5825630, -8384306, -8767532, 15341279, 8373727}, + FieldElement{28685821, 7759505, -14378516, -12002860, -31971820, 4079242, 298136, -10232602, -2878207, 15190420}, + }, + { + FieldElement{-32932876, 13806336, -14337485, -15794431, -24004620, 10940928, 8669718, 2742393, -26033313, -6875003}, + FieldElement{-1580388, -11729417, -25979658, -11445023, -17411874, -10912854, 9291594, -16247779, -12154742, 6048605}, + FieldElement{-30305315, 14843444, 1539301, 11864366, 20201677, 1900163, 13934231, 5128323, 11213262, 9168384}, + }, + { + FieldElement{-26280513, 11007847, 19408960, -940758, -18592965, -4328580, -5088060, -11105150, 20470157, -16398701}, + FieldElement{-23136053, 9282192, 14855179, -15390078, -7362815, -14408560, -22783952, 14461608, 14042978, 5230683}, + FieldElement{29969567, -2741594, -16711867, -8552442, 9175486, -2468974, 21556951, 3506042, -5933891, -12449708}, + }, + { + FieldElement{-3144746, 8744661, 19704003, 4581278, -20430686, 6830683, -21284170, 8971513, -28539189, 15326563}, + FieldElement{-19464629, 10110288, -17262528, -3503892, -23500387, 1355669, -15523050, 15300988, -20514118, 9168260}, + FieldElement{-5353335, 4488613, -23803248, 16314347, 7780487, -15638939, -28948358, 9601605, 33087103, -9011387}, + }, + { + FieldElement{-19443170, -15512900, -20797467, -12445323, -29824447, 10229461, -27444329, -15000531, -5996870, 15664672}, + FieldElement{23294591, -16632613, -22650781, -8470978, 27844204, 11461195, 13099750, -2460356, 18151676, 13417686}, + FieldElement{-24722913, -4176517, -31150679, 5988919, -26858785, 6685065, 1661597, -12551441, 15271676, -15452665}, + }, + }, + { + { + FieldElement{11433042, -13228665, 8239631, -5279517, -1985436, -725718, -18698764, 2167544, -6921301, -13440182}, + FieldElement{-31436171, 15575146, 30436815, 12192228, -22463353, 9395379, -9917708, -8638997, 12215110, 12028277}, + FieldElement{14098400, 6555944, 23007258, 5757252, -15427832, -12950502, 30123440, 4617780, -16900089, -655628}, + }, + { + FieldElement{-4026201, -15240835, 11893168, 13718664, -14809462, 1847385, -15819999, 10154009, 23973261, -12684474}, + FieldElement{-26531820, -3695990, -1908898, 2534301, -31870557, -16550355, 18341390, -11419951, 32013174, -10103539}, + FieldElement{-25479301, 10876443, -11771086, -14625140, -12369567, 1838104, 21911214, 6354752, 4425632, -837822}, + }, + { + FieldElement{-10433389, -14612966, 22229858, -3091047, -13191166, 776729, -17415375, -12020462, 4725005, 14044970}, + FieldElement{19268650, -7304421, 1555349, 8692754, -21474059, -9910664, 6347390, -1411784, -19522291, -16109756}, + FieldElement{-24864089, 12986008, -10898878, -5558584, -11312371, -148526, 19541418, 8180106, 9282262, 10282508}, + }, + { + FieldElement{-26205082, 4428547, -8661196, -13194263, 4098402, -14165257, 15522535, 8372215, 5542595, -10702683}, + FieldElement{-10562541, 14895633, 26814552, -16673850, -17480754, -2489360, -2781891, 6993761, -18093885, 10114655}, + FieldElement{-20107055, -929418, 31422704, 10427861, -7110749, 6150669, -29091755, -11529146, 25953725, -106158}, + }, + { + FieldElement{-4234397, -8039292, -9119125, 3046000, 2101609, -12607294, 19390020, 6094296, -3315279, 12831125}, + FieldElement{-15998678, 7578152, 5310217, 14408357, -33548620, -224739, 31575954, 6326196, 7381791, -2421839}, + FieldElement{-20902779, 3296811, 24736065, -16328389, 18374254, 7318640, 6295303, 8082724, -15362489, 12339664}, + }, + { + FieldElement{27724736, 2291157, 6088201, -14184798, 1792727, 5857634, 13848414, 15768922, 25091167, 14856294}, + FieldElement{-18866652, 8331043, 24373479, 8541013, -701998, -9269457, 12927300, -12695493, -22182473, -9012899}, + FieldElement{-11423429, -5421590, 11632845, 3405020, 30536730, -11674039, -27260765, 13866390, 30146206, 9142070}, + }, + { + FieldElement{3924129, -15307516, -13817122, -10054960, 12291820, -668366, -27702774, 9326384, -8237858, 4171294}, + FieldElement{-15921940, 16037937, 6713787, 16606682, -21612135, 2790944, 26396185, 3731949, 345228, -5462949}, + FieldElement{-21327538, 13448259, 25284571, 1143661, 20614966, -8849387, 2031539, -12391231, -16253183, -13582083}, + }, + { + FieldElement{31016211, -16722429, 26371392, -14451233, -5027349, 14854137, 17477601, 3842657, 28012650, -16405420}, + FieldElement{-5075835, 9368966, -8562079, -4600902, -15249953, 6970560, -9189873, 16292057, -8867157, 3507940}, + FieldElement{29439664, 3537914, 23333589, 6997794, -17555561, -11018068, -15209202, -15051267, -9164929, 6580396}, + }, + }, + { + { + FieldElement{-12185861, -7679788, 16438269, 10826160, -8696817, -6235611, 17860444, -9273846, -2095802, 9304567}, + FieldElement{20714564, -4336911, 29088195, 7406487, 11426967, -5095705, 14792667, -14608617, 5289421, -477127}, + FieldElement{-16665533, -10650790, -6160345, -13305760, 9192020, -1802462, 17271490, 12349094, 26939669, -3752294}, + }, + { + FieldElement{-12889898, 9373458, 31595848, 16374215, 21471720, 13221525, -27283495, -12348559, -3698806, 117887}, + FieldElement{22263325, -6560050, 3984570, -11174646, -15114008, -566785, 28311253, 5358056, -23319780, 541964}, + FieldElement{16259219, 3261970, 2309254, -15534474, -16885711, -4581916, 24134070, -16705829, -13337066, -13552195}, + }, + { + FieldElement{9378160, -13140186, -22845982, -12745264, 28198281, -7244098, -2399684, -717351, 690426, 14876244}, + FieldElement{24977353, -314384, -8223969, -13465086, 28432343, -1176353, -13068804, -12297348, -22380984, 6618999}, + FieldElement{-1538174, 11685646, 12944378, 13682314, -24389511, -14413193, 8044829, -13817328, 32239829, -5652762}, + }, + { + FieldElement{-18603066, 4762990, -926250, 8885304, -28412480, -3187315, 9781647, -10350059, 32779359, 5095274}, + FieldElement{-33008130, -5214506, -32264887, -3685216, 9460461, -9327423, -24601656, 14506724, 21639561, -2630236}, + FieldElement{-16400943, -13112215, 25239338, 15531969, 3987758, -4499318, -1289502, -6863535, 17874574, 558605}, + }, + { + FieldElement{-13600129, 10240081, 9171883, 16131053, -20869254, 9599700, 33499487, 5080151, 2085892, 5119761}, + FieldElement{-22205145, -2519528, -16381601, 414691, -25019550, 2170430, 30634760, -8363614, -31999993, -5759884}, + FieldElement{-6845704, 15791202, 8550074, -1312654, 29928809, -12092256, 27534430, -7192145, -22351378, 12961482}, + }, + { + FieldElement{-24492060, -9570771, 10368194, 11582341, -23397293, -2245287, 16533930, 8206996, -30194652, -5159638}, + FieldElement{-11121496, -3382234, 2307366, 6362031, -135455, 8868177, -16835630, 7031275, 7589640, 8945490}, + FieldElement{-32152748, 8917967, 6661220, -11677616, -1192060, -15793393, 7251489, -11182180, 24099109, -14456170}, + }, + { + FieldElement{5019558, -7907470, 4244127, -14714356, -26933272, 6453165, -19118182, -13289025, -6231896, -10280736}, + FieldElement{10853594, 10721687, 26480089, 5861829, -22995819, 1972175, -1866647, -10557898, -3363451, -6441124}, + FieldElement{-17002408, 5906790, 221599, -6563147, 7828208, -13248918, 24362661, -2008168, -13866408, 7421392}, + }, + { + FieldElement{8139927, -6546497, 32257646, -5890546, 30375719, 1886181, -21175108, 15441252, 28826358, -4123029}, + FieldElement{6267086, 9695052, 7709135, -16603597, -32869068, -1886135, 14795160, -7840124, 13746021, -1742048}, + FieldElement{28584902, 7787108, -6732942, -15050729, 22846041, -7571236, -3181936, -363524, 4771362, -8419958}, + }, + }, + { + { + FieldElement{24949256, 6376279, -27466481, -8174608, -18646154, -9930606, 33543569, -12141695, 3569627, 11342593}, + FieldElement{26514989, 4740088, 27912651, 3697550, 19331575, -11472339, 6809886, 4608608, 7325975, -14801071}, + FieldElement{-11618399, -14554430, -24321212, 7655128, -1369274, 5214312, -27400540, 10258390, -17646694, -8186692}, + }, + { + FieldElement{11431204, 15823007, 26570245, 14329124, 18029990, 4796082, -31446179, 15580664, 9280358, -3973687}, + FieldElement{-160783, -10326257, -22855316, -4304997, -20861367, -13621002, -32810901, -11181622, -15545091, 4387441}, + FieldElement{-20799378, 12194512, 3937617, -5805892, -27154820, 9340370, -24513992, 8548137, 20617071, -7482001}, + }, + { + FieldElement{-938825, -3930586, -8714311, 16124718, 24603125, -6225393, -13775352, -11875822, 24345683, 10325460}, + FieldElement{-19855277, -1568885, -22202708, 8714034, 14007766, 6928528, 16318175, -1010689, 4766743, 3552007}, + FieldElement{-21751364, -16730916, 1351763, -803421, -4009670, 3950935, 3217514, 14481909, 10988822, -3994762}, + }, + { + FieldElement{15564307, -14311570, 3101243, 5684148, 30446780, -8051356, 12677127, -6505343, -8295852, 13296005}, + FieldElement{-9442290, 6624296, -30298964, -11913677, -4670981, -2057379, 31521204, 9614054, -30000824, 12074674}, + FieldElement{4771191, -135239, 14290749, -13089852, 27992298, 14998318, -1413936, -1556716, 29832613, -16391035}, + }, + { + FieldElement{7064884, -7541174, -19161962, -5067537, -18891269, -2912736, 25825242, 5293297, -27122660, 13101590}, + FieldElement{-2298563, 2439670, -7466610, 1719965, -27267541, -16328445, 32512469, -5317593, -30356070, -4190957}, + FieldElement{-30006540, 10162316, -33180176, 3981723, -16482138, -13070044, 14413974, 9515896, 19568978, 9628812}, + }, + { + FieldElement{33053803, 199357, 15894591, 1583059, 27380243, -4580435, -17838894, -6106839, -6291786, 3437740}, + FieldElement{-18978877, 3884493, 19469877, 12726490, 15913552, 13614290, -22961733, 70104, 7463304, 4176122}, + FieldElement{-27124001, 10659917, 11482427, -16070381, 12771467, -6635117, -32719404, -5322751, 24216882, 5944158}, + }, + { + FieldElement{8894125, 7450974, -2664149, -9765752, -28080517, -12389115, 19345746, 14680796, 11632993, 5847885}, + FieldElement{26942781, -2315317, 9129564, -4906607, 26024105, 11769399, -11518837, 6367194, -9727230, 4782140}, + FieldElement{19916461, -4828410, -22910704, -11414391, 25606324, -5972441, 33253853, 8220911, 6358847, -1873857}, + }, + { + FieldElement{801428, -2081702, 16569428, 11065167, 29875704, 96627, 7908388, -4480480, -13538503, 1387155}, + FieldElement{19646058, 5720633, -11416706, 12814209, 11607948, 12749789, 14147075, 15156355, -21866831, 11835260}, + FieldElement{19299512, 1155910, 28703737, 14890794, 2925026, 7269399, 26121523, 15467869, -26560550, 5052483}, + }, + }, + { + { + FieldElement{-3017432, 10058206, 1980837, 3964243, 22160966, 12322533, -6431123, -12618185, 12228557, -7003677}, + FieldElement{32944382, 14922211, -22844894, 5188528, 21913450, -8719943, 4001465, 13238564, -6114803, 8653815}, + FieldElement{22865569, -4652735, 27603668, -12545395, 14348958, 8234005, 24808405, 5719875, 28483275, 2841751}, + }, + { + FieldElement{-16420968, -1113305, -327719, -12107856, 21886282, -15552774, -1887966, -315658, 19932058, -12739203}, + FieldElement{-11656086, 10087521, -8864888, -5536143, -19278573, -3055912, 3999228, 13239134, -4777469, -13910208}, + FieldElement{1382174, -11694719, 17266790, 9194690, -13324356, 9720081, 20403944, 11284705, -14013818, 3093230}, + }, + { + FieldElement{16650921, -11037932, -1064178, 1570629, -8329746, 7352753, -302424, 16271225, -24049421, -6691850}, + FieldElement{-21911077, -5927941, -4611316, -5560156, -31744103, -10785293, 24123614, 15193618, -21652117, -16739389}, + FieldElement{-9935934, -4289447, -25279823, 4372842, 2087473, 10399484, 31870908, 14690798, 17361620, 11864968}, + }, + { + FieldElement{-11307610, 6210372, 13206574, 5806320, -29017692, -13967200, -12331205, -7486601, -25578460, -16240689}, + FieldElement{14668462, -12270235, 26039039, 15305210, 25515617, 4542480, 10453892, 6577524, 9145645, -6443880}, + FieldElement{5974874, 3053895, -9433049, -10385191, -31865124, 3225009, -7972642, 3936128, -5652273, -3050304}, + }, + { + FieldElement{30625386, -4729400, -25555961, -12792866, -20484575, 7695099, 17097188, -16303496, -27999779, 1803632}, + FieldElement{-3553091, 9865099, -5228566, 4272701, -5673832, -16689700, 14911344, 12196514, -21405489, 7047412}, + FieldElement{20093277, 9920966, -11138194, -5343857, 13161587, 12044805, -32856851, 4124601, -32343828, -10257566}, + }, + { + FieldElement{-20788824, 14084654, -13531713, 7842147, 19119038, -13822605, 4752377, -8714640, -21679658, 2288038}, + FieldElement{-26819236, -3283715, 29965059, 3039786, -14473765, 2540457, 29457502, 14625692, -24819617, 12570232}, + FieldElement{-1063558, -11551823, 16920318, 12494842, 1278292, -5869109, -21159943, -3498680, -11974704, 4724943}, + }, + { + FieldElement{17960970, -11775534, -4140968, -9702530, -8876562, -1410617, -12907383, -8659932, -29576300, 1903856}, + FieldElement{23134274, -14279132, -10681997, -1611936, 20684485, 15770816, -12989750, 3190296, 26955097, 14109738}, + FieldElement{15308788, 5320727, -30113809, -14318877, 22902008, 7767164, 29425325, -11277562, 31960942, 11934971}, + }, + { + FieldElement{-27395711, 8435796, 4109644, 12222639, -24627868, 14818669, 20638173, 4875028, 10491392, 1379718}, + FieldElement{-13159415, 9197841, 3875503, -8936108, -1383712, -5879801, 33518459, 16176658, 21432314, 12180697}, + FieldElement{-11787308, 11500838, 13787581, -13832590, -22430679, 10140205, 1465425, 12689540, -10301319, -13872883}, + }, + }, + { + { + FieldElement{5414091, -15386041, -21007664, 9643570, 12834970, 1186149, -2622916, -1342231, 26128231, 6032912}, + FieldElement{-26337395, -13766162, 32496025, -13653919, 17847801, -12669156, 3604025, 8316894, -25875034, -10437358}, + FieldElement{3296484, 6223048, 24680646, -12246460, -23052020, 5903205, -8862297, -4639164, 12376617, 3188849}, + }, + { + FieldElement{29190488, -14659046, 27549113, -1183516, 3520066, -10697301, 32049515, -7309113, -16109234, -9852307}, + FieldElement{-14744486, -9309156, 735818, -598978, -20407687, -5057904, 25246078, -15795669, 18640741, -960977}, + FieldElement{-6928835, -16430795, 10361374, 5642961, 4910474, 12345252, -31638386, -494430, 10530747, 1053335}, + }, + { + FieldElement{-29265967, -14186805, -13538216, -12117373, -19457059, -10655384, -31462369, -2948985, 24018831, 15026644}, + FieldElement{-22592535, -3145277, -2289276, 5953843, -13440189, 9425631, 25310643, 13003497, -2314791, -15145616}, + FieldElement{-27419985, -603321, -8043984, -1669117, -26092265, 13987819, -27297622, 187899, -23166419, -2531735}, + }, + { + FieldElement{-21744398, -13810475, 1844840, 5021428, -10434399, -15911473, 9716667, 16266922, -5070217, 726099}, + FieldElement{29370922, -6053998, 7334071, -15342259, 9385287, 2247707, -13661962, -4839461, 30007388, -15823341}, + FieldElement{-936379, 16086691, 23751945, -543318, -1167538, -5189036, 9137109, 730663, 9835848, 4555336}, + }, + { + FieldElement{-23376435, 1410446, -22253753, -12899614, 30867635, 15826977, 17693930, 544696, -11985298, 12422646}, + FieldElement{31117226, -12215734, -13502838, 6561947, -9876867, -12757670, -5118685, -4096706, 29120153, 13924425}, + FieldElement{-17400879, -14233209, 19675799, -2734756, -11006962, -5858820, -9383939, -11317700, 7240931, -237388}, + }, + { + FieldElement{-31361739, -11346780, -15007447, -5856218, -22453340, -12152771, 1222336, 4389483, 3293637, -15551743}, + FieldElement{-16684801, -14444245, 11038544, 11054958, -13801175, -3338533, -24319580, 7733547, 12796905, -6335822}, + FieldElement{-8759414, -10817836, -25418864, 10783769, -30615557, -9746811, -28253339, 3647836, 3222231, -11160462}, + }, + { + FieldElement{18606113, 1693100, -25448386, -15170272, 4112353, 10045021, 23603893, -2048234, -7550776, 2484985}, + FieldElement{9255317, -3131197, -12156162, -1004256, 13098013, -9214866, 16377220, -2102812, -19802075, -3034702}, + FieldElement{-22729289, 7496160, -5742199, 11329249, 19991973, -3347502, -31718148, 9936966, -30097688, -10618797}, + }, + { + FieldElement{21878590, -5001297, 4338336, 13643897, -3036865, 13160960, 19708896, 5415497, -7360503, -4109293}, + FieldElement{27736861, 10103576, 12500508, 8502413, -3413016, -9633558, 10436918, -1550276, -23659143, -8132100}, + FieldElement{19492550, -12104365, -29681976, -852630, -3208171, 12403437, 30066266, 8367329, 13243957, 8709688}, + }, + }, + { + { + FieldElement{12015105, 2801261, 28198131, 10151021, 24818120, -4743133, -11194191, -5645734, 5150968, 7274186}, + FieldElement{2831366, -12492146, 1478975, 6122054, 23825128, -12733586, 31097299, 6083058, 31021603, -9793610}, + FieldElement{-2529932, -2229646, 445613, 10720828, -13849527, -11505937, -23507731, 16354465, 15067285, -14147707}, + }, + { + FieldElement{7840942, 14037873, -33364863, 15934016, -728213, -3642706, 21403988, 1057586, -19379462, -12403220}, + FieldElement{915865, -16469274, 15608285, -8789130, -24357026, 6060030, -17371319, 8410997, -7220461, 16527025}, + FieldElement{32922597, -556987, 20336074, -16184568, 10903705, -5384487, 16957574, 52992, 23834301, 6588044}, + }, + { + FieldElement{32752030, 11232950, 3381995, -8714866, 22652988, -10744103, 17159699, 16689107, -20314580, -1305992}, + FieldElement{-4689649, 9166776, -25710296, -10847306, 11576752, 12733943, 7924251, -2752281, 1976123, -7249027}, + FieldElement{21251222, 16309901, -2983015, -6783122, 30810597, 12967303, 156041, -3371252, 12331345, -8237197}, + }, + { + FieldElement{8651614, -4477032, -16085636, -4996994, 13002507, 2950805, 29054427, -5106970, 10008136, -4667901}, + FieldElement{31486080, 15114593, -14261250, 12951354, 14369431, -7387845, 16347321, -13662089, 8684155, -10532952}, + FieldElement{19443825, 11385320, 24468943, -9659068, -23919258, 2187569, -26263207, -6086921, 31316348, 14219878}, + }, + { + FieldElement{-28594490, 1193785, 32245219, 11392485, 31092169, 15722801, 27146014, 6992409, 29126555, 9207390}, + FieldElement{32382935, 1110093, 18477781, 11028262, -27411763, -7548111, -4980517, 10843782, -7957600, -14435730}, + FieldElement{2814918, 7836403, 27519878, -7868156, -20894015, -11553689, -21494559, 8550130, 28346258, 1994730}, + }, + { + FieldElement{-19578299, 8085545, -14000519, -3948622, 2785838, -16231307, -19516951, 7174894, 22628102, 8115180}, + FieldElement{-30405132, 955511, -11133838, -15078069, -32447087, -13278079, -25651578, 3317160, -9943017, 930272}, + FieldElement{-15303681, -6833769, 28856490, 1357446, 23421993, 1057177, 24091212, -1388970, -22765376, -10650715}, + }, + { + FieldElement{-22751231, -5303997, -12907607, -12768866, -15811511, -7797053, -14839018, -16554220, -1867018, 8398970}, + FieldElement{-31969310, 2106403, -4736360, 1362501, 12813763, 16200670, 22981545, -6291273, 18009408, -15772772}, + FieldElement{-17220923, -9545221, -27784654, 14166835, 29815394, 7444469, 29551787, -3727419, 19288549, 1325865}, + }, + { + FieldElement{15100157, -15835752, -23923978, -1005098, -26450192, 15509408, 12376730, -3479146, 33166107, -8042750}, + FieldElement{20909231, 13023121, -9209752, 16251778, -5778415, -8094914, 12412151, 10018715, 2213263, -13878373}, + FieldElement{32529814, -11074689, 30361439, -16689753, -9135940, 1513226, 22922121, 6382134, -5766928, 8371348}, + }, + }, + { + { + FieldElement{9923462, 11271500, 12616794, 3544722, -29998368, -1721626, 12891687, -8193132, -26442943, 10486144}, + FieldElement{-22597207, -7012665, 8587003, -8257861, 4084309, -12970062, 361726, 2610596, -23921530, -11455195}, + FieldElement{5408411, -1136691, -4969122, 10561668, 24145918, 14240566, 31319731, -4235541, 19985175, -3436086}, + }, + { + FieldElement{-13994457, 16616821, 14549246, 3341099, 32155958, 13648976, -17577068, 8849297, 65030, 8370684}, + FieldElement{-8320926, -12049626, 31204563, 5839400, -20627288, -1057277, -19442942, 6922164, 12743482, -9800518}, + FieldElement{-2361371, 12678785, 28815050, 4759974, -23893047, 4884717, 23783145, 11038569, 18800704, 255233}, + }, + { + FieldElement{-5269658, -1773886, 13957886, 7990715, 23132995, 728773, 13393847, 9066957, 19258688, -14753793}, + FieldElement{-2936654, -10827535, -10432089, 14516793, -3640786, 4372541, -31934921, 2209390, -1524053, 2055794}, + FieldElement{580882, 16705327, 5468415, -2683018, -30926419, -14696000, -7203346, -8994389, -30021019, 7394435}, + }, + { + FieldElement{23838809, 1822728, -15738443, 15242727, 8318092, -3733104, -21672180, -3492205, -4821741, 14799921}, + FieldElement{13345610, 9759151, 3371034, -16137791, 16353039, 8577942, 31129804, 13496856, -9056018, 7402518}, + FieldElement{2286874, -4435931, -20042458, -2008336, -13696227, 5038122, 11006906, -15760352, 8205061, 1607563}, + }, + { + FieldElement{14414086, -8002132, 3331830, -3208217, 22249151, -5594188, 18364661, -2906958, 30019587, -9029278}, + FieldElement{-27688051, 1585953, -10775053, 931069, -29120221, -11002319, -14410829, 12029093, 9944378, 8024}, + FieldElement{4368715, -3709630, 29874200, -15022983, -20230386, -11410704, -16114594, -999085, -8142388, 5640030}, + }, + { + FieldElement{10299610, 13746483, 11661824, 16234854, 7630238, 5998374, 9809887, -16694564, 15219798, -14327783}, + FieldElement{27425505, -5719081, 3055006, 10660664, 23458024, 595578, -15398605, -1173195, -18342183, 9742717}, + FieldElement{6744077, 2427284, 26042789, 2720740, -847906, 1118974, 32324614, 7406442, 12420155, 1994844}, + }, + { + FieldElement{14012521, -5024720, -18384453, -9578469, -26485342, -3936439, -13033478, -10909803, 24319929, -6446333}, + FieldElement{16412690, -4507367, 10772641, 15929391, -17068788, -4658621, 10555945, -10484049, -30102368, -4739048}, + FieldElement{22397382, -7767684, -9293161, -12792868, 17166287, -9755136, -27333065, 6199366, 21880021, -12250760}, + }, + { + FieldElement{-4283307, 5368523, -31117018, 8163389, -30323063, 3209128, 16557151, 8890729, 8840445, 4957760}, + FieldElement{-15447727, 709327, -6919446, -10870178, -29777922, 6522332, -21720181, 12130072, -14796503, 5005757}, + FieldElement{-2114751, -14308128, 23019042, 15765735, -25269683, 6002752, 10183197, -13239326, -16395286, -2176112}, + }, + }, + { + { + FieldElement{-19025756, 1632005, 13466291, -7995100, -23640451, 16573537, -32013908, -3057104, 22208662, 2000468}, + FieldElement{3065073, -1412761, -25598674, -361432, -17683065, -5703415, -8164212, 11248527, -3691214, -7414184}, + FieldElement{10379208, -6045554, 8877319, 1473647, -29291284, -12507580, 16690915, 2553332, -3132688, 16400289}, + }, + { + FieldElement{15716668, 1254266, -18472690, 7446274, -8448918, 6344164, -22097271, -7285580, 26894937, 9132066}, + FieldElement{24158887, 12938817, 11085297, -8177598, -28063478, -4457083, -30576463, 64452, -6817084, -2692882}, + FieldElement{13488534, 7794716, 22236231, 5989356, 25426474, -12578208, 2350710, -3418511, -4688006, 2364226}, + }, + { + FieldElement{16335052, 9132434, 25640582, 6678888, 1725628, 8517937, -11807024, -11697457, 15445875, -7798101}, + FieldElement{29004207, -7867081, 28661402, -640412, -12794003, -7943086, 31863255, -4135540, -278050, -15759279}, + FieldElement{-6122061, -14866665, -28614905, 14569919, -10857999, -3591829, 10343412, -6976290, -29828287, -10815811}, + }, + { + FieldElement{27081650, 3463984, 14099042, -4517604, 1616303, -6205604, 29542636, 15372179, 17293797, 960709}, + FieldElement{20263915, 11434237, -5765435, 11236810, 13505955, -10857102, -16111345, 6493122, -19384511, 7639714}, + FieldElement{-2830798, -14839232, 25403038, -8215196, -8317012, -16173699, 18006287, -16043750, 29994677, -15808121}, + }, + { + FieldElement{9769828, 5202651, -24157398, -13631392, -28051003, -11561624, -24613141, -13860782, -31184575, 709464}, + FieldElement{12286395, 13076066, -21775189, -1176622, -25003198, 4057652, -32018128, -8890874, 16102007, 13205847}, + FieldElement{13733362, 5599946, 10557076, 3195751, -5557991, 8536970, -25540170, 8525972, 10151379, 10394400}, + }, + { + FieldElement{4024660, -16137551, 22436262, 12276534, -9099015, -2686099, 19698229, 11743039, -33302334, 8934414}, + FieldElement{-15879800, -4525240, -8580747, -2934061, 14634845, -698278, -9449077, 3137094, -11536886, 11721158}, + FieldElement{17555939, -5013938, 8268606, 2331751, -22738815, 9761013, 9319229, 8835153, -9205489, -1280045}, + }, + { + FieldElement{-461409, -7830014, 20614118, 16688288, -7514766, -4807119, 22300304, 505429, 6108462, -6183415}, + FieldElement{-5070281, 12367917, -30663534, 3234473, 32617080, -8422642, 29880583, -13483331, -26898490, -7867459}, + FieldElement{-31975283, 5726539, 26934134, 10237677, -3173717, -605053, 24199304, 3795095, 7592688, -14992079}, + }, + { + FieldElement{21594432, -14964228, 17466408, -4077222, 32537084, 2739898, 6407723, 12018833, -28256052, 4298412}, + FieldElement{-20650503, -11961496, -27236275, 570498, 3767144, -1717540, 13891942, -1569194, 13717174, 10805743}, + FieldElement{-14676630, -15644296, 15287174, 11927123, 24177847, -8175568, -796431, 14860609, -26938930, -5863836}, + }, + }, + { + { + FieldElement{12962541, 5311799, -10060768, 11658280, 18855286, -7954201, 13286263, -12808704, -4381056, 9882022}, + FieldElement{18512079, 11319350, -20123124, 15090309, 18818594, 5271736, -22727904, 3666879, -23967430, -3299429}, + FieldElement{-6789020, -3146043, 16192429, 13241070, 15898607, -14206114, -10084880, -6661110, -2403099, 5276065}, + }, + { + FieldElement{30169808, -5317648, 26306206, -11750859, 27814964, 7069267, 7152851, 3684982, 1449224, 13082861}, + FieldElement{10342826, 3098505, 2119311, 193222, 25702612, 12233820, 23697382, 15056736, -21016438, -8202000}, + FieldElement{-33150110, 3261608, 22745853, 7948688, 19370557, -15177665, -26171976, 6482814, -10300080, -11060101}, + }, + { + FieldElement{32869458, -5408545, 25609743, 15678670, -10687769, -15471071, 26112421, 2521008, -22664288, 6904815}, + FieldElement{29506923, 4457497, 3377935, -9796444, -30510046, 12935080, 1561737, 3841096, -29003639, -6657642}, + FieldElement{10340844, -6630377, -18656632, -2278430, 12621151, -13339055, 30878497, -11824370, -25584551, 5181966}, + }, + { + FieldElement{25940115, -12658025, 17324188, -10307374, -8671468, 15029094, 24396252, -16450922, -2322852, -12388574}, + FieldElement{-21765684, 9916823, -1300409, 4079498, -1028346, 11909559, 1782390, 12641087, 20603771, -6561742}, + FieldElement{-18882287, -11673380, 24849422, 11501709, 13161720, -4768874, 1925523, 11914390, 4662781, 7820689}, + }, + { + FieldElement{12241050, -425982, 8132691, 9393934, 32846760, -1599620, 29749456, 12172924, 16136752, 15264020}, + FieldElement{-10349955, -14680563, -8211979, 2330220, -17662549, -14545780, 10658213, 6671822, 19012087, 3772772}, + FieldElement{3753511, -3421066, 10617074, 2028709, 14841030, -6721664, 28718732, -15762884, 20527771, 12988982}, + }, + { + FieldElement{-14822485, -5797269, -3707987, 12689773, -898983, -10914866, -24183046, -10564943, 3299665, -12424953}, + FieldElement{-16777703, -15253301, -9642417, 4978983, 3308785, 8755439, 6943197, 6461331, -25583147, 8991218}, + FieldElement{-17226263, 1816362, -1673288, -6086439, 31783888, -8175991, -32948145, 7417950, -30242287, 1507265}, + }, + { + FieldElement{29692663, 6829891, -10498800, 4334896, 20945975, -11906496, -28887608, 8209391, 14606362, -10647073}, + FieldElement{-3481570, 8707081, 32188102, 5672294, 22096700, 1711240, -33020695, 9761487, 4170404, -2085325}, + FieldElement{-11587470, 14855945, -4127778, -1531857, -26649089, 15084046, 22186522, 16002000, -14276837, -8400798}, + }, + { + FieldElement{-4811456, 13761029, -31703877, -2483919, -3312471, 7869047, -7113572, -9620092, 13240845, 10965870}, + FieldElement{-7742563, -8256762, -14768334, -13656260, -23232383, 12387166, 4498947, 14147411, 29514390, 4302863}, + FieldElement{-13413405, -12407859, 20757302, -13801832, 14785143, 8976368, -5061276, -2144373, 17846988, -13971927}, + }, + }, + { + { + FieldElement{-2244452, -754728, -4597030, -1066309, -6247172, 1455299, -21647728, -9214789, -5222701, 12650267}, + FieldElement{-9906797, -16070310, 21134160, 12198166, -27064575, 708126, 387813, 13770293, -19134326, 10958663}, + FieldElement{22470984, 12369526, 23446014, -5441109, -21520802, -9698723, -11772496, -11574455, -25083830, 4271862}, + }, + { + FieldElement{-25169565, -10053642, -19909332, 15361595, -5984358, 2159192, 75375, -4278529, -32526221, 8469673}, + FieldElement{15854970, 4148314, -8893890, 7259002, 11666551, 13824734, -30531198, 2697372, 24154791, -9460943}, + FieldElement{15446137, -15806644, 29759747, 14019369, 30811221, -9610191, -31582008, 12840104, 24913809, 9815020}, + }, + { + FieldElement{-4709286, -5614269, -31841498, -12288893, -14443537, 10799414, -9103676, 13438769, 18735128, 9466238}, + FieldElement{11933045, 9281483, 5081055, -5183824, -2628162, -4905629, -7727821, -10896103, -22728655, 16199064}, + FieldElement{14576810, 379472, -26786533, -8317236, -29426508, -10812974, -102766, 1876699, 30801119, 2164795}, + }, + { + FieldElement{15995086, 3199873, 13672555, 13712240, -19378835, -4647646, -13081610, -15496269, -13492807, 1268052}, + FieldElement{-10290614, -3659039, -3286592, 10948818, 23037027, 3794475, -3470338, -12600221, -17055369, 3565904}, + FieldElement{29210088, -9419337, -5919792, -4952785, 10834811, -13327726, -16512102, -10820713, -27162222, -14030531}, + }, + { + FieldElement{-13161890, 15508588, 16663704, -8156150, -28349942, 9019123, -29183421, -3769423, 2244111, -14001979}, + FieldElement{-5152875, -3800936, -9306475, -6071583, 16243069, 14684434, -25673088, -16180800, 13491506, 4641841}, + FieldElement{10813417, 643330, -19188515, -728916, 30292062, -16600078, 27548447, -7721242, 14476989, -12767431}, + }, + { + FieldElement{10292079, 9984945, 6481436, 8279905, -7251514, 7032743, 27282937, -1644259, -27912810, 12651324}, + FieldElement{-31185513, -813383, 22271204, 11835308, 10201545, 15351028, 17099662, 3988035, 21721536, -3148940}, + FieldElement{10202177, -6545839, -31373232, -9574638, -32150642, -8119683, -12906320, 3852694, 13216206, 14842320}, + }, + { + FieldElement{-15815640, -10601066, -6538952, -7258995, -6984659, -6581778, -31500847, 13765824, -27434397, 9900184}, + FieldElement{14465505, -13833331, -32133984, -14738873, -27443187, 12990492, 33046193, 15796406, -7051866, -8040114}, + FieldElement{30924417, -8279620, 6359016, -12816335, 16508377, 9071735, -25488601, 15413635, 9524356, -7018878}, + }, + { + FieldElement{12274201, -13175547, 32627641, -1785326, 6736625, 13267305, 5237659, -5109483, 15663516, 4035784}, + FieldElement{-2951309, 8903985, 17349946, 601635, -16432815, -4612556, -13732739, -15889334, -22258478, 4659091}, + FieldElement{-16916263, -4952973, -30393711, -15158821, 20774812, 15897498, 5736189, 15026997, -2178256, -13455585}, + }, + }, + { + { + FieldElement{-8858980, -2219056, 28571666, -10155518, -474467, -10105698, -3801496, 278095, 23440562, -290208}, + FieldElement{10226241, -5928702, 15139956, 120818, -14867693, 5218603, 32937275, 11551483, -16571960, -7442864}, + FieldElement{17932739, -12437276, -24039557, 10749060, 11316803, 7535897, 22503767, 5561594, -3646624, 3898661}, + }, + { + FieldElement{7749907, -969567, -16339731, -16464, -25018111, 15122143, -1573531, 7152530, 21831162, 1245233}, + FieldElement{26958459, -14658026, 4314586, 8346991, -5677764, 11960072, -32589295, -620035, -30402091, -16716212}, + FieldElement{-12165896, 9166947, 33491384, 13673479, 29787085, 13096535, 6280834, 14587357, -22338025, 13987525}, + }, + { + FieldElement{-24349909, 7778775, 21116000, 15572597, -4833266, -5357778, -4300898, -5124639, -7469781, -2858068}, + FieldElement{9681908, -6737123, -31951644, 13591838, -6883821, 386950, 31622781, 6439245, -14581012, 4091397}, + FieldElement{-8426427, 1470727, -28109679, -1596990, 3978627, -5123623, -19622683, 12092163, 29077877, -14741988}, + }, + { + FieldElement{5269168, -6859726, -13230211, -8020715, 25932563, 1763552, -5606110, -5505881, -20017847, 2357889}, + FieldElement{32264008, -15407652, -5387735, -1160093, -2091322, -3946900, 23104804, -12869908, 5727338, 189038}, + FieldElement{14609123, -8954470, -6000566, -16622781, -14577387, -7743898, -26745169, 10942115, -25888931, -14884697}, + }, + { + FieldElement{20513500, 5557931, -15604613, 7829531, 26413943, -2019404, -21378968, 7471781, 13913677, -5137875}, + FieldElement{-25574376, 11967826, 29233242, 12948236, -6754465, 4713227, -8940970, 14059180, 12878652, 8511905}, + FieldElement{-25656801, 3393631, -2955415, -7075526, -2250709, 9366908, -30223418, 6812974, 5568676, -3127656}, + }, + { + FieldElement{11630004, 12144454, 2116339, 13606037, 27378885, 15676917, -17408753, -13504373, -14395196, 8070818}, + FieldElement{27117696, -10007378, -31282771, -5570088, 1127282, 12772488, -29845906, 10483306, -11552749, -1028714}, + FieldElement{10637467, -5688064, 5674781, 1072708, -26343588, -6982302, -1683975, 9177853, -27493162, 15431203}, + }, + { + FieldElement{20525145, 10892566, -12742472, 12779443, -29493034, 16150075, -28240519, 14943142, -15056790, -7935931}, + FieldElement{-30024462, 5626926, -551567, -9981087, 753598, 11981191, 25244767, -3239766, -3356550, 9594024}, + FieldElement{-23752644, 2636870, -5163910, -10103818, 585134, 7877383, 11345683, -6492290, 13352335, -10977084}, + }, + { + FieldElement{-1931799, -5407458, 3304649, -12884869, 17015806, -4877091, -29783850, -7752482, -13215537, -319204}, + FieldElement{20239939, 6607058, 6203985, 3483793, -18386976, -779229, -20723742, 15077870, -22750759, 14523817}, + FieldElement{27406042, -6041657, 27423596, -4497394, 4996214, 10002360, -28842031, -4545494, -30172742, -4805667}, + }, + }, + { + { + FieldElement{11374242, 12660715, 17861383, -12540833, 10935568, 1099227, -13886076, -9091740, -27727044, 11358504}, + FieldElement{-12730809, 10311867, 1510375, 10778093, -2119455, -9145702, 32676003, 11149336, -26123651, 4985768}, + FieldElement{-19096303, 341147, -6197485, -239033, 15756973, -8796662, -983043, 13794114, -19414307, -15621255}, + }, + { + FieldElement{6490081, 11940286, 25495923, -7726360, 8668373, -8751316, 3367603, 6970005, -1691065, -9004790}, + FieldElement{1656497, 13457317, 15370807, 6364910, 13605745, 8362338, -19174622, -5475723, -16796596, -5031438}, + FieldElement{-22273315, -13524424, -64685, -4334223, -18605636, -10921968, -20571065, -7007978, -99853, -10237333}, + }, + { + FieldElement{17747465, 10039260, 19368299, -4050591, -20630635, -16041286, 31992683, -15857976, -29260363, -5511971}, + FieldElement{31932027, -4986141, -19612382, 16366580, 22023614, 88450, 11371999, -3744247, 4882242, -10626905}, + FieldElement{29796507, 37186, 19818052, 10115756, -11829032, 3352736, 18551198, 3272828, -5190932, -4162409}, + }, + { + FieldElement{12501286, 4044383, -8612957, -13392385, -32430052, 5136599, -19230378, -3529697, 330070, -3659409}, + FieldElement{6384877, 2899513, 17807477, 7663917, -2358888, 12363165, 25366522, -8573892, -271295, 12071499}, + FieldElement{-8365515, -4042521, 25133448, -4517355, -6211027, 2265927, -32769618, 1936675, -5159697, 3829363}, + }, + { + FieldElement{28425966, -5835433, -577090, -4697198, -14217555, 6870930, 7921550, -6567787, 26333140, 14267664}, + FieldElement{-11067219, 11871231, 27385719, -10559544, -4585914, -11189312, 10004786, -8709488, -21761224, 8930324}, + FieldElement{-21197785, -16396035, 25654216, -1725397, 12282012, 11008919, 1541940, 4757911, -26491501, -16408940}, + }, + { + FieldElement{13537262, -7759490, -20604840, 10961927, -5922820, -13218065, -13156584, 6217254, -15943699, 13814990}, + FieldElement{-17422573, 15157790, 18705543, 29619, 24409717, -260476, 27361681, 9257833, -1956526, -1776914}, + FieldElement{-25045300, -10191966, 15366585, 15166509, -13105086, 8423556, -29171540, 12361135, -18685978, 4578290}, + }, + { + FieldElement{24579768, 3711570, 1342322, -11180126, -27005135, 14124956, -22544529, 14074919, 21964432, 8235257}, + FieldElement{-6528613, -2411497, 9442966, -5925588, 12025640, -1487420, -2981514, -1669206, 13006806, 2355433}, + FieldElement{-16304899, -13605259, -6632427, -5142349, 16974359, -10911083, 27202044, 1719366, 1141648, -12796236}, + }, + { + FieldElement{-12863944, -13219986, -8318266, -11018091, -6810145, -4843894, 13475066, -3133972, 32674895, 13715045}, + FieldElement{11423335, -5468059, 32344216, 8962751, 24989809, 9241752, -13265253, 16086212, -28740881, -15642093}, + FieldElement{-1409668, 12530728, -6368726, 10847387, 19531186, -14132160, -11709148, 7791794, -27245943, 4383347}, + }, + }, + { + { + FieldElement{-28970898, 5271447, -1266009, -9736989, -12455236, 16732599, -4862407, -4906449, 27193557, 6245191}, + FieldElement{-15193956, 5362278, -1783893, 2695834, 4960227, 12840725, 23061898, 3260492, 22510453, 8577507}, + FieldElement{-12632451, 11257346, -32692994, 13548177, -721004, 10879011, 31168030, 13952092, -29571492, -3635906}, + }, + { + FieldElement{3877321, -9572739, 32416692, 5405324, -11004407, -13656635, 3759769, 11935320, 5611860, 8164018}, + FieldElement{-16275802, 14667797, 15906460, 12155291, -22111149, -9039718, 32003002, -8832289, 5773085, -8422109}, + FieldElement{-23788118, -8254300, 1950875, 8937633, 18686727, 16459170, -905725, 12376320, 31632953, 190926}, + }, + { + FieldElement{-24593607, -16138885, -8423991, 13378746, 14162407, 6901328, -8288749, 4508564, -25341555, -3627528}, + FieldElement{8884438, -5884009, 6023974, 10104341, -6881569, -4941533, 18722941, -14786005, -1672488, 827625}, + FieldElement{-32720583, -16289296, -32503547, 7101210, 13354605, 2659080, -1800575, -14108036, -24878478, 1541286}, + }, + { + FieldElement{2901347, -1117687, 3880376, -10059388, -17620940, -3612781, -21802117, -3567481, 20456845, -1885033}, + FieldElement{27019610, 12299467, -13658288, -1603234, -12861660, -4861471, -19540150, -5016058, 29439641, 15138866}, + FieldElement{21536104, -6626420, -32447818, -10690208, -22408077, 5175814, -5420040, -16361163, 7779328, 109896}, + }, + { + FieldElement{30279744, 14648750, -8044871, 6425558, 13639621, -743509, 28698390, 12180118, 23177719, -554075}, + FieldElement{26572847, 3405927, -31701700, 12890905, -19265668, 5335866, -6493768, 2378492, 4439158, -13279347}, + FieldElement{-22716706, 3489070, -9225266, -332753, 18875722, -1140095, 14819434, -12731527, -17717757, -5461437}, + }, + { + FieldElement{-5056483, 16566551, 15953661, 3767752, -10436499, 15627060, -820954, 2177225, 8550082, -15114165}, + FieldElement{-18473302, 16596775, -381660, 15663611, 22860960, 15585581, -27844109, -3582739, -23260460, -8428588}, + FieldElement{-32480551, 15707275, -8205912, -5652081, 29464558, 2713815, -22725137, 15860482, -21902570, 1494193}, + }, + { + FieldElement{-19562091, -14087393, -25583872, -9299552, 13127842, 759709, 21923482, 16529112, 8742704, 12967017}, + FieldElement{-28464899, 1553205, 32536856, -10473729, -24691605, -406174, -8914625, -2933896, -29903758, 15553883}, + FieldElement{21877909, 3230008, 9881174, 10539357, -4797115, 2841332, 11543572, 14513274, 19375923, -12647961}, + }, + { + FieldElement{8832269, -14495485, 13253511, 5137575, 5037871, 4078777, 24880818, -6222716, 2862653, 9455043}, + FieldElement{29306751, 5123106, 20245049, -14149889, 9592566, 8447059, -2077124, -2990080, 15511449, 4789663}, + FieldElement{-20679756, 7004547, 8824831, -9434977, -4045704, -3750736, -5754762, 108893, 23513200, 16652362}, + }, + }, + { + { + FieldElement{-33256173, 4144782, -4476029, -6579123, 10770039, -7155542, -6650416, -12936300, -18319198, 10212860}, + FieldElement{2756081, 8598110, 7383731, -6859892, 22312759, -1105012, 21179801, 2600940, -9988298, -12506466}, + FieldElement{-24645692, 13317462, -30449259, -15653928, 21365574, -10869657, 11344424, 864440, -2499677, -16710063}, + }, + { + FieldElement{-26432803, 6148329, -17184412, -14474154, 18782929, -275997, -22561534, 211300, 2719757, 4940997}, + FieldElement{-1323882, 3911313, -6948744, 14759765, -30027150, 7851207, 21690126, 8518463, 26699843, 5276295}, + FieldElement{-13149873, -6429067, 9396249, 365013, 24703301, -10488939, 1321586, 149635, -15452774, 7159369}, + }, + { + FieldElement{9987780, -3404759, 17507962, 9505530, 9731535, -2165514, 22356009, 8312176, 22477218, -8403385}, + FieldElement{18155857, -16504990, 19744716, 9006923, 15154154, -10538976, 24256460, -4864995, -22548173, 9334109}, + FieldElement{2986088, -4911893, 10776628, -3473844, 10620590, -7083203, -21413845, 14253545, -22587149, 536906}, + }, + { + FieldElement{4377756, 8115836, 24567078, 15495314, 11625074, 13064599, 7390551, 10589625, 10838060, -15420424}, + FieldElement{-19342404, 867880, 9277171, -3218459, -14431572, -1986443, 19295826, -15796950, 6378260, 699185}, + FieldElement{7895026, 4057113, -7081772, -13077756, -17886831, -323126, -716039, 15693155, -5045064, -13373962}, + }, + { + FieldElement{-7737563, -5869402, -14566319, -7406919, 11385654, 13201616, 31730678, -10962840, -3918636, -9669325}, + FieldElement{10188286, -15770834, -7336361, 13427543, 22223443, 14896287, 30743455, 7116568, -21786507, 5427593}, + FieldElement{696102, 13206899, 27047647, -10632082, 15285305, -9853179, 10798490, -4578720, 19236243, 12477404}, + }, + { + FieldElement{-11229439, 11243796, -17054270, -8040865, -788228, -8167967, -3897669, 11180504, -23169516, 7733644}, + FieldElement{17800790, -14036179, -27000429, -11766671, 23887827, 3149671, 23466177, -10538171, 10322027, 15313801}, + FieldElement{26246234, 11968874, 32263343, -5468728, 6830755, -13323031, -15794704, -101982, -24449242, 10890804}, + }, + { + FieldElement{-31365647, 10271363, -12660625, -6267268, 16690207, -13062544, -14982212, 16484931, 25180797, -5334884}, + FieldElement{-586574, 10376444, -32586414, -11286356, 19801893, 10997610, 2276632, 9482883, 316878, 13820577}, + FieldElement{-9882808, -4510367, -2115506, 16457136, -11100081, 11674996, 30756178, -7515054, 30696930, -3712849}, + }, + { + FieldElement{32988917, -9603412, 12499366, 7910787, -10617257, -11931514, -7342816, -9985397, -32349517, 7392473}, + FieldElement{-8855661, 15927861, 9866406, -3649411, -2396914, -16655781, -30409476, -9134995, 25112947, -2926644}, + FieldElement{-2504044, -436966, 25621774, -5678772, 15085042, -5479877, -24884878, -13526194, 5537438, -13914319}, + }, + }, + { + { + FieldElement{-11225584, 2320285, -9584280, 10149187, -33444663, 5808648, -14876251, -1729667, 31234590, 6090599}, + FieldElement{-9633316, 116426, 26083934, 2897444, -6364437, -2688086, 609721, 15878753, -6970405, -9034768}, + FieldElement{-27757857, 247744, -15194774, -9002551, 23288161, -10011936, -23869595, 6503646, 20650474, 1804084}, + }, + { + FieldElement{-27589786, 15456424, 8972517, 8469608, 15640622, 4439847, 3121995, -10329713, 27842616, -202328}, + FieldElement{-15306973, 2839644, 22530074, 10026331, 4602058, 5048462, 28248656, 5031932, -11375082, 12714369}, + FieldElement{20807691, -7270825, 29286141, 11421711, -27876523, -13868230, -21227475, 1035546, -19733229, 12796920}, + }, + { + FieldElement{12076899, -14301286, -8785001, -11848922, -25012791, 16400684, -17591495, -12899438, 3480665, -15182815}, + FieldElement{-32361549, 5457597, 28548107, 7833186, 7303070, -11953545, -24363064, -15921875, -33374054, 2771025}, + FieldElement{-21389266, 421932, 26597266, 6860826, 22486084, -6737172, -17137485, -4210226, -24552282, 15673397}, + }, + { + FieldElement{-20184622, 2338216, 19788685, -9620956, -4001265, -8740893, -20271184, 4733254, 3727144, -12934448}, + FieldElement{6120119, 814863, -11794402, -622716, 6812205, -15747771, 2019594, 7975683, 31123697, -10958981}, + FieldElement{30069250, -11435332, 30434654, 2958439, 18399564, -976289, 12296869, 9204260, -16432438, 9648165}, + }, + { + FieldElement{32705432, -1550977, 30705658, 7451065, -11805606, 9631813, 3305266, 5248604, -26008332, -11377501}, + FieldElement{17219865, 2375039, -31570947, -5575615, -19459679, 9219903, 294711, 15298639, 2662509, -16297073}, + FieldElement{-1172927, -7558695, -4366770, -4287744, -21346413, -8434326, 32087529, -1222777, 32247248, -14389861}, + }, + { + FieldElement{14312628, 1221556, 17395390, -8700143, -4945741, -8684635, -28197744, -9637817, -16027623, -13378845}, + FieldElement{-1428825, -9678990, -9235681, 6549687, -7383069, -468664, 23046502, 9803137, 17597934, 2346211}, + FieldElement{18510800, 15337574, 26171504, 981392, -22241552, 7827556, -23491134, -11323352, 3059833, -11782870}, + }, + { + FieldElement{10141598, 6082907, 17829293, -1947643, 9830092, 13613136, -25556636, -5544586, -33502212, 3592096}, + FieldElement{33114168, -15889352, -26525686, -13343397, 33076705, 8716171, 1151462, 1521897, -982665, -6837803}, + FieldElement{-32939165, -4255815, 23947181, -324178, -33072974, -12305637, -16637686, 3891704, 26353178, 693168}, + }, + { + FieldElement{30374239, 1595580, -16884039, 13186931, 4600344, 406904, 9585294, -400668, 31375464, 14369965}, + FieldElement{-14370654, -7772529, 1510301, 6434173, -18784789, -6262728, 32732230, -13108839, 17901441, 16011505}, + FieldElement{18171223, -11934626, -12500402, 15197122, -11038147, -15230035, -19172240, -16046376, 8764035, 12309598}, + }, + }, + { + { + FieldElement{5975908, -5243188, -19459362, -9681747, -11541277, 14015782, -23665757, 1228319, 17544096, -10593782}, + FieldElement{5811932, -1715293, 3442887, -2269310, -18367348, -8359541, -18044043, -15410127, -5565381, 12348900}, + FieldElement{-31399660, 11407555, 25755363, 6891399, -3256938, 14872274, -24849353, 8141295, -10632534, -585479}, + }, + { + FieldElement{-12675304, 694026, -5076145, 13300344, 14015258, -14451394, -9698672, -11329050, 30944593, 1130208}, + FieldElement{8247766, -6710942, -26562381, -7709309, -14401939, -14648910, 4652152, 2488540, 23550156, -271232}, + FieldElement{17294316, -3788438, 7026748, 15626851, 22990044, 113481, 2267737, -5908146, -408818, -137719}, + }, + { + FieldElement{16091085, -16253926, 18599252, 7340678, 2137637, -1221657, -3364161, 14550936, 3260525, -7166271}, + FieldElement{-4910104, -13332887, 18550887, 10864893, -16459325, -7291596, -23028869, -13204905, -12748722, 2701326}, + FieldElement{-8574695, 16099415, 4629974, -16340524, -20786213, -6005432, -10018363, 9276971, 11329923, 1862132}, + }, + { + FieldElement{14763076, -15903608, -30918270, 3689867, 3511892, 10313526, -21951088, 12219231, -9037963, -940300}, + FieldElement{8894987, -3446094, 6150753, 3013931, 301220, 15693451, -31981216, -2909717, -15438168, 11595570}, + FieldElement{15214962, 3537601, -26238722, -14058872, 4418657, -15230761, 13947276, 10730794, -13489462, -4363670}, + }, + { + FieldElement{-2538306, 7682793, 32759013, 263109, -29984731, -7955452, -22332124, -10188635, 977108, 699994}, + FieldElement{-12466472, 4195084, -9211532, 550904, -15565337, 12917920, 19118110, -439841, -30534533, -14337913}, + FieldElement{31788461, -14507657, 4799989, 7372237, 8808585, -14747943, 9408237, -10051775, 12493932, -5409317}, + }, + { + FieldElement{-25680606, 5260744, -19235809, -6284470, -3695942, 16566087, 27218280, 2607121, 29375955, 6024730}, + FieldElement{842132, -2794693, -4763381, -8722815, 26332018, -12405641, 11831880, 6985184, -9940361, 2854096}, + FieldElement{-4847262, -7969331, 2516242, -5847713, 9695691, -7221186, 16512645, 960770, 12121869, 16648078}, + }, + { + FieldElement{-15218652, 14667096, -13336229, 2013717, 30598287, -464137, -31504922, -7882064, 20237806, 2838411}, + FieldElement{-19288047, 4453152, 15298546, -16178388, 22115043, -15972604, 12544294, -13470457, 1068881, -12499905}, + FieldElement{-9558883, -16518835, 33238498, 13506958, 30505848, -1114596, -8486907, -2630053, 12521378, 4845654}, + }, + { + FieldElement{-28198521, 10744108, -2958380, 10199664, 7759311, -13088600, 3409348, -873400, -6482306, -12885870}, + FieldElement{-23561822, 6230156, -20382013, 10655314, -24040585, -11621172, 10477734, -1240216, -3113227, 13974498}, + FieldElement{12966261, 15550616, -32038948, -1615346, 21025980, -629444, 5642325, 7188737, 18895762, 12629579}, + }, + }, + { + { + FieldElement{14741879, -14946887, 22177208, -11721237, 1279741, 8058600, 11758140, 789443, 32195181, 3895677}, + FieldElement{10758205, 15755439, -4509950, 9243698, -4879422, 6879879, -2204575, -3566119, -8982069, 4429647}, + FieldElement{-2453894, 15725973, -20436342, -10410672, -5803908, -11040220, -7135870, -11642895, 18047436, -15281743}, + }, + { + FieldElement{-25173001, -11307165, 29759956, 11776784, -22262383, -15820455, 10993114, -12850837, -17620701, -9408468}, + FieldElement{21987233, 700364, -24505048, 14972008, -7774265, -5718395, 32155026, 2581431, -29958985, 8773375}, + FieldElement{-25568350, 454463, -13211935, 16126715, 25240068, 8594567, 20656846, 12017935, -7874389, -13920155}, + }, + { + FieldElement{6028182, 6263078, -31011806, -11301710, -818919, 2461772, -31841174, -5468042, -1721788, -2776725}, + FieldElement{-12278994, 16624277, 987579, -5922598, 32908203, 1248608, 7719845, -4166698, 28408820, 6816612}, + FieldElement{-10358094, -8237829, 19549651, -12169222, 22082623, 16147817, 20613181, 13982702, -10339570, 5067943}, + }, + { + FieldElement{-30505967, -3821767, 12074681, 13582412, -19877972, 2443951, -19719286, 12746132, 5331210, -10105944}, + FieldElement{30528811, 3601899, -1957090, 4619785, -27361822, -15436388, 24180793, -12570394, 27679908, -1648928}, + FieldElement{9402404, -13957065, 32834043, 10838634, -26580150, -13237195, 26653274, -8685565, 22611444, -12715406}, + }, + { + FieldElement{22190590, 1118029, 22736441, 15130463, -30460692, -5991321, 19189625, -4648942, 4854859, 6622139}, + FieldElement{-8310738, -2953450, -8262579, -3388049, -10401731, -271929, 13424426, -3567227, 26404409, 13001963}, + FieldElement{-31241838, -15415700, -2994250, 8939346, 11562230, -12840670, -26064365, -11621720, -15405155, 11020693}, + }, + { + FieldElement{1866042, -7949489, -7898649, -10301010, 12483315, 13477547, 3175636, -12424163, 28761762, 1406734}, + FieldElement{-448555, -1777666, 13018551, 3194501, -9580420, -11161737, 24760585, -4347088, 25577411, -13378680}, + FieldElement{-24290378, 4759345, -690653, -1852816, 2066747, 10693769, -29595790, 9884936, -9368926, 4745410}, + }, + { + FieldElement{-9141284, 6049714, -19531061, -4341411, -31260798, 9944276, -15462008, -11311852, 10931924, -11931931}, + FieldElement{-16561513, 14112680, -8012645, 4817318, -8040464, -11414606, -22853429, 10856641, -20470770, 13434654}, + FieldElement{22759489, -10073434, -16766264, -1871422, 13637442, -10168091, 1765144, -12654326, 28445307, -5364710}, + }, + { + FieldElement{29875063, 12493613, 2795536, -3786330, 1710620, 15181182, -10195717, -8788675, 9074234, 1167180}, + FieldElement{-26205683, 11014233, -9842651, -2635485, -26908120, 7532294, -18716888, -9535498, 3843903, 9367684}, + FieldElement{-10969595, -6403711, 9591134, 9582310, 11349256, 108879, 16235123, 8601684, -139197, 4242895}, + }, + }, + { + { + FieldElement{22092954, -13191123, -2042793, -11968512, 32186753, -11517388, -6574341, 2470660, -27417366, 16625501}, + FieldElement{-11057722, 3042016, 13770083, -9257922, 584236, -544855, -7770857, 2602725, -27351616, 14247413}, + FieldElement{6314175, -10264892, -32772502, 15957557, -10157730, 168750, -8618807, 14290061, 27108877, -1180880}, + }, + { + FieldElement{-8586597, -7170966, 13241782, 10960156, -32991015, -13794596, 33547976, -11058889, -27148451, 981874}, + FieldElement{22833440, 9293594, -32649448, -13618667, -9136966, 14756819, -22928859, -13970780, -10479804, -16197962}, + FieldElement{-7768587, 3326786, -28111797, 10783824, 19178761, 14905060, 22680049, 13906969, -15933690, 3797899}, + }, + { + FieldElement{21721356, -4212746, -12206123, 9310182, -3882239, -13653110, 23740224, -2709232, 20491983, -8042152}, + FieldElement{9209270, -15135055, -13256557, -6167798, -731016, 15289673, 25947805, 15286587, 30997318, -6703063}, + FieldElement{7392032, 16618386, 23946583, -8039892, -13265164, -1533858, -14197445, -2321576, 17649998, -250080}, + }, + { + FieldElement{-9301088, -14193827, 30609526, -3049543, -25175069, -1283752, -15241566, -9525724, -2233253, 7662146}, + FieldElement{-17558673, 1763594, -33114336, 15908610, -30040870, -12174295, 7335080, -8472199, -3174674, 3440183}, + FieldElement{-19889700, -5977008, -24111293, -9688870, 10799743, -16571957, 40450, -4431835, 4862400, 1133}, + }, + { + FieldElement{-32856209, -7873957, -5422389, 14860950, -16319031, 7956142, 7258061, 311861, -30594991, -7379421}, + FieldElement{-3773428, -1565936, 28985340, 7499440, 24445838, 9325937, 29727763, 16527196, 18278453, 15405622}, + FieldElement{-4381906, 8508652, -19898366, -3674424, -5984453, 15149970, -13313598, 843523, -21875062, 13626197}, + }, + { + FieldElement{2281448, -13487055, -10915418, -2609910, 1879358, 16164207, -10783882, 3953792, 13340839, 15928663}, + FieldElement{31727126, -7179855, -18437503, -8283652, 2875793, -16390330, -25269894, -7014826, -23452306, 5964753}, + FieldElement{4100420, -5959452, -17179337, 6017714, -18705837, 12227141, -26684835, 11344144, 2538215, -7570755}, + }, + { + FieldElement{-9433605, 6123113, 11159803, -2156608, 30016280, 14966241, -20474983, 1485421, -629256, -15958862}, + FieldElement{-26804558, 4260919, 11851389, 9658551, -32017107, 16367492, -20205425, -13191288, 11659922, -11115118}, + FieldElement{26180396, 10015009, -30844224, -8581293, 5418197, 9480663, 2231568, -10170080, 33100372, -1306171}, + }, + { + FieldElement{15121113, -5201871, -10389905, 15427821, -27509937, -15992507, 21670947, 4486675, -5931810, -14466380}, + FieldElement{16166486, -9483733, -11104130, 6023908, -31926798, -1364923, 2340060, -16254968, -10735770, -10039824}, + FieldElement{28042865, -3557089, -12126526, 12259706, -3717498, -6945899, 6766453, -8689599, 18036436, 5803270}, + }, + }, + { + { + FieldElement{-817581, 6763912, 11803561, 1585585, 10958447, -2671165, 23855391, 4598332, -6159431, -14117438}, + FieldElement{-31031306, -14256194, 17332029, -2383520, 31312682, -5967183, 696309, 50292, -20095739, 11763584}, + FieldElement{-594563, -2514283, -32234153, 12643980, 12650761, 14811489, 665117, -12613632, -19773211, -10713562}, + }, + { + FieldElement{30464590, -11262872, -4127476, -12734478, 19835327, -7105613, -24396175, 2075773, -17020157, 992471}, + FieldElement{18357185, -6994433, 7766382, 16342475, -29324918, 411174, 14578841, 8080033, -11574335, -10601610}, + FieldElement{19598397, 10334610, 12555054, 2555664, 18821899, -10339780, 21873263, 16014234, 26224780, 16452269}, + }, + { + FieldElement{-30223925, 5145196, 5944548, 16385966, 3976735, 2009897, -11377804, -7618186, -20533829, 3698650}, + FieldElement{14187449, 3448569, -10636236, -10810935, -22663880, -3433596, 7268410, -10890444, 27394301, 12015369}, + FieldElement{19695761, 16087646, 28032085, 12999827, 6817792, 11427614, 20244189, -1312777, -13259127, -3402461}, + }, + { + FieldElement{30860103, 12735208, -1888245, -4699734, -16974906, 2256940, -8166013, 12298312, -8550524, -10393462}, + FieldElement{-5719826, -11245325, -1910649, 15569035, 26642876, -7587760, -5789354, -15118654, -4976164, 12651793}, + FieldElement{-2848395, 9953421, 11531313, -5282879, 26895123, -12697089, -13118820, -16517902, 9768698, -2533218}, + }, + { + FieldElement{-24719459, 1894651, -287698, -4704085, 15348719, -8156530, 32767513, 12765450, 4940095, 10678226}, + FieldElement{18860224, 15980149, -18987240, -1562570, -26233012, -11071856, -7843882, 13944024, -24372348, 16582019}, + FieldElement{-15504260, 4970268, -29893044, 4175593, -20993212, -2199756, -11704054, 15444560, -11003761, 7989037}, + }, + { + FieldElement{31490452, 5568061, -2412803, 2182383, -32336847, 4531686, -32078269, 6200206, -19686113, -14800171}, + FieldElement{-17308668, -15879940, -31522777, -2831, -32887382, 16375549, 8680158, -16371713, 28550068, -6857132}, + FieldElement{-28126887, -5688091, 16837845, -1820458, -6850681, 12700016, -30039981, 4364038, 1155602, 5988841}, + }, + { + FieldElement{21890435, -13272907, -12624011, 12154349, -7831873, 15300496, 23148983, -4470481, 24618407, 8283181}, + FieldElement{-33136107, -10512751, 9975416, 6841041, -31559793, 16356536, 3070187, -7025928, 1466169, 10740210}, + FieldElement{-1509399, -15488185, -13503385, -10655916, 32799044, 909394, -13938903, -5779719, -32164649, -15327040}, + }, + { + FieldElement{3960823, -14267803, -28026090, -15918051, -19404858, 13146868, 15567327, 951507, -3260321, -573935}, + FieldElement{24740841, 5052253, -30094131, 8961361, 25877428, 6165135, -24368180, 14397372, -7380369, -6144105}, + FieldElement{-28888365, 3510803, -28103278, -1158478, -11238128, -10631454, -15441463, -14453128, -1625486, -6494814}, + }, + }, + { + { + FieldElement{793299, -9230478, 8836302, -6235707, -27360908, -2369593, 33152843, -4885251, -9906200, -621852}, + FieldElement{5666233, 525582, 20782575, -8038419, -24538499, 14657740, 16099374, 1468826, -6171428, -15186581}, + FieldElement{-4859255, -3779343, -2917758, -6748019, 7778750, 11688288, -30404353, -9871238, -1558923, -9863646}, + }, + { + FieldElement{10896332, -7719704, 824275, 472601, -19460308, 3009587, 25248958, 14783338, -30581476, -15757844}, + FieldElement{10566929, 12612572, -31944212, 11118703, -12633376, 12362879, 21752402, 8822496, 24003793, 14264025}, + FieldElement{27713862, -7355973, -11008240, 9227530, 27050101, 2504721, 23886875, -13117525, 13958495, -5732453}, + }, + { + FieldElement{-23481610, 4867226, -27247128, 3900521, 29838369, -8212291, -31889399, -10041781, 7340521, -15410068}, + FieldElement{4646514, -8011124, -22766023, -11532654, 23184553, 8566613, 31366726, -1381061, -15066784, -10375192}, + FieldElement{-17270517, 12723032, -16993061, 14878794, 21619651, -6197576, 27584817, 3093888, -8843694, 3849921}, + }, + { + FieldElement{-9064912, 2103172, 25561640, -15125738, -5239824, 9582958, 32477045, -9017955, 5002294, -15550259}, + FieldElement{-12057553, -11177906, 21115585, -13365155, 8808712, -12030708, 16489530, 13378448, -25845716, 12741426}, + FieldElement{-5946367, 10645103, -30911586, 15390284, -3286982, -7118677, 24306472, 15852464, 28834118, -7646072}, + }, + { + FieldElement{-17335748, -9107057, -24531279, 9434953, -8472084, -583362, -13090771, 455841, 20461858, 5491305}, + FieldElement{13669248, -16095482, -12481974, -10203039, -14569770, -11893198, -24995986, 11293807, -28588204, -9421832}, + FieldElement{28497928, 6272777, -33022994, 14470570, 8906179, -1225630, 18504674, -14165166, 29867745, -8795943}, + }, + { + FieldElement{-16207023, 13517196, -27799630, -13697798, 24009064, -6373891, -6367600, -13175392, 22853429, -4012011}, + FieldElement{24191378, 16712145, -13931797, 15217831, 14542237, 1646131, 18603514, -11037887, 12876623, -2112447}, + FieldElement{17902668, 4518229, -411702, -2829247, 26878217, 5258055, -12860753, 608397, 16031844, 3723494}, + }, + { + FieldElement{-28632773, 12763728, -20446446, 7577504, 33001348, -13017745, 17558842, -7872890, 23896954, -4314245}, + FieldElement{-20005381, -12011952, 31520464, 605201, 2543521, 5991821, -2945064, 7229064, -9919646, -8826859}, + FieldElement{28816045, 298879, -28165016, -15920938, 19000928, -1665890, -12680833, -2949325, -18051778, -2082915}, + }, + { + FieldElement{16000882, -344896, 3493092, -11447198, -29504595, -13159789, 12577740, 16041268, -19715240, 7847707}, + FieldElement{10151868, 10572098, 27312476, 7922682, 14825339, 4723128, -32855931, -6519018, -10020567, 3852848}, + FieldElement{-11430470, 15697596, -21121557, -4420647, 5386314, 15063598, 16514493, -15932110, 29330899, -15076224}, + }, + }, + { + { + FieldElement{-25499735, -4378794, -15222908, -6901211, 16615731, 2051784, 3303702, 15490, -27548796, 12314391}, + FieldElement{15683520, -6003043, 18109120, -9980648, 15337968, -5997823, -16717435, 15921866, 16103996, -3731215}, + FieldElement{-23169824, -10781249, 13588192, -1628807, -3798557, -1074929, -19273607, 5402699, -29815713, -9841101}, + }, + { + FieldElement{23190676, 2384583, -32714340, 3462154, -29903655, -1529132, -11266856, 8911517, -25205859, 2739713}, + FieldElement{21374101, -3554250, -33524649, 9874411, 15377179, 11831242, -33529904, 6134907, 4931255, 11987849}, + FieldElement{-7732, -2978858, -16223486, 7277597, 105524, -322051, -31480539, 13861388, -30076310, 10117930}, + }, + { + FieldElement{-29501170, -10744872, -26163768, 13051539, -25625564, 5089643, -6325503, 6704079, 12890019, 15728940}, + FieldElement{-21972360, -11771379, -951059, -4418840, 14704840, 2695116, 903376, -10428139, 12885167, 8311031}, + FieldElement{-17516482, 5352194, 10384213, -13811658, 7506451, 13453191, 26423267, 4384730, 1888765, -5435404}, + }, + { + FieldElement{-25817338, -3107312, -13494599, -3182506, 30896459, -13921729, -32251644, -12707869, -19464434, -3340243}, + FieldElement{-23607977, -2665774, -526091, 4651136, 5765089, 4618330, 6092245, 14845197, 17151279, -9854116}, + FieldElement{-24830458, -12733720, -15165978, 10367250, -29530908, -265356, 22825805, -7087279, -16866484, 16176525}, + }, + { + FieldElement{-23583256, 6564961, 20063689, 3798228, -4740178, 7359225, 2006182, -10363426, -28746253, -10197509}, + FieldElement{-10626600, -4486402, -13320562, -5125317, 3432136, -6393229, 23632037, -1940610, 32808310, 1099883}, + FieldElement{15030977, 5768825, -27451236, -2887299, -6427378, -15361371, -15277896, -6809350, 2051441, -15225865}, + }, + { + FieldElement{-3362323, -7239372, 7517890, 9824992, 23555850, 295369, 5148398, -14154188, -22686354, 16633660}, + FieldElement{4577086, -16752288, 13249841, -15304328, 19958763, -14537274, 18559670, -10759549, 8402478, -9864273}, + FieldElement{-28406330, -1051581, -26790155, -907698, -17212414, -11030789, 9453451, -14980072, 17983010, 9967138}, + }, + { + FieldElement{-25762494, 6524722, 26585488, 9969270, 24709298, 1220360, -1677990, 7806337, 17507396, 3651560}, + FieldElement{-10420457, -4118111, 14584639, 15971087, -15768321, 8861010, 26556809, -5574557, -18553322, -11357135}, + FieldElement{2839101, 14284142, 4029895, 3472686, 14402957, 12689363, -26642121, 8459447, -5605463, -7621941}, + }, + { + FieldElement{-4839289, -3535444, 9744961, 2871048, 25113978, 3187018, -25110813, -849066, 17258084, -7977739}, + FieldElement{18164541, -10595176, -17154882, -1542417, 19237078, -9745295, 23357533, -15217008, 26908270, 12150756}, + FieldElement{-30264870, -7647865, 5112249, -7036672, -1499807, -6974257, 43168, -5537701, -32302074, 16215819}, + }, + }, + { + { + FieldElement{-6898905, 9824394, -12304779, -4401089, -31397141, -6276835, 32574489, 12532905, -7503072, -8675347}, + FieldElement{-27343522, -16515468, -27151524, -10722951, 946346, 16291093, 254968, 7168080, 21676107, -1943028}, + FieldElement{21260961, -8424752, -16831886, -11920822, -23677961, 3968121, -3651949, -6215466, -3556191, -7913075}, + }, + { + FieldElement{16544754, 13250366, -16804428, 15546242, -4583003, 12757258, -2462308, -8680336, -18907032, -9662799}, + FieldElement{-2415239, -15577728, 18312303, 4964443, -15272530, -12653564, 26820651, 16690659, 25459437, -4564609}, + FieldElement{-25144690, 11425020, 28423002, -11020557, -6144921, -15826224, 9142795, -2391602, -6432418, -1644817}, + }, + { + FieldElement{-23104652, 6253476, 16964147, -3768872, -25113972, -12296437, -27457225, -16344658, 6335692, 7249989}, + FieldElement{-30333227, 13979675, 7503222, -12368314, -11956721, -4621693, -30272269, 2682242, 25993170, -12478523}, + FieldElement{4364628, 5930691, 32304656, -10044554, -8054781, 15091131, 22857016, -10598955, 31820368, 15075278}, + }, + { + FieldElement{31879134, -8918693, 17258761, 90626, -8041836, -4917709, 24162788, -9650886, -17970238, 12833045}, + FieldElement{19073683, 14851414, -24403169, -11860168, 7625278, 11091125, -19619190, 2074449, -9413939, 14905377}, + FieldElement{24483667, -11935567, -2518866, -11547418, -1553130, 15355506, -25282080, 9253129, 27628530, -7555480}, + }, + { + FieldElement{17597607, 8340603, 19355617, 552187, 26198470, -3176583, 4593324, -9157582, -14110875, 15297016}, + FieldElement{510886, 14337390, -31785257, 16638632, 6328095, 2713355, -20217417, -11864220, 8683221, 2921426}, + FieldElement{18606791, 11874196, 27155355, -5281482, -24031742, 6265446, -25178240, -1278924, 4674690, 13890525}, + }, + { + FieldElement{13609624, 13069022, -27372361, -13055908, 24360586, 9592974, 14977157, 9835105, 4389687, 288396}, + FieldElement{9922506, -519394, 13613107, 5883594, -18758345, -434263, -12304062, 8317628, 23388070, 16052080}, + FieldElement{12720016, 11937594, -31970060, -5028689, 26900120, 8561328, -20155687, -11632979, -14754271, -10812892}, + }, + { + FieldElement{15961858, 14150409, 26716931, -665832, -22794328, 13603569, 11829573, 7467844, -28822128, 929275}, + FieldElement{11038231, -11582396, -27310482, -7316562, -10498527, -16307831, -23479533, -9371869, -21393143, 2465074}, + FieldElement{20017163, -4323226, 27915242, 1529148, 12396362, 15675764, 13817261, -9658066, 2463391, -4622140}, + }, + { + FieldElement{-16358878, -12663911, -12065183, 4996454, -1256422, 1073572, 9583558, 12851107, 4003896, 12673717}, + FieldElement{-1731589, -15155870, -3262930, 16143082, 19294135, 13385325, 14741514, -9103726, 7903886, 2348101}, + FieldElement{24536016, -16515207, 12715592, -3862155, 1511293, 10047386, -3842346, -7129159, -28377538, 10048127}, + }, + }, + { + { + FieldElement{-12622226, -6204820, 30718825, 2591312, -10617028, 12192840, 18873298, -7297090, -32297756, 15221632}, + FieldElement{-26478122, -11103864, 11546244, -1852483, 9180880, 7656409, -21343950, 2095755, 29769758, 6593415}, + FieldElement{-31994208, -2907461, 4176912, 3264766, 12538965, -868111, 26312345, -6118678, 30958054, 8292160}, + }, + { + FieldElement{31429822, -13959116, 29173532, 15632448, 12174511, -2760094, 32808831, 3977186, 26143136, -3148876}, + FieldElement{22648901, 1402143, -22799984, 13746059, 7936347, 365344, -8668633, -1674433, -3758243, -2304625}, + FieldElement{-15491917, 8012313, -2514730, -12702462, -23965846, -10254029, -1612713, -1535569, -16664475, 8194478}, + }, + { + FieldElement{27338066, -7507420, -7414224, 10140405, -19026427, -6589889, 27277191, 8855376, 28572286, 3005164}, + FieldElement{26287124, 4821776, 25476601, -4145903, -3764513, -15788984, -18008582, 1182479, -26094821, -13079595}, + FieldElement{-7171154, 3178080, 23970071, 6201893, -17195577, -4489192, -21876275, -13982627, 32208683, -1198248}, + }, + { + FieldElement{-16657702, 2817643, -10286362, 14811298, 6024667, 13349505, -27315504, -10497842, -27672585, -11539858}, + FieldElement{15941029, -9405932, -21367050, 8062055, 31876073, -238629, -15278393, -1444429, 15397331, -4130193}, + FieldElement{8934485, -13485467, -23286397, -13423241, -32446090, 14047986, 31170398, -1441021, -27505566, 15087184}, + }, + { + FieldElement{-18357243, -2156491, 24524913, -16677868, 15520427, -6360776, -15502406, 11461896, 16788528, -5868942}, + FieldElement{-1947386, 16013773, 21750665, 3714552, -17401782, -16055433, -3770287, -10323320, 31322514, -11615635}, + FieldElement{21426655, -5650218, -13648287, -5347537, -28812189, -4920970, -18275391, -14621414, 13040862, -12112948}, + }, + { + FieldElement{11293895, 12478086, -27136401, 15083750, -29307421, 14748872, 14555558, -13417103, 1613711, 4896935}, + FieldElement{-25894883, 15323294, -8489791, -8057900, 25967126, -13425460, 2825960, -4897045, -23971776, -11267415}, + FieldElement{-15924766, -5229880, -17443532, 6410664, 3622847, 10243618, 20615400, 12405433, -23753030, -8436416}, + }, + { + FieldElement{-7091295, 12556208, -20191352, 9025187, -17072479, 4333801, 4378436, 2432030, 23097949, -566018}, + FieldElement{4565804, -16025654, 20084412, -7842817, 1724999, 189254, 24767264, 10103221, -18512313, 2424778}, + FieldElement{366633, -11976806, 8173090, -6890119, 30788634, 5745705, -7168678, 1344109, -3642553, 12412659}, + }, + { + FieldElement{-24001791, 7690286, 14929416, -168257, -32210835, -13412986, 24162697, -15326504, -3141501, 11179385}, + FieldElement{18289522, -14724954, 8056945, 16430056, -21729724, 7842514, -6001441, -1486897, -18684645, -11443503}, + FieldElement{476239, 6601091, -6152790, -9723375, 17503545, -4863900, 27672959, 13403813, 11052904, 5219329}, + }, + }, + { + { + FieldElement{20678546, -8375738, -32671898, 8849123, -5009758, 14574752, 31186971, -3973730, 9014762, -8579056}, + FieldElement{-13644050, -10350239, -15962508, 5075808, -1514661, -11534600, -33102500, 9160280, 8473550, -3256838}, + FieldElement{24900749, 14435722, 17209120, -15292541, -22592275, 9878983, -7689309, -16335821, -24568481, 11788948}, + }, + { + FieldElement{-3118155, -11395194, -13802089, 14797441, 9652448, -6845904, -20037437, 10410733, -24568470, -1458691}, + FieldElement{-15659161, 16736706, -22467150, 10215878, -9097177, 7563911, 11871841, -12505194, -18513325, 8464118}, + FieldElement{-23400612, 8348507, -14585951, -861714, -3950205, -6373419, 14325289, 8628612, 33313881, -8370517}, + }, + { + FieldElement{-20186973, -4967935, 22367356, 5271547, -1097117, -4788838, -24805667, -10236854, -8940735, -5818269}, + FieldElement{-6948785, -1795212, -32625683, -16021179, 32635414, -7374245, 15989197, -12838188, 28358192, -4253904}, + FieldElement{-23561781, -2799059, -32351682, -1661963, -9147719, 10429267, -16637684, 4072016, -5351664, 5596589}, + }, + { + FieldElement{-28236598, -3390048, 12312896, 6213178, 3117142, 16078565, 29266239, 2557221, 1768301, 15373193}, + FieldElement{-7243358, -3246960, -4593467, -7553353, -127927, -912245, -1090902, -4504991, -24660491, 3442910}, + FieldElement{-30210571, 5124043, 14181784, 8197961, 18964734, -11939093, 22597931, 7176455, -18585478, 13365930}, + }, + { + FieldElement{-7877390, -1499958, 8324673, 4690079, 6261860, 890446, 24538107, -8570186, -9689599, -3031667}, + FieldElement{25008904, -10771599, -4305031, -9638010, 16265036, 15721635, 683793, -11823784, 15723479, -15163481}, + FieldElement{-9660625, 12374379, -27006999, -7026148, -7724114, -12314514, 11879682, 5400171, 519526, -1235876}, + }, + { + FieldElement{22258397, -16332233, -7869817, 14613016, -22520255, -2950923, -20353881, 7315967, 16648397, 7605640}, + FieldElement{-8081308, -8464597, -8223311, 9719710, 19259459, -15348212, 23994942, -5281555, -9468848, 4763278}, + FieldElement{-21699244, 9220969, -15730624, 1084137, -25476107, -2852390, 31088447, -7764523, -11356529, 728112}, + }, + { + FieldElement{26047220, -11751471, -6900323, -16521798, 24092068, 9158119, -4273545, -12555558, -29365436, -5498272}, + FieldElement{17510331, -322857, 5854289, 8403524, 17133918, -3112612, -28111007, 12327945, 10750447, 10014012}, + FieldElement{-10312768, 3936952, 9156313, -8897683, 16498692, -994647, -27481051, -666732, 3424691, 7540221}, + }, + { + FieldElement{30322361, -6964110, 11361005, -4143317, 7433304, 4989748, -7071422, -16317219, -9244265, 15258046}, + FieldElement{13054562, -2779497, 19155474, 469045, -12482797, 4566042, 5631406, 2711395, 1062915, -5136345}, + FieldElement{-19240248, -11254599, -29509029, -7499965, -5835763, 13005411, -6066489, 12194497, 32960380, 1459310}, + }, + }, + { + { + FieldElement{19852034, 7027924, 23669353, 10020366, 8586503, -6657907, 394197, -6101885, 18638003, -11174937}, + FieldElement{31395534, 15098109, 26581030, 8030562, -16527914, -5007134, 9012486, -7584354, -6643087, -5442636}, + FieldElement{-9192165, -2347377, -1997099, 4529534, 25766844, 607986, -13222, 9677543, -32294889, -6456008}, + }, + { + FieldElement{-2444496, -149937, 29348902, 8186665, 1873760, 12489863, -30934579, -7839692, -7852844, -8138429}, + FieldElement{-15236356, -15433509, 7766470, 746860, 26346930, -10221762, -27333451, 10754588, -9431476, 5203576}, + FieldElement{31834314, 14135496, -770007, 5159118, 20917671, -16768096, -7467973, -7337524, 31809243, 7347066}, + }, + { + FieldElement{-9606723, -11874240, 20414459, 13033986, 13716524, -11691881, 19797970, -12211255, 15192876, -2087490}, + FieldElement{-12663563, -2181719, 1168162, -3804809, 26747877, -14138091, 10609330, 12694420, 33473243, -13382104}, + FieldElement{33184999, 11180355, 15832085, -11385430, -1633671, 225884, 15089336, -11023903, -6135662, 14480053}, + }, + { + FieldElement{31308717, -5619998, 31030840, -1897099, 15674547, -6582883, 5496208, 13685227, 27595050, 8737275}, + FieldElement{-20318852, -15150239, 10933843, -16178022, 8335352, -7546022, -31008351, -12610604, 26498114, 66511}, + FieldElement{22644454, -8761729, -16671776, 4884562, -3105614, -13559366, 30540766, -4286747, -13327787, -7515095}, + }, + { + FieldElement{-28017847, 9834845, 18617207, -2681312, -3401956, -13307506, 8205540, 13585437, -17127465, 15115439}, + FieldElement{23711543, -672915, 31206561, -8362711, 6164647, -9709987, -33535882, -1426096, 8236921, 16492939}, + FieldElement{-23910559, -13515526, -26299483, -4503841, 25005590, -7687270, 19574902, 10071562, 6708380, -6222424}, + }, + { + FieldElement{2101391, -4930054, 19702731, 2367575, -15427167, 1047675, 5301017, 9328700, 29955601, -11678310}, + FieldElement{3096359, 9271816, -21620864, -15521844, -14847996, -7592937, -25892142, -12635595, -9917575, 6216608}, + FieldElement{-32615849, 338663, -25195611, 2510422, -29213566, -13820213, 24822830, -6146567, -26767480, 7525079}, + }, + { + FieldElement{-23066649, -13985623, 16133487, -7896178, -3389565, 778788, -910336, -2782495, -19386633, 11994101}, + FieldElement{21691500, -13624626, -641331, -14367021, 3285881, -3483596, -25064666, 9718258, -7477437, 13381418}, + FieldElement{18445390, -4202236, 14979846, 11622458, -1727110, -3582980, 23111648, -6375247, 28535282, 15779576}, + }, + { + FieldElement{30098053, 3089662, -9234387, 16662135, -21306940, 11308411, -14068454, 12021730, 9955285, -16303356}, + FieldElement{9734894, -14576830, -7473633, -9138735, 2060392, 11313496, -18426029, 9924399, 20194861, 13380996}, + FieldElement{-26378102, -7965207, -22167821, 15789297, -18055342, -6168792, -1984914, 15707771, 26342023, 10146099}, + }, + }, + { + { + FieldElement{-26016874, -219943, 21339191, -41388, 19745256, -2878700, -29637280, 2227040, 21612326, -545728}, + FieldElement{-13077387, 1184228, 23562814, -5970442, -20351244, -6348714, 25764461, 12243797, -20856566, 11649658}, + FieldElement{-10031494, 11262626, 27384172, 2271902, 26947504, -15997771, 39944, 6114064, 33514190, 2333242}, + }, + { + FieldElement{-21433588, -12421821, 8119782, 7219913, -21830522, -9016134, -6679750, -12670638, 24350578, -13450001}, + FieldElement{-4116307, -11271533, -23886186, 4843615, -30088339, 690623, -31536088, -10406836, 8317860, 12352766}, + FieldElement{18200138, -14475911, -33087759, -2696619, -23702521, -9102511, -23552096, -2287550, 20712163, 6719373}, + }, + { + FieldElement{26656208, 6075253, -7858556, 1886072, -28344043, 4262326, 11117530, -3763210, 26224235, -3297458}, + FieldElement{-17168938, -14854097, -3395676, -16369877, -19954045, 14050420, 21728352, 9493610, 18620611, -16428628}, + FieldElement{-13323321, 13325349, 11432106, 5964811, 18609221, 6062965, -5269471, -9725556, -30701573, -16479657}, + }, + { + FieldElement{-23860538, -11233159, 26961357, 1640861, -32413112, -16737940, 12248509, -5240639, 13735342, 1934062}, + FieldElement{25089769, 6742589, 17081145, -13406266, 21909293, -16067981, -15136294, -3765346, -21277997, 5473616}, + FieldElement{31883677, -7961101, 1083432, -11572403, 22828471, 13290673, -7125085, 12469656, 29111212, -5451014}, + }, + { + FieldElement{24244947, -15050407, -26262976, 2791540, -14997599, 16666678, 24367466, 6388839, -10295587, 452383}, + FieldElement{-25640782, -3417841, 5217916, 16224624, 19987036, -4082269, -24236251, -5915248, 15766062, 8407814}, + FieldElement{-20406999, 13990231, 15495425, 16395525, 5377168, 15166495, -8917023, -4388953, -8067909, 2276718}, + }, + { + FieldElement{30157918, 12924066, -17712050, 9245753, 19895028, 3368142, -23827587, 5096219, 22740376, -7303417}, + FieldElement{2041139, -14256350, 7783687, 13876377, -25946985, -13352459, 24051124, 13742383, -15637599, 13295222}, + FieldElement{33338237, -8505733, 12532113, 7977527, 9106186, -1715251, -17720195, -4612972, -4451357, -14669444}, + }, + { + FieldElement{-20045281, 5454097, -14346548, 6447146, 28862071, 1883651, -2469266, -4141880, 7770569, 9620597}, + FieldElement{23208068, 7979712, 33071466, 8149229, 1758231, -10834995, 30945528, -1694323, -33502340, -14767970}, + FieldElement{1439958, -16270480, -1079989, -793782, 4625402, 10647766, -5043801, 1220118, 30494170, -11440799}, + }, + { + FieldElement{-5037580, -13028295, -2970559, -3061767, 15640974, -6701666, -26739026, 926050, -1684339, -13333647}, + FieldElement{13908495, -3549272, 30919928, -6273825, -21521863, 7989039, 9021034, 9078865, 3353509, 4033511}, + FieldElement{-29663431, -15113610, 32259991, -344482, 24295849, -12912123, 23161163, 8839127, 27485041, 7356032}, + }, + }, + { + { + FieldElement{9661027, 705443, 11980065, -5370154, -1628543, 14661173, -6346142, 2625015, 28431036, -16771834}, + FieldElement{-23839233, -8311415, -25945511, 7480958, -17681669, -8354183, -22545972, 14150565, 15970762, 4099461}, + FieldElement{29262576, 16756590, 26350592, -8793563, 8529671, -11208050, 13617293, -9937143, 11465739, 8317062}, + }, + { + FieldElement{-25493081, -6962928, 32500200, -9419051, -23038724, -2302222, 14898637, 3848455, 20969334, -5157516}, + FieldElement{-20384450, -14347713, -18336405, 13884722, -33039454, 2842114, -21610826, -3649888, 11177095, 14989547}, + FieldElement{-24496721, -11716016, 16959896, 2278463, 12066309, 10137771, 13515641, 2581286, -28487508, 9930240}, + }, + { + FieldElement{-17751622, -2097826, 16544300, -13009300, -15914807, -14949081, 18345767, -13403753, 16291481, -5314038}, + FieldElement{-33229194, 2553288, 32678213, 9875984, 8534129, 6889387, -9676774, 6957617, 4368891, 9788741}, + FieldElement{16660756, 7281060, -10830758, 12911820, 20108584, -8101676, -21722536, -8613148, 16250552, -11111103}, + }, + { + FieldElement{-19765507, 2390526, -16551031, 14161980, 1905286, 6414907, 4689584, 10604807, -30190403, 4782747}, + FieldElement{-1354539, 14736941, -7367442, -13292886, 7710542, -14155590, -9981571, 4383045, 22546403, 437323}, + FieldElement{31665577, -12180464, -16186830, 1491339, -18368625, 3294682, 27343084, 2786261, -30633590, -14097016}, + }, + { + FieldElement{-14467279, -683715, -33374107, 7448552, 19294360, 14334329, -19690631, 2355319, -19284671, -6114373}, + FieldElement{15121312, -15796162, 6377020, -6031361, -10798111, -12957845, 18952177, 15496498, -29380133, 11754228}, + FieldElement{-2637277, -13483075, 8488727, -14303896, 12728761, -1622493, 7141596, 11724556, 22761615, -10134141}, + }, + { + FieldElement{16918416, 11729663, -18083579, 3022987, -31015732, -13339659, -28741185, -12227393, 32851222, 11717399}, + FieldElement{11166634, 7338049, -6722523, 4531520, -29468672, -7302055, 31474879, 3483633, -1193175, -4030831}, + FieldElement{-185635, 9921305, 31456609, -13536438, -12013818, 13348923, 33142652, 6546660, -19985279, -3948376}, + }, + { + FieldElement{-32460596, 11266712, -11197107, -7899103, 31703694, 3855903, -8537131, -12833048, -30772034, -15486313}, + FieldElement{-18006477, 12709068, 3991746, -6479188, -21491523, -10550425, -31135347, -16049879, 10928917, 3011958}, + FieldElement{-6957757, -15594337, 31696059, 334240, 29576716, 14796075, -30831056, -12805180, 18008031, 10258577}, + }, + { + FieldElement{-22448644, 15655569, 7018479, -4410003, -30314266, -1201591, -1853465, 1367120, 25127874, 6671743}, + FieldElement{29701166, -14373934, -10878120, 9279288, -17568, 13127210, 21382910, 11042292, 25838796, 4642684}, + FieldElement{-20430234, 14955537, -24126347, 8124619, -5369288, -5990470, 30468147, -13900640, 18423289, 4177476}, + }, + }, +} diff --git a/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/edwards25519.go b/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/edwards25519.go new file mode 100644 index 000000000..fd03c252a --- /dev/null +++ b/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/edwards25519.go @@ -0,0 +1,1793 @@ +// Copyright 2016 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package edwards25519 + +import "encoding/binary" + +// This code is a port of the public domain, “ref10” implementation of ed25519 +// from SUPERCOP. + +// FieldElement represents an element of the field GF(2^255 - 19). An element +// t, entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77 +// t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on +// context. +type FieldElement [10]int32 + +var zero FieldElement + +func FeZero(fe *FieldElement) { + copy(fe[:], zero[:]) +} + +func FeOne(fe *FieldElement) { + FeZero(fe) + fe[0] = 1 +} + +func FeAdd(dst, a, b *FieldElement) { + dst[0] = a[0] + b[0] + dst[1] = a[1] + b[1] + dst[2] = a[2] + b[2] + dst[3] = a[3] + b[3] + dst[4] = a[4] + b[4] + dst[5] = a[5] + b[5] + dst[6] = a[6] + b[6] + dst[7] = a[7] + b[7] + dst[8] = a[8] + b[8] + dst[9] = a[9] + b[9] +} + +func FeSub(dst, a, b *FieldElement) { + dst[0] = a[0] - b[0] + dst[1] = a[1] - b[1] + dst[2] = a[2] - b[2] + dst[3] = a[3] - b[3] + dst[4] = a[4] - b[4] + dst[5] = a[5] - b[5] + dst[6] = a[6] - b[6] + dst[7] = a[7] - b[7] + dst[8] = a[8] - b[8] + dst[9] = a[9] - b[9] +} + +func FeCopy(dst, src *FieldElement) { + copy(dst[:], src[:]) +} + +// Replace (f,g) with (g,g) if b == 1; +// replace (f,g) with (f,g) if b == 0. +// +// Preconditions: b in {0,1}. +func FeCMove(f, g *FieldElement, b int32) { + b = -b + f[0] ^= b & (f[0] ^ g[0]) + f[1] ^= b & (f[1] ^ g[1]) + f[2] ^= b & (f[2] ^ g[2]) + f[3] ^= b & (f[3] ^ g[3]) + f[4] ^= b & (f[4] ^ g[4]) + f[5] ^= b & (f[5] ^ g[5]) + f[6] ^= b & (f[6] ^ g[6]) + f[7] ^= b & (f[7] ^ g[7]) + f[8] ^= b & (f[8] ^ g[8]) + f[9] ^= b & (f[9] ^ g[9]) +} + +func load3(in []byte) int64 { + var r int64 + r = int64(in[0]) + r |= int64(in[1]) << 8 + r |= int64(in[2]) << 16 + return r +} + +func load4(in []byte) int64 { + var r int64 + r = int64(in[0]) + r |= int64(in[1]) << 8 + r |= int64(in[2]) << 16 + r |= int64(in[3]) << 24 + return r +} + +func FeFromBytes(dst *FieldElement, src *[32]byte) { + h0 := load4(src[:]) + h1 := load3(src[4:]) << 6 + h2 := load3(src[7:]) << 5 + h3 := load3(src[10:]) << 3 + h4 := load3(src[13:]) << 2 + h5 := load4(src[16:]) + h6 := load3(src[20:]) << 7 + h7 := load3(src[23:]) << 5 + h8 := load3(src[26:]) << 4 + h9 := (load3(src[29:]) & 8388607) << 2 + + FeCombine(dst, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9) +} + +// FeToBytes marshals h to s. +// Preconditions: +// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. +// +// Write p=2^255-19; q=floor(h/p). +// Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))). +// +// Proof: +// Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4. +// Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4. +// +// Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9). +// Then 0<y<1. +// +// Write r=h-pq. +// Have 0<=r<=p-1=2^255-20. +// Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1. +// +// Write x=r+19(2^-255)r+y. +// Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q. +// +// Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1)) +// so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q. +func FeToBytes(s *[32]byte, h *FieldElement) { + var carry [10]int32 + + q := (19*h[9] + (1 << 24)) >> 25 + q = (h[0] + q) >> 26 + q = (h[1] + q) >> 25 + q = (h[2] + q) >> 26 + q = (h[3] + q) >> 25 + q = (h[4] + q) >> 26 + q = (h[5] + q) >> 25 + q = (h[6] + q) >> 26 + q = (h[7] + q) >> 25 + q = (h[8] + q) >> 26 + q = (h[9] + q) >> 25 + + // Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. + h[0] += 19 * q + // Goal: Output h-2^255 q, which is between 0 and 2^255-20. + + carry[0] = h[0] >> 26 + h[1] += carry[0] + h[0] -= carry[0] << 26 + carry[1] = h[1] >> 25 + h[2] += carry[1] + h[1] -= carry[1] << 25 + carry[2] = h[2] >> 26 + h[3] += carry[2] + h[2] -= carry[2] << 26 + carry[3] = h[3] >> 25 + h[4] += carry[3] + h[3] -= carry[3] << 25 + carry[4] = h[4] >> 26 + h[5] += carry[4] + h[4] -= carry[4] << 26 + carry[5] = h[5] >> 25 + h[6] += carry[5] + h[5] -= carry[5] << 25 + carry[6] = h[6] >> 26 + h[7] += carry[6] + h[6] -= carry[6] << 26 + carry[7] = h[7] >> 25 + h[8] += carry[7] + h[7] -= carry[7] << 25 + carry[8] = h[8] >> 26 + h[9] += carry[8] + h[8] -= carry[8] << 26 + carry[9] = h[9] >> 25 + h[9] -= carry[9] << 25 + // h10 = carry9 + + // Goal: Output h[0]+...+2^255 h10-2^255 q, which is between 0 and 2^255-20. + // Have h[0]+...+2^230 h[9] between 0 and 2^255-1; + // evidently 2^255 h10-2^255 q = 0. + // Goal: Output h[0]+...+2^230 h[9]. + + s[0] = byte(h[0] >> 0) + s[1] = byte(h[0] >> 8) + s[2] = byte(h[0] >> 16) + s[3] = byte((h[0] >> 24) | (h[1] << 2)) + s[4] = byte(h[1] >> 6) + s[5] = byte(h[1] >> 14) + s[6] = byte((h[1] >> 22) | (h[2] << 3)) + s[7] = byte(h[2] >> 5) + s[8] = byte(h[2] >> 13) + s[9] = byte((h[2] >> 21) | (h[3] << 5)) + s[10] = byte(h[3] >> 3) + s[11] = byte(h[3] >> 11) + s[12] = byte((h[3] >> 19) | (h[4] << 6)) + s[13] = byte(h[4] >> 2) + s[14] = byte(h[4] >> 10) + s[15] = byte(h[4] >> 18) + s[16] = byte(h[5] >> 0) + s[17] = byte(h[5] >> 8) + s[18] = byte(h[5] >> 16) + s[19] = byte((h[5] >> 24) | (h[6] << 1)) + s[20] = byte(h[6] >> 7) + s[21] = byte(h[6] >> 15) + s[22] = byte((h[6] >> 23) | (h[7] << 3)) + s[23] = byte(h[7] >> 5) + s[24] = byte(h[7] >> 13) + s[25] = byte((h[7] >> 21) | (h[8] << 4)) + s[26] = byte(h[8] >> 4) + s[27] = byte(h[8] >> 12) + s[28] = byte((h[8] >> 20) | (h[9] << 6)) + s[29] = byte(h[9] >> 2) + s[30] = byte(h[9] >> 10) + s[31] = byte(h[9] >> 18) +} + +func FeIsNegative(f *FieldElement) byte { + var s [32]byte + FeToBytes(&s, f) + return s[0] & 1 +} + +func FeIsNonZero(f *FieldElement) int32 { + var s [32]byte + FeToBytes(&s, f) + var x uint8 + for _, b := range s { + x |= b + } + x |= x >> 4 + x |= x >> 2 + x |= x >> 1 + return int32(x & 1) +} + +// FeNeg sets h = -f +// +// Preconditions: +// |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. +// +// Postconditions: +// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. +func FeNeg(h, f *FieldElement) { + h[0] = -f[0] + h[1] = -f[1] + h[2] = -f[2] + h[3] = -f[3] + h[4] = -f[4] + h[5] = -f[5] + h[6] = -f[6] + h[7] = -f[7] + h[8] = -f[8] + h[9] = -f[9] +} + +func FeCombine(h *FieldElement, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 int64) { + var c0, c1, c2, c3, c4, c5, c6, c7, c8, c9 int64 + + /* + |h0| <= (1.1*1.1*2^52*(1+19+19+19+19)+1.1*1.1*2^50*(38+38+38+38+38)) + i.e. |h0| <= 1.2*2^59; narrower ranges for h2, h4, h6, h8 + |h1| <= (1.1*1.1*2^51*(1+1+19+19+19+19+19+19+19+19)) + i.e. |h1| <= 1.5*2^58; narrower ranges for h3, h5, h7, h9 + */ + + c0 = (h0 + (1 << 25)) >> 26 + h1 += c0 + h0 -= c0 << 26 + c4 = (h4 + (1 << 25)) >> 26 + h5 += c4 + h4 -= c4 << 26 + /* |h0| <= 2^25 */ + /* |h4| <= 2^25 */ + /* |h1| <= 1.51*2^58 */ + /* |h5| <= 1.51*2^58 */ + + c1 = (h1 + (1 << 24)) >> 25 + h2 += c1 + h1 -= c1 << 25 + c5 = (h5 + (1 << 24)) >> 25 + h6 += c5 + h5 -= c5 << 25 + /* |h1| <= 2^24; from now on fits into int32 */ + /* |h5| <= 2^24; from now on fits into int32 */ + /* |h2| <= 1.21*2^59 */ + /* |h6| <= 1.21*2^59 */ + + c2 = (h2 + (1 << 25)) >> 26 + h3 += c2 + h2 -= c2 << 26 + c6 = (h6 + (1 << 25)) >> 26 + h7 += c6 + h6 -= c6 << 26 + /* |h2| <= 2^25; from now on fits into int32 unchanged */ + /* |h6| <= 2^25; from now on fits into int32 unchanged */ + /* |h3| <= 1.51*2^58 */ + /* |h7| <= 1.51*2^58 */ + + c3 = (h3 + (1 << 24)) >> 25 + h4 += c3 + h3 -= c3 << 25 + c7 = (h7 + (1 << 24)) >> 25 + h8 += c7 + h7 -= c7 << 25 + /* |h3| <= 2^24; from now on fits into int32 unchanged */ + /* |h7| <= 2^24; from now on fits into int32 unchanged */ + /* |h4| <= 1.52*2^33 */ + /* |h8| <= 1.52*2^33 */ + + c4 = (h4 + (1 << 25)) >> 26 + h5 += c4 + h4 -= c4 << 26 + c8 = (h8 + (1 << 25)) >> 26 + h9 += c8 + h8 -= c8 << 26 + /* |h4| <= 2^25; from now on fits into int32 unchanged */ + /* |h8| <= 2^25; from now on fits into int32 unchanged */ + /* |h5| <= 1.01*2^24 */ + /* |h9| <= 1.51*2^58 */ + + c9 = (h9 + (1 << 24)) >> 25 + h0 += c9 * 19 + h9 -= c9 << 25 + /* |h9| <= 2^24; from now on fits into int32 unchanged */ + /* |h0| <= 1.8*2^37 */ + + c0 = (h0 + (1 << 25)) >> 26 + h1 += c0 + h0 -= c0 << 26 + /* |h0| <= 2^25; from now on fits into int32 unchanged */ + /* |h1| <= 1.01*2^24 */ + + h[0] = int32(h0) + h[1] = int32(h1) + h[2] = int32(h2) + h[3] = int32(h3) + h[4] = int32(h4) + h[5] = int32(h5) + h[6] = int32(h6) + h[7] = int32(h7) + h[8] = int32(h8) + h[9] = int32(h9) +} + +// FeMul calculates h = f * g +// Can overlap h with f or g. +// +// Preconditions: +// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. +// |g| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. +// +// Postconditions: +// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. +// +// Notes on implementation strategy: +// +// Using schoolbook multiplication. +// Karatsuba would save a little in some cost models. +// +// Most multiplications by 2 and 19 are 32-bit precomputations; +// cheaper than 64-bit postcomputations. +// +// There is one remaining multiplication by 19 in the carry chain; +// one *19 precomputation can be merged into this, +// but the resulting data flow is considerably less clean. +// +// There are 12 carries below. +// 10 of them are 2-way parallelizable and vectorizable. +// Can get away with 11 carries, but then data flow is much deeper. +// +// With tighter constraints on inputs, can squeeze carries into int32. +func FeMul(h, f, g *FieldElement) { + f0 := int64(f[0]) + f1 := int64(f[1]) + f2 := int64(f[2]) + f3 := int64(f[3]) + f4 := int64(f[4]) + f5 := int64(f[5]) + f6 := int64(f[6]) + f7 := int64(f[7]) + f8 := int64(f[8]) + f9 := int64(f[9]) + + f1_2 := int64(2 * f[1]) + f3_2 := int64(2 * f[3]) + f5_2 := int64(2 * f[5]) + f7_2 := int64(2 * f[7]) + f9_2 := int64(2 * f[9]) + + g0 := int64(g[0]) + g1 := int64(g[1]) + g2 := int64(g[2]) + g3 := int64(g[3]) + g4 := int64(g[4]) + g5 := int64(g[5]) + g6 := int64(g[6]) + g7 := int64(g[7]) + g8 := int64(g[8]) + g9 := int64(g[9]) + + g1_19 := int64(19 * g[1]) /* 1.4*2^29 */ + g2_19 := int64(19 * g[2]) /* 1.4*2^30; still ok */ + g3_19 := int64(19 * g[3]) + g4_19 := int64(19 * g[4]) + g5_19 := int64(19 * g[5]) + g6_19 := int64(19 * g[6]) + g7_19 := int64(19 * g[7]) + g8_19 := int64(19 * g[8]) + g9_19 := int64(19 * g[9]) + + h0 := f0*g0 + f1_2*g9_19 + f2*g8_19 + f3_2*g7_19 + f4*g6_19 + f5_2*g5_19 + f6*g4_19 + f7_2*g3_19 + f8*g2_19 + f9_2*g1_19 + h1 := f0*g1 + f1*g0 + f2*g9_19 + f3*g8_19 + f4*g7_19 + f5*g6_19 + f6*g5_19 + f7*g4_19 + f8*g3_19 + f9*g2_19 + h2 := f0*g2 + f1_2*g1 + f2*g0 + f3_2*g9_19 + f4*g8_19 + f5_2*g7_19 + f6*g6_19 + f7_2*g5_19 + f8*g4_19 + f9_2*g3_19 + h3 := f0*g3 + f1*g2 + f2*g1 + f3*g0 + f4*g9_19 + f5*g8_19 + f6*g7_19 + f7*g6_19 + f8*g5_19 + f9*g4_19 + h4 := f0*g4 + f1_2*g3 + f2*g2 + f3_2*g1 + f4*g0 + f5_2*g9_19 + f6*g8_19 + f7_2*g7_19 + f8*g6_19 + f9_2*g5_19 + h5 := f0*g5 + f1*g4 + f2*g3 + f3*g2 + f4*g1 + f5*g0 + f6*g9_19 + f7*g8_19 + f8*g7_19 + f9*g6_19 + h6 := f0*g6 + f1_2*g5 + f2*g4 + f3_2*g3 + f4*g2 + f5_2*g1 + f6*g0 + f7_2*g9_19 + f8*g8_19 + f9_2*g7_19 + h7 := f0*g7 + f1*g6 + f2*g5 + f3*g4 + f4*g3 + f5*g2 + f6*g1 + f7*g0 + f8*g9_19 + f9*g8_19 + h8 := f0*g8 + f1_2*g7 + f2*g6 + f3_2*g5 + f4*g4 + f5_2*g3 + f6*g2 + f7_2*g1 + f8*g0 + f9_2*g9_19 + h9 := f0*g9 + f1*g8 + f2*g7 + f3*g6 + f4*g5 + f5*g4 + f6*g3 + f7*g2 + f8*g1 + f9*g0 + + FeCombine(h, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9) +} + +func feSquare(f *FieldElement) (h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 int64) { + f0 := int64(f[0]) + f1 := int64(f[1]) + f2 := int64(f[2]) + f3 := int64(f[3]) + f4 := int64(f[4]) + f5 := int64(f[5]) + f6 := int64(f[6]) + f7 := int64(f[7]) + f8 := int64(f[8]) + f9 := int64(f[9]) + f0_2 := int64(2 * f[0]) + f1_2 := int64(2 * f[1]) + f2_2 := int64(2 * f[2]) + f3_2 := int64(2 * f[3]) + f4_2 := int64(2 * f[4]) + f5_2 := int64(2 * f[5]) + f6_2 := int64(2 * f[6]) + f7_2 := int64(2 * f[7]) + f5_38 := 38 * f5 // 1.31*2^30 + f6_19 := 19 * f6 // 1.31*2^30 + f7_38 := 38 * f7 // 1.31*2^30 + f8_19 := 19 * f8 // 1.31*2^30 + f9_38 := 38 * f9 // 1.31*2^30 + + h0 = f0*f0 + f1_2*f9_38 + f2_2*f8_19 + f3_2*f7_38 + f4_2*f6_19 + f5*f5_38 + h1 = f0_2*f1 + f2*f9_38 + f3_2*f8_19 + f4*f7_38 + f5_2*f6_19 + h2 = f0_2*f2 + f1_2*f1 + f3_2*f9_38 + f4_2*f8_19 + f5_2*f7_38 + f6*f6_19 + h3 = f0_2*f3 + f1_2*f2 + f4*f9_38 + f5_2*f8_19 + f6*f7_38 + h4 = f0_2*f4 + f1_2*f3_2 + f2*f2 + f5_2*f9_38 + f6_2*f8_19 + f7*f7_38 + h5 = f0_2*f5 + f1_2*f4 + f2_2*f3 + f6*f9_38 + f7_2*f8_19 + h6 = f0_2*f6 + f1_2*f5_2 + f2_2*f4 + f3_2*f3 + f7_2*f9_38 + f8*f8_19 + h7 = f0_2*f7 + f1_2*f6 + f2_2*f5 + f3_2*f4 + f8*f9_38 + h8 = f0_2*f8 + f1_2*f7_2 + f2_2*f6 + f3_2*f5_2 + f4*f4 + f9*f9_38 + h9 = f0_2*f9 + f1_2*f8 + f2_2*f7 + f3_2*f6 + f4_2*f5 + + return +} + +// FeSquare calculates h = f*f. Can overlap h with f. +// +// Preconditions: +// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. +// +// Postconditions: +// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. +func FeSquare(h, f *FieldElement) { + h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 := feSquare(f) + FeCombine(h, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9) +} + +// FeSquare2 sets h = 2 * f * f +// +// Can overlap h with f. +// +// Preconditions: +// |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. +// +// Postconditions: +// |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. +// See fe_mul.c for discussion of implementation strategy. +func FeSquare2(h, f *FieldElement) { + h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 := feSquare(f) + + h0 += h0 + h1 += h1 + h2 += h2 + h3 += h3 + h4 += h4 + h5 += h5 + h6 += h6 + h7 += h7 + h8 += h8 + h9 += h9 + + FeCombine(h, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9) +} + +func FeInvert(out, z *FieldElement) { + var t0, t1, t2, t3 FieldElement + var i int + + FeSquare(&t0, z) // 2^1 + FeSquare(&t1, &t0) // 2^2 + for i = 1; i < 2; i++ { // 2^3 + FeSquare(&t1, &t1) + } + FeMul(&t1, z, &t1) // 2^3 + 2^0 + FeMul(&t0, &t0, &t1) // 2^3 + 2^1 + 2^0 + FeSquare(&t2, &t0) // 2^4 + 2^2 + 2^1 + FeMul(&t1, &t1, &t2) // 2^4 + 2^3 + 2^2 + 2^1 + 2^0 + FeSquare(&t2, &t1) // 5,4,3,2,1 + for i = 1; i < 5; i++ { // 9,8,7,6,5 + FeSquare(&t2, &t2) + } + FeMul(&t1, &t2, &t1) // 9,8,7,6,5,4,3,2,1,0 + FeSquare(&t2, &t1) // 10..1 + for i = 1; i < 10; i++ { // 19..10 + FeSquare(&t2, &t2) + } + FeMul(&t2, &t2, &t1) // 19..0 + FeSquare(&t3, &t2) // 20..1 + for i = 1; i < 20; i++ { // 39..20 + FeSquare(&t3, &t3) + } + FeMul(&t2, &t3, &t2) // 39..0 + FeSquare(&t2, &t2) // 40..1 + for i = 1; i < 10; i++ { // 49..10 + FeSquare(&t2, &t2) + } + FeMul(&t1, &t2, &t1) // 49..0 + FeSquare(&t2, &t1) // 50..1 + for i = 1; i < 50; i++ { // 99..50 + FeSquare(&t2, &t2) + } + FeMul(&t2, &t2, &t1) // 99..0 + FeSquare(&t3, &t2) // 100..1 + for i = 1; i < 100; i++ { // 199..100 + FeSquare(&t3, &t3) + } + FeMul(&t2, &t3, &t2) // 199..0 + FeSquare(&t2, &t2) // 200..1 + for i = 1; i < 50; i++ { // 249..50 + FeSquare(&t2, &t2) + } + FeMul(&t1, &t2, &t1) // 249..0 + FeSquare(&t1, &t1) // 250..1 + for i = 1; i < 5; i++ { // 254..5 + FeSquare(&t1, &t1) + } + FeMul(out, &t1, &t0) // 254..5,3,1,0 +} + +func fePow22523(out, z *FieldElement) { + var t0, t1, t2 FieldElement + var i int + + FeSquare(&t0, z) + for i = 1; i < 1; i++ { + FeSquare(&t0, &t0) + } + FeSquare(&t1, &t0) + for i = 1; i < 2; i++ { + FeSquare(&t1, &t1) + } + FeMul(&t1, z, &t1) + FeMul(&t0, &t0, &t1) + FeSquare(&t0, &t0) + for i = 1; i < 1; i++ { + FeSquare(&t0, &t0) + } + FeMul(&t0, &t1, &t0) + FeSquare(&t1, &t0) + for i = 1; i < 5; i++ { + FeSquare(&t1, &t1) + } + FeMul(&t0, &t1, &t0) + FeSquare(&t1, &t0) + for i = 1; i < 10; i++ { + FeSquare(&t1, &t1) + } + FeMul(&t1, &t1, &t0) + FeSquare(&t2, &t1) + for i = 1; i < 20; i++ { + FeSquare(&t2, &t2) + } + FeMul(&t1, &t2, &t1) + FeSquare(&t1, &t1) + for i = 1; i < 10; i++ { + FeSquare(&t1, &t1) + } + FeMul(&t0, &t1, &t0) + FeSquare(&t1, &t0) + for i = 1; i < 50; i++ { + FeSquare(&t1, &t1) + } + FeMul(&t1, &t1, &t0) + FeSquare(&t2, &t1) + for i = 1; i < 100; i++ { + FeSquare(&t2, &t2) + } + FeMul(&t1, &t2, &t1) + FeSquare(&t1, &t1) + for i = 1; i < 50; i++ { + FeSquare(&t1, &t1) + } + FeMul(&t0, &t1, &t0) + FeSquare(&t0, &t0) + for i = 1; i < 2; i++ { + FeSquare(&t0, &t0) + } + FeMul(out, &t0, z) +} + +// Group elements are members of the elliptic curve -x^2 + y^2 = 1 + d * x^2 * +// y^2 where d = -121665/121666. +// +// Several representations are used: +// ProjectiveGroupElement: (X:Y:Z) satisfying x=X/Z, y=Y/Z +// ExtendedGroupElement: (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT +// CompletedGroupElement: ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T +// PreComputedGroupElement: (y+x,y-x,2dxy) + +type ProjectiveGroupElement struct { + X, Y, Z FieldElement +} + +type ExtendedGroupElement struct { + X, Y, Z, T FieldElement +} + +type CompletedGroupElement struct { + X, Y, Z, T FieldElement +} + +type PreComputedGroupElement struct { + yPlusX, yMinusX, xy2d FieldElement +} + +type CachedGroupElement struct { + yPlusX, yMinusX, Z, T2d FieldElement +} + +func (p *ProjectiveGroupElement) Zero() { + FeZero(&p.X) + FeOne(&p.Y) + FeOne(&p.Z) +} + +func (p *ProjectiveGroupElement) Double(r *CompletedGroupElement) { + var t0 FieldElement + + FeSquare(&r.X, &p.X) + FeSquare(&r.Z, &p.Y) + FeSquare2(&r.T, &p.Z) + FeAdd(&r.Y, &p.X, &p.Y) + FeSquare(&t0, &r.Y) + FeAdd(&r.Y, &r.Z, &r.X) + FeSub(&r.Z, &r.Z, &r.X) + FeSub(&r.X, &t0, &r.Y) + FeSub(&r.T, &r.T, &r.Z) +} + +func (p *ProjectiveGroupElement) ToBytes(s *[32]byte) { + var recip, x, y FieldElement + + FeInvert(&recip, &p.Z) + FeMul(&x, &p.X, &recip) + FeMul(&y, &p.Y, &recip) + FeToBytes(s, &y) + s[31] ^= FeIsNegative(&x) << 7 +} + +func (p *ExtendedGroupElement) Zero() { + FeZero(&p.X) + FeOne(&p.Y) + FeOne(&p.Z) + FeZero(&p.T) +} + +func (p *ExtendedGroupElement) Double(r *CompletedGroupElement) { + var q ProjectiveGroupElement + p.ToProjective(&q) + q.Double(r) +} + +func (p *ExtendedGroupElement) ToCached(r *CachedGroupElement) { + FeAdd(&r.yPlusX, &p.Y, &p.X) + FeSub(&r.yMinusX, &p.Y, &p.X) + FeCopy(&r.Z, &p.Z) + FeMul(&r.T2d, &p.T, &d2) +} + +func (p *ExtendedGroupElement) ToProjective(r *ProjectiveGroupElement) { + FeCopy(&r.X, &p.X) + FeCopy(&r.Y, &p.Y) + FeCopy(&r.Z, &p.Z) +} + +func (p *ExtendedGroupElement) ToBytes(s *[32]byte) { + var recip, x, y FieldElement + + FeInvert(&recip, &p.Z) + FeMul(&x, &p.X, &recip) + FeMul(&y, &p.Y, &recip) + FeToBytes(s, &y) + s[31] ^= FeIsNegative(&x) << 7 +} + +func (p *ExtendedGroupElement) FromBytes(s *[32]byte) bool { + var u, v, v3, vxx, check FieldElement + + FeFromBytes(&p.Y, s) + FeOne(&p.Z) + FeSquare(&u, &p.Y) + FeMul(&v, &u, &d) + FeSub(&u, &u, &p.Z) // y = y^2-1 + FeAdd(&v, &v, &p.Z) // v = dy^2+1 + + FeSquare(&v3, &v) + FeMul(&v3, &v3, &v) // v3 = v^3 + FeSquare(&p.X, &v3) + FeMul(&p.X, &p.X, &v) + FeMul(&p.X, &p.X, &u) // x = uv^7 + + fePow22523(&p.X, &p.X) // x = (uv^7)^((q-5)/8) + FeMul(&p.X, &p.X, &v3) + FeMul(&p.X, &p.X, &u) // x = uv^3(uv^7)^((q-5)/8) + + var tmpX, tmp2 [32]byte + + FeSquare(&vxx, &p.X) + FeMul(&vxx, &vxx, &v) + FeSub(&check, &vxx, &u) // vx^2-u + if FeIsNonZero(&check) == 1 { + FeAdd(&check, &vxx, &u) // vx^2+u + if FeIsNonZero(&check) == 1 { + return false + } + FeMul(&p.X, &p.X, &SqrtM1) + + FeToBytes(&tmpX, &p.X) + for i, v := range tmpX { + tmp2[31-i] = v + } + } + + if FeIsNegative(&p.X) != (s[31] >> 7) { + FeNeg(&p.X, &p.X) + } + + FeMul(&p.T, &p.X, &p.Y) + return true +} + +func (p *CompletedGroupElement) ToProjective(r *ProjectiveGroupElement) { + FeMul(&r.X, &p.X, &p.T) + FeMul(&r.Y, &p.Y, &p.Z) + FeMul(&r.Z, &p.Z, &p.T) +} + +func (p *CompletedGroupElement) ToExtended(r *ExtendedGroupElement) { + FeMul(&r.X, &p.X, &p.T) + FeMul(&r.Y, &p.Y, &p.Z) + FeMul(&r.Z, &p.Z, &p.T) + FeMul(&r.T, &p.X, &p.Y) +} + +func (p *PreComputedGroupElement) Zero() { + FeOne(&p.yPlusX) + FeOne(&p.yMinusX) + FeZero(&p.xy2d) +} + +func geAdd(r *CompletedGroupElement, p *ExtendedGroupElement, q *CachedGroupElement) { + var t0 FieldElement + + FeAdd(&r.X, &p.Y, &p.X) + FeSub(&r.Y, &p.Y, &p.X) + FeMul(&r.Z, &r.X, &q.yPlusX) + FeMul(&r.Y, &r.Y, &q.yMinusX) + FeMul(&r.T, &q.T2d, &p.T) + FeMul(&r.X, &p.Z, &q.Z) + FeAdd(&t0, &r.X, &r.X) + FeSub(&r.X, &r.Z, &r.Y) + FeAdd(&r.Y, &r.Z, &r.Y) + FeAdd(&r.Z, &t0, &r.T) + FeSub(&r.T, &t0, &r.T) +} + +func geSub(r *CompletedGroupElement, p *ExtendedGroupElement, q *CachedGroupElement) { + var t0 FieldElement + + FeAdd(&r.X, &p.Y, &p.X) + FeSub(&r.Y, &p.Y, &p.X) + FeMul(&r.Z, &r.X, &q.yMinusX) + FeMul(&r.Y, &r.Y, &q.yPlusX) + FeMul(&r.T, &q.T2d, &p.T) + FeMul(&r.X, &p.Z, &q.Z) + FeAdd(&t0, &r.X, &r.X) + FeSub(&r.X, &r.Z, &r.Y) + FeAdd(&r.Y, &r.Z, &r.Y) + FeSub(&r.Z, &t0, &r.T) + FeAdd(&r.T, &t0, &r.T) +} + +func geMixedAdd(r *CompletedGroupElement, p *ExtendedGroupElement, q *PreComputedGroupElement) { + var t0 FieldElement + + FeAdd(&r.X, &p.Y, &p.X) + FeSub(&r.Y, &p.Y, &p.X) + FeMul(&r.Z, &r.X, &q.yPlusX) + FeMul(&r.Y, &r.Y, &q.yMinusX) + FeMul(&r.T, &q.xy2d, &p.T) + FeAdd(&t0, &p.Z, &p.Z) + FeSub(&r.X, &r.Z, &r.Y) + FeAdd(&r.Y, &r.Z, &r.Y) + FeAdd(&r.Z, &t0, &r.T) + FeSub(&r.T, &t0, &r.T) +} + +func geMixedSub(r *CompletedGroupElement, p *ExtendedGroupElement, q *PreComputedGroupElement) { + var t0 FieldElement + + FeAdd(&r.X, &p.Y, &p.X) + FeSub(&r.Y, &p.Y, &p.X) + FeMul(&r.Z, &r.X, &q.yMinusX) + FeMul(&r.Y, &r.Y, &q.yPlusX) + FeMul(&r.T, &q.xy2d, &p.T) + FeAdd(&t0, &p.Z, &p.Z) + FeSub(&r.X, &r.Z, &r.Y) + FeAdd(&r.Y, &r.Z, &r.Y) + FeSub(&r.Z, &t0, &r.T) + FeAdd(&r.T, &t0, &r.T) +} + +func slide(r *[256]int8, a *[32]byte) { + for i := range r { + r[i] = int8(1 & (a[i>>3] >> uint(i&7))) + } + + for i := range r { + if r[i] != 0 { + for b := 1; b <= 6 && i+b < 256; b++ { + if r[i+b] != 0 { + if r[i]+(r[i+b]<<uint(b)) <= 15 { + r[i] += r[i+b] << uint(b) + r[i+b] = 0 + } else if r[i]-(r[i+b]<<uint(b)) >= -15 { + r[i] -= r[i+b] << uint(b) + for k := i + b; k < 256; k++ { + if r[k] == 0 { + r[k] = 1 + break + } + r[k] = 0 + } + } else { + break + } + } + } + } + } +} + +// GeDoubleScalarMultVartime sets r = a*A + b*B +// where a = a[0]+256*a[1]+...+256^31 a[31]. +// and b = b[0]+256*b[1]+...+256^31 b[31]. +// B is the Ed25519 base point (x,4/5) with x positive. +func GeDoubleScalarMultVartime(r *ProjectiveGroupElement, a *[32]byte, A *ExtendedGroupElement, b *[32]byte) { + var aSlide, bSlide [256]int8 + var Ai [8]CachedGroupElement // A,3A,5A,7A,9A,11A,13A,15A + var t CompletedGroupElement + var u, A2 ExtendedGroupElement + var i int + + slide(&aSlide, a) + slide(&bSlide, b) + + A.ToCached(&Ai[0]) + A.Double(&t) + t.ToExtended(&A2) + + for i := 0; i < 7; i++ { + geAdd(&t, &A2, &Ai[i]) + t.ToExtended(&u) + u.ToCached(&Ai[i+1]) + } + + r.Zero() + + for i = 255; i >= 0; i-- { + if aSlide[i] != 0 || bSlide[i] != 0 { + break + } + } + + for ; i >= 0; i-- { + r.Double(&t) + + if aSlide[i] > 0 { + t.ToExtended(&u) + geAdd(&t, &u, &Ai[aSlide[i]/2]) + } else if aSlide[i] < 0 { + t.ToExtended(&u) + geSub(&t, &u, &Ai[(-aSlide[i])/2]) + } + + if bSlide[i] > 0 { + t.ToExtended(&u) + geMixedAdd(&t, &u, &bi[bSlide[i]/2]) + } else if bSlide[i] < 0 { + t.ToExtended(&u) + geMixedSub(&t, &u, &bi[(-bSlide[i])/2]) + } + + t.ToProjective(r) + } +} + +// equal returns 1 if b == c and 0 otherwise, assuming that b and c are +// non-negative. +func equal(b, c int32) int32 { + x := uint32(b ^ c) + x-- + return int32(x >> 31) +} + +// negative returns 1 if b < 0 and 0 otherwise. +func negative(b int32) int32 { + return (b >> 31) & 1 +} + +func PreComputedGroupElementCMove(t, u *PreComputedGroupElement, b int32) { + FeCMove(&t.yPlusX, &u.yPlusX, b) + FeCMove(&t.yMinusX, &u.yMinusX, b) + FeCMove(&t.xy2d, &u.xy2d, b) +} + +func selectPoint(t *PreComputedGroupElement, pos int32, b int32) { + var minusT PreComputedGroupElement + bNegative := negative(b) + bAbs := b - (((-bNegative) & b) << 1) + + t.Zero() + for i := int32(0); i < 8; i++ { + PreComputedGroupElementCMove(t, &base[pos][i], equal(bAbs, i+1)) + } + FeCopy(&minusT.yPlusX, &t.yMinusX) + FeCopy(&minusT.yMinusX, &t.yPlusX) + FeNeg(&minusT.xy2d, &t.xy2d) + PreComputedGroupElementCMove(t, &minusT, bNegative) +} + +// GeScalarMultBase computes h = a*B, where +// a = a[0]+256*a[1]+...+256^31 a[31] +// B is the Ed25519 base point (x,4/5) with x positive. +// +// Preconditions: +// a[31] <= 127 +func GeScalarMultBase(h *ExtendedGroupElement, a *[32]byte) { + var e [64]int8 + + for i, v := range a { + e[2*i] = int8(v & 15) + e[2*i+1] = int8((v >> 4) & 15) + } + + // each e[i] is between 0 and 15 and e[63] is between 0 and 7. + + carry := int8(0) + for i := 0; i < 63; i++ { + e[i] += carry + carry = (e[i] + 8) >> 4 + e[i] -= carry << 4 + } + e[63] += carry + // each e[i] is between -8 and 8. + + h.Zero() + var t PreComputedGroupElement + var r CompletedGroupElement + for i := int32(1); i < 64; i += 2 { + selectPoint(&t, i/2, int32(e[i])) + geMixedAdd(&r, h, &t) + r.ToExtended(h) + } + + var s ProjectiveGroupElement + + h.Double(&r) + r.ToProjective(&s) + s.Double(&r) + r.ToProjective(&s) + s.Double(&r) + r.ToProjective(&s) + s.Double(&r) + r.ToExtended(h) + + for i := int32(0); i < 64; i += 2 { + selectPoint(&t, i/2, int32(e[i])) + geMixedAdd(&r, h, &t) + r.ToExtended(h) + } +} + +// The scalars are GF(2^252 + 27742317777372353535851937790883648493). + +// Input: +// a[0]+256*a[1]+...+256^31*a[31] = a +// b[0]+256*b[1]+...+256^31*b[31] = b +// c[0]+256*c[1]+...+256^31*c[31] = c +// +// Output: +// s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l +// where l = 2^252 + 27742317777372353535851937790883648493. +func ScMulAdd(s, a, b, c *[32]byte) { + a0 := 2097151 & load3(a[:]) + a1 := 2097151 & (load4(a[2:]) >> 5) + a2 := 2097151 & (load3(a[5:]) >> 2) + a3 := 2097151 & (load4(a[7:]) >> 7) + a4 := 2097151 & (load4(a[10:]) >> 4) + a5 := 2097151 & (load3(a[13:]) >> 1) + a6 := 2097151 & (load4(a[15:]) >> 6) + a7 := 2097151 & (load3(a[18:]) >> 3) + a8 := 2097151 & load3(a[21:]) + a9 := 2097151 & (load4(a[23:]) >> 5) + a10 := 2097151 & (load3(a[26:]) >> 2) + a11 := (load4(a[28:]) >> 7) + b0 := 2097151 & load3(b[:]) + b1 := 2097151 & (load4(b[2:]) >> 5) + b2 := 2097151 & (load3(b[5:]) >> 2) + b3 := 2097151 & (load4(b[7:]) >> 7) + b4 := 2097151 & (load4(b[10:]) >> 4) + b5 := 2097151 & (load3(b[13:]) >> 1) + b6 := 2097151 & (load4(b[15:]) >> 6) + b7 := 2097151 & (load3(b[18:]) >> 3) + b8 := 2097151 & load3(b[21:]) + b9 := 2097151 & (load4(b[23:]) >> 5) + b10 := 2097151 & (load3(b[26:]) >> 2) + b11 := (load4(b[28:]) >> 7) + c0 := 2097151 & load3(c[:]) + c1 := 2097151 & (load4(c[2:]) >> 5) + c2 := 2097151 & (load3(c[5:]) >> 2) + c3 := 2097151 & (load4(c[7:]) >> 7) + c4 := 2097151 & (load4(c[10:]) >> 4) + c5 := 2097151 & (load3(c[13:]) >> 1) + c6 := 2097151 & (load4(c[15:]) >> 6) + c7 := 2097151 & (load3(c[18:]) >> 3) + c8 := 2097151 & load3(c[21:]) + c9 := 2097151 & (load4(c[23:]) >> 5) + c10 := 2097151 & (load3(c[26:]) >> 2) + c11 := (load4(c[28:]) >> 7) + var carry [23]int64 + + s0 := c0 + a0*b0 + s1 := c1 + a0*b1 + a1*b0 + s2 := c2 + a0*b2 + a1*b1 + a2*b0 + s3 := c3 + a0*b3 + a1*b2 + a2*b1 + a3*b0 + s4 := c4 + a0*b4 + a1*b3 + a2*b2 + a3*b1 + a4*b0 + s5 := c5 + a0*b5 + a1*b4 + a2*b3 + a3*b2 + a4*b1 + a5*b0 + s6 := c6 + a0*b6 + a1*b5 + a2*b4 + a3*b3 + a4*b2 + a5*b1 + a6*b0 + s7 := c7 + a0*b7 + a1*b6 + a2*b5 + a3*b4 + a4*b3 + a5*b2 + a6*b1 + a7*b0 + s8 := c8 + a0*b8 + a1*b7 + a2*b6 + a3*b5 + a4*b4 + a5*b3 + a6*b2 + a7*b1 + a8*b0 + s9 := c9 + a0*b9 + a1*b8 + a2*b7 + a3*b6 + a4*b5 + a5*b4 + a6*b3 + a7*b2 + a8*b1 + a9*b0 + s10 := c10 + a0*b10 + a1*b9 + a2*b8 + a3*b7 + a4*b6 + a5*b5 + a6*b4 + a7*b3 + a8*b2 + a9*b1 + a10*b0 + s11 := c11 + a0*b11 + a1*b10 + a2*b9 + a3*b8 + a4*b7 + a5*b6 + a6*b5 + a7*b4 + a8*b3 + a9*b2 + a10*b1 + a11*b0 + s12 := a1*b11 + a2*b10 + a3*b9 + a4*b8 + a5*b7 + a6*b6 + a7*b5 + a8*b4 + a9*b3 + a10*b2 + a11*b1 + s13 := a2*b11 + a3*b10 + a4*b9 + a5*b8 + a6*b7 + a7*b6 + a8*b5 + a9*b4 + a10*b3 + a11*b2 + s14 := a3*b11 + a4*b10 + a5*b9 + a6*b8 + a7*b7 + a8*b6 + a9*b5 + a10*b4 + a11*b3 + s15 := a4*b11 + a5*b10 + a6*b9 + a7*b8 + a8*b7 + a9*b6 + a10*b5 + a11*b4 + s16 := a5*b11 + a6*b10 + a7*b9 + a8*b8 + a9*b7 + a10*b6 + a11*b5 + s17 := a6*b11 + a7*b10 + a8*b9 + a9*b8 + a10*b7 + a11*b6 + s18 := a7*b11 + a8*b10 + a9*b9 + a10*b8 + a11*b7 + s19 := a8*b11 + a9*b10 + a10*b9 + a11*b8 + s20 := a9*b11 + a10*b10 + a11*b9 + s21 := a10*b11 + a11*b10 + s22 := a11 * b11 + s23 := int64(0) + + carry[0] = (s0 + (1 << 20)) >> 21 + s1 += carry[0] + s0 -= carry[0] << 21 + carry[2] = (s2 + (1 << 20)) >> 21 + s3 += carry[2] + s2 -= carry[2] << 21 + carry[4] = (s4 + (1 << 20)) >> 21 + s5 += carry[4] + s4 -= carry[4] << 21 + carry[6] = (s6 + (1 << 20)) >> 21 + s7 += carry[6] + s6 -= carry[6] << 21 + carry[8] = (s8 + (1 << 20)) >> 21 + s9 += carry[8] + s8 -= carry[8] << 21 + carry[10] = (s10 + (1 << 20)) >> 21 + s11 += carry[10] + s10 -= carry[10] << 21 + carry[12] = (s12 + (1 << 20)) >> 21 + s13 += carry[12] + s12 -= carry[12] << 21 + carry[14] = (s14 + (1 << 20)) >> 21 + s15 += carry[14] + s14 -= carry[14] << 21 + carry[16] = (s16 + (1 << 20)) >> 21 + s17 += carry[16] + s16 -= carry[16] << 21 + carry[18] = (s18 + (1 << 20)) >> 21 + s19 += carry[18] + s18 -= carry[18] << 21 + carry[20] = (s20 + (1 << 20)) >> 21 + s21 += carry[20] + s20 -= carry[20] << 21 + carry[22] = (s22 + (1 << 20)) >> 21 + s23 += carry[22] + s22 -= carry[22] << 21 + + carry[1] = (s1 + (1 << 20)) >> 21 + s2 += carry[1] + s1 -= carry[1] << 21 + carry[3] = (s3 + (1 << 20)) >> 21 + s4 += carry[3] + s3 -= carry[3] << 21 + carry[5] = (s5 + (1 << 20)) >> 21 + s6 += carry[5] + s5 -= carry[5] << 21 + carry[7] = (s7 + (1 << 20)) >> 21 + s8 += carry[7] + s7 -= carry[7] << 21 + carry[9] = (s9 + (1 << 20)) >> 21 + s10 += carry[9] + s9 -= carry[9] << 21 + carry[11] = (s11 + (1 << 20)) >> 21 + s12 += carry[11] + s11 -= carry[11] << 21 + carry[13] = (s13 + (1 << 20)) >> 21 + s14 += carry[13] + s13 -= carry[13] << 21 + carry[15] = (s15 + (1 << 20)) >> 21 + s16 += carry[15] + s15 -= carry[15] << 21 + carry[17] = (s17 + (1 << 20)) >> 21 + s18 += carry[17] + s17 -= carry[17] << 21 + carry[19] = (s19 + (1 << 20)) >> 21 + s20 += carry[19] + s19 -= carry[19] << 21 + carry[21] = (s21 + (1 << 20)) >> 21 + s22 += carry[21] + s21 -= carry[21] << 21 + + s11 += s23 * 666643 + s12 += s23 * 470296 + s13 += s23 * 654183 + s14 -= s23 * 997805 + s15 += s23 * 136657 + s16 -= s23 * 683901 + s23 = 0 + + s10 += s22 * 666643 + s11 += s22 * 470296 + s12 += s22 * 654183 + s13 -= s22 * 997805 + s14 += s22 * 136657 + s15 -= s22 * 683901 + s22 = 0 + + s9 += s21 * 666643 + s10 += s21 * 470296 + s11 += s21 * 654183 + s12 -= s21 * 997805 + s13 += s21 * 136657 + s14 -= s21 * 683901 + s21 = 0 + + s8 += s20 * 666643 + s9 += s20 * 470296 + s10 += s20 * 654183 + s11 -= s20 * 997805 + s12 += s20 * 136657 + s13 -= s20 * 683901 + s20 = 0 + + s7 += s19 * 666643 + s8 += s19 * 470296 + s9 += s19 * 654183 + s10 -= s19 * 997805 + s11 += s19 * 136657 + s12 -= s19 * 683901 + s19 = 0 + + s6 += s18 * 666643 + s7 += s18 * 470296 + s8 += s18 * 654183 + s9 -= s18 * 997805 + s10 += s18 * 136657 + s11 -= s18 * 683901 + s18 = 0 + + carry[6] = (s6 + (1 << 20)) >> 21 + s7 += carry[6] + s6 -= carry[6] << 21 + carry[8] = (s8 + (1 << 20)) >> 21 + s9 += carry[8] + s8 -= carry[8] << 21 + carry[10] = (s10 + (1 << 20)) >> 21 + s11 += carry[10] + s10 -= carry[10] << 21 + carry[12] = (s12 + (1 << 20)) >> 21 + s13 += carry[12] + s12 -= carry[12] << 21 + carry[14] = (s14 + (1 << 20)) >> 21 + s15 += carry[14] + s14 -= carry[14] << 21 + carry[16] = (s16 + (1 << 20)) >> 21 + s17 += carry[16] + s16 -= carry[16] << 21 + + carry[7] = (s7 + (1 << 20)) >> 21 + s8 += carry[7] + s7 -= carry[7] << 21 + carry[9] = (s9 + (1 << 20)) >> 21 + s10 += carry[9] + s9 -= carry[9] << 21 + carry[11] = (s11 + (1 << 20)) >> 21 + s12 += carry[11] + s11 -= carry[11] << 21 + carry[13] = (s13 + (1 << 20)) >> 21 + s14 += carry[13] + s13 -= carry[13] << 21 + carry[15] = (s15 + (1 << 20)) >> 21 + s16 += carry[15] + s15 -= carry[15] << 21 + + s5 += s17 * 666643 + s6 += s17 * 470296 + s7 += s17 * 654183 + s8 -= s17 * 997805 + s9 += s17 * 136657 + s10 -= s17 * 683901 + s17 = 0 + + s4 += s16 * 666643 + s5 += s16 * 470296 + s6 += s16 * 654183 + s7 -= s16 * 997805 + s8 += s16 * 136657 + s9 -= s16 * 683901 + s16 = 0 + + s3 += s15 * 666643 + s4 += s15 * 470296 + s5 += s15 * 654183 + s6 -= s15 * 997805 + s7 += s15 * 136657 + s8 -= s15 * 683901 + s15 = 0 + + s2 += s14 * 666643 + s3 += s14 * 470296 + s4 += s14 * 654183 + s5 -= s14 * 997805 + s6 += s14 * 136657 + s7 -= s14 * 683901 + s14 = 0 + + s1 += s13 * 666643 + s2 += s13 * 470296 + s3 += s13 * 654183 + s4 -= s13 * 997805 + s5 += s13 * 136657 + s6 -= s13 * 683901 + s13 = 0 + + s0 += s12 * 666643 + s1 += s12 * 470296 + s2 += s12 * 654183 + s3 -= s12 * 997805 + s4 += s12 * 136657 + s5 -= s12 * 683901 + s12 = 0 + + carry[0] = (s0 + (1 << 20)) >> 21 + s1 += carry[0] + s0 -= carry[0] << 21 + carry[2] = (s2 + (1 << 20)) >> 21 + s3 += carry[2] + s2 -= carry[2] << 21 + carry[4] = (s4 + (1 << 20)) >> 21 + s5 += carry[4] + s4 -= carry[4] << 21 + carry[6] = (s6 + (1 << 20)) >> 21 + s7 += carry[6] + s6 -= carry[6] << 21 + carry[8] = (s8 + (1 << 20)) >> 21 + s9 += carry[8] + s8 -= carry[8] << 21 + carry[10] = (s10 + (1 << 20)) >> 21 + s11 += carry[10] + s10 -= carry[10] << 21 + + carry[1] = (s1 + (1 << 20)) >> 21 + s2 += carry[1] + s1 -= carry[1] << 21 + carry[3] = (s3 + (1 << 20)) >> 21 + s4 += carry[3] + s3 -= carry[3] << 21 + carry[5] = (s5 + (1 << 20)) >> 21 + s6 += carry[5] + s5 -= carry[5] << 21 + carry[7] = (s7 + (1 << 20)) >> 21 + s8 += carry[7] + s7 -= carry[7] << 21 + carry[9] = (s9 + (1 << 20)) >> 21 + s10 += carry[9] + s9 -= carry[9] << 21 + carry[11] = (s11 + (1 << 20)) >> 21 + s12 += carry[11] + s11 -= carry[11] << 21 + + s0 += s12 * 666643 + s1 += s12 * 470296 + s2 += s12 * 654183 + s3 -= s12 * 997805 + s4 += s12 * 136657 + s5 -= s12 * 683901 + s12 = 0 + + carry[0] = s0 >> 21 + s1 += carry[0] + s0 -= carry[0] << 21 + carry[1] = s1 >> 21 + s2 += carry[1] + s1 -= carry[1] << 21 + carry[2] = s2 >> 21 + s3 += carry[2] + s2 -= carry[2] << 21 + carry[3] = s3 >> 21 + s4 += carry[3] + s3 -= carry[3] << 21 + carry[4] = s4 >> 21 + s5 += carry[4] + s4 -= carry[4] << 21 + carry[5] = s5 >> 21 + s6 += carry[5] + s5 -= carry[5] << 21 + carry[6] = s6 >> 21 + s7 += carry[6] + s6 -= carry[6] << 21 + carry[7] = s7 >> 21 + s8 += carry[7] + s7 -= carry[7] << 21 + carry[8] = s8 >> 21 + s9 += carry[8] + s8 -= carry[8] << 21 + carry[9] = s9 >> 21 + s10 += carry[9] + s9 -= carry[9] << 21 + carry[10] = s10 >> 21 + s11 += carry[10] + s10 -= carry[10] << 21 + carry[11] = s11 >> 21 + s12 += carry[11] + s11 -= carry[11] << 21 + + s0 += s12 * 666643 + s1 += s12 * 470296 + s2 += s12 * 654183 + s3 -= s12 * 997805 + s4 += s12 * 136657 + s5 -= s12 * 683901 + s12 = 0 + + carry[0] = s0 >> 21 + s1 += carry[0] + s0 -= carry[0] << 21 + carry[1] = s1 >> 21 + s2 += carry[1] + s1 -= carry[1] << 21 + carry[2] = s2 >> 21 + s3 += carry[2] + s2 -= carry[2] << 21 + carry[3] = s3 >> 21 + s4 += carry[3] + s3 -= carry[3] << 21 + carry[4] = s4 >> 21 + s5 += carry[4] + s4 -= carry[4] << 21 + carry[5] = s5 >> 21 + s6 += carry[5] + s5 -= carry[5] << 21 + carry[6] = s6 >> 21 + s7 += carry[6] + s6 -= carry[6] << 21 + carry[7] = s7 >> 21 + s8 += carry[7] + s7 -= carry[7] << 21 + carry[8] = s8 >> 21 + s9 += carry[8] + s8 -= carry[8] << 21 + carry[9] = s9 >> 21 + s10 += carry[9] + s9 -= carry[9] << 21 + carry[10] = s10 >> 21 + s11 += carry[10] + s10 -= carry[10] << 21 + + s[0] = byte(s0 >> 0) + s[1] = byte(s0 >> 8) + s[2] = byte((s0 >> 16) | (s1 << 5)) + s[3] = byte(s1 >> 3) + s[4] = byte(s1 >> 11) + s[5] = byte((s1 >> 19) | (s2 << 2)) + s[6] = byte(s2 >> 6) + s[7] = byte((s2 >> 14) | (s3 << 7)) + s[8] = byte(s3 >> 1) + s[9] = byte(s3 >> 9) + s[10] = byte((s3 >> 17) | (s4 << 4)) + s[11] = byte(s4 >> 4) + s[12] = byte(s4 >> 12) + s[13] = byte((s4 >> 20) | (s5 << 1)) + s[14] = byte(s5 >> 7) + s[15] = byte((s5 >> 15) | (s6 << 6)) + s[16] = byte(s6 >> 2) + s[17] = byte(s6 >> 10) + s[18] = byte((s6 >> 18) | (s7 << 3)) + s[19] = byte(s7 >> 5) + s[20] = byte(s7 >> 13) + s[21] = byte(s8 >> 0) + s[22] = byte(s8 >> 8) + s[23] = byte((s8 >> 16) | (s9 << 5)) + s[24] = byte(s9 >> 3) + s[25] = byte(s9 >> 11) + s[26] = byte((s9 >> 19) | (s10 << 2)) + s[27] = byte(s10 >> 6) + s[28] = byte((s10 >> 14) | (s11 << 7)) + s[29] = byte(s11 >> 1) + s[30] = byte(s11 >> 9) + s[31] = byte(s11 >> 17) +} + +// Input: +// s[0]+256*s[1]+...+256^63*s[63] = s +// +// Output: +// s[0]+256*s[1]+...+256^31*s[31] = s mod l +// where l = 2^252 + 27742317777372353535851937790883648493. +func ScReduce(out *[32]byte, s *[64]byte) { + s0 := 2097151 & load3(s[:]) + s1 := 2097151 & (load4(s[2:]) >> 5) + s2 := 2097151 & (load3(s[5:]) >> 2) + s3 := 2097151 & (load4(s[7:]) >> 7) + s4 := 2097151 & (load4(s[10:]) >> 4) + s5 := 2097151 & (load3(s[13:]) >> 1) + s6 := 2097151 & (load4(s[15:]) >> 6) + s7 := 2097151 & (load3(s[18:]) >> 3) + s8 := 2097151 & load3(s[21:]) + s9 := 2097151 & (load4(s[23:]) >> 5) + s10 := 2097151 & (load3(s[26:]) >> 2) + s11 := 2097151 & (load4(s[28:]) >> 7) + s12 := 2097151 & (load4(s[31:]) >> 4) + s13 := 2097151 & (load3(s[34:]) >> 1) + s14 := 2097151 & (load4(s[36:]) >> 6) + s15 := 2097151 & (load3(s[39:]) >> 3) + s16 := 2097151 & load3(s[42:]) + s17 := 2097151 & (load4(s[44:]) >> 5) + s18 := 2097151 & (load3(s[47:]) >> 2) + s19 := 2097151 & (load4(s[49:]) >> 7) + s20 := 2097151 & (load4(s[52:]) >> 4) + s21 := 2097151 & (load3(s[55:]) >> 1) + s22 := 2097151 & (load4(s[57:]) >> 6) + s23 := (load4(s[60:]) >> 3) + + s11 += s23 * 666643 + s12 += s23 * 470296 + s13 += s23 * 654183 + s14 -= s23 * 997805 + s15 += s23 * 136657 + s16 -= s23 * 683901 + s23 = 0 + + s10 += s22 * 666643 + s11 += s22 * 470296 + s12 += s22 * 654183 + s13 -= s22 * 997805 + s14 += s22 * 136657 + s15 -= s22 * 683901 + s22 = 0 + + s9 += s21 * 666643 + s10 += s21 * 470296 + s11 += s21 * 654183 + s12 -= s21 * 997805 + s13 += s21 * 136657 + s14 -= s21 * 683901 + s21 = 0 + + s8 += s20 * 666643 + s9 += s20 * 470296 + s10 += s20 * 654183 + s11 -= s20 * 997805 + s12 += s20 * 136657 + s13 -= s20 * 683901 + s20 = 0 + + s7 += s19 * 666643 + s8 += s19 * 470296 + s9 += s19 * 654183 + s10 -= s19 * 997805 + s11 += s19 * 136657 + s12 -= s19 * 683901 + s19 = 0 + + s6 += s18 * 666643 + s7 += s18 * 470296 + s8 += s18 * 654183 + s9 -= s18 * 997805 + s10 += s18 * 136657 + s11 -= s18 * 683901 + s18 = 0 + + var carry [17]int64 + + carry[6] = (s6 + (1 << 20)) >> 21 + s7 += carry[6] + s6 -= carry[6] << 21 + carry[8] = (s8 + (1 << 20)) >> 21 + s9 += carry[8] + s8 -= carry[8] << 21 + carry[10] = (s10 + (1 << 20)) >> 21 + s11 += carry[10] + s10 -= carry[10] << 21 + carry[12] = (s12 + (1 << 20)) >> 21 + s13 += carry[12] + s12 -= carry[12] << 21 + carry[14] = (s14 + (1 << 20)) >> 21 + s15 += carry[14] + s14 -= carry[14] << 21 + carry[16] = (s16 + (1 << 20)) >> 21 + s17 += carry[16] + s16 -= carry[16] << 21 + + carry[7] = (s7 + (1 << 20)) >> 21 + s8 += carry[7] + s7 -= carry[7] << 21 + carry[9] = (s9 + (1 << 20)) >> 21 + s10 += carry[9] + s9 -= carry[9] << 21 + carry[11] = (s11 + (1 << 20)) >> 21 + s12 += carry[11] + s11 -= carry[11] << 21 + carry[13] = (s13 + (1 << 20)) >> 21 + s14 += carry[13] + s13 -= carry[13] << 21 + carry[15] = (s15 + (1 << 20)) >> 21 + s16 += carry[15] + s15 -= carry[15] << 21 + + s5 += s17 * 666643 + s6 += s17 * 470296 + s7 += s17 * 654183 + s8 -= s17 * 997805 + s9 += s17 * 136657 + s10 -= s17 * 683901 + s17 = 0 + + s4 += s16 * 666643 + s5 += s16 * 470296 + s6 += s16 * 654183 + s7 -= s16 * 997805 + s8 += s16 * 136657 + s9 -= s16 * 683901 + s16 = 0 + + s3 += s15 * 666643 + s4 += s15 * 470296 + s5 += s15 * 654183 + s6 -= s15 * 997805 + s7 += s15 * 136657 + s8 -= s15 * 683901 + s15 = 0 + + s2 += s14 * 666643 + s3 += s14 * 470296 + s4 += s14 * 654183 + s5 -= s14 * 997805 + s6 += s14 * 136657 + s7 -= s14 * 683901 + s14 = 0 + + s1 += s13 * 666643 + s2 += s13 * 470296 + s3 += s13 * 654183 + s4 -= s13 * 997805 + s5 += s13 * 136657 + s6 -= s13 * 683901 + s13 = 0 + + s0 += s12 * 666643 + s1 += s12 * 470296 + s2 += s12 * 654183 + s3 -= s12 * 997805 + s4 += s12 * 136657 + s5 -= s12 * 683901 + s12 = 0 + + carry[0] = (s0 + (1 << 20)) >> 21 + s1 += carry[0] + s0 -= carry[0] << 21 + carry[2] = (s2 + (1 << 20)) >> 21 + s3 += carry[2] + s2 -= carry[2] << 21 + carry[4] = (s4 + (1 << 20)) >> 21 + s5 += carry[4] + s4 -= carry[4] << 21 + carry[6] = (s6 + (1 << 20)) >> 21 + s7 += carry[6] + s6 -= carry[6] << 21 + carry[8] = (s8 + (1 << 20)) >> 21 + s9 += carry[8] + s8 -= carry[8] << 21 + carry[10] = (s10 + (1 << 20)) >> 21 + s11 += carry[10] + s10 -= carry[10] << 21 + + carry[1] = (s1 + (1 << 20)) >> 21 + s2 += carry[1] + s1 -= carry[1] << 21 + carry[3] = (s3 + (1 << 20)) >> 21 + s4 += carry[3] + s3 -= carry[3] << 21 + carry[5] = (s5 + (1 << 20)) >> 21 + s6 += carry[5] + s5 -= carry[5] << 21 + carry[7] = (s7 + (1 << 20)) >> 21 + s8 += carry[7] + s7 -= carry[7] << 21 + carry[9] = (s9 + (1 << 20)) >> 21 + s10 += carry[9] + s9 -= carry[9] << 21 + carry[11] = (s11 + (1 << 20)) >> 21 + s12 += carry[11] + s11 -= carry[11] << 21 + + s0 += s12 * 666643 + s1 += s12 * 470296 + s2 += s12 * 654183 + s3 -= s12 * 997805 + s4 += s12 * 136657 + s5 -= s12 * 683901 + s12 = 0 + + carry[0] = s0 >> 21 + s1 += carry[0] + s0 -= carry[0] << 21 + carry[1] = s1 >> 21 + s2 += carry[1] + s1 -= carry[1] << 21 + carry[2] = s2 >> 21 + s3 += carry[2] + s2 -= carry[2] << 21 + carry[3] = s3 >> 21 + s4 += carry[3] + s3 -= carry[3] << 21 + carry[4] = s4 >> 21 + s5 += carry[4] + s4 -= carry[4] << 21 + carry[5] = s5 >> 21 + s6 += carry[5] + s5 -= carry[5] << 21 + carry[6] = s6 >> 21 + s7 += carry[6] + s6 -= carry[6] << 21 + carry[7] = s7 >> 21 + s8 += carry[7] + s7 -= carry[7] << 21 + carry[8] = s8 >> 21 + s9 += carry[8] + s8 -= carry[8] << 21 + carry[9] = s9 >> 21 + s10 += carry[9] + s9 -= carry[9] << 21 + carry[10] = s10 >> 21 + s11 += carry[10] + s10 -= carry[10] << 21 + carry[11] = s11 >> 21 + s12 += carry[11] + s11 -= carry[11] << 21 + + s0 += s12 * 666643 + s1 += s12 * 470296 + s2 += s12 * 654183 + s3 -= s12 * 997805 + s4 += s12 * 136657 + s5 -= s12 * 683901 + s12 = 0 + + carry[0] = s0 >> 21 + s1 += carry[0] + s0 -= carry[0] << 21 + carry[1] = s1 >> 21 + s2 += carry[1] + s1 -= carry[1] << 21 + carry[2] = s2 >> 21 + s3 += carry[2] + s2 -= carry[2] << 21 + carry[3] = s3 >> 21 + s4 += carry[3] + s3 -= carry[3] << 21 + carry[4] = s4 >> 21 + s5 += carry[4] + s4 -= carry[4] << 21 + carry[5] = s5 >> 21 + s6 += carry[5] + s5 -= carry[5] << 21 + carry[6] = s6 >> 21 + s7 += carry[6] + s6 -= carry[6] << 21 + carry[7] = s7 >> 21 + s8 += carry[7] + s7 -= carry[7] << 21 + carry[8] = s8 >> 21 + s9 += carry[8] + s8 -= carry[8] << 21 + carry[9] = s9 >> 21 + s10 += carry[9] + s9 -= carry[9] << 21 + carry[10] = s10 >> 21 + s11 += carry[10] + s10 -= carry[10] << 21 + + out[0] = byte(s0 >> 0) + out[1] = byte(s0 >> 8) + out[2] = byte((s0 >> 16) | (s1 << 5)) + out[3] = byte(s1 >> 3) + out[4] = byte(s1 >> 11) + out[5] = byte((s1 >> 19) | (s2 << 2)) + out[6] = byte(s2 >> 6) + out[7] = byte((s2 >> 14) | (s3 << 7)) + out[8] = byte(s3 >> 1) + out[9] = byte(s3 >> 9) + out[10] = byte((s3 >> 17) | (s4 << 4)) + out[11] = byte(s4 >> 4) + out[12] = byte(s4 >> 12) + out[13] = byte((s4 >> 20) | (s5 << 1)) + out[14] = byte(s5 >> 7) + out[15] = byte((s5 >> 15) | (s6 << 6)) + out[16] = byte(s6 >> 2) + out[17] = byte(s6 >> 10) + out[18] = byte((s6 >> 18) | (s7 << 3)) + out[19] = byte(s7 >> 5) + out[20] = byte(s7 >> 13) + out[21] = byte(s8 >> 0) + out[22] = byte(s8 >> 8) + out[23] = byte((s8 >> 16) | (s9 << 5)) + out[24] = byte(s9 >> 3) + out[25] = byte(s9 >> 11) + out[26] = byte((s9 >> 19) | (s10 << 2)) + out[27] = byte(s10 >> 6) + out[28] = byte((s10 >> 14) | (s11 << 7)) + out[29] = byte(s11 >> 1) + out[30] = byte(s11 >> 9) + out[31] = byte(s11 >> 17) +} + +// order is the order of Curve25519 in little-endian form. +var order = [4]uint64{0x5812631a5cf5d3ed, 0x14def9dea2f79cd6, 0, 0x1000000000000000} + +// ScMinimal returns true if the given scalar is less than the order of the +// curve. +func ScMinimal(scalar *[32]byte) bool { + for i := 3; ; i-- { + v := binary.LittleEndian.Uint64(scalar[i*8:]) + if v > order[i] { + return false + } else if v < order[i] { + break + } else if i == 0 { + return false + } + } + + return true +} diff --git a/vendor/gopkg.in/square/go-jose.v1/shared.go b/vendor/gopkg.in/square/go-jose.v1/shared.go deleted file mode 100644 index 9d895a912..000000000 --- a/vendor/gopkg.in/square/go-jose.v1/shared.go +++ /dev/null @@ -1,224 +0,0 @@ -/*- - * Copyright 2014 Square Inc. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package jose - -import ( - "crypto/elliptic" - "errors" - "fmt" -) - -// KeyAlgorithm represents a key management algorithm. -type KeyAlgorithm string - -// SignatureAlgorithm represents a signature (or MAC) algorithm. -type SignatureAlgorithm string - -// ContentEncryption represents a content encryption algorithm. -type ContentEncryption string - -// CompressionAlgorithm represents an algorithm used for plaintext compression. -type CompressionAlgorithm string - -var ( - // ErrCryptoFailure represents an error in cryptographic primitive. This - // occurs when, for example, a message had an invalid authentication tag or - // could not be decrypted. - ErrCryptoFailure = errors.New("square/go-jose: error in cryptographic primitive") - - // ErrUnsupportedAlgorithm indicates that a selected algorithm is not - // supported. This occurs when trying to instantiate an encrypter for an - // algorithm that is not yet implemented. - ErrUnsupportedAlgorithm = errors.New("square/go-jose: unknown/unsupported algorithm") - - // ErrUnsupportedKeyType indicates that the given key type/format is not - // supported. This occurs when trying to instantiate an encrypter and passing - // it a key of an unrecognized type or with unsupported parameters, such as - // an RSA private key with more than two primes. - ErrUnsupportedKeyType = errors.New("square/go-jose: unsupported key type/format") - - // ErrNotSupported serialization of object is not supported. This occurs when - // trying to compact-serialize an object which can't be represented in - // compact form. - ErrNotSupported = errors.New("square/go-jose: compact serialization not supported for object") - - // ErrUnprotectedNonce indicates that while parsing a JWS or JWE object, a - // nonce header parameter was included in an unprotected header object. - ErrUnprotectedNonce = errors.New("square/go-jose: Nonce parameter included in unprotected header") -) - -// Key management algorithms -const ( - RSA1_5 = KeyAlgorithm("RSA1_5") // RSA-PKCS1v1.5 - RSA_OAEP = KeyAlgorithm("RSA-OAEP") // RSA-OAEP-SHA1 - RSA_OAEP_256 = KeyAlgorithm("RSA-OAEP-256") // RSA-OAEP-SHA256 - A128KW = KeyAlgorithm("A128KW") // AES key wrap (128) - A192KW = KeyAlgorithm("A192KW") // AES key wrap (192) - A256KW = KeyAlgorithm("A256KW") // AES key wrap (256) - DIRECT = KeyAlgorithm("dir") // Direct encryption - ECDH_ES = KeyAlgorithm("ECDH-ES") // ECDH-ES - ECDH_ES_A128KW = KeyAlgorithm("ECDH-ES+A128KW") // ECDH-ES + AES key wrap (128) - ECDH_ES_A192KW = KeyAlgorithm("ECDH-ES+A192KW") // ECDH-ES + AES key wrap (192) - ECDH_ES_A256KW = KeyAlgorithm("ECDH-ES+A256KW") // ECDH-ES + AES key wrap (256) - A128GCMKW = KeyAlgorithm("A128GCMKW") // AES-GCM key wrap (128) - A192GCMKW = KeyAlgorithm("A192GCMKW") // AES-GCM key wrap (192) - A256GCMKW = KeyAlgorithm("A256GCMKW") // AES-GCM key wrap (256) - PBES2_HS256_A128KW = KeyAlgorithm("PBES2-HS256+A128KW") // PBES2 + HMAC-SHA256 + AES key wrap (128) - PBES2_HS384_A192KW = KeyAlgorithm("PBES2-HS384+A192KW") // PBES2 + HMAC-SHA384 + AES key wrap (192) - PBES2_HS512_A256KW = KeyAlgorithm("PBES2-HS512+A256KW") // PBES2 + HMAC-SHA512 + AES key wrap (256) -) - -// Signature algorithms -const ( - HS256 = SignatureAlgorithm("HS256") // HMAC using SHA-256 - HS384 = SignatureAlgorithm("HS384") // HMAC using SHA-384 - HS512 = SignatureAlgorithm("HS512") // HMAC using SHA-512 - RS256 = SignatureAlgorithm("RS256") // RSASSA-PKCS-v1.5 using SHA-256 - RS384 = SignatureAlgorithm("RS384") // RSASSA-PKCS-v1.5 using SHA-384 - RS512 = SignatureAlgorithm("RS512") // RSASSA-PKCS-v1.5 using SHA-512 - ES256 = SignatureAlgorithm("ES256") // ECDSA using P-256 and SHA-256 - ES384 = SignatureAlgorithm("ES384") // ECDSA using P-384 and SHA-384 - ES512 = SignatureAlgorithm("ES512") // ECDSA using P-521 and SHA-512 - PS256 = SignatureAlgorithm("PS256") // RSASSA-PSS using SHA256 and MGF1-SHA256 - PS384 = SignatureAlgorithm("PS384") // RSASSA-PSS using SHA384 and MGF1-SHA384 - PS512 = SignatureAlgorithm("PS512") // RSASSA-PSS using SHA512 and MGF1-SHA512 -) - -// Content encryption algorithms -const ( - A128CBC_HS256 = ContentEncryption("A128CBC-HS256") // AES-CBC + HMAC-SHA256 (128) - A192CBC_HS384 = ContentEncryption("A192CBC-HS384") // AES-CBC + HMAC-SHA384 (192) - A256CBC_HS512 = ContentEncryption("A256CBC-HS512") // AES-CBC + HMAC-SHA512 (256) - A128GCM = ContentEncryption("A128GCM") // AES-GCM (128) - A192GCM = ContentEncryption("A192GCM") // AES-GCM (192) - A256GCM = ContentEncryption("A256GCM") // AES-GCM (256) -) - -// Compression algorithms -const ( - NONE = CompressionAlgorithm("") // No compression - DEFLATE = CompressionAlgorithm("DEF") // DEFLATE (RFC 1951) -) - -// rawHeader represents the JOSE header for JWE/JWS objects (used for parsing). -type rawHeader struct { - Alg string `json:"alg,omitempty"` - Enc ContentEncryption `json:"enc,omitempty"` - Zip CompressionAlgorithm `json:"zip,omitempty"` - Crit []string `json:"crit,omitempty"` - Apu *byteBuffer `json:"apu,omitempty"` - Apv *byteBuffer `json:"apv,omitempty"` - Epk *JsonWebKey `json:"epk,omitempty"` - Iv *byteBuffer `json:"iv,omitempty"` - Tag *byteBuffer `json:"tag,omitempty"` - Jwk *JsonWebKey `json:"jwk,omitempty"` - Kid string `json:"kid,omitempty"` - Nonce string `json:"nonce,omitempty"` -} - -// JoseHeader represents the read-only JOSE header for JWE/JWS objects. -type JoseHeader struct { - KeyID string - JsonWebKey *JsonWebKey - Algorithm string - Nonce string -} - -// sanitized produces a cleaned-up header object from the raw JSON. -func (parsed rawHeader) sanitized() JoseHeader { - return JoseHeader{ - KeyID: parsed.Kid, - JsonWebKey: parsed.Jwk, - Algorithm: parsed.Alg, - Nonce: parsed.Nonce, - } -} - -// Merge headers from src into dst, giving precedence to headers from l. -func (dst *rawHeader) merge(src *rawHeader) { - if src == nil { - return - } - - if dst.Alg == "" { - dst.Alg = src.Alg - } - if dst.Enc == "" { - dst.Enc = src.Enc - } - if dst.Zip == "" { - dst.Zip = src.Zip - } - if dst.Crit == nil { - dst.Crit = src.Crit - } - if dst.Crit == nil { - dst.Crit = src.Crit - } - if dst.Apu == nil { - dst.Apu = src.Apu - } - if dst.Apv == nil { - dst.Apv = src.Apv - } - if dst.Epk == nil { - dst.Epk = src.Epk - } - if dst.Iv == nil { - dst.Iv = src.Iv - } - if dst.Tag == nil { - dst.Tag = src.Tag - } - if dst.Kid == "" { - dst.Kid = src.Kid - } - if dst.Jwk == nil { - dst.Jwk = src.Jwk - } - if dst.Nonce == "" { - dst.Nonce = src.Nonce - } -} - -// Get JOSE name of curve -func curveName(crv elliptic.Curve) (string, error) { - switch crv { - case elliptic.P256(): - return "P-256", nil - case elliptic.P384(): - return "P-384", nil - case elliptic.P521(): - return "P-521", nil - default: - return "", fmt.Errorf("square/go-jose: unsupported/unknown elliptic curve") - } -} - -// Get size of curve in bytes -func curveSize(crv elliptic.Curve) int { - bits := crv.Params().BitSize - - div := bits / 8 - mod := bits % 8 - - if mod == 0 { - return div - } - - return div + 1 -} diff --git a/vendor/gopkg.in/square/go-jose.v1/signing.go b/vendor/gopkg.in/square/go-jose.v1/signing.go deleted file mode 100644 index e64f8ab8d..000000000 --- a/vendor/gopkg.in/square/go-jose.v1/signing.go +++ /dev/null @@ -1,258 +0,0 @@ -/*- - * Copyright 2014 Square Inc. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package jose - -import ( - "crypto/ecdsa" - "crypto/rsa" - "errors" - "fmt" -) - -// NonceSource represents a source of random nonces to go into JWS objects -type NonceSource interface { - Nonce() (string, error) -} - -// Signer represents a signer which takes a payload and produces a signed JWS object. -type Signer interface { - Sign(payload []byte) (*JsonWebSignature, error) - SetNonceSource(source NonceSource) - SetEmbedJwk(embed bool) -} - -// MultiSigner represents a signer which supports multiple recipients. -type MultiSigner interface { - Sign(payload []byte) (*JsonWebSignature, error) - SetNonceSource(source NonceSource) - SetEmbedJwk(embed bool) - AddRecipient(alg SignatureAlgorithm, signingKey interface{}) error -} - -type payloadSigner interface { - signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) -} - -type payloadVerifier interface { - verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error -} - -type genericSigner struct { - recipients []recipientSigInfo - nonceSource NonceSource - embedJwk bool -} - -type recipientSigInfo struct { - sigAlg SignatureAlgorithm - keyID string - publicKey *JsonWebKey - signer payloadSigner -} - -// NewSigner creates an appropriate signer based on the key type -func NewSigner(alg SignatureAlgorithm, signingKey interface{}) (Signer, error) { - // NewMultiSigner never fails (currently) - signer := NewMultiSigner() - - err := signer.AddRecipient(alg, signingKey) - if err != nil { - return nil, err - } - - return signer, nil -} - -// NewMultiSigner creates a signer for multiple recipients -func NewMultiSigner() MultiSigner { - return &genericSigner{ - recipients: []recipientSigInfo{}, - embedJwk: true, - } -} - -// newVerifier creates a verifier based on the key type -func newVerifier(verificationKey interface{}) (payloadVerifier, error) { - switch verificationKey := verificationKey.(type) { - case *rsa.PublicKey: - return &rsaEncrypterVerifier{ - publicKey: verificationKey, - }, nil - case *ecdsa.PublicKey: - return &ecEncrypterVerifier{ - publicKey: verificationKey, - }, nil - case []byte: - return &symmetricMac{ - key: verificationKey, - }, nil - case *JsonWebKey: - return newVerifier(verificationKey.Key) - default: - return nil, ErrUnsupportedKeyType - } -} - -func (ctx *genericSigner) AddRecipient(alg SignatureAlgorithm, signingKey interface{}) error { - recipient, err := makeJWSRecipient(alg, signingKey) - if err != nil { - return err - } - - ctx.recipients = append(ctx.recipients, recipient) - return nil -} - -func makeJWSRecipient(alg SignatureAlgorithm, signingKey interface{}) (recipientSigInfo, error) { - switch signingKey := signingKey.(type) { - case *rsa.PrivateKey: - return newRSASigner(alg, signingKey) - case *ecdsa.PrivateKey: - return newECDSASigner(alg, signingKey) - case []byte: - return newSymmetricSigner(alg, signingKey) - case *JsonWebKey: - recipient, err := makeJWSRecipient(alg, signingKey.Key) - if err != nil { - return recipientSigInfo{}, err - } - recipient.keyID = signingKey.KeyID - return recipient, nil - default: - return recipientSigInfo{}, ErrUnsupportedKeyType - } -} - -func (ctx *genericSigner) Sign(payload []byte) (*JsonWebSignature, error) { - obj := &JsonWebSignature{} - obj.payload = payload - obj.Signatures = make([]Signature, len(ctx.recipients)) - - for i, recipient := range ctx.recipients { - protected := &rawHeader{ - Alg: string(recipient.sigAlg), - } - - if recipient.publicKey != nil && ctx.embedJwk { - protected.Jwk = recipient.publicKey - } - if recipient.keyID != "" { - protected.Kid = recipient.keyID - } - - if ctx.nonceSource != nil { - nonce, err := ctx.nonceSource.Nonce() - if err != nil { - return nil, fmt.Errorf("square/go-jose: Error generating nonce: %v", err) - } - protected.Nonce = nonce - } - - serializedProtected := mustSerializeJSON(protected) - - input := []byte(fmt.Sprintf("%s.%s", - base64URLEncode(serializedProtected), - base64URLEncode(payload))) - - signatureInfo, err := recipient.signer.signPayload(input, recipient.sigAlg) - if err != nil { - return nil, err - } - - signatureInfo.protected = protected - obj.Signatures[i] = signatureInfo - } - - return obj, nil -} - -// SetNonceSource provides or updates a nonce pool to the first recipients. -// After this method is called, the signer will consume one nonce per -// signature, returning an error it is unable to get a nonce. -func (ctx *genericSigner) SetNonceSource(source NonceSource) { - ctx.nonceSource = source -} - -// SetEmbedJwk specifies if the signing key should be embedded in the protected -// header, if any. It defaults to 'true', though that may change in the future. -// Note that the use of embedded JWKs in the signature header can be dangerous, -// as you cannot assume that the key received in a payload is trusted. -func (ctx *genericSigner) SetEmbedJwk(embed bool) { - ctx.embedJwk = embed -} - -// Verify validates the signature on the object and returns the payload. -// This function does not support multi-signature, if you desire multi-sig -// verification use VerifyMulti instead. -// -// Be careful when verifying signatures based on embedded JWKs inside the -// payload header. You cannot assume that the key received in a payload is -// trusted. -func (obj JsonWebSignature) Verify(verificationKey interface{}) ([]byte, error) { - verifier, err := newVerifier(verificationKey) - if err != nil { - return nil, err - } - - if len(obj.Signatures) > 1 { - return nil, errors.New("square/go-jose: too many signatures in payload; expecting only one") - } - - signature := obj.Signatures[0] - headers := signature.mergedHeaders() - if len(headers.Crit) > 0 { - // Unsupported crit header - return nil, ErrCryptoFailure - } - - input := obj.computeAuthData(&signature) - alg := SignatureAlgorithm(headers.Alg) - err = verifier.verifyPayload(input, signature.Signature, alg) - if err == nil { - return obj.payload, nil - } - - return nil, ErrCryptoFailure -} - -// VerifyMulti validates (one of the multiple) signatures on the object and -// returns the index of the signature that was verified, along with the signature -// object and the payload. We return the signature and index to guarantee that -// callers are getting the verified value. -func (obj JsonWebSignature) VerifyMulti(verificationKey interface{}) (int, Signature, []byte, error) { - verifier, err := newVerifier(verificationKey) - if err != nil { - return -1, Signature{}, nil, err - } - - for i, signature := range obj.Signatures { - headers := signature.mergedHeaders() - if len(headers.Crit) > 0 { - // Unsupported crit header - continue - } - - input := obj.computeAuthData(&signature) - alg := SignatureAlgorithm(headers.Alg) - err := verifier.verifyPayload(input, signature.Signature, alg) - if err == nil { - return i, signature, obj.payload, nil - } - } - - return -1, Signature{}, nil, ErrCryptoFailure -} diff --git a/vendor/gopkg.in/square/go-jose.v1/LICENSE b/vendor/gopkg.in/square/go-jose.v2/LICENSE index d64569567..d64569567 100644 --- a/vendor/gopkg.in/square/go-jose.v1/LICENSE +++ b/vendor/gopkg.in/square/go-jose.v2/LICENSE diff --git a/vendor/gopkg.in/square/go-jose.v1/asymmetric.go b/vendor/gopkg.in/square/go-jose.v2/asymmetric.go index cd36c21da..15e9d11a2 100644 --- a/vendor/gopkg.in/square/go-jose.v1/asymmetric.go +++ b/vendor/gopkg.in/square/go-jose.v2/asymmetric.go @@ -28,7 +28,9 @@ import ( "fmt" "math/big" - "gopkg.in/square/go-jose.v1/cipher" + "golang.org/x/crypto/ed25519" + "gopkg.in/square/go-jose.v2/cipher" + "gopkg.in/square/go-jose.v2/json" ) // A generic RSA-based encrypter/verifier @@ -46,6 +48,10 @@ type ecEncrypterVerifier struct { publicKey *ecdsa.PublicKey } +type edEncrypterVerifier struct { + publicKey ed25519.PublicKey +} + // A key generator for ECDH-ES type ecKeyGenerator struct { size int @@ -58,6 +64,10 @@ type ecDecrypterSigner struct { privateKey *ecdsa.PrivateKey } +type edDecrypterSigner struct { + privateKey ed25519.PrivateKey +} + // newRSARecipient creates recipientKeyInfo based on the given key. func newRSARecipient(keyAlg KeyAlgorithm, publicKey *rsa.PublicKey) (recipientKeyInfo, error) { // Verify that key management algorithm is supported by this encrypter @@ -94,7 +104,7 @@ func newRSASigner(sigAlg SignatureAlgorithm, privateKey *rsa.PrivateKey) (recipi return recipientSigInfo{ sigAlg: sigAlg, - publicKey: &JsonWebKey{ + publicKey: &JSONWebKey{ Key: &privateKey.PublicKey, }, signer: &rsaDecrypterSigner{ @@ -103,6 +113,25 @@ func newRSASigner(sigAlg SignatureAlgorithm, privateKey *rsa.PrivateKey) (recipi }, nil } +func newEd25519Signer(sigAlg SignatureAlgorithm, privateKey ed25519.PrivateKey) (recipientSigInfo, error) { + if sigAlg != EdDSA { + return recipientSigInfo{}, ErrUnsupportedAlgorithm + } + + if privateKey == nil { + return recipientSigInfo{}, errors.New("invalid private key") + } + return recipientSigInfo{ + sigAlg: sigAlg, + publicKey: &JSONWebKey{ + Key: privateKey.Public(), + }, + signer: &edDecrypterSigner{ + privateKey: privateKey, + }, + }, nil +} + // newECDHRecipient creates recipientKeyInfo based on the given key. func newECDHRecipient(keyAlg KeyAlgorithm, publicKey *ecdsa.PublicKey) (recipientKeyInfo, error) { // Verify that key management algorithm is supported by this encrypter @@ -139,7 +168,7 @@ func newECDSASigner(sigAlg SignatureAlgorithm, privateKey *ecdsa.PrivateKey) (re return recipientSigInfo{ sigAlg: sigAlg, - publicKey: &JsonWebKey{ + publicKey: &JSONWebKey{ Key: &privateKey.PublicKey, }, signer: &ecDecrypterSigner{ @@ -178,7 +207,7 @@ func (ctx rsaEncrypterVerifier) encrypt(cek []byte, alg KeyAlgorithm) ([]byte, e // Decrypt the given payload and return the content encryption key. func (ctx rsaDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) { - return ctx.decrypt(recipient.encryptedKey, KeyAlgorithm(headers.Alg), generator) + return ctx.decrypt(recipient.encryptedKey, headers.getAlgorithm(), generator) } // Decrypt the given payload. Based on the key encryption algorithm, @@ -366,10 +395,15 @@ func (ctx ecKeyGenerator) genKey() ([]byte, rawHeader, error) { out := josecipher.DeriveECDHES(ctx.algID, []byte{}, []byte{}, priv, ctx.publicKey, ctx.size) + b, err := json.Marshal(&JSONWebKey{ + Key: &priv.PublicKey, + }) + if err != nil { + return nil, nil, err + } + headers := rawHeader{ - Epk: &JsonWebKey{ - Key: &priv.PublicKey, - }, + headerEPK: makeRawMessage(b), } return out, headers, nil @@ -377,11 +411,15 @@ func (ctx ecKeyGenerator) genKey() ([]byte, rawHeader, error) { // Decrypt the given payload and return the content encryption key. func (ctx ecDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) { - if headers.Epk == nil { + epk, err := headers.getEPK() + if err != nil { + return nil, errors.New("square/go-jose: invalid epk header") + } + if epk == nil { return nil, errors.New("square/go-jose: missing epk header") } - publicKey, ok := headers.Epk.Key.(*ecdsa.PublicKey) + publicKey, ok := epk.Key.(*ecdsa.PublicKey) if publicKey == nil || !ok { return nil, errors.New("square/go-jose: invalid epk header") } @@ -390,19 +428,26 @@ func (ctx ecDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientI return nil, errors.New("square/go-jose: invalid public key in epk header") } - apuData := headers.Apu.bytes() - apvData := headers.Apv.bytes() + apuData, err := headers.getAPU() + if err != nil { + return nil, errors.New("square/go-jose: invalid apu header") + } + apvData, err := headers.getAPV() + if err != nil { + return nil, errors.New("square/go-jose: invalid apv header") + } deriveKey := func(algID string, size int) []byte { - return josecipher.DeriveECDHES(algID, apuData, apvData, ctx.privateKey, publicKey, size) + return josecipher.DeriveECDHES(algID, apuData.bytes(), apvData.bytes(), ctx.privateKey, publicKey, size) } var keySize int - switch KeyAlgorithm(headers.Alg) { + algorithm := headers.getAlgorithm() + switch algorithm { case ECDH_ES: // ECDH-ES uses direct key agreement, no key unwrapping necessary. - return deriveKey(string(headers.Enc), generator.keySize()), nil + return deriveKey(string(headers.getEncryption()), generator.keySize()), nil case ECDH_ES_A128KW: keySize = 16 case ECDH_ES_A192KW: @@ -413,7 +458,7 @@ func (ctx ecDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientI return nil, ErrUnsupportedAlgorithm } - key := deriveKey(headers.Alg, keySize) + key := deriveKey(string(algorithm), keySize) block, err := aes.NewCipher(key) if err != nil { return nil, err @@ -421,6 +466,32 @@ func (ctx ecDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientI return josecipher.KeyUnwrap(block, recipient.encryptedKey) } +func (ctx edDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) { + if alg != EdDSA { + return Signature{}, ErrUnsupportedAlgorithm + } + + sig, err := ctx.privateKey.Sign(randReader, payload, crypto.Hash(0)) + if err != nil { + return Signature{}, err + } + + return Signature{ + Signature: sig, + protected: &rawHeader{}, + }, nil +} + +func (ctx edEncrypterVerifier) verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error { + if alg != EdDSA { + return ErrUnsupportedAlgorithm + } + ok := ed25519.Verify(ctx.publicKey, payload, signature) + if !ok { + return errors.New("square/go-jose: ed25519 signature failed to verify") + } + return nil +} // Sign the given payload func (ctx ecDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) { @@ -457,7 +528,7 @@ func (ctx ecDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm) keyBytes := curveBits / 8 if curveBits%8 > 0 { - keyBytes += 1 + keyBytes++ } // We serialize the outpus (r and s) into big-endian byte arrays and pad diff --git a/vendor/gopkg.in/square/go-jose.v1/cipher/cbc_hmac.go b/vendor/gopkg.in/square/go-jose.v2/cipher/cbc_hmac.go index 126b85ce2..126b85ce2 100644 --- a/vendor/gopkg.in/square/go-jose.v1/cipher/cbc_hmac.go +++ b/vendor/gopkg.in/square/go-jose.v2/cipher/cbc_hmac.go diff --git a/vendor/gopkg.in/square/go-jose.v1/cipher/concat_kdf.go b/vendor/gopkg.in/square/go-jose.v2/cipher/concat_kdf.go index f62c3bdba..f62c3bdba 100644 --- a/vendor/gopkg.in/square/go-jose.v1/cipher/concat_kdf.go +++ b/vendor/gopkg.in/square/go-jose.v2/cipher/concat_kdf.go diff --git a/vendor/gopkg.in/square/go-jose.v1/cipher/ecdh_es.go b/vendor/gopkg.in/square/go-jose.v2/cipher/ecdh_es.go index f23d49e1f..c128e327f 100644 --- a/vendor/gopkg.in/square/go-jose.v1/cipher/ecdh_es.go +++ b/vendor/gopkg.in/square/go-jose.v2/cipher/ecdh_es.go @@ -28,7 +28,7 @@ import ( // size may be at most 1<<16 bytes (64 KiB). func DeriveECDHES(alg string, apuData, apvData []byte, priv *ecdsa.PrivateKey, pub *ecdsa.PublicKey, size int) []byte { if size > 1<<16 { - panic("ECDH-ES output size too large, must be less than 1<<16") + panic("ECDH-ES output size too large, must be less than or equal to 1<<16") } // algId, partyUInfo, partyVInfo inputs must be prefixed with the length diff --git a/vendor/gopkg.in/square/go-jose.v1/cipher/key_wrap.go b/vendor/gopkg.in/square/go-jose.v2/cipher/key_wrap.go index 1d36d5015..1d36d5015 100644 --- a/vendor/gopkg.in/square/go-jose.v1/cipher/key_wrap.go +++ b/vendor/gopkg.in/square/go-jose.v2/cipher/key_wrap.go diff --git a/vendor/gopkg.in/square/go-jose.v1/crypter.go b/vendor/gopkg.in/square/go-jose.v2/crypter.go index b3bdaec80..0681c8119 100644 --- a/vendor/gopkg.in/square/go-jose.v1/crypter.go +++ b/vendor/gopkg.in/square/go-jose.v2/crypter.go @@ -22,21 +22,15 @@ import ( "errors" "fmt" "reflect" + + "gopkg.in/square/go-jose.v2/json" ) // Encrypter represents an encrypter which produces an encrypted JWE object. type Encrypter interface { - Encrypt(plaintext []byte) (*JsonWebEncryption, error) - EncryptWithAuthData(plaintext []byte, aad []byte) (*JsonWebEncryption, error) - SetCompression(alg CompressionAlgorithm) -} - -// MultiEncrypter represents an encrypter which supports multiple recipients. -type MultiEncrypter interface { - Encrypt(plaintext []byte) (*JsonWebEncryption, error) - EncryptWithAuthData(plaintext []byte, aad []byte) (*JsonWebEncryption, error) - SetCompression(alg CompressionAlgorithm) - AddRecipient(alg KeyAlgorithm, encryptionKey interface{}) error + Encrypt(plaintext []byte) (*JSONWebEncryption, error) + EncryptWithAuthData(plaintext []byte, aad []byte) (*JSONWebEncryption, error) + Options() EncrypterOptions } // A generic content cipher @@ -69,6 +63,7 @@ type genericEncrypter struct { cipher contentCipher recipients []recipientKeyInfo keyGenerator keyGenerator + extraHeaders map[HeaderKey]interface{} } type recipientKeyInfo struct { @@ -77,18 +72,54 @@ type recipientKeyInfo struct { keyEncrypter keyEncrypter } -// SetCompression sets a compression algorithm to be applied before encryption. -func (ctx *genericEncrypter) SetCompression(compressionAlg CompressionAlgorithm) { - ctx.compressionAlg = compressionAlg +// EncrypterOptions represents options that can be set on new encrypters. +type EncrypterOptions struct { + Compression CompressionAlgorithm + + // Optional map of additional keys to be inserted into the protected header + // of a JWS object. Some specifications which make use of JWS like to insert + // additional values here. All values must be JSON-serializable. + ExtraHeaders map[HeaderKey]interface{} +} + +// WithHeader adds an arbitrary value to the ExtraHeaders map, initializing it +// if necessary. It returns itself and so can be used in a fluent style. +func (eo *EncrypterOptions) WithHeader(k HeaderKey, v interface{}) *EncrypterOptions { + if eo.ExtraHeaders == nil { + eo.ExtraHeaders = map[HeaderKey]interface{}{} + } + eo.ExtraHeaders[k] = v + return eo +} + +// WithContentType adds a content type ("cty") header and returns the updated +// EncrypterOptions. +func (eo *EncrypterOptions) WithContentType(contentType ContentType) *EncrypterOptions { + return eo.WithHeader(HeaderContentType, contentType) +} + +// WithType adds a type ("typ") header and returns the updated EncrypterOptions. +func (eo *EncrypterOptions) WithType(typ ContentType) *EncrypterOptions { + return eo.WithHeader(HeaderType, typ) +} + +// Recipient represents an algorithm/key to encrypt messages to. +type Recipient struct { + Algorithm KeyAlgorithm + Key interface{} + KeyID string } // NewEncrypter creates an appropriate encrypter based on the key type -func NewEncrypter(alg KeyAlgorithm, enc ContentEncryption, encryptionKey interface{}) (Encrypter, error) { +func NewEncrypter(enc ContentEncryption, rcpt Recipient, opts *EncrypterOptions) (Encrypter, error) { encrypter := &genericEncrypter{ - contentAlg: enc, - compressionAlg: NONE, - recipients: []recipientKeyInfo{}, - cipher: getContentCipher(enc), + contentAlg: enc, + recipients: []recipientKeyInfo{}, + cipher: getContentCipher(enc), + } + if opts != nil { + encrypter.compressionAlg = opts.Compression + encrypter.extraHeaders = opts.ExtraHeaders } if encrypter.cipher == nil { @@ -97,15 +128,16 @@ func NewEncrypter(alg KeyAlgorithm, enc ContentEncryption, encryptionKey interfa var keyID string var rawKey interface{} - switch encryptionKey := encryptionKey.(type) { - case *JsonWebKey: - keyID = encryptionKey.KeyID - rawKey = encryptionKey.Key + switch encryptionKey := rcpt.Key.(type) { + case JSONWebKey: + keyID, rawKey = encryptionKey.KeyID, encryptionKey.Key + case *JSONWebKey: + keyID, rawKey = encryptionKey.KeyID, encryptionKey.Key default: rawKey = encryptionKey } - switch alg { + switch rcpt.Algorithm { case DIRECT: // Direct encryption mode must be treated differently if reflect.TypeOf(rawKey) != reflect.TypeOf([]byte{}) { @@ -114,11 +146,12 @@ func NewEncrypter(alg KeyAlgorithm, enc ContentEncryption, encryptionKey interfa encrypter.keyGenerator = staticKeyGenerator{ key: rawKey.([]byte), } - recipient, _ := newSymmetricRecipient(alg, rawKey.([]byte)) - if keyID != "" { - recipient.keyID = keyID + recipientInfo, _ := newSymmetricRecipient(rcpt.Algorithm, rawKey.([]byte)) + recipientInfo.keyID = keyID + if rcpt.KeyID != "" { + recipientInfo.keyID = rcpt.KeyID } - encrypter.recipients = []recipientKeyInfo{recipient} + encrypter.recipients = []recipientKeyInfo{recipientInfo} return encrypter, nil case ECDH_ES: // ECDH-ES (w/o key wrapping) is similar to DIRECT mode @@ -131,55 +164,72 @@ func NewEncrypter(alg KeyAlgorithm, enc ContentEncryption, encryptionKey interfa algID: string(enc), publicKey: rawKey.(*ecdsa.PublicKey), } - recipient, _ := newECDHRecipient(alg, rawKey.(*ecdsa.PublicKey)) - if keyID != "" { - recipient.keyID = keyID + recipientInfo, _ := newECDHRecipient(rcpt.Algorithm, rawKey.(*ecdsa.PublicKey)) + recipientInfo.keyID = keyID + if rcpt.KeyID != "" { + recipientInfo.keyID = rcpt.KeyID } - encrypter.recipients = []recipientKeyInfo{recipient} + encrypter.recipients = []recipientKeyInfo{recipientInfo} return encrypter, nil default: // Can just add a standard recipient encrypter.keyGenerator = randomKeyGenerator{ size: encrypter.cipher.keySize(), } - err := encrypter.AddRecipient(alg, encryptionKey) + err := encrypter.addRecipient(rcpt) return encrypter, err } } // NewMultiEncrypter creates a multi-encrypter based on the given parameters -func NewMultiEncrypter(enc ContentEncryption) (MultiEncrypter, error) { +func NewMultiEncrypter(enc ContentEncryption, rcpts []Recipient, opts *EncrypterOptions) (Encrypter, error) { cipher := getContentCipher(enc) if cipher == nil { return nil, ErrUnsupportedAlgorithm } + if rcpts == nil || len(rcpts) == 0 { + return nil, fmt.Errorf("square/go-jose: recipients is nil or empty") + } encrypter := &genericEncrypter{ - contentAlg: enc, - compressionAlg: NONE, - recipients: []recipientKeyInfo{}, - cipher: cipher, + contentAlg: enc, + recipients: []recipientKeyInfo{}, + cipher: cipher, keyGenerator: randomKeyGenerator{ size: cipher.keySize(), }, } + if opts != nil { + encrypter.compressionAlg = opts.Compression + } + + for _, recipient := range rcpts { + err := encrypter.addRecipient(recipient) + if err != nil { + return nil, err + } + } + return encrypter, nil } -func (ctx *genericEncrypter) AddRecipient(alg KeyAlgorithm, encryptionKey interface{}) (err error) { - var recipient recipientKeyInfo +func (ctx *genericEncrypter) addRecipient(recipient Recipient) (err error) { + var recipientInfo recipientKeyInfo - switch alg { + switch recipient.Algorithm { case DIRECT, ECDH_ES: - return fmt.Errorf("square/go-jose: key algorithm '%s' not supported in multi-recipient mode", alg) + return fmt.Errorf("square/go-jose: key algorithm '%s' not supported in multi-recipient mode", recipient.Algorithm) } - recipient, err = makeJWERecipient(alg, encryptionKey) + recipientInfo, err = makeJWERecipient(recipient.Algorithm, recipient.Key) + if recipient.KeyID != "" { + recipientInfo.keyID = recipient.KeyID + } if err == nil { - ctx.recipients = append(ctx.recipients, recipient) + ctx.recipients = append(ctx.recipients, recipientInfo) } return err } @@ -192,11 +242,9 @@ func makeJWERecipient(alg KeyAlgorithm, encryptionKey interface{}) (recipientKey return newECDHRecipient(alg, encryptionKey) case []byte: return newSymmetricRecipient(alg, encryptionKey) - case *JsonWebKey: + case *JSONWebKey: recipient, err := makeJWERecipient(alg, encryptionKey.Key) - if err == nil && encryptionKey.KeyID != "" { - recipient.keyID = encryptionKey.KeyID - } + recipient.keyID = encryptionKey.KeyID return recipient, err default: return recipientKeyInfo{}, ErrUnsupportedKeyType @@ -218,7 +266,9 @@ func newDecrypter(decryptionKey interface{}) (keyDecrypter, error) { return &symmetricKeyCipher{ key: decryptionKey, }, nil - case *JsonWebKey: + case JSONWebKey: + return newDecrypter(decryptionKey.Key) + case *JSONWebKey: return newDecrypter(decryptionKey.Key) default: return nil, ErrUnsupportedKeyType @@ -226,18 +276,21 @@ func newDecrypter(decryptionKey interface{}) (keyDecrypter, error) { } // Implementation of encrypt method producing a JWE object. -func (ctx *genericEncrypter) Encrypt(plaintext []byte) (*JsonWebEncryption, error) { +func (ctx *genericEncrypter) Encrypt(plaintext []byte) (*JSONWebEncryption, error) { return ctx.EncryptWithAuthData(plaintext, nil) } // Implementation of encrypt method producing a JWE object. -func (ctx *genericEncrypter) EncryptWithAuthData(plaintext, aad []byte) (*JsonWebEncryption, error) { - obj := &JsonWebEncryption{} +func (ctx *genericEncrypter) EncryptWithAuthData(plaintext, aad []byte) (*JSONWebEncryption, error) { + obj := &JSONWebEncryption{} obj.aad = aad - obj.protected = &rawHeader{ - Enc: ctx.contentAlg, + obj.protected = &rawHeader{} + err := obj.protected.set(headerEncryption, ctx.contentAlg) + if err != nil { + return nil, err } + obj.recipients = make([]recipientInfo, len(ctx.recipients)) if len(ctx.recipients) == 0 { @@ -257,9 +310,16 @@ func (ctx *genericEncrypter) EncryptWithAuthData(plaintext, aad []byte) (*JsonWe return nil, err } - recipient.header.Alg = string(info.keyAlg) + err = recipient.header.set(headerAlgorithm, info.keyAlg) + if err != nil { + return nil, err + } + if info.keyID != "" { - recipient.header.Kid = info.keyID + err = recipient.header.set(headerKeyID, info.keyID) + if err != nil { + return nil, err + } } obj.recipients[i] = recipient } @@ -277,7 +337,18 @@ func (ctx *genericEncrypter) EncryptWithAuthData(plaintext, aad []byte) (*JsonWe return nil, err } - obj.protected.Zip = ctx.compressionAlg + err = obj.protected.set(headerCompression, ctx.compressionAlg) + if err != nil { + return nil, err + } + } + + for k, v := range ctx.extraHeaders { + b, err := json.Marshal(v) + if err != nil { + return nil, err + } + (*obj.protected)[k] = makeRawMessage(b) } authData := obj.computeAuthData() @@ -293,17 +364,29 @@ func (ctx *genericEncrypter) EncryptWithAuthData(plaintext, aad []byte) (*JsonWe return obj, nil } +func (ctx *genericEncrypter) Options() EncrypterOptions { + return EncrypterOptions{ + Compression: ctx.compressionAlg, + ExtraHeaders: ctx.extraHeaders, + } +} + // Decrypt and validate the object and return the plaintext. Note that this // function does not support multi-recipient, if you desire multi-recipient // decryption use DecryptMulti instead. -func (obj JsonWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) { +func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) { headers := obj.mergedHeaders(nil) if len(obj.recipients) > 1 { return nil, errors.New("square/go-jose: too many recipients in payload; expecting only one") } - if len(headers.Crit) > 0 { + critical, err := headers.getCritical() + if err != nil { + return nil, fmt.Errorf("square/go-jose: invalid crit header") + } + + if len(critical) > 0 { return nil, fmt.Errorf("square/go-jose: unsupported crit header") } @@ -312,9 +395,9 @@ func (obj JsonWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) return nil, err } - cipher := getContentCipher(headers.Enc) + cipher := getContentCipher(headers.getEncryption()) if cipher == nil { - return nil, fmt.Errorf("square/go-jose: unsupported enc value '%s'", string(headers.Enc)) + return nil, fmt.Errorf("square/go-jose: unsupported enc value '%s'", string(headers.getEncryption())) } generator := randomKeyGenerator{ @@ -344,8 +427,8 @@ func (obj JsonWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) } // The "zip" header parameter may only be present in the protected header. - if obj.protected.Zip != "" { - plaintext, err = decompress(obj.protected.Zip, plaintext) + if comp := obj.protected.getCompression(); comp != "" { + plaintext, err = decompress(comp, plaintext) } return plaintext, err @@ -355,21 +438,27 @@ func (obj JsonWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) // with support for multiple recipients. It returns the index of the recipient // for which the decryption was successful, the merged headers for that recipient, // and the plaintext. -func (obj JsonWebEncryption) DecryptMulti(decryptionKey interface{}) (int, JoseHeader, []byte, error) { +func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) { globalHeaders := obj.mergedHeaders(nil) - if len(globalHeaders.Crit) > 0 { - return -1, JoseHeader{}, nil, fmt.Errorf("square/go-jose: unsupported crit header") + critical, err := globalHeaders.getCritical() + if err != nil { + return -1, Header{}, nil, fmt.Errorf("square/go-jose: invalid crit header") + } + + if len(critical) > 0 { + return -1, Header{}, nil, fmt.Errorf("square/go-jose: unsupported crit header") } decrypter, err := newDecrypter(decryptionKey) if err != nil { - return -1, JoseHeader{}, nil, err + return -1, Header{}, nil, err } - cipher := getContentCipher(globalHeaders.Enc) + encryption := globalHeaders.getEncryption() + cipher := getContentCipher(encryption) if cipher == nil { - return -1, JoseHeader{}, nil, fmt.Errorf("square/go-jose: unsupported enc value '%s'", string(globalHeaders.Enc)) + return -1, Header{}, nil, fmt.Errorf("square/go-jose: unsupported enc value '%s'", string(encryption)) } generator := randomKeyGenerator{ @@ -404,13 +493,18 @@ func (obj JsonWebEncryption) DecryptMulti(decryptionKey interface{}) (int, JoseH } if plaintext == nil || err != nil { - return -1, JoseHeader{}, nil, ErrCryptoFailure + return -1, Header{}, nil, ErrCryptoFailure } // The "zip" header parameter may only be present in the protected header. - if obj.protected.Zip != "" { - plaintext, err = decompress(obj.protected.Zip, plaintext) + if comp := obj.protected.getCompression(); comp != "" { + plaintext, err = decompress(comp, plaintext) + } + + sanitized, err := headers.sanitized() + if err != nil { + return -1, Header{}, nil, fmt.Errorf("square/go-jose: failed to sanitize header: %v", err) } - return index, headers.sanitized(), plaintext, err + return index, sanitized, plaintext, err } diff --git a/vendor/gopkg.in/square/go-jose.v1/doc.go b/vendor/gopkg.in/square/go-jose.v2/doc.go index b4cd1e989..dd1387f3f 100644 --- a/vendor/gopkg.in/square/go-jose.v1/doc.go +++ b/vendor/gopkg.in/square/go-jose.v2/doc.go @@ -17,10 +17,11 @@ /* Package jose aims to provide an implementation of the Javascript Object Signing -and Encryption set of standards. For the moment, it mainly focuses on -encryption and signing based on the JSON Web Encryption and JSON Web Signature -standards. The library supports both the compact and full serialization -formats, and has optional support for multiple recipients. +and Encryption set of standards. It implements encryption and signing based on +the JSON Web Encryption and JSON Web Signature standards, with optional JSON +Web Token support available in a sub-package. The library supports both the +compact and full serialization formats, and has optional support for multiple +recipients. */ -package jose // import "gopkg.in/square/go-jose.v1" +package jose diff --git a/vendor/gopkg.in/square/go-jose.v1/encoding.go b/vendor/gopkg.in/square/go-jose.v2/encoding.go index dde0a42db..9f37ef465 100644 --- a/vendor/gopkg.in/square/go-jose.v1/encoding.go +++ b/vendor/gopkg.in/square/go-jose.v2/encoding.go @@ -21,29 +21,14 @@ import ( "compress/flate" "encoding/base64" "encoding/binary" + "encoding/json" "io" "math/big" "regexp" - "strings" - - "gopkg.in/square/go-jose.v1/json" ) var stripWhitespaceRegex = regexp.MustCompile("\\s") -// Url-safe base64 encode that strips padding -func base64URLEncode(data []byte) string { - var result = base64.URLEncoding.EncodeToString(data) - return strings.TrimRight(result, "=") -} - -// Url-safe base64 decoder that adds padding -func base64URLDecode(data string) ([]byte, error) { - var missing = (4 - len(data)%4) % 4 - data += strings.Repeat("=", missing) - return base64.URLEncoding.DecodeString(data) -} - // Helper function to serialize known-good objects. // Precondition: value is not a nil pointer. func mustSerializeJSON(value interface{}) []byte { @@ -162,7 +147,7 @@ func (b *byteBuffer) UnmarshalJSON(data []byte) error { return nil } - decoded, err := base64URLDecode(encoded) + decoded, err := base64.RawURLEncoding.DecodeString(encoded) if err != nil { return err } @@ -173,7 +158,7 @@ func (b *byteBuffer) UnmarshalJSON(data []byte) error { } func (b *byteBuffer) base64() string { - return base64URLEncode(b.data) + return base64.RawURLEncoding.EncodeToString(b.data) } func (b *byteBuffer) bytes() []byte { diff --git a/vendor/gopkg.in/square/go-jose.v1/jose-util/main.go b/vendor/gopkg.in/square/go-jose.v2/jose-util/main.go index 7ae93ee76..272d9f08f 100644 --- a/vendor/gopkg.in/square/go-jose.v1/jose-util/main.go +++ b/vendor/gopkg.in/square/go-jose.v2/jose-util/main.go @@ -22,7 +22,7 @@ import ( "os" "gopkg.in/alecthomas/kingpin.v2" - "gopkg.in/square/go-jose.v1" + "gopkg.in/square/go-jose.v2" ) var ( @@ -50,7 +50,7 @@ var ( ) func main() { - app.Version("v1") + app.Version("v2") command := kingpin.MustParse(app.Parse(os.Args[1:])) @@ -63,13 +63,13 @@ func main() { switch command { case "encrypt": - pub, err := jose.LoadPublicKey(keyBytes) + pub, err := LoadPublicKey(keyBytes) exitOnError(err, "unable to read public key") alg := jose.KeyAlgorithm(*algFlag) enc := jose.ContentEncryption(*encFlag) - crypter, err := jose.NewEncrypter(alg, enc, pub) + crypter, err := jose.NewEncrypter(enc, jose.Recipient{Algorithm: alg, Key: pub}, nil) exitOnError(err, "unable to instantiate encrypter") obj, err := crypter.Encrypt(readInput(*inFile)) @@ -85,7 +85,7 @@ func main() { writeOutput(*outFile, []byte(msg)) case "decrypt": - priv, err := jose.LoadPrivateKey(keyBytes) + priv, err := LoadPrivateKey(keyBytes) exitOnError(err, "unable to read private key") obj, err := jose.ParseEncrypted(string(readInput(*inFile))) @@ -96,11 +96,11 @@ func main() { writeOutput(*outFile, plaintext) case "sign": - signingKey, err := jose.LoadPrivateKey(keyBytes) + signingKey, err := LoadPrivateKey(keyBytes) exitOnError(err, "unable to read private key") alg := jose.SignatureAlgorithm(*sigAlgFlag) - signer, err := jose.NewSigner(alg, signingKey) + signer, err := jose.NewSigner(jose.SigningKey{Algorithm: alg, Key: signingKey}, nil) exitOnError(err, "unable to make signer") obj, err := signer.Sign(readInput(*inFile)) @@ -116,8 +116,8 @@ func main() { writeOutput(*outFile, []byte(msg)) case "verify": - verificationKey, err := jose.LoadPublicKey(keyBytes) - exitOnError(err, "unable to read private key") + verificationKey, err := LoadPublicKey(keyBytes) + exitOnError(err, "unable to read public key") obj, err := jose.ParseSigned(string(readInput(*inFile))) exitOnError(err, "unable to parse message") @@ -133,13 +133,13 @@ func main() { var err error switch *formatFlag { case "", "JWE": - var jwe *jose.JsonWebEncryption + var jwe *jose.JSONWebEncryption jwe, err = jose.ParseEncrypted(input) if err == nil { serialized = jwe.FullSerialize() } case "JWS": - var jws *jose.JsonWebSignature + var jws *jose.JSONWebSignature jws, err = jose.ParseSigned(input) if err == nil { serialized = jws.FullSerialize() diff --git a/vendor/gopkg.in/square/go-jose.v1/utils.go b/vendor/gopkg.in/square/go-jose.v2/jose-util/utils.go index 4ca2bc06b..4dccf1020 100644 --- a/vendor/gopkg.in/square/go-jose.v1/utils.go +++ b/vendor/gopkg.in/square/go-jose.v2/jose-util/utils.go @@ -14,15 +14,32 @@ * limitations under the License. */ -package jose +package main import ( "crypto/x509" "encoding/pem" + "errors" "fmt" + "gopkg.in/square/go-jose.v2" ) -// LoadPublicKey loads a public key from PEM/DER-encoded data. +func LoadJSONWebKey(json []byte, pub bool) (*jose.JSONWebKey, error) { + var jwk jose.JSONWebKey + err := jwk.UnmarshalJSON(json) + if err != nil { + return nil, err + } + if !jwk.Valid() { + return nil, errors.New("invalid JWK key") + } + if jwk.IsPublic() != pub { + return nil, errors.New("priv/pub JWK key mismatch") + } + return &jwk, nil +} + +// LoadPublicKey loads a public key from PEM/DER/JWK-encoded data. func LoadPublicKey(data []byte) (interface{}, error) { input := data @@ -42,10 +59,15 @@ func LoadPublicKey(data []byte) (interface{}, error) { return cert.PublicKey, nil } - return nil, fmt.Errorf("square/go-jose: parse error, got '%s' and '%s'", err0, err1) + jwk, err2 := LoadJSONWebKey(data, true) + if err2 == nil { + return jwk, nil + } + + return nil, fmt.Errorf("square/go-jose: parse error, got '%s', '%s' and '%s'", err0, err1, err2) } -// LoadPrivateKey loads a private key from PEM/DER-encoded data. +// LoadPrivateKey loads a private key from PEM/DER/JWK-encoded data. func LoadPrivateKey(data []byte) (interface{}, error) { input := data @@ -70,5 +92,10 @@ func LoadPrivateKey(data []byte) (interface{}, error) { return priv, nil } - return nil, fmt.Errorf("square/go-jose: parse error, got '%s', '%s' and '%s'", err0, err1, err2) + jwk, err3 := LoadJSONWebKey(input, false) + if err3 == nil { + return jwk, nil + } + + return nil, fmt.Errorf("square/go-jose: parse error, got '%s', '%s', '%s' and '%s'", err0, err1, err2, err3) } diff --git a/vendor/gopkg.in/square/go-jose.v1/json/decode.go b/vendor/gopkg.in/square/go-jose.v2/json/decode.go index 37457e5a8..37457e5a8 100644 --- a/vendor/gopkg.in/square/go-jose.v1/json/decode.go +++ b/vendor/gopkg.in/square/go-jose.v2/json/decode.go diff --git a/vendor/gopkg.in/square/go-jose.v1/json/encode.go b/vendor/gopkg.in/square/go-jose.v2/json/encode.go index 1dae8bb7c..1dae8bb7c 100644 --- a/vendor/gopkg.in/square/go-jose.v1/json/encode.go +++ b/vendor/gopkg.in/square/go-jose.v2/json/encode.go diff --git a/vendor/gopkg.in/square/go-jose.v1/json/indent.go b/vendor/gopkg.in/square/go-jose.v2/json/indent.go index 7cd9f4db1..7cd9f4db1 100644 --- a/vendor/gopkg.in/square/go-jose.v1/json/indent.go +++ b/vendor/gopkg.in/square/go-jose.v2/json/indent.go diff --git a/vendor/gopkg.in/square/go-jose.v1/json/scanner.go b/vendor/gopkg.in/square/go-jose.v2/json/scanner.go index ee6622e8c..ee6622e8c 100644 --- a/vendor/gopkg.in/square/go-jose.v1/json/scanner.go +++ b/vendor/gopkg.in/square/go-jose.v2/json/scanner.go diff --git a/vendor/gopkg.in/square/go-jose.v1/json/stream.go b/vendor/gopkg.in/square/go-jose.v2/json/stream.go index 8ddcf4d27..8ddcf4d27 100644 --- a/vendor/gopkg.in/square/go-jose.v1/json/stream.go +++ b/vendor/gopkg.in/square/go-jose.v2/json/stream.go diff --git a/vendor/gopkg.in/square/go-jose.v1/json/tags.go b/vendor/gopkg.in/square/go-jose.v2/json/tags.go index c38fd5102..c38fd5102 100644 --- a/vendor/gopkg.in/square/go-jose.v1/json/tags.go +++ b/vendor/gopkg.in/square/go-jose.v2/json/tags.go diff --git a/vendor/gopkg.in/square/go-jose.v1/jwe.go b/vendor/gopkg.in/square/go-jose.v2/jwe.go index 7eb8956d2..f2176cfb0 100644 --- a/vendor/gopkg.in/square/go-jose.v1/jwe.go +++ b/vendor/gopkg.in/square/go-jose.v2/jwe.go @@ -17,14 +17,14 @@ package jose import ( + "encoding/base64" + "encoding/json" "fmt" "strings" - - "gopkg.in/square/go-jose.v1/json" ) -// rawJsonWebEncryption represents a raw JWE JSON object. Used for parsing/serializing. -type rawJsonWebEncryption struct { +// rawJSONWebEncryption represents a raw JWE JSON object. Used for parsing/serializing. +type rawJSONWebEncryption struct { Protected *byteBuffer `json:"protected,omitempty"` Unprotected *rawHeader `json:"unprotected,omitempty"` Header *rawHeader `json:"header,omitempty"` @@ -42,13 +42,13 @@ type rawRecipientInfo struct { EncryptedKey string `json:"encrypted_key,omitempty"` } -// JsonWebEncryption represents an encrypted JWE object after parsing. -type JsonWebEncryption struct { - Header JoseHeader +// JSONWebEncryption represents an encrypted JWE object after parsing. +type JSONWebEncryption struct { + Header Header protected, unprotected *rawHeader recipients []recipientInfo aad, iv, ciphertext, tag []byte - original *rawJsonWebEncryption + original *rawJSONWebEncryption } // recipientInfo represents a raw JWE Per-Recipient header JSON object after parsing. @@ -58,7 +58,7 @@ type recipientInfo struct { } // GetAuthData retrieves the (optional) authenticated data attached to the object. -func (obj JsonWebEncryption) GetAuthData() []byte { +func (obj JSONWebEncryption) GetAuthData() []byte { if obj.aad != nil { out := make([]byte, len(obj.aad)) copy(out, obj.aad) @@ -69,7 +69,7 @@ func (obj JsonWebEncryption) GetAuthData() []byte { } // Get the merged header values -func (obj JsonWebEncryption) mergedHeaders(recipient *recipientInfo) rawHeader { +func (obj JSONWebEncryption) mergedHeaders(recipient *recipientInfo) rawHeader { out := rawHeader{} out.merge(obj.protected) out.merge(obj.unprotected) @@ -82,26 +82,26 @@ func (obj JsonWebEncryption) mergedHeaders(recipient *recipientInfo) rawHeader { } // Get the additional authenticated data from a JWE object. -func (obj JsonWebEncryption) computeAuthData() []byte { +func (obj JSONWebEncryption) computeAuthData() []byte { var protected string if obj.original != nil { protected = obj.original.Protected.base64() } else { - protected = base64URLEncode(mustSerializeJSON((obj.protected))) + protected = base64.RawURLEncoding.EncodeToString(mustSerializeJSON((obj.protected))) } output := []byte(protected) if obj.aad != nil { output = append(output, '.') - output = append(output, []byte(base64URLEncode(obj.aad))...) + output = append(output, []byte(base64.RawURLEncoding.EncodeToString(obj.aad))...) } return output } // ParseEncrypted parses an encrypted message in compact or full serialization format. -func ParseEncrypted(input string) (*JsonWebEncryption, error) { +func ParseEncrypted(input string) (*JSONWebEncryption, error) { input = stripWhitespace(input) if strings.HasPrefix(input, "{") { return parseEncryptedFull(input) @@ -111,8 +111,8 @@ func ParseEncrypted(input string) (*JsonWebEncryption, error) { } // parseEncryptedFull parses a message in compact format. -func parseEncryptedFull(input string) (*JsonWebEncryption, error) { - var parsed rawJsonWebEncryption +func parseEncryptedFull(input string) (*JSONWebEncryption, error) { + var parsed rawJSONWebEncryption err := json.Unmarshal([]byte(input), &parsed) if err != nil { return nil, err @@ -122,16 +122,22 @@ func parseEncryptedFull(input string) (*JsonWebEncryption, error) { } // sanitized produces a cleaned-up JWE object from the raw JSON. -func (parsed *rawJsonWebEncryption) sanitized() (*JsonWebEncryption, error) { - obj := &JsonWebEncryption{ +func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) { + obj := &JSONWebEncryption{ original: parsed, unprotected: parsed.Unprotected, } // Check that there is not a nonce in the unprotected headers - if (parsed.Unprotected != nil && parsed.Unprotected.Nonce != "") || - (parsed.Header != nil && parsed.Header.Nonce != "") { - return nil, ErrUnprotectedNonce + if parsed.Unprotected != nil { + if nonce := parsed.Unprotected.getNonce(); nonce != "" { + return nil, ErrUnprotectedNonce + } + } + if parsed.Header != nil { + if nonce := parsed.Header.getNonce(); nonce != "" { + return nil, ErrUnprotectedNonce + } } if parsed.Protected != nil && len(parsed.Protected.bytes()) > 0 { @@ -143,11 +149,16 @@ func (parsed *rawJsonWebEncryption) sanitized() (*JsonWebEncryption, error) { // Note: this must be called _after_ we parse the protected header, // otherwise fields from the protected header will not get picked up. - obj.Header = obj.mergedHeaders(nil).sanitized() + var err error + mergedHeaders := obj.mergedHeaders(nil) + obj.Header, err = mergedHeaders.sanitized() + if err != nil { + return nil, fmt.Errorf("square/go-jose: cannot sanitize merged headers: %v (%v)", err, mergedHeaders) + } if len(parsed.Recipients) == 0 { obj.recipients = []recipientInfo{ - recipientInfo{ + { header: parsed.Header, encryptedKey: parsed.EncryptedKey.bytes(), }, @@ -155,13 +166,13 @@ func (parsed *rawJsonWebEncryption) sanitized() (*JsonWebEncryption, error) { } else { obj.recipients = make([]recipientInfo, len(parsed.Recipients)) for r := range parsed.Recipients { - encryptedKey, err := base64URLDecode(parsed.Recipients[r].EncryptedKey) + encryptedKey, err := base64.RawURLEncoding.DecodeString(parsed.Recipients[r].EncryptedKey) if err != nil { return nil, err } // Check that there is not a nonce in the unprotected header - if parsed.Recipients[r].Header != nil && parsed.Recipients[r].Header.Nonce != "" { + if parsed.Recipients[r].Header != nil && parsed.Recipients[r].Header.getNonce() != "" { return nil, ErrUnprotectedNonce } @@ -172,7 +183,7 @@ func (parsed *rawJsonWebEncryption) sanitized() (*JsonWebEncryption, error) { for _, recipient := range obj.recipients { headers := obj.mergedHeaders(&recipient) - if headers.Alg == "" || headers.Enc == "" { + if headers.getAlgorithm() == "" || headers.getEncryption() == "" { return nil, fmt.Errorf("square/go-jose: message is missing alg/enc headers") } } @@ -186,38 +197,38 @@ func (parsed *rawJsonWebEncryption) sanitized() (*JsonWebEncryption, error) { } // parseEncryptedCompact parses a message in compact format. -func parseEncryptedCompact(input string) (*JsonWebEncryption, error) { +func parseEncryptedCompact(input string) (*JSONWebEncryption, error) { parts := strings.Split(input, ".") if len(parts) != 5 { return nil, fmt.Errorf("square/go-jose: compact JWE format must have five parts") } - rawProtected, err := base64URLDecode(parts[0]) + rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0]) if err != nil { return nil, err } - encryptedKey, err := base64URLDecode(parts[1]) + encryptedKey, err := base64.RawURLEncoding.DecodeString(parts[1]) if err != nil { return nil, err } - iv, err := base64URLDecode(parts[2]) + iv, err := base64.RawURLEncoding.DecodeString(parts[2]) if err != nil { return nil, err } - ciphertext, err := base64URLDecode(parts[3]) + ciphertext, err := base64.RawURLEncoding.DecodeString(parts[3]) if err != nil { return nil, err } - tag, err := base64URLDecode(parts[4]) + tag, err := base64.RawURLEncoding.DecodeString(parts[4]) if err != nil { return nil, err } - raw := &rawJsonWebEncryption{ + raw := &rawJSONWebEncryption{ Protected: newBuffer(rawProtected), EncryptedKey: newBuffer(encryptedKey), Iv: newBuffer(iv), @@ -229,7 +240,7 @@ func parseEncryptedCompact(input string) (*JsonWebEncryption, error) { } // CompactSerialize serializes an object using the compact serialization format. -func (obj JsonWebEncryption) CompactSerialize() (string, error) { +func (obj JSONWebEncryption) CompactSerialize() (string, error) { if len(obj.recipients) != 1 || obj.unprotected != nil || obj.protected == nil || obj.recipients[0].header != nil { return "", ErrNotSupported @@ -239,16 +250,16 @@ func (obj JsonWebEncryption) CompactSerialize() (string, error) { return fmt.Sprintf( "%s.%s.%s.%s.%s", - base64URLEncode(serializedProtected), - base64URLEncode(obj.recipients[0].encryptedKey), - base64URLEncode(obj.iv), - base64URLEncode(obj.ciphertext), - base64URLEncode(obj.tag)), nil + base64.RawURLEncoding.EncodeToString(serializedProtected), + base64.RawURLEncoding.EncodeToString(obj.recipients[0].encryptedKey), + base64.RawURLEncoding.EncodeToString(obj.iv), + base64.RawURLEncoding.EncodeToString(obj.ciphertext), + base64.RawURLEncoding.EncodeToString(obj.tag)), nil } // FullSerialize serializes an object using the full JSON serialization format. -func (obj JsonWebEncryption) FullSerialize() string { - raw := rawJsonWebEncryption{ +func (obj JSONWebEncryption) FullSerialize() string { + raw := rawJSONWebEncryption{ Unprotected: obj.unprotected, Iv: newBuffer(obj.iv), Ciphertext: newBuffer(obj.ciphertext), @@ -262,7 +273,7 @@ func (obj JsonWebEncryption) FullSerialize() string { for _, recipient := range obj.recipients { info := rawRecipientInfo{ Header: recipient.header, - EncryptedKey: base64URLEncode(recipient.encryptedKey), + EncryptedKey: base64.RawURLEncoding.EncodeToString(recipient.encryptedKey), } raw.Recipients = append(raw.Recipients, info) } diff --git a/vendor/gopkg.in/square/go-jose.v2/jwk-keygen/main.go b/vendor/gopkg.in/square/go-jose.v2/jwk-keygen/main.go new file mode 100644 index 000000000..d3fc4966f --- /dev/null +++ b/vendor/gopkg.in/square/go-jose.v2/jwk-keygen/main.go @@ -0,0 +1,200 @@ +/*- + * Copyright 2017 Square Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package main + +import ( + "crypto" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "crypto/rsa" + "encoding/base32" + "errors" + "fmt" + "golang.org/x/crypto/ed25519" + "io" + "os" + + "gopkg.in/alecthomas/kingpin.v2" + "gopkg.in/square/go-jose.v2" +) + +var ( + app = kingpin.New("jwk-keygen", "A command-line utility to generate public/pirvate keypairs in JWK format.") + + use = app.Flag("use", "Desrired key use").Required().Enum("enc", "sig") + alg = app.Flag("alg", "Generate key to be used for ALG").Required().Enum( + // `sig` + string(jose.ES256), string(jose.ES384), string(jose.ES512), string(jose.EdDSA), + string(jose.RS256), string(jose.RS384), string(jose.RS512), string(jose.PS256), string(jose.PS384), string(jose.PS512), + // `enc` + string(jose.RSA1_5), string(jose.RSA_OAEP), string(jose.RSA_OAEP_256), + string(jose.ECDH_ES), string(jose.ECDH_ES_A128KW), string(jose.ECDH_ES_A192KW), string(jose.ECDH_ES_A256KW), + ) + bits = app.Flag("bits", "Key size in bits").Int() + kid = app.Flag("kid", "Key ID").String() + kidRand = app.Flag("kid-rand", "Generate random Key ID").Bool() +) + +// KeygenSig generates keypair for corresponding SignatureAlgorithm. +func KeygenSig(alg jose.SignatureAlgorithm, bits int) (crypto.PublicKey, crypto.PrivateKey, error) { + switch alg { + case jose.ES256, jose.ES384, jose.ES512, jose.EdDSA: + keylen := map[jose.SignatureAlgorithm]int{ + jose.ES256: 256, + jose.ES384: 384, + jose.ES512: 521, // sic! + jose.EdDSA: 256, + } + if bits != 0 && bits != keylen[alg] { + return nil, nil, errors.New("this `alg` does not support arbitrary key length") + } + case jose.RS256, jose.RS384, jose.RS512, jose.PS256, jose.PS384, jose.PS512: + if bits == 0 { + bits = 2048 + } + if bits < 2048 { + return nil, nil, errors.New("too short key for RSA `alg`, 2048+ is required") + } + } + switch alg { + case jose.ES256: + // The cryptographic operations are implemented using constant-time algorithms. + key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + return key.Public(), key, err + case jose.ES384: + // NB: The cryptographic operations do not use constant-time algorithms. + key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) + return key.Public(), key, err + case jose.ES512: + // NB: The cryptographic operations do not use constant-time algorithms. + key, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader) + return key.Public(), key, err + case jose.EdDSA: + pub, key, err := ed25519.GenerateKey(rand.Reader) + return pub, key, err + case jose.RS256, jose.RS384, jose.RS512, jose.PS256, jose.PS384, jose.PS512: + key, err := rsa.GenerateKey(rand.Reader, bits) + return key.Public(), key, err + default: + return nil, nil, errors.New("unknown `alg` for `use` = `sig`") + } +} + +// KeygenEnc generates keypair for corresponding KeyAlgorithm. +func KeygenEnc(alg jose.KeyAlgorithm, bits int) (crypto.PublicKey, crypto.PrivateKey, error) { + switch alg { + case jose.RSA1_5, jose.RSA_OAEP, jose.RSA_OAEP_256: + if bits == 0 { + bits = 2048 + } + if bits < 2048 { + return nil, nil, errors.New("too short key for RSA `alg`, 2048+ is required") + } + key, err := rsa.GenerateKey(rand.Reader, bits) + return key.Public(), key, err + case jose.ECDH_ES, jose.ECDH_ES_A128KW, jose.ECDH_ES_A192KW, jose.ECDH_ES_A256KW: + var crv elliptic.Curve + switch bits { + case 0, 256: + crv = elliptic.P256() + case 384: + crv = elliptic.P384() + case 521: + crv = elliptic.P521() + default: + return nil, nil, errors.New("unknown elliptic curve bit length, use one of 256, 384, 521") + } + key, err := ecdsa.GenerateKey(crv, rand.Reader) + return key.Public(), key, err + default: + return nil, nil, errors.New("unknown `alg` for `use` = `enc`") + } +} + +func main() { + app.Version("v2") + kingpin.MustParse(app.Parse(os.Args[1:])) + + if *kidRand { + if *kid == "" { + b := make([]byte, 5) + _, err := rand.Read(b) + app.FatalIfError(err, "can't Read() crypto/rand") + *kid = base32.StdEncoding.EncodeToString(b) + } else { + app.FatalUsage("can't combine --kid and --kid-rand") + } + } + + var privKey crypto.PublicKey + var pubKey crypto.PrivateKey + var err error + switch *use { + case "sig": + pubKey, privKey, err = KeygenSig(jose.SignatureAlgorithm(*alg), *bits) + case "enc": + pubKey, privKey, err = KeygenEnc(jose.KeyAlgorithm(*alg), *bits) + } + app.FatalIfError(err, "unable to generate key") + + priv := jose.JSONWebKey{Key: privKey, KeyID: *kid, Algorithm: *alg, Use: *use} + pub := jose.JSONWebKey{Key: pubKey, KeyID: *kid, Algorithm: *alg, Use: *use} + + if priv.IsPublic() || !pub.IsPublic() || !priv.Valid() || !pub.Valid() { + app.Fatalf("invalid keys were generated") + } + + privJS, err := priv.MarshalJSON() + app.FatalIfError(err, "can't Marshal private key to JSON") + pubJS, err := pub.MarshalJSON() + app.FatalIfError(err, "can't Marshal public key to JSON") + + if *kid == "" { + fmt.Printf("==> jwk_%s.pub <==\n", *alg) + fmt.Println(string(pubJS)) + fmt.Printf("==> jwk_%s <==\n", *alg) + fmt.Println(string(privJS)) + } else { + // JWK Thumbprint (RFC7638) is not used for key id because of + // lack of canonical representation. + fname := fmt.Sprintf("jwk_%s_%s_%s", *use, *alg, *kid) + err = writeNewFile(fname+".pub", pubJS, 0444) + app.FatalIfError(err, "can't write public key to file %s.pub", fname) + fmt.Printf("Written public key to %s.pub\n", fname) + err = writeNewFile(fname, privJS, 0400) + app.FatalIfError(err, "cant' write private key to file %s", fname) + fmt.Printf("Written private key to %s\n", fname) + } +} + +// writeNewFile is shameless copy-paste from ioutil.WriteFile with a bit +// different flags for OpenFile. +func writeNewFile(filename string, data []byte, perm os.FileMode) error { + f, err := os.OpenFile(filename, os.O_WRONLY|os.O_CREATE|os.O_EXCL, perm) + if err != nil { + return err + } + n, err := f.Write(data) + if err == nil && n < len(data) { + err = io.ErrShortWrite + } + if err1 := f.Close(); err == nil { + err = err1 + } + return err +} diff --git a/vendor/gopkg.in/square/go-jose.v1/jwk.go b/vendor/gopkg.in/square/go-jose.v2/jwk.go index 505dd700e..d81bc4075 100644 --- a/vendor/gopkg.in/square/go-jose.v1/jwk.go +++ b/vendor/gopkg.in/square/go-jose.v2/jwk.go @@ -29,11 +29,13 @@ import ( "reflect" "strings" - "gopkg.in/square/go-jose.v1/json" + "golang.org/x/crypto/ed25519" + + "gopkg.in/square/go-jose.v2/json" ) -// rawJsonWebKey represents a public or private key in JWK format, used for parsing/serializing. -type rawJsonWebKey struct { +// rawJSONWebKey represents a public or private key in JWK format, used for parsing/serializing. +type rawJSONWebKey struct { Use string `json:"use,omitempty"` Kty string `json:"kty,omitempty"` Kid string `json:"kid,omitempty"` @@ -58,8 +60,8 @@ type rawJsonWebKey struct { X5c []string `json:"x5c,omitempty"` } -// JsonWebKey represents a public or private key in JWK format. -type JsonWebKey struct { +// JSONWebKey represents a public or private key in JWK format. +type JSONWebKey struct { Key interface{} Certificates []*x509.Certificate KeyID string @@ -68,15 +70,19 @@ type JsonWebKey struct { } // MarshalJSON serializes the given key to its JSON representation. -func (k JsonWebKey) MarshalJSON() ([]byte, error) { - var raw *rawJsonWebKey +func (k JSONWebKey) MarshalJSON() ([]byte, error) { + var raw *rawJSONWebKey var err error switch key := k.Key.(type) { + case ed25519.PublicKey: + raw = fromEdPublicKey(key) case *ecdsa.PublicKey: raw, err = fromEcPublicKey(key) case *rsa.PublicKey: raw = fromRsaPublicKey(key) + case ed25519.PrivateKey: + raw, err = fromEdPrivateKey(key) case *ecdsa.PrivateKey: raw, err = fromEcPrivateKey(key) case *rsa.PrivateKey: @@ -103,8 +109,8 @@ func (k JsonWebKey) MarshalJSON() ([]byte, error) { } // UnmarshalJSON reads a key from its JSON representation. -func (k *JsonWebKey) UnmarshalJSON(data []byte) (err error) { - var raw rawJsonWebKey +func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) { + var raw rawJSONWebKey err = json.Unmarshal(data, &raw) if err != nil { return err @@ -126,12 +132,22 @@ func (k *JsonWebKey) UnmarshalJSON(data []byte) (err error) { } case "oct": key, err = raw.symmetricKey() + case "OKP": + if raw.Crv == "Ed25519" && raw.X != nil { + if raw.D != nil { + key, err = raw.edPrivateKey() + } else { + key, err = raw.edPublicKey() + } + } else { + err = fmt.Errorf("square/go-jose: unknown curve %s'", raw.Crv) + } default: err = fmt.Errorf("square/go-jose: unknown json web key type '%s'", raw.Kty) } if err == nil { - *k = JsonWebKey{Key: key, KeyID: raw.Kid, Algorithm: raw.Alg, Use: raw.Use} + *k = JSONWebKey{Key: key, KeyID: raw.Kid, Algorithm: raw.Alg, Use: raw.Use} } k.Certificates = make([]*x509.Certificate, len(raw.X5c)) @@ -149,17 +165,17 @@ func (k *JsonWebKey) UnmarshalJSON(data []byte) (err error) { return } -// JsonWebKeySet represents a JWK Set object. -type JsonWebKeySet struct { - Keys []JsonWebKey `json:"keys"` +// JSONWebKeySet represents a JWK Set object. +type JSONWebKeySet struct { + Keys []JSONWebKey `json:"keys"` } // Key convenience method returns keys by key ID. Specification states // that a JWK Set "SHOULD" use distinct key IDs, but allows for some // cases where they are not distinct. Hence method returns a slice -// of JsonWebKeys. -func (s *JsonWebKeySet) Key(kid string) []JsonWebKey { - var keys []JsonWebKey +// of JSONWebKeys. +func (s *JSONWebKeySet) Key(kid string) []JSONWebKey { + var keys []JSONWebKey for _, key := range s.Keys { if key.KeyID == kid { keys = append(keys, key) @@ -171,6 +187,7 @@ func (s *JsonWebKeySet) Key(kid string) []JsonWebKey { const rsaThumbprintTemplate = `{"e":"%s","kty":"RSA","n":"%s"}` const ecThumbprintTemplate = `{"crv":"%s","kty":"EC","x":"%s","y":"%s"}` +const edThumbprintTemplate = `{"crv":"%s","kty":"OKP",x":"%s"}` func ecThumbprintInput(curve elliptic.Curve, x, y *big.Int) (string, error) { coordLength := curveSize(curve) @@ -190,12 +207,20 @@ func rsaThumbprintInput(n *big.Int, e int) (string, error) { newBuffer(n.Bytes()).base64()), nil } +func edThumbprintInput(ed ed25519.PublicKey) (string, error) { + crv := "Ed25519" + return fmt.Sprintf(edThumbprintTemplate, crv, + newFixedSizeBuffer(ed, 32).base64()), nil +} + // Thumbprint computes the JWK Thumbprint of a key using the // indicated hash algorithm. -func (k *JsonWebKey) Thumbprint(hash crypto.Hash) ([]byte, error) { +func (k *JSONWebKey) Thumbprint(hash crypto.Hash) ([]byte, error) { var input string var err error switch key := k.Key.(type) { + case ed25519.PublicKey: + input, err = edThumbprintInput(key) case *ecdsa.PublicKey: input, err = ecThumbprintInput(key.Curve, key.X, key.Y) case *ecdsa.PrivateKey: @@ -204,6 +229,8 @@ func (k *JsonWebKey) Thumbprint(hash crypto.Hash) ([]byte, error) { input, err = rsaThumbprintInput(key.N, key.E) case *rsa.PrivateKey: input, err = rsaThumbprintInput(key.N, key.E) + case ed25519.PrivateKey: + input, err = edThumbprintInput(ed25519.PublicKey(key[0:32])) default: return nil, fmt.Errorf("square/go-jose: unknown key type '%s'", reflect.TypeOf(key)) } @@ -218,17 +245,36 @@ func (k *JsonWebKey) Thumbprint(hash crypto.Hash) ([]byte, error) { } // IsPublic returns true if the JWK represents a public key (not symmetric, not private). -func (k *JsonWebKey) IsPublic() bool { +func (k *JSONWebKey) IsPublic() bool { switch k.Key.(type) { - case *ecdsa.PublicKey, *rsa.PublicKey: + case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey: return true default: return false } } +// Public creates JSONWebKey with corresponding publik key if JWK represents asymmetric private key. +func (k *JSONWebKey) Public() JSONWebKey { + if k.IsPublic() { + return *k + } + ret := *k + switch key := k.Key.(type) { + case *ecdsa.PrivateKey: + ret.Key = key.Public() + case *rsa.PrivateKey: + ret.Key = key.Public() + case ed25519.PrivateKey: + ret.Key = key.Public() + default: + return JSONWebKey{} // returning invalid key + } + return ret +} + // Valid checks that the key contains the expected parameters. -func (k *JsonWebKey) Valid() bool { +func (k *JSONWebKey) Valid() bool { if k.Key == nil { return false } @@ -249,13 +295,21 @@ func (k *JsonWebKey) Valid() bool { if key.N == nil || key.E == 0 || key.D == nil || len(key.Primes) < 2 { return false } + case ed25519.PublicKey: + if len(key) != 32 { + return false + } + case ed25519.PrivateKey: + if len(key) != 64 { + return false + } default: return false } return true } -func (key rawJsonWebKey) rsaPublicKey() (*rsa.PublicKey, error) { +func (key rawJSONWebKey) rsaPublicKey() (*rsa.PublicKey, error) { if key.N == nil || key.E == nil { return nil, fmt.Errorf("square/go-jose: invalid RSA key, missing n/e values") } @@ -266,15 +320,23 @@ func (key rawJsonWebKey) rsaPublicKey() (*rsa.PublicKey, error) { }, nil } -func fromRsaPublicKey(pub *rsa.PublicKey) *rawJsonWebKey { - return &rawJsonWebKey{ +func fromEdPublicKey(pub ed25519.PublicKey) *rawJSONWebKey { + return &rawJSONWebKey{ + Kty: "OKP", + Crv: "Ed25519", + X: newBuffer(pub), + } +} + +func fromRsaPublicKey(pub *rsa.PublicKey) *rawJSONWebKey { + return &rawJSONWebKey{ Kty: "RSA", N: newBuffer(pub.N.Bytes()), E: newBufferFromInt(uint64(pub.E)), } } -func (key rawJsonWebKey) ecPublicKey() (*ecdsa.PublicKey, error) { +func (key rawJSONWebKey) ecPublicKey() (*ecdsa.PublicKey, error) { var curve elliptic.Curve switch key.Crv { case "P-256": @@ -305,7 +367,7 @@ func (key rawJsonWebKey) ecPublicKey() (*ecdsa.PublicKey, error) { }, nil } -func fromEcPublicKey(pub *ecdsa.PublicKey) (*rawJsonWebKey, error) { +func fromEcPublicKey(pub *ecdsa.PublicKey) (*rawJSONWebKey, error) { if pub == nil || pub.X == nil || pub.Y == nil { return nil, fmt.Errorf("square/go-jose: invalid EC key (nil, or X/Y missing)") } @@ -324,7 +386,7 @@ func fromEcPublicKey(pub *ecdsa.PublicKey) (*rawJsonWebKey, error) { return nil, fmt.Errorf("square/go-jose: invalid EC key (X/Y too large)") } - key := &rawJsonWebKey{ + key := &rawJSONWebKey{ Kty: "EC", Crv: name, X: newFixedSizeBuffer(xBytes, size), @@ -334,7 +396,37 @@ func fromEcPublicKey(pub *ecdsa.PublicKey) (*rawJsonWebKey, error) { return key, nil } -func (key rawJsonWebKey) rsaPrivateKey() (*rsa.PrivateKey, error) { +func (key rawJSONWebKey) edPrivateKey() (ed25519.PrivateKey, error) { + var missing []string + switch { + case key.D == nil: + missing = append(missing, "D") + case key.X == nil: + missing = append(missing, "X") + } + + if len(missing) > 0 { + return nil, fmt.Errorf("square/go-jose: invalid Ed25519 private key, missing %s value(s)", strings.Join(missing, ", ")) + } + + privateKey := make([]byte, ed25519.PrivateKeySize) + copy(privateKey[0:32], key.X.bytes()) + copy(privateKey[32:], key.D.bytes()) + rv := ed25519.PrivateKey(privateKey) + return rv, nil +} + +func (key rawJSONWebKey) edPublicKey() (ed25519.PublicKey, error) { + if key.X == nil { + return nil, fmt.Errorf("square/go-jose: invalid Ed key, missing x value") + } + publicKey := make([]byte, ed25519.PublicKeySize) + copy(publicKey[0:32], key.X.bytes()) + rv := ed25519.PublicKey(publicKey) + return rv, nil +} + +func (key rawJSONWebKey) rsaPrivateKey() (*rsa.PrivateKey, error) { var missing []string switch { case key.N == nil: @@ -379,7 +471,14 @@ func (key rawJsonWebKey) rsaPrivateKey() (*rsa.PrivateKey, error) { return rv, err } -func fromRsaPrivateKey(rsa *rsa.PrivateKey) (*rawJsonWebKey, error) { +func fromEdPrivateKey(ed ed25519.PrivateKey) (*rawJSONWebKey, error) { + raw := fromEdPublicKey(ed25519.PublicKey(ed[0:32])) + + raw.D = newBuffer(ed[32:]) + return raw, nil +} + +func fromRsaPrivateKey(rsa *rsa.PrivateKey) (*rawJSONWebKey, error) { if len(rsa.Primes) != 2 { return nil, ErrUnsupportedKeyType } @@ -393,7 +492,7 @@ func fromRsaPrivateKey(rsa *rsa.PrivateKey) (*rawJsonWebKey, error) { return raw, nil } -func (key rawJsonWebKey) ecPrivateKey() (*ecdsa.PrivateKey, error) { +func (key rawJSONWebKey) ecPrivateKey() (*ecdsa.PrivateKey, error) { var curve elliptic.Curve switch key.Crv { case "P-256": @@ -427,7 +526,7 @@ func (key rawJsonWebKey) ecPrivateKey() (*ecdsa.PrivateKey, error) { }, nil } -func fromEcPrivateKey(ec *ecdsa.PrivateKey) (*rawJsonWebKey, error) { +func fromEcPrivateKey(ec *ecdsa.PrivateKey) (*rawJSONWebKey, error) { raw, err := fromEcPublicKey(&ec.PublicKey) if err != nil { return nil, err @@ -442,14 +541,14 @@ func fromEcPrivateKey(ec *ecdsa.PrivateKey) (*rawJsonWebKey, error) { return raw, nil } -func fromSymmetricKey(key []byte) (*rawJsonWebKey, error) { - return &rawJsonWebKey{ +func fromSymmetricKey(key []byte) (*rawJSONWebKey, error) { + return &rawJSONWebKey{ Kty: "oct", K: newBuffer(key), }, nil } -func (key rawJsonWebKey) symmetricKey() ([]byte, error) { +func (key rawJSONWebKey) symmetricKey() ([]byte, error) { if key.K == nil { return nil, fmt.Errorf("square/go-jose: invalid OCT (symmetric) key, missing k value") } diff --git a/vendor/gopkg.in/square/go-jose.v1/jws.go b/vendor/gopkg.in/square/go-jose.v2/jws.go index 04a2a1530..d7d3d6007 100644 --- a/vendor/gopkg.in/square/go-jose.v1/jws.go +++ b/vendor/gopkg.in/square/go-jose.v2/jws.go @@ -17,15 +17,16 @@ package jose import ( + "encoding/base64" "errors" "fmt" "strings" - "gopkg.in/square/go-jose.v1/json" + "gopkg.in/square/go-jose.v2/json" ) -// rawJsonWebSignature represents a raw JWS JSON object. Used for parsing/serializing. -type rawJsonWebSignature struct { +// rawJSONWebSignature represents a raw JWS JSON object. Used for parsing/serializing. +type rawJSONWebSignature struct { Payload *byteBuffer `json:"payload,omitempty"` Signatures []rawSignatureInfo `json:"signatures,omitempty"` Protected *byteBuffer `json:"protected,omitempty"` @@ -40,8 +41,8 @@ type rawSignatureInfo struct { Signature *byteBuffer `json:"signature,omitempty"` } -// JsonWebSignature represents a signed JWS object after parsing. -type JsonWebSignature struct { +// JSONWebSignature represents a signed JWS object after parsing. +type JSONWebSignature struct { payload []byte // Signatures attached to this object (may be more than one for multi-sig). // Be careful about accessing these directly, prefer to use Verify() or @@ -51,8 +52,19 @@ type JsonWebSignature struct { // Signature represents a single signature over the JWS payload and protected header. type Signature struct { - // Header fields, such as the signature algorithm - Header JoseHeader + // Merged header fields. Contains both protected and unprotected header + // values. Prefer using Protected and Unprotected fields instead of this. + // Values in this header may or may not have been signed and in general + // should not be trusted. + Header Header + + // Protected header. Values in this header were signed and + // will be verified as part of the signature verification process. + Protected Header + + // Unprotected header. Values in this header were not signed + // and in general should not be trusted. + Unprotected Header // The actual signature value Signature []byte @@ -63,7 +75,7 @@ type Signature struct { } // ParseSigned parses a signed message in compact or full serialization format. -func ParseSigned(input string) (*JsonWebSignature, error) { +func ParseSigned(input string) (*JSONWebSignature, error) { input = stripWhitespace(input) if strings.HasPrefix(input, "{") { return parseSignedFull(input) @@ -81,25 +93,25 @@ func (sig Signature) mergedHeaders() rawHeader { } // Compute data to be signed -func (obj JsonWebSignature) computeAuthData(signature *Signature) []byte { +func (obj JSONWebSignature) computeAuthData(signature *Signature) []byte { var serializedProtected string if signature.original != nil && signature.original.Protected != nil { serializedProtected = signature.original.Protected.base64() } else if signature.protected != nil { - serializedProtected = base64URLEncode(mustSerializeJSON(signature.protected)) + serializedProtected = base64.RawURLEncoding.EncodeToString(mustSerializeJSON(signature.protected)) } else { serializedProtected = "" } return []byte(fmt.Sprintf("%s.%s", serializedProtected, - base64URLEncode(obj.payload))) + base64.RawURLEncoding.EncodeToString(obj.payload))) } // parseSignedFull parses a message in full format. -func parseSignedFull(input string) (*JsonWebSignature, error) { - var parsed rawJsonWebSignature +func parseSignedFull(input string) (*JSONWebSignature, error) { + var parsed rawJSONWebSignature err := json.Unmarshal([]byte(input), &parsed) if err != nil { return nil, err @@ -109,12 +121,12 @@ func parseSignedFull(input string) (*JsonWebSignature, error) { } // sanitized produces a cleaned-up JWS object from the raw JSON. -func (parsed *rawJsonWebSignature) sanitized() (*JsonWebSignature, error) { +func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) { if parsed.Payload == nil { return nil, fmt.Errorf("square/go-jose: missing payload in JWS message") } - obj := &JsonWebSignature{ + obj := &JSONWebSignature{ payload: parsed.Payload.bytes(), Signatures: make([]Signature, len(parsed.Signatures)), } @@ -131,7 +143,7 @@ func (parsed *rawJsonWebSignature) sanitized() (*JsonWebSignature, error) { } // Check that there is not a nonce in the unprotected header - if parsed.Header != nil && parsed.Header.Nonce != "" { + if parsed.Header != nil && parsed.Header.getNonce() != "" { return nil, ErrUnprotectedNonce } @@ -152,10 +164,28 @@ func (parsed *rawJsonWebSignature) sanitized() (*JsonWebSignature, error) { Signature: parsed.Signature, } - signature.Header = signature.mergedHeaders().sanitized() + var err error + signature.Header, err = signature.mergedHeaders().sanitized() + if err != nil { + return nil, err + } + + if signature.header != nil { + signature.Unprotected, err = signature.header.sanitized() + if err != nil { + return nil, err + } + } + + if signature.protected != nil { + signature.Protected, err = signature.protected.sanitized() + if err != nil { + return nil, err + } + } // As per RFC 7515 Section 4.1.3, only public keys are allowed to be embedded. - jwk := signature.Header.JsonWebKey + jwk := signature.Header.JSONWebKey if jwk != nil && (!jwk.Valid() || !jwk.IsPublic()) { return nil, errors.New("square/go-jose: invalid embedded jwk, must be public key") } @@ -173,15 +203,34 @@ func (parsed *rawJsonWebSignature) sanitized() (*JsonWebSignature, error) { } // Check that there is not a nonce in the unprotected header - if sig.Header != nil && sig.Header.Nonce != "" { + if sig.Header != nil && sig.Header.getNonce() != "" { return nil, ErrUnprotectedNonce } - obj.Signatures[i].Header = obj.Signatures[i].mergedHeaders().sanitized() + var err error + obj.Signatures[i].Header, err = obj.Signatures[i].mergedHeaders().sanitized() + if err != nil { + return nil, err + } + + if obj.Signatures[i].header != nil { + obj.Signatures[i].Unprotected, err = obj.Signatures[i].header.sanitized() + if err != nil { + return nil, err + } + } + + if obj.Signatures[i].protected != nil { + obj.Signatures[i].Protected, err = obj.Signatures[i].protected.sanitized() + if err != nil { + return nil, err + } + } + obj.Signatures[i].Signature = sig.Signature.bytes() // As per RFC 7515 Section 4.1.3, only public keys are allowed to be embedded. - jwk := obj.Signatures[i].Header.JsonWebKey + jwk := obj.Signatures[i].Header.JSONWebKey if jwk != nil && (!jwk.Valid() || !jwk.IsPublic()) { return nil, errors.New("square/go-jose: invalid embedded jwk, must be public key") } @@ -197,28 +246,28 @@ func (parsed *rawJsonWebSignature) sanitized() (*JsonWebSignature, error) { } // parseSignedCompact parses a message in compact format. -func parseSignedCompact(input string) (*JsonWebSignature, error) { +func parseSignedCompact(input string) (*JSONWebSignature, error) { parts := strings.Split(input, ".") if len(parts) != 3 { return nil, fmt.Errorf("square/go-jose: compact JWS format must have three parts") } - rawProtected, err := base64URLDecode(parts[0]) + rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0]) if err != nil { return nil, err } - payload, err := base64URLDecode(parts[1]) + payload, err := base64.RawURLEncoding.DecodeString(parts[1]) if err != nil { return nil, err } - signature, err := base64URLDecode(parts[2]) + signature, err := base64.RawURLEncoding.DecodeString(parts[2]) if err != nil { return nil, err } - raw := &rawJsonWebSignature{ + raw := &rawJSONWebSignature{ Payload: newBuffer(payload), Protected: newBuffer(rawProtected), Signature: newBuffer(signature), @@ -227,7 +276,7 @@ func parseSignedCompact(input string) (*JsonWebSignature, error) { } // CompactSerialize serializes an object using the compact serialization format. -func (obj JsonWebSignature) CompactSerialize() (string, error) { +func (obj JSONWebSignature) CompactSerialize() (string, error) { if len(obj.Signatures) != 1 || obj.Signatures[0].header != nil || obj.Signatures[0].protected == nil { return "", ErrNotSupported } @@ -236,14 +285,14 @@ func (obj JsonWebSignature) CompactSerialize() (string, error) { return fmt.Sprintf( "%s.%s.%s", - base64URLEncode(serializedProtected), - base64URLEncode(obj.payload), - base64URLEncode(obj.Signatures[0].Signature)), nil + base64.RawURLEncoding.EncodeToString(serializedProtected), + base64.RawURLEncoding.EncodeToString(obj.payload), + base64.RawURLEncoding.EncodeToString(obj.Signatures[0].Signature)), nil } // FullSerialize serializes an object using the full JSON serialization format. -func (obj JsonWebSignature) FullSerialize() string { - raw := rawJsonWebSignature{ +func (obj JSONWebSignature) FullSerialize() string { + raw := rawJSONWebSignature{ Payload: newBuffer(obj.payload), } diff --git a/vendor/gopkg.in/square/go-jose.v2/jwt/builder.go b/vendor/gopkg.in/square/go-jose.v2/jwt/builder.go new file mode 100644 index 000000000..686ec80a4 --- /dev/null +++ b/vendor/gopkg.in/square/go-jose.v2/jwt/builder.go @@ -0,0 +1,334 @@ +/*- + * Copyright 2016 Zbigniew Mandziejewicz + * Copyright 2016 Square, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package jwt + +import ( + "bytes" + "reflect" + + "gopkg.in/square/go-jose.v2/json" + + "gopkg.in/square/go-jose.v2" +) + +// Builder is a utility for making JSON Web Tokens. Calls can be chained, and +// errors are accumulated until the final call to CompactSerialize/FullSerialize. +type Builder interface { + // Claims encodes claims into JWE/JWS form. Multiple calls will merge claims + // into single JSON object. If you are passing private claims, make sure to set + // struct field tags to specify the name for the JSON key to be used when + // serializing. + Claims(i interface{}) Builder + // Token builds a JSONWebToken from provided data. + Token() (*JSONWebToken, error) + // FullSerialize serializes a token using the full serialization format. + FullSerialize() (string, error) + // CompactSerialize serializes a token using the compact serialization format. + CompactSerialize() (string, error) +} + +// NestedBuilder is a utility for making Signed-Then-Encrypted JSON Web Tokens. +// Calls can be chained, and errors are accumulated until final call to +// CompactSerialize/FullSerialize. +type NestedBuilder interface { + // Claims encodes claims into JWE/JWS form. Multiple calls will merge claims + // into single JSON object. If you are passing private claims, make sure to set + // struct field tags to specify the name for the JSON key to be used when + // serializing. + Claims(i interface{}) NestedBuilder + // Token builds a NestedJSONWebToken from provided data. + Token() (*NestedJSONWebToken, error) + // FullSerialize serializes a token using the full serialization format. + FullSerialize() (string, error) + // CompactSerialize serializes a token using the compact serialization format. + CompactSerialize() (string, error) +} + +type builder struct { + payload map[string]interface{} + err error +} + +type signedBuilder struct { + builder + sig jose.Signer +} + +type encryptedBuilder struct { + builder + enc jose.Encrypter +} + +type nestedBuilder struct { + builder + sig jose.Signer + enc jose.Encrypter +} + +// Signed creates builder for signed tokens. +func Signed(sig jose.Signer) Builder { + return &signedBuilder{ + sig: sig, + } +} + +// Encrypted creates builder for encrypted tokens. +func Encrypted(enc jose.Encrypter) Builder { + return &encryptedBuilder{ + enc: enc, + } +} + +// SignedAndEncrypted creates builder for signed-then-encrypted tokens. +// ErrInvalidContentType will be returned if encrypter doesn't have JWT content type. +func SignedAndEncrypted(sig jose.Signer, enc jose.Encrypter) NestedBuilder { + if contentType, _ := enc.Options().ExtraHeaders[jose.HeaderContentType].(jose.ContentType); contentType != "JWT" { + return &nestedBuilder{ + builder: builder{ + err: ErrInvalidContentType, + }, + } + } + return &nestedBuilder{ + sig: sig, + enc: enc, + } +} + +func (b builder) claims(i interface{}) builder { + if b.err != nil { + return b + } + + m, ok := i.(map[string]interface{}) + switch { + case ok: + return b.merge(m) + case reflect.Indirect(reflect.ValueOf(i)).Kind() == reflect.Struct: + m, err := normalize(i) + if err != nil { + return builder{ + err: err, + } + } + return b.merge(m) + default: + return builder{ + err: ErrInvalidClaims, + } + } +} + +func normalize(i interface{}) (map[string]interface{}, error) { + m := make(map[string]interface{}) + + raw, err := json.Marshal(i) + if err != nil { + return nil, err + } + + d := json.NewDecoder(bytes.NewReader(raw)) + d.UseNumber() + + if err := d.Decode(&m); err != nil { + return nil, err + } + + return m, nil +} + +func (b *builder) merge(m map[string]interface{}) builder { + p := make(map[string]interface{}) + for k, v := range b.payload { + p[k] = v + } + for k, v := range m { + p[k] = v + } + + return builder{ + payload: p, + } +} + +func (b *builder) token(p func(interface{}) ([]byte, error), h []jose.Header) (*JSONWebToken, error) { + return &JSONWebToken{ + payload: p, + Headers: h, + }, nil +} + +func (b *signedBuilder) Claims(i interface{}) Builder { + return &signedBuilder{ + builder: b.builder.claims(i), + sig: b.sig, + } +} + +func (b *signedBuilder) Token() (*JSONWebToken, error) { + sig, err := b.sign() + if err != nil { + return nil, err + } + + h := make([]jose.Header, len(sig.Signatures)) + for i, v := range sig.Signatures { + h[i] = v.Header + } + + return b.builder.token(sig.Verify, h) +} + +func (b *signedBuilder) CompactSerialize() (string, error) { + sig, err := b.sign() + if err != nil { + return "", err + } + + return sig.CompactSerialize() +} + +func (b *signedBuilder) FullSerialize() (string, error) { + sig, err := b.sign() + if err != nil { + return "", err + } + + return sig.FullSerialize(), nil +} + +func (b *signedBuilder) sign() (*jose.JSONWebSignature, error) { + if b.err != nil { + return nil, b.err + } + + p, err := json.Marshal(b.payload) + if err != nil { + return nil, err + } + + return b.sig.Sign(p) +} + +func (b *encryptedBuilder) Claims(i interface{}) Builder { + return &encryptedBuilder{ + builder: b.builder.claims(i), + enc: b.enc, + } +} + +func (b *encryptedBuilder) CompactSerialize() (string, error) { + enc, err := b.encrypt() + if err != nil { + return "", err + } + + return enc.CompactSerialize() +} + +func (b *encryptedBuilder) FullSerialize() (string, error) { + enc, err := b.encrypt() + if err != nil { + return "", err + } + + return enc.FullSerialize(), nil +} + +func (b *encryptedBuilder) Token() (*JSONWebToken, error) { + enc, err := b.encrypt() + if err != nil { + return nil, err + } + + return b.builder.token(enc.Decrypt, []jose.Header{enc.Header}) +} + +func (b *encryptedBuilder) encrypt() (*jose.JSONWebEncryption, error) { + if b.err != nil { + return nil, b.err + } + + p, err := json.Marshal(b.payload) + if err != nil { + return nil, err + } + + return b.enc.Encrypt(p) +} + +func (b *nestedBuilder) Claims(i interface{}) NestedBuilder { + return &nestedBuilder{ + builder: b.builder.claims(i), + sig: b.sig, + enc: b.enc, + } +} + +func (b *nestedBuilder) Token() (*NestedJSONWebToken, error) { + enc, err := b.signAndEncrypt() + if err != nil { + return nil, err + } + + return &NestedJSONWebToken{ + enc: enc, + Headers: []jose.Header{enc.Header}, + }, nil +} + +func (b *nestedBuilder) CompactSerialize() (string, error) { + enc, err := b.signAndEncrypt() + if err != nil { + return "", err + } + + return enc.CompactSerialize() +} + +func (b *nestedBuilder) FullSerialize() (string, error) { + enc, err := b.signAndEncrypt() + if err != nil { + return "", err + } + + return enc.FullSerialize(), nil +} + +func (b *nestedBuilder) signAndEncrypt() (*jose.JSONWebEncryption, error) { + if b.err != nil { + return nil, b.err + } + + p, err := json.Marshal(b.payload) + if err != nil { + return nil, err + } + + sig, err := b.sig.Sign(p) + if err != nil { + return nil, err + } + + p2, err := sig.CompactSerialize() + if err != nil { + return nil, err + } + + return b.enc.Encrypt([]byte(p2)) +} diff --git a/vendor/gopkg.in/square/go-jose.v2/jwt/claims.go b/vendor/gopkg.in/square/go-jose.v2/jwt/claims.go new file mode 100644 index 000000000..60de94002 --- /dev/null +++ b/vendor/gopkg.in/square/go-jose.v2/jwt/claims.go @@ -0,0 +1,115 @@ +/*- + * Copyright 2016 Zbigniew Mandziejewicz + * Copyright 2016 Square, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package jwt + +import ( + "encoding/json" + "strconv" + "time" +) + +// Claims represents public claim values (as specified in RFC 7519). +type Claims struct { + Issuer string `json:"iss,omitempty"` + Subject string `json:"sub,omitempty"` + Audience Audience `json:"aud,omitempty"` + Expiry NumericDate `json:"exp,omitempty"` + NotBefore NumericDate `json:"nbf,omitempty"` + IssuedAt NumericDate `json:"iat,omitempty"` + ID string `json:"jti,omitempty"` +} + +// NumericDate represents date and time as the number of seconds since the +// epoch, including leap seconds. Non-integer values can be represented +// in the serialized format, but we round to the nearest second. +type NumericDate int64 + +// NewNumericDate constructs NumericDate from time.Time value. +func NewNumericDate(t time.Time) NumericDate { + if t.IsZero() { + return NumericDate(0) + } + + // While RFC 7519 technically states that NumericDate values may be + // non-integer values, we don't bother serializing timestamps in + // claims with sub-second accurancy and just round to the nearest + // second instead. Not convined sub-second accuracy is useful here. + return NumericDate(t.Unix()) +} + +// MarshalJSON serializes the given NumericDate into its JSON representation. +func (n NumericDate) MarshalJSON() ([]byte, error) { + return []byte(strconv.FormatInt(int64(n), 10)), nil +} + +// UnmarshalJSON reads a date from its JSON representation. +func (n *NumericDate) UnmarshalJSON(b []byte) error { + s := string(b) + + f, err := strconv.ParseFloat(s, 64) + if err != nil { + return ErrUnmarshalNumericDate + } + + *n = NumericDate(f) + return nil +} + +// Time returns time.Time representation of NumericDate. +func (n NumericDate) Time() time.Time { + return time.Unix(int64(n), 0) +} + +// Audience represents the recipents that the token is intended for. +type Audience []string + +// UnmarshalJSON reads an audience from its JSON representation. +func (s *Audience) UnmarshalJSON(b []byte) error { + var v interface{} + if err := json.Unmarshal(b, &v); err != nil { + return err + } + + switch v := v.(type) { + case string: + *s = []string{v} + case []interface{}: + a := make([]string, len(v)) + for i, e := range v { + s, ok := e.(string) + if !ok { + return ErrUnmarshalAudience + } + a[i] = s + } + *s = a + default: + return ErrUnmarshalAudience + } + + return nil +} + +func (s Audience) Contains(v string) bool { + for _, a := range s { + if a == v { + return true + } + } + return false +} diff --git a/vendor/gopkg.in/square/go-jose.v2/jwt/doc.go b/vendor/gopkg.in/square/go-jose.v2/jwt/doc.go new file mode 100644 index 000000000..4cf97b54e --- /dev/null +++ b/vendor/gopkg.in/square/go-jose.v2/jwt/doc.go @@ -0,0 +1,22 @@ +/*- + * Copyright 2017 Square Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* + +Package jwt provides an implementation of the JSON Web Token standard. + +*/ +package jwt diff --git a/vendor/gopkg.in/square/go-jose.v2/jwt/errors.go b/vendor/gopkg.in/square/go-jose.v2/jwt/errors.go new file mode 100644 index 000000000..6507dfb28 --- /dev/null +++ b/vendor/gopkg.in/square/go-jose.v2/jwt/errors.go @@ -0,0 +1,50 @@ +/*- + * Copyright 2016 Zbigniew Mandziejewicz + * Copyright 2016 Square, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package jwt + +import "errors" + +// ErrUnmarshalAudience indicates that aud claim could not be unmarshalled. +var ErrUnmarshalAudience = errors.New("square/go-jose/jwt: expected string or array value to unmarshal to Audience") + +// ErrUnmarshalNumericDate indicates that JWT NumericDate could not be unmarshalled. +var ErrUnmarshalNumericDate = errors.New("square/go-jose/jwt: expected number value to unmarshal NumericDate") + +// ErrInvalidClaims indicates that given claims have invalid type. +var ErrInvalidClaims = errors.New("square/go-jose/jwt: expected claims to be value convertible into JSON object") + +// ErrInvalidIssuer indicates invalid iss claim. +var ErrInvalidIssuer = errors.New("square/go-jose/jwt: validation failed, invalid issuer claim (iss)") + +// ErrInvalidSubject indicates invalid sub claim. +var ErrInvalidSubject = errors.New("square/go-jose/jwt: validation failed, invalid subject claim (sub)") + +// ErrInvalidAudience indicated invalid aud claim. +var ErrInvalidAudience = errors.New("square/go-jose/jwt: validation failed, invalid audience claim (aud)") + +// ErrInvalidID indicates invalid jti claim. +var ErrInvalidID = errors.New("square/go-jose/jwt: validation failed, invalid ID claim (jti)") + +// ErrNotValidYet indicates that token is used before time indicated in nbf claim. +var ErrNotValidYet = errors.New("square/go-jose/jwt: validation failed, token not valid yet (nbf)") + +// ErrExpired indicates that token is used after expiry time indicated in exp claim. +var ErrExpired = errors.New("square/go-jose/jwt: validation failed, token is expired (exp)") + +// ErrInvalidContentType indicated that token requires JWT cty header. +var ErrInvalidContentType = errors.New("square/go-jose/jwt: expected content type to be JWT (cty header)") diff --git a/vendor/gopkg.in/square/go-jose.v2/jwt/jwt.go b/vendor/gopkg.in/square/go-jose.v2/jwt/jwt.go new file mode 100644 index 000000000..2155b2d27 --- /dev/null +++ b/vendor/gopkg.in/square/go-jose.v2/jwt/jwt.go @@ -0,0 +1,113 @@ +/*- + * Copyright 2016 Zbigniew Mandziejewicz + * Copyright 2016 Square, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package jwt + +import ( + "gopkg.in/square/go-jose.v2" + "gopkg.in/square/go-jose.v2/json" + "strings" +) + +// JSONWebToken represents a JSON Web Token (as specified in RFC7519). +type JSONWebToken struct { + payload func(k interface{}) ([]byte, error) + Headers []jose.Header +} + +type NestedJSONWebToken struct { + enc *jose.JSONWebEncryption + Headers []jose.Header +} + +// Claims deserializes a JSONWebToken into dest using the provided key. +func (t *JSONWebToken) Claims(key interface{}, dest ...interface{}) error { + b, err := t.payload(key) + if err != nil { + return err + } + + for _, d := range dest { + if err := json.Unmarshal(b, d); err != nil { + return err + } + } + + return nil +} + +func (t *NestedJSONWebToken) Decrypt(decryptionKey interface{}) (*JSONWebToken, error) { + b, err := t.enc.Decrypt(decryptionKey) + if err != nil { + return nil, err + } + + sig, err := ParseSigned(string(b)) + if err != nil { + return nil, err + } + + return sig, nil +} + +// ParseSigned parses token from JWS form. +func ParseSigned(s string) (*JSONWebToken, error) { + sig, err := jose.ParseSigned(s) + if err != nil { + return nil, err + } + headers := make([]jose.Header, len(sig.Signatures)) + for i, signature := range sig.Signatures { + headers[i] = signature.Header + } + + return &JSONWebToken{ + payload: sig.Verify, + Headers: headers, + }, nil +} + +// ParseEncrypted parses token from JWE form. +func ParseEncrypted(s string) (*JSONWebToken, error) { + enc, err := jose.ParseEncrypted(s) + if err != nil { + return nil, err + } + + return &JSONWebToken{ + payload: enc.Decrypt, + Headers: []jose.Header{enc.Header}, + }, nil +} + +// ParseSignedAndEncrypted parses signed-then-encrypted token from JWE form. +func ParseSignedAndEncrypted(s string) (*NestedJSONWebToken, error) { + enc, err := jose.ParseEncrypted(s) + if err != nil { + return nil, err + } + + contentType, _ := enc.Header.ExtraHeaders[jose.HeaderContentType].(string) + if strings.ToUpper(contentType) != "JWT" { + return nil, ErrInvalidContentType + } + + return &NestedJSONWebToken{ + enc: enc, + Headers: []jose.Header{enc.Header}, + }, nil +} diff --git a/vendor/gopkg.in/square/go-jose.v2/jwt/validation.go b/vendor/gopkg.in/square/go-jose.v2/jwt/validation.go new file mode 100644 index 000000000..fdcee371b --- /dev/null +++ b/vendor/gopkg.in/square/go-jose.v2/jwt/validation.go @@ -0,0 +1,89 @@ +/*- + * Copyright 2016 Zbigniew Mandziejewicz + * Copyright 2016 Square, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package jwt + +import "time" + +const ( + // DefaultLeeway defines the default leeway for matching NotBefore/Expiry claims. + DefaultLeeway = 1.0 * time.Minute +) + +// Expected defines values used for protected claims validation. +// If field has zero value then validation is skipped. +type Expected struct { + // Issuer matches the "iss" claim exactly. + Issuer string + // Subject matches the "sub" claim exactly. + Subject string + // Audience matches the values in "aud" claim, regardless of their order. + Audience Audience + // ID matches the "jti" claim exactly. + ID string + // Time matches the "exp" and "ebf" claims with leeway. + Time time.Time +} + +// WithTime copies expectations with new time. +func (e Expected) WithTime(t time.Time) Expected { + e.Time = t + return e +} + +// Validate checks claims in a token against expected values. +// A default leeway value of one minute is used to compare time values. +func (c Claims) Validate(e Expected) error { + return c.ValidateWithLeeway(e, DefaultLeeway) +} + +// ValidateWithLeeway checks claims in a token against expected values. A +// custom leeway may be specified for comparing time values. You may pass a +// zero value to check time values with no leeway, but you should not that +// numeric date values are rounded to the nearest second and sub-second +// precision is not supported. +func (c Claims) ValidateWithLeeway(e Expected, leeway time.Duration) error { + if e.Issuer != "" && e.Issuer != c.Issuer { + return ErrInvalidIssuer + } + + if e.Subject != "" && e.Subject != c.Subject { + return ErrInvalidSubject + } + + if e.ID != "" && e.ID != c.ID { + return ErrInvalidID + } + + if len(e.Audience) != 0 { + for _, v := range e.Audience { + if !c.Audience.Contains(v) { + return ErrInvalidAudience + } + } + } + + if !e.Time.IsZero() && e.Time.Add(leeway).Before(c.NotBefore.Time()) { + return ErrNotValidYet + } + + if !e.Time.IsZero() && e.Time.Add(-leeway).After(c.Expiry.Time()) { + return ErrExpired + } + + return nil +} diff --git a/vendor/gopkg.in/square/go-jose.v2/shared.go b/vendor/gopkg.in/square/go-jose.v2/shared.go new file mode 100644 index 000000000..4c19dc382 --- /dev/null +++ b/vendor/gopkg.in/square/go-jose.v2/shared.go @@ -0,0 +1,417 @@ +/*- + * Copyright 2014 Square Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package jose + +import ( + "crypto/elliptic" + "errors" + "fmt" + + "gopkg.in/square/go-jose.v2/json" +) + +// KeyAlgorithm represents a key management algorithm. +type KeyAlgorithm string + +// SignatureAlgorithm represents a signature (or MAC) algorithm. +type SignatureAlgorithm string + +// ContentEncryption represents a content encryption algorithm. +type ContentEncryption string + +// CompressionAlgorithm represents an algorithm used for plaintext compression. +type CompressionAlgorithm string + +// ContentType represents type of the contained data. +type ContentType string + +var ( + // ErrCryptoFailure represents an error in cryptographic primitive. This + // occurs when, for example, a message had an invalid authentication tag or + // could not be decrypted. + ErrCryptoFailure = errors.New("square/go-jose: error in cryptographic primitive") + + // ErrUnsupportedAlgorithm indicates that a selected algorithm is not + // supported. This occurs when trying to instantiate an encrypter for an + // algorithm that is not yet implemented. + ErrUnsupportedAlgorithm = errors.New("square/go-jose: unknown/unsupported algorithm") + + // ErrUnsupportedKeyType indicates that the given key type/format is not + // supported. This occurs when trying to instantiate an encrypter and passing + // it a key of an unrecognized type or with unsupported parameters, such as + // an RSA private key with more than two primes. + ErrUnsupportedKeyType = errors.New("square/go-jose: unsupported key type/format") + + // ErrNotSupported serialization of object is not supported. This occurs when + // trying to compact-serialize an object which can't be represented in + // compact form. + ErrNotSupported = errors.New("square/go-jose: compact serialization not supported for object") + + // ErrUnprotectedNonce indicates that while parsing a JWS or JWE object, a + // nonce header parameter was included in an unprotected header object. + ErrUnprotectedNonce = errors.New("square/go-jose: Nonce parameter included in unprotected header") +) + +// Key management algorithms +const ( + ED25519 = KeyAlgorithm("ED25519") + RSA1_5 = KeyAlgorithm("RSA1_5") // RSA-PKCS1v1.5 + RSA_OAEP = KeyAlgorithm("RSA-OAEP") // RSA-OAEP-SHA1 + RSA_OAEP_256 = KeyAlgorithm("RSA-OAEP-256") // RSA-OAEP-SHA256 + A128KW = KeyAlgorithm("A128KW") // AES key wrap (128) + A192KW = KeyAlgorithm("A192KW") // AES key wrap (192) + A256KW = KeyAlgorithm("A256KW") // AES key wrap (256) + DIRECT = KeyAlgorithm("dir") // Direct encryption + ECDH_ES = KeyAlgorithm("ECDH-ES") // ECDH-ES + ECDH_ES_A128KW = KeyAlgorithm("ECDH-ES+A128KW") // ECDH-ES + AES key wrap (128) + ECDH_ES_A192KW = KeyAlgorithm("ECDH-ES+A192KW") // ECDH-ES + AES key wrap (192) + ECDH_ES_A256KW = KeyAlgorithm("ECDH-ES+A256KW") // ECDH-ES + AES key wrap (256) + A128GCMKW = KeyAlgorithm("A128GCMKW") // AES-GCM key wrap (128) + A192GCMKW = KeyAlgorithm("A192GCMKW") // AES-GCM key wrap (192) + A256GCMKW = KeyAlgorithm("A256GCMKW") // AES-GCM key wrap (256) + PBES2_HS256_A128KW = KeyAlgorithm("PBES2-HS256+A128KW") // PBES2 + HMAC-SHA256 + AES key wrap (128) + PBES2_HS384_A192KW = KeyAlgorithm("PBES2-HS384+A192KW") // PBES2 + HMAC-SHA384 + AES key wrap (192) + PBES2_HS512_A256KW = KeyAlgorithm("PBES2-HS512+A256KW") // PBES2 + HMAC-SHA512 + AES key wrap (256) +) + +// Signature algorithms +const ( + EdDSA = SignatureAlgorithm("EdDSA") + HS256 = SignatureAlgorithm("HS256") // HMAC using SHA-256 + HS384 = SignatureAlgorithm("HS384") // HMAC using SHA-384 + HS512 = SignatureAlgorithm("HS512") // HMAC using SHA-512 + RS256 = SignatureAlgorithm("RS256") // RSASSA-PKCS-v1.5 using SHA-256 + RS384 = SignatureAlgorithm("RS384") // RSASSA-PKCS-v1.5 using SHA-384 + RS512 = SignatureAlgorithm("RS512") // RSASSA-PKCS-v1.5 using SHA-512 + ES256 = SignatureAlgorithm("ES256") // ECDSA using P-256 and SHA-256 + ES384 = SignatureAlgorithm("ES384") // ECDSA using P-384 and SHA-384 + ES512 = SignatureAlgorithm("ES512") // ECDSA using P-521 and SHA-512 + PS256 = SignatureAlgorithm("PS256") // RSASSA-PSS using SHA256 and MGF1-SHA256 + PS384 = SignatureAlgorithm("PS384") // RSASSA-PSS using SHA384 and MGF1-SHA384 + PS512 = SignatureAlgorithm("PS512") // RSASSA-PSS using SHA512 and MGF1-SHA512 +) + +// Content encryption algorithms +const ( + A128CBC_HS256 = ContentEncryption("A128CBC-HS256") // AES-CBC + HMAC-SHA256 (128) + A192CBC_HS384 = ContentEncryption("A192CBC-HS384") // AES-CBC + HMAC-SHA384 (192) + A256CBC_HS512 = ContentEncryption("A256CBC-HS512") // AES-CBC + HMAC-SHA512 (256) + A128GCM = ContentEncryption("A128GCM") // AES-GCM (128) + A192GCM = ContentEncryption("A192GCM") // AES-GCM (192) + A256GCM = ContentEncryption("A256GCM") // AES-GCM (256) +) + +// Compression algorithms +const ( + NONE = CompressionAlgorithm("") // No compression + DEFLATE = CompressionAlgorithm("DEF") // DEFLATE (RFC 1951) +) + +// A key in the protected header of a JWS object. Use of the Header... +// constants is preferred to enhance type safety. +type HeaderKey string + +const ( + HeaderType HeaderKey = "typ" // string + HeaderContentType = "cty" // string + + // These are set by go-jose and shouldn't need to be set by consumers of the + // library. + headerAlgorithm = "alg" // string + headerEncryption = "enc" // ContentEncryption + headerCompression = "zip" // CompressionAlgorithm + headerCritical = "crit" // []string + + headerAPU = "apu" // *byteBuffer + headerAPV = "apv" // *byteBuffer + headerEPK = "epk" // *JSONWebKey + headerIV = "iv" // *byteBuffer + headerTag = "tag" // *byteBuffer + + headerJWK = "jwk" // *JSONWebKey + headerKeyID = "kid" // string + headerNonce = "nonce" // string +) + +// rawHeader represents the JOSE header for JWE/JWS objects (used for parsing). +// +// The decoding of the constituent items is deferred because we want to marshal +// some members into particular structs rather than generic maps, but at the +// same time we need to receive any extra fields unhandled by this library to +// pass through to consuming code in case it wants to examine them. +type rawHeader map[HeaderKey]*json.RawMessage + +// Header represents the read-only JOSE header for JWE/JWS objects. +type Header struct { + KeyID string + JSONWebKey *JSONWebKey + Algorithm string + Nonce string + + // Any headers not recognised above get unmarshaled from JSON in a generic + // manner and placed in this map. + ExtraHeaders map[HeaderKey]interface{} +} + +func (parsed rawHeader) set(k HeaderKey, v interface{}) error { + b, err := json.Marshal(v) + if err != nil { + return err + } + + parsed[k] = makeRawMessage(b) + return nil +} + +// getString gets a string from the raw JSON, defaulting to "". +func (parsed rawHeader) getString(k HeaderKey) string { + v, ok := parsed[k] + if !ok { + return "" + } + var s string + err := json.Unmarshal(*v, &s) + if err != nil { + return "" + } + return s +} + +// getByteBuffer gets a byte buffer from the raw JSON. Returns (nil, nil) if +// not specified. +func (parsed rawHeader) getByteBuffer(k HeaderKey) (*byteBuffer, error) { + v := parsed[k] + if v == nil { + return nil, nil + } + var bb *byteBuffer + err := json.Unmarshal(*v, &bb) + if err != nil { + return nil, err + } + return bb, nil +} + +// getAlgorithm extracts parsed "alg" from the raw JSON as a KeyAlgorithm. +func (parsed rawHeader) getAlgorithm() KeyAlgorithm { + return KeyAlgorithm(parsed.getString(headerAlgorithm)) +} + +// getSignatureAlgorithm extracts parsed "alg" from the raw JSON as a SignatureAlgorithm. +func (parsed rawHeader) getSignatureAlgorithm() SignatureAlgorithm { + return SignatureAlgorithm(parsed.getString(headerAlgorithm)) +} + +// getEncryption extracts parsed "enc" from the raw JSON. +func (parsed rawHeader) getEncryption() ContentEncryption { + return ContentEncryption(parsed.getString(headerEncryption)) +} + +// getCompression extracts parsed "zip" from the raw JSON. +func (parsed rawHeader) getCompression() CompressionAlgorithm { + return CompressionAlgorithm(parsed.getString(headerCompression)) +} + +func (parsed rawHeader) getNonce() string { + return parsed.getString(headerNonce) +} + +// getEPK extracts parsed "epk" from the raw JSON. +func (parsed rawHeader) getEPK() (*JSONWebKey, error) { + v := parsed[headerEPK] + if v == nil { + return nil, nil + } + var epk *JSONWebKey + err := json.Unmarshal(*v, &epk) + if err != nil { + return nil, err + } + return epk, nil +} + +// getAPU extracts parsed "apu" from the raw JSON. +func (parsed rawHeader) getAPU() (*byteBuffer, error) { + return parsed.getByteBuffer(headerAPU) +} + +// getAPV extracts parsed "apv" from the raw JSON. +func (parsed rawHeader) getAPV() (*byteBuffer, error) { + return parsed.getByteBuffer(headerAPV) +} + +// getIV extracts parsed "iv" frpom the raw JSON. +func (parsed rawHeader) getIV() (*byteBuffer, error) { + return parsed.getByteBuffer(headerIV) +} + +// getTag extracts parsed "tag" frpom the raw JSON. +func (parsed rawHeader) getTag() (*byteBuffer, error) { + return parsed.getByteBuffer(headerTag) +} + +// getJWK extracts parsed "jwk" from the raw JSON. +func (parsed rawHeader) getJWK() (*JSONWebKey, error) { + v := parsed[headerJWK] + if v == nil { + return nil, nil + } + var jwk *JSONWebKey + err := json.Unmarshal(*v, &jwk) + if err != nil { + return nil, err + } + return jwk, nil +} + +// getCritical extracts parsed "crit" from the raw JSON. If omitted, it +// returns an empty slice. +func (parsed rawHeader) getCritical() ([]string, error) { + v := parsed[headerCritical] + if v == nil { + return nil, nil + } + + var q []string + err := json.Unmarshal(*v, &q) + if err != nil { + return nil, err + } + return q, nil +} + +// sanitized produces a cleaned-up header object from the raw JSON. +func (parsed rawHeader) sanitized() (h Header, err error) { + for k, v := range parsed { + if v == nil { + continue + } + switch k { + case headerJWK: + var jwk *JSONWebKey + err = json.Unmarshal(*v, &jwk) + if err != nil { + err = fmt.Errorf("failed to unmarshal JWK: %v: %#v", err, string(*v)) + return + } + h.JSONWebKey = jwk + case headerKeyID: + var s string + err = json.Unmarshal(*v, &s) + if err != nil { + err = fmt.Errorf("failed to unmarshal key ID: %v: %#v", err, string(*v)) + return + } + h.KeyID = s + case headerAlgorithm: + var s string + err = json.Unmarshal(*v, &s) + if err != nil { + err = fmt.Errorf("failed to unmarshal algorithm: %v: %#v", err, string(*v)) + return + } + h.Algorithm = s + case headerNonce: + var s string + err = json.Unmarshal(*v, &s) + if err != nil { + err = fmt.Errorf("failed to unmarshal nonce: %v: %#v", err, string(*v)) + return + } + h.Nonce = s + default: + if h.ExtraHeaders == nil { + h.ExtraHeaders = map[HeaderKey]interface{}{} + } + var v2 interface{} + err = json.Unmarshal(*v, &v2) + if err != nil { + err = fmt.Errorf("failed to unmarshal value: %v: %#v", err, string(*v)) + return + } + h.ExtraHeaders[k] = v2 + } + } + return +} + +func (dst rawHeader) isSet(k HeaderKey) bool { + dvr := dst[k] + if dvr == nil { + return false + } + + var dv interface{} + err := json.Unmarshal(*dvr, &dv) + if err != nil { + return true + } + + if dvStr, ok := dv.(string); ok { + return dvStr != "" + } + + return true +} + +// Merge headers from src into dst, giving precedence to headers from l. +func (dst rawHeader) merge(src *rawHeader) { + if src == nil { + return + } + + for k, v := range *src { + if dst.isSet(k) { + continue + } + + dst[k] = v + } +} + +// Get JOSE name of curve +func curveName(crv elliptic.Curve) (string, error) { + switch crv { + case elliptic.P256(): + return "P-256", nil + case elliptic.P384(): + return "P-384", nil + case elliptic.P521(): + return "P-521", nil + default: + return "", fmt.Errorf("square/go-jose: unsupported/unknown elliptic curve") + } +} + +// Get size of curve in bytes +func curveSize(crv elliptic.Curve) int { + bits := crv.Params().BitSize + + div := bits / 8 + mod := bits % 8 + + if mod == 0 { + return div + } + + return div + 1 +} + +func makeRawMessage(b []byte) *json.RawMessage { + rm := json.RawMessage(b) + return &rm +} diff --git a/vendor/gopkg.in/square/go-jose.v2/signing.go b/vendor/gopkg.in/square/go-jose.v2/signing.go new file mode 100644 index 000000000..13e956d66 --- /dev/null +++ b/vendor/gopkg.in/square/go-jose.v2/signing.go @@ -0,0 +1,343 @@ +/*- + * Copyright 2014 Square Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package jose + +import ( + "crypto/ecdsa" + "crypto/rsa" + "encoding/base64" + "errors" + "fmt" + + "golang.org/x/crypto/ed25519" + + "gopkg.in/square/go-jose.v2/json" +) + +// NonceSource represents a source of random nonces to go into JWS objects +type NonceSource interface { + Nonce() (string, error) +} + +// Signer represents a signer which takes a payload and produces a signed JWS object. +type Signer interface { + Sign(payload []byte) (*JSONWebSignature, error) + Options() SignerOptions +} + +// SigningKey represents an algorithm/key used to sign a message. +type SigningKey struct { + Algorithm SignatureAlgorithm + Key interface{} +} + +// SignerOptions represents options that can be set when creating signers. +type SignerOptions struct { + NonceSource NonceSource + EmbedJWK bool + + // Optional map of additional keys to be inserted into the protected header + // of a JWS object. Some specifications which make use of JWS like to insert + // additional values here. All values must be JSON-serializable. + ExtraHeaders map[HeaderKey]interface{} +} + +// WithHeader adds an arbitrary value to the ExtraHeaders map, initializing it +// if necessary. It returns itself and so can be used in a fluent style. +func (so *SignerOptions) WithHeader(k HeaderKey, v interface{}) *SignerOptions { + if so.ExtraHeaders == nil { + so.ExtraHeaders = map[HeaderKey]interface{}{} + } + so.ExtraHeaders[k] = v + return so +} + +// WithContentType adds a content type ("cty") header and returns the updated +// SignerOptions. +func (so *SignerOptions) WithContentType(contentType ContentType) *SignerOptions { + return so.WithHeader(HeaderContentType, contentType) +} + +// WithType adds a type ("typ") header and returns the updated SignerOptions. +func (so *SignerOptions) WithType(typ ContentType) *SignerOptions { + return so.WithHeader(HeaderType, typ) +} + +type payloadSigner interface { + signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) +} + +type payloadVerifier interface { + verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error +} + +type genericSigner struct { + recipients []recipientSigInfo + nonceSource NonceSource + embedJWK bool + extraHeaders map[HeaderKey]interface{} +} + +type recipientSigInfo struct { + sigAlg SignatureAlgorithm + publicKey *JSONWebKey + signer payloadSigner +} + +// NewSigner creates an appropriate signer based on the key type +func NewSigner(sig SigningKey, opts *SignerOptions) (Signer, error) { + return NewMultiSigner([]SigningKey{sig}, opts) +} + +// NewMultiSigner creates a signer for multiple recipients +func NewMultiSigner(sigs []SigningKey, opts *SignerOptions) (Signer, error) { + signer := &genericSigner{recipients: []recipientSigInfo{}} + + if opts != nil { + signer.nonceSource = opts.NonceSource + signer.embedJWK = opts.EmbedJWK + signer.extraHeaders = opts.ExtraHeaders + } + + for _, sig := range sigs { + err := signer.addRecipient(sig.Algorithm, sig.Key) + if err != nil { + return nil, err + } + } + + return signer, nil +} + +// newVerifier creates a verifier based on the key type +func newVerifier(verificationKey interface{}) (payloadVerifier, error) { + switch verificationKey := verificationKey.(type) { + case ed25519.PublicKey: + return &edEncrypterVerifier{ + publicKey: verificationKey, + }, nil + case *rsa.PublicKey: + return &rsaEncrypterVerifier{ + publicKey: verificationKey, + }, nil + case *ecdsa.PublicKey: + return &ecEncrypterVerifier{ + publicKey: verificationKey, + }, nil + case []byte: + return &symmetricMac{ + key: verificationKey, + }, nil + case JSONWebKey: + return newVerifier(verificationKey.Key) + case *JSONWebKey: + return newVerifier(verificationKey.Key) + default: + return nil, ErrUnsupportedKeyType + } +} + +func (ctx *genericSigner) addRecipient(alg SignatureAlgorithm, signingKey interface{}) error { + recipient, err := makeJWSRecipient(alg, signingKey) + if err != nil { + return err + } + + ctx.recipients = append(ctx.recipients, recipient) + return nil +} + +func makeJWSRecipient(alg SignatureAlgorithm, signingKey interface{}) (recipientSigInfo, error) { + switch signingKey := signingKey.(type) { + case ed25519.PrivateKey: + return newEd25519Signer(alg, signingKey) + case *rsa.PrivateKey: + return newRSASigner(alg, signingKey) + case *ecdsa.PrivateKey: + return newECDSASigner(alg, signingKey) + case []byte: + return newSymmetricSigner(alg, signingKey) + case JSONWebKey: + return newJWKSigner(alg, signingKey) + case *JSONWebKey: + return newJWKSigner(alg, *signingKey) + default: + return recipientSigInfo{}, ErrUnsupportedKeyType + } +} + +func newJWKSigner(alg SignatureAlgorithm, signingKey JSONWebKey) (recipientSigInfo, error) { + recipient, err := makeJWSRecipient(alg, signingKey.Key) + if err != nil { + return recipientSigInfo{}, err + } + if recipient.publicKey != nil { + // recipient.publicKey is a JWK synthesized for embedding when recipientSigInfo + // was created for the inner key (such as a RSA or ECDSA public key). It contains + // the pub key for embedding, but doesn't have extra params like key id. + publicKey := signingKey + publicKey.Key = recipient.publicKey.Key + recipient.publicKey = &publicKey + + // This should be impossible, but let's check anyway. + if !recipient.publicKey.IsPublic() { + return recipientSigInfo{}, errors.New("square/go-jose: public key was unexpectedly not public") + } + } + return recipient, nil +} + +func (ctx *genericSigner) Sign(payload []byte) (*JSONWebSignature, error) { + obj := &JSONWebSignature{} + obj.payload = payload + obj.Signatures = make([]Signature, len(ctx.recipients)) + + for i, recipient := range ctx.recipients { + protected := map[HeaderKey]interface{}{ + headerAlgorithm: string(recipient.sigAlg), + } + + if recipient.publicKey != nil { + // We want to embed the JWK or set the kid header, but not both. Having a protected + // header that contains an embedded JWK while also simultaneously containing the kid + // header is confusing, and at least in ACME the two are considered to be mutually + // exclusive. The fact that both can exist at the same time is a somewhat unfortunate + // result of the JOSE spec. We've decided that this library will only include one or + // the other to avoid this confusion. + // + // See https://github.com/square/go-jose/issues/157 for more context. + if ctx.embedJWK { + protected[headerJWK] = recipient.publicKey + } else { + protected[headerKeyID] = recipient.publicKey.KeyID + } + } + + if ctx.nonceSource != nil { + nonce, err := ctx.nonceSource.Nonce() + if err != nil { + return nil, fmt.Errorf("square/go-jose: Error generating nonce: %v", err) + } + protected[headerNonce] = nonce + } + + for k, v := range ctx.extraHeaders { + protected[k] = v + } + + serializedProtected := mustSerializeJSON(protected) + + input := []byte(fmt.Sprintf("%s.%s", + base64.RawURLEncoding.EncodeToString(serializedProtected), + base64.RawURLEncoding.EncodeToString(payload))) + + signatureInfo, err := recipient.signer.signPayload(input, recipient.sigAlg) + if err != nil { + return nil, err + } + + signatureInfo.protected = &rawHeader{} + for k, v := range protected { + b, err := json.Marshal(v) + if err != nil { + return nil, fmt.Errorf("square/go-jose: Error marshalling item %#v: %v", k, err) + } + (*signatureInfo.protected)[k] = makeRawMessage(b) + } + obj.Signatures[i] = signatureInfo + } + + return obj, nil +} + +func (ctx *genericSigner) Options() SignerOptions { + return SignerOptions{ + NonceSource: ctx.nonceSource, + EmbedJWK: ctx.embedJWK, + ExtraHeaders: ctx.extraHeaders, + } +} + +// Verify validates the signature on the object and returns the payload. +// This function does not support multi-signature, if you desire multi-sig +// verification use VerifyMulti instead. +// +// Be careful when verifying signatures based on embedded JWKs inside the +// payload header. You cannot assume that the key received in a payload is +// trusted. +func (obj JSONWebSignature) Verify(verificationKey interface{}) ([]byte, error) { + verifier, err := newVerifier(verificationKey) + if err != nil { + return nil, err + } + + if len(obj.Signatures) > 1 { + return nil, errors.New("square/go-jose: too many signatures in payload; expecting only one") + } + + signature := obj.Signatures[0] + headers := signature.mergedHeaders() + critical, err := headers.getCritical() + if err != nil { + return nil, err + } + if len(critical) > 0 { + // Unsupported crit header + return nil, ErrCryptoFailure + } + + input := obj.computeAuthData(&signature) + alg := headers.getSignatureAlgorithm() + err = verifier.verifyPayload(input, signature.Signature, alg) + if err == nil { + return obj.payload, nil + } + + return nil, ErrCryptoFailure +} + +// VerifyMulti validates (one of the multiple) signatures on the object and +// returns the index of the signature that was verified, along with the signature +// object and the payload. We return the signature and index to guarantee that +// callers are getting the verified value. +func (obj JSONWebSignature) VerifyMulti(verificationKey interface{}) (int, Signature, []byte, error) { + verifier, err := newVerifier(verificationKey) + if err != nil { + return -1, Signature{}, nil, err + } + + for i, signature := range obj.Signatures { + headers := signature.mergedHeaders() + critical, err := headers.getCritical() + if err != nil { + continue + } + if len(critical) > 0 { + // Unsupported crit header + continue + } + + input := obj.computeAuthData(&signature) + alg := headers.getSignatureAlgorithm() + err = verifier.verifyPayload(input, signature.Signature, alg) + if err == nil { + return i, signature, obj.payload, nil + } + } + + return -1, Signature{}, nil, ErrCryptoFailure +} diff --git a/vendor/gopkg.in/square/go-jose.v1/symmetric.go b/vendor/gopkg.in/square/go-jose.v2/symmetric.go index 51f8cb394..5be00f925 100644 --- a/vendor/gopkg.in/square/go-jose.v1/symmetric.go +++ b/vendor/gopkg.in/square/go-jose.v2/symmetric.go @@ -25,10 +25,11 @@ import ( "crypto/sha512" "crypto/subtle" "errors" + "fmt" "hash" "io" - "gopkg.in/square/go-jose.v1/cipher" + "gopkg.in/square/go-jose.v2/cipher" ) // Random reader (stubbed out in tests) @@ -229,11 +230,12 @@ func (ctx *symmetricKeyCipher) encryptKey(cek []byte, alg KeyAlgorithm) (recipie return recipientInfo{}, err } + header := &rawHeader{} + header.set(headerIV, newBuffer(parts.iv)) + header.set(headerTag, newBuffer(parts.tag)) + return recipientInfo{ - header: &rawHeader{ - Iv: newBuffer(parts.iv), - Tag: newBuffer(parts.tag), - }, + header: header, encryptedKey: parts.ciphertext, }, nil case A128KW, A192KW, A256KW: @@ -258,7 +260,7 @@ func (ctx *symmetricKeyCipher) encryptKey(cek []byte, alg KeyAlgorithm) (recipie // Decrypt the content encryption key. func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) { - switch KeyAlgorithm(headers.Alg) { + switch headers.getAlgorithm() { case DIRECT: cek := make([]byte, len(ctx.key)) copy(cek, ctx.key) @@ -266,10 +268,19 @@ func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipien case A128GCMKW, A192GCMKW, A256GCMKW: aead := newAESGCM(len(ctx.key)) + iv, err := headers.getIV() + if err != nil { + return nil, fmt.Errorf("square/go-jose: invalid IV: %v", err) + } + tag, err := headers.getTag() + if err != nil { + return nil, fmt.Errorf("square/go-jose: invalid tag: %v", err) + } + parts := &aeadParts{ - iv: headers.Iv.bytes(), + iv: iv.bytes(), ciphertext: recipient.encryptedKey, - tag: headers.Tag.bytes(), + tag: tag.bytes(), } cek, err := aead.decrypt(ctx.key, []byte{}, parts) diff --git a/vendor/manifest b/vendor/manifest index 47fe1d7e3..91a401c7d 100644 --- a/vendor/manifest +++ b/vendor/manifest @@ -137,7 +137,7 @@ "importpath": "github.com/lucas-clemente/aes12", "repository": "https://github.com/lucas-clemente/aes12", "vcs": "git", - "revision": "25700e67be5c860bcc999137275b9ef8b65932bd", + "revision": "cd47fb39b79f867c6e4e5cd39cf7abd799f71670", "branch": "master", "notests": true }, @@ -153,7 +153,7 @@ "importpath": "github.com/lucas-clemente/quic-go", "repository": "https://github.com/lucas-clemente/quic-go", "vcs": "git", - "revision": "d71850eb2ff581620f2f5742b558a97de22c13f6", + "revision": "da7708e47066ab0aff0f20f66b21c1f329db1eff", "branch": "master", "notests": true }, @@ -198,12 +198,12 @@ "notests": true }, { - "importpath": "github.com/xenolf/lego/acme", + "importpath": "github.com/xenolf/lego/acmev2", "repository": "https://github.com/xenolf/lego", "vcs": "git", - "revision": "4dde48a9b9916926a8dd4f69639c8dba40930355", - "branch": "master", - "path": "/acme", + "revision": "fad2257e11ae4ff31ed03739386873aa405dec2d", + "branch": "acmev2", + "path": "/acmev2", "notests": true }, { @@ -216,21 +216,21 @@ "notests": true }, { - "importpath": "golang.org/x/crypto/acme", + "importpath": "golang.org/x/crypto/curve25519", "repository": "https://go.googlesource.com/crypto", "vcs": "git", - "revision": "2faea1465de239e4babd8f5905cc25b781712442", + "revision": "94eea52f7b742c7cbe0b03b22f0c4c8631ece122", "branch": "master", - "path": "acme", + "path": "curve25519", "notests": true }, { - "importpath": "golang.org/x/crypto/curve25519", + "importpath": "golang.org/x/crypto/ed25519", "repository": "https://go.googlesource.com/crypto", "vcs": "git", - "revision": "94eea52f7b742c7cbe0b03b22f0c4c8631ece122", + "revision": "c4a91bd4f524f10d064139674cf55852e055ad01", "branch": "master", - "path": "curve25519", + "path": "/ed25519", "notests": true }, { @@ -455,10 +455,10 @@ "notests": true }, { - "importpath": "gopkg.in/square/go-jose.v1", - "repository": "https://gopkg.in/square/go-jose.v1", + "importpath": "gopkg.in/square/go-jose.v2", + "repository": "https://gopkg.in/square/go-jose.v2", "vcs": "git", - "revision": "aa2e30fdd1fe9dd3394119af66451ae790d50e0d", + "revision": "6ee92191fea850cdcab9a18867abf5f521cdbadb", "branch": "master", "notests": true }, |