Switch to QUIC draft-25

Author: jlaine

docs/http_client.py

@@ -8,7 +8,7 @@
 
 
 async def http_client(host, port):
-    configuration = QuicConfiguration(alpn_protocols=["hq-23"])
+    configuration = QuicConfiguration(alpn_protocols=["hq-25"])
 
     async with connect(host, port, configuration=configuration) as connection:
         reader, writer = await connection.create_stream()

src/aioquic/h0/connection.py

@@ -4,7 +4,7 @@
 from aioquic.quic.connection import QuicConnection
 from aioquic.quic.events import QuicEvent, StreamDataReceived
 
-H0_ALPN = ["hq-24", "hq-23"]
+H0_ALPN = ["hq-25"]
 
 
 class H0Connection:

src/aioquic/h3/connection.py

@@ -19,7 +19,7 @@
 
 logger = logging.getLogger("http3")
 
-H3_ALPN = ["h3-24", "h3-23"]
+H3_ALPN = ["h3-25"]
 
 
 class ErrorCode(IntEnum):

src/aioquic/quic/configuration.py

@@ -68,7 +68,7 @@ class QuicConfiguration:
     private_key: Any = None
     quantum_readiness_test: bool = False
     supported_versions: List[int] = field(
-        default_factory=lambda: [QuicProtocolVersion.DRAFT_24]
+        default_factory=lambda: [QuicProtocolVersion.DRAFT_25]
     )
     verify_mode: Optional[int] = None
 

src/aioquic/quic/connection.py

@@ -25,6 +25,7 @@
     QuicProtocolVersion,
     QuicStreamFrame,
     QuicTransportParameters,
+    get_retry_integrity_tag,
     get_spin_bit,
     is_long_header,
     pull_ack_frame,
@@ -283,6 +284,7 @@ def __init__(
         # things to send
         self._close_pending = False
         self._datagrams_pending: Deque[bytes] = deque()
+        self._handshake_done_pending = False
         self._ping_pending: List[int] = []
         self._probe_pending = False
         self._retire_connection_ids: List[int] = []
@@ -324,6 +326,7 @@ def __init__(
             0x1B: (self._handle_path_response_frame, EPOCHS("01")),
             0x1C: (self._handle_connection_close_frame, EPOCHS("IH1")),
             0x1D: (self._handle_connection_close_frame, EPOCHS("1")),
+            0x1E: (self._handle_handshake_done_frame, EPOCHS("1")),
             0x30: (self._handle_datagram_frame, EPOCHS("01")),
             0x31: (self._handle_datagram_frame, EPOCHS("01")),
         }
@@ -666,10 +669,18 @@ def receive_datagram(self, data: bytes, addr: NetworkAddress, now: float) -> Non
                 return
 
             if self._is_client and header.packet_type == PACKET_TYPE_RETRY:
-                # stateless retry
+                # calculate stateless retry integrity tag
+                integrity_tag = get_retry_integrity_tag(
+                    version=header.version,
+                    source_cid=header.source_cid,
+                    destination_cid=header.destination_cid,
+                    original_destination_cid=self._peer_cid,
+                    retry_token=header.token,
+                )
+
                 if (
                     header.destination_cid == self.host_cid
-                    and header.original_destination_cid == self._peer_cid
+                    and header.integrity_tag == integrity_tag
                     and not self._stateless_retry_count
                 ):
                     if self._quic_logger is not None:
@@ -862,12 +873,13 @@ def receive_datagram(self, data: bytes, addr: NetworkAddress, now: float) -> Non
                 self._network_paths.insert(0, network_path)
 
             # record packet as received
-            if packet_number > space.largest_received_packet:
-                space.largest_received_packet = packet_number
-                space.largest_received_time = now
-            space.ack_queue.add(packet_number)
-            if is_ack_eliciting and space.ack_at is None:
-                space.ack_at = now + self._ack_delay
+            if not space.discarded:
+                if packet_number > space.largest_received_packet:
+                    space.largest_received_packet = packet_number
+                    space.largest_received_time = now
+                space.ack_queue.add(packet_number)
+                if is_ack_eliciting and space.ack_at is None:
+                    space.ack_at = now + self._ack_delay
 
     def request_key_update(self) -> None:
         """
@@ -1019,6 +1031,7 @@ def _discard_epoch(self, epoch: tls.Epoch) -> None:
         self._logger.debug("Discarding epoch %s", epoch)
         self._cryptos[epoch].teardown()
         self._loss.discard_space(self._spaces[epoch])
+        self._spaces[epoch].discarded = True
 
     def _find_network_path(self, addr: NetworkAddress) -> QuicNetworkPath:
         # check existing network paths
@@ -1191,15 +1204,6 @@ def _handle_ack_frame(
             now=context.time,
         )
 
-        # check if we can discard handshake keys
-        if (
-            not self._handshake_confirmed
-            and self._handshake_complete
-            and context.epoch == tls.Epoch.ONE_RTT
-        ):
-            self._discard_epoch(tls.Epoch.HANDSHAKE)
-            self._handshake_confirmed = True
-
     def _handle_connection_close_frame(
         self, context: QuicReceiveContext, frame_type: int, buf: Buffer
     ) -> None:
@@ -1291,6 +1295,13 @@ def _handle_crypto_frame(
                 tls.State.SERVER_POST_HANDSHAKE,
             ]:
                 self._handshake_complete = True
+
+                # for servers, the handshake is now confirmed
+                if not self._is_client:
+                    self._discard_epoch(tls.Epoch.HANDSHAKE)
+                    self._handshake_confirmed = True
+                    self._handshake_done_pending = True
+
                 self._loss.is_client_without_1rtt = False
                 self._replenish_connection_ids()
                 self._events.append(
@@ -1352,6 +1363,30 @@ def _handle_datagram_frame(
 
         self._events.append(events.DatagramFrameReceived(data=data))
 
+    def _handle_handshake_done_frame(
+        self, context: QuicReceiveContext, frame_type: int, buf: Buffer
+    ) -> None:
+        """
+        Handle a HANDSHAKE_DONE frame.
+        """
+        # log frame
+        if self._quic_logger is not None:
+            context.quic_logger_frames.append(
+                self._quic_logger.encode_handshake_done_frame()
+            )
+
+        if not self._is_client:
+            raise QuicConnectionError(
+                error_code=QuicErrorCode.PROTOCOL_VIOLATION,
+                frame_type=frame_type,
+                reason_phrase="Clients must not send HANDSHAKE_DONE frames",
+            )
+
+        #  for clients, the handshake is now confirmed
+        if not self._handshake_confirmed:
+            self._discard_epoch(tls.Epoch.HANDSHAKE)
+            self._handshake_confirmed = True
+
     def _handle_max_data_frame(
         self, context: QuicReceiveContext, frame_type: int, buf: Buffer
     ) -> None:
@@ -1765,6 +1800,13 @@ def _on_ack_delivery(
         if delivery == QuicDeliveryState.ACKED:
             space.ack_queue.subtract(0, highest_acked + 1)
 
+    def _on_handshake_done_delivery(self, delivery: QuicDeliveryState) -> None:
+        """
+        Callback when a HANDSHAKE_DONE frame is acknowledged or lost.
+        """
+        if delivery != QuicDeliveryState.ACKED:
+            self._handshake_done_pending = True
+
     def _on_max_data_delivery(self, delivery: QuicDeliveryState) -> None:
         """
         Callback when a MAX_DATA frame is acknowledged or lost.
@@ -2063,6 +2105,11 @@ def _write_application(
                 if space.ack_at is not None and space.ack_at <= now:
                     self._write_ack_frame(builder=builder, space=space, now=now)
 
+                # HANDSHAKE_DONE
+                if self._handshake_done_pending:
+                    self._write_handshake_done_frame(builder=builder)
+                    self._handshake_done_pending = False
+
                 # PATH CHALLENGE
                 if (
                     not network_path.is_validated
@@ -2329,6 +2376,17 @@ def _write_datagram_frame(
 
         return True
 
+    def _write_handshake_done_frame(self, builder: QuicPacketBuilder) -> None:
+        builder.start_frame(
+            QuicFrameType.HANDSHAKE_DONE, self._on_handshake_done_delivery,
+        )
+
+        # log frame
+        if self._quic_logger is not None:
+            builder.quic_logger_frames.append(
+                self._quic_logger.encode_handshake_done_frame()
+            )
+
     def _write_new_connection_id_frame(
         self, builder: QuicPacketBuilder, connection_id: QuicConnectionId
     ) -> None:

src/aioquic/quic/logger.py

@@ -83,6 +83,9 @@ def encode_datagram_frame(self, length: int) -> Dict:
             "length": length,
         }
 
+    def encode_handshake_done_frame(self) -> Dict:
+        return {"frame_type": "handshake_done"}
+
     def encode_max_data_frame(self, maximum: int) -> Dict:
         return {"frame_type": "max_data", "maximum": str(maximum)}
 

src/aioquic/quic/packet.py

@@ -1,9 +1,12 @@
+import binascii
 import ipaddress
 import os
 from dataclasses import dataclass
 from enum import IntEnum
 from typing import List, Optional, Tuple
 
+from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+
 from ..buffer import Buffer
 from ..tls import pull_block, push_block
 from .rangeset import RangeSet
@@ -21,6 +24,9 @@
 
 CONNECTION_ID_MAX_SIZE = 20
 PACKET_NUMBER_MAX_SIZE = 4
+RETRY_AEAD_KEY = binascii.unhexlify("4d32ecdb2a2133c841e4043df27d4430")
+RETRY_AEAD_NONCE = binascii.unhexlify("4d1611d05513a552c587d575")
+RETRY_INTEGRITY_SIZE = 16
 
 
 class QuicErrorCode(IntEnum):
@@ -33,14 +39,16 @@ class QuicErrorCode(IntEnum):
     FINAL_SIZE_ERROR = 0x6
     FRAME_ENCODING_ERROR = 0x7
     TRANSPORT_PARAMETER_ERROR = 0x8
+    CONNECTION_ID_LIMIT_ERROR = 0x9
     PROTOCOL_VIOLATION = 0xA
+    INVALID_TOKEN = 0xB
     CRYPTO_BUFFER_EXCEEDED = 0xD
     CRYPTO_ERROR = 0x100
 
 
 class QuicProtocolVersion(IntEnum):
     NEGOTIATION = 0
-    DRAFT_24 = 0xFF000018
+    DRAFT_25 = 0xFF000019
 
 
 @dataclass
@@ -50,8 +58,8 @@ class QuicHeader:
     packet_type: int
     destination_cid: bytes
     source_cid: bytes
-    original_destination_cid: bytes = b""
     token: bytes = b""
+    integrity_tag: bytes = b""
     rest_length: int = 0
 
 
@@ -72,6 +80,42 @@ def decode_packet_number(truncated: int, num_bits: int, expected: int) -> int:
         return candidate
 
 
+def get_retry_integrity_tag(
+    version: int,
+    source_cid: bytes,
+    destination_cid: bytes,
+    original_destination_cid: bytes,
+    retry_token: bytes,
+) -> bytes:
+    """
+    Calculate the integrity tag for a RETRY packet.
+    """
+    # build Retry pseudo packet
+    buf = Buffer(
+        capacity=8
+        + len(destination_cid)
+        + len(source_cid)
+        + len(original_destination_cid)
+        + len(retry_token)
+    )
+    buf.push_uint8(len(original_destination_cid))
+    buf.push_bytes(original_destination_cid)
+    buf.push_uint8(PACKET_TYPE_RETRY)
+    buf.push_uint32(version)
+    buf.push_uint8(len(destination_cid))
+    buf.push_bytes(destination_cid)
+    buf.push_uint8(len(source_cid))
+    buf.push_bytes(source_cid)
+    buf.push_bytes(retry_token)
+    assert buf.eof()
+
+    # run AES-128-GCM
+    aead = AESGCM(RETRY_AEAD_KEY)
+    integrity_tag = aead.encrypt(RETRY_AEAD_NONCE, b"", buf.data)
+    assert len(integrity_tag) == RETRY_INTEGRITY_SIZE
+    return integrity_tag
+
+
 def get_spin_bit(first_byte: int) -> bool:
     return bool(first_byte & PACKET_SPIN_BIT)
 
@@ -83,7 +127,7 @@ def is_long_header(first_byte: int) -> bool:
 def pull_quic_header(buf: Buffer, host_cid_length: Optional[int] = None) -> QuicHeader:
     first_byte = buf.pull_uint8()
 
-    original_destination_cid = b""
+    integrity_tag = b""
     token = b""
     if is_long_header(first_byte):
         # long header packet
@@ -115,11 +159,9 @@ def pull_quic_header(buf: Buffer, host_cid_length: Optional[int] = None) -> Quic
                 token = buf.pull_bytes(token_length)
                 rest_length = buf.pull_uint_var()
             elif packet_type == PACKET_TYPE_RETRY:
-                original_destination_cid_length = buf.pull_uint8()
-                original_destination_cid = buf.pull_bytes(
-                    original_destination_cid_length
-                )
-                token = buf.pull_bytes(buf.capacity - buf.tell())
+                token_length = buf.capacity - buf.tell() - RETRY_INTEGRITY_SIZE
+                token = buf.pull_bytes(token_length)
+                integrity_tag = buf.pull_bytes(RETRY_INTEGRITY_SIZE)
                 rest_length = 0
             else:
                 rest_length = buf.pull_uint_var()
@@ -130,8 +172,8 @@ def pull_quic_header(buf: Buffer, host_cid_length: Optional[int] = None) -> Quic
             packet_type=packet_type,
             destination_cid=destination_cid,
             source_cid=source_cid,
-            original_destination_cid=original_destination_cid,
             token=token,
+            integrity_tag=integrity_tag,
             rest_length=rest_length,
         )
     else:
@@ -159,11 +201,20 @@ def encode_quic_retry(
     original_destination_cid: bytes,
     retry_token: bytes,
 ) -> bytes:
+    # calculate integrity tag
+    integrity_tag = get_retry_integrity_tag(
+        version=version,
+        source_cid=source_cid,
+        destination_cid=destination_cid,
+        original_destination_cid=original_destination_cid,
+        retry_token=retry_token,
+    )
+
     buf = Buffer(
-        capacity=8
+        capacity=7
         + len(destination_cid)
         + len(source_cid)
-        + len(original_destination_cid)
+        + len(integrity_tag)
         + len(retry_token)
     )
     buf.push_uint8(PACKET_TYPE_RETRY)
@@ -172,9 +223,9 @@ def encode_quic_retry(
     buf.push_bytes(destination_cid)
     buf.push_uint8(len(source_cid))
     buf.push_bytes(source_cid)
-    buf.push_uint8(len(original_destination_cid))
-    buf.push_bytes(original_destination_cid)
     buf.push_bytes(retry_token)
+    buf.push_bytes(integrity_tag)
+    assert buf.eof()
     return buf.data
 
 
@@ -368,6 +419,7 @@ class QuicFrameType(IntEnum):
     PATH_RESPONSE = 0x1B
     TRANSPORT_CLOSE = 0x1C
     APPLICATION_CLOSE = 0x1D
+    HANDSHAKE_DONE = 0x1E
     DATAGRAM = 0x30
     DATAGRAM_WITH_LENGTH = 0x31