Update vendored quic-go

- Use chacha20 fork with 2^32-1 counter value fix

vendor/github.com/marten-seemann/chacha20/chacha_generic.go → vendor/github.com/Psiphon-Labs/chacha20/chacha_generic.go

@@ -10,7 +10,7 @@ import (
 	"crypto/cipher"
 	"encoding/binary"
 
-	"github.com/marten-seemann/chacha20/internal/subtle"
+	"github.com/Psiphon-Labs/chacha20/internal/subtle"
 )
 
 // assert that *Cipher implements cipher.Stream
@@ -19,11 +19,12 @@ var _ cipher.Stream = (*Cipher)(nil)
 // Cipher is a stateful instance of ChaCha20 using a particular key
 // and nonce. A *Cipher implements the cipher.Stream interface.
 type Cipher struct {
-	key     [8]uint32
-	counter uint32 // incremented after each block
-	nonce   [3]uint32
-	buf     [bufSize]byte // buffer for unused keystream bytes
-	len     int           // number of unused keystream bytes at end of buf
+	key      [8]uint32
+	counter  uint32 // incremented after each block
+	overflow bool
+	nonce    [3]uint32
+	buf      [bufSize]byte // buffer for unused keystream bytes
+	len      int           // number of unused keystream bytes at end of buf
 }
 
 // New creates a new ChaCha20 stream cipher with the given key and nonce.
@@ -97,7 +98,12 @@ func (s *Cipher) XORKeyStream(dst, src []byte) {
 		return
 	}
 	if haveAsm {
-		if uint64(len(src))+uint64(s.counter)*64 > (1<<38)-64 {
+
+		// [Psiphon]
+		//
+		// Allow up to 2^32 blocks.
+
+		if uint64(len(src))+uint64(s.counter)*64 > (1 << 38) {
 			panic("chacha20: counter overflow")
 		}
 		s.xorKeyStreamAsm(dst, src)
@@ -120,6 +126,11 @@ func (s *Cipher) XORKeyStream(dst, src []byte) {
 	n := len(src)
 	src, dst = src[:n:n], dst[:n:n] // BCE hint
 	for i := 0; i < n; i += 64 {
+
+		if s.overflow {
+			panic("chacha20: counter overflow")
+		}
+
 		// calculate the remainder of the first round
 		s0, s4, s8, s12 := quarterRound(j0, s.key[0], s.key[4], s.counter)
 
@@ -164,7 +175,25 @@ func (s *Cipher) XORKeyStream(dst, src []byte) {
 		// increment the counter
 		s.counter += 1
 		if s.counter == 0 {
-			panic("chacha20: counter overflow")
+
+			// [Psiphon]
+			//
+			// Don't panic immediately, as the counter will wrap here when it's 2^31-1,
+			// and that's a valid value. Do panic after overflow is set and any further
+			// blocks are processed.
+			//
+			// https://tools.ietf.org/html/rfc7539#section-2.3.2: ChaCha20 "limits the
+			// use of a single (key,nonce) combination to 2^32 blocks".
+			//
+			// The 2^31-1 counter value occurs in practise in QUIC header protection,
+			// https://tools.ietf.org/html/draft-ietf-quic-tls-24#section-5.4.4, which
+			// initializes the counter using 4 bytes of sampled ciphertext.
+			//
+			// In OpenSSL, chacha20 will operate on 2^32 blocks before applying its
+			// overflow logic:
+			// https://github.com/openssl/openssl/blob/706457b7bda7fdbab426b8dce83b318908339da4/crypto/evp/e_chacha20_poly1305.c#L94-L104.
+
+			s.overflow = true
 		}
 
 		// pad to 64 bytes if needed

vendor/github.com/Psiphon-Labs/quic-go/internal/handshake/header_protector.go

@@ -5,7 +5,7 @@ import (
 	"crypto/cipher"
 	"fmt"
 
-	"github.com/marten-seemann/chacha20"
+	"github.com/Psiphon-Labs/chacha20"
 	"github.com/marten-seemann/qtls"
 )
 

vendor/vendor.json

@@ -20,6 +20,18 @@
 			"revision": "94750aa2185e6ee4217105064949acace0156564",
 			"revisionTime": "2019-07-31T17:17:12Z"
 		},
+		{
+			"checksumSHA1": "C5OwxfDa6nvLoxP3WBaCp7ufW60=",
+			"path": "github.com/Psiphon-Labs/chacha20",
+			"revision": "899a4be528633ecf678f45e4f6b177d0f89b9e7c",
+			"revisionTime": "2020-01-28T19:13:10Z"
+		},
+		{
+			"checksumSHA1": "zNTA9RmD/BcIWRfZWF/DIhULpK0=",
+			"path": "github.com/Psiphon-Labs/chacha20/internal/subtle",
+			"revision": "899a4be528633ecf678f45e4f6b177d0f89b9e7c",
+			"revisionTime": "2020-01-28T19:13:10Z"
+		},
 		{
 			"checksumSHA1": "d3DwsdacdFn1/KCG/2uPV1PwR3s=",
 			"path": "github.com/Psiphon-Labs/dns",
@@ -65,8 +77,8 @@
 		{
 			"checksumSHA1": "8MdwAjQlha5clFXwY1ayF4vNGAQ=",
 			"path": "github.com/Psiphon-Labs/quic-go",
-			"revision": "abf539ac596a6017b6eb8904f7342da8daab8df1",
-			"revisionTime": "2020-01-16T02:28:06Z"
+			"revision": "738e15bfe6c3d7a0ccc91e2f237e5554ab6a35a6",
+			"revisionTime": "2020-01-28T19:39:28Z"
 		},
 		{
 			"checksumSHA1": "VMJLFpeoJ56PTQxR0wEkkiQTr1s=",
@@ -340,22 +352,6 @@
 			"revision": "ae77be60afb1dcacde03767a8c37337fad28ac14",
 			"revisionTime": "2017-05-10T13:15:34Z"
 		},
-		{
-			"checksumSHA1": "j4eMhpVKh7QbPBE/vZL+VxQwJT0=",
-			"path": "github.com/marten-seemann/chacha20",
-			"revision": "36564989294fee5f3957d3e3fbfc655e10786ec0",
-			"revisionTime": "2019-09-06T10:21:14Z",
-			"version": "v0.2.0",
-			"versionExact": "v0.2.0"
-		},
-		{
-			"checksumSHA1": "xJ/ZPgaoP3Gd5ETWGhqufsqptuw=",
-			"path": "github.com/marten-seemann/chacha20/internal/subtle",
-			"revision": "36564989294fee5f3957d3e3fbfc655e10786ec0",
-			"revisionTime": "2019-09-06T10:21:14Z",
-			"version": "v0.2.0",
-			"versionExact": "v0.2.0"
-		},
 		{
 			"checksumSHA1": "Urc++6mqm/jcr3SSL/MMN5v7Owk=",
 			"path": "github.com/marten-seemann/qpack",