2e0118d1a6
## Description This PR continues the refactoring of `netx` under the following principles: 1. do not break the rest of the tree and do not engage in extensive tree-wide refactoring yet 2. move under `netxlite` clearly related subpackages (e.g., `iox`, `netxmocks`) 3. move into `internal/netxlite/internal` stuff that is clearly private of `netxlite` 4. hide implementation details in `netxlite` pending new factories 5. refactor `tls` code in `netxlite` to clearly separate `crypto/tls` code from `utls` code After each commit, I run `go test -short -race ./...` locally. Each individual commit explains what it does. I will squash, but this operation will preserve the original commit titles, so this will give further insight on each step. ## Commits * refactor: rename netxmocks -> netxlite/mocks Part of https://github.com/ooni/probe/issues/1591 * refactor: rename quicx -> netxlite/quicx See https://github.com/ooni/probe/issues/1591 * refactor: rename iox -> netxlite/iox Regenerate sources and make sure the tests pass. See https://github.com/ooni/probe/issues/1591. * refactor(iox): move MockableReader to netxlite/mocks See https://github.com/ooni/probe/issues/1591 * refactor(netxlite): generator is an implementation detail See https://github.com/ooni/probe/issues/1591 * refactor(netxlite): separate tls and utls code See https://github.com/ooni/probe/issues/1591 * refactor(netxlite): hide most types but keep old names as legacy With this change we avoid breaking the rest of the tree, but we start hiding some implementation details a bit. Factories will follow. See https://github.com/ooni/probe/issues/1591
182 lines
5.6 KiB
Go
182 lines
5.6 KiB
Go
package errorsx
|
|
|
|
import (
|
|
"context"
|
|
"crypto/tls"
|
|
"errors"
|
|
"net"
|
|
|
|
"github.com/lucas-clemente/quic-go"
|
|
"github.com/ooni/probe-cli/v3/internal/netxlite/quicx"
|
|
)
|
|
|
|
// QUICContextDialer is a dialer for QUIC using Context.
|
|
type QUICContextDialer interface {
|
|
// DialContext establishes a new QUIC session using the given
|
|
// network and address. The tlsConfig and the quicConfig arguments
|
|
// MUST NOT be nil. Returns either the session or an error.
|
|
DialContext(ctx context.Context, network, address string,
|
|
tlsConfig *tls.Config, quicConfig *quic.Config) (quic.EarlySession, error)
|
|
}
|
|
|
|
// QUICListener listens for QUIC connections.
|
|
type QUICListener interface {
|
|
// Listen creates a new listening UDPConn.
|
|
Listen(addr *net.UDPAddr) (quicx.UDPLikeConn, error)
|
|
}
|
|
|
|
// ErrorWrapperQUICListener is a QUICListener that wraps errors.
|
|
type ErrorWrapperQUICListener struct {
|
|
// QUICListener is the underlying listener.
|
|
QUICListener QUICListener
|
|
}
|
|
|
|
var _ QUICListener = &ErrorWrapperQUICListener{}
|
|
|
|
// Listen implements QUICListener.Listen.
|
|
func (qls *ErrorWrapperQUICListener) Listen(addr *net.UDPAddr) (quicx.UDPLikeConn, error) {
|
|
pconn, err := qls.QUICListener.Listen(addr)
|
|
if err != nil {
|
|
return nil, SafeErrWrapperBuilder{
|
|
Error: err,
|
|
Operation: QUICListenOperation,
|
|
}.MaybeBuild()
|
|
}
|
|
return &errorWrapperUDPConn{pconn}, nil
|
|
}
|
|
|
|
// errorWrapperUDPConn is a quicx.UDPLikeConn that wraps errors.
|
|
type errorWrapperUDPConn struct {
|
|
// UDPLikeConn is the underlying conn.
|
|
quicx.UDPLikeConn
|
|
}
|
|
|
|
var _ quicx.UDPLikeConn = &errorWrapperUDPConn{}
|
|
|
|
// WriteTo implements quicx.UDPLikeConn.WriteTo.
|
|
func (c *errorWrapperUDPConn) WriteTo(p []byte, addr net.Addr) (int, error) {
|
|
count, err := c.UDPLikeConn.WriteTo(p, addr)
|
|
if err != nil {
|
|
return 0, SafeErrWrapperBuilder{
|
|
Error: err,
|
|
Operation: WriteToOperation,
|
|
}.MaybeBuild()
|
|
}
|
|
return count, nil
|
|
}
|
|
|
|
// ReadFrom implements quicx.UDPLikeConn.ReadFrom.
|
|
func (c *errorWrapperUDPConn) ReadFrom(b []byte) (int, net.Addr, error) {
|
|
n, addr, err := c.UDPLikeConn.ReadFrom(b)
|
|
if err != nil {
|
|
return 0, nil, SafeErrWrapperBuilder{
|
|
Error: err,
|
|
Operation: ReadFromOperation,
|
|
}.MaybeBuild()
|
|
}
|
|
return n, addr, nil
|
|
}
|
|
|
|
// ErrorWrapperQUICDialer is a dialer that performs quic err wrapping
|
|
type ErrorWrapperQUICDialer struct {
|
|
Dialer QUICContextDialer
|
|
}
|
|
|
|
// DialContext implements ContextDialer.DialContext
|
|
func (d *ErrorWrapperQUICDialer) DialContext(
|
|
ctx context.Context, network string, host string,
|
|
tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlySession, error) {
|
|
sess, err := d.Dialer.DialContext(ctx, network, host, tlsCfg, cfg)
|
|
err = SafeErrWrapperBuilder{
|
|
Classifier: classifyQUICFailure,
|
|
Error: err,
|
|
Operation: QUICHandshakeOperation,
|
|
}.MaybeBuild()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return sess, nil
|
|
}
|
|
|
|
// classifyQUICFailure is a classifier to translate QUIC errors to OONI error strings.
|
|
func classifyQUICFailure(err error) string {
|
|
var versionNegotiation *quic.VersionNegotiationError
|
|
var statelessReset *quic.StatelessResetError
|
|
var handshakeTimeout *quic.HandshakeTimeoutError
|
|
var idleTimeout *quic.IdleTimeoutError
|
|
var transportError *quic.TransportError
|
|
|
|
if errors.As(err, &versionNegotiation) {
|
|
return FailureNoCompatibleQUICVersion
|
|
}
|
|
if errors.As(err, &statelessReset) {
|
|
return FailureConnectionReset
|
|
}
|
|
if errors.As(err, &handshakeTimeout) {
|
|
return FailureGenericTimeoutError
|
|
}
|
|
if errors.As(err, &idleTimeout) {
|
|
return FailureGenericTimeoutError
|
|
}
|
|
if errors.As(err, &transportError) {
|
|
if transportError.ErrorCode == quic.ConnectionRefused {
|
|
return FailureConnectionRefused
|
|
}
|
|
// the TLS Alert constants are taken from RFC8446
|
|
errCode := uint8(transportError.ErrorCode)
|
|
if quicIsCertificateError(errCode) {
|
|
return FailureSSLInvalidCertificate
|
|
}
|
|
// TLSAlertDecryptError and TLSAlertHandshakeFailure are summarized to a FailureSSLHandshake error because both
|
|
// alerts are caused by a failed or corrupted parameter negotiation during the TLS handshake.
|
|
if errCode == quicTLSAlertDecryptError || errCode == quicTLSAlertHandshakeFailure {
|
|
return FailureSSLHandshake
|
|
}
|
|
if errCode == quicTLSAlertUnknownCA {
|
|
return FailureSSLUnknownAuthority
|
|
}
|
|
if errCode == quicTLSUnrecognizedName {
|
|
return FailureSSLInvalidHostname
|
|
}
|
|
}
|
|
return toFailureString(err)
|
|
}
|
|
|
|
// TLS alert protocol as defined in RFC8446
|
|
const (
|
|
// Sender was unable to negotiate an acceptable set of security parameters given the options available.
|
|
quicTLSAlertHandshakeFailure = 40
|
|
|
|
// Certificate was corrupt, contained signatures that did not verify correctly, etc.
|
|
quicTLSAlertBadCertificate = 42
|
|
|
|
// Certificate was of an unsupported type.
|
|
quicTLSAlertUnsupportedCertificate = 43
|
|
|
|
// Certificate was revoked by its signer.
|
|
quicTLSAlertCertificateRevoked = 44
|
|
|
|
// Certificate has expired or is not currently valid.
|
|
quicTLSAlertCertificateExpired = 45
|
|
|
|
// Some unspecified issue arose in processing the certificate, rendering it unacceptable.
|
|
quicTLSAlertCertificateUnknown = 46
|
|
|
|
// Certificate was not accepted because the CA certificate could not be located or could not be matched with a known trust anchor.
|
|
quicTLSAlertUnknownCA = 48
|
|
|
|
// Handshake (not record layer) cryptographic operation failed.
|
|
quicTLSAlertDecryptError = 51
|
|
|
|
// Sent by servers when no server exists identified by the name provided by the client via the "server_name" extension.
|
|
quicTLSUnrecognizedName = 112
|
|
)
|
|
|
|
func quicIsCertificateError(alert uint8) bool {
|
|
return (alert == quicTLSAlertBadCertificate ||
|
|
alert == quicTLSAlertUnsupportedCertificate ||
|
|
alert == quicTLSAlertCertificateExpired ||
|
|
alert == quicTLSAlertCertificateRevoked ||
|
|
alert == quicTLSAlertCertificateUnknown)
|
|
}
|