[client,relay] Add QUIC support (#2962)

relay/tls/alpn.go

@@ -0,0 +1,3 @@
+package tls
+
+const nbalpn = "nb-quic"

relay/tls/client_dev.go

@@ -0,0 +1,12 @@
+//go:build devcert
+
+package tls
+
+import "crypto/tls"
+
+func ClientQUICTLSConfig() *tls.Config {
+	return &tls.Config{
+		InsecureSkipVerify: true,             // Debug mode allows insecure connections
+		NextProtos:         []string{nbalpn}, // Ensure this matches the server's ALPN
+	}
+}

relay/tls/client_prod.go

@@ -0,0 +1,11 @@
+//go:build !devcert
+
+package tls
+
+import "crypto/tls"
+
+func ClientQUICTLSConfig() *tls.Config {
+	return &tls.Config{
+		NextProtos: []string{nbalpn},
+	}
+}

relay/tls/doc.go

@@ -0,0 +1,36 @@
+// Package tls provides utilities for configuring and managing Transport Layer
+// Security (TLS) in server and client environments, with a focus on QUIC
+// protocol support and testing configurations.
+//
+// The package includes functions for cloning and customizing TLS
+// configurations as well as generating self-signed certificates for
+// development and testing purposes.
+//
+// Key Features:
+//
+//   - `ServerQUICTLSConfig`: Creates a server-side TLS configuration tailored
+//     for QUIC protocol with specified or default settings. QUIC requires a
+//     specific TLS configuration with proper ALPN (Application-Layer Protocol
+//     Negotiation) support, making the TLS settings crucial for establishing
+//     secure connections.
+//
+//   - `ClientQUICTLSConfig`: Provides a client-side TLS configuration suitable
+//     for QUIC protocol. The configuration differs between development
+//     (insecure testing) and production (strict verification).
+//
+//   - `generateTestTLSConfig`: Generates a self-signed TLS configuration for
+//     use in local development and testing scenarios.
+//
+// Usage:
+//
+// This package provides separate implementations for development and production
+// environments. The development implementation (guarded by `//go:build devcert`)
+// supports testing configurations with self-signed certificates and insecure
+// client connections. The production implementation (guarded by `//go:build
+// !devcert`) ensures that valid and secure TLS configurations are supplied
+// and used.
+//
+// The QUIC protocol is highly reliant on properly configured TLS settings,
+// and this package ensures that configurations meet the requirements for
+// secure and efficient QUIC communication.
+package tls

relay/tls/server_dev.go

@@ -0,0 +1,79 @@
+//go:build devcert
+
+package tls
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"net"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+func ServerQUICTLSConfig(originTLSCfg *tls.Config) (*tls.Config, error) {
+	if originTLSCfg == nil {
+		log.Warnf("QUIC server will use self signed certificate for testing!")
+		return generateTestTLSConfig()
+	}
+
+	cfg := originTLSCfg.Clone()
+	cfg.NextProtos = []string{nbalpn}
+	return cfg, nil
+}
+
+// GenerateTestTLSConfig creates a self-signed certificate for testing
+func generateTestTLSConfig() (*tls.Config, error) {
+	log.Infof("generating test TLS config")
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, err
+	}
+
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			Organization: []string{"Test Organization"},
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(time.Hour * 24 * 180), // Valid for 180 days
+		KeyUsage:  x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageServerAuth,
+		},
+		BasicConstraintsValid: true,
+		DNSNames:              []string{"localhost"},
+		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
+	}
+
+	// Create certificate
+	certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, &privateKey.PublicKey, privateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	certPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: certDER,
+	})
+
+	privateKeyPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(privateKey),
+	})
+
+	tlsCert, err := tls.X509KeyPair(certPEM, privateKeyPEM)
+	if err != nil {
+		return nil, err
+	}
+
+	return &tls.Config{
+		Certificates: []tls.Certificate{tlsCert},
+		NextProtos:   []string{nbalpn},
+	}, nil
+}

relay/tls/server_prod.go

@@ -0,0 +1,17 @@
+//go:build !devcert
+
+package tls
+
+import (
+	"crypto/tls"
+	"fmt"
+)
+
+func ServerQUICTLSConfig(originTLSCfg *tls.Config) (*tls.Config, error) {
+	if originTLSCfg == nil {
+		return nil, fmt.Errorf("valid TLS config is required for QUIC listener")
+	}
+	cfg := originTLSCfg.Clone()
+	cfg.NextProtos = []string{nbalpn}
+	return cfg, nil
+}