Chaos Protection v2
This CL adds support for multi-packet chaos protection. While the first version of Chaos Protection would scramble the ClientHello if it fit in a CRYPTO frame in a single packet, the emergence of post-quantum cryptography has now caused the ClientHello to span multiple packets. Chaos Protection v2 now scrambles the ClientHello across packets, such that it is now required to parse all of them in order to extract information such as the SNI.
This CL also removes automatic flushing of initial crypto packets in the packet creator. This is safe because all callers of those functions are already guaranteed to hold a ScopedPacketFlusher.
Note that --quic_enable_new_chaos_protector is still marked as enabled_blocked_by so it is safe to add new functionality behind it.
Protected by FLAGS_quic_enable_new_chaos_protector.
PiperOrigin-RevId: 702456667
diff --git a/quiche/quic/core/quic_connection_test.cc b/quiche/quic/core/quic_connection_test.cc
index 68f8594..da3e87d 100644
--- a/quiche/quic/core/quic_connection_test.cc
+++ b/quiche/quic/core/quic_connection_test.cc
@@ -341,18 +341,23 @@
// split needlessly across packet boundaries). As a result, we have separate
// tests for some cases for this stream.
QuicConsumedData SendCryptoStreamData() {
+ return SendCryptoStreamDataAtLevel(ENCRYPTION_INITIAL);
+ }
+
+ QuicConsumedData SendCryptoStreamDataAtLevel(
+ EncryptionLevel encryption_level) {
QuicStreamOffset offset = 0;
absl::string_view data("chlo");
if (!QuicVersionUsesCryptoFrames(transport_version())) {
return SendCryptoDataWithString(data, offset);
}
- producer_.SaveCryptoData(ENCRYPTION_INITIAL, offset, data);
+ producer_.SaveCryptoData(encryption_level, offset, data);
size_t bytes_written;
if (notifier_) {
bytes_written =
- notifier_->WriteCryptoData(ENCRYPTION_INITIAL, data.length(), offset);
+ notifier_->WriteCryptoData(encryption_level, data.length(), offset);
} else {
- bytes_written = QuicConnection::SendCryptoData(ENCRYPTION_INITIAL,
+ bytes_written = QuicConnection::SendCryptoData(encryption_level,
data.length(), offset);
}
return QuicConsumedData(bytes_written, /*fin_consumed*/ false);
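Review bot: The new `encryption_level` parameter is silently ignored on the non-CRYPTO-frame path at the top of `SendCryptoStreamDataAtLevel`, where `SendCryptoDataWithString(data, offset)` is still called with no level; a caller passing a non-INITIAL level for such a version gets different behaviour from the CRYPTO-frame branch without any signal. Since the only new caller in this CL sets the default level first, this is presumably harmless today, but it should at least be documented: `// Versions without CRYPTO frames ignore encryption_level and send at the connection's current default level.` The helper also has no header comment; a one-liner such as `// Sends the "chlo" crypto payload at offset 0 at the given encryption level, via the notifier when one is installed.` would cover it. The function's closing brace is outside the hunk.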
@@ -4009,7 +4014,7 @@
connection_.SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(2);
QuicConnection::ScopedPacketFlusher flusher(&connection_);
- connection_.SendCryptoStreamData();
+ connection_.SendCryptoStreamDataAtLevel(ENCRYPTION_FORWARD_SECURE);
connection_.SendStreamData3();
}
EXPECT_EQ(0u, connection_.NumQueuedPackets());
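Review bot: The switch to `SendCryptoStreamDataAtLevel(ENCRYPTION_FORWARD_SECURE)` carries no comment explaining why the crypto data now has to be sent at the same level the test set as default two lines earlier, so a later reader will not know whether INITIAL is merely no longer exercised or would now fail. If, as the description suggests, the reason is that INITIAL crypto packets are no longer flushed automatically and the test relies on the ScopedPacketFlusher alone, say so: `// Send crypto at the default level: INITIAL crypto packets are no longer auto-flushed, so only the scoped flusher would emit them.` This is inferred from the commit description rather than from the visible lines, so please confirm the wording. The enclosing TEST_P starts outside the hunk.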
@@ -17751,7 +17756,6 @@
}
}
-
TEST_P(QuicConnectionTest, EcnValidationDisabled) {
QuicConnectionPeer::DisableEcnCodepointValidation(&connection_);
for (QuicEcnCodepoint ecn : {ECN_NOT_ECT, ECN_ECT0, ECN_ECT1, ECN_CE}) {