Google Git
Sign in
quiche/quiche.git/72ae18c47b16f04846c080ee1467f55555cffacc^!/.
commit
72ae18c47b16f04846c080ee1467f55555cffacc
[log]
author
QUICHE team <quiche-dev@google.com>
Mon Dec 04 14:07:50 2023 -0800
committer
Copybara-Service <copybara-worker@google.com>
Mon Dec 04 14:09:22 2023 -0800
tree
d0c4ddfc46e3f5ae7f637928ab48168e70b2eeb1
parent
a8631ca60e7cb3153a3e84510feebbc4b5441864 [diff]
No public description

PiperOrigin-RevId: 587835279

diff --git a/quiche/quic/core/crypto/quic_crypto_client_config.h b/quiche/quic/core/crypto/quic_crypto_client_config.h
index 35433f3..e0cc26c 100644
--- a/quiche/quic/core/crypto/quic_crypto_client_config.h
+++ b/quiche/quic/core/crypto/quic_crypto_client_config.h

@@ -403,6 +403,13 @@
   bool pad_full_hello() const { return pad_full_hello_; }
   void set_pad_full_hello(bool new_value) { pad_full_hello_ = new_value; }
 
+#if BORINGSSL_API_VERSION >= 27
+  bool alps_use_new_codepoint() const { return alps_use_new_codepoint_; }
+  void set_alps_use_new_codepoint(bool new_value) {
+    alps_use_new_codepoint_ = new_value;
+  }
+#endif  // BORINGSSL_API_VERSION
+
  private:
   // Sets the members to reasonable, default values.
   void SetDefaults();
@@ -474,6 +481,11 @@
   // other means of verifying the client.
   bool pad_inchoate_hello_ = true;
   bool pad_full_hello_ = true;
+
+#if BORINGSSL_API_VERSION >= 27
+  // Set whether ALPS uses the new codepoint or not.
+  bool alps_use_new_codepoint_ = false;
+#endif  // BORINGSSL_API_VERSION
 };
 
 }  // namespace quic

diff --git a/quiche/quic/core/quic_flags_list.h b/quiche/quic/core/quic_flags_list.h
index b5537c3..dc53509 100644
--- a/quiche/quic/core/quic_flags_list.h
+++ b/quiche/quic/core/quic_flags_list.h

@@ -45,6 +45,8 @@
 QUIC_FLAG(quic_reloadable_flag_quic_can_send_ack_frequency, true)
 // If true, allow client to enable BBRv2 on server via connection option \'B2ON\'.
 QUIC_FLAG(quic_reloadable_flag_quic_allow_client_enabled_bbr_v2, true)
+// If true, allow quic to use new ALPS codepoint to negotiate during handshake for H3 if client sends new ALPS codepoint.
+QUIC_FLAG(quic_reloadable_flag_quic_gfe_allow_alps_new_codepoint, false)
 // If true, always bundle qpack decoder data with other frames opportunistically.
 QUIC_FLAG(quic_restart_flag_quic_opport_bundle_qpack_decoder_data2, false)
 // If true, an endpoint does not detect path degrading or blackholing until handshake gets confirmed.

diff --git a/quiche/quic/core/tls_client_handshaker.cc b/quiche/quic/core/tls_client_handshaker.cc
index 244fbbb..30831e7 100644
--- a/quiche/quic/core/tls_client_handshaker.cc
+++ b/quiche/quic/core/tls_client_handshaker.cc

@@ -58,6 +58,12 @@
                        crypto_config->preferred_groups().size());
   }
 #endif  // BORINGSSL_API_VERSION
+
+#if BORINGSSL_API_VERSION >= 27
+  // Make sure we use the right ALPS codepoint.
+  SSL_set_alps_use_new_codepoint(ssl(),
+                                 crypto_config->alps_use_new_codepoint());
+#endif  // BORINGSSL_API_VERSION
 }
 
 TlsClientHandshaker::~TlsClientHandshaker() {}

diff --git a/quiche/quic/core/tls_client_handshaker_test.cc b/quiche/quic/core/tls_client_handshaker_test.cc
index 8b2ea68..35c0328 100644
--- a/quiche/quic/core/tls_client_handshaker_test.cc
+++ b/quiche/quic/core/tls_client_handshaker_test.cc

@@ -878,6 +878,41 @@
 }
 #endif  // BORINGSSL_API_VERSION
 
+#if BORINGSSL_API_VERSION >= 27
+TEST_P(TlsClientHandshakerTest, EnableClientAlpsUseNewCodepoint) {
+  // The intent of this test is to demonstrate no matter whether server
+  // allows the new ALPS codepoint or not, the handshake should complete
+  // successfully.
+  for (bool server_allow_alps_new_codepoint : {true, false}) {
+    SCOPED_TRACE(absl::StrCat("Test allows alps new codepoint:",
+                              server_allow_alps_new_codepoint));
+    crypto_config_->set_alps_use_new_codepoint(true);
+    absl::SetFlag(&FLAGS_gfe2_reloadable_flag_quic_gfe_allow_alps_new_codepoint,
+                  server_allow_alps_new_codepoint);
+    CreateConnection();
+
+    // Add a DoS callback on the server, to test that the client sent the new
+    // ALPS codepoint.
+    static bool callback_ran;
+    callback_ran = false;
+    SSL_CTX_set_dos_protection_cb(
+        server_crypto_config_->ssl_ctx(),
+        [](const SSL_CLIENT_HELLO* client_hello) -> int {
+          const uint8_t* data;
+          size_t len;
+          EXPECT_TRUE(SSL_early_callback_ctx_extension_get(
+              client_hello, TLSEXT_TYPE_application_settings, &data, &len));
+          callback_ran = true;
+          return 1;
+        });
+
+    CompleteCryptoHandshake();
+    EXPECT_EQ(PROTOCOL_TLS1_3, stream()->handshake_protocol());
+    EXPECT_TRUE(callback_ran);
+  }
+}
+#endif  // BORINGSSL_API_VERSION
+
 }  // namespace
 }  // namespace test
 }  // namespace quic

diff --git a/quiche/quic/core/tls_server_handshaker.cc b/quiche/quic/core/tls_server_handshaker.cc
index 8173a5a..d141f1a 100644
--- a/quiche/quic/core/tls_server_handshaker.cc
+++ b/quiche/quic/core/tls_server_handshaker.cc

@@ -603,6 +603,17 @@
   return {};
 }
 
+bool TlsServerHandshaker::UseAlpsNewCodepoint() const {
+  if (!select_cert_status_.has_value()) {
+    QUIC_BUG(quic_tls_check_alps_new_codepoint_too_early)
+        << "UseAlpsNewCodepoint must be called after "
+           "EarlySelectCertCallback is started";
+    return false;
+  }
+
+  return alps_new_codepoint_received_;
+}
+
 void TlsServerHandshaker::FinishHandshake() {
   QUICHE_DCHECK(!SSL_in_early_data(ssl()));
 
@@ -883,6 +894,24 @@
     early_data_attempted_ = SSL_early_callback_ctx_extension_get(
         client_hello, TLSEXT_TYPE_early_data, &unused_extension_bytes,
         &unused_extension_len);
+
+#if BORINGSSL_API_VERSION >= 27
+    if (GetQuicReloadableFlag(quic_gfe_allow_alps_new_codepoint)) {
+      QUIC_RELOADABLE_FLAG_COUNT(quic_gfe_allow_alps_new_codepoint);
+
+      alps_new_codepoint_received_ = SSL_early_callback_ctx_extension_get(
+          client_hello, TLSEXT_TYPE_application_settings,
+          &unused_extension_bytes, &unused_extension_len);
+      // Make sure we use the right ALPS codepoint.
+      int use_alps_new_codepoint = 0;
+      if (alps_new_codepoint_received_) {
+        QUIC_CODE_COUNT(quic_gfe_alps_use_new_codepoint);
+        use_alps_new_codepoint = 1;
+      }
+      QUIC_DLOG(INFO) << "ALPS use new codepoint: " << use_alps_new_codepoint;
+      SSL_set_alps_use_new_codepoint(ssl(), use_alps_new_codepoint);
+    }
+#endif  // BORINGSSL_API_VERSION
   }
 
   // This callback is called very early by Boring SSL, most of the SSL_get_foo

diff --git a/quiche/quic/core/tls_server_handshaker.h b/quiche/quic/core/tls_server_handshaker.h
index 682c9f8..5f571ed 100644
--- a/quiche/quic/core/tls_server_handshaker.h
+++ b/quiche/quic/core/tls_server_handshaker.h

@@ -98,6 +98,10 @@
   virtual std::string GetAcceptChValueForHostname(
       const std::string& hostname) const;
 
+  // Returns whether server uses new ALPS codepoint to negotiate application
+  // settings. If client sends new ALPS codepoint in ClientHello, return true.
+  bool UseAlpsNewCodepoint() const;
+
   // Get the ClientCertMode that is currently in effect on this handshaker.
   ClientCertMode client_cert_mode() const {
     return tls_connection_.ssl_config().client_cert_mode;
@@ -345,6 +349,9 @@
   // Force SessionTicketOpen to return ssl_ticket_aead_ignore_ticket if called.
   bool ignore_ticket_open_ = false;
 
+  // True if new ALPS codepoint in the ClientHello.
+  bool alps_new_codepoint_received_ = false;
+
   // nullopt means select cert hasn't started.
   std::optional<QuicAsyncStatus> select_cert_status_;
 

diff --git a/quiche/quic/core/tls_server_handshaker_test.cc b/quiche/quic/core/tls_server_handshaker_test.cc
index 39a34a5..9e4eb9d 100644
--- a/quiche/quic/core/tls_server_handshaker_test.cc
+++ b/quiche/quic/core/tls_server_handshaker_test.cc

@@ -1181,6 +1181,48 @@
 }
 #endif  // BORINGSSL_API_VERSION
 
+#if BORINGSSL_API_VERSION >= 27
+TEST_P(TlsServerHandshakerTest, AlpsUseNewCodepoint) {
+  const struct {
+    bool client_use_alps_new_codepoint;
+    bool server_allow_alps_new_codepoint;
+  } tests[] = {
+      // The intent of this test is to demonstrate different combinations of
+      // ALPS codepoint settings works well for both client and server.
+      {true, true},
+      {false, true},
+      {false, false},
+      {true, true},
+  };
+  for (size_t i = 0; i < arraysize(tests); i++) {
+    SCOPED_TRACE(absl::StrCat("Test #", i));
+    const auto& test = tests[i];
+    client_crypto_config_->set_alps_use_new_codepoint(
+        test.client_use_alps_new_codepoint);
+    absl::SetFlag(&FLAGS_gfe2_reloadable_flag_quic_gfe_allow_alps_new_codepoint,
+                  test.server_allow_alps_new_codepoint);
+
+    ASSERT_TRUE(SetupClientCert());
+    InitializeFakeClient();
+
+    InitializeServerWithFakeProofSourceHandle();
+    server_handshaker_->SetupProofSourceHandle(
+        /*select_cert_action=*/FakeProofSourceHandle::Action::DELEGATE_SYNC,
+        /*compute_signature_action=*/FakeProofSourceHandle::Action::
+            DELEGATE_SYNC);
+
+    // Start handshake.
+    AdvanceHandshakeWithFakeClient();
+    EXPECT_EQ(test.client_use_alps_new_codepoint,
+              server_handshaker_->UseAlpsNewCodepoint());
+
+    CompleteCryptoHandshake();
+    ExpectHandshakeSuccessful();
+    EXPECT_EQ(PROTOCOL_TLS1_3, server_stream()->handshake_protocol());
+  }
+}
+#endif  // BORINGSSL_API_VERSION
+
 }  // namespace
 }  // namespace test
 }  // namespace quic