gfe-relnote: Expose properties of TLS connection in quic::CryptoNegotiatedParameters. Protected by quic_supports_tls_handshake. These fields are needed in chromium for QuicChromiumClientSession::GetSSLInfo. PiperOrigin-RevId: 273780806 Change-Id: I4e93da07cae8c613c8f24bee1824dd14ca7199e6
diff --git a/quic/core/crypto/crypto_handshake.h b/quic/core/crypto/crypto_handshake.h
index ecf81d8..040fe9e 100644
--- a/quic/core/crypto/crypto_handshake.h
+++ b/quic/core/crypto/crypto_handshake.h
@@ -147,6 +147,12 @@
   // by sending CSCT tag with an empty value in client hello.
   bool sct_supported_by_client;
 
+  // Parameters only populated for TLS handshakes. These will be 0 for
+  // connections not using TLS, or if the TLS handshake is not finished yet.
+  uint16_t cipher_suite = 0;
+  uint16_t key_exchange_group = 0;
+  uint16_t peer_signature_algorithm = 0;
+
  protected:
   ~QuicCryptoNegotiatedParameters() override;
 };
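Review bot: The new field comment says the values are 0 only for non-TLS connections or an unfinished handshake, but `peer_signature_algorithm` is also 0 on a completed TLS handshake in which the peer sent no signature — a resumed session on the client, and the server side whenever no client certificate is requested, which the test added in tls_handshaker_test.cc already asserts. Consumers such as GetSSLInfo should therefore not read a zero here as "handshake not finished"; suggest extending the comment with `// peer_signature_algorithm is also 0 when the peer did not sign the handshake (e.g. a resumed session, or a server that requested no client certificate).` It would also help to say these are the TLS wire (IANA) values as returned by BoringSSL, since 0x0000 is itself an assigned, never-negotiated cipher suite id rather than a reserved sentinel.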
diff --git a/quic/core/tls_client_handshaker.cc b/quic/core/tls_client_handshaker.cc
index 88fea66..674cf2c 100644
--- a/quic/core/tls_client_handshaker.cc
+++ b/quic/core/tls_client_handshaker.cc
@@ -328,6 +328,16 @@
   handshake_confirmed_ = true;
   session()->OnCryptoHandshakeEvent(QuicSession::ENCRYPTION_ESTABLISHED);
   session()->OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED);
+
+  // Fill crypto_negotiated_params_:
+  const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl());
+  if (cipher) {
+    crypto_negotiated_params_->cipher_suite = SSL_CIPHER_get_value(cipher);
+  }
+  crypto_negotiated_params_->key_exchange_group = SSL_get_curve_id(ssl());
+  crypto_negotiated_params_->peer_signature_algorithm =
+      SSL_get_peer_signature_algorithm(ssl());
+
   session()->connection()->OnHandshakeComplete();
 }
 
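Review bot: The negotiated parameters are filled in only after the two `OnCryptoHandshakeEvent` calls above have already been dispatched, so a session that reads `crypto_negotiated_params()` from its HANDSHAKE_CONFIRMED handler — the GetSSLInfo use case named in the description — would still observe the zero defaults; moving the fill block ahead of those calls closes that window. The server side in tls_server_handshaker.cc has the same ordering. The cipher and group extraction is otherwise duplicated verbatim between the two handshakers, so a small shared helper (e.g. `FillNegotiatedParams()`, wherever both can reach `crypto_negotiated_params_`) would keep them in step. Note also that `SSL_get_curve_id` and `SSL_get_peer_signature_algorithm` legitimately return 0 when not applicable (no ECDHE group, no peer signature), so a zero cannot be used downstream to tell "not yet filled" from "not applicable". The enclosing function starts before this hunk.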
diff --git a/quic/core/tls_handshaker_test.cc b/quic/core/tls_handshaker_test.cc
index 1d34321..1d3f8f3 100644
--- a/quic/core/tls_handshaker_test.cc
+++ b/quic/core/tls_handshaker_test.cc
@@ -329,6 +329,34 @@
     });
   }
 
+  void ExpectHandshakeSuccessful() {
+    EXPECT_TRUE(client_stream_->handshake_confirmed());
+    EXPECT_TRUE(client_stream_->encryption_established());
+    EXPECT_TRUE(server_stream_->handshake_confirmed());
+    EXPECT_TRUE(server_stream_->encryption_established());
+    EXPECT_TRUE(client_conn_->IsHandshakeConfirmed());
+    EXPECT_TRUE(server_conn_->IsHandshakeConfirmed());
+
+    const auto& client_crypto_params =
+        client_stream_->crypto_negotiated_params();
+    const auto& server_crypto_params =
+        server_stream_->crypto_negotiated_params();
+    // The TLS params should be filled in on the client.
+    EXPECT_NE(0, client_crypto_params.cipher_suite);
+    EXPECT_NE(0, client_crypto_params.key_exchange_group);
+    EXPECT_NE(0, client_crypto_params.peer_signature_algorithm);
+
+    // The cipher suite and key exchange group should match on the client and
+    // server.
+    EXPECT_EQ(client_crypto_params.cipher_suite,
+              server_crypto_params.cipher_suite);
+    EXPECT_EQ(client_crypto_params.key_exchange_group,
+              server_crypto_params.key_exchange_group);
+    // We don't support client certs on the server (yet), so the server
+    // shouldn't have a peer signature algorithm to report.
+    EXPECT_EQ(0, server_crypto_params.peer_signature_algorithm);
+  }
+
   MockQuicConnectionHelper conn_helper_;
   MockAlarmFactory alarm_factory_;
   MockQuicConnection* client_conn_;
@@ -357,12 +385,7 @@
   client_stream_->CryptoConnect();
   ExchangeHandshakeMessages(client_stream_, server_stream_);
 
-  EXPECT_TRUE(client_stream_->handshake_confirmed());
-  EXPECT_TRUE(client_stream_->encryption_established());
-  EXPECT_TRUE(server_stream_->handshake_confirmed());
-  EXPECT_TRUE(server_stream_->encryption_established());
-  EXPECT_TRUE(client_conn_->IsHandshakeConfirmed());
-  EXPECT_FALSE(server_conn_->IsHandshakeConfirmed());
+  ExpectHandshakeSuccessful();
 }
 
 TEST_F(TlsHandshakerTest, HandshakeWithAsyncProofSource) {
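Review bot: `ExpectHandshakeSuccessful` asserts `EXPECT_TRUE(server_conn_->IsHandshakeConfirmed())`, whereas the two call sites it replaces in this file (the hunks at -357 and -566) asserted `EXPECT_FALSE` for the server connection, and nothing visible in this commit changes when the server connection is marked confirmed — the server's `OnHandshakeComplete()` call is pre-existing context in tls_server_handshaker.cc. If the old expectation was simply stale, a one-line comment in the helper saying why the server connection is expected to be confirmed would save the next reader from hunting for a behavioural change that is not in the diff; if it was not stale, the flip deserves a sentence in the description. The `EXPECT_NE(0, client_crypto_params.peer_signature_algorithm)` check also hard-codes a full (non-resumed) handshake, which holds for these tests but would make the helper unusable for any resumption test later added to this fixture.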
@@ -382,10 +405,7 @@
 
   ExchangeHandshakeMessages(client_stream_, server_stream_);
 
-  EXPECT_TRUE(client_stream_->handshake_confirmed());
-  EXPECT_TRUE(client_stream_->encryption_established());
-  EXPECT_TRUE(server_stream_->handshake_confirmed());
-  EXPECT_TRUE(server_stream_->encryption_established());
+  ExpectHandshakeSuccessful();
 }
 
 TEST_F(TlsHandshakerTest, CancelPendingProofSource) {
@@ -425,10 +445,7 @@
 
   ExchangeHandshakeMessages(client_stream_, server_stream_);
 
-  EXPECT_TRUE(client_stream_->handshake_confirmed());
-  EXPECT_TRUE(client_stream_->encryption_established());
-  EXPECT_TRUE(server_stream_->handshake_confirmed());
-  EXPECT_TRUE(server_stream_->encryption_established());
+  ExpectHandshakeSuccessful();
 }
 
 TEST_F(TlsHandshakerTest, ClientConnectionClosedOnTlsError) {
@@ -566,12 +583,7 @@
   client_stream_->CryptoConnect();
   ExchangeHandshakeMessages(client_stream_, server_stream_);
 
-  EXPECT_TRUE(client_stream_->handshake_confirmed());
-  EXPECT_TRUE(client_stream_->encryption_established());
-  EXPECT_TRUE(server_stream_->handshake_confirmed());
-  EXPECT_TRUE(server_stream_->encryption_established());
-  EXPECT_TRUE(client_conn_->IsHandshakeConfirmed());
-  EXPECT_FALSE(server_conn_->IsHandshakeConfirmed());
+  ExpectHandshakeSuccessful();
 }
 
 }  // namespace
diff --git a/quic/core/tls_server_handshaker.cc b/quic/core/tls_server_handshaker.cc
index 0b4215d..eb697f1 100644
--- a/quic/core/tls_server_handshaker.cc
+++ b/quic/core/tls_server_handshaker.cc
@@ -263,6 +263,15 @@
   encryption_established_ = true;
   handshake_confirmed_ = true;
   session()->OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED);
+
+  // Fill crypto_negotiated_params_:
+  const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl());
+  if (cipher) {
+    crypto_negotiated_params_->cipher_suite = SSL_CIPHER_get_value(cipher);
+  }
+  crypto_negotiated_params_->key_exchange_group = SSL_get_curve_id(ssl());
+
+
   session()->connection()->OnHandshakeComplete();
 }
 ssl_private_key_result_t TlsServerHandshaker::PrivateKeySign(