Internal change
PiperOrigin-RevId: 395565188
diff --git a/quic/core/crypto/crypto_protocol.h b/quic/core/crypto/crypto_protocol.h
index d594f48..e45d73a 100644
--- a/quic/core/crypto/crypto_protocol.h
+++ b/quic/core/crypto/crypto_protocol.h
@@ -28,7 +28,8 @@
// The following tags have been deprecated and should not be reused:
// "1CON", "BBQ4", "NCON", "RCID", "SREJ", "TBKP", "TB10", "SCLS", "SMHL",
-// "QNZR", "B2HI", "H2PR", "FIFO", "LIFO", "RRWS", "QNSP", "B2CL"
+// "QNZR", "B2HI", "H2PR", "FIFO", "LIFO", "RRWS", "QNSP", "B2CL", "CHSP",
+// "BPTE"
// clang-format off
const QuicTag kCHLO = TAG('C', 'H', 'L', 'O'); // Client hello
@@ -340,8 +341,8 @@
const QuicTag kNSLC = TAG('N', 'S', 'L', 'C'); // Always send connection close
// for idle timeout.
-const QuicTag kCHSP = TAG('C', 'H', 'S', 'P'); // Chaos protection.
-const QuicTag kBPTE = TAG('B', 'P', 'T', 'E'); // BoringSSL Permutes
+const QuicTag kNCHP = TAG('N', 'C', 'H', 'P'); // No chaos protection.
+const QuicTag kNBPE = TAG('N', 'B', 'P', 'E'); // No BoringSSL Permutes
// TLS Extensions.
// Proof types (i.e. certificate types)
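Review bot: The comment on kNBPE, `// No BoringSSL Permutes`, is a fragment that does not say what is being permuted; `// Disable BoringSSL TLS extension permutation.` would match the wording used in the test names elsewhere in this change. Since the quic_packet_creator.cc and quic_session.h hunks make both features default-on, the kNCHP comment could likewise read `// Disable chaos protection (on by default for clients).` so a reader of the tag list learns the default without chasing the implementation.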
diff --git a/quic/core/http/end_to_end_test.cc b/quic/core/http/end_to_end_test.cc
index 0969bdf..c6c6780 100644
--- a/quic/core/http/end_to_end_test.cc
+++ b/quic/core/http/end_to_end_test.cc
@@ -5644,7 +5644,7 @@
std::vector<std::unique_ptr<QuicEncryptedPacket>> packets_;
};
-TEST_P(EndToEndTest, ChaosProtection) {
+TEST_P(EndToEndTest, ChaosProtectionDisabled) {
if (!version_.UsesCryptoFrames()) {
ASSERT_TRUE(Initialize());
return;
@@ -5653,8 +5653,8 @@
auto copying_writer = new CopyingPacketWriter(1);
delete client_writer_;
client_writer_ = copying_writer;
- // Enable chaos protection and perform an HTTP request.
- client_config_.SetClientConnectionOptions(QuicTagVector{kCHSP});
+ // Disable chaos protection and perform an HTTP request.
+ client_config_.SetClientConnectionOptions(QuicTagVector{kNCHP});
ASSERT_TRUE(Initialize());
SendSynchronousFooRequestAndCheckResponse();
// Parse the saved packet to make sure it's valid.
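Review bot: ChaosProtectionDisabled sets kNCHP but, within this hunk, asserts nothing about the resulting state; the only check described is the packet parse at the end, which would pass whether or not chaos protection was applied. DisablePermuteTlsExtensions in the next hunk pins its effect with `EXPECT_FALSE(GetClientSession()->permutes_tls_extensions())`; if an equivalent accessor for the packet creator's chaos_protection_enabled_ exists (none is visible here), the analogous `EXPECT_FALSE(...)` after `ASSERT_TRUE(Initialize());` would make this test fail when the option stops being honored. The test body starts in the previous hunk and continues past this one.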
@@ -5667,31 +5667,15 @@
// can inspect the contents of this packet.
}
-TEST_P(EndToEndTest, ChaosProtectionWithMultiPacketChlo) {
- if (!version_.UsesCryptoFrames()) {
- ASSERT_TRUE(Initialize());
- return;
- }
- // Enable chaos protection.
- client_config_.SetClientConnectionOptions(QuicTagVector{kCHSP});
- // Add a transport parameter to make the client hello span multiple packets.
- constexpr auto kCustomParameter =
- static_cast<TransportParameters::TransportParameterId>(0xff34);
- client_config_.custom_transport_parameters_to_send()[kCustomParameter] =
- std::string(2000, '?');
- ASSERT_TRUE(Initialize());
- SendSynchronousFooRequestAndCheckResponse();
-}
-
-TEST_P(EndToEndTest, PermuteTlsExtensions) {
+TEST_P(EndToEndTest, DisablePermuteTlsExtensions) {
if (!version_.UsesTls()) {
ASSERT_TRUE(Initialize());
return;
}
- // Enable TLS extension permutation and perform an HTTP request.
- client_config_.SetClientConnectionOptions(QuicTagVector{kBPTE});
+ // Disable TLS extension permutation and perform an HTTP request.
+ client_config_.SetClientConnectionOptions(QuicTagVector{kNBPE});
ASSERT_TRUE(Initialize());
- EXPECT_TRUE(GetClientSession()->permutes_tls_extensions());
+ EXPECT_FALSE(GetClientSession()->permutes_tls_extensions());
SendSynchronousFooRequestAndCheckResponse();
}
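Review bot: Deleting ChaosProtectionWithMultiPacketChlo drops the only visible end-to-end coverage of a client hello that spans several packets, and with chaos protection now on by default for clients (quic_packet_creator.cc hunk) that is exactly the path every default client takes. The test only needed the kCHSP line to opt in; keeping the body with `client_config_.SetClientConnectionOptions(QuicTagVector{kCHSP});` and its "Enable chaos protection." comment removed would retain the coverage under the new default, presumably under a name such as MultiPacketChlo. If the test was removed for a reason other than the retired tag, that reason is not visible in this diff.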
diff --git a/quic/core/quic_connection.cc b/quic/core/quic_connection.cc
index 57d16ec..4617e8c 100644
--- a/quic/core/quic_connection.cc
+++ b/quic/core/quic_connection.cc
@@ -523,8 +523,8 @@
} else {
SetNetworkTimeouts(config.max_time_before_crypto_handshake(),
config.max_idle_time_before_crypto_handshake());
- if (config.HasClientRequestedIndependentOption(kCHSP, perspective_)) {
- packet_creator_.set_chaos_protection_enabled(true);
+ if (config.HasClientRequestedIndependentOption(kNCHP, perspective_)) {
+ packet_creator_.set_chaos_protection_enabled(false);
}
}
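Review bot: The kNCHP opt-out is evaluated only inside this `else` branch; the matching `if` half is outside the hunk. Before this change the other branch simply left chaos protection at its old default of off, but the packet creator now defaults it to on for clients, so a client that takes the other branch appears to have no way to disable it. That asymmetry is worth confirming as intended, and if it is, a short comment on the `if` side naming why the opt-out is not needed there would stop the next reader from re-raising it. The enclosing function starts outside the hunk.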
diff --git a/quic/core/quic_packet_creator.cc b/quic/core/quic_packet_creator.cc
index 94cf48a..a9f16e0 100644
--- a/quic/core/quic_packet_creator.cc
+++ b/quic/core/quic_packet_creator.cc
@@ -109,8 +109,7 @@
delegate) {}
QuicPacketCreator::QuicPacketCreator(QuicConnectionId server_connection_id,
- QuicFramer* framer,
- QuicRandom* random,
+ QuicFramer* framer, QuicRandom* random,
DelegateInterface* delegate)
: delegate_(delegate),
debug_delegate_(nullptr),
@@ -123,11 +122,7 @@
packet_size_(0),
server_connection_id_(server_connection_id),
client_connection_id_(EmptyQuicConnectionId()),
- packet_(QuicPacketNumber(),
- PACKET_1BYTE_PACKET_NUMBER,
- nullptr,
- 0,
- false,
+ packet_(QuicPacketNumber(), PACKET_1BYTE_PACKET_NUMBER, nullptr, 0, false,
false),
pending_padding_bytes_(0),
needs_full_padding_(false),
@@ -136,7 +131,8 @@
fully_pad_crypto_handshake_packets_(true),
latched_hard_max_packet_length_(0),
max_datagram_frame_size_(0),
- chaos_protection_enabled_(false) {
+ chaos_protection_enabled_(framer->perspective() ==
+ Perspective::IS_CLIENT) {
SetMaxPacketLength(kDefaultMaxPacketSize);
if (!framer_->version().UsesTls()) {
// QUIC+TLS negotiates the maximum datagram frame size via the
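Review bot: The initializer now encodes the policy that chaos protection starts on for clients and off for servers, but nothing at this site says why the default is perspective-dependent or where it can be turned off. A comment above the initializer such as `// Chaos protection is on by default for clients and can be switched off with the kNCHP connection option; servers start with it off.` would carry that, and the member's declaration in the header (not in this diff) is the other natural place. Using the `framer` parameter rather than `framer_` here is the right choice, since it does not depend on member initialization order. The constructor body continues past the hunk.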
diff --git a/quic/core/quic_session.cc b/quic/core/quic_session.cc
index 1e07162..2912b3d 100644
--- a/quic/core/quic_session.cc
+++ b/quic/core/quic_session.cc
@@ -147,8 +147,8 @@
connection_->set_can_receive_ack_frequency_frame();
config_.SetMinAckDelayMs(kDefaultMinAckDelayTimeMs);
}
- if (config_.HasClientRequestedIndependentOption(kBPTE, perspective_)) {
- permutes_tls_extensions_ = true;
+ if (config_.HasClientRequestedIndependentOption(kNBPE, perspective_)) {
+ permutes_tls_extensions_ = false;
}
}
diff --git a/quic/core/quic_session.h b/quic/core/quic_session.h
index 76e4805..7fc0a80 100644
--- a/quic/core/quic_session.h
+++ b/quic/core/quic_session.h
@@ -958,7 +958,7 @@
bool liveness_testing_in_progress_;
// Whether BoringSSL randomizes the order of TLS extensions.
- bool permutes_tls_extensions_ = false;
+ bool permutes_tls_extensions_ = true;
const bool quic_tls_disable_resumption_refactor_ =
GetQuicReloadableFlag(quic_tls_disable_resumption_refactor);
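Review bot: The comment `// Whether BoringSSL randomizes the order of TLS extensions.` no longer describes the field's contract now that its default flipped to true; it should also say that the default is on and is cleared by the kNBPE connection option (quic_session.cc hunk). Unlike chaos_protection_enabled_ in quic_packet_creator.cc, which is keyed on Perspective::IS_CLIENT, this default is true for server sessions too, while the only consumer visible in this diff is tls_client_handshaker.cc; if the flag is meant to be client-only, saying so in the comment (or initializing it from the perspective) keeps the two features consistent. Suggested text: `// Whether BoringSSL randomizes the order of TLS extensions. On by default; the kNBPE connection option turns it off.`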
diff --git a/quic/core/tls_client_handshaker.cc b/quic/core/tls_client_handshaker.cc
index 737f449..4010590 100644
--- a/quic/core/tls_client_handshaker.cc
+++ b/quic/core/tls_client_handshaker.cc
@@ -74,13 +74,14 @@
// TODO(b/193650832) Add SetFromConfig to QUIC handshakers and remove reliance
// on session pointer.
- if (session()->permutes_tls_extensions()) {
- // Ask BoringSSL to randomize the order of TLS extensions.
-#if BORINGSSL_API_VERSION >= 16
- QUIC_DLOG(INFO) << "Enabling TLS extension permutation";
- SSL_set_permute_extensions(ssl(), true);
-#endif // BORINGSSL_API_VERSION
+ const bool permutes_tls_extensions = session()->permutes_tls_extensions();
+ if (!permutes_tls_extensions) {
+ QUIC_DLOG(INFO) << "Disabling TLS extension permutation";
}
+#if BORINGSSL_API_VERSION >= 16
+ // Ask BoringSSL to randomize the order of TLS extensions.
+ SSL_set_permute_extensions(ssl(), permutes_tls_extensions);
+#endif // BORINGSSL_API_VERSION
// Set the SNI to send, if any.
SSL_set_connect_state(ssl());
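Review bot: The `Disabling TLS extension permutation` log fires whenever kNBPE is set, but when BORINGSSL_API_VERSION < 16 the `SSL_set_permute_extensions` call is compiled out and permutation was never on, so the message then describes a no-op. Moving both the `const bool permutes_tls_extensions = ...` line and the `if (!permutes_tls_extensions)` block inside the `#if` keeps the log truthful and avoids an unused local on older BoringSSL. The comment above the call should also become `// Tell BoringSSL whether to randomize the order of TLS extensions.` since the call now passes false as well as true. The enclosing function starts outside the hunk.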