Disable QUIC trial decryption in V44 and above gfe-relnote: Protected by reloadable flag quic_v44_disable_trial_decryption PiperOrigin-RevId: 246159430 Change-Id: I7a1845d0a38555ce774dd58372f4ba19b12e777c
diff --git a/quic/core/quic_framer.cc b/quic/core/quic_framer.cc
index 20dc57c..67d32e3 100644
--- a/quic/core/quic_framer.cc
+++ b/quic/core/quic_framer.cc
@@ -3975,6 +3975,7 @@
 QuicDecrypter* decrypter = decrypter_[level].get();
 QuicDecrypter* alternative_decrypter = nullptr;
 if (version().KnowsWhichDecrypterToUse()) {
+ QUIC_RELOADABLE_FLAG_COUNT(quic_v44_disable_trial_decryption);
 level = GetEncryptionLevel(header);
 decrypter = decrypter_[level].get();
 if (decrypter == nullptr) {
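Review bot: The new `QUIC_RELOADABLE_FLAG_COUNT(quic_v44_disable_trial_decryption)` fires for every packet that enters the `KnowsWhichDecrypterToUse()` branch, including the QUIC_VERSION_99 and TLS-handshake cases that took this branch before the flag existed, so the counter records the flag as used even when it is off or changed nothing. If the count is meant to track the flag's effect, guard it on the flag itself, e.g. `if (GetQuicReloadableFlag(quic_v44_disable_trial_decryption) && transport_version() >= QUIC_VERSION_44) { QUIC_RELOADABLE_FLAG_COUNT(quic_v44_disable_trial_decryption); }` — assuming `transport_version()` is available here as it is on the framer in the tests. For versions 44 and above, the `decrypter == nullptr` path on the last line is now the only handling for a packet whose header selects a level with no installed decrypter; whether such packets are buffered or dropped is decided outside this hunk. The enclosing function starts and ends outside the hunk.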
diff --git a/quic/core/quic_framer_test.cc b/quic/core/quic_framer_test.cc
index dd4a701..0437118 100644
--- a/quic/core/quic_framer_test.cc
+++ b/quic/core/quic_framer_test.cc
@@ -3252,6 +3252,7 @@ // not arise. return; } + SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE); // clang-format off PacketFragments packet = { @@ -3833,6 +3834,7 @@ } TEST_P(QuicFramerTest, AckFrameTimeStampDeltaTooHigh) { + SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE); // clang-format off unsigned char packet[] = { // public flags (8 byte connection_id) @@ -3924,6 +3926,7 @@ } TEST_P(QuicFramerTest, AckFrameTimeStampSecondDeltaTooHigh) { + SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE); // clang-format off unsigned char packet[] = { // public flags (8 byte connection_id) @@ -4030,6 +4033,7 @@ if (version_.transport_version == QUIC_VERSION_99) { return; } + SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE); // clang-format off PacketFragments packet = { // public flags (8 byte connection_id) @@ -4113,6 +4117,7 @@ if (version_.transport_version == QUIC_VERSION_99) { return; } + SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE); // clang-format off unsigned char packet[] = { // public flags (8 byte connection_id) @@ -4509,6 +4514,7 @@ // This frame is not supported in version 99. return; } + SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE); // clang-format off PacketFragments packet = { // public flags (8 byte connection_id) @@ -4634,6 +4640,7 @@ // for Version 99 equivalents. return; } + SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE); // clang-format off PacketFragments packet = { // public flags (8 byte connection_id) @@ -9402,6 +9409,7 @@ // effectively unlimited return; } + SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE); QuicPacketHeader header; header.destination_connection_id = FramerTestConnectionId(); @@ -9441,6 +9449,7 @@ // effectively unlimited return; } + SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE); QuicPacketHeader header; header.destination_connection_id = FramerTestConnectionId(); @@ -9481,6 +9490,7 @@ // effectively unlimited return; } + SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE); QuicPacketHeader header; header.destination_connection_id = FramerTestConnectionId(); 
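Review bot: The `SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);` line added at the top of this hunk, and the identical line in the following hunks of this file (-3833 through -9481), carries no comment saying why it became necessary. A reader of the test alone cannot tell that, with quic_v44_disable_trial_decryption on, a v44+ framer no longer tries other decrypters and the packet must therefore be decryptable at the level its header selects; add `// v44+ no longer trial-decrypts, so install the decrypter at the level this packet's header selects.` at the first occurrence, or fold the call into a shared helper with that comment. Each of these hunks begins inside a test body whose start is outside the hunk.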
@@ -9758,12 +9768,12 @@ // Verify that the packet returned by ConstructMisFramedEncryptedPacket() // does cause the framer to return an error. TEST_P(QuicFramerTest, ConstructMisFramedEncryptedPacket) { - SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE); // Since we are using ConstructEncryptedPacket, we have to set the framer's // crypto to be Null. if (framer_.version().KnowsWhichDecrypterToUse()) { - framer_.InstallDecrypter(ENCRYPTION_INITIAL, QuicMakeUnique<NullDecrypter>( - framer_.perspective())); + framer_.InstallDecrypter( + ENCRYPTION_FORWARD_SECURE, + QuicMakeUnique<NullDecrypter>(framer_.perspective())); } else { framer_.SetDecrypter(ENCRYPTION_INITIAL, QuicMakeUnique<NullDecrypter>(framer_.perspective())); @@ -13077,17 +13087,33 @@ {"Unable to read protocol version.", {QUIC_VERSION_BYTES}}, // connection_id length + {"Illegal long header type value.", + {0x00}}, + }; + // clang-format on + + // clang-format off + PacketFragments packet45 = { + // public flags (IETF Retry packet, 0-length original destination CID) + {"Unable to read type.", + {0xf0}}, + // version tag + {"Unable to read protocol version.", + {QUIC_VERSION_BYTES}}, + // connection_id length {"Not yet supported IETF RETRY packet received.", {0x00}}, }; // clang-format on + PacketFragments& fragments = + framer_.transport_version() > QUIC_VERSION_44 ? packet45 : packet; std::unique_ptr<QuicEncryptedPacket> encrypted( - AssemblePacketFromFragments(packet)); + AssemblePacketFromFragments(fragments)); EXPECT_FALSE(framer_.ProcessPacket(*encrypted)); EXPECT_EQ(QUIC_INVALID_PACKET_HEADER, framer_.error()); - CheckFramingBoundaries(packet, QUIC_INVALID_PACKET_HEADER); + CheckFramingBoundaries(fragments, QUIC_INVALID_PACKET_HEADER); } TEST_P(QuicFramerTest, RetryPacketRejectedWithMultiplePacketNumberSpaces) {
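Review bot: After this change the two branches of ConstructMisFramedEncryptedPacket install the NullDecrypter at different levels — ENCRYPTION_FORWARD_SECURE when `KnowsWhichDecrypterToUse()` is true, ENCRYPTION_INITIAL in the else branch — and the comment above ("we have to set the framer's crypto to be Null") no longer explains the level choice now that the leading `SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);` has been removed. Presumably the installed level must match what `GetEncryptionLevel(header)` derives for the packet this test constructs; say so, e.g. `// Install at the level the packet header selects; v44+ no longer falls back to trial decryption.` The test body continues outside the hunk.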
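Review bot: `fragments` is selected with `framer_.transport_version() > QUIC_VERSION_44`, while the flag clause in KnowsWhichDecrypterToUse covers `>= QUIC_VERSION_44`, so version 44 is the one version now expected to fail with "Illegal long header type value." rather than the RETRY error, and nothing in the test says why the boundary differs. If that is intentional, document it where `packet45` is declared, e.g. `// Versions above 44 parse the long-header type and reject RETRY; v44 and below reject the type byte itself.` — hedged, since the header-parsing code is not in this hunk. The name `packet45` also undersells that it is used for every version above 44, including 99. The test begins outside the hunk.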
diff --git a/quic/core/quic_versions.cc b/quic/core/quic_versions.cc
index a5f1f41..a6d237e 100644
--- a/quic/core/quic_versions.cc
+++ b/quic/core/quic_versions.cc
@@ -38,7 +38,9 @@
 }
 bool ParsedQuicVersion::KnowsWhichDecrypterToUse() const {
- return transport_version == QUIC_VERSION_99 ||
+ return (GetQuicReloadableFlag(quic_v44_disable_trial_decryption) &&
+ transport_version >= QUIC_VERSION_44) ||
+ transport_version == QUIC_VERSION_99 ||
 handshake_protocol == PROTOCOL_TLS1_3;
 }
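Review bot: `KnowsWhichDecrypterToUse()` now answers differently for versions 44 and above depending on a reloadable flag, but nothing in the hunk records that, and the flag is counted only in quic_framer.cc rather than where it is read. Add a comment above the new clause, e.g. `// With quic_v44_disable_trial_decryption, v44+ also derives the decrypter from the packet header instead of trial-decrypting.` The `>=` comparison also relies on QuicTransportVersion being ordered numerically, which the pre-existing `== QUIC_VERSION_99` test did not; a short note on that assumption, or a static_assert next to the enum, would make it explicit.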