Pass QUIC client connection ID to ProofSource. It is valid for multiple QUIC connections to share the same UDP 4-tuple (source/dest addr/port). While usually ProofSource implicitly knows which connection it handles, connection ID is necessary to disambiguate external caches such as EarlyAlia data. PiperOrigin-RevId: 473283841
diff --git a/quiche/quic/core/crypto/proof_source.h b/quiche/quic/core/crypto/proof_source.h index ab2a487..ac34ebb 100644 --- a/quiche/quic/core/crypto/proof_source.h +++ b/quiche/quic/core/crypto/proof_source.h
@@ -310,6 +310,7 @@ virtual QuicAsyncStatus SelectCertificate( const QuicSocketAddress& server_address, const QuicSocketAddress& client_address, + const QuicConnectionId& original_connection_id, absl::string_view ssl_capabilities, const std::string& hostname, absl::string_view client_hello, const std::string& alpn, absl::optional<std::string> alps,
diff --git a/quiche/quic/core/tls_server_handshaker.cc b/quiche/quic/core/tls_server_handshaker.cc index 239de23..dbf0808 100644 --- a/quiche/quic/core/tls_server_handshaker.cc +++ b/quiche/quic/core/tls_server_handshaker.cc
@@ -62,6 +62,7 @@ TlsServerHandshaker::DefaultProofSourceHandle::SelectCertificate( const QuicSocketAddress& server_address, const QuicSocketAddress& client_address, + const QuicConnectionId& /*original_connection_id*/, absl::string_view /*ssl_capabilities*/, const std::string& hostname, absl::string_view /*client_hello*/, const std::string& /*alpn*/, absl::optional<std::string> /*alps*/, @@ -914,6 +915,7 @@ const QuicAsyncStatus status = proof_source_handle_->SelectCertificate( session()->connection()->self_address().Normalized(), session()->connection()->peer_address().Normalized(), + session()->connection()->GetOriginalDestinationConnectionId(), ssl_capabilities_view, crypto_negotiated_params_->sni, absl::string_view( reinterpret_cast<const char*>(client_hello->client_hello),
diff --git a/quiche/quic/core/tls_server_handshaker.h b/quiche/quic/core/tls_server_handshaker.h index bae7741..f82c022 100644 --- a/quiche/quic/core/tls_server_handshaker.h +++ b/quiche/quic/core/tls_server_handshaker.h
@@ -13,6 +13,7 @@ #include "quiche/quic/core/crypto/quic_crypto_server_config.h" #include "quiche/quic/core/crypto/tls_server_connection.h" #include "quiche/quic/core/proto/cached_network_parameters_proto.h" +#include "quiche/quic/core/quic_connection_id.h" #include "quiche/quic/core/quic_crypto_server_stream_base.h" #include "quiche/quic/core/quic_crypto_stream.h" #include "quiche/quic/core/quic_time_accumulator.h" @@ -229,6 +230,7 @@ QuicAsyncStatus SelectCertificate( const QuicSocketAddress& server_address, const QuicSocketAddress& client_address, + const QuicConnectionId& original_connection_id, absl::string_view ssl_capabilities, const std::string& hostname, absl::string_view client_hello, const std::string& alpn, absl::optional<std::string> alps,
diff --git a/quiche/quic/core/tls_server_handshaker_test.cc b/quiche/quic/core/tls_server_handshaker_test.cc index e652f05..bcc9776 100644 --- a/quiche/quic/core/tls_server_handshaker_test.cc +++ b/quiche/quic/core/tls_server_handshaker_test.cc
@@ -14,6 +14,7 @@ #include "quiche/quic/core/crypto/client_proof_source.h" #include "quiche/quic/core/crypto/proof_source.h" #include "quiche/quic/core/crypto/quic_random.h" +#include "quiche/quic/core/quic_connection_id.h" #include "quiche/quic/core/quic_crypto_client_stream.h" #include "quiche/quic/core/quic_session.h" #include "quiche/quic/core/quic_types.h" @@ -600,6 +601,23 @@ "test.example.com"); } +TEST_P(TlsServerHandshakerTest, ServerConnectionIdPassedToSelectCert) { + InitializeServerWithFakeProofSourceHandle(); + + // Disable early data. + server_session_->set_early_data_enabled(false); + + server_handshaker_->SetupProofSourceHandle( + /*select_cert_action=*/FakeProofSourceHandle::Action::DELEGATE_SYNC, + /*compute_signature_action=*/FakeProofSourceHandle::Action:: + DELEGATE_SYNC); + InitializeFakeClient(); + CompleteCryptoHandshake(); + ExpectHandshakeSuccessful(); + + EXPECT_EQ(last_select_cert_args().original_connection_id, TestConnectionId()); +} + TEST_P(TlsServerHandshakerTest, HostnameForCertSelectionAndComputeSignature) { // Client uses upper case letters in hostname. It is considered valid by // QuicHostnameUtils::IsValidSNI, but it should be normalized for cert
diff --git a/quiche/quic/test_tools/fake_proof_source_handle.cc b/quiche/quic/test_tools/fake_proof_source_handle.cc index 07c78fc..ac1f3a5 100644 --- a/quiche/quic/test_tools/fake_proof_source_handle.cc +++ b/quiche/quic/test_tools/fake_proof_source_handle.cc
@@ -4,6 +4,7 @@ #include "quiche/quic/test_tools/fake_proof_source_handle.h" +#include "quiche/quic/core/quic_connection_id.h" #include "quiche/quic/core/quic_types.h" #include "quiche/quic/platform/api/quic_bug_tracker.h" @@ -68,18 +69,21 @@ QuicAsyncStatus FakeProofSourceHandle::SelectCertificate( const QuicSocketAddress& server_address, - const QuicSocketAddress& client_address, absl::string_view ssl_capabilities, - const std::string& hostname, absl::string_view client_hello, - const std::string& alpn, absl::optional<std::string> alps, + const QuicSocketAddress& client_address, + const QuicConnectionId& original_connection_id, + absl::string_view ssl_capabilities, const std::string& hostname, + absl::string_view client_hello, const std::string& alpn, + absl::optional<std::string> alps, const std::vector<uint8_t>& quic_transport_params, const absl::optional<std::vector<uint8_t>>& early_data_context, const QuicSSLConfig& ssl_config) { if (select_cert_action_ != Action::FAIL_SYNC_DO_NOT_CHECK_CLOSED) { QUICHE_CHECK(!closed_); } - all_select_cert_args_.push_back(SelectCertArgs( - server_address, client_address, ssl_capabilities, hostname, client_hello, - alpn, alps, quic_transport_params, early_data_context, ssl_config)); + all_select_cert_args_.push_back( + SelectCertArgs(server_address, client_address, original_connection_id, + ssl_capabilities, hostname, client_hello, alpn, alps, + quic_transport_params, early_data_context, ssl_config)); if (select_cert_action_ == Action::DELEGATE_ASYNC || select_cert_action_ == Action::FAIL_ASYNC) {
diff --git a/quiche/quic/test_tools/fake_proof_source_handle.h b/quiche/quic/test_tools/fake_proof_source_handle.h index 25a7e27..599a1fa 100644 --- a/quiche/quic/test_tools/fake_proof_source_handle.h +++ b/quiche/quic/test_tools/fake_proof_source_handle.h
@@ -6,6 +6,7 @@ #define QUICHE_QUIC_TEST_TOOLS_FAKE_PROOF_SOURCE_HANDLE_H_ #include "quiche/quic/core/crypto/proof_source.h" +#include "quiche/quic/core/quic_connection_id.h" namespace quic { namespace test { @@ -43,6 +44,7 @@ QuicAsyncStatus SelectCertificate( const QuicSocketAddress& server_address, const QuicSocketAddress& client_address, + const QuicConnectionId& original_connection_id, absl::string_view ssl_capabilities, const std::string& hostname, absl::string_view client_hello, const std::string& alpn, absl::optional<std::string> alps, @@ -66,6 +68,7 @@ struct SelectCertArgs { SelectCertArgs(QuicSocketAddress server_address, QuicSocketAddress client_address, + QuicConnectionId original_connection_id, absl::string_view ssl_capabilities, std::string hostname, absl::string_view client_hello, std::string alpn, absl::optional<std::string> alps, @@ -74,6 +77,7 @@ QuicSSLConfig ssl_config) : server_address(server_address), client_address(client_address), + original_connection_id(original_connection_id), ssl_capabilities(ssl_capabilities), hostname(hostname), client_hello(client_hello), @@ -85,6 +89,7 @@ QuicSocketAddress server_address; QuicSocketAddress client_address; + QuicConnectionId original_connection_id; std::string ssl_capabilities; std::string hostname; std::string client_hello;