Pass QUIC client connection ID to ProofSource.
It is valid for multiple QUIC connections to share the same UDP 4-tuple (source/dest addr/port). While usually ProofSource implicitly knows which connection it handles, connection ID is necessary to disambiguate external caches such as EarlyAlia data.
PiperOrigin-RevId: 473283841
diff --git a/quiche/quic/core/crypto/proof_source.h b/quiche/quic/core/crypto/proof_source.h
index ab2a487..ac34ebb 100644
--- a/quiche/quic/core/crypto/proof_source.h
+++ b/quiche/quic/core/crypto/proof_source.h
@@ -310,6 +310,7 @@
virtual QuicAsyncStatus SelectCertificate(
const QuicSocketAddress& server_address,
const QuicSocketAddress& client_address,
+ const QuicConnectionId& original_connection_id,
absl::string_view ssl_capabilities, const std::string& hostname,
absl::string_view client_hello, const std::string& alpn,
absl::optional<std::string> alps,
diff --git a/quiche/quic/core/tls_server_handshaker.cc b/quiche/quic/core/tls_server_handshaker.cc
index 239de23..dbf0808 100644
--- a/quiche/quic/core/tls_server_handshaker.cc
+++ b/quiche/quic/core/tls_server_handshaker.cc
@@ -62,6 +62,7 @@
TlsServerHandshaker::DefaultProofSourceHandle::SelectCertificate(
const QuicSocketAddress& server_address,
const QuicSocketAddress& client_address,
+ const QuicConnectionId& /*original_connection_id*/,
absl::string_view /*ssl_capabilities*/, const std::string& hostname,
absl::string_view /*client_hello*/, const std::string& /*alpn*/,
absl::optional<std::string> /*alps*/,
@@ -914,6 +915,7 @@
const QuicAsyncStatus status = proof_source_handle_->SelectCertificate(
session()->connection()->self_address().Normalized(),
session()->connection()->peer_address().Normalized(),
+ session()->connection()->GetOriginalDestinationConnectionId(),
ssl_capabilities_view, crypto_negotiated_params_->sni,
absl::string_view(
reinterpret_cast<const char*>(client_hello->client_hello),
diff --git a/quiche/quic/core/tls_server_handshaker.h b/quiche/quic/core/tls_server_handshaker.h
index bae7741..f82c022 100644
--- a/quiche/quic/core/tls_server_handshaker.h
+++ b/quiche/quic/core/tls_server_handshaker.h
@@ -13,6 +13,7 @@
#include "quiche/quic/core/crypto/quic_crypto_server_config.h"
#include "quiche/quic/core/crypto/tls_server_connection.h"
#include "quiche/quic/core/proto/cached_network_parameters_proto.h"
+#include "quiche/quic/core/quic_connection_id.h"
#include "quiche/quic/core/quic_crypto_server_stream_base.h"
#include "quiche/quic/core/quic_crypto_stream.h"
#include "quiche/quic/core/quic_time_accumulator.h"
@@ -229,6 +230,7 @@
QuicAsyncStatus SelectCertificate(
const QuicSocketAddress& server_address,
const QuicSocketAddress& client_address,
+ const QuicConnectionId& original_connection_id,
absl::string_view ssl_capabilities, const std::string& hostname,
absl::string_view client_hello, const std::string& alpn,
absl::optional<std::string> alps,
diff --git a/quiche/quic/core/tls_server_handshaker_test.cc b/quiche/quic/core/tls_server_handshaker_test.cc
index e652f05..bcc9776 100644
--- a/quiche/quic/core/tls_server_handshaker_test.cc
+++ b/quiche/quic/core/tls_server_handshaker_test.cc
@@ -14,6 +14,7 @@
#include "quiche/quic/core/crypto/client_proof_source.h"
#include "quiche/quic/core/crypto/proof_source.h"
#include "quiche/quic/core/crypto/quic_random.h"
+#include "quiche/quic/core/quic_connection_id.h"
#include "quiche/quic/core/quic_crypto_client_stream.h"
#include "quiche/quic/core/quic_session.h"
#include "quiche/quic/core/quic_types.h"
@@ -600,6 +601,23 @@
"test.example.com");
}
+TEST_P(TlsServerHandshakerTest, ServerConnectionIdPassedToSelectCert) {
+ InitializeServerWithFakeProofSourceHandle();
+
+ // Disable early data.
+ server_session_->set_early_data_enabled(false);
+
+ server_handshaker_->SetupProofSourceHandle(
+ /*select_cert_action=*/FakeProofSourceHandle::Action::DELEGATE_SYNC,
+ /*compute_signature_action=*/FakeProofSourceHandle::Action::
+ DELEGATE_SYNC);
+ InitializeFakeClient();
+ CompleteCryptoHandshake();
+ ExpectHandshakeSuccessful();
+
+ EXPECT_EQ(last_select_cert_args().original_connection_id, TestConnectionId());
+}
+
TEST_P(TlsServerHandshakerTest, HostnameForCertSelectionAndComputeSignature) {
// Client uses upper case letters in hostname. It is considered valid by
// QuicHostnameUtils::IsValidSNI, but it should be normalized for cert
diff --git a/quiche/quic/test_tools/fake_proof_source_handle.cc b/quiche/quic/test_tools/fake_proof_source_handle.cc
index 07c78fc..ac1f3a5 100644
--- a/quiche/quic/test_tools/fake_proof_source_handle.cc
+++ b/quiche/quic/test_tools/fake_proof_source_handle.cc
@@ -4,6 +4,7 @@
#include "quiche/quic/test_tools/fake_proof_source_handle.h"
+#include "quiche/quic/core/quic_connection_id.h"
#include "quiche/quic/core/quic_types.h"
#include "quiche/quic/platform/api/quic_bug_tracker.h"
@@ -68,18 +69,21 @@
QuicAsyncStatus FakeProofSourceHandle::SelectCertificate(
const QuicSocketAddress& server_address,
- const QuicSocketAddress& client_address, absl::string_view ssl_capabilities,
- const std::string& hostname, absl::string_view client_hello,
- const std::string& alpn, absl::optional<std::string> alps,
+ const QuicSocketAddress& client_address,
+ const QuicConnectionId& original_connection_id,
+ absl::string_view ssl_capabilities, const std::string& hostname,
+ absl::string_view client_hello, const std::string& alpn,
+ absl::optional<std::string> alps,
const std::vector<uint8_t>& quic_transport_params,
const absl::optional<std::vector<uint8_t>>& early_data_context,
const QuicSSLConfig& ssl_config) {
if (select_cert_action_ != Action::FAIL_SYNC_DO_NOT_CHECK_CLOSED) {
QUICHE_CHECK(!closed_);
}
- all_select_cert_args_.push_back(SelectCertArgs(
- server_address, client_address, ssl_capabilities, hostname, client_hello,
- alpn, alps, quic_transport_params, early_data_context, ssl_config));
+ all_select_cert_args_.push_back(
+ SelectCertArgs(server_address, client_address, original_connection_id,
+ ssl_capabilities, hostname, client_hello, alpn, alps,
+ quic_transport_params, early_data_context, ssl_config));
if (select_cert_action_ == Action::DELEGATE_ASYNC ||
select_cert_action_ == Action::FAIL_ASYNC) {
diff --git a/quiche/quic/test_tools/fake_proof_source_handle.h b/quiche/quic/test_tools/fake_proof_source_handle.h
index 25a7e27..599a1fa 100644
--- a/quiche/quic/test_tools/fake_proof_source_handle.h
+++ b/quiche/quic/test_tools/fake_proof_source_handle.h
@@ -6,6 +6,7 @@
#define QUICHE_QUIC_TEST_TOOLS_FAKE_PROOF_SOURCE_HANDLE_H_
#include "quiche/quic/core/crypto/proof_source.h"
+#include "quiche/quic/core/quic_connection_id.h"
namespace quic {
namespace test {
@@ -43,6 +44,7 @@
QuicAsyncStatus SelectCertificate(
const QuicSocketAddress& server_address,
const QuicSocketAddress& client_address,
+ const QuicConnectionId& original_connection_id,
absl::string_view ssl_capabilities, const std::string& hostname,
absl::string_view client_hello, const std::string& alpn,
absl::optional<std::string> alps,
@@ -66,6 +68,7 @@
struct SelectCertArgs {
SelectCertArgs(QuicSocketAddress server_address,
QuicSocketAddress client_address,
+ QuicConnectionId original_connection_id,
absl::string_view ssl_capabilities, std::string hostname,
absl::string_view client_hello, std::string alpn,
absl::optional<std::string> alps,
@@ -74,6 +77,7 @@
QuicSSLConfig ssl_config)
: server_address(server_address),
client_address(client_address),
+ original_connection_id(original_connection_id),
ssl_capabilities(ssl_capabilities),
hostname(hostname),
client_hello(client_hello),
@@ -85,6 +89,7 @@
QuicSocketAddress server_address;
QuicSocketAddress client_address;
+ QuicConnectionId original_connection_id;
std::string ssl_capabilities;
std::string hostname;
std::string client_hello;