Use SSL_set_shed_handshake_config in QUIC to drop BoringSSL handshake state after the handshake finishes in order to save memory.

Also, change `TlsHandshaker::BufferSizeLimitForLevel()` to return 0 once the handshake state has been dropped.

Protected by quic_restart_flag_quic_shed_tls_handshake_config.

PiperOrigin-RevId: 830705599
diff --git a/quiche/common/quiche_feature_flags_list.h b/quiche/common/quiche_feature_flags_list.h
index 81bddf9..149deb5 100755
--- a/quiche/common/quiche_feature_flags_list.h
+++ b/quiche/common/quiche_feature_flags_list.h
@@ -61,6 +61,7 @@
 QUICHE_FLAG(bool, quiche_reloadable_flag_quic_use_proof_source_get_cert_chains, false, false, "When true, quic::TlsServerHandshaker will use ProofSource::GetCertChains() instead of ProofSource::GetCertChain()")
 QUICHE_FLAG(bool, quiche_reloadable_flag_quic_use_received_client_addresses_cache, true, true, "If true, use a LRU cache to record client addresses of packets received on server's original address.")
 QUICHE_FLAG(bool, quiche_restart_flag_quic_dispatcher_close_connection_on_invalid_ack, false, false, "An invalid ack is an ack that the peer sent for a packet that was not sent by the dispatcher. If true, the dispatcher will close the connection if it receives an invalid ack.")
+QUICHE_FLAG(bool, quiche_restart_flag_quic_shed_tls_handshake_config, false, false, "If true, QUIC connections will call SSL_set_shed_handshake_config to drop BoringSSL handshake state after the handshake finishes in order to save memory.")
 QUICHE_FLAG(bool, quiche_restart_flag_quic_support_release_time_for_gso, false, false, "If true, QuicGsoBatchWriter will support release time if it is available and the process has the permission to do so.")
 QUICHE_FLAG(bool, quiche_restart_flag_quic_testonly_default_false, false, false, "A testonly restart flag that will always default to false.")
 QUICHE_FLAG(bool, quiche_restart_flag_quic_testonly_default_true, true, true, "A testonly restart flag that will always default to true.")
diff --git a/quiche/quic/core/crypto/tls_connection.cc b/quiche/quic/core/crypto/tls_connection.cc
index dee6638..13c4e72 100644
--- a/quiche/quic/core/crypto/tls_connection.cc
+++ b/quiche/quic/core/crypto/tls_connection.cc
@@ -9,6 +9,8 @@
 #include "absl/strings/string_view.h"
 #include "openssl/ssl.h"
 #include "quiche/quic/platform/api/quic_bug_tracker.h"
+#include "quiche/quic/platform/api/quic_flag_utils.h"
+#include "quiche/quic/platform/api/quic_flags.h"
 
 namespace quic {
 
@@ -95,6 +97,10 @@
     : delegate_(delegate),
       ssl_(SSL_new(ssl_ctx)),
       ssl_config_(std::move(ssl_config)) {
+  if (GetQuicRestartFlag(quic_shed_tls_handshake_config)) {
+    QUIC_RESTART_FLAG_COUNT_N(quic_shed_tls_handshake_config, 2, 2);
+    SSL_set_shed_handshake_config(ssl(), /*enable=*/1);
+  }
   SSL_set_ex_data(
       ssl(), SslIndexSingleton::GetInstance()->ssl_ex_data_index_connection(),
       this);
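Review bot: The added `SSL_set_shed_handshake_config(ssl(), /*enable=*/1)` call in the constructor has no comment recording what it costs after the handshake, which is what a later maintainer needs to know. As I understand BoringSSL's documentation for this function, once the configuration has been shed, APIs that query it may fail, so any post-handshake path on this SSL that reads handshake configuration has to be gated; the `BufferSizeLimitForLevel()` change in tls_handshaker.cc looks like one such case. I would add above the call: `// Once the handshake completes BoringSSL frees handshake config; do not query it after SSL_in_init() returns 0.` The constructor starts above this hunk, so whether `ssl_` is checked for null before `ssl()` is dereferenced is not visible here.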
diff --git a/quiche/quic/core/tls_handshaker.cc b/quiche/quic/core/tls_handshaker.cc
index 91f3b59..c8ae325 100644
--- a/quiche/quic/core/tls_handshaker.cc
+++ b/quiche/quic/core/tls_handshaker.cc
@@ -19,6 +19,8 @@
 #include "quiche/quic/core/crypto/quic_decrypter.h"
 #include "quiche/quic/core/quic_crypto_stream.h"
 #include "quiche/quic/platform/api/quic_bug_tracker.h"
+#include "quiche/quic/platform/api/quic_flag_utils.h"
+#include "quiche/quic/platform/api/quic_flags.h"
 
 namespace quic {
 
@@ -217,6 +219,12 @@
 }
 
 size_t TlsHandshaker::BufferSizeLimitForLevel(EncryptionLevel level) const {
+  if (GetQuicRestartFlag(quic_shed_tls_handshake_config) &&
+      level != ENCRYPTION_FORWARD_SECURE && !SSL_in_init(ssl())) {
+    QUIC_RESTART_FLAG_COUNT_N(quic_shed_tls_handshake_config, 1, 2);
+    // TODO(crbug.com/459517298): Remove this branch when BoringSSL is fixed.
+    return 0;
+  }
   return SSL_quic_max_handshake_flight_len(
       ssl(), TlsConnection::BoringEncryptionLevel(level));
 }
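Review bot: The early `return 0;` in `BufferSizeLimitForLevel()` is explained only by a TODO pointing at a bug link, so a reader cannot tell why the limit becomes zero or what that does to late CRYPTO data. Going by the commit description, this covers the state where handshake config has been shed and `SSL_quic_max_handshake_flight_len` presumably can no longer answer; a comment such as `// Handshake config is shed once !SSL_in_init(); no handshake data is expected below ENCRYPTION_FORWARD_SECURE, so allow none.` would say so. The caller is outside this hunk, so a test should pin down how a zero limit at the Initial and Handshake levels is handled for delayed or retransmitted CRYPTO frames that arrive after completion (connection close versus silent discard). The branch keys on the process-wide flag rather than on whether shedding was enabled for this particular SSL, which holds only as long as both reads of the restart flag always agree.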