Test QUIC behavior in the worst-case Leto fallback situation
Today, the worst-case QUIC handshake involves sending three CHLO messages. With Leto, that increases to four, since if GFE realizes that Leto is down, it will reject an otherwise-kosher CHLO in order to swap out the ServerConfig whose private key lives on Leto for one generated locally on the GFE.
QUIC clients limit the number of CHLOs they're willing to send per handshake to three. This CL's intent is to increase that limit to four.
However, there is a bug in the QUIC client-side CHLO counting code, which means that the de facto limit was actually four all along. In order to avoid confusion, this CL both increases the constant from three to four, and also fixes the conditional so that the actual limit remains four.
The CHLO-limiting constant is checked in one other spot, but since we're increasing it the change should have no observable effect there.
This CL also adds a test for this behavior, which creates a gigantic certificate to force a three-CHLO handshake, and then brings down Leto to force a four-CHLO handshake, and explicitly verifies the number of CHLOs.
gfe-relnote: Test changes only in GFE code, no-op changes in QUIC code.
PiperOrigin-RevId: 242732499
Change-Id: I7e83ac37269ee5e8d541d058c3f851d0d9a7ff06
diff --git a/quic/core/quic_crypto_client_stream.h b/quic/core/quic_crypto_client_stream.h
index 3518fa7..d0e4ee1 100644
--- a/quic/core/quic_crypto_client_stream.h
+++ b/quic/core/quic_crypto_client_stream.h
@@ -46,12 +46,15 @@
: public QuicCryptoClientStreamBase {
public:
// kMaxClientHellos is the maximum number of times that we'll send a client
- // hello. The value 3 accounts for:
+ // hello. The value 4 accounts for:
// * One failure due to an incorrect or missing source-address token.
// * One failure due the server's certificate chain being unavailible and
// the server being unwilling to send it without a valid source-address
// token.
- static const int kMaxClientHellos = 3;
+ // * One failure due to the ServerConfig private key being located on a
+ // remote oracle which has become unavailable, forcing the server to send
+ // the client a fallback ServerConfig.
+ static const int kMaxClientHellos = 4;
// QuicCryptoClientStream creates a HandshakerDelegate at construction time
// based on the QuicTransportVersion of the connection. Different