gfe-relnote: Expose properties of TLS connection in quic::CryptoNegotiatedParameters. Protected by quic_supports_tls_handshake.
These fields are needed in chromium for QuicChromiumClientSession::GetSSLInfo.
PiperOrigin-RevId: 273780806
Change-Id: I4e93da07cae8c613c8f24bee1824dd14ca7199e6
diff --git a/quic/core/crypto/crypto_handshake.h b/quic/core/crypto/crypto_handshake.h
index ecf81d8..040fe9e 100644
--- a/quic/core/crypto/crypto_handshake.h
+++ b/quic/core/crypto/crypto_handshake.h
@@ -147,6 +147,12 @@
// by sending CSCT tag with an empty value in client hello.
bool sct_supported_by_client;
+ // Parameters only populated for TLS handshakes. These will be 0 for
+ // connections not using TLS, or if the TLS handshake is not finished yet.
+ uint16_t cipher_suite = 0;
+ uint16_t key_exchange_group = 0;
+ uint16_t peer_signature_algorithm = 0;
+
protected:
~QuicCryptoNegotiatedParameters() override;
};
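Review bot: The comment on the three new fields says what 0 means but not what a non-zero value is; a reader implementing GetSSLInfo needs to know these are the 16-bit TLS registry code points (cipher suite id, named-group id, SignatureScheme id) exactly as BoringSSL reports them through SSL_CIPHER_get_value, SSL_get_curve_id and SSL_get_peer_signature_algorithm in the .cc hunks. I would extend the comment with `// Values are the raw 16-bit TLS registry identifiers as reported by BoringSSL. 0 means "not negotiated / not yet known" and must be treated as unknown by consumers, not as cipher suite 0x0000.` since 0x0000 is itself a registered (null) cipher-suite code point. It is also worth saying on `peer_signature_algorithm` that it stays 0 when the peer did not authenticate with a certificate, which is the server-side case in this change. The enclosing struct begins outside the hunk.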
diff --git a/quic/core/tls_client_handshaker.cc b/quic/core/tls_client_handshaker.cc
index 88fea66..674cf2c 100644
--- a/quic/core/tls_client_handshaker.cc
+++ b/quic/core/tls_client_handshaker.cc
@@ -328,6 +328,16 @@
handshake_confirmed_ = true;
session()->OnCryptoHandshakeEvent(QuicSession::ENCRYPTION_ESTABLISHED);
session()->OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED);
+
+ // Fill crypto_negotiated_params_:
+ const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl());
+ if (cipher) {
+ crypto_negotiated_params_->cipher_suite = SSL_CIPHER_get_value(cipher);
+ }
+ crypto_negotiated_params_->key_exchange_group = SSL_get_curve_id(ssl());
+ crypto_negotiated_params_->peer_signature_algorithm =
+ SSL_get_peer_signature_algorithm(ssl());
+
session()->connection()->OnHandshakeComplete();
}
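Review bot: The parameters are populated only after `session()->OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED)` has already fired, so any session code that reacts to that event — for example the GetSSLInfo consumer named in the description — observes cipher_suite, key_exchange_group and peer_signature_algorithm still at 0. Move the `// Fill crypto_negotiated_params_:` block above the `session()->OnCryptoHandshakeEvent(QuicSession::ENCRYPTION_ESTABLISHED);` call so the values are visible to every observer of the handshake events. The null check on SSL_get_current_cipher is right; the other two getters are called unconditionally, which is fine only because they presumably return 0 when no ECDHE group / no peer signature applies, matching the header's "0 when not available" contract — a one-line comment saying that reliance is intentional would help. The enclosing function starts outside the hunk.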
diff --git a/quic/core/tls_handshaker_test.cc b/quic/core/tls_handshaker_test.cc
index 1d34321..1d3f8f3 100644
--- a/quic/core/tls_handshaker_test.cc
+++ b/quic/core/tls_handshaker_test.cc
@@ -329,6 +329,34 @@
});
}
+ void ExpectHandshakeSuccessful() {
+ EXPECT_TRUE(client_stream_->handshake_confirmed());
+ EXPECT_TRUE(client_stream_->encryption_established());
+ EXPECT_TRUE(server_stream_->handshake_confirmed());
+ EXPECT_TRUE(server_stream_->encryption_established());
+ EXPECT_TRUE(client_conn_->IsHandshakeConfirmed());
+ EXPECT_TRUE(server_conn_->IsHandshakeConfirmed());
+
+ const auto& client_crypto_params =
+ client_stream_->crypto_negotiated_params();
+ const auto& server_crypto_params =
+ server_stream_->crypto_negotiated_params();
+ // The TLS params should be filled in on the client.
+ EXPECT_NE(0, client_crypto_params.cipher_suite);
+ EXPECT_NE(0, client_crypto_params.key_exchange_group);
+ EXPECT_NE(0, client_crypto_params.peer_signature_algorithm);
+
+ // The cipher suite and key exchange group should match on the client and
+ // server.
+ EXPECT_EQ(client_crypto_params.cipher_suite,
+ server_crypto_params.cipher_suite);
+ EXPECT_EQ(client_crypto_params.key_exchange_group,
+ server_crypto_params.key_exchange_group);
+ // We don't support client certs on the server (yet), so the server
+ // shouldn't have a peer signature algorithm to report.
+ EXPECT_EQ(0, server_crypto_params.peer_signature_algorithm);
+ }
+
MockQuicConnectionHelper conn_helper_;
MockAlarmFactory alarm_factory_;
MockQuicConnection* client_conn_;
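Review bot: ExpectHandshakeSuccessful only checks the fields after the handshake has fully completed, so nothing exercises the header's contract that they are 0 until then, and nothing detects whether they are already populated when HANDSHAKE_CONFIRMED is delivered to the session (the point at which GetSSLInfo will read them). In the tests that call CryptoConnect, add `EXPECT_EQ(0, client_stream_->crypto_negotiated_params().cipher_suite);` between `client_stream_->CryptoConnect();` and `ExchangeHandshakeMessages(...)`, and, if the mock session allows it, assert from an OnCryptoHandshakeEvent(HANDSHAKE_CONFIRMED) expectation that the fields are non-zero at that moment. Separately, `EXPECT_TRUE(server_conn_->IsHandshakeConfirmed())` reverses the `EXPECT_FALSE` the later hunks remove; a short comment in the helper pointing at the server's new OnHandshakeComplete call would explain the flip to the next reader.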
@@ -357,12 +385,7 @@
client_stream_->CryptoConnect();
ExchangeHandshakeMessages(client_stream_, server_stream_);
- EXPECT_TRUE(client_stream_->handshake_confirmed());
- EXPECT_TRUE(client_stream_->encryption_established());
- EXPECT_TRUE(server_stream_->handshake_confirmed());
- EXPECT_TRUE(server_stream_->encryption_established());
- EXPECT_TRUE(client_conn_->IsHandshakeConfirmed());
- EXPECT_FALSE(server_conn_->IsHandshakeConfirmed());
+ ExpectHandshakeSuccessful();
}
TEST_F(TlsHandshakerTest, HandshakeWithAsyncProofSource) {
@@ -382,10 +405,7 @@
ExchangeHandshakeMessages(client_stream_, server_stream_);
- EXPECT_TRUE(client_stream_->handshake_confirmed());
- EXPECT_TRUE(client_stream_->encryption_established());
- EXPECT_TRUE(server_stream_->handshake_confirmed());
- EXPECT_TRUE(server_stream_->encryption_established());
+ ExpectHandshakeSuccessful();
}
TEST_F(TlsHandshakerTest, CancelPendingProofSource) {
@@ -425,10 +445,7 @@
ExchangeHandshakeMessages(client_stream_, server_stream_);
- EXPECT_TRUE(client_stream_->handshake_confirmed());
- EXPECT_TRUE(client_stream_->encryption_established());
- EXPECT_TRUE(server_stream_->handshake_confirmed());
- EXPECT_TRUE(server_stream_->encryption_established());
+ ExpectHandshakeSuccessful();
}
TEST_F(TlsHandshakerTest, ClientConnectionClosedOnTlsError) {
@@ -566,12 +583,7 @@
client_stream_->CryptoConnect();
ExchangeHandshakeMessages(client_stream_, server_stream_);
- EXPECT_TRUE(client_stream_->handshake_confirmed());
- EXPECT_TRUE(client_stream_->encryption_established());
- EXPECT_TRUE(server_stream_->handshake_confirmed());
- EXPECT_TRUE(server_stream_->encryption_established());
- EXPECT_TRUE(client_conn_->IsHandshakeConfirmed());
- EXPECT_FALSE(server_conn_->IsHandshakeConfirmed());
+ ExpectHandshakeSuccessful();
}
} // namespace
diff --git a/quic/core/tls_server_handshaker.cc b/quic/core/tls_server_handshaker.cc
index 0b4215d..eb697f1 100644
--- a/quic/core/tls_server_handshaker.cc
+++ b/quic/core/tls_server_handshaker.cc
@@ -263,6 +263,15 @@
encryption_established_ = true;
handshake_confirmed_ = true;
session()->OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED);
+
+ // Fill crypto_negotiated_params_:
+ const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl());
+ if (cipher) {
+ crypto_negotiated_params_->cipher_suite = SSL_CIPHER_get_value(cipher);
+ }
+ crypto_negotiated_params_->key_exchange_group = SSL_get_curve_id(ssl());
+
+ session()->connection()->OnHandshakeComplete();
}
ssl_private_key_result_t TlsServerHandshaker::PrivateKeySign(
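Review bot: Same ordering problem as on the client side: `crypto_negotiated_params_` is filled after `session()->OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED)` has fired, so an observer of that event reads zeros; move the fill block above that call. `session()->connection()->OnHandshakeComplete();` is a new server-side behavior change that the description ("Expose properties") does not mention — the test hunks flip `EXPECT_FALSE(server_conn_->IsHandshakeConfirmed())` to EXPECT_TRUE because of it — and deserves a sentence in the description or a comment here. Finally, peer_signature_algorithm is intentionally left at 0 on this side; add `// peer_signature_algorithm stays 0: client certificates are not supported on the server yet.` so it is not mistaken for an omission. The enclosing function starts outside the hunk.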