Internal change
PiperOrigin-RevId: 387394186
diff --git a/quic/core/crypto/proof_source.h b/quic/core/crypto/proof_source.h
index 3bae221..b0a2446 100644
--- a/quic/core/crypto/proof_source.h
+++ b/quic/core/crypto/proof_source.h
@@ -166,6 +166,15 @@
absl::string_view in,
std::unique_ptr<SignatureCallback> callback) = 0;
+ // Return the list of TLS signature algorithms that is acceptable by the
+ // ComputeTlsSignature method. If the entire BoringSSL's default list of
+ // supported signature algorithms are acceptable, return an empty list.
+ //
+ // If returns a non-empty list, ComputeTlsSignature will only be called with a
+ // algorithm in the list.
+ virtual absl::InlinedVector<uint16_t, 8> SupportedTlsSignatureAlgorithms()
+ const = 0;
+
class QUIC_EXPORT_PRIVATE DecryptCallback {
public:
DecryptCallback() = default;
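Review bot: The contract on the new pure virtual does not say that the returned list is an ordering, yet it is moved into `QuicSSLConfig::signing_algorithm_prefs`, which the quic_types.h hunk documents as feeding `SSL_set_signing_algorithm_prefs` — so the position of each entry presumably matters, not just membership, and implementers should know that. The wording also has a few slips ("that is acceptable by", "the entire ... list ... are acceptable", "If returns", "a algorithm"). I would rewrite the comment as: `// Returns the TLS signature algorithm ids (SignatureScheme values, presumably in preference order) that ComputeTlsSignature() accepts. An empty list means BoringSSL's entire default list is acceptable. When non-empty, ComputeTlsSignature() is only called with an algorithm from this list.` The enclosing ProofSource class begins outside this hunk.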
diff --git a/quic/core/crypto/proof_source_x509.cc b/quic/core/crypto/proof_source_x509.cc
index d61df71..c7acd00 100644
--- a/quic/core/crypto/proof_source_x509.cc
+++ b/quic/core/crypto/proof_source_x509.cc
@@ -80,6 +80,13 @@
callback->Run(/*ok=*/!signature.empty(), signature, nullptr);
}
+absl::InlinedVector<uint16_t, 8>
+ProofSourceX509::SupportedTlsSignatureAlgorithms() const {
+ // Let ComputeTlsSignature() report an error if a bad signature algorithm is
+ // requested.
+ return {};
+}
+
ProofSource::TicketCrypter* ProofSourceX509::GetTicketCrypter() {
return nullptr;
}
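Review bot: The comment on the new override reads as if returning an empty list is what makes ComputeTlsSignature() report the error, but per the interface an empty list means the whole BoringSSL default list is accepted, so a mismatched algorithm is only rejected after the handshake has committed to it (the `ok=false` path via the empty signature at the top of this hunk). That is a deliberate trade-off and worth saying explicitly: `// Defer to BoringSSL's default list; an algorithm this source's key cannot sign with is only rejected later, when ComputeTlsSignature() returns an empty signature (ok=false).` If the X509 source already knows its key type, it could in principle return a narrower list, but nothing in this hunk shows that, so I would leave it as a follow-up note rather than change behaviour here.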
diff --git a/quic/core/crypto/proof_source_x509.h b/quic/core/crypto/proof_source_x509.h
index 83de1de..9ac6769 100644
--- a/quic/core/crypto/proof_source_x509.h
+++ b/quic/core/crypto/proof_source_x509.h
@@ -41,11 +41,11 @@
const std::string& hostname) override;
void ComputeTlsSignature(
const QuicSocketAddress& server_address,
- const QuicSocketAddress& client_address,
- const std::string& hostname,
- uint16_t signature_algorithm,
- absl::string_view in,
+ const QuicSocketAddress& client_address, const std::string& hostname,
+ uint16_t signature_algorithm, absl::string_view in,
std::unique_ptr<SignatureCallback> callback) override;
+ absl::InlinedVector<uint16_t, 8> SupportedTlsSignatureAlgorithms()
+ const override;
TicketCrypter* GetTicketCrypter() override;
// Adds a certificate chain to the verifier. Returns false if the chain is
diff --git a/quic/core/http/quic_server_session_base.cc b/quic/core/http/quic_server_session_base.cc
index c78df58..69d6cb4 100644
--- a/quic/core/http/quic_server_session_base.cc
+++ b/quic/core/http/quic_server_session_base.cc
@@ -282,4 +282,23 @@
std::move(serialized_settings));
}
+QuicSSLConfig QuicServerSessionBase::GetSSLConfig() const {
+ QUICHE_DCHECK(crypto_config_ && crypto_config_->proof_source());
+
+ QuicSSLConfig ssl_config = QuicSpdySession::GetSSLConfig();
+ if (!GetQuicReloadableFlag(quic_tls_set_signature_algorithm_prefs) ||
+ !crypto_config_ || !crypto_config_->proof_source()) {
+ return ssl_config;
+ }
+
+ absl::InlinedVector<uint16_t, 8> signature_algorithms =
+ crypto_config_->proof_source()->SupportedTlsSignatureAlgorithms();
+ if (!signature_algorithms.empty()) {
+ QUIC_RELOADABLE_FLAG_COUNT_N(quic_tls_set_signature_algorithm_prefs, 1, 2);
+ ssl_config.signing_algorithm_prefs = std::move(signature_algorithms);
+ }
+
+ return ssl_config;
+}
+
} // namespace quic
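Review bot: GetSSLConfig() leaves `ssl_config.signing_algorithm_prefs` untouched when the proof source returns an empty list, while the ProofSource contract says an empty list means "BoringSSL's default list"; those only coincide if `QuicSpdySession::GetSSLConfig()` never sets its own prefs, which is not visible here. If that is the intended invariant, document it at the `if (!signature_algorithms.empty())` check: `// Empty means "use BoringSSL's defaults"; keep whatever the base config set rather than overriding it with an empty list.` Otherwise the proof source's preference is silently overridden by the base config. The `QUICHE_DCHECK` on the first line duplicates the runtime guard two lines below; that is fine as a debug invariant plus production fallback, but a one-line comment saying so would stop the next reader from removing one of them.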
diff --git a/quic/core/http/quic_server_session_base.h b/quic/core/http/quic_server_session_base.h
index 9bdaa30..bd9f5e7 100644
--- a/quic/core/http/quic_server_session_base.h
+++ b/quic/core/http/quic_server_session_base.h
@@ -68,6 +68,8 @@
serving_region_ = serving_region;
}
+ QuicSSLConfig GetSSLConfig() const override;
+
protected:
// QuicSession methods(override them with return type of QuicSpdyStream*):
QuicCryptoServerStreamBase* GetMutableCryptoStream() override;
diff --git a/quic/core/quic_crypto_client_handshaker_test.cc b/quic/core/quic_crypto_client_handshaker_test.cc
index 660663a..ed5da6c 100644
--- a/quic/core/quic_crypto_client_handshaker_test.cc
+++ b/quic/core/quic_crypto_client_handshaker_test.cc
@@ -105,6 +105,11 @@
callback->Run(true, "Dummy signature", /*details=*/nullptr);
}
+ absl::InlinedVector<uint16_t, 8> SupportedTlsSignatureAlgorithms()
+ const override {
+ return {};
+ }
+
TicketCrypter* GetTicketCrypter() override { return nullptr; }
};
diff --git a/quic/core/quic_flags_list.h b/quic/core/quic_flags_list.h
index 65e511c..d375591 100644
--- a/quic/core/quic_flags_list.h
+++ b/quic/core/quic_flags_list.h
@@ -17,6 +17,8 @@
QUIC_FLAG(FLAGS_quic_restart_flag_quic_testonly_default_false, false)
// A testonly restart flag that will always default to true.
QUIC_FLAG(FLAGS_quic_restart_flag_quic_testonly_default_true, true)
+// If true, GFE will explicitly configure its signature algorithm preference.
+QUIC_FLAG(FLAGS_quic_reloadable_flag_quic_tls_set_signature_algorithm_prefs, false)
// If true, QUIC will default enable MTU discovery at server, with a target of 1450 bytes.
QUIC_FLAG(FLAGS_quic_reloadable_flag_quic_enable_mtu_discovery_at_server, false)
// If true, QuicGsoBatchWriter will support release time if it is available and the process has the permission to do so.
diff --git a/quic/core/quic_types.h b/quic/core/quic_types.h
index 1b8fc47..eb4db07 100644
--- a/quic/core/quic_types.h
+++ b/quic/core/quic_types.h
@@ -840,7 +840,7 @@
absl::optional<bool> early_data_enabled;
// If set, used to configure the SSL object with
// SSL_set_signing_algorithm_prefs.
- absl::optional<absl::InlinedVector<uint16_t, 4>> signing_algorithm_prefs;
+ absl::optional<absl::InlinedVector<uint16_t, 8>> signing_algorithm_prefs;
};
} // namespace quic
diff --git a/quic/qbone/qbone_session_test.cc b/quic/qbone/qbone_session_test.cc
index fb9a288..9887f79 100644
--- a/quic/qbone/qbone_session_test.cc
+++ b/quic/qbone/qbone_session_test.cc
@@ -117,6 +117,14 @@
std::move(callback));
}
+ absl::InlinedVector<uint16_t, 8> SupportedTlsSignatureAlgorithms()
+ const override {
+ if (!proof_source_) {
+ return {};
+ }
+ return proof_source_->SupportedTlsSignatureAlgorithms();
+ }
+
TicketCrypter* GetTicketCrypter() override { return nullptr; }
private:
diff --git a/quic/test_tools/failing_proof_source.h b/quic/test_tools/failing_proof_source.h
index 4f771a3..447b770 100644
--- a/quic/test_tools/failing_proof_source.h
+++ b/quic/test_tools/failing_proof_source.h
@@ -34,6 +34,11 @@
absl::string_view in,
std::unique_ptr<SignatureCallback> callback) override;
+ absl::InlinedVector<uint16_t, 8> SupportedTlsSignatureAlgorithms()
+ const override {
+ return {};
+ }
+
TicketCrypter* GetTicketCrypter() override { return nullptr; }
};
diff --git a/quic/test_tools/fake_proof_source.cc b/quic/test_tools/fake_proof_source.cc
index bc75678..1109d65 100644
--- a/quic/test_tools/fake_proof_source.cc
+++ b/quic/test_tools/fake_proof_source.cc
@@ -123,6 +123,11 @@
std::move(callback), delegate_.get()));
}
+absl::InlinedVector<uint16_t, 8>
+FakeProofSource::SupportedTlsSignatureAlgorithms() const {
+ return delegate_->SupportedTlsSignatureAlgorithms();
+}
+
ProofSource::TicketCrypter* FakeProofSource::GetTicketCrypter() {
if (ticket_crypter_) {
return ticket_crypter_.get();
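Review bot: The new FakeProofSource override dereferences `delegate_` unconditionally, whereas the qbone test helper in this same change guards its delegate with a null check before forwarding the call. If `delegate_` is always set by construction (the ComputeTlsSignature call above also passes `delegate_.get()` without a guard, so that seems likely), a brief comment saying so would make the asymmetry intentional; otherwise add `if (!delegate_) return {};` before the forwarding line so a test with no delegate falls back to BoringSSL defaults instead of crashing.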
diff --git a/quic/test_tools/fake_proof_source.h b/quic/test_tools/fake_proof_source.h
index 077f34d..c088d43 100644
--- a/quic/test_tools/fake_proof_source.h
+++ b/quic/test_tools/fake_proof_source.h
@@ -52,6 +52,8 @@
uint16_t signature_algorithm,
absl::string_view in,
std::unique_ptr<ProofSource::SignatureCallback> callback) override;
+ absl::InlinedVector<uint16_t, 8> SupportedTlsSignatureAlgorithms()
+ const override;
TicketCrypter* GetTicketCrypter() override;
// Sets the TicketCrypter to use. If nullptr, the TicketCrypter from