From ebe207f71c627ffb6eed5e8c5fd51c8387c10ed0 Mon Sep 17 00:00:00 2001
From: Philipp Hancke
Date: Thu, 28 Sep 2023 10:02:54 +0200
Subject: [PATCH] Add field trial for enabling SSL client hello extension permutation using WebRTC-PermuteTlsClientHello as a field trial. This has been launched in Chromium already: https://groups.google.com/a/chromium.org/g/blink-dev/c/bYZK81WxYBo/m/lKLrZ_P2BwAJ WebRTC-specific I2S: https://groups.google.com/a/chromium.org/g/blink-dev/c/1CIKec0W1fg Chromestatus entry: https://chromestatus.com/feature/5191245718880256
BUG=webrtc:15467
Change-Id: I18f4065661bbe2db03e1823d7bfba4c9b60046aa
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/318640
Reviewed-by: Harald Alvestrand
Commit-Queue: Philipp Hancke
Reviewed-by: Emil Lundmark
Cr-Commit-Position: refs/heads/main@{#40831}
---
 experiments/field_trials.py | 3 ++
 rtc_base/openssl_stream_adapter.cc | 5 +++
 rtc_base/ssl_stream_adapter_unittest.cc | 43 +++++++++++++++++++++++++
 3 files changed, 51 insertions(+)
diff --git a/experiments/field_trials.py b/experiments/field_trials.py
index 764c47e551..6cc1d58495 100755
--- a/experiments/field_trials.py
+++ b/experiments/field_trials.py
@@ -86,6 +86,9 @@ ACTIVE_FIELD_TRIALS: FrozenSet[FieldTrial] = frozenset([
 FieldTrial('WebRTC-PaddingMode-RecentLargePacket',
 'webrtc:15201',
 date(2024, 4, 1)),
+ FieldTrial('WebRTC-PermuteTlsClientHello',
+ 'webrtc:15467',
+ date(2024, 7, 1)),
 FieldTrial('WebRTC-PreventSsrcGroupsWithUnexpectedSize',
 'chromium:1459124',
 date(2024, 4, 1)),
diff --git a/rtc_base/openssl_stream_adapter.cc b/rtc_base/openssl_stream_adapter.cc
index d462f77ce4..cbbb8e96ab 100644
--- a/rtc_base/openssl_stream_adapter.cc
+++ b/rtc_base/openssl_stream_adapter.cc
@@ -1098,6 +1098,11 @@ SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
 }
 }
+#ifdef OPENSSL_IS_BORINGSSL
+ SSL_CTX_set_permute_extensions(
+ ctx, webrtc::field_trial::IsEnabled("WebRTC-PermuteTlsClientHello"));
+#endif
+
 return ctx;
 }
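Review bot: The new SSL_CTX_set_permute_extensions call in SetupSSLContext carries no comment, so a reader cannot tell what is being permuted or why the call is gated on a field trial and on BoringSSL; I would add `// BoringSSL only: randomize the ClientHello extension order when the` / `// WebRTC-PermuteTlsClientHello field trial is enabled.` above the `#ifdef`, with a pointer to the Chromium launch linked in the description. The unittest hunk configures the trial on the server side as well, which suggests this context is also built for the server role; if so, the comment should say that the setting only influences the ClientHello and is inert for a server, though I infer that rather than see it here. SetupSSLContext's body begins outside the hunk.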
diff --git a/rtc_base/ssl_stream_adapter_unittest.cc b/rtc_base/ssl_stream_adapter_unittest.cc
index 8417314a3a..0a99d9b1f0 100644
--- a/rtc_base/ssl_stream_adapter_unittest.cc
+++ b/rtc_base/ssl_stream_adapter_unittest.cc
@@ -1808,3 +1808,46 @@ TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
 SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
 TestHandshake(false);
 }
+
+// These tests are a no-op under OpenSSL.
+#ifdef OPENSSL_IS_BORINGSSL
+// TODO(https://bugs.webrtc.org/10261): when removing
+// SSLStreamAdapterTestDTLSLegacyProtocols that this class
+// inherits from move the code to this class.
+class SSLStreamAdapterTestDTLSExtensionPermutation
+ : public SSLStreamAdapterTestDTLSLegacyProtocols {
+ public:
+ SSLStreamAdapterTestDTLSExtensionPermutation()
+ : SSLStreamAdapterTestDTLSLegacyProtocols() {}
+};
+
+// Tests for enabling the (D)TLS extension permutation which randomizes the
+// order of extensions in the client hello.
+TEST_F(SSLStreamAdapterTestDTLSExtensionPermutation,
+ ClientDefaultServerDefault) {
+ ConfigureClient("");
+ ConfigureServer("");
+ TestHandshake();
+}
+
+TEST_F(SSLStreamAdapterTestDTLSExtensionPermutation,
+ ClientDefaultServerPermute) {
+ ConfigureClient("");
+ ConfigureServer("WebRTC-PermuteTlsClientHello/Enabled/");
+ TestHandshake();
+}
+
+TEST_F(SSLStreamAdapterTestDTLSExtensionPermutation,
+ ClientPermuteServerDefault) {
+ ConfigureClient("WebRTC-PermuteTlsClientHello/Enabled/");
+ ConfigureServer("");
+ TestHandshake();
+}
+
+TEST_F(SSLStreamAdapterTestDTLSExtensionPermutation,
+ ClientPermuteServerPermute) {
+ ConfigureClient("WebRTC-PermuteTlsClientHello/Enabled/");
+ ConfigureServer("WebRTC-PermuteTlsClientHello/Enabled/");
+ TestHandshake();
+}
+#endif // OPENSSL_IS_BORINGSSL
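Review bot: None of the four TEST_F bodies asserts that the permutation actually took effect; each only checks that TestHandshake() completes, so a build in which the field-trial string never reaches SetupSSLContext would still pass all four unchanged. Unless the adapter exposes something about the sent ClientHello, I would at least say so in the comment above the tests: `// These only verify that handshakes still succeed with permutation enabled on` / `// either side; they do not inspect the extension order itself.` The explicit constructor `SSLStreamAdapterTestDTLSExtensionPermutation() : SSLStreamAdapterTestDTLSLegacyProtocols() {}` adds nothing over the implicitly generated one and can be dropped or written as `= default;`. ConfigureClient and ConfigureServer are defined outside the hunk; I assume from the call sites that they take a field-trial string.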