Add field trial for enabling SSL client hello extension permutation

using WebRTC-PermuteTlsClientHello as a field trial. This has been launched in Chromium already: https://groups.google.com/a/chromium.org/g/blink-dev/c/bYZK81WxYBo/m/lKLrZ_P2BwAJ WebRTC-specific I2S: https://groups.google.com/a/chromium.org/g/blink-dev/c/1CIKec0W1fg Chromestatus entry: https://chromestatus.com/feature/5191245718880256 BUG=webrtc:15467 Change-Id: I18f4065661bbe2db03e1823d7bfba4c9b60046aa Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/318640 Reviewed-by: Harald Alvestrand <hta@webrtc.org> Commit-Queue: Philipp Hancke <phancke@microsoft.com> Reviewed-by: Emil Lundmark <lndmrk@webrtc.org> Cr-Commit-Position: refs/heads/main@{#40831}
2025-05-12 21:30:45 +01:00 · 2023-09-28 10:02:54 +02:00 · 2023-09-28 10:02:54 +02:00 · ebe207f71c
commit ebe207f71c
parent a1475c2210
3 changed files with 51 additions and 0 deletions
--- a/experiments/field_trials.py
+++ b/experiments/field_trials.py
@ -86,6 +86,9 @@ ACTIVE_FIELD_TRIALS: FrozenSet[FieldTrial] = frozenset([
    FieldTrial('WebRTC-PaddingMode-RecentLargePacket',
               'webrtc:15201',
               date(2024, 4, 1)),
+    FieldTrial('WebRTC-PermuteTlsClientHello',
+               'webrtc:15467',
+               date(2024, 7, 1)),
    FieldTrial('WebRTC-PreventSsrcGroupsWithUnexpectedSize',
               'chromium:1459124',
               date(2024, 4, 1)),
--- a/rtc_base/openssl_stream_adapter.cc
+++ b/rtc_base/openssl_stream_adapter.cc
@ -1098,6 +1098,11 @@ SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
    }
  }

+#ifdef OPENSSL_IS_BORINGSSL
+  SSL_CTX_set_permute_extensions(
+      ctx, webrtc::field_trial::IsEnabled("WebRTC-PermuteTlsClientHello"));
+#endif
+
  return ctx;
 }

--- a/rtc_base/ssl_stream_adapter_unittest.cc
+++ b/rtc_base/ssl_stream_adapter_unittest.cc
@ -1808,3 +1808,46 @@ TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
  SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
  TestHandshake(false);
 }
+
+// These tests are a no-op under OpenSSL.
+#ifdef OPENSSL_IS_BORINGSSL
+// TODO(https://bugs.webrtc.org/10261): when removing
+// SSLStreamAdapterTestDTLSLegacyProtocols that this class
+// inherits from move the code to this class.
+class SSLStreamAdapterTestDTLSExtensionPermutation
+    : public SSLStreamAdapterTestDTLSLegacyProtocols {
+ public:
+  SSLStreamAdapterTestDTLSExtensionPermutation()
+      : SSLStreamAdapterTestDTLSLegacyProtocols() {}
+};
+
+// Tests for enabling the (D)TLS extension permutation which randomizes the
+// order of extensions in the client hello.
+TEST_F(SSLStreamAdapterTestDTLSExtensionPermutation,
+       ClientDefaultServerDefault) {
+  ConfigureClient("");
+  ConfigureServer("");
+  TestHandshake();
+}
+
+TEST_F(SSLStreamAdapterTestDTLSExtensionPermutation,
+       ClientDefaultServerPermute) {
+  ConfigureClient("");
+  ConfigureServer("WebRTC-PermuteTlsClientHello/Enabled/");
+  TestHandshake();
+}
+
+TEST_F(SSLStreamAdapterTestDTLSExtensionPermutation,
+       ClientPermuteServerDefault) {
+  ConfigureClient("WebRTC-PermuteTlsClientHello/Enabled/");
+  ConfigureServer("");
+  TestHandshake();
+}
+
+TEST_F(SSLStreamAdapterTestDTLSExtensionPermutation,
+       ClientPermuteServerPermute) {
+  ConfigureClient("WebRTC-PermuteTlsClientHello/Enabled/");
+  ConfigureServer("WebRTC-PermuteTlsClientHello/Enabled/");
+  TestHandshake();
+}
+#endif  // OPENSSL_IS_BORINGSSL