feat(tls): Add ALPS use new endpoint extension

0x676e67 · Feb 3, 2025 · 8802ee3 · 8802ee3
1 parent b3cda7d
commit 8802ee3
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 8 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -109,9 +109,9 @@ socket2 = { version = "0.5", features = ["all"] }
 lru = { version = "0.13", default-features = false }
 
 ## boring-tls
-boring2 = { version = "4.14.0", features = ["pq-experimental"] }
-boring-sys2 = { version = "4.14.0", features = ["pq-experimental"] }
-tokio-boring2 = { version = "4.14.0", features = ["pq-experimental"] }
+boring2 = { version = "4.15.0", features = ["pq-experimental"] }
+boring-sys2 = { version = "4.15.0", features = ["pq-experimental"] }
+tokio-boring2 = { version = "4.15.0", features = ["pq-experimental"] }
 foreign-types = "0.5.0"
 linked_hash_set = "0.1"
 

diff --git a/src/tls/conn/layer.rs b/src/tls/conn/layer.rs
@@ -141,7 +141,7 @@ impl HttpsLayer {
             conf.set_verify_hostname(settings.verify_hostname);
 
             // Set ALPS
-            conf.alps_protos(settings.alps_protos)?;
+            conf.alps_protos(settings.alps_protos, settings.alps_use_new_codepoint)?;
 
             Ok(())
         });

diff --git a/src/tls/conn/mod.rs b/src/tls/conn/mod.rs
@@ -87,8 +87,9 @@ pub struct HttpsLayerSettings {
     enable_ech_grease: bool,
     verify_hostname: bool,
     tls_sni: bool,
-    alps_protos: Option<AlpsProtos>,
     alpn_protos: AlpnProtos,
+    alps_protos: Option<AlpsProtos>,
+    alps_use_new_codepoint: bool,
 }
 
 impl HttpsLayerSettings {
@@ -107,8 +108,9 @@ impl Default for HttpsLayerSettings {
             enable_ech_grease: false,
             verify_hostname: true,
             tls_sni: true,
-            alps_protos: None,
             alpn_protos: AlpnProtos::All,
+            alps_protos: None,
+            alps_use_new_codepoint: false,
         }
     }
 }
@@ -166,6 +168,13 @@ impl HttpsLayerSettingsBuilder {
         self
     }
 
+    /// Sets whether to use the new ALPS codepoint. Defaults to `false`.
+    #[inline]
+    pub fn alps_use_new_codepoint(mut self, enable: bool) -> Self {
+        self.0.alps_use_new_codepoint = enable;
+        self
+    }
+
     /// Consumes the builder, returning a new [`HttpsLayerSettings`]
     #[inline]
     pub fn build(self) -> HttpsLayerSettings {

diff --git a/src/tls/ext.rs b/src/tls/ext.rs
@@ -47,7 +47,11 @@ pub trait ConnectConfigurationExt {
     fn enable_ech_grease(&mut self, enable: bool) -> TlsResult<&mut ConnectConfiguration>;
 
     /// Configure the ALPS for the given `ConnectConfiguration`.
-    fn alps_protos(&mut self, alps: Option<AlpsProtos>) -> TlsResult<&mut ConnectConfiguration>;
+    fn alps_protos(
+        &mut self,
+        alps: Option<AlpsProtos>,
+        new_endpoint: bool,
+    ) -> TlsResult<&mut ConnectConfiguration>;
 
     /// Configure the no session ticket for the given `ConnectConfiguration`.
     fn skip_session_ticket(&mut self) -> TlsResult<&mut ConnectConfiguration>;
@@ -118,7 +122,11 @@ impl ConnectConfigurationExt for ConnectConfiguration {
     }
 
     #[inline]
-    fn alps_protos(&mut self, alps: Option<AlpsProtos>) -> TlsResult<&mut ConnectConfiguration> {
+    fn alps_protos(
+        &mut self,
+        alps: Option<AlpsProtos>,
+        new_endpoint: bool,
+    ) -> TlsResult<&mut ConnectConfiguration> {
         if let Some(alps) = alps {
             sv_handler(unsafe {
                 ffi::SSL_add_application_settings(
@@ -129,6 +137,12 @@ impl ConnectConfigurationExt for ConnectConfiguration {
                     0,
                 )
             })?;
+
+            if new_endpoint {
+                unsafe {
+                    ffi::SSL_set_alps_use_new_codepoint(self.as_ptr(), new_endpoint as _);
+                }
+            }
         }
 
         Ok(self)

diff --git a/src/tls/mod.rs b/src/tls/mod.rs
@@ -117,6 +117,7 @@ impl BoringTlsConnector {
             .skip_session_ticket(config.psk_skip_session_ticket)
             .alpn_protos(config.alpn_protos)
             .alps_protos(config.alps_protos)
+            .alps_use_new_codepoint(config.alps_use_new_codepoint)
             .enable_ech_grease(config.enable_ech_grease)
             .tls_sni(config.tls_sni)
             .verify_hostname(config.verify_hostname)
@@ -246,6 +247,14 @@ pub struct TlsConfig {
     #[builder(default, setter(into))]
     pub alps_protos: Option<AlpsProtos>,
 
+    /// Switching to a new codepoint for TLS ALPS extension to allow adding more data
+    /// in the ACCEPT_CH HTTP/2 and HTTP/3 frame. The ACCEPT_CH HTTP/2 frame with the
+    /// existing TLS ALPS extension had an arithmetic overflow bug in Chrome ALPS decoder.
+    /// It limits the capability to add more than 128 bytes data (in theory, the problem
+    /// range is 128 bytes to 255 bytes) to the ACCEPT_CH frame.
+    #[builder(default = false)]
+    pub alps_use_new_codepoint: bool,
+
     /// **Session Tickets** (RFC 5077) allow **session resumption** without the need for server-side state.
     ///
     /// This mechanism works as follows: