Check IsHandshakeComplete() rather than encryption_level_ == ENCRYPTION_FORWARD_SECURE in QuicConnection::ShouldEnqueueUnDecryptablePacket. This allows IETF QUIC handshakes to queue 1-RTT packets when the server has 1-RTT send keys, but not 1-RTT receive keys. Discovered during cr/382276435
Protected by gfe2_reloadable_flags_quic_queue_until_handshake_complete.
PiperOrigin-RevId: 382820452
diff --git a/quic/core/quic_connection.cc b/quic/core/quic_connection.cc
index 498c2d8..88eed21 100644
--- a/quic/core/quic_connection.cc
+++ b/quic/core/quic_connection.cc
@@ -2766,21 +2766,27 @@
}
bool QuicConnection::ShouldEnqueueUnDecryptablePacket(
- EncryptionLevel decryption_level,
- bool has_decryption_key) const {
- if (encryption_level_ == ENCRYPTION_FORWARD_SECURE) {
+ EncryptionLevel decryption_level, bool has_decryption_key) const {
+ if (!GetQuicReloadableFlag(quic_queue_until_handshake_complete) &&
+ encryption_level_ == ENCRYPTION_FORWARD_SECURE) {
// We do not expect to install any further keys.
return false;
}
- if (undecryptable_packets_.size() >= max_undecryptable_packets_) {
- // We do not queue more than max_undecryptable_packets_ packets.
- return false;
- }
if (has_decryption_key) {
// We already have the key for this decryption level, therefore no
// future keys will allow it be decrypted.
return false;
}
+ if (GetQuicReloadableFlag(quic_queue_until_handshake_complete) &&
+ IsHandshakeComplete()) {
+ QUICHE_RELOADABLE_FLAG_COUNT(quic_queue_until_handshake_complete);
+ // We do not expect to install any further keys.
+ return false;
+ }
+ if (undecryptable_packets_.size() >= max_undecryptable_packets_) {
+ // We do not queue more than max_undecryptable_packets_ packets.
+ return false;
+ }
if (version().KnowsWhichDecrypterToUse() &&
decryption_level == ENCRYPTION_INITIAL) {
// When the corresponding decryption key is not available, all
diff --git a/quic/core/quic_flags_list.h b/quic/core/quic_flags_list.h
index f7556f9..ce48d25 100644
--- a/quic/core/quic_flags_list.h
+++ b/quic/core/quic_flags_list.h
@@ -117,6 +117,8 @@
QUIC_FLAG(FLAGS_quic_reloadable_flag_quic_server_reverse_validate_new_path3, true)
// If ture, replace the incoming_connection_ids check with original_destination_connection_id check.
QUIC_FLAG(FLAGS_quic_reloadable_flag_quic_deprecate_incoming_connection_ids, true)
+// Queue packets to attempt decryption later until the handshake is complete.
+QUIC_FLAG(FLAGS_quic_reloadable_flag_quic_queue_until_handshake_complete, false)
// When the STMP connection option is sent by the client, timestamps in the QUIC ACK frame are sent and processed.
QUIC_FLAG(FLAGS_quic_reloadable_flag_quic_send_timestamps, false)
// When true, defaults to BBR congestion control instead of Cubic.
