Google Git
Sign in
quiche/quiche/5e0ef2b341ea5853b3d58f0c92642f2b0f4b96c9^!/.
commit
5e0ef2b341ea5853b3d58f0c92642f2b0f4b96c9
[log] [tgz]
author
fayang <fayang@google.com>
Wed May 12 14:16:28 2021 -0700
committer
Copybara-Service <copybara-worker@google.com>
Wed May 12 14:16:57 2021 -0700
tree
b3eccab2a130c6a4ac2a0fca1115b14b97ed3335
parent
c8b2f226ae67f1089c22d75ffb86c2d51ce0ef35 [diff]
Deprecate gfe2_reloadable_flag_quic_enable_token_based_address_validation.

PiperOrigin-RevId: 373449202

diff --git a/quic/core/http/end_to_end_test.cc b/quic/core/http/end_to_end_test.cc
index 21300de..b54b03f 100644
--- a/quic/core/http/end_to_end_test.cc
+++ b/quic/core/http/end_to_end_test.cc

@@ -1565,17 +1565,11 @@
   server_thread_->Pause();
   QuicConnection* server_connection = GetServerConnection();
   if (server_connection != nullptr) {
-    if (GetQuicReloadableFlag(quic_enable_token_based_address_validation)) {
-      // Verify address is validated via validating token received in INITIAL
-      // packet.
-      EXPECT_FALSE(server_connection->GetStats()
-                       .address_validated_via_decrypting_packet);
-      EXPECT_TRUE(server_connection->GetStats().address_validated_via_token);
-    } else {
-      EXPECT_TRUE(server_connection->GetStats()
-                      .address_validated_via_decrypting_packet);
-      EXPECT_FALSE(server_connection->GetStats().address_validated_via_token);
-    }
+    // Verify address is validated via validating token received in INITIAL
+    // packet.
+    EXPECT_FALSE(
+        server_connection->GetStats().address_validated_via_decrypting_packet);
+    EXPECT_TRUE(server_connection->GetStats().address_validated_via_token);
   } else {
     ADD_FAILURE() << "Missing server connection";
   }
@@ -2490,10 +2484,7 @@
     HalfRttResponseBlocksShloRetransmissionWithoutTokenBasedAddressValidation) {
   // Turn off token based address validation to make the server get constrained
   // by amplification factor during handshake.
-  // TODO(fayang): Keep this test while deprecating
-  // quic_enable_token_based_address_validation. For example, consider always
-  // rejecting the received address token.
-  SetQuicReloadableFlag(quic_enable_token_based_address_validation, false);
+  SetQuicFlag(FLAGS_quic_reject_retry_token_in_initial_packet, true);
   ASSERT_TRUE(Initialize());
   if (!version_.SupportsAntiAmplificationLimit()) {
     return;
@@ -2921,17 +2912,11 @@
   server_thread_->Pause();
   QuicConnection* server_connection = GetServerConnection();
   if (server_connection != nullptr) {
-    if (GetQuicReloadableFlag(quic_enable_token_based_address_validation)) {
-      // Verify address is validated via validating token received in INITIAL
-      // packet.
-      EXPECT_FALSE(server_connection->GetStats()
-                       .address_validated_via_decrypting_packet);
-      EXPECT_TRUE(server_connection->GetStats().address_validated_via_token);
-    } else {
-      EXPECT_TRUE(server_connection->GetStats()
-                      .address_validated_via_decrypting_packet);
-      EXPECT_FALSE(server_connection->GetStats().address_validated_via_token);
-    }
+    // Verify address is validated via validating token received in INITIAL
+    // packet.
+    EXPECT_FALSE(
+        server_connection->GetStats().address_validated_via_decrypting_packet);
+    EXPECT_TRUE(server_connection->GetStats().address_validated_via_token);
   } else {
     ADD_FAILURE() << "Missing server connection";
   }

diff --git a/quic/core/quic_connection.cc b/quic/core/quic_connection.cc
index 1c6111f..f0795cd 100644
--- a/quic/core/quic_connection.cc
+++ b/quic/core/quic_connection.cc

@@ -1376,17 +1376,13 @@
   uber_received_packet_manager_.RecordPacketReceived(
       last_decrypted_packet_level_, last_header_,
       idle_network_detector_.time_of_last_received_packet());
-  if (GetQuicReloadableFlag(quic_enable_token_based_address_validation)) {
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_token_based_address_validation, 2,
-                                 2);
-    if (EnforceAntiAmplificationLimit() && !IsHandshakeConfirmed() &&
-        !header.retry_token.empty() &&
-        visitor_->ValidateToken(header.retry_token)) {
-      QUIC_DLOG(INFO) << ENDPOINT << "Address validated via token.";
-      QUIC_CODE_COUNT(quic_address_validated_via_token);
-      default_path_.validated = true;
-      stats_.address_validated_via_token = true;
-    }
+  if (EnforceAntiAmplificationLimit() && !IsHandshakeConfirmed() &&
+      !header.retry_token.empty() &&
+      visitor_->ValidateToken(header.retry_token)) {
+    QUIC_DLOG(INFO) << ENDPOINT << "Address validated via token.";
+    QUIC_CODE_COUNT(quic_address_validated_via_token);
+    default_path_.validated = true;
+    stats_.address_validated_via_token = true;
   }
   QUICHE_DCHECK(connected_);
   return true;
@@ -2149,17 +2145,14 @@
   if (debug_visitor_ != nullptr) {
     debug_visitor_->OnNewTokenFrame(frame);
   }
-  if (GetQuicReloadableFlag(quic_enable_token_based_address_validation)) {
-    if (perspective_ == Perspective::IS_SERVER) {
-      CloseConnection(QUIC_INVALID_NEW_TOKEN,
-                      "Server received new token frame.",
-                      ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
-      return false;
-    }
-    // NEW_TOKEN frame should insitgate ACKs.
-    MaybeUpdateAckTimeout();
-    visitor_->OnNewTokenReceived(frame.token);
+  if (perspective_ == Perspective::IS_SERVER) {
+    CloseConnection(QUIC_INVALID_NEW_TOKEN, "Server received new token frame.",
+                    ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
+    return false;
   }
+  // NEW_TOKEN frame should insitgate ACKs.
+  MaybeUpdateAckTimeout();
+  visitor_->OnNewTokenReceived(frame.token);
   return true;
 }
 

diff --git a/quic/core/quic_connection_test.cc b/quic/core/quic_connection_test.cc
index 7a38461..33ab3b3 100644
--- a/quic/core/quic_connection_test.cc
+++ b/quic/core/quic_connection_test.cc

@@ -13699,7 +13699,6 @@
   if (!version().HasIetfQuicFrames()) {
     return;
   }
-  SetQuicReloadableFlag(quic_enable_token_based_address_validation, true);
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
 
   QuicNewTokenFrame* new_token = new QuicNewTokenFrame();
@@ -13714,7 +13713,6 @@
   if (!version().HasIetfQuicFrames()) {
     return;
   }
-  SetQuicReloadableFlag(quic_enable_token_based_address_validation, true);
   set_perspective(Perspective::IS_SERVER);
   QuicNewTokenFrame* new_token = new QuicNewTokenFrame();
   EXPECT_CALL(visitor_, OnNewTokenReceived(_)).Times(0);

diff --git a/quic/core/quic_flags_list.h b/quic/core/quic_flags_list.h
index 632000b..f5dddd1 100644
--- a/quic/core/quic_flags_list.h
+++ b/quic/core/quic_flags_list.h

@@ -71,8 +71,6 @@
 QUIC_FLAG(FLAGS_quic_reloadable_flag_quic_enable_version_rfcv1, false)
 // If true, enable server retransmittable on wire PING.
 QUIC_FLAG(FLAGS_quic_reloadable_flag_quic_enable_server_on_wire_ping, true)
-// If true, enable token based address validation in IETF QUIC.
-QUIC_FLAG(FLAGS_quic_reloadable_flag_quic_enable_token_based_address_validation, true)
 // If true, include stream information in idle timeout connection close detail.
 QUIC_FLAG(FLAGS_quic_reloadable_flag_quic_add_stream_info_to_idle_close_detail, true)
 // If true, increase the size of stream sequencer buffer block container on demand.

diff --git a/quic/core/quic_protocol_flags_list.h b/quic/core/quic_protocol_flags_list.h
index 5187c61..56f8359 100644
--- a/quic/core/quic_protocol_flags_list.h
+++ b/quic/core/quic_protocol_flags_list.h

@@ -249,4 +249,11 @@
     true,
     "If true, QUIC QPACK decoder includes 32-bytes overheader per entry while "
     "comparing request/response header size against its upper limit.")
+
+QUIC_PROTOCOL_FLAG(
+    bool,
+    quic_reject_retry_token_in_initial_packet,
+    false,
+    "If true, always reject retry_token received in INITIAL packets")
+
 #endif

diff --git a/quic/core/quic_session.cc b/quic/core/quic_session.cc
index 27c3033..1d4f697 100644
--- a/quic/core/quic_session.cc
+++ b/quic/core/quic_session.cc

@@ -1660,10 +1660,7 @@
     // Server sends HANDSHAKE_DONE to signal confirmation of the handshake
     // to the client.
     control_frame_manager_.WriteOrBufferHandshakeDone();
-    if (GetQuicReloadableFlag(quic_enable_token_based_address_validation) &&
-        connection()->version().HasIetfQuicFrames()) {
-      QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_token_based_address_validation,
-                                   1, 2);
+    if (connection()->version().HasIetfQuicFrames()) {
       MaybeSendAddressToken();
     }
   }
@@ -2615,6 +2612,9 @@
 
 bool QuicSession::ValidateToken(absl::string_view token) const {
   QUICHE_DCHECK_EQ(perspective_, Perspective::IS_SERVER);
+  if (GetQuicFlag(FLAGS_quic_reject_retry_token_in_initial_packet)) {
+    return false;
+  }
   if (token.empty() || token[0] != 0) {
     // Validate the prefix for token received in NEW_TOKEN frame.
     return false;

diff --git a/quic/core/tls_client_handshaker.cc b/quic/core/tls_client_handshaker.cc
index f2b8931..1b9de03 100644
--- a/quic/core/tls_client_handshaker.cc
+++ b/quic/core/tls_client_handshaker.cc

@@ -42,12 +42,10 @@
       has_application_state_(has_application_state),
       crypto_config_(crypto_config),
       tls_connection_(crypto_config->ssl_ctx(), this) {
-  if (GetQuicReloadableFlag(quic_enable_token_based_address_validation)) {
-    std::string token =
-        crypto_config->LookupOrCreate(server_id)->source_address_token();
-    if (!token.empty()) {
-      session->SetSourceAddressTokenToSend(token);
-    }
+  std::string token =
+      crypto_config->LookupOrCreate(server_id)->source_address_token();
+  if (!token.empty()) {
+    session->SetSourceAddressTokenToSend(token);
   }
 }