Deprecate gfe2_reloadable_flag_quic_enable_token_based_address_validation.
PiperOrigin-RevId: 373449202
diff --git a/quic/core/http/end_to_end_test.cc b/quic/core/http/end_to_end_test.cc
index 21300de..b54b03f 100644
--- a/quic/core/http/end_to_end_test.cc
+++ b/quic/core/http/end_to_end_test.cc
@@ -1565,17 +1565,11 @@
server_thread_->Pause();
QuicConnection* server_connection = GetServerConnection();
if (server_connection != nullptr) {
- if (GetQuicReloadableFlag(quic_enable_token_based_address_validation)) {
- // Verify address is validated via validating token received in INITIAL
- // packet.
- EXPECT_FALSE(server_connection->GetStats()
- .address_validated_via_decrypting_packet);
- EXPECT_TRUE(server_connection->GetStats().address_validated_via_token);
- } else {
- EXPECT_TRUE(server_connection->GetStats()
- .address_validated_via_decrypting_packet);
- EXPECT_FALSE(server_connection->GetStats().address_validated_via_token);
- }
+ // Verify address is validated via validating token received in INITIAL
+ // packet.
+ EXPECT_FALSE(
+ server_connection->GetStats().address_validated_via_decrypting_packet);
+ EXPECT_TRUE(server_connection->GetStats().address_validated_via_token);
} else {
ADD_FAILURE() << "Missing server connection";
}
@@ -2490,10 +2484,7 @@
HalfRttResponseBlocksShloRetransmissionWithoutTokenBasedAddressValidation) {
// Turn off token based address validation to make the server get constrained
// by amplification factor during handshake.
- // TODO(fayang): Keep this test while deprecating
- // quic_enable_token_based_address_validation. For example, consider always
- // rejecting the received address token.
- SetQuicReloadableFlag(quic_enable_token_based_address_validation, false);
+ SetQuicFlag(FLAGS_quic_reject_retry_token_in_initial_packet, true);
ASSERT_TRUE(Initialize());
if (!version_.SupportsAntiAmplificationLimit()) {
return;
@@ -2921,17 +2912,11 @@
server_thread_->Pause();
QuicConnection* server_connection = GetServerConnection();
if (server_connection != nullptr) {
- if (GetQuicReloadableFlag(quic_enable_token_based_address_validation)) {
- // Verify address is validated via validating token received in INITIAL
- // packet.
- EXPECT_FALSE(server_connection->GetStats()
- .address_validated_via_decrypting_packet);
- EXPECT_TRUE(server_connection->GetStats().address_validated_via_token);
- } else {
- EXPECT_TRUE(server_connection->GetStats()
- .address_validated_via_decrypting_packet);
- EXPECT_FALSE(server_connection->GetStats().address_validated_via_token);
- }
+ // Verify address is validated via validating token received in INITIAL
+ // packet.
+ EXPECT_FALSE(
+ server_connection->GetStats().address_validated_via_decrypting_packet);
+ EXPECT_TRUE(server_connection->GetStats().address_validated_via_token);
} else {
ADD_FAILURE() << "Missing server connection";
}
diff --git a/quic/core/quic_connection.cc b/quic/core/quic_connection.cc
index 1c6111f..f0795cd 100644
--- a/quic/core/quic_connection.cc
+++ b/quic/core/quic_connection.cc
@@ -1376,17 +1376,13 @@
uber_received_packet_manager_.RecordPacketReceived(
last_decrypted_packet_level_, last_header_,
idle_network_detector_.time_of_last_received_packet());
- if (GetQuicReloadableFlag(quic_enable_token_based_address_validation)) {
- QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_token_based_address_validation, 2,
- 2);
- if (EnforceAntiAmplificationLimit() && !IsHandshakeConfirmed() &&
- !header.retry_token.empty() &&
- visitor_->ValidateToken(header.retry_token)) {
- QUIC_DLOG(INFO) << ENDPOINT << "Address validated via token.";
- QUIC_CODE_COUNT(quic_address_validated_via_token);
- default_path_.validated = true;
- stats_.address_validated_via_token = true;
- }
+ if (EnforceAntiAmplificationLimit() && !IsHandshakeConfirmed() &&
+ !header.retry_token.empty() &&
+ visitor_->ValidateToken(header.retry_token)) {
+ QUIC_DLOG(INFO) << ENDPOINT << "Address validated via token.";
+ QUIC_CODE_COUNT(quic_address_validated_via_token);
+ default_path_.validated = true;
+ stats_.address_validated_via_token = true;
}
QUICHE_DCHECK(connected_);
return true;
@@ -2149,17 +2145,14 @@
if (debug_visitor_ != nullptr) {
debug_visitor_->OnNewTokenFrame(frame);
}
- if (GetQuicReloadableFlag(quic_enable_token_based_address_validation)) {
- if (perspective_ == Perspective::IS_SERVER) {
- CloseConnection(QUIC_INVALID_NEW_TOKEN,
- "Server received new token frame.",
- ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
- return false;
- }
- // NEW_TOKEN frame should insitgate ACKs.
- MaybeUpdateAckTimeout();
- visitor_->OnNewTokenReceived(frame.token);
+ if (perspective_ == Perspective::IS_SERVER) {
+ CloseConnection(QUIC_INVALID_NEW_TOKEN, "Server received new token frame.",
+ ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
+ return false;
}
+ // NEW_TOKEN frame should insitgate ACKs.
+ MaybeUpdateAckTimeout();
+ visitor_->OnNewTokenReceived(frame.token);
return true;
}
diff --git a/quic/core/quic_connection_test.cc b/quic/core/quic_connection_test.cc
index 7a38461..33ab3b3 100644
--- a/quic/core/quic_connection_test.cc
+++ b/quic/core/quic_connection_test.cc
@@ -13699,7 +13699,6 @@
if (!version().HasIetfQuicFrames()) {
return;
}
- SetQuicReloadableFlag(quic_enable_token_based_address_validation, true);
EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
QuicNewTokenFrame* new_token = new QuicNewTokenFrame();
@@ -13714,7 +13713,6 @@
if (!version().HasIetfQuicFrames()) {
return;
}
- SetQuicReloadableFlag(quic_enable_token_based_address_validation, true);
set_perspective(Perspective::IS_SERVER);
QuicNewTokenFrame* new_token = new QuicNewTokenFrame();
EXPECT_CALL(visitor_, OnNewTokenReceived(_)).Times(0);
diff --git a/quic/core/quic_flags_list.h b/quic/core/quic_flags_list.h
index 632000b..f5dddd1 100644
--- a/quic/core/quic_flags_list.h
+++ b/quic/core/quic_flags_list.h
@@ -71,8 +71,6 @@
QUIC_FLAG(FLAGS_quic_reloadable_flag_quic_enable_version_rfcv1, false)
// If true, enable server retransmittable on wire PING.
QUIC_FLAG(FLAGS_quic_reloadable_flag_quic_enable_server_on_wire_ping, true)
-// If true, enable token based address validation in IETF QUIC.
-QUIC_FLAG(FLAGS_quic_reloadable_flag_quic_enable_token_based_address_validation, true)
// If true, include stream information in idle timeout connection close detail.
QUIC_FLAG(FLAGS_quic_reloadable_flag_quic_add_stream_info_to_idle_close_detail, true)
// If true, increase the size of stream sequencer buffer block container on demand.
diff --git a/quic/core/quic_protocol_flags_list.h b/quic/core/quic_protocol_flags_list.h
index 5187c61..56f8359 100644
--- a/quic/core/quic_protocol_flags_list.h
+++ b/quic/core/quic_protocol_flags_list.h
@@ -249,4 +249,11 @@
true,
"If true, QUIC QPACK decoder includes 32-bytes overheader per entry while "
"comparing request/response header size against its upper limit.")
+
+QUIC_PROTOCOL_FLAG(
+ bool,
+ quic_reject_retry_token_in_initial_packet,
+ false,
+ "If true, always reject retry_token received in INITIAL packets")
+
#endif
diff --git a/quic/core/quic_session.cc b/quic/core/quic_session.cc
index 27c3033..1d4f697 100644
--- a/quic/core/quic_session.cc
+++ b/quic/core/quic_session.cc
@@ -1660,10 +1660,7 @@
// Server sends HANDSHAKE_DONE to signal confirmation of the handshake
// to the client.
control_frame_manager_.WriteOrBufferHandshakeDone();
- if (GetQuicReloadableFlag(quic_enable_token_based_address_validation) &&
- connection()->version().HasIetfQuicFrames()) {
- QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_token_based_address_validation,
- 1, 2);
+ if (connection()->version().HasIetfQuicFrames()) {
MaybeSendAddressToken();
}
}
@@ -2615,6 +2612,9 @@
bool QuicSession::ValidateToken(absl::string_view token) const {
QUICHE_DCHECK_EQ(perspective_, Perspective::IS_SERVER);
+ if (GetQuicFlag(FLAGS_quic_reject_retry_token_in_initial_packet)) {
+ return false;
+ }
if (token.empty() || token[0] != 0) {
// Validate the prefix for token received in NEW_TOKEN frame.
return false;
diff --git a/quic/core/tls_client_handshaker.cc b/quic/core/tls_client_handshaker.cc
index f2b8931..1b9de03 100644
--- a/quic/core/tls_client_handshaker.cc
+++ b/quic/core/tls_client_handshaker.cc
@@ -42,12 +42,10 @@
has_application_state_(has_application_state),
crypto_config_(crypto_config),
tls_connection_(crypto_config->ssl_ctx(), this) {
- if (GetQuicReloadableFlag(quic_enable_token_based_address_validation)) {
- std::string token =
- crypto_config->LookupOrCreate(server_id)->source_address_token();
- if (!token.empty()) {
- session->SetSourceAddressTokenToSend(token);
- }
+ std::string token =
+ crypto_config->LookupOrCreate(server_id)->source_address_token();
+ if (!token.empty()) {
+ session->SetSourceAddressTokenToSend(token);
}
}