Do not send PATH_CHALLENGE or PATH_RESPONSE when the 1-RTT write key is not available. This has no functional impact because:
1) Client does not initiate path validation until the handshake is confirmed.
2) Server does not allow peer address change during handshake (no reverse path validation until handshake complete).
3) Server can only receive PATH_CHALLENGE in ENCRYPTION_ZERO_RTT and ENCRYPTION_FORWARD_SECURE, while server must have 1-RTT write key. Client can only receive PATH_CHALLENGE in ENCRYPTION_FORWARD_SECURE, while client must have 1-RTT write key.

This is needed since we are going to allow address change during the handshake.

PiperOrigin-RevId: 379936797
diff --git a/quic/core/quic_connection.cc b/quic/core/quic_connection.cc
index ce99e65..d525242 100644
--- a/quic/core/quic_connection.cc
+++ b/quic/core/quic_connection.cc
@@ -6590,6 +6590,9 @@
     const QuicSocketAddress& peer_address,
     const QuicSocketAddress& effective_peer_address,
     QuicPacketWriter* writer) {
+  if (!framer_.HasEncrypterOfEncryptionLevel(ENCRYPTION_FORWARD_SECURE)) {
+    return connected_;
+  }
   if (connection_migration_use_new_cid_) {
     {
       QuicConnectionId client_cid, server_cid;
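Review bot: The new guard at the top of this function has no comment saying why the frame is dropped instead of being sent at another encryption level, and the same is true of the identical guard in the second hunk. I would add above both something like `// PATH_CHALLENGE/PATH_RESPONSE are only sent with 1-RTT keys; without them, skip sending rather than use a lower encryption level.` Returning `connected_` also reports the skip to the caller as if the send had succeeded, so whatever started the validation presumably learns of it only through a timeout. It is worth confirming that this is intended once address change during the handshake is enabled. The function's signature and the rest of its body are outside the hunk.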
@@ -6711,6 +6714,9 @@
     const QuicPathFrameBuffer& data_buffer,
     const QuicSocketAddress& peer_address_to_send,
     const QuicSocketAddress& effective_peer_address) {
+  if (!framer_.HasEncrypterOfEncryptionLevel(ENCRYPTION_FORWARD_SECURE)) {
+    return false;
+  }
   QuicConnectionId client_cid, server_cid;
   if (connection_migration_use_new_cid_) {
     FindOnPathConnectionIds(last_received_packet_info_.destination_address,
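Review bot: The early `return false;` drops a PATH_RESPONSE without leaving any trace, and `false` likely reads to the caller the same as a failed write. The commit message says this path becomes reachable once address change during the handshake is allowed, so a debug log before the return would make a skipped response diagnosable, e.g. `QUIC_DVLOG(1) << "Skip PATH_RESPONSE: 1-RTT write key not available";`. A unit test exercising both guards with only handshake keys installed is not visible in this diff. The function begins and continues outside the hunk.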