Ignore key_update_not_yet_support transport parameter

When we first introduced IETF QUIC key update, we were communicating with older versions of our implementation that didn't support this feature. If we updated keys when communicating with that older software, the connection would fail. To avoid that, we added a temporary key_update_not_yet_supported transport parameter that would disable key updates. We stopped sending that transport parameter when we added support for key updates in Chrome m88. That version is no longer in any experiments, and it also did not yet have IETF QUIC default-enabled, so we are guaranteed to no longer be communicating over IETF QUIC with this old software. It's therefore safe to ignore this transport parameter, as it no longer provides value. Once we deprecate the flag, we'll remove the transport parameter entirely.

Protected by FLAGS_quic_reloadable_flag_quic_ignore_key_update_not_yet_supported.

PiperOrigin-RevId: 402628993
diff --git a/quic/core/crypto/transport_parameters.cc b/quic/core/crypto/transport_parameters.cc
index dcd2fc9..fec6cc5 100644
--- a/quic/core/crypto/transport_parameters.cc
+++ b/quic/core/crypto/transport_parameters.cc
@@ -156,12 +156,13 @@
     case TransportParameters::kMaxDatagramFrameSize:
     case TransportParameters::kInitialRoundTripTime:
     case TransportParameters::kGoogleConnectionOptions:
-    case TransportParameters::kGoogleKeyUpdateNotYetSupported:
     case TransportParameters::kGoogleQuicVersion:
     case TransportParameters::kMinAckDelay:
       return true;
     case TransportParameters::kGoogleUserAgentId:
       return !GetQuicReloadableFlag(quic_ignore_user_agent_transport_parameter);
+    case TransportParameters::kGoogleKeyUpdateNotYetSupported:
+      return !GetQuicReloadableFlag(quic_ignore_key_update_not_yet_supported);
   }
   return false;
 }
@@ -1351,6 +1352,24 @@
         out->user_agent_id = std::string(value_reader.ReadRemainingPayload());
         break;
       case TransportParameters::kGoogleKeyUpdateNotYetSupported:
+        if (GetQuicReloadableFlag(quic_ignore_key_update_not_yet_supported)) {
+          QUIC_RELOADABLE_FLAG_COUNT_N(quic_ignore_key_update_not_yet_supported,
+                                       1, 2);
+          QUIC_CODE_COUNT(quic_ignore_key_update_not_yet_supported_ignored);
+          // This is a copy of the default switch statement below.
+          // TODO(dschinazi) remove this case entirely when deprecating the
+          // quic_ignore_key_update_not_yet_supported flag.
+          if (out->custom_parameters.find(param_id) !=
+              out->custom_parameters.end()) {
+            *error_details = "Received a second unknown parameter" +
+                             TransportParameterIdToString(param_id);
+            return false;
+          }
+          out->custom_parameters[param_id] =
+              std::string(value_reader.ReadRemainingPayload());
+          break;
+        }
+        QUIC_CODE_COUNT(quic_ignore_key_update_not_yet_supported_received);
         if (out->key_update_not_yet_supported) {
           *error_details = "Received a second key_update_not_yet_supported";
           return false;
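Review bot: The duplicate-parameter error in the new flag-on branch concatenates `"Received a second unknown parameter"` directly with `TransportParameterIdToString(param_id)`, so the id runs into the word "parameter" unless that helper emits a leading separator. I would write `*error_details = "Received a second unknown parameter " + TransportParameterIdToString(param_id);`. Since the comment says this is a copy of the default case, that case (outside this hunk) presumably needs the same fix. The branch also stores the peer-supplied payload verbatim in `custom_parameters` without the checks the dedicated handling applies, so a short comment such as `// Payload is kept unvalidated, exactly like any other unknown parameter.` would make that intent explicit. The dedicated handling starts on the last lines of the hunk and continues past it.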
diff --git a/quic/core/crypto/transport_parameters_test.cc b/quic/core/crypto/transport_parameters_test.cc
index a758d81..05ada68 100644
--- a/quic/core/crypto/transport_parameters_test.cc
+++ b/quic/core/crypto/transport_parameters_test.cc
@@ -285,7 +285,9 @@
   if (!GetQuicReloadableFlag(quic_ignore_user_agent_transport_parameter)) {
     orig_params.user_agent_id = CreateFakeUserAgentId();
   }
-  orig_params.key_update_not_yet_supported = kFakeKeyUpdateNotYetSupported;
+  if (!GetQuicReloadableFlag(quic_ignore_key_update_not_yet_supported)) {
+    orig_params.key_update_not_yet_supported = kFakeKeyUpdateNotYetSupported;
+  }
   orig_params.custom_parameters[kCustomParameter1] = kCustomParameter1Value;
   orig_params.custom_parameters[kCustomParameter2] = kCustomParameter2Value;
 
@@ -589,7 +591,9 @@
   } else {
     EXPECT_FALSE(new_params.user_agent_id.has_value());
   }
-  EXPECT_TRUE(new_params.key_update_not_yet_supported);
+  if (!GetQuicReloadableFlag(quic_ignore_key_update_not_yet_supported)) {
+    EXPECT_TRUE(new_params.key_update_not_yet_supported);
+  }
 }
 
 TEST_P(TransportParametersTest,
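Review bot: With the flag enabled, nothing is asserted about `key_update_not_yet_supported` any more, because the guarded `EXPECT_TRUE` simply disappears, so the new ignore path in the parser has no coverage here or in the hunk at line 847. I would add an else arm, `} else { EXPECT_FALSE(new_params.key_update_not_yet_supported); }`, to both. For the test that parses a fixed byte sequence, also check that the parameter id lands in `new_params.custom_parameters` if the input still carries it. That input is outside the hunk, so this is to be confirmed. Both test bodies start outside their hunks.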
@@ -847,7 +851,9 @@
   EXPECT_EQ(CreateFakeGoogleConnectionOptions(),
             new_params.google_connection_options.value());
   EXPECT_FALSE(new_params.user_agent_id.has_value());
-  EXPECT_TRUE(new_params.key_update_not_yet_supported);
+  if (!GetQuicReloadableFlag(quic_ignore_key_update_not_yet_supported)) {
+    EXPECT_TRUE(new_params.key_update_not_yet_supported);
+  }
 }
 
 TEST_P(TransportParametersTest, ParseServerParametersRepeated) {
diff --git a/quic/core/quic_flags_list.h b/quic/core/quic_flags_list.h
index b40bd6c..3416be7 100644
--- a/quic/core/quic_flags_list.h
+++ b/quic/core/quic_flags_list.h
@@ -121,6 +121,8 @@
 QUIC_FLAG(FLAGS_quic_reloadable_flag_quic_match_ietf_reset_code, false)
 // When the flag is true, exit STARTUP after the same number of loss events as PROBE_UP.
 QUIC_FLAG(FLAGS_quic_reloadable_flag_quic_bbr2_startup_probe_up_loss_events, true)
+// When true, QUIC server will ignore received key_update_not_yet_supported transport parameter.
+QUIC_FLAG(FLAGS_quic_reloadable_flag_quic_ignore_key_update_not_yet_supported, false)
 // When true, QUIC server will ignore received user agent transport parameter and rely on getting that information from HTTP headers.
 QUIC_FLAG(FLAGS_quic_reloadable_flag_quic_ignore_user_agent_transport_parameter, false)
 // When true, QuicDispatcher will silently drop incoming packets whose UDP source port is on the blocklist.
diff --git a/quic/core/tls_server_handshaker.cc b/quic/core/tls_server_handshaker.cc
index 4e47a63..fba927f 100644
--- a/quic/core/tls_server_handshaker.cc
+++ b/quic/core/tls_server_handshaker.cc
@@ -474,17 +474,22 @@
   // Notify QuicConnectionDebugVisitor.
   session()->connection()->OnTransportParametersReceived(client_params);
 
-  // Chrome clients before 86.0.4233.0 did not send the
-  // key_update_not_yet_supported transport parameter, but they did send a
-  // Google-internal transport parameter with identifier 0x4751. We treat
-  // reception of 0x4751 as having received key_update_not_yet_supported to
-  // ensure we do not use key updates with those older clients.
-  // TODO(dschinazi) remove this workaround once all of our QUIC+TLS Finch
-  // experiments have a min_version greater than 86.0.4233.0.
-  if (client_params.custom_parameters.find(
-          static_cast<TransportParameters::TransportParameterId>(0x4751)) !=
-      client_params.custom_parameters.end()) {
-    client_params.key_update_not_yet_supported = true;
+  if (GetQuicReloadableFlag(quic_ignore_key_update_not_yet_supported)) {
+    QUIC_RELOADABLE_FLAG_COUNT_N(quic_ignore_key_update_not_yet_supported, 2,
+                                 2);
+  } else {
+    // Chrome clients before 86.0.4233.0 did not send the
+    // key_update_not_yet_supported transport parameter, but they did send a
+    // Google-internal transport parameter with identifier 0x4751. We treat
+    // reception of 0x4751 as having received key_update_not_yet_supported to
+    // ensure we do not use key updates with those older clients.
+    // TODO(dschinazi) remove this workaround once all of our QUIC+TLS Finch
+    // experiments have a min_version greater than 86.0.4233.0.
+    if (client_params.custom_parameters.find(
+            static_cast<TransportParameters::TransportParameterId>(0x4751)) !=
+        client_params.custom_parameters.end()) {
+      client_params.key_update_not_yet_supported = true;
+    }
   }
 
   // When interoperating with non-Google implementations that do not send
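Review bot: The flag-on arm of the new `if` holds only the flag counter, and the reason it is safe to skip the 0x4751 workaround lives only in the commit message. I would add a comment above the `if`, for example `// Clients old enough to need key_update_not_yet_supported (or its 0x4751 predecessor) no longer negotiate IETF QUIC, so both signals are ignored when the flag is on.` It is also worth confirming that every later reader of `client_params.key_update_not_yet_supported` behaves correctly when it is always false under the flag. Those readers are outside this hunk, as is the rest of the enclosing function.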