Deprecate --gfe2_restart_flag_quic_tls_server_support_client_cert. PiperOrigin-RevId: 446019879
diff --git a/quiche/quic/core/quic_flags_list.h b/quiche/quic/core/quic_flags_list.h
index b7a888b..dd5b848 100644
--- a/quiche/quic/core/quic_flags_list.h
+++ b/quiche/quic/core/quic_flags_list.h
@@ -25,8 +25,6 @@ QUIC_FLAG(FLAGS_quic_reloadable_flag_quic_enable_mtu_discovery_at_server, false) // If true, QuicGsoBatchWriter will support release time if it is available and the process has the permission to do so. QUIC_FLAG(FLAGS_quic_restart_flag_quic_support_release_time_for_gso, false) -// If true, TlsServerHandshaker will be able to 1) request client cert, and 2) verify the client cert in the virtual method TlsServerHandshaker::VerifyCertChain. -QUIC_FLAG(FLAGS_quic_restart_flag_quic_tls_server_support_client_cert, true) // If true, abort async QPACK header decompression in QuicSpdyStream::Reset() and in QuicSpdyStream::OnStreamReset(). QUIC_FLAG(FLAGS_quic_reloadable_flag_quic_abort_qpack_on_stream_reset, true) // If true, ack frequency frame can be sent from server to client.
diff --git a/quiche/quic/core/quic_session.h b/quiche/quic/core/quic_session.h
index f43ef95..c6d5ec2 100644
--- a/quiche/quic/core/quic_session.h
+++ b/quiche/quic/core/quic_session.h
@@ -617,9 +617,6 @@ virtual QuicSSLConfig GetSSLConfig() const { return QuicSSLConfig(); } - // Latched value of flag --quic_tls_server_support_client_cert. - bool support_client_cert() const { return support_client_cert_; } - // Try converting all pending streams to normal streams. void ProcessAllPendingStreams(); @@ -1006,9 +1003,6 @@ // Whether BoringSSL randomizes the order of TLS extensions. bool permutes_tls_extensions_ = true; - - const bool support_client_cert_ = - GetQuicRestartFlag(quic_tls_server_support_client_cert); }; } // namespace quic
diff --git a/quiche/quic/core/tls_server_handshaker.cc b/quiche/quic/core/tls_server_handshaker.cc
index 58ea409..cee7a71 100644
--- a/quiche/quic/core/tls_server_handshaker.cc
+++ b/quiche/quic/core/tls_server_handshaker.cc
@@ -185,9 +185,8 @@ crypto_negotiated_params_(new QuicCryptoNegotiatedParameters), tls_connection_(crypto_config->ssl_ctx(), this, session->GetSSLConfig()), crypto_config_(crypto_config) { - QUIC_DVLOG(1) << "TlsServerHandshaker: support_client_cert:" - << session->support_client_cert() - << ", client_cert_mode initial value: " << client_cert_mode(); + QUIC_DVLOG(1) << "TlsServerHandshaker: client_cert_mode initial value: " + << client_cert_mode(); QUICHE_DCHECK_EQ(PROTOCOL_TLS1_3, session->connection()->version().handshake_protocol); @@ -611,13 +610,6 @@ const std::vector<std::string>& /*certs*/, std::string* /*error_details*/, std::unique_ptr<ProofVerifyDetails>* /*details*/, uint8_t* /*out_alert*/, std::unique_ptr<ProofVerifierCallback> /*callback*/) { - if (!session()->support_client_cert()) { - QUIC_BUG(quic_bug_10341_5) - << "Client certificates are not yet supported on the server"; - return QUIC_FAILURE; - } - - QUIC_RESTART_FLAG_COUNT_N(quic_tls_server_support_client_cert, 2, 2); QUIC_DVLOG(1) << "VerifyCertChain returning success"; // No real verification here. A subclass can override this function to verify @@ -980,13 +972,13 @@ ticket_encryption_key_ = std::string(ticket_encryption_key); select_cert_status_ = QUIC_FAILURE; cert_matched_sni_ = cert_matched_sni; - if (session()->support_client_cert()) { - if (delayed_ssl_config.client_cert_mode.has_value()) { - tls_connection_.SetClientCertMode(*delayed_ssl_config.client_cert_mode); - QUIC_DVLOG(1) << "client_cert_mode after cert selection: " - << client_cert_mode(); - } + + if (delayed_ssl_config.client_cert_mode.has_value()) { + tls_connection_.SetClientCertMode(*delayed_ssl_config.client_cert_mode); + QUIC_DVLOG(1) << "client_cert_mode after cert selection: " + << client_cert_mode(); } + if (ok) { if (chain && !chain->certs.empty()) { tls_connection_.SetCertChain(chain->ToCryptoBuffers().value);
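Review bot: With the flag-gated QUIC_BUG removed in the second hunk, the base `TlsServerHandshaker::VerifyCertChain` now unconditionally returns success, so a server that sets client_cert_mode to kRequest or kRequire but does not override this method will complete the handshake with whatever chain the client presents, self-signed included. The surviving comment "No real verification here" reads as an implementation note rather than a requirement; I would make it explicit: `// SECURITY: this default does NOT verify the chain and accepts anything the client sends. Any deployment that requests or requires client certificates MUST override this method.` The `/*error_details*/` and `/*out_alert*/` out-parameters are untouched on this success path, which is fine, but presumably an override is expected to fill them on failure, and the comment should say so if that is the contract. Since the flag already defaulted to true in quic_flags_list.h this is not a behaviour change at the default, but the guard was the only runtime signal that the no-op verifier was in use. The function's signature starts before this hunk and its body continues past it.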
diff --git a/quiche/quic/core/tls_server_handshaker_test.cc b/quiche/quic/core/tls_server_handshaker_test.cc
index 34ec60c..e652f05 100644
--- a/quiche/quic/core/tls_server_handshaker_test.cc
+++ b/quiche/quic/core/tls_server_handshaker_test.cc
@@ -924,11 +924,7 @@ CompleteCryptoHandshake(); ExpectHandshakeSuccessful(); - if (GetQuicRestartFlag(quic_tls_server_support_client_cert)) { - EXPECT_TRUE(server_handshaker_->received_client_cert()); - } else { - EXPECT_FALSE(server_handshaker_->received_client_cert()); - } + EXPECT_TRUE(server_handshaker_->received_client_cert()); } TEST_P(TlsServerHandshakerTest, RequestClientCertByDelayedSslConfig) { @@ -950,11 +946,7 @@ CompleteCryptoHandshake(); ExpectHandshakeSuccessful(); - if (GetQuicRestartFlag(quic_tls_server_support_client_cert)) { - EXPECT_TRUE(server_handshaker_->received_client_cert()); - } else { - EXPECT_FALSE(server_handshaker_->received_client_cert()); - } + EXPECT_TRUE(server_handshaker_->received_client_cert()); } TEST_P(TlsServerHandshakerTest, RequestClientCert_NoCert) { @@ -983,12 +975,7 @@ CompleteCryptoHandshake(); ExpectHandshakeSuccessful(); - - if (GetQuicRestartFlag(quic_tls_server_support_client_cert)) { - EXPECT_TRUE(server_handshaker_->received_client_cert()); - } else { - EXPECT_FALSE(server_handshaker_->received_client_cert()); - } + EXPECT_TRUE(server_handshaker_->received_client_cert()); } TEST_P(TlsServerHandshakerTest, RequestAndRequireClientCertByDelayedSslConfig) { @@ -1010,11 +997,7 @@ CompleteCryptoHandshake(); ExpectHandshakeSuccessful(); - if (GetQuicRestartFlag(quic_tls_server_support_client_cert)) { - EXPECT_TRUE(server_handshaker_->received_client_cert()); - } else { - EXPECT_FALSE(server_handshaker_->received_client_cert()); - } + EXPECT_TRUE(server_handshaker_->received_client_cert()); } TEST_P(TlsServerHandshakerTest, RequestAndRequireClientCert_NoCert) { 
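Review bot: The four now-unconditional `EXPECT_TRUE(server_handshaker_->received_client_cert());` assertions pin that a client certificate arrived, but nothing in these hunks checks that a rejected chain actually aborts the handshake — under the default `VerifyCertChain`, which accepts any chain, "received" and "accepted" are indistinguishable. If the suite does not already cover it, I would add a case where the handshaker's `VerifyCertChain` is overridden to return QUIC_FAILURE and assert the server closes the connection instead of reaching `ExpectHandshakeSuccessful()`, mirroring the `CloseConnection(QUIC_TLS_CERTIFICATE_REQUIRED, _, _, _)` expectation used for the no-cert case. Each of these TEST_P bodies begins before its hunk.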
@@ -1025,10 +1008,9 @@ /*compute_signature_action=*/FakeProofSourceHandle::Action:: DELEGATE_SYNC); - if (GetQuicRestartFlag(quic_tls_server_support_client_cert)) { - EXPECT_CALL(*server_connection_, - CloseConnection(QUIC_TLS_CERTIFICATE_REQUIRED, _, _, _)); - } + EXPECT_CALL(*server_connection_, + CloseConnection(QUIC_TLS_CERTIFICATE_REQUIRED, _, _, _)); + AdvanceHandshakeWithFakeClient(); AdvanceHandshakeWithFakeClient(); EXPECT_FALSE(server_handshaker_->received_client_cert());
diff --git a/quiche/quic/test_tools/quic_test_utils.h b/quiche/quic/test_tools/quic_test_utils.h
index 2a3b2b0..f43b12d 100644
--- a/quiche/quic/test_tools/quic_test_utils.h
+++ b/quiche/quic/test_tools/quic_test_utils.h
@@ -1037,11 +1037,7 @@ void set_early_data_enabled(bool enabled) { early_data_enabled_ = enabled; } - void set_client_cert_mode(ClientCertMode mode) { - if (support_client_cert()) { - client_cert_mode_ = mode; - } - } + void set_client_cert_mode(ClientCertMode mode) { client_cert_mode_ = mode; } private: MockQuicSessionVisitor visitor_;