Deprecate reloadable flag: enable_tls_trust_anchor_ids

This removes the code path in TlsServerConnection::SetCertChain() that uses SSL_set_chain_and_key(). Now, SetCertChain() will always use BoringSSL's SSL_CREDENTIAL interface.

PiperOrigin-RevId: 822649077
diff --git a/quiche/common/quiche_feature_flags_list.h b/quiche/common/quiche_feature_flags_list.h
index 861fc85..427f473 100755
--- a/quiche/common/quiche_feature_flags_list.h
+++ b/quiche/common/quiche_feature_flags_list.h
@@ -9,7 +9,6 @@
 #if defined(QUICHE_FLAG)
 
 QUICHE_FLAG(bool, quiche_reloadable_flag_enable_h3_origin_frame, false, true, "If true, enables support for parsing HTTP/3 ORIGIN frames.")
-QUICHE_FLAG(bool, quiche_reloadable_flag_enable_tls_trust_anchor_ids, true, true, "When true, QUIC client and server will support TLS Trust Anchor IDs.")
 QUICHE_FLAG(bool, quiche_reloadable_flag_quic_act_upon_invalid_header, true, true, "If true, reject or send error response code upon receiving invalid request or response headers.")
 QUICHE_FLAG(bool, quiche_reloadable_flag_quic_add_stream_info_to_idle_close_detail, false, true, "If true, include stream information in idle timeout connection close detail.")
 QUICHE_FLAG(bool, quiche_reloadable_flag_quic_allow_client_enabled_2x_initial_cwnd, true, true, "Doubles the initial congestion window for QUIC connections when initiated by the client")
diff --git a/quiche/quic/core/crypto/tls_server_connection.cc b/quiche/quic/core/crypto/tls_server_connection.cc
index 06c5825..de6f920 100644
--- a/quiche/quic/core/crypto/tls_server_connection.cc
+++ b/quiche/quic/core/crypto/tls_server_connection.cc
@@ -76,30 +76,24 @@
 void TlsServerConnection::SetCertChain(
     const std::vector<CRYPTO_BUFFER*>& cert_chain,
     const std::string& trust_anchor_id) {
-  if (GetQuicReloadableFlag(enable_tls_trust_anchor_ids)) {
-    QUIC_RELOADABLE_FLAG_COUNT_N(enable_tls_trust_anchor_ids, 1, 2);
-    bssl::UniquePtr<SSL_CREDENTIAL> credential(SSL_CREDENTIAL_new_x509());
-    SSL_CREDENTIAL_set1_cert_chain(credential.get(), cert_chain.data(),
-                                   cert_chain.size());
-    if (ssl_config().signing_algorithm_prefs.has_value()) {
-      SSL_CREDENTIAL_set1_signing_algorithm_prefs(
-          credential.get(), ssl_config().signing_algorithm_prefs->data(),
-          ssl_config().signing_algorithm_prefs->size());
-    }
-    SSL_CREDENTIAL_set_private_key_method(
-        credential.get(), &TlsServerConnection::kPrivateKeyMethod);
-    if (!trust_anchor_id.empty()) {
-      SSL_CREDENTIAL_set1_trust_anchor_id(
-          credential.get(),
-          reinterpret_cast<const uint8_t*>(trust_anchor_id.data()),
-          trust_anchor_id.size());
-      SSL_CREDENTIAL_set_must_match_issuer(credential.get(), 1);
-    }
-    SSL_add1_credential(ssl(), credential.get());
-  } else {
-    SSL_set_chain_and_key(ssl(), cert_chain.data(), cert_chain.size(), nullptr,
-                          &TlsServerConnection::kPrivateKeyMethod);
+  bssl::UniquePtr<SSL_CREDENTIAL> credential(SSL_CREDENTIAL_new_x509());
+  SSL_CREDENTIAL_set1_cert_chain(credential.get(), cert_chain.data(),
+                                 cert_chain.size());
+  if (ssl_config().signing_algorithm_prefs.has_value()) {
+    SSL_CREDENTIAL_set1_signing_algorithm_prefs(
+        credential.get(), ssl_config().signing_algorithm_prefs->data(),
+        ssl_config().signing_algorithm_prefs->size());
   }
+  SSL_CREDENTIAL_set_private_key_method(
+      credential.get(), &TlsServerConnection::kPrivateKeyMethod);
+  if (!trust_anchor_id.empty()) {
+    SSL_CREDENTIAL_set1_trust_anchor_id(
+        credential.get(),
+        reinterpret_cast<const uint8_t*>(trust_anchor_id.data()),
+        trust_anchor_id.size());
+    SSL_CREDENTIAL_set_must_match_issuer(credential.get(), 1);
+  }
+  SSL_add1_credential(ssl(), credential.get());
 }
 
 void TlsServerConnection::SetClientCertMode(ClientCertMode client_cert_mode) {
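Review bot: Every BoringSSL call in the now-unconditional body of SetCertChain() has its result ignored: `SSL_CREDENTIAL_new_x509()` can return null, and the `SSL_CREDENTIAL_set1_*` calls, `SSL_CREDENTIAL_set_private_key_method()` and `SSL_add1_credential()` each return 0 on failure. With the `SSL_set_chain_and_key()` branch removed, this is the only path in the function that installs the server certificate, so a failure here would leave the connection without the intended credential or trust-anchor-ID binding, and nothing is reported at this point. Since the function returns void, I would at least check the results and log the failure, e.g. `if (!credential || !SSL_CREDENTIAL_set1_cert_chain(credential.get(), cert_chain.data(), cert_chain.size())) { /* log and return */ }` and likewise `if (!SSL_add1_credential(ssl(), credential.get())) { /* log */ }`. The client-side hunk in tls_client_handshaker.cc already treats a failed `SSL_set1_requested_trust_anchors()` as a handshake failure, so the server side would then be consistent with it.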
diff --git a/quiche/quic/core/tls_client_handshaker.cc b/quiche/quic/core/tls_client_handshaker.cc
index 7480b57..7008e25 100644
--- a/quiche/quic/core/tls_client_handshaker.cc
+++ b/quiche/quic/core/tls_client_handshaker.cc
@@ -160,18 +160,15 @@
   // Configure TLS Trust Anchor IDs
   // (https://tlswg.org/tls-trust-anchor-ids/draft-ietf-tls-trust-anchor-ids.html),
   // if set.
-  if (GetQuicReloadableFlag(enable_tls_trust_anchor_ids)) {
-    QUIC_RELOADABLE_FLAG_COUNT_N(enable_tls_trust_anchor_ids, 2, 2);
-    if (tls_connection_.ssl_config().trust_anchor_ids.has_value()) {
-      if (!SSL_set1_requested_trust_anchors(
-              ssl(),
-              reinterpret_cast<const uint8_t*>(
-                  tls_connection_.ssl_config().trust_anchor_ids->data()),
-              tls_connection_.ssl_config().trust_anchor_ids->size())) {
-        CloseConnection(QUIC_HANDSHAKE_FAILED,
-                        "Client failed to set TLS Trust Anchor IDs");
-        return false;
-      }
+  if (tls_connection_.ssl_config().trust_anchor_ids.has_value()) {
+    if (!SSL_set1_requested_trust_anchors(
+            ssl(),
+            reinterpret_cast<const uint8_t*>(
+                tls_connection_.ssl_config().trust_anchor_ids->data()),
+            tls_connection_.ssl_config().trust_anchor_ids->size())) {
+      CloseConnection(QUIC_HANDSHAKE_FAILED,
+                      "Client failed to set TLS Trust Anchor IDs");
+      return false;
     }
   }
 
diff --git a/quiche/quic/core/tls_client_handshaker_test.cc b/quiche/quic/core/tls_client_handshaker_test.cc
index aa8112b..8305a77 100644
--- a/quiche/quic/core/tls_client_handshaker_test.cc
+++ b/quiche/quic/core/tls_client_handshaker_test.cc
@@ -369,7 +369,6 @@
 }
 
 TEST_P(TlsClientHandshakerTest, HandshakeWithTrustAnchorIds) {
-  SetQuicReloadableFlag(enable_tls_trust_anchor_ids, true);
   const std::string kTestTrustAnchorId = {0x03, 0x01, 0x02, 0x03};
   const std::string kTestServerTrustAnchorId = {0x01, 0x02, 0x03};
   InitializeFakeServer(kTestServerTrustAnchorId);
@@ -385,7 +384,6 @@
 // Trust Anchor IDs, one which matches the server's credential and one which
 // doesn't.
 TEST_P(TlsClientHandshakerTest, HandshakeWithMultipleTrustAnchorIds) {
-  SetQuicReloadableFlag(enable_tls_trust_anchor_ids, true);
   // The client sends two trust anchor IDs, the first of which doesn't match the
   // server's credential and the second does.
   const std::string kTestTrustAnchorIds = {0x04, 0x00, 0x01, 0x02, 0x03,
@@ -403,7 +401,6 @@
 // Tests that the client can complete a handshake in which it sends no Trust
 // Anchor IDs.
 TEST_P(TlsClientHandshakerTest, HandshakeWithEmptyTrustAnchorIdList) {
-  SetQuicReloadableFlag(enable_tls_trust_anchor_ids, true);
   InitializeFakeServer("");
   ssl_config_.emplace();
   ssl_config_->trust_anchor_ids.emplace();