Deprecate FLAGS_quic_disable_pre_30. Remove QUIC versions [25-29].

net/quic/crypto/quic_crypto_server_config.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/crypto/quic_crypto_server_config.h"
 
 #include <stdlib.h>
 
 #include <algorithm>
 #include <memory>
@@ skipping 607 matching lines @@
   CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash);
   // No need to get a new proof if one was already generated.
   if (!crypto_proof->chain &&
       !proof_source_->GetProof(
           server_ip, info.sni.as_string(), primary_config->serialized, version,
           chlo_hash, x509_ecdsa_supported, &crypto_proof->chain,
           &crypto_proof->signature, &crypto_proof->cert_sct)) {
     return QUIC_HANDSHAKE_FAILED;
   }
 
-  if (version > QUIC_VERSION_29) {
-    StringPiece cert_sct;
-    if (client_hello.GetStringPiece(kCertificateSCTTag, &cert_sct) &&
-        cert_sct.empty()) {
-      params->sct_supported_by_client = true;
-    }
+  StringPiece cert_sct;
+  if (client_hello.GetStringPiece(kCertificateSCTTag, &cert_sct) &&
+      cert_sct.empty()) {
+    params->sct_supported_by_client = true;
   }
 
   if (!info.reject_reasons.empty() || !requested_config.get()) {
     BuildRejection(version, *primary_config, client_hello, info,
                    validate_chlo_result.cached_network_params,
                    use_stateless_rejects, server_designated_connection_id, rand,
                    compressed_certs_cache, params, *crypto_proof, out);
     return QUIC_NO_ERROR;
   }
 
@@ skipping 68 matching lines @@
   string hkdf_suffix;
   const QuicData& client_hello_serialized = client_hello.GetSerialized();
   hkdf_suffix.reserve(sizeof(connection_id) + client_hello_serialized.length() +
                       requested_config->serialized.size());
   hkdf_suffix.append(reinterpret_cast<char*>(&connection_id),
                      sizeof(connection_id));
   hkdf_suffix.append(client_hello_serialized.data(),
                      client_hello_serialized.length());
   hkdf_suffix.append(requested_config->serialized);
   DCHECK(proof_source_.get());
-  if (version > QUIC_VERSION_25) {
-    if (crypto_proof->chain->certs.empty()) {
-      *error_details = "Failed to get certs";
-      return QUIC_CRYPTO_INTERNAL_ERROR;
-    }
-    hkdf_suffix.append(crypto_proof->chain->certs.at(0));
+  if (crypto_proof->chain->certs.empty()) {
+    *error_details = "Failed to get certs";
+    return QUIC_CRYPTO_INTERNAL_ERROR;
   }
+  hkdf_suffix.append(crypto_proof->chain->certs.at(0));
 
   StringPiece cetv_ciphertext;
   if (requested_config->channel_id_enabled &&
       client_hello.GetStringPiece(kCETV, &cetv_ciphertext)) {
     CryptoHandshakeMessage client_hello_copy(client_hello);
     client_hello_copy.Erase(kCETV);
     client_hello_copy.Erase(kPAD);
 
     const QuicData& client_hello_copy_serialized =
         client_hello_copy.GetSerialized();
@@ skipping 88 matching lines @@
   }
 
   string forward_secure_hkdf_input;
   label_len = strlen(QuicCryptoConfig::kForwardSecureLabel) + 1;
   forward_secure_hkdf_input.reserve(label_len + hkdf_suffix.size());
   forward_secure_hkdf_input.append(QuicCryptoConfig::kForwardSecureLabel,
                                    label_len);
   forward_secure_hkdf_input.append(hkdf_suffix);
 
   string shlo_nonce;
-  if (version > QUIC_VERSION_26) {
-    shlo_nonce = NewServerNonce(rand, info.now);
-    out->SetStringPiece(kServerNonceTag, shlo_nonce);
-  }
+  shlo_nonce = NewServerNonce(rand, info.now);
+  out->SetStringPiece(kServerNonceTag, shlo_nonce);
 
   if (!CryptoUtils::DeriveKeys(
           params->forward_secure_premaster_secret, params->aead,
           info.client_nonce,
           shlo_nonce.empty() ? info.server_nonce : shlo_nonce,
           forward_secure_hkdf_input, Perspective::IS_SERVER,
           CryptoUtils::Diversification::Never(),
           &params->forward_secure_crypters, &params->subkey_secret)) {
     *error_details = "Symmetric key setup failed";
     return QUIC_CRYPTO_SYMMETRIC_KEY_SETUP_FAILED;
@@ skipping 255 matching lines @@
   }
 
   bool found_error = false;
   if (source_address_token_error != HANDSHAKE_OK) {
     info->reject_reasons.push_back(source_address_token_error);
     // No valid source address token.
     found_error = true;
   }
 
   bool get_proof_failed = false;
-  if (version > QUIC_VERSION_25) {
-    bool x509_supported = false;
-    bool x509_ecdsa_supported = false;
-    ParseProofDemand(client_hello, &x509_supported, &x509_ecdsa_supported);
-    string serialized_config = primary_config->serialized;
-    string chlo_hash;
-    CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash);
-    bool need_proof = true;
-    if (FLAGS_quic_refresh_proof) {
-      need_proof = !crypto_proof->chain;
-    }
-    if (FLAGS_enable_async_get_proof) {
-      if (need_proof) {
-        // Make an async call to GetProof and setup the callback to trampoline
-        // back into EvaluateClientHelloAfterGetProof
-        std::unique_ptr<EvaluateClientHelloCallback> cb(
-            new EvaluateClientHelloCallback(
-                *this, found_error, server_ip, version, primary_orbit,
-                requested_config, primary_config, crypto_proof,
-                client_hello_state, done_cb));
-        proof_source_->GetProof(server_ip, info->sni.as_string(),
-                                serialized_config, version, chlo_hash,
-                                x509_ecdsa_supported, std::move(cb));
-        helper.DetachCallback();
-        return;
-      }
-    }
-
-    // No need to get a new proof if one was already generated.
-    if (need_proof &&
-        !proof_source_->GetProof(
-            server_ip, info->sni.as_string(), serialized_config, version,
-            chlo_hash, x509_ecdsa_supported, &crypto_proof->chain,
-            &crypto_proof->signature, &crypto_proof->cert_sct)) {
-      get_proof_failed = true;
+  bool x509_supported = false;
+  bool x509_ecdsa_supported = false;
+  ParseProofDemand(client_hello, &x509_supported, &x509_ecdsa_supported);
+  string serialized_config = primary_config->serialized;
+  string chlo_hash;
+  CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash);
+  bool need_proof = true;
+  if (FLAGS_quic_refresh_proof) {
+    need_proof = !crypto_proof->chain;
+  }
+  if (FLAGS_enable_async_get_proof) {
+    if (need_proof) {
+      // Make an async call to GetProof and setup the callback to trampoline
+      // back into EvaluateClientHelloAfterGetProof
+      std::unique_ptr<EvaluateClientHelloCallback> cb(
+          new EvaluateClientHelloCallback(
+              *this, found_error, server_ip, version, primary_orbit,
+              requested_config, primary_config, crypto_proof,
+              client_hello_state, done_cb));
+      proof_source_->GetProof(server_ip, info->sni.as_string(),
+                              serialized_config, version, chlo_hash,
+                              x509_ecdsa_supported, std::move(cb));
+      helper.DetachCallback();
+      return;
     }
   }
 
+  // No need to get a new proof if one was already generated.
+  if (need_proof &&
+      !proof_source_->GetProof(
+          server_ip, info->sni.as_string(), serialized_config, version,
+          chlo_hash, x509_ecdsa_supported, &crypto_proof->chain,
+          &crypto_proof->signature, &crypto_proof->cert_sct)) {
+    get_proof_failed = true;
+  }
+
   EvaluateClientHelloAfterGetProof(
       found_error, server_ip, version, primary_orbit, requested_config,
       primary_config, crypto_proof, get_proof_failed, client_hello_state,
       done_cb);
   helper.DetachCallback();
 }
 
 void QuicCryptoServerConfig::EvaluateClientHelloAfterGetProof(
     bool found_error,
     const IPAddress& server_ip,
     QuicVersion version,
     const uint8_t* primary_orbit,
     scoped_refptr<Config> requested_config,
     scoped_refptr<Config> primary_config,
     QuicCryptoProof* crypto_proof,
     bool get_proof_failed,
     ValidateClientHelloResultCallback::Result* client_hello_state,
     ValidateClientHelloResultCallback* done_cb) const {
   ValidateClientHelloHelper helper(client_hello_state, done_cb);
   const CryptoHandshakeMessage& client_hello = client_hello_state->client_hello;
   ClientHelloInfo* info = &(client_hello_state->info);
 
   if (get_proof_failed) {
     found_error = true;
     info->reject_reasons.push_back(SERVER_CONFIG_UNKNOWN_CONFIG_FAILURE);
   }
 
-  if (version > QUIC_VERSION_25) {
-    if (!ValidateExpectedLeafCertificate(client_hello, *crypto_proof)) {
-      found_error = true;
-      info->reject_reasons.push_back(INVALID_EXPECTED_LEAF_CERTIFICATE);
-    }
+  if (!ValidateExpectedLeafCertificate(client_hello, *crypto_proof)) {
+    found_error = true;
+    info->reject_reasons.push_back(INVALID_EXPECTED_LEAF_CERTIFICATE);
   }
 
   if (info->client_nonce.size() != kNonceSize) {
     info->reject_reasons.push_back(CLIENT_NONCE_INVALID_FAILURE);
     // Invalid client nonce.
     LOG(ERROR) << "Invalid client nonce: " << client_hello.DebugString();
     DVLOG(1) << "Invalid client nonce.";
     found_error = true;
   }
 
@@ skipping 105 matching lines @@
     DVLOG(1) << "Server: failed to get proof.";
     return false;
   }
 
   const string compressed = CompressChain(
       compressed_certs_cache, chain, params.client_common_set_hashes,
       params.client_cached_cert_hashes, common_cert_sets);
 
   out->SetStringPiece(kCertificateTag, compressed);
   out->SetStringPiece(kPROF, signature);
-  if (params.sct_supported_by_client && version > QUIC_VERSION_29 &&
-      enable_serving_sct_) {
+  if (params.sct_supported_by_client && enable_serving_sct_) {
     if (cert_sct.empty()) {
       DLOG(WARNING) << "SCT is expected but it is empty.";
     } else {
       out->SetStringPiece(kCertificateSCTTag, cert_sct);
     }
   }
   return true;
 }
 
 void QuicCryptoServerConfig::BuildServerConfigUpdateMessage(
@@ skipping 86 matching lines @@
     cb->Run(false, message);
     return;
   }
 
   const string compressed =
       CompressChain(compressed_certs_cache, chain, client_common_set_hashes,
                     client_cached_cert_hashes, common_cert_sets);
 
   message.SetStringPiece(kCertificateTag, compressed);
   message.SetStringPiece(kPROF, signature);
-  if (sct_supported_by_client && version > QUIC_VERSION_29 &&
-      enable_serving_sct_) {
+  if (sct_supported_by_client && enable_serving_sct_) {
     if (leaf_cert_sct.empty()) {
       DLOG(WARNING) << "SCT is expected but it is empty.";
     } else {
       message.SetStringPiece(kCertificateSCTTag, leaf_cert_sct);
     }
   }
 
   cb->Run(true, message);
 }
 
@@ skipping 64 matching lines @@
   //   SCID: 16 bytes
   //   PUBS: 38 bytes
   const size_t kREJOverheadBytes = 166;
   // max_unverified_size is the number of bytes that the certificate chain,
   // signature, and (optionally) signed certificate timestamp can consume before
   // we will demand a valid source-address token.
   const size_t max_unverified_size =
       client_hello.size() * chlo_multiplier_ - kREJOverheadBytes;
   static_assert(kClientHelloMinimumSize * kMultiplier >= kREJOverheadBytes,
                 "overhead calculation may underflow");
-  bool should_return_sct = params->sct_supported_by_client &&
-                           version > QUIC_VERSION_29 && enable_serving_sct_;
+  bool should_return_sct =
+      params->sct_supported_by_client && enable_serving_sct_;
   const size_t sct_size = should_return_sct ? crypto_proof.cert_sct.size() : 0;
   if (info.valid_source_address_token ||
       crypto_proof.signature.size() + compressed.size() + sct_size <
           max_unverified_size) {
     out->SetStringPiece(kCertificateTag, compressed);
     out->SetStringPiece(kPROF, crypto_proof.signature);
     if (should_return_sct) {
       if (crypto_proof.cert_sct.empty()) {
         DLOG(WARNING) << "SCT is expected but it is empty.";
       } else {
@@ skipping 528 matching lines @@
       priority(0),
       source_address_token_boxer(nullptr) {}
 
 QuicCryptoServerConfig::Config::~Config() {
   STLDeleteElements(&key_exchanges);
 }
 
 QuicCryptoProof::QuicCryptoProof() {}
 QuicCryptoProof::~QuicCryptoProof() {}
 }  // namespace net