deprecate FLAGS_quic_disable_pre_34

net/quic/core/crypto/quic_crypto_server_config.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/core/crypto/quic_crypto_server_config.h"
 
 #include <stdlib.h>
 
 #include <algorithm>
 #include <memory>
@@ skipping 980 matching lines @@
       params->channel_id = key.as_string();
     }
   }
 
   string hkdf_input;
   size_t label_len = strlen(QuicCryptoConfig::kInitialLabel) + 1;
   hkdf_input.reserve(label_len + hkdf_suffix.size());
   hkdf_input.append(QuicCryptoConfig::kInitialLabel, label_len);
   hkdf_input.append(hkdf_suffix);
 
+  rand->RandBytes(out_diversification_nonce->data(),
+                  out_diversification_nonce->size());
   CryptoUtils::Diversification diversification =
-      CryptoUtils::Diversification::Never();
-  if (version > QUIC_VERSION_32) {
-    rand->RandBytes(out_diversification_nonce->data(),
-                    out_diversification_nonce->size());
-    diversification =
-        CryptoUtils::Diversification::Now(out_diversification_nonce.get());
-  }
-
+      CryptoUtils::Diversification::Now(out_diversification_nonce.get());
   if (!CryptoUtils::DeriveKeys(params->initial_premaster_secret, params->aead,
                                info.client_nonce, info.server_nonce, hkdf_input,
                                Perspective::IS_SERVER, diversification,
                                &params->initial_crypters,
                                &params->initial_subkey_secret)) {
     helper.Fail(QUIC_CRYPTO_SYMMETRIC_KEY_SETUP_FAILED,
                 "Symmetric key setup failed");
     return;
   }
 
@@ skipping 363 matching lines @@
     scoped_refptr<QuicSignedServerConfig> signed_config,
     std::unique_ptr<ProofSource::Details> proof_source_details,
     bool get_proof_failed,
     scoped_refptr<ValidateClientHelloResultCallback::Result> client_hello_state,
     std::unique_ptr<ValidateClientHelloResultCallback> done_cb) const {
   ValidateClientHelloHelper helper(client_hello_state, &done_cb);
   const CryptoHandshakeMessage& client_hello = client_hello_state->client_hello;
   ClientHelloInfo* info = &(client_hello_state->info);
 
   if (get_proof_failed) {
-    found_error = true;
     info->reject_reasons.push_back(SERVER_CONFIG_UNKNOWN_CONFIG_FAILURE);
   }
 
   if (!ValidateExpectedLeafCertificate(client_hello, *signed_config)) {
-    found_error = true;
     info->reject_reasons.push_back(INVALID_EXPECTED_LEAF_CERTIFICATE);
   }
 
   if (info->client_nonce.size() != kNonceSize) {
     info->reject_reasons.push_back(CLIENT_NONCE_INVALID_FAILURE);
     // Invalid client nonce.
     LOG(ERROR) << "Invalid client nonce: " << client_hello.DebugString();
     DVLOG(1) << "Invalid client nonce.";
-    found_error = true;
   }
 
   // Server nonce is optional, and used for key derivation if present.
   client_hello.GetStringPiece(kServerNonceTag, &info->server_nonce);
 
-  if (version > QUIC_VERSION_32) {
-    DVLOG(1) << "No 0-RTT replay protection in QUIC_VERSION_33 and higher.";
-    // If the server nonce is empty and we're requiring handshake confirmation
-    // for DoS reasons then we must reject the CHLO.
-    if (FLAGS_quic_require_handshake_confirmation &&
-        info->server_nonce.empty()) {
-      info->reject_reasons.push_back(SERVER_NONCE_REQUIRED_FAILURE);
-    }
-    helper.ValidationComplete(QUIC_NO_ERROR, "",
-                              std::move(proof_source_details));
-    return;
+  DVLOG(1) << "No 0-RTT replay protection in QUIC_VERSION_33 and higher.";
+  // If the server nonce is empty and we're requiring handshake confirmation
+  // for DoS reasons then we must reject the CHLO.
+  if (FLAGS_quic_require_handshake_confirmation && info->server_nonce.empty()) {
+    info->reject_reasons.push_back(SERVER_NONCE_REQUIRED_FAILURE);
   }
-
-  if (!replay_protection_) {
-    DVLOG(1) << "No replay protection.";
-    helper.ValidationComplete(QUIC_NO_ERROR, "",
-                              std::move(proof_source_details));
-    return;
-  }
-
-  if (!info->server_nonce.empty()) {
-    // If the server nonce is present, use it to establish uniqueness.
-    HandshakeFailureReason server_nonce_error =
-        ValidateServerNonce(info->server_nonce, info->now);
-    bool is_unique = server_nonce_error == HANDSHAKE_OK;
-    if (!is_unique) {
-      info->reject_reasons.push_back(server_nonce_error);
-    }
-    DVLOG(1) << "Using server nonce, unique: " << is_unique;
-    helper.ValidationComplete(QUIC_NO_ERROR, "",
-                              std::move(proof_source_details));
-    return;
-  }
-  // If we hit this block, the server nonce was empty.  If we're requiring
-  // handshake confirmation for DoS reasons and there's no server nonce present,
-  // reject the CHLO.
-  if (FLAGS_quic_require_handshake_confirmation ||
-      FLAGS_quic_require_handshake_confirmation_pre33) {
-    info->reject_reasons.push_back(SERVER_NONCE_REQUIRED_FAILURE);
-    helper.ValidationComplete(QUIC_NO_ERROR, "",
-                              std::move(proof_source_details));
-    return;
-  }
-
-  // We want to contact strike register only if there are no errors because it
-  // is a RPC call and is expensive.
-  if (found_error) {
-    helper.ValidationComplete(QUIC_NO_ERROR, "",
-                              std::move(proof_source_details));
-    return;
-  }
-
-  // Use the client nonce to establish uniqueness.
-  StrikeRegisterClient* strike_register_client;
-  {
-    base::AutoLock locked(strike_register_client_lock_);
-    strike_register_client = strike_register_client_.get();
-  }
-
-  if (!strike_register_client) {
-    // Either a valid server nonces or a strike register is required.
-    // Since neither are present, reject the handshake which will send a
-    // server nonce to the client.
-    info->reject_reasons.push_back(SERVER_NONCE_REQUIRED_FAILURE);
-    helper.ValidationComplete(QUIC_NO_ERROR, "",
-                              std::move(proof_source_details));
-    return;
-  }
-
-  strike_register_client->VerifyNonceIsValidAndUnique(
-      info->client_nonce, info->now,
-      new VerifyNonceIsValidAndUniqueCallback(client_hello_state,
-                                              std::move(proof_source_details),
-                                              std::move(done_cb)));
-  helper.DetachCallback();
+  helper.ValidationComplete(QUIC_NO_ERROR, "", std::move(proof_source_details));
 }
 
 bool QuicCryptoServerConfig::BuildServerConfigUpdateMessage(
     QuicVersion version,
     StringPiece chlo_hash,
     const SourceAddressTokens& previous_source_address_tokens,
     const IPAddress& server_ip,
     const IPAddress& client_ip,
     const QuicClock* clock,
     QuicRandom* rand,
@@ skipping 780 matching lines @@
       source_address_token_boxer(nullptr) {}
 
 QuicCryptoServerConfig::Config::~Config() {
 }
 
 QuicSignedServerConfig::QuicSignedServerConfig()
     : send_expect_ct_header(false) {}
 QuicSignedServerConfig::~QuicSignedServerConfig() {}
 
 }  // namespace net