Remove SSL_VERIFY_PEER_IF_NO_OBC
Update-Note: SSL_VERIFY_PEER_IF_NO_OBC is removed. This was used as the
transition plan between the long-deprecated TLS Channel ID, and its
even-longer-deprecated predecessor, Origin-Bound Certificates. Callers
should have no more reason to use this feature. (See also cl/728350196.)
Change-Id: I7a02e92592c4f71bed343935fdb094564701bd37
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/76687
Commit-Queue: David Benjamin <davidben@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index b9bf7ea..eed2766 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2580,10 +2580,6 @@
// with |SSL_VERIFY_PEER|, otherwise it won't work.
#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
-// SSL_VERIFY_PEER_IF_NO_OBC configures a server to request a client certificate
-// if and only if Channel ID is not negotiated.
-#define SSL_VERIFY_PEER_IF_NO_OBC 0x04
-
// SSL_CTX_set_verify configures certificate verification behavior. |mode| is
// one of the |SSL_VERIFY_*| values defined above. |callback| should be NULL.
//
diff --git a/ssl/handshake_server.cc b/ssl/handshake_server.cc
index 12f5662..9594210 100644
--- a/ssl/handshake_server.cc
+++ b/ssl/handshake_server.cc
@@ -833,18 +833,10 @@
hs->new_session->group_id = group_id;
}
- // Determine whether to request a client certificate.
- hs->cert_request = !!(hs->config->verify_mode & SSL_VERIFY_PEER);
- // Only request a certificate if Channel ID isn't negotiated.
- if ((hs->config->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&
- hs->channel_id_negotiated) {
- hs->cert_request = false;
- }
- // CertificateRequest may only be sent in certificate-based ciphers.
- if (!ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
- hs->cert_request = false;
- }
-
+ // Determine whether to request a client certificate. CertificateRequest may
+ // only be sent in certificate-based ciphers.
+ hs->cert_request = (hs->config->verify_mode & SSL_VERIFY_PEER) &&
+ ssl_cipher_uses_certificate_auth(hs->new_cipher);
if (!hs->cert_request) {
// OpenSSL returns X509_V_OK when no certificates are requested. This is
// classed by them as a bug, but it's assumed by at least NGINX.
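Review bot: The new condition on the `hs->cert_request =` line masks only SSL_VERIFY_PEER, so a caller that still passes the former 0x04 bit (dropped from ssl.h in this commit) is silently treated as plain SSL_VERIFY_PEER and now always sends a CertificateRequest; whether SSL_CTX_set_verify rejects unknown mode bits is not visible here, so a short comment would make the intended behaviour explicit, e.g. `// Any verify_mode bits other than SSL_VERIFY_PEER (including the former SSL_VERIFY_PEER_IF_NO_OBC) do not affect the request.`. The TLS 1.3 path in tls13_server.cc keeps the `!!(hs->config->verify_mode & SSL_VERIFY_PEER)` spelling while this hunk writes the same predicate as a plain `&&` expression; using one form in both places would be tidier. The enclosing function starts and ends outside this hunk.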
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 2a52dfd..1042b43 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -4767,39 +4767,6 @@
testCases = append(testCases, testCase{
testType: serverTest,
- name: "VerifyPeerIfNoOBC-NoChannelID-" + ver.name,
- config: Config{
- MinVersion: ver.version,
- MaxVersion: ver.version,
- },
- flags: []string{
- "-enable-channel-id",
- "-verify-peer-if-no-obc",
- },
- shouldFail: true,
- expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
- expectedLocalError: certificateRequired,
- })
-
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "VerifyPeerIfNoOBC-ChannelID-" + ver.name,
- config: Config{
- MinVersion: ver.version,
- MaxVersion: ver.version,
- ChannelID: &channelIDKey,
- },
- expectations: connectionExpectations{
- channelID: true,
- },
- flags: []string{
- "-enable-channel-id",
- "-verify-peer-if-no-obc",
- },
- })
-
- testCases = append(testCases, testCase{
- testType: serverTest,
name: ver.name + "-Server-CertReq-CA-List",
config: Config{
MinVersion: ver.version,
diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc
index 3d2819d..b3947fa 100644
--- a/ssl/test/test_config.cc
+++ b/ssl/test/test_config.cc
@@ -409,7 +409,6 @@
BoolFlag("-shim-shuts-down", &TestConfig::shim_shuts_down),
BoolFlag("-verify-fail", &TestConfig::verify_fail),
BoolFlag("-verify-peer", &TestConfig::verify_peer),
- BoolFlag("-verify-peer-if-no-obc", &TestConfig::verify_peer_if_no_obc),
BoolFlag("-expect-verify-result", &TestConfig::expect_verify_result),
IntFlag("-expect-total-renegotiations",
&TestConfig::expect_total_renegotiations),
@@ -2202,12 +2201,6 @@
if (verify_peer) {
mode = SSL_VERIFY_PEER;
}
- if (verify_peer_if_no_obc) {
- // Set SSL_VERIFY_FAIL_IF_NO_PEER_CERT so testing whether client
- // certificates were requested is easy.
- mode = SSL_VERIFY_PEER | SSL_VERIFY_PEER_IF_NO_OBC |
- SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
- }
if (use_custom_verify_callback) {
SSL_set_custom_verify(ssl.get(), mode, CustomVerifyCallback);
} else if (mode != SSL_VERIFY_NONE) {
diff --git a/ssl/test/test_config.h b/ssl/test/test_config.h
index 15d434f..6ddf620 100644
--- a/ssl/test/test_config.h
+++ b/ssl/test/test_config.h
@@ -156,7 +156,6 @@
bool shim_shuts_down = false;
bool verify_fail = false;
bool verify_peer = false;
- bool verify_peer_if_no_obc = false;
bool expect_verify_result = false;
std::vector<uint8_t> signed_cert_timestamps;
int expect_total_renegotiations = 0;
diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc
index 3e83e5f..8f9a34e 100644
--- a/ssl/tls13_server.cc
+++ b/ssl/tls13_server.cc
@@ -977,11 +977,6 @@
if (!ssl->s3->session_reused && !hs->pake_verifier) {
// Determine whether to request a client certificate.
hs->cert_request = !!(hs->config->verify_mode & SSL_VERIFY_PEER);
- // Only request a certificate if Channel ID isn't negotiated.
- if ((hs->config->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&
- hs->channel_id_negotiated) {
- hs->cert_request = false;
- }
}
// Send a CertificateRequest, if necessary.