Add support of serving SCT on the server side in QUIC, gated by QUIC_VERSION_30.

net/quic/crypto/quic_crypto_server_config.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/crypto/quic_crypto_server_config.h"
 
 #include <stdlib.h>
 #include <algorithm>
 
 #include "base/stl_util.h"
@@ skipping 190 matching lines @@
   delete result;
   delete this;
 }
 
 QuicCryptoServerConfig::ConfigOptions::ConfigOptions()
     : expiry_time(QuicWallTime::Zero()),
       channel_id_enabled(false),
       p256(false) {}
 
 QuicCryptoServerConfig::QuicCryptoServerConfig(
-    StringPiece source_address_token_secret,
-    QuicRandom* server_nonce_entropy,
+    StringPiece source_address_token_secret, QuicRandom* server_nonce_entropy,
     ProofSource* proof_source)
     : replay_protection_(true),
       configs_lock_(),
       primary_config_(nullptr),
       next_config_promotion_time_(QuicWallTime::Zero()),
       server_nonce_strike_register_lock_(),
       proof_source_(proof_source),
       strike_register_no_startup_period_(false),
       strike_register_max_entries_(1 << 10),
       strike_register_window_secs_(600),
       source_address_token_future_secs_(3600),
       source_address_token_lifetime_secs_(86400),
       server_nonce_strike_register_max_entries_(1 << 10),
-      server_nonce_strike_register_window_secs_(120) {
+      server_nonce_strike_register_window_secs_(120),
+      enable_serving_sct_(false) {
   DCHECK(proof_source_.get());
   default_source_address_token_boxer_.SetKey(
       DeriveSourceAddressTokenKey(source_address_token_secret));
 
   // Generate a random key and orbit for server nonces.
   server_nonce_entropy->RandBytes(server_nonce_orbit_,
                                   sizeof(server_nonce_orbit_));
   const size_t key_size = server_nonce_boxer_.GetKeySize();
   scoped_ptr<uint8[]> key_bytes(new uint8[key_size]);
   server_nonce_entropy->RandBytes(key_bytes.get(), key_size);
@@ skipping 367 matching lines @@
 
   out->Clear();
 
   bool x509_supported = false;
   bool x509_ecdsa_supported = false;
   ParseProofDemand(client_hello, &x509_supported, &x509_ecdsa_supported);
   DCHECK(proof_source_.get());
   if (!crypto_proof->certs &&
       !proof_source_->GetProof(server_ip, info.sni.as_string(),
                                primary_config->serialized, x509_ecdsa_supported,
-                               &crypto_proof->certs,
-                               &crypto_proof->signature)) {
+                               &crypto_proof->certs, &crypto_proof->signature,
+                               &crypto_proof->cert_sct)) {
     return QUIC_HANDSHAKE_FAILED;
   }
 
+  if (version > QUIC_VERSION_29) {
+    StringPiece cert_sct;
+    if (client_hello.GetStringPiece(kCertificateSCTTag, &cert_sct) &&
+        cert_sct.empty()) {
+      params->sct_supported_by_client = true;
+    }
+  }
+
   if (!info.reject_reasons.empty() || !requested_config.get()) {
-    BuildRejection(*primary_config, client_hello, info,
+    BuildRejection(version, *primary_config, client_hello, info,
                    validate_chlo_result.cached_network_params,
                    use_stateless_rejects, server_designated_connection_id, rand,
                    params, *crypto_proof, out);
     return QUIC_NO_ERROR;
   }
 
   const QuicTag* their_aeads;
   const QuicTag* their_key_exchanges;
   size_t num_their_aeads, num_their_key_exchanges;
   if (client_hello.GetTaglist(kAEAD, &their_aeads,
@@ skipping 376 matching lines @@
       helper.ValidationComplete(QUIC_NO_ERROR, "");
       return;
     }
     found_error = true;
   }
 
   if (version > QUIC_VERSION_25) {
     bool x509_supported = false;
     bool x509_ecdsa_supported = false;
     ParseProofDemand(client_hello, &x509_supported, &x509_ecdsa_supported);
-    if (!proof_source_->GetProof(server_ip, info->sni.as_string(),
-                                 requested_config->serialized,
-                                 x509_ecdsa_supported, &crypto_proof->certs,
-                                 &crypto_proof->signature)) {
+    if (!proof_source_->GetProof(
+            server_ip, info->sni.as_string(), requested_config->serialized,
+            x509_ecdsa_supported, &crypto_proof->certs,
+            &crypto_proof->signature, &crypto_proof->cert_sct)) {
       found_error = true;
       info->reject_reasons.push_back(SERVER_CONFIG_UNKNOWN_CONFIG_FAILURE);
     }
 
     if (!ValidateExpectedLeafCertificate(client_hello, *crypto_proof)) {
       found_error = true;
       info->reject_reasons.push_back(INVALID_EXPECTED_LEAF_CERTIFICATE);
     }
   }
 
@@ skipping 77 matching lines @@
   }
 
   strike_register_client->VerifyNonceIsValidAndUnique(
       info->client_nonce,
       info->now,
       new VerifyNonceIsValidAndUniqueCallback(client_hello_state, done_cb));
   helper.StartedAsyncCallback();
 }
 
 bool QuicCryptoServerConfig::BuildServerConfigUpdateMessage(
+    QuicVersion version,
     const SourceAddressTokens& previous_source_address_tokens,
     const IPAddressNumber& server_ip,
     const IPAddressNumber& client_ip,
     const QuicClock* clock,
     QuicRandom* rand,
     const QuicCryptoNegotiatedParameters& params,
     const CachedNetworkParameters* cached_network_params,
     CryptoHandshakeMessage* out) const {
   base::AutoLock locked(configs_lock_);
   out->set_tag(kSCUP);
   out->SetStringPiece(kSCFG, primary_config_->serialized);
   out->SetStringPiece(
       kSourceAddressTokenTag,
       NewSourceAddressToken(*primary_config_.get(),
                             previous_source_address_tokens, client_ip, rand,
                             clock->WallNow(), cached_network_params));
 
   const vector<string>* certs;
   string signature;
+  string cert_sct;
   if (!proof_source_->GetProof(
           server_ip, params.sni, primary_config_->serialized,
-          params.x509_ecdsa_supported, &certs, &signature)) {
+          params.x509_ecdsa_supported, &certs, &signature, &cert_sct)) {
     DVLOG(1) << "Server: failed to get proof.";
     return false;
   }
 
   const string compressed = CertCompressor::CompressChain(
       *certs, params.client_common_set_hashes, params.client_cached_cert_hashes,
       primary_config_->common_cert_sets);
 
   out->SetStringPiece(kCertificateTag, compressed);
   out->SetStringPiece(kPROF, signature);
+  if (params.sct_supported_by_client && version > QUIC_VERSION_29 &&
+      enable_serving_sct_) {
+    if (cert_sct.empty()) {
+      DLOG(WARNING) << "SCT is expected but it is empty.";
+    } else {
+      out->SetStringPiece(kCertificateSCTTag, cert_sct);
+    }
+  }
   return true;
 }
 
 void QuicCryptoServerConfig::BuildRejection(
-    const Config& config,
-    const CryptoHandshakeMessage& client_hello,
-    const ClientHelloInfo& info,
+    QuicVersion version, const Config& config,
+    const CryptoHandshakeMessage& client_hello, const ClientHelloInfo& info,
     const CachedNetworkParameters& cached_network_params,
     bool use_stateless_rejects,
-    QuicConnectionId server_designated_connection_id,
-    QuicRandom* rand,
-    QuicCryptoNegotiatedParameters* params,
-    const QuicCryptoProof& crypto_proof,
+    QuicConnectionId server_designated_connection_id, QuicRandom* rand,
+    QuicCryptoNegotiatedParameters* params, const QuicCryptoProof& crypto_proof,
     CryptoHandshakeMessage* out) const {
   if (FLAGS_enable_quic_stateless_reject_support && use_stateless_rejects) {
     DVLOG(1) << "QUIC Crypto server config returning stateless reject "
              << "with server-designated connection ID "
              << server_designated_connection_id;
     out->set_tag(kSREJ);
     out->SetValue(kRCID, server_designated_connection_id);
   } else {
     out->set_tag(kREJ);
   }
@@ skipping 35 matching lines @@
   // kREJOverheadBytes is a very rough estimate of how much of a REJ
   // message is taken up by things other than the certificates.
   // STK: 56 bytes
   // SNO: 56 bytes
   // SCFG
   //   SCID: 16 bytes
   //   PUBS: 38 bytes
   const size_t kREJOverheadBytes = 166;
   // kMultiplier is the multiple of the CHLO message size that a REJ message
   // must stay under when the client doesn't present a valid source-address
-  // token.
+  // token. This is used to protect QUIC from amplification attacks.
   const size_t kMultiplier = 2;
-  // max_unverified_size is the number of bytes that the certificate chain
-  // and signature can consume before we will demand a valid source-address
-  // token.
+  // max_unverified_size is the number of bytes that the certificate chain,
+  // signature, and (optionally) signed certificate timestamp can consume before
+  // we will demand a valid source-address token.
   const size_t max_unverified_size =
       client_hello.size() * kMultiplier - kREJOverheadBytes;
   static_assert(kClientHelloMinimumSize * kMultiplier >= kREJOverheadBytes,
-                "overhead calculation may overflow");
+                "overhead calculation may underflow");
+  bool should_return_sct = params->sct_supported_by_client &&
+                           version > QUIC_VERSION_29 && enable_serving_sct_;
+  const size_t sct_size = should_return_sct ? crypto_proof.cert_sct.size() : 0;
   if (info.valid_source_address_token ||
-      crypto_proof.signature.size() + compressed.size() < max_unverified_size) {
+      crypto_proof.signature.size() + compressed.size() + sct_size <
+          max_unverified_size) {
     out->SetStringPiece(kCertificateTag, compressed);
     out->SetStringPiece(kPROF, crypto_proof.signature);
+    if (should_return_sct) {
+      if (crypto_proof.cert_sct.empty()) {
+        DLOG(WARNING) << "SCT is expected but it is empty.";
+      } else {
+        out->SetStringPiece(kCertificateSCTTag, crypto_proof.cert_sct);
+      }
+    }
   }
 }
 
 scoped_refptr<QuicCryptoServerConfig::Config>
 QuicCryptoServerConfig::ParseConfigProtobuf(
     QuicServerConfigProtobuf* protobuf) {
   scoped_ptr<CryptoHandshakeMessage> msg(
       CryptoFramer::ParseMessage(protobuf->config()));
 
   if (msg->tag() != kSCFG) {
@@ skipping 204 matching lines @@
   DCHECK(!server_nonce_strike_register_.get());
   server_nonce_strike_register_max_entries_ = max_entries;
 }
 
 void QuicCryptoServerConfig::set_server_nonce_strike_register_window_secs(
     uint32 window_secs) {
   DCHECK(!server_nonce_strike_register_.get());
   server_nonce_strike_register_window_secs_ = window_secs;
 }
 
+void QuicCryptoServerConfig::set_enable_serving_sct(bool enable_serving_sct) {
+  enable_serving_sct_ = enable_serving_sct;
+}
+
 void QuicCryptoServerConfig::AcquirePrimaryConfigChangedCb(
     PrimaryConfigChangedCallback* cb) {
   base::AutoLock locked(configs_lock_);
   primary_config_changed_cb_.reset(cb);
 }
 
 string QuicCryptoServerConfig::NewSourceAddressToken(
     const Config& config,
     const SourceAddressTokens& previous_tokens,
     const IPAddressNumber& ip,
@@ skipping 241 matching lines @@
 QuicCryptoServerConfig::Config::Config()
     : channel_id_enabled(false),
       is_primary(false),
       primary_time(QuicWallTime::Zero()),
       priority(0),
       source_address_token_boxer(nullptr) {}
 
 QuicCryptoServerConfig::Config::~Config() { STLDeleteElements(&key_exchanges); }
 
 }  // namespace net