This change introduces a way to tie source address token keys to specific QUIC server configs

net/quic/crypto/quic_crypto_server_config.h

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_QUIC_CRYPTO_QUIC_CRYPTO_SERVER_CONFIG_H_
 #define NET_QUIC_CRYPTO_QUIC_CRYPTO_SERVER_CONFIG_H_
 
 #include <map>
 #include <string>
 #include <vector>
@@ skipping 302 matching lines @@
     // primary_time contains the timestamp when this config should become the
     // primary config. A value of QuicWallTime::Zero() means that this config
     // will not be promoted at a specific time.
     QuicWallTime primary_time;
 
     // Secondary sort key for use when selecting primary configs and
     // there are multiple configs with the same primary time.
     // Smaller numbers mean higher priority.
     uint64 priority;
 
+    // source_address_token_boxer_ is used to protect the
+    // source-address tokens that are given to clients.
+    // Points to either source_address_token_boxer_storage or the
+    // default boxer provided by QuicCryptoServerConfig.
+    const CryptoSecretBoxer* source_address_token_boxer;
+
+    // Holds the override source_address_token_boxer instance if the
+    // Config is not using the default source address token boxer
+    // instance provided by QuicCryptoServerConfig.
+    scoped_ptr<CryptoSecretBoxer> source_address_token_boxer_storage;
+
    private:
     friend class base::RefCounted<Config>;
     virtual ~Config();
 
     DISALLOW_COPY_AND_ASSIGN(Config);
   };
 
   typedef std::map<ServerConfigID, scoped_refptr<Config> > ConfigMap;
 
+  // Get a ref to the config with a given server config id.
+  scoped_refptr<Config> GetConfigWithScid(
+      base::StringPiece requested_scid) const;
+
   // ConfigPrimaryTimeLessThan returns true if a->primary_time <
   // b->primary_time.
   static bool ConfigPrimaryTimeLessThan(const scoped_refptr<Config>& a,
                                         const scoped_refptr<Config>& b);
 
   // SelectNewPrimaryConfig reevaluates the primary config based on the
   // "primary_time" deadlines contained in each.
   void SelectNewPrimaryConfig(QuicWallTime now) const;
 
   // EvaluateClientHello checks |client_hello| for gross errors and determines
   // whether it can be shown to be fresh (i.e. not a replay). The results are
   // written to |info|.
   void EvaluateClientHello(
       const uint8* primary_orbit,
+      scoped_refptr<Config> requested_config,
       ValidateClientHelloResultCallback::Result* client_hello_state,
       ValidateClientHelloResultCallback* done_cb) const;
 
   // BuildRejection sets |out| to be a REJ message in reply to |client_hello|.
   void BuildRejection(
       const scoped_refptr<Config>& config,
       const CryptoHandshakeMessage& client_hello,
       const ClientHelloInfo& info,
       QuicRandom* rand,
       CryptoHandshakeMessage* out) const;
 
   // ParseConfigProtobuf parses the given config protobuf and returns a
   // scoped_refptr<Config> if successful. The caller adopts the reference to the
   // Config. On error, ParseConfigProtobuf returns NULL.
   scoped_refptr<Config> ParseConfigProtobuf(QuicServerConfigProtobuf* protobuf);
 
   // NewSourceAddressToken returns a fresh source address token for the given
   // IP address.
-  std::string NewSourceAddressToken(const IPEndPoint& ip,
-                                    QuicRandom* rand,
-                                    QuicWallTime now) const;
+  std::string NewSourceAddressToken(
+      const QuicCryptoServerConfig::Config* config,

[wtc, 2014/04/07 18:38:24]

Why isn't this parameter a const reference? I found that we simply dereference
|config| without checking, so this cannot be a NULL pointer.

[ramant (doing other things), 2014/04/21 22:39:29]

Done.

+      const IPEndPoint& ip,
+      QuicRandom* rand,
+      QuicWallTime now) const;
 
   // ValidateSourceAddressToken returns true if the source address token in
   // |token| is a valid and timely token for the IP address |ip| given that the
   // current time is |now|.
-  bool ValidateSourceAddressToken(base::StringPiece token,
-                                  const IPEndPoint& ip,
-                                  QuicWallTime now) const;
+  bool ValidateSourceAddressToken(
+      const QuicCryptoServerConfig::Config* config,
+      base::StringPiece token,
+      const IPEndPoint& ip,
+      QuicWallTime now) const;
 
   // NewServerNonce generates and encrypts a random nonce.
   std::string NewServerNonce(QuicRandom* rand, QuicWallTime now) const;
 
   // ValidateServerNonce decrypts |token| and verifies that it hasn't been
   // previously used and is recent enough that it is plausible that it was part
   // of a very recently provided rejection ("recent" will be on the order of
   // 10-30 seconds). If so, it records that it has been used and returns true.
   // Otherwise it returns false.
   bool ValidateServerNonce(base::StringPiece echoed_server_nonce,
@@ skipping 19 matching lines @@
   mutable QuicWallTime next_config_promotion_time_;
   // Callback to invoke when the primary config changes.
   scoped_ptr<PrimaryConfigChangedCallback> primary_config_changed_cb_;
 
   // Protects access to the pointer held by strike_register_client_.
   mutable base::Lock strike_register_client_lock_;
   // strike_register_ contains a data structure that keeps track of previously
   // observed client nonces in order to prevent replay attacks.
   mutable scoped_ptr<StrikeRegisterClient> strike_register_client_;
 
-  // source_address_token_boxer_ is used to protect the source-address tokens
-  // that are given to clients.
-  CryptoSecretBoxer source_address_token_boxer_;
+  // Default source_address_token_boxer_ used to protect the
+  // source-address tokens that are given to clients.  Individual
+  // configs may use boxers with alternate secrets.
+  CryptoSecretBoxer default_source_address_token_boxer_;
 
   // server_nonce_boxer_ is used to encrypt and validate suggested server
   // nonces.
   CryptoSecretBoxer server_nonce_boxer_;
 
   // server_nonce_orbit_ contains the random, per-server orbit values that this
   // server will use to generate server nonces (the moral equivalent of a SYN
   // cookies).
   uint8 server_nonce_orbit_[8];
 
@@ skipping 18 matching lines @@
   uint32 strike_register_window_secs_;
   uint32 source_address_token_future_secs_;
   uint32 source_address_token_lifetime_secs_;
   uint32 server_nonce_strike_register_max_entries_;
   uint32 server_nonce_strike_register_window_secs_;
 };
 
 }  // namespace net
 
 #endif  // NET_QUIC_CRYPTO_QUIC_CRYPTO_SERVER_CONFIG_H_