Update from https://crrev.com/309415

net/quic/crypto/quic_crypto_server_config.h

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_QUIC_CRYPTO_QUIC_CRYPTO_SERVER_CONFIG_H_
 #define NET_QUIC_CRYPTO_QUIC_CRYPTO_SERVER_CONFIG_H_
 
 #include <map>
 #include <string>
 #include <vector>
 
 #include "base/memory/ref_counted.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/strings/string_piece.h"
 #include "base/synchronization/lock.h"
 #include "net/base/ip_endpoint.h"
 #include "net/base/net_export.h"
 #include "net/quic/crypto/cached_network_parameters.h"
 #include "net/quic/crypto/crypto_handshake.h"
 #include "net/quic/crypto/crypto_handshake_message.h"
 #include "net/quic/crypto/crypto_protocol.h"
 #include "net/quic/crypto/crypto_secret_boxer.h"
+#include "net/quic/crypto/source_address_token.h"
 #include "net/quic/quic_time.h"
 
 namespace net {
 
 class CryptoHandshakeMessage;
 class EphemeralKeySource;
 class KeyExchange;
 class ProofSource;
 class QuicClock;
 class QuicDecrypter;
@@ skipping 14 matching lines @@
   const QuicWallTime now;
 
   // Outputs from EvaluateClientHello.
   bool valid_source_address_token;
   bool client_nonce_well_formed;
   bool unique;
   base::StringPiece sni;
   base::StringPiece client_nonce;
   base::StringPiece server_nonce;
   base::StringPiece user_agent_id;
+  SourceAddressTokens source_address_tokens;
 
   // Errors from EvaluateClientHello.
   std::vector<uint32> reject_reasons;
   COMPILE_ASSERT(sizeof(QuicTag) == sizeof(uint32), header_out_of_sync);
 };
 
 namespace test {
 class QuicCryptoServerConfigPeer;
 }  // namespace test
 
@@ skipping 183 matching lines @@
       CryptoHandshakeMessage* out,
       std::string* error_details) const;
 
   // BuildServerConfigUpdateMessage sets |out| to be a SCUP message containing
   // the current primary config, an up to date source-address token, and cert
   // chain and proof in the case of secure QUIC. Returns true if successfully
   // filled |out|.
   //
   // |cached_network_params| is optional, and can be nullptr.
   bool BuildServerConfigUpdateMessage(
+      const SourceAddressTokens& previous_source_address_tokens,
       const IPEndPoint& server_ip,
       const IPEndPoint& client_ip,
       const QuicClock* clock,
       QuicRandom* rand,
       const QuicCryptoNegotiatedParameters& params,
       const CachedNetworkParameters* cached_network_params,
       CryptoHandshakeMessage* out) const;
 
   // SetProofSource installs |proof_source| as the ProofSource for handshakes.
   // This object takes ownership of |proof_source|.
@@ skipping 165 matching lines @@
 
   // ParseConfigProtobuf parses the given config protobuf and returns a
   // scoped_refptr<Config> if successful. The caller adopts the reference to the
   // Config. On error, ParseConfigProtobuf returns nullptr.
   scoped_refptr<Config> ParseConfigProtobuf(QuicServerConfigProtobuf* protobuf);
 
   // NewSourceAddressToken returns a fresh source address token for the given
   // IP address. |cached_network_params| is optional, and can be nullptr.
   std::string NewSourceAddressToken(
       const Config& config,
+      const SourceAddressTokens& previous_tokens,
       const IPEndPoint& ip,
       QuicRandom* rand,
       QuicWallTime now,
       const CachedNetworkParameters* cached_network_params) const;
 
-  // ValidateSourceAddressToken returns HANDSHAKE_OK if the source address token
-  // in |token| is a valid and timely token for the IP address |ip| given that
-  // the current time is |now|. Otherwise it returns the reason for failure.
-  // |cached_network_params| is populated if |token| contains a
-  // CachedNetworkParameters proto.
+  // ParseSourceAddressToken parses the source address tokens contained in
+  // the encrypted |token|, and populates |tokens| with the parsed tokens.
+  // Returns HANDSHAKE_OK if |token| could be parsed, or the reason for the
+  // failure.
+  HandshakeFailureReason ParseSourceAddressToken(
+      const Config& config,
+      base::StringPiece token,
+      SourceAddressTokens* tokens) const;
+
+  // ValidateSourceAddressToken returns HANDSHAKE_OK if the source address
+  // tokens in |tokens| contain a valid and timely token for the IP address
+  // |ip| given that the current time is |now|. Otherwise it returns the
+  // reason for failure. |cached_network_params| is populated if the valid
+  // token contains a CachedNetworkParameters proto.
+  // TODO(rch): remove this method when we remove:
+  // FLAGS_quic_use_multiple_address_in_source_tokens.
   HandshakeFailureReason ValidateSourceAddressToken(
       const Config& config,
       base::StringPiece token,
       const IPEndPoint& ip,
       QuicWallTime now,
       CachedNetworkParameters* cached_network_params) const;
 
+  // ValidateSourceAddressTokens returns HANDSHAKE_OK if the source address
+  // tokens in |tokens| contain a valid and timely token for the IP address
+  // |ip| given that the current time is |now|. Otherwise it returns the
+  // reason for failure. |cached_network_params| is populated if the valid
+  // token contains a CachedNetworkParameters proto.
+  HandshakeFailureReason ValidateSourceAddressTokens(
+      const SourceAddressTokens& tokens,
+      const IPEndPoint& ip,
+      QuicWallTime now,
+      CachedNetworkParameters* cached_network_params) const;
+
+  // ValidateSingleSourceAddressToken returns HANDSHAKE_OK if the source
+  // address token in |token| is a timely token for the IP address |ip|
+  // given that the current time is |now|. Otherwise it returns the reason
+  // for failure.
+  HandshakeFailureReason ValidateSingleSourceAddressToken(
+      const SourceAddressToken& token,
+      const IPEndPoint& ip,
+      QuicWallTime now) const;
+
+  // Returns HANDSHAKE_OK if the source address token in |token| is a timely
+  // token given that the current time is |now|. Otherwise it returns the
+  // reason for failure.
+  HandshakeFailureReason ValidateSourceAddressTokenTimestamp(
+      const SourceAddressToken& token,
+      QuicWallTime now) const;
+
   // NewServerNonce generates and encrypts a random nonce.
   std::string NewServerNonce(QuicRandom* rand, QuicWallTime now) const;
 
   // ValidateServerNonce decrypts |token| and verifies that it hasn't been
   // previously used and is recent enough that it is plausible that it was part
   // of a very recently provided rejection ("recent" will be on the order of
   // 10-30 seconds). If so, it records that it has been used and returns
   // HANDSHAKE_OK. Otherwise it returns the reason for failure.
   HandshakeFailureReason ValidateServerNonce(
       base::StringPiece echoed_server_nonce,
@@ skipping 63 matching lines @@
   uint32 source_address_token_lifetime_secs_;
   uint32 server_nonce_strike_register_max_entries_;
   uint32 server_nonce_strike_register_window_secs_;
 
   DISALLOW_COPY_AND_ASSIGN(QuicCryptoServerConfig);
 };
 
 }  // namespace net
 
 #endif  // NET_QUIC_CRYPTO_QUIC_CRYPTO_SERVER_CONFIG_H_