Set Token-Binding HTTP header

net/socket/ssl_client_socket.h

Index: net/socket/ssl_client_socket.h
diff --git a/net/socket/ssl_client_socket.h b/net/socket/ssl_client_socket.h
index 3a6aa94258f30a72efe54ec5a3ee3183e4022a6d..0ac6e26f95214aea2323bcf0fa0ff87b514795b9 100644
--- a/net/socket/ssl_client_socket.h
+++ b/net/socket/ssl_client_socket.h
@@ -10,6 +10,7 @@
 #include <string>
 
 #include "base/gtest_prod_util.h"
+#include "crypto/ec_private_key.h"

[davidben, 2016/01/22 00:19:21]

Can be forward-declared.

[nharper, 2016/01/22 19:36:52]

Done.

 #include "net/base/completion_callback.h"
 #include "net/base/load_flags.h"
 #include "net/base/net_errors.h"
@@ -144,6 +145,11 @@ class NET_EXPORT SSLClientSocket : public SSLSocket {
   // channel ids are not supported.
   virtual ChannelIDService* GetChannelIDService() const = 0;
 
+  // Signs the EKM value for Token Binding with |*key| and puts it in |*out|.
+  // Returns a net error code of ERR_FAILED or OK.

[davidben, 2016/01/22 00:19:21]

Nit: Also returns ERR_NOT_IMPLEMENTED, strictly speaking. Maybe have it return
an Error and then the type system catures it?

[nharper, 2016/01/22 19:36:52]

Done. I also changed the same method in HttpStream to return an Error instead of
an int (since I'm not returning a non-Error value with my int).

+  virtual int GetSignedEKMForTokenBinding(crypto::ECPrivateKey* key,
+                                          std::vector<uint8_t>* out) = 0;
+
   // Returns the state of the handshake when it failed, or |SSL_FAILURE_NONE| if
   // the handshake succeeded. This is used to classify causes of the TLS version
   // fallback.