This change introduces a way to tie source address token keys to specific QUIC server configs

net/quic/crypto/crypto_secret_boxer.h

Index: net/quic/crypto/crypto_secret_boxer.h
diff --git a/net/quic/crypto/crypto_secret_boxer.h b/net/quic/crypto/crypto_secret_boxer.h
index ba9baf2bb2aad70d0eb413c68a286d345ca48ba1..6deb7718157a9d2065ba3bd82425538e5e672b9a 100644
--- a/net/quic/crypto/crypto_secret_boxer.h
+++ b/net/quic/crypto/crypto_secret_boxer.h
@@ -7,8 +7,11 @@
 
 #include <string>
 
+#include "base/memory/scoped_ptr.h"
 #include "base/strings/string_piece.h"
 #include "net/base/net_export.h"
+#include "net/quic/crypto/quic_decrypter.h"
+#include "net/quic/crypto/quic_encrypter.h"
 
 namespace net {
 
@@ -19,12 +22,17 @@ class QuicRandom;
 // thread-safe.
 class NET_EXPORT_PRIVATE CryptoSecretBoxer {
  public:
+  // Initializes |encrypter_| and |decrypter_| data members.
+  CryptoSecretBoxer();
+  ~CryptoSecretBoxer();
+
   // GetKeySize returns the number of bytes in a key.
   static size_t GetKeySize();
 
   // SetKey sets the key for this object. This must be done before |Box| or
-  // |Unbox| are called. |key| must be |GetKeySize()| bytes long.
-  void SetKey(base::StringPiece key);
+  // |Unbox| are called. |key| must be |GetKeySize()| bytes long. Returns false
+  // if |encrypter_| or |decrypter_|'s SetKey method fails.
+  bool SetKey(base::StringPiece key);
 
   // Box encrypts |plaintext| using a random nonce generated from |rand| and
   // returns the resulting ciphertext. Since an authenticator and nonce are
@@ -41,7 +49,10 @@ class NET_EXPORT_PRIVATE CryptoSecretBoxer {
              base::StringPiece* out) const;
 
  private:
-  std::string key_;
+  scoped_ptr<QuicEncrypter> encrypter_;
+  scoped_ptr<QuicDecrypter> decrypter_;
+
+  DISALLOW_COPY_AND_ASSIGN(CryptoSecretBoxer);
 };
 
 }  // namespace net