aws-crt 0.1.9 → 0.2.0

data/aws-crt-ffi/crt/aws-lc/ssl/ssl_test.cc

@@ -36,6 +36,7 @@
 #include <openssl/err.h>
 #include <openssl/hmac.h>
 #include <openssl/hpke.h>
+#include <openssl/hrss.h>
 #include <openssl/pem.h>
 #include <openssl/rand.h>
 #include <openssl/sha.h>
@@ -46,6 +47,9 @@
 #include "../crypto/internal.h"
 #include "../crypto/test/test_util.h"
 #include "internal.h"
+#include "../crypto/kyber/kem_kyber.h"
+#include "../crypto/kem/internal.h"
+#include "../crypto/fipsmodule/ec/internal.h"
 
 #if defined(OPENSSL_WINDOWS)
 // Windows defines struct timeval in winsock2.h.
@@ -60,7 +64,6 @@ OPENSSL_MSVC_PRAGMA(warning(pop))
 #include <thread>
 #endif
 
-
 BSSL_NAMESPACE_BEGIN
 
 namespace {
@@ -154,6 +157,39 @@ struct CurveTest {
   std::vector<uint16_t> expected;
 };
 
+struct GroupTest {
+  int nid;
+  uint16_t group_id;
+  size_t offer_key_share_size;
+  size_t accept_key_share_size;
+  size_t shared_secret_size;
+};
+
+struct HybridGroupTest {
+  int nid;
+  uint16_t group_id;
+  size_t offer_key_share_size;
+  size_t accept_key_share_size;
+  size_t shared_secret_size;
+  size_t offer_share_sizes[NUM_HYBRID_COMPONENTS];
+  size_t accept_share_sizes[NUM_HYBRID_COMPONENTS];
+};
+
+struct HybridHandshakeTest {
+  // The curves rule string to apply to the client
+  const char *client_rule;
+  // TLS version that the client is configured with
+  uint16_t client_version;
+  // The curves rule string to apply to the server
+  const char *server_rule;
+  // TLS version that the server is configured with
+  uint16_t server_version;
+  // The group that is expected to be negotiated
+  uint16_t expected_group;
+  // Is a HelloRetryRequest expected?
+  bool is_hrr_expected;
+};
+
 template <typename T>
 class UnownedSSLExData {
  public:
@@ -569,6 +605,90 @@ static const CurveTest kCurveTests[] = {
       SSL_GROUP_X25519,
     },
   },
+  {
+    "SecP256r1Kyber768Draft00:prime256v1:secp384r1:secp521r1:x25519",
+    {
+      SSL_GROUP_SECP256R1_KYBER768_DRAFT00,
+      SSL_GROUP_SECP256R1,
+      SSL_GROUP_SECP384R1,
+      SSL_GROUP_SECP521R1,
+      SSL_GROUP_X25519,
+    },
+  },
+  {
+    "X25519Kyber768Draft00:prime256v1:secp384r1",
+    {
+      SSL_GROUP_X25519_KYBER768_DRAFT00,
+      SSL_GROUP_SECP256R1,
+      SSL_GROUP_SECP384R1,
+    },
+  },
+  {
+    "X25519:X25519Kyber768Draft00",
+    {
+      SSL_GROUP_X25519,
+      SSL_GROUP_X25519_KYBER768_DRAFT00,
+    },
+  },
+  {
+    "X25519:SecP256r1Kyber768Draft00:prime256v1",
+    {
+      SSL_GROUP_X25519,
+      SSL_GROUP_SECP256R1_KYBER768_DRAFT00,
+      SSL_GROUP_SECP256R1,
+    },
+  },
+};
+
+
+// SECP256R1:     https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.8.2
+// X25519:        https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.8.2
+static const size_t P256_KEYSHARE_SIZE = ((EC_P256R1_FIELD_ELEM_BYTES * 2) + 1);
+static const size_t P256_SECRET_SIZE = EC_P256R1_FIELD_ELEM_BYTES;
+static const size_t X25519_KEYSHARE_SIZE = 32;
+static const size_t X25519_SECRET_SIZE = 32;
+
+static const GroupTest kKemGroupTests[] = {
+  {
+    NID_KYBER768_R3,
+    SSL_GROUP_KYBER768_R3,
+    KYBER768_R3_PUBLIC_KEY_BYTES,
+    KYBER768_R3_CIPHERTEXT_BYTES,
+    KYBER_R3_SHARED_SECRET_LEN,
+  },
+};
+
+static const HybridGroupTest kHybridGroupTests[] = {
+  {
+    NID_SecP256r1Kyber768Draft00,
+    SSL_GROUP_SECP256R1_KYBER768_DRAFT00,
+    P256_KEYSHARE_SIZE + KYBER768_R3_PUBLIC_KEY_BYTES,
+    P256_KEYSHARE_SIZE + KYBER768_R3_CIPHERTEXT_BYTES,
+    P256_SECRET_SIZE + KYBER_R3_SHARED_SECRET_LEN,
+    {
+      P256_KEYSHARE_SIZE,             // offer_share_sizes[0]
+      KYBER768_R3_PUBLIC_KEY_BYTES,   // offer_share_sizes[1]
+    },
+    {
+      P256_KEYSHARE_SIZE,             // accept_share_sizes[0]
+      KYBER768_R3_CIPHERTEXT_BYTES,   // accept_share_sizes[1]
+    },
+  },
+  {
+    NID_X25519Kyber768Draft00,
+    SSL_GROUP_X25519_KYBER768_DRAFT00,
+    X25519_KEYSHARE_SIZE + KYBER768_R3_PUBLIC_KEY_BYTES,
+    X25519_KEYSHARE_SIZE + KYBER768_R3_CIPHERTEXT_BYTES,
+    X25519_SECRET_SIZE + KYBER_R3_SHARED_SECRET_LEN,
+    {
+      X25519_KEYSHARE_SIZE,           // offer_share_sizes[0]
+      KYBER768_R3_PUBLIC_KEY_BYTES,   // offer_share_sizes[1]
+    },
+    {
+      X25519_KEYSHARE_SIZE,          // accept_share_sizes[0]
+      KYBER768_R3_CIPHERTEXT_BYTES,  // accept_share_sizes[1]
+    },
+  },
 };
 
 static const char *kBadCurvesLists[] = {
@@ -580,8 +700,335 @@ static const char *kBadCurvesLists[] = {
   "P-256:RSA",
   "X25519:P-256:",
   ":X25519:P-256",
+  "kyber768_r3",
+  "x25519_kyber768:prime256v1",
+};
+
+static const HybridHandshakeTest kHybridHandshakeTests[] = {
+  // The corresponding hybrid group should be negotiated when client
+  // and server support only that group
+  {
+    "X25519Kyber768Draft00",
+    TLS1_3_VERSION,
+    "X25519Kyber768Draft00",
+    TLS1_3_VERSION,
+    SSL_GROUP_X25519_KYBER768_DRAFT00,
+    false,
+  },
+
+  {
+    "SecP256r1Kyber768Draft00",
+    TLS1_3_VERSION,
+    "SecP256r1Kyber768Draft00",
+    TLS1_3_VERSION,
+    SSL_GROUP_SECP256R1_KYBER768_DRAFT00,
+    false,
+  },
+
+  // The client's preferred hybrid group should be negotiated when also
+  // supported by the server, even if the server "prefers"/supports other groups.
+  {
+    "X25519Kyber768Draft00:x25519",
+    TLS1_3_VERSION,
+    "x25519:prime256v1:X25519Kyber768Draft00",
+    TLS1_3_VERSION,
+    SSL_GROUP_X25519_KYBER768_DRAFT00,
+    false,
+  },
+
+  {
+    "X25519Kyber768Draft00:x25519",
+    TLS1_3_VERSION,
+    "X25519Kyber768Draft00:x25519",
+    TLS1_3_VERSION,
+    SSL_GROUP_X25519_KYBER768_DRAFT00,
+    false,
+  },
+
+  {
+    "SecP256r1Kyber768Draft00",
+    TLS1_3_VERSION,
+    "X25519Kyber768Draft00:secp384r1:x25519:SecP256r1Kyber768Draft00",
+    TLS1_3_VERSION,
+    SSL_GROUP_SECP256R1_KYBER768_DRAFT00,
+    false,
+  },
+
+  // The client lists PQ/hybrid groups as both first and second preferences.
+  // The key share logic is implemented such that the client will always
+  // attempt to send one hybrid key share and one classical key share.
+  // Therefore, the client will send key shares [SecP256r1Kyber768Draft00, x25519],
+  // skipping X25519Kyber768Draft00, and the server will choose to negotiate
+  // x25519 since it is the only mutually supported group.
+  {
+    "SecP256r1Kyber768Draft00:X25519Kyber768Draft00:x25519",
+    TLS1_3_VERSION,
+    "secp384r1:x25519",
+    TLS1_3_VERSION,
+    SSL_GROUP_X25519,
+    false,
+  },
+
+  // The client will send key shares [x25519, SecP256r1Kyber768Draft00].
+  // The server will negotiate SecP256r1Kyber768Draft00 since it is the only
+  // mutually supported group.
+  {
+    "x25519:secp384r1:SecP256r1Kyber768Draft00",
+    TLS1_3_VERSION,
+    "SecP256r1Kyber768Draft00:prime256v1",
+    TLS1_3_VERSION,
+    SSL_GROUP_SECP256R1_KYBER768_DRAFT00,
+    false,
+  },
+
+  // The client will send key shares [x25519, SecP256r1Kyber768Draft00]. The
+  // server will negotiate x25519 since the client listed it as its first
+  // preference, even though it supports SecP256r1Kyber768Draft00.
+  {
+    "x25519:prime256v1:SecP256r1Kyber768Draft00",
+    TLS1_3_VERSION,
+    "prime256v1:x25519:SecP256r1Kyber768Draft00",
+    TLS1_3_VERSION,
+    SSL_GROUP_X25519,
+    false,
+  },
+
+  // The client will send key shares [SecP256r1Kyber768Draft00, x25519].
+  // The server will negotiate SecP256r1Kyber768Draft00 since the client listed
+  // it as its first preference.
+  {
+    "SecP256r1Kyber768Draft00:x25519:prime256v1",
+    TLS1_3_VERSION,
+    "prime256v1:x25519:SecP256r1Kyber768Draft00",
+    TLS1_3_VERSION,
+    SSL_GROUP_SECP256R1_KYBER768_DRAFT00,
+    false,
+  },
+
+  // In the supported_groups extension, the client will indicate its
+  // preferences, in order, as [SecP256r1Kyber768Draft00, X25519Kyber768Draft00,
+  // x25519, prime256v1]. From those groups, it will send key shares
+  // [SecP256r1Kyber768Draft00, x25519]. The server supports, and receives a
+  // key share for, x25519. However, when selecting a mutually supported group
+  // to negotiate, the server recognizes that the client prefers
+  // X25519Kyber768Draft00 over x25519. Since the server also supports
+  // X25519Kyber768Draft00, but did not receive a key share for it, it will
+  // select it and send an HRR. This ensures that the client's highest
+  // preference group will be negotiated, even at the expense of an additional
+  // round-trip.
+  //
+  // In our SSL implementation, this situation is unique to the case where the
+  // client supports both ECC and hybrid/PQ. When sending key shares, the
+  // client will send at most two key shares in one of the following ways:
+
+  // (a) one ECC key share - if the client supports only ECC;
+  // (b) one PQ key share - if the client supports only PQ;
+  // (c) one ECC and one PQ key share - if the client supports ECC and PQ.
+  //
+  // One of the above cases will be true irrespective of how many groups
+  // the client supports. If, say, the client supports four ECC groups
+  // and zero PQ groups, it will still only send a single ECC share. In cases
+  // (a) and (b), either the server supports that group and chooses to
+  // negotiate it, or it doesn't support it and sends an HRR. Case (c) is the
+  // only case where the server might receive a key share for a mutually
+  // supported group, but chooses to respect the client's preference order
+  // defined in the supported_groups extension at the expense of an additional
+  // round-trip.
+  {
+    "SecP256r1Kyber768Draft00:X25519Kyber768Draft00:x25519:prime256v1",
+    TLS1_3_VERSION,
+    "X25519Kyber768Draft00:prime256v1:x25519",
+    TLS1_3_VERSION,
+    SSL_GROUP_X25519_KYBER768_DRAFT00,
+    true,
+  },
+
+  // Like the previous case, but the client's prioritization of ECC and PQ
+  // is inverted.
+  {
+    "x25519:prime256v1:SecP256r1Kyber768Draft00:X25519Kyber768Draft00",
+    TLS1_3_VERSION,
+    "X25519Kyber768Draft00:prime256v1",
+    TLS1_3_VERSION,
+    SSL_GROUP_SECP256R1,
+    true,
+  },
+
+  // The client will send key shares [SecP256r1Kyber768Draft00, x25519]. The
+  // server will negotiate X25519Kyber768Draft00 after an HRR.
+  {
+    "SecP256r1Kyber768Draft00:X25519Kyber768Draft00:x25519:prime256v1",
+    TLS1_3_VERSION,
+    "X25519Kyber768Draft00:prime256v1",
+    TLS1_3_VERSION,
+    SSL_GROUP_X25519_KYBER768_DRAFT00,
+    true,
+  },
+
+  // EC should be negotiated when client prefers EC, or server does not
+  // support hybrid
+  {
+    "X25519Kyber768Draft00:x25519",
+    TLS1_3_VERSION,
+    "x25519",
+    TLS1_3_VERSION,
+    SSL_GROUP_X25519,
+    false,
+  },
+  {
+    "x25519:SecP256r1Kyber768Draft00",
+    TLS1_3_VERSION,
+    "x25519",
+    TLS1_3_VERSION,
+    SSL_GROUP_X25519,
+    false,
+  },
+  {
+    "prime256v1:X25519Kyber768Draft00",
+    TLS1_3_VERSION,
+    "X25519Kyber768Draft00:prime256v1",
+    TLS1_3_VERSION,
+    SSL_GROUP_SECP256R1,
+    false,
+  },
+  {
+    "prime256v1:x25519:SecP256r1Kyber768Draft00",
+    TLS1_3_VERSION,
+    "x25519:prime256v1:SecP256r1Kyber768Draft00",
+    TLS1_3_VERSION,
+    SSL_GROUP_SECP256R1,
+    false,
+  },
+
+  // EC should be negotiated, after a HelloRetryRequest, if the server
+  // supports only curves for which it did not initially receive a key share
+  {
+    "X25519Kyber768Draft00:x25519:SecP256r1Kyber768Draft00:prime256v1",
+    TLS1_3_VERSION,
+    "prime256v1",
+    TLS1_3_VERSION,
+    SSL_GROUP_SECP256R1,
+    true,
+  },
+  {
+    "X25519Kyber768Draft00:SecP256r1Kyber768Draft00:prime256v1:x25519",
+    TLS1_3_VERSION,
+    "secp224r1:secp384r1:secp521r1:x25519",
+    TLS1_3_VERSION,
+    SSL_GROUP_X25519,
+    true,
+  },
+
+  // Hybrid should be negotiated, after a HelloRetryRequest, if the server
+  // supports only curves for which it did not initially receive a key share
+  {
+    "x25519:prime256v1:SecP256r1Kyber768Draft00:X25519Kyber768Draft00",
+    TLS1_3_VERSION,
+    "secp224r1:X25519Kyber768Draft00:secp521r1",
+    TLS1_3_VERSION,
+    SSL_GROUP_X25519_KYBER768_DRAFT00,
+    true,
+  },
+  {
+    "X25519Kyber768Draft00:x25519:prime256v1:SecP256r1Kyber768Draft00",
+    TLS1_3_VERSION,
+    "SecP256r1Kyber768Draft00",
+    TLS1_3_VERSION,
+    SSL_GROUP_SECP256R1_KYBER768_DRAFT00,
+    true,
+  },
+
+  // If there is no overlap between client and server groups,
+  // the handshake should fail
+  {
+    "SecP256r1Kyber768Draft00:X25519Kyber768Draft00:secp384r1",
+    TLS1_3_VERSION,
+    "prime256v1:x25519",
+    TLS1_3_VERSION,
+    0,
+    false,
+  },
+  {
+    "secp384r1:SecP256r1Kyber768Draft00:X25519Kyber768Draft00",
+    TLS1_3_VERSION,
+    "prime256v1:x25519",
+    TLS1_3_VERSION,
+    0,
+    false,
+  },
+  {
+    "secp384r1:SecP256r1Kyber768Draft00",
+    TLS1_3_VERSION,
+    "prime256v1:x25519:X25519Kyber768Draft00",
+    TLS1_3_VERSION,
+    0,
+    false,
+  },
+  {
+    "SecP256r1Kyber768Draft00",
+    TLS1_3_VERSION,
+    "X25519Kyber768Draft00",
+    TLS1_3_VERSION,
+    0,
+    false,
+  },
+
+  // If the client supports hybrid TLS 1.3, but the server
+  // only supports TLS 1.2, then TLS 1.2 EC should be negotiated.
+  {
+    "SecP256r1Kyber768Draft00:prime256v1",
+    TLS1_3_VERSION,
+    "prime256v1:x25519",
+    TLS1_2_VERSION,
+    SSL_GROUP_SECP256R1,
+    false,
+  },
+
+  // Same as above, but server also has SecP256r1Kyber768Draft00 in it's
+  // supported list, but can't use it since TLS 1.3 is the minimum version that
+  // supports PQ.
+  {
+    "SecP256r1Kyber768Draft00:prime256v1",
+    TLS1_3_VERSION,
+    "SecP256r1Kyber768Draft00:prime256v1:x25519",
+    TLS1_2_VERSION,
+    SSL_GROUP_SECP256R1,
+    false,
+  },
+
+  // If the client configures the curve list to include a hybrid
+  // curve, then initiates a 1.2 handshake, it will not advertise
+  // hybrid groups because hybrid is not supported for 1.2. So
+  // a 1.2 EC handshake will be negotiated (even if the server
+  // supports 1.3 with corresponding hybrid group).
+  {
+    "SecP256r1Kyber768Draft00:x25519",
+    TLS1_2_VERSION,
+    "SecP256r1Kyber768Draft00:x25519",
+    TLS1_3_VERSION,
+    SSL_GROUP_X25519,
+    false,
+  },
+  {
+    "SecP256r1Kyber768Draft00:prime256v1",
+    TLS1_2_VERSION,
+    "prime256v1:x25519",
+    TLS1_2_VERSION,
+    SSL_GROUP_SECP256R1,
+    false,
+  },
 };
 
+const HybridGroup* GetHybridGroup(uint16_t group_id){
+    for (const HybridGroup &g : HybridGroups()) {
+      if (group_id == g.group_id) {
+        return &g;
+      }
+    }
+
+    return NULL;
+}
+
 static STACK_OF(SSL_CIPHER) *tls13_ciphers(const SSL_CTX *ctx) {
   return ctx->tls13_cipher_list->ciphers.get();
 }
@@ -1392,6 +1839,9 @@ TEST(SSLTest, CipherProperties) {
     EXPECT_EQ(t.digest_nid, SSL_CIPHER_get_digest_nid(cipher));
     EXPECT_EQ(t.kx_nid, SSL_CIPHER_get_kx_nid(cipher));
     EXPECT_EQ(t.auth_nid, SSL_CIPHER_get_auth_nid(cipher));
+    const EVP_MD *md = SSL_CIPHER_get_handshake_digest(cipher);
+    ASSERT_TRUE(md);
+    EXPECT_EQ(t.prf_nid, EVP_MD_nid(md));
     EXPECT_EQ(t.prf_nid, SSL_CIPHER_get_prf_nid(cipher));
   }
 }
@@ -2536,10 +2986,7 @@ TEST(SSLTest, ECHPublicName) {
   EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0X01.")));
 }
 
-// When using the built-in verifier, test that |SSL_get0_ech_name_override| is
-// applied automatically.
-TEST(SSLTest, ECHBuiltinVerifier) {
-  // These test certificates generated with the following Go program.
+// These test certificates generated with the following Go program.
   /* clang-format off
 func main() {
   notBefore := time.Date(2000, time.January, 1, 0, 0, 0, 0, time.UTC)
@@ -2573,6 +3020,7 @@ func main() {
   }
 }
 clang-format on */
+static bssl::UniquePtr<X509> GetLeafRoot() {
   bssl::UniquePtr<X509> root = CertFromPEM(R"(
 -----BEGIN CERTIFICATE-----
 MIIBRzCB7aADAgECAgEBMAoGCCqGSM49BAMCMBIxEDAOBgNVBAMTB1Rlc3QgQ0Ew
@@ -2584,7 +3032,11 @@ GU5F4zAKBggqhkjOPQQDAgNJADBGAiEAiiNowddQeHZaZFIygwe6RW5/WG4sUXWC
 dkyl9CQzRaYCIQCFS1EvwZbZtMny27fYm1eeYciY0TkJTEi34H1KwyzzIA==
 -----END CERTIFICATE-----
 )");
-  ASSERT_TRUE(root);
+  EXPECT_TRUE(root);
+  return root;
+}
+
+static bssl::UniquePtr<EVP_PKEY> GetLeafKey() {
   bssl::UniquePtr<EVP_PKEY> leaf_key = KeyFromPEM(R"(
 -----BEGIN PRIVATE KEY-----
 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgj5WKHwHnziiyPauf
@@ -2592,7 +3044,11 @@ MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgj5WKHwHnziiyPauf
 hr6PDITHi1lDlJzvVT4aXBH87sH2n2UV5zpx13NHkq1bIC8eRT8eOIe0
 -----END PRIVATE KEY-----
 )");
-  ASSERT_TRUE(leaf_key);
+  EXPECT_TRUE(leaf_key);
+  return leaf_key;
+}
+
+static bssl::UniquePtr<X509> GetLeafPublic() {
   bssl::UniquePtr<X509> leaf_public = CertFromPEM(R"(
 -----BEGIN CERTIFICATE-----
 MIIBaDCCAQ6gAwIBAgIBAjAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdUZXN0IENB
@@ -2605,7 +3061,11 @@ AwIDSAAwRQIhANqZRhDR/+QL05hsWXMYEwaiHifd9iakKoFEhKFchcF3AiBRAeXw
 wRGGT6+iPmTYM6N5/IDyAb5B9Ke38O6lLEsUwA==
 -----END CERTIFICATE-----
 )");
-  ASSERT_TRUE(leaf_public);
+  EXPECT_TRUE(leaf_public);
+  return leaf_public;
+}
+
+static bssl::UniquePtr<X509> GetLeafSecret() {
   bssl::UniquePtr<X509> leaf_secret = CertFromPEM(R"(
 -----BEGIN CERTIFICATE-----
 MIIBaTCCAQ6gAwIBAgIBAzAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdUZXN0IENB
@@ -2618,8 +3078,13 @@ AwIDSQAwRgIhAPQdIz1xCFkc9WuSkxOxJDpywZiEp9SnKcxJ9nwrlRp3AiEA+O3+
 XRqE7XFhHL+7TNC2a9OOAjQsEF137YPWo+rhgko=
 -----END CERTIFICATE-----
 )");
-  ASSERT_TRUE(leaf_secret);
+  EXPECT_TRUE(leaf_secret);
+  return leaf_secret;
+}
 
+// When using the built-in verifier, test that |SSL_get0_ech_name_override| is
+// applied automatically.
+TEST(SSLTest, ECHBuiltinVerifier) {
   // Use different config IDs so that fuzzer mode, which breaks trial
   // decryption, will observe the key mismatch.
   bssl::UniquePtr<SSL_ECH_KEYS> keys = MakeTestECHKeys(/*config_id=*/1);
@@ -2637,7 +3102,7 @@ XRqE7XFhHL+7TNC2a9OOAjQsEF137YPWo+rhgko=
   // BoringSSL will internally override this setting with the public name.
   bssl::UniquePtr<X509_STORE> store(X509_STORE_new());
   ASSERT_TRUE(store);
-  ASSERT_TRUE(X509_STORE_add_cert(store.get(), root.get()));
+  ASSERT_TRUE(X509_STORE_add_cert(store.get(), GetLeafRoot().get()));
   SSL_CTX_set_cert_store(client_ctx.get(), store.release());
   SSL_CTX_set_verify(client_ctx.get(), SSL_VERIFY_PEER, nullptr);
   X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(client_ctx.get()),
@@ -2664,10 +3129,10 @@ XRqE7XFhHL+7TNC2a9OOAjQsEF137YPWo+rhgko=
       ASSERT_TRUE(InstallECHConfigList(client.get(), keys.get()));
 
       // Configure the server with the selected certificate.
-      ASSERT_TRUE(SSL_use_certificate(server.get(), use_leaf_secret
-                                                        ? leaf_secret.get()
-                                                        : leaf_public.get()));
-      ASSERT_TRUE(SSL_use_PrivateKey(server.get(), leaf_key.get()));
+      ASSERT_TRUE(SSL_use_certificate(
+          server.get(),
+          use_leaf_secret ? GetLeafSecret().get() : GetLeafPublic().get()));
+      ASSERT_TRUE(SSL_use_PrivateKey(server.get(), GetLeafKey().get()));
 
       // The handshake may fail due to name mismatch or ECH reject. We check
       // |SSL_get_verify_result| to confirm the handshake got far enough.
@@ -4328,6 +4793,37 @@ TEST_P(SSLVersionTest, SSLClearFailsWithShedding) {
   ASSERT_FALSE(SSL_clear(server_.get()));
 }
 
+TEST_P(SSLVersionTest, SSLClientCiphers) {
+  // Client ciphers ARE NOT SERIALIZED, so skip tests that rely on transfer or
+  // serialization of |ssl| and accompanying objects under test.
+  if (GetParam().transfer_ssl) {
+      return;
+  }
+
+  EXPECT_FALSE(SSL_get_client_ciphers(client_.get()));
+  EXPECT_FALSE(SSL_get_client_ciphers(server_.get()));
+
+  shed_handshake_config_ = false;
+  ASSERT_TRUE(Connect());
+
+  // The client should still have no view of the server's preferences, but the
+  // server should have seen at least one cipher from the client.
+  EXPECT_FALSE(SSL_get_client_ciphers(client_.get()));
+  EXPECT_GT(sk_SSL_CIPHER_num(SSL_get_client_ciphers(server_.get())), (size_t) 0);
+
+  // With config shedding disabled, clearing |server| shouldn't error and
+  // should reset server's client ciphers
+  ASSERT_TRUE(SSL_clear(server_.get()));
+  EXPECT_FALSE(SSL_get_client_ciphers(server_.get()));
+
+  shed_handshake_config_ = true;
+  ASSERT_TRUE(Connect());
+
+  // These should be unaffected by config shedding
+  EXPECT_FALSE(SSL_get_client_ciphers(client_.get()));
+  EXPECT_GT(sk_SSL_CIPHER_num(SSL_get_client_ciphers(server_.get())), (size_t) 0);
+}
+
 static bool ChainsEqual(STACK_OF(X509) *chain,
                         const std::vector<X509 *> &expected) {
   if (sk_X509_num(chain) != expected.size()) {
@@ -4422,6 +4918,94 @@ static bool ExpectSingleError(int lib, int reason) {
   return true;
 }
 
+TEST(SSLTest, BuildCertChain) {
+  bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
+
+  // No certificate set, so this should fail.
+  EXPECT_FALSE(SSL_CTX_build_cert_chain(ctx.get(), 0));
+  EXPECT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_NO_CERTIFICATE_SET));
+
+  ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), GetLeafPublic().get()));
+  ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), GetLeafKey().get()));
+
+  // Verification will fail because there is no valid root cert available.
+  EXPECT_FALSE(SSL_CTX_build_cert_chain(ctx.get(), 0));
+
+  // Should return 2 when |SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR| is set.
+  EXPECT_EQ(
+      SSL_CTX_build_cert_chain(ctx.get(), SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR),
+      2);
+  EXPECT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_CERTIFICATE_VERIFY_FAILED));
+
+  // Should return 2, but with no error on the stack when
+  // |SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR| and |SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR|
+  // are set.
+  EXPECT_EQ(
+      SSL_CTX_build_cert_chain(ctx.get(), SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR |
+                                              SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR),
+      2);
+  EXPECT_FALSE(ERR_get_error());
+
+  // Pass in the trust store. |SSL_CTX_build_cert_chain| should succeed now.
+  ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx.get()),
+                                  GetLeafRoot().get()));
+  X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(ctx.get()),
+                              X509_V_FLAG_NO_CHECK_TIME);
+  EXPECT_EQ(SSL_CTX_build_cert_chain(ctx.get(), 0), 1);
+  STACK_OF(X509) *chain;
+  ASSERT_TRUE(SSL_CTX_get0_chain_certs(ctx.get(), &chain));
+  EXPECT_TRUE(ChainsEqual(chain, {GetLeafRoot().get()}));
+
+  // Root cert is self-signed, so |SSL_BUILD_CHAIN_FLAG_UNTRUSTED| will
+  // still pass.
+  ASSERT_TRUE(SSL_CTX_clear_chain_certs(ctx.get()));
+  EXPECT_TRUE(
+      SSL_CTX_build_cert_chain(ctx.get(), SSL_BUILD_CHAIN_FLAG_UNTRUSTED));
+  ASSERT_TRUE(SSL_CTX_get0_chain_certs(ctx.get(), &chain));
+  EXPECT_TRUE(ChainsEqual(chain, {GetLeafRoot().get()}));
+
+  // |SSL_BUILD_CHAIN_FLAG_CHECK| uses the already built cert chain as the trust
+  // store and verifies against it. If we clear the cert chain, there should be
+  // no trust store to compare against if |SSL_BUILD_CHAIN_FLAG_CHECK| is still
+  // set.
+  EXPECT_EQ(SSL_CTX_build_cert_chain(ctx.get(), SSL_BUILD_CHAIN_FLAG_CHECK), 1);
+  ASSERT_TRUE(SSL_CTX_clear_chain_certs(ctx.get()));
+  EXPECT_FALSE(SSL_CTX_build_cert_chain(ctx.get(), SSL_BUILD_CHAIN_FLAG_CHECK));
+  EXPECT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_CERTIFICATE_VERIFY_FAILED));
+
+  // |SSL_BUILD_CHAIN_FLAG_CHECK| and |SSL_BUILD_CHAIN_FLAG_UNTRUSTED| are
+  // mutually exclusive, with |SSL_BUILD_CHAIN_FLAG_CHECK| taking priority.
+  // The result with both set should be the same as only
+  // |SSL_BUILD_CHAIN_FLAG_CHECK| being set.
+  ASSERT_TRUE(SSL_CTX_clear_chain_certs(ctx.get()));
+  EXPECT_FALSE(SSL_CTX_build_cert_chain(
+      ctx.get(), SSL_BUILD_CHAIN_FLAG_CHECK | SSL_BUILD_CHAIN_FLAG_UNTRUSTED));
+  EXPECT_FALSE(SSL_CTX_build_cert_chain(ctx.get(), SSL_BUILD_CHAIN_FLAG_CHECK));
+  // First call with |SSL_BUILD_CHAIN_FLAG_CHECK| existing will fail, second
+  // call with |SSL_BUILD_CHAIN_FLAG_UNTRUSTED| will succeed.
+  EXPECT_FALSE(SSL_CTX_build_cert_chain(
+      ctx.get(), SSL_BUILD_CHAIN_FLAG_CHECK | SSL_BUILD_CHAIN_FLAG_UNTRUSTED));
+  EXPECT_EQ(SSL_CTX_build_cert_chain(ctx.get(), SSL_BUILD_CHAIN_FLAG_UNTRUSTED),
+            1);
+  // |SSL_BUILD_CHAIN_FLAG_CHECK| will succeed since we have a built chain now.
+  EXPECT_EQ(SSL_CTX_build_cert_chain(ctx.get(), SSL_BUILD_CHAIN_FLAG_CHECK), 1);
+
+  // Test that successful verification with |SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR|
+  // does not return 2.
+  ASSERT_TRUE(SSL_CTX_clear_chain_certs(ctx.get()));
+  EXPECT_EQ(
+      SSL_CTX_build_cert_chain(ctx.get(), SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR),
+      1);
+
+  // Test that successful verification with |SSL_BUILD_CHAIN_FLAG_NO_ROOT|
+  // does include the root cert.
+  ASSERT_TRUE(SSL_CTX_clear_chain_certs(ctx.get()));
+  EXPECT_EQ(SSL_CTX_build_cert_chain(ctx.get(), SSL_BUILD_CHAIN_FLAG_NO_ROOT),
+            1);
+  ASSERT_TRUE(SSL_CTX_get0_chain_certs(ctx.get(), &chain));
+  EXPECT_TRUE(ChainsEqual(chain, {}));
+}
+
 TEST_P(SSLVersionTest, SSLWriteRetry) {
   if (is_dtls()) {
     return;
@@ -7730,6 +8314,9 @@ TEST_F(QUICMethodTest, ZeroRTTAccept) {
   ASSERT_TRUE(CreateClientAndServer());
   SSL_set_session(client_.get(), session.get());
 
+  EXPECT_FALSE(SSL_get_client_ciphers(client_.get()));
+  EXPECT_FALSE(SSL_get_client_ciphers(server_.get()));
+
   // The client handshake should return immediately into the early data state.
   ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
   EXPECT_TRUE(SSL_in_early_data(client_.get()));
@@ -7746,6 +8333,10 @@ TEST_F(QUICMethodTest, ZeroRTTAccept) {
   // 1-RTT read keys until client Finished.
   EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
   EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
+  // The client should still have no view of the server's preferences, but the
+  // server should have seen at least one cipher from the client.
+  EXPECT_FALSE(SSL_get_client_ciphers(client_.get()));
+  EXPECT_GT(sk_SSL_CIPHER_num(SSL_get_client_ciphers(server_.get())), (size_t) 0);
 
   // Finish up the client and server handshakes.
   ASSERT_TRUE(CompleteHandshakesForQUIC());
@@ -9930,6 +10521,154 @@ TEST(SSLTest, NameLists) {
   }
 }
 
+class KemKeyShareTest : public testing::TestWithParam<GroupTest> {};
+
+INSTANTIATE_TEST_SUITE_P(KemKeyShareTests, KemKeyShareTest, testing::ValuesIn(kKemGroupTests));
+
+// Test a successful round-trip for KemKeyShare
+TEST_P(KemKeyShareTest, KemKeyShares) {
+  GroupTest t = GetParam();
+  bssl::UniquePtr<SSLKeyShare> client_key_share = bssl::SSLKeyShare::Create(t.group_id);
+  bssl::UniquePtr<SSLKeyShare> server_key_share = bssl::SSLKeyShare::Create(t.group_id);
+  ASSERT_TRUE(client_key_share);
+  ASSERT_TRUE(server_key_share);
+  EXPECT_EQ(t.group_id, client_key_share->GroupID());
+  EXPECT_EQ(t.group_id, server_key_share->GroupID());
+
+  // The client generates its key pair and outputs the public key.
+  // We initialize the CBB with a capacity of 2 as a sanity check to
+  // ensure that the CBB will grow accordingly if necessary.
+  CBB client_out_public_key;
+  EXPECT_TRUE(CBB_init(&client_out_public_key, 2));
+  EXPECT_TRUE(client_key_share->Offer(&client_out_public_key));
+  EXPECT_EQ(CBB_len(&client_out_public_key), t.offer_key_share_size);
+
+  // The server accepts the public key, generates the shared secret,
+  // and outputs the ciphertext. Again, we initialize the CBB with
+  // a capacity of 2 to ensure it will grow accordingly.
+  CBB server_out_public_key;
+  EXPECT_TRUE(CBB_init(&server_out_public_key, 2));
+  uint8_t server_alert = 0;
+  Array<uint8_t> server_secret;
+  const uint8_t *client_out_public_key_data = CBB_data(&client_out_public_key);
+  ASSERT_TRUE(client_out_public_key_data);
+  Span<const uint8_t> client_public_key =
+    MakeConstSpan(client_out_public_key_data, CBB_len(&client_out_public_key));
+  EXPECT_TRUE(server_key_share->Accept(&server_out_public_key, &server_secret,
+                                       &server_alert, client_public_key));
+  EXPECT_EQ(CBB_len(&server_out_public_key), t.accept_key_share_size);
+  EXPECT_EQ(server_secret.size(), t.shared_secret_size);
+  EXPECT_EQ(server_alert, 0);
+
+  // The client accepts the ciphertext and decrypts it to obtain
+  // the shared secret.
+  uint8_t client_alert = 0;
+  Array<uint8_t> client_secret;
+  const uint8_t *server_out_public_key_data = CBB_data(&server_out_public_key);
+  ASSERT_TRUE(server_out_public_key_data);
+  Span<const uint8_t> server_public_key =
+    MakeConstSpan(server_out_public_key_data, CBB_len(&server_out_public_key));
+  EXPECT_TRUE(client_key_share->Finish(&client_secret, &client_alert, server_public_key));
+  EXPECT_EQ(client_secret.size(), t.shared_secret_size);
+  EXPECT_EQ(client_alert, 0);
+
+  // Verify that client and server arrived at the same shared secret.
+  EXPECT_EQ(Bytes(client_secret), Bytes(server_secret));
+
+  CBB_cleanup(&client_out_public_key);
+  CBB_cleanup(&server_out_public_key);
+}
+
+class BadKemKeyShareOfferTest : public testing::TestWithParam<GroupTest> {};
+INSTANTIATE_TEST_SUITE_P(BadKemKeyShareOfferTests, BadKemKeyShareOfferTest, testing::ValuesIn(kKemGroupTests));
+
+// Test failure cases for KEMKeyShare::Offer()
+TEST_P(BadKemKeyShareOfferTest, BadKemKeyShareOffers) {
+  GroupTest t = GetParam();
+  // Basic nullptr checks
+  {
+    bssl::UniquePtr<SSLKeyShare> client_key_share = bssl::SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(client_key_share);
+
+    ASSERT_FALSE(client_key_share->Offer(nullptr));
+  }
+
+  // Offer() should fail if |client_out_public_key| has children
+  {
+    bssl::UniquePtr<SSLKeyShare> client_key_share = bssl::SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(client_key_share);
+    CBB client_out_public_key;
+    CBB child;
+
+    EXPECT_TRUE(CBB_init(&client_out_public_key, 2));
+    client_out_public_key.child = &child;
+    EXPECT_FALSE(client_key_share->Offer(&client_out_public_key));
+    CBB_cleanup(&client_out_public_key);
+  }
+
+  // Offer() should succeed on the first call, but fail on all repeated calls
+  {
+    bssl::UniquePtr<SSLKeyShare> client_key_share = bssl::SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(client_key_share);
+    CBB client_out_public_key;
+
+    EXPECT_TRUE(CBB_init(&client_out_public_key, 2));
+    EXPECT_TRUE(client_key_share->Offer(&client_out_public_key));
+    EXPECT_FALSE(client_key_share->Offer(&client_out_public_key));
+    EXPECT_FALSE(client_key_share->Offer(&client_out_public_key));
+    CBB_cleanup(&client_out_public_key);
+  }
+
+  // Offer() should fail if Accept() was previously called
+  {
+    bssl::UniquePtr<SSLKeyShare> client_key_share = bssl::SSLKeyShare::Create(t.group_id);
+    bssl::UniquePtr<SSLKeyShare> server_key_share = bssl::SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(client_key_share);
+    ASSERT_TRUE(server_key_share);
+    uint8_t server_alert = 0;
+    Array<uint8_t> server_secret;
+    CBB client_out_public_key;
+    CBB server_out_public_key;
+    CBB server_offer_out;
+
+    EXPECT_TRUE(CBB_init(&client_out_public_key, t.offer_key_share_size));
+    EXPECT_TRUE(CBB_init(&server_out_public_key, t.accept_key_share_size));
+    EXPECT_TRUE(CBB_init(&server_offer_out, t.offer_key_share_size));
+
+    EXPECT_TRUE(client_key_share->Offer(&client_out_public_key));
+    const uint8_t *client_public_key_data = CBB_data(&client_out_public_key);
+    Span<const uint8_t> client_public_key =
+      MakeConstSpan(client_public_key_data, CBB_len(&client_out_public_key));
+
+    EXPECT_TRUE(server_key_share->Accept(&server_out_public_key, &server_secret, &server_alert, client_public_key));
+    EXPECT_EQ(server_alert, 0);
+
+    EXPECT_FALSE(server_key_share->Offer(&server_offer_out));
+
+    CBB_cleanup(&client_out_public_key);
+    CBB_cleanup(&server_out_public_key);
+    CBB_cleanup(&server_offer_out);
+  }
+
+  // |client_out_public_key| is properly initialized, some zeros are written
+  // to it so that it records a non-zero length, then its buffer is
+  // invalidated.
+  {
+    bssl::UniquePtr<SSLKeyShare> client_key_share = bssl::SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(client_key_share);
+    CBB client_out_public_key;
+    CBB_init(&client_out_public_key, t.offer_key_share_size);
+    EXPECT_TRUE(CBB_add_zeros(&client_out_public_key, 2));
+    // Keep a pointer to the buffer so we can cleanup correctly
+    uint8_t *buf = client_out_public_key.u.base.buf;
+    client_out_public_key.u.base.buf = nullptr;
+    EXPECT_EQ(CBB_len(&client_out_public_key), (size_t) 2);
+    EXPECT_FALSE(client_key_share->Offer(&client_out_public_key));
+    client_out_public_key.u.base.buf = buf;
+    CBB_cleanup(&client_out_public_key);
+  }
+}
+
 TEST(SSLTest, SessionPrint) {
  static const std::array<std::string, 15> kExpectedTLS13{
       {"SSL-Session:", "    Protocol  :", "    Cipher    : ",
@@ -9977,5 +10716,1099 @@ TEST(SSLTest, SessionPrint) {
   }
 }
 
+class BadKemKeyShareAcceptTest : public testing::TestWithParam<GroupTest> {};
+INSTANTIATE_TEST_SUITE_P(BadKemKeyShareAcceptTests, BadKemKeyShareAcceptTest, testing::ValuesIn(kKemGroupTests));
+
+// Test failure cases for KEMKeyShare::Accept()
+TEST_P(BadKemKeyShareAcceptTest, BadKemKeyShareAccept) {
+  GroupTest t = GetParam();
+  // Basic nullptr checks
+  {
+    bssl::UniquePtr<SSLKeyShare> server_key_share = bssl::SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(server_key_share);
+    uint8_t server_alert = 0;
+    Array<uint8_t> server_secret;
+    Span<const uint8_t> client_public_key;
+    CBB server_out_public_key;
+
+    EXPECT_FALSE(server_key_share->Accept(nullptr, &server_secret,
+                                          &server_alert, client_public_key));
+    EXPECT_EQ(server_alert, SSL_AD_INTERNAL_ERROR);
+    server_alert = 0;
+
+    EXPECT_FALSE(server_key_share->Accept(&server_out_public_key, nullptr,
+                                          &server_alert, client_public_key));
+    EXPECT_EQ(server_alert, SSL_AD_INTERNAL_ERROR);
+    server_alert = 0;
+
+    EXPECT_FALSE(server_key_share->Accept(&server_out_public_key,
+                                          &server_secret, nullptr,
+                                          client_public_key));
+  }
+
+  // |server_out_public_key| is properly initialized, then is assigned a child
+  {
+    bssl::UniquePtr<SSLKeyShare> server_key_share = bssl::SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(server_key_share);
+    uint8_t server_alert = 0;
+    Array<uint8_t> server_secret;
+    Span<const uint8_t> client_public_key;
+    CBB server_out_public_key;
+    CBB child;
+
+    CBB_init(&server_out_public_key, t.accept_key_share_size);
+    server_out_public_key.child = &child;
+    EXPECT_FALSE(server_key_share->Accept(&server_out_public_key,
+                                          &server_secret, &server_alert,
+                                          client_public_key));
+    EXPECT_EQ(server_alert, SSL_AD_INTERNAL_ERROR);
+    CBB_cleanup(&server_out_public_key);
+  }
+
+  // |server_out_public_key| is properly initialized with CBB_init,
+  // some zeros are written to it so that it records a non-zero length,
+  // then its buffer is invalidated.
+  {
+    bssl::UniquePtr<SSLKeyShare> server_key_share = bssl::SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(server_key_share);
+    uint8_t server_alert = 0;
+    Array<uint8_t> server_secret;
+    Span<const uint8_t> client_public_key;
+    CBB server_out_public_key;
+
+    CBB_init(&server_out_public_key, t.accept_key_share_size);
+    EXPECT_TRUE(CBB_add_zeros(&server_out_public_key, 2));
+    // Keep a pointer to the buffer so we can cleanup correctly
+    uint8_t *buf = server_out_public_key.u.base.buf;
+    server_out_public_key.u.base.buf = nullptr;
+    EXPECT_EQ(CBB_len(&server_out_public_key), (size_t) 2);
+    EXPECT_FALSE(server_key_share->Accept(&server_out_public_key,
+                                          &server_secret, &server_alert,
+                                          client_public_key));
+    EXPECT_EQ(server_alert, SSL_AD_INTERNAL_ERROR);
+    server_out_public_key.u.base.buf = buf;
+    CBB_cleanup(&server_out_public_key);
+  }
+
+  // KemKeyShare::Accept() should fail if KemKeyShare::Offer() has been
+  // previously called by that peer. The server should have no reason to
+  // call Offer(); enforcing this case will guard against that type of bug.
+  {
+    bssl::UniquePtr<SSLKeyShare> server_key_share = bssl::SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(server_key_share);
+    uint8_t server_alert = 0;
+    Array<uint8_t> server_secret;
+    CBB server_out_public_key;
+    CBB server_offer_out;
+
+    EXPECT_TRUE(CBB_init(&server_out_public_key, t.accept_key_share_size));
+    EXPECT_TRUE(CBB_init(&server_offer_out, t.offer_key_share_size));
+    EXPECT_TRUE(server_key_share->Offer(&server_offer_out));
+    const uint8_t *server_offer_out_data = CBB_data(&server_offer_out);
+    ASSERT_TRUE(server_offer_out_data);
+    Span<const uint8_t> server_offered_pk =
+      MakeConstSpan(server_offer_out_data, CBB_len(&server_offer_out));
+    EXPECT_FALSE(server_key_share->Accept(&server_out_public_key,
+                                          &server_secret, &server_alert,
+                                          server_offered_pk));
+    EXPECT_EQ(server_alert, SSL_AD_INTERNAL_ERROR);
+    CBB_cleanup(&server_out_public_key);
+    CBB_cleanup(&server_offer_out);
+  }
+
+  // |client_public_key| is initialized with too little data
+  {
+    bssl::UniquePtr<SSLKeyShare> server_key_share = bssl::SSLKeyShare::Create(t.group_id);
+    bssl::UniquePtr<SSLKeyShare> client_key_share = bssl::SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(server_key_share);
+    ASSERT_TRUE(client_key_share);
+    Span<const uint8_t> client_public_key;
+    Array<uint8_t> server_secret;
+    CBB server_out_public_key;
+    CBB client_out_public_key;
+    uint8_t server_alert = 0;
+
+    // Generate a valid |client_public_key|, then truncate the last byte
+    EXPECT_TRUE(CBB_init(&client_out_public_key, 64));
+    EXPECT_TRUE(client_key_share->Offer(&client_out_public_key));
+    const uint8_t *client_out_public_key_data = CBB_data(&client_out_public_key);
+    ASSERT_TRUE(client_out_public_key_data);
+    client_public_key = MakeConstSpan(client_out_public_key_data,
+                                      CBB_len(&client_out_public_key) - 1);
+
+    EXPECT_TRUE(CBB_init(&server_out_public_key, t.accept_key_share_size));
+    EXPECT_FALSE(server_key_share->Accept(&server_out_public_key,
+                                          &server_secret, &server_alert,
+                                          client_public_key));
+    EXPECT_EQ(server_alert, SSL_AD_DECODE_ERROR);
+    CBB_cleanup(&server_out_public_key);
+    CBB_cleanup(&client_out_public_key);
+  }
+
+  // |client_public_key| is initialized with too much data
+  {
+    bssl::UniquePtr<SSLKeyShare> server_key_share = bssl::SSLKeyShare::Create(t.group_id);
+    bssl::UniquePtr<SSLKeyShare> client_key_share = bssl::SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(server_key_share);
+    ASSERT_TRUE(client_key_share);
+    Span<const uint8_t> client_public_key;
+    Array<uint8_t> server_secret;
+    CBB server_out_public_key;
+    CBB client_out_public_key;
+    uint8_t server_alert = 0;
+
+    // Generate a valid |client_public_key|, then append a byte
+    EXPECT_TRUE(CBB_init(&client_out_public_key, 64));
+    EXPECT_TRUE(client_key_share->Offer(&client_out_public_key));
+    EXPECT_TRUE(CBB_add_zeros(&client_out_public_key, 1));
+    const uint8_t *client_out_public_key_data = CBB_data(&client_out_public_key);
+    ASSERT_TRUE(client_out_public_key_data);
+    client_public_key = MakeConstSpan(client_out_public_key_data,
+                                      CBB_len(&client_out_public_key));
+
+    EXPECT_TRUE(CBB_init(&server_out_public_key, t.accept_key_share_size));
+    EXPECT_FALSE(server_key_share->Accept(&server_out_public_key,
+                                          &server_secret, &server_alert,
+                                          client_public_key));
+    EXPECT_EQ(server_alert, SSL_AD_DECODE_ERROR);
+    CBB_cleanup(&server_out_public_key);
+    CBB_cleanup(&client_out_public_key);
+  }
+
+  // |client_public_key| has been initialized but is empty
+  {
+    bssl::UniquePtr<SSLKeyShare> server_key_share = bssl::SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(server_key_share);
+    uint8_t server_alert = 0;
+    Array<uint8_t> server_secret;
+    CBB server_out_public_key;
+
+    EXPECT_TRUE(CBB_init(&server_out_public_key, t.accept_key_share_size));
+    const uint8_t empty_client_public_key_buf[] = {0};
+    Span<const uint8_t> client_public_key =
+      MakeConstSpan(empty_client_public_key_buf, 0);
+    EXPECT_FALSE(server_key_share->Accept(&server_out_public_key,
+                                          &server_secret, &server_alert,
+                                          client_public_key));
+    EXPECT_EQ(server_alert, SSL_AD_DECODE_ERROR);
+    CBB_cleanup(&server_out_public_key);
+  }
+
+  // |client_public_key| is initialized with key material that is the correct
+  // length, but is not a valid key. In this case, the basic sanity checks
+  // will not reject the key because it has been initialized properly with
+  // the correct amount of data. The KEM encapsulate function is written
+  // so that it will return success if given an invalid key of the correct
+  // length. Therefore, the call to server_key_share->Accept() will succeed,
+  // but ultimately, the ciphertext (server's public key) will be garbage,
+  // the server and client will end up with different secrets, and the
+  // overall handshake will eventually fail.
+  {
+    bssl::UniquePtr<SSLKeyShare> server_key_share = bssl::SSLKeyShare::Create(t.group_id);
+    bssl::UniquePtr<SSLKeyShare> client_key_share = bssl::SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(server_key_share);
+    ASSERT_TRUE(client_key_share);
+    uint8_t server_alert = 0;
+    uint8_t client_alert = 0;
+    Array<uint8_t> server_secret;
+    Array<uint8_t> client_secret;
+    CBB server_out_public_key;
+    CBB client_out_public_key;
+
+    // Start by having the client Offer() its public key
+    EXPECT_TRUE(CBB_init(&client_out_public_key, t.offer_key_share_size));
+    EXPECT_TRUE(client_key_share->Offer(&client_out_public_key));
+
+    // Then invalidate it by negating the bits in the first byte
+    uint8_t *invalid_client_public_key_buf =
+      (uint8_t *)OPENSSL_malloc(t.offer_key_share_size);
+    ASSERT_TRUE(invalid_client_public_key_buf);
+    const uint8_t *client_out_public_key_data = CBB_data(&client_out_public_key);
+    ASSERT_TRUE(client_out_public_key_data);
+    OPENSSL_memcpy(invalid_client_public_key_buf, client_out_public_key_data,
+                   t.offer_key_share_size);
+    invalid_client_public_key_buf[0] = ~invalid_client_public_key_buf[0];
+    Span<const uint8_t> client_public_key =
+      MakeConstSpan(invalid_client_public_key_buf, t.offer_key_share_size);
+
+    // When the server calls Accept() with the invalid public key, it will
+    // return success
+    EXPECT_TRUE(CBB_init(&server_out_public_key, t.accept_key_share_size));
+    EXPECT_TRUE(server_key_share->Accept(&server_out_public_key,
+                                         &server_secret, &server_alert,
+                                         client_public_key));
+
+    // And when the client calls Finish(), it will also return success
+    const uint8_t *server_out_public_key_data = CBB_data(&server_out_public_key);
+    ASSERT_TRUE(server_out_public_key_data);
+    Span<const uint8_t> server_public_key =
+      MakeConstSpan(server_out_public_key_data, CBB_len(&server_out_public_key));
+    EXPECT_TRUE(client_key_share->Finish(&client_secret, &client_alert,
+                                         server_public_key));
+
+    // The shared secrets are of the correct length...
+    EXPECT_EQ(client_secret.size(), t.shared_secret_size);
+    EXPECT_EQ(server_secret.size(), t.shared_secret_size);
+
+    // ... but they are not equal
+    EXPECT_NE(Bytes(client_secret), Bytes(server_secret));
+
+    EXPECT_EQ(server_alert, 0);
+    EXPECT_EQ(client_alert, 0);
+    OPENSSL_free(invalid_client_public_key_buf);
+    CBB_cleanup(&server_out_public_key);
+    CBB_cleanup(&client_out_public_key);
+  }
+}
+
+class BadKemKeyShareFinishTest : public testing::TestWithParam<GroupTest> {};
+INSTANTIATE_TEST_SUITE_P(BadKemKeyShareFinishTests, BadKemKeyShareFinishTest, testing::ValuesIn(kKemGroupTests));
+
+TEST_P(BadKemKeyShareFinishTest, BadKemKeyShareFinish) {
+  GroupTest t = GetParam();
+
+  // Basic nullptr checks
+  {
+    bssl::UniquePtr<SSLKeyShare> client_key_share = bssl::SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(client_key_share);
+    Span<const uint8_t> server_public_key;
+    Array<uint8_t> client_secret;
+    uint8_t client_alert = 0;
+
+    EXPECT_FALSE(client_key_share->Finish(nullptr, &client_alert,
+                                         server_public_key));
+    EXPECT_EQ(client_alert, SSL_AD_INTERNAL_ERROR);
+    client_alert = 0;
+
+    EXPECT_FALSE(client_key_share->Finish(&client_secret, nullptr,
+                                         server_public_key));
+  }
+
+  // A call to Finish() should fail if Offer() was not called previously
+  {
+    bssl::UniquePtr<SSLKeyShare> client_key_share = bssl::SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(client_key_share);
+    Span<const uint8_t> server_public_key;
+    Array<uint8_t> client_secret;
+    uint8_t client_alert = 0;
+
+    EXPECT_FALSE(client_key_share->Finish(&client_secret, &client_alert,
+                                         server_public_key));
+    EXPECT_EQ(client_alert, SSL_AD_INTERNAL_ERROR);
+  }
+
+  // Set up the client and server states for the remaining tests
+  bssl::UniquePtr<SSLKeyShare> server_key_share = bssl::SSLKeyShare::Create(t.group_id);
+  bssl::UniquePtr<SSLKeyShare> client_key_share = bssl::SSLKeyShare::Create(t.group_id);
+  ASSERT_TRUE(server_key_share);
+  ASSERT_TRUE(client_key_share);
+  CBB client_out_public_key;
+  CBB server_out_public_key;
+  Array<uint8_t> server_secret;
+  Array<uint8_t> client_secret;
+  uint8_t client_alert = 0;
+  uint8_t server_alert = 0;
+  Span<const uint8_t> client_public_key;
+  Span<const uint8_t> server_public_key;
+
+  EXPECT_TRUE(CBB_init(&client_out_public_key, t.offer_key_share_size));
+  EXPECT_TRUE(CBB_init(&server_out_public_key, t.accept_key_share_size));
+  EXPECT_TRUE(client_key_share->Offer(&client_out_public_key));
+  const uint8_t *client_out_public_key_data = CBB_data(&client_out_public_key);
+  ASSERT_TRUE(client_out_public_key_data);
+  client_public_key = MakeConstSpan(client_out_public_key_data,
+                                    CBB_len(&client_out_public_key));
+  EXPECT_TRUE(server_key_share->Accept(&server_out_public_key, &server_secret,
+                                      &server_alert, client_public_key));
+  EXPECT_EQ(server_alert, 0);
+
+  // |server_public_key| has been initialized with too little data. Here, we
+  // initialize |server_public_key| with a fragment of an otherwise valid
+  // key. However, it doesn't matter if it is a fragment of a valid key, or
+  // complete garbage, the client will reject it all the same.
+  {
+    const uint8_t *server_out_public_key_data = CBB_data(&server_out_public_key);
+    ASSERT_TRUE(server_out_public_key_data);
+    server_public_key = MakeConstSpan(server_out_public_key_data, t.accept_key_share_size - 1);
+    EXPECT_FALSE(client_key_share->Finish(&client_secret, &client_alert, server_public_key));
+    EXPECT_EQ(client_alert, SSL_AD_INTERNAL_ERROR);
+    client_alert = 0;
+  }
+
+  // |server_public_key| has been initialized with too much data. Here, we
+  // initialize |server_public_key| with a valid public key, and over-read
+  // the buffer to append a random byte. However, it doesn't matter if it is a
+  // valid key with nonsense appended, or complete garbage, the client will
+  // reject it all the same.
+  {
+    const uint8_t *server_out_public_key_data = CBB_data(&server_out_public_key);
+    ASSERT_TRUE(server_out_public_key_data);
+    server_public_key = MakeConstSpan(server_out_public_key_data, t.accept_key_share_size + 1);
+    EXPECT_FALSE(client_key_share->Finish(&client_secret, &client_alert, server_public_key));
+    EXPECT_EQ(client_alert, SSL_AD_INTERNAL_ERROR);
+    client_alert = 0;
+  }
+
+  // |server_public_key| is initialized with an invalid key of the correct
+  // length. The decapsulation operations will succeed; however, the resulting
+  // shared secret will be garbage, and eventually the overall handshake
+  // would fail because the client secret does not match the server secret.
+  {
+    // The server's public key was already correctly generated previously in
+    // a call to Accept(). Here we invalidate it by negating the first byte.
+    uint8_t *invalid_server_public_key_buf = (uint8_t *) OPENSSL_malloc(t.accept_key_share_size);
+    ASSERT_TRUE(invalid_server_public_key_buf);
+    const uint8_t *server_out_public_key_data = CBB_data(&server_out_public_key);
+    ASSERT_TRUE(server_out_public_key_data);
+    OPENSSL_memcpy(invalid_server_public_key_buf, server_out_public_key_data, t.accept_key_share_size);
+    invalid_server_public_key_buf[0] = ~invalid_server_public_key_buf[0];
+
+    // The call to Finish() will return success
+    server_public_key =
+     MakeConstSpan(invalid_server_public_key_buf, t.accept_key_share_size);
+    EXPECT_TRUE(client_key_share->Finish(&client_secret, &client_alert, server_public_key));
+    EXPECT_EQ(client_alert, 0);
+
+    // The shared secrets are of the correct length...
+    EXPECT_EQ(client_secret.size(), t.shared_secret_size);
+    EXPECT_EQ(server_secret.size(), t.shared_secret_size);
+
+    // ... but they are not equal
+    EXPECT_NE(Bytes(client_secret), Bytes(server_secret));
+
+
+    OPENSSL_free(invalid_server_public_key_buf);
+  }
+
+  CBB_cleanup(&server_out_public_key);
+  CBB_cleanup(&client_out_public_key);
+}
+
+class HybridKeyShareTest : public testing::TestWithParam<HybridGroupTest> {};
+INSTANTIATE_TEST_SUITE_P(HybridKeyShareTests, HybridKeyShareTest, testing::ValuesIn(kHybridGroupTests));
+
+// Test a successful round-trip for HybridKeyShare
+TEST_P(HybridKeyShareTest, HybridKeyShares) {
+  HybridGroupTest t = GetParam();
+
+  // Set up client and server with test case parameters
+  bssl::UniquePtr<SSLKeyShare> client_key_share = SSLKeyShare::Create(t.group_id);
+  bssl::UniquePtr<SSLKeyShare> server_key_share = SSLKeyShare::Create(t.group_id);
+  ASSERT_TRUE(client_key_share);
+  ASSERT_TRUE(server_key_share);
+  EXPECT_EQ(t.group_id, client_key_share->GroupID());
+  EXPECT_EQ(t.group_id, server_key_share->GroupID());
+
+  // The client generates its key pair and outputs the public key.
+  // We initialize the CBB with a capacity of 2 as a simple sanity check
+  // to ensure that the CBB will grow accordingly when necessary.
+  CBB client_out_public_key;
+  EXPECT_TRUE(CBB_init(&client_out_public_key, 2));
+  EXPECT_TRUE(client_key_share->Offer(&client_out_public_key));
+  EXPECT_EQ(CBB_len(&client_out_public_key), t.offer_key_share_size);
+
+  // The server accepts the public key, generates the shared secret,
+  // and outputs the ciphertext. Again, we initialize the CBB with
+  // a capacity of 2 to ensure it will grow accordingly.
+  CBB server_out_public_key;
+  EXPECT_TRUE(CBB_init(&server_out_public_key, 2));
+  uint8_t server_alert = 0;
+  Array<uint8_t> server_secret;
+  const uint8_t *client_out_public_key_data = CBB_data(&client_out_public_key);
+  ASSERT_TRUE(client_out_public_key_data);
+  Span<const uint8_t> client_public_key =
+    MakeConstSpan(client_out_public_key_data, CBB_len(&client_out_public_key));
+  EXPECT_TRUE(server_key_share->Accept(&server_out_public_key, &server_secret,
+                                       &server_alert, client_public_key));
+  EXPECT_EQ(CBB_len(&server_out_public_key), t.accept_key_share_size);
+  EXPECT_EQ(server_alert, 0);
+
+  // The client accepts the server's public key and decrypts it to obtain
+  // the shared secret.
+  uint8_t client_alert = 0;
+  Array<uint8_t> client_secret;
+  const uint8_t *server_out_public_key_data = CBB_data(&server_out_public_key);
+  ASSERT_TRUE(server_out_public_key_data);
+  Span<const uint8_t> server_public_key = MakeConstSpan(
+    server_out_public_key_data, CBB_len(&server_out_public_key));
+  EXPECT_TRUE(client_key_share->Finish(&client_secret, &client_alert, server_public_key));
+  EXPECT_EQ(client_alert, 0);
+
+  // Verify that client and server arrived at the same shared secret.
+  EXPECT_EQ(server_secret.size(), t.shared_secret_size);
+  EXPECT_EQ(client_secret.size(), t.shared_secret_size);
+  EXPECT_EQ(Bytes(client_secret), Bytes(server_secret));
+
+  CBB_cleanup(&client_out_public_key);
+  CBB_cleanup(&server_out_public_key);
+
+}
+
+class BadHybridKeyShareOfferTest : public testing::TestWithParam<HybridGroupTest> {};
+INSTANTIATE_TEST_SUITE_P(BadHybridKeyShareOfferTests, BadHybridKeyShareOfferTest, testing::ValuesIn(kHybridGroupTests));
+
+// Test failure cases for HybridKeyShare::Offer()
+TEST_P(BadHybridKeyShareOfferTest, BadHybridKeyShareOffers) {
+  HybridGroupTest t = GetParam();
+  // Basic nullptr check
+  {
+    bssl::UniquePtr<SSLKeyShare> client_key_share = SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(client_key_share);
+
+    ASSERT_FALSE(client_key_share->Offer(nullptr));
+  }
+
+  // Offer() should fail if |client_out| has not been initialized at all.
+  {
+    bssl::UniquePtr<SSLKeyShare> client_key_share = SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(client_key_share);
+    CBB client_out_public_key;
+    CBB_zero(&client_out_public_key);
+
+    EXPECT_FALSE(client_key_share->Offer(&client_out_public_key));
+  }
+
+  // Offer() should fail if the CBB has children
+  {
+    bssl::UniquePtr<SSLKeyShare> client_key_share = SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(client_key_share);
+    CBB client_out_public_key;
+    EXPECT_TRUE(CBB_init(&client_out_public_key, 64));
+    CBB child;
+
+    client_out_public_key.child = &child;
+    EXPECT_FALSE(client_key_share->Offer(&client_out_public_key));
+    CBB_cleanup(&client_out_public_key);
+  }
+
+  // Offer() should succeed on the first call, but fail on all repeated calls
+  {
+    bssl::UniquePtr<SSLKeyShare> client_key_share = bssl::SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(client_key_share);
+    CBB client_out_public_key;
+
+    EXPECT_TRUE(CBB_init(&client_out_public_key, 2));
+    EXPECT_TRUE(client_key_share->Offer(&client_out_public_key));
+    EXPECT_FALSE(client_key_share->Offer(&client_out_public_key));
+    EXPECT_FALSE(client_key_share->Offer(&client_out_public_key));
+    CBB_cleanup(&client_out_public_key);
+  }
+
+  // |client_out| is properly initialized, some zeros are written
+  // to it so that it records a non-zero length, then its buffer is
+  // invalidated.
+  {
+    bssl::UniquePtr<SSLKeyShare> client_key_share = SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(client_key_share);
+    CBB client_out_public_key;
+
+    CBB_init(&client_out_public_key, t.offer_key_share_size);
+    EXPECT_TRUE(CBB_add_zeros(&client_out_public_key, 2));
+    // Keep a pointer to the buffer so we can cleanup correctly
+    uint8_t *buf = client_out_public_key.u.base.buf;
+    client_out_public_key.u.base.buf = nullptr;
+    EXPECT_EQ(CBB_len(&client_out_public_key), (size_t) 2);
+    EXPECT_FALSE(client_key_share->Offer(&client_out_public_key));
+    client_out_public_key.u.base.buf = buf;
+    CBB_cleanup(&client_out_public_key);
+  }
+}
+
+class BadHybridKeyShareAcceptTest : public testing::TestWithParam<HybridGroupTest> {};
+INSTANTIATE_TEST_SUITE_P(BadHybridKeyShareAcceptTests, BadHybridKeyShareAcceptTest, testing::ValuesIn(kHybridGroupTests));
+
+// Test failure cases for HybridKeyShare::Accept()
+TEST_P(BadHybridKeyShareAcceptTest, BadHybridKeyShareAccept) {
+  HybridGroupTest t = GetParam();
+  // Basic nullptr checks
+  {
+    bssl::UniquePtr<SSLKeyShare> server_key_share = SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(server_key_share);
+    Span<const uint8_t> client_public_key;
+    Array<uint8_t> server_secret;
+    CBB server_out_public_key;
+    uint8_t server_alert = 0;
+
+    EXPECT_FALSE(server_key_share->Accept(nullptr, &server_secret,
+                                          &server_alert, client_public_key));
+    EXPECT_EQ(server_alert, SSL_AD_INTERNAL_ERROR);
+    server_alert = 0;
+
+    EXPECT_FALSE(server_key_share->Accept(&server_out_public_key, nullptr,
+                                          &server_alert, client_public_key));
+    EXPECT_EQ(server_alert, SSL_AD_INTERNAL_ERROR);
+    server_alert = 0;
+
+    EXPECT_FALSE(server_key_share->Accept(&server_out_public_key,
+                                          &server_secret, nullptr,
+                                          client_public_key));
+  }
+
+  // |server_out_public_key| has not been initialized
+  {
+    bssl::UniquePtr<SSLKeyShare> server_key_share = SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(server_key_share);
+    Span<const uint8_t> client_public_key;
+    Array<uint8_t> server_secret;
+    CBB server_out_public_key;
+    uint8_t server_alert = 0;
+
+    EXPECT_FALSE(server_key_share->Accept(&server_out_public_key,
+                                          &server_secret, &server_alert,
+                                          client_public_key));
+    EXPECT_EQ(server_alert, SSL_AD_INTERNAL_ERROR);
+  }
+
+  // |server_out_public_key| is properly initialized, then is assigned a child
+  {
+    bssl::UniquePtr<SSLKeyShare> server_key_share = SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(server_key_share);
+    Span<const uint8_t> client_public_key;
+    Array<uint8_t> server_secret;
+    CBB server_out_public_key;
+    uint8_t server_alert = 0;
+    CBB child;
+
+    CBB_init(&server_out_public_key, 64);
+    server_out_public_key.child = &child;
+    EXPECT_FALSE(server_key_share->Accept(&server_out_public_key,
+                                          &server_secret, &server_alert,
+                                          client_public_key));
+    EXPECT_EQ(server_alert, SSL_AD_INTERNAL_ERROR);
+    CBB_cleanup(&server_out_public_key);
+  }
+
+  // |server_out_public_key| is properly initialized with CBB_init,
+  // some zeros are written to it so that it records a non-zero length,
+  // then its buffer is invalidated.
+  {
+    bssl::UniquePtr<SSLKeyShare> server_key_share = SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(server_key_share);
+    Span<const uint8_t> client_public_key;
+    Array<uint8_t> server_secret;
+    CBB server_out_public_key;
+    uint8_t server_alert = 0;
+
+    CBB_init(&server_out_public_key, t.accept_key_share_size);
+    EXPECT_TRUE(CBB_add_zeros(&server_out_public_key, 2));
+    // Keep a pointer to the buffer so we can cleanup correctly
+    uint8_t *buf = server_out_public_key.u.base.buf;
+    server_out_public_key.u.base.buf = nullptr;
+    EXPECT_EQ(CBB_len(&server_out_public_key), (size_t) 2);
+    EXPECT_FALSE(server_key_share->Accept(&server_out_public_key,
+                                          &server_secret, &server_alert,
+                                          client_public_key));
+    EXPECT_EQ(server_alert, SSL_AD_INTERNAL_ERROR);
+    server_out_public_key.u.base.buf = buf;
+    CBB_cleanup(&server_out_public_key);
+  }
+
+  // |client_public_key| has not been initialized with anything
+  {
+    bssl::UniquePtr<SSLKeyShare> server_key_share = SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(server_key_share);
+    Span<const uint8_t> client_public_key;
+    Array<uint8_t> server_secret;
+    CBB server_out_public_key;
+    uint8_t server_alert = 0;
+
+    EXPECT_TRUE(CBB_init(&server_out_public_key, 64));
+    EXPECT_FALSE(server_key_share->Accept(&server_out_public_key,
+                                          &server_secret, &server_alert,
+                                          client_public_key));
+    EXPECT_EQ(server_alert, SSL_AD_INTERNAL_ERROR);
+    CBB_cleanup(&server_out_public_key);
+  }
+
+  // |client_public_key| has been initialized but is empty
+  {
+    bssl::UniquePtr<SSLKeyShare> server_key_share = SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(server_key_share);
+    Array<uint8_t> server_secret;
+    CBB server_out_public_key;
+    uint8_t server_alert = 0;
+
+    const uint8_t empty_buffer[1] = {0}; // Arrays must have at least 1 element to compile on Windows
+    Span<const uint8_t> client_public_key = MakeConstSpan(empty_buffer, 0);
+
+    EXPECT_TRUE(CBB_init(&server_out_public_key, 64));
+    EXPECT_FALSE(server_key_share->Accept(&server_out_public_key,
+                                          &server_secret, &server_alert,
+                                          client_public_key));
+    EXPECT_EQ(server_alert, SSL_AD_DECODE_ERROR);
+    CBB_cleanup(&server_out_public_key);
+  }
+
+  // |client_public_key| is initialized with too little data
+  {
+    bssl::UniquePtr<SSLKeyShare> server_key_share = SSLKeyShare::Create(t.group_id);
+    bssl::UniquePtr<SSLKeyShare> client_key_share = SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(server_key_share);
+    ASSERT_TRUE(client_key_share);
+    Span<const uint8_t> client_public_key;
+    Array<uint8_t> server_secret;
+    CBB server_out_public_key;
+    CBB client_out_public_key;
+    uint8_t server_alert = 0;
+
+    // Generate a valid |client_public_key|, then truncate the last byte
+    EXPECT_TRUE(CBB_init(&client_out_public_key, 64));
+    EXPECT_TRUE(client_key_share->Offer(&client_out_public_key));
+    const uint8_t *client_out_public_key_data = CBB_data(&client_out_public_key);
+    ASSERT_TRUE(client_out_public_key_data);
+    client_public_key = MakeConstSpan(client_out_public_key_data,
+                                      CBB_len(&client_out_public_key) - 1);
+
+    EXPECT_TRUE(CBB_init(&server_out_public_key, 64));
+    EXPECT_FALSE(server_key_share->Accept(&server_out_public_key,
+                                          &server_secret, &server_alert,
+                                          client_public_key));
+    EXPECT_EQ(server_alert, SSL_AD_DECODE_ERROR);
+    CBB_cleanup(&server_out_public_key);
+    CBB_cleanup(&client_out_public_key);
+  }
+
+  // |client_public_key| is initialized with too much data
+  {
+    bssl::UniquePtr<SSLKeyShare> server_key_share = SSLKeyShare::Create(t.group_id);
+    bssl::UniquePtr<SSLKeyShare> client_key_share = SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(server_key_share);
+    ASSERT_TRUE(client_key_share);
+    Span<const uint8_t> client_public_key;
+    Array<uint8_t> server_secret;
+    CBB server_out_public_key;
+    CBB client_out_public_key;
+    uint8_t server_alert = 0;
+
+    // Generate a valid |client_public_key|, then append a byte
+    EXPECT_TRUE(CBB_init(&client_out_public_key, 64));
+    EXPECT_TRUE(client_key_share->Offer(&client_out_public_key));
+    EXPECT_TRUE(CBB_add_zeros(&client_out_public_key, 1));
+    const uint8_t *client_out_public_key_data = CBB_data(&client_out_public_key);
+    ASSERT_TRUE(client_out_public_key_data);
+    client_public_key = MakeConstSpan(client_out_public_key_data,
+                                      CBB_len(&client_out_public_key));
+
+    EXPECT_TRUE(CBB_init(&server_out_public_key, 64));
+    EXPECT_FALSE(server_key_share->Accept(&server_out_public_key,
+                                          &server_secret, &server_alert,
+                                          client_public_key));
+    EXPECT_EQ(server_alert, SSL_AD_DECODE_ERROR);
+    CBB_cleanup(&server_out_public_key);
+    CBB_cleanup(&client_out_public_key);
+  }
+
+  // |client_public_key| is initialized with key material that is the correct
+  // length, but is not a valid key. We do this iteratively over each
+  // component group that makes up the hybrid group so that we can test
+  // all Accept() code paths in the hybrid key share.
+  {
+    size_t client_public_key_index = 0;
+    for (size_t i = 0; i < NUM_HYBRID_COMPONENTS; i++) {
+      // We'll need the hybrid group to retrieve the component share sizes
+      const HybridGroup *hybrid_group = GetHybridGroup(t.group_id);
+      ASSERT_TRUE(hybrid_group != NULL);
+
+      // Create the hybrid key shares and generate a valid |client_public_key|
+      bssl::UniquePtr<SSLKeyShare> client_key_share = SSLKeyShare::Create(t.group_id);
+      bssl::UniquePtr<SSLKeyShare> server_key_share = SSLKeyShare::Create(t.group_id);
+      ASSERT_TRUE(client_key_share);
+      ASSERT_TRUE(server_key_share);
+
+      CBB client_out_public_key;
+      CBB server_out_public_key;
+      EXPECT_TRUE(CBB_init(&client_out_public_key, 64));
+      EXPECT_TRUE(CBB_init(&server_out_public_key, 64));
+
+      Array<uint8_t> server_secret;
+      Array<uint8_t> client_secret;
+      uint8_t client_alert = 0;
+      uint8_t server_alert = 0;
+
+      EXPECT_TRUE(client_key_share->Offer(&client_out_public_key));
+
+      // For the current component group, overwrite the bytes of that
+      // component's key share (and *only* that component's key share) with
+      // arbitrary nonsense; leave all other sections of the key share alone.
+      // This ensures:
+      // 1. The overall size of the hybrid key share is still correct
+      // 2. The sizes of the component key shares are still correct; in other
+      //    words, the component key shares are still partitioned correctly
+      //    and will be parsed individually, as intended
+      // 2. The key share associated with the current component group is invalid
+      // 3. All other component key shares are still valid
+      //
+      // (We have to do this in a roundabout way with malloc'ing another
+      // buffer because CBBs cannot be arbitrarily edited.)
+      size_t client_out_public_key_len = CBB_len(&client_out_public_key);
+      const uint8_t *client_out_public_key_data = CBB_data(&client_out_public_key);
+      ASSERT_TRUE(client_out_public_key_data);
+      uint8_t *buffer = (uint8_t *)OPENSSL_malloc(client_out_public_key_len);
+      ASSERT_TRUE(buffer);
+      OPENSSL_memcpy(buffer, client_out_public_key_data, client_out_public_key_len);
+
+      for (size_t j = client_public_key_index; j < t.offer_share_sizes[i]; j++) {
+        buffer[j] = 7; // 7 is arbitrary
+      }
+      Span<const uint8_t> client_public_key =
+        MakeConstSpan(buffer, client_out_public_key_len);
+
+      // The server will Accept() the invalid public key
+      bool accepted = server_key_share->
+        Accept(&server_out_public_key, &server_secret, &server_alert, client_public_key);
+
+      if (accepted) {
+        // The Accept() functionality for X25519 and all KEM key shares is
+        // written so that, even if the given public key is invalid, it will
+        // return success, output its own public key, and continue with the
+        // handshake. (This is the intended functionality.) So, in this
+        // case, we assert that the component group was one of those groups,
+        // continue with the handshake, then verify that the client and
+        // server ultimately arrived at different shared secrets.
+        EXPECT_TRUE(
+          hybrid_group->component_group_ids[i] == SSL_GROUP_KYBER768_R3 ||
+          hybrid_group->component_group_ids[i] == SSL_GROUP_X25519
+        );
+
+        // The handshake will complete without error...
+        EXPECT_EQ(server_alert, 0);
+        EXPECT_EQ(server_secret.size(), t.shared_secret_size);
+
+        Span<const uint8_t> server_public_key = MakeConstSpan(
+          CBB_data(&server_out_public_key), CBB_len(&server_out_public_key));
+        EXPECT_TRUE(client_key_share->Finish(&client_secret, &client_alert, server_public_key));
+        EXPECT_EQ(client_secret.size(), t.shared_secret_size);
+        EXPECT_EQ(client_alert, 0);
+
+        // ...but client and server will arrive at different shared secrets
+        EXPECT_NE(Bytes(client_secret), Bytes(server_secret));
+
+      } else {
+        // The Accept() functionality for the NIST curves (e.g. P256) is
+        // written so that it will return failure if the key share is invalid.
+        EXPECT_EQ(hybrid_group->component_group_ids[i], SSL_GROUP_SECP256R1);
+        EXPECT_EQ(server_alert, SSL_AD_DECODE_ERROR);
+      }
+
+      client_public_key_index += t.offer_share_sizes[i];
+      CBB_cleanup(&client_out_public_key);
+      CBB_cleanup(&server_out_public_key);
+      OPENSSL_free(buffer);
+    }
+  }
+}
+
+
+class BadHybridKeyShareFinishTest : public testing::TestWithParam<HybridGroupTest> {};
+INSTANTIATE_TEST_SUITE_P(BadHybridKeyShareFinishTests, BadHybridKeyShareFinishTest, testing::ValuesIn(kHybridGroupTests));
+
+// Test failure cases for HybridKeyShare::Finish()
+TEST_P(BadHybridKeyShareFinishTest, BadHybridKeyShareFinish) {
+  HybridGroupTest t = GetParam();
+  // Basic nullptr checks
+  {
+    bssl::UniquePtr<SSLKeyShare> client_key_share = SSLKeyShare::Create(t.group_id);
+    Span<const uint8_t> server_public_key;
+    Array<uint8_t> client_secret;
+    uint8_t client_alert = 0;
+    CBB client_public_key_out;
+    CBB_init(&client_public_key_out, 2);
+    EXPECT_TRUE(client_key_share->Offer(&client_public_key_out));
+
+    EXPECT_FALSE(client_key_share->Finish(nullptr, &client_alert, server_public_key));
+    EXPECT_EQ(client_alert, SSL_AD_INTERNAL_ERROR);
+    client_alert = 0;
+
+    EXPECT_FALSE(client_key_share->Finish(&client_secret, nullptr, server_public_key));
+
+    CBB_cleanup(&client_public_key_out);
+  }
+
+  // It is an error if Finish() is called without there
+  // having been a previous call to Offer()
+  {
+    bssl::UniquePtr<SSLKeyShare> client_key_share = SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(client_key_share);
+    Array<uint8_t> client_secret;
+    uint8_t client_alert = 0;
+    uint8_t *buffer = (uint8_t *)OPENSSL_malloc(t.accept_key_share_size);
+
+    Span<const uint8_t> server_public_key = MakeConstSpan(buffer, t.accept_key_share_size);
+
+    EXPECT_FALSE(client_key_share->Finish(&client_secret, &client_alert, server_public_key));
+    EXPECT_EQ(client_alert, SSL_AD_INTERNAL_ERROR);
+
+    OPENSSL_free(buffer);
+  }
+
+  // |server_public_key| has not been initialized with anything
+  {
+    bssl::UniquePtr<SSLKeyShare> client_key_share = SSLKeyShare::Create(t.group_id);
+    Span<const uint8_t> server_public_key;
+    Array<uint8_t> client_secret;
+    uint8_t client_alert = 0;
+    CBB client_public_key_out;
+    CBB_init(&client_public_key_out, 2);
+
+    EXPECT_TRUE(client_key_share->Offer(&client_public_key_out));
+
+    EXPECT_FALSE(client_key_share->Finish(&client_secret, &client_alert, server_public_key));
+    EXPECT_EQ(client_alert, SSL_AD_INTERNAL_ERROR);
+
+    CBB_cleanup(&client_public_key_out);
+  }
+
+  // |server_public_key| is initialized but is empty
+  {
+    bssl::UniquePtr<SSLKeyShare> client_key_share = SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(client_key_share);
+    Array<uint8_t> client_secret;
+    uint8_t client_alert = 0;
+    const uint8_t empty_buffer[1] = {0}; // Arrays must have at least 1 element to compile on Windows
+    Span<const uint8_t> server_public_key = MakeConstSpan(empty_buffer, 0);
+    CBB client_public_key_out;
+    CBB_init(&client_public_key_out, 2);
+
+    EXPECT_TRUE(client_key_share->Offer(&client_public_key_out));
+
+    EXPECT_FALSE(client_key_share->Finish(&client_secret, &client_alert, server_public_key));
+    CBB_cleanup(&client_public_key_out);
+    EXPECT_EQ(client_alert, SSL_AD_DECODE_ERROR);
+  }
+
+  // |server_public_key| is initialized with too little data
+  {
+    bssl::UniquePtr<SSLKeyShare> server_key_share = SSLKeyShare::Create(t.group_id);
+    bssl::UniquePtr<SSLKeyShare> client_key_share = SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(server_key_share);
+    ASSERT_TRUE(client_key_share);
+    Span<const uint8_t> client_public_key;
+    Span<const uint8_t> server_public_key;
+    Array<uint8_t> server_secret;
+    Array<uint8_t> client_secret;
+    CBB server_out_public_key;
+    CBB client_out_public_key;
+    uint8_t server_alert = 0;
+    uint8_t client_alert = 0;
+
+    // Generate a valid |client_public_key|
+    EXPECT_TRUE(CBB_init(&client_out_public_key, 64));
+    EXPECT_TRUE(client_key_share->Offer(&client_out_public_key));
+    const uint8_t *client_out_public_key_data = CBB_data(&client_out_public_key);
+    ASSERT_TRUE(client_out_public_key_data);
+    client_public_key = MakeConstSpan(client_out_public_key_data,
+                                      CBB_len(&client_out_public_key));
+
+    // Generate a valid |server_public_key|, then truncate the last byte
+    EXPECT_TRUE(CBB_init(&server_out_public_key, 64));
+    EXPECT_TRUE(server_key_share->Accept(&server_out_public_key,
+                                         &server_secret, &server_alert,
+                                         client_public_key));
+    EXPECT_EQ(server_alert, 0);
+    const uint8_t *server_out_public_key_data = CBB_data(&server_out_public_key);
+    ASSERT_TRUE(server_out_public_key_data);
+    server_public_key = MakeConstSpan(server_out_public_key_data,
+                                      CBB_len(&server_out_public_key) - 1);
+
+    EXPECT_FALSE(client_key_share->Finish(&client_secret, &client_alert, server_public_key));
+    EXPECT_EQ(client_alert, SSL_AD_DECODE_ERROR);
+
+    CBB_cleanup(&server_out_public_key);
+    CBB_cleanup(&client_out_public_key);
+  }
+
+  // |server_public_key| is initialized with too much data
+  {
+    bssl::UniquePtr<SSLKeyShare> server_key_share = SSLKeyShare::Create(t.group_id);
+    bssl::UniquePtr<SSLKeyShare> client_key_share = SSLKeyShare::Create(t.group_id);
+    ASSERT_TRUE(server_key_share);
+    ASSERT_TRUE(client_key_share);
+    Span<const uint8_t> client_public_key;
+    Span<const uint8_t> server_public_key;
+    Array<uint8_t> server_secret;
+    Array<uint8_t> client_secret;
+    CBB server_out_public_key;
+    CBB client_out_public_key;
+    uint8_t server_alert = 0;
+    uint8_t client_alert = 0;
+
+    // Generate a valid |client_public_key|
+    EXPECT_TRUE(CBB_init(&client_out_public_key, 64));
+    EXPECT_TRUE(client_key_share->Offer(&client_out_public_key));
+    const uint8_t *client_out_public_key_data = CBB_data(&client_out_public_key);
+    ASSERT_TRUE(client_out_public_key_data);
+    client_public_key = MakeConstSpan(client_out_public_key_data,
+                                      CBB_len(&client_out_public_key));
+
+    // Generate a valid |server_public_key|, then append a byte
+    EXPECT_TRUE(CBB_init(&server_out_public_key, 64));
+    EXPECT_TRUE(server_key_share->Accept(&server_out_public_key,
+                                         &server_secret, &server_alert,
+                                         client_public_key));
+    EXPECT_EQ(server_alert, 0);
+    EXPECT_TRUE(CBB_add_zeros(&server_out_public_key, 1));
+    const uint8_t *server_out_public_key_data = CBB_data(&server_out_public_key);
+    ASSERT_TRUE(server_out_public_key_data);
+    server_public_key = MakeConstSpan(server_out_public_key_data,
+                                      CBB_len(&server_out_public_key));
+
+    EXPECT_FALSE(client_key_share->Finish(&client_secret, &client_alert, server_public_key));
+    EXPECT_EQ(client_alert, SSL_AD_DECODE_ERROR);
+
+    CBB_cleanup(&server_out_public_key);
+    CBB_cleanup(&client_out_public_key);
+  }
+
+  // |server_public_key| is initialized with key material that is the correct
+  // length, but is not a valid key. We do this iteratively over each
+  // component group that makes up the hybrid group so that we can test
+  // all Finish() code paths in the hybrid key share.
+  {
+    size_t server_public_key_index = 0;
+    for (size_t i = 0; i < NUM_HYBRID_COMPONENTS; i++) {
+      // We'll need the hybrid group to retrieve the component share sizes
+      const HybridGroup *hybrid_group = GetHybridGroup(t.group_id);
+      ASSERT_TRUE(hybrid_group != NULL);
+
+      // Create the hybrid key shares and generate a valid |server_public_key|
+      bssl::UniquePtr<SSLKeyShare> client_key_share = SSLKeyShare::Create(t.group_id);
+      bssl::UniquePtr<SSLKeyShare> server_key_share = SSLKeyShare::Create(t.group_id);
+      ASSERT_TRUE(client_key_share);
+      ASSERT_TRUE(server_key_share);
+
+      CBB client_out_public_key;
+      CBB server_out_public_key;
+      EXPECT_TRUE(CBB_init(&client_out_public_key, 64));
+      EXPECT_TRUE(CBB_init(&server_out_public_key, 64));
+
+      Array<uint8_t> server_secret;
+      Array<uint8_t> client_secret;
+      uint8_t client_alert = 0;
+      uint8_t server_alert = 0;
+
+      EXPECT_TRUE(client_key_share->Offer(&client_out_public_key));
+
+      Span<const uint8_t> client_public_key = MakeConstSpan(
+        CBB_data(&client_out_public_key), CBB_len(&client_out_public_key));
+      EXPECT_TRUE(server_key_share->Accept(&server_out_public_key,
+                                           &server_secret, &server_alert,
+                                           client_public_key));
+      EXPECT_EQ(server_alert, 0);
+
+      // For the current component group, overwrite the bytes of that
+      // component's key share (and *only* that component's key share) with
+      // arbitrary nonsense; leave all other sections of the key share alone.
+      // This ensures:
+      // 1. The overall size of the hybrid key share is still correct
+      // 2. The sizes of the component key shares are still correct; in other
+      //    words, the component key shares are still partitioned correctly
+      //    and will be parsed individually, as intended
+      // 2. The key share associated with the current component group is invalid
+      // 3. All other component key shares are still valid
+      //
+      // (We have to do this in a roundabout way with malloc'ing another
+      // buffer because CBBs cannot be arbitrarily edited.)
+      size_t server_out_public_key_len = CBB_len(&server_out_public_key);
+      const uint8_t *server_out_public_key_data = CBB_data(&server_out_public_key);
+      ASSERT_TRUE(server_out_public_key_data);
+      uint8_t *buffer = (uint8_t *)OPENSSL_malloc(server_out_public_key_len);
+      ASSERT_TRUE(buffer);
+      OPENSSL_memcpy(buffer, server_out_public_key_data, server_out_public_key_len);
+      for (size_t j = server_public_key_index; j < t.accept_share_sizes[i]; j++) {
+        buffer[j] = 7; // 7 is arbitrary
+      }
+      Span<const uint8_t> server_public_key =
+        MakeConstSpan(buffer, server_out_public_key_len);
+
+      // The client will Finish() with the invalid public key
+      bool accepted = client_key_share->Finish(&client_secret, &client_alert,
+                                               server_public_key);
+
+      if (accepted) {
+        // The Finish() functionality for X25519 and all KEM key shares is
+        // written so that, even if the given public key is invalid, it will
+        // return success, output its own public key, and continue with the
+        // handshake. (This is the intended functionality.) So, in this
+        // case, we assert that the component group was one of those groups,
+        // continue with the handshake, then verify that the client and
+        // server ultimately arrived at different shared secrets.
+        EXPECT_TRUE(
+          hybrid_group->component_group_ids[i] == SSL_GROUP_KYBER768_R3 ||
+          hybrid_group->component_group_ids[i] == SSL_GROUP_X25519
+        );
+
+        // The handshake will complete without error...
+        EXPECT_EQ(client_alert, 0);
+        EXPECT_EQ(client_secret.size(), t.shared_secret_size);
+
+        // ...but client and server will arrive at different shared secrets
+        EXPECT_NE(Bytes(client_secret), Bytes(server_secret));
+
+      } else {
+        // The Finish() functionality for the NIST curves (e.g. P256) is
+        // written so that it will return failure if the key share is invalid.
+        EXPECT_EQ(hybrid_group->component_group_ids[i], SSL_GROUP_SECP256R1);
+        EXPECT_EQ(client_alert, SSL_AD_DECODE_ERROR);
+      }
+
+      server_public_key_index += t.accept_share_sizes[i];
+      CBB_cleanup(&client_out_public_key);
+      CBB_cleanup(&server_out_public_key);
+      OPENSSL_free(buffer);
+    }
+  }
+}
+
+class PerformHybridHandshakeTest : public testing::TestWithParam<HybridHandshakeTest> {};
+INSTANTIATE_TEST_SUITE_P(PerformHybridHandshakeTests, PerformHybridHandshakeTest, testing::ValuesIn(kHybridHandshakeTests));
+
+// This test runs through an overall handshake flow for all of the cases
+// defined in kHybridHandshakeTests. This test runs through both positive and
+// negative cases; refer to the comments inline in kHybridHandshakeTests for
+// specifics about each test case.
+TEST_P(PerformHybridHandshakeTest, PerformHybridHandshake) {
+  HybridHandshakeTest t = GetParam();
+  // Set up client and server with test case parameters
+  bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
+  ASSERT_TRUE(client_ctx);
+  ASSERT_TRUE(SSL_CTX_set1_curves_list(client_ctx.get(), t.client_rule));
+  ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), t.client_version));
+
+  bssl::UniquePtr<SSL_CTX> server_ctx = CreateContextWithTestCertificate(TLS_method());
+  ASSERT_TRUE(server_ctx);
+  ASSERT_TRUE(SSL_CTX_set1_curves_list(server_ctx.get(), t.server_rule));
+  ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), t.server_version));
+
+  bssl::UniquePtr<SSL> client, server;
+  ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(), server_ctx.get()));
+
+  if (t.expected_group != 0) {
+    // In this case, assert that the handshake completes as expected.
+    ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
+
+    SSL_SESSION *client_session = SSL_get_session(client.get());
+    ASSERT_TRUE(client_session);
+    EXPECT_EQ(t.expected_group, client_session->group_id);
+    EXPECT_EQ(t.is_hrr_expected, SSL_used_hello_retry_request(client.get()));
+    EXPECT_EQ(std::min(t.client_version, t.server_version), client_session->ssl_version);
+
+    SSL_SESSION *server_session = SSL_get_session(server.get());
+    ASSERT_TRUE(server_session);
+    EXPECT_EQ(t.expected_group, server_session->group_id);
+    EXPECT_EQ(t.is_hrr_expected, SSL_used_hello_retry_request(server.get()));
+    EXPECT_EQ(std::min(t.client_version, t.server_version), server_session->ssl_version);
+  } else {
+    // In this case, we expect the handshake to fail because client and
+    // server configurations are not compatible.
+    ASSERT_FALSE(CompleteHandshakes(client.get(), server.get()));
+
+    ASSERT_FALSE(client.get()->s3->initial_handshake_complete);
+    EXPECT_EQ(t.is_hrr_expected, SSL_used_hello_retry_request(client.get()));
+
+    ASSERT_FALSE(server.get()->s3->initial_handshake_complete);
+    EXPECT_EQ(t.is_hrr_expected, SSL_used_hello_retry_request(server.get()));
+  }
+}
+
 }  // namespace
 BSSL_NAMESPACE_END