grpc-flamingo 1.11.0 → 1.15.0

data/third_party/boringssl/ssl/ssl_privkey.cc

@@ -205,6 +205,9 @@ enum ssl_private_key_result_t ssl_private_key_sign(
       ret = ssl->cert->key_method->sign(ssl, out, out_len, max_out, sigalg,
                                         in.data(), in.size());
     }
+    if (ret == ssl_private_key_failure) {
+      OPENSSL_PUT_ERROR(SSL, SSL_R_PRIVATE_KEY_OPERATION_FAILED);
+    }
     hs->pending_private_key_op = ret == ssl_private_key_retry;
     return ret;
   }
@@ -241,6 +244,9 @@ enum ssl_private_key_result_t ssl_private_key_decrypt(SSL_HANDSHAKE *hs,
       ret = ssl->cert->key_method->decrypt(ssl, out, out_len, max_out,
                                            in.data(), in.size());
     }
+    if (ret == ssl_private_key_failure) {
+      OPENSSL_PUT_ERROR(SSL, SSL_R_PRIVATE_KEY_OPERATION_FAILED);
+    }
     hs->pending_private_key_op = ret == ssl_private_key_retry;
     return ret;
   }

data/third_party/boringssl/ssl/ssl_stat.cc

@@ -4,21 +4,21 @@
  * This package is an SSL implementation written
  * by Eric Young (eay@cryptsoft.com).
  * The implementation was written so as to conform with Netscapes SSL.
- * 
+ *
  * This library is free for commercial and non-commercial use as long as
  * the following conditions are aheared to.  The following conditions
  * apply to all code found in this distribution, be it the RC4, RSA,
  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
  * included with this distribution is covered by the same copyright terms
  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
+ *
  * Copyright remains Eric Young's, and as such any Copyright notices in
  * the code are not to be removed.
  * If this package is used in a product, Eric Young should be given attribution
  * as the author of the parts of the library used.
  * This can be in the form of a textual message at program startup or
  * in documentation (online or textual) provided with the package.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -33,10 +33,10 @@
  *     Eric Young (eay@cryptsoft.com)"
  *    The word 'cryptographic' can be left out if the rouines from the library
  *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
+ * 4. If you include any Windows specific code (or a derivative thereof) from
  *    the apps directory (application code) you must include an acknowledgement:
  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,7 +48,7 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
- * 
+ *
  * The licence and distribution terms for any publically available version or
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence

data/third_party/boringssl/ssl/ssl_versions.cc

@@ -34,12 +34,7 @@ bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
       *out = version;
       return true;
 
-    case TLS1_3_DRAFT_VERSION:
-    case TLS1_3_DRAFT21_VERSION:
-    case TLS1_3_DRAFT22_VERSION:
-    case TLS1_3_EXPERIMENT_VERSION:
-    case TLS1_3_EXPERIMENT2_VERSION:
-    case TLS1_3_EXPERIMENT3_VERSION:
+    case TLS1_3_DRAFT23_VERSION:
       *out = TLS1_3_VERSION;
       return true;
 
@@ -61,12 +56,7 @@ bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
 // decreasing preference.
 
 static const uint16_t kTLSVersions[] = {
-    TLS1_3_DRAFT22_VERSION,
-    TLS1_3_EXPERIMENT3_VERSION,
-    TLS1_3_EXPERIMENT2_VERSION,
-    TLS1_3_EXPERIMENT_VERSION,
-    TLS1_3_DRAFT_VERSION,
-    TLS1_3_DRAFT21_VERSION,
+    TLS1_3_DRAFT23_VERSION,
     TLS1_2_VERSION,
     TLS1_1_VERSION,
     TLS1_VERSION,
@@ -109,12 +99,7 @@ static bool method_supports_version(const SSL_PROTOCOL_METHOD *method,
 
 static const char *ssl_version_to_string(uint16_t version) {
   switch (version) {
-    case TLS1_3_DRAFT_VERSION:
-    case TLS1_3_DRAFT21_VERSION:
-    case TLS1_3_DRAFT22_VERSION:
-    case TLS1_3_EXPERIMENT_VERSION:
-    case TLS1_3_EXPERIMENT2_VERSION:
-    case TLS1_3_EXPERIMENT3_VERSION:
+    case TLS1_3_DRAFT23_VERSION:
       return "TLSv1.3";
 
     case TLS1_2_VERSION:
@@ -143,12 +128,7 @@ static const char *ssl_version_to_string(uint16_t version) {
 static uint16_t wire_version_to_api(uint16_t version) {
   switch (version) {
     // Report TLS 1.3 draft versions as TLS 1.3 in the public API.
-    case TLS1_3_DRAFT_VERSION:
-    case TLS1_3_DRAFT21_VERSION:
-    case TLS1_3_DRAFT22_VERSION:
-    case TLS1_3_EXPERIMENT_VERSION:
-    case TLS1_3_EXPERIMENT2_VERSION:
-    case TLS1_3_EXPERIMENT3_VERSION:
+    case TLS1_3_DRAFT23_VERSION:
       return TLS1_3_VERSION;
     default:
       return version;
@@ -159,16 +139,11 @@ static uint16_t wire_version_to_api(uint16_t version) {
 // particular, it picks an arbitrary TLS 1.3 representative. This should only be
 // used in context where that does not matter.
 static bool api_version_to_wire(uint16_t *out, uint16_t version) {
-  if (version == TLS1_3_DRAFT_VERSION ||
-      version == TLS1_3_DRAFT21_VERSION ||
-      version == TLS1_3_DRAFT22_VERSION ||
-      version == TLS1_3_EXPERIMENT_VERSION ||
-      version == TLS1_3_EXPERIMENT2_VERSION ||
-      version == TLS1_3_EXPERIMENT3_VERSION) {
+  if (version == TLS1_3_DRAFT23_VERSION) {
     return false;
   }
   if (version == TLS1_3_VERSION) {
-    version = TLS1_3_DRAFT_VERSION;
+    version = TLS1_3_DRAFT23_VERSION;
   }
 
   // Check it is a real protocol version.
@@ -319,34 +294,18 @@ bool ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) {
     return false;
   }
 
-  // TLS 1.3 variants must additionally match |tls13_variant|.
+  // This logic is part of the TLS 1.3 variants mechanism used in TLS 1.3
+  // experimentation. Although we currently only have one variant, TLS 1.3 does
+  // not a final stable deployment yet, so leave the logic in place for now.
   if (protocol_version != TLS1_3_VERSION ||
-      (ssl->tls13_variant == tls13_experiment &&
-       version == TLS1_3_EXPERIMENT_VERSION) ||
-      (ssl->tls13_variant == tls13_experiment2 &&
-       version == TLS1_3_EXPERIMENT2_VERSION) ||
-      (ssl->tls13_variant == tls13_experiment3 &&
-       version == TLS1_3_EXPERIMENT3_VERSION) ||
-      (ssl->tls13_variant == tls13_draft21 &&
-       version == TLS1_3_DRAFT21_VERSION) ||
-      (ssl->tls13_variant == tls13_draft22 &&
-       version == TLS1_3_DRAFT22_VERSION) ||
       (ssl->tls13_variant == tls13_default &&
-       version == TLS1_3_DRAFT_VERSION)) {
+       version == TLS1_3_DRAFT23_VERSION)) {
     return true;
   }
 
   // The server, when not configured at |tls13_default|, should additionally
-  // enable all variants, except draft-21 which is implemented solely for QUIC
-  // interop testing and will not be deployed, and draft-22 which will be
-  // enabled once the draft is finalized and ready to be deployed in Chrome.
-  // Currently, this is to implement the draft-18 vs. experiments field trials.
-  // In the future, this will be to transition cleanly to a final draft-22
-  // which hopefully includes the deployability fixes.
-  if (ssl->server &&
-      ssl->tls13_variant != tls13_default &&
-      version != TLS1_3_DRAFT21_VERSION &&
-      version != TLS1_3_DRAFT22_VERSION) {
+  // enable all variants.
+  if (ssl->server && ssl->tls13_variant != tls13_default) {
     return true;
   }
 
@@ -397,38 +356,6 @@ bool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
   return false;
 }
 
-bool ssl_is_draft21(uint16_t version) {
-  return version == TLS1_3_DRAFT21_VERSION || version == TLS1_3_DRAFT22_VERSION;
-}
-
-bool ssl_is_draft22(uint16_t version) {
-  return version == TLS1_3_DRAFT22_VERSION;
-}
-
-bool ssl_is_resumption_experiment(uint16_t version) {
-  return version == TLS1_3_EXPERIMENT_VERSION ||
-         version == TLS1_3_EXPERIMENT2_VERSION ||
-         version == TLS1_3_EXPERIMENT3_VERSION ||
-         version == TLS1_3_DRAFT22_VERSION;
-}
-
-bool ssl_is_resumption_variant(enum tls13_variant_t variant) {
-  return variant == tls13_experiment || variant == tls13_experiment2 ||
-         variant == tls13_experiment3 || variant == tls13_draft22;
-}
-
-bool ssl_is_resumption_client_ccs_experiment(uint16_t version) {
-  return version == TLS1_3_EXPERIMENT_VERSION ||
-         version == TLS1_3_EXPERIMENT2_VERSION ||
-         version == TLS1_3_DRAFT22_VERSION;
-}
-
-bool ssl_is_resumption_record_version_experiment(uint16_t version) {
-  return version == TLS1_3_EXPERIMENT2_VERSION ||
-         version == TLS1_3_EXPERIMENT3_VERSION ||
-         version == TLS1_3_DRAFT22_VERSION;
-}
-
 }  // namespace bssl
 
 using namespace bssl;

data/third_party/boringssl/ssl/ssl_x509.cc

@@ -354,66 +354,6 @@ static void ssl_crypto_x509_session_clear(SSL_SESSION *session) {
   session->x509_chain_without_leaf = NULL;
 }
 
-static int ssl_verify_alarm_type(long type) {
-  switch (type) {
-    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
-    case X509_V_ERR_UNABLE_TO_GET_CRL:
-    case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
-      return SSL_AD_UNKNOWN_CA;
-
-    case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
-    case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
-    case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
-    case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
-    case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
-    case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
-    case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
-    case X509_V_ERR_CERT_NOT_YET_VALID:
-    case X509_V_ERR_CRL_NOT_YET_VALID:
-    case X509_V_ERR_CERT_UNTRUSTED:
-    case X509_V_ERR_CERT_REJECTED:
-    case X509_V_ERR_HOSTNAME_MISMATCH:
-    case X509_V_ERR_EMAIL_MISMATCH:
-    case X509_V_ERR_IP_ADDRESS_MISMATCH:
-      return SSL_AD_BAD_CERTIFICATE;
-
-    case X509_V_ERR_CERT_SIGNATURE_FAILURE:
-    case X509_V_ERR_CRL_SIGNATURE_FAILURE:
-      return SSL_AD_DECRYPT_ERROR;
-
-    case X509_V_ERR_CERT_HAS_EXPIRED:
-    case X509_V_ERR_CRL_HAS_EXPIRED:
-      return SSL_AD_CERTIFICATE_EXPIRED;
-
-    case X509_V_ERR_CERT_REVOKED:
-      return SSL_AD_CERTIFICATE_REVOKED;
-
-    case X509_V_ERR_UNSPECIFIED:
-    case X509_V_ERR_OUT_OF_MEM:
-    case X509_V_ERR_INVALID_CALL:
-    case X509_V_ERR_STORE_LOOKUP:
-      return SSL_AD_INTERNAL_ERROR;
-
-    case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
-    case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
-    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
-    case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
-    case X509_V_ERR_CERT_CHAIN_TOO_LONG:
-    case X509_V_ERR_PATH_LENGTH_EXCEEDED:
-    case X509_V_ERR_INVALID_CA:
-      return SSL_AD_UNKNOWN_CA;
-
-    case X509_V_ERR_APPLICATION_VERIFICATION:
-      return SSL_AD_HANDSHAKE_FAILURE;
-
-    case X509_V_ERR_INVALID_PURPOSE:
-      return SSL_AD_UNSUPPORTED_CERTIFICATE;
-
-    default:
-      return SSL_AD_CERTIFICATE_UNKNOWN;
-  }
-}
-
 static int ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session,
                                                      SSL *ssl,
                                                      uint8_t *out_alert) {
@@ -464,7 +404,7 @@ static int ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session,
 
   // If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result.
   if (verify_ret <= 0 && ssl->verify_mode != SSL_VERIFY_NONE) {
-    *out_alert = ssl_verify_alarm_type(ctx->error);
+    *out_alert = SSL_alert_from_verify_result(ctx->error);
     return 0;
   }
 
@@ -1297,3 +1237,61 @@ int SSL_set1_verify_cert_store(SSL *ssl, X509_STORE *store) {
   check_ssl_x509_method(ssl);
   return set_cert_store(&ssl->cert->verify_store, store, 1);
 }
+
+int SSL_alert_from_verify_result(long result) {
+  switch (result) {
+    case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+    case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+    case X509_V_ERR_INVALID_CA:
+    case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+    case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+    case X509_V_ERR_UNABLE_TO_GET_CRL:
+    case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
+    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+    case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+      return SSL_AD_UNKNOWN_CA;
+
+    case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
+    case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
+    case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
+    case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+    case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+    case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
+    case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
+    case X509_V_ERR_CERT_UNTRUSTED:
+    case X509_V_ERR_CERT_REJECTED:
+    case X509_V_ERR_HOSTNAME_MISMATCH:
+    case X509_V_ERR_EMAIL_MISMATCH:
+    case X509_V_ERR_IP_ADDRESS_MISMATCH:
+      return SSL_AD_BAD_CERTIFICATE;
+
+    case X509_V_ERR_CERT_SIGNATURE_FAILURE:
+    case X509_V_ERR_CRL_SIGNATURE_FAILURE:
+      return SSL_AD_DECRYPT_ERROR;
+
+    case X509_V_ERR_CERT_HAS_EXPIRED:
+    case X509_V_ERR_CERT_NOT_YET_VALID:
+    case X509_V_ERR_CRL_HAS_EXPIRED:
+    case X509_V_ERR_CRL_NOT_YET_VALID:
+      return SSL_AD_CERTIFICATE_EXPIRED;
+
+    case X509_V_ERR_CERT_REVOKED:
+      return SSL_AD_CERTIFICATE_REVOKED;
+
+    case X509_V_ERR_UNSPECIFIED:
+    case X509_V_ERR_OUT_OF_MEM:
+    case X509_V_ERR_INVALID_CALL:
+    case X509_V_ERR_STORE_LOOKUP:
+      return SSL_AD_INTERNAL_ERROR;
+
+    case X509_V_ERR_APPLICATION_VERIFICATION:
+      return SSL_AD_HANDSHAKE_FAILURE;
+
+    case X509_V_ERR_INVALID_PURPOSE:
+      return SSL_AD_UNSUPPORTED_CERTIFICATE;
+
+    default:
+      return SSL_AD_CERTIFICATE_UNKNOWN;
+  }
+}

data/third_party/boringssl/ssl/t1_enc.cc

@@ -148,102 +148,20 @@
 #include <openssl/nid.h>
 #include <openssl/rand.h>
 
+#include "../crypto/fipsmodule/tls/internal.h"
 #include "../crypto/internal.h"
 #include "internal.h"
 
 
 namespace bssl {
 
-// tls1_P_hash computes the TLS P_<hash> function as described in RFC 5246,
-// section 5. It XORs |out.size()| bytes to |out|, using |md| as the hash and
-// |secret| as the secret. |label|, |seed1|, and |seed2| are concatenated to
-// form the seed parameter. It returns true on success and false on failure.
-static bool tls1_P_hash(Span<uint8_t> out, const EVP_MD *md,
-                        Span<const uint8_t> secret, Span<const char> label,
-                        Span<const uint8_t> seed1, Span<const uint8_t> seed2) {
-  ScopedHMAC_CTX ctx, ctx_tmp, ctx_init;
-  uint8_t A1[EVP_MAX_MD_SIZE];
-  unsigned A1_len;
-  bool ret = false;
-
-  size_t chunk = EVP_MD_size(md);
-
-  if (!HMAC_Init_ex(ctx_init.get(), secret.data(), secret.size(), md,
-                    nullptr) ||
-      !HMAC_CTX_copy_ex(ctx.get(), ctx_init.get()) ||
-      !HMAC_Update(ctx.get(), reinterpret_cast<const uint8_t *>(label.data()),
-                   label.size()) ||
-      !HMAC_Update(ctx.get(), seed1.data(), seed1.size()) ||
-      !HMAC_Update(ctx.get(), seed2.data(), seed2.size()) ||
-      !HMAC_Final(ctx.get(), A1, &A1_len)) {
-    goto err;
-  }
-
-  for (;;) {
-    unsigned len;
-    uint8_t hmac[EVP_MAX_MD_SIZE];
-    if (!HMAC_CTX_copy_ex(ctx.get(), ctx_init.get()) ||
-        !HMAC_Update(ctx.get(), A1, A1_len) ||
-        // Save a copy of |ctx| to compute the next A1 value below.
-        (out.size() > chunk && !HMAC_CTX_copy_ex(ctx_tmp.get(), ctx.get())) ||
-        !HMAC_Update(ctx.get(), reinterpret_cast<const uint8_t *>(label.data()),
-                     label.size()) ||
-        !HMAC_Update(ctx.get(), seed1.data(), seed1.size()) ||
-        !HMAC_Update(ctx.get(), seed2.data(), seed2.size()) ||
-        !HMAC_Final(ctx.get(), hmac, &len)) {
-      goto err;
-    }
-    assert(len == chunk);
-
-    // XOR the result into |out|.
-    if (len > out.size()) {
-      len = out.size();
-    }
-    for (unsigned i = 0; i < len; i++) {
-      out[i] ^= hmac[i];
-    }
-    out = out.subspan(len);
-
-    if (out.empty()) {
-      break;
-    }
-
-    // Calculate the next A1 value.
-    if (!HMAC_Final(ctx_tmp.get(), A1, &A1_len)) {
-      goto err;
-    }
-  }
-
-  ret = true;
-
-err:
-  OPENSSL_cleanse(A1, sizeof(A1));
-  return ret;
-}
-
 bool tls1_prf(const EVP_MD *digest, Span<uint8_t> out,
               Span<const uint8_t> secret, Span<const char> label,
               Span<const uint8_t> seed1, Span<const uint8_t> seed2) {
-  if (out.empty()) {
-    return true;
-  }
-
-  OPENSSL_memset(out.data(), 0, out.size());
-
-  if (digest == EVP_md5_sha1()) {
-    // If using the MD5/SHA1 PRF, |secret| is partitioned between MD5 and SHA-1.
-    size_t secret_half = secret.size() - (secret.size() / 2);
-    if (!tls1_P_hash(out, EVP_md5(), secret.subspan(0, secret_half), label,
-                     seed1, seed2)) {
-      return false;
-    }
-
-    // Note that, if |secret.size()| is odd, the two halves share a byte.
-    secret = secret.subspan(secret.size() - secret_half);
-    digest = EVP_sha1();
-  }
-
-  return tls1_P_hash(out, digest, secret, label, seed1, seed2);
+  return 1 == CRYPTO_tls1_prf(digest, out.data(), out.size(), secret.data(),
+                              secret.size(), label.data(), label.size(),
+                              seed1.data(), seed1.size(), seed2.data(),
+                              seed2.size());
 }
 
 static bool ssl3_prf(Span<uint8_t> out, Span<const uint8_t> secret,
@@ -321,42 +239,26 @@ static bool get_key_block_lengths(const SSL *ssl, size_t *out_mac_secret_len,
   return true;
 }
 
-static bool setup_key_block(SSL_HANDSHAKE *hs) {
-  SSL *const ssl = hs->ssl;
-  if (!hs->key_block.empty()) {
-    return true;
-  }
-
-  size_t mac_secret_len, key_len, fixed_iv_len;
-  Array<uint8_t> key_block;
-  if (!get_key_block_lengths(ssl, &mac_secret_len, &key_len, &fixed_iv_len,
-                             hs->new_cipher) ||
-      !key_block.Init(2 * (mac_secret_len + key_len + fixed_iv_len)) ||
-      !SSL_generate_key_block(ssl, key_block.data(), key_block.size())) {
-    return false;
-  }
-
-  hs->key_block = std::move(key_block);
-  return true;
-}
-
-int tls1_change_cipher_state(SSL_HANDSHAKE *hs,
-                             evp_aead_direction_t direction) {
-  SSL *const ssl = hs->ssl;
-  // Ensure the key block is set up.
+int tls1_configure_aead(SSL *ssl, evp_aead_direction_t direction,
+                        Array<uint8_t> *key_block_cache,
+                        const SSL_CIPHER *cipher,
+                        Span<const uint8_t> iv_override) {
   size_t mac_secret_len, key_len, iv_len;
-  if (!setup_key_block(hs) ||
-      !get_key_block_lengths(ssl, &mac_secret_len, &key_len, &iv_len,
-                             hs->new_cipher)) {
+  if (!get_key_block_lengths(ssl, &mac_secret_len, &key_len, &iv_len, cipher)) {
     return 0;
   }
 
-  if ((mac_secret_len + key_len + iv_len) * 2 != hs->key_block.size()) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-    return 0;
+  // Ensure that |key_block_cache| is set up.
+  const size_t key_block_size = 2 * (mac_secret_len + key_len + iv_len);
+  if (key_block_cache->empty()) {
+    if (!key_block_cache->Init(key_block_size) ||
+        !SSL_generate_key_block(ssl, key_block_cache->data(), key_block_size)) {
+      return 0;
+    }
   }
+  assert(key_block_cache->size() == key_block_size);
 
-  Span<const uint8_t> key_block = hs->key_block;
+  Span<const uint8_t> key_block = *key_block_cache;
   Span<const uint8_t> mac_secret, key, iv;
   if (direction == (ssl->server ? evp_aead_open : evp_aead_seal)) {
     // Use the client write (server read) keys.
@@ -370,9 +272,15 @@ int tls1_change_cipher_state(SSL_HANDSHAKE *hs,
     iv = key_block.subspan(2 * mac_secret_len + 2 * key_len + iv_len, iv_len);
   }
 
-  UniquePtr<SSLAEADContext> aead_ctx =
-      SSLAEADContext::Create(direction, ssl->version, SSL_is_dtls(ssl),
-                             hs->new_cipher, key, mac_secret, iv);
+  if (!iv_override.empty()) {
+    if (iv_override.size() != iv_len) {
+      return 0;
+    }
+    iv = iv_override;
+  }
+
+  UniquePtr<SSLAEADContext> aead_ctx = SSLAEADContext::Create(
+      direction, ssl->version, SSL_is_dtls(ssl), cipher, key, mac_secret, iv);
   if (!aead_ctx) {
     return 0;
   }
@@ -384,6 +292,12 @@ int tls1_change_cipher_state(SSL_HANDSHAKE *hs,
   return ssl->method->set_write_state(ssl, std::move(aead_ctx));
 }
 
+int tls1_change_cipher_state(SSL_HANDSHAKE *hs,
+                             evp_aead_direction_t direction) {
+  return tls1_configure_aead(hs->ssl, direction, &hs->key_block,
+                             hs->new_cipher, {});
+}
+
 int tls1_generate_master_secret(SSL_HANDSHAKE *hs, uint8_t *out,
                                 Span<const uint8_t> premaster) {
   static const char kMasterSecretLabel[] = "master secret";
@@ -458,17 +372,28 @@ int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
                                const uint8_t *context, size_t context_len,
                                int use_context) {
   if (!ssl->s3->have_version || ssl->version == SSL3_VERSION) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_NOT_COMPLETE);
     return 0;
   }
 
-  // Exporters may not be used in the middle of a renegotiation.
-  if (SSL_in_init(ssl) && !SSL_in_false_start(ssl)) {
+  // Exporters may be used in False Start and server 0-RTT, where the handshake
+  // has progressed enough. Otherwise, they may not be used during a handshake.
+  if (SSL_in_init(ssl) &&
+      !SSL_in_false_start(ssl) &&
+      !(SSL_is_server(ssl) && SSL_in_early_data(ssl))) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_NOT_COMPLETE);
     return 0;
   }
 
   if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
-    return tls13_export_keying_material(ssl, out, out_len, label, label_len,
-                                        context, context_len, use_context);
+    if (!use_context) {
+      context = nullptr;
+      context_len = 0;
+    }
+    return tls13_export_keying_material(
+        ssl, MakeSpan(out, out_len),
+        MakeConstSpan(ssl->s3->exporter_secret, ssl->s3->exporter_secret_len),
+        MakeConstSpan(label, label_len), MakeConstSpan(context, context_len));
   }
 
   size_t seed_len = 2 * SSL3_RANDOM_SIZE;
@@ -501,3 +426,27 @@ int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
       MakeConstSpan(session->master_key, session->master_key_length),
       MakeConstSpan(label, label_len), seed, {});
 }
+
+int SSL_export_early_keying_material(
+    SSL *ssl, uint8_t *out, size_t out_len, const char *label, size_t label_len,
+    const uint8_t *context, size_t context_len) {
+  if (!SSL_in_early_data(ssl) &&
+      (!ssl->s3->have_version ||
+       ssl_protocol_version(ssl) < TLS1_3_VERSION)) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION);
+    return 0;
+  }
+
+  // The early exporter only exists if we accepted early data or offered it as
+  // a client.
+  if (!SSL_in_early_data(ssl) && !SSL_early_data_accepted(ssl)) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_EARLY_DATA_NOT_IN_USE);
+    return 0;
+  }
+
+  return tls13_export_keying_material(
+      ssl, MakeSpan(out, out_len),
+      MakeConstSpan(ssl->s3->early_exporter_secret,
+                    ssl->s3->early_exporter_secret_len),
+      MakeConstSpan(label, label_len), MakeConstSpan(context, context_len));
+}