RubyGems - grpc - Versions diffs - 1.0.1 → 1.1.2 - Mend

grpc 1.0.1 → 1.1.2

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (705) hide show

checksums.yaml +4 -4
data/Makefile +3696 -867
data/etc/roots.pem +39 -111
data/include/grpc/byte_buffer.h +64 -1
data/include/grpc/census.h +40 -96
data/include/grpc/compression.h +2 -1
data/include/grpc/grpc.h +42 -7
data/include/grpc/grpc_posix.h +8 -5
data/include/grpc/impl/codegen/atm.h +3 -0
data/include/grpc/impl/codegen/atm_gcc_atomic.h +2 -0
data/include/grpc/impl/codegen/atm_gcc_sync.h +8 -0
data/include/grpc/impl/codegen/atm_windows.h +4 -0
data/include/grpc/impl/codegen/byte_buffer_reader.h +4 -4
data/include/grpc/impl/codegen/compression_types.h +1 -1
data/include/grpc/impl/codegen/connectivity_state.h +2 -0
data/include/grpc/impl/codegen/exec_ctx_fwd.h +41 -0
data/include/grpc/impl/codegen/gpr_slice.h +84 -0
data/include/grpc/impl/codegen/{alloc.h → gpr_types.h} +30 -29
data/include/grpc/impl/codegen/grpc_types.h +91 -9
data/include/grpc/impl/codegen/port_platform.h +25 -92
data/include/grpc/impl/codegen/slice.h +54 -97
data/include/grpc/impl/codegen/sync.h +0 -253
data/include/grpc/module.modulemap +0 -2
data/include/grpc/slice.h +132 -0
data/include/grpc/{impl/codegen/slice_buffer.h → slice_buffer.h} +22 -39
data/include/grpc/support/alloc.h +40 -1
data/include/grpc/support/log.h +80 -1
data/include/grpc/support/log_windows.h +2 -0
data/include/grpc/support/string_util.h +1 -1
data/include/grpc/support/sync.h +252 -0
data/include/grpc/support/time.h +67 -1
data/src/boringssl/err_data.c +639 -627
data/src/core/ext/census/base_resources.c +71 -0
data/src/core/ext/census/base_resources.h +39 -0
data/src/core/ext/census/gen/census.pb.c +26 -29
data/src/core/ext/census/gen/census.pb.h +68 -67
data/src/core/ext/census/gen/trace_context.pb.c +81 -0
data/src/core/ext/census/gen/trace_context.pb.h +99 -0
data/src/core/ext/census/grpc_filter.c +22 -16
data/src/core/ext/census/grpc_plugin.c +2 -1
data/src/core/ext/census/initialize.c +16 -4
data/src/core/ext/census/mlog.h +1 -1
data/src/core/ext/census/placeholders.c +0 -45
data/src/core/ext/census/resource.c +312 -0
data/src/core/ext/census/resource.h +63 -0
data/src/core/ext/census/trace_context.c +86 -0
data/src/core/ext/census/trace_context.h +68 -0
data/src/core/ext/census/tracing.c +8 -2
data/src/core/ext/{client_config → client_channel}/channel_connectivity.c +8 -4
data/src/core/ext/client_channel/client_channel.c +1218 -0
data/src/core/ext/{client_config → client_channel}/client_channel.h +8 -11
data/src/core/ext/{client_config → client_channel}/client_channel_factory.c +33 -3
data/src/core/ext/{client_config → client_channel}/client_channel_factory.h +15 -8
data/src/core/ext/{client_config/client_config_plugin.c → client_channel/client_channel_plugin.c} +16 -15
data/src/core/ext/{client_config → client_channel}/connector.c +1 -1
data/src/core/ext/{client_config → client_channel}/connector.h +5 -8
data/{include/grpc/support/slice_buffer.h → src/core/ext/client_channel/default_initial_connect_string.c} +4 -5
data/src/core/ext/client_channel/http_connect_handshaker.c +399 -0
data/src/core/ext/client_channel/http_connect_handshaker.h +52 -0
data/src/core/ext/{client_config → client_channel}/initial_connect_string.c +6 -7
data/src/core/ext/{client_config → client_channel}/initial_connect_string.h +10 -10
data/src/core/ext/{client_config → client_channel}/lb_policy.c +11 -11
data/src/core/ext/{client_config → client_channel}/lb_policy.h +68 -27
data/src/core/ext/client_channel/lb_policy_factory.c +163 -0
data/src/core/ext/{client_config → client_channel}/lb_policy_factory.h +64 -9
data/src/core/ext/{client_config → client_channel}/lb_policy_registry.c +6 -4
data/src/core/ext/{client_config → client_channel}/lb_policy_registry.h +4 -4
data/src/core/ext/{client_config → client_channel}/parse_address.c +21 -14
data/src/core/ext/{client_config → client_channel}/parse_address.h +8 -10
data/src/core/ext/{client_config → client_channel}/resolver.c +3 -4
data/src/core/ext/{client_config → client_channel}/resolver.h +11 -15
data/src/core/ext/{client_config → client_channel}/resolver_factory.c +4 -3
data/src/core/ext/{client_config → client_channel}/resolver_factory.h +13 -11
data/src/core/ext/{client_config → client_channel}/resolver_registry.c +54 -34
data/src/core/ext/{client_config → client_channel}/resolver_registry.h +21 -8
data/src/core/ext/{client_config → client_channel}/subchannel.c +208 -119
data/src/core/ext/{client_config → client_channel}/subchannel.h +21 -11
data/src/core/ext/{client_config → client_channel}/subchannel_index.c +6 -17
data/src/core/ext/{client_config → client_channel}/subchannel_index.h +7 -7
data/src/core/ext/{client_config → client_channel}/uri_parser.c +21 -28
data/src/core/ext/{client_config → client_channel}/uri_parser.h +3 -3
data/src/core/ext/lb_policy/grpclb/grpclb.c +1406 -0
data/src/core/ext/lb_policy/grpclb/grpclb.h +44 -0
data/src/core/ext/lb_policy/grpclb/load_balancer_api.c +117 -37
data/src/core/ext/lb_policy/grpclb/load_balancer_api.h +31 -12
data/src/core/ext/lb_policy/grpclb/proto/grpc/lb/v1/load_balancer.pb.c +6 -36
data/src/core/ext/lb_policy/grpclb/proto/grpc/lb/v1/load_balancer.pb.h +22 -42
data/src/core/ext/lb_policy/pick_first/pick_first.c +64 -46
data/src/core/ext/lb_policy/round_robin/round_robin.c +324 -160
data/src/core/ext/load_reporting/load_reporting.c +7 -56
data/src/core/ext/load_reporting/load_reporting.h +41 -28
data/src/core/ext/load_reporting/load_reporting_filter.c +132 -42
data/src/core/ext/load_reporting/load_reporting_filter.h +1 -0
data/src/core/ext/resolver/dns/native/dns_resolver.c +88 -80
data/src/core/ext/resolver/sockaddr/sockaddr_resolver.c +57 -102
data/src/core/ext/transport/chttp2/alpn/alpn.c +1 -1
data/src/core/ext/transport/chttp2/client/chttp2_connector.c +253 -0
data/src/core/{lib/iomgr/ev_poll_and_epoll_posix.h → ext/transport/chttp2/client/chttp2_connector.h} +5 -5
data/src/core/ext/transport/chttp2/client/insecure/channel_create.c +31 -160
data/src/core/ext/transport/chttp2/client/insecure/channel_create_posix.c +5 -5
data/src/core/ext/transport/chttp2/client/secure/secure_channel_create.c +44 -243
data/src/core/ext/transport/chttp2/server/chttp2_server.c +342 -0
data/src/core/ext/transport/chttp2/server/chttp2_server.h +47 -0
data/src/core/ext/transport/chttp2/server/insecure/server_chttp2.c +11 -124
data/src/core/ext/transport/chttp2/server/insecure/server_chttp2_posix.c +20 -9
data/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.c +28 -236
data/src/core/ext/transport/chttp2/transport/bin_decoder.c +31 -27
data/src/core/ext/transport/chttp2/transport/bin_decoder.h +5 -4
data/src/core/ext/transport/chttp2/transport/bin_encoder.c +25 -22
data/src/core/ext/transport/chttp2/transport/bin_encoder.h +8 -7
data/src/core/ext/transport/chttp2/transport/chttp2_plugin.c +0 -3
data/src/core/ext/transport/chttp2/transport/chttp2_transport.c +1345 -1521
data/src/core/ext/transport/chttp2/transport/chttp2_transport.h +3 -1
data/src/core/ext/transport/chttp2/transport/frame.h +3 -5
data/src/core/ext/transport/chttp2/transport/frame_data.c +50 -47
data/src/core/ext/transport/chttp2/transport/frame_data.h +8 -9
data/src/core/ext/transport/chttp2/transport/frame_goaway.c +19 -21
data/src/core/ext/transport/chttp2/transport/frame_goaway.h +9 -8
data/src/core/ext/transport/chttp2/transport/frame_ping.c +13 -12
data/src/core/ext/transport/chttp2/transport/frame_ping.h +6 -6
data/src/core/ext/transport/chttp2/transport/frame_rst_stream.c +31 -19
data/src/core/ext/transport/chttp2/transport/frame_rst_stream.h +8 -7
data/src/core/ext/transport/chttp2/transport/frame_settings.c +22 -25
data/src/core/ext/transport/chttp2/transport/frame_settings.h +9 -8
data/src/core/ext/transport/chttp2/transport/frame_window_update.c +26 -18
data/src/core/ext/transport/chttp2/transport/frame_window_update.h +5 -6
data/src/core/ext/transport/chttp2/transport/hpack_encoder.c +68 -58
data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +8 -5
data/src/core/ext/transport/chttp2/transport/hpack_parser.c +327 -214
data/src/core/ext/transport/chttp2/transport/hpack_parser.h +14 -9
data/src/core/ext/transport/chttp2/transport/hpack_table.c +24 -19
data/src/core/ext/transport/chttp2/transport/hpack_table.h +9 -6
data/src/core/ext/transport/chttp2/transport/incoming_metadata.c +2 -2
data/src/core/ext/transport/chttp2/transport/incoming_metadata.h +1 -1
data/src/core/ext/transport/chttp2/transport/internal.h +284 -436
data/src/core/ext/transport/chttp2/transport/parsing.c +355 -590
data/src/core/ext/transport/chttp2/transport/stream_lists.c +36 -309
data/src/core/ext/transport/chttp2/transport/stream_map.c +13 -34
data/src/core/ext/transport/chttp2/transport/stream_map.h +3 -4
data/src/core/ext/transport/chttp2/transport/writing.c +174 -286
data/src/core/lib/channel/channel_args.c +70 -13
data/src/core/lib/channel/channel_args.h +28 -2
data/src/core/lib/channel/channel_stack.c +77 -28
data/src/core/lib/channel/channel_stack.h +61 -23
data/src/core/lib/channel/channel_stack_builder.c +33 -25
data/src/core/lib/channel/channel_stack_builder.h +17 -8
data/src/core/lib/channel/compress_filter.c +52 -36
data/src/core/lib/channel/connected_channel.c +20 -12
data/src/core/lib/channel/connected_channel.h +2 -1
data/src/core/lib/channel/context.h +13 -1
data/src/core/lib/channel/deadline_filter.c +344 -0
data/src/core/lib/channel/deadline_filter.h +99 -0
data/src/core/lib/channel/handshaker.c +240 -0
data/src/core/lib/channel/handshaker.h +164 -0
data/src/core/lib/{security/credentials/google_default/credentials_windows.c → channel/handshaker_factory.c} +16 -23
data/src/core/lib/channel/handshaker_factory.h +66 -0
data/src/core/lib/channel/handshaker_registry.c +113 -0
data/src/core/{ext/client_config/client_config.h → lib/channel/handshaker_registry.h} +26 -16
data/src/core/lib/channel/http_client_filter.c +248 -46
data/src/core/lib/channel/http_client_filter.h +3 -0
data/src/core/lib/channel/http_server_filter.c +136 -24
data/src/core/lib/channel/message_size_filter.c +261 -0
data/src/core/lib/channel/message_size_filter.h +39 -0
data/src/core/lib/compression/message_compress.c +43 -37
data/src/core/lib/compression/message_compress.h +7 -5
data/src/core/lib/http/format_request.c +26 -11
data/src/core/lib/http/format_request.h +7 -5
data/src/core/lib/http/httpcli.c +45 -27
data/src/core/lib/http/httpcli.h +4 -4
data/src/core/lib/http/httpcli_security_connector.c +56 -46
data/src/core/lib/http/parser.c +17 -14
data/src/core/lib/http/parser.h +4 -2
data/src/core/lib/iomgr/closure.c +49 -7
data/src/core/lib/iomgr/closure.h +56 -14
data/src/core/lib/iomgr/combiner.c +422 -0
data/src/core/lib/iomgr/combiner.h +64 -0
data/src/core/lib/iomgr/endpoint.c +8 -2
data/src/core/lib/iomgr/endpoint.h +17 -7
data/src/core/lib/iomgr/endpoint_pair.h +3 -2
data/src/core/lib/iomgr/endpoint_pair_posix.c +9 -8
data/src/core/{ext/client_config/lb_policy_factory.c → lib/iomgr/endpoint_pair_uv.c} +18 -13
data/src/core/lib/iomgr/endpoint_pair_windows.c +7 -6
data/src/core/lib/iomgr/error.c +72 -6
data/src/core/lib/iomgr/error.h +30 -3
data/src/core/lib/iomgr/ev_epoll_linux.c +500 -382
data/src/core/lib/iomgr/ev_epoll_linux.h +3 -2
data/src/core/lib/iomgr/ev_poll_posix.c +317 -30
data/src/core/lib/iomgr/ev_poll_posix.h +1 -0
data/src/core/lib/iomgr/ev_posix.c +26 -5
data/src/core/lib/iomgr/ev_posix.h +12 -1
data/src/core/lib/iomgr/exec_ctx.c +27 -94
data/src/core/lib/iomgr/exec_ctx.h +19 -22
data/src/core/lib/iomgr/executor.c +29 -8
data/src/core/lib/iomgr/executor.h +2 -4
data/src/core/lib/iomgr/iocp_windows.c +3 -4
data/src/core/lib/iomgr/iomgr.c +14 -10
data/src/core/lib/iomgr/iomgr.h +6 -2
data/src/core/lib/iomgr/iomgr_posix.c +2 -2
data/src/core/lib/iomgr/iomgr_uv.c +49 -0
data/src/core/lib/iomgr/iomgr_windows.c +2 -2
data/src/core/lib/iomgr/load_file.c +3 -3
data/src/core/lib/iomgr/load_file.h +2 -2
data/src/core/lib/iomgr/network_status_tracker.c +1 -1
data/src/core/lib/iomgr/pollset_set_uv.c +62 -0
data/src/core/lib/iomgr/pollset_set_windows.c +3 -3
data/src/core/lib/iomgr/pollset_uv.c +142 -0
data/src/core/lib/iomgr/pollset_uv.h +42 -0
data/src/core/lib/iomgr/pollset_windows.c +5 -6
data/src/core/lib/iomgr/port.h +129 -0
data/src/core/lib/iomgr/resolve_address.h +2 -1
data/src/core/lib/iomgr/resolve_address_posix.c +14 -13
data/src/core/lib/iomgr/resolve_address_uv.c +233 -0
data/src/core/lib/iomgr/resolve_address_windows.c +14 -12
data/src/core/lib/iomgr/resource_quota.c +832 -0
data/src/core/lib/iomgr/resource_quota.h +159 -0
data/src/core/lib/iomgr/sockaddr.h +10 -2
data/src/core/lib/iomgr/sockaddr_utils.c +63 -36
data/src/core/lib/iomgr/sockaddr_utils.h +14 -14
data/src/core/lib/iomgr/socket_mutator.c +98 -0
data/src/core/lib/iomgr/socket_mutator.h +80 -0
data/src/core/lib/iomgr/socket_utils.h +42 -0
data/src/core/lib/iomgr/socket_utils_common_posix.c +28 -13
data/src/core/lib/iomgr/socket_utils_linux.c +11 -5
data/src/core/lib/iomgr/socket_utils_posix.c +10 -7
data/src/core/lib/iomgr/socket_utils_posix.h +11 -4
data/src/core/lib/iomgr/socket_utils_uv.c +49 -0
data/src/core/lib/iomgr/socket_utils_windows.c +52 -0
data/src/core/lib/iomgr/socket_windows.c +14 -6
data/src/core/lib/iomgr/socket_windows.h +1 -0
data/src/core/lib/iomgr/tcp_client.h +8 -2
data/src/core/lib/iomgr/tcp_client_posix.c +131 -82
data/src/core/lib/iomgr/tcp_client_posix.h +45 -0
data/src/core/lib/iomgr/tcp_client_uv.c +190 -0
data/src/core/lib/iomgr/tcp_client_windows.c +54 -30
data/src/core/lib/iomgr/tcp_posix.c +135 -56
data/src/core/lib/iomgr/tcp_posix.h +2 -2
data/src/core/lib/iomgr/tcp_server.h +14 -6
data/src/core/lib/iomgr/tcp_server_posix.c +154 -118
data/src/core/lib/iomgr/tcp_server_uv.c +388 -0
data/src/core/lib/iomgr/tcp_server_windows.c +127 -100
data/src/core/lib/iomgr/tcp_uv.c +367 -0
data/src/core/lib/iomgr/tcp_uv.h +59 -0
data/src/core/lib/iomgr/tcp_windows.c +65 -48
data/src/core/lib/iomgr/tcp_windows.h +3 -1
data/src/core/lib/iomgr/timer.h +21 -21
data/src/core/lib/iomgr/{timer.c → timer_generic.c} +15 -10
data/src/core/lib/iomgr/timer_generic.h +49 -0
data/src/core/lib/iomgr/timer_heap.c +6 -0
data/src/core/lib/iomgr/timer_uv.c +99 -0
data/src/core/lib/iomgr/timer_uv.h +47 -0
data/src/core/lib/iomgr/udp_server.c +116 -98
data/src/core/lib/iomgr/udp_server.h +5 -3
data/src/core/lib/iomgr/unix_sockets_posix.c +14 -6
data/src/core/lib/iomgr/unix_sockets_posix.h +6 -5
data/src/core/lib/iomgr/unix_sockets_posix_noop.c +4 -4
data/src/core/lib/iomgr/wakeup_fd_cv.c +118 -0
data/src/core/lib/iomgr/wakeup_fd_cv.h +80 -0
data/src/core/lib/iomgr/wakeup_fd_eventfd.c +3 -3
data/src/core/lib/iomgr/wakeup_fd_nospecial.c +3 -3
data/src/core/lib/iomgr/wakeup_fd_pipe.c +12 -6
data/src/core/lib/iomgr/wakeup_fd_posix.c +34 -5
data/src/core/lib/iomgr/wakeup_fd_posix.h +5 -0
data/src/core/lib/iomgr/workqueue.h +12 -20
data/src/core/{ext/client_config/client_config.c → lib/iomgr/workqueue_uv.c} +24 -33
data/{include/grpc/support/slice.h → src/core/lib/iomgr/workqueue_uv.h} +4 -6
data/src/core/lib/iomgr/workqueue_windows.c +9 -8
data/src/core/lib/json/json.c +3 -3
data/src/core/lib/json/json.h +11 -11
data/src/core/lib/json/json_reader.c +9 -5
data/src/core/lib/profiling/basic_timers.c +10 -1
data/src/core/lib/profiling/timers.h +2 -0
data/src/core/lib/security/context/security_context.c +13 -3
data/src/core/lib/security/context/security_context.h +20 -0
data/src/core/lib/security/credentials/composite/composite_credentials.c +28 -14
data/src/core/lib/security/credentials/composite/composite_credentials.h +2 -2
data/src/core/lib/security/credentials/credentials.c +48 -19
data/src/core/lib/security/credentials/credentials.h +36 -19
data/src/core/lib/security/credentials/credentials_metadata.c +11 -8
data/src/core/lib/security/credentials/fake/fake_credentials.c +15 -11
data/src/core/lib/security/credentials/google_default/{credentials_posix.c → credentials_generic.c} +7 -14
data/src/core/lib/security/credentials/google_default/google_default_credentials.c +33 -21
data/src/core/lib/security/credentials/google_default/google_default_credentials.h +14 -0
data/src/core/lib/security/credentials/iam/iam_credentials.c +3 -2
data/src/core/lib/security/credentials/jwt/json_token.c +1 -0
data/src/core/lib/security/credentials/jwt/json_token.h +1 -1
data/src/core/lib/security/credentials/jwt/jwt_credentials.c +54 -19
data/src/core/lib/security/credentials/jwt/jwt_credentials.h +2 -1
data/src/core/lib/security/credentials/jwt/jwt_verifier.c +129 -79
data/src/core/lib/security/credentials/jwt/jwt_verifier.h +9 -6
data/src/core/lib/security/credentials/oauth2/oauth2_credentials.c +63 -28
data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +1 -1
data/src/core/lib/security/credentials/plugin/plugin_credentials.c +32 -11
data/src/core/lib/security/credentials/ssl/ssl_credentials.c +13 -9
data/src/core/lib/security/transport/client_auth_filter.c +33 -27
data/src/core/lib/security/transport/secure_endpoint.c +93 -68
data/src/core/lib/security/transport/secure_endpoint.h +2 -2
data/src/core/lib/security/transport/security_connector.c +133 -168
data/src/core/lib/security/transport/security_connector.h +31 -46
data/src/core/lib/security/transport/security_handshaker.c +501 -0
data/src/core/lib/security/transport/{handshake.h → security_handshaker.h} +10 -10
data/src/core/lib/security/transport/server_auth_filter.c +50 -38
data/src/core/lib/security/util/b64.c +11 -8
data/src/core/lib/security/util/b64.h +5 -4
data/src/core/lib/slice/percent_encoding.c +182 -0
data/src/core/lib/slice/percent_encoding.h +78 -0
data/src/core/lib/{support → slice}/slice.c +81 -50
data/src/core/lib/{support → slice}/slice_buffer.c +78 -60
data/src/core/lib/slice/slice_internal.h +49 -0
data/src/core/lib/slice/slice_string_helpers.c +90 -0
data/src/core/lib/{iomgr/workqueue_posix.h → slice/slice_string_helpers.h} +18 -18
data/src/core/lib/support/backoff.c +24 -13
data/src/core/lib/support/backoff.h +5 -2
data/src/core/lib/support/env.h +0 -2
data/src/core/lib/support/log.c +5 -4
data/src/core/lib/support/log_linux.c +0 -1
data/src/core/lib/support/log_posix.c +1 -1
data/src/core/lib/support/mpscq.c +83 -0
data/src/core/lib/support/mpscq.h +65 -0
data/src/core/lib/support/string.c +58 -49
data/src/core/lib/support/string.h +11 -8
data/src/core/lib/support/subprocess_posix.c +5 -2
data/src/core/lib/support/thd.c +1 -1
data/src/core/lib/support/time.c +43 -79
data/src/core/lib/support/time_posix.c +1 -1
data/src/core/lib/support/tmpfile.h +0 -2
data/src/core/lib/surface/alarm.c +4 -1
data/src/core/lib/surface/byte_buffer.c +17 -11
data/src/core/lib/surface/byte_buffer_reader.c +23 -15
data/src/core/lib/surface/call.c +294 -276
data/src/core/lib/surface/call.h +24 -9
data/src/core/lib/surface/call_log_batch.c +5 -3
data/src/core/lib/surface/channel.c +127 -111
data/src/core/lib/surface/channel.h +14 -5
data/src/core/lib/surface/channel_init.c +1 -1
data/src/core/lib/surface/channel_init.h +10 -1
data/src/core/lib/surface/channel_ping.c +7 -6
data/src/core/lib/surface/completion_queue.c +154 -18
data/src/core/lib/surface/completion_queue.h +5 -0
data/src/core/lib/surface/init.c +40 -6
data/src/core/lib/surface/init.h +1 -0
data/src/core/lib/surface/init_secure.c +5 -2
data/src/core/lib/surface/lame_client.c +28 -18
data/src/core/lib/surface/server.c +134 -87
data/src/core/lib/surface/server.h +8 -0
data/src/core/lib/surface/validate_metadata.c +1 -1
data/src/core/lib/surface/version.c +3 -1
data/src/core/lib/transport/byte_stream.c +7 -4
data/src/core/lib/transport/byte_stream.h +6 -10
data/src/core/lib/transport/connectivity_state.c +21 -12
data/src/core/lib/transport/connectivity_state.h +4 -1
data/src/core/lib/transport/mdstr_hash_table.c +118 -0
data/src/core/lib/transport/mdstr_hash_table.h +77 -0
data/src/core/lib/transport/metadata.c +83 -60
data/src/core/lib/transport/metadata.h +41 -23
data/src/core/lib/transport/metadata_batch.c +17 -11
data/src/core/lib/transport/metadata_batch.h +20 -6
data/src/core/lib/transport/pid_controller.c +57 -0
data/src/core/lib/transport/pid_controller.h +64 -0
data/src/core/lib/transport/service_config.c +251 -0
data/src/core/lib/transport/service_config.h +71 -0
data/src/core/lib/transport/static_metadata.c +18 -16
data/src/core/lib/transport/static_metadata.h +113 -107
data/src/core/{ext/transport/chttp2 → lib}/transport/timeout_encoding.c +3 -3
data/src/core/{ext/transport/chttp2 → lib}/transport/timeout_encoding.h +7 -7
data/src/core/lib/transport/transport.c +84 -23
data/src/core/lib/transport/transport.h +53 -8
data/src/core/lib/transport/transport_impl.h +3 -0
data/src/core/lib/transport/transport_op_string.c +92 -20
data/src/core/lib/tsi/ssl_transport_security.c +3 -1
data/src/core/plugin_registry/grpc_plugin_registry.c +8 -4
data/src/ruby/ext/grpc/extconf.rb +0 -1
data/src/ruby/ext/grpc/rb_byte_buffer.c +8 -7
data/src/ruby/ext/grpc/rb_call.c +15 -5
data/src/ruby/ext/grpc/rb_channel.c +1 -1
data/src/ruby/ext/grpc/rb_compression_options.c +466 -0
data/src/{core/ext/client_config/default_initial_connect_string.c → ruby/ext/grpc/rb_compression_options.h} +10 -5
data/src/ruby/ext/grpc/rb_grpc.c +3 -1
data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +198 -190
data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +306 -294
data/src/ruby/ext/grpc/rb_server.c +18 -12
data/src/ruby/lib/grpc/errors.rb +154 -2
data/src/ruby/lib/grpc/generic/active_call.rb +144 -63
data/src/ruby/lib/grpc/generic/bidi_call.rb +18 -2
data/src/ruby/lib/grpc/generic/client_stub.rb +7 -5
data/src/ruby/lib/grpc/generic/rpc_desc.rb +39 -13
data/src/ruby/lib/grpc/generic/rpc_server.rb +51 -24
data/src/ruby/lib/grpc/generic/service.rb +3 -2
data/src/ruby/lib/grpc/version.rb +1 -1
data/src/ruby/pb/grpc/health/checker.rb +3 -1
data/src/ruby/pb/src/proto/grpc/testing/test_services_pb.rb +7 -0
data/src/ruby/pb/test/client.rb +307 -7
data/src/ruby/pb/test/server.rb +26 -1
data/src/ruby/spec/compression_options_spec.rb +164 -0
data/src/ruby/spec/error_sanity_spec.rb +64 -0
data/src/ruby/spec/generic/active_call_spec.rb +290 -12
data/src/ruby/spec/generic/client_stub_spec.rb +91 -41
data/src/ruby/spec/generic/rpc_desc_spec.rb +36 -16
data/src/ruby/spec/generic/rpc_server_pool_spec.rb +22 -28
data/src/ruby/spec/generic/rpc_server_spec.rb +6 -6
data/src/ruby/spec/pb/health/checker_spec.rb +27 -19
data/src/ruby/spec/spec_helper.rb +2 -0
data/third_party/boringssl/crypto/aes/aes.c +12 -12
data/third_party/boringssl/crypto/aes/mode_wrappers.c +6 -2
data/third_party/boringssl/crypto/asn1/a_d2i_fp.c +28 -13
data/third_party/boringssl/crypto/asn1/a_gentm.c +2 -0
data/third_party/boringssl/crypto/asn1/a_object.c +7 -3
data/third_party/boringssl/crypto/asn1/a_strnid.c +1 -0
data/third_party/boringssl/crypto/asn1/a_time.c +0 -11
data/third_party/boringssl/crypto/asn1/a_type.c +0 -2
data/third_party/boringssl/crypto/asn1/a_utctm.c +1 -30
data/third_party/boringssl/crypto/asn1/asn1_lib.c +56 -76
data/third_party/boringssl/crypto/asn1/asn1_locl.h +0 -10
data/third_party/boringssl/crypto/asn1/asn1_par.c +0 -322
data/third_party/boringssl/crypto/asn1/f_enum.c +1 -108
data/third_party/boringssl/crypto/asn1/f_int.c +1 -106
data/third_party/boringssl/crypto/asn1/f_string.c +1 -106
data/third_party/boringssl/crypto/asn1/tasn_dec.c +10 -14
data/third_party/boringssl/crypto/asn1/tasn_enc.c +17 -11
data/third_party/boringssl/crypto/asn1/tasn_typ.c +29 -42
data/third_party/boringssl/crypto/asn1/tasn_utl.c +1 -1
data/third_party/boringssl/crypto/base64/base64.c +249 -285
data/third_party/boringssl/crypto/bio/bio.c +13 -23
data/third_party/boringssl/crypto/bio/bio_mem.c +3 -2
data/third_party/boringssl/crypto/bio/connect.c +12 -3
data/third_party/boringssl/crypto/bio/fd.c +22 -15
data/third_party/boringssl/crypto/bio/file.c +2 -38
data/third_party/boringssl/crypto/bio/hexdump.c +1 -2
data/third_party/boringssl/crypto/bio/internal.h +3 -0
data/third_party/boringssl/crypto/bio/pair.c +1 -1
data/third_party/boringssl/crypto/bio/socket.c +10 -2
data/third_party/boringssl/crypto/bio/socket_helper.c +2 -2
data/third_party/boringssl/crypto/bn/asm/x86_64-gcc.c +0 -8
data/third_party/boringssl/crypto/bn/bn.c +38 -0
data/third_party/boringssl/crypto/bn/cmp.c +25 -0
data/third_party/boringssl/crypto/bn/convert.c +73 -76
data/third_party/boringssl/crypto/bn/div.c +136 -70
data/third_party/boringssl/crypto/bn/exponentiation.c +86 -381
data/third_party/boringssl/crypto/bn/gcd.c +213 -296
data/third_party/boringssl/crypto/bn/generic.c +0 -80
data/third_party/boringssl/crypto/bn/internal.h +15 -3
data/third_party/boringssl/crypto/bn/montgomery.c +57 -207
data/third_party/boringssl/crypto/bn/montgomery_inv.c +160 -0
data/third_party/boringssl/crypto/bn/mul.c +2 -1
data/third_party/boringssl/crypto/bn/prime.c +24 -8
data/third_party/boringssl/crypto/bn/random.c +47 -33
data/third_party/boringssl/crypto/bn/sqrt.c +4 -5
data/third_party/boringssl/crypto/buf/buf.c +25 -21
data/third_party/boringssl/crypto/bytestring/ber.c +1 -0
data/third_party/boringssl/crypto/bytestring/cbb.c +50 -22
data/third_party/boringssl/crypto/bytestring/cbs.c +28 -4
data/third_party/boringssl/crypto/chacha/{chacha_generic.c → chacha.c} +56 -29
data/third_party/boringssl/crypto/cipher/aead.c +11 -22
data/third_party/boringssl/crypto/cipher/cipher.c +2 -2
data/third_party/boringssl/crypto/cipher/e_aes.c +53 -103
data/third_party/boringssl/crypto/cipher/e_chacha20poly1305.c +2 -8
data/third_party/boringssl/crypto/cipher/e_des.c +3 -5
data/third_party/boringssl/crypto/cipher/e_null.c +1 -1
data/third_party/boringssl/crypto/cipher/e_rc2.c +1 -1
data/third_party/boringssl/crypto/cipher/e_rc4.c +1 -1
data/third_party/boringssl/crypto/cipher/e_ssl3.c +3 -63
data/third_party/boringssl/crypto/cipher/e_tls.c +12 -83
data/third_party/boringssl/crypto/cipher/internal.h +8 -10
data/third_party/boringssl/crypto/cipher/tls_cbc.c +69 -40
data/third_party/boringssl/crypto/conf/conf.c +2 -1
data/third_party/boringssl/crypto/cpu-aarch64-linux.c +61 -0
data/third_party/boringssl/crypto/cpu-arm-linux.c +360 -0
data/third_party/boringssl/crypto/cpu-arm.c +0 -161
data/third_party/boringssl/crypto/cpu-intel.c +5 -3
data/third_party/boringssl/{ssl/test/scoped_types.h → crypto/cpu-ppc64le.c} +21 -9
data/third_party/boringssl/crypto/crypto.c +29 -7
data/third_party/boringssl/crypto/curve25519/curve25519.c +284 -242
data/third_party/boringssl/crypto/curve25519/internal.h +64 -0
data/third_party/boringssl/crypto/curve25519/spake25519.c +464 -0
data/third_party/boringssl/crypto/curve25519/x25519-x86_64.c +21 -0
data/third_party/boringssl/crypto/dh/check.c +22 -6
data/third_party/boringssl/crypto/dh/dh.c +45 -21
data/third_party/boringssl/crypto/dh/dh_asn1.c +96 -20
data/third_party/boringssl/crypto/dh/params.c +30 -78
data/third_party/boringssl/crypto/digest/digest.c +3 -3
data/third_party/boringssl/crypto/dsa/dsa.c +59 -29
data/third_party/boringssl/crypto/dsa/dsa_asn1.c +4 -0
data/third_party/boringssl/crypto/ec/ec.c +84 -140
data/third_party/boringssl/crypto/ec/ec_asn1.c +82 -52
data/third_party/boringssl/crypto/ec/ec_key.c +15 -15
data/third_party/boringssl/crypto/ec/ec_montgomery.c +87 -50
data/third_party/boringssl/crypto/ec/internal.h +12 -36
data/third_party/boringssl/crypto/ec/oct.c +11 -11
data/third_party/boringssl/crypto/ec/p224-64.c +59 -116
data/third_party/boringssl/crypto/ec/p256-64.c +88 -163
data/third_party/boringssl/crypto/ec/p256-x86_64.c +46 -58
data/third_party/boringssl/crypto/ec/simple.c +81 -201
data/third_party/boringssl/crypto/ec/util-64.c +0 -74
data/third_party/boringssl/crypto/ecdh/ecdh.c +7 -1
data/third_party/boringssl/crypto/ecdsa/ecdsa.c +28 -46
data/third_party/boringssl/crypto/ecdsa/ecdsa_asn1.c +1 -0
data/third_party/boringssl/crypto/engine/engine.c +1 -1
data/third_party/boringssl/crypto/err/err.c +3 -3
data/third_party/boringssl/crypto/evp/evp.c +14 -59
data/third_party/boringssl/crypto/evp/evp_asn1.c +144 -87
data/third_party/boringssl/crypto/evp/evp_ctx.c +7 -7
data/third_party/boringssl/crypto/evp/internal.h +4 -46
data/third_party/boringssl/crypto/evp/p_dsa_asn1.c +8 -157
data/third_party/boringssl/crypto/evp/p_ec.c +1 -1
data/third_party/boringssl/crypto/evp/p_ec_asn1.c +22 -170
data/third_party/boringssl/crypto/evp/p_rsa.c +1 -1
data/third_party/boringssl/crypto/evp/p_rsa_asn1.c +10 -548
data/third_party/boringssl/crypto/evp/print.c +520 -0
data/third_party/boringssl/crypto/ex_data.c +4 -6
data/third_party/boringssl/crypto/hkdf/hkdf.c +38 -17
data/third_party/boringssl/crypto/hmac/hmac.c +6 -6
data/third_party/boringssl/crypto/internal.h +57 -77
data/third_party/boringssl/crypto/lhash/lhash.c +6 -10
data/third_party/boringssl/crypto/md4/md4.c +9 -0
data/third_party/boringssl/crypto/mem.c +19 -19
data/third_party/boringssl/crypto/modes/cfb.c +5 -6
data/third_party/boringssl/crypto/modes/ctr.c +10 -18
data/third_party/boringssl/crypto/modes/gcm.c +100 -66
data/third_party/boringssl/crypto/modes/internal.h +15 -27
data/third_party/boringssl/crypto/modes/ofb.c +9 -22
data/third_party/boringssl/crypto/newhope/error_correction.c +131 -0
data/third_party/boringssl/crypto/newhope/internal.h +71 -0
data/third_party/boringssl/crypto/newhope/newhope.c +174 -0
data/third_party/boringssl/crypto/newhope/ntt.c +148 -0
data/third_party/boringssl/crypto/newhope/poly.c +183 -0
data/third_party/boringssl/crypto/newhope/precomp.c +306 -0
data/third_party/boringssl/crypto/newhope/reduce.c +42 -0
data/third_party/boringssl/crypto/obj/obj.c +111 -135
data/third_party/boringssl/crypto/obj/obj_dat.h +4 -10
data/third_party/boringssl/crypto/pem/pem_lib.c +6 -43
data/third_party/boringssl/crypto/pem/pem_pkey.c +10 -19
data/third_party/boringssl/crypto/pkcs8/p5_pbe.c +1 -0
data/third_party/boringssl/crypto/pkcs8/p5_pbev2.c +2 -1
data/third_party/boringssl/crypto/pkcs8/p8_pkey.c +2 -2
data/third_party/boringssl/crypto/pkcs8/pkcs8.c +95 -87
data/third_party/boringssl/crypto/{test/test_util.h → poly1305/internal.h} +15 -10
data/third_party/boringssl/crypto/poly1305/poly1305.c +8 -15
data/third_party/boringssl/crypto/poly1305/poly1305_arm.c +1 -0
data/third_party/boringssl/crypto/poly1305/poly1305_vec.c +3 -3
data/third_party/boringssl/crypto/rand/deterministic.c +47 -0
data/third_party/boringssl/crypto/rand/rand.c +4 -1
data/third_party/boringssl/crypto/rand/urandom.c +5 -7
data/third_party/boringssl/crypto/rand/windows.c +5 -8
data/third_party/boringssl/crypto/rc4/rc4.c +24 -209
data/third_party/boringssl/crypto/refcount_lock.c +2 -2
data/third_party/boringssl/crypto/rsa/blinding.c +74 -232
data/third_party/boringssl/crypto/rsa/internal.h +5 -13
data/third_party/boringssl/crypto/rsa/padding.c +64 -63
data/third_party/boringssl/crypto/rsa/rsa.c +50 -28
data/third_party/boringssl/crypto/rsa/rsa_asn1.c +8 -16
data/third_party/boringssl/crypto/rsa/rsa_impl.c +134 -122
data/third_party/boringssl/crypto/sha/sha256.c +2 -2
data/third_party/boringssl/crypto/sha/sha512.c +7 -7
data/third_party/boringssl/crypto/stack/stack.c +13 -22
data/third_party/boringssl/crypto/thread.c +21 -12
data/third_party/boringssl/crypto/thread_none.c +6 -2
data/third_party/boringssl/crypto/thread_pthread.c +16 -7
data/third_party/boringssl/crypto/thread_win.c +38 -85
data/third_party/boringssl/crypto/x509/a_sign.c +3 -3
data/third_party/boringssl/crypto/x509/a_strex.c +1 -1
data/third_party/boringssl/crypto/x509/a_verify.c +2 -2
data/third_party/boringssl/crypto/{evp → x509}/algorithm.c +37 -53
data/third_party/boringssl/crypto/x509/asn1_gen.c +1 -2
data/third_party/boringssl/crypto/x509/by_dir.c +6 -6
data/third_party/boringssl/crypto/x509/internal.h +66 -0
data/third_party/boringssl/crypto/x509/rsa_pss.c +385 -0
data/third_party/boringssl/crypto/x509/t_x509.c +10 -12
data/third_party/boringssl/crypto/x509/x509.c +5 -0
data/third_party/boringssl/crypto/x509/x509_att.c +9 -3
data/third_party/boringssl/crypto/x509/x509_lu.c +34 -44
data/third_party/boringssl/crypto/x509/x509_obj.c +19 -2
data/third_party/boringssl/crypto/x509/x509_r2x.c +9 -5
data/third_party/boringssl/crypto/x509/x509_set.c +5 -0
data/third_party/boringssl/crypto/x509/x509_txt.c +5 -0
data/third_party/boringssl/crypto/x509/x509_vfy.c +63 -32
data/third_party/boringssl/crypto/x509/x509_vpm.c +29 -18
data/third_party/boringssl/crypto/x509/x509cset.c +2 -1
data/third_party/boringssl/crypto/x509/x_crl.c +2 -2
data/third_party/boringssl/crypto/x509/x_name.c +14 -17
data/third_party/boringssl/crypto/x509/x_pubkey.c +10 -7
data/third_party/boringssl/crypto/x509/x_x509.c +67 -6
data/third_party/boringssl/crypto/x509v3/pcy_cache.c +2 -2
data/third_party/boringssl/crypto/x509v3/pcy_tree.c +2 -1
data/third_party/boringssl/crypto/x509v3/v3_conf.c +4 -3
data/third_party/boringssl/crypto/x509v3/v3_cpols.c +5 -0
data/third_party/boringssl/crypto/x509v3/v3_prn.c +0 -3
data/third_party/boringssl/crypto/x509v3/v3_purp.c +2 -2
data/third_party/boringssl/crypto/x509v3/v3_utl.c +2 -1
data/third_party/boringssl/include/openssl/aead.h +72 -73
data/third_party/boringssl/include/openssl/arm_arch.h +0 -6
data/third_party/boringssl/include/openssl/asn1.h +103 -235
data/third_party/boringssl/include/openssl/asn1_mac.h +17 -74
data/third_party/boringssl/include/openssl/asn1t.h +1 -11
data/third_party/boringssl/include/openssl/base.h +145 -3
data/third_party/boringssl/include/openssl/base64.h +20 -17
data/third_party/boringssl/include/openssl/bio.h +59 -34
data/third_party/boringssl/include/openssl/bn.h +118 -51
data/third_party/boringssl/include/openssl/buf.h +15 -0
data/third_party/boringssl/include/openssl/bytestring.h +52 -4
data/third_party/boringssl/include/openssl/chacha.h +2 -2
data/third_party/boringssl/include/openssl/cipher.h +18 -1
data/third_party/boringssl/include/openssl/cmac.h +11 -0
data/third_party/boringssl/include/openssl/conf.h +13 -2
data/third_party/boringssl/include/openssl/cpu.h +20 -23
data/third_party/boringssl/include/openssl/crypto.h +22 -1
data/third_party/boringssl/include/openssl/curve25519.h +96 -4
data/third_party/boringssl/include/openssl/dh.h +71 -16
data/third_party/boringssl/include/openssl/digest.h +38 -11
data/third_party/boringssl/include/openssl/dsa.h +40 -4
data/third_party/boringssl/include/openssl/ec.h +44 -18
data/third_party/boringssl/include/openssl/ec_key.h +27 -6
data/third_party/boringssl/include/openssl/ecdsa.h +11 -0
data/third_party/boringssl/include/openssl/engine.h +11 -0
data/third_party/boringssl/include/openssl/evp.h +52 -88
data/third_party/boringssl/include/openssl/hkdf.h +24 -4
data/third_party/boringssl/include/openssl/hmac.h +20 -6
data/third_party/boringssl/include/openssl/md4.h +4 -0
data/third_party/boringssl/include/openssl/mem.h +19 -0
data/third_party/boringssl/include/openssl/newhope.h +158 -0
data/third_party/boringssl/include/openssl/nid.h +4166 -0
data/third_party/boringssl/include/openssl/obj.h +31 -3
data/third_party/boringssl/include/openssl/obj_mac.h +17 -4143
data/third_party/boringssl/include/openssl/{opensslfeatures.h → opensslconf.h} +3 -3
data/third_party/boringssl/include/openssl/pem.h +5 -0
data/third_party/boringssl/include/openssl/pkcs8.h +12 -0
data/third_party/boringssl/include/openssl/rand.h +6 -0
data/third_party/boringssl/include/openssl/rc4.h +6 -0
data/third_party/boringssl/{crypto/dh/internal.h → include/openssl/ripemd.h} +38 -11
data/third_party/boringssl/include/openssl/rsa.h +127 -65
data/third_party/boringssl/include/openssl/sha.h +14 -10
data/third_party/boringssl/include/openssl/ssl.h +561 -275
data/third_party/boringssl/include/openssl/ssl3.h +18 -25
data/third_party/boringssl/include/openssl/stack.h +2 -4
data/third_party/boringssl/include/openssl/stack_macros.h +321 -353
data/third_party/boringssl/include/openssl/thread.h +31 -13
data/third_party/boringssl/include/openssl/time_support.h +1 -0
data/third_party/boringssl/include/openssl/tls1.h +37 -33
data/third_party/boringssl/include/openssl/x509.h +69 -26
data/third_party/boringssl/include/openssl/x509_vfy.h +12 -10
data/third_party/boringssl/include/openssl/x509v3.h +23 -2
data/third_party/boringssl/ssl/custom_extensions.c +3 -5
data/third_party/boringssl/ssl/d1_both.c +463 -499
data/third_party/boringssl/ssl/d1_lib.c +38 -109
data/third_party/boringssl/ssl/d1_pkt.c +173 -334
data/third_party/boringssl/ssl/d1_srtp.c +20 -18
data/third_party/boringssl/ssl/{d1_meth.c → dtls_method.c} +88 -15
data/third_party/boringssl/ssl/dtls_record.c +27 -26
data/third_party/boringssl/ssl/{s3_clnt.c → handshake_client.c} +816 -904
data/third_party/boringssl/ssl/handshake_server.c +1932 -0
data/third_party/boringssl/ssl/internal.h +712 -439
data/third_party/boringssl/ssl/s3_both.c +445 -257
data/third_party/boringssl/ssl/s3_enc.c +53 -36
data/third_party/boringssl/ssl/s3_lib.c +23 -268
data/third_party/boringssl/ssl/s3_pkt.c +168 -364
data/third_party/boringssl/ssl/ssl_aead_ctx.c +46 -17
data/third_party/boringssl/ssl/ssl_asn1.c +56 -26
data/third_party/boringssl/ssl/ssl_buffer.c +16 -24
data/third_party/boringssl/ssl/ssl_cert.c +324 -49
data/third_party/boringssl/ssl/ssl_cipher.c +205 -150
data/third_party/boringssl/ssl/ssl_ecdh.c +287 -51
data/third_party/boringssl/ssl/ssl_file.c +21 -68
data/third_party/boringssl/ssl/ssl_lib.c +881 -510
data/third_party/boringssl/ssl/ssl_rsa.c +404 -34
data/third_party/boringssl/ssl/ssl_session.c +324 -103
data/third_party/boringssl/ssl/ssl_stat.c +6 -88
data/third_party/boringssl/ssl/t1_enc.c +23 -39
data/third_party/boringssl/ssl/t1_lib.c +1120 -622
data/third_party/boringssl/ssl/tls13_both.c +440 -0
data/third_party/boringssl/ssl/tls13_client.c +682 -0
data/third_party/boringssl/ssl/tls13_enc.c +391 -0
data/third_party/boringssl/ssl/tls13_server.c +672 -0
data/third_party/boringssl/ssl/{s3_meth.c → tls_method.c} +100 -21
data/third_party/boringssl/ssl/tls_record.c +159 -77
data/third_party/nanopb/pb.h +60 -28
data/third_party/nanopb/pb_decode.c +120 -92
data/third_party/nanopb/pb_decode.h +3 -3
data/third_party/nanopb/pb_encode.c +73 -67
data/third_party/nanopb/pb_encode.h +4 -4
metadata +155 -89
data/include/grpc/impl/codegen/byte_buffer.h +0 -122
data/include/grpc/impl/codegen/log.h +0 -118
data/include/grpc/impl/codegen/time.h +0 -130
data/src/core/ext/client_config/client_channel.c +0 -593
data/src/core/ext/client_config/subchannel_call_holder.c +0 -272
data/src/core/ext/client_config/subchannel_call_holder.h +0 -99
data/src/core/lib/iomgr/ev_poll_and_epoll_posix.c +0 -2046
data/src/core/lib/iomgr/workqueue_posix.c +0 -151
data/src/core/lib/security/transport/handshake.c +0 -368
data/third_party/boringssl/crypto/asn1/a_bytes.c +0 -308
data/third_party/boringssl/crypto/asn1/bio_asn1.c +0 -477
data/third_party/boringssl/crypto/asn1/bio_ndef.c +0 -251
data/third_party/boringssl/crypto/asn1/t_pkey.c +0 -110
data/third_party/boringssl/crypto/asn1/tasn_prn.c +0 -596
data/third_party/boringssl/crypto/chacha/chacha_vec.c +0 -328
data/third_party/boringssl/crypto/directory.h +0 -66
data/third_party/boringssl/crypto/directory_posix.c +0 -108
data/third_party/boringssl/crypto/directory_win.c +0 -144
data/third_party/boringssl/crypto/test/scoped_types.h +0 -140
data/third_party/boringssl/include/openssl/pqueue.h +0 -146
data/third_party/boringssl/ssl/d1_clnt.c +0 -561
data/third_party/boringssl/ssl/d1_srvr.c +0 -476
data/third_party/boringssl/ssl/pqueue/pqueue.c +0 -197
data/third_party/boringssl/ssl/s3_srvr.c +0 -2272
data/third_party/boringssl/ssl/test/async_bio.h +0 -45
data/third_party/boringssl/ssl/test/packeted_bio.h +0 -44
data/third_party/boringssl/ssl/test/test_config.h +0 -110

data/third_party/boringssl/ssl/d1_srtp.c CHANGED

@@ -116,17 +116,15 @@
 #include <openssl/ssl.h>
-#include <stdio.h>
 #include <string.h>
 #include <openssl/bytestring.h>
 #include <openssl/err.h>
-#include <openssl/obj.h>
 #include "internal.h"
-const SRTP_PROTECTION_PROFILE kSRTPProfiles[] = {
+static const SRTP_PROTECTION_PROFILE kSRTPProfiles[] = {
     {
         "SRTP_AES128_CM_SHA1_80", SRTP_AES128_CM_SHA1_80,
     },
@@ -162,27 +160,27 @@ static int find_profile_by_name(const char *profile_name,
 static int ssl_ctx_make_profiles(const char *profiles_string,
                                  STACK_OF(SRTP_PROTECTION_PROFILE) **out) {
-  STACK_OF(SRTP_PROTECTION_PROFILE) *profiles;
-  const char *col;
-  const char *ptr = profiles_string;
-  profiles = sk_SRTP_PROTECTION_PROFILE_new_null();
+  STACK_OF(SRTP_PROTECTION_PROFILE) *profiles =
+      sk_SRTP_PROTECTION_PROFILE_new_null();
   if (profiles == NULL) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES);
     return 0;
   }
+  const char *col;
+  const char *ptr = profiles_string;
   do {
-    const SRTP_PROTECTION_PROFILE *p;
     col = strchr(ptr, ':');
-    if (find_profile_by_name(ptr, &p,
-                             col ? (size_t)(col - ptr) : strlen(ptr))) {
-      sk_SRTP_PROTECTION_PROFILE_push(profiles, p);
-    } else {
+    const SRTP_PROTECTION_PROFILE *profile;
+    if (!find_profile_by_name(ptr, &profile,
+                              col ? (size_t)(col - ptr) : strlen(ptr))) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
-      return 0;
+      goto err;
+    }
+    if (!sk_SRTP_PROTECTION_PROFILE_push(profiles, profile)) {
+      goto err;
     }
     if (col) {
@@ -190,9 +188,13 @@ static int ssl_ctx_make_profiles(const char *profiles_string,
     }
   } while (col);
+  sk_SRTP_PROTECTION_PROFILE_free(*out);
   *out = profiles;
   return 1;
+err:
+  sk_SRTP_PROTECTION_PROFILE_free(profiles);
+  return 0;
 }
 int SSL_CTX_set_srtp_profiles(SSL_CTX *ctx, const char *profiles) {
@@ -212,7 +214,7 @@ STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(SSL *ssl) {
     return ssl->srtp_profiles;
   }
-  if (ssl->ctx != NULL && ssl->ctx->srtp_profiles != NULL) {
+  if (ssl->ctx->srtp_profiles != NULL) {
     return ssl->ctx->srtp_profiles;
   }

data/third_party/boringssl/ssl/{d1_meth.c → dtls_method.c} RENAMED

@@ -56,51 +56,124 @@
 #include <openssl/ssl.h>
+#include <assert.h>
+#include <string.h>
+#include <openssl/buf.h>
+#include <openssl/err.h>
 #include "internal.h"
-static const SSL_PROTOCOL_METHOD DTLS_protocol_method = {
+static int dtls1_version_from_wire(uint16_t *out_version,
+                                   uint16_t wire_version) {
+  switch (wire_version) {
+    case DTLS1_VERSION:
+      /* DTLS 1.0 maps to TLS 1.1, not TLS 1.0. */
+      *out_version = TLS1_1_VERSION;
+      return 1;
+    case DTLS1_2_VERSION:
+      *out_version = TLS1_2_VERSION;
+      return 1;
+  }
+  return 0;
+}
+static uint16_t dtls1_version_to_wire(uint16_t version) {
+  switch (version) {
+    case TLS1_1_VERSION:
+      /* DTLS 1.0 maps to TLS 1.1, not TLS 1.0. */
+      return DTLS1_VERSION;
+    case TLS1_2_VERSION:
+      return DTLS1_2_VERSION;
+  }
+  /* It is an error to use this function with an invalid version. */
+  assert(0);
+  return 0;
+}
+static int dtls1_set_read_state(SSL *ssl, SSL_AEAD_CTX *aead_ctx) {
+  /* Cipher changes are illegal when there are buffered incoming messages. */
+  if (dtls_has_incoming_messages(ssl)) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE);
+    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
+    SSL_AEAD_CTX_free(aead_ctx);
+    return 0;
+  }
+  ssl->d1->r_epoch++;
+  memset(&ssl->d1->bitmap, 0, sizeof(ssl->d1->bitmap));
+  memset(ssl->s3->read_sequence, 0, sizeof(ssl->s3->read_sequence));
+  SSL_AEAD_CTX_free(ssl->s3->aead_read_ctx);
+  ssl->s3->aead_read_ctx = aead_ctx;
+  return 1;
+}
+static int dtls1_set_write_state(SSL *ssl, SSL_AEAD_CTX *aead_ctx) {
+  ssl->d1->w_epoch++;
+  memcpy(ssl->d1->last_write_sequence, ssl->s3->write_sequence,
+         sizeof(ssl->s3->write_sequence));
+  memset(ssl->s3->write_sequence, 0, sizeof(ssl->s3->write_sequence));
+  SSL_AEAD_CTX_free(ssl->s3->aead_write_ctx);
+  ssl->s3->aead_write_ctx = aead_ctx;
+  return 1;
+}
+static const SSL_PROTOCOL_METHOD kDTLSProtocolMethod = {
     1 /* is_dtls */,
+    TLS1_1_VERSION,
+    TLS1_2_VERSION,
+    dtls1_version_from_wire,
+    dtls1_version_to_wire,
     dtls1_new,
     dtls1_free,
-    dtls1_accept,
-    dtls1_connect,
     dtls1_get_message,
+    dtls1_hash_current_message,
+    dtls1_release_current_message,
     dtls1_read_app_data,
     dtls1_read_change_cipher_spec,
     dtls1_read_close_notify,
     dtls1_write_app_data,
     dtls1_dispatch_alert,
     dtls1_supports_cipher,
-    DTLS1_HM_HEADER_LENGTH,
-    dtls1_set_handshake_header,
-    dtls1_handshake_write,
+    dtls1_init_message,
+    dtls1_finish_message,
+    dtls1_write_message,
+    dtls1_send_change_cipher_spec,
+    dtls1_expect_flight,
+    dtls1_received_flight,
+    dtls1_set_read_state,
+    dtls1_set_write_state,
 };
 const SSL_METHOD *DTLS_method(void) {
-  static const SSL_METHOD method = {
+  static const SSL_METHOD kMethod = {
       0,
-      &DTLS_protocol_method,
+      &kDTLSProtocolMethod,
   };
-  return &method;
+  return &kMethod;
 }
 /* Legacy version-locked methods. */
 const SSL_METHOD *DTLSv1_2_method(void) {
-  static const SSL_METHOD method = {
+  static const SSL_METHOD kMethod = {
       DTLS1_2_VERSION,
-      &DTLS_protocol_method,
+      &kDTLSProtocolMethod,
   };
-  return &method;
+  return &kMethod;
 }
 const SSL_METHOD *DTLSv1_method(void) {
-  static const SSL_METHOD method = {
+  static const SSL_METHOD kMethod = {
       DTLS1_VERSION,
-      &DTLS_protocol_method,
+      &kDTLSProtocolMethod,
   };
-  return &method;
+  return &kMethod;
 }
 /* Legacy side-specific methods. */

data/third_party/boringssl/ssl/dtls_record.c CHANGED

@@ -118,6 +118,7 @@
 #include <openssl/err.h>
 #include "internal.h"
+#include "../crypto/internal.h"
 /* to_u64_be treats |in| as a 8-byte big-endian integer and returns the value as
@@ -171,10 +172,12 @@ static void dtls1_bitmap_record(DTLS1_BITMAP *bitmap,
   }
 }
-enum ssl_open_record_t dtls_open_record(
-    SSL *ssl, uint8_t *out_type, uint8_t *out, size_t *out_len,
-    size_t *out_consumed, uint8_t *out_alert, size_t max_out, const uint8_t *in,
-    size_t in_len) {
+enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, CBS *out,
+                                        size_t *out_consumed,
+                                        uint8_t *out_alert, uint8_t *in,
+                                        size_t in_len) {
+  *out_consumed = 0;
   CBS cbs;
   CBS_init(&cbs, in, in_len);
@@ -195,10 +198,8 @@ enum ssl_open_record_t dtls_open_record(
     return ssl_open_record_discard;
   }
-  if (ssl->msg_callback != NULL) {
-    ssl->msg_callback(0 /* read */, 0, SSL3_RT_HEADER, in,
-                      DTLS1_RT_HEADER_LENGTH, ssl, ssl->msg_callback_arg);
-  }
+  ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HEADER, in,
+                      DTLS1_RT_HEADER_LENGTH);
   uint16_t epoch = (((uint16_t)sequence[0]) << 8) | sequence[1];
   if (epoch != ssl->d1->r_epoch ||
@@ -211,11 +212,9 @@ enum ssl_open_record_t dtls_open_record(
     return ssl_open_record_discard;
   }
-  /* Decrypt the body. */
-  size_t plaintext_len;
-  if (!SSL_AEAD_CTX_open(ssl->s3->aead_read_ctx, out, &plaintext_len, max_out,
-                         type, version, sequence, CBS_data(&body),
-                         CBS_len(&body))) {
+  /* Decrypt the body in-place. */
+  if (!SSL_AEAD_CTX_open(ssl->s3->aead_read_ctx, out, type, version, sequence,
+                         (uint8_t *)CBS_data(&body), CBS_len(&body))) {
     /* Bad packets are silently dropped in DTLS. See section 4.2.1 of RFC 6347.
      * Clear the error queue of any errors decryption may have added. Drop the
      * entire packet as it must not have come from the peer.
@@ -226,9 +225,10 @@ enum ssl_open_record_t dtls_open_record(
     *out_consumed = in_len - CBS_len(&cbs);
     return ssl_open_record_discard;
   }
+  *out_consumed = in_len - CBS_len(&cbs);
   /* Check the plaintext length. */
-  if (plaintext_len > SSL3_RT_MAX_PLAIN_LENGTH) {
+  if (CBS_len(out) > SSL3_RT_MAX_PLAIN_LENGTH) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
     *out_alert = SSL_AD_RECORD_OVERFLOW;
     return ssl_open_record_error;
@@ -239,15 +239,24 @@ enum ssl_open_record_t dtls_open_record(
   /* TODO(davidben): Limit the number of empty records as in TLS? This is only
    * useful if we also limit discarded packets. */
+  if (type == SSL3_RT_ALERT) {
+    return ssl_process_alert(ssl, out_alert, CBS_data(out), CBS_len(out));
+  }
+  ssl->s3->warning_alert_count = 0;
   *out_type = type;
-  *out_len = plaintext_len;
-  *out_consumed = in_len - CBS_len(&cbs);
   return ssl_open_record_success;
 }
 int dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
                      uint8_t type, const uint8_t *in, size_t in_len,
                      enum dtls1_use_epoch_t use_epoch) {
+  if (buffers_alias(in, in_len, out, max_out)) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT);
+    return 0;
+  }
   /* Determine the parameters for the current epoch. */
   uint16_t epoch = ssl->d1->w_epoch;
   SSL_AEAD_CTX *aead = ssl->s3->aead_write_ctx;
@@ -265,12 +274,6 @@ int dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
     OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);
     return 0;
   }
-  /* Check the record header does not alias any part of the input.
-   * |SSL_AEAD_CTX_seal| will internally enforce other aliasing requirements. */
-  if (in < out + DTLS1_RT_HEADER_LENGTH && out < in + in_len) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT);
-    return 0;
-  }
   out[0] = type;
@@ -299,10 +302,8 @@ int dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
   *out_len = DTLS1_RT_HEADER_LENGTH + ciphertext_len;
-  if (ssl->msg_callback) {
-    ssl->msg_callback(1 /* write */, 0, SSL3_RT_HEADER, out,
-                      DTLS1_RT_HEADER_LENGTH, ssl, ssl->msg_callback_arg);
-  }
+  ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HEADER, out,
+                      DTLS1_RT_HEADER_LENGTH);
   return 1;
 }

data/third_party/boringssl/ssl/{s3_clnt.c → handshake_client.c} RENAMED

@@ -150,7 +150,6 @@
 #include <openssl/ssl.h>
 #include <assert.h>
-#include <stdio.h>
 #include <string.h>
 #include <openssl/bn.h>
@@ -163,184 +162,184 @@
 #include <openssl/evp.h>
 #include <openssl/md5.h>
 #include <openssl/mem.h>
-#include <openssl/obj.h>
 #include <openssl/rand.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include "internal.h"
-#include "../crypto/dh/internal.h"
+static int ssl3_send_client_hello(SSL *ssl);
+static int dtls1_get_hello_verify(SSL *ssl);
+static int ssl3_get_server_hello(SSL *ssl);
+static int ssl3_get_server_certificate(SSL *ssl);
+static int ssl3_get_cert_status(SSL *ssl);
+static int ssl3_verify_server_cert(SSL *ssl);
+static int ssl3_get_server_key_exchange(SSL *ssl);
+static int ssl3_get_certificate_request(SSL *ssl);
+static int ssl3_get_server_hello_done(SSL *ssl);
+static int ssl3_send_client_certificate(SSL *ssl);
+static int ssl3_send_client_key_exchange(SSL *ssl);
+static int ssl3_send_cert_verify(SSL *ssl);
+static int ssl3_send_next_proto(SSL *ssl);
+static int ssl3_send_channel_id(SSL *ssl);
+static int ssl3_get_new_session_ticket(SSL *ssl);
 int ssl3_connect(SSL *ssl) {
-  BUF_MEM *buf = NULL;
-  void (*cb)(const SSL *ssl, int type, int value) = NULL;
   int ret = -1;
-  int new_state, state, skip = 0;
+  int state, skip = 0;
   assert(ssl->handshake_func == ssl3_connect);
   assert(!ssl->server);
-  assert(!SSL_IS_DTLS(ssl));
-  ERR_clear_error();
-  ERR_clear_system_error();
-  if (ssl->info_callback != NULL) {
-    cb = ssl->info_callback;
-  } else if (ssl->ctx->info_callback != NULL) {
-    cb = ssl->ctx->info_callback;
-  }
-  ssl->in_handshake++;
   for (;;) {
     state = ssl->state;
     switch (ssl->state) {
-      case SSL_ST_CONNECT:
-        if (cb != NULL) {
-          cb(ssl, SSL_CB_HANDSHAKE_START, 1);
-        }
-        if (ssl->init_buf == NULL) {
-          buf = BUF_MEM_new();
-          if (buf == NULL ||
-              !BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
-            ret = -1;
-            goto end;
-          }
+      case SSL_ST_INIT:
+        ssl->state = SSL_ST_CONNECT;
+        skip = 1;
+        break;
-          ssl->init_buf = buf;
-          buf = NULL;
-        }
+      case SSL_ST_CONNECT:
+        ssl_do_info_callback(ssl, SSL_CB_HANDSHAKE_START, 1);
-        if (!ssl_init_wbio_buffer(ssl, 0)) {
+        ssl->s3->hs = ssl_handshake_new(tls13_client_handshake);
+        if (ssl->s3->hs == NULL) {
           ret = -1;
           goto end;
         }
-        /* don't push the buffering BIO quite yet */
-        if (!ssl3_init_handshake_buffer(ssl)) {
-          OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+        if (!ssl_init_wbio_buffer(ssl)) {
           ret = -1;
           goto end;
         }
         ssl->state = SSL3_ST_CW_CLNT_HELLO_A;
-        ssl->init_num = 0;
         break;
       case SSL3_ST_CW_CLNT_HELLO_A:
       case SSL3_ST_CW_CLNT_HELLO_B:
-        ssl->shutdown = 0;
         ret = ssl3_send_client_hello(ssl);
         if (ret <= 0) {
           goto end;
         }
-        ssl->state = SSL3_ST_CR_SRVR_HELLO_A;
-        ssl->init_num = 0;
-        /* turn on buffering for the next lot of output */
-        if (ssl->bbio != ssl->wbio) {
-          ssl->wbio = BIO_push(ssl->bbio, ssl->wbio);
+        if (!SSL_is_dtls(ssl) || ssl->d1->send_cookie) {
+          ssl->s3->tmp.next_state = SSL3_ST_CR_SRVR_HELLO_A;
+        } else {
+          ssl->s3->tmp.next_state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
         }
+        ssl->state = SSL3_ST_CW_FLUSH;
+        break;
+      case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
+        assert(SSL_is_dtls(ssl));
+        ret = dtls1_get_hello_verify(ssl);
+        if (ret <= 0) {
+          goto end;
+        }
+        if (ssl->d1->send_cookie) {
+          ssl->method->received_flight(ssl);
+          ssl->state = SSL3_ST_CW_CLNT_HELLO_A;
+        } else {
+          ssl->state = SSL3_ST_CR_SRVR_HELLO_A;
+        }
         break;
       case SSL3_ST_CR_SRVR_HELLO_A:
-      case SSL3_ST_CR_SRVR_HELLO_B:
         ret = ssl3_get_server_hello(ssl);
+        if (ssl->state == SSL_ST_TLS13) {
+          break;
+        }
         if (ret <= 0) {
           goto end;
         }
-        if (ssl->hit) {
-          ssl->state = SSL3_ST_CR_CHANGE;
-          if (ssl->tlsext_ticket_expected) {
-            /* receive renewed session ticket */
-            ssl->state = SSL3_ST_CR_SESSION_TICKET_A;
-          }
+        if (ssl->session != NULL) {
+          ssl->state = SSL3_ST_CR_SESSION_TICKET_A;
         } else {
           ssl->state = SSL3_ST_CR_CERT_A;
         }
-        ssl->init_num = 0;
         break;
       case SSL3_ST_CR_CERT_A:
-      case SSL3_ST_CR_CERT_B:
-        if (ssl_cipher_has_server_public_key(ssl->s3->tmp.new_cipher)) {
+        if (ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
           ret = ssl3_get_server_certificate(ssl);
           if (ret <= 0) {
             goto end;
           }
-          if (ssl->s3->tmp.certificate_status_expected) {
-            ssl->state = SSL3_ST_CR_CERT_STATUS_A;
-          } else {
-            ssl->state = SSL3_ST_VERIFY_SERVER_CERT;
+        } else {
+          skip = 1;
+        }
+        ssl->state = SSL3_ST_CR_CERT_STATUS_A;
+        break;
+      case SSL3_ST_CR_CERT_STATUS_A:
+        if (ssl->s3->tmp.certificate_status_expected) {
+          ret = ssl3_get_cert_status(ssl);
+          if (ret <= 0) {
+            goto end;
           }
         } else {
           skip = 1;
-          ssl->state = SSL3_ST_CR_KEY_EXCH_A;
         }
-        ssl->init_num = 0;
+        ssl->state = SSL3_ST_VERIFY_SERVER_CERT;
         break;
       case SSL3_ST_VERIFY_SERVER_CERT:
-        ret = ssl3_verify_server_cert(ssl);
-        if (ret <= 0) {
-          goto end;
+        if (ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
+          ret = ssl3_verify_server_cert(ssl);
+          if (ret <= 0) {
+            goto end;
+          }
+        } else {
+          skip = 1;
         }
         ssl->state = SSL3_ST_CR_KEY_EXCH_A;
-        ssl->init_num = 0;
         break;
       case SSL3_ST_CR_KEY_EXCH_A:
-      case SSL3_ST_CR_KEY_EXCH_B:
         ret = ssl3_get_server_key_exchange(ssl);
         if (ret <= 0) {
           goto end;
         }
         ssl->state = SSL3_ST_CR_CERT_REQ_A;
-        ssl->init_num = 0;
         break;
       case SSL3_ST_CR_CERT_REQ_A:
-      case SSL3_ST_CR_CERT_REQ_B:
-        ret = ssl3_get_certificate_request(ssl);
-        if (ret <= 0) {
-          goto end;
+        if (ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
+          ret = ssl3_get_certificate_request(ssl);
+          if (ret <= 0) {
+            goto end;
+          }
+        } else {
+          skip = 1;
         }
         ssl->state = SSL3_ST_CR_SRVR_DONE_A;
-        ssl->init_num = 0;
         break;
       case SSL3_ST_CR_SRVR_DONE_A:
-      case SSL3_ST_CR_SRVR_DONE_B:
-        ret = ssl3_get_server_done(ssl);
+        ret = ssl3_get_server_hello_done(ssl);
         if (ret <= 0) {
           goto end;
         }
-        if (ssl->s3->tmp.cert_req) {
-          ssl->state = SSL3_ST_CW_CERT_A;
-        } else {
-          ssl->state = SSL3_ST_CW_KEY_EXCH_A;
-        }
-        ssl->init_num = 0;
+        ssl->method->received_flight(ssl);
+        ssl->state = SSL3_ST_CW_CERT_A;
         break;
       case SSL3_ST_CW_CERT_A:
       case SSL3_ST_CW_CERT_B:
       case SSL3_ST_CW_CERT_C:
-      case SSL3_ST_CW_CERT_D:
-        ret = ssl3_send_client_certificate(ssl);
-        if (ret <= 0) {
-          goto end;
+        if (ssl->s3->tmp.cert_request) {
+          ret = ssl3_send_client_certificate(ssl);
+          if (ret <= 0) {
+            goto end;
+          }
+        } else {
+          skip = 1;
         }
         ssl->state = SSL3_ST_CW_KEY_EXCH_A;
-        ssl->init_num = 0;
         break;
       case SSL3_ST_CW_KEY_EXCH_A:
@@ -349,44 +348,30 @@ int ssl3_connect(SSL *ssl) {
         if (ret <= 0) {
           goto end;
         }
-        /* For TLS, cert_req is set to 2, so a cert chain
-         * of nothing is sent, but no verify packet is sent */
-        if (ssl->s3->tmp.cert_req == 1) {
-          ssl->state = SSL3_ST_CW_CERT_VRFY_A;
-        } else {
-          ssl->state = SSL3_ST_CW_CHANGE_A;
-        }
-        ssl->init_num = 0;
+        ssl->state = SSL3_ST_CW_CERT_VRFY_A;
         break;
       case SSL3_ST_CW_CERT_VRFY_A:
       case SSL3_ST_CW_CERT_VRFY_B:
       case SSL3_ST_CW_CERT_VRFY_C:
-        ret = ssl3_send_cert_verify(ssl);
-        if (ret <= 0) {
-          goto end;
+        if (ssl->s3->tmp.cert_request) {
+          ret = ssl3_send_cert_verify(ssl);
+          if (ret <= 0) {
+            goto end;
+          }
+        } else {
+          skip = 1;
         }
-        ssl->state = SSL3_ST_CW_CHANGE_A;
-        ssl->init_num = 0;
+        ssl->state = SSL3_ST_CW_CHANGE;
         break;
-      case SSL3_ST_CW_CHANGE_A:
-      case SSL3_ST_CW_CHANGE_B:
-        ret = ssl3_send_change_cipher_spec(ssl, SSL3_ST_CW_CHANGE_A,
-                                           SSL3_ST_CW_CHANGE_B);
+      case SSL3_ST_CW_CHANGE:
+        ret = ssl->method->send_change_cipher_spec(ssl);
         if (ret <= 0) {
           goto end;
         }
-        ssl->state = SSL3_ST_CW_FINISHED_A;
-        if (ssl->s3->tlsext_channel_id_valid) {
-          ssl->state = SSL3_ST_CW_CHANNEL_ID_A;
-        }
-        if (ssl->s3->next_proto_neg_seen) {
-          ssl->state = SSL3_ST_CW_NEXT_PROTO_A;
-        }
-        ssl->init_num = 0;
+        ssl->state = SSL3_ST_CW_NEXT_PROTO_A;
         if (!tls1_change_cipher_state(ssl, SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
           ret = -1;
@@ -397,23 +382,26 @@ int ssl3_connect(SSL *ssl) {
       case SSL3_ST_CW_NEXT_PROTO_A:
       case SSL3_ST_CW_NEXT_PROTO_B:
-        ret = ssl3_send_next_proto(ssl);
-        if (ret <= 0) {
-          goto end;
-        }
-        if (ssl->s3->tlsext_channel_id_valid) {
-          ssl->state = SSL3_ST_CW_CHANNEL_ID_A;
+        if (ssl->s3->next_proto_neg_seen) {
+          ret = ssl3_send_next_proto(ssl);
+          if (ret <= 0) {
+            goto end;
+          }
         } else {
-          ssl->state = SSL3_ST_CW_FINISHED_A;
+          skip = 1;
         }
+        ssl->state = SSL3_ST_CW_CHANNEL_ID_A;
         break;
       case SSL3_ST_CW_CHANNEL_ID_A:
       case SSL3_ST_CW_CHANNEL_ID_B:
-        ret = ssl3_send_channel_id(ssl);
-        if (ret <= 0) {
-          goto end;
+        if (ssl->s3->tlsext_channel_id_valid) {
+          ret = ssl3_send_channel_id(ssl);
+          if (ret <= 0) {
+            goto end;
+          }
+        } else {
+          skip = 1;
         }
         ssl->state = SSL3_ST_CW_FINISHED_A;
         break;
@@ -427,7 +415,7 @@ int ssl3_connect(SSL *ssl) {
         }
         ssl->state = SSL3_ST_CW_FLUSH;
-        if (ssl->hit) {
+        if (ssl->session != NULL) {
           ssl->s3->tmp.next_state = SSL_ST_OK;
         } else {
           /* This is a non-resumption handshake. If it involves ChannelID, then
@@ -445,39 +433,33 @@ int ssl3_connect(SSL *ssl) {
               !ssl->s3->initial_handshake_complete) {
             ssl->s3->tmp.next_state = SSL3_ST_FALSE_START;
           } else {
-            /* Allow NewSessionTicket if ticket expected */
-            if (ssl->tlsext_ticket_expected) {
-              ssl->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
-            } else {
-              ssl->s3->tmp.next_state = SSL3_ST_CR_CHANGE;
-            }
+            ssl->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
           }
         }
-        ssl->init_num = 0;
         break;
+      case SSL3_ST_FALSE_START:
+        ssl->state = SSL3_ST_CR_SESSION_TICKET_A;
+        ssl->s3->tmp.in_false_start = 1;
+        ssl_free_wbio_buffer(ssl);
+        ret = 1;
+        goto end;
       case SSL3_ST_CR_SESSION_TICKET_A:
-      case SSL3_ST_CR_SESSION_TICKET_B:
-        ret = ssl3_get_new_session_ticket(ssl);
-        if (ret <= 0) {
-          goto end;
+        if (ssl->tlsext_ticket_expected) {
+          ret = ssl3_get_new_session_ticket(ssl);
+          if (ret <= 0) {
+            goto end;
+          }
+        } else {
+          skip = 1;
         }
         ssl->state = SSL3_ST_CR_CHANGE;
-        ssl->init_num = 0;
-        break;
-      case SSL3_ST_CR_CERT_STATUS_A:
-      case SSL3_ST_CR_CERT_STATUS_B:
-        ret = ssl3_get_cert_status(ssl);
-        if (ret <= 0) {
-          goto end;
-        }
-        ssl->state = SSL3_ST_VERIFY_SERVER_CERT;
-        ssl->init_num = 0;
         break;
       case SSL3_ST_CR_CHANGE:
-        ret = ssl->method->ssl_read_change_cipher_spec(ssl);
+        ret = ssl->method->read_change_cipher_spec(ssl);
         if (ret <= 0) {
           goto end;
         }
@@ -490,57 +472,76 @@ int ssl3_connect(SSL *ssl) {
         break;
       case SSL3_ST_CR_FINISHED_A:
-      case SSL3_ST_CR_FINISHED_B:
-        ret = ssl3_get_finished(ssl, SSL3_ST_CR_FINISHED_A,
-                                SSL3_ST_CR_FINISHED_B);
+        ret = ssl3_get_finished(ssl);
         if (ret <= 0) {
           goto end;
         }
+        ssl->method->received_flight(ssl);
-        if (ssl->hit) {
-          ssl->state = SSL3_ST_CW_CHANGE_A;
+        if (ssl->session != NULL) {
+          ssl->state = SSL3_ST_CW_CHANGE;
         } else {
           ssl->state = SSL_ST_OK;
         }
-        ssl->init_num = 0;
         break;
       case SSL3_ST_CW_FLUSH:
-        ssl->rwstate = SSL_WRITING;
         if (BIO_flush(ssl->wbio) <= 0) {
+          ssl->rwstate = SSL_WRITING;
           ret = -1;
           goto end;
         }
-        ssl->rwstate = SSL_NOTHING;
         ssl->state = ssl->s3->tmp.next_state;
+        if (ssl->state != SSL_ST_OK) {
+          ssl->method->expect_flight(ssl);
+        }
         break;
-      case SSL3_ST_FALSE_START:
-        /* Allow NewSessionTicket if ticket expected */
-        if (ssl->tlsext_ticket_expected) {
-          ssl->state = SSL3_ST_CR_SESSION_TICKET_A;
-        } else {
-          ssl->state = SSL3_ST_CR_CHANGE;
+      case SSL_ST_TLS13:
+        ret = tls13_handshake(ssl);
+        if (ret <= 0) {
+          goto end;
         }
-        ssl->s3->tmp.in_false_start = 1;
-        ssl_free_wbio_buffer(ssl);
-        ret = 1;
-        goto end;
+        ssl->state = SSL_ST_OK;
+        break;
       case SSL_ST_OK:
-        /* clean a few things up */
+        /* Clean a few things up. */
         ssl3_cleanup_key_block(ssl);
+        ssl->method->release_current_message(ssl, 1 /* free_buffer */);
+        SSL_SESSION_free(ssl->s3->established_session);
+        if (ssl->session != NULL) {
+          SSL_SESSION_up_ref(ssl->session);
+          ssl->s3->established_session = ssl->session;
+        } else {
+          /* We make a copy of the session in order to maintain the immutability
+           * of the new established_session due to False Start. The caller may
+           * have taken a reference to the temporary session. */
+          ssl->s3->established_session =
+              SSL_SESSION_dup(ssl->s3->new_session, SSL_SESSION_DUP_ALL);
+          if (ssl->s3->established_session == NULL) {
+            /* Do not stay in SSL_ST_OK, to avoid confusing |SSL_in_init|
+             * callers. */
+            ssl->state = SSL_ST_ERROR;
+            skip = 1;
+            ret = -1;
+            goto end;
+          }
+          ssl->s3->established_session->not_resumable = 0;
-        BUF_MEM_free(ssl->init_buf);
-        ssl->init_buf = NULL;
+          SSL_SESSION_free(ssl->s3->new_session);
+          ssl->s3->new_session = NULL;
+        }
         /* Remove write buffering now. */
         ssl_free_wbio_buffer(ssl);
+        ssl_handshake_free(ssl->s3->hs);
+        ssl->s3->hs = NULL;
         const int is_initial_handshake = !ssl->s3->initial_handshake_complete;
-        ssl->init_num = 0;
         ssl->s3->tmp.in_false_start = 0;
         ssl->s3->initial_handshake_complete = 1;
@@ -550,12 +551,12 @@ int ssl3_connect(SSL *ssl) {
         }
         ret = 1;
-        /* ssl->server=0; */
-        if (cb != NULL) {
-          cb(ssl, SSL_CB_HANDSHAKE_DONE, 1);
-        }
+        ssl_do_info_callback(ssl, SSL_CB_HANDSHAKE_DONE, 1);
+        goto end;
+      case SSL_ST_ERROR:
+        OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
+        ret = -1;
         goto end;
       default:
@@ -564,27 +565,35 @@ int ssl3_connect(SSL *ssl) {
         goto end;
     }
-    if (!ssl->s3->tmp.reuse_message && !skip) {
-      if (cb != NULL && ssl->state != state) {
-        new_state = ssl->state;
-        ssl->state = state;
-        cb(ssl, SSL_CB_CONNECT_LOOP, 1);
-        ssl->state = new_state;
-      }
+    if (!ssl->s3->tmp.reuse_message && !skip && ssl->state != state) {
+      int new_state = ssl->state;
+      ssl->state = state;
+      ssl_do_info_callback(ssl, SSL_CB_CONNECT_LOOP, 1);
+      ssl->state = new_state;
     }
     skip = 0;
   }
 end:
-  ssl->in_handshake--;
-  BUF_MEM_free(buf);
-  if (cb != NULL) {
-    cb(ssl, SSL_CB_CONNECT_EXIT, ret);
-  }
+  ssl_do_info_callback(ssl, SSL_CB_CONNECT_EXIT, ret);
+  return ret;
+}
+uint16_t ssl_get_grease_value(const SSL *ssl, enum ssl_grease_index_t index) {
+  /* Use the client_random for entropy. This both avoids calling |RAND_bytes| on
+   * a single byte repeatedly and ensures the values are deterministic. This
+   * allows the same ClientHello be sent twice for a HelloRetryRequest or the
+   * same group be advertised in both supported_groups and key_shares. */
+  uint16_t ret = ssl->s3->client_random[index];
+  /* This generates a random value of the form 0xωaωa, for all 0 ≤ ω < 16. */
+  ret = (ret & 0xf0) | 0x0a;
+  ret |= ret << 8;
   return ret;
 }
-static int ssl3_write_client_cipher_list(SSL *ssl, CBB *out) {
+static int ssl_write_client_cipher_list(SSL *ssl, CBB *out,
+                                        uint16_t min_version,
+                                        uint16_t max_version) {
   /* Prepare disabled cipher masks. */
   ssl_set_client_disabled(ssl);
@@ -593,25 +602,42 @@ static int ssl3_write_client_cipher_list(SSL *ssl, CBB *out) {
     return 0;
   }
+  /* Add a fake cipher suite. See draft-davidben-tls-grease-01. */
+  if (ssl->ctx->grease_enabled &&
+      !CBB_add_u16(&child, ssl_get_grease_value(ssl, ssl_grease_cipher))) {
+    return 0;
+  }
   STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(ssl);
   int any_enabled = 0;
-  size_t i;
-  for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
+  for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
     const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
     /* Skip disabled ciphers */
     if ((cipher->algorithm_mkey & ssl->cert->mask_k) ||
         (cipher->algorithm_auth & ssl->cert->mask_a)) {
       continue;
     }
-    if (SSL_CIPHER_get_min_version(cipher) >
-        ssl3_version_from_wire(ssl, ssl->client_version)) {
+    if (SSL_CIPHER_get_min_version(cipher) > max_version ||
+        SSL_CIPHER_get_max_version(cipher) < min_version) {
       continue;
     }
     any_enabled = 1;
     if (!CBB_add_u16(&child, ssl_cipher_get_value(cipher))) {
       return 0;
     }
+    /* Add PSK ciphers for TLS 1.3 resumption. */
+    uint16_t session_version;
+    if (ssl->session != NULL &&
+        ssl->method->version_from_wire(&session_version,
+                                       ssl->session->ssl_version) &&
+        session_version >= TLS1_3_VERSION) {
+      uint16_t resumption_cipher;
+      if (ssl_cipher_get_ecdhe_psk_cipher(cipher, &resumption_cipher) &&
+          !CBB_add_u16(&child, resumption_cipher)) {
+        return 0;
+      }
+    }
   }
   /* If all ciphers were disabled, return the error to the caller. */
@@ -627,26 +653,64 @@ static int ssl3_write_client_cipher_list(SSL *ssl, CBB *out) {
     if (!CBB_add_u16(&child, SSL3_CK_SCSV & 0xffff)) {
       return 0;
     }
-    /* The renegotiation extension is required to be at index zero. */
-    ssl->s3->tmp.extensions.sent |= (1u << 0);
   }
-  if ((ssl->mode & SSL_MODE_SEND_FALLBACK_SCSV) &&
-      !CBB_add_u16(&child, SSL3_CK_FALLBACK_SCSV & 0xffff)) {
-    return 0;
+  if (ssl->mode & SSL_MODE_SEND_FALLBACK_SCSV) {
+    if (!CBB_add_u16(&child, SSL3_CK_FALLBACK_SCSV & 0xffff)) {
+      return 0;
+    }
   }
   return CBB_flush(out);
 }
-int ssl3_send_client_hello(SSL *ssl) {
+int ssl_add_client_hello_body(SSL *ssl, CBB *body) {
+  uint16_t min_version, max_version;
+  if (!ssl_get_version_range(ssl, &min_version, &max_version)) {
+    return 0;
+  }
+  /* Renegotiations do not participate in session resumption. */
+  int has_session = ssl->session != NULL &&
+                    !ssl->s3->initial_handshake_complete;
+  CBB child;
+  if (!CBB_add_u16(body, ssl->client_version) ||
+      !CBB_add_bytes(body, ssl->s3->client_random, SSL3_RANDOM_SIZE) ||
+      !CBB_add_u8_length_prefixed(body, &child) ||
+      (has_session &&
+       !CBB_add_bytes(&child, ssl->session->session_id,
+                      ssl->session->session_id_length))) {
+    return 0;
+  }
+  if (SSL_is_dtls(ssl)) {
+    if (!CBB_add_u8_length_prefixed(body, &child) ||
+        !CBB_add_bytes(&child, ssl->d1->cookie, ssl->d1->cookie_len)) {
+      return 0;
+    }
+  }
+  size_t header_len =
+      SSL_is_dtls(ssl) ? DTLS1_HM_HEADER_LENGTH : SSL3_HM_HEADER_LENGTH;
+  if (!ssl_write_client_cipher_list(ssl, body, min_version, max_version) ||
+      !CBB_add_u8(body, 1 /* one compression method */) ||
+      !CBB_add_u8(body, 0 /* null compression */) ||
+      !ssl_add_clienthello_tlsext(ssl, body, header_len + CBB_len(body))) {
+    return 0;
+  }
+  return 1;
+}
+static int ssl3_send_client_hello(SSL *ssl) {
   if (ssl->state == SSL3_ST_CW_CLNT_HELLO_B) {
-    return ssl_do_write(ssl);
+    return ssl->method->write_message(ssl);
   }
-  /* In DTLS, reset the handshake buffer each time a new ClientHello is
-   * assembled. We may send multiple if we receive HelloVerifyRequest. */
-  if (SSL_IS_DTLS(ssl) && !ssl3_init_handshake_buffer(ssl)) {
+  /* The handshake buffer is reset on every ClientHello. Notably, in DTLS, we
+   * may send multiple ClientHellos if we receive HelloVerifyRequest. */
+  if (!ssl3_init_handshake_buffer(ssl)) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
     return -1;
   }
@@ -654,99 +718,115 @@ int ssl3_send_client_hello(SSL *ssl) {
   CBB cbb;
   CBB_zero(&cbb);
+  uint16_t min_version, max_version;
+  if (!ssl_get_version_range(ssl, &min_version, &max_version)) {
+    goto err;
+  }
   assert(ssl->state == SSL3_ST_CW_CLNT_HELLO_A);
   if (!ssl->s3->have_version) {
-    uint16_t max_version = ssl3_get_max_client_version(ssl);
-    /* Disabling all versions is silly: return an error. */
-    if (max_version == 0) {
-      OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION);
-      goto err;
-    }
-    ssl->version = max_version;
+    ssl->version = ssl->method->version_to_wire(max_version);
     /* Only set |ssl->client_version| on the initial handshake. Renegotiations,
      * although locked to a version, reuse the value. When using the plain RSA
      * key exchange, the ClientHello version is checked in the premaster secret.
      * Some servers fail when this value changes. */
-    ssl->client_version = max_version;
+    ssl->client_version = ssl->version;
+    if (max_version >= TLS1_3_VERSION) {
+      ssl->client_version = ssl->method->version_to_wire(TLS1_2_VERSION);
+    }
   }
-  /* If the configured session has expired or was created at a version higher
-   * than our maximum version, drop it. */
-  if (ssl->session != NULL &&
-      (ssl->session->session_id_length == 0 || ssl->session->not_resumable ||
-       ssl->session->timeout < (long)(time(NULL) - ssl->session->time) ||
-       (!SSL_IS_DTLS(ssl) && ssl->session->ssl_version > ssl->version) ||
-       (SSL_IS_DTLS(ssl) && ssl->session->ssl_version < ssl->version))) {
-    SSL_set_session(ssl, NULL);
+  /* If the configured session has expired or was created at a disabled
+   * version, drop it. */
+  if (ssl->session != NULL) {
+    uint16_t session_version;
+    if (!ssl->method->version_from_wire(&session_version,
+                                        ssl->session->ssl_version) ||
+        (session_version < TLS1_3_VERSION &&
+         ssl->session->session_id_length == 0) ||
+        ssl->session->not_resumable ||
+        !ssl_session_is_time_valid(ssl, ssl->session) ||
+        session_version < min_version || session_version > max_version) {
+      ssl_set_session(ssl, NULL);
+    }
   }
   /* If resending the ClientHello in DTLS after a HelloVerifyRequest, don't
    * renegerate the client_random. The random must be reused. */
-  if ((!SSL_IS_DTLS(ssl) || !ssl->d1->send_cookie) &&
-      !ssl_fill_hello_random(ssl->s3->client_random,
-                             sizeof(ssl->s3->client_random), 0 /* client */)) {
+  if ((!SSL_is_dtls(ssl) || !ssl->d1->send_cookie) &&
+      !RAND_bytes(ssl->s3->client_random, sizeof(ssl->s3->client_random))) {
     goto err;
   }
-  /* Renegotiations do not participate in session resumption. */
-  int has_session = ssl->session != NULL &&
-                    !ssl->s3->initial_handshake_complete;
-  CBB child;
-  if (!CBB_init_fixed(&cbb, ssl_handshake_start(ssl),
-                      ssl->init_buf->max - SSL_HM_HEADER_LENGTH(ssl)) ||
-      !CBB_add_u16(&cbb, ssl->client_version) ||
-      !CBB_add_bytes(&cbb, ssl->s3->client_random, SSL3_RANDOM_SIZE) ||
-      !CBB_add_u8_length_prefixed(&cbb, &child) ||
-      (has_session &&
-       !CBB_add_bytes(&child, ssl->session->session_id,
-                      ssl->session->session_id_length))) {
+  CBB body;
+  if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CLIENT_HELLO) ||
+      !ssl_add_client_hello_body(ssl, &body) ||
+      !ssl->method->finish_message(ssl, &cbb)) {
     goto err;
   }
-  if (SSL_IS_DTLS(ssl)) {
-    if (!CBB_add_u8_length_prefixed(&cbb, &child) ||
-        !CBB_add_bytes(&child, ssl->d1->cookie, ssl->d1->cookie_len)) {
-      goto err;
-    }
+  ssl->state = SSL3_ST_CW_CLNT_HELLO_B;
+  return ssl->method->write_message(ssl);
+err:
+  CBB_cleanup(&cbb);
+  return -1;
+}
+static int dtls1_get_hello_verify(SSL *ssl) {
+  int al;
+  CBS hello_verify_request, cookie;
+  uint16_t server_version;
+  int ret = ssl->method->ssl_get_message(ssl, -1, ssl_hash_message);
+  if (ret <= 0) {
+    return ret;
   }
-  size_t length;
-  if (!ssl3_write_client_cipher_list(ssl, &cbb) ||
-      !CBB_add_u8(&cbb, 1 /* one compression method */) ||
-      !CBB_add_u8(&cbb, 0 /* null compression */) ||
-      !ssl_add_clienthello_tlsext(ssl, &cbb,
-                                  CBB_len(&cbb) + SSL_HM_HEADER_LENGTH(ssl)) ||
-      !CBB_finish(&cbb, NULL, &length) ||
-      !ssl_set_handshake_header(ssl, SSL3_MT_CLIENT_HELLO, length)) {
-    goto err;
+  if (ssl->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
+    ssl->d1->send_cookie = 0;
+    ssl->s3->tmp.reuse_message = 1;
+    return 1;
   }
-  ssl->state = SSL3_ST_CW_CLNT_HELLO_B;
-  return ssl_do_write(ssl);
+  CBS_init(&hello_verify_request, ssl->init_msg, ssl->init_num);
-err:
-  CBB_cleanup(&cbb);
+  if (!CBS_get_u16(&hello_verify_request, &server_version) ||
+      !CBS_get_u8_length_prefixed(&hello_verify_request, &cookie) ||
+      CBS_len(&hello_verify_request) != 0) {
+    al = SSL_AD_DECODE_ERROR;
+    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+    goto f_err;
+  }
+  if (CBS_len(&cookie) > sizeof(ssl->d1->cookie)) {
+    al = SSL_AD_ILLEGAL_PARAMETER;
+    goto f_err;
+  }
+  memcpy(ssl->d1->cookie, CBS_data(&cookie), CBS_len(&cookie));
+  ssl->d1->cookie_len = CBS_len(&cookie);
+  ssl->d1->send_cookie = 1;
+  return 1;
+f_err:
+  ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
   return -1;
 }
-int ssl3_get_server_hello(SSL *ssl) {
+static int ssl3_get_server_hello(SSL *ssl) {
   STACK_OF(SSL_CIPHER) *sk;
   const SSL_CIPHER *c;
   CERT *ct = ssl->cert;
-  int al = SSL_AD_INTERNAL_ERROR, ok;
-  long n;
+  int al = SSL_AD_INTERNAL_ERROR;
   CBS server_hello, server_random, session_id;
-  uint16_t server_version, cipher_suite;
+  uint16_t server_wire_version, cipher_suite;
   uint8_t compression_method;
-  n = ssl->method->ssl_get_message(ssl, SSL3_ST_CR_SRVR_HELLO_A,
-                                 SSL3_ST_CR_SRVR_HELLO_B, SSL3_MT_SERVER_HELLO,
-                                 20000, /* ?? */
-                                 ssl_hash_message, &ok);
-  if (!ok) {
+  int ret = ssl->method->ssl_get_message(ssl, -1, ssl_hash_message);
+  if (ret <= 0) {
     uint32_t err = ERR_peek_error();
     if (ERR_GET_LIB(err) == ERR_LIB_SSL &&
         ERR_GET_REASON(err) == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE) {
@@ -758,71 +838,91 @@ int ssl3_get_server_hello(SSL *ssl) {
        * See https://crbug.com/446505. */
       OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO);
     }
-    return n;
+    return ret;
+  }
+  if (ssl->s3->tmp.message_type != SSL3_MT_SERVER_HELLO &&
+      ssl->s3->tmp.message_type != SSL3_MT_HELLO_RETRY_REQUEST) {
+    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
+    OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
+    return -1;
   }
-  CBS_init(&server_hello, ssl->init_msg, n);
+  CBS_init(&server_hello, ssl->init_msg, ssl->init_num);
-  if (!CBS_get_u16(&server_hello, &server_version) ||
-      !CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE) ||
-      !CBS_get_u8_length_prefixed(&server_hello, &session_id) ||
-      CBS_len(&session_id) > SSL3_SESSION_ID_SIZE ||
-      !CBS_get_u16(&server_hello, &cipher_suite) ||
-      !CBS_get_u8(&server_hello, &compression_method)) {
+  if (!CBS_get_u16(&server_hello, &server_wire_version)) {
     al = SSL_AD_DECODE_ERROR;
     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
     goto f_err;
   }
+  uint16_t min_version, max_version, server_version;
+  if (!ssl_get_version_range(ssl, &min_version, &max_version) ||
+      !ssl->method->version_from_wire(&server_version, server_wire_version) ||
+      server_version < min_version || server_version > max_version) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
+    al = SSL_AD_PROTOCOL_VERSION;
+    goto f_err;
+  }
   assert(ssl->s3->have_version == ssl->s3->initial_handshake_complete);
   if (!ssl->s3->have_version) {
-    if (!ssl3_is_version_enabled(ssl, server_version)) {
-      OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
-      ssl->version = server_version;
-      /* Mark the version as fixed so the record-layer version is not clamped
-       * to TLS 1.0. */
-      ssl->s3->have_version = 1;
-      al = SSL_AD_PROTOCOL_VERSION;
-      goto f_err;
-    }
-    ssl->version = server_version;
+    ssl->version = server_wire_version;
     ssl->s3->enc_method = ssl3_get_enc_method(server_version);
     assert(ssl->s3->enc_method != NULL);
     /* At this point, the connection's version is known and ssl->version is
      * fixed. Begin enforcing the record-layer version. */
     ssl->s3->have_version = 1;
-  } else if (server_version != ssl->version) {
+  } else if (server_wire_version != ssl->version) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION);
     al = SSL_AD_PROTOCOL_VERSION;
     goto f_err;
   }
-  /* Copy over the server random. */
-  memcpy(ssl->s3->server_random, CBS_data(&server_random), SSL3_RANDOM_SIZE);
+  if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
+    ssl->state = SSL_ST_TLS13;
+    return 1;
+  }
-  assert(ssl->session == NULL || ssl->session->session_id_length > 0);
-  if (!ssl->s3->initial_handshake_complete && ssl->session != NULL &&
-      CBS_mem_equal(&session_id, ssl->session->session_id,
-                    ssl->session->session_id_length)) {
-    if (ssl->sid_ctx_length != ssl->session->sid_ctx_length ||
-        memcmp(ssl->session->sid_ctx, ssl->sid_ctx, ssl->sid_ctx_length)) {
-      /* actually a client application bug */
-      al = SSL_AD_ILLEGAL_PARAMETER;
-      OPENSSL_PUT_ERROR(SSL,
-                        SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
-      goto f_err;
-    }
-    ssl->hit = 1;
+  ssl_clear_tls13_state(ssl);
+  if (ssl->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) {
+    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
+    OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
+    return -1;
+  }
+  if (!CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE) ||
+      !CBS_get_u8_length_prefixed(&server_hello, &session_id) ||
+      CBS_len(&session_id) > SSL3_SESSION_ID_SIZE ||
+      !CBS_get_u16(&server_hello, &cipher_suite) ||
+      !CBS_get_u8(&server_hello, &compression_method)) {
+    al = SSL_AD_DECODE_ERROR;
+    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+    goto f_err;
+  }
+  /* Copy over the server random. */
+  memcpy(ssl->s3->server_random, CBS_data(&server_random), SSL3_RANDOM_SIZE);
+  /* TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS
+   * 1.3 is finalized and we are not implementing a draft version. */
+  if (!ssl->s3->initial_handshake_complete && ssl->session != NULL &&
+      ssl->session->session_id_length != 0 &&
+      CBS_mem_equal(&session_id, ssl->session->session_id,
+                    ssl->session->session_id_length)) {
+    ssl->s3->session_reused = 1;
   } else {
     /* The session wasn't resumed. Create a fresh SSL_SESSION to
      * fill out. */
-    ssl->hit = 0;
+    ssl_set_session(ssl, NULL);
     if (!ssl_get_new_session(ssl, 0 /* client */)) {
       goto f_err;
     }
     /* Note: session_id could be empty. */
-    ssl->session->session_id_length = CBS_len(&session_id);
-    memcpy(ssl->session->session_id, CBS_data(&session_id),
+    ssl->s3->new_session->session_id_length = CBS_len(&session_id);
+    memcpy(ssl->s3->new_session->session_id, CBS_data(&session_id),
            CBS_len(&session_id));
   }
@@ -836,7 +936,8 @@ int ssl3_get_server_hello(SSL *ssl) {
   /* If the cipher is disabled then we didn't sent it in the ClientHello, so if
    * the server selected it, it's an error. */
   if ((c->algorithm_mkey & ct->mask_k) || (c->algorithm_auth & ct->mask_a) ||
-      SSL_CIPHER_get_min_version(c) > ssl3_protocol_version(ssl)) {
+      SSL_CIPHER_get_min_version(c) > ssl3_protocol_version(ssl) ||
+      SSL_CIPHER_get_max_version(c) < ssl3_protocol_version(ssl)) {
     al = SSL_AD_ILLEGAL_PARAMETER;
     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
     goto f_err;
@@ -850,7 +951,7 @@ int ssl3_get_server_hello(SSL *ssl) {
     goto f_err;
   }
-  if (ssl->hit) {
+  if (ssl->session != NULL) {
     if (ssl->session->cipher != c) {
       al = SSL_AD_ILLEGAL_PARAMETER;
       OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
@@ -861,8 +962,15 @@ int ssl3_get_server_hello(SSL *ssl) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);
       goto f_err;
     }
+    if (!ssl_session_is_context_valid(ssl, ssl->session)) {
+      /* This is actually a client application bug. */
+      al = SSL_AD_ILLEGAL_PARAMETER;
+      OPENSSL_PUT_ERROR(SSL,
+                        SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
+      goto f_err;
+    }
   } else {
-    ssl->session->cipher = c;
+    ssl->s3->new_session->cipher = c;
   }
   ssl->s3->tmp.new_cipher = c;
@@ -871,10 +979,11 @@ int ssl3_get_server_hello(SSL *ssl) {
     goto f_err;
   }
-  /* If doing a full handshake with TLS 1.2, the server may request a client
-   * certificate which requires hashing the handshake transcript under a
-   * different hash. Otherwise, the handshake buffer may be released. */
-  if (ssl->hit || ssl3_protocol_version(ssl) < TLS1_2_VERSION) {
+  /* If doing a full handshake, the server may request a client certificate
+   * which requires hashing the handshake transcript. Otherwise, the handshake
+   * buffer may be released. */
+  if (ssl->session != NULL ||
+      !ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
     ssl3_free_handshake_buffer(ssl);
   }
@@ -895,11 +1004,11 @@ int ssl3_get_server_hello(SSL *ssl) {
   if (CBS_len(&server_hello) != 0) {
     /* wrong packet length */
     al = SSL_AD_DECODE_ERROR;
-    OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH);
+    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
     goto f_err;
   }
-  if (ssl->hit &&
+  if (ssl->session != NULL &&
       ssl->s3->tmp.extended_master_secret !=
           ssl->session->extended_master_secret) {
     al = SSL_AD_HANDSHAKE_FAILURE;
@@ -919,184 +1028,131 @@ err:
   return -1;
 }
-/* ssl3_check_leaf_certificate returns one if |leaf| is a suitable leaf server
- * certificate for |ssl|. Otherwise, it returns zero and pushes an error on the
- * error queue. */
-static int ssl3_check_leaf_certificate(SSL *ssl, X509 *leaf) {
-  int ret = 0;
-  EVP_PKEY *pkey = X509_get_pubkey(leaf);
-  if (pkey == NULL) {
-    goto err;
+static int ssl3_get_server_certificate(SSL *ssl) {
+  int ret =
+      ssl->method->ssl_get_message(ssl, SSL3_MT_CERTIFICATE, ssl_hash_message);
+  if (ret <= 0) {
+    return ret;
   }
-  /* Check the certificate's type matches the cipher. */
-  const SSL_CIPHER *cipher = ssl->s3->tmp.new_cipher;
-  int expected_type = ssl_cipher_get_key_type(cipher);
-  assert(expected_type != EVP_PKEY_NONE);
-  if (pkey->type != expected_type) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CERTIFICATE_TYPE);
+  CBS cbs;
+  CBS_init(&cbs, ssl->init_msg, ssl->init_num);
+  uint8_t alert;
+  STACK_OF(X509) *chain = ssl_parse_cert_chain(ssl, &alert, NULL, &cbs);
+  if (chain == NULL) {
+    ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
     goto err;
   }
-  if (cipher->algorithm_auth & SSL_aECDSA) {
-    /* TODO(davidben): This behavior is preserved from upstream. Should key
-     * usages be checked in other cases as well? */
-    /* This call populates the ex_flags field correctly */
-    X509_check_purpose(leaf, -1, 0);
-    if ((leaf->ex_flags & EXFLAG_KUSAGE) &&
-        !(leaf->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)) {
-      OPENSSL_PUT_ERROR(SSL, SSL_R_ECC_CERT_NOT_FOR_SIGNING);
-      goto err;
-    }
+  if (sk_X509_num(chain) == 0 || CBS_len(&cbs) != 0) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
+    goto err;
+  }
-    if (!tls1_check_ec_cert(ssl, leaf)) {
-      OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECC_CERT);
-      goto err;
-    }
+  X509 *leaf = sk_X509_value(chain, 0);
+  if (!ssl_check_leaf_certificate(ssl, leaf)) {
+    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
+    goto err;
   }
-  ret = 1;
+  /* NOTE: Unlike the server half, the client's copy of |cert_chain| includes
+   * the leaf. */
+  sk_X509_pop_free(ssl->s3->new_session->cert_chain, X509_free);
+  ssl->s3->new_session->cert_chain = chain;
+  X509_free(ssl->s3->new_session->peer);
+  X509_up_ref(leaf);
+  ssl->s3->new_session->peer = leaf;
+  return 1;
 err:
-  EVP_PKEY_free(pkey);
-  return ret;
+  sk_X509_pop_free(chain, X509_free);
+  return -1;
 }
-int ssl3_get_server_certificate(SSL *ssl) {
-  int al, ok, ret = -1;
-  unsigned long n;
-  X509 *x = NULL;
-  STACK_OF(X509) *sk = NULL;
-  EVP_PKEY *pkey = NULL;
-  CBS cbs, certificate_list;
-  const uint8_t *data;
-  n = ssl->method->ssl_get_message(ssl, SSL3_ST_CR_CERT_A, SSL3_ST_CR_CERT_B,
-                                 SSL3_MT_CERTIFICATE, (long)ssl->max_cert_list,
-                                 ssl_hash_message, &ok);
+static int ssl3_get_cert_status(SSL *ssl) {
+  int al;
+  CBS certificate_status, ocsp_response;
+  uint8_t status_type;
-  if (!ok) {
-    return n;
+  int ret = ssl->method->ssl_get_message(ssl, -1, ssl_hash_message);
+  if (ret <= 0) {
+    return ret;
   }
-  CBS_init(&cbs, ssl->init_msg, n);
-  sk = sk_X509_new_null();
-  if (sk == NULL) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
-    goto err;
+  if (ssl->s3->tmp.message_type != SSL3_MT_CERTIFICATE_STATUS) {
+    /* A server may send status_request in ServerHello and then change
+     * its mind about sending CertificateStatus. */
+    ssl->s3->tmp.reuse_message = 1;
+    return 1;
   }
-  if (!CBS_get_u24_length_prefixed(&cbs, &certificate_list) ||
-      CBS_len(&certificate_list) == 0 ||
-      CBS_len(&cbs) != 0) {
+  CBS_init(&certificate_status, ssl->init_msg, ssl->init_num);
+  if (!CBS_get_u8(&certificate_status, &status_type) ||
+      status_type != TLSEXT_STATUSTYPE_ocsp ||
+      !CBS_get_u24_length_prefixed(&certificate_status, &ocsp_response) ||
+      CBS_len(&ocsp_response) == 0 ||
+      CBS_len(&certificate_status) != 0) {
     al = SSL_AD_DECODE_ERROR;
     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
     goto f_err;
   }
-  while (CBS_len(&certificate_list) > 0) {
-    CBS certificate;
-    if (!CBS_get_u24_length_prefixed(&certificate_list, &certificate)) {
-      al = SSL_AD_DECODE_ERROR;
-      OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_LENGTH_MISMATCH);
-      goto f_err;
-    }
-    /* A u24 length cannot overflow a long. */
-    data = CBS_data(&certificate);
-    x = d2i_X509(NULL, &data, (long)CBS_len(&certificate));
-    if (x == NULL) {
-      al = SSL_AD_BAD_CERTIFICATE;
-      OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);
-      goto f_err;
-    }
-    if (data != CBS_data(&certificate) + CBS_len(&certificate)) {
-      al = SSL_AD_DECODE_ERROR;
-      OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_LENGTH_MISMATCH);
-      goto f_err;
-    }
-    if (!sk_X509_push(sk, x)) {
-      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
-      goto err;
-    }
-    x = NULL;
-  }
-  X509 *leaf = sk_X509_value(sk, 0);
-  if (!ssl3_check_leaf_certificate(ssl, leaf)) {
-    al = SSL_AD_ILLEGAL_PARAMETER;
+  if (!CBS_stow(&ocsp_response, &ssl->s3->new_session->ocsp_response,
+                &ssl->s3->new_session->ocsp_response_length)) {
+    al = SSL_AD_INTERNAL_ERROR;
+    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
     goto f_err;
   }
+  return 1;
-  /* NOTE: Unlike the server half, the client's copy of |cert_chain| includes
-   * the leaf. */
-  sk_X509_pop_free(ssl->session->cert_chain, X509_free);
-  ssl->session->cert_chain = sk;
-  sk = NULL;
-  X509_free(ssl->session->peer);
-  ssl->session->peer = X509_up_ref(leaf);
-  ssl->session->verify_result = ssl->verify_result;
-  ret = 1;
+f_err:
+  ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
+  return -1;
+}
-  if (0) {
-  f_err:
-    ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
+static int ssl3_verify_server_cert(SSL *ssl) {
+  if (!ssl_verify_cert_chain(ssl, &ssl->s3->new_session->verify_result,
+                             ssl->s3->new_session->cert_chain)) {
+    return -1;
   }
-err:
-  EVP_PKEY_free(pkey);
-  X509_free(x);
-  sk_X509_pop_free(sk, X509_free);
-  return ret;
+  return 1;
 }
-int ssl3_get_server_key_exchange(SSL *ssl) {
-  EVP_MD_CTX md_ctx;
-  int al, ok;
+static int ssl3_get_server_key_exchange(SSL *ssl) {
+  int al;
   EVP_PKEY *pkey = NULL;
   DH *dh = NULL;
   EC_KEY *ecdh = NULL;
   EC_POINT *srvr_ecpoint = NULL;
-  /* use same message size as in ssl3_get_certificate_request() as
-   * ServerKeyExchange message may be skipped */
-  long n = ssl->method->ssl_get_message(
-      ssl, SSL3_ST_CR_KEY_EXCH_A, SSL3_ST_CR_KEY_EXCH_B, -1, ssl->max_cert_list,
-      ssl_hash_message, &ok);
-  if (!ok) {
-    return n;
+  int ret = ssl->method->ssl_get_message(ssl, -1, ssl_hash_message);
+  if (ret <= 0) {
+    return ret;
   }
   if (ssl->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) {
+    /* Some ciphers (pure PSK) have an optional ServerKeyExchange message. */
     if (ssl_cipher_requires_server_key_exchange(ssl->s3->tmp.new_cipher)) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
       return -1;
     }
-    /* In plain PSK ciphersuite, ServerKeyExchange may be omitted to send no
-     * identity hint. */
-    if (ssl->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK) {
-      /* TODO(davidben): This should be reset in one place with the rest of the
-       * handshake state. */
-      OPENSSL_free(ssl->s3->tmp.peer_psk_identity_hint);
-      ssl->s3->tmp.peer_psk_identity_hint = NULL;
-    }
     ssl->s3->tmp.reuse_message = 1;
     return 1;
   }
   /* Retain a copy of the original CBS to compute the signature over. */
   CBS server_key_exchange;
-  CBS_init(&server_key_exchange, ssl->init_msg, n);
+  CBS_init(&server_key_exchange, ssl->init_msg, ssl->init_num);
   CBS server_key_exchange_orig = server_key_exchange;
   uint32_t alg_k = ssl->s3->tmp.new_cipher->algorithm_mkey;
   uint32_t alg_a = ssl->s3->tmp.new_cipher->algorithm_auth;
-  EVP_MD_CTX_init(&md_ctx);
   if (alg_a & SSL_aPSK) {
     CBS psk_identity_hint;
@@ -1123,8 +1179,13 @@ int ssl3_get_server_key_exchange(SSL *ssl) {
       goto f_err;
     }
-    /* Save the identity hint as a C string. */
-    if (!CBS_strdup(&psk_identity_hint, &ssl->s3->tmp.peer_psk_identity_hint)) {
+    /* Save non-empty identity hints as a C string. Empty identity hints we
+     * treat as missing. Plain PSK makes it possible to send either no hint
+     * (omit ServerKeyExchange) or an empty hint, while ECDHE_PSK can only spell
+     * empty hint. Having different capabilities is odd, so we interpret empty
+     * and missing as identical. */
+    if (CBS_len(&psk_identity_hint) != 0 &&
+        !CBS_strdup(&psk_identity_hint, &ssl->s3->hs->peer_psk_identity_hint)) {
       al = SSL_AD_INTERNAL_ERROR;
       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
       goto f_err;
@@ -1155,11 +1216,11 @@ int ssl3_get_server_key_exchange(SSL *ssl) {
       goto err;
     }
-    ssl->session->key_exchange_info = DH_num_bits(dh);
-    if (ssl->session->key_exchange_info < 1024) {
+    ssl->s3->new_session->key_exchange_info = DH_num_bits(dh);
+    if (ssl->s3->new_session->key_exchange_info < 1024) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_DH_P_LENGTH);
       goto err;
-    } else if (ssl->session->key_exchange_info > 4096) {
+    } else if (ssl->s3->new_session->key_exchange_info > 4096) {
       /* Overly large DHE groups are prohibitively expensive, so enforce a limit
        * to prevent a server from causing us to perform too expensive of a
        * computation. */
@@ -1175,26 +1236,27 @@ int ssl3_get_server_key_exchange(SSL *ssl) {
     if (!CBS_stow(&dh_Ys, &ssl->s3->tmp.peer_key, &peer_key_len)) {
       goto err;
     }
-    /* |dh_Ys| has a u16 length prefix, so this fits in a |uint16_t|. */
+    /* |dh_Ys| was initialized with CBS_get_u16_length_prefixed, so peer_key_len
+     * fits in a uint16_t. */
     assert(sizeof(ssl->s3->tmp.peer_key_len) == 2 && peer_key_len <= 0xffff);
     ssl->s3->tmp.peer_key_len = (uint16_t)peer_key_len;
   } else if (alg_k & SSL_kECDHE) {
     /* Parse the server parameters. */
-    uint8_t curve_type;
-    uint16_t curve_id;
+    uint8_t group_type;
+    uint16_t group_id;
     CBS point;
-    if (!CBS_get_u8(&server_key_exchange, &curve_type) ||
-        curve_type != NAMED_CURVE_TYPE ||
-        !CBS_get_u16(&server_key_exchange, &curve_id) ||
+    if (!CBS_get_u8(&server_key_exchange, &group_type) ||
+        group_type != NAMED_CURVE_TYPE ||
+        !CBS_get_u16(&server_key_exchange, &group_id) ||
         !CBS_get_u8_length_prefixed(&server_key_exchange, &point)) {
       al = SSL_AD_DECODE_ERROR;
       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
       goto f_err;
     }
-    ssl->session->key_exchange_info = curve_id;
+    ssl->s3->new_session->key_exchange_info = group_id;
-    /* Ensure the curve is consistent with preferences. */
-    if (!tls1_check_curve_id(ssl, curve_id)) {
+    /* Ensure the group is consistent with preferences. */
+    if (!tls1_check_group_id(ssl, group_id)) {
       al = SSL_AD_ILLEGAL_PARAMETER;
       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
       goto f_err;
@@ -1202,11 +1264,29 @@ int ssl3_get_server_key_exchange(SSL *ssl) {
     /* Initialize ECDH and save the peer public key for later. */
     size_t peer_key_len;
-    if (!SSL_ECDH_CTX_init(&ssl->s3->tmp.ecdh_ctx, curve_id) ||
+    if (!SSL_ECDH_CTX_init(&ssl->s3->tmp.ecdh_ctx, group_id) ||
         !CBS_stow(&point, &ssl->s3->tmp.peer_key, &peer_key_len)) {
       goto err;
     }
-    /* |point| has a u8 length prefix, so this fits in a |uint16_t|. */
+    /* |point| was initialized with CBS_get_u8_length_prefixed, so peer_key_len
+     * fits in a uint16_t. */
+    assert(sizeof(ssl->s3->tmp.peer_key_len) == 2 && peer_key_len <= 0xffff);
+    ssl->s3->tmp.peer_key_len = (uint16_t)peer_key_len;
+  } else if (alg_k & SSL_kCECPQ1) {
+    SSL_ECDH_CTX_init_for_cecpq1(&ssl->s3->tmp.ecdh_ctx);
+    CBS key;
+    if (!CBS_get_u16_length_prefixed(&server_key_exchange, &key)) {
+      al = SSL_AD_DECODE_ERROR;
+      OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+      goto f_err;
+    }
+    size_t peer_key_len;
+    if (!CBS_stow(&key, &ssl->s3->tmp.peer_key, &peer_key_len)) {
+      goto err;
+    }
+    /* |key| was initialized with CBS_get_u16_length_prefixed, so peer_key_len
+     * fits in a uint16_t. */
     assert(sizeof(ssl->s3->tmp.peer_key_len) == 2 && peer_key_len <= 0xffff);
     ssl->s3->tmp.peer_key_len = (uint16_t)peer_key_len;
   } else if (!(alg_k & SSL_kPSK)) {
@@ -1223,29 +1303,31 @@ int ssl3_get_server_key_exchange(SSL *ssl) {
            CBS_len(&server_key_exchange_orig) - CBS_len(&server_key_exchange));
   /* ServerKeyExchange should be signed by the server's public key. */
-  if (ssl_cipher_has_server_public_key(ssl->s3->tmp.new_cipher)) {
-    pkey = X509_get_pubkey(ssl->session->peer);
+  if (ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
+    pkey = X509_get_pubkey(ssl->s3->new_session->peer);
     if (pkey == NULL) {
       goto err;
     }
-    const EVP_MD *md = NULL;
+    uint16_t signature_algorithm = 0;
     if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) {
-      uint8_t hash, signature;
-      if (!CBS_get_u8(&server_key_exchange, &hash) ||
-          !CBS_get_u8(&server_key_exchange, &signature)) {
+      if (!CBS_get_u16(&server_key_exchange, &signature_algorithm)) {
         al = SSL_AD_DECODE_ERROR;
         OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
         goto f_err;
       }
-      if (!tls12_check_peer_sigalg(ssl, &md, &al, hash, signature, pkey)) {
+      if (!tls12_check_peer_sigalg(ssl, &al, signature_algorithm)) {
         goto f_err;
       }
-      ssl->s3->tmp.server_key_exchange_hash = hash;
+      ssl->s3->tmp.peer_signature_algorithm = signature_algorithm;
     } else if (pkey->type == EVP_PKEY_RSA) {
-      md = EVP_md5_sha1();
+      signature_algorithm = SSL_SIGN_RSA_PKCS1_MD5_SHA1;
+    } else if (pkey->type == EVP_PKEY_EC) {
+      signature_algorithm = SSL_SIGN_ECDSA_SHA1;
     } else {
-      md = EVP_sha1();
+      al = SSL_AD_UNSUPPORTED_CERTIFICATE;
+      OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
+      goto f_err;
     }
     /* The last field in |server_key_exchange| is the signature. */
@@ -1257,15 +1339,30 @@ int ssl3_get_server_key_exchange(SSL *ssl) {
       goto f_err;
     }
-    if (!EVP_DigestVerifyInit(&md_ctx, NULL, md, NULL, pkey) ||
-        !EVP_DigestVerifyUpdate(&md_ctx, ssl->s3->client_random,
-                                SSL3_RANDOM_SIZE) ||
-        !EVP_DigestVerifyUpdate(&md_ctx, ssl->s3->server_random,
-                                SSL3_RANDOM_SIZE) ||
-        !EVP_DigestVerifyUpdate(&md_ctx, CBS_data(&parameter),
-                                CBS_len(&parameter)) ||
-        !EVP_DigestVerifyFinal(&md_ctx, CBS_data(&signature),
-                               CBS_len(&signature))) {
+    CBB transcript;
+    uint8_t *transcript_data;
+    size_t transcript_len;
+    if (!CBB_init(&transcript, 2*SSL3_RANDOM_SIZE + CBS_len(&parameter)) ||
+        !CBB_add_bytes(&transcript, ssl->s3->client_random, SSL3_RANDOM_SIZE) ||
+        !CBB_add_bytes(&transcript, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||
+        !CBB_add_bytes(&transcript, CBS_data(&parameter), CBS_len(&parameter)) ||
+        !CBB_finish(&transcript, &transcript_data, &transcript_len)) {
+      CBB_cleanup(&transcript);
+      al = SSL_AD_INTERNAL_ERROR;
+      OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+      goto f_err;
+    }
+    int sig_ok = ssl_public_key_verify(
+        ssl, CBS_data(&signature), CBS_len(&signature), signature_algorithm,
+        pkey, transcript_data, transcript_len);
+    OPENSSL_free(transcript_data);
+#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
+    sig_ok = 1;
+    ERR_clear_error();
+#endif
+    if (!sig_ok) {
       /* bad signature */
       al = SSL_AD_DECRYPT_ERROR;
       OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
@@ -1282,7 +1379,6 @@ int ssl3_get_server_key_exchange(SSL *ssl) {
     }
   }
   EVP_PKEY_free(pkey);
-  EVP_MD_CTX_cleanup(&md_ctx);
   return 1;
 f_err:
@@ -1292,35 +1388,18 @@ err:
   DH_free(dh);
   EC_POINT_free(srvr_ecpoint);
   EC_KEY_free(ecdh);
-  EVP_MD_CTX_cleanup(&md_ctx);
   return -1;
 }
-static int ca_dn_cmp(const X509_NAME **a, const X509_NAME **b) {
-  return X509_NAME_cmp(*a, *b);
-}
-int ssl3_get_certificate_request(SSL *ssl) {
-  int ok, ret = 0;
-  unsigned long n;
-  X509_NAME *xn = NULL;
-  STACK_OF(X509_NAME) *ca_sk = NULL;
-  CBS cbs;
-  CBS certificate_types;
-  CBS certificate_authorities;
-  const uint8_t *data;
-  n = ssl->method->ssl_get_message(ssl, SSL3_ST_CR_CERT_REQ_A,
-                                 SSL3_ST_CR_CERT_REQ_B, -1, ssl->max_cert_list,
-                                 ssl_hash_message, &ok);
-  if (!ok) {
-    return n;
+static int ssl3_get_certificate_request(SSL *ssl) {
+  int msg_ret = ssl->method->ssl_get_message(ssl, -1, ssl_hash_message);
+  if (msg_ret <= 0) {
+    return msg_ret;
   }
-  ssl->s3->tmp.cert_req = 0;
+  ssl->s3->tmp.cert_request = 0;
-  if (ssl->s3->tmp.message_type == SSL3_MT_SERVER_DONE) {
+  if (ssl->s3->tmp.message_type == SSL3_MT_SERVER_HELLO_DONE) {
     ssl->s3->tmp.reuse_message = 1;
     /* If we get here we don't need the handshake buffer as we won't be doing
      * client auth. */
@@ -1330,29 +1409,25 @@ int ssl3_get_certificate_request(SSL *ssl) {
   if (ssl->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
-    OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_MESSAGE_TYPE);
-    goto err;
+    OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
+    return -1;
   }
-  CBS_init(&cbs, ssl->init_msg, n);
-  ca_sk = sk_X509_NAME_new(ca_dn_cmp);
-  if (ca_sk == NULL) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
-    goto err;
-  }
+  CBS cbs;
+  CBS_init(&cbs, ssl->init_msg, ssl->init_num);
-  /* get the certificate types */
+  /* Get the certificate types. */
+  CBS certificate_types;
   if (!CBS_get_u8_length_prefixed(&cbs, &certificate_types)) {
     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
-    goto err;
+    return -1;
   }
   if (!CBS_stow(&certificate_types, &ssl->s3->tmp.certificate_types,
                 &ssl->s3->tmp.num_certificate_types)) {
     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
-    goto err;
+    return -1;
   }
   if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) {
@@ -1361,223 +1436,111 @@ int ssl3_get_certificate_request(SSL *ssl) {
         !tls1_parse_peer_sigalgs(ssl, &supported_signature_algorithms)) {
       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
-      goto err;
+      return -1;
     }
   }
-  /* get the CA RDNs */
-  if (!CBS_get_u16_length_prefixed(&cbs, &certificate_authorities)) {
-    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-    OPENSSL_PUT_ERROR(SSL, SSL_R_LENGTH_MISMATCH);
-    goto err;
+  uint8_t alert;
+  STACK_OF(X509_NAME) *ca_sk = ssl_parse_client_CA_list(ssl, &alert, &cbs);
+  if (ca_sk == NULL) {
+    ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
+    return -1;
   }
-  while (CBS_len(&certificate_authorities) > 0) {
-    CBS distinguished_name;
-    if (!CBS_get_u16_length_prefixed(&certificate_authorities,
-                                     &distinguished_name)) {
-      ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-      OPENSSL_PUT_ERROR(SSL, SSL_R_CA_DN_TOO_LONG);
-      goto err;
-    }
-    data = CBS_data(&distinguished_name);
-    /* A u16 length cannot overflow a long. */
-    xn = d2i_X509_NAME(NULL, &data, (long)CBS_len(&distinguished_name));
-    if (xn == NULL) {
-      ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-      OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);
-      goto err;
-    }
-    if (!CBS_skip(&distinguished_name, data - CBS_data(&distinguished_name))) {
-      ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-      OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-      goto err;
-    }
-    if (CBS_len(&distinguished_name) != 0) {
-      ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-      OPENSSL_PUT_ERROR(SSL, SSL_R_CA_DN_LENGTH_MISMATCH);
-      goto err;
-    }
-    if (!sk_X509_NAME_push(ca_sk, xn)) {
-      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
-      goto err;
-    }
+  if (CBS_len(&cbs) != 0) {
+    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
+    sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
+    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+    return -1;
   }
-  /* we should setup a certificate to return.... */
-  ssl->s3->tmp.cert_req = 1;
+  ssl->s3->tmp.cert_request = 1;
   sk_X509_NAME_pop_free(ssl->s3->tmp.ca_names, X509_NAME_free);
   ssl->s3->tmp.ca_names = ca_sk;
-  ca_sk = NULL;
-  ret = 1;
-err:
-  sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
-  return ret;
+  return 1;
 }
-int ssl3_get_new_session_ticket(SSL *ssl) {
-  int ok, al;
-  long n = ssl->method->ssl_get_message(
-      ssl, SSL3_ST_CR_SESSION_TICKET_A, SSL3_ST_CR_SESSION_TICKET_B,
-      SSL3_MT_NEWSESSION_TICKET, 16384, ssl_hash_message, &ok);
-  if (!ok) {
-    return n;
+static int ssl3_get_server_hello_done(SSL *ssl) {
+  int ret = ssl->method->ssl_get_message(ssl, SSL3_MT_SERVER_HELLO_DONE,
+                                         ssl_hash_message);
+  if (ret <= 0) {
+    return ret;
   }
-  CBS new_session_ticket, ticket;
-  uint32_t ticket_lifetime_hint;
-  CBS_init(&new_session_ticket, ssl->init_msg, n);
-  if (!CBS_get_u32(&new_session_ticket, &ticket_lifetime_hint) ||
-      !CBS_get_u16_length_prefixed(&new_session_ticket, &ticket) ||
-      CBS_len(&new_session_ticket) != 0) {
-    al = SSL_AD_DECODE_ERROR;
+  /* ServerHelloDone is empty. */
+  if (ssl->init_num > 0) {
+    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
-    goto f_err;
-  }
-  if (CBS_len(&ticket) == 0) {
-    /* RFC 5077 allows a server to change its mind and send no ticket after
-     * negotiating the extension. The value of |tlsext_ticket_expected| is
-     * checked in |ssl_update_cache| so is cleared here to avoid an unnecessary
-     * update. */
-    ssl->tlsext_ticket_expected = 0;
-    return 1;
-  }
-  if (ssl->hit) {
-    /* The server is sending a new ticket for an existing session. Sessions are
-     * immutable once established, so duplicate all but the ticket of the
-     * existing session. */
-    uint8_t *bytes;
-    size_t bytes_len;
-    if (!SSL_SESSION_to_bytes_for_ticket(ssl->session, &bytes, &bytes_len)) {
-      goto err;
-    }
-    SSL_SESSION *new_session = SSL_SESSION_from_bytes(bytes, bytes_len);
-    OPENSSL_free(bytes);
-    if (new_session == NULL) {
-      /* This should never happen. */
-      OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-      goto err;
-    }
-    SSL_SESSION_free(ssl->session);
-    ssl->session = new_session;
-  }
-  if (!CBS_stow(&ticket, &ssl->session->tlsext_tick,
-                &ssl->session->tlsext_ticklen)) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
-    goto err;
-  }
-  ssl->session->tlsext_tick_lifetime_hint = ticket_lifetime_hint;
-  /* Generate a session ID for this session based on the session ticket. We use
-   * the session ID mechanism for detecting ticket resumption. This also fits in
-   * with assumptions elsewhere in OpenSSL.*/
-  if (!EVP_Digest(CBS_data(&ticket), CBS_len(&ticket), ssl->session->session_id,
-                  &ssl->session->session_id_length, EVP_sha256(), NULL)) {
-    goto err;
+    return -1;
   }
   return 1;
-f_err:
-  ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
-err:
-  return -1;
 }
-int ssl3_get_cert_status(SSL *ssl) {
-  int ok, al;
-  long n;
-  CBS certificate_status, ocsp_response;
-  uint8_t status_type;
-  n = ssl->method->ssl_get_message(
-      ssl, SSL3_ST_CR_CERT_STATUS_A, SSL3_ST_CR_CERT_STATUS_B,
-      -1, 16384, ssl_hash_message, &ok);
-  if (!ok) {
-    return n;
-  }
-  if (ssl->s3->tmp.message_type != SSL3_MT_CERTIFICATE_STATUS) {
-    /* A server may send status_request in ServerHello and then change
-     * its mind about sending CertificateStatus. */
-    ssl->s3->tmp.reuse_message = 1;
-    return 1;
-  }
-  CBS_init(&certificate_status, ssl->init_msg, n);
-  if (!CBS_get_u8(&certificate_status, &status_type) ||
-      status_type != TLSEXT_STATUSTYPE_ocsp ||
-      !CBS_get_u24_length_prefixed(&certificate_status, &ocsp_response) ||
-      CBS_len(&ocsp_response) == 0 ||
-      CBS_len(&certificate_status) != 0) {
-    al = SSL_AD_DECODE_ERROR;
-    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
-    goto f_err;
-  }
+static int ssl3_send_client_certificate(SSL *ssl) {
+  if (ssl->state == SSL3_ST_CW_CERT_A) {
+    /* Call cert_cb to update the certificate. */
+    if (ssl->cert->cert_cb) {
+      int ret = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
+      if (ret < 0) {
+        ssl->rwstate = SSL_X509_LOOKUP;
+        return -1;
+      }
+      if (ret == 0) {
+        ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+        return -1;
+      }
+    }
-  if (!CBS_stow(&ocsp_response, &ssl->session->ocsp_response,
-                &ssl->session->ocsp_response_length)) {
-    al = SSL_AD_INTERNAL_ERROR;
-    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
-    goto f_err;
+    ssl->state = SSL3_ST_CW_CERT_B;
   }
-  return 1;
-f_err:
-  ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
-  return -1;
-}
-int ssl3_get_server_done(SSL *ssl) {
-  int ok;
-  long n;
+  if (ssl->state == SSL3_ST_CW_CERT_B) {
+    /* Call client_cert_cb to update the certificate. */
+    int should_retry;
+    if (!ssl_do_client_cert_cb(ssl, &should_retry)) {
+      if (should_retry) {
+        ssl->rwstate = SSL_X509_LOOKUP;
+      }
+      return -1;
+    }
-  n = ssl->method->ssl_get_message(ssl, SSL3_ST_CR_SRVR_DONE_A,
-                                 SSL3_ST_CR_SRVR_DONE_B, SSL3_MT_SERVER_DONE,
-                                 30, /* should be very small, like 0 :-) */
-                                 ssl_hash_message, &ok);
+    if (!ssl_has_certificate(ssl)) {
+      ssl->s3->tmp.cert_request = 0;
+      /* Without a client certificate, the handshake buffer may be released. */
+      ssl3_free_handshake_buffer(ssl);
-  if (!ok) {
-    return n;
-  }
+      if (ssl->version == SSL3_VERSION) {
+        /* In SSL 3.0, send no certificate by skipping both messages. */
+        ssl3_send_alert(ssl, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE);
+        return 1;
+      }
+    }
-  if (n > 0) {
-    /* should contain no data */
-    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-    OPENSSL_PUT_ERROR(SSL, SSL_R_LENGTH_MISMATCH);
-    return -1;
+    if (!ssl3_output_cert_chain(ssl)) {
+      return -1;
+    }
+    ssl->state = SSL3_ST_CW_CERT_C;
   }
-  return 1;
+  assert(ssl->state == SSL3_ST_CW_CERT_C);
+  return ssl->method->write_message(ssl);
 }
 OPENSSL_COMPILE_ASSERT(sizeof(size_t) >= sizeof(unsigned),
                        SIZE_T_IS_SMALLER_THAN_UNSIGNED);
-int ssl3_send_client_key_exchange(SSL *ssl) {
+static int ssl3_send_client_key_exchange(SSL *ssl) {
   if (ssl->state == SSL3_ST_CW_KEY_EXCH_B) {
-    return ssl_do_write(ssl);
+    return ssl->method->write_message(ssl);
   }
   assert(ssl->state == SSL3_ST_CW_KEY_EXCH_A);
   uint8_t *pms = NULL;
   size_t pms_len = 0;
-  CBB cbb;
-  if (!CBB_init_fixed(&cbb, ssl_handshake_start(ssl),
-                      ssl->init_buf->max - SSL_HM_HEADER_LENGTH(ssl))) {
+  CBB cbb, body;
+  if (!ssl->method->init_message(ssl, &cbb, &body,
+                                 SSL3_MT_CLIENT_KEY_EXCHANGE)) {
     goto err;
   }
@@ -1596,7 +1559,7 @@ int ssl3_send_client_key_exchange(SSL *ssl) {
     char identity[PSK_MAX_IDENTITY_LEN + 1];
     memset(identity, 0, sizeof(identity));
     psk_len = ssl->psk_client_callback(
-        ssl, ssl->s3->tmp.peer_psk_identity_hint, identity, sizeof(identity),
+        ssl, ssl->s3->hs->peer_psk_identity_hint, identity, sizeof(identity),
         psk, sizeof(psk));
     if (psk_len == 0) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);
@@ -1605,19 +1568,19 @@ int ssl3_send_client_key_exchange(SSL *ssl) {
     }
     assert(psk_len <= PSK_MAX_PSK_LEN);
-    OPENSSL_free(ssl->session->psk_identity);
-    ssl->session->psk_identity = BUF_strdup(identity);
-    if (ssl->session->psk_identity == NULL) {
+    OPENSSL_free(ssl->s3->new_session->psk_identity);
+    ssl->s3->new_session->psk_identity = BUF_strdup(identity);
+    if (ssl->s3->new_session->psk_identity == NULL) {
       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
       goto err;
     }
     /* Write out psk_identity. */
     CBB child;
-    if (!CBB_add_u16_length_prefixed(&cbb, &child) ||
+    if (!CBB_add_u16_length_prefixed(&body, &child) ||
         !CBB_add_bytes(&child, (const uint8_t *)identity,
                        OPENSSL_strnlen(identity, sizeof(identity))) ||
-        !CBB_flush(&cbb)) {
+        !CBB_flush(&body)) {
       goto err;
     }
   }
@@ -1631,7 +1594,7 @@ int ssl3_send_client_key_exchange(SSL *ssl) {
       goto err;
     }
-    EVP_PKEY *pkey = X509_get_pubkey(ssl->session->peer);
+    EVP_PKEY *pkey = X509_get_pubkey(ssl->s3->new_session->peer);
     if (pkey == NULL) {
       goto err;
     }
@@ -1643,7 +1606,6 @@ int ssl3_send_client_key_exchange(SSL *ssl) {
       goto err;
     }
-    ssl->session->key_exchange_info = EVP_PKEY_bits(pkey);
     EVP_PKEY_free(pkey);
     pms[0] = ssl->client_version >> 8;
@@ -1652,11 +1614,11 @@ int ssl3_send_client_key_exchange(SSL *ssl) {
       goto err;
     }
-    CBB child, *enc_pms = &cbb;
+    CBB child, *enc_pms = &body;
     size_t enc_pms_len;
     /* In TLS, there is a length prefix. */
     if (ssl->version > SSL3_VERSION) {
-      if (!CBB_add_u16_length_prefixed(&cbb, &child)) {
+      if (!CBB_add_u16_length_prefixed(&body, &child)) {
         goto err;
       }
       enc_pms = &child;
@@ -1669,34 +1631,27 @@ int ssl3_send_client_key_exchange(SSL *ssl) {
         /* Log the premaster secret, if logging is enabled. */
         !ssl_log_rsa_client_key_exchange(ssl, ptr, enc_pms_len, pms, pms_len) ||
         !CBB_did_write(enc_pms, enc_pms_len) ||
-        !CBB_flush(&cbb)) {
+        !CBB_flush(&body)) {
       goto err;
     }
-  } else if (alg_k & (SSL_kECDHE|SSL_kDHE)) {
-    /* Generate a keypair and serialize the public half. ECDHE uses a u8 length
-     * prefix while DHE uses u16. */
+  } else if (alg_k & (SSL_kECDHE|SSL_kDHE|SSL_kCECPQ1)) {
+    /* Generate a keypair and serialize the public half. */
     CBB child;
-    int child_ok;
-    if (alg_k & SSL_kECDHE) {
-      child_ok = CBB_add_u8_length_prefixed(&cbb, &child);
-    } else {
-      child_ok = CBB_add_u16_length_prefixed(&cbb, &child);
-    }
-    if (!child_ok ||
-        !SSL_ECDH_CTX_generate_keypair(&ssl->s3->tmp.ecdh_ctx, &child) ||
-        !CBB_flush(&cbb)) {
+    if (!SSL_ECDH_CTX_add_key(&ssl->s3->tmp.ecdh_ctx, &body, &child)) {
       goto err;
     }
     /* Compute the premaster. */
     uint8_t alert;
-    if (!SSL_ECDH_CTX_compute_secret(&ssl->s3->tmp.ecdh_ctx, &pms, &pms_len,
-                                     &alert, ssl->s3->tmp.peer_key,
-                                     ssl->s3->tmp.peer_key_len)) {
+    if (!SSL_ECDH_CTX_accept(&ssl->s3->tmp.ecdh_ctx, &child, &pms, &pms_len,
+                             &alert, ssl->s3->tmp.peer_key,
+                             ssl->s3->tmp.peer_key_len)) {
       ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
       goto err;
     }
+    if (!CBB_flush(&body)) {
+      goto err;
+    }
     /* The key exchange state may now be discarded. */
     SSL_ECDH_CTX_cleanup(&ssl->s3->tmp.ecdh_ctx);
@@ -1744,26 +1699,26 @@ int ssl3_send_client_key_exchange(SSL *ssl) {
   /* The message must be added to the finished hash before calculating the
    * master secret. */
-  size_t length;
-  if (!CBB_finish(&cbb, NULL, &length) ||
-      !ssl_set_handshake_header(ssl, SSL3_MT_CLIENT_KEY_EXCHANGE, length)) {
+  if (!ssl->method->finish_message(ssl, &cbb)) {
     goto err;
   }
   ssl->state = SSL3_ST_CW_KEY_EXCH_B;
-  ssl->session->master_key_length =
-      tls1_generate_master_secret(ssl, ssl->session->master_key, pms, pms_len);
-  if (ssl->session->master_key_length == 0) {
+  ssl->s3->new_session->master_key_length =
+      tls1_generate_master_secret(ssl, ssl->s3->new_session->master_key, pms,
+                                  pms_len);
+  if (ssl->s3->new_session->master_key_length == 0) {
     goto err;
   }
-  ssl->session->extended_master_secret = ssl->s3->tmp.extended_master_secret;
+  ssl->s3->new_session->extended_master_secret =
+      ssl->s3->tmp.extended_master_secret;
   OPENSSL_cleanse(pms, pms_len);
   OPENSSL_free(pms);
-  /* SSL3_ST_CW_KEY_EXCH_B */
-  return ssl_do_write(ssl);
+  return ssl->method->write_message(ssl);
 err:
+  CBB_cleanup(&cbb);
   if (pms != NULL) {
     OPENSSL_cleanse(pms, pms_len);
     OPENSSL_free(pms);
@@ -1771,75 +1726,88 @@ err:
   return -1;
 }
-int ssl3_send_cert_verify(SSL *ssl) {
+static int ssl3_send_cert_verify(SSL *ssl) {
   if (ssl->state == SSL3_ST_CW_CERT_VRFY_C) {
-    return ssl_do_write(ssl);
+    return ssl->method->write_message(ssl);
   }
-  CBB cbb, child;
-  if (!CBB_init_fixed(&cbb, ssl_handshake_start(ssl),
-                      ssl->init_buf->max - SSL_HM_HEADER_LENGTH(ssl))) {
+  assert(ssl_has_private_key(ssl));
+  CBB cbb, body, child;
+  if (!ssl->method->init_message(ssl, &cbb, &body,
+                                 SSL3_MT_CERTIFICATE_VERIFY)) {
     goto err;
   }
-  assert(ssl_has_private_key(ssl));
+  uint16_t signature_algorithm;
+  if (!tls1_choose_signature_algorithm(ssl, &signature_algorithm)) {
+    goto err;
+  }
+  if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) {
+    /* Write out the digest type in TLS 1.2. */
+    if (!CBB_add_u16(&body, signature_algorithm)) {
+      OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+      goto err;
+    }
+  }
+  /* Set aside space for the signature. */
   const size_t max_sig_len = ssl_private_key_max_signature_len(ssl);
-  size_t sig_len;
+  uint8_t *ptr;
+  if (!CBB_add_u16_length_prefixed(&body, &child) ||
+      !CBB_reserve(&child, &ptr, max_sig_len)) {
+    goto err;
+  }
+  size_t sig_len = max_sig_len;
   enum ssl_private_key_result_t sign_result;
   if (ssl->state == SSL3_ST_CW_CERT_VRFY_A) {
-    /* Select and write out the digest type in TLS 1.2. */
-    const EVP_MD *md = NULL;
-    if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) {
-      md = tls1_choose_signing_digest(ssl);
-      if (!tls12_add_sigandhash(ssl, &cbb, md)) {
-        OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+    /* The SSL3 construction for CertificateVerify does not decompose into a
+     * single final digest and signature, and must be special-cased. */
+    if (ssl3_protocol_version(ssl) == SSL3_VERSION) {
+      if (ssl->cert->key_method != NULL) {
+        OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY);
         goto err;
       }
-    }
-    /* Compute the digest. In TLS 1.1 and below, the digest type is also
-     * selected here. */
-    uint8_t digest[EVP_MAX_MD_SIZE];
-    size_t digest_len;
-    if (!ssl3_cert_verify_hash(ssl, digest, &digest_len, &md,
-                               ssl_private_key_type(ssl))) {
-      goto err;
+      const EVP_MD *md;
+      uint8_t digest[EVP_MAX_MD_SIZE];
+      size_t digest_len;
+      if (!ssl3_cert_verify_hash(ssl, &md, digest, &digest_len,
+                                 signature_algorithm)) {
+        goto err;
+      }
+      sign_result = ssl_private_key_success;
+      EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(ssl->cert->privatekey, NULL);
+      if (pctx == NULL ||
+          !EVP_PKEY_sign_init(pctx) ||
+          !EVP_PKEY_CTX_set_signature_md(pctx, md) ||
+          !EVP_PKEY_sign(pctx, ptr, &sig_len, digest, digest_len)) {
+        EVP_PKEY_CTX_free(pctx);
+        sign_result = ssl_private_key_failure;
+        goto err;
+      }
+      EVP_PKEY_CTX_free(pctx);
+    } else {
+      sign_result = ssl_private_key_sign(
+          ssl, ptr, &sig_len, max_sig_len, signature_algorithm,
+          (const uint8_t *)ssl->s3->handshake_buffer->data,
+          ssl->s3->handshake_buffer->length);
     }
     /* The handshake buffer is no longer necessary. */
     ssl3_free_handshake_buffer(ssl);
-    /* Sign the digest. */
-    uint8_t *ptr;
-    if (!CBB_add_u16_length_prefixed(&cbb, &child) ||
-        !CBB_reserve(&child, &ptr, max_sig_len)) {
-      goto err;
-    }
-    sign_result = ssl_private_key_sign(ssl, ptr, &sig_len, max_sig_len, md,
-                                       digest, digest_len);
   } else {
     assert(ssl->state == SSL3_ST_CW_CERT_VRFY_B);
-    /* Skip over the already written signature algorithm and retry the
-     * signature. */
-    uint8_t *ptr;
-    if ((ssl3_protocol_version(ssl) >= TLS1_2_VERSION &&
-         !CBB_did_write(&cbb, 2)) ||
-        !CBB_add_u16_length_prefixed(&cbb, &child) ||
-        !CBB_reserve(&child, &ptr, max_sig_len)) {
-      goto err;
-    }
-    sign_result =
-        ssl_private_key_sign_complete(ssl, ptr, &sig_len, max_sig_len);
+    sign_result = ssl_private_key_complete(ssl, ptr, &sig_len, max_sig_len);
   }
   switch (sign_result) {
     case ssl_private_key_success:
-      ssl->rwstate = SSL_NOTHING;
       break;
     case ssl_private_key_failure:
-      ssl->rwstate = SSL_NOTHING;
       goto err;
     case ssl_private_key_retry:
       ssl->rwstate = SSL_PRIVATE_KEY_OPERATION;
@@ -1847,118 +1815,22 @@ int ssl3_send_cert_verify(SSL *ssl) {
       goto err;
   }
-  size_t length;
   if (!CBB_did_write(&child, sig_len) ||
-      !CBB_finish(&cbb, NULL, &length) ||
-      !ssl_set_handshake_header(ssl, SSL3_MT_CERTIFICATE_VERIFY, length)) {
+      !ssl->method->finish_message(ssl, &cbb)) {
     goto err;
   }
   ssl->state = SSL3_ST_CW_CERT_VRFY_C;
-  return ssl_do_write(ssl);
+  return ssl->method->write_message(ssl);
 err:
   CBB_cleanup(&cbb);
   return -1;
 }
-/* ssl3_has_client_certificate returns true if a client certificate is
- * configured. */
-static int ssl3_has_client_certificate(SSL *ssl) {
-  return ssl->cert && ssl->cert->x509 && ssl_has_private_key(ssl);
-}
-int ssl3_send_client_certificate(SSL *ssl) {
-  X509 *x509 = NULL;
-  EVP_PKEY *pkey = NULL;
-  int i;
-  if (ssl->state == SSL3_ST_CW_CERT_A) {
-    /* Let cert callback update client certificates if required */
-    if (ssl->cert->cert_cb) {
-      i = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
-      if (i < 0) {
-        ssl->rwstate = SSL_X509_LOOKUP;
-        return -1;
-      }
-      if (i == 0) {
-        ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
-        return 0;
-      }
-      ssl->rwstate = SSL_NOTHING;
-    }
-    if (ssl3_has_client_certificate(ssl)) {
-      ssl->state = SSL3_ST_CW_CERT_C;
-    } else {
-      ssl->state = SSL3_ST_CW_CERT_B;
-    }
-  }
-  /* We need to get a client cert */
-  if (ssl->state == SSL3_ST_CW_CERT_B) {
-    /* If we get an error, we need to:
-     *   ssl->rwstate=SSL_X509_LOOKUP; return(-1);
-     * We then get retried later */
-    i = ssl_do_client_cert_cb(ssl, &x509, &pkey);
-    if (i < 0) {
-      ssl->rwstate = SSL_X509_LOOKUP;
-      return -1;
-    }
-    ssl->rwstate = SSL_NOTHING;
-    if (i == 1 && pkey != NULL && x509 != NULL) {
-      ssl->state = SSL3_ST_CW_CERT_B;
-      if (!SSL_use_certificate(ssl, x509) || !SSL_use_PrivateKey(ssl, pkey)) {
-        i = 0;
-      }
-    } else if (i == 1) {
-      i = 0;
-      OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
-    }
-    X509_free(x509);
-    EVP_PKEY_free(pkey);
-    if (i && !ssl3_has_client_certificate(ssl)) {
-      i = 0;
-    }
-    if (i == 0) {
-      if (ssl->version == SSL3_VERSION) {
-        ssl->s3->tmp.cert_req = 0;
-        ssl3_send_alert(ssl, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE);
-        return 1;
-      } else {
-        ssl->s3->tmp.cert_req = 2;
-        /* There is no client certificate, so the handshake buffer may be
-         * released. */
-        ssl3_free_handshake_buffer(ssl);
-      }
-    }
-    /* Ok, we have a cert */
-    ssl->state = SSL3_ST_CW_CERT_C;
-  }
-  if (ssl->state == SSL3_ST_CW_CERT_C) {
-    if (ssl->s3->tmp.cert_req == 2) {
-      /* Send an empty Certificate message. */
-      uint8_t *p = ssl_handshake_start(ssl);
-      l2n3(0, p);
-      if (!ssl_set_handshake_header(ssl, SSL3_MT_CERTIFICATE, 3)) {
-        return -1;
-      }
-    } else if (!ssl3_output_cert_chain(ssl)) {
-      return -1;
-    }
-    ssl->state = SSL3_ST_CW_CERT_D;
-  }
-  /* SSL3_ST_CW_CERT_D */
-  return ssl_do_write(ssl);
-}
-int ssl3_send_next_proto(SSL *ssl) {
+static int ssl3_send_next_proto(SSL *ssl) {
   if (ssl->state == SSL3_ST_CW_NEXT_PROTO_B) {
-    return ssl_do_write(ssl);
+    return ssl->method->write_message(ssl);
   }
   assert(ssl->state == SSL3_ST_CW_NEXT_PROTO_A);
@@ -1966,30 +1838,26 @@ int ssl3_send_next_proto(SSL *ssl) {
   static const uint8_t kZero[32] = {0};
   size_t padding_len = 32 - ((ssl->s3->next_proto_negotiated_len + 2) % 32);
-  CBB cbb, child;
-  size_t length;
-  CBB_zero(&cbb);
-  if (!CBB_init_fixed(&cbb, ssl_handshake_start(ssl),
-                      ssl->init_buf->max - SSL_HM_HEADER_LENGTH(ssl)) ||
-      !CBB_add_u8_length_prefixed(&cbb, &child) ||
+  CBB cbb, body, child;
+  if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_NEXT_PROTO) ||
+      !CBB_add_u8_length_prefixed(&body, &child) ||
       !CBB_add_bytes(&child, ssl->s3->next_proto_negotiated,
                      ssl->s3->next_proto_negotiated_len) ||
-      !CBB_add_u8_length_prefixed(&cbb, &child) ||
+      !CBB_add_u8_length_prefixed(&body, &child) ||
       !CBB_add_bytes(&child, kZero, padding_len) ||
-      !CBB_finish(&cbb, NULL, &length) ||
-      !ssl_set_handshake_header(ssl, SSL3_MT_NEXT_PROTO, length)) {
+      !ssl->method->finish_message(ssl, &cbb)) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
     CBB_cleanup(&cbb);
     return -1;
   }
   ssl->state = SSL3_ST_CW_NEXT_PROTO_B;
-  return ssl_do_write(ssl);
+  return ssl->method->write_message(ssl);
 }
-int ssl3_send_channel_id(SSL *ssl) {
+static int ssl3_send_channel_id(SSL *ssl) {
   if (ssl->state == SSL3_ST_CW_CHANNEL_ID_B) {
-    return ssl_do_write(ssl);
+    return ssl->method->write_message(ssl);
   }
   assert(ssl->state == SSL3_ST_CW_CHANNEL_ID_A);
@@ -2010,7 +1878,6 @@ int ssl3_send_channel_id(SSL *ssl) {
     ssl->rwstate = SSL_CHANNEL_ID_LOOKUP;
     return -1;
   }
-  ssl->rwstate = SSL_NOTHING;
   EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(ssl->tlsext_channel_id_private);
   if (ec_key == NULL) {
@@ -2040,26 +1907,21 @@ int ssl3_send_channel_id(SSL *ssl) {
     goto err;
   }
-  CBB cbb, child;
-  size_t length;
-  CBB_zero(&cbb);
-  if (!CBB_init_fixed(&cbb, ssl_handshake_start(ssl),
-                      ssl->init_buf->max - SSL_HM_HEADER_LENGTH(ssl)) ||
-      !CBB_add_u16(&cbb, TLSEXT_TYPE_channel_id) ||
-      !CBB_add_u16_length_prefixed(&cbb, &child) ||
-      !BN_bn2cbb_padded(&child, 32, x) ||
-      !BN_bn2cbb_padded(&child, 32, y) ||
+  CBB cbb, body, child;
+  if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CHANNEL_ID) ||
+      !CBB_add_u16(&body, TLSEXT_TYPE_channel_id) ||
+      !CBB_add_u16_length_prefixed(&body, &child) ||
+      !BN_bn2cbb_padded(&child, 32, x) || !BN_bn2cbb_padded(&child, 32, y) ||
       !BN_bn2cbb_padded(&child, 32, sig->r) ||
       !BN_bn2cbb_padded(&child, 32, sig->s) ||
-      !CBB_finish(&cbb, NULL, &length) ||
-      !ssl_set_handshake_header(ssl, SSL3_MT_ENCRYPTED_EXTENSIONS, length)) {
+      !ssl->method->finish_message(ssl, &cbb)) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
     CBB_cleanup(&cbb);
     goto err;
   }
   ssl->state = SSL3_ST_CW_CHANNEL_ID_B;
-  ret = ssl_do_write(ssl);
+  ret = ssl->method->write_message(ssl);
 err:
   BN_free(x);
@@ -2068,23 +1930,73 @@ err:
   return ret;
 }
-int ssl_do_client_cert_cb(SSL *ssl, X509 **out_x509, EVP_PKEY **out_pkey) {
-  if (ssl->ctx->client_cert_cb == NULL) {
-    return 0;
+static int ssl3_get_new_session_ticket(SSL *ssl) {
+  int ret = ssl->method->ssl_get_message(ssl, SSL3_MT_NEW_SESSION_TICKET,
+                                         ssl_hash_message);
+  if (ret <= 0) {
+    return ret;
   }
-  return ssl->ctx->client_cert_cb(ssl, out_x509, out_pkey);
-}
-int ssl3_verify_server_cert(SSL *ssl) {
-  int ret = ssl_verify_cert_chain(ssl, ssl->session->cert_chain);
-  if (ssl->verify_mode != SSL_VERIFY_NONE && ret <= 0) {
-    int al = ssl_verify_alarm_type(ssl->verify_result);
-    ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
-    OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED);
-  } else {
-    ret = 1;
-    ERR_clear_error(); /* but we keep ssl->verify_result */
+  CBS new_session_ticket, ticket;
+  uint32_t tlsext_tick_lifetime_hint;
+  CBS_init(&new_session_ticket, ssl->init_msg, ssl->init_num);
+  if (!CBS_get_u32(&new_session_ticket, &tlsext_tick_lifetime_hint) ||
+      !CBS_get_u16_length_prefixed(&new_session_ticket, &ticket) ||
+      CBS_len(&new_session_ticket) != 0) {
+    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
+    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+    return -1;
   }
-  return ret;
+  if (CBS_len(&ticket) == 0) {
+    /* RFC 5077 allows a server to change its mind and send no ticket after
+     * negotiating the extension. The value of |tlsext_ticket_expected| is
+     * checked in |ssl_update_cache| so is cleared here to avoid an unnecessary
+     * update. */
+    ssl->tlsext_ticket_expected = 0;
+    return 1;
+  }
+  int session_renewed = ssl->session != NULL;
+  SSL_SESSION *session = ssl->s3->new_session;
+  if (session_renewed) {
+    /* The server is sending a new ticket for an existing session. Sessions are
+     * immutable once established, so duplicate all but the ticket of the
+     * existing session. */
+    session = SSL_SESSION_dup(ssl->session, SSL_SESSION_INCLUDE_NONAUTH);
+    if (session == NULL) {
+      /* This should never happen. */
+      OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+      goto err;
+    }
+  }
+  if (!CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen)) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
+    goto err;
+  }
+  session->tlsext_tick_lifetime_hint = tlsext_tick_lifetime_hint;
+  /* Generate a session ID for this session based on the session ticket. We use
+   * the session ID mechanism for detecting ticket resumption. This also fits in
+   * with assumptions elsewhere in OpenSSL.*/
+  if (!EVP_Digest(CBS_data(&ticket), CBS_len(&ticket),
+                  session->session_id, &session->session_id_length,
+                  EVP_sha256(), NULL)) {
+    goto err;
+  }
+  if (session_renewed) {
+    session->not_resumable = 0;
+    SSL_SESSION_free(ssl->session);
+    ssl->session = session;
+  }
+  return 1;
+err:
+  if (session_renewed) {
+    SSL_SESSION_free(session);
+  }
+  return -1;
 }