grpc 1.10.0 → 1.11.0.pre2

data/third_party/boringssl/ssl/ssl_privkey.cc

@@ -147,7 +147,7 @@ static int pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
     return 0;
   }
 
-  if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
+  if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
     // RSA keys may only be used with RSA-PSS.
     if (alg->pkey_type == EVP_PKEY_RSA && !alg->is_rsa_pss) {
       return 0;
@@ -193,45 +193,17 @@ static int setup_ctx(SSL *ssl, EVP_MD_CTX *ctx, EVP_PKEY *pkey, uint16_t sigalg,
   return 1;
 }
 
-static int legacy_sign_digest_supported(const SSL_SIGNATURE_ALGORITHM *alg) {
-  return (alg->pkey_type == EVP_PKEY_EC || alg->pkey_type == EVP_PKEY_RSA) &&
-         !alg->is_rsa_pss;
-}
-
-static enum ssl_private_key_result_t legacy_sign(
-    SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, uint16_t sigalg,
-    const uint8_t *in, size_t in_len) {
-  // TODO(davidben): Remove support for |sign_digest|-only
-  // |SSL_PRIVATE_KEY_METHOD|s.
-  const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
-  if (alg == NULL || !legacy_sign_digest_supported(alg)) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY);
-    return ssl_private_key_failure;
-  }
-
-  const EVP_MD *md = alg->digest_func();
-  uint8_t hash[EVP_MAX_MD_SIZE];
-  unsigned hash_len;
-  if (!EVP_Digest(in, in_len, hash, &hash_len, md, NULL)) {
-    return ssl_private_key_failure;
-  }
-
-  return ssl->cert->key_method->sign_digest(ssl, out, out_len, max_out, md,
-                                            hash, hash_len);
-}
-
 enum ssl_private_key_result_t ssl_private_key_sign(
     SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, size_t max_out,
-    uint16_t sigalg, const uint8_t *in, size_t in_len) {
+    uint16_t sigalg, Span<const uint8_t> in) {
   SSL *const ssl = hs->ssl;
   if (ssl->cert->key_method != NULL) {
     enum ssl_private_key_result_t ret;
     if (hs->pending_private_key_op) {
       ret = ssl->cert->key_method->complete(ssl, out, out_len, max_out);
     } else {
-      ret = (ssl->cert->key_method->sign != NULL
-                 ? ssl->cert->key_method->sign
-                 : legacy_sign)(ssl, out, out_len, max_out, sigalg, in, in_len);
+      ret = ssl->cert->key_method->sign(ssl, out, out_len, max_out, sigalg,
+                                        in.data(), in.size());
     }
     hs->pending_private_key_op = ret == ssl_private_key_retry;
     return ret;
@@ -240,31 +212,34 @@ enum ssl_private_key_result_t ssl_private_key_sign(
   *out_len = max_out;
   ScopedEVP_MD_CTX ctx;
   if (!setup_ctx(ssl, ctx.get(), ssl->cert->privatekey, sigalg, 0 /* sign */) ||
-      !EVP_DigestSign(ctx.get(), out, out_len, in, in_len)) {
+      !EVP_DigestSign(ctx.get(), out, out_len, in.data(), in.size())) {
     return ssl_private_key_failure;
   }
   return ssl_private_key_success;
 }
 
-int ssl_public_key_verify(SSL *ssl, const uint8_t *signature,
-                          size_t signature_len, uint16_t sigalg, EVP_PKEY *pkey,
-                          const uint8_t *in, size_t in_len) {
+bool ssl_public_key_verify(SSL *ssl, Span<const uint8_t> signature,
+                           uint16_t sigalg, EVP_PKEY *pkey,
+                           Span<const uint8_t> in) {
   ScopedEVP_MD_CTX ctx;
   return setup_ctx(ssl, ctx.get(), pkey, sigalg, 1 /* verify */) &&
-         EVP_DigestVerify(ctx.get(), signature, signature_len, in, in_len);
+         EVP_DigestVerify(ctx.get(), signature.data(), signature.size(),
+                          in.data(), in.size());
 }
 
-enum ssl_private_key_result_t ssl_private_key_decrypt(
-    SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, size_t max_out,
-    const uint8_t *in, size_t in_len) {
+enum ssl_private_key_result_t ssl_private_key_decrypt(SSL_HANDSHAKE *hs,
+                                                      uint8_t *out,
+                                                      size_t *out_len,
+                                                      size_t max_out,
+                                                      Span<const uint8_t> in) {
   SSL *const ssl = hs->ssl;
   if (ssl->cert->key_method != NULL) {
     enum ssl_private_key_result_t ret;
     if (hs->pending_private_key_op) {
       ret = ssl->cert->key_method->complete(ssl, out, out_len, max_out);
     } else {
-      ret = ssl->cert->key_method->decrypt(ssl, out, out_len, max_out, in,
-                                           in_len);
+      ret = ssl->cert->key_method->decrypt(ssl, out, out_len, max_out,
+                                           in.data(), in.size());
     }
     hs->pending_private_key_op = ret == ssl_private_key_retry;
     return ret;
@@ -279,17 +254,18 @@ enum ssl_private_key_result_t ssl_private_key_decrypt(
 
   // Decrypt with no padding. PKCS#1 padding will be removed as part of the
   // timing-sensitive code by the caller.
-  if (!RSA_decrypt(rsa, out_len, out, max_out, in, in_len, RSA_NO_PADDING)) {
+  if (!RSA_decrypt(rsa, out_len, out, max_out, in.data(), in.size(),
+                   RSA_NO_PADDING)) {
     return ssl_private_key_failure;
   }
   return ssl_private_key_success;
 }
 
-int ssl_private_key_supports_signature_algorithm(SSL_HANDSHAKE *hs,
-                                                 uint16_t sigalg) {
+bool ssl_private_key_supports_signature_algorithm(SSL_HANDSHAKE *hs,
+                                                  uint16_t sigalg) {
   SSL *const ssl = hs->ssl;
   if (!pkey_supports_algorithm(ssl, hs->local_pubkey.get(), sigalg)) {
-    return 0;
+    return false;
   }
 
   // Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that
@@ -301,18 +277,10 @@ int ssl_private_key_supports_signature_algorithm(SSL_HANDSHAKE *hs,
   const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
   if (alg->is_rsa_pss && (size_t)EVP_PKEY_size(hs->local_pubkey.get()) <
                              2 * EVP_MD_size(alg->digest_func()) + 2) {
-    return 0;
-  }
-
-  // Newer algorithms require message-based private keys.
-  // TODO(davidben): Remove this check when sign_digest is gone.
-  if (ssl->cert->key_method != NULL &&
-      ssl->cert->key_method->sign == NULL &&
-      !legacy_sign_digest_supported(alg)) {
-    return 0;
+    return false;
   }
 
-  return 1;
+  return true;
 }
 
 }  // namespace bssl
@@ -434,6 +402,58 @@ void SSL_CTX_set_private_key_method(SSL_CTX *ctx,
   ctx->cert->key_method = key_method;
 }
 
+const char *SSL_get_signature_algorithm_name(uint16_t sigalg,
+                                             int include_curve) {
+  switch (sigalg) {
+    case SSL_SIGN_RSA_PKCS1_MD5_SHA1:
+      return "rsa_pkcs1_md5_sha1";
+    case SSL_SIGN_RSA_PKCS1_SHA1:
+      return "rsa_pkcs1_sha1";
+    case SSL_SIGN_RSA_PKCS1_SHA256:
+      return "rsa_pkcs1_sha256";
+    case SSL_SIGN_RSA_PKCS1_SHA384:
+      return "rsa_pkcs1_sha384";
+    case SSL_SIGN_RSA_PKCS1_SHA512:
+      return "rsa_pkcs1_sha512";
+    case SSL_SIGN_ECDSA_SHA1:
+      return "ecdsa_sha1";
+    case SSL_SIGN_ECDSA_SECP256R1_SHA256:
+      return include_curve ? "ecdsa_secp256r1_sha256" : "ecdsa_sha256";
+    case SSL_SIGN_ECDSA_SECP384R1_SHA384:
+      return include_curve ? "ecdsa_secp384r1_sha384" : "ecdsa_sha384";
+    case SSL_SIGN_ECDSA_SECP521R1_SHA512:
+      return include_curve ? "ecdsa_secp521r1_sha512" : "ecdsa_sha512";
+    case SSL_SIGN_RSA_PSS_SHA256:
+      return "rsa_pss_sha256";
+    case SSL_SIGN_RSA_PSS_SHA384:
+      return "rsa_pss_sha384";
+    case SSL_SIGN_RSA_PSS_SHA512:
+      return "rsa_pss_sha512";
+    case SSL_SIGN_ED25519:
+      return "ed25519";
+    default:
+      return NULL;
+  }
+}
+
+int SSL_get_signature_algorithm_key_type(uint16_t sigalg) {
+  const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
+  return alg != nullptr ? alg->pkey_type : EVP_PKEY_NONE;
+}
+
+const EVP_MD *SSL_get_signature_algorithm_digest(uint16_t sigalg) {
+  const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
+  if (alg == nullptr || alg->digest_func == nullptr) {
+    return nullptr;
+  }
+  return alg->digest_func();
+}
+
+int SSL_is_signature_algorithm_rsa_pss(uint16_t sigalg) {
+  const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
+  return alg != nullptr && alg->is_rsa_pss;
+}
+
 static int set_algorithm_prefs(uint16_t **out_prefs, size_t *out_num_prefs,
                                const uint16_t *prefs, size_t num_prefs) {
   OPENSSL_free(*out_prefs);
@@ -455,7 +475,6 @@ int SSL_CTX_set_signing_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs,
                              prefs, num_prefs);
 }
 
-
 int SSL_set_signing_algorithm_prefs(SSL *ssl, const uint16_t *prefs,
                                     size_t num_prefs) {
   return set_algorithm_prefs(&ssl->cert->sigalgs, &ssl->cert->num_sigalgs,
@@ -467,52 +486,3 @@ int SSL_CTX_set_verify_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs,
   return set_algorithm_prefs(&ctx->verify_sigalgs, &ctx->num_verify_sigalgs,
                              prefs, num_prefs);
 }
-
-int SSL_set_private_key_digest_prefs(SSL *ssl, const int *digest_nids,
-                                     size_t num_digests) {
-  OPENSSL_free(ssl->cert->sigalgs);
-
-  static_assert(sizeof(int) >= 2 * sizeof(uint16_t),
-                "sigalgs allocation may overflow");
-
-  ssl->cert->num_sigalgs = 0;
-  ssl->cert->sigalgs =
-      (uint16_t *)OPENSSL_malloc(sizeof(uint16_t) * 2 * num_digests);
-  if (ssl->cert->sigalgs == NULL) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
-
-  // Convert the digest list to a signature algorithms list.
-  //
-  // TODO(davidben): Replace this API with one that can express RSA-PSS, etc.
-  for (size_t i = 0; i < num_digests; i++) {
-    switch (digest_nids[i]) {
-      case NID_sha1:
-        ssl->cert->sigalgs[ssl->cert->num_sigalgs] = SSL_SIGN_RSA_PKCS1_SHA1;
-        ssl->cert->sigalgs[ssl->cert->num_sigalgs + 1] = SSL_SIGN_ECDSA_SHA1;
-        ssl->cert->num_sigalgs += 2;
-        break;
-      case NID_sha256:
-        ssl->cert->sigalgs[ssl->cert->num_sigalgs] = SSL_SIGN_RSA_PKCS1_SHA256;
-        ssl->cert->sigalgs[ssl->cert->num_sigalgs + 1] =
-            SSL_SIGN_ECDSA_SECP256R1_SHA256;
-        ssl->cert->num_sigalgs += 2;
-        break;
-      case NID_sha384:
-        ssl->cert->sigalgs[ssl->cert->num_sigalgs] = SSL_SIGN_RSA_PKCS1_SHA384;
-        ssl->cert->sigalgs[ssl->cert->num_sigalgs + 1] =
-            SSL_SIGN_ECDSA_SECP384R1_SHA384;
-        ssl->cert->num_sigalgs += 2;
-        break;
-      case NID_sha512:
-        ssl->cert->sigalgs[ssl->cert->num_sigalgs] = SSL_SIGN_RSA_PKCS1_SHA512;
-        ssl->cert->sigalgs[ssl->cert->num_sigalgs + 1] =
-            SSL_SIGN_ECDSA_SECP521R1_SHA512;
-        ssl->cert->num_sigalgs += 2;
-        break;
-    }
-  }
-
-  return 1;
-}

data/third_party/boringssl/ssl/ssl_session.cc

@@ -377,7 +377,7 @@ int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server) {
   ssl_get_current_time(ssl, &now);
   session->time = now.tv_sec;
 
-  uint16_t version = ssl3_protocol_version(ssl);
+  uint16_t version = ssl_protocol_version(ssl);
   if (version >= TLS1_3_VERSION) {
     // TLS 1.3 uses tickets as authenticators, so we are willing to use them for
     // longer.
@@ -999,9 +999,9 @@ SSL_SESSION *SSL_get_session(const SSL *ssl) {
   // we return the intermediate session, either |session| (for resumption) or
   // |new_session| if doing a full handshake.
   if (!SSL_in_init(ssl)) {
-    return ssl->s3->established_session;
+    return ssl->s3->established_session.get();
   }
-  SSL_HANDSHAKE *hs = ssl->s3->hs;
+  SSL_HANDSHAKE *hs = ssl->s3->hs.get();
   if (hs->early_session) {
     return hs->early_session.get();
   }

data/third_party/boringssl/ssl/ssl_stat.cc

@@ -89,12 +89,12 @@
 
 
 const char *SSL_state_string_long(const SSL *ssl) {
-  if (ssl->s3->hs == NULL) {
+  if (ssl->s3->hs == nullptr) {
     return "SSL negotiation finished successfully";
   }
 
-  return ssl->server ? ssl_server_handshake_state(ssl->s3->hs)
-                     : ssl_client_handshake_state(ssl->s3->hs);
+  return ssl->server ? ssl_server_handshake_state(ssl->s3->hs.get())
+                     : ssl_client_handshake_state(ssl->s3->hs.get());
 }
 
 const char *SSL_state_string(const SSL *ssl) {

data/third_party/boringssl/ssl/ssl_transcript.cc

@@ -209,26 +209,43 @@ const EVP_MD *SSLTranscript::Digest() const {
   return EVP_MD_CTX_md(hash_.get());
 }
 
-bool SSLTranscript::Update(const uint8_t *in, size_t in_len) {
+bool SSLTranscript::UpdateForHelloRetryRequest() {
+  if (buffer_) {
+    buffer_->length = 0;
+  }
+
+  uint8_t old_hash[EVP_MAX_MD_SIZE];
+  size_t hash_len;
+  if (!GetHash(old_hash, &hash_len)) {
+    return false;
+  }
+  const uint8_t header[4] = {SSL3_MT_MESSAGE_HASH, 0, 0,
+                             static_cast<uint8_t>(hash_len)};
+  if (!EVP_DigestInit_ex(hash_.get(), Digest(), nullptr) ||
+      !Update(header) ||
+      !Update(MakeConstSpan(old_hash, hash_len))) {
+    return false;
+  }
+  return true;
+}
+
+bool SSLTranscript::CopyHashContext(EVP_MD_CTX *ctx) {
+  return EVP_MD_CTX_copy_ex(ctx, hash_.get());
+}
+
+bool SSLTranscript::Update(Span<const uint8_t> in) {
   // Depending on the state of the handshake, either the handshake buffer may be
   // active, the rolling hash, or both.
-  if (buffer_) {
-    size_t new_len = buffer_->length + in_len;
-    if (new_len < in_len) {
-      OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
-      return false;
-    }
-    if (!BUF_MEM_grow(buffer_.get(), new_len)) {
-      return false;
-    }
-    OPENSSL_memcpy(buffer_->data + new_len - in_len, in, in_len);
+  if (buffer_ &&
+      !BUF_MEM_append(buffer_.get(), in.data(), in.size())) {
+    return false;
   }
 
   if (EVP_MD_CTX_md(hash_.get()) != NULL) {
-    EVP_DigestUpdate(hash_.get(), in, in_len);
+    EVP_DigestUpdate(hash_.get(), in.data(), in.size());
   }
   if (EVP_MD_CTX_md(md5_.get()) != NULL) {
-    EVP_DigestUpdate(md5_.get(), in, in_len);
+    EVP_DigestUpdate(md5_.get(), in.data(), in.size());
   }
 
   return true;
@@ -355,12 +372,11 @@ bool SSLTranscript::GetFinishedMAC(uint8_t *out, size_t *out_len,
   // its own.
   assert(!buffer_);
 
-  const char *label = TLS_MD_CLIENT_FINISH_CONST;
-  size_t label_len = TLS_MD_SERVER_FINISH_CONST_SIZE;
-  if (from_server) {
-    label = TLS_MD_SERVER_FINISH_CONST;
-    label_len = TLS_MD_SERVER_FINISH_CONST_SIZE;
-  }
+  static const char kClientLabel[] = "client finished";
+  static const char kServerLabel[] = "server finished";
+  auto label = from_server
+                   ? MakeConstSpan(kServerLabel, sizeof(kServerLabel) - 1)
+                   : MakeConstSpan(kClientLabel, sizeof(kClientLabel) - 1);
 
   uint8_t digests[EVP_MAX_MD_SIZE];
   size_t digests_len;
@@ -369,9 +385,9 @@ bool SSLTranscript::GetFinishedMAC(uint8_t *out, size_t *out_len,
   }
 
   static const size_t kFinishedLen = 12;
-  if (!tls1_prf(Digest(), out, kFinishedLen, session->master_key,
-                session->master_key_length, label, label_len, digests,
-                digests_len, NULL, 0)) {
+  if (!tls1_prf(Digest(), MakeSpan(out, kFinishedLen),
+                MakeConstSpan(session->master_key, session->master_key_length),
+                label, MakeConstSpan(digests, digests_len), {})) {
     return false;
   }
 

data/third_party/boringssl/ssl/ssl_versions.cc

@@ -35,6 +35,8 @@ bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
       return true;
 
     case TLS1_3_DRAFT_VERSION:
+    case TLS1_3_DRAFT21_VERSION:
+    case TLS1_3_DRAFT22_VERSION:
     case TLS1_3_EXPERIMENT_VERSION:
     case TLS1_3_EXPERIMENT2_VERSION:
     case TLS1_3_EXPERIMENT3_VERSION:
@@ -59,10 +61,12 @@ bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
 // decreasing preference.
 
 static const uint16_t kTLSVersions[] = {
+    TLS1_3_DRAFT22_VERSION,
     TLS1_3_EXPERIMENT3_VERSION,
     TLS1_3_EXPERIMENT2_VERSION,
     TLS1_3_EXPERIMENT_VERSION,
     TLS1_3_DRAFT_VERSION,
+    TLS1_3_DRAFT21_VERSION,
     TLS1_2_VERSION,
     TLS1_1_VERSION,
     TLS1_VERSION,
@@ -106,6 +110,8 @@ static bool method_supports_version(const SSL_PROTOCOL_METHOD *method,
 static const char *ssl_version_to_string(uint16_t version) {
   switch (version) {
     case TLS1_3_DRAFT_VERSION:
+    case TLS1_3_DRAFT21_VERSION:
+    case TLS1_3_DRAFT22_VERSION:
     case TLS1_3_EXPERIMENT_VERSION:
     case TLS1_3_EXPERIMENT2_VERSION:
     case TLS1_3_EXPERIMENT3_VERSION:
@@ -138,6 +144,8 @@ static uint16_t wire_version_to_api(uint16_t version) {
   switch (version) {
     // Report TLS 1.3 draft versions as TLS 1.3 in the public API.
     case TLS1_3_DRAFT_VERSION:
+    case TLS1_3_DRAFT21_VERSION:
+    case TLS1_3_DRAFT22_VERSION:
     case TLS1_3_EXPERIMENT_VERSION:
     case TLS1_3_EXPERIMENT2_VERSION:
     case TLS1_3_EXPERIMENT3_VERSION:
@@ -152,6 +160,8 @@ static uint16_t wire_version_to_api(uint16_t version) {
 // used in context where that does not matter.
 static bool api_version_to_wire(uint16_t *out, uint16_t version) {
   if (version == TLS1_3_DRAFT_VERSION ||
+      version == TLS1_3_DRAFT21_VERSION ||
+      version == TLS1_3_DRAFT22_VERSION ||
       version == TLS1_3_EXPERIMENT_VERSION ||
       version == TLS1_3_EXPERIMENT2_VERSION ||
       version == TLS1_3_EXPERIMENT3_VERSION) {
@@ -287,7 +297,7 @@ static uint16_t ssl_version(const SSL *ssl) {
   return ssl->version;
 }
 
-uint16_t ssl3_protocol_version(const SSL *ssl) {
+uint16_t ssl_protocol_version(const SSL *ssl) {
   assert(ssl->s3->have_version);
   uint16_t version;
   if (!ssl_protocol_version_from_wire(&version, ssl->version)) {
@@ -301,34 +311,46 @@ uint16_t ssl3_protocol_version(const SSL *ssl) {
 
 bool ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) {
   SSL *const ssl = hs->ssl;
-  // As a client, only allow the configured TLS 1.3 variant. As a server,
-  // support all TLS 1.3 variants as long as tls13_variant is set to a
-  // non-default value.
-  if (ssl->server) {
-    if (ssl->tls13_variant == tls13_default &&
-        (version == TLS1_3_EXPERIMENT_VERSION ||
-         version == TLS1_3_EXPERIMENT2_VERSION ||
-         version == TLS1_3_EXPERIMENT3_VERSION)) {
-      return false;
-    }
-  } else {
-    if ((ssl->tls13_variant != tls13_experiment &&
-         version == TLS1_3_EXPERIMENT_VERSION) ||
-        (ssl->tls13_variant != tls13_experiment2 &&
-         version == TLS1_3_EXPERIMENT2_VERSION) ||
-        (ssl->tls13_variant != tls13_experiment3 &&
-         version == TLS1_3_EXPERIMENT3_VERSION) ||
-        (ssl->tls13_variant != tls13_default &&
-         version == TLS1_3_DRAFT_VERSION)) {
-      return false;
-    }
+  uint16_t protocol_version;
+  if (!method_supports_version(ssl->method, version) ||
+      !ssl_protocol_version_from_wire(&protocol_version, version) ||
+      hs->min_version > protocol_version ||
+      protocol_version > hs->max_version) {
+    return false;
   }
 
-  uint16_t protocol_version;
-  return method_supports_version(ssl->method, version) &&
-         ssl_protocol_version_from_wire(&protocol_version, version) &&
-         hs->min_version <= protocol_version &&
-         protocol_version <= hs->max_version;
+  // TLS 1.3 variants must additionally match |tls13_variant|.
+  if (protocol_version != TLS1_3_VERSION ||
+      (ssl->tls13_variant == tls13_experiment &&
+       version == TLS1_3_EXPERIMENT_VERSION) ||
+      (ssl->tls13_variant == tls13_experiment2 &&
+       version == TLS1_3_EXPERIMENT2_VERSION) ||
+      (ssl->tls13_variant == tls13_experiment3 &&
+       version == TLS1_3_EXPERIMENT3_VERSION) ||
+      (ssl->tls13_variant == tls13_draft21 &&
+       version == TLS1_3_DRAFT21_VERSION) ||
+      (ssl->tls13_variant == tls13_draft22 &&
+       version == TLS1_3_DRAFT22_VERSION) ||
+      (ssl->tls13_variant == tls13_default &&
+       version == TLS1_3_DRAFT_VERSION)) {
+    return true;
+  }
+
+  // The server, when not configured at |tls13_default|, should additionally
+  // enable all variants, except draft-21 which is implemented solely for QUIC
+  // interop testing and will not be deployed, and draft-22 which will be
+  // enabled once the draft is finalized and ready to be deployed in Chrome.
+  // Currently, this is to implement the draft-18 vs. experiments field trials.
+  // In the future, this will be to transition cleanly to a final draft-22
+  // which hopefully includes the deployability fixes.
+  if (ssl->server &&
+      ssl->tls13_variant != tls13_default &&
+      version != TLS1_3_DRAFT21_VERSION &&
+      version != TLS1_3_DRAFT22_VERSION) {
+    return true;
+  }
+
+  return false;
 }
 
 bool ssl_add_supported_versions(SSL_HANDSHAKE *hs, CBB *cbb) {
@@ -375,25 +397,36 @@ bool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
   return false;
 }
 
+bool ssl_is_draft21(uint16_t version) {
+  return version == TLS1_3_DRAFT21_VERSION || version == TLS1_3_DRAFT22_VERSION;
+}
+
+bool ssl_is_draft22(uint16_t version) {
+  return version == TLS1_3_DRAFT22_VERSION;
+}
+
 bool ssl_is_resumption_experiment(uint16_t version) {
   return version == TLS1_3_EXPERIMENT_VERSION ||
          version == TLS1_3_EXPERIMENT2_VERSION ||
-         version == TLS1_3_EXPERIMENT3_VERSION;
+         version == TLS1_3_EXPERIMENT3_VERSION ||
+         version == TLS1_3_DRAFT22_VERSION;
 }
 
 bool ssl_is_resumption_variant(enum tls13_variant_t variant) {
   return variant == tls13_experiment || variant == tls13_experiment2 ||
-         variant == tls13_experiment3;
+         variant == tls13_experiment3 || variant == tls13_draft22;
 }
 
 bool ssl_is_resumption_client_ccs_experiment(uint16_t version) {
   return version == TLS1_3_EXPERIMENT_VERSION ||
-         version == TLS1_3_EXPERIMENT2_VERSION;
+         version == TLS1_3_EXPERIMENT2_VERSION ||
+         version == TLS1_3_DRAFT22_VERSION;
 }
 
 bool ssl_is_resumption_record_version_experiment(uint16_t version) {
   return version == TLS1_3_EXPERIMENT2_VERSION ||
-         version == TLS1_3_EXPERIMENT3_VERSION;
+         version == TLS1_3_EXPERIMENT3_VERSION ||
+         version == TLS1_3_DRAFT22_VERSION;
 }
 
 }  // namespace bssl