grpc 1.24.0 → 1.25.0.pre1

data/third_party/boringssl/ssl/d1_lib.cc

@@ -68,7 +68,7 @@
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 // DTLS1_MTU_TIMEOUTS is the maximum number of timeouts to expire
 // before starting to decrease the MTU.
@@ -171,7 +171,8 @@ bool dtls1_check_timeout_num(SSL *ssl) {
   // Reduce MTU after 2 unsuccessful retransmissions
   if (ssl->d1->num_timeouts > DTLS1_MTU_TIMEOUTS &&
       !(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {
-    long mtu = BIO_ctrl(ssl->wbio, BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);
+    long mtu =
+        BIO_ctrl(ssl->wbio.get(), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, nullptr);
     if (mtu >= 0 && mtu <= (1 << 30) && (unsigned)mtu >= dtls1_min_mtu()) {
       ssl->d1->mtu = (unsigned)mtu;
     }
@@ -186,7 +187,7 @@ bool dtls1_check_timeout_num(SSL *ssl) {
   return true;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 using namespace bssl;
 

data/third_party/boringssl/ssl/d1_pkt.cc

@@ -126,7 +126,7 @@
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 ssl_open_record_t dtls1_open_app_data(SSL *ssl, Span<uint8_t> *out,
                                       size_t *out_consumed, uint8_t *out_alert,
@@ -256,11 +256,11 @@ int dtls1_dispatch_alert(SSL *ssl) {
   if (ret <= 0) {
     return ret;
   }
-  ssl->s3->alert_dispatch = 0;
+  ssl->s3->alert_dispatch = false;
 
   // If the alert is fatal, flush the BIO now.
   if (ssl->s3->send_alert[0] == SSL3_AL_FATAL) {
-    BIO_flush(ssl->wbio);
+    BIO_flush(ssl->wbio.get());
   }
 
   ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_ALERT, ssl->s3->send_alert);
@@ -271,4 +271,4 @@ int dtls1_dispatch_alert(SSL *ssl) {
   return 1;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END

data/third_party/boringssl/ssl/d1_srtp.cc

@@ -158,8 +158,9 @@ static int find_profile_by_name(const char *profile_name,
   return 0;
 }
 
-static int ssl_ctx_make_profiles(const char *profiles_string,
-                                 STACK_OF(SRTP_PROTECTION_PROFILE) **out) {
+static int ssl_ctx_make_profiles(
+    const char *profiles_string,
+    UniquePtr<STACK_OF(SRTP_PROTECTION_PROFILE)> *out) {
   UniquePtr<STACK_OF(SRTP_PROTECTION_PROFILE)> profiles(
       sk_SRTP_PROTECTION_PROFILE_new_null());
   if (profiles == nullptr) {
@@ -188,8 +189,7 @@ static int ssl_ctx_make_profiles(const char *profiles_string,
     }
   } while (col);
 
-  sk_SRTP_PROTECTION_PROFILE_free(*out);
-  *out = profiles.release();
+  *out = std::move(profiles);
   return 1;
 }
 
@@ -198,27 +198,27 @@ int SSL_CTX_set_srtp_profiles(SSL_CTX *ctx, const char *profiles) {
 }
 
 int SSL_set_srtp_profiles(SSL *ssl, const char *profiles) {
-  return ssl_ctx_make_profiles(profiles, &ssl->srtp_profiles);
+  return ssl->config != nullptr &&
+         ssl_ctx_make_profiles(profiles, &ssl->config->srtp_profiles);
 }
 
 STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(SSL *ssl) {
-  if (ssl == NULL) {
-    return NULL;
+  if (ssl == nullptr) {
+    return nullptr;
   }
 
-  if (ssl->srtp_profiles != NULL) {
-    return ssl->srtp_profiles;
+  if (ssl->config == nullptr) {
+    assert(0);
+    return nullptr;
   }
 
-  if (ssl->ctx->srtp_profiles != NULL) {
-    return ssl->ctx->srtp_profiles;
-  }
-
-  return NULL;
+  return ssl->config->srtp_profiles != nullptr
+             ? ssl->config->srtp_profiles.get()
+             : ssl->ctx->srtp_profiles.get();
 }
 
 const SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *ssl) {
-  return ssl->srtp_profile;
+  return ssl->s3->srtp_profile;
 }
 
 int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles) {

data/third_party/boringssl/ssl/dtls_method.cc

@@ -121,7 +121,6 @@ static const SSL_PROTOCOL_METHOD kDTLSProtocolMethod = {
     dtls1_finish_message,
     dtls1_add_message,
     dtls1_add_change_cipher_spec,
-    dtls1_add_alert,
     dtls1_flush_flight,
     dtls1_on_handshake_complete,
     dtls1_set_read_state,

data/third_party/boringssl/ssl/dtls_record.cc

@@ -121,7 +121,7 @@
 #include "../crypto/internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 // to_u64_be treats |in| as a 8-byte big-endian integer and returns the value as
 // a |uint64_t|.
@@ -137,13 +137,13 @@ static uint64_t to_u64_be(const uint8_t in[8]) {
 
 // dtls1_bitmap_should_discard returns one if |seq_num| has been seen in
 // |bitmap| or is stale. Otherwise it returns zero.
-static int dtls1_bitmap_should_discard(DTLS1_BITMAP *bitmap,
-                                       const uint8_t seq_num[8]) {
+static bool dtls1_bitmap_should_discard(DTLS1_BITMAP *bitmap,
+                                        const uint8_t seq_num[8]) {
   const unsigned kWindowSize = sizeof(bitmap->map) * 8;
 
   uint64_t seq_num_u = to_u64_be(seq_num);
   if (seq_num_u > bitmap->max_seq_num) {
-    return 0;
+    return false;
   }
   uint64_t idx = bitmap->max_seq_num - seq_num_u;
   return idx >= kWindowSize || (bitmap->map & (((uint64_t)1) << idx));
@@ -219,8 +219,8 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type,
     return ssl_open_record_discard;
   }
 
-  ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HEADER,
-                      in.subspan(0, DTLS1_RT_HEADER_LENGTH));
+  Span<const uint8_t> header = in.subspan(0, DTLS1_RT_HEADER_LENGTH);
+  ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HEADER, header);
 
   uint16_t epoch = (((uint16_t)sequence[0]) << 8) | sequence[1];
   if (epoch != ssl->d1->r_epoch ||
@@ -235,7 +235,7 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type,
 
   // discard the body in-place.
   if (!ssl->s3->aead_read_ctx->Open(
-          out, type, version, sequence,
+          out, type, version, sequence, header,
           MakeSpan(const_cast<uint8_t *>(CBS_data(&body)), CBS_len(&body)))) {
     // Bad packets are silently dropped in DTLS. See section 4.2.1 of RFC 6347.
     // Clear the error queue of any errors decryption may have added. Drop the
@@ -291,14 +291,14 @@ size_t dtls_seal_prefix_len(const SSL *ssl, enum dtls1_use_epoch_t use_epoch) {
          get_write_aead(ssl, use_epoch)->ExplicitNonceLen();
 }
 
-int dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
-                     uint8_t type, const uint8_t *in, size_t in_len,
-                     enum dtls1_use_epoch_t use_epoch) {
+bool dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
+                      uint8_t type, const uint8_t *in, size_t in_len,
+                      enum dtls1_use_epoch_t use_epoch) {
   const size_t prefix = dtls_seal_prefix_len(ssl, use_epoch);
   if (buffers_alias(in, in_len, out, max_out) &&
       (max_out < prefix || out + prefix != in)) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT);
-    return 0;
+    return false;
   }
 
   // Determine the parameters for the current epoch.
@@ -314,7 +314,7 @@ int dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
 
   if (max_out < DTLS1_RT_HEADER_LENGTH) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);
-    return 0;
+    return false;
   }
 
   out[0] = type;
@@ -328,26 +328,26 @@ int dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
   OPENSSL_memcpy(&out[5], &seq[2], 6);
 
   size_t ciphertext_len;
-  if (!aead->Seal(out + DTLS1_RT_HEADER_LENGTH, &ciphertext_len,
-                  max_out - DTLS1_RT_HEADER_LENGTH, type, record_version,
-                  &out[3] /* seq */, in, in_len) ||
-      !ssl_record_sequence_update(&seq[2], 6)) {
-    return 0;
-  }
-
-  if (ciphertext_len >= 1 << 16) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
-    return 0;
+  if (!aead->CiphertextLen(&ciphertext_len, in_len, 0)) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);
+    return false;
   }
   out[11] = ciphertext_len >> 8;
   out[12] = ciphertext_len & 0xff;
+  Span<const uint8_t> header = MakeConstSpan(out, DTLS1_RT_HEADER_LENGTH);
 
-  *out_len = DTLS1_RT_HEADER_LENGTH + ciphertext_len;
-
-  ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HEADER,
-                      MakeSpan(out, DTLS1_RT_HEADER_LENGTH));
+  size_t len_copy;
+  if (!aead->Seal(out + DTLS1_RT_HEADER_LENGTH, &len_copy,
+                  max_out - DTLS1_RT_HEADER_LENGTH, type, record_version,
+                  &out[3] /* seq */, header, in, in_len) ||
+      !ssl_record_sequence_update(&seq[2], 6)) {
+    return false;
+  }
+  assert(ciphertext_len == len_copy);
 
-  return 1;
+  *out_len = DTLS1_RT_HEADER_LENGTH + ciphertext_len;
+  ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HEADER, header);
+  return true;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END

data/third_party/boringssl/ssl/handoff.cc

@@ -19,20 +19,47 @@
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 constexpr int kHandoffVersion = 0;
 constexpr int kHandbackVersion = 0;
 
-bool SSL_serialize_handoff(const SSL *ssl, CBB *out) {
+// serialize_features adds a description of features supported by this binary to
+// |out|.  Returns true on success and false on error.
+static bool serialize_features(CBB *out) {
+  CBB ciphers;
+  if (!CBB_add_asn1(out, &ciphers, CBS_ASN1_OCTETSTRING)) {
+    return false;
+  }
+  Span<const SSL_CIPHER> all_ciphers = AllCiphers();
+  for (const SSL_CIPHER& cipher : all_ciphers) {
+    if (!CBB_add_u16(&ciphers, static_cast<uint16_t>(cipher.id))) {
+      return false;
+    }
+  }
+  CBB curves;
+  if (!CBB_add_asn1(out, &curves, CBS_ASN1_OCTETSTRING)) {
+    return false;
+  }
+  for (const NamedGroup& g : NamedGroups()) {
+    if (!CBB_add_u16(&curves, g.group_id)) {
+      return false;
+    }
+  }
+  return CBB_flush(out);
+}
+
+bool SSL_serialize_handoff(const SSL *ssl, CBB *out,
+                           SSL_CLIENT_HELLO *out_hello) {
   const SSL3_STATE *const s3 = ssl->s3;
   if (!ssl->server ||
       s3->hs == nullptr ||
-      s3->rwstate != SSL_HANDOFF) {
+      s3->rwstate != SSL_ERROR_HANDOFF) {
     return false;
   }
 
   CBB seq;
+  SSLMessage msg;
   Span<const uint8_t> transcript = s3->hs->transcript.buffer();
   if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
       !CBB_add_asn1_uint64(&seq, kHandoffVersion) ||
@@ -40,7 +67,10 @@ bool SSL_serialize_handoff(const SSL *ssl, CBB *out) {
       !CBB_add_asn1_octet_string(&seq,
                                  reinterpret_cast<uint8_t *>(s3->hs_buf->data),
                                  s3->hs_buf->length) ||
-      !CBB_flush(out)) {
+      !serialize_features(&seq) ||
+      !CBB_flush(out) ||
+      !ssl->method->get_message(ssl, &msg) ||
+      !ssl_client_hello_init(ssl, out_hello, msg)) {
     return false;
   }
 
@@ -51,11 +81,103 @@ bool SSL_decline_handoff(SSL *ssl) {
   const SSL3_STATE *const s3 = ssl->s3;
   if (!ssl->server ||
       s3->hs == nullptr ||
-      s3->rwstate != SSL_HANDOFF) {
+      s3->rwstate != SSL_ERROR_HANDOFF) {
     return false;
   }
 
-  ssl->handoff = false;
+  s3->hs->config->handoff = false;
+  return true;
+}
+
+// apply_remote_features reads a list of supported features from |in| and
+// (possibly) reconfigures |ssl| to disallow the negotation of features whose
+// support has not been indicated.  (This prevents the the handshake from
+// committing to features that are not supported on the handoff/handback side.)
+static bool apply_remote_features(SSL *ssl, CBS *in) {
+  CBS ciphers;
+  if (!CBS_get_asn1(in, &ciphers, CBS_ASN1_OCTETSTRING)) {
+    return false;
+  }
+  bssl::UniquePtr<STACK_OF(SSL_CIPHER)> supported(sk_SSL_CIPHER_new_null());
+  while (CBS_len(&ciphers)) {
+    uint16_t id;
+    if (!CBS_get_u16(&ciphers, &id)) {
+      return false;
+    }
+    const SSL_CIPHER *cipher = SSL_get_cipher_by_value(id);
+    if (!cipher) {
+      continue;
+    }
+    if (!sk_SSL_CIPHER_push(supported.get(), cipher)) {
+      return false;
+    }
+  }
+  STACK_OF(SSL_CIPHER) *configured =
+      ssl->config->cipher_list ? ssl->config->cipher_list->ciphers.get()
+                               : ssl->ctx->cipher_list->ciphers.get();
+  bssl::UniquePtr<STACK_OF(SSL_CIPHER)> unsupported(sk_SSL_CIPHER_new_null());
+  for (const SSL_CIPHER *configured_cipher : configured) {
+    if (sk_SSL_CIPHER_find(supported.get(), nullptr, configured_cipher)) {
+      continue;
+    }
+    if (!sk_SSL_CIPHER_push(unsupported.get(), configured_cipher)) {
+      return false;
+    }
+  }
+  if (sk_SSL_CIPHER_num(unsupported.get()) && !ssl->config->cipher_list) {
+    ssl->config->cipher_list = bssl::MakeUnique<SSLCipherPreferenceList>();
+    if (!ssl->config->cipher_list->Init(*ssl->ctx->cipher_list)) {
+      return false;
+    }
+  }
+  for (const SSL_CIPHER *unsupported_cipher : unsupported.get()) {
+    ssl->config->cipher_list->Remove(unsupported_cipher);
+  }
+  if (sk_SSL_CIPHER_num(SSL_get_ciphers(ssl)) == 0) {
+    return false;
+  }
+
+  CBS curves;
+  if (!CBS_get_asn1(in, &curves, CBS_ASN1_OCTETSTRING)) {
+    return false;
+  }
+  Array<uint16_t> supported_curves;
+  if (!supported_curves.Init(CBS_len(&curves) / 2)) {
+    return false;
+  }
+  size_t idx = 0;
+  while (CBS_len(&curves)) {
+    uint16_t curve;
+    if (!CBS_get_u16(&curves, &curve)) {
+      return false;
+    }
+    supported_curves[idx++] = curve;
+  }
+  Span<const uint16_t> configured_curves =
+      tls1_get_grouplist(ssl->s3->hs.get());
+  Array<uint16_t> new_configured_curves;
+  if (!new_configured_curves.Init(configured_curves.size())) {
+    return false;
+  }
+  idx = 0;
+  for (uint16_t configured_curve : configured_curves) {
+    bool ok = false;
+    for (uint16_t supported_curve : supported_curves) {
+      if (supported_curve == configured_curve) {
+        ok = true;
+        break;
+      }
+    }
+    if (ok) {
+      new_configured_curves[idx++] = configured_curve;
+    }
+  }
+  if (idx == 0) {
+    return false;
+  }
+  new_configured_curves.Shrink(idx);
+  ssl->config->supported_group_list = std::move(new_configured_curves);
+
   return true;
 }
 
@@ -74,7 +196,8 @@ bool SSL_apply_handoff(SSL *ssl, Span<const uint8_t> handoff) {
 
   CBS transcript, hs_buf;
   if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||
-      !CBS_get_asn1(&seq, &hs_buf, CBS_ASN1_OCTETSTRING)) {
+      !CBS_get_asn1(&seq, &hs_buf, CBS_ASN1_OCTETSTRING) ||
+      !apply_remote_features(ssl, &seq)) {
     return false;
   }
 
@@ -93,19 +216,30 @@ bool SSL_apply_handoff(SSL *ssl, Span<const uint8_t> handoff) {
   if (CBS_len(&transcript) != 0) {
     s3->hs->transcript.Update(transcript);
     s3->is_v2_hello = true;
-    ssl_do_msg_callback(ssl, 0 /* read */, 0 /* V2ClientHello */, transcript);
   }
+  s3->hs->handback = true;
 
   return true;
 }
 
 bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
-  if (!ssl->server ||
-      !ssl->s3->initial_handshake_complete ||
-      ssl->method->is_dtls ||
-      ssl->version < TLS1_VERSION) {
+  if (!ssl->server || ssl->method->is_dtls) {
     return false;
   }
+  handback_t type;
+  switch (ssl->s3->hs->state) {
+    case state12_read_change_cipher_spec:
+      type = handback_after_session_resumption;
+      break;
+    case state12_read_client_certificate:
+      type = handback_after_ecdhe;
+      break;
+    case state12_finish_server_handshake:
+      type = handback_after_handshake;
+      break;
+    default:
+      return false;
+  }
 
   const SSL3_STATE *const s3 = ssl->s3;
   size_t hostname_len = 0;
@@ -113,22 +247,36 @@ bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
     hostname_len = strlen(s3->hostname.get());
   }
 
-  size_t iv_len = 0;
-  const uint8_t *read_iv = nullptr, *write_iv = nullptr;
-  if (ssl->version == TLS1_VERSION &&
-      SSL_CIPHER_is_block_cipher(s3->aead_read_ctx->cipher()) &&
-      (!s3->aead_read_ctx->GetIV(&read_iv, &iv_len) ||
-       !s3->aead_write_ctx->GetIV(&write_iv, &iv_len))) {
+  Span<const uint8_t> transcript;
+  if (type == handback_after_ecdhe ||
+      type == handback_after_session_resumption) {
+    transcript = s3->hs->transcript.buffer();
+  }
+  size_t write_iv_len = 0;
+  const uint8_t *write_iv = nullptr;
+  if ((type == handback_after_session_resumption ||
+       type == handback_after_handshake) &&
+      ssl->version == TLS1_VERSION &&
+      SSL_CIPHER_is_block_cipher(s3->aead_write_ctx->cipher()) &&
+      !s3->aead_write_ctx->GetIV(&write_iv, &write_iv_len)) {
     return false;
   }
+  size_t read_iv_len = 0;
+  const uint8_t *read_iv = nullptr;
+  if (type == handback_after_handshake &&
+      ssl->version == TLS1_VERSION &&
+      SSL_CIPHER_is_block_cipher(s3->aead_read_ctx->cipher()) &&
+      !s3->aead_read_ctx->GetIV(&read_iv, &read_iv_len)) {
+      return false;
+  }
 
-  CBB seq;
+  // TODO(mab): make sure everything is serialized.
+  CBB seq, key_share;
+  const SSL_SESSION *session =
+      s3->session_reused ? ssl->session.get() : s3->hs->new_session.get();
   if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
       !CBB_add_asn1_uint64(&seq, kHandbackVersion) ||
-      !CBB_add_asn1_uint64(&seq, ssl->version) ||
-      !CBB_add_asn1_uint64(&seq, ssl->conf_max_version) ||
-      !CBB_add_asn1_uint64(&seq, ssl->conf_min_version) ||
-      !CBB_add_asn1_uint64(&seq, ssl->max_send_fragment) ||
+      !CBB_add_asn1_uint64(&seq, type) ||
       !CBB_add_asn1_octet_string(&seq, s3->read_sequence,
                                  sizeof(s3->read_sequence)) ||
       !CBB_add_asn1_octet_string(&seq, s3->write_sequence,
@@ -137,12 +285,11 @@ bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
                                  sizeof(s3->server_random)) ||
       !CBB_add_asn1_octet_string(&seq, s3->client_random,
                                  sizeof(s3->client_random)) ||
-      !CBB_add_asn1_octet_string(&seq, read_iv, iv_len) ||
-      !CBB_add_asn1_octet_string(&seq, write_iv, iv_len) ||
+      !CBB_add_asn1_octet_string(&seq, read_iv, read_iv_len) ||
+      !CBB_add_asn1_octet_string(&seq, write_iv, write_iv_len) ||
       !CBB_add_asn1_bool(&seq, s3->session_reused) ||
-      !CBB_add_asn1_bool(&seq, s3->send_connection_binding) ||
-      !CBB_add_asn1_bool(&seq, s3->tlsext_channel_id_valid) ||
-      !ssl_session_serialize(s3->established_session.get(), &seq) ||
+      !CBB_add_asn1_bool(&seq, s3->channel_id_valid) ||
+      !ssl_session_serialize(session, &seq) ||
       !CBB_add_asn1_octet_string(&seq, s3->next_proto_negotiated.data(),
                                  s3->next_proto_negotiated.size()) ||
       !CBB_add_asn1_octet_string(&seq, s3->alpn_selected.data(),
@@ -150,19 +297,24 @@ bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
       !CBB_add_asn1_octet_string(
           &seq, reinterpret_cast<uint8_t *>(s3->hostname.get()),
           hostname_len) ||
-      !CBB_add_asn1_octet_string(&seq, s3->tlsext_channel_id,
-                                 sizeof(s3->tlsext_channel_id)) ||
-      !CBB_add_asn1_uint64(&seq, ssl->options) ||
-      !CBB_add_asn1_uint64(&seq, ssl->mode) ||
-      !CBB_add_asn1_uint64(&seq, ssl->max_cert_list) ||
-      !CBB_add_asn1_bool(&seq, ssl->quiet_shutdown) ||
-      !CBB_add_asn1_bool(&seq, ssl->tlsext_channel_id_enabled) ||
-      !CBB_add_asn1_bool(&seq, ssl->retain_only_sha256_of_client_certs) ||
-      !CBB_flush(out)) {
+      !CBB_add_asn1_octet_string(&seq, s3->channel_id,
+                                 sizeof(s3->channel_id)) ||
+      !CBB_add_asn1_bool(&seq, ssl->s3->token_binding_negotiated) ||
+      !CBB_add_asn1_uint64(&seq, ssl->s3->negotiated_token_binding_param) ||
+      !CBB_add_asn1_bool(&seq, s3->hs->next_proto_neg_seen) ||
+      !CBB_add_asn1_bool(&seq, s3->hs->cert_request) ||
+      !CBB_add_asn1_bool(&seq, s3->hs->extended_master_secret) ||
+      !CBB_add_asn1_bool(&seq, s3->hs->ticket_expected) ||
+      !CBB_add_asn1_uint64(&seq, SSL_CIPHER_get_id(s3->hs->new_cipher)) ||
+      !CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) ||
+      !CBB_add_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {
     return false;
   }
-
-  return true;
+  if (type == handback_after_ecdhe &&
+      !s3->hs->key_shares[0]->Serialize(&key_share)) {
+    return false;
+  }
+  return CBB_flush(out);
 }
 
 bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
@@ -172,25 +324,23 @@ bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
   }
 
   SSL3_STATE *const s3 = ssl->s3;
-  uint64_t handback_version, version, conf_max_version, conf_min_version,
-      max_send_fragment, options, mode, max_cert_list;
+  uint64_t handback_version, negotiated_token_binding_param, cipher, type;
+
   CBS seq, read_seq, write_seq, server_rand, client_rand, read_iv, write_iv,
-      next_proto, alpn, hostname, channel_id;
-  int session_reused, send_connection_binding, channel_id_valid,
-      quiet_shutdown, channel_id_enabled, retain_only_sha256;
+      next_proto, alpn, hostname, channel_id, transcript, key_share;
+  int session_reused, channel_id_valid, cert_request, extended_master_secret,
+      ticket_expected, token_binding_negotiated, next_proto_neg_seen;
+  SSL_SESSION *session = nullptr;
 
   CBS handback_cbs(handback);
   if (!CBS_get_asn1(&handback_cbs, &seq, CBS_ASN1_SEQUENCE) ||
       !CBS_get_asn1_uint64(&seq, &handback_version) ||
-      handback_version != kHandbackVersion) {
+      handback_version != kHandbackVersion ||
+      !CBS_get_asn1_uint64(&seq, &type)) {
     return false;
   }
 
-  if (!CBS_get_asn1_uint64(&seq, &version) ||
-      !CBS_get_asn1_uint64(&seq, &conf_max_version) ||
-      !CBS_get_asn1_uint64(&seq, &conf_min_version) ||
-      !CBS_get_asn1_uint64(&seq, &max_send_fragment) ||
-      !CBS_get_asn1(&seq, &read_seq, CBS_ASN1_OCTETSTRING) ||
+  if (!CBS_get_asn1(&seq, &read_seq, CBS_ASN1_OCTETSTRING) ||
       CBS_len(&read_seq) != sizeof(s3->read_sequence) ||
       !CBS_get_asn1(&seq, &write_seq, CBS_ASN1_OCTETSTRING) ||
       CBS_len(&write_seq) != sizeof(s3->write_sequence) ||
@@ -205,47 +355,77 @@ bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
       !CBS_get_asn1(&seq, &read_iv, CBS_ASN1_OCTETSTRING) ||
       !CBS_get_asn1(&seq, &write_iv, CBS_ASN1_OCTETSTRING) ||
       !CBS_get_asn1_bool(&seq, &session_reused) ||
-      !CBS_get_asn1_bool(&seq, &send_connection_binding) ||
       !CBS_get_asn1_bool(&seq, &channel_id_valid)) {
     return false;
   }
 
-  s3->established_session =
-      SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
+  s3->hs = ssl_handshake_new(ssl);
+  if (session_reused) {
+    ssl->session =
+        SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
+    session = ssl->session.get();
+  } else {
+    s3->hs->new_session =
+        SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
+    session = s3->hs->new_session.get();
+  }
 
-  if (!s3->established_session ||
-      !CBS_get_asn1(&seq, &next_proto, CBS_ASN1_OCTETSTRING) ||
+  if (!session || !CBS_get_asn1(&seq, &next_proto, CBS_ASN1_OCTETSTRING) ||
       !CBS_get_asn1(&seq, &alpn, CBS_ASN1_OCTETSTRING) ||
       !CBS_get_asn1(&seq, &hostname, CBS_ASN1_OCTETSTRING) ||
       !CBS_get_asn1(&seq, &channel_id, CBS_ASN1_OCTETSTRING) ||
-      CBS_len(&channel_id) != sizeof(s3->tlsext_channel_id) ||
-      !CBS_copy_bytes(&channel_id, s3->tlsext_channel_id,
-                      sizeof(s3->tlsext_channel_id)) ||
-      !CBS_get_asn1_uint64(&seq, &options) ||
-      !CBS_get_asn1_uint64(&seq, &mode) ||
-      !CBS_get_asn1_uint64(&seq, &max_cert_list) ||
-      !CBS_get_asn1_bool(&seq, &quiet_shutdown) ||
-      !CBS_get_asn1_bool(&seq, &channel_id_enabled) ||
-      !CBS_get_asn1_bool(&seq, &retain_only_sha256)) {
+      CBS_len(&channel_id) != sizeof(s3->channel_id) ||
+      !CBS_copy_bytes(&channel_id, s3->channel_id,
+                      sizeof(s3->channel_id)) ||
+      !CBS_get_asn1_bool(&seq, &token_binding_negotiated) ||
+      !CBS_get_asn1_uint64(&seq, &negotiated_token_binding_param) ||
+      !CBS_get_asn1_bool(&seq, &next_proto_neg_seen) ||
+      !CBS_get_asn1_bool(&seq, &cert_request) ||
+      !CBS_get_asn1_bool(&seq, &extended_master_secret) ||
+      !CBS_get_asn1_bool(&seq, &ticket_expected) ||
+      !CBS_get_asn1_uint64(&seq, &cipher)) {
+    return false;
+  }
+  if ((s3->hs->new_cipher =
+           SSL_get_cipher_by_value(static_cast<uint16_t>(cipher))) == nullptr) {
+    return false;
+  }
+  if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||
+      !CBS_get_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {
     return false;
   }
 
-  ssl->version = version;
-  ssl->conf_max_version = conf_max_version;
-  ssl->conf_min_version = conf_min_version;
-  ssl->max_send_fragment = max_send_fragment;
+  ssl->version = session->ssl_version;
+  s3->have_version = true;
+  if (!ssl_method_supports_version(ssl->method, ssl->version) ||
+      session->cipher != s3->hs->new_cipher ||
+      ssl_protocol_version(ssl) < SSL_CIPHER_get_min_version(session->cipher) ||
+      SSL_CIPHER_get_max_version(session->cipher) < ssl_protocol_version(ssl)) {
+    return false;
+  }
   ssl->do_handshake = ssl_server_handshake;
   ssl->server = true;
-  ssl->options = options;
-  ssl->mode = mode;
-  ssl->max_cert_list = max_cert_list;
-
-  s3->hs.reset();
-  s3->have_version = true;
-  s3->initial_handshake_complete = true;
+  switch (type) {
+    case handback_after_session_resumption:
+      ssl->s3->hs->state = state12_read_change_cipher_spec;
+      if (!session_reused) {
+        return false;
+      }
+      break;
+    case handback_after_ecdhe:
+      ssl->s3->hs->state = state12_read_client_certificate;
+      if (session_reused) {
+        return false;
+      }
+      break;
+    case handback_after_handshake:
+      ssl->s3->hs->state = state12_finish_server_handshake;
+      break;
+    default:
+      return false;
+  }
   s3->session_reused = session_reused;
-  s3->send_connection_binding = send_connection_binding;
-  s3->tlsext_channel_id_valid = channel_id_valid;
+  s3->channel_id_valid = channel_id_valid;
   s3->next_proto_negotiated.CopyFrom(next_proto);
   s3->alpn_selected.CopyFrom(alpn);
 
@@ -260,26 +440,50 @@ bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
     s3->hostname.reset(hostname_str);
   }
 
-  ssl->quiet_shutdown = quiet_shutdown;
-  ssl->tlsext_channel_id_enabled = channel_id_enabled;
-  ssl->retain_only_sha256_of_client_certs = retain_only_sha256;
+  s3->token_binding_negotiated = token_binding_negotiated;
+  s3->negotiated_token_binding_param =
+      static_cast<uint8_t>(negotiated_token_binding_param);
+  s3->hs->next_proto_neg_seen = next_proto_neg_seen;
+  s3->hs->wait = ssl_hs_flush;
+  s3->hs->extended_master_secret = extended_master_secret;
+  s3->hs->ticket_expected = ticket_expected;
+  s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
+  s3->hs->cert_request = cert_request;
+
+  // TODO(davidben): When handoff for TLS 1.3 is added, serialize
+  // |early_data_reason| and stabilize the constants.
+  s3->early_data_reason = ssl_early_data_protocol_version;
 
   Array<uint8_t> key_block;
-  if (!tls1_configure_aead(ssl, evp_aead_open, &key_block,
-                           s3->established_session->cipher, read_iv) ||
-      !tls1_configure_aead(ssl, evp_aead_seal, &key_block,
-                           s3->established_session->cipher, write_iv)) {
+  if ((type == handback_after_session_resumption ||
+       type == handback_after_handshake) &&
+      (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session->cipher,
+                            write_iv) ||
+       !CBS_copy_bytes(&write_seq, s3->write_sequence,
+                       sizeof(s3->write_sequence)))) {
     return false;
   }
-
-  if (!CBS_copy_bytes(&read_seq, s3->read_sequence,
-                      sizeof(s3->read_sequence)) ||
-      !CBS_copy_bytes(&write_seq, s3->write_sequence,
-                      sizeof(s3->write_sequence))) {
+  if (type == handback_after_handshake &&
+      (!tls1_configure_aead(ssl, evp_aead_open, &key_block, session->cipher,
+                            read_iv) ||
+       !CBS_copy_bytes(&read_seq, s3->read_sequence,
+                       sizeof(s3->read_sequence)))) {
+    return false;
+  }
+  if ((type == handback_after_ecdhe ||
+       type == handback_after_session_resumption) &&
+      (!s3->hs->transcript.Init() ||
+       !s3->hs->transcript.InitHash(ssl_protocol_version(ssl),
+                                    s3->hs->new_cipher) ||
+       !s3->hs->transcript.Update(transcript))) {
+    return false;
+  }
+  if (type == handback_after_ecdhe &&
+      (s3->hs->key_shares[0] = SSLKeyShare::Create(&key_share)) == nullptr) {
     return false;
   }
 
-  return true;
+  return CBS_len(&seq) == 0;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END