grpc 1.24.0 → 1.25.0.pre1

data/third_party/boringssl/ssl/tls13_client.cc

@@ -24,13 +24,14 @@
 #include <openssl/digest.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
+#include <openssl/sha.h>
 #include <openssl/stack.h>
 
 #include "../crypto/internal.h"
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 enum client_hs_state_t {
   state_read_hello_retry_request = 0,
@@ -40,6 +41,7 @@ enum client_hs_state_t {
   state_read_certificate_request,
   state_read_server_certificate,
   state_read_server_certificate_verify,
+  state_server_certificate_reverify,
   state_read_server_finished,
   state_send_end_of_early_data,
   state_send_client_certificate,
@@ -157,21 +159,23 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
     }
 
     // The group must be supported.
-    if (!tls1_check_group_id(ssl, group_id)) {
+    if (!tls1_check_group_id(hs, group_id)) {
       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
       return ssl_hs_error;
     }
 
-    // Check that the HelloRetryRequest does not request the key share that
-    // was provided in the initial ClientHello.
-    if (hs->key_share->GroupID() == group_id) {
+    // Check that the HelloRetryRequest does not request a key share that was
+    // provided in the initial ClientHello.
+    if (hs->key_shares[0]->GroupID() == group_id ||
+        (hs->key_shares[1] && hs->key_shares[1]->GroupID() == group_id)) {
       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
       return ssl_hs_error;
     }
 
-    hs->key_share.reset();
+    hs->key_shares[0].reset();
+    hs->key_shares[1].reset();
     hs->retry_group = group_id;
   }
 
@@ -184,6 +188,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
   hs->tls13_state = state_send_second_client_hello;
   // 0-RTT is rejected if we receive a HelloRetryRequest.
   if (hs->in_early_data) {
+    ssl->s3->early_data_reason = ssl_early_data_hello_retry_request;
     return ssl_hs_early_data_rejected;
   }
   return ssl_hs_ok;
@@ -290,6 +295,16 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
     return ssl_hs_error;
   }
 
+  // Recheck supported_versions, in case this is the second ServerHello.
+  uint16_t version;
+  if (!have_supported_versions ||
+      !CBS_get_u16(&supported_versions, &version) ||
+      version != ssl->version) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_SECOND_SERVERHELLO_VERSION_MISMATCH);
+    ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
+    return ssl_hs_error;
+  }
+
   alert = SSL_AD_DECODE_ERROR;
   if (have_pre_shared_key) {
     if (ssl->session == NULL) {
@@ -316,7 +331,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
       return ssl_hs_error;
     }
 
-    if (!ssl_session_is_context_valid(ssl, ssl->session)) {
+    if (!ssl_session_is_context_valid(hs, ssl->session.get())) {
       // This is actually a client application bug.
       OPENSSL_PUT_ERROR(SSL,
                         SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
@@ -326,7 +341,8 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
 
     ssl->s3->session_reused = true;
     // Only authentication information carries over in TLS 1.3.
-    hs->new_session = SSL_SESSION_dup(ssl->session, SSL_SESSION_DUP_AUTH_ONLY);
+    hs->new_session =
+        SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_DUP_AUTH_ONLY);
     if (!hs->new_session) {
       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
       return ssl_hs_error;
@@ -349,11 +365,12 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
 
   // Set up the key schedule and incorporate the PSK into the running secret.
   if (ssl->s3->session_reused) {
-    if (!tls13_init_key_schedule(hs, hs->new_session->master_key,
-                                 hs->new_session->master_key_length)) {
+    if (!tls13_init_key_schedule(
+            hs, MakeConstSpan(hs->new_session->master_key,
+                              hs->new_session->master_key_length))) {
       return ssl_hs_error;
     }
-  } else if (!tls13_init_key_schedule(hs, kZeroes, hash_len)) {
+  } else if (!tls13_init_key_schedule(hs, MakeConstSpan(kZeroes, hash_len))) {
     return ssl_hs_error;
   }
 
@@ -373,19 +390,19 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
     return ssl_hs_error;
   }
 
-  if (!tls13_advance_key_schedule(hs, dhe_secret.data(), dhe_secret.size()) ||
+  if (!tls13_advance_key_schedule(hs, dhe_secret) ||
       !ssl_hash_message(hs, msg) ||
       !tls13_derive_handshake_secrets(hs) ||
-      !tls13_set_traffic_key(ssl, evp_aead_open, hs->server_handshake_secret,
-                             hs->hash_len)) {
+      !tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
+                             hs->server_handshake_secret())) {
     return ssl_hs_error;
   }
 
   if (!hs->early_data_offered) {
     // If not sending early data, set client traffic keys now so that alerts are
     // encrypted.
-    if (!tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,
-                               hs->hash_len)) {
+    if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
+                               hs->client_handshake_secret())) {
       return ssl_hs_error;
     }
   }
@@ -417,26 +434,19 @@ static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {
   }
 
   // Store the negotiated ALPN in the session.
-  if (!ssl->s3->alpn_selected.empty()) {
-    hs->new_session->early_alpn = (uint8_t *)BUF_memdup(
-        ssl->s3->alpn_selected.data(), ssl->s3->alpn_selected.size());
-    if (hs->new_session->early_alpn == NULL) {
-      ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
-      return ssl_hs_error;
-    }
-    hs->new_session->early_alpn_len = ssl->s3->alpn_selected.size();
+  if (!hs->new_session->early_alpn.CopyFrom(ssl->s3->alpn_selected)) {
+    ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+    return ssl_hs_error;
   }
 
   if (ssl->s3->early_data_accepted) {
     if (hs->early_session->cipher != hs->new_session->cipher ||
-        MakeConstSpan(hs->early_session->early_alpn,
-                      hs->early_session->early_alpn_len) !=
+        MakeConstSpan(hs->early_session->early_alpn) !=
             ssl->s3->alpn_selected) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_ALPN_MISMATCH_ON_EARLY_DATA);
       return ssl_hs_error;
     }
-    if (ssl->s3->tlsext_channel_id_valid || hs->received_custom_extension ||
-        ssl->token_binding_negotiated) {
+    if (ssl->s3->channel_id_valid || ssl->s3->token_binding_negotiated) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION_ON_EARLY_DATA);
       return ssl_hs_error;
     }
@@ -458,6 +468,10 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
   // CertificateRequest may only be sent in non-resumption handshakes.
   if (ssl->s3->session_reused) {
+    if (ssl->ctx->reverify_on_resume && !ssl->s3->early_data_accepted) {
+      hs->tls13_state = state_server_certificate_reverify;
+      return ssl_hs_ok;
+    }
     hs->tls13_state = state_read_server_finished;
     return ssl_hs_ok;
   }
@@ -495,7 +509,6 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
       !have_sigalgs ||
       !CBS_get_u16_length_prefixed(&sigalgs,
                                    &supported_signature_algorithms) ||
-      CBS_len(&supported_signature_algorithms) == 0 ||
       !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {
     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
@@ -535,8 +548,13 @@ static enum ssl_hs_wait_t do_read_server_certificate(SSL_HANDSHAKE *hs) {
   if (!ssl->method->get_message(ssl, &msg)) {
     return ssl_hs_read_message;
   }
-  if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE) ||
-      !tls13_process_certificate(hs, msg, 0 /* certificate required */) ||
+
+  if (msg.type != SSL3_MT_COMPRESSED_CERTIFICATE &&
+      !ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE)) {
+    return ssl_hs_error;
+  }
+
+  if (!tls13_process_certificate(hs, msg, false /* certificate required */) ||
       !ssl_hash_message(hs, msg)) {
     return ssl_hs_error;
   }
@@ -574,6 +592,21 @@ static enum ssl_hs_wait_t do_read_server_certificate_verify(
   return ssl_hs_ok;
 }
 
+static enum ssl_hs_wait_t do_server_certificate_reverify(
+    SSL_HANDSHAKE *hs) {
+  switch (ssl_reverify_peer_cert(hs)) {
+    case ssl_verify_ok:
+      break;
+    case ssl_verify_invalid:
+      return ssl_hs_error;
+    case ssl_verify_retry:
+      hs->tls13_state = state_server_certificate_reverify;
+      return ssl_hs_certificate_verify;
+  }
+  hs->tls13_state = state_read_server_finished;
+  return ssl_hs_ok;
+}
+
 static enum ssl_hs_wait_t do_read_server_finished(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
   SSLMessage msg;
@@ -581,10 +614,11 @@ static enum ssl_hs_wait_t do_read_server_finished(SSL_HANDSHAKE *hs) {
     return ssl_hs_read_message;
   }
   if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||
-      !tls13_process_finished(hs, msg, 0 /* don't use saved value */) ||
+      !tls13_process_finished(hs, msg, false /* don't use saved value */) ||
       !ssl_hash_message(hs, msg) ||
       // Update the secret to the master secret and derive traffic keys.
-      !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||
+      !tls13_advance_key_schedule(
+          hs, MakeConstSpan(kZeroes, hs->transcript.DigestLen())) ||
       !tls13_derive_application_secrets(hs)) {
     return ssl_hs_error;
   }
@@ -599,18 +633,22 @@ static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {
 
   if (ssl->s3->early_data_accepted) {
     hs->can_early_write = false;
-    ScopedCBB cbb;
-    CBB body;
-    if (!ssl->method->init_message(ssl, cbb.get(), &body,
-                                   SSL3_MT_END_OF_EARLY_DATA) ||
-        !ssl_add_message_cbb(ssl, cbb.get())) {
-      return ssl_hs_error;
+    // QUIC omits the EndOfEarlyData message. See draft-ietf-quic-tls-22,
+    // section 8.3.
+    if (ssl->quic_method == nullptr) {
+      ScopedCBB cbb;
+      CBB body;
+      if (!ssl->method->init_message(ssl, cbb.get(), &body,
+                                     SSL3_MT_END_OF_EARLY_DATA) ||
+          !ssl_add_message_cbb(ssl, cbb.get())) {
+        return ssl_hs_error;
+      }
     }
   }
 
   if (hs->early_data_offered) {
-    if (!tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,
-                               hs->hash_len)) {
+    if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
+                               hs->client_handshake_secret())) {
       return ssl_hs_error;
     }
   }
@@ -629,8 +667,8 @@ static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {
   }
 
   // Call cert_cb to update the certificate.
-  if (ssl->cert->cert_cb != NULL) {
-    int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
+  if (hs->config->cert->cert_cb != NULL) {
+    int rv = hs->config->cert->cert_cb(ssl, hs->config->cert->cert_cb_arg);
     if (rv == 0) {
       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
       OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
@@ -652,9 +690,8 @@ static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {
 }
 
 static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {
-  SSL *const ssl = hs->ssl;
   // Don't send CertificateVerify if there is no certificate.
-  if (!ssl_has_certificate(ssl)) {
+  if (!ssl_has_certificate(hs)) {
     hs->tls13_state = state_complete_second_flight;
     return ssl_hs_ok;
   }
@@ -680,13 +717,13 @@ static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
 
   // Send a Channel ID assertion if necessary.
-  if (ssl->s3->tlsext_channel_id_valid) {
-    if (!ssl_do_channel_id_callback(ssl)) {
+  if (ssl->s3->channel_id_valid) {
+    if (!ssl_do_channel_id_callback(hs)) {
       hs->tls13_state = state_complete_second_flight;
       return ssl_hs_error;
     }
 
-    if (ssl->tlsext_channel_id_private == NULL) {
+    if (hs->config->channel_id_private == NULL) {
       return ssl_hs_channel_id_lookup;
     }
 
@@ -705,10 +742,10 @@ static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {
   }
 
   // Derive the final keys and enable them.
-  if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_traffic_secret_0,
-                             hs->hash_len) ||
-      !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_traffic_secret_0,
-                             hs->hash_len) ||
+  if (!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_open,
+                             hs->server_traffic_secret_0()) ||
+      !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
+                             hs->client_traffic_secret_0()) ||
       !tls13_derive_resumption_secret(hs)) {
     return ssl_hs_error;
   }
@@ -744,6 +781,9 @@ enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs) {
       case state_read_server_certificate_verify:
         ret = do_read_server_certificate_verify(hs);
         break;
+      case state_server_certificate_reverify:
+        ret = do_server_certificate_reverify(hs);
+        break;
       case state_read_server_finished:
         ret = do_read_server_finished(hs);
         break;
@@ -794,6 +834,8 @@ const char *tls13_client_handshake_state(SSL_HANDSHAKE *hs) {
       return "TLS 1.3 client read_server_certificate";
     case state_read_server_certificate_verify:
       return "TLS 1.3 client read_server_certificate_verify";
+    case state_server_certificate_reverify:
+      return "TLS 1.3 client server_certificate_reverify";
     case state_read_server_finished:
       return "TLS 1.3 client read_server_finished";
     case state_send_end_of_early_data:
@@ -811,18 +853,18 @@ const char *tls13_client_handshake_state(SSL_HANDSHAKE *hs) {
   return "TLS 1.3 client unknown";
 }
 
-int tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
+bool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
   if (ssl->s3->write_shutdown != ssl_shutdown_none) {
     // Ignore tickets on shutdown. Callers tend to indiscriminately call
     // |SSL_shutdown| before destroying an |SSL|, at which point calling the new
     // session callback may be confusing.
-    return 1;
+    return true;
   }
 
   UniquePtr<SSL_SESSION> session = SSL_SESSION_dup(
       ssl->s3->established_session.get(), SSL_SESSION_INCLUDE_NONAUTH);
   if (!session) {
-    return 0;
+    return false;
   }
 
   ssl_session_rebase_time(ssl, session.get());
@@ -833,12 +875,12 @@ int tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
       !CBS_get_u32(&body, &session->ticket_age_add) ||
       !CBS_get_u8_length_prefixed(&body, &ticket_nonce) ||
       !CBS_get_u16_length_prefixed(&body, &ticket) ||
-      !CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen) ||
+      !session->ticket.CopyFrom(ticket) ||
       !CBS_get_u16_length_prefixed(&body, &extensions) ||
       CBS_len(&body) != 0) {
     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
-    return 0;
+    return false;
   }
 
   // Cap the renewable lifetime by the server advertised value. This avoids
@@ -848,14 +890,14 @@ int tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
   }
 
   if (!tls13_derive_session_psk(session.get(), ticket_nonce)) {
-    return 0;
+    return false;
   }
 
   // Parse out the extensions.
-  bool have_early_data_info = false;
-  CBS early_data_info;
+  bool have_early_data = false;
+  CBS early_data;
   const SSL_EXTENSION_TYPE ext_types[] = {
-      {TLSEXT_TYPE_early_data, &have_early_data_info, &early_data_info},
+      {TLSEXT_TYPE_early_data, &have_early_data, &early_data},
   };
 
   uint8_t alert = SSL_AD_DECODE_ERROR;
@@ -863,29 +905,43 @@ int tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
                             OPENSSL_ARRAY_SIZE(ext_types),
                             1 /* ignore unknown */)) {
     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
-    return 0;
+    return false;
   }
 
-  if (have_early_data_info && ssl->cert->enable_early_data) {
-    if (!CBS_get_u32(&early_data_info, &session->ticket_max_early_data) ||
-        CBS_len(&early_data_info) != 0) {
+  if (have_early_data) {
+    if (!CBS_get_u32(&early_data, &session->ticket_max_early_data) ||
+        CBS_len(&early_data) != 0) {
       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
-      return 0;
+      return false;
+    }
+
+    // QUIC does not use the max_early_data_size parameter and always sets it to
+    // a fixed value. See draft-ietf-quic-tls-22, section 4.5.
+    if (ssl->quic_method != nullptr &&
+        session->ticket_max_early_data != 0xffffffff) {
+      ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
+      OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+      return false;
     }
   }
 
-  session->ticket_age_add_valid = 1;
-  session->not_resumable = 0;
+  // Generate a session ID for this session. Some callers expect all sessions to
+  // have a session ID.
+  SHA256(CBS_data(&ticket), CBS_len(&ticket), session->session_id);
+  session->session_id_length = SHA256_DIGEST_LENGTH;
+
+  session->ticket_age_add_valid = true;
+  session->not_resumable = false;
 
-  if ((ssl->ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) &&
-      ssl->ctx->new_session_cb != NULL &&
-      ssl->ctx->new_session_cb(ssl, session.get())) {
+  if ((ssl->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) &&
+      ssl->session_ctx->new_session_cb != NULL &&
+      ssl->session_ctx->new_session_cb(ssl, session.get())) {
     // |new_session_cb|'s return value signals that it took ownership.
     session.release();
   }
 
-  return 1;
+  return true;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END

data/third_party/boringssl/ssl/tls13_enc.cc

@@ -17,6 +17,7 @@
 #include <assert.h>
 #include <string.h>
 
+#include <algorithm>
 #include <utility>
 
 #include <openssl/aead.h>
@@ -30,181 +31,196 @@
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
-static int init_key_schedule(SSL_HANDSHAKE *hs, uint16_t version,
-                             const SSL_CIPHER *cipher) {
+static bool init_key_schedule(SSL_HANDSHAKE *hs, uint16_t version,
+                              const SSL_CIPHER *cipher) {
   if (!hs->transcript.InitHash(version, cipher)) {
-    return 0;
+    return false;
   }
 
-  hs->hash_len = hs->transcript.DigestLen();
-
   // Initialize the secret to the zero key.
-  OPENSSL_memset(hs->secret, 0, hs->hash_len);
+  hs->ResizeSecrets(hs->transcript.DigestLen());
+  OPENSSL_memset(hs->secret().data(), 0, hs->secret().size());
 
-  return 1;
+  return true;
+}
+
+static bool hkdf_extract_to_secret(SSL_HANDSHAKE *hs, Span<const uint8_t> in) {
+  size_t len;
+  if (!HKDF_extract(hs->secret().data(), &len, hs->transcript.Digest(),
+                    in.data(), in.size(), hs->secret().data(),
+                    hs->secret().size())) {
+    return false;
+  }
+  assert(len == hs->secret().size());
+  return true;
 }
 
-int tls13_init_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *psk,
-                            size_t psk_len) {
+bool tls13_init_key_schedule(SSL_HANDSHAKE *hs, Span<const uint8_t> psk) {
   if (!init_key_schedule(hs, ssl_protocol_version(hs->ssl), hs->new_cipher)) {
-    return 0;
+    return false;
   }
 
   hs->transcript.FreeBuffer();
-  return HKDF_extract(hs->secret, &hs->hash_len, hs->transcript.Digest(), psk,
-                      psk_len, hs->secret, hs->hash_len);
+  return hkdf_extract_to_secret(hs, psk);
 }
 
-int tls13_init_early_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *psk,
-                                  size_t psk_len) {
+bool tls13_init_early_key_schedule(SSL_HANDSHAKE *hs, Span<const uint8_t> psk) {
   SSL *const ssl = hs->ssl;
-  return init_key_schedule(hs, ssl_session_protocol_version(ssl->session),
+  return init_key_schedule(hs, ssl_session_protocol_version(ssl->session.get()),
                            ssl->session->cipher) &&
-         HKDF_extract(hs->secret, &hs->hash_len, hs->transcript.Digest(), psk,
-                      psk_len, hs->secret, hs->hash_len);
+         hkdf_extract_to_secret(hs, psk);
 }
 
-static int hkdf_expand_label(uint8_t *out, const EVP_MD *digest,
-                             const uint8_t *secret, size_t secret_len,
-                             const char *label, size_t label_len,
-                             const uint8_t *hash, size_t hash_len, size_t len) {
-  static const char kTLS13LabelVersion[] = "tls13 ";
+static Span<const char> label_to_span(const char *label) {
+  return MakeConstSpan(label, strlen(label));
+}
 
+static bool hkdf_expand_label(Span<uint8_t> out, const EVP_MD *digest,
+                              Span<const uint8_t> secret,
+                              Span<const char> label,
+                              Span<const uint8_t> hash) {
+  Span<const char> protocol_label = label_to_span("tls13 ");
   ScopedCBB cbb;
   CBB child;
-  uint8_t *hkdf_label;
-  size_t hkdf_label_len;
-  if (!CBB_init(cbb.get(), 2 + 1 + strlen(kTLS13LabelVersion) + label_len + 1 +
-                               hash_len) ||
-      !CBB_add_u16(cbb.get(), len) ||
+  Array<uint8_t> hkdf_label;
+  if (!CBB_init(cbb.get(), 2 + 1 + protocol_label.size() + label.size() + 1 +
+                               hash.size()) ||
+      !CBB_add_u16(cbb.get(), out.size()) ||
       !CBB_add_u8_length_prefixed(cbb.get(), &child) ||
-      !CBB_add_bytes(&child, (const uint8_t *)kTLS13LabelVersion,
-                     strlen(kTLS13LabelVersion)) ||
-      !CBB_add_bytes(&child, (const uint8_t *)label, label_len) ||
+      !CBB_add_bytes(&child,
+                     reinterpret_cast<const uint8_t *>(protocol_label.data()),
+                     protocol_label.size()) ||
+      !CBB_add_bytes(&child, reinterpret_cast<const uint8_t *>(label.data()),
+                     label.size()) ||
       !CBB_add_u8_length_prefixed(cbb.get(), &child) ||
-      !CBB_add_bytes(&child, hash, hash_len) ||
-      !CBB_finish(cbb.get(), &hkdf_label, &hkdf_label_len)) {
-    return 0;
+      !CBB_add_bytes(&child, hash.data(), hash.size()) ||
+      !CBBFinishArray(cbb.get(), &hkdf_label)) {
+    return false;
   }
 
-  int ret = HKDF_expand(out, len, digest, secret, secret_len, hkdf_label,
-                        hkdf_label_len);
-  OPENSSL_free(hkdf_label);
-  return ret;
+  return HKDF_expand(out.data(), out.size(), digest, secret.data(),
+                     secret.size(), hkdf_label.data(), hkdf_label.size());
 }
 
 static const char kTLS13LabelDerived[] = "derived";
 
-int tls13_advance_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *in,
-                               size_t len) {
+bool tls13_advance_key_schedule(SSL_HANDSHAKE *hs, Span<const uint8_t> in) {
   uint8_t derive_context[EVP_MAX_MD_SIZE];
   unsigned derive_context_len;
-  if (!EVP_Digest(nullptr, 0, derive_context, &derive_context_len,
-                  hs->transcript.Digest(), nullptr)) {
-    return 0;
-  }
-
-  if (!hkdf_expand_label(hs->secret, hs->transcript.Digest(), hs->secret,
-                         hs->hash_len, kTLS13LabelDerived,
-                         strlen(kTLS13LabelDerived), derive_context,
-                         derive_context_len, hs->hash_len)) {
-    return 0;
-  }
-
-  return HKDF_extract(hs->secret, &hs->hash_len, hs->transcript.Digest(), in,
-                      len, hs->secret, hs->hash_len);
+  return EVP_Digest(nullptr, 0, derive_context, &derive_context_len,
+                    hs->transcript.Digest(), nullptr) &&
+         hkdf_expand_label(hs->secret(), hs->transcript.Digest(), hs->secret(),
+                           label_to_span(kTLS13LabelDerived),
+                           MakeConstSpan(derive_context, derive_context_len)) &&
+         hkdf_extract_to_secret(hs, in);
 }
 
-// derive_secret derives a secret of length |len| and writes the result in |out|
-// with the given label and the current base secret and most recently-saved
-// handshake context. It returns one on success and zero on error.
-static int derive_secret(SSL_HANDSHAKE *hs, uint8_t *out, size_t len,
-                         const char *label, size_t label_len) {
+// derive_secret derives a secret of length |out.size()| and writes the result
+// in |out| with the given label, the current base secret, and the most
+// recently-saved handshake context. It returns true on success and false on
+// error.
+static bool derive_secret(SSL_HANDSHAKE *hs, Span<uint8_t> out,
+                          Span<const char> label) {
   uint8_t context_hash[EVP_MAX_MD_SIZE];
   size_t context_hash_len;
   if (!hs->transcript.GetHash(context_hash, &context_hash_len)) {
-    return 0;
+    return false;
   }
 
-  return hkdf_expand_label(out, hs->transcript.Digest(), hs->secret,
-                           hs->hash_len, label, label_len, context_hash,
-                           context_hash_len, len);
+  return hkdf_expand_label(out, hs->transcript.Digest(), hs->secret(), label,
+                           MakeConstSpan(context_hash, context_hash_len));
 }
 
-int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction,
-                          const uint8_t *traffic_secret,
-                          size_t traffic_secret_len) {
+bool tls13_set_traffic_key(SSL *ssl, enum ssl_encryption_level_t level,
+                           enum evp_aead_direction_t direction,
+                           Span<const uint8_t> traffic_secret) {
   const SSL_SESSION *session = SSL_get_session(ssl);
   uint16_t version = ssl_session_protocol_version(session);
 
-  if (traffic_secret_len > 0xff) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
-    return 0;
-  }
+  UniquePtr<SSLAEADContext> traffic_aead;
+  if (ssl->quic_method == nullptr) {
+    // Look up cipher suite properties.
+    const EVP_AEAD *aead;
+    size_t discard;
+    if (!ssl_cipher_get_evp_aead(&aead, &discard, &discard, session->cipher,
+                                 version, SSL_is_dtls(ssl))) {
+      return false;
+    }
 
-  // Look up cipher suite properties.
-  const EVP_AEAD *aead;
-  size_t discard;
-  if (!ssl_cipher_get_evp_aead(&aead, &discard, &discard, session->cipher,
-                               version, SSL_is_dtls(ssl))) {
-    return 0;
-  }
+    const EVP_MD *digest = ssl_session_get_digest(session);
 
-  const EVP_MD *digest = ssl_session_get_digest(session);
+    // Derive the key.
+    size_t key_len = EVP_AEAD_key_length(aead);
+    uint8_t key_buf[EVP_AEAD_MAX_KEY_LENGTH];
+    auto key = MakeSpan(key_buf, key_len);
+    if (!hkdf_expand_label(key, digest, traffic_secret, label_to_span("key"),
+                           {})) {
+      return false;
+    }
 
-  // Derive the key.
-  size_t key_len = EVP_AEAD_key_length(aead);
-  uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];
-  if (!hkdf_expand_label(key, digest, traffic_secret, traffic_secret_len, "key",
-                         3, NULL, 0, key_len)) {
-    return 0;
-  }
+    // Derive the IV.
+    size_t iv_len = EVP_AEAD_nonce_length(aead);
+    uint8_t iv_buf[EVP_AEAD_MAX_NONCE_LENGTH];
+    auto iv = MakeSpan(iv_buf, iv_len);
+    if (!hkdf_expand_label(iv, digest, traffic_secret, label_to_span("iv"),
+                           {})) {
+      return false;
+    }
 
-  // Derive the IV.
-  size_t iv_len = EVP_AEAD_nonce_length(aead);
-  uint8_t iv[EVP_AEAD_MAX_NONCE_LENGTH];
-  if (!hkdf_expand_label(iv, digest, traffic_secret, traffic_secret_len, "iv",
-                         2, NULL, 0, iv_len)) {
-    return 0;
+
+    traffic_aead = SSLAEADContext::Create(direction, session->ssl_version,
+                                          SSL_is_dtls(ssl), session->cipher,
+                                          key, Span<const uint8_t>(), iv);
+  } else {
+    // Install a placeholder SSLAEADContext so that SSL accessors work. The
+    // encryption itself will be handled by the SSL_QUIC_METHOD.
+    traffic_aead =
+        SSLAEADContext::CreatePlaceholderForQUIC(version, session->cipher);
+    // QUIC never installs early data keys at the TLS layer.
+    assert(level != ssl_encryption_early_data);
   }
 
-  UniquePtr<SSLAEADContext> traffic_aead =
-      SSLAEADContext::Create(direction, session->ssl_version, SSL_is_dtls(ssl),
-                             session->cipher, MakeConstSpan(key, key_len),
-                             Span<const uint8_t>(), MakeConstSpan(iv, iv_len));
   if (!traffic_aead) {
-    return 0;
+    return false;
   }
 
   if (direction == evp_aead_open) {
     if (!ssl->method->set_read_state(ssl, std::move(traffic_aead))) {
-      return 0;
+      return false;
     }
   } else {
     if (!ssl->method->set_write_state(ssl, std::move(traffic_aead))) {
-      return 0;
+      return false;
     }
   }
 
   // Save the traffic secret.
+  if (traffic_secret.size() >
+          OPENSSL_ARRAY_SIZE(ssl->s3->read_traffic_secret) ||
+      traffic_secret.size() >
+          OPENSSL_ARRAY_SIZE(ssl->s3->write_traffic_secret)) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+    return false;
+  }
   if (direction == evp_aead_open) {
-    OPENSSL_memmove(ssl->s3->read_traffic_secret, traffic_secret,
-                    traffic_secret_len);
-    ssl->s3->read_traffic_secret_len = traffic_secret_len;
+    OPENSSL_memmove(ssl->s3->read_traffic_secret, traffic_secret.data(),
+                    traffic_secret.size());
+    ssl->s3->read_traffic_secret_len = traffic_secret.size();
+    ssl->s3->read_level = level;
   } else {
-    OPENSSL_memmove(ssl->s3->write_traffic_secret, traffic_secret,
-                    traffic_secret_len);
-    ssl->s3->write_traffic_secret_len = traffic_secret_len;
+    OPENSSL_memmove(ssl->s3->write_traffic_secret, traffic_secret.data(),
+                    traffic_secret.size());
+    ssl->s3->write_traffic_secret_len = traffic_secret.size();
+    ssl->s3->write_level = level;
   }
 
-  return 1;
+  return true;
 }
 
 
 static const char kTLS13LabelExporter[] = "exp master";
-static const char kTLS13LabelEarlyExporter[] = "e exp master";
 
 static const char kTLS13LabelClientEarlyTraffic[] = "c e traffic";
 static const char kTLS13LabelClientHandshakeTraffic[] = "c hs traffic";
@@ -212,125 +228,169 @@ static const char kTLS13LabelServerHandshakeTraffic[] = "s hs traffic";
 static const char kTLS13LabelClientApplicationTraffic[] = "c ap traffic";
 static const char kTLS13LabelServerApplicationTraffic[] = "s ap traffic";
 
-int tls13_derive_early_secrets(SSL_HANDSHAKE *hs) {
+bool tls13_derive_early_secret(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
-  if (!derive_secret(hs, hs->early_traffic_secret, hs->hash_len,
-                     kTLS13LabelClientEarlyTraffic,
-                     strlen(kTLS13LabelClientEarlyTraffic)) ||
+  if (!derive_secret(hs, hs->early_traffic_secret(),
+                     label_to_span(kTLS13LabelClientEarlyTraffic)) ||
       !ssl_log_secret(ssl, "CLIENT_EARLY_TRAFFIC_SECRET",
-                      hs->early_traffic_secret, hs->hash_len) ||
-      !derive_secret(hs, ssl->s3->early_exporter_secret, hs->hash_len,
-                     kTLS13LabelEarlyExporter,
-                     strlen(kTLS13LabelEarlyExporter))) {
-    return 0;
+                      hs->early_traffic_secret())) {
+    return false;
   }
-  ssl->s3->early_exporter_secret_len = hs->hash_len;
-  return 1;
+  return true;
+}
+
+bool tls13_set_early_secret_for_quic(SSL_HANDSHAKE *hs) {
+  SSL *const ssl = hs->ssl;
+  if (ssl->quic_method == nullptr) {
+    return true;
+  }
+  if (ssl->server) {
+    if (!ssl->quic_method->set_encryption_secrets(
+            ssl, ssl_encryption_early_data, hs->early_traffic_secret().data(),
+            /*write_secret=*/nullptr, hs->early_traffic_secret().size())) {
+      OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_INTERNAL_ERROR);
+      return false;
+    }
+  } else {
+    if (!ssl->quic_method->set_encryption_secrets(
+            ssl, ssl_encryption_early_data, /*read_secret=*/nullptr,
+            hs->early_traffic_secret().data(),
+            hs->early_traffic_secret().size())) {
+      OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_INTERNAL_ERROR);
+      return false;
+    }
+  }
+  return true;
+}
+
+static bool set_quic_secrets(SSL_HANDSHAKE *hs, ssl_encryption_level_t level,
+                             Span<const uint8_t> client_write_secret,
+                             Span<const uint8_t> server_write_secret) {
+  SSL *const ssl = hs->ssl;
+  assert(client_write_secret.size() == server_write_secret.size());
+  if (ssl->quic_method == nullptr) {
+    return true;
+  }
+  if (!ssl->server) {
+    std::swap(client_write_secret, server_write_secret);
+  }
+  return ssl->quic_method->set_encryption_secrets(
+      ssl, level,
+      /*read_secret=*/client_write_secret.data(),
+      /*write_secret=*/server_write_secret.data(), client_write_secret.size());
 }
 
-int tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs) {
+bool tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
-  return derive_secret(hs, hs->client_handshake_secret, hs->hash_len,
-                       kTLS13LabelClientHandshakeTraffic,
-                       strlen(kTLS13LabelClientHandshakeTraffic)) &&
-         ssl_log_secret(ssl, "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
-                        hs->client_handshake_secret, hs->hash_len) &&
-         derive_secret(hs, hs->server_handshake_secret, hs->hash_len,
-                       kTLS13LabelServerHandshakeTraffic,
-                       strlen(kTLS13LabelServerHandshakeTraffic)) &&
-         ssl_log_secret(ssl, "SERVER_HANDSHAKE_TRAFFIC_SECRET",
-                        hs->server_handshake_secret, hs->hash_len);
+  if (!derive_secret(hs, hs->client_handshake_secret(),
+                     label_to_span(kTLS13LabelClientHandshakeTraffic)) ||
+      !ssl_log_secret(ssl, "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
+                      hs->client_handshake_secret()) ||
+      !derive_secret(hs, hs->server_handshake_secret(),
+                     label_to_span(kTLS13LabelServerHandshakeTraffic)) ||
+      !ssl_log_secret(ssl, "SERVER_HANDSHAKE_TRAFFIC_SECRET",
+                      hs->server_handshake_secret()) ||
+      !set_quic_secrets(hs, ssl_encryption_handshake,
+                        hs->client_handshake_secret(),
+                        hs->server_handshake_secret())) {
+    return false;
+  }
+
+  return true;
 }
 
-int tls13_derive_application_secrets(SSL_HANDSHAKE *hs) {
+bool tls13_derive_application_secrets(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
-  ssl->s3->exporter_secret_len = hs->hash_len;
-  return derive_secret(hs, hs->client_traffic_secret_0, hs->hash_len,
-                       kTLS13LabelClientApplicationTraffic,
-                       strlen(kTLS13LabelClientApplicationTraffic)) &&
-         ssl_log_secret(ssl, "CLIENT_TRAFFIC_SECRET_0",
-                        hs->client_traffic_secret_0, hs->hash_len) &&
-         derive_secret(hs, hs->server_traffic_secret_0, hs->hash_len,
-                       kTLS13LabelServerApplicationTraffic,
-                       strlen(kTLS13LabelServerApplicationTraffic)) &&
-         ssl_log_secret(ssl, "SERVER_TRAFFIC_SECRET_0",
-                        hs->server_traffic_secret_0, hs->hash_len) &&
-         derive_secret(hs, ssl->s3->exporter_secret, hs->hash_len,
-                       kTLS13LabelExporter, strlen(kTLS13LabelExporter)) &&
-         ssl_log_secret(ssl, "EXPORTER_SECRET", ssl->s3->exporter_secret,
-                        hs->hash_len);
+  ssl->s3->exporter_secret_len = hs->transcript.DigestLen();
+  if (!derive_secret(hs, hs->client_traffic_secret_0(),
+                     label_to_span(kTLS13LabelClientApplicationTraffic)) ||
+      !ssl_log_secret(ssl, "CLIENT_TRAFFIC_SECRET_0",
+                      hs->client_traffic_secret_0()) ||
+      !derive_secret(hs, hs->server_traffic_secret_0(),
+                     label_to_span(kTLS13LabelServerApplicationTraffic)) ||
+      !ssl_log_secret(ssl, "SERVER_TRAFFIC_SECRET_0",
+                      hs->server_traffic_secret_0()) ||
+      !derive_secret(
+          hs, MakeSpan(ssl->s3->exporter_secret, ssl->s3->exporter_secret_len),
+          label_to_span(kTLS13LabelExporter)) ||
+      !ssl_log_secret(ssl, "EXPORTER_SECRET",
+                      MakeConstSpan(ssl->s3->exporter_secret,
+                                    ssl->s3->exporter_secret_len)) ||
+      !set_quic_secrets(hs, ssl_encryption_application,
+                        hs->client_traffic_secret_0(),
+                        hs->server_traffic_secret_0())) {
+    return false;
+  }
+
+  return true;
 }
 
 static const char kTLS13LabelApplicationTraffic[] = "traffic upd";
 
-int tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) {
-  uint8_t *secret;
-  size_t secret_len;
+bool tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) {
+  Span<uint8_t> secret;
   if (direction == evp_aead_open) {
-    secret = ssl->s3->read_traffic_secret;
-    secret_len = ssl->s3->read_traffic_secret_len;
+    secret = MakeSpan(ssl->s3->read_traffic_secret,
+                      ssl->s3->read_traffic_secret_len);
   } else {
-    secret = ssl->s3->write_traffic_secret;
-    secret_len = ssl->s3->write_traffic_secret_len;
+    secret = MakeSpan(ssl->s3->write_traffic_secret,
+                      ssl->s3->write_traffic_secret_len);
   }
 
   const EVP_MD *digest = ssl_session_get_digest(SSL_get_session(ssl));
-  if (!hkdf_expand_label(
-          secret, digest, secret, secret_len, kTLS13LabelApplicationTraffic,
-          strlen(kTLS13LabelApplicationTraffic), NULL, 0, secret_len)) {
-    return 0;
-  }
-
-  return tls13_set_traffic_key(ssl, direction, secret, secret_len);
+  return hkdf_expand_label(secret, digest, secret,
+                           label_to_span(kTLS13LabelApplicationTraffic), {}) &&
+         tls13_set_traffic_key(ssl, ssl_encryption_application, direction,
+                               secret);
 }
 
 static const char kTLS13LabelResumption[] = "res master";
 
-int tls13_derive_resumption_secret(SSL_HANDSHAKE *hs) {
-  if (hs->hash_len > SSL_MAX_MASTER_KEY_LENGTH) {
+bool tls13_derive_resumption_secret(SSL_HANDSHAKE *hs) {
+  if (hs->transcript.DigestLen() > SSL_MAX_MASTER_KEY_LENGTH) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-    return 0;
+    return false;
   }
-  hs->new_session->master_key_length = hs->hash_len;
-  return derive_secret(hs, hs->new_session->master_key,
-                       hs->new_session->master_key_length,
-                       kTLS13LabelResumption, strlen(kTLS13LabelResumption));
+  hs->new_session->master_key_length = hs->transcript.DigestLen();
+  return derive_secret(
+      hs,
+      MakeSpan(hs->new_session->master_key, hs->new_session->master_key_length),
+      label_to_span(kTLS13LabelResumption));
 }
 
 static const char kTLS13LabelFinished[] = "finished";
 
 // tls13_verify_data sets |out| to be the HMAC of |context| using a derived
-// Finished key for both Finished messages and the PSK binder.
-static int tls13_verify_data(const EVP_MD *digest, uint16_t version,
-                             uint8_t *out, size_t *out_len,
-                             const uint8_t *secret, size_t hash_len,
-                             uint8_t *context, size_t context_len) {
-  uint8_t key[EVP_MAX_MD_SIZE];
+// Finished key for both Finished messages and the PSK binder. |out| must have
+// space available for |EVP_MAX_MD_SIZE| bytes.
+static bool tls13_verify_data(uint8_t *out, size_t *out_len,
+                              const EVP_MD *digest, uint16_t version,
+                              Span<const uint8_t> secret,
+                              Span<const uint8_t> context) {
+  uint8_t key_buf[EVP_MAX_MD_SIZE];
+  auto key = MakeSpan(key_buf, EVP_MD_size(digest));
   unsigned len;
-  if (!hkdf_expand_label(key, digest, secret, hash_len, kTLS13LabelFinished,
-                         strlen(kTLS13LabelFinished), NULL, 0, hash_len) ||
-      HMAC(digest, key, hash_len, context, context_len, out, &len) == NULL) {
-    return 0;
+  if (!hkdf_expand_label(key, digest, secret,
+                         label_to_span(kTLS13LabelFinished), {}) ||
+      HMAC(digest, key.data(), key.size(), context.data(), context.size(), out,
+           &len) == nullptr) {
+    return false;
   }
   *out_len = len;
-  return 1;
+  return true;
 }
 
-int tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len,
-                       int is_server) {
-  const uint8_t *traffic_secret;
-  if (is_server) {
-    traffic_secret = hs->server_handshake_secret;
-  } else {
-    traffic_secret = hs->client_handshake_secret;
-  }
+bool tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len,
+                        bool is_server) {
+  Span<const uint8_t> traffic_secret =
+      is_server ? hs->server_handshake_secret() : hs->client_handshake_secret();
 
   uint8_t context_hash[EVP_MAX_MD_SIZE];
   size_t context_hash_len;
   if (!hs->transcript.GetHash(context_hash, &context_hash_len) ||
-      !tls13_verify_data(hs->transcript.Digest(), hs->ssl->version, out,
-                         out_len, traffic_secret, hs->hash_len, context_hash,
-                         context_hash_len)) {
+      !tls13_verify_data(out, out_len, hs->transcript.Digest(),
+                         hs->ssl->version, traffic_secret,
+                         MakeConstSpan(context_hash, context_hash_len))) {
     return 0;
   }
   return 1;
@@ -340,154 +400,162 @@ static const char kTLS13LabelResumptionPSK[] = "resumption";
 
 bool tls13_derive_session_psk(SSL_SESSION *session, Span<const uint8_t> nonce) {
   const EVP_MD *digest = ssl_session_get_digest(session);
-  return hkdf_expand_label(session->master_key, digest, session->master_key,
-                           session->master_key_length, kTLS13LabelResumptionPSK,
-                           strlen(kTLS13LabelResumptionPSK), nonce.data(),
-                           nonce.size(), session->master_key_length);
+  // The session initially stores the resumption_master_secret, which we
+  // override with the PSK.
+  auto session_key = MakeSpan(session->master_key, session->master_key_length);
+  return hkdf_expand_label(session_key, digest, session_key,
+                           label_to_span(kTLS13LabelResumptionPSK), nonce);
 }
 
 static const char kTLS13LabelExportKeying[] = "exporter";
 
-int tls13_export_keying_material(SSL *ssl, Span<uint8_t> out,
-                                 Span<const uint8_t> secret,
-                                 Span<const char> label,
-                                 Span<const uint8_t> context) {
+bool tls13_export_keying_material(SSL *ssl, Span<uint8_t> out,
+                                  Span<const uint8_t> secret,
+                                  Span<const char> label,
+                                  Span<const uint8_t> context) {
   if (secret.empty()) {
     assert(0);
     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-    return 0;
+    return false;
   }
 
   const EVP_MD *digest = ssl_session_get_digest(SSL_get_session(ssl));
 
-  uint8_t hash[EVP_MAX_MD_SIZE];
-  uint8_t export_context[EVP_MAX_MD_SIZE];
-  uint8_t derived_secret[EVP_MAX_MD_SIZE];
+  uint8_t hash_buf[EVP_MAX_MD_SIZE];
+  uint8_t export_context_buf[EVP_MAX_MD_SIZE];
   unsigned hash_len;
   unsigned export_context_len;
-  unsigned derived_secret_len = EVP_MD_size(digest);
-  return EVP_Digest(context.data(), context.size(), hash, &hash_len, digest,
-                    nullptr) &&
-         EVP_Digest(nullptr, 0, export_context, &export_context_len, digest,
-                    nullptr) &&
-         hkdf_expand_label(derived_secret, digest, secret.data(), secret.size(),
-                           label.data(), label.size(), export_context,
-                           export_context_len, derived_secret_len) &&
-         hkdf_expand_label(out.data(), digest, derived_secret,
-                           derived_secret_len, kTLS13LabelExportKeying,
-                           strlen(kTLS13LabelExportKeying), hash, hash_len,
-                           out.size());
+  if (!EVP_Digest(context.data(), context.size(), hash_buf, &hash_len, digest,
+                  nullptr) ||
+      !EVP_Digest(nullptr, 0, export_context_buf, &export_context_len, digest,
+                  nullptr)) {
+    return false;
+  }
+
+  auto hash = MakeConstSpan(hash_buf, hash_len);
+  auto export_context = MakeConstSpan(export_context_buf, export_context_len);
+  uint8_t derived_secret_buf[EVP_MAX_MD_SIZE];
+  auto derived_secret = MakeSpan(derived_secret_buf, EVP_MD_size(digest));
+  return hkdf_expand_label(derived_secret, digest, secret, label,
+                           export_context) &&
+         hkdf_expand_label(out, digest, derived_secret,
+                           label_to_span(kTLS13LabelExportKeying), hash);
 }
 
 static const char kTLS13LabelPSKBinder[] = "res binder";
 
-static int tls13_psk_binder(uint8_t *out, uint16_t version,
-                            const EVP_MD *digest, uint8_t *psk, size_t psk_len,
-                            uint8_t *context, size_t context_len,
-                            size_t hash_len) {
+static bool tls13_psk_binder(uint8_t *out, size_t *out_len, uint16_t version,
+                             const EVP_MD *digest, Span<const uint8_t> psk,
+                             Span<const uint8_t> context) {
   uint8_t binder_context[EVP_MAX_MD_SIZE];
   unsigned binder_context_len;
   if (!EVP_Digest(NULL, 0, binder_context, &binder_context_len, digest, NULL)) {
-    return 0;
+    return false;
   }
 
   uint8_t early_secret[EVP_MAX_MD_SIZE] = {0};
   size_t early_secret_len;
-  if (!HKDF_extract(early_secret, &early_secret_len, digest, psk, hash_len,
-                    NULL, 0)) {
-    return 0;
+  if (!HKDF_extract(early_secret, &early_secret_len, digest, psk.data(),
+                    psk.size(), NULL, 0)) {
+    return false;
   }
 
-  uint8_t binder_key[EVP_MAX_MD_SIZE] = {0};
-  size_t len;
-  if (!hkdf_expand_label(binder_key, digest, early_secret, hash_len,
-                         kTLS13LabelPSKBinder, strlen(kTLS13LabelPSKBinder),
-                         binder_context, binder_context_len, hash_len) ||
-      !tls13_verify_data(digest, version, out, &len, binder_key, hash_len,
-                         context, context_len)) {
-    return 0;
+  uint8_t binder_key_buf[EVP_MAX_MD_SIZE] = {0};
+  auto binder_key = MakeSpan(binder_key_buf, EVP_MD_size(digest));
+  if (!hkdf_expand_label(binder_key, digest,
+                         MakeConstSpan(early_secret, early_secret_len),
+                         label_to_span(kTLS13LabelPSKBinder),
+                         MakeConstSpan(binder_context, binder_context_len)) ||
+      !tls13_verify_data(out, out_len, digest, version, binder_key, context)) {
+    return false;
   }
 
-  return 1;
+  assert(*out_len == EVP_MD_size(digest));
+  return true;
 }
 
-int tls13_write_psk_binder(SSL_HANDSHAKE *hs, uint8_t *msg, size_t len) {
-  SSL *const ssl = hs->ssl;
-  const EVP_MD *digest = ssl_session_get_digest(ssl->session);
-  size_t hash_len = EVP_MD_size(digest);
-
-  if (len < hash_len + 3) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-    return 0;
+static bool hash_transcript_and_truncated_client_hello(
+    SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, const EVP_MD *digest,
+    Span<const uint8_t> client_hello, size_t binders_len) {
+  // Truncate the ClientHello.
+  if (binders_len + 2 < binders_len || client_hello.size() < binders_len + 2) {
+    return false;
   }
+  client_hello = client_hello.subspan(0, client_hello.size() - binders_len - 2);
 
   ScopedEVP_MD_CTX ctx;
-  uint8_t context[EVP_MAX_MD_SIZE];
-  unsigned context_len;
-
-  if (!EVP_DigestInit_ex(ctx.get(), digest, NULL) ||
-      !EVP_DigestUpdate(ctx.get(), hs->transcript.buffer().data(),
-                        hs->transcript.buffer().size()) ||
-      !EVP_DigestUpdate(ctx.get(), msg, len - hash_len - 3) ||
-      !EVP_DigestFinal_ex(ctx.get(), context, &context_len)) {
-    return 0;
-  }
-
-  uint8_t verify_data[EVP_MAX_MD_SIZE] = {0};
-  if (!tls13_psk_binder(verify_data, ssl->session->ssl_version, digest,
-                        ssl->session->master_key,
-                        ssl->session->master_key_length, context, context_len,
-                        hash_len)) {
-    return 0;
+  unsigned len;
+  if (!hs->transcript.CopyToHashContext(ctx.get(), digest) ||
+      !EVP_DigestUpdate(ctx.get(), client_hello.data(), client_hello.size()) ||
+      !EVP_DigestFinal_ex(ctx.get(), out, &len)) {
+    return false;
   }
 
-  OPENSSL_memcpy(msg + len - hash_len, verify_data, hash_len);
-  return 1;
+  *out_len = len;
+  return true;
 }
 
-int tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session,
-                            const SSLMessage &msg, CBS *binders) {
-  size_t hash_len = hs->transcript.DigestLen();
+bool tls13_write_psk_binder(SSL_HANDSHAKE *hs, Span<uint8_t> msg) {
+  SSL *const ssl = hs->ssl;
+  const EVP_MD *digest = ssl_session_get_digest(ssl->session.get());
+  size_t hash_len = EVP_MD_size(digest);
 
-  // The message must be large enough to exclude the binders.
-  if (CBS_len(&msg.raw) < CBS_len(binders) + 2) {
+  ScopedEVP_MD_CTX ctx;
+  uint8_t context[EVP_MAX_MD_SIZE];
+  size_t context_len;
+  uint8_t verify_data[EVP_MAX_MD_SIZE];
+  size_t verify_data_len;
+  if (!hash_transcript_and_truncated_client_hello(
+          hs, context, &context_len, digest, msg,
+          1 /* length prefix */ + hash_len) ||
+      !tls13_psk_binder(verify_data, &verify_data_len,
+                        ssl->session->ssl_version, digest,
+                        MakeConstSpan(ssl->session->master_key,
+                                      ssl->session->master_key_length),
+                        MakeConstSpan(context, context_len)) ||
+      verify_data_len != hash_len) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-    return 0;
+    return false;
   }
 
-  // Hash a ClientHello prefix up to the binders. This includes the header. For
-  // now, this assumes we only ever verify PSK binders on initial
-  // ClientHellos.
-  uint8_t context[EVP_MAX_MD_SIZE];
-  unsigned context_len;
-  if (!EVP_Digest(CBS_data(&msg.raw), CBS_len(&msg.raw) - CBS_len(binders) - 2,
-                  context, &context_len, hs->transcript.Digest(), NULL)) {
-    return 0;
-  }
+  OPENSSL_memcpy(msg.data() + msg.size() - verify_data_len, verify_data,
+                 verify_data_len);
+  return true;
+}
 
-  uint8_t verify_data[EVP_MAX_MD_SIZE] = {0};
+bool tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session,
+                             const SSLMessage &msg, CBS *binders) {
+  uint8_t context[EVP_MAX_MD_SIZE];
+  size_t context_len;
+  uint8_t verify_data[EVP_MAX_MD_SIZE];
+  size_t verify_data_len;
   CBS binder;
-  if (!tls13_psk_binder(verify_data, hs->ssl->version, hs->transcript.Digest(),
-                        session->master_key, session->master_key_length,
-                        context, context_len, hash_len) ||
+  if (!hash_transcript_and_truncated_client_hello(hs, context, &context_len,
+                                                  hs->transcript.Digest(),
+                                                  msg.raw, CBS_len(binders)) ||
+      !tls13_psk_binder(
+          verify_data, &verify_data_len, hs->ssl->version,
+          hs->transcript.Digest(),
+          MakeConstSpan(session->master_key, session->master_key_length),
+          MakeConstSpan(context, context_len)) ||
       // We only consider the first PSK, so compare against the first binder.
       !CBS_get_u8_length_prefixed(binders, &binder)) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-    return 0;
+    return false;
   }
 
-  int binder_ok =
-      CBS_len(&binder) == hash_len &&
-      CRYPTO_memcmp(CBS_data(&binder), verify_data, hash_len) == 0;
+  bool binder_ok =
+      CBS_len(&binder) == verify_data_len &&
+      CRYPTO_memcmp(CBS_data(&binder), verify_data, verify_data_len) == 0;
 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
-  binder_ok = 1;
+  binder_ok = true;
 #endif
   if (!binder_ok) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);
-    return 0;
+    return false;
   }
 
-  return 1;
+  return true;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END