grpc 1.27.0 → 1.28.0.pre2

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/internal.h

@@ -1239,6 +1239,11 @@ class SSLBuffer {
   uint16_t size_ = 0;
   // cap_ is how much memory beyond |buf_| + |offset_| is available.
   uint16_t cap_ = 0;
+  // inline_buf_ is a static buffer for short reads.
+  uint8_t inline_buf_[SSL3_RT_HEADER_LENGTH];
+  // buf_allocated_ is true if |buf_| points to allocated data and must be freed
+  // or false if it points into |inline_buf_|.
+  bool buf_allocated_ = false;
 };
 
 // ssl_read_buffer_extend_to extends the read buffer to the desired length. For
@@ -1472,12 +1477,31 @@ enum tls12_server_hs_state_t {
   state12_done,
 };
 
+enum tls13_server_hs_state_t {
+  state13_select_parameters = 0,
+  state13_select_session,
+  state13_send_hello_retry_request,
+  state13_read_second_client_hello,
+  state13_send_server_hello,
+  state13_send_server_certificate_verify,
+  state13_send_server_finished,
+  state13_read_second_client_flight,
+  state13_process_end_of_early_data,
+  state13_read_client_certificate,
+  state13_read_client_certificate_verify,
+  state13_read_channel_id,
+  state13_read_client_finished,
+  state13_send_new_session_ticket,
+  state13_done,
+};
+
 // handback_t lists the points in the state machine where a handback can occur.
 // These are the different points at which key material is no longer needed.
 enum handback_t {
   handback_after_session_resumption,
   handback_after_ecdhe,
   handback_after_handshake,
+  handback_tls13,
 };
 
 
@@ -1693,9 +1717,6 @@ struct SSL_HANDSHAKE {
   // be filled in.
   bool needs_psk_binder : 1;
 
-  bool received_hello_retry_request : 1;
-  bool sent_hello_retry_request : 1;
-
   // handshake_finalized is true once the handshake has completed, at which
   // point accessors should use the established state.
   bool handshake_finalized : 1;
@@ -1914,7 +1935,8 @@ int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,
 enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs);
 // ssl_reverify_peer_cert verifies the peer certificate for |hs| when resuming a
 // session.
-enum ssl_verify_result_t ssl_reverify_peer_cert(SSL_HANDSHAKE *hs);
+enum ssl_verify_result_t ssl_reverify_peer_cert(SSL_HANDSHAKE *hs,
+                                                bool send_alert);
 
 enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs);
 bool ssl_send_finished(SSL_HANDSHAKE *hs);
@@ -1976,10 +1998,8 @@ bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out);
 Span<const uint16_t> tls1_get_peer_verify_algorithms(const SSL_HANDSHAKE *hs);
 
 // tls12_add_verify_sigalgs adds the signature algorithms acceptable for the
-// peer signature to |out|. It returns true on success and false on error. If
-// |for_certs| is true, the potentially more restrictive list of algorithms for
-// certificates is used. Otherwise, the online signature one is used.
-bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out, bool for_certs);
+// peer signature to |out|. It returns true on success and false on error.
+bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out);
 
 // tls12_check_peer_sigalg checks if |sigalg| is acceptable for the peer
 // signature. It returns true on success and false on error, setting
@@ -1987,11 +2007,6 @@ bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out, bool for_certs);
 bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
                              uint16_t sigalg);
 
-// tls12_has_different_verify_sigalgs_for_certs returns whether |ssl| has a
-// different, more restrictive, list of signature algorithms acceptable for the
-// certificate than the online signature.
-bool tls12_has_different_verify_sigalgs_for_certs(const SSL *ssl);
-
 
 // Underdocumented functions.
 //
@@ -2376,10 +2391,6 @@ struct SSL3_STATE {
   // token_binding_negotiated is set if Token Binding was negotiated.
   bool token_binding_negotiated : 1;
 
-  // pq_experimental_signal_seen is true if the peer was observed
-  // sending/echoing the post-quantum experiment signal.
-  bool pq_experiment_signal_seen : 1;
-
   // alert_dispatch is true there is an alert in |send_alert| to be sent.
   bool alert_dispatch : 1;
 
@@ -2387,6 +2398,10 @@ struct SSL3_STATE {
   // HelloRequest.
   bool renegotiate_pending : 1;
 
+  // used_hello_retry_request is whether the handshake used a TLS 1.3
+  // HelloRetryRequest message.
+  bool used_hello_retry_request : 1;
+
   // hs_buf is the buffer of handshake data to process.
   UniquePtr<BUF_MEM> hs_buf;
 
@@ -3295,10 +3310,6 @@ struct ssl_ctx_st {
   // ed25519_enabled is whether Ed25519 is advertised in the handshake.
   bool ed25519_enabled : 1;
 
-  // rsa_pss_rsae_certs_enabled is whether rsa_pss_rsae_* are supported by the
-  // certificate verifier.
-  bool rsa_pss_rsae_certs_enabled : 1;
-
   // false_start_allowed_without_alpn is whether False Start (if
   // |SSL_MODE_ENABLE_FALSE_START| is enabled) is allowed without ALPN.
   bool false_start_allowed_without_alpn : 1;
@@ -3315,11 +3326,6 @@ struct ssl_ctx_st {
   // If enable_early_data is true, early data can be sent and accepted.
   bool enable_early_data : 1;
 
-  // pq_experiment_signal indicates that an empty extension should be sent
-  // (for clients) or echoed (for servers) to indicate participation in an
-  // experiment of post-quantum key exchanges.
-  bool pq_experiment_signal : 1;
-
  private:
   ~ssl_ctx_st();
   friend void SSL_CTX_free(SSL_CTX *);

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/s3_lib.cc

@@ -151,7 +151,6 @@
 #include <assert.h>
 #include <string.h>
 
-#include <openssl/buf.h>
 #include <openssl/digest.h>
 #include <openssl/err.h>
 #include <openssl/md5.h>
@@ -180,9 +179,9 @@ SSL3_STATE::SSL3_STATE()
       early_data_accepted(false),
       tls13_downgrade(false),
       token_binding_negotiated(false),
-      pq_experiment_signal_seen(false),
       alert_dispatch(false),
-      renegotiate_pending(false) {}
+      renegotiate_pending(false),
+      used_hello_retry_request(false) {}
 
 SSL3_STATE::~SSL3_STATE() {}
 

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/s3_pkt.cc

@@ -112,7 +112,6 @@
 #include <limits.h>
 #include <string.h>
 
-#include <openssl/buf.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/mem.h>

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_asn1.cc

@@ -87,7 +87,6 @@
 
 #include <utility>
 
-#include <openssl/buf.h>
 #include <openssl/bytestring.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
@@ -758,7 +757,7 @@ int SSL_SESSION_to_bytes(const SSL_SESSION *in, uint8_t **out_data,
     static const char kNotResumableSession[] = "NOT RESUMABLE";
 
     *out_len = strlen(kNotResumableSession);
-    *out_data = (uint8_t *)BUF_memdup(kNotResumableSession, *out_len);
+    *out_data = (uint8_t *)OPENSSL_memdup(kNotResumableSession, *out_len);
     if (*out_data == NULL) {
       return 0;
     }

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_buffer.cc

@@ -37,8 +37,11 @@ static_assert((SSL3_ALIGN_PAYLOAD & (SSL3_ALIGN_PAYLOAD - 1)) == 0,
               "SSL3_ALIGN_PAYLOAD must be a power of 2");
 
 void SSLBuffer::Clear() {
-  free(buf_);  // Allocated with malloc().
+  if (buf_allocated_) {
+    free(buf_);  // Allocated with malloc().
+  }
   buf_ = nullptr;
+  buf_allocated_ = false;
   offset_ = 0;
   size_ = 0;
   cap_ = 0;
@@ -54,27 +57,43 @@ bool SSLBuffer::EnsureCap(size_t header_len, size_t new_cap) {
     return true;
   }
 
-  // Add up to |SSL3_ALIGN_PAYLOAD| - 1 bytes of slack for alignment.
-  //
-  // Since this buffer gets allocated quite frequently and doesn't contain any
-  // sensitive data, we allocate with malloc rather than |OPENSSL_malloc| and
-  // avoid zeroing on free.
-  uint8_t *new_buf = (uint8_t *)malloc(new_cap + SSL3_ALIGN_PAYLOAD - 1);
-  if (new_buf == NULL) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
-    return false;
+  uint8_t *new_buf;
+  bool new_buf_allocated;
+  size_t new_offset;
+  if (new_cap <= sizeof(inline_buf_)) {
+    // This function is called twice per TLS record, first for the five-byte
+    // header. To avoid allocating twice, use an inline buffer for short inputs.
+    new_buf = inline_buf_;
+    new_buf_allocated = false;
+    new_offset = 0;
+  } else {
+    // Add up to |SSL3_ALIGN_PAYLOAD| - 1 bytes of slack for alignment.
+    //
+    // Since this buffer gets allocated quite frequently and doesn't contain any
+    // sensitive data, we allocate with malloc rather than |OPENSSL_malloc| and
+    // avoid zeroing on free.
+    new_buf = (uint8_t *)malloc(new_cap + SSL3_ALIGN_PAYLOAD - 1);
+    if (new_buf == NULL) {
+      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
+      return false;
+    }
+    new_buf_allocated = true;
+
+    // Offset the buffer such that the record body is aligned.
+    new_offset =
+        (0 - header_len - (uintptr_t)new_buf) & (SSL3_ALIGN_PAYLOAD - 1);
   }
 
-  // Offset the buffer such that the record body is aligned.
-  size_t new_offset =
-      (0 - header_len - (uintptr_t)new_buf) & (SSL3_ALIGN_PAYLOAD - 1);
+  // Note if the both old and new buffer are inline, the source and destination
+  // may alias.
+  OPENSSL_memmove(new_buf + new_offset, buf_ + offset_, size_);
 
-  if (buf_ != NULL) {
-    OPENSSL_memcpy(new_buf + new_offset, buf_ + offset_, size_);
+  if (buf_allocated_) {
     free(buf_);  // Allocated with malloc().
   }
 
   buf_ = new_buf;
+  buf_allocated_ = new_buf_allocated;
   offset_ = new_offset;
   cap_ = new_cap;
   return true;

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_cert.cc

@@ -121,7 +121,6 @@
 #include <utility>
 
 #include <openssl/bn.h>
-#include <openssl/buf.h>
 #include <openssl/bytestring.h>
 #include <openssl/ec_key.h>
 #include <openssl/err.h>

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_cipher.cc

@@ -143,7 +143,6 @@
 #include <assert.h>
 #include <string.h>
 
-#include <openssl/buf.h>
 #include <openssl/err.h>
 #include <openssl/md5.h>
 #include <openssl/mem.h>

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_lib.cc

@@ -565,12 +565,10 @@ ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method)
       grease_enabled(false),
       allow_unknown_alpn_protos(false),
       ed25519_enabled(false),
-      rsa_pss_rsae_certs_enabled(true),
       false_start_allowed_without_alpn(false),
       ignore_tls13_downgrade(false),
       handoff(false),
-      enable_early_data(false),
-      pq_experiment_signal(false) {
+      enable_early_data(false) {
   CRYPTO_MUTEX_init(&lock);
   CRYPTO_new_ex_data(&ex_data);
 }
@@ -699,7 +697,7 @@ SSL *SSL_new(SSL_CTX *ctx) {
 
   if (ctx->psk_identity_hint) {
     ssl->config->psk_identity_hint.reset(
-        BUF_strdup(ctx->psk_identity_hint.get()));
+        OPENSSL_strdup(ctx->psk_identity_hint.get()));
     if (ssl->config->psk_identity_hint == nullptr) {
       return nullptr;
     }
@@ -1238,14 +1236,6 @@ int SSL_send_fatal_alert(SSL *ssl, uint8_t alert) {
   return ssl_send_alert_impl(ssl, SSL3_AL_FATAL, alert);
 }
 
-void SSL_CTX_enable_pq_experiment_signal(SSL_CTX *ctx) {
-  ctx->pq_experiment_signal = true;
-}
-
-int SSL_pq_experiment_signal_seen(const SSL *ssl) {
-  return ssl->s3->pq_experiment_signal_seen;
-}
-
 int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,
                                   size_t params_len) {
   return ssl->config && ssl->config->quic_transport_params.CopyFrom(
@@ -2129,7 +2119,7 @@ int SSL_set_tlsext_host_name(SSL *ssl, const char *name) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
     return 0;
   }
-  ssl->hostname.reset(BUF_strdup(name));
+  ssl->hostname.reset(OPENSSL_strdup(name));
   if (ssl->hostname == nullptr) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
     return 0;
@@ -2496,6 +2486,11 @@ char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int len) {
   return buf;
 }
 
+int SSL_get_shared_sigalgs(SSL *ssl, int idx, int *psign, int *phash,
+                           int *psignandhash, uint8_t *rsig, uint8_t *rhash) {
+  return 0;
+}
+
 int SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method) {
   if (ctx->method->is_dtls) {
     return 0;
@@ -2580,7 +2575,7 @@ static int use_psk_identity_hint(UniquePtr<char> *out,
   // ECDHE_PSK can only spell empty hint. Having different capabilities is odd,
   // so we interpret empty and missing as identical.
   if (identity_hint != NULL && identity_hint[0] != '\0') {
-    out->reset(BUF_strdup(identity_hint));
+    out->reset(OPENSSL_strdup(identity_hint));
     if (*out == nullptr) {
       return 0;
     }
@@ -2854,6 +2849,10 @@ void SSL_CTX_set_false_start_allowed_without_alpn(SSL_CTX *ctx, int allowed) {
 
 int SSL_is_tls13_downgrade(const SSL *ssl) { return ssl->s3->tls13_downgrade; }
 
+int SSL_used_hello_retry_request(const SSL *ssl) {
+  return ssl->s3->used_hello_retry_request;
+}
+
 void SSL_CTX_set_ignore_tls13_downgrade(SSL_CTX *ctx, int ignore) {
   ctx->ignore_tls13_downgrade = !!ignore;
 }

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_session.cc

@@ -208,7 +208,8 @@ UniquePtr<SSL_SESSION> SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) {
 
   // Copy authentication state.
   if (session->psk_identity != nullptr) {
-    new_session->psk_identity.reset(BUF_strdup(session->psk_identity.get()));
+    new_session->psk_identity.reset(
+        OPENSSL_strdup(session->psk_identity.get()));
     if (new_session->psk_identity == nullptr) {
       return nullptr;
     }

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_versions.cc

@@ -150,7 +150,7 @@ static bool set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
                             uint16_t version) {
   // Zero is interpreted as the default maximum version.
   if (version == 0) {
-    *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_2_VERSION;
+    *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_3_VERSION;
     return true;
   }
 

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/t1_lib.cc

@@ -411,10 +411,6 @@ bool tls1_check_group_id(const SSL_HANDSHAKE *hs, uint16_t group_id) {
 
 // kVerifySignatureAlgorithms is the default list of accepted signature
 // algorithms for verifying.
-//
-// For now, RSA-PSS signature algorithms are not enabled on Android's system
-// BoringSSL. Once the change in Chrome has stuck and the values are finalized,
-// restore them.
 static const uint16_t kVerifySignatureAlgorithms[] = {
     // List our preferred algorithms first.
     SSL_SIGN_ED25519,
@@ -432,15 +428,10 @@ static const uint16_t kVerifySignatureAlgorithms[] = {
 
     // For now, SHA-1 is still accepted but least preferable.
     SSL_SIGN_RSA_PKCS1_SHA1,
-
 };
 
 // kSignSignatureAlgorithms is the default list of supported signature
 // algorithms for signing.
-//
-// For now, RSA-PSS signature algorithms are not enabled on Android's system
-// BoringSSL. Once the change in Chrome has stuck and the values are finalized,
-// restore them.
 static const uint16_t kSignSignatureAlgorithms[] = {
     // List our preferred algorithms first.
     SSL_SIGN_ED25519,
@@ -472,39 +463,17 @@ struct SSLSignatureAlgorithmList {
       if (skip_ed25519 && sigalg == SSL_SIGN_ED25519) {
         continue;
       }
-      if (skip_rsa_pss_rsae && SSL_is_signature_algorithm_rsa_pss(sigalg)) {
-        continue;
-      }
       *out = sigalg;
       return true;
     }
     return false;
   }
 
-  bool operator==(const SSLSignatureAlgorithmList &other) const {
-    SSLSignatureAlgorithmList a = *this;
-    SSLSignatureAlgorithmList b = other;
-    uint16_t a_val, b_val;
-    while (a.Next(&a_val)) {
-      if (!b.Next(&b_val) ||
-          a_val != b_val) {
-        return false;
-      }
-    }
-    return !b.Next(&b_val);
-  }
-
-  bool operator!=(const SSLSignatureAlgorithmList &other) const {
-    return !(*this == other);
-  }
-
   Span<const uint16_t> list;
   bool skip_ed25519 = false;
-  bool skip_rsa_pss_rsae = false;
 };
 
-static SSLSignatureAlgorithmList tls12_get_verify_sigalgs(const SSL *ssl,
-                                                          bool for_certs) {
+static SSLSignatureAlgorithmList tls12_get_verify_sigalgs(const SSL *ssl) {
   SSLSignatureAlgorithmList ret;
   if (!ssl->config->verify_sigalgs.empty()) {
     ret.list = ssl->config->verify_sigalgs;
@@ -512,14 +481,11 @@ static SSLSignatureAlgorithmList tls12_get_verify_sigalgs(const SSL *ssl,
     ret.list = kVerifySignatureAlgorithms;
     ret.skip_ed25519 = !ssl->ctx->ed25519_enabled;
   }
-  if (for_certs) {
-    ret.skip_rsa_pss_rsae = !ssl->ctx->rsa_pss_rsae_certs_enabled;
-  }
   return ret;
 }
 
-bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out, bool for_certs) {
-  SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl, for_certs);
+bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out) {
+  SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl);
   uint16_t sigalg;
   while (list.Next(&sigalg)) {
     if (!CBB_add_u16(out, sigalg)) {
@@ -531,7 +497,7 @@ bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out, bool for_certs) {
 
 bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
                              uint16_t sigalg) {
-  SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl, false);
+  SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl);
   uint16_t verify_sigalg;
   while (list.Next(&verify_sigalg)) {
     if (verify_sigalg == sigalg) {
@@ -544,11 +510,6 @@ bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
   return false;
 }
 
-bool tls12_has_different_verify_sigalgs_for_certs(const SSL *ssl) {
-  return tls12_get_verify_sigalgs(ssl, true) !=
-         tls12_get_verify_sigalgs(ssl, false);
-}
-
 // tls_extension represents a TLS extension that is handled internally. The
 // |init| function is called for each handshake, before any other functions of
 // the extension. Then the add and parse callbacks are called as needed.
@@ -980,23 +941,11 @@ static bool ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
     return true;
   }
 
-  // Prior to TLS 1.3, there was no way to signal different signature algorithm
-  // preferences between the online signature and certificates. If we do not
-  // send the signature_algorithms_cert extension, use the potentially more
-  // restrictive certificate list.
-  //
-  // TODO(davidben): When TLS 1.3 is finalized, we can likely remove the TLS 1.3
-  // check both here and in signature_algorithms_cert. |hs->max_version| is not
-  // the negotiated version. Rather the expectation is that any server consuming
-  // signature algorithms added in TLS 1.3 will also know to look at
-  // signature_algorithms_cert. For now, TLS 1.3 is not quite yet final and it
-  // seems prudent to condition this new extension on it.
-  bool for_certs = hs->max_version < TLS1_3_VERSION;
   CBB contents, sigalgs_cbb;
   if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms) ||
       !CBB_add_u16_length_prefixed(out, &contents) ||
       !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
-      !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, for_certs) ||
+      !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb) ||
       !CBB_flush(out)) {
     return false;
   }
@@ -1022,35 +971,6 @@ static bool ext_sigalgs_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
 }
 
 
-// Signature Algorithms for Certificates.
-//
-// https://tools.ietf.org/html/rfc8446#section-4.2.3
-
-static bool ext_sigalgs_cert_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
-  SSL *const ssl = hs->ssl;
-  // If this extension is omitted, it defaults to the signature_algorithms
-  // extension, so only emit it if the list is different.
-  //
-  // This extension is also new in TLS 1.3, so omit it if TLS 1.3 is disabled.
-  // There is a corresponding version check in |ext_sigalgs_add_clienthello|.
-  if (hs->max_version < TLS1_3_VERSION ||
-      !tls12_has_different_verify_sigalgs_for_certs(ssl)) {
-    return true;
-  }
-
-  CBB contents, sigalgs_cbb;
-  if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms_cert) ||
-      !CBB_add_u16_length_prefixed(out, &contents) ||
-      !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
-      !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, true /* certs */) ||
-      !CBB_flush(out)) {
-    return false;
-  }
-
-  return true;
-}
-
-
 // OCSP Stapling.
 //
 // https://tools.ietf.org/html/rfc6066#section-8
@@ -1845,7 +1765,7 @@ static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
   // Per RFC 8446 section 4.1.4, skip offering the session if the selected
   // cipher in HelloRetryRequest does not match. This avoids performing the
   // transcript hash transformation for multiple hashes.
-  if (hs->received_hello_retry_request &&
+  if (ssl->s3 && ssl->s3->used_hello_retry_request &&
       ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
     return true;
   }
@@ -2035,7 +1955,7 @@ static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
   SSL *const ssl = hs->ssl;
   // The second ClientHello never offers early data, and we must have already
   // filled in |early_data_reason| by this point.
-  if (hs->received_hello_retry_request) {
+  if (ssl->s3->used_hello_retry_request) {
     assert(ssl->s3->early_data_reason != ssl_early_data_unknown);
     return true;
   }
@@ -2089,7 +2009,7 @@ static bool ext_early_data_parse_serverhello(SSL_HANDSHAKE *hs,
                                              CBS *contents) {
   SSL *const ssl = hs->ssl;
   if (contents == NULL) {
-    if (hs->early_data_offered && !hs->received_hello_retry_request) {
+    if (hs->early_data_offered && !ssl->s3->used_hello_retry_request) {
       ssl->s3->early_data_reason = ssl->s3->session_reused
                                        ? ssl_early_data_peer_declined
                                        : ssl_early_data_session_not_resumed;
@@ -2104,7 +2024,7 @@ static bool ext_early_data_parse_serverhello(SSL_HANDSHAKE *hs,
   // If we received an HRR, the second ClientHello never offers early data, so
   // the extensions logic will automatically reject early data extensions as
   // unsolicited. This covered by the ServerAcceptsEarlyDataOnHRR test.
-  assert(!hs->received_hello_retry_request);
+  assert(!ssl->s3->used_hello_retry_request);
 
   if (CBS_len(contents) != 0) {
     *out_alert = SSL_AD_DECODE_ERROR;
@@ -2173,7 +2093,7 @@ static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
 
   uint16_t group_id = hs->retry_group;
   uint16_t second_group_id = 0;
-  if (hs->received_hello_retry_request) {
+  if (ssl->s3 && ssl->s3->used_hello_retry_request) {
     // We received a HelloRetryRequest without a new curve, so there is no new
     // share to append. Leave |hs->key_share| as-is.
     if (group_id == 0 &&
@@ -2235,7 +2155,7 @@ static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
 
   // Save the contents of the extension to repeat it in the second
   // ClientHello.
-  if (!hs->received_hello_retry_request &&
+  if (ssl->s3 && !ssl->s3->used_hello_retry_request &&
       !hs->key_share_bytes.CopyFrom(
           MakeConstSpan(CBB_data(&kse_bytes), CBB_len(&kse_bytes)))) {
     return false;
@@ -2855,66 +2775,6 @@ static bool cert_compression_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
 }
 
 
-// Post-quantum experiment signal
-//
-// This extension may be used in order to identify a control group for
-// experimenting with post-quantum key exchange algorithms.
-
-static bool ext_pq_experiment_signal_add_clienthello(SSL_HANDSHAKE *hs,
-                                                     CBB *out) {
-  if (hs->ssl->ctx->pq_experiment_signal &&
-      (!CBB_add_u16(out, TLSEXT_TYPE_pq_experiment_signal) ||
-       !CBB_add_u16(out, 0))) {
-    return false;
-  }
-
-  return true;
-}
-
-static bool ext_pq_experiment_signal_parse_serverhello(SSL_HANDSHAKE *hs,
-                                                       uint8_t *out_alert,
-                                                       CBS *contents) {
-  if (contents == nullptr) {
-    return true;
-  }
-
-  if (!hs->ssl->ctx->pq_experiment_signal || CBS_len(contents) != 0) {
-    return false;
-  }
-
-  hs->ssl->s3->pq_experiment_signal_seen = true;
-  return true;
-}
-
-static bool ext_pq_experiment_signal_parse_clienthello(SSL_HANDSHAKE *hs,
-                                                       uint8_t *out_alert,
-                                                       CBS *contents) {
-  if (contents == nullptr) {
-    return true;
-  }
-
-  if (CBS_len(contents) != 0) {
-    return false;
-  }
-
-  if (hs->ssl->ctx->pq_experiment_signal) {
-    hs->ssl->s3->pq_experiment_signal_seen = true;
-  }
-
-  return true;
-}
-
-static bool ext_pq_experiment_signal_add_serverhello(SSL_HANDSHAKE *hs,
-                                                     CBB *out) {
-  if (hs->ssl->s3->pq_experiment_signal_seen &&
-      (!CBB_add_u16(out, TLSEXT_TYPE_pq_experiment_signal) ||
-       !CBB_add_u16(out, 0))) {
-    return false;
-  }
-
-  return true;
-}
-
 // kExtensions contains all the supported extensions.
 static const struct tls_extension kExtensions[] = {
   {
@@ -2991,14 +2851,6 @@ static const struct tls_extension kExtensions[] = {
     ext_sigalgs_parse_clienthello,
     dont_add_serverhello,
   },
-  {
-    TLSEXT_TYPE_signature_algorithms_cert,
-    NULL,
-    ext_sigalgs_cert_add_clienthello,
-    forbid_parse_serverhello,
-    ignore_parse_clienthello,
-    dont_add_serverhello,
-  },
   {
     TLSEXT_TYPE_next_proto_neg,
     NULL,
@@ -3103,14 +2955,6 @@ static const struct tls_extension kExtensions[] = {
     ext_delegated_credential_parse_clienthello,
     dont_add_serverhello,
   },
-  {
-    TLSEXT_TYPE_pq_experiment_signal,
-    NULL,
-    ext_pq_experiment_signal_add_clienthello,
-    ext_pq_experiment_signal_parse_serverhello,
-    ext_pq_experiment_signal_parse_clienthello,
-    ext_pq_experiment_signal_add_serverhello,
-  },
 };
 
 #define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension))
@@ -4030,7 +3874,3 @@ int SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO *client_hello,
 void SSL_CTX_set_ed25519_enabled(SSL_CTX *ctx, int enabled) {
   ctx->ed25519_enabled = !!enabled;
 }
-
-void SSL_CTX_set_rsa_pss_rsae_certs_enabled(SSL_CTX *ctx, int enabled) {
-  ctx->rsa_pss_rsae_certs_enabled = !!enabled;
-}