RubyGems - grpc - Versions diffs - 1.27.0 → 1.28.0 - Mend

grpc 1.27.0 → 1.28.0

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (681) hide show

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_privkey.cc RENAMED

File without changes

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_session.cc RENAMED

@@ -208,7 +208,8 @@ UniquePtr<SSL_SESSION> SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) {
   // Copy authentication state.
   if (session->psk_identity != nullptr) {
-    new_session->psk_identity.reset(BUF_strdup(session->psk_identity.get()));
+    new_session->psk_identity.reset(
+        OPENSSL_strdup(session->psk_identity.get()));
     if (new_session->psk_identity == nullptr) {
       return nullptr;
     }

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_stat.cc RENAMED

File without changes

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_transcript.cc RENAMED

File without changes

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_versions.cc RENAMED

@@ -150,7 +150,7 @@ static bool set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
                             uint16_t version) {
   // Zero is interpreted as the default maximum version.
   if (version == 0) {
-    *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_2_VERSION;
+    *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_3_VERSION;
     return true;
   }

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_x509.cc RENAMED

File without changes

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/t1_enc.cc RENAMED

File without changes

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/t1_lib.cc RENAMED

@@ -411,10 +411,6 @@ bool tls1_check_group_id(const SSL_HANDSHAKE *hs, uint16_t group_id) {
 // kVerifySignatureAlgorithms is the default list of accepted signature
 // algorithms for verifying.
-//
-// For now, RSA-PSS signature algorithms are not enabled on Android's system
-// BoringSSL. Once the change in Chrome has stuck and the values are finalized,
-// restore them.
 static const uint16_t kVerifySignatureAlgorithms[] = {
     // List our preferred algorithms first.
     SSL_SIGN_ED25519,
@@ -432,15 +428,10 @@ static const uint16_t kVerifySignatureAlgorithms[] = {
     // For now, SHA-1 is still accepted but least preferable.
     SSL_SIGN_RSA_PKCS1_SHA1,
 };
 // kSignSignatureAlgorithms is the default list of supported signature
 // algorithms for signing.
-//
-// For now, RSA-PSS signature algorithms are not enabled on Android's system
-// BoringSSL. Once the change in Chrome has stuck and the values are finalized,
-// restore them.
 static const uint16_t kSignSignatureAlgorithms[] = {
     // List our preferred algorithms first.
     SSL_SIGN_ED25519,
@@ -472,39 +463,17 @@ struct SSLSignatureAlgorithmList {
       if (skip_ed25519 && sigalg == SSL_SIGN_ED25519) {
         continue;
       }
-      if (skip_rsa_pss_rsae && SSL_is_signature_algorithm_rsa_pss(sigalg)) {
-        continue;
-      }
       *out = sigalg;
       return true;
     }
     return false;
   }
-  bool operator==(const SSLSignatureAlgorithmList &other) const {
-    SSLSignatureAlgorithmList a = *this;
-    SSLSignatureAlgorithmList b = other;
-    uint16_t a_val, b_val;
-    while (a.Next(&a_val)) {
-      if (!b.Next(&b_val) ||
-          a_val != b_val) {
-        return false;
-      }
-    }
-    return !b.Next(&b_val);
-  }
-  bool operator!=(const SSLSignatureAlgorithmList &other) const {
-    return !(*this == other);
-  }
   Span<const uint16_t> list;
   bool skip_ed25519 = false;
-  bool skip_rsa_pss_rsae = false;
 };
-static SSLSignatureAlgorithmList tls12_get_verify_sigalgs(const SSL *ssl,
-                                                          bool for_certs) {
+static SSLSignatureAlgorithmList tls12_get_verify_sigalgs(const SSL *ssl) {
   SSLSignatureAlgorithmList ret;
   if (!ssl->config->verify_sigalgs.empty()) {
     ret.list = ssl->config->verify_sigalgs;
@@ -512,14 +481,11 @@ static SSLSignatureAlgorithmList tls12_get_verify_sigalgs(const SSL *ssl,
     ret.list = kVerifySignatureAlgorithms;
     ret.skip_ed25519 = !ssl->ctx->ed25519_enabled;
   }
-  if (for_certs) {
-    ret.skip_rsa_pss_rsae = !ssl->ctx->rsa_pss_rsae_certs_enabled;
-  }
   return ret;
 }
-bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out, bool for_certs) {
-  SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl, for_certs);
+bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out) {
+  SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl);
   uint16_t sigalg;
   while (list.Next(&sigalg)) {
     if (!CBB_add_u16(out, sigalg)) {
@@ -531,7 +497,7 @@ bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out, bool for_certs) {
 bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
                              uint16_t sigalg) {
-  SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl, false);
+  SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl);
   uint16_t verify_sigalg;
   while (list.Next(&verify_sigalg)) {
     if (verify_sigalg == sigalg) {
@@ -544,11 +510,6 @@ bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
   return false;
 }
-bool tls12_has_different_verify_sigalgs_for_certs(const SSL *ssl) {
-  return tls12_get_verify_sigalgs(ssl, true) !=
-         tls12_get_verify_sigalgs(ssl, false);
-}
 // tls_extension represents a TLS extension that is handled internally. The
 // |init| function is called for each handshake, before any other functions of
 // the extension. Then the add and parse callbacks are called as needed.
@@ -980,23 +941,11 @@ static bool ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
     return true;
   }
-  // Prior to TLS 1.3, there was no way to signal different signature algorithm
-  // preferences between the online signature and certificates. If we do not
-  // send the signature_algorithms_cert extension, use the potentially more
-  // restrictive certificate list.
-  //
-  // TODO(davidben): When TLS 1.3 is finalized, we can likely remove the TLS 1.3
-  // check both here and in signature_algorithms_cert. |hs->max_version| is not
-  // the negotiated version. Rather the expectation is that any server consuming
-  // signature algorithms added in TLS 1.3 will also know to look at
-  // signature_algorithms_cert. For now, TLS 1.3 is not quite yet final and it
-  // seems prudent to condition this new extension on it.
-  bool for_certs = hs->max_version < TLS1_3_VERSION;
   CBB contents, sigalgs_cbb;
   if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms) ||
       !CBB_add_u16_length_prefixed(out, &contents) ||
       !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
-      !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, for_certs) ||
+      !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb) ||
       !CBB_flush(out)) {
     return false;
   }
@@ -1022,35 +971,6 @@ static bool ext_sigalgs_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
 }
-// Signature Algorithms for Certificates.
-//
-// https://tools.ietf.org/html/rfc8446#section-4.2.3
-static bool ext_sigalgs_cert_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
-  SSL *const ssl = hs->ssl;
-  // If this extension is omitted, it defaults to the signature_algorithms
-  // extension, so only emit it if the list is different.
-  //
-  // This extension is also new in TLS 1.3, so omit it if TLS 1.3 is disabled.
-  // There is a corresponding version check in |ext_sigalgs_add_clienthello|.
-  if (hs->max_version < TLS1_3_VERSION ||
-      !tls12_has_different_verify_sigalgs_for_certs(ssl)) {
-    return true;
-  }
-  CBB contents, sigalgs_cbb;
-  if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms_cert) ||
-      !CBB_add_u16_length_prefixed(out, &contents) ||
-      !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
-      !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, true /* certs */) ||
-      !CBB_flush(out)) {
-    return false;
-  }
-  return true;
-}
 // OCSP Stapling.
 //
 // https://tools.ietf.org/html/rfc6066#section-8
@@ -1845,7 +1765,7 @@ static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
   // Per RFC 8446 section 4.1.4, skip offering the session if the selected
   // cipher in HelloRetryRequest does not match. This avoids performing the
   // transcript hash transformation for multiple hashes.
-  if (hs->received_hello_retry_request &&
+  if (ssl->s3 && ssl->s3->used_hello_retry_request &&
       ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
     return true;
   }
@@ -2035,7 +1955,7 @@ static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
   SSL *const ssl = hs->ssl;
   // The second ClientHello never offers early data, and we must have already
   // filled in |early_data_reason| by this point.
-  if (hs->received_hello_retry_request) {
+  if (ssl->s3->used_hello_retry_request) {
     assert(ssl->s3->early_data_reason != ssl_early_data_unknown);
     return true;
   }
@@ -2089,7 +2009,7 @@ static bool ext_early_data_parse_serverhello(SSL_HANDSHAKE *hs,
                                              CBS *contents) {
   SSL *const ssl = hs->ssl;
   if (contents == NULL) {
-    if (hs->early_data_offered && !hs->received_hello_retry_request) {
+    if (hs->early_data_offered && !ssl->s3->used_hello_retry_request) {
       ssl->s3->early_data_reason = ssl->s3->session_reused
                                        ? ssl_early_data_peer_declined
                                        : ssl_early_data_session_not_resumed;
@@ -2104,7 +2024,7 @@ static bool ext_early_data_parse_serverhello(SSL_HANDSHAKE *hs,
   // If we received an HRR, the second ClientHello never offers early data, so
   // the extensions logic will automatically reject early data extensions as
   // unsolicited. This covered by the ServerAcceptsEarlyDataOnHRR test.
-  assert(!hs->received_hello_retry_request);
+  assert(!ssl->s3->used_hello_retry_request);
   if (CBS_len(contents) != 0) {
     *out_alert = SSL_AD_DECODE_ERROR;
@@ -2173,7 +2093,7 @@ static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
   uint16_t group_id = hs->retry_group;
   uint16_t second_group_id = 0;
-  if (hs->received_hello_retry_request) {
+  if (ssl->s3 && ssl->s3->used_hello_retry_request) {
     // We received a HelloRetryRequest without a new curve, so there is no new
     // share to append. Leave |hs->key_share| as-is.
     if (group_id == 0 &&
@@ -2235,7 +2155,7 @@ static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
   // Save the contents of the extension to repeat it in the second
   // ClientHello.
-  if (!hs->received_hello_retry_request &&
+  if (ssl->s3 && !ssl->s3->used_hello_retry_request &&
       !hs->key_share_bytes.CopyFrom(
           MakeConstSpan(CBB_data(&kse_bytes), CBB_len(&kse_bytes)))) {
     return false;
@@ -2855,66 +2775,6 @@ static bool cert_compression_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
 }
-// Post-quantum experiment signal
-//
-// This extension may be used in order to identify a control group for
-// experimenting with post-quantum key exchange algorithms.
-static bool ext_pq_experiment_signal_add_clienthello(SSL_HANDSHAKE *hs,
-                                                     CBB *out) {
-  if (hs->ssl->ctx->pq_experiment_signal &&
-      (!CBB_add_u16(out, TLSEXT_TYPE_pq_experiment_signal) ||
-       !CBB_add_u16(out, 0))) {
-    return false;
-  }
-  return true;
-}
-static bool ext_pq_experiment_signal_parse_serverhello(SSL_HANDSHAKE *hs,
-                                                       uint8_t *out_alert,
-                                                       CBS *contents) {
-  if (contents == nullptr) {
-    return true;
-  }
-  if (!hs->ssl->ctx->pq_experiment_signal || CBS_len(contents) != 0) {
-    return false;
-  }
-  hs->ssl->s3->pq_experiment_signal_seen = true;
-  return true;
-}
-static bool ext_pq_experiment_signal_parse_clienthello(SSL_HANDSHAKE *hs,
-                                                       uint8_t *out_alert,
-                                                       CBS *contents) {
-  if (contents == nullptr) {
-    return true;
-  }
-  if (CBS_len(contents) != 0) {
-    return false;
-  }
-  if (hs->ssl->ctx->pq_experiment_signal) {
-    hs->ssl->s3->pq_experiment_signal_seen = true;
-  }
-  return true;
-}
-static bool ext_pq_experiment_signal_add_serverhello(SSL_HANDSHAKE *hs,
-                                                     CBB *out) {
-  if (hs->ssl->s3->pq_experiment_signal_seen &&
-      (!CBB_add_u16(out, TLSEXT_TYPE_pq_experiment_signal) ||
-       !CBB_add_u16(out, 0))) {
-    return false;
-  }
-  return true;
-}
 // kExtensions contains all the supported extensions.
 static const struct tls_extension kExtensions[] = {
   {
@@ -2991,14 +2851,6 @@ static const struct tls_extension kExtensions[] = {
     ext_sigalgs_parse_clienthello,
     dont_add_serverhello,
   },
-  {
-    TLSEXT_TYPE_signature_algorithms_cert,
-    NULL,
-    ext_sigalgs_cert_add_clienthello,
-    forbid_parse_serverhello,
-    ignore_parse_clienthello,
-    dont_add_serverhello,
-  },
   {
     TLSEXT_TYPE_next_proto_neg,
     NULL,
@@ -3103,14 +2955,6 @@ static const struct tls_extension kExtensions[] = {
     ext_delegated_credential_parse_clienthello,
     dont_add_serverhello,
   },
-  {
-    TLSEXT_TYPE_pq_experiment_signal,
-    NULL,
-    ext_pq_experiment_signal_add_clienthello,
-    ext_pq_experiment_signal_parse_serverhello,
-    ext_pq_experiment_signal_parse_clienthello,
-    ext_pq_experiment_signal_add_serverhello,
-  },
 };
 #define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension))
@@ -4030,7 +3874,3 @@ int SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO *client_hello,
 void SSL_CTX_set_ed25519_enabled(SSL_CTX *ctx, int enabled) {
   ctx->ed25519_enabled = !!enabled;
 }
-void SSL_CTX_set_rsa_pss_rsae_certs_enabled(SSL_CTX *ctx, int enabled) {
-  ctx->rsa_pss_rsae_certs_enabled = !!enabled;
-}

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/tls13_both.cc RENAMED

File without changes

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/tls13_client.cc RENAMED

@@ -184,7 +184,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
   }
   ssl->method->next_message(ssl);
-  hs->received_hello_retry_request = true;
+  ssl->s3->used_hello_retry_request = true;
   hs->tls13_state = state_send_second_client_hello;
   // 0-RTT is rejected if we receive a HelloRetryRequest.
   if (hs->in_early_data) {
@@ -269,8 +269,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
   }
   // Check that the cipher matches the one in the HelloRetryRequest.
-  if (hs->received_hello_retry_request &&
-      hs->new_cipher != cipher) {
+  if (ssl->s3->used_hello_retry_request && hs->new_cipher != cipher) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
     return ssl_hs_error;
@@ -594,7 +593,7 @@ static enum ssl_hs_wait_t do_read_server_certificate_verify(
 static enum ssl_hs_wait_t do_server_certificate_reverify(
     SSL_HANDSHAKE *hs) {
-  switch (ssl_reverify_peer_cert(hs)) {
+  switch (ssl_reverify_peer_cert(hs, /*send_alert=*/true)) {
     case ssl_verify_ok:
       break;
     case ssl_verify_invalid:

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/tls13_enc.cc RENAMED

@@ -62,7 +62,11 @@ bool tls13_init_key_schedule(SSL_HANDSHAKE *hs, Span<const uint8_t> psk) {
     return false;
   }
-  hs->transcript.FreeBuffer();
+  // Handback includes the whole handshake transcript, so we cannot free the
+  // transcript buffer in the handback case.
+  if (!hs->handback) {
+    hs->transcript.FreeBuffer();
+  }
   return hkdf_extract_to_secret(hs, psk);
 }

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/tls13_server.cc RENAMED

@@ -33,24 +33,6 @@
 BSSL_NAMESPACE_BEGIN
-enum server_hs_state_t {
-  state_select_parameters = 0,
-  state_select_session,
-  state_send_hello_retry_request,
-  state_read_second_client_hello,
-  state_send_server_hello,
-  state_send_server_certificate_verify,
-  state_send_server_finished,
-  state_read_second_client_flight,
-  state_process_end_of_early_data,
-  state_read_client_certificate,
-  state_read_client_certificate_verify,
-  state_read_channel_id,
-  state_read_client_finished,
-  state_send_new_session_ticket,
-  state_done,
-};
 static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
 // Allow a minute of ticket age skew in either direction. This covers
@@ -244,7 +226,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
     return ssl_hs_error;
   }
-  hs->tls13_state = state_select_session;
+  hs->tls13_state = state13_select_session;
   return ssl_hs_ok;
 }
@@ -405,7 +387,7 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
       return ssl_hs_error;
     case ssl_ticket_aead_retry:
-      hs->tls13_state = state_select_session;
+      hs->tls13_state = state13_select_session;
       return ssl_hs_pending_ticket;
   }
@@ -465,23 +447,14 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
       if (!hs->transcript.UpdateForHelloRetryRequest()) {
         return ssl_hs_error;
       }
-      hs->tls13_state = state_send_hello_retry_request;
+      hs->tls13_state = state13_send_hello_retry_request;
       return ssl_hs_ok;
     }
     return ssl_hs_error;
   }
-  // Note we defer releasing the early traffic secret to QUIC until after ECDHE
-  // is resolved. The early traffic secret should be derived before the key
-  // schedule incorporates ECDHE, but doing so may reject 0-RTT. To avoid
-  // confusing the caller, we split derivation and releasing the secret to QUIC.
-  if (ssl->s3->early_data_accepted &&
-      !tls13_set_early_secret_for_quic(hs)) {
-    return ssl_hs_error;
-  }
   ssl->method->next_message(ssl);
-  hs->tls13_state = state_send_server_hello;
+  hs->tls13_state = state13_send_server_hello;
   return ssl_hs_ok;
 }
@@ -515,8 +488,8 @@ static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) {
     return ssl_hs_error;
   }
-  hs->sent_hello_retry_request = true;
-  hs->tls13_state = state_read_second_client_hello;
+  ssl->s3->used_hello_retry_request = true;
+  hs->tls13_state = state13_read_second_client_hello;
   return ssl_hs_flush;
 }
@@ -586,7 +559,7 @@ static enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs) {
   }
   ssl->method->next_message(ssl);
-  hs->tls13_state = state_send_server_hello;
+  hs->tls13_state = state13_send_server_hello;
   return ssl_hs_ok;
 }
@@ -612,7 +585,7 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
     return ssl_hs_error;
   }
-  if (!hs->sent_hello_retry_request &&
+  if (!ssl->s3->used_hello_retry_request &&
       !ssl->method->add_change_cipher_spec(ssl)) {
     return ssl_hs_error;
   }
@@ -654,22 +627,10 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
         !CBB_add_u16_length_prefixed(&cert_request_extensions,
                                      &sigalg_contents) ||
         !CBB_add_u16_length_prefixed(&sigalg_contents, &sigalgs_cbb) ||
-        !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb,
-                                  false /* online signature */)) {
+        !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb)) {
       return ssl_hs_error;
     }
-    if (tls12_has_different_verify_sigalgs_for_certs(ssl)) {
-      if (!CBB_add_u16(&cert_request_extensions,
-                       TLSEXT_TYPE_signature_algorithms_cert) ||
-          !CBB_add_u16_length_prefixed(&cert_request_extensions,
-                                       &sigalg_contents) ||
-          !CBB_add_u16_length_prefixed(&sigalg_contents, &sigalgs_cbb) ||
-          !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, true /* certs */)) {
-        return ssl_hs_error;
-      }
-    }
     if (ssl_has_client_CAs(hs->config)) {
       CBB ca_contents;
       if (!CBB_add_u16(&cert_request_extensions,
@@ -698,22 +659,22 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
       return ssl_hs_error;
     }
-    hs->tls13_state = state_send_server_certificate_verify;
+    hs->tls13_state = state13_send_server_certificate_verify;
     return ssl_hs_ok;
   }
-  hs->tls13_state = state_send_server_finished;
+  hs->tls13_state = state13_send_server_finished;
   return ssl_hs_ok;
 }
 static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL_HANDSHAKE *hs) {
   switch (tls13_add_certificate_verify(hs)) {
     case ssl_private_key_success:
-      hs->tls13_state = state_send_server_finished;
+      hs->tls13_state = state13_send_server_finished;
       return ssl_hs_ok;
     case ssl_private_key_retry:
-      hs->tls13_state = state_send_server_certificate_verify;
+      hs->tls13_state = state13_send_server_certificate_verify;
       return ssl_hs_private_key_operation;
     case ssl_private_key_failure:
@@ -737,6 +698,19 @@ static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
   }
   if (ssl->s3->early_data_accepted) {
+    // We defer releasing the early traffic secret to QUIC to this point. First,
+    // the early traffic secret is derived before ECDHE, but ECDHE may later
+    // reject 0-RTT. We only release the secret after 0-RTT is fully resolved.
+    //
+    // Second, 0-RTT data is acknowledged with 1-RTT keys. Both are derived as
+    // part of the ServerHello flight, but future TLS extensions may insert an
+    // asynchronous point in the middle of this flight. We defer releasing the
+    // 0-RTT keys to ensure the QUIC implementation never installs read keys
+    // without the write keys to send the corresponding ACKs.
+    if (!tls13_set_early_secret_for_quic(hs)) {
+      return ssl_hs_error;
+    }
     // If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on
     // the wire sooner and also avoids triggering a write on |SSL_read| when
     // processing the client Finished. This requires computing the client
@@ -778,7 +752,7 @@ static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
     }
   }
-  hs->tls13_state = state_read_second_client_flight;
+  hs->tls13_state = state13_read_second_client_flight;
   return ssl_hs_flush;
 }
@@ -804,11 +778,11 @@ static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) {
                                hs->client_handshake_secret())) {
       return ssl_hs_error;
     }
-    hs->tls13_state = state_read_client_certificate;
+    hs->tls13_state = state13_read_client_certificate;
     return ssl->s3->early_data_accepted ? ssl_hs_early_return : ssl_hs_ok;
   }
-  hs->tls13_state = state_process_end_of_early_data;
+  hs->tls13_state = state13_process_end_of_early_data;
   return ssl->s3->early_data_accepted ? ssl_hs_read_end_of_early_data
                                       : ssl_hs_ok;
 }
@@ -836,7 +810,10 @@ static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) {
                              hs->client_handshake_secret())) {
     return ssl_hs_error;
   }
-  hs->tls13_state = state_read_client_certificate;
+  if (hs->handback) {
+    return ssl_hs_handback;
+  }
+  hs->tls13_state = state13_read_client_certificate;
   return ssl_hs_ok;
 }
@@ -853,7 +830,7 @@ static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {
     }
     // Skip this state.
-    hs->tls13_state = state_read_channel_id;
+    hs->tls13_state = state13_read_channel_id;
     return ssl_hs_ok;
   }
@@ -870,7 +847,7 @@ static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {
   }
   ssl->method->next_message(ssl);
-  hs->tls13_state = state_read_client_certificate_verify;
+  hs->tls13_state = state13_read_client_certificate_verify;
   return ssl_hs_ok;
 }
@@ -879,7 +856,7 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(
   SSL *const ssl = hs->ssl;
   if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) == 0) {
     // Skip this state.
-    hs->tls13_state = state_read_channel_id;
+    hs->tls13_state = state13_read_channel_id;
     return ssl_hs_ok;
   }
@@ -894,7 +871,7 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(
     case ssl_verify_invalid:
       return ssl_hs_error;
     case ssl_verify_retry:
-      hs->tls13_state = state_read_client_certificate_verify;
+      hs->tls13_state = state13_read_client_certificate_verify;
       return ssl_hs_certificate_verify;
   }
@@ -905,14 +882,14 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(
   }
   ssl->method->next_message(ssl);
-  hs->tls13_state = state_read_channel_id;
+  hs->tls13_state = state13_read_channel_id;
   return ssl_hs_ok;
 }
 static enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
   if (!ssl->s3->channel_id_valid) {
-    hs->tls13_state = state_read_client_finished;
+    hs->tls13_state = state13_read_client_finished;
     return ssl_hs_ok;
   }
@@ -927,7 +904,7 @@ static enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) {
   }
   ssl->method->next_message(ssl);
-  hs->tls13_state = state_read_client_finished;
+  hs->tls13_state = state13_read_client_finished;
   return ssl_hs_ok;
 }
@@ -954,10 +931,10 @@ static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) {
     }
     // We send post-handshake tickets as part of the handshake in 1-RTT.
-    hs->tls13_state = state_send_new_session_ticket;
+    hs->tls13_state = state13_send_new_session_ticket;
   } else {
     // We already sent half-RTT tickets.
-    hs->tls13_state = state_done;
+    hs->tls13_state = state13_done;
   }
   ssl->method->next_message(ssl);
@@ -970,7 +947,7 @@ static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) {
     return ssl_hs_error;
   }
-  hs->tls13_state = state_done;
+  hs->tls13_state = state13_done;
   // In TLS 1.3, the NewSessionTicket isn't flushed until the server performs a
   // write, to prevent a non-reading client from causing the server to hang in
   // the case of a small server write buffer. Consumers which don't write data
@@ -983,54 +960,54 @@ static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) {
 }
 enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs) {
-  while (hs->tls13_state != state_done) {
+  while (hs->tls13_state != state13_done) {
     enum ssl_hs_wait_t ret = ssl_hs_error;
-    enum server_hs_state_t state =
-        static_cast<enum server_hs_state_t>(hs->tls13_state);
+    enum tls13_server_hs_state_t state =
+        static_cast<enum tls13_server_hs_state_t>(hs->tls13_state);
     switch (state) {
-      case state_select_parameters:
+      case state13_select_parameters:
         ret = do_select_parameters(hs);
         break;
-      case state_select_session:
+      case state13_select_session:
         ret = do_select_session(hs);
         break;
-      case state_send_hello_retry_request:
+      case state13_send_hello_retry_request:
         ret = do_send_hello_retry_request(hs);
         break;
-      case state_read_second_client_hello:
+      case state13_read_second_client_hello:
         ret = do_read_second_client_hello(hs);
         break;
-      case state_send_server_hello:
+      case state13_send_server_hello:
         ret = do_send_server_hello(hs);
         break;
-      case state_send_server_certificate_verify:
+      case state13_send_server_certificate_verify:
         ret = do_send_server_certificate_verify(hs);
         break;
-      case state_send_server_finished:
+      case state13_send_server_finished:
         ret = do_send_server_finished(hs);
         break;
-      case state_read_second_client_flight:
+      case state13_read_second_client_flight:
         ret = do_read_second_client_flight(hs);
         break;
-      case state_process_end_of_early_data:
+      case state13_process_end_of_early_data:
         ret = do_process_end_of_early_data(hs);
         break;
-      case state_read_client_certificate:
+      case state13_read_client_certificate:
         ret = do_read_client_certificate(hs);
         break;
-      case state_read_client_certificate_verify:
+      case state13_read_client_certificate_verify:
         ret = do_read_client_certificate_verify(hs);
         break;
-      case state_read_channel_id:
+      case state13_read_channel_id:
         ret = do_read_channel_id(hs);
         break;
-      case state_read_client_finished:
+      case state13_read_client_finished:
         ret = do_read_client_finished(hs);
         break;
-      case state_send_new_session_ticket:
+      case state13_send_new_session_ticket:
         ret = do_send_new_session_ticket(hs);
         break;
-      case state_done:
+      case state13_done:
         ret = ssl_hs_ok;
         break;
     }
@@ -1048,38 +1025,38 @@ enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs) {
 }
 const char *tls13_server_handshake_state(SSL_HANDSHAKE *hs) {
-  enum server_hs_state_t state =
-      static_cast<enum server_hs_state_t>(hs->tls13_state);
+  enum tls13_server_hs_state_t state =
+      static_cast<enum tls13_server_hs_state_t>(hs->tls13_state);
   switch (state) {
-    case state_select_parameters:
+    case state13_select_parameters:
       return "TLS 1.3 server select_parameters";
-    case state_select_session:
+    case state13_select_session:
       return "TLS 1.3 server select_session";
-    case state_send_hello_retry_request:
+    case state13_send_hello_retry_request:
       return "TLS 1.3 server send_hello_retry_request";
-    case state_read_second_client_hello:
+    case state13_read_second_client_hello:
       return "TLS 1.3 server read_second_client_hello";
-    case state_send_server_hello:
+    case state13_send_server_hello:
       return "TLS 1.3 server send_server_hello";
-    case state_send_server_certificate_verify:
+    case state13_send_server_certificate_verify:
       return "TLS 1.3 server send_server_certificate_verify";
-    case state_send_server_finished:
+    case state13_send_server_finished:
       return "TLS 1.3 server send_server_finished";
-    case state_read_second_client_flight:
+    case state13_read_second_client_flight:
       return "TLS 1.3 server read_second_client_flight";
-    case state_process_end_of_early_data:
+    case state13_process_end_of_early_data:
       return "TLS 1.3 server process_end_of_early_data";
-    case state_read_client_certificate:
+    case state13_read_client_certificate:
       return "TLS 1.3 server read_client_certificate";
-    case state_read_client_certificate_verify:
+    case state13_read_client_certificate_verify:
       return "TLS 1.3 server read_client_certificate_verify";
-    case state_read_channel_id:
+    case state13_read_channel_id:
       return "TLS 1.3 server read_channel_id";
-    case state_read_client_finished:
+    case state13_read_client_finished:
       return "TLS 1.3 server read_client_finished";
-    case state_send_new_session_ticket:
+    case state13_send_new_session_ticket:
       return "TLS 1.3 server send_new_session_ticket";
-    case state_done:
+    case state13_done:
       return "TLS 1.3 server done";
   }