RubyGems - grpc - Versions diffs - 1.27.0 → 1.30.2 - Mend

grpc 1.27.0 → 1.30.2

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (965) hide show

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_privkey.cc RENAMED

@@ -791,7 +791,8 @@ int SSL_CTX_set1_sigalgs_list(SSL_CTX *ctx, const char *str) {
   if (!SSL_CTX_set_signing_algorithm_prefs(ctx, sigalgs.data(),
                                            sigalgs.size()) ||
-      !ctx->verify_sigalgs.CopyFrom(sigalgs)) {
+      !SSL_CTX_set_verify_algorithm_prefs(ctx, sigalgs.data(),
+                                          sigalgs.size())) {
     return 0;
   }
@@ -811,7 +812,7 @@ int SSL_set1_sigalgs_list(SSL *ssl, const char *str) {
   }
   if (!SSL_set_signing_algorithm_prefs(ssl, sigalgs.data(), sigalgs.size()) ||
-      !ssl->config->verify_sigalgs.CopyFrom(sigalgs)) {
+      !SSL_set_verify_algorithm_prefs(ssl, sigalgs.data(), sigalgs.size())) {
     return 0;
   }
@@ -822,3 +823,13 @@ int SSL_CTX_set_verify_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs,
                                        size_t num_prefs) {
   return ctx->verify_sigalgs.CopyFrom(MakeConstSpan(prefs, num_prefs));
 }
+int SSL_set_verify_algorithm_prefs(SSL *ssl, const uint16_t *prefs,
+                                   size_t num_prefs) {
+  if (!ssl->config) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+    return 0;
+  }
+  return ssl->config->verify_sigalgs.CopyFrom(MakeConstSpan(prefs, num_prefs));
+}

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_session.cc RENAMED

@@ -197,6 +197,7 @@ UniquePtr SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) {
   new_session->is_server = session->is_server;
   new_session->ssl_version = session->ssl_version;
+  new_session->is_quic = session->is_quic;
   new_session->sid_ctx_length = session->sid_ctx_length;
   OPENSSL_memcpy(new_session->sid_ctx, session->sid_ctx, session->sid_ctx_length);
@@ -208,7 +209,8 @@ UniquePtr SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) {
   // Copy authentication state.
   if (session->psk_identity != nullptr) {
-    new_session->psk_identity.reset(BUF_strdup(session->psk_identity.get()));
+    new_session->psk_identity.reset(
+        OPENSSL_strdup(session->psk_identity.get()));
     if (new_session->psk_identity == nullptr) {
       return nullptr;
     }
@@ -266,6 +268,11 @@ UniquePtr SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) {
     if (!new_session->early_alpn.CopyFrom(session->early_alpn)) {
       return nullptr;
     }
+    if (!new_session->quic_early_data_hash.CopyFrom(
+            session->quic_early_data_hash)) {
+      return nullptr;
+    }
   }
   // Copy the ticket.
@@ -342,6 +349,25 @@ const EVP_MD *ssl_session_get_digest(const SSL_SESSION *session) {
                                   session->cipher);
 }
+bool compute_quic_early_data_hash(const SSL_CONFIG *config,
+                                  uint8_t hash_out[SHA256_DIGEST_LENGTH]) {
+  ScopedEVP_MD_CTX hash_ctx;
+  uint32_t transport_param_len = config->quic_transport_params.size();
+  uint32_t context_len = config->quic_early_data_context.size();
+  if (!EVP_DigestInit(hash_ctx.get(), EVP_sha256()) ||
+      !EVP_DigestUpdate(hash_ctx.get(), &transport_param_len,
+                        sizeof(transport_param_len)) ||
+      !EVP_DigestUpdate(hash_ctx.get(), config->quic_transport_params.data(),
+                        config->quic_transport_params.size()) ||
+      !EVP_DigestUpdate(hash_ctx.get(), &context_len, sizeof(context_len)) ||
+      !EVP_DigestUpdate(hash_ctx.get(), config->quic_early_data_context.data(),
+                        config->quic_early_data_context.size()) ||
+      !EVP_DigestFinal(hash_ctx.get(), hash_out, nullptr)) {
+    return false;
+  }
+  return true;
+}
 int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server) {
   SSL *const ssl = hs->ssl;
   if (ssl->mode & SSL_MODE_NO_SESSION_CREATION) {
@@ -356,6 +382,14 @@ int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server) {
   session->is_server = is_server;
   session->ssl_version = ssl->version;
+  session->is_quic = ssl->quic_method != nullptr;
+  if (is_server && ssl->enable_early_data && session->is_quic) {
+    if (!session->quic_early_data_hash.Init(SHA256_DIGEST_LENGTH) ||
+        !compute_quic_early_data_hash(hs->config,
+                                      session->quic_early_data_hash.data())) {
+      return 0;
+    }
+  }
   // Fill in the time from the |SSL_CTX|'s clock.
   struct OPENSSL_timeval now;
@@ -623,10 +657,14 @@ int ssl_session_is_resumable(const SSL_HANDSHAKE *hs,
          ssl->server == session->is_server &&
          // The session must not be expired.
          ssl_session_is_time_valid(ssl, session) &&
-         /* Only resume if the session's version matches the negotiated
-          * version. */
+         // Only resume if the session's version matches the negotiated
+         // version.
          ssl->version == session->ssl_version &&
-         // Only resume if the session's cipher matches the negotiated one.
+         // Only resume if the session's cipher matches the negotiated one. This
+         // is stricter than necessary for TLS 1.3, which allows cross-cipher
+         // resumption if the PRF hashes match. We require an exact match for
+         // simplicity. If loosening this, the 0-RTT accept logic must be
+         // updated to check the cipher.
          hs->new_cipher == session->cipher &&
          // If the session contains a client certificate (either the full
          // certificate or just the hash) then require that the form of the
@@ -634,7 +672,10 @@ int ssl_session_is_resumable(const SSL_HANDSHAKE *hs,
          ((sk_CRYPTO_BUFFER_num(session->certs.get()) == 0 &&
            !session->peer_sha256_valid) ||
           session->peer_sha256_valid ==
-              hs->config->retain_only_sha256_of_client_certs);
+              hs->config->retain_only_sha256_of_client_certs) &&
+         // Only resume if the underlying transport protocol hasn't changed.
+         // This is to prevent cross-protocol resumption between QUIC and TCP.
+         (hs->ssl->quic_method != nullptr) == session->is_quic;
 }
 // ssl_lookup_session looks up |session_id| in the session cache and sets
@@ -848,7 +889,8 @@ ssl_session_st::ssl_session_st(const SSL_X509_METHOD *method)
       peer_sha256_valid(false),
       not_resumable(false),
       ticket_age_add_valid(false),
-      is_server(false) {
+      is_server(false),
+      is_quic(false) {
   CRYPTO_new_ex_data(&ex_data);
   time = ::time(nullptr);
 }
@@ -1049,6 +1091,24 @@ int SSL_SESSION_early_data_capable(const SSL_SESSION *session) {
          session->ticket_max_early_data != 0;
 }
+SSL_SESSION *SSL_SESSION_copy_without_early_data(SSL_SESSION *session) {
+  if (!SSL_SESSION_early_data_capable(session)) {
+    return UpRef(session).release();
+  }
+  bssl::UniquePtr<SSL_SESSION> copy =
+      SSL_SESSION_dup(session, SSL_SESSION_DUP_ALL);
+  if (!copy) {
+    return nullptr;
+  }
+  copy->ticket_max_early_data = 0;
+  // Copied sessions are non-resumable until they're completely filled in.
+  copy->not_resumable = session->not_resumable;
+  assert(!SSL_SESSION_early_data_capable(copy.get()));
+  return copy.release();
+}
 SSL_SESSION *SSL_magic_pending_session_ptr(void) {
   return (SSL_SESSION *)&g_pending_session_magic;
 }

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_stat.cc RENAMED

@@ -197,6 +197,9 @@ const char *SSL_alert_desc_string_long(int value) {
     case TLS1_AD_NO_RENEGOTIATION:
       return "no renegotiation";
+    case TLS1_AD_MISSING_EXTENSION:
+      return "missing extension";
     case TLS1_AD_UNSUPPORTED_EXTENSION:
       return "unsupported extension";
@@ -218,6 +221,9 @@ const char *SSL_alert_desc_string_long(int value) {
     case TLS1_AD_CERTIFICATE_REQUIRED:
       return "certificate required";
+    case TLS1_AD_NO_APPLICATION_PROTOCOL:
+      return "no application protocol";
     default:
       return "unknown";
   }

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_transcript.cc RENAMED

File without changes

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_versions.cc RENAMED

@@ -150,7 +150,7 @@ static bool set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
                             uint16_t version) {
   // Zero is interpreted as the default maximum version.
   if (version == 0) {
-    *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_2_VERSION;
+    *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_3_VERSION;
     return true;
   }

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_x509.cc RENAMED

File without changes

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/t1_enc.cc RENAMED

@@ -236,10 +236,14 @@ int tls1_configure_aead(SSL *ssl, evp_aead_direction_t direction,
   }
   if (direction == evp_aead_open) {
-    return ssl->method->set_read_state(ssl, std::move(aead_ctx));
+    return ssl->method->set_read_state(ssl, ssl_encryption_application,
+                                       std::move(aead_ctx),
+                                       /*secret_for_quic=*/{});
   }
-  return ssl->method->set_write_state(ssl, std::move(aead_ctx));
+  return ssl->method->set_write_state(ssl, ssl_encryption_application,
+                                      std::move(aead_ctx),
+                                      /*secret_for_quic=*/{});
 }
 int tls1_change_cipher_state(SSL_HANDSHAKE *hs,

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/t1_lib.cc RENAMED

@@ -411,13 +411,8 @@ bool tls1_check_group_id(const SSL_HANDSHAKE *hs, uint16_t group_id) {
 // kVerifySignatureAlgorithms is the default list of accepted signature
 // algorithms for verifying.
-//
-// For now, RSA-PSS signature algorithms are not enabled on Android's system
-// BoringSSL. Once the change in Chrome has stuck and the values are finalized,
-// restore them.
 static const uint16_t kVerifySignatureAlgorithms[] = {
     // List our preferred algorithms first.
-    SSL_SIGN_ED25519,
     SSL_SIGN_ECDSA_SECP256R1_SHA256,
     SSL_SIGN_RSA_PSS_RSAE_SHA256,
     SSL_SIGN_RSA_PKCS1_SHA256,
@@ -432,15 +427,10 @@ static const uint16_t kVerifySignatureAlgorithms[] = {
     // For now, SHA-1 is still accepted but least preferable.
     SSL_SIGN_RSA_PKCS1_SHA1,
 };
 // kSignSignatureAlgorithms is the default list of supported signature
 // algorithms for signing.
-//
-// For now, RSA-PSS signature algorithms are not enabled on Android's system
-// BoringSSL. Once the change in Chrome has stuck and the values are finalized,
-// restore them.
 static const uint16_t kSignSignatureAlgorithms[] = {
     // List our preferred algorithms first.
     SSL_SIGN_ED25519,
@@ -464,64 +454,15 @@ static const uint16_t kSignSignatureAlgorithms[] = {
     SSL_SIGN_RSA_PKCS1_SHA1,
 };
-struct SSLSignatureAlgorithmList {
-  bool Next(uint16_t *out) {
-    while (!list.empty()) {
-      uint16_t sigalg = list[0];
-      list = list.subspan(1);
-      if (skip_ed25519 && sigalg == SSL_SIGN_ED25519) {
-        continue;
-      }
-      if (skip_rsa_pss_rsae && SSL_is_signature_algorithm_rsa_pss(sigalg)) {
-        continue;
-      }
-      *out = sigalg;
-      return true;
-    }
-    return false;
-  }
-  bool operator==(const SSLSignatureAlgorithmList &other) const {
-    SSLSignatureAlgorithmList a = *this;
-    SSLSignatureAlgorithmList b = other;
-    uint16_t a_val, b_val;
-    while (a.Next(&a_val)) {
-      if (!b.Next(&b_val) ||
-          a_val != b_val) {
-        return false;
-      }
-    }
-    return !b.Next(&b_val);
-  }
-  bool operator!=(const SSLSignatureAlgorithmList &other) const {
-    return !(*this == other);
-  }
-  Span<const uint16_t> list;
-  bool skip_ed25519 = false;
-  bool skip_rsa_pss_rsae = false;
-};
-static SSLSignatureAlgorithmList tls12_get_verify_sigalgs(const SSL *ssl,
-                                                          bool for_certs) {
-  SSLSignatureAlgorithmList ret;
-  if (!ssl->config->verify_sigalgs.empty()) {
-    ret.list = ssl->config->verify_sigalgs;
-  } else {
-    ret.list = kVerifySignatureAlgorithms;
-    ret.skip_ed25519 = !ssl->ctx->ed25519_enabled;
+static Span<const uint16_t> tls12_get_verify_sigalgs(const SSL_HANDSHAKE *hs) {
+  if (hs->config->verify_sigalgs.empty()) {
+    return Span<const uint16_t>(kVerifySignatureAlgorithms);
   }
-  if (for_certs) {
-    ret.skip_rsa_pss_rsae = !ssl->ctx->rsa_pss_rsae_certs_enabled;
-  }
-  return ret;
+  return hs->config->verify_sigalgs;
 }
-bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out, bool for_certs) {
-  SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl, for_certs);
-  uint16_t sigalg;
-  while (list.Next(&sigalg)) {
+bool tls12_add_verify_sigalgs(const SSL_HANDSHAKE *hs, CBB *out) {
+  for (uint16_t sigalg : tls12_get_verify_sigalgs(hs)) {
     if (!CBB_add_u16(out, sigalg)) {
       return false;
     }
@@ -529,11 +470,9 @@ bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out, bool for_certs) {
   return true;
 }
-bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
+bool tls12_check_peer_sigalg(const SSL_HANDSHAKE *hs, uint8_t *out_alert,
                              uint16_t sigalg) {
-  SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl, false);
-  uint16_t verify_sigalg;
-  while (list.Next(&verify_sigalg)) {
+  for (uint16_t verify_sigalg : tls12_get_verify_sigalgs(hs)) {
     if (verify_sigalg == sigalg) {
       return true;
     }
@@ -544,11 +483,6 @@ bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
   return false;
 }
-bool tls12_has_different_verify_sigalgs_for_certs(const SSL *ssl) {
-  return tls12_get_verify_sigalgs(ssl, true) !=
-         tls12_get_verify_sigalgs(ssl, false);
-}
 // tls_extension represents a TLS extension that is handled internally. The
 // |init| function is called for each handshake, before any other functions of
 // the extension. Then the add and parse callbacks are called as needed.
@@ -975,28 +909,15 @@ static bool ext_ticket_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
 static bool ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
-  SSL *const ssl = hs->ssl;
   if (hs->max_version < TLS1_2_VERSION) {
     return true;
   }
-  // Prior to TLS 1.3, there was no way to signal different signature algorithm
-  // preferences between the online signature and certificates. If we do not
-  // send the signature_algorithms_cert extension, use the potentially more
-  // restrictive certificate list.
-  //
-  // TODO(davidben): When TLS 1.3 is finalized, we can likely remove the TLS 1.3
-  // check both here and in signature_algorithms_cert. |hs->max_version| is not
-  // the negotiated version. Rather the expectation is that any server consuming
-  // signature algorithms added in TLS 1.3 will also know to look at
-  // signature_algorithms_cert. For now, TLS 1.3 is not quite yet final and it
-  // seems prudent to condition this new extension on it.
-  bool for_certs = hs->max_version < TLS1_3_VERSION;
   CBB contents, sigalgs_cbb;
   if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms) ||
       !CBB_add_u16_length_prefixed(out, &contents) ||
       !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
-      !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, for_certs) ||
+      !tls12_add_verify_sigalgs(hs, &sigalgs_cbb) ||
       !CBB_flush(out)) {
     return false;
   }
@@ -1022,35 +943,6 @@ static bool ext_sigalgs_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
 }
-// Signature Algorithms for Certificates.
-//
-// https://tools.ietf.org/html/rfc8446#section-4.2.3
-static bool ext_sigalgs_cert_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
-  SSL *const ssl = hs->ssl;
-  // If this extension is omitted, it defaults to the signature_algorithms
-  // extension, so only emit it if the list is different.
-  //
-  // This extension is also new in TLS 1.3, so omit it if TLS 1.3 is disabled.
-  // There is a corresponding version check in |ext_sigalgs_add_clienthello|.
-  if (hs->max_version < TLS1_3_VERSION ||
-      !tls12_has_different_verify_sigalgs_for_certs(ssl)) {
-    return true;
-  }
-  CBB contents, sigalgs_cbb;
-  if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms_cert) ||
-      !CBB_add_u16_length_prefixed(out, &contents) ||
-      !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
-      !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, true /* certs */) ||
-      !CBB_flush(out)) {
-    return false;
-  }
-  return true;
-}
 // OCSP Stapling.
 //
 // https://tools.ietf.org/html/rfc6066#section-8
@@ -1845,7 +1737,7 @@ static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
   // Per RFC 8446 section 4.1.4, skip offering the session if the selected
   // cipher in HelloRetryRequest does not match. This avoids performing the
   // transcript hash transformation for multiple hashes.
-  if (hs->received_hello_retry_request &&
+  if (ssl->s3 && ssl->s3->used_hello_retry_request &&
       ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
     return true;
   }
@@ -2035,7 +1927,7 @@ static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
   SSL *const ssl = hs->ssl;
   // The second ClientHello never offers early data, and we must have already
   // filled in |early_data_reason| by this point.
-  if (hs->received_hello_retry_request) {
+  if (ssl->s3->used_hello_retry_request) {
     assert(ssl->s3->early_data_reason != ssl_early_data_unknown);
     return true;
   }
@@ -2089,7 +1981,7 @@ static bool ext_early_data_parse_serverhello(SSL_HANDSHAKE *hs,
                                              CBS *contents) {
   SSL *const ssl = hs->ssl;
   if (contents == NULL) {
-    if (hs->early_data_offered && !hs->received_hello_retry_request) {
+    if (hs->early_data_offered && !ssl->s3->used_hello_retry_request) {
       ssl->s3->early_data_reason = ssl->s3->session_reused
                                        ? ssl_early_data_peer_declined
                                        : ssl_early_data_session_not_resumed;
@@ -2104,7 +1996,7 @@ static bool ext_early_data_parse_serverhello(SSL_HANDSHAKE *hs,
   // If we received an HRR, the second ClientHello never offers early data, so
   // the extensions logic will automatically reject early data extensions as
   // unsolicited. This covered by the ServerAcceptsEarlyDataOnHRR test.
-  assert(!hs->received_hello_retry_request);
+  assert(!ssl->s3->used_hello_retry_request);
   if (CBS_len(contents) != 0) {
     *out_alert = SSL_AD_DECODE_ERROR;
@@ -2173,7 +2065,7 @@ static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
   uint16_t group_id = hs->retry_group;
   uint16_t second_group_id = 0;
-  if (hs->received_hello_retry_request) {
+  if (ssl->s3 && ssl->s3->used_hello_retry_request) {
     // We received a HelloRetryRequest without a new curve, so there is no new
     // share to append. Leave |hs->key_share| as-is.
     if (group_id == 0 &&
@@ -2235,7 +2127,7 @@ static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
   // Save the contents of the extension to repeat it in the second
   // ClientHello.
-  if (!hs->received_hello_retry_request &&
+  if (ssl->s3 && !ssl->s3->used_hello_retry_request &&
       !hs->key_share_bytes.CopyFrom(
           MakeConstSpan(CBB_data(&kse_bytes), CBB_len(&kse_bytes)))) {
     return false;
@@ -2655,10 +2547,17 @@ static bool ext_token_binding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
 static bool ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE *hs,
                                                       CBB *out) {
-  if (hs->config->quic_transport_params.empty() ||
-      hs->max_version <= TLS1_2_VERSION) {
+  if (hs->config->quic_transport_params.empty() && !hs->ssl->quic_method) {
     return true;
   }
+  if (hs->config->quic_transport_params.empty() || !hs->ssl->quic_method) {
+    // QUIC Transport Parameters must be sent over QUIC, and they must not be
+    // sent over non-QUIC transports. If transport params are set, then
+    // SSL(_CTX)_set_quic_method must also be called.
+    OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);
+    return false;
+  }
+  assert(hs->min_version > TLS1_2_VERSION);
   CBB contents;
   if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) ||
@@ -2676,13 +2575,19 @@ static bool ext_quic_transport_params_parse_serverhello(SSL_HANDSHAKE *hs,
                                                         CBS *contents) {
   SSL *const ssl = hs->ssl;
   if (contents == nullptr) {
-    return true;
+    if (!ssl->quic_method) {
+      return true;
+    }
+    assert(ssl->quic_method);
+    *out_alert = SSL_AD_MISSING_EXTENSION;
+    return false;
   }
-  // QUIC requires TLS 1.3.
-  if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
+  if (!ssl->quic_method) {
     *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
     return false;
   }
+  // QUIC requires TLS 1.3.
+  assert(ssl_protocol_version(ssl) == TLS1_3_VERSION);
   return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
 }
@@ -2691,21 +2596,34 @@ static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs,
                                                         uint8_t *out_alert,
                                                         CBS *contents) {
   SSL *const ssl = hs->ssl;
-  if (!contents || hs->config->quic_transport_params.empty()) {
-    return true;
+  if (!contents) {
+    if (!ssl->quic_method) {
+      if (hs->config->quic_transport_params.empty()) {
+        return true;
+      }
+      // QUIC transport parameters must not be set if |ssl| is not configured
+      // for QUIC.
+      OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);
+      *out_alert = SSL_AD_INTERNAL_ERROR;
+    }
+    *out_alert = SSL_AD_MISSING_EXTENSION;
+    return false;
   }
-  // Ignore the extension before TLS 1.3.
-  if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
-    return true;
+  if (!ssl->quic_method) {
+    *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
+    return false;
   }
+  assert(ssl_protocol_version(ssl) == TLS1_3_VERSION);
   return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
 }
 static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs,
                                                       CBB *out) {
+  assert(hs->ssl->quic_method != nullptr);
   if (hs->config->quic_transport_params.empty()) {
-    return true;
+    // Transport parameters must be set when using QUIC.
+    OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);
+    return false;
   }
   CBB contents;
@@ -2855,66 +2773,6 @@ static bool cert_compression_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
 }
-// Post-quantum experiment signal
-//
-// This extension may be used in order to identify a control group for
-// experimenting with post-quantum key exchange algorithms.
-static bool ext_pq_experiment_signal_add_clienthello(SSL_HANDSHAKE *hs,
-                                                     CBB *out) {
-  if (hs->ssl->ctx->pq_experiment_signal &&
-      (!CBB_add_u16(out, TLSEXT_TYPE_pq_experiment_signal) ||
-       !CBB_add_u16(out, 0))) {
-    return false;
-  }
-  return true;
-}
-static bool ext_pq_experiment_signal_parse_serverhello(SSL_HANDSHAKE *hs,
-                                                       uint8_t *out_alert,
-                                                       CBS *contents) {
-  if (contents == nullptr) {
-    return true;
-  }
-  if (!hs->ssl->ctx->pq_experiment_signal || CBS_len(contents) != 0) {
-    return false;
-  }
-  hs->ssl->s3->pq_experiment_signal_seen = true;
-  return true;
-}
-static bool ext_pq_experiment_signal_parse_clienthello(SSL_HANDSHAKE *hs,
-                                                       uint8_t *out_alert,
-                                                       CBS *contents) {
-  if (contents == nullptr) {
-    return true;
-  }
-  if (CBS_len(contents) != 0) {
-    return false;
-  }
-  if (hs->ssl->ctx->pq_experiment_signal) {
-    hs->ssl->s3->pq_experiment_signal_seen = true;
-  }
-  return true;
-}
-static bool ext_pq_experiment_signal_add_serverhello(SSL_HANDSHAKE *hs,
-                                                     CBB *out) {
-  if (hs->ssl->s3->pq_experiment_signal_seen &&
-      (!CBB_add_u16(out, TLSEXT_TYPE_pq_experiment_signal) ||
-       !CBB_add_u16(out, 0))) {
-    return false;
-  }
-  return true;
-}
 // kExtensions contains all the supported extensions.
 static const struct tls_extension kExtensions[] = {
   {
@@ -2991,14 +2849,6 @@ static const struct tls_extension kExtensions[] = {
     ext_sigalgs_parse_clienthello,
     dont_add_serverhello,
   },
-  {
-    TLSEXT_TYPE_signature_algorithms_cert,
-    NULL,
-    ext_sigalgs_cert_add_clienthello,
-    forbid_parse_serverhello,
-    ignore_parse_clienthello,
-    dont_add_serverhello,
-  },
   {
     TLSEXT_TYPE_next_proto_neg,
     NULL,
@@ -3103,14 +2953,6 @@ static const struct tls_extension kExtensions[] = {
     ext_delegated_credential_parse_clienthello,
     dont_add_serverhello,
   },
-  {
-    TLSEXT_TYPE_pq_experiment_signal,
-    NULL,
-    ext_pq_experiment_signal_add_clienthello,
-    ext_pq_experiment_signal_parse_serverhello,
-    ext_pq_experiment_signal_parse_clienthello,
-    ext_pq_experiment_signal_add_serverhello,
-  },
 };
 #define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension))
@@ -4026,11 +3868,3 @@ int SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO *client_hello,
   *out_len = CBS_len(&cbs);
   return 1;
 }
-void SSL_CTX_set_ed25519_enabled(SSL_CTX *ctx, int enabled) {
-  ctx->ed25519_enabled = !!enabled;
-}
-void SSL_CTX_set_rsa_pss_rsae_certs_enabled(SSL_CTX *ctx, int enabled) {
-  ctx->rsa_pss_rsae_certs_enabled = !!enabled;
-}