grpc 1.28.0 → 1.30.0

data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c

@@ -129,6 +129,14 @@ const ASN1_TIME *X509_get0_notBefore(const X509 *x)
     return x->cert_info->validity->notBefore;
 }
 
+ASN1_TIME *X509_getm_notBefore(X509 *x)
+{
+    // Note this function takes a const |X509| pointer in OpenSSL. We require
+    // non-const as this allows mutating |x|. If it comes up for compatibility,
+    // we can relax this.
+    return x->cert_info->validity->notBefore;
+}
+
 int X509_set_notAfter(X509 *x, const ASN1_TIME *tm)
 {
     ASN1_TIME *in;
@@ -151,6 +159,14 @@ const ASN1_TIME *X509_get0_notAfter(const X509 *x)
     return x->cert_info->validity->notAfter;
 }
 
+ASN1_TIME *X509_getm_notAfter(X509 *x)
+{
+    // Note this function takes a const |X509| pointer in OpenSSL. We require
+    // non-const as this allows mutating |x|. If it comes up for compatibility,
+    // we can relax this.
+    return x->cert_info->validity->notAfter;
+}
+
 int X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
 {
     if ((x == NULL) || (x->cert_info == NULL))

data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c

@@ -2148,6 +2148,11 @@ STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
     return ctx->chain;
 }
 
+STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx)
+{
+    return ctx->chain;
+}
+
 STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
 {
     if (!ctx->chain)

data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c

@@ -177,7 +177,7 @@ X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc)
 }
 
 int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
-                               unsigned char *bytes, int len, int loc,
+                               const unsigned char *bytes, int len, int loc,
                                int set)
 {
     X509_NAME_ENTRY *ne;
@@ -191,7 +191,7 @@ int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
 }
 
 int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
-                               unsigned char *bytes, int len, int loc,
+                               const unsigned char *bytes, int len, int loc,
                                int set)
 {
     X509_NAME_ENTRY *ne;
@@ -298,7 +298,8 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
 }
 
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
-                                               int type, unsigned char *bytes,
+                                               int type,
+                                               const unsigned char *bytes,
                                                int len)
 {
     const ASN1_OBJECT *obj = OBJ_nid2obj(nid);

data/third_party/boringssl-with-bazel/src/include/openssl/base.h

@@ -184,7 +184,7 @@ extern "C" {
 // A consumer may use this symbol in the preprocessor to temporarily build
 // against multiple revisions of BoringSSL at the same time. It is not
 // recommended to do so for longer than is necessary.
-#define BORINGSSL_API_VERSION 9
+#define BORINGSSL_API_VERSION 10
 
 #if defined(BORINGSSL_SHARED_LIBRARY)
 
@@ -422,6 +422,10 @@ typedef struct ssl_session_st SSL_SESSION;
 typedef struct ssl_st SSL;
 typedef struct ssl_ticket_aead_method_st SSL_TICKET_AEAD_METHOD;
 typedef struct st_ERR_FNS ERR_FNS;
+typedef struct trust_token_st TRUST_TOKEN;
+typedef struct trust_token_client_st TRUST_TOKEN_CLIENT;
+typedef struct trust_token_issuer_st TRUST_TOKEN_ISSUER;
+typedef struct trust_token_method_st TRUST_TOKEN_METHOD;
 typedef struct v3_ext_ctx X509V3_CTX;
 typedef struct x509_attributes_st X509_ATTRIBUTE;
 typedef struct x509_cert_aux_st X509_CERT_AUX;

data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h

@@ -60,12 +60,17 @@ OPENSSL_EXPORT int CRYPTO_has_asm(void);
 OPENSSL_EXPORT int FIPS_mode(void);
 
 // BORINGSSL_self_test triggers the FIPS KAT-based self tests. It returns one on
-// success and zero on error. The argument is the integrity hash of the FIPS
-// module and may be used to check and write flag files to suppress duplicate
-// self-tests. If it is all zeros, no flag file will be checked nor written and
-// tests will always be run.
+// success and zero on error.
 OPENSSL_EXPORT int BORINGSSL_self_test(void);
 
+// CRYPTO_pre_sandbox_init initializes the crypto library, pre-acquiring some
+// unusual resources to aid running in sandboxed environments. It is safe to
+// call this function multiple times and concurrently from multiple threads.
+//
+// For more details on using BoringSSL in a sandboxed environment, see
+// SANDBOXING.md in the source tree.
+OPENSSL_EXPORT void CRYPTO_pre_sandbox_init(void);
+
 
 // Deprecated functions.
 

data/third_party/boringssl-with-bazel/src/include/openssl/dh.h

@@ -86,6 +86,21 @@ OPENSSL_EXPORT int DH_up_ref(DH *dh);
 
 // Properties.
 
+// DH_get0_pub_key returns |dh|'s public key.
+OPENSSL_EXPORT const BIGNUM *DH_get0_pub_key(const DH *dh);
+
+// DH_get0_priv_key returns |dh|'s private key, or NULL if |dh| is a public key.
+OPENSSL_EXPORT const BIGNUM *DH_get0_priv_key(const DH *dh);
+
+// DH_get0_p returns |dh|'s group modulus.
+OPENSSL_EXPORT const BIGNUM *DH_get0_p(const DH *dh);
+
+// DH_get0_q returns the size of |dh|'s subgroup, or NULL if it is unset.
+OPENSSL_EXPORT const BIGNUM *DH_get0_q(const DH *dh);
+
+// DH_get0_g returns |dh|'s group generator.
+OPENSSL_EXPORT const BIGNUM *DH_get0_g(const DH *dh);
+
 // DH_get0_key sets |*out_pub_key| and |*out_priv_key|, if non-NULL, to |dh|'s
 // public and private key, respectively. If |dh| is a public key, the private
 // key will be set to NULL.
@@ -108,6 +123,11 @@ OPENSSL_EXPORT void DH_get0_pqg(const DH *dh, const BIGNUM **out_p,
 // |p| and |g| must either be specified or already configured on |dh|.
 OPENSSL_EXPORT int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
 
+// DH_set_length sets the number of bits to use for the secret exponent when
+// calling |DH_generate_key| on |dh| and returns one. If unset,
+// |DH_generate_key| will use the bit length of p.
+OPENSSL_EXPORT int DH_set_length(DH *dh, unsigned priv_length);
+
 
 // Standard parameters.
 

data/third_party/boringssl-with-bazel/src/include/openssl/digest.h

@@ -83,6 +83,7 @@ OPENSSL_EXPORT const EVP_MD *EVP_sha224(void);
 OPENSSL_EXPORT const EVP_MD *EVP_sha256(void);
 OPENSSL_EXPORT const EVP_MD *EVP_sha384(void);
 OPENSSL_EXPORT const EVP_MD *EVP_sha512(void);
+OPENSSL_EXPORT const EVP_MD *EVP_sha512_256(void);
 
 // EVP_md5_sha1 is a TLS-specific |EVP_MD| which computes the concatenation of
 // MD5 and SHA-1, as used in TLS 1.1 and below.

data/third_party/boringssl-with-bazel/src/include/openssl/dsa.h

@@ -94,6 +94,22 @@ OPENSSL_EXPORT int DSA_up_ref(DSA *dsa);
 
 // Properties.
 
+// DSA_get0_pub_key returns |dsa|'s public key.
+OPENSSL_EXPORT const BIGNUM *DSA_get0_pub_key(const DSA *dsa);
+
+// DSA_get0_priv_key returns |dsa|'s private key, or NULL if |dsa| is a public
+// key.
+OPENSSL_EXPORT const BIGNUM *DSA_get0_priv_key(const DSA *dsa);
+
+// DSA_get0_p returns |dsa|'s group modulus.
+OPENSSL_EXPORT const BIGNUM *DSA_get0_p(const DSA *dsa);
+
+// DSA_get0_q returns the size of |dsa|'s subgroup.
+OPENSSL_EXPORT const BIGNUM *DSA_get0_q(const DSA *dsa);
+
+// DSA_get0_g returns |dsa|'s group generator.
+OPENSSL_EXPORT const BIGNUM *DSA_get0_g(const DSA *dsa);
+
 // DSA_get0_key sets |*out_pub_key| and |*out_priv_key|, if non-NULL, to |dsa|'s
 // public and private key, respectively. If |dsa| is a public key, the private
 // key will be set to NULL.

data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h

@@ -106,6 +106,12 @@ OPENSSL_EXPORT ECDSA_SIG *ECDSA_SIG_new(void);
 // ECDSA_SIG_free frees |sig| its member |BIGNUM|s.
 OPENSSL_EXPORT void ECDSA_SIG_free(ECDSA_SIG *sig);
 
+// ECDSA_SIG_get0_r returns the r component of |sig|.
+OPENSSL_EXPORT const BIGNUM *ECDSA_SIG_get0_r(const ECDSA_SIG *sig);
+
+// ECDSA_SIG_get0_s returns the s component of |sig|.
+OPENSSL_EXPORT const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig);
+
 // ECDSA_SIG_get0 sets |*out_r| and |*out_s|, if non-NULL, to the two
 // components of |sig|.
 OPENSSL_EXPORT void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **out_r,

data/third_party/boringssl-with-bazel/src/include/openssl/err.h

@@ -319,6 +319,7 @@ enum {
   ERR_LIB_DIGEST,
   ERR_LIB_CIPHER,
   ERR_LIB_HKDF,
+  ERR_LIB_TRUST_TOKEN,
   ERR_LIB_USER,
   ERR_NUM_LIBS
 };
@@ -362,6 +363,7 @@ enum {
 #define ERR_R_DIGEST_LIB ERR_LIB_DIGEST
 #define ERR_R_CIPHER_LIB ERR_LIB_CIPHER
 #define ERR_R_HKDF_LIB ERR_LIB_HKDF
+#define ERR_R_TRUST_TOKEN_LIB ERR_LIB_TRUST_TOKEN
 
 // The following values are global reason codes. They may occur in any library.
 #define ERR_R_FATAL 64

data/third_party/boringssl-with-bazel/src/include/openssl/nid.h

@@ -4246,6 +4246,11 @@ extern "C" {
 #define NID_X448 961
 #define OBJ_X448 1L, 3L, 101L, 111L
 
+#define SN_sha512_256 "SHA512-256"
+#define LN_sha512_256 "sha512-256"
+#define NID_sha512_256 962
+#define OBJ_sha512_256 2L, 16L, 840L, 1L, 101L, 3L, 4L, 2L, 6L
+
 
 #if defined(__cplusplus)
 } /* extern C */

data/third_party/boringssl-with-bazel/src/include/openssl/rand.h

@@ -36,26 +36,12 @@ OPENSSL_EXPORT void RAND_cleanup(void);
 // Obscure functions.
 
 #if !defined(OPENSSL_WINDOWS)
-// RAND_set_urandom_fd causes the module to use a copy of |fd| for system
-// randomness rather opening /dev/urandom internally. The caller retains
-// ownership of |fd| and is at liberty to close it at any time. This is useful
-// if, due to a sandbox, /dev/urandom isn't available. If used, it must be
-// called before the first call to |RAND_bytes|, and it is mutually exclusive
-// with |RAND_enable_fork_unsafe_buffering|.
-//
-// |RAND_set_urandom_fd| does not buffer any entropy, so it is safe to call
-// |fork| at any time after calling |RAND_set_urandom_fd|.
-OPENSSL_EXPORT void RAND_set_urandom_fd(int fd);
-
 // RAND_enable_fork_unsafe_buffering enables efficient buffered reading of
 // /dev/urandom. It adds an overhead of a few KB of memory per thread. It must
-// be called before the first call to |RAND_bytes| and it is mutually exclusive
-// with calls to |RAND_set_urandom_fd|.
+// be called before the first call to |RAND_bytes|.
 //
-// If |fd| is non-negative then a copy of |fd| will be used rather than opening
-// /dev/urandom internally. Like |RAND_set_urandom_fd|, the caller retains
-// ownership of |fd|. If |fd| is negative then /dev/urandom will be opened and
-// any error from open(2) crashes the address space.
+// |fd| must be -1. We no longer support setting the file descriptor with this
+// function.
 //
 // It has an unusual name because the buffer is unsafe across calls to |fork|.
 // Hence, this function should never be called by libraries.

data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h

@@ -99,6 +99,36 @@ OPENSSL_EXPORT int RSA_up_ref(RSA *rsa);
 // RSA_bits returns the size of |rsa|, in bits.
 OPENSSL_EXPORT unsigned RSA_bits(const RSA *rsa);
 
+// RSA_get0_n returns |rsa|'s public modulus.
+OPENSSL_EXPORT const BIGNUM *RSA_get0_n(const RSA *rsa);
+
+// RSA_get0_e returns |rsa|'s public exponent.
+OPENSSL_EXPORT const BIGNUM *RSA_get0_e(const RSA *rsa);
+
+// RSA_get0_d returns |rsa|'s private exponent. If |rsa| is a public key, this
+// value will be NULL.
+OPENSSL_EXPORT const BIGNUM *RSA_get0_d(const RSA *rsa);
+
+// RSA_get0_p returns |rsa|'s first private prime factor. If |rsa| is a public
+// key or lacks its prime factors, this value will be NULL.
+OPENSSL_EXPORT const BIGNUM *RSA_get0_p(const RSA *rsa);
+
+// RSA_get0_q returns |rsa|'s second private prime factor. If |rsa| is a public
+// key or lacks its prime factors, this value will be NULL.
+OPENSSL_EXPORT const BIGNUM *RSA_get0_q(const RSA *rsa);
+
+// RSA_get0_dmp1 returns d (mod p-1) for |rsa|. If |rsa| is a public key or
+// lacks CRT parameters, this value will be NULL.
+OPENSSL_EXPORT const BIGNUM *RSA_get0_dmp1(const RSA *rsa);
+
+// RSA_get0_dmq1 returns d (mod q-1) for |rsa|. If |rsa| is a public key or
+// lacks CRT parameters, this value will be NULL.
+OPENSSL_EXPORT const BIGNUM *RSA_get0_dmq1(const RSA *rsa);
+
+// RSA_get0_iqmp returns q^-1 (mod p). If |rsa| is a public key or lacks CRT
+// parameters, this value will be NULL.
+OPENSSL_EXPORT const BIGNUM *RSA_get0_iqmp(const RSA *rsa);
+
 // RSA_get0_key sets |*out_n|, |*out_e|, and |*out_d|, if non-NULL, to |rsa|'s
 // modulus, public exponent, and private exponent, respectively. If |rsa| is a
 // public key, the private exponent will be set to NULL.
@@ -711,6 +741,7 @@ struct rsa_st {
   // |blindings_inuse| from 0 to 1.
   BN_BLINDING **blindings;
   unsigned char *blindings_inuse;
+  uint64_t blinding_fork_generation;
 
   // private_key_frozen is one if the key has been used for a private key
   // operation and may no longer be mutated.

data/third_party/boringssl-with-bazel/src/include/openssl/sha.h

@@ -261,6 +261,32 @@ struct sha512_state_st {
 };
 
 
+// SHA-512-256
+//
+// See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf section 5.3.6
+
+#define SHA512_256_DIGEST_LENGTH 32
+
+// SHA512_256_Init initialises |sha| and returns 1.
+OPENSSL_EXPORT int SHA512_256_Init(SHA512_CTX *sha);
+
+// SHA512_256_Update adds |len| bytes from |data| to |sha| and returns 1.
+OPENSSL_EXPORT int SHA512_256_Update(SHA512_CTX *sha, const void *data,
+                                     size_t len);
+
+// SHA512_256_Final adds the final padding to |sha| and writes the resulting
+// digest to |out|, which must have at least |SHA512_256_DIGEST_LENGTH| bytes of
+// space. It returns one on success and zero on programmer error.
+OPENSSL_EXPORT int SHA512_256_Final(uint8_t out[SHA512_256_DIGEST_LENGTH],
+                                    SHA512_CTX *sha);
+
+// SHA512_256 writes the digest of |len| bytes from |data| to |out| and returns
+// |out|. There must be at least |SHA512_256_DIGEST_LENGTH| bytes of space in
+// |out|.
+OPENSSL_EXPORT uint8_t *SHA512_256(const uint8_t *data, size_t len,
+                                   uint8_t out[SHA512_256_DIGEST_LENGTH]);
+
+
 #if defined(__cplusplus)
 }  // extern C
 #endif

data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h

@@ -1098,6 +1098,20 @@ OPENSSL_EXPORT int SSL_set_chain_and_key(
     SSL *ssl, CRYPTO_BUFFER *const *certs, size_t num_certs, EVP_PKEY *privkey,
     const SSL_PRIVATE_KEY_METHOD *privkey_method);
 
+// SSL_CTX_get0_chain returns the list of |CRYPTO_BUFFER|s that were set by
+// |SSL_CTX_set_chain_and_key|. Reference counts are not incremented by this
+// call. The return value may be |NULL| if no chain has been set.
+//
+// (Note: if a chain was configured by non-|CRYPTO_BUFFER|-based functions then
+// the return value is undefined and, even if not NULL, the stack itself may
+// contain nullptrs. Thus you shouldn't mix this function with
+// non-|CRYPTO_BUFFER| functions for manipulating the chain.)
+//
+// There is no |SSL*| version of this function because connections discard
+// configuration after handshaking, thus making it of questionable utility.
+OPENSSL_EXPORT const STACK_OF(CRYPTO_BUFFER)*
+    SSL_CTX_get0_chain(const SSL_CTX *ctx);
+
 // SSL_CTX_use_RSAPrivateKey sets |ctx|'s private key to |rsa|. It returns one
 // on success and zero on failure.
 OPENSSL_EXPORT int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
@@ -2436,7 +2450,7 @@ OPENSSL_EXPORT int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
 // one on success and zero on failure.
 //
 // See
-// https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_load_verify_locations.html
+// https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_load_verify_locations.html
 // for documentation on the directory format.
 OPENSSL_EXPORT int SSL_CTX_load_verify_locations(SSL_CTX *ctx,
                                                  const char *ca_file,
@@ -2518,20 +2532,22 @@ OPENSSL_EXPORT int SSL_set0_verify_cert_store(SSL *ssl, X509_STORE *store);
 // reference to |store| will be taken.
 OPENSSL_EXPORT int SSL_set1_verify_cert_store(SSL *ssl, X509_STORE *store);
 
-// SSL_CTX_set_ed25519_enabled configures whether |ctx| advertises support for
-// the Ed25519 signature algorithm when using the default preference list. It is
-// disabled by default and may be enabled if the certificate verifier supports
-// Ed25519.
-OPENSSL_EXPORT void SSL_CTX_set_ed25519_enabled(SSL_CTX *ctx, int enabled);
-
 // SSL_CTX_set_verify_algorithm_prefs configures |ctx| to use |prefs| as the
-// preference list when verifying signature's from the peer's long-term key. It
+// preference list when verifying signatures from the peer's long-term key. It
 // returns one on zero on error. |prefs| should not include the internal-only
 // value |SSL_SIGN_RSA_PKCS1_MD5_SHA1|.
 OPENSSL_EXPORT int SSL_CTX_set_verify_algorithm_prefs(SSL_CTX *ctx,
                                                       const uint16_t *prefs,
                                                       size_t num_prefs);
 
+// SSL_set_verify_algorithm_prefs configures |ssl| to use |prefs| as the
+// preference list when verifying signatures from the peer's long-term key. It
+// returns one on zero on error. |prefs| should not include the internal-only
+// value |SSL_SIGN_RSA_PKCS1_MD5_SHA1|.
+OPENSSL_EXPORT int SSL_set_verify_algorithm_prefs(SSL *ssl,
+                                                  const uint16_t *prefs,
+                                                  size_t num_prefs);
+
 
 // Client certificate CA list.
 //
@@ -3051,38 +3067,6 @@ OPENSSL_EXPORT const char *SSL_get_psk_identity_hint(const SSL *ssl);
 OPENSSL_EXPORT const char *SSL_get_psk_identity(const SSL *ssl);
 
 
-// QUIC transport parameters.
-//
-// draft-ietf-quic-tls defines a new TLS extension quic_transport_parameters
-// used by QUIC for each endpoint to unilaterally declare its supported
-// transport parameters. draft-ietf-quic-transport (section 7.4) defines the
-// contents of that extension (a TransportParameters struct) and describes how
-// to handle it and its semantic meaning.
-//
-// BoringSSL handles this extension as an opaque byte string. The caller is
-// responsible for serializing and parsing it.
-
-// SSL_set_quic_transport_params configures |ssl| to send |params| (of length
-// |params_len|) in the quic_transport_parameters extension in either the
-// ClientHello or EncryptedExtensions handshake message. This extension will
-// only be sent if the TLS version is at least 1.3, and for a server, only if
-// the client sent the extension. The buffer pointed to by |params| only need be
-// valid for the duration of the call to this function. This function returns 1
-// on success and 0 on failure.
-OPENSSL_EXPORT int SSL_set_quic_transport_params(SSL *ssl,
-                                                 const uint8_t *params,
-                                                 size_t params_len);
-
-// SSL_get_peer_quic_transport_params provides the caller with the value of the
-// quic_transport_parameters extension sent by the peer. A pointer to the buffer
-// containing the TransportParameters will be put in |*out_params|, and its
-// length in |*params_len|. This buffer will be valid for the lifetime of the
-// |SSL|. If no params were received from the peer, |*out_params_len| will be 0.
-OPENSSL_EXPORT void SSL_get_peer_quic_transport_params(const SSL *ssl,
-                                                       const uint8_t **out_params,
-                                                       size_t *out_params_len);
-
-
 // Delegated credentials.
 //
 // *** EXPERIMENTAL — PRONE TO CHANGE ***
@@ -3131,10 +3115,11 @@ OPENSSL_EXPORT int SSL_delegated_credential_used(const SSL *ssl);
 // When configured for QUIC, |SSL_do_handshake| will drive the handshake as
 // before, but it will not use the configured |BIO|. It will call functions on
 // |SSL_QUIC_METHOD| to configure secrets and send data. If data is needed from
-// the peer, it will return |SSL_ERROR_WANT_READ|. When received, the caller
-// should call |SSL_provide_quic_data| and then |SSL_do_handshake| to continue
-// the handshake. After the handshake is complete, the caller should call
-// |SSL_provide_quic_data| for any post-handshake data, followed by
+// the peer, it will return |SSL_ERROR_WANT_READ|. As the caller receives data
+// it can decrypt, it calls |SSL_provide_quic_data|. Subsequent
+// |SSL_do_handshake| calls will then consume that data and progress the
+// handshake. After the handshake is complete, the caller should continue to
+// call |SSL_provide_quic_data| for any post-handshake data, followed by
 // |SSL_process_quic_post_handshake| to process it. It is an error to call
 // |SSL_read| and |SSL_write| in QUIC.
 //
@@ -3145,13 +3130,6 @@ OPENSSL_EXPORT int SSL_delegated_credential_used(const SSL *ssl);
 // confirm the handshake. As a client, |SSL_ERROR_EARLY_DATA_REJECTED| and
 // |SSL_reset_early_data_reject| behave as usual.
 //
-// Note that secrets for an encryption level may be available to QUIC before the
-// level is active in TLS. Callers should use |SSL_quic_read_level| to determine
-// the active read level for |SSL_provide_quic_data|. |SSL_do_handshake| will
-// pass the active write level to |SSL_QUIC_METHOD| when writing data. Callers
-// can use |SSL_quic_write_level| to query the active write level when
-// generating their own errors.
-//
 // See https://tools.ietf.org/html/draft-ietf-quic-tls-15#section-4.1 for more
 // details.
 //
@@ -3160,8 +3138,40 @@ OPENSSL_EXPORT int SSL_delegated_credential_used(const SSL *ssl);
 // |SSL_quic_max_handshake_flight_len| to get the maximum buffer length at each
 // encryption level.
 //
-// Note: 0-RTT support is incomplete and does not currently handle QUIC
-// transport parameters and server SETTINGS frame.
+// QUIC implementations must additionally configure transport parameters with
+// |SSL_set_quic_transport_params|. |SSL_get_peer_quic_transport_params| may be
+// used to query the value received from the peer. BoringSSL handles this
+// extension as an opaque byte string. The caller is responsible for serializing
+// and parsing them. See draft-ietf-quic-transport (section 7.3) for details.
+//
+// QUIC additionally imposes restrictions on 0-RTT. In particular, the QUIC
+// transport layer requires that if a server accepts 0-RTT data, then the
+// transport parameters sent on the resumed connection must not lower any limits
+// compared to the transport parameters that the server sent on the connection
+// where the ticket for 0-RTT was issued. In effect, the server must remember
+// the transport parameters with the ticket. Application protocols running on
+// QUIC may impose similar restrictions, for example HTTP/3's restrictions on
+// SETTINGS frames.
+//
+// BoringSSL imposes a stricter check on the server to enforce these
+// restrictions. BoringSSL requires that the transport parameters and
+// application protocol state be a byte-for-byte match between the connection
+// where the ticket was issued and the connection where it is used for 0-RTT. If
+// there is a mismatch, BoringSSL will reject early data (but not reject the
+// resumption attempt).
+//
+// BoringSSL does not perform any client-side checks on the transport
+// parameters received from a server that also accepted early data. It is up to
+// the caller to verify that the received transport parameters do not lower any
+// limits, and to close the QUIC connection if that is not the case. The same
+// holds for any application protocol state remembered for 0-RTT, e.g. HTTP/3
+// SETTINGS.
+//
+// The transport parameter check happens automatically with
+// |SSL_set_quic_transport_params|. QUIC servers must set application state via
+// |SSL_set_quic_early_data_context| to configure the application protocol
+// check. No other mechanisms are provided to have BoringSSL reject early data
+// because of QUIC transport or application protocol restrictions.
 
 // ssl_encryption_level_t represents a specific QUIC encryption level used to
 // transmit handshake messages.
@@ -3174,26 +3184,51 @@ enum ssl_encryption_level_t BORINGSSL_ENUM_INT {
 
 // ssl_quic_method_st (aka |SSL_QUIC_METHOD|) describes custom QUIC hooks.
 struct ssl_quic_method_st {
-  // set_encryption_secrets configures the read and write secrets for the given
-  // encryption level. This function will always be called before an encryption
-  // level other than |ssl_encryption_initial| is used. Note, however, that
-  // secrets for a level may be configured before TLS is ready to send or accept
-  // data at that level.
+  // set_read_secret configures the read secret and cipher suite for the given
+  // encryption level. It returns one on success and zero to terminate the
+  // handshake with an error. It will be called at most once per encryption
+  // level.
   //
-  // When reading packets at a given level, the QUIC implementation must send
-  // ACKs at the same level, so this function provides read and write secrets
-  // together. The exception is |ssl_encryption_early_data|, where secrets are
-  // only available in the client to server direction. The other secret will be
-  // NULL. The server acknowledges such data at |ssl_encryption_application|,
-  // which will be configured in the same |SSL_do_handshake| call.
+  // BoringSSL will not release read keys before QUIC may use them. Once a level
+  // has been initialized, QUIC may begin processing data from it. Handshake
+  // data should be passed to |SSL_provide_quic_data| and application data (if
+  // |level| is |ssl_encryption_early_data| or |ssl_encryption_application|) may
+  // be processed according to the rules of the QUIC protocol.
   //
-  // This function should use |SSL_get_current_cipher| to determine the TLS
-  // cipher suite.
+  // QUIC ACKs packets at the same encryption level they were received at,
+  // except that client |ssl_encryption_early_data| (0-RTT) packets trigger
+  // server |ssl_encryption_application| (1-RTT) ACKs. BoringSSL will always
+  // install ACK-writing keys with |set_write_secret| before the packet-reading
+  // keys with |set_read_secret|. This ensures the caller can always ACK any
+  // packet it decrypts. Note this means the server installs 1-RTT write keys
+  // before 0-RTT read keys.
   //
-  // It returns one on success and zero on error.
-  int (*set_encryption_secrets)(SSL *ssl, enum ssl_encryption_level_t level,
-                                const uint8_t *read_secret,
-                                const uint8_t *write_secret, size_t secret_len);
+  // The converse is not true. An encryption level may be configured with write
+  // secrets a roundtrip before the corresponding secrets for reading ACKs is
+  // available.
+  int (*set_read_secret)(SSL *ssl, enum ssl_encryption_level_t level,
+                         const SSL_CIPHER *cipher, const uint8_t *secret,
+                         size_t secret_len);
+  // set_write_secret behaves like |set_read_secret| but configures the write
+  // secret and cipher suite for the given encryption level. It will be called
+  // at most once per encryption level.
+  //
+  // BoringSSL will not release write keys before QUIC may use them. If |level|
+  // is |ssl_encryption_early_data| or |ssl_encryption_application|, QUIC may
+  // begin sending application data at |level|. However, note that BoringSSL
+  // configures server |ssl_encryption_application| write keys before the client
+  // Finished. This allows QUIC to send half-RTT data, but the handshake is not
+  // confirmed at this point and, if requesting client certificates, the client
+  // is not yet authenticated.
+  //
+  // See |set_read_secret| for additional invariants between packets and their
+  // ACKs.
+  //
+  // Note that, on 0-RTT reject, the |ssl_encryption_early_data| write secret
+  // may use a different cipher suite from the other keys.
+  int (*set_write_secret)(SSL *ssl, enum ssl_encryption_level_t level,
+                          const SSL_CIPHER *cipher, const uint8_t *secret,
+                          size_t secret_len);
   // add_handshake_data adds handshake data to the current flight at the given
   // encryption level. It returns one on success and zero on error.
   //
@@ -3201,6 +3236,9 @@ struct ssl_quic_method_st {
   // single handshake flight may include multiple encryption levels. Callers
   // should defer writing data to the network until |flush_flight| to better
   // pack QUIC packets into transport datagrams.
+  //
+  // If |level| is not |ssl_encryption_initial|, this function will not be
+  // called before |level| is initialized with |set_write_secret|.
   int (*add_handshake_data)(SSL *ssl, enum ssl_encryption_level_t level,
                             const uint8_t *data, size_t len);
   // flush_flight is called when the current flight is complete and should be
@@ -3209,6 +3247,9 @@ struct ssl_quic_method_st {
   int (*flush_flight)(SSL *ssl);
   // send_alert sends a fatal alert at the specified encryption level. It
   // returns one on success and zero on error.
+  //
+  // If |level| is not |ssl_encryption_initial|, this function will not be
+  // called before |level| is initialized with |set_write_secret|.
   int (*send_alert)(SSL *ssl, enum ssl_encryption_level_t level, uint8_t alert);
 };
 
@@ -3221,15 +3262,22 @@ OPENSSL_EXPORT size_t SSL_quic_max_handshake_flight_len(
     const SSL *ssl, enum ssl_encryption_level_t level);
 
 // SSL_quic_read_level returns the current read encryption level.
+//
+// TODO(davidben): Is it still necessary to expose this function to callers?
+// QUICHE does not use it.
 OPENSSL_EXPORT enum ssl_encryption_level_t SSL_quic_read_level(const SSL *ssl);
 
 // SSL_quic_write_level returns the current write encryption level.
+//
+// TODO(davidben): Is it still necessary to expose this function to callers?
+// QUICHE does not use it.
 OPENSSL_EXPORT enum ssl_encryption_level_t SSL_quic_write_level(const SSL *ssl);
 
 // SSL_provide_quic_data provides data from QUIC at a particular encryption
-// level |level|. It is an error to call this function outside of the handshake
-// or with an encryption level other than the current read level. It returns one
-// on success and zero on error.
+// level |level|. It returns one on success and zero on error. Note this
+// function will return zero if the handshake is not expecting data from |level|
+// at this time. The QUIC implementation should then close the connection with
+// an error.
 OPENSSL_EXPORT int SSL_provide_quic_data(SSL *ssl,
                                          enum ssl_encryption_level_t level,
                                          const uint8_t *data, size_t len);
@@ -3252,6 +3300,36 @@ OPENSSL_EXPORT int SSL_CTX_set_quic_method(SSL_CTX *ctx,
 OPENSSL_EXPORT int SSL_set_quic_method(SSL *ssl,
                                        const SSL_QUIC_METHOD *quic_method);
 
+// SSL_set_quic_transport_params configures |ssl| to send |params| (of length
+// |params_len|) in the quic_transport_parameters extension in either the
+// ClientHello or EncryptedExtensions handshake message. It is an error to set
+// transport parameters if |ssl| is not configured for QUIC. The buffer pointed
+// to by |params| only need be valid for the duration of the call to this
+// function. This function returns 1 on success and 0 on failure.
+OPENSSL_EXPORT int SSL_set_quic_transport_params(SSL *ssl,
+                                                 const uint8_t *params,
+                                                 size_t params_len);
+
+// SSL_get_peer_quic_transport_params provides the caller with the value of the
+// quic_transport_parameters extension sent by the peer. A pointer to the buffer
+// containing the TransportParameters will be put in |*out_params|, and its
+// length in |*params_len|. This buffer will be valid for the lifetime of the
+// |SSL|. If no params were received from the peer, |*out_params_len| will be 0.
+OPENSSL_EXPORT void SSL_get_peer_quic_transport_params(
+    const SSL *ssl, const uint8_t **out_params, size_t *out_params_len);
+
+// SSL_set_quic_early_data_context configures a context string in QUIC servers
+// for accepting early data. If a resumption connection offers early data, the
+// server will check if the value matches that of the connection which minted
+// the ticket. If not, resumption still succeeds but early data is rejected. For
+// HTTP/3, this should be the serialized server SETTINGS frame.
+//
+// This function may be called before |SSL_do_handshake| or during server
+// certificate selection. It returns 1 on success and 0 on failure.
+OPENSSL_EXPORT int SSL_set_quic_early_data_context(SSL *ssl,
+                                                   const uint8_t *context,
+                                                   size_t context_len);
+
 
 // Early data.
 //
@@ -3325,6 +3403,18 @@ OPENSSL_EXPORT int SSL_in_early_data(const SSL *ssl);
 // attempted with |session| if enabled.
 OPENSSL_EXPORT int SSL_SESSION_early_data_capable(const SSL_SESSION *session);
 
+// SSL_SESSION_copy_without_early_data returns a copy of |session| with early
+// data disabled. If |session| already does not support early data, it returns
+// |session| with the reference count increased. The caller takes ownership of
+// the result and must release it with |SSL_SESSION_free|.
+//
+// This function may be used on the client to clear early data support from
+// existing sessions when the server rejects early data. In particular,
+// |SSL_R_WRONG_VERSION_ON_EARLY_DATA| requires a fresh connection to retry, and
+// the client would not want 0-RTT enabled for the next connection attempt.
+OPENSSL_EXPORT SSL_SESSION *SSL_SESSION_copy_without_early_data(
+    SSL_SESSION *session);
+
 // SSL_early_data_accepted returns whether early data was accepted on the
 // handshake performed by |ssl|.
 OPENSSL_EXPORT int SSL_early_data_accepted(const SSL *ssl);
@@ -3374,8 +3464,10 @@ enum ssl_early_data_reason_t BORINGSSL_ENUM_INT {
   ssl_early_data_token_binding = 11,
   // The client and server ticket age were too far apart.
   ssl_early_data_ticket_age_skew = 12,
+  // QUIC parameters differ between this connection and the original.
+  ssl_early_data_quic_parameter_mismatch = 13,
   // The value of the largest entry.
-  ssl_early_data_reason_max_value = ssl_early_data_ticket_age_skew,
+  ssl_early_data_reason_max_value = ssl_early_data_quic_parameter_mismatch,
 };
 
 // SSL_get_early_data_reason returns details why 0-RTT was accepted or rejected
@@ -3436,6 +3528,7 @@ OPENSSL_EXPORT enum ssl_early_data_reason_t SSL_get_early_data_reason(
 #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
 #define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY
 #define SSL_AD_CERTIFICATE_REQUIRED TLS1_AD_CERTIFICATE_REQUIRED
+#define SSL_AD_NO_APPLICATION_PROTOCOL TLS1_AD_NO_APPLICATION_PROTOCOL
 
 // SSL_alert_type_string_long returns a string description of |value| as an
 // alert type (warning or fatal).
@@ -4211,7 +4304,7 @@ OPENSSL_EXPORT int SSL_set1_sigalgs(SSL *ssl, const int *values,
 // SSL_CTX_set1_sigalgs_list takes a textual specification of a set of signature
 // algorithms and configures them on |ctx|. It returns one on success and zero
 // on error. See
-// https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set1_sigalgs_list.html for
+// https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set1_sigalgs_list.html for
 // a description of the text format. Also note that TLS 1.3 names (e.g.
 // "rsa_pkcs1_md5_sha1") can also be used (as in OpenSSL, although OpenSSL
 // doesn't document that).
@@ -4224,7 +4317,7 @@ OPENSSL_EXPORT int SSL_CTX_set1_sigalgs_list(SSL_CTX *ctx, const char *str);
 // SSL_set1_sigalgs_list takes a textual specification of a set of signature
 // algorithms and configures them on |ssl|. It returns one on success and zero
 // on error. See
-// https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set1_sigalgs_list.html for
+// https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set1_sigalgs_list.html for
 // a description of the text format. Also note that TLS 1.3 names (e.g.
 // "rsa_pkcs1_md5_sha1") can also be used (as in OpenSSL, although OpenSSL
 // doesn't document that).
@@ -5018,7 +5111,7 @@ BSSL_NAMESPACE_END
 #define SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY 252
 #define SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS 253
 #define SSL_R_DOWNGRADE_DETECTED 254
-#define SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE 255
+#define SSL_R_EXCESS_HANDSHAKE_DATA 255
 #define SSL_R_INVALID_COMPRESSION_LIST 256
 #define SSL_R_DUPLICATE_EXTENSION 257
 #define SSL_R_MISSING_KEY_SHARE 258
@@ -5067,6 +5160,8 @@ BSSL_NAMESPACE_END
 #define SSL_R_INVALID_DELEGATED_CREDENTIAL 301
 #define SSL_R_KEY_USAGE_BIT_INCORRECT 302
 #define SSL_R_INCONSISTENT_CLIENT_HELLO 303
+#define SSL_R_CIPHER_MISMATCH_ON_EARLY_DATA 304
+#define SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED 305
 #define SSL_R_SSLV3_ALERT_CLOSE_NOTIFY 1000
 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020