RubyGems - grpc - Versions diffs - 1.28.0 → 1.30.0 - Mend

grpc 1.28.0 → 1.30.0

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (497) hide show

data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc CHANGED

@@ -185,7 +185,7 @@ SSL3_STATE::SSL3_STATE()
 SSL3_STATE::~SSL3_STATE() {}
-bool ssl3_new(SSL *ssl) {
+bool tls_new(SSL *ssl) {
   UniquePtr<SSL3_STATE> s3 = MakeUnique<SSL3_STATE>();
   if (!s3) {
     return false;
@@ -209,7 +209,7 @@ bool ssl3_new(SSL *ssl) {
   return true;
 }
-void ssl3_free(SSL *ssl) {
+void tls_free(SSL *ssl) {
   if (ssl == NULL || ssl->s3 == NULL) {
     return;
   }

data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc CHANGED

@@ -124,10 +124,10 @@
 BSSL_NAMESPACE_BEGIN
-static int do_ssl3_write(SSL *ssl, int type, const uint8_t *in, unsigned len);
+static int do_tls_write(SSL *ssl, int type, const uint8_t *in, unsigned len);
-int ssl3_write_app_data(SSL *ssl, bool *out_needs_handshake, const uint8_t *in,
-                        int len) {
+int tls_write_app_data(SSL *ssl, bool *out_needs_handshake, const uint8_t *in,
+                       int len) {
   assert(ssl_can_write(ssl));
   assert(!ssl->s3->aead_write_ctx->is_null_cipher());
@@ -147,7 +147,7 @@ int ssl3_write_app_data(SSL *ssl, bool *out_needs_handshake, const uint8_t *in,
   // Ensure that if we end up with a smaller value of data to write out than
   // the the original len from a write which didn't complete for non-blocking
   // I/O and also somehow ended up avoiding the check for this in
-  // ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be possible to
+  // tls_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be possible to
   // end up with (len-tot) as a large number that will then promptly send
   // beyond the end of the users buffer ... so we trap and report the error in
   // a way the user will notice.
@@ -182,7 +182,7 @@ int ssl3_write_app_data(SSL *ssl, bool *out_needs_handshake, const uint8_t *in,
       nw = n;
     }
-    int ret = do_ssl3_write(ssl, SSL3_RT_APPLICATION_DATA, &in[tot], nw);
+    int ret = do_tls_write(ssl, SSL3_RT_APPLICATION_DATA, &in[tot], nw);
     if (ret <= 0) {
       ssl->s3->wnum = tot;
       return ret;
@@ -201,8 +201,8 @@ int ssl3_write_app_data(SSL *ssl, bool *out_needs_handshake, const uint8_t *in,
   }
 }
-static int ssl3_write_pending(SSL *ssl, int type, const uint8_t *in,
-                              unsigned int len) {
+static int tls_write_pending(SSL *ssl, int type, const uint8_t *in,
+                             unsigned int len) {
   if (ssl->s3->wpend_tot > (int)len ||
       (!(ssl->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER) &&
        ssl->s3->wpend_buf != in) ||
@@ -219,11 +219,11 @@ static int ssl3_write_pending(SSL *ssl, int type, const uint8_t *in,
   return ssl->s3->wpend_ret;
 }
-// do_ssl3_write writes an SSL record of the given type.
-static int do_ssl3_write(SSL *ssl, int type, const uint8_t *in, unsigned len) {
+// do_tls_write writes an SSL record of the given type.
+static int do_tls_write(SSL *ssl, int type, const uint8_t *in, unsigned len) {
   // If there is still data from the previous record, flush it.
   if (ssl->s3->wpend_pending) {
-    return ssl3_write_pending(ssl, type, in, len);
+    return tls_write_pending(ssl, type, in, len);
   }
   SSLBuffer *buf = &ssl->s3->write_buffer;
@@ -287,7 +287,7 @@ static int do_ssl3_write(SSL *ssl, int type, const uint8_t *in, unsigned len) {
   // acknowledgments.
   ssl->s3->key_update_pending = false;
-  // Memorize arguments so that ssl3_write_pending can detect bad write retries
+  // Memorize arguments so that tls_write_pending can detect bad write retries
   // later.
   ssl->s3->wpend_tot = len;
   ssl->s3->wpend_buf = in;
@@ -296,12 +296,12 @@ static int do_ssl3_write(SSL *ssl, int type, const uint8_t *in, unsigned len) {
   ssl->s3->wpend_pending = true;
   // We now just need to write the buffer.
-  return ssl3_write_pending(ssl, type, in, len);
+  return tls_write_pending(ssl, type, in, len);
 }
-ssl_open_record_t ssl3_open_app_data(SSL *ssl, Span<uint8_t> *out,
-                                     size_t *out_consumed, uint8_t *out_alert,
-                                     Span<uint8_t> in) {
+ssl_open_record_t tls_open_app_data(SSL *ssl, Span<uint8_t> *out,
+                                    size_t *out_consumed, uint8_t *out_alert,
+                                    Span<uint8_t> in) {
   assert(ssl_can_read(ssl));
   assert(!ssl->s3->aead_read_ctx->is_null_cipher());
@@ -316,7 +316,7 @@ ssl_open_record_t ssl3_open_app_data(SSL *ssl, Span *out,
   if (type == SSL3_RT_HANDSHAKE) {
     // Post-handshake data prior to TLS 1.3 is always renegotiation, which we
-    // never accept as a server. Otherwise |ssl3_get_message| will send
+    // never accept as a server. Otherwise |tls_get_message| will send
     // |SSL_R_EXCESSIVE_MESSAGE_SIZE|.
     if (ssl->server && ssl_protocol_version(ssl) < TLS1_3_VERSION) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);
@@ -355,9 +355,9 @@ ssl_open_record_t ssl3_open_app_data(SSL *ssl, Span *out,
   return ssl_open_record_success;
 }
-ssl_open_record_t ssl3_open_change_cipher_spec(SSL *ssl, size_t *out_consumed,
-                                               uint8_t *out_alert,
-                                               Span<uint8_t> in) {
+ssl_open_record_t tls_open_change_cipher_spec(SSL *ssl, size_t *out_consumed,
+                                              uint8_t *out_alert,
+                                              Span<uint8_t> in) {
   uint8_t type;
   Span<uint8_t> body;
   auto ret = tls_open_record(ssl, &type, &body, out_consumed, out_alert, in);
@@ -426,7 +426,7 @@ int ssl_send_alert_impl(SSL *ssl, int level, int desc) {
   return -1;
 }
-int ssl3_dispatch_alert(SSL *ssl) {
+int tls_dispatch_alert(SSL *ssl) {
   if (ssl->quic_method) {
     if (!ssl->quic_method->send_alert(ssl, ssl->s3->write_level,
                                       ssl->s3->send_alert[1])) {
@@ -434,7 +434,7 @@ int ssl3_dispatch_alert(SSL *ssl) {
       return 0;
     }
   } else {
-    int ret = do_ssl3_write(ssl, SSL3_RT_ALERT, &ssl->s3->send_alert[0], 2);
+    int ret = do_tls_write(ssl, SSL3_RT_ALERT, &ssl->s3->send_alert[0], 2);
     if (ret <= 0) {
       return ret;
     }

data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc CHANGED

@@ -129,6 +129,8 @@ BSSL_NAMESPACE_BEGIN
 //     ticketMaxEarlyData      [24] INTEGER OPTIONAL,
 //     authTimeout             [25] INTEGER OPTIONAL, -- defaults to timeout
 //     earlyALPN               [26] OCTET STRING OPTIONAL,
+//     isQuic                  [27] BOOLEAN OPTIONAL,
+//     quicEarlyDataHash       [28] OCTET STRING OPTIONAL,
 // }
 //
 // Note: historically this serialization has included other optional
@@ -188,6 +190,10 @@ static const unsigned kAuthTimeoutTag =
     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 25;
 static const unsigned kEarlyALPNTag =
     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 26;
+static const unsigned kIsQuicTag =
+    CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 27;
+static const unsigned kQuicEarlyDataHashTag =
+    CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 28;
 static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, CBB *cbb,
                                      int for_ticket) {
@@ -388,6 +394,23 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, CBB *cbb,
     }
   }
+  if (in->is_quic) {
+    if (!CBB_add_asn1(&session, &child, kIsQuicTag) ||
+        !CBB_add_asn1_bool(&child, true)) {
+      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
+      return 0;
+    }
+  }
+  if (!in->quic_early_data_hash.empty()) {
+    if (!CBB_add_asn1(&session, &child, kQuicEarlyDataHashTag) ||
+        !CBB_add_asn1_octet_string(&child, in->quic_early_data_hash.data(),
+                                   in->quic_early_data_hash.size())) {
+      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
+      return 0;
+    }
+  }
   return CBB_flush(cbb);
 }
@@ -718,6 +741,7 @@ UniquePtr SSL_SESSION_parse(CBS *cbs,
   ret->is_server = is_server;
+  int is_quic;
   if (!SSL_SESSION_parse_u16(&session, &ret->peer_signature_algorithm,
                              kPeerSignatureAlgorithmTag, 0) ||
       !SSL_SESSION_parse_u32(&session, &ret->ticket_max_early_data,
@@ -726,10 +750,15 @@ UniquePtr SSL_SESSION_parse(CBS *cbs,
                              ret->timeout) ||
       !SSL_SESSION_parse_octet_string(&session, &ret->early_alpn,
                                       kEarlyALPNTag) ||
+      !CBS_get_optional_asn1_bool(&session, &is_quic, kIsQuicTag,
+                                  /*default_value=*/false) ||
+      !SSL_SESSION_parse_octet_string(&session, &ret->quic_early_data_hash,
+                                      kQuicEarlyDataHashTag) ||
       CBS_len(&session) != 0) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
     return nullptr;
   }
+  ret->is_quic = is_quic;
   if (!x509_method->session_cache_objects(ret.get())) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);

data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc CHANGED

@@ -896,6 +896,10 @@ int SSL_CTX_set_chain_and_key(SSL_CTX *ctx, CRYPTO_BUFFER *const *certs,
                                 privkey_method);
 }
+const STACK_OF(CRYPTO_BUFFER)* SSL_CTX_get0_chain(const SSL_CTX *ctx) {
+  return ctx->cert->chain.get();
+}
 int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, size_t der_len,
                                  const uint8_t *der) {
   UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new(der, der_len, NULL));

data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc CHANGED

@@ -564,7 +564,6 @@ ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method)
       channel_id_enabled(false),
       grease_enabled(false),
       allow_unknown_alpn_protos(false),
-      ed25519_enabled(false),
       false_start_allowed_without_alpn(false),
       ignore_tls13_downgrade(false),
       handoff(false),
@@ -1249,6 +1248,12 @@ void SSL_get_peer_quic_transport_params(const SSL *ssl,
   *out_params_len = ssl->s3->peer_quic_transport_params.size();
 }
+int SSL_set_quic_early_data_context(SSL *ssl, const uint8_t *context,
+                                    size_t context_len) {
+  return ssl->config && ssl->config->quic_early_data_context.CopyFrom(
+                            MakeConstSpan(context, context_len));
+}
 void SSL_CTX_set_early_data_enabled(SSL_CTX *ctx, int enabled) {
   ctx->enable_early_data = !!enabled;
 }

data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc CHANGED

@@ -791,7 +791,8 @@ int SSL_CTX_set1_sigalgs_list(SSL_CTX *ctx, const char *str) {
   if (!SSL_CTX_set_signing_algorithm_prefs(ctx, sigalgs.data(),
                                            sigalgs.size()) ||
-      !ctx->verify_sigalgs.CopyFrom(sigalgs)) {
+      !SSL_CTX_set_verify_algorithm_prefs(ctx, sigalgs.data(),
+                                          sigalgs.size())) {
     return 0;
   }
@@ -811,7 +812,7 @@ int SSL_set1_sigalgs_list(SSL *ssl, const char *str) {
   }
   if (!SSL_set_signing_algorithm_prefs(ssl, sigalgs.data(), sigalgs.size()) ||
-      !ssl->config->verify_sigalgs.CopyFrom(sigalgs)) {
+      !SSL_set_verify_algorithm_prefs(ssl, sigalgs.data(), sigalgs.size())) {
     return 0;
   }
@@ -822,3 +823,13 @@ int SSL_CTX_set_verify_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs,
                                        size_t num_prefs) {
   return ctx->verify_sigalgs.CopyFrom(MakeConstSpan(prefs, num_prefs));
 }
+int SSL_set_verify_algorithm_prefs(SSL *ssl, const uint16_t *prefs,
+                                   size_t num_prefs) {
+  if (!ssl->config) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+    return 0;
+  }
+  return ssl->config->verify_sigalgs.CopyFrom(MakeConstSpan(prefs, num_prefs));
+}

data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc CHANGED

@@ -197,6 +197,7 @@ UniquePtr SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) {
   new_session->is_server = session->is_server;
   new_session->ssl_version = session->ssl_version;
+  new_session->is_quic = session->is_quic;
   new_session->sid_ctx_length = session->sid_ctx_length;
   OPENSSL_memcpy(new_session->sid_ctx, session->sid_ctx, session->sid_ctx_length);
@@ -267,6 +268,11 @@ UniquePtr SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) {
     if (!new_session->early_alpn.CopyFrom(session->early_alpn)) {
       return nullptr;
     }
+    if (!new_session->quic_early_data_hash.CopyFrom(
+            session->quic_early_data_hash)) {
+      return nullptr;
+    }
   }
   // Copy the ticket.
@@ -343,6 +349,25 @@ const EVP_MD *ssl_session_get_digest(const SSL_SESSION *session) {
                                   session->cipher);
 }
+bool compute_quic_early_data_hash(const SSL_CONFIG *config,
+                                  uint8_t hash_out[SHA256_DIGEST_LENGTH]) {
+  ScopedEVP_MD_CTX hash_ctx;
+  uint32_t transport_param_len = config->quic_transport_params.size();
+  uint32_t context_len = config->quic_early_data_context.size();
+  if (!EVP_DigestInit(hash_ctx.get(), EVP_sha256()) ||
+      !EVP_DigestUpdate(hash_ctx.get(), &transport_param_len,
+                        sizeof(transport_param_len)) ||
+      !EVP_DigestUpdate(hash_ctx.get(), config->quic_transport_params.data(),
+                        config->quic_transport_params.size()) ||
+      !EVP_DigestUpdate(hash_ctx.get(), &context_len, sizeof(context_len)) ||
+      !EVP_DigestUpdate(hash_ctx.get(), config->quic_early_data_context.data(),
+                        config->quic_early_data_context.size()) ||
+      !EVP_DigestFinal(hash_ctx.get(), hash_out, nullptr)) {
+    return false;
+  }
+  return true;
+}
 int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server) {
   SSL *const ssl = hs->ssl;
   if (ssl->mode & SSL_MODE_NO_SESSION_CREATION) {
@@ -357,6 +382,14 @@ int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server) {
   session->is_server = is_server;
   session->ssl_version = ssl->version;
+  session->is_quic = ssl->quic_method != nullptr;
+  if (is_server && ssl->enable_early_data && session->is_quic) {
+    if (!session->quic_early_data_hash.Init(SHA256_DIGEST_LENGTH) ||
+        !compute_quic_early_data_hash(hs->config,
+                                      session->quic_early_data_hash.data())) {
+      return 0;
+    }
+  }
   // Fill in the time from the |SSL_CTX|'s clock.
   struct OPENSSL_timeval now;
@@ -624,10 +657,14 @@ int ssl_session_is_resumable(const SSL_HANDSHAKE *hs,
          ssl->server == session->is_server &&
          // The session must not be expired.
          ssl_session_is_time_valid(ssl, session) &&
-         /* Only resume if the session's version matches the negotiated
-          * version. */
+         // Only resume if the session's version matches the negotiated
+         // version.
          ssl->version == session->ssl_version &&
-         // Only resume if the session's cipher matches the negotiated one.
+         // Only resume if the session's cipher matches the negotiated one. This
+         // is stricter than necessary for TLS 1.3, which allows cross-cipher
+         // resumption if the PRF hashes match. We require an exact match for
+         // simplicity. If loosening this, the 0-RTT accept logic must be
+         // updated to check the cipher.
          hs->new_cipher == session->cipher &&
          // If the session contains a client certificate (either the full
          // certificate or just the hash) then require that the form of the
@@ -635,7 +672,10 @@ int ssl_session_is_resumable(const SSL_HANDSHAKE *hs,
          ((sk_CRYPTO_BUFFER_num(session->certs.get()) == 0 &&
            !session->peer_sha256_valid) ||
           session->peer_sha256_valid ==
-              hs->config->retain_only_sha256_of_client_certs);
+              hs->config->retain_only_sha256_of_client_certs) &&
+         // Only resume if the underlying transport protocol hasn't changed.
+         // This is to prevent cross-protocol resumption between QUIC and TCP.
+         (hs->ssl->quic_method != nullptr) == session->is_quic;
 }
 // ssl_lookup_session looks up |session_id| in the session cache and sets
@@ -849,7 +889,8 @@ ssl_session_st::ssl_session_st(const SSL_X509_METHOD *method)
       peer_sha256_valid(false),
       not_resumable(false),
       ticket_age_add_valid(false),
-      is_server(false) {
+      is_server(false),
+      is_quic(false) {
   CRYPTO_new_ex_data(&ex_data);
   time = ::time(nullptr);
 }
@@ -1050,6 +1091,24 @@ int SSL_SESSION_early_data_capable(const SSL_SESSION *session) {
          session->ticket_max_early_data != 0;
 }
+SSL_SESSION *SSL_SESSION_copy_without_early_data(SSL_SESSION *session) {
+  if (!SSL_SESSION_early_data_capable(session)) {
+    return UpRef(session).release();
+  }
+  bssl::UniquePtr<SSL_SESSION> copy =
+      SSL_SESSION_dup(session, SSL_SESSION_DUP_ALL);
+  if (!copy) {
+    return nullptr;
+  }
+  copy->ticket_max_early_data = 0;
+  // Copied sessions are non-resumable until they're completely filled in.
+  copy->not_resumable = session->not_resumable;
+  assert(!SSL_SESSION_early_data_capable(copy.get()));
+  return copy.release();
+}
 SSL_SESSION *SSL_magic_pending_session_ptr(void) {
   return (SSL_SESSION *)&g_pending_session_magic;
 }

data/third_party/boringssl-with-bazel/src/ssl/ssl_stat.cc CHANGED

@@ -197,6 +197,9 @@ const char *SSL_alert_desc_string_long(int value) {
     case TLS1_AD_NO_RENEGOTIATION:
       return "no renegotiation";
+    case TLS1_AD_MISSING_EXTENSION:
+      return "missing extension";
     case TLS1_AD_UNSUPPORTED_EXTENSION:
       return "unsupported extension";
@@ -218,6 +221,9 @@ const char *SSL_alert_desc_string_long(int value) {
     case TLS1_AD_CERTIFICATE_REQUIRED:
       return "certificate required";
+    case TLS1_AD_NO_APPLICATION_PROTOCOL:
+      return "no application protocol";
     default:
       return "unknown";
   }

data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc CHANGED

@@ -236,10 +236,14 @@ int tls1_configure_aead(SSL *ssl, evp_aead_direction_t direction,
   }
   if (direction == evp_aead_open) {
-    return ssl->method->set_read_state(ssl, std::move(aead_ctx));
+    return ssl->method->set_read_state(ssl, ssl_encryption_application,
+                                       std::move(aead_ctx),
+                                       /*secret_for_quic=*/{});
   }
-  return ssl->method->set_write_state(ssl, std::move(aead_ctx));
+  return ssl->method->set_write_state(ssl, ssl_encryption_application,
+                                      std::move(aead_ctx),
+                                      /*secret_for_quic=*/{});
 }
 int tls1_change_cipher_state(SSL_HANDSHAKE *hs,

data/third_party/boringssl-with-bazel/src/ssl/t1_lib.cc CHANGED

@@ -413,7 +413,6 @@ bool tls1_check_group_id(const SSL_HANDSHAKE *hs, uint16_t group_id) {
 // algorithms for verifying.
 static const uint16_t kVerifySignatureAlgorithms[] = {
     // List our preferred algorithms first.
-    SSL_SIGN_ED25519,
     SSL_SIGN_ECDSA_SECP256R1_SHA256,
     SSL_SIGN_RSA_PSS_RSAE_SHA256,
     SSL_SIGN_RSA_PKCS1_SHA256,
@@ -455,39 +454,15 @@ static const uint16_t kSignSignatureAlgorithms[] = {
     SSL_SIGN_RSA_PKCS1_SHA1,
 };
-struct SSLSignatureAlgorithmList {
-  bool Next(uint16_t *out) {
-    while (!list.empty()) {
-      uint16_t sigalg = list[0];
-      list = list.subspan(1);
-      if (skip_ed25519 && sigalg == SSL_SIGN_ED25519) {
-        continue;
-      }
-      *out = sigalg;
-      return true;
-    }
-    return false;
+static Span<const uint16_t> tls12_get_verify_sigalgs(const SSL_HANDSHAKE *hs) {
+  if (hs->config->verify_sigalgs.empty()) {
+    return Span<const uint16_t>(kVerifySignatureAlgorithms);
   }
-  Span<const uint16_t> list;
-  bool skip_ed25519 = false;
-};
-static SSLSignatureAlgorithmList tls12_get_verify_sigalgs(const SSL *ssl) {
-  SSLSignatureAlgorithmList ret;
-  if (!ssl->config->verify_sigalgs.empty()) {
-    ret.list = ssl->config->verify_sigalgs;
-  } else {
-    ret.list = kVerifySignatureAlgorithms;
-    ret.skip_ed25519 = !ssl->ctx->ed25519_enabled;
-  }
-  return ret;
+  return hs->config->verify_sigalgs;
 }
-bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out) {
-  SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl);
-  uint16_t sigalg;
-  while (list.Next(&sigalg)) {
+bool tls12_add_verify_sigalgs(const SSL_HANDSHAKE *hs, CBB *out) {
+  for (uint16_t sigalg : tls12_get_verify_sigalgs(hs)) {
     if (!CBB_add_u16(out, sigalg)) {
       return false;
     }
@@ -495,11 +470,9 @@ bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out) {
   return true;
 }
-bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
+bool tls12_check_peer_sigalg(const SSL_HANDSHAKE *hs, uint8_t *out_alert,
                              uint16_t sigalg) {
-  SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl);
-  uint16_t verify_sigalg;
-  while (list.Next(&verify_sigalg)) {
+  for (uint16_t verify_sigalg : tls12_get_verify_sigalgs(hs)) {
     if (verify_sigalg == sigalg) {
       return true;
     }
@@ -936,7 +909,6 @@ static bool ext_ticket_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
 static bool ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
-  SSL *const ssl = hs->ssl;
   if (hs->max_version < TLS1_2_VERSION) {
     return true;
   }
@@ -945,7 +917,7 @@ static bool ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
   if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms) ||
       !CBB_add_u16_length_prefixed(out, &contents) ||
       !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
-      !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb) ||
+      !tls12_add_verify_sigalgs(hs, &sigalgs_cbb) ||
       !CBB_flush(out)) {
     return false;
   }
@@ -2575,10 +2547,17 @@ static bool ext_token_binding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
 static bool ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE *hs,
                                                       CBB *out) {
-  if (hs->config->quic_transport_params.empty() ||
-      hs->max_version <= TLS1_2_VERSION) {
+  if (hs->config->quic_transport_params.empty() && !hs->ssl->quic_method) {
     return true;
   }
+  if (hs->config->quic_transport_params.empty() || !hs->ssl->quic_method) {
+    // QUIC Transport Parameters must be sent over QUIC, and they must not be
+    // sent over non-QUIC transports. If transport params are set, then
+    // SSL(_CTX)_set_quic_method must also be called.
+    OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);
+    return false;
+  }
+  assert(hs->min_version > TLS1_2_VERSION);
   CBB contents;
   if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) ||
@@ -2596,13 +2575,19 @@ static bool ext_quic_transport_params_parse_serverhello(SSL_HANDSHAKE *hs,
                                                         CBS *contents) {
   SSL *const ssl = hs->ssl;
   if (contents == nullptr) {
-    return true;
+    if (!ssl->quic_method) {
+      return true;
+    }
+    assert(ssl->quic_method);
+    *out_alert = SSL_AD_MISSING_EXTENSION;
+    return false;
   }
-  // QUIC requires TLS 1.3.
-  if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
+  if (!ssl->quic_method) {
     *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
     return false;
   }
+  // QUIC requires TLS 1.3.
+  assert(ssl_protocol_version(ssl) == TLS1_3_VERSION);
   return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
 }
@@ -2611,21 +2596,34 @@ static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs,
                                                         uint8_t *out_alert,
                                                         CBS *contents) {
   SSL *const ssl = hs->ssl;
-  if (!contents || hs->config->quic_transport_params.empty()) {
-    return true;
+  if (!contents) {
+    if (!ssl->quic_method) {
+      if (hs->config->quic_transport_params.empty()) {
+        return true;
+      }
+      // QUIC transport parameters must not be set if |ssl| is not configured
+      // for QUIC.
+      OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);
+      *out_alert = SSL_AD_INTERNAL_ERROR;
+    }
+    *out_alert = SSL_AD_MISSING_EXTENSION;
+    return false;
   }
-  // Ignore the extension before TLS 1.3.
-  if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
-    return true;
+  if (!ssl->quic_method) {
+    *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
+    return false;
   }
+  assert(ssl_protocol_version(ssl) == TLS1_3_VERSION);
   return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
 }
 static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs,
                                                       CBB *out) {
+  assert(hs->ssl->quic_method != nullptr);
   if (hs->config->quic_transport_params.empty()) {
-    return true;
+    // Transport parameters must be set when using QUIC.
+    OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);
+    return false;
   }
   CBB contents;
@@ -3870,7 +3868,3 @@ int SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO *client_hello,
   *out_len = CBS_len(&cbs);
   return 1;
 }
-void SSL_CTX_set_ed25519_enabled(SSL_CTX *ctx, int enabled) {
-  ctx->ed25519_enabled = !!enabled;
-}