grpc 1.28.0 → 1.30.0

data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc

@@ -356,7 +356,7 @@ bool tls13_process_certificate_verify(SSL_HANDSHAKE *hs, const SSLMessage &msg)
   }
 
   uint8_t alert = SSL_AD_DECODE_ERROR;
-  if (!tls12_check_peer_sigalg(ssl, &alert, signature_algorithm)) {
+  if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm)) {
     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
     return false;
   }

data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc

@@ -52,6 +52,54 @@ enum client_hs_state_t {
 
 static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
 
+// end_of_early_data closes the early data stream for |hs| and switches the
+// encryption level to |level|. It returns true on success and false on error.
+static bool close_early_data(SSL_HANDSHAKE *hs, ssl_encryption_level_t level) {
+  SSL *const ssl = hs->ssl;
+  assert(hs->in_early_data);
+
+  // Note |can_early_write| may already be false if |SSL_write| exceeded the
+  // early data write limit.
+  hs->can_early_write = false;
+
+  // 0-RTT write states on the client differ between TLS 1.3, DTLS 1.3, and
+  // QUIC. TLS 1.3 has one write encryption level at a time. 0-RTT write keys
+  // overwrite the null cipher and defer handshake write keys. While a
+  // HelloRetryRequest can cause us to rewind back to the null cipher, sequence
+  // numbers have no effect, so we can install a "new" null cipher.
+  //
+  // In QUIC and DTLS 1.3, 0-RTT write state cannot override or defer the normal
+  // write state. The two ClientHello sequence numbers must align, and handshake
+  // write keys must be installed early to ACK the EncryptedExtensions.
+  //
+  // We do not currently implement DTLS 1.3 and, in QUIC, the caller handles
+  // 0-RTT data, so we can skip installing 0-RTT keys and act as if there is one
+  // write level. If we implement DTLS 1.3, we'll need to model this better.
+  if (ssl->quic_method == nullptr) {
+    if (level == ssl_encryption_initial) {
+      bssl::UniquePtr<SSLAEADContext> null_ctx =
+          SSLAEADContext::CreateNullCipher(SSL_is_dtls(ssl));
+      if (!null_ctx ||
+          !ssl->method->set_write_state(ssl, ssl_encryption_initial,
+                                        std::move(null_ctx),
+                                        /*secret_for_quic=*/{})) {
+        return false;
+      }
+      ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
+    } else {
+      assert(level == ssl_encryption_handshake);
+      if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
+                                 hs->new_session.get(),
+                                 hs->client_handshake_secret())) {
+        return false;
+      }
+    }
+  }
+
+  assert(ssl->s3->write_level == level);
+  return true;
+}
+
 static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
   assert(ssl->s3->have_version);
@@ -183,28 +231,30 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
     return ssl_hs_error;
   }
 
+  // HelloRetryRequest should be the end of the flight.
+  if (ssl->method->has_unprocessed_handshake_data(ssl)) {
+    ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
+    OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
+    return ssl_hs_error;
+  }
+
   ssl->method->next_message(ssl);
   ssl->s3->used_hello_retry_request = true;
   hs->tls13_state = state_send_second_client_hello;
   // 0-RTT is rejected if we receive a HelloRetryRequest.
   if (hs->in_early_data) {
     ssl->s3->early_data_reason = ssl_early_data_hello_retry_request;
+    if (!close_early_data(hs, ssl_encryption_initial)) {
+      return ssl_hs_error;
+    }
     return ssl_hs_early_data_rejected;
   }
   return ssl_hs_ok;
 }
 
 static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {
-  SSL *const ssl = hs->ssl;
-  // Restore the null cipher. We may have switched due to 0-RTT.
-  bssl::UniquePtr<SSLAEADContext> null_ctx =
-      SSLAEADContext::CreateNullCipher(SSL_is_dtls(ssl));
-  if (!null_ctx ||
-      !ssl->method->set_write_state(ssl, std::move(null_ctx))) {
-    return ssl_hs_error;
-  }
-
-  ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
+  // Any 0-RTT keys must have been discarded.
+  assert(hs->ssl->s3->write_level == ssl_encryption_initial);
 
   if (!ssl_write_client_hello(hs)) {
     return ssl_hs_error;
@@ -391,21 +441,28 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
 
   if (!tls13_advance_key_schedule(hs, dhe_secret) ||
       !ssl_hash_message(hs, msg) ||
-      !tls13_derive_handshake_secrets(hs) ||
-      !tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
-                             hs->server_handshake_secret())) {
+      !tls13_derive_handshake_secrets(hs)) {
     return ssl_hs_error;
   }
 
-  if (!hs->early_data_offered) {
-    // If not sending early data, set client traffic keys now so that alerts are
-    // encrypted.
+  // If currently sending early data over TCP, we defer installing client
+  // traffic keys to when the early data stream is closed. See
+  // |close_early_data|. Note if the server has already rejected 0-RTT via
+  // HelloRetryRequest, |in_early_data| is already false.
+  if (!hs->in_early_data || ssl->quic_method != nullptr) {
     if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
+                               hs->new_session.get(),
                                hs->client_handshake_secret())) {
       return ssl_hs_error;
     }
   }
 
+  if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
+                             hs->new_session.get(),
+                             hs->server_handshake_secret())) {
+    return ssl_hs_error;
+  }
+
   ssl->method->next_message(ssl);
   hs->tls13_state = state_read_encrypted_extensions;
   return ssl_hs_ok;
@@ -439,14 +496,20 @@ static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {
   }
 
   if (ssl->s3->early_data_accepted) {
-    if (hs->early_session->cipher != hs->new_session->cipher ||
-        MakeConstSpan(hs->early_session->early_alpn) !=
-            ssl->s3->alpn_selected) {
+    if (hs->early_session->cipher != hs->new_session->cipher) {
+      OPENSSL_PUT_ERROR(SSL, SSL_R_CIPHER_MISMATCH_ON_EARLY_DATA);
+      ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
+      return ssl_hs_error;
+    }
+    if (MakeConstSpan(hs->early_session->early_alpn) !=
+        ssl->s3->alpn_selected) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_ALPN_MISMATCH_ON_EARLY_DATA);
+      ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
       return ssl_hs_error;
     }
     if (ssl->s3->channel_id_valid || ssl->s3->token_binding_negotiated) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION_ON_EARLY_DATA);
+      ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
       return ssl_hs_error;
     }
   }
@@ -458,6 +521,9 @@ static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {
   ssl->method->next_message(ssl);
   hs->tls13_state = state_read_certificate_request;
   if (hs->in_early_data && !ssl->s3->early_data_accepted) {
+    if (!close_early_data(hs, ssl_encryption_handshake)) {
+      return ssl_hs_error;
+    }
     return ssl_hs_early_data_rejected;
   }
   return ssl_hs_ok;
@@ -622,6 +688,13 @@ static enum ssl_hs_wait_t do_read_server_finished(SSL_HANDSHAKE *hs) {
     return ssl_hs_error;
   }
 
+  // Finished should be the end of the flight.
+  if (ssl->method->has_unprocessed_handshake_data(ssl)) {
+    ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
+    OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
+    return ssl_hs_error;
+  }
+
   ssl->method->next_message(ssl);
   hs->tls13_state = state_send_end_of_early_data;
   return ssl_hs_ok;
@@ -631,7 +704,6 @@ static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
 
   if (ssl->s3->early_data_accepted) {
-    hs->can_early_write = false;
     // QUIC omits the EndOfEarlyData message. See draft-ietf-quic-tls-22,
     // section 8.3.
     if (ssl->quic_method == nullptr) {
@@ -643,11 +715,8 @@ static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {
         return ssl_hs_error;
       }
     }
-  }
 
-  if (hs->early_data_offered) {
-    if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
-                               hs->client_handshake_secret())) {
+    if (!close_early_data(hs, ssl_encryption_handshake)) {
       return ssl_hs_error;
     }
   }
@@ -741,10 +810,12 @@ static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {
   }
 
   // Derive the final keys and enable them.
-  if (!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_open,
-                             hs->server_traffic_secret_0()) ||
-      !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
+  if (!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
+                             hs->new_session.get(),
                              hs->client_traffic_secret_0()) ||
+      !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_open,
+                             hs->new_session.get(),
+                             hs->server_traffic_secret_0()) ||
       !tls13_derive_resumption_secret(hs)) {
     return ssl_hs_error;
   }

data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc

@@ -139,12 +139,18 @@ static bool derive_secret(SSL_HANDSHAKE *hs, Span out,
 
 bool tls13_set_traffic_key(SSL *ssl, enum ssl_encryption_level_t level,
                            enum evp_aead_direction_t direction,
+                           const SSL_SESSION *session,
                            Span<const uint8_t> traffic_secret) {
-  const SSL_SESSION *session = SSL_get_session(ssl);
   uint16_t version = ssl_session_protocol_version(session);
-
   UniquePtr<SSLAEADContext> traffic_aead;
-  if (ssl->quic_method == nullptr) {
+  Span<const uint8_t> secret_for_quic;
+  if (ssl->quic_method != nullptr) {
+    // Install a placeholder SSLAEADContext so that SSL accessors work. The
+    // encryption itself will be handled by the SSL_QUIC_METHOD.
+    traffic_aead =
+        SSLAEADContext::CreatePlaceholderForQUIC(version, session->cipher);
+    secret_for_quic = traffic_secret;
+  } else {
     // Look up cipher suite properties.
     const EVP_AEAD *aead;
     size_t discard;
@@ -173,34 +179,15 @@ bool tls13_set_traffic_key(SSL *ssl, enum ssl_encryption_level_t level,
       return false;
     }
 
-
     traffic_aead = SSLAEADContext::Create(direction, session->ssl_version,
                                           SSL_is_dtls(ssl), session->cipher,
                                           key, Span<const uint8_t>(), iv);
-  } else {
-    // Install a placeholder SSLAEADContext so that SSL accessors work. The
-    // encryption itself will be handled by the SSL_QUIC_METHOD.
-    traffic_aead =
-        SSLAEADContext::CreatePlaceholderForQUIC(version, session->cipher);
-    // QUIC never installs early data keys at the TLS layer.
-    assert(level != ssl_encryption_early_data);
   }
 
   if (!traffic_aead) {
     return false;
   }
 
-  if (direction == evp_aead_open) {
-    if (!ssl->method->set_read_state(ssl, std::move(traffic_aead))) {
-      return false;
-    }
-  } else {
-    if (!ssl->method->set_write_state(ssl, std::move(traffic_aead))) {
-      return false;
-    }
-  }
-
-  // Save the traffic secret.
   if (traffic_secret.size() >
           OPENSSL_ARRAY_SIZE(ssl->s3->read_traffic_secret) ||
       traffic_secret.size() >
@@ -208,16 +195,23 @@ bool tls13_set_traffic_key(SSL *ssl, enum ssl_encryption_level_t level,
     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
     return false;
   }
+
   if (direction == evp_aead_open) {
+    if (!ssl->method->set_read_state(ssl, level, std::move(traffic_aead),
+                                     secret_for_quic)) {
+      return false;
+    }
     OPENSSL_memmove(ssl->s3->read_traffic_secret, traffic_secret.data(),
                     traffic_secret.size());
     ssl->s3->read_traffic_secret_len = traffic_secret.size();
-    ssl->s3->read_level = level;
   } else {
+    if (!ssl->method->set_write_state(ssl, level, std::move(traffic_aead),
+                                      secret_for_quic)) {
+      return false;
+    }
     OPENSSL_memmove(ssl->s3->write_traffic_secret, traffic_secret.data(),
                     traffic_secret.size());
     ssl->s3->write_traffic_secret_len = traffic_secret.size();
-    ssl->s3->write_level = level;
   }
 
   return true;
@@ -243,47 +237,6 @@ bool tls13_derive_early_secret(SSL_HANDSHAKE *hs) {
   return true;
 }
 
-bool tls13_set_early_secret_for_quic(SSL_HANDSHAKE *hs) {
-  SSL *const ssl = hs->ssl;
-  if (ssl->quic_method == nullptr) {
-    return true;
-  }
-  if (ssl->server) {
-    if (!ssl->quic_method->set_encryption_secrets(
-            ssl, ssl_encryption_early_data, hs->early_traffic_secret().data(),
-            /*write_secret=*/nullptr, hs->early_traffic_secret().size())) {
-      OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_INTERNAL_ERROR);
-      return false;
-    }
-  } else {
-    if (!ssl->quic_method->set_encryption_secrets(
-            ssl, ssl_encryption_early_data, /*read_secret=*/nullptr,
-            hs->early_traffic_secret().data(),
-            hs->early_traffic_secret().size())) {
-      OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_INTERNAL_ERROR);
-      return false;
-    }
-  }
-  return true;
-}
-
-static bool set_quic_secrets(SSL_HANDSHAKE *hs, ssl_encryption_level_t level,
-                             Span<const uint8_t> client_write_secret,
-                             Span<const uint8_t> server_write_secret) {
-  SSL *const ssl = hs->ssl;
-  assert(client_write_secret.size() == server_write_secret.size());
-  if (ssl->quic_method == nullptr) {
-    return true;
-  }
-  if (!ssl->server) {
-    std::swap(client_write_secret, server_write_secret);
-  }
-  return ssl->quic_method->set_encryption_secrets(
-      ssl, level,
-      /*read_secret=*/client_write_secret.data(),
-      /*write_secret=*/server_write_secret.data(), client_write_secret.size());
-}
-
 bool tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
   if (!derive_secret(hs, hs->client_handshake_secret(),
@@ -293,10 +246,7 @@ bool tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs) {
       !derive_secret(hs, hs->server_handshake_secret(),
                      label_to_span(kTLS13LabelServerHandshakeTraffic)) ||
       !ssl_log_secret(ssl, "SERVER_HANDSHAKE_TRAFFIC_SECRET",
-                      hs->server_handshake_secret()) ||
-      !set_quic_secrets(hs, ssl_encryption_handshake,
-                        hs->client_handshake_secret(),
-                        hs->server_handshake_secret())) {
+                      hs->server_handshake_secret())) {
     return false;
   }
 
@@ -319,10 +269,7 @@ bool tls13_derive_application_secrets(SSL_HANDSHAKE *hs) {
           label_to_span(kTLS13LabelExporter)) ||
       !ssl_log_secret(ssl, "EXPORTER_SECRET",
                       MakeConstSpan(ssl->s3->exporter_secret,
-                                    ssl->s3->exporter_secret_len)) ||
-      !set_quic_secrets(hs, ssl_encryption_application,
-                        hs->client_traffic_secret_0(),
-                        hs->server_traffic_secret_0())) {
+                                    ssl->s3->exporter_secret_len))) {
     return false;
   }
 
@@ -341,11 +288,12 @@ bool tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) {
                       ssl->s3->write_traffic_secret_len);
   }
 
-  const EVP_MD *digest = ssl_session_get_digest(SSL_get_session(ssl));
+  const SSL_SESSION *session = SSL_get_session(ssl);
+  const EVP_MD *digest = ssl_session_get_digest(session);
   return hkdf_expand_label(secret, digest, secret,
                            label_to_span(kTLS13LabelApplicationTraffic), {}) &&
          tls13_set_traffic_key(ssl, ssl_encryption_application, direction,
-                               secret);
+                               session, secret);
 }
 
 static const char kTLS13LabelResumption[] = "res master";

data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc

@@ -309,6 +309,23 @@ static enum ssl_ticket_aead_result_t select_session(
   return ssl_ticket_aead_success;
 }
 
+static bool quic_ticket_compatible(const SSL_SESSION *session,
+                                   const SSL_CONFIG *config) {
+  if (!session->is_quic) {
+    return true;
+  }
+  if (session->quic_early_data_hash.size() != SHA256_DIGEST_LENGTH) {
+    return false;
+  }
+  uint8_t early_data_hash[SHA256_DIGEST_LENGTH];
+  if (!compute_quic_early_data_hash(config, early_data_hash) ||
+      CRYPTO_memcmp(session->quic_early_data_hash.data(), early_data_hash,
+                    SHA256_DIGEST_LENGTH) != 0) {
+    return false;
+  }
+  return true;
+}
+
 static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
   SSLMessage msg;
@@ -352,6 +369,10 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
         return ssl_hs_error;
       }
 
+      // |ssl_session_is_resumable| forbids cross-cipher resumptions even if the
+      // PRF hashes match.
+      assert(hs->new_cipher == session->cipher);
+
       if (!ssl->enable_early_data) {
         ssl->s3->early_data_reason = ssl_early_data_disabled;
       } else if (session->ticket_max_early_data == 0) {
@@ -370,6 +391,8 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
       } else if (ssl->s3->ticket_age_skew < -kMaxTicketAgeSkewSeconds ||
                  kMaxTicketAgeSkewSeconds < ssl->s3->ticket_age_skew) {
         ssl->s3->early_data_reason = ssl_early_data_ticket_age_skew;
+      } else if (!quic_ticket_compatible(session.get(), hs->config)) {
+        ssl->s3->early_data_reason = ssl_early_data_quic_parameter_mismatch;
       } else {
         ssl->s3->early_data_reason = ssl_early_data_accepted;
         ssl->s3->early_data_accepted = true;
@@ -558,6 +581,13 @@ static enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs) {
     return ssl_hs_error;
   }
 
+  // ClientHello should be the end of the flight.
+  if (ssl->method->has_unprocessed_handshake_data(ssl)) {
+    ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
+    OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
+    return ssl_hs_error;
+  }
+
   ssl->method->next_message(ssl);
   hs->tls13_state = state13_send_server_hello;
   return ssl_hs_ok;
@@ -593,6 +623,7 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
   // Derive and enable the handshake traffic secrets.
   if (!tls13_derive_handshake_secrets(hs) ||
       !tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
+                             hs->new_session.get(),
                              hs->server_handshake_secret())) {
     return ssl_hs_error;
   }
@@ -627,7 +658,7 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
         !CBB_add_u16_length_prefixed(&cert_request_extensions,
                                      &sigalg_contents) ||
         !CBB_add_u16_length_prefixed(&sigalg_contents, &sigalgs_cbb) ||
-        !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb)) {
+        !tls12_add_verify_sigalgs(hs, &sigalgs_cbb)) {
       return ssl_hs_error;
     }
 
@@ -693,24 +724,19 @@ static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
           hs, MakeConstSpan(kZeroes, hs->transcript.DigestLen())) ||
       !tls13_derive_application_secrets(hs) ||
       !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
+                             hs->new_session.get(),
                              hs->server_traffic_secret_0())) {
     return ssl_hs_error;
   }
 
-  if (ssl->s3->early_data_accepted) {
-    // We defer releasing the early traffic secret to QUIC to this point. First,
-    // the early traffic secret is derived before ECDHE, but ECDHE may later
-    // reject 0-RTT. We only release the secret after 0-RTT is fully resolved.
-    //
-    // Second, 0-RTT data is acknowledged with 1-RTT keys. Both are derived as
-    // part of the ServerHello flight, but future TLS extensions may insert an
-    // asynchronous point in the middle of this flight. We defer releasing the
-    // 0-RTT keys to ensure the QUIC implementation never installs read keys
-    // without the write keys to send the corresponding ACKs.
-    if (!tls13_set_early_secret_for_quic(hs)) {
-      return ssl_hs_error;
-    }
+  hs->tls13_state = state13_send_half_rtt_ticket;
+  return hs->handback ? ssl_hs_handback : ssl_hs_ok;
+}
 
+static enum ssl_hs_wait_t do_send_half_rtt_ticket(SSL_HANDSHAKE *hs) {
+  SSL *const ssl = hs->ssl;
+
+  if (ssl->s3->early_data_accepted) {
     // If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on
     // the wire sooner and also avoids triggering a write on |SSL_read| when
     // processing the client Finished. This requires computing the client
@@ -759,9 +785,8 @@ static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
 static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
   if (ssl->s3->early_data_accepted) {
-    // QUIC never receives handshake messages under 0-RTT keys.
-    if (ssl->quic_method == nullptr &&
-        !tls13_set_traffic_key(ssl, ssl_encryption_early_data, evp_aead_open,
+    if (!tls13_set_traffic_key(ssl, ssl_encryption_early_data, evp_aead_open,
+                               hs->new_session.get(),
                                hs->early_traffic_secret())) {
       return ssl_hs_error;
     }
@@ -775,6 +800,7 @@ static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) {
   // return.
   if (ssl->quic_method != nullptr) {
     if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
+                               hs->new_session.get(),
                                hs->client_handshake_secret())) {
       return ssl_hs_error;
     }
@@ -807,12 +833,10 @@ static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) {
     ssl->method->next_message(ssl);
   }
   if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
+                             hs->new_session.get(),
                              hs->client_handshake_secret())) {
     return ssl_hs_error;
   }
-  if (hs->handback) {
-    return ssl_hs_handback;
-  }
   hs->tls13_state = state13_read_client_certificate;
   return ssl_hs_ok;
 }
@@ -920,6 +944,7 @@ static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) {
       !tls13_process_finished(hs, msg, ssl->s3->early_data_accepted) ||
       // evp_aead_seal keys have already been switched.
       !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_open,
+                             hs->new_session.get(),
                              hs->client_traffic_secret_0())) {
     return ssl_hs_error;
   }
@@ -986,6 +1011,9 @@ enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs) {
       case state13_send_server_finished:
         ret = do_send_server_finished(hs);
         break;
+      case state13_send_half_rtt_ticket:
+        ret = do_send_half_rtt_ticket(hs);
+        break;
       case state13_read_second_client_flight:
         ret = do_read_second_client_flight(hs);
         break;
@@ -1040,6 +1068,8 @@ const char *tls13_server_handshake_state(SSL_HANDSHAKE *hs) {
       return "TLS 1.3 server send_server_hello";
     case state13_send_server_certificate_verify:
       return "TLS 1.3 server send_server_certificate_verify";
+    case state13_send_half_rtt_ticket:
+      return "TLS 1.3 server send_half_rtt_ticket";
     case state13_send_server_finished:
       return "TLS 1.3 server send_server_finished";
     case state13_read_second_client_flight: