RubyGems - grpc - Versions diffs - 1.37.1 → 1.38.0.pre1 - Mend

grpc 1.37.1 → 1.38.0.pre1

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (544) hide show

data/third_party/boringssl-with-bazel/src/ssl/handoff.cc CHANGED Viewed

@@ -15,6 +15,7 @@
 #include <openssl/ssl.h>
 #include <openssl/bytestring.h>
+#include <openssl/err.h>
 #include "internal.h"
@@ -93,7 +94,7 @@ bool SSL_serialize_handoff(const SSL *ssl, CBB *out,
       !serialize_features(&seq) ||
       !CBB_flush(out) ||
       !ssl->method->get_message(ssl, &msg) ||
-      !ssl_client_hello_init(ssl, out_hello, msg)) {
+      !ssl_client_hello_init(ssl, out_hello, msg.body)) {
     return false;
   }
@@ -708,3 +709,245 @@ bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
 }
 BSSL_NAMESPACE_END
+using namespace bssl;
+int SSL_serialize_capabilities(const SSL *ssl, CBB *out) {
+  CBB seq;
+  if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
+      !serialize_features(&seq) ||  //
+      !CBB_flush(out)) {
+    return 0;
+  }
+  return 1;
+}
+int SSL_request_handshake_hints(SSL *ssl, const uint8_t *client_hello,
+                                size_t client_hello_len,
+                                const uint8_t *capabilities,
+                                size_t capabilities_len) {
+  if (SSL_is_dtls(ssl)) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+    return 0;
+  }
+  CBS cbs, seq;
+  CBS_init(&cbs, capabilities, capabilities_len);
+  UniquePtr<SSL_HANDSHAKE_HINTS> hints = MakeUnique<SSL_HANDSHAKE_HINTS>();
+  if (hints == nullptr ||
+      !CBS_get_asn1(&cbs, &seq, CBS_ASN1_SEQUENCE) ||
+      !apply_remote_features(ssl, &seq)) {
+    return 0;
+  }
+  SSL3_STATE *const s3 = ssl->s3;
+  s3->v2_hello_done = true;
+  s3->has_message = true;
+  Array<uint8_t> client_hello_msg;
+  ScopedCBB client_hello_cbb;
+  CBB client_hello_body;
+  if (!ssl->method->init_message(ssl, client_hello_cbb.get(),
+                                 &client_hello_body, SSL3_MT_CLIENT_HELLO) ||
+      !CBB_add_bytes(&client_hello_body, client_hello, client_hello_len) ||
+      !ssl->method->finish_message(ssl, client_hello_cbb.get(),
+                                   &client_hello_msg)) {
+    return 0;
+  }
+  s3->hs_buf.reset(BUF_MEM_new());
+  if (!s3->hs_buf || !BUF_MEM_append(s3->hs_buf.get(), client_hello_msg.data(),
+                                     client_hello_msg.size())) {
+    return 0;
+  }
+  s3->hs->hints_requested = true;
+  s3->hs->hints = std::move(hints);
+  return 1;
+}
+// |SSL_HANDSHAKE_HINTS| is serialized as the following ASN.1 structure. We use
+// implicit tagging to make it a little more compact.
+//
+// HandshakeHints ::= SEQUENCE {
+//     serverRandom            [0] IMPLICIT OCTET STRING OPTIONAL,
+//     keyShareHint            [1] IMPLICIT KeyShareHint OPTIONAL,
+//     signatureHint           [2] IMPLICIT SignatureHint OPTIONAL,
+//     -- At most one of decryptedPSKHint or ignorePSKHint may be present. It
+//     -- corresponds to the first entry in pre_shared_keys. TLS 1.2 session
+//     -- tickets will use a separate hint, to ensure the caller does not mix
+//     -- them up.
+//     decryptedPSKHint        [3] IMPLICIT OCTET STRING OPTIONAL,
+//     ignorePSKHint           [4] IMPLICIT NULL OPTIONAL,
+// }
+//
+// KeyShareHint ::= SEQUENCE {
+//     groupId                 INTEGER,
+//     publicKey               OCTET STRING,
+//     secret                  OCTET STRING,
+// }
+//
+// SignatureHint ::= SEQUENCE {
+//     algorithm               INTEGER,
+//     input                   OCTET STRING,
+//     subjectPublicKeyInfo    OCTET STRING,
+//     signature               OCTET STRING,
+// }
+// HandshakeHints tags.
+static const unsigned kServerRandomTag = CBS_ASN1_CONTEXT_SPECIFIC | 0;
+static const unsigned kKeyShareHintTag =
+    CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1;
+static const unsigned kSignatureHintTag =
+    CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 2;
+static const unsigned kDecryptedPSKTag = CBS_ASN1_CONTEXT_SPECIFIC | 3;
+static const unsigned kIgnorePSKTag = CBS_ASN1_CONTEXT_SPECIFIC | 4;
+int SSL_serialize_handshake_hints(const SSL *ssl, CBB *out) {
+  const SSL_HANDSHAKE *hs = ssl->s3->hs.get();
+  if (!ssl->server || !hs->hints_requested) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+    return 0;
+  }
+  const SSL_HANDSHAKE_HINTS *hints = hs->hints.get();
+  CBB seq, server_random, key_share_hint, signature_hint, decrypted_psk,
+      ignore_psk;
+  if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE)) {
+    return 0;
+  }
+  if (!hints->server_random.empty()) {
+    if (!CBB_add_asn1(&seq, &server_random, kServerRandomTag) ||
+        !CBB_add_bytes(&server_random, hints->server_random.data(),
+                       hints->server_random.size())) {
+      return 0;
+    }
+  }
+  if (hints->key_share_group_id != 0 && !hints->key_share_public_key.empty() &&
+      !hints->key_share_secret.empty()) {
+    if (!CBB_add_asn1(&seq, &key_share_hint, kKeyShareHintTag) ||
+        !CBB_add_asn1_uint64(&key_share_hint, hints->key_share_group_id) ||
+        !CBB_add_asn1_octet_string(&key_share_hint,
+                                   hints->key_share_public_key.data(),
+                                   hints->key_share_public_key.size()) ||
+        !CBB_add_asn1_octet_string(&key_share_hint,
+                                   hints->key_share_secret.data(),
+                                   hints->key_share_secret.size())) {
+      return 0;
+    }
+  }
+  if (hints->signature_algorithm != 0 && !hints->signature_input.empty() &&
+      !hints->signature.empty()) {
+    if (!CBB_add_asn1(&seq, &signature_hint, kSignatureHintTag) ||
+        !CBB_add_asn1_uint64(&signature_hint, hints->signature_algorithm) ||
+        !CBB_add_asn1_octet_string(&signature_hint,
+                                    hints->signature_input.data(),
+                                    hints->signature_input.size()) ||
+        !CBB_add_asn1_octet_string(&signature_hint,
+                                    hints->signature_spki.data(),
+                                    hints->signature_spki.size()) ||
+        !CBB_add_asn1_octet_string(&signature_hint, hints->signature.data(),
+                                    hints->signature.size())) {
+      return 0;
+    }
+  }
+  if (!hints->decrypted_psk.empty()) {
+    if (!CBB_add_asn1(&seq, &decrypted_psk, kDecryptedPSKTag) ||
+        !CBB_add_bytes(&decrypted_psk, hints->decrypted_psk.data(),
+                       hints->decrypted_psk.size())) {
+      return 0;
+    }
+  }
+  if (hints->ignore_psk &&  //
+      !CBB_add_asn1(&seq, &ignore_psk, kIgnorePSKTag)) {
+    return 0;
+  }
+  return CBB_flush(out);
+}
+int SSL_set_handshake_hints(SSL *ssl, const uint8_t *hints, size_t hints_len) {
+  if (SSL_is_dtls(ssl)) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+    return 0;
+  }
+  UniquePtr<SSL_HANDSHAKE_HINTS> hints_obj = MakeUnique<SSL_HANDSHAKE_HINTS>();
+  if (hints_obj == nullptr) {
+    return 0;
+  }
+  CBS cbs, seq, server_random, key_share, signature_hint, ticket, ignore_psk;
+  int has_server_random, has_key_share, has_signature_hint, has_ticket,
+      has_ignore_psk;
+  CBS_init(&cbs, hints, hints_len);
+  if (!CBS_get_asn1(&cbs, &seq, CBS_ASN1_SEQUENCE) ||
+      !CBS_get_optional_asn1(&seq, &server_random, &has_server_random,
+                             kServerRandomTag) ||
+      !CBS_get_optional_asn1(&seq, &key_share, &has_key_share,
+                             kKeyShareHintTag) ||
+      !CBS_get_optional_asn1(&seq, &signature_hint, &has_signature_hint,
+                             kSignatureHintTag) ||
+      !CBS_get_optional_asn1(&seq, &ticket, &has_ticket, kDecryptedPSKTag) ||
+      !CBS_get_optional_asn1(&seq, &ignore_psk, &has_ignore_psk,
+                             kIgnorePSKTag)) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
+    return 0;
+  }
+  if (has_server_random && !hints_obj->server_random.CopyFrom(server_random)) {
+    return 0;
+  }
+  if (has_key_share) {
+    uint64_t group_id;
+    CBS public_key, secret;
+    if (!CBS_get_asn1_uint64(&key_share, &group_id) ||  //
+        group_id == 0 || group_id > 0xffff ||
+        !CBS_get_asn1(&key_share, &public_key, CBS_ASN1_OCTETSTRING) ||
+        !hints_obj->key_share_public_key.CopyFrom(public_key) ||
+        !CBS_get_asn1(&key_share, &secret, CBS_ASN1_OCTETSTRING) ||
+        !hints_obj->key_share_secret.CopyFrom(secret)) {
+      OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
+      return 0;
+    }
+    hints_obj->key_share_group_id = static_cast<uint16_t>(group_id);
+  }
+  if (has_signature_hint) {
+    uint64_t sig_alg;
+    CBS input, spki, signature;
+    if (!CBS_get_asn1_uint64(&signature_hint, &sig_alg) ||  //
+        sig_alg == 0 || sig_alg > 0xffff ||
+        !CBS_get_asn1(&signature_hint, &input, CBS_ASN1_OCTETSTRING) ||
+        !hints_obj->signature_input.CopyFrom(input) ||
+        !CBS_get_asn1(&signature_hint, &spki, CBS_ASN1_OCTETSTRING) ||
+        !hints_obj->signature_spki.CopyFrom(spki) ||
+        !CBS_get_asn1(&signature_hint, &signature, CBS_ASN1_OCTETSTRING) ||
+        !hints_obj->signature.CopyFrom(signature)) {
+      OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
+      return 0;
+    }
+    hints_obj->signature_algorithm = static_cast<uint16_t>(sig_alg);
+  }
+  if (has_ticket && !hints_obj->decrypted_psk.CopyFrom(ticket)) {
+    return 0;
+  }
+  if (has_ignore_psk) {
+    if (CBS_len(&ignore_psk) != 0) {
+      return 0;
+    }
+    hints_obj->ignore_psk = true;
+  }
+  ssl->s3->hs->hints = std::move(hints_obj);
+  return 1;
+}

data/third_party/boringssl-with-bazel/src/ssl/handshake.cc CHANGED Viewed

@@ -126,6 +126,7 @@ BSSL_NAMESPACE_BEGIN
 SSL_HANDSHAKE::SSL_HANDSHAKE(SSL *ssl_arg)
     : ssl(ssl_arg),
+      ech_accept(false),
       ech_present(false),
       ech_is_inner_present(false),
       scts_requested(false),
@@ -148,6 +149,7 @@ SSL_HANDSHAKE::SSL_HANDSHAKE(SSL *ssl_arg)
       pending_private_key_op(false),
       grease_seeded(false),
       handback(false),
+      hints_requested(false),
       cert_compression_negotiated(false),
       apply_jdk11_workaround(false) {
   assert(ssl);
@@ -164,6 +166,28 @@ void SSL_HANDSHAKE::ResizeSecrets(size_t hash_len) {
   hash_len_ = hash_len;
 }
+bool SSL_HANDSHAKE::GetClientHello(SSLMessage *out_msg,
+                                   SSL_CLIENT_HELLO *out_client_hello) {
+  if (!ech_client_hello_buf.empty()) {
+    // If the backing buffer is non-empty, the ClientHelloInner has been set.
+    out_msg->is_v2_hello = false;
+    out_msg->type = SSL3_MT_CLIENT_HELLO;
+    out_msg->raw = CBS(ech_client_hello_buf);
+    out_msg->body = MakeConstSpan(ech_client_hello_buf).subspan(4);
+  } else if (!ssl->method->get_message(ssl, out_msg)) {
+    // The message has already been read, so this cannot fail.
+    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+    return false;
+  }
+  if (!ssl_client_hello_init(ssl, out_client_hello, out_msg->body)) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
+    ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
+    return false;
+  }
+  return true;
+}
 UniquePtr<SSL_HANDSHAKE> ssl_handshake_new(SSL *ssl) {
   UniquePtr<SSL_HANDSHAKE> hs = MakeUnique<SSL_HANDSHAKE>(ssl);
   if (!hs || !hs->transcript.Init()) {
@@ -552,7 +576,11 @@ const SSL_SESSION *ssl_handshake_session(const SSL_HANDSHAKE *hs) {
 int ssl_run_handshake(SSL_HANDSHAKE *hs, bool *out_early_return) {
   SSL *const ssl = hs->ssl;
   for (;;) {
-    // Resolve the operation the handshake was waiting on.
+    // Resolve the operation the handshake was waiting on. Each condition may
+    // halt the handshake by returning, or continue executing if the handshake
+    // may immediately proceed. Cases which halt the handshake can clear
+    // |hs->wait| to re-enter the state machine on the next iteration, or leave
+    // it set to keep the condition sticky.
     switch (hs->wait) {
       case ssl_hs_error:
         ERR_restore_state(hs->error.get());
@@ -570,13 +598,13 @@ int ssl_run_handshake(SSL_HANDSHAKE *hs, bool *out_early_return) {
       case ssl_hs_read_message:
       case ssl_hs_read_change_cipher_spec: {
         if (ssl->quic_method) {
+          // QUIC has no ChangeCipherSpec messages.
+          assert(hs->wait != ssl_hs_read_change_cipher_spec);
+          // The caller should call |SSL_provide_quic_data|. Clear |hs->wait| so
+          // the handshake can check if there is sufficient data next iteration.
+          ssl->s3->rwstate = SSL_ERROR_WANT_READ;
           hs->wait = ssl_hs_ok;
-          // The change cipher spec is omitted in QUIC.
-          if (hs->wait != ssl_hs_read_change_cipher_spec) {
-            ssl->s3->rwstate = SSL_ERROR_WANT_READ;
-            return -1;
-          }
-          break;
+          return -1;
         }
         uint8_t alert = SSL_AD_DECODE_ERROR;
@@ -646,31 +674,30 @@ int ssl_run_handshake(SSL_HANDSHAKE *hs, bool *out_early_return) {
         return -1;
       }
+        // The following cases are associated with callback APIs which expect to
+        // be called each time the state machine runs. Thus they set |hs->wait|
+        // to |ssl_hs_ok| so that, next time, we re-enter the state machine and
+        // call the callback again.
       case ssl_hs_x509_lookup:
         ssl->s3->rwstate = SSL_ERROR_WANT_X509_LOOKUP;
         hs->wait = ssl_hs_ok;
         return -1;
       case ssl_hs_channel_id_lookup:
         ssl->s3->rwstate = SSL_ERROR_WANT_CHANNEL_ID_LOOKUP;
         hs->wait = ssl_hs_ok;
         return -1;
       case ssl_hs_private_key_operation:
         ssl->s3->rwstate = SSL_ERROR_WANT_PRIVATE_KEY_OPERATION;
         hs->wait = ssl_hs_ok;
         return -1;
       case ssl_hs_pending_session:
         ssl->s3->rwstate = SSL_ERROR_PENDING_SESSION;
         hs->wait = ssl_hs_ok;
         return -1;
       case ssl_hs_pending_ticket:
         ssl->s3->rwstate = SSL_ERROR_PENDING_TICKET;
         hs->wait = ssl_hs_ok;
         return -1;
       case ssl_hs_certificate_verify:
         ssl->s3->rwstate = SSL_ERROR_WANT_CERTIFICATE_VERIFY;
         hs->wait = ssl_hs_ok;
@@ -687,6 +714,10 @@ int ssl_run_handshake(SSL_HANDSHAKE *hs, bool *out_early_return) {
         hs->wait = ssl_hs_ok;
         return 1;
+      case ssl_hs_hints_ready:
+        ssl->s3->rwstate = SSL_ERROR_HANDSHAKE_HINTS_READY;
+        return -1;
       case ssl_hs_ok:
         break;
     }

data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc CHANGED Viewed

@@ -154,6 +154,8 @@
 #include <openssl/bn.h>
 #include <openssl/bytestring.h>
 #include <openssl/cipher.h>
+#include <openssl/curve25519.h>
+#include <openssl/digest.h>
 #include <openssl/ec.h>
 #include <openssl/ecdsa.h>
 #include <openssl/err.h>
@@ -167,6 +169,7 @@
 #include "internal.h"
 #include "../crypto/internal.h"
+#include "../crypto/hpke/internal.h"
 BSSL_NAMESPACE_BEGIN
@@ -563,7 +566,7 @@ static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) {
   }
   SSL_CLIENT_HELLO client_hello;
-  if (!ssl_client_hello_init(ssl, &client_hello, msg)) {
+  if (!ssl_client_hello_init(ssl, &client_hello, msg.body)) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
     return ssl_hs_error;
@@ -581,12 +584,137 @@ static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) {
     return ssl_hs_handoff;
   }
+  // If the ClientHello contains an encrypted_client_hello extension (and no
+  // ech_is_inner extension), act as a client-facing server and attempt to
+  // decrypt the ClientHelloInner.
+  CBS ech_body;
+  if (ssl_client_hello_get_extension(&client_hello, &ech_body,
+                                      TLSEXT_TYPE_encrypted_client_hello)) {
+    CBS unused;
+    if (ssl_client_hello_get_extension(&client_hello, &unused,
+                                       TLSEXT_TYPE_ech_is_inner)) {
+      OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
+      ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
+      return ssl_hs_error;
+    }
+    // Parse a ClientECH out of the extension body.
+    uint16_t kdf_id, aead_id;
+    CBS config_id, enc, payload;
+    if (!CBS_get_u16(&ech_body, &kdf_id) ||  //
+        !CBS_get_u16(&ech_body, &aead_id) ||
+        !CBS_get_u8_length_prefixed(&ech_body, &config_id) ||
+        !CBS_get_u16_length_prefixed(&ech_body, &enc) ||
+        !CBS_get_u16_length_prefixed(&ech_body, &payload) ||
+        CBS_len(&ech_body) != 0) {
+      OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+      ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
+      return ssl_hs_error;
+    }
+    {
+      MutexReadLock lock(&ssl->ctx->lock);
+      hs->ech_server_config_list = UpRef(ssl->ctx->ech_server_config_list);
+    }
+    if (hs->ech_server_config_list) {
+      for (const ECHServerConfig &ech_config :
+           hs->ech_server_config_list->configs) {
+        // Skip this config if the client-provided config_id does not match or
+        // if the client indicated an unsupported HPKE ciphersuite.
+        if (config_id != ech_config.config_id_sha256() ||
+            !ech_config.SupportsCipherSuite(kdf_id, aead_id)) {
+          continue;
+        }
+        static const uint8_t kInfoLabel[] = "tls ech";
+        ScopedCBB info_cbb;
+        if (!CBB_init(info_cbb.get(),
+                      sizeof(kInfoLabel) + ech_config.raw().size()) ||
+            !CBB_add_bytes(info_cbb.get(), kInfoLabel,
+                           sizeof(kInfoLabel) /* includes trailing NUL */) ||
+            !CBB_add_bytes(info_cbb.get(), ech_config.raw().data(),
+                           ech_config.raw().size())) {
+          OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
+          return ssl_hs_error;
+        }
+        // Set up a fresh HPKE context for each decryption attempt.
+        hs->ech_hpke_ctx.Reset();
+        if (CBS_len(&enc) != X25519_PUBLIC_VALUE_LEN ||
+            !EVP_HPKE_CTX_setup_base_r_x25519(
+                hs->ech_hpke_ctx.get(), kdf_id, aead_id, CBS_data(&enc),
+                CBS_len(&enc), ech_config.public_key().data(),
+                ech_config.public_key().size(), ech_config.private_key().data(),
+                ech_config.private_key().size(), CBB_data(info_cbb.get()),
+                CBB_len(info_cbb.get()))) {
+          // Ignore the error and try another ECHConfig.
+          ERR_clear_error();
+          continue;
+        }
+        Array<uint8_t> encoded_client_hello_inner;
+        bool is_decrypt_error;
+        if (!ssl_client_hello_decrypt(hs->ech_hpke_ctx.get(),
+                                      &encoded_client_hello_inner,
+                                      &is_decrypt_error, &client_hello, kdf_id,
+                                      aead_id, config_id, enc, payload)) {
+          if (is_decrypt_error) {
+            // Ignore the error and try another ECHConfig.
+            ERR_clear_error();
+            continue;
+          }
+          OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
+          return ssl_hs_error;
+        }
+        // Recover the ClientHelloInner from the EncodedClientHelloInner.
+        uint8_t alert = SSL_AD_DECODE_ERROR;
+        bssl::Array<uint8_t> client_hello_inner;
+        if (!ssl_decode_client_hello_inner(ssl, &alert, &client_hello_inner,
+                                           encoded_client_hello_inner,
+                                           &client_hello)) {
+          ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
+          OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+          return ssl_hs_error;
+        }
+        hs->ech_client_hello_buf = std::move(client_hello_inner);
+        // Load the ClientHelloInner into |client_hello|.
+        if (!hs->GetClientHello(&msg, &client_hello)) {
+          OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+          return ssl_hs_error;
+        }
+        hs->ech_accept = true;
+        break;
+      }
+    }
+    // If we did not set |hs->ech_accept| to true, we will send the current
+    // ECHConfigs as retry_configs in the ServerHello's encrypted extensions.
+    // Proceed with the ClientHelloOuter.
+  }
   uint8_t alert = SSL_AD_DECODE_ERROR;
   if (!extract_sni(hs, &alert, &client_hello)) {
     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
     return ssl_hs_error;
   }
+  hs->state = state12_read_client_hello_after_ech;
+  return ssl_hs_ok;
+}
+static enum ssl_hs_wait_t do_read_client_hello_after_ech(SSL_HANDSHAKE *hs) {
+  SSL *const ssl = hs->ssl;
+  SSLMessage msg_unused;
+  SSL_CLIENT_HELLO client_hello;
+  if (!hs->GetClientHello(&msg_unused, &client_hello)) {
+    return ssl_hs_error;
+  }
   // Run the early callback.
   if (ssl->ctx->select_certificate_cb != NULL) {
     switch (ssl->ctx->select_certificate_cb(&client_hello)) {
@@ -614,6 +742,7 @@ static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) {
     hs->apply_jdk11_workaround = true;
   }
+  uint8_t alert = SSL_AD_DECODE_ERROR;
   if (!negotiate_version(hs, &alert, &client_hello)) {
     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
     return ssl_hs_error;
@@ -657,11 +786,6 @@ static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) {
 static enum ssl_hs_wait_t do_select_certificate(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
-  SSLMessage msg;
-  if (!ssl->method->get_message(ssl, &msg)) {
-    return ssl_hs_read_message;
-  }
   // Call |cert_cb| to update server certificates if required.
   if (hs->config->cert->cert_cb != NULL) {
     int rv = hs->config->cert->cert_cb(ssl, hs->config->cert->cert_cb_arg);
@@ -701,10 +825,22 @@ static enum ssl_hs_wait_t do_select_certificate(SSL_HANDSHAKE *hs) {
     return ssl_hs_ok;
   }
+  // It should not be possible to negotiate TLS 1.2 with ECH. The
+  // ClientHelloInner decoding function rejects ClientHellos which offer TLS 1.2
+  // or below.
+  assert(!hs->ech_accept);
+  // TODO(davidben): Also compute hints for TLS 1.2. When doing so, update the
+  // check in bssl_shim.cc to test this.
+  if (hs->hints_requested) {
+    return ssl_hs_hints_ready;
+  }
   ssl->s3->early_data_reason = ssl_early_data_protocol_version;
+  SSLMessage msg_unused;
   SSL_CLIENT_HELLO client_hello;
-  if (!ssl_client_hello_init(ssl, &client_hello, msg)) {
+  if (!hs->GetClientHello(&msg_unused, &client_hello)) {
     return ssl_hs_error;
   }
@@ -743,7 +879,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
   }
   SSL_CLIENT_HELLO client_hello;
-  if (!ssl_client_hello_init(ssl, &client_hello, msg)) {
+  if (!ssl_client_hello_init(ssl, &client_hello, msg.body)) {
     return ssl_hs_error;
   }
@@ -1693,6 +1829,9 @@ enum ssl_hs_wait_t ssl_server_handshake(SSL_HANDSHAKE *hs) {
       case state12_read_client_hello:
         ret = do_read_client_hello(hs);
         break;
+      case state12_read_client_hello_after_ech:
+        ret = do_read_client_hello_after_ech(hs);
+        break;
       case state12_select_certificate:
         ret = do_select_certificate(hs);
         break;
@@ -1773,6 +1912,8 @@ const char *ssl_server_handshake_state(SSL_HANDSHAKE *hs) {
       return "TLS server start_accept";
     case state12_read_client_hello:
       return "TLS server read_client_hello";
+    case state12_read_client_hello_after_ech:
+      return "TLS server read_client_hello_after_ech";
     case state12_select_certificate:
       return "TLS server select_certificate";
     case state12_tls13: