grpc 1.9.1 → 1.10.0.pre1

data/third_party/boringssl/ssl/{ssl_file.c → ssl_file.cc}

@@ -128,8 +128,8 @@ static int xname_cmp(const X509_NAME **a, const X509_NAME **b) {
   return X509_NAME_cmp(*a, *b);
 }
 
-/* TODO(davidben): Is there any reason this doesn't call
- * |SSL_add_file_cert_subjects_to_stack|? */
+// TODO(davidben): Is there any reason this doesn't call
+// |SSL_add_file_cert_subjects_to_stack|?
 STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) {
   BIO *in;
   X509 *x = NULL;
@@ -164,7 +164,7 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) {
       goto err;
     }
 
-    /* Check for duplicates. */
+    // Check for duplicates.
     if (sk_X509_NAME_find(sk, NULL, xn)) {
       continue;
     }
@@ -222,7 +222,7 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
       goto err;
     }
 
-    /* Check for duplicates. */
+    // Check for duplicates.
     if (sk_X509_NAME_find(stack, NULL, xn)) {
       continue;
     }
@@ -493,15 +493,15 @@ end:
   return ret;
 }
 
-/* Read a file that contains our certificate in "PEM" format, possibly followed
- * by a sequence of CA certificates that should be sent to the peer in the
- * Certificate message. */
+// Read a file that contains our certificate in "PEM" format, possibly followed
+// by a sequence of CA certificates that should be sent to the peer in the
+// Certificate message.
 int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) {
   BIO *in;
   int ret = 0;
   X509 *x = NULL;
 
-  ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
+  ERR_clear_error();  // clear error stack for SSL_CTX_use_certificate()
 
   in = BIO_new(BIO_s_file());
   if (in == NULL) {
@@ -524,12 +524,12 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) {
   ret = SSL_CTX_use_certificate(ctx, x);
 
   if (ERR_peek_error() != 0) {
-    ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */
+    ret = 0;  // Key/certificate mismatch doesn't imply ret==0 ...
   }
 
   if (ret) {
-    /* If we could set up our certificate, now proceed to the CA
-     * certificates. */
+    // If we could set up our certificate, now proceed to the CA
+    // certificates.
     X509 *ca;
     int r;
     uint32_t err;
@@ -545,18 +545,18 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) {
         ret = 0;
         goto end;
       }
-      /* Note that we must not free r if it was successfully added to the chain
-       * (while we must free the main certificate, since its reference count is
-       * increased by SSL_CTX_use_certificate). */
+      // Note that we must not free r if it was successfully added to the chain
+      // (while we must free the main certificate, since its reference count is
+      // increased by SSL_CTX_use_certificate).
     }
 
-    /* When the while loop ends, it's usually just EOF. */
+    // When the while loop ends, it's usually just EOF.
     err = ERR_peek_last_error();
     if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
         ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {
       ERR_clear_error();
     } else {
-      ret = 0; /* some real error */
+      ret = 0;  // some real error
     }
   }
 
@@ -570,6 +570,14 @@ void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) {
   ctx->default_passwd_callback = cb;
 }
 
+pem_password_cb *SSL_CTX_get_default_passwd_cb(const SSL_CTX *ctx) {
+  return ctx->default_passwd_callback;
+}
+
 void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *data) {
   ctx->default_passwd_callback_userdata = data;
 }
+
+void *SSL_CTX_get_default_passwd_cb_userdata(const SSL_CTX *ctx) {
+  return ctx->default_passwd_callback_userdata;
+}

data/third_party/boringssl/ssl/ssl_key_share.cc

@@ -0,0 +1,245 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/ssl.h>
+
+#include <assert.h>
+#include <string.h>
+
+#include <utility>
+
+#include <openssl/bn.h>
+#include <openssl/bytestring.h>
+#include <openssl/curve25519.h>
+#include <openssl/ec.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+#include <openssl/nid.h>
+
+#include "internal.h"
+#include "../crypto/internal.h"
+
+
+namespace bssl {
+
+namespace {
+
+class ECKeyShare : public SSLKeyShare {
+ public:
+  ECKeyShare(int nid, uint16_t group_id) : nid_(nid), group_id_(group_id) {}
+  ~ECKeyShare() override {}
+
+  uint16_t GroupID() const override { return group_id_; }
+
+  bool Offer(CBB *out) override {
+    assert(!private_key_);
+    // Set up a shared |BN_CTX| for all operations.
+    UniquePtr<BN_CTX> bn_ctx(BN_CTX_new());
+    if (!bn_ctx) {
+      return false;
+    }
+    BN_CTXScope scope(bn_ctx.get());
+
+    // Generate a private key.
+    UniquePtr<EC_GROUP> group(EC_GROUP_new_by_curve_name(nid_));
+    private_key_.reset(BN_new());
+    if (!group || !private_key_ ||
+        !BN_rand_range_ex(private_key_.get(), 1,
+                          EC_GROUP_get0_order(group.get()))) {
+      return false;
+    }
+
+    // Compute the corresponding public key and serialize it.
+    UniquePtr<EC_POINT> public_key(EC_POINT_new(group.get()));
+    if (!public_key ||
+        !EC_POINT_mul(group.get(), public_key.get(), private_key_.get(), NULL,
+                      NULL, bn_ctx.get()) ||
+        !EC_POINT_point2cbb(out, group.get(), public_key.get(),
+                            POINT_CONVERSION_UNCOMPRESSED, bn_ctx.get())) {
+      return false;
+    }
+
+    return true;
+  }
+
+  bool Finish(Array<uint8_t> *out_secret, uint8_t *out_alert,
+              Span<const uint8_t> peer_key) override {
+    assert(private_key_);
+    *out_alert = SSL_AD_INTERNAL_ERROR;
+
+    // Set up a shared |BN_CTX| for all operations.
+    UniquePtr<BN_CTX> bn_ctx(BN_CTX_new());
+    if (!bn_ctx) {
+      return false;
+    }
+    BN_CTXScope scope(bn_ctx.get());
+
+    UniquePtr<EC_GROUP> group(EC_GROUP_new_by_curve_name(nid_));
+    if (!group) {
+      return false;
+    }
+
+    UniquePtr<EC_POINT> peer_point(EC_POINT_new(group.get()));
+    UniquePtr<EC_POINT> result(EC_POINT_new(group.get()));
+    BIGNUM *x = BN_CTX_get(bn_ctx.get());
+    if (!peer_point || !result || !x) {
+      return false;
+    }
+
+    if (!EC_POINT_oct2point(group.get(), peer_point.get(), peer_key.data(),
+                            peer_key.size(), bn_ctx.get())) {
+      *out_alert = SSL_AD_DECODE_ERROR;
+      return false;
+    }
+
+    // Compute the x-coordinate of |peer_key| * |private_key_|.
+    if (!EC_POINT_mul(group.get(), result.get(), NULL, peer_point.get(),
+                      private_key_.get(), bn_ctx.get()) ||
+        !EC_POINT_get_affine_coordinates_GFp(group.get(), result.get(), x, NULL,
+                                             bn_ctx.get())) {
+      return false;
+    }
+
+    // Encode the x-coordinate left-padded with zeros.
+    Array<uint8_t> secret;
+    if (!secret.Init((EC_GROUP_get_degree(group.get()) + 7) / 8) ||
+        !BN_bn2bin_padded(secret.data(), secret.size(), x)) {
+      return false;
+    }
+
+    *out_secret = std::move(secret);
+    return true;
+  }
+
+ private:
+  UniquePtr<BIGNUM> private_key_;
+  int nid_;
+  uint16_t group_id_;
+};
+
+class X25519KeyShare : public SSLKeyShare {
+ public:
+  X25519KeyShare() {}
+  ~X25519KeyShare() override {
+    OPENSSL_cleanse(private_key_, sizeof(private_key_));
+  }
+
+  uint16_t GroupID() const override { return SSL_CURVE_X25519; }
+
+  bool Offer(CBB *out) override {
+    uint8_t public_key[32];
+    X25519_keypair(public_key, private_key_);
+    return !!CBB_add_bytes(out, public_key, sizeof(public_key));
+  }
+
+  bool Finish(Array<uint8_t> *out_secret, uint8_t *out_alert,
+              Span<const uint8_t> peer_key) override {
+    *out_alert = SSL_AD_INTERNAL_ERROR;
+
+    Array<uint8_t> secret;
+    if (!secret.Init(32)) {
+      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
+      return false;
+    }
+
+    if (peer_key.size() != 32 ||
+        !X25519(secret.data(), private_key_, peer_key.data())) {
+      *out_alert = SSL_AD_DECODE_ERROR;
+      OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
+      return false;
+    }
+
+    *out_secret = std::move(secret);
+    return true;
+  }
+
+ private:
+  uint8_t private_key_[32];
+};
+
+CONSTEXPR_ARRAY struct {
+  int nid;
+  uint16_t group_id;
+  const char name[8];
+} kNamedGroups[] = {
+    {NID_secp224r1, SSL_CURVE_SECP224R1, "P-224"},
+    {NID_X9_62_prime256v1, SSL_CURVE_SECP256R1, "P-256"},
+    {NID_secp384r1, SSL_CURVE_SECP384R1, "P-384"},
+    {NID_secp521r1, SSL_CURVE_SECP521R1, "P-521"},
+    {NID_X25519, SSL_CURVE_X25519, "X25519"},
+};
+
+}  // namespace
+
+UniquePtr<SSLKeyShare> SSLKeyShare::Create(uint16_t group_id) {
+  switch (group_id) {
+    case SSL_CURVE_SECP224R1:
+      return UniquePtr<SSLKeyShare>(
+          New<ECKeyShare>(NID_secp224r1, SSL_CURVE_SECP224R1));
+    case SSL_CURVE_SECP256R1:
+      return UniquePtr<SSLKeyShare>(
+          New<ECKeyShare>(NID_X9_62_prime256v1, SSL_CURVE_SECP256R1));
+    case SSL_CURVE_SECP384R1:
+      return UniquePtr<SSLKeyShare>(
+          New<ECKeyShare>(NID_secp384r1, SSL_CURVE_SECP384R1));
+    case SSL_CURVE_SECP521R1:
+      return UniquePtr<SSLKeyShare>(
+          New<ECKeyShare>(NID_secp521r1, SSL_CURVE_SECP521R1));
+    case SSL_CURVE_X25519:
+      return UniquePtr<SSLKeyShare>(New<X25519KeyShare>());
+    default:
+      return nullptr;
+  }
+}
+
+bool SSLKeyShare::Accept(CBB *out_public_key, Array<uint8_t> *out_secret,
+                         uint8_t *out_alert, Span<const uint8_t> peer_key) {
+  *out_alert = SSL_AD_INTERNAL_ERROR;
+  return Offer(out_public_key) &&
+         Finish(out_secret, out_alert, peer_key);
+}
+
+int ssl_nid_to_group_id(uint16_t *out_group_id, int nid) {
+  for (const auto &group : kNamedGroups) {
+    if (group.nid == nid) {
+      *out_group_id = group.group_id;
+      return 1;
+    }
+  }
+  return 0;
+}
+
+int ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len) {
+  for (const auto &group : kNamedGroups) {
+    if (len == strlen(group.name) &&
+        !strncmp(group.name, name, len)) {
+      *out_group_id = group.group_id;
+      return 1;
+    }
+  }
+  return 0;
+}
+
+}  // namespace bssl
+
+using namespace bssl;
+
+const char* SSL_get_curve_name(uint16_t group_id) {
+  for (const auto &group : kNamedGroups) {
+    if (group.group_id == group_id) {
+      return group.name;
+    }
+  }
+  return nullptr;
+}

data/third_party/boringssl/ssl/{ssl_lib.c → ssl_lib.cc}

@@ -146,7 +146,6 @@
 
 #include <openssl/bytestring.h>
 #include <openssl/crypto.h>
-#include <openssl/dh.h>
 #include <openssl/err.h>
 #include <openssl/lhash.h>
 #include <openssl/mem.h>
@@ -163,22 +162,24 @@
 #endif
 
 
-/* |SSL_R_UNKNOWN_PROTOCOL| is no longer emitted, but continue to define it
- * to avoid downstream churn. */
+namespace bssl {
+
+// |SSL_R_UNKNOWN_PROTOCOL| is no longer emitted, but continue to define it
+// to avoid downstream churn.
 OPENSSL_DECLARE_ERROR_REASON(SSL, UNKNOWN_PROTOCOL)
 
-/* The following errors are no longer emitted, but are used in nginx without
- * #ifdefs. */
+// The following errors are no longer emitted, but are used in nginx without
+// #ifdefs.
 OPENSSL_DECLARE_ERROR_REASON(SSL, BLOCK_CIPHER_PAD_IS_WRONG)
 OPENSSL_DECLARE_ERROR_REASON(SSL, NO_CIPHERS_SPECIFIED)
 
-/* Some error codes are special. Ensure the make_errors.go script never
- * regresses this. */
-OPENSSL_COMPILE_ASSERT(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION ==
-                           SSL_AD_NO_RENEGOTIATION + SSL_AD_REASON_OFFSET,
-                       ssl_alert_reason_code_mismatch);
+// Some error codes are special. Ensure the make_errors.go script never
+// regresses this.
+static_assert(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION ==
+                  SSL_AD_NO_RENEGOTIATION + SSL_AD_REASON_OFFSET,
+              "alert reason code mismatch");
 
-/* kMaxHandshakeSize is the maximum size, in bytes, of a handshake message. */
+// kMaxHandshakeSize is the maximum size, in bytes, of a handshake message.
 static const size_t kMaxHandshakeSize = (1u << 24) - 1;
 
 static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl =
@@ -186,11 +187,253 @@ static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl =
 static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl_ctx =
     CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;
 
+bool CBBFinishArray(CBB *cbb, Array<uint8_t> *out) {
+  uint8_t *ptr;
+  size_t len;
+  if (!CBB_finish(cbb, &ptr, &len)) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+    return false;
+  }
+  out->Reset(ptr, len);
+  return true;
+}
+
+void ssl_reset_error_state(SSL *ssl) {
+  // Functions which use |SSL_get_error| must reset I/O and error state on
+  // entry.
+  ssl->rwstate = SSL_NOTHING;
+  ERR_clear_error();
+  ERR_clear_system_error();
+}
+
+int ssl_can_write(const SSL *ssl) {
+  return !SSL_in_init(ssl) || ssl->s3->hs->can_early_write;
+}
+
+int ssl_can_read(const SSL *ssl) {
+  return !SSL_in_init(ssl) || ssl->s3->hs->can_early_read;
+}
+
+void ssl_cipher_preference_list_free(
+    struct ssl_cipher_preference_list_st *cipher_list) {
+  if (cipher_list == NULL) {
+    return;
+  }
+  sk_SSL_CIPHER_free(cipher_list->ciphers);
+  OPENSSL_free(cipher_list->in_group_flags);
+  OPENSSL_free(cipher_list);
+}
+
+void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) {
+  SSL *const ssl = hs->ssl;
+  SSL_CTX *ctx = ssl->session_ctx;
+  // Never cache sessions with empty session IDs.
+  if (ssl->s3->established_session->session_id_length == 0 ||
+      ssl->s3->established_session->not_resumable ||
+      (ctx->session_cache_mode & mode) != mode) {
+    return;
+  }
+
+  // Clients never use the internal session cache.
+  int use_internal_cache = ssl->server && !(ctx->session_cache_mode &
+                                            SSL_SESS_CACHE_NO_INTERNAL_STORE);
+
+  // A client may see new sessions on abbreviated handshakes if the server
+  // decides to renew the ticket. Once the handshake is completed, it should be
+  // inserted into the cache.
+  if (ssl->s3->established_session != ssl->session ||
+      (!ssl->server && hs->ticket_expected)) {
+    if (use_internal_cache) {
+      SSL_CTX_add_session(ctx, ssl->s3->established_session);
+    }
+    if (ctx->new_session_cb != NULL) {
+      SSL_SESSION_up_ref(ssl->s3->established_session);
+      if (!ctx->new_session_cb(ssl, ssl->s3->established_session)) {
+        // |new_session_cb|'s return value signals whether it took ownership.
+        SSL_SESSION_free(ssl->s3->established_session);
+      }
+    }
+  }
+
+  if (use_internal_cache &&
+      !(ctx->session_cache_mode & SSL_SESS_CACHE_NO_AUTO_CLEAR)) {
+    // Automatically flush the internal session cache every 255 connections.
+    int flush_cache = 0;
+    CRYPTO_MUTEX_lock_write(&ctx->lock);
+    ctx->handshakes_since_cache_flush++;
+    if (ctx->handshakes_since_cache_flush >= 255) {
+      flush_cache = 1;
+      ctx->handshakes_since_cache_flush = 0;
+    }
+    CRYPTO_MUTEX_unlock_write(&ctx->lock);
+
+    if (flush_cache) {
+      struct OPENSSL_timeval now;
+      ssl_get_current_time(ssl, &now);
+      SSL_CTX_flush_sessions(ctx, now.tv_sec);
+    }
+  }
+}
+
+static int cbb_add_hex(CBB *cbb, const uint8_t *in, size_t in_len) {
+  static const char hextable[] = "0123456789abcdef";
+  uint8_t *out;
+
+  if (!CBB_add_space(cbb, &out, in_len * 2)) {
+    return 0;
+  }
+
+  for (size_t i = 0; i < in_len; i++) {
+    *(out++) = (uint8_t)hextable[in[i] >> 4];
+    *(out++) = (uint8_t)hextable[in[i] & 0xf];
+  }
+
+  return 1;
+}
+
+int ssl_log_secret(const SSL *ssl, const char *label, const uint8_t *secret,
+                   size_t secret_len) {
+  if (ssl->ctx->keylog_callback == NULL) {
+    return 1;
+  }
+
+  ScopedCBB cbb;
+  uint8_t *out;
+  size_t out_len;
+  if (!CBB_init(cbb.get(), strlen(label) + 1 + SSL3_RANDOM_SIZE * 2 + 1 +
+                          secret_len * 2 + 1) ||
+      !CBB_add_bytes(cbb.get(), (const uint8_t *)label, strlen(label)) ||
+      !CBB_add_bytes(cbb.get(), (const uint8_t *)" ", 1) ||
+      !cbb_add_hex(cbb.get(), ssl->s3->client_random, SSL3_RANDOM_SIZE) ||
+      !CBB_add_bytes(cbb.get(), (const uint8_t *)" ", 1) ||
+      !cbb_add_hex(cbb.get(), secret, secret_len) ||
+      !CBB_add_u8(cbb.get(), 0 /* NUL */) ||
+      !CBB_finish(cbb.get(), &out, &out_len)) {
+    return 0;
+  }
+
+  ssl->ctx->keylog_callback(ssl, (const char *)out);
+  OPENSSL_free(out);
+  return 1;
+}
+
+int ssl3_can_false_start(const SSL *ssl) {
+  const SSL_CIPHER *const cipher = SSL_get_current_cipher(ssl);
+
+  // False Start only for TLS 1.2 with an ECDHE+AEAD cipher and ALPN or NPN.
+  return !SSL_is_dtls(ssl) &&
+      SSL_version(ssl) == TLS1_2_VERSION &&
+      (ssl->s3->alpn_selected != NULL ||
+       ssl->s3->next_proto_negotiated != NULL) &&
+      cipher != NULL &&
+      cipher->algorithm_mkey == SSL_kECDHE &&
+      cipher->algorithm_mac == SSL_AEAD;
+}
+
+void ssl_do_info_callback(const SSL *ssl, int type, int value) {
+  void (*cb)(const SSL *ssl, int type, int value) = NULL;
+  if (ssl->info_callback != NULL) {
+    cb = ssl->info_callback;
+  } else if (ssl->ctx->info_callback != NULL) {
+    cb = ssl->ctx->info_callback;
+  }
+
+  if (cb != NULL) {
+    cb(ssl, type, value);
+  }
+}
+
+void ssl_do_msg_callback(SSL *ssl, int is_write, int content_type,
+                         Span<const uint8_t> in) {
+  if (ssl->msg_callback == NULL) {
+    return;
+  }
+
+  // |version| is zero when calling for |SSL3_RT_HEADER| and |SSL2_VERSION| for
+  // a V2ClientHello.
+  int version;
+  switch (content_type) {
+    case 0:
+      // V2ClientHello
+      version = SSL2_VERSION;
+      break;
+    case SSL3_RT_HEADER:
+      version = 0;
+      break;
+    default:
+      version = SSL_version(ssl);
+  }
+
+  ssl->msg_callback(is_write, version, content_type, in.data(), in.size(), ssl,
+                    ssl->msg_callback_arg);
+}
+
+void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock) {
+  // TODO(martinkr): Change callers to |ssl_ctx_get_current_time| and drop the
+  // |ssl| arg from |current_time_cb| if possible.
+  ssl_ctx_get_current_time(ssl->ctx, out_clock);
+}
+
+void ssl_ctx_get_current_time(const SSL_CTX *ctx,
+                              struct OPENSSL_timeval *out_clock) {
+  if (ctx->current_time_cb != NULL) {
+    // TODO(davidben): Update current_time_cb to use OPENSSL_timeval. See
+    // https://crbug.com/boringssl/155.
+    struct timeval clock;
+    ctx->current_time_cb(nullptr /* ssl */, &clock);
+    if (clock.tv_sec < 0) {
+      assert(0);
+      out_clock->tv_sec = 0;
+      out_clock->tv_usec = 0;
+    } else {
+      out_clock->tv_sec = (uint64_t)clock.tv_sec;
+      out_clock->tv_usec = (uint32_t)clock.tv_usec;
+    }
+    return;
+  }
+
+#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
+  out_clock->tv_sec = 1234;
+  out_clock->tv_usec = 1234;
+#elif defined(OPENSSL_WINDOWS)
+  struct _timeb time;
+  _ftime(&time);
+  if (time.time < 0) {
+    assert(0);
+    out_clock->tv_sec = 0;
+    out_clock->tv_usec = 0;
+  } else {
+    out_clock->tv_sec = time.time;
+    out_clock->tv_usec = time.millitm * 1000;
+  }
+#else
+  struct timeval clock;
+  gettimeofday(&clock, NULL);
+  if (clock.tv_sec < 0) {
+    assert(0);
+    out_clock->tv_sec = 0;
+    out_clock->tv_usec = 0;
+  } else {
+    out_clock->tv_sec = (uint64_t)clock.tv_sec;
+    out_clock->tv_usec = (uint32_t)clock.tv_usec;
+  }
+#endif
+}
+
+}  // namespace bssl
+
+using namespace bssl;
+
 int SSL_library_init(void) {
   CRYPTO_library_init();
   return 1;
 }
 
+int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) {
+  CRYPTO_library_init();
+  return 1;
+}
+
 static uint32_t ssl_session_hash(const SSL_SESSION *sess) {
   const uint8_t *session_id = sess->session_id;
 
@@ -210,11 +453,11 @@ static uint32_t ssl_session_hash(const SSL_SESSION *sess) {
   return hash;
 }
 
-/* NB: If this function (or indeed the hash function which uses a sort of
- * coarser function than this one) is changed, ensure
- * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
- * able to construct an SSL_SESSION that will collide with any existing session
- * with a matching session ID. */
+// NB: If this function (or indeed the hash function which uses a sort of
+// coarser function than this one) is changed, ensure
+// SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
+// able to construct an SSL_SESSION that will collide with any existing session
+// with a matching session ID.
 static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) {
   if (a->ssl_version != b->ssl_version) {
     return 1;
@@ -235,12 +478,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) {
     return NULL;
   }
 
-  if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
-    goto err;
-  }
-
-  ret = OPENSSL_malloc(sizeof(SSL_CTX));
+  ret = (SSL_CTX *)OPENSSL_malloc(sizeof(SSL_CTX));
   if (ret == NULL) {
     goto err;
   }
@@ -271,25 +509,16 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) {
   if (ret->sessions == NULL) {
     goto err;
   }
-  ret->cert_store = X509_STORE_new();
-  if (ret->cert_store == NULL) {
+
+  if (!ret->x509_method->ssl_ctx_new(ret)) {
     goto err;
   }
 
-  ssl_create_cipher_list(ret->method, &ret->cipher_list,
-                         SSL_DEFAULT_CIPHER_LIST, 1 /* strict */);
-  if (ret->cipher_list == NULL ||
-      sk_SSL_CIPHER_num(ret->cipher_list->ciphers) <= 0) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
+  if (!SSL_CTX_set_strict_cipher_list(ret, SSL_DEFAULT_CIPHER_LIST)) {
     goto err2;
   }
 
-  ret->param = X509_VERIFY_PARAM_new();
-  if (!ret->param) {
-    goto err;
-  }
-
-  ret->client_CA = sk_X509_NAME_new_null();
+  ret->client_CA = sk_CRYPTO_BUFFER_new_null();
   if (ret->client_CA == NULL) {
     goto err;
   }
@@ -298,21 +527,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) {
 
   ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
 
-  /* Setup RFC4507 ticket keys */
-  if (!RAND_bytes(ret->tlsext_tick_key_name, 16) ||
-      !RAND_bytes(ret->tlsext_tick_hmac_key, 16) ||
-      !RAND_bytes(ret->tlsext_tick_aes_key, 16)) {
-    ret->options |= SSL_OP_NO_TICKET;
-  }
-
-  /* Disable the auto-chaining feature by default. Once this has stuck without
-   * problems, the feature will be removed entirely. */
+  // Disable the auto-chaining feature by default. Once this has stuck without
+  // problems, the feature will be removed entirely.
   ret->mode = SSL_MODE_NO_AUTO_CHAIN;
 
-  /* Lock the SSL_CTX to the specified version, for compatibility with legacy
-   * uses of SSL_METHOD. */
+  // Lock the SSL_CTX to the specified version, for compatibility with legacy
+  // uses of SSL_METHOD, but we do not set the minimum version for
+  // |SSLv3_method|.
   if (!SSL_CTX_set_max_proto_version(ret, method->version) ||
-      !SSL_CTX_set_min_proto_version(ret, method->version)) {
+      !SSL_CTX_set_min_proto_version(ret, method->version == SSL3_VERSION
+                                              ? 0  // default
+                                              : method->version)) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
     goto err2;
   }
@@ -337,33 +562,34 @@ void SSL_CTX_free(SSL_CTX *ctx) {
     return;
   }
 
-  X509_VERIFY_PARAM_free(ctx->param);
-
-  /* Free internal session cache. However: the remove_cb() may reference the
-   * ex_data of SSL_CTX, thus the ex_data store can only be removed after the
-   * sessions were flushed. As the ex_data handling routines might also touch
-   * the session cache, the most secure solution seems to be: empty (flush) the
-   * cache, then free ex_data, then finally free the cache. (See ticket
-   * [openssl.org #212].) */
+  // Free internal session cache. However: the remove_cb() may reference the
+  // ex_data of SSL_CTX, thus the ex_data store can only be removed after the
+  // sessions were flushed. As the ex_data handling routines might also touch
+  // the session cache, the most secure solution seems to be: empty (flush) the
+  // cache, then free ex_data, then finally free the cache. (See ticket
+  // [openssl.org #212].)
   SSL_CTX_flush_sessions(ctx, 0);
 
   CRYPTO_free_ex_data(&g_ex_data_class_ssl_ctx, ctx, &ctx->ex_data);
 
   CRYPTO_MUTEX_cleanup(&ctx->lock);
   lh_SSL_SESSION_free(ctx->sessions);
-  X509_STORE_free(ctx->cert_store);
   ssl_cipher_preference_list_free(ctx->cipher_list);
   ssl_cert_free(ctx->cert);
   sk_SSL_CUSTOM_EXTENSION_pop_free(ctx->client_custom_extensions,
                                    SSL_CUSTOM_EXTENSION_free);
   sk_SSL_CUSTOM_EXTENSION_pop_free(ctx->server_custom_extensions,
                                    SSL_CUSTOM_EXTENSION_free);
-  sk_X509_NAME_pop_free(ctx->client_CA, X509_NAME_free);
+  sk_CRYPTO_BUFFER_pop_free(ctx->client_CA, CRYPTO_BUFFER_free);
+  ctx->x509_method->ssl_ctx_free(ctx);
   sk_SRTP_PROTECTION_PROFILE_free(ctx->srtp_profiles);
   OPENSSL_free(ctx->psk_identity_hint);
   OPENSSL_free(ctx->supported_group_list);
   OPENSSL_free(ctx->alpn_client_proto_list);
   EVP_PKEY_free(ctx->tlsext_channel_id_private);
+  OPENSSL_free(ctx->verify_sigalgs);
+  OPENSSL_free(ctx->tlsext_ticket_key_current);
+  OPENSSL_free(ctx->tlsext_ticket_key_prev);
 
   OPENSSL_free(ctx);
 }
@@ -378,17 +604,18 @@ SSL *SSL_new(SSL_CTX *ctx) {
     return NULL;
   }
 
-  SSL *ssl = OPENSSL_malloc(sizeof(SSL));
+  SSL *ssl = (SSL *)OPENSSL_malloc(sizeof(SSL));
   if (ssl == NULL) {
     goto err;
   }
   OPENSSL_memset(ssl, 0, sizeof(SSL));
 
-  ssl->min_version = ctx->min_version;
-  ssl->max_version = ctx->max_version;
+  ssl->conf_min_version = ctx->conf_min_version;
+  ssl->conf_max_version = ctx->conf_max_version;
+  ssl->tls13_variant = ctx->tls13_variant;
 
-  /* RFC 6347 states that implementations SHOULD use an initial timer value of
-   * 1 second. */
+  // RFC 6347 states that implementations SHOULD use an initial timer value of
+  // 1 second.
   ssl->initial_timeout_duration_ms = 1000;
 
   ssl->options = ctx->options;
@@ -404,25 +631,25 @@ SSL *SSL_new(SSL_CTX *ctx) {
   ssl->msg_callback_arg = ctx->msg_callback_arg;
   ssl->verify_mode = ctx->verify_mode;
   ssl->verify_callback = ctx->default_verify_callback;
+  ssl->custom_verify_callback = ctx->custom_verify_callback;
   ssl->retain_only_sha256_of_client_certs =
       ctx->retain_only_sha256_of_client_certs;
 
-  ssl->param = X509_VERIFY_PARAM_new();
-  if (!ssl->param) {
-    goto err;
-  }
-  X509_VERIFY_PARAM_inherit(ssl->param, ctx->param);
   ssl->quiet_shutdown = ctx->quiet_shutdown;
   ssl->max_send_fragment = ctx->max_send_fragment;
 
   SSL_CTX_up_ref(ctx);
   ssl->ctx = ctx;
   SSL_CTX_up_ref(ctx);
-  ssl->initial_ctx = ctx;
+  ssl->session_ctx = ctx;
+
+  if (!ssl->ctx->x509_method->ssl_new(ssl)) {
+    goto err;
+  }
 
   if (ctx->supported_group_list) {
-    ssl->supported_group_list = BUF_memdup(ctx->supported_group_list,
-                                           ctx->supported_group_list_len * 2);
+    ssl->supported_group_list = (uint16_t *)BUF_memdup(
+        ctx->supported_group_list, ctx->supported_group_list_len * 2);
     if (!ssl->supported_group_list) {
       goto err;
     }
@@ -430,8 +657,8 @@ SSL *SSL_new(SSL_CTX *ctx) {
   }
 
   if (ctx->alpn_client_proto_list) {
-    ssl->alpn_client_proto_list = BUF_memdup(ctx->alpn_client_proto_list,
-                                             ctx->alpn_client_proto_list_len);
+    ssl->alpn_client_proto_list = (uint8_t *)BUF_memdup(
+        ctx->alpn_client_proto_list, ctx->alpn_client_proto_list_len);
     if (ssl->alpn_client_proto_list == NULL) {
       goto err;
     }
@@ -481,7 +708,9 @@ void SSL_free(SSL *ssl) {
     return;
   }
 
-  X509_VERIFY_PARAM_free(ssl->param);
+  if (ssl->ctx != NULL) {
+    ssl->ctx->x509_method->ssl_free(ssl);
+  }
 
   CRYPTO_free_ex_data(&g_ex_data_class_ssl, ssl, &ssl->ex_data);
 
@@ -490,7 +719,7 @@ void SSL_free(SSL *ssl) {
 
   BUF_MEM_free(ssl->init_buf);
 
-  /* add extra stuff */
+  // add extra stuff
   ssl_cipher_preference_list_free(ssl->cipher_list);
 
   SSL_SESSION_free(ssl->session);
@@ -498,12 +727,12 @@ void SSL_free(SSL *ssl) {
   ssl_cert_free(ssl->cert);
 
   OPENSSL_free(ssl->tlsext_hostname);
-  SSL_CTX_free(ssl->initial_ctx);
+  SSL_CTX_free(ssl->session_ctx);
   OPENSSL_free(ssl->supported_group_list);
   OPENSSL_free(ssl->alpn_client_proto_list);
   EVP_PKEY_free(ssl->tlsext_channel_id_private);
   OPENSSL_free(ssl->psk_identity_hint);
-  sk_X509_NAME_pop_free(ssl->client_CA, X509_NAME_free);
+  sk_CRYPTO_BUFFER_pop_free(ssl->client_CA, CRYPTO_BUFFER_free);
   sk_SRTP_PROTECTION_PROFILE_free(ssl->srtp_profiles);
 
   if (ssl->method != NULL) {
@@ -516,12 +745,12 @@ void SSL_free(SSL *ssl) {
 
 void SSL_set_connect_state(SSL *ssl) {
   ssl->server = 0;
-  ssl->handshake_func = ssl3_connect;
+  ssl->do_handshake = ssl_client_handshake;
 }
 
 void SSL_set_accept_state(SSL *ssl) {
   ssl->server = 1;
-  ssl->handshake_func = ssl3_accept;
+  ssl->do_handshake = ssl_server_handshake;
 }
 
 void SSL_set0_rbio(SSL *ssl, BIO *rbio) {
@@ -535,35 +764,35 @@ void SSL_set0_wbio(SSL *ssl, BIO *wbio) {
 }
 
 void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) {
-  /* For historical reasons, this function has many different cases in ownership
-   * handling. */
+  // For historical reasons, this function has many different cases in ownership
+  // handling.
 
-  /* If nothing has changed, do nothing */
+  // If nothing has changed, do nothing
   if (rbio == SSL_get_rbio(ssl) && wbio == SSL_get_wbio(ssl)) {
     return;
   }
 
-  /* If the two arguments are equal, one fewer reference is granted than
-   * taken. */
+  // If the two arguments are equal, one fewer reference is granted than
+  // taken.
   if (rbio != NULL && rbio == wbio) {
     BIO_up_ref(rbio);
   }
 
-  /* If only the wbio is changed, adopt only one reference. */
+  // If only the wbio is changed, adopt only one reference.
   if (rbio == SSL_get_rbio(ssl)) {
     SSL_set0_wbio(ssl, wbio);
     return;
   }
 
-  /* There is an asymmetry here for historical reasons. If only the rbio is
-   * changed AND the rbio and wbio were originally different, then we only adopt
-   * one reference. */
+  // There is an asymmetry here for historical reasons. If only the rbio is
+  // changed AND the rbio and wbio were originally different, then we only adopt
+  // one reference.
   if (wbio == SSL_get_wbio(ssl) && SSL_get_rbio(ssl) != SSL_get_wbio(ssl)) {
     SSL_set0_rbio(ssl, rbio);
     return;
   }
 
-  /* Otherwise, adopt both references. */
+  // Otherwise, adopt both references.
   SSL_set0_rbio(ssl, rbio);
   SSL_set0_wbio(ssl, wbio);
 }
@@ -572,18 +801,10 @@ BIO *SSL_get_rbio(const SSL *ssl) { return ssl->rbio; }
 
 BIO *SSL_get_wbio(const SSL *ssl) { return ssl->wbio; }
 
-void ssl_reset_error_state(SSL *ssl) {
-  /* Functions which use |SSL_get_error| must reset I/O and error state on
-   * entry. */
-  ssl->rwstate = SSL_NOTHING;
-  ERR_clear_error();
-  ERR_clear_system_error();
-}
-
 int SSL_do_handshake(SSL *ssl) {
   ssl_reset_error_state(ssl);
 
-  if (ssl->handshake_func == NULL) {
+  if (ssl->do_handshake == NULL) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_TYPE_NOT_SET);
     return -1;
   }
@@ -592,20 +813,19 @@ int SSL_do_handshake(SSL *ssl) {
     return 1;
   }
 
-  if (ssl->s3->hs == NULL) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-    return -1;
-  }
+  // Run the handshake.
+  SSL_HANDSHAKE *hs = ssl->s3->hs;
 
-  /* Run the handshake. */
-  assert(ssl->s3->hs != NULL);
-  int ret = ssl->handshake_func(ssl->s3->hs);
+  bool early_return = false;
+  int ret = ssl_run_handshake(hs, &early_return);
+  ssl_do_info_callback(
+      ssl, ssl->server ? SSL_CB_ACCEPT_EXIT : SSL_CB_CONNECT_EXIT, ret);
   if (ret <= 0) {
     return ret;
   }
 
-  /* Destroy the handshake object if the handshake has completely finished. */
-  if (!SSL_in_init(ssl)) {
+  // Destroy the handshake object if the handshake has completely finished.
+  if (!early_return) {
     ssl_handshake_free(ssl->s3->hs);
     ssl->s3->hs = NULL;
   }
@@ -614,8 +834,8 @@ int SSL_do_handshake(SSL *ssl) {
 }
 
 int SSL_connect(SSL *ssl) {
-  if (ssl->handshake_func == NULL) {
-    /* Not properly initialized yet */
+  if (ssl->do_handshake == NULL) {
+    // Not properly initialized yet
     SSL_set_connect_state(ssl);
   }
 
@@ -623,24 +843,27 @@ int SSL_connect(SSL *ssl) {
 }
 
 int SSL_accept(SSL *ssl) {
-  if (ssl->handshake_func == NULL) {
-    /* Not properly initialized yet */
+  if (ssl->do_handshake == NULL) {
+    // Not properly initialized yet
     SSL_set_accept_state(ssl);
   }
 
   return SSL_do_handshake(ssl);
 }
 
-static int ssl_do_renegotiate(SSL *ssl) {
-  /* We do not accept renegotiations as a server or SSL 3.0. SSL 3.0 will be
-   * removed entirely in the future and requires retaining more data for
-   * renegotiation_info. */
+static int ssl_do_post_handshake(SSL *ssl, const SSLMessage &msg) {
+  if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
+    return tls13_post_handshake(ssl, msg);
+  }
+
+  // We do not accept renegotiations as a server or SSL 3.0. SSL 3.0 will be
+  // removed entirely in the future and requires retaining more data for
+  // renegotiation_info.
   if (ssl->server || ssl->version == SSL3_VERSION) {
     goto no_renegotiation;
   }
 
-  if (ssl->s3->tmp.message_type != SSL3_MT_HELLO_REQUEST ||
-      ssl->init_num != 0) {
+  if (msg.type != SSL3_MT_HELLO_REQUEST || CBS_len(&msg.body) != 0) {
     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
     OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_HELLO_REQUEST);
     return 0;
@@ -648,7 +871,7 @@ static int ssl_do_renegotiate(SSL *ssl) {
 
   switch (ssl->renegotiate_mode) {
     case ssl_renegotiate_ignore:
-      /* Ignore the HelloRequest. */
+      // Ignore the HelloRequest.
       return 1;
 
     case ssl_renegotiate_once:
@@ -664,15 +887,15 @@ static int ssl_do_renegotiate(SSL *ssl) {
       break;
   }
 
-  /* Renegotiation is only supported at quiescent points in the application
-   * protocol, namely in HTTPS, just before reading the HTTP response. Require
-   * the record-layer be idle and avoid complexities of sending a handshake
-   * record while an application_data record is being written. */
+  // Renegotiation is only supported at quiescent points in the application
+  // protocol, namely in HTTPS, just before reading the HTTP response. Require
+  // the record-layer be idle and avoid complexities of sending a handshake
+  // record while an application_data record is being written.
   if (ssl_write_buffer_is_pending(ssl)) {
     goto no_renegotiation;
   }
 
-  /* Begin a new handshake. */
+  // Begin a new handshake.
   if (ssl->s3->hs != NULL) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
     return 0;
@@ -691,27 +914,19 @@ no_renegotiation:
   return 0;
 }
 
-static int ssl_do_post_handshake(SSL *ssl) {
-  if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
-    return ssl_do_renegotiate(ssl);
-  }
-
-  return tls13_post_handshake(ssl);
-}
-
 static int ssl_read_impl(SSL *ssl, void *buf, int num, int peek) {
   ssl_reset_error_state(ssl);
 
-  if (ssl->handshake_func == NULL) {
+  if (ssl->do_handshake == NULL) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
     return -1;
   }
 
   for (;;) {
-    /* Complete the current handshake, if any. False Start will cause
-     * |SSL_do_handshake| to return mid-handshake, so this may require multiple
-     * iterations. */
-    while (SSL_in_init(ssl)) {
+    // Complete the current handshake, if any. False Start will cause
+    // |SSL_do_handshake| to return mid-handshake, so this may require multiple
+    // iterations.
+    while (!ssl_can_read(ssl)) {
       int ret = SSL_do_handshake(ssl);
       if (ret < 0) {
         return ret;
@@ -722,18 +937,28 @@ static int ssl_read_impl(SSL *ssl, void *buf, int num, int peek) {
       }
     }
 
-    int got_handshake;
-    int ret = ssl->method->read_app_data(ssl, &got_handshake, buf, num, peek);
+    bool got_handshake = false;
+    int ret = ssl->method->read_app_data(ssl, &got_handshake, (uint8_t *)buf,
+                                         num, peek);
     if (ret > 0 || !got_handshake) {
       ssl->s3->key_update_count = 0;
       return ret;
     }
 
-    /* Handle the post-handshake message and try again. */
-    if (!ssl_do_post_handshake(ssl)) {
-      return -1;
+    // If we received an interrupt in early read (the end_of_early_data alert),
+    // loop again for the handshake to process it.
+    if (SSL_in_init(ssl)) {
+      continue;
+    }
+
+    SSLMessage msg;
+    while (ssl->method->get_message(ssl, &msg)) {
+      // Handle the post-handshake message and try again.
+      if (!ssl_do_post_handshake(ssl, msg)) {
+        return -1;
+      }
+      ssl->method->next_message(ssl);
     }
-    ssl->method->release_current_message(ssl, 1 /* free buffer */);
   }
 }
 
@@ -748,84 +973,90 @@ int SSL_peek(SSL *ssl, void *buf, int num) {
 int SSL_write(SSL *ssl, const void *buf, int num) {
   ssl_reset_error_state(ssl);
 
-  if (ssl->handshake_func == NULL) {
+  if (ssl->do_handshake == NULL) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
     return -1;
   }
 
-  if (ssl->s3->send_shutdown != ssl_shutdown_none) {
+  if (ssl->s3->write_shutdown != ssl_shutdown_none) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
     return -1;
   }
 
-  /* If necessary, complete the handshake implicitly. */
-  if (SSL_in_init(ssl) && !SSL_in_false_start(ssl)) {
-    int ret = SSL_do_handshake(ssl);
-    if (ret < 0) {
-      return ret;
-    }
-    if (ret == 0) {
-      OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
-      return -1;
+  int ret = 0;
+  bool needs_handshake = false;
+  do {
+    // If necessary, complete the handshake implicitly.
+    if (!ssl_can_write(ssl)) {
+      ret = SSL_do_handshake(ssl);
+      if (ret < 0) {
+        return ret;
+      }
+      if (ret == 0) {
+        OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
+        return -1;
+      }
     }
-  }
 
-  return ssl->method->write_app_data(ssl, buf, num);
+    ret = ssl->method->write_app_data(ssl, &needs_handshake,
+                                      (const uint8_t *)buf, num);
+  } while (needs_handshake);
+  return ret;
 }
 
 int SSL_shutdown(SSL *ssl) {
   ssl_reset_error_state(ssl);
 
-  if (ssl->handshake_func == NULL) {
+  if (ssl->do_handshake == NULL) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
     return -1;
   }
 
-  /* If we are in the middle of a handshake, silently succeed. Consumers often
-   * call this function before |SSL_free|, whether the handshake succeeded or
-   * not. We assume the caller has already handled failed handshakes. */
+  // If we are in the middle of a handshake, silently succeed. Consumers often
+  // call this function before |SSL_free|, whether the handshake succeeded or
+  // not. We assume the caller has already handled failed handshakes.
   if (SSL_in_init(ssl)) {
     return 1;
   }
 
   if (ssl->quiet_shutdown) {
-    /* Do nothing if configured not to send a close_notify. */
-    ssl->s3->send_shutdown = ssl_shutdown_close_notify;
-    ssl->s3->recv_shutdown = ssl_shutdown_close_notify;
+    // Do nothing if configured not to send a close_notify.
+    ssl->s3->write_shutdown = ssl_shutdown_close_notify;
+    ssl->s3->read_shutdown = ssl_shutdown_close_notify;
     return 1;
   }
 
-  /* This function completes in two stages. It sends a close_notify and then it
-   * waits for a close_notify to come in. Perform exactly one action and return
-   * whether or not it succeeds. */
+  // This function completes in two stages. It sends a close_notify and then it
+  // waits for a close_notify to come in. Perform exactly one action and return
+  // whether or not it succeeds.
 
-  if (ssl->s3->send_shutdown != ssl_shutdown_close_notify) {
-    /* Send a close_notify. */
+  if (ssl->s3->write_shutdown != ssl_shutdown_close_notify) {
+    // Send a close_notify.
     if (ssl3_send_alert(ssl, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY) <= 0) {
       return -1;
     }
   } else if (ssl->s3->alert_dispatch) {
-    /* Finish sending the close_notify. */
+    // Finish sending the close_notify.
     if (ssl->method->dispatch_alert(ssl) <= 0) {
       return -1;
     }
-  } else if (ssl->s3->recv_shutdown != ssl_shutdown_close_notify) {
-    /* Wait for the peer's close_notify. */
+  } else if (ssl->s3->read_shutdown != ssl_shutdown_close_notify) {
+    // Wait for the peer's close_notify.
     ssl->method->read_close_notify(ssl);
-    if (ssl->s3->recv_shutdown != ssl_shutdown_close_notify) {
+    if (ssl->s3->read_shutdown != ssl_shutdown_close_notify) {
       return -1;
     }
   }
 
-  /* Return 0 for unidirectional shutdown and 1 for bidirectional shutdown. */
-  return ssl->s3->recv_shutdown == ssl_shutdown_close_notify;
+  // Return 0 for unidirectional shutdown and 1 for bidirectional shutdown.
+  return ssl->s3->read_shutdown == ssl_shutdown_close_notify;
 }
 
 int SSL_send_fatal_alert(SSL *ssl, uint8_t alert) {
   if (ssl->s3->alert_dispatch) {
     if (ssl->s3->send_alert[0] != SSL3_AL_FATAL ||
         ssl->s3->send_alert[1] != alert) {
-      /* We are already attempting to write a different alert. */
+      // We are already attempting to write a different alert.
       OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
       return -1;
     }
@@ -836,7 +1067,47 @@ int SSL_send_fatal_alert(SSL *ssl, uint8_t alert) {
 }
 
 void SSL_CTX_set_early_data_enabled(SSL_CTX *ctx, int enabled) {
-  ctx->enable_early_data = !!enabled;
+  ctx->cert->enable_early_data = !!enabled;
+}
+
+void SSL_CTX_set_tls13_variant(SSL_CTX *ctx, enum tls13_variant_t variant) {
+  ctx->tls13_variant = variant;
+}
+
+void SSL_set_tls13_variant(SSL *ssl, enum tls13_variant_t variant) {
+  ssl->tls13_variant = variant;
+}
+
+void SSL_set_early_data_enabled(SSL *ssl, int enabled) {
+  ssl->cert->enable_early_data = !!enabled;
+}
+
+int SSL_in_early_data(const SSL *ssl) {
+  if (ssl->s3->hs == NULL) {
+    return 0;
+  }
+  return ssl->s3->hs->in_early_data;
+}
+
+int SSL_early_data_accepted(const SSL *ssl) {
+  return ssl->early_data_accepted;
+}
+
+void SSL_reset_early_data_reject(SSL *ssl) {
+  SSL_HANDSHAKE *hs = ssl->s3->hs;
+  if (hs == NULL ||
+      hs->wait != ssl_hs_early_data_rejected) {
+    abort();
+  }
+
+  hs->wait = ssl_hs_ok;
+  hs->in_early_data = false;
+  hs->early_session.reset();
+
+  // Discard any unfinished writes from the perspective of |SSL_write|'s
+  // retry. The handshake will transparently flush out the pending record
+  // (discarded by the server) to keep the framing correct.
+  ssl->s3->wpend_pending = false;
 }
 
 static int bio_retry_reason_to_error(int reason) {
@@ -855,8 +1126,8 @@ int SSL_get_error(const SSL *ssl, int ret_code) {
     return SSL_ERROR_NONE;
   }
 
-  /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc,
-   * where we do encode the error */
+  // Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc,
+  // where we do encode the error
   uint32_t err = ERR_peek_error();
   if (err != 0) {
     if (ERR_GET_LIB(err) == ERR_LIB_SYS) {
@@ -866,12 +1137,12 @@ int SSL_get_error(const SSL *ssl, int ret_code) {
   }
 
   if (ret_code == 0) {
-    if (ssl->s3->recv_shutdown == ssl_shutdown_close_notify) {
+    if (ssl->s3->read_shutdown == ssl_shutdown_close_notify) {
       return SSL_ERROR_ZERO_RETURN;
     }
-    /* An EOF was observed which violates the protocol, and the underlying
-     * transport does not participate in the error queue. Bubble up to the
-     * caller. */
+    // An EOF was observed which violates the protocol, and the underlying
+    // transport does not participate in the error queue. Bubble up to the
+    // caller.
     return SSL_ERROR_SYSCALL;
   }
 
@@ -889,8 +1160,8 @@ int SSL_get_error(const SSL *ssl, int ret_code) {
       }
 
       if (BIO_should_write(bio)) {
-        /* TODO(davidben): OpenSSL historically checked for writes on the read
-         * BIO. Can this be removed? */
+        // TODO(davidben): OpenSSL historically checked for writes on the read
+        // BIO. Can this be removed?
         return SSL_ERROR_WANT_WRITE;
       }
 
@@ -908,8 +1179,8 @@ int SSL_get_error(const SSL *ssl, int ret_code) {
       }
 
       if (BIO_should_read(bio)) {
-        /* TODO(davidben): OpenSSL historically checked for reads on the write
-         * BIO. Can this be removed? */
+        // TODO(davidben): OpenSSL historically checked for reads on the write
+        // BIO. Can this be removed?
         return SSL_ERROR_WANT_READ;
       }
 
@@ -928,57 +1199,18 @@ int SSL_get_error(const SSL *ssl, int ret_code) {
 
     case SSL_PRIVATE_KEY_OPERATION:
       return SSL_ERROR_WANT_PRIVATE_KEY_OPERATION;
-  }
-
-  return SSL_ERROR_SYSCALL;
-}
-
-static int set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
-                           uint16_t version) {
-  if (version == 0) {
-    *out = method->min_version;
-    return 1;
-  }
 
-  if (version == TLS1_3_VERSION) {
-    version = TLS1_3_DRAFT_VERSION;
-  }
-
-  return method->version_from_wire(out, version);
-}
+    case SSL_PENDING_TICKET:
+      return SSL_ERROR_PENDING_TICKET;
 
-static int set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
-                           uint16_t version) {
-  if (version == 0) {
-    *out = method->max_version;
-    /* TODO(svaldez): Enable TLS 1.3 by default once fully implemented. */
-    if (*out > TLS1_2_VERSION) {
-      *out = TLS1_2_VERSION;
-    }
-    return 1;
-  }
+    case SSL_EARLY_DATA_REJECTED:
+      return SSL_ERROR_EARLY_DATA_REJECTED;
 
-  if (version == TLS1_3_VERSION) {
-    version = TLS1_3_DRAFT_VERSION;
+    case SSL_CERTIFICATE_VERIFY:
+      return SSL_ERROR_WANT_CERTIFICATE_VERIFY;
   }
 
-  return method->version_from_wire(out, version);
-}
-
-int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) {
-  return set_min_version(ctx->method, &ctx->min_version, version);
-}
-
-int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) {
-  return set_max_version(ctx->method, &ctx->max_version, version);
-}
-
-int SSL_set_min_proto_version(SSL *ssl, uint16_t version) {
-  return set_min_version(ssl->method, &ssl->min_version, version);
-}
-
-int SSL_set_max_proto_version(SSL *ssl, uint16_t version) {
-  return set_max_version(ssl->method, &ssl->max_version, version);
+  return SSL_ERROR_SYSCALL;
 }
 
 uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options) {
@@ -1035,22 +1267,25 @@ void SSL_CTX_set0_buffer_pool(SSL_CTX *ctx, CRYPTO_BUFFER_POOL *pool) {
 
 int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,
                        size_t max_out) {
-  /* tls-unique is not defined for SSL 3.0 or TLS 1.3. */
+  *out_len = 0;
+  OPENSSL_memset(out, 0, max_out);
+
+  // tls-unique is not defined for SSL 3.0 or TLS 1.3.
   if (!ssl->s3->initial_handshake_complete ||
       ssl3_protocol_version(ssl) < TLS1_VERSION ||
       ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
-    goto err;
+    return 0;
   }
 
-  /* The tls-unique value is the first Finished message in the handshake, which
-   * is the client's in a full handshake and the server's for a resumption. See
-   * https://tools.ietf.org/html/rfc5929#section-3.1. */
+  // The tls-unique value is the first Finished message in the handshake, which
+  // is the client's in a full handshake and the server's for a resumption. See
+  // https://tools.ietf.org/html/rfc5929#section-3.1.
   const uint8_t *finished = ssl->s3->previous_client_finished;
   size_t finished_len = ssl->s3->previous_client_finished_len;
   if (ssl->session != NULL) {
-    /* tls-unique is broken for resumed sessions unless EMS is used. */
+    // tls-unique is broken for resumed sessions unless EMS is used.
     if (!ssl->session->extended_master_secret) {
-      goto err;
+      return 0;
     }
     finished = ssl->s3->previous_server_finished;
     finished_len = ssl->s3->previous_server_finished_len;
@@ -1063,11 +1298,6 @@ int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,
 
   OPENSSL_memcpy(out, finished, *out_len);
   return 1;
-
-err:
-  *out_len = 0;
-  OPENSSL_memset(out, 0, max_out);
-  return 0;
 }
 
 static int set_session_id_context(CERT *cert, const uint8_t *sid_ctx,
@@ -1077,7 +1307,7 @@ static int set_session_id_context(CERT *cert, const uint8_t *sid_ctx,
     return 0;
   }
 
-  OPENSSL_COMPILE_ASSERT(sizeof(cert->sid_ctx) < 256, sid_ctx_too_large);
+  static_assert(sizeof(cert->sid_ctx) < 256, "sid_ctx too large");
   cert->sid_ctx_length = (uint8_t)sid_ctx_len;
   OPENSSL_memcpy(cert->sid_ctx, sid_ctx, sid_ctx_len);
   return 1;
@@ -1098,16 +1328,6 @@ const uint8_t *SSL_get0_session_id_context(const SSL *ssl, size_t *out_len) {
   return ssl->cert->sid_ctx;
 }
 
-void ssl_cipher_preference_list_free(
-    struct ssl_cipher_preference_list_st *cipher_list) {
-  if (cipher_list == NULL) {
-    return;
-  }
-  sk_SSL_CIPHER_free(cipher_list->ciphers);
-  OPENSSL_free(cipher_list->in_group_flags);
-  OPENSSL_free(cipher_list);
-}
-
 void SSL_certs_clear(SSL *ssl) { ssl_cert_clear_certs(ssl->cert); }
 
 int SSL_get_fd(const SSL *ssl) { return SSL_get_rfd(ssl); }
@@ -1153,7 +1373,7 @@ int SSL_set_wfd(SSL *ssl, int fd) {
     BIO_set_fd(bio, fd, BIO_NOCLOSE);
     SSL_set0_wbio(ssl, bio);
   } else {
-    /* Copy the rbio over to the wbio. */
+    // Copy the rbio over to the wbio.
     BIO_up_ref(rbio);
     SSL_set0_wbio(ssl, rbio);
   }
@@ -1173,7 +1393,7 @@ int SSL_set_rfd(SSL *ssl, int fd) {
     BIO_set_fd(bio, fd, BIO_NOCLOSE);
     SSL_set0_rbio(ssl, bio);
   } else {
-    /* Copy the wbio over to the rbio. */
+    // Copy the wbio over to the rbio.
     BIO_up_ref(wbio);
     SSL_set0_rbio(ssl, wbio);
   }
@@ -1224,8 +1444,8 @@ size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) {
 int SSL_get_verify_mode(const SSL *ssl) { return ssl->verify_mode; }
 
 int SSL_get_extms_support(const SSL *ssl) {
-  /* TLS 1.3 does not require extended master secret and always reports as
-   * supporting it. */
+  // TLS 1.3 does not require extended master secret and always reports as
+  // supporting it.
   if (!ssl->s3->have_version) {
     return 0;
   }
@@ -1233,12 +1453,12 @@ int SSL_get_extms_support(const SSL *ssl) {
     return 1;
   }
 
-  /* If the initial handshake completed, query the established session. */
+  // If the initial handshake completed, query the established session.
   if (ssl->s3->established_session != NULL) {
     return ssl->s3->established_session->extended_master_secret;
   }
 
-  /* Otherwise, query the in-progress handshake. */
+  // Otherwise, query the in-progress handshake.
   if (ssl->s3->hs != NULL) {
     return ssl->s3->hs->extended_master_secret;
   }
@@ -1261,12 +1481,12 @@ int SSL_pending(const SSL *ssl) {
   return ssl->s3->rrec.length;
 }
 
-/* Fix this so it checks all the valid key/cert options */
+// Fix this so it checks all the valid key/cert options
 int SSL_CTX_check_private_key(const SSL_CTX *ctx) {
   return ssl_cert_check_private_key(ctx->cert, ctx->cert->privatekey);
 }
 
-/* Fix this function so that it takes an optional type parameter */
+// Fix this function so that it takes an optional type parameter
 int SSL_check_private_key(const SSL *ssl) {
   return ssl_cert_check_private_key(ssl->cert, ssl->cert->privatekey);
 }
@@ -1276,7 +1496,7 @@ long SSL_get_default_timeout(const SSL *ssl) {
 }
 
 int SSL_renegotiate(SSL *ssl) {
-  /* Caller-initiated renegotiation is not supported. */
+  // Caller-initiated renegotiation is not supported.
   OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
   return 0;
 }
@@ -1351,9 +1571,8 @@ int SSL_get_secure_renegotiation_support(const SSL *ssl) {
          ssl->s3->send_connection_binding;
 }
 
-LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx) { return ctx->sessions; }
-
 size_t SSL_CTX_sess_number(const SSL_CTX *ctx) {
+  MutexReadLock lock(const_cast<CRYPTO_MUTEX *>(&ctx->lock));
   return lh_SSL_SESSION_num_items(ctx->sessions);
 }
 
@@ -1386,10 +1605,18 @@ int SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, void *out, size_t len) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH);
     return 0;
   }
-  uint8_t *out_bytes = out;
-  OPENSSL_memcpy(out_bytes, ctx->tlsext_tick_key_name, 16);
-  OPENSSL_memcpy(out_bytes + 16, ctx->tlsext_tick_hmac_key, 16);
-  OPENSSL_memcpy(out_bytes + 32, ctx->tlsext_tick_aes_key, 16);
+
+  // The default ticket keys are initialized lazily. Trigger a key
+  // rotation to initialize them.
+  if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) {
+    return 0;
+  }
+
+  uint8_t *out_bytes = reinterpret_cast<uint8_t *>(out);
+  MutexReadLock lock(&ctx->lock);
+  OPENSSL_memcpy(out_bytes, ctx->tlsext_ticket_key_current->name, 16);
+  OPENSSL_memcpy(out_bytes + 16, ctx->tlsext_ticket_key_current->hmac_key, 16);
+  OPENSSL_memcpy(out_bytes + 32, ctx->tlsext_ticket_key_current->aes_key, 16);
   return 1;
 }
 
@@ -1401,10 +1628,22 @@ int SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, const void *in, size_t len) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH);
     return 0;
   }
-  const uint8_t *in_bytes = in;
-  OPENSSL_memcpy(ctx->tlsext_tick_key_name, in_bytes, 16);
-  OPENSSL_memcpy(ctx->tlsext_tick_hmac_key, in_bytes + 16, 16);
-  OPENSSL_memcpy(ctx->tlsext_tick_aes_key, in_bytes + 32, 16);
+  if (!ctx->tlsext_ticket_key_current) {
+    ctx->tlsext_ticket_key_current =
+        (tlsext_ticket_key *)OPENSSL_malloc(sizeof(tlsext_ticket_key));
+    if (!ctx->tlsext_ticket_key_current) {
+      return 0;
+    }
+  }
+  OPENSSL_memset(ctx->tlsext_ticket_key_current, 0, sizeof(tlsext_ticket_key));
+  const uint8_t *in_bytes = reinterpret_cast<const uint8_t *>(in);
+  OPENSSL_memcpy(ctx->tlsext_ticket_key_current->name, in_bytes, 16);
+  OPENSSL_memcpy(ctx->tlsext_ticket_key_current->hmac_key, in_bytes + 16, 16);
+  OPENSSL_memcpy(ctx->tlsext_ticket_key_current->aes_key, in_bytes + 32, 16);
+  OPENSSL_free(ctx->tlsext_ticket_key_prev);
+  ctx->tlsext_ticket_key_prev = nullptr;
+  // Disable automatic key rotation.
+  ctx->tlsext_ticket_key_current->next_rotation_tv_sec = 0;
   return 1;
 }
 
@@ -1439,8 +1678,8 @@ int SSL_set1_curves_list(SSL *ssl, const char *curves) {
 }
 
 uint16_t SSL_get_curve_id(const SSL *ssl) {
-  /* TODO(davidben): This checks the wrong session if there is a renegotiation in
-   * progress. */
+  // TODO(davidben): This checks the wrong session if there is a renegotiation
+  // in progress.
   SSL_SESSION *session = SSL_get_session(ssl);
   if (session == NULL) {
     return 0;
@@ -1450,23 +1689,22 @@ uint16_t SSL_get_curve_id(const SSL *ssl) {
 }
 
 int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh) {
-  DH_free(ctx->cert->dh_tmp);
-  ctx->cert->dh_tmp = DHparams_dup(dh);
-  if (ctx->cert->dh_tmp == NULL) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_DH_LIB);
-    return 0;
-  }
   return 1;
 }
 
 int SSL_set_tmp_dh(SSL *ssl, const DH *dh) {
-  DH_free(ssl->cert->dh_tmp);
-  ssl->cert->dh_tmp = DHparams_dup(dh);
-  if (ssl->cert->dh_tmp == NULL) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_DH_LIB);
+  return 1;
+}
+
+STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx) {
+  return ctx->cipher_list->ciphers;
+}
+
+int SSL_CTX_cipher_in_group(const SSL_CTX *ctx, size_t i) {
+  if (i >= sk_SSL_CIPHER_num(ctx->cipher_list->ciphers)) {
     return 0;
   }
-  return 1;
+  return ctx->cipher_list->in_group_flags[i];
 }
 
 STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl) {
@@ -1484,19 +1722,16 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl) {
 }
 
 const char *SSL_get_cipher_list(const SSL *ssl, int n) {
-  const SSL_CIPHER *c;
-  STACK_OF(SSL_CIPHER) *sk;
-
   if (ssl == NULL) {
     return NULL;
   }
 
-  sk = SSL_get_ciphers(ssl);
+  STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
   if (sk == NULL || n < 0 || (size_t)n >= sk_SSL_CIPHER_num(sk)) {
     return NULL;
   }
 
-  c = sk_SSL_CIPHER_value(sk, n);
+  const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, n);
   if (c == NULL) {
     return NULL;
   }
@@ -1505,71 +1740,23 @@ const char *SSL_get_cipher_list(const SSL *ssl, int n) {
 }
 
 int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) {
-  STACK_OF(SSL_CIPHER) *cipher_list =
-      ssl_create_cipher_list(ctx->method, &ctx->cipher_list, str,
-                             0 /* not strict */);
-  if (cipher_list == NULL) {
-    return 0;
-  }
-
-  /* |ssl_create_cipher_list| may succeed but return an empty cipher list. */
-  if (sk_SSL_CIPHER_num(cipher_list) == 0) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH);
-    return 0;
-  }
-
-  return 1;
+  return ssl_create_cipher_list(ctx->method, &ctx->cipher_list, str,
+                                false /* not strict */);
 }
 
 int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx, const char *str) {
-  STACK_OF(SSL_CIPHER) *cipher_list =
-      ssl_create_cipher_list(ctx->method, &ctx->cipher_list, str,
-                             1 /* strict */);
-  if (cipher_list == NULL) {
-    return 0;
-  }
-
-  /* |ssl_create_cipher_list| may succeed but return an empty cipher list. */
-  if (sk_SSL_CIPHER_num(cipher_list) == 0) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH);
-    return 0;
-  }
-
-  return 1;
+  return ssl_create_cipher_list(ctx->method, &ctx->cipher_list, str,
+                                true /* strict */);
 }
 
 int SSL_set_cipher_list(SSL *ssl, const char *str) {
-  STACK_OF(SSL_CIPHER) *cipher_list =
-      ssl_create_cipher_list(ssl->ctx->method, &ssl->cipher_list, str,
-                             0 /* not strict */);
-  if (cipher_list == NULL) {
-    return 0;
-  }
-
-  /* |ssl_create_cipher_list| may succeed but return an empty cipher list. */
-  if (sk_SSL_CIPHER_num(cipher_list) == 0) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH);
-    return 0;
-  }
-
-  return 1;
+  return ssl_create_cipher_list(ssl->ctx->method, &ssl->cipher_list, str,
+                                false /* not strict */);
 }
 
-int SSL_set_strict_cipher_list(SSL *ssl, const char *str) {
-  STACK_OF(SSL_CIPHER) *cipher_list =
-      ssl_create_cipher_list(ssl->ctx->method, &ssl->cipher_list, str,
-                             1 /* strict */);
-  if (cipher_list == NULL) {
-    return 0;
-  }
-
-  /* |ssl_create_cipher_list| may succeed but return an empty cipher list. */
-  if (sk_SSL_CIPHER_num(cipher_list) == 0) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH);
-    return 0;
-  }
-
-  return 1;
+int SSL_set_strict_cipher_list(SSL *ssl, const char *str) {
+  return ssl_create_cipher_list(ssl->ctx->method, &ssl->cipher_list, str,
+                                true /* strict */);
 }
 
 const char *SSL_get_servername(const SSL *ssl, const int type) {
@@ -1577,36 +1764,36 @@ const char *SSL_get_servername(const SSL *ssl, const int type) {
     return NULL;
   }
 
-  /* Historically, |SSL_get_servername| was also the configuration getter
-   * corresponding to |SSL_set_tlsext_host_name|. */
+  // Historically, |SSL_get_servername| was also the configuration getter
+  // corresponding to |SSL_set_tlsext_host_name|.
   if (ssl->tlsext_hostname != NULL) {
     return ssl->tlsext_hostname;
   }
 
-  /* During the handshake, report the handshake value. */
-  if (ssl->s3->hs != NULL) {
-    return ssl->s3->hs->hostname;
-  }
-
-  /* SSL_get_servername may also be called after the handshake to look up the
-   * SNI value.
-   *
-   * TODO(davidben): This is almost unused. Can we remove it? */
-  SSL_SESSION *session = SSL_get_session(ssl);
-  if (session == NULL) {
-    return NULL;
-  }
-  return session->tlsext_hostname;
+  return ssl->s3->hostname;
 }
 
 int SSL_get_servername_type(const SSL *ssl) {
-  SSL_SESSION *session = SSL_get_session(ssl);
-  if (session == NULL || session->tlsext_hostname == NULL) {
+  if (SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name) == NULL) {
     return -1;
   }
   return TLSEXT_NAMETYPE_host_name;
 }
 
+void SSL_CTX_set_custom_verify(
+    SSL_CTX *ctx, int mode,
+    enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert)) {
+  ctx->verify_mode = mode;
+  ctx->custom_verify_callback = callback;
+}
+
+void SSL_set_custom_verify(
+    SSL *ssl, int mode,
+    enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert)) {
+  ssl->verify_mode = mode;
+  ssl->custom_verify_callback = callback;
+}
+
 void SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx) {
   ctx->signed_cert_timestamps_enabled = 1;
 }
@@ -1626,28 +1813,27 @@ void SSL_enable_ocsp_stapling(SSL *ssl) {
 void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, const uint8_t **out,
                                          size_t *out_len) {
   SSL_SESSION *session = SSL_get_session(ssl);
-
-  *out_len = 0;
-  *out = NULL;
-  if (ssl->server || !session || !session->tlsext_signed_cert_timestamp_list) {
+  if (ssl->server || !session || !session->signed_cert_timestamp_list) {
+    *out_len = 0;
+    *out = NULL;
     return;
   }
 
-  *out = session->tlsext_signed_cert_timestamp_list;
-  *out_len = session->tlsext_signed_cert_timestamp_list_length;
+  *out = CRYPTO_BUFFER_data(session->signed_cert_timestamp_list);
+  *out_len = CRYPTO_BUFFER_len(session->signed_cert_timestamp_list);
 }
 
 void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out,
                             size_t *out_len) {
   SSL_SESSION *session = SSL_get_session(ssl);
-
-  *out_len = 0;
-  *out = NULL;
   if (ssl->server || !session || !session->ocsp_response) {
+    *out_len = 0;
+    *out = NULL;
     return;
   }
-  *out = session->ocsp_response;
-  *out_len = session->ocsp_response_length;
+
+  *out = CRYPTO_BUFFER_data(session->ocsp_response);
+  *out_len = CRYPTO_BUFFER_len(session->ocsp_response);
 }
 
 int SSL_set_tlsext_host_name(SSL *ssl, const char *name) {
@@ -1682,32 +1868,31 @@ int SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) {
   return 1;
 }
 
-int SSL_select_next_proto(uint8_t **out, uint8_t *out_len,
-                          const uint8_t *server, unsigned server_len,
-                          const uint8_t *client, unsigned client_len) {
-  unsigned int i, j;
+int SSL_select_next_proto(uint8_t **out, uint8_t *out_len, const uint8_t *peer,
+                          unsigned peer_len, const uint8_t *supported,
+                          unsigned supported_len) {
   const uint8_t *result;
-  int status = OPENSSL_NPN_UNSUPPORTED;
-
-  /* For each protocol in server preference order, see if we support it. */
-  for (i = 0; i < server_len;) {
-    for (j = 0; j < client_len;) {
-      if (server[i] == client[j] &&
-          OPENSSL_memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
-        /* We found a match */
-        result = &server[i];
+  int status;
+
+  // For each protocol in peer preference order, see if we support it.
+  for (unsigned i = 0; i < peer_len;) {
+    for (unsigned j = 0; j < supported_len;) {
+      if (peer[i] == supported[j] &&
+          OPENSSL_memcmp(&peer[i + 1], &supported[j + 1], peer[i]) == 0) {
+        // We found a match
+        result = &peer[i];
         status = OPENSSL_NPN_NEGOTIATED;
         goto found;
       }
-      j += client[j];
+      j += supported[j];
       j++;
     }
-    i += server[i];
+    i += peer[i];
     i++;
   }
 
-  /* There's no overlap between our protocols and the server's list. */
-  result = client;
+  // There's no overlap between our protocols and the peer's list.
+  result = supported;
   status = OPENSSL_NPN_NO_OVERLAP;
 
 found:
@@ -1719,11 +1904,7 @@ found:
 void SSL_get0_next_proto_negotiated(const SSL *ssl, const uint8_t **out_data,
                                     unsigned *out_len) {
   *out_data = ssl->s3->next_proto_negotiated;
-  if (*out_data == NULL) {
-    *out_len = 0;
-  } else {
-    *out_len = ssl->s3->next_proto_negotiated_len;
-  }
+  *out_len = ssl->s3->next_proto_negotiated_len;
 }
 
 void SSL_CTX_set_next_protos_advertised_cb(
@@ -1745,7 +1926,7 @@ void SSL_CTX_set_next_proto_select_cb(
 int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos,
                             unsigned protos_len) {
   OPENSSL_free(ctx->alpn_client_proto_list);
-  ctx->alpn_client_proto_list = BUF_memdup(protos, protos_len);
+  ctx->alpn_client_proto_list = (uint8_t *)BUF_memdup(protos, protos_len);
   if (!ctx->alpn_client_proto_list) {
     return 1;
   }
@@ -1756,7 +1937,7 @@ int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos,
 
 int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos, unsigned protos_len) {
   OPENSSL_free(ssl->alpn_client_proto_list);
-  ssl->alpn_client_proto_list = BUF_memdup(protos, protos_len);
+  ssl->alpn_client_proto_list = (uint8_t *)BUF_memdup(protos, protos_len);
   if (!ssl->alpn_client_proto_list) {
     return 1;
   }
@@ -1776,17 +1957,18 @@ void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
 
 void SSL_get0_alpn_selected(const SSL *ssl, const uint8_t **out_data,
                             unsigned *out_len) {
-  *out_data = NULL;
-  if (ssl->s3) {
-    *out_data = ssl->s3->alpn_selected;
-  }
-  if (*out_data == NULL) {
-    *out_len = 0;
+  if (SSL_in_early_data(ssl) && !ssl->server) {
+    *out_data = ssl->s3->hs->early_session->early_alpn;
+    *out_len = ssl->s3->hs->early_session->early_alpn_len;
   } else {
+    *out_data = ssl->s3->alpn_selected;
     *out_len = ssl->s3->alpn_selected_len;
   }
 }
 
+void SSL_CTX_set_allow_unknown_alpn_protos(SSL_CTX *ctx, int enabled) {
+  ctx->allow_unknown_alpn_protos = !!enabled;
+}
 
 void SSL_CTX_set_tls_channel_id_enabled(SSL_CTX *ctx, int enabled) {
   ctx->tlsext_channel_id_enabled = !!enabled;
@@ -1855,95 +2037,8 @@ size_t SSL_get0_certificate_types(SSL *ssl, const uint8_t **out_types) {
     *out_types = NULL;
     return 0;
   }
-  *out_types = ssl->s3->hs->certificate_types;
-  return ssl->s3->hs->num_certificate_types;
-}
-
-void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) {
-  SSL *const ssl = hs->ssl;
-  SSL_CTX *ctx = ssl->initial_ctx;
-  /* Never cache sessions with empty session IDs. */
-  if (ssl->s3->established_session->session_id_length == 0 ||
-      (ctx->session_cache_mode & mode) != mode) {
-    return;
-  }
-
-  /* Clients never use the internal session cache. */
-  int use_internal_cache = ssl->server && !(ctx->session_cache_mode &
-                                            SSL_SESS_CACHE_NO_INTERNAL_STORE);
-
-  /* A client may see new sessions on abbreviated handshakes if the server
-   * decides to renew the ticket. Once the handshake is completed, it should be
-   * inserted into the cache. */
-  if (ssl->s3->established_session != ssl->session ||
-      (!ssl->server && hs->ticket_expected)) {
-    if (use_internal_cache) {
-      SSL_CTX_add_session(ctx, ssl->s3->established_session);
-    }
-    if (ctx->new_session_cb != NULL) {
-      SSL_SESSION_up_ref(ssl->s3->established_session);
-      if (!ctx->new_session_cb(ssl, ssl->s3->established_session)) {
-        /* |new_session_cb|'s return value signals whether it took ownership. */
-        SSL_SESSION_free(ssl->s3->established_session);
-      }
-    }
-  }
-
-  if (use_internal_cache &&
-      !(ctx->session_cache_mode & SSL_SESS_CACHE_NO_AUTO_CLEAR)) {
-    /* Automatically flush the internal session cache every 255 connections. */
-    int flush_cache = 0;
-    CRYPTO_MUTEX_lock_write(&ctx->lock);
-    ctx->handshakes_since_cache_flush++;
-    if (ctx->handshakes_since_cache_flush >= 255) {
-      flush_cache = 1;
-      ctx->handshakes_since_cache_flush = 0;
-    }
-    CRYPTO_MUTEX_unlock_write(&ctx->lock);
-
-    if (flush_cache) {
-      struct timeval now;
-      ssl_get_current_time(ssl, &now);
-      SSL_CTX_flush_sessions(ctx, (long)now.tv_sec);
-    }
-  }
-}
-
-static const char *ssl_get_version(int version) {
-  switch (version) {
-    /* Report TLS 1.3 draft version as TLS 1.3 in the public API. */
-    case TLS1_3_DRAFT_VERSION:
-      return "TLSv1.3";
-
-    case TLS1_2_VERSION:
-      return "TLSv1.2";
-
-    case TLS1_1_VERSION:
-      return "TLSv1.1";
-
-    case TLS1_VERSION:
-      return "TLSv1";
-
-    case SSL3_VERSION:
-      return "SSLv3";
-
-    case DTLS1_VERSION:
-      return "DTLSv1";
-
-    case DTLS1_2_VERSION:
-      return "DTLSv1.2";
-
-    default:
-      return "unknown";
-  }
-}
-
-const char *SSL_get_version(const SSL *ssl) {
-  return ssl_get_version(ssl->version);
-}
-
-const char *SSL_SESSION_get_version(const SSL_SESSION *session) {
-  return ssl_get_version(session->ssl_version);
+  *out_types = ssl->s3->hs->certificate_types.data();
+  return ssl->s3->hs->certificate_types.size();
 }
 
 EVP_PKEY *SSL_get_privatekey(const SSL *ssl) {
@@ -1963,14 +2058,11 @@ EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx) {
 }
 
 const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl) {
-  if (ssl->s3->aead_write_ctx == NULL) {
-    return NULL;
-  }
-  return ssl->s3->aead_write_ctx->cipher;
+  return ssl->s3->aead_write_ctx->cipher();
 }
 
 int SSL_session_reused(const SSL *ssl) {
-  return ssl->s3->session_reused;
+  return ssl->s3->session_reused || SSL_in_early_data(ssl);
 }
 
 const COMP_METHOD *SSL_get_current_compression(SSL *ssl) { return NULL; }
@@ -1994,44 +2086,35 @@ void SSL_set_quiet_shutdown(SSL *ssl, int mode) {
 int SSL_get_quiet_shutdown(const SSL *ssl) { return ssl->quiet_shutdown; }
 
 void SSL_set_shutdown(SSL *ssl, int mode) {
-  /* It is an error to clear any bits that have already been set. (We can't try
-   * to get a second close_notify or send two.) */
+  // It is an error to clear any bits that have already been set. (We can't try
+  // to get a second close_notify or send two.)
   assert((SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl));
 
   if (mode & SSL_RECEIVED_SHUTDOWN &&
-      ssl->s3->recv_shutdown == ssl_shutdown_none) {
-    ssl->s3->recv_shutdown = ssl_shutdown_close_notify;
+      ssl->s3->read_shutdown == ssl_shutdown_none) {
+    ssl->s3->read_shutdown = ssl_shutdown_close_notify;
   }
 
   if (mode & SSL_SENT_SHUTDOWN &&
-      ssl->s3->send_shutdown == ssl_shutdown_none) {
-    ssl->s3->send_shutdown = ssl_shutdown_close_notify;
+      ssl->s3->write_shutdown == ssl_shutdown_none) {
+    ssl->s3->write_shutdown = ssl_shutdown_close_notify;
   }
 }
 
 int SSL_get_shutdown(const SSL *ssl) {
   int ret = 0;
-  if (ssl->s3->recv_shutdown != ssl_shutdown_none) {
-    /* Historically, OpenSSL set |SSL_RECEIVED_SHUTDOWN| on both close_notify
-     * and fatal alert. */
+  if (ssl->s3->read_shutdown != ssl_shutdown_none) {
+    // Historically, OpenSSL set |SSL_RECEIVED_SHUTDOWN| on both close_notify
+    // and fatal alert.
     ret |= SSL_RECEIVED_SHUTDOWN;
   }
-  if (ssl->s3->send_shutdown == ssl_shutdown_close_notify) {
-    /* Historically, OpenSSL set |SSL_SENT_SHUTDOWN| on only close_notify. */
+  if (ssl->s3->write_shutdown == ssl_shutdown_close_notify) {
+    // Historically, OpenSSL set |SSL_SENT_SHUTDOWN| on only close_notify.
     ret |= SSL_SENT_SHUTDOWN;
   }
   return ret;
 }
 
-int SSL_version(const SSL *ssl) {
-  /* Report TLS 1.3 draft version as TLS 1.3 in the public API. */
-  if (ssl->version == TLS1_3_DRAFT_VERSION) {
-    return TLS1_3_VERSION;
-  }
-
-  return ssl->version;
-}
-
 SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) { return ssl->ctx; }
 
 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) {
@@ -2039,14 +2122,14 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) {
     return ssl->ctx;
   }
 
-  /* One cannot change the X.509 callbacks during a connection. */
+  // One cannot change the X.509 callbacks during a connection.
   if (ssl->ctx->x509_method != ctx->x509_method) {
     assert(0);
     return NULL;
   }
 
   if (ctx == NULL) {
-    ctx = ssl->initial_ctx;
+    ctx = ssl->session_ctx;
   }
 
   ssl_cert_free(ssl->cert);
@@ -2084,17 +2167,17 @@ char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int len) {
 }
 
 int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
-                         CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) {
+                         CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) {
   int index;
   if (!CRYPTO_get_ex_new_index(&g_ex_data_class_ssl, &index, argl, argp,
-                               dup_func, free_func)) {
+                               free_func)) {
     return -1;
   }
   return index;
 }
 
-int SSL_set_ex_data(SSL *ssl, int idx, void *arg) {
-  return CRYPTO_set_ex_data(&ssl->ex_data, idx, arg);
+int SSL_set_ex_data(SSL *ssl, int idx, void *data) {
+  return CRYPTO_set_ex_data(&ssl->ex_data, idx, data);
 }
 
 void *SSL_get_ex_data(const SSL *ssl, int idx) {
@@ -2102,18 +2185,18 @@ void *SSL_get_ex_data(const SSL *ssl, int idx) {
 }
 
 int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
-                             CRYPTO_EX_dup *dup_func,
+                             CRYPTO_EX_dup *dup_unused,
                              CRYPTO_EX_free *free_func) {
   int index;
   if (!CRYPTO_get_ex_new_index(&g_ex_data_class_ssl_ctx, &index, argl, argp,
-                               dup_func, free_func)) {
+                               free_func)) {
     return -1;
   }
   return index;
 }
 
-int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *arg) {
-  return CRYPTO_set_ex_data(&ctx->ex_data, idx, arg);
+int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *data) {
+  return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
 }
 
 void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx) {
@@ -2124,70 +2207,48 @@ int SSL_want(const SSL *ssl) { return ssl->rwstate; }
 
 void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
                                   RSA *(*cb)(SSL *ssl, int is_export,
-                                             int keylength)) {
-}
+                                             int keylength)) {}
 
 void SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb)(SSL *ssl, int is_export,
-                                                   int keylength)) {
-}
+                                                   int keylength)) {}
 
 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
-                                 DH *(*callback)(SSL *ssl, int is_export,
-                                                 int keylength)) {
-  ctx->cert->dh_tmp_cb = callback;
-}
+                                 DH *(*cb)(SSL *ssl, int is_export,
+                                           int keylength)) {}
 
-void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*callback)(SSL *ssl, int is_export,
-                                                       int keylength)) {
-  ssl->cert->dh_tmp_cb = callback;
-}
+void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*cb)(SSL *ssl, int is_export,
+                                                 int keylength)) {}
 
-int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) {
+static int use_psk_identity_hint(char **out, const char *identity_hint) {
   if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
     return 0;
   }
 
-  OPENSSL_free(ctx->psk_identity_hint);
+  // Clear currently configured hint, if any.
+  OPENSSL_free(*out);
+  *out = NULL;
 
-  if (identity_hint != NULL) {
-    ctx->psk_identity_hint = BUF_strdup(identity_hint);
-    if (ctx->psk_identity_hint == NULL) {
+  // Treat the empty hint as not supplying one. Plain PSK makes it possible to
+  // send either no hint (omit ServerKeyExchange) or an empty hint, while
+  // ECDHE_PSK can only spell empty hint. Having different capabilities is odd,
+  // so we interpret empty and missing as identical.
+  if (identity_hint != NULL && identity_hint[0] != '\0') {
+    *out = BUF_strdup(identity_hint);
+    if (*out == NULL) {
       return 0;
     }
-  } else {
-    ctx->psk_identity_hint = NULL;
   }
 
   return 1;
 }
 
-int SSL_use_psk_identity_hint(SSL *ssl, const char *identity_hint) {
-  if (ssl == NULL) {
-    return 0;
-  }
-
-  if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
-    return 0;
-  }
-
-  /* Clear currently configured hint, if any. */
-  OPENSSL_free(ssl->psk_identity_hint);
-  ssl->psk_identity_hint = NULL;
-
-  /* Treat the empty hint as not supplying one. Plain PSK makes it possible to
-   * send either no hint (omit ServerKeyExchange) or an empty hint, while
-   * ECDHE_PSK can only spell empty hint. Having different capabilities is odd,
-   * so we interpret empty and missing as identical. */
-  if (identity_hint != NULL && identity_hint[0] != '\0') {
-    ssl->psk_identity_hint = BUF_strdup(identity_hint);
-    if (ssl->psk_identity_hint == NULL) {
-      return 0;
-    }
-  }
+int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) {
+  return use_psk_identity_hint(&ctx->psk_identity_hint, identity_hint);
+}
 
-  return 1;
+int SSL_use_psk_identity_hint(SSL *ssl, const char *identity_hint) {
+  return use_psk_identity_hint(&ssl->psk_identity_hint, identity_hint);
 }
 
 const char *SSL_get_psk_identity_hint(const SSL *ssl) {
@@ -2272,56 +2333,16 @@ void SSL_CTX_set_current_time_cb(SSL_CTX *ctx,
   ctx->current_time_cb = cb;
 }
 
-static int cbb_add_hex(CBB *cbb, const uint8_t *in, size_t in_len) {
-  static const char hextable[] = "0123456789abcdef";
-  uint8_t *out;
-
-  if (!CBB_add_space(cbb, &out, in_len * 2)) {
-    return 0;
-  }
-
-  for (size_t i = 0; i < in_len; i++) {
-    *(out++) = (uint8_t)hextable[in[i] >> 4];
-    *(out++) = (uint8_t)hextable[in[i] & 0xf];
-  }
-
-  return 1;
-}
-
-int ssl_log_secret(const SSL *ssl, const char *label, const uint8_t *secret,
-                   size_t secret_len) {
-  if (ssl->ctx->keylog_callback == NULL) {
-    return 1;
-  }
-
-  CBB cbb;
-  uint8_t *out;
-  size_t out_len;
-  if (!CBB_init(&cbb, strlen(label) + 1 + SSL3_RANDOM_SIZE * 2 + 1 +
-                          secret_len * 2 + 1) ||
-      !CBB_add_bytes(&cbb, (const uint8_t *)label, strlen(label)) ||
-      !CBB_add_bytes(&cbb, (const uint8_t *)" ", 1) ||
-      !cbb_add_hex(&cbb, ssl->s3->client_random, SSL3_RANDOM_SIZE) ||
-      !CBB_add_bytes(&cbb, (const uint8_t *)" ", 1) ||
-      !cbb_add_hex(&cbb, secret, secret_len) ||
-      !CBB_add_u8(&cbb, 0 /* NUL */) ||
-      !CBB_finish(&cbb, &out, &out_len)) {
-    CBB_cleanup(&cbb);
-    return 0;
-  }
-
-  ssl->ctx->keylog_callback(ssl, (const char *)out);
-  OPENSSL_free(out);
-  return 1;
-}
-
 int SSL_is_init_finished(const SSL *ssl) {
   return !SSL_in_init(ssl);
 }
 
 int SSL_in_init(const SSL *ssl) {
+  // This returns false once all the handshake state has been finalized, to
+  // allow callbacks and getters based on SSL_in_init to return the correct
+  // values.
   SSL_HANDSHAKE *hs = ssl->s3->hs;
-  return hs != NULL && hs->state != SSL_ST_OK;
+  return hs != nullptr && !hs->handshake_finalized;
 }
 
 int SSL_in_false_start(const SSL *ssl) {
@@ -2342,121 +2363,13 @@ void SSL_get_structure_sizes(size_t *ssl_size, size_t *ssl_ctx_size,
   *ssl_session_size = sizeof(SSL_SESSION);
 }
 
-int ssl3_can_false_start(const SSL *ssl) {
-  const SSL_CIPHER *const cipher = SSL_get_current_cipher(ssl);
-
-  /* False Start only for TLS 1.2 with an ECDHE+AEAD cipher and ALPN or NPN. */
-  return !SSL_is_dtls(ssl) &&
-      SSL_version(ssl) == TLS1_2_VERSION &&
-      (ssl->s3->alpn_selected != NULL ||
-       ssl->s3->next_proto_negotiated != NULL) &&
-      cipher != NULL &&
-      cipher->algorithm_mkey == SSL_kECDHE &&
-      cipher->algorithm_mac == SSL_AEAD;
-}
-
-const struct {
-  uint16_t version;
-  uint32_t flag;
-} kVersions[] = {
-    {SSL3_VERSION, SSL_OP_NO_SSLv3},
-    {TLS1_VERSION, SSL_OP_NO_TLSv1},
-    {TLS1_1_VERSION, SSL_OP_NO_TLSv1_1},
-    {TLS1_2_VERSION, SSL_OP_NO_TLSv1_2},
-    {TLS1_3_VERSION, SSL_OP_NO_TLSv1_3},
-};
-
-static const size_t kVersionsLen = OPENSSL_ARRAY_SIZE(kVersions);
-
-int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version,
-                          uint16_t *out_max_version) {
-  /* For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but
-   * DTLS 1.0 should be mapped to TLS 1.1. */
-  uint32_t options = ssl->options;
-  if (SSL_is_dtls(ssl)) {
-    options &= ~SSL_OP_NO_TLSv1_1;
-    if (options & SSL_OP_NO_DTLSv1) {
-      options |= SSL_OP_NO_TLSv1_1;
-    }
-  }
-
-  uint16_t min_version = ssl->min_version;
-  uint16_t max_version = ssl->max_version;
-
-  /* Bound the range to only those implemented in this protocol. */
-  if (min_version < ssl->method->min_version) {
-    min_version = ssl->method->min_version;
-  }
-  if (max_version > ssl->method->max_version) {
-    max_version = ssl->method->max_version;
-  }
-
-  /* OpenSSL's API for controlling versions entails blacklisting individual
-   * protocols. This has two problems. First, on the client, the protocol can
-   * only express a contiguous range of versions. Second, a library consumer
-   * trying to set a maximum version cannot disable protocol versions that get
-   * added in a future version of the library.
-   *
-   * To account for both of these, OpenSSL interprets the client-side bitmask
-   * as a min/max range by picking the lowest contiguous non-empty range of
-   * enabled protocols. Note that this means it is impossible to set a maximum
-   * version of the higest supported TLS version in a future-proof way. */
-  int any_enabled = 0;
-  for (size_t i = 0; i < kVersionsLen; i++) {
-    /* Only look at the versions already enabled. */
-    if (min_version > kVersions[i].version) {
-      continue;
-    }
-    if (max_version < kVersions[i].version) {
-      break;
-    }
-
-    if (!(options & kVersions[i].flag)) {
-      /* The minimum version is the first enabled version. */
-      if (!any_enabled) {
-        any_enabled = 1;
-        min_version = kVersions[i].version;
-      }
-      continue;
-    }
-
-    /* If there is a disabled version after the first enabled one, all versions
-     * after it are implicitly disabled. */
-    if (any_enabled) {
-      max_version = kVersions[i-1].version;
-      break;
-    }
-  }
-
-  if (!any_enabled) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION);
-    return 0;
-  }
-
-  *out_min_version = min_version;
-  *out_max_version = max_version;
-  return 1;
-}
-
-uint16_t ssl3_protocol_version(const SSL *ssl) {
-  assert(ssl->s3->have_version);
-  uint16_t version;
-  if (!ssl->method->version_from_wire(&version, ssl->version)) {
-    /* TODO(davidben): Use the internal version representation for ssl->version
-     * and map to the public API representation at API boundaries. */
-    assert(0);
-    return 0;
-  }
-
-  return version;
-}
-
 int SSL_is_server(const SSL *ssl) { return ssl->server; }
 
 int SSL_is_dtls(const SSL *ssl) { return ssl->method->is_dtls; }
 
-void SSL_CTX_set_select_certificate_cb(SSL_CTX *ctx,
-                                       int (*cb)(const SSL_CLIENT_HELLO *)) {
+void SSL_CTX_set_select_certificate_cb(
+    SSL_CTX *ctx,
+    enum ssl_select_cert_result_t (*cb)(const SSL_CLIENT_HELLO *)) {
   ctx->select_certificate_cb = cb;
 }
 
@@ -2471,15 +2384,9 @@ void SSL_set_renegotiate_mode(SSL *ssl, enum ssl_renegotiate_mode_t mode) {
 
 int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv,
                 const uint8_t **out_write_iv, size_t *out_iv_len) {
-  if (ssl->s3->aead_read_ctx == NULL || ssl->s3->aead_write_ctx == NULL) {
-    return 0;
-  }
-
   size_t write_iv_len;
-  if (!EVP_AEAD_CTX_get_iv(&ssl->s3->aead_read_ctx->ctx, out_read_iv,
-                           out_iv_len) ||
-      !EVP_AEAD_CTX_get_iv(&ssl->s3->aead_write_ctx->ctx, out_write_iv,
-                           &write_iv_len) ||
+  if (!ssl->s3->aead_read_ctx->GetIV(out_read_iv, out_iv_len) ||
+      !ssl->s3->aead_write_ctx->GetIV(out_write_iv, &write_iv_len) ||
       *out_iv_len != write_iv_len) {
     return 0;
   }
@@ -2495,9 +2402,9 @@ static uint64_t be_to_u64(const uint8_t in[8]) {
 }
 
 uint64_t SSL_get_read_sequence(const SSL *ssl) {
-  /* TODO(davidben): Internally represent sequence numbers as uint64_t. */
+  // TODO(davidben): Internally represent sequence numbers as uint64_t.
   if (SSL_is_dtls(ssl)) {
-    /* max_seq_num already includes the epoch. */
+    // max_seq_num already includes the epoch.
     assert(ssl->d1->r_epoch == (ssl->d1->bitmap.max_seq_num >> 48));
     return ssl->d1->bitmap.max_seq_num;
   }
@@ -2514,8 +2421,8 @@ uint64_t SSL_get_write_sequence(const SSL *ssl) {
 }
 
 uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl) {
-  /* TODO(davidben): This checks the wrong session if there is a renegotiation
-   * in progress. */
+  // TODO(davidben): This checks the wrong session if there is a renegotiation
+  // in progress.
   SSL_SESSION *session = SSL_get_session(ssl);
   if (session == NULL) {
     return 0;
@@ -2566,37 +2473,35 @@ void SSL_CTX_set_grease_enabled(SSL_CTX *ctx, int enabled) {
   ctx->grease_enabled = !!enabled;
 }
 
-void SSL_CTX_set_short_header_enabled(SSL_CTX *ctx, int enabled) {
-  ctx->short_header_enabled = !!enabled;
+int32_t SSL_get_ticket_age_skew(const SSL *ssl) {
+  return ssl->s3->ticket_age_skew;
 }
 
 int SSL_clear(SSL *ssl) {
-  /* In OpenSSL, reusing a client |SSL| with |SSL_clear| causes the previously
-   * established session to be offered the next time around. wpa_supplicant
-   * depends on this behavior, so emulate it. */
+  // In OpenSSL, reusing a client |SSL| with |SSL_clear| causes the previously
+  // established session to be offered the next time around. wpa_supplicant
+  // depends on this behavior, so emulate it.
   SSL_SESSION *session = NULL;
   if (!ssl->server && ssl->s3->established_session != NULL) {
     session = ssl->s3->established_session;
     SSL_SESSION_up_ref(session);
   }
 
-  /* TODO(davidben): Some state on |ssl| is reset both in |SSL_new| and
-   * |SSL_clear| because it is per-connection state rather than configuration
-   * state. Per-connection state should be on |ssl->s3| and |ssl->d1| so it is
-   * naturally reset at the right points between |SSL_new|, |SSL_clear|, and
-   * |ssl3_new|. */
+  // TODO(davidben): Some state on |ssl| is reset both in |SSL_new| and
+  // |SSL_clear| because it is per-connection state rather than configuration
+  // state. Per-connection state should be on |ssl->s3| and |ssl->d1| so it is
+  // naturally reset at the right points between |SSL_new|, |SSL_clear|, and
+  // |ssl3_new|.
 
   ssl->rwstate = SSL_NOTHING;
 
   BUF_MEM_free(ssl->init_buf);
   ssl->init_buf = NULL;
-  ssl->init_msg = NULL;
-  ssl->init_num = 0;
 
-  /* The ssl->d1->mtu is simultaneously configuration (preserved across
-   * clear) and connection-specific state (gets reset).
-   *
-   * TODO(davidben): Avoid this. */
+  // The ssl->d1->mtu is simultaneously configuration (preserved across
+  // clear) and connection-specific state (gets reset).
+  //
+  // TODO(davidben): Avoid this.
   unsigned mtu = 0;
   if (ssl->d1 != NULL) {
     mtu = ssl->d1->mtu;
@@ -2620,44 +2525,6 @@ int SSL_clear(SSL *ssl) {
   return 1;
 }
 
-void ssl_do_info_callback(const SSL *ssl, int type, int value) {
-  void (*cb)(const SSL *ssl, int type, int value) = NULL;
-  if (ssl->info_callback != NULL) {
-    cb = ssl->info_callback;
-  } else if (ssl->ctx->info_callback != NULL) {
-    cb = ssl->ctx->info_callback;
-  }
-
-  if (cb != NULL) {
-    cb(ssl, type, value);
-  }
-}
-
-void ssl_do_msg_callback(SSL *ssl, int is_write, int content_type,
-                         const void *buf, size_t len) {
-  if (ssl->msg_callback == NULL) {
-    return;
-  }
-
-  /* |version| is zero when calling for |SSL3_RT_HEADER| and |SSL2_VERSION| for
-   * a V2ClientHello. */
-  int version;
-  switch (content_type) {
-    case 0:
-      /* V2ClientHello */
-      version = SSL2_VERSION;
-      break;
-    case SSL3_RT_HEADER:
-      version = 0;
-      break;
-    default:
-      version = SSL_version(ssl);
-  }
-
-  ssl->msg_callback(is_write, version, content_type, buf, len, ssl,
-                    ssl->msg_callback_arg);
-}
-
 int SSL_CTX_sess_connect(const SSL_CTX *ctx) { return 0; }
 int SSL_CTX_sess_connect_good(const SSL_CTX *ctx) { return 0; }
 int SSL_CTX_sess_connect_renegotiate(const SSL_CTX *ctx) { return 0; }
@@ -2700,37 +2567,7 @@ int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key) {
   return SSL_set1_curves(ssl, &nid, 1);
 }
 
-void ssl_get_current_time(const SSL *ssl, struct timeval *out_clock) {
-  if (ssl->ctx->current_time_cb != NULL) {
-    ssl->ctx->current_time_cb(ssl, out_clock);
-    return;
-  }
-
-#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
-  out_clock->tv_sec = 1234;
-  out_clock->tv_usec = 1234;
-#elif defined(OPENSSL_WINDOWS)
-  struct _timeb time;
-  _ftime(&time);
-  out_clock->tv_sec = time.time;
-  out_clock->tv_usec = time.millitm * 1000;
-#else
-  gettimeofday(out_clock, NULL);
-#endif
-}
-
-int SSL_CTX_set_min_version(SSL_CTX *ctx, uint16_t version) {
-  return SSL_CTX_set_min_proto_version(ctx, version);
-}
-
-int SSL_CTX_set_max_version(SSL_CTX *ctx, uint16_t version) {
-  return SSL_CTX_set_max_proto_version(ctx, version);
-}
-
-int SSL_set_min_version(SSL *ssl, uint16_t version) {
-  return SSL_set_min_proto_version(ssl, version);
-}
-
-int SSL_set_max_version(SSL *ssl, uint16_t version) {
-  return SSL_set_max_proto_version(ssl, version);
+void SSL_CTX_set_ticket_aead_method(SSL_CTX *ctx,
+                                    const SSL_TICKET_AEAD_METHOD *aead_method) {
+  ctx->ticket_aead_method = aead_method;
 }