grpc 1.9.1 → 1.10.0.pre1

data/third_party/boringssl/ssl/ssl_versions.cc

@@ -0,0 +1,439 @@
+/* Copyright (c) 2017, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/ssl.h>
+
+#include <assert.h>
+
+#include <openssl/bytestring.h>
+#include <openssl/err.h>
+
+#include "internal.h"
+#include "../crypto/internal.h"
+
+
+namespace bssl {
+
+bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
+  switch (version) {
+    case SSL3_VERSION:
+    case TLS1_VERSION:
+    case TLS1_1_VERSION:
+    case TLS1_2_VERSION:
+      *out = version;
+      return true;
+
+    case TLS1_3_DRAFT_VERSION:
+    case TLS1_3_EXPERIMENT_VERSION:
+    case TLS1_3_EXPERIMENT2_VERSION:
+    case TLS1_3_EXPERIMENT3_VERSION:
+      *out = TLS1_3_VERSION;
+      return true;
+
+    case DTLS1_VERSION:
+      // DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0.
+      *out = TLS1_1_VERSION;
+      return true;
+
+    case DTLS1_2_VERSION:
+      *out = TLS1_2_VERSION;
+      return true;
+
+    default:
+      return false;
+  }
+}
+
+// The follow arrays are the supported versions for TLS and DTLS, in order of
+// decreasing preference.
+
+static const uint16_t kTLSVersions[] = {
+    TLS1_3_EXPERIMENT3_VERSION,
+    TLS1_3_EXPERIMENT2_VERSION,
+    TLS1_3_EXPERIMENT_VERSION,
+    TLS1_3_DRAFT_VERSION,
+    TLS1_2_VERSION,
+    TLS1_1_VERSION,
+    TLS1_VERSION,
+    SSL3_VERSION,
+};
+
+static const uint16_t kDTLSVersions[] = {
+    DTLS1_2_VERSION,
+    DTLS1_VERSION,
+};
+
+static void get_method_versions(const SSL_PROTOCOL_METHOD *method,
+                                const uint16_t **out, size_t *out_num) {
+  if (method->is_dtls) {
+    *out = kDTLSVersions;
+    *out_num = OPENSSL_ARRAY_SIZE(kDTLSVersions);
+  } else {
+    *out = kTLSVersions;
+    *out_num = OPENSSL_ARRAY_SIZE(kTLSVersions);
+  }
+}
+
+static bool method_supports_version(const SSL_PROTOCOL_METHOD *method,
+                                    uint16_t version) {
+  const uint16_t *versions;
+  size_t num_versions;
+  get_method_versions(method, &versions, &num_versions);
+  for (size_t i = 0; i < num_versions; i++) {
+    if (versions[i] == version) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// The following functions map between API versions and wire versions. The
+// public API works on wire versions, except that TLS 1.3 draft versions all
+// appear as TLS 1.3. This will get collapsed back down when TLS 1.3 is
+// finalized.
+
+static const char *ssl_version_to_string(uint16_t version) {
+  switch (version) {
+    case TLS1_3_DRAFT_VERSION:
+    case TLS1_3_EXPERIMENT_VERSION:
+    case TLS1_3_EXPERIMENT2_VERSION:
+    case TLS1_3_EXPERIMENT3_VERSION:
+      return "TLSv1.3";
+
+    case TLS1_2_VERSION:
+      return "TLSv1.2";
+
+    case TLS1_1_VERSION:
+      return "TLSv1.1";
+
+    case TLS1_VERSION:
+      return "TLSv1";
+
+    case SSL3_VERSION:
+      return "SSLv3";
+
+    case DTLS1_VERSION:
+      return "DTLSv1";
+
+    case DTLS1_2_VERSION:
+      return "DTLSv1.2";
+
+    default:
+      return "unknown";
+  }
+}
+
+static uint16_t wire_version_to_api(uint16_t version) {
+  switch (version) {
+    // Report TLS 1.3 draft versions as TLS 1.3 in the public API.
+    case TLS1_3_DRAFT_VERSION:
+    case TLS1_3_EXPERIMENT_VERSION:
+    case TLS1_3_EXPERIMENT2_VERSION:
+    case TLS1_3_EXPERIMENT3_VERSION:
+      return TLS1_3_VERSION;
+    default:
+      return version;
+  }
+}
+
+// api_version_to_wire maps |version| to some representative wire version. In
+// particular, it picks an arbitrary TLS 1.3 representative. This should only be
+// used in context where that does not matter.
+static bool api_version_to_wire(uint16_t *out, uint16_t version) {
+  if (version == TLS1_3_DRAFT_VERSION ||
+      version == TLS1_3_EXPERIMENT_VERSION ||
+      version == TLS1_3_EXPERIMENT2_VERSION ||
+      version == TLS1_3_EXPERIMENT3_VERSION) {
+    return false;
+  }
+  if (version == TLS1_3_VERSION) {
+    version = TLS1_3_DRAFT_VERSION;
+  }
+
+  // Check it is a real protocol version.
+  uint16_t unused;
+  if (!ssl_protocol_version_from_wire(&unused, version)) {
+    return false;
+  }
+
+  *out = version;
+  return true;
+}
+
+static bool set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
+                              uint16_t version) {
+  if (!api_version_to_wire(&version, version) ||
+      !method_supports_version(method, version) ||
+      !ssl_protocol_version_from_wire(out, version)) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION);
+    return false;
+  }
+
+  return true;
+}
+
+static bool set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
+                            uint16_t version) {
+  // Zero is interpreted as the default minimum version.
+  if (version == 0) {
+    // SSL 3.0 is disabled by default and TLS 1.0 does not exist in DTLS.
+    *out = method->is_dtls ? TLS1_1_VERSION : TLS1_VERSION;
+    return true;
+  }
+
+  return set_version_bound(method, out, version);
+}
+
+static bool set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
+                            uint16_t version) {
+  // Zero is interpreted as the default maximum version.
+  if (version == 0) {
+    *out = TLS1_2_VERSION;
+    return true;
+  }
+
+  return set_version_bound(method, out, version);
+}
+
+const struct {
+  uint16_t version;
+  uint32_t flag;
+} kProtocolVersions[] = {
+    {SSL3_VERSION, SSL_OP_NO_SSLv3},
+    {TLS1_VERSION, SSL_OP_NO_TLSv1},
+    {TLS1_1_VERSION, SSL_OP_NO_TLSv1_1},
+    {TLS1_2_VERSION, SSL_OP_NO_TLSv1_2},
+    {TLS1_3_VERSION, SSL_OP_NO_TLSv1_3},
+};
+
+bool ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version,
+                           uint16_t *out_max_version) {
+  // For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but
+  // DTLS 1.0 should be mapped to TLS 1.1.
+  uint32_t options = ssl->options;
+  if (SSL_is_dtls(ssl)) {
+    options &= ~SSL_OP_NO_TLSv1_1;
+    if (options & SSL_OP_NO_DTLSv1) {
+      options |= SSL_OP_NO_TLSv1_1;
+    }
+  }
+
+  uint16_t min_version = ssl->conf_min_version;
+  uint16_t max_version = ssl->conf_max_version;
+
+  // OpenSSL's API for controlling versions entails blacklisting individual
+  // protocols. This has two problems. First, on the client, the protocol can
+  // only express a contiguous range of versions. Second, a library consumer
+  // trying to set a maximum version cannot disable protocol versions that get
+  // added in a future version of the library.
+  //
+  // To account for both of these, OpenSSL interprets the client-side bitmask
+  // as a min/max range by picking the lowest contiguous non-empty range of
+  // enabled protocols. Note that this means it is impossible to set a maximum
+  // version of the higest supported TLS version in a future-proof way.
+  bool any_enabled = false;
+  for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kProtocolVersions); i++) {
+    // Only look at the versions already enabled.
+    if (min_version > kProtocolVersions[i].version) {
+      continue;
+    }
+    if (max_version < kProtocolVersions[i].version) {
+      break;
+    }
+
+    if (!(options & kProtocolVersions[i].flag)) {
+      // The minimum version is the first enabled version.
+      if (!any_enabled) {
+        any_enabled = true;
+        min_version = kProtocolVersions[i].version;
+      }
+      continue;
+    }
+
+    // If there is a disabled version after the first enabled one, all versions
+    // after it are implicitly disabled.
+    if (any_enabled) {
+      max_version = kProtocolVersions[i-1].version;
+      break;
+    }
+  }
+
+  if (!any_enabled) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SUPPORTED_VERSIONS_ENABLED);
+    return false;
+  }
+
+  *out_min_version = min_version;
+  *out_max_version = max_version;
+  return true;
+}
+
+static uint16_t ssl_version(const SSL *ssl) {
+  // In early data, we report the predicted version.
+  if (SSL_in_early_data(ssl) && !ssl->server) {
+    return ssl->s3->hs->early_session->ssl_version;
+  }
+  return ssl->version;
+}
+
+uint16_t ssl3_protocol_version(const SSL *ssl) {
+  assert(ssl->s3->have_version);
+  uint16_t version;
+  if (!ssl_protocol_version_from_wire(&version, ssl->version)) {
+    // |ssl->version| will always be set to a valid version.
+    assert(0);
+    return 0;
+  }
+
+  return version;
+}
+
+bool ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) {
+  SSL *const ssl = hs->ssl;
+  // As a client, only allow the configured TLS 1.3 variant. As a server,
+  // support all TLS 1.3 variants as long as tls13_variant is set to a
+  // non-default value.
+  if (ssl->server) {
+    if (ssl->tls13_variant == tls13_default &&
+        (version == TLS1_3_EXPERIMENT_VERSION ||
+         version == TLS1_3_EXPERIMENT2_VERSION ||
+         version == TLS1_3_EXPERIMENT3_VERSION)) {
+      return false;
+    }
+  } else {
+    if ((ssl->tls13_variant != tls13_experiment &&
+         version == TLS1_3_EXPERIMENT_VERSION) ||
+        (ssl->tls13_variant != tls13_experiment2 &&
+         version == TLS1_3_EXPERIMENT2_VERSION) ||
+        (ssl->tls13_variant != tls13_experiment3 &&
+         version == TLS1_3_EXPERIMENT3_VERSION) ||
+        (ssl->tls13_variant != tls13_default &&
+         version == TLS1_3_DRAFT_VERSION)) {
+      return false;
+    }
+  }
+
+  uint16_t protocol_version;
+  return method_supports_version(ssl->method, version) &&
+         ssl_protocol_version_from_wire(&protocol_version, version) &&
+         hs->min_version <= protocol_version &&
+         protocol_version <= hs->max_version;
+}
+
+bool ssl_add_supported_versions(SSL_HANDSHAKE *hs, CBB *cbb) {
+  const uint16_t *versions;
+  size_t num_versions;
+  get_method_versions(hs->ssl->method, &versions, &num_versions);
+  for (size_t i = 0; i < num_versions; i++) {
+    if (ssl_supports_version(hs, versions[i]) &&
+        !CBB_add_u16(cbb, versions[i])) {
+      return false;
+    }
+  }
+  return true;
+}
+
+bool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
+                           uint16_t *out_version, const CBS *peer_versions) {
+  const uint16_t *versions;
+  size_t num_versions;
+  get_method_versions(hs->ssl->method, &versions, &num_versions);
+  for (size_t i = 0; i < num_versions; i++) {
+    if (!ssl_supports_version(hs, versions[i])) {
+      continue;
+    }
+
+    CBS copy = *peer_versions;
+    while (CBS_len(&copy) != 0) {
+      uint16_t version;
+      if (!CBS_get_u16(&copy, &version)) {
+        OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+        *out_alert = SSL_AD_DECODE_ERROR;
+        return false;
+      }
+
+      if (version == versions[i]) {
+        *out_version = version;
+        return true;
+      }
+    }
+  }
+
+  OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
+  *out_alert = SSL_AD_PROTOCOL_VERSION;
+  return false;
+}
+
+bool ssl_is_resumption_experiment(uint16_t version) {
+  return version == TLS1_3_EXPERIMENT_VERSION ||
+         version == TLS1_3_EXPERIMENT2_VERSION ||
+         version == TLS1_3_EXPERIMENT3_VERSION;
+}
+
+bool ssl_is_resumption_variant(enum tls13_variant_t variant) {
+  return variant == tls13_experiment || variant == tls13_experiment2 ||
+         variant == tls13_experiment3;
+}
+
+bool ssl_is_resumption_client_ccs_experiment(uint16_t version) {
+  return version == TLS1_3_EXPERIMENT_VERSION ||
+         version == TLS1_3_EXPERIMENT2_VERSION;
+}
+
+bool ssl_is_resumption_record_version_experiment(uint16_t version) {
+  return version == TLS1_3_EXPERIMENT2_VERSION ||
+         version == TLS1_3_EXPERIMENT3_VERSION;
+}
+
+}  // namespace bssl
+
+using namespace bssl;
+
+int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) {
+  return set_min_version(ctx->method, &ctx->conf_min_version, version);
+}
+
+int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) {
+  return set_max_version(ctx->method, &ctx->conf_max_version, version);
+}
+
+int SSL_set_min_proto_version(SSL *ssl, uint16_t version) {
+  return set_min_version(ssl->method, &ssl->conf_min_version, version);
+}
+
+int SSL_set_max_proto_version(SSL *ssl, uint16_t version) {
+  return set_max_version(ssl->method, &ssl->conf_max_version, version);
+}
+
+int SSL_version(const SSL *ssl) {
+  return wire_version_to_api(ssl_version(ssl));
+}
+
+const char *SSL_get_version(const SSL *ssl) {
+  return ssl_version_to_string(ssl_version(ssl));
+}
+
+const char *SSL_SESSION_get_version(const SSL_SESSION *session) {
+  return ssl_version_to_string(session->ssl_version);
+}
+
+uint16_t SSL_SESSION_get_protocol_version(const SSL_SESSION *session) {
+  return wire_version_to_api(session->ssl_version);
+}
+
+int SSL_SESSION_set_protocol_version(SSL_SESSION *session, uint16_t version) {
+  // This picks a representative TLS 1.3 version, but this API should only be
+  // used on unit test sessions anyway.
+  return api_version_to_wire(&session->ssl_version, version);
+}

data/third_party/boringssl/ssl/{ssl_x509.c → ssl_x509.cc}

@@ -152,9 +152,433 @@
 #include <openssl/x509_vfy.h>
 
 #include "internal.h"
+#include "../crypto/internal.h"
 
 
+namespace bssl {
+
+// check_ssl_x509_method asserts that |ssl| has the X509-based method
+// installed. Calling an X509-based method on an |ssl| with a different method
+// will likely misbehave and possibly crash or leak memory.
+static void check_ssl_x509_method(const SSL *ssl) {
+  assert(ssl == NULL || ssl->ctx->x509_method == &ssl_crypto_x509_method);
+}
+
+// check_ssl_ctx_x509_method acts like |check_ssl_x509_method|, but for an
+// |SSL_CTX|.
+static void check_ssl_ctx_x509_method(const SSL_CTX *ctx) {
+  assert(ctx == NULL || ctx->x509_method == &ssl_crypto_x509_method);
+}
+
+// x509_to_buffer returns a |CRYPTO_BUFFER| that contains the serialised
+// contents of |x509|.
+static UniquePtr<CRYPTO_BUFFER> x509_to_buffer(X509 *x509) {
+  uint8_t *buf = NULL;
+  int cert_len = i2d_X509(x509, &buf);
+  if (cert_len <= 0) {
+    return 0;
+  }
+
+  UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new(buf, cert_len, NULL));
+  OPENSSL_free(buf);
+
+  return buffer;
+}
+
+// new_leafless_chain returns a fresh stack of buffers set to {NULL}.
+static STACK_OF(CRYPTO_BUFFER) *new_leafless_chain(void) {
+  STACK_OF(CRYPTO_BUFFER) *chain = sk_CRYPTO_BUFFER_new_null();
+  if (chain == NULL) {
+    return NULL;
+  }
+
+  if (!sk_CRYPTO_BUFFER_push(chain, NULL)) {
+    sk_CRYPTO_BUFFER_free(chain);
+    return NULL;
+  }
+
+  return chain;
+}
+
+// ssl_cert_set_chain sets elements 1.. of |cert->chain| to the serialised
+// forms of elements of |chain|. It returns one on success or zero on error, in
+// which case no change to |cert->chain| is made. It preverses the existing
+// leaf from |cert->chain|, if any.
+static int ssl_cert_set_chain(CERT *cert, STACK_OF(X509) *chain) {
+  UniquePtr<STACK_OF(CRYPTO_BUFFER)> new_chain;
+
+  if (cert->chain != NULL) {
+    new_chain.reset(sk_CRYPTO_BUFFER_new_null());
+    if (!new_chain) {
+      return 0;
+    }
+
+    CRYPTO_BUFFER *leaf = sk_CRYPTO_BUFFER_value(cert->chain, 0);
+    if (!sk_CRYPTO_BUFFER_push(new_chain.get(), leaf)) {
+      return 0;
+    }
+    // |leaf| might be NULL if it's a “leafless” chain.
+    if (leaf != NULL) {
+      CRYPTO_BUFFER_up_ref(leaf);
+    }
+  }
+
+  for (X509 *x509 : chain) {
+    if (!new_chain) {
+      new_chain.reset(new_leafless_chain());
+      if (!new_chain) {
+        return 0;
+      }
+    }
+
+    UniquePtr<CRYPTO_BUFFER> buffer = x509_to_buffer(x509);
+    if (!buffer ||
+        !PushToStack(new_chain.get(), std::move(buffer))) {
+      return 0;
+    }
+  }
+
+  sk_CRYPTO_BUFFER_pop_free(cert->chain, CRYPTO_BUFFER_free);
+  cert->chain = new_chain.release();
+
+  return 1;
+}
+
+static void ssl_crypto_x509_cert_flush_cached_leaf(CERT *cert) {
+  X509_free(cert->x509_leaf);
+  cert->x509_leaf = NULL;
+}
+
+static void ssl_crypto_x509_cert_flush_cached_chain(CERT *cert) {
+  sk_X509_pop_free(cert->x509_chain, X509_free);
+  cert->x509_chain = NULL;
+}
+
+static int ssl_crypto_x509_check_client_CA_list(
+    STACK_OF(CRYPTO_BUFFER) *names) {
+  for (const CRYPTO_BUFFER *buffer : names) {
+    const uint8_t *inp = CRYPTO_BUFFER_data(buffer);
+    X509_NAME *name = d2i_X509_NAME(NULL, &inp, CRYPTO_BUFFER_len(buffer));
+    const int ok = name != NULL && inp == CRYPTO_BUFFER_data(buffer) +
+                                              CRYPTO_BUFFER_len(buffer);
+    X509_NAME_free(name);
+    if (!ok) {
+      return 0;
+    }
+  }
+
+  return 1;
+}
+
+static void ssl_crypto_x509_cert_clear(CERT *cert) {
+  ssl_crypto_x509_cert_flush_cached_leaf(cert);
+  ssl_crypto_x509_cert_flush_cached_chain(cert);
+
+  X509_free(cert->x509_stash);
+  cert->x509_stash = NULL;
+}
+
+static void ssl_crypto_x509_cert_free(CERT *cert) {
+  ssl_crypto_x509_cert_clear(cert);
+  X509_STORE_free(cert->verify_store);
+}
+
+static void ssl_crypto_x509_cert_dup(CERT *new_cert, const CERT *cert) {
+  if (cert->verify_store != NULL) {
+    X509_STORE_up_ref(cert->verify_store);
+    new_cert->verify_store = cert->verify_store;
+  }
+}
+
+static int ssl_crypto_x509_session_cache_objects(SSL_SESSION *sess) {
+  bssl::UniquePtr<STACK_OF(X509)> chain;
+  if (sk_CRYPTO_BUFFER_num(sess->certs) > 0) {
+    chain.reset(sk_X509_new_null());
+    if (!chain) {
+      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
+      return 0;
+    }
+  }
+
+  X509 *leaf = nullptr;
+  for (CRYPTO_BUFFER *cert : sess->certs) {
+    UniquePtr<X509> x509(X509_parse_from_buffer(cert));
+    if (!x509) {
+      OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+      return 0;
+    }
+    if (leaf == nullptr) {
+      leaf = x509.get();
+    }
+    if (!PushToStack(chain.get(), std::move(x509))) {
+      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
+      return 0;
+    }
+  }
+
+  sk_X509_pop_free(sess->x509_chain, X509_free);
+  sess->x509_chain = chain.release();
+  sk_X509_pop_free(sess->x509_chain_without_leaf, X509_free);
+  sess->x509_chain_without_leaf = NULL;
+
+  X509_free(sess->x509_peer);
+  if (leaf != NULL) {
+    X509_up_ref(leaf);
+  }
+  sess->x509_peer = leaf;
+  return 1;
+}
+
+static int ssl_crypto_x509_session_dup(SSL_SESSION *new_session,
+                                       const SSL_SESSION *session) {
+  if (session->x509_peer != NULL) {
+    X509_up_ref(session->x509_peer);
+    new_session->x509_peer = session->x509_peer;
+  }
+  if (session->x509_chain != NULL) {
+    new_session->x509_chain = X509_chain_up_ref(session->x509_chain);
+    if (new_session->x509_chain == NULL) {
+      return 0;
+    }
+  }
+
+  return 1;
+}
+
+static void ssl_crypto_x509_session_clear(SSL_SESSION *session) {
+  X509_free(session->x509_peer);
+  session->x509_peer = NULL;
+  sk_X509_pop_free(session->x509_chain, X509_free);
+  session->x509_chain = NULL;
+  sk_X509_pop_free(session->x509_chain_without_leaf, X509_free);
+  session->x509_chain_without_leaf = NULL;
+}
+
+static int ssl_verify_alarm_type(long type) {
+  switch (type) {
+    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+    case X509_V_ERR_UNABLE_TO_GET_CRL:
+    case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
+      return SSL_AD_UNKNOWN_CA;
+
+    case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
+    case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
+    case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
+    case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+    case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+    case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
+    case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
+    case X509_V_ERR_CERT_NOT_YET_VALID:
+    case X509_V_ERR_CRL_NOT_YET_VALID:
+    case X509_V_ERR_CERT_UNTRUSTED:
+    case X509_V_ERR_CERT_REJECTED:
+    case X509_V_ERR_HOSTNAME_MISMATCH:
+    case X509_V_ERR_EMAIL_MISMATCH:
+    case X509_V_ERR_IP_ADDRESS_MISMATCH:
+      return SSL_AD_BAD_CERTIFICATE;
+
+    case X509_V_ERR_CERT_SIGNATURE_FAILURE:
+    case X509_V_ERR_CRL_SIGNATURE_FAILURE:
+      return SSL_AD_DECRYPT_ERROR;
+
+    case X509_V_ERR_CERT_HAS_EXPIRED:
+    case X509_V_ERR_CRL_HAS_EXPIRED:
+      return SSL_AD_CERTIFICATE_EXPIRED;
+
+    case X509_V_ERR_CERT_REVOKED:
+      return SSL_AD_CERTIFICATE_REVOKED;
+
+    case X509_V_ERR_UNSPECIFIED:
+    case X509_V_ERR_OUT_OF_MEM:
+    case X509_V_ERR_INVALID_CALL:
+    case X509_V_ERR_STORE_LOOKUP:
+      return SSL_AD_INTERNAL_ERROR;
+
+    case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+    case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+    case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+    case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+    case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+    case X509_V_ERR_INVALID_CA:
+      return SSL_AD_UNKNOWN_CA;
+
+    case X509_V_ERR_APPLICATION_VERIFICATION:
+      return SSL_AD_HANDSHAKE_FAILURE;
+
+    case X509_V_ERR_INVALID_PURPOSE:
+      return SSL_AD_UNSUPPORTED_CERTIFICATE;
+
+    default:
+      return SSL_AD_CERTIFICATE_UNKNOWN;
+  }
+}
+
+static int ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session,
+                                                     SSL *ssl,
+                                                     uint8_t *out_alert) {
+  *out_alert = SSL_AD_INTERNAL_ERROR;
+  STACK_OF(X509) *const cert_chain = session->x509_chain;
+  if (cert_chain == NULL || sk_X509_num(cert_chain) == 0) {
+    return 0;
+  }
+
+  X509_STORE *verify_store = ssl->ctx->cert_store;
+  if (ssl->cert->verify_store != NULL) {
+    verify_store = ssl->cert->verify_store;
+  }
+
+  X509 *leaf = sk_X509_value(cert_chain, 0);
+  ScopedX509_STORE_CTX ctx;
+  if (!X509_STORE_CTX_init(ctx.get(), verify_store, leaf, cert_chain)) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
+    return 0;
+  }
+  if (!X509_STORE_CTX_set_ex_data(ctx.get(),
+                                  SSL_get_ex_data_X509_STORE_CTX_idx(), ssl)) {
+    return 0;
+  }
+
+  // We need to inherit the verify parameters. These can be determined by the
+  // context: if its a server it will verify SSL client certificates or vice
+  // versa.
+  X509_STORE_CTX_set_default(ctx.get(),
+                             ssl->server ? "ssl_client" : "ssl_server");
+
+  // Anything non-default in "param" should overwrite anything in the ctx.
+  X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(ctx.get()), ssl->param);
+
+  if (ssl->verify_callback) {
+    X509_STORE_CTX_set_verify_cb(ctx.get(), ssl->verify_callback);
+  }
+
+  int verify_ret;
+  if (ssl->ctx->app_verify_callback != NULL) {
+    verify_ret =
+        ssl->ctx->app_verify_callback(ctx.get(), ssl->ctx->app_verify_arg);
+  } else {
+    verify_ret = X509_verify_cert(ctx.get());
+  }
+
+  session->verify_result = ctx->error;
+
+  // If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result.
+  if (verify_ret <= 0 && ssl->verify_mode != SSL_VERIFY_NONE) {
+    *out_alert = ssl_verify_alarm_type(ctx->error);
+    return 0;
+  }
+
+  ERR_clear_error();
+  return 1;
+}
+
+static void ssl_crypto_x509_hs_flush_cached_ca_names(SSL_HANDSHAKE *hs) {
+  sk_X509_NAME_pop_free(hs->cached_x509_ca_names, X509_NAME_free);
+  hs->cached_x509_ca_names = NULL;
+}
+
+static int ssl_crypto_x509_ssl_new(SSL *ssl) {
+  ssl->param = X509_VERIFY_PARAM_new();
+  if (ssl->param == NULL) {
+    return 0;
+  }
+  X509_VERIFY_PARAM_inherit(ssl->param, ssl->ctx->param);
+  return 1;
+}
+
+static void ssl_crypto_x509_ssl_flush_cached_client_CA(SSL *ssl) {
+  sk_X509_NAME_pop_free(ssl->cached_x509_client_CA, X509_NAME_free);
+  ssl->cached_x509_client_CA = NULL;
+}
+
+static void ssl_crypto_x509_ssl_free(SSL *ssl) {
+  ssl_crypto_x509_ssl_flush_cached_client_CA(ssl);
+  X509_VERIFY_PARAM_free(ssl->param);
+}
+
+static int ssl_crypto_x509_ssl_auto_chain_if_needed(SSL *ssl) {
+  // Only build a chain if there are no intermediates configured and the feature
+  // isn't disabled.
+  if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) ||
+      !ssl_has_certificate(ssl) ||
+      ssl->cert->chain == NULL ||
+      sk_CRYPTO_BUFFER_num(ssl->cert->chain) > 1) {
+    return 1;
+  }
+
+  UniquePtr<X509> leaf(
+      X509_parse_from_buffer(sk_CRYPTO_BUFFER_value(ssl->cert->chain, 0)));
+  if (!leaf) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
+    return 0;
+  }
+
+  ScopedX509_STORE_CTX ctx;
+  if (!X509_STORE_CTX_init(ctx.get(), ssl->ctx->cert_store, leaf.get(), NULL)) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
+    return 0;
+  }
+
+  // Attempt to build a chain, ignoring the result.
+  X509_verify_cert(ctx.get());
+  ERR_clear_error();
+
+  // Remove the leaf from the generated chain.
+  X509_free(sk_X509_shift(ctx->chain));
+
+  if (!ssl_cert_set_chain(ssl->cert, ctx->chain)) {
+    return 0;
+  }
+
+  ssl_crypto_x509_cert_flush_cached_chain(ssl->cert);
+
+  return 1;
+}
+
+static void ssl_crypto_x509_ssl_ctx_flush_cached_client_CA(SSL_CTX *ctx) {
+  sk_X509_NAME_pop_free(ctx->cached_x509_client_CA, X509_NAME_free);
+  ctx->cached_x509_client_CA = NULL;
+}
+
+static int ssl_crypto_x509_ssl_ctx_new(SSL_CTX *ctx) {
+  ctx->cert_store = X509_STORE_new();
+  ctx->param = X509_VERIFY_PARAM_new();
+  return (ctx->cert_store != NULL && ctx->param != NULL);
+}
+
+static void ssl_crypto_x509_ssl_ctx_free(SSL_CTX *ctx) {
+  ssl_crypto_x509_ssl_ctx_flush_cached_client_CA(ctx);
+  X509_VERIFY_PARAM_free(ctx->param);
+  X509_STORE_free(ctx->cert_store);
+}
+
+const SSL_X509_METHOD ssl_crypto_x509_method = {
+  ssl_crypto_x509_check_client_CA_list,
+  ssl_crypto_x509_cert_clear,
+  ssl_crypto_x509_cert_free,
+  ssl_crypto_x509_cert_dup,
+  ssl_crypto_x509_cert_flush_cached_chain,
+  ssl_crypto_x509_cert_flush_cached_leaf,
+  ssl_crypto_x509_session_cache_objects,
+  ssl_crypto_x509_session_dup,
+  ssl_crypto_x509_session_clear,
+  ssl_crypto_x509_session_verify_cert_chain,
+  ssl_crypto_x509_hs_flush_cached_ca_names,
+  ssl_crypto_x509_ssl_new,
+  ssl_crypto_x509_ssl_free,
+  ssl_crypto_x509_ssl_flush_cached_client_CA,
+  ssl_crypto_x509_ssl_auto_chain_if_needed,
+  ssl_crypto_x509_ssl_ctx_new,
+  ssl_crypto_x509_ssl_ctx_free,
+  ssl_crypto_x509_ssl_ctx_flush_cached_client_CA,
+};
+
+}  // namespace bssl
+
+using namespace bssl;
+
 X509 *SSL_get_peer_certificate(const SSL *ssl) {
+  check_ssl_x509_method(ssl);
   if (ssl == NULL) {
     return NULL;
   }
@@ -167,6 +591,7 @@ X509 *SSL_get_peer_certificate(const SSL *ssl) {
 }
 
 STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) {
+  check_ssl_x509_method(ssl);
   if (ssl == NULL) {
     return NULL;
   }
@@ -180,8 +605,8 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) {
     return session->x509_chain;
   }
 
-  /* OpenSSL historically didn't include the leaf certificate in the returned
-   * certificate chain, but only for servers. */
+  // OpenSSL historically didn't include the leaf certificate in the returned
+  // certificate chain, but only for servers.
   if (session->x509_chain_without_leaf == NULL) {
     session->x509_chain_without_leaf = sk_X509_new_null();
     if (session->x509_chain_without_leaf == NULL) {
@@ -203,6 +628,7 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) {
 }
 
 STACK_OF(X509) *SSL_get_peer_full_cert_chain(const SSL *ssl) {
+  check_ssl_x509_method(ssl);
   SSL_SESSION *session = SSL_get_session(ssl);
   if (session == NULL) {
     return NULL;
@@ -212,54 +638,74 @@ STACK_OF(X509) *SSL_get_peer_full_cert_chain(const SSL *ssl) {
 }
 
 int SSL_CTX_set_purpose(SSL_CTX *ctx, int purpose) {
+  check_ssl_ctx_x509_method(ctx);
   return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose);
 }
 
 int SSL_set_purpose(SSL *ssl, int purpose) {
+  check_ssl_x509_method(ssl);
   return X509_VERIFY_PARAM_set_purpose(ssl->param, purpose);
 }
 
 int SSL_CTX_set_trust(SSL_CTX *ctx, int trust) {
+  check_ssl_ctx_x509_method(ctx);
   return X509_VERIFY_PARAM_set_trust(ctx->param, trust);
 }
 
 int SSL_set_trust(SSL *ssl, int trust) {
+  check_ssl_x509_method(ssl);
   return X509_VERIFY_PARAM_set_trust(ssl->param, trust);
 }
 
 int SSL_CTX_set1_param(SSL_CTX *ctx, const X509_VERIFY_PARAM *param) {
+  check_ssl_ctx_x509_method(ctx);
   return X509_VERIFY_PARAM_set1(ctx->param, param);
 }
 
 int SSL_set1_param(SSL *ssl, const X509_VERIFY_PARAM *param) {
+  check_ssl_x509_method(ssl);
   return X509_VERIFY_PARAM_set1(ssl->param, param);
 }
 
-X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx) { return ctx->param; }
+X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx) {
+  check_ssl_ctx_x509_method(ctx);
+  return ctx->param;
+}
 
-X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl) { return ssl->param; }
+X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl) {
+  check_ssl_x509_method(ssl);
+  return ssl->param;
+}
 
 int SSL_get_verify_depth(const SSL *ssl) {
+  check_ssl_x509_method(ssl);
   return X509_VERIFY_PARAM_get_depth(ssl->param);
 }
 
 int (*SSL_get_verify_callback(const SSL *ssl))(int, X509_STORE_CTX *) {
+  check_ssl_x509_method(ssl);
   return ssl->verify_callback;
 }
 
-int SSL_CTX_get_verify_mode(const SSL_CTX *ctx) { return ctx->verify_mode; }
+int SSL_CTX_get_verify_mode(const SSL_CTX *ctx) {
+  check_ssl_ctx_x509_method(ctx);
+  return ctx->verify_mode;
+}
 
 int SSL_CTX_get_verify_depth(const SSL_CTX *ctx) {
+  check_ssl_ctx_x509_method(ctx);
   return X509_VERIFY_PARAM_get_depth(ctx->param);
 }
 
 int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(
     int ok, X509_STORE_CTX *store_ctx) {
+  check_ssl_ctx_x509_method(ctx);
   return ctx->default_verify_callback;
 }
 
 void SSL_set_verify(SSL *ssl, int mode,
                     int (*callback)(int ok, X509_STORE_CTX *store_ctx)) {
+  check_ssl_x509_method(ssl);
   ssl->verify_mode = mode;
   if (callback != NULL) {
     ssl->verify_callback = callback;
@@ -267,6 +713,7 @@ void SSL_set_verify(SSL *ssl, int mode,
 }
 
 void SSL_set_verify_depth(SSL *ssl, int depth) {
+  check_ssl_x509_method(ssl);
   X509_VERIFY_PARAM_set_depth(ssl->param, depth);
 }
 
@@ -274,36 +721,43 @@ void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
                                       int (*cb)(X509_STORE_CTX *store_ctx,
                                                 void *arg),
                                       void *arg) {
+  check_ssl_ctx_x509_method(ctx);
   ctx->app_verify_callback = cb;
   ctx->app_verify_arg = arg;
 }
 
 void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
                         int (*cb)(int, X509_STORE_CTX *)) {
+  check_ssl_ctx_x509_method(ctx);
   ctx->verify_mode = mode;
   ctx->default_verify_callback = cb;
 }
 
 void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth) {
+  check_ssl_ctx_x509_method(ctx);
   X509_VERIFY_PARAM_set_depth(ctx->param, depth);
 }
 
 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) {
+  check_ssl_ctx_x509_method(ctx);
   return X509_STORE_set_default_paths(ctx->cert_store);
 }
 
 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *ca_file,
                                   const char *ca_dir) {
+  check_ssl_ctx_x509_method(ctx);
   return X509_STORE_load_locations(ctx->cert_store, ca_file, ca_dir);
 }
 
 void SSL_set_verify_result(SSL *ssl, long result) {
+  check_ssl_x509_method(ssl);
   if (result != X509_V_OK) {
     abort();
   }
 }
 
 long SSL_get_verify_result(const SSL *ssl) {
+  check_ssl_x509_method(ssl);
   SSL_SESSION *session = SSL_get_session(ssl);
   if (session == NULL) {
     return X509_V_ERR_INVALID_CALL;
@@ -312,154 +766,42 @@ long SSL_get_verify_result(const SSL *ssl) {
 }
 
 X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx) {
+  check_ssl_ctx_x509_method(ctx);
   return ctx->cert_store;
 }
 
 void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store) {
+  check_ssl_ctx_x509_method(ctx);
   X509_STORE_free(ctx->cert_store);
   ctx->cert_store = store;
 }
 
-static void ssl_crypto_x509_flush_cached_leaf(CERT *cert) {
-  X509_free(cert->x509_leaf);
-  cert->x509_leaf = NULL;
-}
-
-static void ssl_crypto_x509_flush_cached_chain(CERT *cert) {
-  sk_X509_pop_free(cert->x509_chain, X509_free);
-  cert->x509_chain = NULL;
-}
-
-static void ssl_crypto_x509_clear(CERT *cert) {
-  ssl_crypto_x509_flush_cached_leaf(cert);
-  ssl_crypto_x509_flush_cached_chain(cert);
-
-  X509_free(cert->x509_stash);
-  cert->x509_stash = NULL;
-}
-
-static int ssl_crypto_x509_session_cache_objects(SSL_SESSION *sess) {
-  STACK_OF(X509) *chain = NULL;
-  const size_t num_certs = sk_CRYPTO_BUFFER_num(sess->certs);
-
-  if (num_certs > 0) {
-    chain = sk_X509_new_null();
-    if (chain == NULL) {
-      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
-      goto err;
-    }
-  }
-
-  X509 *leaf = NULL;
-  for (size_t i = 0; i < num_certs; i++) {
-    X509 *x509 = X509_parse_from_buffer(sk_CRYPTO_BUFFER_value(sess->certs, i));
-    if (x509 == NULL) {
-      OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
-      goto err;
-    }
-    if (!sk_X509_push(chain, x509)) {
-      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
-      X509_free(x509);
-      goto err;
-    }
-    if (i == 0) {
-      leaf = x509;
-    }
-  }
-
-  sk_X509_pop_free(sess->x509_chain, X509_free);
-  sess->x509_chain = chain;
-  sk_X509_pop_free(sess->x509_chain_without_leaf, X509_free);
-  sess->x509_chain_without_leaf = NULL;
-
-  X509_free(sess->x509_peer);
-  if (leaf != NULL) {
-    X509_up_ref(leaf);
-  }
-  sess->x509_peer = leaf;
-
-  return 1;
-
-err:
-  sk_X509_pop_free(chain, X509_free);
-  return 0;
-}
-
-static int ssl_crypto_x509_session_dup(SSL_SESSION *new_session,
-                                       const SSL_SESSION *session) {
-  if (session->x509_peer != NULL) {
-    X509_up_ref(session->x509_peer);
-    new_session->x509_peer = session->x509_peer;
-  }
-  if (session->x509_chain != NULL) {
-    new_session->x509_chain = X509_chain_up_ref(session->x509_chain);
-    if (new_session->x509_chain == NULL) {
-      return 0;
-    }
-  }
-
-  return 1;
-}
-
-static void ssl_crypto_x509_session_clear(SSL_SESSION *session) {
-  X509_free(session->x509_peer);
-  session->x509_peer = NULL;
-  sk_X509_pop_free(session->x509_chain, X509_free);
-  session->x509_chain = NULL;
-  sk_X509_pop_free(session->x509_chain_without_leaf, X509_free);
-  session->x509_chain_without_leaf = NULL;
-}
-
-const SSL_X509_METHOD ssl_crypto_x509_method = {
-  ssl_crypto_x509_clear,
-  ssl_crypto_x509_flush_cached_chain,
-  ssl_crypto_x509_flush_cached_leaf,
-  ssl_crypto_x509_session_cache_objects,
-  ssl_crypto_x509_session_dup,
-  ssl_crypto_x509_session_clear,
-};
-
-/* x509_to_buffer returns a |CRYPTO_BUFFER| that contains the serialised
- * contents of |x509|. */
-static CRYPTO_BUFFER *x509_to_buffer(X509 *x509) {
-  uint8_t *buf = NULL;
-  int cert_len = i2d_X509(x509, &buf);
-  if (cert_len <= 0) {
-    return 0;
-  }
-
-  CRYPTO_BUFFER *buffer = CRYPTO_BUFFER_new(buf, cert_len, NULL);
-  OPENSSL_free(buf);
-
-  return buffer;
-}
-
 static int ssl_use_certificate(CERT *cert, X509 *x) {
   if (x == NULL) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
     return 0;
   }
 
-  CRYPTO_BUFFER *buffer = x509_to_buffer(x);
-  if (buffer == NULL) {
+  UniquePtr<CRYPTO_BUFFER> buffer = x509_to_buffer(x);
+  if (!buffer) {
     return 0;
   }
 
-  const int ok = ssl_set_cert(cert, buffer);
-  CRYPTO_BUFFER_free(buffer);
-  return ok;
+  return ssl_set_cert(cert, std::move(buffer));
 }
 
 int SSL_use_certificate(SSL *ssl, X509 *x) {
+  check_ssl_x509_method(ssl);
   return ssl_use_certificate(ssl->cert, x);
 }
 
 int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) {
+  check_ssl_ctx_x509_method(ctx);
   return ssl_use_certificate(ctx->cert, x);
 }
 
-/* ssl_cert_cache_leaf_cert sets |cert->x509_leaf|, if currently NULL, from the
- * first element of |cert->chain|. */
+// ssl_cert_cache_leaf_cert sets |cert->x509_leaf|, if currently NULL, from the
+// first element of |cert->chain|.
 static int ssl_cert_cache_leaf_cert(CERT *cert) {
   assert(cert->x509_method);
 
@@ -487,84 +829,23 @@ static X509 *ssl_cert_get0_leaf(CERT *cert) {
 }
 
 X509 *SSL_get_certificate(const SSL *ssl) {
+  check_ssl_x509_method(ssl);
   return ssl_cert_get0_leaf(ssl->cert);
 }
 
 X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx) {
+  check_ssl_ctx_x509_method(ctx);
+  MutexWriteLock lock(const_cast<CRYPTO_MUTEX*>(&ctx->lock));
   return ssl_cert_get0_leaf(ctx->cert);
 }
 
-/* new_leafless_chain returns a fresh stack of buffers set to {NULL}. */
-static STACK_OF(CRYPTO_BUFFER) *new_leafless_chain(void) {
-  STACK_OF(CRYPTO_BUFFER) *chain = sk_CRYPTO_BUFFER_new_null();
-  if (chain == NULL) {
-    return NULL;
-  }
-
-  if (!sk_CRYPTO_BUFFER_push(chain, NULL)) {
-    sk_CRYPTO_BUFFER_free(chain);
-    return NULL;
-  }
-
-  return chain;
-}
-
-/* ssl_cert_set_chain sets elements 1.. of |cert->chain| to the serialised
- * forms of elements of |chain|. It returns one on success or zero on error, in
- * which case no change to |cert->chain| is made. It preverses the existing
- * leaf from |cert->chain|, if any. */
-static int ssl_cert_set_chain(CERT *cert, STACK_OF(X509) *chain) {
-  STACK_OF(CRYPTO_BUFFER) *new_chain = NULL;
-
-  if (cert->chain != NULL) {
-    new_chain = sk_CRYPTO_BUFFER_new_null();
-    if (new_chain == NULL) {
-      return 0;
-    }
-
-    CRYPTO_BUFFER *leaf = sk_CRYPTO_BUFFER_value(cert->chain, 0);
-    if (!sk_CRYPTO_BUFFER_push(new_chain, leaf)) {
-      goto err;
-    }
-    /* |leaf| might be NULL if it's a “leafless” chain. */
-    if (leaf != NULL) {
-      CRYPTO_BUFFER_up_ref(leaf);
-    }
-  }
-
-  for (size_t i = 0; i < sk_X509_num(chain); i++) {
-    if (new_chain == NULL) {
-      new_chain = new_leafless_chain();
-      if (new_chain == NULL) {
-        goto err;
-      }
-    }
-
-    CRYPTO_BUFFER *buffer = x509_to_buffer(sk_X509_value(chain, i));
-    if (buffer == NULL ||
-        !sk_CRYPTO_BUFFER_push(new_chain, buffer)) {
-      CRYPTO_BUFFER_free(buffer);
-      goto err;
-    }
-  }
-
-  sk_CRYPTO_BUFFER_pop_free(cert->chain, CRYPTO_BUFFER_free);
-  cert->chain = new_chain;
-
-  return 1;
-
-err:
-  sk_CRYPTO_BUFFER_pop_free(new_chain, CRYPTO_BUFFER_free);
-  return 0;
-}
-
 static int ssl_cert_set0_chain(CERT *cert, STACK_OF(X509) *chain) {
   if (!ssl_cert_set_chain(cert, chain)) {
     return 0;
   }
 
   sk_X509_pop_free(chain, X509_free);
-  ssl_crypto_x509_flush_cached_chain(cert);
+  ssl_crypto_x509_cert_flush_cached_chain(cert);
   return 1;
 }
 
@@ -573,31 +854,25 @@ static int ssl_cert_set1_chain(CERT *cert, STACK_OF(X509) *chain) {
     return 0;
   }
 
-  ssl_crypto_x509_flush_cached_chain(cert);
+  ssl_crypto_x509_cert_flush_cached_chain(cert);
   return 1;
 }
 
 static int ssl_cert_append_cert(CERT *cert, X509 *x509) {
   assert(cert->x509_method);
 
-  CRYPTO_BUFFER *buffer = x509_to_buffer(x509);
-  if (buffer == NULL) {
+  UniquePtr<CRYPTO_BUFFER> buffer = x509_to_buffer(x509);
+  if (!buffer) {
     return 0;
   }
 
   if (cert->chain != NULL) {
-    if (!sk_CRYPTO_BUFFER_push(cert->chain, buffer)) {
-      CRYPTO_BUFFER_free(buffer);
-      return 0;
-    }
-
-    return 1;
+    return PushToStack(cert->chain, std::move(buffer));
   }
 
   cert->chain = new_leafless_chain();
   if (cert->chain == NULL ||
-      !sk_CRYPTO_BUFFER_push(cert->chain, buffer)) {
-    CRYPTO_BUFFER_free(buffer);
+      !PushToStack(cert->chain, std::move(buffer))) {
     sk_CRYPTO_BUFFER_free(cert->chain);
     cert->chain = NULL;
     return 0;
@@ -613,7 +888,7 @@ static int ssl_cert_add0_chain_cert(CERT *cert, X509 *x509) {
 
   X509_free(cert->x509_stash);
   cert->x509_stash = x509;
-  ssl_crypto_x509_flush_cached_chain(cert);
+  ssl_crypto_x509_cert_flush_cached_chain(cert);
   return 1;
 }
 
@@ -622,103 +897,72 @@ static int ssl_cert_add1_chain_cert(CERT *cert, X509 *x509) {
     return 0;
   }
 
-  ssl_crypto_x509_flush_cached_chain(cert);
+  ssl_crypto_x509_cert_flush_cached_chain(cert);
   return 1;
 }
 
 int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) {
+  check_ssl_ctx_x509_method(ctx);
   return ssl_cert_set0_chain(ctx->cert, chain);
 }
 
 int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) {
+  check_ssl_ctx_x509_method(ctx);
   return ssl_cert_set1_chain(ctx->cert, chain);
 }
 
 int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain) {
+  check_ssl_x509_method(ssl);
   return ssl_cert_set0_chain(ssl->cert, chain);
 }
 
 int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain) {
+  check_ssl_x509_method(ssl);
   return ssl_cert_set1_chain(ssl->cert, chain);
 }
 
 int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509) {
+  check_ssl_ctx_x509_method(ctx);
   return ssl_cert_add0_chain_cert(ctx->cert, x509);
 }
 
 int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509) {
+  check_ssl_ctx_x509_method(ctx);
   return ssl_cert_add1_chain_cert(ctx->cert, x509);
 }
 
 int SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509) {
+  check_ssl_ctx_x509_method(ctx);
   return SSL_CTX_add0_chain_cert(ctx, x509);
 }
 
 int SSL_add0_chain_cert(SSL *ssl, X509 *x509) {
+  check_ssl_x509_method(ssl);
   return ssl_cert_add0_chain_cert(ssl->cert, x509);
 }
 
 int SSL_add1_chain_cert(SSL *ssl, X509 *x509) {
+  check_ssl_x509_method(ssl);
   return ssl_cert_add1_chain_cert(ssl->cert, x509);
 }
 
 int SSL_CTX_clear_chain_certs(SSL_CTX *ctx) {
+  check_ssl_ctx_x509_method(ctx);
   return SSL_CTX_set0_chain(ctx, NULL);
 }
 
 int SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx) {
+  check_ssl_ctx_x509_method(ctx);
   return SSL_CTX_clear_chain_certs(ctx);
 }
 
 int SSL_clear_chain_certs(SSL *ssl) {
+  check_ssl_x509_method(ssl);
   return SSL_set0_chain(ssl, NULL);
 }
 
-int ssl_auto_chain_if_needed(SSL *ssl) {
-  /* Only build a chain if there are no intermediates configured and the feature
-   * isn't disabled. */
-  if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) ||
-      !ssl_has_certificate(ssl) ||
-      ssl->cert->chain == NULL ||
-      sk_CRYPTO_BUFFER_num(ssl->cert->chain) > 1) {
-    return 1;
-  }
-
-  X509 *leaf =
-      X509_parse_from_buffer(sk_CRYPTO_BUFFER_value(ssl->cert->chain, 0));
-  if (!leaf) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
-    return 0;
-  }
-
-  X509_STORE_CTX ctx;
-  if (!X509_STORE_CTX_init(&ctx, ssl->ctx->cert_store, leaf, NULL)) {
-    X509_free(leaf);
-    OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
-    return 0;
-  }
-
-  /* Attempt to build a chain, ignoring the result. */
-  X509_verify_cert(&ctx);
-  X509_free(leaf);
-  ERR_clear_error();
-
-  /* Remove the leaf from the generated chain. */
-  X509_free(sk_X509_shift(ctx.chain));
-
-  const int ok = ssl_cert_set_chain(ssl->cert, ctx.chain);
-  X509_STORE_CTX_cleanup(&ctx);
-  if (!ok) {
-    return 0;
-  }
-
-  ssl_crypto_x509_flush_cached_chain(ssl->cert);
-
-  return 1;
-}
-
-/* ssl_cert_cache_chain_certs fills in |cert->x509_chain| from elements 1.. of
- * |cert->chain|. */
+// ssl_cert_cache_chain_certs fills in |cert->x509_chain| from elements 1.. of
+// |cert->chain|.
 static int ssl_cert_cache_chain_certs(CERT *cert) {
   assert(cert->x509_method);
 
@@ -728,30 +972,27 @@ static int ssl_cert_cache_chain_certs(CERT *cert) {
     return 1;
   }
 
-  STACK_OF(X509) *chain = sk_X509_new_null();
-  if (chain == NULL) {
+  UniquePtr<STACK_OF(X509)> chain(sk_X509_new_null());
+  if (!chain) {
     return 0;
   }
 
   for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(cert->chain); i++) {
     CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(cert->chain, i);
-    X509 *x509 = X509_parse_from_buffer(buffer);
-    if (x509 == NULL ||
-        !sk_X509_push(chain, x509)) {
-      X509_free(x509);
-      goto err;
+    UniquePtr<X509> x509(X509_parse_from_buffer(buffer));
+    if (!x509 ||
+        !PushToStack(chain.get(), std::move(x509))) {
+      return 0;
     }
   }
 
-  cert->x509_chain = chain;
+  cert->x509_chain = chain.release();
   return 1;
-
-err:
-  sk_X509_pop_free(chain, X509_free);
-  return 0;
 }
 
 int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) {
+  check_ssl_ctx_x509_method(ctx);
+  MutexWriteLock lock(const_cast<CRYPTO_MUTEX*>(&ctx->lock));
   if (!ssl_cert_cache_chain_certs(ctx->cert)) {
     *out_chain = NULL;
     return 0;
@@ -767,6 +1008,7 @@ int SSL_CTX_get_extra_chain_certs(const SSL_CTX *ctx,
 }
 
 int SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) {
+  check_ssl_x509_method(ssl);
   if (!ssl_cert_cache_chain_certs(ssl->cert)) {
     *out_chain = NULL;
     return 0;
@@ -777,7 +1019,7 @@ int SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) {
 }
 
 static SSL_SESSION *ssl_session_new_with_crypto_x509(void) {
-  return ssl_session_new(&ssl_crypto_x509_method);
+  return ssl_session_new(&ssl_crypto_x509_method).release();
 }
 
 SSL_SESSION *d2i_SSL_SESSION_bio(BIO *bio, SSL_SESSION **out) {
@@ -800,16 +1042,258 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const uint8_t **pp, long length) {
   CBS cbs;
   CBS_init(&cbs, *pp, length);
 
-  SSL_SESSION *ret = SSL_SESSION_parse(&cbs, &ssl_crypto_x509_method,
-                                       NULL /* no buffer pool */);
-  if (ret == NULL) {
+  UniquePtr<SSL_SESSION> ret = SSL_SESSION_parse(&cbs, &ssl_crypto_x509_method,
+                                                 NULL /* no buffer pool */);
+  if (!ret) {
     return NULL;
   }
 
   if (a) {
     SSL_SESSION_free(*a);
-    *a = ret;
+    *a = ret.get();
   }
   *pp = CBS_data(&cbs);
-  return ret;
+  return ret.release();
+}
+
+STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *list) {
+  return sk_X509_NAME_deep_copy(list, X509_NAME_dup, X509_NAME_free);
+}
+
+static void set_client_CA_list(STACK_OF(CRYPTO_BUFFER) **ca_list,
+                               const STACK_OF(X509_NAME) *name_list,
+                               CRYPTO_BUFFER_POOL *pool) {
+  UniquePtr<STACK_OF(CRYPTO_BUFFER)> buffers(sk_CRYPTO_BUFFER_new_null());
+  if (!buffers) {
+    return;
+  }
+
+  for (X509_NAME *name : name_list) {
+    uint8_t *outp = NULL;
+    int len = i2d_X509_NAME(name, &outp);
+    if (len < 0) {
+      return;
+    }
+
+    UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new(outp, len, pool));
+    OPENSSL_free(outp);
+    if (!buffer ||
+        !PushToStack(buffers.get(), std::move(buffer))) {
+      return;
+    }
+  }
+
+  sk_CRYPTO_BUFFER_pop_free(*ca_list, CRYPTO_BUFFER_free);
+  *ca_list = buffers.release();
+}
+
+void SSL_set_client_CA_list(SSL *ssl, STACK_OF(X509_NAME) *name_list) {
+  check_ssl_x509_method(ssl);
+  ssl->ctx->x509_method->ssl_flush_cached_client_CA(ssl);
+  set_client_CA_list(&ssl->client_CA, name_list, ssl->ctx->pool);
+  sk_X509_NAME_pop_free(name_list, X509_NAME_free);
+}
+
+void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) {
+  check_ssl_ctx_x509_method(ctx);
+  ctx->x509_method->ssl_ctx_flush_cached_client_CA(ctx);
+  set_client_CA_list(&ctx->client_CA, name_list, ctx->pool);
+  sk_X509_NAME_pop_free(name_list, X509_NAME_free);
+}
+
+static STACK_OF(X509_NAME) *
+    buffer_names_to_x509(const STACK_OF(CRYPTO_BUFFER) *names,
+                         STACK_OF(X509_NAME) **cached) {
+  if (names == NULL) {
+    return NULL;
+  }
+
+  if (*cached != NULL) {
+    return *cached;
+  }
+
+  UniquePtr<STACK_OF(X509_NAME)> new_cache(sk_X509_NAME_new_null());
+  if (!new_cache) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
+    return NULL;
+  }
+
+  for (const CRYPTO_BUFFER *buffer : names) {
+    const uint8_t *inp = CRYPTO_BUFFER_data(buffer);
+    UniquePtr<X509_NAME> name(
+        d2i_X509_NAME(nullptr, &inp, CRYPTO_BUFFER_len(buffer)));
+    if (!name ||
+        inp != CRYPTO_BUFFER_data(buffer) + CRYPTO_BUFFER_len(buffer) ||
+        !PushToStack(new_cache.get(), std::move(name))) {
+      return NULL;
+    }
+  }
+
+  *cached = new_cache.release();
+  return *cached;
+}
+
+STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl) {
+  check_ssl_x509_method(ssl);
+  // For historical reasons, this function is used both to query configuration
+  // state on a server as well as handshake state on a client. However, whether
+  // |ssl| is a client or server is not known until explicitly configured with
+  // |SSL_set_connect_state|. If |do_handshake| is NULL, |ssl| is in an
+  // indeterminate mode and |ssl->server| is unset.
+  if (ssl->do_handshake != NULL && !ssl->server) {
+    if (ssl->s3->hs != NULL) {
+      return buffer_names_to_x509(ssl->s3->hs->ca_names.get(),
+                                  &ssl->s3->hs->cached_x509_ca_names);
+    }
+
+    return NULL;
+  }
+
+  if (ssl->client_CA != NULL) {
+    return buffer_names_to_x509(
+        ssl->client_CA, (STACK_OF(X509_NAME) **)&ssl->cached_x509_client_CA);
+  }
+  return SSL_CTX_get_client_CA_list(ssl->ctx);
+}
+
+STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) {
+  check_ssl_ctx_x509_method(ctx);
+  // This is a logically const operation that may be called on multiple threads,
+  // so it needs to lock around updating |cached_x509_client_CA|.
+  MutexWriteLock lock(const_cast<CRYPTO_MUTEX *>(&ctx->lock));
+  return buffer_names_to_x509(
+      ctx->client_CA,
+      const_cast<STACK_OF(X509_NAME) **>(&ctx->cached_x509_client_CA));
+}
+
+static int add_client_CA(STACK_OF(CRYPTO_BUFFER) **names, X509 *x509,
+                         CRYPTO_BUFFER_POOL *pool) {
+  if (x509 == NULL) {
+    return 0;
+  }
+
+  uint8_t *outp = NULL;
+  int len = i2d_X509_NAME(X509_get_subject_name(x509), &outp);
+  if (len < 0) {
+    return 0;
+  }
+
+  UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new(outp, len, pool));
+  OPENSSL_free(outp);
+  if (!buffer) {
+    return 0;
+  }
+
+  int alloced = 0;
+  if (*names == NULL) {
+    *names = sk_CRYPTO_BUFFER_new_null();
+    alloced = 1;
+
+    if (*names == NULL) {
+      return 0;
+    }
+  }
+
+  if (!PushToStack(*names, std::move(buffer))) {
+    if (alloced) {
+      sk_CRYPTO_BUFFER_pop_free(*names, CRYPTO_BUFFER_free);
+      *names = NULL;
+    }
+    return 0;
+  }
+
+  return 1;
+}
+
+int SSL_add_client_CA(SSL *ssl, X509 *x509) {
+  check_ssl_x509_method(ssl);
+  if (!add_client_CA(&ssl->client_CA, x509, ssl->ctx->pool)) {
+    return 0;
+  }
+
+  ssl_crypto_x509_ssl_flush_cached_client_CA(ssl);
+  return 1;
+}
+
+int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x509) {
+  check_ssl_ctx_x509_method(ctx);
+  if (!add_client_CA(&ctx->client_CA, x509, ctx->pool)) {
+    return 0;
+  }
+
+  ssl_crypto_x509_ssl_ctx_flush_cached_client_CA(ctx);
+  return 1;
+}
+
+static int do_client_cert_cb(SSL *ssl, void *arg) {
+  if (ssl_has_certificate(ssl) || ssl->ctx->client_cert_cb == NULL) {
+    return 1;
+  }
+
+  X509 *x509 = NULL;
+  EVP_PKEY *pkey = NULL;
+  int ret = ssl->ctx->client_cert_cb(ssl, &x509, &pkey);
+  if (ret < 0) {
+    return -1;
+  }
+  UniquePtr<X509> free_x509(x509);
+  UniquePtr<EVP_PKEY> free_pkey(pkey);
+
+  if (ret != 0) {
+    if (!SSL_use_certificate(ssl, x509) ||
+        !SSL_use_PrivateKey(ssl, pkey)) {
+      return 0;
+    }
+  }
+
+  return 1;
+}
+
+void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl,
+                                                        X509 **out_x509,
+                                                        EVP_PKEY **out_pkey)) {
+  check_ssl_ctx_x509_method(ctx);
+  // Emulate the old client certificate callback with the new one.
+  SSL_CTX_set_cert_cb(ctx, do_client_cert_cb, NULL);
+  ctx->client_cert_cb = cb;
+}
+
+static int set_cert_store(X509_STORE **store_ptr, X509_STORE *new_store,
+                          int take_ref) {
+  X509_STORE_free(*store_ptr);
+  *store_ptr = new_store;
+
+  if (new_store != NULL && take_ref) {
+    X509_STORE_up_ref(new_store);
+  }
+
+  return 1;
+}
+
+int SSL_get_ex_data_X509_STORE_CTX_idx(void) {
+  // The ex_data index to go from |X509_STORE_CTX| to |SSL| always uses the
+  // reserved app_data slot. Before ex_data was introduced, app_data was used.
+  // Avoid breaking any software which assumes |X509_STORE_CTX_get_app_data|
+  // works.
+  return 0;
+}
+
+int SSL_CTX_set0_verify_cert_store(SSL_CTX *ctx, X509_STORE *store) {
+  check_ssl_ctx_x509_method(ctx);
+  return set_cert_store(&ctx->cert->verify_store, store, 0);
+}
+
+int SSL_CTX_set1_verify_cert_store(SSL_CTX *ctx, X509_STORE *store) {
+  check_ssl_ctx_x509_method(ctx);
+  return set_cert_store(&ctx->cert->verify_store, store, 1);
+}
+
+int SSL_set0_verify_cert_store(SSL *ssl, X509_STORE *store) {
+  check_ssl_x509_method(ssl);
+  return set_cert_store(&ssl->cert->verify_store, store, 0);
+}
+
+int SSL_set1_verify_cert_store(SSL *ssl, X509_STORE *store) {
+  check_ssl_x509_method(ssl);
+  return set_cert_store(&ssl->cert->verify_store, store, 1);
 }