grpc 1.9.1 → 1.10.0.pre1

data/third_party/boringssl/ssl/{tls13_both.c → tls13_both.cc}

@@ -17,108 +17,46 @@
 #include <assert.h>
 #include <string.h>
 
+#include <utility>
+
 #include <openssl/bytestring.h>
 #include <openssl/err.h>
 #include <openssl/hkdf.h>
 #include <openssl/mem.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
-#include <openssl/x509v3.h>
 
 #include "../crypto/internal.h"
 #include "internal.h"
 
 
-/* kMaxKeyUpdates is the number of consecutive KeyUpdates that will be
- * processed. Without this limit an attacker could force unbounded processing
- * without being able to return application data. */
-static const uint8_t kMaxKeyUpdates = 32;
-
-int tls13_handshake(SSL_HANDSHAKE *hs) {
-  SSL *const ssl = hs->ssl;
-  for (;;) {
-    /* Resolve the operation the handshake was waiting on. */
-    switch (hs->wait) {
-      case ssl_hs_error:
-        OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
-        return -1;
-
-      case ssl_hs_flush:
-      case ssl_hs_flush_and_read_message: {
-        int ret = ssl->method->flush_flight(ssl);
-        if (ret <= 0) {
-          return ret;
-        }
-        if (hs->wait != ssl_hs_flush_and_read_message) {
-          break;
-        }
-        ssl->method->expect_flight(ssl);
-        hs->wait = ssl_hs_read_message;
-        /* Fall-through. */
-      }
-
-      case ssl_hs_read_message: {
-        int ret = ssl->method->ssl_get_message(ssl);
-        if (ret <= 0) {
-          return ret;
-        }
-        break;
-      }
-
-      case ssl_hs_x509_lookup:
-        ssl->rwstate = SSL_X509_LOOKUP;
-        hs->wait = ssl_hs_ok;
-        return -1;
-
-      case ssl_hs_channel_id_lookup:
-        ssl->rwstate = SSL_CHANNEL_ID_LOOKUP;
-        hs->wait = ssl_hs_ok;
-        return -1;
-
-      case ssl_hs_private_key_operation:
-        ssl->rwstate = SSL_PRIVATE_KEY_OPERATION;
-        hs->wait = ssl_hs_ok;
-        return -1;
-
-      case ssl_hs_ok:
-        break;
-    }
-
-    /* Run the state machine again. */
-    hs->wait = hs->do_tls13_handshake(hs);
-    if (hs->wait == ssl_hs_error) {
-      /* Don't loop around to avoid a stray |SSL_R_SSL_HANDSHAKE_FAILURE| the
-       * first time around. */
-      return -1;
-    }
-    if (hs->wait == ssl_hs_ok) {
-      /* The handshake has completed. */
-      return 1;
-    }
+namespace bssl {
 
-    /* Otherwise, loop to the beginning and resolve what was blocking the
-     * handshake. */
-  }
-}
+// kMaxKeyUpdates is the number of consecutive KeyUpdates that will be
+// processed. Without this limit an attacker could force unbounded processing
+// without being able to return application data.
+static const uint8_t kMaxKeyUpdates = 32;
 
 int tls13_get_cert_verify_signature_input(
     SSL_HANDSHAKE *hs, uint8_t **out, size_t *out_len,
     enum ssl_cert_verify_context_t cert_verify_context) {
-  CBB cbb;
-  if (!CBB_init(&cbb, 64 + 33 + 1 + 2 * EVP_MAX_MD_SIZE)) {
-    goto err;
+  ScopedCBB cbb;
+  if (!CBB_init(cbb.get(), 64 + 33 + 1 + 2 * EVP_MAX_MD_SIZE)) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
+    return 0;
   }
 
   for (size_t i = 0; i < 64; i++) {
-    if (!CBB_add_u8(&cbb, 0x20)) {
-      goto err;
+    if (!CBB_add_u8(cbb.get(), 0x20)) {
+      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
+      return 0;
     }
   }
 
   const uint8_t *context;
   size_t context_len;
   if (cert_verify_context == ssl_cert_verify_server) {
-    /* Include the NUL byte. */
+    // Include the NUL byte.
     static const char kContext[] = "TLS 1.3, server CertificateVerify";
     context = (const uint8_t *)kContext;
     context_len = sizeof(kContext);
@@ -131,59 +69,50 @@ int tls13_get_cert_verify_signature_input(
     context = (const uint8_t *)kContext;
     context_len = sizeof(kContext);
   } else {
-    goto err;
+    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
+    return 0;
   }
 
-  if (!CBB_add_bytes(&cbb, context, context_len)) {
-    goto err;
+  if (!CBB_add_bytes(cbb.get(), context, context_len)) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
+    return 0;
   }
 
   uint8_t context_hash[EVP_MAX_MD_SIZE];
   size_t context_hash_len;
-  if (!SSL_TRANSCRIPT_get_hash(&hs->transcript, context_hash,
-                               &context_hash_len) ||
-      !CBB_add_bytes(&cbb, context_hash, context_hash_len) ||
-      !CBB_finish(&cbb, out, out_len)) {
-    goto err;
+  if (!hs->transcript.GetHash(context_hash, &context_hash_len) ||
+      !CBB_add_bytes(cbb.get(), context_hash, context_hash_len) ||
+      !CBB_finish(cbb.get(), out, out_len)) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
+    return 0;
   }
 
   return 1;
-
-err:
-  OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
-  CBB_cleanup(&cbb);
-  return 0;
 }
 
-int tls13_process_certificate(SSL_HANDSHAKE *hs, int allow_anonymous) {
+int tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg,
+                              int allow_anonymous) {
   SSL *const ssl = hs->ssl;
-  CBS cbs, context, certificate_list;
-  CBS_init(&cbs, ssl->init_msg, ssl->init_num);
-  if (!CBS_get_u8_length_prefixed(&cbs, &context) ||
-      CBS_len(&context) != 0) {
+  CBS body = msg.body, context, certificate_list;
+  if (!CBS_get_u8_length_prefixed(&body, &context) ||
+      CBS_len(&context) != 0 ||
+      !CBS_get_u24_length_prefixed(&body, &certificate_list) ||
+      CBS_len(&body) != 0) {
     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
     return 0;
   }
 
-  const int retain_sha256 =
-      ssl->server && ssl->retain_only_sha256_of_client_certs;
-  int ret = 0;
-
-  EVP_PKEY *pkey = NULL;
-  STACK_OF(CRYPTO_BUFFER) *certs = sk_CRYPTO_BUFFER_new_null();
-  if (certs == NULL) {
+  UniquePtr<STACK_OF(CRYPTO_BUFFER)> certs(sk_CRYPTO_BUFFER_new_null());
+  if (!certs) {
     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
-    goto err;
-  }
-
-  if (!CBS_get_u24_length_prefixed(&cbs, &certificate_list)) {
-    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
-    goto err;
+    return 0;
   }
 
+  const bool retain_sha256 =
+      ssl->server && ssl->retain_only_sha256_of_client_certs;
+  UniquePtr<EVP_PKEY> pkey;
   while (CBS_len(&certificate_list) > 0) {
     CBS certificate, extensions;
     if (!CBS_get_u24_length_prefixed(&certificate_list, &certificate) ||
@@ -191,42 +120,41 @@ int tls13_process_certificate(SSL_HANDSHAKE *hs, int allow_anonymous) {
         CBS_len(&certificate) == 0) {
       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
       OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_LENGTH_MISMATCH);
-      goto err;
+      return 0;
     }
 
-    if (sk_CRYPTO_BUFFER_num(certs) == 0) {
+    if (sk_CRYPTO_BUFFER_num(certs.get()) == 0) {
       pkey = ssl_cert_parse_pubkey(&certificate);
-      if (pkey == NULL) {
+      if (!pkey) {
         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
         OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
-        goto err;
+        return 0;
       }
-      /* TLS 1.3 always uses certificate keys for signing thus the correct
-       * keyUsage is enforced. */
+      // TLS 1.3 always uses certificate keys for signing thus the correct
+      // keyUsage is enforced.
       if (!ssl_cert_check_digital_signature_key_usage(&certificate)) {
         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
-        goto err;
+        return 0;
       }
 
       if (retain_sha256) {
-        /* Retain the hash of the leaf certificate if requested. */
+        // Retain the hash of the leaf certificate if requested.
         SHA256(CBS_data(&certificate), CBS_len(&certificate),
                hs->new_session->peer_sha256);
       }
     }
 
-    CRYPTO_BUFFER *buf =
-        CRYPTO_BUFFER_new_from_CBS(&certificate, ssl->ctx->pool);
-    if (buf == NULL ||
-        !sk_CRYPTO_BUFFER_push(certs, buf)) {
-      CRYPTO_BUFFER_free(buf);
+    UniquePtr<CRYPTO_BUFFER> buf(
+        CRYPTO_BUFFER_new_from_CBS(&certificate, ssl->ctx->pool));
+    if (!buf ||
+        !PushToStack(certs.get(), std::move(buf))) {
       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
-      goto err;
+      return 0;
     }
 
-    /* Parse out the extensions. */
-    int have_status_request = 0, have_sct = 0;
+    // Parse out the extensions.
+    bool have_status_request = false, have_sct = false;
     CBS status_request, sct;
     const SSL_EXTENSION_TYPE ext_types[] = {
         {TLSEXT_TYPE_status_request, &have_status_request, &status_request},
@@ -238,16 +166,16 @@ int tls13_process_certificate(SSL_HANDSHAKE *hs, int allow_anonymous) {
                               OPENSSL_ARRAY_SIZE(ext_types),
                               0 /* reject unknown */)) {
       ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
-      goto err;
+      return 0;
     }
 
-    /* All Certificate extensions are parsed, but only the leaf extensions are
-     * stored. */
+    // All Certificate extensions are parsed, but only the leaf extensions are
+    // stored.
     if (have_status_request) {
       if (ssl->server || !ssl->ocsp_stapling_enabled) {
         OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
-        goto err;
+        return 0;
       }
 
       uint8_t status_type;
@@ -258,14 +186,17 @@ int tls13_process_certificate(SSL_HANDSHAKE *hs, int allow_anonymous) {
           CBS_len(&ocsp_response) == 0 ||
           CBS_len(&status_request) != 0) {
         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-        goto err;
+        return 0;
       }
 
-      if (sk_CRYPTO_BUFFER_num(certs) == 1 &&
-          !CBS_stow(&ocsp_response, &hs->new_session->ocsp_response,
-                    &hs->new_session->ocsp_response_length)) {
-        ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
-        goto err;
+      if (sk_CRYPTO_BUFFER_num(certs.get()) == 1) {
+        CRYPTO_BUFFER_free(hs->new_session->ocsp_response);
+        hs->new_session->ocsp_response =
+            CRYPTO_BUFFER_new_from_CBS(&ocsp_response, ssl->ctx->pool);
+        if (hs->new_session->ocsp_response == nullptr) {
+          ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+          return 0;
+        }
       }
     }
 
@@ -273,114 +204,100 @@ int tls13_process_certificate(SSL_HANDSHAKE *hs, int allow_anonymous) {
       if (ssl->server || !ssl->signed_cert_timestamps_enabled) {
         OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
-        goto err;
+        return 0;
       }
 
       if (!ssl_is_sct_list_valid(&sct)) {
         OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-        goto err;
+        return 0;
       }
 
-      if (sk_CRYPTO_BUFFER_num(certs) == 1 &&
-          !CBS_stow(
-              &sct, &hs->new_session->tlsext_signed_cert_timestamp_list,
-              &hs->new_session->tlsext_signed_cert_timestamp_list_length)) {
-        ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
-        goto err;
+      if (sk_CRYPTO_BUFFER_num(certs.get()) == 1) {
+        CRYPTO_BUFFER_free(hs->new_session->signed_cert_timestamp_list);
+        hs->new_session->signed_cert_timestamp_list =
+            CRYPTO_BUFFER_new_from_CBS(&sct, ssl->ctx->pool);
+        if (hs->new_session->signed_cert_timestamp_list == nullptr) {
+          ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+          return 0;
+        }
       }
     }
   }
 
-  if (CBS_len(&cbs) != 0) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
-    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-    goto err;
+  // Store a null certificate list rather than an empty one if the peer didn't
+  // send certificates.
+  if (sk_CRYPTO_BUFFER_num(certs.get()) == 0) {
+    certs.reset();
   }
 
-  EVP_PKEY_free(hs->peer_pubkey);
-  hs->peer_pubkey = pkey;
-  pkey = NULL;
+  hs->peer_pubkey = std::move(pkey);
 
   sk_CRYPTO_BUFFER_pop_free(hs->new_session->certs, CRYPTO_BUFFER_free);
-  hs->new_session->certs = certs;
-  certs = NULL;
+  hs->new_session->certs = certs.release();
 
-  if (!ssl->ctx->x509_method->session_cache_objects(hs->new_session)) {
+  if (!ssl->ctx->x509_method->session_cache_objects(hs->new_session.get())) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-    goto err;
+    return 0;
   }
 
   if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) == 0) {
     if (!allow_anonymous) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_CERTIFICATE_REQUIRED);
-      goto err;
+      return 0;
     }
 
-    /* OpenSSL returns X509_V_OK when no certificates are requested. This is
-     * classed by them as a bug, but it's assumed by at least NGINX. */
+    // OpenSSL returns X509_V_OK when no certificates are requested. This is
+    // classed by them as a bug, but it's assumed by at least NGINX.
     hs->new_session->verify_result = X509_V_OK;
 
-    /* No certificate, so nothing more to do. */
-    ret = 1;
-    goto err;
+    // No certificate, so nothing more to do.
+    return 1;
   }
 
   hs->new_session->peer_sha256_valid = retain_sha256;
-
-  if (!ssl_verify_cert_chain(ssl, &hs->new_session->verify_result,
-                             hs->new_session->x509_chain)) {
-    goto err;
-  }
-
-  ret = 1;
-
-err:
-  sk_CRYPTO_BUFFER_pop_free(certs, CRYPTO_BUFFER_free);
-  EVP_PKEY_free(pkey);
-  return ret;
+  return 1;
 }
 
-int tls13_process_certificate_verify(SSL_HANDSHAKE *hs) {
+int tls13_process_certificate_verify(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
   SSL *const ssl = hs->ssl;
-  int ret = 0;
-  uint8_t *msg = NULL;
-  size_t msg_len;
-
   if (hs->peer_pubkey == NULL) {
-    goto err;
+    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+    return 0;
   }
 
-  CBS cbs, signature;
+  CBS body = msg.body, signature;
   uint16_t signature_algorithm;
-  CBS_init(&cbs, ssl->init_msg, ssl->init_num);
-  if (!CBS_get_u16(&cbs, &signature_algorithm) ||
-      !CBS_get_u16_length_prefixed(&cbs, &signature) ||
-      CBS_len(&cbs) != 0) {
+  if (!CBS_get_u16(&body, &signature_algorithm) ||
+      !CBS_get_u16_length_prefixed(&body, &signature) ||
+      CBS_len(&body) != 0) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-    goto err;
+    return 0;
   }
 
-  int al;
-  if (!tls12_check_peer_sigalg(ssl, &al, signature_algorithm)) {
-    ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
-    goto err;
+  uint8_t alert = SSL_AD_DECODE_ERROR;
+  if (!tls12_check_peer_sigalg(ssl, &alert, signature_algorithm)) {
+    ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
+    return 0;
   }
   hs->new_session->peer_signature_algorithm = signature_algorithm;
 
+  uint8_t *input = NULL;
+  size_t input_len;
   if (!tls13_get_cert_verify_signature_input(
-          hs, &msg, &msg_len,
+          hs, &input, &input_len,
           ssl->server ? ssl_cert_verify_client : ssl_cert_verify_server)) {
     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
-    goto err;
+    return 0;
   }
+  UniquePtr<uint8_t> free_input(input);
 
-  int sig_ok =
-      ssl_public_key_verify(ssl, CBS_data(&signature), CBS_len(&signature),
-                            signature_algorithm, hs->peer_pubkey, msg, msg_len);
+  int sig_ok = ssl_public_key_verify(ssl, CBS_data(&signature),
+                                     CBS_len(&signature), signature_algorithm,
+                                     hs->peer_pubkey.get(), input, input_len);
 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
   sig_ok = 1;
   ERR_clear_error();
@@ -388,27 +305,31 @@ int tls13_process_certificate_verify(SSL_HANDSHAKE *hs) {
   if (!sig_ok) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
-    goto err;
+    return 0;
   }
 
-  ret = 1;
-
-err:
-  OPENSSL_free(msg);
-  return ret;
+  return 1;
 }
 
-int tls13_process_finished(SSL_HANDSHAKE *hs) {
+int tls13_process_finished(SSL_HANDSHAKE *hs, const SSLMessage &msg,
+                           int use_saved_value) {
   SSL *const ssl = hs->ssl;
-  uint8_t verify_data[EVP_MAX_MD_SIZE];
+  uint8_t verify_data_buf[EVP_MAX_MD_SIZE];
+  const uint8_t *verify_data;
   size_t verify_data_len;
-  if (!tls13_finished_mac(hs, verify_data, &verify_data_len, !ssl->server)) {
-    return 0;
+  if (use_saved_value) {
+    assert(ssl->server);
+    verify_data = hs->expected_client_finished;
+    verify_data_len = hs->hash_len;
+  } else {
+    if (!tls13_finished_mac(hs, verify_data_buf, &verify_data_len,
+                            !ssl->server)) {
+      return 0;
+    }
+    verify_data = verify_data_buf;
   }
 
-  int finished_ok =
-      ssl->init_num == verify_data_len &&
-      CRYPTO_memcmp(verify_data, ssl->init_msg, verify_data_len) == 0;
+  int finished_ok = CBS_mem_equal(&msg.body, verify_data, verify_data_len);
 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
   finished_ok = 1;
 #endif
@@ -423,21 +344,18 @@ int tls13_process_finished(SSL_HANDSHAKE *hs) {
 
 int tls13_add_certificate(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
-  CBB cbb, body, certificate_list;
-  if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CERTIFICATE) ||
-      /* The request context is always empty in the handshake. */
+  ScopedCBB cbb;
+  CBB body, certificate_list;
+  if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CERTIFICATE) ||
+      // The request context is always empty in the handshake.
       !CBB_add_u8(&body, 0) ||
       !CBB_add_u24_length_prefixed(&body, &certificate_list)) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-    goto err;
+    return 0;
   }
 
   if (!ssl_has_certificate(ssl)) {
-    if (!ssl_add_message_cbb(ssl, &cbb)) {
-      goto err;
-    }
-
-    return 1;
+    return ssl_add_message_cbb(ssl, cbb.get());
   }
 
   CERT *cert = ssl->cert;
@@ -448,7 +366,7 @@ int tls13_add_certificate(SSL_HANDSHAKE *hs) {
                      CRYPTO_BUFFER_len(leaf_buf)) ||
       !CBB_add_u16_length_prefixed(&certificate_list, &extensions)) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-    goto err;
+    return 0;
   }
 
   if (hs->scts_requested && ssl->cert->signed_cert_timestamp_list != NULL) {
@@ -461,7 +379,7 @@ int tls13_add_certificate(SSL_HANDSHAKE *hs) {
             CRYPTO_BUFFER_len(ssl->cert->signed_cert_timestamp_list)) ||
         !CBB_flush(&extensions)) {
       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-      goto err;
+      return 0;
     }
   }
 
@@ -477,7 +395,7 @@ int tls13_add_certificate(SSL_HANDSHAKE *hs) {
                        CRYPTO_BUFFER_len(ssl->cert->ocsp_response)) ||
         !CBB_flush(&extensions)) {
       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-      goto err;
+      return 0;
     }
   }
 
@@ -489,82 +407,62 @@ int tls13_add_certificate(SSL_HANDSHAKE *hs) {
                        CRYPTO_BUFFER_len(cert_buf)) ||
         !CBB_add_u16(&certificate_list, 0 /* no extensions */)) {
       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-      goto err;
+      return 0;
     }
   }
 
-  if (!ssl_add_message_cbb(ssl, &cbb)) {
-    goto err;
-  }
-
-  return 1;
-
-err:
-  CBB_cleanup(&cbb);
-  return 0;
+  return ssl_add_message_cbb(ssl, cbb.get());
 }
 
-enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs,
-                                                           int is_first_run) {
+enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
-  enum ssl_private_key_result_t ret = ssl_private_key_failure;
-  uint8_t *msg = NULL;
-  size_t msg_len;
-  CBB cbb, body;
-  CBB_zero(&cbb);
-
   uint16_t signature_algorithm;
   if (!tls1_choose_signature_algorithm(hs, &signature_algorithm)) {
-    goto err;
+    return ssl_private_key_failure;
   }
-  if (!ssl->method->init_message(ssl, &cbb, &body,
+
+  ScopedCBB cbb;
+  CBB body;
+  if (!ssl->method->init_message(ssl, cbb.get(), &body,
                                  SSL3_MT_CERTIFICATE_VERIFY) ||
       !CBB_add_u16(&body, signature_algorithm)) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-    goto err;
+    return ssl_private_key_failure;
   }
 
-  /* Sign the digest. */
+  // Sign the digest.
   CBB child;
-  const size_t max_sig_len = ssl_private_key_max_signature_len(ssl);
+  const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get());
   uint8_t *sig;
   size_t sig_len;
   if (!CBB_add_u16_length_prefixed(&body, &child) ||
       !CBB_reserve(&child, &sig, max_sig_len)) {
     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
-    goto err;
+    return ssl_private_key_failure;
   }
 
-  enum ssl_private_key_result_t sign_result;
-  if (is_first_run) {
-    if (!tls13_get_cert_verify_signature_input(
-            hs, &msg, &msg_len,
-            ssl->server ? ssl_cert_verify_server : ssl_cert_verify_client)) {
-      ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
-      goto err;
-    }
-    sign_result = ssl_private_key_sign(ssl, sig, &sig_len, max_sig_len,
-                                       signature_algorithm, msg, msg_len);
-  } else {
-    sign_result = ssl_private_key_complete(ssl, sig, &sig_len, max_sig_len);
+  uint8_t *msg = NULL;
+  size_t msg_len;
+  if (!tls13_get_cert_verify_signature_input(
+          hs, &msg, &msg_len,
+          ssl->server ? ssl_cert_verify_server : ssl_cert_verify_client)) {
+    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+    return ssl_private_key_failure;
   }
+  UniquePtr<uint8_t> free_msg(msg);
 
+  enum ssl_private_key_result_t sign_result = ssl_private_key_sign(
+      hs, sig, &sig_len, max_sig_len, signature_algorithm, msg, msg_len);
   if (sign_result != ssl_private_key_success) {
-    ret = sign_result;
-    goto err;
+    return sign_result;
   }
 
   if (!CBB_did_write(&child, sig_len) ||
-      !ssl_add_message_cbb(ssl, &cbb)) {
-    goto err;
+      !ssl_add_message_cbb(ssl, cbb.get())) {
+    return ssl_private_key_failure;
   }
 
-  ret = ssl_private_key_success;
-
-err:
-  CBB_cleanup(&cbb);
-  OPENSSL_free(msg);
-  return ret;
+  return ssl_private_key_success;
 }
 
 int tls13_add_finished(SSL_HANDSHAKE *hs) {
@@ -578,23 +476,22 @@ int tls13_add_finished(SSL_HANDSHAKE *hs) {
     return 0;
   }
 
-  CBB cbb, body;
-  if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_FINISHED) ||
+  ScopedCBB cbb;
+  CBB body;
+  if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_FINISHED) ||
       !CBB_add_bytes(&body, verify_data, verify_data_len) ||
-      !ssl_add_message_cbb(ssl, &cbb)) {
-    CBB_cleanup(&cbb);
+      !ssl_add_message_cbb(ssl, cbb.get())) {
     return 0;
   }
 
   return 1;
 }
 
-static int tls13_receive_key_update(SSL *ssl) {
-  CBS cbs;
+static int tls13_receive_key_update(SSL *ssl, const SSLMessage &msg) {
+  CBS body = msg.body;
   uint8_t key_update_request;
-  CBS_init(&cbs, ssl->init_msg, ssl->init_num);
-  if (!CBS_get_u8(&cbs, &key_update_request) ||
-      CBS_len(&cbs) != 0 ||
+  if (!CBS_get_u8(&body, &key_update_request) ||
+      CBS_len(&body) != 0 ||
       (key_update_request != SSL_KEY_UPDATE_NOT_REQUESTED &&
        key_update_request != SSL_KEY_UPDATE_REQUESTED)) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
@@ -602,13 +499,35 @@ static int tls13_receive_key_update(SSL *ssl) {
     return 0;
   }
 
-  /* TODO(svaldez): Send KeyUpdate if |key_update_request| is
-   * |SSL_KEY_UPDATE_REQUESTED|. */
-  return tls13_rotate_traffic_key(ssl, evp_aead_open);
+  if (!tls13_rotate_traffic_key(ssl, evp_aead_open)) {
+    return 0;
+  }
+
+  // Acknowledge the KeyUpdate
+  if (key_update_request == SSL_KEY_UPDATE_REQUESTED &&
+      !ssl->s3->key_update_pending) {
+    ScopedCBB cbb;
+    CBB body_cbb;
+    if (!ssl->method->init_message(ssl, cbb.get(), &body_cbb,
+                                   SSL3_MT_KEY_UPDATE) ||
+        !CBB_add_u8(&body_cbb, SSL_KEY_UPDATE_NOT_REQUESTED) ||
+        !ssl_add_message_cbb(ssl, cbb.get()) ||
+        !tls13_rotate_traffic_key(ssl, evp_aead_seal)) {
+      return 0;
+    }
+
+    // Suppress KeyUpdate acknowledgments until this change is written to the
+    // wire. This prevents us from accumulating write obligations when read and
+    // write progress at different rates. See draft-ietf-tls-tls13-18, section
+    // 4.5.3.
+    ssl->s3->key_update_pending = true;
+  }
+
+  return 1;
 }
 
-int tls13_post_handshake(SSL *ssl) {
-  if (ssl->s3->tmp.message_type == SSL3_MT_KEY_UPDATE) {
+int tls13_post_handshake(SSL *ssl, const SSLMessage &msg) {
+  if (msg.type == SSL3_MT_KEY_UPDATE) {
     ssl->s3->key_update_count++;
     if (ssl->s3->key_update_count > kMaxKeyUpdates) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_KEY_UPDATES);
@@ -616,19 +535,18 @@ int tls13_post_handshake(SSL *ssl) {
       return 0;
     }
 
-    return tls13_receive_key_update(ssl);
+    return tls13_receive_key_update(ssl, msg);
   }
 
   ssl->s3->key_update_count = 0;
 
-  if (ssl->s3->tmp.message_type == SSL3_MT_NEW_SESSION_TICKET &&
-      !ssl->server) {
-    return tls13_process_new_session_ticket(ssl);
+  if (msg.type == SSL3_MT_NEW_SESSION_TICKET && !ssl->server) {
+    return tls13_process_new_session_ticket(ssl, msg);
   }
 
-  // TODO(svaldez): Handle post-handshake authentication.
-
   ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
   OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
   return 0;
 }
+
+}  // namespace bssl