$ git diff --patch-with-stat --summary 237535e7fb0ce3a88de6bb979e458e077f143bdf..f5ad4df158375b6c2f3c06152cb13d1f4ae09ac7
.abf.yml | 2 +-
...-QUIC-Add-support-for-BoringSSL-QUIC-APIs.patch | 1855 ++++++++++++++++++++
...QUIC-New-method-to-get-QUIC-secret-length.patch | 99 ++
...UIC-Make-temp-secret-names-less-confusing.patch | 76 +
...UIC-transport-params-to-encrypted-extensi.patch | 26 +
0005-QUIC-Use-proper-secrets-for-handshake.patch | 59 +
0006-QUIC-Handle-partial-handshake-messages.patch | 74 +
0007-QUIC-Fix-duplicate-word-in-docs.patch | 25 +
...C-Fix-quic_transport-constructors-parsers.patch | 89 +
...init-state-in-SSL_process_quic_post_hands.patch | 39 +
...-QUIC-Don-t-process-an-incomplete-message.patch | 51 +
...UIC-Quick-fix-s2c-to-c2s-for-early-secret.patch | 25 +
...C-Add-client-early-traffic-secret-storage.patch | 52 +
0013-QUIC-Add-OPENSSL_NO_QUIC-wrapper.patch | 28 +
0014-QUIC-Correctly-disable-middlebox-compat.patch | 34 +
...UIC-code-out-of-tls13_change_cipher_state.patch | 332 ++++
0016-QUIC-Tweeks-to-quic_change_cipher_state.patch | 126 ++
0017-QUIC-Add-support-for-more-secrets.patch | 44 +
0018-QUIC-Fix-resumption-secret.patch | 54 +
...IC-Handle-EndOfEarlyData-and-MaxEarlyData.patch | 98 ++
0020-QUIC-Fall-through-for-0RTT.patch | 31 +
...IC-Some-cleanup-for-the-main-QUIC-changes.patch | 677 +++++++
0022-QUIC-Prevent-KeyUpdate-for-QUIC.patch | 77 +
0023-QUIC-Test-KeyUpdate-rejection.patch | 37 +
0024-QUIC-Buffer-all-provided-quic-data.patch | 219 +++
...e-consistent-encryption-level-for-handsha.patch | 58 +
0026-QUIC-add-v1-quic_transport_parameters.patch | 669 +++++++
...eturn-success-when-no-post-handshake-data.patch | 27 +
...wur-makes-no-sense-for-void-return-values.patch | 25 +
...-QUIC-remove-SSL_R_BAD_DATA_LENGTH-unused.patch | 50 +
0030-QUIC-Update-shared-library-version.patch | 11 +
0032-QUIC-Fix-3.0.0-GitHub-CI.patch | 42 +
0033-QUIC-SSLerr-ERR_raise-ERR_LIB_SSL.patch | 165 ++
...IC-Add-compile-run-time-checking-for-QUIC.patch | 101 ++
0035-QUIC-Add-early-data-support-11.patch | 504 ++++++
...SL_provide_quic_data-accept-0-length-data.patch | 31 +
...s-multiple-post-handshake-messages-in-a-s.patch | 76 +
...n-up-some-language-in-SSL_CTX_set_quic_me.patch | 32 +
0040-QUIC-Fix-CI-20.patch | 97 +
0041-QUIC-Break-up-header-body-processing.patch | 145 ++
0042-QUIC-Fix-make-doc-nits.patch | 35 +
0045-QUIC-Don-t-muck-with-FIPS-checksums.patch | 131 ++
0047-QUIC-Update-RFC-references.patch | 112 ++
0048-QUIC-revert-white-space-change.patch | 24 +
0049-QUIC-update-copyrights.patch | 49 +
...pdate-SSL_provide_quic_data-documentation.patch | 34 +
...C-expound-on-what-DoS-attacks-QUIC-avoids.patch | 29 +
...C-remove-SSL_get_current_cipher-reference.patch | 28 +
0053-QUIC-use-SSL_IS_QUIC-in-more-places.patch | 53 +
...-when-non-empty-session_id-in-CH-fixes-29.patch | 32 +
...-QUIC-Update-SSL_clear-to-clear-quic-data.patch | 140 ++
0056-QUIC-Better-SSL_clear.patch | 216 +++
0059-QUIC-Fix-extension-test.patch | 46 +
0063-QUIC-Fix-use-of-create_a_psk.patch | 25 +
openssl.spec | 95 +-
55 files changed, 7295 insertions(+), 16 deletions(-)
create mode 100644 0001-QUIC-Add-support-for-BoringSSL-QUIC-APIs.patch
create mode 100644 0002-QUIC-New-method-to-get-QUIC-secret-length.patch
create mode 100644 0003-QUIC-Make-temp-secret-names-less-confusing.patch
create mode 100644 0004-QUIC-Move-QUIC-transport-params-to-encrypted-extensi.patch
create mode 100644 0005-QUIC-Use-proper-secrets-for-handshake.patch
create mode 100644 0006-QUIC-Handle-partial-handshake-messages.patch
create mode 100644 0007-QUIC-Fix-duplicate-word-in-docs.patch
create mode 100644 0008-QUIC-Fix-quic_transport-constructors-parsers.patch
create mode 100644 0009-QUIC-Reset-init-state-in-SSL_process_quic_post_hands.patch
create mode 100644 0010-QUIC-Don-t-process-an-incomplete-message.patch
create mode 100644 0011-QUIC-Quick-fix-s2c-to-c2s-for-early-secret.patch
create mode 100644 0012-QUIC-Add-client-early-traffic-secret-storage.patch
create mode 100644 0013-QUIC-Add-OPENSSL_NO_QUIC-wrapper.patch
create mode 100644 0014-QUIC-Correctly-disable-middlebox-compat.patch
create mode 100644 0015-QUIC-Move-QUIC-code-out-of-tls13_change_cipher_state.patch
create mode 100644 0016-QUIC-Tweeks-to-quic_change_cipher_state.patch
create mode 100644 0017-QUIC-Add-support-for-more-secrets.patch
create mode 100644 0018-QUIC-Fix-resumption-secret.patch
create mode 100644 0019-QUIC-Handle-EndOfEarlyData-and-MaxEarlyData.patch
create mode 100644 0020-QUIC-Fall-through-for-0RTT.patch
create mode 100644 0021-QUIC-Some-cleanup-for-the-main-QUIC-changes.patch
create mode 100644 0022-QUIC-Prevent-KeyUpdate-for-QUIC.patch
create mode 100644 0023-QUIC-Test-KeyUpdate-rejection.patch
create mode 100644 0024-QUIC-Buffer-all-provided-quic-data.patch
create mode 100644 0025-QUIC-Enforce-consistent-encryption-level-for-handsha.patch
create mode 100644 0026-QUIC-add-v1-quic_transport_parameters.patch
create mode 100644 0027-QUIC-return-success-when-no-post-handshake-data.patch
create mode 100644 0028-QUIC-__owur-makes-no-sense-for-void-return-values.patch
create mode 100644 0029-QUIC-remove-SSL_R_BAD_DATA_LENGTH-unused.patch
create mode 100644 0030-QUIC-Update-shared-library-version.patch
create mode 100644 0032-QUIC-Fix-3.0.0-GitHub-CI.patch
create mode 100644 0033-QUIC-SSLerr-ERR_raise-ERR_LIB_SSL.patch
create mode 100644 0034-QUIC-Add-compile-run-time-checking-for-QUIC.patch
create mode 100644 0035-QUIC-Add-early-data-support-11.patch
create mode 100644 0036-QUIC-Make-SSL_provide_quic_data-accept-0-length-data.patch
create mode 100644 0037-QUIC-Process-multiple-post-handshake-messages-in-a-s.patch
create mode 100644 0038-QUIC-Tighten-up-some-language-in-SSL_CTX_set_quic_me.patch
create mode 100644 0040-QUIC-Fix-CI-20.patch
create mode 100644 0041-QUIC-Break-up-header-body-processing.patch
create mode 100644 0042-QUIC-Fix-make-doc-nits.patch
create mode 100644 0045-QUIC-Don-t-muck-with-FIPS-checksums.patch
create mode 100644 0047-QUIC-Update-RFC-references.patch
create mode 100644 0048-QUIC-revert-white-space-change.patch
create mode 100644 0049-QUIC-update-copyrights.patch
create mode 100644 0050-QUIC-update-SSL_provide_quic_data-documentation.patch
create mode 100644 0051-QUIC-expound-on-what-DoS-attacks-QUIC-avoids.patch
create mode 100644 0052-QUIC-remove-SSL_get_current_cipher-reference.patch
create mode 100644 0053-QUIC-use-SSL_IS_QUIC-in-more-places.patch
create mode 100644 0054-QUIC-Error-when-non-empty-session_id-in-CH-fixes-29.patch
create mode 100644 0055-QUIC-Update-SSL_clear-to-clear-quic-data.patch
create mode 100644 0056-QUIC-Better-SSL_clear.patch
create mode 100644 0059-QUIC-Fix-extension-test.patch
create mode 100644 0063-QUIC-Fix-use-of-create_a_psk.patch
diff --git a/.abf.yml b/.abf.yml
index 4991d65..bf11c9b 100644
--- a/.abf.yml
+++ b/.abf.yml
@@ -1,2 +1,2 @@
sources:
- openssl-3.0.6.tar.gz: df7c98f7780babdedd0810fb3c2b55332a8f6b89
+ openssl-3.1.5.tar.gz: bae9e00477fb036e28f1c2e9a837fb6992823c57
diff --git a/0001-QUIC-Add-support-for-BoringSSL-QUIC-APIs.patch b/0001-QUIC-Add-support-for-BoringSSL-QUIC-APIs.patch
new file mode 100644
index 0000000..3df351e
--- /dev/null
+++ b/0001-QUIC-Add-support-for-BoringSSL-QUIC-APIs.patch
@@ -0,0 +1,1855 @@
+From bcf0f1690bd031c2945e2875d03b7617a9dfafc7 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Fri, 12 Apr 2019 11:13:25 -0400
+Subject: [PATCH 01/63] QUIC: Add support for BoringSSL QUIC APIs
+
+This adds a compatible API for BoringSSL's QUIC support, based
+on the current |draft-ietf-quic-tls|.
+
+Based on BoringSSL commit 3c034b2cf386b3131f75520705491871a2e0cafe
+Based on BoringSSL commit c8e0f90f83b9ec38ea833deb86b5a41360b62b6a
+Based on BoringSSL commit 3cbb0299a28a8bd0136257251a78b91a96c5eec8
+Based on BoringSSL commit cc9d935256539af2d3b7f831abf57c0d685ffd81
+Based on BoringSSL commit e6eef1ca16a022e476bbaedffef044597cfc8f4b
+Based on BoringSSL commit 6f733791148cf8a076bf0e95498235aadbe5926d
+Based on BoringSSL commit 384d0eaf1930af1ebc47eda751f0c78dfcba1c03
+Based on BoringSSL commit a0373182eb5cc7b81d49f434596b473c7801c942
+Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37
+---
+ CHANGES.md | 6 +
+ Configure | 2 +
+ INSTALL.md | 4 +
+ crypto/err/openssl.txt | 2 +
+ doc/man3/SSL_CIPHER_get_name.pod | 13 ++
+ doc/man3/SSL_CTX_set_quic_method.pod | 232 +++++++++++++++++++++++++
+ include/openssl/evp.h | 5 +
+ include/openssl/ssl.h.in | 45 +++++
+ include/openssl/sslerr.h | 2 +
+ include/openssl/tls1.h | 3 +
+ include/openssl/types.h | 2 +
+ ssl/build.info | 2 +
+ ssl/s3_msg.c | 10 ++
+ ssl/ssl_ciph.c | 32 ++++
+ ssl/ssl_err.c | 3 +
+ ssl/ssl_lib.c | 41 ++++-
+ ssl/ssl_local.h | 37 ++++
+ ssl/ssl_quic.c | 248 +++++++++++++++++++++++++++
+ ssl/statem/extensions.c | 29 ++++
+ ssl/statem/extensions_clnt.c | 48 ++++++
+ ssl/statem/extensions_srvr.c | 51 ++++++
+ ssl/statem/statem.c | 20 ++-
+ ssl/statem/statem_lib.c | 19 +-
+ ssl/statem/statem_local.h | 19 ++
+ ssl/statem/statem_quic.c | 106 ++++++++++++
+ ssl/tls13_enc.c | 59 +++++++
+ test/helpers/ssltestlib.c | 5 +
+ test/sslapitest.c | 140 +++++++++++++++
+ test/tls13secretstest.c | 7 +
+ util/libssl.num | 11 ++
+ util/other.syms | 2 +
+ 31 files changed, 1199 insertions(+), 6 deletions(-)
+ create mode 100644 doc/man3/SSL_CTX_set_quic_method.pod
+ create mode 100644 ssl/ssl_quic.c
+ create mode 100644 ssl/statem/statem_quic.c
+
+diff --git a/CHANGES.md b/CHANGES.md
+index 4fcb606ee3..be8707649d 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -264,6 +264,12 @@ breaking changes, and mappings for the large list of deprecated functions.
+
+ [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
+
++### Changes between 3.0.8 and 3.0.8+quic [7 Feb 2023]
++
++ * Add QUIC API support from BoringSSL.
++
++ *Todd Short*
++
+ ### Changes between 3.0.7 and 3.0.8 [7 Feb 2023]
+
+ * Fixed NULL dereference during PKCS7 data verification.
+diff --git a/Configure b/Configure
+index 227e5daea2..bd4e0943bf 100755
+--- a/Configure
++++ b/Configure
+@@ -467,6 +467,7 @@ my @disablables = (
+ "poly1305",
+ "posix-io",
+ "psk",
++ "quic",
+ "rc2",
+ "rc4",
+ "rc5",
+@@ -635,6 +636,7 @@ my @disable_cascades = (
+ "legacy" => [ "md2" ],
+
+ "cmp" => [ "crmf" ],
++ "tls1_3" => [ "quic" ],
+
+ "fips" => [ "fips-securitychecks", "acvp-tests" ],
+
+diff --git a/INSTALL.md b/INSTALL.md
+index d13517873c..8268ae86b0 100644
+--- a/INSTALL.md
++++ b/INSTALL.md
+@@ -823,6 +823,10 @@ Don't use POSIX IO capabilities.
+
+ Don't build support for Pre-Shared Key based ciphersuites.
+
++### no-quic
++
++Don't build support for QUIC API from BoringSSL.
++
+ ### no-rdrand
+
+ Don't use hardware RDRAND capabilities.
+diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
+index fe4fdd4bf2..b2f90a413a 100644
+--- a/crypto/err/openssl.txt
++++ b/crypto/err/openssl.txt
+@@ -1262,6 +1262,7 @@ SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE:158:\
+ SSL_R_BAD_CHANGE_CIPHER_SPEC:103:bad change cipher spec
+ SSL_R_BAD_CIPHER:186:bad cipher
+ SSL_R_BAD_DATA:390:bad data
++SSL_R_BAD_DATA_LENGTH:802:bad data length
+ SSL_R_BAD_DATA_RETURNED_BY_CALLBACK:106:bad data returned by callback
+ SSL_R_BAD_DECOMPRESSION:107:bad decompression
+ SSL_R_BAD_DH_VALUE:102:bad dh value
+@@ -1549,6 +1550,7 @@ SSL_R_VERSION_TOO_LOW:396:version too low
+ SSL_R_WRONG_CERTIFICATE_TYPE:383:wrong certificate type
+ SSL_R_WRONG_CIPHER_RETURNED:261:wrong cipher returned
+ SSL_R_WRONG_CURVE:378:wrong curve
++SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED:800:wrong encryption level received
+ SSL_R_WRONG_SIGNATURE_LENGTH:264:wrong signature length
+ SSL_R_WRONG_SIGNATURE_SIZE:265:wrong signature size
+ SSL_R_WRONG_SIGNATURE_TYPE:370:wrong signature type
+diff --git a/doc/man3/SSL_CIPHER_get_name.pod b/doc/man3/SSL_CIPHER_get_name.pod
+index e22a85a063..7f00f09d67 100644
+--- a/doc/man3/SSL_CIPHER_get_name.pod
++++ b/doc/man3/SSL_CIPHER_get_name.pod
+@@ -13,6 +13,7 @@ SSL_CIPHER_get_digest_nid,
+ SSL_CIPHER_get_handshake_digest,
+ SSL_CIPHER_get_kx_nid,
+ SSL_CIPHER_get_auth_nid,
++SSL_CIPHER_get_prf_nid,
+ SSL_CIPHER_is_aead,
+ SSL_CIPHER_find,
+ SSL_CIPHER_get_id,
+@@ -34,6 +35,7 @@ SSL_CIPHER_get_protocol_id
+ const EVP_MD *SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c);
+ int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c);
+ int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c);
++ int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *c);
+ int SSL_CIPHER_is_aead(const SSL_CIPHER *c);
+ const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr);
+ uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c);
+@@ -91,6 +93,15 @@ TLS 1.3 cipher suites) B<NID_auth_any> is returned. Examples (not comprehensive)
+ NID_auth_ecdsa
+ NID_auth_psk
+
++SSL_CIPHER_get_prf_nid() retuns the pseudo-random function NID for B<c>. If B<c> is
++a pre-TLS-1.2 cipher, it returns B<NID_md5_sha1> but note these ciphers use
++SHA-256 in TLS 1.2. Other return values may be treated uniformly in all
++applicable versions. Examples (not comprehensive):
++
++ NID_md5_sha1
++ NID_sha256
++ NID_sha384
++
+ SSL_CIPHER_is_aead() returns 1 if the cipher B<c> is AEAD (e.g. GCM or
+ ChaCha20/Poly1305), and 0 if it is not AEAD.
+
+@@ -201,6 +212,8 @@ required to enable this function.
+
+ The OPENSSL_cipher_name() function was added in OpenSSL 1.1.1.
+
++The SSL_CIPHER_get_prf_nid() function was added in OpenSSL 3.0.0.
++
+ =head1 COPYRIGHT
+
+ Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+diff --git a/doc/man3/SSL_CTX_set_quic_method.pod b/doc/man3/SSL_CTX_set_quic_method.pod
+new file mode 100644
+index 0000000000..d938eb4e30
+--- /dev/null
++++ b/doc/man3/SSL_CTX_set_quic_method.pod
+@@ -0,0 +1,232 @@
++=pod
++
++=head1 NAME
++
++SSL_QUIC_METHOD,
++OSSL_ENCRYPTION_LEVEL,
++SSL_CTX_set_quic_method,
++SSL_set_quic_method,
++SSL_set_quic_transport_params,
++SSL_get_peer_quic_transport_params,
++SSL_quic_max_handshake_flight_len,
++SSL_quic_read_level,
++SSL_quic_write_level,
++SSL_provide_quic_data,
++SSL_process_quic_post_handshake,
++SSL_is_quic
++- QUIC support
++
++=head1 SYNOPSIS
++
++ #include <openssl/ssl.h>
++
++ typedef struct ssl_quic_method_st SSL_QUIC_METHOD;
++ typedef enum ssl_encryption_level_t OSSL_ENCRYPTION_LEVEL;
++
++ int SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method);
++ int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method);
++ int SSL_set_quic_transport_params(SSL *ssl,
++ const uint8_t *params,
++ size_t params_len);
++ void SSL_get_peer_quic_transport_params(const SSL *ssl,
++ const uint8_t **out_params,
++ size_t *out_params_len);
++ size_t SSL_quic_max_handshake_flight_len(const SSL *ssl, OSSL_ENCRYPTION_LEVEL level);
++ OSSL_ENCRYPTION_LEVEL SSL_quic_read_level(const SSL *ssl);
++ OSSL_ENCRYPTION_LEVEL SSL_quic_write_level(const SSL *ssl);
++ int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
++ const uint8_t *data, size_t len);
++ int SSL_process_quic_post_handshake(SSL *ssl);
++ int SSL_is_quic(SSL *ssl);
++
++=head1 DESCRIPTION
++
++SSL_CTX_set_quic_method() and SSL_set_quic_method() configures the QUIC methods.
++This should only be configured with a minimum version of TLS 1.3. B<quic_method>
++must remain valid for the lifetime of B<ctx> or B<ssl>. Calling this disables
++the SSL_OP_ENABLE_MIDDLEBOX_COMPAT option, which is not required for QUIC.
++
++SSL_set_quic_transport_params() configures B<ssl> to send B<params> (of length
++B<params_len>) in the quic_transport_parameters extension in either the
++ClientHello or EncryptedExtensions handshake message. This extension will
++only be sent if the TLS version is at least 1.3, and for a server, only if
++the client sent the extension. The buffer pointed to by B<params> only need be
++valid for the duration of the call to this function.
++
++SSL_get_peer_quic_transport_params() provides the caller with the value of the
++quic_transport_parameters extension sent by the peer. A pointer to the buffer
++containing the TransportParameters will be put in B<*out_params>, and its
++length in B<*out_params_len>. This buffer will be valid for the lifetime of the
++B<ssl>. If no params were received from the peer, B<*out_params_len> will be 0.
++
++SSL_quic_max_handshake_flight_len() returns returns the maximum number of bytes
++that may be received at the given encryption level. This function should be
++used to limit buffering in the QUIC implementation.
++
++See https://tools.ietf.org/html/draft-ietf-quic-transport-16#section-4.4.
++
++SSL_quic_read_level() returns the current read encryption level.
++
++SSL_quic_write_level() returns the current write encryption level.
++
++SSL_provide_quic_data() provides data from QUIC at a particular encryption
++level B<level>. It is an error to call this function outside of the handshake
++or with an encryption level other than the current read level. It returns one
++on success and zero on error.
++
++SSL_process_quic_post_handshake() processes any data that QUIC has provided
++after the handshake has completed. This includes NewSessionTicket messages
++sent by the server.
++
++SSL_is_quic() indicates whether a connection uses QUIC.
++
++=head1 NOTES
++
++These APIs are implementations of BoringSSL's QUIC APIs.
++
++QUIC acts as an underlying transport for the TLS 1.3 handshake. The following
++functions allow a QUIC implementation to serve as the underlying transport as
++described in draft-ietf-quic-tls.
++
++When configured for QUIC, SSL_do_handshake() will drive the handshake as
++before, but it will not use the configured B<BIO>. It will call functions on
++B<SSL_QUIC_METHOD> to configure secrets and send data. If data is needed from
++the peer, it will return B<SSL_ERROR_WANT_READ>. When received, the caller
++should call SSL_provide_quic_data() and then SSL_do_handshake() to continue
++the handshake. After the handshake is complete, the caller should call
++SSL_provide_quic_data() for any post-handshake data, followed by
++SSL_process_quic_post_handshake() to process it. It is an error to call
++SSL_read()/SSL_read_ex() and SSL_write()/SSL_write_ex() in QUIC.
++
++Note that secrets for an encryption level may be available to QUIC before the
++level is active in TLS. Callers should use SSL_quic_read_level() to determine
++the active read level for SSL_provide_quic_data(). SSL_do_handshake() will
++pass the active write level to add_handshake_data() when writing data. Callers
++can use SSL_quic_write_level() to query the active write level when
++generating their own errors.
++
++See https://tools.ietf.org/html/draft-ietf-quic-tls-15#section-4.1 for more
++details.
++
++To avoid DoS attacks, the QUIC implementation must limit the amount of data
++being queued up. The implementation can call
++SSL_quic_max_handshake_flight_len() to get the maximum buffer length at each
++encryption level.
++
++draft-ietf-quic-tls defines a new TLS extension quic_transport_parameters
++used by QUIC for each endpoint to unilaterally declare its supported
++transport parameters. draft-ietf-quic-transport (section 7.4) defines the
++contents of that extension (a TransportParameters struct) and describes how
++to handle it and its semantic meaning.
++
++OpenSSL handles this extension as an opaque byte string. The caller is
++responsible for serializing and parsing it.
++
++=head2 OSSL_ENCRYPTION_LEVEL
++
++B<OSSL_ENCRYPTION_LEVEL> (B<enum ssl_encryption_level_t>) represents the
++encryption levels:
++
++=over 4
++
++=item ssl_encryption_initial
++
++The initial encryption level that is used for client and server hellos.
++
++=item ssl_encryption_early_data
++
++The encryption level for early data. This is a write-level for the client
++and a read-level for the server.
++
++=item ssl_encryption_handshake
++
++The encryption level for the remainder of the handshake.
++
++=item ssl_encryption_application
++
++The encryption level for the application data.
++
++=back
++
++=head2 SSL_QUIC_METHOD
++
++The B<SSL_QUIC_METHOD> (B<struct ssl_quic_method_st>) describes the
++QUIC methods.
++
++ struct ssl_quic_method_st {
++ int (*set_encryption_secrets)(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
++ const uint8_t *read_secret,
++ const uint8_t *write_secret, size_t secret_len);
++ int (*add_handshake_data)(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
++ const uint8_t *data, size_t len);
++ int (*flush_flight)(SSL *ssl);
++ int (*send_alert)(SSL *ssl, enum ssl_encryption_level_t level, uint8_t alert);
++ };
++ typedef struct ssl_quic_method_st SSL_QUIC_METHOD;
++
++set_encryption_secrets() configures the read and write secrets for the given
++encryption level. This function will always be called before an encryption
++level other than B<ssl_encryption_initial> is used. Note, however, that
++secrets for a level may be configured before TLS is ready to send or accept
++data at that level.
++
++When reading packets at a given level, the QUIC implementation must send
++ACKs at the same level, so this function provides read and write secrets
++together. The exception is B<ssl_encryption_early_data>, where secrets are
++only available in the client to server direction. The other secret will be
++NULL. The server acknowledges such data at B<ssl_encryption_application>,
++which will be configured in the same SSL_do_handshake() call.
++
++This function should use SSL_get_current_cipher() to determine the TLS
++cipher suite.
++
++add_handshake_data() adds handshake data to the current flight at the given
++encryption level. It returns one on success and zero on error.
++
++OpenSSL will pack data from a single encryption level together, but a
++single handshake flight may include multiple encryption levels. Callers
++should defer writing data to the network until flush_flight() to better
++pack QUIC packets into transport datagrams.
++
++flush_flight() is called when the current flight is complete and should be
++written to the transport. Note a flight may contain data at several
++encryption levels.
++
++send_alert() sends a fatal alert at the specified encryption level.
++
++All QUIC methods return 1 on success and 0 on error.
++
++=head1 RETURN VALUES
++
++SSL_CTX_set_quic_method(),
++SSL_set_quic_method(),
++SSL_set_quic_transport_params(), and
++SSL_process_quic_post_handshake()
++return 1 on success, and 0 on error.
++
++SSL_quic_read_level() and SSL_quic_write_level() return the current
++encryption level as B<OSSL_ENCRYPTION_LEVEL> (B<enum ssl_encryption_level_t>).
++
++SSL_quic_max_handshake_flight_len() returns the maximum length of a flight
++for a given encryption level.
++
++SSL_is_quic() returns 1 if QUIC is being used, 0 if not.
++
++=head1 SEE ALSO
++
++L<ssl(7)>, L<SSL_CIPHER_get_prf_nid(3)>, L<SSL_do_handshake(3)>
++
++=head1 HISTORY
++
++These functions were added in OpenSSL 3.0.0.
++
++=head1 COPYRIGHT
++
++Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
++
++Licensed under the Apache License 2.0 (the "License"). You may not use
++this file except in compliance with the License. You can obtain a copy
++in the file LICENSE in the source distribution or at
++L<https://www.openssl.org/source/license.html>.
++
++=cut
+diff --git a/include/openssl/evp.h b/include/openssl/evp.h
+index 86f4e22c70..8479f665f5 100644
+--- a/include/openssl/evp.h
++++ b/include/openssl/evp.h
+@@ -1742,6 +1742,11 @@ int EVP_PKEY_CTX_set_mac_key(EVP_PKEY_CTX *ctx, const unsigned char *key,
+ * Method handles all operations: don't assume any digest related defaults.
+ */
+ # define EVP_PKEY_FLAG_SIGCTX_CUSTOM 4
++
++/* Used by Chromium/QUIC */
++# define X25519_PRIVATE_KEY_LEN 32
++# define X25519_PUBLIC_VALUE_LEN 32
++
+ # ifndef OPENSSL_NO_DEPRECATED_3_0
+ OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type);
+ OSSL_DEPRECATEDIN_3_0 EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags);
+diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
+index f03f52fbd8..e2e31bce9b 100644
+--- a/include/openssl/ssl.h.in
++++ b/include/openssl/ssl.h.in
+@@ -2524,6 +2524,51 @@ void SSL_set_allow_early_data_cb(SSL *s,
+ const char *OSSL_default_cipher_list(void);
+ const char *OSSL_default_ciphersuites(void);
+
++# ifndef OPENSSL_NO_QUIC
++/*
++ * QUIC integration - The QUIC interface matches BoringSSL
++ *
++ * ssl_encryption_level_t represents a specific QUIC encryption level used to
++ * transmit handshake messages. BoringSSL has this as an 'enum'.
++ */
++typedef enum ssl_encryption_level_t {
++ ssl_encryption_initial = 0,
++ ssl_encryption_early_data,
++ ssl_encryption_handshake,
++ ssl_encryption_application
++} OSSL_ENCRYPTION_LEVEL;
++
++struct ssl_quic_method_st {
++ int (*set_encryption_secrets)(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
++ const uint8_t *read_secret,
++ const uint8_t *write_secret, size_t secret_len);
++ int (*add_handshake_data)(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
++ const uint8_t *data, size_t len);
++ int (*flush_flight)(SSL *ssl);
++ int (*send_alert)(SSL *ssl, enum ssl_encryption_level_t level, uint8_t alert);
++};
++
++__owur int SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method);
++__owur int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method);
++__owur int SSL_set_quic_transport_params(SSL *ssl,
++ const uint8_t *params,
++ size_t params_len);
++void SSL_get_peer_quic_transport_params(const SSL *ssl,
++ const uint8_t **out_params,
++ size_t *out_params_len);
++__owur size_t SSL_quic_max_handshake_flight_len(const SSL *ssl, OSSL_ENCRYPTION_LEVEL level);
++__owur OSSL_ENCRYPTION_LEVEL SSL_quic_read_level(const SSL *ssl);
++__owur OSSL_ENCRYPTION_LEVEL SSL_quic_write_level(const SSL *ssl);
++__owur int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
++ const uint8_t *data, size_t len);
++__owur int SSL_process_quic_post_handshake(SSL *ssl);
++
++__owur int SSL_is_quic(SSL *ssl);
++
++# endif
++
++int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *c);
++
+ # ifdef __cplusplus
+ }
+ # endif
+diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
+index f1882558ba..d60c892037 100644
+--- a/include/openssl/sslerr.h
++++ b/include/openssl/sslerr.h
+@@ -28,6 +28,7 @@
+ # define SSL_R_BAD_CHANGE_CIPHER_SPEC 103
+ # define SSL_R_BAD_CIPHER 186
+ # define SSL_R_BAD_DATA 390
++# define SSL_R_BAD_DATA_LENGTH 802
+ # define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 106
+ # define SSL_R_BAD_DECOMPRESSION 107
+ # define SSL_R_BAD_DH_VALUE 102
+@@ -333,6 +334,7 @@
+ # define SSL_R_WRONG_CERTIFICATE_TYPE 383
+ # define SSL_R_WRONG_CIPHER_RETURNED 261
+ # define SSL_R_WRONG_CURVE 378
++# define SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED 800
+ # define SSL_R_WRONG_SIGNATURE_LENGTH 264
+ # define SSL_R_WRONG_SIGNATURE_SIZE 265
+ # define SSL_R_WRONG_SIGNATURE_TYPE 370
+diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
+index 793155e186..c4f80dc332 100644
+--- a/include/openssl/tls1.h
++++ b/include/openssl/tls1.h
+@@ -151,6 +151,9 @@ extern "C" {
+ /* Temporary extension type */
+ # define TLSEXT_TYPE_renegotiate 0xff01
+
++/* ExtensionType value from draft-ietf-quic-tls-13 */
++# define TLSEXT_TYPE_quic_transport_parameters 0xffa5
++
+ # ifndef OPENSSL_NO_NEXTPROTONEG
+ /* This is not an IANA defined extension number */
+ # define TLSEXT_TYPE_next_proto_neg 13172
+diff --git a/include/openssl/types.h b/include/openssl/types.h
+index 5f9d8c23ea..31d8c18746 100644
+--- a/include/openssl/types.h
++++ b/include/openssl/types.h
+@@ -232,6 +232,8 @@ typedef struct ossl_decoder_ctx_st OSSL_DECODER_CTX;
+
+ typedef struct ossl_self_test_st OSSL_SELF_TEST;
+
++typedef struct ssl_quic_method_st SSL_QUIC_METHOD;
++
+ #ifdef __cplusplus
+ }
+ #endif
+diff --git a/ssl/build.info b/ssl/build.info
+index 0851357f81..ac87437906 100644
+--- a/ssl/build.info
++++ b/ssl/build.info
+@@ -38,6 +38,8 @@ IF[{- !$disabled{'deprecated-3.0'} -}]
+ SOURCE[../libssl]=ssl_rsa_legacy.c
+ ENDIF
+
++SOURCE[../libssl]=ssl_quic.c statem/statem_quic.c
++
+ DEFINE[../libssl]=$AESDEF
+
+ SOURCE[../providers/libcommon.a]=record/tls_pad.c
+diff --git a/ssl/s3_msg.c b/ssl/s3_msg.c
+index c0f0dbc17d..667c5385e8 100644
+--- a/ssl/s3_msg.c
++++ b/ssl/s3_msg.c
+@@ -81,6 +81,16 @@ int ssl3_dispatch_alert(SSL *s)
+
+ s->s3.alert_dispatch = 0;
+ alertlen = 2;
++#ifndef OPENSSL_NO_QUIC
++ if (SSL_IS_QUIC(s)) {
++ if (!s->quic_method->send_alert(s, s->quic_write_level,
++ s->s3.send_alert[1])) {
++ SSLerr(SSL_F_SSL3_DISPATCH_ALERT, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++ i = 1;
++ } else
++#endif
+ i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3.send_alert[0], &alertlen, 1, 0,
+ &written);
+ if (i <= 0) {
+diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
+index 93de9cf8fd..deb68b4062 100644
+--- a/ssl/ssl_ciph.c
++++ b/ssl/ssl_ciph.c
+@@ -2244,3 +2244,35 @@ const char *OSSL_default_ciphersuites(void)
+ "TLS_CHACHA20_POLY1305_SHA256:"
+ "TLS_AES_128_GCM_SHA256";
+ }
++
++int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *c)
++{
++ switch (c->algorithm2 & (0xFF << TLS1_PRF_DGST_SHIFT)) {
++ default:
++ break;
++ case TLS1_PRF_SHA1_MD5: /* TLS1_PRF */
++ return NID_md5_sha1;
++ case TLS1_PRF_SHA256:
++ return NID_sha256;
++ case TLS1_PRF_SHA384:
++ return NID_sha384;
++ case TLS1_PRF_GOST94:
++ return NID_id_GostR3411_94_prf;
++ case TLS1_PRF_GOST12_256:
++ return NID_id_GostR3411_2012_256;
++ case TLS1_PRF_GOST12_512:
++ return NID_id_GostR3411_2012_512;
++ }
++ /* TLSv1.3 ciphers don't specify separate PRF */
++ switch (c->algorithm2 & SSL_HANDSHAKE_MAC_MASK) {
++ default:
++ break;
++ case SSL_HANDSHAKE_MAC_MD5_SHA1: /* SSL_HANDSHAKE_MAC_DEFAULT */
++ return NID_md5_sha1;
++ case SSL_HANDSHAKE_MAC_SHA256:
++ return NID_sha256;
++ case SSL_HANDSHAKE_MAC_SHA384:
++ return NID_sha384;
++ }
++ return NID_undef;
++}
+diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
+index 84ee821c3c..0c4d1c1332 100644
+--- a/ssl/ssl_err.c
++++ b/ssl/ssl_err.c
+@@ -27,6 +27,7 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
+ "bad change cipher spec"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_CIPHER), "bad cipher"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DATA), "bad data"},
++ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DATA_LENGTH), "bad data length"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK),
+ "bad data returned by callback"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DECOMPRESSION), "bad decompression"},
+@@ -544,6 +545,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_CIPHER_RETURNED),
+ "wrong cipher returned"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_CURVE), "wrong curve"},
++ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED),
++ "wrong encryption level received"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_SIGNATURE_LENGTH),
+ "wrong signature length"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_SIGNATURE_SIZE),
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index f12ad6d034..6b7633e8a5 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -842,6 +842,10 @@ SSL *SSL_new(SSL_CTX *ctx)
+
+ s->job = NULL;
+
++#ifndef OPENSSL_NO_QUIC
++ s->quic_method = ctx->quic_method;
++#endif
++
+ #ifndef OPENSSL_NO_CT
+ if (!SSL_set_ct_validation_callback(s, ctx->ct_validation_callback,
+ ctx->ct_validation_callback_arg))
+@@ -1241,6 +1245,18 @@ void SSL_free(SSL *s)
+ OPENSSL_free(s->pha_context);
+ EVP_MD_CTX_free(s->pha_dgst);
+
++#ifndef OPENSSL_NO_QUIC
++ OPENSSL_free(s->ext.quic_transport_params);
++ OPENSSL_free(s->ext.peer_quic_transport_params);
++ while (s->quic_input_data_head != NULL) {
++ QUIC_DATA *qd;
++
++ qd = s->quic_input_data_head;
++ s->quic_input_data_head = qd->next;
++ OPENSSL_free(qd);
++ }
++#endif
++
+ sk_X509_NAME_pop_free(s->ca_names, X509_NAME_free);
+ sk_X509_NAME_pop_free(s->client_ca_names, X509_NAME_free);
+
+@@ -1834,6 +1850,12 @@ static int ssl_io_intern(void *vargs)
+
+ int ssl_read_internal(SSL *s, void *buf, size_t num, size_t *readbytes)
+ {
++#ifndef OPENSSL_NO_QUIC
++ if (SSL_IS_QUIC(s)) {
++ SSLerr(SSL_F_SSL_READ_INTERNAL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
++ return -1;
++ }
++#endif
+ if (s->handshake_func == NULL) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
+ return -1;
+@@ -1965,6 +1987,12 @@ int SSL_get_early_data_status(const SSL *s)
+
+ static int ssl_peek_internal(SSL *s, void *buf, size_t num, size_t *readbytes)
+ {
++#ifndef OPENSSL_NO_QUIC
++ if (SSL_IS_QUIC(s)) {
++ SSLerr(SSL_F_SSL_PEEK_INTERNAL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
++ return -1;
++ }
++#endif
+ if (s->handshake_func == NULL) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
+ return -1;
+@@ -2025,6 +2053,12 @@ int SSL_peek_ex(SSL *s, void *buf, size_t num, size_t *readbytes)
+
+ int ssl_write_internal(SSL *s, const void *buf, size_t num, size_t *written)
+ {
++#ifndef OPENSSL_NO_QUIC
++ if (SSL_IS_QUIC(s)) {
++ SSLerr(SSL_F_SSL_WRITE_INTERNAL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
++ return -1;
++ }
++#endif
+ if (s->handshake_func == NULL) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
+ return -1;
+@@ -3839,6 +3873,11 @@ int SSL_get_error(const SSL *s, int i)
+ }
+
+ if (SSL_want_read(s)) {
++#ifndef OPENSSL_NO_QUIC
++ if (SSL_IS_QUIC(s)) {
++ return SSL_ERROR_WANT_READ;
++ }
++#endif
+ bio = SSL_get_rbio(s);
+ if (BIO_should_read(bio))
+ return SSL_ERROR_WANT_READ;
+@@ -4206,7 +4245,7 @@ EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx)
+
+ const SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
+ {
+- if ((s->session != NULL) && (s->session->cipher != NULL))
++ if (s->session != NULL)
+ return s->session->cipher;
+ return NULL;
+ }
+diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
+index 845329a809..3e67b36990 100644
+--- a/ssl/ssl_local.h
++++ b/ssl/ssl_local.h
+@@ -337,6 +337,13 @@
+ /* Flag used on OpenSSL ciphersuite ids to indicate they are for SSLv3+ */
+ # define SSL3_CK_CIPHERSUITE_FLAG 0x03000000
+
++/* Check if an SSL structure is using QUIC (which uses TLSv1.3) */
++# ifndef OPENSSL_NO_QUIC
++# define SSL_IS_QUIC(s) (s->quic_method != NULL)
++# else
++# define SSL_IS_QUIC(s) 0
++# endif
++
+ /* Check if an SSL structure is using DTLS */
+ # define SSL_IS_DTLS(s) (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)
+
+@@ -766,6 +773,7 @@ typedef enum tlsext_index_en {
+ TLSEXT_IDX_cryptopro_bug,
+ TLSEXT_IDX_early_data,
+ TLSEXT_IDX_certificate_authorities,
++ TLSEXT_IDX_quic_transport_params,
+ TLSEXT_IDX_padding,
+ TLSEXT_IDX_psk,
+ /* Dummy index - must always be the last entry */
+@@ -1205,10 +1213,24 @@ struct ssl_ctx_st {
+ uint32_t disabled_mac_mask;
+ uint32_t disabled_mkey_mask;
+ uint32_t disabled_auth_mask;
++
++#ifndef OPENSSL_NO_QUIC
++ const SSL_QUIC_METHOD *quic_method;
++#endif
+ };
+
+ typedef struct cert_pkey_st CERT_PKEY;
+
++#ifndef OPENSSL_NO_QUIC
++struct quic_data_st {
++ struct quic_data_st *next;
++ OSSL_ENCRYPTION_LEVEL level;
++ size_t length;
++};
++typedef struct quic_data_st QUIC_DATA;
++int quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level);
++#endif
++
+ struct ssl_st {
+ /*
+ * protocol version (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION,
+@@ -1680,8 +1702,23 @@ struct ssl_st {
+ * selected.
+ */
+ int tick_identity;
++
++#ifndef OPENSSL_NO_QUIC
++ uint8_t *quic_transport_params;
++ size_t quic_transport_params_len;
++ uint8_t *peer_quic_transport_params;
++ size_t peer_quic_transport_params_len;
++#endif
+ } ext;
+
++#ifndef OPENSSL_NO_QUIC
++ OSSL_ENCRYPTION_LEVEL quic_read_level;
++ OSSL_ENCRYPTION_LEVEL quic_write_level;
++ QUIC_DATA *quic_input_data_head;
++ QUIC_DATA *quic_input_data_tail;
++ const SSL_QUIC_METHOD *quic_method;
++ size_t quic_len;
++#endif
+ /*
+ * Parsed form of the ClientHello, kept around across client_hello_cb
+ * calls.
+diff --git a/ssl/ssl_quic.c b/ssl/ssl_quic.c
+new file mode 100644
+index 0000000000..a39e4419c9
+--- /dev/null
++++ b/ssl/ssl_quic.c
+@@ -0,0 +1,248 @@
++/*
++ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License"). You may not use
++ * this file except in compliance with the License. You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include "ssl_local.h"
++#include "internal/cryptlib.h"
++#include "internal/refcount.h"
++
++#ifdef OPENSSL_NO_QUIC
++NON_EMPTY_TRANSLATION_UNIT
++#else
++
++int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,
++ size_t params_len)
++{
++ uint8_t *tmp;
++
++ if (params == NULL || params_len == 0) {
++ tmp = NULL;
++ params_len = 0;
++ } else {
++ tmp = OPENSSL_memdup(params, params_len);
++ if (tmp == NULL)
++ return 0;
++ }
++
++ OPENSSL_free(ssl->ext.quic_transport_params);
++ ssl->ext.quic_transport_params = tmp;
++ ssl->ext.quic_transport_params_len = params_len;
++ return 1;
++}
++
++void SSL_get_peer_quic_transport_params(const SSL *ssl,
++ const uint8_t **out_params,
++ size_t *out_params_len)
++{
++ *out_params = ssl->ext.peer_quic_transport_params;
++ *out_params_len = ssl->ext.peer_quic_transport_params_len;
++}
++
++size_t SSL_quic_max_handshake_flight_len(const SSL *ssl, OSSL_ENCRYPTION_LEVEL level)
++{
++ /*
++ * Limits flights to 16K by default when there are no large
++ * (certificate-carrying) messages.
++ */
++ static const size_t DEFAULT_FLIGHT_LIMIT = 16384;
++
++ switch (level) {
++ case ssl_encryption_initial:
++ return DEFAULT_FLIGHT_LIMIT;
++ case ssl_encryption_early_data:
++ /* QUIC does not send EndOfEarlyData. */
++ return 0;
++ case ssl_encryption_handshake:
++ if (ssl->server) {
++ /*
++ * Servers may receive Certificate message if configured to request
++ * client certificates.
++ */
++ if ((ssl->verify_mode & SSL_VERIFY_PEER)
++ && ssl->max_cert_list > DEFAULT_FLIGHT_LIMIT)
++ return ssl->max_cert_list;
++ } else {
++ /*
++ * Clients may receive both Certificate message and a CertificateRequest
++ * message.
++ */
++ if (2*ssl->max_cert_list > DEFAULT_FLIGHT_LIMIT)
++ return 2 * ssl->max_cert_list;
++ }
++ return DEFAULT_FLIGHT_LIMIT;
++ case ssl_encryption_application:
++ return DEFAULT_FLIGHT_LIMIT;
++ }
++
++ return 0;
++}
++
++OSSL_ENCRYPTION_LEVEL SSL_quic_read_level(const SSL *ssl)
++{
++ return ssl->quic_read_level;
++}
++
++OSSL_ENCRYPTION_LEVEL SSL_quic_write_level(const SSL *ssl)
++{
++ return ssl->quic_write_level;
++}
++
++int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
++ const uint8_t *data, size_t len)
++{
++ size_t l;
++
++ if (!SSL_IS_QUIC(ssl)) {
++ SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
++ return 0;
++ }
++
++ /* Level can be different than the current read, but not less */
++ if (level < ssl->quic_read_level
++ || (ssl->quic_input_data_tail != NULL && level < ssl->quic_input_data_tail->level)) {
++ SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED);
++ return 0;
++ }
++
++ /* Split the QUIC messages up, if necessary */
++ while (len > 0) {
++ QUIC_DATA *qd;
++ const uint8_t *p = data + 1;
++
++ n2l3(p, l);
++ l += SSL3_HM_HEADER_LENGTH;
++
++ if (l > len) {
++ SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, SSL_R_BAD_DATA_LENGTH);
++ return 0;
++ }
++
++ qd = OPENSSL_malloc(sizeof(QUIC_DATA) + l);
++ if (qd == NULL) {
++ SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++
++ qd->next = NULL;
++ qd->length = l;
++ qd->level = level;
++ memcpy((void*)(qd + 1), data, l);
++ if (ssl->quic_input_data_tail != NULL)
++ ssl->quic_input_data_tail->next = qd;
++ else
++ ssl->quic_input_data_head = qd;
++ ssl->quic_input_data_tail = qd;
++
++ data += l;
++ len -= l;
++ }
++
++ return 1;
++}
++
++int SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method)
++{
++ switch (ctx->method->version) {
++ case DTLS1_VERSION:
++ case DTLS1_2_VERSION:
++ case DTLS_ANY_VERSION:
++ case DTLS1_BAD_VER:
++ return 0;
++ default:
++ break;
++ }
++ ctx->quic_method = quic_method;
++ ctx->options &= SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
++ return 1;
++}
++
++int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method)
++{
++ switch (ssl->method->version) {
++ case DTLS1_VERSION:
++ case DTLS1_2_VERSION:
++ case DTLS_ANY_VERSION:
++ case DTLS1_BAD_VER:
++ return 0;
++ default:
++ break;
++ }
++ ssl->quic_method = quic_method;
++ ssl->options &= SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
++ return 1;
++}
++
++int quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level)
++{
++ uint8_t *read_secret = NULL;
++ uint8_t *write_secret = NULL;
++ static const unsigned char zeros[EVP_MAX_MD_SIZE];
++
++ if (!SSL_IS_QUIC(ssl))
++ return 1;
++
++ /* secrets from the POV of the client */
++ switch (level) {
++ case ssl_encryption_early_data:
++ write_secret = ssl->early_secret;
++ break;
++ case ssl_encryption_handshake:
++ read_secret = ssl->client_finished_secret;
++ write_secret = ssl->server_finished_secret;
++ break;
++ case ssl_encryption_application:
++ read_secret = ssl->client_app_traffic_secret;
++ write_secret = ssl->server_app_traffic_secret;
++ break;
++ default:
++ return 1;
++ }
++ /* In some cases, we want to set the secret only when BOTH are non-zero */
++ if (read_secret != NULL && write_secret != NULL
++ && !memcmp(read_secret, zeros, ssl->quic_len)
++ && !memcmp(write_secret, zeros, ssl->quic_len))
++ return 1;
++
++ if (ssl->server) {
++ if (!ssl->quic_method->set_encryption_secrets(ssl, level, read_secret,
++ write_secret, ssl->quic_len)) {
++ SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++ } else {
++ if (!ssl->quic_method->set_encryption_secrets(ssl, level, write_secret,
++ read_secret, ssl->quic_len)) {
++ SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++ }
++
++ return 1;
++}
++
++int SSL_process_quic_post_handshake(SSL *ssl)
++{
++ if (SSL_in_init(ssl) || !SSL_IS_QUIC(ssl)) {
++ SSLerr(SSL_F_SSL_PROCESS_QUIC_POST_HANDSHAKE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
++ return 0;
++ }
++
++ ossl_statem_set_in_init(ssl, 1);
++
++ if (ssl->handshake_func(ssl) <= 0)
++ return 0;
++
++ return 1;
++}
++
++int SSL_is_quic(SSL* ssl)
++{
++ return SSL_IS_QUIC(ssl);
++}
++
++#endif
+diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
+index e182b5abac..d8fa8e6913 100644
+--- a/ssl/statem/extensions.c
++++ b/ssl/statem/extensions.c
+@@ -58,6 +58,10 @@ static int final_early_data(SSL *s, unsigned int context, int sent);
+ static int final_maxfragmentlen(SSL *s, unsigned int context, int sent);
+ static int init_post_handshake_auth(SSL *s, unsigned int context);
+ static int final_psk(SSL *s, unsigned int context, int sent);
++#ifndef OPENSSL_NO_QUIC
++static int init_quic_transport_params(SSL *s, unsigned int context);
++static int final_quic_transport_params(SSL *s, unsigned int context, int sent);
++#endif
+
+ /* Structure to define a built-in extension */
+ typedef struct extensions_definition_st {
+@@ -369,6 +373,19 @@ static const EXTENSION_DEFINITION ext_defs[] = {
+ tls_construct_certificate_authorities,
+ tls_construct_certificate_authorities, NULL,
+ },
++#ifndef OPENSSL_NO_QUIC
++ {
++ TLSEXT_TYPE_quic_transport_parameters,
++ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
++ | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
++ init_quic_transport_params,
++ tls_parse_ctos_quic_transport_params, tls_parse_stoc_quic_transport_params,
++ tls_construct_stoc_quic_transport_params, tls_construct_ctos_quic_transport_params,
++ final_quic_transport_params,
++ },
++#else
++ INVALID_EXTENSION,
++#endif
+ {
+ /* Must be immediately before pre_shared_key */
+ TLSEXT_TYPE_padding,
+@@ -1724,3 +1741,15 @@ static int final_psk(SSL *s, unsigned int context, int sent)
+
+ return 1;
+ }
++
++#ifndef OPENSSL_NO_QUIC
++static int init_quic_transport_params(SSL *s, unsigned int context)
++{
++ return 1;
++}
++
++static int final_quic_transport_params(SSL *s, unsigned int context, int sent)
++{
++ return 1;
++}
++#endif
+diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
+index 842be0722b..52742dc36a 100644
+--- a/ssl/statem/extensions_clnt.c
++++ b/ssl/statem/extensions_clnt.c
+@@ -1196,7 +1196,29 @@ EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL *s, WPACKET *pkt,
+ #endif
+ }
+
++#ifndef OPENSSL_NO_QUIC
++/* SAME AS tls_construct_stoc_quic_transport_params() */
++EXT_RETURN tls_construct_ctos_quic_transport_params(SSL *s, WPACKET *pkt,
++ unsigned int context, X509 *x,
++ size_t chainidx)
++{
++ if (s->ext.quic_transport_params == NULL
++ || s->ext.quic_transport_params_len == 0) {
++ return EXT_RETURN_NOT_SENT;
++ }
+
++ if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_quic_transport_parameters)
++ || !WPACKET_start_sub_packet_u16(pkt)
++ || !WPACKET_sub_memcpy_u16(pkt, s->ext.quic_transport_params,
++ s->ext.quic_transport_params_len)
++ || !WPACKET_close(pkt)) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++ return EXT_RETURN_FAIL;
++ }
++
++ return EXT_RETURN_SENT;
++}
++#endif
+ /*
+ * Parse the server's renegotiation binding and abort if it's not right
+ */
+@@ -1981,3 +2003,29 @@ int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+
+ return 1;
+ }
++#ifndef OPENSSL_NO_QUIC
++/* SAME AS tls_parse_ctos_quic_transport_params() */
++int tls_parse_stoc_quic_transport_params(SSL *s, PACKET *pkt, unsigned int context,
++ X509 *x, size_t chainidx)
++{
++ PACKET trans_param;
++
++ if (!PACKET_as_length_prefixed_2(pkt, &trans_param)
++ || PACKET_remaining(&trans_param) == 0) {
++ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
++ return 0;
++ }
++
++ OPENSSL_free(s->ext.peer_quic_transport_params);
++ s->ext.peer_quic_transport_params = NULL;
++ s->ext.peer_quic_transport_params_len = 0;
++
++ if (!PACKET_memdup(&trans_param,
++ &s->ext.peer_quic_transport_params,
++ &s->ext.peer_quic_transport_params_len)) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++ return 1;
++}
++#endif
+diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
+index 00b1ee531e..929e272cd9 100644
+--- a/ssl/statem/extensions_srvr.c
++++ b/ssl/statem/extensions_srvr.c
+@@ -1232,6 +1232,33 @@ int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt,
+ return 1;
+ }
+
++#ifndef OPENSSL_NO_QUIC
++/* SAME AS tls_parse_stoc_quic_transport_params() */
++int tls_parse_ctos_quic_transport_params(SSL *s, PACKET *pkt, unsigned int context,
++ X509 *x, size_t chainidx)
++{
++ PACKET trans_param;
++
++ if (!PACKET_as_length_prefixed_2(pkt, &trans_param)
++ || PACKET_remaining(&trans_param) == 0) {
++ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
++ return 0;
++ }
++
++ OPENSSL_free(s->ext.peer_quic_transport_params);
++ s->ext.peer_quic_transport_params = NULL;
++ s->ext.peer_quic_transport_params_len = 0;
++
++ if (!PACKET_memdup(&trans_param,
++ &s->ext.peer_quic_transport_params,
++ &s->ext.peer_quic_transport_params_len)) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++ return 1;
++}
++#endif
++
+ /*
+ * Add the server's renegotiation binding
+ */
+@@ -1914,3 +1941,27 @@ EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
+
+ return EXT_RETURN_SENT;
+ }
++
++#ifndef OPENSSL_NO_QUIC
++/* SAME AS tls_construct_ctos_quic_transport_params() */
++EXT_RETURN tls_construct_stoc_quic_transport_params(SSL *s, WPACKET *pkt,
++ unsigned int context, X509 *x,
++ size_t chainidx)
++{
++ if (s->ext.quic_transport_params == NULL
++ || s->ext.quic_transport_params_len == 0) {
++ return EXT_RETURN_NOT_SENT;
++ }
++
++ if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_quic_transport_parameters)
++ || !WPACKET_start_sub_packet_u16(pkt)
++ || !WPACKET_sub_memcpy_u16(pkt, s->ext.quic_transport_params,
++ s->ext.quic_transport_params_len)
++ || !WPACKET_close(pkt)) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++ return EXT_RETURN_FAIL;
++ }
++
++ return EXT_RETURN_SENT;
++}
++#endif
+diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c
+index 553546d93a..f6caa64e4c 100644
+--- a/ssl/statem/statem.c
++++ b/ssl/statem/statem.c
+@@ -583,6 +583,10 @@ static SUB_STATE_RETURN read_state_machine(SSL *s)
+ * In DTLS we get the whole message in one go - header and body
+ */
+ ret = dtls_get_message(s, &mt);
++#ifndef OPENSSL_NO_QUIC
++ } else if (SSL_IS_QUIC(s)) {
++ ret = quic_get_message(s, &mt, &len);
++#endif
+ } else {
+ ret = tls_get_message_header(s, &mt);
+ }
+@@ -612,8 +616,8 @@ static SUB_STATE_RETURN read_state_machine(SSL *s)
+ return SUB_STATE_ERROR;
+ }
+
+- /* dtls_get_message already did this */
+- if (!SSL_IS_DTLS(s)
++ /* dtls_get_message/quic_get_message already did this */
++ if (!SSL_IS_DTLS(s) && !SSL_IS_QUIC(s)
+ && s->s3.tmp.message_size > 0
+ && !grow_init_buf(s, s->s3.tmp.message_size
+ + SSL3_HM_HEADER_LENGTH)) {
+@@ -631,7 +635,8 @@ static SUB_STATE_RETURN read_state_machine(SSL *s)
+ * opportunity to do any further processing.
+ */
+ ret = dtls_get_message_body(s, &len);
+- } else {
++ } else if (!SSL_IS_QUIC(s)) {
++ /* We already got this above for QUIC */
+ ret = tls_get_message_body(s, &len);
+ }
+ if (ret == 0) {
+@@ -921,6 +926,15 @@ static SUB_STATE_RETURN write_state_machine(SSL *s)
+ int statem_flush(SSL *s)
+ {
+ s->rwstate = SSL_WRITING;
++#ifndef OPENSSL_NO_QUIC
++ if (SSL_IS_QUIC(s)) {
++ if (!s->quic_method->flush_flight(s)) {
++ /* NOTE: BIO_flush() does not generate an error */
++ SSLerr(SSL_F_STATEM_FLUSH, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++ } else
++#endif
+ if (BIO_flush(s->wbio) <= 0) {
+ return 0;
+ }
+diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
+index 25055df15c..65899e6b83 100644
+--- a/ssl/statem/statem_lib.c
++++ b/ssl/statem/statem_lib.c
+@@ -44,9 +44,23 @@ int ssl3_do_write(SSL *s, int type)
+ {
+ int ret;
+ size_t written = 0;
++#ifndef OPENSSL_NO_QUIC
++ if (SSL_IS_QUIC(s) && type == SSL3_RT_HANDSHAKE) {
++ ret = s->quic_method->add_handshake_data(s, s->quic_write_level,
++ (const uint8_t*)&s->init_buf->data[s->init_off],
++ s->init_num);
++ if (!ret) {
++ ret = -1;
++ /* QUIC can't sent anything out sice the above failed */
++ SSLerr(SSL_F_SSL3_DO_WRITE, ERR_R_INTERNAL_ERROR);
++ } else {
++ written = s->init_num;
++ }
++ } else
++#endif
++ ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
++ s->init_num, &written);
+
+- ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
+- s->init_num, &written);
+ if (ret <= 0)
+ return -1;
+ if (type == SSL3_RT_HANDSHAKE)
+@@ -1163,6 +1177,7 @@ int tls_get_message_header(SSL *s, int *mt)
+
+ do {
+ while (s->init_num < SSL3_HM_HEADER_LENGTH) {
++ /* QUIC: either create a special ssl_read_bytes... or if/else this */
+ i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
+ &p[s->init_num],
+ SSL3_HM_HEADER_LENGTH - s->init_num,
+diff --git a/ssl/statem/statem_local.h b/ssl/statem/statem_local.h
+index ad4d93b1e2..57e314512b 100644
+--- a/ssl/statem/statem_local.h
++++ b/ssl/statem/statem_local.h
+@@ -104,6 +104,7 @@ __owur int tls_get_message_header(SSL *s, int *mt);
+ __owur int tls_get_message_body(SSL *s, size_t *len);
+ __owur int dtls_get_message(SSL *s, int *mt);
+ __owur int dtls_get_message_body(SSL *s, size_t *len);
++__owur int quic_get_message(SSL *s, int *mt, size_t *len);
+
+ /* Message construction and processing functions */
+ __owur int tls_process_initial_server_flight(SSL *s);
+@@ -251,6 +252,10 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx);
+ int tls_parse_ctos_post_handshake_auth(SSL *, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx);
++#ifndef OPENSSL_NO_QUIC
++int tls_parse_ctos_quic_transport_params(SSL *s, PACKET *pkt, unsigned int context,
++ X509 *x, size_t chainidx);
++#endif
+
+ EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+@@ -311,6 +316,11 @@ EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
+ size_t chainidx);
+ EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx);
++#ifndef OPENSSL_NO_QUIC
++EXT_RETURN tls_construct_stoc_quic_transport_params(SSL *s, WPACKET *pkt,
++ unsigned int context, X509 *x,
++ size_t chainidx);
++#endif
+
+ /* Client Extension processing */
+ EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, unsigned int context,
+@@ -380,6 +390,11 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx);
+ EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL *s, WPACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx);
++#ifndef OPENSSL_NO_QUIC
++EXT_RETURN tls_construct_ctos_quic_transport_params(SSL *s, WPACKET *pkt,
++ unsigned int context, X509 *x,
++ size_t chainidx);
++#endif
+
+ int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx);
+@@ -423,6 +438,10 @@ int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx);
+ int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx);
++#ifndef OPENSSL_NO_QUIC
++int tls_parse_stoc_quic_transport_params(SSL *s, PACKET *pkt, unsigned int context,
++ X509 *x, size_t chainidx);
++#endif
+
+ int tls_handle_alpn(SSL *s);
+
+diff --git a/ssl/statem/statem_quic.c b/ssl/statem/statem_quic.c
+new file mode 100644
+index 0000000000..66acc30d6d
+--- /dev/null
++++ b/ssl/statem/statem_quic.c
+@@ -0,0 +1,106 @@
++/*
++ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License"). You may not use
++ * this file except in compliance with the License. You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include "../ssl_local.h"
++#include "statem_local.h"
++#include "internal/cryptlib.h"
++
++#ifdef OPENSSL_NO_QUIC
++NON_EMPTY_TRANSLATION_UNIT
++#else
++
++int quic_get_message(SSL *s, int *mt, size_t *len)
++{
++ size_t l;
++ QUIC_DATA *qd;
++ uint8_t *p;
++
++ if (s->quic_input_data_head == NULL) {
++ s->rwstate = SSL_READING;
++ *len = 0;
++ return 0;
++ }
++
++ /* This is where we check for the proper level, not when data is given */
++ if (s->quic_input_data_head->level != s->quic_read_level) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED);
++ *len = 0;
++ return 0;
++ }
++
++ if (!BUF_MEM_grow_clean(s->init_buf, (int)s->quic_input_data_head->length)) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB);
++ *len = 0;
++ return 0;
++ }
++
++ /* Copy buffered data */
++ qd = s->quic_input_data_head;
++ memcpy(s->init_buf->data, (void*)(qd + 1), qd->length);
++ s->init_buf->length = qd->length;
++ s->quic_input_data_head = qd->next;
++ if (s->quic_input_data_head == NULL)
++ s->quic_input_data_tail = NULL;
++ OPENSSL_free(qd);
++
++ s->s3.tmp.message_type = *mt = *(s->init_buf->data);
++ p = (uint8_t*)s->init_buf->data + 1;
++ n2l3(p, l);
++ s->init_num = s->s3.tmp.message_size = *len = l;
++ s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
++
++ /* No CCS in QUIC/TLSv1.3? */
++ if (*mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
++ SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY);
++ *len = 0;
++ return 0;
++ }
++
++ /*
++ * If receiving Finished, record MAC of prior handshake messages for
++ * Finished verification.
++ */
++ if (*mt == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
++ /* SSLfatal() already called */
++ *len = 0;
++ return 0;
++ }
++
++ /*
++ * We defer feeding in the HRR until later. We'll do it as part of
++ * processing the message
++ * The TLsv1.3 handshake transcript stops at the ClientFinished
++ * message.
++ */
++#define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
++ /* KeyUpdate and NewSessionTicket do not need to be added */
++ if (!SSL_IS_TLS13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
++ && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
++ if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
++ || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
++ || memcmp(hrrrandom,
++ s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
++ SSL3_RANDOM_SIZE) != 0) {
++ if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
++ s->init_num + SSL3_HM_HEADER_LENGTH)) {
++ /* SSLfatal() already called */
++ *len = 0;
++ return 0;
++ }
++ }
++ }
++ if (s->msg_callback)
++ s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
++ (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
++ s->msg_callback_arg);
++
++ return 1;
++}
++
++#endif
+diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
+index 9ae2126e3c..b828b509f4 100644
+--- a/ssl/tls13_enc.c
++++ b/ssl/tls13_enc.c
+@@ -422,6 +422,9 @@ int tls13_change_cipher_state(SSL *s, int which)
+ ktls_crypto_info_t crypto_info;
+ BIO *bio;
+ #endif
++#ifndef OPENSSL_NO_QUIC
++ OSSL_ENCRYPTION_LEVEL level = ssl_encryption_initial;
++#endif
+
+ if (which & SSL3_CC_READ) {
+ if (s->enc_read_ctx != NULL) {
+@@ -467,6 +470,9 @@ int tls13_change_cipher_state(SSL *s, int which)
+ label = client_early_traffic;
+ labellen = sizeof(client_early_traffic) - 1;
+ log_label = CLIENT_EARLY_LABEL;
++#ifndef OPENSSL_NO_QUIC
++ level = ssl_encryption_early_data;
++#endif
+
+ handlen = BIO_get_mem_data(s->s3.handshake_buffer, &hdata);
+ if (handlen <= 0) {
+@@ -526,6 +532,9 @@ int tls13_change_cipher_state(SSL *s, int which)
+ goto err;
+ }
+ hashlen = hashlenui;
++#ifndef OPENSSL_NO_QUIC
++ s->quic_len = hashlen;
++#endif
+ EVP_MD_CTX_free(mdctx);
+
+ if (!tls13_hkdf_expand(s, md, insecret,
+@@ -543,6 +552,14 @@ int tls13_change_cipher_state(SSL *s, int which)
+ /* SSLfatal() already called */
+ goto err;
+ }
++#ifndef OPENSSL_NO_QUIC
++ if (SSL_IS_QUIC(s)) {
++ if (s->server)
++ s->quic_read_level = ssl_encryption_early_data;
++ else
++ s->quic_write_level = ssl_encryption_early_data;
++ }
++#endif
+ } else if (which & SSL3_CC_HANDSHAKE) {
+ insecret = s->handshake_secret;
+ finsecret = s->client_finished_secret;
+@@ -550,6 +567,15 @@ int tls13_change_cipher_state(SSL *s, int which)
+ label = client_handshake_traffic;
+ labellen = sizeof(client_handshake_traffic) - 1;
+ log_label = CLIENT_HANDSHAKE_LABEL;
++#ifndef OPENSSL_NO_QUIC
++ if (SSL_IS_QUIC(s)) {
++ level = ssl_encryption_handshake;
++ if (s->server)
++ s->quic_read_level = ssl_encryption_handshake;
++ else
++ s->quic_write_level = ssl_encryption_handshake;
++ }
++#endif
+ /*
+ * The handshake hash used for the server read/client write handshake
+ * traffic secret is the same as the hash for the server
+@@ -572,6 +598,15 @@ int tls13_change_cipher_state(SSL *s, int which)
+ * previously saved value.
+ */
+ hash = s->server_finished_hash;
++#ifndef OPENSSL_NO_QUIC
++ if (SSL_IS_QUIC(s)) {
++ level = ssl_encryption_application; /* ??? */
++ if (s->server)
++ s->quic_read_level = ssl_encryption_application;
++ else
++ s->quic_write_level = ssl_encryption_application;
++ }
++#endif
+ }
+ } else {
+ /* Early data never applies to client-read/server-write */
+@@ -582,11 +617,29 @@ int tls13_change_cipher_state(SSL *s, int which)
+ label = server_handshake_traffic;
+ labellen = sizeof(server_handshake_traffic) - 1;
+ log_label = SERVER_HANDSHAKE_LABEL;
++#ifndef OPENSSL_NO_QUIC
++ if (SSL_IS_QUIC(s)) {
++ level = ssl_encryption_handshake;
++ if (s->server)
++ s->quic_write_level = ssl_encryption_handshake;
++ else
++ s->quic_read_level = ssl_encryption_handshake;
++ }
++#endif
+ } else {
+ insecret = s->master_secret;
+ label = server_application_traffic;
+ labellen = sizeof(server_application_traffic) - 1;
+ log_label = SERVER_APPLICATION_LABEL;
++#ifndef OPENSSL_NO_QUIC
++ if (SSL_IS_QUIC(s)) {
++ level = ssl_encryption_application;
++ if (s->server)
++ s->quic_write_level = ssl_encryption_application;
++ else
++ s->quic_read_level = ssl_encryption_application;
++ }
++#endif
+ }
+ }
+
+@@ -714,6 +767,12 @@ int tls13_change_cipher_state(SSL *s, int which)
+ skip_ktls:
+ # endif
+ #endif
++
++#ifndef OPENSSL_NO_QUIC
++ if (!quic_set_encryption_secrets(s, level))
++ goto err;
++#endif
++
+ ret = 1;
+ err:
+ if ((which & SSL3_CC_EARLY) != 0) {
+diff --git a/test/helpers/ssltestlib.c b/test/helpers/ssltestlib.c
+index f0dccfa54c..c317e03d8e 100644
+--- a/test/helpers/ssltestlib.c
++++ b/test/helpers/ssltestlib.c
+@@ -1157,6 +1157,11 @@ int create_ssl_connection(SSL *serverssl, SSL *clientssl, int want)
+ if (!create_bare_ssl_connection(serverssl, clientssl, want, 1))
+ return 0;
+
++#ifndef OPENSSL_NO_QUIC
++ /* QUIC does not support SSL_read_ex */
++ if (SSL_is_quic(clientssl))
++ return 1;
++#endif
+ /*
+ * We attempt to read some data on the client side which we expect to fail.
+ * This will ensure we have received the NewSessionTicket in TLSv1.3 where
+diff --git a/test/sslapitest.c b/test/sslapitest.c
+index 45286653b9..b0bafe7549 100644
+--- a/test/sslapitest.c
++++ b/test/sslapitest.c
+@@ -10095,6 +10095,7 @@ static int test_inherit_verify_param(void)
+ return testresult;
+ }
+
++
+ static int test_load_dhfile(void)
+ {
+ #ifndef OPENSSL_NO_DH
+@@ -10130,9 +10131,144 @@ end:
+ #endif
+ }
+
++#ifndef OPENSSL_NO_QUIC
++static int test_quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
++ const uint8_t *read_secret,
++ const uint8_t *write_secret, size_t secret_len)
++{
++ test_printf_stderr("quic_set_encryption_secrets() %s, lvl=%d, len=%zd\n",
++ ssl->server ? "server" : "client", level, secret_len);
++ return 1;
++}
++
++static int test_quic_add_handshake_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
++ const uint8_t *data, size_t len)
++{
++ SSL *peer = (SSL*)SSL_get_app_data(ssl);
++
++ test_printf_stderr("quic_add_handshake_data() %s, lvl=%d, *data=0x%02X, len=%zd\n",
++ ssl->server ? "server" : "client", level, (int)*data, len);
++ if (!TEST_ptr(peer))
++ return 0;
++
++ if (!TEST_true(SSL_provide_quic_data(peer, level, data, len))) {
++ ERR_print_errors_fp(stderr);
++ return 0;
++ }
++
++ return 1;
++}
++
++static int test_quic_flush_flight(SSL *ssl)
++{
++ test_printf_stderr("quic_flush_flight() %s\n", ssl->server ? "server" : "client");
++ return 1;
++}
++
++static int test_quic_send_alert(SSL *ssl, enum ssl_encryption_level_t level, uint8_t alert)
++{
++ test_printf_stderr("quic_send_alert() %s, lvl=%d, alert=%d\n",
++ ssl->server ? "server" : "client", level, alert);
++ return 1;
++}
++
++static SSL_QUIC_METHOD quic_method = {
++ test_quic_set_encryption_secrets,
++ test_quic_add_handshake_data,
++ test_quic_flush_flight,
++ test_quic_send_alert,
++};
++
++static int test_quic_api(void)
++{
++ SSL_CTX *cctx = NULL, *sctx = NULL;
++ SSL *clientssl = NULL, *serverssl = NULL;
++ int testresult = 0;
++
++ static const char *server_str = "SERVER";
++ static const char *client_str = "CLIENT";
++ const uint8_t *peer_str;
++ size_t peer_str_len;
++
++ /* Clean up logging space */
++ memset(client_log_buffer, 0, sizeof(client_log_buffer));
++ memset(server_log_buffer, 0, sizeof(server_log_buffer));
++ client_log_buffer_index = 0;
++ server_log_buffer_index = 0;
++ error_writing_log = 0;
++
++
++ if (!TEST_ptr(sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))
++ || !TEST_true(SSL_CTX_set_quic_method(sctx, &quic_method))
++ || !TEST_ptr(sctx->quic_method)
++ || !TEST_ptr(serverssl = SSL_new(sctx))
++ || !TEST_true(SSL_IS_QUIC(serverssl))
++ || !TEST_true(SSL_set_quic_method(serverssl, NULL))
++ || !TEST_false(SSL_IS_QUIC(serverssl))
++ || !TEST_true(SSL_set_quic_method(serverssl, &quic_method))
++ || !TEST_true(SSL_IS_QUIC(serverssl)))
++ goto end;
++
++ SSL_CTX_free(sctx);
++ sctx = NULL;
++ SSL_free(serverssl);
++ serverssl = NULL;
++
++ if (!TEST_true(create_ssl_ctx_pair(libctx,
++ TLS_server_method(),
++ TLS_client_method(),
++ TLS1_3_VERSION, 0,
++ &sctx, &cctx, cert, privkey))
++ || !TEST_true(SSL_CTX_set_quic_method(sctx, &quic_method))
++ || !TEST_true(SSL_CTX_set_quic_method(cctx, &quic_method))
++ || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
++ &clientssl, NULL, NULL))
++ || !TEST_true(SSL_set_quic_transport_params(serverssl,
++ (unsigned char*)server_str,
++ sizeof(server_str)))
++ || !TEST_true(SSL_set_quic_transport_params(clientssl,
++ (unsigned char*)client_str,
++ sizeof(client_str)))
++ || !TEST_true(SSL_set_app_data(serverssl, clientssl))
++ || !TEST_true(SSL_set_app_data(clientssl, serverssl))
++ || !TEST_true(create_ssl_connection(serverssl, clientssl,
++ SSL_ERROR_NONE))
++ || !TEST_true(SSL_version(serverssl) == TLS1_3_VERSION)
++ || !TEST_true(SSL_version(clientssl) == TLS1_3_VERSION)
++ || !(TEST_int_eq(SSL_quic_read_level(clientssl), ssl_encryption_application))
++ || !(TEST_int_eq(SSL_quic_read_level(serverssl), ssl_encryption_application))
++ || !(TEST_int_eq(SSL_quic_write_level(clientssl), ssl_encryption_application))
++ || !(TEST_int_eq(SSL_quic_write_level(serverssl), ssl_encryption_application)))
++ goto end;
++
++ SSL_get_peer_quic_transport_params(serverssl, &peer_str, &peer_str_len);
++ if (!TEST_mem_eq(peer_str, peer_str_len, client_str, sizeof(client_str)))
++ goto end;
++ SSL_get_peer_quic_transport_params(clientssl, &peer_str, &peer_str_len);
++ if (!TEST_mem_eq(peer_str, peer_str_len, server_str, sizeof(server_str)))
++ goto end;
++
++ /* Deal with two NewSessionTickets */
++ if (!TEST_true(SSL_process_quic_post_handshake(clientssl))
++ || !TEST_true(SSL_process_quic_post_handshake(clientssl)))
++ goto end;
++
++ testresult = 1;
++
++ end:
++ SSL_free(serverssl);
++ SSL_free(clientssl);
++ SSL_CTX_free(sctx);
++ SSL_CTX_free(cctx);
++
++ return testresult;
++}
++#endif /* OPENSSL_NO_QUIC */
++
+ #ifndef OSSL_NO_USABLE_TLS1_3
+ /* Test that read_ahead works across a key change */
+ static int test_read_ahead_key_change(void)
++
+ {
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+@@ -10192,6 +10328,7 @@ end:
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
++
+ return testresult;
+ }
+
+@@ -10902,6 +11039,9 @@ int setup_tests(void)
+ ADD_ALL_TESTS(test_pipelining, 7);
+ #endif
+ ADD_ALL_TESTS(test_handshake_retry, 16);
++#ifndef OPENSSL_NO_QUIC
++ ADD_TEST(test_quic_api);
++#endif
+ return 1;
+
+ err:
+diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c
+index bf214d3d5b..8323b23778 100644
+--- a/test/tls13secretstest.c
++++ b/test/tls13secretstest.c
+@@ -224,6 +224,13 @@ void ssl_evp_md_free(const EVP_MD *md)
+ {
+ }
+
++#ifndef OPENSSL_NO_QUIC
++int quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level)
++{
++ return 1;
++}
++#endif
++
+ /* End of mocked out code */
+
+ static int test_secret(SSL *s, unsigned char *prk,
+diff --git a/util/libssl.num b/util/libssl.num
+index f055c967bf..72ee0bedc6 100644
+--- a/util/libssl.num
++++ b/util/libssl.num
+@@ -520,3 +520,14 @@ SSL_load_client_CA_file_ex 520 3_0_0 EXIST::FUNCTION:
+ SSL_set0_tmp_dh_pkey 521 3_0_0 EXIST::FUNCTION:
+ SSL_CTX_set0_tmp_dh_pkey 522 3_0_0 EXIST::FUNCTION:
+ SSL_group_to_name 523 3_0_0 EXIST::FUNCTION:
++SSL_quic_read_level 20000 3_0_0 EXIST::FUNCTION:QUIC
++SSL_set_quic_transport_params 20001 3_0_0 EXIST::FUNCTION:QUIC
++SSL_CIPHER_get_prf_nid 20002 3_0_0 EXIST::FUNCTION:
++SSL_is_quic 20003 3_0_0 EXIST::FUNCTION:QUIC
++SSL_get_peer_quic_transport_params 20004 3_0_0 EXIST::FUNCTION:QUIC
++SSL_quic_write_level 20005 3_0_0 EXIST::FUNCTION:QUIC
++SSL_CTX_set_quic_method 20006 3_0_0 EXIST::FUNCTION:QUIC
++SSL_set_quic_method 20007 3_0_0 EXIST::FUNCTION:QUIC
++SSL_quic_max_handshake_flight_len 20008 3_0_0 EXIST::FUNCTION:QUIC
++SSL_process_quic_post_handshake 20009 3_0_0 EXIST::FUNCTION:QUIC
++SSL_provide_quic_data 20010 3_0_0 EXIST::FUNCTION:QUIC
+diff --git a/util/other.syms b/util/other.syms
+index cdd62e81d0..baba363337 100644
+--- a/util/other.syms
++++ b/util/other.syms
+@@ -142,6 +142,8 @@ custom_ext_free_cb datatype
+ custom_ext_parse_cb datatype
+ pem_password_cb datatype
+ ssl_ct_validation_cb datatype
++OSSL_ENCRYPTION_LEVEL datatype
++SSL_QUIC_METHOD datatype
+ #
+ ASN1_BIT_STRING_digest define
+ BIO_append_filename define
+--
+2.42.0
+
diff --git a/0002-QUIC-New-method-to-get-QUIC-secret-length.patch b/0002-QUIC-New-method-to-get-QUIC-secret-length.patch
new file mode 100644
index 0000000..e296d08
--- /dev/null
+++ b/0002-QUIC-New-method-to-get-QUIC-secret-length.patch
@@ -0,0 +1,99 @@
+From 3673eecaa83e6687d8e4d6ecd826928b27c5c639 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Fri, 14 Jun 2019 12:04:14 -0400
+Subject: [PATCH 02/63] QUIC: New method to get QUIC secret length
+
+---
+ ssl/ssl_local.h | 1 -
+ ssl/ssl_quic.c | 30 ++++++++++++++++++++++++++----
+ ssl/tls13_enc.c | 3 ---
+ 3 files changed, 26 insertions(+), 8 deletions(-)
+
+diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
+index 3e67b36990..725ba1cdc5 100644
+--- a/ssl/ssl_local.h
++++ b/ssl/ssl_local.h
+@@ -1717,7 +1717,6 @@ struct ssl_st {
+ QUIC_DATA *quic_input_data_head;
+ QUIC_DATA *quic_input_data_tail;
+ const SSL_QUIC_METHOD *quic_method;
+- size_t quic_len;
+ #endif
+ /*
+ * Parsed form of the ClientHello, kept around across client_hello_cb
+diff --git a/ssl/ssl_quic.c b/ssl/ssl_quic.c
+index a39e4419c9..46cca0b4db 100644
+--- a/ssl/ssl_quic.c
++++ b/ssl/ssl_quic.c
+@@ -181,6 +181,8 @@ int quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level)
+ {
+ uint8_t *read_secret = NULL;
+ uint8_t *write_secret = NULL;
++ size_t len;
++ const EVP_MD *md;
+ static const unsigned char zeros[EVP_MAX_MD_SIZE];
+
+ if (!SSL_IS_QUIC(ssl))
+@@ -202,21 +204,41 @@ int quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level)
+ default:
+ return 1;
+ }
++
++ md = ssl_handshake_md(ssl);
++ if (md == NULL) {
++ /* May not have selected cipher, yet */
++ const SSL_CIPHER *c = NULL;
++
++ if (ssl->session != NULL)
++ c = SSL_SESSION_get0_cipher(ssl->session);
++ else if (ssl->psksession != NULL)
++ c = SSL_SESSION_get0_cipher(ssl->psksession);
++
++ if (c != NULL)
++ md = SSL_CIPHER_get_handshake_digest(c);
++ }
++
++ if ((len = EVP_MD_size(md)) <= 0) {
++ SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++
+ /* In some cases, we want to set the secret only when BOTH are non-zero */
+ if (read_secret != NULL && write_secret != NULL
+- && !memcmp(read_secret, zeros, ssl->quic_len)
+- && !memcmp(write_secret, zeros, ssl->quic_len))
++ && !memcmp(read_secret, zeros, len)
++ && !memcmp(write_secret, zeros, len))
+ return 1;
+
+ if (ssl->server) {
+ if (!ssl->quic_method->set_encryption_secrets(ssl, level, read_secret,
+- write_secret, ssl->quic_len)) {
++ write_secret, len)) {
+ SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ } else {
+ if (!ssl->quic_method->set_encryption_secrets(ssl, level, write_secret,
+- read_secret, ssl->quic_len)) {
++ read_secret, len)) {
+ SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
+index b828b509f4..d4fafc4339 100644
+--- a/ssl/tls13_enc.c
++++ b/ssl/tls13_enc.c
+@@ -532,9 +532,6 @@ int tls13_change_cipher_state(SSL *s, int which)
+ goto err;
+ }
+ hashlen = hashlenui;
+-#ifndef OPENSSL_NO_QUIC
+- s->quic_len = hashlen;
+-#endif
+ EVP_MD_CTX_free(mdctx);
+
+ if (!tls13_hkdf_expand(s, md, insecret,
+--
+2.42.0
+
diff --git a/0003-QUIC-Make-temp-secret-names-less-confusing.patch b/0003-QUIC-Make-temp-secret-names-less-confusing.patch
new file mode 100644
index 0000000..fc7e7e2
--- /dev/null
+++ b/0003-QUIC-Make-temp-secret-names-less-confusing.patch
@@ -0,0 +1,76 @@
+From 0cf2cb7616be1c1133b7724f6972434d39a719a9 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Thu, 15 Aug 2019 11:13:15 -0400
+Subject: [PATCH 03/63] QUIC: Make temp secret names less confusing
+
+---
+ ssl/ssl_quic.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/ssl/ssl_quic.c b/ssl/ssl_quic.c
+index 46cca0b4db..6ba8f56952 100644
+--- a/ssl/ssl_quic.c
++++ b/ssl/ssl_quic.c
+@@ -179,8 +179,8 @@ int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method)
+
+ int quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level)
+ {
+- uint8_t *read_secret = NULL;
+- uint8_t *write_secret = NULL;
++ uint8_t *c2s_secret = NULL;
++ uint8_t *s2c_secret = NULL;
+ size_t len;
+ const EVP_MD *md;
+ static const unsigned char zeros[EVP_MAX_MD_SIZE];
+@@ -191,15 +191,15 @@ int quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level)
+ /* secrets from the POV of the client */
+ switch (level) {
+ case ssl_encryption_early_data:
+- write_secret = ssl->early_secret;
++ s2c_secret = ssl->early_secret;
+ break;
+ case ssl_encryption_handshake:
+- read_secret = ssl->client_finished_secret;
+- write_secret = ssl->server_finished_secret;
++ c2s_secret = ssl->client_finished_secret;
++ s2c_secret = ssl->server_finished_secret;
+ break;
+ case ssl_encryption_application:
+- read_secret = ssl->client_app_traffic_secret;
+- write_secret = ssl->server_app_traffic_secret;
++ c2s_secret = ssl->client_app_traffic_secret;
++ s2c_secret = ssl->server_app_traffic_secret;
+ break;
+ default:
+ return 1;
+@@ -225,20 +225,20 @@ int quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level)
+ }
+
+ /* In some cases, we want to set the secret only when BOTH are non-zero */
+- if (read_secret != NULL && write_secret != NULL
+- && !memcmp(read_secret, zeros, len)
+- && !memcmp(write_secret, zeros, len))
++ if (c2s_secret != NULL && s2c_secret != NULL
++ && !memcmp(c2s_secret, zeros, len)
++ && !memcmp(s2c_secret, zeros, len))
+ return 1;
+
+ if (ssl->server) {
+- if (!ssl->quic_method->set_encryption_secrets(ssl, level, read_secret,
+- write_secret, len)) {
++ if (!ssl->quic_method->set_encryption_secrets(ssl, level, c2s_secret,
++ s2c_secret, len)) {
+ SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ } else {
+- if (!ssl->quic_method->set_encryption_secrets(ssl, level, write_secret,
+- read_secret, len)) {
++ if (!ssl->quic_method->set_encryption_secrets(ssl, level, s2c_secret,
++ c2s_secret, len)) {
+ SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+--
+2.42.0
+
diff --git a/0004-QUIC-Move-QUIC-transport-params-to-encrypted-extensi.patch b/0004-QUIC-Move-QUIC-transport-params-to-encrypted-extensi.patch
new file mode 100644
index 0000000..273fbad
--- /dev/null
+++ b/0004-QUIC-Move-QUIC-transport-params-to-encrypted-extensi.patch
@@ -0,0 +1,26 @@
+From 796c5cd87644b07d7bd079388cc6495b2731b266 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Thu, 15 Aug 2019 11:35:10 -0400
+Subject: [PATCH 04/63] QUIC: Move QUIC transport params to encrypted
+ extensions
+
+---
+ ssl/statem/extensions.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
+index d8fa8e6913..548772be6d 100644
+--- a/ssl/statem/extensions.c
++++ b/ssl/statem/extensions.c
+@@ -376,7 +376,7 @@ static const EXTENSION_DEFINITION ext_defs[] = {
+ #ifndef OPENSSL_NO_QUIC
+ {
+ TLSEXT_TYPE_quic_transport_parameters,
+- SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
++ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
+ | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
+ init_quic_transport_params,
+ tls_parse_ctos_quic_transport_params, tls_parse_stoc_quic_transport_params,
+--
+2.42.0
+
diff --git a/0005-QUIC-Use-proper-secrets-for-handshake.patch b/0005-QUIC-Use-proper-secrets-for-handshake.patch
new file mode 100644
index 0000000..34ca0d0
--- /dev/null
+++ b/0005-QUIC-Use-proper-secrets-for-handshake.patch
@@ -0,0 +1,59 @@
+From 9e02139ca1b6aa2e644cc9b5214f058019c156e1 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Thu, 15 Aug 2019 12:37:03 -0400
+Subject: [PATCH 05/63] QUIC: Use proper secrets for handshake
+
+---
+ ssl/ssl_local.h | 2 ++
+ ssl/ssl_quic.c | 4 ++--
+ ssl/tls13_enc.c | 6 ++++++
+ 3 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
+index 725ba1cdc5..17f8aed1e3 100644
+--- a/ssl/ssl_local.h
++++ b/ssl/ssl_local.h
+@@ -1490,6 +1490,8 @@ struct ssl_st {
+ unsigned char handshake_traffic_hash[EVP_MAX_MD_SIZE];
+ unsigned char client_app_traffic_secret[EVP_MAX_MD_SIZE];
+ unsigned char server_app_traffic_secret[EVP_MAX_MD_SIZE];
++ unsigned char client_hand_traffic_secret[EVP_MAX_MD_SIZE];
++ unsigned char server_hand_traffic_secret[EVP_MAX_MD_SIZE];
+ unsigned char exporter_master_secret[EVP_MAX_MD_SIZE];
+ unsigned char early_exporter_master_secret[EVP_MAX_MD_SIZE];
+ EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */
+diff --git a/ssl/ssl_quic.c b/ssl/ssl_quic.c
+index 6ba8f56952..7ece8af9bb 100644
+--- a/ssl/ssl_quic.c
++++ b/ssl/ssl_quic.c
+@@ -194,8 +194,8 @@ int quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level)
+ s2c_secret = ssl->early_secret;
+ break;
+ case ssl_encryption_handshake:
+- c2s_secret = ssl->client_finished_secret;
+- s2c_secret = ssl->server_finished_secret;
++ c2s_secret = ssl->client_hand_traffic_secret;
++ s2c_secret = ssl->server_hand_traffic_secret;
+ break;
+ case ssl_encryption_application:
+ c2s_secret = ssl->client_app_traffic_secret;
+diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
+index d4fafc4339..68b6573fd1 100644
+--- a/ssl/tls13_enc.c
++++ b/ssl/tls13_enc.c
+@@ -705,6 +705,12 @@ int tls13_change_cipher_state(SSL *s, int which)
+ }
+ } else if (label == client_application_traffic)
+ memcpy(s->client_app_traffic_secret, secret, hashlen);
++#ifndef OPENSSL_NO_QUIC
++ else if (label == client_handshake_traffic)
++ memcpy(s->client_hand_traffic_secret, secret, hashlen);
++ else if (label == server_handshake_traffic)
++ memcpy(s->server_hand_traffic_secret, secret, hashlen);
++#endif
+
+ if (!ssl_log_secret(s, log_label, secret, hashlen)) {
+ /* SSLfatal() already called */
+--
+2.42.0
+
diff --git a/0006-QUIC-Handle-partial-handshake-messages.patch b/0006-QUIC-Handle-partial-handshake-messages.patch
new file mode 100644
index 0000000..3937e10
--- /dev/null
+++ b/0006-QUIC-Handle-partial-handshake-messages.patch
@@ -0,0 +1,74 @@
+From 25e71126baa0a061f11bf5365a888c18c92d5b1a Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Thu, 15 Aug 2019 13:26:32 -0400
+Subject: [PATCH 06/63] QUIC: Handle partial handshake messages
+
+---
+ ssl/ssl_local.h | 1 +
+ ssl/ssl_quic.c | 28 ++++++++++++++++++++++------
+ 2 files changed, 23 insertions(+), 6 deletions(-)
+
+diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
+index 17f8aed1e3..b3d0046f09 100644
+--- a/ssl/ssl_local.h
++++ b/ssl/ssl_local.h
+@@ -1225,6 +1225,7 @@ typedef struct cert_pkey_st CERT_PKEY;
+ struct quic_data_st {
+ struct quic_data_st *next;
+ OSSL_ENCRYPTION_LEVEL level;
++ size_t offset;
+ size_t length;
+ };
+ typedef struct quic_data_st QUIC_DATA;
+diff --git a/ssl/ssl_quic.c b/ssl/ssl_quic.c
+index 7ece8af9bb..0959bcf2cf 100644
+--- a/ssl/ssl_quic.c
++++ b/ssl/ssl_quic.c
+@@ -114,15 +114,26 @@ int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+ QUIC_DATA *qd;
+ const uint8_t *p = data + 1;
+
++ /* Check for an incomplete block */
++ qd = ssl->quic_input_data_tail;
++ if (qd != NULL) {
++ l = qd->length - qd->offset;
++ if (l != 0) {
++ /* we still need to copy `l` bytes into the last data block */
++ if (l > len)
++ l = len;
++ memcpy((char*)(qd+1) + qd->offset, data, l);
++ qd->offset += l;
++ len -= l;
++ data += l;
++ continue;
++ }
++ }
++
+ n2l3(p, l);
+ l += SSL3_HM_HEADER_LENGTH;
+
+- if (l > len) {
+- SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, SSL_R_BAD_DATA_LENGTH);
+- return 0;
+- }
+-
+- qd = OPENSSL_malloc(sizeof(QUIC_DATA) + l);
++ qd = OPENSSL_zalloc(sizeof(QUIC_DATA) + l);
+ if (qd == NULL) {
+ SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, ERR_R_INTERNAL_ERROR);
+ return 0;
+@@ -131,6 +142,11 @@ int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+ qd->next = NULL;
+ qd->length = l;
+ qd->level = level;
++ /* partial data received? */
++ if (l > len)
++ l = len;
++ qd->offset = l;
++
+ memcpy((void*)(qd + 1), data, l);
+ if (ssl->quic_input_data_tail != NULL)
+ ssl->quic_input_data_tail->next = qd;
+--
+2.42.0
+
diff --git a/0007-QUIC-Fix-duplicate-word-in-docs.patch b/0007-QUIC-Fix-duplicate-word-in-docs.patch
new file mode 100644
index 0000000..409377e
--- /dev/null
+++ b/0007-QUIC-Fix-duplicate-word-in-docs.patch
@@ -0,0 +1,25 @@
+From b3b6db9ea45d45ccf064c06fe20f876844f6ef83 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Mon, 26 Aug 2019 13:14:19 -0400
+Subject: [PATCH 07/63] QUIC: Fix duplicate word in docs
+
+---
+ doc/man3/SSL_CTX_set_quic_method.pod | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/man3/SSL_CTX_set_quic_method.pod b/doc/man3/SSL_CTX_set_quic_method.pod
+index d938eb4e30..60bf704944 100644
+--- a/doc/man3/SSL_CTX_set_quic_method.pod
++++ b/doc/man3/SSL_CTX_set_quic_method.pod
+@@ -59,7 +59,7 @@ containing the TransportParameters will be put in B<*out_params>, and its
+ length in B<*out_params_len>. This buffer will be valid for the lifetime of the
+ B<ssl>. If no params were received from the peer, B<*out_params_len> will be 0.
+
+-SSL_quic_max_handshake_flight_len() returns returns the maximum number of bytes
++SSL_quic_max_handshake_flight_len() returns the maximum number of bytes
+ that may be received at the given encryption level. This function should be
+ used to limit buffering in the QUIC implementation.
+
+--
+2.42.0
+
diff --git a/0008-QUIC-Fix-quic_transport-constructors-parsers.patch b/0008-QUIC-Fix-quic_transport-constructors-parsers.patch
new file mode 100644
index 0000000..2f4c381
--- /dev/null
+++ b/0008-QUIC-Fix-quic_transport-constructors-parsers.patch
@@ -0,0 +1,89 @@
+From 70010beb14597a438e1a633df18990aa176687a7 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Mon, 26 Aug 2019 13:29:17 -0400
+Subject: [PATCH 08/63] QUIC: Fix quic_transport constructors/parsers
+
+---
+ ssl/statem/extensions_clnt.c | 16 +++-------------
+ ssl/statem/extensions_srvr.c | 16 +++-------------
+ 2 files changed, 6 insertions(+), 26 deletions(-)
+
+diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
+index 52742dc36a..3ae28e68dc 100644
+--- a/ssl/statem/extensions_clnt.c
++++ b/ssl/statem/extensions_clnt.c
+@@ -1208,10 +1208,8 @@ EXT_RETURN tls_construct_ctos_quic_transport_params(SSL *s, WPACKET *pkt,
+ }
+
+ if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_quic_transport_parameters)
+- || !WPACKET_start_sub_packet_u16(pkt)
+- || !WPACKET_sub_memcpy_u16(pkt, s->ext.quic_transport_params,
+- s->ext.quic_transport_params_len)
+- || !WPACKET_close(pkt)) {
++ || !WPACKET_sub_memcpy_u16(pkt, s->ext.quic_transport_params,
++ s->ext.quic_transport_params_len)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return EXT_RETURN_FAIL;
+ }
+@@ -2008,19 +2006,11 @@ int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ int tls_parse_stoc_quic_transport_params(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+ {
+- PACKET trans_param;
+-
+- if (!PACKET_as_length_prefixed_2(pkt, &trans_param)
+- || PACKET_remaining(&trans_param) == 0) {
+- SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
+- return 0;
+- }
+-
+ OPENSSL_free(s->ext.peer_quic_transport_params);
+ s->ext.peer_quic_transport_params = NULL;
+ s->ext.peer_quic_transport_params_len = 0;
+
+- if (!PACKET_memdup(&trans_param,
++ if (!PACKET_memdup(pkt,
+ &s->ext.peer_quic_transport_params,
+ &s->ext.peer_quic_transport_params_len)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
+index 929e272cd9..2fad8f3788 100644
+--- a/ssl/statem/extensions_srvr.c
++++ b/ssl/statem/extensions_srvr.c
+@@ -1237,19 +1237,11 @@ int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt,
+ int tls_parse_ctos_quic_transport_params(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+ {
+- PACKET trans_param;
+-
+- if (!PACKET_as_length_prefixed_2(pkt, &trans_param)
+- || PACKET_remaining(&trans_param) == 0) {
+- SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
+- return 0;
+- }
+-
+ OPENSSL_free(s->ext.peer_quic_transport_params);
+ s->ext.peer_quic_transport_params = NULL;
+ s->ext.peer_quic_transport_params_len = 0;
+
+- if (!PACKET_memdup(&trans_param,
++ if (!PACKET_memdup(pkt,
+ &s->ext.peer_quic_transport_params,
+ &s->ext.peer_quic_transport_params_len)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+@@ -1954,10 +1946,8 @@ EXT_RETURN tls_construct_stoc_quic_transport_params(SSL *s, WPACKET *pkt,
+ }
+
+ if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_quic_transport_parameters)
+- || !WPACKET_start_sub_packet_u16(pkt)
+- || !WPACKET_sub_memcpy_u16(pkt, s->ext.quic_transport_params,
+- s->ext.quic_transport_params_len)
+- || !WPACKET_close(pkt)) {
++ || !WPACKET_sub_memcpy_u16(pkt, s->ext.quic_transport_params,
++ s->ext.quic_transport_params_len)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return EXT_RETURN_FAIL;
+ }
+--
+2.42.0
+
diff --git a/0009-QUIC-Reset-init-state-in-SSL_process_quic_post_hands.patch b/0009-QUIC-Reset-init-state-in-SSL_process_quic_post_hands.patch
new file mode 100644
index 0000000..523626d
--- /dev/null
+++ b/0009-QUIC-Reset-init-state-in-SSL_process_quic_post_hands.patch
@@ -0,0 +1,39 @@
+From 3e46358deb409f4d288fb28c03a287c9fec67f7d Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Thu, 29 Aug 2019 11:53:41 -0400
+Subject: [PATCH 09/63] QUIC: Reset init state in
+ SSL_process_quic_post_handshake()
+
+---
+ ssl/ssl_quic.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/ssl/ssl_quic.c b/ssl/ssl_quic.c
+index 0959bcf2cf..ad6696d964 100644
+--- a/ssl/ssl_quic.c
++++ b/ssl/ssl_quic.c
+@@ -265,16 +265,19 @@ int quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level)
+
+ int SSL_process_quic_post_handshake(SSL *ssl)
+ {
++ int ret;
++
+ if (SSL_in_init(ssl) || !SSL_IS_QUIC(ssl)) {
+ SSLerr(SSL_F_SSL_PROCESS_QUIC_POST_HANDSHAKE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return 0;
+ }
+
+ ossl_statem_set_in_init(ssl, 1);
++ ret = ssl->handshake_func(ssl);
++ ossl_statem_set_in_init(ssl, 0);
+
+- if (ssl->handshake_func(ssl) <= 0)
++ if (ret <= 0)
+ return 0;
+-
+ return 1;
+ }
+
+--
+2.42.0
+
diff --git a/0010-QUIC-Don-t-process-an-incomplete-message.patch b/0010-QUIC-Don-t-process-an-incomplete-message.patch
new file mode 100644
index 0000000..716b875
--- /dev/null
+++ b/0010-QUIC-Don-t-process-an-incomplete-message.patch
@@ -0,0 +1,51 @@
+From b665dee2afa9aced43334310bb88ec80d35b4960 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Thu, 29 Aug 2019 12:03:48 -0400
+Subject: [PATCH 10/63] QUIC: Don't process an incomplete message
+
+---
+ ssl/statem/statem_quic.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/ssl/statem/statem_quic.c b/ssl/statem/statem_quic.c
+index 66acc30d6d..982a9a6292 100644
+--- a/ssl/statem/statem_quic.c
++++ b/ssl/statem/statem_quic.c
+@@ -18,30 +18,29 @@ NON_EMPTY_TRANSLATION_UNIT
+ int quic_get_message(SSL *s, int *mt, size_t *len)
+ {
+ size_t l;
+- QUIC_DATA *qd;
++ QUIC_DATA *qd = s->quic_input_data_head;
+ uint8_t *p;
+
+- if (s->quic_input_data_head == NULL) {
++ if (qd == NULL || (qd->length - qd->offset) != 0) {
+ s->rwstate = SSL_READING;
+ *len = 0;
+ return 0;
+ }
+
+ /* This is where we check for the proper level, not when data is given */
+- if (s->quic_input_data_head->level != s->quic_read_level) {
++ if (qd->level != s->quic_read_level) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED);
+ *len = 0;
+ return 0;
+ }
+
+- if (!BUF_MEM_grow_clean(s->init_buf, (int)s->quic_input_data_head->length)) {
++ if (!BUF_MEM_grow_clean(s->init_buf, (int)qd->length)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB);
+ *len = 0;
+ return 0;
+ }
+
+ /* Copy buffered data */
+- qd = s->quic_input_data_head;
+ memcpy(s->init_buf->data, (void*)(qd + 1), qd->length);
+ s->init_buf->length = qd->length;
+ s->quic_input_data_head = qd->next;
+--
+2.42.0
+
diff --git a/0011-QUIC-Quick-fix-s2c-to-c2s-for-early-secret.patch b/0011-QUIC-Quick-fix-s2c-to-c2s-for-early-secret.patch
new file mode 100644
index 0000000..73b2c80
--- /dev/null
+++ b/0011-QUIC-Quick-fix-s2c-to-c2s-for-early-secret.patch
@@ -0,0 +1,25 @@
+From 81f5c892cc882c7fb26b246d13f92cca1d737131 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Thu, 29 Aug 2019 20:21:58 -0400
+Subject: [PATCH 11/63] QUIC: Quick fix: s2c to c2s for early secret
+
+---
+ ssl/ssl_quic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ssl/ssl_quic.c b/ssl/ssl_quic.c
+index ad6696d964..14827da88c 100644
+--- a/ssl/ssl_quic.c
++++ b/ssl/ssl_quic.c
+@@ -207,7 +207,7 @@ int quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level)
+ /* secrets from the POV of the client */
+ switch (level) {
+ case ssl_encryption_early_data:
+- s2c_secret = ssl->early_secret;
++ c2s_secret = ssl->early_secret;
+ break;
+ case ssl_encryption_handshake:
+ c2s_secret = ssl->client_hand_traffic_secret;
+--
+2.42.0
+
diff --git a/0012-QUIC-Add-client-early-traffic-secret-storage.patch b/0012-QUIC-Add-client-early-traffic-secret-storage.patch
new file mode 100644
index 0000000..c308790
--- /dev/null
+++ b/0012-QUIC-Add-client-early-traffic-secret-storage.patch
@@ -0,0 +1,52 @@
+From fedcc8ecf230a025ba4f314101a8a2ac83ca257c Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Fri, 30 Aug 2019 09:09:42 -0400
+Subject: [PATCH 12/63] QUIC: Add client early traffic secret storage
+
+---
+ ssl/ssl_local.h | 1 +
+ ssl/ssl_quic.c | 2 +-
+ ssl/tls13_enc.c | 2 ++
+ 3 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
+index b3d0046f09..b3fd00dbfd 100644
+--- a/ssl/ssl_local.h
++++ b/ssl/ssl_local.h
+@@ -1493,6 +1493,7 @@ struct ssl_st {
+ unsigned char server_app_traffic_secret[EVP_MAX_MD_SIZE];
+ unsigned char client_hand_traffic_secret[EVP_MAX_MD_SIZE];
+ unsigned char server_hand_traffic_secret[EVP_MAX_MD_SIZE];
++ unsigned char client_early_traffic_secret[EVP_MAX_MD_SIZE];
+ unsigned char exporter_master_secret[EVP_MAX_MD_SIZE];
+ unsigned char early_exporter_master_secret[EVP_MAX_MD_SIZE];
+ EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */
+diff --git a/ssl/ssl_quic.c b/ssl/ssl_quic.c
+index 14827da88c..0017d1eba9 100644
+--- a/ssl/ssl_quic.c
++++ b/ssl/ssl_quic.c
+@@ -207,7 +207,7 @@ int quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level)
+ /* secrets from the POV of the client */
+ switch (level) {
+ case ssl_encryption_early_data:
+- c2s_secret = ssl->early_secret;
++ c2s_secret = ssl->client_early_traffic_secret;
+ break;
+ case ssl_encryption_handshake:
+ c2s_secret = ssl->client_hand_traffic_secret;
+diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
+index 68b6573fd1..4d89eb314e 100644
+--- a/ssl/tls13_enc.c
++++ b/ssl/tls13_enc.c
+@@ -710,6 +710,8 @@ int tls13_change_cipher_state(SSL *s, int which)
+ memcpy(s->client_hand_traffic_secret, secret, hashlen);
+ else if (label == server_handshake_traffic)
+ memcpy(s->server_hand_traffic_secret, secret, hashlen);
++ else if (label == client_early_traffic)
++ memcpy(s->client_early_traffic_secret, secret, hashlen);
+ #endif
+
+ if (!ssl_log_secret(s, log_label, secret, hashlen)) {
+--
+2.42.0
+
diff --git a/0013-QUIC-Add-OPENSSL_NO_QUIC-wrapper.patch b/0013-QUIC-Add-OPENSSL_NO_QUIC-wrapper.patch
new file mode 100644
index 0000000..3a54397
--- /dev/null
+++ b/0013-QUIC-Add-OPENSSL_NO_QUIC-wrapper.patch
@@ -0,0 +1,28 @@
+From d86593e2dc6babf33f7e85bc66371cb4daf69229 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Fri, 30 Aug 2019 09:15:31 -0400
+Subject: [PATCH 13/63] QUIC: Add OPENSSL_NO_QUIC wrapper
+
+---
+ ssl/ssl_local.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
+index b3fd00dbfd..049d6448c9 100644
+--- a/ssl/ssl_local.h
++++ b/ssl/ssl_local.h
+@@ -1491,9 +1491,11 @@ struct ssl_st {
+ unsigned char handshake_traffic_hash[EVP_MAX_MD_SIZE];
+ unsigned char client_app_traffic_secret[EVP_MAX_MD_SIZE];
+ unsigned char server_app_traffic_secret[EVP_MAX_MD_SIZE];
++# ifndef OPENSSL_NO_QUIC
+ unsigned char client_hand_traffic_secret[EVP_MAX_MD_SIZE];
+ unsigned char server_hand_traffic_secret[EVP_MAX_MD_SIZE];
+ unsigned char client_early_traffic_secret[EVP_MAX_MD_SIZE];
++# endif
+ unsigned char exporter_master_secret[EVP_MAX_MD_SIZE];
+ unsigned char early_exporter_master_secret[EVP_MAX_MD_SIZE];
+ EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */
+--
+2.42.0
+
diff --git a/0014-QUIC-Correctly-disable-middlebox-compat.patch b/0014-QUIC-Correctly-disable-middlebox-compat.patch
new file mode 100644
index 0000000..f1126e4
--- /dev/null
+++ b/0014-QUIC-Correctly-disable-middlebox-compat.patch
@@ -0,0 +1,34 @@
+From 748c9fecbea033aa244c9f6b70053468f1f78db9 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Fri, 30 Aug 2019 09:47:48 -0400
+Subject: [PATCH 14/63] QUIC: Correctly disable middlebox compat
+
+---
+ ssl/ssl_quic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssl/ssl_quic.c b/ssl/ssl_quic.c
+index 0017d1eba9..a76c24eac6 100644
+--- a/ssl/ssl_quic.c
++++ b/ssl/ssl_quic.c
+@@ -173,7 +173,7 @@ int SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method)
+ break;
+ }
+ ctx->quic_method = quic_method;
+- ctx->options &= SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
++ ctx->options &= ~SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
+ return 1;
+ }
+
+@@ -189,7 +189,7 @@ int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method)
+ break;
+ }
+ ssl->quic_method = quic_method;
+- ssl->options &= SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
++ ssl->options &= ~SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
+ return 1;
+ }
+
+--
+2.42.0
+
diff --git a/0015-QUIC-Move-QUIC-code-out-of-tls13_change_cipher_state.patch b/0015-QUIC-Move-QUIC-code-out-of-tls13_change_cipher_state.patch
new file mode 100644
index 0000000..bc8b8a5
--- /dev/null
+++ b/0015-QUIC-Move-QUIC-code-out-of-tls13_change_cipher_state.patch
@@ -0,0 +1,332 @@
+From c0e8778136a689d8d11aec0f061ca6a1d37550b6 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Fri, 30 Aug 2019 11:17:58 -0400
+Subject: [PATCH 15/63] QUIC: Move QUIC code out of tls13_change_cipher_state()
+
+Create quic_change_cipher_state() that does the minimal required
+to generate the QUIC secrets. (e.g. encryption contexts are not
+initialized).
+---
+ ssl/ssl_quic.c | 7 --
+ ssl/tls13_enc.c | 216 +++++++++++++++++++++++++++++++-----------------
+ 2 files changed, 139 insertions(+), 84 deletions(-)
+
+diff --git a/ssl/ssl_quic.c b/ssl/ssl_quic.c
+index a76c24eac6..670deea5ab 100644
+--- a/ssl/ssl_quic.c
++++ b/ssl/ssl_quic.c
+@@ -199,7 +199,6 @@ int quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level)
+ uint8_t *s2c_secret = NULL;
+ size_t len;
+ const EVP_MD *md;
+- static const unsigned char zeros[EVP_MAX_MD_SIZE];
+
+ if (!SSL_IS_QUIC(ssl))
+ return 1;
+@@ -240,12 +239,6 @@ int quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level)
+ return 0;
+ }
+
+- /* In some cases, we want to set the secret only when BOTH are non-zero */
+- if (c2s_secret != NULL && s2c_secret != NULL
+- && !memcmp(c2s_secret, zeros, len)
+- && !memcmp(s2c_secret, zeros, len))
+- return 1;
+-
+ if (ssl->server) {
+ if (!ssl->quic_method->set_encryption_secrets(ssl, level, c2s_secret,
+ s2c_secret, len)) {
+diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
+index 4d89eb314e..1f7b27d4f4 100644
+--- a/ssl/tls13_enc.c
++++ b/ssl/tls13_enc.c
+@@ -385,24 +385,144 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
+ return 1;
+ }
+
++#ifdef CHARSET_EBCDIC
++static const unsigned char client_early_traffic[] = {0x63, 0x20, 0x65, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
++static const unsigned char client_handshake_traffic[] = {0x63, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
++static const unsigned char client_application_traffic[] = {0x63, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
++static const unsigned char server_handshake_traffic[] = {0x73, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
++static const unsigned char server_application_traffic[] = {0x73, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
++static const unsigned char exporter_master_secret[] = {0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00};
++static const unsigned char resumption_master_secret[] = {0x72, 0x65, 0x73, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00};
++static const unsigned char early_exporter_master_secret[] = {0x65, 0x20, 0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00};
++#else
++static const unsigned char client_early_traffic[] = "c e traffic";
++static const unsigned char client_handshake_traffic[] = "c hs traffic";
++static const unsigned char client_application_traffic[] = "c ap traffic";
++static const unsigned char server_handshake_traffic[] = "s hs traffic";
++static const unsigned char server_application_traffic[] = "s ap traffic";
++static const unsigned char exporter_master_secret[] = "exp master";
++static const unsigned char resumption_master_secret[] = "res master";
++static const unsigned char early_exporter_master_secret[] = "e exp master";
++#endif
++#ifndef OPENSSL_NO_QUIC
++static int quic_change_cipher_state(SSL *s, int which)
++{
++ unsigned char hash[EVP_MAX_MD_SIZE];
++ size_t hashlen = 0;
++ int hashleni;
++ int ret = 0;
++ const EVP_MD *md = NULL;
++ OSSL_ENCRYPTION_LEVEL level = ssl_encryption_initial;
++ int is_handshake = ((which & SSL3_CC_HANDSHAKE) == SSL3_CC_HANDSHAKE);
++ int is_client_read = ((which & SSL3_CHANGE_CIPHER_CLIENT_READ) == SSL3_CHANGE_CIPHER_CLIENT_READ);
++ int is_server_write = ((which & SSL3_CHANGE_CIPHER_SERVER_WRITE) == SSL3_CHANGE_CIPHER_SERVER_WRITE);
++ int is_early = (which & SSL3_CC_EARLY);
++
++ md = ssl_handshake_md(s);
++ if (!ssl3_digest_cached_records(s, 1)
++ || !ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) {
++ /* SSLfatal() already called */;
++ goto err;
++ }
++
++ /* Ensure cast to size_t is safe */
++ hashleni = EVP_MD_size(md);
++ if (!ossl_assert(hashleni >= 0)) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
++ goto err;
++ }
++ hashlen = (size_t)hashleni;
++
++ if (is_handshake)
++ level = ssl_encryption_handshake;
++ else
++ level = ssl_encryption_application;
++
++ if (is_client_read || is_server_write) {
++ if (is_handshake) {
++ level = ssl_encryption_handshake;
++
++ if (!tls13_hkdf_expand(s, md, s->handshake_secret, client_handshake_traffic,
++ sizeof(client_handshake_traffic)-1, hash, hashlen,
++ s->client_hand_traffic_secret, hashlen, 1)) {
++ /* SSLfatal() already called */
++ goto err;
++ }
++ if (!ssl_log_secret(s, CLIENT_HANDSHAKE_LABEL, s->client_hand_traffic_secret, hashlen)) {
++ /* SSLfatal() already called */
++ goto err;
++ }
++
++ if (!tls13_hkdf_expand(s, md, s->handshake_secret, server_handshake_traffic,
++ sizeof(server_handshake_traffic)-1, hash, hashlen,
++ s->server_hand_traffic_secret, hashlen, 1)) {
++ /* SSLfatal() already called */
++ goto err;
++ }
++ if (!ssl_log_secret(s, SERVER_HANDSHAKE_LABEL, s->server_hand_traffic_secret, hashlen)) {
++ /* SSLfatal() already called */
++ goto err;
++ }
++ } else {
++ level = ssl_encryption_application;
++
++ if (!tls13_hkdf_expand(s, md, s->master_secret, client_application_traffic,
++ sizeof(client_application_traffic)-1, hash, hashlen,
++ s->client_app_traffic_secret, hashlen, 1)) {
++ /* SSLfatal() already called */
++ goto err;
++ }
++ if (!ssl_log_secret(s, CLIENT_APPLICATION_LABEL, s->client_app_traffic_secret, hashlen)) {
++ /* SSLfatal() already called */
++ goto err;
++ }
++
++ if (!tls13_hkdf_expand(s, md, s->master_secret, server_application_traffic,
++ sizeof(server_application_traffic)-1, hash, hashlen,
++ s->server_app_traffic_secret, hashlen, 1)) {
++ /* SSLfatal() already called */
++ goto err;
++ }
++ if (!ssl_log_secret(s, SERVER_APPLICATION_LABEL, s->server_app_traffic_secret, hashlen)) {
++ /* SSLfatal() already called */
++ goto err;
++ }
++ }
++ if (s->server)
++ s->quic_write_level = level;
++ else
++ s->quic_read_level = level;
++ } else {
++ if (is_early) {
++ level = ssl_encryption_early_data;
++
++ if (!tls13_hkdf_expand(s, md, s->early_secret, client_early_traffic,
++ sizeof(client_early_traffic)-1, hash, hashlen,
++ s->client_early_traffic_secret, hashlen, 1)) {
++ /* SSLfatal() already called */
++ goto err;
++ }
++ if (!ssl_log_secret(s, CLIENT_EARLY_LABEL, s->client_early_traffic_secret, hashlen)) {
++ /* SSLfatal() already called */
++ goto err;
++ }
++ }
++ if (s->server)
++ s->quic_read_level = level;
++ else
++ s->quic_write_level = level;
++ }
++
++ if (level != ssl_encryption_initial && !quic_set_encryption_secrets(s, level))
++ goto err;
++
++ ret = 1;
++ err:
++ return ret;
++}
++#endif /* OPENSSL_NO_QUIC */
+ int tls13_change_cipher_state(SSL *s, int which)
+ {
+- /* ASCII: "c e traffic", in hex for EBCDIC compatibility */
+- static const unsigned char client_early_traffic[] = "\x63\x20\x65\x20\x74\x72\x61\x66\x66\x69\x63";
+- /* ASCII: "c hs traffic", in hex for EBCDIC compatibility */
+- static const unsigned char client_handshake_traffic[] = "\x63\x20\x68\x73\x20\x74\x72\x61\x66\x66\x69\x63";
+- /* ASCII: "c ap traffic", in hex for EBCDIC compatibility */
+- static const unsigned char client_application_traffic[] = "\x63\x20\x61\x70\x20\x74\x72\x61\x66\x66\x69\x63";
+- /* ASCII: "s hs traffic", in hex for EBCDIC compatibility */
+- static const unsigned char server_handshake_traffic[] = "\x73\x20\x68\x73\x20\x74\x72\x61\x66\x66\x69\x63";
+- /* ASCII: "s ap traffic", in hex for EBCDIC compatibility */
+- static const unsigned char server_application_traffic[] = "\x73\x20\x61\x70\x20\x74\x72\x61\x66\x66\x69\x63";
+- /* ASCII: "exp master", in hex for EBCDIC compatibility */
+- static const unsigned char exporter_master_secret[] = "\x65\x78\x70\x20\x6D\x61\x73\x74\x65\x72";
+- /* ASCII: "res master", in hex for EBCDIC compatibility */
+- static const unsigned char resumption_master_secret[] = "\x72\x65\x73\x20\x6D\x61\x73\x74\x65\x72";
+- /* ASCII: "e exp master", in hex for EBCDIC compatibility */
+- static const unsigned char early_exporter_master_secret[] = "\x65\x20\x65\x78\x70\x20\x6D\x61\x73\x74\x65\x72";
+ unsigned char *iv;
+ unsigned char key[EVP_MAX_KEY_LENGTH];
+ unsigned char secret[EVP_MAX_MD_SIZE];
+@@ -422,8 +542,10 @@ int tls13_change_cipher_state(SSL *s, int which)
+ ktls_crypto_info_t crypto_info;
+ BIO *bio;
+ #endif
++
+ #ifndef OPENSSL_NO_QUIC
+- OSSL_ENCRYPTION_LEVEL level = ssl_encryption_initial;
++ if (SSL_IS_QUIC(s))
++ return quic_change_cipher_state(s, which);
+ #endif
+
+ if (which & SSL3_CC_READ) {
+@@ -470,9 +592,6 @@ int tls13_change_cipher_state(SSL *s, int which)
+ label = client_early_traffic;
+ labellen = sizeof(client_early_traffic) - 1;
+ log_label = CLIENT_EARLY_LABEL;
+-#ifndef OPENSSL_NO_QUIC
+- level = ssl_encryption_early_data;
+-#endif
+
+ handlen = BIO_get_mem_data(s->s3.handshake_buffer, &hdata);
+ if (handlen <= 0) {
+@@ -549,14 +668,6 @@ int tls13_change_cipher_state(SSL *s, int which)
+ /* SSLfatal() already called */
+ goto err;
+ }
+-#ifndef OPENSSL_NO_QUIC
+- if (SSL_IS_QUIC(s)) {
+- if (s->server)
+- s->quic_read_level = ssl_encryption_early_data;
+- else
+- s->quic_write_level = ssl_encryption_early_data;
+- }
+-#endif
+ } else if (which & SSL3_CC_HANDSHAKE) {
+ insecret = s->handshake_secret;
+ finsecret = s->client_finished_secret;
+@@ -564,15 +675,6 @@ int tls13_change_cipher_state(SSL *s, int which)
+ label = client_handshake_traffic;
+ labellen = sizeof(client_handshake_traffic) - 1;
+ log_label = CLIENT_HANDSHAKE_LABEL;
+-#ifndef OPENSSL_NO_QUIC
+- if (SSL_IS_QUIC(s)) {
+- level = ssl_encryption_handshake;
+- if (s->server)
+- s->quic_read_level = ssl_encryption_handshake;
+- else
+- s->quic_write_level = ssl_encryption_handshake;
+- }
+-#endif
+ /*
+ * The handshake hash used for the server read/client write handshake
+ * traffic secret is the same as the hash for the server
+@@ -595,15 +697,6 @@ int tls13_change_cipher_state(SSL *s, int which)
+ * previously saved value.
+ */
+ hash = s->server_finished_hash;
+-#ifndef OPENSSL_NO_QUIC
+- if (SSL_IS_QUIC(s)) {
+- level = ssl_encryption_application; /* ??? */
+- if (s->server)
+- s->quic_read_level = ssl_encryption_application;
+- else
+- s->quic_write_level = ssl_encryption_application;
+- }
+-#endif
+ }
+ } else {
+ /* Early data never applies to client-read/server-write */
+@@ -614,29 +707,11 @@ int tls13_change_cipher_state(SSL *s, int which)
+ label = server_handshake_traffic;
+ labellen = sizeof(server_handshake_traffic) - 1;
+ log_label = SERVER_HANDSHAKE_LABEL;
+-#ifndef OPENSSL_NO_QUIC
+- if (SSL_IS_QUIC(s)) {
+- level = ssl_encryption_handshake;
+- if (s->server)
+- s->quic_write_level = ssl_encryption_handshake;
+- else
+- s->quic_read_level = ssl_encryption_handshake;
+- }
+-#endif
+ } else {
+ insecret = s->master_secret;
+ label = server_application_traffic;
+ labellen = sizeof(server_application_traffic) - 1;
+ log_label = SERVER_APPLICATION_LABEL;
+-#ifndef OPENSSL_NO_QUIC
+- if (SSL_IS_QUIC(s)) {
+- level = ssl_encryption_application;
+- if (s->server)
+- s->quic_write_level = ssl_encryption_application;
+- else
+- s->quic_read_level = ssl_encryption_application;
+- }
+-#endif
+ }
+ }
+
+@@ -705,14 +780,6 @@ int tls13_change_cipher_state(SSL *s, int which)
+ }
+ } else if (label == client_application_traffic)
+ memcpy(s->client_app_traffic_secret, secret, hashlen);
+-#ifndef OPENSSL_NO_QUIC
+- else if (label == client_handshake_traffic)
+- memcpy(s->client_hand_traffic_secret, secret, hashlen);
+- else if (label == server_handshake_traffic)
+- memcpy(s->server_hand_traffic_secret, secret, hashlen);
+- else if (label == client_early_traffic)
+- memcpy(s->client_early_traffic_secret, secret, hashlen);
+-#endif
+
+ if (!ssl_log_secret(s, log_label, secret, hashlen)) {
+ /* SSLfatal() already called */
+@@ -773,11 +840,6 @@ skip_ktls:
+ # endif
+ #endif
+
+-#ifndef OPENSSL_NO_QUIC
+- if (!quic_set_encryption_secrets(s, level))
+- goto err;
+-#endif
+-
+ ret = 1;
+ err:
+ if ((which & SSL3_CC_EARLY) != 0) {
+--
+2.42.0
+
diff --git a/0016-QUIC-Tweeks-to-quic_change_cipher_state.patch b/0016-QUIC-Tweeks-to-quic_change_cipher_state.patch
new file mode 100644
index 0000000..55c85ea
--- /dev/null
+++ b/0016-QUIC-Tweeks-to-quic_change_cipher_state.patch
@@ -0,0 +1,126 @@
+From fd4b090efe5e7034742d2a326de313b2f7cedf28 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Fri, 30 Aug 2019 11:38:56 -0400
+Subject: [PATCH 16/63] QUIC: Tweeks to quic_change_cipher_state()
+
+---
+ ssl/tls13_enc.c | 69 +++++++++++++++++--------------------------------
+ 1 file changed, 24 insertions(+), 45 deletions(-)
+
+diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
+index 1f7b27d4f4..5e472044b0 100644
+--- a/ssl/tls13_enc.c
++++ b/ssl/tls13_enc.c
+@@ -433,33 +433,18 @@ static int quic_change_cipher_state(SSL *s, int which)
+ }
+ hashlen = (size_t)hashleni;
+
+- if (is_handshake)
+- level = ssl_encryption_handshake;
+- else
+- level = ssl_encryption_application;
+-
+ if (is_client_read || is_server_write) {
+ if (is_handshake) {
+ level = ssl_encryption_handshake;
+
+ if (!tls13_hkdf_expand(s, md, s->handshake_secret, client_handshake_traffic,
+ sizeof(client_handshake_traffic)-1, hash, hashlen,
+- s->client_hand_traffic_secret, hashlen, 1)) {
+- /* SSLfatal() already called */
+- goto err;
+- }
+- if (!ssl_log_secret(s, CLIENT_HANDSHAKE_LABEL, s->client_hand_traffic_secret, hashlen)) {
+- /* SSLfatal() already called */
+- goto err;
+- }
+-
+- if (!tls13_hkdf_expand(s, md, s->handshake_secret, server_handshake_traffic,
+- sizeof(server_handshake_traffic)-1, hash, hashlen,
+- s->server_hand_traffic_secret, hashlen, 1)) {
+- /* SSLfatal() already called */
+- goto err;
+- }
+- if (!ssl_log_secret(s, SERVER_HANDSHAKE_LABEL, s->server_hand_traffic_secret, hashlen)) {
++ s->client_hand_traffic_secret, hashlen, 1)
++ || !ssl_log_secret(s, CLIENT_HANDSHAKE_LABEL, s->client_hand_traffic_secret, hashlen)
++ || !tls13_hkdf_expand(s, md, s->handshake_secret, server_handshake_traffic,
++ sizeof(server_handshake_traffic)-1, hash, hashlen,
++ s->server_hand_traffic_secret, hashlen, 1)
++ || !ssl_log_secret(s, SERVER_HANDSHAKE_LABEL, s->server_hand_traffic_secret, hashlen)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
+@@ -468,26 +453,20 @@ static int quic_change_cipher_state(SSL *s, int which)
+
+ if (!tls13_hkdf_expand(s, md, s->master_secret, client_application_traffic,
+ sizeof(client_application_traffic)-1, hash, hashlen,
+- s->client_app_traffic_secret, hashlen, 1)) {
+- /* SSLfatal() already called */
+- goto err;
+- }
+- if (!ssl_log_secret(s, CLIENT_APPLICATION_LABEL, s->client_app_traffic_secret, hashlen)) {
+- /* SSLfatal() already called */
+- goto err;
+- }
+-
+- if (!tls13_hkdf_expand(s, md, s->master_secret, server_application_traffic,
+- sizeof(server_application_traffic)-1, hash, hashlen,
+- s->server_app_traffic_secret, hashlen, 1)) {
+- /* SSLfatal() already called */
+- goto err;
+- }
+- if (!ssl_log_secret(s, SERVER_APPLICATION_LABEL, s->server_app_traffic_secret, hashlen)) {
++ s->client_app_traffic_secret, hashlen, 1)
++ || !ssl_log_secret(s, CLIENT_APPLICATION_LABEL, s->client_app_traffic_secret, hashlen)
++ || !tls13_hkdf_expand(s, md, s->master_secret, server_application_traffic,
++ sizeof(server_application_traffic)-1, hash, hashlen,
++ s->server_app_traffic_secret, hashlen, 1)
++ || !ssl_log_secret(s, SERVER_APPLICATION_LABEL, s->server_app_traffic_secret, hashlen)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
+ }
++ if (!quic_set_encryption_secrets(s, level)) {
++ /* SSLfatal() already called */
++ goto err;
++ }
+ if (s->server)
+ s->quic_write_level = level;
+ else
+@@ -498,24 +477,24 @@ static int quic_change_cipher_state(SSL *s, int which)
+
+ if (!tls13_hkdf_expand(s, md, s->early_secret, client_early_traffic,
+ sizeof(client_early_traffic)-1, hash, hashlen,
+- s->client_early_traffic_secret, hashlen, 1)) {
+- /* SSLfatal() already called */
+- goto err;
+- }
+- if (!ssl_log_secret(s, CLIENT_EARLY_LABEL, s->client_early_traffic_secret, hashlen)) {
++ s->client_early_traffic_secret, hashlen, 1)
++ || !ssl_log_secret(s, CLIENT_EARLY_LABEL, s->client_early_traffic_secret, hashlen)
++ || !quic_set_encryption_secrets(s, level)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
++ } else if (is_handshake) {
++ level = ssl_encryption_handshake;
++ } else {
++ level = ssl_encryption_application;
+ }
++
+ if (s->server)
+ s->quic_read_level = level;
+ else
+ s->quic_write_level = level;
+ }
+
+- if (level != ssl_encryption_initial && !quic_set_encryption_secrets(s, level))
+- goto err;
+-
+ ret = 1;
+ err:
+ return ret;
+--
+2.42.0
+
diff --git a/0017-QUIC-Add-support-for-more-secrets.patch b/0017-QUIC-Add-support-for-more-secrets.patch
new file mode 100644
index 0000000..850a111
--- /dev/null
+++ b/0017-QUIC-Add-support-for-more-secrets.patch
@@ -0,0 +1,44 @@
+From 6dbbc1e4d8edda90261e160da0e7633eab89e569 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Tue, 24 Sep 2019 10:26:42 -0400
+Subject: [PATCH 17/63] QUIC: Add support for more secrets
+
+---
+ ssl/tls13_enc.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
+index 5e472044b0..487365627a 100644
+--- a/ssl/tls13_enc.c
++++ b/ssl/tls13_enc.c
+@@ -441,10 +441,14 @@ static int quic_change_cipher_state(SSL *s, int which)
+ sizeof(client_handshake_traffic)-1, hash, hashlen,
+ s->client_hand_traffic_secret, hashlen, 1)
+ || !ssl_log_secret(s, CLIENT_HANDSHAKE_LABEL, s->client_hand_traffic_secret, hashlen)
++ || !tls13_derive_finishedkey(s, md, s->client_hand_traffic_secret,
++ s->client_finished_secret, hashlen)
+ || !tls13_hkdf_expand(s, md, s->handshake_secret, server_handshake_traffic,
+ sizeof(server_handshake_traffic)-1, hash, hashlen,
+ s->server_hand_traffic_secret, hashlen, 1)
+- || !ssl_log_secret(s, SERVER_HANDSHAKE_LABEL, s->server_hand_traffic_secret, hashlen)) {
++ || !ssl_log_secret(s, SERVER_HANDSHAKE_LABEL, s->server_hand_traffic_secret, hashlen)
++ || !tls13_derive_finishedkey(s, md, s->server_hand_traffic_secret,
++ s->server_finished_secret, hashlen)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
+@@ -458,7 +462,10 @@ static int quic_change_cipher_state(SSL *s, int which)
+ || !tls13_hkdf_expand(s, md, s->master_secret, server_application_traffic,
+ sizeof(server_application_traffic)-1, hash, hashlen,
+ s->server_app_traffic_secret, hashlen, 1)
+- || !ssl_log_secret(s, SERVER_APPLICATION_LABEL, s->server_app_traffic_secret, hashlen)) {
++ || !ssl_log_secret(s, SERVER_APPLICATION_LABEL, s->server_app_traffic_secret, hashlen)
++ || !tls13_hkdf_expand(s, md, s->master_secret, resumption_master_secret,
++ sizeof(resumption_master_secret)-1, hash, hashlen,
++ s->resumption_master_secret, hashlen, 1)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
+--
+2.42.0
+
diff --git a/0018-QUIC-Fix-resumption-secret.patch b/0018-QUIC-Fix-resumption-secret.patch
new file mode 100644
index 0000000..d062d88
--- /dev/null
+++ b/0018-QUIC-Fix-resumption-secret.patch
@@ -0,0 +1,54 @@
+From 5b4537798713524910ecad330e9b7ce659b50a98 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Tue, 12 Nov 2019 13:52:35 -0500
+Subject: [PATCH 18/63] QUIC: Fix resumption secret
+
+---
+ ssl/tls13_enc.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
+index 487365627a..a5b674d04b 100644
+--- a/ssl/tls13_enc.c
++++ b/ssl/tls13_enc.c
+@@ -462,10 +462,7 @@ static int quic_change_cipher_state(SSL *s, int which)
+ || !tls13_hkdf_expand(s, md, s->master_secret, server_application_traffic,
+ sizeof(server_application_traffic)-1, hash, hashlen,
+ s->server_app_traffic_secret, hashlen, 1)
+- || !ssl_log_secret(s, SERVER_APPLICATION_LABEL, s->server_app_traffic_secret, hashlen)
+- || !tls13_hkdf_expand(s, md, s->master_secret, resumption_master_secret,
+- sizeof(resumption_master_secret)-1, hash, hashlen,
+- s->resumption_master_secret, hashlen, 1)) {
++ || !ssl_log_secret(s, SERVER_APPLICATION_LABEL, s->server_app_traffic_secret, hashlen)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
+@@ -479,6 +476,8 @@ static int quic_change_cipher_state(SSL *s, int which)
+ else
+ s->quic_read_level = level;
+ } else {
++ /* is_client_write || is_server_read */
++
+ if (is_early) {
+ level = ssl_encryption_early_data;
+
+@@ -494,6 +493,16 @@ static int quic_change_cipher_state(SSL *s, int which)
+ level = ssl_encryption_handshake;
+ } else {
+ level = ssl_encryption_application;
++ /*
++ * We also create the resumption master secret, but this time use the
++ * hash for the whole handshake including the Client Finished
++ */
++ if (!tls13_hkdf_expand(s, md, s->master_secret, resumption_master_secret,
++ sizeof(resumption_master_secret)-1, hash, hashlen,
++ s->resumption_master_secret, hashlen, 1)) {
++ /* SSLfatal() already called */
++ goto err;
++ }
+ }
+
+ if (s->server)
+--
+2.42.0
+
diff --git a/0019-QUIC-Handle-EndOfEarlyData-and-MaxEarlyData.patch b/0019-QUIC-Handle-EndOfEarlyData-and-MaxEarlyData.patch
new file mode 100644
index 0000000..9e871ed
--- /dev/null
+++ b/0019-QUIC-Handle-EndOfEarlyData-and-MaxEarlyData.patch
@@ -0,0 +1,98 @@
+From c60ebaf44ca48a2bfa9cd3bbd2edff3d2bde308e Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Wed, 13 Nov 2019 12:11:00 -0500
+Subject: [PATCH 19/63] QUIC: Handle EndOfEarlyData and MaxEarlyData
+
+---
+ ssl/statem/extensions_clnt.c | 11 +++++++++++
+ ssl/statem/extensions_srvr.c | 12 ++++++++++--
+ ssl/statem/statem_clnt.c | 8 ++++++++
+ ssl/statem/statem_srvr.c | 4 ++++
+ 4 files changed, 33 insertions(+), 2 deletions(-)
+
+diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
+index 3ae28e68dc..3e76361199 100644
+--- a/ssl/statem/extensions_clnt.c
++++ b/ssl/statem/extensions_clnt.c
+@@ -1919,6 +1919,17 @@ int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
+ return 0;
+ }
+
++#ifndef OPENSSL_NO_QUIC
++ /*
++ * QUIC server must send 0xFFFFFFFF or it's a PROTOCOL_VIOLATION
++ * per draft-ietf-quic-tls-24 S4.5
++ */
++ if (s->quic_method != NULL && max_early_data != 0xFFFFFFFF) {
++ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_MAX_EARLY_DATA);
++ return 0;
++ }
++#endif
++
+ s->session->ext.max_early_data = max_early_data;
+
+ return 1;
+diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
+index 2fad8f3788..344dca1292 100644
+--- a/ssl/statem/extensions_srvr.c
++++ b/ssl/statem/extensions_srvr.c
+@@ -1890,12 +1890,20 @@ EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
+ size_t chainidx)
+ {
+ if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
+- if (s->max_early_data == 0)
++ uint32_t max_early_data = s->max_early_data;
++
++ if (max_early_data == 0)
+ return EXT_RETURN_NOT_SENT;
+
++#ifndef OPENSSL_NO_QUIC
++ /* QUIC server must always send 0xFFFFFFFF, per draft-ietf-quic-tls-24 S4.5 */
++ if (s->quic_method != NULL)
++ max_early_data = 0xFFFFFFFF;
++#endif
++
+ if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
+ || !WPACKET_start_sub_packet_u16(pkt)
+- || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
++ || !WPACKET_put_bytes_u32(pkt, max_early_data)
+ || !WPACKET_close(pkt)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return EXT_RETURN_FAIL;
+diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
+index 3cd1ee2d3d..36cbba2a50 100644
+--- a/ssl/statem/statem_clnt.c
++++ b/ssl/statem/statem_clnt.c
+@@ -904,6 +904,14 @@ int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt,
+ break;
+
+ case TLS_ST_CW_END_OF_EARLY_DATA:
++#ifndef OPENSSL_NO_QUIC
++ /* QUIC does not send EndOfEarlyData, draft-ietf-quic-tls-24 S8.3 */
++ if (s->quic_method != NULL) {
++ *confunc = NULL;
++ *mt = SSL3_MT_DUMMY;
++ break;
++ }
++#endif
+ *confunc = tls_construct_end_of_early_data;
+ *mt = SSL3_MT_END_OF_EARLY_DATA;
+ break;
+diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
+index 5d59d53563..1c4b7124e4 100644
+--- a/ssl/statem/statem_srvr.c
++++ b/ssl/statem/statem_srvr.c
+@@ -76,6 +76,10 @@ static int ossl_statem_server13_read_transition(SSL *s, int mt)
+ break;
+ } else if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
+ if (mt == SSL3_MT_END_OF_EARLY_DATA) {
++#ifndef OPENSSL_NO_QUIC
++ if (s->quic_method != NULL)
++ return 0;
++#endif
+ st->hand_state = TLS_ST_SR_END_OF_EARLY_DATA;
+ return 1;
+ }
+--
+2.42.0
+
diff --git a/0020-QUIC-Fall-through-for-0RTT.patch b/0020-QUIC-Fall-through-for-0RTT.patch
new file mode 100644
index 0000000..d1f0d76
--- /dev/null
+++ b/0020-QUIC-Fall-through-for-0RTT.patch
@@ -0,0 +1,31 @@
+From 98f16af8ea10b5bcb8243e438795c4f83e64339f Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Tue, 7 Jan 2020 10:59:08 -0500
+Subject: [PATCH 20/63] QUIC: Fall-through for 0RTT
+
+---
+ ssl/statem/statem_srvr.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
+index 1c4b7124e4..aba18e8c76 100644
+--- a/ssl/statem/statem_srvr.c
++++ b/ssl/statem/statem_srvr.c
+@@ -74,12 +74,9 @@ static int ossl_statem_server13_read_transition(SSL *s, int mt)
+ return 1;
+ }
+ break;
+- } else if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
++ } else if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED
++ && !SSL_IS_QUIC(s)) {
+ if (mt == SSL3_MT_END_OF_EARLY_DATA) {
+-#ifndef OPENSSL_NO_QUIC
+- if (s->quic_method != NULL)
+- return 0;
+-#endif
+ st->hand_state = TLS_ST_SR_END_OF_EARLY_DATA;
+ return 1;
+ }
+--
+2.42.0
+
diff --git a/0021-QUIC-Some-cleanup-for-the-main-QUIC-changes.patch b/0021-QUIC-Some-cleanup-for-the-main-QUIC-changes.patch
new file mode 100644
index 0000000..105e93c
--- /dev/null
+++ b/0021-QUIC-Some-cleanup-for-the-main-QUIC-changes.patch
@@ -0,0 +1,677 @@
+From 3cd9c15ff714c4e23e1e7e62263940a53a55536a Mon Sep 17 00:00:00 2001
+From: Benjamin Kaduk <bkaduk@akamai.com>
+Date: Wed, 22 Apr 2020 09:12:36 -0700
+Subject: [PATCH 21/63] QUIC: Some cleanup for the main QUIC changes
+
+Try to reduce unneeded whitespace changes and wrap new code to 80 columns.
+Reword documentation to attempt to improve clarity.
+Add some more sanity checks and clarifying comments to the code.
+Update referenced I-D versions.
+---
+ doc/man3/SSL_CTX_set_quic_method.pod | 43 +++++++-------
+ include/openssl/ssl.h.in | 4 +-
+ include/openssl/tls1.h | 2 +-
+ ssl/build.info | 7 ++-
+ ssl/ssl_ciph.c | 2 +
+ ssl/ssl_lib.c | 2 +-
+ ssl/ssl_local.h | 1 +
+ ssl/ssl_quic.c | 45 +++++++--------
+ ssl/statem/extensions_clnt.c | 2 +-
+ ssl/statem/extensions_srvr.c | 2 +-
+ ssl/statem/statem.c | 2 +-
+ ssl/statem/statem_lib.c | 26 +++++----
+ ssl/statem/statem_local.h | 2 +
+ ssl/statem/statem_quic.c | 22 ++++----
+ ssl/tls13_enc.c | 84 +++++++++++++++++++---------
+ test/sslapitest.c | 11 ++--
+ util/libssl.num | 2 +-
+ 17 files changed, 155 insertions(+), 104 deletions(-)
+
+diff --git a/doc/man3/SSL_CTX_set_quic_method.pod b/doc/man3/SSL_CTX_set_quic_method.pod
+index 60bf704944..3d7bf7e682 100644
+--- a/doc/man3/SSL_CTX_set_quic_method.pod
++++ b/doc/man3/SSL_CTX_set_quic_method.pod
+@@ -63,22 +63,25 @@ SSL_quic_max_handshake_flight_len() returns the maximum number of bytes
+ that may be received at the given encryption level. This function should be
+ used to limit buffering in the QUIC implementation.
+
+-See https://tools.ietf.org/html/draft-ietf-quic-transport-16#section-4.4.
++See https://tools.ietf.org/html/draft-ietf-quic-transport-27#section-4.
+
+ SSL_quic_read_level() returns the current read encryption level.
+
+ SSL_quic_write_level() returns the current write encryption level.
+
+-SSL_provide_quic_data() provides data from QUIC at a particular encryption
+-level B<level>. It is an error to call this function outside of the handshake
+-or with an encryption level other than the current read level. It returns one
+-on success and zero on error.
++SSL_provide_quic_data() is used to provide data from QUIC CRYPTO frames to the
++state machine, at a particular encryption level B<level>. It is an error to
++call this function outside of the handshake or with an encryption level other
++than the current read level. The application must buffer and consolidate any
++frames with less than four bytes of content. It returns one on success and
++zero on error.
+
+ SSL_process_quic_post_handshake() processes any data that QUIC has provided
+ after the handshake has completed. This includes NewSessionTicket messages
+ sent by the server.
+
+-SSL_is_quic() indicates whether a connection uses QUIC.
++SSL_is_quic() indicates whether a connection uses QUIC. A given B<SSL>
++or B<SSL_CTX> can only be used with QUIC or TLS, but not both.
+
+ =head1 NOTES
+
+@@ -89,11 +92,11 @@ functions allow a QUIC implementation to serve as the underlying transport as
+ described in draft-ietf-quic-tls.
+
+ When configured for QUIC, SSL_do_handshake() will drive the handshake as
+-before, but it will not use the configured B<BIO>. It will call functions on
+-B<SSL_QUIC_METHOD> to configure secrets and send data. If data is needed from
+-the peer, it will return B<SSL_ERROR_WANT_READ>. When received, the caller
+-should call SSL_provide_quic_data() and then SSL_do_handshake() to continue
+-the handshake. After the handshake is complete, the caller should call
++before, but it will not use the configured B<BIO>. It will call functions from
++the configured B<SSL_QUIC_METHOD> to configure secrets and send data. If data
++is needed from the peer, it will return B<SSL_ERROR_WANT_READ>. When received,
++the caller should call SSL_provide_quic_data() and then SSL_do_handshake() to
++continue the handshake. After the handshake is complete, the caller should call
+ SSL_provide_quic_data() for any post-handshake data, followed by
+ SSL_process_quic_post_handshake() to process it. It is an error to call
+ SSL_read()/SSL_read_ex() and SSL_write()/SSL_write_ex() in QUIC.
+@@ -105,7 +108,7 @@ pass the active write level to add_handshake_data() when writing data. Callers
+ can use SSL_quic_write_level() to query the active write level when
+ generating their own errors.
+
+-See https://tools.ietf.org/html/draft-ietf-quic-tls-15#section-4.1 for more
++See https://tools.ietf.org/html/draft-ietf-quic-tls-27#section-4.1 for more
+ details.
+
+ To avoid DoS attacks, the QUIC implementation must limit the amount of data
+@@ -113,11 +116,12 @@ being queued up. The implementation can call
+ SSL_quic_max_handshake_flight_len() to get the maximum buffer length at each
+ encryption level.
+
+-draft-ietf-quic-tls defines a new TLS extension quic_transport_parameters
++draft-ietf-quic-tls defines a new TLS extension "quic_transport_parameters"
+ used by QUIC for each endpoint to unilaterally declare its supported
+-transport parameters. draft-ietf-quic-transport (section 7.4) defines the
+-contents of that extension (a TransportParameters struct) and describes how
+-to handle it and its semantic meaning.
++transport parameters. The contents of the extension are specified in
++https://tools.ietf.org/html/draft-ietf-quic-transport-27#section-18 (as
++a sequence of tag/length/value parameters) along with the interpretation of the
++various parameters and the rules for their processing.
+
+ OpenSSL handles this extension as an opaque byte string. The caller is
+ responsible for serializing and parsing it.
+@@ -205,10 +209,11 @@ SSL_process_quic_post_handshake()
+ return 1 on success, and 0 on error.
+
+ SSL_quic_read_level() and SSL_quic_write_level() return the current
+-encryption level as B<OSSL_ENCRYPTION_LEVEL> (B<enum ssl_encryption_level_t>).
++encryption level as an B<OSSL_ENCRYPTION_LEVEL>
++(B<enum ssl_encryption_level_t>).
+
+-SSL_quic_max_handshake_flight_len() returns the maximum length of a flight
+-for a given encryption level.
++SSL_quic_max_handshake_flight_len() returns the maximum length in bytes of a
++flight for a given encryption level.
+
+ SSL_is_quic() returns 1 if QUIC is being used, 0 if not.
+
+diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
+index e2e31bce9b..6b5fbfbf02 100644
+--- a/include/openssl/ssl.h.in
++++ b/include/openssl/ssl.h.in
+@@ -2565,10 +2565,10 @@ __owur int SSL_process_quic_post_handshake(SSL *ssl);
+
+ __owur int SSL_is_quic(SSL *ssl);
+
+-# endif
+-
+ int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *c);
+
++# endif
++
+ # ifdef __cplusplus
+ }
+ # endif
+diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
+index c4f80dc332..062e47c18a 100644
+--- a/include/openssl/tls1.h
++++ b/include/openssl/tls1.h
+@@ -151,7 +151,7 @@ extern "C" {
+ /* Temporary extension type */
+ # define TLSEXT_TYPE_renegotiate 0xff01
+
+-/* ExtensionType value from draft-ietf-quic-tls-13 */
++/* ExtensionType value from draft-ietf-quic-tls-27 */
+ # define TLSEXT_TYPE_quic_transport_parameters 0xffa5
+
+ # ifndef OPENSSL_NO_NEXTPROTONEG
+diff --git a/ssl/build.info b/ssl/build.info
+index ac87437906..d99835c9a0 100644
+--- a/ssl/build.info
++++ b/ssl/build.info
+@@ -37,10 +37,11 @@ IF[{- !$disabled{'deprecated-3.0'} -}]
+ SHARED_SOURCE[../libssl]=s3_cbc.c
+ SOURCE[../libssl]=ssl_rsa_legacy.c
+ ENDIF
+-
+-SOURCE[../libssl]=ssl_quic.c statem/statem_quic.c
+-
+ DEFINE[../libssl]=$AESDEF
+
++IF[{- !$disabled{quic} -}]
++ SOURCE[../libssl]=ssl_quic.c statem/statem_quic.c
++ENDIF
++
+ SOURCE[../providers/libcommon.a]=record/tls_pad.c
+ SOURCE[../providers/libdefault.a ../providers/libfips.a]=s3_cbc.c
+diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
+index deb68b4062..9dcb49d077 100644
+--- a/ssl/ssl_ciph.c
++++ b/ssl/ssl_ciph.c
+@@ -2245,6 +2245,7 @@ const char *OSSL_default_ciphersuites(void)
+ "TLS_AES_128_GCM_SHA256";
+ }
+
++#ifndef OPENSSL_NO_QUIC
+ int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *c)
+ {
+ switch (c->algorithm2 & (0xFF << TLS1_PRF_DGST_SHIFT)) {
+@@ -2276,3 +2277,4 @@ int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *c)
+ }
+ return NID_undef;
+ }
++#endif
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 6b7633e8a5..9ab43d1573 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -4245,7 +4245,7 @@ EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx)
+
+ const SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
+ {
+- if (s->session != NULL)
++ if ((s->session != NULL) && (s->session->cipher != NULL))
+ return s->session->cipher;
+ return NULL;
+ }
+diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
+index 049d6448c9..c4033b4688 100644
+--- a/ssl/ssl_local.h
++++ b/ssl/ssl_local.h
+@@ -1227,6 +1227,7 @@ struct quic_data_st {
+ OSSL_ENCRYPTION_LEVEL level;
+ size_t offset;
+ size_t length;
++ /* char data[]; should be here but C90 VLAs not allowed here */
+ };
+ typedef struct quic_data_st QUIC_DATA;
+ int quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level);
+diff --git a/ssl/ssl_quic.c b/ssl/ssl_quic.c
+index 670deea5ab..95b3a8b64e 100644
+--- a/ssl/ssl_quic.c
++++ b/ssl/ssl_quic.c
+@@ -11,10 +11,6 @@
+ #include "internal/cryptlib.h"
+ #include "internal/refcount.h"
+
+-#ifdef OPENSSL_NO_QUIC
+-NON_EMPTY_TRANSLATION_UNIT
+-#else
+-
+ int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,
+ size_t params_len)
+ {
+@@ -109,10 +105,10 @@ int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+ return 0;
+ }
+
+- /* Split the QUIC messages up, if necessary */
++ /* Split on handshake message boundaries, if necessary */
+ while (len > 0) {
+ QUIC_DATA *qd;
+- const uint8_t *p = data + 1;
++ const uint8_t *p;
+
+ /* Check for an incomplete block */
+ qd = ssl->quic_input_data_tail;
+@@ -130,6 +126,12 @@ int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+ }
+ }
+
++ if (len < SSL3_HM_HEADER_LENGTH) {
++ SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, SSL_R_BAD_LENGTH);
++ return 0;
++ }
++ /* TLS Handshake message header has 1-byte type and 3-byte length */
++ p = data + 1;
+ n2l3(p, l);
+ l += SSL3_HM_HEADER_LENGTH;
+
+@@ -163,15 +165,8 @@ int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+
+ int SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method)
+ {
+- switch (ctx->method->version) {
+- case DTLS1_VERSION:
+- case DTLS1_2_VERSION:
+- case DTLS_ANY_VERSION:
+- case DTLS1_BAD_VER:
++ if (ctx->method->version != TLS_ANY_VERSION)
+ return 0;
+- default:
+- break;
+- }
+ ctx->quic_method = quic_method;
+ ctx->options &= ~SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
+ return 1;
+@@ -179,15 +174,8 @@ int SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method)
+
+ int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method)
+ {
+- switch (ssl->method->version) {
+- case DTLS1_VERSION:
+- case DTLS1_2_VERSION:
+- case DTLS_ANY_VERSION:
+- case DTLS1_BAD_VER:
++ if (ssl->method->version != TLS_ANY_VERSION)
+ return 0;
+- default:
+- break;
+- }
+ ssl->quic_method = quic_method;
+ ssl->options &= ~SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
+ return 1;
+@@ -225,6 +213,12 @@ int quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level)
+ /* May not have selected cipher, yet */
+ const SSL_CIPHER *c = NULL;
+
++ /*
++ * It probably doesn't make sense to use an (external) PSK session,
++ * but in theory some kinds of external session caches could be
++ * implemented using it, so allow psksession to be used as well as
++ * the regular session.
++ */
+ if (ssl->session != NULL)
+ c = SSL_SESSION_get0_cipher(ssl->session);
+ else if (ssl->psksession != NULL)
+@@ -265,6 +259,11 @@ int SSL_process_quic_post_handshake(SSL *ssl)
+ return 0;
+ }
+
++ /*
++ * This is always safe (we are sure to be at a record boundary) because
++ * SSL_read()/SSL_write() are never used for QUIC connections -- the
++ * application data is handled at the QUIC layer instead.
++ */
+ ossl_statem_set_in_init(ssl, 1);
+ ret = ssl->handshake_func(ssl);
+ ossl_statem_set_in_init(ssl, 0);
+@@ -278,5 +277,3 @@ int SSL_is_quic(SSL* ssl)
+ {
+ return SSL_IS_QUIC(ssl);
+ }
+-
+-#endif
+diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
+index 3e76361199..06ccd855a0 100644
+--- a/ssl/statem/extensions_clnt.c
++++ b/ssl/statem/extensions_clnt.c
+@@ -1922,7 +1922,7 @@ int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
+ #ifndef OPENSSL_NO_QUIC
+ /*
+ * QUIC server must send 0xFFFFFFFF or it's a PROTOCOL_VIOLATION
+- * per draft-ietf-quic-tls-24 S4.5
++ * per draft-ietf-quic-tls-27 S4.5
+ */
+ if (s->quic_method != NULL && max_early_data != 0xFFFFFFFF) {
+ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_MAX_EARLY_DATA);
+diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
+index 344dca1292..e3277f685f 100644
+--- a/ssl/statem/extensions_srvr.c
++++ b/ssl/statem/extensions_srvr.c
+@@ -1896,7 +1896,7 @@ EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
+ return EXT_RETURN_NOT_SENT;
+
+ #ifndef OPENSSL_NO_QUIC
+- /* QUIC server must always send 0xFFFFFFFF, per draft-ietf-quic-tls-24 S4.5 */
++ /* QUIC server must always send 0xFFFFFFFF, per draft-ietf-quic-tls-27 S4.5 */
+ if (s->quic_method != NULL)
+ max_early_data = 0xFFFFFFFF;
+ #endif
+diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c
+index f6caa64e4c..b040d14cd2 100644
+--- a/ssl/statem/statem.c
++++ b/ssl/statem/statem.c
+@@ -585,6 +585,7 @@ static SUB_STATE_RETURN read_state_machine(SSL *s)
+ ret = dtls_get_message(s, &mt);
+ #ifndef OPENSSL_NO_QUIC
+ } else if (SSL_IS_QUIC(s)) {
++ /* QUIC behaves like DTLS -- all in one go. */
+ ret = quic_get_message(s, &mt, &len);
+ #endif
+ } else {
+@@ -929,7 +930,6 @@ int statem_flush(SSL *s)
+ #ifndef OPENSSL_NO_QUIC
+ if (SSL_IS_QUIC(s)) {
+ if (!s->quic_method->flush_flight(s)) {
+- /* NOTE: BIO_flush() does not generate an error */
+ SSLerr(SSL_F_STATEM_FLUSH, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
+index 65899e6b83..c85f35d6bb 100644
+--- a/ssl/statem/statem_lib.c
++++ b/ssl/statem/statem_lib.c
+@@ -44,17 +44,24 @@ int ssl3_do_write(SSL *s, int type)
+ {
+ int ret;
+ size_t written = 0;
++
+ #ifndef OPENSSL_NO_QUIC
+- if (SSL_IS_QUIC(s) && type == SSL3_RT_HANDSHAKE) {
+- ret = s->quic_method->add_handshake_data(s, s->quic_write_level,
+- (const uint8_t*)&s->init_buf->data[s->init_off],
+- s->init_num);
+- if (!ret) {
+- ret = -1;
+- /* QUIC can't sent anything out sice the above failed */
+- SSLerr(SSL_F_SSL3_DO_WRITE, ERR_R_INTERNAL_ERROR);
++ if (SSL_IS_QUIC(s)) {
++ if (type == SSL3_RT_HANDSHAKE) {
++ ret = s->quic_method->add_handshake_data(s, s->quic_write_level,
++ (const uint8_t*)&s->init_buf->data[s->init_off],
++ s->init_num);
++ if (!ret) {
++ ret = -1;
++ /* QUIC can't sent anything out sice the above failed */
++ SSLerr(SSL_F_SSL3_DO_WRITE, ERR_R_INTERNAL_ERROR);
++ } else {
++ written = s->init_num;
++ }
+ } else {
+- written = s->init_num;
++ /* QUIC doesn't use ChangeCipherSpec */
++ ret = -1;
++ SSLerr(SSL_F_SSL3_DO_WRITE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ }
+ } else
+ #endif
+@@ -1177,7 +1184,6 @@ int tls_get_message_header(SSL *s, int *mt)
+
+ do {
+ while (s->init_num < SSL3_HM_HEADER_LENGTH) {
+- /* QUIC: either create a special ssl_read_bytes... or if/else this */
+ i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
+ &p[s->init_num],
+ SSL3_HM_HEADER_LENGTH - s->init_num,
+diff --git a/ssl/statem/statem_local.h b/ssl/statem/statem_local.h
+index 57e314512b..6d5820e2cf 100644
+--- a/ssl/statem/statem_local.h
++++ b/ssl/statem/statem_local.h
+@@ -104,7 +104,9 @@ __owur int tls_get_message_header(SSL *s, int *mt);
+ __owur int tls_get_message_body(SSL *s, size_t *len);
+ __owur int dtls_get_message(SSL *s, int *mt);
+ __owur int dtls_get_message_body(SSL *s, size_t *len);
++#ifndef OPENSSL_NO_QUIC
+ __owur int quic_get_message(SSL *s, int *mt, size_t *len);
++#endif
+
+ /* Message construction and processing functions */
+ __owur int tls_process_initial_server_flight(SSL *s);
+diff --git a/ssl/statem/statem_quic.c b/ssl/statem/statem_quic.c
+index 982a9a6292..df38afbc79 100644
+--- a/ssl/statem/statem_quic.c
++++ b/ssl/statem/statem_quic.c
+@@ -11,10 +11,6 @@
+ #include "statem_local.h"
+ #include "internal/cryptlib.h"
+
+-#ifdef OPENSSL_NO_QUIC
+-NON_EMPTY_TRANSLATION_UNIT
+-#else
+-
+ int quic_get_message(SSL *s, int *mt, size_t *len)
+ {
+ size_t l;
+@@ -23,20 +19,26 @@ int quic_get_message(SSL *s, int *mt, size_t *len)
+
+ if (qd == NULL || (qd->length - qd->offset) != 0) {
+ s->rwstate = SSL_READING;
+- *len = 0;
++ *mt = *len = 0;
++ return 0;
++ }
++
++ if (!ossl_assert(qd->length >= SSL3_HM_HEADER_LENGTH)) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_LENGTH);
++ *mt = *len = 0;
+ return 0;
+ }
+
+ /* This is where we check for the proper level, not when data is given */
+ if (qd->level != s->quic_read_level) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED);
+- *len = 0;
++ *mt = *len = 0;
+ return 0;
+ }
+
+ if (!BUF_MEM_grow_clean(s->init_buf, (int)qd->length)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB);
+- *len = 0;
++ *mt = *len = 0;
+ return 0;
+ }
+
+@@ -79,8 +81,8 @@ int quic_get_message(SSL *s, int *mt, size_t *len)
+ */
+ #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
+ /* KeyUpdate and NewSessionTicket do not need to be added */
+- if (!SSL_IS_TLS13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
+- && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
++ if (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
++ && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE) {
+ if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
+ || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
+ || memcmp(hrrrandom,
+@@ -101,5 +103,3 @@ int quic_get_message(SSL *s, int *mt, size_t *len)
+
+ return 1;
+ }
+-
+-#endif
+diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
+index a5b674d04b..a63beea224 100644
+--- a/ssl/tls13_enc.c
++++ b/ssl/tls13_enc.c
+@@ -404,6 +404,7 @@ static const unsigned char exporter_master_secret[] = "exp master";
+ static const unsigned char resumption_master_secret[] = "res master";
+ static const unsigned char early_exporter_master_secret[] = "e exp master";
+ #endif
++
+ #ifndef OPENSSL_NO_QUIC
+ static int quic_change_cipher_state(SSL *s, int which)
+ {
+@@ -412,7 +413,7 @@ static int quic_change_cipher_state(SSL *s, int which)
+ int hashleni;
+ int ret = 0;
+ const EVP_MD *md = NULL;
+- OSSL_ENCRYPTION_LEVEL level = ssl_encryption_initial;
++ OSSL_ENCRYPTION_LEVEL level;
+ int is_handshake = ((which & SSL3_CC_HANDSHAKE) == SSL3_CC_HANDSHAKE);
+ int is_client_read = ((which & SSL3_CHANGE_CIPHER_CLIENT_READ) == SSL3_CHANGE_CIPHER_CLIENT_READ);
+ int is_server_write = ((which & SSL3_CHANGE_CIPHER_SERVER_WRITE) == SSL3_CHANGE_CIPHER_SERVER_WRITE);
+@@ -435,34 +436,62 @@ static int quic_change_cipher_state(SSL *s, int which)
+
+ if (is_client_read || is_server_write) {
+ if (is_handshake) {
++ /*
++ * This looks a bit weird, since the condition is basically "the
++ * server is writing" but we set both the server *and* client
++ * handshake traffic keys here. That's because there's only a fixed
++ * number of change-cipher-state events in the TLS 1.3 handshake,
++ * and in particular there's not an event in between when the server
++ * writes encrypted handshake messages and when the client writes
++ * encrypted handshake messages, so we generate both here.
++ */
+ level = ssl_encryption_handshake;
+
+- if (!tls13_hkdf_expand(s, md, s->handshake_secret, client_handshake_traffic,
+- sizeof(client_handshake_traffic)-1, hash, hashlen,
+- s->client_hand_traffic_secret, hashlen, 1)
+- || !ssl_log_secret(s, CLIENT_HANDSHAKE_LABEL, s->client_hand_traffic_secret, hashlen)
+- || !tls13_derive_finishedkey(s, md, s->client_hand_traffic_secret,
++ if (!tls13_hkdf_expand(s, md, s->handshake_secret,
++ client_handshake_traffic,
++ sizeof(client_handshake_traffic)-1, hash,
++ hashlen, s->client_hand_traffic_secret,
++ hashlen, 1)
++ || !ssl_log_secret(s, CLIENT_HANDSHAKE_LABEL,
++ s->client_hand_traffic_secret, hashlen)
++ || !tls13_derive_finishedkey(s, md,
++ s->client_hand_traffic_secret,
+ s->client_finished_secret, hashlen)
+- || !tls13_hkdf_expand(s, md, s->handshake_secret, server_handshake_traffic,
+- sizeof(server_handshake_traffic)-1, hash, hashlen,
+- s->server_hand_traffic_secret, hashlen, 1)
+- || !ssl_log_secret(s, SERVER_HANDSHAKE_LABEL, s->server_hand_traffic_secret, hashlen)
+- || !tls13_derive_finishedkey(s, md, s->server_hand_traffic_secret,
+- s->server_finished_secret, hashlen)) {
++ || !tls13_hkdf_expand(s, md, s->handshake_secret,
++ server_handshake_traffic,
++ sizeof(server_handshake_traffic)-1, hash,
++ hashlen, s->server_hand_traffic_secret,
++ hashlen, 1)
++ || !ssl_log_secret(s, SERVER_HANDSHAKE_LABEL,
++ s->server_hand_traffic_secret, hashlen)
++ || !tls13_derive_finishedkey(s, md,
++ s->server_hand_traffic_secret,
++ s->server_finished_secret,
++ hashlen)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
+ } else {
++ /*
++ * As above, we generate both sets of application traffic keys at
++ * the same time.
++ */
+ level = ssl_encryption_application;
+
+- if (!tls13_hkdf_expand(s, md, s->master_secret, client_application_traffic,
+- sizeof(client_application_traffic)-1, hash, hashlen,
+- s->client_app_traffic_secret, hashlen, 1)
+- || !ssl_log_secret(s, CLIENT_APPLICATION_LABEL, s->client_app_traffic_secret, hashlen)
+- || !tls13_hkdf_expand(s, md, s->master_secret, server_application_traffic,
+- sizeof(server_application_traffic)-1, hash, hashlen,
++ if (!tls13_hkdf_expand(s, md, s->master_secret,
++ client_application_traffic,
++ sizeof(client_application_traffic)-1, hash,
++ hashlen, s->client_app_traffic_secret,
++ hashlen, 1)
++ || !ssl_log_secret(s, CLIENT_APPLICATION_LABEL,
++ s->client_app_traffic_secret, hashlen)
++ || !tls13_hkdf_expand(s, md, s->master_secret,
++ server_application_traffic,
++ sizeof(server_application_traffic)-1,
++ hash, hashlen,
+ s->server_app_traffic_secret, hashlen, 1)
+- || !ssl_log_secret(s, SERVER_APPLICATION_LABEL, s->server_app_traffic_secret, hashlen)) {
++ || !ssl_log_secret(s, SERVER_APPLICATION_LABEL,
++ s->server_app_traffic_secret, hashlen)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
+@@ -482,9 +511,11 @@ static int quic_change_cipher_state(SSL *s, int which)
+ level = ssl_encryption_early_data;
+
+ if (!tls13_hkdf_expand(s, md, s->early_secret, client_early_traffic,
+- sizeof(client_early_traffic)-1, hash, hashlen,
+- s->client_early_traffic_secret, hashlen, 1)
+- || !ssl_log_secret(s, CLIENT_EARLY_LABEL, s->client_early_traffic_secret, hashlen)
++ sizeof(client_early_traffic)-1, hash,
++ hashlen, s->client_early_traffic_secret,
++ hashlen, 1)
++ || !ssl_log_secret(s, CLIENT_EARLY_LABEL,
++ s->client_early_traffic_secret, hashlen)
+ || !quic_set_encryption_secrets(s, level)) {
+ /* SSLfatal() already called */
+ goto err;
+@@ -497,9 +528,11 @@ static int quic_change_cipher_state(SSL *s, int which)
+ * We also create the resumption master secret, but this time use the
+ * hash for the whole handshake including the Client Finished
+ */
+- if (!tls13_hkdf_expand(s, md, s->master_secret, resumption_master_secret,
+- sizeof(resumption_master_secret)-1, hash, hashlen,
+- s->resumption_master_secret, hashlen, 1)) {
++ if (!tls13_hkdf_expand(s, md, s->master_secret,
++ resumption_master_secret,
++ sizeof(resumption_master_secret)-1, hash,
++ hashlen, s->resumption_master_secret,
++ hashlen, 1)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
+@@ -516,6 +549,7 @@ static int quic_change_cipher_state(SSL *s, int which)
+ return ret;
+ }
+ #endif /* OPENSSL_NO_QUIC */
++
+ int tls13_change_cipher_state(SSL *s, int which)
+ {
+ unsigned char *iv;
+diff --git a/test/sslapitest.c b/test/sslapitest.c
+index b0bafe7549..bd2b698303 100644
+--- a/test/sslapitest.c
++++ b/test/sslapitest.c
+@@ -10132,9 +10132,11 @@ end:
+ }
+
+ #ifndef OPENSSL_NO_QUIC
+-static int test_quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
++static int test_quic_set_encryption_secrets(SSL *ssl,
++ OSSL_ENCRYPTION_LEVEL level,
+ const uint8_t *read_secret,
+- const uint8_t *write_secret, size_t secret_len)
++ const uint8_t *write_secret,
++ size_t secret_len)
+ {
+ test_printf_stderr("quic_set_encryption_secrets() %s, lvl=%d, len=%zd\n",
+ ssl->server ? "server" : "client", level, secret_len);
+@@ -10146,11 +10148,12 @@ static int test_quic_add_handshake_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+ {
+ SSL *peer = (SSL*)SSL_get_app_data(ssl);
+
+- test_printf_stderr("quic_add_handshake_data() %s, lvl=%d, *data=0x%02X, len=%zd\n",
+- ssl->server ? "server" : "client", level, (int)*data, len);
++ TEST_info("quic_add_handshake_data() %s, lvl=%d, *data=0x%02X, len=%zd\n",
++ ssl->server ? "server" : "client", level, (int)*data, len);
+ if (!TEST_ptr(peer))
+ return 0;
+
++ /* We're called with what is locally written; this gives it to the peer */
+ if (!TEST_true(SSL_provide_quic_data(peer, level, data, len))) {
+ ERR_print_errors_fp(stderr);
+ return 0;
+diff --git a/util/libssl.num b/util/libssl.num
+index 72ee0bedc6..da35cf2970 100644
+--- a/util/libssl.num
++++ b/util/libssl.num
+@@ -522,7 +522,7 @@ SSL_CTX_set0_tmp_dh_pkey 522 3_0_0 EXIST::FUNCTION:
+ SSL_group_to_name 523 3_0_0 EXIST::FUNCTION:
+ SSL_quic_read_level 20000 3_0_0 EXIST::FUNCTION:QUIC
+ SSL_set_quic_transport_params 20001 3_0_0 EXIST::FUNCTION:QUIC
+-SSL_CIPHER_get_prf_nid 20002 3_0_0 EXIST::FUNCTION:
++SSL_CIPHER_get_prf_nid 20002 3_0_0 EXIST::FUNCTION:QUIC
+ SSL_is_quic 20003 3_0_0 EXIST::FUNCTION:QUIC
+ SSL_get_peer_quic_transport_params 20004 3_0_0 EXIST::FUNCTION:QUIC
+ SSL_quic_write_level 20005 3_0_0 EXIST::FUNCTION:QUIC
+--
+2.42.0
+
diff --git a/0022-QUIC-Prevent-KeyUpdate-for-QUIC.patch b/0022-QUIC-Prevent-KeyUpdate-for-QUIC.patch
new file mode 100644
index 0000000..b160db9
--- /dev/null
+++ b/0022-QUIC-Prevent-KeyUpdate-for-QUIC.patch
@@ -0,0 +1,77 @@
+From 9f8fd0f59fa76853371099aa2ae706ae4229d0e3 Mon Sep 17 00:00:00 2001
+From: Benjamin Kaduk <bkaduk@akamai.com>
+Date: Mon, 11 May 2020 13:13:01 -0700
+Subject: [PATCH 22/63] QUIC: Prevent KeyUpdate for QUIC
+
+QUIC does not use the TLS KeyUpdate message/mechanism, and indeed
+it is an error to generate or receive such a message. Add the
+necessary checks (noting that the check for receipt should be
+redundant since SSL_provide_quic_data() is the only way to provide
+input to the TLS layer for a QUIC connection).
+---
+ ssl/ssl_quic.c | 6 ++++++
+ ssl/statem/statem_lib.c | 14 ++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/ssl/ssl_quic.c b/ssl/ssl_quic.c
+index 95b3a8b64e..7b78b2ec53 100644
+--- a/ssl/ssl_quic.c
++++ b/ssl/ssl_quic.c
+@@ -92,6 +92,7 @@ int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+ const uint8_t *data, size_t len)
+ {
+ size_t l;
++ uint8_t mt;
+
+ if (!SSL_IS_QUIC(ssl)) {
+ SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+@@ -131,9 +132,14 @@ int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+ return 0;
+ }
+ /* TLS Handshake message header has 1-byte type and 3-byte length */
++ mt = *data;
+ p = data + 1;
+ n2l3(p, l);
+ l += SSL3_HM_HEADER_LENGTH;
++ if (mt == SSL3_MT_KEY_UPDATE) {
++ SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, SSL_R_UNEXPECTED_MESSAGE);
++ return 0;
++ }
+
+ qd = OPENSSL_zalloc(sizeof(QUIC_DATA) + l);
+ if (qd == NULL) {
+diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
+index c85f35d6bb..9c9ac0eda6 100644
+--- a/ssl/statem/statem_lib.c
++++ b/ssl/statem/statem_lib.c
+@@ -656,6 +656,13 @@ int tls_construct_finished(SSL *s, WPACKET *pkt)
+
+ int tls_construct_key_update(SSL *s, WPACKET *pkt)
+ {
++#ifndef OPENSSL_NO_QUIC
++ if (SSL_is_quic(s)) {
++ /* TLS KeyUpdate is not used for QUIC, so this is an error. */
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++#endif
+ if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return 0;
+@@ -678,6 +685,13 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
+ return MSG_PROCESS_ERROR;
+ }
+
++#ifndef OPENSSL_NO_QUIC
++ if (SSL_is_quic(s)) {
++ SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
++ return MSG_PROCESS_ERROR;
++ }
++#endif
++
+ if (!PACKET_get_1(pkt, &updatetype)
+ || PACKET_remaining(pkt) != 0) {
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_KEY_UPDATE);
+--
+2.42.0
+
diff --git a/0023-QUIC-Test-KeyUpdate-rejection.patch b/0023-QUIC-Test-KeyUpdate-rejection.patch
new file mode 100644
index 0000000..5c2fa01
--- /dev/null
+++ b/0023-QUIC-Test-KeyUpdate-rejection.patch
@@ -0,0 +1,37 @@
+From 3e0ad6fa4444b3a1d9c7a4a98a8209d90b746169 Mon Sep 17 00:00:00 2001
+From: Benjamin Kaduk <bkaduk@akamai.com>
+Date: Mon, 11 May 2020 13:26:07 -0700
+Subject: [PATCH 23/63] QUIC: Test KeyUpdate rejection
+
+For now, just test that we don't generate any, since we don't really
+expose the mechanics for encrypting one and the QUIC API is not
+integrated into the TLSProxy setup.
+---
+ test/sslapitest.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/test/sslapitest.c b/test/sslapitest.c
+index bd2b698303..bc908dd382 100644
+--- a/test/sslapitest.c
++++ b/test/sslapitest.c
+@@ -10256,6 +10256,17 @@ static int test_quic_api(void)
+ || !TEST_true(SSL_process_quic_post_handshake(clientssl)))
+ goto end;
+
++ /* Dummy handshake call should succeed */
++ if (!TEST_true(SSL_do_handshake(clientssl)))
++ goto end;
++ /* Test that we (correctly) fail to send KeyUpdate */
++ if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED))
++ || !TEST_int_le(SSL_do_handshake(clientssl), 0))
++ goto end;
++ if (!TEST_true(SSL_key_update(serverssl, SSL_KEY_UPDATE_NOT_REQUESTED))
++ || !TEST_int_le(SSL_do_handshake(serverssl), 0))
++ goto end;
++
+ testresult = 1;
+
+ end:
+--
+2.42.0
+
diff --git a/0024-QUIC-Buffer-all-provided-quic-data.patch b/0024-QUIC-Buffer-all-provided-quic-data.patch
new file mode 100644
index 0000000..0c28e1b
--- /dev/null
+++ b/0024-QUIC-Buffer-all-provided-quic-data.patch
@@ -0,0 +1,219 @@
+From 27215416c0b1de14648f137edc158b3d9645a193 Mon Sep 17 00:00:00 2001
+From: Benjamin Kaduk <bkaduk@akamai.com>
+Date: Mon, 31 Aug 2020 12:27:33 -0700
+Subject: [PATCH 24/63] QUIC: Buffer all provided quic data
+
+Make all data supplied via SSL_provide_quic_data() pass through an
+internal buffer, so that we can handle data supplied with arbitrary
+framing and only parse complete TLS records onto the list of QUIC_DATA
+managed by quic_input_data_head/quic_input_data_tail.
+
+This lets us remove the concept of "incomplete" QUIC_DATA structures,
+and the 'offset' field needed to support them.
+
+However, we've already moved the provided data onto the buffer by
+the time we can check for KeyUpdate messages, so defer that check
+to quic_get_message() (where it is adjacent to the preexisting
+ChangeCipherSpec check).
+
+To avoid extra memory copies, we also make the QUIC_DATA structures
+just store offsets into the consolidated buffer instead of having copies
+of the TLS handshake messages themselves.
+---
+ ssl/ssl_lib.c | 1 +
+ ssl/ssl_local.h | 5 +--
+ ssl/ssl_quic.c | 75 +++++++++++++++++++---------------------
+ ssl/statem/statem_quic.c | 11 ++++--
+ 4 files changed, 49 insertions(+), 43 deletions(-)
+
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 9ab43d1573..a78ebd55af 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -1248,6 +1248,7 @@ void SSL_free(SSL *s)
+ #ifndef OPENSSL_NO_QUIC
+ OPENSSL_free(s->ext.quic_transport_params);
+ OPENSSL_free(s->ext.peer_quic_transport_params);
++ BUF_MEM_free(s->quic_buf);
+ while (s->quic_input_data_head != NULL) {
+ QUIC_DATA *qd;
+
+diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
+index c4033b4688..44395fb365 100644
+--- a/ssl/ssl_local.h
++++ b/ssl/ssl_local.h
+@@ -1225,9 +1225,8 @@ typedef struct cert_pkey_st CERT_PKEY;
+ struct quic_data_st {
+ struct quic_data_st *next;
+ OSSL_ENCRYPTION_LEVEL level;
+- size_t offset;
++ size_t start; /* offset into quic_buf->data */
+ size_t length;
+- /* char data[]; should be here but C90 VLAs not allowed here */
+ };
+ typedef struct quic_data_st QUIC_DATA;
+ int quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level);
+@@ -1721,8 +1720,10 @@ struct ssl_st {
+ #ifndef OPENSSL_NO_QUIC
+ OSSL_ENCRYPTION_LEVEL quic_read_level;
+ OSSL_ENCRYPTION_LEVEL quic_write_level;
++ BUF_MEM *quic_buf; /* buffer incoming handshake messages */
+ QUIC_DATA *quic_input_data_head;
+ QUIC_DATA *quic_input_data_tail;
++ size_t quic_next_record_start;
+ const SSL_QUIC_METHOD *quic_method;
+ #endif
+ /*
+diff --git a/ssl/ssl_quic.c b/ssl/ssl_quic.c
+index 7b78b2ec53..e396720551 100644
+--- a/ssl/ssl_quic.c
++++ b/ssl/ssl_quic.c
+@@ -91,8 +91,7 @@ OSSL_ENCRYPTION_LEVEL SSL_quic_write_level(const SSL *ssl)
+ int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+ const uint8_t *data, size_t len)
+ {
+- size_t l;
+- uint8_t mt;
++ size_t l, offset;
+
+ if (!SSL_IS_QUIC(ssl)) {
+ SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+@@ -106,42 +105,46 @@ int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+ return 0;
+ }
+
+- /* Split on handshake message boundaries, if necessary */
+- while (len > 0) {
+- QUIC_DATA *qd;
+- const uint8_t *p;
+-
+- /* Check for an incomplete block */
+- qd = ssl->quic_input_data_tail;
+- if (qd != NULL) {
+- l = qd->length - qd->offset;
+- if (l != 0) {
+- /* we still need to copy `l` bytes into the last data block */
+- if (l > len)
+- l = len;
+- memcpy((char*)(qd+1) + qd->offset, data, l);
+- qd->offset += l;
+- len -= l;
+- data += l;
+- continue;
+- }
++ if (ssl->quic_buf == NULL) {
++ BUF_MEM *buf;
++ if ((buf = BUF_MEM_new()) == NULL) {
++ SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, ERR_R_INTERNAL_ERROR);
++ return 0;
+ }
+-
+- if (len < SSL3_HM_HEADER_LENGTH) {
+- SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, SSL_R_BAD_LENGTH);
++ if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
++ SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, ERR_R_INTERNAL_ERROR);
++ BUF_MEM_free(buf);
+ return 0;
+ }
++ ssl->quic_buf = buf;
++ /* We preallocated storage, but there's still no *data*. */
++ ssl->quic_buf->length = 0;
++ buf = NULL;
++ }
++
++ offset = ssl->quic_buf->length;
++ if (!BUF_MEM_grow(ssl->quic_buf, offset + len)) {
++ SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++ memcpy(ssl->quic_buf->data + offset, data, len);
++
++ /* Split on handshake message boundaries */
++ while (ssl->quic_buf->length > ssl->quic_next_record_start
++ + SSL3_HM_HEADER_LENGTH) {
++ QUIC_DATA *qd;
++ const uint8_t *p;
++
+ /* TLS Handshake message header has 1-byte type and 3-byte length */
+- mt = *data;
+- p = data + 1;
++ p = (const uint8_t *)ssl->quic_buf->data
++ + ssl->quic_next_record_start + 1;
+ n2l3(p, l);
+ l += SSL3_HM_HEADER_LENGTH;
+- if (mt == SSL3_MT_KEY_UPDATE) {
+- SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, SSL_R_UNEXPECTED_MESSAGE);
+- return 0;
+- }
++ /* Don't allocate a QUIC_DATA if we don't have a full record */
++ if (l > ssl->quic_buf->length - ssl->quic_next_record_start)
++ break;
+
+- qd = OPENSSL_zalloc(sizeof(QUIC_DATA) + l);
++ qd = OPENSSL_zalloc(sizeof(*qd));
+ if (qd == NULL) {
+ SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, ERR_R_INTERNAL_ERROR);
+ return 0;
+@@ -149,21 +152,15 @@ int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+
+ qd->next = NULL;
+ qd->length = l;
++ qd->start = ssl->quic_next_record_start;
+ qd->level = level;
+- /* partial data received? */
+- if (l > len)
+- l = len;
+- qd->offset = l;
+
+- memcpy((void*)(qd + 1), data, l);
+ if (ssl->quic_input_data_tail != NULL)
+ ssl->quic_input_data_tail->next = qd;
+ else
+ ssl->quic_input_data_head = qd;
+ ssl->quic_input_data_tail = qd;
+-
+- data += l;
+- len -= l;
++ ssl->quic_next_record_start += l;
+ }
+
+ return 1;
+diff --git a/ssl/statem/statem_quic.c b/ssl/statem/statem_quic.c
+index df38afbc79..a371eeaedb 100644
+--- a/ssl/statem/statem_quic.c
++++ b/ssl/statem/statem_quic.c
+@@ -17,7 +17,7 @@ int quic_get_message(SSL *s, int *mt, size_t *len)
+ QUIC_DATA *qd = s->quic_input_data_head;
+ uint8_t *p;
+
+- if (qd == NULL || (qd->length - qd->offset) != 0) {
++ if (qd == NULL) {
+ s->rwstate = SSL_READING;
+ *mt = *len = 0;
+ return 0;
+@@ -43,7 +43,7 @@ int quic_get_message(SSL *s, int *mt, size_t *len)
+ }
+
+ /* Copy buffered data */
+- memcpy(s->init_buf->data, (void*)(qd + 1), qd->length);
++ memcpy(s->init_buf->data, s->quic_buf->data + qd->start, qd->length);
+ s->init_buf->length = qd->length;
+ s->quic_input_data_head = qd->next;
+ if (s->quic_input_data_head == NULL)
+@@ -62,6 +62,13 @@ int quic_get_message(SSL *s, int *mt, size_t *len)
+ *len = 0;
+ return 0;
+ }
++ /* No KeyUpdate in QUIC */
++ if (*mt == SSL3_MT_KEY_UPDATE) {
++ SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
++ *len = 0;
++ return 0;
++ }
++
+
+ /*
+ * If receiving Finished, record MAC of prior handshake messages for
+--
+2.42.0
+
diff --git a/0025-QUIC-Enforce-consistent-encryption-level-for-handsha.patch b/0025-QUIC-Enforce-consistent-encryption-level-for-handsha.patch
new file mode 100644
index 0000000..473af22
--- /dev/null
+++ b/0025-QUIC-Enforce-consistent-encryption-level-for-handsha.patch
@@ -0,0 +1,58 @@
+From 0533f66777e89e43091d03806c0bc3380f29ce11 Mon Sep 17 00:00:00 2001
+From: Benjamin Kaduk <bkaduk@akamai.com>
+Date: Tue, 1 Sep 2020 15:10:41 -0700
+Subject: [PATCH 25/63] QUIC: Enforce consistent encryption level for handshake
+ messages
+
+The QUIC-TLS spec requires that TLS handshake messages do not cross
+encryption level boundaries, but we were not previously enforcing this.
+---
+ ssl/ssl_local.h | 1 +
+ ssl/ssl_quic.c | 12 +++++++++++-
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
+index 44395fb365..d99b751bfc 100644
+--- a/ssl/ssl_local.h
++++ b/ssl/ssl_local.h
+@@ -1720,6 +1720,7 @@ struct ssl_st {
+ #ifndef OPENSSL_NO_QUIC
+ OSSL_ENCRYPTION_LEVEL quic_read_level;
+ OSSL_ENCRYPTION_LEVEL quic_write_level;
++ OSSL_ENCRYPTION_LEVEL quic_latest_level_received;
+ BUF_MEM *quic_buf; /* buffer incoming handshake messages */
+ QUIC_DATA *quic_input_data_head;
+ QUIC_DATA *quic_input_data_tail;
+diff --git a/ssl/ssl_quic.c b/ssl/ssl_quic.c
+index e396720551..136d2b8460 100644
+--- a/ssl/ssl_quic.c
++++ b/ssl/ssl_quic.c
+@@ -100,7 +100,8 @@ int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+
+ /* Level can be different than the current read, but not less */
+ if (level < ssl->quic_read_level
+- || (ssl->quic_input_data_tail != NULL && level < ssl->quic_input_data_tail->level)) {
++ || (ssl->quic_input_data_tail != NULL && level < ssl->quic_input_data_tail->level)
++ || level < ssl->quic_latest_level_received) {
+ SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED);
+ return 0;
+ }
+@@ -122,6 +123,15 @@ int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+ buf = NULL;
+ }
+
++ /* A TLS message must not cross an encryption level boundary */
++ if (ssl->quic_buf->length != ssl->quic_next_record_start
++ && level != ssl->quic_latest_level_received) {
++ SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA,
++ SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED);
++ return 0;
++ }
++ ssl->quic_latest_level_received = level;
++
+ offset = ssl->quic_buf->length;
+ if (!BUF_MEM_grow(ssl->quic_buf, offset + len)) {
+ SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, ERR_R_INTERNAL_ERROR);
+--
+2.42.0
+
diff --git a/0026-QUIC-add-v1-quic_transport_parameters.patch b/0026-QUIC-add-v1-quic_transport_parameters.patch
new file mode 100644
index 0000000..f3479df
--- /dev/null
+++ b/0026-QUIC-add-v1-quic_transport_parameters.patch
@@ -0,0 +1,669 @@
+From cfef4abc6486d982da98f5de80ea1547bea1b59d Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Sat, 12 Dec 2020 17:27:46 +0900
+Subject: [PATCH 26/63] QUIC: add v1 quic_transport_parameters
+
+---
+ crypto/err/openssl.txt | 2 +
+ doc/man3/SSL_CTX_set_quic_method.pod | 25 +++++-
+ include/openssl/ssl.h.in | 13 ++++
+ include/openssl/sslerr.h | 1 +
+ include/openssl/tls1.h | 3 +-
+ ssl/ssl_err.c | 2 +
+ ssl/ssl_lib.c | 1 +
+ ssl/ssl_local.h | 11 +++
+ ssl/ssl_quic.c | 41 +++++++++-
+ ssl/statem/extensions.c | 39 ++++++++++
+ ssl/statem/extensions_clnt.c | 44 ++++++++++-
+ ssl/statem/extensions_srvr.c | 46 ++++++++++-
+ ssl/statem/statem_local.h | 17 +++++
+ test/sslapitest.c | 110 +++++++++++++++++++++------
+ util/libssl.num | 4 +
+ 15 files changed, 322 insertions(+), 37 deletions(-)
+
+diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
+index b2f90a413a..0394c10077 100644
+--- a/crypto/err/openssl.txt
++++ b/crypto/err/openssl.txt
+@@ -1400,6 +1400,8 @@ SSL_R_MISSING_ECDSA_SIGNING_CERT:381:missing ecdsa signing cert
+ SSL_R_MISSING_FATAL:256:missing fatal
+ SSL_R_MISSING_PARAMETERS:290:missing parameters
+ SSL_R_MISSING_PSK_KEX_MODES_EXTENSION:310:missing psk kex modes extension
++SSL_R_MISSING_QUIC_TRANSPORT_PARAMETERS_EXTENSION:801:\
++ missing quic transport parameters extension
+ SSL_R_MISSING_RSA_CERTIFICATE:168:missing rsa certificate
+ SSL_R_MISSING_RSA_ENCRYPTING_CERT:169:missing rsa encrypting cert
+ SSL_R_MISSING_RSA_SIGNING_CERT:170:missing rsa signing cert
+diff --git a/doc/man3/SSL_CTX_set_quic_method.pod b/doc/man3/SSL_CTX_set_quic_method.pod
+index 3d7bf7e682..39ff3a8da4 100644
+--- a/doc/man3/SSL_CTX_set_quic_method.pod
++++ b/doc/man3/SSL_CTX_set_quic_method.pod
+@@ -13,7 +13,11 @@ SSL_quic_read_level,
+ SSL_quic_write_level,
+ SSL_provide_quic_data,
+ SSL_process_quic_post_handshake,
+-SSL_is_quic
++SSL_is_quic,
++SSL_get_peer_quic_transport_version,
++SSL_get_quic_transport_version,
++SSL_set_quic_transport_version,
++SSL_set_quic_use_legacy_codepoint
+ - QUIC support
+
+ =head1 SYNOPSIS
+@@ -39,6 +43,11 @@ SSL_is_quic
+ int SSL_process_quic_post_handshake(SSL *ssl);
+ int SSL_is_quic(SSL *ssl);
+
++ void SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy);
++ void SSL_set_quic_transport_version(SSL *ssl, int version);
++ int SSL_get_quic_transport_version(const SSL *ssl);
++ int SSL_get_peer_quic_transport_version(const SSL *ssl);
++
+ =head1 DESCRIPTION
+
+ SSL_CTX_set_quic_method() and SSL_set_quic_method() configures the QUIC methods.
+@@ -83,6 +92,20 @@ sent by the server.
+ SSL_is_quic() indicates whether a connection uses QUIC. A given B<SSL>
+ or B<SSL_CTX> can only be used with QUIC or TLS, but not both.
+
++SSL_set_quic_use_legacy_codepoint() specifies the legacy extension codepoint
++in manner compatible with some versions of BoringSSL.
++
++SSL_set_quic_transport_version() specifies the quic transport version that
++allows for backwards and forwards compatibility. If set to 0 (default) the
++server will use the highest version the client sent. If set to 0 (default)
++the client will send both extensions.
++
++SSL_get_quic_transport_version() returns the value set by
++SSL_set_quic_transport_version().
++
++SSL_get_peer_quic_transport_version() returns the version the that was
++negotiated.
++
+ =head1 NOTES
+
+ These APIs are implementations of BoringSSL's QUIC APIs.
+diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
+index 6b5fbfbf02..e221ebbb41 100644
+--- a/include/openssl/ssl.h.in
++++ b/include/openssl/ssl.h.in
+@@ -2565,6 +2565,19 @@ __owur int SSL_process_quic_post_handshake(SSL *ssl);
+
+ __owur int SSL_is_quic(SSL *ssl);
+
++/* BoringSSL API */
++__owur void SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy);
++
++/*
++ * Set an explicit value that you want to use
++ * If 0 (default) the server will use the highest extenstion the client sent
++ * If 0 (default) the client will send both extensions
++ */
++void SSL_set_quic_transport_version(SSL *ssl, int version);
++__owur int SSL_get_quic_transport_version(const SSL *ssl);
++/* Returns the negotiated version, or -1 on error */
++__owur int SSL_get_peer_quic_transport_version(const SSL *ssl);
++
+ int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *c);
+
+ # endif
+diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
+index d60c892037..058ef308d8 100644
+--- a/include/openssl/sslerr.h
++++ b/include/openssl/sslerr.h
+@@ -162,6 +162,7 @@
+ # define SSL_R_MISSING_FATAL 256
+ # define SSL_R_MISSING_PARAMETERS 290
+ # define SSL_R_MISSING_PSK_KEX_MODES_EXTENSION 310
++# define SSL_R_MISSING_QUIC_TRANSPORT_PARAMETERS_EXTENSION 801
+ # define SSL_R_MISSING_RSA_CERTIFICATE 168
+ # define SSL_R_MISSING_RSA_ENCRYPTING_CERT 169
+ # define SSL_R_MISSING_RSA_SIGNING_CERT 170
+diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
+index 062e47c18a..54b6621aa3 100644
+--- a/include/openssl/tls1.h
++++ b/include/openssl/tls1.h
+@@ -152,7 +152,8 @@ extern "C" {
+ # define TLSEXT_TYPE_renegotiate 0xff01
+
+ /* ExtensionType value from draft-ietf-quic-tls-27 */
+-# define TLSEXT_TYPE_quic_transport_parameters 0xffa5
++# define TLSEXT_TYPE_quic_transport_parameters_draft 0xffa5
++# define TLSEXT_TYPE_quic_transport_parameters 0x0039
+
+ # ifndef OPENSSL_NO_NEXTPROTONEG
+ /* This is not an IANA defined extension number */
+diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
+index 0c4d1c1332..ca981ac62b 100644
+--- a/ssl/ssl_err.c
++++ b/ssl/ssl_err.c
+@@ -242,6 +242,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_PARAMETERS), "missing parameters"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_PSK_KEX_MODES_EXTENSION),
+ "missing psk kex modes extension"},
++ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_QUIC_TRANSPORT_PARAMETERS_EXTENSION),
++ "missing quic transport parameters extension"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_RSA_CERTIFICATE),
+ "missing rsa certificate"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_RSA_ENCRYPTING_CERT),
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index a78ebd55af..1aaef74ef0 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -1247,6 +1247,7 @@ void SSL_free(SSL *s)
+
+ #ifndef OPENSSL_NO_QUIC
+ OPENSSL_free(s->ext.quic_transport_params);
++ OPENSSL_free(s->ext.peer_quic_transport_params_draft);
+ OPENSSL_free(s->ext.peer_quic_transport_params);
+ BUF_MEM_free(s->quic_buf);
+ while (s->quic_input_data_head != NULL) {
+diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
+index d99b751bfc..9bbc528dd9 100644
+--- a/ssl/ssl_local.h
++++ b/ssl/ssl_local.h
+@@ -773,6 +773,7 @@ typedef enum tlsext_index_en {
+ TLSEXT_IDX_cryptopro_bug,
+ TLSEXT_IDX_early_data,
+ TLSEXT_IDX_certificate_authorities,
++ TLSEXT_IDX_quic_transport_params_draft,
+ TLSEXT_IDX_quic_transport_params,
+ TLSEXT_IDX_padding,
+ TLSEXT_IDX_psk,
+@@ -1712,6 +1713,8 @@ struct ssl_st {
+ #ifndef OPENSSL_NO_QUIC
+ uint8_t *quic_transport_params;
+ size_t quic_transport_params_len;
++ uint8_t *peer_quic_transport_params_draft;
++ size_t peer_quic_transport_params_draft_len;
+ uint8_t *peer_quic_transport_params;
+ size_t peer_quic_transport_params_len;
+ #endif
+@@ -1722,6 +1725,14 @@ struct ssl_st {
+ OSSL_ENCRYPTION_LEVEL quic_write_level;
+ OSSL_ENCRYPTION_LEVEL quic_latest_level_received;
+ BUF_MEM *quic_buf; /* buffer incoming handshake messages */
++ /*
++ * defaults to 0, but can be set to:
++ * - TLSEXT_TYPE_quic_transport_parameters_draft
++ * - TLSEXT_TYPE_quic_transport_parameters
++ * Client: if 0, send both
++ * Server: if 0, use same version as client sent
++ */
++ int quic_transport_version;
+ QUIC_DATA *quic_input_data_head;
+ QUIC_DATA *quic_input_data_tail;
+ size_t quic_next_record_start;
+diff --git a/ssl/ssl_quic.c b/ssl/ssl_quic.c
+index 136d2b8460..971af0f4c5 100644
+--- a/ssl/ssl_quic.c
++++ b/ssl/ssl_quic.c
+@@ -35,8 +35,45 @@ void SSL_get_peer_quic_transport_params(const SSL *ssl,
+ const uint8_t **out_params,
+ size_t *out_params_len)
+ {
+- *out_params = ssl->ext.peer_quic_transport_params;
+- *out_params_len = ssl->ext.peer_quic_transport_params_len;
++ if (ssl->ext.peer_quic_transport_params_len) {
++ *out_params = ssl->ext.peer_quic_transport_params;
++ *out_params_len = ssl->ext.peer_quic_transport_params_len;
++ } else {
++ *out_params = ssl->ext.peer_quic_transport_params_draft;
++ *out_params_len = ssl->ext.peer_quic_transport_params_draft_len;
++ }
++}
++
++/* Returns the negotiated version, or -1 on error */
++int SSL_get_peer_quic_transport_version(const SSL *ssl)
++{
++ if (ssl->ext.peer_quic_transport_params_len != 0
++ && ssl->ext.peer_quic_transport_params_draft_len != 0)
++ return -1;
++ if (ssl->ext.peer_quic_transport_params_len != 0)
++ return TLSEXT_TYPE_quic_transport_parameters;
++ if (ssl->ext.peer_quic_transport_params_draft_len != 0)
++ return TLSEXT_TYPE_quic_transport_parameters_draft;
++
++ return -1;
++}
++
++void SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy)
++{
++ if (use_legacy)
++ ssl->quic_transport_version = TLSEXT_TYPE_quic_transport_parameters_draft;
++ else
++ ssl->quic_transport_version = TLSEXT_TYPE_quic_transport_parameters;
++}
++
++void SSL_set_quic_transport_version(SSL *ssl, int version)
++{
++ ssl->quic_transport_version = version;
++}
++
++int SSL_get_quic_transport_version(const SSL *ssl)
++{
++ return ssl->quic_transport_version;
+ }
+
+ size_t SSL_quic_max_handshake_flight_len(const SSL *ssl, OSSL_ENCRYPTION_LEVEL level)
+diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
+index 548772be6d..34ba69e85e 100644
+--- a/ssl/statem/extensions.c
++++ b/ssl/statem/extensions.c
+@@ -60,6 +60,7 @@ static int init_post_handshake_auth(SSL *s, unsigned int context);
+ static int final_psk(SSL *s, unsigned int context, int sent);
+ #ifndef OPENSSL_NO_QUIC
+ static int init_quic_transport_params(SSL *s, unsigned int context);
++static int final_quic_transport_params_draft(SSL *s, unsigned int context, int sent);
+ static int final_quic_transport_params(SSL *s, unsigned int context, int sent);
+ #endif
+
+@@ -374,6 +375,15 @@ static const EXTENSION_DEFINITION ext_defs[] = {
+ tls_construct_certificate_authorities, NULL,
+ },
+ #ifndef OPENSSL_NO_QUIC
++ {
++ TLSEXT_TYPE_quic_transport_parameters_draft,
++ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
++ | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
++ init_quic_transport_params,
++ tls_parse_ctos_quic_transport_params_draft, tls_parse_stoc_quic_transport_params_draft,
++ tls_construct_stoc_quic_transport_params_draft, tls_construct_ctos_quic_transport_params_draft,
++ final_quic_transport_params_draft,
++ },
+ {
+ TLSEXT_TYPE_quic_transport_parameters,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
+@@ -1748,8 +1758,37 @@ static int init_quic_transport_params(SSL *s, unsigned int context)
+ return 1;
+ }
+
++static int final_quic_transport_params_draft(SSL *s, unsigned int context,
++ int sent)
++{
++ return 1;
++}
++
+ static int final_quic_transport_params(SSL *s, unsigned int context, int sent)
+ {
++ /* called after final_quic_transport_params_draft */
++ if (SSL_IS_QUIC(s)) {
++ if (s->ext.peer_quic_transport_params_len == 0
++ && s->ext.peer_quic_transport_params_draft_len == 0) {
++ SSLfatal(s, SSL_AD_MISSING_EXTENSION,
++ SSL_R_MISSING_QUIC_TRANSPORT_PARAMETERS_EXTENSION);
++ return 0;
++ }
++ /* if we got both, discard the one we can't use */
++ if (s->ext.peer_quic_transport_params_len != 0
++ && s->ext.peer_quic_transport_params_draft_len != 0) {
++ if (s->quic_transport_version == TLSEXT_TYPE_quic_transport_parameters_draft) {
++ OPENSSL_free(s->ext.peer_quic_transport_params);
++ s->ext.peer_quic_transport_params = NULL;
++ s->ext.peer_quic_transport_params_len = 0;
++ } else {
++ OPENSSL_free(s->ext.peer_quic_transport_params_draft);
++ s->ext.peer_quic_transport_params_draft = NULL;
++ s->ext.peer_quic_transport_params_draft_len = 0;
++ }
++ }
++ }
++
+ return 1;
+ }
+ #endif
+diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
+index 06ccd855a0..6da3cc560f 100644
+--- a/ssl/statem/extensions_clnt.c
++++ b/ssl/statem/extensions_clnt.c
+@@ -1197,13 +1197,33 @@ EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL *s, WPACKET *pkt,
+ }
+
+ #ifndef OPENSSL_NO_QUIC
+-/* SAME AS tls_construct_stoc_quic_transport_params() */
++EXT_RETURN tls_construct_ctos_quic_transport_params_draft(SSL *s, WPACKET *pkt,
++ unsigned int context, X509 *x,
++ size_t chainidx)
++{
++ if (s->quic_transport_version == TLSEXT_TYPE_quic_transport_parameters
++ || s->ext.quic_transport_params == NULL
++ || s->ext.quic_transport_params_len == 0) {
++ return EXT_RETURN_NOT_SENT;
++ }
++
++ if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_quic_transport_parameters_draft)
++ || !WPACKET_sub_memcpy_u16(pkt, s->ext.quic_transport_params,
++ s->ext.quic_transport_params_len)) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++ return EXT_RETURN_FAIL;
++ }
++
++ return EXT_RETURN_SENT;
++}
++
+ EXT_RETURN tls_construct_ctos_quic_transport_params(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+ {
+- if (s->ext.quic_transport_params == NULL
+- || s->ext.quic_transport_params_len == 0) {
++ if (s->quic_transport_version == TLSEXT_TYPE_quic_transport_parameters_draft
++ || s->ext.quic_transport_params == NULL
++ || s->ext.quic_transport_params_len == 0) {
+ return EXT_RETURN_NOT_SENT;
+ }
+
+@@ -2013,7 +2033,23 @@ int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ return 1;
+ }
+ #ifndef OPENSSL_NO_QUIC
+-/* SAME AS tls_parse_ctos_quic_transport_params() */
++int tls_parse_stoc_quic_transport_params_draft(SSL *s, PACKET *pkt,
++ unsigned int context, X509 *x,
++ size_t chainidx)
++{
++ OPENSSL_free(s->ext.peer_quic_transport_params_draft);
++ s->ext.peer_quic_transport_params_draft = NULL;
++ s->ext.peer_quic_transport_params_draft_len = 0;
++
++ if (!PACKET_memdup(pkt,
++ &s->ext.peer_quic_transport_params_draft,
++ &s->ext.peer_quic_transport_params_draft_len)) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++ return 1;
++}
++
+ int tls_parse_stoc_quic_transport_params(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+ {
+diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
+index e3277f685f..bfab225651 100644
+--- a/ssl/statem/extensions_srvr.c
++++ b/ssl/statem/extensions_srvr.c
+@@ -1233,7 +1233,22 @@ int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt,
+ }
+
+ #ifndef OPENSSL_NO_QUIC
+-/* SAME AS tls_parse_stoc_quic_transport_params() */
++int tls_parse_ctos_quic_transport_params_draft(SSL *s, PACKET *pkt, unsigned int context,
++ X509 *x, size_t chainidx)
++{
++ OPENSSL_free(s->ext.peer_quic_transport_params_draft);
++ s->ext.peer_quic_transport_params_draft = NULL;
++ s->ext.peer_quic_transport_params_draft_len = 0;
++
++ if (!PACKET_memdup(pkt,
++ &s->ext.peer_quic_transport_params_draft,
++ &s->ext.peer_quic_transport_params_draft_len)) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++ return 1;
++}
++
+ int tls_parse_ctos_quic_transport_params(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+ {
+@@ -1943,13 +1958,36 @@ EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
+ }
+
+ #ifndef OPENSSL_NO_QUIC
+-/* SAME AS tls_construct_ctos_quic_transport_params() */
++EXT_RETURN tls_construct_stoc_quic_transport_params_draft(SSL *s, WPACKET *pkt,
++ unsigned int context,
++ X509 *x,
++ size_t chainidx)
++{
++ if (s->quic_transport_version == TLSEXT_TYPE_quic_transport_parameters
++ || s->ext.peer_quic_transport_params_draft_len == 0
++ || s->ext.quic_transport_params == NULL
++ || s->ext.quic_transport_params_len == 0) {
++ return EXT_RETURN_NOT_SENT;
++ }
++
++ if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_quic_transport_parameters_draft)
++ || !WPACKET_sub_memcpy_u16(pkt, s->ext.quic_transport_params,
++ s->ext.quic_transport_params_len)) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++ return EXT_RETURN_FAIL;
++ }
++
++ return EXT_RETURN_SENT;
++}
++
+ EXT_RETURN tls_construct_stoc_quic_transport_params(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+ {
+- if (s->ext.quic_transport_params == NULL
+- || s->ext.quic_transport_params_len == 0) {
++ if (s->quic_transport_version == TLSEXT_TYPE_quic_transport_parameters_draft
++ || s->ext.peer_quic_transport_params_len == 0
++ || s->ext.quic_transport_params == NULL
++ || s->ext.quic_transport_params_len == 0) {
+ return EXT_RETURN_NOT_SENT;
+ }
+
+diff --git a/ssl/statem/statem_local.h b/ssl/statem/statem_local.h
+index 6d5820e2cf..0065db1744 100644
+--- a/ssl/statem/statem_local.h
++++ b/ssl/statem/statem_local.h
+@@ -255,6 +255,10 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ int tls_parse_ctos_post_handshake_auth(SSL *, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx);
+ #ifndef OPENSSL_NO_QUIC
++int tls_parse_ctos_quic_transport_params_draft(SSL *s, PACKET *pkt,
++ unsigned int context, X509 *x,
++ size_t chainidx);
++
+ int tls_parse_ctos_quic_transport_params(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx);
+ #endif
+@@ -319,6 +323,11 @@ EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
+ EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx);
+ #ifndef OPENSSL_NO_QUIC
++EXT_RETURN tls_construct_stoc_quic_transport_params_draft(SSL *s, WPACKET *pkt,
++ unsigned int context,
++ X509 *x,
++ size_t chainidx);
++
+ EXT_RETURN tls_construct_stoc_quic_transport_params(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx);
+@@ -393,6 +402,10 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
+ EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL *s, WPACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx);
+ #ifndef OPENSSL_NO_QUIC
++EXT_RETURN tls_construct_ctos_quic_transport_params_draft(SSL *s, WPACKET *pkt,
++ unsigned int context, X509 *x,
++ size_t chainidx);
++
+ EXT_RETURN tls_construct_ctos_quic_transport_params(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx);
+@@ -441,6 +454,10 @@ int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx);
+ #ifndef OPENSSL_NO_QUIC
++int tls_parse_stoc_quic_transport_params_draft(SSL *s, PACKET *pkt,
++ unsigned int context, X509 *x,
++ size_t chainidx);
++
+ int tls_parse_stoc_quic_transport_params(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx);
+ #endif
+diff --git a/test/sslapitest.c b/test/sslapitest.c
+index bc908dd382..bede6e839b 100644
+--- a/test/sslapitest.c
++++ b/test/sslapitest.c
+@@ -10182,7 +10182,13 @@ static SSL_QUIC_METHOD quic_method = {
+ test_quic_send_alert,
+ };
+
+-static int test_quic_api(void)
++static int test_quic_api_set_versions(SSL *ssl, int ver)
++{
++ SSL_set_quic_transport_version(ssl, ver);
++ return 1;
++}
++
++static int test_quic_api_version(int clnt, int srvr)
+ {
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+@@ -10193,29 +10199,7 @@ static int test_quic_api(void)
+ const uint8_t *peer_str;
+ size_t peer_str_len;
+
+- /* Clean up logging space */
+- memset(client_log_buffer, 0, sizeof(client_log_buffer));
+- memset(server_log_buffer, 0, sizeof(server_log_buffer));
+- client_log_buffer_index = 0;
+- server_log_buffer_index = 0;
+- error_writing_log = 0;
+-
+-
+- if (!TEST_ptr(sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))
+- || !TEST_true(SSL_CTX_set_quic_method(sctx, &quic_method))
+- || !TEST_ptr(sctx->quic_method)
+- || !TEST_ptr(serverssl = SSL_new(sctx))
+- || !TEST_true(SSL_IS_QUIC(serverssl))
+- || !TEST_true(SSL_set_quic_method(serverssl, NULL))
+- || !TEST_false(SSL_IS_QUIC(serverssl))
+- || !TEST_true(SSL_set_quic_method(serverssl, &quic_method))
+- || !TEST_true(SSL_IS_QUIC(serverssl)))
+- goto end;
+-
+- SSL_CTX_free(sctx);
+- sctx = NULL;
+- SSL_free(serverssl);
+- serverssl = NULL;
++ TEST_info("original clnt=0x%X, srvr=0x%X\n", clnt, srvr);
+
+ if (!TEST_true(create_ssl_ctx_pair(libctx,
+ TLS_server_method(),
+@@ -10234,6 +10218,8 @@ static int test_quic_api(void)
+ sizeof(client_str)))
+ || !TEST_true(SSL_set_app_data(serverssl, clientssl))
+ || !TEST_true(SSL_set_app_data(clientssl, serverssl))
++ || !TEST_true(test_quic_api_set_versions(clientssl, clnt))
++ || !TEST_true(test_quic_api_set_versions(serverssl, srvr))
+ || !TEST_true(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE))
+ || !TEST_true(SSL_version(serverssl) == TLS1_3_VERSION)
+@@ -10267,6 +10253,19 @@ static int test_quic_api(void)
+ || !TEST_int_le(SSL_do_handshake(serverssl), 0))
+ goto end;
+
++ TEST_info("original clnt=0x%X, srvr=0x%X\n", clnt, srvr);
++ if (srvr == 0 && clnt == 0)
++ srvr = clnt = TLSEXT_TYPE_quic_transport_parameters;
++ else if (srvr == 0)
++ srvr = clnt;
++ else if (clnt == 0)
++ clnt = srvr;
++ TEST_info("expected clnt=0x%X, srvr=0x%X\n", clnt, srvr);
++ if (!TEST_int_eq(SSL_get_peer_quic_transport_version(serverssl), clnt))
++ goto end;
++ if (!TEST_int_eq(SSL_get_peer_quic_transport_version(clientssl), srvr))
++ goto end;
++
+ testresult = 1;
+
+ end:
+@@ -10277,6 +10276,67 @@ static int test_quic_api(void)
+
+ return testresult;
+ }
++
++static int test_quic_api(int tst)
++{
++ SSL_CTX *sctx = NULL;
++ SSL *serverssl = NULL;
++ int testresult = 0;
++ static int clnt_params[] = { 0,
++ TLSEXT_TYPE_quic_transport_parameters_draft,
++ TLSEXT_TYPE_quic_transport_parameters,
++ 0,
++ TLSEXT_TYPE_quic_transport_parameters_draft,
++ TLSEXT_TYPE_quic_transport_parameters,
++ 0,
++ TLSEXT_TYPE_quic_transport_parameters_draft,
++ TLSEXT_TYPE_quic_transport_parameters };
++ static int srvr_params[] = { 0,
++ 0,
++ 0,
++ TLSEXT_TYPE_quic_transport_parameters_draft,
++ TLSEXT_TYPE_quic_transport_parameters_draft,
++ TLSEXT_TYPE_quic_transport_parameters_draft,
++ TLSEXT_TYPE_quic_transport_parameters,
++ TLSEXT_TYPE_quic_transport_parameters,
++ TLSEXT_TYPE_quic_transport_parameters };
++ static int results[] = { 1, 1, 1, 1, 1, 0, 1, 0, 1 };
++
++ /* Failure cases:
++ * test 6/[5] clnt = parameters, srvr = draft
++ * test 8/[7] clnt = draft, srvr = parameters
++ */
++
++ /* Clean up logging space */
++ memset(client_log_buffer, 0, sizeof(client_log_buffer));
++ memset(server_log_buffer, 0, sizeof(server_log_buffer));
++ client_log_buffer_index = 0;
++ server_log_buffer_index = 0;
++ error_writing_log = 0;
++
++ if (!TEST_ptr(sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))
++ || !TEST_true(SSL_CTX_set_quic_method(sctx, &quic_method))
++ || !TEST_ptr(sctx->quic_method)
++ || !TEST_ptr(serverssl = SSL_new(sctx))
++ || !TEST_true(SSL_IS_QUIC(serverssl))
++ || !TEST_true(SSL_set_quic_method(serverssl, NULL))
++ || !TEST_false(SSL_IS_QUIC(serverssl))
++ || !TEST_true(SSL_set_quic_method(serverssl, &quic_method))
++ || !TEST_true(SSL_IS_QUIC(serverssl)))
++ goto end;
++
++ if (!TEST_int_eq(test_quic_api_version(clnt_params[tst], srvr_params[tst]), results[tst]))
++ goto end;
++
++ testresult = 1;
++
++end:
++ SSL_CTX_free(sctx);
++ sctx = NULL;
++ SSL_free(serverssl);
++ serverssl = NULL;
++ return testresult;
++}
+ #endif /* OPENSSL_NO_QUIC */
+
+ #ifndef OSSL_NO_USABLE_TLS1_3
+@@ -11054,7 +11114,7 @@ int setup_tests(void)
+ #endif
+ ADD_ALL_TESTS(test_handshake_retry, 16);
+ #ifndef OPENSSL_NO_QUIC
+- ADD_TEST(test_quic_api);
++ ADD_ALL_TESTS(test_quic_api, 9);
+ #endif
+ return 1;
+
+diff --git a/util/libssl.num b/util/libssl.num
+index da35cf2970..41ebba40b2 100644
+--- a/util/libssl.num
++++ b/util/libssl.num
+@@ -531,3 +531,7 @@ SSL_set_quic_method 20007 3_0_0 EXIST::FUNCTION:QUIC
+ SSL_quic_max_handshake_flight_len 20008 3_0_0 EXIST::FUNCTION:QUIC
+ SSL_process_quic_post_handshake 20009 3_0_0 EXIST::FUNCTION:QUIC
+ SSL_provide_quic_data 20010 3_0_0 EXIST::FUNCTION:QUIC
++SSL_set_quic_use_legacy_codepoint 20011 3_0_0 EXIST::FUNCTION:QUIC
++SSL_set_quic_transport_version 20012 3_0_0 EXIST::FUNCTION:QUIC
++SSL_get_peer_quic_transport_version 20013 3_0_0 EXIST::FUNCTION:QUIC
++SSL_get_quic_transport_version 20014 3_0_0 EXIST::FUNCTION:QUIC
+--
+2.42.0
+
diff --git a/0027-QUIC-return-success-when-no-post-handshake-data.patch b/0027-QUIC-return-success-when-no-post-handshake-data.patch
new file mode 100644
index 0000000..cf8278b
--- /dev/null
+++ b/0027-QUIC-return-success-when-no-post-handshake-data.patch
@@ -0,0 +1,27 @@
+From 3ff0ba16566c029c1f5cf4d6bf5584e95b0661bb Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Tue, 5 Jan 2021 13:50:21 -0500
+Subject: [PATCH 27/63] QUIC: return success when no post-handshake data
+
+---
+ ssl/ssl_quic.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/ssl/ssl_quic.c b/ssl/ssl_quic.c
+index 971af0f4c5..477a386da3 100644
+--- a/ssl/ssl_quic.c
++++ b/ssl/ssl_quic.c
+@@ -309,6 +309,10 @@ int SSL_process_quic_post_handshake(SSL *ssl)
+ return 0;
+ }
+
++ /* if there is no data, return success as BoringSSL */
++ if (ssl->quic_input_data_head == NULL)
++ return 1;
++
+ /*
+ * This is always safe (we are sure to be at a record boundary) because
+ * SSL_read()/SSL_write() are never used for QUIC connections -- the
+--
+2.42.0
+
diff --git a/0028-QUIC-__owur-makes-no-sense-for-void-return-values.patch b/0028-QUIC-__owur-makes-no-sense-for-void-return-values.patch
new file mode 100644
index 0000000..6626dc0
--- /dev/null
+++ b/0028-QUIC-__owur-makes-no-sense-for-void-return-values.patch
@@ -0,0 +1,25 @@
+From 9956f99908da7a53e4be8fbeb6cdc539546b0549 Mon Sep 17 00:00:00 2001
+From: Benjamin Kaduk <bkaduk@akamai.com>
+Date: Fri, 15 Jan 2021 15:04:00 -0800
+Subject: [PATCH 28/63] QUIC: __owur makes no sense for void return values
+
+---
+ include/openssl/ssl.h.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
+index e221ebbb41..289f55feb1 100644
+--- a/include/openssl/ssl.h.in
++++ b/include/openssl/ssl.h.in
+@@ -2566,7 +2566,7 @@ __owur int SSL_process_quic_post_handshake(SSL *ssl);
+ __owur int SSL_is_quic(SSL *ssl);
+
+ /* BoringSSL API */
+-__owur void SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy);
++void SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy);
+
+ /*
+ * Set an explicit value that you want to use
+--
+2.42.0
+
diff --git a/0029-QUIC-remove-SSL_R_BAD_DATA_LENGTH-unused.patch b/0029-QUIC-remove-SSL_R_BAD_DATA_LENGTH-unused.patch
new file mode 100644
index 0000000..5e189fc
--- /dev/null
+++ b/0029-QUIC-remove-SSL_R_BAD_DATA_LENGTH-unused.patch
@@ -0,0 +1,50 @@
+From 43a80891c0e95614481d6f25e21922813d76f0b7 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Fri, 19 Feb 2021 10:12:15 -0500
+Subject: [PATCH 29/63] QUIC: remove SSL_R_BAD_DATA_LENGTH (unused)
+
+---
+ crypto/err/openssl.txt | 1 -
+ include/openssl/sslerr.h | 1 -
+ ssl/ssl_err.c | 1 -
+ 3 files changed, 3 deletions(-)
+
+diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
+index 0394c10077..3ad6ccf87c 100644
+--- a/crypto/err/openssl.txt
++++ b/crypto/err/openssl.txt
+@@ -1262,7 +1262,6 @@ SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE:158:\
+ SSL_R_BAD_CHANGE_CIPHER_SPEC:103:bad change cipher spec
+ SSL_R_BAD_CIPHER:186:bad cipher
+ SSL_R_BAD_DATA:390:bad data
+-SSL_R_BAD_DATA_LENGTH:802:bad data length
+ SSL_R_BAD_DATA_RETURNED_BY_CALLBACK:106:bad data returned by callback
+ SSL_R_BAD_DECOMPRESSION:107:bad decompression
+ SSL_R_BAD_DH_VALUE:102:bad dh value
+diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
+index 058ef308d8..2281d68bb3 100644
+--- a/include/openssl/sslerr.h
++++ b/include/openssl/sslerr.h
+@@ -28,7 +28,6 @@
+ # define SSL_R_BAD_CHANGE_CIPHER_SPEC 103
+ # define SSL_R_BAD_CIPHER 186
+ # define SSL_R_BAD_DATA 390
+-# define SSL_R_BAD_DATA_LENGTH 802
+ # define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 106
+ # define SSL_R_BAD_DECOMPRESSION 107
+ # define SSL_R_BAD_DH_VALUE 102
+diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
+index ca981ac62b..4635c82fd1 100644
+--- a/ssl/ssl_err.c
++++ b/ssl/ssl_err.c
+@@ -27,7 +27,6 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
+ "bad change cipher spec"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_CIPHER), "bad cipher"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DATA), "bad data"},
+- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DATA_LENGTH), "bad data length"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK),
+ "bad data returned by callback"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DECOMPRESSION), "bad decompression"},
+--
+2.42.0
+
diff --git a/0030-QUIC-Update-shared-library-version.patch b/0030-QUIC-Update-shared-library-version.patch
new file mode 100644
index 0000000..ff9e1f0
--- /dev/null
+++ b/0030-QUIC-Update-shared-library-version.patch
@@ -0,0 +1,11 @@
+diff -up openssl-3.1.3/VERSION.dat.31~ openssl-3.1.3/VERSION.dat
+--- openssl-3.1.3/VERSION.dat.31~ 2023-09-21 16:47:49.935369218 +0200
++++ openssl-3.1.3/VERSION.dat 2023-09-21 16:48:44.834220109 +0200
+@@ -2,6 +2,6 @@ MAJOR=3
+ MINOR=1
+ PATCH=5
+ PRE_RELEASE_TAG=
+-BUILD_METADATA=
++BUILD_METADATA=quic
+ RELEASE_DATE="30 Jan 2024"
+ SHLIB_VERSION=3
diff --git a/0032-QUIC-Fix-3.0.0-GitHub-CI.patch b/0032-QUIC-Fix-3.0.0-GitHub-CI.patch
new file mode 100644
index 0000000..413b5e7
--- /dev/null
+++ b/0032-QUIC-Fix-3.0.0-GitHub-CI.patch
@@ -0,0 +1,42 @@
+From 10be9c95b8b73238c736879371103d3fbd9be365 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Wed, 3 Mar 2021 17:32:31 -0500
+Subject: [PATCH 32/63] QUIC: Fix 3.0.0 GitHub CI
+
+---
+ test/sslapitest.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/test/sslapitest.c b/test/sslapitest.c
+index bede6e839b..f65878212c 100644
+--- a/test/sslapitest.c
++++ b/test/sslapitest.c
+@@ -10212,10 +10212,10 @@ static int test_quic_api_version(int clnt, int srvr)
+ &clientssl, NULL, NULL))
+ || !TEST_true(SSL_set_quic_transport_params(serverssl,
+ (unsigned char*)server_str,
+- sizeof(server_str)))
++ strlen(server_str)+1))
+ || !TEST_true(SSL_set_quic_transport_params(clientssl,
+ (unsigned char*)client_str,
+- sizeof(client_str)))
++ strlen(client_str)+1))
+ || !TEST_true(SSL_set_app_data(serverssl, clientssl))
+ || !TEST_true(SSL_set_app_data(clientssl, serverssl))
+ || !TEST_true(test_quic_api_set_versions(clientssl, clnt))
+@@ -10231,10 +10231,10 @@ static int test_quic_api_version(int clnt, int srvr)
+ goto end;
+
+ SSL_get_peer_quic_transport_params(serverssl, &peer_str, &peer_str_len);
+- if (!TEST_mem_eq(peer_str, peer_str_len, client_str, sizeof(client_str)))
++ if (!TEST_mem_eq(peer_str, peer_str_len, client_str, strlen(client_str)+1))
+ goto end;
+ SSL_get_peer_quic_transport_params(clientssl, &peer_str, &peer_str_len);
+- if (!TEST_mem_eq(peer_str, peer_str_len, server_str, sizeof(server_str)))
++ if (!TEST_mem_eq(peer_str, peer_str_len, server_str, strlen(server_str)+1))
+ goto end;
+
+ /* Deal with two NewSessionTickets */
+--
+2.42.0
+
diff --git a/0033-QUIC-SSLerr-ERR_raise-ERR_LIB_SSL.patch b/0033-QUIC-SSLerr-ERR_raise-ERR_LIB_SSL.patch
new file mode 100644
index 0000000..93c1e68
--- /dev/null
+++ b/0033-QUIC-SSLerr-ERR_raise-ERR_LIB_SSL.patch
@@ -0,0 +1,165 @@
+From c94831f012a90483021a5c6bd8ab58797104b467 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Wed, 3 Mar 2021 17:43:46 -0500
+Subject: [PATCH 33/63] QUIC: SSLerr() -> ERR_raise(ERR_LIB_SSL)
+
+---
+ ssl/s3_msg.c | 2 +-
+ ssl/ssl_lib.c | 6 +++---
+ ssl/ssl_quic.c | 17 ++++++++---------
+ ssl/statem/statem.c | 2 +-
+ ssl/statem/statem_lib.c | 4 ++--
+ 5 files changed, 15 insertions(+), 16 deletions(-)
+
+diff --git a/ssl/s3_msg.c b/ssl/s3_msg.c
+index 667c5385e8..dd2fe040e0 100644
+--- a/ssl/s3_msg.c
++++ b/ssl/s3_msg.c
+@@ -85,7 +85,7 @@ int ssl3_dispatch_alert(SSL *s)
+ if (SSL_IS_QUIC(s)) {
+ if (!s->quic_method->send_alert(s, s->quic_write_level,
+ s->s3.send_alert[1])) {
+- SSLerr(SSL_F_SSL3_DISPATCH_ALERT, ERR_R_INTERNAL_ERROR);
++ ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ i = 1;
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 1aaef74ef0..517104a4df 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -1854,7 +1854,7 @@ int ssl_read_internal(SSL *s, void *buf, size_t num, size_t *readbytes)
+ {
+ #ifndef OPENSSL_NO_QUIC
+ if (SSL_IS_QUIC(s)) {
+- SSLerr(SSL_F_SSL_READ_INTERNAL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
++ ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return -1;
+ }
+ #endif
+@@ -1991,7 +1991,7 @@ static int ssl_peek_internal(SSL *s, void *buf, size_t num, size_t *readbytes)
+ {
+ #ifndef OPENSSL_NO_QUIC
+ if (SSL_IS_QUIC(s)) {
+- SSLerr(SSL_F_SSL_PEEK_INTERNAL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
++ ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return -1;
+ }
+ #endif
+@@ -2057,7 +2057,7 @@ int ssl_write_internal(SSL *s, const void *buf, size_t num, size_t *written)
+ {
+ #ifndef OPENSSL_NO_QUIC
+ if (SSL_IS_QUIC(s)) {
+- SSLerr(SSL_F_SSL_WRITE_INTERNAL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
++ ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return -1;
+ }
+ #endif
+diff --git a/ssl/ssl_quic.c b/ssl/ssl_quic.c
+index 477a386da3..d50b1247a6 100644
+--- a/ssl/ssl_quic.c
++++ b/ssl/ssl_quic.c
+@@ -131,7 +131,7 @@ int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+ size_t l, offset;
+
+ if (!SSL_IS_QUIC(ssl)) {
+- SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
++ ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return 0;
+ }
+
+@@ -139,18 +139,18 @@ int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+ if (level < ssl->quic_read_level
+ || (ssl->quic_input_data_tail != NULL && level < ssl->quic_input_data_tail->level)
+ || level < ssl->quic_latest_level_received) {
+- SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED);
++ ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED);
+ return 0;
+ }
+
+ if (ssl->quic_buf == NULL) {
+ BUF_MEM *buf;
+ if ((buf = BUF_MEM_new()) == NULL) {
+- SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, ERR_R_INTERNAL_ERROR);
++ ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
+- SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, ERR_R_INTERNAL_ERROR);
++ ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
+ BUF_MEM_free(buf);
+ return 0;
+ }
+@@ -163,15 +163,14 @@ int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+ /* A TLS message must not cross an encryption level boundary */
+ if (ssl->quic_buf->length != ssl->quic_next_record_start
+ && level != ssl->quic_latest_level_received) {
+- SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA,
+- SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED);
++ ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED);
+ return 0;
+ }
+ ssl->quic_latest_level_received = level;
+
+ offset = ssl->quic_buf->length;
+ if (!BUF_MEM_grow(ssl->quic_buf, offset + len)) {
+- SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, ERR_R_INTERNAL_ERROR);
++ ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ memcpy(ssl->quic_buf->data + offset, data, len);
+@@ -193,7 +192,7 @@ int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+
+ qd = OPENSSL_zalloc(sizeof(*qd));
+ if (qd == NULL) {
+- SSLerr(SSL_F_SSL_PROVIDE_QUIC_DATA, ERR_R_INTERNAL_ERROR);
++ ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+@@ -305,7 +304,7 @@ int SSL_process_quic_post_handshake(SSL *ssl)
+ int ret;
+
+ if (SSL_in_init(ssl) || !SSL_IS_QUIC(ssl)) {
+- SSLerr(SSL_F_SSL_PROCESS_QUIC_POST_HANDSHAKE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
++ ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return 0;
+ }
+
+diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c
+index b040d14cd2..df542579d0 100644
+--- a/ssl/statem/statem.c
++++ b/ssl/statem/statem.c
+@@ -930,7 +930,7 @@ int statem_flush(SSL *s)
+ #ifndef OPENSSL_NO_QUIC
+ if (SSL_IS_QUIC(s)) {
+ if (!s->quic_method->flush_flight(s)) {
+- SSLerr(SSL_F_STATEM_FLUSH, ERR_R_INTERNAL_ERROR);
++ ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ } else
+diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
+index 9c9ac0eda6..877ffa5cb9 100644
+--- a/ssl/statem/statem_lib.c
++++ b/ssl/statem/statem_lib.c
+@@ -54,14 +54,14 @@ int ssl3_do_write(SSL *s, int type)
+ if (!ret) {
+ ret = -1;
+ /* QUIC can't sent anything out sice the above failed */
+- SSLerr(SSL_F_SSL3_DO_WRITE, ERR_R_INTERNAL_ERROR);
++ ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
+ } else {
+ written = s->init_num;
+ }
+ } else {
+ /* QUIC doesn't use ChangeCipherSpec */
+ ret = -1;
+- SSLerr(SSL_F_SSL3_DO_WRITE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
++ ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ }
+ } else
+ #endif
+--
+2.42.0
+
diff --git a/0034-QUIC-Add-compile-run-time-checking-for-QUIC.patch b/0034-QUIC-Add-compile-run-time-checking-for-QUIC.patch
new file mode 100644
index 0000000..df7ddd3
--- /dev/null
+++ b/0034-QUIC-Add-compile-run-time-checking-for-QUIC.patch
@@ -0,0 +1,101 @@
+From 14347b7d94207b9e44a39889aaf84809f674de81 Mon Sep 17 00:00:00 2001
+From: Todd Short <todd.short@me.com>
+Date: Fri, 5 Mar 2021 15:22:18 -0500
+Subject: [PATCH 34/63] QUIC: Add compile/run-time checking for QUIC
+
+---
+ apps/info.c | 12 ++++++++++++
+ crypto/info.c | 4 ++++
+ doc/man3/OpenSSL_version.pod | 8 ++++++++
+ include/openssl/crypto.h.in | 4 ++++
+ 4 files changed, 28 insertions(+)
+
+diff --git a/apps/info.c b/apps/info.c
+index c68603652f..f0f043b7f2 100644
+--- a/apps/info.c
++++ b/apps/info.c
+@@ -15,6 +15,9 @@ typedef enum OPTION_choice {
+ OPT_COMMON,
+ OPT_CONFIGDIR, OPT_ENGINESDIR, OPT_MODULESDIR, OPT_DSOEXT, OPT_DIRNAMESEP,
+ OPT_LISTSEP, OPT_SEEDS, OPT_CPUSETTINGS
++#ifndef OPENSSL_NO_QUIC
++ , OPT_QUIC
++#endif
+ } OPTION_CHOICE;
+
+ const OPTIONS info_options[] = {
+@@ -32,6 +35,9 @@ const OPTIONS info_options[] = {
+ {"listsep", OPT_LISTSEP, '-', "List separator character"},
+ {"seeds", OPT_SEEDS, '-', "Seed sources"},
+ {"cpusettings", OPT_CPUSETTINGS, '-', "CPU settings info"},
++#ifndef OPENSSL_NO_QUIC
++ {"quic", OPT_QUIC, '-', "QUIC info"},
++#endif
+ {NULL}
+ };
+
+@@ -84,6 +90,12 @@ opthelp:
+ type = OPENSSL_INFO_CPU_SETTINGS;
+ dirty++;
+ break;
++#ifndef OPENSSL_NO_QUIC
++ case OPT_QUIC:
++ type = OPENSSL_INFO_QUIC;
++ dirty++;
++ break;
++#endif
+ }
+ }
+ if (opt_num_rest() != 0)
+diff --git a/crypto/info.c b/crypto/info.c
+index 9ef9ee4704..f8a495e098 100644
+--- a/crypto/info.c
++++ b/crypto/info.c
+@@ -203,6 +203,10 @@ const char *OPENSSL_info(int t)
+ if (ossl_cpu_info_str[0] != '\0')
+ return ossl_cpu_info_str + strlen(CPUINFO_PREFIX);
+ break;
++#ifndef OPENSSL_NO_QUIC
++ case OPENSSL_INFO_QUIC:
++ return "QUIC";
++#endif
+ default:
+ break;
+ }
+diff --git a/doc/man3/OpenSSL_version.pod b/doc/man3/OpenSSL_version.pod
+index e1cf16e2a1..946bb151ba 100644
+--- a/doc/man3/OpenSSL_version.pod
++++ b/doc/man3/OpenSSL_version.pod
+@@ -211,6 +211,14 @@ automatically configured but may be set via an environment variable.
+ The value has the same syntax as the environment variable.
+ For x86 the string looks like C<OPENSSL_ia32cap=0x123:0x456>.
+
++=item OPENSSL_INFO_QUIC
++
++This is only defined when compiling with a QUIC-enabled version of
++OpenSSL. At run time, this will return "QUIC" if QUIC is supported.
++
++This can be used as a build time flag to determine if OpenSSL has
++QUIC enabled.
++
+ =back
+
+ For an unknown I<t>, NULL is returned.
+diff --git a/include/openssl/crypto.h.in b/include/openssl/crypto.h.in
+index fb0c7cbb87..6eca308b32 100644
+--- a/include/openssl/crypto.h.in
++++ b/include/openssl/crypto.h.in
+@@ -176,6 +176,10 @@ const char *OPENSSL_info(int type);
+ # define OPENSSL_INFO_SEED_SOURCE 1007
+ # define OPENSSL_INFO_CPU_SETTINGS 1008
+
++# ifndef OPENSSL_NO_QUIC
++# define OPENSSL_INFO_QUIC 2000
++# endif
++
+ int OPENSSL_issetugid(void);
+
+ struct crypto_ex_data_st {
+--
+2.42.0
+
diff --git a/0035-QUIC-Add-early-data-support-11.patch b/0035-QUIC-Add-early-data-support-11.patch
new file mode 100644
index 0000000..54520ff
--- /dev/null
+++ b/0035-QUIC-Add-early-data-support-11.patch
@@ -0,0 +1,504 @@
+From b76539534a8c3b4b799007fd24408286ac933b11 Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
+Date: Thu, 11 Mar 2021 23:07:55 +0900
+Subject: [PATCH 35/63] QUIC: Add early data support (#11)
+
+* QUIC: Add early data support
+
+This commit adds SSL_set_quic_early_data_enabled to add early data
+support to QUIC.
+---
+ doc/man3/SSL_CTX_set_quic_method.pod | 10 +-
+ include/openssl/ssl.h.in | 2 +
+ ssl/ssl_lib.c | 15 +++
+ ssl/ssl_quic.c | 76 ++++++++++---
+ ssl/statem/statem_srvr.c | 10 ++
+ ssl/tls13_enc.c | 90 +++++++++++++---
+ test/sslapitest.c | 156 +++++++++++++++++++++++++++
+ util/libssl.num | 1 +
+ 8 files changed, 327 insertions(+), 33 deletions(-)
+
+diff --git a/doc/man3/SSL_CTX_set_quic_method.pod b/doc/man3/SSL_CTX_set_quic_method.pod
+index 39ff3a8da4..86eb257e91 100644
+--- a/doc/man3/SSL_CTX_set_quic_method.pod
++++ b/doc/man3/SSL_CTX_set_quic_method.pod
+@@ -17,7 +17,8 @@ SSL_is_quic,
+ SSL_get_peer_quic_transport_version,
+ SSL_get_quic_transport_version,
+ SSL_set_quic_transport_version,
+-SSL_set_quic_use_legacy_codepoint
++SSL_set_quic_use_legacy_codepoint,
++SSL_set_quic_early_data_enabled
+ - QUIC support
+
+ =head1 SYNOPSIS
+@@ -47,6 +48,7 @@ SSL_set_quic_use_legacy_codepoint
+ void SSL_set_quic_transport_version(SSL *ssl, int version);
+ int SSL_get_quic_transport_version(const SSL *ssl);
+ int SSL_get_peer_quic_transport_version(const SSL *ssl);
++ void SSL_set_quic_early_data_enabled(SSL *ssl, int enabled);
+
+ =head1 DESCRIPTION
+
+@@ -106,6 +108,12 @@ SSL_set_quic_transport_version().
+ SSL_get_peer_quic_transport_version() returns the version the that was
+ negotiated.
+
++SSL_set_quic_early_data_enabled() enables QUIC early data if a nonzero
++value is passed. Client must set a resumed session before calling
++this function. Server must set 0xffffffffu to
++SSL_CTX_set_max_early_data() or SSL_set_max_early_data() so that a
++session ticket indicates that server is able to accept early data.
++
+ =head1 NOTES
+
+ These APIs are implementations of BoringSSL's QUIC APIs.
+diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
+index 289f55feb1..f1d1ec0ec3 100644
+--- a/include/openssl/ssl.h.in
++++ b/include/openssl/ssl.h.in
+@@ -2580,6 +2580,8 @@ __owur int SSL_get_peer_quic_transport_version(const SSL *ssl);
+
+ int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *c);
+
++void SSL_set_quic_early_data_enabled(SSL *ssl, int enabled);
++
+ # endif
+
+ # ifdef __cplusplus
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 517104a4df..9c03564557 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -3979,6 +3979,21 @@ int SSL_do_handshake(SSL *s)
+ ret = s->handshake_func(s);
+ }
+ }
++#ifndef OPENSSL_NO_QUIC
++ if (SSL_IS_QUIC(s) && ret == 1) {
++ if (s->server) {
++ if (s->early_data_state == SSL_EARLY_DATA_ACCEPTING) {
++ s->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
++ s->rwstate = SSL_READING;
++ ret = 0;
++ }
++ } else if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) {
++ s->early_data_state = SSL_EARLY_DATA_WRITE_RETRY;
++ s->rwstate = SSL_READING;
++ ret = 0;
++ }
++ }
++#endif
+ return ret;
+ }
+
+diff --git a/ssl/ssl_quic.c b/ssl/ssl_quic.c
+index d50b1247a6..9d4c801411 100644
+--- a/ssl/ssl_quic.c
++++ b/ssl/ssl_quic.c
+@@ -257,24 +257,46 @@ int quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level)
+ return 1;
+ }
+
+- md = ssl_handshake_md(ssl);
+- if (md == NULL) {
+- /* May not have selected cipher, yet */
+- const SSL_CIPHER *c = NULL;
+-
+- /*
+- * It probably doesn't make sense to use an (external) PSK session,
+- * but in theory some kinds of external session caches could be
+- * implemented using it, so allow psksession to be used as well as
+- * the regular session.
+- */
+- if (ssl->session != NULL)
+- c = SSL_SESSION_get0_cipher(ssl->session);
+- else if (ssl->psksession != NULL)
++ if (level == ssl_encryption_early_data) {
++ const SSL_CIPHER *c = SSL_SESSION_get0_cipher(ssl->session);
++ if (ssl->early_data_state == SSL_EARLY_DATA_CONNECTING
++ && ssl->max_early_data > 0
++ && ssl->session->ext.max_early_data == 0) {
++ if (!ossl_assert(ssl->psksession != NULL
++ && ssl->max_early_data ==
++ ssl->psksession->ext.max_early_data)) {
++ SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
+ c = SSL_SESSION_get0_cipher(ssl->psksession);
++ }
++
++ if (c == NULL) {
++ SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
+
+- if (c != NULL)
+- md = SSL_CIPHER_get_handshake_digest(c);
++ md = ssl_md(ssl->ctx, c->algorithm2);
++ } else {
++ md = ssl_handshake_md(ssl);
++ if (md == NULL) {
++ /* May not have selected cipher, yet */
++ const SSL_CIPHER *c = NULL;
++
++ /*
++ * It probably doesn't make sense to use an (external) PSK session,
++ * but in theory some kinds of external session caches could be
++ * implemented using it, so allow psksession to be used as well as
++ * the regular session.
++ */
++ if (ssl->session != NULL)
++ c = SSL_SESSION_get0_cipher(ssl->session);
++ else if (ssl->psksession != NULL)
++ c = SSL_SESSION_get0_cipher(ssl->psksession);
++
++ if (c != NULL)
++ md = SSL_CIPHER_get_handshake_digest(c);
++ }
+ }
+
+ if ((len = EVP_MD_size(md)) <= 0) {
+@@ -330,3 +352,25 @@ int SSL_is_quic(SSL* ssl)
+ {
+ return SSL_IS_QUIC(ssl);
+ }
++
++void SSL_set_quic_early_data_enabled(SSL *ssl, int enabled)
++{
++ if (!SSL_is_quic(ssl) || !SSL_in_before(ssl))
++ return;
++
++ if (!enabled) {
++ ssl->early_data_state = SSL_EARLY_DATA_NONE;
++ return;
++ }
++
++ if (ssl->server) {
++ ssl->early_data_state = SSL_EARLY_DATA_ACCEPTING;
++ return;
++ }
++
++ if ((ssl->session == NULL || ssl->session->ext.max_early_data == 0)
++ && ssl->psk_use_session_cb == NULL)
++ return;
++
++ ssl->early_data_state = SSL_EARLY_DATA_CONNECTING;
++}
+diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
+index aba18e8c76..e92b0e736e 100644
+--- a/ssl/statem/statem_srvr.c
++++ b/ssl/statem/statem_srvr.c
+@@ -964,6 +964,16 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
+ SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE))
+ /* SSLfatal() already called */
+ return WORK_ERROR;
++
++#ifndef OPENSSL_NO_QUIC
++ if (SSL_IS_QUIC(s) && s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
++ s->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
++ if (!s->method->ssl3_enc->change_cipher_state(
++ s, SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ))
++ /* SSLfatal() already called */
++ return WORK_ERROR;
++ }
++#endif
+ }
+ break;
+
+diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
+index a63beea224..a1d4dd04b8 100644
+--- a/ssl/tls13_enc.c
++++ b/ssl/tls13_enc.c
+@@ -419,20 +419,76 @@ static int quic_change_cipher_state(SSL *s, int which)
+ int is_server_write = ((which & SSL3_CHANGE_CIPHER_SERVER_WRITE) == SSL3_CHANGE_CIPHER_SERVER_WRITE);
+ int is_early = (which & SSL3_CC_EARLY);
+
+- md = ssl_handshake_md(s);
+- if (!ssl3_digest_cached_records(s, 1)
+- || !ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) {
+- /* SSLfatal() already called */;
+- goto err;
+- }
++ if (is_early) {
++ EVP_MD_CTX *mdctx = NULL;
++ long handlen;
++ void *hdata;
++ unsigned int hashlenui;
++ const SSL_CIPHER *sslcipher = SSL_SESSION_get0_cipher(s->session);
++
++ handlen = BIO_get_mem_data(s->s3.handshake_buffer, &hdata);
++ if (handlen <= 0) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_LENGTH);
++ goto err;
++ }
+
+- /* Ensure cast to size_t is safe */
+- hashleni = EVP_MD_size(md);
+- if (!ossl_assert(hashleni >= 0)) {
+- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
+- goto err;
++ if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
++ && s->max_early_data > 0
++ && s->session->ext.max_early_data == 0) {
++ /*
++ * If we are attempting to send early data, and we've decided to
++ * actually do it but max_early_data in s->session is 0 then we
++ * must be using an external PSK.
++ */
++ if (!ossl_assert(s->psksession != NULL
++ && s->max_early_data ==
++ s->psksession->ext.max_early_data)) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++ goto err;
++ }
++ sslcipher = SSL_SESSION_get0_cipher(s->psksession);
++ }
++ if (sslcipher == NULL) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
++ goto err;
++ }
++
++ /*
++ * We need to calculate the handshake digest using the digest from
++ * the session. We haven't yet selected our ciphersuite so we can't
++ * use ssl_handshake_md().
++ */
++ mdctx = EVP_MD_CTX_new();
++ if (mdctx == NULL) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
++ goto err;
++ }
++ md = ssl_md(s->ctx, sslcipher->algorithm2);
++ if (md == NULL || !EVP_DigestInit_ex(mdctx, md, NULL)
++ || !EVP_DigestUpdate(mdctx, hdata, handlen)
++ || !EVP_DigestFinal_ex(mdctx, hash, &hashlenui)) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++ EVP_MD_CTX_free(mdctx);
++ goto err;
++ }
++ hashlen = hashlenui;
++ EVP_MD_CTX_free(mdctx);
++ } else {
++ md = ssl_handshake_md(s);
++ if (!ssl3_digest_cached_records(s, 1)
++ || !ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) {
++ /* SSLfatal() already called */;
++ goto err;
++ }
++
++ /* Ensure cast to size_t is safe */
++ hashleni = EVP_MD_size(md);
++ if (!ossl_assert(hashleni >= 0)) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
++ goto err;
++ }
++ hashlen = (size_t)hashleni;
+ }
+- hashlen = (size_t)hashleni;
+
+ if (is_client_read || is_server_write) {
+ if (is_handshake) {
+@@ -538,10 +594,12 @@ static int quic_change_cipher_state(SSL *s, int which)
+ }
+ }
+
+- if (s->server)
+- s->quic_read_level = level;
+- else
+- s->quic_write_level = level;
++ if (level != ssl_encryption_early_data) {
++ if (s->server)
++ s->quic_read_level = level;
++ else
++ s->quic_write_level = level;
++ }
+ }
+
+ ret = 1;
+diff --git a/test/sslapitest.c b/test/sslapitest.c
+index f65878212c..b8e1078670 100644
+--- a/test/sslapitest.c
++++ b/test/sslapitest.c
+@@ -10337,6 +10337,159 @@ end:
+ serverssl = NULL;
+ return testresult;
+ }
++
++# ifndef OSSL_NO_USABLE_TLS1_3
++/*
++ * Helper method to setup objects for QUIC early data test. Caller
++ * frees objects on error.
++ */
++static int quic_setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx,
++ SSL **clientssl, SSL **serverssl,
++ SSL_SESSION **sess, int idx)
++{
++ static const char *server_str = "SERVER";
++ static const char *client_str = "CLIENT";
++
++ if (*sctx == NULL
++ && (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
++ TLS_client_method(),
++ TLS1_3_VERSION, 0,
++ sctx, cctx, cert, privkey))
++ || !TEST_true(SSL_CTX_set_quic_method(*sctx, &quic_method))
++ || !TEST_true(SSL_CTX_set_quic_method(*cctx, &quic_method))
++ || !TEST_true(SSL_CTX_set_max_early_data(*sctx, 0xffffffffu))))
++ return 0;
++
++ if (idx == 1) {
++ /* When idx == 1 we repeat the tests with read_ahead set */
++ SSL_CTX_set_read_ahead(*cctx, 1);
++ SSL_CTX_set_read_ahead(*sctx, 1);
++ } else if (idx == 2) {
++ /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
++ SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
++ SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
++ use_session_cb_cnt = 0;
++ find_session_cb_cnt = 0;
++ srvid = pskid;
++ }
++
++ if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
++ NULL, NULL))
++ || !TEST_true(SSL_set_quic_transport_params(*serverssl,
++ (unsigned char*)server_str,
++ strlen(server_str)+1))
++ || !TEST_true(SSL_set_quic_transport_params(*clientssl,
++ (unsigned char*)client_str,
++ strlen(client_str)+1))
++ || !TEST_true(SSL_set_app_data(*serverssl, *clientssl))
++ || !TEST_true(SSL_set_app_data(*clientssl, *serverssl)))
++ return 0;
++
++ /*
++ * For one of the run throughs (doesn't matter which one), we'll try sending
++ * some SNI data in the initial ClientHello. This will be ignored (because
++ * there is no SNI cb set up by the server), so it should not impact
++ * early_data.
++ */
++ if (idx == 1
++ && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
++ return 0;
++
++ if (idx == 2) {
++ clientpsk = create_a_psk(*clientssl);
++ if (!TEST_ptr(clientpsk)
++ || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
++ 0xffffffffu))
++ || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
++ SSL_SESSION_free(clientpsk);
++ clientpsk = NULL;
++ return 0;
++ }
++ serverpsk = clientpsk;
++
++ if (sess != NULL) {
++ if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
++ SSL_SESSION_free(clientpsk);
++ SSL_SESSION_free(serverpsk);
++ clientpsk = serverpsk = NULL;
++ return 0;
++ }
++ *sess = clientpsk;
++ }
++
++ SSL_set_quic_early_data_enabled(*serverssl, 1);
++ SSL_set_quic_early_data_enabled(*clientssl, 1);
++
++ return 1;
++ }
++
++ if (sess == NULL)
++ return 1;
++
++ if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
++ SSL_ERROR_NONE)))
++ return 0;
++
++ /* Deal with two NewSessionTickets */
++ if (!TEST_true(SSL_process_quic_post_handshake(*clientssl))
++ || !TEST_true(SSL_process_quic_post_handshake(*clientssl)))
++ return 0;
++
++ *sess = SSL_get1_session(*clientssl);
++ SSL_shutdown(*clientssl);
++ SSL_shutdown(*serverssl);
++ SSL_free(*serverssl);
++ SSL_free(*clientssl);
++ *serverssl = *clientssl = NULL;
++
++ if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
++ clientssl, NULL, NULL))
++ || !TEST_true(SSL_set_session(*clientssl, *sess))
++ || !TEST_true(SSL_set_quic_transport_params(*serverssl,
++ (unsigned char*)server_str,
++ strlen(server_str)+1))
++ || !TEST_true(SSL_set_quic_transport_params(*clientssl,
++ (unsigned char*)client_str,
++ strlen(client_str)+1))
++ || !TEST_true(SSL_set_app_data(*serverssl, *clientssl))
++ || !TEST_true(SSL_set_app_data(*clientssl, *serverssl)))
++ return 0;
++
++ SSL_set_quic_early_data_enabled(*serverssl, 1);
++ SSL_set_quic_early_data_enabled(*clientssl, 1);
++
++ return 1;
++}
++
++static int test_quic_early_data(int tst)
++{
++ SSL_CTX *cctx = NULL, *sctx = NULL;
++ SSL *clientssl = NULL, *serverssl = NULL;
++ int testresult = 0;
++ SSL_SESSION *sess = NULL;
++
++ if (!TEST_true(quic_setupearly_data_test(&cctx, &sctx, &clientssl,
++ &serverssl, &sess, tst)))
++ goto end;
++
++ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
++ || !TEST_true(SSL_get_early_data_status(serverssl)))
++ goto end;
++
++ testresult = 1;
++
++ end:
++ SSL_SESSION_free(sess);
++ SSL_SESSION_free(clientpsk);
++ SSL_SESSION_free(serverpsk);
++ clientpsk = serverpsk = NULL;
++ SSL_free(serverssl);
++ SSL_free(clientssl);
++ SSL_CTX_free(sctx);
++ SSL_CTX_free(cctx);
++ return testresult;
++}
++# endif /* OSSL_NO_USABLE_TLS1_3 */
+ #endif /* OPENSSL_NO_QUIC */
+
+ #ifndef OSSL_NO_USABLE_TLS1_3
+@@ -11115,6 +11268,9 @@ int setup_tests(void)
+ ADD_ALL_TESTS(test_handshake_retry, 16);
+ #ifndef OPENSSL_NO_QUIC
+ ADD_ALL_TESTS(test_quic_api, 9);
++# ifndef OSSL_NO_USABLE_TLS1_3
++ ADD_ALL_TESTS(test_quic_early_data, 3);
++# endif
+ #endif
+ return 1;
+
+diff --git a/util/libssl.num b/util/libssl.num
+index 41ebba40b2..4a9d5b2007 100644
+--- a/util/libssl.num
++++ b/util/libssl.num
+@@ -535,3 +535,4 @@ SSL_set_quic_use_legacy_codepoint 20011 3_0_0 EXIST::FUNCTION:QUIC
+ SSL_set_quic_transport_version 20012 3_0_0 EXIST::FUNCTION:QUIC
+ SSL_get_peer_quic_transport_version 20013 3_0_0 EXIST::FUNCTION:QUIC
+ SSL_get_quic_transport_version 20014 3_0_0 EXIST::FUNCTION:QUIC
++SSL_set_quic_early_data_enabled 20015 3_0_0 EXIST::FUNCTION:QUIC
+--
+2.42.0
+
diff --git a/0036-QUIC-Make-SSL_provide_quic_data-accept-0-length-data.patch b/0036-QUIC-Make-SSL_provide_quic_data-accept-0-length-data.patch
new file mode 100644
index 0000000..c43352e
--- /dev/null
+++ b/0036-QUIC-Make-SSL_provide_quic_data-accept-0-length-data.patch
@@ -0,0 +1,31 @@
+From c3240737e2e41f0a3a3e01a49022ac3207302305 Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
+Date: Fri, 12 Mar 2021 00:39:20 +0900
+Subject: [PATCH 36/63] QUIC: Make SSL_provide_quic_data accept 0 length data
+ (#13)
+
+This commit makes SSL_provide_quic_data accept 0 length data, which
+matches BoringSSL behavior.
+
+Fixes #9
+---
+ ssl/ssl_quic.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/ssl/ssl_quic.c b/ssl/ssl_quic.c
+index 9d4c801411..49a4f3ab5c 100644
+--- a/ssl/ssl_quic.c
++++ b/ssl/ssl_quic.c
+@@ -143,6 +143,9 @@ int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+ return 0;
+ }
+
++ if (len == 0)
++ return 1;
++
+ if (ssl->quic_buf == NULL) {
+ BUF_MEM *buf;
+ if ((buf = BUF_MEM_new()) == NULL) {
+--
+2.42.0
+
diff --git a/0037-QUIC-Process-multiple-post-handshake-messages-in-a-s.patch b/0037-QUIC-Process-multiple-post-handshake-messages-in-a-s.patch
new file mode 100644
index 0000000..9836188
--- /dev/null
+++ b/0037-QUIC-Process-multiple-post-handshake-messages-in-a-s.patch
@@ -0,0 +1,76 @@
+From 8ec778771466e27485ff4e48414ff34c06af4935 Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
+Date: Sat, 13 Mar 2021 05:37:34 +0900
+Subject: [PATCH 37/63] QUIC: Process multiple post-handshake messages in a
+ single call (#16)
+
+---
+ ssl/ssl_quic.c | 27 +++++++++++++--------------
+ test/sslapitest.c | 6 ++----
+ 2 files changed, 15 insertions(+), 18 deletions(-)
+
+diff --git a/ssl/ssl_quic.c b/ssl/ssl_quic.c
+index 49a4f3ab5c..6cbd47ad2d 100644
+--- a/ssl/ssl_quic.c
++++ b/ssl/ssl_quic.c
+@@ -334,20 +334,19 @@ int SSL_process_quic_post_handshake(SSL *ssl)
+ }
+
+ /* if there is no data, return success as BoringSSL */
+- if (ssl->quic_input_data_head == NULL)
+- return 1;
+-
+- /*
+- * This is always safe (we are sure to be at a record boundary) because
+- * SSL_read()/SSL_write() are never used for QUIC connections -- the
+- * application data is handled at the QUIC layer instead.
+- */
+- ossl_statem_set_in_init(ssl, 1);
+- ret = ssl->handshake_func(ssl);
+- ossl_statem_set_in_init(ssl, 0);
+-
+- if (ret <= 0)
+- return 0;
++ while (ssl->quic_input_data_head != NULL) {
++ /*
++ * This is always safe (we are sure to be at a record boundary) because
++ * SSL_read()/SSL_write() are never used for QUIC connections -- the
++ * application data is handled at the QUIC layer instead.
++ */
++ ossl_statem_set_in_init(ssl, 1);
++ ret = ssl->handshake_func(ssl);
++ ossl_statem_set_in_init(ssl, 0);
++
++ if (ret <= 0)
++ return 0;
++ }
+ return 1;
+ }
+
+diff --git a/test/sslapitest.c b/test/sslapitest.c
+index b8e1078670..e351a0b4e6 100644
+--- a/test/sslapitest.c
++++ b/test/sslapitest.c
+@@ -10238,8 +10238,7 @@ static int test_quic_api_version(int clnt, int srvr)
+ goto end;
+
+ /* Deal with two NewSessionTickets */
+- if (!TEST_true(SSL_process_quic_post_handshake(clientssl))
+- || !TEST_true(SSL_process_quic_post_handshake(clientssl)))
++ if (!TEST_true(SSL_process_quic_post_handshake(clientssl)))
+ goto end;
+
+ /* Dummy handshake call should succeed */
+@@ -10431,8 +10430,7 @@ static int quic_setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx,
+ return 0;
+
+ /* Deal with two NewSessionTickets */
+- if (!TEST_true(SSL_process_quic_post_handshake(*clientssl))
+- || !TEST_true(SSL_process_quic_post_handshake(*clientssl)))
++ if (!TEST_true(SSL_process_quic_post_handshake(*clientssl)))
+ return 0;
+
+ *sess = SSL_get1_session(*clientssl);
+--
+2.42.0
+
diff --git a/0038-QUIC-Tighten-up-some-language-in-SSL_CTX_set_quic_me.patch b/0038-QUIC-Tighten-up-some-language-in-SSL_CTX_set_quic_me.patch
new file mode 100644
index 0000000..a1dee27
--- /dev/null
+++ b/0038-QUIC-Tighten-up-some-language-in-SSL_CTX_set_quic_me.patch
@@ -0,0 +1,32 @@
+From 50edeee44a1aed9eb5e819859aa3e561f307aaa0 Mon Sep 17 00:00:00 2001
+From: kaduk <kaduk-github@mit.edu>
+Date: Fri, 12 Mar 2021 13:03:14 -0800
+Subject: [PATCH 38/63] QUIC: Tighten up some language in
+ SSL_CTX_set_quic_method.pod (#18)
+
+---
+ doc/man3/SSL_CTX_set_quic_method.pod | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/doc/man3/SSL_CTX_set_quic_method.pod b/doc/man3/SSL_CTX_set_quic_method.pod
+index 86eb257e91..906c7591d9 100644
+--- a/doc/man3/SSL_CTX_set_quic_method.pod
++++ b/doc/man3/SSL_CTX_set_quic_method.pod
+@@ -109,10 +109,10 @@ SSL_get_peer_quic_transport_version() returns the version the that was
+ negotiated.
+
+ SSL_set_quic_early_data_enabled() enables QUIC early data if a nonzero
+-value is passed. Client must set a resumed session before calling
+-this function. Server must set 0xffffffffu to
+-SSL_CTX_set_max_early_data() or SSL_set_max_early_data() so that a
+-session ticket indicates that server is able to accept early data.
++value is passed. Clients must set a resumed session before calling this
++function. Servers must additionally call SSL_CTX_set_max_early_data() or
++SSL_set_max_early_data() with 0xffffffffu as the argument, so that any
++issued session tickets indicate that server is able to accept early data.
+
+ =head1 NOTES
+
+--
+2.42.0
+
diff --git a/0040-QUIC-Fix-CI-20.patch b/0040-QUIC-Fix-CI-20.patch
new file mode 100644
index 0000000..d5e2688
--- /dev/null
+++ b/0040-QUIC-Fix-CI-20.patch
@@ -0,0 +1,97 @@
+From 523bacebab18d0d0d5649a6096a4190ea733b518 Mon Sep 17 00:00:00 2001
+From: Todd Short <tmshort@users.noreply.github.com>
+Date: Thu, 18 Mar 2021 12:42:01 -0400
+Subject: [PATCH 40/63] QUIC: Fix CI (#20)
+
+Fixes #2 and #3 and #22
+
+Updates `Configure` script to disable QUIC with `no-bulk` and `no-ec`
+Updates build.info doc docs
+Fixes an issue with extension defintions and `no-quic`
+---
+ Configure | 3 ++-
+ doc/build.info | 6 ++++++
+ ssl/statem/extensions.c | 1 +
+ ssl/statem/extensions_srvr.c | 2 +-
+ 4 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/Configure b/Configure
+index bd4e0943bf..2b37fd497a 100755
+--- a/Configure
++++ b/Configure
+@@ -578,6 +578,7 @@ my @disable_cascades = (
+ "sm3", "sm4", "srp",
+ "srtp", "ssl3-method", "ssl-trace",
+ "ts", "ui-console", "whirlpool",
++ "quic",
+ "fips-securitychecks" ],
+ sub { $config{processor} eq "386" }
+ => [ "sse2" ],
+@@ -585,7 +586,7 @@ my @disable_cascades = (
+ "ssl3-method" => [ "ssl3" ],
+ "zlib" => [ "zlib-dynamic" ],
+ "des" => [ "mdc2" ],
+- "ec" => [ "ec2m", "ecdsa", "ecdh", "sm2", "gost" ],
++ "ec" => [ "ec2m", "ecdsa", "ecdh", "sm2", "gost", "quic" ],
+ "dgram" => [ "dtls", "sctp" ],
+ "sock" => [ "dgram" ],
+ "dtls" => [ @dtls ],
+diff --git a/doc/build.info b/doc/build.info
+index 00dc150721..8f7186d89b 100644
+--- a/doc/build.info
++++ b/doc/build.info
+@@ -2263,6 +2263,10 @@ DEPEND[html/man3/SSL_CTX_set_psk_client_callback.html]=man3/SSL_CTX_set_psk_clie
+ GENERATE[html/man3/SSL_CTX_set_psk_client_callback.html]=man3/SSL_CTX_set_psk_client_callback.pod
+ DEPEND[man/man3/SSL_CTX_set_psk_client_callback.3]=man3/SSL_CTX_set_psk_client_callback.pod
+ GENERATE[man/man3/SSL_CTX_set_psk_client_callback.3]=man3/SSL_CTX_set_psk_client_callback.pod
++DEPEND[html/man3/SSL_CTX_set_quic_method.html]=man3/SSL_CTX_set_quic_method.pod
++GENERATE[html/man3/SSL_CTX_set_quic_method.html]=man3/SSL_CTX_set_quic_method.pod
++DEPEND[man/man3/SSL_CTX_set_quic_method.3]=man3/SSL_CTX_set_quic_method.pod
++GENERATE[man/man3/SSL_CTX_set_quic_method.3]=man3/SSL_CTX_set_quic_method.pod
+ DEPEND[html/man3/SSL_CTX_set_quiet_shutdown.html]=man3/SSL_CTX_set_quiet_shutdown.pod
+ GENERATE[html/man3/SSL_CTX_set_quiet_shutdown.html]=man3/SSL_CTX_set_quiet_shutdown.pod
+ DEPEND[man/man3/SSL_CTX_set_quiet_shutdown.3]=man3/SSL_CTX_set_quiet_shutdown.pod
+@@ -3329,6 +3333,7 @@ html/man3/SSL_CTX_set_msg_callback.html \
+ html/man3/SSL_CTX_set_num_tickets.html \
+ html/man3/SSL_CTX_set_options.html \
+ html/man3/SSL_CTX_set_psk_client_callback.html \
++html/man3/SSL_CTX_set_quic_method.html \
+ html/man3/SSL_CTX_set_quiet_shutdown.html \
+ html/man3/SSL_CTX_set_read_ahead.html \
+ html/man3/SSL_CTX_set_record_padding_callback.html \
+@@ -3932,6 +3937,7 @@ man/man3/SSL_CTX_set_msg_callback.3 \
+ man/man3/SSL_CTX_set_num_tickets.3 \
+ man/man3/SSL_CTX_set_options.3 \
+ man/man3/SSL_CTX_set_psk_client_callback.3 \
++man/man3/SSL_CTX_set_quic_method.3 \
+ man/man3/SSL_CTX_set_quiet_shutdown.3 \
+ man/man3/SSL_CTX_set_read_ahead.3 \
+ man/man3/SSL_CTX_set_record_padding_callback.3 \
+diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
+index 34ba69e85e..a972f3be26 100644
+--- a/ssl/statem/extensions.c
++++ b/ssl/statem/extensions.c
+@@ -395,6 +395,7 @@ static const EXTENSION_DEFINITION ext_defs[] = {
+ },
+ #else
+ INVALID_EXTENSION,
++ INVALID_EXTENSION,
+ #endif
+ {
+ /* Must be immediately before pre_shared_key */
+diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
+index bfab225651..c23b35593f 100644
+--- a/ssl/statem/extensions_srvr.c
++++ b/ssl/statem/extensions_srvr.c
+@@ -1912,7 +1912,7 @@ EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
+
+ #ifndef OPENSSL_NO_QUIC
+ /* QUIC server must always send 0xFFFFFFFF, per draft-ietf-quic-tls-27 S4.5 */
+- if (s->quic_method != NULL)
++ if (SSL_IS_QUIC(s))
+ max_early_data = 0xFFFFFFFF;
+ #endif
+
+--
+2.42.0
+
diff --git a/0041-QUIC-Break-up-header-body-processing.patch b/0041-QUIC-Break-up-header-body-processing.patch
new file mode 100644
index 0000000..33b0747
--- /dev/null
+++ b/0041-QUIC-Break-up-header-body-processing.patch
@@ -0,0 +1,145 @@
+From ced2dc4b1d98ecfe0a8b3c33d7a5c797550fd551 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Thu, 6 May 2021 16:24:03 -0400
+Subject: [PATCH 41/63] QUIC: Break up header/body processing
+
+As DTLS has changed, so too must QUIC.
+---
+ ssl/statem/statem.c | 9 ++++++---
+ ssl/statem/statem_local.h | 3 ++-
+ ssl/statem/statem_quic.c | 25 +++++++++++++++----------
+ 3 files changed, 23 insertions(+), 14 deletions(-)
+
+diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c
+index df542579d0..e67ee26e87 100644
+--- a/ssl/statem/statem.c
++++ b/ssl/statem/statem.c
+@@ -586,7 +586,7 @@ static SUB_STATE_RETURN read_state_machine(SSL *s)
+ #ifndef OPENSSL_NO_QUIC
+ } else if (SSL_IS_QUIC(s)) {
+ /* QUIC behaves like DTLS -- all in one go. */
+- ret = quic_get_message(s, &mt, &len);
++ ret = quic_get_message(s, &mt);
+ #endif
+ } else {
+ ret = tls_get_message_header(s, &mt);
+@@ -636,8 +636,11 @@ static SUB_STATE_RETURN read_state_machine(SSL *s)
+ * opportunity to do any further processing.
+ */
+ ret = dtls_get_message_body(s, &len);
+- } else if (!SSL_IS_QUIC(s)) {
+- /* We already got this above for QUIC */
++#ifndef OPENSSL_NO_QUIC
++ } else if (SSL_IS_QUIC(s)) {
++ ret = quic_get_message_body(s, &len);
++#endif
++ } else {
+ ret = tls_get_message_body(s, &len);
+ }
+ if (ret == 0) {
+diff --git a/ssl/statem/statem_local.h b/ssl/statem/statem_local.h
+index 0065db1744..4203c084e8 100644
+--- a/ssl/statem/statem_local.h
++++ b/ssl/statem/statem_local.h
+@@ -105,7 +105,8 @@ __owur int tls_get_message_body(SSL *s, size_t *len);
+ __owur int dtls_get_message(SSL *s, int *mt);
+ __owur int dtls_get_message_body(SSL *s, size_t *len);
+ #ifndef OPENSSL_NO_QUIC
+-__owur int quic_get_message(SSL *s, int *mt, size_t *len);
++__owur int quic_get_message(SSL *s, int *mt);
++__owur int quic_get_message_body(SSL *s, size_t *len);
+ #endif
+
+ /* Message construction and processing functions */
+diff --git a/ssl/statem/statem_quic.c b/ssl/statem/statem_quic.c
+index a371eeaedb..a51bfd74d8 100644
+--- a/ssl/statem/statem_quic.c
++++ b/ssl/statem/statem_quic.c
+@@ -11,7 +11,7 @@
+ #include "statem_local.h"
+ #include "internal/cryptlib.h"
+
+-int quic_get_message(SSL *s, int *mt, size_t *len)
++int quic_get_message(SSL *s, int *mt)
+ {
+ size_t l;
+ QUIC_DATA *qd = s->quic_input_data_head;
+@@ -19,26 +19,26 @@ int quic_get_message(SSL *s, int *mt, size_t *len)
+
+ if (qd == NULL) {
+ s->rwstate = SSL_READING;
+- *mt = *len = 0;
++ *mt = 0;
+ return 0;
+ }
+
+ if (!ossl_assert(qd->length >= SSL3_HM_HEADER_LENGTH)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_LENGTH);
+- *mt = *len = 0;
++ *mt = 0;
+ return 0;
+ }
+
+ /* This is where we check for the proper level, not when data is given */
+ if (qd->level != s->quic_read_level) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED);
+- *mt = *len = 0;
++ *mt = 0;
+ return 0;
+ }
+
+ if (!BUF_MEM_grow_clean(s->init_buf, (int)qd->length)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB);
+- *mt = *len = 0;
++ *mt = 0;
+ return 0;
+ }
+
+@@ -53,28 +53,32 @@ int quic_get_message(SSL *s, int *mt, size_t *len)
+ s->s3.tmp.message_type = *mt = *(s->init_buf->data);
+ p = (uint8_t*)s->init_buf->data + 1;
+ n2l3(p, l);
+- s->init_num = s->s3.tmp.message_size = *len = l;
++ s->init_num = s->s3.tmp.message_size = l;
+ s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
+
++ return 1;
++}
++
++int quic_get_message_body(SSL *s, size_t *len)
++{
+ /* No CCS in QUIC/TLSv1.3? */
+- if (*mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
++ if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
+ SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY);
+ *len = 0;
+ return 0;
+ }
+ /* No KeyUpdate in QUIC */
+- if (*mt == SSL3_MT_KEY_UPDATE) {
++ if (s->s3.tmp.message_type == SSL3_MT_KEY_UPDATE) {
+ SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
+ *len = 0;
+ return 0;
+ }
+
+-
+ /*
+ * If receiving Finished, record MAC of prior handshake messages for
+ * Finished verification.
+ */
+- if (*mt == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
++ if (s->s3.tmp.message_type == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
+ /* SSLfatal() already called */
+ *len = 0;
+ return 0;
+@@ -108,5 +112,6 @@ int quic_get_message(SSL *s, int *mt, size_t *len)
+ (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
+ s->msg_callback_arg);
+
++ *len = s->init_num;
+ return 1;
+ }
+--
+2.42.0
+
diff --git a/0042-QUIC-Fix-make-doc-nits.patch b/0042-QUIC-Fix-make-doc-nits.patch
new file mode 100644
index 0000000..b2be7d5
--- /dev/null
+++ b/0042-QUIC-Fix-make-doc-nits.patch
@@ -0,0 +1,35 @@
+From 117b887a7a132b25425c74613fc9621dd660fecb Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Thu, 24 Jun 2021 15:11:24 -0400
+Subject: [PATCH 42/63] QUIC: Fix make doc-nits
+
+---
+ doc/man1/openssl-info.pod.in | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/doc/man1/openssl-info.pod.in b/doc/man1/openssl-info.pod.in
+index 0e91bb28ee..fe7abee486 100644
+--- a/doc/man1/openssl-info.pod.in
++++ b/doc/man1/openssl-info.pod.in
+@@ -17,6 +17,7 @@ B<openssl info>
+ [B<-listsep>]
+ [B<-seeds>]
+ [B<-cpusettings>]
++[B<-quic>]
+
+ =head1 DESCRIPTION
+
+@@ -73,6 +74,10 @@ Outputs the randomness seed sources.
+
+ Outputs the OpenSSL CPU settings info.
+
++=item B<-quic>
++
++Outputs the OpenSSL QUIC info.
++
+ =back
+
+ =head1 HISTORY
+--
+2.42.0
+
diff --git a/0045-QUIC-Don-t-muck-with-FIPS-checksums.patch b/0045-QUIC-Don-t-muck-with-FIPS-checksums.patch
new file mode 100644
index 0000000..dabf450
--- /dev/null
+++ b/0045-QUIC-Don-t-muck-with-FIPS-checksums.patch
@@ -0,0 +1,131 @@
+From a35de9e5ccb192b8d8b242cff02d6b75ff618a8e Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Fri, 9 Jul 2021 13:29:03 -0400
+Subject: [PATCH 45/63] QUIC: Don't muck with FIPS checksums
+
+---
+ apps/info.c | 1 +
+ crypto/info.c | 1 +
+ include/openssl/crypto.h.in | 4 ----
+ include/openssl/evp.h | 4 ----
+ include/openssl/quic.h | 19 +++++++++++++++++++
+ include/openssl/ssl.h.in | 9 +++++++++
+ include/openssl/types.h | 2 --
+ 7 files changed, 30 insertions(+), 10 deletions(-)
+ create mode 100644 include/openssl/quic.h
+
+diff --git a/apps/info.c b/apps/info.c
+index f0f043b7f2..66f3ef2587 100644
+--- a/apps/info.c
++++ b/apps/info.c
+@@ -10,6 +10,7 @@
+ #include <openssl/crypto.h>
+ #include "apps.h"
+ #include "progs.h"
++#include <openssl/quic.h>
+
+ typedef enum OPTION_choice {
+ OPT_COMMON,
+diff --git a/crypto/info.c b/crypto/info.c
+index f8a495e098..e7a37e3922 100644
+--- a/crypto/info.c
++++ b/crypto/info.c
+@@ -14,6 +14,7 @@
+ #include "internal/cryptlib.h"
+ #include "internal/e_os.h"
+ #include "buildinf.h"
++#include <openssl/quic.h>
+
+ #if defined(__arm__) || defined(__arm) || defined(__aarch64__)
+ # include "arm_arch.h"
+diff --git a/include/openssl/crypto.h.in b/include/openssl/crypto.h.in
+index 6eca308b32..fb0c7cbb87 100644
+--- a/include/openssl/crypto.h.in
++++ b/include/openssl/crypto.h.in
+@@ -176,10 +176,6 @@ const char *OPENSSL_info(int type);
+ # define OPENSSL_INFO_SEED_SOURCE 1007
+ # define OPENSSL_INFO_CPU_SETTINGS 1008
+
+-# ifndef OPENSSL_NO_QUIC
+-# define OPENSSL_INFO_QUIC 2000
+-# endif
+-
+ int OPENSSL_issetugid(void);
+
+ struct crypto_ex_data_st {
+diff --git a/include/openssl/evp.h b/include/openssl/evp.h
+index 8479f665f5..db38e5d921 100644
+--- a/include/openssl/evp.h
++++ b/include/openssl/evp.h
+@@ -1743,10 +1743,6 @@ int EVP_PKEY_CTX_set_mac_key(EVP_PKEY_CTX *ctx, const unsigned char *key,
+ */
+ # define EVP_PKEY_FLAG_SIGCTX_CUSTOM 4
+
+-/* Used by Chromium/QUIC */
+-# define X25519_PRIVATE_KEY_LEN 32
+-# define X25519_PUBLIC_VALUE_LEN 32
+-
+ # ifndef OPENSSL_NO_DEPRECATED_3_0
+ OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type);
+ OSSL_DEPRECATEDIN_3_0 EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags);
+diff --git a/include/openssl/quic.h b/include/openssl/quic.h
+new file mode 100644
+index 0000000000..f95e9e8819
+--- /dev/null
++++ b/include/openssl/quic.h
+@@ -0,0 +1,19 @@
++/*
++ * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License"). You may not use
++ * this file except in compliance with the License. You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#ifndef OPENSSL_QUIC_H
++# define OPENSSL_QUIC_H
++# pragma once
++# ifndef OPENSSL_NO_QUIC
++
++/* moved from crypto.h.in to avoid breaking FIPS checksums */
++# define OPENSSL_INFO_QUIC 2000
++
++# endif /* OPENSSL_NO_QUIC */
++#endif /* OPENSSL_QUIC_H */
+diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
+index f1d1ec0ec3..ce29710a95 100644
+--- a/include/openssl/ssl.h.in
++++ b/include/openssl/ssl.h.in
+@@ -2531,6 +2531,15 @@ const char *OSSL_default_ciphersuites(void);
+ * ssl_encryption_level_t represents a specific QUIC encryption level used to
+ * transmit handshake messages. BoringSSL has this as an 'enum'.
+ */
++#include <openssl/quic.h>
++
++/* Used by Chromium/QUIC - moved from evp.h to avoid breaking FIPS checksums */
++# define X25519_PRIVATE_KEY_LEN 32
++# define X25519_PUBLIC_VALUE_LEN 32
++
++/* moved from types.h to avoid breaking FIPS checksums */
++typedef struct ssl_quic_method_st SSL_QUIC_METHOD;
++
+ typedef enum ssl_encryption_level_t {
+ ssl_encryption_initial = 0,
+ ssl_encryption_early_data,
+diff --git a/include/openssl/types.h b/include/openssl/types.h
+index 31d8c18746..5f9d8c23ea 100644
+--- a/include/openssl/types.h
++++ b/include/openssl/types.h
+@@ -232,8 +232,6 @@ typedef struct ossl_decoder_ctx_st OSSL_DECODER_CTX;
+
+ typedef struct ossl_self_test_st OSSL_SELF_TEST;
+
+-typedef struct ssl_quic_method_st SSL_QUIC_METHOD;
+-
+ #ifdef __cplusplus
+ }
+ #endif
+--
+2.42.0
+
diff --git a/0047-QUIC-Update-RFC-references.patch b/0047-QUIC-Update-RFC-references.patch
new file mode 100644
index 0000000..2d975f0
--- /dev/null
+++ b/0047-QUIC-Update-RFC-references.patch
@@ -0,0 +1,112 @@
+From 12f5f6d298f043d13f552725bc101c3de859c227 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Tue, 7 Sep 2021 12:26:10 -0400
+Subject: [PATCH 47/63] QUIC: Update RFC references
+
+---
+ doc/man3/SSL_CTX_set_quic_method.pod | 11 +++++------
+ include/openssl/tls1.h | 2 +-
+ ssl/statem/extensions_clnt.c | 2 +-
+ ssl/statem/extensions_srvr.c | 2 +-
+ ssl/statem/statem_clnt.c | 2 +-
+ 5 files changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/doc/man3/SSL_CTX_set_quic_method.pod b/doc/man3/SSL_CTX_set_quic_method.pod
+index 906c7591d9..e38f1d2124 100644
+--- a/doc/man3/SSL_CTX_set_quic_method.pod
++++ b/doc/man3/SSL_CTX_set_quic_method.pod
+@@ -74,7 +74,7 @@ SSL_quic_max_handshake_flight_len() returns the maximum number of bytes
+ that may be received at the given encryption level. This function should be
+ used to limit buffering in the QUIC implementation.
+
+-See https://tools.ietf.org/html/draft-ietf-quic-transport-27#section-4.
++See L<https://tools.ietf.org/html/RFC9000#section-4>.
+
+ SSL_quic_read_level() returns the current read encryption level.
+
+@@ -120,7 +120,7 @@ These APIs are implementations of BoringSSL's QUIC APIs.
+
+ QUIC acts as an underlying transport for the TLS 1.3 handshake. The following
+ functions allow a QUIC implementation to serve as the underlying transport as
+-described in draft-ietf-quic-tls.
++described in RFC9001.
+
+ When configured for QUIC, SSL_do_handshake() will drive the handshake as
+ before, but it will not use the configured B<BIO>. It will call functions from
+@@ -139,18 +139,17 @@ pass the active write level to add_handshake_data() when writing data. Callers
+ can use SSL_quic_write_level() to query the active write level when
+ generating their own errors.
+
+-See https://tools.ietf.org/html/draft-ietf-quic-tls-27#section-4.1 for more
+-details.
++See L<https://tools.ietf.org/html/RFC9001#section-4.1> for more details.
+
+ To avoid DoS attacks, the QUIC implementation must limit the amount of data
+ being queued up. The implementation can call
+ SSL_quic_max_handshake_flight_len() to get the maximum buffer length at each
+ encryption level.
+
+-draft-ietf-quic-tls defines a new TLS extension "quic_transport_parameters"
++RFC9001 defines a new TLS extension "quic_transport_parameters"
+ used by QUIC for each endpoint to unilaterally declare its supported
+ transport parameters. The contents of the extension are specified in
+-https://tools.ietf.org/html/draft-ietf-quic-transport-27#section-18 (as
++L<https://tools.ietf.org/html/RFC9000#section-18> (as
+ a sequence of tag/length/value parameters) along with the interpretation of the
+ various parameters and the rules for their processing.
+
+diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
+index 54b6621aa3..ee96842e94 100644
+--- a/include/openssl/tls1.h
++++ b/include/openssl/tls1.h
+@@ -151,7 +151,7 @@ extern "C" {
+ /* Temporary extension type */
+ # define TLSEXT_TYPE_renegotiate 0xff01
+
+-/* ExtensionType value from draft-ietf-quic-tls-27 */
++ /* ExtensionType value from RFC9001 */
+ # define TLSEXT_TYPE_quic_transport_parameters_draft 0xffa5
+ # define TLSEXT_TYPE_quic_transport_parameters 0x0039
+
+diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
+index 6da3cc560f..e7c54e633e 100644
+--- a/ssl/statem/extensions_clnt.c
++++ b/ssl/statem/extensions_clnt.c
+@@ -1942,7 +1942,7 @@ int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
+ #ifndef OPENSSL_NO_QUIC
+ /*
+ * QUIC server must send 0xFFFFFFFF or it's a PROTOCOL_VIOLATION
+- * per draft-ietf-quic-tls-27 S4.5
++ * per RFC9001 S4.6.1
+ */
+ if (s->quic_method != NULL && max_early_data != 0xFFFFFFFF) {
+ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_MAX_EARLY_DATA);
+diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
+index c23b35593f..a90d15d7df 100644
+--- a/ssl/statem/extensions_srvr.c
++++ b/ssl/statem/extensions_srvr.c
+@@ -1911,7 +1911,7 @@ EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
+ return EXT_RETURN_NOT_SENT;
+
+ #ifndef OPENSSL_NO_QUIC
+- /* QUIC server must always send 0xFFFFFFFF, per draft-ietf-quic-tls-27 S4.5 */
++ /* QUIC server must always send 0xFFFFFFFF, per RFC9001 S4.6.1 */
+ if (SSL_IS_QUIC(s))
+ max_early_data = 0xFFFFFFFF;
+ #endif
+diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
+index 36cbba2a50..f9235d4160 100644
+--- a/ssl/statem/statem_clnt.c
++++ b/ssl/statem/statem_clnt.c
+@@ -905,7 +905,7 @@ int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt,
+
+ case TLS_ST_CW_END_OF_EARLY_DATA:
+ #ifndef OPENSSL_NO_QUIC
+- /* QUIC does not send EndOfEarlyData, draft-ietf-quic-tls-24 S8.3 */
++ /* QUIC does not send EndOfEarlyData, RFC9001 S8.3 */
+ if (s->quic_method != NULL) {
+ *confunc = NULL;
+ *mt = SSL3_MT_DUMMY;
+--
+2.42.0
+
diff --git a/0048-QUIC-revert-white-space-change.patch b/0048-QUIC-revert-white-space-change.patch
new file mode 100644
index 0000000..3e9668b
--- /dev/null
+++ b/0048-QUIC-revert-white-space-change.patch
@@ -0,0 +1,24 @@
+From 941ac4b890c4e24ce0cce3f1930c07c90217c4ae Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Tue, 7 Sep 2021 12:29:37 -0400
+Subject: [PATCH 48/63] QUIC: revert white-space change
+
+---
+ include/openssl/evp.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/include/openssl/evp.h b/include/openssl/evp.h
+index db38e5d921..86f4e22c70 100644
+--- a/include/openssl/evp.h
++++ b/include/openssl/evp.h
+@@ -1742,7 +1742,6 @@ int EVP_PKEY_CTX_set_mac_key(EVP_PKEY_CTX *ctx, const unsigned char *key,
+ * Method handles all operations: don't assume any digest related defaults.
+ */
+ # define EVP_PKEY_FLAG_SIGCTX_CUSTOM 4
+-
+ # ifndef OPENSSL_NO_DEPRECATED_3_0
+ OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type);
+ OSSL_DEPRECATEDIN_3_0 EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags);
+--
+2.42.0
+
diff --git a/0049-QUIC-update-copyrights.patch b/0049-QUIC-update-copyrights.patch
new file mode 100644
index 0000000..f79daa4
--- /dev/null
+++ b/0049-QUIC-update-copyrights.patch
@@ -0,0 +1,49 @@
+From 5164990766f47f47af1f546fe3c0f0acbff2b7e2 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Tue, 7 Sep 2021 12:32:54 -0400
+Subject: [PATCH 49/63] QUIC: update copyrights
+
+---
+ doc/man3/SSL_CTX_set_quic_method.pod | 2 +-
+ ssl/ssl_quic.c | 2 +-
+ ssl/statem/statem_quic.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/doc/man3/SSL_CTX_set_quic_method.pod b/doc/man3/SSL_CTX_set_quic_method.pod
+index e38f1d2124..b9191a0264 100644
+--- a/doc/man3/SSL_CTX_set_quic_method.pod
++++ b/doc/man3/SSL_CTX_set_quic_method.pod
+@@ -257,7 +257,7 @@ These functions were added in OpenSSL 3.0.0.
+
+ =head1 COPYRIGHT
+
+-Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
++Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+
+ Licensed under the Apache License 2.0 (the "License"). You may not use
+ this file except in compliance with the License. You can obtain a copy
+diff --git a/ssl/ssl_quic.c b/ssl/ssl_quic.c
+index 6cbd47ad2d..987c1e740c 100644
+--- a/ssl/ssl_quic.c
++++ b/ssl/ssl_quic.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+diff --git a/ssl/statem/statem_quic.c b/ssl/statem/statem_quic.c
+index a51bfd74d8..7bd329c242 100644
+--- a/ssl/statem/statem_quic.c
++++ b/ssl/statem/statem_quic.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+--
+2.42.0
+
diff --git a/0050-QUIC-update-SSL_provide_quic_data-documentation.patch b/0050-QUIC-update-SSL_provide_quic_data-documentation.patch
new file mode 100644
index 0000000..7aec907
--- /dev/null
+++ b/0050-QUIC-update-SSL_provide_quic_data-documentation.patch
@@ -0,0 +1,34 @@
+From 49c1562e8d9ecba4239405abb1426bdfe11b82f7 Mon Sep 17 00:00:00 2001
+From: Benjamin Kaduk <bkaduk@akamai.com>
+Date: Tue, 7 Sep 2021 09:17:39 -0700
+Subject: [PATCH 50/63] QUIC: update SSL_provide_quic_data() documentation
+
+We now let you call this function outside of the handshake, to provide
+post-handshake QUIC data.
+
+We also no longer have the limitation that the application must provide
+the TLS handshake message header in a single call.
+---
+ doc/man3/SSL_CTX_set_quic_method.pod | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/doc/man3/SSL_CTX_set_quic_method.pod b/doc/man3/SSL_CTX_set_quic_method.pod
+index b9191a0264..b2d78872ca 100644
+--- a/doc/man3/SSL_CTX_set_quic_method.pod
++++ b/doc/man3/SSL_CTX_set_quic_method.pod
+@@ -82,10 +82,8 @@ SSL_quic_write_level() returns the current write encryption level.
+
+ SSL_provide_quic_data() is used to provide data from QUIC CRYPTO frames to the
+ state machine, at a particular encryption level B<level>. It is an error to
+-call this function outside of the handshake or with an encryption level other
+-than the current read level. The application must buffer and consolidate any
+-frames with less than four bytes of content. It returns one on success and
+-zero on error.
++call this function with an encryption level less than the current read level.
++It returns one on success and zero on error.
+
+ SSL_process_quic_post_handshake() processes any data that QUIC has provided
+ after the handshake has completed. This includes NewSessionTicket messages
+--
+2.42.0
+
diff --git a/0051-QUIC-expound-on-what-DoS-attacks-QUIC-avoids.patch b/0051-QUIC-expound-on-what-DoS-attacks-QUIC-avoids.patch
new file mode 100644
index 0000000..418ad66
--- /dev/null
+++ b/0051-QUIC-expound-on-what-DoS-attacks-QUIC-avoids.patch
@@ -0,0 +1,29 @@
+From e0900dbdeb1888fdb65af501ad8454463ef9a214 Mon Sep 17 00:00:00 2001
+From: Benjamin Kaduk <bkaduk@akamai.com>
+Date: Tue, 7 Sep 2021 09:17:56 -0700
+Subject: [PATCH 51/63] QUIC: expound on what DoS attacks QUIC avoids
+
+The limit on the amount of queued data is to avoid being an amplification
+vector, specifically.
+---
+ doc/man3/SSL_CTX_set_quic_method.pod | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/doc/man3/SSL_CTX_set_quic_method.pod b/doc/man3/SSL_CTX_set_quic_method.pod
+index b2d78872ca..1ed076c301 100644
+--- a/doc/man3/SSL_CTX_set_quic_method.pod
++++ b/doc/man3/SSL_CTX_set_quic_method.pod
+@@ -139,8 +139,8 @@ generating their own errors.
+
+ See L<https://tools.ietf.org/html/RFC9001#section-4.1> for more details.
+
+-To avoid DoS attacks, the QUIC implementation must limit the amount of data
+-being queued up. The implementation can call
++To avoid amplifying DoS attacks, the QUIC implementation must limit the amount
++of data being queued up. The implementation can call
+ SSL_quic_max_handshake_flight_len() to get the maximum buffer length at each
+ encryption level.
+
+--
+2.42.0
+
diff --git a/0052-QUIC-remove-SSL_get_current_cipher-reference.patch b/0052-QUIC-remove-SSL_get_current_cipher-reference.patch
new file mode 100644
index 0000000..fb33c86
--- /dev/null
+++ b/0052-QUIC-remove-SSL_get_current_cipher-reference.patch
@@ -0,0 +1,28 @@
+From fae17dc5d279bc6de0ad045c87a6e224a62b3730 Mon Sep 17 00:00:00 2001
+From: Benjamin Kaduk <bkaduk@akamai.com>
+Date: Tue, 7 Sep 2021 09:20:44 -0700
+Subject: [PATCH 52/63] QUIC: remove SSL_get_current_cipher() reference
+
+The QUIC APIs have no need to interact with TLS ciphers, since
+QUIC records use different cryptographic protections than TLS ciphers.
+---
+ doc/man3/SSL_CTX_set_quic_method.pod | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/doc/man3/SSL_CTX_set_quic_method.pod b/doc/man3/SSL_CTX_set_quic_method.pod
+index 1ed076c301..f12aa8662b 100644
+--- a/doc/man3/SSL_CTX_set_quic_method.pod
++++ b/doc/man3/SSL_CTX_set_quic_method.pod
+@@ -209,9 +209,6 @@ only available in the client to server direction. The other secret will be
+ NULL. The server acknowledges such data at B<ssl_encryption_application>,
+ which will be configured in the same SSL_do_handshake() call.
+
+-This function should use SSL_get_current_cipher() to determine the TLS
+-cipher suite.
+-
+ add_handshake_data() adds handshake data to the current flight at the given
+ encryption level. It returns one on success and zero on error.
+
+--
+2.42.0
+
diff --git a/0053-QUIC-use-SSL_IS_QUIC-in-more-places.patch b/0053-QUIC-use-SSL_IS_QUIC-in-more-places.patch
new file mode 100644
index 0000000..440cdfd
--- /dev/null
+++ b/0053-QUIC-use-SSL_IS_QUIC-in-more-places.patch
@@ -0,0 +1,53 @@
+From 6f0a1d5c216d28997e1fd4590b194e70a921779d Mon Sep 17 00:00:00 2001
+From: Benjamin Kaduk <bkaduk@akamai.com>
+Date: Tue, 7 Sep 2021 14:21:22 -0700
+Subject: [PATCH 53/63] QUIC: use SSL_IS_QUIC() in more places
+
+---
+ doc/man3/SSL_CTX_set_quic_method.pod | 2 +-
+ ssl/statem/extensions_clnt.c | 2 +-
+ ssl/statem/statem_clnt.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/doc/man3/SSL_CTX_set_quic_method.pod b/doc/man3/SSL_CTX_set_quic_method.pod
+index f12aa8662b..aab5e38889 100644
+--- a/doc/man3/SSL_CTX_set_quic_method.pod
++++ b/doc/man3/SSL_CTX_set_quic_method.pod
+@@ -103,7 +103,7 @@ the client will send both extensions.
+ SSL_get_quic_transport_version() returns the value set by
+ SSL_set_quic_transport_version().
+
+-SSL_get_peer_quic_transport_version() returns the version the that was
++SSL_get_peer_quic_transport_version() returns the version the that was
+ negotiated.
+
+ SSL_set_quic_early_data_enabled() enables QUIC early data if a nonzero
+diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
+index e7c54e633e..caeb818a37 100644
+--- a/ssl/statem/extensions_clnt.c
++++ b/ssl/statem/extensions_clnt.c
+@@ -1944,7 +1944,7 @@ int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
+ * QUIC server must send 0xFFFFFFFF or it's a PROTOCOL_VIOLATION
+ * per RFC9001 S4.6.1
+ */
+- if (s->quic_method != NULL && max_early_data != 0xFFFFFFFF) {
++ if (SSL_IS_QUIC(s) && max_early_data != 0xFFFFFFFF) {
+ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_MAX_EARLY_DATA);
+ return 0;
+ }
+diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
+index f9235d4160..9d925091b6 100644
+--- a/ssl/statem/statem_clnt.c
++++ b/ssl/statem/statem_clnt.c
+@@ -906,7 +906,7 @@ int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt,
+ case TLS_ST_CW_END_OF_EARLY_DATA:
+ #ifndef OPENSSL_NO_QUIC
+ /* QUIC does not send EndOfEarlyData, RFC9001 S8.3 */
+- if (s->quic_method != NULL) {
++ if (SSL_IS_QUIC(s)) {
+ *confunc = NULL;
+ *mt = SSL3_MT_DUMMY;
+ break;
+--
+2.42.0
+
diff --git a/0054-QUIC-Error-when-non-empty-session_id-in-CH-fixes-29.patch b/0054-QUIC-Error-when-non-empty-session_id-in-CH-fixes-29.patch
new file mode 100644
index 0000000..1801e65
--- /dev/null
+++ b/0054-QUIC-Error-when-non-empty-session_id-in-CH-fixes-29.patch
@@ -0,0 +1,32 @@
+From 9a392d282e622730686a643dffcdfebd034794b1 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Mon, 18 Oct 2021 16:54:31 -0400
+Subject: [PATCH 54/63] QUIC: Error when non-empty session_id in CH (fixes #29)
+
+---
+ ssl/statem/statem_srvr.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
+index e92b0e736e..f7d81370d8 100644
+--- a/ssl/statem/statem_srvr.c
++++ b/ssl/statem/statem_srvr.c
+@@ -1566,6 +1566,15 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
+ goto err;
+ }
+ }
++#ifndef OPENSSL_NO_QUIC
++ if (SSL_IS_QUIC(s)) {
++ /* Any other QUIC checks on ClientHello here */
++ if (clienthello->session_id_len > 0) {
++ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_LENGTH_MISMATCH);
++ goto err;
++ }
++ }
++#endif
+ }
+
+ if (!PACKET_copy_all(&compression, clienthello->compressions,
+--
+2.42.0
+
diff --git a/0055-QUIC-Update-SSL_clear-to-clear-quic-data.patch b/0055-QUIC-Update-SSL_clear-to-clear-quic-data.patch
new file mode 100644
index 0000000..f4cc146
--- /dev/null
+++ b/0055-QUIC-Update-SSL_clear-to-clear-quic-data.patch
@@ -0,0 +1,140 @@
+From 1493e2f43d4aedd088b75062301771aa917a1a3d Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Tue, 19 Oct 2021 12:13:31 -0400
+Subject: [PATCH 55/63] QUIC: Update SSL_clear() to clear quic data
+
+Fixes #55
+Had to fixup tests because SSL_accept() eventually calls SSL_clear() and
+it was removing the inital ClientHello sent via SSL_provide_quic_data()
+from the server SSL.
+---
+ ssl/ssl_lib.c | 32 ++++++++++++++++++++++++++++++++
+ test/helpers/ssltestlib.c | 5 -----
+ test/sslapitest.c | 19 ++++++++++++++-----
+ 3 files changed, 46 insertions(+), 10 deletions(-)
+
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 9c03564557..3d1734b7cd 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -626,6 +626,38 @@ int SSL_clear(SSL *s)
+ s->shared_sigalgs = NULL;
+ s->shared_sigalgslen = 0;
+
++#if !defined(OPENSSL_NO_QUIC)
++ OPENSSL_free(s->ext.peer_quic_transport_params_draft);
++ s->ext.peer_quic_transport_params_draft = NULL;
++ s->ext.peer_quic_transport_params_draft_len = 0;
++ OPENSSL_free(s->ext.peer_quic_transport_params);
++ s->ext.peer_quic_transport_params = NULL;
++ s->ext.peer_quic_transport_params_len = 0;
++ s->quic_read_level = ssl_encryption_initial;
++ s->quic_write_level = ssl_encryption_initial;
++ s->quic_latest_level_received = ssl_encryption_initial;
++ while (s->quic_input_data_head != NULL) {
++ QUIC_DATA *qd;
++
++ qd = s->quic_input_data_head;
++ s->quic_input_data_head = qd->next;
++ OPENSSL_free(qd);
++ }
++ s->quic_input_data_tail = NULL;
++ BUF_MEM_free(s->quic_buf);
++ s->quic_buf = NULL;
++ s->quic_next_record_start = 0;
++ memset(s->client_hand_traffic_secret, 0, EVP_MAX_MD_SIZE);
++ memset(s->server_hand_traffic_secret, 0, EVP_MAX_MD_SIZE);
++ memset(s->client_early_traffic_secret, 0, EVP_MAX_MD_SIZE);
++ /*
++ * CONFIG - DON'T CLEAR
++ * s->ext.quic_transport_params
++ * s->ext.quic_transport_params_len
++ * s->quic_transport_version
++ * s->quic_method = NULL;
++ */
++#endif
+ /*
+ * Check to see if we were changed into a different method, if so, revert
+ * back.
+diff --git a/test/helpers/ssltestlib.c b/test/helpers/ssltestlib.c
+index c317e03d8e..f0dccfa54c 100644
+--- a/test/helpers/ssltestlib.c
++++ b/test/helpers/ssltestlib.c
+@@ -1157,11 +1157,6 @@ int create_ssl_connection(SSL *serverssl, SSL *clientssl, int want)
+ if (!create_bare_ssl_connection(serverssl, clientssl, want, 1))
+ return 0;
+
+-#ifndef OPENSSL_NO_QUIC
+- /* QUIC does not support SSL_read_ex */
+- if (SSL_is_quic(clientssl))
+- return 1;
+-#endif
+ /*
+ * We attempt to read some data on the client side which we expect to fail.
+ * This will ensure we have received the NewSessionTicket in TLSv1.3 where
+diff --git a/test/sslapitest.c b/test/sslapitest.c
+index e351a0b4e6..977eee0d4b 100644
+--- a/test/sslapitest.c
++++ b/test/sslapitest.c
+@@ -10198,6 +10198,7 @@ static int test_quic_api_version(int clnt, int srvr)
+ static const char *client_str = "CLIENT";
+ const uint8_t *peer_str;
+ size_t peer_str_len;
++ int err;
+
+ TEST_info("original clnt=0x%X, srvr=0x%X\n", clnt, srvr);
+
+@@ -10220,8 +10221,10 @@ static int test_quic_api_version(int clnt, int srvr)
+ || !TEST_true(SSL_set_app_data(clientssl, serverssl))
+ || !TEST_true(test_quic_api_set_versions(clientssl, clnt))
+ || !TEST_true(test_quic_api_set_versions(serverssl, srvr))
+- || !TEST_true(create_ssl_connection(serverssl, clientssl,
+- SSL_ERROR_NONE))
++ || !TEST_int_eq(err = SSL_accept(serverssl), -1)
++ || !TEST_int_eq(SSL_get_error(serverssl, err), SSL_ERROR_WANT_READ)
++ || !TEST_true(create_bare_ssl_connection(serverssl, clientssl,
++ SSL_ERROR_NONE, 0))
+ || !TEST_true(SSL_version(serverssl) == TLS1_3_VERSION)
+ || !TEST_true(SSL_version(clientssl) == TLS1_3_VERSION)
+ || !(TEST_int_eq(SSL_quic_read_level(clientssl), ssl_encryption_application))
+@@ -10348,6 +10351,7 @@ static int quic_setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx,
+ {
+ static const char *server_str = "SERVER";
+ static const char *client_str = "CLIENT";
++ int err;
+
+ if (*sctx == NULL
+ && (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+@@ -10425,8 +10429,10 @@ static int quic_setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx,
+ if (sess == NULL)
+ return 1;
+
+- if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
+- SSL_ERROR_NONE)))
++ if (!TEST_int_eq(err = SSL_accept(*serverssl), -1)
++ || !TEST_int_eq(SSL_get_error(*serverssl, err), SSL_ERROR_WANT_READ)
++ || !TEST_true(create_bare_ssl_connection(*serverssl, *clientssl,
++ SSL_ERROR_NONE, 0)))
+ return 0;
+
+ /* Deal with two NewSessionTickets */
+@@ -10465,12 +10471,15 @@ static int test_quic_early_data(int tst)
+ SSL *clientssl = NULL, *serverssl = NULL;
+ int testresult = 0;
+ SSL_SESSION *sess = NULL;
++ int err;
+
+ if (!TEST_true(quic_setupearly_data_test(&cctx, &sctx, &clientssl,
+ &serverssl, &sess, tst)))
+ goto end;
+
+- if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
++ if (!TEST_int_eq(err = SSL_accept(serverssl), -1)
++ || !TEST_int_eq(SSL_get_error(serverssl, err), SSL_ERROR_WANT_READ)
++ || !TEST_true(create_bare_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE, 0))
+ || !TEST_true(SSL_get_early_data_status(serverssl)))
+ goto end;
+
+--
+2.42.0
+
diff --git a/0056-QUIC-Better-SSL_clear.patch b/0056-QUIC-Better-SSL_clear.patch
new file mode 100644
index 0000000..9c0bf54
--- /dev/null
+++ b/0056-QUIC-Better-SSL_clear.patch
@@ -0,0 +1,216 @@
+From b90c5da95a0074369b390abce0f1522006c5d632 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Fri, 29 Oct 2021 14:15:06 -0400
+Subject: [PATCH 56/63] QUIC: Better SSL_clear()
+
+Undo SSL_clear() changes in test
+Break apart SSL_clear() into SSL_clear_quic() and SSL_clear_not_quic()
+In SSL_clear(), call both functions
+In SSL_accept(), call SSL_clear_not_quic()
+Don't make the new functions public.
+---
+ ssl/ssl_lib.c | 81 +++++++++++++++++++++++++++------------------
+ ssl/ssl_local.h | 5 +++
+ ssl/statem/statem.c | 5 +++
+ test/sslapitest.c | 17 +++-------
+ 4 files changed, 63 insertions(+), 45 deletions(-)
+
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 3d1734b7cd..e636383e76 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -567,7 +567,56 @@ static void clear_ciphers(SSL *s)
+ ssl_clear_hash_ctx(&s->write_hash);
+ }
+
++#ifndef OPENSSL_NO_QUIC
+ int SSL_clear(SSL *s)
++{
++ if (!SSL_clear_not_quic(s))
++ return 0;
++ return SSL_clear_quic(s);
++}
++
++int SSL_clear_quic(SSL *s)
++{
++ OPENSSL_free(s->ext.peer_quic_transport_params_draft);
++ s->ext.peer_quic_transport_params_draft = NULL;
++ s->ext.peer_quic_transport_params_draft_len = 0;
++ OPENSSL_free(s->ext.peer_quic_transport_params);
++ s->ext.peer_quic_transport_params = NULL;
++ s->ext.peer_quic_transport_params_len = 0;
++ s->quic_read_level = ssl_encryption_initial;
++ s->quic_write_level = ssl_encryption_initial;
++ s->quic_latest_level_received = ssl_encryption_initial;
++ while (s->quic_input_data_head != NULL) {
++ QUIC_DATA *qd;
++
++ qd = s->quic_input_data_head;
++ s->quic_input_data_head = qd->next;
++ OPENSSL_free(qd);
++ }
++ s->quic_input_data_tail = NULL;
++ BUF_MEM_free(s->quic_buf);
++ s->quic_buf = NULL;
++ s->quic_next_record_start = 0;
++ memset(s->client_hand_traffic_secret, 0, EVP_MAX_MD_SIZE);
++ memset(s->server_hand_traffic_secret, 0, EVP_MAX_MD_SIZE);
++ memset(s->client_early_traffic_secret, 0, EVP_MAX_MD_SIZE);
++ /*
++ * CONFIG - DON'T CLEAR
++ * s->ext.quic_transport_params
++ * s->ext.quic_transport_params_len
++ * s->quic_transport_version
++ * s->quic_method = NULL;
++ */
++ return 1;
++}
++#endif
++
++/* Keep this conditional very local */
++#ifndef OPENSSL_NO_QUIC
++int SSL_clear_not_quic(SSL *s)
++#else
++int SSL_clear(SSL *s)
++#endif
+ {
+ if (s->method == NULL) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_NO_METHOD_SPECIFIED);
+@@ -626,38 +675,6 @@ int SSL_clear(SSL *s)
+ s->shared_sigalgs = NULL;
+ s->shared_sigalgslen = 0;
+
+-#if !defined(OPENSSL_NO_QUIC)
+- OPENSSL_free(s->ext.peer_quic_transport_params_draft);
+- s->ext.peer_quic_transport_params_draft = NULL;
+- s->ext.peer_quic_transport_params_draft_len = 0;
+- OPENSSL_free(s->ext.peer_quic_transport_params);
+- s->ext.peer_quic_transport_params = NULL;
+- s->ext.peer_quic_transport_params_len = 0;
+- s->quic_read_level = ssl_encryption_initial;
+- s->quic_write_level = ssl_encryption_initial;
+- s->quic_latest_level_received = ssl_encryption_initial;
+- while (s->quic_input_data_head != NULL) {
+- QUIC_DATA *qd;
+-
+- qd = s->quic_input_data_head;
+- s->quic_input_data_head = qd->next;
+- OPENSSL_free(qd);
+- }
+- s->quic_input_data_tail = NULL;
+- BUF_MEM_free(s->quic_buf);
+- s->quic_buf = NULL;
+- s->quic_next_record_start = 0;
+- memset(s->client_hand_traffic_secret, 0, EVP_MAX_MD_SIZE);
+- memset(s->server_hand_traffic_secret, 0, EVP_MAX_MD_SIZE);
+- memset(s->client_early_traffic_secret, 0, EVP_MAX_MD_SIZE);
+- /*
+- * CONFIG - DON'T CLEAR
+- * s->ext.quic_transport_params
+- * s->ext.quic_transport_params_len
+- * s->quic_transport_version
+- * s->quic_method = NULL;
+- */
+-#endif
+ /*
+ * Check to see if we were changed into a different method, if so, revert
+ * back.
+diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
+index 9bbc528dd9..3fb1f0956f 100644
+--- a/ssl/ssl_local.h
++++ b/ssl/ssl_local.h
+@@ -2867,6 +2867,11 @@ void custom_exts_free(custom_ext_methods *exts);
+
+ void ssl_comp_free_compression_methods_int(void);
+
++#ifndef OPENSSL_NO_QUIC
++__owur int SSL_clear_not_quic(SSL *s);
++__owur int SSL_clear_quic(SSL *s);
++#endif
++
+ /* ssl_mcnf.c */
+ void ssl_ctx_system_config(SSL_CTX *ctx);
+
+diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c
+index e67ee26e87..d80d4da203 100644
+--- a/ssl/statem/statem.c
++++ b/ssl/statem/statem.c
+@@ -334,8 +334,13 @@ static int state_machine(SSL *s, int server)
+ * If we are stateless then we already called SSL_clear() - don't do
+ * it again and clear the STATELESS flag itself.
+ */
++#ifndef OPENSSL_NO_QUIC
++ if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0 && !SSL_clear_not_quic(s))
++ return -1;
++#else
+ if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0 && !SSL_clear(s))
+ return -1;
++#endif
+ }
+ #ifndef OPENSSL_NO_SCTP
+ if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) {
+diff --git a/test/sslapitest.c b/test/sslapitest.c
+index 977eee0d4b..5d2a754043 100644
+--- a/test/sslapitest.c
++++ b/test/sslapitest.c
+@@ -10198,7 +10198,6 @@ static int test_quic_api_version(int clnt, int srvr)
+ static const char *client_str = "CLIENT";
+ const uint8_t *peer_str;
+ size_t peer_str_len;
+- int err;
+
+ TEST_info("original clnt=0x%X, srvr=0x%X\n", clnt, srvr);
+
+@@ -10221,10 +10220,8 @@ static int test_quic_api_version(int clnt, int srvr)
+ || !TEST_true(SSL_set_app_data(clientssl, serverssl))
+ || !TEST_true(test_quic_api_set_versions(clientssl, clnt))
+ || !TEST_true(test_quic_api_set_versions(serverssl, srvr))
+- || !TEST_int_eq(err = SSL_accept(serverssl), -1)
+- || !TEST_int_eq(SSL_get_error(serverssl, err), SSL_ERROR_WANT_READ)
+ || !TEST_true(create_bare_ssl_connection(serverssl, clientssl,
+- SSL_ERROR_NONE, 0))
++ SSL_ERROR_NONE, 0))
+ || !TEST_true(SSL_version(serverssl) == TLS1_3_VERSION)
+ || !TEST_true(SSL_version(clientssl) == TLS1_3_VERSION)
+ || !(TEST_int_eq(SSL_quic_read_level(clientssl), ssl_encryption_application))
+@@ -10351,7 +10348,6 @@ static int quic_setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx,
+ {
+ static const char *server_str = "SERVER";
+ static const char *client_str = "CLIENT";
+- int err;
+
+ if (*sctx == NULL
+ && (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+@@ -10429,10 +10425,8 @@ static int quic_setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx,
+ if (sess == NULL)
+ return 1;
+
+- if (!TEST_int_eq(err = SSL_accept(*serverssl), -1)
+- || !TEST_int_eq(SSL_get_error(*serverssl, err), SSL_ERROR_WANT_READ)
+- || !TEST_true(create_bare_ssl_connection(*serverssl, *clientssl,
+- SSL_ERROR_NONE, 0)))
++ if (!TEST_true(create_bare_ssl_connection(*serverssl, *clientssl,
++ SSL_ERROR_NONE, 0)))
+ return 0;
+
+ /* Deal with two NewSessionTickets */
+@@ -10471,15 +10465,12 @@ static int test_quic_early_data(int tst)
+ SSL *clientssl = NULL, *serverssl = NULL;
+ int testresult = 0;
+ SSL_SESSION *sess = NULL;
+- int err;
+
+ if (!TEST_true(quic_setupearly_data_test(&cctx, &sctx, &clientssl,
+ &serverssl, &sess, tst)))
+ goto end;
+
+- if (!TEST_int_eq(err = SSL_accept(serverssl), -1)
+- || !TEST_int_eq(SSL_get_error(serverssl, err), SSL_ERROR_WANT_READ)
+- || !TEST_true(create_bare_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE, 0))
++ if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE, 0))
+ || !TEST_true(SSL_get_early_data_status(serverssl)))
+ goto end;
+
+--
+2.42.0
+
diff --git a/0059-QUIC-Fix-extension-test.patch b/0059-QUIC-Fix-extension-test.patch
new file mode 100644
index 0000000..ddd0a2e
--- /dev/null
+++ b/0059-QUIC-Fix-extension-test.patch
@@ -0,0 +1,46 @@
+From d1ac5c28b113f9faebea2eadca9520bac580f931 Mon Sep 17 00:00:00 2001
+From: Todd Short <tshort@akamai.com>
+Date: Tue, 1 Nov 2022 12:55:46 -0400
+Subject: [PATCH 59/63] QUIC: Fix extension test
+
+---
+ ssl/ssl_local.h | 4 ++--
+ test/ext_internal_test.c | 7 +++++++
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
+index 3fb1f0956f..93f77f9612 100644
+--- a/ssl/ssl_local.h
++++ b/ssl/ssl_local.h
+@@ -773,8 +773,8 @@ typedef enum tlsext_index_en {
+ TLSEXT_IDX_cryptopro_bug,
+ TLSEXT_IDX_early_data,
+ TLSEXT_IDX_certificate_authorities,
+- TLSEXT_IDX_quic_transport_params_draft,
+- TLSEXT_IDX_quic_transport_params,
++ TLSEXT_IDX_quic_transport_parameters_draft,
++ TLSEXT_IDX_quic_transport_parameters,
+ TLSEXT_IDX_padding,
+ TLSEXT_IDX_psk,
+ /* Dummy index - must always be the last entry */
+diff --git a/test/ext_internal_test.c b/test/ext_internal_test.c
+index dec6ee61ef..769b25391d 100644
+--- a/test/ext_internal_test.c
++++ b/test/ext_internal_test.c
+@@ -69,6 +69,13 @@ static EXT_LIST ext_list[] = {
+ EXT_ENTRY(cryptopro_bug),
+ EXT_ENTRY(early_data),
+ EXT_ENTRY(certificate_authorities),
++#ifndef OPENSSL_NO_QUIC
++ EXT_ENTRY(quic_transport_parameters_draft),
++ EXT_ENTRY(quic_transport_parameters),
++#else
++ EXT_EXCEPTION(quic_transport_parameters_draft),
++ EXT_EXCEPTION(quic_transport_parameters),
++#endif
+ EXT_ENTRY(padding),
+ EXT_ENTRY(psk),
+ EXT_END(num_builtins)
+--
+2.42.0
+
diff --git a/0063-QUIC-Fix-use-of-create_a_psk.patch b/0063-QUIC-Fix-use-of-create_a_psk.patch
new file mode 100644
index 0000000..d283b28
--- /dev/null
+++ b/0063-QUIC-Fix-use-of-create_a_psk.patch
@@ -0,0 +1,25 @@
+From ee904e9093c377d0919a65dae9e06530c4459c6b Mon Sep 17 00:00:00 2001
+From: Todd Short <todd.short@me.com>
+Date: Tue, 1 Aug 2023 13:59:55 -0400
+Subject: [PATCH 63/63] QUIC: Fix use of create_a_psk
+
+---
+ test/sslapitest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test/sslapitest.c b/test/sslapitest.c
+index 5d2a754043..18d7941d2d 100644
+--- a/test/sslapitest.c
++++ b/test/sslapitest.c
+@@ -10395,7 +10395,7 @@ static int quic_setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx,
+ return 0;
+
+ if (idx == 2) {
+- clientpsk = create_a_psk(*clientssl);
++ clientpsk = create_a_psk(*clientssl, SHA384_DIGEST_LENGTH);
+ if (!TEST_ptr(clientpsk)
+ || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
+ 0xffffffffu))
+--
+2.42.0
+
diff --git a/openssl.spec b/openssl.spec
index 753af24..9ce01dd 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -6,15 +6,19 @@
%endif
# (tpg) enable PGO build
+%if %{cross_compiling}
+%bcond_with pgo
+%else
%bcond_without pgo
+%endif
%global optflags %{optflags} -O3
# (tpg) use LLVM/polly for polyhedra optimization and automatic vector code generation
-%define pollyflags -mllvm -polly -mllvm -polly-run-dce -mllvm -polly-run-inliner -mllvm -polly-isl-arg=--no-schedule-serialize-sccs -mllvm -polly-ast-use-context -mllvm -polly-detect-keep-going -mllvm -polly-vectorizer=stripmine
-# "-mllvm -polly-invariant-load-hoisting" removed for now because of https://github.com/llvm/llvm-project/issues/57413
+%define pollyflags -mllvm -polly -mllvm -polly-position=early -mllvm -polly-parallel=true -fopenmp -fopenmp-version=50 -mllvm -polly-dependences-computeout=5000000 -mllvm -polly-detect-profitability-min-per-loop-insts=40 -mllvm -polly-tiling=true -mllvm -polly-prevect-width=256 -mllvm -polly-vectorizer=stripmine -mllvm -polly-omp-backend=LLVM -mllvm -polly-num-threads=0 -mllvm -polly-enable-delicm=true -mllvm -extra-vectorizer-passes -mllvm -enable-cond-stores-vec -mllvm -slp-vectorize-hor-store -mllvm -enable-loopinterchange -mllvm -enable-loop-distribute -mllvm -enable-unroll-and-jam -mllvm -enable-loop-flatten -mllvm -interleave-small-loop-scalar-reduction -mllvm -unroll-runtime-multi-exit -mllvm -aggressive-ext-opt -mllvm -polly-scheduling=dynamic -mllvm -polly-scheduling-chunksize=1 -mllvm -polly-invariant-load-hoisting -mllvm -polly-loopfusion-greedy -mllvm -polly-run-inliner
+# (tpg) 2022-11-21 this -mllvm -polly-run-dce causes segfault on aarch64
-#define beta beta2
+#define beta beta1
%define major 3
%define libssl %mklibname ssl %{major}
%define libcrypto %mklibname crypto %{major}
@@ -26,12 +30,66 @@
%define static32 libopenssl-static-devel
Name: openssl
-Version: 3.0.6
+Version: 3.1.5
Release: %{?beta:0.%{beta}.}1
Group: System/Libraries
Summary: The OpenSSL cryptography and TLS library
Source0: https://www.openssl.org/source/openssl-%{version}%{?beta:-%{beta}}.tar.gz
Patch0: openssl-3.0-additional-clang-targets.patch
+# QUIC support patches from https://github.com/quictls/openssl
+Patch1000: 0001-QUIC-Add-support-for-BoringSSL-QUIC-APIs.patch
+Patch1001: 0002-QUIC-New-method-to-get-QUIC-secret-length.patch
+Patch1002: 0003-QUIC-Make-temp-secret-names-less-confusing.patch
+Patch1003: 0004-QUIC-Move-QUIC-transport-params-to-encrypted-extensi.patch
+Patch1004: 0005-QUIC-Use-proper-secrets-for-handshake.patch
+Patch1005: 0006-QUIC-Handle-partial-handshake-messages.patch
+Patch1006: 0007-QUIC-Fix-duplicate-word-in-docs.patch
+Patch1007: 0008-QUIC-Fix-quic_transport-constructors-parsers.patch
+Patch1008: 0009-QUIC-Reset-init-state-in-SSL_process_quic_post_hands.patch
+Patch1009: 0010-QUIC-Don-t-process-an-incomplete-message.patch
+Patch1010: 0011-QUIC-Quick-fix-s2c-to-c2s-for-early-secret.patch
+Patch1011: 0012-QUIC-Add-client-early-traffic-secret-storage.patch
+Patch1012: 0013-QUIC-Add-OPENSSL_NO_QUIC-wrapper.patch
+Patch1013: 0014-QUIC-Correctly-disable-middlebox-compat.patch
+Patch1014: 0015-QUIC-Move-QUIC-code-out-of-tls13_change_cipher_state.patch
+Patch1015: 0016-QUIC-Tweeks-to-quic_change_cipher_state.patch
+Patch1016: 0017-QUIC-Add-support-for-more-secrets.patch
+Patch1017: 0018-QUIC-Fix-resumption-secret.patch
+Patch1018: 0019-QUIC-Handle-EndOfEarlyData-and-MaxEarlyData.patch
+Patch1019: 0020-QUIC-Fall-through-for-0RTT.patch
+Patch1020: 0021-QUIC-Some-cleanup-for-the-main-QUIC-changes.patch
+Patch1021: 0022-QUIC-Prevent-KeyUpdate-for-QUIC.patch
+Patch1022: 0023-QUIC-Test-KeyUpdate-rejection.patch
+Patch1023: 0024-QUIC-Buffer-all-provided-quic-data.patch
+Patch1024: 0025-QUIC-Enforce-consistent-encryption-level-for-handsha.patch
+Patch1025: 0026-QUIC-add-v1-quic_transport_parameters.patch
+Patch1026: 0027-QUIC-return-success-when-no-post-handshake-data.patch
+Patch1027: 0028-QUIC-__owur-makes-no-sense-for-void-return-values.patch
+Patch1028: 0029-QUIC-remove-SSL_R_BAD_DATA_LENGTH-unused.patch
+Patch1029: 0030-QUIC-Update-shared-library-version.patch
+Patch1031: 0032-QUIC-Fix-3.0.0-GitHub-CI.patch
+Patch1032: 0033-QUIC-SSLerr-ERR_raise-ERR_LIB_SSL.patch
+Patch1033: 0034-QUIC-Add-compile-run-time-checking-for-QUIC.patch
+Patch1034: 0035-QUIC-Add-early-data-support-11.patch
+Patch1035: 0036-QUIC-Make-SSL_provide_quic_data-accept-0-length-data.patch
+Patch1036: 0037-QUIC-Process-multiple-post-handshake-messages-in-a-s.patch
+Patch1037: 0038-QUIC-Tighten-up-some-language-in-SSL_CTX_set_quic_me.patch
+Patch1039: 0040-QUIC-Fix-CI-20.patch
+Patch1040: 0041-QUIC-Break-up-header-body-processing.patch
+Patch1041: 0042-QUIC-Fix-make-doc-nits.patch
+Patch1044: 0045-QUIC-Don-t-muck-with-FIPS-checksums.patch
+Patch1046: 0047-QUIC-Update-RFC-references.patch
+Patch1047: 0048-QUIC-revert-white-space-change.patch
+Patch1048: 0049-QUIC-update-copyrights.patch
+Patch1049: 0050-QUIC-update-SSL_provide_quic_data-documentation.patch
+Patch1050: 0051-QUIC-expound-on-what-DoS-attacks-QUIC-avoids.patch
+Patch1051: 0052-QUIC-remove-SSL_get_current_cipher-reference.patch
+Patch1052: 0053-QUIC-use-SSL_IS_QUIC-in-more-places.patch
+Patch1053: 0054-QUIC-Error-when-non-empty-session_id-in-CH-fixes-29.patch
+Patch1054: 0055-QUIC-Update-SSL_clear-to-clear-quic-data.patch
+Patch1055: 0056-QUIC-Better-SSL_clear.patch
+Patch1058: 0059-QUIC-Fix-extension-test.patch
+Patch1062: 0063-QUIC-Fix-use-of-create_a_psk.patch
License: Apache 2.0
BuildRequires: perl
BuildRequires: perl(Pod::Man)
@@ -89,6 +147,7 @@ Group: System/Libraries
The OpenSSL SSL/TLS library.
%files -n %{libssl}
+%{_modulesloaddir}/openssl-tls.conf
%{_libdir}/libssl.so.%{major}*
%package -n %{libcrypto}
@@ -137,6 +196,7 @@ Static libraries for OpenSSL.
Summary: The OpenSSL SSL/TLS library (32-bit)
Group: System/Libraries
BuildRequires: libc6
+BuildRequires: devel(libz)
Requires: libc6
%description -n %{lib32ssl}
@@ -238,7 +298,7 @@ cd build32
--prefix=%{_prefix} \
--libdir=%{_prefix}/lib \
--openssldir=%{_sysconfdir}/pki/tls \
- threads shared zlib-dynamic sctp 386 enable-fips enable-ktls no-tests
+ threads shared zlib sctp 386 enable-fips enable-ktls no-tests
%make_build
cd ..
@@ -269,15 +329,12 @@ LDFLAGS="$LDFLAGS -fprofile-generate" \
%ifarch %{x86_64} %{ix86}
386 \
%endif
- threads shared zlib-dynamic sctp enable-fips enable-ktls no-tests
+ threads shared zlib sctp enable-fips enable-ktls no-tests
%make_build
-# Run benchmarks on relevant algorithms to generate profile data.
-# We consider "relevant":
-# - Anything used in TLS 1.3
-# - Anything used by OpenSSH
-LD_PRELOAD="./libcrypto.so ./libssl.so" apps/openssl speed sha1 sha256 sha512 aes-128-cbc ecdsa eddsa md5 rsa des-ede3
+# Run benchmarks on all algorithms to generate profile data.
+LD_PRELOAD="./libcrypto.so ./libssl.so" apps/openssl speed
unset LD_LIBRARY_PATH
llvm-profdata merge --output=%{name}-llvm.profdata $(find . -name "*.profraw" -type f)
@@ -290,6 +347,8 @@ CFLAGS="$CFLAGS -fprofile-use=$PROFDATA %{pollyflags}" \
CXXFLAGS="%{optflags} -fprofile-use=$PROFDATA %{pollyflags}" \
LDFLAGS="$LDFLAGS -fprofile-use=$PROFDATA" \
%endif
+CC="%{__cc}" \
+CXX="%{__cxx}" \
../Configure ${TARGET} \
--prefix=%{_prefix} \
--libdir=%{_libdir} \
@@ -300,7 +359,7 @@ LDFLAGS="$LDFLAGS -fprofile-use=$PROFDATA" \
%ifarch %{x86_64} %{ix86}
386 \
%endif
- threads shared zlib-dynamic sctp enable-fips enable-ktls no-tests
+ threads shared zlib sctp enable-fips enable-ktls no-tests
%make_build
@@ -313,12 +372,18 @@ LDFLAGS="$LDFLAGS -fprofile-use=$PROFDATA" \
# Replace bogus absolute symlinks pointing to the buildroot
cd %{buildroot}%{_mandir}
for i in *; do
- cd "$i"
+ cd "$i"
for j in *; do
- [ -L "$j" ] && ln -sf "$(basename $(ls -l "$j" |cut -d'>' -f2-))" "$j"
+ [ -L "$j" ] && ln -sf "$(basename $(ls -l "$j" |cut -d'>' -f2-))" "$j"
done
- cd ..
+ cd ..
done
# Used by e.g. %_create_ssl_certificate (rpm-helper)
mkdir -p %{buildroot}%{_sysconfdir}/pki/tls/private
+
+# enable kernel TLS offload support
+mkdir -p %{buildroot}%{_modulesloaddir}
+cat > %{buildroot}%{_modulesloaddir}/openssl-tls.conf << EOF
+tls
+EOF