summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorjsing <>2022-02-05 14:54:10 +0000
committerjsing <>2022-02-05 14:54:10 +0000
commit83e485da0e6d59ae7baf4be882b7d2a569774e84 (patch)
treeda7fe094101bf3711667cf1650e3c6f57a50e2ff /src
parenta97d9e9ca8287d1d19559ab919f71b5c5771caeb (diff)
downloadopenbsd-83e485da0e6d59ae7baf4be882b7d2a569774e84.tar.gz
openbsd-83e485da0e6d59ae7baf4be882b7d2a569774e84.tar.bz2
openbsd-83e485da0e6d59ae7baf4be882b7d2a569774e84.zip
Bye bye S3I.
S3I has served us well, however now that libssl is fully opaque it is time to say goodbye. Aside from removing the calloc/free/memset, the rest is mechanical sed. ok inoguchi@ tb@
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/d1_both.c16
-rw-r--r--src/lib/libssl/d1_pkt.c84
-rw-r--r--src/lib/libssl/s3_lib.c143
-rw-r--r--src/lib/libssl/ssl_both.c86
-rw-r--r--src/lib/libssl/ssl_cert.c4
-rw-r--r--src/lib/libssl/ssl_ciph.c6
-rw-r--r--src/lib/libssl/ssl_ciphers.c10
-rw-r--r--src/lib/libssl/ssl_clnt.c272
-rw-r--r--src/lib/libssl/ssl_err.c4
-rw-r--r--src/lib/libssl/ssl_lib.c46
-rw-r--r--src/lib/libssl/ssl_locl.h22
-rw-r--r--src/lib/libssl/ssl_packet.c6
-rw-r--r--src/lib/libssl/ssl_pkt.c204
-rw-r--r--src/lib/libssl/ssl_sigalgs.c14
-rw-r--r--src/lib/libssl/ssl_srvr.c272
-rw-r--r--src/lib/libssl/ssl_stat.c6
-rw-r--r--src/lib/libssl/ssl_tlsext.c200
-rw-r--r--src/lib/libssl/ssl_transcript.c44
-rw-r--r--src/lib/libssl/ssl_versions.c10
-rw-r--r--src/lib/libssl/t1_enc.c20
-rw-r--r--src/lib/libssl/tls12_lib.c18
-rw-r--r--src/lib/libssl/tls13_legacy.c34
-rw-r--r--src/lib/libssl/tls13_lib.c6
23 files changed, 755 insertions, 772 deletions
diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index 07c868f45e..fd7c07a4d5 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_both.c,v 1.80 2021/10/23 13:36:03 jsing Exp $ */ 1/* $OpenBSD: d1_both.c,v 1.81 2022/02/05 14:54:10 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -380,15 +380,15 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max)
380 * s3->internal->tmp is used to store messages that are unexpected, caused 380 * s3->internal->tmp is used to store messages that are unexpected, caused
381 * by the absence of an optional handshake message 381 * by the absence of an optional handshake message
382 */ 382 */
383 if (S3I(s)->hs.tls12.reuse_message) { 383 if (s->s3->hs.tls12.reuse_message) {
384 S3I(s)->hs.tls12.reuse_message = 0; 384 s->s3->hs.tls12.reuse_message = 0;
385 if ((mt >= 0) && (S3I(s)->hs.tls12.message_type != mt)) { 385 if ((mt >= 0) && (s->s3->hs.tls12.message_type != mt)) {
386 al = SSL_AD_UNEXPECTED_MESSAGE; 386 al = SSL_AD_UNEXPECTED_MESSAGE;
387 SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); 387 SSLerror(s, SSL_R_UNEXPECTED_MESSAGE);
388 goto fatal_err; 388 goto fatal_err;
389 } 389 }
390 s->internal->init_msg = s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH; 390 s->internal->init_msg = s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH;
391 s->internal->init_num = (int)S3I(s)->hs.tls12.message_size; 391 s->internal->init_num = (int)s->s3->hs.tls12.message_size;
392 return 1; 392 return 1;
393 } 393 }
394 394
@@ -463,9 +463,9 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)
463 return SSL_AD_INTERNAL_ERROR; 463 return SSL_AD_INTERNAL_ERROR;
464 } 464 }
465 465
466 S3I(s)->hs.tls12.message_size = msg_len; 466 s->s3->hs.tls12.message_size = msg_len;
467 s->d1->r_msg_hdr.msg_len = msg_len; 467 s->d1->r_msg_hdr.msg_len = msg_len;
468 S3I(s)->hs.tls12.message_type = msg_hdr->type; 468 s->s3->hs.tls12.message_type = msg_hdr->type;
469 s->d1->r_msg_hdr.type = msg_hdr->type; 469 s->d1->r_msg_hdr.type = msg_hdr->type;
470 s->d1->r_msg_hdr.seq = msg_hdr->seq; 470 s->d1->r_msg_hdr.seq = msg_hdr->seq;
471 } else if (msg_len != s->d1->r_msg_hdr.msg_len) { 471 } else if (msg_len != s->d1->r_msg_hdr.msg_len) {
@@ -818,7 +818,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
818 goto fatal_err; 818 goto fatal_err;
819 819
820 /* XDTLS: ressurect this when restart is in place */ 820 /* XDTLS: ressurect this when restart is in place */
821 S3I(s)->hs.state = stn; 821 s->s3->hs.state = stn;
822 822
823 if (frag_len > 0) { 823 if (frag_len > 0) {
824 unsigned char *p = (unsigned char *)s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH; 824 unsigned char *p = (unsigned char *)s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH;
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index 12a711324a..e884f2d592 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_pkt.c,v 1.116 2021/11/09 18:40:21 bcook Exp $ */ 1/* $OpenBSD: d1_pkt.c,v 1.117 2022/02/05 14:54:10 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -191,12 +191,12 @@ static int dtls1_process_record(SSL *s);
191static int 191static int
192dtls1_copy_record(SSL *s, DTLS1_RECORD_DATA_INTERNAL *rdata) 192dtls1_copy_record(SSL *s, DTLS1_RECORD_DATA_INTERNAL *rdata)
193{ 193{
194 ssl3_release_buffer(&S3I(s)->rbuf); 194 ssl3_release_buffer(&s->s3->rbuf);
195 195
196 s->internal->packet = rdata->packet; 196 s->internal->packet = rdata->packet;
197 s->internal->packet_length = rdata->packet_length; 197 s->internal->packet_length = rdata->packet_length;
198 memcpy(&(S3I(s)->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER_INTERNAL)); 198 memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER_INTERNAL));
199 memcpy(&(S3I(s)->rrec), &(rdata->rrec), sizeof(SSL3_RECORD_INTERNAL)); 199 memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD_INTERNAL));
200 200
201 return (1); 201 return (1);
202} 202}
@@ -218,15 +218,15 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
218 218
219 rdata->packet = s->internal->packet; 219 rdata->packet = s->internal->packet;
220 rdata->packet_length = s->internal->packet_length; 220 rdata->packet_length = s->internal->packet_length;
221 memcpy(&(rdata->rbuf), &(S3I(s)->rbuf), sizeof(SSL3_BUFFER_INTERNAL)); 221 memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER_INTERNAL));
222 memcpy(&(rdata->rrec), &(S3I(s)->rrec), sizeof(SSL3_RECORD_INTERNAL)); 222 memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD_INTERNAL));
223 223
224 item->data = rdata; 224 item->data = rdata;
225 225
226 s->internal->packet = NULL; 226 s->internal->packet = NULL;
227 s->internal->packet_length = 0; 227 s->internal->packet_length = 0;
228 memset(&(S3I(s)->rbuf), 0, sizeof(SSL3_BUFFER_INTERNAL)); 228 memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER_INTERNAL));
229 memset(&(S3I(s)->rrec), 0, sizeof(SSL3_RECORD_INTERNAL)); 229 memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD_INTERNAL));
230 230
231 if (!ssl3_setup_buffers(s)) 231 if (!ssl3_setup_buffers(s))
232 goto err; 232 goto err;
@@ -293,7 +293,7 @@ dtls1_process_buffered_record(SSL *s)
293static int 293static int
294dtls1_process_record(SSL *s) 294dtls1_process_record(SSL *s)
295{ 295{
296 SSL3_RECORD_INTERNAL *rr = &(S3I(s)->rrec); 296 SSL3_RECORD_INTERNAL *rr = &(s->s3->rrec);
297 uint8_t alert_desc; 297 uint8_t alert_desc;
298 uint8_t *out; 298 uint8_t *out;
299 size_t out_len; 299 size_t out_len;
@@ -349,7 +349,7 @@ dtls1_process_record(SSL *s)
349int 349int
350dtls1_get_record(SSL *s) 350dtls1_get_record(SSL *s)
351{ 351{
352 SSL3_RECORD_INTERNAL *rr = &(S3I(s)->rrec); 352 SSL3_RECORD_INTERNAL *rr = &(s->s3->rrec);
353 unsigned char *p = NULL; 353 unsigned char *p = NULL;
354 DTLS1_BITMAP *bitmap; 354 DTLS1_BITMAP *bitmap;
355 unsigned int is_next_epoch; 355 unsigned int is_next_epoch;
@@ -517,7 +517,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
517 unsigned int n; 517 unsigned int n;
518 SSL3_RECORD_INTERNAL *rr; 518 SSL3_RECORD_INTERNAL *rr;
519 519
520 if (S3I(s)->rbuf.buf == NULL) /* Not initialized yet */ 520 if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
521 if (!ssl3_setup_buffers(s)) 521 if (!ssl3_setup_buffers(s))
522 return (-1); 522 return (-1);
523 523
@@ -554,17 +554,17 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
554 554
555 s->internal->rwstate = SSL_NOTHING; 555 s->internal->rwstate = SSL_NOTHING;
556 556
557 /* S3I(s)->rrec.type - is the type of record 557 /* s->s3->rrec.type - is the type of record
558 * S3I(s)->rrec.data, - data 558 * s->s3->rrec.data, - data
559 * S3I(s)->rrec.off, - offset into 'data' for next read 559 * s->s3->rrec.off, - offset into 'data' for next read
560 * S3I(s)->rrec.length, - number of bytes. */ 560 * s->s3->rrec.length, - number of bytes. */
561 rr = &(S3I(s)->rrec); 561 rr = &(s->s3->rrec);
562 562
563 /* We are not handshaking and have no data yet, 563 /* We are not handshaking and have no data yet,
564 * so process data buffered during the last handshake 564 * so process data buffered during the last handshake
565 * in advance, if any. 565 * in advance, if any.
566 */ 566 */
567 if (S3I(s)->hs.state == SSL_ST_OK && rr->length == 0) 567 if (s->s3->hs.state == SSL_ST_OK && rr->length == 0)
568 dtls1_retrieve_buffered_record(s, &(s->d1->buffered_app_data)); 568 dtls1_retrieve_buffered_record(s, &(s->d1->buffered_app_data));
569 569
570 /* Check for timeout */ 570 /* Check for timeout */
@@ -591,7 +591,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
591 591
592 /* we now have a packet which can be read and processed */ 592 /* we now have a packet which can be read and processed */
593 593
594 if (S3I(s)->change_cipher_spec /* set when we receive ChangeCipherSpec, 594 if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
595 * reset by ssl3_get_finished */ 595 * reset by ssl3_get_finished */
596 && (rr->type != SSL3_RT_HANDSHAKE)) { 596 && (rr->type != SSL3_RT_HANDSHAKE)) {
597 /* We now have application data between CCS and Finished. 597 /* We now have application data between CCS and Finished.
@@ -667,7 +667,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
667 * Application data while renegotiating is allowed. 667 * Application data while renegotiating is allowed.
668 * Try reading again. 668 * Try reading again.
669 */ 669 */
670 S3I(s)->in_read_app_data = 2; 670 s->s3->in_read_app_data = 2;
671 ssl_force_want_read(s); 671 ssl_force_want_read(s);
672 return -1; 672 return -1;
673 } else { 673 } else {
@@ -708,7 +708,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
708 708
709 if (SSL_is_init_finished(s) && 709 if (SSL_is_init_finished(s) &&
710 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && 710 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
711 !S3I(s)->renegotiate) { 711 !s->s3->renegotiate) {
712 s->d1->handshake_read_seq++; 712 s->d1->handshake_read_seq++;
713 s->internal->new_session = 1; 713 s->internal->new_session = 1;
714 ssl3_renegotiate(s); 714 ssl3_renegotiate(s);
@@ -722,7 +722,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
722 } 722 }
723 723
724 if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) { 724 if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) {
725 if (S3I(s)->rbuf.left == 0) { 725 if (s->s3->rbuf.left == 0) {
726 ssl_force_want_read(s); 726 ssl_force_want_read(s);
727 return (-1); 727 return (-1);
728 } 728 }
@@ -746,14 +746,14 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
746 (alert_level << 8) | alert_descr); 746 (alert_level << 8) | alert_descr);
747 747
748 if (alert_level == SSL3_AL_WARNING) { 748 if (alert_level == SSL3_AL_WARNING) {
749 S3I(s)->warn_alert = alert_descr; 749 s->s3->warn_alert = alert_descr;
750 if (alert_descr == SSL_AD_CLOSE_NOTIFY) { 750 if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
751 s->internal->shutdown |= SSL_RECEIVED_SHUTDOWN; 751 s->internal->shutdown |= SSL_RECEIVED_SHUTDOWN;
752 return (0); 752 return (0);
753 } 753 }
754 } else if (alert_level == SSL3_AL_FATAL) { 754 } else if (alert_level == SSL3_AL_FATAL) {
755 s->internal->rwstate = SSL_NOTHING; 755 s->internal->rwstate = SSL_NOTHING;
756 S3I(s)->fatal_alert = alert_descr; 756 s->s3->fatal_alert = alert_descr;
757 SSLerror(s, SSL_AD_REASON_OFFSET + alert_descr); 757 SSLerror(s, SSL_AD_REASON_OFFSET + alert_descr);
758 ERR_asprintf_error_data("SSL alert number %d", 758 ERR_asprintf_error_data("SSL alert number %d",
759 alert_descr); 759 alert_descr);
@@ -799,7 +799,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
799 799
800 s->d1->change_cipher_spec_ok = 0; 800 s->d1->change_cipher_spec_ok = 0;
801 801
802 S3I(s)->change_cipher_spec = 1; 802 s->s3->change_cipher_spec = 1;
803 if (!ssl3_do_change_cipher_spec(s)) 803 if (!ssl3_do_change_cipher_spec(s))
804 goto err; 804 goto err;
805 805
@@ -835,9 +835,9 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
835 goto start; 835 goto start;
836 } 836 }
837 837
838 if (((S3I(s)->hs.state&SSL_ST_MASK) == SSL_ST_OK) && 838 if (((s->s3->hs.state&SSL_ST_MASK) == SSL_ST_OK) &&
839 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) { 839 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) {
840 S3I(s)->hs.state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; 840 s->s3->hs.state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
841 s->internal->renegotiate = 1; 841 s->internal->renegotiate = 1;
842 s->internal->new_session = 1; 842 s->internal->new_session = 1;
843 } 843 }
@@ -850,7 +850,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
850 } 850 }
851 851
852 if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) { 852 if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) {
853 if (S3I(s)->rbuf.left == 0) { 853 if (s->s3->rbuf.left == 0) {
854 ssl_force_want_read(s); 854 ssl_force_want_read(s);
855 return (-1); 855 return (-1);
856 } 856 }
@@ -881,15 +881,15 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
881 * at this point (session renegotiation not yet started), 881 * at this point (session renegotiation not yet started),
882 * we will indulge it. 882 * we will indulge it.
883 */ 883 */
884 if (S3I(s)->in_read_app_data && 884 if (s->s3->in_read_app_data &&
885 (S3I(s)->total_renegotiations != 0) && 885 (s->s3->total_renegotiations != 0) &&
886 (((S3I(s)->hs.state & SSL_ST_CONNECT) && 886 (((s->s3->hs.state & SSL_ST_CONNECT) &&
887 (S3I(s)->hs.state >= SSL3_ST_CW_CLNT_HELLO_A) && 887 (s->s3->hs.state >= SSL3_ST_CW_CLNT_HELLO_A) &&
888 (S3I(s)->hs.state <= SSL3_ST_CR_SRVR_HELLO_A)) || ( 888 (s->s3->hs.state <= SSL3_ST_CR_SRVR_HELLO_A)) || (
889 (S3I(s)->hs.state & SSL_ST_ACCEPT) && 889 (s->s3->hs.state & SSL_ST_ACCEPT) &&
890 (S3I(s)->hs.state <= SSL3_ST_SW_HELLO_REQ_A) && 890 (s->s3->hs.state <= SSL3_ST_SW_HELLO_REQ_A) &&
891 (S3I(s)->hs.state >= SSL3_ST_SR_CLNT_HELLO_A)))) { 891 (s->s3->hs.state >= SSL3_ST_SR_CLNT_HELLO_A)))) {
892 S3I(s)->in_read_app_data = 2; 892 s->s3->in_read_app_data = 2;
893 return (-1); 893 return (-1);
894 } else { 894 } else {
895 al = SSL_AD_UNEXPECTED_MESSAGE; 895 al = SSL_AD_UNEXPECTED_MESSAGE;
@@ -947,7 +947,7 @@ dtls1_write_bytes(SSL *s, int type, const void *buf, int len)
947int 947int
948do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len) 948do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
949{ 949{
950 SSL3_BUFFER_INTERNAL *wb = &(S3I(s)->wbuf); 950 SSL3_BUFFER_INTERNAL *wb = &(s->s3->wbuf);
951 size_t out_len; 951 size_t out_len;
952 CBB cbb; 952 CBB cbb;
953 int ret; 953 int ret;
@@ -964,7 +964,7 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
964 } 964 }
965 965
966 /* If we have an alert to send, let's send it */ 966 /* If we have an alert to send, let's send it */
967 if (S3I(s)->alert_dispatch) { 967 if (s->s3->alert_dispatch) {
968 if ((ret = ssl3_dispatch_alert(s)) <= 0) 968 if ((ret = ssl3_dispatch_alert(s)) <= 0)
969 return (ret); 969 return (ret);
970 /* If it went, fall through and send more stuff. */ 970 /* If it went, fall through and send more stuff. */
@@ -992,10 +992,10 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
992 * Memorize arguments so that ssl3_write_pending can detect 992 * Memorize arguments so that ssl3_write_pending can detect
993 * bad write retries later. 993 * bad write retries later.
994 */ 994 */
995 S3I(s)->wpend_tot = len; 995 s->s3->wpend_tot = len;
996 S3I(s)->wpend_buf = buf; 996 s->s3->wpend_buf = buf;
997 S3I(s)->wpend_type = type; 997 s->s3->wpend_type = type;
998 S3I(s)->wpend_ret = len; 998 s->s3->wpend_ret = len;
999 999
1000 /* We now just need to write the buffer. */ 1000 /* We now just need to write the buffer. */
1001 return ssl3_write_pending(s, type, buf, len); 1001 return ssl3_write_pending(s, type, buf, len);
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index d5a53565f8..916ed4935c 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.225 2022/01/26 11:05:41 tb Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.226 2022/02/05 14:54:10 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1444,8 +1444,8 @@ ssl3_pending(const SSL *s)
1444 if (s->internal->rstate == SSL_ST_READ_BODY) 1444 if (s->internal->rstate == SSL_ST_READ_BODY)
1445 return 0; 1445 return 0;
1446 1446
1447 return (S3I(s)->rrec.type == SSL3_RT_APPLICATION_DATA) ? 1447 return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ?
1448 S3I(s)->rrec.length : 0; 1448 s->s3->rrec.length : 0;
1449} 1449}
1450 1450
1451int 1451int
@@ -1544,10 +1544,6 @@ ssl3_new(SSL *s)
1544{ 1544{
1545 if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL) 1545 if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL)
1546 return (0); 1546 return (0);
1547 if ((S3I(s) = calloc(1, sizeof(*S3I(s)))) == NULL) {
1548 free(s->s3);
1549 return (0);
1550 }
1551 1547
1552 s->method->ssl_clear(s); 1548 s->method->ssl_clear(s);
1553 1549
@@ -1563,23 +1559,22 @@ ssl3_free(SSL *s)
1563 tls1_cleanup_key_block(s); 1559 tls1_cleanup_key_block(s);
1564 ssl3_release_read_buffer(s); 1560 ssl3_release_read_buffer(s);
1565 ssl3_release_write_buffer(s); 1561 ssl3_release_write_buffer(s);
1566 freezero(S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len); 1562 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
1567 1563
1568 tls_key_share_free(S3I(s)->hs.key_share); 1564 tls_key_share_free(s->s3->hs.key_share);
1569 1565
1570 tls13_secrets_destroy(S3I(s)->hs.tls13.secrets); 1566 tls13_secrets_destroy(s->s3->hs.tls13.secrets);
1571 freezero(S3I(s)->hs.tls13.cookie, S3I(s)->hs.tls13.cookie_len); 1567 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len);
1572 tls13_clienthello_hash_clear(&S3I(s)->hs.tls13); 1568 tls13_clienthello_hash_clear(&s->s3->hs.tls13);
1573 1569
1574 sk_X509_NAME_pop_free(S3I(s)->hs.tls12.ca_names, X509_NAME_free); 1570 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
1575 sk_X509_pop_free(s->internal->verified_chain, X509_free); 1571 sk_X509_pop_free(s->internal->verified_chain, X509_free);
1576 1572
1577 tls1_transcript_free(s); 1573 tls1_transcript_free(s);
1578 tls1_transcript_hash_free(s); 1574 tls1_transcript_hash_free(s);
1579 1575
1580 free(S3I(s)->alpn_selected); 1576 free(s->s3->alpn_selected);
1581 1577
1582 freezero(S3I(s), sizeof(*S3I(s)));
1583 freezero(s->s3, sizeof(*s->s3)); 1578 freezero(s->s3, sizeof(*s->s3));
1584 1579
1585 s->s3 = NULL; 1580 s->s3 = NULL;
@@ -1588,65 +1583,61 @@ ssl3_free(SSL *s)
1588void 1583void
1589ssl3_clear(SSL *s) 1584ssl3_clear(SSL *s)
1590{ 1585{
1591 struct ssl3_state_internal_st *internal;
1592 unsigned char *rp, *wp; 1586 unsigned char *rp, *wp;
1593 size_t rlen, wlen; 1587 size_t rlen, wlen;
1594 1588
1595 tls1_cleanup_key_block(s); 1589 tls1_cleanup_key_block(s);
1596 sk_X509_NAME_pop_free(S3I(s)->hs.tls12.ca_names, X509_NAME_free); 1590 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
1597 sk_X509_pop_free(s->internal->verified_chain, X509_free); 1591 sk_X509_pop_free(s->internal->verified_chain, X509_free);
1598 s->internal->verified_chain = NULL; 1592 s->internal->verified_chain = NULL;
1599 1593
1600 freezero(S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len); 1594 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
1601 S3I(s)->hs.sigalgs = NULL; 1595 s->s3->hs.sigalgs = NULL;
1602 S3I(s)->hs.sigalgs_len = 0; 1596 s->s3->hs.sigalgs_len = 0;
1603 1597
1604 tls_key_share_free(S3I(s)->hs.key_share); 1598 tls_key_share_free(s->s3->hs.key_share);
1605 S3I(s)->hs.key_share = NULL; 1599 s->s3->hs.key_share = NULL;
1606 1600
1607 tls13_secrets_destroy(S3I(s)->hs.tls13.secrets); 1601 tls13_secrets_destroy(s->s3->hs.tls13.secrets);
1608 S3I(s)->hs.tls13.secrets = NULL; 1602 s->s3->hs.tls13.secrets = NULL;
1609 freezero(S3I(s)->hs.tls13.cookie, S3I(s)->hs.tls13.cookie_len); 1603 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len);
1610 S3I(s)->hs.tls13.cookie = NULL; 1604 s->s3->hs.tls13.cookie = NULL;
1611 S3I(s)->hs.tls13.cookie_len = 0; 1605 s->s3->hs.tls13.cookie_len = 0;
1612 tls13_clienthello_hash_clear(&S3I(s)->hs.tls13); 1606 tls13_clienthello_hash_clear(&s->s3->hs.tls13);
1613 1607
1614 S3I(s)->hs.extensions_seen = 0; 1608 s->s3->hs.extensions_seen = 0;
1615 1609
1616 rp = S3I(s)->rbuf.buf; 1610 rp = s->s3->rbuf.buf;
1617 wp = S3I(s)->wbuf.buf; 1611 wp = s->s3->wbuf.buf;
1618 rlen = S3I(s)->rbuf.len; 1612 rlen = s->s3->rbuf.len;
1619 wlen = S3I(s)->wbuf.len; 1613 wlen = s->s3->wbuf.len;
1620 1614
1621 tls1_transcript_free(s); 1615 tls1_transcript_free(s);
1622 tls1_transcript_hash_free(s); 1616 tls1_transcript_hash_free(s);
1623 1617
1624 free(S3I(s)->alpn_selected); 1618 free(s->s3->alpn_selected);
1625 S3I(s)->alpn_selected = NULL; 1619 s->s3->alpn_selected = NULL;
1626 S3I(s)->alpn_selected_len = 0; 1620 s->s3->alpn_selected_len = 0;
1627 1621
1628 memset(S3I(s), 0, sizeof(*S3I(s)));
1629 internal = S3I(s);
1630 memset(s->s3, 0, sizeof(*s->s3)); 1622 memset(s->s3, 0, sizeof(*s->s3));
1631 S3I(s) = internal;
1632 1623
1633 S3I(s)->rbuf.buf = rp; 1624 s->s3->rbuf.buf = rp;
1634 S3I(s)->wbuf.buf = wp; 1625 s->s3->wbuf.buf = wp;
1635 S3I(s)->rbuf.len = rlen; 1626 s->s3->rbuf.len = rlen;
1636 S3I(s)->wbuf.len = wlen; 1627 s->s3->wbuf.len = wlen;
1637 1628
1638 ssl_free_wbio_buffer(s); 1629 ssl_free_wbio_buffer(s);
1639 1630
1640 /* Not needed... */ 1631 /* Not needed... */
1641 S3I(s)->renegotiate = 0; 1632 s->s3->renegotiate = 0;
1642 S3I(s)->total_renegotiations = 0; 1633 s->s3->total_renegotiations = 0;
1643 S3I(s)->num_renegotiations = 0; 1634 s->s3->num_renegotiations = 0;
1644 S3I(s)->in_read_app_data = 0; 1635 s->s3->in_read_app_data = 0;
1645 1636
1646 s->internal->packet_length = 0; 1637 s->internal->packet_length = 0;
1647 s->version = TLS1_VERSION; 1638 s->version = TLS1_VERSION;
1648 1639
1649 S3I(s)->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT); 1640 s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT);
1650} 1641}
1651 1642
1652long 1643long
@@ -1657,12 +1648,12 @@ _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key)
1657 1648
1658 *key = NULL; 1649 *key = NULL;
1659 1650
1660 if (S3I(s)->hs.key_share == NULL) 1651 if (s->s3->hs.key_share == NULL)
1661 goto err; 1652 goto err;
1662 1653
1663 if ((pkey = EVP_PKEY_new()) == NULL) 1654 if ((pkey = EVP_PKEY_new()) == NULL)
1664 goto err; 1655 goto err;
1665 if (!tls_key_share_peer_pkey(S3I(s)->hs.key_share, pkey)) 1656 if (!tls_key_share_peer_pkey(s->s3->hs.key_share, pkey))
1666 goto err; 1657 goto err;
1667 1658
1668 *key = pkey; 1659 *key = pkey;
@@ -1685,7 +1676,7 @@ _SSL_session_reused(SSL *s)
1685static int 1676static int
1686_SSL_num_renegotiations(SSL *s) 1677_SSL_num_renegotiations(SSL *s)
1687{ 1678{
1688 return S3I(s)->num_renegotiations; 1679 return s->s3->num_renegotiations;
1689} 1680}
1690 1681
1691static int 1682static int
@@ -1693,8 +1684,8 @@ _SSL_clear_num_renegotiations(SSL *s)
1693{ 1684{
1694 int renegs; 1685 int renegs;
1695 1686
1696 renegs = S3I(s)->num_renegotiations; 1687 renegs = s->s3->num_renegotiations;
1697 S3I(s)->num_renegotiations = 0; 1688 s->s3->num_renegotiations = 0;
1698 1689
1699 return renegs; 1690 return renegs;
1700} 1691}
@@ -1702,7 +1693,7 @@ _SSL_clear_num_renegotiations(SSL *s)
1702static int 1693static int
1703_SSL_total_renegotiations(SSL *s) 1694_SSL_total_renegotiations(SSL *s)
1704{ 1695{
1705 return S3I(s)->total_renegotiations; 1696 return s->s3->total_renegotiations;
1706} 1697}
1707 1698
1708static int 1699static int
@@ -1920,7 +1911,7 @@ _SSL_get_signature_nid(SSL *s, int *nid)
1920{ 1911{
1921 const struct ssl_sigalg *sigalg; 1912 const struct ssl_sigalg *sigalg;
1922 1913
1923 if ((sigalg = S3I(s)->hs.our_sigalg) == NULL) 1914 if ((sigalg = s->s3->hs.our_sigalg) == NULL)
1924 return 0; 1915 return 0;
1925 1916
1926 *nid = EVP_MD_type(sigalg->md()); 1917 *nid = EVP_MD_type(sigalg->md());
@@ -1933,7 +1924,7 @@ _SSL_get_peer_signature_nid(SSL *s, int *nid)
1933{ 1924{
1934 const struct ssl_sigalg *sigalg; 1925 const struct ssl_sigalg *sigalg;
1935 1926
1936 if ((sigalg = S3I(s)->hs.peer_sigalg) == NULL) 1927 if ((sigalg = s->s3->hs.peer_sigalg) == NULL)
1937 return 0; 1928 return 0;
1938 1929
1939 *nid = EVP_MD_type(sigalg->md()); 1930 *nid = EVP_MD_type(sigalg->md());
@@ -1946,7 +1937,7 @@ SSL_get_signature_type_nid(const SSL *s, int *nid)
1946{ 1937{
1947 const struct ssl_sigalg *sigalg; 1938 const struct ssl_sigalg *sigalg;
1948 1939
1949 if ((sigalg = S3I(s)->hs.our_sigalg) == NULL) 1940 if ((sigalg = s->s3->hs.our_sigalg) == NULL)
1950 return 0; 1941 return 0;
1951 1942
1952 *nid = sigalg->key_type; 1943 *nid = sigalg->key_type;
@@ -1962,7 +1953,7 @@ SSL_get_peer_signature_type_nid(const SSL *s, int *nid)
1962{ 1953{
1963 const struct ssl_sigalg *sigalg; 1954 const struct ssl_sigalg *sigalg;
1964 1955
1965 if ((sigalg = S3I(s)->hs.peer_sigalg) == NULL) 1956 if ((sigalg = s->s3->hs.peer_sigalg) == NULL)
1966 return 0; 1957 return 0;
1967 1958
1968 *nid = sigalg->key_type; 1959 *nid = sigalg->key_type;
@@ -2564,7 +2555,7 @@ ssl3_get_req_cert_types(SSL *s, CBB *cbb)
2564{ 2555{
2565 unsigned long alg_k; 2556 unsigned long alg_k;
2566 2557
2567 alg_k = S3I(s)->hs.cipher->algorithm_mkey; 2558 alg_k = s->s3->hs.cipher->algorithm_mkey;
2568 2559
2569#ifndef OPENSSL_NO_GOST 2560#ifndef OPENSSL_NO_GOST
2570 if ((alg_k & SSL_kGOST) != 0) { 2561 if ((alg_k & SSL_kGOST) != 0) {
@@ -2608,7 +2599,7 @@ ssl3_shutdown(SSL *s)
2608 * Don't do anything much if we have not done the handshake or 2599 * Don't do anything much if we have not done the handshake or
2609 * we don't want to send messages :-) 2600 * we don't want to send messages :-)
2610 */ 2601 */
2611 if ((s->internal->quiet_shutdown) || (S3I(s)->hs.state == SSL_ST_BEFORE)) { 2602 if ((s->internal->quiet_shutdown) || (s->s3->hs.state == SSL_ST_BEFORE)) {
2612 s->internal->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); 2603 s->internal->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
2613 return (1); 2604 return (1);
2614 } 2605 }
@@ -2618,11 +2609,11 @@ ssl3_shutdown(SSL *s)
2618 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY); 2609 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY);
2619 /* 2610 /*
2620 * Our shutdown alert has been sent now, and if it still needs 2611 * Our shutdown alert has been sent now, and if it still needs
2621 * to be written, S3I(s)->alert_dispatch will be true 2612 * to be written, s->s3->alert_dispatch will be true
2622 */ 2613 */
2623 if (S3I(s)->alert_dispatch) 2614 if (s->s3->alert_dispatch)
2624 return (-1); /* return WANT_WRITE */ 2615 return (-1); /* return WANT_WRITE */
2625 } else if (S3I(s)->alert_dispatch) { 2616 } else if (s->s3->alert_dispatch) {
2626 /* resend it if not sent */ 2617 /* resend it if not sent */
2627 ret = ssl3_dispatch_alert(s); 2618 ret = ssl3_dispatch_alert(s);
2628 if (ret == -1) { 2619 if (ret == -1) {
@@ -2643,7 +2634,7 @@ ssl3_shutdown(SSL *s)
2643 } 2634 }
2644 2635
2645 if ((s->internal->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && 2636 if ((s->internal->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
2646 !S3I(s)->alert_dispatch) 2637 !s->s3->alert_dispatch)
2647 return (1); 2638 return (1);
2648 else 2639 else
2649 return (0); 2640 return (0);
@@ -2654,7 +2645,7 @@ ssl3_write(SSL *s, const void *buf, int len)
2654{ 2645{
2655 errno = 0; 2646 errno = 0;
2656 2647
2657 if (S3I(s)->renegotiate) 2648 if (s->s3->renegotiate)
2658 ssl3_renegotiate_check(s); 2649 ssl3_renegotiate_check(s);
2659 2650
2660 return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA, 2651 return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA,
@@ -2667,13 +2658,13 @@ ssl3_read_internal(SSL *s, void *buf, int len, int peek)
2667 int ret; 2658 int ret;
2668 2659
2669 errno = 0; 2660 errno = 0;
2670 if (S3I(s)->renegotiate) 2661 if (s->s3->renegotiate)
2671 ssl3_renegotiate_check(s); 2662 ssl3_renegotiate_check(s);
2672 S3I(s)->in_read_app_data = 1; 2663 s->s3->in_read_app_data = 1;
2673 2664
2674 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, 2665 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len,
2675 peek); 2666 peek);
2676 if ((ret == -1) && (S3I(s)->in_read_app_data == 2)) { 2667 if ((ret == -1) && (s->s3->in_read_app_data == 2)) {
2677 /* 2668 /*
2678 * ssl3_read_bytes decided to call s->internal->handshake_func, 2669 * ssl3_read_bytes decided to call s->internal->handshake_func,
2679 * which called ssl3_read_bytes to read handshake data. 2670 * which called ssl3_read_bytes to read handshake data.
@@ -2686,7 +2677,7 @@ ssl3_read_internal(SSL *s, void *buf, int len, int peek)
2686 buf, len, peek); 2677 buf, len, peek);
2687 s->internal->in_handshake--; 2678 s->internal->in_handshake--;
2688 } else 2679 } else
2689 S3I(s)->in_read_app_data = 0; 2680 s->s3->in_read_app_data = 0;
2690 2681
2691 return (ret); 2682 return (ret);
2692} 2683}
@@ -2712,7 +2703,7 @@ ssl3_renegotiate(SSL *s)
2712 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) 2703 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
2713 return (0); 2704 return (0);
2714 2705
2715 S3I(s)->renegotiate = 1; 2706 s->s3->renegotiate = 1;
2716 return (1); 2707 return (1);
2717} 2708}
2718 2709
@@ -2721,8 +2712,8 @@ ssl3_renegotiate_check(SSL *s)
2721{ 2712{
2722 int ret = 0; 2713 int ret = 0;
2723 2714
2724 if (S3I(s)->renegotiate) { 2715 if (s->s3->renegotiate) {
2725 if ((S3I(s)->rbuf.left == 0) && (S3I(s)->wbuf.left == 0) && 2716 if ((s->s3->rbuf.left == 0) && (s->s3->wbuf.left == 0) &&
2726 !SSL_in_init(s)) { 2717 !SSL_in_init(s)) {
2727 /* 2718 /*
2728 * If we are the server, and we have sent 2719 * If we are the server, and we have sent
@@ -2730,10 +2721,10 @@ ssl3_renegotiate_check(SSL *s)
2730 * to SSL_ST_ACCEPT. 2721 * to SSL_ST_ACCEPT.
2731 */ 2722 */
2732 /* SSL_ST_ACCEPT */ 2723 /* SSL_ST_ACCEPT */
2733 S3I(s)->hs.state = SSL_ST_RENEGOTIATE; 2724 s->s3->hs.state = SSL_ST_RENEGOTIATE;
2734 S3I(s)->renegotiate = 0; 2725 s->s3->renegotiate = 0;
2735 S3I(s)->num_renegotiations++; 2726 s->s3->num_renegotiations++;
2736 S3I(s)->total_renegotiations++; 2727 s->s3->total_renegotiations++;
2737 ret = 1; 2728 ret = 1;
2738 } 2729 }
2739 } 2730 }
diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c
index ad16d2175b..cfd32387d6 100644
--- a/src/lib/libssl/ssl_both.c
+++ b/src/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_both.c,v 1.41 2022/02/03 16:33:12 jsing Exp $ */ 1/* $OpenBSD: ssl_both.c,v 1.42 2022/02/05 14:54:10 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -168,33 +168,33 @@ ssl3_send_finished(SSL *s, int state_a, int state_b)
168 168
169 memset(&cbb, 0, sizeof(cbb)); 169 memset(&cbb, 0, sizeof(cbb));
170 170
171 if (S3I(s)->hs.state == state_a) { 171 if (s->s3->hs.state == state_a) {
172 if (!tls12_derive_finished(s)) 172 if (!tls12_derive_finished(s))
173 goto err; 173 goto err;
174 174
175 /* Copy finished so we can use it for renegotiation checks. */ 175 /* Copy finished so we can use it for renegotiation checks. */
176 if (!s->server) { 176 if (!s->server) {
177 memcpy(S3I(s)->previous_client_finished, 177 memcpy(s->s3->previous_client_finished,
178 S3I(s)->hs.finished, S3I(s)->hs.finished_len); 178 s->s3->hs.finished, s->s3->hs.finished_len);
179 S3I(s)->previous_client_finished_len = 179 s->s3->previous_client_finished_len =
180 S3I(s)->hs.finished_len; 180 s->s3->hs.finished_len;
181 } else { 181 } else {
182 memcpy(S3I(s)->previous_server_finished, 182 memcpy(s->s3->previous_server_finished,
183 S3I(s)->hs.finished, S3I(s)->hs.finished_len); 183 s->s3->hs.finished, s->s3->hs.finished_len);
184 S3I(s)->previous_server_finished_len = 184 s->s3->previous_server_finished_len =
185 S3I(s)->hs.finished_len; 185 s->s3->hs.finished_len;
186 } 186 }
187 187
188 if (!ssl3_handshake_msg_start(s, &cbb, &finished, 188 if (!ssl3_handshake_msg_start(s, &cbb, &finished,
189 SSL3_MT_FINISHED)) 189 SSL3_MT_FINISHED))
190 goto err; 190 goto err;
191 if (!CBB_add_bytes(&finished, S3I(s)->hs.finished, 191 if (!CBB_add_bytes(&finished, s->s3->hs.finished,
192 S3I(s)->hs.finished_len)) 192 s->s3->hs.finished_len))
193 goto err; 193 goto err;
194 if (!ssl3_handshake_msg_finish(s, &cbb)) 194 if (!ssl3_handshake_msg_finish(s, &cbb))
195 goto err; 195 goto err;
196 196
197 S3I(s)->hs.state = state_b; 197 s->s3->hs.state = state_b;
198 } 198 }
199 199
200 return (ssl3_handshake_write(s)); 200 return (ssl3_handshake_write(s));
@@ -216,12 +216,12 @@ ssl3_get_finished(SSL *s, int a, int b)
216 return ret; 216 return ret;
217 217
218 /* If this occurs, we have missed a message */ 218 /* If this occurs, we have missed a message */
219 if (!S3I(s)->change_cipher_spec) { 219 if (!s->s3->change_cipher_spec) {
220 al = SSL_AD_UNEXPECTED_MESSAGE; 220 al = SSL_AD_UNEXPECTED_MESSAGE;
221 SSLerror(s, SSL_R_GOT_A_FIN_BEFORE_A_CCS); 221 SSLerror(s, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
222 goto fatal_err; 222 goto fatal_err;
223 } 223 }
224 S3I(s)->change_cipher_spec = 0; 224 s->s3->change_cipher_spec = 0;
225 225
226 md_len = TLS1_FINISH_MAC_LENGTH; 226 md_len = TLS1_FINISH_MAC_LENGTH;
227 227
@@ -233,14 +233,14 @@ ssl3_get_finished(SSL *s, int a, int b)
233 233
234 CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); 234 CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);
235 235
236 if (S3I(s)->hs.peer_finished_len != md_len || 236 if (s->s3->hs.peer_finished_len != md_len ||
237 CBS_len(&cbs) != md_len) { 237 CBS_len(&cbs) != md_len) {
238 al = SSL_AD_DECODE_ERROR; 238 al = SSL_AD_DECODE_ERROR;
239 SSLerror(s, SSL_R_BAD_DIGEST_LENGTH); 239 SSLerror(s, SSL_R_BAD_DIGEST_LENGTH);
240 goto fatal_err; 240 goto fatal_err;
241 } 241 }
242 242
243 if (!CBS_mem_equal(&cbs, S3I(s)->hs.peer_finished, CBS_len(&cbs))) { 243 if (!CBS_mem_equal(&cbs, s->s3->hs.peer_finished, CBS_len(&cbs))) {
244 al = SSL_AD_DECRYPT_ERROR; 244 al = SSL_AD_DECRYPT_ERROR;
245 SSLerror(s, SSL_R_DIGEST_CHECK_FAILED); 245 SSLerror(s, SSL_R_DIGEST_CHECK_FAILED);
246 goto fatal_err; 246 goto fatal_err;
@@ -249,13 +249,13 @@ ssl3_get_finished(SSL *s, int a, int b)
249 /* Copy finished so we can use it for renegotiation checks. */ 249 /* Copy finished so we can use it for renegotiation checks. */
250 OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE); 250 OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE);
251 if (s->server) { 251 if (s->server) {
252 memcpy(S3I(s)->previous_client_finished, 252 memcpy(s->s3->previous_client_finished,
253 S3I(s)->hs.peer_finished, md_len); 253 s->s3->hs.peer_finished, md_len);
254 S3I(s)->previous_client_finished_len = md_len; 254 s->s3->previous_client_finished_len = md_len;
255 } else { 255 } else {
256 memcpy(S3I(s)->previous_server_finished, 256 memcpy(s->s3->previous_server_finished,
257 S3I(s)->hs.peer_finished, md_len); 257 s->s3->hs.peer_finished, md_len);
258 S3I(s)->previous_server_finished_len = md_len; 258 s->s3->previous_server_finished_len = md_len;
259 } 259 }
260 260
261 return (1); 261 return (1);
@@ -272,7 +272,7 @@ ssl3_send_change_cipher_spec(SSL *s, int a, int b)
272 272
273 memset(&cbb, 0, sizeof(cbb)); 273 memset(&cbb, 0, sizeof(cbb));
274 274
275 if (S3I(s)->hs.state == a) { 275 if (s->s3->hs.state == a) {
276 if (!CBB_init_fixed(&cbb, s->internal->init_buf->data, 276 if (!CBB_init_fixed(&cbb, s->internal->init_buf->data,
277 s->internal->init_buf->length)) 277 s->internal->init_buf->length))
278 goto err; 278 goto err;
@@ -295,7 +295,7 @@ ssl3_send_change_cipher_spec(SSL *s, int a, int b)
295 dtls1_buffer_message(s, 1); 295 dtls1_buffer_message(s, 1);
296 } 296 }
297 297
298 S3I(s)->hs.state = b; 298 s->s3->hs.state = b;
299 } 299 }
300 300
301 /* SSL3_ST_CW_CHANGE_B */ 301 /* SSL3_ST_CW_CHANGE_B */
@@ -408,22 +408,22 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max)
408 if (SSL_is_dtls(s)) 408 if (SSL_is_dtls(s))
409 return dtls1_get_message(s, st1, stn, mt, max); 409 return dtls1_get_message(s, st1, stn, mt, max);
410 410
411 if (S3I(s)->hs.tls12.reuse_message) { 411 if (s->s3->hs.tls12.reuse_message) {
412 S3I(s)->hs.tls12.reuse_message = 0; 412 s->s3->hs.tls12.reuse_message = 0;
413 if ((mt >= 0) && (S3I(s)->hs.tls12.message_type != mt)) { 413 if ((mt >= 0) && (s->s3->hs.tls12.message_type != mt)) {
414 al = SSL_AD_UNEXPECTED_MESSAGE; 414 al = SSL_AD_UNEXPECTED_MESSAGE;
415 SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); 415 SSLerror(s, SSL_R_UNEXPECTED_MESSAGE);
416 goto fatal_err; 416 goto fatal_err;
417 } 417 }
418 s->internal->init_msg = s->internal->init_buf->data + 418 s->internal->init_msg = s->internal->init_buf->data +
419 SSL3_HM_HEADER_LENGTH; 419 SSL3_HM_HEADER_LENGTH;
420 s->internal->init_num = (int)S3I(s)->hs.tls12.message_size; 420 s->internal->init_num = (int)s->s3->hs.tls12.message_size;
421 return 1; 421 return 1;
422 } 422 }
423 423
424 p = (unsigned char *)s->internal->init_buf->data; 424 p = (unsigned char *)s->internal->init_buf->data;
425 425
426 if (S3I(s)->hs.state == st1) { 426 if (s->s3->hs.state == st1) {
427 int skip_message; 427 int skip_message;
428 428
429 do { 429 do {
@@ -469,7 +469,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max)
469 SSLerror(s, ERR_R_BUF_LIB); 469 SSLerror(s, ERR_R_BUF_LIB);
470 goto err; 470 goto err;
471 } 471 }
472 S3I(s)->hs.tls12.message_type = u8; 472 s->s3->hs.tls12.message_type = u8;
473 473
474 if (l > (unsigned long)max) { 474 if (l > (unsigned long)max) {
475 al = SSL_AD_ILLEGAL_PARAMETER; 475 al = SSL_AD_ILLEGAL_PARAMETER;
@@ -481,8 +481,8 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max)
481 SSLerror(s, ERR_R_BUF_LIB); 481 SSLerror(s, ERR_R_BUF_LIB);
482 goto err; 482 goto err;
483 } 483 }
484 S3I(s)->hs.tls12.message_size = l; 484 s->s3->hs.tls12.message_size = l;
485 S3I(s)->hs.state = stn; 485 s->s3->hs.state = stn;
486 486
487 s->internal->init_msg = s->internal->init_buf->data + 487 s->internal->init_msg = s->internal->init_buf->data +
488 SSL3_HM_HEADER_LENGTH; 488 SSL3_HM_HEADER_LENGTH;
@@ -491,7 +491,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max)
491 491
492 /* next state (stn) */ 492 /* next state (stn) */
493 p = s->internal->init_msg; 493 p = s->internal->init_msg;
494 n = S3I(s)->hs.tls12.message_size - s->internal->init_num; 494 n = s->s3->hs.tls12.message_size - s->internal->init_num;
495 while (n > 0) { 495 while (n > 0) {
496 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, 496 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
497 &p[s->internal->init_num], n, 0); 497 &p[s->internal->init_num], n, 0);
@@ -644,16 +644,16 @@ ssl3_setup_read_buffer(SSL *s)
644 644
645 align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1); 645 align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1);
646 646
647 if (S3I(s)->rbuf.buf == NULL) { 647 if (s->s3->rbuf.buf == NULL) {
648 len = SSL3_RT_MAX_PLAIN_LENGTH + 648 len = SSL3_RT_MAX_PLAIN_LENGTH +
649 SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align; 649 SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align;
650 if ((p = calloc(1, len)) == NULL) 650 if ((p = calloc(1, len)) == NULL)
651 goto err; 651 goto err;
652 S3I(s)->rbuf.buf = p; 652 s->s3->rbuf.buf = p;
653 S3I(s)->rbuf.len = len; 653 s->s3->rbuf.len = len;
654 } 654 }
655 655
656 s->internal->packet = S3I(s)->rbuf.buf; 656 s->internal->packet = s->s3->rbuf.buf;
657 return 1; 657 return 1;
658 658
659 err: 659 err:
@@ -674,7 +674,7 @@ ssl3_setup_write_buffer(SSL *s)
674 674
675 align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1); 675 align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1);
676 676
677 if (S3I(s)->wbuf.buf == NULL) { 677 if (s->s3->wbuf.buf == NULL) {
678 len = s->max_send_fragment + 678 len = s->max_send_fragment +
679 SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align; 679 SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align;
680 if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) 680 if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
@@ -683,8 +683,8 @@ ssl3_setup_write_buffer(SSL *s)
683 683
684 if ((p = calloc(1, len)) == NULL) 684 if ((p = calloc(1, len)) == NULL)
685 goto err; 685 goto err;
686 S3I(s)->wbuf.buf = p; 686 s->s3->wbuf.buf = p;
687 S3I(s)->wbuf.len = len; 687 s->s3->wbuf.len = len;
688 } 688 }
689 689
690 return 1; 690 return 1;
@@ -715,11 +715,11 @@ ssl3_release_buffer(SSL3_BUFFER_INTERNAL *b)
715void 715void
716ssl3_release_read_buffer(SSL *s) 716ssl3_release_read_buffer(SSL *s)
717{ 717{
718 ssl3_release_buffer(&S3I(s)->rbuf); 718 ssl3_release_buffer(&s->s3->rbuf);
719} 719}
720 720
721void 721void
722ssl3_release_write_buffer(SSL *s) 722ssl3_release_write_buffer(SSL *s)
723{ 723{
724 ssl3_release_buffer(&S3I(s)->wbuf); 724 ssl3_release_buffer(&s->s3->wbuf);
725} 725}
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 71daf3718b..30e99ad184 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_cert.c,v 1.94 2022/01/28 13:14:48 inoguchi Exp $ */ 1/* $OpenBSD: ssl_cert.c,v 1.95 2022/02/05 14:54:10 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -462,7 +462,7 @@ SSL_get_client_CA_list(const SSL *s)
462 if (!s->server) { 462 if (!s->server) {
463 /* We are in the client. */ 463 /* We are in the client. */
464 if ((s->version >> 8) == SSL3_VERSION_MAJOR) 464 if ((s->version >> 8) == SSL3_VERSION_MAJOR)
465 return (S3I(s)->hs.tls12.ca_names); 465 return (s->s3->hs.tls12.ca_names);
466 else 466 else
467 return (NULL); 467 return (NULL);
468 } else { 468 } else {
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 643d668d7c..13dcd90525 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_ciph.c,v 1.125 2021/11/23 18:26:23 tb Exp $ */ 1/* $OpenBSD: ssl_ciph.c,v 1.126 2022/02/05 14:54:10 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -564,10 +564,10 @@ ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md)
564 564
565 *md = NULL; 565 *md = NULL;
566 566
567 if (S3I(s)->hs.cipher == NULL) 567 if (s->s3->hs.cipher == NULL)
568 return 0; 568 return 0;
569 569
570 handshake_mac = S3I(s)->hs.cipher->algorithm2 & 570 handshake_mac = s->s3->hs.cipher->algorithm2 &
571 SSL_HANDSHAKE_MAC_MASK; 571 SSL_HANDSHAKE_MAC_MASK;
572 572
573 /* For TLSv1.2 we upgrade the default MD5+SHA1 MAC to SHA256. */ 573 /* For TLSv1.2 we upgrade the default MD5+SHA1 MAC to SHA256. */
diff --git a/src/lib/libssl/ssl_ciphers.c b/src/lib/libssl/ssl_ciphers.c
index 4e4a0d93a4..7ac40126ed 100644
--- a/src/lib/libssl/ssl_ciphers.c
+++ b/src/lib/libssl/ssl_ciphers.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_ciphers.c,v 1.11 2021/03/11 17:14:46 jsing Exp $ */ 1/* $OpenBSD: ssl_ciphers.c,v 1.12 2022/02/05 14:54:10 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org> 3 * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
4 * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org>
@@ -96,7 +96,7 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
96 uint16_t cipher_value; 96 uint16_t cipher_value;
97 unsigned long cipher_id; 97 unsigned long cipher_id;
98 98
99 S3I(s)->send_connection_binding = 0; 99 s->s3->send_connection_binding = 0;
100 100
101 if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL) { 101 if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL) {
102 SSLerror(s, ERR_R_MALLOC_FAILURE); 102 SSLerror(s, ERR_R_MALLOC_FAILURE);
@@ -123,7 +123,7 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
123 123
124 goto err; 124 goto err;
125 } 125 }
126 S3I(s)->send_connection_binding = 1; 126 s->s3->send_connection_binding = 1;
127 continue; 127 continue;
128 } 128 }
129 129
@@ -134,8 +134,8 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
134 * Fail if the current version is an unexpected 134 * Fail if the current version is an unexpected
135 * downgrade. 135 * downgrade.
136 */ 136 */
137 if (S3I(s)->hs.negotiated_tls_version < 137 if (s->s3->hs.negotiated_tls_version <
138 S3I(s)->hs.our_max_tls_version) { 138 s->s3->hs.our_max_tls_version) {
139 SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK); 139 SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
140 ssl3_send_alert(s, SSL3_AL_FATAL, 140 ssl3_send_alert(s, SSL3_AL_FATAL,
141 SSL_AD_INAPPROPRIATE_FALLBACK); 141 SSL_AD_INAPPROPRIATE_FALLBACK);
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 6d50ade398..607b038825 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_clnt.c,v 1.140 2022/02/03 16:33:12 jsing Exp $ */ 1/* $OpenBSD: ssl_clnt.c,v 1.141 2022/02/05 14:54:10 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -190,12 +190,12 @@ ssl3_connect(SSL *s)
190 SSL_clear(s); 190 SSL_clear(s);
191 191
192 for (;;) { 192 for (;;) {
193 state = S3I(s)->hs.state; 193 state = s->s3->hs.state;
194 194
195 switch (S3I(s)->hs.state) { 195 switch (s->s3->hs.state) {
196 case SSL_ST_RENEGOTIATE: 196 case SSL_ST_RENEGOTIATE:
197 s->internal->renegotiate = 1; 197 s->internal->renegotiate = 1;
198 S3I(s)->hs.state = SSL_ST_CONNECT; 198 s->s3->hs.state = SSL_ST_CONNECT;
199 s->ctx->internal->stats.sess_connect_renegotiate++; 199 s->ctx->internal->stats.sess_connect_renegotiate++;
200 /* break */ 200 /* break */
201 case SSL_ST_BEFORE: 201 case SSL_ST_BEFORE:
@@ -214,8 +214,8 @@ ssl3_connect(SSL *s)
214 } 214 }
215 215
216 if (!ssl_supported_tls_version_range(s, 216 if (!ssl_supported_tls_version_range(s,
217 &S3I(s)->hs.our_min_tls_version, 217 &s->s3->hs.our_min_tls_version,
218 &S3I(s)->hs.our_max_tls_version)) { 218 &s->s3->hs.our_max_tls_version)) {
219 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 219 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
220 ret = -1; 220 ret = -1;
221 goto end; 221 goto end;
@@ -241,7 +241,7 @@ ssl3_connect(SSL *s)
241 goto end; 241 goto end;
242 } 242 }
243 243
244 S3I(s)->hs.state = SSL3_ST_CW_CLNT_HELLO_A; 244 s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_A;
245 s->ctx->internal->stats.sess_connect++; 245 s->ctx->internal->stats.sess_connect++;
246 s->internal->init_num = 0; 246 s->internal->init_num = 0;
247 247
@@ -270,10 +270,10 @@ ssl3_connect(SSL *s)
270 goto end; 270 goto end;
271 271
272 if (SSL_is_dtls(s) && s->d1->send_cookie) { 272 if (SSL_is_dtls(s) && s->d1->send_cookie) {
273 S3I(s)->hs.state = SSL3_ST_CW_FLUSH; 273 s->s3->hs.state = SSL3_ST_CW_FLUSH;
274 S3I(s)->hs.tls12.next_state = SSL3_ST_CR_SRVR_HELLO_A; 274 s->s3->hs.tls12.next_state = SSL3_ST_CR_SRVR_HELLO_A;
275 } else 275 } else
276 S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A; 276 s->s3->hs.state = SSL3_ST_CR_SRVR_HELLO_A;
277 277
278 s->internal->init_num = 0; 278 s->internal->init_num = 0;
279 279
@@ -290,20 +290,20 @@ ssl3_connect(SSL *s)
290 goto end; 290 goto end;
291 291
292 if (s->internal->hit) { 292 if (s->internal->hit) {
293 S3I(s)->hs.state = SSL3_ST_CR_FINISHED_A; 293 s->s3->hs.state = SSL3_ST_CR_FINISHED_A;
294 if (!SSL_is_dtls(s)) { 294 if (!SSL_is_dtls(s)) {
295 if (s->internal->tlsext_ticket_expected) { 295 if (s->internal->tlsext_ticket_expected) {
296 /* receive renewed session ticket */ 296 /* receive renewed session ticket */
297 S3I(s)->hs.state = SSL3_ST_CR_SESSION_TICKET_A; 297 s->s3->hs.state = SSL3_ST_CR_SESSION_TICKET_A;
298 } 298 }
299 299
300 /* No client certificate verification. */ 300 /* No client certificate verification. */
301 tls1_transcript_free(s); 301 tls1_transcript_free(s);
302 } 302 }
303 } else if (SSL_is_dtls(s)) { 303 } else if (SSL_is_dtls(s)) {
304 S3I(s)->hs.state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A; 304 s->s3->hs.state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
305 } else { 305 } else {
306 S3I(s)->hs.state = SSL3_ST_CR_CERT_A; 306 s->s3->hs.state = SSL3_ST_CR_CERT_A;
307 } 307 }
308 s->internal->init_num = 0; 308 s->internal->init_num = 0;
309 break; 309 break;
@@ -315,9 +315,9 @@ ssl3_connect(SSL *s)
315 goto end; 315 goto end;
316 dtls1_stop_timer(s); 316 dtls1_stop_timer(s);
317 if (s->d1->send_cookie) /* start again, with a cookie */ 317 if (s->d1->send_cookie) /* start again, with a cookie */
318 S3I(s)->hs.state = SSL3_ST_CW_CLNT_HELLO_A; 318 s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_A;
319 else 319 else
320 S3I(s)->hs.state = SSL3_ST_CR_CERT_A; 320 s->s3->hs.state = SSL3_ST_CR_CERT_A;
321 s->internal->init_num = 0; 321 s->internal->init_num = 0;
322 break; 322 break;
323 323
@@ -329,25 +329,25 @@ ssl3_connect(SSL *s)
329 if (ret == 2) { 329 if (ret == 2) {
330 s->internal->hit = 1; 330 s->internal->hit = 1;
331 if (s->internal->tlsext_ticket_expected) 331 if (s->internal->tlsext_ticket_expected)
332 S3I(s)->hs.state = SSL3_ST_CR_SESSION_TICKET_A; 332 s->s3->hs.state = SSL3_ST_CR_SESSION_TICKET_A;
333 else 333 else
334 S3I(s)->hs.state = SSL3_ST_CR_FINISHED_A; 334 s->s3->hs.state = SSL3_ST_CR_FINISHED_A;
335 s->internal->init_num = 0; 335 s->internal->init_num = 0;
336 break; 336 break;
337 } 337 }
338 /* Check if it is anon DH/ECDH. */ 338 /* Check if it is anon DH/ECDH. */
339 if (!(S3I(s)->hs.cipher->algorithm_auth & 339 if (!(s->s3->hs.cipher->algorithm_auth &
340 SSL_aNULL)) { 340 SSL_aNULL)) {
341 ret = ssl3_get_server_certificate(s); 341 ret = ssl3_get_server_certificate(s);
342 if (ret <= 0) 342 if (ret <= 0)
343 goto end; 343 goto end;
344 if (s->internal->tlsext_status_expected) 344 if (s->internal->tlsext_status_expected)
345 S3I(s)->hs.state = SSL3_ST_CR_CERT_STATUS_A; 345 s->s3->hs.state = SSL3_ST_CR_CERT_STATUS_A;
346 else 346 else
347 S3I(s)->hs.state = SSL3_ST_CR_KEY_EXCH_A; 347 s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A;
348 } else { 348 } else {
349 skip = 1; 349 skip = 1;
350 S3I(s)->hs.state = SSL3_ST_CR_KEY_EXCH_A; 350 s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A;
351 } 351 }
352 s->internal->init_num = 0; 352 s->internal->init_num = 0;
353 break; 353 break;
@@ -357,7 +357,7 @@ ssl3_connect(SSL *s)
357 ret = ssl3_get_server_key_exchange(s); 357 ret = ssl3_get_server_key_exchange(s);
358 if (ret <= 0) 358 if (ret <= 0)
359 goto end; 359 goto end;
360 S3I(s)->hs.state = SSL3_ST_CR_CERT_REQ_A; 360 s->s3->hs.state = SSL3_ST_CR_CERT_REQ_A;
361 s->internal->init_num = 0; 361 s->internal->init_num = 0;
362 362
363 /* 363 /*
@@ -375,7 +375,7 @@ ssl3_connect(SSL *s)
375 ret = ssl3_get_certificate_request(s); 375 ret = ssl3_get_certificate_request(s);
376 if (ret <= 0) 376 if (ret <= 0)
377 goto end; 377 goto end;
378 S3I(s)->hs.state = SSL3_ST_CR_SRVR_DONE_A; 378 s->s3->hs.state = SSL3_ST_CR_SRVR_DONE_A;
379 s->internal->init_num = 0; 379 s->internal->init_num = 0;
380 break; 380 break;
381 381
@@ -386,10 +386,10 @@ ssl3_connect(SSL *s)
386 goto end; 386 goto end;
387 if (SSL_is_dtls(s)) 387 if (SSL_is_dtls(s))
388 dtls1_stop_timer(s); 388 dtls1_stop_timer(s);
389 if (S3I(s)->hs.tls12.cert_request) 389 if (s->s3->hs.tls12.cert_request)
390 S3I(s)->hs.state = SSL3_ST_CW_CERT_A; 390 s->s3->hs.state = SSL3_ST_CW_CERT_A;
391 else 391 else
392 S3I(s)->hs.state = SSL3_ST_CW_KEY_EXCH_A; 392 s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_A;
393 s->internal->init_num = 0; 393 s->internal->init_num = 0;
394 394
395 break; 395 break;
@@ -403,7 +403,7 @@ ssl3_connect(SSL *s)
403 ret = ssl3_send_client_certificate(s); 403 ret = ssl3_send_client_certificate(s);
404 if (ret <= 0) 404 if (ret <= 0)
405 goto end; 405 goto end;
406 S3I(s)->hs.state = SSL3_ST_CW_KEY_EXCH_A; 406 s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_A;
407 s->internal->init_num = 0; 407 s->internal->init_num = 0;
408 break; 408 break;
409 409
@@ -430,16 +430,16 @@ ssl3_connect(SSL *s)
430 * message when client's ECDH public key is sent 430 * message when client's ECDH public key is sent
431 * inside the client certificate. 431 * inside the client certificate.
432 */ 432 */
433 if (S3I(s)->hs.tls12.cert_request == 1) { 433 if (s->s3->hs.tls12.cert_request == 1) {
434 S3I(s)->hs.state = SSL3_ST_CW_CERT_VRFY_A; 434 s->s3->hs.state = SSL3_ST_CW_CERT_VRFY_A;
435 } else { 435 } else {
436 S3I(s)->hs.state = SSL3_ST_CW_CHANGE_A; 436 s->s3->hs.state = SSL3_ST_CW_CHANGE_A;
437 S3I(s)->change_cipher_spec = 0; 437 s->s3->change_cipher_spec = 0;
438 } 438 }
439 if (!SSL_is_dtls(s)) { 439 if (!SSL_is_dtls(s)) {
440 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { 440 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
441 S3I(s)->hs.state = SSL3_ST_CW_CHANGE_A; 441 s->s3->hs.state = SSL3_ST_CW_CHANGE_A;
442 S3I(s)->change_cipher_spec = 0; 442 s->s3->change_cipher_spec = 0;
443 } 443 }
444 } 444 }
445 445
@@ -453,9 +453,9 @@ ssl3_connect(SSL *s)
453 ret = ssl3_send_client_verify(s); 453 ret = ssl3_send_client_verify(s);
454 if (ret <= 0) 454 if (ret <= 0)
455 goto end; 455 goto end;
456 S3I(s)->hs.state = SSL3_ST_CW_CHANGE_A; 456 s->s3->hs.state = SSL3_ST_CW_CHANGE_A;
457 s->internal->init_num = 0; 457 s->internal->init_num = 0;
458 S3I(s)->change_cipher_spec = 0; 458 s->s3->change_cipher_spec = 0;
459 break; 459 break;
460 460
461 case SSL3_ST_CW_CHANGE_A: 461 case SSL3_ST_CW_CHANGE_A:
@@ -467,9 +467,9 @@ ssl3_connect(SSL *s)
467 if (ret <= 0) 467 if (ret <= 0)
468 goto end; 468 goto end;
469 469
470 S3I(s)->hs.state = SSL3_ST_CW_FINISHED_A; 470 s->s3->hs.state = SSL3_ST_CW_FINISHED_A;
471 s->internal->init_num = 0; 471 s->internal->init_num = 0;
472 s->session->cipher = S3I(s)->hs.cipher; 472 s->session->cipher = s->s3->hs.cipher;
473 473
474 if (!tls1_setup_key_block(s)) { 474 if (!tls1_setup_key_block(s)) {
475 ret = -1; 475 ret = -1;
@@ -491,18 +491,18 @@ ssl3_connect(SSL *s)
491 goto end; 491 goto end;
492 if (!SSL_is_dtls(s)) 492 if (!SSL_is_dtls(s))
493 s->s3->flags |= SSL3_FLAGS_CCS_OK; 493 s->s3->flags |= SSL3_FLAGS_CCS_OK;
494 S3I(s)->hs.state = SSL3_ST_CW_FLUSH; 494 s->s3->hs.state = SSL3_ST_CW_FLUSH;
495 495
496 /* clear flags */ 496 /* clear flags */
497 if (s->internal->hit) { 497 if (s->internal->hit) {
498 S3I(s)->hs.tls12.next_state = SSL_ST_OK; 498 s->s3->hs.tls12.next_state = SSL_ST_OK;
499 } else { 499 } else {
500 /* Allow NewSessionTicket if ticket expected */ 500 /* Allow NewSessionTicket if ticket expected */
501 if (s->internal->tlsext_ticket_expected) 501 if (s->internal->tlsext_ticket_expected)
502 S3I(s)->hs.tls12.next_state = 502 s->s3->hs.tls12.next_state =
503 SSL3_ST_CR_SESSION_TICKET_A; 503 SSL3_ST_CR_SESSION_TICKET_A;
504 else 504 else
505 S3I(s)->hs.tls12.next_state = 505 s->s3->hs.tls12.next_state =
506 SSL3_ST_CR_FINISHED_A; 506 SSL3_ST_CR_FINISHED_A;
507 } 507 }
508 s->internal->init_num = 0; 508 s->internal->init_num = 0;
@@ -513,7 +513,7 @@ ssl3_connect(SSL *s)
513 ret = ssl3_get_new_session_ticket(s); 513 ret = ssl3_get_new_session_ticket(s);
514 if (ret <= 0) 514 if (ret <= 0)
515 goto end; 515 goto end;
516 S3I(s)->hs.state = SSL3_ST_CR_FINISHED_A; 516 s->s3->hs.state = SSL3_ST_CR_FINISHED_A;
517 s->internal->init_num = 0; 517 s->internal->init_num = 0;
518 break; 518 break;
519 519
@@ -522,7 +522,7 @@ ssl3_connect(SSL *s)
522 ret = ssl3_get_cert_status(s); 522 ret = ssl3_get_cert_status(s);
523 if (ret <= 0) 523 if (ret <= 0)
524 goto end; 524 goto end;
525 S3I(s)->hs.state = SSL3_ST_CR_KEY_EXCH_A; 525 s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A;
526 s->internal->init_num = 0; 526 s->internal->init_num = 0;
527 break; 527 break;
528 528
@@ -540,9 +540,9 @@ ssl3_connect(SSL *s)
540 dtls1_stop_timer(s); 540 dtls1_stop_timer(s);
541 541
542 if (s->internal->hit) 542 if (s->internal->hit)
543 S3I(s)->hs.state = SSL3_ST_CW_CHANGE_A; 543 s->s3->hs.state = SSL3_ST_CW_CHANGE_A;
544 else 544 else
545 S3I(s)->hs.state = SSL_ST_OK; 545 s->s3->hs.state = SSL_ST_OK;
546 s->internal->init_num = 0; 546 s->internal->init_num = 0;
547 break; 547 break;
548 548
@@ -553,21 +553,21 @@ ssl3_connect(SSL *s)
553 /* If the write error was fatal, stop trying */ 553 /* If the write error was fatal, stop trying */
554 if (!BIO_should_retry(s->wbio)) { 554 if (!BIO_should_retry(s->wbio)) {
555 s->internal->rwstate = SSL_NOTHING; 555 s->internal->rwstate = SSL_NOTHING;
556 S3I(s)->hs.state = S3I(s)->hs.tls12.next_state; 556 s->s3->hs.state = s->s3->hs.tls12.next_state;
557 } 557 }
558 } 558 }
559 ret = -1; 559 ret = -1;
560 goto end; 560 goto end;
561 } 561 }
562 s->internal->rwstate = SSL_NOTHING; 562 s->internal->rwstate = SSL_NOTHING;
563 S3I(s)->hs.state = S3I(s)->hs.tls12.next_state; 563 s->s3->hs.state = s->s3->hs.tls12.next_state;
564 break; 564 break;
565 565
566 case SSL_ST_OK: 566 case SSL_ST_OK:
567 /* clean a few things up */ 567 /* clean a few things up */
568 tls1_cleanup_key_block(s); 568 tls1_cleanup_key_block(s);
569 569
570 if (S3I(s)->handshake_transcript != NULL) { 570 if (s->s3->handshake_transcript != NULL) {
571 SSLerror(s, ERR_R_INTERNAL_ERROR); 571 SSLerror(s, ERR_R_INTERNAL_ERROR);
572 ret = -1; 572 ret = -1;
573 goto end; 573 goto end;
@@ -610,17 +610,17 @@ ssl3_connect(SSL *s)
610 } 610 }
611 611
612 /* did we do anything */ 612 /* did we do anything */
613 if (!S3I(s)->hs.tls12.reuse_message && !skip) { 613 if (!s->s3->hs.tls12.reuse_message && !skip) {
614 if (s->internal->debug) { 614 if (s->internal->debug) {
615 if ((ret = BIO_flush(s->wbio)) <= 0) 615 if ((ret = BIO_flush(s->wbio)) <= 0)
616 goto end; 616 goto end;
617 } 617 }
618 618
619 if (S3I(s)->hs.state != state) { 619 if (s->s3->hs.state != state) {
620 new_state = S3I(s)->hs.state; 620 new_state = s->s3->hs.state;
621 S3I(s)->hs.state = state; 621 s->s3->hs.state = state;
622 ssl_info_callback(s, SSL_CB_CONNECT_LOOP, 1); 622 ssl_info_callback(s, SSL_CB_CONNECT_LOOP, 1);
623 S3I(s)->hs.state = new_state; 623 s->s3->hs.state = new_state;
624 } 624 }
625 } 625 }
626 skip = 0; 626 skip = 0;
@@ -643,7 +643,7 @@ ssl3_send_client_hello(SSL *s)
643 643
644 memset(&cbb, 0, sizeof(cbb)); 644 memset(&cbb, 0, sizeof(cbb));
645 645
646 if (S3I(s)->hs.state == SSL3_ST_CW_CLNT_HELLO_A) { 646 if (s->s3->hs.state == SSL3_ST_CW_CLNT_HELLO_A) {
647 SSL_SESSION *sess = s->session; 647 SSL_SESSION *sess = s->session;
648 648
649 if (!ssl_max_supported_version(s, &max_version)) { 649 if (!ssl_max_supported_version(s, &max_version)) {
@@ -734,7 +734,7 @@ ssl3_send_client_hello(SSL *s)
734 if (!ssl3_handshake_msg_finish(s, &cbb)) 734 if (!ssl3_handshake_msg_finish(s, &cbb))
735 goto err; 735 goto err;
736 736
737 S3I(s)->hs.state = SSL3_ST_CW_CLNT_HELLO_B; 737 s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_B;
738 } 738 }
739 739
740 /* SSL3_ST_CW_CLNT_HELLO_B */ 740 /* SSL3_ST_CW_CLNT_HELLO_B */
@@ -758,9 +758,9 @@ ssl3_get_dtls_hello_verify(SSL *s)
758 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->internal->max_cert_list)) <= 0) 758 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->internal->max_cert_list)) <= 0)
759 return ret; 759 return ret;
760 760
761 if (S3I(s)->hs.tls12.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) { 761 if (s->s3->hs.tls12.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
762 s->d1->send_cookie = 0; 762 s->d1->send_cookie = 0;
763 S3I(s)->hs.tls12.reuse_message = 1; 763 s->s3->hs.tls12.reuse_message = 1;
764 return (1); 764 return (1);
765 } 765 }
766 766
@@ -831,9 +831,9 @@ ssl3_get_server_hello(SSL *s)
831 CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); 831 CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);
832 832
833 if (SSL_is_dtls(s)) { 833 if (SSL_is_dtls(s)) {
834 if (S3I(s)->hs.tls12.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) { 834 if (s->s3->hs.tls12.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) {
835 if (s->d1->send_cookie == 0) { 835 if (s->d1->send_cookie == 0) {
836 S3I(s)->hs.tls12.reuse_message = 1; 836 s->s3->hs.tls12.reuse_message = 1;
837 return (1); 837 return (1);
838 } else { 838 } else {
839 /* Already sent a cookie. */ 839 /* Already sent a cookie. */
@@ -844,7 +844,7 @@ ssl3_get_server_hello(SSL *s)
844 } 844 }
845 } 845 }
846 846
847 if (S3I(s)->hs.tls12.message_type != SSL3_MT_SERVER_HELLO) { 847 if (s->s3->hs.tls12.message_type != SSL3_MT_SERVER_HELLO) {
848 al = SSL_AD_UNEXPECTED_MESSAGE; 848 al = SSL_AD_UNEXPECTED_MESSAGE;
849 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE); 849 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
850 goto fatal_err; 850 goto fatal_err;
@@ -859,11 +859,11 @@ ssl3_get_server_hello(SSL *s)
859 al = SSL_AD_PROTOCOL_VERSION; 859 al = SSL_AD_PROTOCOL_VERSION;
860 goto fatal_err; 860 goto fatal_err;
861 } 861 }
862 S3I(s)->hs.peer_legacy_version = server_version; 862 s->s3->hs.peer_legacy_version = server_version;
863 s->version = server_version; 863 s->version = server_version;
864 864
865 S3I(s)->hs.negotiated_tls_version = ssl_tls_version(server_version); 865 s->s3->hs.negotiated_tls_version = ssl_tls_version(server_version);
866 if (S3I(s)->hs.negotiated_tls_version == 0) { 866 if (s->s3->hs.negotiated_tls_version == 0) {
867 SSLerror(s, ERR_R_INTERNAL_ERROR); 867 SSLerror(s, ERR_R_INTERNAL_ERROR);
868 goto err; 868 goto err;
869 } 869 }
@@ -881,8 +881,8 @@ ssl3_get_server_hello(SSL *s)
881 sizeof(s->s3->server_random), NULL)) 881 sizeof(s->s3->server_random), NULL))
882 goto err; 882 goto err;
883 883
884 if (S3I(s)->hs.our_max_tls_version >= TLS1_2_VERSION && 884 if (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION &&
885 S3I(s)->hs.negotiated_tls_version < S3I(s)->hs.our_max_tls_version) { 885 s->s3->hs.negotiated_tls_version < s->s3->hs.our_max_tls_version) {
886 /* 886 /*
887 * RFC 8446 section 4.1.3. We must not downgrade if the server 887 * RFC 8446 section 4.1.3. We must not downgrade if the server
888 * random value contains the TLS 1.2 or TLS 1.1 magical value. 888 * random value contains the TLS 1.2 or TLS 1.1 magical value.
@@ -890,7 +890,7 @@ ssl3_get_server_hello(SSL *s)
890 if (!CBS_skip(&server_random, 890 if (!CBS_skip(&server_random,
891 CBS_len(&server_random) - sizeof(tls13_downgrade_12))) 891 CBS_len(&server_random) - sizeof(tls13_downgrade_12)))
892 goto err; 892 goto err;
893 if (S3I(s)->hs.negotiated_tls_version == TLS1_2_VERSION && 893 if (s->s3->hs.negotiated_tls_version == TLS1_2_VERSION &&
894 CBS_mem_equal(&server_random, tls13_downgrade_12, 894 CBS_mem_equal(&server_random, tls13_downgrade_12,
895 sizeof(tls13_downgrade_12))) { 895 sizeof(tls13_downgrade_12))) {
896 al = SSL_AD_ILLEGAL_PARAMETER; 896 al = SSL_AD_ILLEGAL_PARAMETER;
@@ -981,7 +981,7 @@ ssl3_get_server_hello(SSL *s)
981 981
982 /* TLS v1.2 only ciphersuites require v1.2 or later. */ 982 /* TLS v1.2 only ciphersuites require v1.2 or later. */
983 if ((cipher->algorithm_ssl & SSL_TLSV1_2) && 983 if ((cipher->algorithm_ssl & SSL_TLSV1_2) &&
984 S3I(s)->hs.negotiated_tls_version < TLS1_2_VERSION) { 984 s->s3->hs.negotiated_tls_version < TLS1_2_VERSION) {
985 al = SSL_AD_ILLEGAL_PARAMETER; 985 al = SSL_AD_ILLEGAL_PARAMETER;
986 SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED); 986 SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED);
987 goto fatal_err; 987 goto fatal_err;
@@ -1006,7 +1006,7 @@ ssl3_get_server_hello(SSL *s)
1006 SSLerror(s, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); 1006 SSLerror(s, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
1007 goto fatal_err; 1007 goto fatal_err;
1008 } 1008 }
1009 S3I(s)->hs.cipher = cipher; 1009 s->s3->hs.cipher = cipher;
1010 1010
1011 if (!tls1_transcript_hash_init(s)) 1011 if (!tls1_transcript_hash_init(s))
1012 goto err; 1012 goto err;
@@ -1015,7 +1015,7 @@ ssl3_get_server_hello(SSL *s)
1015 * Don't digest cached records if no sigalgs: we may need them for 1015 * Don't digest cached records if no sigalgs: we may need them for
1016 * client authentication. 1016 * client authentication.
1017 */ 1017 */
1018 alg_k = S3I(s)->hs.cipher->algorithm_mkey; 1018 alg_k = s->s3->hs.cipher->algorithm_mkey;
1019 if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST))) 1019 if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)))
1020 tls1_transcript_free(s); 1020 tls1_transcript_free(s);
1021 1021
@@ -1044,7 +1044,7 @@ ssl3_get_server_hello(SSL *s)
1044 * which doesn't support RI so for the immediate future tolerate RI 1044 * which doesn't support RI so for the immediate future tolerate RI
1045 * absence on initial connect only. 1045 * absence on initial connect only.
1046 */ 1046 */
1047 if (!S3I(s)->renegotiate_seen && 1047 if (!s->s3->renegotiate_seen &&
1048 !(s->internal->options & SSL_OP_LEGACY_SERVER_CONNECT)) { 1048 !(s->internal->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
1049 al = SSL_AD_HANDSHAKE_FAILURE; 1049 al = SSL_AD_HANDSHAKE_FAILURE;
1050 SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1050 SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
@@ -1085,12 +1085,12 @@ ssl3_get_server_certificate(SSL *s)
1085 1085
1086 ret = -1; 1086 ret = -1;
1087 1087
1088 if (S3I(s)->hs.tls12.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) { 1088 if (s->s3->hs.tls12.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) {
1089 S3I(s)->hs.tls12.reuse_message = 1; 1089 s->s3->hs.tls12.reuse_message = 1;
1090 return (1); 1090 return (1);
1091 } 1091 }
1092 1092
1093 if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE) { 1093 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE) {
1094 al = SSL_AD_UNEXPECTED_MESSAGE; 1094 al = SSL_AD_UNEXPECTED_MESSAGE;
1095 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE); 1095 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
1096 goto fatal_err; 1096 goto fatal_err;
@@ -1208,11 +1208,11 @@ ssl3_get_server_kex_dhe(SSL *s, CBS *cbs)
1208 int decode_error, invalid_params, invalid_key; 1208 int decode_error, invalid_params, invalid_key;
1209 int nid = NID_dhKeyAgreement; 1209 int nid = NID_dhKeyAgreement;
1210 1210
1211 tls_key_share_free(S3I(s)->hs.key_share); 1211 tls_key_share_free(s->s3->hs.key_share);
1212 if ((S3I(s)->hs.key_share = tls_key_share_new_nid(nid)) == NULL) 1212 if ((s->s3->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
1213 goto err; 1213 goto err;
1214 1214
1215 if (!tls_key_share_peer_params(S3I(s)->hs.key_share, cbs, 1215 if (!tls_key_share_peer_params(s->s3->hs.key_share, cbs,
1216 &decode_error, &invalid_params)) { 1216 &decode_error, &invalid_params)) {
1217 if (decode_error) { 1217 if (decode_error) {
1218 SSLerror(s, SSL_R_BAD_PACKET_LENGTH); 1218 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
@@ -1220,7 +1220,7 @@ ssl3_get_server_kex_dhe(SSL *s, CBS *cbs)
1220 } 1220 }
1221 goto err; 1221 goto err;
1222 } 1222 }
1223 if (!tls_key_share_peer_public(S3I(s)->hs.key_share, cbs, 1223 if (!tls_key_share_peer_public(s->s3->hs.key_share, cbs,
1224 &decode_error, &invalid_key)) { 1224 &decode_error, &invalid_key)) {
1225 if (decode_error) { 1225 if (decode_error) {
1226 SSLerror(s, SSL_R_BAD_PACKET_LENGTH); 1226 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
@@ -1279,11 +1279,11 @@ ssl3_get_server_kex_ecdhe(SSL *s, CBS *cbs)
1279 goto err; 1279 goto err;
1280 } 1280 }
1281 1281
1282 tls_key_share_free(S3I(s)->hs.key_share); 1282 tls_key_share_free(s->s3->hs.key_share);
1283 if ((S3I(s)->hs.key_share = tls_key_share_new(curve_id)) == NULL) 1283 if ((s->s3->hs.key_share = tls_key_share_new(curve_id)) == NULL)
1284 goto err; 1284 goto err;
1285 1285
1286 if (!tls_key_share_peer_public(S3I(s)->hs.key_share, &public, 1286 if (!tls_key_share_peer_public(s->s3->hs.key_share, &public,
1287 &decode_error, NULL)) { 1287 &decode_error, NULL)) {
1288 if (decode_error) 1288 if (decode_error)
1289 goto decode_err; 1289 goto decode_err;
@@ -1309,8 +1309,8 @@ ssl3_get_server_key_exchange(SSL *s)
1309 long alg_k, alg_a; 1309 long alg_k, alg_a;
1310 int al, ret; 1310 int al, ret;
1311 1311
1312 alg_k = S3I(s)->hs.cipher->algorithm_mkey; 1312 alg_k = s->s3->hs.cipher->algorithm_mkey;
1313 alg_a = S3I(s)->hs.cipher->algorithm_auth; 1313 alg_a = s->s3->hs.cipher->algorithm_auth;
1314 1314
1315 /* 1315 /*
1316 * Use same message size as in ssl3_get_certificate_request() 1316 * Use same message size as in ssl3_get_certificate_request()
@@ -1328,7 +1328,7 @@ ssl3_get_server_key_exchange(SSL *s)
1328 1328
1329 CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); 1329 CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);
1330 1330
1331 if (S3I(s)->hs.tls12.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { 1331 if (s->s3->hs.tls12.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) {
1332 /* 1332 /*
1333 * Do not skip server key exchange if this cipher suite uses 1333 * Do not skip server key exchange if this cipher suite uses
1334 * ephemeral keys. 1334 * ephemeral keys.
@@ -1339,7 +1339,7 @@ ssl3_get_server_key_exchange(SSL *s)
1339 goto fatal_err; 1339 goto fatal_err;
1340 } 1340 }
1341 1341
1342 S3I(s)->hs.tls12.reuse_message = 1; 1342 s->s3->hs.tls12.reuse_message = 1;
1343 EVP_MD_CTX_free(md_ctx); 1343 EVP_MD_CTX_free(md_ctx);
1344 return (1); 1344 return (1);
1345 } 1345 }
@@ -1398,7 +1398,7 @@ ssl3_get_server_key_exchange(SSL *s)
1398 al = SSL_AD_DECODE_ERROR; 1398 al = SSL_AD_DECODE_ERROR;
1399 goto fatal_err; 1399 goto fatal_err;
1400 } 1400 }
1401 S3I(s)->hs.peer_sigalg = sigalg; 1401 s->s3->hs.peer_sigalg = sigalg;
1402 1402
1403 if (!EVP_DigestVerifyInit(md_ctx, &pctx, sigalg->md(), 1403 if (!EVP_DigestVerifyInit(md_ctx, &pctx, sigalg->md(),
1404 NULL, pkey)) 1404 NULL, pkey))
@@ -1462,10 +1462,10 @@ ssl3_get_certificate_request(SSL *s)
1462 1462
1463 ret = 0; 1463 ret = 0;
1464 1464
1465 S3I(s)->hs.tls12.cert_request = 0; 1465 s->s3->hs.tls12.cert_request = 0;
1466 1466
1467 if (S3I(s)->hs.tls12.message_type == SSL3_MT_SERVER_DONE) { 1467 if (s->s3->hs.tls12.message_type == SSL3_MT_SERVER_DONE) {
1468 S3I(s)->hs.tls12.reuse_message = 1; 1468 s->s3->hs.tls12.reuse_message = 1;
1469 /* 1469 /*
1470 * If we get here we don't need any cached handshake records 1470 * If we get here we don't need any cached handshake records
1471 * as we wont be doing client auth. 1471 * as we wont be doing client auth.
@@ -1474,14 +1474,14 @@ ssl3_get_certificate_request(SSL *s)
1474 return (1); 1474 return (1);
1475 } 1475 }
1476 1476
1477 if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE_REQUEST) { 1477 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
1478 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 1478 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1479 SSLerror(s, SSL_R_WRONG_MESSAGE_TYPE); 1479 SSLerror(s, SSL_R_WRONG_MESSAGE_TYPE);
1480 goto err; 1480 goto err;
1481 } 1481 }
1482 1482
1483 /* TLS does not like anon-DH with client cert */ 1483 /* TLS does not like anon-DH with client cert */
1484 if (S3I(s)->hs.cipher->algorithm_auth & SSL_aNULL) { 1484 if (s->s3->hs.cipher->algorithm_auth & SSL_aNULL) {
1485 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 1485 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1486 SSLerror(s, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); 1486 SSLerror(s, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1487 goto err; 1487 goto err;
@@ -1516,8 +1516,8 @@ ssl3_get_certificate_request(SSL *s)
1516 SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR); 1516 SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1517 goto err; 1517 goto err;
1518 } 1518 }
1519 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, 1519 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs,
1520 &S3I(s)->hs.sigalgs_len)) 1520 &s->s3->hs.sigalgs_len))
1521 goto err; 1521 goto err;
1522 } 1522 }
1523 1523
@@ -1569,9 +1569,9 @@ ssl3_get_certificate_request(SSL *s)
1569 } 1569 }
1570 1570
1571 /* we should setup a certificate to return.... */ 1571 /* we should setup a certificate to return.... */
1572 S3I(s)->hs.tls12.cert_request = 1; 1572 s->s3->hs.tls12.cert_request = 1;
1573 sk_X509_NAME_pop_free(S3I(s)->hs.tls12.ca_names, X509_NAME_free); 1573 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
1574 S3I(s)->hs.tls12.ca_names = ca_sk; 1574 s->s3->hs.tls12.ca_names = ca_sk;
1575 ca_sk = NULL; 1575 ca_sk = NULL;
1576 1576
1577 ret = 1; 1577 ret = 1;
@@ -1602,11 +1602,11 @@ ssl3_get_new_session_ticket(SSL *s)
1602 SSL3_ST_CR_SESSION_TICKET_B, -1, 16384)) <= 0) 1602 SSL3_ST_CR_SESSION_TICKET_B, -1, 16384)) <= 0)
1603 return ret; 1603 return ret;
1604 1604
1605 if (S3I(s)->hs.tls12.message_type == SSL3_MT_FINISHED) { 1605 if (s->s3->hs.tls12.message_type == SSL3_MT_FINISHED) {
1606 S3I(s)->hs.tls12.reuse_message = 1; 1606 s->s3->hs.tls12.reuse_message = 1;
1607 return (1); 1607 return (1);
1608 } 1608 }
1609 if (S3I(s)->hs.tls12.message_type != SSL3_MT_NEWSESSION_TICKET) { 1609 if (s->s3->hs.tls12.message_type != SSL3_MT_NEWSESSION_TICKET) {
1610 al = SSL_AD_UNEXPECTED_MESSAGE; 1610 al = SSL_AD_UNEXPECTED_MESSAGE;
1611 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE); 1611 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
1612 goto fatal_err; 1612 goto fatal_err;
@@ -1673,7 +1673,7 @@ ssl3_get_cert_status(SSL *s)
1673 SSL3_ST_CR_CERT_STATUS_B, -1, 16384)) <= 0) 1673 SSL3_ST_CR_CERT_STATUS_B, -1, 16384)) <= 0)
1674 return ret; 1674 return ret;
1675 1675
1676 if (S3I(s)->hs.tls12.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) { 1676 if (s->s3->hs.tls12.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) {
1677 /* 1677 /*
1678 * Tell the callback the server did not send us an OSCP 1678 * Tell the callback the server did not send us an OSCP
1679 * response, and has decided to head directly to key exchange. 1679 * response, and has decided to head directly to key exchange.
@@ -1696,12 +1696,12 @@ ssl3_get_cert_status(SSL *s)
1696 goto fatal_err; 1696 goto fatal_err;
1697 } 1697 }
1698 } 1698 }
1699 S3I(s)->hs.tls12.reuse_message = 1; 1699 s->s3->hs.tls12.reuse_message = 1;
1700 return (1); 1700 return (1);
1701 } 1701 }
1702 1702
1703 if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE && 1703 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE &&
1704 S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE_STATUS) { 1704 s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE_STATUS) {
1705 al = SSL_AD_UNEXPECTED_MESSAGE; 1705 al = SSL_AD_UNEXPECTED_MESSAGE;
1706 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE); 1706 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
1707 goto fatal_err; 1707 goto fatal_err;
@@ -1858,17 +1858,17 @@ ssl3_send_client_kex_dhe(SSL *s, CBB *cbb)
1858 int ret = 0; 1858 int ret = 0;
1859 1859
1860 /* Ensure that we have an ephemeral key from the server for DHE. */ 1860 /* Ensure that we have an ephemeral key from the server for DHE. */
1861 if (S3I(s)->hs.key_share == NULL) { 1861 if (s->s3->hs.key_share == NULL) {
1862 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1862 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1863 SSLerror(s, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); 1863 SSLerror(s, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
1864 goto err; 1864 goto err;
1865 } 1865 }
1866 1866
1867 if (!tls_key_share_generate(S3I(s)->hs.key_share)) 1867 if (!tls_key_share_generate(s->s3->hs.key_share))
1868 goto err; 1868 goto err;
1869 if (!tls_key_share_public(S3I(s)->hs.key_share, cbb)) 1869 if (!tls_key_share_public(s->s3->hs.key_share, cbb))
1870 goto err; 1870 goto err;
1871 if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len)) 1871 if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len))
1872 goto err; 1872 goto err;
1873 1873
1874 if (!tls12_derive_master_secret(s, key, key_len)) 1874 if (!tls12_derive_master_secret(s, key, key_len))
@@ -1891,23 +1891,23 @@ ssl3_send_client_kex_ecdhe(SSL *s, CBB *cbb)
1891 int ret = 0; 1891 int ret = 0;
1892 1892
1893 /* Ensure that we have an ephemeral key for ECDHE. */ 1893 /* Ensure that we have an ephemeral key for ECDHE. */
1894 if (S3I(s)->hs.key_share == NULL) { 1894 if (s->s3->hs.key_share == NULL) {
1895 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1895 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1896 SSLerror(s, ERR_R_INTERNAL_ERROR); 1896 SSLerror(s, ERR_R_INTERNAL_ERROR);
1897 goto err; 1897 goto err;
1898 } 1898 }
1899 1899
1900 if (!tls_key_share_generate(S3I(s)->hs.key_share)) 1900 if (!tls_key_share_generate(s->s3->hs.key_share))
1901 goto err; 1901 goto err;
1902 1902
1903 if (!CBB_add_u8_length_prefixed(cbb, &public)) 1903 if (!CBB_add_u8_length_prefixed(cbb, &public))
1904 return 0; 1904 return 0;
1905 if (!tls_key_share_public(S3I(s)->hs.key_share, &public)) 1905 if (!tls_key_share_public(s->s3->hs.key_share, &public))
1906 goto err; 1906 goto err;
1907 if (!CBB_flush(cbb)) 1907 if (!CBB_flush(cbb))
1908 goto err; 1908 goto err;
1909 1909
1910 if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len)) 1910 if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len))
1911 goto err; 1911 goto err;
1912 1912
1913 if (!tls12_derive_master_secret(s, key, key_len)) 1913 if (!tls12_derive_master_secret(s, key, key_len))
@@ -1960,7 +1960,7 @@ ssl3_send_client_kex_gost(SSL *s, CBB *cbb)
1960 * If we have client certificate, use its secret as peer key. 1960 * If we have client certificate, use its secret as peer key.
1961 * XXX - this presumably lacks PFS. 1961 * XXX - this presumably lacks PFS.
1962 */ 1962 */
1963 if (S3I(s)->hs.tls12.cert_request != 0 && 1963 if (s->s3->hs.tls12.cert_request != 0 &&
1964 s->cert->key->privatekey != NULL) { 1964 s->cert->key->privatekey != NULL) {
1965 if (EVP_PKEY_derive_set_peer(pkey_ctx, 1965 if (EVP_PKEY_derive_set_peer(pkey_ctx,
1966 s->cert->key->privatekey) <=0) { 1966 s->cert->key->privatekey) <=0) {
@@ -1981,7 +1981,7 @@ ssl3_send_client_kex_gost(SSL *s, CBB *cbb)
1981 } 1981 }
1982 1982
1983 /* XXX check handshake hash instead. */ 1983 /* XXX check handshake hash instead. */
1984 if (S3I(s)->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94) 1984 if (s->s3->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94)
1985 nid = NID_id_GostR3411_94; 1985 nid = NID_id_GostR3411_94;
1986 else 1986 else
1987 nid = NID_id_tc26_gost3411_2012_256; 1987 nid = NID_id_tc26_gost3411_2012_256;
@@ -2042,8 +2042,8 @@ ssl3_send_client_key_exchange(SSL *s)
2042 2042
2043 memset(&cbb, 0, sizeof(cbb)); 2043 memset(&cbb, 0, sizeof(cbb));
2044 2044
2045 if (S3I(s)->hs.state == SSL3_ST_CW_KEY_EXCH_A) { 2045 if (s->s3->hs.state == SSL3_ST_CW_KEY_EXCH_A) {
2046 alg_k = S3I(s)->hs.cipher->algorithm_mkey; 2046 alg_k = s->s3->hs.cipher->algorithm_mkey;
2047 2047
2048 if (!ssl3_handshake_msg_start(s, &cbb, &kex, 2048 if (!ssl3_handshake_msg_start(s, &cbb, &kex,
2049 SSL3_MT_CLIENT_KEY_EXCHANGE)) 2049 SSL3_MT_CLIENT_KEY_EXCHANGE))
@@ -2071,7 +2071,7 @@ ssl3_send_client_key_exchange(SSL *s)
2071 if (!ssl3_handshake_msg_finish(s, &cbb)) 2071 if (!ssl3_handshake_msg_finish(s, &cbb))
2072 goto err; 2072 goto err;
2073 2073
2074 S3I(s)->hs.state = SSL3_ST_CW_KEY_EXCH_B; 2074 s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_B;
2075 } 2075 }
2076 2076
2077 /* SSL3_ST_CW_KEY_EXCH_B */ 2077 /* SSL3_ST_CW_KEY_EXCH_B */
@@ -2302,7 +2302,7 @@ ssl3_send_client_verify(SSL *s)
2302 2302
2303 memset(&cbb, 0, sizeof(cbb)); 2303 memset(&cbb, 0, sizeof(cbb));
2304 2304
2305 if (S3I(s)->hs.state == SSL3_ST_CW_CERT_VRFY_A) { 2305 if (s->s3->hs.state == SSL3_ST_CW_CERT_VRFY_A) {
2306 if (!ssl3_handshake_msg_start(s, &cbb, &cert_verify, 2306 if (!ssl3_handshake_msg_start(s, &cbb, &cert_verify,
2307 SSL3_MT_CERTIFICATE_VERIFY)) 2307 SSL3_MT_CERTIFICATE_VERIFY))
2308 goto err; 2308 goto err;
@@ -2312,7 +2312,7 @@ ssl3_send_client_verify(SSL *s)
2312 SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR); 2312 SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
2313 goto err; 2313 goto err;
2314 } 2314 }
2315 S3I(s)->hs.our_sigalg = sigalg; 2315 s->s3->hs.our_sigalg = sigalg;
2316 2316
2317 /* 2317 /*
2318 * For TLS v1.2 send signature algorithm and signature using 2318 * For TLS v1.2 send signature algorithm and signature using
@@ -2344,7 +2344,7 @@ ssl3_send_client_verify(SSL *s)
2344 if (!ssl3_handshake_msg_finish(s, &cbb)) 2344 if (!ssl3_handshake_msg_finish(s, &cbb))
2345 goto err; 2345 goto err;
2346 2346
2347 S3I(s)->hs.state = SSL3_ST_CW_CERT_VRFY_B; 2347 s->s3->hs.state = SSL3_ST_CW_CERT_VRFY_B;
2348 } 2348 }
2349 2349
2350 return (ssl3_handshake_write(s)); 2350 return (ssl3_handshake_write(s));
@@ -2365,16 +2365,16 @@ ssl3_send_client_certificate(SSL *s)
2365 2365
2366 memset(&cbb, 0, sizeof(cbb)); 2366 memset(&cbb, 0, sizeof(cbb));
2367 2367
2368 if (S3I(s)->hs.state == SSL3_ST_CW_CERT_A) { 2368 if (s->s3->hs.state == SSL3_ST_CW_CERT_A) {
2369 if (s->cert->key->x509 == NULL || 2369 if (s->cert->key->x509 == NULL ||
2370 s->cert->key->privatekey == NULL) 2370 s->cert->key->privatekey == NULL)
2371 S3I(s)->hs.state = SSL3_ST_CW_CERT_B; 2371 s->s3->hs.state = SSL3_ST_CW_CERT_B;
2372 else 2372 else
2373 S3I(s)->hs.state = SSL3_ST_CW_CERT_C; 2373 s->s3->hs.state = SSL3_ST_CW_CERT_C;
2374 } 2374 }
2375 2375
2376 /* We need to get a client cert */ 2376 /* We need to get a client cert */
2377 if (S3I(s)->hs.state == SSL3_ST_CW_CERT_B) { 2377 if (s->s3->hs.state == SSL3_ST_CW_CERT_B) {
2378 /* 2378 /*
2379 * If we get an error, we need to 2379 * If we get an error, we need to
2380 * ssl->internal->rwstate = SSL_X509_LOOKUP; return(-1); 2380 * ssl->internal->rwstate = SSL_X509_LOOKUP; return(-1);
@@ -2387,7 +2387,7 @@ ssl3_send_client_certificate(SSL *s)
2387 } 2387 }
2388 s->internal->rwstate = SSL_NOTHING; 2388 s->internal->rwstate = SSL_NOTHING;
2389 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) { 2389 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
2390 S3I(s)->hs.state = SSL3_ST_CW_CERT_B; 2390 s->s3->hs.state = SSL3_ST_CW_CERT_B;
2391 if (!SSL_use_certificate(s, x509) || 2391 if (!SSL_use_certificate(s, x509) ||
2392 !SSL_use_PrivateKey(s, pkey)) 2392 !SSL_use_PrivateKey(s, pkey))
2393 i = 0; 2393 i = 0;
@@ -2399,27 +2399,27 @@ ssl3_send_client_certificate(SSL *s)
2399 X509_free(x509); 2399 X509_free(x509);
2400 EVP_PKEY_free(pkey); 2400 EVP_PKEY_free(pkey);
2401 if (i == 0) { 2401 if (i == 0) {
2402 S3I(s)->hs.tls12.cert_request = 2; 2402 s->s3->hs.tls12.cert_request = 2;
2403 2403
2404 /* There is no client certificate to verify. */ 2404 /* There is no client certificate to verify. */
2405 tls1_transcript_free(s); 2405 tls1_transcript_free(s);
2406 } 2406 }
2407 2407
2408 /* Ok, we have a cert */ 2408 /* Ok, we have a cert */
2409 S3I(s)->hs.state = SSL3_ST_CW_CERT_C; 2409 s->s3->hs.state = SSL3_ST_CW_CERT_C;
2410 } 2410 }
2411 2411
2412 if (S3I(s)->hs.state == SSL3_ST_CW_CERT_C) { 2412 if (s->s3->hs.state == SSL3_ST_CW_CERT_C) {
2413 if (!ssl3_handshake_msg_start(s, &cbb, &client_cert, 2413 if (!ssl3_handshake_msg_start(s, &cbb, &client_cert,
2414 SSL3_MT_CERTIFICATE)) 2414 SSL3_MT_CERTIFICATE))
2415 goto err; 2415 goto err;
2416 if (!ssl3_output_cert_chain(s, &client_cert, 2416 if (!ssl3_output_cert_chain(s, &client_cert,
2417 (S3I(s)->hs.tls12.cert_request == 2) ? NULL : s->cert->key)) 2417 (s->s3->hs.tls12.cert_request == 2) ? NULL : s->cert->key))
2418 goto err; 2418 goto err;
2419 if (!ssl3_handshake_msg_finish(s, &cbb)) 2419 if (!ssl3_handshake_msg_finish(s, &cbb))
2420 goto err; 2420 goto err;
2421 2421
2422 S3I(s)->hs.state = SSL3_ST_CW_CERT_D; 2422 s->s3->hs.state = SSL3_ST_CW_CERT_D;
2423 } 2423 }
2424 2424
2425 /* SSL3_ST_CW_CERT_D */ 2425 /* SSL3_ST_CW_CERT_D */
@@ -2440,15 +2440,15 @@ ssl3_check_cert_and_algorithm(SSL *s)
2440 int nid = NID_undef; 2440 int nid = NID_undef;
2441 int i; 2441 int i;
2442 2442
2443 alg_k = S3I(s)->hs.cipher->algorithm_mkey; 2443 alg_k = s->s3->hs.cipher->algorithm_mkey;
2444 alg_a = S3I(s)->hs.cipher->algorithm_auth; 2444 alg_a = s->s3->hs.cipher->algorithm_auth;
2445 2445
2446 /* We don't have a certificate. */ 2446 /* We don't have a certificate. */
2447 if (alg_a & SSL_aNULL) 2447 if (alg_a & SSL_aNULL)
2448 return (1); 2448 return (1);
2449 2449
2450 if (S3I(s)->hs.key_share != NULL) 2450 if (s->s3->hs.key_share != NULL)
2451 nid = tls_key_share_nid(S3I(s)->hs.key_share); 2451 nid = tls_key_share_nid(s->s3->hs.key_share);
2452 2452
2453 /* This is the passed certificate. */ 2453 /* This is the passed certificate. */
2454 2454
@@ -2505,9 +2505,9 @@ ssl3_check_finished(SSL *s)
2505 SSL3_ST_CR_CERT_B, -1, s->internal->max_cert_list)) <= 0) 2505 SSL3_ST_CR_CERT_B, -1, s->internal->max_cert_list)) <= 0)
2506 return ret; 2506 return ret;
2507 2507
2508 S3I(s)->hs.tls12.reuse_message = 1; 2508 s->s3->hs.tls12.reuse_message = 1;
2509 if ((S3I(s)->hs.tls12.message_type == SSL3_MT_FINISHED) || 2509 if ((s->s3->hs.tls12.message_type == SSL3_MT_FINISHED) ||
2510 (S3I(s)->hs.tls12.message_type == SSL3_MT_NEWSESSION_TICKET)) 2510 (s->s3->hs.tls12.message_type == SSL3_MT_NEWSESSION_TICKET))
2511 return (2); 2511 return (2);
2512 2512
2513 return (1); 2513 return (1);
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
index 9ea7cd469a..d4c9fbbf07 100644
--- a/src/lib/libssl/ssl_err.c
+++ b/src/lib/libssl/ssl_err.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_err.c,v 1.39 2021/09/10 09:25:29 tb Exp $ */ 1/* $OpenBSD: ssl_err.c,v 1.40 2022/02/05 14:54:10 jsing Exp $ */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
4 * 4 *
@@ -666,5 +666,5 @@ void
666SSL_error_internal(const SSL *s, int r, char *f, int l) 666SSL_error_internal(const SSL *s, int r, char *f, int l)
667{ 667{
668 ERR_PUT_error(ERR_LIB_SSL, 668 ERR_PUT_error(ERR_LIB_SSL,
669 (SSL_state_func_code(S3I(s)->hs.state)), r, f, l); 669 (SSL_state_func_code(s->s3->hs.state)), r, f, l);
670} 670}
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 91080e9360..ad7fe4d575 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_lib.c,v 1.287 2022/01/14 09:10:11 tb Exp $ */ 1/* $OpenBSD: ssl_lib.c,v 1.288 2022/02/05 14:54:10 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -732,10 +732,10 @@ SSL_get_finished(const SSL *s, void *buf, size_t count)
732{ 732{
733 size_t ret; 733 size_t ret;
734 734
735 ret = S3I(s)->hs.finished_len; 735 ret = s->s3->hs.finished_len;
736 if (count > ret) 736 if (count > ret)
737 count = ret; 737 count = ret;
738 memcpy(buf, S3I(s)->hs.finished, count); 738 memcpy(buf, s->s3->hs.finished, count);
739 return (ret); 739 return (ret);
740} 740}
741 741
@@ -745,10 +745,10 @@ SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
745{ 745{
746 size_t ret; 746 size_t ret;
747 747
748 ret = S3I(s)->hs.peer_finished_len; 748 ret = s->s3->hs.peer_finished_len;
749 if (count > ret) 749 if (count > ret)
750 count = ret; 750 count = ret;
751 memcpy(buf, S3I(s)->hs.peer_finished, count); 751 memcpy(buf, s->s3->hs.peer_finished, count);
752 return (ret); 752 return (ret);
753} 753}
754 754
@@ -1294,7 +1294,7 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
1294 return (1); 1294 return (1);
1295 case SSL_CTRL_GET_RI_SUPPORT: 1295 case SSL_CTRL_GET_RI_SUPPORT:
1296 if (s->s3) 1296 if (s->s3)
1297 return (S3I(s)->send_connection_binding); 1297 return (s->s3->send_connection_binding);
1298 else return (0); 1298 else return (0);
1299 default: 1299 default:
1300 if (SSL_is_dtls(s)) 1300 if (SSL_is_dtls(s))
@@ -1837,8 +1837,8 @@ void
1837SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, 1837SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
1838 unsigned int *len) 1838 unsigned int *len)
1839{ 1839{
1840 *data = ssl->s3->internal->alpn_selected; 1840 *data = ssl->s3->alpn_selected;
1841 *len = ssl->s3->internal->alpn_selected_len; 1841 *len = ssl->s3->alpn_selected_len;
1842} 1842}
1843 1843
1844void 1844void
@@ -2224,8 +2224,8 @@ ssl_using_ecc_cipher(SSL *s)
2224{ 2224{
2225 unsigned long alg_a, alg_k; 2225 unsigned long alg_a, alg_k;
2226 2226
2227 alg_a = S3I(s)->hs.cipher->algorithm_auth; 2227 alg_a = s->s3->hs.cipher->algorithm_auth;
2228 alg_k = S3I(s)->hs.cipher->algorithm_mkey; 2228 alg_k = s->s3->hs.cipher->algorithm_mkey;
2229 2229
2230 return s->session->tlsext_ecpointformatlist != NULL && 2230 return s->session->tlsext_ecpointformatlist != NULL &&
2231 s->session->tlsext_ecpointformatlist_length > 0 && 2231 s->session->tlsext_ecpointformatlist_length > 0 &&
@@ -2235,7 +2235,7 @@ ssl_using_ecc_cipher(SSL *s)
2235int 2235int
2236ssl_check_srvr_ecc_cert_and_alg(SSL *s, X509 *x) 2236ssl_check_srvr_ecc_cert_and_alg(SSL *s, X509 *x)
2237{ 2237{
2238 const SSL_CIPHER *cs = S3I(s)->hs.cipher; 2238 const SSL_CIPHER *cs = s->s3->hs.cipher;
2239 unsigned long alg_a; 2239 unsigned long alg_a;
2240 2240
2241 alg_a = cs->algorithm_auth; 2241 alg_a = cs->algorithm_auth;
@@ -2259,9 +2259,9 @@ ssl_get_server_send_pkey(const SSL *s)
2259 int i; 2259 int i;
2260 2260
2261 c = s->cert; 2261 c = s->cert;
2262 ssl_set_cert_masks(c, S3I(s)->hs.cipher); 2262 ssl_set_cert_masks(c, s->s3->hs.cipher);
2263 2263
2264 alg_a = S3I(s)->hs.cipher->algorithm_auth; 2264 alg_a = s->s3->hs.cipher->algorithm_auth;
2265 2265
2266 if (alg_a & SSL_aECDSA) { 2266 if (alg_a & SSL_aECDSA) {
2267 i = SSL_PKEY_ECC; 2267 i = SSL_PKEY_ECC;
@@ -2319,9 +2319,9 @@ ssl_dhe_params_auto_key_bits(SSL *s)
2319 2319
2320 if (s->cert->dhe_params_auto == 2) { 2320 if (s->cert->dhe_params_auto == 2) {
2321 key_bits = 1024; 2321 key_bits = 1024;
2322 } else if (S3I(s)->hs.cipher->algorithm_auth & SSL_aNULL) { 2322 } else if (s->s3->hs.cipher->algorithm_auth & SSL_aNULL) {
2323 key_bits = 1024; 2323 key_bits = 1024;
2324 if (S3I(s)->hs.cipher->strength_bits == 256) 2324 if (s->s3->hs.cipher->strength_bits == 256)
2325 key_bits = 3072; 2325 key_bits = 3072;
2326 } else { 2326 } else {
2327 if ((cpk = ssl_get_server_send_pkey(s)) == NULL) 2327 if ((cpk = ssl_get_server_send_pkey(s)) == NULL)
@@ -2352,7 +2352,7 @@ ssl_should_update_external_cache(SSL *s, int mode)
2352 return 1; 2352 return 1;
2353 2353
2354 /* If it's TLS 1.3, do it to match OpenSSL */ 2354 /* If it's TLS 1.3, do it to match OpenSSL */
2355 if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) 2355 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION)
2356 return 1; 2356 return 1;
2357 2357
2358 return 0; 2358 return 0;
@@ -2377,7 +2377,7 @@ ssl_should_update_internal_cache(SSL *s, int mode)
2377 return 0; 2377 return 0;
2378 2378
2379 /* If we are lesser than TLS 1.3, Cache it. */ 2379 /* If we are lesser than TLS 1.3, Cache it. */
2380 if (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION) 2380 if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
2381 return 1; 2381 return 1;
2382 2382
2383 /* Below this we consider TLS 1.3 or later */ 2383 /* Below this we consider TLS 1.3 or later */
@@ -2556,7 +2556,7 @@ SSL_get_error(const SSL *s, int i)
2556 2556
2557 if (i == 0) { 2557 if (i == 0) {
2558 if ((s->internal->shutdown & SSL_RECEIVED_SHUTDOWN) && 2558 if ((s->internal->shutdown & SSL_RECEIVED_SHUTDOWN) &&
2559 (S3I(s)->warn_alert == SSL_AD_CLOSE_NOTIFY)) 2559 (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
2560 return (SSL_ERROR_ZERO_RETURN); 2560 return (SSL_ERROR_ZERO_RETURN);
2561 } 2561 }
2562 return (SSL_ERROR_SYSCALL); 2562 return (SSL_ERROR_SYSCALL);
@@ -2589,7 +2589,7 @@ SSL_set_accept_state(SSL *s)
2589{ 2589{
2590 s->server = 1; 2590 s->server = 1;
2591 s->internal->shutdown = 0; 2591 s->internal->shutdown = 0;
2592 S3I(s)->hs.state = SSL_ST_ACCEPT|SSL_ST_BEFORE; 2592 s->s3->hs.state = SSL_ST_ACCEPT|SSL_ST_BEFORE;
2593 s->internal->handshake_func = s->method->ssl_accept; 2593 s->internal->handshake_func = s->method->ssl_accept;
2594 ssl_clear_cipher_state(s); 2594 ssl_clear_cipher_state(s);
2595} 2595}
@@ -2599,7 +2599,7 @@ SSL_set_connect_state(SSL *s)
2599{ 2599{
2600 s->server = 0; 2600 s->server = 0;
2601 s->internal->shutdown = 0; 2601 s->internal->shutdown = 0;
2602 S3I(s)->hs.state = SSL_ST_CONNECT|SSL_ST_BEFORE; 2602 s->s3->hs.state = SSL_ST_CONNECT|SSL_ST_BEFORE;
2603 s->internal->handshake_func = s->method->ssl_connect; 2603 s->internal->handshake_func = s->method->ssl_connect;
2604 ssl_clear_cipher_state(s); 2604 ssl_clear_cipher_state(s);
2605} 2605}
@@ -2731,7 +2731,7 @@ SSL_dup(SSL *s)
2731 ret->internal->quiet_shutdown = s->internal->quiet_shutdown; 2731 ret->internal->quiet_shutdown = s->internal->quiet_shutdown;
2732 ret->internal->shutdown = s->internal->shutdown; 2732 ret->internal->shutdown = s->internal->shutdown;
2733 /* SSL_dup does not really work at any state, though */ 2733 /* SSL_dup does not really work at any state, though */
2734 S3I(ret)->hs.state = S3I(s)->hs.state; 2734 ret->s3->hs.state = s->s3->hs.state;
2735 ret->internal->rstate = s->internal->rstate; 2735 ret->internal->rstate = s->internal->rstate;
2736 2736
2737 /* 2737 /*
@@ -3018,13 +3018,13 @@ void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type, int val)
3018int 3018int
3019SSL_state(const SSL *ssl) 3019SSL_state(const SSL *ssl)
3020{ 3020{
3021 return (S3I(ssl)->hs.state); 3021 return (ssl->s3->hs.state);
3022} 3022}
3023 3023
3024void 3024void
3025SSL_set_state(SSL *ssl, int state) 3025SSL_set_state(SSL *ssl, int state)
3026{ 3026{
3027 S3I(ssl)->hs.state = state; 3027 ssl->s3->hs.state = state;
3028} 3028}
3029 3029
3030void 3030void
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index ee64ec208e..69e52dcc8c 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.384 2022/02/03 16:33:12 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.385 2022/02/05 14:54:10 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1132,7 +1132,12 @@ typedef struct ssl3_buffer_internal_st {
1132 int left; /* how many bytes left */ 1132 int left; /* how many bytes left */
1133} SSL3_BUFFER_INTERNAL; 1133} SSL3_BUFFER_INTERNAL;
1134 1134
1135typedef struct ssl3_state_internal_st { 1135typedef struct ssl3_state_st {
1136 long flags;
1137
1138 unsigned char server_random[SSL3_RANDOM_SIZE];
1139 unsigned char client_random[SSL3_RANDOM_SIZE];
1140
1136 SSL3_BUFFER_INTERNAL rbuf; /* read IO goes into here */ 1141 SSL3_BUFFER_INTERNAL rbuf; /* read IO goes into here */
1137 SSL3_BUFFER_INTERNAL wbuf; /* write IO goes into here */ 1142 SSL3_BUFFER_INTERNAL wbuf; /* write IO goes into here */
1138 1143
@@ -1204,21 +1209,8 @@ typedef struct ssl3_state_internal_st {
1204 */ 1209 */
1205 unsigned char *alpn_selected; 1210 unsigned char *alpn_selected;
1206 size_t alpn_selected_len; 1211 size_t alpn_selected_len;
1207} SSL3_STATE_INTERNAL;
1208#define S3I(s) (s->s3->internal)
1209
1210typedef struct ssl3_state_st {
1211 long flags;
1212
1213 unsigned char server_random[SSL3_RANDOM_SIZE];
1214 unsigned char client_random[SSL3_RANDOM_SIZE];
1215
1216 struct ssl3_state_internal_st *internal;
1217} SSL3_STATE; 1212} SSL3_STATE;
1218 1213
1219/*#define SSL_DEBUG */
1220/*#define RSA_DEBUG */
1221
1222/* 1214/*
1223 * Flag values for enc_flags. 1215 * Flag values for enc_flags.
1224 */ 1216 */
diff --git a/src/lib/libssl/ssl_packet.c b/src/lib/libssl/ssl_packet.c
index af56dcef7f..091685b217 100644
--- a/src/lib/libssl/ssl_packet.c
+++ b/src/lib/libssl/ssl_packet.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_packet.c,v 1.12 2021/07/01 17:53:39 jsing Exp $ */ 1/* $OpenBSD: ssl_packet.c,v 1.13 2022/02/05 14:54:10 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -209,10 +209,10 @@ ssl_convert_sslv2_client_hello(SSL *s)
209 if (!CBB_finish(&cbb, &data, &data_len)) 209 if (!CBB_finish(&cbb, &data, &data_len))
210 goto err; 210 goto err;
211 211
212 if (data_len > S3I(s)->rbuf.len) 212 if (data_len > s->s3->rbuf.len)
213 goto err; 213 goto err;
214 214
215 s->internal->packet = S3I(s)->rbuf.buf; 215 s->internal->packet = s->s3->rbuf.buf;
216 s->internal->packet_length = data_len; 216 s->internal->packet_length = data_len;
217 memcpy(s->internal->packet, data, data_len); 217 memcpy(s->internal->packet, data, data_len);
218 ret = 1; 218 ret = 1;
diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c
index e3101eefba..3374713644 100644
--- a/src/lib/libssl/ssl_pkt.c
+++ b/src/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_pkt.c,v 1.52 2021/10/25 10:14:48 jsing Exp $ */ 1/* $OpenBSD: ssl_pkt.c,v 1.53 2022/02/05 14:54:10 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -142,7 +142,7 @@ ssl_force_want_read(SSL *s)
142/* 142/*
143 * If extend == 0, obtain new n-byte packet; if extend == 1, increase 143 * If extend == 0, obtain new n-byte packet; if extend == 1, increase
144 * packet by another n bytes. 144 * packet by another n bytes.
145 * The packet will be in the sub-array of S3I(s)->rbuf.buf specified 145 * The packet will be in the sub-array of s->s3->rbuf.buf specified
146 * by s->internal->packet and s->internal->packet_length. 146 * by s->internal->packet and s->internal->packet_length.
147 * (If s->internal->read_ahead is set, 'max' bytes may be stored in rbuf 147 * (If s->internal->read_ahead is set, 'max' bytes may be stored in rbuf
148 * [plus s->internal->packet_length bytes if extend == 1].) 148 * [plus s->internal->packet_length bytes if extend == 1].)
@@ -150,7 +150,7 @@ ssl_force_want_read(SSL *s)
150static int 150static int
151ssl3_read_n(SSL *s, int n, int max, int extend) 151ssl3_read_n(SSL *s, int n, int max, int extend)
152{ 152{
153 SSL3_BUFFER_INTERNAL *rb = &(S3I(s)->rbuf); 153 SSL3_BUFFER_INTERNAL *rb = &(s->s3->rbuf);
154 int i, len, left; 154 int i, len, left;
155 size_t align; 155 size_t align;
156 unsigned char *pkt; 156 unsigned char *pkt;
@@ -239,7 +239,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend)
239 } 239 }
240 240
241 while (left < n) { 241 while (left < n) {
242 /* Now we have len+left bytes at the front of S3I(s)->rbuf.buf 242 /* Now we have len+left bytes at the front of s->s3->rbuf.buf
243 * and need to read in more until we have len+n (up to 243 * and need to read in more until we have len+n (up to
244 * len+max if possible) */ 244 * len+max if possible) */
245 245
@@ -288,7 +288,7 @@ ssl3_packet_read(SSL *s, int plen)
288{ 288{
289 int n; 289 int n;
290 290
291 n = ssl3_read_n(s, plen, S3I(s)->rbuf.len, 0); 291 n = ssl3_read_n(s, plen, s->s3->rbuf.len, 0);
292 if (n <= 0) 292 if (n <= 0)
293 return n; 293 return n;
294 if (s->internal->packet_length < plen) 294 if (s->internal->packet_length < plen)
@@ -327,8 +327,8 @@ ssl3_packet_extend(SSL *s, int plen)
327static int 327static int
328ssl3_get_record(SSL *s) 328ssl3_get_record(SSL *s)
329{ 329{
330 SSL3_BUFFER_INTERNAL *rb = &(S3I(s)->rbuf); 330 SSL3_BUFFER_INTERNAL *rb = &(s->s3->rbuf);
331 SSL3_RECORD_INTERNAL *rr = &(S3I(s)->rrec); 331 SSL3_RECORD_INTERNAL *rr = &(s->s3->rrec);
332 uint8_t alert_desc; 332 uint8_t alert_desc;
333 uint8_t *out; 333 uint8_t *out;
334 size_t out_len; 334 size_t out_len;
@@ -483,8 +483,8 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
483 } 483 }
484 484
485 s->internal->rwstate = SSL_NOTHING; 485 s->internal->rwstate = SSL_NOTHING;
486 tot = S3I(s)->wnum; 486 tot = s->s3->wnum;
487 S3I(s)->wnum = 0; 487 s->s3->wnum = 0;
488 488
489 if (SSL_in_init(s) && !s->internal->in_handshake) { 489 if (SSL_in_init(s) && !s->internal->in_handshake) {
490 i = s->internal->handshake_func(s); 490 i = s->internal->handshake_func(s);
@@ -507,7 +507,7 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
507 507
508 i = do_ssl3_write(s, type, &(buf[tot]), nw); 508 i = do_ssl3_write(s, type, &(buf[tot]), nw);
509 if (i <= 0) { 509 if (i <= 0) {
510 S3I(s)->wnum = tot; 510 s->s3->wnum = tot;
511 return i; 511 return i;
512 } 512 }
513 513
@@ -518,7 +518,7 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
518 * empty fragment in ciphersuites with known-IV 518 * empty fragment in ciphersuites with known-IV
519 * weakness. 519 * weakness.
520 */ 520 */
521 S3I(s)->empty_fragment_done = 0; 521 s->s3->empty_fragment_done = 0;
522 522
523 return tot + i; 523 return tot + i;
524 } 524 }
@@ -531,7 +531,7 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
531static int 531static int
532do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len) 532do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
533{ 533{
534 SSL3_BUFFER_INTERNAL *wb = &(S3I(s)->wbuf); 534 SSL3_BUFFER_INTERNAL *wb = &(s->s3->wbuf);
535 SSL_SESSION *sess = s->session; 535 SSL_SESSION *sess = s->session;
536 int need_empty_fragment = 0; 536 int need_empty_fragment = 0;
537 size_t align, out_len; 537 size_t align, out_len;
@@ -553,7 +553,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
553 return (ssl3_write_pending(s, type, buf, len)); 553 return (ssl3_write_pending(s, type, buf, len));
554 554
555 /* If we have an alert to send, let's send it. */ 555 /* If we have an alert to send, let's send it. */
556 if (S3I(s)->alert_dispatch) { 556 if (s->s3->alert_dispatch) {
557 if ((ret = ssl3_dispatch_alert(s)) <= 0) 557 if ((ret = ssl3_dispatch_alert(s)) <= 0)
558 return (ret); 558 return (ret);
559 /* If it went, fall through and send more stuff. */ 559 /* If it went, fall through and send more stuff. */
@@ -572,9 +572,9 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
572 * bytes and record version number > TLS 1.0. 572 * bytes and record version number > TLS 1.0.
573 */ 573 */
574 version = s->version; 574 version = s->version;
575 if (S3I(s)->hs.state == SSL3_ST_CW_CLNT_HELLO_B && 575 if (s->s3->hs.state == SSL3_ST_CW_CLNT_HELLO_B &&
576 !s->internal->renegotiate && 576 !s->internal->renegotiate &&
577 S3I(s)->hs.our_max_tls_version > TLS1_VERSION) 577 s->s3->hs.our_max_tls_version > TLS1_VERSION)
578 version = TLS1_VERSION; 578 version = TLS1_VERSION;
579 579
580 /* 580 /*
@@ -583,8 +583,8 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
583 * is unnecessary for AEAD. 583 * is unnecessary for AEAD.
584 */ 584 */
585 if (sess != NULL && tls12_record_layer_write_protected(s->internal->rl)) { 585 if (sess != NULL && tls12_record_layer_write_protected(s->internal->rl)) {
586 if (S3I(s)->need_empty_fragments && 586 if (s->s3->need_empty_fragments &&
587 !S3I(s)->empty_fragment_done && 587 !s->s3->empty_fragment_done &&
588 type == SSL3_RT_APPLICATION_DATA) 588 type == SSL3_RT_APPLICATION_DATA)
589 need_empty_fragment = 1; 589 need_empty_fragment = 1;
590 } 590 }
@@ -609,7 +609,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
609 if (!tls12_record_layer_seal_record(s->internal->rl, type, 609 if (!tls12_record_layer_seal_record(s->internal->rl, type,
610 buf, 0, &cbb)) 610 buf, 0, &cbb))
611 goto err; 611 goto err;
612 S3I(s)->empty_fragment_done = 1; 612 s->s3->empty_fragment_done = 1;
613 } 613 }
614 614
615 if (!tls12_record_layer_seal_record(s->internal->rl, type, buf, len, &cbb)) 615 if (!tls12_record_layer_seal_record(s->internal->rl, type, buf, len, &cbb))
@@ -624,10 +624,10 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
624 * Memorize arguments so that ssl3_write_pending can detect 624 * Memorize arguments so that ssl3_write_pending can detect
625 * bad write retries later. 625 * bad write retries later.
626 */ 626 */
627 S3I(s)->wpend_tot = len; 627 s->s3->wpend_tot = len;
628 S3I(s)->wpend_buf = buf; 628 s->s3->wpend_buf = buf;
629 S3I(s)->wpend_type = type; 629 s->s3->wpend_type = type;
630 S3I(s)->wpend_ret = len; 630 s->s3->wpend_ret = len;
631 631
632 /* We now just need to write the buffer. */ 632 /* We now just need to write the buffer. */
633 return ssl3_write_pending(s, type, buf, len); 633 return ssl3_write_pending(s, type, buf, len);
@@ -638,17 +638,17 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
638 return -1; 638 return -1;
639} 639}
640 640
641/* if S3I(s)->wbuf.left != 0, we need to call this */ 641/* if s->s3->wbuf.left != 0, we need to call this */
642int 642int
643ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) 643ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len)
644{ 644{
645 int i; 645 int i;
646 SSL3_BUFFER_INTERNAL *wb = &(S3I(s)->wbuf); 646 SSL3_BUFFER_INTERNAL *wb = &(s->s3->wbuf);
647 647
648 /* XXXX */ 648 /* XXXX */
649 if ((S3I(s)->wpend_tot > (int)len) || ((S3I(s)->wpend_buf != buf) && 649 if ((s->s3->wpend_tot > (int)len) || ((s->s3->wpend_buf != buf) &&
650 !(s->internal->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) || 650 !(s->internal->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) ||
651 (S3I(s)->wpend_type != type)) { 651 (s->s3->wpend_type != type)) {
652 SSLerror(s, SSL_R_BAD_WRITE_RETRY); 652 SSLerror(s, SSL_R_BAD_WRITE_RETRY);
653 return (-1); 653 return (-1);
654 } 654 }
@@ -670,7 +670,7 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len)
670 !SSL_is_dtls(s)) 670 !SSL_is_dtls(s))
671 ssl3_release_write_buffer(s); 671 ssl3_release_write_buffer(s);
672 s->internal->rwstate = SSL_NOTHING; 672 s->internal->rwstate = SSL_NOTHING;
673 return (S3I(s)->wpend_ret); 673 return (s->s3->wpend_ret);
674 } else if (i <= 0) { 674 } else if (i <= 0) {
675 /* 675 /*
676 * For DTLS, just drop it. That's kind of the 676 * For DTLS, just drop it. That's kind of the
@@ -720,7 +720,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
720 unsigned int n; 720 unsigned int n;
721 SSL3_RECORD_INTERNAL *rr; 721 SSL3_RECORD_INTERNAL *rr;
722 722
723 if (S3I(s)->rbuf.buf == NULL) /* Not initialized yet */ 723 if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
724 if (!ssl3_setup_read_buffer(s)) 724 if (!ssl3_setup_read_buffer(s))
725 return (-1); 725 return (-1);
726 726
@@ -737,28 +737,28 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
737 } 737 }
738 738
739 if ((type == SSL3_RT_HANDSHAKE) && 739 if ((type == SSL3_RT_HANDSHAKE) &&
740 (S3I(s)->handshake_fragment_len > 0)) { 740 (s->s3->handshake_fragment_len > 0)) {
741 /* (partially) satisfy request from storage */ 741 /* (partially) satisfy request from storage */
742 unsigned char *src = S3I(s)->handshake_fragment; 742 unsigned char *src = s->s3->handshake_fragment;
743 unsigned char *dst = buf; 743 unsigned char *dst = buf;
744 unsigned int k; 744 unsigned int k;
745 745
746 /* peek == 0 */ 746 /* peek == 0 */
747 n = 0; 747 n = 0;
748 while ((len > 0) && (S3I(s)->handshake_fragment_len > 0)) { 748 while ((len > 0) && (s->s3->handshake_fragment_len > 0)) {
749 *dst++ = *src++; 749 *dst++ = *src++;
750 len--; 750 len--;
751 S3I(s)->handshake_fragment_len--; 751 s->s3->handshake_fragment_len--;
752 n++; 752 n++;
753 } 753 }
754 /* move any remaining fragment bytes: */ 754 /* move any remaining fragment bytes: */
755 for (k = 0; k < S3I(s)->handshake_fragment_len; k++) 755 for (k = 0; k < s->s3->handshake_fragment_len; k++)
756 S3I(s)->handshake_fragment[k] = *src++; 756 s->s3->handshake_fragment[k] = *src++;
757 return n; 757 return n;
758 } 758 }
759 759
760 /* 760 /*
761 * Now S3I(s)->handshake_fragment_len == 0 if 761 * Now s->s3->handshake_fragment_len == 0 if
762 * type == SSL3_RT_HANDSHAKE. 762 * type == SSL3_RT_HANDSHAKE.
763 */ 763 */
764 if (!s->internal->in_handshake && SSL_in_init(s)) { 764 if (!s->internal->in_handshake && SSL_in_init(s)) {
@@ -789,12 +789,12 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
789 s->internal->rwstate = SSL_NOTHING; 789 s->internal->rwstate = SSL_NOTHING;
790 790
791 /* 791 /*
792 * S3I(s)->rrec.type - is the type of record 792 * s->s3->rrec.type - is the type of record
793 * S3I(s)->rrec.data, - data 793 * s->s3->rrec.data, - data
794 * S3I(s)->rrec.off, - offset into 'data' for next read 794 * s->s3->rrec.off, - offset into 'data' for next read
795 * S3I(s)->rrec.length, - number of bytes. 795 * s->s3->rrec.length, - number of bytes.
796 */ 796 */
797 rr = &(S3I(s)->rrec); 797 rr = &(s->s3->rrec);
798 798
799 /* get new packet if necessary */ 799 /* get new packet if necessary */
800 if ((rr->length == 0) || (s->internal->rstate == SSL_ST_READ_BODY)) { 800 if ((rr->length == 0) || (s->internal->rstate == SSL_ST_READ_BODY)) {
@@ -805,7 +805,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
805 805
806 /* we now have a packet which can be read and processed */ 806 /* we now have a packet which can be read and processed */
807 807
808 if (S3I(s)->change_cipher_spec /* set when we receive ChangeCipherSpec, 808 if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
809 * reset by ssl3_get_finished */ 809 * reset by ssl3_get_finished */
810 && (rr->type != SSL3_RT_HANDSHAKE)) { 810 && (rr->type != SSL3_RT_HANDSHAKE)) {
811 al = SSL_AD_UNEXPECTED_MESSAGE; 811 al = SSL_AD_UNEXPECTED_MESSAGE;
@@ -850,7 +850,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
850 s->internal->rstate = SSL_ST_READ_HEADER; 850 s->internal->rstate = SSL_ST_READ_HEADER;
851 rr->off = 0; 851 rr->off = 0;
852 if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS && 852 if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS &&
853 S3I(s)->rbuf.left == 0) 853 s->s3->rbuf.left == 0)
854 ssl3_release_read_buffer(s); 854 ssl3_release_read_buffer(s);
855 } 855 }
856 } 856 }
@@ -872,13 +872,13 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
872 unsigned int *dest_len = NULL; 872 unsigned int *dest_len = NULL;
873 873
874 if (rr->type == SSL3_RT_HANDSHAKE) { 874 if (rr->type == SSL3_RT_HANDSHAKE) {
875 dest_maxlen = sizeof S3I(s)->handshake_fragment; 875 dest_maxlen = sizeof s->s3->handshake_fragment;
876 dest = S3I(s)->handshake_fragment; 876 dest = s->s3->handshake_fragment;
877 dest_len = &S3I(s)->handshake_fragment_len; 877 dest_len = &s->s3->handshake_fragment_len;
878 } else if (rr->type == SSL3_RT_ALERT) { 878 } else if (rr->type == SSL3_RT_ALERT) {
879 dest_maxlen = sizeof S3I(s)->alert_fragment; 879 dest_maxlen = sizeof s->s3->alert_fragment;
880 dest = S3I(s)->alert_fragment; 880 dest = s->s3->alert_fragment;
881 dest_len = &S3I(s)->alert_fragment_len; 881 dest_len = &s->s3->alert_fragment_len;
882 } 882 }
883 if (dest_maxlen > 0) { 883 if (dest_maxlen > 0) {
884 /* available space in 'dest' */ 884 /* available space in 'dest' */
@@ -897,30 +897,30 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
897 } 897 }
898 } 898 }
899 899
900 /* S3I(s)->handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE; 900 /* s->s3->handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE;
901 * S3I(s)->alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT. 901 * s->s3->alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT.
902 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */ 902 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
903 903
904 /* If we are a client, check for an incoming 'Hello Request': */ 904 /* If we are a client, check for an incoming 'Hello Request': */
905 if ((!s->server) && (S3I(s)->handshake_fragment_len >= 4) && 905 if ((!s->server) && (s->s3->handshake_fragment_len >= 4) &&
906 (S3I(s)->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) && 906 (s->s3->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
907 (s->session != NULL) && (s->session->cipher != NULL)) { 907 (s->session != NULL) && (s->session->cipher != NULL)) {
908 S3I(s)->handshake_fragment_len = 0; 908 s->s3->handshake_fragment_len = 0;
909 909
910 if ((S3I(s)->handshake_fragment[1] != 0) || 910 if ((s->s3->handshake_fragment[1] != 0) ||
911 (S3I(s)->handshake_fragment[2] != 0) || 911 (s->s3->handshake_fragment[2] != 0) ||
912 (S3I(s)->handshake_fragment[3] != 0)) { 912 (s->s3->handshake_fragment[3] != 0)) {
913 al = SSL_AD_DECODE_ERROR; 913 al = SSL_AD_DECODE_ERROR;
914 SSLerror(s, SSL_R_BAD_HELLO_REQUEST); 914 SSLerror(s, SSL_R_BAD_HELLO_REQUEST);
915 goto fatal_err; 915 goto fatal_err;
916 } 916 }
917 917
918 ssl_msg_callback(s, 0, SSL3_RT_HANDSHAKE, 918 ssl_msg_callback(s, 0, SSL3_RT_HANDSHAKE,
919 S3I(s)->handshake_fragment, 4); 919 s->s3->handshake_fragment, 4);
920 920
921 if (SSL_is_init_finished(s) && 921 if (SSL_is_init_finished(s) &&
922 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && 922 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
923 !S3I(s)->renegotiate) { 923 !s->s3->renegotiate) {
924 ssl3_renegotiate(s); 924 ssl3_renegotiate(s);
925 if (ssl3_renegotiate_check(s)) { 925 if (ssl3_renegotiate_check(s)) {
926 i = s->internal->handshake_func(s); 926 i = s->internal->handshake_func(s);
@@ -932,7 +932,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
932 } 932 }
933 933
934 if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) { 934 if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) {
935 if (S3I(s)->rbuf.left == 0) { 935 if (s->s3->rbuf.left == 0) {
936 ssl_force_want_read(s); 936 ssl_force_want_read(s);
937 return (-1); 937 return (-1);
938 } 938 }
@@ -945,8 +945,8 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
945 } 945 }
946 /* Disallow client initiated renegotiation if configured. */ 946 /* Disallow client initiated renegotiation if configured. */
947 if (s->server && SSL_is_init_finished(s) && 947 if (s->server && SSL_is_init_finished(s) &&
948 S3I(s)->handshake_fragment_len >= 4 && 948 s->s3->handshake_fragment_len >= 4 &&
949 S3I(s)->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO && 949 s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO &&
950 (s->internal->options & SSL_OP_NO_CLIENT_RENEGOTIATION)) { 950 (s->internal->options & SSL_OP_NO_CLIENT_RENEGOTIATION)) {
951 al = SSL_AD_NO_RENEGOTIATION; 951 al = SSL_AD_NO_RENEGOTIATION;
952 goto fatal_err; 952 goto fatal_err;
@@ -957,29 +957,29 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
957 */ 957 */
958 if (s->server && 958 if (s->server &&
959 SSL_is_init_finished(s) && 959 SSL_is_init_finished(s) &&
960 !S3I(s)->send_connection_binding && 960 !s->s3->send_connection_binding &&
961 (S3I(s)->handshake_fragment_len >= 4) && 961 (s->s3->handshake_fragment_len >= 4) &&
962 (S3I(s)->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) && 962 (s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&
963 (s->session != NULL) && (s->session->cipher != NULL)) { 963 (s->session != NULL) && (s->session->cipher != NULL)) {
964 /*S3I(s)->handshake_fragment_len = 0;*/ 964 /*s->s3->handshake_fragment_len = 0;*/
965 rr->length = 0; 965 rr->length = 0;
966 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); 966 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
967 goto start; 967 goto start;
968 } 968 }
969 if (S3I(s)->alert_fragment_len >= 2) { 969 if (s->s3->alert_fragment_len >= 2) {
970 int alert_level = S3I(s)->alert_fragment[0]; 970 int alert_level = s->s3->alert_fragment[0];
971 int alert_descr = S3I(s)->alert_fragment[1]; 971 int alert_descr = s->s3->alert_fragment[1];
972 972
973 S3I(s)->alert_fragment_len = 0; 973 s->s3->alert_fragment_len = 0;
974 974
975 ssl_msg_callback(s, 0, SSL3_RT_ALERT, 975 ssl_msg_callback(s, 0, SSL3_RT_ALERT,
976 S3I(s)->alert_fragment, 2); 976 s->s3->alert_fragment, 2);
977 977
978 ssl_info_callback(s, SSL_CB_READ_ALERT, 978 ssl_info_callback(s, SSL_CB_READ_ALERT,
979 (alert_level << 8) | alert_descr); 979 (alert_level << 8) | alert_descr);
980 980
981 if (alert_level == SSL3_AL_WARNING) { 981 if (alert_level == SSL3_AL_WARNING) {
982 S3I(s)->warn_alert = alert_descr; 982 s->s3->warn_alert = alert_descr;
983 if (alert_descr == SSL_AD_CLOSE_NOTIFY) { 983 if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
984 s->internal->shutdown |= SSL_RECEIVED_SHUTDOWN; 984 s->internal->shutdown |= SSL_RECEIVED_SHUTDOWN;
985 return (0); 985 return (0);
@@ -1000,7 +1000,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1000 } 1000 }
1001 } else if (alert_level == SSL3_AL_FATAL) { 1001 } else if (alert_level == SSL3_AL_FATAL) {
1002 s->internal->rwstate = SSL_NOTHING; 1002 s->internal->rwstate = SSL_NOTHING;
1003 S3I(s)->fatal_alert = alert_descr; 1003 s->s3->fatal_alert = alert_descr;
1004 SSLerror(s, SSL_AD_REASON_OFFSET + alert_descr); 1004 SSLerror(s, SSL_AD_REASON_OFFSET + alert_descr);
1005 ERR_asprintf_error_data("SSL alert number %d", 1005 ERR_asprintf_error_data("SSL alert number %d",
1006 alert_descr); 1006 alert_descr);
@@ -1034,7 +1034,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1034 } 1034 }
1035 1035
1036 /* Check we have a cipher to change to */ 1036 /* Check we have a cipher to change to */
1037 if (S3I(s)->hs.cipher == NULL) { 1037 if (s->s3->hs.cipher == NULL) {
1038 al = SSL_AD_UNEXPECTED_MESSAGE; 1038 al = SSL_AD_UNEXPECTED_MESSAGE;
1039 SSLerror(s, SSL_R_CCS_RECEIVED_EARLY); 1039 SSLerror(s, SSL_R_CCS_RECEIVED_EARLY);
1040 goto fatal_err; 1040 goto fatal_err;
@@ -1052,7 +1052,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1052 1052
1053 ssl_msg_callback(s, 0, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1); 1053 ssl_msg_callback(s, 0, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1);
1054 1054
1055 S3I(s)->change_cipher_spec = 1; 1055 s->s3->change_cipher_spec = 1;
1056 if (!ssl3_do_change_cipher_spec(s)) 1056 if (!ssl3_do_change_cipher_spec(s))
1057 goto err; 1057 goto err;
1058 else 1058 else
@@ -1060,10 +1060,10 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1060 } 1060 }
1061 1061
1062 /* Unexpected handshake message (Client Hello, or protocol violation) */ 1062 /* Unexpected handshake message (Client Hello, or protocol violation) */
1063 if ((S3I(s)->handshake_fragment_len >= 4) && !s->internal->in_handshake) { 1063 if ((s->s3->handshake_fragment_len >= 4) && !s->internal->in_handshake) {
1064 if (((S3I(s)->hs.state&SSL_ST_MASK) == SSL_ST_OK) && 1064 if (((s->s3->hs.state&SSL_ST_MASK) == SSL_ST_OK) &&
1065 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) { 1065 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) {
1066 S3I(s)->hs.state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; 1066 s->s3->hs.state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
1067 s->internal->renegotiate = 1; 1067 s->internal->renegotiate = 1;
1068 s->internal->new_session = 1; 1068 s->internal->new_session = 1;
1069 } 1069 }
@@ -1076,7 +1076,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1076 } 1076 }
1077 1077
1078 if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) { 1078 if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) {
1079 if (S3I(s)->rbuf.left == 0) { 1079 if (s->s3->rbuf.left == 0) {
1080 ssl_force_want_read(s); 1080 ssl_force_want_read(s);
1081 return (-1); 1081 return (-1);
1082 } 1082 }
@@ -1115,15 +1115,15 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1115 * at this point (session renegotiation not yet started), 1115 * at this point (session renegotiation not yet started),
1116 * we will indulge it. 1116 * we will indulge it.
1117 */ 1117 */
1118 if (S3I(s)->in_read_app_data && 1118 if (s->s3->in_read_app_data &&
1119 (S3I(s)->total_renegotiations != 0) && 1119 (s->s3->total_renegotiations != 0) &&
1120 (((S3I(s)->hs.state & SSL_ST_CONNECT) && 1120 (((s->s3->hs.state & SSL_ST_CONNECT) &&
1121 (S3I(s)->hs.state >= SSL3_ST_CW_CLNT_HELLO_A) && 1121 (s->s3->hs.state >= SSL3_ST_CW_CLNT_HELLO_A) &&
1122 (S3I(s)->hs.state <= SSL3_ST_CR_SRVR_HELLO_A)) || 1122 (s->s3->hs.state <= SSL3_ST_CR_SRVR_HELLO_A)) ||
1123 ((S3I(s)->hs.state & SSL_ST_ACCEPT) && 1123 ((s->s3->hs.state & SSL_ST_ACCEPT) &&
1124 (S3I(s)->hs.state <= SSL3_ST_SW_HELLO_REQ_A) && 1124 (s->s3->hs.state <= SSL3_ST_SW_HELLO_REQ_A) &&
1125 (S3I(s)->hs.state >= SSL3_ST_SR_CLNT_HELLO_A)))) { 1125 (s->s3->hs.state >= SSL3_ST_SR_CLNT_HELLO_A)))) {
1126 S3I(s)->in_read_app_data = 2; 1126 s->s3->in_read_app_data = 2;
1127 return (-1); 1127 return (-1);
1128 } else { 1128 } else {
1129 al = SSL_AD_UNEXPECTED_MESSAGE; 1129 al = SSL_AD_UNEXPECTED_MESSAGE;
@@ -1142,14 +1142,14 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1142int 1142int
1143ssl3_do_change_cipher_spec(SSL *s) 1143ssl3_do_change_cipher_spec(SSL *s)
1144{ 1144{
1145 if (S3I(s)->hs.tls12.key_block == NULL) { 1145 if (s->s3->hs.tls12.key_block == NULL) {
1146 if (s->session == NULL || s->session->master_key_length == 0) { 1146 if (s->session == NULL || s->session->master_key_length == 0) {
1147 /* might happen if dtls1_read_bytes() calls this */ 1147 /* might happen if dtls1_read_bytes() calls this */
1148 SSLerror(s, SSL_R_CCS_RECEIVED_EARLY); 1148 SSLerror(s, SSL_R_CCS_RECEIVED_EARLY);
1149 return (0); 1149 return (0);
1150 } 1150 }
1151 1151
1152 s->session->cipher = S3I(s)->hs.cipher; 1152 s->session->cipher = s->s3->hs.cipher;
1153 if (!tls1_setup_key_block(s)) 1153 if (!tls1_setup_key_block(s))
1154 return (0); 1154 return (0);
1155 } 1155 }
@@ -1171,11 +1171,11 @@ static int
1171ssl3_write_alert(SSL *s) 1171ssl3_write_alert(SSL *s)
1172{ 1172{
1173 if (SSL_is_dtls(s)) 1173 if (SSL_is_dtls(s))
1174 return do_dtls1_write(s, SSL3_RT_ALERT, S3I(s)->send_alert, 1174 return do_dtls1_write(s, SSL3_RT_ALERT, s->s3->send_alert,
1175 sizeof(S3I(s)->send_alert)); 1175 sizeof(s->s3->send_alert));
1176 1176
1177 return do_ssl3_write(s, SSL3_RT_ALERT, S3I(s)->send_alert, 1177 return do_ssl3_write(s, SSL3_RT_ALERT, s->s3->send_alert,
1178 sizeof(S3I(s)->send_alert)); 1178 sizeof(s->s3->send_alert));
1179} 1179}
1180 1180
1181int 1181int
@@ -1185,15 +1185,15 @@ ssl3_send_alert(SSL *s, int level, int desc)
1185 if (level == SSL3_AL_FATAL) 1185 if (level == SSL3_AL_FATAL)
1186 SSL_CTX_remove_session(s->ctx, s->session); 1186 SSL_CTX_remove_session(s->ctx, s->session);
1187 1187
1188 S3I(s)->alert_dispatch = 1; 1188 s->s3->alert_dispatch = 1;
1189 S3I(s)->send_alert[0] = level; 1189 s->s3->send_alert[0] = level;
1190 S3I(s)->send_alert[1] = desc; 1190 s->s3->send_alert[1] = desc;
1191 1191
1192 /* 1192 /*
1193 * If data is still being written out, the alert will be dispatched at 1193 * If data is still being written out, the alert will be dispatched at
1194 * some point in the future. 1194 * some point in the future.
1195 */ 1195 */
1196 if (S3I(s)->wbuf.left != 0) 1196 if (s->s3->wbuf.left != 0)
1197 return -1; 1197 return -1;
1198 1198
1199 return ssl3_dispatch_alert(s); 1199 return ssl3_dispatch_alert(s);
@@ -1204,9 +1204,9 @@ ssl3_dispatch_alert(SSL *s)
1204{ 1204{
1205 int ret; 1205 int ret;
1206 1206
1207 S3I(s)->alert_dispatch = 0; 1207 s->s3->alert_dispatch = 0;
1208 if ((ret = ssl3_write_alert(s)) <= 0) { 1208 if ((ret = ssl3_write_alert(s)) <= 0) {
1209 S3I(s)->alert_dispatch = 1; 1209 s->s3->alert_dispatch = 1;
1210 return ret; 1210 return ret;
1211 } 1211 }
1212 1212
@@ -1215,13 +1215,13 @@ ssl3_dispatch_alert(SSL *s)
1215 * If the message does not get sent due to non-blocking IO, 1215 * If the message does not get sent due to non-blocking IO,
1216 * we will not worry too much. 1216 * we will not worry too much.
1217 */ 1217 */
1218 if (S3I(s)->send_alert[0] == SSL3_AL_FATAL) 1218 if (s->s3->send_alert[0] == SSL3_AL_FATAL)
1219 (void)BIO_flush(s->wbio); 1219 (void)BIO_flush(s->wbio);
1220 1220
1221 ssl_msg_callback(s, 1, SSL3_RT_ALERT, S3I(s)->send_alert, 2); 1221 ssl_msg_callback(s, 1, SSL3_RT_ALERT, s->s3->send_alert, 2);
1222 1222
1223 ssl_info_callback(s, SSL_CB_WRITE_ALERT, 1223 ssl_info_callback(s, SSL_CB_WRITE_ALERT,
1224 (S3I(s)->send_alert[0] << 8) | S3I(s)->send_alert[1]); 1224 (s->s3->send_alert[0] << 8) | s->s3->send_alert[1]);
1225 1225
1226 return ret; 1226 return ret;
1227} 1227}
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index fd96317fde..daf735a8ff 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_sigalgs.c,v 1.40 2022/01/20 20:37:33 tb Exp $ */ 1/* $OpenBSD: ssl_sigalgs.c,v 1.41 2022/02/05 14:54:10 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
4 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
@@ -209,7 +209,7 @@ ssl_sigalg_from_value(SSL *s, uint16_t value)
209 size_t len; 209 size_t len;
210 int i; 210 int i;
211 211
212 ssl_sigalgs_for_version(S3I(s)->hs.negotiated_tls_version, 212 ssl_sigalgs_for_version(s->s3->hs.negotiated_tls_version,
213 &values, &len); 213 &values, &len);
214 214
215 for (i = 0; i < len; i++) { 215 for (i = 0; i < len; i++) {
@@ -248,7 +248,7 @@ ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey)
248 /* Default signature algorithms used for TLSv1.2 and earlier. */ 248 /* Default signature algorithms used for TLSv1.2 and earlier. */
249 switch (EVP_PKEY_id(pkey)) { 249 switch (EVP_PKEY_id(pkey)) {
250 case EVP_PKEY_RSA: 250 case EVP_PKEY_RSA:
251 if (S3I(s)->hs.negotiated_tls_version < TLS1_2_VERSION) 251 if (s->s3->hs.negotiated_tls_version < TLS1_2_VERSION)
252 return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1); 252 return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
253 return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1); 253 return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
254 case EVP_PKEY_EC: 254 case EVP_PKEY_EC:
@@ -277,7 +277,7 @@ ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
277 return 0; 277 return 0;
278 } 278 }
279 279
280 if (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION) 280 if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
281 return 1; 281 return 1;
282 282
283 /* RSA cannot be used without PSS in TLSv1.3. */ 283 /* RSA cannot be used without PSS in TLSv1.3. */
@@ -309,14 +309,14 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
309 * RFC 5246 allows a TLS 1.2 client to send no sigalgs extension, 309 * RFC 5246 allows a TLS 1.2 client to send no sigalgs extension,
310 * in which case the server must use the default. 310 * in which case the server must use the default.
311 */ 311 */
312 if (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION && 312 if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION &&
313 S3I(s)->hs.sigalgs == NULL) 313 s->s3->hs.sigalgs == NULL)
314 return ssl_sigalg_for_legacy(s, pkey); 314 return ssl_sigalg_for_legacy(s, pkey);
315 315
316 /* 316 /*
317 * If we get here, we have client or server sent sigalgs, use one. 317 * If we get here, we have client or server sent sigalgs, use one.
318 */ 318 */
319 CBS_init(&cbs, S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len); 319 CBS_init(&cbs, s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
320 while (CBS_len(&cbs) > 0) { 320 while (CBS_len(&cbs) > 0) {
321 const struct ssl_sigalg *sigalg; 321 const struct ssl_sigalg *sigalg;
322 uint16_t sigalg_value; 322 uint16_t sigalg_value;
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 30545320b3..359395051a 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_srvr.c,v 1.140 2022/01/11 19:03:15 jsing Exp $ */ 1/* $OpenBSD: ssl_srvr.c,v 1.141 2022/02/05 14:54:10 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -194,12 +194,12 @@ ssl3_accept(SSL *s)
194 s->d1->listen = listen; 194 s->d1->listen = listen;
195 195
196 for (;;) { 196 for (;;) {
197 state = S3I(s)->hs.state; 197 state = s->s3->hs.state;
198 198
199 switch (S3I(s)->hs.state) { 199 switch (s->s3->hs.state) {
200 case SSL_ST_RENEGOTIATE: 200 case SSL_ST_RENEGOTIATE:
201 s->internal->renegotiate = 1; 201 s->internal->renegotiate = 1;
202 /* S3I(s)->hs.state=SSL_ST_ACCEPT; */ 202 /* s->s3->hs.state=SSL_ST_ACCEPT; */
203 203
204 case SSL_ST_BEFORE: 204 case SSL_ST_BEFORE:
205 case SSL_ST_ACCEPT: 205 case SSL_ST_ACCEPT:
@@ -216,8 +216,8 @@ ssl3_accept(SSL *s)
216 } 216 }
217 217
218 if (!ssl_supported_tls_version_range(s, 218 if (!ssl_supported_tls_version_range(s,
219 &S3I(s)->hs.our_min_tls_version, 219 &s->s3->hs.our_min_tls_version,
220 &S3I(s)->hs.our_max_tls_version)) { 220 &s->s3->hs.our_max_tls_version)) {
221 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 221 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
222 ret = -1; 222 ret = -1;
223 goto end; 223 goto end;
@@ -234,7 +234,7 @@ ssl3_accept(SSL *s)
234 234
235 s->internal->init_num = 0; 235 s->internal->init_num = 0;
236 236
237 if (S3I(s)->hs.state != SSL_ST_RENEGOTIATE) { 237 if (s->s3->hs.state != SSL_ST_RENEGOTIATE) {
238 /* 238 /*
239 * Ok, we now need to push on a buffering BIO 239 * Ok, we now need to push on a buffering BIO
240 * so that the output is sent in a way that 240 * so that the output is sent in a way that
@@ -250,9 +250,9 @@ ssl3_accept(SSL *s)
250 goto end; 250 goto end;
251 } 251 }
252 252
253 S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A; 253 s->s3->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
254 s->ctx->internal->stats.sess_accept++; 254 s->ctx->internal->stats.sess_accept++;
255 } else if (!SSL_is_dtls(s) && !S3I(s)->send_connection_binding) { 255 } else if (!SSL_is_dtls(s) && !s->s3->send_connection_binding) {
256 /* 256 /*
257 * Server attempting to renegotiate with 257 * Server attempting to renegotiate with
258 * client that doesn't support secure 258 * client that doesn't support secure
@@ -265,11 +265,11 @@ ssl3_accept(SSL *s)
265 goto end; 265 goto end;
266 } else { 266 } else {
267 /* 267 /*
268 * S3I(s)->hs.state == SSL_ST_RENEGOTIATE, 268 * s->s3->hs.state == SSL_ST_RENEGOTIATE,
269 * we will just send a HelloRequest. 269 * we will just send a HelloRequest.
270 */ 270 */
271 s->ctx->internal->stats.sess_accept_renegotiate++; 271 s->ctx->internal->stats.sess_accept_renegotiate++;
272 S3I(s)->hs.state = SSL3_ST_SW_HELLO_REQ_A; 272 s->s3->hs.state = SSL3_ST_SW_HELLO_REQ_A;
273 } 273 }
274 break; 274 break;
275 275
@@ -284,10 +284,10 @@ ssl3_accept(SSL *s)
284 if (ret <= 0) 284 if (ret <= 0)
285 goto end; 285 goto end;
286 if (SSL_is_dtls(s)) 286 if (SSL_is_dtls(s))
287 S3I(s)->hs.tls12.next_state = SSL3_ST_SR_CLNT_HELLO_A; 287 s->s3->hs.tls12.next_state = SSL3_ST_SR_CLNT_HELLO_A;
288 else 288 else
289 S3I(s)->hs.tls12.next_state = SSL3_ST_SW_HELLO_REQ_C; 289 s->s3->hs.tls12.next_state = SSL3_ST_SW_HELLO_REQ_C;
290 S3I(s)->hs.state = SSL3_ST_SW_FLUSH; 290 s->s3->hs.state = SSL3_ST_SW_FLUSH;
291 s->internal->init_num = 0; 291 s->internal->init_num = 0;
292 292
293 if (SSL_is_dtls(s)) { 293 if (SSL_is_dtls(s)) {
@@ -299,7 +299,7 @@ ssl3_accept(SSL *s)
299 break; 299 break;
300 300
301 case SSL3_ST_SW_HELLO_REQ_C: 301 case SSL3_ST_SW_HELLO_REQ_C:
302 S3I(s)->hs.state = SSL_ST_OK; 302 s->s3->hs.state = SSL_ST_OK;
303 break; 303 break;
304 304
305 case SSL3_ST_SR_CLNT_HELLO_A: 305 case SSL3_ST_SR_CLNT_HELLO_A:
@@ -314,9 +314,9 @@ ssl3_accept(SSL *s)
314 314
315 if (ret == 1 && 315 if (ret == 1 &&
316 (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) 316 (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
317 S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A; 317 s->s3->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
318 else 318 else
319 S3I(s)->hs.state = SSL3_ST_SW_SRVR_HELLO_A; 319 s->s3->hs.state = SSL3_ST_SW_SRVR_HELLO_A;
320 320
321 s->internal->init_num = 0; 321 s->internal->init_num = 0;
322 322
@@ -330,7 +330,7 @@ ssl3_accept(SSL *s)
330 } 330 }
331 331
332 /* If we're just listening, stop here */ 332 /* If we're just listening, stop here */
333 if (listen && S3I(s)->hs.state == SSL3_ST_SW_SRVR_HELLO_A) { 333 if (listen && s->s3->hs.state == SSL3_ST_SW_SRVR_HELLO_A) {
334 ret = 2; 334 ret = 2;
335 s->d1->listen = 0; 335 s->d1->listen = 0;
336 /* 336 /*
@@ -350,7 +350,7 @@ ssl3_accept(SSL *s)
350 } 350 }
351 351
352 s->internal->renegotiate = 2; 352 s->internal->renegotiate = 2;
353 S3I(s)->hs.state = SSL3_ST_SW_SRVR_HELLO_A; 353 s->s3->hs.state = SSL3_ST_SW_SRVR_HELLO_A;
354 s->internal->init_num = 0; 354 s->internal->init_num = 0;
355 } 355 }
356 break; 356 break;
@@ -360,8 +360,8 @@ ssl3_accept(SSL *s)
360 ret = ssl3_send_dtls_hello_verify_request(s); 360 ret = ssl3_send_dtls_hello_verify_request(s);
361 if (ret <= 0) 361 if (ret <= 0)
362 goto end; 362 goto end;
363 S3I(s)->hs.state = SSL3_ST_SW_FLUSH; 363 s->s3->hs.state = SSL3_ST_SW_FLUSH;
364 S3I(s)->hs.tls12.next_state = SSL3_ST_SR_CLNT_HELLO_A; 364 s->s3->hs.tls12.next_state = SSL3_ST_SR_CLNT_HELLO_A;
365 365
366 /* HelloVerifyRequest resets Finished MAC. */ 366 /* HelloVerifyRequest resets Finished MAC. */
367 tls1_transcript_reset(s); 367 tls1_transcript_reset(s);
@@ -378,11 +378,11 @@ ssl3_accept(SSL *s)
378 goto end; 378 goto end;
379 if (s->internal->hit) { 379 if (s->internal->hit) {
380 if (s->internal->tlsext_ticket_expected) 380 if (s->internal->tlsext_ticket_expected)
381 S3I(s)->hs.state = SSL3_ST_SW_SESSION_TICKET_A; 381 s->s3->hs.state = SSL3_ST_SW_SESSION_TICKET_A;
382 else 382 else
383 S3I(s)->hs.state = SSL3_ST_SW_CHANGE_A; 383 s->s3->hs.state = SSL3_ST_SW_CHANGE_A;
384 } else { 384 } else {
385 S3I(s)->hs.state = SSL3_ST_SW_CERT_A; 385 s->s3->hs.state = SSL3_ST_SW_CERT_A;
386 } 386 }
387 s->internal->init_num = 0; 387 s->internal->init_num = 0;
388 break; 388 break;
@@ -390,7 +390,7 @@ ssl3_accept(SSL *s)
390 case SSL3_ST_SW_CERT_A: 390 case SSL3_ST_SW_CERT_A:
391 case SSL3_ST_SW_CERT_B: 391 case SSL3_ST_SW_CERT_B:
392 /* Check if it is anon DH or anon ECDH. */ 392 /* Check if it is anon DH or anon ECDH. */
393 if (!(S3I(s)->hs.cipher->algorithm_auth & 393 if (!(s->s3->hs.cipher->algorithm_auth &
394 SSL_aNULL)) { 394 SSL_aNULL)) {
395 if (SSL_is_dtls(s)) 395 if (SSL_is_dtls(s))
396 dtls1_start_timer(s); 396 dtls1_start_timer(s);
@@ -398,19 +398,19 @@ ssl3_accept(SSL *s)
398 if (ret <= 0) 398 if (ret <= 0)
399 goto end; 399 goto end;
400 if (s->internal->tlsext_status_expected) 400 if (s->internal->tlsext_status_expected)
401 S3I(s)->hs.state = SSL3_ST_SW_CERT_STATUS_A; 401 s->s3->hs.state = SSL3_ST_SW_CERT_STATUS_A;
402 else 402 else
403 S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_A; 403 s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A;
404 } else { 404 } else {
405 skip = 1; 405 skip = 1;
406 S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_A; 406 s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A;
407 } 407 }
408 s->internal->init_num = 0; 408 s->internal->init_num = 0;
409 break; 409 break;
410 410
411 case SSL3_ST_SW_KEY_EXCH_A: 411 case SSL3_ST_SW_KEY_EXCH_A:
412 case SSL3_ST_SW_KEY_EXCH_B: 412 case SSL3_ST_SW_KEY_EXCH_B:
413 alg_k = S3I(s)->hs.cipher->algorithm_mkey; 413 alg_k = s->s3->hs.cipher->algorithm_mkey;
414 414
415 /* 415 /*
416 * Only send if using a DH key exchange. 416 * Only send if using a DH key exchange.
@@ -429,7 +429,7 @@ ssl3_accept(SSL *s)
429 } else 429 } else
430 skip = 1; 430 skip = 1;
431 431
432 S3I(s)->hs.state = SSL3_ST_SW_CERT_REQ_A; 432 s->s3->hs.state = SSL3_ST_SW_CERT_REQ_A;
433 s->internal->init_num = 0; 433 s->internal->init_num = 0;
434 break; 434 break;
435 435
@@ -455,24 +455,24 @@ ssl3_accept(SSL *s)
455 if (!(s->verify_mode & SSL_VERIFY_PEER) || 455 if (!(s->verify_mode & SSL_VERIFY_PEER) ||
456 ((s->session->peer_cert != NULL) && 456 ((s->session->peer_cert != NULL) &&
457 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 457 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
458 ((S3I(s)->hs.cipher->algorithm_auth & 458 ((s->s3->hs.cipher->algorithm_auth &
459 SSL_aNULL) && !(s->verify_mode & 459 SSL_aNULL) && !(s->verify_mode &
460 SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) { 460 SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
461 /* No cert request. */ 461 /* No cert request. */
462 skip = 1; 462 skip = 1;
463 S3I(s)->hs.tls12.cert_request = 0; 463 s->s3->hs.tls12.cert_request = 0;
464 S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A; 464 s->s3->hs.state = SSL3_ST_SW_SRVR_DONE_A;
465 465
466 if (!SSL_is_dtls(s)) 466 if (!SSL_is_dtls(s))
467 tls1_transcript_free(s); 467 tls1_transcript_free(s);
468 } else { 468 } else {
469 S3I(s)->hs.tls12.cert_request = 1; 469 s->s3->hs.tls12.cert_request = 1;
470 if (SSL_is_dtls(s)) 470 if (SSL_is_dtls(s))
471 dtls1_start_timer(s); 471 dtls1_start_timer(s);
472 ret = ssl3_send_certificate_request(s); 472 ret = ssl3_send_certificate_request(s);
473 if (ret <= 0) 473 if (ret <= 0)
474 goto end; 474 goto end;
475 S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A; 475 s->s3->hs.state = SSL3_ST_SW_SRVR_DONE_A;
476 s->internal->init_num = 0; 476 s->internal->init_num = 0;
477 } 477 }
478 break; 478 break;
@@ -484,8 +484,8 @@ ssl3_accept(SSL *s)
484 ret = ssl3_send_server_done(s); 484 ret = ssl3_send_server_done(s);
485 if (ret <= 0) 485 if (ret <= 0)
486 goto end; 486 goto end;
487 S3I(s)->hs.tls12.next_state = SSL3_ST_SR_CERT_A; 487 s->s3->hs.tls12.next_state = SSL3_ST_SR_CERT_A;
488 S3I(s)->hs.state = SSL3_ST_SW_FLUSH; 488 s->s3->hs.state = SSL3_ST_SW_FLUSH;
489 s->internal->init_num = 0; 489 s->internal->init_num = 0;
490 break; 490 break;
491 491
@@ -506,25 +506,25 @@ ssl3_accept(SSL *s)
506 /* If the write error was fatal, stop trying. */ 506 /* If the write error was fatal, stop trying. */
507 if (!BIO_should_retry(s->wbio)) { 507 if (!BIO_should_retry(s->wbio)) {
508 s->internal->rwstate = SSL_NOTHING; 508 s->internal->rwstate = SSL_NOTHING;
509 S3I(s)->hs.state = S3I(s)->hs.tls12.next_state; 509 s->s3->hs.state = s->s3->hs.tls12.next_state;
510 } 510 }
511 } 511 }
512 ret = -1; 512 ret = -1;
513 goto end; 513 goto end;
514 } 514 }
515 s->internal->rwstate = SSL_NOTHING; 515 s->internal->rwstate = SSL_NOTHING;
516 S3I(s)->hs.state = S3I(s)->hs.tls12.next_state; 516 s->s3->hs.state = s->s3->hs.tls12.next_state;
517 break; 517 break;
518 518
519 case SSL3_ST_SR_CERT_A: 519 case SSL3_ST_SR_CERT_A:
520 case SSL3_ST_SR_CERT_B: 520 case SSL3_ST_SR_CERT_B:
521 if (S3I(s)->hs.tls12.cert_request) { 521 if (s->s3->hs.tls12.cert_request) {
522 ret = ssl3_get_client_certificate(s); 522 ret = ssl3_get_client_certificate(s);
523 if (ret <= 0) 523 if (ret <= 0)
524 goto end; 524 goto end;
525 } 525 }
526 s->internal->init_num = 0; 526 s->internal->init_num = 0;
527 S3I(s)->hs.state = SSL3_ST_SR_KEY_EXCH_A; 527 s->s3->hs.state = SSL3_ST_SR_KEY_EXCH_A;
528 break; 528 break;
529 529
530 case SSL3_ST_SR_KEY_EXCH_A: 530 case SSL3_ST_SR_KEY_EXCH_A:
@@ -534,21 +534,21 @@ ssl3_accept(SSL *s)
534 goto end; 534 goto end;
535 535
536 if (SSL_is_dtls(s)) { 536 if (SSL_is_dtls(s)) {
537 S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A; 537 s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A;
538 s->internal->init_num = 0; 538 s->internal->init_num = 0;
539 } 539 }
540 540
541 alg_k = S3I(s)->hs.cipher->algorithm_mkey; 541 alg_k = s->s3->hs.cipher->algorithm_mkey;
542 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { 542 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
543 /* 543 /*
544 * A GOST client may use the key from its 544 * A GOST client may use the key from its
545 * certificate for key exchange, in which case 545 * certificate for key exchange, in which case
546 * the CertificateVerify message is not sent. 546 * the CertificateVerify message is not sent.
547 */ 547 */
548 S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A; 548 s->s3->hs.state = SSL3_ST_SR_FINISHED_A;
549 s->internal->init_num = 0; 549 s->internal->init_num = 0;
550 } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) { 550 } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) {
551 S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A; 551 s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A;
552 s->internal->init_num = 0; 552 s->internal->init_num = 0;
553 if (!s->session->peer_cert) 553 if (!s->session->peer_cert)
554 break; 554 break;
@@ -558,7 +558,7 @@ ssl3_accept(SSL *s)
558 */ 558 */
559 tls1_transcript_freeze(s); 559 tls1_transcript_freeze(s);
560 } else { 560 } else {
561 S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A; 561 s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A;
562 s->internal->init_num = 0; 562 s->internal->init_num = 0;
563 563
564 tls1_transcript_free(s); 564 tls1_transcript_free(s);
@@ -568,8 +568,8 @@ ssl3_accept(SSL *s)
568 * a client cert, it can be verified. 568 * a client cert, it can be verified.
569 */ 569 */
570 if (!tls1_transcript_hash_value(s, 570 if (!tls1_transcript_hash_value(s,
571 S3I(s)->hs.tls12.cert_verify, 571 s->s3->hs.tls12.cert_verify,
572 sizeof(S3I(s)->hs.tls12.cert_verify), 572 sizeof(s->s3->hs.tls12.cert_verify),
573 NULL)) { 573 NULL)) {
574 ret = -1; 574 ret = -1;
575 goto end; 575 goto end;
@@ -588,7 +588,7 @@ ssl3_accept(SSL *s)
588 ret = ssl3_get_cert_verify(s); 588 ret = ssl3_get_cert_verify(s);
589 if (ret <= 0) 589 if (ret <= 0)
590 goto end; 590 goto end;
591 S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A; 591 s->s3->hs.state = SSL3_ST_SR_FINISHED_A;
592 s->internal->init_num = 0; 592 s->internal->init_num = 0;
593 break; 593 break;
594 594
@@ -605,11 +605,11 @@ ssl3_accept(SSL *s)
605 if (SSL_is_dtls(s)) 605 if (SSL_is_dtls(s))
606 dtls1_stop_timer(s); 606 dtls1_stop_timer(s);
607 if (s->internal->hit) 607 if (s->internal->hit)
608 S3I(s)->hs.state = SSL_ST_OK; 608 s->s3->hs.state = SSL_ST_OK;
609 else if (s->internal->tlsext_ticket_expected) 609 else if (s->internal->tlsext_ticket_expected)
610 S3I(s)->hs.state = SSL3_ST_SW_SESSION_TICKET_A; 610 s->s3->hs.state = SSL3_ST_SW_SESSION_TICKET_A;
611 else 611 else
612 S3I(s)->hs.state = SSL3_ST_SW_CHANGE_A; 612 s->s3->hs.state = SSL3_ST_SW_CHANGE_A;
613 s->internal->init_num = 0; 613 s->internal->init_num = 0;
614 break; 614 break;
615 615
@@ -618,7 +618,7 @@ ssl3_accept(SSL *s)
618 ret = ssl3_send_newsession_ticket(s); 618 ret = ssl3_send_newsession_ticket(s);
619 if (ret <= 0) 619 if (ret <= 0)
620 goto end; 620 goto end;
621 S3I(s)->hs.state = SSL3_ST_SW_CHANGE_A; 621 s->s3->hs.state = SSL3_ST_SW_CHANGE_A;
622 s->internal->init_num = 0; 622 s->internal->init_num = 0;
623 break; 623 break;
624 624
@@ -627,7 +627,7 @@ ssl3_accept(SSL *s)
627 ret = ssl3_send_cert_status(s); 627 ret = ssl3_send_cert_status(s);
628 if (ret <= 0) 628 if (ret <= 0)
629 goto end; 629 goto end;
630 S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_A; 630 s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A;
631 s->internal->init_num = 0; 631 s->internal->init_num = 0;
632 break; 632 break;
633 633
@@ -637,9 +637,9 @@ ssl3_accept(SSL *s)
637 SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B); 637 SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B);
638 if (ret <= 0) 638 if (ret <= 0)
639 goto end; 639 goto end;
640 S3I(s)->hs.state = SSL3_ST_SW_FINISHED_A; 640 s->s3->hs.state = SSL3_ST_SW_FINISHED_A;
641 s->internal->init_num = 0; 641 s->internal->init_num = 0;
642 s->session->cipher = S3I(s)->hs.cipher; 642 s->session->cipher = s->s3->hs.cipher;
643 643
644 if (!tls1_setup_key_block(s)) { 644 if (!tls1_setup_key_block(s)) {
645 ret = -1; 645 ret = -1;
@@ -657,12 +657,12 @@ ssl3_accept(SSL *s)
657 SSL3_ST_SW_FINISHED_B); 657 SSL3_ST_SW_FINISHED_B);
658 if (ret <= 0) 658 if (ret <= 0)
659 goto end; 659 goto end;
660 S3I(s)->hs.state = SSL3_ST_SW_FLUSH; 660 s->s3->hs.state = SSL3_ST_SW_FLUSH;
661 if (s->internal->hit) { 661 if (s->internal->hit) {
662 S3I(s)->hs.tls12.next_state = SSL3_ST_SR_FINISHED_A; 662 s->s3->hs.tls12.next_state = SSL3_ST_SR_FINISHED_A;
663 tls1_transcript_free(s); 663 tls1_transcript_free(s);
664 } else 664 } else
665 S3I(s)->hs.tls12.next_state = SSL_ST_OK; 665 s->s3->hs.tls12.next_state = SSL_ST_OK;
666 s->internal->init_num = 0; 666 s->internal->init_num = 0;
667 break; 667 break;
668 668
@@ -670,7 +670,7 @@ ssl3_accept(SSL *s)
670 /* clean a few things up */ 670 /* clean a few things up */
671 tls1_cleanup_key_block(s); 671 tls1_cleanup_key_block(s);
672 672
673 if (S3I(s)->handshake_transcript != NULL) { 673 if (s->s3->handshake_transcript != NULL) {
674 SSLerror(s, ERR_R_INTERNAL_ERROR); 674 SSLerror(s, ERR_R_INTERNAL_ERROR);
675 ret = -1; 675 ret = -1;
676 goto end; 676 goto end;
@@ -717,18 +717,18 @@ ssl3_accept(SSL *s)
717 /* break; */ 717 /* break; */
718 } 718 }
719 719
720 if (!S3I(s)->hs.tls12.reuse_message && !skip) { 720 if (!s->s3->hs.tls12.reuse_message && !skip) {
721 if (s->internal->debug) { 721 if (s->internal->debug) {
722 if ((ret = BIO_flush(s->wbio)) <= 0) 722 if ((ret = BIO_flush(s->wbio)) <= 0)
723 goto end; 723 goto end;
724 } 724 }
725 725
726 726
727 if (S3I(s)->hs.state != state) { 727 if (s->s3->hs.state != state) {
728 new_state = S3I(s)->hs.state; 728 new_state = s->s3->hs.state;
729 S3I(s)->hs.state = state; 729 s->s3->hs.state = state;
730 ssl_info_callback(s, SSL_CB_ACCEPT_LOOP, 1); 730 ssl_info_callback(s, SSL_CB_ACCEPT_LOOP, 1);
731 S3I(s)->hs.state = new_state; 731 s->s3->hs.state = new_state;
732 } 732 }
733 } 733 }
734 skip = 0; 734 skip = 0;
@@ -748,14 +748,14 @@ ssl3_send_hello_request(SSL *s)
748 748
749 memset(&cbb, 0, sizeof(cbb)); 749 memset(&cbb, 0, sizeof(cbb));
750 750
751 if (S3I(s)->hs.state == SSL3_ST_SW_HELLO_REQ_A) { 751 if (s->s3->hs.state == SSL3_ST_SW_HELLO_REQ_A) {
752 if (!ssl3_handshake_msg_start(s, &cbb, &hello, 752 if (!ssl3_handshake_msg_start(s, &cbb, &hello,
753 SSL3_MT_HELLO_REQUEST)) 753 SSL3_MT_HELLO_REQUEST))
754 goto err; 754 goto err;
755 if (!ssl3_handshake_msg_finish(s, &cbb)) 755 if (!ssl3_handshake_msg_finish(s, &cbb))
756 goto err; 756 goto err;
757 757
758 S3I(s)->hs.state = SSL3_ST_SW_HELLO_REQ_B; 758 s->s3->hs.state = SSL3_ST_SW_HELLO_REQ_B;
759 } 759 }
760 760
761 /* SSL3_ST_SW_HELLO_REQ_B */ 761 /* SSL3_ST_SW_HELLO_REQ_B */
@@ -790,8 +790,8 @@ ssl3_get_client_hello(SSL *s)
790 * If we are SSLv3, we will respond with SSLv3, even if prompted with 790 * If we are SSLv3, we will respond with SSLv3, even if prompted with
791 * TLSv1. 791 * TLSv1.
792 */ 792 */
793 if (S3I(s)->hs.state == SSL3_ST_SR_CLNT_HELLO_A) 793 if (s->s3->hs.state == SSL3_ST_SR_CLNT_HELLO_A)
794 S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_B; 794 s->s3->hs.state = SSL3_ST_SR_CLNT_HELLO_B;
795 795
796 s->internal->first_packet = 1; 796 s->internal->first_packet = 1;
797 if ((ret = ssl3_get_message(s, SSL3_ST_SR_CLNT_HELLO_B, 797 if ((ret = ssl3_get_message(s, SSL3_ST_SR_CLNT_HELLO_B,
@@ -845,11 +845,11 @@ ssl3_get_client_hello(SSL *s)
845 al = SSL_AD_PROTOCOL_VERSION; 845 al = SSL_AD_PROTOCOL_VERSION;
846 goto fatal_err; 846 goto fatal_err;
847 } 847 }
848 S3I(s)->hs.peer_legacy_version = client_version; 848 s->s3->hs.peer_legacy_version = client_version;
849 s->version = shared_version; 849 s->version = shared_version;
850 850
851 S3I(s)->hs.negotiated_tls_version = ssl_tls_version(shared_version); 851 s->s3->hs.negotiated_tls_version = ssl_tls_version(shared_version);
852 if (S3I(s)->hs.negotiated_tls_version == 0) { 852 if (s->s3->hs.negotiated_tls_version == 0) {
853 SSLerror(s, ERR_R_INTERNAL_ERROR); 853 SSLerror(s, ERR_R_INTERNAL_ERROR);
854 goto err; 854 goto err;
855 } 855 }
@@ -1015,7 +1015,7 @@ ssl3_get_client_hello(SSL *s)
1015 if (CBS_len(&cbs) != 0) 1015 if (CBS_len(&cbs) != 0)
1016 goto decode_err; 1016 goto decode_err;
1017 1017
1018 if (!S3I(s)->renegotiate_seen && s->internal->renegotiate) { 1018 if (!s->s3->renegotiate_seen && s->internal->renegotiate) {
1019 al = SSL_AD_HANDSHAKE_FAILURE; 1019 al = SSL_AD_HANDSHAKE_FAILURE;
1020 SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1020 SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1021 goto fatal_err; 1021 goto fatal_err;
@@ -1034,8 +1034,8 @@ ssl3_get_client_hello(SSL *s)
1034 */ 1034 */
1035 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); 1035 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
1036 1036
1037 if (S3I(s)->hs.our_max_tls_version >= TLS1_2_VERSION && 1037 if (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION &&
1038 S3I(s)->hs.negotiated_tls_version < S3I(s)->hs.our_max_tls_version) { 1038 s->s3->hs.negotiated_tls_version < s->s3->hs.our_max_tls_version) {
1039 /* 1039 /*
1040 * RFC 8446 section 4.1.3. If we are downgrading from TLS 1.3 1040 * RFC 8446 section 4.1.3. If we are downgrading from TLS 1.3
1041 * we must set the last 8 bytes of the server random to magical 1041 * we must set the last 8 bytes of the server random to magical
@@ -1044,7 +1044,7 @@ ssl3_get_client_hello(SSL *s)
1044 */ 1044 */
1045 size_t index = SSL3_RANDOM_SIZE - sizeof(tls13_downgrade_12); 1045 size_t index = SSL3_RANDOM_SIZE - sizeof(tls13_downgrade_12);
1046 uint8_t *magic = &s->s3->server_random[index]; 1046 uint8_t *magic = &s->s3->server_random[index];
1047 if (S3I(s)->hs.negotiated_tls_version == TLS1_2_VERSION) { 1047 if (s->s3->hs.negotiated_tls_version == TLS1_2_VERSION) {
1048 /* Indicate we chose to downgrade to 1.2. */ 1048 /* Indicate we chose to downgrade to 1.2. */
1049 memcpy(magic, tls13_downgrade_12, 1049 memcpy(magic, tls13_downgrade_12,
1050 sizeof(tls13_downgrade_12)); 1050 sizeof(tls13_downgrade_12));
@@ -1107,15 +1107,15 @@ ssl3_get_client_hello(SSL *s)
1107 SSLerror(s, SSL_R_NO_SHARED_CIPHER); 1107 SSLerror(s, SSL_R_NO_SHARED_CIPHER);
1108 goto fatal_err; 1108 goto fatal_err;
1109 } 1109 }
1110 S3I(s)->hs.cipher = c; 1110 s->s3->hs.cipher = c;
1111 } else { 1111 } else {
1112 S3I(s)->hs.cipher = s->session->cipher; 1112 s->s3->hs.cipher = s->session->cipher;
1113 } 1113 }
1114 1114
1115 if (!tls1_transcript_hash_init(s)) 1115 if (!tls1_transcript_hash_init(s))
1116 goto err; 1116 goto err;
1117 1117
1118 alg_k = S3I(s)->hs.cipher->algorithm_mkey; 1118 alg_k = s->s3->hs.cipher->algorithm_mkey;
1119 if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) || 1119 if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) ||
1120 !(s->verify_mode & SSL_VERIFY_PEER)) 1120 !(s->verify_mode & SSL_VERIFY_PEER))
1121 tls1_transcript_free(s); 1121 tls1_transcript_free(s);
@@ -1160,7 +1160,7 @@ ssl3_send_dtls_hello_verify_request(SSL *s)
1160 1160
1161 memset(&cbb, 0, sizeof(cbb)); 1161 memset(&cbb, 0, sizeof(cbb));
1162 1162
1163 if (S3I(s)->hs.state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) { 1163 if (s->s3->hs.state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) {
1164 if (s->ctx->internal->app_gen_cookie_cb == NULL || 1164 if (s->ctx->internal->app_gen_cookie_cb == NULL ||
1165 s->ctx->internal->app_gen_cookie_cb(s, s->d1->cookie, 1165 s->ctx->internal->app_gen_cookie_cb(s, s->d1->cookie,
1166 &(s->d1->cookie_len)) == 0) { 1166 &(s->d1->cookie_len)) == 0) {
@@ -1185,10 +1185,10 @@ ssl3_send_dtls_hello_verify_request(SSL *s)
1185 if (!ssl3_handshake_msg_finish(s, &cbb)) 1185 if (!ssl3_handshake_msg_finish(s, &cbb))
1186 goto err; 1186 goto err;
1187 1187
1188 S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B; 1188 s->s3->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;
1189 } 1189 }
1190 1190
1191 /* S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */ 1191 /* s->s3->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
1192 return (ssl3_handshake_write(s)); 1192 return (ssl3_handshake_write(s));
1193 1193
1194 err: 1194 err:
@@ -1205,7 +1205,7 @@ ssl3_send_server_hello(SSL *s)
1205 1205
1206 memset(&cbb, 0, sizeof(cbb)); 1206 memset(&cbb, 0, sizeof(cbb));
1207 1207
1208 if (S3I(s)->hs.state == SSL3_ST_SW_SRVR_HELLO_A) { 1208 if (s->s3->hs.state == SSL3_ST_SW_SRVR_HELLO_A) {
1209 if (!ssl3_handshake_msg_start(s, &cbb, &server_hello, 1209 if (!ssl3_handshake_msg_start(s, &cbb, &server_hello,
1210 SSL3_MT_SERVER_HELLO)) 1210 SSL3_MT_SERVER_HELLO))
1211 goto err; 1211 goto err;
@@ -1250,7 +1250,7 @@ ssl3_send_server_hello(SSL *s)
1250 1250
1251 /* Cipher suite. */ 1251 /* Cipher suite. */
1252 if (!CBB_add_u16(&server_hello, 1252 if (!CBB_add_u16(&server_hello,
1253 ssl3_cipher_get_value(S3I(s)->hs.cipher))) 1253 ssl3_cipher_get_value(s->s3->hs.cipher)))
1254 goto err; 1254 goto err;
1255 1255
1256 /* Compression method (null). */ 1256 /* Compression method (null). */
@@ -1283,14 +1283,14 @@ ssl3_send_server_done(SSL *s)
1283 1283
1284 memset(&cbb, 0, sizeof(cbb)); 1284 memset(&cbb, 0, sizeof(cbb));
1285 1285
1286 if (S3I(s)->hs.state == SSL3_ST_SW_SRVR_DONE_A) { 1286 if (s->s3->hs.state == SSL3_ST_SW_SRVR_DONE_A) {
1287 if (!ssl3_handshake_msg_start(s, &cbb, &done, 1287 if (!ssl3_handshake_msg_start(s, &cbb, &done,
1288 SSL3_MT_SERVER_DONE)) 1288 SSL3_MT_SERVER_DONE))
1289 goto err; 1289 goto err;
1290 if (!ssl3_handshake_msg_finish(s, &cbb)) 1290 if (!ssl3_handshake_msg_finish(s, &cbb))
1291 goto err; 1291 goto err;
1292 1292
1293 S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_B; 1293 s->s3->hs.state = SSL3_ST_SW_SRVR_DONE_B;
1294 } 1294 }
1295 1295
1296 /* SSL3_ST_SW_SRVR_DONE_B */ 1296 /* SSL3_ST_SW_SRVR_DONE_B */
@@ -1307,8 +1307,8 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
1307{ 1307{
1308 int nid = NID_dhKeyAgreement; 1308 int nid = NID_dhKeyAgreement;
1309 1309
1310 tls_key_share_free(S3I(s)->hs.key_share); 1310 tls_key_share_free(s->s3->hs.key_share);
1311 if ((S3I(s)->hs.key_share = tls_key_share_new_nid(nid)) == NULL) 1311 if ((s->s3->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
1312 goto err; 1312 goto err;
1313 1313
1314 if (s->cert->dhe_params_auto != 0) { 1314 if (s->cert->dhe_params_auto != 0) {
@@ -1320,14 +1320,14 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
1320 SSL_AD_INTERNAL_ERROR); 1320 SSL_AD_INTERNAL_ERROR);
1321 goto err; 1321 goto err;
1322 } 1322 }
1323 tls_key_share_set_key_bits(S3I(s)->hs.key_share, 1323 tls_key_share_set_key_bits(s->s3->hs.key_share,
1324 key_bits); 1324 key_bits);
1325 } else { 1325 } else {
1326 DH *dh_params = s->cert->dhe_params; 1326 DH *dh_params = s->cert->dhe_params;
1327 1327
1328 if (dh_params == NULL && s->cert->dhe_params_cb != NULL) 1328 if (dh_params == NULL && s->cert->dhe_params_cb != NULL)
1329 dh_params = s->cert->dhe_params_cb(s, 0, 1329 dh_params = s->cert->dhe_params_cb(s, 0,
1330 SSL_C_PKEYLENGTH(S3I(s)->hs.cipher)); 1330 SSL_C_PKEYLENGTH(s->s3->hs.cipher));
1331 1331
1332 if (dh_params == NULL) { 1332 if (dh_params == NULL) {
1333 SSLerror(s, SSL_R_MISSING_TMP_DH_KEY); 1333 SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
@@ -1336,16 +1336,16 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
1336 goto err; 1336 goto err;
1337 } 1337 }
1338 1338
1339 if (!tls_key_share_set_dh_params(S3I(s)->hs.key_share, dh_params)) 1339 if (!tls_key_share_set_dh_params(s->s3->hs.key_share, dh_params))
1340 goto err; 1340 goto err;
1341 } 1341 }
1342 1342
1343 if (!tls_key_share_generate(S3I(s)->hs.key_share)) 1343 if (!tls_key_share_generate(s->s3->hs.key_share))
1344 goto err; 1344 goto err;
1345 1345
1346 if (!tls_key_share_params(S3I(s)->hs.key_share, cbb)) 1346 if (!tls_key_share_params(s->s3->hs.key_share, cbb))
1347 goto err; 1347 goto err;
1348 if (!tls_key_share_public(S3I(s)->hs.key_share, cbb)) 1348 if (!tls_key_share_public(s->s3->hs.key_share, cbb))
1349 goto err; 1349 goto err;
1350 1350
1351 return 1; 1351 return 1;
@@ -1366,11 +1366,11 @@ ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb)
1366 goto err; 1366 goto err;
1367 } 1367 }
1368 1368
1369 tls_key_share_free(S3I(s)->hs.key_share); 1369 tls_key_share_free(s->s3->hs.key_share);
1370 if ((S3I(s)->hs.key_share = tls_key_share_new_nid(nid)) == NULL) 1370 if ((s->s3->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
1371 goto err; 1371 goto err;
1372 1372
1373 if (!tls_key_share_generate(S3I(s)->hs.key_share)) 1373 if (!tls_key_share_generate(s->s3->hs.key_share))
1374 goto err; 1374 goto err;
1375 1375
1376 /* 1376 /*
@@ -1378,11 +1378,11 @@ ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb)
1378 */ 1378 */
1379 if (!CBB_add_u8(cbb, NAMED_CURVE_TYPE)) 1379 if (!CBB_add_u8(cbb, NAMED_CURVE_TYPE))
1380 goto err; 1380 goto err;
1381 if (!CBB_add_u16(cbb, tls_key_share_group(S3I(s)->hs.key_share))) 1381 if (!CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share)))
1382 goto err; 1382 goto err;
1383 if (!CBB_add_u8_length_prefixed(cbb, &public)) 1383 if (!CBB_add_u8_length_prefixed(cbb, &public))
1384 goto err; 1384 goto err;
1385 if (!tls_key_share_public(S3I(s)->hs.key_share, &public)) 1385 if (!tls_key_share_public(s->s3->hs.key_share, &public))
1386 goto err; 1386 goto err;
1387 if (!CBB_flush(cbb)) 1387 if (!CBB_flush(cbb))
1388 goto err; 1388 goto err;
@@ -1415,7 +1415,7 @@ ssl3_send_server_key_exchange(SSL *s)
1415 if ((md_ctx = EVP_MD_CTX_new()) == NULL) 1415 if ((md_ctx = EVP_MD_CTX_new()) == NULL)
1416 goto err; 1416 goto err;
1417 1417
1418 if (S3I(s)->hs.state == SSL3_ST_SW_KEY_EXCH_A) { 1418 if (s->s3->hs.state == SSL3_ST_SW_KEY_EXCH_A) {
1419 1419
1420 if (!ssl3_handshake_msg_start(s, &cbb, &server_kex, 1420 if (!ssl3_handshake_msg_start(s, &cbb, &server_kex,
1421 SSL3_MT_SERVER_KEY_EXCHANGE)) 1421 SSL3_MT_SERVER_KEY_EXCHANGE))
@@ -1424,7 +1424,7 @@ ssl3_send_server_key_exchange(SSL *s)
1424 if (!CBB_init(&cbb_params, 0)) 1424 if (!CBB_init(&cbb_params, 0))
1425 goto err; 1425 goto err;
1426 1426
1427 type = S3I(s)->hs.cipher->algorithm_mkey; 1427 type = s->s3->hs.cipher->algorithm_mkey;
1428 if (type & SSL_kDHE) { 1428 if (type & SSL_kDHE) {
1429 if (!ssl3_send_server_kex_dhe(s, &cbb_params)) 1429 if (!ssl3_send_server_kex_dhe(s, &cbb_params))
1430 goto err; 1430 goto err;
@@ -1444,13 +1444,13 @@ ssl3_send_server_key_exchange(SSL *s)
1444 goto err; 1444 goto err;
1445 1445
1446 /* Add signature unless anonymous. */ 1446 /* Add signature unless anonymous. */
1447 if (!(S3I(s)->hs.cipher->algorithm_auth & SSL_aNULL)) { 1447 if (!(s->s3->hs.cipher->algorithm_auth & SSL_aNULL)) {
1448 if ((pkey = ssl_get_sign_pkey(s, S3I(s)->hs.cipher, 1448 if ((pkey = ssl_get_sign_pkey(s, s->s3->hs.cipher,
1449 &md, &sigalg)) == NULL) { 1449 &md, &sigalg)) == NULL) {
1450 al = SSL_AD_DECODE_ERROR; 1450 al = SSL_AD_DECODE_ERROR;
1451 goto fatal_err; 1451 goto fatal_err;
1452 } 1452 }
1453 S3I(s)->hs.our_sigalg = sigalg; 1453 s->s3->hs.our_sigalg = sigalg;
1454 1454
1455 /* Send signature algorithm. */ 1455 /* Send signature algorithm. */
1456 if (SSL_USE_SIGALGS(s)) { 1456 if (SSL_USE_SIGALGS(s)) {
@@ -1511,7 +1511,7 @@ ssl3_send_server_key_exchange(SSL *s)
1511 if (!ssl3_handshake_msg_finish(s, &cbb)) 1511 if (!ssl3_handshake_msg_finish(s, &cbb))
1512 goto err; 1512 goto err;
1513 1513
1514 S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_B; 1514 s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_B;
1515 } 1515 }
1516 1516
1517 EVP_MD_CTX_free(md_ctx); 1517 EVP_MD_CTX_free(md_ctx);
@@ -1546,7 +1546,7 @@ ssl3_send_certificate_request(SSL *s)
1546 1546
1547 memset(&cbb, 0, sizeof(cbb)); 1547 memset(&cbb, 0, sizeof(cbb));
1548 1548
1549 if (S3I(s)->hs.state == SSL3_ST_SW_CERT_REQ_A) { 1549 if (s->s3->hs.state == SSL3_ST_SW_CERT_REQ_A) {
1550 if (!ssl3_handshake_msg_start(s, &cbb, &cert_request, 1550 if (!ssl3_handshake_msg_start(s, &cbb, &cert_request,
1551 SSL3_MT_CERTIFICATE_REQUEST)) 1551 SSL3_MT_CERTIFICATE_REQUEST))
1552 goto err; 1552 goto err;
@@ -1561,7 +1561,7 @@ ssl3_send_certificate_request(SSL *s)
1561 &sigalgs)) 1561 &sigalgs))
1562 goto err; 1562 goto err;
1563 if (!ssl_sigalgs_build( 1563 if (!ssl_sigalgs_build(
1564 S3I(s)->hs.negotiated_tls_version, &sigalgs)) 1564 s->s3->hs.negotiated_tls_version, &sigalgs))
1565 goto err; 1565 goto err;
1566 } 1566 }
1567 1567
@@ -1587,7 +1587,7 @@ ssl3_send_certificate_request(SSL *s)
1587 if (!ssl3_handshake_msg_finish(s, &cbb)) 1587 if (!ssl3_handshake_msg_finish(s, &cbb))
1588 goto err; 1588 goto err;
1589 1589
1590 S3I(s)->hs.state = SSL3_ST_SW_CERT_REQ_B; 1590 s->s3->hs.state = SSL3_ST_SW_CERT_REQ_B;
1591 } 1591 }
1592 1592
1593 /* SSL3_ST_SW_CERT_REQ_B */ 1593 /* SSL3_ST_SW_CERT_REQ_B */
@@ -1614,8 +1614,8 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs)
1614 1614
1615 arc4random_buf(fakekey, sizeof(fakekey)); 1615 arc4random_buf(fakekey, sizeof(fakekey));
1616 1616
1617 fakekey[0] = S3I(s)->hs.peer_legacy_version >> 8; 1617 fakekey[0] = s->s3->hs.peer_legacy_version >> 8;
1618 fakekey[1] = S3I(s)->hs.peer_legacy_version & 0xff; 1618 fakekey[1] = s->s3->hs.peer_legacy_version & 0xff;
1619 1619
1620 pkey = s->cert->pkeys[SSL_PKEY_RSA].privatekey; 1620 pkey = s->cert->pkeys[SSL_PKEY_RSA].privatekey;
1621 if (pkey == NULL || (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) { 1621 if (pkey == NULL || (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
@@ -1648,8 +1648,8 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs)
1648 /* SSLerror(s, SSL_R_BAD_RSA_DECRYPT); */ 1648 /* SSLerror(s, SSL_R_BAD_RSA_DECRYPT); */
1649 } 1649 }
1650 1650
1651 if ((al == -1) && !((pms[0] == (S3I(s)->hs.peer_legacy_version >> 8)) && 1651 if ((al == -1) && !((pms[0] == (s->s3->hs.peer_legacy_version >> 8)) &&
1652 (pms[1] == (S3I(s)->hs.peer_legacy_version & 0xff)))) { 1652 (pms[1] == (s->s3->hs.peer_legacy_version & 0xff)))) {
1653 /* 1653 /*
1654 * The premaster secret must contain the same version number 1654 * The premaster secret must contain the same version number
1655 * as the ClientHello to detect version rollback attacks 1655 * as the ClientHello to detect version rollback attacks
@@ -1704,13 +1704,13 @@ ssl3_get_client_kex_dhe(SSL *s, CBS *cbs)
1704 int decode_error, invalid_key; 1704 int decode_error, invalid_key;
1705 int ret = 0; 1705 int ret = 0;
1706 1706
1707 if (S3I(s)->hs.key_share == NULL) { 1707 if (s->s3->hs.key_share == NULL) {
1708 SSLerror(s, SSL_R_MISSING_TMP_DH_KEY); 1708 SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
1709 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1709 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1710 goto err; 1710 goto err;
1711 } 1711 }
1712 1712
1713 if (!tls_key_share_peer_public(S3I(s)->hs.key_share, cbs, 1713 if (!tls_key_share_peer_public(s->s3->hs.key_share, cbs,
1714 &decode_error, &invalid_key)) { 1714 &decode_error, &invalid_key)) {
1715 if (decode_error) { 1715 if (decode_error) {
1716 SSLerror(s, SSL_R_BAD_PACKET_LENGTH); 1716 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
@@ -1724,7 +1724,7 @@ ssl3_get_client_kex_dhe(SSL *s, CBS *cbs)
1724 goto err; 1724 goto err;
1725 } 1725 }
1726 1726
1727 if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len)) 1727 if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len))
1728 goto err; 1728 goto err;
1729 1729
1730 if (!tls12_derive_master_secret(s, key, key_len)) 1730 if (!tls12_derive_master_secret(s, key, key_len))
@@ -1747,7 +1747,7 @@ ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
1747 CBS public; 1747 CBS public;
1748 int ret = 0; 1748 int ret = 0;
1749 1749
1750 if (S3I(s)->hs.key_share == NULL) { 1750 if (s->s3->hs.key_share == NULL) {
1751 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1751 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1752 SSLerror(s, SSL_R_MISSING_TMP_DH_KEY); 1752 SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
1753 goto err; 1753 goto err;
@@ -1758,7 +1758,7 @@ ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
1758 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1758 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1759 goto err; 1759 goto err;
1760 } 1760 }
1761 if (!tls_key_share_peer_public(S3I(s)->hs.key_share, &public, 1761 if (!tls_key_share_peer_public(s->s3->hs.key_share, &public,
1762 &decode_error, NULL)) { 1762 &decode_error, NULL)) {
1763 if (decode_error) { 1763 if (decode_error) {
1764 SSLerror(s, SSL_R_BAD_PACKET_LENGTH); 1764 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
@@ -1767,7 +1767,7 @@ ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
1767 goto err; 1767 goto err;
1768 } 1768 }
1769 1769
1770 if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len)) 1770 if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len))
1771 goto err; 1771 goto err;
1772 1772
1773 if (!tls12_derive_master_secret(s, key, key_len)) 1773 if (!tls12_derive_master_secret(s, key, key_len))
@@ -1792,7 +1792,7 @@ ssl3_get_client_kex_gost(SSL *s, CBS *cbs)
1792 CBS gostblob; 1792 CBS gostblob;
1793 1793
1794 /* Get our certificate private key*/ 1794 /* Get our certificate private key*/
1795 if ((S3I(s)->hs.cipher->algorithm_auth & SSL_aGOST01) != 0) 1795 if ((s->s3->hs.cipher->algorithm_auth & SSL_aGOST01) != 0)
1796 pkey = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; 1796 pkey = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
1797 1797
1798 if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) 1798 if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL)
@@ -1865,7 +1865,7 @@ ssl3_get_client_key_exchange(SSL *s)
1865 1865
1866 CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); 1866 CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);
1867 1867
1868 alg_k = S3I(s)->hs.cipher->algorithm_mkey; 1868 alg_k = s->s3->hs.cipher->algorithm_mkey;
1869 1869
1870 if (alg_k & SSL_kRSA) { 1870 if (alg_k & SSL_kRSA) {
1871 if (!ssl3_get_client_kex_rsa(s, &cbs)) 1871 if (!ssl3_get_client_kex_rsa(s, &cbs))
@@ -1932,8 +1932,8 @@ ssl3_get_cert_verify(SSL *s)
1932 pkey = X509_get0_pubkey(peer_cert); 1932 pkey = X509_get0_pubkey(peer_cert);
1933 type = X509_certificate_type(peer_cert, pkey); 1933 type = X509_certificate_type(peer_cert, pkey);
1934 1934
1935 if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE_VERIFY) { 1935 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
1936 S3I(s)->hs.tls12.reuse_message = 1; 1936 s->s3->hs.tls12.reuse_message = 1;
1937 if (peer_cert != NULL) { 1937 if (peer_cert != NULL) {
1938 al = SSL_AD_UNEXPECTED_MESSAGE; 1938 al = SSL_AD_UNEXPECTED_MESSAGE;
1939 SSLerror(s, SSL_R_MISSING_VERIFY_MESSAGE); 1939 SSLerror(s, SSL_R_MISSING_VERIFY_MESSAGE);
@@ -1955,7 +1955,7 @@ ssl3_get_cert_verify(SSL *s)
1955 goto fatal_err; 1955 goto fatal_err;
1956 } 1956 }
1957 1957
1958 if (S3I(s)->change_cipher_spec) { 1958 if (s->s3->change_cipher_spec) {
1959 SSLerror(s, SSL_R_CCS_RECEIVED_EARLY); 1959 SSLerror(s, SSL_R_CCS_RECEIVED_EARLY);
1960 al = SSL_AD_UNEXPECTED_MESSAGE; 1960 al = SSL_AD_UNEXPECTED_MESSAGE;
1961 goto fatal_err; 1961 goto fatal_err;
@@ -1984,7 +1984,7 @@ ssl3_get_cert_verify(SSL *s)
1984 al = SSL_AD_DECODE_ERROR; 1984 al = SSL_AD_DECODE_ERROR;
1985 goto fatal_err; 1985 goto fatal_err;
1986 } 1986 }
1987 S3I(s)->hs.peer_sigalg = sigalg; 1987 s->s3->hs.peer_sigalg = sigalg;
1988 1988
1989 if (SSL_USE_SIGALGS(s)) { 1989 if (SSL_USE_SIGALGS(s)) {
1990 EVP_PKEY_CTX *pctx; 1990 EVP_PKEY_CTX *pctx;
@@ -2033,7 +2033,7 @@ ssl3_get_cert_verify(SSL *s)
2033 SSLerror(s, ERR_R_EVP_LIB); 2033 SSLerror(s, ERR_R_EVP_LIB);
2034 goto fatal_err; 2034 goto fatal_err;
2035 } 2035 }
2036 verify = RSA_verify(NID_md5_sha1, S3I(s)->hs.tls12.cert_verify, 2036 verify = RSA_verify(NID_md5_sha1, s->s3->hs.tls12.cert_verify,
2037 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, CBS_data(&signature), 2037 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, CBS_data(&signature),
2038 CBS_len(&signature), rsa); 2038 CBS_len(&signature), rsa);
2039 if (verify < 0) { 2039 if (verify < 0) {
@@ -2055,7 +2055,7 @@ ssl3_get_cert_verify(SSL *s)
2055 goto fatal_err; 2055 goto fatal_err;
2056 } 2056 }
2057 verify = ECDSA_verify(0, 2057 verify = ECDSA_verify(0,
2058 &(S3I(s)->hs.tls12.cert_verify[MD5_DIGEST_LENGTH]), 2058 &(s->s3->hs.tls12.cert_verify[MD5_DIGEST_LENGTH]),
2059 SHA_DIGEST_LENGTH, CBS_data(&signature), 2059 SHA_DIGEST_LENGTH, CBS_data(&signature),
2060 CBS_len(&signature), eckey); 2060 CBS_len(&signature), eckey);
2061 if (verify <= 0) { 2061 if (verify <= 0) {
@@ -2148,7 +2148,7 @@ ssl3_get_client_certificate(SSL *s)
2148 2148
2149 ret = -1; 2149 ret = -1;
2150 2150
2151 if (S3I(s)->hs.tls12.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) { 2151 if (s->s3->hs.tls12.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
2152 if ((s->verify_mode & SSL_VERIFY_PEER) && 2152 if ((s->verify_mode & SSL_VERIFY_PEER) &&
2153 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { 2153 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
2154 SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 2154 SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
@@ -2159,17 +2159,17 @@ ssl3_get_client_certificate(SSL *s)
2159 * If tls asked for a client cert, 2159 * If tls asked for a client cert,
2160 * the client must return a 0 list. 2160 * the client must return a 0 list.
2161 */ 2161 */
2162 if (S3I(s)->hs.tls12.cert_request) { 2162 if (s->s3->hs.tls12.cert_request) {
2163 SSLerror(s, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 2163 SSLerror(s, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST
2164 ); 2164 );
2165 al = SSL_AD_UNEXPECTED_MESSAGE; 2165 al = SSL_AD_UNEXPECTED_MESSAGE;
2166 goto fatal_err; 2166 goto fatal_err;
2167 } 2167 }
2168 S3I(s)->hs.tls12.reuse_message = 1; 2168 s->s3->hs.tls12.reuse_message = 1;
2169 return (1); 2169 return (1);
2170 } 2170 }
2171 2171
2172 if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE) { 2172 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE) {
2173 al = SSL_AD_UNEXPECTED_MESSAGE; 2173 al = SSL_AD_UNEXPECTED_MESSAGE;
2174 SSLerror(s, SSL_R_WRONG_MESSAGE_TYPE); 2174 SSLerror(s, SSL_R_WRONG_MESSAGE_TYPE);
2175 goto fatal_err; 2175 goto fatal_err;
@@ -2278,7 +2278,7 @@ ssl3_send_server_certificate(SSL *s)
2278 2278
2279 memset(&cbb, 0, sizeof(cbb)); 2279 memset(&cbb, 0, sizeof(cbb));
2280 2280
2281 if (S3I(s)->hs.state == SSL3_ST_SW_CERT_A) { 2281 if (s->s3->hs.state == SSL3_ST_SW_CERT_A) {
2282 if ((cpk = ssl_get_server_send_pkey(s)) == NULL) { 2282 if ((cpk = ssl_get_server_send_pkey(s)) == NULL) {
2283 SSLerror(s, ERR_R_INTERNAL_ERROR); 2283 SSLerror(s, ERR_R_INTERNAL_ERROR);
2284 return (0); 2284 return (0);
@@ -2292,7 +2292,7 @@ ssl3_send_server_certificate(SSL *s)
2292 if (!ssl3_handshake_msg_finish(s, &cbb)) 2292 if (!ssl3_handshake_msg_finish(s, &cbb))
2293 goto err; 2293 goto err;
2294 2294
2295 S3I(s)->hs.state = SSL3_ST_SW_CERT_B; 2295 s->s3->hs.state = SSL3_ST_SW_CERT_B;
2296 } 2296 }
2297 2297
2298 /* SSL3_ST_SW_CERT_B */ 2298 /* SSL3_ST_SW_CERT_B */
@@ -2332,7 +2332,7 @@ ssl3_send_newsession_ticket(SSL *s)
2332 if ((hctx = HMAC_CTX_new()) == NULL) 2332 if ((hctx = HMAC_CTX_new()) == NULL)
2333 goto err; 2333 goto err;
2334 2334
2335 if (S3I(s)->hs.state == SSL3_ST_SW_SESSION_TICKET_A) { 2335 if (s->s3->hs.state == SSL3_ST_SW_SESSION_TICKET_A) {
2336 if (!ssl3_handshake_msg_start(s, &cbb, &session_ticket, 2336 if (!ssl3_handshake_msg_start(s, &cbb, &session_ticket,
2337 SSL3_MT_NEWSESSION_TICKET)) 2337 SSL3_MT_NEWSESSION_TICKET))
2338 goto err; 2338 goto err;
@@ -2417,7 +2417,7 @@ ssl3_send_newsession_ticket(SSL *s)
2417 if (!ssl3_handshake_msg_finish(s, &cbb)) 2417 if (!ssl3_handshake_msg_finish(s, &cbb))
2418 goto err; 2418 goto err;
2419 2419
2420 S3I(s)->hs.state = SSL3_ST_SW_SESSION_TICKET_B; 2420 s->s3->hs.state = SSL3_ST_SW_SESSION_TICKET_B;
2421 } 2421 }
2422 2422
2423 EVP_CIPHER_CTX_free(ctx); 2423 EVP_CIPHER_CTX_free(ctx);
@@ -2445,7 +2445,7 @@ ssl3_send_cert_status(SSL *s)
2445 2445
2446 memset(&cbb, 0, sizeof(cbb)); 2446 memset(&cbb, 0, sizeof(cbb));
2447 2447
2448 if (S3I(s)->hs.state == SSL3_ST_SW_CERT_STATUS_A) { 2448 if (s->s3->hs.state == SSL3_ST_SW_CERT_STATUS_A) {
2449 if (!ssl3_handshake_msg_start(s, &cbb, &certstatus, 2449 if (!ssl3_handshake_msg_start(s, &cbb, &certstatus,
2450 SSL3_MT_CERTIFICATE_STATUS)) 2450 SSL3_MT_CERTIFICATE_STATUS))
2451 goto err; 2451 goto err;
@@ -2459,7 +2459,7 @@ ssl3_send_cert_status(SSL *s)
2459 if (!ssl3_handshake_msg_finish(s, &cbb)) 2459 if (!ssl3_handshake_msg_finish(s, &cbb))
2460 goto err; 2460 goto err;
2461 2461
2462 S3I(s)->hs.state = SSL3_ST_SW_CERT_STATUS_B; 2462 s->s3->hs.state = SSL3_ST_SW_CERT_STATUS_B;
2463 } 2463 }
2464 2464
2465 /* SSL3_ST_SW_CERT_STATUS_B */ 2465 /* SSL3_ST_SW_CERT_STATUS_B */
diff --git a/src/lib/libssl/ssl_stat.c b/src/lib/libssl/ssl_stat.c
index b51538c1b2..5d35528acd 100644
--- a/src/lib/libssl/ssl_stat.c
+++ b/src/lib/libssl/ssl_stat.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_stat.c,v 1.17 2021/06/13 15:51:10 jsing Exp $ */ 1/* $OpenBSD: ssl_stat.c,v 1.18 2022/02/05 14:54:10 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -91,7 +91,7 @@ SSL_state_string_long(const SSL *s)
91{ 91{
92 const char *str; 92 const char *str;
93 93
94 switch (S3I(s)->hs.state) { 94 switch (s->s3->hs.state) {
95 case SSL_ST_BEFORE: 95 case SSL_ST_BEFORE:
96 str = "before SSL initialization"; 96 str = "before SSL initialization";
97 break; 97 break;
@@ -347,7 +347,7 @@ SSL_state_string(const SSL *s)
347{ 347{
348 const char *str; 348 const char *str;
349 349
350 switch (S3I(s)->hs.state) { 350 switch (s->s3->hs.state) {
351 case SSL_ST_BEFORE: 351 case SSL_ST_BEFORE:
352 str = "PINIT "; 352 str = "PINIT ";
353 break; 353 break;
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 8070296d9f..f93f44ceba 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_tlsext.c,v 1.109 2022/01/24 13:49:50 tb Exp $ */ 1/* $OpenBSD: ssl_tlsext.c,v 1.110 2022/02/05 14:54:10 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -41,7 +41,7 @@ tlsext_alpn_client_needs(SSL *s, uint16_t msg_type)
41{ 41{
42 /* ALPN protos have been specified and this is the initial handshake */ 42 /* ALPN protos have been specified and this is the initial handshake */
43 return s->internal->alpn_client_proto_list != NULL && 43 return s->internal->alpn_client_proto_list != NULL &&
44 S3I(s)->hs.finished_len == 0; 44 s->s3->hs.finished_len == 0;
45} 45}
46 46
47int 47int
@@ -101,14 +101,14 @@ tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert)
101 s->ctx->internal->alpn_select_cb_arg); 101 s->ctx->internal->alpn_select_cb_arg);
102 102
103 if (r == SSL_TLSEXT_ERR_OK) { 103 if (r == SSL_TLSEXT_ERR_OK) {
104 free(S3I(s)->alpn_selected); 104 free(s->s3->alpn_selected);
105 if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) { 105 if ((s->s3->alpn_selected = malloc(selected_len)) == NULL) {
106 S3I(s)->alpn_selected_len = 0; 106 s->s3->alpn_selected_len = 0;
107 *alert = SSL_AD_INTERNAL_ERROR; 107 *alert = SSL_AD_INTERNAL_ERROR;
108 return 0; 108 return 0;
109 } 109 }
110 memcpy(S3I(s)->alpn_selected, selected, selected_len); 110 memcpy(s->s3->alpn_selected, selected, selected_len);
111 S3I(s)->alpn_selected_len = selected_len; 111 s->s3->alpn_selected_len = selected_len;
112 112
113 return 1; 113 return 1;
114 } 114 }
@@ -130,7 +130,7 @@ tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert)
130int 130int
131tlsext_alpn_server_needs(SSL *s, uint16_t msg_type) 131tlsext_alpn_server_needs(SSL *s, uint16_t msg_type)
132{ 132{
133 return S3I(s)->alpn_selected != NULL; 133 return s->s3->alpn_selected != NULL;
134} 134}
135 135
136int 136int
@@ -144,8 +144,8 @@ tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
144 if (!CBB_add_u8_length_prefixed(&list, &selected)) 144 if (!CBB_add_u8_length_prefixed(&list, &selected))
145 return 0; 145 return 0;
146 146
147 if (!CBB_add_bytes(&selected, S3I(s)->alpn_selected, 147 if (!CBB_add_bytes(&selected, s->s3->alpn_selected,
148 S3I(s)->alpn_selected_len)) 148 s->s3->alpn_selected_len))
149 return 0; 149 return 0;
150 150
151 if (!CBB_flush(cbb)) 151 if (!CBB_flush(cbb))
@@ -177,8 +177,8 @@ tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
177 if (CBS_len(&proto) == 0) 177 if (CBS_len(&proto) == 0)
178 goto err; 178 goto err;
179 179
180 if (!CBS_stow(&proto, &(S3I(s)->alpn_selected), 180 if (!CBS_stow(&proto, &(s->s3->alpn_selected),
181 &(S3I(s)->alpn_selected_len))) 181 &(s->s3->alpn_selected_len)))
182 goto err; 182 goto err;
183 183
184 return 1; 184 return 1;
@@ -195,7 +195,7 @@ int
195tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) 195tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type)
196{ 196{
197 return ssl_has_ecc_ciphers(s) || 197 return ssl_has_ecc_ciphers(s) ||
198 (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION); 198 (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
199} 199}
200 200
201int 201int
@@ -247,7 +247,7 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
247 uint16_t *groups; 247 uint16_t *groups;
248 int i; 248 int i;
249 249
250 if (S3I(s)->hs.tls13.hrr) { 250 if (s->s3->hs.tls13.hrr) {
251 if (s->session->tlsext_supportedgroups == NULL) { 251 if (s->session->tlsext_supportedgroups == NULL) {
252 *alert = SSL_AD_HANDSHAKE_FAILURE; 252 *alert = SSL_AD_HANDSHAKE_FAILURE;
253 return 0; 253 return 0;
@@ -450,8 +450,8 @@ tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
450 450
451 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 451 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
452 return 0; 452 return 0;
453 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 453 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished,
454 S3I(s)->previous_client_finished_len)) 454 s->s3->previous_client_finished_len))
455 return 0; 455 return 0;
456 if (!CBB_flush(cbb)) 456 if (!CBB_flush(cbb))
457 return 0; 457 return 0;
@@ -469,15 +469,15 @@ tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
469 if (CBS_len(cbs) != 0) 469 if (CBS_len(cbs) != 0)
470 goto err; 470 goto err;
471 471
472 if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished, 472 if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished,
473 S3I(s)->previous_client_finished_len)) { 473 s->s3->previous_client_finished_len)) {
474 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 474 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
475 *alert = SSL_AD_HANDSHAKE_FAILURE; 475 *alert = SSL_AD_HANDSHAKE_FAILURE;
476 return 0; 476 return 0;
477 } 477 }
478 478
479 S3I(s)->renegotiate_seen = 1; 479 s->s3->renegotiate_seen = 1;
480 S3I(s)->send_connection_binding = 1; 480 s->s3->send_connection_binding = 1;
481 481
482 return 1; 482 return 1;
483 483
@@ -490,8 +490,8 @@ tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
490int 490int
491tlsext_ri_server_needs(SSL *s, uint16_t msg_type) 491tlsext_ri_server_needs(SSL *s, uint16_t msg_type)
492{ 492{
493 return (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION && 493 return (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION &&
494 S3I(s)->send_connection_binding); 494 s->s3->send_connection_binding);
495} 495}
496 496
497int 497int
@@ -501,11 +501,11 @@ tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
501 501
502 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 502 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
503 return 0; 503 return 0;
504 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 504 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished,
505 S3I(s)->previous_client_finished_len)) 505 s->s3->previous_client_finished_len))
506 return 0; 506 return 0;
507 if (!CBB_add_bytes(&reneg, S3I(s)->previous_server_finished, 507 if (!CBB_add_bytes(&reneg, s->s3->previous_server_finished,
508 S3I(s)->previous_server_finished_len)) 508 s->s3->previous_server_finished_len))
509 return 0; 509 return 0;
510 if (!CBB_flush(cbb)) 510 if (!CBB_flush(cbb))
511 return 0; 511 return 0;
@@ -522,10 +522,10 @@ tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
522 * Ensure that the previous client and server values are both not 522 * Ensure that the previous client and server values are both not
523 * present, or that they are both present. 523 * present, or that they are both present.
524 */ 524 */
525 if ((S3I(s)->previous_client_finished_len == 0 && 525 if ((s->s3->previous_client_finished_len == 0 &&
526 S3I(s)->previous_server_finished_len != 0) || 526 s->s3->previous_server_finished_len != 0) ||
527 (S3I(s)->previous_client_finished_len != 0 && 527 (s->s3->previous_client_finished_len != 0 &&
528 S3I(s)->previous_server_finished_len == 0)) { 528 s->s3->previous_server_finished_len == 0)) {
529 *alert = SSL_AD_INTERNAL_ERROR; 529 *alert = SSL_AD_INTERNAL_ERROR;
530 return 0; 530 return 0;
531 } 531 }
@@ -533,31 +533,31 @@ tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
533 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 533 if (!CBS_get_u8_length_prefixed(cbs, &reneg))
534 goto err; 534 goto err;
535 if (!CBS_get_bytes(&reneg, &prev_client, 535 if (!CBS_get_bytes(&reneg, &prev_client,
536 S3I(s)->previous_client_finished_len)) 536 s->s3->previous_client_finished_len))
537 goto err; 537 goto err;
538 if (!CBS_get_bytes(&reneg, &prev_server, 538 if (!CBS_get_bytes(&reneg, &prev_server,
539 S3I(s)->previous_server_finished_len)) 539 s->s3->previous_server_finished_len))
540 goto err; 540 goto err;
541 if (CBS_len(&reneg) != 0) 541 if (CBS_len(&reneg) != 0)
542 goto err; 542 goto err;
543 if (CBS_len(cbs) != 0) 543 if (CBS_len(cbs) != 0)
544 goto err; 544 goto err;
545 545
546 if (!CBS_mem_equal(&prev_client, S3I(s)->previous_client_finished, 546 if (!CBS_mem_equal(&prev_client, s->s3->previous_client_finished,
547 S3I(s)->previous_client_finished_len)) { 547 s->s3->previous_client_finished_len)) {
548 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 548 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
549 *alert = SSL_AD_HANDSHAKE_FAILURE; 549 *alert = SSL_AD_HANDSHAKE_FAILURE;
550 return 0; 550 return 0;
551 } 551 }
552 if (!CBS_mem_equal(&prev_server, S3I(s)->previous_server_finished, 552 if (!CBS_mem_equal(&prev_server, s->s3->previous_server_finished,
553 S3I(s)->previous_server_finished_len)) { 553 s->s3->previous_server_finished_len)) {
554 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 554 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
555 *alert = SSL_AD_HANDSHAKE_FAILURE; 555 *alert = SSL_AD_HANDSHAKE_FAILURE;
556 return 0; 556 return 0;
557 } 557 }
558 558
559 S3I(s)->renegotiate_seen = 1; 559 s->s3->renegotiate_seen = 1;
560 S3I(s)->send_connection_binding = 1; 560 s->s3->send_connection_binding = 1;
561 561
562 return 1; 562 return 1;
563 563
@@ -573,17 +573,17 @@ tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
573int 573int
574tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) 574tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type)
575{ 575{
576 return (S3I(s)->hs.our_max_tls_version >= TLS1_2_VERSION); 576 return (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION);
577} 577}
578 578
579int 579int
580tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 580tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
581{ 581{
582 uint16_t tls_version = S3I(s)->hs.negotiated_tls_version; 582 uint16_t tls_version = s->s3->hs.negotiated_tls_version;
583 CBB sigalgs; 583 CBB sigalgs;
584 584
585 if (msg_type == SSL_TLSEXT_MSG_CH) 585 if (msg_type == SSL_TLSEXT_MSG_CH)
586 tls_version = S3I(s)->hs.our_min_tls_version; 586 tls_version = s->s3->hs.our_min_tls_version;
587 587
588 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 588 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
589 return 0; 589 return 0;
@@ -604,7 +604,7 @@ tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
604 return 0; 604 return 0;
605 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 605 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64)
606 return 0; 606 return 0;
607 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) 607 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len))
608 return 0; 608 return 0;
609 609
610 return 1; 610 return 1;
@@ -613,7 +613,7 @@ tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
613int 613int
614tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) 614tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type)
615{ 615{
616 return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION); 616 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION);
617} 617}
618 618
619int 619int
@@ -623,7 +623,7 @@ tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
623 623
624 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 624 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
625 return 0; 625 return 0;
626 if (!ssl_sigalgs_build(S3I(s)->hs.negotiated_tls_version, &sigalgs)) 626 if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs))
627 return 0; 627 return 0;
628 if (!CBB_flush(cbb)) 628 if (!CBB_flush(cbb))
629 return 0; 629 return 0;
@@ -643,7 +643,7 @@ tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
643 return 0; 643 return 0;
644 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 644 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64)
645 return 0; 645 return 0;
646 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) 646 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len))
647 return 0; 647 return 0;
648 648
649 return 1; 649 return 1;
@@ -804,7 +804,7 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
804 goto err; 804 goto err;
805 } 805 }
806 806
807 if (s->internal->hit || S3I(s)->hs.tls13.hrr) { 807 if (s->internal->hit || s->s3->hs.tls13.hrr) {
808 if (s->session->tlsext_hostname == NULL) { 808 if (s->session->tlsext_hostname == NULL) {
809 *alert = SSL_AD_UNRECOGNIZED_NAME; 809 *alert = SSL_AD_UNRECOGNIZED_NAME;
810 goto err; 810 goto err;
@@ -1027,7 +1027,7 @@ tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1027int 1027int
1028tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) 1028tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type)
1029{ 1029{
1030 if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION && 1030 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION &&
1031 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 1031 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
1032 s->ctx->internal->tlsext_status_cb != NULL) { 1032 s->ctx->internal->tlsext_status_cb != NULL) {
1033 s->internal->tlsext_status_expected = 0; 1033 s->internal->tlsext_status_expected = 0;
@@ -1044,7 +1044,7 @@ tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1044{ 1044{
1045 CBB ocsp_response; 1045 CBB ocsp_response;
1046 1046
1047 if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) { 1047 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION) {
1048 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 1048 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
1049 return 0; 1049 return 0;
1050 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) 1050 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response))
@@ -1451,7 +1451,7 @@ tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1451int 1451int
1452tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) 1452tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type)
1453{ 1453{
1454 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION); 1454 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
1455} 1455}
1456 1456
1457int 1457int
@@ -1463,11 +1463,11 @@ tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1463 return 0; 1463 return 0;
1464 1464
1465 if (!CBB_add_u16(&client_shares, 1465 if (!CBB_add_u16(&client_shares,
1466 tls_key_share_group(S3I(s)->hs.key_share))) 1466 tls_key_share_group(s->s3->hs.key_share)))
1467 return 0; 1467 return 0;
1468 if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange)) 1468 if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange))
1469 return 0; 1469 return 0;
1470 if (!tls_key_share_public(S3I(s)->hs.key_share, &key_exchange)) 1470 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange))
1471 return 0; 1471 return 0;
1472 1472
1473 if (!CBB_flush(cbb)) 1473 if (!CBB_flush(cbb))
@@ -1503,9 +1503,9 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1503 * Ignore this client share if we're using earlier than TLSv1.3 1503 * Ignore this client share if we're using earlier than TLSv1.3
1504 * or we've already selected a key share. 1504 * or we've already selected a key share.
1505 */ 1505 */
1506 if (S3I(s)->hs.our_max_tls_version < TLS1_3_VERSION) 1506 if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION)
1507 continue; 1507 continue;
1508 if (S3I(s)->hs.key_share != NULL) 1508 if (s->s3->hs.key_share != NULL)
1509 continue; 1509 continue;
1510 1510
1511 /* XXX - consider implementing server preference. */ 1511 /* XXX - consider implementing server preference. */
@@ -1513,11 +1513,11 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1513 continue; 1513 continue;
1514 1514
1515 /* Decode and store the selected key share. */ 1515 /* Decode and store the selected key share. */
1516 if ((S3I(s)->hs.key_share = tls_key_share_new(group)) == NULL) { 1516 if ((s->s3->hs.key_share = tls_key_share_new(group)) == NULL) {
1517 *alert = SSL_AD_INTERNAL_ERROR; 1517 *alert = SSL_AD_INTERNAL_ERROR;
1518 return 0; 1518 return 0;
1519 } 1519 }
1520 if (!tls_key_share_peer_public(S3I(s)->hs.key_share, 1520 if (!tls_key_share_peer_public(s->s3->hs.key_share,
1521 &key_exchange, &decode_error, NULL)) { 1521 &key_exchange, &decode_error, NULL)) {
1522 if (!decode_error) 1522 if (!decode_error)
1523 *alert = SSL_AD_INTERNAL_ERROR; 1523 *alert = SSL_AD_INTERNAL_ERROR;
@@ -1531,7 +1531,7 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1531int 1531int
1532tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) 1532tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type)
1533{ 1533{
1534 return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION && 1534 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION &&
1535 tlsext_extension_seen(s, TLSEXT_TYPE_key_share)); 1535 tlsext_extension_seen(s, TLSEXT_TYPE_key_share));
1536} 1536}
1537 1537
@@ -1541,20 +1541,20 @@ tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1541 CBB key_exchange; 1541 CBB key_exchange;
1542 1542
1543 /* In the case of a HRR, we only send the server selected group. */ 1543 /* In the case of a HRR, we only send the server selected group. */
1544 if (S3I(s)->hs.tls13.hrr) { 1544 if (s->s3->hs.tls13.hrr) {
1545 if (S3I(s)->hs.tls13.server_group == 0) 1545 if (s->s3->hs.tls13.server_group == 0)
1546 return 0; 1546 return 0;
1547 return CBB_add_u16(cbb, S3I(s)->hs.tls13.server_group); 1547 return CBB_add_u16(cbb, s->s3->hs.tls13.server_group);
1548 } 1548 }
1549 1549
1550 if (S3I(s)->hs.key_share == NULL) 1550 if (s->s3->hs.key_share == NULL)
1551 return 0; 1551 return 0;
1552 1552
1553 if (!CBB_add_u16(cbb, tls_key_share_group(S3I(s)->hs.key_share))) 1553 if (!CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share)))
1554 return 0; 1554 return 0;
1555 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange)) 1555 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange))
1556 return 0; 1556 return 0;
1557 if (!tls_key_share_public(S3I(s)->hs.key_share, &key_exchange)) 1557 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange))
1558 return 0; 1558 return 0;
1559 1559
1560 if (!CBB_flush(cbb)) 1560 if (!CBB_flush(cbb))
@@ -1579,22 +1579,22 @@ tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1579 if (msg_type != SSL_TLSEXT_MSG_HRR) 1579 if (msg_type != SSL_TLSEXT_MSG_HRR)
1580 return 0; 1580 return 0;
1581 1581
1582 S3I(s)->hs.tls13.server_group = group; 1582 s->s3->hs.tls13.server_group = group;
1583 return 1; 1583 return 1;
1584 } 1584 }
1585 1585
1586 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1586 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
1587 return 0; 1587 return 0;
1588 1588
1589 if (S3I(s)->hs.key_share == NULL) { 1589 if (s->s3->hs.key_share == NULL) {
1590 *alert = SSL_AD_INTERNAL_ERROR; 1590 *alert = SSL_AD_INTERNAL_ERROR;
1591 return 0; 1591 return 0;
1592 } 1592 }
1593 if (tls_key_share_group(S3I(s)->hs.key_share) != group) { 1593 if (tls_key_share_group(s->s3->hs.key_share) != group) {
1594 *alert = SSL_AD_INTERNAL_ERROR; 1594 *alert = SSL_AD_INTERNAL_ERROR;
1595 return 0; 1595 return 0;
1596 } 1596 }
1597 if (!tls_key_share_peer_public(S3I(s)->hs.key_share, 1597 if (!tls_key_share_peer_public(s->s3->hs.key_share,
1598 &key_exchange, &decode_error, NULL)) { 1598 &key_exchange, &decode_error, NULL)) {
1599 if (!decode_error) 1599 if (!decode_error)
1600 *alert = SSL_AD_INTERNAL_ERROR; 1600 *alert = SSL_AD_INTERNAL_ERROR;
@@ -1610,7 +1610,7 @@ tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1610int 1610int
1611tlsext_versions_client_needs(SSL *s, uint16_t msg_type) 1611tlsext_versions_client_needs(SSL *s, uint16_t msg_type)
1612{ 1612{
1613 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION); 1613 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
1614} 1614}
1615 1615
1616int 1616int
@@ -1620,8 +1620,8 @@ tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1620 uint16_t version; 1620 uint16_t version;
1621 CBB versions; 1621 CBB versions;
1622 1622
1623 max = S3I(s)->hs.our_max_tls_version; 1623 max = s->s3->hs.our_max_tls_version;
1624 min = S3I(s)->hs.our_min_tls_version; 1624 min = s->s3->hs.our_min_tls_version;
1625 1625
1626 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1626 if (!CBB_add_u8_length_prefixed(cbb, &versions))
1627 return 0; 1627 return 0;
@@ -1646,8 +1646,8 @@ tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1646 uint16_t max, min; 1646 uint16_t max, min;
1647 uint16_t matched_version = 0; 1647 uint16_t matched_version = 0;
1648 1648
1649 max = S3I(s)->hs.our_max_tls_version; 1649 max = s->s3->hs.our_max_tls_version;
1650 min = S3I(s)->hs.our_min_tls_version; 1650 min = s->s3->hs.our_min_tls_version;
1651 1651
1652 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1652 if (!CBS_get_u8_length_prefixed(cbs, &versions))
1653 goto err; 1653 goto err;
@@ -1680,7 +1680,7 @@ tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1680int 1680int
1681tlsext_versions_server_needs(SSL *s, uint16_t msg_type) 1681tlsext_versions_server_needs(SSL *s, uint16_t msg_type)
1682{ 1682{
1683 return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION); 1683 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION);
1684} 1684}
1685 1685
1686int 1686int
@@ -1706,7 +1706,7 @@ tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1706 } 1706 }
1707 1707
1708 /* XXX test between min and max once initialization code goes in */ 1708 /* XXX test between min and max once initialization code goes in */
1709 S3I(s)->hs.tls13.server_version = selected_version; 1709 s->s3->hs.tls13.server_version = selected_version;
1710 1710
1711 return 1; 1711 return 1;
1712} 1712}
@@ -1719,8 +1719,8 @@ tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1719int 1719int
1720tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) 1720tlsext_cookie_client_needs(SSL *s, uint16_t msg_type)
1721{ 1721{
1722 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION && 1722 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION &&
1723 S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL); 1723 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL);
1724} 1724}
1725 1725
1726int 1726int
@@ -1731,8 +1731,8 @@ tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1731 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1731 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1732 return 0; 1732 return 0;
1733 1733
1734 if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie, 1734 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie,
1735 S3I(s)->hs.tls13.cookie_len)) 1735 s->s3->hs.tls13.cookie_len))
1736 return 0; 1736 return 0;
1737 1737
1738 if (!CBB_flush(cbb)) 1738 if (!CBB_flush(cbb))
@@ -1749,7 +1749,7 @@ tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1749 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1749 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1750 goto err; 1750 goto err;
1751 1751
1752 if (CBS_len(&cookie) != S3I(s)->hs.tls13.cookie_len) 1752 if (CBS_len(&cookie) != s->s3->hs.tls13.cookie_len)
1753 goto err; 1753 goto err;
1754 1754
1755 /* 1755 /*
@@ -1757,8 +1757,8 @@ tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1757 * sent - client *MUST* send the same cookie with new CR after 1757 * sent - client *MUST* send the same cookie with new CR after
1758 * a cookie is sent by the server with an HRR. 1758 * a cookie is sent by the server with an HRR.
1759 */ 1759 */
1760 if (!CBS_mem_equal(&cookie, S3I(s)->hs.tls13.cookie, 1760 if (!CBS_mem_equal(&cookie, s->s3->hs.tls13.cookie,
1761 S3I(s)->hs.tls13.cookie_len)) { 1761 s->s3->hs.tls13.cookie_len)) {
1762 /* XXX special cookie mismatch alert? */ 1762 /* XXX special cookie mismatch alert? */
1763 *alert = SSL_AD_ILLEGAL_PARAMETER; 1763 *alert = SSL_AD_ILLEGAL_PARAMETER;
1764 return 0; 1764 return 0;
@@ -1778,8 +1778,8 @@ tlsext_cookie_server_needs(SSL *s, uint16_t msg_type)
1778 * Server needs to set cookie value in tls13 handshake 1778 * Server needs to set cookie value in tls13 handshake
1779 * in order to send one, should only be sent with HRR. 1779 * in order to send one, should only be sent with HRR.
1780 */ 1780 */
1781 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION && 1781 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION &&
1782 S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL); 1782 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL);
1783} 1783}
1784 1784
1785int 1785int
@@ -1792,8 +1792,8 @@ tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1792 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1792 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1793 return 0; 1793 return 0;
1794 1794
1795 if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie, 1795 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie,
1796 S3I(s)->hs.tls13.cookie_len)) 1796 s->s3->hs.tls13.cookie_len))
1797 return 0; 1797 return 0;
1798 1798
1799 if (!CBB_flush(cbb)) 1799 if (!CBB_flush(cbb))
@@ -1812,8 +1812,8 @@ tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1812 * HRR from a server with a cookie to process after accepting 1812 * HRR from a server with a cookie to process after accepting
1813 * one from the server in the same handshake 1813 * one from the server in the same handshake
1814 */ 1814 */
1815 if (S3I(s)->hs.tls13.cookie != NULL || 1815 if (s->s3->hs.tls13.cookie != NULL ||
1816 S3I(s)->hs.tls13.cookie_len != 0) { 1816 s->s3->hs.tls13.cookie_len != 0) {
1817 *alert = SSL_AD_ILLEGAL_PARAMETER; 1817 *alert = SSL_AD_ILLEGAL_PARAMETER;
1818 return 0; 1818 return 0;
1819 } 1819 }
@@ -1821,8 +1821,8 @@ tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1821 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1821 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1822 goto err; 1822 goto err;
1823 1823
1824 if (!CBS_stow(&cookie, &S3I(s)->hs.tls13.cookie, 1824 if (!CBS_stow(&cookie, &s->s3->hs.tls13.cookie,
1825 &S3I(s)->hs.tls13.cookie_len)) 1825 &s->s3->hs.tls13.cookie_len))
1826 goto err; 1826 goto err;
1827 1827
1828 return 1; 1828 return 1;
@@ -2049,7 +2049,7 @@ tlsext_extension_seen(SSL *s, uint16_t type)
2049 2049
2050 if (tls_extension_find(type, &idx) == NULL) 2050 if (tls_extension_find(type, &idx) == NULL)
2051 return 0; 2051 return 0;
2052 return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0); 2052 return ((s->s3->hs.extensions_seen & (1 << idx)) != 0);
2053} 2053}
2054 2054
2055static const struct tls_extension_funcs * 2055static const struct tls_extension_funcs *
@@ -2149,7 +2149,7 @@ tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert)
2149 2149
2150 tls_version = ssl_effective_tls_version(s); 2150 tls_version = ssl_effective_tls_version(s);
2151 2151
2152 S3I(s)->hs.extensions_seen = 0; 2152 s->s3->hs.extensions_seen = 0;
2153 2153
2154 /* An empty extensions block is valid. */ 2154 /* An empty extensions block is valid. */
2155 if (CBS_len(cbs) == 0) 2155 if (CBS_len(cbs) == 0)
@@ -2191,9 +2191,9 @@ tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert)
2191 } 2191 }
2192 2192
2193 /* Check for duplicate known extensions. */ 2193 /* Check for duplicate known extensions. */
2194 if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0) 2194 if ((s->s3->hs.extensions_seen & (1 << idx)) != 0)
2195 goto err; 2195 goto err;
2196 S3I(s)->hs.extensions_seen |= (1 << idx); 2196 s->s3->hs.extensions_seen |= (1 << idx);
2197 2197
2198 ext = tlsext_funcs(tlsext, is_server); 2198 ext = tlsext_funcs(tlsext, is_server);
2199 if (!ext->parse(s, msg_type, &extension_data, &alert_desc)) 2199 if (!ext->parse(s, msg_type, &extension_data, &alert_desc))
@@ -2215,10 +2215,10 @@ static void
2215tlsext_server_reset_state(SSL *s) 2215tlsext_server_reset_state(SSL *s)
2216{ 2216{
2217 s->tlsext_status_type = -1; 2217 s->tlsext_status_type = -1;
2218 S3I(s)->renegotiate_seen = 0; 2218 s->s3->renegotiate_seen = 0;
2219 free(S3I(s)->alpn_selected); 2219 free(s->s3->alpn_selected);
2220 S3I(s)->alpn_selected = NULL; 2220 s->s3->alpn_selected = NULL;
2221 S3I(s)->alpn_selected_len = 0; 2221 s->s3->alpn_selected_len = 0;
2222 s->internal->srtp_profile = NULL; 2222 s->internal->srtp_profile = NULL;
2223} 2223}
2224 2224
@@ -2241,10 +2241,10 @@ tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
2241static void 2241static void
2242tlsext_client_reset_state(SSL *s) 2242tlsext_client_reset_state(SSL *s)
2243{ 2243{
2244 S3I(s)->renegotiate_seen = 0; 2244 s->s3->renegotiate_seen = 0;
2245 free(S3I(s)->alpn_selected); 2245 free(s->s3->alpn_selected);
2246 S3I(s)->alpn_selected = NULL; 2246 s->s3->alpn_selected = NULL;
2247 S3I(s)->alpn_selected_len = 0; 2247 s->s3->alpn_selected_len = 0;
2248} 2248}
2249 2249
2250int 2250int
diff --git a/src/lib/libssl/ssl_transcript.c b/src/lib/libssl/ssl_transcript.c
index 47aa15adc2..c54cdb22cb 100644
--- a/src/lib/libssl/ssl_transcript.c
+++ b/src/lib/libssl/ssl_transcript.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_transcript.c,v 1.5 2021/05/16 14:10:43 jsing Exp $ */ 1/* $OpenBSD: ssl_transcript.c,v 1.6 2022/02/05 14:54:10 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -33,11 +33,11 @@ tls1_transcript_hash_init(SSL *s)
33 goto err; 33 goto err;
34 } 34 }
35 35
36 if ((S3I(s)->handshake_hash = EVP_MD_CTX_new()) == NULL) { 36 if ((s->s3->handshake_hash = EVP_MD_CTX_new()) == NULL) {
37 SSLerror(s, ERR_R_MALLOC_FAILURE); 37 SSLerror(s, ERR_R_MALLOC_FAILURE);
38 goto err; 38 goto err;
39 } 39 }
40 if (!EVP_DigestInit_ex(S3I(s)->handshake_hash, md, NULL)) { 40 if (!EVP_DigestInit_ex(s->s3->handshake_hash, md, NULL)) {
41 SSLerror(s, ERR_R_EVP_LIB); 41 SSLerror(s, ERR_R_EVP_LIB);
42 goto err; 42 goto err;
43 } 43 }
@@ -62,10 +62,10 @@ tls1_transcript_hash_init(SSL *s)
62int 62int
63tls1_transcript_hash_update(SSL *s, const unsigned char *buf, size_t len) 63tls1_transcript_hash_update(SSL *s, const unsigned char *buf, size_t len)
64{ 64{
65 if (S3I(s)->handshake_hash == NULL) 65 if (s->s3->handshake_hash == NULL)
66 return 1; 66 return 1;
67 67
68 return EVP_DigestUpdate(S3I(s)->handshake_hash, buf, len); 68 return EVP_DigestUpdate(s->s3->handshake_hash, buf, len);
69} 69}
70 70
71int 71int
@@ -76,17 +76,17 @@ tls1_transcript_hash_value(SSL *s, const unsigned char *out, size_t len,
76 unsigned int mdlen; 76 unsigned int mdlen;
77 int ret = 0; 77 int ret = 0;
78 78
79 if (S3I(s)->handshake_hash == NULL) 79 if (s->s3->handshake_hash == NULL)
80 goto err; 80 goto err;
81 81
82 if (EVP_MD_CTX_size(S3I(s)->handshake_hash) > len) 82 if (EVP_MD_CTX_size(s->s3->handshake_hash) > len)
83 goto err; 83 goto err;
84 84
85 if ((mdctx = EVP_MD_CTX_new()) == NULL) { 85 if ((mdctx = EVP_MD_CTX_new()) == NULL) {
86 SSLerror(s, ERR_R_MALLOC_FAILURE); 86 SSLerror(s, ERR_R_MALLOC_FAILURE);
87 goto err; 87 goto err;
88 } 88 }
89 if (!EVP_MD_CTX_copy_ex(mdctx, S3I(s)->handshake_hash)) { 89 if (!EVP_MD_CTX_copy_ex(mdctx, s->s3->handshake_hash)) {
90 SSLerror(s, ERR_R_EVP_LIB); 90 SSLerror(s, ERR_R_EVP_LIB);
91 goto err; 91 goto err;
92 } 92 }
@@ -108,17 +108,17 @@ tls1_transcript_hash_value(SSL *s, const unsigned char *out, size_t len,
108void 108void
109tls1_transcript_hash_free(SSL *s) 109tls1_transcript_hash_free(SSL *s)
110{ 110{
111 EVP_MD_CTX_free(S3I(s)->handshake_hash); 111 EVP_MD_CTX_free(s->s3->handshake_hash);
112 S3I(s)->handshake_hash = NULL; 112 s->s3->handshake_hash = NULL;
113} 113}
114 114
115int 115int
116tls1_transcript_init(SSL *s) 116tls1_transcript_init(SSL *s)
117{ 117{
118 if (S3I(s)->handshake_transcript != NULL) 118 if (s->s3->handshake_transcript != NULL)
119 return 0; 119 return 0;
120 120
121 if ((S3I(s)->handshake_transcript = BUF_MEM_new()) == NULL) 121 if ((s->s3->handshake_transcript = BUF_MEM_new()) == NULL)
122 return 0; 122 return 0;
123 123
124 tls1_transcript_reset(s); 124 tls1_transcript_reset(s);
@@ -129,8 +129,8 @@ tls1_transcript_init(SSL *s)
129void 129void
130tls1_transcript_free(SSL *s) 130tls1_transcript_free(SSL *s)
131{ 131{
132 BUF_MEM_free(S3I(s)->handshake_transcript); 132 BUF_MEM_free(s->s3->handshake_transcript);
133 S3I(s)->handshake_transcript = NULL; 133 s->s3->handshake_transcript = NULL;
134} 134}
135 135
136void 136void
@@ -143,7 +143,7 @@ tls1_transcript_reset(SSL *s)
143 * or if it failed (and returned zero)... our implementation never 143 * or if it failed (and returned zero)... our implementation never
144 * fails with a length of zero, so we trust all is okay... 144 * fails with a length of zero, so we trust all is okay...
145 */ 145 */
146 (void)BUF_MEM_grow_clean(S3I(s)->handshake_transcript, 0); 146 (void)BUF_MEM_grow_clean(s->s3->handshake_transcript, 0);
147 147
148 tls1_transcript_unfreeze(s); 148 tls1_transcript_unfreeze(s);
149} 149}
@@ -153,22 +153,22 @@ tls1_transcript_append(SSL *s, const unsigned char *buf, size_t len)
153{ 153{
154 size_t olen, nlen; 154 size_t olen, nlen;
155 155
156 if (S3I(s)->handshake_transcript == NULL) 156 if (s->s3->handshake_transcript == NULL)
157 return 1; 157 return 1;
158 158
159 if (s->s3->flags & TLS1_FLAGS_FREEZE_TRANSCRIPT) 159 if (s->s3->flags & TLS1_FLAGS_FREEZE_TRANSCRIPT)
160 return 1; 160 return 1;
161 161
162 olen = S3I(s)->handshake_transcript->length; 162 olen = s->s3->handshake_transcript->length;
163 nlen = olen + len; 163 nlen = olen + len;
164 164
165 if (nlen < olen) 165 if (nlen < olen)
166 return 0; 166 return 0;
167 167
168 if (BUF_MEM_grow(S3I(s)->handshake_transcript, nlen) == 0) 168 if (BUF_MEM_grow(s->s3->handshake_transcript, nlen) == 0)
169 return 0; 169 return 0;
170 170
171 memcpy(S3I(s)->handshake_transcript->data + olen, buf, len); 171 memcpy(s->s3->handshake_transcript->data + olen, buf, len);
172 172
173 return 1; 173 return 1;
174} 174}
@@ -176,11 +176,11 @@ tls1_transcript_append(SSL *s, const unsigned char *buf, size_t len)
176int 176int
177tls1_transcript_data(SSL *s, const unsigned char **data, size_t *len) 177tls1_transcript_data(SSL *s, const unsigned char **data, size_t *len)
178{ 178{
179 if (S3I(s)->handshake_transcript == NULL) 179 if (s->s3->handshake_transcript == NULL)
180 return 0; 180 return 0;
181 181
182 *data = S3I(s)->handshake_transcript->data; 182 *data = s->s3->handshake_transcript->data;
183 *len = S3I(s)->handshake_transcript->length; 183 *len = s->s3->handshake_transcript->length;
184 184
185 return 1; 185 return 1;
186} 186}
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
index b5834dbe33..4069670dc9 100644
--- a/src/lib/libssl/ssl_versions.c
+++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_versions.c,v 1.21 2021/10/23 14:40:54 jsing Exp $ */ 1/* $OpenBSD: ssl_versions.c,v 1.22 2022/02/05 14:54:10 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -224,10 +224,10 @@ ssl_tls_version(uint16_t version)
224uint16_t 224uint16_t
225ssl_effective_tls_version(SSL *s) 225ssl_effective_tls_version(SSL *s)
226{ 226{
227 if (S3I(s)->hs.negotiated_tls_version > 0) 227 if (s->s3->hs.negotiated_tls_version > 0)
228 return S3I(s)->hs.negotiated_tls_version; 228 return s->s3->hs.negotiated_tls_version;
229 229
230 return S3I(s)->hs.our_max_tls_version; 230 return s->s3->hs.our_max_tls_version;
231} 231}
232 232
233int 233int
@@ -255,7 +255,7 @@ ssl_max_legacy_version(SSL *s, uint16_t *max_ver)
255{ 255{
256 uint16_t max_version; 256 uint16_t max_version;
257 257
258 if ((max_version = S3I(s)->hs.our_max_tls_version) > TLS1_2_VERSION) 258 if ((max_version = s->s3->hs.our_max_tls_version) > TLS1_2_VERSION)
259 max_version = TLS1_2_VERSION; 259 max_version = TLS1_2_VERSION;
260 260
261 if (SSL_is_dtls(s)) { 261 if (SSL_is_dtls(s)) {
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index a63da9c263..c996159a47 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_enc.c,v 1.153 2021/12/09 17:54:41 tb Exp $ */ 1/* $OpenBSD: t1_enc.c,v 1.154 2022/02/05 14:54:10 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -149,8 +149,8 @@
149void 149void
150tls1_cleanup_key_block(SSL *s) 150tls1_cleanup_key_block(SSL *s)
151{ 151{
152 tls12_key_block_free(S3I(s)->hs.tls12.key_block); 152 tls12_key_block_free(s->s3->hs.tls12.key_block);
153 S3I(s)->hs.tls12.key_block = NULL; 153 s->s3->hs.tls12.key_block = NULL;
154} 154}
155 155
156/* 156/*
@@ -303,10 +303,10 @@ tls1_change_cipher_state(SSL *s, int is_write)
303 303
304 /* Use client write keys on client write and server read. */ 304 /* Use client write keys on client write and server read. */
305 if ((!s->server && is_write) || (s->server && !is_write)) { 305 if ((!s->server && is_write) || (s->server && !is_write)) {
306 tls12_key_block_client_write(S3I(s)->hs.tls12.key_block, 306 tls12_key_block_client_write(s->s3->hs.tls12.key_block,
307 &mac_key, &key, &iv); 307 &mac_key, &key, &iv);
308 } else { 308 } else {
309 tls12_key_block_server_write(S3I(s)->hs.tls12.key_block, 309 tls12_key_block_server_write(s->s3->hs.tls12.key_block,
310 &mac_key, &key, &iv); 310 &mac_key, &key, &iv);
311 } 311 }
312 312
@@ -354,7 +354,7 @@ tls1_setup_key_block(SSL *s)
354 * XXX - callers should be changed so that they only call this 354 * XXX - callers should be changed so that they only call this
355 * function once. 355 * function once.
356 */ 356 */
357 if (S3I(s)->hs.tls12.key_block != NULL) 357 if (s->s3->hs.tls12.key_block != NULL)
358 return (1); 358 return (1);
359 359
360 if (s->session->cipher && 360 if (s->session->cipher &&
@@ -384,7 +384,7 @@ tls1_setup_key_block(SSL *s)
384 if (!tls12_key_block_generate(key_block, s, aead, cipher, mac_hash)) 384 if (!tls12_key_block_generate(key_block, s, aead, cipher, mac_hash))
385 goto err; 385 goto err;
386 386
387 S3I(s)->hs.tls12.key_block = key_block; 387 s->s3->hs.tls12.key_block = key_block;
388 key_block = NULL; 388 key_block = NULL;
389 389
390 if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) && 390 if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) &&
@@ -393,15 +393,15 @@ tls1_setup_key_block(SSL *s)
393 * Enable vulnerability countermeasure for CBC ciphers with 393 * Enable vulnerability countermeasure for CBC ciphers with
394 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) 394 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
395 */ 395 */
396 S3I(s)->need_empty_fragments = 1; 396 s->s3->need_empty_fragments = 1;
397 397
398 if (s->session->cipher != NULL) { 398 if (s->session->cipher != NULL) {
399 if (s->session->cipher->algorithm_enc == SSL_eNULL) 399 if (s->session->cipher->algorithm_enc == SSL_eNULL)
400 S3I(s)->need_empty_fragments = 0; 400 s->s3->need_empty_fragments = 0;
401 401
402#ifndef OPENSSL_NO_RC4 402#ifndef OPENSSL_NO_RC4
403 if (s->session->cipher->algorithm_enc == SSL_RC4) 403 if (s->session->cipher->algorithm_enc == SSL_RC4)
404 S3I(s)->need_empty_fragments = 0; 404 s->s3->need_empty_fragments = 0;
405#endif 405#endif
406 } 406 }
407 } 407 }
diff --git a/src/lib/libssl/tls12_lib.c b/src/lib/libssl/tls12_lib.c
index f30f3a7b46..773ba30bd0 100644
--- a/src/lib/libssl/tls12_lib.c
+++ b/src/lib/libssl/tls12_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls12_lib.c,v 1.3 2021/05/02 15:57:29 jsing Exp $ */ 1/* $OpenBSD: tls12_lib.c,v 1.4 2022/02/05 14:54:10 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -71,12 +71,12 @@ tls12_derive_finished(SSL *s)
71{ 71{
72 if (!s->server) { 72 if (!s->server) {
73 return tls12_client_finished_verify_data(s, 73 return tls12_client_finished_verify_data(s,
74 S3I(s)->hs.finished, sizeof(S3I(s)->hs.finished), 74 s->s3->hs.finished, sizeof(s->s3->hs.finished),
75 &S3I(s)->hs.finished_len); 75 &s->s3->hs.finished_len);
76 } else { 76 } else {
77 return tls12_server_finished_verify_data(s, 77 return tls12_server_finished_verify_data(s,
78 S3I(s)->hs.finished, sizeof(S3I(s)->hs.finished), 78 s->s3->hs.finished, sizeof(s->s3->hs.finished),
79 &S3I(s)->hs.finished_len); 79 &s->s3->hs.finished_len);
80 } 80 }
81} 81}
82 82
@@ -85,12 +85,12 @@ tls12_derive_peer_finished(SSL *s)
85{ 85{
86 if (s->server) { 86 if (s->server) {
87 return tls12_client_finished_verify_data(s, 87 return tls12_client_finished_verify_data(s,
88 S3I(s)->hs.peer_finished, sizeof(S3I(s)->hs.peer_finished), 88 s->s3->hs.peer_finished, sizeof(s->s3->hs.peer_finished),
89 &S3I(s)->hs.peer_finished_len); 89 &s->s3->hs.peer_finished_len);
90 } else { 90 } else {
91 return tls12_server_finished_verify_data(s, 91 return tls12_server_finished_verify_data(s,
92 S3I(s)->hs.peer_finished, sizeof(S3I(s)->hs.peer_finished), 92 s->s3->hs.peer_finished, sizeof(s->s3->hs.peer_finished),
93 &S3I(s)->hs.peer_finished_len); 93 &s->s3->hs.peer_finished_len);
94 } 94 }
95} 95}
96 96
diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c
index a62e936ccb..0379c978e9 100644
--- a/src/lib/libssl/tls13_legacy.c
+++ b/src/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_legacy.c,v 1.35 2022/01/25 15:00:09 tb Exp $ */ 1/* $OpenBSD: tls13_legacy.c,v 1.36 2022/02/05 14:54:10 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -127,7 +127,7 @@ tls13_legacy_error(SSL *ssl)
127 int reason = SSL_R_UNKNOWN; 127 int reason = SSL_R_UNKNOWN;
128 128
129 /* If we received a fatal alert we already put an error on the stack. */ 129 /* If we received a fatal alert we already put an error on the stack. */
130 if (S3I(ssl)->fatal_alert != 0) 130 if (ssl->s3->fatal_alert != 0)
131 return; 131 return;
132 132
133 switch (ctx->error.code) { 133 switch (ctx->error.code) {
@@ -288,7 +288,7 @@ tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len)
288 * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until 288 * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until
289 * we have written out all of the requested data. 289 * we have written out all of the requested data.
290 */ 290 */
291 sent = S3I(ssl)->wnum; 291 sent = ssl->s3->wnum;
292 if (len < sent) { 292 if (len < sent) {
293 SSLerror(ssl, SSL_R_BAD_LENGTH); 293 SSLerror(ssl, SSL_R_BAD_LENGTH);
294 return -1; 294 return -1;
@@ -296,12 +296,12 @@ tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len)
296 n = len - sent; 296 n = len - sent;
297 for (;;) { 297 for (;;) {
298 if (n == 0) { 298 if (n == 0) {
299 S3I(ssl)->wnum = 0; 299 ssl->s3->wnum = 0;
300 return sent; 300 return sent;
301 } 301 }
302 if ((ret = tls13_write_application_data(ctx->rl, 302 if ((ret = tls13_write_application_data(ctx->rl,
303 &buf[sent], n)) <= 0) { 303 &buf[sent], n)) <= 0) {
304 S3I(ssl)->wnum = sent; 304 ssl->s3->wnum = sent;
305 return tls13_legacy_return_code(ssl, ret); 305 return tls13_legacy_return_code(ssl, ret);
306 } 306 }
307 sent += ret; 307 sent += ret;
@@ -330,8 +330,8 @@ tls13_use_legacy_stack(struct tls13_ctx *ctx)
330 /* Stash any unprocessed data from the last record. */ 330 /* Stash any unprocessed data from the last record. */
331 tls13_record_layer_rcontent(ctx->rl, &cbs); 331 tls13_record_layer_rcontent(ctx->rl, &cbs);
332 if (CBS_len(&cbs) > 0) { 332 if (CBS_len(&cbs) > 0) {
333 if (!CBB_init_fixed(&cbb, S3I(s)->rbuf.buf, 333 if (!CBB_init_fixed(&cbb, s->s3->rbuf.buf,
334 S3I(s)->rbuf.len)) 334 s->s3->rbuf.len))
335 goto err; 335 goto err;
336 if (!CBB_add_u8(&cbb, SSL3_RT_HANDSHAKE)) 336 if (!CBB_add_u8(&cbb, SSL3_RT_HANDSHAKE))
337 goto err; 337 goto err;
@@ -344,12 +344,12 @@ tls13_use_legacy_stack(struct tls13_ctx *ctx)
344 if (!CBB_finish(&cbb, NULL, NULL)) 344 if (!CBB_finish(&cbb, NULL, NULL))
345 goto err; 345 goto err;
346 346
347 S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH; 347 s->s3->rbuf.offset = SSL3_RT_HEADER_LENGTH;
348 S3I(s)->rbuf.left = CBS_len(&cbs); 348 s->s3->rbuf.left = CBS_len(&cbs);
349 S3I(s)->rrec.type = SSL3_RT_HANDSHAKE; 349 s->s3->rrec.type = SSL3_RT_HANDSHAKE;
350 S3I(s)->rrec.length = CBS_len(&cbs); 350 s->s3->rrec.length = CBS_len(&cbs);
351 s->internal->rstate = SSL_ST_READ_BODY; 351 s->internal->rstate = SSL_ST_READ_BODY;
352 s->internal->packet = S3I(s)->rbuf.buf; 352 s->internal->packet = s->s3->rbuf.buf;
353 s->internal->packet_length = SSL3_RT_HEADER_LENGTH; 353 s->internal->packet_length = SSL3_RT_HEADER_LENGTH;
354 s->internal->mac_packet = 1; 354 s->internal->mac_packet = 1;
355 } 355 }
@@ -362,9 +362,9 @@ tls13_use_legacy_stack(struct tls13_ctx *ctx)
362 s->internal->init_buf->length, NULL)) 362 s->internal->init_buf->length, NULL))
363 goto err; 363 goto err;
364 364
365 S3I(s)->hs.tls12.reuse_message = 1; 365 s->s3->hs.tls12.reuse_message = 1;
366 S3I(s)->hs.tls12.message_type = tls13_handshake_msg_type(ctx->hs_msg); 366 s->s3->hs.tls12.message_type = tls13_handshake_msg_type(ctx->hs_msg);
367 S3I(s)->hs.tls12.message_size = CBS_len(&cbs) - SSL3_HM_HEADER_LENGTH; 367 s->s3->hs.tls12.message_size = CBS_len(&cbs) - SSL3_HM_HEADER_LENGTH;
368 368
369 return 1; 369 return 1;
370 370
@@ -416,7 +416,7 @@ tls13_legacy_accept(SSL *ssl)
416 } 416 }
417 ssl->internal->tls13 = ctx; 417 ssl->internal->tls13 = ctx;
418 ctx->ssl = ssl; 418 ctx->ssl = ssl;
419 ctx->hs = &S3I(ssl)->hs; 419 ctx->hs = &ssl->s3->hs;
420 420
421 if (!tls13_server_init(ctx)) { 421 if (!tls13_server_init(ctx)) {
422 if (ERR_peek_error() == 0) 422 if (ERR_peek_error() == 0)
@@ -452,7 +452,7 @@ tls13_legacy_connect(SSL *ssl)
452 } 452 }
453 ssl->internal->tls13 = ctx; 453 ssl->internal->tls13 = ctx;
454 ctx->ssl = ssl; 454 ctx->ssl = ssl;
455 ctx->hs = &S3I(ssl)->hs; 455 ctx->hs = &ssl->s3->hs;
456 456
457 if (!tls13_client_init(ctx)) { 457 if (!tls13_client_init(ctx)) {
458 if (ERR_peek_error() == 0) 458 if (ERR_peek_error() == 0)
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 1a9596adca..20d3a38412 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_lib.c,v 1.62 2021/09/16 19:25:30 jsing Exp $ */ 1/* $OpenBSD: tls13_lib.c,v 1.63 2022/02/05 14:54:10 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2019 Bob Beck <beck@openbsd.org> 4 * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -111,7 +111,7 @@ tls13_alert_received_cb(uint8_t alert_desc, void *arg)
111 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { 111 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
112 ctx->close_notify_recv = 1; 112 ctx->close_notify_recv = 1;
113 ctx->ssl->internal->shutdown |= SSL_RECEIVED_SHUTDOWN; 113 ctx->ssl->internal->shutdown |= SSL_RECEIVED_SHUTDOWN;
114 S3I(ctx->ssl)->warn_alert = alert_desc; 114 ctx->ssl->s3->warn_alert = alert_desc;
115 return; 115 return;
116 } 116 }
117 117
@@ -124,7 +124,7 @@ tls13_alert_received_cb(uint8_t alert_desc, void *arg)
124 } 124 }
125 125
126 /* All other alerts are treated as fatal in TLSv1.3. */ 126 /* All other alerts are treated as fatal in TLSv1.3. */
127 S3I(ctx->ssl)->fatal_alert = alert_desc; 127 ctx->ssl->s3->fatal_alert = alert_desc;
128 128
129 SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc); 129 SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
130 ERR_asprintf_error_data("SSL alert number %d", alert_desc); 130 ERR_asprintf_error_data("SSL alert number %d", alert_desc);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-05 20:16:09 +0000