Move the TLSv1.3 handshake struct inside the shared handshake struct.

There are currently three different handshake structs that are in use - the SSL_HANDSHAKE struct (as S3I(s)->hs), the SSL_HANDSHAKE_TLS13 struct (as S3I(s)->hs_tls13 or ctx->hs in the TLSv1.3 code) and the infamous 'tmp' embedded in SSL3_STATE_INTERNAL (as S3I(s)->tmp)). This is the first step towards cleaning up the handshake structs so that shared data is in the SSL_HANDSHAKE struct, with sub-structs for TLSv1.2 and TLSv1.3 specific information. Place SSL_HANDSHAKE_TLS13 inside SSL_HANDSHAKE and change ctx->hs to refer to the SSL_HANDSHAKE struct instead of the SSL_HANDSHAKE_TLS13 struct. This allows the TLSv1.3 code to access the shared handshake data without needing the SSL struct. ok inoguchi@ tb@
author: jsing <> 2021-03-21 18:36:34 +0000
committer: jsing <> 2021-03-21 18:36:34 +0000
commit: b4267956efe26acca04e81248b224852ab3b48df (patch)
tree: 04368005066ac217cbc5ba4c6633356e81eb6d00 /src
parent: 25064bbd608cffa42b7bf46d3ea7eeb88d693de4 (diff)
download: openbsd-b4267956efe26acca04e81248b224852ab3b48df.tar.gz
openbsd-b4267956efe26acca04e81248b224852ab3b48df.tar.bz2
openbsd-b4267956efe26acca04e81248b224852ab3b48df.zip
9 files changed, 227 insertions, 226 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 75f71c4c7d..5e39907d9c 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.204 2021/02/07 15:26:32 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.205 2021/03/21 18:36:34 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1565,10 +1565,10 @@ ssl3_free(SSL *s)
        EC_KEY_free(S3I(s)->tmp.ecdh);
        freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
-        tls13_key_share_free(S3I(s)->hs_tls13.key_share);
+        tls13_key_share_free(S3I(s)->hs.tls13.key_share);
-        tls13_secrets_destroy(S3I(s)->hs_tls13.secrets);
+        tls13_secrets_destroy(S3I(s)->hs.tls13.secrets);
-        freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
+        freezero(S3I(s)->hs.tls13.cookie, S3I(s)->hs.tls13.cookie_len);
-        tls13_clienthello_hash_clear(&S3I(s)->hs_tls13);
+        tls13_clienthello_hash_clear(&S3I(s)->hs.tls13);
        sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
@@ -1605,15 +1605,15 @@ ssl3_clear(SSL *s)
        S3I(s)->hs.sigalgs = NULL;
        S3I(s)->hs.sigalgs_len = 0;
-        tls13_key_share_free(S3I(s)->hs_tls13.key_share);
+        tls13_key_share_free(S3I(s)->hs.tls13.key_share);
-        S3I(s)->hs_tls13.key_share = NULL;
+        S3I(s)->hs.tls13.key_share = NULL;
-        tls13_secrets_destroy(S3I(s)->hs_tls13.secrets);
+        tls13_secrets_destroy(S3I(s)->hs.tls13.secrets);
-        S3I(s)->hs_tls13.secrets = NULL;
+        S3I(s)->hs.tls13.secrets = NULL;
-        freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
+        freezero(S3I(s)->hs.tls13.cookie, S3I(s)->hs.tls13.cookie_len);
-        S3I(s)->hs_tls13.cookie = NULL;
+        S3I(s)->hs.tls13.cookie = NULL;
-        S3I(s)->hs_tls13.cookie_len = 0;
+        S3I(s)->hs.tls13.cookie_len = 0;
-        tls13_clienthello_hash_clear(&S3I(s)->hs_tls13);
+        tls13_clienthello_hash_clear(&S3I(s)->hs.tls13);
        S3I(s)->hs.extensions_seen = 0;
@@ -1678,8 +1678,8 @@ _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key)
        } else if (sc->peer_x25519_tmp != NULL) {
                if (!ssl_kex_dummy_ecdhe_x25519(pkey))
                        goto err;
-        } else if (S3I(s)->hs_tls13.key_share != NULL) {
+        } else if (S3I(s)->hs.tls13.key_share != NULL) {
-                if (!tls13_key_share_peer_pkey(S3I(s)->hs_tls13.key_share,
+                if (!tls13_key_share_peer_pkey(S3I(s)->hs.tls13.key_share,
                    pkey))
                        goto err;
        } else {
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 99b72cc65e..33eb3bba7d 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.327 2021/03/17 17:42:53 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.328 2021/03/21 18:36:34 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -410,6 +410,44 @@ typedef struct ssl_session_internal_st {
 } SSL_SESSION_INTERNAL;
 #define SSI(s) (s->session->internal)
+typedef struct cert_pkey_st {
+        X509 *x509;
+        EVP_PKEY *privatekey;
+        STACK_OF(X509) *chain;
+} CERT_PKEY;
+typedef struct ssl_handshake_tls13_st {
+        int use_legacy;
+        int hrr;
+        /* Certificate and sigalg selected for use (static pointers). */
+        const CERT_PKEY *cpk;
+        const struct ssl_sigalg *sigalg;
+        /* Version proposed by peer server. */
+        uint16_t server_version;
+        uint16_t server_group;
+        struct tls13_key_share *key_share;
+        struct tls13_secrets *secrets;
+        uint8_t *cookie;
+        size_t cookie_len;
+        /* Preserved transcript hash. */
+        uint8_t transcript_hash[EVP_MAX_MD_SIZE];
+        size_t transcript_hash_len;
+        /* Legacy session ID. */
+        uint8_t legacy_session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
+        size_t legacy_session_id_len;
+        /* ClientHello hash, used to validate following HelloRetryRequest */
+        EVP_MD_CTX *clienthello_md_ctx;
+        unsigned char *clienthello_hash;
+        unsigned int clienthello_hash_len;
+} SSL_HANDSHAKE_TLS13;
 typedef struct ssl_handshake_st {
        /*
         * Minimum and maximum versions supported for this handshake. These are
@@ -428,6 +466,8 @@ typedef struct ssl_handshake_st {
         */
        uint16_t negotiated_tls_version;
+        SSL_HANDSHAKE_TLS13 tls13;
        /* state contains one of the SSL3_ST_* values. */
        int state;
@@ -449,44 +489,6 @@ typedef struct ssl_handshake_st {
        uint8_t *sigalgs;
 } SSL_HANDSHAKE;
-typedef struct cert_pkey_st {
-        X509 *x509;
-        EVP_PKEY *privatekey;
-        STACK_OF(X509) *chain;
-} CERT_PKEY;
-typedef struct ssl_handshake_tls13_st {
-        int use_legacy;
-        int hrr;
-        /* Certificate and sigalg selected for use (static pointers). */
-        const CERT_PKEY *cpk;
-        const struct ssl_sigalg *sigalg;
-        /* Version proposed by peer server. */
-        uint16_t server_version;
-        uint16_t server_group;
-        struct tls13_key_share *key_share;
-        struct tls13_secrets *secrets;
-        uint8_t *cookie;
-        size_t cookie_len;
-        /* Preserved transcript hash. */
-        uint8_t transcript_hash[EVP_MAX_MD_SIZE];
-        size_t transcript_hash_len;
-        /* Legacy session ID. */
-        uint8_t legacy_session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
-        size_t legacy_session_id_len;
-        /* ClientHello hash, used to validate following HelloRetryRequest */
-        EVP_MD_CTX *clienthello_md_ctx;
-        unsigned char *clienthello_hash;
-        unsigned int clienthello_hash_len;
-} SSL_HANDSHAKE_TLS13;
 struct tls12_record_layer;
 struct tls12_record_layer *tls12_record_layer_new(void);
@@ -907,7 +909,6 @@ typedef struct ssl3_state_internal_st {
        int in_read_app_data;
        SSL_HANDSHAKE hs;
-        SSL_HANDSHAKE_TLS13 hs_tls13;
        struct  {
                unsigned char cert_verify_md[EVP_MAX_MD_SIZE];
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 4f4a39d4bb..5ffab919a2 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.87 2021/03/10 18:27:02 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.88 2021/03/21 18:36:34 jsing Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -226,7 +226,7 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
                uint16_t *groups;
                int i;
-                if (S3I(s)->hs_tls13.hrr) {
+                if (S3I(s)->hs.tls13.hrr) {
                        if (SSI(s)->tlsext_supportedgroups == NULL) {
                                *alert = SSL_AD_HANDSHAKE_FAILURE;
                                return 0;
@@ -759,7 +759,7 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                goto err;
        }
-        if (s->internal->hit || S3I(s)->hs_tls13.hrr) {
+        if (s->internal->hit || S3I(s)->hs.tls13.hrr) {
                if (s->session->tlsext_hostname == NULL) {
                        *alert = TLS1_AD_UNRECOGNIZED_NAME;
                        goto err;
@@ -1416,7 +1416,7 @@ tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
        if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
                return 0;
-        if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share,
+        if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share,
            &client_shares))
                return 0;
@@ -1454,7 +1454,7 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                 */
                if (S3I(s)->hs.our_max_tls_version < TLS1_3_VERSION)
                        continue;
-                if (S3I(s)->hs_tls13.key_share != NULL)
+                if (S3I(s)->hs.tls13.key_share != NULL)
                        continue;
                /* XXX - consider implementing server preference. */
@@ -1462,10 +1462,10 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                        continue;
                /* Decode and store the selected key share. */
-                S3I(s)->hs_tls13.key_share = tls13_key_share_new(group);
+                S3I(s)->hs.tls13.key_share = tls13_key_share_new(group);
-                if (S3I(s)->hs_tls13.key_share == NULL)
+                if (S3I(s)->hs.tls13.key_share == NULL)
                        goto err;
-                if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share,
+                if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share,
                    group, &key_exchange))
                        goto err;
        }
@@ -1488,16 +1488,16 @@ int
 tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
 {
        /* In the case of a HRR, we only send the server selected group. */
-        if (S3I(s)->hs_tls13.hrr) {
+        if (S3I(s)->hs.tls13.hrr) {
-                if (S3I(s)->hs_tls13.server_group == 0)
+                if (S3I(s)->hs.tls13.server_group == 0)
                        return 0;
-                return CBB_add_u16(cbb, S3I(s)->hs_tls13.server_group);
+                return CBB_add_u16(cbb, S3I(s)->hs.tls13.server_group);
        }
-        if (S3I(s)->hs_tls13.key_share == NULL)
+        if (S3I(s)->hs.tls13.key_share == NULL)
                return 0;
-        if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share, cbb))
+        if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share, cbb))
                return 0;
        return 1;
@@ -1516,17 +1516,17 @@ tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
        if (CBS_len(cbs) == 0) {
                /* HRR does not include an actual key share. */
                /* XXX - we should know that we are in a HRR... */
-                S3I(s)->hs_tls13.server_group = group;
+                S3I(s)->hs.tls13.server_group = group;
                return 1;
        }
        if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
                return 0;
-        if (S3I(s)->hs_tls13.key_share == NULL)
+        if (S3I(s)->hs.tls13.key_share == NULL)
                return 0;
-        if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share,
+        if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share,
            group, &key_exchange))
                goto err;
@@ -1639,7 +1639,7 @@ tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
        }
        /* XXX test between min and max once initialization code goes in */
-        S3I(s)->hs_tls13.server_version = selected_version;
+        S3I(s)->hs.tls13.server_version = selected_version;
        return 1;
 }
@@ -1653,7 +1653,7 @@ int
 tlsext_cookie_client_needs(SSL *s, uint16_t msg_type)
 {
        return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION &&
-            S3I(s)->hs_tls13.cookie_len > 0 && S3I(s)->hs_tls13.cookie != NULL);
+            S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL);
 }
 int
@@ -1664,8 +1664,8 @@ tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
        if (!CBB_add_u16_length_prefixed(cbb, &cookie))
                return 0;
-        if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
+        if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie,
-            S3I(s)->hs_tls13.cookie_len))
+            S3I(s)->hs.tls13.cookie_len))
                return 0;
        if (!CBB_flush(cbb))
@@ -1682,7 +1682,7 @@ tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
        if (!CBS_get_u16_length_prefixed(cbs, &cookie))
                goto err;
-        if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len)
+        if (CBS_len(&cookie) != S3I(s)->hs.tls13.cookie_len)
                goto err;
        /*
@@ -1690,8 +1690,8 @@ tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
         * sent - client *MUST* send the same cookie with new CR after
         * a cookie is sent by the server with an HRR.
         */
-        if (!CBS_mem_equal(&cookie, S3I(s)->hs_tls13.cookie,
+        if (!CBS_mem_equal(&cookie, S3I(s)->hs.tls13.cookie,
-            S3I(s)->hs_tls13.cookie_len)) {
+            S3I(s)->hs.tls13.cookie_len)) {
                /* XXX special cookie mismatch alert? */
                *alert = SSL_AD_ILLEGAL_PARAMETER;
                return 0;
@@ -1712,7 +1712,7 @@ tlsext_cookie_server_needs(SSL *s, uint16_t msg_type)
         * in order to send one, should only be sent with HRR.
         */
        return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION &&
-            S3I(s)->hs_tls13.cookie_len > 0 && S3I(s)->hs_tls13.cookie != NULL);
+            S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL);
 }
 int
@@ -1725,8 +1725,8 @@ tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
        if (!CBB_add_u16_length_prefixed(cbb, &cookie))
                return 0;
-        if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
+        if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie,
-            S3I(s)->hs_tls13.cookie_len))
+            S3I(s)->hs.tls13.cookie_len))
                return 0;
        if (!CBB_flush(cbb))
@@ -1745,8 +1745,8 @@ tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
         * HRR from a server with a cookie to process after accepting
         * one from the server in the same handshake
         */
-        if (S3I(s)->hs_tls13.cookie != NULL ||
+        if (S3I(s)->hs.tls13.cookie != NULL ||
-            S3I(s)->hs_tls13.cookie_len != 0) {
+            S3I(s)->hs.tls13.cookie_len != 0) {
                *alert = SSL_AD_ILLEGAL_PARAMETER;
                return 0;
        }
@@ -1754,8 +1754,8 @@ tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
        if (!CBS_get_u16_length_prefixed(cbs, &cookie))
                goto err;
-        if (!CBS_stow(&cookie, &S3I(s)->hs_tls13.cookie,
+        if (!CBS_stow(&cookie, &S3I(s)->hs.tls13.cookie,
-            &S3I(s)->hs_tls13.cookie_len))
+            &S3I(s)->hs.tls13.cookie_len))
                goto err;
        return 1;
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 4de3d3693b..0f3d435c94 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.74 2021/03/10 18:27:02 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.75 2021/03/21 18:36:34 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -31,12 +31,12 @@ tls13_client_init(struct tls13_ctx *ctx)
        size_t groups_len;
        SSL *s = ctx->ssl;
-        if (!ssl_supported_tls_version_range(s, &S3I(s)->hs.our_min_tls_version,
+        if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version,
-            &S3I(s)->hs.our_max_tls_version)) {
+            &ctx->hs->our_max_tls_version)) {
                SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
                return 0;
        }
-        s->client_version = s->version = S3I(s)->hs.our_max_tls_version;
+        s->client_version = s->version = ctx->hs->our_max_tls_version;
        tls13_record_layer_set_retry_after_phh(ctx->rl,
            (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
@@ -51,9 +51,9 @@ tls13_client_init(struct tls13_ctx *ctx)
        tls1_get_group_list(s, 0, &groups, &groups_len);
        if (groups_len < 1)
                return 0;
-        if ((ctx->hs->key_share = tls13_key_share_new(groups[0])) == NULL)
+        if ((ctx->hs->tls13.key_share = tls13_key_share_new(groups[0])) == NULL)
                return 0;
-        if (!tls13_key_share_generate(ctx->hs->key_share))
+        if (!tls13_key_share_generate(ctx->hs->tls13.key_share))
                return 0;
        arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
@@ -65,11 +65,11 @@ tls13_client_init(struct tls13_ctx *ctx)
         * Appendix D.4). In the pre-TLSv1.3 case a zero length value is used.
         */
        if (ctx->middlebox_compat &&
-            S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION) {
+            ctx->hs->our_max_tls_version >= TLS1_3_VERSION) {
-                arc4random_buf(ctx->hs->legacy_session_id,
+                arc4random_buf(ctx->hs->tls13.legacy_session_id,
-                    sizeof(ctx->hs->legacy_session_id));
+                    sizeof(ctx->hs->tls13.legacy_session_id));
-                ctx->hs->legacy_session_id_len =
+                ctx->hs->tls13.legacy_session_id_len =
-                    sizeof(ctx->hs->legacy_session_id);
+                    sizeof(ctx->hs->tls13.legacy_session_id);
        }
        return 1;
@@ -92,7 +92,7 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
        SSL *s = ctx->ssl;
        /* Legacy client version is capped at TLS 1.2. */
-        client_version = S3I(s)->hs.our_max_tls_version;
+        client_version = ctx->hs->our_max_tls_version;
        if (client_version > TLS1_2_VERSION)
                client_version = TLS1_2_VERSION;
@@ -103,8 +103,8 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
        if (!CBB_add_u8_length_prefixed(cbb, &session_id))
                goto err;
-        if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id,
+        if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
-            ctx->hs->legacy_session_id_len))
+            ctx->hs->tls13.legacy_session_id_len))
                goto err;
        if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites))
@@ -134,9 +134,7 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
 int
 tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-        SSL *s = ctx->ssl;
+        if (ctx->hs->our_min_tls_version < TLS1_2_VERSION)
-        if (S3I(s)->hs.our_min_tls_version < TLS1_2_VERSION)
                tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION);
        /* We may receive a pre-TLSv1.3 alert in response to the client hello. */
@@ -231,7 +229,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                goto err;
        if (tls13_server_hello_is_legacy(cbs)) {
-                if (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION) {
+                if (ctx->hs->our_max_tls_version >= TLS1_3_VERSION) {
                        /*
                         * RFC 8446 section 4.1.3: we must not downgrade if
                         * the server random value contains the TLS 1.2 or 1.1
@@ -252,7 +250,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                if (!CBS_skip(cbs, CBS_len(cbs)))
                        goto err;
-                ctx->hs->use_legacy = 1;
+                ctx->hs->tls13.use_legacy = 1;
                return 1;
        }
@@ -265,7 +263,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
        if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,
            sizeof(tls13_hello_retry_request_hash))) {
                tlsext_msg_type = SSL_TLSEXT_MSG_HRR;
-                ctx->hs->hrr = 1;
+                ctx->hs->tls13.hrr = 1;
        }
        if (!tlsext_client_parse(s, tlsext_msg_type, cbs, &alert_desc)) {
@@ -278,16 +276,16 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
         * Ensure that it was 0x0304 and that legacy version is set to 0x0303
         * (RFC 8446 section 4.2.1).
         */
-        if (ctx->hs->server_version != TLS1_3_VERSION ||
+        if (ctx->hs->tls13.server_version != TLS1_3_VERSION ||
            legacy_version != TLS1_2_VERSION) {
                ctx->alert = TLS13_ALERT_PROTOCOL_VERSION;
                goto err;
        }
-        S3I(s)->hs.negotiated_tls_version = ctx->hs->server_version;
+        ctx->hs->negotiated_tls_version = ctx->hs->tls13.server_version;
        /* The session_id must match. */
-        if (!CBS_mem_equal(&session_id, ctx->hs->legacy_session_id,
+        if (!CBS_mem_equal(&session_id, ctx->hs->tls13.legacy_session_id,
-            ctx->hs->legacy_session_id_len)) {
+            ctx->hs->tls13.legacy_session_id_len)) {
                ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
                goto err;
        }
@@ -305,8 +303,8 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
                goto err;
        }
-        /* XXX - move this to hs_tls13? */
+        /* XXX - move this to hs.tls13? */
-        S3I(s)->hs.new_cipher = cipher;
+        ctx->hs->new_cipher = cipher;
        if (compression_method != 0) {
                ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
@@ -336,21 +334,21 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx)
        /* Derive the shared key and engage record protection. */
-        if (!tls13_key_share_derive(ctx->hs->key_share, &shared_key,
+        if (!tls13_key_share_derive(ctx->hs->tls13.key_share, &shared_key,
            &shared_key_len))
                goto err;
-        s->session->cipher = S3I(s)->hs.new_cipher;
+        s->session->cipher = ctx->hs->new_cipher;
-        s->session->ssl_version = ctx->hs->server_version;
+        s->session->ssl_version = ctx->hs->tls13.server_version;
-        if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL)
+        if ((ctx->aead = tls13_cipher_aead(ctx->hs->new_cipher)) == NULL)
                goto err;
-        if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL)
+        if ((ctx->hash = tls13_cipher_hash(ctx->hs->new_cipher)) == NULL)
                goto err;
        if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
                goto err;
-        ctx->hs->secrets = secrets;
+        ctx->hs->tls13.secrets = secrets;
        /* XXX - pass in hash. */
        if (!tls1_transcript_hash_init(s))
@@ -367,7 +365,7 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx)
                goto err;
        /* Handshake secrets. */
-        if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key,
+        if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key,
            shared_key_len, &context))
                goto err;
@@ -409,10 +407,10 @@ tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs)
         * This may have been a TLSv1.2 or earlier ServerHello that just happened
         * to have matching server random...
         */
-        if (ctx->hs->use_legacy)
+        if (ctx->hs->tls13.use_legacy)
                return tls13_use_legacy_client(ctx);
-        if (!ctx->hs->hrr)
+        if (!ctx->hs->tls13.hrr)
                return 0;
        if (!tls13_synthetic_handshake_message(ctx))
@@ -420,7 +418,7 @@ tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs)
        if (!tls13_handshake_msg_record(ctx))
                return 0;
-        ctx->hs->hrr = 0;
+        ctx->hs->tls13.hrr = 0;
        return 1;
 }
@@ -433,17 +431,17 @@ tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
         * supported groups and is not the same as the key share we previously
         * offered.
         */
-        if (!tls1_check_curve(ctx->ssl, ctx->hs->server_group))
+        if (!tls1_check_curve(ctx->ssl, ctx->hs->tls13.server_group))
                return 0; /* XXX alert */
-        if (ctx->hs->server_group == tls13_key_share_group(ctx->hs->key_share))
+        if (ctx->hs->tls13.server_group == tls13_key_share_group(ctx->hs->tls13.key_share))
                return 0; /* XXX alert */
        /* Switch to new key share. */
-        tls13_key_share_free(ctx->hs->key_share);
+        tls13_key_share_free(ctx->hs->tls13.key_share);
-        if ((ctx->hs->key_share =
+        if ((ctx->hs->tls13.key_share =
-            tls13_key_share_new(ctx->hs->server_group)) == NULL)
+            tls13_key_share_new(ctx->hs->tls13.server_group)) == NULL)
                return 0;
-        if (!tls13_key_share_generate(ctx->hs->key_share))
+        if (!tls13_key_share_generate(ctx->hs->tls13.key_share))
                return 0;
        if (!tls13_client_hello_build(ctx, cbb))
@@ -470,13 +468,13 @@ tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
                        return 0;
        }
-        if (ctx->hs->use_legacy) {
+        if (ctx->hs->tls13.use_legacy) {
                if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR))
                        return 0;
                return tls13_use_legacy_client(ctx);
        }
-        if (ctx->hs->hrr) {
+        if (ctx->hs->tls13.hrr) {
                /* The server has sent two HelloRetryRequests. */
                ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
                return 0;
@@ -687,8 +685,8 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
                goto err;
        if (!CBB_add_u8(&cbb, 0))
                goto err;
-        if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash,
+        if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash,
-            ctx->hs->transcript_hash_len))
+            ctx->hs->tls13.transcript_hash_len))
                goto err;
        if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
                goto err;
@@ -738,7 +736,7 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
 int
 tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
 {
-        struct tls13_secrets *secrets = ctx->hs->secrets;
+        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
        struct tls13_secret context = { .data = "", .len = 0 };
        struct tls13_secret finished_key;
        uint8_t transcript_hash[EVP_MAX_MD_SIZE];
@@ -767,8 +765,8 @@ tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
        if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
            ctx->hash, NULL))
                goto err;
-        if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash,
+        if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash,
-            ctx->hs->transcript_hash_len))
+            ctx->hs->tls13.transcript_hash_len))
                goto err;
        verify_data_len = HMAC_size(hmac_ctx);
        if ((verify_data = calloc(1, verify_data_len)) == NULL)
@@ -900,8 +898,8 @@ tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
        if (!tls13_client_select_certificate(ctx, &cpk, &sigalg))
                goto err;
-        ctx->hs->cpk = cpk;
+        ctx->hs->tls13.cpk = cpk;
-        ctx->hs->sigalg = sigalg;
+        ctx->hs->tls13.sigalg = sigalg;
        if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context))
                goto err;
@@ -950,9 +948,9 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
        memset(&sig_cbb, 0, sizeof(sig_cbb));
-        if ((cpk = ctx->hs->cpk) == NULL)
+        if ((cpk = ctx->hs->tls13.cpk) == NULL)
                goto err;
-        if ((sigalg = ctx->hs->sigalg) == NULL)
+        if ((sigalg = ctx->hs->tls13.sigalg) == NULL)
                goto err;
        pkey = cpk->privatekey;
@@ -966,8 +964,8 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
                goto err;
        if (!CBB_add_u8(&sig_cbb, 0))
                goto err;
-        if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash,
+        if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash,
-            ctx->hs->transcript_hash_len))
+            ctx->hs->tls13.transcript_hash_len))
                goto err;
        if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len))
                goto err;
@@ -1024,7 +1022,7 @@ tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb)
 int
 tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-        struct tls13_secrets *secrets = ctx->hs->secrets;
+        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
        struct tls13_secret context = { .data = "", .len = 0 };
        struct tls13_secret finished_key = { .data = NULL, .len = 0 };
        uint8_t transcript_hash[EVP_MAX_MD_SIZE];
@@ -1082,7 +1080,7 @@ tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb)
 int
 tls13_client_finished_sent(struct tls13_ctx *ctx)
 {
-        struct tls13_secrets *secrets = ctx->hs->secrets;
+        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
        /*
         * Any records following the client finished message must be encrypted
diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c
index b3cecc77ef..c18a2dfe06 100644
--- a/src/lib/libssl/tls13_handshake.c
+++ b/src/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_handshake.c,v 1.64 2020/07/30 16:23:17 tb Exp $ */
+/*      $OpenBSD: tls13_handshake.c,v 1.65 2021/03/21 18:36:34 jsing Exp $      */
 /*
 * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -428,8 +428,9 @@ tls13_handshake_send_action(struct tls13_ctx *ctx,
        if (action->send_preserve_transcript_hash) {
                if (!tls1_transcript_hash_value(ctx->ssl,
-                    ctx->hs->transcript_hash, sizeof(ctx->hs->transcript_hash),
+                    ctx->hs->tls13.transcript_hash,
-                    &ctx->hs->transcript_hash_len))
+                    sizeof(ctx->hs->tls13.transcript_hash),
+                    &ctx->hs->tls13.transcript_hash_len))
                        return TLS13_IO_FAILURE;
        }
@@ -471,8 +472,9 @@ tls13_handshake_recv_action(struct tls13_ctx *ctx,
        if (action->recv_preserve_transcript_hash) {
                if (!tls1_transcript_hash_value(ctx->ssl,
-                    ctx->hs->transcript_hash, sizeof(ctx->hs->transcript_hash),
+                    ctx->hs->tls13.transcript_hash,
-                    &ctx->hs->transcript_hash_len))
+                    sizeof(ctx->hs->tls13.transcript_hash),
+                    &ctx->hs->tls13.transcript_hash_len))
                        return TLS13_IO_FAILURE;
        }
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index c339a8ef10..973661acc9 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.88 2021/01/05 17:40:11 tb Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.89 2021/03/21 18:36:34 jsing Exp $ */
 /*
 * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -274,7 +274,7 @@ struct tls13_ctx {
        struct tls13_error error;
        SSL *ssl;
-        struct ssl_handshake_tls13_st *hs;
+        struct ssl_handshake_st *hs;
        uint8_t mode;
        struct tls13_handshake_stage handshake_stage;
        int handshake_started;
diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c
index f611aa061d..19271ef787 100644
--- a/src/lib/libssl/tls13_legacy.c
+++ b/src/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_legacy.c,v 1.22 2021/02/25 17:06:05 jsing Exp $ */
+/*      $OpenBSD: tls13_legacy.c,v 1.23 2021/03/21 18:36:34 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -361,7 +361,7 @@ tls13_use_legacy_client(struct tls13_ctx *ctx)
        s->internal->handshake_func = s->method->internal->ssl_connect;
        s->client_version = s->version = s->method->internal->max_tls_version;
-        S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A;
+        ctx->hs->state = SSL3_ST_CR_SRVR_HELLO_A;
        return 1;
 }
@@ -378,7 +378,7 @@ tls13_use_legacy_server(struct tls13_ctx *ctx)
        s->client_version = s->version = s->method->internal->max_tls_version;
        s->server = 1;
-        S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
+        ctx->hs->state = SSL3_ST_SR_CLNT_HELLO_A;
        return 1;
 }
@@ -396,7 +396,7 @@ tls13_legacy_accept(SSL *ssl)
                }
                ssl->internal->tls13 = ctx;
                ctx->ssl = ssl;
-                ctx->hs = &S3I(ssl)->hs_tls13;
+                ctx->hs = &S3I(ssl)->hs;
                if (!tls13_server_init(ctx)) {
                        if (ERR_peek_error() == 0)
@@ -406,13 +406,13 @@ tls13_legacy_accept(SSL *ssl)
        }
        ERR_clear_error();
-        S3I(ssl)->hs.state = SSL_ST_ACCEPT;
+        ctx->hs->state = SSL_ST_ACCEPT;
        ret = tls13_server_accept(ctx);
        if (ret == TLS13_IO_USE_LEGACY)
                return ssl->method->internal->ssl_accept(ssl);
        if (ret == TLS13_IO_SUCCESS)
-                S3I(ssl)->hs.state = SSL_ST_OK;
+                ctx->hs->state = SSL_ST_OK;
        return tls13_legacy_return_code(ssl, ret);
 }
@@ -438,7 +438,7 @@ tls13_legacy_connect(SSL *ssl)
                }
                ssl->internal->tls13 = ctx;
                ctx->ssl = ssl;
-                ctx->hs = &S3I(ssl)->hs_tls13;
+                ctx->hs = &S3I(ssl)->hs;
                if (!tls13_client_init(ctx)) {
                        if (ERR_peek_error() == 0)
@@ -448,13 +448,13 @@ tls13_legacy_connect(SSL *ssl)
        }
        ERR_clear_error();
-        S3I(ssl)->hs.state = SSL_ST_CONNECT;
+        ctx->hs->state = SSL_ST_CONNECT;
        ret = tls13_client_connect(ctx);
        if (ret == TLS13_IO_USE_LEGACY)
                return ssl->method->internal->ssl_connect(ssl);
        if (ret == TLS13_IO_SUCCESS)
-                S3I(ssl)->hs.state = SSL_ST_OK;
+                ctx->hs->state = SSL_ST_OK;
        return tls13_legacy_return_code(ssl, ret);
 }
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 0b3f636b93..9dbb7d6430 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_lib.c,v 1.57 2021/03/21 16:56:42 jsing Exp $ */
+/*      $OpenBSD: tls13_lib.c,v 1.58 2021/03/21 18:36:34 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -223,7 +223,7 @@ tls13_legacy_ocsp_status_recv_cb(void *arg)
 static int
 tls13_phh_update_local_traffic_secret(struct tls13_ctx *ctx)
 {
-        struct tls13_secrets *secrets = ctx->hs->secrets;
+        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
        if (ctx->mode == TLS13_HS_CLIENT)
                return (tls13_update_client_traffic_secret(secrets) &&
@@ -237,7 +237,7 @@ tls13_phh_update_local_traffic_secret(struct tls13_ctx *ctx)
 static int
 tls13_phh_update_peer_traffic_secret(struct tls13_ctx *ctx)
 {
-        struct tls13_secrets *secrets = ctx->hs->secrets;
+        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
        if (ctx->mode == TLS13_HS_CLIENT)
                return (tls13_update_server_traffic_secret(secrets) &&
@@ -503,16 +503,16 @@ tls13_synthetic_handshake_message(struct tls13_ctx *ctx)
 int
 tls13_clienthello_hash_init(struct tls13_ctx *ctx)
 {
-        if (ctx->hs->clienthello_md_ctx != NULL)
+        if (ctx->hs->tls13.clienthello_md_ctx != NULL)
                return 0;
-        if ((ctx->hs->clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
+        if ((ctx->hs->tls13.clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
                return 0;
-        if (!EVP_DigestInit_ex(ctx->hs->clienthello_md_ctx,
+        if (!EVP_DigestInit_ex(ctx->hs->tls13.clienthello_md_ctx,
            EVP_sha256(), NULL))
                return 0;
-        if ((ctx->hs->clienthello_hash == NULL) &&
+        if ((ctx->hs->tls13.clienthello_hash == NULL) &&
-            (ctx->hs->clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
+            (ctx->hs->tls13.clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
            NULL)
                return 0;
@@ -520,7 +520,7 @@ tls13_clienthello_hash_init(struct tls13_ctx *ctx)
 }
 void
-tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs)
+tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs) /* XXX */
 {
        EVP_MD_CTX_free(hs->clienthello_md_ctx);
        hs->clienthello_md_ctx = NULL;
@@ -532,7 +532,7 @@ int
 tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data,
    size_t len)
 {
-        return EVP_DigestUpdate(ctx->hs->clienthello_md_ctx, data, len);
+        return EVP_DigestUpdate(ctx->hs->tls13.clienthello_md_ctx, data, len);
 }
 int
@@ -545,12 +545,12 @@ tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs)
 int
 tls13_clienthello_hash_finalize(struct tls13_ctx *ctx)
 {
-        if (!EVP_DigestFinal_ex(ctx->hs->clienthello_md_ctx,
+        if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
-            ctx->hs->clienthello_hash,
+            ctx->hs->tls13.clienthello_hash,
-            &ctx->hs->clienthello_hash_len))
+            &ctx->hs->tls13.clienthello_hash_len))
                return 0;
-        EVP_MD_CTX_free(ctx->hs->clienthello_md_ctx);
+        EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
-        ctx->hs->clienthello_md_ctx = NULL;
+        ctx->hs->tls13.clienthello_md_ctx = NULL;
        return 1;
 }
@@ -560,18 +560,18 @@ tls13_clienthello_hash_validate(struct tls13_ctx *ctx)
        unsigned char new_ch_hash[EVP_MAX_MD_SIZE];
        unsigned int new_ch_hash_len;
-        if (ctx->hs->clienthello_hash == NULL)
+        if (ctx->hs->tls13.clienthello_hash == NULL)
                return 0;
-        if (!EVP_DigestFinal_ex(ctx->hs->clienthello_md_ctx,
+        if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
            new_ch_hash, &new_ch_hash_len))
                return 0;
-        EVP_MD_CTX_free(ctx->hs->clienthello_md_ctx);
+        EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
-        ctx->hs->clienthello_md_ctx = NULL;
+        ctx->hs->tls13.clienthello_md_ctx = NULL;
-        if (ctx->hs->clienthello_hash_len != new_ch_hash_len)
+        if (ctx->hs->tls13.clienthello_hash_len != new_ch_hash_len)
                return 0;
-        if (memcmp(ctx->hs->clienthello_hash, new_ch_hash,
+        if (memcmp(ctx->hs->tls13.clienthello_hash, new_ch_hash,
            new_ch_hash_len) != 0)
                return 0;
@@ -584,7 +584,7 @@ tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len,
    size_t out_len)
 {
        struct tls13_secret context, export_out, export_secret;
-        struct tls13_secrets *secrets = ctx->hs->secrets;
+        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
        EVP_MD_CTX *md_ctx = NULL;
        unsigned int md_out_len;
        int md_len;
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 29c63bcd06..658aef2cfe 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.71 2021/03/10 18:27:02 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.72 2021/03/21 18:36:34 jsing Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -29,12 +29,12 @@ tls13_server_init(struct tls13_ctx *ctx)
 {
        SSL *s = ctx->ssl;
-        if (!ssl_supported_tls_version_range(s, &S3I(s)->hs.our_min_tls_version,
+        if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version,
-            &S3I(s)->hs.our_max_tls_version)) {
+            &ctx->hs->our_max_tls_version)) {
                SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
                return 0;
        }
-        s->version = S3I(s)->hs.our_max_tls_version;
+        s->version = ctx->hs->our_max_tls_version;
        tls13_record_layer_set_retry_after_phh(ctx->rl,
            (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
@@ -163,7 +163,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                        goto err;
                return tls13_use_legacy_server(ctx);
        }
-        S3I(s)->hs.negotiated_tls_version = TLS1_3_VERSION;
+        ctx->hs->negotiated_tls_version = TLS1_3_VERSION;
        /* Add decoded values to the current ClientHello hash */
        if (!tls13_clienthello_hash_init(ctx)) {
@@ -198,7 +198,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
        }
        /* Finalize first ClientHello hash, or validate against it */
-        if (!ctx->hs->hrr) {
+        if (!ctx->hs->tls13.hrr) {
                if (!tls13_clienthello_hash_finalize(ctx)) {
                        ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
                        goto err;
@@ -208,7 +208,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                        ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
                        goto err;
                }
-                tls13_clienthello_hash_clear(ctx->hs);
+                tls13_clienthello_hash_clear(&ctx->hs->tls13);
        }
        if (!tls13_client_hello_required_extensions(ctx)) {
@@ -226,13 +226,13 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
        }
        /* Store legacy session identifier so we can echo it. */
-        if (CBS_len(&session_id) > sizeof(ctx->hs->legacy_session_id)) {
+        if (CBS_len(&session_id) > sizeof(ctx->hs->tls13.legacy_session_id)) {
                ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
                goto err;
        }
-        if (!CBS_write_bytes(&session_id, ctx->hs->legacy_session_id,
+        if (!CBS_write_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
-            sizeof(ctx->hs->legacy_session_id),
+            sizeof(ctx->hs->tls13.legacy_session_id),
-            &ctx->hs->legacy_session_id_len)) {
+            &ctx->hs->tls13.legacy_session_id_len)) {
                ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
                goto err;
        }
@@ -249,7 +249,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE;
                goto err;
        }
-        S3I(s)->hs.new_cipher = cipher;
+        ctx->hs->new_cipher = cipher;
        sk_SSL_CIPHER_free(s->session->ciphers);
        s->session->ciphers = ciphers;
@@ -293,7 +293,7 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
         * has been enabled. This would probably mean using either an
         * INITIAL | WITHOUT_HRR state, or another intermediate state.
         */
-        if (ctx->hs->key_share != NULL)
+        if (ctx->hs->tls13.key_share != NULL)
                ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR;
        /* XXX - check this is the correct point */
@@ -314,7 +314,7 @@ tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
        SSL *s = ctx->ssl;
        uint16_t cipher;
-        cipher = SSL_CIPHER_get_value(S3I(s)->hs.new_cipher);
+        cipher = SSL_CIPHER_get_value(ctx->hs->new_cipher);
        server_random = s->s3->server_random;
        if (hrr) {
@@ -328,8 +328,8 @@ tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
                goto err;
        if (!CBB_add_u8_length_prefixed(cbb, &session_id))
                goto err;
-        if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id,
+        if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
-            ctx->hs->legacy_session_id_len))
+            ctx->hs->tls13.legacy_session_id_len))
                goto err;
        if (!CBB_add_u16(cbb, cipher))
                goto err;
@@ -358,20 +358,20 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx)
        SSL *s = ctx->ssl;
        int ret = 0;
-        if (!tls13_key_share_derive(ctx->hs->key_share,
+        if (!tls13_key_share_derive(ctx->hs->tls13.key_share,
            &shared_key, &shared_key_len))
                goto err;
-        s->session->cipher = S3I(s)->hs.new_cipher;
+        s->session->cipher = ctx->hs->new_cipher;
-        if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL)
+        if ((ctx->aead = tls13_cipher_aead(ctx->hs->new_cipher)) == NULL)
                goto err;
-        if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL)
+        if ((ctx->hash = tls13_cipher_hash(ctx->hs->new_cipher)) == NULL)
                goto err;
        if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
                goto err;
-        ctx->hs->secrets = secrets;
+        ctx->hs->tls13.secrets = secrets;
        /* XXX - pass in hash. */
        if (!tls1_transcript_hash_init(s))
@@ -388,7 +388,7 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx)
                goto err;
        /* Handshake secrets. */
-        if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key,
+        if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key,
            shared_key_len, &context))
                goto err;
@@ -418,16 +418,16 @@ tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
 {
        int nid;
-        ctx->hs->hrr = 1;
+        ctx->hs->tls13.hrr = 1;
        if (!tls13_synthetic_handshake_message(ctx))
                return 0;
-        if (ctx->hs->key_share != NULL)
+        if (ctx->hs->tls13.key_share != NULL)
                return 0;
        if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef)
                return 0;
-        if ((ctx->hs->server_group = tls1_ec_nid2curve_id(nid)) == 0)
+        if ((ctx->hs->tls13.server_group = tls1_ec_nid2curve_id(nid)) == 0)
                return 0;
        if (!tls13_server_hello_build(ctx, cbb, 1))
@@ -444,7 +444,7 @@ tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx)
         * we MUST send a dummy CCS following our first handshake message.
         * See RFC 8446 Appendix D.4.
         */
-        if (ctx->hs->legacy_session_id_len > 0)
+        if (ctx->hs->tls13.legacy_session_id_len > 0)
                ctx->send_dummy_ccs_after = 1;
        return 1;
@@ -462,7 +462,7 @@ tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs)
        if (s->method->internal->version < TLS1_3_VERSION)
                return 0;
-        ctx->hs->hrr = 0;
+        ctx->hs->tls13.hrr = 0;
        return 1;
 }
@@ -483,14 +483,14 @@ tls13_servername_process(struct tls13_ctx *ctx)
 int
 tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-        if (ctx->hs->key_share == NULL)
+        if (ctx->hs->tls13.key_share == NULL)
                return 0;
-        if (!tls13_key_share_generate(ctx->hs->key_share))
+        if (!tls13_key_share_generate(ctx->hs->tls13.key_share))
                return 0;
        if (!tls13_servername_process(ctx))
                return 0;
-        ctx->hs->server_group = 0;
+        ctx->hs->tls13.server_group = 0;
        if (!tls13_server_hello_build(ctx, cbb, 0))
                return 0;
@@ -507,7 +507,7 @@ tls13_server_hello_sent(struct tls13_ctx *ctx)
         * See RFC 8446 Appendix D.4.
         */
        if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) &&
-            ctx->hs->legacy_session_id_len > 0)
+            ctx->hs->tls13.legacy_session_id_len > 0)
                ctx->send_dummy_ccs_after = 1;
        return tls13_server_engage_record_protection(ctx);
@@ -633,8 +633,8 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
                goto err;
        }
-        ctx->hs->cpk = cpk;
+        ctx->hs->tls13.cpk = cpk;
-        ctx->hs->sigalg = sigalg;
+        ctx->hs->tls13.sigalg = sigalg;
        if ((chain = cpk->chain) == NULL)
                chain = s->ctx->extra_certs;
@@ -705,9 +705,9 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
        memset(&sig_cbb, 0, sizeof(sig_cbb));
-        if ((cpk = ctx->hs->cpk) == NULL)
+        if ((cpk = ctx->hs->tls13.cpk) == NULL)
                goto err;
-        if ((sigalg = ctx->hs->sigalg) == NULL)
+        if ((sigalg = ctx->hs->tls13.sigalg) == NULL)
                goto err;
        pkey = cpk->privatekey;
@@ -721,8 +721,8 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
                goto err;
        if (!CBB_add_u8(&sig_cbb, 0))
                goto err;
-        if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash,
+        if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash,
-            ctx->hs->transcript_hash_len))
+            ctx->hs->tls13.transcript_hash_len))
                goto err;
        if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len))
                goto err;
@@ -773,7 +773,7 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
 int
 tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-        struct tls13_secrets *secrets = ctx->hs->secrets;
+        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
        struct tls13_secret context = { .data = "", .len = 0 };
        struct tls13_secret finished_key = { .data = NULL, .len = 0 } ;
        uint8_t transcript_hash[EVP_MAX_MD_SIZE];
@@ -831,14 +831,14 @@ tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
 int
 tls13_server_finished_sent(struct tls13_ctx *ctx)
 {
-        struct tls13_secrets *secrets = ctx->hs->secrets;
+        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
        struct tls13_secret context = { .data = "", .len = 0 };
        /*
         * Derive application traffic keys.
         */
-        context.data = ctx->hs->transcript_hash;
+        context.data = ctx->hs->tls13.transcript_hash;
-        context.len = ctx->hs->transcript_hash_len;
+        context.len = ctx->hs->tls13.transcript_hash_len;
        if (!tls13_derive_application_secrets(secrets, &context))
                return 0;
@@ -984,8 +984,8 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
                goto err;
        if (!CBB_add_u8(&cbb, 0))
                goto err;
-        if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash,
+        if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash,
-            ctx->hs->transcript_hash_len))
+            ctx->hs->tls13.transcript_hash_len))
                goto err;
        if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
                goto err;
@@ -1042,7 +1042,7 @@ tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs)
 int
 tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
 {
-        struct tls13_secrets *secrets = ctx->hs->secrets;
+        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
        struct tls13_secret context = { .data = "", .len = 0 };
        struct tls13_secret finished_key;
        uint8_t *verify_data = NULL;
@@ -1069,8 +1069,8 @@ tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
        if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
            ctx->hash, NULL))
                goto err;
-        if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash,
+        if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash,
-            ctx->hs->transcript_hash_len))
+            ctx->hs->tls13.transcript_hash_len))
                goto err;
        verify_data_len = HMAC_size(hmac_ctx);
        if ((verify_data = calloc(1, verify_data_len)) == NULL)
author	jsing <>	2021-03-21 18:36:34 +0000
committer	jsing <>	2021-03-21 18:36:34 +0000
commit	b4267956efe26acca04e81248b224852ab3b48df (patch)
tree	04368005066ac217cbc5ba4c6633356e81eb6d00 /src
parent	25064bbd608cffa42b7bf46d3ea7eeb88d693de4 (diff)
download	openbsd-b4267956efe26acca04e81248b224852ab3b48df.tar.gz openbsd-b4267956efe26acca04e81248b224852ab3b48df.tar.bz2 openbsd-b4267956efe26acca04e81248b224852ab3b48df.zip