1 files changed, 12 insertions, 8 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index a7c3bf2c00..4de3d3693b 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.73 2021/02/25 17:06:05 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.74 2021/03/10 18:27:02 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -31,12 +31,12 @@ tls13_client_init(struct tls13_ctx *ctx)
        size_t groups_len;
        SSL *s = ctx->ssl;
-        if (!ssl_supported_tls_version_range(s, &ctx->hs->min_version,
+        if (!ssl_supported_tls_version_range(s, &S3I(s)->hs.our_min_tls_version,
-            &ctx->hs->max_version)) {
+            &S3I(s)->hs.our_max_tls_version)) {
                SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
                return 0;
        }
-        s->client_version = s->version = ctx->hs->max_version;
+        s->client_version = s->version = S3I(s)->hs.our_max_tls_version;
        tls13_record_layer_set_retry_after_phh(ctx->rl,
            (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
@@ -64,7 +64,8 @@ tls13_client_init(struct tls13_ctx *ctx)
         * legacy session identifier triggers compatibility mode (see RFC 8446
         * Appendix D.4). In the pre-TLSv1.3 case a zero length value is used.
         */
-        if (ctx->middlebox_compat && ctx->hs->max_version >= TLS1_3_VERSION) {
+        if (ctx->middlebox_compat &&
+            S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION) {
                arc4random_buf(ctx->hs->legacy_session_id,
                    sizeof(ctx->hs->legacy_session_id));
                ctx->hs->legacy_session_id_len =
@@ -91,7 +92,7 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
        SSL *s = ctx->ssl;
        /* Legacy client version is capped at TLS 1.2. */
-        client_version = ctx->hs->max_version;
+        client_version = S3I(s)->hs.our_max_tls_version;
        if (client_version > TLS1_2_VERSION)
                client_version = TLS1_2_VERSION;
@@ -133,7 +134,9 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
 int
 tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-        if (ctx->hs->min_version < TLS1_2_VERSION)
+        SSL *s = ctx->ssl;
+        if (S3I(s)->hs.our_min_tls_version < TLS1_2_VERSION)
                tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION);
        /* We may receive a pre-TLSv1.3 alert in response to the client hello. */
@@ -228,7 +231,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                goto err;
        if (tls13_server_hello_is_legacy(cbs)) {
-                if (ctx->hs->max_version >= TLS1_3_VERSION) {
+                if (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION) {
                        /*
                         * RFC 8446 section 4.1.3: we must not downgrade if
                         * the server random value contains the TLS 1.2 or 1.1
@@ -280,6 +283,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                ctx->alert = TLS13_ALERT_PROTOCOL_VERSION;
                goto err;
        }
+        S3I(s)->hs.negotiated_tls_version = ctx->hs->server_version;
        /* The session_id must match. */
        if (!CBS_mem_equal(&session_id, ctx->hs->legacy_session_id,