Diffstat (limited to 'src/lib/libssl/tls13_server.c')
-rw-r--r--src/lib/libssl/tls13_server.c92
1 files changed, 46 insertions, 46 deletions
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 29c63bcd06..658aef2cfe 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_server.c,v 1.71 2021/03/10 18:27:02 jsing Exp $ */ 1/* $OpenBSD: tls13_server.c,v 1.72 2021/03/21 18:36:34 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -29,12 +29,12 @@ tls13_server_init(struct tls13_ctx *ctx)
29{ 29{
30 SSL *s = ctx->ssl; 30 SSL *s = ctx->ssl;
31 31
32 if (!ssl_supported_tls_version_range(s, &S3I(s)->hs.our_min_tls_version, 32 if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version,
33 &S3I(s)->hs.our_max_tls_version)) { 33 &ctx->hs->our_max_tls_version)) {
34 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 34 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
35 return 0; 35 return 0;
36 } 36 }
37 s->version = S3I(s)->hs.our_max_tls_version; 37 s->version = ctx->hs->our_max_tls_version;
38 38
39 tls13_record_layer_set_retry_after_phh(ctx->rl, 39 tls13_record_layer_set_retry_after_phh(ctx->rl,
40 (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); 40 (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
@@ -163,7 +163,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
163 goto err; 163 goto err;
164 return tls13_use_legacy_server(ctx); 164 return tls13_use_legacy_server(ctx);
165 } 165 }
166 S3I(s)->hs.negotiated_tls_version = TLS1_3_VERSION; 166 ctx->hs->negotiated_tls_version = TLS1_3_VERSION;
167 167
168 /* Add decoded values to the current ClientHello hash */ 168 /* Add decoded values to the current ClientHello hash */
169 if (!tls13_clienthello_hash_init(ctx)) { 169 if (!tls13_clienthello_hash_init(ctx)) {
@@ -198,7 +198,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
198 } 198 }
199 199
200 /* Finalize first ClientHello hash, or validate against it */ 200 /* Finalize first ClientHello hash, or validate against it */
201 if (!ctx->hs->hrr) { 201 if (!ctx->hs->tls13.hrr) {
202 if (!tls13_clienthello_hash_finalize(ctx)) { 202 if (!tls13_clienthello_hash_finalize(ctx)) {
203 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 203 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
204 goto err; 204 goto err;
@@ -208,7 +208,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
208 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 208 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
209 goto err; 209 goto err;
210 } 210 }
211 tls13_clienthello_hash_clear(ctx->hs); 211 tls13_clienthello_hash_clear(&ctx->hs->tls13);
212 } 212 }
213 213
214 if (!tls13_client_hello_required_extensions(ctx)) { 214 if (!tls13_client_hello_required_extensions(ctx)) {
@@ -226,13 +226,13 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
226 } 226 }
227 227
228 /* Store legacy session identifier so we can echo it. */ 228 /* Store legacy session identifier so we can echo it. */
229 if (CBS_len(&session_id) > sizeof(ctx->hs->legacy_session_id)) { 229 if (CBS_len(&session_id) > sizeof(ctx->hs->tls13.legacy_session_id)) {
230 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 230 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
231 goto err; 231 goto err;
232 } 232 }
233 if (!CBS_write_bytes(&session_id, ctx->hs->legacy_session_id, 233 if (!CBS_write_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
234 sizeof(ctx->hs->legacy_session_id), 234 sizeof(ctx->hs->tls13.legacy_session_id),
235 &ctx->hs->legacy_session_id_len)) { 235 &ctx->hs->tls13.legacy_session_id_len)) {
236 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 236 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
237 goto err; 237 goto err;
238 } 238 }
@@ -249,7 +249,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
249 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; 249 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE;
250 goto err; 250 goto err;
251 } 251 }
252 S3I(s)->hs.new_cipher = cipher; 252 ctx->hs->new_cipher = cipher;
253 253
254 sk_SSL_CIPHER_free(s->session->ciphers); 254 sk_SSL_CIPHER_free(s->session->ciphers);
255 s->session->ciphers = ciphers; 255 s->session->ciphers = ciphers;
@@ -293,7 +293,7 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
293 * has been enabled. This would probably mean using either an 293 * has been enabled. This would probably mean using either an
294 * INITIAL | WITHOUT_HRR state, or another intermediate state. 294 * INITIAL | WITHOUT_HRR state, or another intermediate state.
295 */ 295 */
296 if (ctx->hs->key_share != NULL) 296 if (ctx->hs->tls13.key_share != NULL)
297 ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR; 297 ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR;
298 298
299 /* XXX - check this is the correct point */ 299 /* XXX - check this is the correct point */
@@ -314,7 +314,7 @@ tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
314 SSL *s = ctx->ssl; 314 SSL *s = ctx->ssl;
315 uint16_t cipher; 315 uint16_t cipher;
316 316
317 cipher = SSL_CIPHER_get_value(S3I(s)->hs.new_cipher); 317 cipher = SSL_CIPHER_get_value(ctx->hs->new_cipher);
318 server_random = s->s3->server_random; 318 server_random = s->s3->server_random;
319 319
320 if (hrr) { 320 if (hrr) {
@@ -328,8 +328,8 @@ tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
328 goto err; 328 goto err;
329 if (!CBB_add_u8_length_prefixed(cbb, &session_id)) 329 if (!CBB_add_u8_length_prefixed(cbb, &session_id))
330 goto err; 330 goto err;
331 if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id, 331 if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
332 ctx->hs->legacy_session_id_len)) 332 ctx->hs->tls13.legacy_session_id_len))
333 goto err; 333 goto err;
334 if (!CBB_add_u16(cbb, cipher)) 334 if (!CBB_add_u16(cbb, cipher))
335 goto err; 335 goto err;
@@ -358,20 +358,20 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx)
358 SSL *s = ctx->ssl; 358 SSL *s = ctx->ssl;
359 int ret = 0; 359 int ret = 0;
360 360
361 if (!tls13_key_share_derive(ctx->hs->key_share, 361 if (!tls13_key_share_derive(ctx->hs->tls13.key_share,
362 &shared_key, &shared_key_len)) 362 &shared_key, &shared_key_len))
363 goto err; 363 goto err;
364 364
365 s->session->cipher = S3I(s)->hs.new_cipher; 365 s->session->cipher = ctx->hs->new_cipher;
366 366
367 if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL) 367 if ((ctx->aead = tls13_cipher_aead(ctx->hs->new_cipher)) == NULL)
368 goto err; 368 goto err;
369 if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL) 369 if ((ctx->hash = tls13_cipher_hash(ctx->hs->new_cipher)) == NULL)
370 goto err; 370 goto err;
371 371
372 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) 372 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
373 goto err; 373 goto err;
374 ctx->hs->secrets = secrets; 374 ctx->hs->tls13.secrets = secrets;
375 375
376 /* XXX - pass in hash. */ 376 /* XXX - pass in hash. */
377 if (!tls1_transcript_hash_init(s)) 377 if (!tls1_transcript_hash_init(s))
@@ -388,7 +388,7 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx)
388 goto err; 388 goto err;
389 389
390 /* Handshake secrets. */ 390 /* Handshake secrets. */
391 if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key, 391 if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key,
392 shared_key_len, &context)) 392 shared_key_len, &context))
393 goto err; 393 goto err;
394 394
@@ -418,16 +418,16 @@ tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
418{ 418{
419 int nid; 419 int nid;
420 420
421 ctx->hs->hrr = 1; 421 ctx->hs->tls13.hrr = 1;
422 422
423 if (!tls13_synthetic_handshake_message(ctx)) 423 if (!tls13_synthetic_handshake_message(ctx))
424 return 0; 424 return 0;
425 425
426 if (ctx->hs->key_share != NULL) 426 if (ctx->hs->tls13.key_share != NULL)
427 return 0; 427 return 0;
428 if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef) 428 if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef)
429 return 0; 429 return 0;
430 if ((ctx->hs->server_group = tls1_ec_nid2curve_id(nid)) == 0) 430 if ((ctx->hs->tls13.server_group = tls1_ec_nid2curve_id(nid)) == 0)
431 return 0; 431 return 0;
432 432
433 if (!tls13_server_hello_build(ctx, cbb, 1)) 433 if (!tls13_server_hello_build(ctx, cbb, 1))
@@ -444,7 +444,7 @@ tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx)
444 * we MUST send a dummy CCS following our first handshake message. 444 * we MUST send a dummy CCS following our first handshake message.
445 * See RFC 8446 Appendix D.4. 445 * See RFC 8446 Appendix D.4.
446 */ 446 */
447 if (ctx->hs->legacy_session_id_len > 0) 447 if (ctx->hs->tls13.legacy_session_id_len > 0)
448 ctx->send_dummy_ccs_after = 1; 448 ctx->send_dummy_ccs_after = 1;
449 449
450 return 1; 450 return 1;
@@ -462,7 +462,7 @@ tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs)
462 if (s->method->internal->version < TLS1_3_VERSION) 462 if (s->method->internal->version < TLS1_3_VERSION)
463 return 0; 463 return 0;
464 464
465 ctx->hs->hrr = 0; 465 ctx->hs->tls13.hrr = 0;
466 466
467 return 1; 467 return 1;
468} 468}
@@ -483,14 +483,14 @@ tls13_servername_process(struct tls13_ctx *ctx)
483int 483int
484tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) 484tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
485{ 485{
486 if (ctx->hs->key_share == NULL) 486 if (ctx->hs->tls13.key_share == NULL)
487 return 0; 487 return 0;
488 if (!tls13_key_share_generate(ctx->hs->key_share)) 488 if (!tls13_key_share_generate(ctx->hs->tls13.key_share))
489 return 0; 489 return 0;
490 if (!tls13_servername_process(ctx)) 490 if (!tls13_servername_process(ctx))
491 return 0; 491 return 0;
492 492
493 ctx->hs->server_group = 0; 493 ctx->hs->tls13.server_group = 0;
494 494
495 if (!tls13_server_hello_build(ctx, cbb, 0)) 495 if (!tls13_server_hello_build(ctx, cbb, 0))
496 return 0; 496 return 0;
@@ -507,7 +507,7 @@ tls13_server_hello_sent(struct tls13_ctx *ctx)
507 * See RFC 8446 Appendix D.4. 507 * See RFC 8446 Appendix D.4.
508 */ 508 */
509 if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) && 509 if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) &&
510 ctx->hs->legacy_session_id_len > 0) 510 ctx->hs->tls13.legacy_session_id_len > 0)
511 ctx->send_dummy_ccs_after = 1; 511 ctx->send_dummy_ccs_after = 1;
512 512
513 return tls13_server_engage_record_protection(ctx); 513 return tls13_server_engage_record_protection(ctx);
@@ -633,8 +633,8 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
633 goto err; 633 goto err;
634 } 634 }
635 635
636 ctx->hs->cpk = cpk; 636 ctx->hs->tls13.cpk = cpk;
637 ctx->hs->sigalg = sigalg; 637 ctx->hs->tls13.sigalg = sigalg;
638 638
639 if ((chain = cpk->chain) == NULL) 639 if ((chain = cpk->chain) == NULL)
640 chain = s->ctx->extra_certs; 640 chain = s->ctx->extra_certs;
@@ -705,9 +705,9 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
705 705
706 memset(&sig_cbb, 0, sizeof(sig_cbb)); 706 memset(&sig_cbb, 0, sizeof(sig_cbb));
707 707
708 if ((cpk = ctx->hs->cpk) == NULL) 708 if ((cpk = ctx->hs->tls13.cpk) == NULL)
709 goto err; 709 goto err;
710 if ((sigalg = ctx->hs->sigalg) == NULL) 710 if ((sigalg = ctx->hs->tls13.sigalg) == NULL)
711 goto err; 711 goto err;
712 pkey = cpk->privatekey; 712 pkey = cpk->privatekey;
713 713
@@ -721,8 +721,8 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
721 goto err; 721 goto err;
722 if (!CBB_add_u8(&sig_cbb, 0)) 722 if (!CBB_add_u8(&sig_cbb, 0))
723 goto err; 723 goto err;
724 if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash, 724 if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash,
725 ctx->hs->transcript_hash_len)) 725 ctx->hs->tls13.transcript_hash_len))
726 goto err; 726 goto err;
727 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) 727 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len))
728 goto err; 728 goto err;
@@ -773,7 +773,7 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
773int 773int
774tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb) 774tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
775{ 775{
776 struct tls13_secrets *secrets = ctx->hs->secrets; 776 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
777 struct tls13_secret context = { .data = "", .len = 0 }; 777 struct tls13_secret context = { .data = "", .len = 0 };
778 struct tls13_secret finished_key = { .data = NULL, .len = 0 } ; 778 struct tls13_secret finished_key = { .data = NULL, .len = 0 } ;
779 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 779 uint8_t transcript_hash[EVP_MAX_MD_SIZE];
@@ -831,14 +831,14 @@ tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
831int 831int
832tls13_server_finished_sent(struct tls13_ctx *ctx) 832tls13_server_finished_sent(struct tls13_ctx *ctx)
833{ 833{
834 struct tls13_secrets *secrets = ctx->hs->secrets; 834 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
835 struct tls13_secret context = { .data = "", .len = 0 }; 835 struct tls13_secret context = { .data = "", .len = 0 };
836 836
837 /* 837 /*
838 * Derive application traffic keys. 838 * Derive application traffic keys.
839 */ 839 */
840 context.data = ctx->hs->transcript_hash; 840 context.data = ctx->hs->tls13.transcript_hash;
841 context.len = ctx->hs->transcript_hash_len; 841 context.len = ctx->hs->tls13.transcript_hash_len;
842 842
843 if (!tls13_derive_application_secrets(secrets, &context)) 843 if (!tls13_derive_application_secrets(secrets, &context))
844 return 0; 844 return 0;
@@ -984,8 +984,8 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
984 goto err; 984 goto err;
985 if (!CBB_add_u8(&cbb, 0)) 985 if (!CBB_add_u8(&cbb, 0))
986 goto err; 986 goto err;
987 if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash, 987 if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash,
988 ctx->hs->transcript_hash_len)) 988 ctx->hs->tls13.transcript_hash_len))
989 goto err; 989 goto err;
990 if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) 990 if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
991 goto err; 991 goto err;
@@ -1042,7 +1042,7 @@ tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs)
1042int 1042int
1043tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) 1043tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
1044{ 1044{
1045 struct tls13_secrets *secrets = ctx->hs->secrets; 1045 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
1046 struct tls13_secret context = { .data = "", .len = 0 }; 1046 struct tls13_secret context = { .data = "", .len = 0 };
1047 struct tls13_secret finished_key; 1047 struct tls13_secret finished_key;
1048 uint8_t *verify_data = NULL; 1048 uint8_t *verify_data = NULL;
@@ -1069,8 +1069,8 @@ tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
1069 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 1069 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
1070 ctx->hash, NULL)) 1070 ctx->hash, NULL))
1071 goto err; 1071 goto err;
1072 if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash, 1072 if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash,
1073 ctx->hs->transcript_hash_len)) 1073 ctx->hs->tls13.transcript_hash_len))
1074 goto err; 1074 goto err;
1075 verify_data_len = HMAC_size(hmac_ctx); 1075 verify_data_len = HMAC_size(hmac_ctx);
1076 if ((verify_data = calloc(1, verify_data_len)) == NULL) 1076 if ((verify_data = calloc(1, verify_data_len)) == NULL)
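Review bot: The lifetime of the handshake key material is no longer clear at `ctx->hs->tls13.secrets = secrets;` in tls13_server_engage_record_protection (the hunk starting at new line 358). Because `S3I(s)->hs.new_cipher` becomes `ctx->hs->new_cipher` in the same function, `ctx->hs` now appears to point at the handshake state held by the SSL object, so the secrets and `tls13.key_share` would live as long as that state rather than as long as the tls13_ctx. The code that frees and zeroes them is not in this file's diff and should be checked there; once confirmed, a comment at the assignment such as `/* Owned by the shared handshake state; freed and zeroed when that state is torn down. */` would record the intended owner. tls13_server_init has the same dependency, since it now dereferences `ctx->hs` where it previously went through `S3I(s)` directly, and both function bodies extend beyond the hunks shown.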