9 files changed, 145 insertions, 108 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 70bda982c6..97418f1ac7 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.84 2021/02/22 15:59:10 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.85 2021/03/10 18:27:01 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -218,7 +218,14 @@ ssl3_connect(SSL *s)
                                goto end;
                        }
-                        /* s->version=SSL3_VERSION; */
+                        if (!ssl_supported_tls_version_range(s,
+                            &S3I(s)->hs.our_min_tls_version,
+                            &S3I(s)->hs.our_max_tls_version)) {
+                                SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
+                                ret = -1;
+                                goto end;
+                        }
                        s->internal->type = SSL_ST_CONNECT;
                        if (!ssl3_setup_init_buffer(s)) {
@@ -904,6 +911,12 @@ ssl3_get_server_hello(SSL *s)
        }
        s->version = server_version;
+        S3I(s)->hs.negotiated_tls_version = ssl_tls_version(server_version);
+        if (S3I(s)->hs.negotiated_tls_version == 0) {
+                SSLerror(s, ERR_R_INTERNAL_ERROR);
+                goto err;
+        }
        if ((method = ssl_get_method(server_version)) == NULL) {
                SSLerror(s, ERR_R_INTERNAL_ERROR);
                goto err;
@@ -1019,7 +1032,7 @@ ssl3_get_server_hello(SSL *s)
        /* TLS v1.2 only ciphersuites require v1.2 or later. */
        if ((cipher->algorithm_ssl & SSL_TLSV1_2) &&
-            (TLS1_get_version(s) < TLS1_2_VERSION)) {
+            S3I(s)->hs.negotiated_tls_version < TLS1_2_VERSION) {
                al = SSL_AD_ILLEGAL_PARAMETER;
                SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED);
                goto fatal_err;
@@ -1982,6 +1995,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
                goto err;
        }
+        /* XXX - our max protocol version. */
        pms[0] = s->client_version >> 8;
        pms[1] = s->client_version & 0xff;
        arc4random_buf(&pms[2], sizeof(pms) - 2);
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index b2af8fd7c9..6f66a8932e 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.324 2021/02/27 14:20:50 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.325 2021/03/10 18:27:01 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -407,6 +407,23 @@ typedef struct ssl_session_internal_st {
 #define SSI(s) (s->session->internal)
 typedef struct ssl_handshake_st {
+        /*
+         * Minimum and maximum versions supported for this handshake. These are
+         * initialised at the start of a handshake based on the method in use
+         * and the current protocol version configuration.
+         */
+        uint16_t our_min_tls_version;
+        uint16_t our_max_tls_version;
+        /*
+         * Version negotiated for this session. For a client this is set once
+         * the server selected version is parsed from the ServerHello (either
+         * from the legacy version or supported versions extension). For a
+         * server this is set once we select the version we will use with the
+         * client.
+         */
+        uint16_t negotiated_tls_version;
        /* state contains one of the SSL3_ST_* values. */
        int state;
@@ -435,10 +452,6 @@ typedef struct cert_pkey_st {
 } CERT_PKEY;
 typedef struct ssl_handshake_tls13_st {
-        uint16_t min_version;
-        uint16_t max_version;
-        uint16_t version;
        int use_legacy;
        int hrr;
@@ -468,7 +481,6 @@ typedef struct ssl_handshake_tls13_st {
        EVP_MD_CTX *clienthello_md_ctx;
        unsigned char *clienthello_hash;
        unsigned int clienthello_hash_len;
 } SSL_HANDSHAKE_TLS13;
 struct tls12_record_layer;
@@ -1117,6 +1129,8 @@ int ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver,
    uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver);
 int ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
 int ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
+uint16_t ssl_tls_version(uint16_t version);
+uint16_t ssl_effective_tls_version(SSL *s);
 int ssl_downgrade_max_version(SSL *s, uint16_t *max_ver);
 int ssl_max_supported_version(SSL *s, uint16_t *max_ver);
 int ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver);
diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c
index 894064c817..5b1af504fb 100644
--- a/src/lib/libssl/ssl_pkt.c
+++ b/src/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_pkt.c,v 1.36 2021/02/20 14:14:16 tb Exp $ */
+/* $OpenBSD: ssl_pkt.c,v 1.37 2021/03/10 18:27:02 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -561,8 +561,9 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
         * bytes and record version number > TLS 1.0.
         */
        version = s->version;
-        if (S3I(s)->hs.state == SSL3_ST_CW_CLNT_HELLO_B && !s->internal->renegotiate &&
+        if (S3I(s)->hs.state == SSL3_ST_CW_CLNT_HELLO_B &&
-            TLS1_get_version(s) > TLS1_VERSION)
+            !s->internal->renegotiate &&
+            S3I(s)->hs.our_max_tls_version > TLS1_VERSION)
                version = TLS1_VERSION;
        /*
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 1b5aad72f7..68bb6a3889 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.22 2020/10/11 01:13:04 guenther Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.23 2021/03/10 18:27:02 jsing Exp $ */
 /*
 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
 *
@@ -265,7 +265,7 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
        int check_curve = 0;
        CBS cbs;
-        if (TLS1_get_version(s) >= TLS1_3_VERSION) {
+        if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) {
                tls_sigalgs = tls13_sigalgs;
                tls_sigalgs_len = tls13_sigalgs_len;
                check_curve = 1;
@@ -291,7 +291,7 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
         * RFC 5246 allows a TLS 1.2 client to send no sigalgs, in
         * which case the server must use the the default.
         */
-        if (TLS1_get_version(s) < TLS1_3_VERSION &&
+        if (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION &&
            S3I(s)->hs.sigalgs == NULL) {
                switch (pkey->type) {
                case EVP_PKEY_RSA:
@@ -323,7 +323,7 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
                        continue;
                /* RSA cannot be used without PSS in TLSv1.3. */
-                if (TLS1_get_version(s) >= TLS1_3_VERSION &&
+                if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION &&
                    sigalg->key_type == EVP_PKEY_RSA &&
                    (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
                        continue;
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index be9c27f73f..373a20d61b 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.95 2021/02/20 14:16:56 tb Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.96 2021/03/10 18:27:02 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -219,6 +219,14 @@ ssl3_accept(SSL *s)
                                goto end;
                        }
+                        if (!ssl_supported_tls_version_range(s,
+                            &S3I(s)->hs.our_min_tls_version,
+                            &S3I(s)->hs.our_max_tls_version)) {
+                                SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
+                                ret = -1;
+                                goto end;
+                        }
                        s->internal->type = SSL_ST_ACCEPT;
                        if (!ssl3_setup_init_buffer(s)) {
@@ -844,7 +852,7 @@ ssl3_get_client_hello(SSL *s)
         */
        if (!ssl_downgrade_max_version(s, &max_version))
                goto err;
-        if (ssl_max_shared_version(s, client_version, &shared_version) != 1) {
+        if (!ssl_max_shared_version(s, client_version, &shared_version)) {
                if ((s->client_version >> 8) == SSL3_VERSION_MAJOR &&
                    !tls12_record_layer_write_protected(s->internal->rl)) {
                        /*
@@ -860,6 +868,12 @@ ssl3_get_client_hello(SSL *s)
        s->client_version = client_version;
        s->version = shared_version;
+        S3I(s)->hs.negotiated_tls_version = ssl_tls_version(shared_version);
+        if (S3I(s)->hs.negotiated_tls_version == 0) {
+                SSLerror(s, ERR_R_INTERNAL_ERROR);
+                goto err;
+        }
        if ((method = ssl_get_method(shared_version)) == NULL) {
                SSLerror(s, ERR_R_INTERNAL_ERROR);
                goto err;
@@ -1718,6 +1732,8 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs)
        int al = -1;
        arc4random_buf(fakekey, sizeof(fakekey));
+        /* XXX - peer max protocol version. */
        fakekey[0] = s->client_version >> 8;
        fakekey[1] = s->client_version & 0xff;
@@ -1754,6 +1770,7 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs)
                /* SSLerror(s, SSL_R_BAD_RSA_DECRYPT); */
        }
+        /* XXX - peer max version. */
        if ((al == -1) && !((pms[0] == (s->client_version >> 8)) &&
            (pms[1] == (s->client_version & 0xff)))) {
                /*
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index dca9de0305..4f4a39d4bb 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.86 2021/02/08 17:20:47 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.87 2021/03/10 18:27:02 jsing Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -174,7 +174,7 @@ int
 tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type)
 {
        return ssl_has_ecc_ciphers(s) ||
-            (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION);
+            (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION);
 }
 int
@@ -472,7 +472,8 @@ tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 int
 tlsext_ri_server_needs(SSL *s, uint16_t msg_type)
 {
-        return (s->version < TLS1_3_VERSION && S3I(s)->send_connection_binding);
+        return (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION &&
+            S3I(s)->send_connection_binding);
 }
 int
@@ -554,7 +555,7 @@ tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 int
 tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type)
 {
-        return (TLS1_get_client_version(s) >= TLS1_2_VERSION);
+        return (S3I(s)->hs.our_max_tls_version >= TLS1_2_VERSION);
 }
 int
@@ -564,8 +565,7 @@ tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
        size_t tls_sigalgs_len = tls12_sigalgs_len;
        CBB sigalgs;
-        if (TLS1_get_client_version(s) >= TLS1_3_VERSION &&
+        if (S3I(s)->hs.our_min_tls_version >= TLS1_3_VERSION) {
-            S3I(s)->hs_tls13.min_version >= TLS1_3_VERSION) {
                tls_sigalgs = tls13_sigalgs;
                tls_sigalgs_len = tls13_sigalgs_len;
        }
@@ -600,7 +600,7 @@ tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 int
 tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type)
 {
-        return (s->version >= TLS1_3_VERSION);
+        return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION);
 }
 int
@@ -610,7 +610,7 @@ tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
        size_t tls_sigalgs_len = tls12_sigalgs_len;
        CBB sigalgs;
-        if (s->version >= TLS1_3_VERSION) {
+        if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) {
                tls_sigalgs = tls13_sigalgs;
                tls_sigalgs_len = tls13_sigalgs_len;
        }
@@ -632,7 +632,7 @@ tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 {
        CBS sigalgs;
-        if (s->version < TLS1_3_VERSION)
+        if (ssl_effective_tls_version(s) < TLS1_3_VERSION)
                return 0;
        if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
@@ -981,7 +981,7 @@ tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 int
 tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type)
 {
-        if (s->version >= TLS1_3_VERSION &&
+        if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION &&
            s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
            s->ctx->internal->tlsext_status_cb != NULL) {
                s->internal->tlsext_status_expected = 0;
@@ -998,7 +998,7 @@ tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
 {
        CBB ocsp_response;
-        if (s->version >= TLS1_3_VERSION) {
+        if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) {
                if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
                        return 0;
                if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response))
@@ -1016,11 +1016,10 @@ tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
 int
 tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 {
-        CBS response;
-        uint16_t version = TLS1_get_client_version(s);
        uint8_t status_type;
+        CBS response;
-        if (version >= TLS1_3_VERSION) {
+        if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) {
                if (msg_type == SSL_TLSEXT_MSG_CR) {
                        /*
                         * RFC 8446, 4.4.2.1 - the server may request an OCSP
@@ -1406,11 +1405,7 @@ tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 int
 tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type)
 {
-        /* XXX once this gets initialized when we get tls13_client.c */
+        return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION);
-        if (S3I(s)->hs_tls13.max_version == 0)
-                return 0;
-        return (!SSL_is_dtls(s) && S3I(s)->hs_tls13.max_version >=
-            TLS1_3_VERSION);
 }
 int
@@ -1457,7 +1452,7 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                 * Ignore this client share if we're using earlier than TLSv1.3
                 * or we've already selected a key share.
                 */
-                if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
+                if (S3I(s)->hs.our_max_tls_version < TLS1_3_VERSION)
                        continue;
                if (S3I(s)->hs_tls13.key_share != NULL)
                        continue;
@@ -1485,10 +1480,8 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 int
 tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type)
 {
-        if (SSL_is_dtls(s) || s->version < TLS1_3_VERSION)
+        return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION &&
-                return 0;
+            tlsext_extension_seen(s, TLSEXT_TYPE_key_share));
-        return tlsext_extension_seen(s, TLSEXT_TYPE_key_share);
 }
 int
@@ -1550,9 +1543,7 @@ tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 int
 tlsext_versions_client_needs(SSL *s, uint16_t msg_type)
 {
-        if (SSL_is_dtls(s))
+        return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION);
-                return 0;
-        return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION);
 }
 int
@@ -1562,11 +1553,8 @@ tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
        uint16_t version;
        CBB versions;
-        max = S3I(s)->hs_tls13.max_version;
+        max = S3I(s)->hs.our_max_tls_version;
-        min = S3I(s)->hs_tls13.min_version;
+        min = S3I(s)->hs.our_min_tls_version;
-        if (min < TLS1_VERSION)
-                return 0;
        if (!CBB_add_u8_length_prefixed(cbb, &versions))
                return 0;
@@ -1591,8 +1579,8 @@ tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
        uint16_t max, min;
        uint16_t matched_version = 0;
-        max = S3I(s)->hs_tls13.max_version;
+        max = S3I(s)->hs.our_max_tls_version;
-        min = S3I(s)->hs_tls13.min_version;
+        min = S3I(s)->hs.our_min_tls_version;
        if (!CBS_get_u8_length_prefixed(cbs, &versions))
                goto err;
@@ -1608,16 +1596,8 @@ tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                        matched_version = version;
        }
-        /*
+        if (matched_version > 0)  {
-         * XXX if we haven't matched a version we should
+                /* XXX - this should be stored for later processing. */
-         * fail - but we currently need to succeed to
-         * ignore this before the server code for 1.3
-         * is set up and initialized.
-         */
-        if (max == 0)
-                return 1; /* XXX */
-        if (matched_version != 0)  {
                s->version = matched_version;
                return 1;
        }
@@ -1633,17 +1613,13 @@ tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 int
 tlsext_versions_server_needs(SSL *s, uint16_t msg_type)
 {
-        return (!SSL_is_dtls(s) && s->version >= TLS1_3_VERSION);
+        return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION);
 }
 int
 tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
 {
-        if (!CBB_add_u16(cbb, TLS1_3_VERSION))
+        return CBB_add_u16(cbb, TLS1_3_VERSION);
-                return 0;
-        /* XXX set 1.2 in legacy version?  */
-        return 1;
 }
 int
@@ -1656,6 +1632,7 @@ tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                return 0;
        }
+        /* XXX - need to fix for DTLS 1.3 */
        if (selected_version < TLS1_3_VERSION) {
                *alert = SSL_AD_ILLEGAL_PARAMETER;
                return 0;
@@ -1675,12 +1652,8 @@ tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 int
 tlsext_cookie_client_needs(SSL *s, uint16_t msg_type)
 {
-        if (SSL_is_dtls(s))
+        return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION &&
-                return 0;
+            S3I(s)->hs_tls13.cookie_len > 0 && S3I(s)->hs_tls13.cookie != NULL);
-        if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
-                return 0;
-        return (S3I(s)->hs_tls13.cookie_len > 0 &&
-            S3I(s)->hs_tls13.cookie != NULL);
 }
 int
@@ -1734,17 +1707,12 @@ tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 int
 tlsext_cookie_server_needs(SSL *s, uint16_t msg_type)
 {
-        if (SSL_is_dtls(s))
-                return 0;
-        if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
-                return 0;
        /*
         * Server needs to set cookie value in tls13 handshake
         * in order to send one, should only be sent with HRR.
         */
-        return (S3I(s)->hs_tls13.cookie_len > 0 &&
+        return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION &&
-            S3I(s)->hs_tls13.cookie != NULL);
+            S3I(s)->hs_tls13.cookie_len > 0 && S3I(s)->hs_tls13.cookie != NULL);
 }
 int
@@ -2033,13 +2001,10 @@ tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb)
        const struct tls_extension *tlsext;
        CBB extensions, extension_data;
        int extensions_present = 0;
+        uint16_t tls_version;
        size_t i;
-        uint16_t version;
-        if (is_server)
+        tls_version = ssl_effective_tls_version(s);
-                version = s->version;
-        else
-                version = TLS1_get_client_version(s);
        if (!CBB_add_u16_length_prefixed(cbb, &extensions))
                return 0;
@@ -2049,7 +2014,7 @@ tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb)
                ext = tlsext_funcs(tlsext, is_server);
                /* RFC 8446 Section 4.2 */
-                if (version >= TLS1_3_VERSION &&
+                if (tls_version >= TLS1_3_VERSION &&
                    !(tlsext->messages & msg_type))
                        continue;
@@ -2112,15 +2077,12 @@ tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert)
        CBS extensions, extension_data;
        uint16_t type;
        size_t idx;
-        uint16_t version;
+        uint16_t tls_version;
        int alert_desc;
-        S3I(s)->hs.extensions_seen = 0;
+        tls_version = ssl_effective_tls_version(s);
-        if (is_server)
+        S3I(s)->hs.extensions_seen = 0;
-                version = s->version;
-        else
-                version = TLS1_get_client_version(s);
        /* An empty extensions block is valid. */
        if (CBS_len(cbs) == 0)
@@ -2143,7 +2105,7 @@ tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert)
                            CBS_len(&extension_data),
                            s->internal->tlsext_debug_arg);
-                if (!SSL_is_dtls(s) && version >= TLS1_3_VERSION && is_server &&
+                if (tls_version >= TLS1_3_VERSION && is_server &&
                    msg_type == SSL_TLSEXT_MSG_CH) {
                        if (!tlsext_clienthello_hash_extension(s, type,
                            &extension_data))
@@ -2155,7 +2117,7 @@ tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert)
                        continue;
                /* RFC 8446 Section 4.2 */
-                if (version >= TLS1_3_VERSION &&
+                if (tls_version >= TLS1_3_VERSION &&
                    !(tlsext->messages & msg_type)) {
                        alert_desc = SSL_AD_ILLEGAL_PARAMETER;
                        goto err;
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
index a216de6e81..37957fd0ab 100644
--- a/src/lib/libssl/ssl_versions.c
+++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.13 2021/02/25 17:06:05 jsing Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.14 2021/03/10 18:27:02 jsing Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
 *
@@ -171,6 +171,30 @@ ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
        return 1;
 }
+uint16_t
+ssl_tls_version(uint16_t version)
+{
+        if (version == TLS1_VERSION || version == TLS1_1_VERSION ||
+            version == TLS1_2_VERSION || version == TLS1_3_VERSION)
+                return version;
+        if (version == DTLS1_VERSION)
+                return TLS1_1_VERSION;
+        if (version == DTLS1_2_VERSION)
+                return TLS1_2_VERSION;
+        return 0;
+}
+uint16_t
+ssl_effective_tls_version(SSL *s)
+{
+        if (S3I(s)->hs.negotiated_tls_version > 0)
+                return S3I(s)->hs.negotiated_tls_version;
+        return S3I(s)->hs.our_max_tls_version;
+}
 int
 ssl_max_supported_version(SSL *s, uint16_t *max_ver)
 {
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index a7c3bf2c00..4de3d3693b 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.73 2021/02/25 17:06:05 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.74 2021/03/10 18:27:02 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -31,12 +31,12 @@ tls13_client_init(struct tls13_ctx *ctx)
        size_t groups_len;
        SSL *s = ctx->ssl;
-        if (!ssl_supported_tls_version_range(s, &ctx->hs->min_version,
+        if (!ssl_supported_tls_version_range(s, &S3I(s)->hs.our_min_tls_version,
-            &ctx->hs->max_version)) {
+            &S3I(s)->hs.our_max_tls_version)) {
                SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
                return 0;
        }
-        s->client_version = s->version = ctx->hs->max_version;
+        s->client_version = s->version = S3I(s)->hs.our_max_tls_version;
        tls13_record_layer_set_retry_after_phh(ctx->rl,
            (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
@@ -64,7 +64,8 @@ tls13_client_init(struct tls13_ctx *ctx)
         * legacy session identifier triggers compatibility mode (see RFC 8446
         * Appendix D.4). In the pre-TLSv1.3 case a zero length value is used.
         */
-        if (ctx->middlebox_compat && ctx->hs->max_version >= TLS1_3_VERSION) {
+        if (ctx->middlebox_compat &&
+            S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION) {
                arc4random_buf(ctx->hs->legacy_session_id,
                    sizeof(ctx->hs->legacy_session_id));
                ctx->hs->legacy_session_id_len =
@@ -91,7 +92,7 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
        SSL *s = ctx->ssl;
        /* Legacy client version is capped at TLS 1.2. */
-        client_version = ctx->hs->max_version;
+        client_version = S3I(s)->hs.our_max_tls_version;
        if (client_version > TLS1_2_VERSION)
                client_version = TLS1_2_VERSION;
@@ -133,7 +134,9 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
 int
 tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-        if (ctx->hs->min_version < TLS1_2_VERSION)
+        SSL *s = ctx->ssl;
+        if (S3I(s)->hs.our_min_tls_version < TLS1_2_VERSION)
                tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION);
        /* We may receive a pre-TLSv1.3 alert in response to the client hello. */
@@ -228,7 +231,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                goto err;
        if (tls13_server_hello_is_legacy(cbs)) {
-                if (ctx->hs->max_version >= TLS1_3_VERSION) {
+                if (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION) {
                        /*
                         * RFC 8446 section 4.1.3: we must not downgrade if
                         * the server random value contains the TLS 1.2 or 1.1
@@ -280,6 +283,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                ctx->alert = TLS13_ALERT_PROTOCOL_VERSION;
                goto err;
        }
+        S3I(s)->hs.negotiated_tls_version = ctx->hs->server_version;
        /* The session_id must match. */
        if (!CBS_mem_equal(&session_id, ctx->hs->legacy_session_id,
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 715066fb59..29c63bcd06 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.70 2021/02/25 17:06:05 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.71 2021/03/10 18:27:02 jsing Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -29,12 +29,12 @@ tls13_server_init(struct tls13_ctx *ctx)
 {
        SSL *s = ctx->ssl;
-        if (!ssl_supported_tls_version_range(s, &ctx->hs->min_version,
+        if (!ssl_supported_tls_version_range(s, &S3I(s)->hs.our_min_tls_version,
-            &ctx->hs->max_version)) {
+            &S3I(s)->hs.our_max_tls_version)) {
                SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
                return 0;
        }
-        s->version = ctx->hs->max_version;
+        s->version = S3I(s)->hs.our_max_tls_version;
        tls13_record_layer_set_retry_after_phh(ctx->rl,
            (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
@@ -163,6 +163,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                        goto err;
                return tls13_use_legacy_server(ctx);
        }
+        S3I(s)->hs.negotiated_tls_version = TLS1_3_VERSION;
        /* Add decoded values to the current ClientHello hash */
        if (!tls13_clienthello_hash_init(ctx)) {