15 files changed, 126 insertions, 195 deletions
diff --git a/src/lib/libssl/bio_ssl.c b/src/lib/libssl/bio_ssl.c
index 460b09fd87..bb40b2a6f7 100644
--- a/src/lib/libssl/bio_ssl.c
+++ b/src/lib/libssl/bio_ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio_ssl.c,v 1.30 2021/06/11 11:13:53 jsing Exp $ */
+/* $OpenBSD: bio_ssl.c,v 1.31 2021/07/01 17:53:39 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -294,10 +294,10 @@ ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
                SSL_shutdown(ssl);
                if (ssl->internal->handshake_func ==
-                    ssl->method->internal->ssl_connect)
+                    ssl->method->ssl_connect)
                        SSL_set_connect_state(ssl);
                else if (ssl->internal->handshake_func ==
-                    ssl->method->internal->ssl_accept)
+                    ssl->method->ssl_accept)
                        SSL_set_accept_state(ssl);
                SSL_clear(ssl);
diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index 52189128c8..2e5e86641c 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.75 2021/06/11 17:29:48 jsing Exp $ */
+/* $OpenBSD: d1_both.c,v 1.76 2021/07/01 17:53:39 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -600,7 +600,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
                unsigned char devnull [256];
                while (frag_len) {
-                        i = s->method->internal->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
+                        i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
                            devnull, frag_len > sizeof(devnull) ?
                            sizeof(devnull) : frag_len, 0);
                        if (i <= 0)
@@ -612,7 +612,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
        }
        /* read the body of the fragment (header has already been read */
-        i = s->method->internal->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
+        i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
            frag->fragment + msg_hdr->frag_off, frag_len, 0);
        if (i <= 0 || (unsigned long)i != frag_len)
                goto err;
@@ -690,7 +690,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
                unsigned char devnull [256];
                while (frag_len) {
-                        i = s->method->internal->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
+                        i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
                            devnull, frag_len > sizeof(devnull) ?
                            sizeof(devnull) : frag_len, 0);
                        if (i <= 0)
@@ -712,7 +712,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
                if (frag_len) {
                        /* read the body of the fragment (header has already been read */
-                        i = s->method->internal->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
+                        i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
                            frag->fragment, frag_len, 0);
                        if (i <= 0 || (unsigned long)i != frag_len)
                                goto err;
@@ -756,7 +756,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
        }
        /* read handshake message header */
-        i = s->method->internal->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, wire,
+        i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, wire,
            DTLS1_HM_HEADER_LENGTH, 0);
        if (i <= 0)     /* nbio, or an error */
        {
@@ -825,7 +825,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
        if (frag_len > 0) {
                unsigned char *p = (unsigned char *)s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH;
-                i = s->method->internal->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
+                i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
                    &p[frag_off], frag_len, 0);
                /* XDTLS:  fix this--message fragments cannot span multiple packets */
                if (i <= 0) {
diff --git a/src/lib/libssl/d1_lib.c b/src/lib/libssl/d1_lib.c
index 66895a361f..6d9959ff43 100644
--- a/src/lib/libssl/d1_lib.c
+++ b/src/lib/libssl/d1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_lib.c,v 1.56 2021/06/19 16:52:47 jsing Exp $ */
+/* $OpenBSD: d1_lib.c,v 1.57 2021/07/01 17:53:39 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -100,7 +100,7 @@ dtls1_new(SSL *s)
        if (s->server)
                s->d1->internal->cookie_len = sizeof(D1I(s)->cookie);
-        s->method->internal->ssl_clear(s);
+        s->method->ssl_clear(s);
        return (1);
 err:
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 0cdf9edd2f..125c108f02 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.211 2021/06/30 18:07:50 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.212 2021/07/01 17:53:39 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1548,7 +1548,7 @@ ssl3_new(SSL *s)
                return (0);
        }
-        s->method->internal->ssl_clear(s);
+        s->method->ssl_clear(s);
        return (1);
 }
@@ -2688,7 +2688,7 @@ ssl3_shutdown(SSL *s)
                }
        } else if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) {
                /* If we are waiting for a close from our peer, we are closed */
-                s->method->internal->ssl_read_bytes(s, 0, NULL, 0, 0);
+                s->method->ssl_read_bytes(s, 0, NULL, 0, 0);
                if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) {
                        return(-1);     /* return WANT_READ */
                }
@@ -2709,8 +2709,8 @@ ssl3_write(SSL *s, const void *buf, int len)
        if (S3I(s)->renegotiate)
                ssl3_renegotiate_check(s);
-        return s->method->internal->ssl_write_bytes(s,
+        return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA,
-            SSL3_RT_APPLICATION_DATA, buf, len);
+            buf, len);
 }
 static int
@@ -2722,8 +2722,9 @@ ssl3_read_internal(SSL *s, void *buf, int len, int peek)
        if (S3I(s)->renegotiate)
                ssl3_renegotiate_check(s);
        S3I(s)->in_read_app_data = 1;
-        ret = s->method->internal->ssl_read_bytes(s,
-            SSL3_RT_APPLICATION_DATA, buf, len, peek);
+        ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len,
+            peek);
        if ((ret == -1) && (S3I(s)->in_read_app_data == 2)) {
                /*
                 * ssl3_read_bytes decided to call s->internal->handshake_func,
@@ -2733,8 +2734,8 @@ ssl3_read_internal(SSL *s, void *buf, int len, int peek)
                 * handshake processing and try to read application data again.
                 */
                s->internal->in_handshake++;
-                ret = s->method->internal->ssl_read_bytes(s,
+                ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA,
-                    SSL3_RT_APPLICATION_DATA, buf, len, peek);
+                    buf, len, peek);
                s->internal->in_handshake--;
        } else
                S3I(s)->in_read_app_data = 0;
diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c
index d3d4883b35..03c5a2f1e9 100644
--- a/src/lib/libssl/ssl_both.c
+++ b/src/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_both.c,v 1.32 2021/06/11 11:13:53 jsing Exp $ */
+/* $OpenBSD: ssl_both.c,v 1.33 2021/07/01 17:53:39 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -433,7 +433,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
                do {
                        while (s->internal->init_num < 4) {
-                                i = s->method->internal->ssl_read_bytes(s,
+                                i = s->method->ssl_read_bytes(s,
                                    SSL3_RT_HANDSHAKE, &p[s->internal->init_num],
                                    4 - s->internal->init_num, 0);
                                if (i <= 0) {
@@ -500,7 +500,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
        p = s->internal->init_msg;
        n = S3I(s)->hs.tls12.message_size - s->internal->init_num;
        while (n > 0) {
-                i = s->method->internal->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
+                i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
                    &p[s->internal->init_num], n, 0);
                if (i <= 0) {
                        s->internal->rwstate = SSL_READING;
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index dd46bf9423..bb4b700e0b 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.261 2021/06/19 16:52:47 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.262 2021/07/01 17:53:39 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -187,7 +187,7 @@ SSL_clear(SSL *s)
                return (0);
        }
-        s->version = s->method->internal->version;
+        s->version = s->method->version;
        s->client_version = s->version;
        s->internal->rwstate = SSL_NOTHING;
        s->internal->rstate = SSL_ST_READ_HEADER;
@@ -207,12 +207,12 @@ SSL_clear(SSL *s)
         */
        if (!s->internal->in_handshake && (s->session == NULL) &&
            (s->method != s->ctx->method)) {
-                s->method->internal->ssl_free(s);
+                s->method->ssl_free(s);
                s->method = s->ctx->method;
-                if (!s->method->internal->ssl_new(s))
+                if (!s->method->ssl_new(s))
                        return (0);
        } else
-                s->method->internal->ssl_clear(s);
+                s->method->ssl_clear(s);
        return (1);
 }
@@ -342,11 +342,11 @@ SSL_new(SSL_CTX *ctx)
        s->method = ctx->method;
-        if (!s->method->internal->ssl_new(s))
+        if (!s->method->ssl_new(s))
                goto err;
        s->references = 1;
-        s->server = ctx->method->internal->server;
+        s->server = ctx->method->server;
        SSL_clear(s);
@@ -566,7 +566,7 @@ SSL_free(SSL *s)
        sk_X509_NAME_pop_free(s->internal->client_CA, X509_NAME_free);
        if (s->method != NULL)
-                s->method->internal->ssl_free(s);
+                s->method->ssl_free(s);
        SSL_CTX_free(s->ctx);
@@ -811,7 +811,7 @@ SSL_get_read_ahead(const SSL *s)
 int
 SSL_pending(const SSL *s)
 {
-        return (s->method->internal->ssl_pending(s));
+        return (s->method->ssl_pending(s));
 }
 X509 *
@@ -866,9 +866,9 @@ SSL_copy_session_id(SSL *t, const SSL *f)
        /* What if we are set up for one protocol but want to talk another? */
        if (t->method != f->method) {
-                t->method->internal->ssl_free(t);
+                t->method->ssl_free(t);
                t->method = f->method;
-                if (!t->method->internal->ssl_new(t))
+                if (!t->method->ssl_new(t))
                        return 0;
        }
@@ -933,7 +933,7 @@ SSL_accept(SSL *s)
        if (s->internal->handshake_func == NULL)
                SSL_set_accept_state(s); /* Not properly initialized yet */
-        return (s->method->internal->ssl_accept(s));
+        return (s->method->ssl_accept(s));
 }
 int
@@ -942,13 +942,13 @@ SSL_connect(SSL *s)
        if (s->internal->handshake_func == NULL)
                SSL_set_connect_state(s); /* Not properly initialized yet */
-        return (s->method->internal->ssl_connect(s));
+        return (s->method->ssl_connect(s));
 }
 int
 SSL_is_dtls(const SSL *s)
 {
-        return s->method->internal->dtls;
+        return s->method->dtls;
 }
 int
@@ -1085,7 +1085,7 @@ SSL_shutdown(SSL *s)
        }
        if (s != NULL && !SSL_in_init(s))
-                return (s->method->internal->ssl_shutdown(s));
+                return (s->method->ssl_shutdown(s));
        return (1);
 }
@@ -1098,7 +1098,7 @@ SSL_renegotiate(SSL *s)
        s->internal->new_session = 1;
-        return (s->method->internal->ssl_renegotiate(s));
+        return (s->method->ssl_renegotiate(s));
 }
 int
@@ -1109,7 +1109,7 @@ SSL_renegotiate_abbreviated(SSL *s)
        s->internal->new_session = 0;
-        return (s->method->internal->ssl_renegotiate(s));
+        return (s->method->ssl_renegotiate(s));
 }
 int
@@ -1825,8 +1825,8 @@ SSL_CTX_new(const SSL_METHOD *meth)
        }
        ret->method = meth;
-        ret->internal->min_tls_version = meth->internal->min_tls_version;
+        ret->internal->min_tls_version = meth->min_tls_version;
-        ret->internal->max_tls_version = meth->internal->max_tls_version;
+        ret->internal->max_tls_version = meth->max_tls_version;
        ret->internal->min_proto_version = 0;
        ret->internal->max_proto_version = 0;
        ret->internal->mode = SSL_MODE_AUTO_RETRY;
@@ -2293,17 +2293,17 @@ SSL_set_ssl_method(SSL *s, const SSL_METHOD *method)
        if (s->method == method)
                return (ret);
-        if (s->internal->handshake_func == s->method->internal->ssl_connect)
+        if (s->internal->handshake_func == s->method->ssl_connect)
-                handshake_func = method->internal->ssl_connect;
+                handshake_func = method->ssl_connect;
-        else if (s->internal->handshake_func == s->method->internal->ssl_accept)
+        else if (s->internal->handshake_func == s->method->ssl_accept)
-                handshake_func = method->internal->ssl_accept;
+                handshake_func = method->ssl_accept;
-        if (s->method->internal->version == method->internal->version) {
+        if (s->method->version == method->version) {
                s->method = method;
        } else {
-                s->method->internal->ssl_free(s);
+                s->method->ssl_free(s);
                s->method = method;
-                ret = s->method->internal->ssl_new(s);
+                ret = s->method->ssl_new(s);
        }
        s->internal->handshake_func = handshake_func;
@@ -2398,7 +2398,7 @@ SSL_do_handshake(SSL *s)
                return (-1);
        }
-        s->method->internal->ssl_renegotiate_check(s);
+        s->method->ssl_renegotiate_check(s);
        if (SSL_in_init(s) || SSL_in_before(s)) {
                ret = s->internal->handshake_func(s);
@@ -2416,7 +2416,7 @@ SSL_set_accept_state(SSL *s)
        s->server = 1;
        s->internal->shutdown = 0;
        S3I(s)->hs.state = SSL_ST_ACCEPT|SSL_ST_BEFORE;
-        s->internal->handshake_func = s->method->internal->ssl_accept;
+        s->internal->handshake_func = s->method->ssl_accept;
        ssl_clear_cipher_state(s);
 }
@@ -2426,7 +2426,7 @@ SSL_set_connect_state(SSL *s)
        s->server = 0;
        s->internal->shutdown = 0;
        S3I(s)->hs.state = SSL_ST_CONNECT|SSL_ST_BEFORE;
-        s->internal->handshake_func = s->method->internal->ssl_connect;
+        s->internal->handshake_func = s->method->ssl_connect;
        ssl_clear_cipher_state(s);
 }
@@ -2503,9 +2503,9 @@ SSL_dup(SSL *s)
                 * and thus we can't use SSL_copy_session_id.
                 */
-                ret->method->internal->ssl_free(ret);
+                ret->method->ssl_free(ret);
                ret->method = s->method;
-                ret->method->internal->ssl_new(ret);
+                ret->method->ssl_new(ret);
                ssl_cert_free(ret->cert);
                if ((ret->cert = ssl_cert_dup(s->cert)) == NULL)
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 10fa9b6c17..6ffc2e053c 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.353 2021/06/30 18:04:06 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.354 2021/07/01 17:53:39 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -319,19 +319,19 @@ __BEGIN_HIDDEN_DECLS
 /* See if we use signature algorithms extension. */
 #define SSL_USE_SIGALGS(s) \
-        (s->method->internal->enc_flags & SSL_ENC_FLAG_SIGALGS)
+        (s->method->enc_flags & SSL_ENC_FLAG_SIGALGS)
 /* See if we use SHA256 default PRF. */
 #define SSL_USE_SHA256_PRF(s) \
-        (s->method->internal->enc_flags & SSL_ENC_FLAG_SHA256_PRF)
+        (s->method->enc_flags & SSL_ENC_FLAG_SHA256_PRF)
 /* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */
 #define SSL_USE_TLS1_2_CIPHERS(s) \
-        (s->method->internal->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)
+        (s->method->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)
 /* Allow TLS 1.3 ciphersuites only. */
 #define SSL_USE_TLS1_3_CIPHERS(s) \
-        (s->method->internal->enc_flags & SSL_ENC_FLAG_TLS1_3_CIPHERS)
+        (s->method->enc_flags & SSL_ENC_FLAG_TLS1_3_CIPHERS)
 #define SSL_PKEY_RSA            0
 #define SSL_PKEY_ECC            1
@@ -378,7 +378,7 @@ struct ssl_cipher_st {
        int alg_bits;                   /* Number of bits for algorithm */
 };
-typedef struct ssl_method_internal_st {
+struct ssl_method_st {
        int dtls;
        int server;
        int version;
@@ -402,17 +402,13 @@ typedef struct ssl_method_internal_st {
            int peek);
        int (*ssl_write_bytes)(SSL *s, int type, const void *buf_, int len);
-        unsigned int enc_flags;         /* SSL_ENC_FLAG_* */
-} SSL_METHOD_INTERNAL;
-struct ssl_method_st {
        int (*ssl_dispatch_alert)(SSL *s);
        int (*num_ciphers)(void);
        const SSL_CIPHER *(*get_cipher)(unsigned int ncipher);
        const SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
        int (*put_cipher_by_char)(const SSL_CIPHER *cipher, unsigned char *ptr);
-        const struct ssl_method_internal_st *internal;
+        unsigned int enc_flags;         /* SSL_ENC_FLAG_* */
 };
 typedef struct ssl_session_internal_st {
diff --git a/src/lib/libssl/ssl_methods.c b/src/lib/libssl/ssl_methods.c
index f1a59cd738..a3097c37b9 100644
--- a/src/lib/libssl/ssl_methods.c
+++ b/src/lib/libssl/ssl_methods.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_methods.c,v 1.25 2021/05/16 13:56:31 jsing Exp $ */
+/* $OpenBSD: ssl_methods.c,v 1.26 2021/07/01 17:53:39 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -60,7 +60,7 @@
 #include "ssl_locl.h"
 #include "tls13_internal.h"
-static const SSL_METHOD_INTERNAL DTLS_method_internal_data = {
+static const SSL_METHOD DTLS_method_data = {
        .dtls = 1,
        .server = 1,
        .version = DTLS1_2_VERSION,
@@ -77,19 +77,15 @@ static const SSL_METHOD_INTERNAL DTLS_method_internal_data = {
        .ssl_pending = ssl3_pending,
        .ssl_read_bytes = dtls1_read_bytes,
        .ssl_write_bytes = dtls1_write_app_data_bytes,
-        .enc_flags = TLSV1_2_ENC_FLAGS,
-};
-static const SSL_METHOD DTLS_method_data = {
        .ssl_dispatch_alert = dtls1_dispatch_alert,
        .num_ciphers = ssl3_num_ciphers,
        .get_cipher = dtls1_get_cipher,
        .get_cipher_by_char = ssl3_get_cipher_by_char,
        .put_cipher_by_char = ssl3_put_cipher_by_char,
-        .internal = &DTLS_method_internal_data,
+        .enc_flags = TLSV1_2_ENC_FLAGS,
 };
-static const SSL_METHOD_INTERNAL DTLS_client_method_internal_data = {
+static const SSL_METHOD DTLS_client_method_data = {
        .dtls = 1,
        .server = 0,
        .version = DTLS1_2_VERSION,
@@ -106,19 +102,15 @@ static const SSL_METHOD_INTERNAL DTLS_client_method_internal_data = {
        .ssl_pending = ssl3_pending,
        .ssl_read_bytes = dtls1_read_bytes,
        .ssl_write_bytes = dtls1_write_app_data_bytes,
-        .enc_flags = TLSV1_2_ENC_FLAGS,
-};
-static const SSL_METHOD DTLS_client_method_data = {
        .ssl_dispatch_alert = dtls1_dispatch_alert,
        .num_ciphers = ssl3_num_ciphers,
        .get_cipher = dtls1_get_cipher,
        .get_cipher_by_char = ssl3_get_cipher_by_char,
        .put_cipher_by_char = ssl3_put_cipher_by_char,
-        .internal = &DTLS_client_method_internal_data,
+        .enc_flags = TLSV1_2_ENC_FLAGS,
 };
-static const SSL_METHOD_INTERNAL DTLSv1_method_internal_data = {
+static const SSL_METHOD DTLSv1_method_data = {
        .dtls = 1,
        .server = 1,
        .version = DTLS1_VERSION,
@@ -135,19 +127,15 @@ static const SSL_METHOD_INTERNAL DTLSv1_method_internal_data = {
        .ssl_pending = ssl3_pending,
        .ssl_read_bytes = dtls1_read_bytes,
        .ssl_write_bytes = dtls1_write_app_data_bytes,
-        .enc_flags = TLSV1_1_ENC_FLAGS,
-};
-static const SSL_METHOD DTLSv1_method_data = {
        .ssl_dispatch_alert = dtls1_dispatch_alert,
        .num_ciphers = ssl3_num_ciphers,
        .get_cipher = dtls1_get_cipher,
        .get_cipher_by_char = ssl3_get_cipher_by_char,
        .put_cipher_by_char = ssl3_put_cipher_by_char,
-        .internal = &DTLSv1_method_internal_data,
+        .enc_flags = TLSV1_1_ENC_FLAGS,
 };
-static const SSL_METHOD_INTERNAL DTLSv1_client_method_internal_data = {
+static const SSL_METHOD DTLSv1_client_method_data = {
        .dtls = 1,
        .server = 0,
        .version = DTLS1_VERSION,
@@ -164,19 +152,15 @@ static const SSL_METHOD_INTERNAL DTLSv1_client_method_internal_data = {
        .ssl_pending = ssl3_pending,
        .ssl_read_bytes = dtls1_read_bytes,
        .ssl_write_bytes = dtls1_write_app_data_bytes,
-        .enc_flags = TLSV1_1_ENC_FLAGS,
-};
-static const SSL_METHOD DTLSv1_client_method_data = {
        .ssl_dispatch_alert = dtls1_dispatch_alert,
        .num_ciphers = ssl3_num_ciphers,
        .get_cipher = dtls1_get_cipher,
        .get_cipher_by_char = ssl3_get_cipher_by_char,
        .put_cipher_by_char = ssl3_put_cipher_by_char,
-        .internal = &DTLSv1_client_method_internal_data,
+        .enc_flags = TLSV1_1_ENC_FLAGS,
 };
-static const SSL_METHOD_INTERNAL DTLSv1_2_method_internal_data = {
+static const SSL_METHOD DTLSv1_2_method_data = {
        .dtls = 1,
        .server = 1,
        .version = DTLS1_2_VERSION,
@@ -193,19 +177,15 @@ static const SSL_METHOD_INTERNAL DTLSv1_2_method_internal_data = {
        .ssl_pending = ssl3_pending,
        .ssl_read_bytes = dtls1_read_bytes,
        .ssl_write_bytes = dtls1_write_app_data_bytes,
-        .enc_flags = TLSV1_2_ENC_FLAGS,
-};
-static const SSL_METHOD DTLSv1_2_method_data = {
        .ssl_dispatch_alert = dtls1_dispatch_alert,
        .num_ciphers = ssl3_num_ciphers,
        .get_cipher = dtls1_get_cipher,
        .get_cipher_by_char = ssl3_get_cipher_by_char,
        .put_cipher_by_char = ssl3_put_cipher_by_char,
-        .internal = &DTLSv1_2_method_internal_data,
+        .enc_flags = TLSV1_2_ENC_FLAGS,
 };
-static const SSL_METHOD_INTERNAL DTLSv1_2_client_method_internal_data = {
+static const SSL_METHOD DTLSv1_2_client_method_data = {
        .dtls = 1,
        .server = 0,
        .version = DTLS1_2_VERSION,
@@ -222,16 +202,12 @@ static const SSL_METHOD_INTERNAL DTLSv1_2_client_method_internal_data = {
        .ssl_pending = ssl3_pending,
        .ssl_read_bytes = dtls1_read_bytes,
        .ssl_write_bytes = dtls1_write_app_data_bytes,
-        .enc_flags = TLSV1_2_ENC_FLAGS,
-};
-static const SSL_METHOD DTLSv1_2_client_method_data = {
        .ssl_dispatch_alert = dtls1_dispatch_alert,
        .num_ciphers = ssl3_num_ciphers,
        .get_cipher = dtls1_get_cipher,
        .get_cipher_by_char = ssl3_get_cipher_by_char,
        .put_cipher_by_char = ssl3_put_cipher_by_char,
-        .internal = &DTLSv1_2_client_method_internal_data,
+        .enc_flags = TLSV1_2_ENC_FLAGS,
 };
 const SSL_METHOD *
@@ -289,7 +265,7 @@ DTLS_server_method(void)
 }
 #if defined(LIBRESSL_HAS_TLS1_3_CLIENT) && defined(LIBRESSL_HAS_TLS1_3_SERVER)
-static const SSL_METHOD_INTERNAL TLS_method_internal_data = {
+static const SSL_METHOD TLS_method_data = {
        .dtls = 0,
        .server = 1,
        .version = TLS1_3_VERSION,
@@ -306,20 +282,16 @@ static const SSL_METHOD_INTERNAL TLS_method_internal_data = {
        .ssl_pending = tls13_legacy_pending,
        .ssl_read_bytes = tls13_legacy_read_bytes,
        .ssl_write_bytes = tls13_legacy_write_bytes,
-        .enc_flags = TLSV1_3_ENC_FLAGS,
-};
-static const SSL_METHOD TLS_method_data = {
        .ssl_dispatch_alert = ssl3_dispatch_alert,
        .num_ciphers = ssl3_num_ciphers,
        .get_cipher = ssl3_get_cipher,
        .get_cipher_by_char = ssl3_get_cipher_by_char,
        .put_cipher_by_char = ssl3_put_cipher_by_char,
-        .internal = &TLS_method_internal_data,
+        .enc_flags = TLSV1_3_ENC_FLAGS,
 };
 #endif
-static const SSL_METHOD_INTERNAL TLS_legacy_method_internal_data = {
+static const SSL_METHOD TLS_legacy_method_data = {
        .dtls = 0,
        .server = 1,
        .version = TLS1_2_VERSION,
@@ -336,20 +308,16 @@ static const SSL_METHOD_INTERNAL TLS_legacy_method_internal_data = {
        .ssl_pending = ssl3_pending,
        .ssl_read_bytes = ssl3_read_bytes,
        .ssl_write_bytes = ssl3_write_bytes,
-        .enc_flags = TLSV1_2_ENC_FLAGS,
-};
-static const SSL_METHOD TLS_legacy_method_data = {
        .ssl_dispatch_alert = ssl3_dispatch_alert,
        .num_ciphers = ssl3_num_ciphers,
        .get_cipher = ssl3_get_cipher,
        .get_cipher_by_char = ssl3_get_cipher_by_char,
        .put_cipher_by_char = ssl3_put_cipher_by_char,
-        .internal = &TLS_legacy_method_internal_data,
+        .enc_flags = TLSV1_2_ENC_FLAGS,
 };
 #if defined(LIBRESSL_HAS_TLS1_3_CLIENT)
-static const SSL_METHOD_INTERNAL TLS_client_method_internal_data = {
+static const SSL_METHOD TLS_client_method_data = {
        .dtls = 0,
        .server = 0,
        .version = TLS1_3_VERSION,
@@ -366,21 +334,17 @@ static const SSL_METHOD_INTERNAL TLS_client_method_internal_data = {
        .ssl_pending = tls13_legacy_pending,
        .ssl_read_bytes = tls13_legacy_read_bytes,
        .ssl_write_bytes = tls13_legacy_write_bytes,
-        .enc_flags = TLSV1_3_ENC_FLAGS,
-};
-static const SSL_METHOD TLS_client_method_data = {
        .ssl_dispatch_alert = ssl3_dispatch_alert,
        .num_ciphers = ssl3_num_ciphers,
        .get_cipher = ssl3_get_cipher,
        .get_cipher_by_char = ssl3_get_cipher_by_char,
        .put_cipher_by_char = ssl3_put_cipher_by_char,
-        .internal = &TLS_client_method_internal_data,
+        .enc_flags = TLSV1_3_ENC_FLAGS,
 };
 #else
-static const SSL_METHOD_INTERNAL TLS_legacy_client_method_internal_data = {
+static const SSL_METHOD TLS_legacy_client_method_data = {
        .dtls = 0,
        .server = 0,
        .version = TLS1_2_VERSION,
@@ -397,20 +361,16 @@ static const SSL_METHOD_INTERNAL TLS_legacy_client_method_internal_data = {
        .ssl_pending = ssl3_pending,
        .ssl_read_bytes = ssl3_read_bytes,
        .ssl_write_bytes = ssl3_write_bytes,
-        .enc_flags = TLSV1_2_ENC_FLAGS,
-};
-static const SSL_METHOD TLS_legacy_client_method_data = {
        .ssl_dispatch_alert = ssl3_dispatch_alert,
        .num_ciphers = ssl3_num_ciphers,
        .get_cipher = ssl3_get_cipher,
        .get_cipher_by_char = ssl3_get_cipher_by_char,
        .put_cipher_by_char = ssl3_put_cipher_by_char,
-        .internal = &TLS_legacy_client_method_internal_data,
+        .enc_flags = TLSV1_2_ENC_FLAGS,
 };
 #endif
-static const SSL_METHOD_INTERNAL TLSv1_method_internal_data = {
+static const SSL_METHOD TLSv1_method_data = {
        .dtls = 0,
        .server = 1,
        .version = TLS1_VERSION,
@@ -427,19 +387,15 @@ static const SSL_METHOD_INTERNAL TLSv1_method_internal_data = {
        .ssl_pending = ssl3_pending,
        .ssl_read_bytes = ssl3_read_bytes,
        .ssl_write_bytes = ssl3_write_bytes,
-        .enc_flags = TLSV1_ENC_FLAGS,
-};
-static const SSL_METHOD TLSv1_method_data = {
        .ssl_dispatch_alert = ssl3_dispatch_alert,
        .num_ciphers = ssl3_num_ciphers,
        .get_cipher = ssl3_get_cipher,
        .get_cipher_by_char = ssl3_get_cipher_by_char,
        .put_cipher_by_char = ssl3_put_cipher_by_char,
-        .internal = &TLSv1_method_internal_data,
+        .enc_flags = TLSV1_ENC_FLAGS,
 };
-static const SSL_METHOD_INTERNAL TLSv1_client_method_internal_data = {
+static const SSL_METHOD TLSv1_client_method_data = {
        .dtls = 0,
        .server = 0,
        .version = TLS1_VERSION,
@@ -456,19 +412,15 @@ static const SSL_METHOD_INTERNAL TLSv1_client_method_internal_data = {
        .ssl_pending = ssl3_pending,
        .ssl_read_bytes = ssl3_read_bytes,
        .ssl_write_bytes = ssl3_write_bytes,
-        .enc_flags = TLSV1_ENC_FLAGS,
-};
-static const SSL_METHOD TLSv1_client_method_data = {
        .ssl_dispatch_alert = ssl3_dispatch_alert,
        .num_ciphers = ssl3_num_ciphers,
        .get_cipher = ssl3_get_cipher,
        .get_cipher_by_char = ssl3_get_cipher_by_char,
        .put_cipher_by_char = ssl3_put_cipher_by_char,
-        .internal = &TLSv1_client_method_internal_data,
+        .enc_flags = TLSV1_ENC_FLAGS,
 };
-static const SSL_METHOD_INTERNAL TLSv1_1_method_internal_data = {
+static const SSL_METHOD TLSv1_1_method_data = {
        .dtls = 0,
        .server = 1,
        .version = TLS1_1_VERSION,
@@ -485,19 +437,15 @@ static const SSL_METHOD_INTERNAL TLSv1_1_method_internal_data = {
        .ssl_pending = ssl3_pending,
        .ssl_read_bytes = ssl3_read_bytes,
        .ssl_write_bytes = ssl3_write_bytes,
-        .enc_flags = TLSV1_1_ENC_FLAGS,
-};
-static const SSL_METHOD TLSv1_1_method_data = {
        .ssl_dispatch_alert = ssl3_dispatch_alert,
        .num_ciphers = ssl3_num_ciphers,
        .get_cipher = ssl3_get_cipher,
        .get_cipher_by_char = ssl3_get_cipher_by_char,
        .put_cipher_by_char = ssl3_put_cipher_by_char,
-        .internal = &TLSv1_1_method_internal_data,
+        .enc_flags = TLSV1_1_ENC_FLAGS,
 };
-static const SSL_METHOD_INTERNAL TLSv1_1_client_method_internal_data = {
+static const SSL_METHOD TLSv1_1_client_method_data = {
        .dtls = 0,
        .server = 0,
        .version = TLS1_1_VERSION,
@@ -514,19 +462,15 @@ static const SSL_METHOD_INTERNAL TLSv1_1_client_method_internal_data = {
        .ssl_pending = ssl3_pending,
        .ssl_read_bytes = ssl3_read_bytes,
        .ssl_write_bytes = ssl3_write_bytes,
-        .enc_flags = TLSV1_1_ENC_FLAGS,
-};
-static const SSL_METHOD TLSv1_1_client_method_data = {
        .ssl_dispatch_alert = ssl3_dispatch_alert,
        .num_ciphers = ssl3_num_ciphers,
        .get_cipher = ssl3_get_cipher,
        .get_cipher_by_char = ssl3_get_cipher_by_char,
        .put_cipher_by_char = ssl3_put_cipher_by_char,
-        .internal = &TLSv1_1_client_method_internal_data,
+        .enc_flags = TLSV1_1_ENC_FLAGS,
 };
-static const SSL_METHOD_INTERNAL TLSv1_2_method_internal_data = {
+static const SSL_METHOD TLSv1_2_method_data = {
        .dtls = 0,
        .server = 1,
        .version = TLS1_2_VERSION,
@@ -543,19 +487,15 @@ static const SSL_METHOD_INTERNAL TLSv1_2_method_internal_data = {
        .ssl_pending = ssl3_pending,
        .ssl_read_bytes = ssl3_read_bytes,
        .ssl_write_bytes = ssl3_write_bytes,
-        .enc_flags = TLSV1_2_ENC_FLAGS,
-};
-static const SSL_METHOD TLSv1_2_method_data = {
        .ssl_dispatch_alert = ssl3_dispatch_alert,
        .num_ciphers = ssl3_num_ciphers,
        .get_cipher = ssl3_get_cipher,
        .get_cipher_by_char = ssl3_get_cipher_by_char,
        .put_cipher_by_char = ssl3_put_cipher_by_char,
-        .internal = &TLSv1_2_method_internal_data,
+        .enc_flags = TLSV1_2_ENC_FLAGS,
 };
-static const SSL_METHOD_INTERNAL TLSv1_2_client_method_internal_data = {
+static const SSL_METHOD TLSv1_2_client_method_data = {
        .dtls = 0,
        .server = 0,
        .version = TLS1_2_VERSION,
@@ -572,16 +512,12 @@ static const SSL_METHOD_INTERNAL TLSv1_2_client_method_internal_data = {
        .ssl_pending = ssl3_pending,
        .ssl_read_bytes = ssl3_read_bytes,
        .ssl_write_bytes = ssl3_write_bytes,
-        .enc_flags = TLSV1_2_ENC_FLAGS,
-};
-static const SSL_METHOD TLSv1_2_client_method_data = {
        .ssl_dispatch_alert = ssl3_dispatch_alert,
        .num_ciphers = ssl3_num_ciphers,
        .get_cipher = ssl3_get_cipher,
        .get_cipher_by_char = ssl3_get_cipher_by_char,
        .put_cipher_by_char = ssl3_put_cipher_by_char,
-        .internal = &TLSv1_2_client_method_internal_data,
+        .enc_flags = TLSV1_2_ENC_FLAGS,
 };
 const SSL_METHOD *
diff --git a/src/lib/libssl/ssl_packet.c b/src/lib/libssl/ssl_packet.c
index 0a0c5a29df..af56dcef7f 100644
--- a/src/lib/libssl/ssl_packet.c
+++ b/src/lib/libssl/ssl_packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_packet.c,v 1.11 2021/05/16 14:10:43 jsing Exp $ */
+/* $OpenBSD: ssl_packet.c,v 1.12 2021/07/01 17:53:39 jsing Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
 *
@@ -246,8 +246,7 @@ ssl_server_legacy_first_packet(SSL *s)
                return 1;
        /* Only continue if this is not a version locked method. */
-        if (s->method->internal->min_tls_version ==
+        if (s->method->min_tls_version == s->method->max_tls_version)
-            s->method->internal->max_tls_version)
                return 1;
        if (ssl_is_sslv2_client_hello(&header) == 1) {
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
index 68e69ebca3..c633b58c25 100644
--- a/src/lib/libssl/ssl_versions.c
+++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.19 2021/06/27 16:54:14 jsing Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.20 2021/07/01 17:53:39 jsing Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
 *
@@ -61,7 +61,7 @@ ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver,
        uint16_t min_proto, min_version, max_version;
        if (proto_ver == 0) {
-                *out_tls_ver = meth->internal->min_tls_version;
+                *out_tls_ver = meth->min_tls_version;
                *out_proto_ver = 0;
                return 1;
        }
@@ -69,17 +69,17 @@ ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver,
        min_version = proto_ver;
        max_version = max_tls_ver;
-        if (meth->internal->dtls) {
+        if (meth->dtls) {
                if ((min_version = ssl_dtls_to_tls_version(proto_ver)) == 0)
                        return 0;
        }
        if (!ssl_clamp_tls_version_range(&min_version, &max_version,
-            meth->internal->min_tls_version, meth->internal->max_tls_version))
+            meth->min_tls_version, meth->max_tls_version))
                return 0;
        min_proto = min_version;
-        if (meth->internal->dtls) {
+        if (meth->dtls) {
                if ((min_proto = ssl_tls_to_dtls_version(min_version)) == 0)
                        return 0;
        }
@@ -96,7 +96,7 @@ ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver,
        uint16_t max_proto, min_version, max_version;
        if (proto_ver == 0) {
-                *out_tls_ver = meth->internal->max_tls_version;
+                *out_tls_ver = meth->max_tls_version;
                *out_proto_ver = 0;
                return 1;
        }
@@ -104,17 +104,17 @@ ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver,
        min_version = min_tls_ver;
        max_version = proto_ver;
-        if (meth->internal->dtls) {
+        if (meth->dtls) {
                if ((max_version = ssl_dtls_to_tls_version(proto_ver)) == 0)
                        return 0;
        }
        if (!ssl_clamp_tls_version_range(&min_version, &max_version,
-            meth->internal->min_tls_version, meth->internal->max_tls_version))
+            meth->min_tls_version, meth->max_tls_version))
                return 0;
        max_proto = max_version;
-        if (meth->internal->dtls) {
+        if (meth->dtls) {
                if ((max_proto = ssl_tls_to_dtls_version(max_version)) == 0)
                        return 0;
        }
@@ -195,8 +195,7 @@ ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
        /* Limit to the versions supported by this method. */
        if (!ssl_clamp_tls_version_range(&min_version, &max_version,
-            s->method->internal->min_tls_version,
+            s->method->min_tls_version, s->method->max_tls_version))
-            s->method->internal->max_tls_version))
                return 0;
        if (min_ver != NULL)
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 15afb1bae8..65e2063398 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.150 2021/06/13 15:34:41 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.151 2021/07/01 17:53:39 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -389,7 +389,7 @@ tls1_setup_key_block(SSL *s)
        key_block = NULL;
        if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) &&
-            s->method->internal->version <= TLS1_VERSION) {
+            s->method->version <= TLS1_VERSION) {
                /*
                 * Enable vulnerability countermeasure for CBC ciphers with
                 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 72958b7c56..3cb2d8a113 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.181 2021/06/11 11:13:53 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.182 2021/07/01 17:53:39 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -129,7 +129,7 @@ tls1_new(SSL *s)
 {
        if (!ssl3_new(s))
                return (0);
-        s->method->internal->ssl_clear(s);
+        s->method->ssl_clear(s);
        return (1);
 }
@@ -147,7 +147,7 @@ void
 tls1_clear(SSL *s)
 {
        ssl3_clear(s);
-        s->version = s->method->internal->version;
+        s->version = s->method->version;
 }
 static const int nid_list[] = {
diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c
index 55fefe544f..310a2116b8 100644
--- a/src/lib/libssl/tls13_handshake.c
+++ b/src/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_handshake.c,v 1.68 2021/06/28 18:48:56 tb Exp $ */
+/*      $OpenBSD: tls13_handshake.c,v 1.69 2021/07/01 17:53:39 jsing Exp $      */
 /*
 * Copyright (c) 2018-2021 Theo Buehler <tb@openbsd.org>
 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -535,7 +535,7 @@ tls13_handshake_recv_action(struct tls13_ctx *ctx,
        tls13_handshake_msg_free(ctx->hs_msg);
        ctx->hs_msg = NULL;
-        if (ctx->ssl->method->internal->version < TLS1_3_VERSION)
+        if (ctx->ssl->method->version < TLS1_3_VERSION)
                return TLS13_IO_USE_LEGACY;
        return ret;
diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c
index cd9ec9942d..beb8952402 100644
--- a/src/lib/libssl/tls13_legacy.c
+++ b/src/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_legacy.c,v 1.25 2021/06/28 15:36:51 tb Exp $ */
+/*      $OpenBSD: tls13_legacy.c,v 1.26 2021/07/01 17:53:39 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -358,8 +358,8 @@ tls13_use_legacy_client(struct tls13_ctx *ctx)
        if (!tls13_use_legacy_stack(ctx))
                return 0;
-        s->internal->handshake_func = s->method->internal->ssl_connect;
+        s->internal->handshake_func = s->method->ssl_connect;
-        s->client_version = s->version = s->method->internal->max_tls_version;
+        s->client_version = s->version = s->method->max_tls_version;
        return 1;
 }
@@ -372,8 +372,8 @@ tls13_use_legacy_server(struct tls13_ctx *ctx)
        if (!tls13_use_legacy_stack(ctx))
                return 0;
-        s->internal->handshake_func = s->method->internal->ssl_accept;
+        s->internal->handshake_func = s->method->ssl_accept;
-        s->client_version = s->version = s->method->internal->max_tls_version;
+        s->client_version = s->version = s->method->max_tls_version;
        s->server = 1;
        return 1;
@@ -405,7 +405,7 @@ tls13_legacy_accept(SSL *ssl)
        ret = tls13_server_accept(ctx);
        if (ret == TLS13_IO_USE_LEGACY)
-                return ssl->method->internal->ssl_accept(ssl);
+                return ssl->method->ssl_accept(ssl);
        return tls13_legacy_return_code(ssl, ret);
 }
@@ -420,7 +420,7 @@ tls13_legacy_connect(SSL *ssl)
        /* XXX drop back to legacy for client auth for now */
        if (ssl->cert->key->privatekey != NULL) {
                ssl->method = tls_legacy_client_method();
-                return ssl->method->internal->ssl_connect(ssl);
+                return ssl->method->ssl_connect(ssl);
        }
 #endif
@@ -444,7 +444,7 @@ tls13_legacy_connect(SSL *ssl)
        ret = tls13_client_connect(ctx);
        if (ret == TLS13_IO_USE_LEGACY)
-                return ssl->method->internal->ssl_connect(ssl);
+                return ssl->method->ssl_connect(ssl);
        return tls13_legacy_return_code(ssl, ret);
 }
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index ff410fbb34..d2c7abbf7c 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.83 2021/06/29 19:20:39 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.84 2021/07/01 17:53:39 jsing Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -282,7 +282,7 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
                goto err;
        /* See if we switched back to the legacy client method. */
-        if (s->method->internal->version < TLS1_3_VERSION)
+        if (s->method->version < TLS1_3_VERSION)
                return 1;
        /*
@@ -460,7 +460,7 @@ tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs)
                return 0;
        /* XXX - need further checks. */
-        if (s->method->internal->version < TLS1_3_VERSION)
+        if (s->method->version < TLS1_3_VERSION)
                return 0;
        ctx->hs->tls13.hrr = 0;