9 files changed, 227 insertions, 226 deletions

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 75f71c4c7d..5e39907d9c 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.204 2021/02/07 15:26:32 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.205 2021/03/21 18:36:34 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1565,10 +1565,10 @@ ssl3_free(SSL *s)
         EC_KEY_free(S3I(s)->tmp.ecdh);
         freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
 
-        tls13_key_share_free(S3I(s)->hs_tls13.key_share);
-        tls13_secrets_destroy(S3I(s)->hs_tls13.secrets);
-        freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
-        tls13_clienthello_hash_clear(&S3I(s)->hs_tls13);
+        tls13_key_share_free(S3I(s)->hs.tls13.key_share);
+        tls13_secrets_destroy(S3I(s)->hs.tls13.secrets);
+        freezero(S3I(s)->hs.tls13.cookie, S3I(s)->hs.tls13.cookie_len);
+        tls13_clienthello_hash_clear(&S3I(s)->hs.tls13);
 
         sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
 
@@ -1605,15 +1605,15 @@ ssl3_clear(SSL *s)
         S3I(s)->hs.sigalgs = NULL;
         S3I(s)->hs.sigalgs_len = 0;
 
-        tls13_key_share_free(S3I(s)->hs_tls13.key_share);
-        S3I(s)->hs_tls13.key_share = NULL;
+        tls13_key_share_free(S3I(s)->hs.tls13.key_share);
+        S3I(s)->hs.tls13.key_share = NULL;
 
-        tls13_secrets_destroy(S3I(s)->hs_tls13.secrets);
-        S3I(s)->hs_tls13.secrets = NULL;
-        freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
-        S3I(s)->hs_tls13.cookie = NULL;
-        S3I(s)->hs_tls13.cookie_len = 0;
-        tls13_clienthello_hash_clear(&S3I(s)->hs_tls13);
+        tls13_secrets_destroy(S3I(s)->hs.tls13.secrets);
+        S3I(s)->hs.tls13.secrets = NULL;
+        freezero(S3I(s)->hs.tls13.cookie, S3I(s)->hs.tls13.cookie_len);
+        S3I(s)->hs.tls13.cookie = NULL;
+        S3I(s)->hs.tls13.cookie_len = 0;
+        tls13_clienthello_hash_clear(&S3I(s)->hs.tls13);
 
         S3I(s)->hs.extensions_seen = 0;
 
@@ -1678,8 +1678,8 @@ _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key)
         } else if (sc->peer_x25519_tmp != NULL) {
                 if (!ssl_kex_dummy_ecdhe_x25519(pkey))
                         goto err;
-        } else if (S3I(s)->hs_tls13.key_share != NULL) {
-                if (!tls13_key_share_peer_pkey(S3I(s)->hs_tls13.key_share,
+        } else if (S3I(s)->hs.tls13.key_share != NULL) {
+                if (!tls13_key_share_peer_pkey(S3I(s)->hs.tls13.key_share,
                     pkey))
                         goto err;
         } else {
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 99b72cc65e..33eb3bba7d 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.327 2021/03/17 17:42:53 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.328 2021/03/21 18:36:34 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -410,6 +410,44 @@ typedef struct ssl_session_internal_st {
 } SSL_SESSION_INTERNAL;
 #define SSI(s) (s->session->internal)
 
+typedef struct cert_pkey_st {
+        X509 *x509;
+        EVP_PKEY *privatekey;
+        STACK_OF(X509) *chain;
+} CERT_PKEY;
+
+typedef struct ssl_handshake_tls13_st {
+        int use_legacy;
+        int hrr;
+
+        /* Certificate and sigalg selected for use (static pointers). */
+        const CERT_PKEY *cpk;
+        const struct ssl_sigalg *sigalg;
+
+        /* Version proposed by peer server. */
+        uint16_t server_version;
+
+        uint16_t server_group;
+        struct tls13_key_share *key_share;
+        struct tls13_secrets *secrets;
+
+        uint8_t *cookie;
+        size_t cookie_len;
+
+        /* Preserved transcript hash. */
+        uint8_t transcript_hash[EVP_MAX_MD_SIZE];
+        size_t transcript_hash_len;
+
+        /* Legacy session ID. */
+        uint8_t legacy_session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
+        size_t legacy_session_id_len;
+
+        /* ClientHello hash, used to validate following HelloRetryRequest */
+        EVP_MD_CTX *clienthello_md_ctx;
+        unsigned char *clienthello_hash;
+        unsigned int clienthello_hash_len;
+} SSL_HANDSHAKE_TLS13;
+
 typedef struct ssl_handshake_st {
         /*
          * Minimum and maximum versions supported for this handshake. These are
@@ -428,6 +466,8 @@ typedef struct ssl_handshake_st {
          */
         uint16_t negotiated_tls_version;
 
+        SSL_HANDSHAKE_TLS13 tls13;
+
         /* state contains one of the SSL3_ST_* values. */
         int state;
 
@@ -449,44 +489,6 @@ typedef struct ssl_handshake_st {
         uint8_t *sigalgs;
 } SSL_HANDSHAKE;
 
-typedef struct cert_pkey_st {
-        X509 *x509;
-        EVP_PKEY *privatekey;
-        STACK_OF(X509) *chain;
-} CERT_PKEY;
-
-typedef struct ssl_handshake_tls13_st {
-        int use_legacy;
-        int hrr;
-
-        /* Certificate and sigalg selected for use (static pointers). */
-        const CERT_PKEY *cpk;
-        const struct ssl_sigalg *sigalg;
-
-        /* Version proposed by peer server. */
-        uint16_t server_version;
-
-        uint16_t server_group;
-        struct tls13_key_share *key_share;
-        struct tls13_secrets *secrets;
-
-        uint8_t *cookie;
-        size_t cookie_len;
-
-        /* Preserved transcript hash. */
-        uint8_t transcript_hash[EVP_MAX_MD_SIZE];
-        size_t transcript_hash_len;
-
-        /* Legacy session ID. */
-        uint8_t legacy_session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
-        size_t legacy_session_id_len;
-
-        /* ClientHello hash, used to validate following HelloRetryRequest */
-        EVP_MD_CTX *clienthello_md_ctx;
-        unsigned char *clienthello_hash;
-        unsigned int clienthello_hash_len;
-} SSL_HANDSHAKE_TLS13;
-
 struct tls12_record_layer;
 
 struct tls12_record_layer *tls12_record_layer_new(void);
@@ -907,7 +909,6 @@ typedef struct ssl3_state_internal_st {
         int in_read_app_data;
 
         SSL_HANDSHAKE hs;
-        SSL_HANDSHAKE_TLS13 hs_tls13;
 
         struct  {
                 unsigned char cert_verify_md[EVP_MAX_MD_SIZE];
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 4f4a39d4bb..5ffab919a2 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.87 2021/03/10 18:27:02 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.88 2021/03/21 18:36:34 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -226,7 +226,7 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
                 uint16_t *groups;
                 int i;
 
-                if (S3I(s)->hs_tls13.hrr) {
+                if (S3I(s)->hs.tls13.hrr) {
                         if (SSI(s)->tlsext_supportedgroups == NULL) {
                                 *alert = SSL_AD_HANDSHAKE_FAILURE;
                                 return 0;
@@ -759,7 +759,7 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                 goto err;
         }
 
-        if (s->internal->hit || S3I(s)->hs_tls13.hrr) {
+        if (s->internal->hit || S3I(s)->hs.tls13.hrr) {
                 if (s->session->tlsext_hostname == NULL) {
                         *alert = TLS1_AD_UNRECOGNIZED_NAME;
                         goto err;
@@ -1416,7 +1416,7 @@ tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
         if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
                 return 0;
 
-        if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share,
+        if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share,
             &client_shares))
                 return 0;
 
@@ -1454,7 +1454,7 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                  */
                 if (S3I(s)->hs.our_max_tls_version < TLS1_3_VERSION)
                         continue;
-                if (S3I(s)->hs_tls13.key_share != NULL)
+                if (S3I(s)->hs.tls13.key_share != NULL)
                         continue;
 
                 /* XXX - consider implementing server preference. */
@@ -1462,10 +1462,10 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                         continue;
 
                 /* Decode and store the selected key share. */
-                S3I(s)->hs_tls13.key_share = tls13_key_share_new(group);
-                if (S3I(s)->hs_tls13.key_share == NULL)
+                S3I(s)->hs.tls13.key_share = tls13_key_share_new(group);
+                if (S3I(s)->hs.tls13.key_share == NULL)
                         goto err;
-                if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share,
+                if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share,
                     group, &key_exchange))
                         goto err;
         }
@@ -1488,16 +1488,16 @@ int
 tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
 {
         /* In the case of a HRR, we only send the server selected group. */
-        if (S3I(s)->hs_tls13.hrr) {
-                if (S3I(s)->hs_tls13.server_group == 0)
+        if (S3I(s)->hs.tls13.hrr) {
+                if (S3I(s)->hs.tls13.server_group == 0)
                         return 0;
-                return CBB_add_u16(cbb, S3I(s)->hs_tls13.server_group);
+                return CBB_add_u16(cbb, S3I(s)->hs.tls13.server_group);
         }
 
-        if (S3I(s)->hs_tls13.key_share == NULL)
+        if (S3I(s)->hs.tls13.key_share == NULL)
                 return 0;
 
-        if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share, cbb))
+        if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share, cbb))
                 return 0;
 
         return 1;
@@ -1516,17 +1516,17 @@ tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
         if (CBS_len(cbs) == 0) {
                 /* HRR does not include an actual key share. */
                 /* XXX - we should know that we are in a HRR... */
-                S3I(s)->hs_tls13.server_group = group;
+                S3I(s)->hs.tls13.server_group = group;
                 return 1;
         }
 
         if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
                 return 0;
 
-        if (S3I(s)->hs_tls13.key_share == NULL)
+        if (S3I(s)->hs.tls13.key_share == NULL)
                 return 0;
 
-        if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share,
+        if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share,
             group, &key_exchange))
                 goto err;
 
@@ -1639,7 +1639,7 @@ tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
         }
 
         /* XXX test between min and max once initialization code goes in */
-        S3I(s)->hs_tls13.server_version = selected_version;
+        S3I(s)->hs.tls13.server_version = selected_version;
 
         return 1;
 }
@@ -1653,7 +1653,7 @@ int
 tlsext_cookie_client_needs(SSL *s, uint16_t msg_type)
 {
         return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION &&
-            S3I(s)->hs_tls13.cookie_len > 0 && S3I(s)->hs_tls13.cookie != NULL);
+            S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL);
 }
 
 int
@@ -1664,8 +1664,8 @@ tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
         if (!CBB_add_u16_length_prefixed(cbb, &cookie))
                 return 0;
 
-        if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
-            S3I(s)->hs_tls13.cookie_len))
+        if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie,
+            S3I(s)->hs.tls13.cookie_len))
                 return 0;
 
         if (!CBB_flush(cbb))
@@ -1682,7 +1682,7 @@ tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
         if (!CBS_get_u16_length_prefixed(cbs, &cookie))
                 goto err;
 
-        if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len)
+        if (CBS_len(&cookie) != S3I(s)->hs.tls13.cookie_len)
                 goto err;
 
         /*
@@ -1690,8 +1690,8 @@ tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
          * sent - client *MUST* send the same cookie with new CR after
          * a cookie is sent by the server with an HRR.
          */
-        if (!CBS_mem_equal(&cookie, S3I(s)->hs_tls13.cookie,
-            S3I(s)->hs_tls13.cookie_len)) {
+        if (!CBS_mem_equal(&cookie, S3I(s)->hs.tls13.cookie,
+            S3I(s)->hs.tls13.cookie_len)) {
                 /* XXX special cookie mismatch alert? */
                 *alert = SSL_AD_ILLEGAL_PARAMETER;
                 return 0;
@@ -1712,7 +1712,7 @@ tlsext_cookie_server_needs(SSL *s, uint16_t msg_type)
          * in order to send one, should only be sent with HRR.
          */
         return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION &&
-            S3I(s)->hs_tls13.cookie_len > 0 && S3I(s)->hs_tls13.cookie != NULL);
+            S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL);
 }
 
 int
@@ -1725,8 +1725,8 @@ tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
         if (!CBB_add_u16_length_prefixed(cbb, &cookie))
                 return 0;
 
-        if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
-            S3I(s)->hs_tls13.cookie_len))
+        if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie,
+            S3I(s)->hs.tls13.cookie_len))
                 return 0;
 
         if (!CBB_flush(cbb))
@@ -1745,8 +1745,8 @@ tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
          * HRR from a server with a cookie to process after accepting
          * one from the server in the same handshake
          */
-        if (S3I(s)->hs_tls13.cookie != NULL ||
-            S3I(s)->hs_tls13.cookie_len != 0) {
+        if (S3I(s)->hs.tls13.cookie != NULL ||
+            S3I(s)->hs.tls13.cookie_len != 0) {
                 *alert = SSL_AD_ILLEGAL_PARAMETER;
                 return 0;
         }
@@ -1754,8 +1754,8 @@ tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
         if (!CBS_get_u16_length_prefixed(cbs, &cookie))
                 goto err;
 
-        if (!CBS_stow(&cookie, &S3I(s)->hs_tls13.cookie,
-            &S3I(s)->hs_tls13.cookie_len))
+        if (!CBS_stow(&cookie, &S3I(s)->hs.tls13.cookie,
+            &S3I(s)->hs.tls13.cookie_len))
                 goto err;
 
         return 1;
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 4de3d3693b..0f3d435c94 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.74 2021/03/10 18:27:02 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.75 2021/03/21 18:36:34 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -31,12 +31,12 @@ tls13_client_init(struct tls13_ctx *ctx)
         size_t groups_len;
         SSL *s = ctx->ssl;
 
-        if (!ssl_supported_tls_version_range(s, &S3I(s)->hs.our_min_tls_version,
-            &S3I(s)->hs.our_max_tls_version)) {
+        if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version,
+            &ctx->hs->our_max_tls_version)) {
                 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
                 return 0;
         }
-        s->client_version = s->version = S3I(s)->hs.our_max_tls_version;
+        s->client_version = s->version = ctx->hs->our_max_tls_version;
 
         tls13_record_layer_set_retry_after_phh(ctx->rl,
             (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
@@ -51,9 +51,9 @@ tls13_client_init(struct tls13_ctx *ctx)
         tls1_get_group_list(s, 0, &groups, &groups_len);
         if (groups_len < 1)
                 return 0;
-        if ((ctx->hs->key_share = tls13_key_share_new(groups[0])) == NULL)
+        if ((ctx->hs->tls13.key_share = tls13_key_share_new(groups[0])) == NULL)
                 return 0;
-        if (!tls13_key_share_generate(ctx->hs->key_share))
+        if (!tls13_key_share_generate(ctx->hs->tls13.key_share))
                 return 0;
 
         arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
@@ -65,11 +65,11 @@ tls13_client_init(struct tls13_ctx *ctx)
          * Appendix D.4). In the pre-TLSv1.3 case a zero length value is used.
          */
         if (ctx->middlebox_compat &&
-            S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION) {
-                arc4random_buf(ctx->hs->legacy_session_id,
-                    sizeof(ctx->hs->legacy_session_id));
-                ctx->hs->legacy_session_id_len =
-                    sizeof(ctx->hs->legacy_session_id);
+            ctx->hs->our_max_tls_version >= TLS1_3_VERSION) {
+                arc4random_buf(ctx->hs->tls13.legacy_session_id,
+                    sizeof(ctx->hs->tls13.legacy_session_id));
+                ctx->hs->tls13.legacy_session_id_len =
+                    sizeof(ctx->hs->tls13.legacy_session_id);
         }
 
         return 1;
@@ -92,7 +92,7 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
         SSL *s = ctx->ssl;
 
         /* Legacy client version is capped at TLS 1.2. */
-        client_version = S3I(s)->hs.our_max_tls_version;
+        client_version = ctx->hs->our_max_tls_version;
         if (client_version > TLS1_2_VERSION)
                 client_version = TLS1_2_VERSION;
 
@@ -103,8 +103,8 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
 
         if (!CBB_add_u8_length_prefixed(cbb, &session_id))
                 goto err;
-        if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id,
-            ctx->hs->legacy_session_id_len))
+        if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
+            ctx->hs->tls13.legacy_session_id_len))
                 goto err;
 
         if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites))
@@ -134,9 +134,7 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
 int
 tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-        SSL *s = ctx->ssl;
-
-        if (S3I(s)->hs.our_min_tls_version < TLS1_2_VERSION)
+        if (ctx->hs->our_min_tls_version < TLS1_2_VERSION)
                 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION);
 
         /* We may receive a pre-TLSv1.3 alert in response to the client hello. */
@@ -231,7 +229,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                 goto err;
 
         if (tls13_server_hello_is_legacy(cbs)) {
-                if (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION) {
+                if (ctx->hs->our_max_tls_version >= TLS1_3_VERSION) {
                         /*
                          * RFC 8446 section 4.1.3: we must not downgrade if
                          * the server random value contains the TLS 1.2 or 1.1
@@ -252,7 +250,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                 if (!CBS_skip(cbs, CBS_len(cbs)))
                         goto err;
 
-                ctx->hs->use_legacy = 1;
+                ctx->hs->tls13.use_legacy = 1;
                 return 1;
         }
 
@@ -265,7 +263,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
         if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,
             sizeof(tls13_hello_retry_request_hash))) {
                 tlsext_msg_type = SSL_TLSEXT_MSG_HRR;
-                ctx->hs->hrr = 1;
+                ctx->hs->tls13.hrr = 1;
         }
 
         if (!tlsext_client_parse(s, tlsext_msg_type, cbs, &alert_desc)) {
@@ -278,16 +276,16 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
          * Ensure that it was 0x0304 and that legacy version is set to 0x0303
          * (RFC 8446 section 4.2.1).
          */
-        if (ctx->hs->server_version != TLS1_3_VERSION ||
+        if (ctx->hs->tls13.server_version != TLS1_3_VERSION ||
             legacy_version != TLS1_2_VERSION) {
                 ctx->alert = TLS13_ALERT_PROTOCOL_VERSION;
                 goto err;
         }
-        S3I(s)->hs.negotiated_tls_version = ctx->hs->server_version;
+        ctx->hs->negotiated_tls_version = ctx->hs->tls13.server_version;
 
         /* The session_id must match. */
-        if (!CBS_mem_equal(&session_id, ctx->hs->legacy_session_id,
-            ctx->hs->legacy_session_id_len)) {
+        if (!CBS_mem_equal(&session_id, ctx->hs->tls13.legacy_session_id,
+            ctx->hs->tls13.legacy_session_id_len)) {
                 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
                 goto err;
         }
@@ -305,8 +303,8 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
                 goto err;
         }
-        /* XXX - move this to hs_tls13? */
-        S3I(s)->hs.new_cipher = cipher;
+        /* XXX - move this to hs.tls13? */
+        ctx->hs->new_cipher = cipher;
 
         if (compression_method != 0) {
                 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
@@ -336,21 +334,21 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx)
 
         /* Derive the shared key and engage record protection. */
 
-        if (!tls13_key_share_derive(ctx->hs->key_share, &shared_key,
+        if (!tls13_key_share_derive(ctx->hs->tls13.key_share, &shared_key,
             &shared_key_len))
                 goto err;
 
-        s->session->cipher = S3I(s)->hs.new_cipher;
-        s->session->ssl_version = ctx->hs->server_version;
+        s->session->cipher = ctx->hs->new_cipher;
+        s->session->ssl_version = ctx->hs->tls13.server_version;
 
-        if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL)
+        if ((ctx->aead = tls13_cipher_aead(ctx->hs->new_cipher)) == NULL)
                 goto err;
-        if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL)
+        if ((ctx->hash = tls13_cipher_hash(ctx->hs->new_cipher)) == NULL)
                 goto err;
 
         if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
                 goto err;
-        ctx->hs->secrets = secrets;
+        ctx->hs->tls13.secrets = secrets;
 
         /* XXX - pass in hash. */
         if (!tls1_transcript_hash_init(s))
@@ -367,7 +365,7 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx)
                 goto err;
 
         /* Handshake secrets. */
-        if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key,
+        if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key,
             shared_key_len, &context))
                 goto err;
 
@@ -409,10 +407,10 @@ tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs)
          * This may have been a TLSv1.2 or earlier ServerHello that just happened
          * to have matching server random...
          */
-        if (ctx->hs->use_legacy)
+        if (ctx->hs->tls13.use_legacy)
                 return tls13_use_legacy_client(ctx);
 
-        if (!ctx->hs->hrr)
+        if (!ctx->hs->tls13.hrr)
                 return 0;
 
         if (!tls13_synthetic_handshake_message(ctx))
@@ -420,7 +418,7 @@ tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs)
         if (!tls13_handshake_msg_record(ctx))
                 return 0;
 
-        ctx->hs->hrr = 0;
+        ctx->hs->tls13.hrr = 0;
 
         return 1;
 }
@@ -433,17 +431,17 @@ tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
          * supported groups and is not the same as the key share we previously
          * offered.
          */
-        if (!tls1_check_curve(ctx->ssl, ctx->hs->server_group))
+        if (!tls1_check_curve(ctx->ssl, ctx->hs->tls13.server_group))
                 return 0; /* XXX alert */
-        if (ctx->hs->server_group == tls13_key_share_group(ctx->hs->key_share))
+        if (ctx->hs->tls13.server_group == tls13_key_share_group(ctx->hs->tls13.key_share))
                 return 0; /* XXX alert */
 
         /* Switch to new key share. */
-        tls13_key_share_free(ctx->hs->key_share);
-        if ((ctx->hs->key_share =
-            tls13_key_share_new(ctx->hs->server_group)) == NULL)
+        tls13_key_share_free(ctx->hs->tls13.key_share);
+        if ((ctx->hs->tls13.key_share =
+            tls13_key_share_new(ctx->hs->tls13.server_group)) == NULL)
                 return 0;
-        if (!tls13_key_share_generate(ctx->hs->key_share))
+        if (!tls13_key_share_generate(ctx->hs->tls13.key_share))
                 return 0;
 
         if (!tls13_client_hello_build(ctx, cbb))
@@ -470,13 +468,13 @@ tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
                         return 0;
         }
 
-        if (ctx->hs->use_legacy) {
+        if (ctx->hs->tls13.use_legacy) {
                 if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR))
                         return 0;
                 return tls13_use_legacy_client(ctx);
         }
 
-        if (ctx->hs->hrr) {
+        if (ctx->hs->tls13.hrr) {
                 /* The server has sent two HelloRetryRequests. */
                 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
                 return 0;
@@ -687,8 +685,8 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
                 goto err;
         if (!CBB_add_u8(&cbb, 0))
                 goto err;
-        if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash,
-            ctx->hs->transcript_hash_len))
+        if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash,
+            ctx->hs->tls13.transcript_hash_len))
                 goto err;
         if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
                 goto err;
@@ -738,7 +736,7 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
 int
 tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
 {
-        struct tls13_secrets *secrets = ctx->hs->secrets;
+        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
         struct tls13_secret context = { .data = "", .len = 0 };
         struct tls13_secret finished_key;
         uint8_t transcript_hash[EVP_MAX_MD_SIZE];
@@ -767,8 +765,8 @@ tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
         if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
             ctx->hash, NULL))
                 goto err;
-        if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash,
-            ctx->hs->transcript_hash_len))
+        if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash,
+            ctx->hs->tls13.transcript_hash_len))
                 goto err;
         verify_data_len = HMAC_size(hmac_ctx);
         if ((verify_data = calloc(1, verify_data_len)) == NULL)
@@ -900,8 +898,8 @@ tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
         if (!tls13_client_select_certificate(ctx, &cpk, &sigalg))
                 goto err;
 
-        ctx->hs->cpk = cpk;
-        ctx->hs->sigalg = sigalg;
+        ctx->hs->tls13.cpk = cpk;
+        ctx->hs->tls13.sigalg = sigalg;
 
         if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context))
                 goto err;
@@ -950,9 +948,9 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
 
         memset(&sig_cbb, 0, sizeof(sig_cbb));
 
-        if ((cpk = ctx->hs->cpk) == NULL)
+        if ((cpk = ctx->hs->tls13.cpk) == NULL)
                 goto err;
-        if ((sigalg = ctx->hs->sigalg) == NULL)
+        if ((sigalg = ctx->hs->tls13.sigalg) == NULL)
                 goto err;
         pkey = cpk->privatekey;
 
@@ -966,8 +964,8 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
                 goto err;
         if (!CBB_add_u8(&sig_cbb, 0))
                 goto err;
-        if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash,
-            ctx->hs->transcript_hash_len))
+        if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash,
+            ctx->hs->tls13.transcript_hash_len))
                 goto err;
         if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len))
                 goto err;
@@ -1024,7 +1022,7 @@ tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb)
 int
 tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-        struct tls13_secrets *secrets = ctx->hs->secrets;
+        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
         struct tls13_secret context = { .data = "", .len = 0 };
         struct tls13_secret finished_key = { .data = NULL, .len = 0 };
         uint8_t transcript_hash[EVP_MAX_MD_SIZE];
@@ -1082,7 +1080,7 @@ tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb)
 int
 tls13_client_finished_sent(struct tls13_ctx *ctx)
 {
-        struct tls13_secrets *secrets = ctx->hs->secrets;
+        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
 
         /*
          * Any records following the client finished message must be encrypted
diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c
index b3cecc77ef..c18a2dfe06 100644
--- a/src/lib/libssl/tls13_handshake.c
+++ b/src/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_handshake.c,v 1.64 2020/07/30 16:23:17 tb Exp $ */
+/*      $OpenBSD: tls13_handshake.c,v 1.65 2021/03/21 18:36:34 jsing Exp $      */
 /*
  * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -428,8 +428,9 @@ tls13_handshake_send_action(struct tls13_ctx *ctx,
 
         if (action->send_preserve_transcript_hash) {
                 if (!tls1_transcript_hash_value(ctx->ssl,
-                    ctx->hs->transcript_hash, sizeof(ctx->hs->transcript_hash),
-                    &ctx->hs->transcript_hash_len))
+                    ctx->hs->tls13.transcript_hash,
+                    sizeof(ctx->hs->tls13.transcript_hash),
+                    &ctx->hs->tls13.transcript_hash_len))
                         return TLS13_IO_FAILURE;
         }
 
@@ -471,8 +472,9 @@ tls13_handshake_recv_action(struct tls13_ctx *ctx,
 
         if (action->recv_preserve_transcript_hash) {
                 if (!tls1_transcript_hash_value(ctx->ssl,
-                    ctx->hs->transcript_hash, sizeof(ctx->hs->transcript_hash),
-                    &ctx->hs->transcript_hash_len))
+                    ctx->hs->tls13.transcript_hash,
+                    sizeof(ctx->hs->tls13.transcript_hash),
+                    &ctx->hs->tls13.transcript_hash_len))
                         return TLS13_IO_FAILURE;
         }
 
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index c339a8ef10..973661acc9 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.88 2021/01/05 17:40:11 tb Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.89 2021/03/21 18:36:34 jsing Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -274,7 +274,7 @@ struct tls13_ctx {
         struct tls13_error error;
 
         SSL *ssl;
-        struct ssl_handshake_tls13_st *hs;
+        struct ssl_handshake_st *hs;
         uint8_t mode;
         struct tls13_handshake_stage handshake_stage;
         int handshake_started;
diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c
index f611aa061d..19271ef787 100644
--- a/src/lib/libssl/tls13_legacy.c
+++ b/src/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_legacy.c,v 1.22 2021/02/25 17:06:05 jsing Exp $ */
+/*      $OpenBSD: tls13_legacy.c,v 1.23 2021/03/21 18:36:34 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -361,7 +361,7 @@ tls13_use_legacy_client(struct tls13_ctx *ctx)
         s->internal->handshake_func = s->method->internal->ssl_connect;
         s->client_version = s->version = s->method->internal->max_tls_version;
 
-        S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A;
+        ctx->hs->state = SSL3_ST_CR_SRVR_HELLO_A;
 
         return 1;
 }
@@ -378,7 +378,7 @@ tls13_use_legacy_server(struct tls13_ctx *ctx)
         s->client_version = s->version = s->method->internal->max_tls_version;
         s->server = 1;
 
-        S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
+        ctx->hs->state = SSL3_ST_SR_CLNT_HELLO_A;
 
         return 1;
 }
@@ -396,7 +396,7 @@ tls13_legacy_accept(SSL *ssl)
                 }
                 ssl->internal->tls13 = ctx;
                 ctx->ssl = ssl;
-                ctx->hs = &S3I(ssl)->hs_tls13;
+                ctx->hs = &S3I(ssl)->hs;
 
                 if (!tls13_server_init(ctx)) {
                         if (ERR_peek_error() == 0)
@@ -406,13 +406,13 @@ tls13_legacy_accept(SSL *ssl)
         }
 
         ERR_clear_error();
-        S3I(ssl)->hs.state = SSL_ST_ACCEPT;
+        ctx->hs->state = SSL_ST_ACCEPT;
 
         ret = tls13_server_accept(ctx);
         if (ret == TLS13_IO_USE_LEGACY)
                 return ssl->method->internal->ssl_accept(ssl);
         if (ret == TLS13_IO_SUCCESS)
-                S3I(ssl)->hs.state = SSL_ST_OK;
+                ctx->hs->state = SSL_ST_OK;
 
         return tls13_legacy_return_code(ssl, ret);
 }
@@ -438,7 +438,7 @@ tls13_legacy_connect(SSL *ssl)
                 }
                 ssl->internal->tls13 = ctx;
                 ctx->ssl = ssl;
-                ctx->hs = &S3I(ssl)->hs_tls13;
+                ctx->hs = &S3I(ssl)->hs;
 
                 if (!tls13_client_init(ctx)) {
                         if (ERR_peek_error() == 0)
@@ -448,13 +448,13 @@ tls13_legacy_connect(SSL *ssl)
         }
 
         ERR_clear_error();
-        S3I(ssl)->hs.state = SSL_ST_CONNECT;
+        ctx->hs->state = SSL_ST_CONNECT;
 
         ret = tls13_client_connect(ctx);
         if (ret == TLS13_IO_USE_LEGACY)
                 return ssl->method->internal->ssl_connect(ssl);
         if (ret == TLS13_IO_SUCCESS)
-                S3I(ssl)->hs.state = SSL_ST_OK;
+                ctx->hs->state = SSL_ST_OK;
 
         return tls13_legacy_return_code(ssl, ret);
 }
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 0b3f636b93..9dbb7d6430 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_lib.c,v 1.57 2021/03/21 16:56:42 jsing Exp $ */
+/*      $OpenBSD: tls13_lib.c,v 1.58 2021/03/21 18:36:34 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -223,7 +223,7 @@ tls13_legacy_ocsp_status_recv_cb(void *arg)
 static int
 tls13_phh_update_local_traffic_secret(struct tls13_ctx *ctx)
 {
-        struct tls13_secrets *secrets = ctx->hs->secrets;
+        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
 
         if (ctx->mode == TLS13_HS_CLIENT)
                 return (tls13_update_client_traffic_secret(secrets) &&
@@ -237,7 +237,7 @@ tls13_phh_update_local_traffic_secret(struct tls13_ctx *ctx)
 static int
 tls13_phh_update_peer_traffic_secret(struct tls13_ctx *ctx)
 {
-        struct tls13_secrets *secrets = ctx->hs->secrets;
+        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
 
         if (ctx->mode == TLS13_HS_CLIENT)
                 return (tls13_update_server_traffic_secret(secrets) &&
@@ -503,16 +503,16 @@ tls13_synthetic_handshake_message(struct tls13_ctx *ctx)
 int
 tls13_clienthello_hash_init(struct tls13_ctx *ctx)
 {
-        if (ctx->hs->clienthello_md_ctx != NULL)
+        if (ctx->hs->tls13.clienthello_md_ctx != NULL)
                 return 0;
-        if ((ctx->hs->clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
+        if ((ctx->hs->tls13.clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
                 return 0;
-        if (!EVP_DigestInit_ex(ctx->hs->clienthello_md_ctx,
+        if (!EVP_DigestInit_ex(ctx->hs->tls13.clienthello_md_ctx,
             EVP_sha256(), NULL))
                 return 0;
 
-        if ((ctx->hs->clienthello_hash == NULL) &&
-            (ctx->hs->clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
+        if ((ctx->hs->tls13.clienthello_hash == NULL) &&
+            (ctx->hs->tls13.clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
             NULL)
                 return 0;
 
@@ -520,7 +520,7 @@ tls13_clienthello_hash_init(struct tls13_ctx *ctx)
 }
 
 void
-tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs)
+tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs) /* XXX */
 {
         EVP_MD_CTX_free(hs->clienthello_md_ctx);
         hs->clienthello_md_ctx = NULL;
@@ -532,7 +532,7 @@ int
 tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data,
     size_t len)
 {
-        return EVP_DigestUpdate(ctx->hs->clienthello_md_ctx, data, len);
+        return EVP_DigestUpdate(ctx->hs->tls13.clienthello_md_ctx, data, len);
 }
 
 int
@@ -545,12 +545,12 @@ tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs)
 int
 tls13_clienthello_hash_finalize(struct tls13_ctx *ctx)
 {
-        if (!EVP_DigestFinal_ex(ctx->hs->clienthello_md_ctx,
-            ctx->hs->clienthello_hash,
-            &ctx->hs->clienthello_hash_len))
+        if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
+            ctx->hs->tls13.clienthello_hash,
+            &ctx->hs->tls13.clienthello_hash_len))
                 return 0;
-        EVP_MD_CTX_free(ctx->hs->clienthello_md_ctx);
-        ctx->hs->clienthello_md_ctx = NULL;
+        EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
+        ctx->hs->tls13.clienthello_md_ctx = NULL;
         return 1;
 }
 
@@ -560,18 +560,18 @@ tls13_clienthello_hash_validate(struct tls13_ctx *ctx)
         unsigned char new_ch_hash[EVP_MAX_MD_SIZE];
         unsigned int new_ch_hash_len;
 
-        if (ctx->hs->clienthello_hash == NULL)
+        if (ctx->hs->tls13.clienthello_hash == NULL)
                 return 0;
 
-        if (!EVP_DigestFinal_ex(ctx->hs->clienthello_md_ctx,
+        if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
             new_ch_hash, &new_ch_hash_len))
                 return 0;
-        EVP_MD_CTX_free(ctx->hs->clienthello_md_ctx);
-        ctx->hs->clienthello_md_ctx = NULL;
+        EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
+        ctx->hs->tls13.clienthello_md_ctx = NULL;
 
-        if (ctx->hs->clienthello_hash_len != new_ch_hash_len)
+        if (ctx->hs->tls13.clienthello_hash_len != new_ch_hash_len)
                 return 0;
-        if (memcmp(ctx->hs->clienthello_hash, new_ch_hash,
+        if (memcmp(ctx->hs->tls13.clienthello_hash, new_ch_hash,
             new_ch_hash_len) != 0)
                 return 0;
 
@@ -584,7 +584,7 @@ tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len,
     size_t out_len)
 {
         struct tls13_secret context, export_out, export_secret;
-        struct tls13_secrets *secrets = ctx->hs->secrets;
+        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
         EVP_MD_CTX *md_ctx = NULL;
         unsigned int md_out_len;
         int md_len;
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 29c63bcd06..658aef2cfe 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.71 2021/03/10 18:27:02 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.72 2021/03/21 18:36:34 jsing Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -29,12 +29,12 @@ tls13_server_init(struct tls13_ctx *ctx)
 {
         SSL *s = ctx->ssl;
 
-        if (!ssl_supported_tls_version_range(s, &S3I(s)->hs.our_min_tls_version,
-            &S3I(s)->hs.our_max_tls_version)) {
+        if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version,
+            &ctx->hs->our_max_tls_version)) {
                 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
                 return 0;
         }
-        s->version = S3I(s)->hs.our_max_tls_version;
+        s->version = ctx->hs->our_max_tls_version;
 
         tls13_record_layer_set_retry_after_phh(ctx->rl,
             (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
@@ -163,7 +163,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                         goto err;
                 return tls13_use_legacy_server(ctx);
         }
-        S3I(s)->hs.negotiated_tls_version = TLS1_3_VERSION;
+        ctx->hs->negotiated_tls_version = TLS1_3_VERSION;
 
         /* Add decoded values to the current ClientHello hash */
         if (!tls13_clienthello_hash_init(ctx)) {
@@ -198,7 +198,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
         }
 
         /* Finalize first ClientHello hash, or validate against it */
-        if (!ctx->hs->hrr) {
+        if (!ctx->hs->tls13.hrr) {
                 if (!tls13_clienthello_hash_finalize(ctx)) {
                         ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
                         goto err;
@@ -208,7 +208,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                         ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
                         goto err;
                 }
-                tls13_clienthello_hash_clear(ctx->hs);
+                tls13_clienthello_hash_clear(&ctx->hs->tls13);
         }
 
         if (!tls13_client_hello_required_extensions(ctx)) {
@@ -226,13 +226,13 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
         }
 
         /* Store legacy session identifier so we can echo it. */
-        if (CBS_len(&session_id) > sizeof(ctx->hs->legacy_session_id)) {
+        if (CBS_len(&session_id) > sizeof(ctx->hs->tls13.legacy_session_id)) {
                 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
                 goto err;
         }
-        if (!CBS_write_bytes(&session_id, ctx->hs->legacy_session_id,
-            sizeof(ctx->hs->legacy_session_id),
-            &ctx->hs->legacy_session_id_len)) {
+        if (!CBS_write_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
+            sizeof(ctx->hs->tls13.legacy_session_id),
+            &ctx->hs->tls13.legacy_session_id_len)) {
                 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
                 goto err;
         }
@@ -249,7 +249,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE;
                 goto err;
         }
-        S3I(s)->hs.new_cipher = cipher;
+        ctx->hs->new_cipher = cipher;
 
         sk_SSL_CIPHER_free(s->session->ciphers);
         s->session->ciphers = ciphers;
@@ -293,7 +293,7 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
          * has been enabled. This would probably mean using either an
          * INITIAL | WITHOUT_HRR state, or another intermediate state.
          */
-        if (ctx->hs->key_share != NULL)
+        if (ctx->hs->tls13.key_share != NULL)
                 ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR;
 
         /* XXX - check this is the correct point */
@@ -314,7 +314,7 @@ tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
         SSL *s = ctx->ssl;
         uint16_t cipher;
 
-        cipher = SSL_CIPHER_get_value(S3I(s)->hs.new_cipher);
+        cipher = SSL_CIPHER_get_value(ctx->hs->new_cipher);
         server_random = s->s3->server_random;
 
         if (hrr) {
@@ -328,8 +328,8 @@ tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
                 goto err;
         if (!CBB_add_u8_length_prefixed(cbb, &session_id))
                 goto err;
-        if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id,
-            ctx->hs->legacy_session_id_len))
+        if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
+            ctx->hs->tls13.legacy_session_id_len))
                 goto err;
         if (!CBB_add_u16(cbb, cipher))
                 goto err;
@@ -358,20 +358,20 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx)
         SSL *s = ctx->ssl;
         int ret = 0;
 
-        if (!tls13_key_share_derive(ctx->hs->key_share,
+        if (!tls13_key_share_derive(ctx->hs->tls13.key_share,
             &shared_key, &shared_key_len))
                 goto err;
 
-        s->session->cipher = S3I(s)->hs.new_cipher;
+        s->session->cipher = ctx->hs->new_cipher;
 
-        if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL)
+        if ((ctx->aead = tls13_cipher_aead(ctx->hs->new_cipher)) == NULL)
                 goto err;
-        if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL)
+        if ((ctx->hash = tls13_cipher_hash(ctx->hs->new_cipher)) == NULL)
                 goto err;
 
         if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
                 goto err;
-        ctx->hs->secrets = secrets;
+        ctx->hs->tls13.secrets = secrets;
 
         /* XXX - pass in hash. */
         if (!tls1_transcript_hash_init(s))
@@ -388,7 +388,7 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx)
                 goto err;
 
         /* Handshake secrets. */
-        if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key,
+        if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key,
             shared_key_len, &context))
                 goto err;
 
@@ -418,16 +418,16 @@ tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
 {
         int nid;
 
-        ctx->hs->hrr = 1;
+        ctx->hs->tls13.hrr = 1;
 
         if (!tls13_synthetic_handshake_message(ctx))
                 return 0;
 
-        if (ctx->hs->key_share != NULL)
+        if (ctx->hs->tls13.key_share != NULL)
                 return 0;
         if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef)
                 return 0;
-        if ((ctx->hs->server_group = tls1_ec_nid2curve_id(nid)) == 0)
+        if ((ctx->hs->tls13.server_group = tls1_ec_nid2curve_id(nid)) == 0)
                 return 0;
 
         if (!tls13_server_hello_build(ctx, cbb, 1))
@@ -444,7 +444,7 @@ tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx)
          * we MUST send a dummy CCS following our first handshake message.
          * See RFC 8446 Appendix D.4.
          */
-        if (ctx->hs->legacy_session_id_len > 0)
+        if (ctx->hs->tls13.legacy_session_id_len > 0)
                 ctx->send_dummy_ccs_after = 1;
 
         return 1;
@@ -462,7 +462,7 @@ tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs)
         if (s->method->internal->version < TLS1_3_VERSION)
                 return 0;
 
-        ctx->hs->hrr = 0;
+        ctx->hs->tls13.hrr = 0;
 
         return 1;
 }
@@ -483,14 +483,14 @@ tls13_servername_process(struct tls13_ctx *ctx)
 int
 tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-        if (ctx->hs->key_share == NULL)
+        if (ctx->hs->tls13.key_share == NULL)
                 return 0;
-        if (!tls13_key_share_generate(ctx->hs->key_share))
+        if (!tls13_key_share_generate(ctx->hs->tls13.key_share))
                 return 0;
         if (!tls13_servername_process(ctx))
                 return 0;
 
-        ctx->hs->server_group = 0;
+        ctx->hs->tls13.server_group = 0;
 
         if (!tls13_server_hello_build(ctx, cbb, 0))
                 return 0;
@@ -507,7 +507,7 @@ tls13_server_hello_sent(struct tls13_ctx *ctx)
          * See RFC 8446 Appendix D.4.
          */
         if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) &&
-            ctx->hs->legacy_session_id_len > 0)
+            ctx->hs->tls13.legacy_session_id_len > 0)
                 ctx->send_dummy_ccs_after = 1;
 
         return tls13_server_engage_record_protection(ctx);
@@ -633,8 +633,8 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
                 goto err;
         }
 
-        ctx->hs->cpk = cpk;
-        ctx->hs->sigalg = sigalg;
+        ctx->hs->tls13.cpk = cpk;
+        ctx->hs->tls13.sigalg = sigalg;
 
         if ((chain = cpk->chain) == NULL)
                 chain = s->ctx->extra_certs;
@@ -705,9 +705,9 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
 
         memset(&sig_cbb, 0, sizeof(sig_cbb));
 
-        if ((cpk = ctx->hs->cpk) == NULL)
+        if ((cpk = ctx->hs->tls13.cpk) == NULL)
                 goto err;
-        if ((sigalg = ctx->hs->sigalg) == NULL)
+        if ((sigalg = ctx->hs->tls13.sigalg) == NULL)
                 goto err;
         pkey = cpk->privatekey;
 
@@ -721,8 +721,8 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
                 goto err;
         if (!CBB_add_u8(&sig_cbb, 0))
                 goto err;
-        if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash,
-            ctx->hs->transcript_hash_len))
+        if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash,
+            ctx->hs->tls13.transcript_hash_len))
                 goto err;
         if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len))
                 goto err;
@@ -773,7 +773,7 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
 int
 tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-        struct tls13_secrets *secrets = ctx->hs->secrets;
+        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
         struct tls13_secret context = { .data = "", .len = 0 };
         struct tls13_secret finished_key = { .data = NULL, .len = 0 } ;
         uint8_t transcript_hash[EVP_MAX_MD_SIZE];
@@ -831,14 +831,14 @@ tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
 int
 tls13_server_finished_sent(struct tls13_ctx *ctx)
 {
-        struct tls13_secrets *secrets = ctx->hs->secrets;
+        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
         struct tls13_secret context = { .data = "", .len = 0 };
 
         /*
          * Derive application traffic keys.
          */
-        context.data = ctx->hs->transcript_hash;
-        context.len = ctx->hs->transcript_hash_len;
+        context.data = ctx->hs->tls13.transcript_hash;
+        context.len = ctx->hs->tls13.transcript_hash_len;
 
         if (!tls13_derive_application_secrets(secrets, &context))
                 return 0;
@@ -984,8 +984,8 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
                 goto err;
         if (!CBB_add_u8(&cbb, 0))
                 goto err;
-        if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash,
-            ctx->hs->transcript_hash_len))
+        if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash,
+            ctx->hs->tls13.transcript_hash_len))
                 goto err;
         if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
                 goto err;
@@ -1042,7 +1042,7 @@ tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs)
 int
 tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
 {
-        struct tls13_secrets *secrets = ctx->hs->secrets;
+        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
         struct tls13_secret context = { .data = "", .len = 0 };
         struct tls13_secret finished_key;
         uint8_t *verify_data = NULL;
@@ -1069,8 +1069,8 @@ tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
         if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
             ctx->hash, NULL))
                 goto err;
-        if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash,
-            ctx->hs->transcript_hash_len))
+        if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash,
+            ctx->hs->tls13.transcript_hash_len))
                 goto err;
         verify_data_len = HMAC_size(hmac_ctx);
         if ((verify_data = calloc(1, verify_data_len)) == NULL)