authorJoel Sing <jsing@cvs.openbsd.org>2021-10-25 10:01:47 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2021-10-25 10:01:47 +0000
commit9a8888a8f129d292d098e5f3f3a7030ff865dcc1 (patch)
tree958ea4b200297a075f04c022c5f6824246a4bd09 /lib/libssl
parentce9c65b9c654a0faeb119fa75291b9fb4a48474f (diff)
Fold SSL_SESSION_INTERNAL back into SSL_SESSION.
ok beck@ tb@
Diffstat (limited to 'lib/libssl')
-rw-r--r--lib/libssl/s3_lib.c6
-rw-r--r--lib/libssl/ssl_clnt.c36
-rw-r--r--lib/libssl/ssl_lib.c10
-rw-r--r--lib/libssl/ssl_locl.h43
-rw-r--r--lib/libssl/ssl_sess.c72
-rw-r--r--lib/libssl/ssl_srvr.c12
-rw-r--r--lib/libssl/ssl_tlsext.c18
-rw-r--r--lib/libssl/t1_lib.c10
-rw-r--r--lib/libssl/tls13_client.c12
-rw-r--r--lib/libssl/tls13_server.c12
10 files changed, 110 insertions, 121 deletions
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index 8a96a2cdefd..71b86770ca1 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.216 2021/10/24 09:15:00 beck Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.217 2021/10/25 10:01:46 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1668,10 +1668,10 @@ _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key)
*key = NULL;
- if (s->session == NULL || SSI(s)->sess_cert == NULL)
+ if (s->session == NULL || s->session->sess_cert == NULL)
return 0;
- sc = SSI(s)->sess_cert;
+ sc = s->session->sess_cert;
if ((pkey = EVP_PKEY_new()) == NULL)
return 0;
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index ea502e6a330..fe864d1cdcb 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.116 2021/10/23 16:11:30 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.117 2021/10/25 10:01:46 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -655,7 +655,7 @@ ssl3_send_client_hello(SSL *s)
if (sess == NULL ||
sess->ssl_version != s->version ||
(!sess->session_id_length && !sess->tlsext_tick) ||
- sess->internal->not_resumable) {
+ sess->not_resumable) {
if (!ssl_get_new_session(s, 0))
goto err;
}
@@ -1157,8 +1157,8 @@ ssl3_get_server_certificate(SSL *s)
sc = ssl_sess_cert_new();
if (sc == NULL)
goto err;
- ssl_sess_cert_free(SSI(s)->sess_cert);
- SSI(s)->sess_cert = sc;
+ ssl_sess_cert_free(s->session->sess_cert);
+ s->session->sess_cert = sc;
sc->cert_chain = sk;
/*
@@ -1231,7 +1231,7 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)
int al;
alg_a = S3I(s)->hs.cipher->algorithm_auth;
- sc = SSI(s)->sess_cert;
+ sc = s->session->sess_cert;
if ((dh = DH_new()) == NULL) {
SSLerror(s, ERR_R_DH_LIB);
@@ -1359,7 +1359,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)
int al;
alg_a = S3I(s)->hs.cipher->algorithm_auth;
- sc = SSI(s)->sess_cert;
+ sc = s->session->sess_cert;
/* Only named curves are supported. */
if (!CBS_get_u8(cbs, &curve_type) ||
@@ -1468,18 +1468,18 @@ ssl3_get_server_key_exchange(SSL *s)
return (1);
}
- if (SSI(s)->sess_cert != NULL) {
- DH_free(SSI(s)->sess_cert->peer_dh_tmp);
- SSI(s)->sess_cert->peer_dh_tmp = NULL;
+ if (s->session->sess_cert != NULL) {
+ DH_free(s->session->sess_cert->peer_dh_tmp);
+ s->session->sess_cert->peer_dh_tmp = NULL;
- EC_KEY_free(SSI(s)->sess_cert->peer_ecdh_tmp);
- SSI(s)->sess_cert->peer_ecdh_tmp = NULL;
+ EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
+ s->session->sess_cert->peer_ecdh_tmp = NULL;
- free(SSI(s)->sess_cert->peer_x25519_tmp);
- SSI(s)->sess_cert->peer_x25519_tmp = NULL;
+ free(s->session->sess_cert->peer_x25519_tmp);
+ s->session->sess_cert->peer_x25519_tmp = NULL;
} else {
- SSI(s)->sess_cert = ssl_sess_cert_new();
- if (SSI(s)->sess_cert == NULL)
+ s->session->sess_cert = ssl_sess_cert_new();
+ if (s->session->sess_cert == NULL)
goto err;
}
@@ -2267,7 +2267,7 @@ ssl3_send_client_key_exchange(SSL *s)
if (S3I(s)->hs.state == SSL3_ST_CW_KEY_EXCH_A) {
alg_k = S3I(s)->hs.cipher->algorithm_mkey;
- if ((sess_cert = SSI(s)->sess_cert) == NULL) {
+ if ((sess_cert = s->session->sess_cert) == NULL) {
ssl3_send_alert(s, SSL3_AL_FATAL,
SSL_AD_UNEXPECTED_MESSAGE);
SSLerror(s, ERR_R_INTERNAL_ERROR);
@@ -2670,12 +2670,12 @@ ssl3_check_cert_and_algorithm(SSL *s)
if (alg_a & SSL_aNULL)
return (1);
- sc = SSI(s)->sess_cert;
+ sc = s->session->sess_cert;
if (sc == NULL) {
SSLerror(s, ERR_R_INTERNAL_ERROR);
goto err;
}
- dh = SSI(s)->sess_cert->peer_dh_tmp;
+ dh = s->session->sess_cert->peer_dh_tmp;
/* This is the passed certificate. */
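Review bot: The `dh` assignment in ssl3_check_cert_and_algorithm walks `s->session->sess_cert` again right after that pointer was copied into `sc` and NULL-checked, so the guard and the dereference name two different expressions. Using the checked local, `dh = sc->peer_dh_tmp;`, keeps the check and the use visibly tied together and stays correct if the source of `sc` changes later. The function begins and continues outside this hunk.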
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index cfd5c9bfb8c..f64b89352e8 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.275 2021/10/23 20:42:50 beck Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.276 2021/10/25 10:01:46 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -887,10 +887,10 @@ SSL_get_peer_cert_chain(const SSL *s)
STACK_OF(X509) *r;
if ((s == NULL) || (s->session == NULL) ||
- (SSI(s)->sess_cert == NULL))
+ (s->session->sess_cert == NULL))
r = NULL;
else
- r = SSI(s)->sess_cert->cert_chain;
+ r = s->session->sess_cert->cert_chain;
/*
* If we are a client, cert_chain includes the peer's own
@@ -2245,8 +2245,8 @@ ssl_using_ecc_cipher(SSL *s)
alg_a = S3I(s)->hs.cipher->algorithm_auth;
alg_k = S3I(s)->hs.cipher->algorithm_mkey;
- return SSI(s)->tlsext_ecpointformatlist != NULL &&
- SSI(s)->tlsext_ecpointformatlist_length > 0 &&
+ return s->session->tlsext_ecpointformatlist != NULL &&
+ s->session->tlsext_ecpointformatlist_length > 0 &&
((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA));
}
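Review bot: The return expression of ssl_using_ecc_cipher dereferences `s->session` with no NULL test, whereas SSL_get_peer_cert_chain earlier in this file checks `s->session == NULL` before touching `sess_cert`. With the SSI() macro gone the dereference is explicit, and the same unguarded pattern appears in tls1_get_formatlist and tls1_get_group_list in t1_lib.c. If every caller is only reached once a session is attached (not visible from here), a comment stating that precondition is enough, e.g. `/* Only valid once s->session has been set up for this handshake. */`; otherwise lead the condition with `s->session != NULL &&`. The start of the function is outside the hunk.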
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index aa6233e6172..01c22762ef5 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.366 2021/10/23 20:42:50 beck Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.367 2021/10/25 10:01:46 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -412,28 +412,6 @@ struct ssl_method_st {
unsigned int enc_flags; /* SSL_ENC_FLAG_* */
};
-typedef struct ssl_session_internal_st {
- CRYPTO_EX_DATA ex_data; /* application specific data */
-
- /* These are used to make removal of session-ids more
- * efficient and to implement a maximum cache size. */
- struct ssl_session_st *prev, *next;
-
- /* Used to indicate that session resumption is not allowed.
- * Applications can also set this bit for a new session via
- * not_resumable_session_cb to disable session caching and tickets. */
- int not_resumable;
-
- /* The cert is the certificate used to establish this connection */
- struct sess_cert_st /* SESS_CERT */ *sess_cert;
-
- size_t tlsext_ecpointformatlist_length;
- uint8_t *tlsext_ecpointformatlist; /* peer's list */
- size_t tlsext_supportedgroups_length;
- uint16_t *tlsext_supportedgroups; /* peer's list */
-} SSL_SESSION_INTERNAL;
-#define SSI(s) (s->session->internal)
-
/* Lets make this into an ASN.1 type structure as follows
* SSL_SESSION_ID ::= SEQUENCE {
* version INTEGER, -- structure version number
@@ -500,7 +478,24 @@ struct ssl_session_st {
size_t tlsext_ticklen; /* Session ticket length */
uint32_t tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
- struct ssl_session_internal_st *internal;
+ CRYPTO_EX_DATA ex_data; /* application specific data */
+
+ /* These are used to make removal of session-ids more
+ * efficient and to implement a maximum cache size. */
+ struct ssl_session_st *prev, *next;
+
+ /* Used to indicate that session resumption is not allowed.
+ * Applications can also set this bit for a new session via
+ * not_resumable_session_cb to disable session caching and tickets. */
+ int not_resumable;
+
+ /* The cert is the certificate used to establish this connection */
+ struct sess_cert_st /* SESS_CERT */ *sess_cert;
+
+ size_t tlsext_ecpointformatlist_length;
+ uint8_t *tlsext_ecpointformatlist; /* peer's list */
+ size_t tlsext_supportedgroups_length;
+ uint16_t *tlsext_supportedgroups; /* peer's list */
};
typedef struct cert_pkey_st {
diff --git a/lib/libssl/ssl_sess.c b/lib/libssl/ssl_sess.c
index 4e798e08f07..2fa6af4564a 100644
--- a/lib/libssl/ssl_sess.c
+++ b/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.105 2021/09/08 17:27:33 tb Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.106 2021/10/25 10:01:46 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -186,13 +186,13 @@ SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
int
SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
{
- return (CRYPTO_set_ex_data(&s->internal->ex_data, idx, arg));
+ return (CRYPTO_set_ex_data(&s->ex_data, idx, arg));
}
void *
SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx)
{
- return (CRYPTO_get_ex_data(&s->internal->ex_data, idx));
+ return (CRYPTO_get_ex_data(&s->ex_data, idx));
}
uint32_t
@@ -221,26 +221,21 @@ SSL_SESSION_new(void)
SSLerrorx(ERR_R_MALLOC_FAILURE);
return (NULL);
}
- if ((ss->internal = calloc(1, sizeof(*ss->internal))) == NULL) {
- free(ss);
- SSLerrorx(ERR_R_MALLOC_FAILURE);
- return (NULL);
- }
ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */
ss->references = 1;
ss->timeout=60*5+4; /* 5 minute timeout by default */
ss->time = time(NULL);
- ss->internal->prev = NULL;
- ss->internal->next = NULL;
+ ss->prev = NULL;
+ ss->next = NULL;
ss->tlsext_hostname = NULL;
- ss->internal->tlsext_ecpointformatlist_length = 0;
- ss->internal->tlsext_ecpointformatlist = NULL;
- ss->internal->tlsext_supportedgroups_length = 0;
- ss->internal->tlsext_supportedgroups = NULL;
+ ss->tlsext_ecpointformatlist_length = 0;
+ ss->tlsext_ecpointformatlist = NULL;
+ ss->tlsext_supportedgroups_length = 0;
+ ss->tlsext_supportedgroups = NULL;
- CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->internal->ex_data);
+ CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
return (ss);
}
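Review bot: The result of `CRYPTO_new_ex_data()` at the end of SSL_SESSION_new is discarded, so a failure while setting up application ex_data still returns a session that looks fully initialised. Now that `ex_data` lives directly in the session, the failure path needs only one free, for example `if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data)) { free(ss); return (NULL); }`. Separately, if `ss` comes from calloc() (the allocation is above the hunk, so this is inferred from the removed calloc for `internal`), the explicit NULL and 0 stores kept here are redundant.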
@@ -738,7 +733,7 @@ remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
if (ret) {
- r->internal->not_resumable = 1;
+ r->not_resumable = 1;
if (ctx->internal->remove_session_cb != NULL)
ctx->internal->remove_session_cb(ctx, r);
SSL_SESSION_free(r);
@@ -760,12 +755,12 @@ SSL_SESSION_free(SSL_SESSION *ss)
if (i > 0)
return;
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->internal->ex_data);
+ CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
explicit_bzero(ss->master_key, sizeof ss->master_key);
explicit_bzero(ss->session_id, sizeof ss->session_id);
- ssl_sess_cert_free(ss->internal->sess_cert);
+ ssl_sess_cert_free(ss->sess_cert);
X509_free(ss->peer);
@@ -773,10 +768,9 @@ SSL_SESSION_free(SSL_SESSION *ss)
free(ss->tlsext_hostname);
free(ss->tlsext_tick);
- free(ss->internal->tlsext_ecpointformatlist);
- free(ss->internal->tlsext_supportedgroups);
+ free(ss->tlsext_ecpointformatlist);
+ free(ss->tlsext_supportedgroups);
- freezero(ss->internal, sizeof(*ss->internal));
freezero(ss, sizeof(*ss));
}
@@ -1007,7 +1001,7 @@ timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p)
* save on locking overhead */
(void)lh_SSL_SESSION_delete(p->cache, s);
SSL_SESSION_list_remove(p->ctx, s);
- s->internal->not_resumable = 1;
+ s->not_resumable = 1;
if (p->ctx->internal->remove_session_cb != NULL)
p->ctx->internal->remove_session_cb(p->ctx, s);
SSL_SESSION_free(s);
@@ -1059,50 +1053,50 @@ ssl_clear_bad_session(SSL *s)
static void
SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
{
- if ((s->internal->next == NULL) || (s->internal->prev == NULL))
+ if (s->next == NULL || s->prev == NULL)
return;
- if (s->internal->next == (SSL_SESSION *)&(ctx->internal->session_cache_tail)) {
+ if (s->next == (SSL_SESSION *)&(ctx->internal->session_cache_tail)) {
/* last element in list */
- if (s->internal->prev == (SSL_SESSION *)&(ctx->internal->session_cache_head)) {
+ if (s->prev == (SSL_SESSION *)&(ctx->internal->session_cache_head)) {
/* only one element in list */
ctx->internal->session_cache_head = NULL;
ctx->internal->session_cache_tail = NULL;
} else {
- ctx->internal->session_cache_tail = s->internal->prev;
- s->internal->prev->internal->next =
+ ctx->internal->session_cache_tail = s->prev;
+ s->prev->next =
(SSL_SESSION *)&(ctx->internal->session_cache_tail);
}
} else {
- if (s->internal->prev == (SSL_SESSION *)&(ctx->internal->session_cache_head)) {
+ if (s->prev == (SSL_SESSION *)&(ctx->internal->session_cache_head)) {
/* first element in list */
- ctx->internal->session_cache_head = s->internal->next;
- s->internal->next->internal->prev =
+ ctx->internal->session_cache_head = s->next;
+ s->next->prev =
(SSL_SESSION *)&(ctx->internal->session_cache_head);
} else {
/* middle of list */
- s->internal->next->internal->prev = s->internal->prev;
- s->internal->prev->internal->next = s->internal->next;
+ s->next->prev = s->prev;
+ s->prev->next = s->next;
}
}
- s->internal->prev = s->internal->next = NULL;
+ s->prev = s->next = NULL;
}
static void
SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s)
{
- if ((s->internal->next != NULL) && (s->internal->prev != NULL))
+ if (s->next != NULL && s->prev != NULL)
SSL_SESSION_list_remove(ctx, s);
if (ctx->internal->session_cache_head == NULL) {
ctx->internal->session_cache_head = s;
ctx->internal->session_cache_tail = s;
- s->internal->prev = (SSL_SESSION *)&(ctx->internal->session_cache_head);
- s->internal->next = (SSL_SESSION *)&(ctx->internal->session_cache_tail);
+ s->prev = (SSL_SESSION *)&(ctx->internal->session_cache_head);
+ s->next = (SSL_SESSION *)&(ctx->internal->session_cache_tail);
} else {
- s->internal->next = ctx->internal->session_cache_head;
- s->internal->next->internal->prev = s;
- s->internal->prev = (SSL_SESSION *)&(ctx->internal->session_cache_head);
+ s->next = ctx->internal->session_cache_head;
+ s->next->prev = s;
+ s->prev = (SSL_SESSION *)&(ctx->internal->session_cache_head);
ctx->internal->session_cache_head = s;
}
}
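Review bot: Missing documentation: `prev` and `next` do not always point at real sessions, because both list functions store `(SSL_SESSION *)&(ctx->internal->session_cache_head)` or the `_tail` equivalent in them as end markers. Those markers are addresses of pointer fields inside the context, so following `->next` or `->prev` through one would access memory that is not an SSL_SESSION; after the fold these members sit at an offset inside the full session struct rather than a small side struct. The branches here compare against the markers before every dereference, but nothing states that this is required. I would add above SSL_SESSION_list_remove: `/* prev/next may hold the cast address of session_cache_head/tail as a sentinel; compare against it, never dereference it. */`.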
diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index ec1e69a8bba..42f64bf86d4 100644
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.122 2021/10/23 14:40:54 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.123 2021/10/25 10:01:46 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -2433,15 +2433,15 @@ ssl3_get_client_certificate(SSL *s)
* With the current implementation, sess_cert will always be NULL
* when we arrive here
*/
- if (SSI(s)->sess_cert == NULL) {
- SSI(s)->sess_cert = ssl_sess_cert_new();
- if (SSI(s)->sess_cert == NULL) {
+ if (s->session->sess_cert == NULL) {
+ s->session->sess_cert = ssl_sess_cert_new();
+ if (s->session->sess_cert == NULL) {
SSLerror(s, ERR_R_MALLOC_FAILURE);
goto err;
}
}
- sk_X509_pop_free(SSI(s)->sess_cert->cert_chain, X509_free);
- SSI(s)->sess_cert->cert_chain = sk;
+ sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
+ s->session->sess_cert->cert_chain = sk;
/*
* Inconsistency alert: cert_chain does *not* include the
diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index 3ad564964de..d8143ce1be7 100644
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.99 2021/09/10 09:25:29 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.100 2021/10/25 10:01:46 jsing Exp $ */
/*
* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -243,7 +243,7 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
int i;
if (S3I(s)->hs.tls13.hrr) {
- if (SSI(s)->tlsext_supportedgroups == NULL) {
+ if (s->session->tlsext_supportedgroups == NULL) {
*alert = SSL_AD_HANDSHAKE_FAILURE;
return 0;
}
@@ -251,7 +251,7 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
* In the case of TLSv1.3 the client cannot change
* the supported groups.
*/
- if (groups_len != SSI(s)->tlsext_supportedgroups_length) {
+ if (groups_len != s->session->tlsext_supportedgroups_length) {
*alert = SSL_AD_ILLEGAL_PARAMETER;
return 0;
}
@@ -260,7 +260,7 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
if (!CBS_get_u16(&grouplist, &group))
goto err;
- if (SSI(s)->tlsext_supportedgroups[i] != group) {
+ if (s->session->tlsext_supportedgroups[i] != group) {
*alert = SSL_AD_ILLEGAL_PARAMETER;
return 0;
}
@@ -269,7 +269,7 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
return 1;
}
- if (SSI(s)->tlsext_supportedgroups != NULL)
+ if (s->session->tlsext_supportedgroups != NULL)
goto err;
if ((groups = reallocarray(NULL, groups_len,
@@ -290,8 +290,8 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
goto err;
}
- SSI(s)->tlsext_supportedgroups = groups;
- SSI(s)->tlsext_supportedgroups_length = groups_len;
+ s->session->tlsext_supportedgroups = groups;
+ s->session->tlsext_supportedgroups_length = groups_len;
}
return 1;
@@ -383,8 +383,8 @@ tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
}
if (!s->internal->hit) {
- if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist),
- &(SSI(s)->tlsext_ecpointformatlist_length))) {
+ if (!CBS_stow(&ecpf, &(s->session->tlsext_ecpointformatlist),
+ &(s->session->tlsext_ecpointformatlist_length))) {
*alert = SSL_AD_INTERNAL_ERROR;
return 0;
}
diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c
index 3cb2d8a1132..092331aae11 100644
--- a/lib/libssl/t1_lib.c
+++ b/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.182 2021/07/01 17:53:39 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.183 2021/10/25 10:01:46 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -329,8 +329,8 @@ tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats,
size_t *pformatslen)
{
if (client_formats != 0) {
- *pformats = SSI(s)->tlsext_ecpointformatlist;
- *pformatslen = SSI(s)->tlsext_ecpointformatlist_length;
+ *pformats = s->session->tlsext_ecpointformatlist;
+ *pformatslen = s->session->tlsext_ecpointformatlist_length;
return;
}
@@ -352,8 +352,8 @@ tls1_get_group_list(SSL *s, int client_groups, const uint16_t **pgroups,
size_t *pgroupslen)
{
if (client_groups != 0) {
- *pgroups = SSI(s)->tlsext_supportedgroups;
- *pgroupslen = SSI(s)->tlsext_supportedgroups_length;
+ *pgroups = s->session->tlsext_supportedgroups;
+ *pgroupslen = s->session->tlsext_supportedgroups_length;
return;
}
diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c
index 00a1c6baa4e..4dfb02581a1 100644
--- a/lib/libssl/tls13_client.c
+++ b/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.87 2021/10/23 14:40:54 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.88 2021/10/25 10:01:46 jsing Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
*
@@ -628,16 +628,16 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
if ((cert_idx = ssl_cert_type(cert, pkey)) < 0)
goto err;
- ssl_sess_cert_free(SSI(s)->sess_cert);
- if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL)
+ ssl_sess_cert_free(s->session->sess_cert);
+ if ((s->session->sess_cert = ssl_sess_cert_new()) == NULL)
goto err;
- SSI(s)->sess_cert->cert_chain = certs;
+ s->session->sess_cert->cert_chain = certs;
certs = NULL;
X509_up_ref(cert);
- SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert;
- SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]);
+ s->session->sess_cert->peer_pkeys[cert_idx].x509 = cert;
+ s->session->sess_cert->peer_key = &(s->session->sess_cert->peer_pkeys[cert_idx]);
X509_free(s->session->peer);
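Review bot: The chain `s->session->sess_cert` is spelled out on every line of the new code in tls13_server_certificate_recv, and the `peer_key` assignment now runs well past 80 columns. A local taken once the allocation has succeeded reads better and makes it plain that every store hits the freshly allocated object: declare `SESS_CERT *sc` and write `sc->peer_key = &sc->peer_pkeys[cert_idx];`. The matching hunk in tls13_client_certificate_recv in tls13_server.c has the same shape. The return value of `X509_up_ref(cert)` is also ignored here. The function extends beyond the hunk on both sides.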
diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c
index a19b3825fe9..733a71f7d1f 100644
--- a/lib/libssl/tls13_server.c
+++ b/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.86 2021/10/23 14:40:54 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.87 2021/10/25 10:01:46 jsing Exp $ */
/*
* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -922,16 +922,16 @@ tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
if ((cert_idx = ssl_cert_type(cert, pkey)) < 0)
goto err;
- ssl_sess_cert_free(SSI(s)->sess_cert);
- if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL)
+ ssl_sess_cert_free(s->session->sess_cert);
+ if ((s->session->sess_cert = ssl_sess_cert_new()) == NULL)
goto err;
- SSI(s)->sess_cert->cert_chain = certs;
+ s->session->sess_cert->cert_chain = certs;
certs = NULL;
X509_up_ref(cert);
- SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert;
- SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]);
+ s->session->sess_cert->peer_pkeys[cert_idx].x509 = cert;
+ s->session->sess_cert->peer_key = &(s->session->sess_cert->peer_pkeys[cert_idx]);
X509_free(s->session->peer);