Remove most of SSL3_ENC_METHOD - we can just inline the function calls

and defines since they are the same everywhere.

ok beck@

11 files changed, 63 insertions, 135 deletions

diff --git a/lib/libssl/d1_clnt.c b/lib/libssl/d1_clnt.c
index 5f8b56ebed7..c0f90dce6fa 100644
--- a/lib/libssl/d1_clnt.c
+++ b/lib/libssl/d1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_clnt.c,v 1.70 2017/01/26 05:31:25 jsing Exp $ */
+/* $OpenBSD: d1_clnt.c,v 1.71 2017/01/26 06:32:58 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -437,12 +437,12 @@ dtls1_connect(SSL *s)
 			s->internal->init_num = 0;
 
 			s->session->cipher = S3I(s)->tmp.new_cipher;
-			if (!s->method->internal->ssl3_enc->setup_key_block(s)) {
+			if (!tls1_setup_key_block(s)) {
 				ret = -1;
 				goto end;
 			}
 
-			if (!s->method->internal->ssl3_enc->change_cipher_state(s,
+			if (!tls1_change_cipher_state(s,
 			    SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
 				ret = -1;
 				goto end;
@@ -458,8 +458,8 @@ dtls1_connect(SSL *s)
 				dtls1_start_timer(s);
 			ret = ssl3_send_finished(s,
 			    SSL3_ST_CW_FINISHED_A, SSL3_ST_CW_FINISHED_B,
-			    s->method->internal->ssl3_enc->client_finished_label,
-			    s->method->internal->ssl3_enc->client_finished_label_len);
+			    TLS_MD_CLIENT_FINISH_CONST,
+			    TLS_MD_CLIENT_FINISH_CONST_SIZE);
 			if (ret <= 0)
 				goto end;
 			s->internal->state = SSL3_ST_CW_FLUSH;
diff --git a/lib/libssl/d1_lib.c b/lib/libssl/d1_lib.c
index e4805a1efac..e193d4ab811 100644
--- a/lib/libssl/d1_lib.c
+++ b/lib/libssl/d1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_lib.c,v 1.38 2017/01/25 06:38:01 jsing Exp $ */
+/* $OpenBSD: d1_lib.c,v 1.39 2017/01/26 06:32:58 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -74,19 +74,6 @@ static int dtls1_listen(SSL *s, struct sockaddr *client);
 
 SSL3_ENC_METHOD DTLSv1_enc_data = {
 	.enc = dtls1_enc,
-	.mac = tls1_mac,
-	.setup_key_block = tls1_setup_key_block,
-	.generate_master_secret = tls1_generate_master_secret,
-	.change_cipher_state = tls1_change_cipher_state,
-	.final_finish_mac = tls1_final_finish_mac,
-	.finish_mac_length = TLS1_FINISH_MAC_LENGTH,
-	.cert_verify_mac = tls1_cert_verify_mac,
-	.client_finished_label = TLS_MD_CLIENT_FINISH_CONST,
-	.client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
-	.server_finished_label = TLS_MD_SERVER_FINISH_CONST,
-	.server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
-	.alert_value = tls1_alert_code,
-	.export_keying_material = tls1_export_keying_material,
 	.enc_flags = SSL_ENC_FLAG_EXPLICIT_IV,
 };
 
diff --git a/lib/libssl/d1_pkt.c b/lib/libssl/d1_pkt.c
index 19853d23756..3ea02700b58 100644
--- a/lib/libssl/d1_pkt.c
+++ b/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.59 2017/01/25 06:13:02 jsing Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.60 2017/01/26 06:32:58 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -417,7 +417,7 @@ dtls1_process_record(SSL *s)
 			mac = &rr->data[rr->length];
 		}
 
-		i = s->method->internal->ssl3_enc->mac(s, md, 0 /* not send */);
+		i = tls1_mac(s, md, 0 /* not send */);
 		if (i < 0 || mac == NULL || timingsafe_memcmp(md, mac, (size_t)mac_size) != 0)
 			enc_err = -1;
 		if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
@@ -1272,7 +1272,7 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
 	 * wr->data still points in the wb->buf */
 
 	if (mac_size != 0) {
-		if (s->method->internal->ssl3_enc->mac(s, &(p[wr->length + bs]), 1) < 0)
+		if (tls1_mac(s, &(p[wr->length + bs]), 1) < 0)
 			goto err;
 		wr->length += mac_size;
 	}
diff --git a/lib/libssl/d1_srvr.c b/lib/libssl/d1_srvr.c
index 1be0e4b5963..f36d3f40cd3 100644
--- a/lib/libssl/d1_srvr.c
+++ b/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.80 2017/01/26 05:31:25 jsing Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.81 2017/01/26 06:32:58 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -522,9 +522,9 @@ dtls1_accept(SSL *s)
 
 				/* We need to get hashes here so if there is
 				 * a client cert, it can be verified */
-				s->method->internal->ssl3_enc->cert_verify_mac(s,
+				tls1_cert_verify_mac(s,
 				    NID_md5, &(S3I(s)->tmp.cert_verify_md[0]));
-				s->method->internal->ssl3_enc->cert_verify_mac(s,
+				tls1_cert_verify_mac(s,
 				    NID_sha1,
 				    &(S3I(s)->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
 			}
@@ -582,7 +582,7 @@ dtls1_accept(SSL *s)
 		case SSL3_ST_SW_CHANGE_B:
 
 			s->session->cipher = S3I(s)->tmp.new_cipher;
-			if (!s->method->internal->ssl3_enc->setup_key_block(s)) {
+			if (!tls1_setup_key_block(s)) {
 				ret = -1;
 				goto end;
 			}
@@ -597,7 +597,7 @@ dtls1_accept(SSL *s)
 			s->internal->state = SSL3_ST_SW_FINISHED_A;
 			s->internal->init_num = 0;
 
-			if (!s->method->internal->ssl3_enc->change_cipher_state(s,
+			if (!tls1_change_cipher_state(s,
 				SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
 				ret = -1;
 				goto end;
@@ -610,8 +610,8 @@ dtls1_accept(SSL *s)
 		case SSL3_ST_SW_FINISHED_B:
 			ret = ssl3_send_finished(s,
 			    SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B,
-			    s->method->internal->ssl3_enc->server_finished_label,
-			    s->method->internal->ssl3_enc->server_finished_label_len);
+			    TLS_MD_SERVER_FINISH_CONST,
+			    TLS_MD_SERVER_FINISH_CONST_SIZE);
 			if (ret <= 0)
 				goto end;
 			s->internal->state = SSL3_ST_SW_FLUSH;
diff --git a/lib/libssl/ssl_both.c b/lib/libssl/ssl_both.c
index e556e336edf..9d0dadef83a 100644
--- a/lib/libssl/ssl_both.c
+++ b/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_both.c,v 1.1 2017/01/26 05:51:54 jsing Exp $ */
+/* $OpenBSD: ssl_both.c,v 1.2 2017/01/26 06:32:58 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -170,10 +170,10 @@ ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
 	int md_len;
 
 	if (s->internal->state == a) {
-		md_len = s->method->internal->ssl3_enc->finish_mac_length;
+		md_len = TLS1_FINISH_MAC_LENGTH;
 		OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE);
 
-		if (s->method->internal->ssl3_enc->final_finish_mac(s, sender, slen,
+		if (tls1_final_finish_mac(s, sender, slen,
 		    S3I(s)->tmp.finish_md) != md_len)
 			return (0);
 		S3I(s)->tmp.finish_md_len = md_len;
@@ -217,15 +217,15 @@ ssl3_take_mac(SSL *s)
 		return;
 
 	if (s->internal->state & SSL_ST_CONNECT) {
-		sender = s->method->internal->ssl3_enc->server_finished_label;
-		slen = s->method->internal->ssl3_enc->server_finished_label_len;
+		sender = TLS_MD_SERVER_FINISH_CONST;
+		slen = TLS_MD_SERVER_FINISH_CONST_SIZE;
 	} else {
-		sender = s->method->internal->ssl3_enc->client_finished_label;
-		slen = s->method->internal->ssl3_enc->client_finished_label_len;
+		sender = TLS_MD_CLIENT_FINISH_CONST;
+		slen = TLS_MD_CLIENT_FINISH_CONST_SIZE;
 	}
 
 	S3I(s)->tmp.peer_finish_md_len =
-	    s->method->internal->ssl3_enc->final_finish_mac(s, sender, slen,
+	    tls1_final_finish_mac(s, sender, slen,
 		S3I(s)->tmp.peer_finish_md);
 }
 
@@ -249,7 +249,7 @@ ssl3_get_finished(SSL *s, int a, int b)
 	}
 	S3I(s)->change_cipher_spec = 0;
 
-	md_len = s->method->internal->ssl3_enc->finish_mac_length;
+	md_len = TLS1_FINISH_MAC_LENGTH;
 
 	if (n < 0) {
 		al = SSL_AD_DECODE_ERROR;
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index e7c78b139bf..f7bbca0d787 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.1 2017/01/26 05:51:54 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.2 2017/01/26 06:32:58 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -419,12 +419,12 @@ ssl3_connect(SSL *s)
 			s->internal->init_num = 0;
 
 			s->session->cipher = S3I(s)->tmp.new_cipher;
-			if (!s->method->internal->ssl3_enc->setup_key_block(s)) {
+			if (!tls1_setup_key_block(s)) {
 				ret = -1;
 				goto end;
 			}
 
-			if (!s->method->internal->ssl3_enc->change_cipher_state(s,
+			if (!tls1_change_cipher_state(s,
 			    SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
 				ret = -1;
 				goto end;
@@ -444,8 +444,8 @@ ssl3_connect(SSL *s)
 		case SSL3_ST_CW_FINISHED_B:
 			ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A,
 			    SSL3_ST_CW_FINISHED_B,
-			    s->method->internal->ssl3_enc->client_finished_label,
-			    s->method->internal->ssl3_enc->client_finished_label_len);
+			    TLS_MD_CLIENT_FINISH_CONST,
+			    TLS_MD_CLIENT_FINISH_CONST_SIZE);
 			if (ret <= 0)
 				goto end;
 			s->s3->flags |= SSL3_FLAGS_CCS_OK;
@@ -2005,7 +2005,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
 		goto err;
 
 	s->session->master_key_length =
-	    s->method->internal->ssl3_enc->generate_master_secret(s,
+	    tls1_generate_master_secret(s,
 		s->session->master_key, pms, sizeof(pms));
 
 	ret = 1;
@@ -2060,7 +2060,7 @@ ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
 
 	/* Generate master key from the result. */
 	s->session->master_key_length =
-	    s->method->internal->ssl3_enc->generate_master_secret(s,
+	    tls1_generate_master_secret(s,
 		s->session->master_key, key, key_len);
 
 	if (!CBB_add_u16_length_prefixed(cbb, &dh_Yc))
@@ -2135,7 +2135,7 @@ ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb)
 
 	/* Generate master key from the result. */
 	s->session->master_key_length =
-	    s->method->internal->ssl3_enc->generate_master_secret(s,
+	    tls1_generate_master_secret(s,
 		s->session->master_key, key, key_len);
 
 	encoded_len = EC_POINT_point2oct(group, EC_KEY_get0_public_key(ecdh),
@@ -2204,7 +2204,7 @@ ssl3_send_client_kex_ecdhe_ecx(SSL *s, SESS_CERT *sc, CBB *cbb)
 
 	/* Generate master key from the result. */
 	s->session->master_key_length =
-	    s->method->internal->ssl3_enc->generate_master_secret(s,
+	    tls1_generate_master_secret(s,
 		s->session->master_key, shared_key, X25519_KEY_LENGTH);
 
 	ret = 1;
@@ -2344,7 +2344,7 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
 	}
 	EVP_PKEY_CTX_free(pkey_ctx);
 	s->session->master_key_length =
-	    s->method->internal->ssl3_enc->generate_master_secret(s,
+	    tls1_generate_master_secret(s,
 		s->session->master_key, premaster_secret, 32);
 
 	ret = 1;
@@ -2441,7 +2441,7 @@ ssl3_send_client_verify(SSL *s)
 		EVP_PKEY_sign_init(pctx);
 		if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) > 0) {
 			if (!SSL_USE_SIGALGS(s))
-				s->method->internal->ssl3_enc->cert_verify_mac(s,
+				tls1_cert_verify_mac(s,
 				    NID_sha1, &(data[MD5_DIGEST_LENGTH]));
 		} else {
 			ERR_clear_error();
@@ -2475,7 +2475,7 @@ ssl3_send_client_verify(SSL *s)
 			if (!tls1_digest_cached_records(s))
 				goto err;
 		} else if (pkey->type == EVP_PKEY_RSA) {
-			s->method->internal->ssl3_enc->cert_verify_mac(
+			tls1_cert_verify_mac(
 			    s, NID_md5, &(data[0]));
 			if (RSA_sign(NID_md5_sha1, data,
 			    MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, &(p[2]),
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index 6f31d6dcdf7..6d5d5c468b8 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.152 2017/01/26 06:01:44 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.153 2017/01/26 06:32:58 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1732,7 +1732,7 @@ SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
     const char *label, size_t llen, const unsigned char *p, size_t plen,
     int use_context)
 {
-	return (s->method->internal->ssl3_enc->export_keying_material(s, out, olen,
+	return (tls1_export_keying_material(s, out, olen,
 	    label, llen, p, plen, use_context));
 }
 
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index bff28b17729..6834592516c 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.169 2017/01/26 05:31:25 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.170 2017/01/26 06:32:58 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1012,28 +1012,8 @@ typedef struct sess_cert_st {
 /*#define SSL_DEBUG	*/
 /*#define RSA_DEBUG	*/
 
-/* This is for the SSLv3/TLSv1.0 differences in crypto/hash stuff
- * It is a bit of a mess of functions, but hell, think of it as
- * an opaque structure :-) */
 typedef struct ssl3_enc_method {
 	int (*enc)(SSL *, int);
-	int (*mac)(SSL *, unsigned char *, int);
-	int (*setup_key_block)(SSL *);
-	int (*generate_master_secret)(SSL *, unsigned char *,
-	    unsigned char *, int);
-	int (*change_cipher_state)(SSL *, int);
-	int (*final_finish_mac)(SSL *,  const char *, int, unsigned char *);
-	int finish_mac_length;
-	int (*cert_verify_mac)(SSL *, int, unsigned char *);
-	const char *client_finished_label;
-	int client_finished_label_len;
-	const char *server_finished_label;
-	int server_finished_label_len;
-	int (*alert_value)(int);
-	int (*export_keying_material)(SSL *, unsigned char *, size_t,
-	    const char *, size_t, const unsigned char *, size_t,
-	    int use_context);
-	/* Flags indicating protocol version requirements. */
 	unsigned int enc_flags;
 } SSL3_ENC_METHOD;
 
diff --git a/lib/libssl/ssl_pkt.c b/lib/libssl/ssl_pkt.c
index 2ab264f33f6..ef5b5737aaa 100644
--- a/lib/libssl/ssl_pkt.c
+++ b/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_pkt.c,v 1.1 2017/01/26 05:51:54 jsing Exp $ */
+/* $OpenBSD: ssl_pkt.c,v 1.2 2017/01/26 06:32:58 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -475,7 +475,7 @@ again:
 			mac = &rr->data[rr->length];
 		}
 
-		i = s->method->internal->ssl3_enc->mac(s,md,0 /* not send */);
+		i = tls1_mac(s,md,0 /* not send */);
 		if (i < 0 || mac == NULL ||
 		    timingsafe_memcmp(md, mac, (size_t)mac_size) != 0)
 			enc_err = -1;
@@ -747,7 +747,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 	 * wr->data still points in the wb->buf */
 
 	if (mac_size != 0) {
-		if (s->method->internal->ssl3_enc->mac(s,
+		if (tls1_mac(s,
 		    &(p[wr->length + eivlen]), 1) < 0)
 			goto err;
 		wr->length += mac_size;
@@ -1360,25 +1360,25 @@ ssl3_do_change_cipher_spec(SSL *s)
 		}
 
 		s->session->cipher = S3I(s)->tmp.new_cipher;
-		if (!s->method->internal->ssl3_enc->setup_key_block(s))
+		if (!tls1_setup_key_block(s))
 			return (0);
 	}
 
-	if (!s->method->internal->ssl3_enc->change_cipher_state(s, i))
+	if (!tls1_change_cipher_state(s, i))
 		return (0);
 
 	/* we have to record the message digest at
 	 * this point so we can get it before we read
 	 * the finished message */
 	if (s->internal->state & SSL_ST_CONNECT) {
-		sender = s->method->internal->ssl3_enc->server_finished_label;
-		slen = s->method->internal->ssl3_enc->server_finished_label_len;
+		sender = TLS_MD_SERVER_FINISH_CONST;
+		slen = TLS_MD_SERVER_FINISH_CONST_SIZE;
 	} else {
-		sender = s->method->internal->ssl3_enc->client_finished_label;
-		slen = s->method->internal->ssl3_enc->client_finished_label_len;
+		sender = TLS_MD_CLIENT_FINISH_CONST;
+		slen = TLS_MD_CLIENT_FINISH_CONST_SIZE;
 	}
 
-	i = s->method->internal->ssl3_enc->final_finish_mac(s, sender, slen,
+	i = tls1_final_finish_mac(s, sender, slen,
 	    S3I(s)->tmp.peer_finish_md);
 	if (i == 0) {
 		SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
@@ -1393,7 +1393,7 @@ int
 ssl3_send_alert(SSL *s, int level, int desc)
 {
 	/* Map tls/ssl alert value to correct one */
-	desc = s->method->internal->ssl3_enc->alert_value(desc);
+	desc = tls1_alert_code(desc);
 	if (desc < 0)
 		return -1;
 	/* If a fatal one, remove from cache */
diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index dfc6ee67b6c..a716947ab9f 100644
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.1 2017/01/26 05:51:54 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.2 2017/01/26 06:32:58 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -519,7 +519,7 @@ ssl3_accept(SSL *s)
 					if (S3I(s)->handshake_dgst[dgst_num]) {
 					int dgst_size;
 
-					s->method->internal->ssl3_enc->cert_verify_mac(s,
+					tls1_cert_verify_mac(s,
 					    EVP_MD_CTX_type(
 					    S3I(s)->handshake_dgst[dgst_num]),
 					    &(S3I(s)->tmp.cert_verify_md[offset]));
@@ -598,7 +598,7 @@ ssl3_accept(SSL *s)
 		case SSL3_ST_SW_CHANGE_B:
 
 			s->session->cipher = S3I(s)->tmp.new_cipher;
-			if (!s->method->internal->ssl3_enc->setup_key_block(s)) {
+			if (!tls1_setup_key_block(s)) {
 				ret = -1;
 				goto end;
 			}
@@ -611,7 +611,7 @@ ssl3_accept(SSL *s)
 			s->internal->state = SSL3_ST_SW_FINISHED_A;
 			s->internal->init_num = 0;
 
-			if (!s->method->internal->ssl3_enc->change_cipher_state(
+			if (!tls1_change_cipher_state(
 			    s, SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
 				ret = -1;
 				goto end;
@@ -623,8 +623,8 @@ ssl3_accept(SSL *s)
 		case SSL3_ST_SW_FINISHED_B:
 			ret = ssl3_send_finished(s,
 			SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B,
-			s->method->internal->ssl3_enc->server_finished_label,
-			s->method->internal->ssl3_enc->server_finished_label_len);
+			TLS_MD_SERVER_FINISH_CONST,
+			TLS_MD_SERVER_FINISH_CONST_SIZE);
 			if (ret <= 0)
 				goto end;
 			s->internal->state = SSL3_ST_SW_FLUSH;
@@ -1808,7 +1808,7 @@ ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n)
 	}
 
 	s->session->master_key_length =
-	    s->method->internal->ssl3_enc->generate_master_secret(s,
+	    tls1_generate_master_secret(s,
 	        s->session->master_key, p, i);
 
 	explicit_bzero(p, i);
@@ -1864,7 +1864,7 @@ ssl3_get_client_kex_dhe(SSL *s, unsigned char *p, long n)
 	}
 
 	s->session->master_key_length =
-	    s->method->internal->ssl3_enc->generate_master_secret(
+	    tls1_generate_master_secret(
 	        s, s->session->master_key, p, key_size);
 
 	explicit_bzero(p, key_size);
@@ -2018,7 +2018,7 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)
 
 	/* Compute the master secret */
 	s->session->master_key_length =
-	    s->method->internal->ssl3_enc->generate_master_secret(
+	    tls1_generate_master_secret(
 		s, s->session->master_key, p, i);
 
 	explicit_bzero(p, i);
@@ -2060,7 +2060,7 @@ ssl3_get_client_kex_ecdhe_ecx(SSL *s, unsigned char *p, long n)
 	S3I(s)->tmp.x25519 = NULL;
 
 	s->session->master_key_length =
-	    s->method->internal->ssl3_enc->generate_master_secret(
+	    tls1_generate_master_secret(
 		s, s->session->master_key, shared_key, X25519_KEY_LENGTH);
 
 	ret = 1;
@@ -2136,7 +2136,7 @@ ssl3_get_client_kex_gost(SSL *s, unsigned char *p, long n)
 	}
 	/* Generate master secret */
 	s->session->master_key_length =
-	    s->method->internal->ssl3_enc->generate_master_secret(
+	    tls1_generate_master_secret(
 		s, s->session->master_key, premaster_secret, 32);
 	/* Check if pubkey from client certificate was used */
 	if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1,
diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c
index 9b60d664e56..3585a3ac55c 100644
--- a/lib/libssl/t1_lib.c
+++ b/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.111 2017/01/24 14:57:31 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.112 2017/01/26 06:32:58 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -125,55 +125,16 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
 
 SSL3_ENC_METHOD TLSv1_enc_data = {
 	.enc = tls1_enc,
-	.mac = tls1_mac,
-	.setup_key_block = tls1_setup_key_block,
-	.generate_master_secret = tls1_generate_master_secret,
-	.change_cipher_state = tls1_change_cipher_state,
-	.final_finish_mac = tls1_final_finish_mac,
-	.finish_mac_length = TLS1_FINISH_MAC_LENGTH,
-	.cert_verify_mac = tls1_cert_verify_mac,
-	.client_finished_label = TLS_MD_CLIENT_FINISH_CONST,
-	.client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
-	.server_finished_label = TLS_MD_SERVER_FINISH_CONST,
-	.server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
-	.alert_value = tls1_alert_code,
-	.export_keying_material = tls1_export_keying_material,
 	.enc_flags = 0,
 };
 
 SSL3_ENC_METHOD TLSv1_1_enc_data = {
 	.enc = tls1_enc,
-	.mac = tls1_mac,
-	.setup_key_block = tls1_setup_key_block,
-	.generate_master_secret = tls1_generate_master_secret,
-	.change_cipher_state = tls1_change_cipher_state,
-	.final_finish_mac = tls1_final_finish_mac,
-	.finish_mac_length = TLS1_FINISH_MAC_LENGTH,
-	.cert_verify_mac = tls1_cert_verify_mac,
-	.client_finished_label = TLS_MD_CLIENT_FINISH_CONST,
-	.client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
-	.server_finished_label = TLS_MD_SERVER_FINISH_CONST,
-	.server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
-	.alert_value = tls1_alert_code,
-	.export_keying_material = tls1_export_keying_material,
 	.enc_flags = SSL_ENC_FLAG_EXPLICIT_IV,
 };
 
 SSL3_ENC_METHOD TLSv1_2_enc_data = {
 	.enc = tls1_enc,
-	.mac = tls1_mac,
-	.setup_key_block = tls1_setup_key_block,
-	.generate_master_secret = tls1_generate_master_secret,
-	.change_cipher_state = tls1_change_cipher_state,
-	.final_finish_mac = tls1_final_finish_mac,
-	.finish_mac_length = TLS1_FINISH_MAC_LENGTH,
-	.cert_verify_mac = tls1_cert_verify_mac,
-	.client_finished_label = TLS_MD_CLIENT_FINISH_CONST,
-	.client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
-	.server_finished_label = TLS_MD_SERVER_FINISH_CONST,
-	.server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
-	.alert_value = tls1_alert_code,
-	.export_keying_material = tls1_export_keying_material,
 	.enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|
 	    SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS,
 };