Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@

14 files changed, 282 insertions, 214 deletions

diff --git a/lib/libssl/d1_both.c b/lib/libssl/d1_both.c
index 3b9880b6008..22bd3cec2ab 100644
--- a/lib/libssl/d1_both.c
+++ b/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.70 2021/05/05 19:52:00 jsing Exp $ */
+/* $OpenBSD: d1_both.c,v 1.71 2021/05/16 13:56:30 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -124,8 +124,9 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
-#include "pqueue.h"
 #include "bytestring.h"
+#include "dtls_locl.h"
+#include "pqueue.h"
 
 #define RSMBLY_BITMASK_SIZE(msg_len) (((msg_len) + 7) / 8)
 
diff --git a/lib/libssl/d1_lib.c b/lib/libssl/d1_lib.c
index 4a45e66f34b..dbc89e6f465 100644
--- a/lib/libssl/d1_lib.c
+++ b/lib/libssl/d1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_lib.c,v 1.53 2021/02/20 07:29:07 jsing Exp $ */
+/* $OpenBSD: d1_lib.c,v 1.54 2021/05/16 13:56:30 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -67,6 +67,7 @@
 
 #include <openssl/objects.h>
 
+#include "dtls_locl.h"
 #include "pqueue.h"
 #include "ssl_locl.h"
 
diff --git a/lib/libssl/d1_pkt.c b/lib/libssl/d1_pkt.c
index 31ee5a679a0..3b3fd95f6f9 100644
--- a/lib/libssl/d1_pkt.c
+++ b/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.95 2021/05/05 19:52:00 jsing Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.96 2021/05/16 13:56:30 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -118,13 +118,13 @@
 #include <errno.h>
 #include <stdio.h>
 
-#include "ssl_locl.h"
-
 #include <openssl/buffer.h>
 #include <openssl/evp.h>
 
-#include "pqueue.h"
 #include "bytestring.h"
+#include "dtls_locl.h"
+#include "pqueue.h"
+#include "ssl_locl.h"
 
 static int	do_dtls1_write(SSL *s, int type, const unsigned char *buf,
 		    unsigned int len);
diff --git a/lib/libssl/d1_srtp.c b/lib/libssl/d1_srtp.c
index 2236e94e63c..cbdb4a6144c 100644
--- a/lib/libssl/d1_srtp.c
+++ b/lib/libssl/d1_srtp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srtp.c,v 1.27 2021/05/16 08:24:21 jsing Exp $ */
+/* $OpenBSD: d1_srtp.c,v 1.28 2021/05/16 13:56:30 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -120,11 +120,11 @@
 #include <openssl/objects.h>
 #include <openssl/opensslconf.h>
 
-#include "ssl_locl.h"
-
 #ifndef OPENSSL_NO_SRTP
 
 #include "bytestring.h"
+#include "dtls_locl.h"
+#include "ssl_locl.h"
 #include "srtp.h"
 
 static const SRTP_PROTECTION_PROFILE srtp_known_profiles[] = {
diff --git a/lib/libssl/dtls1.h b/lib/libssl/dtls1.h
index 624df2479b9..7428d8ec3c7 100644
--- a/lib/libssl/dtls1.h
+++ b/lib/libssl/dtls1.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dtls1.h,v 1.26 2021/05/10 17:10:57 tb Exp $ */
+/* $OpenBSD: dtls1.h,v 1.27 2021/05/16 13:56:30 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -91,90 +91,6 @@ extern "C" {
 
 #define DTLS1_AL_HEADER_LENGTH                   2
 
-#ifdef LIBRESSL_INTERNAL
-
-typedef struct dtls1_bitmap_st {
-	unsigned long map;		/* track 32 packets on 32-bit systems
-					   and 64 - on 64-bit systems */
-	unsigned char max_seq_num[8];	/* max record number seen so far,
-					   64-bit value in big-endian
-					   encoding */
-} DTLS1_BITMAP;
-
-struct dtls1_retransmit_state {
-	EVP_CIPHER_CTX *enc_write_ctx;	/* cryptographic state */
-	EVP_MD_CTX *write_hash;		/* used for mac generation */
-	SSL_SESSION *session;
-	unsigned short epoch;
-};
-
-struct hm_header_st {
-	unsigned char type;
-	unsigned long msg_len;
-	unsigned short seq;
-	unsigned long frag_off;
-	unsigned long frag_len;
-	unsigned int is_ccs;
-	struct dtls1_retransmit_state saved_retransmit_state;
-};
-
-struct ccs_header_st {
-	unsigned char type;
-	unsigned short seq;
-};
-
-struct dtls1_timeout_st {
-	/* Number of read timeouts so far */
-	unsigned int read_timeouts;
-
-	/* Number of write timeouts so far */
-	unsigned int write_timeouts;
-
-	/* Number of alerts received so far */
-	unsigned int num_alerts;
-};
-
-struct _pqueue;
-
-typedef struct record_pqueue_st {
-	unsigned short epoch;
-	struct _pqueue *q;
-} record_pqueue;
-
-typedef struct hm_fragment_st {
-	struct hm_header_st msg_header;
-	unsigned char *fragment;
-	unsigned char *reassembly;
-} hm_fragment;
-
-struct dtls1_state_internal_st;
-
-typedef struct dtls1_state_st {
-	/* Buffered (sent) handshake records */
-	struct _pqueue *sent_messages;
-
-	/* Indicates when the last handshake msg or heartbeat sent will timeout */
-	struct timeval next_timeout;
-
-	/* Timeout duration */
-	unsigned short timeout_duration;
-
-	struct dtls1_state_internal_st *internal;
-} DTLS1_STATE;
-
-#ifndef LIBRESSL_INTERNAL
-
-typedef struct dtls1_record_data_st {
-	unsigned char *packet;
-	unsigned int   packet_length;
-	SSL3_BUFFER    rbuf;
-	SSL3_RECORD    rrec;
-} DTLS1_RECORD_DATA;
-
-#endif
-
-#endif
-
 /* Timeout multipliers (timeout slice is defined in apps/timeouts.h */
 #define DTLS1_TMO_READ_COUNT                      2
 #define DTLS1_TMO_WRITE_COUNT                     2
diff --git a/lib/libssl/dtls_locl.h b/lib/libssl/dtls_locl.h
new file mode 100644
index 00000000000..9bf1fe66617
--- /dev/null
+++ b/lib/libssl/dtls_locl.h
@@ -0,0 +1,251 @@
+/* $OpenBSD: dtls_locl.h,v 1.1 2021/05/16 13:56:30 jsing Exp $ */
+/*
+ * DTLS implementation written by Nagendra Modadugu
+ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_DTLS_LOCL_H
+#define HEADER_DTLS_LOCL_H
+
+#include <sys/time.h>
+
+#include <openssl/dtls1.h>
+
+#include "ssl_locl.h"
+
+__BEGIN_HIDDEN_DECLS
+
+typedef struct dtls1_bitmap_st {
+	unsigned long map;		/* track 32 packets on 32-bit systems
+					   and 64 - on 64-bit systems */
+	unsigned char max_seq_num[8];	/* max record number seen so far,
+					   64-bit value in big-endian
+					   encoding */
+} DTLS1_BITMAP;
+
+struct dtls1_retransmit_state {
+	EVP_CIPHER_CTX *enc_write_ctx;	/* cryptographic state */
+	EVP_MD_CTX *write_hash;		/* used for mac generation */
+	SSL_SESSION *session;
+	unsigned short epoch;
+};
+
+struct hm_header_st {
+	unsigned char type;
+	unsigned long msg_len;
+	unsigned short seq;
+	unsigned long frag_off;
+	unsigned long frag_len;
+	unsigned int is_ccs;
+	struct dtls1_retransmit_state saved_retransmit_state;
+};
+
+struct ccs_header_st {
+	unsigned char type;
+	unsigned short seq;
+};
+
+struct dtls1_timeout_st {
+	/* Number of read timeouts so far */
+	unsigned int read_timeouts;
+
+	/* Number of write timeouts so far */
+	unsigned int write_timeouts;
+
+	/* Number of alerts received so far */
+	unsigned int num_alerts;
+};
+
+struct _pqueue;
+
+typedef struct record_pqueue_st {
+	unsigned short epoch;
+	struct _pqueue *q;
+} record_pqueue;
+
+typedef struct hm_fragment_st {
+	struct hm_header_st msg_header;
+	unsigned char *fragment;
+	unsigned char *reassembly;
+} hm_fragment;
+
+typedef struct dtls1_record_data_internal_st {
+	unsigned char *packet;
+	unsigned int packet_length;
+	SSL3_BUFFER_INTERNAL rbuf;
+	SSL3_RECORD_INTERNAL rrec;
+} DTLS1_RECORD_DATA_INTERNAL;
+
+struct dtls1_state_internal_st;
+
+typedef struct dtls1_state_internal_st {
+	unsigned int send_cookie;
+	unsigned char cookie[DTLS1_COOKIE_LENGTH];
+	unsigned char rcvd_cookie[DTLS1_COOKIE_LENGTH];
+	unsigned int cookie_len;
+
+	/*
+	 * The current data and handshake epoch.  This is initially
+	 * undefined, and starts at zero once the initial handshake is
+	 * completed
+	 */
+	unsigned short r_epoch;
+
+	/* records being received in the current epoch */
+	DTLS1_BITMAP bitmap;
+
+	/* renegotiation starts a new set of sequence numbers */
+	DTLS1_BITMAP next_bitmap;
+
+	/* handshake message numbers */
+	unsigned short handshake_write_seq;
+	unsigned short next_handshake_write_seq;
+
+	unsigned short handshake_read_seq;
+
+	/* Received handshake records (processed and unprocessed) */
+	record_pqueue unprocessed_rcds;
+	record_pqueue processed_rcds;
+
+	/* Buffered handshake messages */
+	struct _pqueue *buffered_messages;
+
+	/* Buffered application records.
+	 * Only for records between CCS and Finished
+	 * to prevent either protocol violation or
+	 * unnecessary message loss.
+	 */
+	record_pqueue buffered_app_data;
+
+	/* Is set when listening for new connections with dtls1_listen() */
+	unsigned int listen;
+
+	unsigned int mtu; /* max DTLS packet size */
+
+	struct hm_header_st w_msg_hdr;
+	struct hm_header_st r_msg_hdr;
+
+	struct dtls1_timeout_st timeout;
+
+	/* storage for Alert/Handshake protocol data received but not
+	 * yet processed by ssl3_read_bytes: */
+	unsigned char alert_fragment[DTLS1_AL_HEADER_LENGTH];
+	unsigned int alert_fragment_len;
+	unsigned char handshake_fragment[DTLS1_HM_HEADER_LENGTH];
+	unsigned int handshake_fragment_len;
+
+	unsigned int retransmitting;
+	unsigned int change_cipher_spec_ok;
+} DTLS1_STATE_INTERNAL;
+#define D1I(s) (s->d1->internal)
+
+typedef struct dtls1_state_st {
+	/* Buffered (sent) handshake records */
+	struct _pqueue *sent_messages;
+
+	/* Indicates when the last handshake msg or heartbeat sent will timeout */
+	struct timeval next_timeout;
+
+	/* Timeout duration */
+	unsigned short timeout_duration;
+
+	struct dtls1_state_internal_st *internal;
+} DTLS1_STATE;
+
+int dtls1_do_write(SSL *s, int type);
+int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
+void dtls1_set_message_header(SSL *s, unsigned char mt, unsigned long len,
+    unsigned long frag_off, unsigned long frag_len);
+void dtls1_set_message_header_int(SSL *s, unsigned char mt,
+    unsigned long len, unsigned short seq_num, unsigned long frag_off,
+    unsigned long frag_len);
+
+int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf, int len);
+int dtls1_write_bytes(SSL *s, int type, const void *buf, int len);
+
+int dtls1_read_failed(SSL *s, int code);
+int dtls1_buffer_message(SSL *s, int ccs);
+int dtls1_retransmit_message(SSL *s, unsigned short seq,
+    unsigned long frag_off, int *found);
+int dtls1_get_queue_priority(unsigned short seq, int is_ccs);
+int dtls1_retransmit_buffered_messages(SSL *s);
+void dtls1_clear_record_buffer(SSL *s);
+int dtls1_get_message_header(unsigned char *data,
+    struct hm_header_st *msg_hdr);
+void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr);
+void dtls1_reset_read_seq_numbers(SSL *s);
+struct timeval* dtls1_get_timeout(SSL *s, struct timeval* timeleft);
+int dtls1_check_timeout_num(SSL *s);
+int dtls1_handle_timeout(SSL *s);
+const SSL_CIPHER *dtls1_get_cipher(unsigned int u);
+void dtls1_start_timer(SSL *s);
+void dtls1_stop_timer(SSL *s);
+int dtls1_is_timer_expired(SSL *s);
+void dtls1_double_timeout(SSL *s);
+unsigned int dtls1_min_mtu(void);
+
+int dtls1_new(SSL *s);
+void dtls1_free(SSL *s);
+void dtls1_clear(SSL *s);
+long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg);
+
+long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);
+int dtls1_get_record(SSL *s);
+int dtls1_dispatch_alert(SSL *s);
+
+__END_HIDDEN_DECLS
+
+#endif
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index 2867d32deb4..f056c3bae49 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.209 2021/05/16 08:24:21 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.210 2021/05/16 13:56:30 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -158,8 +158,9 @@
 #include <openssl/objects.h>
 #include <openssl/opensslconf.h>
 
-#include "ssl_locl.h"
 #include "bytestring.h"
+#include "dtls_locl.h"
+#include "ssl_locl.h"
 
 #define SSL3_NUM_CIPHERS	(sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER))
 
diff --git a/lib/libssl/ssl_both.c b/lib/libssl/ssl_both.c
index c133449a6d4..40dddd08055 100644
--- a/lib/libssl/ssl_both.c
+++ b/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_both.c,v 1.30 2021/05/02 15:55:29 jsing Exp $ */
+/* $OpenBSD: ssl_both.c,v 1.31 2021/05/16 13:56:30 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -118,14 +118,14 @@
 #include <stdio.h>
 #include <string.h>
 
-#include "ssl_locl.h"
-
 #include <openssl/buffer.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
 #include "bytestring.h"
+#include "dtls_locl.h"
+#include "ssl_locl.h"
 
 /*
  * Send s->internal->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index 8520bb7c05d..abfe5c7d60e 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.97 2021/05/16 08:24:21 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.98 2021/05/16 13:56:30 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -171,6 +171,7 @@
 #endif
 
 #include "bytestring.h"
+#include "dtls_locl.h"
 #include "ssl_sigalgs.h"
 #include "ssl_tlsext.h"
 
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index 3cb64cfb16c..c6c499eb024 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.257 2021/05/16 08:24:21 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.258 2021/05/16 13:56:31 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -161,6 +161,7 @@
 #endif
 
 #include "bytestring.h"
+#include "dtls_locl.h"
 #include "ssl_sigalgs.h"
 
 const char *SSL_version_str = OPENSSL_VERSION_TEXT;
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 52daec611fd..2e324e5d312 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.345 2021/05/16 10:55:17 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.346 2021/05/16 13:56:31 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -979,74 +979,6 @@ typedef struct ssl3_state_internal_st {
 } SSL3_STATE_INTERNAL;
 #define S3I(s) (s->s3->internal)
 
-typedef struct dtls1_record_data_internal_st {
-	unsigned char *packet;
-	unsigned int packet_length;
-	SSL3_BUFFER_INTERNAL rbuf;
-	SSL3_RECORD_INTERNAL rrec;
-} DTLS1_RECORD_DATA_INTERNAL;
-
-typedef struct dtls1_state_internal_st {
-	unsigned int send_cookie;
-	unsigned char cookie[DTLS1_COOKIE_LENGTH];
-	unsigned char rcvd_cookie[DTLS1_COOKIE_LENGTH];
-	unsigned int cookie_len;
-
-	/*
-	 * The current data and handshake epoch.  This is initially
-	 * undefined, and starts at zero once the initial handshake is
-	 * completed
-	 */
-	unsigned short r_epoch;
-
-	/* records being received in the current epoch */
-	DTLS1_BITMAP bitmap;
-
-	/* renegotiation starts a new set of sequence numbers */
-	DTLS1_BITMAP next_bitmap;
-
-	/* handshake message numbers */
-	unsigned short handshake_write_seq;
-	unsigned short next_handshake_write_seq;
-
-	unsigned short handshake_read_seq;
-
-	/* Received handshake records (processed and unprocessed) */
-	record_pqueue unprocessed_rcds;
-	record_pqueue processed_rcds;
-
-	/* Buffered handshake messages */
-	struct _pqueue *buffered_messages;
-
-	/* Buffered application records.
-	 * Only for records between CCS and Finished
-	 * to prevent either protocol violation or
-	 * unnecessary message loss.
-	 */
-	record_pqueue buffered_app_data;
-
-	/* Is set when listening for new connections with dtls1_listen() */
-	unsigned int listen;
-
-	unsigned int mtu; /* max DTLS packet size */
-
-	struct hm_header_st w_msg_hdr;
-	struct hm_header_st r_msg_hdr;
-
-	struct dtls1_timeout_st timeout;
-
-	/* storage for Alert/Handshake protocol data received but not
-	 * yet processed by ssl3_read_bytes: */
-	unsigned char alert_fragment[DTLS1_AL_HEADER_LENGTH];
-	unsigned int alert_fragment_len;
-	unsigned char handshake_fragment[DTLS1_HM_HEADER_LENGTH];
-	unsigned int handshake_fragment_len;
-
-	unsigned int retransmitting;
-	unsigned int change_cipher_spec_ok;
-} DTLS1_STATE_INTERNAL;
-#define D1I(s) (s->d1->internal)
-
 typedef struct cert_st {
 	/* Current active set */
 	CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array
@@ -1270,42 +1202,11 @@ int ssl3_record_write(SSL *s, int type);
 
 int ssl3_do_change_cipher_spec(SSL *ssl);
 
-int dtls1_do_write(SSL *s, int type);
 int ssl3_packet_read(SSL *s, int plen);
 int ssl3_packet_extend(SSL *s, int plen);
 int ssl_server_legacy_first_packet(SSL *s);
-int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
 int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
     unsigned int len);
-void dtls1_set_message_header(SSL *s, unsigned char mt, unsigned long len,
-    unsigned long frag_off, unsigned long frag_len);
-void dtls1_set_message_header_int(SSL *s, unsigned char mt,
-    unsigned long len, unsigned short seq_num, unsigned long frag_off,
-    unsigned long frag_len);
-
-int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf, int len);
-int dtls1_write_bytes(SSL *s, int type, const void *buf, int len);
-
-int dtls1_read_failed(SSL *s, int code);
-int dtls1_buffer_message(SSL *s, int ccs);
-int dtls1_retransmit_message(SSL *s, unsigned short seq,
-    unsigned long frag_off, int *found);
-int dtls1_get_queue_priority(unsigned short seq, int is_ccs);
-int dtls1_retransmit_buffered_messages(SSL *s);
-void dtls1_clear_record_buffer(SSL *s);
-int dtls1_get_message_header(unsigned char *data,
-    struct hm_header_st *msg_hdr);
-void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr);
-void dtls1_reset_read_seq_numbers(SSL *s);
-struct timeval* dtls1_get_timeout(SSL *s, struct timeval* timeleft);
-int dtls1_check_timeout_num(SSL *s);
-int dtls1_handle_timeout(SSL *s);
-const SSL_CIPHER *dtls1_get_cipher(unsigned int u);
-void dtls1_start_timer(SSL *s);
-void dtls1_stop_timer(SSL *s);
-int dtls1_is_timer_expired(SSL *s);
-void dtls1_double_timeout(SSL *s);
-unsigned int dtls1_min_mtu(void);
 
 /* some client-only functions */
 int ssl3_send_client_hello(SSL *s);
@@ -1347,15 +1248,6 @@ int tls1_new(SSL *s);
 void tls1_free(SSL *s);
 void tls1_clear(SSL *s);
 
-int dtls1_new(SSL *s);
-void dtls1_free(SSL *s);
-void dtls1_clear(SSL *s);
-long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg);
-
-long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);
-int dtls1_get_record(SSL *s);
-int dtls1_dispatch_alert(SSL *s);
-
 int ssl_init_wbio_buffer(SSL *s, int push);
 void ssl_free_wbio_buffer(SSL *s);
 
diff --git a/lib/libssl/ssl_methods.c b/lib/libssl/ssl_methods.c
index a3e51ac0d01..f1a59cd7383 100644
--- a/lib/libssl/ssl_methods.c
+++ b/lib/libssl/ssl_methods.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_methods.c,v 1.24 2021/03/31 16:59:32 tb Exp $ */
+/* $OpenBSD: ssl_methods.c,v 1.25 2021/05/16 13:56:31 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -56,6 +56,7 @@
  * [including the GNU Public Licence.]
  */
 
+#include "dtls_locl.h"
 #include "ssl_locl.h"
 #include "tls13_internal.h"
 
diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index 5891424b260..1d63c21af13 100644
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.109 2021/05/16 08:24:21 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.110 2021/05/16 13:56:31 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -168,6 +168,7 @@
 #endif
 
 #include "bytestring.h"
+#include "dtls_locl.h"
 #include "ssl_sigalgs.h"
 #include "ssl_tlsext.h"
 
diff --git a/lib/libssl/t1_enc.c b/lib/libssl/t1_enc.c
index 9cd0c331c18..9dc4a0bfb48 100644
--- a/lib/libssl/t1_enc.c
+++ b/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.145 2021/05/16 08:24:21 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.146 2021/05/16 13:56:31 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -145,6 +145,8 @@
 #include <openssl/md5.h>
 #include <openssl/opensslconf.h>
 
+#include "dtls_locl.h"
+
 void
 tls1_cleanup_key_block(SSL *s)
 {