sync with OpenBSD -current

lib/libssl/d1_pkt.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.128 2023/07/02 20:16:47 tb Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.129 2024/07/20 04:04:23 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -596,7 +596,7 @@ dtls1_read_handshake_unexpected(SSL *s)
 		 * It should be impossible to hit this, but keep the safety
 		 * harness for now...
 		 */
-		if (s->session == NULL || s->session->cipher == NULL)
+		if (s->session == NULL || s->s3->hs.cipher == NULL)
 			return 1;
 
 		/*
@@ -650,7 +650,7 @@ dtls1_read_handshake_unexpected(SSL *s)
 			return -1;
 		}
 
-		if (s->session == NULL || s->session->cipher == NULL) {
+		if (s->session == NULL || s->s3->hs.cipher == NULL) {
 			SSLerror(s, ERR_R_INTERNAL_ERROR);
 			return -1;
 		}

lib/libssl/s3_lib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.254 2024/07/16 14:38:04 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.255 2024/07/19 08:54:31 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1478,6 +1478,8 @@ ssl3_free(SSL *s)
 	tls_buffer_free(s->s3->handshake_fragment);
 
 	freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
+
+	sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
 	sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
 	sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
 	sk_X509_pop_free(s->s3->hs.verified_chain, X509_free);
@@ -1522,6 +1524,8 @@ ssl3_clear(SSL *s)
 	s->s3->hs.sigalgs = NULL;
 	s->s3->hs.sigalgs_len = 0;
 
+	sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
+	s->s3->hs.client_ciphers = NULL;
 	sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
 	s->s3->hs.peer_certs = NULL;
 	sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);

lib/libssl/ssl_asn1.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_asn1.c,v 1.67 2023/07/08 16:40:13 beck Exp $ */
+/* $OpenBSD: ssl_asn1.c,v 1.68 2024/07/20 04:04:23 jsing Exp $ */
 /*
  * Copyright (c) 2016 Joel Sing <jsing@openbsd.org>
  *
@@ -70,10 +70,7 @@ SSL_SESSION_encode(SSL_SESSION *s, unsigned char **out, size_t *out_len,
 		goto err;
 
 	/* Cipher suite ID. */
-	/* XXX - require cipher to be non-NULL or always/only use cipher_id. */
 	cid = (uint16_t)(s->cipher_id & SSL3_CK_VALUE_MASK);
-	if (s->cipher != NULL)
-		cid = ssl3_cipher_get_value(s->cipher);
 	if (!CBB_add_asn1(&session, &cipher_suite, CBS_ASN1_OCTETSTRING))
 		goto err;
 	if (!CBB_add_u16(&cipher_suite, cid))
@@ -196,7 +193,7 @@ SSL_SESSION_ticket(SSL_SESSION *ss, unsigned char **out, size_t *out_len)
 	if (ss == NULL)
 		return 0;
 
-	if (ss->cipher == NULL && ss->cipher_id == 0)
+	if (ss->cipher_id == 0)
 		return 0;
 
 	return SSL_SESSION_encode(ss, out, out_len, 1);
@@ -212,7 +209,7 @@ i2d_SSL_SESSION(SSL_SESSION *ss, unsigned char **pp)
 	if (ss == NULL)
 		return 0;
 
-	if (ss->cipher == NULL && ss->cipher_id == 0)
+	if (ss->cipher_id == 0)
 		return 0;
 
 	if (!SSL_SESSION_encode(ss, &data, &data_len, 0))
@@ -287,9 +284,6 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length)
 		goto err;
 	if (CBS_len(&cipher_suite) != 0)
 		goto err;
-
-	/* XXX - populate cipher instead? */
-	s->cipher = NULL;
 	s->cipher_id = SSL3_CK_ID | cipher_value;
 
 	/* Session ID. */

lib/libssl/ssl_ciph.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.144 2024/07/16 14:38:04 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.145 2024/07/20 04:04:23 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -408,25 +408,27 @@ static const SSL_CIPHER cipher_aliases[] = {
 };
 
 int
-ssl_cipher_get_evp(const SSL_SESSION *ss, const EVP_CIPHER **enc,
-    const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size)
+ssl_cipher_get_evp(SSL *s, const EVP_CIPHER **enc, const EVP_MD **md,
+    int *mac_pkey_type, int *mac_secret_size)
 {
+	const SSL_CIPHER *cipher;
+
 	*enc = NULL;
 	*md = NULL;
 	*mac_pkey_type = NID_undef;
 	*mac_secret_size = 0;
 
-	if (ss->cipher == NULL)
+	if ((cipher = s->s3->hs.cipher) == NULL)
 		return 0;
 
 	/*
 	 * This function does not handle EVP_AEAD.
 	 * See ssl_cipher_get_evp_aead instead.
 	 */
-	if (ss->cipher->algorithm_mac & SSL_AEAD)
+	if (cipher->algorithm_mac & SSL_AEAD)
 		return 0;
 
-	switch (ss->cipher->algorithm_enc) {
+	switch (cipher->algorithm_enc) {
 	case SSL_3DES:
 		*enc = EVP_des_ede3_cbc();
 		break;
@@ -450,7 +452,7 @@ ssl_cipher_get_evp(const SSL_SESSION *ss, const EVP_CIPHER **enc,
 		break;
 	}
 
-	switch (ss->cipher->algorithm_mac) {
+	switch (cipher->algorithm_mac) {
 	case SSL_MD5:
 		*md = EVP_md5();
 		break;
@@ -487,16 +489,18 @@ ssl_cipher_get_evp(const SSL_SESSION *ss, const EVP_CIPHER **enc,
  * for s->cipher. It returns 1 on success and 0 on error.
  */
 int
-ssl_cipher_get_evp_aead(const SSL_SESSION *ss, const EVP_AEAD **aead)
+ssl_cipher_get_evp_aead(SSL *s, const EVP_AEAD **aead)
 {
+	const SSL_CIPHER *cipher;
+
 	*aead = NULL;
 
-	if (ss->cipher == NULL)
+	if ((cipher = s->s3->hs.cipher) == NULL)
 		return 0;
-	if ((ss->cipher->algorithm_mac & SSL_AEAD) == 0)
+	if ((cipher->algorithm_mac & SSL_AEAD) == 0)
 		return 0;
 
-	switch (ss->cipher->algorithm_enc) {
+	switch (cipher->algorithm_enc) {
 	case SSL_AES128GCM:
 		*aead = EVP_aead_aes_128_gcm();
 		return 1;
@@ -515,12 +519,14 @@ ssl_cipher_get_evp_aead(const SSL_SESSION *ss, const EVP_AEAD **aead)
 int
 ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md)
 {
+	const SSL_CIPHER *cipher;
+
 	*md = NULL;
 
-	if (s->s3->hs.cipher == NULL)
+	if ((cipher = s->s3->hs.cipher) == NULL)
 		return 0;
 
-	switch (s->s3->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_MASK) {
+	switch (cipher->algorithm2 & SSL_HANDSHAKE_MAC_MASK) {
 	case SSL_HANDSHAKE_MAC_SHA256:
 		*md = EVP_sha256();
 		return 1;

lib/libssl/ssl_clnt.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.165 2024/02/03 18:03:49 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.167 2024/07/20 04:04:23 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -481,7 +481,7 @@ ssl3_connect(SSL *s)
 
 			s->s3->hs.state = SSL3_ST_CW_FINISHED_A;
 			s->init_num = 0;
-			s->session->cipher = s->s3->hs.cipher;
+			s->session->cipher_id = s->s3->hs.cipher->id;
 
 			if (!tls1_setup_key_block(s)) {
 				ret = -1;
@@ -941,8 +941,13 @@ ssl3_get_server_hello(SSL *s)
 		}
 		s->session->master_key_length = master_key_length;
 
-		if ((s->session->cipher = pref_cipher) == NULL)
-			s->session->cipher =
+		/*
+		 * XXX - this appears to be completely broken. The
+		 * client cannot change the cipher at this stage,
+		 * as the server has already made a selection.
+		 */
+		if ((s->s3->hs.cipher = pref_cipher) == NULL)
+			s->s3->hs.cipher =
 			    ssl3_get_cipher_by_value(cipher_suite);
 		s->s3->flags |= SSL3_FLAGS_CCS_OK;
 	}
@@ -1011,14 +1016,13 @@ ssl3_get_server_hello(SSL *s)
 	 * and/or cipher_id values may not be set. Make sure that
 	 * cipher_id is set and use it for comparison.
 	 */
-	if (s->session->cipher)
-		s->session->cipher_id = s->session->cipher->id;
 	if (s->hit && (s->session->cipher_id != cipher->id)) {
 		al = SSL_AD_ILLEGAL_PARAMETER;
 		SSLerror(s, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
 		goto fatal_err;
 	}
 	s->s3->hs.cipher = cipher;
+	s->session->cipher_id = cipher->id;
 
 	if (!tls1_transcript_hash_init(s))
 		goto err;

lib/libssl/ssl_lib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.326 2024/07/11 13:48:52 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.328 2024/07/20 04:04:23 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1528,9 +1528,9 @@ LSSL_ALIAS(SSL_get_ciphers);
 STACK_OF(SSL_CIPHER) *
 SSL_get_client_ciphers(const SSL *s)
 {
-	if (s == NULL || s->session == NULL || !s->server)
+	if (s == NULL || !s->server)
 		return NULL;
-	return s->session->ciphers;
+	return s->s3->hs.client_ciphers;
 }
 LSSL_ALIAS(SSL_get_client_ciphers);
 
@@ -1713,10 +1713,10 @@ SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
 	char *end;
 	int i;
 
-	if (!s->server || s->session == NULL || len < 2)
+	if (!s->server || len < 2)
 		return NULL;
 
-	if ((client_ciphers = s->session->ciphers) == NULL)
+	if ((client_ciphers = s->s3->hs.client_ciphers) == NULL)
 		return NULL;
 	if ((server_ciphers = SSL_get_ciphers(s)) == NULL)
 		return NULL;
@@ -3073,11 +3073,10 @@ LSSL_ALIAS(SSL_get_privatekey);
 const SSL_CIPHER *
 SSL_get_current_cipher(const SSL *s)
 {
-	if ((s->session != NULL) && (s->session->cipher != NULL))
-		return (s->session->cipher);
-	return (NULL);
+	return s->s3->hs.cipher;
 }
 LSSL_ALIAS(SSL_get_current_cipher);
+
 const void *
 SSL_get_current_compression(SSL *s)
 {

lib/libssl/ssl_local.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_local.h,v 1.19 2024/07/16 14:38:04 jsing Exp $ */
+/* $OpenBSD: ssl_local.h,v 1.21 2024/07/20 04:04:23 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -438,13 +438,10 @@ struct ssl_session_st {
 	time_t time;
 	int references;
 
-	const SSL_CIPHER *cipher;
 	unsigned long cipher_id;	/* when ASN.1 loaded, this
 					 * needs to be used to load
 					 * the 'cipher' structure */
 
-	STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
-
 	char *tlsext_hostname;
 
 	/* Session resumption - RFC 5077 and RFC 8446. */
@@ -568,6 +565,9 @@ typedef struct ssl_handshake_st {
 	/* Cipher being negotiated in this handshake. */
 	const SSL_CIPHER *cipher;
 
+	/* Ciphers sent by the client. */
+	STACK_OF(SSL_CIPHER) *client_ciphers;
+
 	/* Extensions seen in this handshake. */
 	uint32_t extensions_seen;
 
@@ -1266,9 +1266,9 @@ int ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist,
     STACK_OF(SSL_CIPHER) *cipherlist_tls13,
     STACK_OF(SSL_CIPHER) **out_cipherlist);
 void ssl_update_cache(SSL *s, int mode);
-int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+int ssl_cipher_get_evp(SSL *s, const EVP_CIPHER **enc,
     const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size);
-int ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead);
+int ssl_cipher_get_evp_aead(SSL *s, const EVP_AEAD **aead);
 int ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md);
 
 int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);

lib/libssl/ssl_pkt.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_pkt.c,v 1.66 2023/07/11 17:02:47 tb Exp $ */
+/* $OpenBSD: ssl_pkt.c,v 1.67 2024/07/20 04:04:23 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -904,7 +904,7 @@ ssl3_read_handshake_unexpected(SSL *s)
 		 * It should be impossible to hit this, but keep the safety
 		 * harness for now...
 		 */
-		if (s->session == NULL || s->session->cipher == NULL)
+		if (s->session == NULL || s->s3->hs.cipher == NULL)
 			return 1;
 
 		/*
@@ -953,7 +953,7 @@ ssl3_read_handshake_unexpected(SSL *s)
 			return -1;
 		}
 
-		if (s->session == NULL || s->session->cipher == NULL) {
+		if (s->session == NULL || s->s3->hs.cipher == NULL) {
 			SSLerror(s, ERR_R_INTERNAL_ERROR);
 			return -1;
 		}
@@ -1235,7 +1235,8 @@ ssl3_do_change_cipher_spec(SSL *s)
 			return (0);
 		}
 
-		s->session->cipher = s->s3->hs.cipher;
+		s->session->cipher_id = s->s3->hs.cipher->id;
+
 		if (!tls1_setup_key_block(s))
 			return (0);
 	}

lib/libssl/ssl_sess.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.125 2024/03/27 06:47:52 tb Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.127 2024/07/20 04:04:23 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -287,14 +287,8 @@ ssl_session_dup(SSL_SESSION *sess, int include_ticket)
 	copy->time = sess->time;
 	copy->references = 1;
 
-	copy->cipher = sess->cipher;
 	copy->cipher_id = sess->cipher_id;
 
-	if (sess->ciphers != NULL) {
-		if ((copy->ciphers = sk_SSL_CIPHER_dup(sess->ciphers)) == NULL)
-			goto err;
-	}
-
 	if (sess->tlsext_hostname != NULL) {
 		copy->tlsext_hostname = strdup(sess->tlsext_hostname);
 		if (copy->tlsext_hostname == NULL)
@@ -712,12 +706,6 @@ ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert)
 		goto err;
 	}
 
-	if (sess->cipher == NULL) {
-		sess->cipher = ssl3_get_cipher_by_id(sess->cipher_id);
-		if (sess->cipher == NULL)
-			goto err;
-	}
-
 	if (sess->timeout < (time(NULL) - sess->time)) {
 		s->session_ctx->stats.sess_timeout++;
 		if (!ticket_decrypted) {
@@ -881,8 +869,6 @@ SSL_SESSION_free(SSL_SESSION *ss)
 
 	X509_free(ss->peer_cert);
 
-	sk_SSL_CIPHER_free(ss->ciphers);
-
 	free(ss->tlsext_hostname);
 	free(ss->tlsext_tick);
 	free(ss->tlsext_ecpointformatlist);
@@ -998,7 +984,7 @@ LSSL_ALIAS(SSL_SESSION_get_protocol_version);
 const SSL_CIPHER *
 SSL_SESSION_get0_cipher(const SSL_SESSION *s)
 {
-	return s->cipher;
+	return ssl3_get_cipher_by_id(s->cipher_id);
 }
 LSSL_ALIAS(SSL_SESSION_get0_cipher);
 

lib/libssl/ssl_srvr.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.161 2024/06/25 14:10:45 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.164 2024/07/20 04:04:23 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -651,7 +651,7 @@ ssl3_accept(SSL *s)
 				goto end;
 			s->s3->hs.state = SSL3_ST_SW_FINISHED_A;
 			s->init_num = 0;
-			s->session->cipher = s->s3->hs.cipher;
+			s->session->cipher_id = s->s3->hs.cipher->id;
 
 			if (!tls1_setup_key_block(s)) {
 				ret = -1;
@@ -978,7 +978,7 @@ ssl3_get_client_hello(SSL *s)
 	/* XXX - CBS_len(&cipher_suites) will always be zero here... */
 	if (s->hit && CBS_len(&cipher_suites) > 0) {
 		j = 0;
-		id = s->session->cipher->id;
+		id = s->session->cipher_id;
 
 		for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
 			c = sk_SSL_CIPHER_value(ciphers, i);
@@ -1078,23 +1078,31 @@ ssl3_get_client_hello(SSL *s)
 		s->hit = 1;
 		s->session->verify_result = X509_V_OK;
 
-		sk_SSL_CIPHER_free(s->session->ciphers);
-		s->session->ciphers = ciphers;
+		sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
+		s->s3->hs.client_ciphers = ciphers;
 		ciphers = NULL;
 
+		/*
+		 * XXX - this allows the callback to use any client cipher and
+		 * completely ignore the server cipher list. We should ensure
+		 * that the pref_cipher is in both the client list and the
+		 * server list.
+		 */
+
 		/* Check if some cipher was preferred by the callback. */
 		if (pref_cipher == NULL)
-			pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
+			pref_cipher = ssl3_choose_cipher(s, s->s3->hs.client_ciphers,
 			    SSL_get_ciphers(s));
 		if (pref_cipher == NULL) {
 			al = SSL_AD_HANDSHAKE_FAILURE;
 			SSLerror(s, SSL_R_NO_SHARED_CIPHER);
 			goto fatal_err;
 		}
-		s->session->cipher = pref_cipher;
+		s->s3->hs.cipher = pref_cipher;
 
+		/* XXX - why? */
 		sk_SSL_CIPHER_free(s->cipher_list);
-		s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
+		s->cipher_list = sk_SSL_CIPHER_dup(s->s3->hs.client_ciphers);
 	}
 
 	/*
@@ -1108,19 +1116,22 @@ ssl3_get_client_hello(SSL *s)
 			SSLerror(s, SSL_R_NO_CIPHERS_PASSED);
 			goto fatal_err;
 		}
-		sk_SSL_CIPHER_free(s->session->ciphers);
-		s->session->ciphers = ciphers;
+		sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
+		s->s3->hs.client_ciphers = ciphers;
 		ciphers = NULL;
 
-		if ((c = ssl3_choose_cipher(s, s->session->ciphers,
+		if ((c = ssl3_choose_cipher(s, s->s3->hs.client_ciphers,
 		    SSL_get_ciphers(s))) == NULL) {
 			al = SSL_AD_HANDSHAKE_FAILURE;
 			SSLerror(s, SSL_R_NO_SHARED_CIPHER);
 			goto fatal_err;
 		}
 		s->s3->hs.cipher = c;
+		s->session->cipher_id = s->s3->hs.cipher->id;
 	} else {
-		s->s3->hs.cipher = s->session->cipher;
+		s->s3->hs.cipher = ssl3_get_cipher_by_id(s->session->cipher_id);
+		if (s->s3->hs.cipher == NULL)
+			goto fatal_err;
 	}
 
 	if (!tls1_transcript_hash_init(s))

lib/libssl/ssl_txt.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_txt.c,v 1.37 2023/07/08 16:40:13 beck Exp $ */
+/* $OpenBSD: ssl_txt.c,v 1.38 2024/07/20 04:04:23 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -108,6 +108,7 @@ LSSL_ALIAS(SSL_SESSION_print_fp);
 int
 SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
 {
+	const SSL_CIPHER *cipher;
 	size_t i;
 	int ret = 0;
 
@@ -121,15 +122,15 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
 	    ssl_version_string(x->ssl_version)) <= 0)
 		goto err;
 
-	if (x->cipher == NULL) {
+	if ((cipher = ssl3_get_cipher_by_id(x->cipher_id)) == NULL) {
 		if (BIO_printf(bp, "    Cipher    : %04lX\n",
 		    x->cipher_id & SSL3_CK_VALUE_MASK) <= 0)
 			goto err;
 	} else {
 		const char *cipher_name = "unknown";
 
-		if (x->cipher->name != NULL)
-			cipher_name = x->cipher->name;
+		if (cipher->name != NULL)
+			cipher_name = cipher->name;
 
 		if (BIO_printf(bp, "    Cipher    : %s\n", cipher_name) <= 0)
 			goto err;

lib/libssl/t1_enc.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.157 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.158 2024/07/20 04:04:23 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -357,15 +357,17 @@ tls1_setup_key_block(SSL *s)
 	if (s->s3->hs.tls12.key_block != NULL)
 		return (1);
 
-	if (s->session->cipher &&
-	    (s->session->cipher->algorithm_mac & SSL_AEAD)) {
-		if (!ssl_cipher_get_evp_aead(s->session, &aead)) {
+	if (s->s3->hs.cipher == NULL)
+		return (0);
+
+	if ((s->s3->hs.cipher->algorithm_mac & SSL_AEAD) != 0) {
+		if (!ssl_cipher_get_evp_aead(s, &aead)) {
 			SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
 			return (0);
 		}
 	} else {
 		/* XXX - mac_type and mac_secret_size are now unused. */
-		if (!ssl_cipher_get_evp(s->session, &cipher, &mac_hash,
+		if (!ssl_cipher_get_evp(s, &cipher, &mac_hash,
 		    &mac_type, &mac_secret_size)) {
 			SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
 			return (0);
@@ -395,12 +397,12 @@ tls1_setup_key_block(SSL *s)
 		 */
 		s->s3->need_empty_fragments = 1;
 
-		if (s->session->cipher != NULL) {
-			if (s->session->cipher->algorithm_enc == SSL_eNULL)
+		if (s->s3->hs.cipher != NULL) {
+			if (s->s3->hs.cipher->algorithm_enc == SSL_eNULL)
 				s->s3->need_empty_fragments = 0;
 
 #ifndef OPENSSL_NO_RC4
-			if (s->session->cipher->algorithm_enc == SSL_RC4)
+			if (s->s3->hs.cipher->algorithm_enc == SSL_RC4)
 				s->s3->need_empty_fragments = 0;
 #endif
 		}

lib/libssl/tls13_client.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.102 2023/06/10 15:34:36 tb Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.103 2024/07/20 04:04:23 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -347,7 +347,7 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx)
 	    &shared_key_len))
 		goto err;
 
-	s->session->cipher = ctx->hs->cipher;
+	s->session->cipher_id = ctx->hs->cipher->id;
 	s->session->ssl_version = ctx->hs->tls13.server_version;
 
 	if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL)

lib/libssl/tls13_server.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.106 2023/06/10 15:34:36 tb Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.108 2024/07/20 04:04:23 jsing Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -275,8 +275,8 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 	}
 	ctx->hs->cipher = cipher;
 
-	sk_SSL_CIPHER_free(s->session->ciphers);
-	s->session->ciphers = ciphers;
+	sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
+	s->s3->hs.client_ciphers = ciphers;
 	ciphers = NULL;
 
 	/* Ensure only the NULL compression method is advertised. */
@@ -383,7 +383,7 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx)
 	    &shared_key_len))
 		goto err;
 
-	s->session->cipher = ctx->hs->cipher;
+	s->session->cipher_id = ctx->hs->cipher->id;
 
 	if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL)
 		goto err;