Defer sending a KeyUpdate until after pending writes are complete

[oweals/openssl.git] / ssl / statem / statem_srvr.c

diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index bf1819d356f12245cf489a5f397ea738d38ce629..6504f4f74efe1e0423850f0c871200877acf0f95 100644 (file)
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -23,6 +23,7 @@
 #include <openssl/dh.h>
 #include <openssl/bn.h>
 #include <openssl/md5.h>
+#include <openssl/trace.h>
 
 #define TICKET_NONCE_SIZE       8
 
@@ -68,7 +69,7 @@ static int ossl_statem_server13_read_transition(SSL *s, int mt)
 
     case TLS_ST_SR_END_OF_EARLY_DATA:
     case TLS_ST_SW_FINISHED:
-        if (s->s3->tmp.cert_request) {
+        if (s->s3.tmp.cert_request) {
             if (mt == SSL3_MT_CERTIFICATE) {
                 st->hand_state = TLS_ST_SR_CERT;
                 return 1;
@@ -171,7 +172,7 @@ int ossl_statem_server_read_transition(SSL *s, int mt)
          *         list if we requested a certificate)
          */
         if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
-            if (s->s3->tmp.cert_request) {
+            if (s->s3.tmp.cert_request) {
                 if (s->version == SSL3_VERSION) {
                     if ((s->verify_mode & SSL_VERIFY_PEER)
                         && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
@@ -192,7 +193,7 @@ int ossl_statem_server_read_transition(SSL *s, int mt)
                 st->hand_state = TLS_ST_SR_KEY_EXCH;
                 return 1;
             }
-        } else if (s->s3->tmp.cert_request) {
+        } else if (s->s3.tmp.cert_request) {
             if (mt == SSL3_MT_CERTIFICATE) {
                 st->hand_state = TLS_ST_SR_CERT;
                 return 1;
@@ -244,7 +245,7 @@ int ossl_statem_server_read_transition(SSL *s, int mt)
 
     case TLS_ST_SR_CHANGE:
 #ifndef OPENSSL_NO_NEXTPROTONEG
-        if (s->s3->npn_seen) {
+        if (s->s3.npn_seen) {
             if (mt == SSL3_MT_NEXT_PROTO) {
                 st->hand_state = TLS_ST_SR_NEXT_PROTO;
                 return 1;
@@ -308,7 +309,7 @@ int ossl_statem_server_read_transition(SSL *s, int mt)
  */
 static int send_server_key_exchange(SSL *s)
 {
-    unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+    unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
 
     /*
      * only send a ServerKeyExchange if DH or fortezza but we have a
@@ -370,7 +371,7 @@ int send_certificate_request(SSL *s)
             * section "Certificate request" in SSL 3 drafts and in
             * RFC 2246):
             */
-           && (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
+           && (!(s->s3.tmp.new_cipher->algorithm_auth & SSL_aNULL)
                /*
                 * ... except when the application insists on
                 * verification (against the specs, but statem_clnt.c accepts
@@ -378,12 +379,12 @@ int send_certificate_request(SSL *s)
                 */
                || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
            /* don't request certificate for SRP auth */
-           && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
+           && !(s->s3.tmp.new_cipher->algorithm_auth & SSL_aSRP)
            /*
             * With normal PSK Certificates and Certificate Requests
             * are omitted
             */
-           && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK)) {
+           && !(s->s3.tmp.new_cipher->algorithm_auth & SSL_aPSK)) {
         return 1;
     }
 
@@ -502,12 +503,6 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
         return WRITE_TRAN_CONTINUE;
 
     case TLS_ST_SR_KEY_UPDATE:
-        if (s->key_update != SSL_KEY_UPDATE_NONE) {
-            st->hand_state = TLS_ST_SW_KEY_UPDATE;
-            return WRITE_TRAN_CONTINUE;
-        }
-        /* Fall through */
-
     case TLS_ST_SW_KEY_UPDATE:
         st->hand_state = TLS_ST_OK;
         return WRITE_TRAN_CONTINUE;
@@ -596,7 +591,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
         } else {
             /* Check if it is anon DH or anon ECDH, */
             /* normal PSK or SRP */
-            if (!(s->s3->tmp.new_cipher->algorithm_auth &
+            if (!(s->s3.tmp.new_cipher->algorithm_auth &
                   (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
                 st->hand_state = TLS_ST_SW_CERT;
             } else if (send_server_key_exchange(s)) {
@@ -734,7 +729,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
     case TLS_ST_SW_CHANGE:
         if (SSL_IS_TLS13(s))
             break;
-        s->session->cipher = s->s3->tmp.new_cipher;
+        s->session->cipher = s->s3.tmp.new_cipher;
         if (!s->method->ssl3_enc->setup_key_block(s)) {
             /* SSLfatal() already called */
             return WORK_ERROR;
@@ -752,7 +747,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
 
     case TLS_ST_EARLY_DATA:
         if (s->early_data_state != SSL_EARLY_DATA_ACCEPTING
-                && (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
+                && (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
             return WORK_FINISHED_CONTINUE;
         /* Fall through */
 
@@ -774,6 +769,10 @@ static ossl_inline int conn_is_closed(void)
 #if defined(ECONNRESET)
     case ECONNRESET:
         return 1;
+#endif
+#if defined(WSAECONNRESET)
+    case WSAECONNRESET:
+        return 1;
 #endif
     default:
         return 0;
@@ -1231,7 +1230,7 @@ static int ssl_check_srp_ext_ClientHello(SSL *s)
     int ret;
     int al = SSL_AD_UNRECOGNIZED_NAME;
 
-    if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
+    if ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
         (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
         if (s->srp_ctx.login == NULL) {
             /*
@@ -1352,7 +1351,7 @@ static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello)
     ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
         sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;
 
-    s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
+    s->s3.is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
                                              ext_len);
 }
 #endif                          /* !OPENSSL_NO_EC */
@@ -1372,7 +1371,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
             goto err;
         }
         if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0
-                || (!s->s3->send_connection_binding
+                || (!s->s3.send_connection_binding
                     && (s->options
                         & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) == 0)) {
             ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
@@ -1621,7 +1620,7 @@ static int tls_early_post_process_client_hello(SSL *s)
     }
 
     /* Set up the client_random */
-    memcpy(s->s3->client_random, clienthello->random, SSL3_RANDOM_SIZE);
+    memcpy(s->s3.client_random, clienthello->random, SSL3_RANDOM_SIZE);
 
     /* Choose the version */
 
@@ -1716,7 +1715,7 @@ static int tls_early_post_process_client_hello(SSL *s)
         goto err;
     }
 
-    s->s3->send_connection_binding = 0;
+    s->s3.send_connection_binding = 0;
     /* Check what signalling cipher-suite values were received. */
     if (scsvs != NULL) {
         for(i = 0; i < sk_SSL_CIPHER_num(scsvs); i++) {
@@ -1729,7 +1728,7 @@ static int tls_early_post_process_client_hello(SSL *s)
                              SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
                     goto err;
                 }
-                s->s3->send_connection_binding = 1;
+                s->s3.send_connection_binding = 1;
             } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV &&
                        !ssl_check_version_downgrade(s)) {
                 /*
@@ -1759,8 +1758,8 @@ static int tls_early_post_process_client_hello(SSL *s)
             goto err;
         }
         if (s->hello_retry_request == SSL_HRR_PENDING
-                && (s->s3->tmp.new_cipher == NULL
-                    || s->s3->tmp.new_cipher->id != cipher->id)) {
+                && (s->s3.tmp.new_cipher == NULL
+                    || s->s3.tmp.new_cipher->id != cipher->id)) {
             /*
              * A previous HRR picked a different ciphersuite to the one we
              * just selected. Something must have changed.
@@ -1770,7 +1769,7 @@ static int tls_early_post_process_client_hello(SSL *s)
                      SSL_R_BAD_CIPHER);
             goto err;
         }
-        s->s3->tmp.new_cipher = cipher;
+        s->s3.tmp.new_cipher = cipher;
     }
 
     /* We need to do this before getting the session */
@@ -1835,15 +1834,15 @@ static int tls_early_post_process_client_hello(SSL *s)
         j = 0;
         id = s->session->cipher->id;
 
-#ifdef CIPHER_DEBUG
-        fprintf(stderr, "client sent %d ciphers\n", sk_SSL_CIPHER_num(ciphers));
-#endif
+        OSSL_TRACE_BEGIN(TLS_CIPHER) {
+            BIO_printf(trc_out, "client sent %d ciphers\n",
+                       sk_SSL_CIPHER_num(ciphers));
+        }
         for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
             c = sk_SSL_CIPHER_value(ciphers, i);
-#ifdef CIPHER_DEBUG
-            fprintf(stderr, "client [%2d of %2d]:%s\n",
-                    i, sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
-#endif
+            if (trc_out != NULL)
+                BIO_printf(trc_out, "client [%2d of %2d]:%s\n", i,
+                           sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
             if (c->id == id) {
                 j = 1;
                 break;
@@ -1857,8 +1856,10 @@ static int tls_early_post_process_client_hello(SSL *s)
             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                      SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                      SSL_R_REQUIRED_CIPHER_MISSING);
+            OSSL_TRACE_CANCEL(TLS_CIPHER);
             goto err;
         }
+        OSSL_TRACE_END(TLS_CIPHER);
     }
 
     for (loop = 0; loop < clienthello->compressions_len; loop++) {
@@ -1894,7 +1895,7 @@ static int tls_early_post_process_client_hello(SSL *s)
      */
     {
         unsigned char *pos;
-        pos = s->s3->server_random;
+        pos = s->s3.server_random;
         if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE, dgrd) <= 0) {
             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                      SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
@@ -1952,7 +1953,7 @@ static int tls_early_post_process_client_hello(SSL *s)
      * options, we will now look for them.  We have complen-1 compression
      * algorithms from the client, starting at q.
      */
-    s->s3->tmp.new_compression = NULL;
+    s->s3.tmp.new_compression = NULL;
     if (SSL_IS_TLS13(s)) {
         /*
          * We already checked above that the NULL compression method appears in
@@ -1983,11 +1984,11 @@ static int tls_early_post_process_client_hello(SSL *s)
         for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
             comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
             if (comp_id == comp->id) {
-                s->s3->tmp.new_compression = comp;
+                s->s3.tmp.new_compression = comp;
                 break;
             }
         }
-        if (s->s3->tmp.new_compression == NULL) {
+        if (s->s3.tmp.new_compression == NULL) {
             SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                      SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                      SSL_R_INVALID_COMPRESSION_ALGORITHM);
@@ -2025,7 +2026,7 @@ static int tls_early_post_process_client_hello(SSL *s)
                 break;
         }
         if (done)
-            s->s3->tmp.new_compression = comp;
+            s->s3.tmp.new_compression = comp;
         else
             comp = NULL;
     }
@@ -2101,12 +2102,12 @@ static int tls_handle_status_request(SSL *s)
         int ret;
 
         /* If no certificate can't return certificate status */
-        if (s->s3->tmp.cert != NULL) {
+        if (s->s3.tmp.cert != NULL) {
             /*
              * Set current certificate to one we will use so SSL_get_certificate
              * et al can pick it up.
              */
-            s->cert->key = s->s3->tmp.cert;
+            s->cert->key = s->s3.tmp.cert;
             ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
             switch (ret) {
                 /* We don't want to send a status request response */
@@ -2141,24 +2142,24 @@ int tls_handle_alpn(SSL *s)
     const unsigned char *selected = NULL;
     unsigned char selected_len = 0;
 
-    if (s->ctx->ext.alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
+    if (s->ctx->ext.alpn_select_cb != NULL && s->s3.alpn_proposed != NULL) {
         int r = s->ctx->ext.alpn_select_cb(s, &selected, &selected_len,
-                                           s->s3->alpn_proposed,
-                                           (unsigned int)s->s3->alpn_proposed_len,
+                                           s->s3.alpn_proposed,
+                                           (unsigned int)s->s3.alpn_proposed_len,
                                            s->ctx->ext.alpn_select_cb_arg);
 
         if (r == SSL_TLSEXT_ERR_OK) {
-            OPENSSL_free(s->s3->alpn_selected);
-            s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
-            if (s->s3->alpn_selected == NULL) {
+            OPENSSL_free(s->s3.alpn_selected);
+            s->s3.alpn_selected = OPENSSL_memdup(selected, selected_len);
+            if (s->s3.alpn_selected == NULL) {
                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_HANDLE_ALPN,
                          ERR_R_INTERNAL_ERROR);
                 return 0;
             }
-            s->s3->alpn_selected_len = selected_len;
+            s->s3.alpn_selected_len = selected_len;
 #ifndef OPENSSL_NO_NEXTPROTONEG
             /* ALPN takes precedence over NPN. */
-            s->s3->npn_seen = 0;
+            s->s3.npn_seen = 0;
 #endif
 
             /* Check ALPN is consistent with session */
@@ -2263,7 +2264,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
                              SSL_R_NO_SHARED_CIPHER);
                     goto err;
                 }
-                s->s3->tmp.new_cipher = cipher;
+                s->s3.tmp.new_cipher = cipher;
             }
             if (!s->hit) {
                 if (!tls_choose_sigalg(s, 1)) {
@@ -2274,7 +2275,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
                 if (s->not_resumable_session_cb != NULL)
                     s->session->not_resumable =
                         s->not_resumable_session_cb(s,
-                            ((s->s3->tmp.new_cipher->algorithm_mkey
+                            ((s->s3.tmp.new_cipher->algorithm_mkey
                               & (SSL_kDHE | SSL_kECDHE)) != 0));
                 if (s->session->not_resumable)
                     /* do not send a session ticket */
@@ -2282,7 +2283,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
             }
         } else {
             /* Session-id reuse */
-            s->s3->tmp.new_cipher = s->session->cipher;
+            s->s3.tmp.new_cipher = s->session->cipher;
         }
 
         /*-
@@ -2294,7 +2295,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
          * ssl version is set   - sslv3
          * s->session           - The ssl session has been setup.
          * s->hit               - session reuse flag
-         * s->s3->tmp.new_cipher- the new cipher to use.
+         * s->s3.tmp.new_cipher - the new cipher to use.
          */
 
         /*
@@ -2356,7 +2357,7 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
                 */
             || !WPACKET_memcpy(pkt,
                                s->hello_retry_request == SSL_HRR_PENDING
-                                   ? hrrrandom : s->s3->server_random,
+                                   ? hrrrandom : s->s3.server_random,
                                SSL3_RANDOM_SIZE)) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO,
                  ERR_R_INTERNAL_ERROR);
@@ -2404,14 +2405,14 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
 #ifdef OPENSSL_NO_COMP
     compm = 0;
 #else
-    if (usetls13 || s->s3->tmp.new_compression == NULL)
+    if (usetls13 || s->s3.tmp.new_compression == NULL)
         compm = 0;
     else
-        compm = s->s3->tmp.new_compression->id;
+        compm = s->s3.tmp.new_compression->id;
 #endif
 
     if (!WPACKET_sub_memcpy_u8(pkt, session_id, sl)
-            || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len)
+            || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt, &len)
             || !WPACKET_put_bytes_u8(pkt, compm)) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO,
                  ERR_R_INTERNAL_ERROR);
@@ -2454,7 +2455,7 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
 
 int tls_construct_server_done(SSL *s, WPACKET *pkt)
 {
-    if (!s->s3->tmp.cert_request) {
+    if (!s->s3.tmp.cert_request) {
         if (!ssl3_digest_cached_records(s, 0)) {
             /* SSLfatal() already called */
             return 0;
@@ -2473,7 +2474,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
     size_t encodedlen = 0;
     int curve_id = 0;
 #endif
-    const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg;
+    const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
     int i;
     unsigned long type;
     const BIGNUM *r[4];
@@ -2493,7 +2494,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
         goto err;
     }
 
-    type = s->s3->tmp.new_cipher->algorithm_mkey;
+    type = s->s3.tmp.new_cipher->algorithm_mkey;
 
     r[0] = r[1] = r[2] = r[3] = NULL;
 #ifndef OPENSSL_NO_PSK
@@ -2547,20 +2548,20 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
                      SSL_R_DH_KEY_TOO_SMALL);
             goto err;
         }
-        if (s->s3->tmp.pkey != NULL) {
+        if (s->s3.tmp.pkey != NULL) {
             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                      SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                      ERR_R_INTERNAL_ERROR);
             goto err;
         }
 
-        s->s3->tmp.pkey = ssl_generate_pkey(pkdhp);
-        if (s->s3->tmp.pkey == NULL) {
+        s->s3.tmp.pkey = ssl_generate_pkey(pkdhp);
+        if (s->s3.tmp.pkey == NULL) {
             /* SSLfatal() already called */
             goto err;
         }
 
-        dh = EVP_PKEY_get0_DH(s->s3->tmp.pkey);
+        dh = EVP_PKEY_get0_DH(s->s3.tmp.pkey);
         if (dh == NULL) {
             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                      SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
@@ -2578,7 +2579,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
 #ifndef OPENSSL_NO_EC
     if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
 
-        if (s->s3->tmp.pkey != NULL) {
+        if (s->s3.tmp.pkey != NULL) {
             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                      SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                      ERR_R_INTERNAL_ERROR);
@@ -2593,15 +2594,15 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
                      SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
             goto err;
         }
-        s->s3->tmp.pkey = ssl_generate_pkey_group(s, curve_id);
+        s->s3.tmp.pkey = ssl_generate_pkey_group(s, curve_id);
         /* Generate a new key for this curve */
-        if (s->s3->tmp.pkey == NULL) {
+        if (s->s3.tmp.pkey == NULL) {
             /* SSLfatal() already called */
             goto err;
         }
 
         /* Encode the public key. */
-        encodedlen = EVP_PKEY_get1_tls_encodedpoint(s->s3->tmp.pkey,
+        encodedlen = EVP_PKEY_get1_tls_encodedpoint(s->s3.tmp.pkey,
                                                     &encodedPoint);
         if (encodedlen == 0) {
             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
@@ -2642,8 +2643,8 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
         goto err;
     }
 
-    if (((s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0)
-        || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) {
+    if (((s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0)
+        || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) {
         lu = NULL;
     } else if (lu == NULL) {
         SSLfatal(s, SSL_AD_DECODE_ERROR,
@@ -2744,7 +2745,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
 
     /* not anonymous */
     if (lu != NULL) {
-        EVP_PKEY *pkey = s->s3->tmp.cert->privatekey;
+        EVP_PKEY *pkey = s->s3.tmp.cert->privatekey;
         const EVP_MD *md;
         unsigned char *sigbytes1, *sigbytes2, *tbs;
         size_t siglen, tbslen;
@@ -2893,7 +2894,7 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
 
  done:
     s->certreqs_sent++;
-    s->s3->tmp.cert_request = 1;
+    s->s3.tmp.cert_request = 1;
     return 1;
 }
 
@@ -2943,17 +2944,17 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt)
         return 0;
     }
 
-    OPENSSL_free(s->s3->tmp.psk);
-    s->s3->tmp.psk = OPENSSL_memdup(psk, psklen);
+    OPENSSL_free(s->s3.tmp.psk);
+    s->s3.tmp.psk = OPENSSL_memdup(psk, psklen);
     OPENSSL_cleanse(psk, psklen);
 
-    if (s->s3->tmp.psk == NULL) {
+    if (s->s3.tmp.psk == NULL) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                  SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE);
         return 0;
     }
 
-    s->s3->tmp.psklen = psklen;
+    s->s3.tmp.psklen = psklen;
 
     return 1;
 #else
@@ -3151,7 +3152,7 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt)
                SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
         goto err;
     }
-    skey = s->s3->tmp.pkey;
+    skey = s->s3.tmp.pkey;
     if (skey == NULL) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
                  SSL_R_MISSING_TMP_DH_KEY);
@@ -3191,8 +3192,8 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt)
     }
 
     ret = 1;
-    EVP_PKEY_free(s->s3->tmp.pkey);
-    s->s3->tmp.pkey = NULL;
+    EVP_PKEY_free(s->s3.tmp.pkey);
+    s->s3.tmp.pkey = NULL;
  err:
     EVP_PKEY_free(ckey);
     return ret;
@@ -3207,7 +3208,7 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt)
 static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt)
 {
 #ifndef OPENSSL_NO_EC
-    EVP_PKEY *skey = s->s3->tmp.pkey;
+    EVP_PKEY *skey = s->s3.tmp.pkey;
     EVP_PKEY *ckey = NULL;
     int ret = 0;
 
@@ -3257,8 +3258,8 @@ static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt)
     }
 
     ret = 1;
-    EVP_PKEY_free(s->s3->tmp.pkey);
-    s->s3->tmp.pkey = NULL;
+    EVP_PKEY_free(s->s3.tmp.pkey);
+    s->s3.tmp.pkey = NULL;
  err:
     EVP_PKEY_free(ckey);
 
@@ -3329,7 +3330,7 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt)
     PACKET encdata;
 
     /* Get our certificate private key */
-    alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+    alg_a = s->s3.tmp.new_cipher->algorithm_auth;
     if (alg_a & SSL_aGOST12) {
         /*
          * New GOST ciphersuites have SSL_aGOST01 bit too
@@ -3437,7 +3438,7 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
 {
     unsigned long alg_k;
 
-    alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+    alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
 
     /* For PSK parse and retrieve identity, obtain PSK key */
     if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt)) {
@@ -3493,8 +3494,8 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
     return MSG_PROCESS_CONTINUE_PROCESSING;
  err:
 #ifndef OPENSSL_NO_PSK
-    OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
-    s->s3->tmp.psk = NULL;
+    OPENSSL_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen);
+    s->s3.tmp.psk = NULL;
 #endif
     return MSG_PROCESS_ERROR;
 }
@@ -3546,7 +3547,7 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
         }
         return WORK_FINISHED_CONTINUE;
     } else {
-        if (!s->s3->handshake_buffer) {
+        if (!s->s3.handshake_buffer) {
             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                      SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
                      ERR_R_INTERNAL_ERROR);
@@ -3677,7 +3678,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
             goto err;
         }
         /* No client certificate so digest cached records */
-        if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
+        if (s->s3.handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
             /* SSLfatal() already called */
             goto err;
         }
@@ -3769,7 +3770,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
 
 int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
 {
-    CERT_PKEY *cpk = s->s3->tmp.cert;
+    CERT_PKEY *cpk = s->s3.tmp.cert;
 
     if (cpk == NULL) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
@@ -4099,17 +4100,17 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
         s->session->master_key_length = hashlen;
 
         s->session->time = (long)time(NULL);
-        if (s->s3->alpn_selected != NULL) {
+        if (s->s3.alpn_selected != NULL) {
             OPENSSL_free(s->session->ext.alpn_selected);
             s->session->ext.alpn_selected =
-                OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len);
+                OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len);
             if (s->session->ext.alpn_selected == NULL) {
                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                          SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
                          ERR_R_MALLOC_FAILURE);
                 goto err;
             }
-            s->session->ext.alpn_selected_len = s->s3->alpn_selected_len;
+            s->session->ext.alpn_selected_len = s->s3.alpn_selected_len;
         }
         s->session->ext.max_early_data = s->max_early_data;
     }