grpc 0.13.1 → 0.14.1.pre1

data/third_party/boringssl/ssl/ssl_aead_ctx.c

@@ -56,7 +56,7 @@ SSL_AEAD_CTX *SSL_AEAD_CTX_new(enum evp_aead_direction_t direction,
     enc_key_len += fixed_iv_len;
   }
 
-  SSL_AEAD_CTX *aead_ctx = (SSL_AEAD_CTX *)OPENSSL_malloc(sizeof(SSL_AEAD_CTX));
+  SSL_AEAD_CTX *aead_ctx = OPENSSL_malloc(sizeof(SSL_AEAD_CTX));
   if (aead_ctx == NULL) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
     return NULL;

data/third_party/boringssl/ssl/ssl_cert.c

@@ -139,7 +139,7 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void) {
 }
 
 CERT *ssl_cert_new(void) {
-  CERT *ret = (CERT *)OPENSSL_malloc(sizeof(CERT));
+  CERT *ret = OPENSSL_malloc(sizeof(CERT));
   if (ret == NULL) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
     return NULL;
@@ -150,7 +150,7 @@ CERT *ssl_cert_new(void) {
 }
 
 CERT *ssl_cert_dup(CERT *cert) {
-  CERT *ret = (CERT *)OPENSSL_malloc(sizeof(CERT));
+  CERT *ret = OPENSSL_malloc(sizeof(CERT));
   if (ret == NULL) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
     return NULL;

data/third_party/boringssl/ssl/ssl_cipher.c

@@ -1392,7 +1392,7 @@ ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method,
   /* Now we have to collect the available ciphers from the compiled in ciphers.
    * We cannot get more than the number compiled in, so it is used for
    * allocation. */
-  co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * kCiphersLen);
+  co_list = OPENSSL_malloc(sizeof(CIPHER_ORDER) * kCiphersLen);
   if (co_list == NULL) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
     return NULL;
@@ -1616,6 +1616,10 @@ int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher) {
   return (cipher->algorithm_auth & SSL_aECDSA) != 0;
 }
 
+int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher) {
+  return (cipher->algorithm_mkey & SSL_kECDHE) != 0;
+}
+
 uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
   if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) {
     /* Cipher suites before TLS 1.2 use the default PRF, while all those added
@@ -1800,7 +1804,6 @@ const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
                                    int len) {
   const char *kx, *au, *enc, *mac;
   uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
-  static const char *format = "%-23s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n";
 
   alg_mkey = cipher->algorithm_mkey;
   alg_auth = cipher->algorithm_auth;
@@ -1924,7 +1927,8 @@ const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
     return "Buffer too small";
   }
 
-  BIO_snprintf(buf, len, format, cipher->name, kx, au, enc, mac);
+  BIO_snprintf(buf, len, "%-23s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n",
+               cipher->name, kx, au, enc, mac);
   return buf;
 }
 

data/third_party/boringssl/ssl/ssl_ecdh.c

@@ -0,0 +1,374 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/ssl.h>
+
+#include <assert.h>
+#include <string.h>
+
+#include <openssl/bn.h>
+#include <openssl/bytestring.h>
+#include <openssl/curve25519.h>
+#include <openssl/ec.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+#include <openssl/obj.h>
+
+#include "internal.h"
+
+
+/* |EC_POINT| implementation. */
+
+static void ssl_ec_point_cleanup(SSL_ECDH_CTX *ctx) {
+  BIGNUM *private_key = (BIGNUM *)ctx->data;
+  BN_clear_free(private_key);
+}
+
+static int ssl_ec_point_generate_keypair(SSL_ECDH_CTX *ctx, CBB *out) {
+  assert(ctx->data == NULL);
+  BIGNUM *private_key = BN_new();
+  if (private_key == NULL) {
+    return 0;
+  }
+  ctx->data = private_key;
+
+  /* Set up a shared |BN_CTX| for all operations. */
+  BN_CTX *bn_ctx = BN_CTX_new();
+  if (bn_ctx == NULL) {
+    return 0;
+  }
+  BN_CTX_start(bn_ctx);
+
+  int ret = 0;
+  EC_POINT *public_key = NULL;
+  EC_GROUP *group = EC_GROUP_new_by_curve_name(ctx->method->nid);
+  if (group == NULL) {
+    goto err;
+  }
+
+  /* Generate a private key. */
+  const BIGNUM *order = EC_GROUP_get0_order(group);
+  do {
+    if (!BN_rand_range(private_key, order)) {
+      goto err;
+    }
+  } while (BN_is_zero(private_key));
+
+  /* Compute the corresponding public key and serialize it. */
+  public_key = EC_POINT_new(group);
+  if (public_key == NULL ||
+      !EC_POINT_mul(group, public_key, private_key, NULL, NULL, bn_ctx) ||
+      !EC_POINT_point2cbb(out, group, public_key, POINT_CONVERSION_UNCOMPRESSED,
+                          bn_ctx)) {
+    goto err;
+  }
+
+  ret = 1;
+
+err:
+  EC_GROUP_free(group);
+  EC_POINT_free(public_key);
+  BN_CTX_end(bn_ctx);
+  BN_CTX_free(bn_ctx);
+  return ret;
+}
+
+int ssl_ec_point_compute_secret(SSL_ECDH_CTX *ctx, uint8_t **out_secret,
+                                size_t *out_secret_len, uint8_t *out_alert,
+                                const uint8_t *peer_key, size_t peer_key_len) {
+  BIGNUM *private_key = (BIGNUM *)ctx->data;
+  assert(private_key != NULL);
+  *out_alert = SSL_AD_INTERNAL_ERROR;
+
+  /* Set up a shared |BN_CTX| for all operations. */
+  BN_CTX *bn_ctx = BN_CTX_new();
+  if (bn_ctx == NULL) {
+    return 0;
+  }
+  BN_CTX_start(bn_ctx);
+
+  int ret = 0;
+  EC_GROUP *group = EC_GROUP_new_by_curve_name(ctx->method->nid);
+  EC_POINT *peer_point = NULL, *result = NULL;
+  uint8_t *secret = NULL;
+  if (group == NULL) {
+    goto err;
+  }
+
+  /* Compute the x-coordinate of |peer_key| * |private_key|. */
+  peer_point = EC_POINT_new(group);
+  result = EC_POINT_new(group);
+  if (peer_point == NULL || result == NULL) {
+    goto err;
+  }
+  BIGNUM *x = BN_CTX_get(bn_ctx);
+  if (x == NULL) {
+    goto err;
+  }
+  if (!EC_POINT_oct2point(group, peer_point, peer_key, peer_key_len, bn_ctx)) {
+    *out_alert = SSL_AD_DECODE_ERROR;
+    goto err;
+  }
+  if (!EC_POINT_mul(group, result, NULL, peer_point, private_key, bn_ctx) ||
+      !EC_POINT_get_affine_coordinates_GFp(group, result, x, NULL, bn_ctx)) {
+    goto err;
+  }
+
+  /* Encode the x-coordinate left-padded with zeros. */
+  size_t secret_len = (EC_GROUP_get_degree(group) + 7) / 8;
+  secret = OPENSSL_malloc(secret_len);
+  if (secret == NULL || !BN_bn2bin_padded(secret, secret_len, x)) {
+    goto err;
+  }
+
+  *out_secret = secret;
+  *out_secret_len = secret_len;
+  secret = NULL;
+  ret = 1;
+
+err:
+  EC_GROUP_free(group);
+  EC_POINT_free(peer_point);
+  EC_POINT_free(result);
+  BN_CTX_end(bn_ctx);
+  BN_CTX_free(bn_ctx);
+  OPENSSL_free(secret);
+  return ret;
+}
+
+
+/* X25119 implementation. */
+
+static void ssl_x25519_cleanup(SSL_ECDH_CTX *ctx) {
+  if (ctx->data == NULL) {
+    return;
+  }
+  OPENSSL_cleanse(ctx->data, 32);
+  OPENSSL_free(ctx->data);
+}
+
+static int ssl_x25519_generate_keypair(SSL_ECDH_CTX *ctx, CBB *out) {
+  assert(ctx->data == NULL);
+
+  ctx->data = OPENSSL_malloc(32);
+  if (ctx->data == NULL) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
+    return 0;
+  }
+  uint8_t public_key[32];
+  X25519_keypair(public_key, (uint8_t *)ctx->data);
+  return CBB_add_bytes(out, public_key, sizeof(public_key));
+}
+
+static int ssl_x25519_compute_secret(SSL_ECDH_CTX *ctx, uint8_t **out_secret,
+                                     size_t *out_secret_len, uint8_t *out_alert,
+                                     const uint8_t *peer_key,
+                                     size_t peer_key_len) {
+  assert(ctx->data != NULL);
+  *out_alert = SSL_AD_INTERNAL_ERROR;
+
+  uint8_t *secret = OPENSSL_malloc(32);
+  if (secret == NULL) {
+    return 0;
+  }
+
+  if (peer_key_len != 32 ||
+      !X25519(secret, (uint8_t *)ctx->data, peer_key)) {
+    OPENSSL_free(secret);
+    *out_alert = SSL_AD_DECODE_ERROR;
+    OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
+    return 0;
+  }
+
+  *out_secret = secret;
+  *out_secret_len = 32;
+  return 1;
+}
+
+
+/* Legacy DHE-based implementation. */
+
+static void ssl_dhe_cleanup(SSL_ECDH_CTX *ctx) {
+  DH_free((DH *)ctx->data);
+}
+
+static int ssl_dhe_generate_keypair(SSL_ECDH_CTX *ctx, CBB *out) {
+  DH *dh = (DH *)ctx->data;
+  /* The group must have been initialized already, but not the key. */
+  assert(dh != NULL);
+  assert(dh->priv_key == NULL);
+
+  /* Due to a bug in yaSSL, the public key must be zero padded to the size of
+   * the prime. */
+  return DH_generate_key(dh) &&
+         BN_bn2cbb_padded(out, BN_num_bytes(dh->p), dh->pub_key);
+}
+
+static int ssl_dhe_compute_secret(SSL_ECDH_CTX *ctx, uint8_t **out_secret,
+                                  size_t *out_secret_len, uint8_t *out_alert,
+                                  const uint8_t *peer_key,
+                                  size_t peer_key_len) {
+  DH *dh = (DH *)ctx->data;
+  assert(dh != NULL);
+  assert(dh->priv_key != NULL);
+  *out_alert = SSL_AD_INTERNAL_ERROR;
+
+  int secret_len = 0;
+  uint8_t *secret = NULL;
+  BIGNUM *peer_point = BN_bin2bn(peer_key, peer_key_len, NULL);
+  if (peer_point == NULL) {
+    goto err;
+  }
+
+  secret = OPENSSL_malloc(DH_size(dh));
+  if (secret == NULL) {
+    goto err;
+  }
+  secret_len = DH_compute_key(secret, peer_point, dh);
+  if (secret_len <= 0) {
+    goto err;
+  }
+
+  *out_secret = secret;
+  *out_secret_len = (size_t)secret_len;
+  BN_free(peer_point);
+  return 1;
+
+err:
+  if (secret_len > 0) {
+    OPENSSL_cleanse(secret, (size_t)secret_len);
+  }
+  OPENSSL_free(secret);
+  BN_free(peer_point);
+  return 0;
+}
+
+static const SSL_ECDH_METHOD kDHEMethod = {
+    NID_undef, 0, "",
+    ssl_dhe_cleanup,
+    ssl_dhe_generate_keypair,
+    ssl_dhe_compute_secret,
+};
+
+
+static const SSL_ECDH_METHOD kMethods[] = {
+    {
+        NID_X9_62_prime256v1,
+        SSL_CURVE_SECP256R1,
+        "P-256",
+        ssl_ec_point_cleanup,
+        ssl_ec_point_generate_keypair,
+        ssl_ec_point_compute_secret,
+    },
+    {
+        NID_secp384r1,
+        SSL_CURVE_SECP384R1,
+        "P-384",
+        ssl_ec_point_cleanup,
+        ssl_ec_point_generate_keypair,
+        ssl_ec_point_compute_secret,
+    },
+    {
+        NID_secp521r1,
+        SSL_CURVE_SECP521R1,
+        "P-521",
+        ssl_ec_point_cleanup,
+        ssl_ec_point_generate_keypair,
+        ssl_ec_point_compute_secret,
+    },
+    {
+        NID_x25519,
+        SSL_CURVE_X25519,
+        "X25519",
+        ssl_x25519_cleanup,
+        ssl_x25519_generate_keypair,
+        ssl_x25519_compute_secret,
+    },
+};
+
+static const SSL_ECDH_METHOD *method_from_curve_id(uint16_t curve_id) {
+  size_t i;
+  for (i = 0; i < sizeof(kMethods) / sizeof(kMethods[0]); i++) {
+    if (kMethods[i].curve_id == curve_id) {
+      return &kMethods[i];
+    }
+  }
+  return NULL;
+}
+
+static const SSL_ECDH_METHOD *method_from_nid(int nid) {
+  size_t i;
+  for (i = 0; i < sizeof(kMethods) / sizeof(kMethods[0]); i++) {
+    if (kMethods[i].nid == nid) {
+      return &kMethods[i];
+    }
+  }
+  return NULL;
+}
+
+const char* SSL_get_curve_name(uint16_t curve_id) {
+  const SSL_ECDH_METHOD *method = method_from_curve_id(curve_id);
+  if (method == NULL) {
+    return NULL;
+  }
+  return method->name;
+}
+
+int ssl_nid_to_curve_id(uint16_t *out_curve_id, int nid) {
+  const SSL_ECDH_METHOD *method = method_from_nid(nid);
+  if (method == NULL) {
+    return 0;
+  }
+  *out_curve_id = method->curve_id;
+  return 1;
+}
+
+int SSL_ECDH_CTX_init(SSL_ECDH_CTX *ctx, uint16_t curve_id) {
+  SSL_ECDH_CTX_cleanup(ctx);
+
+  const SSL_ECDH_METHOD *method = method_from_curve_id(curve_id);
+  if (method == NULL) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
+    return 0;
+  }
+  ctx->method = method;
+  return 1;
+}
+
+void SSL_ECDH_CTX_init_for_dhe(SSL_ECDH_CTX *ctx, DH *params) {
+  SSL_ECDH_CTX_cleanup(ctx);
+
+  ctx->method = &kDHEMethod;
+  ctx->data = params;
+}
+
+void SSL_ECDH_CTX_cleanup(SSL_ECDH_CTX *ctx) {
+  if (ctx->method == NULL) {
+    return;
+  }
+  ctx->method->cleanup(ctx);
+  ctx->method = NULL;
+  ctx->data = NULL;
+}
+
+int SSL_ECDH_CTX_generate_keypair(SSL_ECDH_CTX *ctx, CBB *out_public_key) {
+  return ctx->method->generate_keypair(ctx, out_public_key);
+}
+
+int SSL_ECDH_CTX_compute_secret(SSL_ECDH_CTX *ctx, uint8_t **out_secret,
+                                size_t *out_secret_len, uint8_t *out_alert,
+                                const uint8_t *peer_key, size_t peer_key_len) {
+  return ctx->method->compute_secret(ctx, out_secret, out_secret_len, out_alert,
+                                     peer_key, peer_key_len);
+}

data/third_party/boringssl/ssl/ssl_lib.c

@@ -181,12 +181,21 @@ int SSL_library_init(void) {
   return 1;
 }
 
-static uint32_t ssl_session_hash(const SSL_SESSION *a) {
+static uint32_t ssl_session_hash(const SSL_SESSION *sess) {
+  const uint8_t *session_id = sess->session_id;
+
+  uint8_t tmp_storage[sizeof(uint32_t)];
+  if (sess->session_id_length < sizeof(tmp_storage)) {
+    memset(tmp_storage, 0, sizeof(tmp_storage));
+    memcpy(tmp_storage, sess->session_id, sess->session_id_length);
+    session_id = tmp_storage;
+  }
+
   uint32_t hash =
-      ((uint32_t)a->session_id[0]) |
-      ((uint32_t)a->session_id[1] << 8) |
-      ((uint32_t)a->session_id[2] << 16) |
-      ((uint32_t)a->session_id[3] << 24);
+      ((uint32_t)session_id[0]) |
+      ((uint32_t)session_id[1] << 8) |
+      ((uint32_t)session_id[2] << 16) |
+      ((uint32_t)session_id[3] << 24);
 
   return hash;
 }
@@ -221,7 +230,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) {
     goto err;
   }
 
-  ret = (SSL_CTX *)OPENSSL_malloc(sizeof(SSL_CTX));
+  ret = OPENSSL_malloc(sizeof(SSL_CTX));
   if (ret == NULL) {
     goto err;
   }
@@ -344,8 +353,6 @@ void SSL_CTX_free(SSL_CTX *ctx) {
 }
 
 SSL *SSL_new(SSL_CTX *ctx) {
-  SSL *s;
-
   if (ctx == NULL) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_NULL_SSL_CTX);
     return NULL;
@@ -355,100 +362,99 @@ SSL *SSL_new(SSL_CTX *ctx) {
     return NULL;
   }
 
-  s = (SSL *)OPENSSL_malloc(sizeof(SSL));
-  if (s == NULL) {
+  SSL *ssl = OPENSSL_malloc(sizeof(SSL));
+  if (ssl == NULL) {
     goto err;
   }
-  memset(s, 0, sizeof(SSL));
+  memset(ssl, 0, sizeof(SSL));
 
-  s->min_version = ctx->min_version;
-  s->max_version = ctx->max_version;
+  ssl->min_version = ctx->min_version;
+  ssl->max_version = ctx->max_version;
 
-  s->options = ctx->options;
-  s->mode = ctx->mode;
-  s->max_cert_list = ctx->max_cert_list;
+  ssl->options = ctx->options;
+  ssl->mode = ctx->mode;
+  ssl->max_cert_list = ctx->max_cert_list;
 
-  s->cert = ssl_cert_dup(ctx->cert);
-  if (s->cert == NULL) {
+  ssl->cert = ssl_cert_dup(ctx->cert);
+  if (ssl->cert == NULL) {
     goto err;
   }
 
-  s->msg_callback = ctx->msg_callback;
-  s->msg_callback_arg = ctx->msg_callback_arg;
-  s->verify_mode = ctx->verify_mode;
-  s->sid_ctx_length = ctx->sid_ctx_length;
-  assert(s->sid_ctx_length <= sizeof s->sid_ctx);
-  memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx));
-  s->verify_callback = ctx->default_verify_callback;
+  ssl->msg_callback = ctx->msg_callback;
+  ssl->msg_callback_arg = ctx->msg_callback_arg;
+  ssl->verify_mode = ctx->verify_mode;
+  ssl->sid_ctx_length = ctx->sid_ctx_length;
+  assert(ssl->sid_ctx_length <= sizeof ssl->sid_ctx);
+  memcpy(&ssl->sid_ctx, &ctx->sid_ctx, sizeof(ssl->sid_ctx));
+  ssl->verify_callback = ctx->default_verify_callback;
 
-  s->param = X509_VERIFY_PARAM_new();
-  if (!s->param) {
+  ssl->param = X509_VERIFY_PARAM_new();
+  if (!ssl->param) {
     goto err;
   }
-  X509_VERIFY_PARAM_inherit(s->param, ctx->param);
-  s->quiet_shutdown = ctx->quiet_shutdown;
-  s->max_send_fragment = ctx->max_send_fragment;
+  X509_VERIFY_PARAM_inherit(ssl->param, ctx->param);
+  ssl->quiet_shutdown = ctx->quiet_shutdown;
+  ssl->max_send_fragment = ctx->max_send_fragment;
 
   CRYPTO_refcount_inc(&ctx->references);
-  s->ctx = ctx;
+  ssl->ctx = ctx;
   CRYPTO_refcount_inc(&ctx->references);
-  s->initial_ctx = ctx;
+  ssl->initial_ctx = ctx;
 
   if (ctx->tlsext_ellipticcurvelist) {
-    s->tlsext_ellipticcurvelist =
+    ssl->tlsext_ellipticcurvelist =
         BUF_memdup(ctx->tlsext_ellipticcurvelist,
                    ctx->tlsext_ellipticcurvelist_length * 2);
-    if (!s->tlsext_ellipticcurvelist) {
+    if (!ssl->tlsext_ellipticcurvelist) {
       goto err;
     }
-    s->tlsext_ellipticcurvelist_length = ctx->tlsext_ellipticcurvelist_length;
+    ssl->tlsext_ellipticcurvelist_length = ctx->tlsext_ellipticcurvelist_length;
   }
 
-  if (s->ctx->alpn_client_proto_list) {
-    s->alpn_client_proto_list = BUF_memdup(s->ctx->alpn_client_proto_list,
-                                           s->ctx->alpn_client_proto_list_len);
-    if (s->alpn_client_proto_list == NULL) {
+  if (ssl->ctx->alpn_client_proto_list) {
+    ssl->alpn_client_proto_list = BUF_memdup(
+        ssl->ctx->alpn_client_proto_list, ssl->ctx->alpn_client_proto_list_len);
+    if (ssl->alpn_client_proto_list == NULL) {
       goto err;
     }
-    s->alpn_client_proto_list_len = s->ctx->alpn_client_proto_list_len;
+    ssl->alpn_client_proto_list_len = ssl->ctx->alpn_client_proto_list_len;
   }
 
-  s->verify_result = X509_V_OK;
-  s->method = ctx->method;
+  ssl->verify_result = X509_V_OK;
+  ssl->method = ctx->method;
 
-  if (!s->method->ssl_new(s)) {
+  if (!ssl->method->ssl_new(ssl)) {
     goto err;
   }
-  s->enc_method = ssl3_get_enc_method(s->version);
-  assert(s->enc_method != NULL);
 
-  s->rwstate = SSL_NOTHING;
+  ssl->rwstate = SSL_NOTHING;
 
-  CRYPTO_new_ex_data(&s->ex_data);
+  CRYPTO_new_ex_data(&ssl->ex_data);
 
-  s->psk_identity_hint = NULL;
+  ssl->psk_identity_hint = NULL;
   if (ctx->psk_identity_hint) {
-    s->psk_identity_hint = BUF_strdup(ctx->psk_identity_hint);
-    if (s->psk_identity_hint == NULL) {
+    ssl->psk_identity_hint = BUF_strdup(ctx->psk_identity_hint);
+    if (ssl->psk_identity_hint == NULL) {
       goto err;
     }
   }
-  s->psk_client_callback = ctx->psk_client_callback;
-  s->psk_server_callback = ctx->psk_server_callback;
+  ssl->psk_client_callback = ctx->psk_client_callback;
+  ssl->psk_server_callback = ctx->psk_server_callback;
 
-  s->tlsext_channel_id_enabled = ctx->tlsext_channel_id_enabled;
+  ssl->tlsext_channel_id_enabled = ctx->tlsext_channel_id_enabled;
   if (ctx->tlsext_channel_id_private) {
-    s->tlsext_channel_id_private =
+    ssl->tlsext_channel_id_private =
         EVP_PKEY_up_ref(ctx->tlsext_channel_id_private);
   }
 
-  s->signed_cert_timestamps_enabled = s->ctx->signed_cert_timestamps_enabled;
-  s->ocsp_stapling_enabled = s->ctx->ocsp_stapling_enabled;
+  ssl->signed_cert_timestamps_enabled =
+      ssl->ctx->signed_cert_timestamps_enabled;
+  ssl->ocsp_stapling_enabled = ssl->ctx->ocsp_stapling_enabled;
 
-  return s;
+  return ssl;
 
 err:
-  SSL_free(s);
+  SSL_free(ssl);
   OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
 
   return NULL;
@@ -487,8 +493,6 @@ void SSL_free(SSL *ssl) {
   ssl_clear_bad_session(ssl);
   SSL_SESSION_free(ssl->session);
 
-  ssl_clear_cipher_ctx(ssl);
-
   ssl_cert_free(ssl->cert);
 
   OPENSSL_free(ssl->tlsext_hostname);
@@ -498,7 +502,6 @@ void SSL_free(SSL *ssl) {
   EVP_PKEY_free(ssl->tlsext_channel_id_private);
   OPENSSL_free(ssl->psk_identity_hint);
   sk_X509_NAME_pop_free(ssl->client_CA, X509_NAME_free);
-  OPENSSL_free(ssl->next_proto_negotiated);
   sk_SRTP_PROTECTION_PROFILE_free(ssl->srtp_profiles);
 
   if (ssl->method != NULL) {
@@ -514,8 +517,6 @@ void SSL_set_connect_state(SSL *ssl) {
   ssl->shutdown = 0;
   ssl->state = SSL_ST_CONNECT;
   ssl->handshake_func = ssl->method->ssl_connect;
-  /* clear the current cipher */
-  ssl_clear_cipher_ctx(ssl);
 }
 
 void SSL_set_accept_state(SSL *ssl) {
@@ -523,8 +524,6 @@ void SSL_set_accept_state(SSL *ssl) {
   ssl->shutdown = 0;
   ssl->state = SSL_ST_ACCEPT;
   ssl->handshake_func = ssl->method->ssl_accept;
-  /* clear the current cipher */
-  ssl_clear_cipher_ctx(ssl);
 }
 
 void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) {
@@ -740,8 +739,8 @@ int SSL_get_error(const SSL *ssl, int ret_code) {
       /* This one doesn't make too much sense ... We never try to write to the
        * rbio, and an application program where rbio and wbio are separate
        * couldn't even know what it should wait for. However if we ever set
-       * s->rwstate incorrectly (so that we have SSL_want_read(s) instead of
-       * SSL_want_write(s)) and rbio and wbio *are* the same, this test works
+       * ssl->rwstate incorrectly (so that we have SSL_want_read(ssl) instead of
+       * SSL_want_write(ssl)) and rbio and wbio *are* the same, this test works
        * around that bug; so it might be safer to keep it. */
       return SSL_ERROR_WANT_WRITE;
     }
@@ -1109,11 +1108,11 @@ void SSL_set_verify_depth(SSL *ssl, int depth) {
 
 int SSL_CTX_get_read_ahead(const SSL_CTX *ctx) { return 0; }
 
-int SSL_get_read_ahead(const SSL *s) { return 0; }
+int SSL_get_read_ahead(const SSL *ssl) { return 0; }
 
 void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes) { }
 
-void SSL_set_read_ahead(SSL *s, int yes) { }
+void SSL_set_read_ahead(SSL *ssl, int yes) { }
 
 int SSL_pending(const SSL *ssl) {
   if (ssl->s3->rrec.type != SSL3_RT_APPLICATION_DATA) {
@@ -1188,7 +1187,7 @@ void SSL_set_max_cert_list(SSL *ssl, size_t max_cert_list) {
   ssl->max_cert_list = (uint32_t)max_cert_list;
 }
 
-void SSL_CTX_set_max_send_fragment(SSL_CTX *ctx, size_t max_send_fragment) {
+int SSL_CTX_set_max_send_fragment(SSL_CTX *ctx, size_t max_send_fragment) {
   if (max_send_fragment < 512) {
     max_send_fragment = 512;
   }
@@ -1196,9 +1195,11 @@ void SSL_CTX_set_max_send_fragment(SSL_CTX *ctx, size_t max_send_fragment) {
     max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
   }
   ctx->max_send_fragment = (uint16_t)max_send_fragment;
+
+  return 1;
 }
 
-void SSL_set_max_send_fragment(SSL *ssl, size_t max_send_fragment) {
+int SSL_set_max_send_fragment(SSL *ssl, size_t max_send_fragment) {
   if (max_send_fragment < 512) {
     max_send_fragment = 512;
   }
@@ -1206,6 +1207,8 @@ void SSL_set_max_send_fragment(SSL *ssl, size_t max_send_fragment) {
     max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
   }
   ssl->max_send_fragment = (uint16_t)max_send_fragment;
+
+  return 1;
 }
 
 int SSL_set_mtu(SSL *ssl, unsigned mtu) {
@@ -1274,17 +1277,17 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl) {
 
 /* return a STACK of the ciphers available for the SSL and in order of
  * algorithm id */
-STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s) {
-  if (s == NULL) {
+STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *ssl) {
+  if (ssl == NULL) {
     return NULL;
   }
 
-  if (s->cipher_list_by_id != NULL) {
-    return s->cipher_list_by_id;
+  if (ssl->cipher_list_by_id != NULL) {
+    return ssl->cipher_list_by_id;
   }
 
-  if (s->ctx != NULL && s->ctx->cipher_list_by_id != NULL) {
-    return s->ctx->cipher_list_by_id;
+  if (ssl->ctx != NULL && ssl->ctx->cipher_list_by_id != NULL) {
+    return ssl->ctx->cipher_list_by_id;
   }
 
   return NULL;
@@ -1375,13 +1378,13 @@ int SSL_set_cipher_list(SSL *ssl, const char *str) {
   return 1;
 }
 
-STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, const CBS *cbs) {
+STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *ssl, const CBS *cbs) {
   CBS cipher_suites = *cbs;
   const SSL_CIPHER *c;
   STACK_OF(SSL_CIPHER) *sk;
 
-  if (s->s3) {
-    s->s3->send_connection_binding = 0;
+  if (ssl->s3) {
+    ssl->s3->send_connection_binding = 0;
   }
 
   if (CBS_len(&cipher_suites) % 2 != 0) {
@@ -1404,24 +1407,24 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, const CBS *cbs) {
     }
 
     /* Check for SCSV. */
-    if (s->s3 && cipher_suite == (SSL3_CK_SCSV & 0xffff)) {
+    if (ssl->s3 && cipher_suite == (SSL3_CK_SCSV & 0xffff)) {
       /* SCSV is fatal if renegotiating. */
-      if (s->s3->initial_handshake_complete) {
+      if (ssl->s3->initial_handshake_complete) {
         OPENSSL_PUT_ERROR(SSL, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
-        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+        ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
         goto err;
       }
-      s->s3->send_connection_binding = 1;
+      ssl->s3->send_connection_binding = 1;
       continue;
     }
 
     /* Check for FALLBACK_SCSV. */
-    if (s->s3 && cipher_suite == (SSL3_CK_FALLBACK_SCSV & 0xffff)) {
-      uint16_t max_version = ssl3_get_max_server_version(s);
-      if (SSL_IS_DTLS(s) ? (uint16_t)s->version > max_version
-                         : (uint16_t)s->version < max_version) {
+    if (ssl->s3 && cipher_suite == (SSL3_CK_FALLBACK_SCSV & 0xffff)) {
+      uint16_t max_version = ssl3_get_max_server_version(ssl);
+      if (SSL_IS_DTLS(ssl) ? (uint16_t)ssl->version > max_version
+                         : (uint16_t)ssl->version < max_version) {
         OPENSSL_PUT_ERROR(SSL, SSL_R_INAPPROPRIATE_FALLBACK);
-        ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_INAPPROPRIATE_FALLBACK);
+        ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL3_AD_INAPPROPRIATE_FALLBACK);
         goto err;
       }
       continue;
@@ -1575,11 +1578,11 @@ found:
 
 void SSL_get0_next_proto_negotiated(const SSL *ssl, const uint8_t **out_data,
                                     unsigned *out_len) {
-  *out_data = ssl->next_proto_negotiated;
+  *out_data = ssl->s3->next_proto_negotiated;
   if (*out_data == NULL) {
     *out_len = 0;
   } else {
-    *out_len = ssl->next_proto_negotiated_len;
+    *out_len = ssl->s3->next_proto_negotiated_len;
   }
 }
 
@@ -1644,18 +1647,6 @@ void SSL_get0_alpn_selected(const SSL *ssl, const uint8_t **out_data,
   }
 }
 
-int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
-                               const char *label, size_t label_len,
-                               const uint8_t *context, size_t context_len,
-                               int use_context) {
-  if (ssl->version < TLS1_VERSION) {
-    return 0;
-  }
-
-  return ssl->enc_method->export_keying_material(
-      ssl, out, out_len, label, label_len, context, context_len, use_context);
-}
-
 void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
                                       int (*cb)(X509_STORE_CTX *store_ctx,
                                                 void *arg),
@@ -1683,9 +1674,9 @@ void SSL_set_cert_cb(SSL *ssl, int (*cb)(SSL *ssl, void *arg), void *arg) {
   ssl_cert_set_cert_cb(ssl->cert, cb, arg);
 }
 
-void ssl_get_compatible_server_ciphers(SSL *s, uint32_t *out_mask_k,
+void ssl_get_compatible_server_ciphers(SSL *ssl, uint32_t *out_mask_k,
                                        uint32_t *out_mask_a) {
-  CERT *c = s->cert;
+  CERT *c = ssl->cert;
   int have_rsa_cert = 0, dh_tmp;
   uint32_t mask_k, mask_a;
   int have_ecc_cert = 0, ecdsa_ok;
@@ -1693,10 +1684,10 @@ void ssl_get_compatible_server_ciphers(SSL *s, uint32_t *out_mask_k,
 
   dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
 
-  if (s->cert->x509 != NULL && ssl_has_private_key(s)) {
-    if (ssl_private_key_type(s) == EVP_PKEY_RSA) {
+  if (ssl->cert->x509 != NULL && ssl_has_private_key(ssl)) {
+    if (ssl_private_key_type(ssl) == EVP_PKEY_RSA) {
       have_rsa_cert = 1;
-    } else if (ssl_private_key_type(s) == EVP_PKEY_EC) {
+    } else if (ssl_private_key_type(ssl) == EVP_PKEY_EC) {
       have_ecc_cert = 1;
     }
   }
@@ -1721,7 +1712,7 @@ void ssl_get_compatible_server_ciphers(SSL *s, uint32_t *out_mask_k,
     ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE)
                    ? (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)
                    : 1;
-    if (!tls1_check_ec_cert(s, x)) {
+    if (!tls1_check_ec_cert(ssl, x)) {
       ecdsa_ok = 0;
     }
     if (ecdsa_ok) {
@@ -1731,12 +1722,13 @@ void ssl_get_compatible_server_ciphers(SSL *s, uint32_t *out_mask_k,
 
   /* If we are considering an ECC cipher suite that uses an ephemeral EC
    * key, check for a shared curve. */
-  if (tls1_get_shared_curve(s) != NID_undef) {
+  uint16_t unused;
+  if (tls1_get_shared_curve(ssl, &unused)) {
     mask_k |= SSL_kECDHE;
   }
 
   /* PSK requires a server callback. */
-  if (s->psk_server_callback != NULL) {
+  if (ssl->psk_server_callback != NULL) {
     mask_k |= SSL_kPSK;
     mask_a |= SSL_aPSK;
   }
@@ -1822,28 +1814,17 @@ const char *SSL_SESSION_get_version(const SSL_SESSION *session) {
   return ssl_get_version(session->ssl_version);
 }
 
-const char* SSL_get_curve_name(uint16_t curve_id) {
-  return tls1_ec_curve_id2name(curve_id);
-}
-
-void ssl_clear_cipher_ctx(SSL *s) {
-  SSL_AEAD_CTX_free(s->aead_read_ctx);
-  s->aead_read_ctx = NULL;
-  SSL_AEAD_CTX_free(s->aead_write_ctx);
-  s->aead_write_ctx = NULL;
-}
-
-X509 *SSL_get_certificate(const SSL *s) {
-  if (s->cert != NULL) {
-    return s->cert->x509;
+X509 *SSL_get_certificate(const SSL *ssl) {
+  if (ssl->cert != NULL) {
+    return ssl->cert->x509;
   }
 
   return NULL;
 }
 
-EVP_PKEY *SSL_get_privatekey(const SSL *s) {
-  if (s->cert != NULL) {
-    return s->cert->privatekey;
+EVP_PKEY *SSL_get_privatekey(const SSL *ssl) {
+  if (ssl->cert != NULL) {
+    return ssl->cert->privatekey;
   }
 
   return NULL;
@@ -1866,29 +1847,29 @@ EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx) {
 }
 
 const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl) {
-  if (ssl->aead_write_ctx == NULL) {
+  if (ssl->s3->aead_write_ctx == NULL) {
     return NULL;
   }
-  return ssl->aead_write_ctx->cipher;
+  return ssl->s3->aead_write_ctx->cipher;
 }
 
-const COMP_METHOD *SSL_get_current_compression(SSL *s) { return NULL; }
+const COMP_METHOD *SSL_get_current_compression(SSL *ssl) { return NULL; }
 
-const COMP_METHOD *SSL_get_current_expansion(SSL *s) { return NULL; }
+const COMP_METHOD *SSL_get_current_expansion(SSL *ssl) { return NULL; }
 
-int ssl_init_wbio_buffer(SSL *s, int push) {
+int ssl_init_wbio_buffer(SSL *ssl, int push) {
   BIO *bbio;
 
-  if (s->bbio == NULL) {
+  if (ssl->bbio == NULL) {
     bbio = BIO_new(BIO_f_buffer());
     if (bbio == NULL) {
       return 0;
     }
-    s->bbio = bbio;
+    ssl->bbio = bbio;
   } else {
-    bbio = s->bbio;
-    if (s->bbio == s->wbio) {
-      s->wbio = BIO_pop(s->wbio);
+    bbio = ssl->bbio;
+    if (ssl->bbio == ssl->wbio) {
+      ssl->wbio = BIO_pop(ssl->wbio);
     }
   }
 
@@ -1899,30 +1880,30 @@ int ssl_init_wbio_buffer(SSL *s, int push) {
   }
 
   if (push) {
-    if (s->wbio != bbio) {
-      s->wbio = BIO_push(bbio, s->wbio);
+    if (ssl->wbio != bbio) {
+      ssl->wbio = BIO_push(bbio, ssl->wbio);
     }
   } else {
-    if (s->wbio == bbio) {
-      s->wbio = BIO_pop(bbio);
+    if (ssl->wbio == bbio) {
+      ssl->wbio = BIO_pop(bbio);
     }
   }
 
   return 1;
 }
 
-void ssl_free_wbio_buffer(SSL *s) {
-  if (s->bbio == NULL) {
+void ssl_free_wbio_buffer(SSL *ssl) {
+  if (ssl->bbio == NULL) {
     return;
   }
 
-  if (s->bbio == s->wbio) {
+  if (ssl->bbio == ssl->wbio) {
     /* remove buffering */
-    s->wbio = BIO_pop(s->wbio);
+    ssl->wbio = BIO_pop(ssl->wbio);
   }
 
-  BIO_free(s->bbio);
-  s->bbio = NULL;
+  BIO_free(ssl->bbio);
+  ssl->bbio = NULL;
 }
 
 void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) {
@@ -2280,8 +2261,8 @@ int SSL_in_false_start(const SSL *ssl) {
   return ssl->s3->tmp.in_false_start;
 }
 
-int SSL_cutthrough_complete(const SSL *s) {
-  return SSL_in_false_start(s);
+int SSL_cutthrough_complete(const SSL *ssl) {
+  return SSL_in_false_start(ssl);
 }
 
 void SSL_get_structure_sizes(size_t *ssl_size, size_t *ssl_ctx_size,
@@ -2291,13 +2272,13 @@ void SSL_get_structure_sizes(size_t *ssl_size, size_t *ssl_ctx_size,
   *ssl_session_size = sizeof(SSL_SESSION);
 }
 
-int ssl3_can_false_start(const SSL *s) {
-  const SSL_CIPHER *const cipher = SSL_get_current_cipher(s);
+int ssl3_can_false_start(const SSL *ssl) {
+  const SSL_CIPHER *const cipher = SSL_get_current_cipher(ssl);
 
   /* False Start only for TLS 1.2 with an ECDHE+AEAD cipher and ALPN or NPN. */
-  return !SSL_IS_DTLS(s) &&
-      SSL_version(s) >= TLS1_2_VERSION &&
-      (s->s3->alpn_selected || s->s3->next_proto_neg_seen) &&
+  return !SSL_IS_DTLS(ssl) &&
+      SSL_version(ssl) >= TLS1_2_VERSION &&
+      (ssl->s3->alpn_selected || ssl->s3->next_proto_neg_seen) &&
       cipher != NULL &&
       cipher->algorithm_mkey == SSL_kECDHE &&
       cipher->algorithm_mac == SSL_AEAD;
@@ -2309,99 +2290,100 @@ const SSL3_ENC_METHOD *ssl3_get_enc_method(uint16_t version) {
       return &SSLv3_enc_data;
 
     case TLS1_VERSION:
-      return &TLSv1_enc_data;
-
-    case DTLS1_VERSION:
     case TLS1_1_VERSION:
-      return &TLSv1_1_enc_data;
-
-    case DTLS1_2_VERSION:
     case TLS1_2_VERSION:
-      return &TLSv1_2_enc_data;
+    case DTLS1_VERSION:
+    case DTLS1_2_VERSION:
+      return &TLSv1_enc_data;
 
     default:
       return NULL;
   }
 }
 
-uint16_t ssl3_get_max_server_version(const SSL *s) {
+uint16_t ssl3_get_max_server_version(const SSL *ssl) {
   uint16_t max_version;
 
-  if (SSL_IS_DTLS(s)) {
-    max_version = (s->max_version != 0) ? s->max_version : DTLS1_2_VERSION;
-    if (!(s->options & SSL_OP_NO_DTLSv1_2) && DTLS1_2_VERSION >= max_version) {
+  if (SSL_IS_DTLS(ssl)) {
+    max_version = (ssl->max_version != 0) ? ssl->max_version : DTLS1_2_VERSION;
+    if (!(ssl->options & SSL_OP_NO_DTLSv1_2) &&
+        DTLS1_2_VERSION >= max_version) {
       return DTLS1_2_VERSION;
     }
-    if (!(s->options & SSL_OP_NO_DTLSv1) && DTLS1_VERSION >= max_version) {
+    if (!(ssl->options & SSL_OP_NO_DTLSv1) && DTLS1_VERSION >= max_version) {
       return DTLS1_VERSION;
     }
     return 0;
   }
 
-  max_version = (s->max_version != 0) ? s->max_version : TLS1_2_VERSION;
-  if (!(s->options & SSL_OP_NO_TLSv1_2) && TLS1_2_VERSION <= max_version) {
+  max_version = (ssl->max_version != 0) ? ssl->max_version : TLS1_2_VERSION;
+  if (!(ssl->options & SSL_OP_NO_TLSv1_2) && TLS1_2_VERSION <= max_version) {
     return TLS1_2_VERSION;
   }
-  if (!(s->options & SSL_OP_NO_TLSv1_1) && TLS1_1_VERSION <= max_version) {
+  if (!(ssl->options & SSL_OP_NO_TLSv1_1) && TLS1_1_VERSION <= max_version) {
     return TLS1_1_VERSION;
   }
-  if (!(s->options & SSL_OP_NO_TLSv1) && TLS1_VERSION <= max_version) {
+  if (!(ssl->options & SSL_OP_NO_TLSv1) && TLS1_VERSION <= max_version) {
     return TLS1_VERSION;
   }
-  if (!(s->options & SSL_OP_NO_SSLv3) && SSL3_VERSION <= max_version) {
+  if (!(ssl->options & SSL_OP_NO_SSLv3) && SSL3_VERSION <= max_version) {
     return SSL3_VERSION;
   }
   return 0;
 }
 
-uint16_t ssl3_get_mutual_version(SSL *s, uint16_t client_version) {
+uint16_t ssl3_get_mutual_version(SSL *ssl, uint16_t client_version) {
   uint16_t version = 0;
 
-  if (SSL_IS_DTLS(s)) {
+  if (SSL_IS_DTLS(ssl)) {
     /* Clamp client_version to max_version. */
-    if (s->max_version != 0 && client_version < s->max_version) {
-      client_version = s->max_version;
+    if (ssl->max_version != 0 && client_version < ssl->max_version) {
+      client_version = ssl->max_version;
     }
 
-    if (client_version <= DTLS1_2_VERSION && !(s->options & SSL_OP_NO_DTLSv1_2)) {
+    if (client_version <= DTLS1_2_VERSION &&
+        !(ssl->options & SSL_OP_NO_DTLSv1_2)) {
       version = DTLS1_2_VERSION;
     } else if (client_version <= DTLS1_VERSION &&
-               !(s->options & SSL_OP_NO_DTLSv1)) {
+               !(ssl->options & SSL_OP_NO_DTLSv1)) {
       version = DTLS1_VERSION;
     }
 
     /* Check against min_version. */
-    if (version != 0 && s->min_version != 0 && version > s->min_version) {
+    if (version != 0 && ssl->min_version != 0 && version > ssl->min_version) {
       return 0;
     }
     return version;
   } else {
     /* Clamp client_version to max_version. */
-    if (s->max_version != 0 && client_version > s->max_version) {
-      client_version = s->max_version;
+    if (ssl->max_version != 0 && client_version > ssl->max_version) {
+      client_version = ssl->max_version;
     }
 
-    if (client_version >= TLS1_2_VERSION && !(s->options & SSL_OP_NO_TLSv1_2)) {
+    if (client_version >= TLS1_2_VERSION &&
+        !(ssl->options & SSL_OP_NO_TLSv1_2)) {
       version = TLS1_2_VERSION;
     } else if (client_version >= TLS1_1_VERSION &&
-             !(s->options & SSL_OP_NO_TLSv1_1)) {
+               !(ssl->options & SSL_OP_NO_TLSv1_1)) {
       version = TLS1_1_VERSION;
-    } else if (client_version >= TLS1_VERSION && !(s->options & SSL_OP_NO_TLSv1)) {
+    } else if (client_version >= TLS1_VERSION &&
+               !(ssl->options & SSL_OP_NO_TLSv1)) {
       version = TLS1_VERSION;
-    } else if (client_version >= SSL3_VERSION && !(s->options & SSL_OP_NO_SSLv3)) {
+    } else if (client_version >= SSL3_VERSION &&
+               !(ssl->options & SSL_OP_NO_SSLv3)) {
       version = SSL3_VERSION;
     }
 
     /* Check against min_version. */
-    if (version != 0 && s->min_version != 0 && version < s->min_version) {
+    if (version != 0 && ssl->min_version != 0 && version < ssl->min_version) {
       return 0;
     }
     return version;
   }
 }
 
-uint16_t ssl3_get_max_client_version(SSL *s) {
-  uint32_t options = s->options;
+uint16_t ssl3_get_max_client_version(SSL *ssl) {
+  uint32_t options = ssl->options;
   uint16_t version = 0;
 
   /* OpenSSL's API for controlling versions entails blacklisting individual
@@ -2417,15 +2399,15 @@ uint16_t ssl3_get_max_client_version(SSL *s) {
    *
    * By this scheme, the maximum version is the lowest version V such that V is
    * enabled and V+1 is disabled or unimplemented. */
-  if (SSL_IS_DTLS(s)) {
+  if (SSL_IS_DTLS(ssl)) {
     if (!(options & SSL_OP_NO_DTLSv1_2)) {
       version = DTLS1_2_VERSION;
     }
     if (!(options & SSL_OP_NO_DTLSv1) && (options & SSL_OP_NO_DTLSv1_2)) {
       version = DTLS1_VERSION;
     }
-    if (s->max_version != 0 && version < s->max_version) {
-      version = s->max_version;
+    if (ssl->max_version != 0 && version < ssl->max_version) {
+      version = ssl->max_version;
     }
   } else {
     if (!(options & SSL_OP_NO_TLSv1_2)) {
@@ -2440,53 +2422,53 @@ uint16_t ssl3_get_max_client_version(SSL *s) {
     if (!(options & SSL_OP_NO_SSLv3) && (options & SSL_OP_NO_TLSv1)) {
       version = SSL3_VERSION;
     }
-    if (s->max_version != 0 && version > s->max_version) {
-      version = s->max_version;
+    if (ssl->max_version != 0 && version > ssl->max_version) {
+      version = ssl->max_version;
     }
   }
 
   return version;
 }
 
-int ssl3_is_version_enabled(SSL *s, uint16_t version) {
-  if (SSL_IS_DTLS(s)) {
-    if (s->max_version != 0 && version < s->max_version) {
+int ssl3_is_version_enabled(SSL *ssl, uint16_t version) {
+  if (SSL_IS_DTLS(ssl)) {
+    if (ssl->max_version != 0 && version < ssl->max_version) {
       return 0;
     }
-    if (s->min_version != 0 && version > s->min_version) {
+    if (ssl->min_version != 0 && version > ssl->min_version) {
       return 0;
     }
 
     switch (version) {
       case DTLS1_VERSION:
-        return !(s->options & SSL_OP_NO_DTLSv1);
+        return !(ssl->options & SSL_OP_NO_DTLSv1);
 
       case DTLS1_2_VERSION:
-        return !(s->options & SSL_OP_NO_DTLSv1_2);
+        return !(ssl->options & SSL_OP_NO_DTLSv1_2);
 
       default:
         return 0;
     }
   } else {
-    if (s->max_version != 0 && version > s->max_version) {
+    if (ssl->max_version != 0 && version > ssl->max_version) {
       return 0;
     }
-    if (s->min_version != 0 && version < s->min_version) {
+    if (ssl->min_version != 0 && version < ssl->min_version) {
       return 0;
     }
 
     switch (version) {
       case SSL3_VERSION:
-        return !(s->options & SSL_OP_NO_SSLv3);
+        return !(ssl->options & SSL_OP_NO_SSLv3);
 
       case TLS1_VERSION:
-        return !(s->options & SSL_OP_NO_TLSv1);
+        return !(ssl->options & SSL_OP_NO_TLSv1);
 
       case TLS1_1_VERSION:
-        return !(s->options & SSL_OP_NO_TLSv1_1);
+        return !(ssl->options & SSL_OP_NO_TLSv1_1);
 
       case TLS1_2_VERSION:
-        return !(s->options & SSL_OP_NO_TLSv1_2);
+        return !(ssl->options & SSL_OP_NO_TLSv1_2);
 
       default:
         return 0;
@@ -2494,8 +2476,8 @@ int ssl3_is_version_enabled(SSL *s, uint16_t version) {
   }
 }
 
-uint16_t ssl3_version_from_wire(SSL *s, uint16_t wire_version) {
-  if (!SSL_IS_DTLS(s)) {
+uint16_t ssl3_version_from_wire(const SSL *ssl, uint16_t wire_version) {
+  if (!SSL_IS_DTLS(ssl)) {
     return wire_version;
   }
 
@@ -2515,6 +2497,11 @@ uint16_t ssl3_version_from_wire(SSL *s, uint16_t wire_version) {
   return version;
 }
 
+uint16_t ssl3_protocol_version(const SSL *ssl) {
+  assert(ssl->s3->have_version);
+  return ssl3_version_from_wire(ssl, ssl->version);
+}
+
 int SSL_cache_hit(SSL *ssl) { return SSL_session_reused(ssl); }
 
 int SSL_is_server(SSL *ssl) { return ssl->server; }
@@ -2540,23 +2527,24 @@ void SSL_set_reject_peer_renegotiations(SSL *ssl, int reject) {
 
 int SSL_get_rc4_state(const SSL *ssl, const RC4_KEY **read_key,
                       const RC4_KEY **write_key) {
-  if (ssl->aead_read_ctx == NULL || ssl->aead_write_ctx == NULL) {
+  if (ssl->s3->aead_read_ctx == NULL || ssl->s3->aead_write_ctx == NULL) {
     return 0;
   }
 
-  return EVP_AEAD_CTX_get_rc4_state(&ssl->aead_read_ctx->ctx, read_key) &&
-         EVP_AEAD_CTX_get_rc4_state(&ssl->aead_write_ctx->ctx, write_key);
+  return EVP_AEAD_CTX_get_rc4_state(&ssl->s3->aead_read_ctx->ctx, read_key) &&
+         EVP_AEAD_CTX_get_rc4_state(&ssl->s3->aead_write_ctx->ctx, write_key);
 }
 
 int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv,
                 const uint8_t **out_write_iv, size_t *out_iv_len) {
-  if (ssl->aead_read_ctx == NULL || ssl->aead_write_ctx == NULL) {
+  if (ssl->s3->aead_read_ctx == NULL || ssl->s3->aead_write_ctx == NULL) {
     return 0;
   }
 
   size_t write_iv_len;
-  if (!EVP_AEAD_CTX_get_iv(&ssl->aead_read_ctx->ctx, out_read_iv, out_iv_len) ||
-      !EVP_AEAD_CTX_get_iv(&ssl->aead_write_ctx->ctx, out_write_iv,
+  if (!EVP_AEAD_CTX_get_iv(&ssl->s3->aead_read_ctx->ctx, out_read_iv,
+                           out_iv_len) ||
+      !EVP_AEAD_CTX_get_iv(&ssl->s3->aead_write_ctx->ctx, out_write_iv,
                            &write_iv_len) ||
       *out_iv_len != write_iv_len) {
     return 0;
@@ -2565,10 +2553,69 @@ int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv,
   return 1;
 }
 
+static uint64_t be_to_u64(const uint8_t in[8]) {
+  return (((uint64_t)in[0]) << 56) | (((uint64_t)in[1]) << 48) |
+         (((uint64_t)in[2]) << 40) | (((uint64_t)in[3]) << 32) |
+         (((uint64_t)in[4]) << 24) | (((uint64_t)in[5]) << 16) |
+         (((uint64_t)in[6]) << 8) | ((uint64_t)in[7]);
+}
+
+uint64_t SSL_get_read_sequence(const SSL *ssl) {
+  /* TODO(davidben): Internally represent sequence numbers as uint64_t. */
+  if (SSL_IS_DTLS(ssl)) {
+    /* max_seq_num already includes the epoch. */
+    assert(ssl->d1->r_epoch == (ssl->d1->bitmap.max_seq_num >> 48));
+    return ssl->d1->bitmap.max_seq_num;
+  }
+  return be_to_u64(ssl->s3->read_sequence);
+}
+
+uint64_t SSL_get_write_sequence(const SSL *ssl) {
+  uint64_t ret = be_to_u64(ssl->s3->write_sequence);
+  if (SSL_IS_DTLS(ssl)) {
+    assert((ret >> 48) == 0);
+    ret |= ((uint64_t)ssl->d1->w_epoch) << 48;
+  }
+  return ret;
+}
+
 uint8_t SSL_get_server_key_exchange_hash(const SSL *ssl) {
   return ssl->s3->tmp.server_key_exchange_hash;
 }
 
+size_t SSL_get_client_random(const SSL *ssl, uint8_t *out, size_t max_out) {
+  if (max_out == 0) {
+    return sizeof(ssl->s3->client_random);
+  }
+  if (max_out > sizeof(ssl->s3->client_random)) {
+    max_out = sizeof(ssl->s3->client_random);
+  }
+  memcpy(out, ssl->s3->client_random, max_out);
+  return max_out;
+}
+
+size_t SSL_get_server_random(const SSL *ssl, uint8_t *out, size_t max_out) {
+  if (max_out == 0) {
+    return sizeof(ssl->s3->server_random);
+  }
+  if (max_out > sizeof(ssl->s3->server_random)) {
+    max_out = sizeof(ssl->s3->server_random);
+  }
+  memcpy(out, ssl->s3->server_random, max_out);
+  return max_out;
+}
+
+const SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl) {
+  if (!SSL_in_init(ssl)) {
+    return NULL;
+  }
+  return ssl->s3->tmp.new_cipher;
+}
+
+void SSL_CTX_set_retain_only_sha256_of_client_certs(SSL_CTX *ctx, int enabled) {
+  ctx->retain_only_sha256_of_client_certs = !!enabled;
+}
+
 int SSL_clear(SSL *ssl) {
   if (ssl->method == NULL) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_NO_METHOD_SPECIFIED);
@@ -2607,12 +2654,6 @@ int SSL_clear(SSL *ssl) {
   BUF_MEM_free(ssl->init_buf);
   ssl->init_buf = NULL;
 
-  ssl_clear_cipher_ctx(ssl);
-
-  OPENSSL_free(ssl->next_proto_negotiated);
-  ssl->next_proto_negotiated = NULL;
-  ssl->next_proto_negotiated_len = 0;
-
   /* The ssl->d1->mtu is simultaneously configuration (preserved across
    * clear) and connection-specific state (gets reset).
    *
@@ -2626,8 +2667,6 @@ int SSL_clear(SSL *ssl) {
   if (!ssl->method->ssl_new(ssl)) {
     return 0;
   }
-  ssl->enc_method = ssl3_get_enc_method(ssl->version);
-  assert(ssl->enc_method != NULL);
 
   if (SSL_IS_DTLS(ssl) && (SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {
     ssl->d1->mtu = mtu;