Send bad_record_mac instead of decryption_failed

[openssl.git] / ssl / record / ssl3_record.c
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c

index df7d012049ebef38d917ec7734a771b037516898..8e0b469cf4f8fa5ab59e27b8e390faae58d34e74 100644 (file)
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -1,17 +1,18 @@
  /*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
   *
- * Licensed under the OpenSSL license (the "License").  You may not use
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
   * this file except in compliance with the License.  You can obtain a copy
   * in the file LICENSE in the source distribution or at
   * https://www.openssl.org/source/license.html
   */
  
-#include <assert.h>
-#include "../ssl_locl.h"
-#include "internal/constant_time_locl.h"
+#include "../ssl_local.h"
+#include "internal/constant_time.h"
+#include <openssl/trace.h>
  #include <openssl/rand.h>
-#include "record_locl.h"
+#include "record_local.h"
+#include "internal/cryptlib.h"
  
  static const unsigned char ssl3_pad_1[48] = {
      0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
@@ -101,6 +102,53 @@ static int ssl3_record_app_data_waiting(SSL *s)
      return 1;
  }
  
+int early_data_count_ok(SSL *s, size_t length, size_t overhead, int send)
+{
+    uint32_t max_early_data;
+    SSL_SESSION *sess = s->session;
+
+    /*
+     * If we are a client then we always use the max_early_data from the
+     * session/psksession. Otherwise we go with the lowest out of the max early
+     * data set in the session and the configured max_early_data.
+     */
+    if (!s->server && sess->ext.max_early_data == 0) {
+        if (!ossl_assert(s->psksession != NULL
+                         && s->psksession->ext.max_early_data > 0)) {
+            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_EARLY_DATA_COUNT_OK,
+                     ERR_R_INTERNAL_ERROR);
+            return 0;
+        }
+        sess = s->psksession;
+    }
+
+    if (!s->server)
+        max_early_data = sess->ext.max_early_data;
+    else if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
+        max_early_data = s->recv_max_early_data;
+    else
+        max_early_data = s->recv_max_early_data < sess->ext.max_early_data
+                         ? s->recv_max_early_data : sess->ext.max_early_data;
+
+    if (max_early_data == 0) {
+        SSLfatal(s, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
+                 SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA);
+        return 0;
+    }
+
+    /* If we are dealing with ciphertext we need to allow for the overhead */
+    max_early_data += overhead;
+
+    if (s->early_data_count + length > max_early_data) {
+        SSLfatal(s, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
+                 SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA);
+        return 0;
+    }
+    s->early_data_count += length;
+
+    return 1;
+}
+
  /*
   * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
   * will be processed per call to ssl3_get_record. Without this limit an
@@ -125,8 +173,7 @@ static int ssl3_record_app_data_waiting(SSL *s)
  /* used only by ssl3_read_bytes */
  int ssl3_get_record(SSL *s)
  {
-    int al;
-    int enc_err, rret, ret = -1;
+    int enc_err, rret;
      int i;
      size_t more, n;
      SSL3_RECORD *rr, *thisrr;
@@ -139,9 +186,12 @@ int ssl3_get_record(SSL *s)
      int imac_size;
      size_t num_recs = 0, max_recs, j;
      PACKET pkt, sslv2pkt;
+    size_t first_rec_len;
+    int is_ktls_left;
  
      rr = RECORD_LAYER_get_rrec(&s->rlayer);
      rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
+    is_ktls_left = (rbuf->left > 0);
      max_recs = s->max_pipelines;
      if (max_recs == 0)
          max_recs = 1;
@@ -160,23 +210,47 @@ int ssl3_get_record(SSL *s)
              rret = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH,
                                 SSL3_BUFFER_get_len(rbuf), 0,
                                 num_recs == 0 ? 1 : 0, &n);
-            if (rret <= 0)
-                return rret;     /* error or non-blocking */
+            if (rret <= 0) {
+#ifndef OPENSSL_NO_KTLS
+                if (!BIO_get_ktls_recv(s->rbio))
+                    return rret;     /* error or non-blocking */
+                switch (errno) {
+                case EBADMSG:
+                    SSLfatal(s, SSL_AD_BAD_RECORD_MAC,
+                             SSL_F_SSL3_GET_RECORD,
+                             SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
+                    break;
+                case EMSGSIZE:
+                    SSLfatal(s, SSL_AD_RECORD_OVERFLOW,
+                             SSL_F_SSL3_GET_RECORD,
+                             SSL_R_PACKET_LENGTH_TOO_LONG);
+                    break;
+                case EINVAL:
+                    SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
+                             SSL_F_SSL3_GET_RECORD,
+                             SSL_R_WRONG_VERSION_NUMBER);
+                    break;
+                default:
+                    break;
+                }
+#endif
+                return rret;
+            }
              RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
  
              p = RECORD_LAYER_get_packet(&s->rlayer);
              if (!PACKET_buf_init(&pkt, RECORD_LAYER_get_packet(&s->rlayer),
                                   RECORD_LAYER_get_packet_length(&s->rlayer))) {
-                al = SSL_AD_INTERNAL_ERROR;
-                SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
-                goto f_err;
+                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD,
+                         ERR_R_INTERNAL_ERROR);
+                return -1;
              }
              sslv2pkt = pkt;
              if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len)
                      || !PACKET_get_1(&sslv2pkt, &type)) {
-                al = SSL_AD_INTERNAL_ERROR;
-                SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
-                goto f_err;
+                SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD,
+                         ERR_R_INTERNAL_ERROR);
+                return -1;
              }
              /*
               * The first record received by the server may be a V2ClientHello.
@@ -200,23 +274,18 @@ int ssl3_get_record(SSL *s)
  
                  if (thisrr->length > SSL3_BUFFER_get_len(rbuf)
                      - SSL2_RT_HEADER_LENGTH) {
-                    al = SSL_AD_RECORD_OVERFLOW;
-                    SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG);
-                    goto f_err;
+                    SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
+                             SSL_R_PACKET_LENGTH_TOO_LONG);
+                    return -1;
                  }
  
                  if (thisrr->length < MIN_SSL2_RECORD_LEN) {
-                    al = SSL_AD_HANDSHAKE_FAILURE;
-                    SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
-                    goto f_err;
+                    SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD,
+                             SSL_R_LENGTH_TOO_SHORT);
+                    return -1;
                  }
              } else {
                  /* SSLv3+ style record */
-                /*
-                 * TODO(TLS1.3): This callback only provides the "outer" record
-                 * type to the callback. Somehow we need to pass the "inner"
-                 * record type
-                 */
                  if (s->msg_callback)
                      s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s,
                                      s->msg_callback_arg);
@@ -225,17 +294,23 @@ int ssl3_get_record(SSL *s)
                  if (!PACKET_get_1(&pkt, &type)
                          || !PACKET_get_net_2(&pkt, &version)
                          || !PACKET_get_net_2_len(&pkt, &thisrr->length)) {
-                    al = SSL_AD_INTERNAL_ERROR;
-                    SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
-                    goto f_err;
+                    SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD,
+                             ERR_R_INTERNAL_ERROR);
+                    return -1;
                  }
                  thisrr->type = type;
                  thisrr->rec_version = version;
  
-                /* Lets check version. In TLSv1.3 we ignore this field */
+                /*
+                 * Lets check version. In TLSv1.3 we only check this field
+                 * when encryption is occurring (see later check). For the
+                 * ServerHello after an HRR we haven't actually selected TLSv1.3
+                 * yet, but we still treat it as TLSv1.3, so we must check for
+                 * that explicitly
+                 */
                  if (!s->first_packet && !SSL_IS_TLS13(s)
+                        && s->hello_retry_request != SSL_HRR_PENDING
                          && version != (unsigned int)s->version) {
-                    SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
                      if ((s->version & 0xFF00) == (version & 0xFF00)
                          && !s->enc_write_ctx && !s->write_hash) {
                          if (thisrr->type == SSL3_RT_ALERT) {
@@ -247,15 +322,18 @@ int ssl3_get_record(SSL *s)
                               * shouldn't send a fatal alert back. We'll just
                               * end.
                               */
-                            goto err;
+                            SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD,
+                                     SSL_R_WRONG_VERSION_NUMBER);
+                            return -1;
                          }
                          /*
                           * Send back error using their minor version number :-)
                           */
                          s->version = (unsigned short)version;
                      }
-                    al = SSL_AD_PROTOCOL_VERSION;
-                    goto f_err;
+                    SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL3_GET_RECORD,
+                             SSL_R_WRONG_VERSION_NUMBER);
+                    return -1;
                  }
  
                  if ((version >> 8) != SSL3_VERSION_MAJOR) {
@@ -267,44 +345,81 @@ int ssl3_get_record(SSL *s)
                              strncmp((char *)p, "POST ", 5) == 0 ||
                              strncmp((char *)p, "HEAD ", 5) == 0 ||
                              strncmp((char *)p, "PUT ", 4) == 0) {
-                            SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_HTTP_REQUEST);
-                            goto err;
+                            SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD,
+                                     SSL_R_HTTP_REQUEST);
+                            return -1;
                          } else if (strncmp((char *)p, "CONNE", 5) == 0) {
-                            SSLerr(SSL_F_SSL3_GET_RECORD,
-                                   SSL_R_HTTPS_PROXY_REQUEST);
-                            goto err;
+                            SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD,
+                                     SSL_R_HTTPS_PROXY_REQUEST);
+                            return -1;
                          }
  
                          /* Doesn't look like TLS - don't send an alert */
-                        SSLerr(SSL_F_SSL3_GET_RECORD,
-                               SSL_R_WRONG_VERSION_NUMBER);
-                        goto err;
+                        SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD,
+                                 SSL_R_WRONG_VERSION_NUMBER);
+                        return -1;
                      } else {
-                        SSLerr(SSL_F_SSL3_GET_RECORD,
-                               SSL_R_WRONG_VERSION_NUMBER);
-                        al = SSL_AD_PROTOCOL_VERSION;
-                        goto f_err;
+                        SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
+                                 SSL_F_SSL3_GET_RECORD,
+                                 SSL_R_WRONG_VERSION_NUMBER);
+                        return -1;
                      }
                  }
  
-                if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL
-                        && thisrr->type != SSL3_RT_APPLICATION_DATA) {
-                    SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE);
-                    al = SSL_AD_UNEXPECTED_MESSAGE;
-                    goto f_err;
+                if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL) {
+                    if (thisrr->type != SSL3_RT_APPLICATION_DATA
+                            && (thisrr->type != SSL3_RT_CHANGE_CIPHER_SPEC
+                                || !SSL_IS_FIRST_HANDSHAKE(s))
+                            && (thisrr->type != SSL3_RT_ALERT
+                                || s->statem.enc_read_state
+                                   != ENC_READ_STATE_ALLOW_PLAIN_ALERTS)) {
+                        SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
+                                 SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE);
+                        return -1;
+                    }
+                    if (thisrr->rec_version != TLS1_2_VERSION) {
+                        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD,
+                                 SSL_R_WRONG_VERSION_NUMBER);
+                        return -1;
+                    }
                  }
  
                  if (thisrr->length >
                      SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) {
-                    al = SSL_AD_RECORD_OVERFLOW;
-                    SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG);
-                    goto f_err;
+                    SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
+                             SSL_R_PACKET_LENGTH_TOO_LONG);
+                    return -1;
                  }
              }
  
              /* now s->rlayer.rstate == SSL_ST_READ_BODY */
          }
  
+        if (SSL_IS_TLS13(s)) {
+            if (thisrr->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) {
+                SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
+                         SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
+                return -1;
+            }
+        } else {
+            size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
+
+#ifndef OPENSSL_NO_COMP
+            /*
+             * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH
+             * does not include the compression overhead anyway.
+             */
+            if (s->expand == NULL)
+                len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD;
+#endif
+
+            if (thisrr->length > len && !BIO_get_ktls_recv(s->rbio)) {
+                SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
+                         SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
+                return -1;
+            }
+        }
+
          /*
           * s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data.
           * Calculate how much more data we need to read for the rest of the
@@ -316,6 +431,7 @@ int ssl3_get_record(SSL *s)
          } else {
              more = thisrr->length;
          }
+
          if (more > 0) {
              /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
  
@@ -353,13 +469,6 @@ int ssl3_get_record(SSL *s)
           * thisrr->length bytes of encrypted compressed stuff.
           */
  
-        /* check is not needed I believe */
-        if (thisrr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
-            al = SSL_AD_RECORD_OVERFLOW;
-            SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
-            goto f_err;
-        }
-
          /* decrypt in place in 'thisrr->input' */
          thisrr->data = thisrr->input;
          thisrr->orig_len = thisrr->length;
@@ -380,6 +489,43 @@ int ssl3_get_record(SSL *s)
                   & EVP_CIPH_FLAG_PIPELINE)
               && ssl3_record_app_data_waiting(s));
  
+    if (num_recs == 1
+            && thisrr->type == SSL3_RT_CHANGE_CIPHER_SPEC
+            && (SSL_IS_TLS13(s) || s->hello_retry_request != SSL_HRR_NONE)
+            && SSL_IS_FIRST_HANDSHAKE(s)) {
+        /*
+         * CCS messages must be exactly 1 byte long, containing the value 0x01
+         */
+        if (thisrr->length != 1 || thisrr->data[0] != 0x01) {
+            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL3_GET_RECORD,
+                     SSL_R_INVALID_CCS_MESSAGE);
+            return -1;
+        }
+        /*
+         * CCS messages are ignored in TLSv1.3. We treat it like an empty
+         * handshake record
+         */
+        thisrr->type = SSL3_RT_HANDSHAKE;
+        RECORD_LAYER_inc_empty_record_count(&s->rlayer);
+        if (RECORD_LAYER_get_empty_record_count(&s->rlayer)
+            > MAX_EMPTY_RECORDS) {
+            SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD,
+                     SSL_R_UNEXPECTED_CCS_MESSAGE);
+            return -1;
+        }
+        thisrr->read = 1;
+        RECORD_LAYER_set_numrpipes(&s->rlayer, 1);
+
+        return 1;
+    }
+
+    /*
+     * KTLS reads full records. If there is any data left,
+     * then it is from before enabling ktls
+     */
+    if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left)
+        goto skip_decryption;
+
      /*
       * If in encrypt-then-mac mode calculate mac from encrypted record. All
       * the details below are public so no timing details can leak.
@@ -388,55 +534,74 @@ int ssl3_get_record(SSL *s)
          unsigned char *mac;
          /* TODO(size_t): convert this to do size_t properly */
          imac_size = EVP_MD_CTX_size(s->read_hash);
-        assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE);
-        if (imac_size < 0 || imac_size > EVP_MAX_MD_SIZE) {
-                al = SSL_AD_INTERNAL_ERROR;
-                SSLerr(SSL_F_SSL3_GET_RECORD, ERR_LIB_EVP);
-                goto f_err;
+        if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) {
+                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD,
+                         ERR_LIB_EVP);
+                return -1;
          }
          mac_size = (size_t)imac_size;
          for (j = 0; j < num_recs; j++) {
              thisrr = &rr[j];
  
              if (thisrr->length < mac_size) {
-                al = SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
-                goto f_err;
+                SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD,
+                         SSL_R_LENGTH_TOO_SHORT);
+                return -1;
              }
              thisrr->length -= mac_size;
              mac = thisrr->data + thisrr->length;
              i = s->method->ssl3_enc->mac(s, thisrr, md, 0 /* not send */ );
              if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) {
-                al = SSL_AD_BAD_RECORD_MAC;
-                SSLerr(SSL_F_SSL3_GET_RECORD,
+                SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD,
                         SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
-                goto f_err;
+                return -1;
              }
          }
      }
  
+    first_rec_len = rr[0].length;
+
      enc_err = s->method->ssl3_enc->enc(s, rr, num_recs, 0);
  
      /*-
       * enc_err is:
-     *    0: (in non-constant time) if the record is publically invalid.
+     *    0: (in non-constant time) if the record is publicly invalid.
       *    1: if the padding is valid
       *    -1: if the padding is invalid
       */
      if (enc_err == 0) {
-        al = SSL_AD_DECRYPTION_FAILED;
-        SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
-        goto f_err;
-    }
-#ifdef SSL_DEBUG
-    printf("dec %"OSSLzu"\n", rr[0].length);
-    {
-        size_t z;
-        for (z = 0; z < rr[0].length; z++)
-            printf("%02X%c", rr[0].data[z], ((z + 1) % 16) ? ' ' : '\n');
+        if (ossl_statem_in_error(s)) {
+            /* SSLfatal() already got called */
+            return -1;
+        }
+        if (num_recs == 1 && ossl_statem_skip_early_data(s)) {
+            /*
+             * Valid early_data that we cannot decrypt might fail here as
+             * publicly invalid. We treat it like an empty record.
+             */
+
+            thisrr = &rr[0];
+
+            if (!early_data_count_ok(s, thisrr->length,
+                                     EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) {
+                /* SSLfatal() already called */
+                return -1;
+            }
+
+            thisrr->length = 0;
+            thisrr->read = 1;
+            RECORD_LAYER_set_numrpipes(&s->rlayer, 1);
+            RECORD_LAYER_reset_read_sequence(&s->rlayer);
+            return 1;
+        }
+        SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD,
+                 SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
+        return -1;
      }
-    printf("\n");
-#endif
+    OSSL_TRACE_BEGIN(TLS) {
+        BIO_printf(trc_out, "dec %lu\n", (unsigned long)rr[0].length);
+        BIO_dump_indent(trc_out, rr[0].data, rr[0].length, 4);
+    } OSSL_TRACE_END(TLS);
  
      /* r->length is now the compressed data plus mac */
      if ((sess != NULL) &&
@@ -447,7 +612,11 @@ int ssl3_get_record(SSL *s)
          unsigned char mac_tmp[EVP_MAX_MD_SIZE];
  
          mac_size = EVP_MD_CTX_size(s->read_hash);
-        OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
+        if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) {
+            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD,
+                     ERR_R_INTERNAL_ERROR);
+            return -1;
+        }
  
          for (j = 0; j < num_recs; j++) {
              thisrr = &rr[j];
@@ -461,9 +630,9 @@ int ssl3_get_record(SSL *s)
                  /* CBC records must have a padding length byte too. */
                  (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
                   thisrr->orig_len < mac_size + 1)) {
-                al = SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
-                goto f_err;
+                SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD,
+                         SSL_R_LENGTH_TOO_SHORT);
+                return -1;
              }
  
              if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
@@ -474,7 +643,11 @@ int ssl3_get_record(SSL *s)
                   * contents of the padding bytes.
                   */
                  mac = mac_tmp;
-                ssl3_cbc_copy_mac(mac_tmp, thisrr, mac_size);
+                if (!ssl3_cbc_copy_mac(mac_tmp, thisrr, mac_size)) {
+                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD,
+                             ERR_R_INTERNAL_ERROR);
+                    return -1;
+                }
                  thisrr->length -= mac_size;
              } else {
                  /*
@@ -496,6 +669,33 @@ int ssl3_get_record(SSL *s)
      }
  
      if (enc_err < 0) {
+        if (ossl_statem_in_error(s)) {
+            /* We already called SSLfatal() */
+            return -1;
+        }
+        if (num_recs == 1 && ossl_statem_skip_early_data(s)) {
+            /*
+             * We assume this is unreadable early_data - we treat it like an
+             * empty record
+             */
+
+            /*
+             * The record length may have been modified by the mac check above
+             * so we use the previously saved value
+             */
+            if (!early_data_count_ok(s, first_rec_len,
+                                     EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) {
+                /* SSLfatal() already called */
+                return -1;
+            }
+
+            thisrr = &rr[0];
+            thisrr->length = 0;
+            thisrr->read = 1;
+            RECORD_LAYER_set_numrpipes(&s->rlayer, 1);
+            RECORD_LAYER_reset_read_sequence(&s->rlayer);
+            return 1;
+        }
          /*
           * A separate 'decryption_failed' alert was introduced with TLS 1.0,
           * SSL 3.0 only has 'bad_record_mac'.  But unless a decryption
@@ -503,36 +703,40 @@ int ssl3_get_record(SSL *s)
           * not reveal which kind of error occurred -- this might become
           * visible to an attacker (e.g. via a logfile)
           */
-        al = SSL_AD_BAD_RECORD_MAC;
-        SSLerr(SSL_F_SSL3_GET_RECORD,
-               SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
-        goto f_err;
+        SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD,
+                 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
+        return -1;
      }
  
+ skip_decryption:
+
      for (j = 0; j < num_recs; j++) {
          thisrr = &rr[j];
  
          /* thisrr->length is now just compressed */
          if (s->expand != NULL) {
              if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
-                al = SSL_AD_RECORD_OVERFLOW;
-                SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_COMPRESSED_LENGTH_TOO_LONG);
-                goto f_err;
+                SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
+                         SSL_R_COMPRESSED_LENGTH_TOO_LONG);
+                return -1;
              }
              if (!ssl3_do_uncompress(s, thisrr)) {
-                al = SSL_AD_DECOMPRESSION_FAILURE;
-                SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_DECOMPRESSION);
-                goto f_err;
+                SSLfatal(s, SSL_AD_DECOMPRESSION_FAILURE, SSL_F_SSL3_GET_RECORD,
+                         SSL_R_BAD_DECOMPRESSION);
+                return -1;
              }
          }
  
-        if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL) {
+        if (SSL_IS_TLS13(s)
+                && s->enc_read_ctx != NULL
+                && thisrr->type != SSL3_RT_ALERT) {
              size_t end;
  
-            if (thisrr->length == 0) {
-                al = SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE);
-                goto f_err;
+            if (thisrr->length == 0
+                    || thisrr->type != SSL3_RT_APPLICATION_DATA) {
+                SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD,
+                         SSL_R_BAD_RECORD_TYPE);
+                return -1;
              }
  
              /* Strip trailing padding */
@@ -545,16 +749,41 @@ int ssl3_get_record(SSL *s)
              if (thisrr->type != SSL3_RT_APPLICATION_DATA
                      && thisrr->type != SSL3_RT_ALERT
                      && thisrr->type != SSL3_RT_HANDSHAKE) {
-                al = SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE);
-                goto f_err;
+                SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD,
+                         SSL_R_BAD_RECORD_TYPE);
+                return -1;
              }
+            if (s->msg_callback)
+                s->msg_callback(0, s->version, SSL3_RT_INNER_CONTENT_TYPE,
+                                &thisrr->data[end], 1, s, s->msg_callback_arg);
+        }
+
+        /*
+         * TLSv1.3 alert and handshake records are required to be non-zero in
+         * length.
+         */
+        if (SSL_IS_TLS13(s)
+                && (thisrr->type == SSL3_RT_HANDSHAKE
+                    || thisrr->type == SSL3_RT_ALERT)
+                && thisrr->length == 0) {
+            SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD,
+                     SSL_R_BAD_LENGTH);
+            return -1;
          }
  
-        if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
-            al = SSL_AD_RECORD_OVERFLOW;
-            SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
-            goto f_err;
+        if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH && !BIO_get_ktls_recv(s->rbio)) {
+            SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
+                     SSL_R_DATA_LENGTH_TOO_LONG);
+            return -1;
+        }
+
+        /* If received packet overflows current Max Fragment Length setting */
+        if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
+                && thisrr->length > GET_MAX_FRAGMENT_LENGTH(s->session)
+                && !BIO_get_ktls_recv(s->rbio)) {
+            SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
+                     SSL_R_DATA_LENGTH_TOO_LONG);
+            return -1;
          }
  
          thisrr->off = 0;
@@ -571,22 +800,26 @@ int ssl3_get_record(SSL *s)
              RECORD_LAYER_inc_empty_record_count(&s->rlayer);
              if (RECORD_LAYER_get_empty_record_count(&s->rlayer)
                  > MAX_EMPTY_RECORDS) {
-                al = SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_RECORD_TOO_SMALL);
-                goto f_err;
+                SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD,
+                         SSL_R_RECORD_TOO_SMALL);
+                return -1;
              }
          } else {
              RECORD_LAYER_reset_empty_record_count(&s->rlayer);
          }
      }
  
+    if (s->early_data_state == SSL_EARLY_DATA_READING) {
+        thisrr = &rr[0];
+        if (thisrr->type == SSL3_RT_APPLICATION_DATA
+                && !early_data_count_ok(s, thisrr->length, 0, 0)) {
+            /* SSLfatal already called */
+            return -1;
+        }
+    }
+
      RECORD_LAYER_set_numrpipes(&s->rlayer, num_recs);
      return 1;
-
- f_err:
-    ssl3_send_alert(s, SSL3_AL_FATAL, al);
- err:
-    return ret;
  }
  
  int ssl3_do_uncompress(SSL *ssl, SSL3_RECORD *rr)
@@ -623,17 +856,18 @@ int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr)
                              (int)(wr->length + SSL3_RT_MAX_COMPRESSED_OVERHEAD),
                              wr->input, (int)wr->length);
      if (i < 0)
-        return (0);
+        return 0;
      else
          wr->length = i;
  
      wr->input = wr->data;
  #endif
-    return (1);
+    return 1;
  }
  
  /*-
- * ssl3_enc encrypts/decrypts |n_recs| records in |inrecs|
+ * ssl3_enc encrypts/decrypts |n_recs| records in |inrecs|.  Will call
+ * SSLfatal() for internal errors, but not otherwise.
   *
   * Returns:
   *   0: (in non-constant time) if the record is publically invalid (i.e. too
@@ -642,7 +876,7 @@ int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr)
   *   -1: if the record's padding is invalid or, if sending, an internal error
   *       occurred.
   */
-int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int send)
+int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending)
  {
      SSL3_RECORD *rec;
      EVP_CIPHER_CTX *ds;
@@ -657,7 +891,7 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int send)
       */
      if (n_recs != 1)
          return 0;
-    if (send) {
+    if (sending) {
          ds = s->enc_write_ctx;
          if (s->enc_write_ctx == NULL)
              enc = NULL;
@@ -681,7 +915,7 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int send)
  
          /* COMPRESS */
  
-        if ((bs != 1) && send) {
+        if ((bs != 1) && sending) {
              i = bs - (l % bs);
  
              /* we need to add 'i-1' padding bytes */
@@ -695,7 +929,7 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int send)
              rec->input[l - 1] = (unsigned char)(i - 1);
          }
  
-        if (!send) {
+        if (!sending) {
              if (l == 0 || l % bs != 0)
                  return 0;
              /* otherwise, rec->length >= bs */
@@ -708,19 +942,23 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int send)
          if (EVP_MD_CTX_md(s->read_hash) != NULL) {
              /* TODO(size_t): convert me */
              imac_size = EVP_MD_CTX_size(s->read_hash);
-            if (imac_size < 0)
+            if (imac_size < 0) {
+                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_ENC,
+                         ERR_R_INTERNAL_ERROR);
                  return -1;
+            }
              mac_size = (size_t)imac_size;
          }
-        if ((bs != 1) && !send)
+        if ((bs != 1) && !sending)
              return ssl3_cbc_remove_padding(rec, bs, mac_size);
      }
-    return (1);
+    return 1;
  }
  
  #define MAX_PADDING 256
  /*-
- * tls1_enc encrypts/decrypts |n_recs| in |recs|.
+ * tls1_enc encrypts/decrypts |n_recs| in |recs|.  Will call SSLfatal() for
+ * internal errors, but not otherwise.
   *
   * Returns:
   *   0: (in non-constant time) if the record is publically invalid (i.e. too
@@ -729,7 +967,7 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int send)
   *   -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
   *       an internal error occurred.
   */
-int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
+int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
  {
      EVP_CIPHER_CTX *ds;
      size_t reclen[SSL_MAX_PIPELINES];
@@ -740,10 +978,20 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
      int imac_size;
      const EVP_CIPHER *enc;
  
-    if (send) {
+    if (n_recs == 0) {
+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
+                 ERR_R_INTERNAL_ERROR);
+        return 0;
+    }
+
+    if (sending) {
          if (EVP_MD_CTX_md(s->write_hash)) {
              int n = EVP_MD_CTX_size(s->write_hash);
-            OPENSSL_assert(n >= 0);
+            if (!ossl_assert(n >= 0)) {
+                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
+                         ERR_R_INTERNAL_ERROR);
+                return -1;
+            }
          }
          ds = s->enc_write_ctx;
          if (s->enc_write_ctx == NULL)
@@ -764,10 +1012,12 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
                           * we can't write into the input stream: Can this ever
                           * happen?? (steve)
                           */
-                        SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR);
+                        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
+                                 ERR_R_INTERNAL_ERROR);
                          return -1;
                      } else if (RAND_bytes(recs[ctr].input, ivlen) <= 0) {
-                        SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR);
+                        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
+                                 ERR_R_INTERNAL_ERROR);
                          return -1;
                      }
                  }
@@ -776,7 +1026,11 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
      } else {
          if (EVP_MD_CTX_md(s->read_hash)) {
              int n = EVP_MD_CTX_size(s->read_hash);
-            OPENSSL_assert(n >= 0);
+            if (!ossl_assert(n >= 0)) {
+                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
+                         ERR_R_INTERNAL_ERROR);
+                return -1;
+            }
          }
          ds = s->enc_read_ctx;
          if (s->enc_read_ctx == NULL)
@@ -801,7 +1055,8 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
                   * We shouldn't have been called with pipeline data if the
                   * cipher doesn't support pipelining
                   */
-                SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE);
+                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
+                         SSL_R_PIPELINE_FAILURE);
                  return -1;
              }
          }
@@ -812,14 +1067,14 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
                  & EVP_CIPH_FLAG_AEAD_CIPHER) {
                  unsigned char *seq;
  
-                seq = send ? RECORD_LAYER_get_write_sequence(&s->rlayer)
+                seq = sending ? RECORD_LAYER_get_write_sequence(&s->rlayer)
                      : RECORD_LAYER_get_read_sequence(&s->rlayer);
  
                  if (SSL_IS_DTLS(s)) {
                      /* DTLS does not support pipelining */
                      unsigned char dtlsseq[9], *p = dtlsseq;
  
-                    s2n(send ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) :
+                    s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) :
                          DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p);
                      memcpy(p, &seq[2], 6);
                      memcpy(buf[ctr], dtlsseq, 8);
@@ -839,21 +1094,27 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
                  buf[ctr][12] = (unsigned char)(recs[ctr].length & 0xff);
                  pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD,
                                            EVP_AEAD_TLS1_AAD_LEN, buf[ctr]);
-                if (pad <= 0)
+                if (pad <= 0) {
+                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
+                             ERR_R_INTERNAL_ERROR);
                      return -1;
+                }
  
-                if (send) {
+                if (sending) {
                      reclen[ctr] += pad;
                      recs[ctr].length += pad;
                  }
  
-            } else if ((bs != 1) && send) {
+            } else if ((bs != 1) && sending) {
                  padnum = bs - (reclen[ctr] % bs);
  
                  /* Add weird padding of upto 256 bytes */
  
-                if (padnum > MAX_PADDING)
+                if (padnum > MAX_PADDING) {
+                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
+                             ERR_R_INTERNAL_ERROR);
                      return -1;
+                }
                  /* we need to add 'padnum' padding bytes of value padval */
                  padval = (unsigned char)(padnum - 1);
                  for (loop = reclen[ctr]; loop < reclen[ctr] + padnum; loop++)
@@ -862,7 +1123,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
                  recs[ctr].length += padnum;
              }
  
-            if (!send) {
+            if (!sending) {
                  if (reclen[ctr] == 0 || reclen[ctr] % bs != 0)
                      return 0;
              }
@@ -876,7 +1137,9 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
              }
              if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS,
                                      (int)n_recs, data) <= 0) {
-                SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE);
+                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
+                         SSL_R_PIPELINE_FAILURE);
+                return -1;
              }
              /* Set the input buffers */
              for (ctr = 0; ctr < n_recs; ctr++) {
@@ -886,7 +1149,8 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
                                      (int)n_recs, data) <= 0
                  || EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_LENS,
                                         (int)n_recs, reclen) <= 0) {
-                SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE);
+                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
+                         SSL_R_PIPELINE_FAILURE);
                  return -1;
              }
          }
@@ -899,7 +1163,8 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
              ? (tmpr < 0)
              : (tmpr == 0))
              return -1;          /* AEAD can fail to verify MAC */
-        if (send == 0) {
+
+        if (sending == 0) {
              if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE) {
                  for (ctr = 0; ctr < n_recs; ctr++) {
                      recs[ctr].data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
@@ -918,11 +1183,14 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
          ret = 1;
          if (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL) {
              imac_size = EVP_MD_CTX_size(s->read_hash);
-            if (imac_size < 0)
+            if (imac_size < 0) {
+                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
+                         ERR_R_INTERNAL_ERROR);
                  return -1;
+            }
              mac_size = (size_t)imac_size;
          }
-        if ((bs != 1) && !send) {
+        if ((bs != 1) && !sending) {
              int tmpret;
              for (ctr = 0; ctr < n_recs; ctr++) {
                  tmpret = tls1_cbc_remove_padding(s, &recs[ctr], bs, mac_size);
@@ -937,7 +1205,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
                                                 ret, -1);
              }
          }
-        if (pad && !send) {
+        if (pad && !sending) {
              for (ctr = 0; ctr < n_recs; ctr++) {
                  recs[ctr].length -= pad;
              }
@@ -946,7 +1214,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
      return ret;
  }
  
-int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
+int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending)
  {
      unsigned char *mac_sec, *seq;
      const EVP_MD_CTX *hash;
@@ -955,12 +1223,12 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
      size_t npad;
      int t;
  
-    if (send) {
-        mac_sec = &(ssl->s3->write_mac_secret[0]);
+    if (sending) {
+        mac_sec = &(ssl->s3.write_mac_secret[0]);
          seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
          hash = ssl->write_hash;
      } else {
-        mac_sec = &(ssl->s3->read_mac_secret[0]);
+        mac_sec = &(ssl->s3.read_mac_secret[0]);
          seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
          hash = ssl->read_hash;
      }
@@ -971,7 +1239,7 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
      md_size = t;
      npad = (48 / md_size) * md_size;
  
-    if (!send &&
+    if (!sending &&
          EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
          ssl3_cbc_record_digest_supported(hash)) {
          /*
@@ -1031,7 +1299,7 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
              || EVP_DigestUpdate(md_ctx, ssl3_pad_2, npad) <= 0
              || EVP_DigestUpdate(md_ctx, md, md_size) <= 0
              || EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) {
-            EVP_MD_CTX_reset(md_ctx);
+            EVP_MD_CTX_free(md_ctx);
              return 0;
          }
  
@@ -1042,7 +1310,7 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
      return 1;
  }
  
-int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
+int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending)
  {
      unsigned char *seq;
      EVP_MD_CTX *hash;
@@ -1050,11 +1318,11 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
      int i;
      EVP_MD_CTX *hmac = NULL, *mac_ctx;
      unsigned char header[13];
-    int stream_mac = (send ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM)
+    int stream_mac = (sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM)
                        : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM));
      int t;
  
-    if (send) {
+    if (sending) {
          seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
          hash = ssl->write_hash;
      } else {
@@ -1063,7 +1331,8 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
      }
  
      t = EVP_MD_CTX_size(hash);
-    OPENSSL_assert(t >= 0);
+    if (!ossl_assert(t >= 0))
+        return 0;
      md_size = t;
  
      /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
@@ -1071,15 +1340,17 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
          mac_ctx = hash;
      } else {
          hmac = EVP_MD_CTX_new();
-        if (hmac == NULL || !EVP_MD_CTX_copy(hmac, hash))
+        if (hmac == NULL || !EVP_MD_CTX_copy(hmac, hash)) {
+            EVP_MD_CTX_free(hmac);
              return 0;
+        }
          mac_ctx = hmac;
      }
  
      if (SSL_IS_DTLS(ssl)) {
          unsigned char dtlsseq[8], *p = dtlsseq;
  
-        s2n(send ? DTLS_RECORD_LAYER_get_w_epoch(&ssl->rlayer) :
+        s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&ssl->rlayer) :
              DTLS_RECORD_LAYER_get_r_epoch(&ssl->rlayer), p);
          memcpy(p, &seq[2], 6);
  
@@ -1093,7 +1364,7 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
      header[11] = (unsigned char)(rec->length >> 8);
      header[12] = (unsigned char)(rec->length & 0xff);
  
-    if (!send && !SSL_READ_ETM(ssl) &&
+    if (!sending && !SSL_READ_ETM(ssl) &&
          EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
          ssl3_cbc_record_digest_supported(mac_ctx)) {
          /*
@@ -1106,10 +1377,10 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
                                     md, &md_size,
                                     header, rec->input,
                                     rec->length + md_size, rec->orig_len,
-                                   ssl->s3->read_mac_secret,
-                                   ssl->s3->read_mac_secret_size, 0) <= 0) {
+                                   ssl->s3.read_mac_secret,
+                                   ssl->s3.read_mac_secret_size, 0) <= 0) {
              EVP_MD_CTX_free(hmac);
-            return -1;
+            return 0;
          }
      } else {
          /* TODO(size_t): Convert these calls */
@@ -1119,33 +1390,16 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
              EVP_MD_CTX_free(hmac);
              return 0;
          }
-        if (!send && !SSL_READ_ETM(ssl) && FIPS_mode())
-            if (!tls_fips_digest_extra(ssl->enc_read_ctx,
-                                       mac_ctx, rec->input,
-                                       rec->length, rec->orig_len)) {
-                EVP_MD_CTX_free(hmac);
-                return 0;
-            }
      }
  
      EVP_MD_CTX_free(hmac);
  
-#ifdef SSL_DEBUG
-    fprintf(stderr, "seq=");
-    {
-        int z;
-        for (z = 0; z < 8; z++)
-            fprintf(stderr, "%02X ", seq[z]);
-        fprintf(stderr, "\n");
-    }
-    fprintf(stderr, "rec=");
-    {
-        size_t z;
-        for (z = 0; z < rec->length; z++)
-            fprintf(stderr, "%02X ", rec->data[z]);
-        fprintf(stderr, "\n");
-    }
-#endif
+    OSSL_TRACE_BEGIN(TLS) {
+        BIO_printf(trc_out, "seq:\n");
+        BIO_dump_indent(trc_out, seq, 8, 4);
+        BIO_printf(trc_out, "rec:\n");
+        BIO_dump_indent(trc_out, rec->data, rec->length, 4);
+    } OSSL_TRACE_END(TLS);
  
      if (!SSL_IS_DTLS(ssl)) {
          for (i = 7; i >= 0; i--) {
@@ -1154,14 +1408,10 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
                  break;
          }
      }
-#ifdef SSL_DEBUG
-    {
-        unsigned int z;
-        for (z = 0; z < md_size; z++)
-            fprintf(stderr, "%02X ", md[z]);
-        fprintf(stderr, "\n");
-    }
-#endif
+    OSSL_TRACE_BEGIN(TLS) {
+        BIO_printf(trc_out, "md:\n");
+        BIO_dump_indent(trc_out, md, md_size, 4);
+    } OSSL_TRACE_END(TLS);
      return 1;
  }
  
@@ -1295,7 +1545,7 @@ int tls1_cbc_remove_padding(const SSL *s,
   */
  #define CBC_MAC_ROTATE_IN_PLACE
  
-void ssl3_cbc_copy_mac(unsigned char *out,
+int ssl3_cbc_copy_mac(unsigned char *out,
                         const SSL3_RECORD *rec, size_t md_size)
  {
  #if defined(CBC_MAC_ROTATE_IN_PLACE)
@@ -1319,8 +1569,9 @@ void ssl3_cbc_copy_mac(unsigned char *out,
      size_t i, j;
      size_t rotate_offset;
  
-    OPENSSL_assert(rec->orig_len >= md_size);
-    OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
+    if (!ossl_assert(rec->orig_len >= md_size
+                     && md_size <= EVP_MAX_MD_SIZE))
+        return 0;
  
  #if defined(CBC_MAC_ROTATE_IN_PLACE)
      rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf) & 63);
@@ -1365,11 +1616,13 @@ void ssl3_cbc_copy_mac(unsigned char *out,
          rotate_offset &= constant_time_lt_s(rotate_offset, md_size);
      }
  #endif
+
+    return 1;
  }
  
  int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
  {
-    int i, al;
+    int i;
      int enc_err;
      SSL_SESSION *sess;
      SSL3_RECORD *rr;
@@ -1400,9 +1653,9 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
  
      /* check is not needed I believe */
      if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
-        al = SSL_AD_RECORD_OVERFLOW;
-        SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
-        goto f_err;
+        SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD,
+                 SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
+        return 0;
      }
  
      /* decrypt in place in 'rr->input' */
@@ -1412,20 +1665,23 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
      if (SSL_READ_ETM(s) && s->read_hash) {
          unsigned char *mac;
          mac_size = EVP_MD_CTX_size(s->read_hash);
-        OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
+        if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) {
+            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
+                     ERR_R_INTERNAL_ERROR);
+            return 0;
+        }
          if (rr->orig_len < mac_size) {
-            al = SSL_AD_DECODE_ERROR;
-            SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT);
-            goto f_err;
+            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
+                     SSL_R_LENGTH_TOO_SHORT);
+            return 0;
          }
          rr->length -= mac_size;
          mac = rr->data + rr->length;
          i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ );
          if (i == 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) {
-            al = SSL_AD_BAD_RECORD_MAC;
-            SSLerr(SSL_F_DTLS1_PROCESS_RECORD,
+            SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_DTLS1_PROCESS_RECORD,
                     SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
-            goto f_err;
+            return 0;
          }
      }
  
@@ -1437,20 +1693,19 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
       *   -1: if the padding is invalid
       */
      if (enc_err == 0) {
+        if (ossl_statem_in_error(s)) {
+            /* SSLfatal() got called */
+            return 0;
+        }
          /* For DTLS we simply ignore bad packets. */
          rr->length = 0;
          RECORD_LAYER_reset_packet_length(&s->rlayer);
-        goto err;
-    }
-#ifdef SSL_DEBUG
-    printf("dec %ld\n", rr->length);
-    {
-        size_t z;
-        for (z = 0; z < rr->length; z++)
-            printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n');
+        return 0;
      }
-    printf("\n");
-#endif
+    OSSL_TRACE_BEGIN(TLS) {
+        BIO_printf(trc_out, "dec %zd\n", rr->length);
+        BIO_dump_indent(trc_out, rr->data, rr->length, 4);
+    } OSSL_TRACE_END(TLS);
  
      /* r->length is now the compressed data plus mac */
      if ((sess != NULL) && !SSL_READ_ETM(s) &&
@@ -1462,12 +1717,16 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
          /* TODO(size_t): Convert this to do size_t properly */
          imac_size = EVP_MD_CTX_size(s->read_hash);
          if (imac_size < 0) {
-            al = SSL_AD_INTERNAL_ERROR;
-            SSLerr(SSL_F_DTLS1_PROCESS_RECORD, ERR_LIB_EVP);
-            goto f_err;
+            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
+                     ERR_LIB_EVP);
+            return 0;
          }
          mac_size = (size_t)imac_size;
-        OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
+        if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) {
+            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
+                     ERR_R_INTERNAL_ERROR);
+            return 0;
+        }
  
          /*
           * orig_len is the length of the record before any padding was
@@ -1479,9 +1738,9 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
              /* CBC records must have a padding length byte too. */
              (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
               rr->orig_len < mac_size + 1)) {
-            al = SSL_AD_DECODE_ERROR;
-            SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT);
-            goto f_err;
+            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
+                     SSL_R_LENGTH_TOO_SHORT);
+            return 0;
          }
  
          if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
@@ -1492,7 +1751,11 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
               * contents of the padding bytes.
               */
              mac = mac_tmp;
-            ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
+            if (!ssl3_cbc_copy_mac(mac_tmp, rr, mac_size)) {
+                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
+                         ERR_R_INTERNAL_ERROR);
+                return 0;
+            }
              rr->length -= mac_size;
          } else {
              /*
@@ -1516,38 +1779,37 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
          /* decryption failed, silently discard message */
          rr->length = 0;
          RECORD_LAYER_reset_packet_length(&s->rlayer);
-        goto err;
+        return 0;
      }
  
      /* r->length is now just compressed */
      if (s->expand != NULL) {
          if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
-            al = SSL_AD_RECORD_OVERFLOW;
-            SSLerr(SSL_F_DTLS1_PROCESS_RECORD,
-                   SSL_R_COMPRESSED_LENGTH_TOO_LONG);
-            goto f_err;
+            SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD,
+                     SSL_R_COMPRESSED_LENGTH_TOO_LONG);
+            return 0;
          }
          if (!ssl3_do_uncompress(s, rr)) {
-            al = SSL_AD_DECOMPRESSION_FAILURE;
-            SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION);
-            goto f_err;
+            SSLfatal(s, SSL_AD_DECOMPRESSION_FAILURE,
+                     SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION);
+            return 0;
          }
      }
  
      if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
-        al = SSL_AD_RECORD_OVERFLOW;
-        SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
-        goto f_err;
+        SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD,
+                 SSL_R_DATA_LENGTH_TOO_LONG);
+        return 0;
      }
  
      rr->off = 0;
      /*-
       * So at this point the following is true
-     * ssl->s3->rrec.type   is the type of record
-     * ssl->s3->rrec.length == number of bytes in record
-     * ssl->s3->rrec.off    == offset to first valid byte
-     * ssl->s3->rrec.data   == where to take bytes from, increment
-     *                         after use :-).
+     * ssl->s3.rrec.type   is the type of record
+     * ssl->s3.rrec.length == number of bytes in record
+     * ssl->s3.rrec.off    == offset to first valid byte
+     * ssl->s3.rrec.data   == where to take bytes from, increment
+     *                        after use :-).
       */
  
      /* we have pulled in a full packet so zero things */
@@ -1556,17 +1818,11 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
      /* Mark receipt of record. */
      dtls1_record_bitmap_update(s, bitmap);
  
-    return (1);
-
- f_err:
-    ssl3_send_alert(s, SSL3_AL_FATAL, al);
- err:
-    return (0);
+    return 1;
  }
  
  /*
- * retrieve a buffered record that belongs to the current epoch, ie,
- * processed
+ * Retrieve a buffered record that belongs to the current epoch, i.e. processed
   */
  #define dtls1_get_processed_record(s) \
                     dtls1_retrieve_buffered_record((s), \
@@ -1577,9 +1833,9 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
   * It will return <= 0 if more data is needed, normally due to an error
   * or non-blocking IO.
   * When it finishes, one packet has been decoded and can be found in
- * ssl->s3->rrec.type    - is the type of record
- * ssl->s3->rrec.data,   - data
- * ssl->s3->rrec.length, - number of bytes
+ * ssl->s3.rrec.type    - is the type of record
+ * ssl->s3.rrec.data    - data
+ * ssl->s3.rrec.length  - number of bytes
   */
  /* used only by dtls1_read_bytes */
  int dtls1_get_record(SSL *s)
@@ -1600,8 +1856,10 @@ int dtls1_get_record(SSL *s)
       * The epoch may have changed.  If so, process all the pending records.
       * This is a non-blocking operation.
       */
-    if (!dtls1_process_buffered_records(s))
+    if (!dtls1_process_buffered_records(s)) {
+        /* SSLfatal() already called */
          return -1;
+    }
  
      /* if we're renegotiating, then there may be buffered records */
      if (dtls1_get_processed_record(s))
@@ -1615,8 +1873,10 @@ int dtls1_get_record(SSL *s)
          rret = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH,
                             SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0, 1, &n);
          /* read timeout is handled by dtls1_read_bytes */
-        if (rret <= 0)
+        if (rret <= 0) {
+            /* SSLfatal() already called if appropriate */
              return rret;         /* error or non-blocking */
+        }
  
          /* this packet contained a partial record, dump it */
          if (RECORD_LAYER_get_packet_length(&s->rlayer) !=
@@ -1646,12 +1906,17 @@ int dtls1_get_record(SSL *s)
          p += 6;
  
          n2s(p, rr->length);
+        rr->read = 0;
  
-        /* Lets check version */
-        if (!s->first_packet) {
+        /*
+         * Lets check the version. We tolerate alerts that don't have the exact
+         * version number (e.g. because of protocol version errors)
+         */
+        if (!s->first_packet && rr->type != SSL3_RT_ALERT) {
              if (version != s->version) {
                  /* unexpected version, silently discard */
                  rr->length = 0;
+                rr->read = 1;
                  RECORD_LAYER_reset_packet_length(&s->rlayer);
                  goto again;
              }
@@ -1660,6 +1925,7 @@ int dtls1_get_record(SSL *s)
          if ((version & 0xff00) != (s->version & 0xff00)) {
              /* wrong version, silently discard record */
              rr->length = 0;
+            rr->read = 1;
              RECORD_LAYER_reset_packet_length(&s->rlayer);
              goto again;
          }
@@ -1667,6 +1933,17 @@ int dtls1_get_record(SSL *s)
          if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
              /* record too long, silently discard it */
              rr->length = 0;
+            rr->read = 1;
+            RECORD_LAYER_reset_packet_length(&s->rlayer);
+            goto again;
+        }
+
+        /* If received packet overflows own-client Max Fragment Length setting */
+        if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
+                && rr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) {
+            /* record too long, silently discard it */
+            rr->length = 0;
+            rr->read = 1;
              RECORD_LAYER_reset_packet_length(&s->rlayer);
              goto again;
          }
@@ -1683,7 +1960,12 @@ int dtls1_get_record(SSL *s)
          rret = ssl3_read_n(s, more, more, 1, 1, &n);
          /* this packet contained a partial record, dump it */
          if (rret <= 0 || n != more) {
+            if (ossl_statem_in_error(s)) {
+                /* ssl3_read_n() called SSLfatal() */
+                return -1;
+            }
              rr->length = 0;
+            rr->read = 1;
              RECORD_LAYER_reset_packet_length(&s->rlayer);
              goto again;
          }
@@ -1714,6 +1996,7 @@ int dtls1_get_record(SSL *s)
           */
          if (!dtls1_record_replay_check(s, bitmap)) {
              rr->length = 0;
+            rr->read = 1;
              RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
              goto again;         /* get another record */
          }
@@ -1722,8 +2005,10 @@ int dtls1_get_record(SSL *s)
  #endif
  
      /* just read a 0 length packet */
-    if (rr->length == 0)
+    if (rr->length == 0) {
+        rr->read = 1;
          goto again;
+    }
  
      /*
       * If this record is from the next epoch (either HM or ALERT), and a
@@ -1732,22 +2017,55 @@ int dtls1_get_record(SSL *s)
       */
      if (is_next_epoch) {
          if ((SSL_in_init(s) || ossl_statem_get_in_handshake(s))) {
-            if (dtls1_buffer_record
-                (s, &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)),
-                 rr->seq_num) < 0)
+            if (dtls1_buffer_record (s,
+                    &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)),
+                    rr->seq_num) < 0) {
+                /* SSLfatal() already called */
                  return -1;
+            }
          }
          rr->length = 0;
+        rr->read = 1;
          RECORD_LAYER_reset_packet_length(&s->rlayer);
          goto again;
      }
  
      if (!dtls1_process_record(s, bitmap)) {
+        if (ossl_statem_in_error(s)) {
+            /* dtls1_process_record() called SSLfatal */
+            return -1;
+        }
          rr->length = 0;
+        rr->read = 1;
          RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
          goto again;             /* get another record */
      }
  
-    return (1);
+    return 1;
+
+}
+
+int dtls_buffer_listen_record(SSL *s, size_t len, unsigned char *seq, size_t off)
+{
+    SSL3_RECORD *rr;
+
+    rr = RECORD_LAYER_get_rrec(&s->rlayer);
+    memset(rr, 0, sizeof(SSL3_RECORD));
  
+    rr->length = len;
+    rr->type = SSL3_RT_HANDSHAKE;
+    memcpy(rr->seq_num, seq, sizeof(rr->seq_num));
+    rr->off = off;
+
+    s->rlayer.packet = RECORD_LAYER_get_rbuf(&s->rlayer)->buf;
+    s->rlayer.packet_length = DTLS1_RT_HEADER_LENGTH + len;
+    rr->data = s->rlayer.packet + DTLS1_RT_HEADER_LENGTH;
+
+    if (dtls1_buffer_record(s, &(s->rlayer.d->processed_rcds),
+                            SSL3_RECORD_get_seq_num(s->rlayer.rrec)) <= 0) {
+        /* SSLfatal() already called */
+        return 0;
+    }
+
+    return 1;
  }