Implement write pipeline support in libssl

[openssl.git] / ssl / record / ssl3_record.c

diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index ff09f0b16ae197394ba38b54a7dff0128cef90cf..ad19621b11349ab878e3d85e83d6bc9996a7e43c 100644 (file)
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -1,4 +1,3 @@
-/* ssl/record/ssl3_record.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -132,9 +131,15 @@ static const unsigned char ssl3_pad_2[48] = {
     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
 };
 
+/*
+ * Clear the contents of an SSL3_RECORD but retain any memory allocated
+ */
 void SSL3_RECORD_clear(SSL3_RECORD *r)
 {
-    memset(r->seq_num, 0, sizeof(r->seq_num));
+    unsigned char *comp = r->comp;
+
+    memset(r, 0, sizeof(*r));
+    r->comp = comp;
 }
 
 void SSL3_RECORD_release(SSL3_RECORD *r)
@@ -187,25 +192,11 @@ int ssl3_get_record(SSL *s)
     unsigned char md[EVP_MAX_MD_SIZE];
     short version;
     unsigned mac_size;
-    size_t extra;
     unsigned empty_record_count = 0;
 
     rr = RECORD_LAYER_get_rrec(&s->rlayer);
     sess = s->session;
 
-    if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
-        extra = SSL3_RT_MAX_EXTRA;
-    else
-        extra = 0;
-    if (extra && !s->s3->init_extra) {
-        /*
-         * An application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER set after
-         * ssl3_setup_buffers() was done
-         */
-        SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
-        return -1;
-    }
-
  again:
     /* check if we have the header */
     if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
@@ -220,16 +211,13 @@ int ssl3_get_record(SSL *s)
 
         /*
          * Check whether this is a regular record or an SSLv2 style record. The
-         * latter is only used in an initial ClientHello for old clients.
+         * latter is only used in an initial ClientHello for old clients. We
+         * check s->read_hash and s->enc_read_ctx to ensure this does not apply
+         * during renegotiation
          */
         if (s->first_packet && s->server && !s->read_hash && !s->enc_read_ctx
                 && (p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO)) {
             /* SSLv2 style record */
-            if (s->msg_callback)
-                s->msg_callback(0, SSL2_VERSION, 0,  p + 2,
-                                RECORD_LAYER_get_packet_length(&s->rlayer) - 2,
-                                s, s->msg_callback_arg);
-
             rr->type = SSL3_RT_HANDSHAKE;
             rr->rec_version = SSL2_VERSION;
 
@@ -262,22 +250,45 @@ int ssl3_get_record(SSL *s)
             n2s(p, rr->length);
 
             /* Lets check version */
-            if (!s->first_packet) {
-                if (version != s->version
-                        && s->method->version != TLS_ANY_VERSION) {
-                    SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
-                    if ((s->version & 0xFF00) == (version & 0xFF00)
-                        && !s->enc_write_ctx && !s->write_hash)
+            if (!s->first_packet && version != s->version) {
+                SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
+                if ((s->version & 0xFF00) == (version & 0xFF00)
+                    && !s->enc_write_ctx && !s->write_hash) {
+                    if (rr->type == SSL3_RT_ALERT) {
                         /*
-                         * Send back error using their minor version number :-)
+                         * The record is using an incorrect version number, but
+                         * what we've got appears to be an alert. We haven't
+                         * read the body yet to check whether its a fatal or
+                         * not - but chances are it is. We probably shouldn't
+                         * send a fatal alert back. We'll just end.
                          */
-                        s->version = (unsigned short)version;
-                    al = SSL_AD_PROTOCOL_VERSION;
-                    goto f_err;
+                         goto err;
+                    }
+                    /*
+                     * Send back error using their minor version number :-)
+                     */
+                    s->version = (unsigned short)version;
                 }
+                al = SSL_AD_PROTOCOL_VERSION;
+                goto f_err;
             }
 
             if ((version >> 8) != SSL3_VERSION_MAJOR) {
+                if (s->first_packet) {
+                    /* Go back to start of packet, look at the five bytes
+                     * that we have. */
+                    p = RECORD_LAYER_get_packet(&s->rlayer);
+                    if (strncmp((char *)p, "GET ", 4) == 0 ||
+                        strncmp((char *)p, "POST ", 5) == 0 ||
+                        strncmp((char *)p, "HEAD ", 5) == 0 ||
+                        strncmp((char *)p, "PUT ", 4) == 0) {
+                        SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_HTTP_REQUEST);
+                        goto err;
+                    } else if (strncmp((char *)p, "CONNE", 5) == 0) {
+                        SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_HTTPS_PROXY_REQUEST);
+                        goto err;
+                    }
+                }
                 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
                 goto err;
             }
@@ -309,15 +320,6 @@ int ssl3_get_record(SSL *s)
         n = ssl3_read_n(s, i, i, 1);
         if (n <= 0)
             return (n);         /* error or non-blocking io */
-        /*
-         * now n == rr->length, and
-         * s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length
-         * or
-         * s->packet_length == SSL2_RT_HEADER_LENGTH + rr->length
-         * (if SSLv2 packet)
-         */
-    } else {
-        n = 0;
     }
 
     /* set state for later operations */
@@ -347,7 +349,7 @@ int ssl3_get_record(SSL *s)
      */
 
     /* check is not needed I believe */
-    if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH + extra) {
+    if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
         al = SSL_AD_RECORD_OVERFLOW;
         SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
         goto f_err;
@@ -371,7 +373,7 @@ int ssl3_get_record(SSL *s)
         }
         rr->length -= mac_size;
         mac = rr->data + rr->length;
-        i = s->method->ssl3_enc->mac(s, md, 0 /* not send */ );
+        i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ );
         if (i < 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) {
             al = SSL_AD_BAD_RECORD_MAC;
             SSLerr(SSL_F_SSL3_GET_RECORD,
@@ -380,7 +382,7 @@ int ssl3_get_record(SSL *s)
         }
     }
 
-    enc_err = s->method->ssl3_enc->enc(s, 0);
+    enc_err = s->method->ssl3_enc->enc(s, rr, 1, 0);
     /*-
      * enc_err is:
      *    0: (in non-constant time) if the record is publically invalid.
@@ -392,7 +394,7 @@ int ssl3_get_record(SSL *s)
         SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
         goto f_err;
     }
-#ifdef TLS_DEBUG
+#ifdef SSL_DEBUG
     printf("dec %d\n", rr->length);
     {
         unsigned int z;
@@ -447,11 +449,11 @@ int ssl3_get_record(SSL *s)
             mac = &rr->data[rr->length];
         }
 
-        i = s->method->ssl3_enc->mac(s, md, 0 /* not send */ );
+        i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ );
         if (i < 0 || mac == NULL
             || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
             enc_err = -1;
-        if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + extra + mac_size)
+        if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
             enc_err = -1;
     }
 
@@ -471,7 +473,7 @@ int ssl3_get_record(SSL *s)
 
     /* r->length is now just compressed */
     if (s->expand != NULL) {
-        if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + extra) {
+        if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
             al = SSL_AD_RECORD_OVERFLOW;
             SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_COMPRESSED_LENGTH_TOO_LONG);
             goto f_err;
@@ -483,7 +485,7 @@ int ssl3_get_record(SSL *s)
         }
     }
 
-    if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH + extra) {
+    if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
         al = SSL_AD_RECORD_OVERFLOW;
         SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
         goto f_err;
@@ -540,13 +542,11 @@ int ssl3_do_uncompress(SSL *ssl)
     return (1);
 }
 
-int ssl3_do_compress(SSL *ssl)
+int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr)
 {
 #ifndef OPENSSL_NO_COMP
     int i;
-    SSL3_RECORD *wr;
 
-    wr = RECORD_LAYER_get_wrec(&ssl->rlayer);
     i = COMP_compress_block(ssl->compress, wr->data,
                             SSL3_RT_MAX_COMPRESSED_LENGTH,
                             wr->input, (int)wr->length);
@@ -570,7 +570,7 @@ int ssl3_do_compress(SSL *ssl)
  *   -1: if the record's padding is invalid or, if sending, an internal error
  *       occurred.
  */
-int ssl3_enc(SSL *s, int send)
+int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, unsigned int numpipes, int send)
 {
     SSL3_RECORD *rec;
     EVP_CIPHER_CTX *ds;
@@ -578,16 +578,15 @@ int ssl3_enc(SSL *s, int send)
     int bs, i, mac_size = 0;
     const EVP_CIPHER *enc;
 
+    rec = inrecs;
     if (send) {
         ds = s->enc_write_ctx;
-        rec = RECORD_LAYER_get_wrec(&s->rlayer);
         if (s->enc_write_ctx == NULL)
             enc = NULL;
         else
             enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
     } else {
         ds = s->enc_read_ctx;
-        rec = RECORD_LAYER_get_rrec(&s->rlayer);
         if (s->enc_read_ctx == NULL)
             enc = NULL;
         else
@@ -599,7 +598,7 @@ int ssl3_enc(SSL *s, int send)
         rec->input = rec->data;
     } else {
         l = rec->length;
-        bs = EVP_CIPHER_block_size(ds->cipher);
+        bs = EVP_CIPHER_CTX_block_size(ds);
 
         /* COMPRESS */
 
@@ -629,7 +628,7 @@ int ssl3_enc(SSL *s, int send)
         if (EVP_MD_CTX_md(s->read_hash) != NULL)
             mac_size = EVP_MD_CTX_size(s->read_hash);
         if ((bs != 1) && !send)
-            return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
+            return ssl3_cbc_remove_padding(rec, bs, mac_size);
     }
     return (1);
 }
@@ -644,13 +643,14 @@ int ssl3_enc(SSL *s, int send)
  *   -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
  *       an internal error occurred.
  */
-int tls1_enc(SSL *s, int send)
+int tls1_enc(SSL *s, SSL3_RECORD *recs, unsigned int numpipes, int send)
 {
-    SSL3_RECORD *rec;
     EVP_CIPHER_CTX *ds;
-    unsigned long l;
+    size_t reclen[SSL_MAX_PIPELINES];
+    unsigned char buf[SSL_MAX_PIPELINES][EVP_AEAD_TLS1_AAD_LEN];
     int bs, i, j, k, pad = 0, ret, mac_size = 0;
     const EVP_CIPHER *enc;
+    unsigned int ctr;
 
     if (send) {
         if (EVP_MD_CTX_md(s->write_hash)) {
@@ -658,7 +658,6 @@ int tls1_enc(SSL *s, int send)
             OPENSSL_assert(n >= 0);
         }
         ds = s->enc_write_ctx;
-        rec = RECORD_LAYER_get_wrec(&s->rlayer);
         if (s->enc_write_ctx == NULL)
             enc = NULL;
         else {
@@ -671,16 +670,19 @@ int tls1_enc(SSL *s, int send)
             else
                 ivlen = 0;
             if (ivlen > 1) {
-                if (rec->data != rec->input)
-                    /*
-                     * we can't write into the input stream: Can this ever
-                     * happen?? (steve)
-                     */
-                    fprintf(stderr,
-                            "%s:%d: rec->data != rec->input\n",
-                            __FILE__, __LINE__);
-                else if (RAND_bytes(rec->input, ivlen) <= 0)
-                    return -1;
+                for (ctr = 0; ctr < numpipes; ctr++) {
+                    if (recs[ctr].data != recs[ctr].input) {
+                        /*
+                         * we can't write into the input stream: Can this ever
+                         * happen?? (steve)
+                         */
+                        SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR);
+                        return -1;
+                    } else if (RAND_bytes(recs[ctr].input, ivlen) <= 0) {
+                        SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR);
+                        return -1;
+                    }
+                }
             }
         }
     } else {
@@ -689,7 +691,6 @@ int tls1_enc(SSL *s, int send)
             OPENSSL_assert(n >= 0);
         }
         ds = s->enc_read_ctx;
-        rec = RECORD_LAYER_get_rrec(&s->rlayer);
         if (s->enc_read_ctx == NULL)
             enc = NULL;
         else
@@ -697,97 +698,147 @@ int tls1_enc(SSL *s, int send)
     }
 
     if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
-        memmove(rec->data, rec->input, rec->length);
-        rec->input = rec->data;
+        for (ctr = 0; ctr < numpipes; ctr++) {
+            memmove(recs[ctr].data, recs[ctr].input, recs[ctr].length);
+            recs[ctr].input = recs[ctr].data;
+        }
         ret = 1;
     } else {
-        l = rec->length;
-        bs = EVP_CIPHER_block_size(ds->cipher);
-
-        if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
-            unsigned char buf[EVP_AEAD_TLS1_AAD_LEN], *seq;
-
-            seq = send ? RECORD_LAYER_get_write_sequence(&s->rlayer)
-                : RECORD_LAYER_get_read_sequence(&s->rlayer);
-
-            if (SSL_IS_DTLS(s)) {
-                unsigned char dtlsseq[9], *p = dtlsseq;
-
-                s2n(send ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) :
-                    DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p);
-                memcpy(p, &seq[2], 6);
-                memcpy(buf, dtlsseq, 8);
-            } else {
-                memcpy(buf, seq, 8);
-                for (i = 7; i >= 0; i--) { /* increment */
-                    ++seq[i];
-                    if (seq[i] != 0)
-                        break;
-                }
-            }
-
-            buf[8] = rec->type;
-            buf[9] = (unsigned char)(s->version >> 8);
-            buf[10] = (unsigned char)(s->version);
-            buf[11] = rec->length >> 8;
-            buf[12] = rec->length & 0xff;
-            pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD,
-                                      EVP_AEAD_TLS1_AAD_LEN, buf);
-            if (pad <= 0)
+        bs = EVP_CIPHER_block_size(EVP_CIPHER_CTX_cipher(ds));
+
+        if (numpipes > 1) {
+            if(!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds))
+                                  & EVP_CIPH_FLAG_PIPELINE)) {
+                /*
+                 * We shouldn't have been called with pipeline data if the
+                 * cipher doesn't support pipelining
+                 */
+                SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE);
                 return -1;
-            if (send) {
-                l += pad;
-                rec->length += pad;
             }
-        } else if ((bs != 1) && send) {
-            i = bs - ((int)l % bs);
+        }
+        for (ctr = 0; ctr < numpipes; ctr++) {
+            reclen[ctr] = recs[ctr].length;
+
+            if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds))
+                    & EVP_CIPH_FLAG_AEAD_CIPHER) {
+                unsigned char *seq;
+
+                seq = send ? RECORD_LAYER_get_write_sequence(&s->rlayer)
+                    : RECORD_LAYER_get_read_sequence(&s->rlayer);
+
+                if (SSL_IS_DTLS(s)) {
+                    /* DTLS does not support pipelining */
+                    unsigned char dtlsseq[9], *p = dtlsseq;
+
+                    s2n(send ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) :
+                        DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p);
+                    memcpy(p, &seq[2], 6);
+                    memcpy(buf[ctr], dtlsseq, 8);
+                } else {
+                    memcpy(buf[ctr], seq, 8);
+                    for (i = 7; i >= 0; i--) { /* increment */
+                        ++seq[i];
+                        if (seq[i] != 0)
+                            break;
+                    }
+                }
 
-            /* Add weird padding of upto 256 bytes */
+                buf[ctr][8] = recs[ctr].type;
+                buf[ctr][9] = (unsigned char)(s->version >> 8);
+                buf[ctr][10] = (unsigned char)(s->version);
+                buf[ctr][11] = recs[ctr].length >> 8;
+                buf[ctr][12] = recs[ctr].length & 0xff;
+                pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD,
+                                          EVP_AEAD_TLS1_AAD_LEN, buf[ctr]);
+                if (pad <= 0)
+                    return -1;
 
-            /* we need to add 'i' padding bytes of value j */
-            j = i - 1;
-            if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) {
-                if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
-                    j++;
+                if (send) {
+                    reclen[ctr] += pad;
+                    recs[ctr].length += pad;
+                }
+
+            } else if ((bs != 1) && send) {
+                i = bs - ((int)reclen[ctr] % bs);
+
+                /* Add weird padding of upto 256 bytes */
+
+                /* we need to add 'i' padding bytes of value j */
+                j = i - 1;
+                for (k = (int)reclen[ctr]; k < (int)(reclen[ctr] + i); k++)
+                    recs[ctr].input[k] = j;
+                reclen[ctr] += i;
+                recs[ctr].length += i;
+            }
+
+            if (!send) {
+                if (reclen[ctr] == 0 || reclen[ctr] % bs != 0)
+                    return 0;
             }
-            for (k = (int)l; k < (int)(l + i); k++)
-                rec->input[k] = j;
-            l += i;
-            rec->length += i;
         }
+        if (numpipes > 1) {
+            unsigned char *data[SSL_MAX_PIPELINES];
 
-        if (!send) {
-            if (l == 0 || l % bs != 0)
-                return 0;
+            /* Set the output buffers */
+            for(ctr = 0; ctr < numpipes; ctr++) {
+                data[ctr] = recs[ctr].data;
+            }
+            if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS,
+                                      numpipes, data) <= 0) {
+                SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE);
+            }
+            /* Set the input buffers */
+            for(ctr = 0; ctr < numpipes; ctr++) {
+                data[ctr] = recs[ctr].input;
+            }
+            if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_BUFS,
+                                      numpipes, data) <= 0
+                || EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_LENS,
+                                      numpipes, reclen) <= 0) {
+                SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE);
+                return -1;
+            }
         }
 
-        i = EVP_Cipher(ds, rec->data, rec->input, l);
-        if ((EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_CUSTOM_CIPHER)
+        i = EVP_Cipher(ds, recs[0].data, recs[0].input, reclen[0]);
+        if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds))
+                & EVP_CIPH_FLAG_CUSTOM_CIPHER)
             ? (i < 0)
             : (i == 0))
             return -1;          /* AEAD can fail to verify MAC */
-        if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) {
-            rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
-            rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
-            rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
+        if (send == 0) {
+            if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE) {
+                for (ctr = 0; ctr < numpipes; ctr++) {
+                    recs[ctr].data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
+                    recs[ctr].input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
+                    recs[ctr].length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
+                }
+            } else if (EVP_CIPHER_mode(enc) == EVP_CIPH_CCM_MODE) {
+                for (ctr = 0; ctr < numpipes; ctr++) {
+                    recs[ctr].data += EVP_CCM_TLS_EXPLICIT_IV_LEN;
+                    recs[ctr].input += EVP_CCM_TLS_EXPLICIT_IV_LEN;
+                    recs[ctr].length -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
+                }
+            }
         }
 
         ret = 1;
         if (!SSL_USE_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL)
             mac_size = EVP_MD_CTX_size(s->read_hash);
-        if ((bs != 1) && !send)
-            ret = tls1_cbc_remove_padding(s, rec, bs, mac_size);
+        if ((bs != 1) && !send) {
+            /* TODO: We only support writing for pipelining at the moment */
+            ret = tls1_cbc_remove_padding(s, recs, bs, mac_size);
+        }
         if (pad && !send)
-            rec->length -= pad;
+            recs[0].length -= pad;
     }
     return ret;
 }
 
-int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
+int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
 {
-    SSL3_RECORD *rec;
     unsigned char *mac_sec, *seq;
-    EVP_MD_CTX md_ctx;
     const EVP_MD_CTX *hash;
     unsigned char *p, rec_char;
     size_t md_size;
@@ -795,12 +846,10 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
     int t;
 
     if (send) {
-        rec = RECORD_LAYER_get_wrec(&ssl->rlayer);
         mac_sec = &(ssl->s3->write_mac_secret[0]);
         seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
         hash = ssl->write_hash;
     } else {
-        rec = RECORD_LAYER_get_rrec(&ssl->rlayer);
         mac_sec = &(ssl->s3->read_mac_secret[0]);
         seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
         hash = ssl->read_hash;
@@ -842,61 +891,64 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
         header[j++] = rec->length & 0xff;
 
         /* Final param == is SSLv3 */
-        ssl3_cbc_digest_record(hash,
-                               md, &md_size,
-                               header, rec->input,
-                               rec->length + md_size, rec->orig_len,
-                               mac_sec, md_size, 1);
+        if (ssl3_cbc_digest_record(hash,
+                                   md, &md_size,
+                                   header, rec->input,
+                                   rec->length + md_size, rec->orig_len,
+                                   mac_sec, md_size, 1) <= 0)
+            return -1;
     } else {
         unsigned int md_size_u;
         /* Chop the digest off the end :-) */
-        EVP_MD_CTX_init(&md_ctx);
+        EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
+
+        if (md_ctx == NULL)
+            return -1;
 
-        EVP_MD_CTX_copy_ex(&md_ctx, hash);
-        EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
-        EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad);
-        EVP_DigestUpdate(&md_ctx, seq, 8);
         rec_char = rec->type;
-        EVP_DigestUpdate(&md_ctx, &rec_char, 1);
         p = md;
         s2n(rec->length, p);
-        EVP_DigestUpdate(&md_ctx, md, 2);
-        EVP_DigestUpdate(&md_ctx, rec->input, rec->length);
-        EVP_DigestFinal_ex(&md_ctx, md, NULL);
-
-        EVP_MD_CTX_copy_ex(&md_ctx, hash);
-        EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
-        EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad);
-        EVP_DigestUpdate(&md_ctx, md, md_size);
-        EVP_DigestFinal_ex(&md_ctx, md, &md_size_u);
+        if (EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
+                || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
+                || EVP_DigestUpdate(md_ctx, ssl3_pad_1, npad) <= 0
+                || EVP_DigestUpdate(md_ctx, seq, 8) <= 0
+                || EVP_DigestUpdate(md_ctx, &rec_char, 1) <= 0
+                || EVP_DigestUpdate(md_ctx, md, 2) <= 0
+                || EVP_DigestUpdate(md_ctx, rec->input, rec->length) <= 0
+                || EVP_DigestFinal_ex(md_ctx, md, NULL) <= 0
+                || EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
+                || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
+                || EVP_DigestUpdate(md_ctx, ssl3_pad_2, npad) <= 0
+                || EVP_DigestUpdate(md_ctx, md, md_size) <= 0
+                || EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) {
+            EVP_MD_CTX_reset(md_ctx);
+            return -1;
+        }
         md_size = md_size_u;
 
-        EVP_MD_CTX_cleanup(&md_ctx);
+        EVP_MD_CTX_free(md_ctx);
     }
 
     ssl3_record_sequence_update(seq);
     return (md_size);
 }
 
-int tls1_mac(SSL *ssl, unsigned char *md, int send)
+int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
 {
-    SSL3_RECORD *rec;
     unsigned char *seq;
     EVP_MD_CTX *hash;
     size_t md_size;
     int i;
-    EVP_MD_CTX hmac, *mac_ctx;
+    EVP_MD_CTX *hmac = NULL, *mac_ctx;
     unsigned char header[13];
     int stream_mac = (send ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM)
                       : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM));
     int t;
 
     if (send) {
-        rec = RECORD_LAYER_get_wrec(&ssl->rlayer);
         seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
         hash = ssl->write_hash;
     } else {
-        rec = RECORD_LAYER_get_rrec(&ssl->rlayer);
         seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
         hash = ssl->read_hash;
     }
@@ -909,9 +961,11 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
     if (stream_mac) {
         mac_ctx = hash;
     } else {
-        if (!EVP_MD_CTX_copy(&hmac, hash))
+        hmac = EVP_MD_CTX_new();
+        if (hmac == NULL
+                || !EVP_MD_CTX_copy(hmac, hash))
             return -1;
-        mac_ctx = &hmac;
+        mac_ctx = hmac;
     }
 
     if (SSL_IS_DTLS(ssl)) {
@@ -940,26 +994,31 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
          * are hashing because that gives an attacker a timing-oracle.
          */
         /* Final param == not SSLv3 */
-        ssl3_cbc_digest_record(mac_ctx,
-                               md, &md_size,
-                               header, rec->input,
-                               rec->length + md_size, rec->orig_len,
-                               ssl->s3->read_mac_secret,
-                               ssl->s3->read_mac_secret_size, 0);
+        if (ssl3_cbc_digest_record(mac_ctx,
+                                   md, &md_size,
+                                   header, rec->input,
+                                   rec->length + md_size, rec->orig_len,
+                                   ssl->s3->read_mac_secret,
+                                   ssl->s3->read_mac_secret_size, 0) <= 0) {
+            EVP_MD_CTX_free(hmac);
+            return -1;
+        }
     } else {
-        EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));
-        EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length);
-        t = EVP_DigestSignFinal(mac_ctx, md, &md_size);
-        OPENSSL_assert(t > 0);
+        if (EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)) <= 0
+                || EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length) <= 0
+                || EVP_DigestSignFinal(mac_ctx, md, &md_size) <= 0) {
+            EVP_MD_CTX_free(hmac);
+            return -1;
+        }
         if (!send && !SSL_USE_ETM(ssl) && FIPS_mode())
             tls_fips_digest_extra(ssl->enc_read_ctx,
                                   mac_ctx, rec->input,
                                   rec->length, rec->orig_len);
     }
 
-    if (!stream_mac)
-        EVP_MD_CTX_cleanup(&hmac);
-#ifdef TLS_DEBUG
+    EVP_MD_CTX_free(hmac);
+
+#ifdef SSL_DEBUG
     fprintf(stderr, "seq=");
     {
         int z;
@@ -983,7 +1042,7 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
                 break;
         }
     }
-#ifdef TLS_DEBUG
+#ifdef SSL_DEBUG
     {
         unsigned int z;
         for (z = 0; z < md_size; z++)
@@ -1004,8 +1063,7 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
  *   1: if the padding was valid
  *  -1: otherwise.
  */
-int ssl3_cbc_remove_padding(const SSL *s,
-                            SSL3_RECORD *rec,
+int ssl3_cbc_remove_padding(SSL3_RECORD *rec,
                             unsigned block_size, unsigned mac_size)
 {
     unsigned padding_length, good;
@@ -1062,25 +1120,7 @@ int tls1_cbc_remove_padding(const SSL *s,
 
     padding_length = rec->data[rec->length - 1];
 
-    /*
-     * NB: if compression is in operation the first packet may not be of even
-     * length so the padding bug check cannot be performed. This bug
-     * workaround has been around since SSLeay so hopefully it is either
-     * fixed now or no buggy implementation supports compression [steve]
-     */
-    if ((s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) && !s->expand) {
-        /* First packet is even in size, so check */
-        if ((memcmp(RECORD_LAYER_get_read_sequence(&s->rlayer),
-                "\0\0\0\0\0\0\0\0", 8) == 0) &&
-            !(padding_length & 1)) {
-            s->s3->flags |= TLS1_FLAGS_TLS_PADDING_BUG;
-        }
-        if ((s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) && padding_length > 0) {
-            padding_length--;
-        }
-    }
-
-    if (EVP_CIPHER_flags(s->enc_read_ctx->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
+    if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER) {
         /* padding is already verified */
         rec->length -= padding_length + 1;
         return 1;
@@ -1258,7 +1298,7 @@ int dtls1_process_record(SSL *s)
     rr->data = rr->input;
     rr->orig_len = rr->length;
 
-    enc_err = s->method->ssl3_enc->enc(s, 0);
+    enc_err = s->method->ssl3_enc->enc(s, rr, 1, 0);
     /*-
      * enc_err is:
      *    0: (in non-constant time) if the record is publically invalid.
@@ -1271,7 +1311,7 @@ int dtls1_process_record(SSL *s)
         RECORD_LAYER_reset_packet_length(&s->rlayer);
         goto err;
     }
-#ifdef TLS_DEBUG
+#ifdef SSL_DEBUG
     printf("dec %d\n", rr->length);
     {
         unsigned int z;
@@ -1325,7 +1365,7 @@ int dtls1_process_record(SSL *s)
             mac = &rr->data[rr->length];
         }
 
-        i = s->method->ssl3_enc->mac(s, md, 0 /* not send */ );
+        i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ );
         if (i < 0 || mac == NULL
             || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
             enc_err = -1;
@@ -1522,18 +1562,8 @@ int dtls1_get_record(SSL *s)
     /* Only do replay check if no SCTP bio */
     if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) {
 #endif
-        /*
-         * Check whether this is a repeat, or aged record. Don't check if
-         * we're listening and this message is a ClientHello. They can look
-         * as if they're replayed, since they arrive from different
-         * connections and would be dropped unnecessarily.
-         */
-        if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&
-              RECORD_LAYER_get_packet_length(&s->rlayer)
-                  > DTLS1_RT_HEADER_LENGTH &&
-              RECORD_LAYER_get_packet(&s->rlayer)[DTLS1_RT_HEADER_LENGTH]
-                  == SSL3_MT_CLIENT_HELLO) &&
-            !dtls1_record_replay_check(s, bitmap)) {
+        /* Check whether this is a repeat, or aged record. */
+        if (!dtls1_record_replay_check(s, bitmap)) {
             rr->length = 0;
             RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
             goto again;         /* get another record */
@@ -1549,11 +1579,10 @@ int dtls1_get_record(SSL *s)
     /*
      * If this record is from the next epoch (either HM or ALERT), and a
      * handshake is currently in progress, buffer it since it cannot be
-     * processed at this time. However, do not buffer anything while
-     * listening.
+     * processed at this time.
      */
     if (is_next_epoch) {
-        if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) {
+        if ((SSL_in_init(s) || ossl_statem_get_in_handshake(s))) {
             if (dtls1_buffer_record
                 (s, &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)),
                 rr->seq_num) < 0)
@@ -1576,4 +1605,3 @@ int dtls1_get_record(SSL *s)
     return (1);
 
 }
-