Encapsulate s->s3->rrec

Reviewed-by: NRichard Levitte <levitte@openssl.org>

ssl/Makefile

@@ -30,7 +30,7 @@ LIBSRC=	\
 	ssl_ciph.c ssl_stat.c ssl_rsa.c \
 	ssl_asn1.c ssl_txt.c ssl_algs.c ssl_conf.c \
 	bio_ssl.c ssl_err.c kssl.c t1_reneg.c tls_srp.c t1_trce.c ssl_utst.c \
-	record/ssl3_buffer.c
+	record/ssl3_buffer.c record/ssl3_record.c
 LIBOBJ= \
 	s3_meth.o  s3_srvr.o  s3_clnt.o  s3_lib.o  s3_enc.o s3_pkt.o s3_both.o s3_cbc.o \
 	s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o          s23_pkt.o \
@@ -41,7 +41,7 @@ LIBOBJ= \
 	ssl_ciph.o ssl_stat.o ssl_rsa.o \
 	ssl_asn1.o ssl_txt.o ssl_algs.o ssl_conf.o \
 	bio_ssl.o ssl_err.o kssl.o t1_reneg.o tls_srp.o t1_trce.o ssl_utst.o \
-	record/ssl3_buffer.o
+	record/ssl3_buffer.o record/ssl3_record.o
 
 SRC= $(LIBSRC)
 

ssl/d1_both.c

@@ -1349,25 +1349,28 @@ int dtls1_shutdown(SSL *s)
 #ifndef OPENSSL_NO_HEARTBEATS
 int dtls1_process_heartbeat(SSL *s)
 {
-    unsigned char *p = &s->s3->rrec.data[0], *pl;
+    unsigned char *p, *pl;
     unsigned short hbtype;
     unsigned int payload;
     unsigned int padding = 16;  /* Use minimum padding */
+    unsigned int length;
+
+    p = SSL3_RECORD_get_data(RECORD_LAYER_get_rrec(&s->rlayer));
+    length = SSL3_RECORD_get_length(RECORD_LAYER_get_rrec(&s->rlayer));
 
     if (s->msg_callback)
         s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
-                        &s->s3->rrec.data[0], s->s3->rrec.length,
-                        s, s->msg_callback_arg);
+                        p, length, s, s->msg_callback_arg);
 
     /* Read type and payload length first */
-    if (1 + 2 + 16 > s->s3->rrec.length)
+    if (1 + 2 + 16 > length)
         return 0;               /* silently discard */
-    if (s->s3->rrec.length > SSL3_RT_MAX_PLAIN_LENGTH)
+    if (length > SSL3_RT_MAX_PLAIN_LENGTH)
         return 0;               /* silently discard per RFC 6520 sec. 4 */
 
     hbtype = *p++;
     n2s(p, payload);
-    if (1 + 2 + payload + 16 > s->s3->rrec.length)
+    if (1 + 2 + payload + 16 > length)
         return 0;               /* silently discard per RFC 6520 sec. 4 */
     pl = p;
 

ssl/d1_pkt.c

@@ -204,7 +204,8 @@ static int dtls1_copy_record(SSL *s, pitem *item)
     s->packet_length = rdata->packet_length;
     memcpy(RECORD_LAYER_get_rbuf(&s->rlayer), &(rdata->rbuf),
         sizeof(SSL3_BUFFER));
-    memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
+    memcpy(RECORD_LAYER_get_rrec(&s->rlayer), &(rdata->rrec),
+        sizeof(SSL3_RECORD));
 
     /* Set proper sequence number for mac calculation */
     memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6);
@@ -238,7 +239,8 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
     rdata->packet_length = s->packet_length;
     memcpy(&(rdata->rbuf), RECORD_LAYER_get_rbuf(&s->rlayer),
         sizeof(SSL3_BUFFER));
-    memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD));
+    memcpy(&(rdata->rrec), RECORD_LAYER_get_rrec(&s->rlayer),
+        sizeof(SSL3_RECORD));
 
     item->data = rdata;
 
@@ -255,7 +257,7 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
     s->packet = NULL;
     s->packet_length = 0;
     memset(RECORD_LAYER_get_rbuf(&s->rlayer), 0, sizeof(SSL3_BUFFER));
-    memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD));
+    memset(RECORD_LAYER_get_rrec(&s->rlayer), 0, sizeof(SSL3_RECORD));
 
     if (!ssl3_setup_buffers(s)) {
         SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
@@ -328,7 +330,7 @@ static int dtls1_process_buffered_records(SSL *s)
             if (!dtls1_process_record(s))
                 return (0);
             if (dtls1_buffer_record(s, &(s->d1->processed_rcds),
-                                    s->s3->rrec.seq_num) < 0)
+                SSL3_RECORD_get_seq_num(RECORD_LAYER_get_rrec(&s->rlayer))) < 0)
                 return -1;
         }
     }
@@ -352,7 +354,7 @@ static int dtls1_process_record(SSL *s)
     unsigned int mac_size;
     unsigned char md[EVP_MAX_MD_SIZE];
 
-    rr = &(s->s3->rrec);
+    rr = RECORD_LAYER_get_rrec(&s->rlayer);
     sess = s->session;
 
     /*
@@ -527,7 +529,7 @@ int dtls1_get_record(SSL *s)
     DTLS1_BITMAP *bitmap;
     unsigned int is_next_epoch;
 
-    rr = &(s->s3->rrec);
+    rr = RECORD_LAYER_get_rrec(&s->rlayer);
 
     /*
      * The epoch may have changed.  If so, process all the pending records.
@@ -780,7 +782,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
      * s->s3->rrec.off,     - offset into 'data' for next read
      * s->s3->rrec.length,  - number of bytes.
      */
-    rr = &(s->s3->rrec);
+    rr = RECORD_LAYER_get_rrec(&s->rlayer);
 
     /*
      * We are not handshaking and have no data yet, so process data buffered
@@ -1629,7 +1631,7 @@ static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap)
 
     cmp = satsub64be(seq, bitmap->max_seq_num);
     if (cmp > 0) {
-        memcpy(s->s3->rrec.seq_num, seq, 8);
+        SSL3_RECORD_set_seq_num(RECORD_LAYER_get_rrec(&s->rlayer), seq);
         return 1;               /* this record in new */
     }
     shift = -cmp;
@@ -1638,7 +1640,7 @@ static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap)
     else if (bitmap->map & (1UL << shift))
         return 0;               /* record previously received */
 
-    memcpy(s->s3->rrec.seq_num, seq, 8);
+    SSL3_RECORD_set_seq_num(RECORD_LAYER_get_rrec(&s->rlayer), seq);
     return 1;
 }
 

ssl/record/rec_layer.h

@@ -130,3 +130,4 @@ typedef struct record_layer_st {
 #define RECORD_LAYER_get_read_ahead(rl)         ((rl)->read_ahead)
 #define RECORD_LAYER_get_rbuf(rl)               (&(rl)->rbuf)
 #define RECORD_LAYER_get_wbuf(rl)               (&(rl)->wbuf)
+#define RECORD_LAYER_get_rrec(rl)               (&(rl)->s->s3->rrec)

ssl/record/ssl3_record.c

+/* ssl/record/ssl3_record.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2015 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "../ssl_locl.h"
+
+void SSL3_RECORD_clear(SSL3_RECORD *r)
+{
+    memset(r->seq_num, 0, sizeof(r->seq_num));
+}
+
+void SSL3_RECORD_release(SSL3_RECORD *r)
+{
+    if (r->comp != NULL)
+        OPENSSL_free(r->comp);
+    r->comp = NULL;
+}
+
+int SSL3_RECORD_setup(SSL3_RECORD *r, size_t len)
+{
+    if (r->comp == NULL)
+        r->comp = (unsigned char *) OPENSSL_malloc(len);
+    if (r->comp == NULL)
+        return 0;
+    return 1;
+}
+
+void SSL3_RECORD_set_seq_num(SSL3_RECORD *r, const unsigned char *seq_num)
+{
+    memcpy(r->seq_num, seq_num, 8);
+}

ssl/record/ssl3_record.h

+/* ssl/record/ssl3_record.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2015 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+typedef struct ssl3_record_st {
+    /* type of record */
+    /*
+     * r
+     */ int type;
+    /* How many bytes available */
+    /*
+     * rw
+     */ unsigned int length;
+    /*
+     * How many bytes were available before padding was removed? This is used
+     * to implement the MAC check in constant time for CBC records.
+     */
+    /*
+     * rw
+     */ unsigned int orig_len;
+    /* read/write offset into 'buf' */
+    /*
+     * r
+     */ unsigned int off;
+    /* pointer to the record data */
+    /*
+     * rw
+     */ unsigned char *data;
+    /* where the decode bytes are */
+    /*
+     * rw
+     */ unsigned char *input;
+    /* only used with decompression - malloc()ed */
+    /*
+     * r
+     */ unsigned char *comp;
+    /* epoch number, needed by DTLS1 */
+    /*
+     * r
+     */ unsigned long epoch;
+    /* sequence number, needed by DTLS1 */
+    /*
+     * r
+     */ unsigned char seq_num[8];
+} SSL3_RECORD;
+
+#define SSL3_RECORD_get_type(r)                 ((r)->type)
+#define SSL3_RECORD_get_length(r)               ((r)->length)
+#define SSL3_RECORD_get_data(r)                 ((r)->data)
+#define SSL3_RECORD_get_seq_num(r)              ((r)->seq_num)
+
+void SSL3_RECORD_clear(SSL3_RECORD *r);
+void SSL3_RECORD_release(SSL3_RECORD *r);
+int SSL3_RECORD_setup(SSL3_RECORD *r, size_t len);
+void SSL3_RECORD_set_seq_num(SSL3_RECORD *r, const unsigned char *seq_num);

ssl/s3_enc.c

@@ -270,10 +270,8 @@ int ssl3_change_cipher_state(SSL *s, int which)
                        SSL_R_COMPRESSION_LIBRARY_ERROR);
                 goto err2;
             }
-            if (s->s3->rrec.comp == NULL)
-                s->s3->rrec.comp = (unsigned char *)
-                    OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH);
-            if (s->s3->rrec.comp == NULL)
+            if(!SSL3_RECORD_setup(RECORD_LAYER_get_rrec(&s->rlayer),
+                SSL3_RT_MAX_PLAIN_LENGTH))
                 goto err;
         }
 #endif
@@ -509,7 +507,7 @@ int ssl3_enc(SSL *s, int send)
             enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
     } else {
         ds = s->enc_read_ctx;
-        rec = &(s->s3->rrec);
+        rec = RECORD_LAYER_get_rrec(&s->rlayer);
         if (s->enc_read_ctx == NULL)
             enc = NULL;
         else
@@ -732,7 +730,7 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
         seq = &(ssl->s3->write_sequence[0]);
         hash = ssl->write_hash;
     } else {
-        rec = &(ssl->s3->rrec);
+        rec = RECORD_LAYER_get_rrec(&ssl->rlayer);
         mac_sec = &(ssl->s3->read_mac_secret[0]);
         seq = &(ssl->s3->read_sequence[0]);
         hash = ssl->read_hash;

ssl/s3_lib.c

@@ -3083,8 +3083,9 @@ int ssl3_pending(const SSL *s)
     if (s->rstate == SSL_ST_READ_BODY)
         return 0;
 
-    return (s->s3->rrec.type ==
-            SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0;
+    return (SSL3_RECORD_get_type(RECORD_LAYER_get_rrec(&s->rlayer))
+           == SSL3_RT_APPLICATION_DATA)
+           ? SSL3_RECORD_get_length(RECORD_LAYER_get_rrec(&s->rlayer)) : 0;
 }
 
 int ssl3_set_handshake_header(SSL *s, int htype, unsigned long len)
@@ -3110,11 +3111,10 @@ int ssl3_new(SSL *s)
     if ((s3 = OPENSSL_malloc(sizeof *s3)) == NULL)
         goto err;
     memset(s3, 0, sizeof *s3);
-    memset(s3->rrec.seq_num, 0, sizeof(s3->rrec.seq_num));
-    memset(s3->wrec.seq_num, 0, sizeof(s3->wrec.seq_num));
-
     s->s3 = s3;
-
+    SSL3_RECORD_clear(RECORD_LAYER_get_rrec(&s->rlayer));
+    memset(s3->wrec.seq_num, 0, sizeof(s3->wrec.seq_num));
+    
 #ifndef OPENSSL_NO_SRP
     if(!SSL_SRP_CTX_init(s))
           goto err;
@@ -3131,8 +3131,7 @@ void ssl3_free(SSL *s)
         return;
 
     ssl3_cleanup_key_block(s);
-    if (s->s3->rrec.comp != NULL)
-        OPENSSL_free(s->s3->rrec.comp);
+    SSL3_RECORD_release(RECORD_LAYER_get_rrec(&s->rlayer));
 #ifndef OPENSSL_NO_DH
     DH_free(s->s3->tmp.dh);
 #endif
@@ -3166,10 +3165,7 @@ void ssl3_clear(SSL *s)
     if (s->s3->tmp.ca_names != NULL)
         sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
 
-    if (s->s3->rrec.comp != NULL) {
-        OPENSSL_free(s->s3->rrec.comp);
-        s->s3->rrec.comp = NULL;
-    }
+    SSL3_RECORD_release(RECORD_LAYER_get_rrec(&s->rlayer));
 #ifndef OPENSSL_NO_DH
     DH_free(s->s3->tmp.dh);
     s->s3->tmp.dh = NULL;

ssl/s3_pkt.c

@@ -316,7 +316,7 @@ static int ssl3_get_record(SSL *s)
     size_t extra;
     unsigned empty_record_count = 0;
 
-    rr = &(s->s3->rrec);
+    rr = RECORD_LAYER_get_rrec(&s->rlayer);
     sess = s->session;
 
     if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
@@ -600,7 +600,7 @@ int ssl3_do_uncompress(SSL *ssl)
     int i;
     SSL3_RECORD *rr;
 
-    rr = &(ssl->s3->rrec);
+    rr = RECORD_LAYER_get_rrec(&ssl->rlayer);
     i = COMP_expand_block(ssl->expand, rr->comp,
                           SSL3_RT_MAX_PLAIN_LENGTH, rr->data,
                           (int)rr->length);
@@ -1235,7 +1235,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
      * s->s3->rrec.off,     - offset into 'data' for next read
      * s->s3->rrec.length,  - number of bytes.
      */
-    rr = &(s->s3->rrec);
+    rr = RECORD_LAYER_get_rrec(&s->rlayer);
 
     /* get new packet if necessary */
     if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) {

ssl/ssl_locl.h

@@ -166,6 +166,7 @@
 # include <openssl/symhacks.h>
 
 #include "record/ssl3_buffer.h"
+#include "record/ssl3_record.h"
 #include "record/rec_layer.h"
 
 # ifdef OPENSSL_BUILD_SHLIBSSL
@@ -1223,47 +1224,6 @@ struct ssl_st {
     RECORD_LAYER rlayer;
 };
 
-typedef struct ssl3_record_st {
-    /* type of record */
-    /*
-     * r
-     */ int type;
-    /* How many bytes available */
-    /*
-     * rw
-     */ unsigned int length;
-    /*
-     * How many bytes were available before padding was removed? This is used
-     * to implement the MAC check in constant time for CBC records.
-     */
-    /*
-     * rw
-     */ unsigned int orig_len;
-    /* read/write offset into 'buf' */
-    /*
-     * r
-     */ unsigned int off;
-    /* pointer to the record data */
-    /*
-     * rw
-     */ unsigned char *data;
-    /* where the decode bytes are */
-    /*
-     * rw
-     */ unsigned char *input;
-    /* only used with decompression - malloc()ed */
-    /*
-     * r
-     */ unsigned char *comp;
-    /* epoch number, needed by DTLS1 */
-    /*
-     * r
-     */ unsigned long epoch;
-    /* sequence number, needed by DTLS1 */
-    /*
-     * r
-     */ unsigned char seq_num[8];
-} SSL3_RECORD;
 
 typedef struct ssl3_state_st {
     long flags;
@@ -1281,7 +1241,7 @@ typedef struct ssl3_state_st {
     int empty_fragment_done;
     /* The value of 'extra' when the buffers were initialized */
     int init_extra;
-    SSL3_RECORD rrec;           /* each decoded record goes in here */
+    SSL3_RECORD rrec;            /* each decoded record goes in here */
     SSL3_RECORD wrec;           /* goes out from here */
     /*
      * storage for Alert/Handshake protocol data received but not yet

ssl/t1_enc.c

@@ -396,10 +396,8 @@ int tls1_change_cipher_state(SSL *s, int which)
                        SSL_R_COMPRESSION_LIBRARY_ERROR);
                 goto err2;
             }
-            if (s->s3->rrec.comp == NULL)
-                s->s3->rrec.comp = (unsigned char *)
-                    OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
-            if (s->s3->rrec.comp == NULL)
+            if (SSL3_RECORD_setup(RECORD_LAYER_get_rrec(&s->rlayer),
+                SSL3_RT_MAX_ENCRYPTED_LENGTH))
                 goto err;
         }
 #endif
@@ -782,7 +780,7 @@ int tls1_enc(SSL *s, int send)
             OPENSSL_assert(n >= 0);
         }
         ds = s->enc_read_ctx;
-        rec = &(s->s3->rrec);
+        rec = RECORD_LAYER_get_rrec(&s->rlayer);
         if (s->enc_read_ctx == NULL)
             enc = NULL;
         else
@@ -977,7 +975,7 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
         seq = &(ssl->s3->write_sequence[0]);
         hash = ssl->write_hash;
     } else {
-        rec = &(ssl->s3->rrec);
+        rec = RECORD_LAYER_get_rrec(&ssl->rlayer);
         seq = &(ssl->s3->read_sequence[0]);
         hash = ssl->read_hash;
     }

ssl/t1_lib.c

@@ -3594,22 +3594,26 @@ int SSL_get_shared_sigalgs(SSL *s, int idx,
 # ifndef OPENSSL_NO_HEARTBEATS
 int tls1_process_heartbeat(SSL *s)
 {
-    unsigned char *p = &s->s3->rrec.data[0], *pl;
+    unsigned char *p, *pl;
     unsigned short hbtype;
     unsigned int payload;
     unsigned int padding = 16;  /* Use minimum padding */
+    unsigned int length;
+
+    p = SSL3_RECORD_get_data(RECORD_LAYER_get_rrec(&s->rlayer));
+    length = SSL3_RECORD_get_length(RECORD_LAYER_get_rrec(&s->rlayer));
 
     if (s->msg_callback)
         s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
-                        &s->s3->rrec.data[0], s->s3->rrec.length,
+                        p, length,
                         s, s->msg_callback_arg);
 
     /* Read type and payload length first */
-    if (1 + 2 + 16 > s->s3->rrec.length)
+    if (1 + 2 + 16 > length)
         return 0;               /* silently discard */
     hbtype = *p++;
     n2s(p, payload);
-    if (1 + 2 + payload + 16 > s->s3->rrec.length)
+    if (1 + 2 + payload + 16 > length)
         return 0;               /* silently discard per RFC 6520 sec. 4 */
     pl = p;