-rw-r--r--src/lib/libssl/s3_cbc.c8
-rw-r--r--src/lib/libssl/ssl_ciph.c20
-rw-r--r--src/lib/libssl/ssl_pkt.c11
-rw-r--r--src/lib/libssl/t1_enc.c66
4 files changed, 28 insertions, 77 deletions
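diff --git a/src/lib/libssl/s3_cbc.c b/src/lib/libssl/s3_cbc.c
index 8c910c5f86..a1c0ce6b90 100644
--- a/src/lib/libssl/s3_cbc.c
+++ b/src/lib/libssl/s3_cbc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_cbc.c,v 1.16 2017/01/23 08:08:06 beck Exp $ */
+/* $OpenBSD: s3_cbc.c,v 1.17 2018/09/08 14:39:41 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 2012 The OpenSSL Project. All rights reserved.
  *
@@ -135,12 +135,6 @@ tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD *rec, unsigned block_size,
 
 	padding_length = rec->data[rec->length - 1];
 
-	if (EVP_CIPHER_flags(s->enc_read_ctx->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
-		/* padding is already verified */
-		rec->length -= padding_length + 1;
-		return 1;
-	}
-
 	good = constant_time_ge(rec->length, overhead + padding_length);
 	/* The padding consists of a length byte at the end of the record and
 	 * then that many bytes of padding, all with the same value as the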
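Review bot: With the EVP_CIPH_FLAG_AEAD_CIPHER early return removed, every record that reaches the constant_time_ge() line is handled as a padded CBC record, and that invariant now rests on ssl_cipher_get_evp() refusing AEAD-flagged and GCM-mode EVP_CIPHERs elsewhere in this commit rather than on anything local to this function. A one-line comment above that check would keep the next reader from reintroducing the branch, e.g. `/* AEAD EVP_CIPHERs never reach here: ssl_cipher_get_evp() rejects them. */`. tls1_cbc_remove_padding() starts and ends outside the hunk.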
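diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 59c3ad5a0b..e54fbacdd8 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.104 2018/09/08 14:29:52 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.105 2018/09/08 14:39:41 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -598,12 +598,20 @@ ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 		*mac_secret_size = ssl_mac_secret_size[i];
 	}
 
-	if (*enc != NULL &&
-	    (*md != NULL || (EVP_CIPHER_flags(*enc) & EVP_CIPH_FLAG_AEAD_CIPHER)) &&
-	    (!mac_pkey_type || *mac_pkey_type != NID_undef))
-		return 1;
+	if (*enc == NULL || *md == NULL ||
+	    (mac_pkey_type != NULL && *mac_pkey_type == NID_undef))
+		return 0;
 
-	return 0;
+	/*
+	 * EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE ciphers are not
+	 * supported via EVP_CIPHER (they should be using EVP_AEAD instead).
+	 */
+	if (EVP_CIPHER_flags(*enc) & EVP_CIPH_FLAG_AEAD_CIPHER)
+		return 0;
+	if (EVP_CIPHER_mode(*enc) == EVP_CIPH_GCM_MODE)
+		return 0;
+
+	return 1;
 }
 
 /*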
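Review bot: The new `return 0` paths in ssl_cipher_get_evp() run after the output parameters have already been written (`*mac_secret_size` on the first context line, and presumably `*enc`/`*md` above the hunk), so a caller that does not check the return value is left holding a cipher the function has just rejected. Either reset the outputs before each failure return, or state the contract in the function comment, e.g. `/* Returns 1 on success; on failure the output parameters are unspecified. */`. The two trailing checks could also be a single condition, though keeping them separate next to the explanatory comment reads fine. The function's start is outside the hunk.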
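diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c
index 163b0292af..4e3ac7722a 100644
--- a/src/lib/libssl/ssl_pkt.c
+++ b/src/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_pkt.c,v 1.12 2017/05/07 04:22:24 beck Exp $ */
+/* $OpenBSD: ssl_pkt.c,v 1.13 2018/09/08 14:39:41 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -739,6 +739,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 	p += 2;
 
 	/* Explicit IV length. */
+	eivlen = 0;
 	if (s->internal->enc_write_ctx && SSL_USE_EXPLICIT_IV(s)) {
 		int mode = EVP_CIPHER_CTX_mode(s->internal->enc_write_ctx);
 		if (mode == EVP_CIPH_CBC_MODE) {
@@ -746,16 +747,10 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 			if (eivlen <= 1)
 				eivlen = 0;
 		}
-		/* Need explicit part of IV for GCM mode */
-		else if (mode == EVP_CIPH_GCM_MODE)
-			eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN;
-		else
-			eivlen = 0;
 	} else if (s->internal->aead_write_ctx != NULL &&
 	    s->internal->aead_write_ctx->variable_nonce_in_record) {
 		eivlen = s->internal->aead_write_ctx->variable_nonce_len;
-	} else
-		eivlen = 0;
+	}
 
 	/* lets setup the record stuff. */
 	wr->data = p + eivlen;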
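Review bot: With the GCM arm gone, `mode` in the first hunk appears to be read only once, for the EVP_CIPH_CBC_MODE comparison, so the local can be dropped: `if (EVP_CIPHER_CTX_mode(s->internal->enc_write_ctx) == EVP_CIPH_CBC_MODE) {`. Hoisting `eivlen = 0;` above the chain is the right replacement for the removed `else` arms and leaves every path with a defined value. The body of the CBC branch lies between the two hunks and do_ssl3_write() continues outside them, so confirm `mode` is not used there before removing it.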
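diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 77ac5899ac..b8ebf52417 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.113 2018/09/06 16:40:45 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.114 2018/09/08 14:39:41 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -458,6 +458,7 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read,
 	EVP_CIPHER_CTX *cipher_ctx;
 	const EVP_CIPHER *cipher;
 	EVP_MD_CTX *mac_ctx;
+	EVP_PKEY *mac_key;
 	const EVP_MD *mac;
 	int mac_type;
 
@@ -503,26 +504,13 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read,
 		s->internal->write_hash = mac_ctx;
 	}
 
-	if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) {
-		EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, NULL,
-		    !is_read);
-		EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_GCM_SET_IV_FIXED,
-		    iv_len, (unsigned char *)iv);
-	} else
-		EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read);
-
-	if (!(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
-		EVP_PKEY *mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
-		    mac_secret, mac_secret_size);
-		if (mac_key == NULL)
-			goto err;
-		EVP_DigestSignInit(mac_ctx, NULL, mac, NULL, mac_key);
-		EVP_PKEY_free(mac_key);
-	} else if (mac_secret_size > 0) {
-		/* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
-		EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_AEAD_SET_MAC_KEY,
-		    mac_secret_size, (unsigned char *)mac_secret);
-	}
+	EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read);
+
+	if ((mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, mac_secret,
+	    mac_secret_size)) == NULL)
+		goto err;
+	EVP_DigestSignInit(mac_ctx, NULL, mac, NULL, mac_key);
+	EVP_PKEY_free(mac_key);
 
 	if (S3I(s)->hs.new_cipher->algorithm_enc == SSL_eGOST2814789CNT) {
 		int nid;
@@ -589,10 +577,6 @@ tls1_change_cipher_state(SSL *s, int which)
 	} else {
 		key_len = EVP_CIPHER_key_length(cipher);
 		iv_len = EVP_CIPHER_iv_length(cipher);
-
-		/* If GCM mode only part of IV comes from PRF. */
-		if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE)
-			iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
 	}
 
 	mac_secret_size = s->s3->tmp.new_mac_secret_size;
@@ -676,10 +660,6 @@ tls1_setup_key_block(SSL *s)
 		}
 		key_len = EVP_CIPHER_key_length(cipher);
 		iv_len = EVP_CIPHER_iv_length(cipher);
-
-		/* If GCM mode only part of IV comes from PRF. */
-		if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE)
-			iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
 	}
 
 	S3I(s)->tmp.new_aead = aead;
@@ -951,28 +931,7 @@ tls1_enc(SSL *s, int send)
 		l = rec->length;
 		bs = EVP_CIPHER_block_size(ds->cipher);
 
-		if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
-			unsigned char buf[13];
-
-			if (SSL_IS_DTLS(s)) {
-				dtls1_build_sequence_number(buf, seq,
-				    send ? D1I(s)->w_epoch : D1I(s)->r_epoch);
-			} else {
-				memcpy(buf, seq, SSL3_SEQUENCE_SIZE);
-				tls1_record_sequence_increment(seq);
-			}
-
-			buf[8] = rec->type;
-			buf[9] = (unsigned char)(s->version >> 8);
-			buf[10] = (unsigned char)(s->version);
-			buf[11] = rec->length >> 8;
-			buf[12] = rec->length & 0xff;
-			pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf);
-			if (send) {
-				l += pad;
-				rec->length += pad;
-			}
-		} else if ((bs != 1) && send) {
+		if (bs != 1 && send) {
 			i = bs - ((int)l % bs);
 
 			/* Add weird padding of upto 256 bytes */
@@ -994,11 +953,6 @@ tls1_enc(SSL *s, int send)
 		if ((EVP_CIPHER_flags(ds->cipher) &
 		    EVP_CIPH_FLAG_CUSTOM_CIPHER) ? (i < 0) : (i == 0))
 			return -1; /* AEAD can fail to verify MAC */
-		if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) {
-			rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
-			rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
-			rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
-		}
 
 		ret = 1;
 		if (EVP_MD_CTX_md(s->read_hash) != NULL)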
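Review bot: In the tls1_change_cipher_state_cipher() hunk the return values of EVP_CipherInit_ex() and EVP_DigestSignInit() are still ignored, so a failed key or MAC setup leaves cipher_ctx or mac_ctx unkeyed while the function presumably goes on to report success; the old code had the same gap, but the rewrite is the moment to close it. Both calls should jump to the existing `err` label on failure, freeing mac_key first in the second case, as below. In the tls1_enc() hunk, the surviving `/* AEAD can fail to verify MAC */` comment is now stale since AEAD-flagged EVP_CIPHERs can no longer reach this path; `/* custom ciphers report failure with a negative result */` describes the remaining check. Both functions start and end outside their hunks.
```c
	if (!EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read))
		goto err;

	if ((mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, mac_secret,
	    mac_secret_size)) == NULL)
		goto err;
	if (!EVP_DigestSignInit(mac_ctx, NULL, mac, NULL, mac_key)) {
		EVP_PKEY_free(mac_key);
		goto err;
	}
	EVP_PKEY_free(mac_key);
	/* … unchanged: SSL_eGOST2814789CNT handling … */
```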