1 /*
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/ssl.h>
11
12 #include <assert.h>
13 #include <string.h>
14
15 #include <openssl/bytestring.h>
16 #include <openssl/err.h>
17 #include <openssl/mem.h>
18
19 #include "../crypto/internal.h"
20 #include "internal.h"
21
22
23 BSSL_NAMESPACE_BEGIN
24
25 // kMaxEmptyRecords is the number of consecutive, empty records that will be
26 // processed. Without this limit an attacker could send empty records at a
27 // faster rate than we can process and cause record processing to loop
28 // forever.
29 static const uint8_t kMaxEmptyRecords = 32;
30
31 // kMaxEarlyDataSkipped is the maximum number of rejected early data bytes that
32 // will be skipped. Without this limit an attacker could send records at a
33 // faster rate than we can process and cause trial decryption to loop forever.
34 // This value should be slightly above kMaxEarlyDataAccepted, which is measured
35 // in plaintext.
36 static const size_t kMaxEarlyDataSkipped = 16384;
37
38 // kMaxWarningAlerts is the number of consecutive warning alerts that will be
39 // processed.
40 static const uint8_t kMaxWarningAlerts = 4;
41
42 // ssl_needs_record_splitting returns one if |ssl|'s current outgoing cipher
43 // state needs record-splitting and zero otherwise.
ssl_needs_record_splitting(const SSL * ssl)44 bool ssl_needs_record_splitting(const SSL *ssl) {
45 #if !defined(BORINGSSL_UNSAFE_FUZZER_MODE)
46 return !ssl->s3->aead_write_ctx->is_null_cipher() &&
47 ssl_protocol_version(ssl) < TLS1_1_VERSION &&
48 (ssl->mode & SSL_MODE_CBC_RECORD_SPLITTING) != 0 &&
49 SSL_CIPHER_is_block_cipher(ssl->s3->aead_write_ctx->cipher());
50 #else
51 return false;
52 #endif
53 }
54
ssl_record_prefix_len(const SSL * ssl)55 size_t ssl_record_prefix_len(const SSL *ssl) {
56 assert(!SSL_is_dtls(ssl));
57 return SSL3_RT_HEADER_LENGTH + ssl->s3->aead_read_ctx->ExplicitNonceLen();
58 }
59
skip_early_data(SSL * ssl,uint8_t * out_alert,size_t consumed)60 static ssl_open_record_t skip_early_data(SSL *ssl, uint8_t *out_alert,
61 size_t consumed) {
62 ssl->s3->early_data_skipped += consumed;
63 if (ssl->s3->early_data_skipped < consumed) {
64 ssl->s3->early_data_skipped = kMaxEarlyDataSkipped + 1;
65 }
66
67 if (ssl->s3->early_data_skipped > kMaxEarlyDataSkipped) {
68 OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA);
69 *out_alert = SSL_AD_UNEXPECTED_MESSAGE;
70 return ssl_open_record_error;
71 }
72
73 return ssl_open_record_discard;
74 }
75
tls_record_version(const SSL * ssl)76 static uint16_t tls_record_version(const SSL *ssl) {
77 if (ssl->s3->version == 0) {
78 // Before the version is determined, outgoing records use TLS 1.0 for
79 // historical compatibility requirements.
80 return TLS1_VERSION;
81 }
82
83 // TLS 1.3 freezes the record version at TLS 1.2. Previous ones use the
84 // version itself.
85 return ssl_protocol_version(ssl) >= TLS1_3_VERSION ? TLS1_2_VERSION
86 : ssl->s3->version;
87 }
88
tls_open_record(SSL * ssl,uint8_t * out_type,Span<uint8_t> * out,size_t * out_consumed,uint8_t * out_alert,Span<uint8_t> in)89 ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type,
90 Span<uint8_t> *out, size_t *out_consumed,
91 uint8_t *out_alert, Span<uint8_t> in) {
92 *out_consumed = 0;
93 if (ssl->s3->read_shutdown == ssl_shutdown_close_notify) {
94 return ssl_open_record_close_notify;
95 }
96
97 // If there is an unprocessed handshake message or we are already buffering
98 // too much, stop before decrypting another handshake record.
99 if (!tls_can_accept_handshake_data(ssl, out_alert)) {
100 return ssl_open_record_error;
101 }
102
103 CBS cbs = CBS(in);
104
105 // Decode the record header.
106 uint8_t type;
107 uint16_t version, ciphertext_len;
108 if (!CBS_get_u8(&cbs, &type) || //
109 !CBS_get_u16(&cbs, &version) || //
110 !CBS_get_u16(&cbs, &ciphertext_len)) {
111 *out_consumed = SSL3_RT_HEADER_LENGTH;
112 return ssl_open_record_partial;
113 }
114
115 bool version_ok;
116 if (ssl->s3->aead_read_ctx->is_null_cipher()) {
117 // Only check the first byte. Enforcing beyond that can prevent decoding
118 // version negotiation failure alerts.
119 version_ok = (version >> 8) == SSL3_VERSION_MAJOR;
120 } else {
121 version_ok = version == tls_record_version(ssl);
122 }
123
124 if (!version_ok) {
125 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);
126 *out_alert = SSL_AD_PROTOCOL_VERSION;
127 return ssl_open_record_error;
128 }
129
130 // Check the ciphertext length.
131 if (ciphertext_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
132 OPENSSL_PUT_ERROR(SSL, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
133 *out_alert = SSL_AD_RECORD_OVERFLOW;
134 return ssl_open_record_error;
135 }
136
137 // Extract the body.
138 CBS body;
139 if (!CBS_get_bytes(&cbs, &body, ciphertext_len)) {
140 *out_consumed = SSL3_RT_HEADER_LENGTH + (size_t)ciphertext_len;
141 return ssl_open_record_partial;
142 }
143
144 Span<const uint8_t> header = in.subspan(0, SSL3_RT_HEADER_LENGTH);
145 ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HEADER, header);
146
147 *out_consumed = in.size() - CBS_len(&cbs);
148
149 // In TLS 1.3, during the handshake, skip ChangeCipherSpec records.
150 static const uint8_t kChangeCipherSpec[] = {SSL3_MT_CCS};
151 if (ssl_has_final_version(ssl) &&
152 ssl_protocol_version(ssl) >= TLS1_3_VERSION && SSL_in_init(ssl) &&
153 type == SSL3_RT_CHANGE_CIPHER_SPEC &&
154 Span<const uint8_t>(body) == kChangeCipherSpec) {
155 ssl->s3->empty_record_count++;
156 if (ssl->s3->empty_record_count > kMaxEmptyRecords) {
157 OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_EMPTY_FRAGMENTS);
158 *out_alert = SSL_AD_UNEXPECTED_MESSAGE;
159 return ssl_open_record_error;
160 }
161 return ssl_open_record_discard;
162 }
163
164 // Skip early data received when expecting a second ClientHello if we rejected
165 // 0RTT.
166 if (ssl->s3->skip_early_data && //
167 ssl->s3->aead_read_ctx->is_null_cipher() && //
168 type == SSL3_RT_APPLICATION_DATA) {
169 return skip_early_data(ssl, out_alert, *out_consumed);
170 }
171
172 // Ensure the sequence number update does not overflow.
173 if (ssl->s3->read_sequence + 1 == 0) {
174 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
175 *out_alert = SSL_AD_INTERNAL_ERROR;
176 return ssl_open_record_error;
177 }
178
179 // Decrypt the body in-place.
180 if (!ssl->s3->aead_read_ctx->Open(
181 out, type, version, ssl->s3->read_sequence, header,
182 Span(const_cast<uint8_t *>(CBS_data(&body)), CBS_len(&body)))) {
183 if (ssl->s3->skip_early_data && !ssl->s3->aead_read_ctx->is_null_cipher()) {
184 ERR_clear_error();
185 return skip_early_data(ssl, out_alert, *out_consumed);
186 }
187
188 OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
189 *out_alert = SSL_AD_BAD_RECORD_MAC;
190 return ssl_open_record_error;
191 }
192
193 ssl->s3->skip_early_data = false;
194 ssl->s3->read_sequence++;
195
196 // TLS 1.3 hides the record type inside the encrypted data.
197 bool has_padding = !ssl->s3->aead_read_ctx->is_null_cipher() &&
198 ssl_protocol_version(ssl) >= TLS1_3_VERSION;
199
200 // If there is padding, the plaintext limit includes the padding, but includes
201 // extra room for the inner content type.
202 size_t plaintext_limit =
203 has_padding ? SSL3_RT_MAX_PLAIN_LENGTH + 1 : SSL3_RT_MAX_PLAIN_LENGTH;
204 if (out->size() > plaintext_limit) {
205 OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
206 *out_alert = SSL_AD_RECORD_OVERFLOW;
207 return ssl_open_record_error;
208 }
209
210 if (has_padding) {
211 // The outer record type is always application_data.
212 if (type != SSL3_RT_APPLICATION_DATA) {
213 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_OUTER_RECORD_TYPE);
214 *out_alert = SSL_AD_DECODE_ERROR;
215 return ssl_open_record_error;
216 }
217
218 do {
219 if (out->empty()) {
220 OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
221 *out_alert = SSL_AD_DECRYPT_ERROR;
222 return ssl_open_record_error;
223 }
224 type = out->back();
225 *out = out->subspan(0, out->size() - 1);
226 } while (type == 0);
227 }
228
229 // Limit the number of consecutive empty records.
230 if (out->empty()) {
231 ssl->s3->empty_record_count++;
232 if (ssl->s3->empty_record_count > kMaxEmptyRecords) {
233 OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_EMPTY_FRAGMENTS);
234 *out_alert = SSL_AD_UNEXPECTED_MESSAGE;
235 return ssl_open_record_error;
236 }
237 // Apart from the limit, empty records are returned up to the caller. This
238 // allows the caller to reject records of the wrong type.
239 } else {
240 ssl->s3->empty_record_count = 0;
241 }
242
243 if (type == SSL3_RT_ALERT) {
244 return ssl_process_alert(ssl, out_alert, *out);
245 }
246
247 // Handshake messages may not interleave with any other record type.
248 if (type != SSL3_RT_HANDSHAKE && //
249 tls_has_unprocessed_handshake_data(ssl)) {
250 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
251 *out_alert = SSL_AD_UNEXPECTED_MESSAGE;
252 return ssl_open_record_error;
253 }
254
255 ssl->s3->warning_alert_count = 0;
256
257 *out_type = type;
258 return ssl_open_record_success;
259 }
260
do_seal_record(SSL * ssl,uint8_t * out_prefix,uint8_t * out,uint8_t * out_suffix,uint8_t type,const uint8_t * in,const size_t in_len)261 static bool do_seal_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out,
262 uint8_t *out_suffix, uint8_t type, const uint8_t *in,
263 const size_t in_len) {
264 SSLAEADContext *aead = ssl->s3->aead_write_ctx.get();
265 uint8_t *extra_in = NULL;
266 size_t extra_in_len = 0;
267 if (!aead->is_null_cipher() && ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
268 // TLS 1.3 hides the actual record type inside the encrypted data.
269 extra_in = &type;
270 extra_in_len = 1;
271 }
272
273 size_t suffix_len, ciphertext_len;
274 if (!aead->SuffixLen(&suffix_len, in_len, extra_in_len) ||
275 !aead->CiphertextLen(&ciphertext_len, in_len, extra_in_len)) {
276 OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);
277 return false;
278 }
279
280 assert(in == out || !buffers_alias(in, in_len, out, in_len));
281 assert(!buffers_alias(in, in_len, out_prefix, ssl_record_prefix_len(ssl)));
282 assert(!buffers_alias(in, in_len, out_suffix, suffix_len));
283
284 if (extra_in_len) {
285 out_prefix[0] = SSL3_RT_APPLICATION_DATA;
286 } else {
287 out_prefix[0] = type;
288 }
289
290 uint16_t record_version = tls_record_version(ssl);
291 out_prefix[1] = record_version >> 8;
292 out_prefix[2] = record_version & 0xff;
293 out_prefix[3] = ciphertext_len >> 8;
294 out_prefix[4] = ciphertext_len & 0xff;
295 Span<const uint8_t> header = Span(out_prefix, SSL3_RT_HEADER_LENGTH);
296
297 // Ensure the sequence number update does not overflow.
298 if (ssl->s3->write_sequence + 1 == 0) {
299 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
300 return false;
301 }
302
303 if (!aead->SealScatter(out_prefix + SSL3_RT_HEADER_LENGTH, out, out_suffix,
304 out_prefix[0], record_version, ssl->s3->write_sequence,
305 header, in, in_len, extra_in, extra_in_len)) {
306 return false;
307 }
308
309 ssl->s3->write_sequence++;
310 ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HEADER, header);
311 return true;
312 }
313
tls_seal_scatter_prefix_len(const SSL * ssl,uint8_t type,size_t in_len)314 static size_t tls_seal_scatter_prefix_len(const SSL *ssl, uint8_t type,
315 size_t in_len) {
316 size_t ret = SSL3_RT_HEADER_LENGTH;
317 if (type == SSL3_RT_APPLICATION_DATA && in_len > 1 &&
318 ssl_needs_record_splitting(ssl)) {
319 // In the case of record splitting, the 1-byte record (of the 1/n-1 split)
320 // will be placed in the prefix, as will four of the five bytes of the
321 // record header for the main record. The final byte will replace the first
322 // byte of the plaintext that was used in the small record.
323 ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher());
324 ret += SSL3_RT_HEADER_LENGTH - 1;
325 } else {
326 ret += ssl->s3->aead_write_ctx->ExplicitNonceLen();
327 }
328 return ret;
329 }
330
tls_seal_scatter_suffix_len(const SSL * ssl,size_t * out_suffix_len,uint8_t type,size_t in_len)331 static bool tls_seal_scatter_suffix_len(const SSL *ssl, size_t *out_suffix_len,
332 uint8_t type, size_t in_len) {
333 size_t extra_in_len = 0;
334 if (!ssl->s3->aead_write_ctx->is_null_cipher() &&
335 ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
336 // TLS 1.3 adds an extra byte for encrypted record type.
337 extra_in_len = 1;
338 }
339 // clang-format off
340 if (type == SSL3_RT_APPLICATION_DATA &&
341 in_len > 1 &&
342 ssl_needs_record_splitting(ssl)) {
343 // With record splitting enabled, the first byte gets sealed into a separate
344 // record which is written into the prefix.
345 in_len -= 1;
346 }
347 // clang-format on
348 return ssl->s3->aead_write_ctx->SuffixLen(out_suffix_len, in_len,
349 extra_in_len);
350 }
351
352 // tls_seal_scatter_record seals a new record of type |type| and body |in| and
353 // splits it between |out_prefix|, |out|, and |out_suffix|. Exactly
354 // |tls_seal_scatter_prefix_len| bytes are written to |out_prefix|, |in_len|
355 // bytes to |out|, and |tls_seal_scatter_suffix_len| bytes to |out_suffix|. It
356 // returns one on success and zero on error. If enabled,
357 // |tls_seal_scatter_record| implements TLS 1.0 CBC 1/n-1 record splitting and
358 // may write two records concatenated.
tls_seal_scatter_record(SSL * ssl,uint8_t * out_prefix,uint8_t * out,uint8_t * out_suffix,uint8_t type,const uint8_t * in,size_t in_len)359 static bool tls_seal_scatter_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out,
360 uint8_t *out_suffix, uint8_t type,
361 const uint8_t *in, size_t in_len) {
362 if (type == SSL3_RT_APPLICATION_DATA && in_len > 1 &&
363 ssl_needs_record_splitting(ssl)) {
364 assert(ssl->s3->aead_write_ctx->ExplicitNonceLen() == 0);
365 const size_t prefix_len = SSL3_RT_HEADER_LENGTH;
366
367 // Write the 1-byte fragment into |out_prefix|.
368 uint8_t *split_body = out_prefix + prefix_len;
369 uint8_t *split_suffix = split_body + 1;
370
371 if (!do_seal_record(ssl, out_prefix, split_body, split_suffix, type, in,
372 1)) {
373 return false;
374 }
375
376 size_t split_record_suffix_len;
377 if (!ssl->s3->aead_write_ctx->SuffixLen(&split_record_suffix_len, 1, 0)) {
378 assert(false);
379 return false;
380 }
381 const size_t split_record_len = prefix_len + 1 + split_record_suffix_len;
382 assert(SSL3_RT_HEADER_LENGTH + ssl_cipher_get_record_split_len(
383 ssl->s3->aead_write_ctx->cipher()) ==
384 split_record_len);
385
386 // Write the n-1-byte fragment. The header gets split between |out_prefix|
387 // (header[:-1]) and |out| (header[-1:]).
388 uint8_t tmp_prefix[SSL3_RT_HEADER_LENGTH];
389 if (!do_seal_record(ssl, tmp_prefix, out + 1, out_suffix, type, in + 1,
390 in_len - 1)) {
391 return false;
392 }
393 assert(tls_seal_scatter_prefix_len(ssl, type, in_len) ==
394 split_record_len + SSL3_RT_HEADER_LENGTH - 1);
395 OPENSSL_memcpy(out_prefix + split_record_len, tmp_prefix,
396 SSL3_RT_HEADER_LENGTH - 1);
397 OPENSSL_memcpy(out, tmp_prefix + SSL3_RT_HEADER_LENGTH - 1, 1);
398 return true;
399 }
400
401 return do_seal_record(ssl, out_prefix, out, out_suffix, type, in, in_len);
402 }
403
tls_seal_record(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out_len,uint8_t type,const uint8_t * in,size_t in_len)404 bool tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len,
405 size_t max_out_len, uint8_t type, const uint8_t *in,
406 size_t in_len) {
407 if (buffers_alias(in, in_len, out, max_out_len)) {
408 OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT);
409 return false;
410 }
411
412 const size_t prefix_len = tls_seal_scatter_prefix_len(ssl, type, in_len);
413 size_t suffix_len;
414 if (!tls_seal_scatter_suffix_len(ssl, &suffix_len, type, in_len)) {
415 return false;
416 }
417 if (in_len + prefix_len < in_len ||
418 prefix_len + in_len + suffix_len < prefix_len + in_len) {
419 OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);
420 return false;
421 }
422 if (max_out_len < in_len + prefix_len + suffix_len) {
423 OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);
424 return false;
425 }
426
427 uint8_t *prefix = out;
428 uint8_t *body = out + prefix_len;
429 uint8_t *suffix = body + in_len;
430 if (!tls_seal_scatter_record(ssl, prefix, body, suffix, type, in, in_len)) {
431 return false;
432 }
433
434 *out_len = prefix_len + in_len + suffix_len;
435 return true;
436 }
437
ssl_process_alert(SSL * ssl,uint8_t * out_alert,Span<const uint8_t> in)438 enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert,
439 Span<const uint8_t> in) {
440 // Alerts records may not contain fragmented or multiple alerts.
441 if (in.size() != 2) {
442 *out_alert = SSL_AD_DECODE_ERROR;
443 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT);
444 return ssl_open_record_error;
445 }
446
447 ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_ALERT, in);
448
449 const uint8_t alert_level = in[0];
450 const uint8_t alert_descr = in[1];
451
452 uint16_t alert = (alert_level << 8) | alert_descr;
453 ssl_do_info_callback(ssl, SSL_CB_READ_ALERT, alert);
454
455 if (alert_level == SSL3_AL_WARNING) {
456 if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
457 ssl->s3->read_shutdown = ssl_shutdown_close_notify;
458 return ssl_open_record_close_notify;
459 }
460
461 // Warning alerts do not exist in TLS 1.3, but RFC 8446 section 6.1
462 // continues to define user_canceled as a signal to cancel the handshake,
463 // without specifying how to handle it. JDK11 misuses it to signal
464 // full-duplex connection close after the handshake. As a workaround, skip
465 // user_canceled as in TLS 1.2. This matches NSS and OpenSSL.
466 if (ssl_has_final_version(ssl) &&
467 ssl_protocol_version(ssl) >= TLS1_3_VERSION &&
468 alert_descr != SSL_AD_USER_CANCELLED) {
469 *out_alert = SSL_AD_DECODE_ERROR;
470 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT);
471 return ssl_open_record_error;
472 }
473
474 ssl->s3->warning_alert_count++;
475 if (ssl->s3->warning_alert_count > kMaxWarningAlerts) {
476 *out_alert = SSL_AD_UNEXPECTED_MESSAGE;
477 OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_WARNING_ALERTS);
478 return ssl_open_record_error;
479 }
480 return ssl_open_record_discard;
481 }
482
483 if (alert_level == SSL3_AL_FATAL) {
484 OPENSSL_PUT_ERROR(SSL, SSL_AD_REASON_OFFSET + alert_descr);
485 ERR_add_error_dataf("SSL alert number %d", alert_descr);
486 *out_alert = 0; // No alert to send back to the peer.
487 return ssl_open_record_error;
488 }
489
490 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
491 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_ALERT_TYPE);
492 return ssl_open_record_error;
493 }
494
495 BSSL_NAMESPACE_END
496
497 using namespace bssl;
498
SSL_max_seal_overhead(const SSL * ssl)499 size_t SSL_max_seal_overhead(const SSL *ssl) {
500 if (SSL_is_dtls(ssl)) {
501 // TODO(crbug.com/381113363): Use the 0-RTT epoch if writing 0-RTT.
502 return dtls_max_seal_overhead(ssl, ssl->d1->write_epoch.epoch());
503 }
504
505 size_t ret = SSL3_RT_HEADER_LENGTH;
506 ret += ssl->s3->aead_write_ctx->MaxOverhead();
507 // TLS 1.3 needs an extra byte for the encrypted record type.
508 if (!ssl->s3->aead_write_ctx->is_null_cipher() &&
509 ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
510 ret += 1;
511 }
512 if (ssl_needs_record_splitting(ssl)) {
513 ret *= 2;
514 }
515 return ret;
516 }
517