Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@

9 files changed, 83 insertions, 53 deletions

diff --git a/lib/libssl/d1_enc.c b/lib/libssl/d1_enc.c
index 20686d29631..3927fbfe0df 100644
--- a/lib/libssl/d1_enc.c
+++ b/lib/libssl/d1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_enc.c,v 1.14 2017/01/23 08:08:06 beck Exp $ */
+/* $OpenBSD: d1_enc.c,v 1.15 2020/03/12 17:01:53 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -132,7 +132,7 @@
 int
 dtls1_enc(SSL *s, int send)
 {
-	SSL3_RECORD *rec;
+	SSL3_RECORD_INTERNAL *rec;
 	EVP_CIPHER_CTX *ds;
 	unsigned long l;
 	int bs, i, j, k, mac_size = 0;
diff --git a/lib/libssl/d1_lib.c b/lib/libssl/d1_lib.c
index 6171035d238..b7ba6b1092e 100644
--- a/lib/libssl/d1_lib.c
+++ b/lib/libssl/d1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_lib.c,v 1.44 2020/03/10 17:02:21 jsing Exp $ */
+/* $OpenBSD: d1_lib.c,v 1.45 2020/03/12 17:01:53 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -136,17 +136,17 @@ dtls1_clear_queues(SSL *s)
 {
 	pitem *item = NULL;
 	hm_fragment *frag = NULL;
-	DTLS1_RECORD_DATA *rdata;
+	DTLS1_RECORD_DATA_INTERNAL *rdata;
 
 	while ((item = pqueue_pop(D1I(s)->unprocessed_rcds.q)) != NULL) {
-		rdata = (DTLS1_RECORD_DATA *) item->data;
+		rdata = (DTLS1_RECORD_DATA_INTERNAL *) item->data;
 		free(rdata->rbuf.buf);
 		free(item->data);
 		pitem_free(item);
 	}
 
 	while ((item = pqueue_pop(D1I(s)->processed_rcds.q)) != NULL) {
-		rdata = (DTLS1_RECORD_DATA *) item->data;
+		rdata = (DTLS1_RECORD_DATA_INTERNAL *) item->data;
 		free(rdata->rbuf.buf);
 		free(item->data);
 		pitem_free(item);
@@ -167,7 +167,7 @@ dtls1_clear_queues(SSL *s)
 	}
 
 	while ((item = pqueue_pop(D1I(s)->buffered_app_data.q)) != NULL) {
-		rdata = (DTLS1_RECORD_DATA *) item->data;
+		rdata = (DTLS1_RECORD_DATA_INTERNAL *) item->data;
 		free(rdata->rbuf.buf);
 		free(item->data);
 		pitem_free(item);
diff --git a/lib/libssl/d1_pkt.c b/lib/libssl/d1_pkt.c
index 101017449ce..31415b7c3a4 100644
--- a/lib/libssl/d1_pkt.c
+++ b/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.70 2020/03/10 17:02:21 jsing Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.71 2020/03/12 17:01:53 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -186,7 +186,7 @@ static int have_handshake_fragment(SSL *s, int type, unsigned char *buf,
     int len, int peek);
 static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap);
 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
-static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
+static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD_INTERNAL *rr,
     unsigned int *is_next_epoch);
 static int dtls1_buffer_record(SSL *s, record_pqueue *q,
     unsigned char *priority);
@@ -196,16 +196,16 @@ static int dtls1_process_record(SSL *s);
 static int
 dtls1_copy_record(SSL *s, pitem *item)
 {
-	DTLS1_RECORD_DATA *rdata;
+	DTLS1_RECORD_DATA_INTERNAL *rdata;
 
-	rdata = (DTLS1_RECORD_DATA *)item->data;
+	rdata = (DTLS1_RECORD_DATA_INTERNAL *)item->data;
 
 	free(S3I(s)->rbuf.buf);
 
 	s->internal->packet = rdata->packet;
 	s->internal->packet_length = rdata->packet_length;
-	memcpy(&(S3I(s)->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
-	memcpy(&(S3I(s)->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
+	memcpy(&(S3I(s)->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER_INTERNAL));
+	memcpy(&(S3I(s)->rrec), &(rdata->rrec), sizeof(SSL3_RECORD_INTERNAL));
 
 	/* Set proper sequence number for mac calculation */
 	memcpy(&(S3I(s)->read_sequence[2]), &(rdata->packet[5]), 6);
@@ -217,30 +217,29 @@ dtls1_copy_record(SSL *s, pitem *item)
 static int
 dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
 {
-	DTLS1_RECORD_DATA *rdata;
+	DTLS1_RECORD_DATA_INTERNAL *rdata;
 	pitem *item;
 
 	/* Limit the size of the queue to prevent DOS attacks */
 	if (pqueue_size(queue->q) >= 100)
 		return 0;
 
-	rdata = malloc(sizeof(DTLS1_RECORD_DATA));
+	rdata = malloc(sizeof(DTLS1_RECORD_DATA_INTERNAL));
 	item = pitem_new(priority, rdata);
 	if (rdata == NULL || item == NULL)
 		goto init_err;
 
 	rdata->packet = s->internal->packet;
 	rdata->packet_length = s->internal->packet_length;
-	memcpy(&(rdata->rbuf), &(S3I(s)->rbuf), sizeof(SSL3_BUFFER));
-	memcpy(&(rdata->rrec), &(S3I(s)->rrec), sizeof(SSL3_RECORD));
+	memcpy(&(rdata->rbuf), &(S3I(s)->rbuf), sizeof(SSL3_BUFFER_INTERNAL));
+	memcpy(&(rdata->rrec), &(S3I(s)->rrec), sizeof(SSL3_RECORD_INTERNAL));
 
 	item->data = rdata;
 
-
 	s->internal->packet = NULL;
 	s->internal->packet_length = 0;
-	memset(&(S3I(s)->rbuf), 0, sizeof(SSL3_BUFFER));
-	memset(&(S3I(s)->rrec), 0, sizeof(SSL3_RECORD));
+	memset(&(S3I(s)->rbuf), 0, sizeof(SSL3_BUFFER_INTERNAL));
+	memset(&(S3I(s)->rrec), 0, sizeof(SSL3_RECORD_INTERNAL));
 
 	if (!ssl3_setup_buffers(s))
 		goto err;
@@ -329,7 +328,7 @@ dtls1_process_record(SSL *s)
 	int i, al;
 	int enc_err;
 	SSL_SESSION *sess;
-	SSL3_RECORD *rr;
+	SSL3_RECORD_INTERNAL *rr;
 	unsigned int mac_size, orig_len;
 	unsigned char md[EVP_MAX_MD_SIZE];
 
@@ -467,7 +466,7 @@ err:
 int
 dtls1_get_record(SSL *s)
 {
-	SSL3_RECORD *rr;
+	SSL3_RECORD_INTERNAL *rr;
 	unsigned char *p = NULL;
 	DTLS1_BITMAP *bitmap;
 	unsigned int is_next_epoch;
@@ -638,7 +637,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 {
 	int al, i, j, ret;
 	unsigned int n;
-	SSL3_RECORD *rr;
+	SSL3_RECORD_INTERNAL *rr;
 	void (*cb)(const SSL *ssl, int type2, int val) = NULL;
 
 	if (S3I(s)->rbuf.buf == NULL) /* Not initialized yet */
@@ -1178,15 +1177,15 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
 {
 	unsigned char *p;
 	int i, mac_size, clear = 0;
-	SSL3_RECORD *wr;
-	SSL3_BUFFER *wb;
+	SSL3_RECORD_INTERNAL *wr;
+	SSL3_BUFFER_INTERNAL *wb;
 	SSL_SESSION *sess;
 	int bs;
 	CBB cbb;
 
 	memset(&cbb, 0, sizeof(cbb));
 
-	/* first check if there is a SSL3_BUFFER still being written
+	/* first check if there is a SSL3_BUFFER_INTERNAL still being written
 	 * out.  This will happen with non blocking IO */
 	if (S3I(s)->wbuf.left != 0) {
 		OPENSSL_assert(0); /* XDTLS:  want to see if we ever get here */
@@ -1408,7 +1407,7 @@ dtls1_dispatch_alert(SSL *s)
 
 
 static DTLS1_BITMAP *
-dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch)
+dtls1_get_bitmap(SSL *s, SSL3_RECORD_INTERNAL *rr, unsigned int *is_next_epoch)
 {
 
 	*is_next_epoch = 0;
diff --git a/lib/libssl/dtls1.h b/lib/libssl/dtls1.h
index cc672a59345..1ed7c2dc302 100644
--- a/lib/libssl/dtls1.h
+++ b/lib/libssl/dtls1.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dtls1.h,v 1.22 2018/08/24 19:35:05 jsing Exp $ */
+/* $OpenBSD: dtls1.h,v 1.23 2020/03/12 17:01:53 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -161,6 +161,8 @@ typedef struct dtls1_state_st {
 	struct dtls1_state_internal_st *internal;
 } DTLS1_STATE;
 
+#ifndef LIBRESSL_INTERNAL
+
 typedef struct dtls1_record_data_st {
 	unsigned char *packet;
 	unsigned int   packet_length;
@@ -170,6 +172,8 @@ typedef struct dtls1_record_data_st {
 
 #endif
 
+#endif
+
 /* Timeout multipliers (timeout slice is defined in apps/timeouts.h */
 #define DTLS1_TMO_READ_COUNT                      2
 #define DTLS1_TMO_WRITE_COUNT                     2
diff --git a/lib/libssl/s3_cbc.c b/lib/libssl/s3_cbc.c
index 4b66e1f17aa..371c68cfcc3 100644
--- a/lib/libssl/s3_cbc.c
+++ b/lib/libssl/s3_cbc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_cbc.c,v 1.18 2020/02/21 16:07:00 jsing Exp $ */
+/* $OpenBSD: s3_cbc.c,v 1.19 2020/03/12 17:01:53 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 2012 The OpenSSL Project.  All rights reserved.
  *
@@ -113,8 +113,8 @@ constant_time_eq_8(unsigned a, unsigned b)
  *   1: if the padding was valid
  *  -1: otherwise. */
 int
-tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD *rec, unsigned block_size,
-    unsigned mac_size)
+tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD_INTERNAL *rec,
+    unsigned block_size, unsigned mac_size)
 {
 	unsigned padding_length, good, to_check, i;
 	const unsigned overhead = 1 /* padding length byte */ + mac_size;
@@ -194,7 +194,7 @@ tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD *rec, unsigned block_size,
 #define CBC_MAC_ROTATE_IN_PLACE
 
 void
-ssl3_cbc_copy_mac(unsigned char* out, const SSL3_RECORD *rec,
+ssl3_cbc_copy_mac(unsigned char* out, const SSL3_RECORD_INTERNAL *rec,
     unsigned md_size, unsigned orig_len)
 {
 #if defined(CBC_MAC_ROTATE_IN_PLACE)
diff --git a/lib/libssl/ssl3.h b/lib/libssl/ssl3.h
index cadf7fd3872..30dc4c5d7d6 100644
--- a/lib/libssl/ssl3.h
+++ b/lib/libssl/ssl3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl3.h,v 1.49 2018/11/08 22:28:52 jsing Exp $ */
+/* $OpenBSD: ssl3.h,v 1.50 2020/03/12 17:01:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -314,6 +314,7 @@ extern "C" {
 #define TLS1_HB_RESPONSE	2
 
 #ifndef OPENSSL_NO_SSL_INTERN
+#ifndef LIBRESSL_INTERNAL
 
 typedef struct ssl3_record_st {
 /*r */	int type;               /* type of record */
@@ -334,6 +335,7 @@ typedef struct ssl3_buffer_st {
 } SSL3_BUFFER;
 
 #endif
+#endif
 
 #define SSL3_CT_RSA_SIGN			1
 #define SSL3_CT_DSS_SIGN			2
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 77c1a517980..a696ef99b10 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.267 2020/03/10 17:02:21 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.268 2020/03/12 17:01:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -776,6 +776,24 @@ typedef struct ssl_internal_st {
 	int empty_record_count;
 } SSL_INTERNAL;
 
+typedef struct ssl3_record_internal_st {
+	int type;               /* type of record */
+	unsigned int length;    /* How many bytes available */
+	unsigned int off;       /* read/write offset into 'buf' */
+	unsigned char *data;    /* pointer to the record data */
+	unsigned char *input;   /* where the decode bytes are */
+	unsigned long epoch;    /* epoch number, needed by DTLS1 */
+	unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
+} SSL3_RECORD_INTERNAL;
+
+typedef struct ssl3_buffer_internal_st {
+	unsigned char *buf;	/* at least SSL3_RT_MAX_PACKET_SIZE bytes,
+	                         * see ssl3_setup_buffers() */
+	size_t len;		/* buffer size */
+	int offset;		/* where to 'copy from' */
+	int left;		/* how many bytes left */
+} SSL3_BUFFER_INTERNAL;
+
 typedef struct ssl3_state_internal_st {
 	unsigned char read_sequence[SSL3_SEQUENCE_SIZE];
 	int read_mac_secret_size;
@@ -784,8 +802,8 @@ typedef struct ssl3_state_internal_st {
 	int write_mac_secret_size;
 	unsigned char write_mac_secret[EVP_MAX_MD_SIZE];
 
-	SSL3_BUFFER rbuf;	/* read IO goes into here */
-	SSL3_BUFFER wbuf;	/* write IO goes into here */
+	SSL3_BUFFER_INTERNAL rbuf;	/* read IO goes into here */
+	SSL3_BUFFER_INTERNAL wbuf;	/* write IO goes into here */
 
 	/* we allow one fatal and one warning alert to be outstanding,
 	 * send close alert via the warning alert */
@@ -796,8 +814,8 @@ typedef struct ssl3_state_internal_st {
 	int need_empty_fragments;
 	int empty_fragment_done;
 
-	SSL3_RECORD rrec;	/* each decoded record goes in here */
-	SSL3_RECORD wrec;	/* goes out from here */
+	SSL3_RECORD_INTERNAL rrec;	/* each decoded record goes in here */
+	SSL3_RECORD_INTERNAL wrec;	/* goes out from here */
 
 	/* storage for Alert/Handshake protocol data received but not
 	 * yet processed by ssl3_read_bytes: */
@@ -897,6 +915,13 @@ typedef struct ssl3_state_internal_st {
 } SSL3_STATE_INTERNAL;
 #define S3I(s) (s->s3->internal)
 
+typedef struct dtls1_record_data_internal_st {
+	unsigned char *packet;
+	unsigned int packet_length;
+	SSL3_BUFFER_INTERNAL rbuf;
+	SSL3_RECORD_INTERNAL rrec;
+} DTLS1_RECORD_DATA_INTERNAL;
+
 typedef struct dtls1_state_internal_st {
 	unsigned int send_cookie;
 	unsigned char cookie[DTLS1_COOKIE_LENGTH];
@@ -1346,9 +1371,9 @@ long ssl_get_algorithm2(SSL *s);
 int tls1_check_ec_server_key(SSL *s);
 
 /* s3_cbc.c */
-void ssl3_cbc_copy_mac(unsigned char *out, const SSL3_RECORD *rec,
+void ssl3_cbc_copy_mac(unsigned char *out, const SSL3_RECORD_INTERNAL *rec,
     unsigned md_size, unsigned orig_len);
-int tls1_cbc_remove_padding(const SSL *s, SSL3_RECORD *rec,
+int tls1_cbc_remove_padding(const SSL *s, SSL3_RECORD_INTERNAL *rec,
     unsigned block_size, unsigned mac_size);
 char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
 int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char *md_out,
diff --git a/lib/libssl/ssl_pkt.c b/lib/libssl/ssl_pkt.c
index 8126c42d1d8..4302794d942 100644
--- a/lib/libssl/ssl_pkt.c
+++ b/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_pkt.c,v 1.21 2020/03/10 17:02:21 jsing Exp $ */
+/* $OpenBSD: ssl_pkt.c,v 1.22 2020/03/12 17:01:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -152,7 +152,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend)
 	int i, len, left;
 	size_t align;
 	unsigned char *pkt;
-	SSL3_BUFFER *rb;
+	SSL3_BUFFER_INTERNAL *rb;
 
 	if (n <= 0)
 		return n;
@@ -329,7 +329,7 @@ ssl3_get_record(SSL *s)
 {
 	int al;
 	int enc_err, n, i, ret = -1;
-	SSL3_RECORD *rr;
+	SSL3_RECORD_INTERNAL *rr;
 	SSL_SESSION *sess;
 	unsigned char md[EVP_MAX_MD_SIZE];
 	unsigned mac_size, orig_len;
@@ -360,7 +360,7 @@ ssl3_get_record(SSL *s)
 
 		CBS_init(&header, s->internal->packet, SSL3_RT_HEADER_LENGTH);
 
-		/* Pull apart the header into the SSL3_RECORD */
+		/* Pull apart the header into the SSL3_RECORD_INTERNAL */
 		if (!CBS_get_u8(&header, &type) ||
 		    !CBS_get_u16(&header, &ssl_version) ||
 		    !CBS_get_u16(&header, &len)) {
@@ -621,7 +621,7 @@ static int
 ssl3_create_record(SSL *s, unsigned char *p, int type, const unsigned char *buf,
     unsigned int len)
 {
-	SSL3_RECORD *wr = &(S3I(s)->wrec);
+	SSL3_RECORD_INTERNAL *wr = &(S3I(s)->wrec);
 	SSL_SESSION *sess = s->session;
 	int eivlen, mac_size;
 	uint16_t version;
@@ -729,8 +729,8 @@ ssl3_create_record(SSL *s, unsigned char *p, int type, const unsigned char *buf,
 static int
 do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
 {
-	SSL3_RECORD *wr = &(S3I(s)->wrec);
-	SSL3_BUFFER *wb = &(S3I(s)->wbuf);
+	SSL3_RECORD_INTERNAL *wr = &(S3I(s)->wrec);
+	SSL3_BUFFER_INTERNAL *wb = &(S3I(s)->wbuf);
 	SSL_SESSION *sess = s->session;
 	unsigned char *p;
 	int i, clear = 0;
@@ -741,7 +741,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
 		if (!ssl3_setup_write_buffer(s))
 			return -1;
 
-	/* first check if there is a SSL3_BUFFER still being written
+	/* first check if there is a SSL3_BUFFER_INTERNAL still being written
 	 * out.  This will happen with non blocking IO */
 	if (wb->left != 0)
 		return (ssl3_write_pending(s, type, buf, len));
@@ -830,7 +830,7 @@ int
 ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len)
 {
 	int i;
-	SSL3_BUFFER *wb = &(S3I(s)->wbuf);
+	SSL3_BUFFER_INTERNAL *wb = &(S3I(s)->wbuf);
 
 	/* XXXX */
 	if ((S3I(s)->wpend_tot > (int)len) || ((S3I(s)->wpend_buf != buf) &&
@@ -906,7 +906,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 	void (*cb)(const SSL *ssl, int type2, int val) = NULL;
 	int al, i, j, ret, rrcount = 0;
 	unsigned int n;
-	SSL3_RECORD *rr;
+	SSL3_RECORD_INTERNAL *rr;
 
 	if (S3I(s)->rbuf.buf == NULL) /* Not initialized yet */
 		if (!ssl3_setup_read_buffer(s))
diff --git a/lib/libssl/t1_enc.c b/lib/libssl/t1_enc.c
index 1eaa0873832..b399f2bd3ce 100644
--- a/lib/libssl/t1_enc.c
+++ b/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.118 2019/05/13 22:48:30 bcook Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.119 2020/03/12 17:01:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -668,7 +668,7 @@ tls1_enc(SSL *s, int send)
 	const SSL_AEAD_CTX *aead;
 	const EVP_CIPHER *enc;
 	EVP_CIPHER_CTX *ds;
-	SSL3_RECORD *rec;
+	SSL3_RECORD_INTERNAL *rec;
 	unsigned char *seq;
 	unsigned long l;
 	int bs, i, j, k, ret, mac_size = 0;
@@ -931,7 +931,7 @@ tls1_final_finish_mac(SSL *s, const char *str, int str_len, unsigned char *out)
 int
 tls1_mac(SSL *ssl, unsigned char *md, int send)
 {
-	SSL3_RECORD *rec;
+	SSL3_RECORD_INTERNAL *rec;
 	unsigned char *seq;
 	EVP_MD_CTX *hash;
 	size_t md_size, orig_len;