grpc 1.66.0 → 1.67.0.pre1

data/third_party/boringssl-with-bazel/src/include/openssl/pem.h

@@ -385,10 +385,9 @@ OPENSSL_EXPORT int PEM_ASN1_write(i2d_of_void *i2d, const char *name, FILE *fp,
                                   pem_password_cb *callback, void *u);
 
 // PEM_def_callback treats |userdata| as a string and copies it into |buf|,
-// assuming its |size| is sufficient. Returns the length of the string, or 0
-// if there is not enough room. If either |buf| or |userdata| is NULL, 0 is
-// returned. Note that this is different from OpenSSL, which prompts for a
-// password.
+// assuming its |size| is sufficient. Returns the length of the string, or -1 on
+// error. Error cases the buffer being too small, or |buf| and |userdata| being
+// NULL. Note that this is different from OpenSSL, which prompts for a password.
 OPENSSL_EXPORT int PEM_def_callback(char *buf, int size, int rwflag,
                                     void *userdata);
 

data/third_party/boringssl-with-bazel/src/include/openssl/service_indicator.h

@@ -56,7 +56,7 @@ extern "C++" {
     return func;                                                \
   }()
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 enum class FIPSStatus {
   NOT_APPROVED = 0,
@@ -87,7 +87,7 @@ class FIPSIndicatorHelper {
   const uint64_t before_;
 };
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 }  // extern "C++"
 
 #endif  // !BORINGSSL_NO_CXX

data/third_party/boringssl-with-bazel/src/include/openssl/span.h

@@ -30,6 +30,28 @@ extern "C++" {
 #include <string_view>
 #endif
 
+#if defined(__has_include)
+#if __has_include(<version>)
+#include <version>
+#endif
+#endif
+
+#if defined(__cpp_lib_ranges) && __cpp_lib_ranges >= 201911L
+#include <ranges>
+BSSL_NAMESPACE_BEGIN
+template <typename T>
+class Span;
+BSSL_NAMESPACE_END
+
+// Mark `Span` as satisfying the `view` and `borrowed_range` concepts. This
+// should be done before the definition of `Span`, so that any inlined calls to
+// range functionality use the correct specializations.
+template <typename T>
+inline constexpr bool std::ranges::enable_view<bssl::Span<T>> = true;
+template <typename T>
+inline constexpr bool std::ranges::enable_borrowed_range<bssl::Span<T>> = true;
+#endif
+
 BSSL_NAMESPACE_BEGIN
 
 template <typename T>

data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h

@@ -651,6 +651,17 @@ OPENSSL_EXPORT int DTLSv1_handle_timeout(SSL *ssl);
 
 #define DTLS1_VERSION 0xfeff
 #define DTLS1_2_VERSION 0xfefd
+// DTLS1_3_EXPERIMENTAL_VERSION gates experimental, in-progress code for DTLS
+// 1.3.
+//
+// WARNING: Do not use this value. BoringSSL's DTLS 1.3 implementation is still
+// under development. The code enabled by this value is neither stable nor
+// secure. It does not correspond to any real protocol. It is also incompatible
+// with other DTLS implementations, and it is not compatible with future or past
+// versions of BoringSSL.
+//
+// When the DTLS 1.3 implementation is complete, this symbol will be replaced.
+#define DTLS1_3_EXPERIMENTAL_VERSION 0xfc25
 
 // SSL_CTX_set_min_proto_version sets the minimum protocol version for |ctx| to
 // |version|. If |version| is zero, the default minimum version is used. It
@@ -2537,6 +2548,7 @@ OPENSSL_EXPORT size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx);
 #define SSL_GROUP_SECP384R1 24
 #define SSL_GROUP_SECP521R1 25
 #define SSL_GROUP_X25519 29
+#define SSL_GROUP_X25519_MLKEM768 0x11ec
 #define SSL_GROUP_X25519_KYBER768_DRAFT00 0x6399
 
 // SSL_CTX_set1_group_ids sets the preferred groups for |ctx| to |group_ids|.
@@ -3635,13 +3647,13 @@ OPENSSL_EXPORT int SSL_CREDENTIAL_set1_delegated_credential(
 // holds for any application protocol state remembered for 0-RTT, e.g. HTTP/3
 // SETTINGS.
 
-// ssl_encryption_level_t represents a specific QUIC encryption level used to
-// transmit handshake messages.
+// ssl_encryption_level_t represents an encryption level in TLS 1.3. Values in
+// this enum match the first 4 epochs used in DTLS 1.3 (section 6.1).
 enum ssl_encryption_level_t BORINGSSL_ENUM_INT {
   ssl_encryption_initial = 0,
-  ssl_encryption_early_data,
-  ssl_encryption_handshake,
-  ssl_encryption_application,
+  ssl_encryption_early_data = 1,
+  ssl_encryption_handshake = 2,
+  ssl_encryption_application = 3,
 };
 
 // ssl_quic_method_st (aka |SSL_QUIC_METHOD|) describes custom QUIC hooks.
@@ -4617,6 +4629,16 @@ enum ssl_select_cert_result_t BORINGSSL_ENUM_INT {
   // ssl_select_cert_error indicates that a fatal error occured and the
   // handshake should be terminated.
   ssl_select_cert_error = -1,
+  // ssl_select_cert_disable_ech indicates that, although an encrypted
+  // ClientHelloInner was decrypted, it should be discarded. The certificate
+  // selection callback will then be called again, passing in the
+  // ClientHelloOuter instead. From there, the handshake will proceed
+  // without retry_configs, to signal to the client to disable ECH.
+  //
+  // This value may only be returned when |SSL_ech_accepted| returnes one. It
+  // may be useful if the ClientHelloInner indicated a service which does not
+  // support ECH, e.g. if it is a TLS-1.2 only service.
+  ssl_select_cert_disable_ech = -2,
 };
 
 // SSL_early_callback_ctx_extension_get searches the extensions in
@@ -5616,6 +5638,14 @@ enum ssl_compliance_policy_t BORINGSSL_ENUM_INT {
   // implementation risks of using a more obscure primitive like P-384
   // dominate other considerations.
   ssl_compliance_policy_wpa3_192_202304,
+
+  // ssl_compliance_policy_cnsa_202407 confingures a TLS connection to use:
+  //   * For TLS 1.3, AES-256-GCM over AES-128-GCM over ChaCha20-Poly1305.
+  //
+  // I.e. it ensures that AES-GCM will be used whenever the client supports it.
+  // The cipher suite configuration mini-language can be used to similarly
+  // configure prior TLS versions if they are enabled.
+  ssl_compliance_policy_cnsa_202407,
 };
 
 // SSL_CTX_set_compliance_policy configures various aspects of |ctx| based on

data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc

@@ -584,6 +584,11 @@ bool dtls1_add_message(SSL *ssl, Array<uint8_t> data) {
 }
 
 bool dtls1_add_change_cipher_spec(SSL *ssl) {
+  // DTLS 1.3 disables compatibility mode, which means that DTLS 1.3 never sends
+  // a ChangeCipherSpec message.
+  if (ssl_protocol_version(ssl) > TLS1_2_VERSION) {
+    return true;
+  }
   return add_outgoing(ssl, true /* ChangeCipherSpec */, Array<uint8_t>());
 }
 
@@ -624,12 +629,6 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out,
   assert(ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len);
   assert(msg == &ssl->d1->outgoing_messages[ssl->d1->outgoing_written]);
 
-  if (msg->epoch != ssl->d1->w_epoch &&
-      (ssl->d1->w_epoch == 0 || msg->epoch != ssl->d1->w_epoch - 1)) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-    return seal_error;
-  }
-
   size_t overhead = dtls_max_seal_overhead(ssl, msg->epoch);
   size_t prefix = dtls_seal_prefix_len(ssl, msg->epoch);
 

data/third_party/boringssl-with-bazel/src/ssl/d1_lib.cc

@@ -95,6 +95,12 @@ bool dtls1_new(SSL *ssl) {
     return false;
   }
 
+  d1->initial_aead_write_ctx = SSLAEADContext::CreateNullCipher(true);
+  if (!d1->initial_aead_write_ctx) {
+    tls_free(ssl);
+    return false;
+  }
+
   ssl->d1 = d1.release();
 
   // Set the version to the highest supported version.

data/third_party/boringssl-with-bazel/src/ssl/d1_pkt.cc

@@ -216,6 +216,11 @@ int dtls1_write_app_data(SSL *ssl, bool *out_needs_handshake,
   return 1;
 }
 
+static size_t dtls_seal_align_prefix_len(const SSL *ssl, uint16_t epoch) {
+  return dtls_record_header_write_len(ssl, epoch) +
+         ssl->s3->aead_write_ctx->ExplicitNonceLen();
+}
+
 int dtls1_write_record(SSL *ssl, int type, Span<const uint8_t> in,
                        uint16_t epoch) {
   SSLBuffer *buf = &ssl->s3->write_buffer;
@@ -231,7 +236,7 @@ int dtls1_write_record(SSL *ssl, int type, Span<const uint8_t> in,
   }
 
   size_t ciphertext_len;
-  if (!buf->EnsureCap(ssl_seal_align_prefix_len(ssl),
+  if (!buf->EnsureCap(dtls_seal_align_prefix_len(ssl, epoch),
                       in.size() + SSL_max_seal_overhead(ssl)) ||
       !dtls_seal_record(ssl, buf->remaining().data(), &ciphertext_len,
                         buf->remaining().size(), type, in.data(), in.size(),

data/third_party/boringssl-with-bazel/src/ssl/dtls_method.cc

@@ -88,7 +88,16 @@ static bool dtls1_set_read_state(SSL *ssl, ssl_encryption_level_t level,
     return false;
   }
 
-  ssl->d1->r_epoch++;
+  if (ssl_protocol_version(ssl) > TLS1_2_VERSION) {
+    // TODO(crbug.com/boringssl/715): Handle the additional epochs used for key
+    // update.
+    // TODO(crbug.com/boringssl/715): If we want to gracefully handle packet
+    // reordering around KeyUpdate (i.e. accept records from both epochs), we'll
+    // need a separate bitmap for each epoch.
+    ssl->d1->r_epoch = level;
+  } else {
+    ssl->d1->r_epoch++;
+  }
   ssl->d1->bitmap = DTLS1_BITMAP();
   ssl->s3->read_sequence = 0;
 
@@ -106,6 +115,9 @@ static bool dtls1_set_write_state(SSL *ssl, ssl_encryption_level_t level,
   ssl->d1->last_write_sequence = ssl->s3->write_sequence;
   ssl->s3->write_sequence = 0;
 
+  if (ssl_protocol_version(ssl) > TLS1_2_VERSION) {
+    ssl->d1->w_epoch = level;
+  }
   ssl->d1->last_aead_write_ctx = std::move(ssl->s3->aead_write_ctx);
   ssl->s3->aead_write_ctx = std::move(aead_ctx);
   ssl->s3->write_level = level;

data/third_party/boringssl-with-bazel/src/ssl/dtls_record.cc

@@ -159,6 +159,148 @@ static void dtls1_bitmap_record(DTLS1_BITMAP *bitmap, uint64_t seq_num) {
   }
 }
 
+// reconstruct_epoch finds the largest epoch that ends with the epoch bits from
+// |wire_epoch| that is less than or equal to |current_epoch|, to match the
+// epoch reconstruction algorithm described in RFC 9147 section 4.2.2.
+static uint16_t reconstruct_epoch(uint8_t wire_epoch, uint16_t current_epoch) {
+  uint16_t current_epoch_high = current_epoch & 0xfffc;
+  uint16_t epoch = (wire_epoch & 0x3) | current_epoch_high;
+  if (epoch > current_epoch && current_epoch_high > 0) {
+    epoch -= 0x4;
+  }
+  return epoch;
+}
+
+uint64_t reconstruct_seqnum(uint16_t wire_seq, uint64_t seq_mask,
+                            uint64_t max_valid_seqnum) {
+  uint64_t max_seqnum_plus_one = max_valid_seqnum + 1;
+  uint64_t diff = (wire_seq - max_seqnum_plus_one) & seq_mask;
+  uint64_t step = seq_mask + 1;
+  uint64_t seqnum = max_seqnum_plus_one + diff;
+  // seqnum is computed as the addition of 3 non-negative values
+  // (max_valid_seqnum, 1, and diff). The values 1 and diff are small (relative
+  // to the size of a uint64_t), while max_valid_seqnum can span the range of
+  // all uint64_t values. If seqnum is less than max_valid_seqnum, then the
+  // addition overflowed.
+  bool overflowed = seqnum < max_valid_seqnum;
+  // If the diff is larger than half the step size, then the closest seqnum
+  // to max_seqnum_plus_one (in Z_{2^64}) is seqnum minus step instead of
+  // seqnum.
+  bool closer_is_less = diff > step / 2;
+  // Subtracting step from seqnum will cause underflow if seqnum is too small.
+  bool would_underflow = seqnum < step;
+  if (overflowed || (closer_is_less && !would_underflow)) {
+    seqnum -= step;
+  }
+  return seqnum;
+}
+
+static bool parse_dtls13_record_header(SSL *ssl, CBS *in, Span<uint8_t> packet,
+                                       uint8_t type, CBS *out_body,
+                                       uint64_t *out_sequence,
+                                       uint16_t *out_epoch,
+                                       size_t *out_header_len) {
+  // TODO(crbug.com/boringssl/715): Decrypt the sequence number before
+  // decoding it.
+  if ((type & 0x10) == 0x10) {
+    // Connection ID bit set, which we didn't negotiate.
+    return false;
+  }
+
+  // TODO(crbug.com/boringssl/715): Add a runner test that performs many
+  // key updates to verify epoch reconstruction works for epochs larger than
+  // 3.
+  *out_epoch = reconstruct_epoch(type, ssl->d1->r_epoch);
+  size_t seqlen = 1;
+  if ((type & 0x08) == 0x08) {
+    // If this bit is set, the sequence number is 16 bits long, otherwise it is
+    // 8 bits. The seqlen variable tracks the length of the sequence number in
+    // bytes.
+    seqlen = 2;
+  }
+  if (!CBS_skip(in, seqlen)) {
+    // The record header was incomplete or malformed.
+    return false;
+  }
+  *out_header_len = packet.size() - CBS_len(in);
+  if ((type & 0x04) == 0x04) {
+    *out_header_len += 2;
+    // 16-bit length present
+    if (!CBS_get_u16_length_prefixed(in, out_body)) {
+      // The record header was incomplete or malformed.
+      return false;
+    }
+  } else {
+    // No length present - the remaining contents are the whole packet.
+    // CBS_get_bytes is used here to advance |in| to the end so that future
+    // code that computes the number of consumed bytes functions correctly.
+    if (!CBS_get_bytes(in, out_body, CBS_len(in))) {
+      return false;
+    }
+  }
+
+  // Decrypt and reconstruct the sequence number:
+  uint8_t mask[AES_BLOCK_SIZE];
+  SSLAEADContext *aead = ssl->s3->aead_read_ctx.get();
+  if (!aead->GenerateRecordNumberMask(mask, *out_body)) {
+    // GenerateRecordNumberMask most likely failed because the record body was
+    // not long enough.
+    return false;
+  }
+  // Apply the mask to the sequence number as it exists in the header. The
+  // header (with the decrypted sequence number bytes) is used as the
+  // additional data for the AEAD function. Since we don't support Connection
+  // ID, the sequence number starts immediately after the type byte.
+  uint64_t seq = 0;
+  for (size_t i = 0; i < seqlen; i++) {
+    packet[i + 1] ^= mask[i];
+    seq = (seq << 8) | packet[i + 1];
+  }
+  *out_sequence = reconstruct_seqnum(seq, (1 << (seqlen * 8)) - 1,
+                                     ssl->d1->bitmap.max_seq_num);
+  return true;
+}
+
+static bool parse_dtls_plaintext_record_header(
+    SSL *ssl, CBS *in, size_t packet_size, uint8_t type, CBS *out_body,
+    uint64_t *out_sequence, uint16_t *out_epoch, size_t *out_header_len,
+    uint16_t *out_version) {
+  SSLAEADContext *aead = ssl->s3->aead_read_ctx.get();
+  uint8_t sequence_bytes[8];
+  if (!CBS_get_u16(in, out_version) ||
+      !CBS_copy_bytes(in, sequence_bytes, sizeof(sequence_bytes))) {
+    return false;
+  }
+  *out_header_len = packet_size - CBS_len(in) + 2;
+  if (!CBS_get_u16_length_prefixed(in, out_body) ||
+      CBS_len(out_body) > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
+    return false;
+  }
+
+  bool version_ok;
+  if (aead->is_null_cipher()) {
+    // Only check the first byte. Enforcing beyond that can prevent decoding
+    // version negotiation failure alerts.
+    version_ok = (*out_version >> 8) == DTLS1_VERSION_MAJOR;
+  } else {
+    version_ok = *out_version == aead->RecordVersion();
+  }
+
+  if (!version_ok) {
+    return false;
+  }
+
+  *out_sequence = CRYPTO_load_u64_be(sequence_bytes);
+  *out_epoch = static_cast<uint16_t>(*out_sequence >> 48);
+
+  // Discard the packet if we're expecting an encrypted DTLS 1.3 record but we
+  // get the old record header format.
+  if (!aead->is_null_cipher() && aead->ProtocolVersion() >= TLS1_3_VERSION) {
+    return false;
+  }
+  return true;
+}
+
 enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type,
                                         Span<uint8_t> *out,
                                         size_t *out_consumed,
@@ -174,41 +316,41 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type,
 
   CBS cbs = CBS(in);
 
-  // Decode the record.
   uint8_t type;
-  uint16_t version;
-  uint8_t sequence_bytes[8];
-  CBS body;
-  if (!CBS_get_u8(&cbs, &type) ||
-      !CBS_get_u16(&cbs, &version) ||
-      !CBS_copy_bytes(&cbs, sequence_bytes, sizeof(sequence_bytes)) ||
-      !CBS_get_u16_length_prefixed(&cbs, &body) ||
-      CBS_len(&body) > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
+  size_t record_header_len;
+  if (!CBS_get_u8(&cbs, &type)) {
     // The record header was incomplete or malformed. Drop the entire packet.
     *out_consumed = in.size();
     return ssl_open_record_discard;
   }
-
-  bool version_ok;
-  if (ssl->s3->aead_read_ctx->is_null_cipher()) {
-    // Only check the first byte. Enforcing beyond that can prevent decoding
-    // version negotiation failure alerts.
-    version_ok = (version >> 8) == DTLS1_VERSION_MAJOR;
+  SSLAEADContext *aead = ssl->s3->aead_read_ctx.get();
+  uint64_t sequence;
+  uint16_t epoch;
+  uint16_t version = 0;
+  CBS body;
+  bool valid_record_header;
+  // Decode the record header. If the 3 high bits of the type are 001, then the
+  // record header is the DTLS 1.3 format. The DTLS 1.3 format should only be
+  // used for encrypted records with DTLS 1.3. Plaintext records or DTLS 1.2
+  // records use the old record header format.
+  if ((type & 0xe0) == 0x20 && !aead->is_null_cipher() &&
+      aead->ProtocolVersion() >= TLS1_3_VERSION) {
+    valid_record_header = parse_dtls13_record_header(
+        ssl, &cbs, in, type, &body, &sequence, &epoch, &record_header_len);
   } else {
-    version_ok = version == ssl->s3->aead_read_ctx->RecordVersion();
+    valid_record_header = parse_dtls_plaintext_record_header(
+        ssl, &cbs, in.size(), type, &body, &sequence, &epoch,
+        &record_header_len, &version);
   }
-
-  if (!version_ok) {
+  if (!valid_record_header) {
     // The record header was incomplete or malformed. Drop the entire packet.
     *out_consumed = in.size();
     return ssl_open_record_discard;
   }
 
-  Span<const uint8_t> header = in.subspan(0, DTLS1_RT_HEADER_LENGTH);
+  Span<const uint8_t> header = in.subspan(0, record_header_len);
   ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HEADER, header);
 
-  uint64_t sequence = CRYPTO_load_u64_be(sequence_bytes);
-  uint16_t epoch = static_cast<uint16_t>(sequence >> 48);
   if (epoch != ssl->d1->r_epoch ||
       dtls1_bitmap_should_discard(&ssl->d1->bitmap, sequence)) {
     // Drop this record. It's from the wrong epoch or is a replay. Note that if
@@ -220,7 +362,7 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type,
   }
 
   // discard the body in-place.
-  if (!ssl->s3->aead_read_ctx->Open(
+  if (!aead->Open(
           out, type, version, sequence, header,
           MakeSpan(const_cast<uint8_t *>(CBS_data(&body)), CBS_len(&body)))) {
     // Bad packets are silently dropped in DTLS. See section 4.2.1 of RFC 6347.
@@ -235,13 +377,29 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type,
   }
   *out_consumed = in.size() - CBS_len(&cbs);
 
+  // DTLS 1.3 hides the record type inside the encrypted data.
+  bool has_padding =
+      !aead->is_null_cipher() && aead->ProtocolVersion() >= TLS1_3_VERSION;
   // Check the plaintext length.
-  if (out->size() > SSL3_RT_MAX_PLAIN_LENGTH) {
+  size_t plaintext_limit = SSL3_RT_MAX_PLAIN_LENGTH + (has_padding ? 1 : 0);
+  if (out->size() > plaintext_limit) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
     *out_alert = SSL_AD_RECORD_OVERFLOW;
     return ssl_open_record_error;
   }
 
+  if (has_padding) {
+    do {
+      if (out->empty()) {
+        OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
+        *out_alert = SSL_AD_DECRYPT_ERROR;
+        return ssl_open_record_error;
+      }
+      type = out->back();
+      *out = out->subspan(0, out->size() - 1);
+    } while (type == 0);
+  }
+
   dtls1_bitmap_record(&ssl->d1->bitmap, sequence);
 
   // TODO(davidben): Limit the number of empty records as in TLS? This is only
@@ -257,24 +415,52 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type,
   return ssl_open_record_success;
 }
 
-static const SSLAEADContext *get_write_aead(const SSL *ssl,
-                                            uint16_t epoch) {
+static SSLAEADContext *get_write_aead(const SSL *ssl, uint16_t epoch) {
+  if (epoch == 0) {
+    return ssl->d1->initial_aead_write_ctx.get();
+  }
+
   if (epoch < ssl->d1->w_epoch) {
-    assert(epoch + 1 == ssl->d1->w_epoch);
+    BSSL_CHECK(epoch + 1 == ssl->d1->w_epoch);
     return ssl->d1->last_aead_write_ctx.get();
   }
 
-  assert(epoch == ssl->d1->w_epoch);
+  BSSL_CHECK(epoch == ssl->d1->w_epoch);
   return ssl->s3->aead_write_ctx.get();
 }
 
+static bool use_dtls13_record_header(const SSL *ssl, uint16_t epoch) {
+  // Plaintext records in DTLS 1.3 also use the DTLSPlaintext structure for
+  // backwards compatibility.
+  return ssl->s3->have_version && ssl_protocol_version(ssl) > TLS1_2_VERSION &&
+         epoch > 0;
+}
+
+size_t dtls_record_header_write_len(const SSL *ssl, uint16_t epoch) {
+  if (!use_dtls13_record_header(ssl, epoch)) {
+    return DTLS_PLAINTEXT_RECORD_HEADER_LENGTH;
+  }
+  // The DTLS 1.3 has a variable length record header. We never send Connection
+  // ID, we always send 16-bit sequence numbers, and we send a length. (Length
+  // can be omitted, but only for the last record of a packet. Since we send
+  // multiple records in one packet, it's easier to implement always sending the
+  // length.)
+  return DTLS1_3_RECORD_HEADER_WRITE_LENGTH;
+}
+
 size_t dtls_max_seal_overhead(const SSL *ssl,
                               uint16_t epoch) {
-  return DTLS1_RT_HEADER_LENGTH + get_write_aead(ssl, epoch)->MaxOverhead();
+  size_t ret = dtls_record_header_write_len(ssl, epoch) +
+               get_write_aead(ssl, epoch)->MaxOverhead();
+  if (use_dtls13_record_header(ssl, epoch)) {
+    // Add 1 byte for the encrypted record type.
+    ret++;
+  }
+  return ret;
 }
 
 size_t dtls_seal_prefix_len(const SSL *ssl, uint16_t epoch) {
-  return DTLS1_RT_HEADER_LENGTH +
+  return dtls_record_header_write_len(ssl, epoch) +
          get_write_aead(ssl, epoch)->ExplicitNonceLen();
 }
 
@@ -289,26 +475,15 @@ bool dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
   }
 
   // Determine the parameters for the current epoch.
-  SSLAEADContext *aead = ssl->s3->aead_write_ctx.get();
+  SSLAEADContext *aead = get_write_aead(ssl, epoch);
   uint64_t *seq = &ssl->s3->write_sequence;
   if (epoch < ssl->d1->w_epoch) {
-    assert(epoch + 1 == ssl->d1->w_epoch);
-    aead = ssl->d1->last_aead_write_ctx.get();
     seq = &ssl->d1->last_write_sequence;
-  } else {
-    assert(epoch == ssl->d1->w_epoch);
   }
+  // TODO(crbug.com/boringssl/715): If epoch is initial or handshake, the value
+  // of seq is probably wrong for a retransmission.
 
-  if (max_out < DTLS1_RT_HEADER_LENGTH) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);
-    return false;
-  }
-
-  out[0] = type;
-
-  uint16_t record_version = ssl->s3->aead_write_ctx->RecordVersion();
-  out[1] = record_version >> 8;
-  out[2] = record_version & 0xff;
+  const size_t record_header_len = dtls_record_header_write_len(ssl, epoch);
 
   // Ensure the sequence number update does not overflow.
   const uint64_t kMaxSequenceNumber = (uint64_t{1} << 48) - 1;
@@ -317,28 +492,87 @@ bool dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
     return false;
   }
 
+  uint16_t record_version = ssl->s3->aead_write_ctx->RecordVersion();
   uint64_t seq_with_epoch = (uint64_t{epoch} << 48) | *seq;
-  CRYPTO_store_u64_be(&out[3], seq_with_epoch);
+
+  bool dtls13_header = use_dtls13_record_header(ssl, epoch);
+  uint8_t *extra_in = NULL;
+  size_t extra_in_len = 0;
+  if (dtls13_header) {
+    extra_in = &type;
+    extra_in_len = 1;
+  }
 
   size_t ciphertext_len;
-  if (!aead->CiphertextLen(&ciphertext_len, in_len, 0)) {
+  if (!aead->CiphertextLen(&ciphertext_len, in_len, extra_in_len)) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);
     return false;
   }
-  out[11] = ciphertext_len >> 8;
-  out[12] = ciphertext_len & 0xff;
-  Span<const uint8_t> header = MakeConstSpan(out, DTLS1_RT_HEADER_LENGTH);
+  if (max_out < record_header_len + ciphertext_len) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);
+    return false;
+  }
+
+  if (dtls13_header) {
+    // The first byte of the DTLS 1.3 record header has the following format:
+    // 0 1 2 3 4 5 6 7
+    // +-+-+-+-+-+-+-+-+
+    // |0|0|1|C|S|L|E E|
+    // +-+-+-+-+-+-+-+-+
+    //
+    // We set C=0 (no Connection ID), S=1 (16-bit sequence number), L=1 (length
+    // is present), which is a mask of 0x2c. The E E bits are the low-order two
+    // bits of the epoch.
+    //
+    // +-+-+-+-+-+-+-+-+
+    // |0|0|1|0|1|1|E E|
+    // +-+-+-+-+-+-+-+-+
+    out[0] = 0x2c | (epoch & 0x3);
+    out[1] = *seq >> 8;
+    out[2] = *seq & 0xff;
+    out[3] = ciphertext_len >> 8;
+    out[4] = ciphertext_len & 0xff;
+    // DTLS 1.3 uses the sequence number without the epoch for the AEAD.
+    seq_with_epoch = *seq;
+  } else {
+    out[0] = type;
+    out[1] = record_version >> 8;
+    out[2] = record_version & 0xff;
+    CRYPTO_store_u64_be(&out[3], seq_with_epoch);
+    out[11] = ciphertext_len >> 8;
+    out[12] = ciphertext_len & 0xff;
+  }
+  Span<const uint8_t> header = MakeConstSpan(out, record_header_len);
+
 
-  size_t len_copy;
-  if (!aead->Seal(out + DTLS1_RT_HEADER_LENGTH, &len_copy,
-                  max_out - DTLS1_RT_HEADER_LENGTH, type, record_version,
-                  seq_with_epoch, header, in, in_len)) {
+  if (!aead->SealScatter(out + record_header_len, out + prefix,
+                         out + prefix + in_len, type, record_version,
+                         seq_with_epoch, header, in, in_len, extra_in,
+                         extra_in_len)) {
     return false;
   }
-  assert(ciphertext_len == len_copy);
+
+  // Perform record number encryption (RFC 9147 section 4.2.3).
+  if (dtls13_header) {
+    // Record number encryption uses bytes from the ciphertext as a sample to
+    // generate the mask used for encryption. For simplicity, pass in the whole
+    // ciphertext as the sample - GenerateRecordNumberMask will read only what
+    // it needs (and error if |sample| is too short).
+    Span<const uint8_t> sample =
+        MakeConstSpan(out + record_header_len, ciphertext_len);
+    // AES cipher suites require the mask be exactly AES_BLOCK_SIZE; ChaCha20
+    // cipher suites have no requirements on the mask size. We only need the
+    // first two bytes from the mask.
+    uint8_t mask[AES_BLOCK_SIZE];
+    if (!aead->GenerateRecordNumberMask(mask, sample)) {
+      return false;
+    }
+    out[1] ^= mask[0];
+    out[2] ^= mask[1];
+  }
 
   (*seq)++;
-  *out_len = DTLS1_RT_HEADER_LENGTH + ciphertext_len;
+  *out_len = record_header_len + ciphertext_len;
   ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HEADER, header);
   return true;
 }