am 410afec1: Merge "Remove small_records.patch in favor of SSL_MODE_RELEASE_BUFFERS"

* commit '410afec19da6b0be40734be660ad6c4395ee827b':
  Remove small_records.patch in favor of SSL_MODE_RELEASE_BUFFERS
diff --git a/android.testssl/testssl b/android.testssl/testssl
index 96a90d1..2eda40c 100755
--- a/android.testssl/testssl
+++ b/android.testssl/testssl
@@ -70,15 +70,6 @@
 echo test sslv2/sslv3 with both client and server authentication
 $ssltest -server_auth -client_auth $CA $extra || exit 1
 
-echo test sslv2/sslv3 with both client and server authentication and small client buffers
-$ssltest -server_auth -client_auth -c_small_records $CA $extra || exit 1
-
-echo test sslv2/sslv3 with both client and server authentication and small server buffers
-$ssltest -server_auth -client_auth -s_small_records $CA $extra || exit 1
-
-echo test sslv2/sslv3 with both client and server authentication and small client and server buffers
-$ssltest -server_auth -client_auth -c_small_records -s_small_records $CA $extra || exit 1
-
 echo test sslv2/sslv3 with both client and server authentication and handshake cutthrough
 $ssltest -server_auth -client_auth -cutthrough $CA $extra || exit 1
 
diff --git a/apps/s_client.c b/apps/s_client.c
index dc3bb0b..7dce4cf 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -357,11 +357,11 @@
 	BIO_printf(bio_err," -tlsextdebug      - hex dump of all TLS extensions received\n");
 	BIO_printf(bio_err," -status           - request certificate status from server\n");
 	BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
-	BIO_printf(bio_err," -cutthrough       - enable 1-RTT full-handshake for strong ciphers\n");
 # if !defined(OPENSSL_NO_NEXTPROTONEG)
 	BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
 # endif
 #endif
+	BIO_printf(bio_err," -cutthrough       - enable 1-RTT full-handshake for strong ciphers\n");
 	BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
 	BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
  	BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index ce15f4f..1aaadf3 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -638,13 +638,10 @@
  * TLS only.)  "Released" buffers are put onto a free-list in the context
  * or just freed (depending on the context's setting for freelist_max_len). */
 #define SSL_MODE_RELEASE_BUFFERS 0x00000010L
-/* Use small read and write buffers: (a) lazy allocate read buffers for
- * large incoming records, and (b) limit the size of outgoing records. */
-#define SSL_MODE_SMALL_BUFFERS 0x00000020L
 /* When set, clients may send application data before receipt of CCS
  * and Finished.  This mode enables full-handshakes to 'complete' in
  * one RTT. */
-#define SSL_MODE_HANDSHAKE_CUTTHROUGH 0x00000040L
+#define SSL_MODE_HANDSHAKE_CUTTHROUGH 0x00000020L
 
 /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
  * they cannot be used to clear bits. */
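Review bot: SSL_MODE_HANDSHAKE_CUTTHROUGH is renumbered from 0x00000040L to 0x00000020L, the bit just vacated by the deleted SSL_MODE_SMALL_BUFFERS define, and this is a public API constant in include/openssl/ssl.h. Any object compiled against the previous header that passes SSL_MODE_SMALL_BUFFERS to SSL_CTX_set_mode() will now silently enable cutthrough, which per the comment above lets clients send application data before receipt of CCS and Finished, while code built with the old 0x40 value no longer gets the mode it asked for. Unless every consumer is rebuilt against this header, keeping the 0x40 value is the safer choice. If the renumbering stays, a comment on the define such as `/* Was 0x40; 0x20 was SSL_MODE_SMALL_BUFFERS until small_records.patch was dropped. Do not reuse mode bits without rebuilding all consumers. */` records the hazard for whoever adds the next mode bit.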
@@ -1434,7 +1431,7 @@
 #define SSL_get_state(a)		SSL_state(a)
 #define SSL_is_init_finished(a)		(SSL_state(a) == SSL_ST_OK)
 #define SSL_in_init(a)			((SSL_state(a)&SSL_ST_INIT) && \
-                                  !SSL_cutthrough_complete(a))
+					!SSL_cutthrough_complete(a))
 #define SSL_in_before(a)		(SSL_state(a)&SSL_ST_BEFORE)
 #define SSL_in_connect_init(a)		(SSL_state(a)&SSL_ST_CONNECT)
 #define SSL_in_accept_init(a)		(SSL_state(a)&SSL_ST_ACCEPT)
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h
index 3f2103e..f4578aa 100644
--- a/include/openssl/ssl3.h
+++ b/include/openssl/ssl3.h
@@ -280,9 +280,6 @@
 
 #define SSL3_RT_MAX_EXTRA			(16384)
 
-/* Default buffer length used for writen records.  Thus a generated record
- * will contain plaintext no larger than this value. */
-#define SSL3_RT_DEFAULT_PLAIN_LENGTH	2048
 /* Maximum plaintext length: defined by SSL/TLS standards */
 #define SSL3_RT_MAX_PLAIN_LENGTH		16384
 /* Maximum compression overhead: defined by SSL/TLS standards */
@@ -314,13 +311,6 @@
 #define SSL3_RT_MAX_PACKET_SIZE		\
 		(SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH)
 
-/* Extra space for empty fragment, headers, MAC, and padding. */
-#define SSL3_RT_DEFAULT_WRITE_OVERHEAD  256
-#define SSL3_RT_DEFAULT_PACKET_SIZE     4096 - SSL3_RT_DEFAULT_WRITE_OVERHEAD
-#if SSL3_RT_DEFAULT_PLAIN_LENGTH + SSL3_RT_DEFAULT_WRITE_OVERHEAD > SSL3_RT_DEFAULT_PACKET_SIZE
-#error "Insufficient space allocated for write buffers."
-#endif
-
 #define SSL3_MD_CLIENT_FINISHED_CONST	"\x43\x4C\x4E\x54"
 #define SSL3_MD_SERVER_FINISHED_CONST	"\x53\x52\x56\x52"
 
@@ -703,3 +693,4 @@
 }
 #endif
 #endif
+
diff --git a/openssl.config b/openssl.config
index f324483..bbe6ad5 100644
--- a/openssl.config
+++ b/openssl.config
@@ -198,7 +198,6 @@
 
 OPENSSL_PATCHES="\
 progs.patch \
-small_records.patch \
 handshake_cutthrough.patch \
 jsse.patch \
 sha1_armv4_large.patch \
@@ -224,17 +223,6 @@
 test/testssl \
 "
 
-OPENSSL_PATCHES_small_records_SOURCES="\
-ssl/d1_pkt.c \
-ssl/s23_srvr.c \
-ssl/s3_both.c \
-ssl/s3_pkt.c \
-ssl/ssl.h \
-ssl/ssl3.h \
-ssl/ssltest.c \
-test/testssl \
-"
-
 OPENSSL_PATCHES_jsse_SOURCES="\
 ssl/ssl.h \
 ssl/d1_clnt.c \
diff --git a/patches/README b/patches/README
index defd435..7fc0cc2 100644
--- a/patches/README
+++ b/patches/README
@@ -3,18 +3,6 @@
 Fixup sources under the apps/ directory that are not built under the android environment.
 
 
-small_records.patch:
-
-Reduce OpenSSL memory consumption.
-SSL records may be as large as 16K, but are typically < 2K.  In
-addition, a historic bug in Windows allowed records to be as large
-32K.  OpenSSL statically allocates read and write buffers (34K and
-18K respectively) used for processing records.
-With this patch, OpenSSL statically allocates 4K + 4K buffers, with
-the option of dynamically growing buffers to 34K + 4K, which is a
-saving of 44K per connection for the typical case.
-
-
 handshake_cutthrough.patch
 
 Enables SSL3+ clients to send application data immediately following the
diff --git a/patches/handshake_cutthrough.patch b/patches/handshake_cutthrough.patch
index 57c4c78..7930c44 100644
--- a/patches/handshake_cutthrough.patch
+++ b/patches/handshake_cutthrough.patch
@@ -1,15 +1,22 @@
-diff -uarp openssl-1.0.0.orig/apps/s_client.c openssl-1.0.0/apps/s_client.c
---- openssl-1.0.0.orig/apps/s_client.c	2009-12-16 15:28:28.000000000 -0500
-+++ openssl-1.0.0/apps/s_client.c	2010-04-21 14:39:49.000000000 -0400
-@@ -248,6 +248,7 @@ static void sc_usage(void)
- 	BIO_printf(bio_err," -tlsextdebug      - hex dump of all TLS extensions received\n");
- 	BIO_printf(bio_err," -status           - request certificate status from server\n");
- 	BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
-+	BIO_printf(bio_err," -cutthrough       - enable 1-RTT full-handshake for strong ciphers\n");
- # if !defined(OPENSSL_NO_NEXTPROTONEG)
+commit 15a86b921a7eaa190a22a0a369e4e99beb91f5ad
+Author: Adam Langley <agl@chromium.org>
+Date:   Mon Mar 26 17:43:29 2012 -0400
+
+    handshake_cutthrough
+
+diff --git a/apps/s_client.c b/apps/s_client.c
+index 098cce2..0e10766 100644
+--- a/apps/s_client.c
++++ b/apps/s_client.c
+@@ -361,6 +361,7 @@ static void sc_usage(void)
  	BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
  # endif
-@@ -304,6 +305,7 @@ int MAIN(int argc, char **argv)
+ #endif
++	BIO_printf(bio_err," -cutthrough       - enable 1-RTT full-handshake for strong ciphers\n");
+ 	BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
+ 	BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
+  	BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
+@@ -573,6 +574,7 @@ int MAIN(int argc, char **argv)
  	EVP_PKEY *key = NULL;
  	char *CApath=NULL,*CAfile=NULL,*cipher=NULL;
  	int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0;
@@ -17,18 +24,18 @@
  	int crlf=0;
  	int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
  	SSL_CTX *ctx=NULL;
-@@ -533,6 +535,8 @@ int MAIN(int argc, char **argv)
- 		else if	(strcmp(*argv,"-no_ticket") == 0)
- 			{ off|=SSL_OP_NO_TICKET; }
+@@ -885,6 +887,8 @@ int MAIN(int argc, char **argv)
+ 			}
+ # endif
  #endif
 +		else if (strcmp(*argv,"-cutthrough") == 0)
 +			cutthrough=1;
  		else if (strcmp(*argv,"-serverpref") == 0)
  			off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
- 		else if	(strcmp(*argv,"-cipher") == 0)
-@@ -714,6 +718,15 @@ bad:
- 	 */
- 	if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
+ 		else if (strcmp(*argv,"-legacy_renegotiation") == 0)
+@@ -1156,6 +1160,15 @@ bad:
+ 		SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
+ #endif
  
 +	/* Enable handshake cutthrough for client connections using
 +	 * strong ciphers. */
@@ -42,29 +49,36 @@
  	if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
  	if (cipher != NULL)
  		if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
-diff -uarp openssl-1.0.0.orig/ssl/s3_clnt.c openssl-1.0.0/ssl/s3_clnt.c
---- openssl-1.0.0.orig/ssl/s3_clnt.c	2010-02-27 19:24:24.000000000 -0500
-+++ openssl-1.0.0/ssl/s3_clnt.c	2010-04-21 14:39:49.000000000 -0400
-@@ -186,6 +186,18 @@ int ssl3_connect(SSL *s)
- 	
- 	s->in_handshake++;
- 	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 
-+#if 0	/* Send app data in separate packet, otherwise, some particular site
-+	 * (only one site so far) closes the socket.
-+	 * Note: there is a very small chance that two TCP packets
-+	 * could be arriving at server combined into a single TCP packet,
-+	 * then trigger that site to break. We haven't encounter that though.
-+	 */
+diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
+index 4511a91..d2ecc3e 100644
+--- a/ssl/s3_clnt.c
++++ b/ssl/s3_clnt.c
+@@ -215,6 +215,24 @@ int ssl3_connect(SSL *s)
+ 		}
+ #endif
+ 
++// BEGIN android-added
++#if 0
++/* Send app data in separate packet, otherwise, some particular site
++ * (only one site so far) closes the socket. http://b/2511073
++ * Note: there is a very small chance that two TCP packets
++ * could be arriving at server combined into a single TCP packet,
++ * then trigger that site to break. We haven't encounter that though.
++ */
++// END android-added
 +	if (SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH)
 +		{
 +		/* Send app data along with CCS/Finished */
 +		s->s3->flags |= SSL3_FLAGS_DELAY_CLIENT_FINISHED;
 +		}
++
++// BEGIN android-added
 +#endif
- 
++// END android-added
  	for (;;)
  		{
-@@ -454,14 +468,31 @@ int ssl3_connect(SSL *s)
+ 		state=s->state;
+@@ -527,14 +533,31 @@ int ssl3_connect(SSL *s)
  				}
  			else
  				{
@@ -102,7 +116,7 @@
  				}
  			s->init_num=0;
  			break;
-@@ -512,6 +541,24 @@ int ssl3_connect(SSL *s)
+@@ -582,6 +605,24 @@ int ssl3_connect(SSL *s)
  			s->state=s->s3->tmp.next_state;
  			break;
  
@@ -127,10 +141,11 @@
  		case SSL_ST_OK:
  			/* clean a few things up */
  			ssl3_cleanup_key_block(s);
-diff -uarp openssl-1.0.0.orig/ssl/s3_lib.c openssl-1.0.0/ssl/s3_lib.c
--- openssl-1.0.0.orig/ssl/s3_lib.c     2009-10-16 11:24:19.000000000 -0400
-+++ openssl-1.0.0/ssl/s3_lib.c  2010-04-21 14:39:49.000000000 -0400
-@@ -2551,9 +2551,22 @@ int ssl3_write(SSL *s, const void *buf, 
+diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
+index db75479..a2ea25a 100644
+--- a/ssl/s3_lib.c
++++ b/ssl/s3_lib.c
+@@ -4199,9 +4199,22 @@ int ssl3_write(SSL *s, const void *buf, int len)
  
  static int ssl3_read_internal(SSL *s, void *buf, int len, int peek)
  	{
@@ -154,27 +169,28 @@
  	if (s->s3->renegotiate) ssl3_renegotiate_check(s);
  	s->s3->in_read_app_data=1;
  	ret=s->method->ssl_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
-diff -uarp openssl-1.0.0.orig/ssl/ssl.h openssl-1.0.0/ssl/ssl.h
---- openssl-1.0.0.orig/ssl/ssl.h	2010-01-06 12:37:38.000000000 -0500
-+++ openssl-1.0.0/ssl/ssl.h	2010-04-21 16:57:49.000000000 -0400
-@@ -605,6 +605,10 @@ typedef struct ssl_session_st
- /* Use small read and write buffers: (a) lazy allocate read buffers for
-  * large incoming records, and (b) limit the size of outgoing records. */
- #define SSL_MODE_SMALL_BUFFERS 0x00000020L
+diff --git a/ssl/ssl.h b/ssl/ssl.h
+index 72ed766..ceaf647 100644
+--- a/ssl/ssl.h
++++ b/ssl/ssl.h
+@@ -638,6 +638,10 @@ struct ssl_session_st
+  * TLS only.)  "Released" buffers are put onto a free-list in the context
+  * or just freed (depending on the context's setting for freelist_max_len). */
+ #define SSL_MODE_RELEASE_BUFFERS 0x00000010L
 +/* When set, clients may send application data before receipt of CCS
 + * and Finished.  This mode enables full-handshakes to 'complete' in
 + * one RTT. */
-+#define SSL_MODE_HANDSHAKE_CUTTHROUGH 0x00000040L
-
++#define SSL_MODE_HANDSHAKE_CUTTHROUGH 0x00000020L
+ 
  /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
   * they cannot be used to clear bits. */
-@@ -1097,10 +1101,12 @@ extern "C" {
+@@ -1410,10 +1414,12 @@ extern "C" {
  /* Is the SSL_connection established? */
  #define SSL_get_state(a)		SSL_state(a)
  #define SSL_is_init_finished(a)		(SSL_state(a) == SSL_ST_OK)
 -#define SSL_in_init(a)			(SSL_state(a)&SSL_ST_INIT)
 +#define SSL_in_init(a)			((SSL_state(a)&SSL_ST_INIT) && \
-+                                  !SSL_cutthrough_complete(a))
++					!SSL_cutthrough_complete(a))
  #define SSL_in_before(a)		(SSL_state(a)&SSL_ST_BEFORE)
  #define SSL_in_connect_init(a)		(SSL_state(a)&SSL_ST_CONNECT)
  #define SSL_in_accept_init(a)		(SSL_state(a)&SSL_ST_ACCEPT)
@@ -182,11 +198,11 @@
  
  /* The following 2 states are kept in ssl->rstate when reads fail,
   * you should not need these */
-Only in openssl-1.0.0/ssl: ssl.h.orig
-diff -uarp openssl-1.0.0.orig/ssl/ssl3.h openssl-1.0.0/ssl/ssl3.h
--- openssl-1.0.0.orig/ssl/ssl3.h	2010-01-06 12:37:38.000000000 -0500
-+++ openssl-1.0.0/ssl/ssl3.h	2010-04-21 14:39:49.000000000 -0400
-@@ -456,6 +456,7 @@ typedef struct ssl3_state_st
+diff --git a/ssl/ssl3.h b/ssl/ssl3.h
+index 112e627..556ffc1 100644
+--- a/ssl/ssl3.h
++++ b/ssl/ssl3.h
+@@ -547,6 +547,7 @@ typedef struct ssl3_state_st
  /*client */
  /* extra state */
  #define SSL3_ST_CW_FLUSH		(0x100|SSL_ST_CONNECT)
@@ -194,13 +210,14 @@
  #ifndef OPENSSL_NO_SCTP
  #define DTLS1_SCTP_ST_CW_WRITE_SOCK			(0x310|SSL_ST_CONNECT)
  #define DTLS1_SCTP_ST_CR_READ_SOCK			(0x320|SSL_ST_CONNECT)
-diff -uarp openssl-1.0.0.orig/ssl/ssl_lib.c openssl-1.0.0/ssl/ssl_lib.c
---- openssl-1.0.0.orig/ssl/ssl_lib.c	2010-02-17 14:43:46.000000000 -0500
-+++ openssl-1.0.0/ssl/ssl_lib.c	2010-04-21 17:02:45.000000000 -0400
-@@ -3031,6 +3031,19 @@ void SSL_set_msg_callback(SSL *ssl, void
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index f82d071..518f152 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -3211,6 +3211,19 @@ void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int con
  	SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
  	}
-
+ 
 +int SSL_cutthrough_complete(const SSL *s)
 +	{
 +	return (!s->server &&                 /* cutthrough only applies to clients */
@@ -217,28 +234,29 @@
  /* Allocates new EVP_MD_CTX and sets pointer to it into given pointer
   * vairable, freeing  EVP_MD_CTX previously stored in that variable, if
   * any. If EVP_MD pointer is passed, initializes ctx with this md
-diff -uarp openssl-1.0.0.orig/ssl/ssltest.c openssl-1.0.0/ssl/ssltest.c
---- openssl-1.0.0.orig/ssl/ssltest.c	2010-01-24 11:57:38.000000000 -0500
-+++ openssl-1.0.0/ssl/ssltest.c	2010-04-21 17:06:35.000000000 -0400
-@@ -279,6 +279,7 @@ static void sv_usage(void)
+diff --git a/ssl/ssltest.c b/ssl/ssltest.c
+index 0f8fd39..02ce4ec 100644
+--- a/ssl/ssltest.c
++++ b/ssl/ssltest.c
+@@ -369,6 +369,7 @@ static void sv_usage(void)
+ 	               "                 (default is sect163r2).\n");
+ #endif
  	fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
- 	fprintf(stderr," -c_small_records - enable client side use of small SSL record buffers\n");
- 	fprintf(stderr," -s_small_records - enable server side use of small SSL record buffers\n");
 +	fprintf(stderr," -cutthrough      - enable 1-RTT full-handshake for strong ciphers\n");
  	}
  
  static void print_details(SSL *c_ssl, const char *prefix)
-@@ -436,6 +437,7 @@ int main(int argc, char *argv[])
- 	int ssl_mode = 0;
- 	int c_small_records=0;
- 	int s_small_records=0;
+@@ -549,6 +550,7 @@ int main(int argc, char *argv[])
+ #ifdef OPENSSL_FIPS
+ 	int fips_mode=0;
+ #endif
 +	int cutthrough = 0;
  
  	verbose = 0;
  	debug = 0;
-@@ -632,6 +634,10 @@ int main(int argc, char *argv[])
+@@ -765,6 +767,10 @@ int main(int argc, char *argv[])
  			{
- 			s_small_records = 1;
+ 			test_cipherlist = 1;
  			}
 +		else if (strcmp(*argv, "-cutthrough") == 0)
 +			{
@@ -247,29 +265,30 @@
  		else
  			{
  			fprintf(stderr,"unknown option %s\n",*argv);
-@@ -782,6 +788,13 @@ bad:
- 		ssl_mode |= SSL_MODE_SMALL_BUFFERS;
- 		SSL_CTX_set_mode(s_ctx, ssl_mode);
+@@ -900,6 +906,12 @@ bad:
+ 		SSL_CTX_set_cipher_list(c_ctx,cipher);
+ 		SSL_CTX_set_cipher_list(s_ctx,cipher);
  		}
-+	ssl_mode = 0;
 +	if (cutthrough)
 +		{
-+		ssl_mode = SSL_CTX_get_mode(c_ctx);
-+		ssl_mode = SSL_MODE_HANDSHAKE_CUTTHROUGH;
++		int ssl_mode = SSL_CTX_get_mode(c_ctx);
++		ssl_mode |= SSL_MODE_HANDSHAKE_CUTTHROUGH;
 +		SSL_CTX_set_mode(c_ctx, ssl_mode);
 +		}
  
  #ifndef OPENSSL_NO_DH
  	if (!no_dhe)
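Review bot: In the regenerated ssltest.c hunk, `int ssl_mode = SSL_CTX_get_mode(c_ctx);` stores the result of SSL_CTX_get_mode(), which expands to an SSL_CTX_ctrl() call returning long, into an int; the mode constants in ssl.h are long literals (0x00000020L), so `long ssl_mode = SSL_CTX_get_mode(c_ctx);` matches the API and avoids a narrowing conversion even though the bits in use today fit in an int. The switch from `=` to `|=` on the following line correctly fixes the old patch's overwrite of the existing mode bits and needs no further change. main() begins outside this hunk.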
-diff -uarp openssl-1.0.0.orig/test/testssl openssl-1.0.0/test/testssl
---- openssl-1.0.0.orig/test/testssl	2006-03-10 18:06:27.000000000 -0500
-+++ openssl-1.0.0/test/testssl	2010-04-21 16:50:13.000000000 -0400
-@@ -79,6 +79,8 @@ $ssltest -server_auth -client_auth -s_sm
- echo test sslv2/sslv3 with both client and server authentication and small client and server buffers
- $ssltest -server_auth -client_auth -c_small_records -s_small_records $CA $extra || exit 1
+diff --git a/test/testssl b/test/testssl
+index 5ae4dc8..5dfeeeb 100644
+--- a/test/testssl
++++ b/test/testssl
+@@ -70,6 +70,9 @@ $ssltest -client_auth $CA $extra || exit 1
+ echo test sslv2/sslv3 with both client and server authentication
+ $ssltest -server_auth -client_auth $CA $extra || exit 1
  
 +echo test sslv2/sslv3 with both client and server authentication and handshake cutthrough
 +$ssltest -server_auth -client_auth -cutthrough $CA $extra || exit 1
- 
++
  echo test sslv2 via BIO pair
  $ssltest -bio_pair -ssl2 $extra || exit 1
+ 
diff --git a/patches/small_records.patch b/patches/small_records.patch
deleted file mode 100644
index a2ea51c..0000000
--- a/patches/small_records.patch
+++ /dev/null
@@ -1,337 +0,0 @@
---- openssl-1.0.0a.orig/ssl/d1_pkt.c	2010-04-14 00:09:55.000000000 +0000
-+++ openssl-1.0.0a/ssl/d1_pkt.c	2010-08-25 21:12:39.000000000 +0000
-@@ -608,6 +608,24 @@ again:
- 			goto again;
- 			}
- 
-+		/* If we receive a valid record larger than the current buffer size,
-+		 * allocate some memory for it.
-+		 */
-+		if (rr->length > s->s3->rbuf.len - DTLS1_RT_HEADER_LENGTH)
-+			{
-+			unsigned char *pp;
-+			unsigned int newlen = rr->length + DTLS1_RT_HEADER_LENGTH;
-+			if ((pp=OPENSSL_realloc(s->s3->rbuf.buf, newlen))==NULL)
-+				{
-+				SSLerr(SSL_F_DTLS1_GET_RECORD,ERR_R_MALLOC_FAILURE);
-+				return(-1);
-+				}
-+			p = pp + (p - s->s3->rbuf.buf);
-+			s->s3->rbuf.buf=pp;
-+			s->s3->rbuf.len=newlen;
-+			s->packet= &(s->s3->rbuf.buf[0]);
-+			}
-+
- 		/* now s->rstate == SSL_ST_READ_BODY */
- 		}
- 
-@@ -1342,6 +1360,7 @@ int do_dtls1_write(SSL *s, int type, con
- 	SSL3_BUFFER *wb;
- 	SSL_SESSION *sess;
- 	int bs;
-+	unsigned int len_with_overhead = len + SSL3_RT_DEFAULT_WRITE_OVERHEAD;
- 
- 	/* first check if there is a SSL3_BUFFER still being written
- 	 * out.  This will happen with non blocking IO */
-@@ -1351,6 +1370,16 @@ int do_dtls1_write(SSL *s, int type, con
- 		return(ssl3_write_pending(s,type,buf,len));
- 		}
- 
-+	if (s->s3->wbuf.len < len_with_overhead)
-+		{
-+		if ((p=OPENSSL_realloc(s->s3->wbuf.buf, len_with_overhead)) == NULL) {
-+			SSLerr(SSL_F_DO_DTLS1_WRITE,ERR_R_MALLOC_FAILURE);
-+			goto err;
-+		}
-+		s->s3->wbuf.buf = p;
-+		s->s3->wbuf.len = len_with_overhead;
-+		}
-+
- 	/* If we have an alert to send, lets send it */
- 	if (s->s3->alert_dispatch)
- 		{
---- openssl-1.0.0a.orig/ssl/s23_srvr.c	2010-02-16 14:20:40.000000000 +0000
-+++ openssl-1.0.0a/ssl/s23_srvr.c	2010-08-25 21:12:39.000000000 +0000
-@@ -403,8 +403,13 @@ int ssl23_get_client_hello(SSL *s)
- 		v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
- 		v[1] = p[4];
- 
-+/* The SSL2 protocol allows n to be larger, just pick
-+ * a reasonable buffer size. */
-+#if SSL3_RT_DEFAULT_PACKET_SIZE < 1024*4 - SSL3_RT_DEFAULT_WRITE_OVERHEAD
-+#error "SSL3_RT_DEFAULT_PACKET_SIZE is too small."
-+#endif
- 		n=((p[0]&0x7f)<<8)|p[1];
--		if (n > (1024*4))
-+		if (n > SSL3_RT_DEFAULT_PACKET_SIZE - 2)
- 			{
- 			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
- 			goto err;
---- openssl-1.0.0a.orig/ssl/s3_both.c	2010-03-24 23:16:49.000000000 +0000
-+++ openssl-1.0.0a/ssl/s3_both.c	2010-08-25 21:12:39.000000000 +0000
-@@ -715,13 +722,20 @@ int ssl3_setup_read_buffer(SSL *s)
- 
- 	if (s->s3->rbuf.buf == NULL)
- 		{
--		len = SSL3_RT_MAX_PLAIN_LENGTH
--			+ SSL3_RT_MAX_ENCRYPTED_OVERHEAD
--			+ headerlen + align;
--		if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
-+		if (SSL_get_mode(s) & SSL_MODE_SMALL_BUFFERS)
- 			{
--			s->s3->init_extra = 1;
--			len += SSL3_RT_MAX_EXTRA;
-+			len = SSL3_RT_DEFAULT_PACKET_SIZE;
-+			}
-+  		else
-+			{
-+			len = SSL3_RT_MAX_PLAIN_LENGTH
-+				+ SSL3_RT_MAX_ENCRYPTED_OVERHEAD
-+				+ headerlen + align;
-+			if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
-+				{
-+				s->s3->init_extra = 1;
-+				len += SSL3_RT_MAX_EXTRA;
-+				}
- 			}
- #ifndef OPENSSL_NO_COMP
- 		if (!(s->options & SSL_OP_NO_COMPRESSION))
-@@ -757,7 +771,15 @@ int ssl3_setup_write_buffer(SSL *s)
- 
- 	if (s->s3->wbuf.buf == NULL)
- 		{
--		len = s->max_send_fragment
-+		if (SSL_get_mode(s) & SSL_MODE_SMALL_BUFFERS)
-+			{
-+			len = SSL3_RT_DEFAULT_PACKET_SIZE;
-+			}
-+  		else
-+			{
-+			len = s->max_send_fragment;
-+			}
-+		len += 0
- 			+ SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD
- 			+ headerlen + align;
- #ifndef OPENSSL_NO_COMP
-@@ -767,7 +789,6 @@ int ssl3_setup_write_buffer(SSL *s)
- 		if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
- 			len += headerlen + align
- 				+ SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
--
- 		if ((p=freelist_extract(s->ctx, 0, len)) == NULL)
- 			goto err;
- 		s->s3->wbuf.buf = p;
-@@ -810,4 +831,3 @@ int ssl3_release_read_buffer(SSL *s)
- 		}
- 	return 1;
- 	}
--
---- openssl-1.0.0a.orig/ssl/s3_pkt.c	2010-03-25 11:22:42.000000000 +0000
-+++ openssl-1.0.0a/ssl/s3_pkt.c	2010-08-25 21:12:39.000000000 +0000
-@@ -293,6 +293,11 @@ static int ssl3_get_record(SSL *s)
- 	size_t extra;
- 	int decryption_failed_or_bad_record_mac = 0;
- 	unsigned char *mac = NULL;
-+#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
-+	long align=SSL3_ALIGN_PAYLOAD;
-+#else
-+	long align=0;
-+#endif
- 
- 	rr= &(s->s3->rrec);
- 	sess=s->session;
-@@ -301,7 +306,8 @@ static int ssl3_get_record(SSL *s)
- 		extra=SSL3_RT_MAX_EXTRA;
- 	else
- 		extra=0;
--	if (extra && !s->s3->init_extra)
-+	if (!(SSL_get_mode(s) & SSL_MODE_SMALL_BUFFERS) &&
-+		extra && !s->s3->init_extra)
- 		{
- 		/* An application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER
- 		 * set after ssl3_setup_buffers() was done */
-@@ -350,6 +356,21 @@ fprintf(stderr, "Record type=%d, Length=
- 			goto err;
- 			}
- 
-+		/* If we receive a valid record larger than the current buffer size,
-+		 * allocate some memory for it.
-+		 */
-+		if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH - align)
-+			{
-+			if ((p=OPENSSL_realloc(s->s3->rbuf.buf, rr->length + SSL3_RT_HEADER_LENGTH + align))==NULL)
-+				{
-+				SSLerr(SSL_F_SSL3_GET_RECORD,ERR_R_MALLOC_FAILURE);
-+				goto err;
-+				}
-+			s->s3->rbuf.buf=p;
-+			s->s3->rbuf.len=rr->length + SSL3_RT_HEADER_LENGTH + align;
-+			s->packet= &(s->s3->rbuf.buf[0]);
-+			}
-+
- 		if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH)
- 			{
- 			al=SSL_AD_RECORD_OVERFLOW;
-@@ -576,6 +597,7 @@ int ssl3_write_bytes(SSL *s, int type, c
- 	const unsigned char *buf=buf_;
- 	unsigned int tot,n,nw;
- 	int i;
-+	unsigned int max_plain_length;
- 
- 	s->rwstate=SSL_NOTHING;
- 	tot=s->s3->wnum;
-@@ -595,8 +617,13 @@ int ssl3_write_bytes(SSL *s, int type, c
- 	n=(len-tot);
- 	for (;;)
- 		{
--		if (n > s->max_send_fragment)
--			nw=s->max_send_fragment;
-+		if (type == SSL3_RT_APPLICATION_DATA && (SSL_get_mode(s) & SSL_MODE_SMALL_BUFFERS))
-+			max_plain_length = SSL3_RT_DEFAULT_PLAIN_LENGTH;
-+		else
-+			max_plain_length = s->max_send_fragment;
-+
-+		if (n > max_plain_length)
-+			nw = max_plain_length;
- 		else
- 			nw=n;
- 
-@@ -727,6 +727,18 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
- 		s->s3->empty_fragment_done = 1;
- 		}
- 
-+	/* resize if necessary to hold the data. */
-+	if (len + SSL3_RT_DEFAULT_WRITE_OVERHEAD > wb->len)
-+		{
-+		if ((p=OPENSSL_realloc(wb->buf, len + SSL3_RT_DEFAULT_WRITE_OVERHEAD))==NULL)
-+			{
-+			SSLerr(SSL_F_DO_SSL3_WRITE,ERR_R_MALLOC_FAILURE);
-+			goto err;
-+			}
-+		wb->buf = p;
-+		wb->len = len + SSL3_RT_DEFAULT_WRITE_OVERHEAD;
-+		}
-+
- 	if (create_empty_fragment)
- 		{
- #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
---- openssl-1.0.0a.orig/ssl/ssl.h	2010-01-06 17:37:38.000000000 +0000
-+++ openssl-1.0.0a/ssl/ssl.h	2010-08-25 21:12:39.000000000 +0000
-@@ -602,6 +602,9 @@ typedef struct ssl_session_st
-  * TLS only.)  "Released" buffers are put onto a free-list in the context
-  * or just freed (depending on the context's setting for freelist_max_len). */
- #define SSL_MODE_RELEASE_BUFFERS 0x00000010L
-+/* Use small read and write buffers: (a) lazy allocate read buffers for
-+ * large incoming records, and (b) limit the size of outgoing records. */
-+#define SSL_MODE_SMALL_BUFFERS 0x00000020L
- 
- /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
-  * they cannot be used to clear bits. */
---- openssl-1.0.0a.orig/ssl/ssl3.h	2010-01-06 17:37:38.000000000 +0000
-+++ openssl-1.0.0a/ssl/ssl3.h	2010-08-25 21:12:39.000000000 +0000
-@@ -280,6 +280,9 @@ extern "C" {
- 
- #define SSL3_RT_MAX_EXTRA			(16384)
- 
-+/* Default buffer length used for writen records.  Thus a generated record
-+ * will contain plaintext no larger than this value. */
-+#define SSL3_RT_DEFAULT_PLAIN_LENGTH	2048
- /* Maximum plaintext length: defined by SSL/TLS standards */
- #define SSL3_RT_MAX_PLAIN_LENGTH		16384
- /* Maximum compression overhead: defined by SSL/TLS standards */
-@@ -311,6 +314,13 @@ extern "C" {
- #define SSL3_RT_MAX_PACKET_SIZE		\
- 		(SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH)
- 
-+/* Extra space for empty fragment, headers, MAC, and padding. */
-+#define SSL3_RT_DEFAULT_WRITE_OVERHEAD  256
-+#define SSL3_RT_DEFAULT_PACKET_SIZE     4096 - SSL3_RT_DEFAULT_WRITE_OVERHEAD
-+#if SSL3_RT_DEFAULT_PLAIN_LENGTH + SSL3_RT_DEFAULT_WRITE_OVERHEAD > SSL3_RT_DEFAULT_PACKET_SIZE
-+#error "Insufficient space allocated for write buffers."
-+#endif
-+
- #define SSL3_MD_CLIENT_FINISHED_CONST	"\x43\x4C\x4E\x54"
- #define SSL3_MD_SERVER_FINISHED_CONST	"\x53\x52\x56\x52"
- 
-@@ -634,4 +645,3 @@ typedef struct ssl3_state_st
- }
- #endif
- #endif
--
---- openssl-1.0.0a.orig/ssl/ssltest.c	2010-01-24 16:57:38.000000000 +0000
-+++ openssl-1.0.0a/ssl/ssltest.c	2010-08-25 21:12:39.000000000 +0000
-@@ -316,6 +316,8 @@ static void sv_usage(void)
- 	               "                 (default is sect163r2).\n");
- #endif
- 	fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
-+	fprintf(stderr," -c_small_records - enable client side use of small SSL record buffers\n");
-+	fprintf(stderr," -s_small_records - enable server side use of small SSL record buffers\n");
- 	}
- 
- static void print_details(SSL *c_ssl, const char *prefix)
-@@ -444,6 +447,9 @@ int opaque_prf_input_cb(SSL *ssl, void *
- 	return arg->ret;
- 	}
- #endif
-+	int ssl_mode = 0;
-+	int c_small_records=0;
-+	int s_small_records=0;
- 
- int main(int argc, char *argv[])
- 	{
-@@ -680,6 +687,14 @@ int main(int argc, char *argv[])
- 			{
- 			test_cipherlist = 1;
- 			}
-+		else if (strcmp(*argv, "-c_small_records") == 0)
-+			{
-+			c_small_records = 1;
-+			}
-+		else if (strcmp(*argv, "-s_small_records") == 0)
-+			{
-+			s_small_records = 1;
-+			}
- 		else
- 			{
- 			fprintf(stderr,"unknown option %s\n",*argv);
-@@ -802,6 +821,21 @@ bad:
- 		SSL_CTX_set_cipher_list(s_ctx,cipher);
- 		}
- 
-+	ssl_mode = 0;
-+	if (c_small_records)
-+		{
-+		ssl_mode = SSL_CTX_get_mode(c_ctx);
-+		ssl_mode |= SSL_MODE_SMALL_BUFFERS;
-+		SSL_CTX_set_mode(c_ctx, ssl_mode);
-+		}
-+	ssl_mode = 0;
-+	if (s_small_records)
-+		{
-+		ssl_mode = SSL_CTX_get_mode(s_ctx);
-+		ssl_mode |= SSL_MODE_SMALL_BUFFERS;
-+		SSL_CTX_set_mode(s_ctx, ssl_mode);
-+		}
-+
- #ifndef OPENSSL_NO_DH
- 	if (!no_dhe)
- 		{
---- openssl-1.0.0.orig/test/testssl	2006-03-10 15:06:27.000000000 -0800
-+++ openssl-1.0.0/test/testssl	2010-04-26 10:24:55.000000000 -0700
-@@ -70,6 +70,16 @@ $ssltest -client_auth $CA $extra || exit
- echo test sslv2/sslv3 with both client and server authentication
- $ssltest -server_auth -client_auth $CA $extra || exit 1
- 
-+echo test sslv2/sslv3 with both client and server authentication and small client buffers
-+$ssltest -server_auth -client_auth -c_small_records $CA $extra || exit 1
-+
-+echo test sslv2/sslv3 with both client and server authentication and small server buffers
-+$ssltest -server_auth -client_auth -s_small_records $CA $extra || exit 1
-+
-+echo test sslv2/sslv3 with both client and server authentication and small client and server buffers
-+$ssltest -server_auth -client_auth -c_small_records -s_small_records $CA $extra || exit 1
-+
-+
- echo test sslv2 via BIO pair
- $ssltest -bio_pair -ssl2 $extra || exit 1
- 
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index e3e9864..987af60 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -614,24 +614,6 @@
 			goto again;
 			}
 
-		/* If we receive a valid record larger than the current buffer size,
-		 * allocate some memory for it.
-		 */
-		if (rr->length > s->s3->rbuf.len - DTLS1_RT_HEADER_LENGTH)
-			{
-			unsigned char *pp;
-			unsigned int newlen = rr->length + DTLS1_RT_HEADER_LENGTH;
-			if ((pp=OPENSSL_realloc(s->s3->rbuf.buf, newlen))==NULL)
-				{
-				SSLerr(SSL_F_DTLS1_GET_RECORD,ERR_R_MALLOC_FAILURE);
-				return(-1);
-				}
-			p = pp + (p - s->s3->rbuf.buf);
-			s->s3->rbuf.buf=pp;
-			s->s3->rbuf.len=newlen;
-			s->packet= &(s->s3->rbuf.buf[0]);
-			}
-
 		/* now s->rstate == SSL_ST_READ_BODY */
 		}
 
@@ -1470,7 +1452,6 @@
 	SSL3_BUFFER *wb;
 	SSL_SESSION *sess;
 	int bs;
-	unsigned int len_with_overhead = len + SSL3_RT_DEFAULT_WRITE_OVERHEAD;
 
 	/* first check if there is a SSL3_BUFFER still being written
 	 * out.  This will happen with non blocking IO */
@@ -1480,16 +1461,6 @@
 		return(ssl3_write_pending(s,type,buf,len));
 		}
 
-	if (s->s3->wbuf.len < len_with_overhead)
-		{
-		if ((p=OPENSSL_realloc(s->s3->wbuf.buf, len_with_overhead)) == NULL) {
-			SSLerr(SSL_F_DO_DTLS1_WRITE,ERR_R_MALLOC_FAILURE);
-			goto err;
-		}
-		s->s3->wbuf.buf = p;
-		s->s3->wbuf.len = len_with_overhead;
-		}
-
 	/* If we have an alert to send, lets send it */
 	if (s->s3->alert_dispatch)
 		{
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index 4c4721f..4877849 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -444,13 +444,8 @@
 		v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
 		v[1] = p[4];
 
-/* The SSL2 protocol allows n to be larger, just pick
- * a reasonable buffer size. */
-#if SSL3_RT_DEFAULT_PACKET_SIZE < 1024*4 - SSL3_RT_DEFAULT_WRITE_OVERHEAD
-#error "SSL3_RT_DEFAULT_PACKET_SIZE is too small."
-#endif
 		n=((p[0]&0x7f)<<8)|p[1];
-		if (n > SSL3_RT_DEFAULT_PACKET_SIZE - 2)
+		if (n > (1024*4))
 			{
 			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
 			goto err;
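Review bot: The new bound `if (n > (1024*4))` on L871 reintroduces a bare magic number where the removed lines carried a named constant plus a compile-time check that the read buffer could hold it, so the meaning is now only recoverable from the deleted comment. Keep it next to the check: `/* SSLv2 allows n up to 32767; cap the ClientHello at 4 KiB, which must fit in the SSL3 read buffer */`. A named constant would be clearer still; that the 4 KiB cap is covered by the read-buffer size is inferred here rather than visible in the hunk. The enclosing function begins and ends outside the hunk.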
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index 3a5b497..c8a7d18 100644
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -753,20 +753,13 @@
 
 	if (s->s3->rbuf.buf == NULL)
 		{
-		if (SSL_get_mode(s) & SSL_MODE_SMALL_BUFFERS)
+		len = SSL3_RT_MAX_PLAIN_LENGTH
+			+ SSL3_RT_MAX_ENCRYPTED_OVERHEAD
+			+ headerlen + align;
+		if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
 			{
-			len = SSL3_RT_DEFAULT_PACKET_SIZE;
-			}
-  		else
-			{
-			len = SSL3_RT_MAX_PLAIN_LENGTH
-				+ SSL3_RT_MAX_ENCRYPTED_OVERHEAD
-				+ headerlen + align;
-			if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
-				{
-				s->s3->init_extra = 1;
-				len += SSL3_RT_MAX_EXTRA;
-				}
+			s->s3->init_extra = 1;
+			len += SSL3_RT_MAX_EXTRA;
 			}
 #ifndef OPENSSL_NO_COMP
 		if (!(s->options & SSL_OP_NO_COMPRESSION))
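Review bot: With this hunk the read buffer is sized once, at `len = SSL3_RT_MAX_PLAIN_LENGTH + SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align`, and the on-demand growth that ssl3_get_record used to do is removed in the ssl/s3_pkt.c hunk below (the `OPENSSL_realloc` block under the "If we receive a valid record larger than the current buffer size" comment), so this computation is now the only thing between a record's declared length and the `SSL_AD_RECORD_OVERFLOW` check that remains in s3_pkt.c. That matches the upstream arrangement, but the `SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER` branch setting `s->s3->init_extra` is now load-bearing for the `if (extra && !s->s3->init_extra)` check also changed in s3_pkt.c, and nothing here says so. A comment would help: `/* init_extra records that SSL3_RT_MAX_EXTRA was reserved; ssl3_get_record rejects the option if it is set only after this point */`. The enclosing function (presumably ssl3_setup_read_buffer) starts before the hunk and its compression branch continues after it.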
@@ -802,15 +795,7 @@
 
 	if (s->s3->wbuf.buf == NULL)
 		{
-		if (SSL_get_mode(s) & SSL_MODE_SMALL_BUFFERS)
-			{
-			len = SSL3_RT_DEFAULT_PACKET_SIZE;
-			}
-  		else
-			{
-			len = s->max_send_fragment;
-			}
-		len += 0
+		len = s->max_send_fragment
 			+ SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD
 			+ headerlen + align;
 #ifndef OPENSSL_NO_COMP
@@ -820,6 +805,7 @@
 		if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
 			len += headerlen + align
 				+ SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
+
 		if ((p=freelist_extract(s->ctx, 0, len)) == NULL)
 			goto err;
 		s->s3->wbuf.buf = p;
@@ -862,3 +848,4 @@
 		}
 	return 1;
 	}
+
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 11a2e3c..a5d646a 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -202,18 +202,6 @@
 	
 	s->in_handshake++;
 	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 
-#if 0	/* Send app data in separate packet, otherwise, some particular site
-	 * (only one site so far) closes the socket.
-	 * Note: there is a very small chance that two TCP packets
-	 * could be arriving at server combined into a single TCP packet,
-	 * then trigger that site to break. We haven't encounter that though.
-	 */
-	if (SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH)
-		{
-		/* Send app data along with CCS/Finished */
-		s->s3->flags |= SSL3_FLAGS_DELAY_CLIENT_FINISHED;
-		}
-#endif
 
 #ifndef OPENSSL_NO_HEARTBEATS
 	/* If we're awaiting a HeartbeatResponse, pretend we
@@ -227,6 +215,24 @@
 		}
 #endif
 
+// BEGIN android-added
+#if 0
+/* Send app data in separate packet, otherwise, some particular site
+ * (only one site so far) closes the socket. http://b/2511073
+ * Note: there is a very small chance that two TCP packets
+ * could be arriving at server combined into a single TCP packet,
+ * then trigger that site to break. We haven't encounter that though.
+ */
+// END android-added
+	if (SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH)
+		{
+		/* Send app data along with CCS/Finished */
+		s->s3->flags |= SSL3_FLAGS_DELAY_CLIENT_FINISHED;
+		}
+
+// BEGIN android-added
+#endif
+// END android-added
 	for (;;)
 		{
 		state=s->state;
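Review bot: The re-added `SSL_MODE_HANDSHAKE_CUTTHROUGH` block at L972-L976 is still wrapped in `#if 0` / `#endif`, so it is compiled out exactly as the version removed in the previous hunk was; moving it after the heartbeat block changes nothing at runtime. The `// BEGIN android-added` / `// END android-added` markers enclose only the `#if 0` comment and the `#endif`, which presents the code between them as non-local code that Android merely disabled; if the whole snippet is local, widen the markers to cover it. If the intent is to keep the disabled snippet as a record of http://b/2511073, say so inside the block, e.g. `/* Disabled, see http://b/2511073: delaying the client Finished broke one site; kept for reference only */`, otherwise drop it rather than carry dead code. The enclosing function begins before the previous hunk.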
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 1cc3442..adf8c38 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -295,11 +295,6 @@
 	size_t extra;
 	int decryption_failed_or_bad_record_mac = 0;
 	unsigned char *mac = NULL;
-#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
-	long align=SSL3_ALIGN_PAYLOAD;
-#else
-	long align=0;
-#endif
 
 	rr= &(s->s3->rrec);
 	sess=s->session;
@@ -308,8 +303,7 @@
 		extra=SSL3_RT_MAX_EXTRA;
 	else
 		extra=0;
-	if (!(SSL_get_mode(s) & SSL_MODE_SMALL_BUFFERS) &&
-		extra && !s->s3->init_extra)
+	if (extra && !s->s3->init_extra)
 		{
 		/* An application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER
 		 * set after ssl3_setup_buffers() was done */
@@ -358,21 +352,6 @@
 			goto err;
 			}
 
-		/* If we receive a valid record larger than the current buffer size,
-		 * allocate some memory for it.
-		 */
-		if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH - align)
-			{
-			if ((p=OPENSSL_realloc(s->s3->rbuf.buf, rr->length + SSL3_RT_HEADER_LENGTH + align))==NULL)
-				{
-				SSLerr(SSL_F_SSL3_GET_RECORD,ERR_R_MALLOC_FAILURE);
-				goto err;
-				}
-			s->s3->rbuf.buf=p;
-			s->s3->rbuf.len=rr->length + SSL3_RT_HEADER_LENGTH + align;
-			s->packet= &(s->s3->rbuf.buf[0]);
-			}
-
 		if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH)
 			{
 			al=SSL_AD_RECORD_OVERFLOW;
@@ -599,7 +578,6 @@
 	const unsigned char *buf=buf_;
 	unsigned int tot,n,nw;
 	int i;
-	unsigned int max_plain_length;
 
 	s->rwstate=SSL_NOTHING;
 	tot=s->s3->wnum;
@@ -619,13 +597,8 @@
 	n=(len-tot);
 	for (;;)
 		{
-		if (type == SSL3_RT_APPLICATION_DATA && (SSL_get_mode(s) & SSL_MODE_SMALL_BUFFERS))
-			max_plain_length = SSL3_RT_DEFAULT_PLAIN_LENGTH;
-		else
-			max_plain_length = s->max_send_fragment;
-
-		if (n > max_plain_length)
-			nw = max_plain_length;
+		if (n > s->max_send_fragment)
+			nw=s->max_send_fragment;
 		else
 			nw=n;
 
@@ -734,18 +707,6 @@
 		s->s3->empty_fragment_done = 1;
 		}
 
-	/* resize if necessary to hold the data. */
-	if (len + SSL3_RT_DEFAULT_WRITE_OVERHEAD > wb->len)
-		{
-		if ((p=OPENSSL_realloc(wb->buf, len + SSL3_RT_DEFAULT_WRITE_OVERHEAD))==NULL)
-			{
-			SSLerr(SSL_F_DO_SSL3_WRITE,ERR_R_MALLOC_FAILURE);
-			goto err;
-			}
-		wb->buf = p;
-		wb->len = len + SSL3_RT_DEFAULT_WRITE_OVERHEAD;
-		}
-
 	if (create_empty_fragment)
 		{
 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
diff --git a/ssl/ssl.h b/ssl/ssl.h
index ce15f4f..1aaadf3 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -638,13 +638,10 @@
  * TLS only.)  "Released" buffers are put onto a free-list in the context
  * or just freed (depending on the context's setting for freelist_max_len). */
 #define SSL_MODE_RELEASE_BUFFERS 0x00000010L
-/* Use small read and write buffers: (a) lazy allocate read buffers for
- * large incoming records, and (b) limit the size of outgoing records. */
-#define SSL_MODE_SMALL_BUFFERS 0x00000020L
 /* When set, clients may send application data before receipt of CCS
  * and Finished.  This mode enables full-handshakes to 'complete' in
  * one RTT. */
-#define SSL_MODE_HANDSHAKE_CUTTHROUGH 0x00000040L
+#define SSL_MODE_HANDSHAKE_CUTTHROUGH 0x00000020L
 
 /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
  * they cannot be used to clear bits. */
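Review bot: Renumbering `SSL_MODE_HANDSHAKE_CUTTHROUGH` from 0x00000040L to 0x00000020L on L1090 changes a public ABI value: code built against the old header keeps passing 0x40, which after this change is an unassigned mode bit and silently stops enabling cutthrough, while code built against the new header but running against an older library would set the old `SSL_MODE_SMALL_BUFFERS` bit instead. Keeping the value at 0x40 and leaving 0x20 unused avoids both mismatches and also leaves room if upstream later assigns 0x20 to a mode of its own. At minimum the reason for reusing the freed bit deserves a comment, e.g. `/* 0x20 was SSL_MODE_SMALL_BUFFERS (removed); cutthrough now reuses the bit, so its value is not stable across this change */`.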
@@ -1434,7 +1431,7 @@
 #define SSL_get_state(a)		SSL_state(a)
 #define SSL_is_init_finished(a)		(SSL_state(a) == SSL_ST_OK)
 #define SSL_in_init(a)			((SSL_state(a)&SSL_ST_INIT) && \
-                                  !SSL_cutthrough_complete(a))
+					!SSL_cutthrough_complete(a))
 #define SSL_in_before(a)		(SSL_state(a)&SSL_ST_BEFORE)
 #define SSL_in_connect_init(a)		(SSL_state(a)&SSL_ST_CONNECT)
 #define SSL_in_accept_init(a)		(SSL_state(a)&SSL_ST_ACCEPT)
diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index 3f2103e..f4578aa 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -280,9 +280,6 @@
 
 #define SSL3_RT_MAX_EXTRA			(16384)
 
-/* Default buffer length used for writen records.  Thus a generated record
- * will contain plaintext no larger than this value. */
-#define SSL3_RT_DEFAULT_PLAIN_LENGTH	2048
 /* Maximum plaintext length: defined by SSL/TLS standards */
 #define SSL3_RT_MAX_PLAIN_LENGTH		16384
 /* Maximum compression overhead: defined by SSL/TLS standards */
@@ -314,13 +311,6 @@
 #define SSL3_RT_MAX_PACKET_SIZE		\
 		(SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH)
 
-/* Extra space for empty fragment, headers, MAC, and padding. */
-#define SSL3_RT_DEFAULT_WRITE_OVERHEAD  256
-#define SSL3_RT_DEFAULT_PACKET_SIZE     4096 - SSL3_RT_DEFAULT_WRITE_OVERHEAD
-#if SSL3_RT_DEFAULT_PLAIN_LENGTH + SSL3_RT_DEFAULT_WRITE_OVERHEAD > SSL3_RT_DEFAULT_PACKET_SIZE
-#error "Insufficient space allocated for write buffers."
-#endif
-
 #define SSL3_MD_CLIENT_FINISHED_CONST	"\x43\x4C\x4E\x54"
 #define SSL3_MD_SERVER_FINISHED_CONST	"\x53\x52\x56\x52"
 
@@ -703,3 +693,4 @@
 }
 #endif
 #endif
+
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index a950b6e..02ce4ec 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -369,8 +369,6 @@
 	               "                 (default is sect163r2).\n");
 #endif
 	fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
-	fprintf(stderr," -c_small_records - enable client side use of small SSL record buffers\n");
-	fprintf(stderr," -s_small_records - enable server side use of small SSL record buffers\n");
 	fprintf(stderr," -cutthrough      - enable 1-RTT full-handshake for strong ciphers\n");
 	}
 
@@ -500,10 +498,6 @@
 	return arg->ret;
 	}
 #endif
-	int ssl_mode = 0;
-	int c_small_records=0;
-	int s_small_records=0;
-	int cutthrough = 0;
 
 int main(int argc, char *argv[])
 	{
@@ -556,6 +550,7 @@
 #ifdef OPENSSL_FIPS
 	int fips_mode=0;
 #endif
+	int cutthrough = 0;
 
 	verbose = 0;
 	debug = 0;
@@ -772,14 +767,6 @@
 			{
 			test_cipherlist = 1;
 			}
-		else if (strcmp(*argv, "-c_small_records") == 0)
-			{
-			c_small_records = 1;
-			}
-		else if (strcmp(*argv, "-s_small_records") == 0)
-			{
-			s_small_records = 1;
-			}
 		else if (strcmp(*argv, "-cutthrough") == 0)
 			{
 			cutthrough = 1;
@@ -919,26 +906,10 @@
 		SSL_CTX_set_cipher_list(c_ctx,cipher);
 		SSL_CTX_set_cipher_list(s_ctx,cipher);
 		}
-
-	ssl_mode = 0;
-	if (c_small_records)
-		{
-		ssl_mode = SSL_CTX_get_mode(c_ctx);
-		ssl_mode |= SSL_MODE_SMALL_BUFFERS;
-		SSL_CTX_set_mode(c_ctx, ssl_mode);
-		}
-	ssl_mode = 0;
-	if (s_small_records)
-		{
-		ssl_mode = SSL_CTX_get_mode(s_ctx);
-		ssl_mode |= SSL_MODE_SMALL_BUFFERS;
-		SSL_CTX_set_mode(s_ctx, ssl_mode);
-		}
-	ssl_mode = 0;
 	if (cutthrough)
 		{
-		ssl_mode = SSL_CTX_get_mode(c_ctx);
-		ssl_mode = SSL_MODE_HANDSHAKE_CUTTHROUGH;
+		int ssl_mode = SSL_CTX_get_mode(c_ctx);
+		ssl_mode |= SSL_MODE_HANDSHAKE_CUTTHROUGH;
 		SSL_CTX_set_mode(c_ctx, ssl_mode);
 		}
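Review bot: `int ssl_mode = SSL_CTX_get_mode(c_ctx);` on L1207 narrows the `long` that SSL_CTX_get_mode returns (the mode constants in ssl.h are `long` literals such as `0x00000020L`), so declare it `long ssl_mode = SSL_CTX_get_mode(c_ctx);` and pass that to SSL_CTX_set_mode. The switch from `=` to `|=` on L1208 is the right fix, since the old code discarded any mode bits already set on c_ctx, and is worth a one-line comment: `/* OR in cutthrough so existing mode bits on c_ctx are preserved */`. main begins before the hunk.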