resolve conflicts, fix local changes

author: djm <> 2010-10-01 22:59:01 +0000
committer: djm <> 2010-10-01 22:59:01 +0000
commit: 8922d4bc4a8b8893d72a48deb2cdf58215f98505 (patch)
tree: 939b752540947d33507b3acc48d76a8bfb7c3dc3 /src/lib/libssl/s3_both.c
parent: 76262f7bf9262f965142b1b2b2105cb279c5c696 (diff)
download: openbsd-8922d4bc4a8b8893d72a48deb2cdf58215f98505.tar.gz
openbsd-8922d4bc4a8b8893d72a48deb2cdf58215f98505.tar.bz2
openbsd-8922d4bc4a8b8893d72a48deb2cdf58215f98505.zip
1 files changed, 253 insertions, 62 deletions
diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c
index 2ecfbb77cb..a6d869df59 100644
--- a/src/lib/libssl/s3_both.c
+++ b/src/lib/libssl/s3_both.c
@@ -160,14 +160,29 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
                p= &(d[4]);
                i=s->method->ssl3_enc->final_finish_mac(s,
-                        &(s->s3->finish_dgst1),
-                        &(s->s3->finish_dgst2),
                        sender,slen,s->s3->tmp.finish_md);
                s->s3->tmp.finish_md_len = i;
                memcpy(p, s->s3->tmp.finish_md, i);
                p+=i;
                l=i;
+                /* Copy the finished so we can use it for
+                   renegotiation checks */
+                if(s->type == SSL_ST_CONNECT)
+                        {
+                         OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
+                         memcpy(s->s3->previous_client_finished, 
+                             s->s3->tmp.finish_md, i);
+                         s->s3->previous_client_finished_len=i;
+                        }
+                else
+                        {
+                        OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
+                        memcpy(s->s3->previous_server_finished, 
+                            s->s3->tmp.finish_md, i);
+                        s->s3->previous_server_finished_len=i;
+                        }
 #ifdef OPENSSL_SYS_WIN16
                /* MSVC 1.5 does not clear the top bytes of the word unless
                 * I do this.
@@ -232,6 +247,23 @@ int ssl3_get_finished(SSL *s, int a, int b)
                goto f_err;
                }
+        /* Copy the finished so we can use it for
+           renegotiation checks */
+        if(s->type == SSL_ST_ACCEPT)
+                {
+                OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
+                memcpy(s->s3->previous_client_finished, 
+                    s->s3->tmp.peer_finish_md, i);
+                s->s3->previous_client_finished_len=i;
+                }
+        else
+                {
+                OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
+                memcpy(s->s3->previous_server_finished, 
+                    s->s3->tmp.peer_finish_md, i);
+                s->s3->previous_server_finished_len=i;
+                }
        return(1);
 f_err:
        ssl3_send_alert(s,SSL3_AL_FATAL,al);
@@ -264,15 +296,31 @@ int ssl3_send_change_cipher_spec(SSL *s, int a, int b)
        return(ssl3_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC));
        }
+static int ssl3_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x)
+        {
+        int n;
+        unsigned char *p;
+        n=i2d_X509(x,NULL);
+        if (!BUF_MEM_grow_clean(buf,(int)(n+(*l)+3)))
+                {
+                SSLerr(SSL_F_SSL3_ADD_CERT_TO_BUF,ERR_R_BUF_LIB);
+                return(-1);
+                }
+        p=(unsigned char *)&(buf->data[*l]);
+        l2n3(n,p);
+        i2d_X509(x,&p);
+        *l+=n+3;
+        return(0);
+        }
 unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
        {
        unsigned char *p;
-        int n,i;
+        int i;
        unsigned long l=7;
        BUF_MEM *buf;
-        X509_STORE_CTX xs_ctx;
-        X509_OBJECT obj;
        int no_chain;
        if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs)
@@ -289,58 +337,42 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
                }
        if (x != NULL)
                {
-                if(!no_chain && !X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL))
+                if (no_chain)
                        {
-                        SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB);
+                        if (ssl3_add_cert_to_buf(buf, &l, x))
-                        return(0);
+                                return(0);
                        }
+                else
-                for (;;)
                        {
-                        n=i2d_X509(x,NULL);
+                        X509_STORE_CTX xs_ctx;
-                        if (!BUF_MEM_grow_clean(buf,(int)(n+l+3)))
+                        if (!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,x,NULL))
                                {
-                                SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
+                                SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB);
                                return(0);
                                }
-                        p=(unsigned char *)&(buf->data[l]);
+                        X509_verify_cert(&xs_ctx);
-                        l2n3(n,p);
+                        /* Don't leave errors in the queue */
-                        i2d_X509(x,&p);
+                        ERR_clear_error();
-                        l+=n+3;
+                        for (i=0; i < sk_X509_num(xs_ctx.chain); i++)
+                                {
-                        if (no_chain)
+                                x = sk_X509_value(xs_ctx.chain, i);
-                                break;
+                                if (ssl3_add_cert_to_buf(buf, &l, x))
-                        if (X509_NAME_cmp(X509_get_subject_name(x),
+                                        {
-                                X509_get_issuer_name(x)) == 0) break;
+                                        X509_STORE_CTX_cleanup(&xs_ctx);
+                                        return 0;
-                        i=X509_STORE_get_by_subject(&xs_ctx,X509_LU_X509,
+                                        }
-                                X509_get_issuer_name(x),&obj);
+                                }
-                        if (i <= 0) break;
-                        x=obj.data.x509;
-                        /* Count is one too high since the X509_STORE_get uped the
-                         * ref count */
-                        X509_free(x);
-                        }
-                if (!no_chain)
                        X509_STORE_CTX_cleanup(&xs_ctx);
+                        }
                }
        /* Thawte special :-) */
-        if (s->ctx->extra_certs != NULL)
        for (i=0; i<sk_X509_num(s->ctx->extra_certs); i++)
                {
                x=sk_X509_value(s->ctx->extra_certs,i);
-                n=i2d_X509(x,NULL);
+                if (ssl3_add_cert_to_buf(buf, &l, x))
-                if (!BUF_MEM_grow_clean(buf,(int)(n+l+3)))
-                        {
-                        SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
                        return(0);
-                        }
-                p=(unsigned char *)&(buf->data[l]);
-                l2n3(n,p);
-                i2d_X509(x,&p);
-                l+=n+3;
                }
        l-=7;
@@ -518,9 +550,16 @@ int ssl_cert_type(X509 *x, EVP_PKEY *pkey)
        else if (i == EVP_PKEY_EC)
                {
                ret = SSL_PKEY_ECC;
-                }
+                }       
 #endif
+        else if (i == NID_id_GostR3410_94 || i == NID_id_GostR3410_94_cc) 
+                {
+                ret = SSL_PKEY_GOST94;
+                }
+        else if (i == NID_id_GostR3410_2001 || i == NID_id_GostR3410_2001_cc) 
+                {
+                ret = SSL_PKEY_GOST01;
+                }
 err:
        if(!pkey) EVP_PKEY_free(pk);
        return(ret);
@@ -586,37 +625,189 @@ int ssl_verify_alarm_type(long type)
        return(al);
        }
-int ssl3_setup_buffers(SSL *s)
+#ifndef OPENSSL_NO_BUF_FREELISTS
+/* On some platforms, malloc() performance is bad enough that you can't just
+ * free() and malloc() buffers all the time, so we need to use freelists from
+ * unused buffers.  Currently, each freelist holds memory chunks of only a
+ * given size (list->chunklen); other sized chunks are freed and malloced.
+ * This doesn't help much if you're using many different SSL option settings
+ * with a given context.  (The options affecting buffer size are
+ * max_send_fragment, read buffer vs write buffer,
+ * SSL_OP_MICROSOFT_BIG_WRITE_BUFFER, SSL_OP_NO_COMPRESSION, and
+ * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.)  Using a separate freelist for every
+ * possible size is not an option, since max_send_fragment can take on many
+ * different values.
+ *
+ * If you are on a platform with a slow malloc(), and you're using SSL
+ * connections with many different settings for these options, and you need to
+ * use the SSL_MOD_RELEASE_BUFFERS feature, you have a few options:
+ *    - Link against a faster malloc implementation.
+ *    - Use a separate SSL_CTX for each option set.
+ *    - Improve this code.
+ */
+static void *
+freelist_extract(SSL_CTX *ctx, int for_read, int sz)
+        {
+        SSL3_BUF_FREELIST *list;
+        SSL3_BUF_FREELIST_ENTRY *ent = NULL;
+        void *result = NULL;
+        CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
+        list = for_read ? ctx->rbuf_freelist : ctx->wbuf_freelist;
+        if (list != NULL && sz == (int)list->chunklen)
+                ent = list->head;
+        if (ent != NULL)
+                {
+                list->head = ent->next;
+                result = ent;
+                if (--list->len == 0)
+                        list->chunklen = 0;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
+        if (!result)
+                result = OPENSSL_malloc(sz);
+        return result;
+}
+static void
+freelist_insert(SSL_CTX *ctx, int for_read, size_t sz, void *mem)
+        {
+        SSL3_BUF_FREELIST *list;
+        SSL3_BUF_FREELIST_ENTRY *ent;
+        CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
+        list = for_read ? ctx->rbuf_freelist : ctx->wbuf_freelist;
+        if (list != NULL &&
+            (sz == list->chunklen || list->chunklen == 0) &&
+            list->len < ctx->freelist_max_len &&
+            sz >= sizeof(*ent))
+                {
+                list->chunklen = sz;
+                ent = mem;
+                ent->next = list->head;
+                list->head = ent;
+                ++list->len;
+                mem = NULL;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
+        if (mem)
+                OPENSSL_free(mem);
+        }
+#else
+#define freelist_extract(c,fr,sz) OPENSSL_malloc(sz)
+#define freelist_insert(c,fr,sz,m) OPENSSL_free(m)
+#endif
+int ssl3_setup_read_buffer(SSL *s)
        {
        unsigned char *p;
-        unsigned int extra;
+        size_t len,align=0,headerlen;
-        size_t len;
+        
+        if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
+                headerlen = DTLS1_RT_HEADER_LENGTH;
+        else
+                headerlen = SSL3_RT_HEADER_LENGTH;
+#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
+        align = (-SSL3_RT_HEADER_LENGTH)&(SSL3_ALIGN_PAYLOAD-1);
+#endif
        if (s->s3->rbuf.buf == NULL)
                {
+                len = SSL3_RT_MAX_PLAIN_LENGTH
+                        + SSL3_RT_MAX_ENCRYPTED_OVERHEAD
+                        + headerlen + align;
                if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
-                        extra=SSL3_RT_MAX_EXTRA;
+                        {
-                else
+                        s->s3->init_extra = 1;
-                        extra=0;
+                        len += SSL3_RT_MAX_EXTRA;
-                len = SSL3_RT_MAX_PACKET_SIZE + extra;
+                        }
-                if ((p=OPENSSL_malloc(len)) == NULL)
+#ifndef OPENSSL_NO_COMP
+                if (!(s->options & SSL_OP_NO_COMPRESSION))
+                        len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
+#endif
+                if ((p=freelist_extract(s->ctx, 1, len)) == NULL)
                        goto err;
                s->s3->rbuf.buf = p;
                s->s3->rbuf.len = len;
                }
+        s->packet= &(s->s3->rbuf.buf[0]);
+        return 1;
+err:
+        SSLerr(SSL_F_SSL3_SETUP_READ_BUFFER,ERR_R_MALLOC_FAILURE);
+        return 0;
+        }
+int ssl3_setup_write_buffer(SSL *s)
+        {
+        unsigned char *p;
+        size_t len,align=0,headerlen;
+        if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
+                headerlen = DTLS1_RT_HEADER_LENGTH + 1;
+        else
+                headerlen = SSL3_RT_HEADER_LENGTH;
+#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
+        align = (-SSL3_RT_HEADER_LENGTH)&(SSL3_ALIGN_PAYLOAD-1);
+#endif
        if (s->s3->wbuf.buf == NULL)
                {
-                len = SSL3_RT_MAX_PACKET_SIZE;
+                len = s->max_send_fragment
-                len += SSL3_RT_HEADER_LENGTH + 256; /* extra space for empty fragment */
+                        + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD
-                if ((p=OPENSSL_malloc(len)) == NULL)
+                        + headerlen + align;
+#ifndef OPENSSL_NO_COMP
+                if (!(s->options & SSL_OP_NO_COMPRESSION))
+                        len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
+#endif
+                if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
+                        len += headerlen + align
+                                + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
+                if ((p=freelist_extract(s->ctx, 0, len)) == NULL)
                        goto err;
                s->s3->wbuf.buf = p;
                s->s3->wbuf.len = len;
                }
-        s->packet= &(s->s3->rbuf.buf[0]);
-        return(1);
+        return 1;
 err:
-        SSLerr(SSL_F_SSL3_SETUP_BUFFERS,ERR_R_MALLOC_FAILURE);
+        SSLerr(SSL_F_SSL3_SETUP_WRITE_BUFFER,ERR_R_MALLOC_FAILURE);
-        return(0);
+        return 0;
+        }
+int ssl3_setup_buffers(SSL *s)
+        {
+        if (!ssl3_setup_read_buffer(s))
+                return 0;
+        if (!ssl3_setup_write_buffer(s))
+                return 0;
+        return 1;
        }
+int ssl3_release_write_buffer(SSL *s)
+        {
+        if (s->s3->wbuf.buf != NULL)
+                {
+                freelist_insert(s->ctx, 0, s->s3->wbuf.len, s->s3->wbuf.buf);
+                s->s3->wbuf.buf = NULL;
+                }
+        return 1;
+        }
+int ssl3_release_read_buffer(SSL *s)
+        {
+        if (s->s3->rbuf.buf != NULL)
+                {
+                freelist_insert(s->ctx, 1, s->s3->rbuf.len, s->s3->rbuf.buf);
+                s->s3->rbuf.buf = NULL;
+                }
+        return 1;
+        }
author	djm <>	2010-10-01 22:59:01 +0000
committer	djm <>	2010-10-01 22:59:01 +0000
commit	8922d4bc4a8b8893d72a48deb2cdf58215f98505 (patch)
tree	939b752540947d33507b3acc48d76a8bfb7c3dc3 /src/lib/libssl/s3_both.c
parent	76262f7bf9262f965142b1b2b2105cb279c5c696 (diff)
download	openbsd-8922d4bc4a8b8893d72a48deb2cdf58215f98505.tar.gz openbsd-8922d4bc4a8b8893d72a48deb2cdf58215f98505.tar.bz2 openbsd-8922d4bc4a8b8893d72a48deb2cdf58215f98505.zip

diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c index 2ecfbb77cb..a6d869df59 100644 --- a/src/lib/libssl/s3_both.c +++ b/src/lib/libssl/s3_both.c
@@ -160,14 +160,29 @@ int ssl3_send_finished(SSL s, int a, int b, const char sender, int slen)
160	p= &(d[4]);	160	p= &(d[4]);
161		161
162	i=s->method->ssl3_enc->final_finish_mac(s,	162	i=s->method->ssl3_enc->final_finish_mac(s,
163	&(s->s3->finish_dgst1),
164	&(s->s3->finish_dgst2),
165	sender,slen,s->s3->tmp.finish_md);	163	sender,slen,s->s3->tmp.finish_md);
166	s->s3->tmp.finish_md_len = i;	164	s->s3->tmp.finish_md_len = i;
167	memcpy(p, s->s3->tmp.finish_md, i);	165	memcpy(p, s->s3->tmp.finish_md, i);
168	p+=i;	166	p+=i;
169	l=i;	167	l=i;
170		168
		169	/* Copy the finished so we can use it for
		170	renegotiation checks */
		171	if(s->type == SSL_ST_CONNECT)
		172	{
		173	OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
		174	memcpy(s->s3->previous_client_finished,
		175	s->s3->tmp.finish_md, i);
		176	s->s3->previous_client_finished_len=i;
		177	}
		178	else
		179	{
		180	OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
		181	memcpy(s->s3->previous_server_finished,
		182	s->s3->tmp.finish_md, i);
		183	s->s3->previous_server_finished_len=i;
		184	}
		185
171	#ifdef OPENSSL_SYS_WIN16	186	#ifdef OPENSSL_SYS_WIN16
172	/* MSVC 1.5 does not clear the top bytes of the word unless	187	/* MSVC 1.5 does not clear the top bytes of the word unless
173	* I do this.	188	* I do this.
@@ -232,6 +247,23 @@ int ssl3_get_finished(SSL *s, int a, int b)
232	goto f_err;	247	goto f_err;
233	}	248	}
234		249
		250	/* Copy the finished so we can use it for
		251	renegotiation checks */
		252	if(s->type == SSL_ST_ACCEPT)
		253	{
		254	OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
		255	memcpy(s->s3->previous_client_finished,
		256	s->s3->tmp.peer_finish_md, i);
		257	s->s3->previous_client_finished_len=i;
		258	}
		259	else
		260	{
		261	OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
		262	memcpy(s->s3->previous_server_finished,
		263	s->s3->tmp.peer_finish_md, i);
		264	s->s3->previous_server_finished_len=i;
		265	}
		266
235	return(1);	267	return(1);
236	f_err:	268	f_err:
237	ssl3_send_alert(s,SSL3_AL_FATAL,al);	269	ssl3_send_alert(s,SSL3_AL_FATAL,al);
@@ -264,15 +296,31 @@ int ssl3_send_change_cipher_spec(SSL *s, int a, int b)
264	return(ssl3_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC));	296	return(ssl3_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC));
265	}	297	}
266		298
		299	static int ssl3_add_cert_to_buf(BUF_MEM buf, unsigned long l, X509 *x)
		300	{
		301	int n;
		302	unsigned char *p;
		303
		304	n=i2d_X509(x,NULL);
		305	if (!BUF_MEM_grow_clean(buf,(int)(n+(*l)+3)))
		306	{
		307	SSLerr(SSL_F_SSL3_ADD_CERT_TO_BUF,ERR_R_BUF_LIB);
		308	return(-1);
		309	}
		310	p=(unsigned char )&(buf->data[l]);
		311	l2n3(n,p);
		312	i2d_X509(x,&p);
		313	*l+=n+3;
		314
		315	return(0);
		316	}
		317
267	unsigned long ssl3_output_cert_chain(SSL s, X509 x)	318	unsigned long ssl3_output_cert_chain(SSL s, X509 x)
268	{	319	{
269	unsigned char *p;	320	unsigned char *p;
270	int n,i;	321	int i;
271	unsigned long l=7;	322	unsigned long l=7;
272	BUF_MEM *buf;	323	BUF_MEM *buf;
273	X509_STORE_CTX xs_ctx;
274	X509_OBJECT obj;
275
276	int no_chain;	324	int no_chain;
277		325
278	if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) \|\| s->ctx->extra_certs)	326	if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) \|\| s->ctx->extra_certs)
@@ -289,58 +337,42 @@ unsigned long ssl3_output_cert_chain(SSL s, X509 x)
289	}	337	}
290	if (x != NULL)	338	if (x != NULL)
291	{	339	{
292	if(!no_chain && !X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL))	340	if (no_chain)
293	{	341	{
294	SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB);	342	if (ssl3_add_cert_to_buf(buf, &l, x))
295	return(0);	343	return(0);
296	}	344	}
297		345	else
298	for (;;)
299	{	346	{
300	n=i2d_X509(x,NULL);	347	X509_STORE_CTX xs_ctx;
301	if (!BUF_MEM_grow_clean(buf,(int)(n+l+3)))	348
		349	if (!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,x,NULL))
302	{	350	{
303	SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);	351	SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB);
304	return(0);	352	return(0);
305	}	353	}
306	p=(unsigned char *)&(buf->data[l]);	354	X509_verify_cert(&xs_ctx);
307	l2n3(n,p);	355	/* Don't leave errors in the queue */
308	i2d_X509(x,&p);	356	ERR_clear_error();
309	l+=n+3;	357	for (i=0; i < sk_X509_num(xs_ctx.chain); i++)
310		358	{
311	if (no_chain)	359	x = sk_X509_value(xs_ctx.chain, i);
312	break;	360
313		361	if (ssl3_add_cert_to_buf(buf, &l, x))
314	if (X509_NAME_cmp(X509_get_subject_name(x),	362	{
315	X509_get_issuer_name(x)) == 0) break;	363	X509_STORE_CTX_cleanup(&xs_ctx);
316		364	return 0;
317	i=X509_STORE_get_by_subject(&xs_ctx,X509_LU_X509,	365	}
318	X509_get_issuer_name(x),&obj);	366	}
319	if (i <= 0) break;
320	x=obj.data.x509;
321	/* Count is one too high since the X509_STORE_get uped the
322	* ref count */
323	X509_free(x);
324	}
325	if (!no_chain)
326	X509_STORE_CTX_cleanup(&xs_ctx);	367	X509_STORE_CTX_cleanup(&xs_ctx);
		368	}
327	}	369	}
328
329	/* Thawte special :-) */	370	/* Thawte special :-) */
330	if (s->ctx->extra_certs != NULL)
331	for (i=0; i<sk_X509_num(s->ctx->extra_certs); i++)	371	for (i=0; i<sk_X509_num(s->ctx->extra_certs); i++)
332	{	372	{
333	x=sk_X509_value(s->ctx->extra_certs,i);	373	x=sk_X509_value(s->ctx->extra_certs,i);
334	n=i2d_X509(x,NULL);	374	if (ssl3_add_cert_to_buf(buf, &l, x))
335	if (!BUF_MEM_grow_clean(buf,(int)(n+l+3)))
336	{
337	SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
338	return(0);	375	return(0);
339	}
340	p=(unsigned char *)&(buf->data[l]);
341	l2n3(n,p);
342	i2d_X509(x,&p);
343	l+=n+3;
344	}	376	}
345		377
346	l-=7;	378	l-=7;
@@ -518,9 +550,16 @@ int ssl_cert_type(X509 x, EVP_PKEY pkey)
518	else if (i == EVP_PKEY_EC)	550	else if (i == EVP_PKEY_EC)
519	{	551	{
520	ret = SSL_PKEY_ECC;	552	ret = SSL_PKEY_ECC;
521	}	553	}
522	#endif	554	#endif
523		555	else if (i == NID_id_GostR3410_94 \|\| i == NID_id_GostR3410_94_cc)
		556	{
		557	ret = SSL_PKEY_GOST94;
		558	}
		559	else if (i == NID_id_GostR3410_2001 \|\| i == NID_id_GostR3410_2001_cc)
		560	{
		561	ret = SSL_PKEY_GOST01;
		562	}
524	err:	563	err:
525	if(!pkey) EVP_PKEY_free(pk);	564	if(!pkey) EVP_PKEY_free(pk);
526	return(ret);	565	return(ret);
@@ -586,37 +625,189 @@ int ssl_verify_alarm_type(long type)
586	return(al);	625	return(al);
587	}	626	}
588		627
589	int ssl3_setup_buffers(SSL *s)	628	#ifndef OPENSSL_NO_BUF_FREELISTS
		629	/* On some platforms, malloc() performance is bad enough that you can't just
		630	* free() and malloc() buffers all the time, so we need to use freelists from
		631	* unused buffers. Currently, each freelist holds memory chunks of only a
		632	* given size (list->chunklen); other sized chunks are freed and malloced.
		633	* This doesn't help much if you're using many different SSL option settings
		634	* with a given context. (The options affecting buffer size are
		635	* max_send_fragment, read buffer vs write buffer,
		636	* SSL_OP_MICROSOFT_BIG_WRITE_BUFFER, SSL_OP_NO_COMPRESSION, and
		637	* SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.) Using a separate freelist for every
		638	* possible size is not an option, since max_send_fragment can take on many
		639	* different values.
		640	*
		641	* If you are on a platform with a slow malloc(), and you're using SSL
		642	* connections with many different settings for these options, and you need to
		643	* use the SSL_MOD_RELEASE_BUFFERS feature, you have a few options:
		644	* - Link against a faster malloc implementation.
		645	* - Use a separate SSL_CTX for each option set.
		646	* - Improve this code.
		647	*/
		648	static void *
		649	freelist_extract(SSL_CTX *ctx, int for_read, int sz)
		650	{
		651	SSL3_BUF_FREELIST *list;
		652	SSL3_BUF_FREELIST_ENTRY *ent = NULL;
		653	void *result = NULL;
		654
		655	CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
		656	list = for_read ? ctx->rbuf_freelist : ctx->wbuf_freelist;
		657	if (list != NULL && sz == (int)list->chunklen)
		658	ent = list->head;
		659	if (ent != NULL)
		660	{
		661	list->head = ent->next;
		662	result = ent;
		663	if (--list->len == 0)
		664	list->chunklen = 0;
		665	}
		666	CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
		667	if (!result)
		668	result = OPENSSL_malloc(sz);
		669	return result;
		670	}
		671
		672	static void
		673	freelist_insert(SSL_CTX ctx, int for_read, size_t sz, void mem)
		674	{
		675	SSL3_BUF_FREELIST *list;
		676	SSL3_BUF_FREELIST_ENTRY *ent;
		677
		678	CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
		679	list = for_read ? ctx->rbuf_freelist : ctx->wbuf_freelist;
		680	if (list != NULL &&
		681	(sz == list->chunklen \|\| list->chunklen == 0) &&
		682	list->len < ctx->freelist_max_len &&
		683	sz >= sizeof(*ent))
		684	{
		685	list->chunklen = sz;
		686	ent = mem;
		687	ent->next = list->head;
		688	list->head = ent;
		689	++list->len;
		690	mem = NULL;
		691	}
		692
		693	CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
		694	if (mem)
		695	OPENSSL_free(mem);
		696	}
		697	#else
		698	#define freelist_extract(c,fr,sz) OPENSSL_malloc(sz)
		699	#define freelist_insert(c,fr,sz,m) OPENSSL_free(m)
		700	#endif
		701
		702	int ssl3_setup_read_buffer(SSL *s)
590	{	703	{
591	unsigned char *p;	704	unsigned char *p;
592	unsigned int extra;	705	size_t len,align=0,headerlen;
593	size_t len;	706
		707	if (SSL_version(s) == DTLS1_VERSION \|\| SSL_version(s) == DTLS1_BAD_VER)
		708	headerlen = DTLS1_RT_HEADER_LENGTH;
		709	else
		710	headerlen = SSL3_RT_HEADER_LENGTH;
		711
		712	#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
		713	align = (-SSL3_RT_HEADER_LENGTH)&(SSL3_ALIGN_PAYLOAD-1);
		714	#endif
594		715
595	if (s->s3->rbuf.buf == NULL)	716	if (s->s3->rbuf.buf == NULL)
596	{	717	{
		718	len = SSL3_RT_MAX_PLAIN_LENGTH
		719	+ SSL3_RT_MAX_ENCRYPTED_OVERHEAD
		720	+ headerlen + align;
597	if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)	721	if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
598	extra=SSL3_RT_MAX_EXTRA;	722	{
599	else	723	s->s3->init_extra = 1;
600	extra=0;	724	len += SSL3_RT_MAX_EXTRA;
601	len = SSL3_RT_MAX_PACKET_SIZE + extra;	725	}
602	if ((p=OPENSSL_malloc(len)) == NULL)	726	#ifndef OPENSSL_NO_COMP
		727	if (!(s->options & SSL_OP_NO_COMPRESSION))
		728	len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
		729	#endif
		730	if ((p=freelist_extract(s->ctx, 1, len)) == NULL)
603	goto err;	731	goto err;
604	s->s3->rbuf.buf = p;	732	s->s3->rbuf.buf = p;
605	s->s3->rbuf.len = len;	733	s->s3->rbuf.len = len;
606	}	734	}
607		735
		736	s->packet= &(s->s3->rbuf.buf[0]);
		737	return 1;
		738
		739	err:
		740	SSLerr(SSL_F_SSL3_SETUP_READ_BUFFER,ERR_R_MALLOC_FAILURE);
		741	return 0;
		742	}
		743
		744	int ssl3_setup_write_buffer(SSL *s)
		745	{
		746	unsigned char *p;
		747	size_t len,align=0,headerlen;
		748
		749	if (SSL_version(s) == DTLS1_VERSION \|\| SSL_version(s) == DTLS1_BAD_VER)
		750	headerlen = DTLS1_RT_HEADER_LENGTH + 1;
		751	else
		752	headerlen = SSL3_RT_HEADER_LENGTH;
		753
		754	#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
		755	align = (-SSL3_RT_HEADER_LENGTH)&(SSL3_ALIGN_PAYLOAD-1);
		756	#endif
		757
608	if (s->s3->wbuf.buf == NULL)	758	if (s->s3->wbuf.buf == NULL)
609	{	759	{
610	len = SSL3_RT_MAX_PACKET_SIZE;	760	len = s->max_send_fragment
611	len += SSL3_RT_HEADER_LENGTH + 256; /* extra space for empty fragment */	761	+ SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD
612	if ((p=OPENSSL_malloc(len)) == NULL)	762	+ headerlen + align;
		763	#ifndef OPENSSL_NO_COMP
		764	if (!(s->options & SSL_OP_NO_COMPRESSION))
		765	len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
		766	#endif
		767	if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
		768	len += headerlen + align
		769	+ SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
		770
		771	if ((p=freelist_extract(s->ctx, 0, len)) == NULL)
613	goto err;	772	goto err;
614	s->s3->wbuf.buf = p;	773	s->s3->wbuf.buf = p;
615	s->s3->wbuf.len = len;	774	s->s3->wbuf.len = len;
616	}	775	}
617	s->packet= &(s->s3->rbuf.buf[0]);	776
618	return(1);	777	return 1;
		778
619	err:	779	err:
620	SSLerr(SSL_F_SSL3_SETUP_BUFFERS,ERR_R_MALLOC_FAILURE);	780	SSLerr(SSL_F_SSL3_SETUP_WRITE_BUFFER,ERR_R_MALLOC_FAILURE);
621	return(0);	781	return 0;
		782	}
		783
		784
		785	int ssl3_setup_buffers(SSL *s)
		786	{
		787	if (!ssl3_setup_read_buffer(s))
		788	return 0;
		789	if (!ssl3_setup_write_buffer(s))
		790	return 0;
		791	return 1;
622	}	792	}
		793
		794	int ssl3_release_write_buffer(SSL *s)
		795	{
		796	if (s->s3->wbuf.buf != NULL)
		797	{
		798	freelist_insert(s->ctx, 0, s->s3->wbuf.len, s->s3->wbuf.buf);
		799	s->s3->wbuf.buf = NULL;
		800	}
		801	return 1;
		802	}
		803
		804	int ssl3_release_read_buffer(SSL *s)
		805	{
		806	if (s->s3->rbuf.buf != NULL)
		807	{
		808	freelist_insert(s->ctx, 1, s->s3->rbuf.len, s->s3->rbuf.buf);
		809	s->s3->rbuf.buf = NULL;
		810	}
		811	return 1;
		812	}
		813