SSL records may be as large as 16K, but are typically < 2K. In
addition, a historic bug in Windows allowed records to be as large
32K. OpenSSL statically allocates read and write buffers (34K and
18K respectively) used for processing records.
With this patch, OpenSSL statically allocates 4K + 4K buffers, with
the option of dynamically growing buffers to 34K + 4K, which is a
saving of 44K per connection for the typical case.
This patch is taken from the Android Open Source Project.
Removed NO_CAST, NO_MD2 and NO_STORE because otherwise there were build errors.
Added NO_CAMELLIA, NO_MDC2, and NO_CMS because otherwise there were linker errors.
ASN1_STRING_to_UTF8() passes an ASN1_STRING to ASN1_STRING_set() but forgot to
initialize the `length` field.
Fixes the following valgrind error:
$ valgrind -q --track-origins=yes --num-callers=19 \
out/Debug/node test/simple/test-tls-client-abort.js
==2690== Conditional jump or move depends on uninitialised value(s)
==2690== at 0x784B69: ASN1_STRING_set (asn1_lib.c:382)
==2690== by 0x809564: ASN1_mbstring_ncopy (a_mbstr.c:204)
==2690== by 0x8090F0: ASN1_mbstring_copy (a_mbstr.c:86)
==2690== by 0x782F1F: ASN1_STRING_to_UTF8 (a_strex.c:570)
==2690== by 0x78F090: asn1_string_canon (x_name.c:409)
==2690== by 0x78EF17: x509_name_canon (x_name.c:354)
==2690== by 0x78EA7D: x509_name_ex_d2i (x_name.c:210)
==2690== by 0x788058: ASN1_item_ex_d2i (tasn_dec.c:239)
==2690== by 0x7890D4: asn1_template_noexp_d2i (tasn_dec.c:746)
==2690== by 0x788CB6: asn1_template_ex_d2i (tasn_dec.c:607)
==2690== by 0x78877A: ASN1_item_ex_d2i (tasn_dec.c:448)
==2690== by 0x7890D4: asn1_template_noexp_d2i (tasn_dec.c:746)
==2690== by 0x788CB6: asn1_template_ex_d2i (tasn_dec.c:607)
==2690== by 0x78877A: ASN1_item_ex_d2i (tasn_dec.c:448)
==2690== by 0x787C93: ASN1_item_d2i (tasn_dec.c:136)
==2690== by 0x78F5E4: d2i_X509 (x_x509.c:141)
==2690== by 0x7C9B91: PEM_ASN1_read_bio (pem_oth.c:81)
==2690== by 0x7CA506: PEM_read_bio_X509 (pem_x509.c:67)
==2690== by 0x703C9A: node::crypto::SecureContext::AddRootCerts(v8::Arguments const&) (node_crypto.cc:497)
==2690== Uninitialised value was created by a stack allocation
==2690== at 0x782E89: ASN1_STRING_to_UTF8 (a_strex.c:560)
Check for potentially exploitable overflows in asn1_d2i_read_bio
BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
in CRYPTO_realloc_clean.
Taken from OpenSSL CVS. Addresses CVE-2012-2110.
The OPENSSL_NO_SOCK macro in OpenSSL missed a couple of networking functions
that called other functions that OPENSSL_NO_SOCK *had* filtered out. None of
the functions (filtered or not) were actually used but it was enough to trip
up the Solaris linker.
* compile with -DOPENSSL_NO_SOCK and -DOPENSSL_NO_DGRAM, we don't need it
* compile with -DOPENSSL_NO_GOST and -DOPENSSL_NO_HW_PADLOCK, works around the
brain dead linker on solaris and maybe others
* compile with -DTERMIOS, OS X doesn't have <termio.h>
* compile with -D__EXTENSIONS__ on solaris, makes siginfo_t available
* compile without -ansi on linux, it hides a number of POSIX declarations
(sigaction, NI_MAXHOST, etc.)
Fixes linker error "undefined reference to `OPENSSL_ia32_cpuid'". This is
sub-optimal and needs to be revisited, the plain C implementations are often
much slower.
Bert Belder
Nathan Rajlich
Ben Noordhuis
Fedor Indutny
Igor Zinkovsky
Evan Martin
Peter Bright
Ryan Dahl