#14371: Add opensll to main repository
diff --git a/jni/openssl/patches/small_records.patch b/jni/openssl/patches/small_records.patch
new file mode 100644
index 0000000..a2ea51c
--- /dev/null
+++ b/jni/openssl/patches/small_records.patch
@@ -0,0 +1,337 @@
+--- openssl-1.0.0a.orig/ssl/d1_pkt.c 2010-04-14 00:09:55.000000000 +0000
++++ openssl-1.0.0a/ssl/d1_pkt.c 2010-08-25 21:12:39.000000000 +0000
+@@ -608,6 +608,24 @@ again:
+ goto again;
+ }
+
++ /* If we receive a valid record larger than the current buffer size,
++ * allocate some memory for it.
++ */
++ if (rr->length > s->s3->rbuf.len - DTLS1_RT_HEADER_LENGTH)
++ {
++ unsigned char *pp;
++ unsigned int newlen = rr->length + DTLS1_RT_HEADER_LENGTH;
++ if ((pp=OPENSSL_realloc(s->s3->rbuf.buf, newlen))==NULL)
++ {
++ SSLerr(SSL_F_DTLS1_GET_RECORD,ERR_R_MALLOC_FAILURE);
++ return(-1);
++ }
++ p = pp + (p - s->s3->rbuf.buf);
++ s->s3->rbuf.buf=pp;
++ s->s3->rbuf.len=newlen;
++ s->packet= &(s->s3->rbuf.buf[0]);
++ }
++
+ /* now s->rstate == SSL_ST_READ_BODY */
+ }
+
+@@ -1342,6 +1360,7 @@ int do_dtls1_write(SSL *s, int type, con
+ SSL3_BUFFER *wb;
+ SSL_SESSION *sess;
+ int bs;
++ unsigned int len_with_overhead = len + SSL3_RT_DEFAULT_WRITE_OVERHEAD;
+
+ /* first check if there is a SSL3_BUFFER still being written
+ * out. This will happen with non blocking IO */
+@@ -1351,6 +1370,16 @@ int do_dtls1_write(SSL *s, int type, con
+ return(ssl3_write_pending(s,type,buf,len));
+ }
+
++ if (s->s3->wbuf.len < len_with_overhead)
++ {
++ if ((p=OPENSSL_realloc(s->s3->wbuf.buf, len_with_overhead)) == NULL) {
++ SSLerr(SSL_F_DO_DTLS1_WRITE,ERR_R_MALLOC_FAILURE);
++ goto err;
++ }
++ s->s3->wbuf.buf = p;
++ s->s3->wbuf.len = len_with_overhead;
++ }
++
+ /* If we have an alert to send, lets send it */
+ if (s->s3->alert_dispatch)
+ {
+--- openssl-1.0.0a.orig/ssl/s23_srvr.c 2010-02-16 14:20:40.000000000 +0000
++++ openssl-1.0.0a/ssl/s23_srvr.c 2010-08-25 21:12:39.000000000 +0000
+@@ -403,8 +403,13 @@ int ssl23_get_client_hello(SSL *s)
+ v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
+ v[1] = p[4];
+
++/* The SSL2 protocol allows n to be larger, just pick
++ * a reasonable buffer size. */
++#if SSL3_RT_DEFAULT_PACKET_SIZE < 1024*4 - SSL3_RT_DEFAULT_WRITE_OVERHEAD
++#error "SSL3_RT_DEFAULT_PACKET_SIZE is too small."
++#endif
+ n=((p[0]&0x7f)<<8)|p[1];
+- if (n > (1024*4))
++ if (n > SSL3_RT_DEFAULT_PACKET_SIZE - 2)
+ {
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
+ goto err;
+--- openssl-1.0.0a.orig/ssl/s3_both.c 2010-03-24 23:16:49.000000000 +0000
++++ openssl-1.0.0a/ssl/s3_both.c 2010-08-25 21:12:39.000000000 +0000
+@@ -715,13 +722,20 @@ int ssl3_setup_read_buffer(SSL *s)
+
+ if (s->s3->rbuf.buf == NULL)
+ {
+- len = SSL3_RT_MAX_PLAIN_LENGTH
+- + SSL3_RT_MAX_ENCRYPTED_OVERHEAD
+- + headerlen + align;
+- if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
++ if (SSL_get_mode(s) & SSL_MODE_SMALL_BUFFERS)
+ {
+- s->s3->init_extra = 1;
+- len += SSL3_RT_MAX_EXTRA;
++ len = SSL3_RT_DEFAULT_PACKET_SIZE;
++ }
++ else
++ {
++ len = SSL3_RT_MAX_PLAIN_LENGTH
++ + SSL3_RT_MAX_ENCRYPTED_OVERHEAD
++ + headerlen + align;
++ if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
++ {
++ s->s3->init_extra = 1;
++ len += SSL3_RT_MAX_EXTRA;
++ }
+ }
+ #ifndef OPENSSL_NO_COMP
+ if (!(s->options & SSL_OP_NO_COMPRESSION))
+@@ -757,7 +771,15 @@ int ssl3_setup_write_buffer(SSL *s)
+
+ if (s->s3->wbuf.buf == NULL)
+ {
+- len = s->max_send_fragment
++ if (SSL_get_mode(s) & SSL_MODE_SMALL_BUFFERS)
++ {
++ len = SSL3_RT_DEFAULT_PACKET_SIZE;
++ }
++ else
++ {
++ len = s->max_send_fragment;
++ }
++ len += 0
+ + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD
+ + headerlen + align;
+ #ifndef OPENSSL_NO_COMP
+@@ -767,7 +789,6 @@ int ssl3_setup_write_buffer(SSL *s)
+ if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
+ len += headerlen + align
+ + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
+-
+ if ((p=freelist_extract(s->ctx, 0, len)) == NULL)
+ goto err;
+ s->s3->wbuf.buf = p;
+@@ -810,4 +831,3 @@ int ssl3_release_read_buffer(SSL *s)
+ }
+ return 1;
+ }
+-
+--- openssl-1.0.0a.orig/ssl/s3_pkt.c 2010-03-25 11:22:42.000000000 +0000
++++ openssl-1.0.0a/ssl/s3_pkt.c 2010-08-25 21:12:39.000000000 +0000
+@@ -293,6 +293,11 @@ static int ssl3_get_record(SSL *s)
+ size_t extra;
+ int decryption_failed_or_bad_record_mac = 0;
+ unsigned char *mac = NULL;
++#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
++ long align=SSL3_ALIGN_PAYLOAD;
++#else
++ long align=0;
++#endif
+
+ rr= &(s->s3->rrec);
+ sess=s->session;
+@@ -301,7 +306,8 @@ static int ssl3_get_record(SSL *s)
+ extra=SSL3_RT_MAX_EXTRA;
+ else
+ extra=0;
+- if (extra && !s->s3->init_extra)
++ if (!(SSL_get_mode(s) & SSL_MODE_SMALL_BUFFERS) &&
++ extra && !s->s3->init_extra)
+ {
+ /* An application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER
+ * set after ssl3_setup_buffers() was done */
+@@ -350,6 +356,21 @@ fprintf(stderr, "Record type=%d, Length=
+ goto err;
+ }
+
++ /* If we receive a valid record larger than the current buffer size,
++ * allocate some memory for it.
++ */
++ if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH - align)
++ {
++ if ((p=OPENSSL_realloc(s->s3->rbuf.buf, rr->length + SSL3_RT_HEADER_LENGTH + align))==NULL)
++ {
++ SSLerr(SSL_F_SSL3_GET_RECORD,ERR_R_MALLOC_FAILURE);
++ goto err;
++ }
++ s->s3->rbuf.buf=p;
++ s->s3->rbuf.len=rr->length + SSL3_RT_HEADER_LENGTH + align;
++ s->packet= &(s->s3->rbuf.buf[0]);
++ }
++
+ if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH)
+ {
+ al=SSL_AD_RECORD_OVERFLOW;
+@@ -576,6 +597,7 @@ int ssl3_write_bytes(SSL *s, int type, c
+ const unsigned char *buf=buf_;
+ unsigned int tot,n,nw;
+ int i;
++ unsigned int max_plain_length;
+
+ s->rwstate=SSL_NOTHING;
+ tot=s->s3->wnum;
+@@ -595,8 +617,13 @@ int ssl3_write_bytes(SSL *s, int type, c
+ n=(len-tot);
+ for (;;)
+ {
+- if (n > s->max_send_fragment)
+- nw=s->max_send_fragment;
++ if (type == SSL3_RT_APPLICATION_DATA && (SSL_get_mode(s) & SSL_MODE_SMALL_BUFFERS))
++ max_plain_length = SSL3_RT_DEFAULT_PLAIN_LENGTH;
++ else
++ max_plain_length = s->max_send_fragment;
++
++ if (n > max_plain_length)
++ nw = max_plain_length;
+ else
+ nw=n;
+
+@@ -727,6 +727,18 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
+ s->s3->empty_fragment_done = 1;
+ }
+
++ /* resize if necessary to hold the data. */
++ if (len + SSL3_RT_DEFAULT_WRITE_OVERHEAD > wb->len)
++ {
++ if ((p=OPENSSL_realloc(wb->buf, len + SSL3_RT_DEFAULT_WRITE_OVERHEAD))==NULL)
++ {
++ SSLerr(SSL_F_DO_SSL3_WRITE,ERR_R_MALLOC_FAILURE);
++ goto err;
++ }
++ wb->buf = p;
++ wb->len = len + SSL3_RT_DEFAULT_WRITE_OVERHEAD;
++ }
++
+ if (create_empty_fragment)
+ {
+ #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
+--- openssl-1.0.0a.orig/ssl/ssl.h 2010-01-06 17:37:38.000000000 +0000
++++ openssl-1.0.0a/ssl/ssl.h 2010-08-25 21:12:39.000000000 +0000
+@@ -602,6 +602,9 @@ typedef struct ssl_session_st
+ * TLS only.) "Released" buffers are put onto a free-list in the context
+ * or just freed (depending on the context's setting for freelist_max_len). */
+ #define SSL_MODE_RELEASE_BUFFERS 0x00000010L
++/* Use small read and write buffers: (a) lazy allocate read buffers for
++ * large incoming records, and (b) limit the size of outgoing records. */
++#define SSL_MODE_SMALL_BUFFERS 0x00000020L
+
+ /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
+ * they cannot be used to clear bits. */
+--- openssl-1.0.0a.orig/ssl/ssl3.h 2010-01-06 17:37:38.000000000 +0000
++++ openssl-1.0.0a/ssl/ssl3.h 2010-08-25 21:12:39.000000000 +0000
+@@ -280,6 +280,9 @@ extern "C" {
+
+ #define SSL3_RT_MAX_EXTRA (16384)
+
++/* Default buffer length used for writen records. Thus a generated record
++ * will contain plaintext no larger than this value. */
++#define SSL3_RT_DEFAULT_PLAIN_LENGTH 2048
+ /* Maximum plaintext length: defined by SSL/TLS standards */
+ #define SSL3_RT_MAX_PLAIN_LENGTH 16384
+ /* Maximum compression overhead: defined by SSL/TLS standards */
+@@ -311,6 +314,13 @@ extern "C" {
+ #define SSL3_RT_MAX_PACKET_SIZE \
+ (SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH)
+
++/* Extra space for empty fragment, headers, MAC, and padding. */
++#define SSL3_RT_DEFAULT_WRITE_OVERHEAD 256
++#define SSL3_RT_DEFAULT_PACKET_SIZE 4096 - SSL3_RT_DEFAULT_WRITE_OVERHEAD
++#if SSL3_RT_DEFAULT_PLAIN_LENGTH + SSL3_RT_DEFAULT_WRITE_OVERHEAD > SSL3_RT_DEFAULT_PACKET_SIZE
++#error "Insufficient space allocated for write buffers."
++#endif
++
+ #define SSL3_MD_CLIENT_FINISHED_CONST "\x43\x4C\x4E\x54"
+ #define SSL3_MD_SERVER_FINISHED_CONST "\x53\x52\x56\x52"
+
+@@ -634,4 +645,3 @@ typedef struct ssl3_state_st
+ }
+ #endif
+ #endif
+-
+--- openssl-1.0.0a.orig/ssl/ssltest.c 2010-01-24 16:57:38.000000000 +0000
++++ openssl-1.0.0a/ssl/ssltest.c 2010-08-25 21:12:39.000000000 +0000
+@@ -316,6 +316,8 @@ static void sv_usage(void)
+ " (default is sect163r2).\n");
+ #endif
+ fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
++ fprintf(stderr," -c_small_records - enable client side use of small SSL record buffers\n");
++ fprintf(stderr," -s_small_records - enable server side use of small SSL record buffers\n");
+ }
+
+ static void print_details(SSL *c_ssl, const char *prefix)
+@@ -444,6 +447,9 @@ int opaque_prf_input_cb(SSL *ssl, void *
+ return arg->ret;
+ }
+ #endif
++ int ssl_mode = 0;
++ int c_small_records=0;
++ int s_small_records=0;
+
+ int main(int argc, char *argv[])
+ {
+@@ -680,6 +687,14 @@ int main(int argc, char *argv[])
+ {
+ test_cipherlist = 1;
+ }
++ else if (strcmp(*argv, "-c_small_records") == 0)
++ {
++ c_small_records = 1;
++ }
++ else if (strcmp(*argv, "-s_small_records") == 0)
++ {
++ s_small_records = 1;
++ }
+ else
+ {
+ fprintf(stderr,"unknown option %s\n",*argv);
+@@ -802,6 +821,21 @@ bad:
+ SSL_CTX_set_cipher_list(s_ctx,cipher);
+ }
+
++ ssl_mode = 0;
++ if (c_small_records)
++ {
++ ssl_mode = SSL_CTX_get_mode(c_ctx);
++ ssl_mode |= SSL_MODE_SMALL_BUFFERS;
++ SSL_CTX_set_mode(c_ctx, ssl_mode);
++ }
++ ssl_mode = 0;
++ if (s_small_records)
++ {
++ ssl_mode = SSL_CTX_get_mode(s_ctx);
++ ssl_mode |= SSL_MODE_SMALL_BUFFERS;
++ SSL_CTX_set_mode(s_ctx, ssl_mode);
++ }
++
+ #ifndef OPENSSL_NO_DH
+ if (!no_dhe)
+ {
+--- openssl-1.0.0.orig/test/testssl 2006-03-10 15:06:27.000000000 -0800
++++ openssl-1.0.0/test/testssl 2010-04-26 10:24:55.000000000 -0700
+@@ -70,6 +70,16 @@ $ssltest -client_auth $CA $extra || exit
+ echo test sslv2/sslv3 with both client and server authentication
+ $ssltest -server_auth -client_auth $CA $extra || exit 1
+
++echo test sslv2/sslv3 with both client and server authentication and small client buffers
++$ssltest -server_auth -client_auth -c_small_records $CA $extra || exit 1
++
++echo test sslv2/sslv3 with both client and server authentication and small server buffers
++$ssltest -server_auth -client_auth -s_small_records $CA $extra || exit 1
++
++echo test sslv2/sslv3 with both client and server authentication and small client and server buffers
++$ssltest -server_auth -client_auth -c_small_records -s_small_records $CA $extra || exit 1
++
++
+ echo test sslv2 via BIO pair
+ $ssltest -bio_pair -ssl2 $extra || exit 1
+