Add |SSL_CTX_set0_buffer_pool|.

This currently only works for certificates parsed from the network, but if making several connections that share certificates, some KB of memory might be saved. Change-Id: I0ea4589d7a8b5c41df225ad7f282b6d1376a8db4 Reviewed-on: https://boringssl-review.googlesource.com/12164 Reviewed-by: Adam Langley <alangley@gmail.com>
2016-11-08 16:12:15 -08:00 · 2016-11-08 16:12:15 -08:00 · 5a6e616961
commit 5a6e616961
parent e8509090cf
5 changed files with 24 additions and 2 deletions
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@ -730,6 +730,16 @@ OPENSSL_EXPORT uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode);
 * modes enabled for |ssl|. */
 OPENSSL_EXPORT uint32_t SSL_get_mode(const SSL *ssl);

+/* SSL_CTX_set0_buffer_pool sets a |CRYPTO_BUFFER_POOL| that will be used to
+ * store certificates. This can allow multiple connections to share
+ * certificates and thus save memory.
+ *
+ * The SSL_CTX does not take ownership of |pool| and the caller must ensure
+ * that |pool| outlives |ctx| and all objects linked to it, including |SSL|,
+ * |X509| and |SSL_SESSION| objects. Basically, don't ever free |pool|. */
+OPENSSL_EXPORT void SSL_CTX_set0_buffer_pool(SSL_CTX *ctx,
+                                             CRYPTO_BUFFER_POOL *pool);
+

 /* Configuring certificates and private keys.
 *
@ -4073,6 +4083,10 @@ struct ssl_ctx_st {
   * TODO(agl): remove once node.js no longer references this. */
  STACK_OF(X509)* extra_certs;
  int freelist_max_len;
+
+  /* pool is used for all |CRYPTO_BUFFER|s in case we wish to share certificate
+   * memory. */
+  CRYPTO_BUFFER_POOL *pool;
 };

 typedef struct ssl_handshake_st SSL_HANDSHAKE;
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@ -685,6 +685,7 @@ static SSL_SESSION *SSL_SESSION_parse(CBS *cbs) {
    }

    if (has_peer) {
+      /* TODO(agl): this should use the |SSL_CTX|'s pool. */
      CRYPTO_BUFFER *buffer = CRYPTO_BUFFER_new_from_CBS(&peer, NULL);
      if (buffer == NULL) {
        OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
@ -719,6 +720,7 @@ static SSL_SESSION *SSL_SESSION_parse(CBS *cbs) {
        }
      }

+      /* TODO(agl): this should use the |SSL_CTX|'s pool. */
      CRYPTO_BUFFER *buffer = CRYPTO_BUFFER_new_from_CBS(&cert, NULL);
      if (buffer == NULL) {
        OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@ -481,7 +481,8 @@ int ssl_parse_cert_chain(SSL *ssl, STACK_OF(CRYPTO_BUFFER) **out_buffers,
      SHA256(CBS_data(&certificate), CBS_len(&certificate), out_leaf_sha256);
    }

-    CRYPTO_BUFFER *buffer = CRYPTO_BUFFER_new_from_CBS(&certificate, NULL);
+    CRYPTO_BUFFER *buffer =
+        CRYPTO_BUFFER_new_from_CBS(&certificate, ssl->ctx->pool);
    if (buffer == NULL) {
      *out_alert = SSL_AD_INTERNAL_ERROR;
      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@ -1080,6 +1080,10 @@ uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode) {

 uint32_t SSL_get_mode(const SSL *ssl) { return ssl->mode; }

+void SSL_CTX_set0_buffer_pool(SSL_CTX *ctx, CRYPTO_BUFFER_POOL *pool) {
+  ctx->pool = pool;
+}
+
 X509 *SSL_get_peer_certificate(const SSL *ssl) {
  if (ssl == NULL) {
    return NULL;
--- a/ssl/tls13_both.c
+++ b/ssl/tls13_both.c
@ -207,7 +207,8 @@ int tls13_process_certificate(SSL *ssl, int allow_anonymous) {
             ssl->s3->new_session->peer_sha256);
    }

-    CRYPTO_BUFFER *buffer = CRYPTO_BUFFER_new_from_CBS(&certificate, NULL);
+    CRYPTO_BUFFER *buffer =
+        CRYPTO_BUFFER_new_from_CBS(&certificate, ssl->ctx->pool);
    if (buffer == NULL) {
      ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);