diff options
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-06-05 15:36:18 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-06-22 12:54:18 +0200 |
| commit | 1b3ece44acaa25c149659a6878d2be807a282f02 (patch) | |
| tree | 1e37ffe93e058d49634c9e62cde98be65d015150 | |
| parent | 60c32a7527ddf5e9889a2e6d25f530f0e25212f3 (diff) | |
| download | gnutls-1b3ece44acaa25c149659a6878d2be807a282f02.tar.gz | |
Removed support for compression mechanisms
They are not required for TLS 1.3, and are deprecated for TLS 1.2.
We eliminate them in order to reduce the complexity in the record
packet handling.
Resolves #212
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| -rw-r--r-- | configure.ac | 31 | ||||
| -rw-r--r-- | lib/Makefile.am | 2 | ||||
| -rw-r--r-- | lib/cipher.c | 197 | ||||
| -rw-r--r-- | lib/compress.c | 385 | ||||
| -rw-r--r-- | lib/compress.h | 66 | ||||
| -rw-r--r-- | lib/constate.c | 49 | ||||
| -rw-r--r-- | lib/constate.h | 2 | ||||
| -rw-r--r-- | lib/dtls.c | 10 | ||||
| -rw-r--r-- | lib/gnutls.pc.in | 2 | ||||
| -rw-r--r-- | lib/gnutls_int.h | 10 | ||||
| -rw-r--r-- | lib/handshake.c | 170 | ||||
| -rw-r--r-- | lib/priority.c | 60 | ||||
| -rw-r--r-- | lib/priority_options.gperf | 2 | ||||
| -rw-r--r-- | lib/record.c | 1 | ||||
| -rw-r--r-- | lib/session_pack.c | 11 | ||||
| -rw-r--r-- | lib/sslv2_compat.c | 5 | ||||
| -rw-r--r-- | lib/state.c | 10 |
17 files changed, 112 insertions, 901 deletions
diff --git a/configure.ac b/configure.ac index d5d6ca2f3e..b41499c678 100644 --- a/configure.ac +++ b/configure.ac @@ -697,37 +697,6 @@ AC_CHECK_TYPE(ssize_t, AC_CHECK_SIZEOF(unsigned long int, 4) AC_CHECK_SIZEOF(unsigned int, 4) -AC_ARG_WITH(zlib, AS_HELP_STRING([--without-zlib], - [disable zlib compression support]), - ac_zlib=$withval, ac_zlib=yes) -AC_MSG_CHECKING([whether to include zlib compression support]) -if test x$ac_zlib != xno; then - AC_MSG_RESULT(yes) - AC_LIB_HAVE_LINKFLAGS(z,, [#include <zlib.h>], [compress (0, 0, 0, 0);]) - if test x$ac_cv_libz != xyes; then - AC_MSG_WARN( -*** -*** ZLIB was not found. You will not be able to use ZLIB compression.) - fi -else - AC_MSG_RESULT(no) -fi - -PKG_CHECK_EXISTS(zlib, ZLIB_HAS_PKGCONFIG=y, ZLIB_HAS_PKGCONFIG=n) - -if test x$ac_zlib != xno; then - if test "$ZLIB_HAS_PKGCONFIG" = "y" ; then - if test "x$GNUTLS_REQUIRES_PRIVATE" = x; then - GNUTLS_REQUIRES_PRIVATE="Requires.private: zlib" - else - GNUTLS_REQUIRES_PRIVATE="$GNUTLS_REQUIRES_PRIVATE, zlib" - fi - LIBZ_PC="" - else - LIBZ_PC=$LIBZ - fi -fi -AC_SUBST(LIBZ_PC) AC_SUBST(GNUTLS_REQUIRES_PRIVATE) diff --git a/lib/Makefile.am b/lib/Makefile.am index a019102384..41bc3f7850 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -97,7 +97,7 @@ if ENABLE_NETTLE SUBDIRS += nettle endif -HFILES = abstract_int.h debug.h compress.h cipher.h \ +HFILES = abstract_int.h debug.h cipher.h \ buffers.h errors.h gnutls_int.h dtls.h \ handshake.h num.h algorithms.h \ dh.h kx.h hash_int.h cipher_int.h \ diff --git a/lib/cipher.c b/lib/cipher.c index acb6b39623..6769ec8da2 100644 --- a/lib/cipher.c +++ b/lib/cipher.c @@ -1,6 +1,7 @@ /* * Copyright (C) 2000-2013 Free Software Foundation, Inc. * Copyright (C) 2013 Nikos Mavrogiannopoulos + * Copyright (C) 2017 Red Hat, Inc. * * Author: Nikos Mavrogiannopoulos * @@ -27,7 +28,6 @@ #include "gnutls_int.h" #include "errors.h" -#include "compress.h" #include "cipher.h" #include "algorithms.h" #include "hash_int.h" @@ -42,35 +42,18 @@ #include <state.h> #include <random.h> -static int compressed_to_ciphertext(gnutls_session_t session, - uint8_t * cipher_data, int cipher_size, - gnutls_datum_t * compressed, - size_t min_pad, - content_type_t _type, - record_parameters_st * params); -static int ciphertext_to_compressed(gnutls_session_t session, - gnutls_datum_t * ciphertext, - gnutls_datum_t * compressed, - uint8_t type, - record_parameters_st * params, - gnutls_uint64 * sequence); - -inline static int is_write_comp_null(record_parameters_st * record_params) -{ - if (record_params->compression_algorithm == GNUTLS_COMP_NULL) - return 0; - - return 1; -} - -inline static int is_read_comp_null(record_parameters_st * record_params) -{ - if (record_params->compression_algorithm == GNUTLS_COMP_NULL) - return 0; - - return 1; -} - +static int encrypt_packet(gnutls_session_t session, + uint8_t * cipher_data, int cipher_size, + gnutls_datum_t * plain, + size_t min_pad, + content_type_t _type, + record_parameters_st * params); +static int decrypt_packet(gnutls_session_t session, + gnutls_datum_t * ciphertext, + gnutls_datum_t * plain, + uint8_t type, + record_parameters_st * params, + gnutls_uint64 * sequence); /* returns ciphertext which contains the headers too. This also * calculates the size in the header field. @@ -83,46 +66,18 @@ _gnutls_encrypt(gnutls_session_t session, mbuffer_st * bufel, content_type_t type, record_parameters_st * params) { - gnutls_datum_t comp; - int free_comp = 0; + gnutls_datum_t plaintext; int ret; - if (data_size == 0 || is_write_comp_null(params) == 0) { - comp.data = (uint8_t *) data; - comp.size = data_size; - } else { - /* Here comp is allocated and must be - * freed. - */ - free_comp = 1; - - comp.size = _mbuffer_get_udata_size(bufel); - comp.data = gnutls_malloc(comp.size); - if (comp.data == NULL) - return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - - ret = - _gnutls_compress(¶ms->write.compression_state, - data, data_size, comp.data, comp.size, - session->internals.priorities. - stateless_compression); - if (ret < 0) { - gnutls_free(comp.data); - return gnutls_assert_val(ret); - } - - comp.size = ret; - } + plaintext.data = (uint8_t *) data; + plaintext.size = data_size; ret = - compressed_to_ciphertext(session, + encrypt_packet(session, _mbuffer_get_udata_ptr(bufel), _mbuffer_get_udata_size - (bufel), &comp, min_pad, type, + (bufel), &plaintext, min_pad, type, params); - if (free_comp) - gnutls_free(comp.data); - if (ret < 0) return gnutls_assert_val(ret); @@ -158,46 +113,14 @@ _gnutls_decrypt(gnutls_session_t session, if (ciphertext->size == 0) return 0; - if (is_read_comp_null(params) == 0) { - ret = - ciphertext_to_compressed(session, ciphertext, - output, type, params, - sequence); - if (ret < 0) - return gnutls_assert_val(ret); - - return ret; - } else { - gnutls_datum_t tmp; - - tmp.size = output->size; - tmp.data = gnutls_malloc(tmp.size); - if (tmp.data == NULL) - return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - - ret = - ciphertext_to_compressed(session, ciphertext, - &tmp, type, params, - sequence); - if (ret < 0) - goto leave; - - tmp.size = ret; - - if (ret != 0) { - ret = - _gnutls_decompress(¶ms->read. - compression_state, tmp.data, - tmp.size, output->data, - output->size); - if (ret < 0) - goto leave; - } + ret = + decrypt_packet(session, ciphertext, + output, type, params, + sequence); + if (ret < 0) + return gnutls_assert_val(ret); - leave: - gnutls_free(tmp.data); - return ret; - } + return ret; } @@ -280,14 +203,14 @@ make_preamble(uint8_t * uint64_data, uint8_t type, unsigned int length, } /* This is the actual encryption - * Encrypts the given compressed datum, and puts the result to cipher_data, + * Encrypts the given plaintext datum, and puts the result to cipher_data, * which has cipher_size size. * return the actual encrypted data length. */ static int -compressed_to_ciphertext(gnutls_session_t session, +encrypt_packet(gnutls_session_t session, uint8_t * cipher_data, int cipher_size, - gnutls_datum_t * compressed, + gnutls_datum_t * plain, size_t min_pad, content_type_t type, record_parameters_st * params) @@ -332,7 +255,7 @@ compressed_to_ciphertext(gnutls_session_t session, pad = min_pad; length = - calc_enc_length_block(session, ver, compressed->size, + calc_enc_length_block(session, ver, plain->size, tag_size, &pad, auth_cipher, blocksize, etm); } else { /* AEAD + STREAM */ @@ -341,7 +264,7 @@ compressed_to_ciphertext(gnutls_session_t session, pad = 0; length = - calc_enc_length_stream(session, compressed->size, + calc_enc_length_stream(session, plain->size, tag_size, auth_cipher, exp_iv_size); } @@ -409,7 +332,7 @@ compressed_to_ciphertext(gnutls_session_t session, if (etm) ret = length-tag_size; else - ret = compressed->size; + ret = plain->size; preamble_size = make_preamble(UINT64DATA(params->write.sequence_number), @@ -436,8 +359,8 @@ compressed_to_ciphertext(gnutls_session_t session, */ ret = _gnutls_auth_cipher_encrypt2_tag(¶ms->write.cipher_state, - compressed->data, - compressed->size, cipher_data, + plain->data, + plain->size, cipher_data, cipher_size, pad); if (ret < 0) return gnutls_assert_val(ret); @@ -446,7 +369,7 @@ compressed_to_ciphertext(gnutls_session_t session, nonce, imp_iv_size + exp_iv_size, preamble, preamble_size, tag_size, - compressed->data, compressed->size, + plain->data, plain->size, cipher_data, cipher_size); if (ret < 0) return gnutls_assert_val(ret); @@ -491,13 +414,13 @@ static void dummy_wait(record_parameters_st * params, } } -/* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size. - * Returns the actual compressed packet size. +/* Deciphers the ciphertext packet, and puts the result to plain. + * Returns the actual plaintext packet size. */ static int -ciphertext_to_compressed(gnutls_session_t session, +decrypt_packet(gnutls_session_t session, gnutls_datum_t * ciphertext, - gnutls_datum_t * compressed, + gnutls_datum_t * plain, uint8_t type, record_parameters_st * params, gnutls_uint64 * sequence) { @@ -609,7 +532,7 @@ ciphertext_to_compressed(gnutls_session_t session, length_to_decrypt = ciphertext->size; - /* Pass the type, version, length and compressed through + /* Pass the type, version, length and plain through * MAC. */ preamble_size = @@ -618,11 +541,11 @@ ciphertext_to_compressed(gnutls_session_t session, if (unlikely - ((unsigned) length_to_decrypt > compressed->size)) { + ((unsigned) length_to_decrypt > plain->size)) { _gnutls_audit_log(session, "Received %u bytes, while expecting less than %u\n", (unsigned int) length_to_decrypt, - (unsigned int) compressed->size); + (unsigned int) plain->size); return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); } @@ -632,7 +555,7 @@ ciphertext_to_compressed(gnutls_session_t session, preamble, preamble_size, tag_size, ciphertext->data, length_to_decrypt, - compressed->data, compressed->size); + plain->data, plain->size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); @@ -647,9 +570,9 @@ ciphertext_to_compressed(gnutls_session_t session, length_to_decrypt = ciphertext->size; length = ciphertext->size - tag_size; - tag_ptr = compressed->data + length; + tag_ptr = plain->data + length; - /* Pass the type, version, length and compressed through + /* Pass the type, version, length and plain through * MAC. */ preamble_size = @@ -664,11 +587,11 @@ ciphertext_to_compressed(gnutls_session_t session, return gnutls_assert_val(ret); if (unlikely - ((unsigned) length_to_decrypt > compressed->size)) { + ((unsigned) length_to_decrypt > plain->size)) { _gnutls_audit_log(session, "Received %u bytes, while expecting less than %u\n", (unsigned int) length_to_decrypt, - (unsigned int) compressed->size); + (unsigned int) plain->size); return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); } @@ -678,8 +601,8 @@ ciphertext_to_compressed(gnutls_session_t session, cipher_state, ciphertext->data, length_to_decrypt, - compressed->data, - compressed->size); + plain->data, + plain->size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); @@ -721,7 +644,7 @@ ciphertext_to_compressed(gnutls_session_t session, * an API. (the length of plaintext is required to calculate * auth_data, but it is not available before decryption). */ - if (unlikely(ciphertext->size > compressed->size)) + if (unlikely(ciphertext->size > plain->size)) return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); @@ -730,12 +653,12 @@ ciphertext_to_compressed(gnutls_session_t session, _gnutls_cipher_decrypt2(¶ms->read.cipher_state. cipher, ciphertext->data, ciphertext->size, - compressed->data, - compressed->size); + plain->data, + plain->size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); - pad = compressed->data[ciphertext->size - 1]; /* pad */ + pad = plain->data[ciphertext->size - 1]; /* pad */ /* Check the pading bytes (TLS 1.x). * Note that we access all 256 bytes of ciphertext for padding check @@ -746,7 +669,7 @@ ciphertext_to_compressed(gnutls_session_t session, #endif for (i = 2; i <= MIN(256, ciphertext->size); i++) { tmp_pad_failed |= - (compressed-> + (plain-> data[ciphertext->size - i] != pad); pad_failed |= ((i <= (1 + pad)) & (tmp_pad_failed)); @@ -763,9 +686,9 @@ ciphertext_to_compressed(gnutls_session_t session, } length = ciphertext->size - tag_size - pad - 1; - tag_ptr = &compressed->data[length]; + tag_ptr = &plain->data[length]; - /* Pass the type, version, length and compressed through + /* Pass the type, version, length and plain through * MAC. */ preamble_size = @@ -782,7 +705,7 @@ ciphertext_to_compressed(gnutls_session_t session, ret = _gnutls_auth_cipher_add_auth(¶ms->read. cipher_state, - compressed->data, length); + plain->data, length); if (unlikely(ret < 0)) return gnutls_assert_val(ret); } else { /* EtM */ @@ -790,12 +713,12 @@ ciphertext_to_compressed(gnutls_session_t session, _gnutls_cipher_decrypt2(¶ms->read.cipher_state. cipher, ciphertext->data, ciphertext->size - tag_size, - compressed->data, - compressed->size); + plain->data, + plain->size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); - pad = compressed->data[ciphertext->size - tag_size - 1]; /* pad */ + pad = plain->data[ciphertext->size - tag_size - 1]; /* pad */ length = ciphertext->size - tag_size - pad - 1; if (unlikely(length < 0)) @@ -823,7 +746,7 @@ ciphertext_to_compressed(gnutls_session_t session, if (unlikely (gnutls_memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) { /* HMAC was not the same. */ - dummy_wait(params, compressed, pad_failed, pad, + dummy_wait(params, plain, pad_failed, pad, length + preamble_size); return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); diff --git a/lib/compress.c b/lib/compress.c index 8008bf60d8..a24c7c878f 100644 --- a/lib/compress.c +++ b/lib/compress.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2000-2012 Free Software Foundation, Inc. + * Copyright (C) 2017 Red Hat, Inc. * * Author: Nikos Mavrogiannopoulos * @@ -20,51 +20,9 @@ * */ -/* This file contains the functions which convert the TLS plaintext - * packet to TLS compressed packet. - */ - #include "gnutls_int.h" -#include "compress.h" -#include "errors.h" -#include "constate.h" -#include <algorithms.h> -#include <gnutls/gnutls.h> - -/* Compression Section */ -#define GNUTLS_COMPRESSION_ENTRY(name, id, wb, ml, cl) \ - { #name, name, id, wb, ml, cl} - - -#define MAX_COMP_METHODS 5 -const int _gnutls_comp_algorithms_size = MAX_COMP_METHODS; - -gnutls_compression_entry _gnutls_compression_algorithms[MAX_COMP_METHODS] = { - GNUTLS_COMPRESSION_ENTRY(GNUTLS_COMP_NULL, 0x00, 0, 0, 0), -#ifdef HAVE_LIBZ - /* draft-ietf-tls-compression-02 */ - GNUTLS_COMPRESSION_ENTRY(GNUTLS_COMP_DEFLATE, 0x01, 15, 8, 3), -#endif - {0, 0, 0, 0, 0, 0} -}; -static const gnutls_compression_method_t supported_compressions[] = { -#ifdef HAVE_LIBZ - GNUTLS_COMP_DEFLATE, -#endif - GNUTLS_COMP_NULL, - 0 -}; - -#define GNUTLS_COMPRESSION_LOOP(b) \ - const gnutls_compression_entry *p; \ - for(p = _gnutls_compression_algorithms; p->name != NULL; p++) { b ; } -#define GNUTLS_COMPRESSION_ALG_LOOP(a) \ - GNUTLS_COMPRESSION_LOOP( if(p->id == algorithm) { a; break; } ) -#define GNUTLS_COMPRESSION_ALG_LOOP_NUM(a) \ - GNUTLS_COMPRESSION_LOOP( if(p->num == num) { a; break; } ) - -/* Compression Functions */ +/* Compatibility compression functions */ /** * gnutls_compression_get_name: @@ -78,13 +36,10 @@ static const gnutls_compression_method_t supported_compressions[] = { const char *gnutls_compression_get_name(gnutls_compression_method_t algorithm) { - const char *ret = NULL; - - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = - p->name + sizeof("GNUTLS_COMP_") - 1); + if (algorithm == GNUTLS_COMP_NULL) + return "NULL"; - return ret; + return NULL; } /** @@ -98,14 +53,10 @@ const char *gnutls_compression_get_name(gnutls_compression_method_t **/ gnutls_compression_method_t gnutls_compression_get_id(const char *name) { - gnutls_compression_method_t ret = GNUTLS_COMP_UNKNOWN; + if (strcasecmp(name, "NULL") == 0) + return GNUTLS_COMP_NULL; - GNUTLS_COMPRESSION_LOOP(if - (strcasecmp - (p->name + sizeof("GNUTLS_COMP_") - 1, - name) == 0) ret = p->id); - - return ret; + return GNUTLS_COMP_UNKNOWN; } /** @@ -118,322 +69,6 @@ gnutls_compression_method_t gnutls_compression_get_id(const char *name) **/ const gnutls_compression_method_t *gnutls_compression_list(void) { - return supported_compressions; -} - -/* return the tls number of the specified algorithm */ -int _gnutls_compression_get_num(gnutls_compression_method_t algorithm) -{ - int ret = -1; - - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->num); - - return ret; -} - -#ifdef HAVE_LIBZ - -static int get_wbits(gnutls_compression_method_t algorithm) -{ - int ret = -1; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->window_bits); - return ret; -} - -static int get_mem_level(gnutls_compression_method_t algorithm) -{ - int ret = -1; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->mem_level); - return ret; -} - -static int get_comp_level(gnutls_compression_method_t algorithm) -{ - int ret = -1; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->comp_level); - return ret; -} - -#endif - -/* returns the gnutls internal ID of the TLS compression - * method num - */ -gnutls_compression_method_t _gnutls_compression_get_id(int num) -{ - gnutls_compression_method_t ret = -1; - - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP_NUM(ret = p->id); - - return ret; -} - -int _gnutls_compression_is_ok(gnutls_compression_method_t algorithm) -{ - ssize_t ret = -1; - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->id); - if (ret >= 0) - ret = 0; - else - ret = 1; - return ret; -} - - - -/* For compression */ - -#define MIN_PRIVATE_COMP_ALGO 0xEF - -/* returns the TLS numbers of the compression methods we support - */ -#define SUPPORTED_COMPRESSION_METHODS session->internals.priorities.compression.algorithms -int -_gnutls_supported_compression_methods(gnutls_session_t session, - uint8_t * comp, size_t comp_size) -{ - unsigned int i, j; - int tmp; - - if (comp_size < SUPPORTED_COMPRESSION_METHODS) - return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - - for (i = j = 0; i < SUPPORTED_COMPRESSION_METHODS; i++) { - if (IS_DTLS(session) && session->internals.priorities.compression.priority[i] != GNUTLS_COMP_NULL) { - gnutls_assert(); - continue; - } - - tmp = - _gnutls_compression_get_num(session-> - internals.priorities. - compression.priority[i]); - - /* remove private compression algorithms, if requested. - */ - if (tmp == -1 || (tmp >= MIN_PRIVATE_COMP_ALGO && - session->internals.enable_private == 0)) - { - gnutls_assert(); - continue; - } - - comp[j] = (uint8_t) tmp; - j++; - } - - if (j == 0) { - gnutls_assert(); - return GNUTLS_E_NO_COMPRESSION_ALGORITHMS; - } - return j; -} - - -/* The flag d is the direction (compress, decompress). Non zero is - * decompress. - */ -int _gnutls_comp_init(comp_hd_st * handle, - gnutls_compression_method_t method, int d) -{ - handle->algo = method; - handle->handle = NULL; - - switch (method) { - case GNUTLS_COMP_DEFLATE: -#ifdef HAVE_LIBZ - { - int window_bits, mem_level; - int comp_level; - z_stream *zhandle; - int err; - - window_bits = get_wbits(method); - mem_level = get_mem_level(method); - comp_level = get_comp_level(method); - - handle->handle = gnutls_malloc(sizeof(z_stream)); - if (handle->handle == NULL) - return - gnutls_assert_val - (GNUTLS_E_MEMORY_ERROR); - - zhandle = handle->handle; - - zhandle->zalloc = (alloc_func) 0; - zhandle->zfree = (free_func) 0; - zhandle->opaque = (voidpf) 0; - - if (d) - err = inflateInit2(zhandle, window_bits); - else { - err = deflateInit2(zhandle, - comp_level, Z_DEFLATED, - window_bits, mem_level, - Z_DEFAULT_STRATEGY); - } - if (err != Z_OK) { - gnutls_assert(); - gnutls_free(handle->handle); - return GNUTLS_E_COMPRESSION_FAILED; - } - } - break; -#endif - case GNUTLS_COMP_NULL: - case GNUTLS_COMP_UNKNOWN: - break; - default: - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; - } - - return 0; -} - -/* The flag d is the direction (compress, decompress). Non zero is - * decompress. - */ -void _gnutls_comp_deinit(comp_hd_st * handle, int d) -{ - if (handle != NULL) { - switch (handle->algo) { -#ifdef HAVE_LIBZ - case GNUTLS_COMP_DEFLATE: - { - if (d) - inflateEnd(handle->handle); - else - deflateEnd(handle->handle); - break; - } -#endif - default: - break; - } - gnutls_free(handle->handle); - handle->handle = NULL; - } -} - -/* These functions are memory consuming - */ - -int -_gnutls_compress(comp_hd_st * handle, const uint8_t * plain, - size_t plain_size, uint8_t * compressed, - size_t max_comp_size, unsigned int stateless) -{ - int compressed_size = GNUTLS_E_COMPRESSION_FAILED; - - /* NULL compression is not handled here - */ - if (handle == NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - switch (handle->algo) { -#ifdef HAVE_LIBZ - case GNUTLS_COMP_DEFLATE: - { - z_stream *zhandle; - int err; - int type; - - if (stateless) { - type = Z_FULL_FLUSH; - } else - type = Z_SYNC_FLUSH; - - zhandle = handle->handle; - - zhandle->next_in = (Bytef *) plain; - zhandle->avail_in = plain_size; - zhandle->next_out = (Bytef *) compressed; - zhandle->avail_out = max_comp_size; - - err = deflate(zhandle, type); - if (err != Z_OK || zhandle->avail_in != 0) - return - gnutls_assert_val - (GNUTLS_E_COMPRESSION_FAILED); - - - compressed_size = - max_comp_size - zhandle->avail_out; - break; - } -#endif - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } /* switch */ - -#ifdef COMPRESSION_DEBUG - _gnutls_debug_log("Compression ratio: %f\n", - (float) ((float) compressed_size / - (float) plain_size)); -#endif - - return compressed_size; -} - - - -int -_gnutls_decompress(comp_hd_st * handle, uint8_t * compressed, - size_t compressed_size, uint8_t * plain, - size_t max_plain_size) -{ - int plain_size = GNUTLS_E_DECOMPRESSION_FAILED; - - if (compressed_size > max_plain_size + EXTRA_COMP_SIZE) { - gnutls_assert(); - return GNUTLS_E_DECOMPRESSION_FAILED; - } - - /* NULL compression is not handled here - */ - - if (handle == NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - switch (handle->algo) { -#ifdef HAVE_LIBZ - case GNUTLS_COMP_DEFLATE: - { - z_stream *zhandle; - int err; - - zhandle = handle->handle; - - zhandle->next_in = (Bytef *) compressed; - zhandle->avail_in = compressed_size; - - zhandle->next_out = (Bytef *) plain; - zhandle->avail_out = max_plain_size; - err = inflate(zhandle, Z_SYNC_FLUSH); - - if (err != Z_OK) - return - gnutls_assert_val - (GNUTLS_E_DECOMPRESSION_FAILED); - - plain_size = max_plain_size - zhandle->avail_out; - break; - } -#endif - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } /* switch */ - - return plain_size; + static const gnutls_compression_method_t list[2] = {GNUTLS_COMP_NULL, 0}; + return list; } diff --git a/lib/compress.h b/lib/compress.h deleted file mode 100644 index 691044113e..0000000000 --- a/lib/compress.h +++ /dev/null @@ -1,66 +0,0 @@ -/* - * Copyright (C) 2000-2012 Free Software Foundation, Inc. - * - * Author: Nikos Mavrogiannopoulos - * - * This file is part of GnuTLS. - * - * The GnuTLS is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public License - * as published by the Free Software Foundation; either version 2.1 of - * the License, or (at your option) any later version. - * - * This library is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ -#ifndef GNUTLS_COMPRESS_H -#define GNUTLS_COMPRESS_H - -/* Algorithm handling. */ -int _gnutls_supported_compression_methods(gnutls_session_t session, - uint8_t * comp, size_t max_comp); -int _gnutls_compression_is_ok(gnutls_compression_method_t algorithm); -int _gnutls_compression_get_num(gnutls_compression_method_t algorithm); -gnutls_compression_method_t _gnutls_compression_get_id(int num); - -#ifdef HAVE_LIBZ -#include <zlib.h> -#endif - -#define GNUTLS_COMP_FAILED NULL - -typedef struct comp_hd_st { - void *handle; - gnutls_compression_method_t algo; -} comp_hd_st; - -int _gnutls_comp_init(comp_hd_st *, gnutls_compression_method_t, int d); -void _gnutls_comp_deinit(comp_hd_st * handle, int d); - -int _gnutls_decompress(comp_hd_st * handle, uint8_t * compressed, - size_t compressed_size, uint8_t * plain, - size_t max_plain_size); -int _gnutls_compress(comp_hd_st *, const uint8_t * plain, - size_t plain_size, uint8_t * compressed, - size_t max_comp_size, unsigned int stateless); - -struct gnutls_compression_entry { - const char *name; - gnutls_compression_method_t id; - /* the number reserved in TLS for the specific compression method */ - int num; - - /* used in zlib compressor */ - int window_bits; - int mem_level; - int comp_level; -}; -typedef struct gnutls_compression_entry gnutls_compression_entry; - -#endif diff --git a/lib/constate.c b/lib/constate.c index 81cbeff462..daad7bc171 100644 --- a/lib/constate.c +++ b/lib/constate.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2001-2012 Free Software Foundation, Inc. + * Copyright (C) 2017 Red Hat, Inc. * * Author: Nikos Mavrogiannopoulos * @@ -219,14 +220,6 @@ _gnutls_init_record_state(record_parameters_st * params, if (ret < 0 && params->cipher->id != GNUTLS_CIPHER_NULL) return gnutls_assert_val(ret); - ret = - _gnutls_comp_init(&state->compression_state, - params->compression_algorithm, - read /*1==decompress */ ); - - if (ret < 0) - return gnutls_assert_val(ret); - return 0; } @@ -281,32 +274,6 @@ _gnutls_set_cipher_suite(gnutls_session_t session, return 0; } -int -_gnutls_set_compression(gnutls_session_t session, - gnutls_compression_method_t comp_algo) -{ - record_parameters_st *params; - int ret; - - ret = _gnutls_epoch_get(session, EPOCH_NEXT, ¶ms); - if (ret < 0) - return gnutls_assert_val(ret); - - if (params->initialized - || params->compression_algorithm != GNUTLS_COMP_UNKNOWN) - return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - - if (_gnutls_compression_is_ok(comp_algo) != 0) - return - gnutls_assert_val - (GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM); - - session->security_parameters.compression_method = comp_algo; - params->compression_algorithm = comp_algo; - - return 0; -} - void _gnutls_epoch_set_null_algos(gnutls_session_t session, record_parameters_st * params) @@ -321,7 +288,6 @@ _gnutls_epoch_set_null_algos(gnutls_session_t session, params->cipher = cipher_to_entry(GNUTLS_CIPHER_NULL); params->mac = mac_to_entry(GNUTLS_MAC_NULL); - params->compression_algorithm = GNUTLS_COMP_NULL; params->initialized = 1; } @@ -330,7 +296,6 @@ int _gnutls_epoch_set_keys(gnutls_session_t session, uint16_t epoch) int hash_size; int IV_size; int key_size; - gnutls_compression_method_t comp_algo; record_parameters_st *params; int ret; const version_entry_st *ver = get_version(session); @@ -348,8 +313,6 @@ int _gnutls_epoch_set_keys(gnutls_session_t session, uint16_t epoch) _gnutls_record_log ("REC[%p]: Initializing epoch #%u\n", session, params->epoch); - comp_algo = params->compression_algorithm; - if (_gnutls_cipher_is_ok(params->cipher) == 0 || _gnutls_mac_is_ok(params->mac) == 0) return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM); @@ -360,11 +323,6 @@ int _gnutls_epoch_set_keys(gnutls_session_t session, uint16_t epoch) if (_gnutls_mac_priority(session, params->mac->id) < 0) return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM); - if (_gnutls_compression_is_ok(comp_algo) != 0) - return - gnutls_assert_val - (GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM); - if (!_gnutls_version_has_explicit_iv(ver) && _gnutls_cipher_type(params->cipher) == CIPHER_BLOCK) { IV_size = _gnutls_cipher_get_iv_size(params->cipher); @@ -408,7 +366,6 @@ int _gnutls_epoch_set_keys(gnutls_session_t session, uint16_t epoch) memcpy( dst->session_id, src->session_id, GNUTLS_MAX_SESSION_ID_SIZE); \ dst->session_id_size = src->session_id_size; \ dst->cert_type = src->cert_type; \ - dst->compression_method = src->compression_method; \ dst->timestamp = src->timestamp; \ dst->ext_master_secret = src->ext_master_secret; \ dst->etm = src->etm; \ @@ -627,7 +584,6 @@ _gnutls_epoch_alloc(gnutls_session_t session, uint16_t epoch, (*slot)->epoch = epoch; (*slot)->cipher = NULL; (*slot)->mac = NULL; - (*slot)->compression_algorithm = GNUTLS_COMP_UNKNOWN; if (IS_DTLS(session)) _gnutls_write_uint16(epoch, @@ -721,9 +677,6 @@ static inline void free_record_state(record_state_st * state, int d) _gnutls_free_datum(&state->key); _gnutls_auth_cipher_deinit(&state->cipher_state); - - if (state->compression_state.handle != NULL) - _gnutls_comp_deinit(&state->compression_state, d); } void diff --git a/lib/constate.h b/lib/constate.h index c62b72b9d0..773c36c6f2 100644 --- a/lib/constate.h +++ b/lib/constate.h @@ -25,8 +25,6 @@ int _gnutls_set_cipher_suite(gnutls_session_t session, const uint8_t suite[2]); -int _gnutls_set_compression(gnutls_session_t session, - gnutls_compression_method_t comp_algo); void _gnutls_epoch_set_null_algos(gnutls_session_t session, record_parameters_st * params); int _gnutls_epoch_set_keys(gnutls_session_t session, uint16_t epoch); diff --git a/lib/dtls.c b/lib/dtls.c index ba953ae374..07c4537904 100644 --- a/lib/dtls.c +++ b/lib/dtls.c @@ -495,7 +495,6 @@ void gnutls_dtls_set_mtu(gnutls_session_t session, unsigned int mtu) static int record_overhead(const cipher_entry_st * cipher, const mac_entry_st * mac, - gnutls_compression_method_t comp, unsigned etm, unsigned est_data) { @@ -518,9 +517,6 @@ static int record_overhead(const cipher_entry_st * cipher, total += hash_len; } - if (comp != GNUTLS_COMP_NULL) - total += EXTRA_COMP_SIZE; - /* This must be last */ if (_gnutls_cipher_type(cipher) == CIPHER_BLOCK) { int rem, exp_iv; @@ -554,7 +550,7 @@ static int record_overhead(const cipher_entry_st * cipher, * @version: is a #gnutls_protocol_t value * @cipher: is a #gnutls_cipher_algorithm_t value * @mac: is a #gnutls_mac_algorithm_t value - * @comp: is a #gnutls_compression_method_t value + * @comp: is a #gnutls_compression_method_t value (ignored) * @flags: must be zero * * This function will return the set size in bytes of the overhead @@ -595,7 +591,7 @@ size_t gnutls_est_record_overhead_size(gnutls_protocol_t version, else total = DTLS_RECORD_HEADER_SIZE; - total += record_overhead(c, m, comp, 0, 0); + total += record_overhead(c, m, 0, 0); return total; } @@ -622,7 +618,7 @@ static int record_overhead_rt(gnutls_session_t session, unsigned est_data) return gnutls_assert_val(ret); return record_overhead(params->cipher, params->mac, - params->compression_algorithm, params->etm, est_data); + params->etm, est_data); } /** diff --git a/lib/gnutls.pc.in b/lib/gnutls.pc.in index f656d12c41..9f26852ccd 100644 --- a/lib/gnutls.pc.in +++ b/lib/gnutls.pc.in @@ -19,6 +19,6 @@ Description: Transport Security Layer implementation for the GNU system URL: http://www.gnutls.org/ Version: @VERSION@ Libs: -L${libdir} -lgnutls -Libs.private: @LIBZ_PC@ @LIBINTL@ @LIBSOCKET@ @LIBNSL@ @LIBPTHREAD@ @LIB_SELECT@ @TSS_LIBS@ @GMP_LIBS@ @LIBUNISTRING@ @LIBIDN2_LIBS@ +Libs.private: @LIBINTL@ @LIBSOCKET@ @LIBNSL@ @LIBPTHREAD@ @LIB_SELECT@ @TSS_LIBS@ @GMP_LIBS@ @LIBUNISTRING@ @LIBIDN2_LIBS@ @GNUTLS_REQUIRES_PRIVATE@ Cflags: -I${includedir} diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index b7f491c52c..8bb58f53c4 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -164,7 +164,7 @@ typedef enum record_flush_t { * when receiving we use a different way as there are implementations that * store more data than allowed. */ -#define MAX_RECORD_SEND_OVERHEAD(session) (MAX_CIPHER_BLOCK_SIZE/*iv*/+MAX_PAD_SIZE+((gnutls_compression_get(session)!=GNUTLS_COMP_NULL)?(EXTRA_COMP_SIZE):(0))+MAX_HASH_SIZE/*MAC*/) +#define MAX_RECORD_SEND_OVERHEAD(session) (MAX_CIPHER_BLOCK_SIZE/*iv*/+MAX_PAD_SIZE+MAX_HASH_SIZE/*MAC*/) #define MAX_RECORD_SEND_SIZE(session) (IS_DTLS(session)? \ (MIN((size_t)gnutls_dtls_get_mtu(session), (size_t)session->security_parameters.max_record_send_size+MAX_RECORD_SEND_OVERHEAD(session))): \ ((size_t)session->security_parameters.max_record_send_size+MAX_RECORD_SEND_OVERHEAD(session))) @@ -503,7 +503,6 @@ typedef struct { #include <hash_int.h> #include <cipher_int.h> -#include <compress.h> typedef struct { uint8_t hash_algorithm; @@ -552,7 +551,6 @@ typedef struct { * on resume; */ uint8_t cipher_suite[2]; - gnutls_compression_method_t compression_method; gnutls_mac_algorithm_t prf_mac; uint8_t master_secret[GNUTLS_MASTER_SIZE]; uint8_t client_random[GNUTLS_RANDOM_SIZE]; @@ -598,7 +596,6 @@ struct record_state_st { gnutls_datum_t IV; gnutls_datum_t key; auth_cipher_hd_st cipher_state; - comp_hd_st compression_state; gnutls_uint64 sequence_number; }; @@ -615,8 +612,6 @@ struct record_parameters_st { uint16_t epoch; int initialized; - gnutls_compression_method_t compression_algorithm; - const cipher_entry_st *cipher; bool etm; const mac_entry_st *mac; @@ -653,7 +648,6 @@ struct gnutls_priority_st { priority_st cipher; priority_st mac; priority_st kx; - priority_st compression; priority_st protocol; priority_st cert_type; priority_st sign_algo; @@ -673,8 +667,6 @@ struct gnutls_priority_st { bool no_tickets; bool no_etm; bool have_cbc; - /* Whether stateless compression will be used */ - bool stateless_compression; unsigned int additional_verify_flags; /* The session's expected security level. diff --git a/lib/handshake.c b/lib/handshake.c index d62fd5b89c..720070f889 100644 --- a/lib/handshake.c +++ b/lib/handshake.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2000-2016 Free Software Foundation, Inc. - * Copyright (C) 2015-2016 Red Hat, Inc. + * Copyright (C) 2015-2017 Red Hat, Inc. * * Author: Nikos Mavrogiannopoulos * @@ -29,7 +29,6 @@ #include "dh.h" #include "debug.h" #include "algorithms.h" -#include "compress.h" #include "cipher.h" #include "buffers.h" #include "mbuffers.h" @@ -64,7 +63,7 @@ #define TRUE 1 #define FALSE 0 -static int server_select_comp_method(gnutls_session_t session, +static int check_if_null_comp_present(gnutls_session_t session, uint8_t * data, int datalen); static int handshake_client(gnutls_session_t session); static int handshake_server(gnutls_session_t session); @@ -143,13 +142,6 @@ static int resume_copy_required_values(gnutls_session_t session) if (ret < 0) return gnutls_assert_val(ret); - ret = _gnutls_set_compression(session, - session->internals. - resumed_security_parameters. - compression_method); - if (ret < 0) - return gnutls_assert_val(ret); - /* or write_compression_algorithm * they are the same */ @@ -637,7 +629,7 @@ read_client_hello(gnutls_session_t session, uint8_t * data, /* select appropriate compression method */ ret = - server_select_comp_method(session, comp_ptr, + check_if_null_comp_present(session, comp_ptr, comp_size); if (ret < 0) { gnutls_assert(); @@ -1054,72 +1046,20 @@ _gnutls_server_select_suite(gnutls_session_t session, uint8_t * data, } -/* This selects the best supported compression method from the ones provided +/* This checks whether the null compression method is present. */ static int -server_select_comp_method(gnutls_session_t session, +check_if_null_comp_present(gnutls_session_t session, uint8_t * data, int datalen) { - int x, i, j; - uint8_t comps[MAX_ALGOS]; - int ret; - - x = _gnutls_supported_compression_methods(session, comps, - MAX_ALGOS); - if (x < 0) { - gnutls_assert(); - return x; - } - - if (session->internals.priorities.server_precedence == 0) { - for (j = 0; j < datalen; j++) { - for (i = 0; i < x; i++) { - if (comps[i] == data[j]) { - gnutls_compression_method_t method - = - _gnutls_compression_get_id - (comps[i]); - - ret = _gnutls_set_compression - (session, method); - if (ret < 0) - return gnutls_assert_val(ret); - - _gnutls_handshake_log - ("HSK[%p]: Selected Compression Method: %s\n", - session, - gnutls_compression_get_name - (method)); - return 0; - } - } - } - } else { - for (i = 0; i < x; i++) { - for (j = 0; j < datalen; j++) { - if (comps[i] == data[j]) { - gnutls_compression_method_t method - = - _gnutls_compression_get_id - (comps[i]); - - ret = _gnutls_set_compression - (session, method); - if (ret < 0) - return gnutls_assert_val(ret); + int j; - _gnutls_handshake_log - ("HSK[%p]: Selected Compression Method: %s\n", - session, - gnutls_compression_get_name - (method)); - return 0; - } - } - } + for (j = 0; j < datalen; j++) { + if (data[j] == 0) + return 0; } - /* we were not able to find a compatible compression + /* we were not able to find a the NULL compression * algorithm */ gnutls_assert(); @@ -1604,49 +1544,6 @@ set_client_ciphersuite(gnutls_session_t session, uint8_t suite[2]) return 0; } -/* This function sets the given comp method to the session. - */ -static int -set_client_comp_method(gnutls_session_t session, - uint8_t comp_method) -{ - int comp_methods_num; - uint8_t compression_methods[MAX_ALGOS]; - int id = _gnutls_compression_get_id(comp_method); - int i; - int ret; - - _gnutls_handshake_log - ("HSK[%p]: Selected compression method: %s (%d)\n", session, - gnutls_compression_get_name(id), (int) comp_method); - - comp_methods_num = _gnutls_supported_compression_methods(session, - compression_methods, - MAX_ALGOS); - if (comp_methods_num < 0) { - gnutls_assert(); - return comp_methods_num; - } - - for (i = 0; i < comp_methods_num; i++) { - if (compression_methods[i] == comp_method) { - comp_methods_num = 0; - break; - } - } - - if (comp_methods_num != 0) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; - } - - ret = _gnutls_set_compression(session, id); - if (ret < 0) - return gnutls_assert_val(ret); - - return 0; -} - /* This function returns 0 if we are resuming a session or -1 otherwise. * This also sets the variables in the session. Used only while reading a server * hello. @@ -1690,14 +1587,6 @@ client_check_if_resuming(gnutls_session_t session, gnutls_assert(); goto no_resume; } - ret = _gnutls_set_compression(session, - session->internals. - resumed_security_parameters. - compression_method); - if (ret < 0) { - gnutls_assert(); - goto no_resume; - } session->internals.resumed = RESUME_TRUE; /* we are resuming */ @@ -1806,12 +1695,7 @@ read_server_hello(gnutls_session_t session, /* move to compression */ DECR_LEN(len, 1); - - ret = set_client_comp_method(session, data[pos++]); - if (ret < 0) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; - } + pos++; /* Parse extensions. */ @@ -1899,30 +1783,15 @@ copy_ciphersuites(gnutls_session_t session, * Needed in hello messages. Returns the new data length. */ static int -copy_comp_methods(gnutls_session_t session, +append_null_comp(gnutls_session_t session, gnutls_buffer_st * cdata) { - int ret; - uint8_t compression_methods[MAX_ALGOS], comp_num; + uint8_t compression_methods[2] = {0x01, 0x00}; size_t init_length = cdata->length; + int ret; ret = - _gnutls_supported_compression_methods(session, - compression_methods, - MAX_ALGOS); - if (ret < 0) - return gnutls_assert_val(ret); - - comp_num = ret; - - /* put the number of compression methods */ - ret = _gnutls_buffer_append_prefix(cdata, 8, comp_num); - if (ret < 0) - return gnutls_assert_val(ret); - - ret = - _gnutls_buffer_append_data(cdata, compression_methods, - comp_num); + _gnutls_buffer_append_data(cdata, compression_methods, 2); if (ret < 0) return gnutls_assert_val(ret); @@ -2089,7 +1958,7 @@ static int send_client_hello(gnutls_session_t session, int again) /* Copy the compression methods. */ - ret = copy_comp_methods(session, &extdata); + ret = append_null_comp(session, &extdata); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -2150,7 +2019,6 @@ static int send_server_hello(gnutls_session_t session, int again) gnutls_buffer_st extdata; int pos = 0; int datalen, ret = 0; - uint8_t comp; uint8_t session_id_len = session->security_parameters.session_id_size; char buf[2 * GNUTLS_MAX_SESSION_ID_SIZE + 1]; @@ -2211,11 +2079,7 @@ static int send_server_hello(gnutls_session_t session, int again) session->security_parameters.cipher_suite, 2); pos += 2; - comp = - _gnutls_compression_get_num(session-> - security_parameters. - compression_method); - data[pos++] = comp; + data[pos++] = 0x00; if (extdata.length > 0) { memcpy(&data[pos], extdata.data, extdata.length); diff --git a/lib/priority.c b/lib/priority.c index 3d99e69b22..a56b031d12 100644 --- a/lib/priority.c +++ b/lib/priority.c @@ -349,12 +349,6 @@ static const int _cipher_priority_secure192[] = { }; static const int* cipher_priority_secure192 = _cipher_priority_secure192; -static const int comp_priority[] = { - /* compression should be explicitly requested to be enabled */ - GNUTLS_COMP_NULL, - 0 -}; - static const int _sign_priority_default[] = { GNUTLS_SIGN_RSA_SHA256, GNUTLS_SIGN_ECDSA_SHA256, @@ -536,7 +530,7 @@ static void prio_add(priority_st * priority_list, unsigned int algo) * @priority: is a #gnutls_priority_t type. * * Sets the priorities to use on the ciphers, key exchange methods, - * macs and compression methods. + * and macs. * * Returns: %GNUTLS_E_SUCCESS on success, or an error code. **/ @@ -570,8 +564,7 @@ gnutls_priority_set(gnutls_session_t session, gnutls_priority_t priority) if (session->internals.priorities.protocol.algorithms == 0 || session->internals.priorities.cipher.algorithms == 0 || session->internals.priorities.mac.algorithms == 0 || - session->internals.priorities.kx.algorithms == 0 || - session->internals.priorities.compression.algorithms == 0) + session->internals.priorities.kx.algorithms == 0) return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET); ADD_PROFILE_VFLAGS(session, priority->additional_verify_flags); @@ -778,10 +771,6 @@ static void enable_no_tickets(gnutls_priority_t c) { c->no_tickets = 1; } -static void enable_stateless_compression(gnutls_priority_t c) -{ - c->stateless_compression = 1; -} static void disable_wildcards(gnutls_priority_t c) { c->additional_verify_flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS; @@ -1124,8 +1113,8 @@ finish: * @priorities: is a string describing priorities (may be %NULL) * @err_pos: In case of an error this will have the position in the string the error occurred * - * Sets priorities for the ciphers, key exchange methods, macs and - * compression methods. The @priority_cache should be deinitialized + * Sets priorities for the ciphers, key exchange methods, and macs. + * The @priority_cache should be deinitialized * using gnutls_priority_deinit(). * * The #priorities option allows you to specify a colon @@ -1164,8 +1153,7 @@ finish: * "SUITEB192" means all the NSA SuiteB ciphersuites with security level * of 192. * - * "NONE" means nothing is enabled. This disables even protocols and - * compression methods. + * "NONE" means nothing is enabled. This disables everything, including protocols. * * "@@KEYWORD1,KEYWORD2,..." The system administrator imposed settings. * The provided keyword(s) will be expanded from a configuration-time @@ -1197,8 +1185,8 @@ finish: * * "NORMAL:+ARCFOUR-128" means normal ciphers plus ARCFOUR-128. * - * "SECURE128:-VERS-SSL3.0:+COMP-DEFLATE" means that only secure ciphers are - * enabled, SSL3.0 is disabled, and libz compression enabled. + * "SECURE128:-VERS-SSL3.0" means that only secure ciphers are + * and enabled, SSL3.0 is disabled. * * "NONE:+VERS-TLS-ALL:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL:+SIGN-RSA-SHA1", * @@ -1254,14 +1242,11 @@ gnutls_priority_init(gnutls_priority_t * priority_cache, } break_list(darg, broken_list, &broken_list_size); - /* This is our default set of protocol version, certificate types and - * compression methods. + /* This is our default set of protocol version, certificate types. */ if (strcasecmp(broken_list[0], LEVEL_NONE) != 0) { _set_priority(&(*priority_cache)->protocol, protocol_priority); - _set_priority(&(*priority_cache)->compression, - comp_priority); _set_priority(&(*priority_cache)->cert_type, cert_type_priority_default); _set_priority(&(*priority_cache)->sign_algo, @@ -1344,22 +1329,8 @@ gnutls_priority_init(gnutls_priority_t * priority_cache, } /* now check if the element is something like -ALGO */ else if (strncasecmp (&broken_list[i][1], "COMP-", 5) == 0) { - if (strncasecmp - (&broken_list[i][1], "COMP-ALL", - 8) == 0) { - bulk_fn(&(*priority_cache)-> - compression, - comp_priority); - } else { - if ((algo = - gnutls_compression_get_id - (&broken_list[i][6])) != - GNUTLS_COMP_UNKNOWN) - fn(&(*priority_cache)-> - compression, algo); - else - goto error; - } + /* ignore all compression methods */ + continue; } /* now check if the element is something like -ALGO */ else if (strncasecmp (&broken_list[i][1], "CURVE-", 6) == 0) { @@ -1465,7 +1436,7 @@ void gnutls_priority_deinit(gnutls_priority_t priority_cache) * @err_pos: In case of an error this will have the position in the string the error occurred * * Sets the priorities to use on the ciphers, key exchange methods, - * macs and compression methods. This function avoids keeping a + * and macs. This function avoids keeping a * priority cache and is used to directly set string priorities to a * TLS session. For documentation check the gnutls_priority_init(). * @@ -1533,7 +1504,7 @@ break_list(char *list, * @session: is a #gnutls_session_t type. * * Sets the default priority on the ciphers, key exchange methods, - * macs and compression methods. This is the recommended method of + * and macs. This is the recommended method of * setting the defaults, in order to promote consistency between applications * using GnuTLS, and to allow GnuTLS using applications to update settings * in par with the library. For client applications which require @@ -1657,11 +1628,10 @@ int gnutls_priority_compression_list(gnutls_priority_t pcache, const unsigned int **list) { - if (pcache->compression.algorithms == 0) - return 0; + static const unsigned int priority[1] = {GNUTLS_COMP_NULL}; - *list = pcache->compression.priority; - return pcache->compression.algorithms; + *list = priority; + return 1; } /** diff --git a/lib/priority_options.gperf b/lib/priority_options.gperf index 9de43785bb..c862ba9c03 100644 --- a/lib/priority_options.gperf +++ b/lib/priority_options.gperf @@ -12,7 +12,7 @@ NO_EXTENSIONS, enable_no_extensions NO_TICKETS, enable_no_tickets NO_ETM, enable_no_etm NO_SESSION_HASH, enable_no_ext_master_secret -STATELESS_COMPRESSION, enable_stateless_compression +STATELESS_COMPRESSION, dummy_func VERIFY_ALLOW_BROKEN, enable_verify_allow_broken VERIFY_ALLOW_SIGN_RSA_MD5, enable_verify_allow_rsa_md5 VERIFY_ALLOW_SIGN_WITH_SHA1, enable_verify_allow_sha1 diff --git a/lib/record.c b/lib/record.c index e08598b829..76ab0ff4a9 100644 --- a/lib/record.c +++ b/lib/record.c @@ -32,7 +32,6 @@ #include "gnutls_int.h" #include "errors.h" #include "debug.h" -#include "compress.h" #include "cipher.h" #include "buffers.h" #include "mbuffers.h" diff --git a/lib/session_pack.c b/lib/session_pack.c index 39f0737042..b8612c5a6b 100644 --- a/lib/session_pack.c +++ b/lib/session_pack.c @@ -691,11 +691,9 @@ unpack_psk_auth_info(gnutls_session_t session, gnutls_buffer_st * ps) * 1 byte the key exchange algorithm used * 1 byte the read cipher algorithm * 1 byte the read mac algorithm - * 1 byte the read compression algorithm * * 1 byte the write cipher algorithm * 1 byte the write mac algorithm - * 1 byte the write compression algorithm * * 1 byte the certificate type * 1 byte the protocol version @@ -747,8 +745,6 @@ pack_security_parameters(gnutls_session_t session, gnutls_buffer_st * ps) BUFFER_APPEND_NUM(ps, session->security_parameters.entity); BUFFER_APPEND_NUM(ps, session->security_parameters.kx_algorithm); BUFFER_APPEND(ps, session->security_parameters.cipher_suite, 2); - BUFFER_APPEND_NUM(ps, - session->security_parameters.compression_method); BUFFER_APPEND_NUM(ps, session->security_parameters.cert_type); BUFFER_APPEND_NUM(ps, session->security_parameters.pversion->id); @@ -820,9 +816,6 @@ unpack_security_parameters(gnutls_session_t session, gnutls_buffer_st * ps) cipher_suite, 2); BUFFER_POP_NUM(ps, session->internals.resumed_security_parameters. - compression_method); - BUFFER_POP_NUM(ps, - session->internals.resumed_security_parameters. cert_type); BUFFER_POP_NUM(ps, version); session->internals.resumed_security_parameters.pversion = @@ -904,7 +897,7 @@ unpack_security_parameters(gnutls_session_t session, gnutls_buffer_st * ps) * @kx: the key exchange method * @cipher: the cipher * @mac: the MAC algorithm - * @comp: the compression method + * @comp: the compression method (ignored) * @master: the master key to use * @session_id: the session identifier * @@ -942,8 +935,6 @@ gnutls_session_set_premaster(gnutls_session_t session, unsigned int entity, if (ret < 0) return gnutls_assert_val(ret); - session->internals.resumed_security_parameters.compression_method = - comp; session->internals.resumed_security_parameters.cert_type = DEFAULT_CERT_TYPE; session->internals.resumed_security_parameters.pversion = diff --git a/lib/sslv2_compat.c b/lib/sslv2_compat.c index 8a875f503b..6dcc4df703 100644 --- a/lib/sslv2_compat.c +++ b/lib/sslv2_compat.c @@ -28,7 +28,6 @@ #include "dh.h" #include "debug.h" #include "algorithms.h" -#include "compress.h" #include "cipher.h" #include "buffers.h" #include "kx.h" @@ -249,10 +248,6 @@ _gnutls_read_client_hello_v2(gnutls_session_t session, uint8_t * data, session->internals.resumed = RESUME_FALSE; } - ret = _gnutls_set_compression(session, GNUTLS_COMP_NULL); - if (ret < 0) - return gnutls_assert_val(ret); - return sret; } #endif diff --git a/lib/state.c b/lib/state.c index 27c4adb3b8..5dfc2e2a36 100644 --- a/lib/state.c +++ b/lib/state.c @@ -158,15 +158,7 @@ gnutls_mac_algorithm_t gnutls_mac_get(gnutls_session_t session) gnutls_compression_method_t gnutls_compression_get(gnutls_session_t session) { - record_parameters_st *record_params; - int ret; - - ret = - _gnutls_epoch_get(session, EPOCH_READ_CURRENT, &record_params); - if (ret < 0) - return gnutls_assert_val(GNUTLS_COMP_NULL); - - return record_params->compression_algorithm; + return GNUTLS_COMP_NULL; } static void deinit_keys(gnutls_session_t session) |