diff options
| -rw-r--r-- | configure.ac | 31 | ||||
| -rw-r--r-- | lib/Makefile.am | 2 | ||||
| -rw-r--r-- | lib/cipher.c | 197 | ||||
| -rw-r--r-- | lib/compress.c | 385 | ||||
| -rw-r--r-- | lib/compress.h | 66 | ||||
| -rw-r--r-- | lib/constate.c | 49 | ||||
| -rw-r--r-- | lib/constate.h | 2 | ||||
| -rw-r--r-- | lib/dtls.c | 10 | ||||
| -rw-r--r-- | lib/gnutls.pc.in | 2 | ||||
| -rw-r--r-- | lib/gnutls_int.h | 10 | ||||
| -rw-r--r-- | lib/handshake.c | 170 | ||||
| -rw-r--r-- | lib/priority.c | 60 | ||||
| -rw-r--r-- | lib/priority_options.gperf | 2 | ||||
| -rw-r--r-- | lib/record.c | 1 | ||||
| -rw-r--r-- | lib/session_pack.c | 11 | ||||
| -rw-r--r-- | lib/sslv2_compat.c | 5 | ||||
| -rw-r--r-- | lib/state.c | 10 |
17 files changed, 112 insertions, 901 deletions
diff --git a/configure.ac b/configure.ac index d5d6ca2f3e..b41499c678 100644 --- a/configure.ac +++ b/configure.ac @@ -697,37 +697,6 @@ AC_CHECK_TYPE(ssize_t, AC_CHECK_SIZEOF(unsigned long int, 4) AC_CHECK_SIZEOF(unsigned int, 4) -AC_ARG_WITH(zlib, AS_HELP_STRING([--without-zlib], - [disable zlib compression support]), - ac_zlib=$withval, ac_zlib=yes) -AC_MSG_CHECKING([whether to include zlib compression support]) -if test x$ac_zlib != xno; then - AC_MSG_RESULT(yes) - AC_LIB_HAVE_LINKFLAGS(z,, [#include <zlib.h>], [compress (0, 0, 0, 0);]) - if test x$ac_cv_libz != xyes; then - AC_MSG_WARN( -*** -*** ZLIB was not found. You will not be able to use ZLIB compression.) - fi -else - AC_MSG_RESULT(no) -fi - -PKG_CHECK_EXISTS(zlib, ZLIB_HAS_PKGCONFIG=y, ZLIB_HAS_PKGCONFIG=n) - -if test x$ac_zlib != xno; then - if test "$ZLIB_HAS_PKGCONFIG" = "y" ; then - if test "x$GNUTLS_REQUIRES_PRIVATE" = x; then - GNUTLS_REQUIRES_PRIVATE="Requires.private: zlib" - else - GNUTLS_REQUIRES_PRIVATE="$GNUTLS_REQUIRES_PRIVATE, zlib" - fi - LIBZ_PC="" - else - LIBZ_PC=$LIBZ - fi -fi -AC_SUBST(LIBZ_PC) AC_SUBST(GNUTLS_REQUIRES_PRIVATE) diff --git a/lib/Makefile.am b/lib/Makefile.am index a019102384..41bc3f7850 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -97,7 +97,7 @@ if ENABLE_NETTLE SUBDIRS += nettle endif -HFILES = abstract_int.h debug.h compress.h cipher.h \ +HFILES = abstract_int.h debug.h cipher.h \ buffers.h errors.h gnutls_int.h dtls.h \ handshake.h num.h algorithms.h \ dh.h kx.h hash_int.h cipher_int.h \ diff --git a/lib/cipher.c b/lib/cipher.c index acb6b39623..6769ec8da2 100644 --- a/lib/cipher.c +++ b/lib/cipher.c @@ -1,6 +1,7 @@ /* * Copyright (C) 2000-2013 Free Software Foundation, Inc. * Copyright (C) 2013 Nikos Mavrogiannopoulos + * Copyright (C) 2017 Red Hat, Inc. * * Author: Nikos Mavrogiannopoulos * @@ -27,7 +28,6 @@ #include "gnutls_int.h" #include "errors.h" -#include "compress.h" #include "cipher.h" #include "algorithms.h" #include "hash_int.h" @@ -42,35 +42,18 @@ #include <state.h> #include <random.h> -static int compressed_to_ciphertext(gnutls_session_t session, - uint8_t * cipher_data, int cipher_size, - gnutls_datum_t * compressed, - size_t min_pad, - content_type_t _type, - record_parameters_st * params); -static int ciphertext_to_compressed(gnutls_session_t session, - gnutls_datum_t * ciphertext, - gnutls_datum_t * compressed, - uint8_t type, - record_parameters_st * params, - gnutls_uint64 * sequence); - -inline static int is_write_comp_null(record_parameters_st * record_params) -{ - if (record_params->compression_algorithm == GNUTLS_COMP_NULL) - return 0; - - return 1; -} - -inline static int is_read_comp_null(record_parameters_st * record_params) -{ - if (record_params->compression_algorithm == GNUTLS_COMP_NULL) - return 0; - - return 1; -} - +static int encrypt_packet(gnutls_session_t session, + uint8_t * cipher_data, int cipher_size, + gnutls_datum_t * plain, + size_t min_pad, + content_type_t _type, + record_parameters_st * params); +static int decrypt_packet(gnutls_session_t session, + gnutls_datum_t * ciphertext, + gnutls_datum_t * plain, + uint8_t type, + record_parameters_st * params, + gnutls_uint64 * sequence); /* returns ciphertext which contains the headers too. This also * calculates the size in the header field. @@ -83,46 +66,18 @@ _gnutls_encrypt(gnutls_session_t session, mbuffer_st * bufel, content_type_t type, record_parameters_st * params) { - gnutls_datum_t comp; - int free_comp = 0; + gnutls_datum_t plaintext; int ret; - if (data_size == 0 || is_write_comp_null(params) == 0) { - comp.data = (uint8_t *) data; - comp.size = data_size; - } else { - /* Here comp is allocated and must be - * freed. - */ - free_comp = 1; - - comp.size = _mbuffer_get_udata_size(bufel); - comp.data = gnutls_malloc(comp.size); - if (comp.data == NULL) - return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - - ret = - _gnutls_compress(¶ms->write.compression_state, - data, data_size, comp.data, comp.size, - session->internals.priorities. - stateless_compression); - if (ret < 0) { - gnutls_free(comp.data); - return gnutls_assert_val(ret); - } - - comp.size = ret; - } + plaintext.data = (uint8_t *) data; + plaintext.size = data_size; ret = - compressed_to_ciphertext(session, + encrypt_packet(session, _mbuffer_get_udata_ptr(bufel), _mbuffer_get_udata_size - (bufel), &comp, min_pad, type, + (bufel), &plaintext, min_pad, type, params); - if (free_comp) - gnutls_free(comp.data); - if (ret < 0) return gnutls_assert_val(ret); @@ -158,46 +113,14 @@ _gnutls_decrypt(gnutls_session_t session, if (ciphertext->size == 0) return 0; - if (is_read_comp_null(params) == 0) { - ret = - ciphertext_to_compressed(session, ciphertext, - output, type, params, - sequence); - if (ret < 0) - return gnutls_assert_val(ret); - - return ret; - } else { - gnutls_datum_t tmp; - - tmp.size = output->size; - tmp.data = gnutls_malloc(tmp.size); - if (tmp.data == NULL) - return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - - ret = - ciphertext_to_compressed(session, ciphertext, - &tmp, type, params, - sequence); - if (ret < 0) - goto leave; - - tmp.size = ret; - - if (ret != 0) { - ret = - _gnutls_decompress(¶ms->read. - compression_state, tmp.data, - tmp.size, output->data, - output->size); - if (ret < 0) - goto leave; - } + ret = + decrypt_packet(session, ciphertext, + output, type, params, + sequence); + if (ret < 0) + return gnutls_assert_val(ret); - leave: - gnutls_free(tmp.data); - return ret; - } + return ret; } @@ -280,14 +203,14 @@ make_preamble(uint8_t * uint64_data, uint8_t type, unsigned int length, } /* This is the actual encryption - * Encrypts the given compressed datum, and puts the result to cipher_data, + * Encrypts the given plaintext datum, and puts the result to cipher_data, * which has cipher_size size. * return the actual encrypted data length. */ static int -compressed_to_ciphertext(gnutls_session_t session, +encrypt_packet(gnutls_session_t session, uint8_t * cipher_data, int cipher_size, - gnutls_datum_t * compressed, + gnutls_datum_t * plain, size_t min_pad, content_type_t type, record_parameters_st * params) @@ -332,7 +255,7 @@ compressed_to_ciphertext(gnutls_session_t session, pad = min_pad; length = - calc_enc_length_block(session, ver, compressed->size, + calc_enc_length_block(session, ver, plain->size, tag_size, &pad, auth_cipher, blocksize, etm); } else { /* AEAD + STREAM */ @@ -341,7 +264,7 @@ compressed_to_ciphertext(gnutls_session_t session, pad = 0; length = - calc_enc_length_stream(session, compressed->size, + calc_enc_length_stream(session, plain->size, tag_size, auth_cipher, exp_iv_size); } @@ -409,7 +332,7 @@ compressed_to_ciphertext(gnutls_session_t session, if (etm) ret = length-tag_size; else - ret = compressed->size; + ret = plain->size; preamble_size = make_preamble(UINT64DATA(params->write.sequence_number), @@ -436,8 +359,8 @@ compressed_to_ciphertext(gnutls_session_t session, */ ret = _gnutls_auth_cipher_encrypt2_tag(¶ms->write.cipher_state, - compressed->data, - compressed->size, cipher_data, + plain->data, + plain->size, cipher_data, cipher_size, pad); if (ret < 0) return gnutls_assert_val(ret); @@ -446,7 +369,7 @@ compressed_to_ciphertext(gnutls_session_t session, nonce, imp_iv_size + exp_iv_size, preamble, preamble_size, tag_size, - compressed->data, compressed->size, + plain->data, plain->size, cipher_data, cipher_size); if (ret < 0) return gnutls_assert_val(ret); @@ -491,13 +414,13 @@ static void dummy_wait(record_parameters_st * params, } } -/* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size. - * Returns the actual compressed packet size. +/* Deciphers the ciphertext packet, and puts the result to plain. + * Returns the actual plaintext packet size. */ static int -ciphertext_to_compressed(gnutls_session_t session, +decrypt_packet(gnutls_session_t session, gnutls_datum_t * ciphertext, - gnutls_datum_t * compressed, + gnutls_datum_t * plain, uint8_t type, record_parameters_st * params, gnutls_uint64 * sequence) { @@ -609,7 +532,7 @@ ciphertext_to_compressed(gnutls_session_t session, length_to_decrypt = ciphertext->size; - /* Pass the type, version, length and compressed through + /* Pass the type, version, length and plain through * MAC. */ preamble_size = @@ -618,11 +541,11 @@ ciphertext_to_compressed(gnutls_session_t session, if (unlikely - ((unsigned) length_to_decrypt > compressed->size)) { + ((unsigned) length_to_decrypt > plain->size)) { _gnutls_audit_log(session, "Received %u bytes, while expecting less than %u\n", (unsigned int) length_to_decrypt, - (unsigned int) compressed->size); + (unsigned int) plain->size); return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); } @@ -632,7 +555,7 @@ ciphertext_to_compressed(gnutls_session_t session, preamble, preamble_size, tag_size, ciphertext->data, length_to_decrypt, - compressed->data, compressed->size); + plain->data, plain->size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); @@ -647,9 +570,9 @@ ciphertext_to_compressed(gnutls_session_t session, length_to_decrypt = ciphertext->size; length = ciphertext->size - tag_size; - tag_ptr = compressed->data + length; + tag_ptr = plain->data + length; - /* Pass the type, version, length and compressed through + /* Pass the type, version, length and plain through * MAC. */ preamble_size = @@ -664,11 +587,11 @@ ciphertext_to_compressed(gnutls_session_t session, return gnutls_assert_val(ret); if (unlikely - ((unsigned) length_to_decrypt > compressed->size)) { + ((unsigned) length_to_decrypt > plain->size)) { _gnutls_audit_log(session, "Received %u bytes, while expecting less than %u\n", (unsigned int) length_to_decrypt, - (unsigned int) compressed->size); + (unsigned int) plain->size); return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); } @@ -678,8 +601,8 @@ ciphertext_to_compressed(gnutls_session_t session, cipher_state, ciphertext->data, length_to_decrypt, - compressed->data, - compressed->size); + plain->data, + plain->size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); @@ -721,7 +644,7 @@ ciphertext_to_compressed(gnutls_session_t session, * an API. (the length of plaintext is required to calculate * auth_data, but it is not available before decryption). */ - if (unlikely(ciphertext->size > compressed->size)) + if (unlikely(ciphertext->size > plain->size)) return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); @@ -730,12 +653,12 @@ ciphertext_to_compressed(gnutls_session_t session, _gnutls_cipher_decrypt2(¶ms->read.cipher_state. cipher, ciphertext->data, ciphertext->size, - compressed->data, - compressed->size); + plain->data, + plain->size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); - pad = compressed->data[ciphertext->size - 1]; /* pad */ + pad = plain->data[ciphertext->size - 1]; /* pad */ /* Check the pading bytes (TLS 1.x). * Note that we access all 256 bytes of ciphertext for padding check @@ -746,7 +669,7 @@ ciphertext_to_compressed(gnutls_session_t session, #endif for (i = 2; i <= MIN(256, ciphertext->size); i++) { tmp_pad_failed |= - (compressed-> + (plain-> data[ciphertext->size - i] != pad); pad_failed |= ((i <= (1 + pad)) & (tmp_pad_failed)); @@ -763,9 +686,9 @@ ciphertext_to_compressed(gnutls_session_t session, } length = ciphertext->size - tag_size - pad - 1; - tag_ptr = &compressed->data[length]; + tag_ptr = &plain->data[length]; - /* Pass the type, version, length and compressed through + /* Pass the type, version, length and plain through * MAC. */ preamble_size = @@ -782,7 +705,7 @@ ciphertext_to_compressed(gnutls_session_t session, ret = _gnutls_auth_cipher_add_auth(¶ms->read. cipher_state, - compressed->data, length); + plain->data, length); if (unlikely(ret < 0)) return gnutls_assert_val(ret); } else { /* EtM */ @@ -790,12 +713,12 @@ ciphertext_to_compressed(gnutls_session_t session, _gnutls_cipher_decrypt2(¶ms->read.cipher_state. cipher, ciphertext->data, ciphertext->size - tag_size, - compressed->data, - compressed->size); + plain->data, + plain->size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); - pad = compressed->data[ciphertext->size - tag_size - 1]; /* pad */ + pad = plain->data[ciphertext->size - tag_size - 1]; /* pad */ length = ciphertext->size - tag_size - pad - 1; if (unlikely(length < 0)) @@ -823,7 +746,7 @@ ciphertext_to_compressed(gnutls_session_t session, if (unlikely (gnutls_memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) { /* HMAC was not the same. */ - dummy_wait(params, compressed, pad_failed, pad, + dummy_wait(params, plain, pad_failed, pad, length + preamble_size); return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); diff --git a/lib/compress.c b/lib/compress.c index 8008bf60d8..a24c7c878f 100644 --- a/lib/compress.c +++ b/lib/compress.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2000-2012 Free Software Foundation, Inc. + * Copyright (C) 2017 Red Hat, Inc. * * Author: Nikos Mavrogiannopoulos * @@ -20,51 +20,9 @@ * */ -/* This file contains the functions which convert the TLS plaintext - * packet to TLS compressed packet. - */ - #include "gnutls_int.h" -#include "compress.h" -#include "errors.h" -#include "constate.h" -#include <algorithms.h> -#include <gnutls/gnutls.h> - -/* Compression Section */ -#define GNUTLS_COMPRESSION_ENTRY(name, id, wb, ml, cl) \ - { #name, name, id, wb, ml, cl} - - -#define MAX_COMP_METHODS 5 -const int _gnutls_comp_algorithms_size = MAX_COMP_METHODS; - -gnutls_compression_entry _gnutls_compression_algorithms[MAX_COMP_METHODS] = { - GNUTLS_COMPRESSION_ENTRY(GNUTLS_COMP_NULL, 0x00, 0, 0, 0), -#ifdef HAVE_LIBZ - /* draft-ietf-tls-compression-02 */ - GNUTLS_COMPRESSION_ENTRY(GNUTLS_COMP_DEFLATE, 0x01, 15, 8, 3), -#endif - {0, 0, 0, 0, 0, 0} -}; -static const gnutls_compression_method_t supported_compressions[] = { -#ifdef HAVE_LIBZ - GNUTLS_COMP_DEFLATE, -#endif - GNUTLS_COMP_NULL, - 0 -}; - -#define GNUTLS_COMPRESSION_LOOP(b) \ - const gnutls_compression_entry *p; \ - for(p = _gnutls_compression_algorithms; p->name != NULL; p++) { b ; } -#define GNUTLS_COMPRESSION_ALG_LOOP(a) \ - GNUTLS_COMPRESSION_LOOP( if(p->id == algorithm) { a; break; } ) -#define GNUTLS_COMPRESSION_ALG_LOOP_NUM(a) \ - GNUTLS_COMPRESSION_LOOP( if(p->num == num) { a; break; } ) - -/* Compression Functions */ +/* Compatibility compression functions */ /** * gnutls_compression_get_name: @@ -78,13 +36,10 @@ static const gnutls_compression_method_t supported_compressions[] = { const char *gnutls_compression_get_name(gnutls_compression_method_t algorithm) { - const char *ret = NULL; - - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = - p->name + sizeof("GNUTLS_COMP_") - 1); + if (algorithm == GNUTLS_COMP_NULL) + return "NULL"; - return ret; + return NULL; } /** @@ -98,14 +53,10 @@ const char *gnutls_compression_get_name(gnutls_compression_method_t **/ gnutls_compression_method_t gnutls_compression_get_id(const char *name) { - gnutls_compression_method_t ret = GNUTLS_COMP_UNKNOWN; + if (strcasecmp(name, "NULL") == 0) + return GNUTLS_COMP_NULL; - GNUTLS_COMPRESSION_LOOP(if - (strcasecmp - (p->name + sizeof("GNUTLS_COMP_") - 1, - name) == 0) ret = p->id); - - return ret; + return GNUTLS_COMP_UNKNOWN; } /** @@ -118,322 +69,6 @@ gnutls_compression_method_t gnutls_compression_get_id(const char *name) **/ const gnutls_compression_method_t *gnutls_compression_list(void) { - return supported_compressions; -} - -/* return the tls number of the specified algorithm */ -int _gnutls_compression_get_num(gnutls_compression_method_t algorithm) -{ - int ret = -1; - - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->num); - - return ret; -} - -#ifdef HAVE_LIBZ - -static int get_wbits(gnutls_compression_method_t algorithm) -{ - int ret = -1; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->window_bits); - return ret; -} - -static int get_mem_level(gnutls_compression_method_t algorithm) -{ - int ret = -1; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->mem_level); - return ret; -} - -static int get_comp_level(gnutls_compression_method_t algorithm) -{ - int ret = -1; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->comp_level); - return ret; -} - -#endif - -/* returns the gnutls internal ID of the TLS compression - * method num - */ -gnutls_compression_method_t _gnutls_compression_get_id(int num) -{ - gnutls_compression_method_t ret = -1; - - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP_NUM(ret = p->id); - - return ret; -} - -int _gnutls_compression_is_ok(gnutls_compression_method_t algorithm) -{ - ssize_t ret = -1; - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->id); - if (ret >= 0) - ret = 0; - else - ret = 1; - return ret; -} - - - -/* For compression */ - -#define MIN_PRIVATE_COMP_ALGO 0xEF - -/* returns the TLS numbers of the compression methods we support - */ -#define SUPPORTED_COMPRESSION_METHODS session->internals.priorities.compression.algorithms -int -_gnutls_supported_compression_methods(gnutls_session_t session, - uint8_t * comp, size_t comp_size) -{ - unsigned int i, j; - int tmp; - - if (comp_size < SUPPORTED_COMPRESSION_METHODS) - return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - - for (i = j = 0; i < SUPPORTED_COMPRESSION_METHODS; i++) { - if (IS_DTLS(session) && session->internals.priorities.compression.priority[i] != GNUTLS_COMP_NULL) { - gnutls_assert(); - continue; - } - - tmp = - _gnutls_compression_get_num(session-> - internals.priorities. - compression.priority[i]); - - /* remove private compression algorithms, if requested. - */ - if (tmp == -1 || (tmp >= MIN_PRIVATE_COMP_ALGO && - session->internals.enable_private == 0)) - { - gnutls_assert(); - continue; - } - - comp[j] = (uint8_t) tmp; - j++; - } - - if (j == 0) { - gnutls_assert(); - return GNUTLS_E_NO_COMPRESSION_ALGORITHMS; - } - return j; -} - - -/* The flag d is the direction (compress, decompress). Non zero is - * decompress. - */ -int _gnutls_comp_init(comp_hd_st * handle, - gnutls_compression_method_t method, int d) -{ - handle->algo = method; - handle->handle = NULL; - - switch (method) { - case GNUTLS_COMP_DEFLATE: -#ifdef HAVE_LIBZ - { - int window_bits, mem_level; - int comp_level; - z_stream *zhandle; - int err; - - window_bits = get_wbits(method); - mem_level = get_mem_level(method); - comp_level = get_comp_level(method); - - handle->handle = gnutls_malloc(sizeof(z_stream)); - if (handle->handle == NULL) - return - gnutls_assert_val - (GNUTLS_E_MEMORY_ERROR); - - zhandle = handle->handle; - - zhandle->zalloc = (alloc_func) 0; - zhandle->zfree = (free_func) 0; - zhandle->opaque = (voidpf) 0; - - if (d) - err = inflateInit2(zhandle, window_bits); - else { - err = deflateInit2(zhandle, - comp_level, Z_DEFLATED, - window_bits, mem_level, - Z_DEFAULT_STRATEGY); - } - if (err != Z_OK) { - gnutls_assert(); - gnutls_free(handle->handle); - return GNUTLS_E_COMPRESSION_FAILED; - } - } - break; -#endif - case GNUTLS_COMP_NULL: - case GNUTLS_COMP_UNKNOWN: - break; - default: - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; - } - - return 0; -} - -/* The flag d is the direction (compress, decompress). Non zero is - * decompress. - */ -void _gnutls_comp_deinit(comp_hd_st * handle, int d) -{ - if (handle != NULL) { - switch (handle->algo) { -#ifdef HAVE_LIBZ - case GNUTLS_COMP_DEFLATE: - { - if (d) - inflateEnd(handle->handle); - else - deflateEnd(handle->handle); - break; - } -#endif - default: - break; - } - gnutls_free(handle->handle); - handle->handle = NULL; - } -} - -/* These functions are memory consuming - */ - -int -_gnutls_compress(comp_hd_st * handle, const uint8_t * plain, - size_t plain_size, uint8_t * compressed, - size_t max_comp_size, unsigned int stateless) -{ - int compressed_size = GNUTLS_E_COMPRESSION_FAILED; - - /* NULL compression is not handled here - */ - if (handle == NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - switch (handle->algo) { -#ifdef HAVE_LIBZ - case GNUTLS_COMP_DEFLATE: - { - z_stream *zhandle; - int err; - int type; - - if (stateless) { - type = Z_FULL_FLUSH; - } else - type = Z_SYNC_FLUSH; - - zhandle = handle->handle; - - zhandle->next_in = (Bytef *) plain; - zhandle->avail_in = plain_size; - zhandle->next_out = (Bytef *) compressed; - zhandle->avail_out = max_comp_size; - - err = deflate(zhandle, type); - if (err != Z_OK || zhandle->avail_in != 0) - return - gnutls_assert_val - (GNUTLS_E_COMPRESSION_FAILED); - - - compressed_size = - max_comp_size - zhandle->avail_out; - break; - } -#endif - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } /* switch */ - -#ifdef COMPRESSION_DEBUG - _gnutls_debug_log("Compression ratio: %f\n", - (float) ((float) compressed_size / - (float) plain_size)); -#endif - - return compressed_size; -} - - - -int -_gnutls_decompress(comp_hd_st * handle, uint8_t * compressed, - size_t compressed_size, uint8_t * plain, - size_t max_plain_size) -{ - int plain_size = GNUTLS_E_DECOMPRESSION_FAILED; - - if (compressed_size > max_plain_size + EXTRA_COMP_SIZE) { - gnutls_assert(); - return GNUTLS_E_DECOMPRESSION_FAILED; - } - - /* NULL compression is not handled here - */ - - if (handle == NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - switch (handle->algo) { -#ifdef HAVE_LIBZ - case GNUTLS_COMP_DEFLATE: - { - z_stream *zhandle; - int err; - - zhandle = handle->handle; - - zhandle->next_in = (Bytef *) compressed; - zhandle->avail_in = compressed_size; - - zhandle->next_out = (Bytef *) plain; - zhandle->avail_out = max_plain_size; - err = inflate(zhandle, Z_SYNC_FLUSH); - - if (err != Z_OK) - return - gnutls_assert_val - (GNUTLS_E_DECOMPRESSION_FAILED); - - plain_size = max_plain_size - zhandle->avail_out; - break; - } -#endif - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } /* switch */ - - return plain_size; + static const gnutls_compression_method_t list[2] = {GNUTLS_COMP_NULL, 0}; + return list; } diff --git a/lib/compress.h b/lib/compress.h deleted file mode 100644 index 691044113e..0000000000 --- a/lib/compress.h +++ /dev/null @@ -1,66 +0,0 @@ -/* - * Copyright (C) 2000-2012 Free Software Foundation, Inc. - * - * Author: Nikos Mavrogiannopoulos - * - * This file is part of GnuTLS. - * - * The GnuTLS is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public License - * as published by the Free Software Foundation; either version 2.1 of - * the License, or (at your option) any later version. - * - * This library is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ -#ifndef GNUTLS_COMPRESS_H -#define GNUTLS_COMPRESS_H - -/* Algorithm handling. */ -int _gnutls_supported_compression_methods(gnutls_session_t session, - uint8_t * comp, size_t max_comp); -int _gnutls_compression_is_ok(gnutls_compression_method_t algorithm); -int _gnutls_compression_get_num(gnutls_compression_method_t algorithm); -gnutls_compression_method_t _gnutls_compression_get_id(int num); - -#ifdef HAVE_LIBZ -#include <zlib.h> -#endif - -#define GNUTLS_COMP_FAILED NULL - -typedef struct comp_hd_st { - void *handle; - gnutls_compression_method_t algo; -} comp_hd_st; - -int _gnutls_comp_init(comp_hd_st *, gnutls_compression_method_t, int d); -void _gnutls_comp_deinit(comp_hd_st * handle, int d); - -int _gnutls_decompress(comp_hd_st * handle, uint8_t * compressed, - size_t compressed_size, uint8_t * plain, - size_t max_plain_size); -int _gnutls_compress(comp_hd_st *, const uint8_t * plain, - size_t plain_size, uint8_t * compressed, - size_t max_comp_size, unsigned int stateless); - -struct gnutls_compression_entry { - const char *name; - gnutls_compression_method_t id; - /* the number reserved in TLS for the specific compression method */ - int num; - - /* used in zlib compressor */ - int window_bits; - int mem_level; - int comp_level; -}; -typedef struct gnutls_compression_entry gnutls_compression_entry; - -#endif diff --git a/lib/constate.c b/lib/constate.c index 81cbeff462..daad7bc171 100644 --- a/lib/constate.c +++ b/lib/constate.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2001-2012 Free Software Foundation, Inc. + * Copyright (C) 2017 Red Hat, Inc. * * Author: Nikos Mavrogiannopoulos * @@ -219,14 +220,6 @@ _gnutls_init_record_state(record_parameters_st * params, if (ret < 0 && params->cipher->id != GNUTLS_CIPHER_NULL) return gnutls_assert_val(ret); - ret = - _gnutls_comp_init(&state->compression_state, - params->compression_algorithm, - read /*1==decompress */ ); - - if (ret < 0) - return gnutls_assert_val(ret); - return 0; } @@ -281,32 +274,6 @@ _gnutls_set_cipher_suite(gnutls_session_t session, return 0; } -int -_gnutls_set_compression(gnutls_session_t session, - gnutls_compression_method_t comp_algo) -{ - record_parameters_st *params; - int ret; - - ret = _gnutls_epoch_get(session, EPOCH_NEXT, ¶ms); - if (ret < 0) - return gnutls_assert_val(ret); - - if (params->initialized - || params->compression_algorithm != GNUTLS_COMP_UNKNOWN) - return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - - if (_gnutls_compression_is_ok(comp_algo) != 0) - return - gnutls_assert_val - (GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM); - - session->security_parameters.compression_method = comp_algo; - params->compression_algorithm = comp_algo; - - return 0; -} - void _gnutls_epoch_set_null_algos(gnutls_session_t session, record_parameters_st * params) @@ -321,7 +288,6 @@ _gnutls_epoch_set_null_algos(gnutls_session_t session, params->cipher = cipher_to_entry(GNUTLS_CIPHER_NULL); params->mac = mac_to_entry(GNUTLS_MAC_NULL); - params->compression_algorithm = GNUTLS_COMP_NULL; params->initialized = 1; } @@ -330,7 +296,6 @@ int _gnutls_epoch_set_keys(gnutls_session_t session, uint16_t epoch) int hash_size; int IV_size; int key_size; - gnutls_compression_method_t comp_algo; record_parameters_st *params; int ret; const version_entry_st *ver = get_version(session); @@ -348,8 +313,6 @@ int _gnutls_epoch_set_keys(gnutls_session_t session, uint16_t epoch) _gnutls_record_log ("REC[%p]: Initializing epoch #%u\n", session, params->epoch); - comp_algo = params->compression_algorithm; - if (_gnutls_cipher_is_ok(params->cipher) == 0 || _gnutls_mac_is_ok(params->mac) == 0) return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM); @@ -360,11 +323,6 @@ int _gnutls_epoch_set_keys(gnutls_session_t session, uint16_t epoch) if (_gnutls_mac_priority(session, params->mac->id) < 0) return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM); - if (_gnutls_compression_is_ok(comp_algo) != 0) - return - gnutls_assert_val - (GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM); - if (!_gnutls_version_has_explicit_iv(ver) && _gnutls_cipher_type(params->cipher) == CIPHER_BLOCK) { IV_size = _gnutls_cipher_get_iv_size(params->cipher); @@ -408,7 +366,6 @@ int _gnutls_epoch_set_keys(gnutls_session_t session, uint16_t epoch) memcpy( dst->session_id, src->session_id, GNUTLS_MAX_SESSION_ID_SIZE); \ dst->session_id_size = src->session_id_size; \ dst->cert_type = src->cert_type; \ - dst->compression_method = src->compression_method; \ dst->timestamp = src->timestamp; \ dst->ext_master_secret = src->ext_master_secret; \ dst->etm = src->etm; \ @@ -627,7 +584,6 @@ _gnutls_epoch_alloc(gnutls_session_t session, uint16_t epoch, (*slot)->epoch = epoch; (*slot)->cipher = NULL; (*slot)->mac = NULL; - (*slot)->compression_algorithm = GNUTLS_COMP_UNKNOWN; if (IS_DTLS(session)) _gnutls_write_uint16(epoch, @@ -721,9 +677,6 @@ static inline void free_record_state(record_state_st * state, int d) _gnutls_free_datum(&state->key); _gnutls_auth_cipher_deinit(&state->cipher_state); - - if (state->compression_state.handle != NULL) - _gnutls_comp_deinit(&state->compression_state, d); } void diff --git a/lib/constate.h b/lib/constate.h index c62b72b9d0..773c36c6f2 100644 --- a/lib/constate.h +++ b/lib/constate.h @@ -25,8 +25,6 @@ int _gnutls_set_cipher_suite(gnutls_session_t session, const uint8_t suite[2]); -int _gnutls_set_compression(gnutls_session_t session, - gnutls_compression_method_t comp_algo); void _gnutls_epoch_set_null_algos(gnutls_session_t session, record_parameters_st * params); int _gnutls_epoch_set_keys(gnutls_session_t session, uint16_t epoch); diff --git a/lib/dtls.c b/lib/dtls.c index ba953ae374..07c4537904 100644 --- a/lib/dtls.c +++ b/lib/dtls.c @@ -495,7 +495,6 @@ void gnutls_dtls_set_mtu(gnutls_session_t session, unsigned int mtu) static int record_overhead(const cipher_entry_st * cipher, const mac_entry_st * mac, - gnutls_compression_method_t comp, unsigned etm, unsigned est_data) { @@ -518,9 +517,6 @@ static int record_overhead(const cipher_entry_st * cipher, total += hash_len; } - if (comp != GNUTLS_COMP_NULL) - total += EXTRA_COMP_SIZE; - /* This must be last */ if (_gnutls_cipher_type(cipher) == CIPHER_BLOCK) { int rem, exp_iv; @@ -554,7 +550,7 @@ static int record_overhead(const cipher_entry_st * cipher, * @version: is a #gnutls_protocol_t value * @cipher: is a #gnutls_cipher_algorithm_t value * @mac: is a #gnutls_mac_algorithm_t value - * @comp: is a #gnutls_compression_method_t value + * @comp: is a #gnutls_compression_method_t value (ignored) * @flags: must be zero * * This function will return the set size in bytes of the overhead @@ -595,7 +591,7 @@ size_t gnutls_est_record_overhead_size(gnutls_protocol_t version, else total = DTLS_RECORD_HEADER_SIZE; - total += record_overhead(c, m, comp, 0, 0); + total += record_overhead(c, m, 0, 0); return total; } @@ -622,7 +618,7 @@ static int record_overhead_rt(gnutls_session_t session, unsigned est_data) return gnutls_assert_val(ret); return record_overhead(params->cipher, params->mac, - params->compression_algorithm, params->etm, est_data); + params->etm, est_data); } /** diff --git a/lib/gnutls.pc.in b/lib/gnutls.pc.in index f656d12c41..9f26852ccd 100644 --- a/lib/gnutls.pc.in +++ b/lib/gnutls.pc.in @@ -19,6 +19,6 @@ Description: Transport Security Layer implementation for the GNU system URL: http://www.gnutls.org/ Version: @VERSION@ Libs: -L${libdir} -lgnutls -Libs.private: @LIBZ_PC@ @LIBINTL@ @LIBSOCKET@ @LIBNSL@ @LIBPTHREAD@ @LIB_SELECT@ @TSS_LIBS@ @GMP_LIBS@ @LIBUNISTRING@ @LIBIDN2_LIBS@ +Libs.private: @LIBINTL@ @LIBSOCKET@ @LIBNSL@ @LIBPTHREAD@ @LIB_SELECT@ @TSS_LIBS@ @GMP_LIBS@ @LIBUNISTRING@ @LIBIDN2_LIBS@ @GNUTLS_REQUIRES_PRIVATE@ Cflags: -I${includedir} diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index b7f491c52c..8bb58f53c4 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -164,7 +164,7 @@ typedef enum record_flush_t { * when receiving we use a different way as there are implementations that * store more data than allowed. */ -#define MAX_RECORD_SEND_OVERHEAD(session) (MAX_CIPHER_BLOCK_SIZE/*iv*/+MAX_PAD_SIZE+((gnutls_compression_get(session)!=GNUTLS_COMP_NULL)?(EXTRA_COMP_SIZE):(0))+MAX_HASH_SIZE/*MAC*/) +#define MAX_RECORD_SEND_OVERHEAD(session) (MAX_CIPHER_BLOCK_SIZE/*iv*/+MAX_PAD_SIZE+MAX_HASH_SIZE/*MAC*/) #define MAX_RECORD_SEND_SIZE(session) (IS_DTLS(session)? \ (MIN((size_t)gnutls_dtls_get_mtu(session), (size_t)session->security_parameters.max_record_send_size+MAX_RECORD_SEND_OVERHEAD(session))): \ ((size_t)session->security_parameters.max_record_send_size+MAX_RECORD_SEND_OVERHEAD(session))) @@ -503,7 +503,6 @@ typedef struct { #include <hash_int.h> #include <cipher_int.h> -#include <compress.h> typedef struct { uint8_t hash_algorithm; @@ -552,7 +551,6 @@ typedef struct { * on resume; */ uint8_t cipher_suite[2]; - gnutls_compression_method_t compression_method; gnutls_mac_algorithm_t prf_mac; uint8_t master_secret[GNUTLS_MASTER_SIZE]; uint8_t client_random[GNUTLS_RANDOM_SIZE]; @@ -598,7 +596,6 @@ struct record_state_st { gnutls_datum_t IV; gnutls_datum_t key; auth_cipher_hd_st cipher_state; - comp_hd_st compression_state; gnutls_uint64 sequence_number; }; @@ -615,8 +612,6 @@ struct record_parameters_st { uint16_t epoch; int initialized; - gnutls_compression_method_t compression_algorithm; - const cipher_entry_st *cipher; bool etm; const mac_entry_st *mac; @@ -653,7 +648,6 @@ struct gnutls_priority_st { priority_st cipher; priority_st mac; priority_st kx; - priority_st compression; priority_st protocol; priority_st cert_type; priority_st sign_algo; @@ -673,8 +667,6 @@ struct gnutls_priority_st { bool no_tickets; bool no_etm; bool have_cbc; - /* Whether stateless compression will be used */ - bool stateless_compression; unsigned int additional_verify_flags; /* The session's expected security level. diff --git a/lib/handshake.c b/lib/handshake.c index d62fd5b89c..720070f889 100644 --- a/lib/handshake.c +++ b/lib/handshake.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2000-2016 Free Software Foundation, Inc. - * Copyright (C) 2015-2016 Red Hat, Inc. + * Copyright (C) 2015-2017 Red Hat, Inc. * * Author: Nikos Mavrogiannopoulos * @@ -29,7 +29,6 @@ #include "dh.h" #include "debug.h" #include "algorithms.h" -#include "compress.h" #include "cipher.h" #include "buffers.h" #include "mbuffers.h" @@ -64,7 +63,7 @@ #define TRUE 1 #define FALSE 0 -static int server_select_comp_method(gnutls_session_t session, +static int check_if_null_comp_present(gnutls_session_t session, uint8_t * data, int datalen); static int handshake_client(gnutls_session_t session); static int handshake_server(gnutls_session_t session); @@ -143,13 +142,6 @@ static int resume_copy_required_values(gnutls_session_t session) if (ret < 0) return gnutls_assert_val(ret); - ret = _gnutls_set_compression(session, - session->internals. - resumed_security_parameters. - compression_method); - if (ret < 0) - return gnutls_assert_val(ret); - /* or write_compression_algorithm * they are the same */ @@ -637,7 +629,7 @@ read_client_hello(gnutls_session_t session, uint8_t * data, /* select appropriate compression method */ ret = - server_select_comp_method(session, comp_ptr, + check_if_null_comp_present(session, comp_ptr, comp_size); if (ret < 0) { gnutls_assert(); @@ -1054,72 +1046,20 @@ _gnutls_server_select_suite(gnutls_session_t session, uint8_t * data, } -/* This selects the best supported compression method from the ones provided +/* This checks whether the null compression method is present. */ static int -server_select_comp_method(gnutls_session_t session, +check_if_null_comp_present(gnutls_session_t session, uint8_t * data, int datalen) { - int x, i, j; - uint8_t comps[MAX_ALGOS]; - int ret; - - x = _gnutls_supported_compression_methods(session, comps, - MAX_ALGOS); - if (x < 0) { - gnutls_assert(); - return x; - } - - if (session->internals.priorities.server_precedence == 0) { - for (j = 0; j < datalen; j++) { - for (i = 0; i < x; i++) { - if (comps[i] == data[j]) { - gnutls_compression_method_t method - = - _gnutls_compression_get_id - (comps[i]); - - ret = _gnutls_set_compression - (session, method); - if (ret < 0) - return gnutls_assert_val(ret); - - _gnutls_handshake_log - ("HSK[%p]: Selected Compression Method: %s\n", - session, - gnutls_compression_get_name - (method)); - return 0; - } - } - } - } else { - for (i = 0; i < x; i++) { - for (j = 0; j < datalen; j++) { - if (comps[i] == data[j]) { - gnutls_compression_method_t method - = - _gnutls_compression_get_id - (comps[i]); - - ret = _gnutls_set_compression - (session, method); - if (ret < 0) - return gnutls_assert_val(ret); + int j; - _gnutls_handshake_log - ("HSK[%p]: Selected Compression Method: %s\n", - session, - gnutls_compression_get_name - (method)); - return 0; - } - } - } + for (j = 0; j < datalen; j++) { + if (data[j] == 0) + return 0; } - /* we were not able to find a compatible compression + /* we were not able to find a the NULL compression * algorithm */ gnutls_assert(); @@ -1604,49 +1544,6 @@ set_client_ciphersuite(gnutls_session_t session, uint8_t suite[2]) return 0; } -/* This function sets the given comp method to the session. - */ -static int -set_client_comp_method(gnutls_session_t session, - uint8_t comp_method) -{ - int comp_methods_num; - uint8_t compression_methods[MAX_ALGOS]; - int id = _gnutls_compression_get_id(comp_method); - int i; - int ret; - - _gnutls_handshake_log - ("HSK[%p]: Selected compression method: %s (%d)\n", session, - gnutls_compression_get_name(id), (int) comp_method); - - comp_methods_num = _gnutls_supported_compression_methods(session, - compression_methods, - MAX_ALGOS); - if (comp_methods_num < 0) { - gnutls_assert(); - return comp_methods_num; - } - - for (i = 0; i < comp_methods_num; i++) { - if (compression_methods[i] == comp_method) { - comp_methods_num = 0; - break; - } - } - - if (comp_methods_num != 0) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; - } - - ret = _gnutls_set_compression(session, id); - if (ret < 0) - return gnutls_assert_val(ret); - - return 0; -} - /* This function returns 0 if we are resuming a session or -1 otherwise. * This also sets the variables in the session. Used only while reading a server * hello. @@ -1690,14 +1587,6 @@ client_check_if_resuming(gnutls_session_t session, gnutls_assert(); goto no_resume; } - ret = _gnutls_set_compression(session, - session->internals. - resumed_security_parameters. - compression_method); - if (ret < 0) { - gnutls_assert(); - goto no_resume; - } session->internals.resumed = RESUME_TRUE; /* we are resuming */ @@ -1806,12 +1695,7 @@ read_server_hello(gnutls_session_t session, /* move to compression */ DECR_LEN(len, 1); - - ret = set_client_comp_method(session, data[pos++]); - if (ret < 0) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; - } + pos++; /* Parse extensions. */ @@ -1899,30 +1783,15 @@ copy_ciphersuites(gnutls_session_t session, * Needed in hello messages. Returns the new data length. */ static int -copy_comp_methods(gnutls_session_t session, +append_null_comp(gnutls_session_t session, gnutls_buffer_st * cdata) { - int ret; - uint8_t compression_methods[MAX_ALGOS], comp_num; + uint8_t compression_methods[2] = {0x01, 0x00}; size_t init_length = cdata->length; + int ret; ret = - _gnutls_supported_compression_methods(session, - compression_methods, - MAX_ALGOS); - if (ret < 0) - return gnutls_assert_val(ret); - - comp_num = ret; - - /* put the number of compression methods */ - ret = _gnutls_buffer_append_prefix(cdata, 8, comp_num); - if (ret < 0) - return gnutls_assert_val(ret); - - ret = - _gnutls_buffer_append_data(cdata, compression_methods, - comp_num); + _gnutls_buffer_append_data(cdata, compression_methods, 2); if (ret < 0) return gnutls_assert_val(ret); @@ -2089,7 +1958,7 @@ static int send_client_hello(gnutls_session_t session, int again) /* Copy the compression methods. */ - ret = copy_comp_methods(session, &extdata); + ret = append_null_comp(session, &extdata); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -2150,7 +2019,6 @@ static int send_server_hello(gnutls_session_t session, int again) gnutls_buffer_st extdata; int pos = 0; int datalen, ret = 0; - uint8_t comp; uint8_t session_id_len = session->security_parameters.session_id_size; char buf[2 * GNUTLS_MAX_SESSION_ID_SIZE + 1]; @@ -2211,11 +2079,7 @@ static int send_server_hello(gnutls_session_t session, int again) session->security_parameters.cipher_suite, 2); pos += 2; - comp = - _gnutls_compression_get_num(session-> - security_parameters. - compression_method); - data[pos++] = comp; + data[pos++] = 0x00; if (extdata.length > 0) { memcpy(&data[pos], extdata.data, extdata.length); diff --git a/lib/priority.c b/lib/priority.c index 3d99e69b22..a56b031d12 100644 --- a/lib/priority.c +++ b/lib/priority.c @@ -349,12 +349,6 @@ static const int _cipher_priority_secure192[] = { }; static const int* cipher_priority_secure192 = _cipher_priority_secure192; -static const int comp_priority[] = { - /* compression should be explicitly requested to be enabled */ - GNUTLS_COMP_NULL, - 0 -}; - static const int _sign_priority_default[] = { GNUTLS_SIGN_RSA_SHA256, GNUTLS_SIGN_ECDSA_SHA256, @@ -536,7 +530,7 @@ static void prio_add(priority_st * priority_list, unsigned int algo) * @priority: is a #gnutls_priority_t type. * * Sets the priorities to use on the ciphers, key exchange methods, - * macs and compression methods. + * and macs. * * Returns: %GNUTLS_E_SUCCESS on success, or an error code. **/ @@ -570,8 +564,7 @@ gnutls_priority_set(gnutls_session_t session, gnutls_priority_t priority) if (session->internals.priorities.protocol.algorithms == 0 || session->internals.priorities.cipher.algorithms == 0 || session->internals.priorities.mac.algorithms == 0 || - session->internals.priorities.kx.algorithms == 0 || - session->internals.priorities.compression.algorithms == 0) + session->internals.priorities.kx.algorithms == 0) return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET); ADD_PROFILE_VFLAGS(session, priority->additional_verify_flags); @@ -778,10 +771,6 @@ static void enable_no_tickets(gnutls_priority_t c) { c->no_tickets = 1; } -static void enable_stateless_compression(gnutls_priority_t c) -{ - c->stateless_compression = 1; -} static void disable_wildcards(gnutls_priority_t c) { c->additional_verify_flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS; @@ -1124,8 +1113,8 @@ finish: * @priorities: is a string describing priorities (may be %NULL) * @err_pos: In case of an error this will have the position in the string the error occurred * - * Sets priorities for the ciphers, key exchange methods, macs and - * compression methods. The @priority_cache should be deinitialized + * Sets priorities for the ciphers, key exchange methods, and macs. + * The @priority_cache should be deinitialized * using gnutls_priority_deinit(). * * The #priorities option allows you to specify a colon @@ -1164,8 +1153,7 @@ finish: * "SUITEB192" means all the NSA SuiteB ciphersuites with security level * of 192. * - * "NONE" means nothing is enabled. This disables even protocols and - * compression methods. + * "NONE" means nothing is enabled. This disables everything, including protocols. * * "@@KEYWORD1,KEYWORD2,..." The system administrator imposed settings. * The provided keyword(s) will be expanded from a configuration-time @@ -1197,8 +1185,8 @@ finish: * * "NORMAL:+ARCFOUR-128" means normal ciphers plus ARCFOUR-128. * - * "SECURE128:-VERS-SSL3.0:+COMP-DEFLATE" means that only secure ciphers are - * enabled, SSL3.0 is disabled, and libz compression enabled. + * "SECURE128:-VERS-SSL3.0" means that only secure ciphers are + * and enabled, SSL3.0 is disabled. * * "NONE:+VERS-TLS-ALL:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL:+SIGN-RSA-SHA1", * @@ -1254,14 +1242,11 @@ gnutls_priority_init(gnutls_priority_t * priority_cache, } break_list(darg, broken_list, &broken_list_size); - /* This is our default set of protocol version, certificate types and - * compression methods. + /* This is our default set of protocol version, certificate types. */ if (strcasecmp(broken_list[0], LEVEL_NONE) != 0) { _set_priority(&(*priority_cache)->protocol, protocol_priority); - _set_priority(&(*priority_cache)->compression, - comp_priority); _set_priority(&(*priority_cache)->cert_type, cert_type_priority_default); _set_priority(&(*priority_cache)->sign_algo, @@ -1344,22 +1329,8 @@ gnutls_priority_init(gnutls_priority_t * priority_cache, } /* now check if the element is something like -ALGO */ else if (strncasecmp (&broken_list[i][1], "COMP-", 5) == 0) { - if (strncasecmp - (&broken_list[i][1], "COMP-ALL", - 8) == 0) { - bulk_fn(&(*priority_cache)-> - compression, - comp_priority); - } else { - if ((algo = - gnutls_compression_get_id - (&broken_list[i][6])) != - GNUTLS_COMP_UNKNOWN) - fn(&(*priority_cache)-> - compression, algo); - else - goto error; - } + /* ignore all compression methods */ + continue; } /* now check if the element is something like -ALGO */ else if (strncasecmp (&broken_list[i][1], "CURVE-", 6) == 0) { @@ -1465,7 +1436,7 @@ void gnutls_priority_deinit(gnutls_priority_t priority_cache) * @err_pos: In case of an error this will have the position in the string the error occurred * * Sets the priorities to use on the ciphers, key exchange methods, - * macs and compression methods. This function avoids keeping a + * and macs. This function avoids keeping a * priority cache and is used to directly set string priorities to a * TLS session. For documentation check the gnutls_priority_init(). * @@ -1533,7 +1504,7 @@ break_list(char *list, * @session: is a #gnutls_session_t type. * * Sets the default priority on the ciphers, key exchange methods, - * macs and compression methods. This is the recommended method of + * and macs. This is the recommended method of * setting the defaults, in order to promote consistency between applications * using GnuTLS, and to allow GnuTLS using applications to update settings * in par with the library. For client applications which require @@ -1657,11 +1628,10 @@ int gnutls_priority_compression_list(gnutls_priority_t pcache, const unsigned int **list) { - if (pcache->compression.algorithms == 0) - return 0; + static const unsigned int priority[1] = {GNUTLS_COMP_NULL}; - *list = pcache->compression.priority; - return pcache->compression.algorithms; + *list = priority; + return 1; } /** diff --git a/lib/priority_options.gperf b/lib/priority_options.gperf index 9de43785bb..c862ba9c03 100644 --- a/lib/priority_options.gperf +++ b/lib/priority_options.gperf @@ -12,7 +12,7 @@ NO_EXTENSIONS, enable_no_extensions NO_TICKETS, enable_no_tickets NO_ETM, enable_no_etm NO_SESSION_HASH, enable_no_ext_master_secret -STATELESS_COMPRESSION, enable_stateless_compression +STATELESS_COMPRESSION, dummy_func VERIFY_ALLOW_BROKEN, enable_verify_allow_broken VERIFY_ALLOW_SIGN_RSA_MD5, enable_verify_allow_rsa_md5 VERIFY_ALLOW_SIGN_WITH_SHA1, enable_verify_allow_sha1 diff --git a/lib/record.c b/lib/record.c index e08598b829..76ab0ff4a9 100644 --- a/lib/record.c +++ b/lib/record.c @@ -32,7 +32,6 @@ #include "gnutls_int.h" #include "errors.h" #include "debug.h" -#include "compress.h" #include "cipher.h" #include "buffers.h" #include "mbuffers.h" diff --git a/lib/session_pack.c b/lib/session_pack.c index 39f0737042..b8612c5a6b 100644 --- a/lib/session_pack.c +++ b/lib/session_pack.c @@ -691,11 +691,9 @@ unpack_psk_auth_info(gnutls_session_t session, gnutls_buffer_st * ps) * 1 byte the key exchange algorithm used * 1 byte the read cipher algorithm * 1 byte the read mac algorithm - * 1 byte the read compression algorithm * * 1 byte the write cipher algorithm * 1 byte the write mac algorithm - * 1 byte the write compression algorithm * * 1 byte the certificate type * 1 byte the protocol version @@ -747,8 +745,6 @@ pack_security_parameters(gnutls_session_t session, gnutls_buffer_st * ps) BUFFER_APPEND_NUM(ps, session->security_parameters.entity); BUFFER_APPEND_NUM(ps, session->security_parameters.kx_algorithm); BUFFER_APPEND(ps, session->security_parameters.cipher_suite, 2); - BUFFER_APPEND_NUM(ps, - session->security_parameters.compression_method); BUFFER_APPEND_NUM(ps, session->security_parameters.cert_type); BUFFER_APPEND_NUM(ps, session->security_parameters.pversion->id); @@ -820,9 +816,6 @@ unpack_security_parameters(gnutls_session_t session, gnutls_buffer_st * ps) cipher_suite, 2); BUFFER_POP_NUM(ps, session->internals.resumed_security_parameters. - compression_method); - BUFFER_POP_NUM(ps, - session->internals.resumed_security_parameters. cert_type); BUFFER_POP_NUM(ps, version); session->internals.resumed_security_parameters.pversion = @@ -904,7 +897,7 @@ unpack_security_parameters(gnutls_session_t session, gnutls_buffer_st * ps) * @kx: the key exchange method * @cipher: the cipher * @mac: the MAC algorithm - * @comp: the compression method + * @comp: the compression method (ignored) * @master: the master key to use * @session_id: the session identifier * @@ -942,8 +935,6 @@ gnutls_session_set_premaster(gnutls_session_t session, unsigned int entity, if (ret < 0) return gnutls_assert_val(ret); - session->internals.resumed_security_parameters.compression_method = - comp; session->internals.resumed_security_parameters.cert_type = DEFAULT_CERT_TYPE; session->internals.resumed_security_parameters.pversion = diff --git a/lib/sslv2_compat.c b/lib/sslv2_compat.c index 8a875f503b..6dcc4df703 100644 --- a/lib/sslv2_compat.c +++ b/lib/sslv2_compat.c @@ -28,7 +28,6 @@ #include "dh.h" #include "debug.h" #include "algorithms.h" -#include "compress.h" #include "cipher.h" #include "buffers.h" #include "kx.h" @@ -249,10 +248,6 @@ _gnutls_read_client_hello_v2(gnutls_session_t session, uint8_t * data, session->internals.resumed = RESUME_FALSE; } - ret = _gnutls_set_compression(session, GNUTLS_COMP_NULL); - if (ret < 0) - return gnutls_assert_val(ret); - return sret; } #endif diff --git a/lib/state.c b/lib/state.c index 27c4adb3b8..5dfc2e2a36 100644 --- a/lib/state.c +++ b/lib/state.c @@ -158,15 +158,7 @@ gnutls_mac_algorithm_t gnutls_mac_get(gnutls_session_t session) gnutls_compression_method_t gnutls_compression_get(gnutls_session_t session) { - record_parameters_st *record_params; - int ret; - - ret = - _gnutls_epoch_get(session, EPOCH_READ_CURRENT, &record_params); - if (ret < 0) - return gnutls_assert_val(GNUTLS_COMP_NULL); - - return record_params->compression_algorithm; + return GNUTLS_COMP_NULL; } static void deinit_keys(gnutls_session_t session) |