Drop support for TLS record-level compression.
Remove option MBEDTLS_ZLIB_SUPPORT.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 260dbab..8ec1428 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2147,31 +2147,6 @@
* Comment this macro to disallow using RSASSA-PSS in certificates.
*/
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
-
-/**
- * \def MBEDTLS_ZLIB_SUPPORT
- *
- * If set, the SSL/TLS module uses ZLIB to support compression and
- * decompression of packet data.
- *
- * \warning TLS-level compression MAY REDUCE SECURITY! See for example the
- * CRIME attack. Before enabling this option, you should examine with care if
- * CRIME or similar exploits may be applicable to your use case.
- *
- * \note Currently compression can't be used with DTLS.
- *
- * \deprecated This feature is deprecated and will be removed
- * in the next major revision of the library.
- *
- * Used in: library/ssl_tls.c
- * library/ssl_cli.c
- * library/ssl_srv.c
- *
- * This feature requires zlib library and headers to be present.
- *
- * Uncomment to enable use of ZLIB
- */
-//#define MBEDTLS_ZLIB_SUPPORT
/* \} name SECTION: mbed TLS feature support */
/**
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 446d261..a535d21 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -51,19 +51,6 @@
#include "mbedtls/ecdh.h"
#endif
-#if defined(MBEDTLS_ZLIB_SUPPORT)
-
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#warning "Record compression support via MBEDTLS_ZLIB_SUPPORT is deprecated and will be removed in the next major revision of the library"
-#endif
-
-#if defined(MBEDTLS_DEPRECATED_REMOVED)
-#error "Record compression support via MBEDTLS_ZLIB_SUPPORT is deprecated and cannot be used if MBEDTLS_DEPRECATED_REMOVED is set"
-#endif
-
-#include "zlib.h"
-#endif
-
#if defined(MBEDTLS_HAVE_TIME)
#include "mbedtls/platform_time.h"
#endif
@@ -107,7 +94,6 @@
#define MBEDTLS_ERR_SSL_ALLOC_FAILED -0x7F00 /**< Memory allocation failed */
#define MBEDTLS_ERR_SSL_HW_ACCEL_FAILED -0x7F80 /**< Hardware acceleration function returned with error */
#define MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH -0x6F80 /**< Hardware acceleration function skipped / left alone data */
-#define MBEDTLS_ERR_SSL_COMPRESSION_FAILED -0x6F00 /**< Processing of the compression / decompression failed */
#define MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION -0x6E80 /**< Handshake protocol not within min/max boundaries */
#define MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET -0x6E00 /**< Processing of the NewSessionTicket handshake message failed. */
#define MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED -0x6D80 /**< Session ticket has expired. */
@@ -183,7 +169,6 @@
#define MBEDTLS_SSL_ETM_ENABLED 1
#define MBEDTLS_SSL_COMPRESS_NULL 0
-#define MBEDTLS_SSL_COMPRESS_DEFLATE 1
#define MBEDTLS_SSL_VERIFY_NONE 0
#define MBEDTLS_SSL_VERIFY_OPTIONAL 1
@@ -1334,9 +1319,6 @@
uint16_t mtu; /*!< path mtu, used to fragment outgoing messages */
#endif /* MBEDTLS_SSL_PROTO_DTLS */
-#if defined(MBEDTLS_ZLIB_SUPPORT)
- unsigned char *compress_buf; /*!< zlib data buffer */
-#endif /* MBEDTLS_ZLIB_SUPPORT */
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
signed char split_done; /*!< current record already splitted? */
#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
@@ -1497,9 +1479,8 @@
* pointers and data.
*
* \param ssl SSL context
- * \return 0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED,
- MBEDTLS_ERR_SSL_HW_ACCEL_FAILED or
- * MBEDTLS_ERR_SSL_COMPRESSION_FAILED
+ * \return 0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED or
+ MBEDTLS_ERR_SSL_HW_ACCEL_FAILED
*/
int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl );
@@ -1814,9 +1795,6 @@
* \note Values lower than the current record layer expansion will
* result in an error when trying to send data.
*
- * \note Using record compression together with a non-zero MTU value
- * will result in an error when trying to send data.
- *
* \param ssl SSL context
* \param mtu Value of the path MTU in bytes
*/
@@ -3711,14 +3689,9 @@
* \brief Return the (maximum) number of bytes added by the record
* layer: header + encryption/MAC overhead (inc. padding)
*
- * \note This function is not available (always returns an error)
- * when record compression is enabled.
- *
* \param ssl SSL context
*
- * \return Current maximum record expansion in bytes, or
- * MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if compression is
- * enabled, which makes expansion much less predictable
+ * \return Current maximum record expansion in bytes
*/
int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl );
@@ -3795,9 +3768,6 @@
* to the caller to call \c mbedtls_ssl_write() again in
* order to send the remaining bytes if any.
*
- * \note This function is not available (always returns an error)
- * when record compression is enabled.
- *
* \sa mbedtls_ssl_set_mtu()
* \sa mbedtls_ssl_get_output_max_frag_len()
* \sa mbedtls_ssl_get_input_max_frag_len()
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 318591b..a4d4b74 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -127,15 +127,8 @@
/*
* Allow extra bytes for record, authentication and encryption overhead:
- * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
- * and allow for a maximum of 1024 of compression expansion if
- * enabled.
+ * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256).
*/
-#if defined(MBEDTLS_ZLIB_SUPPORT)
-#define MBEDTLS_SSL_COMPRESSION_ADD 1024
-#else
-#define MBEDTLS_SSL_COMPRESSION_ADD 0
-#endif
/* This macro determines whether CBC is supported. */
#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
@@ -185,8 +178,7 @@
#define MBEDTLS_SSL_MAX_CID_EXPANSION 0
#endif
-#define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_SSL_COMPRESSION_ADD + \
- MBEDTLS_MAX_IV_LENGTH + \
+#define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_MAX_IV_LENGTH + \
MBEDTLS_SSL_MAC_ADD + \
MBEDTLS_SSL_PADDING_ADD + \
MBEDTLS_SSL_MAX_CID_EXPANSION \
@@ -292,15 +284,6 @@
}
#endif
-#ifdef MBEDTLS_ZLIB_SUPPORT
-/* Compression buffer holds both IN and OUT buffers, so should be size of the larger */
-#define MBEDTLS_SSL_COMPRESS_BUFFER_LEN ( \
- ( MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN ) \
- ? MBEDTLS_SSL_IN_BUFFER_LEN \
- : MBEDTLS_SSL_OUT_BUFFER_LEN \
- )
-#endif
-
/*
* TLS extension flags (for extensions with outgoing ServerHello content
* that need it (e.g. for RENEGOTIATION_INFO the server already knows because
@@ -750,14 +733,6 @@
unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
- /*
- * Session specific compression layer
- */
-#if defined(MBEDTLS_ZLIB_SUPPORT)
- z_stream ctx_deflate; /*!< compression context */
- z_stream ctx_inflate; /*!< decompression context */
-#endif
-
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
/* We need the Hello random bytes in order to re-derive keys from the
* Master Secret and other session info, see ssl_populate_transform() */