Drop support for TLS record-level compression.
Remove option MBEDTLS_ZLIB_SUPPORT.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 4fef36c..83c66b2 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -133,10 +133,6 @@
set(libs ${libs} pkcs11-helper)
endif(USE_PKCS11_HELPER_LIBRARY)
-if(ENABLE_ZLIB_SUPPORT)
- set(libs ${libs} ${ZLIB_LIBRARIES})
-endif(ENABLE_ZLIB_SUPPORT)
-
if(LINK_WITH_PTHREAD)
set(libs ${libs} pthread)
endif()
diff --git a/library/error.c b/library/error.c
index 901a369..c1688ac 100644
--- a/library/error.c
+++ b/library/error.c
@@ -470,8 +470,6 @@
return( "SSL - Hardware acceleration function returned with error" );
case -(MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH):
return( "SSL - Hardware acceleration function skipped / left alone data" );
- case -(MBEDTLS_ERR_SSL_COMPRESSION_FAILED):
- return( "SSL - Processing of the compression / decompression failed" );
case -(MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION):
return( "SSL - Handshake protocol not within min/max boundaries" );
case -(MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET):
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 9286dce..90868dc 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -979,7 +979,6 @@
unsigned char *p, *q;
const unsigned char *end;
- unsigned char offer_compress;
const int *ciphersuites;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
@@ -1228,45 +1227,13 @@
*q++ = (unsigned char)( n >> 7 );
*q++ = (unsigned char)( n << 1 );
-#if defined(MBEDTLS_ZLIB_SUPPORT)
- offer_compress = 1;
-#else
- offer_compress = 0;
-#endif
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
+ MBEDTLS_SSL_COMPRESS_NULL ) );
- /*
- * We don't support compression with DTLS right now: if many records come
- * in the same datagram, uncompressing one could overwrite the next one.
- * We don't want to add complexity for handling that case unless there is
- * an actual need for it.
- */
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
- offer_compress = 0;
-#endif
-
- if( offer_compress )
- {
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
- MBEDTLS_SSL_COMPRESS_DEFLATE,
- MBEDTLS_SSL_COMPRESS_NULL ) );
-
- MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 );
- *p++ = 2;
- *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
- *p++ = MBEDTLS_SSL_COMPRESS_NULL;
- }
- else
- {
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
- MBEDTLS_SSL_COMPRESS_NULL ) );
-
- MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
- *p++ = 1;
- *p++ = MBEDTLS_SSL_COMPRESS_NULL;
- }
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
+ *p++ = 1;
+ *p++ = MBEDTLS_SSL_COMPRESS_NULL;
/* First write extensions, then the total length */
@@ -2048,9 +2015,6 @@
size_t ext_len;
unsigned char *buf, *ext;
unsigned char comp;
-#if defined(MBEDTLS_ZLIB_SUPPORT)
- int accept_comp;
-#endif
#if defined(MBEDTLS_SSL_RENEGOTIATION)
int renegotiation_info_seen = 0;
#endif
@@ -2219,20 +2183,7 @@
*/
comp = buf[37 + n];
-#if defined(MBEDTLS_ZLIB_SUPPORT)
- /* See comments in ssl_write_client_hello() */
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
- accept_comp = 0;
- else
-#endif
- accept_comp = 1;
-
- if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
- ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) )
-#else /* MBEDTLS_ZLIB_SUPPORT */
if( comp != MBEDTLS_SSL_COMPRESS_NULL )
-#endif/* MBEDTLS_ZLIB_SUPPORT */
{
MBEDTLS_SSL_DEBUG_MSG( 1,
( "server hello, bad compression: %d", comp ) );
@@ -2353,9 +2304,6 @@
#endif
if( comp != MBEDTLS_SSL_COMPRESS_NULL
-#if defined(MBEDTLS_ZLIB_SUPPORT)
- && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
-#endif
)
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index cfd9cab..79eab65 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -1758,115 +1758,6 @@
#undef MAC_PLAINTEXT
#undef MAC_CIPHERTEXT
-#if defined(MBEDTLS_ZLIB_SUPPORT)
-/*
- * Compression/decompression functions
- */
-static int ssl_compress_buf( mbedtls_ssl_context *ssl )
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *msg_post = ssl->out_msg;
- ptrdiff_t bytes_written = ssl->out_msg - ssl->out_buf;
- size_t len_pre = ssl->out_msglen;
- unsigned char *msg_pre = ssl->compress_buf;
-#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
- size_t out_buf_len = ssl->out_buf_len;
-#else
- size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
-#endif
-
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
-
- if( len_pre == 0 )
- return( 0 );
-
- memcpy( msg_pre, ssl->out_msg, len_pre );
-
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
- ssl->out_msglen ) );
-
- MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload",
- ssl->out_msg, ssl->out_msglen );
-
- ssl->transform_out->ctx_deflate.next_in = msg_pre;
- ssl->transform_out->ctx_deflate.avail_in = len_pre;
- ssl->transform_out->ctx_deflate.next_out = msg_post;
- ssl->transform_out->ctx_deflate.avail_out = out_buf_len - bytes_written;
-
- ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
- if( ret != Z_OK )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
- return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
- }
-
- ssl->out_msglen = out_buf_len -
- ssl->transform_out->ctx_deflate.avail_out - bytes_written;
-
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
- ssl->out_msglen ) );
-
- MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload",
- ssl->out_msg, ssl->out_msglen );
-
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
-
- return( 0 );
-}
-
-static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *msg_post = ssl->in_msg;
- ptrdiff_t header_bytes = ssl->in_msg - ssl->in_buf;
- size_t len_pre = ssl->in_msglen;
- unsigned char *msg_pre = ssl->compress_buf;
-#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
- size_t in_buf_len = ssl->in_buf_len;
-#else
- size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
-#endif
-
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
-
- if( len_pre == 0 )
- return( 0 );
-
- memcpy( msg_pre, ssl->in_msg, len_pre );
-
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
- ssl->in_msglen ) );
-
- MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload",
- ssl->in_msg, ssl->in_msglen );
-
- ssl->transform_in->ctx_inflate.next_in = msg_pre;
- ssl->transform_in->ctx_inflate.avail_in = len_pre;
- ssl->transform_in->ctx_inflate.next_out = msg_post;
- ssl->transform_in->ctx_inflate.avail_out = in_buf_len - header_bytes;
-
- ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
- if( ret != Z_OK )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
- return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
- }
-
- ssl->in_msglen = in_buf_len -
- ssl->transform_in->ctx_inflate.avail_out - header_bytes;
-
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
- ssl->in_msglen ) );
-
- MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload",
- ssl->in_msg, ssl->in_msglen );
-
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
-
- return( 0 );
-}
-#endif /* MBEDTLS_ZLIB_SUPPORT */
-
/*
* Fill the input message buffer by appending data to it.
* The amount of data already fetched is in ssl->in_left.
@@ -2693,20 +2584,6 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
-#if defined(MBEDTLS_ZLIB_SUPPORT)
- if( ssl->transform_out != NULL &&
- ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
- {
- if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
- {
- MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
- return( ret );
- }
-
- len = ssl->out_msglen;
- }
-#endif /*MBEDTLS_ZLIB_SUPPORT */
-
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
if( mbedtls_ssl_hw_record_write != NULL )
{
@@ -4745,26 +4622,6 @@
ssl->in_len[0] = (unsigned char)( rec.data_len >> 8 );
ssl->in_len[1] = (unsigned char)( rec.data_len );
-#if defined(MBEDTLS_ZLIB_SUPPORT)
- if( ssl->transform_in != NULL &&
- ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
- {
- if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
- {
- MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
- return( ret );
- }
-
- /* Check actual (decompress) record content length against
- * configured maximum. */
- if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
- return( MBEDTLS_ERR_SSL_INVALID_RECORD );
- }
- }
-#endif /* MBEDTLS_ZLIB_SUPPORT */
-
return( 0 );
}
@@ -5221,11 +5078,6 @@
if( transform == NULL )
return( (int) out_hdr_len );
-#if defined(MBEDTLS_ZLIB_SUPPORT)
- if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
- return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
-#endif
-
switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
{
case MBEDTLS_MODE_GCM:
@@ -5789,11 +5641,6 @@
if( transform == NULL )
return;
-#if defined(MBEDTLS_ZLIB_SUPPORT)
- deflateEnd( &transform->ctx_deflate );
- inflateEnd( &transform->ctx_inflate );
-#endif
-
mbedtls_cipher_free( &transform->cipher_ctx_enc );
mbedtls_cipher_free( &transform->cipher_ctx_dec );
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index c45f721..4510e5f 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -1575,17 +1575,6 @@
buf + comp_offset + 1, comp_len );
ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
-#if defined(MBEDTLS_ZLIB_SUPPORT)
- for( i = 0; i < comp_len; ++i )
- {
- if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE )
- {
- ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
- break;
- }
- }
-#endif
-
/* See comments in ssl_write_client_hello() */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 432f480..1e9a141 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -813,9 +813,6 @@
int trunc_hmac,
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
-#if defined(MBEDTLS_ZLIB_SUPPORT)
- int compression,
-#endif
ssl_tls_prf_t tls_prf,
const unsigned char randbytes[64],
int minor_ver,
@@ -1300,26 +1297,6 @@
#endif /* MBEDTLS_CIPHER_MODE_CBC */
- /* Initialize Zlib contexts */
-#if defined(MBEDTLS_ZLIB_SUPPORT)
- if( compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
- {
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
-
- memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
- memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
-
- if( deflateInit( &transform->ctx_deflate,
- Z_DEFAULT_COMPRESSION ) != Z_OK ||
- inflateInit( &transform->ctx_inflate ) != Z_OK )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
- ret = MBEDTLS_ERR_SSL_COMPRESSION_FAILED;
- goto end;
- }
- }
-#endif /* MBEDTLS_ZLIB_SUPPORT */
-
end:
mbedtls_platform_zeroize( keyblk, sizeof( keyblk ) );
return( ret );
@@ -1572,9 +1549,6 @@
ssl->session_negotiate->trunc_hmac,
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
-#if defined(MBEDTLS_ZLIB_SUPPORT)
- ssl->session_negotiate->compression,
-#endif
ssl->handshake->tls_prf,
ssl->handshake->randbytes,
ssl->minor_ver,
@@ -1590,22 +1564,6 @@
mbedtls_platform_zeroize( ssl->handshake->randbytes,
sizeof( ssl->handshake->randbytes ) );
- /* Allocate compression buffer */
-#if defined(MBEDTLS_ZLIB_SUPPORT)
- if( ssl->session_negotiate->compression == MBEDTLS_SSL_COMPRESS_DEFLATE &&
- ssl->compress_buf == NULL )
- {
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
- ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
- if( ssl->compress_buf == NULL )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
- MBEDTLS_SSL_COMPRESS_BUFFER_LEN ) );
- return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
- }
- }
-#endif
-
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
return( 0 );
@@ -6288,9 +6246,6 @@
ssl->session->trunc_hmac,
#endif
#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
-#if defined(MBEDTLS_ZLIB_SUPPORT)
- ssl->session->compression,
-#endif
ssl_tls12prf_from_cs( ssl->session->ciphersuite ),
p, /* currently pointing to randbytes */
MBEDTLS_SSL_MINOR_VERSION_3, /* (D)TLS 1.2 is forced */
@@ -6506,14 +6461,6 @@
ssl->in_buf = NULL;
}
-#if defined(MBEDTLS_ZLIB_SUPPORT)
- if( ssl->compress_buf != NULL )
- {
- mbedtls_platform_zeroize( ssl->compress_buf, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
- mbedtls_free( ssl->compress_buf );
- }
-#endif
-
if( ssl->transform )
{
mbedtls_ssl_transform_free( ssl->transform );
diff --git a/library/version_features.c b/library/version_features.c
index 561daf6..ccdadd8 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -597,9 +597,6 @@
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
"MBEDTLS_X509_RSASSA_PSS_SUPPORT",
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
-#if defined(MBEDTLS_ZLIB_SUPPORT)
- "MBEDTLS_ZLIB_SUPPORT",
-#endif /* MBEDTLS_ZLIB_SUPPORT */
#if defined(MBEDTLS_AESNI_C)
"MBEDTLS_AESNI_C",
#endif /* MBEDTLS_AESNI_C */