Remove uses of SSL compression

Remove or modify current uses of session compression.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
This commit is contained in:
Thomas Daubney 2022-06-20 15:12:19 +01:00
parent e579ece305
commit 20f89a9605
5 changed files with 11 additions and 27 deletions

View file

@ -1159,7 +1159,6 @@ struct mbedtls_ssl_session
mbedtls_time_t MBEDTLS_PRIVATE(start); /*!< starting time */ mbedtls_time_t MBEDTLS_PRIVATE(start); /*!< starting time */
#endif #endif
int MBEDTLS_PRIVATE(ciphersuite); /*!< chosen ciphersuite */ int MBEDTLS_PRIVATE(ciphersuite); /*!< chosen ciphersuite */
int MBEDTLS_PRIVATE(compression); /*!< chosen compression */
size_t MBEDTLS_PRIVATE(id_len); /*!< session id length */ size_t MBEDTLS_PRIVATE(id_len); /*!< session id length */
unsigned char MBEDTLS_PRIVATE(id)[32]; /*!< session identifier */ unsigned char MBEDTLS_PRIVATE(id)[32]; /*!< session identifier */
unsigned char MBEDTLS_PRIVATE(master)[48]; /*!< the master secret */ unsigned char MBEDTLS_PRIVATE(master)[48]; /*!< the master secret */

View file

@ -8046,7 +8046,6 @@ static size_t ssl_tls12_session_save( const mbedtls_ssl_session *session,
* Basic mandatory fields * Basic mandatory fields
*/ */
used += 2 /* ciphersuite */ used += 2 /* ciphersuite */
+ 1 /* compression */
+ 1 /* id_len */ + 1 /* id_len */
+ sizeof( session->id ) + sizeof( session->id )
+ sizeof( session->master ) + sizeof( session->master )
@ -8057,8 +8056,6 @@ static size_t ssl_tls12_session_save( const mbedtls_ssl_session *session,
MBEDTLS_PUT_UINT16_BE( session->ciphersuite, p, 0 ); MBEDTLS_PUT_UINT16_BE( session->ciphersuite, p, 0 );
p += 2; p += 2;
*p++ = MBEDTLS_BYTE_0( session->compression );
*p++ = MBEDTLS_BYTE_0( session->id_len ); *p++ = MBEDTLS_BYTE_0( session->id_len );
memcpy( p, session->id, 32 ); memcpy( p, session->id, 32 );
p += 32; p += 32;
@ -8202,14 +8199,12 @@ static int ssl_tls12_session_load( mbedtls_ssl_session *session,
/* /*
* Basic mandatory fields * Basic mandatory fields
*/ */
if( 2 + 1 + 1 + 32 + 48 + 4 > (size_t)( end - p ) ) if( 2 + 1 + 32 + 48 + 4 > (size_t)( end - p ) )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
session->ciphersuite = ( p[0] << 8 ) | p[1]; session->ciphersuite = ( p[0] << 8 ) | p[1];
p += 2; p += 2;
session->compression = *p++;
session->id_len = *p++; session->id_len = *p++;
memcpy( session->id, p, 32 ); memcpy( session->id, p, 32 );
p += 32; p += 32;

View file

@ -1413,7 +1413,6 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
#endif #endif
ssl->session_negotiate->ciphersuite != i || ssl->session_negotiate->ciphersuite != i ||
ssl->session_negotiate->compression != comp ||
ssl->session_negotiate->id_len != n || ssl->session_negotiate->id_len != n ||
memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 ) memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
{ {
@ -1423,7 +1422,6 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
ssl->session_negotiate->start = mbedtls_time( NULL ); ssl->session_negotiate->start = mbedtls_time( NULL );
#endif #endif
ssl->session_negotiate->ciphersuite = i; ssl->session_negotiate->ciphersuite = i;
ssl->session_negotiate->compression = comp;
ssl->session_negotiate->id_len = n; ssl->session_negotiate->id_len = n;
memcpy( ssl->session_negotiate->id, buf + 35, n ); memcpy( ssl->session_negotiate->id, buf + 35, n );
} }
@ -1486,8 +1484,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
} }
#endif #endif
if( comp != MBEDTLS_SSL_COMPRESS_NULL if( comp != MBEDTLS_SSL_COMPRESS_NULL )
)
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
mbedtls_ssl_send_alert_message( mbedtls_ssl_send_alert_message(
@ -1496,7 +1493,6 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
} }
ssl->session_negotiate->compression = comp;
ext = buf + 40 + n; ext = buf + 40 + n;

View file

@ -1298,7 +1298,10 @@ read_record_header:
buf + ciph_offset + 2, ciph_len ); buf + ciph_offset + 2, ciph_len );
/* /*
* Check the compression algorithms length and pick one * Check the compression algorithm's length.
* The list contents are ignored because implementing
* MBEDTLS_SSL_COMPRESS_NULL is mandatory and is the only
* option supported by Mbed TLS.
*/ */
comp_offset = ciph_offset + 2 + ciph_len; comp_offset = ciph_offset + 2 + ciph_len;
@ -1317,12 +1320,6 @@ read_record_header:
MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression", MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression",
buf + comp_offset + 1, comp_len ); buf + comp_offset + 1, comp_len );
ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
/* See comments in ssl_write_client_hello() */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
#endif
/* /*
* Check the extension length * Check the extension length
*/ */
@ -2180,8 +2177,7 @@ static void ssl_handle_id_based_session_resumption( mbedtls_ssl_context *ssl )
if( ret != 0 ) if( ret != 0 )
goto exit; goto exit;
if( session->ciphersuite != session_tmp.ciphersuite || if( session->ciphersuite != session_tmp.ciphersuite )
session->compression != session_tmp.compression )
{ {
/* Mismatch between cached and negotiated session */ /* Mismatch between cached and negotiated session */
goto exit; goto exit;
@ -2331,12 +2327,12 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
MBEDTLS_PUT_UINT16_BE( ssl->session_negotiate->ciphersuite, p, 0 ); MBEDTLS_PUT_UINT16_BE( ssl->session_negotiate->ciphersuite, p, 0 );
p += 2; p += 2;
*p++ = MBEDTLS_BYTE_0( ssl->session_negotiate->compression ); *p++ = MBEDTLS_BYTE_0( MBEDTLS_SSL_COMPRESS_NULL );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) ); mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X", MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
(unsigned int) ssl->session_negotiate->compression ) ); (unsigned int) MBEDTLS_SSL_COMPRESS_NULL ) );
/* /*
* First write extensions, then the total length * First write extensions, then the total length

View file

@ -1733,7 +1733,6 @@ static int ssl_tls12_populate_session( mbedtls_ssl_session *session,
#endif #endif
session->tls_version = MBEDTLS_SSL_VERSION_TLS1_2; session->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
session->ciphersuite = 0xabcd; session->ciphersuite = 0xabcd;
session->compression = 1;
session->id_len = sizeof( session->id ); session->id_len = sizeof( session->id );
memset( session->id, 66, session->id_len ); memset( session->id, 66, session->id_len );
memset( session->master, 17, sizeof( session->master ) ); memset( session->master, 17, sizeof( session->master ) );
@ -4721,12 +4720,11 @@ void ssl_serialize_session_save_load( int ticket_len, char *crt_file,
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( tls_version == MBEDTLS_SSL_VERSION_TLS1_2 ) if( tls_version == MBEDTLS_SSL_VERSION_TLS1_2 )
{ {
TEST_ASSERT( original.compression == restored.compression );
TEST_ASSERT( original.id_len == restored.id_len ); TEST_ASSERT( original.id_len == restored.id_len );
TEST_ASSERT( memcmp( original.id, TEST_ASSERT( memcmp( original.id,
restored.id, sizeof( original.id ) ) == 0 ); restored.id, sizeof( original.id ) ) == 0 );
TEST_ASSERT( memcmp( original.master, TEST_ASSERT( memcmp( original.master,
restored.master, sizeof( original.master ) ) == 0 ); restored.master, sizeof( original.master ) ) == 0 );
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C)
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)