From 95e04490fa57e1b7d1e4ab8310e58818831fcc43 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 2 Jan 2020 11:45:12 +0100 Subject: [PATCH 1/4] Add all.sh components with ZLIB enabled ZLIB support is deprecated, but until it's removed it should still be tested. --- tests/scripts/all.sh | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index e76b9d422..203012238 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -697,6 +697,31 @@ component_test_full_cmake_gcc_asan () { if_build_succeeded tests/compat.sh } +component_test_zlib_make() { + msg "build: zlib enabled, make" + scripts/config.py set MBEDTLS_ZLIB_SUPPORT + make ZLIB=1 CFLAGS='-Werror -O1' + + msg "test: main suites (zlib, make)" + make test + + msg "test: ssl-opt.sh (zlib, make)" + if_build_succeeded tests/ssl-opt.sh +} + +component_test_zlib_cmake() { + msg "build: zlib enabled, cmake" + scripts/config.py set MBEDTLS_ZLIB_SUPPORT + cmake -D ENABLE_ZLIB_SUPPORT=On -D CMAKE_BUILD_TYPE:String=Check . + make + + msg "test: main suites (zlib, cmake)" + make test + + msg "test: ssl-opt.sh (zlib, cmake)" + if_build_succeeded tests/ssl-opt.sh +} + component_test_ref_configs () { msg "test/build: ref-configs (ASan build)" # ~ 6 min 20s CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . From 342d2ca9ab2e88a0169b724112403b6c3a495826 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 2 Jan 2020 11:58:00 +0100 Subject: [PATCH 2/4] Add test for record compression in ssl-opt.sh Deprecated but still needs to be tested. --- tests/ssl-opt.sh | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index afaae69d8..3d0ca876b 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -996,6 +996,18 @@ run_test "Default, DTLS" \ -s "Protocol is DTLSv1.2" \ -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" +requires_config_enabled MBEDTLS_ZLIB_SUPPORT +run_test "Default (compression enabled)" \ + "$P_SRV debug_level=3" \ + "$P_CLI debug_level=3" \ + 0 \ + -s "Allocating compression buffer" \ + -c "Allocating compression buffer" \ + -s "Record expansion is unknown (compression)" \ + -c "Record expansion is unknown (compression)" \ + -S "error" \ + -C "error" + requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "CA callback on client" \ "$P_SRV debug_level=3" \ From c40b685837211aa9d66f2a9f15348c1bfbe35055 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 3 Jan 2020 12:18:49 +0100 Subject: [PATCH 3/4] Fix bug in record decompression ssl_decompress_buf() was operating on data from the ssl context, but called at a point where this data is actually in the rec structure. Call it later so that the data is back to the ssl structure. --- library/ssl_tls.c | 34 +++++++++++++++++++++------------- 1 file changed, 21 insertions(+), 13 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 51ae9da3c..4f219a3ad 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5446,7 +5446,7 @@ static int ssl_check_client_reconnect( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */ /* - * If applicable, decrypt (and decompress) record content + * If applicable, decrypt record content */ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl, mbedtls_record *rec ) @@ -5572,18 +5572,6 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl, } -#if defined(MBEDTLS_ZLIB_SUPPORT) - if( ssl->transform_in != NULL && - ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE ) - { - if( ( ret = ssl_decompress_buf( ssl ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret ); - return( ret ); - } - } -#endif /* MBEDTLS_ZLIB_SUPPORT */ - #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { @@ -6469,6 +6457,26 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl ) ssl->in_len[0] = (unsigned char)( rec.data_len >> 8 ); ssl->in_len[1] = (unsigned char)( rec.data_len ); +#if defined(MBEDTLS_ZLIB_SUPPORT) + if( ssl->transform_in != NULL && + ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE ) + { + if( ( ret = ssl_decompress_buf( ssl ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret ); + return( ret ); + } + + /* Check actual (decompress) record content length against + * configured maximum. */ + if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); + return( MBEDTLS_ERR_SSL_INVALID_RECORD ); + } + } +#endif /* MBEDTLS_ZLIB_SUPPORT */ + return( 0 ); } From f2e2902c5a373c34090026314640d6b72c52e73d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 24 Jan 2020 10:17:20 +0100 Subject: [PATCH 4/4] Add detection for zlib headers to all.sh --- tests/scripts/all.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 203012238..1ad11ffb5 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -708,6 +708,17 @@ component_test_zlib_make() { msg "test: ssl-opt.sh (zlib, make)" if_build_succeeded tests/ssl-opt.sh } +support_test_zlib_make () { + base=support_test_zlib_$$ + cat <<'EOF' > ${base}.c +#include "zlib.h" +int main(void) { return 0; } +EOF + gcc -o ${base}.exe ${base}.c -lz 2>/dev/null + ret=$? + rm -f ${base}.* + return $ret +} component_test_zlib_cmake() { msg "build: zlib enabled, cmake" @@ -721,6 +732,9 @@ component_test_zlib_cmake() { msg "test: ssl-opt.sh (zlib, cmake)" if_build_succeeded tests/ssl-opt.sh } +support_test_zlib_cmake () { + support_test_zlib_make "$@" +} component_test_ref_configs () { msg "test/build: ref-configs (ASan build)" # ~ 6 min 20s