/src/gnutls/lib/ext/compress_certificate.c

Source (jump to first uncovered line)
/*
 * Copyright (C) 2022 Red Hat, Inc.
 *
 * Author: Zoltan Fridrich
 *
 * This file is part of GnuTLS.
 *
 * The GnuTLS is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License
 * as published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>
 *
 */

#include "errors.h"
#include "gnutls_int.h"
#include "hello_ext_lib.h"
#include "num.h"
#include "ext/compress_certificate.h"

/* Check whether certificate compression method is valid, ie. supported by gnutls
 */
static inline int is_valid_method(gnutls_compression_method_t method)
{
  switch (method) {
#ifdef HAVE_LIBZ
  case GNUTLS_COMP_ZLIB:
    return 1;
#endif
#ifdef HAVE_LIBBROTLI
  case GNUTLS_COMP_BROTLI:
    return 1;
#endif
#ifdef HAVE_LIBZSTD
  case GNUTLS_COMP_ZSTD:
    return 1;
#endif
  default:
    return 0;
  }
}

/* Converts compression algorithm number established in RFC8879 to internal compression method type
 */
gnutls_compression_method_t
_gnutls_compress_certificate_num2method(uint16_t num)
{
  switch (num) {
  case 1:
    return GNUTLS_COMP_ZLIB;
  case 2:
    return GNUTLS_COMP_BROTLI;
  case 3:
    return GNUTLS_COMP_ZSTD;
  default:
    return GNUTLS_COMP_UNKNOWN;
  }
}

/* Converts compression method type to compression algorithm number established in RFC8879
 */
int _gnutls_compress_certificate_method2num(gnutls_compression_method_t method)
{
  switch (method) {
  case GNUTLS_COMP_ZLIB:
    return 1;
  case GNUTLS_COMP_BROTLI:
    return 2;
  case GNUTLS_COMP_ZSTD:
    return 3;
  default:
    return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
  }
}

/* Returns 1 if the method is set as supported compression method for the session,
 * returns 0 otherwise
 */
bool _gnutls_compress_certificate_is_method_enabled(
  gnutls_session_t session, gnutls_compression_method_t method)
{
  int ret;
  unsigned i;
  compress_certificate_ext_st *priv;
  gnutls_ext_priv_data_t epriv;

  ret = _gnutls_hello_ext_get_priv(
    session, GNUTLS_EXTENSION_COMPRESS_CERTIFICATE, &epriv);
  if (ret < 0)
    return false;
  priv = epriv;

  for (i = 0; i < priv->methods_len; ++i)
    if (priv->methods[i] == method)
      return true;

  return false;
}

/**
 * gnutls_compress_certificate_get_selected_method:
 * @session: is a #gnutls_session_t type.
 *
 * This function returns the certificate compression method that has been
 * selected to compress the certificate before sending it to the peer.
 * The selection is done based on the local list of supported compression
 * methods and the peer's requested compression methods.
 *
 * Returns: selected certificate compression method.
 *
 * Since 3.7.4
 **/
gnutls_compression_method_t
gnutls_compress_certificate_get_selected_method(gnutls_session_t session)
{
  return session->internals.compress_certificate_method;
}

/**
 * gnutls_compress_certificate_set_methods:
 * @session: is a #gnutls_session_t type.
 * @methods: is a list of supported compression methods.
 * @methods_len: number of compression methods in @methods
 *
 * This function sets the supported compression methods for certificate compression
 * for the given session. The list of supported compression methods will be used
 * for a) requesting the compression of peer's certificate and b) selecting the
 * method to compress the local certificate before sending it to the peer.
 * The order of compression methods inside the list does matter as the method
 * that appears earlier in the list will be preferred before the later ones.
 * Note that even if you set the list of supported compression methods, the
 * compression might not be used if the peer does not support any of your chosen
 * compression methods.
 *
 * The list of supported compression methods must meet the following criteria:
 * Argument @methods must be an array of valid compression methods of type
 * #gnutls_compression_method_t. Argument @methods_len must contain the number of
 * compression methods stored in the @methods array and must be within range <1, 127>.
 * The length constraints are defined by %MIN_COMPRESS_CERTIFICATE_METHODS
 * and %MAX_COMPRESS_CERTIFICATE_METHODS macros located in the header file
 * compress_certificate.h.
 *
 * If either @methods or @methods_len is equal to 0, current list of supported
 * compression methods will be unset.
 *
 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
 *
 * Since 3.7.4
 **/
int gnutls_compress_certificate_set_methods(
  gnutls_session_t session, const gnutls_compression_method_t *methods,
  size_t methods_len)
{
  unsigned i;
  compress_certificate_ext_st *priv;

  if (methods == NULL || methods_len == 0) {
    _gnutls_hello_ext_unset_priv(
      session, GNUTLS_EXTENSION_COMPRESS_CERTIFICATE);
    return 0;
  }

  if (methods_len > MAX_COMPRESS_CERTIFICATE_METHODS)
    return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

  for (i = 0; i < methods_len; ++i)
    if (!is_valid_method(methods[i]))
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

  priv = gnutls_malloc(sizeof(*priv));
  if (priv == NULL)
    return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);

  priv->methods_len = methods_len;
  memcpy(priv->methods, methods, methods_len * sizeof(*methods));
  _gnutls_hello_ext_set_priv(session,
           GNUTLS_EXTENSION_COMPRESS_CERTIFICATE, priv);

  return 0;
}

int _gnutls_compress_certificate_recv_params(gnutls_session_t session,
               const uint8_t *data,
               size_t data_size)
{
  int ret;
  unsigned i, j;
  uint16_t num;
  uint8_t bytes_len;
  size_t methods_len;
  gnutls_compression_method_t methods[MAX_COMPRESS_CERTIFICATE_METHODS];
  gnutls_compression_method_t method;
  compress_certificate_ext_st *priv;
  gnutls_ext_priv_data_t epriv;

  ret = _gnutls_hello_ext_get_priv(
    session, GNUTLS_EXTENSION_COMPRESS_CERTIFICATE, &epriv);
  if (ret < 0)
    return 0;
  priv = epriv;

  DECR_LEN(data_size, 1);
  bytes_len = *data;

  if (bytes_len < 2 || bytes_len > 254 || bytes_len % 2 == 1)
    return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);

  DECR_LEN(data_size, bytes_len);

  methods_len = 0;
  for (i = 0; i < bytes_len / 2; ++i) {
    num = _gnutls_read_uint16(data + i + i + 1);
    method = _gnutls_compress_certificate_num2method(num);
    if (method != GNUTLS_COMP_UNKNOWN)
      methods[methods_len++] = method;
  }

  method = GNUTLS_COMP_UNKNOWN;
  for (i = 0; i < methods_len; ++i)
    for (j = 0; j < priv->methods_len; ++j)
      if (methods[i] == priv->methods[j]) {
        method = methods[i];
        goto endloop;
      }
endloop:
  session->internals.compress_certificate_method = method;

  return 0;
}

int _gnutls_compress_certificate_send_params(gnutls_session_t session,
               gnutls_buffer_st *data)
{
  int ret, num;
  unsigned i;
  uint8_t bytes_len;
  uint8_t bytes[2 * MAX_COMPRESS_CERTIFICATE_METHODS];
  compress_certificate_ext_st *priv;
  gnutls_ext_priv_data_t epriv;

  ret = _gnutls_hello_ext_get_priv(
    session, GNUTLS_EXTENSION_COMPRESS_CERTIFICATE, &epriv);
  if (ret < 0)
    return 0;
  priv = epriv;

  bytes_len = 2 * priv->methods_len;
  for (i = 0; i < priv->methods_len; ++i) {
    num = _gnutls_compress_certificate_method2num(priv->methods[i]);
    _gnutls_write_uint16(num, bytes + i + i);
  }

  ret = _gnutls_buffer_append_data_prefix(data, 8, bytes, bytes_len);
  if (ret < 0)
    return gnutls_assert_val(ret);

  session->internals.hsk_flags |= HSK_COMP_CRT_REQ_SENT;

  return bytes_len + 1;
}

const hello_ext_entry_st ext_mod_compress_certificate = {
  .name = "Compress Certificate",
  .tls_id = 27,
  .gid = GNUTLS_EXTENSION_COMPRESS_CERTIFICATE,
  .client_parse_point = GNUTLS_EXT_TLS,
  .server_parse_point = GNUTLS_EXT_TLS,
  .validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_DTLS |
        GNUTLS_EXT_FLAG_CLIENT_HELLO,
  .recv_func = _gnutls_compress_certificate_recv_params,
  .send_func = _gnutls_compress_certificate_send_params,
  .deinit_func = _gnutls_hello_ext_default_deinit
};

Coverage Report

Created: 2024-06-20 06:28

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright (C) 2022 Red Hat, Inc.
3		*
4		* Author: Zoltan Fridrich
5		*
6		* This file is part of GnuTLS.
7		*
8		* The GnuTLS is free software; you can redistribute it and/or
9		* modify it under the terms of the GNU Lesser General Public License
10		* as published by the Free Software Foundation; either version 2.1 of
11		* the License, or (at your option) any later version.
12		*
13		* This library is distributed in the hope that it will be useful, but
14		* WITHOUT ANY WARRANTY; without even the implied warranty of
15		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16		* Lesser General Public License for more details.
17		*
18		* You should have received a copy of the GNU Lesser General Public License
19		* along with this program. If not, see <https://www.gnu.org/licenses/>
20		*
21		*/
22
23		#include "errors.h"
24		#include "gnutls_int.h"
25		#include "hello_ext_lib.h"
26		#include "num.h"
27		#include "ext/compress_certificate.h"
28
29		/* Check whether certificate compression method is valid, ie. supported by gnutls
30		*/
31		static inline int is_valid_method(gnutls_compression_method_t method)
32	0	{
33	0	switch (method) {
34		#ifdef HAVE_LIBZ
35		case GNUTLS_COMP_ZLIB:
36		return 1;
37		#endif
38		#ifdef HAVE_LIBBROTLI
39		case GNUTLS_COMP_BROTLI:
40		return 1;
41		#endif
42		#ifdef HAVE_LIBZSTD
43		case GNUTLS_COMP_ZSTD:
44		return 1;
45		#endif
46	0	default:
47	0	return 0;
48	0	}
49	0	}
50
51		/* Converts compression algorithm number established in RFC8879 to internal compression method type
52		*/
53		gnutls_compression_method_t
54		_gnutls_compress_certificate_num2method(uint16_t num)
55	0	{
56	0	switch (num) {
57	0	case 1:
58	0	return GNUTLS_COMP_ZLIB;
59	0	case 2:
60	0	return GNUTLS_COMP_BROTLI;
61	0	case 3:
62	0	return GNUTLS_COMP_ZSTD;
63	0	default:
64	0	return GNUTLS_COMP_UNKNOWN;
65	0	}
66	0	}
67
68		/* Converts compression method type to compression algorithm number established in RFC8879
69		*/
70		int _gnutls_compress_certificate_method2num(gnutls_compression_method_t method)
71	0	{
72	0	switch (method) {
73	0	case GNUTLS_COMP_ZLIB:
74	0	return 1;
75	0	case GNUTLS_COMP_BROTLI:
76	0	return 2;
77	0	case GNUTLS_COMP_ZSTD:
78	0	return 3;
79	0	default:
80	0	return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
81	0	}
82	0	}
83
84		/* Returns 1 if the method is set as supported compression method for the session,
85		* returns 0 otherwise
86		*/
87		bool _gnutls_compress_certificate_is_method_enabled(
88		gnutls_session_t session, gnutls_compression_method_t method)
89	0	{
90	0	int ret;
91	0	unsigned i;
92	0	compress_certificate_ext_st *priv;
93	0	gnutls_ext_priv_data_t epriv;
94
95	0	ret = _gnutls_hello_ext_get_priv(
96	0	session, GNUTLS_EXTENSION_COMPRESS_CERTIFICATE, &epriv);
97	0	if (ret < 0)
98	0	return false;
99	0	priv = epriv;
100
101	0	for (i = 0; i < priv->methods_len; ++i)
102	0	if (priv->methods[i] == method)
103	0	return true;
104
105	0	return false;
106	0	}
107
108		/**
109		* gnutls_compress_certificate_get_selected_method:
110		* @session: is a #gnutls_session_t type.
111		*
112		* This function returns the certificate compression method that has been
113		* selected to compress the certificate before sending it to the peer.
114		* The selection is done based on the local list of supported compression
115		* methods and the peer's requested compression methods.
116		*
117		* Returns: selected certificate compression method.
118		*
119		* Since 3.7.4
120		**/
121		gnutls_compression_method_t
122		gnutls_compress_certificate_get_selected_method(gnutls_session_t session)
123	0	{
124	0	return session->internals.compress_certificate_method;
125	0	}
126
127		/**
128		* gnutls_compress_certificate_set_methods:
129		* @session: is a #gnutls_session_t type.
130		* @methods: is a list of supported compression methods.
131		* @methods_len: number of compression methods in @methods
132		*
133		* This function sets the supported compression methods for certificate compression
134		* for the given session. The list of supported compression methods will be used
135		* for a) requesting the compression of peer's certificate and b) selecting the
136		* method to compress the local certificate before sending it to the peer.
137		* The order of compression methods inside the list does matter as the method
138		* that appears earlier in the list will be preferred before the later ones.
139		* Note that even if you set the list of supported compression methods, the
140		* compression might not be used if the peer does not support any of your chosen
141		* compression methods.
142		*
143		* The list of supported compression methods must meet the following criteria:
144		* Argument @methods must be an array of valid compression methods of type
145		* #gnutls_compression_method_t. Argument @methods_len must contain the number of
146		* compression methods stored in the @methods array and must be within range <1, 127>.
147		* The length constraints are defined by %MIN_COMPRESS_CERTIFICATE_METHODS
148		* and %MAX_COMPRESS_CERTIFICATE_METHODS macros located in the header file
149		* compress_certificate.h.
150		*
151		* If either @methods or @methods_len is equal to 0, current list of supported
152		* compression methods will be unset.
153		*
154		* Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
155		*
156		* Since 3.7.4
157		**/
158		int gnutls_compress_certificate_set_methods(
159		gnutls_session_t session, const gnutls_compression_method_t *methods,
160		size_t methods_len)
161	0	{
162	0	unsigned i;
163	0	compress_certificate_ext_st *priv;
164
165	0	if (methods == NULL \|\| methods_len == 0) {
166	0	_gnutls_hello_ext_unset_priv(
167	0	session, GNUTLS_EXTENSION_COMPRESS_CERTIFICATE);
168	0	return 0;
169	0	}
170
171	0	if (methods_len > MAX_COMPRESS_CERTIFICATE_METHODS)
172	0	return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
173
174	0	for (i = 0; i < methods_len; ++i)
175	0	if (!is_valid_method(methods[i]))
176	0	return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
177
178	0	priv = gnutls_malloc(sizeof(*priv));
179	0	if (priv == NULL)
180	0	return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
181
182	0	priv->methods_len = methods_len;
183	0	memcpy(priv->methods, methods, methods_len * sizeof(*methods));
184	0	_gnutls_hello_ext_set_priv(session,
185	0	GNUTLS_EXTENSION_COMPRESS_CERTIFICATE, priv);
186
187	0	return 0;
188	0	}
189
190		int _gnutls_compress_certificate_recv_params(gnutls_session_t session,
191		const uint8_t *data,
192		size_t data_size)
193	0	{
194	0	int ret;
195	0	unsigned i, j;
196	0	uint16_t num;
197	0	uint8_t bytes_len;
198	0	size_t methods_len;
199	0	gnutls_compression_method_t methods[MAX_COMPRESS_CERTIFICATE_METHODS];
200	0	gnutls_compression_method_t method;
201	0	compress_certificate_ext_st *priv;
202	0	gnutls_ext_priv_data_t epriv;
203
204	0	ret = _gnutls_hello_ext_get_priv(
205	0	session, GNUTLS_EXTENSION_COMPRESS_CERTIFICATE, &epriv);
206	0	if (ret < 0)
207	0	return 0;
208	0	priv = epriv;
209
210	0	DECR_LEN(data_size, 1);
211	0	bytes_len = *data;
212
213	0	if (bytes_len < 2 \|\| bytes_len > 254 \|\| bytes_len % 2 == 1)
214	0	return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
215
216	0	DECR_LEN(data_size, bytes_len);
217
218	0	methods_len = 0;
219	0	for (i = 0; i < bytes_len / 2; ++i) {
220	0	num = _gnutls_read_uint16(data + i + i + 1);
221	0	method = _gnutls_compress_certificate_num2method(num);
222	0	if (method != GNUTLS_COMP_UNKNOWN)
223	0	methods[methods_len++] = method;
224	0	}
225
226	0	method = GNUTLS_COMP_UNKNOWN;
227	0	for (i = 0; i < methods_len; ++i)
228	0	for (j = 0; j < priv->methods_len; ++j)
229	0	if (methods[i] == priv->methods[j]) {
230	0	method = methods[i];
231	0	goto endloop;
232	0	}
233	0	endloop:
234	0	session->internals.compress_certificate_method = method;
235
236	0	return 0;
237	0	}
238
239		int _gnutls_compress_certificate_send_params(gnutls_session_t session,
240		gnutls_buffer_st *data)
241	0	{
242	0	int ret, num;
243	0	unsigned i;
244	0	uint8_t bytes_len;
245	0	uint8_t bytes[2 * MAX_COMPRESS_CERTIFICATE_METHODS];
246	0	compress_certificate_ext_st *priv;
247	0	gnutls_ext_priv_data_t epriv;
248
249	0	ret = _gnutls_hello_ext_get_priv(
250	0	session, GNUTLS_EXTENSION_COMPRESS_CERTIFICATE, &epriv);
251	0	if (ret < 0)
252	0	return 0;
253	0	priv = epriv;
254
255	0	bytes_len = 2 * priv->methods_len;
256	0	for (i = 0; i < priv->methods_len; ++i) {
257	0	num = _gnutls_compress_certificate_method2num(priv->methods[i]);
258	0	_gnutls_write_uint16(num, bytes + i + i);
259	0	}
260
261	0	ret = _gnutls_buffer_append_data_prefix(data, 8, bytes, bytes_len);
262	0	if (ret < 0)
263	0	return gnutls_assert_val(ret);
264
265	0	session->internals.hsk_flags \|= HSK_COMP_CRT_REQ_SENT;
266
267	0	return bytes_len + 1;
268	0	}
269
270		const hello_ext_entry_st ext_mod_compress_certificate = {
271		.name = "Compress Certificate",
272		.tls_id = 27,
273		.gid = GNUTLS_EXTENSION_COMPRESS_CERTIFICATE,
274		.client_parse_point = GNUTLS_EXT_TLS,
275		.server_parse_point = GNUTLS_EXT_TLS,
276		.validity = GNUTLS_EXT_FLAG_TLS \| GNUTLS_EXT_FLAG_DTLS \|
277		GNUTLS_EXT_FLAG_CLIENT_HELLO,
278		.recv_func = _gnutls_compress_certificate_recv_params,
279		.send_func = _gnutls_compress_certificate_send_params,
280		.deinit_func = _gnutls_hello_ext_default_deinit
281		};