Add zlib oneshot compression #19603
ssl/ssl_cert_comp.c
Outdated
break; | ||
case TLSEXT_comp_cert_zstd: | ||
method = COMP_zstd_oneshot(); | ||
break; | ||
default: | ||
fprintf(stderr, "COMP ERROR LINE=%d\n", __LINE__); |
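Review bot: the `default:` branch reports an unhandled value with `fprintf(stderr, "COMP ERROR LINE=%d\n", __LINE__);`, which writes to the host application's stderr from inside libssl and leaves nothing on the error queue for the caller to inspect. Drop the fprintf and raise the failure with ERR_raise_data() (or the trace API if the line is only diagnostic), so the unsupported-algorithm case is reported the same way as other libssl errors.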
`__LINE__` is not used in many places in OpenSSL. I can see there is an OPENSSL_LINE in macros.h.
@tmshort fprintf to stderr is not a good idea for error reporting in libssl. Either use trace api if this is rather tracing thing or ERR_raise_data.
This was my debugging that I missed! It should not be there.
Hmm... at least some of these calls actually make sense to be converted into ERR_raise_data().
That is fair, the default condition here, and some of the error cases could lead to ERR_raise_data().
if (compress(out, &out_size, in, ilen) != Z_OK) | ||
return -1; | ||
|
||
if (out_size > OSSL_SSIZE_MAX) |
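Review bot: at `if (out_size > OSSL_SSIZE_MAX)` the bound is tested only after compress() has already written to `out`, so it guards the later conversion of `out_size` rather than the buffer itself; a one-line comment saying so would answer the question a reader is likely to ask here. The call also hands `&out_size` and `ilen` straight to zlib, whose compress() takes `uLongf *` and `uLong`, so if these variables are declared as size_t it is worth range-checking `ilen` before the call on platforms where size_t is wider than unsigned long.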
Does this imply a memory trash if it got here?
This check is here to make sure that the cast on the following line is safe.
Approved if CI passes.
Hopefully the added bound checks won't trigger Coverity. If so we can fix that later though.
24 hours has passed since 'approval: done' was set, but this PR has failing CI tests. Once the tests pass it will get moved to 'approval: ready to merge' automatically, alternatively please review and set the label manually.
One of the tests is still pending after 24+ ?
As far as I can tell, looking at buildbot, there have never been any completed
Merged to master branch. Thank you for your contribution.
Appears to have. The failure can only occur if sizeof(size_t) > sizeof(unsigned long), which corresponds to an LLP64 system (Windows 64-bit systems with VC++ or MinGW). I can either create a Coverity exception, or do a
I've dismissed the Coverity entries. IMO not worth fixing at all but if you want to submit a PR that silences Coverity in one way or another I'd approve it.
Fixes openssl#19520
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#19603)
Fixes #19520
The existing stream-based ZLIB compression does not close out the stream properly. This is incompatible with RFC1950.
Add a one-shot ZLIB compression method (as used with Brotli and Zstd) to do certificate compression.
This was found by tlsfuzzer.
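The interoperability problem described above can be reproduced with Python's standard `zlib` module. This is an added illustration, not code from OpenSSL or from this PR; it assumes the unterminated stream looks like sync-flushed output that is never finished, and the sample input and all function names are constructed for the example.

```python
import zlib

# Constructed input standing in for a DER certificate (not real data).
SAMPLE = b"\x30\x82\x04\xb0" + b"constructed-certificate-bytes " * 40


def oneshot(data: bytes) -> bytes:
    """Complete RFC 1950 stream: header, final deflate block, Adler-32."""
    return zlib.compress(data)


def unterminated_stream(data: bytes) -> bytes:
    """Assumed model of the bug: sync-flushed output, stream never finished."""
    c = zlib.compressobj()
    return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)


def oneshot_peer_accepts(blob: bytes) -> bool:
    """What a peer that decompresses in one shot sees."""
    try:
        zlib.decompress(blob)
        return True
    except zlib.error:
        return False


def check_stream(blob: bytes, expected_len: int, max_len: int = 1 << 24):
    """Receiver-side validation against a declared uncompressed length."""
    if expected_len > max_len:
        return False, "declared length exceeds limit"
    d = zlib.decompressobj()
    try:
        # Request one byte more than declared: oversize output becomes
        # visible and inflation is never unbounded.
        out = d.decompress(blob, expected_len + 1)
    except zlib.error as exc:
        return False, f"zlib error: {exc}"
    if len(out) != expected_len:
        return False, "length mismatch"
    if not d.eof:
        return False, "stream not terminated"
    if d.unused_data:
        return False, "trailing bytes after stream"
    return True, "ok"
```

The unterminated stream inflates to the full plaintext, so only the end-of-stream check (final block plus Adler-32 trailer) distinguishes it from a valid one.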