1 /* Copyright (c) 2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2016, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
8 * \brief A simple in-memory gzip implementation.
19 #ifdef HAVE_NETINET_IN_H
20 #include <netinet/in.h>
27 /* zlib 1.2.4 and 1.2.5 do some "clever" things with macros. Instead of
28 saying "(defined(FOO) ? FOO : 0)" they like to say "FOO-0", on the theory
29 that nobody will care if the compile outputs a no-such-identifier warning.
31 Sorry, but we like -Werror over here, so I guess we need to define these.
32 I hope that zlib 1.2.6 doesn't break these too.
34 #ifndef _LARGEFILE64_SOURCE
35 #define _LARGEFILE64_SOURCE 0
37 #ifndef _LFS64_LARGEFILE
38 #define _LFS64_LARGEFILE 0
40 #ifndef _FILE_OFFSET_BITS
41 #define _FILE_OFFSET_BITS 0
44 #define off64_t int64_t
49 #if defined ZLIB_VERNUM && ZLIB_VERNUM < 0x1200
50 #error "We require zlib version 1.2 or later."
53 static size_t tor_zlib_state_size_precalc(int inflate
,
54 int windowbits
, int memlevel
);
56 /** Total number of bytes allocated for zlib state */
57 static size_t total_zlib_allocation
= 0;
59 /** Return a string representation of the version of the currently running
62 tor_zlib_get_version_str(void)
67 /** Return a string representation of the version of the version of zlib
68 * used at compilation. */
70 tor_zlib_get_header_version_str(void)
75 /** Return the 'bits' value to tell zlib to use <b>method</b>.*/
77 method_bits(compress_method_t method
, zlib_compression_level_t level
)
79 /* Bits+16 means "use gzip" in zlib >= 1.2 */
80 const int flag
= method
== GZIP_METHOD
? 16 : 0;
83 case HIGH_COMPRESSION
: return flag
+ 15;
84 case MEDIUM_COMPRESSION
: return flag
+ 13;
85 case LOW_COMPRESSION
: return flag
+ 11;
90 get_memlevel(zlib_compression_level_t level
)
94 case HIGH_COMPRESSION
: return 8;
95 case MEDIUM_COMPRESSION
: return 7;
96 case LOW_COMPRESSION
: return 6;
101 /* These macros define the maximum allowable compression factor. Anything of
102 * size greater than CHECK_FOR_COMPRESSION_BOMB_AFTER is not allowed to
103 * have an uncompression factor (uncompressed size:compressed size ratio) of
104 * any greater than MAX_UNCOMPRESSION_FACTOR.
106 * Picking a value for MAX_UNCOMPRESSION_FACTOR is a trade-off: we want it to
107 * be small to limit the attack multiplier, but we also want it to be large
108 * enough so that no legitimate document --even ones we might invent in the
109 * future -- ever compresses by a factor of greater than
110 * MAX_UNCOMPRESSION_FACTOR. Within those parameters, there's a reasonably
111 * large range of possible values. IMO, anything over 8 is probably safe; IMO
112 * anything under 50 is probably sufficient.
114 #define MAX_UNCOMPRESSION_FACTOR 25
115 #define CHECK_FOR_COMPRESSION_BOMB_AFTER (1024*64)
118 /** Return true if uncompressing an input of size <b>in_size</b> to an input
119 * of size at least <b>size_out</b> looks like a compression bomb. */
121 is_compression_bomb(size_t size_in
, size_t size_out
)
123 if (size_in
== 0 || size_out
< CHECK_FOR_COMPRESSION_BOMB_AFTER
)
126 return (size_out
/ size_in
> MAX_UNCOMPRESSION_FACTOR
);
129 /** Given <b>in_len</b> bytes at <b>in</b>, compress them into a newly
130 * allocated buffer, using the method described in <b>method</b>. Store the
131 * compressed string in *<b>out</b>, and its length in *<b>out_len</b>.
132 * Return 0 on success, -1 on failure.
135 tor_gzip_compress(char **out
, size_t *out_len
,
136 const char *in
, size_t in_len
,
137 compress_method_t method
)
139 struct z_stream_s
*stream
= NULL
;
140 size_t out_size
, old_size
;
146 tor_assert(in_len
< UINT_MAX
);
150 stream
= tor_malloc_zero(sizeof(struct z_stream_s
));
151 stream
->zalloc
= Z_NULL
;
152 stream
->zfree
= Z_NULL
;
153 stream
->opaque
= NULL
;
154 stream
->next_in
= (unsigned char*) in
;
155 stream
->avail_in
= (unsigned int)in_len
;
157 if (deflateInit2(stream
, Z_BEST_COMPRESSION
, Z_DEFLATED
,
158 method_bits(method
, HIGH_COMPRESSION
),
159 get_memlevel(HIGH_COMPRESSION
),
160 Z_DEFAULT_STRATEGY
) != Z_OK
) {
161 //LCOV_EXCL_START -- we can only provoke failure by giving junk arguments.
162 log_warn(LD_GENERAL
, "Error from deflateInit2: %s",
163 stream
->msg
?stream
->msg
:"<no message>");
168 /* Guess 50% compression. */
169 out_size
= in_len
/ 2;
170 if (out_size
< 1024) out_size
= 1024;
171 *out
= tor_malloc(out_size
);
172 stream
->next_out
= (unsigned char*)*out
;
173 stream
->avail_out
= (unsigned int)out_size
;
176 switch (deflate(stream
, Z_FINISH
))
181 /* In case zlib doesn't work as I think .... */
182 if (stream
->avail_out
>= stream
->avail_in
+16)
186 offset
= stream
->next_out
- ((unsigned char*)*out
);
189 if (out_size
< old_size
) {
190 log_warn(LD_GENERAL
, "Size overflow in compression.");
193 *out
= tor_realloc(*out
, out_size
);
194 stream
->next_out
= (unsigned char*)(*out
+ offset
);
195 if (out_size
- offset
> UINT_MAX
) {
196 log_warn(LD_BUG
, "Ran over unsigned int limit of zlib while "
200 stream
->avail_out
= (unsigned int)(out_size
- offset
);
203 log_warn(LD_GENERAL
, "Gzip compression didn't finish: %s",
204 stream
->msg
? stream
->msg
: "<no message>");
209 *out_len
= stream
->total_out
;
211 /* "Hey Rocky! Watch me change an unsigned field to a signed field in a
213 * "Oh, that trick will just make people do unsafe casts to the unsigned
214 * type in their cross-platform code!"
215 * "Don't be foolish. I'm _sure_ they'll have the good sense to make sure
216 * the newly unsigned field isn't negative." */
217 tor_assert(stream
->total_out
>= 0);
219 if (deflateEnd(stream
)!=Z_OK
) {
220 // LCOV_EXCL_START -- unreachable if we handled the zlib structure right
221 tor_assert_nonfatal_unreached();
222 log_warn(LD_BUG
, "Error freeing gzip structures");
228 if (is_compression_bomb(*out_len
, in_len
)) {
229 log_warn(LD_BUG
, "We compressed something and got an insanely high "
230 "compression factor; other Tors would think this was a zlib bomb.");
244 /** Given zero or more zlib-compressed or gzip-compressed strings of
246 * <b>in_len</b> bytes at <b>in</b>, uncompress them into a newly allocated
247 * buffer, using the method described in <b>method</b>. Store the uncompressed
248 * string in *<b>out</b>, and its length in *<b>out_len</b>. Return 0 on
249 * success, -1 on failure.
251 * If <b>complete_only</b> is true, we consider a truncated input as a
252 * failure; otherwise we decompress as much as we can. Warn about truncated
253 * or corrupt inputs at <b>protocol_warn_level</b>.
256 tor_gzip_uncompress(char **out
, size_t *out_len
,
257 const char *in
, size_t in_len
,
258 compress_method_t method
,
260 int protocol_warn_level
)
262 struct z_stream_s
*stream
= NULL
;
263 size_t out_size
, old_size
;
270 tor_assert(in_len
< UINT_MAX
);
274 stream
= tor_malloc_zero(sizeof(struct z_stream_s
));
275 stream
->zalloc
= Z_NULL
;
276 stream
->zfree
= Z_NULL
;
277 stream
->opaque
= NULL
;
278 stream
->next_in
= (unsigned char*) in
;
279 stream
->avail_in
= (unsigned int)in_len
;
281 if (inflateInit2(stream
,
282 method_bits(method
, HIGH_COMPRESSION
)) != Z_OK
) {
283 // LCOV_EXCL_START -- can only hit this if we give bad inputs.
284 log_warn(LD_GENERAL
, "Error from inflateInit2: %s",
285 stream
->msg
?stream
->msg
:"<no message>");
290 out_size
= in_len
* 2; /* guess 50% compression. */
291 if (out_size
< 1024) out_size
= 1024;
292 if (out_size
>= SIZE_T_CEILING
|| out_size
> UINT_MAX
)
295 *out
= tor_malloc(out_size
);
296 stream
->next_out
= (unsigned char*)*out
;
297 stream
->avail_out
= (unsigned int)out_size
;
300 switch (inflate(stream
, complete_only
? Z_FINISH
: Z_SYNC_FLUSH
))
303 if (stream
->avail_in
== 0)
305 /* There may be more compressed data here. */
306 if ((r
= inflateEnd(stream
)) != Z_OK
) {
307 log_warn(LD_BUG
, "Error freeing gzip structures");
310 if (inflateInit2(stream
,
311 method_bits(method
,HIGH_COMPRESSION
)) != Z_OK
) {
312 log_warn(LD_GENERAL
, "Error from second inflateInit2: %s",
313 stream
->msg
?stream
->msg
:"<no message>");
318 if (!complete_only
&& stream
->avail_in
== 0)
320 /* In case zlib doesn't work as I think.... */
321 if (stream
->avail_out
>= stream
->avail_in
+16)
325 if (stream
->avail_out
> 0) {
326 log_fn(protocol_warn_level
, LD_PROTOCOL
,
327 "possible truncated or corrupt zlib data");
330 offset
= stream
->next_out
- (unsigned char*)*out
;
333 if (out_size
< old_size
) {
334 log_warn(LD_GENERAL
, "Size overflow in uncompression.");
337 if (is_compression_bomb(in_len
, out_size
)) {
338 log_warn(LD_GENERAL
, "Input looks like a possible zlib bomb; "
342 if (out_size
>= SIZE_T_CEILING
) {
343 log_warn(LD_BUG
, "Hit SIZE_T_CEILING limit while uncompressing.");
346 *out
= tor_realloc(*out
, out_size
);
347 stream
->next_out
= (unsigned char*)(*out
+ offset
);
348 if (out_size
- offset
> UINT_MAX
) {
349 log_warn(LD_BUG
, "Ran over unsigned int limit of zlib while "
353 stream
->avail_out
= (unsigned int)(out_size
- offset
);
356 log_warn(LD_GENERAL
, "Gzip decompression returned an error: %s",
357 stream
->msg
? stream
->msg
: "<no message>");
362 *out_len
= stream
->next_out
- (unsigned char*)*out
;
363 r
= inflateEnd(stream
);
366 log_warn(LD_BUG
, "Error freeing gzip structures");
370 /* NUL-terminate output. */
371 if (out_size
== *out_len
)
372 *out
= tor_realloc(*out
, out_size
+ 1);
373 (*out
)[*out_len
] = '\0';
387 /** Try to tell whether the <b>in_len</b>-byte string in <b>in</b> is likely
388 * to be compressed or not. If it is, return the likeliest compression method.
389 * Otherwise, return UNKNOWN_METHOD.
392 detect_compression_method(const char *in
, size_t in_len
)
394 if (in_len
> 2 && fast_memeq(in
, "\x1f\x8b", 2)) {
396 } else if (in_len
> 2 && (in
[0] & 0x0f) == 8 &&
397 (ntohs(get_uint16(in
)) % 31) == 0) {
400 return UNKNOWN_METHOD
;
404 /** Internal state for an incremental zlib compression/decompression. The
405 * body of this struct is not exposed. */
406 struct tor_zlib_state_t
{
407 struct z_stream_s stream
; /**< The zlib stream */
408 int compress
; /**< True if we are compressing; false if we are inflating */
410 /** Number of bytes read so far. Used to detect zlib bombs. */
412 /** Number of bytes written so far. Used to detect zlib bombs. */
413 size_t output_so_far
;
415 /** Approximate number of bytes allocated for this object. */
419 /** Construct and return a tor_zlib_state_t object using <b>method</b>. If
420 * <b>compress</b>, it's for compression; otherwise it's for
423 tor_zlib_new(int compress_
, compress_method_t method
,
424 zlib_compression_level_t compression_level
)
426 tor_zlib_state_t
*out
;
430 /* use this setting for decompression, since we might have the
431 * max number of window bits */
432 compression_level
= HIGH_COMPRESSION
;
435 out
= tor_malloc_zero(sizeof(tor_zlib_state_t
));
436 out
->stream
.zalloc
= Z_NULL
;
437 out
->stream
.zfree
= Z_NULL
;
438 out
->stream
.opaque
= NULL
;
439 out
->compress
= compress_
;
440 bits
= method_bits(method
, compression_level
);
441 memlevel
= get_memlevel(compression_level
);
443 if (deflateInit2(&out
->stream
, Z_BEST_COMPRESSION
, Z_DEFLATED
,
445 Z_DEFAULT_STRATEGY
) != Z_OK
)
446 goto err
; // LCOV_EXCL_LINE
448 if (inflateInit2(&out
->stream
, bits
) != Z_OK
)
449 goto err
; // LCOV_EXCL_LINE
451 out
->allocation
= tor_zlib_state_size_precalc(!compress_
, bits
, memlevel
);
453 total_zlib_allocation
+= out
->allocation
;
462 /** Compress/decompress some bytes using <b>state</b>. Read up to
463 * *<b>in_len</b> bytes from *<b>in</b>, and write up to *<b>out_len</b> bytes
464 * to *<b>out</b>, adjusting the values as we go. If <b>finish</b> is true,
465 * we've reached the end of the input.
467 * Return TOR_ZLIB_DONE if we've finished the entire compression/decompression.
468 * Return TOR_ZLIB_OK if we're processed everything from the input.
469 * Return TOR_ZLIB_BUF_FULL if we're out of space on <b>out</b>.
470 * Return TOR_ZLIB_ERR if the stream is corrupt.
473 tor_zlib_process(tor_zlib_state_t
*state
,
474 char **out
, size_t *out_len
,
475 const char **in
, size_t *in_len
,
479 tor_assert(*in_len
<= UINT_MAX
);
480 tor_assert(*out_len
<= UINT_MAX
);
481 state
->stream
.next_in
= (unsigned char*) *in
;
482 state
->stream
.avail_in
= (unsigned int)*in_len
;
483 state
->stream
.next_out
= (unsigned char*) *out
;
484 state
->stream
.avail_out
= (unsigned int)*out_len
;
486 if (state
->compress
) {
487 err
= deflate(&state
->stream
, finish
? Z_FINISH
: Z_NO_FLUSH
);
489 err
= inflate(&state
->stream
, finish
? Z_FINISH
: Z_SYNC_FLUSH
);
492 state
->input_so_far
+= state
->stream
.next_in
- ((unsigned char*)*in
);
493 state
->output_so_far
+= state
->stream
.next_out
- ((unsigned char*)*out
);
495 *out
= (char*) state
->stream
.next_out
;
496 *out_len
= state
->stream
.avail_out
;
497 *in
= (const char *) state
->stream
.next_in
;
498 *in_len
= state
->stream
.avail_in
;
500 if (! state
->compress
&&
501 is_compression_bomb(state
->input_so_far
, state
->output_so_far
)) {
502 log_warn(LD_DIR
, "Possible zlib bomb; abandoning stream.");
509 return TOR_ZLIB_DONE
;
511 if (state
->stream
.avail_in
== 0 && !finish
)
513 return TOR_ZLIB_BUF_FULL
;
515 if (state
->stream
.avail_out
== 0 || finish
)
516 return TOR_ZLIB_BUF_FULL
;
519 log_warn(LD_GENERAL
, "Gzip returned an error: %s",
520 state
->stream
.msg
? state
->stream
.msg
: "<no message>");
525 /** Deallocate <b>state</b>. */
527 tor_zlib_free(tor_zlib_state_t
*state
)
532 total_zlib_allocation
-= state
->allocation
;
535 deflateEnd(&state
->stream
);
537 inflateEnd(&state
->stream
);
542 /** Return an approximate number of bytes used in RAM to hold a state with
543 * window bits <b>windowBits</b> and compression level 'memlevel' */
545 tor_zlib_state_size_precalc(int inflate_
, int windowbits
, int memlevel
)
549 #define A_FEW_KILOBYTES 2048
554 "The memory requirements for inflate are (in bytes) 1 << windowBits
555 that is, 32K for windowBits=15 (default value) plus a few kilobytes
558 return sizeof(tor_zlib_state_t
) + sizeof(struct z_stream_s
) +
559 (1 << 15) + A_FEW_KILOBYTES
;
561 /* Also from zconf.h:
563 "The memory requirements for deflate are (in bytes):
564 (1 << (windowBits+2)) + (1 << (memLevel+9))
565 ... plus a few kilobytes for small objects."
567 return sizeof(tor_zlib_state_t
) + sizeof(struct z_stream_s
) +
568 (1 << (windowbits
+ 2)) + (1 << (memlevel
+ 9)) + A_FEW_KILOBYTES
;
570 #undef A_FEW_KILOBYTES
573 /** Return the approximate number of bytes allocated for <b>state</b>. */
575 tor_zlib_state_size(const tor_zlib_state_t
*state
)
577 return state
->allocation
;
580 /** Return the approximate number of bytes allocated for all zlib states. */
582 tor_zlib_get_total_allocation(void)
584 return total_zlib_allocation
;