http2: make decompression a configure-time option

5 years ago · e0764e1e12
parent 56bda0f9cb
commit e0764e1e12
7 changed files with 32 additions and 4 deletions
--- a/.github/workflows/builds.yml
+++ b/.github/workflows/builds.yml
@ -641,7 +641,7 @@ jobs:
          chmod 755 $HOME/.cargo/bin/cbindgen
          echo "$HOME/.cargo/bin" >> $GITHUB_PATH
      - run: ./autogen.sh
-      - run: CFLAGS="$DEFAULT_CFLAGS -DNDEBUG" ./configure --enable-unittests
+      - run: CFLAGS="$DEFAULT_CFLAGS -DNDEBUG" ./configure --enable-unittests --enable-http2-decompression
      - run: make -j2
      - run: make check
      - run: make dist
--- a/configure.ac
+++ b/configure.ac
@ -521,6 +521,14 @@
    ])
    AM_CONDITIONAL([DEBUG_VALIDATION], [test "x$enable_debug_validation" = "xyes"])

+  # enable http2 decompression
+     AC_ARG_ENABLE(http2-decompression,
+            AS_HELP_STRING([--enable-http2-decompression], [Enable http2 decompression]),[enable_http2_decompression=$enableval],[enable_http2_decompression=no])
+     AS_IF([test "x$enable_http2_decompression" = "xyes"], [
+         AC_DEFINE([HTTP2_DECOMPRESSION],[1],[Enable http2 decompression])
+     ])
+     AM_CONDITIONAL([HTTP2_DECOMPRESSION], [test "x$enable_http2_decompression" = "xyes"])
+
  # profiling support
    AC_ARG_ENABLE(profiling,
           AS_HELP_STRING([--enable-profiling], [Enable performance profiling]),[enable_profiling=$enableval],[enable_profiling=no])
@ -2824,6 +2832,7 @@ SURICATA_BUILD_CONF="Suricata Configuration:
  Hyperscan support:                       ${enable_hyperscan}
  Libnet support:                          ${enable_libnet}
  liblz4 support:                          ${enable_liblz4}
+  HTTP2 decompression:                     ${enable_http2_decompression}

  Rust support:                            ${enable_rust}
  Rust strict mode:                        ${enable_rust_strict}
--- a/rust/Cargo.toml.in
+++ b/rust/Cargo.toml.in
@ -17,6 +17,7 @@ strict = []
 debug = []
 debug-validate = []
 function-macro = []
+decompression = ["flate2", "brotli"]

 [dependencies]
 nom = "= 5.1.1"
@ -30,8 +31,8 @@ num-derive = "0.2"
 num-traits = "0.2"
 widestring = "0.4"
 md5 = "0.7.0"
-flate2 = "1.0"
-brotli = "3.3.0"
+flate2 = { version = "1.0", optional = true }
+brotli = { version = "3.3.0", optional = true }

 der-parser = "4.0"
 kerberos-parser = "0.5"
--- a/rust/Makefile.am
+++ b/rust/Makefile.am
@ -27,6 +27,10 @@ if DEBUG_VALIDATION
 RUST_FEATURES +=	debug-validate
 endif

+if HTTP2_DECOMPRESSION
+RUST_FEATURES +=	decompression
+endif
+
 if RUST_CROSS_COMPILE 
 RUST_TARGET = --target $(host_triplet)
 endif
--- a/rust/src/http2/http2.rs
+++ b/rust/src/http2/http2.rs
@ -16,6 +16,7 @@
 */

 use super::files::*;
+#[cfg(feature = "decompression")]
 use super::decompression;
 use super::parser;
 use crate::applayer::{self, *};
@ -127,6 +128,7 @@ pub struct HTTP2Transaction {
    pub frames_tc: Vec<HTTP2Frame>,
    pub frames_ts: Vec<HTTP2Frame>,

+    #[cfg(feature = "decompression")]
    decoder: decompression::HTTP2Decoder,

    de_state: Option<*mut core::DetectEngineState>,
@ -149,6 +151,7 @@ impl HTTP2Transaction {
            state: HTTP2TransactionState::HTTP2StateIdle,
            frames_tc: Vec::new(),
            frames_ts: Vec::new(),
+            #[cfg(feature = "decompression")]
            decoder: decompression::HTTP2Decoder::new(),
            de_state: None,
            events: std::ptr::null_mut(),
@ -168,6 +171,10 @@ impl HTTP2Transaction {
        }
    }

+    #[cfg(not(feature = "decompression"))]
+    fn handle_headers(&mut self, _blocks: &Vec<parser::HTTP2FrameHeaderBlock>, _dir: u8) {}
+
+    #[cfg(feature = "decompression")]
    fn handle_headers(&mut self, blocks: &Vec<parser::HTTP2FrameHeaderBlock>, dir: u8) {
        for i in 0..blocks.len() {
            if blocks[i].name == "content-encoding".as_bytes().to_vec() {
@ -180,8 +187,13 @@ impl HTTP2Transaction {
        &'a mut self, input: &'a [u8], dir: u8, sfcm: &'static SuricataFileContext, over: bool,
        files: &mut FileContainer, flags: u16,
    ) -> io::Result<()> {
+        #[cfg(feature = "decompression")]
        let mut output = Vec::with_capacity(decompression::HTTP2_DECOMPRESSION_CHUNK_SIZE);
+        #[cfg(feature = "decompression")]
        let decompressed = self.decoder.decompress(input, &mut output, dir)?;
+        #[cfg(not(feature = "decompression"))]
+        let decompressed = input;
+
        let xid: u32 = self.tx_id as u32;
        if dir == STREAM_TOCLIENT {
            self.ft_tc.new_chunk(
--- a/rust/src/http2/mod.rs
+++ b/rust/src/http2/mod.rs
@ -15,6 +15,7 @@
 * 02110-1301, USA.
 */

+#[cfg(feature = "decompression")]
 mod decompression;
 pub mod detect;
 pub mod files;
--- a/src/suricata.c
+++ b/src/suricata.c
@ -704,8 +704,9 @@ static void PrintBuildInfo(void)
 #ifdef HAVE_NSS
    strlcat(features, "HAVE_NSS ", sizeof(features));
 #endif
-    /* HTTP2_DECOMPRESSION is not an optional feature in this major version */
+#ifdef HTTP2_DECOMPRESSION
    strlcat(features, "HTTP2_DECOMPRESSION ", sizeof(features));
+#endif
 #ifdef HAVE_LUA
    strlcat(features, "HAVE_LUA ", sizeof(features));
 #endif