Client side compression algorithm sanity checks: ensure old compression
authorDr. Stephen Henson <steve@openssl.org>
Fri, 1 Jan 2010 14:39:37 +0000 (14:39 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 1 Jan 2010 14:39:37 +0000 (14:39 +0000)
algorithm matches current and give error if compression is disabled and
server requests it (shouldn't happen unless server is broken).

ssl/s3_clnt.c
ssl/s3_srvr.c
ssl/ssl.h
ssl/ssl_err.c

index 3d40ba4..af30d1a 100644 (file)
@@ -891,10 +891,31 @@ int ssl3_get_server_hello(SSL *s)
                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
                goto f_err;
                }
+       /* If compression is disabled we'd better not try to resume a session
+        * using compression.
+        */
+       if (s->session->compress_meth != 0)
+               {
+               al=SSL_AD_INTERNAL_ERROR;
+               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
+               goto f_err;
+               }
 #else
        j= *(p++);
-       if ((j == 0) || (s->options & SSL_OP_NO_COMPRESSION))
+       if (s->hit && j != (int)s->session->compress_meth)
+               {
+               al=SSL_AD_ILLEGAL_PARAMETER;
+               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
+               goto f_err;
+               }
+       if (j == 0)
                comp=NULL;
+       else if (s->options & SSL_OP_NO_COMPRESSION)
+               {
+               al=SSL_AD_ILLEGAL_PARAMETER;
+               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_COMPRESSION_DISABLED);
+               goto f_err;
+               }
        else
                comp=ssl3_comp_find(s->ctx->comp_methods,j);
        
index fadf638..8c8c148 100644 (file)
@@ -1159,7 +1159,7 @@ int ssl3_get_client_hello(SSL *s)
        /* If compression is disabled we'd better not try to resume a session
         * using compression.
         */
-       if (s->session->compress_id != 0)
+       if (s->session->compress_meth != 0)
                {
                al=SSL_AD_INTERNAL_ERROR;
                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
index d6c254e..3b725ea 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2077,6 +2077,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_CIPHER_TABLE_SRC_ERROR                    139
 #define SSL_R_CLIENTHELLO_TLSEXT                        226
 #define SSL_R_COMPRESSED_LENGTH_TOO_LONG                140
+#define SSL_R_COMPRESSION_DISABLED                      343
 #define SSL_R_COMPRESSION_FAILURE                       141
 #define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE   307
 #define SSL_R_COMPRESSION_LIBRARY_ERROR                         142
@@ -2171,6 +2172,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_NULL_SSL_CTX                              195
 #define SSL_R_NULL_SSL_METHOD_PASSED                    196
 #define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED           197
+#define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 344
 #define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE             297
 #define SSL_R_OPAQUE_PRF_INPUT_TOO_LONG                         327
 #define SSL_R_PACKET_LENGTH_TOO_LONG                    198
index 44f2f6b..2bd8631 100644 (file)
@@ -329,6 +329,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR),"cipher table src error"},
 {ERR_REASON(SSL_R_CLIENTHELLO_TLSEXT)    ,"clienthello tlsext"},
 {ERR_REASON(SSL_R_COMPRESSED_LENGTH_TOO_LONG),"compressed length too long"},
+{ERR_REASON(SSL_R_COMPRESSION_DISABLED)  ,"compression disabled"},
 {ERR_REASON(SSL_R_COMPRESSION_FAILURE)   ,"compression failure"},
 {ERR_REASON(SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE),"compression id not within private range"},
 {ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR),"compression library error"},
@@ -423,6 +424,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_NULL_SSL_CTX)          ,"null ssl ctx"},
 {ERR_REASON(SSL_R_NULL_SSL_METHOD_PASSED),"null ssl method passed"},
 {ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),"old session cipher not returned"},
+{ERR_REASON(SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED),"old session compression algorithm not returned"},
 {ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),"only tls allowed in fips mode"},
 {ERR_REASON(SSL_R_OPAQUE_PRF_INPUT_TOO_LONG),"opaque PRF input too long"},
 {ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG),"packet length too long"},