Client side compression algorithm sanity checks: ensure old compression (2be3d6eb) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

ssl/s3_clnt.c

+22 −1

Original line number	Diff line number	Diff line
		@@ -891,10 +891,31 @@ int ssl3_get_server_hello(SSL *s)
		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
		goto f_err;
		}
		/* If compression is disabled we'd better not try to resume a session
		* using compression.
		*/
		if (s->session->compress_meth != 0)
		{
		al=SSL_AD_INTERNAL_ERROR;
		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
		goto f_err;
		}
		#else
		j= *(p++);
		if ((j == 0) \|\| (s->options & SSL_OP_NO_COMPRESSION))
		if (s->hit && j != (int)s->session->compress_meth)
		{
		al=SSL_AD_ILLEGAL_PARAMETER;
		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
		goto f_err;
		}
		if (j == 0)
		comp=NULL;
		else if (s->options & SSL_OP_NO_COMPRESSION)
		{
		al=SSL_AD_ILLEGAL_PARAMETER;
		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_COMPRESSION_DISABLED);
		goto f_err;
		}
		else
		comp=ssl3_comp_find(s->ctx->comp_methods,j);

+1 −1

Original line number	Diff line number	Diff line
		@@ -1159,7 +1159,7 @@ int ssl3_get_client_hello(SSL *s)
		/* If compression is disabled we'd better not try to resume a session
		* using compression.
		*/
		if (s->session->compress_id != 0)
		if (s->session->compress_meth != 0)
		{
		al=SSL_AD_INTERNAL_ERROR;
		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);

+2 −0

Original line number	Diff line number	Diff line
		@@ -2077,6 +2077,7 @@ void ERR_load_SSL_strings(void);
		#define SSL_R_CIPHER_TABLE_SRC_ERROR 139
		#define SSL_R_CLIENTHELLO_TLSEXT 226
		#define SSL_R_COMPRESSED_LENGTH_TOO_LONG 140
		#define SSL_R_COMPRESSION_DISABLED 343
		#define SSL_R_COMPRESSION_FAILURE 141
		#define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE 307
		#define SSL_R_COMPRESSION_LIBRARY_ERROR 142
		@@ -2171,6 +2172,7 @@ void ERR_load_SSL_strings(void);
		#define SSL_R_NULL_SSL_CTX 195
		#define SSL_R_NULL_SSL_METHOD_PASSED 196
		#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197
		#define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 344
		#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 297
		#define SSL_R_OPAQUE_PRF_INPUT_TOO_LONG 327
		#define SSL_R_PACKET_LENGTH_TOO_LONG 198

+2 −0

Original line number	Diff line number	Diff line
		@@ -329,6 +329,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
		{ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR),"cipher table src error"},
		{ERR_REASON(SSL_R_CLIENTHELLO_TLSEXT) ,"clienthello tlsext"},
		{ERR_REASON(SSL_R_COMPRESSED_LENGTH_TOO_LONG),"compressed length too long"},
		{ERR_REASON(SSL_R_COMPRESSION_DISABLED) ,"compression disabled"},
		{ERR_REASON(SSL_R_COMPRESSION_FAILURE) ,"compression failure"},
		{ERR_REASON(SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE),"compression id not within private range"},
		{ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR),"compression library error"},
		@@ -423,6 +424,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
		{ERR_REASON(SSL_R_NULL_SSL_CTX) ,"null ssl ctx"},
		{ERR_REASON(SSL_R_NULL_SSL_METHOD_PASSED),"null ssl method passed"},
		{ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),"old session cipher not returned"},
		{ERR_REASON(SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED),"old session compression algorithm not returned"},
		{ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),"only tls allowed in fips mode"},
		{ERR_REASON(SSL_R_OPAQUE_PRF_INPUT_TOO_LONG),"opaque PRF input too long"},
		{ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG),"packet length too long"},