Commit c19602b5 authored by Matt Caswell's avatar Matt Caswell

Ensure that we never select compression in TLSv1.3

parent 398b0bbd
+3 −1
@@ -1105,7 +1105,9 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
        return 0;
    }
#ifndef OPENSSL_NO_COMP
    if (ssl_allow_compression(s) && s->ctx->comp_methods) {
    if (ssl_allow_compression(s)
            && s->ctx->comp_methods
            && (SSL_IS_DTLS(s) || s->s3->tmp.max_ver < TLS1_3_VERSION)) {
        int compnum = sk_SSL_COMP_num(s->ctx->comp_methods);
        for (i = 0; i < compnum; i++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
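Review bot: The third clause added to the condition under `#ifndef OPENSSL_NO_COMP` has no comment, and it changes more than the commit title suggests. A client whose maximum version is TLSv1.3 now offers no compression method from `comp_methods` at all, so it also loses compression when the server ends up negotiating TLSv1.2. That is the safe direction, since TLSv1.3 permits only the null method in the ClientHello, but it should be stated at the condition, for example `/* Never offer compression if TLSv1.3 could be negotiated: it permits only the null method */`. The `SSL_IS_DTLS(s)` exemption is presumably there because DTLS version numbers cannot be compared against `TLS1_3_VERSION`; a few words saying so would stop a later reader from dropping it. The body of `tls_construct_client_hello` starts and ends outside this hunk.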
+4 −3
@@ -1736,7 +1736,7 @@ static int tls_early_post_process_client_hello(SSL *s, int *al)
    s->s3->tmp.new_compression = NULL;
#ifndef OPENSSL_NO_COMP
    /* This only happens if we have a cache hit */
    if (s->session->compress_meth != 0) {
    if (s->session->compress_meth != 0 && !SSL_IS_TLS13(s)) {
        int m, comp_id = s->session->compress_meth;
        unsigned int k;
        /* Perform sanity checks on resumed compression algorithm */
@@ -1770,9 +1770,10 @@ static int tls_early_post_process_client_hello(SSL *s, int *al)
                   SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
            goto err;
        }
    } else if (s->hit)
    } else if (s->hit) {
        comp = NULL;
    else if (ssl_allow_compression(s) && s->ctx->comp_methods) {
    } else if (ssl_allow_compression(s) && s->ctx->comp_methods
                   && !SSL_IS_TLS13(s)) {
        /* See if we have a match */
        int m, nn, v, done = 0;
        unsigned int o;
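Review bot: With the two `!SSL_IS_TLS13(s)` guards, a TLSv1.3 handshake now skips every branch that looks at the client's offered compression list, so as far as these hunks show, a ClientHello that negotiates TLSv1.3 while listing non-null methods is accepted silently rather than rejected. The TLSv1.3 specification requires that list to be exactly the single null method and the server to abort with illegal_parameter otherwise. Unless that is enforced elsewhere in `tls_early_post_process_client_hello` (the function starts and ends outside the hunks), I would add an explicit TLSv1.3 check that sets `*al = SSL_AD_ILLEGAL_PARAMETER;` and takes the existing `goto err;` path. Separately, the first hunk means a resumed session with `compress_meth != 0` now falls through to the `s->hit` branch and continues with `comp = NULL`; a short comment such as `/* TLSv1.3 never uses compression, whatever the cached session says */` would mark that as intentional.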