2d6ef07fa3
- various null checks and other small fixes from upstream - upstream changes for the renegotiation info according to the latest draft
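diff -up openssl-1.0.0-beta4/ssl/ssl_err.c.tls-comp openssl-1.0.0-beta4/ssl/ssl_err.c
--- openssl-1.0.0-beta4/ssl/ssl_err.c.tls-comp 2010-01-07 18:45:46.000000000 +0100
+++ openssl-1.0.0-beta4/ssl/ssl_err.c 2010-01-07 22:46:10.000000000 +0100
@@ -329,6 +329,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
 {ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR),"cipher table src error"},
 {ERR_REASON(SSL_R_CLIENTHELLO_TLSEXT) ,"clienthello tlsext"},
 {ERR_REASON(SSL_R_COMPRESSED_LENGTH_TOO_LONG),"compressed length too long"},
+{ERR_REASON(SSL_R_COMPRESSION_DISABLED) ,"compression disabled"},
 {ERR_REASON(SSL_R_COMPRESSION_FAILURE) ,"compression failure"},
 {ERR_REASON(SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE),"compression id not within private range"},
 {ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR),"compression library error"},
@@ -357,8 +358,10 @@ static ERR_STRING_DATA SSL_str_reasons[]
 {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"},
 {ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"},
 {ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"},
+{ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION),"inconsistent compression"},
 {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
 {ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"},
+{ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM),"invalid compression algorithm"},
 {ERR_REASON(SSL_R_INVALID_PURPOSE) ,"invalid purpose"},
 {ERR_REASON(SSL_R_INVALID_STATUS_RESPONSE),"invalid status response"},
 {ERR_REASON(SSL_R_INVALID_TICKET_KEYS_LENGTH),"invalid ticket keys length"},
@@ -421,6 +424,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
 {ERR_REASON(SSL_R_NULL_SSL_CTX) ,"null ssl ctx"},
 {ERR_REASON(SSL_R_NULL_SSL_METHOD_PASSED),"null ssl method passed"},
 {ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),"old session cipher not returned"},
+{ERR_REASON(SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED),"old session compression algorithm not returned"},
 {ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),"only tls allowed in fips mode"},
 {ERR_REASON(SSL_R_OPAQUE_PRF_INPUT_TOO_LONG),"opaque PRF input too long"},
 {ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG),"packet length too long"},
@@ -451,6 +455,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
 {ERR_REASON(SSL_R_RENEGOTIATION_ENCODING_ERR),"renegotiation encoding err"},
 {ERR_REASON(SSL_R_RENEGOTIATION_MISMATCH),"renegotiation mismatch"},
 {ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING),"required cipher missing"},
+{ERR_REASON(SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING),"required compresssion algorithm missing"},
 {ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"},
 {ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"},
 {ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"},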
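Review bot: The new reason `SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING` and its text "required compresssion algorithm missing" spell "compression" with three s's. The same spelling appears in the `#define` added to ssl/ssl.h and in the SSLerr() call added to ssl3_get_client_hello() in ssl/s3_srvr.c, so once it ships in a public header the misspelled macro is API that has to be kept. If this patch is allowed to diverge from upstream, rename it in all three places, e.g. `{ERR_REASON(SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING),"required compression algorithm missing"},`. Otherwise keep the macro and correct only the message string, since that is what ends up in logs people search.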
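diff -up openssl-1.0.0-beta4/ssl/ssl.h.tls-comp openssl-1.0.0-beta4/ssl/ssl.h
--- openssl-1.0.0-beta4/ssl/ssl.h.tls-comp 2010-01-07 18:45:46.000000000 +0100
+++ openssl-1.0.0-beta4/ssl/ssl.h 2010-01-07 22:47:07.000000000 +0100
@@ -485,7 +485,7 @@ typedef struct ssl_session_st
 long timeout;
 long time;
 
- int compress_meth; /* Need to lookup the method */
+ unsigned int compress_meth; /* Need to lookup the method */
 
 const SSL_CIPHER *cipher;
 unsigned long cipher_id; /* when ASN.1 loaded, this
@@ -2051,6 +2051,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_CIPHER_TABLE_SRC_ERROR 139
 #define SSL_R_CLIENTHELLO_TLSEXT 226
 #define SSL_R_COMPRESSED_LENGTH_TOO_LONG 140
+#define SSL_R_COMPRESSION_DISABLED 343
 #define SSL_R_COMPRESSION_FAILURE 141
 #define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE 307
 #define SSL_R_COMPRESSION_LIBRARY_ERROR 142
@@ -2079,8 +2080,10 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_HTTPS_PROXY_REQUEST 155
 #define SSL_R_HTTP_REQUEST 156
 #define SSL_R_ILLEGAL_PADDING 283
+#define SSL_R_INCONSISTENT_COMPRESSION 340
 #define SSL_R_INVALID_CHALLENGE_LENGTH 158
 #define SSL_R_INVALID_COMMAND 280
+#define SSL_R_INVALID_COMPRESSION_ALGORITHM 341
 #define SSL_R_INVALID_PURPOSE 278
 #define SSL_R_INVALID_STATUS_RESPONSE 328
 #define SSL_R_INVALID_TICKET_KEYS_LENGTH 325
@@ -2143,6 +2146,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_NULL_SSL_CTX 195
 #define SSL_R_NULL_SSL_METHOD_PASSED 196
 #define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197
+#define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 344
 #define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 297
 #define SSL_R_OPAQUE_PRF_INPUT_TOO_LONG 327
 #define SSL_R_PACKET_LENGTH_TOO_LONG 198
@@ -2173,6 +2177,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_RENEGOTIATION_ENCODING_ERR 336
 #define SSL_R_RENEGOTIATION_MISMATCH 337
 #define SSL_R_REQUIRED_CIPHER_MISSING 215
+#define SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING 342
 #define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216
 #define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217
 #define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218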
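Review bot: The comment on `compress_meth` still says only "Need to lookup the method" and does not state the convention the rest of this patch relies on, namely that 0 means the session was established without compression. The checks added in s3_clnt.c and s3_srvr.c all test `s->session->compress_meth != 0`, so I would spell it out, e.g. `unsigned int compress_meth; /* compression method id, 0 = none; look it up in comp_methods before use */`. The struct definition starts and ends outside the hunk.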
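diff -up openssl-1.0.0-beta4/ssl/s3_clnt.c.tls-comp openssl-1.0.0-beta4/ssl/s3_clnt.c
--- openssl-1.0.0-beta4/ssl/s3_clnt.c.tls-comp 2010-01-07 17:53:12.000000000 +0100
+++ openssl-1.0.0-beta4/ssl/s3_clnt.c 2010-01-07 22:47:07.000000000 +0100
@@ -895,10 +895,31 @@ int ssl3_get_server_hello(SSL *s)
 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
 goto f_err;
 }
+ /* If compression is disabled we'd better not try to resume a session
+ * using compression.
+ */
+ if (s->session->compress_meth != 0)
+ {
+ al=SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
+ goto f_err;
+ }
 #else
 j= *(p++);
- if ((j == 0) || (s->options & SSL_OP_NO_COMPRESSION))
+ if (s->hit && j != s->session->compress_meth)
+ {
+ al=SSL_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
+ goto f_err;
+ }
+ if (j == 0)
 comp=NULL;
+ else if (s->options & SSL_OP_NO_COMPRESSION)
+ {
+ al=SSL_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_COMPRESSION_DISABLED);
+ goto f_err;
+ }
 else
 comp=ssl3_comp_find(s->ctx->comp_methods,j);
 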
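Review bot: In the `#else` branch, a resumed session with a non-zero `compress_meth` on a client that has SSL_OP_NO_COMPRESSION set passes the `s->hit` comparison and then hits `else if (s->options & SSL_OP_NO_COMPRESSION)`, so the server gets illegal_parameter although it echoed the stored method correctly. The s3_srvr.c hunk of this patch reports the equivalent local mismatch as SSL_R_INCONSISTENT_COMPRESSION with SSL_AD_INTERNAL_ERROR, which names the cause better and keeps the two sides consistent. Whether the client can get here depends on what it offered in its ClientHello, which is outside the hunk, so treat this as a question. If it can, a separate check ahead of the `j == 0` test would do it, as sketched below. ssl3_get_server_hello() starts and ends outside the hunk.

```c
	j= *(p++);
	/* … unchanged: s->hit comparison against s->session->compress_meth … */
	if (s->hit && j != 0 && (s->options & SSL_OP_NO_COMPRESSION))
		{
		/* stored session uses compression but it is now disabled locally */
		al=SSL_AD_INTERNAL_ERROR;
		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
		goto f_err;
		}
	if (j == 0)
	/* … unchanged: comp=NULL / COMPRESSION_DISABLED / ssl3_comp_find … */
```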
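diff -up openssl-1.0.0-beta4/ssl/s3_srvr.c.tls-comp openssl-1.0.0-beta4/ssl/s3_srvr.c
--- openssl-1.0.0-beta4/ssl/s3_srvr.c.tls-comp 2010-01-07 17:53:12.000000000 +0100
+++ openssl-1.0.0-beta4/ssl/s3_srvr.c 2010-01-07 22:46:10.000000000 +0100
@@ -1088,7 +1088,50 @@ int ssl3_get_client_hello(SSL *s)
 * algorithms from the client, starting at q. */
 s->s3->tmp.new_compression=NULL;
 #ifndef OPENSSL_NO_COMP
- if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods)
+ /* This only happens if we have a cache hit */
+ if (s->session->compress_meth != 0)
+ {
+ int m, comp_id = s->session->compress_meth;
+ /* Perform sanity checks on resumed compression algorithm */
+ /* Can't disable compression */
+ if (s->options & SSL_OP_NO_COMPRESSION)
+ {
+ al=SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
+ goto f_err;
+ }
+ /* Look for resumed compression method */
+ for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++)
+ {
+ comp=sk_SSL_COMP_value(s->ctx->comp_methods,m);
+ if (comp_id == comp->id)
+ {
+ s->s3->tmp.new_compression=comp;
+ break;
+ }
+ }
+ if (s->s3->tmp.new_compression == NULL)
+ {
+ al=SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INVALID_COMPRESSION_ALGORITHM);
+ goto f_err;
+ }
+ /* Look for resumed method in compression list */
+ for (m = 0; m < i; m++)
+ {
+ if (q[m] == comp_id)
+ break;
+ }
+ if (m >= i)
+ {
+ al=SSL_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
+ goto f_err;
+ }
+ }
+ else if (s->hit)
+ comp = NULL;
+ else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods)
 { /* See if we have a match */
 int m,nn,o,v,done=0;
 
@@ -1112,6 +1155,16 @@ int ssl3_get_client_hello(SSL *s)
 else
 comp=NULL;
 }
+#else
+ /* If compression is disabled we'd better not try to resume a session
+ * using compression.
+ */
+ if (s->session->compress_meth != 0)
+ {
+ al=SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
+ goto f_err;
+ }
 #endif
 
 /* Given s->session->ciphers and SSL_get_ciphers, we must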
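Review bot: The resumed-session path in the first hunk walks `s->ctx->comp_methods` with sk_SSL_COMP_num()/sk_SSL_COMP_value() without the `&& s->ctx->comp_methods` guard that the removed condition had and that the normal negotiation branch still keeps. As far as I know the stack count call returns -1 for a NULL stack, so the loop is skipped and the `new_compression == NULL` check fails the handshake, but nothing in the code says so. I would add a comment above the loop such as `/* comp_methods may be NULL: the loop is then skipped and we fail below */`. Separately, `comp_id` is declared `int` while ssl.h in this patch makes `compress_meth` an `unsigned int`; an explicit cast at the assignment would document that the narrowing is intended. ssl3_get_client_hello() starts and ends outside the hunk.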