From: Todd Short Date: Thu, 31 Oct 2024 18:33:45 +0000 (-0400) Subject: Use correct alerts for some cert comp errors X-Git-Tag: openssl-3.5.0-alpha1~944 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a590a7e3bc9229ba49f6e8828f85baaaf024607d;p=thirdparty%2Fopenssl.git Use correct alerts for some cert comp errors Fixes #25471 Signed-off-by: Todd Short Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/25845)
---
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index d52e2a73844..8be8878fe01 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -2859,7 +2859,7 @@ MSG_PROCESS_RETURN tls13_process_compressed_certificate(SSL_CONNECTION *sc,
 }
 }
 if (!found) {
- SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, SSL_R_BAD_COMPRESSION_ALGORITHM);
+ SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_COMPRESSION_ALGORITHM);
 goto err;
 }
 }
@@ -2884,9 +2884,17 @@ MSG_PROCESS_RETURN tls13_process_compressed_certificate(SSL_CONNECTION *sc,

 if ((comp = COMP_CTX_new(method)) == NULL
 || !PACKET_get_net_3_len(pkt, &expected_length)
- || !PACKET_get_net_3_len(pkt, &comp_length)
- || PACKET_remaining(pkt) != comp_length
- || !BUF_MEM_grow(buf, expected_length)
+ || !PACKET_get_net_3_len(pkt, &comp_length)) {
+ SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, SSL_R_BAD_DECOMPRESSION);
+ goto err;
+ }
+
+ if (PACKET_remaining(pkt) != comp_length || comp_length == 0) {
+ SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_DECOMPRESSION);
+ goto err;
+ }
+
+ if (!BUF_MEM_grow(buf, expected_length)
 || !PACKET_buf_init(tmppkt, (unsigned char *)buf->data, expected_length)
 || COMP_expand_block(comp, (unsigned char *)buf->data, expected_length,
 (unsigned char*)PACKET_data(pkt), comp_length) != (int)expected_length) {
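Review bot: The `!found` branch in the first hunk gives no reason for choosing `SSL_AD_ILLEGAL_PARAMETER`, so a later edit could switch it back to a certificate alert without anyone noticing. A one-line comment above the call would record the rule, for example `/* algorithm not in the accepted list: a bad field value, not a bad certificate */`. The loop that sets `found` lies outside the hunk, so the wording should be checked against what that loop actually compares.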
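Review bot: In the second hunk, `expected_length` is read from the peer as a 3-byte length and reaches `BUF_MEM_grow(buf, expected_length)` with no upper bound visible here, so a small compressed message can make the receiver allocate up to about 16 MiB before decompression is attempted. Now that the length checks are split out of the `||` chain, a limit fits naturally ahead of the allocation, for example `if (expected_length > sc->max_cert_list) { SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, SSL_R_EXCESSIVE_MESSAGE_SIZE); goto err; }`, unless a check outside the hunk already enforces one. The first new branch also still reports `SSL_AD_BAD_CERTIFICATE` when `COMP_CTX_new()` fails locally or a length field cannot be read, which looks inconsistent with the `SSL_AD_DECODE_ERROR` used just below for a length mismatch. The enclosing function starts and ends outside the hunk.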