From: erbsland-dev Date: Wed, 21 Aug 2024 16:18:58 +0000 (+0200) Subject: Correct Alert Handling for Missing Compression Methods X-Git-Tag: openssl-3.4.0-alpha1~28 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c026101be0c3c1a66b64d21d0e8c1ba39bcfd254;p=thirdparty%2Fopenssl.git Correct Alert Handling for Missing Compression Methods Fixes #7940: Updated the compression check logic to improve protocol compliance. The code now returns `SSL_AD_DECODE_ERROR` when no compression method is provided in the ClientHello message. It returns `SSL_AD_ILLEGAL_PARAMETER` if the “null” compression method (0x00) is missing. Additionally, refactored the related test code for enhanced readability and maintainability. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/25255) --- diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index b0a6bc42eec..db009f3b774 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -1683,7 +1683,6 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) unsigned int j; int i, al = SSL_AD_INTERNAL_ERROR; int protverr; - size_t loop; unsigned long id; #ifndef OPENSSL_NO_COMP SSL_COMP *comp = NULL; 
@@ -1924,16 +1923,18 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) OSSL_TRACE_END(TLS_CIPHER); } - for (loop = 0; loop < clienthello->compressions_len; loop++) { - if (clienthello->compressions[loop] == 0) - break; - } - - if (loop >= clienthello->compressions_len) { - /* no compress */ + /* At least one compression method must be preset. */ + if (clienthello->compressions_len == 0) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_COMPRESSION_SPECIFIED); goto err; } + /* Make sure at least the null compression is supported. */ + if (memchr(clienthello->compressions, 0, + clienthello->compressions_len) == NULL) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING); + goto err; + } if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) ssl_check_for_safari(s, clienthello);
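Review bot: the new comment in the second hunk has a typo, "At least one compression method must be preset." should read "must be present."; otherwise the two-stage check is the right split for the alert codes: an empty `compressions` vector is a length-constraint violation (so `SSL_AD_DECODE_ERROR` with `SSL_R_NO_COMPRESSION_SPECIFIED`), while a non-empty list that omits the mandatory null method (0x00) is a well-formed message with an unacceptable value (so `SSL_AD_ILLEGAL_PARAMETER` with `SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING`), which also matches the behaviour the commit message describes. Note that `memchr(clienthello->compressions, 0, clienthello->compressions_len)` accepts any list that contains 0x00 anywhere, so additional methods are still tolerated here, same as the removed loop. The refactored test code mentioned in the commit message is not part of this excerpt, so the two error paths (empty list vs. list without 0x00) cannot be confirmed as covered from what is shown.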