From: Matt Caswell
Date: Wed, 1 Mar 2017 10:36:38 +0000 (+0000)
Subject: Ensure that we never select compression in TLSv1.3
X-Git-Tag: OpenSSL_1_1_1-pre1~2183
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=c19602b543562104b756aa6adec9bd5081207574;p=oweals%2Fopenssl.git
Ensure that we never select compression in TLSv1.3
Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/2814)
---
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 1943f55f83..abddc0ace3 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1105,7 +1105,9 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
 return 0;
 }
 #ifndef OPENSSL_NO_COMP
- if (ssl_allow_compression(s) && s->ctx->comp_methods) {
+ if (ssl_allow_compression(s)
+ && s->ctx->comp_methods
+ && (SSL_IS_DTLS(s) || s->s3->tmp.max_ver < TLS1_3_VERSION)) {
 int compnum = sk_SSL_COMP_num(s->ctx->comp_methods);
 for (i = 0; i < compnum; i++) {
 comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 26c37c73d0..39e0f59833 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1736,7 +1736,7 @@ static int tls_early_post_process_client_hello(SSL *s, int *al)
 s->s3->tmp.new_compression = NULL;
 #ifndef OPENSSL_NO_COMP
 /* This only happens if we have a cache hit */
- if (s->session->compress_meth != 0) {
+ if (s->session->compress_meth != 0 && !SSL_IS_TLS13(s)) {
 int m, comp_id = s->session->compress_meth;
 unsigned int k;
 /* Perform sanity checks on resumed compression algorithm */
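Review bot: The new condition in tls_construct_client_hello (ssl/statem/statem_clnt.c) carries no comment explaining why DTLS is exempted or why the test is on the offered maximum version rather than the negotiated one. I would add above the `if`: `/* TLSv1.3 never uses compression, so offer only the null method whenever it may be negotiated; DTLS is exempt because its version numbers do not order against TLS1_3_VERSION */`. Because the gate is `s->s3->tmp.max_ver`, a client able to negotiate TLSv1.3 also stops offering compression when the handshake ends up at TLSv1.2; that looks intended, but it is worth stating in the comment. The function body starts and ends outside the hunk.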
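Review bot: In tls_early_post_process_client_hello (ssl/statem/statem_srvr.c), a resumed session whose `compress_meth` is non-zero now skips the sanity checks under TLSv1.3 and falls through to the `s->hit` branch of the following hunk, so the handshake continues with `comp = NULL` instead of failing on the inconsistent state. If such a session can never be resumed at TLSv1.3 this path is presumably unreachable, but nothing in the visible code says so. Either reject it explicitly on the existing `goto err` path, or extend the comment to something like `/* This only happens if we have a cache hit; a session resumed under TLSv1.3 is never expected to carry compression */`. The function starts and ends outside the hunk.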
@@ -1770,9 +1770,10 @@ static int tls_early_post_process_client_hello(SSL *s, int *al)
 SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
 goto err;
 }
- } else if (s->hit)
+ } else if (s->hit) {
 comp = NULL;
- else if (ssl_allow_compression(s) && s->ctx->comp_methods) {
+ } else if (ssl_allow_compression(s) && s->ctx->comp_methods
+ && !SSL_IS_TLS13(s)) {
 /* See if we have a match */
 int m, nn, v, done = 0;
 unsigned int o;
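Review bot: With `&& !SSL_IS_TLS13(s)` on the matching branch, the compression list of a TLSv1.3 ClientHello is no longer examined here, so as far as this hunk shows a list offering anything beyond the single null method is silently ignored rather than rejected. The TLSv1.3 specification expects the server to abort with illegal_parameter in that case. If that validation is not done elsewhere in the function (not visible from the hunk), it belongs next to this branch, setting `*al = SSL_AD_ILLEGAL_PARAMETER` and taking the existing `goto err` path. At minimum the new condition deserves a comment such as `/* TLSv1.3 never negotiates compression, whatever the client offered */`.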