Merge pull request #541 from toddouska/comp

detect server forcing compression on client w/o support
2025-08-03 20:54:41 +02:00 · 2016-09-09 13:00:22 -07:00
parent fc54c53f38 0c21d76ce3
commit 68e48e84fd
2 changed files with 34 additions and 9 deletions
--- a/src/internal.c
+++ b/src/internal.c
@@ -11162,6 +11162,9 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
    case MATCH_SUITE_ERROR :
        return "can't match cipher suite";

+    case COMPRESSION_ERROR :
+        return "compression mismatch error";
+
    case BUILD_MSG_ERROR :
        return "build message failure";

@@ -13048,6 +13051,11 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
        ssl->options.cipherSuite  = cs1;
        compression = input[i++];

+        if (compression != NO_COMPRESSION && !ssl->options.usingCompression) {
+            WOLFSSL_MSG("Server forcing compression w/o support");
+            return COMPRESSION_ERROR;
+        }
+
        if (compression != ZLIB_COMPRESSION && ssl->options.usingCompression) {
            WOLFSSL_MSG("Server refused compression, turning off");
            ssl->options.usingCompression = 0;  /* turn off if server refused */
@@ -18024,6 +18032,11 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
        if ((i - begin) + b > helloSz)
            return BUFFER_ERROR;

+        if (b == 0) {
+            WOLFSSL_MSG("No compression types in list");
+            return COMPRESSION_ERROR;
+        }
+
 #ifdef WOLFSSL_DTLS
        if (IsDtlsNotSctpMode(ssl)) {
            byte newCookie[MAX_COOKIE_LEN];
@@ -18063,23 +18076,34 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
        }
 #endif /* WOLFSSL_DTLS */

-        if (ssl->options.usingCompression) {
-            int match = 0;
+        {
+            /* copmression match types */
+            int matchNo = 0;
+            int matchZlib = 0;

            while (b--) {
                byte comp = input[i++];

-                if (comp == ZLIB_COMPRESSION)
-                    match = 1;
+                if (comp == NO_COMPRESSION) {
+                    matchNo = 1;
+                }
+                if (comp == ZLIB_COMPRESSION) {
+                    matchZlib = 1;
+                }
            }

-            if (!match) {
-                WOLFSSL_MSG("Not matching compression, turning off");
+            if (ssl->options.usingCompression == 0 && matchNo) {
+                WOLFSSL_MSG("Matched No Compression");
+            } else if (ssl->options.usingCompression && matchZlib) {
+                WOLFSSL_MSG("Matched zlib Compression");
+            } else if (ssl->options.usingCompression && matchNo) {
+                WOLFSSL_MSG("Could only match no compression, turning off");
                ssl->options.usingCompression = 0;  /* turn off */
+            } else {
+                WOLFSSL_MSG("Could not match compression");
+                return COMPRESSION_ERROR;
            }
        }
-        else
-            i += b; /* ignore, since we're not on */

        *inOutIdx = i;

--- a/wolfssl/error-ssl.h
+++ b/wolfssl/error-ssl.h
@@ -153,7 +153,8 @@ enum wolfSSL_ErrorCodes {

    /* begin negotiation parameter errors */
    UNSUPPORTED_SUITE            = -500,        /* unsupported cipher suite */
-    MATCH_SUITE_ERROR            = -501         /* can't match cipher suite */
+    MATCH_SUITE_ERROR            = -501,        /* can't match cipher suite */
+    COMPRESSION_ERROR            = -502         /* compression mismatch */
    /* end negotiation parameter errors only 10 for now */
    /* add strings to wolfSSL_ERR_reason_error_string in internal.c !!!!! */