diff -up openssl-1.0.0-beta4/ssl/ssl_err.c.tls-comp openssl-1.0.0-beta4/ssl/ssl_err.c

--- openssl-1.0.0-beta4/ssl/ssl_err.c.tls-comp	2010-01-07 18:45:46.000000000 +0100

+++ openssl-1.0.0-beta4/ssl/ssl_err.c	2010-01-07 22:46:10.000000000 +0100

@@ -329,6 +329,7 @@ static ERR_STRING_DATA SSL_str_reasons[]

 {ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR),"cipher table src error"},

 {ERR_REASON(SSL_R_CLIENTHELLO_TLSEXT)    ,"clienthello tlsext"},

 {ERR_REASON(SSL_R_COMPRESSED_LENGTH_TOO_LONG),"compressed length too long"},

+{ERR_REASON(SSL_R_COMPRESSION_DISABLED)  ,"compression disabled"},

 {ERR_REASON(SSL_R_COMPRESSION_FAILURE)   ,"compression failure"},

 {ERR_REASON(SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE),"compression id not within private range"},

 {ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR),"compression library error"},

@@ -357,8 +358,10 @@ static ERR_STRING_DATA SSL_str_reasons[]

 {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST)   ,"https proxy request"},

 {ERR_REASON(SSL_R_HTTP_REQUEST)          ,"http request"},

 {ERR_REASON(SSL_R_ILLEGAL_PADDING)       ,"illegal padding"},

+{ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION),"inconsistent compression"},

 {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},

 {ERR_REASON(SSL_R_INVALID_COMMAND)       ,"invalid command"},

+{ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM),"invalid compression algorithm"},

 {ERR_REASON(SSL_R_INVALID_PURPOSE)       ,"invalid purpose"},

 {ERR_REASON(SSL_R_INVALID_STATUS_RESPONSE),"invalid status response"},

 {ERR_REASON(SSL_R_INVALID_TICKET_KEYS_LENGTH),"invalid ticket keys length"},

@@ -421,6 +424,7 @@ static ERR_STRING_DATA SSL_str_reasons[]

 {ERR_REASON(SSL_R_NULL_SSL_CTX)          ,"null ssl ctx"},

 {ERR_REASON(SSL_R_NULL_SSL_METHOD_PASSED),"null ssl method passed"},

 {ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),"old session cipher not returned"},

+{ERR_REASON(SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED),"old session compression algorithm not returned"},

 {ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),"only tls allowed in fips mode"},

 {ERR_REASON(SSL_R_OPAQUE_PRF_INPUT_TOO_LONG),"opaque PRF input too long"},

 {ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG),"packet length too long"},

@@ -451,6 +455,7 @@ static ERR_STRING_DATA SSL_str_reasons[]

 {ERR_REASON(SSL_R_RENEGOTIATION_ENCODING_ERR),"renegotiation encoding err"},

 {ERR_REASON(SSL_R_RENEGOTIATION_MISMATCH),"renegotiation mismatch"},

 {ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING),"required cipher missing"},

+{ERR_REASON(SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING),"required compresssion algorithm missing"},

 {ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"},

 {ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"},

 {ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"},

diff -up openssl-1.0.0-beta4/ssl/ssl.h.tls-comp openssl-1.0.0-beta4/ssl/ssl.h

--- openssl-1.0.0-beta4/ssl/ssl.h.tls-comp	2010-01-07 18:45:46.000000000 +0100

+++ openssl-1.0.0-beta4/ssl/ssl.h	2010-01-07 22:47:07.000000000 +0100

@@ -485,7 +485,7 @@ typedef struct ssl_session_st

 	long timeout;

 	long time;

-	int compress_meth;		/* Need to lookup the method */

+	unsigned int compress_meth;	/* Need to lookup the method */

 	const SSL_CIPHER *cipher;

 	unsigned long cipher_id;	/* when ASN.1 loaded, this

@@ -2051,6 +2051,7 @@ void ERR_load_SSL_strings(void);

 #define SSL_R_CIPHER_TABLE_SRC_ERROR			 139

 #define SSL_R_CLIENTHELLO_TLSEXT			 226

 #define SSL_R_COMPRESSED_LENGTH_TOO_LONG		 140

+#define SSL_R_COMPRESSION_DISABLED			 343

 #define SSL_R_COMPRESSION_FAILURE			 141

 #define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE	 307

 #define SSL_R_COMPRESSION_LIBRARY_ERROR			 142

@@ -2079,8 +2080,10 @@ void ERR_load_SSL_strings(void);

 #define SSL_R_HTTPS_PROXY_REQUEST			 155

 #define SSL_R_HTTP_REQUEST				 156

 #define SSL_R_ILLEGAL_PADDING				 283

+#define SSL_R_INCONSISTENT_COMPRESSION			 340

 #define SSL_R_INVALID_CHALLENGE_LENGTH			 158

 #define SSL_R_INVALID_COMMAND				 280

+#define SSL_R_INVALID_COMPRESSION_ALGORITHM		 341

 #define SSL_R_INVALID_PURPOSE				 278

 #define SSL_R_INVALID_STATUS_RESPONSE			 328

 #define SSL_R_INVALID_TICKET_KEYS_LENGTH		 325

@@ -2143,6 +2146,7 @@ void ERR_load_SSL_strings(void);

 #define SSL_R_NULL_SSL_CTX				 195

 #define SSL_R_NULL_SSL_METHOD_PASSED			 196

 #define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED		 197

+#define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 344

 #define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE		 297

 #define SSL_R_OPAQUE_PRF_INPUT_TOO_LONG			 327

 #define SSL_R_PACKET_LENGTH_TOO_LONG			 198

@@ -2173,6 +2177,7 @@ void ERR_load_SSL_strings(void);

 #define SSL_R_RENEGOTIATION_ENCODING_ERR		 336

 #define SSL_R_RENEGOTIATION_MISMATCH			 337

 #define SSL_R_REQUIRED_CIPHER_MISSING			 215

+#define SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING	 342

 #define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO		 216

 #define SSL_R_REUSE_CERT_TYPE_NOT_ZERO			 217

 #define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO		 218

diff -up openssl-1.0.0-beta4/ssl/s3_clnt.c.tls-comp openssl-1.0.0-beta4/ssl/s3_clnt.c

--- openssl-1.0.0-beta4/ssl/s3_clnt.c.tls-comp	2010-01-07 17:53:12.000000000 +0100

+++ openssl-1.0.0-beta4/ssl/s3_clnt.c	2010-01-07 22:47:07.000000000 +0100

@@ -895,10 +895,31 @@ int ssl3_get_server_hello(SSL *s)

 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);

 		goto f_err;

 		}

+	/* If compression is disabled we'd better not try to resume a session

+	 * using compression.

+	 */

+	if (s->session->compress_meth != 0)

+		{

+		al=SSL_AD_INTERNAL_ERROR;

+		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_INCONSISTENT_COMPRESSION);

+		goto f_err;

+		}

 #else

 	j= *(p++);

-	if ((j == 0) || (s->options & SSL_OP_NO_COMPRESSION))

+	if (s->hit && j != s->session->compress_meth)

+		{

+		al=SSL_AD_ILLEGAL_PARAMETER;

+		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);

+		goto f_err;

+		}

+	if (j == 0)

 		comp=NULL;

+	else if (s->options & SSL_OP_NO_COMPRESSION)

+		{

+		al=SSL_AD_ILLEGAL_PARAMETER;

+		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_COMPRESSION_DISABLED);

+		goto f_err;

+		}

 	else

 		comp=ssl3_comp_find(s->ctx->comp_methods,j);

diff -up openssl-1.0.0-beta4/ssl/s3_srvr.c.tls-comp openssl-1.0.0-beta4/ssl/s3_srvr.c

--- openssl-1.0.0-beta4/ssl/s3_srvr.c.tls-comp	2010-01-07 17:53:12.000000000 +0100

+++ openssl-1.0.0-beta4/ssl/s3_srvr.c	2010-01-07 22:46:10.000000000 +0100

@@ -1088,7 +1088,50 @@ int ssl3_get_client_hello(SSL *s)

 	 * algorithms from the client, starting at q. */

 	s->s3->tmp.new_compression=NULL;

 #ifndef OPENSSL_NO_COMP

-	if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods)

+	/* This only happens if we have a cache hit */

+	if (s->session->compress_meth != 0)

+		{

+		int m, comp_id = s->session->compress_meth;

+		/* Perform sanity checks on resumed compression algorithm */

+		/* Can't disable compression */

+		if (s->options & SSL_OP_NO_COMPRESSION)

+			{

+			al=SSL_AD_INTERNAL_ERROR;

+			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);

+			goto f_err;

+			}

+		/* Look for resumed compression method */

+		for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++)

+			{

+			comp=sk_SSL_COMP_value(s->ctx->comp_methods,m);

+			if (comp_id == comp->id)

+				{

+				s->s3->tmp.new_compression=comp;

+				break;

+				}

+			}

+		if (s->s3->tmp.new_compression == NULL)

+			{

+			al=SSL_AD_INTERNAL_ERROR;

+			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INVALID_COMPRESSION_ALGORITHM);

+			goto f_err;

+			}

+		/* Look for resumed method in compression list */

+		for (m = 0; m < i; m++)

+			{

+			if (q[m] == comp_id)

+				break;

+			}

+		if (m >= i)

+			{

+			al=SSL_AD_ILLEGAL_PARAMETER;

+			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);

+			goto f_err;

+			}

+		}

+	else if (s->hit)

+		comp = NULL;

+	else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods)

 		{ /* See if we have a match */

 		int m,nn,o,v,done=0;

@@ -1112,6 +1155,16 @@ int ssl3_get_client_hello(SSL *s)

 		else

 			comp=NULL;

 		}

+#else

+	/* If compression is disabled we'd better not try to resume a session

+	 * using compression.

+	 */

+	if (s->session->compress_meth != 0)

+		{

+		al=SSL_AD_INTERNAL_ERROR;

+		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);

+		goto f_err;

+		}

 #endif

 	/* Given s->session->ciphers and SSL_get_ciphers, we must