summaryrefslogtreecommitdiff
path: root/lib/libssl
diff options
context:
space:
mode:
authorJoel Sing <jsing@cvs.openbsd.org>2014-06-05 15:46:25 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2014-06-05 15:46:25 +0000
commitc7a9fdc5abc130d04776987babe83dc28ffb97ee (patch)
tree7cab4ee134270172e5786b105d3f2746c8475f43 /lib/libssl
parentf5a5391fdf83691578269bc0a01b6e7de214e400 (diff)
Be selective as to when ChangeCipherSpec messages will be accepted.
Without this an early ChangeCipherSpec message would result in session keys being generated, along with the Finished hash for the handshake, using an empty master secret. For a detailed analysis see: https://www.imperialviolet.org/2014/06/05/earlyccs.html This is a fix for CVE-2014-0224, from OpenSSL. This issue was reported to OpenSSL by KIKUCHI Masashi. Unfortunately the recent OpenSSL commit was the first we were made aware of the issue. ok deraadt@ sthen@
Diffstat (limited to 'lib/libssl')
-rw-r--r--lib/libssl/s3_clnt.c3
-rw-r--r--lib/libssl/s3_pkt.c8
-rw-r--r--lib/libssl/s3_srvr.c7
-rw-r--r--lib/libssl/ssl3.h1
4 files changed, 16 insertions, 3 deletions
diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c
index 66fb26345ec..60a17ce11b9 100644
--- a/lib/libssl/s3_clnt.c
+++ b/lib/libssl/s3_clnt.c
@@ -556,7 +556,7 @@ ssl3_connect(SSL *s)
case SSL3_ST_CR_FINISHED_A:
case SSL3_ST_CR_FINISHED_B:
-
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A,
SSL3_ST_CR_FINISHED_B);
if (ret <= 0)
@@ -895,6 +895,7 @@ ssl3_get_server_hello(SSL *s)
SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
goto f_err;
}
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
s->hit = 1;
} else {
/* a miss or crap from the other end */
diff --git a/lib/libssl/s3_pkt.c b/lib/libssl/s3_pkt.c
index f8f31f2a4aa..58d8221fe4c 100644
--- a/lib/libssl/s3_pkt.c
+++ b/lib/libssl/s3_pkt.c
@@ -1209,6 +1209,14 @@ start:
goto f_err;
}
+ /* Check that we should be receiving a Change Cipher Spec. */
+ if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) {
+ al = SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_CCS_RECEIVED_EARLY);
+ goto f_err;
+ }
+ s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
+
rr->length = 0;
if (s->msg_callback) {
diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c
index 948569a156e..552f8290b5f 100644
--- a/lib/libssl/s3_srvr.c
+++ b/lib/libssl/s3_srvr.c
@@ -635,6 +635,7 @@ ssl3_accept(SSL *s)
case SSL3_ST_SR_CERT_VRFY_A:
case SSL3_ST_SR_CERT_VRFY_B:
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
/* we should decide if we expected this one */
ret = ssl3_get_cert_verify(s);
@@ -665,6 +666,7 @@ ssl3_accept(SSL *s)
case SSL3_ST_SR_FINISHED_A:
case SSL3_ST_SR_FINISHED_B:
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
SSL3_ST_SR_FINISHED_B);
if (ret <= 0)
@@ -735,10 +737,11 @@ ssl3_accept(SSL *s)
#ifdef OPENSSL_NO_NEXTPROTONEG
s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A;
#else
- if (s->s3->next_proto_neg_seen)
+ if (s->s3->next_proto_neg_seen) {
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
s->s3->tmp.next_state =
SSL3_ST_SR_NEXT_PROTO_A;
- else
+ } else
s->s3->tmp.next_state =
SSL3_ST_SR_FINISHED_A;
#endif
diff --git a/lib/libssl/ssl3.h b/lib/libssl/ssl3.h
index 1d2bc2f5c01..8444ccb57dd 100644
--- a/lib/libssl/ssl3.h
+++ b/lib/libssl/ssl3.h
@@ -370,6 +370,7 @@ typedef struct ssl3_buffer_st {
#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
#define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020
+#define SSL3_FLAGS_CCS_OK 0x0080
/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
* restart a handshake because of MS SGC and so prevents us