From c7a9fdc5abc130d04776987babe83dc28ffb97ee Mon Sep 17 00:00:00 2001
From: Joel Sing
Date: Thu, 5 Jun 2014 15:46:25 +0000
Subject: Be selective as to when ChangeCipherSpec messages will be accepted.
Without this an early ChangeCipherSpec message would result in session keys being generated, along with the Finished hash for the handshake, using an empty master secret. For a detailed analysis see: https://www.imperialviolet.org/2014/06/05/earlyccs.html This is a fix for CVE-2014-0224, from OpenSSL. This issue was reported to OpenSSL by KIKUCHI Masashi. Unfortunately the recent OpenSSL commit was the first we were made aware of the issue. ok deraadt@ sthen@
---
 lib/libssl/s3_clnt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'lib/libssl/s3_clnt.c')
diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c
index 66fb26345ec..60a17ce11b9 100644
--- a/lib/libssl/s3_clnt.c
+++ b/lib/libssl/s3_clnt.c
@@ -556,7 +556,7 @@ ssl3_connect(SSL *s)
 case SSL3_ST_CR_FINISHED_A:
 case SSL3_ST_CR_FINISHED_B:
-
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
 ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A, SSL3_ST_CR_FINISHED_B);
 if (ret <= 0)
@@ -895,6 +895,7 @@ ssl3_get_server_hello(SSL *s)
 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
 goto f_err;
 }
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
 s->hit = 1;
 } else {
 /* a miss or crap from the other end */
--
cgit v1.2.3
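Review bot: Both added `s->s3->flags |= SSL3_FLAGS_CCS_OK;` lines (the SSL3_ST_CR_FINISHED_A/B case in ssl3_connect and the session-reuse branch of ssl3_get_server_hello) only ever set the flag, and nothing visible here shows where it is tested or cleared. This view is limited to s3_clnt.c, so the consuming side is presumably in another file of the commit. It is worth confirming there that the flag is cleared as soon as one ChangeCipherSpec has been processed, since a flag left set for the rest of the connection would let a later renegotiation accept an early ChangeCipherSpec again. Each assignment also deserves a one-line comment tying it to the protocol state, for example `/* ChangeCipherSpec is expected from the server from this point on (CVE-2014-0224). */`, noting in the second hunk that on a resumed session it follows ServerHello directly. Both enclosing functions start and end outside the hunks.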