author | Emilia Kasper <emilia@openssl.org> | 2014-11-19 17:01:36 +0100
---|---|---
committer | Emilia Kasper <emilia@openssl.org> | 2014-11-20 15:32:08 +0100
commit | 249a3e362fe406f8bc05cd3e69955a34a080b2b9 (patch) |
tree | 7075cf5e28831f66415f9a5be9e384fd8f53fa76 /ssl/d1_clnt.c |
parent | 15d717f574b2aad393f1f039ca0fbcd1a0886439 (diff) |
Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset
once the ChangeCipherSpec message is received. Previously, the server would
set the flag once at SSL3_ST_SR_CERT_VRFY and again at SSL3_ST_SR_FINISHED.
This would allow a second CCS to arrive and would corrupt the server state.
(Because the first CCS would latch the correct keys and subsequent CCS
messages would have to be encrypted, a MitM attacker cannot exploit this,
though.)
Thanks to Joeri de Ruiter for reporting this issue.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit e94a6c0ede623960728415b68650a595e48f5a43)
Conflicts:
CHANGES
ssl/s3_srvr.c
Diffstat (limited to 'ssl/d1_clnt.c')
-rw-r--r-- | ssl/d1_clnt.c | 5
1 file changed, 3 insertions, 2 deletions
diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c index 00e14b53c7..9947be22ff 100644 --- a/ssl/d1_clnt.c +++ b/ssl/d1_clnt.c @@ -249,6 +249,9 @@ int dtls1_connect(SSL *s) memset(s->s3->client_random,0,sizeof(s->s3->client_random)); s->d1->send_cookie = 0; s->hit = 0; + s->d1->change_cipher_spec_ok = 0; + /* Should have been reset by ssl3_get_finished, too. */ + s->s3->change_cipher_spec = 0; break; #ifndef OPENSSL_NO_SCTP @@ -492,7 +495,6 @@ int dtls1_connect(SSL *s) else #endif s->state=SSL3_ST_CW_CHANGE_A; - s->s3->change_cipher_spec=0; } s->init_num=0; @@ -513,7 +515,6 @@ int dtls1_connect(SSL *s) #endif s->state=SSL3_ST_CW_CHANGE_A; s->init_num=0; - s->s3->change_cipher_spec=0; break; case SSL3_ST_CW_CHANGE_A: |
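Review bot: the comment added in the first hunk (the SSL_ST_CONNECT initialisation at line 249), `/* Should have been reset by ssl3_get_finished, too. */`, sits between `s->d1->change_cipher_spec_ok = 0;` and `s->s3->change_cipher_spec = 0;`, so it is not clear which of the two fields it describes; please reword it to name the field. More importantly, these two resets run at handshake start, which guards against a flag left armed by an earlier or abandoned handshake, but they do not consume the flag when a CCS is actually received, which is the behaviour the commit message promises; that has to live in the record-layer reader, which is not in this file and is not visible in a diffstat limited to ssl/d1_clnt.c. Please confirm that change is part of the same commit.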
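Review bot: dropping `s->s3->change_cipher_spec=0;` before the transition to SSL3_ST_CW_CHANGE_A in the hunk at line 492 is only safe if the field is guaranteed clear by the time the client sends its own CCS. Within this diff the only guarantees are the new reset at connect start and, going by the comment in the first hunk, a reset in ssl3_get_finished; in a full handshake the client sends CCS before it receives the server's Finished, so only the connect-start reset applies on that path. A short comment at this site, or a sentence in the commit message, saying that the per-transition clear was redundant for that reason would save the next reader from reconstructing it.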
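Review bot: the second removal of `s->s3->change_cipher_spec=0;` in the hunk at line 513 relies on the same invariant as the one at line 492, and the two transitions to SSL3_ST_CW_CHANGE_A now differ only in the surrounding `#ifndef OPENSSL_NO_SCTP` handling. Consider funnelling both through one path, or at least documenting at one of the two sites that the flag is cleared centrally, so that a later change to either branch does not reintroduce a local clear on one side only.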
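The gate the commit message describes, as an added example that is not OpenSSL's code: a toy C model of a single-use ChangeCipherSpec permission. Every name in it (toy_conn, ccs_ok, expect_ccs, read_record, start_handshake and the two scenario functions) is invented for illustration; ccs_ok stands in for SSL3_FLAGS_CCS_OK / d1->change_cipher_spec_ok. The fixed flag switches between the old behaviour (arm the permission and never clear it) and the behaviour the commit describes (clear it when a CCS is consumed, and also clear it at handshake start, as the first hunk does for the DTLS client).

```c
#include <stdbool.h>
#include <stddef.h>

/*
 * Added example, not OpenSSL code: a toy model of the ChangeCipherSpec gate
 * this commit tightens.  Names are invented; ccs_ok stands in for
 * SSL3_FLAGS_CCS_OK / d1->change_cipher_spec_ok.
 */

enum rec_type { REC_HANDSHAKE, REC_CCS };

struct toy_conn {
    bool fixed;          /* apply the commit's behaviour: clear on use and at start */
    bool ccs_ok;         /* a CCS record is currently permitted */
    int  ccs_accepted;   /* CCS records that got past the gate */
};

/* Handshake start (the SSL_ST_CONNECT path in the first hunk): the fixed code
 * clears the permission so nothing leaks in from an earlier, possibly
 * abandoned, handshake.  The old code left the flag untouched here. */
static void start_handshake(struct toy_conn *c)
{
    if (c->fixed)
        c->ccs_ok = false;
    c->ccs_accepted = 0;
}

/* The handshake state machine arms the gate where a CCS is expected next. */
static void expect_ccs(struct toy_conn *c)
{
    c->ccs_ok = true;
}

/* Record layer: returns true if the record is accepted. */
static bool read_record(struct toy_conn *c, enum rec_type t)
{
    if (t != REC_CCS)
        return true;                 /* handshake records are not gated here */
    if (!c->ccs_ok)
        return false;                /* unexpected CCS: real code raises a fatal alert */
    if (c->fixed)
        c->ccs_ok = false;           /* permission is single-use: consumed on receipt */
    c->ccs_accepted++;
    return true;
}

/* Scenario 1 (the commit message's case): the peer sends CCS twice after the
 * state machine armed the gate once.  Returns how many CCS records got through. */
int accepted_after_double_ccs(bool fixed)
{
    struct toy_conn c = { .fixed = fixed, .ccs_ok = false, .ccs_accepted = 0 };
    start_handshake(&c);
    expect_ccs(&c);                  /* e.g. on entering the CertificateVerify state */
    read_record(&c, REC_CCS);        /* first CCS: legitimate, this is where keys latch */
    read_record(&c, REC_HANDSHAKE);  /* Finished */
    read_record(&c, REC_CCS);        /* second CCS: must not get through */
    return c.ccs_accepted;           /* unfixed: 2, fixed: 1 */
}

/* Scenario 2 (what the connect-start reset guards against, as modelled here):
 * an earlier handshake armed the gate but was abandoned before any CCS
 * arrived, then a fresh handshake begins.  Returns true if a CCS sent before
 * the new handshake has armed the gate is accepted. */
bool stale_permission_leaks(bool fixed)
{
    struct toy_conn c = { .fixed = fixed, .ccs_ok = false, .ccs_accepted = 0 };
    start_handshake(&c);
    expect_ccs(&c);                  /* old handshake armed the gate ... */
    start_handshake(&c);             /* ... then was restarted without any CCS */
    return read_record(&c, REC_CCS); /* unfixed: true, fixed: false */
}
```

Scenario 1 reproduces the double-CCS case from the commit message: with the permission never cleared, the second CCS is accepted and the state machine is driven past a point it should not reach twice. Scenario 2 is the case the reset at connect start in the first hunk closes, a permission left armed by an abandoned handshake; the model's interpretation of that hunk, not a claim from the page. Where read_record returns false, real code would send a fatal alert and abort the connection.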