Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset

once the ChangeCipherSpec message is received. Previously, the server would set the flag once at SSL3_ST_SR_CERT_VRFY and again at SSL3_ST_SR_FINISHED. This would allow a second CCS to arrive and would corrupt the server state. (Because the first CCS would latch the correct keys and subsequent CCS messages would have to be encrypted, a MitM attacker cannot exploit this, though.) Thanks to Joeri de Ruiter for reporting this issue. Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit e94a6c0ede623960728415b68650a595e48f5a43)
author: Emilia Kasper <emilia@openssl.org> 2014-11-19 17:01:36 +0100
committer: Emilia Kasper <emilia@openssl.org> 2014-11-20 15:17:36 +0100
commit: e5f261df7369a8d1734045ed59e12b42142a9147 (patch)
tree: 7a149a3254d47240c1de4424e913f7ad4dd10fca /ssl/dtls1.h
parent: 9baee0216fe3bf572435a867963bdeea8ad95b59 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/ssl/dtls1.h b/ssl/dtls1.h
index 5cb79f1dac..af86f60fb5 100644
--- a/ssl/dtls1.h
+++ b/ssl/dtls1.h
@@ -256,6 +256,10 @@ typedef struct dtls1_state_st
 	unsigned int handshake_fragment_len;
 
 	unsigned int retransmitting;
+	/*
+	 * Set when the handshake is ready to process peer's ChangeCipherSpec message.
+	 * Cleared after the message has been processed.
+	 */
 	unsigned int change_cipher_spec_ok;
 
 #ifndef OPENSSL_NO_SCTP
author	Emilia Kasper <emilia@openssl.org>	2014-11-19 17:01:36 +0100
committer	Emilia Kasper <emilia@openssl.org>	2014-11-20 15:17:36 +0100
commit	e5f261df7369a8d1734045ed59e12b42142a9147 (patch)
tree	7a149a3254d47240c1de4424e913f7ad4dd10fca /ssl/dtls1.h
parent	9baee0216fe3bf572435a867963bdeea8ad95b59 (diff)