author | Emilia Kasper <emilia@openssl.org> | 2014-11-19 17:01:36 +0100 |
---|---|---|
committer | Emilia Kasper <emilia@openssl.org> | 2014-11-20 15:17:36 +0100 |
commit | e5f261df7369a8d1734045ed59e12b42142a9147 | |
tree | 7a149a3254d47240c1de4424e913f7ad4dd10fca /ssl/dtls1.h | |
parent | 9baee0216fe3bf572435a867963bdeea8ad95b59 | |
Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset
once the ChangeCipherSpec message is received. Previously, the server would
set the flag once at SSL3_ST_SR_CERT_VRFY and again at SSL3_ST_SR_FINISHED.
This would allow a second CCS to arrive and would corrupt the server state.
(Because the first CCS would latch the correct keys and subsequent CCS
messages would have to be encrypted, a MitM attacker cannot exploit this,
though.)
Thanks to Joeri de Ruiter for reporting this issue.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit e94a6c0ede623960728415b68650a595e48f5a43)
Diffstat (limited to 'ssl/dtls1.h')
-rw-r--r-- | ssl/dtls1.h | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/ssl/dtls1.h b/ssl/dtls1.h index 5cb79f1dac..af86f60fb5 100644 --- a/ssl/dtls1.h +++ b/ssl/dtls1.h @@ -256,6 +256,10 @@ typedef struct dtls1_state_st unsigned int handshake_fragment_len; unsigned int retransmitting; + /* + * Set when the handshake is ready to process peer's ChangeCipherSpec message. + * Cleared after the message has been processed. + */ unsigned int change_cipher_spec_ok; #ifndef OPENSSL_NO_SCTP |
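Review bot: The new comment above change_cipher_spec_ok says when the flag is set and when it is cleared, but not how a ChangeCipherSpec that arrives while the flag is clear is handled, which is the case the commit message is concerned with (a second CCS corrupting server state). Suggest adding one line to the comment that states this, and noting that the field is the DTLS counterpart of SSL3_FLAGS_CCS_OK so readers can cross-reference the two. The field is a plain unsigned int used as a boolean, so the comment could also say that only zero and non-zero are meaningful. This view is limited to ssl/dtls1.h, so the code that performs the reset is not visible here and the comment is the only statement of the invariant in this hunk.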