Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset

once the ChangeCipherSpec message is received. Previously, the server would set the flag once at SSL3_ST_SR_CERT_VRFY and again at SSL3_ST_SR_FINISHED. This would allow a second CCS to arrive and would corrupt the server state. (Because the first CCS would latch the correct keys and subsequent CCS messages would have to be encrypted, a MitM attacker cannot exploit this, though.) Thanks to Joeri de Ruiter for reporting this issue. Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit e94a6c0ede623960728415b68650a595e48f5a43) Conflicts: CHANGES ssl/s3_srvr.c
author: Emilia Kasper <emilia@openssl.org> 2014-11-19 17:01:36 +0100
committer: Emilia Kasper <emilia@openssl.org> 2014-11-20 15:32:08 +0100
commit: 249a3e362fe406f8bc05cd3e69955a34a080b2b9 (patch)
tree: 7075cf5e28831f66415f9a5be9e384fd8f53fa76 /ssl/dtls1.h
parent: 15d717f574b2aad393f1f039ca0fbcd1a0886439 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/ssl/dtls1.h b/ssl/dtls1.h
index 192c5deff9..3deffbf1af 100644
--- a/ssl/dtls1.h
+++ b/ssl/dtls1.h
@@ -252,6 +252,10 @@ typedef struct dtls1_state_st
 	unsigned int handshake_fragment_len;
 
 	unsigned int retransmitting;
+	/*
+	 * Set when the handshake is ready to process peer's ChangeCipherSpec message.
+	 * Cleared after the message has been processed.
+	 */
 	unsigned int change_cipher_spec_ok;
 
 #ifndef OPENSSL_NO_SCTP
author	Emilia Kasper <emilia@openssl.org>	2014-11-19 17:01:36 +0100
committer	Emilia Kasper <emilia@openssl.org>	2014-11-20 15:32:08 +0100
commit	249a3e362fe406f8bc05cd3e69955a34a080b2b9 (patch)
tree	7075cf5e28831f66415f9a5be9e384fd8f53fa76 /ssl/dtls1.h
parent	15d717f574b2aad393f1f039ca0fbcd1a0886439 (diff)