diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2014-05-16 12:49:48 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2014-06-05 13:22:42 +0100 |
commit | a91be10833e61bcdc9002de28489405101c52650 (patch) | |
tree | c5d8d3629e733447f7ea76bad1b05f9460862cbf /ssl/s3_srvr.c | |
parent | a7c682fb6f692c9a3868777a7ff305784714c131 (diff) |
Fix for CVE-2014-0224
Only accept change cipher spec when it is expected instead of at any
time. This prevents premature setting of session keys before the master
secret is determined which an attacker could use as a MITM attack.
Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
and providing the initial fix this patch is based on.
(cherry picked from commit bc8923b1ec9c467755cd86f7848c50ee8812e441)
Diffstat (limited to 'ssl/s3_srvr.c')
-rw-r--r-- | ssl/s3_srvr.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 72fd3e40d6..31bfe478b8 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -708,6 +708,7 @@ int ssl3_accept(SSL *s) case SSL3_ST_SR_CERT_VRFY_A: case SSL3_ST_SR_CERT_VRFY_B: + s->s3->flags |= SSL3_FLAGS_CCS_OK; /* we should decide if we expected this one */ ret=ssl3_get_cert_verify(s); if (ret <= 0) goto end; @@ -735,6 +736,7 @@ int ssl3_accept(SSL *s) case SSL3_ST_SR_FINISHED_A: case SSL3_ST_SR_FINISHED_B: + s->s3->flags |= SSL3_FLAGS_CCS_OK; ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, SSL3_ST_SR_FINISHED_B); if (ret <= 0) goto end; @@ -805,7 +807,10 @@ int ssl3_accept(SSL *s) s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; #else if (s->s3->next_proto_neg_seen) + { + s->s3->flags |= SSL3_FLAGS_CCS_OK; s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A; + } else s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; #endif |