Fix for CVE-2014-0224

Only accept change cipher spec when it is expected instead of at any time. This prevents premature setting of session keys before the master secret is determined which an attacker could use as a MITM attack. Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue and providing the initial fix this patch is based on.
author: Dr. Stephen Henson <steve@openssl.org> 2014-05-16 12:49:48 +0100
committer: Dr. Stephen Henson <steve@openssl.org> 2014-06-05 09:04:27 +0100
commit: bc8923b1ec9c467755cd86f7848c50ee8812e441 (patch)
tree: c9873db8cc4f63ab3e6af6680d54f21a6074fb14 /ssl/s3_srvr.c
parent: 1632ef744872edc2aa2a53d487d3e79c965a4ad3 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 5ac4119b9d..503bed3fe0 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -673,6 +673,7 @@ int ssl3_accept(SSL *s)
 		case SSL3_ST_SR_CERT_VRFY_A:
 		case SSL3_ST_SR_CERT_VRFY_B:
 
+			s->s3->flags |= SSL3_FLAGS_CCS_OK;
 			/* we should decide if we expected this one */
 			ret=ssl3_get_cert_verify(s);
 			if (ret <= 0) goto end;
@@ -700,6 +701,7 @@ int ssl3_accept(SSL *s)
 
 		case SSL3_ST_SR_FINISHED_A:
 		case SSL3_ST_SR_FINISHED_B:
+			s->s3->flags |= SSL3_FLAGS_CCS_OK;
 			ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
 				SSL3_ST_SR_FINISHED_B);
 			if (ret <= 0) goto end;
@@ -770,7 +772,10 @@ int ssl3_accept(SSL *s)
 				s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
 #else
 				if (s->s3->next_proto_neg_seen)
+					{
+					s->s3->flags |= SSL3_FLAGS_CCS_OK;
 					s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A;
+					}
 				else
 					s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
 #endif
author	Dr. Stephen Henson <steve@openssl.org>	2014-05-16 12:49:48 +0100
committer	Dr. Stephen Henson <steve@openssl.org>	2014-06-05 09:04:27 +0100
commit	bc8923b1ec9c467755cd86f7848c50ee8812e441 (patch)
tree	c9873db8cc4f63ab3e6af6680d54f21a6074fb14 /ssl/s3_srvr.c
parent	1632ef744872edc2aa2a53d487d3e79c965a4ad3 (diff)