From e5f261df7369a8d1734045ed59e12b42142a9147 Mon Sep 17 00:00:00 2001 From: Emilia Kasper Date: Wed, 19 Nov 2014 17:01:36 +0100 Subject: Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset once the ChangeCipherSpec message is received. Previously, the server would set the flag once at SSL3_ST_SR_CERT_VRFY and again at SSL3_ST_SR_FINISHED. This would allow a second CCS to arrive and would corrupt the server state. (Because the first CCS would latch the correct keys and subsequent CCS messages would have to be encrypted, a MitM attacker cannot exploit this, though.) Thanks to Joeri de Ruiter for reporting this issue. Reviewed-by: Matt Caswell (cherry picked from commit e94a6c0ede623960728415b68650a595e48f5a43) --- ssl/dtls1.h | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'ssl/dtls1.h') diff --git a/ssl/dtls1.h b/ssl/dtls1.h index 5cb79f1dac..af86f60fb5 100644 --- a/ssl/dtls1.h +++ b/ssl/dtls1.h @@ -256,6 +256,10 @@ typedef struct dtls1_state_st unsigned int handshake_fragment_len; unsigned int retransmitting; + /* + * Set when the handshake is ready to process peer's ChangeCipherSpec message. + * Cleared after the message has been processed. + */ unsigned int change_cipher_spec_ok; #ifndef OPENSSL_NO_SCTP -- cgit v1.2.3
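Review bot: the new comment on change_cipher_spec_ok documents a contract ("Cleared after the message has been processed") that nothing in this hunk enforces, and the diff is limited to ssl/dtls1.h, so the header change should land together with the state-machine change that actually resets the flag once the peer's ChangeCipherSpec is consumed; naming that site in the comment (e.g. "cleared by the CCS handler in the DTLS server/client state machine") would keep a reader of the header from assuming the field is self-resetting. The TLS counterpart SSL3_FLAGS_CCS_OK, which the commit message says has the same set-twice problem at SSL3_ST_SR_CERT_VRFY and SSL3_ST_SR_FINISHED, gets no equivalent documentation in this patch; a parallel comment on that flag would make both code paths easier to audit against a duplicated CCS. Minor style: "process peer's ChangeCipherSpec message" reads better as "process the peer's ChangeCipherSpec message".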