Fix for CVE-2014-0224

Only accept change cipher spec when it is expected instead of at any time. This prevents premature setting of session keys before the master secret is determined which an attacker could use as a MITM attack. Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue and providing the initial fix this patch is based on.
author: Dr. Stephen Henson <steve@openssl.org> 2014-05-16 12:49:48 +0100
committer: Dr. Stephen Henson <steve@openssl.org> 2014-06-03 16:30:37 +0100
commit: c97e457d53441c6cb377cdda08905203db8afa0f (patch)
tree: 8469c4c693b1adb08379151ac33948112dbafb24
parent: f4e6ed09e48348f4766eb9f03727326ce6c0b1a3 (diff)
download: openssl-c97e457d53441c6cb377cdda08905203db8afa0f.zip
openssl-c97e457d53441c6cb377cdda08905203db8afa0f.tar.gz
openssl-c97e457d53441c6cb377cdda08905203db8afa0f.tar.bz2
4 files changed, 14 insertions, 0 deletions
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index f1f9c21..450d559 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -516,6 +516,7 @@ int ssl3_connect(SSL *s)
 		case SSL3_ST_CR_FINISHED_A:
 		case SSL3_ST_CR_FINISHED_B:
 
+			s->s3->flags |= SSL3_FLAGS_CCS_OK;
 			ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
 				SSL3_ST_CR_FINISHED_B);
 			if (ret <= 0) goto end;
@@ -829,6 +830,7 @@ int ssl3_get_server_hello(SSL *s)
 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
 		goto f_err;
 		}
+	    s->s3->flags |= SSL3_FLAGS_CCS_OK;
 	    s->hit=1;
 	    }
 	else	/* a miss or crap from the other end */
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 988bfe5..8950e90 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -1258,6 +1258,15 @@ start:
 			goto f_err;
 			}
 
+		if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
+			{
+			al=SSL_AD_UNEXPECTED_MESSAGE;
+			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
+			goto f_err;
+			}
+
+		s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
+
 		rr->length=0;
 
 		if (s->msg_callback)
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index b4ec010..9c29cdf 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -578,6 +578,7 @@ int ssl3_accept(SSL *s)
 		case SSL3_ST_SR_CERT_VRFY_A:
 		case SSL3_ST_SR_CERT_VRFY_B:
 
+			s->s3->flags |= SSL3_FLAGS_CCS_OK;
 			/* we should decide if we expected this one */
 			ret=ssl3_get_cert_verify(s);
 			if (ret <= 0) goto end;
@@ -588,6 +589,7 @@ int ssl3_accept(SSL *s)
 
 		case SSL3_ST_SR_FINISHED_A:
 		case SSL3_ST_SR_FINISHED_B:
+			s->s3->flags |= SSL3_FLAGS_CCS_OK;
 			ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
 				SSL3_ST_SR_FINISHED_B);
 			if (ret <= 0) goto end;
diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index 7686472..9664a8b 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -379,6 +379,7 @@ typedef struct ssl3_buffer_st
 #define SSL3_FLAGS_POP_BUFFER			0x0004
 #define TLS1_FLAGS_TLS_PADDING_BUG		0x0008
 #define TLS1_FLAGS_SKIP_CERT_VERIFY		0x0010
+#define SSL3_FLAGS_CCS_OK			0x0080
  
 /* SSL3_FLAGS_SGC_RESTART_DONE is set when we
  * restart a handshake because of MS SGC and so prevents us
author	Dr. Stephen Henson <steve@openssl.org>	2014-05-16 12:49:48 +0100
committer	Dr. Stephen Henson <steve@openssl.org>	2014-06-03 16:30:37 +0100
commit	c97e457d53441c6cb377cdda08905203db8afa0f (patch)
tree	8469c4c693b1adb08379151ac33948112dbafb24
parent	f4e6ed09e48348f4766eb9f03727326ce6c0b1a3 (diff)
download	openssl-c97e457d53441c6cb377cdda08905203db8afa0f.zip openssl-c97e457d53441c6cb377cdda08905203db8afa0f.tar.gz openssl-c97e457d53441c6cb377cdda08905203db8afa0f.tar.bz2