Ensure that we do not process a ChangeCipherSpec with an empty master

secret. This is an additional safeguard against early ChangeCipherSpec handling. From OpenSSL. ok deraadt@
author: jsing <> 2014-06-05 15:51:06 +0000
committer: jsing <> 2014-06-05 15:51:06 +0000
commit: 5a5a7de256385ee0fc587b8576ed7c35eb9ad584 (patch)
tree: 2320930b10f493218bdb556b6d4da1184690b4f7
parent: a1aa52709d3c53d1664e282da9d9833869ffcf47 (diff)
download: openbsd-5a5a7de256385ee0fc587b8576ed7c35eb9ad584.tar.gz
openbsd-5a5a7de256385ee0fc587b8576ed7c35eb9ad584.tar.bz2
openbsd-5a5a7de256385ee0fc587b8576ed7c35eb9ad584.zip
2 files changed, 2 insertions, 2 deletions
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index 58d8221fe4..942ab37b95 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -1337,7 +1337,7 @@ ssl3_do_change_cipher_spec(SSL *s)
                i = SSL3_CHANGE_CIPHER_CLIENT_READ;
        if (s->s3->tmp.key_block == NULL) {
-                if (s->session == NULL) {
+                if (s->session == NULL || s->session->master_key_length == 0) {
                        /* might happen if dtls1_read_bytes() calls this */
                        SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,
                            SSL_R_CCS_RECEIVED_EARLY);
diff --git a/src/lib/libssl/src/ssl/s3_pkt.c b/src/lib/libssl/src/ssl/s3_pkt.c
index 58d8221fe4..942ab37b95 100644
--- a/src/lib/libssl/src/ssl/s3_pkt.c
+++ b/src/lib/libssl/src/ssl/s3_pkt.c
@@ -1337,7 +1337,7 @@ ssl3_do_change_cipher_spec(SSL *s)
                i = SSL3_CHANGE_CIPHER_CLIENT_READ;
        if (s->s3->tmp.key_block == NULL) {
-                if (s->session == NULL) {
+                if (s->session == NULL || s->session->master_key_length == 0) {
                        /* might happen if dtls1_read_bytes() calls this */
                        SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,
                            SSL_R_CCS_RECEIVED_EARLY);
author	jsing <>	2014-06-05 15:51:06 +0000
committer	jsing <>	2014-06-05 15:51:06 +0000
commit	5a5a7de256385ee0fc587b8576ed7c35eb9ad584 (patch)
tree	2320930b10f493218bdb556b6d4da1184690b4f7
parent	a1aa52709d3c53d1664e282da9d9833869ffcf47 (diff)
download	openbsd-5a5a7de256385ee0fc587b8576ed7c35eb9ad584.tar.gz openbsd-5a5a7de256385ee0fc587b8576ed7c35eb9ad584.tar.bz2 openbsd-5a5a7de256385ee0fc587b8576ed7c35eb9ad584.zip

diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c index 58d8221fe4..942ab37b95 100644 --- a/src/lib/libssl/s3_pkt.c +++ b/src/lib/libssl/s3_pkt.c
@@ -1337,7 +1337,7 @@ ssl3_do_change_cipher_spec(SSL *s)
1337	i = SSL3_CHANGE_CIPHER_CLIENT_READ;	1337	i = SSL3_CHANGE_CIPHER_CLIENT_READ;
1338		1338
1339	if (s->s3->tmp.key_block == NULL) {	1339	if (s->s3->tmp.key_block == NULL) {
1340	if (s->session == NULL) {	1340	if (s->session == NULL \|\| s->session->master_key_length == 0) {
1341	/* might happen if dtls1_read_bytes() calls this */	1341	/* might happen if dtls1_read_bytes() calls this */
1342	SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,	1342	SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,
1343	SSL_R_CCS_RECEIVED_EARLY);	1343	SSL_R_CCS_RECEIVED_EARLY);


diff --git a/src/lib/libssl/src/ssl/s3_pkt.c b/src/lib/libssl/src/ssl/s3_pkt.c index 58d8221fe4..942ab37b95 100644 --- a/src/lib/libssl/src/ssl/s3_pkt.c +++ b/src/lib/libssl/src/ssl/s3_pkt.c
@@ -1337,7 +1337,7 @@ ssl3_do_change_cipher_spec(SSL *s)
1337	i = SSL3_CHANGE_CIPHER_CLIENT_READ;	1337	i = SSL3_CHANGE_CIPHER_CLIENT_READ;
1338		1338
1339	if (s->s3->tmp.key_block == NULL) {	1339	if (s->s3->tmp.key_block == NULL) {
1340	if (s->session == NULL) {	1340	if (s->session == NULL \|\| s->session->master_key_length == 0) {
1341	/* might happen if dtls1_read_bytes() calls this */	1341	/* might happen if dtls1_read_bytes() calls this */
1342	SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,	1342	SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,
1343	SSL_R_CCS_RECEIVED_EARLY);	1343	SSL_R_CCS_RECEIVED_EARLY);