Be selective as to when ChangeCipherSpec messages will be accepted.

Without this an early ChangeCipherSpec message would result in session keys being generated, along with the Finished hash for the handshake, using an empty master secret. For a detailed analysis see: https://www.imperialviolet.org/2014/06/05/earlyccs.html This is a fix for CVE-2014-0224, from OpenSSL. This issue was reported to OpenSSL by KIKUCHI Masashi. Unfortunately the recent OpenSSL commit was the first we were made aware of the issue. ok deraadt@ sthen@
author: jsing <> 2014-06-05 15:46:24 +0000
committer: jsing <> 2014-06-05 15:46:24 +0000
commit: a1aa52709d3c53d1664e282da9d9833869ffcf47 (patch)
tree: 645cbc9565ca3ee2061f628e95849ce560cf786f /src/lib/libssl/s3_clnt.c
parent: d874ba6e9641314de878a6d18eaefe826cbe532b (diff)
download: openbsd-a1aa52709d3c53d1664e282da9d9833869ffcf47.tar.gz
openbsd-a1aa52709d3c53d1664e282da9d9833869ffcf47.tar.bz2
openbsd-a1aa52709d3c53d1664e282da9d9833869ffcf47.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 66fb26345e..60a17ce11b 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -556,7 +556,7 @@ ssl3_connect(SSL *s)
                case SSL3_ST_CR_FINISHED_A:
                case SSL3_ST_CR_FINISHED_B:
+                        s->s3->flags |= SSL3_FLAGS_CCS_OK;
                        ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A,
                            SSL3_ST_CR_FINISHED_B);
                        if (ret <= 0)
@@ -895,6 +895,7 @@ ssl3_get_server_hello(SSL *s)
                            SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
                        goto f_err;
                }
+                s->s3->flags |= SSL3_FLAGS_CCS_OK;
                s->hit = 1;
        } else {
                /* a miss or crap from the other end */
author	jsing <>	2014-06-05 15:46:24 +0000
committer	jsing <>	2014-06-05 15:46:24 +0000
commit	a1aa52709d3c53d1664e282da9d9833869ffcf47 (patch)
tree	645cbc9565ca3ee2061f628e95849ce560cf786f /src/lib/libssl/s3_clnt.c
parent	d874ba6e9641314de878a6d18eaefe826cbe532b (diff)
download	openbsd-a1aa52709d3c53d1664e282da9d9833869ffcf47.tar.gz openbsd-a1aa52709d3c53d1664e282da9d9833869ffcf47.tar.bz2 openbsd-a1aa52709d3c53d1664e282da9d9833869ffcf47.zip

diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index 66fb26345e..60a17ce11b 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c
@@ -556,7 +556,7 @@ ssl3_connect(SSL *s)
556		556
557	case SSL3_ST_CR_FINISHED_A:	557	case SSL3_ST_CR_FINISHED_A:
558	case SSL3_ST_CR_FINISHED_B:	558	case SSL3_ST_CR_FINISHED_B:
559		559	s->s3->flags \|= SSL3_FLAGS_CCS_OK;
560	ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A,	560	ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A,
561	SSL3_ST_CR_FINISHED_B);	561	SSL3_ST_CR_FINISHED_B);
562	if (ret <= 0)	562	if (ret <= 0)
@@ -895,6 +895,7 @@ ssl3_get_server_hello(SSL *s)
895	SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);	895	SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
896	goto f_err;	896	goto f_err;
897	}	897	}
		898	s->s3->flags \|= SSL3_FLAGS_CCS_OK;
898	s->hit = 1;	899	s->hit = 1;
899	} else {	900	} else {
900	/* a miss or crap from the other end */	901	/* a miss or crap from the other end */