Be selective as to when ChangeCipherSpec messages will be accepted.

Without this an early ChangeCipherSpec message would result in session
keys being generated, along with the Finished hash for the handshake,
using an empty master secret.

For a detailed analysis see:

  https://www.imperialviolet.org/2014/06/05/earlyccs.html

This is a fix for CVE-2014-0224, from OpenSSL.

This issue was reported to OpenSSL by KIKUCHI Masashi. Unfortunately the
recent OpenSSL commit was the first we were made aware of the issue.

ok deraadt@ sthen@

1 files changed, 8 insertions, 0 deletions

diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index f8f31f2a4a..58d8221fe4 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -1209,6 +1209,14 @@ start:
                         goto f_err;
                 }
 
+                /* Check that we should be receiving a Change Cipher Spec. */
+                if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) {
+                        al = SSL_AD_UNEXPECTED_MESSAGE;
+                        SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_CCS_RECEIVED_EARLY);
+                        goto f_err;
+                }
+                s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
+
                 rr->length = 0;
 
                 if (s->msg_callback) {