diff options
| author | jsing <> | 2014-06-05 15:46:24 +0000 |
|---|---|---|
| committer | jsing <> | 2014-06-05 15:46:24 +0000 |
| commit | a1aa52709d3c53d1664e282da9d9833869ffcf47 (patch) | |
| tree | 645cbc9565ca3ee2061f628e95849ce560cf786f /src/lib/libssl/s3_srvr.c | |
| parent | d874ba6e9641314de878a6d18eaefe826cbe532b (diff) | |
| download | openbsd-a1aa52709d3c53d1664e282da9d9833869ffcf47.tar.gz openbsd-a1aa52709d3c53d1664e282da9d9833869ffcf47.tar.bz2 openbsd-a1aa52709d3c53d1664e282da9d9833869ffcf47.zip | |
Be selective as to when ChangeCipherSpec messages will be accepted.
Without this an early ChangeCipherSpec message would result in session
keys being generated, along with the Finished hash for the handshake,
using an empty master secret.
For a detailed analysis see:
https://www.imperialviolet.org/2014/06/05/earlyccs.html
This is a fix for CVE-2014-0224, from OpenSSL.
This issue was reported to OpenSSL by KIKUCHI Masashi. Unfortunately the
recent OpenSSL commit was the first we were made aware of the issue.
ok deraadt@ sthen@
Diffstat (limited to 'src/lib/libssl/s3_srvr.c')
| -rw-r--r-- | src/lib/libssl/s3_srvr.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 948569a156..552f8290b5 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c | |||
| @@ -635,6 +635,7 @@ ssl3_accept(SSL *s) | |||
| 635 | 635 | ||
| 636 | case SSL3_ST_SR_CERT_VRFY_A: | 636 | case SSL3_ST_SR_CERT_VRFY_A: |
| 637 | case SSL3_ST_SR_CERT_VRFY_B: | 637 | case SSL3_ST_SR_CERT_VRFY_B: |
| 638 | s->s3->flags |= SSL3_FLAGS_CCS_OK; | ||
| 638 | 639 | ||
| 639 | /* we should decide if we expected this one */ | 640 | /* we should decide if we expected this one */ |
| 640 | ret = ssl3_get_cert_verify(s); | 641 | ret = ssl3_get_cert_verify(s); |
| @@ -665,6 +666,7 @@ ssl3_accept(SSL *s) | |||
| 665 | 666 | ||
| 666 | case SSL3_ST_SR_FINISHED_A: | 667 | case SSL3_ST_SR_FINISHED_A: |
| 667 | case SSL3_ST_SR_FINISHED_B: | 668 | case SSL3_ST_SR_FINISHED_B: |
| 669 | s->s3->flags |= SSL3_FLAGS_CCS_OK; | ||
| 668 | ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A, | 670 | ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A, |
| 669 | SSL3_ST_SR_FINISHED_B); | 671 | SSL3_ST_SR_FINISHED_B); |
| 670 | if (ret <= 0) | 672 | if (ret <= 0) |
| @@ -735,10 +737,11 @@ ssl3_accept(SSL *s) | |||
| 735 | #ifdef OPENSSL_NO_NEXTPROTONEG | 737 | #ifdef OPENSSL_NO_NEXTPROTONEG |
| 736 | s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A; | 738 | s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A; |
| 737 | #else | 739 | #else |
| 738 | if (s->s3->next_proto_neg_seen) | 740 | if (s->s3->next_proto_neg_seen) { |
| 741 | s->s3->flags |= SSL3_FLAGS_CCS_OK; | ||
| 739 | s->s3->tmp.next_state = | 742 | s->s3->tmp.next_state = |
| 740 | SSL3_ST_SR_NEXT_PROTO_A; | 743 | SSL3_ST_SR_NEXT_PROTO_A; |
| 741 | else | 744 | } else |
| 742 | s->s3->tmp.next_state = | 745 | s->s3->tmp.next_state = |
| 743 | SSL3_ST_SR_FINISHED_A; | 746 | SSL3_ST_SR_FINISHED_A; |
| 744 | #endif | 747 | #endif |