Ensure that we do not process a ChangeCipherSpec with an empty master

secret. This is an additional safeguard against early ChangeCipherSpec handling. From OpenSSL. ok deraadt@
author: jsing <> 2014-06-05 15:51:06 +0000
committer: jsing <> 2014-06-05 15:51:06 +0000
commit: bcda896309b794c3373608e890f68c962197c4a3 (patch)
tree: 2320930b10f493218bdb556b6d4da1184690b4f7 /src
parent: 936e992c50e8d5647745246accae318ebfd549d1 (diff)
download: openbsd-bcda896309b794c3373608e890f68c962197c4a3.tar.gz
openbsd-bcda896309b794c3373608e890f68c962197c4a3.tar.bz2
openbsd-bcda896309b794c3373608e890f68c962197c4a3.zip
2 files changed, 2 insertions, 2 deletions
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index 58d8221fe4..942ab37b95 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -1337,7 +1337,7 @@ ssl3_do_change_cipher_spec(SSL *s)
                i = SSL3_CHANGE_CIPHER_CLIENT_READ;
        if (s->s3->tmp.key_block == NULL) {
-                if (s->session == NULL) {
+                if (s->session == NULL || s->session->master_key_length == 0) {
                        /* might happen if dtls1_read_bytes() calls this */
                        SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,
                            SSL_R_CCS_RECEIVED_EARLY);
diff --git a/src/lib/libssl/src/ssl/s3_pkt.c b/src/lib/libssl/src/ssl/s3_pkt.c
index 58d8221fe4..942ab37b95 100644
--- a/src/lib/libssl/src/ssl/s3_pkt.c
+++ b/src/lib/libssl/src/ssl/s3_pkt.c
@@ -1337,7 +1337,7 @@ ssl3_do_change_cipher_spec(SSL *s)
                i = SSL3_CHANGE_CIPHER_CLIENT_READ;
        if (s->s3->tmp.key_block == NULL) {
-                if (s->session == NULL) {
+                if (s->session == NULL || s->session->master_key_length == 0) {
                        /* might happen if dtls1_read_bytes() calls this */
                        SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,
                            SSL_R_CCS_RECEIVED_EARLY);
author	jsing <>	2014-06-05 15:51:06 +0000
committer	jsing <>	2014-06-05 15:51:06 +0000
commit	bcda896309b794c3373608e890f68c962197c4a3 (patch)
tree	2320930b10f493218bdb556b6d4da1184690b4f7 /src
parent	936e992c50e8d5647745246accae318ebfd549d1 (diff)
download	openbsd-bcda896309b794c3373608e890f68c962197c4a3.tar.gz openbsd-bcda896309b794c3373608e890f68c962197c4a3.tar.bz2 openbsd-bcda896309b794c3373608e890f68c962197c4a3.zip

diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c index 58d8221fe4..942ab37b95 100644 --- a/src/lib/libssl/s3_pkt.c +++ b/src/lib/libssl/s3_pkt.c
@@ -1337,7 +1337,7 @@ ssl3_do_change_cipher_spec(SSL *s)
1337	i = SSL3_CHANGE_CIPHER_CLIENT_READ;	1337	i = SSL3_CHANGE_CIPHER_CLIENT_READ;
1338		1338
1339	if (s->s3->tmp.key_block == NULL) {	1339	if (s->s3->tmp.key_block == NULL) {
1340	if (s->session == NULL) {	1340	if (s->session == NULL \|\| s->session->master_key_length == 0) {
1341	/* might happen if dtls1_read_bytes() calls this */	1341	/* might happen if dtls1_read_bytes() calls this */
1342	SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,	1342	SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,
1343	SSL_R_CCS_RECEIVED_EARLY);	1343	SSL_R_CCS_RECEIVED_EARLY);


diff --git a/src/lib/libssl/src/ssl/s3_pkt.c b/src/lib/libssl/src/ssl/s3_pkt.c index 58d8221fe4..942ab37b95 100644 --- a/src/lib/libssl/src/ssl/s3_pkt.c +++ b/src/lib/libssl/src/ssl/s3_pkt.c
@@ -1337,7 +1337,7 @@ ssl3_do_change_cipher_spec(SSL *s)
1337	i = SSL3_CHANGE_CIPHER_CLIENT_READ;	1337	i = SSL3_CHANGE_CIPHER_CLIENT_READ;
1338		1338
1339	if (s->s3->tmp.key_block == NULL) {	1339	if (s->s3->tmp.key_block == NULL) {
1340	if (s->session == NULL) {	1340	if (s->session == NULL \|\| s->session->master_key_length == 0) {
1341	/* might happen if dtls1_read_bytes() calls this */	1341	/* might happen if dtls1_read_bytes() calls this */
1342	SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,	1342	SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,
1343	SSL_R_CCS_RECEIVED_EARLY);	1343	SSL_R_CCS_RECEIVED_EARLY);