Fix DH error-handling in tls_process_key_exchange.

[oweals/openssl.git] / ssl / statem / statem_lib.c

diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 6ceb9ec39ead7278ddf2a8b0706d5977ae9bc458..aab4e76aa86353bf665eef7f3e0c56473274f760 100644 (file)
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -19,7 +19,6 @@
 #include "../ssl_locl.h"
 #include "statem_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
@@ -354,6 +353,16 @@ int tls_get_message_header(SSL *s, int *mt)
                 return 0;
             }
             if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
+                /*
+                * A ChangeCipherSpec must be a single byte and may not occur
+                * in the middle of a handshake message.
+                */
+                if (s->init_num != 0 || i != 1 || p[0] != SSL3_MT_CCS) {
+                    al = SSL_AD_UNEXPECTED_MESSAGE;
+                    SSLerr(SSL_F_TLS_GET_MESSAGE_HEADER,
+                           SSL_R_BAD_CHANGE_CIPHER_SPEC);
+                    goto f_err;
+                }
                 s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
                 s->init_num = i - 1;
                 s->s3->tmp.message_size = i;
@@ -965,7 +974,7 @@ int ssl_choose_client_version(SSL *s, int version)
  * or FIPS_mode() constraints and any floor imposed by the security level here,
  * so we don't advertise the wrong protocol version to only reject the outcome later.
  *
- * Computing the right floor matters.  If, e.g.,  TLS 1.0 and 1.2 are enabled,
+ * Computing the right floor matters.  If, e.g., TLS 1.0 and 1.2 are enabled,
  * TLS 1.1 is disabled, but the security level, Suite-B  and/or MinProtocol
  * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
  *