Fix for CVE-2014-0224
authorDr. Stephen Henson <steve@openssl.org>
Fri, 16 May 2014 11:49:48 +0000 (12:49 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Thu, 5 Jun 2014 12:22:42 +0000 (13:22 +0100)
Only accept a ChangeCipherSpec when it is expected, instead of at any
time. This prevents premature setting of session keys before the master
secret is determined, which an attacker could exploit as a man-in-the-middle.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
and providing the initial fix this patch is based on.
(cherry picked from commit bc8923b1ec9c467755cd86f7848c50ee8812e441)

ssl/s3_clnt.c
ssl/s3_pkt.c
ssl/s3_srvr.c
ssl/ssl3.h

index 5fc90690068c068402c1a03fc53ac50704f7a7ce..34efff8c73904b977d2d9b3090dafa51f2f99d28 100644 (file)
@@ -599,6 +599,7 @@ int ssl3_connect(SSL *s)
                case SSL3_ST_CR_FINISHED_A:
                case SSL3_ST_CR_FINISHED_B:
 
+                       s->s3->flags |= SSL3_FLAGS_CCS_OK;
                        ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
                                SSL3_ST_CR_FINISHED_B);
                        if (ret <= 0) goto end;
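Review bot: The grant `s->s3->flags |= SSL3_FLAGS_CCS_OK;` placed just before ssl3_get_finished is, on a full client handshake, the only point where the server's ChangeCipherSpec becomes legitimate, and nothing in the hunk says so; anyone later reordering or adding states around SSL3_ST_CR_FINISHED_A needs that rule spelled out. I'd put `/* The server's CCS must immediately precede its Finished; allow it only from here */` above the assignment. The ssl3_connect switch starts and ends outside the hunk, so I cannot see from here whether any other client state that reads records (session ticket, NPN) relies on this grant too; if one does, it should carry its own comment rather than depend on this one implicitly.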
@@ -1051,6 +1052,7 @@ int ssl3_get_server_hello(SSL *s)
                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
                goto f_err;
                }
+           s->s3->flags |= SSL3_FLAGS_CCS_OK;
            s->hit=1;
            }
        else    /* a miss or crap from the other end */
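Review bot: The `s->s3->flags |= SSL3_FLAGS_CCS_OK;` added on the resumption branch (next to `s->hit=1`) opens the ChangeCipherSpec window from the ServerHello onward, including before any NewSessionTicket the server may still send, and the hunk does not record why that earlier window is acceptable. As far as I can tell it is acceptable only because on a resumed session the master secret is taken from the stored session rather than derived later in the handshake, so a CCS here cannot key the connection from an empty secret; I'd state that: `/* Resumption: master secret comes from the session, so the server's CCS may follow ServerHello */`. If SSL3_ST_CR_FINISHED_A already grants the flag before reading the server's Finished (outside this hunk), this grant is belt-and-braces rather than required — confirm that is the intent so the two are not silently relied on together.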
index 34eb2b442331f7cdee5d1fa17f3567bcfb380623..fb9720f41d5c6e2c29a1ba873208d058c03551f2 100644 (file)
@@ -1593,6 +1593,15 @@ start:
                        goto f_err;
                        }
 
+               if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
+                       {
+                       al=SSL_AD_UNEXPECTED_MESSAGE;
+                       SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
+                       goto f_err;
+                       }
+
+               s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
+
                rr->length=0;
 
                if (s->msg_callback)
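Review bot: The gate `if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))` is added only in ssl3_read_bytes; the DTLS record reader (dtls1_read_bytes in ssl/d1_pkt.c) has its own ChangeCipherSpec branch and is not among the four files this commit touches, so unless a separate commit covers it the same premature-CCS path presumably remains open for DTLS. I'd also add defence in depth at the point where the keys are actually switched, so that any future state that forgets the grant can never key the connection from an empty master secret: in ssl3_do_change_cipher_spec (called further down this branch, outside the hunk) something like `if (s->session->master_key_length == 0) return 0;` preceded by an SSLerr with a suitable reason code, assuming SSL_SESSION still carries master_key_length in this version. Clearing the bit at `s->s3->flags &= ~SSL3_FLAGS_CCS_OK;` as soon as one CCS is consumed is right — it makes a second CCS in the same flight fatal — and deserves a one-line comment saying exactly that.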
index 72fd3e40d6653abe7e9a35e73dae9930937bab58..31bfe478b876521db35027883444791f35869f1f 100644 (file)
@@ -708,6 +708,7 @@ int ssl3_accept(SSL *s)
                case SSL3_ST_SR_CERT_VRFY_A:
                case SSL3_ST_SR_CERT_VRFY_B:
 
+                       s->s3->flags |= SSL3_FLAGS_CCS_OK;
                        /* we should decide if we expected this one */
                        ret=ssl3_get_cert_verify(s);
                        if (ret <= 0) goto end;
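Review bot: Granting `SSL3_FLAGS_CCS_OK` before ssl3_get_cert_verify accepts the client's ChangeCipherSpec one message earlier than the protocol order whenever a CertificateVerify is still outstanding, and the hunk gives no reason for the grant sitting here rather than with Finished. The reason, as far as I can see, is that ssl3_get_cert_verify is the read that first meets the client's CCS when no CertificateVerify is coming (no client certificate, or a key type that sends none), so the flag has to be set before that read; a comment such as `/* No CertificateVerify may follow; the next record can legitimately be the client's CCS */` would stop someone "tightening" this later and breaking that path. By this state the master secret has presumably already been established in the preceding key-exchange state, so the early window does not reopen the CVE, but that is outside the hunk and worth confirming. The ssl3_accept switch extends past the hunk on both sides.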
@@ -735,6 +736,7 @@ int ssl3_accept(SSL *s)
 
                case SSL3_ST_SR_FINISHED_A:
                case SSL3_ST_SR_FINISHED_B:
+                       s->s3->flags |= SSL3_FLAGS_CCS_OK;
                        ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
                                SSL3_ST_SR_FINISHED_B);
                        if (ret <= 0) goto end;
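Review bot: The `s->s3->flags |= SSL3_FLAGS_CCS_OK;` before ssl3_get_finished duplicates the grant already made in SSL3_ST_SR_CERT_VRFY_A on a full handshake, and without a comment it is not obvious that it exists for the path where the server reaches this state directly (apparently the resumption path, where no CertificateVerify state is visited). I'd add `/* Reached directly on resumption: the client's CCS precedes its Finished */` so the duplication is understood as deliberate rather than removed as redundant. The enclosing switch continues outside the hunk.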
@@ -805,7 +807,10 @@ int ssl3_accept(SSL *s)
                                s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
 #else
                                if (s->s3->next_proto_neg_seen)
+                                       {
+                                       s->s3->flags |= SSL3_FLAGS_CCS_OK;
                                        s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A;
+                                       }
                                else
                                        s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
 #endif
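Review bot: Only the NPN arm of the `#else` block sets `SSL3_FLAGS_CCS_OK`, while the `else` arm and the `#if` arm leave the grant to the SSL3_ST_SR_FINISHED_A state; that asymmetry reads like an omission unless explained. I'd add `/* The client's CCS precedes NextProtocol, which SR_NEXT_PROTO_A reads; SR_FINISHED_A grants CCS itself */` above the new assignment. As a matter of style, bracing the single-statement `else` arm as well would make the deliberate difference between the two arms visible at a glance. The enclosing state case begins before the hunk.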
index 8bd201e08baa7704ea80b0c1894318b008a930ba..82dd76cb6fc3d3840ecf6a41cf35c69f2d4a0625 100644 (file)
@@ -428,6 +428,7 @@ typedef struct ssl3_buffer_st
 #define TLS1_FLAGS_TLS_PADDING_BUG             0x0008
 #define TLS1_FLAGS_SKIP_CERT_VERIFY            0x0010
 #define TLS1_FLAGS_KEEP_HANDSHAKE              0x0020
+#define SSL3_FLAGS_CCS_OK                      0x0080
  
 /* SSL3_FLAGS_SGC_RESTART_DONE is set when we
  * restart a handshake because of MS SGC and so prevents us
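Review bot: `SSL3_FLAGS_CCS_OK` is added to an installed header among application-visible flag bits with no comment, and its value skips 0x0040, which a reader will take for a mistake unless told that SSL3_FLAGS_SGC_RESTART_DONE, defined just below, presumably occupies that bit. I'd put `/* Internal: a ChangeCipherSpec is currently legitimate. Set by the handshake state machine, cleared when one is consumed; not an application-settable option. */` above the define. Given the bit is pure connection state, consider whether it belongs in ssl3_state_st as a private field rather than in the public flags word; that is a cleanliness point, not a correctness one.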