From: David Benjamin Date: Sun, 6 Mar 2016 03:50:44 +0000 (-0500) Subject: Tighten up logic around ChangeCipherSpec. X-Git-Tag: OpenSSL_1_1_0-pre6~755 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=1257adecd4afba978806b77bd5d45f32715d97d3;p=oweals%2Fopenssl.git Tighten up logic around ChangeCipherSpec. ChangeCipherSpec messages have a defined value. They also may not occur in the middle of a handshake message. The current logic will accept a ChangeCipherSpec with value 2. It also would accept up to three bytes of handshake data before the ChangeCipherSpec which it would discard (because s->init_num gets reset). Instead, require that s->init_num is 0 when a ChangeCipherSpec comes in. RT#4391 Reviewed-by: Andy Polyakov Reviewed-by: Matt Caswell --- diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 6ceb9ec39e..eb3e591080 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -354,6 +354,16 @@ int tls_get_message_header(SSL *s, int *mt) return 0; } if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) { + /* + * A ChangeCipherSpec must be a single byte and may not occur + * in the middle of a handshake message. + */ + if (s->init_num != 0 || i != 1 || p[0] != SSL3_MT_CCS) { + al = SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_TLS_GET_MESSAGE_HEADER, + SSL_R_BAD_CHANGE_CIPHER_SPEC); + goto f_err; + } s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC; s->init_num = i - 1; s->s3->tmp.message_size = i;