From: Dr. Stephen Henson Date: Fri, 16 May 2014 11:49:48 +0000 (+0100) Subject: Fix for CVE-2014-0224 X-Git-Tag: OpenSSL_1_0_1h~5 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=bc8923b1ec9c467755cd86f7848c50ee8812e441;p=oweals%2Fopenssl.git Fix for CVE-2014-0224 Only accept change cipher spec when it is expected instead of at any time. This prevents premature setting of session keys before the master secret is determined which an attacker could use as a MITM attack. Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue and providing the initial fix this patch is based on. --- diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index a6b3c01afa..c99a4c495e 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -559,6 +559,7 @@ int ssl3_connect(SSL *s) case SSL3_ST_CR_FINISHED_A: case SSL3_ST_CR_FINISHED_B: + s->s3->flags |= SSL3_FLAGS_CCS_OK; ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, SSL3_ST_CR_FINISHED_B); if (ret <= 0) goto end; @@ -915,6 +916,7 @@ int ssl3_get_server_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); goto f_err; } + s->s3->flags |= SSL3_FLAGS_CCS_OK; s->hit=1; } else /* a miss or crap from the other end */ diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index 6bc8bf9c8b..98c36e6b36 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -1316,6 +1316,15 @@ start: goto f_err; } + if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) + { + al=SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY); + goto f_err; + } + + s->s3->flags &= ~SSL3_FLAGS_CCS_OK; + rr->length=0; if (s->msg_callback) diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 5ac4119b9d..503bed3fe0 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -673,6 +673,7 @@ int ssl3_accept(SSL *s) case SSL3_ST_SR_CERT_VRFY_A: case SSL3_ST_SR_CERT_VRFY_B: + s->s3->flags |= SSL3_FLAGS_CCS_OK; /* we should decide if we expected this one */ ret=ssl3_get_cert_verify(s); if (ret <= 0) goto end; @@ -700,6 +701,7 @@ int ssl3_accept(SSL *s) case SSL3_ST_SR_FINISHED_A: case SSL3_ST_SR_FINISHED_B: + s->s3->flags |= SSL3_FLAGS_CCS_OK; ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, SSL3_ST_SR_FINISHED_B); if (ret <= 0) goto end; @@ -770,7 +772,10 @@ int ssl3_accept(SSL *s) s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; #else if (s->s3->next_proto_neg_seen) + { + s->s3->flags |= SSL3_FLAGS_CCS_OK; s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A; + } else s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; #endif diff --git a/ssl/ssl3.h b/ssl/ssl3.h index cb8b2492ec..37f19e3ab5 100644 --- a/ssl/ssl3.h +++ b/ssl/ssl3.h @@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020 +#define SSL3_FLAGS_CCS_OK 0x0080 /* SSL3_FLAGS_SGC_RESTART_DONE is set when we * restart a handshake because of MS SGC and so prevents us