Fix for CVE-2014-0224
Only accept change cipher spec when it is expected instead of at any
time. This prevents premature setting of session keys before the master
secret is determined, which an attacker could exploit in a MITM attack.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
and providing the initial fix this patch is based on.
(cherry picked from commit bc8923b1ec9c467755cd86f7848c50ee8812e441)

Conflicts:
	ssl/s3_srvr.c

Change-Id: I259216c5859b8c3a21bf9cf345d465a7ec905ce7
snhenson authored and invisiblek committed Jun 6, 2014
1 parent f12d924 commit f672e21
Showing 5 changed files with 15 additions and 0 deletions.
1 change: 1 addition & 0 deletions include/openssl/ssl3.h
@@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st
#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
#define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020
#define SSL3_FLAGS_CCS_OK 0x0080

/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
* restart a handshake because of MS SGC and so prevents us
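Review bot: `SSL3_FLAGS_CCS_OK` is added with no comment, although it now gates a security decision and the neighbouring SSL3_FLAGS_SGC_RESTART_DONE gets a full block comment. A line above the define such as `/* Set by the handshake code where a ChangeCipherSpec may be accepted; cleared by ssl3_read_bytes() once one is consumed. */` would record the contract. The value 0x0080 skips 0x0040; presumably that bit belongs to a flag defined outside this hunk, and saying so in the comment would stop the gap being reused by mistake. The same applies to the identical hunk in ssl/ssl3.h.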
2 changes: 2 additions & 0 deletions ssl/s3_clnt.c
Expand Up @@ -607,6 +607,7 @@ int ssl3_connect(SSL *s)
case SSL3_ST_CR_FINISHED_A:
case SSL3_ST_CR_FINISHED_B:

s->s3->flags |= SSL3_FLAGS_CCS_OK;
ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
SSL3_ST_CR_FINISHED_B);
if (ret <= 0) goto end;
@@ -988,6 +989,7 @@ int ssl3_get_server_hello(SSL *s)
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
goto f_err;
}
s->s3->flags |= SSL3_FLAGS_CCS_OK;
s->hit=1;
}
else /* a miss or crap from the other end */
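Review bot: In ssl3_get_server_hello() the flag is armed inside the session-reuse branch, just before `s->hit=1`, with no comment, and nothing in the hunk says why a ServerHello handler should enable ChangeCipherSpec acceptance. Presumably it is because on a resumed session the server's ChangeCipherSpec is the next thing expected; if so, a comment like `/* resumed session: the server's CCS is expected next */` on that line would make the intent checkable. The SSL3_ST_CR_FINISHED_A hunk in ssl3_connect() could carry a matching one-liner for the full-handshake case. Both functions extend beyond their hunks, so this is based on the visible lines only.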
9 changes: 9 additions & 0 deletions ssl/s3_pkt.c
@@ -1297,6 +1297,15 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
goto f_err;
}

if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
{
al=SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
goto f_err;
}

s->s3->flags &= ~SSL3_FLAGS_CCS_OK;

rr->length=0;

if (s->msg_callback)
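Review bot: The new gate in ssl3_read_bytes() accepts a ChangeCipherSpec on SSL3_FLAGS_CCS_OK alone, so the guarantee in the commit message (no session keys before the master secret is determined) holds only while every place that sets the flag is reached after the secret exists. A direct check next to it would pin that invariant regardless of later state-machine edits, for example `if (s->session == NULL || s->session->master_key_length == 0)` taking the same SSL_R_CCS_RECEIVED_EARLY error path. A short comment above `s->s3->flags &= ~SSL3_FLAGS_CCS_OK;` saying that clearing the flag here is what rejects a repeated ChangeCipherSpec would also help. The function starts and ends outside this hunk, and the DTLS read path is not among the files changed, so whether it needs the same gate cannot be judged from this page.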
2 changes: 2 additions & 0 deletions ssl/s3_srvr.c
@@ -669,6 +669,7 @@ int ssl3_accept(SSL *s)
case SSL3_ST_SR_CERT_VRFY_A:
case SSL3_ST_SR_CERT_VRFY_B:

s->s3->flags |= SSL3_FLAGS_CCS_OK;
/* we should decide if we expected this one */
ret=ssl3_get_cert_verify(s);
if (ret <= 0) goto end;
@@ -721,6 +722,7 @@ int ssl3_accept(SSL *s)

case SSL3_ST_SR_FINISHED_A:
case SSL3_ST_SR_FINISHED_B:
s->s3->flags |= SSL3_FLAGS_CCS_OK;
ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
SSL3_ST_SR_FINISHED_B);
if (ret <= 0) goto end;
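Review bot: The SSL3_ST_SR_FINISHED_A hunk sets SSL3_FLAGS_CCS_OK unconditionally, even though the SSL3_ST_SR_CERT_VRFY_A hunk above it has already armed the flag. If the client's ChangeCipherSpec is consumed while ssl3_get_cert_verify() is reading (likely when no CertificateVerify is sent), ssl3_read_bytes() clears the flag and this line arms it again, so a second ChangeCipherSpec would pass the new check and the flag could stay set after the handshake. Guarding both sets with the per-connection indicator, `if (!s->s3->change_cipher_spec) s->s3->flags |= SSL3_FLAGS_CCS_OK;`, would limit acceptance to one ChangeCipherSpec per handshake; this assumes change_cipher_spec is still set at that point, which is not visible here. ssl3_accept() extends well beyond both hunks.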
1 change: 1 addition & 0 deletions ssl/ssl3.h
@@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st
#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
#define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020
#define SSL3_FLAGS_CCS_OK 0x0080

/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
* restart a handshake because of MS SGC and so prevents us

2 comments on commit f672e21

@sudosurootdev

If you have fixed all the CVE issues listed at http://www.openssl.org/news/secadv_20140605.txt, up to CVE-2014-0224, then the version should be openssl-1.0.1h.

@sudosurootdev

Do not worry about it unless you have already started, because I am about to start updating external/openssl and the external/chromium_org/thirdparty/external/openssl so that both are up to openssl-1.0.1h and I will push to CyanogenMod as well as Vanir since this is a security update.
