Commit 1257adec authored by David Benjamin's avatar David Benjamin Committed by Matt Caswell
Browse files

Tighten up logic around ChangeCipherSpec. 



ChangeCipherSpec messages have a defined value. They also may not occur
in the middle of a handshake message. The current logic will accept a
ChangeCipherSpec with value 2. It also would accept up to three bytes of
handshake data before the ChangeCipherSpec which it would discard
(because s->init_num gets reset).

Instead, require that s->init_num is 0 when a ChangeCipherSpec comes in.

RT#4391

Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
parent 46417569

ssl/statem/statem_lib.c

+10 −0
Original line number Diff line number Diff line
@@ -354,6 +354,16 @@ int tls_get_message_header(SSL *s, int *mt) 
                return 0;

            }

            if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {

                /*

		 * A ChangeCipherSpec must be a single byte and may not occur

		 * in the middle of a handshake message.

		 */

                if (s->init_num != 0 || i != 1 || p[0] != SSL3_MT_CCS) {

                    al = SSL_AD_UNEXPECTED_MESSAGE;

                    SSLerr(SSL_F_TLS_GET_MESSAGE_HEADER,

                           SSL_R_BAD_CHANGE_CIPHER_SPEC);

                    goto f_err;

                }

                s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;

                s->init_num = i - 1;

                s->s3->tmp.message_size = i;