summaryrefslogtreecommitdiff
path: root/main
diff options
context:
space:
mode:
Diffstat (limited to 'main')
-rw-r--r--main/openssl/include/openssl/ssl.h1
-rw-r--r--main/openssl/include/openssl/ssl3.h4
-rw-r--r--main/openssl/openssl.config1
-rw-r--r--main/openssl/ssl/s3_clnt.c3
-rw-r--r--main/openssl/ssl/s3_pkt.c14
-rw-r--r--main/openssl/ssl/s3_srvr.c2
-rw-r--r--main/openssl/ssl/ssl.h1
-rw-r--r--main/openssl/ssl/ssl3.h4
-rw-r--r--main/openssl/ssl/ssl_err.c1
-rw-r--r--main/openvpn/config-version.h4
10 files changed, 31 insertions, 4 deletions
diff --git a/main/openssl/include/openssl/ssl.h b/main/openssl/include/openssl/ssl.h
index 57335a98..54b0eb6c 100644
--- a/main/openssl/include/openssl/ssl.h
+++ b/main/openssl/include/openssl/ssl.h
@@ -2707,6 +2707,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_WRONG_VERSION_NUMBER 267
#define SSL_R_X509_LIB 268
#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269
+#define SSL_R_UNEXPECTED_CCS 388
#ifdef __cplusplus
}
diff --git a/main/openssl/include/openssl/ssl3.h b/main/openssl/include/openssl/ssl3.h
index 9086db42..f205f73d 100644
--- a/main/openssl/include/openssl/ssl3.h
+++ b/main/openssl/include/openssl/ssl3.h
@@ -388,6 +388,10 @@ typedef struct ssl3_buffer_st
#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
#define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020
+/* SSL3_FLAGS_CCS_OK indicates that a ChangeCipherSpec record is acceptable at
+ * this point in the handshake. If this flag is not set then received CCS
+ * records will cause a fatal error for the connection. */
+#define SSL3_FLAGS_CCS_OK 0x0080
/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
* restart a handshake because of MS SGC and so prevents us
diff --git a/main/openssl/openssl.config b/main/openssl/openssl.config
index 8e97e9c0..aa028705 100644
--- a/main/openssl/openssl.config
+++ b/main/openssl/openssl.config
@@ -1098,6 +1098,7 @@ wincrypt.patch \
tls_psk_hint.patch \
arm_asm.patch \
psk_client_callback_128_byte_id_bug.patch \
+early_ccs.patch \
"
source ./openssl.trusty.config
diff --git a/main/openssl/ssl/s3_clnt.c b/main/openssl/ssl/s3_clnt.c
index b65b12d9..5e15b75c 100644
--- a/main/openssl/ssl/s3_clnt.c
+++ b/main/openssl/ssl/s3_clnt.c
@@ -607,7 +607,7 @@ int ssl3_connect(SSL *s)
case SSL3_ST_CR_FINISHED_A:
case SSL3_ST_CR_FINISHED_B:
-
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
SSL3_ST_CR_FINISHED_B);
if (ret <= 0) goto end;
@@ -988,6 +988,7 @@ int ssl3_get_server_hello(SSL *s)
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
goto f_err;
}
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
s->hit=1;
}
else /* a miss or crap from the other end */
diff --git a/main/openssl/ssl/s3_pkt.c b/main/openssl/ssl/s3_pkt.c
index d88f4dbb..75997ac2 100644
--- a/main/openssl/ssl/s3_pkt.c
+++ b/main/openssl/ssl/s3_pkt.c
@@ -1309,6 +1309,13 @@ start:
goto f_err;
}
+ if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
+ {
+ al=SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_CCS);
+ goto f_err;
+ }
+
rr->length=0;
if (s->msg_callback)
@@ -1443,7 +1450,12 @@ int ssl3_do_change_cipher_spec(SSL *s)
if (s->s3->tmp.key_block == NULL)
{
- if (s->session == NULL)
+ if (s->session->master_key_length == 0)
+ {
+ SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_UNEXPECTED_CCS);
+ return (0);
+ }
+ if (s->session == NULL)
{
/* might happen if dtls1_read_bytes() calls this */
SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
diff --git a/main/openssl/ssl/s3_srvr.c b/main/openssl/ssl/s3_srvr.c
index 0ee781f1..1976efa7 100644
--- a/main/openssl/ssl/s3_srvr.c
+++ b/main/openssl/ssl/s3_srvr.c
@@ -676,6 +676,7 @@ int ssl3_accept(SSL *s)
case SSL3_ST_SR_CERT_VRFY_B:
/* we should decide if we expected this one */
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
ret=ssl3_get_cert_verify(s);
if (ret <= 0) goto end;
@@ -693,6 +694,7 @@ int ssl3_accept(SSL *s)
channel_id = s->s3->tlsext_channel_id_valid;
#endif
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
if (next_proto_neg)
s->state=SSL3_ST_SR_NEXT_PROTO_A;
else if (channel_id)
diff --git a/main/openssl/ssl/ssl.h b/main/openssl/ssl/ssl.h
index 57335a98..54b0eb6c 100644
--- a/main/openssl/ssl/ssl.h
+++ b/main/openssl/ssl/ssl.h
@@ -2707,6 +2707,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_WRONG_VERSION_NUMBER 267
#define SSL_R_X509_LIB 268
#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269
+#define SSL_R_UNEXPECTED_CCS 388
#ifdef __cplusplus
}
diff --git a/main/openssl/ssl/ssl3.h b/main/openssl/ssl/ssl3.h
index 9086db42..f205f73d 100644
--- a/main/openssl/ssl/ssl3.h
+++ b/main/openssl/ssl/ssl3.h
@@ -388,6 +388,10 @@ typedef struct ssl3_buffer_st
#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
#define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020
+/* SSL3_FLAGS_CCS_OK indicates that a ChangeCipherSpec record is acceptable at
+ * this point in the handshake. If this flag is not set then received CCS
+ * records will cause a fatal error for the connection. */
+#define SSL3_FLAGS_CCS_OK 0x0080
/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
* restart a handshake because of MS SGC and so prevents us
diff --git a/main/openssl/ssl/ssl_err.c b/main/openssl/ssl/ssl_err.c
index c40c7187..bddd7949 100644
--- a/main/openssl/ssl/ssl_err.c
+++ b/main/openssl/ssl/ssl_err.c
@@ -604,6 +604,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{ERR_REASON(SSL_R_WRONG_VERSION_NUMBER) ,"wrong version number"},
{ERR_REASON(SSL_R_X509_LIB) ,"x509 lib"},
{ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS),"x509 verification setup problems"},
+{ERR_REASON(SSL_R_UNEXPECTED_CCS),"unexpected CCS"},
{0,NULL}
};
diff --git a/main/openvpn/config-version.h b/main/openvpn/config-version.h
index ac6ff482..60276cd8 100644
--- a/main/openvpn/config-version.h
+++ b/main/openvpn/config-version.h
@@ -1,2 +1,2 @@
-#define CONFIGURE_GIT_REVISION "icsopenvpn_613-86da111e79f644a7"
-#define CONFIGURE_GIT_FLAGS ""
+#define CONFIGURE_GIT_REVISION "icsopenvpn_612-757f9467b41fb40e"
+#define CONFIGURE_GIT_FLAGS "+"