From 29d34cdd24326b200a8fe3b4dc103cd7da0b134e Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Fri, 6 Jun 2014 12:21:53 +0200 Subject: merge ccs fix --- main/openssl/include/openssl/ssl.h | 1 + main/openssl/include/openssl/ssl3.h | 4 ++++ main/openssl/openssl.config | 1 + main/openssl/ssl/s3_clnt.c | 3 ++- main/openssl/ssl/s3_pkt.c | 14 +++++++++++++- main/openssl/ssl/s3_srvr.c | 2 ++ main/openssl/ssl/ssl.h | 1 + main/openssl/ssl/ssl3.h | 4 ++++ main/openssl/ssl/ssl_err.c | 1 + main/openvpn/config-version.h | 4 ++-- 10 files changed, 31 insertions(+), 4 deletions(-) (limited to 'main') diff --git a/main/openssl/include/openssl/ssl.h b/main/openssl/include/openssl/ssl.h index 57335a98..54b0eb6c 100644 --- a/main/openssl/include/openssl/ssl.h +++ b/main/openssl/include/openssl/ssl.h @@ -2707,6 +2707,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_WRONG_VERSION_NUMBER 267 #define SSL_R_X509_LIB 268 #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269 +#define SSL_R_UNEXPECTED_CCS 388 #ifdef __cplusplus } diff --git a/main/openssl/include/openssl/ssl3.h b/main/openssl/include/openssl/ssl3.h index 9086db42..f205f73d 100644 --- a/main/openssl/include/openssl/ssl3.h +++ b/main/openssl/include/openssl/ssl3.h @@ -388,6 +388,10 @@ typedef struct ssl3_buffer_st #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020 +/* SSL3_FLAGS_CCS_OK indicates that a ChangeCipherSpec record is acceptable at + * this point in the handshake. If this flag is not set then received CCS + * records will cause a fatal error for the connection. */ +#define SSL3_FLAGS_CCS_OK 0x0080 /* SSL3_FLAGS_SGC_RESTART_DONE is set when we * restart a handshake because of MS SGC and so prevents us diff --git a/main/openssl/openssl.config b/main/openssl/openssl.config index 8e97e9c0..aa028705 100644 --- a/main/openssl/openssl.config +++ b/main/openssl/openssl.config @@ -1098,6 +1098,7 @@ wincrypt.patch \ tls_psk_hint.patch \ arm_asm.patch \ psk_client_callback_128_byte_id_bug.patch \ +early_ccs.patch \ " source ./openssl.trusty.config diff --git a/main/openssl/ssl/s3_clnt.c b/main/openssl/ssl/s3_clnt.c index b65b12d9..5e15b75c 100644 --- a/main/openssl/ssl/s3_clnt.c +++ b/main/openssl/ssl/s3_clnt.c @@ -607,7 +607,7 @@ int ssl3_connect(SSL *s) case SSL3_ST_CR_FINISHED_A: case SSL3_ST_CR_FINISHED_B: - + s->s3->flags |= SSL3_FLAGS_CCS_OK; ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, SSL3_ST_CR_FINISHED_B); if (ret <= 0) goto end; @@ -988,6 +988,7 @@ int ssl3_get_server_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); goto f_err; } + s->s3->flags |= SSL3_FLAGS_CCS_OK; s->hit=1; } else /* a miss or crap from the other end */ diff --git a/main/openssl/ssl/s3_pkt.c b/main/openssl/ssl/s3_pkt.c index d88f4dbb..75997ac2 100644 --- a/main/openssl/ssl/s3_pkt.c +++ b/main/openssl/ssl/s3_pkt.c @@ -1309,6 +1309,13 @@ start: goto f_err; } + if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) + { + al=SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_CCS); + goto f_err; + } + rr->length=0; if (s->msg_callback) @@ -1443,7 +1450,12 @@ int ssl3_do_change_cipher_spec(SSL *s) if (s->s3->tmp.key_block == NULL) { - if (s->session == NULL) + if (s->session->master_key_length == 0) + { + SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_UNEXPECTED_CCS); + return (0); + } + if (s->session == NULL) { /* might happen if dtls1_read_bytes() calls this */ SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY); diff --git a/main/openssl/ssl/s3_srvr.c b/main/openssl/ssl/s3_srvr.c index 0ee781f1..1976efa7 100644 --- a/main/openssl/ssl/s3_srvr.c +++ b/main/openssl/ssl/s3_srvr.c @@ -676,6 +676,7 @@ int ssl3_accept(SSL *s) case SSL3_ST_SR_CERT_VRFY_B: /* we should decide if we expected this one */ + s->s3->flags |= SSL3_FLAGS_CCS_OK; ret=ssl3_get_cert_verify(s); if (ret <= 0) goto end; @@ -693,6 +694,7 @@ int ssl3_accept(SSL *s) channel_id = s->s3->tlsext_channel_id_valid; #endif + s->s3->flags |= SSL3_FLAGS_CCS_OK; if (next_proto_neg) s->state=SSL3_ST_SR_NEXT_PROTO_A; else if (channel_id) diff --git a/main/openssl/ssl/ssl.h b/main/openssl/ssl/ssl.h index 57335a98..54b0eb6c 100644 --- a/main/openssl/ssl/ssl.h +++ b/main/openssl/ssl/ssl.h @@ -2707,6 +2707,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_WRONG_VERSION_NUMBER 267 #define SSL_R_X509_LIB 268 #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269 +#define SSL_R_UNEXPECTED_CCS 388 #ifdef __cplusplus } diff --git a/main/openssl/ssl/ssl3.h b/main/openssl/ssl/ssl3.h index 9086db42..f205f73d 100644 --- a/main/openssl/ssl/ssl3.h +++ b/main/openssl/ssl/ssl3.h @@ -388,6 +388,10 @@ typedef struct ssl3_buffer_st #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020 +/* SSL3_FLAGS_CCS_OK indicates that a ChangeCipherSpec record is acceptable at + * this point in the handshake. If this flag is not set then received CCS + * records will cause a fatal error for the connection. */ +#define SSL3_FLAGS_CCS_OK 0x0080 /* SSL3_FLAGS_SGC_RESTART_DONE is set when we * restart a handshake because of MS SGC and so prevents us diff --git a/main/openssl/ssl/ssl_err.c b/main/openssl/ssl/ssl_err.c index c40c7187..bddd7949 100644 --- a/main/openssl/ssl/ssl_err.c +++ b/main/openssl/ssl/ssl_err.c @@ -604,6 +604,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {ERR_REASON(SSL_R_WRONG_VERSION_NUMBER) ,"wrong version number"}, {ERR_REASON(SSL_R_X509_LIB) ,"x509 lib"}, {ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS),"x509 verification setup problems"}, +{ERR_REASON(SSL_R_UNEXPECTED_CCS),"unexpected CCS"}, {0,NULL} }; diff --git a/main/openvpn/config-version.h b/main/openvpn/config-version.h index ac6ff482..60276cd8 100644 --- a/main/openvpn/config-version.h +++ b/main/openvpn/config-version.h @@ -1,2 +1,2 @@ -#define CONFIGURE_GIT_REVISION "icsopenvpn_613-86da111e79f644a7" -#define CONFIGURE_GIT_FLAGS "" +#define CONFIGURE_GIT_REVISION "icsopenvpn_612-757f9467b41fb40e" +#define CONFIGURE_GIT_FLAGS "+" -- cgit v1.2.3