Fix Early CCS bug SSL/TLS MITM vulnerability (CVE-2014-0224) Bug: 15442813 Change-Id: Ie52e8866fc9378d62f1d1fa6eb38b9423c138d64
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index dac9c3e..35eb044 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h
@@ -2685,6 +2685,7 @@ #define SSL_R_WRONG_VERSION_NUMBER 267 #define SSL_R_X509_LIB 268 #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269 +#define SSL_R_UNEXPECTED_CCS 388 #ifdef __cplusplus }
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h index 4729868..48bacf0 100644 --- a/include/openssl/ssl3.h +++ b/include/openssl/ssl3.h
@@ -388,6 +388,10 @@ #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020 +/* SSL3_FLAGS_CCS_OK indicates that a ChangeCipherSpec record is acceptable at + * this point in the handshake. If this flag is not set then received CCS + * records will cause a fatal error for the connection. */ +#define SSL3_FLAGS_CCS_OK 0x0080 /* SSL3_FLAGS_SGC_RESTART_DONE is set when we * restart a handshake because of MS SGC and so prevents us
diff --git a/openssl.config b/openssl.config index 00e4ff9..acc2a6e 100644 --- a/openssl.config +++ b/openssl.config
@@ -993,6 +993,7 @@ fix_clang_build.patch \ tls12_digests.patch \ alpn.patch \ +early_ccs.patch \ " OPENSSL_PATCHES_progs_SOURCES="\ @@ -1068,3 +1069,11 @@ ssl/tls1.h \ " +OPENSSL_PATCHES_early_ccs_SOURCES="\ +ssl/s3_clnt.c \ +ssl/s3_pkt.c \ +ssl/s3_srvr.c \ +ssl/ssl.h \ +ssl/ssl3.h \ +ssl/ssl_err.c \ +"
diff --git a/patches/early_ccs.patch b/patches/early_ccs.patch new file mode 100644 index 0000000..d4c31e6 --- /dev/null +++ b/patches/early_ccs.patch
@@ -0,0 +1,100 @@ +--- openssl-1.0.1e.orig/ssl/s3_clnt.c ++++ openssl-1.0.1e/ssl/s3_clnt.c +@@ -606,7 +606,7 @@ int ssl3_connect(SSL *s) + + case SSL3_ST_CR_FINISHED_A: + case SSL3_ST_CR_FINISHED_B: +- ++ s->s3->flags |= SSL3_FLAGS_CCS_OK; + ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, + SSL3_ST_CR_FINISHED_B); + if (ret <= 0) goto end; +@@ -915,6 +916,7 @@ + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); + goto f_err; + } ++ s->s3->flags |= SSL3_FLAGS_CCS_OK; + s->hit=1; + } + else /* a miss or crap from the other end */ +--- openssl-1.0.1e.orig/ssl/s3_pkt.c ++++ openssl-1.0.1e/ssl/s3_pkt.c +@@ -1297,6 +1297,13 @@ start: + goto f_err; + } + ++ if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) ++ { ++ al=SSL_AD_UNEXPECTED_MESSAGE; ++ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_CCS); ++ goto f_err; ++ } ++ + rr->length=0; + + if (s->msg_callback) +@@ -1431,7 +1438,12 @@ int ssl3_do_change_cipher_spec(SSL *s) + + if (s->s3->tmp.key_block == NULL) + { +- if (s->session == NULL) ++ if (s->session->master_key_length == 0) ++ { ++ SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_UNEXPECTED_CCS); ++ return (0); ++ } ++ if (s->session == NULL) + { + /* might happen if dtls1_read_bytes() calls this */ + SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY); +--- openssl-1.0.1e.orig/ssl/s3_srvr.c ++++ openssl-1.0.1e/ssl/s3_srvr.c +@@ -670,6 +670,7 @@ int ssl3_accept(SSL *s) + case SSL3_ST_SR_CERT_VRFY_B: + + /* we should decide if we expected this one */ ++ s->s3->flags |= SSL3_FLAGS_CCS_OK; + ret=ssl3_get_cert_verify(s); + if (ret <= 0) goto end; + +@@ -687,6 +688,7 @@ int ssl3_accept(SSL *s) + channel_id = s->s3->tlsext_channel_id_valid; + #endif + ++ s->s3->flags |= SSL3_FLAGS_CCS_OK; + if (next_proto_neg) + s->state=SSL3_ST_SR_NEXT_PROTO_A; + else if (channel_id) +--- openssl-1.0.1e.orig/ssl/ssl.h ++++ openssl-1.0.1e/ssl/ssl.h +@@ -2640,6 +2640,7 @@ void ERR_load_SSL_strings(void); + #define SSL_R_WRONG_VERSION_NUMBER 267 + #define SSL_R_X509_LIB 268 + #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269 ++#define SSL_R_UNEXPECTED_CCS 388 + + #ifdef __cplusplus + } +--- openssl-1.0.1e.orig/ssl/ssl3.h ++++ openssl-1.0.1e/ssl/ssl3.h +@@ -388,6 +388,10 @@ typedef struct ssl3_buffer_st + #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 + #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 + #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020 ++/* SSL3_FLAGS_CCS_OK indicates that a ChangeCipherSpec record is acceptable at ++ * this point in the handshake. If this flag is not set then received CCS ++ * records will cause a fatal error for the connection. */ ++#define SSL3_FLAGS_CCS_OK 0x0080 + + /* SSL3_FLAGS_SGC_RESTART_DONE is set when we + * restart a handshake because of MS SGC and so prevents us +--- openssl-1.0.1e.orig/ssl/ssl_err.c ++++ openssl-1.0.1e/ssl/ssl_err.c +@@ -604,6 +604,7 @@ static ERR_STRING_DATA SSL_str_reasons[] + {ERR_REASON(SSL_R_WRONG_VERSION_NUMBER) ,"wrong version number"}, + {ERR_REASON(SSL_R_X509_LIB) ,"x509 lib"}, + {ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS),"x509 verification setup problems"}, ++{ERR_REASON(SSL_R_UNEXPECTED_CCS),"unexpected CCS"}, + {0,NULL} + }; +
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 88077ea..edfcf58 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c
@@ -606,7 +606,7 @@ case SSL3_ST_CR_FINISHED_A: case SSL3_ST_CR_FINISHED_B: - + s->s3->flags |= SSL3_FLAGS_CCS_OK; ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, SSL3_ST_CR_FINISHED_B); if (ret <= 0) goto end; @@ -988,6 +988,7 @@ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); goto f_err; } + s->s3->flags |= SSL3_FLAGS_CCS_OK; s->hit=1; } else /* a miss or crap from the other end */
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index 804291e..8f0daf3 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c
@@ -1297,6 +1297,13 @@ goto f_err; } + if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) + { + al=SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_CCS); + goto f_err; + } + rr->length=0; if (s->msg_callback) @@ -1431,7 +1438,12 @@ if (s->s3->tmp.key_block == NULL) { - if (s->session == NULL) + if (s->session->master_key_length == 0) + { + SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_UNEXPECTED_CCS); + return (0); + } + if (s->session == NULL) { /* might happen if dtls1_read_bytes() calls this */ SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 5c3343a..8a18833 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c
@@ -670,6 +670,7 @@ case SSL3_ST_SR_CERT_VRFY_B: /* we should decide if we expected this one */ + s->s3->flags |= SSL3_FLAGS_CCS_OK; ret=ssl3_get_cert_verify(s); if (ret <= 0) goto end; @@ -687,6 +688,7 @@ channel_id = s->s3->tlsext_channel_id_valid; #endif + s->s3->flags |= SSL3_FLAGS_CCS_OK; if (next_proto_neg) s->state=SSL3_ST_SR_NEXT_PROTO_A; else if (channel_id)
diff --git a/ssl/ssl.h b/ssl/ssl.h index dac9c3e..35eb044 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h
@@ -2685,6 +2685,7 @@ #define SSL_R_WRONG_VERSION_NUMBER 267 #define SSL_R_X509_LIB 268 #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269 +#define SSL_R_UNEXPECTED_CCS 388 #ifdef __cplusplus }
diff --git a/ssl/ssl3.h b/ssl/ssl3.h index 4729868..48bacf0 100644 --- a/ssl/ssl3.h +++ b/ssl/ssl3.h
@@ -388,6 +388,10 @@ #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020 +/* SSL3_FLAGS_CCS_OK indicates that a ChangeCipherSpec record is acceptable at + * this point in the handshake. If this flag is not set then received CCS + * records will cause a fatal error for the connection. */ +#define SSL3_FLAGS_CCS_OK 0x0080 /* SSL3_FLAGS_SGC_RESTART_DONE is set when we * restart a handshake because of MS SGC and so prevents us
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index c40c718..bddd794 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c
@@ -604,6 +604,7 @@ {ERR_REASON(SSL_R_WRONG_VERSION_NUMBER) ,"wrong version number"}, {ERR_REASON(SSL_R_X509_LIB) ,"x509 lib"}, {ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS),"x509 verification setup problems"}, +{ERR_REASON(SSL_R_UNEXPECTED_CCS),"unexpected CCS"}, {0,NULL} };