Fix Early CCS bug

SSL/TLS MITM vulnerability (CVE-2014-0224)

Bug: 15442813
Change-Id: Ie52e8866fc9378d62f1d1fa6eb38b9423c138d64
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index dac9c3e..35eb044 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2685,6 +2685,7 @@
 #define SSL_R_WRONG_VERSION_NUMBER			 267
 #define SSL_R_X509_LIB					 268
 #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS		 269
+#define SSL_R_UNEXPECTED_CCS				 388
 
 #ifdef  __cplusplus
 }
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h
index 4729868..48bacf0 100644
--- a/include/openssl/ssl3.h
+++ b/include/openssl/ssl3.h
@@ -388,6 +388,10 @@
 #define TLS1_FLAGS_TLS_PADDING_BUG		0x0008
 #define TLS1_FLAGS_SKIP_CERT_VERIFY		0x0010
 #define TLS1_FLAGS_KEEP_HANDSHAKE		0x0020
+/* SSL3_FLAGS_CCS_OK indicates that a ChangeCipherSpec record is acceptable at
+ * this point in the handshake. If this flag is not set then received CCS
+ * records will cause a fatal error for the connection. */
+#define SSL3_FLAGS_CCS_OK			0x0080
  
 /* SSL3_FLAGS_SGC_RESTART_DONE is set when we
  * restart a handshake because of MS SGC and so prevents us
diff --git a/openssl.config b/openssl.config
index 00e4ff9..acc2a6e 100644
--- a/openssl.config
+++ b/openssl.config
@@ -993,6 +993,7 @@
 fix_clang_build.patch \
 tls12_digests.patch \
 alpn.patch \
+early_ccs.patch \
 "
 
 OPENSSL_PATCHES_progs_SOURCES="\
@@ -1068,3 +1069,11 @@
 ssl/tls1.h \
 "
 
+OPENSSL_PATCHES_early_ccs_SOURCES="\
+ssl/s3_clnt.c \
+ssl/s3_pkt.c \
+ssl/s3_srvr.c \
+ssl/ssl.h \
+ssl/ssl3.h \
+ssl/ssl_err.c \
+"
diff --git a/patches/early_ccs.patch b/patches/early_ccs.patch
new file mode 100644
index 0000000..d4c31e6
--- /dev/null
+++ b/patches/early_ccs.patch
@@ -0,0 +1,100 @@
+--- openssl-1.0.1e.orig/ssl/s3_clnt.c
++++ openssl-1.0.1e/ssl/s3_clnt.c
+@@ -606,7 +606,7 @@ int ssl3_connect(SSL *s)
+ 
+ 		case SSL3_ST_CR_FINISHED_A:
+ 		case SSL3_ST_CR_FINISHED_B:
+-
++			s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ 			ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
+ 				SSL3_ST_CR_FINISHED_B);
+ 			if (ret <= 0) goto end;
+@@ -915,6 +916,7 @@
+ 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
+ 		goto f_err;
+ 		}
++	    s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ 	    s->hit=1;
+ 	    }
+ 	else	/* a miss or crap from the other end */
+--- openssl-1.0.1e.orig/ssl/s3_pkt.c
++++ openssl-1.0.1e/ssl/s3_pkt.c
+@@ -1297,6 +1297,13 @@ start:
+ 			goto f_err;
+ 			}
+ 
++		if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
++			{
++			al=SSL_AD_UNEXPECTED_MESSAGE;
++			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_CCS);
++			goto f_err;
++			}
++
+ 		rr->length=0;
+ 
+ 		if (s->msg_callback)
+@@ -1431,7 +1438,12 @@ int ssl3_do_change_cipher_spec(SSL *s)
+ 
+ 	if (s->s3->tmp.key_block == NULL)
+ 		{
+-		if (s->session == NULL) 
++		if (s->session->master_key_length == 0)
++			{
++			SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_UNEXPECTED_CCS);
++			return (0);
++			}
++		if (s->session == NULL)
+ 			{
+ 			/* might happen if dtls1_read_bytes() calls this */
+ 			SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
+--- openssl-1.0.1e.orig/ssl/s3_srvr.c
++++ openssl-1.0.1e/ssl/s3_srvr.c
+@@ -670,6 +670,7 @@ int ssl3_accept(SSL *s)
+ 		case SSL3_ST_SR_CERT_VRFY_B:
+ 
+ 			/* we should decide if we expected this one */
++			s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ 			ret=ssl3_get_cert_verify(s);
+ 			if (ret <= 0) goto end;
+ 
+@@ -687,6 +688,7 @@ int ssl3_accept(SSL *s)
+ 			channel_id = s->s3->tlsext_channel_id_valid;
+ #endif
+ 
++			s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ 			if (next_proto_neg)
+ 				s->state=SSL3_ST_SR_NEXT_PROTO_A;
+ 			else if (channel_id)
+--- openssl-1.0.1e.orig/ssl/ssl.h
++++ openssl-1.0.1e/ssl/ssl.h
+@@ -2640,6 +2640,7 @@ void ERR_load_SSL_strings(void);
+ #define SSL_R_WRONG_VERSION_NUMBER			 267
+ #define SSL_R_X509_LIB					 268
+ #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS		 269
++#define SSL_R_UNEXPECTED_CCS				 388
+ 
+ #ifdef  __cplusplus
+ }
+--- openssl-1.0.1e.orig/ssl/ssl3.h
++++ openssl-1.0.1e/ssl/ssl3.h
+@@ -388,6 +388,10 @@ typedef struct ssl3_buffer_st
+ #define TLS1_FLAGS_TLS_PADDING_BUG		0x0008
+ #define TLS1_FLAGS_SKIP_CERT_VERIFY		0x0010
+ #define TLS1_FLAGS_KEEP_HANDSHAKE		0x0020
++/* SSL3_FLAGS_CCS_OK indicates that a ChangeCipherSpec record is acceptable at
++ * this point in the handshake. If this flag is not set then received CCS
++ * records will cause a fatal error for the connection. */
++#define SSL3_FLAGS_CCS_OK			0x0080
+  
+ /* SSL3_FLAGS_SGC_RESTART_DONE is set when we
+  * restart a handshake because of MS SGC and so prevents us
+--- openssl-1.0.1e.orig/ssl/ssl_err.c
++++ openssl-1.0.1e/ssl/ssl_err.c
+@@ -604,6 +604,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
+ {ERR_REASON(SSL_R_WRONG_VERSION_NUMBER)  ,"wrong version number"},
+ {ERR_REASON(SSL_R_X509_LIB)              ,"x509 lib"},
+ {ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS),"x509 verification setup problems"},
++{ERR_REASON(SSL_R_UNEXPECTED_CCS),"unexpected CCS"},
+ {0,NULL}
+ 	};
+ 
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 88077ea..edfcf58 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -606,7 +606,7 @@
 
 		case SSL3_ST_CR_FINISHED_A:
 		case SSL3_ST_CR_FINISHED_B:
-
+			s->s3->flags |= SSL3_FLAGS_CCS_OK;
 			ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
 				SSL3_ST_CR_FINISHED_B);
 			if (ret <= 0) goto end;
@@ -988,6 +988,7 @@
 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
 		goto f_err;
 		}
+	    s->s3->flags |= SSL3_FLAGS_CCS_OK;
 	    s->hit=1;
 	    }
 	else	/* a miss or crap from the other end */
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 804291e..8f0daf3 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -1297,6 +1297,13 @@
 			goto f_err;
 			}
 
+		if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
+			{
+			al=SSL_AD_UNEXPECTED_MESSAGE;
+			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_CCS);
+			goto f_err;
+			}
+
 		rr->length=0;
 
 		if (s->msg_callback)
@@ -1431,7 +1438,12 @@
 
 	if (s->s3->tmp.key_block == NULL)
 		{
-		if (s->session == NULL) 
+		if (s->session->master_key_length == 0)
+			{
+			SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_UNEXPECTED_CCS);
+			return (0);
+			}
+		if (s->session == NULL)
 			{
 			/* might happen if dtls1_read_bytes() calls this */
 			SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 5c3343a..8a18833 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -670,6 +670,7 @@
 		case SSL3_ST_SR_CERT_VRFY_B:
 
 			/* we should decide if we expected this one */
+			s->s3->flags |= SSL3_FLAGS_CCS_OK;
 			ret=ssl3_get_cert_verify(s);
 			if (ret <= 0) goto end;
 
@@ -687,6 +688,7 @@
 			channel_id = s->s3->tlsext_channel_id_valid;
 #endif
 
+			s->s3->flags |= SSL3_FLAGS_CCS_OK;
 			if (next_proto_neg)
 				s->state=SSL3_ST_SR_NEXT_PROTO_A;
 			else if (channel_id)
diff --git a/ssl/ssl.h b/ssl/ssl.h
index dac9c3e..35eb044 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2685,6 +2685,7 @@
 #define SSL_R_WRONG_VERSION_NUMBER			 267
 #define SSL_R_X509_LIB					 268
 #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS		 269
+#define SSL_R_UNEXPECTED_CCS				 388
 
 #ifdef  __cplusplus
 }
diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index 4729868..48bacf0 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -388,6 +388,10 @@
 #define TLS1_FLAGS_TLS_PADDING_BUG		0x0008
 #define TLS1_FLAGS_SKIP_CERT_VERIFY		0x0010
 #define TLS1_FLAGS_KEEP_HANDSHAKE		0x0020
+/* SSL3_FLAGS_CCS_OK indicates that a ChangeCipherSpec record is acceptable at
+ * this point in the handshake. If this flag is not set then received CCS
+ * records will cause a fatal error for the connection. */
+#define SSL3_FLAGS_CCS_OK			0x0080
  
 /* SSL3_FLAGS_SGC_RESTART_DONE is set when we
  * restart a handshake because of MS SGC and so prevents us
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index c40c718..bddd794 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -604,6 +604,7 @@
 {ERR_REASON(SSL_R_WRONG_VERSION_NUMBER)  ,"wrong version number"},
 {ERR_REASON(SSL_R_X509_LIB)              ,"x509 lib"},
 {ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS),"x509 verification setup problems"},
+{ERR_REASON(SSL_R_UNEXPECTED_CCS),"unexpected CCS"},
 {0,NULL}
 	};