Merge tag 'android-4.4.4_r1' into HEAD

Android 4.4.4 Release 1

Change-Id: Ic9cc24af8c3b38bca4d44235245888a4761e144e

12 files changed, 142 insertions, 36 deletions

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index dac9c3e..35eb044 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2685,6 +2685,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_WRONG_VERSION_NUMBER			 267
 #define SSL_R_X509_LIB					 268
 #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS		 269
+#define SSL_R_UNEXPECTED_CCS				 388
 
 #ifdef  __cplusplus
 }
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h
index d63663b..48bacf0 100644
--- a/include/openssl/ssl3.h
+++ b/include/openssl/ssl3.h
@@ -388,6 +388,9 @@ typedef struct ssl3_buffer_st
 #define TLS1_FLAGS_TLS_PADDING_BUG		0x0008
 #define TLS1_FLAGS_SKIP_CERT_VERIFY		0x0010
 #define TLS1_FLAGS_KEEP_HANDSHAKE		0x0020
+/* SSL3_FLAGS_CCS_OK indicates that a ChangeCipherSpec record is acceptable at
+ * this point in the handshake. If this flag is not set then received CCS
+ * records will cause a fatal error for the connection. */
 #define SSL3_FLAGS_CCS_OK			0x0080
  
 /* SSL3_FLAGS_SGC_RESTART_DONE is set when we
diff --git a/openssl.config b/openssl.config
index 00e4ff9..acc2a6e 100644
--- a/openssl.config
+++ b/openssl.config
@@ -993,6 +993,7 @@ eng_dyn_dirs.patch \
 fix_clang_build.patch \
 tls12_digests.patch \
 alpn.patch \
+early_ccs.patch \
 "
 
 OPENSSL_PATCHES_progs_SOURCES="\
@@ -1068,3 +1069,11 @@ ssl/t1_lib.c \
 ssl/tls1.h \
 "
 
+OPENSSL_PATCHES_early_ccs_SOURCES="\
+ssl/s3_clnt.c \
+ssl/s3_pkt.c \
+ssl/s3_srvr.c \
+ssl/ssl.h \
+ssl/ssl3.h \
+ssl/ssl_err.c \
+"
diff --git a/patches/early_ccs.patch b/patches/early_ccs.patch
new file mode 100644
index 0000000..d4c31e6
--- /dev/null
+++ b/patches/early_ccs.patch
@@ -0,0 +1,100 @@
+--- openssl-1.0.1e.orig/ssl/s3_clnt.c
++++ openssl-1.0.1e/ssl/s3_clnt.c
+@@ -606,7 +606,7 @@ int ssl3_connect(SSL *s)
+ 
+ 		case SSL3_ST_CR_FINISHED_A:
+ 		case SSL3_ST_CR_FINISHED_B:
+-
++			s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ 			ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
+ 				SSL3_ST_CR_FINISHED_B);
+ 			if (ret <= 0) goto end;
+@@ -915,6 +916,7 @@
+ 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
+ 		goto f_err;
+ 		}
++	    s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ 	    s->hit=1;
+ 	    }
+ 	else	/* a miss or crap from the other end */
+--- openssl-1.0.1e.orig/ssl/s3_pkt.c
++++ openssl-1.0.1e/ssl/s3_pkt.c
+@@ -1297,6 +1297,13 @@ start:
+ 			goto f_err;
+ 			}
+ 
++		if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
++			{
++			al=SSL_AD_UNEXPECTED_MESSAGE;
++			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_CCS);
++			goto f_err;
++			}
++
+ 		rr->length=0;
+ 
+ 		if (s->msg_callback)
+@@ -1431,7 +1438,12 @@ int ssl3_do_change_cipher_spec(SSL *s)
+ 
+ 	if (s->s3->tmp.key_block == NULL)
+ 		{
+-		if (s->session == NULL) 
++		if (s->session->master_key_length == 0)
++			{
++			SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_UNEXPECTED_CCS);
++			return (0);
++			}
++		if (s->session == NULL)
+ 			{
+ 			/* might happen if dtls1_read_bytes() calls this */
+ 			SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
+--- openssl-1.0.1e.orig/ssl/s3_srvr.c
++++ openssl-1.0.1e/ssl/s3_srvr.c
+@@ -670,6 +670,7 @@ int ssl3_accept(SSL *s)
+ 		case SSL3_ST_SR_CERT_VRFY_B:
+ 
+ 			/* we should decide if we expected this one */
++			s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ 			ret=ssl3_get_cert_verify(s);
+ 			if (ret <= 0) goto end;
+ 
+@@ -687,6 +688,7 @@ int ssl3_accept(SSL *s)
+ 			channel_id = s->s3->tlsext_channel_id_valid;
+ #endif
+ 
++			s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ 			if (next_proto_neg)
+ 				s->state=SSL3_ST_SR_NEXT_PROTO_A;
+ 			else if (channel_id)
+--- openssl-1.0.1e.orig/ssl/ssl.h
++++ openssl-1.0.1e/ssl/ssl.h
+@@ -2640,6 +2640,7 @@ void ERR_load_SSL_strings(void);
+ #define SSL_R_WRONG_VERSION_NUMBER			 267
+ #define SSL_R_X509_LIB					 268
+ #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS		 269
++#define SSL_R_UNEXPECTED_CCS				 388
+ 
+ #ifdef  __cplusplus
+ }
+--- openssl-1.0.1e.orig/ssl/ssl3.h
++++ openssl-1.0.1e/ssl/ssl3.h
+@@ -388,6 +388,10 @@ typedef struct ssl3_buffer_st
+ #define TLS1_FLAGS_TLS_PADDING_BUG		0x0008
+ #define TLS1_FLAGS_SKIP_CERT_VERIFY		0x0010
+ #define TLS1_FLAGS_KEEP_HANDSHAKE		0x0020
++/* SSL3_FLAGS_CCS_OK indicates that a ChangeCipherSpec record is acceptable at
++ * this point in the handshake. If this flag is not set then received CCS
++ * records will cause a fatal error for the connection. */
++#define SSL3_FLAGS_CCS_OK			0x0080
+  
+ /* SSL3_FLAGS_SGC_RESTART_DONE is set when we
+  * restart a handshake because of MS SGC and so prevents us
+--- openssl-1.0.1e.orig/ssl/ssl_err.c
++++ openssl-1.0.1e/ssl/ssl_err.c
+@@ -604,6 +604,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
+ {ERR_REASON(SSL_R_WRONG_VERSION_NUMBER)  ,"wrong version number"},
+ {ERR_REASON(SSL_R_X509_LIB)              ,"x509 lib"},
+ {ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS),"x509 verification setup problems"},
++{ERR_REASON(SSL_R_UNEXPECTED_CCS),"unexpected CCS"},
+ {0,NULL}
+ 	};
+ 
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 7b88727..b4d52d7 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -786,7 +786,6 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
 	int i,al;
 	struct hm_header_st msg_hdr;
 
-	redo:
 	/* see if we have the required fragment already */
 	if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok)
 		{
@@ -845,7 +844,8 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
 					s->msg_callback_arg);
 			
 			s->init_num = 0;
-			goto redo;
+			return dtls1_get_message_fragment(s, st1, stn,
+				max, ok);
 			}
 		else /* Incorrectly formated Hello request */
 			{
@@ -1461,36 +1461,26 @@ dtls1_process_heartbeat(SSL *s)
 	unsigned int payload;
 	unsigned int padding = 16; /* Use minimum padding */
 
-	if (s->msg_callback)
-		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
-			&s->s3->rrec.data[0], s->s3->rrec.length,
-			s, s->msg_callback_arg);
-
 	/* Read type and payload length first */
-	if (1 + 2 + 16 > s->s3->rrec.length)
-		return 0; /* silently discard */
 	hbtype = *p++;
 	n2s(p, payload);
-	if (1 + 2 + payload + 16 > s->s3->rrec.length)
-		return 0; /* silently discard per RFC 6520 sec. 4 */
 	pl = p;
 
+	if (s->msg_callback)
+		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
+			&s->s3->rrec.data[0], s->s3->rrec.length,
+			s, s->msg_callback_arg);
+
 	if (hbtype == TLS1_HB_REQUEST)
 		{
 		unsigned char *buffer, *bp;
-		unsigned int write_length = 1 /* heartbeat type */ +
-					    2 /* heartbeat length */ +
-					    payload + padding;
 		int r;
 
-		if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
-			return 0;
-
 		/* Allocate memory for the response, size is 1 byte
 		 * message type, plus 2 bytes payload length, plus
 		 * payload, plus padding
 		 */
-		buffer = OPENSSL_malloc(write_length);
+		buffer = OPENSSL_malloc(1 + 2 + payload + padding);
 		bp = buffer;
 
 		/* Enter response type, length and copy payload */
@@ -1501,11 +1491,11 @@ dtls1_process_heartbeat(SSL *s)
 		/* Random padding */
 		RAND_pseudo_bytes(bp, padding);
 
-		r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
+		r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
 
 		if (r >= 0 && s->msg_callback)
 			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
-				buffer, write_length,
+				buffer, 3 + payload + padding,
 				s, s->msg_callback_arg);
 
 		OPENSSL_free(buffer);
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 1c4f4db..9eabfd8 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -606,7 +606,6 @@ int ssl3_connect(SSL *s)
 
 		case SSL3_ST_CR_FINISHED_A:
 		case SSL3_ST_CR_FINISHED_B:
-
 			s->s3->flags |= SSL3_FLAGS_CCS_OK;
 			ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
 				SSL3_ST_CR_FINISHED_B);
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 31ce0e3..8f0daf3 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -1300,12 +1300,10 @@ start:
 		if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
 			{
 			al=SSL_AD_UNEXPECTED_MESSAGE;
-			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
+			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_CCS);
 			goto f_err;
 			}
 
-		s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
-
 		rr->length=0;
 
 		if (s->msg_callback)
@@ -1440,7 +1438,12 @@ int ssl3_do_change_cipher_spec(SSL *s)
 
 	if (s->s3->tmp.key_block == NULL)
 		{
-		if (s->session == NULL || s->session->master_key_length == 0)
+		if (s->session->master_key_length == 0)
+			{
+			SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_UNEXPECTED_CCS);
+			return (0);
+			}
+		if (s->session == NULL)
 			{
 			/* might happen if dtls1_read_bytes() calls this */
 			SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index f76b49c..8a18833 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -669,8 +669,8 @@ int ssl3_accept(SSL *s)
 		case SSL3_ST_SR_CERT_VRFY_A:
 		case SSL3_ST_SR_CERT_VRFY_B:
 
-			s->s3->flags |= SSL3_FLAGS_CCS_OK;
 			/* we should decide if we expected this one */
+			s->s3->flags |= SSL3_FLAGS_CCS_OK;
 			ret=ssl3_get_cert_verify(s);
 			if (ret <= 0) goto end;
 
@@ -688,6 +688,7 @@ int ssl3_accept(SSL *s)
 			channel_id = s->s3->tlsext_channel_id_valid;
 #endif
 
+			s->s3->flags |= SSL3_FLAGS_CCS_OK;
 			if (next_proto_neg)
 				s->state=SSL3_ST_SR_NEXT_PROTO_A;
 			else if (channel_id)
@@ -722,7 +723,6 @@ int ssl3_accept(SSL *s)
 
 		case SSL3_ST_SR_FINISHED_A:
 		case SSL3_ST_SR_FINISHED_B:
-			s->s3->flags |= SSL3_FLAGS_CCS_OK;
 			ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
 				SSL3_ST_SR_FINISHED_B);
 			if (ret <= 0) goto end;
diff --git a/ssl/ssl.h b/ssl/ssl.h
index dac9c3e..35eb044 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2685,6 +2685,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_WRONG_VERSION_NUMBER			 267
 #define SSL_R_X509_LIB					 268
 #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS		 269
+#define SSL_R_UNEXPECTED_CCS				 388
 
 #ifdef  __cplusplus
 }
diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index d63663b..48bacf0 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -388,6 +388,9 @@ typedef struct ssl3_buffer_st
 #define TLS1_FLAGS_TLS_PADDING_BUG		0x0008
 #define TLS1_FLAGS_SKIP_CERT_VERIFY		0x0010
 #define TLS1_FLAGS_KEEP_HANDSHAKE		0x0020
+/* SSL3_FLAGS_CCS_OK indicates that a ChangeCipherSpec record is acceptable at
+ * this point in the handshake. If this flag is not set then received CCS
+ * records will cause a fatal error for the connection. */
 #define SSL3_FLAGS_CCS_OK			0x0080
  
 /* SSL3_FLAGS_SGC_RESTART_DONE is set when we
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index c40c718..bddd794 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -604,6 +604,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_WRONG_VERSION_NUMBER)  ,"wrong version number"},
 {ERR_REASON(SSL_R_X509_LIB)              ,"x509 lib"},
 {ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS),"x509 verification setup problems"},
+{ERR_REASON(SSL_R_UNEXPECTED_CCS),"unexpected CCS"},
 {0,NULL}
 	};
 
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 4e12d3c..f170056 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2647,20 +2647,16 @@ tls1_process_heartbeat(SSL *s)
 	unsigned int payload;
 	unsigned int padding = 16; /* Use minimum padding */
 
-	if (s->msg_callback)
-		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
-			&s->s3->rrec.data[0], s->s3->rrec.length,
-			s, s->msg_callback_arg);
-
 	/* Read type and payload length first */
-	if (1 + 2 + 16 > s->s3->rrec.length)
-		return 0; /* silently discard */
 	hbtype = *p++;
 	n2s(p, payload);
-	if (1 + 2 + payload + 16 > s->s3->rrec.length)
-		return 0; /* silently discard per RFC 6520 sec. 4 */
 	pl = p;
 
+	if (s->msg_callback)
+		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
+			&s->s3->rrec.data[0], s->s3->rrec.length,
+			s, s->msg_callback_arg);
+
 	if (hbtype == TLS1_HB_REQUEST)
 		{
 		unsigned char *buffer, *bp;