projects / oweals / openssl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: a7c682f) | patch
Fix for CVE-2014-0224
authorDr. Stephen Henson <steve@openssl.org>
Fri, 16 May 2014 11:49:48 +0000 (12:49 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Thu, 5 Jun 2014 12:22:42 +0000 (13:22 +0100)
commita91be10833e61bcdc9002de28489405101c52650
treec5d8d3629e733447f7ea76bad1b05f9460862cbftree | snapshot
parenta7c682fb6f692c9a3868777a7ff305784714c131commit | diff
Fix for CVE-2014-0224

Only accept change cipher spec when it is expected instead of at any
time. This prevents premature setting of session keys before the master
secret is determined which an attacker could use as a MITM attack.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
and providing the initial fix this patch is based on.
(cherry picked from commit bc8923b1ec9c467755cd86f7848c50ee8812e441)
ssl/s3_clnt.c diff | blob | history
ssl/s3_pkt.c diff | blob | history
ssl/s3_srvr.c diff | blob | history
ssl/ssl3.h diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.