projects / oweals / openssl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: f4e6ed0) | patch
Fix for CVE-2014-0224
authorDr. Stephen Henson <steve@openssl.org>
Fri, 16 May 2014 11:49:48 +0000 (12:49 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Tue, 3 Jun 2014 15:30:37 +0000 (16:30 +0100)
commitc97e457d53441c6cb377cdda08905203db8afa0f
tree8469c4c693b1adb08379151ac33948112dbafb24tree | snapshot
parentf4e6ed09e48348f4766eb9f03727326ce6c0b1a3commit | diff
Fix for CVE-2014-0224

Only accept change cipher spec when it is expected instead of at any
time. This prevents premature setting of session keys before the master
secret is determined which an attacker could use as a MITM attack.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
and providing the initial fix this patch is based on.
ssl/s3_clnt.c diff | blob | history
ssl/s3_pkt.c diff | blob | history
ssl/s3_srvr.c diff | blob | history
ssl/ssl3.h diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.