projects / openssl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 82ba68c) | patch
Fix for CVE-2014-0224
authorDr. Stephen Henson <steve@openssl.org>
Fri, 16 May 2014 11:49:48 +0000 (12:49 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Tue, 3 Jun 2014 15:30:23 +0000 (16:30 +0100)
commit410a49a4fa1d2a1a9775ee29f9e40cbbda79c149
tree778046d20f87601d63cd20f69e600e4a97f74a93tree | snapshot
parent82ba68c42d6a9cf245afa489471005b2a0377c10commit | diff
Fix for CVE-2014-0224

Only accept change cipher spec when it is expected instead of at any
time. This prevents premature setting of session keys before the master
secret is determined which an attacker could use as a MITM attack.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
and providing the initial fix this patch is based on.
ssl/s3_clnt.c diff | blob | history
ssl/s3_pkt.c diff | blob | history
ssl/s3_srvr.c diff | blob | history
ssl/ssl3.h diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.