Diffstat (limited to 'crypto/rsa/rsa_ssl.c')
-rw-r--r--crypto/rsa/rsa_ssl.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/crypto/rsa/rsa_ssl.c b/crypto/rsa/rsa_ssl.c
index 1f155be175da..ecdb3cee1fa3 100644
--- a/crypto/rsa/rsa_ssl.c
+++ b/crypto/rsa/rsa_ssl.c
@@ -55,7 +55,7 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
/*
* Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
- * if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also
+ * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also
* preserves error code reporting for backward compatibility.
*/
int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
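Review bot: The reworded header comment now states the condition correctly but still does not say why eight 0x03 bytes are grounds for rejection, so a reader has to reach the error-selection code further down to learn that this branch is the version-rollback detector (it is reported as RSA_R_SSLV3_ROLLBACK_ATTACK). I would extend the sentence to name the purpose: `* if nul delimiter is preceded by 8 consecutive 0x03 bytes; TLS-capable` `* clients place that marker in the padding, so its presence here indicates` `* a version rollback (reported as RSA_R_SSLV3_ROLLBACK_ATTACK).` Since the first sentence still describes this as a copy of RSA_padding_check_PKCS1_type_2, a one-line note that the only intended divergence is the 0x03 check would help whoever next reconciles the two routines. The body of RSA_padding_check_SSLv23 continues outside this hunk, so the constant-time handling of the new condition itself is not visible here.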
@@ -122,7 +122,13 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
RSA_R_NULL_BEFORE_BLOCK_MISSING);
mask = ~good;
- good &= constant_time_ge(threes_in_row, 8);
+ /*
+ * Reject if nul delimiter is preceded by 8 consecutive 0x03 bytes. Note
+ * that RFC5246 incorrectly states this the other way around, i.e. reject
+ * if it is not preceded by 8 consecutive 0x03 bytes. However this is
+ * corrected in subsequent errata for that RFC.
+ */
+ good &= constant_time_lt(threes_in_row, 8);
err = constant_time_select_int(mask | good, err,
RSA_R_SSLV3_ROLLBACK_ATTACK);
mask = ~good;