author Bodo Möller <bodo@openssl.org>
Thu, 17 Jul 2008 22:11:53 +0000 (22:11 +0000)
committer Bodo Möller <bodo@openssl.org>
Thu, 17 Jul 2008 22:11:53 +0000 (22:11 +0000)

We should check the eight bytes starting at p[-9] for rollback attack
detection, or the probability for an erroneous RSA_R_SSLV3_ROLLBACK_ATTACK
will be larger than necessary.

PR: 1695

crypto/rsa/rsa_ssl.c

index ea72629494cffd952d15eff4098b3f554c9ff723..cfeff15bc9c125c30e418a2e5351f019eba40236 100644 (file)
@@ -130,7 +130,7 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
                RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_NULL_BEFORE_BLOCK_MISSING);
                return(-1);
                }
-       for (k= -8; k<0; k++)
+       for (k = -9; k<-1; k++)
                {
                if (p[k] !=  0x03) break;
                }
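
Review bot: The new bounds in `for (k = -9; k<-1; k++)` change the value k holds when all eight bytes equal 0x03 from 0 to -1, so any test on k that follows this loop (it lies outside the visible context) has to compare against -1 to stay consistent with the loop. The constants -9 and -1 would also benefit from a one-line comment stating which byte p[-1] is and why it is excluded from the comparison, since the commit message only names p[-9]. Minor style point: the new line mixes `k = -9` with `k<-1`; pick one spacing.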