OpenSSL incorrect checks for malformed signatures

Several functions inside OpenSSL incorrectly checked the result after calling the EVP_VerifyFinal function, allowing a malformed signature to be treated as a good signature rather than as an error. This issue affected the signature checks on DSA and ECDSA keys used with SSL/TLS.

One way to exploit this flaw would be for a remote attacker who controls a malicious server, or who can mount a ‘man in the middle’ attack, to present a malformed SSL/TLS signature from a certificate chain to a vulnerable client, bypassing validation.
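The result-check mistake described above, shown as an added illustration that is not OpenSSL's code and not the patch appended to this advisory. It assumes the documented EVP_VerifyFinal return convention (1 for a correct signature, 0 for an incorrect one, -1 for other errors); `verify_final_stub`, `accept_flawed` and `accept_fixed` are hypothetical names, and the stub stands in for the real call so the example runs without libcrypto.

```c
#include <stdio.h>

/* Constructed stand-in for the three outcomes a verifier can report.
 * It mirrors EVP_VerifyFinal()'s documented convention:
 *   1 = signature correct, 0 = signature incorrect, -1 = some other error. */
enum sig_kind { SIG_GOOD, SIG_WRONG, SIG_MALFORMED };

static int verify_final_stub(enum sig_kind sig)   /* hypothetical helper */
{
    switch (sig) {
    case SIG_GOOD:  return 1;
    case SIG_WRONG: return 0;
    default:        return -1;  /* malformed input surfaces as an error */
    }
}

/* Flawed check: treats the result as a boolean, so only 0 is rejected
 * and the -1 error result is accepted like a good signature. */
int accept_flawed(enum sig_kind sig)
{
    if (!verify_final_stub(sig))
        return 0;
    return 1;
}

/* Corrected check: anything other than a positive result is a rejection. */
int accept_fixed(enum sig_kind sig)
{
    if (verify_final_stub(sig) <= 0)
        return 0;
    return 1;
}

int main(void)
{
    static const char *names[] = { "good", "wrong", "malformed" };
    for (int s = SIG_GOOD; s <= SIG_MALFORMED; s++)
        printf("%-9s flawed=%d fixed=%d\n", names[s],
               accept_flawed((enum sig_kind)s), accept_fixed((enum sig_kind)s));
    return 0;
}
```

When auditing code built against an affected release, the same pattern to look for is any caller that tests a verification result with `!` or `== 0` instead of comparing against a positive success value.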

Who is affected?

Everyone using OpenSSL releases prior to 0.9.8j as an SSL/TLS client when connecting to a server whose certificate contains a DSA or ECDSA key. Use of OpenSSL as an SSL/TLS client when connecting to a server whose certificate uses an RSA key is NOT affected. Verification of client certificates by OpenSSL servers for any key type is NOT affected.

Recommendations for users of OpenSSL

Users of OpenSSL 0.9.8 should update to the OpenSSL 0.9.8j release which contains a patch to correct this issue.

The patch used is also appended to this advisory for users or distributions who wish to backport this patch to versions they build from source.