Adam Langley’s explanation of the recent Apple security bug in iOS makes me suspicious of whatever SCM Apple uses for developing iOS. The problem was in this function:

static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                 uint8_t *signature, UInt16 signatureLen)
{
	OSStatus        err;
	...

	if ( (err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
		goto fail;
	if ( (err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
		goto fail;
		goto fail;
	if ( (err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
		goto fail;
	...

fail:
	SSLFreeBuffer(&signedHashes);
	SSLFreeBuffer(&hashCtx);
	return err;
}

Note the two goto fail; lines? I have seen many of those when using diff3 for merging code. What happens is that parallel modifications are done to the same lines of code, and the hook for the second goto gets deleted in the merge.

It would be really interesting to know what SCM Apple uses for developing this code and whether the error was in fact the result of a bad merge.

Disclaimer: This blog post is pure speculation and I do not have any special information or insight. It could well be the case that someone accidentally pasted the second goto fail line, or even typed it.