1 files changed, 24 insertions, 2 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index d04232960e..258af84867 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1322,14 +1322,15 @@ static int ssl3_get_client_key_exchange(SSL *s)
                i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
+                al = -1;
+                
                if (i != SSL_MAX_MASTER_KEY_LENGTH)
                        {
                        al=SSL_AD_DECODE_ERROR;
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
-                        goto f_err;
                        }
-                if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
+                if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
                        {
                        /* The premaster secret must contain the same version number as the
                         * ClientHello to detect version rollback attacks (strangely, the
@@ -1347,6 +1348,27 @@ static int ssl3_get_client_key_exchange(SSL *s)
                                }
                        }
+                if (al != -1)
+                        {
+#if 0
+                        goto f_err;
+#else
+                        /* Some decryption failure -- use random value instead as countermeasure
+                         * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
+                         * (see RFC 2246, section 7.4.7.1).
+                         * But note that due to length and protocol version checking, the
+                         * attack is impractical anyway (see section 5 in D. Bleichenbacher:
+                         * "Chosen Ciphertext Attacks Against Protocols Based on the RSA
+                         * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
+                         */
+                        ERR_clear_error();
+                        i = SSL_MAX_MASTER_KEY_LENGTH;
+                        p[0] = s->client_version >> 8;
+                        p[1] = s->client_version & 0xff;
+                        RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
+#endif
+                        }
+        
                s->session->master_key_length=
                        s->method->ssl3_enc->generate_master_secret(s,
                                s->session->master_key,

diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index d04232960e..258af84867 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c
@@ -1322,14 +1322,15 @@ static int ssl3_get_client_key_exchange(SSL *s)
1322		1322
1323	i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);	1323	i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
1324		1324
		1325	al = -1;
		1326
1325	if (i != SSL_MAX_MASTER_KEY_LENGTH)	1327	if (i != SSL_MAX_MASTER_KEY_LENGTH)
1326	{	1328	{
1327	al=SSL_AD_DECODE_ERROR;	1329	al=SSL_AD_DECODE_ERROR;
1328	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);	1330	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1329	goto f_err;
1330	}	1331	}
1331		1332
1332	if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))	1333	if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
1333	{	1334	{
1334	/* The premaster secret must contain the same version number as the	1335	/* The premaster secret must contain the same version number as the
1335	* ClientHello to detect version rollback attacks (strangely, the	1336	* ClientHello to detect version rollback attacks (strangely, the
@@ -1347,6 +1348,27 @@ static int ssl3_get_client_key_exchange(SSL *s)
1347	}	1348	}
1348	}	1349	}
1349		1350
		1351	if (al != -1)
		1352	{
		1353	#if 0
		1354	goto f_err;
		1355	#else
		1356	/* Some decryption failure -- use random value instead as countermeasure
		1357	* against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
		1358	* (see RFC 2246, section 7.4.7.1).
		1359	* But note that due to length and protocol version checking, the
		1360	* attack is impractical anyway (see section 5 in D. Bleichenbacher:
		1361	* "Chosen Ciphertext Attacks Against Protocols Based on the RSA
		1362	* Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
		1363	*/
		1364	ERR_clear_error();
		1365	i = SSL_MAX_MASTER_KEY_LENGTH;
		1366	p[0] = s->client_version >> 8;
		1367	p[1] = s->client_version & 0xff;
		1368	RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
		1369	#endif
		1370	}
		1371
1350	s->session->master_key_length=	1372	s->session->master_key_length=
1351	s->method->ssl3_enc->generate_master_secret(s,	1373	s->method->ssl3_enc->generate_master_secret(s,
1352	s->session->master_key,	1374	s->session->master_key,