| s3_srvr.c (72613) | s3_srvr.c (79998) |
|---|---|
| 1/* ssl/s3_srvr.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * --- 1308 unchanged lines hidden (view full) --- 1317 p-=2; 1318 } 1319 else 1320 n=i; 1321 } 1322 1323 i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING); 1324 | 1/* ssl/s3_srvr.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * --- 1308 unchanged lines hidden (view full) --- 1317 p-=2; 1318 } 1319 else 1320 n=i; 1321 } 1322 1323 i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING); 1324 |
| 1325 al = -1; 1326 |
|
| 1325 if (i != SSL_MAX_MASTER_KEY_LENGTH) 1326 { 1327 al=SSL_AD_DECODE_ERROR; 1328 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); | 1327 if (i != SSL_MAX_MASTER_KEY_LENGTH) 1328 { 1329 al=SSL_AD_DECODE_ERROR; 1330 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); |
| 1329 goto f_err; | |
| 1330 } 1331 | 1331 } 1332 |
| 1332 if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) | 1333 if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) |
| 1333 { 1334 /* The premaster secret must contain the same version number as the 1335 * ClientHello to detect version rollback attacks (strangely, the 1336 * protocol does not offer such protection for DH ciphersuites). 1337 * However, buggy clients exist that send the negotiated protocol 1338 * version instead if the server does not support the requested 1339 * protocol version. 1340 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */ 1341 if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && 1342 (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) 1343 { 1344 al=SSL_AD_DECODE_ERROR; 1345 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); 1346 goto f_err; 1347 } 1348 } 1349 | 1334 { 1335 /* The premaster secret must contain the same version number as the 1336 * ClientHello to detect version rollback attacks (strangely, the 1337 * protocol does not offer such protection for DH ciphersuites). 1338 * However, buggy clients exist that send the negotiated protocol 1339 * version instead if the server does not support the requested 1340 * protocol version. 1341 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */ 1342 if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && 1343 (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) 1344 { 1345 al=SSL_AD_DECODE_ERROR; 1346 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); 1347 goto f_err; 1348 } 1349 } 1350 |
| 1351 if (al != -1) 1352 { 1353#if 0 1354 goto f_err; 1355#else 1356 /* Some decryption failure -- use random value instead as countermeasure 1357 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding 1358 * (see RFC 2246, section 7.4.7.1). 1359 * But note that due to length and protocol version checking, the 1360 * attack is impractical anyway (see section 5 in D. Bleichenbacher: 1361 * "Chosen Ciphertext Attacks Against Protocols Based on the RSA 1362 * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12). 1363 */ 1364 ERR_clear_error(); 1365 i = SSL_MAX_MASTER_KEY_LENGTH; 1366 p[0] = s->client_version >> 8; 1367 p[1] = s->client_version & 0xff; 1368 RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */ 1369#endif 1370 } 1371 |
|
| 1350 s->session->master_key_length= 1351 s->method->ssl3_enc->generate_master_secret(s, 1352 s->session->master_key, 1353 p,i); 1354 memset(p,0,i); 1355 } 1356 else 1357#endif --- 398 unchanged lines hidden --- | 1372 s->session->master_key_length= 1373 s->method->ssl3_enc->generate_master_secret(s, 1374 s->session->master_key, 1375 p,i); 1376 memset(p,0,i); 1377 } 1378 else 1379#endif --- 398 unchanged lines hidden --- |