Use memmove() instead of memcpy() on areas that may overlap.

[openssl.git] / ssl / s3_srvr.c

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 0a46e4ab74e4316e7afa6f513ae7f88220d63211..0b0eceedb014f508140c18b3356cfea14a0dfa5f 100644 (file)
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -158,7 +158,7 @@ int ssl3_accept(SSL *s)
 
                        if ((s->version>>8) != 3)
                                {
-                               SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_INTERNAL_ERROR);
+                               SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
                                return -1;
                                }
                        s->type=SSL_ST_ACCEPT;
@@ -1005,7 +1005,7 @@ static int ssl3_send_server_key_exchange(SSL *s)
                        if (s->s3->tmp.dh != NULL)
                                {
                                DH_free(dh);
-                               SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_INTERNAL_ERROR);
+                               SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
                                goto err;
                                }
 
@@ -1333,14 +1333,15 @@ static int ssl3_get_client_key_exchange(SSL *s)
 
                i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
 
+               al = -1;
+               
                if (i != SSL_MAX_MASTER_KEY_LENGTH)
                        {
                        al=SSL_AD_DECODE_ERROR;
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
-                       goto f_err;
                        }
 
-               if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
+               if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
                        {
                        /* The premaster secret must contain the same version number as the
                         * ClientHello to detect version rollback attacks (strangely, the
@@ -1358,6 +1359,27 @@ static int ssl3_get_client_key_exchange(SSL *s)
                                }
                        }
 
+               if (al != -1)
+                       {
+#if 0
+                       goto f_err;
+#else
+                       /* Some decryption failure -- use random value instead as countermeasure
+                        * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
+                        * (see RFC 2246, section 7.4.7.1).
+                        * But note that due to length and protocol version checking, the
+                        * attack is impractical anyway (see section 5 in D. Bleichenbacher:
+                        * "Chosen Ciphertext Attacks Against Protocols Based on the RSA
+                        * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
+                        */
+                       ERR_clear_error();
+                       i = SSL_MAX_MASTER_KEY_LENGTH;
+                       p[0] = s->client_version >> 8;
+                       p[1] = s->client_version & 0xff;
+                       RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
+#endif
+                       }
+       
                s->session->master_key_length=
                        s->method->ssl3_enc->generate_master_secret(s,
                                s->session->master_key,
@@ -1612,7 +1634,7 @@ static int ssl3_get_cert_verify(SSL *s)
        else
 #endif
                {
-               SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_INTERNAL_ERROR);
+               SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR);
                al=SSL_AD_UNSUPPORTED_CERTIFICATE;
                goto f_err;
                }
@@ -1802,7 +1824,7 @@ int ssl3_send_server_certificate(SSL *s)
                                 & (SSL_MKEY_MASK|SSL_AUTH_MASK))
                         != (SSL_aKRB5|SSL_kKRB5))
                        {
-                       SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,SSL_R_INTERNAL_ERROR);
+                       SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
                        return(0);
                        }