- if (s->options & SSL_OP_TLS_ROLLBACK_BUG) {
- unsigned char workaround_good;
- workaround_good = constant_time_eq_8(rsa_decrypt[padding_len],
- (unsigned)(s->version >> 8));
- workaround_good &=
- constant_time_eq_8(rsa_decrypt[padding_len + 1],
- (unsigned)(s->version & 0xff));
- version_good |= workaround_good;
- }
-
- /*
- * Both decryption and version must be good for decrypt_good to
- * remain non-zero (0xff).
- */
- decrypt_good &= version_good;
-
- /*
- * Now copy rand_premaster_secret over from p using
- * decrypt_good_mask. If decryption failed, then p does not
- * contain valid plaintext, however, a check above guarantees
- * it is still sufficiently large to read from.
- */
- for (j = 0; j < sizeof(rand_premaster_secret); j++) {
- rsa_decrypt[padding_len + j] =
- constant_time_select_8(decrypt_good,
- rsa_decrypt[padding_len + j],
- rand_premaster_secret[j]);
+ if (outlen != SSL_MAX_MASTER_KEY_LENGTH) {
+ OPENSSL_cleanse(rsa_decrypt, SSL_MAX_MASTER_KEY_LENGTH);
+ SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
+ SSL_R_DECRYPTION_FAILED);
+ goto err;