Fix Bleichenbacher PKCS #1 1.5 countermeasure.

         *) applies to 0.9.6a (/0.9.6b) and 0.9.7

         *) applies to 0.9.6a (/0.9.6b) and 0.9.7

         +) applies to 0.9.7 only

         +) applies to 0.9.7 only

  *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5

     RSA encryption was accidentily removed in s3_srvr.c in OpenSSL 0.9.5

     when fixing the server behaviour for backwards-compatible 'client

     hello' messages.  (Note that the attack is impractical against

     SSL 3.0 and TLS 1.0 anyway because length and version checking

     means that the probability of guessing a valid ciphertext is

     around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98

     paper.)

     Before 0.9.5, the countermeasure (hide the error by generating a

     random 'decryption result') did not work properly because

     ERR_clear_error() was missing, meaning that SSL_get_error() would

     detect the supposedly ignored error.

     Both problems are now fixed.

     [Bodo Moeller]

  *) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096

     (previously it was 1024).

     [Bodo Moeller]

  +) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also

  +) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also

     tidy up some unecessarily weird code in 'sk_new()').

     tidy up some unecessarily weird code in 'sk_new()').

     [Geoff, reported by Diego Tartara <dtartara@novamens.com>]

     [Geoff, reported by Diego Tartara <dtartara@novamens.com>]

	/* bad decrypt */

	/* bad decrypt */

#if 1

#if 1

	/* If a bad decrypt, continue with protocol but with a

	/* If a bad decrypt, continue with protocol but with a

	 * dud master secret */

	 * random master secret (Bleichenbacher attack) */

	if ((i < 0) ||

	if ((i < 0) ||

		((!is_export && (i != EVP_CIPHER_key_length(c)))

		((!is_export && (i != EVP_CIPHER_key_length(c)))

		|| (is_export && ((i != ek) || (s->s2->tmp.clear+i !=

		|| (is_export && ((i != ek) || (s->s2->tmp.clear+i !=

			EVP_CIPHER_key_length(c))))))

			EVP_CIPHER_key_length(c))))))

		{

		{

		ERR_clear_error();

		if (is_export)

		if (is_export)

			i=ek;

			i=ek;

		else

		else

		i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);

		i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);

		al = -1;

		if (i != SSL_MAX_MASTER_KEY_LENGTH)

		if (i != SSL_MAX_MASTER_KEY_LENGTH)

			{

			{

			al=SSL_AD_DECODE_ERROR;

			al=SSL_AD_DECODE_ERROR;

			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);

			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);

			goto f_err;

			}

			}

		if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))

		if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))

			{

			{

			/* The premaster secret must contain the same version number as the

			/* The premaster secret must contain the same version number as the

			 * ClientHello to detect version rollback attacks (strangely, the

			 * ClientHello to detect version rollback attacks (strangely, the

				}

				}

			}

			}

		if (al != -1)

			{

#if 0

			goto f_err;

#else

			/* Some decryption failure -- use random value instead as countermeasure

			 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding

			 * (see RFC 2246, section 7.4.7.1).

			 * But note that due to length and protocol version checking, the

			 * attack is impractical anyway (see section 5 in D. Bleichenbacher:

			 * "Chosen Ciphertext Attacks Against Protocols Based on the RSA

			 * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).

			 */

			ERR_clear_error();

			i = SSL_MAX_MASTER_KEY_LENGTH;

			p[0] = s->client_version >> 8;

			p[1] = s->client_version & 0xff;

			RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */

#endif

			}

		s->session->master_key_length=

		s->session->master_key_length=

			s->method->ssl3_enc->generate_master_secret(s,

			s->method->ssl3_enc->generate_master_secret(s,

				s->session->master_key,

				s->session->master_key,