From b9c93d0d0a002f880b65e8fb4410aab1d7dd33a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= <mpg@elzevir.fr>
Date: Tue, 23 Jun 2015 13:53:15 +0200
Subject: [PATCH] Fix earlier incomplete change in RSA PMS reading

Probably a bad merge from the 1.3 branch
---
 library/ssl_srv.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 0a61f487ad..c5e1c4e9a2 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2959,7 +2959,8 @@ static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
     unsigned char ver[2];
     unsigned char fake_pms[48], peer_pms[48];
     unsigned char mask;
-    size_t i, diff, peer_pmslen;
+    size_t i, peer_pmslen;
+    unsigned int diff;
 
     if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) )
     {
@@ -2992,6 +2993,7 @@ static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
     mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
                        ssl->handshake->max_minor_ver,
                        ssl->conf->transport, ver );
+
     /*
      * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
      * must not cause the connection to end immediately; instead, send a
@@ -3008,10 +3010,10 @@ static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
                       sizeof( peer_pms ),
                       ssl->conf->f_rng, ssl->conf->p_rng );
 
-    diff  = (size_t) ret;
+    diff  = (unsigned int) ret;
     diff |= peer_pmslen ^ 48;
-    diff |= peer_pms[0] ^ ssl->handshake->max_major_ver;
-    diff |= peer_pms[1] ^ ssl->handshake->max_minor_ver;
+    diff |= peer_pms[0] ^ ver[0];
+    diff |= peer_pms[1] ^ ver[1];
 
 #if defined(MBEDTLS_SSL_DEBUG_ALL)
     if( diff != 0 )
@@ -3026,8 +3028,8 @@ static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
     }
     ssl->handshake->pmslen = 48;
 
-    mask = ( diff | - diff ) >> ( sizeof( size_t ) * 8 - 1 );
-    mask = (unsigned char)( - ( ret != 0 ) ); /* mask = diff ? 0xff : 0x00 */
+    /* mask = diff ? 0xff : 0x00 */
+    mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
     for( i = 0; i < ssl->handshake->pmslen; i++ )
         pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );