--- /dev/null
+From fd455d5a5e9fef24c208e7ac7d3a4bc58834cbf1 Mon Sep 17 00:00:00 2001
+From: David Garske <david@wolfssl.com>
+Date: Tue, 14 Nov 2017 14:05:50 -0800
+Subject: [PATCH] Fix for handling of static RSA PKCS formatting failures so
+ they are indistinguishable from from correctly formatted RSA blocks (per
+ RFC5246 section 7.4.7.1). Adjusted the static RSA preMasterSecret RNG
+ creation for consistency in client case. Removed obsolete
+ `PMS_VERSION_ERROR`.
+
+---
+ src/internal.c | 70 +++++++++++++++++++++++++++++++++++++++++++++--------
+ wolfssl/error-ssl.h | 2 +-
+ 2 files changed, 61 insertions(+), 11 deletions(-)
+
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -14190,9 +14190,6 @@ const char* wolfSSL_ERR_reason_error_str
+ case NOT_READY_ERROR :
+ return "handshake layer not ready yet, complete first";
+
+- case PMS_VERSION_ERROR :
+- return "premaster secret version mismatch error";
+-
+ case VERSION_ERROR :
+ return "record layer version error";
+
+@@ -18758,8 +18755,10 @@ int SendClientKeyExchange(WOLFSSL* ssl)
+ #ifndef NO_RSA
+ case rsa_kea:
+ {
++ /* build PreMasterSecret with RNG data */
+ ret = wc_RNG_GenerateBlock(ssl->rng,
+- ssl->arrays->preMasterSecret, SECRET_LEN);
++ &ssl->arrays->preMasterSecret[VERSION_SZ],
++ SECRET_LEN - VERSION_SZ);
+ if (ret != 0) {
+ goto exit_scke;
+ }
+@@ -23545,6 +23544,9 @@ static int DoSessionTicket(WOLFSSL* ssl,
+ word32 idx;
+ word32 begin;
+ word32 sigSz;
++ #ifndef NO_RSA
++ int lastErr;
++ #endif
+ } DckeArgs;
+
+ static void FreeDckeArgs(WOLFSSL* ssl, void* pArgs)
+@@ -23770,6 +23772,14 @@ static int DoSessionTicket(WOLFSSL* ssl,
+ ERROR_OUT(BUFFER_ERROR, exit_dcke);
+ }
+
++ /* pre-load PreMasterSecret with RNG data */
++ ret = wc_RNG_GenerateBlock(ssl->rng,
++ &ssl->arrays->preMasterSecret[VERSION_SZ],
++ SECRET_LEN - VERSION_SZ);
++ if (ret != 0) {
++ goto exit_dcke;
++ }
++
+ args->output = NULL;
+ break;
+ } /* rsa_kea */
+@@ -24234,6 +24244,20 @@ static int DoSessionTicket(WOLFSSL* ssl,
+ NULL, 0, NULL
+ #endif
+ );
++
++ /* Errors that can occur here that should be
++ * indistinguishable:
++ * RSA_BUFFER_E, RSA_PAD_E and RSA_PRIVATE_ERROR
++ */
++ if (ret < 0 && ret != BAD_FUNC_ARG) {
++ #ifdef WOLFSSL_ASYNC_CRYPT
++ if (ret == WC_PENDING_E)
++ goto exit_dcke;
++ #endif
++ /* store error code for handling below */
++ args->lastErr = ret;
++ ret = 0;
++ }
+ break;
+ } /* rsa_kea */
+ #endif /* !NO_RSA */
+@@ -24380,16 +24404,42 @@ static int DoSessionTicket(WOLFSSL* ssl,
+ /* Add the signature length to idx */
+ args->idx += args->length;
+
+- if (args->sigSz == SECRET_LEN && args->output != NULL) {
+- XMEMCPY(ssl->arrays->preMasterSecret, args->output, SECRET_LEN);
+- if (ssl->arrays->preMasterSecret[0] != ssl->chVersion.major ||
+- ssl->arrays->preMasterSecret[1] != ssl->chVersion.minor) {
+- ERROR_OUT(PMS_VERSION_ERROR, exit_dcke);
++ #ifdef DEBUG_WOLFSSL
++ /* check version (debug warning message only) */
++ if (args->output != NULL) {
++ if (args->output[0] != ssl->chVersion.major ||
++ args->output[1] != ssl->chVersion.minor) {
++ WOLFSSL_MSG("preMasterSecret version mismatch");
+ }
+ }
++ #endif
++
++ /* RFC5246 7.4.7.1:
++ * Treat incorrectly formatted message blocks and/or
++ * mismatched version numbers in a manner
++ * indistinguishable from correctly formatted RSA blocks
++ */
++
++ ret = args->lastErr;
++ args->lastErr = 0; /* reset */
++
++ /* build PreMasterSecret */
++ ssl->arrays->preMasterSecret[0] = ssl->chVersion.major;
++ ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor;
++ if (ret == 0 && args->sigSz == SECRET_LEN &&
++ args->output != NULL) {
++ XMEMCPY(&ssl->arrays->preMasterSecret[VERSION_SZ],
++ &args->output[VERSION_SZ],
++ SECRET_LEN - VERSION_SZ);
++ }
+ else {
+- ERROR_OUT(RSA_PRIVATE_ERROR, exit_dcke);
++ /* preMasterSecret has RNG and version set */
++ /* return proper length and ignore error */
++ /* error will be caught as decryption error */
++ args->sigSz = SECRET_LEN;
++ ret = 0;
+ }
++
+ break;
+ } /* rsa_kea */
+ #endif /* !NO_RSA */
+--- a/wolfssl/error-ssl.h
++++ b/wolfssl/error-ssl.h
+@@ -57,7 +57,7 @@ enum wolfSSL_ErrorCodes {
+ DOMAIN_NAME_MISMATCH = -322, /* peer subject name mismatch */
+ WANT_READ = -323, /* want read, call again */
+ NOT_READY_ERROR = -324, /* handshake layer not ready */
+- PMS_VERSION_ERROR = -325, /* pre m secret version error */
++
+ VERSION_ERROR = -326, /* record layer version error */
+ WANT_WRITE = -327, /* want write, call again */
+ BUFFER_ERROR = -328, /* malformed buffer input */