From 4365c3f522f2fc57fa0c87bde5f25ea98dd9a59c Mon Sep 17 00:00:00 2001
From: Daniel Bathgate <dbathgate@google.com>
Date: Thu, 14 Apr 2016 17:18:02 -0400
Subject: [PATCH] Send an error rather than assert when decrypt_len !=
 rsa_size.

With SSL_PRIVATE_KEY_METHOD, decryption can happen outside of BoringSSL. Rather than crash the process, it would be nicer if BoringSSL handled the error gracefully.

Change-Id: I3f24d066f7a329d41420b208a7e13c82ec966710
Reviewed-on: https://boringssl-review.googlesource.com/7683
Reviewed-by: David Benjamin <davidben@google.com>
---
 ssl/s3_srvr.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index bc874c75..0821b3a2 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1575,7 +1575,11 @@ int ssl3_get_client_key_exchange(SSL *ssl) {
         goto err;
     }
 
-    assert(decrypt_len == rsa_size);
+    if (decrypt_len != rsa_size) {
+      al = SSL_AD_DECRYPT_ERROR;
+      OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
+      goto f_err;
+    }
 
     /* Prepare a random premaster, to be used on invalid padding. See RFC 5246,
      * section 7.4.7.1. */