ECDH downgrade bug fix.

Fix bug where an OpenSSL client would accept a handshake using an
ephemeral ECDH ciphersuites with the server key exchange message omitted.

Thanks to Karthikeyan Bhargavan for reporting this issue.

CVE-2014-3572
Reviewed-by: Matt Caswell <matt@openssl.org>

(cherry picked from commit b15f8769644b00ef7283521593360b7b2135cb63)

Conflicts:
	CHANGES
	ssl/s3_clnt.c

2 files changed, 20 insertions, 2 deletions

diff --git a/CHANGES b/CHANGES
index 60a45965d3..75da406b62 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,13 @@
 
  Changes between 0.9.8zc and 0.9.8zd [xx XXX xxxx]
 
+  *) Abort handshake if server key exchange message is omitted for ephemeral
+     ECDH ciphersuites.
+
+     Thanks to Karthikeyan Bhargavan for reporting this issue.
+     (CVE-2014-3572)
+     [Steve Henson]
+
   *) Fix various certificate fingerprint issues.
 
      By using non-DER or invalid encodings outside the signed portion of a
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 4828937566..256fc94e26 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1123,8 +1123,21 @@ int ssl3_get_key_exchange(SSL *s)
 
 	if (!ok) return((int)n);
 
+	alg=s->s3->tmp.new_cipher->algorithms;
+	EVP_MD_CTX_init(&md_ctx);
+
 	if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
 		{
+		/*
+		 * Can't skip server key exchange if this is an ephemeral
+		 * ciphersuite.
+		 */
+		if (alg & (SSL_kEDH|SSL_kECDHE))
+			{
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
+			al = SSL_AD_UNEXPECTED_MESSAGE;
+			goto f_err;
+			}
 		s->s3->tmp.reuse_message=1;
 		return(1);
 		}
@@ -1162,8 +1175,6 @@ int ssl3_get_key_exchange(SSL *s)
 
 	/* Total length of the parameters including the length prefix */
 	param_len=0;
-	alg=s->s3->tmp.new_cipher->algorithms;
-	EVP_MD_CTX_init(&md_ctx);
 
 	al=SSL_AD_DECODE_ERROR;
 #ifndef OPENSSL_NO_RSA