openssl/sme8/openssl-fips-0.9.8e-cve-2014-3510.patch

diff -up openssl-fips-0.9.8e/ssl/d1_clnt.c.adh-dos openssl-fips-0.9.8e/ssl/d1_clnt.c
--- openssl-fips-0.9.8e/ssl/d1_clnt.c.adh-dos   2014-08-08 10:53:54.843106757 +0200
+++ openssl-fips-0.9.8e/ssl/d1_clnt.c   2014-08-08 11:45:44.900665548 +0200
@@ -727,6 +727,13 @@ int dtls1_send_client_key_exchange(SSL *
                        RSA *rsa;
                        unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
 
+                       if (s->session->sess_cert == NULL)
+                               {
+                               /* We should always have a server certificate with SSL_kRSA. */
+                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
+                               goto err;
+                               }
+
                        if (s->session->sess_cert->peer_rsa_tmp != NULL)
                                rsa=s->session->sess_cert->peer_rsa_tmp;
                        else
@@ -917,6 +924,13 @@ int dtls1_send_client_key_exchange(SSL *
                        {
                        DH *dh_srvr,*dh_clnt;
 
+                       if (s->session->sess_cert == NULL)
+                               {
+                               ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
+                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
+                               goto err;
+                               }
+
                        if (s->session->sess_cert->peer_dh_tmp != NULL)
                                dh_srvr=s->session->sess_cert->peer_dh_tmp;
                        else
@@ -1158,5 +1172,3 @@ int dtls1_send_client_certificate(SSL *s
        /* SSL3_ST_CW_CERT_D */
        return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
        }
-
-
diff -up openssl-fips-0.9.8e/ssl/s3_clnt.c.adh-dos openssl-fips-0.9.8e/ssl/s3_clnt.c
--- openssl-fips-0.9.8e/ssl/s3_clnt.c.adh-dos   2014-08-08 10:53:54.897107025 +0200
+++ openssl-fips-0.9.8e/ssl/s3_clnt.c   2014-08-08 11:45:44.901665552 +0200
@@ -1675,6 +1675,13 @@ int ssl3_send_client_key_exchange(SSL *s
                        RSA *rsa;
                        unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
 
+                       if (s->session->sess_cert == NULL)
+                               {
+                               /* We should always have a server certificate with SSL_kRSA. */
+                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
+                               goto err;
+                               }
+
                        if (s->session->sess_cert->peer_rsa_tmp != NULL)
                                rsa=s->session->sess_cert->peer_rsa_tmp;
                        else
1	diff -up openssl-fips-0.9.8e/ssl/d1_clnt.c.adh-dos openssl-fips-0.9.8e/ssl/d1_clnt.c
2	--- openssl-fips-0.9.8e/ssl/d1_clnt.c.adh-dos 2014-08-08 10:53:54.843106757 +0200
3	+++ openssl-fips-0.9.8e/ssl/d1_clnt.c 2014-08-08 11:45:44.900665548 +0200
4	@@ -727,6 +727,13 @@ int dtls1_send_client_key_exchange(SSL *
5	RSA *rsa;
6	unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
7
8	+ if (s->session->sess_cert == NULL)
9	+ {
10	+ /* We should always have a server certificate with SSL_kRSA. */
11	+ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
12	+ goto err;
13	+ }
14	+
15	if (s->session->sess_cert->peer_rsa_tmp != NULL)
16	rsa=s->session->sess_cert->peer_rsa_tmp;
17	else
18	@@ -917,6 +924,13 @@ int dtls1_send_client_key_exchange(SSL *
19	{
20	DH dh_srvr,dh_clnt;
21
22	+ if (s->session->sess_cert == NULL)
23	+ {
24	+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
25	+ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
26	+ goto err;
27	+ }
28	+
29	if (s->session->sess_cert->peer_dh_tmp != NULL)
30	dh_srvr=s->session->sess_cert->peer_dh_tmp;
31	else
32	@@ -1158,5 +1172,3 @@ int dtls1_send_client_certificate(SSL *s
33	/* SSL3_ST_CW_CERT_D */
34	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
35	}
36	-
37	-
38	diff -up openssl-fips-0.9.8e/ssl/s3_clnt.c.adh-dos openssl-fips-0.9.8e/ssl/s3_clnt.c
39	--- openssl-fips-0.9.8e/ssl/s3_clnt.c.adh-dos 2014-08-08 10:53:54.897107025 +0200
40	+++ openssl-fips-0.9.8e/ssl/s3_clnt.c 2014-08-08 11:45:44.901665552 +0200
41	@@ -1675,6 +1675,13 @@ int ssl3_send_client_key_exchange(SSL *s
42	RSA *rsa;
43	unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
44
45	+ if (s->session->sess_cert == NULL)
46	+ {
47	+ /* We should always have a server certificate with SSL_kRSA. */
48	+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
49	+ goto err;
50	+ }
51	+
52	if (s->session->sess_cert->peer_rsa_tmp != NULL)
53	rsa=s->session->sess_cert->peer_rsa_tmp;
54	else