SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
 Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896

1 files changed, 7 insertions, 0 deletions

diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c
index 6981852b5b..ed0fcfc532 100644
--- a/src/lib/libssl/s3_both.c
+++ b/src/lib/libssl/s3_both.c
@@ -161,6 +161,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
 
                 i=s->method->ssl3_enc->final_finish_mac(s,
                         sender,slen,s->s3->tmp.finish_md);
+                if (i == 0)
+                        return 0;
                 s->s3->tmp.finish_md_len = i;
                 memcpy(p, s->s3->tmp.finish_md, i);
                 p+=i;
@@ -208,6 +210,11 @@ static void ssl3_take_mac(SSL *s) {
         const char *sender;
         int slen;
 
+        /* If no new cipher setup return immediately: other functions will
+         * set the appropriate error.
+         */
+        if (s->s3->tmp.new_cipher == NULL)
+                return;
         if (s->state & SSL_ST_CONNECT)
                 {
                 sender=s->method->ssl3_enc->server_finished_label;