From dab18ab596acb35eff2545643e25757e4f9cd777 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Thu, 7 May 2015 00:04:48 +0100
Subject: Digest cached records if not sending a certificate.

If server requests a certificate, but the client doesn't send one, cache
digested records. This is an optimisation and ensures the correct finished
mac is used when extended master secret is used with client authentication.

Reviewed-by: Tim Hudson <tjh@openssl.org>
---
 ssl/s3_clnt.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index ea4503fbcb..86b7994ca4 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -3348,6 +3348,11 @@ int ssl3_send_client_certificate(SSL *s)
                 return (1);
             } else {
                 s->s3->tmp.cert_req = 2;
+                if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s)) {
+                    ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+                    s->state = SSL_ST_ERR;
+                    return 0;
+                }
             }
         }
 
-- 
cgit v1.2.3