diff -up openssl-1.0.1e/ssl/s3_clnt.c.ecdh-downgrade openssl-1.0.1e/ssl/s3_clnt.c

--- openssl-1.0.1e/ssl/s3_clnt.c.ecdh-downgrade	2015-01-12 16:37:49.978126895 +0100

+++ openssl-1.0.1e/ssl/s3_clnt.c	2015-01-12 17:02:01.740959687 +0100

@@ -1287,6 +1287,8 @@ int ssl3_get_key_exchange(SSL *s)

 	int encoded_pt_len = 0;

 #endif

+	EVP_MD_CTX_init(&md_ctx);

+

 	/* use same message size as in ssl3_get_certificate_request()

 	 * as ServerKeyExchange message may be skipped */

 	n=s->method->ssl_get_message(s,

@@ -1297,14 +1299,26 @@ int ssl3_get_key_exchange(SSL *s)

 		&ok;;

 	if (!ok) return((int)n);

+	alg_k=s->s3->tmp.new_cipher->algorithm_mkey;

+

 	if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)

 		{

+		/*

+		 * Can't skip server key exchange if this is an ephemeral

+		 * ciphersuite.

+		 */

+		if (alg_k & (SSL_kEDH|SSL_kEECDH))

+			{

+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);

+			al = SSL_AD_UNEXPECTED_MESSAGE;

+			goto f_err;

+			}

 #ifndef OPENSSL_NO_PSK

 		/* In plain PSK ciphersuite, ServerKeyExchange can be

 		   omitted if no identity hint is sent. Set

 		   session->sess_cert anyway to avoid problems

 		   later.*/

-		if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)

+		if (alg_k & SSL_kPSK)

 			{

 			s->session->sess_cert=ssl_sess_cert_new();

 			if (s->ctx->psk_identity_hint)

@@ -1347,9 +1361,8 @@ int ssl3_get_key_exchange(SSL *s)

 		}

 	param_len=0;

-	alg_k=s->s3->tmp.new_cipher->algorithm_mkey;

+

 	alg_a=s->s3->tmp.new_cipher->algorithm_auth;

-	EVP_MD_CTX_init(&md_ctx);

 #ifndef OPENSSL_NO_PSK

 	if (alg_k & SSL_kPSK)