From 9ae9cbc0c7c8a4629a6b68bdc690fe85d82b35ca Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Tue, 19 Jul 2016 17:20:58 +0100
Subject: [PATCH] Send alert on CKE error.

RT#4610

Reviewed-by: Rich Salz <rsalz@openssl.org>
---
 ssl/s3_srvr.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 299f85b2fb..803afd8fa4 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2678,12 +2678,14 @@ int ssl3_get_client_key_exchange(SSL *s)
             i = *p;
             p += 1;
             if (n != 1 + i) {
-                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
-                goto err;
+                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
+                al = SSL_AD_DECODE_ERROR;
+                goto f_err;
             }
             if (EC_POINT_oct2point(group, clnt_ecpoint, p, i, bn_ctx) == 0) {
                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
-                goto err;
+                al = SSL_AD_HANDSHAKE_FAILURE;
+                goto f_err;
             }
             /*
              * p is pointing to somewhere in the buffer currently, so set it
-- 
2.40.0