3 files changed, 19 insertions, 2 deletions

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 721c3ba3cb..81e45a758e 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1833,10 +1833,13 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
 		}
 	else
 		{
+		/* aNULL or kPSK do not need public keys */
 		if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK))
-			/* aNULL or kPSK do not need public keys */
 			{
-			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
+			/* Might be wrong key type, check it */
+			if (ssl3_check_cert_and_algorithm(s))
+				/* Otherwise this shouldn't happen */
+				SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
 			goto err;
 			}
 		/* still data left over */
@@ -3334,6 +3337,16 @@ int ssl3_check_cert_and_algorithm(SSL *s)
 			return 1;
 			}
 		}
+	else if (alg_a & SSL_aECDSA)
+		{
+		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_ECDSA_SIGNING_CERT);
+		goto f_err;
+		}
+	else if (alg_k & (SSL_kECDHr|SSL_kECDHe))
+		{
+		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_ECDH_CERT);
+		goto f_err;
+		}
 #endif
 	pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
 	i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 73bb026723..c5d45049a0 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2624,6 +2624,8 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_MISSING_DH_KEY				 163
 #define SSL_R_MISSING_DH_RSA_CERT			 164
 #define SSL_R_MISSING_DSA_SIGNING_CERT			 165
+#define SSL_R_MISSING_ECDH_CERT				 382
+#define SSL_R_MISSING_ECDSA_SIGNING_CERT		 381
 #define SSL_R_MISSING_EXPORT_TMP_DH_KEY			 166
 #define SSL_R_MISSING_EXPORT_TMP_RSA_KEY		 167
 #define SSL_R_MISSING_RSA_CERTIFICATE			 168
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 4a7d7f2194..119a43c6a5 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -431,6 +431,8 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_MISSING_DH_KEY)        ,"missing dh key"},
 {ERR_REASON(SSL_R_MISSING_DH_RSA_CERT)   ,"missing dh rsa cert"},
 {ERR_REASON(SSL_R_MISSING_DSA_SIGNING_CERT),"missing dsa signing cert"},
+{ERR_REASON(SSL_R_MISSING_ECDH_CERT)     ,"missing ecdh cert"},
+{ERR_REASON(SSL_R_MISSING_ECDSA_SIGNING_CERT),"missing ecdsa signing cert"},
 {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY),"missing export tmp dh key"},
 {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY),"missing export tmp rsa key"},
 {ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE),"missing rsa certificate"},