-rw-r--r--lib/handshake.c1
-rw-r--r--lib/tls13/key_update.c17
2 files changed, 12 insertions, 6 deletions
diff --git a/lib/handshake.c b/lib/handshake.c
index 14bcdea56a..044b70e2a8 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -2926,6 +2926,7 @@ int gnutls_handshake(gnutls_session_t session)
if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)) {
ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX);
if (ret < 0) {
+ /* no need to invalidate the session as keys were not set */
session->internals.ktls_enabled = 0;
_gnutls_audit_log(session,
"disabling KTLS: failed to set keys\n");
diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c
index acfda41290..e366093887 100644
--- a/lib/tls13/key_update.c
+++ b/lib/tls13/key_update.c
@@ -38,13 +38,15 @@
* because KTLS most likely doesn't support key update.
*/
#define SET_KTLS_KEYS(session, interface)\
-{\
- if(_gnutls_ktls_set_keys(session, interface) < 0) {\
+if(_gnutls_ktls_set_keys(session, interface) < 0) {\
session->internals.ktls_enabled = 0;\
- _gnutls_audit_log(session, \
- "disabling KTLS: couldn't update keys\n");\
- }\
-}
+ session->internals.invalid_connection = true;\
+ _gnutls_audit_log(session,\
+ "disabling KTLS: couldn't update keys\n");\
+ _gnutls_audit_log(session,\
+ "invalidating session: No ktls fallback mechanism\n");\
+ ret = GNUTLS_E_INTERNAL_ERROR;\
+}\
static int update_keys(gnutls_session_t session, hs_stage_t stage)
{
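Review bot: The rewritten SET_KTLS_KEYS macro at L31–L43 is now a bare `if` statement rather than a block, which makes an invocation of the form `if (cond) SET_KTLS_KEYS(...) else ...` bind the `else` to the macro's inner `if`; wrapping the expansion as `#define SET_KTLS_KEYS(session, interface) do { \` ... `} while (0)` removes that hazard and also lets call sites end in a semicolon. The macro also assigns to `ret` (L42) without taking it as a parameter, so it silently depends on every caller declaring an `int ret` in scope and on that caller returning it before overwriting it; at minimum a comment above the macro such as `/* requires an int `ret` in the calling scope; sets it on failure */` should say so. The trailing backslash on L43 continues the macro onto the following blank line, which is harmless but stray. The comment that introduces the macro starts before the hunk and still speaks of "KTLS most likely doesn't support key update" as the reason for disabling KTLS, which reads as a fallback rather than the new invalidate-the-session behaviour; it is worth updating in the same change.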
@@ -64,6 +66,9 @@ static int update_keys(gnutls_session_t session, hs_stage_t stage)
* write keys */
if (session->internals.recv_state == RECV_STATE_EARLY_START) {
ret = _tls13_write_connection_state_init(session, stage);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND))
SET_KTLS_KEYS(session, GNUTLS_KTLS_SEND)
} else {
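Review bot: After `SET_KTLS_KEYS(session, GNUTLS_KTLS_SEND)` at L54 the failure it reports is only recorded in `ret`, and nothing in the hunk returns on it; whether the error survives depends on the rest of update_keys, which continues beyond the hunk, not reassigning `ret` before it is returned. Making the failure path local, as the new check at L50–L51 already does for `_tls13_write_connection_state_init`, would be safer: `if (ret < 0) return gnutls_assert_val(ret);` directly after the macro invocation. Since the session is already marked invalid by the macro, continuing past this point only risks masking the error behind a later successful call.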