Explicitly check for empty certificate list.

The NULL checks later on notice, but failing with
SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS on accident is confusing.
Require that the message be non-empty.

Change-Id: Iddfac6a3ae6e6dc66c3de41d3bb26e133c0c6e1d
Reviewed-on: https://boringssl-review.googlesource.com/5046
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index e1b8eb0..a9c5738 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -943,9 +943,10 @@
   }
 
   if (!CBS_get_u24_length_prefixed(&cbs, &certificate_list) ||
+      CBS_len(&certificate_list) == 0 ||
       CBS_len(&cbs) != 0) {
     al = SSL_AD_DECODE_ERROR;
-    OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_LENGTH_MISMATCH);
+    OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_DECODE_ERROR);
     goto f_err;
   }