From: Matt Caswell Date: Fri, 20 Jan 2017 17:00:03 +0000 (+0000) Subject: Make calls to SSL_renegotiate() error out for TLSv1.3 X-Git-Tag: OpenSSL_1_1_1-pre1~2548 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=2c0980d2fad0ed7d87f32a28f0d4f4527b32b9d9;p=oweals%2Fopenssl.git Make calls to SSL_renegotiate() error out for TLSv1.3 When we have support for KeyUpdate we might consider doing that instead. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/2259) --- diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index e9b566bea8..49c504d719 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1716,9 +1716,12 @@ int SSL_shutdown(SSL *s) int SSL_renegotiate(SSL *s) { - /* Do nothing in TLS1.3 */ + /* + * TODO(TLS1.3): Return an error for now. Perhaps we should do a KeyUpdate + * instead when we support that? + */ if (SSL_IS_TLS13(s)) - return 1; + return 0; if (s->renegotiate == 0) s->renegotiate = 1; @@ -1730,9 +1733,12 @@ int SSL_renegotiate(SSL *s) int SSL_renegotiate_abbreviated(SSL *s) { - /* Do nothing in TLS1.3 */ + /* + * TODO(TLS1.3): Return an error for now. Perhaps we should do a KeyUpdate + * instead when we support that? + */ if (SSL_IS_TLS13(s)) - return 1; + return 0; if (s->renegotiate == 0) s->renegotiate = 1;
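Review bot: In the SSL_renegotiate() hunk, the new `if (SSL_IS_TLS13(s)) return 0;` path reports failure without putting anything on the error queue in the visible lines, so a caller that sees 0 and then reads the error queue finds no reason for it. Consider raising an error with SSLerr() before the return, with a reason saying that renegotiation is not available on a TLSv1.3 connection, so this failure can be told apart from other causes.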
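Review bot: In the SSL_renegotiate_abbreviated() hunk, the TLSv1.3 branch flips from `return 1;` to `return 0;`, so existing callers that check the result will now see failure on a TLSv1.3 connection where they previously saw success, and the diff touches only ssl/ssl_lib.c. A matching note in the function's documentation and in the changelog would tell applications what to expect. The TODO comment and the check are also copied verbatim from SSL_renegotiate(); a small shared helper would keep the two in step if the KeyUpdate idea in the TODO is taken up later.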