From 2c0980d2fad0ed7d87f32a28f0d4f4527b32b9d9 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Fri, 20 Jan 2017 17:00:03 +0000
Subject: [PATCH] Make calls to SSL_renegotiate() error out for TLSv1.3
When we have support for KeyUpdate we might consider doing that instead.
Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/2259)
---
ssl/ssl_lib.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index e9b566bea8..49c504d719 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1716,9 +1716,12 @@ int SSL_shutdown(SSL *s)
int SSL_renegotiate(SSL *s)
{
- /* Do nothing in TLS1.3 */
+ /*
+ * TODO(TLS1.3): Return an error for now. Perhaps we should do a KeyUpdate
+ * instead when we support that?
+ */
if (SSL_IS_TLS13(s))
- return 1;
+ return 0;
if (s->renegotiate == 0)
s->renegotiate = 1;
@@ -1730,9 +1733,12 @@ int SSL_renegotiate(SSL *s)
int SSL_renegotiate_abbreviated(SSL *s)
{
- /* Do nothing in TLS1.3 */
+ /*
+ * TODO(TLS1.3): Return an error for now. Perhaps we should do a KeyUpdate
+ * instead when we support that?
+ */
if (SSL_IS_TLS13(s))
- return 1;
+ return 0;
if (s->renegotiate == 0)
s->renegotiate = 1;
--
2.25.1
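Review bot: The new `return 0;` under `if (SSL_IS_TLS13(s))` in SSL_renegotiate signals failure without putting anything on the error queue, so the comment's "Return an error for now" is only half true: a caller that checks ERR_get_error() after the 0 return sees nothing and cannot distinguish this protocol-version refusal from any other failure. Queuing a reason code before returning, e.g. `SSLerr(SSL_F_SSL_RENEGOTIATE, SSL_R_WRONG_SSL_VERSION);` (the function code may need adding to the generated error tables if it does not exist yet), and bracing the now two-statement body would make the refusal diagnosable and match how the rest of this file reports errors. The same applies to the second hunk in SSL_renegotiate_abbreviated. The diffstat shows only ssl/ssl_lib.c changing, so the SSL_renegotiate(3) return-value documentation presumably still describes the old "succeeds on TLSv1.3" behaviour and should state that these calls now fail for TLSv1.3 connections. Both functions continue past the end of their hunks.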