}
s->key_update = SSL_KEY_UPDATE_NONE;
-
return 1;
+
err:
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return 0;
}
-
MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
{
+ int al;
unsigned int updatetype;
+ s->key_update_count++;
+ if (s->key_update_count > MAX_KEY_UPDATE_MESSAGES) {
+ al = SSL_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_TLS_PROCESS_KEY_UPDATE, SSL_R_TOO_MANY_KEY_UPDATES);
+ goto err;
+ }
+
if (!PACKET_get_1(pkt, &updatetype)
|| PACKET_remaining(pkt) != 0
|| (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
&& updatetype != SSL_KEY_UPDATE_REQUESTED)) {
- ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
+ al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_KEY_UPDATE, SSL_R_BAD_KEY_UPDATE);
- ossl_statem_set_error(s);
- return MSG_PROCESS_ERROR;
+ goto err;
}
/*
if (updatetype == SSL_KEY_UPDATE_REQUESTED)
s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
+ if (!tls13_update_key(s, 0)) {
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_KEY_UPDATE, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+
return MSG_PROCESS_FINISHED_READING;
+ err:
+ ssl3_send_alert(s, SSL3_AL_FATAL, al);
+ ossl_statem_set_error(s);
+ return MSG_PROCESS_ERROR;
}
#ifndef OPENSSL_NO_NEXTPROTONEG
return SSL_R_UNSUPPORTED_PROTOCOL;
if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
- else if ((method->flags & SSL_METHOD_NO_FIPS) != 0 && FIPS_mode())
- return SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE;
return 0;
}
* Work out what version we should be using for the initial ClientHello if the
* version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
* options, the MinProtocol and MaxProtocol configuration commands, any Suite B
- * or FIPS_mode() constraints and any floor imposed by the security level here,
+ * constraints and any floor imposed by the security level here,
* so we don't advertise the wrong protocol version to only reject the outcome later.
*
* Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,