Make calls to SSL_renegotiate() error out for TLSv1.3
author Matt Caswell <matt@openssl.org>
Fri, 20 Jan 2017 17:00:03 +0000 (17:00 +0000)
committer Matt Caswell <matt@openssl.org>
Mon, 30 Jan 2017 10:18:23 +0000 (10:18 +0000)
When we have support for KeyUpdate we might consider doing that instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

ssl/ssl_lib.c

index e9b566bea8bb2060af9768a6d2a9dbdfae8b4934..49c504d719ba71b91c9249eed541bea9217c2ee4 100644 (file)
@@ -1716,9 +1716,12 @@ int SSL_shutdown(SSL *s)
 
 int SSL_renegotiate(SSL *s)
 {
-    /* Do nothing in TLS1.3 */
+    /*
+     * TODO(TLS1.3): Return an error for now. Perhaps we should do a KeyUpdate
+     * instead when we support that?
+     */
     if (SSL_IS_TLS13(s))
-        return 1;
+        return 0;
 
     if (s->renegotiate == 0)
         s->renegotiate = 1;
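Review bot: The new `return 0;` for the `SSL_IS_TLS13(s)` case reports failure without pushing anything onto the error queue, so a caller that checks `ERR_get_error()` after a 0 return sees nothing and cannot tell a TLSv1.3 connection from any other failure; consider raising an error at that point so the reason is diagnosable. This is also a behaviour change from the previous `return 1;` (callers that treated a successful return as "renegotiation in progress" will now get failure on TLSv1.3 connections), so the SSL_renegotiate(3) manual page should state that the call fails for TLSv1.3 until the KeyUpdate alternative mentioned in the TODO exists.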
@@ -1730,9 +1733,12 @@ int SSL_renegotiate(SSL *s)
 
 int SSL_renegotiate_abbreviated(SSL *s)
 {
-    /* Do nothing in TLS1.3 */
+    /*
+     * TODO(TLS1.3): Return an error for now. Perhaps we should do a KeyUpdate
+     * instead when we support that?
+     */
     if (SSL_IS_TLS13(s))
-        return 1;
+        return 0;
 
     if (s->renegotiate == 0)
         s->renegotiate = 1;
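Review bot: This hunk repeats the same four-line TODO comment and the same `if (SSL_IS_TLS13(s)) return 0;` check as in `SSL_renegotiate()` above; since both functions share the TLSv1.3 early-out and the `s->renegotiate` handling that follows it, consider moving the version check into a small static helper so the two sites cannot drift apart when the KeyUpdate replacement is implemented. As with the first hunk, the bare `return 0;` leaves no entry on the error queue, and the `SSL_renegotiate_abbreviated` description in the manual page should note the TLSv1.3 failure as well.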