Updates following review feedback

Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2609)
2017-02-14 11:20:44 +00:00 · 2017-02-14 11:20:44 +00:00 · f14afcaa42
commit f14afcaa42
parent 82f992cbe0
5 changed files with 11 additions and 9 deletions
--- a/apps/s_client.c
+++ b/apps/s_client.c
@ -2608,8 +2608,8 @@ int s_client_main(int argc, char **argv)
                cbuf_len = 0;
            }

-            if ((!c_ign_eof) && ((cbuf[0] == 'K' || cbuf[0] == 'k' )
-                                 && cmdletters)) {
+            if (!c_ign_eof && (cbuf[0] == 'K' || cbuf[0] == 'k' )
+                    && cmdletters) {
                BIO_printf(bio_err, "KEYUPDATE\n");
                SSL_key_update(con,
                               cbuf[0] == 'K' ? SSL_KEY_UPDATE_REQUESTED
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@ -1720,6 +1720,11 @@ int SSL_shutdown(SSL *s)

 int SSL_key_update(SSL *s, SSL_KEY_UPDATE updatetype)
 {
+    /*
+     * TODO(TLS1.3): How will applications know whether TLSv1.3+ has been
+     * negotiated, and that it is appropriate to call SSL_key_update() instead
+     * of SSL_renegotiate().
+     */
    if (!SSL_IS_TLS13(s)) {
        SSLerr(SSL_F_SSL_KEY_UPDATE, SSL_R_WRONG_SSL_VERSION);
        return 0;
@ -1737,9 +1742,7 @@ int SSL_key_update(SSL *s, SSL_KEY_UPDATE updatetype)
    }

    ossl_statem_set_in_init(s, 1);
-
    s->key_update = updatetype;
-
    return 1;
 }

--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@ -996,10 +996,8 @@ struct ssl_st {
    EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */
    unsigned char write_iv[EVP_MAX_IV_LENGTH]; /* TLSv1.3 static write IV */
    EVP_MD_CTX *write_hash;     /* used for mac generation */
-
    /* Count of how many KeyUpdate messages we have received */
    unsigned int key_update_count;
-
    /* session info */
    /* client cert? */
    /* This is used to hold the server certificate used */
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@ -503,15 +503,13 @@ int tls_construct_key_update(SSL *s, WPACKET *pkt)
    }

    s->key_update = SSL_KEY_UPDATE_NONE;
-
    return 1;
+
 err:
    ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
    return 0;
 }

-#define MAX_KEY_UPDATE_MESSAGES     32
-
 MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
 {
    int al;
--- a/ssl/statem/statem_locl.h
+++ b/ssl/statem/statem_locl.h
@ -28,6 +28,9 @@
 /* Max should actually be 36 but we are generous */
 #define FINISHED_MAX_LENGTH             64

+/* The maximum number of incoming KeyUpdate messages we will accept */
+#define MAX_KEY_UPDATE_MESSAGES     32
+
 /* Extension context codes */
 /* This extension is only allowed in TLS */
 #define EXT_TLS_ONLY                        0x0001