Fix server-side KeyUpdates.

We sized the post-handshake message limit for the older zero-length KeyUpdate and forgot to update it when it got larger. Thanks to Matt Caswell for catching this. Change-Id: I7d2189479e9516fbfb6c195dfa367794d383582c Reviewed-on: https://boringssl-review.googlesource.com/13805 Reviewed-by: Steven Valdez <[email protected]> Reviewed-by: David Benjamin <[email protected]> Commit-Queue: David Benjamin <[email protected]> CQ-Verified: CQ bot account: [email protected] <[email protected]>
ClickHouse · Feb 10, 2017 · 7ebe61a · 7ebe61a
1 parent bc6ef7a
commit 7ebe61a
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
@@ -496,7 +496,7 @@ size_t ssl_max_handshake_message_len(const SSL *ssl) {
   if (ssl->server) {
     /* The largest acceptable post-handshake message for a server is a
      * KeyUpdate. We will never initiate post-handshake auth. */
-    return 0;
+    return 1;
   }
 
   /* Clients must accept NewSessionTicket and CertificateRequest, so allow the

diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
@@ -2290,7 +2290,16 @@ func addBasicTests() {
 			expectedError: ":WRONG_VERSION_NUMBER:",
 		},
 		{
-			name: "KeyUpdate",
+			name: "KeyUpdate-Client",
+			config: Config{
+				MaxVersion: VersionTLS13,
+			},
+			sendKeyUpdates:   1,
+			keyUpdateRequest: keyUpdateNotRequested,
+		},
+		{
+			testType: serverTest,
+			name:     "KeyUpdate-Server",
 			config: Config{
 				MaxVersion: VersionTLS13,
 			},