Limit the number of KeyUpdate messages we can process

Too many KeyUpdate message could be inicative of a problem (e.g. an infinite KeyUpdate loop if the peer always responds to a KeyUpdate message with an "update_requested" KeyUpdate response), or (conceivably) an attack. Either way we limit the number of KeyUpdate messages we are prepared to handle. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2609)
author: Matt Caswell <matt@openssl.org> 2017-02-13 11:55:38 +0000
committer: Matt Caswell <matt@openssl.org> 2017-02-17 10:28:00 +0000
commit: 82f992cbe0db628879aae4bf3ddd95cfcb1098a5 (patch)
tree: d2d18ff28dbe453e55ac3378e059cb53a1d7090c /ssl/ssl_err.c
parent: 57389a3261075cc1266218742434aa749cf3733e (diff)
download: openssl-82f992cbe0db628879aae4bf3ddd95cfcb1098a5.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index ec2b41dabf..341712cdb7 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -764,6 +764,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
      "tls illegal exporter label"},
     {ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),
      "tls invalid ecpointformat list"},
+    {ERR_REASON(SSL_R_TOO_MANY_KEY_UPDATES), "too many key updates"},
     {ERR_REASON(SSL_R_TOO_MANY_WARN_ALERTS), "too many warn alerts"},
     {ERR_REASON(SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS),
      "unable to find ecdh parameters"},
author	Matt Caswell <matt@openssl.org>	2017-02-13 11:55:38 +0000
committer	Matt Caswell <matt@openssl.org>	2017-02-17 10:28:00 +0000
commit	82f992cbe0db628879aae4bf3ddd95cfcb1098a5 (patch)
tree	d2d18ff28dbe453e55ac3378e059cb53a1d7090c /ssl/ssl_err.c
parent	57389a3261075cc1266218742434aa749cf3733e (diff)
download	openssl-82f992cbe0db628879aae4bf3ddd95cfcb1098a5.tar.gz