From 50a0af2e41ea61a79c19c17f9e87541e283ba8bf Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Mon, 7 Aug 2023 14:45:55 +0100
Subject: [PATCH] TLS KeyUpdate messages are not allowed in QUIC

We already disallowed the sending of TLS KeyUpdate messages. We also treat the receipt of a TLS KeyUpdate message as an unexpected message.

RFC 9001 section 6:
Endpoints MUST treat the receipt of a TLS KeyUpdate message as a connection error of type 0x010a, equivalent to a fatal TLS alert of unexpected_message; see Section 4.8.

Reviewed-by: Hugo Landau
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/21686)
---
 ssl/statem/statem_clnt.c | 2 +-
 ssl/statem/statem_srvr.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 655b6ac17a..9336363ca1 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -184,7 +184,7 @@ static int ossl_statem_client13_read_transition(SSL_CONNECTION *s, int mt)
         st->hand_state = TLS_ST_CR_SESSION_TICKET;
         return 1;
     }
-    if (mt == SSL3_MT_KEY_UPDATE) {
+    if (mt == SSL3_MT_KEY_UPDATE && !SSL_IS_QUIC_HANDSHAKE(s)) {
         st->hand_state = TLS_ST_CR_KEY_UPDATE;
         return 1;
     }
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index b1ece8dd97..67865b85fa 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -156,7 +156,7 @@ static int ossl_statem_server13_read_transition(SSL_CONNECTION *s, int mt)
 #endif
     }
-    if (mt == SSL3_MT_KEY_UPDATE) {
+    if (mt == SSL3_MT_KEY_UPDATE && !SSL_IS_QUIC_HANDSHAKE(s)) {
         st->hand_state = TLS_ST_SR_KEY_UPDATE;
         return 1;
     }
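Review bot: The new `!SSL_IS_QUIC_HANDSHAKE(s)` term on the KeyUpdate condition in ossl_statem_client13_read_transition carries no comment, so a reader cannot tell from the condition alone that a QUIC KeyUpdate is meant to fall through to the unexpected-message rejection that, per the commit message, sits later in the function outside this hunk. Suggest adding above the condition `/* RFC 9001 s6: TLS KeyUpdate is not permitted over QUIC; fall through so it is rejected as unexpected_message */`, and the same comment on the parallel hunk in ssl/statem/statem_srvr.c. The diffstat lists only the two state-machine files, so a QUIC-side test that delivers a KeyUpdate and expects the unexpected_message failure would be worth adding so the fall-through contract stays enforced if the tail of either function is later reordered. Both enclosing functions start and end outside their hunks.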