Turn off Finished-based APIs at TLS 1.3 and SSL 3.0.

tls-unique isn't defined at TLS 1.3 yet. (Given that it was too small in
1.2, they may just define a new one entirely?) SSL_get_(peer_)finished
doesn't work at 1.3 and is only used in lieu of computing tls-unique,
which is also undefined at SSL 3.0.

This is in preparation for trimming the copies of the Finished messages
we retain.

Change-Id: Iace99f2baea92c511c4041c592300dfbbe7226e2
Reviewed-on: https://boringssl-review.googlesource.com/11568
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 34eac9a..5d09eee 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -3471,14 +3471,15 @@
 
  /* SSL_get_finished writes up to |count| bytes of the Finished message sent by
   * |ssl| to |buf|. It returns the total untruncated length or zero if none has
-  * been sent yet.
+  * been sent yet. At SSL 3.0 or TLS 1.3 and later, it returns zero.
   *
   * Use |SSL_get_tls_unique| instead. */
 OPENSSL_EXPORT size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count);
 
  /* SSL_get_peer_finished writes up to |count| bytes of the Finished message
   * received from |ssl|'s peer to |buf|. It returns the total untruncated length
-  * or zero if none has been received yet.
+  * or zero if none has been received yet. At SSL 3.0 or TLS 1.3 and later, it
+  * returns zero.
   *
   * Use |SSL_get_tls_unique| instead. */
 OPENSSL_EXPORT size_t SSL_get_peer_finished(const SSL *ssl, void *buf,
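Review bot: The reworded comments on SSL_get_finished and SSL_get_peer_finished understate the new behaviour: judging by the ssl_lib.c hunk, both functions now also return zero until `initial_handshake_complete` is set, whereas before they returned the stored length as soon as a Finished was recorded. "zero if none has been sent yet" no longer covers the window between sending Finished and completing the handshake, which matters for a caller that queries the value from a handshake callback. Suggest, for the send side, `* |ssl| to |buf|. It returns the total untruncated length, or zero if the initial` / `* handshake has not completed or at SSL 3.0 or TLS 1.3 and later.`, and the matching wording on the peer variant.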
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 9c9a0df..c91fe81 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1064,6 +1064,13 @@
 
 int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,
                        size_t max_out) {
+  /* tls-unique is not defined for SSL 3.0 or TLS 1.3. */
+  if (!ssl->s3->initial_handshake_complete ||
+      ssl3_protocol_version(ssl) < TLS1_VERSION ||
+      ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
+    goto err;
+  }
+
   /* The tls-unique value is the first Finished message in the handshake, which
    * is the client's in a full handshake and the server's for a resumption. See
    * https://tools.ietf.org/html/rfc5929#section-3.1. */
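Review bot: The new three-clause guard at the top of SSL_get_tls_unique is the same condition the commit adds verbatim to SSL_get_finished and SSL_get_peer_finished later in this file, and the three copies will drift if the version range ever changes again (the commit message itself anticipates a new TLS 1.3 binding). It also relies on a subtle ordering — `initial_handshake_complete` must be tested before `ssl3_protocol_version` is consulted, since the version is only meaningful once negotiated — that nothing documents. A single static helper keeps the rule and its ordering in one place; SSL_get_tls_unique's body and its `err` label continue outside the hunk.
```c
/* ssl_finished_apis_available returns one if the Finished-based APIs
 * (tls-unique, SSL_get_finished, SSL_get_peer_finished) are defined for
 * |ssl|'s negotiated version, i.e. TLS 1.0 through 1.2 once the initial
 * handshake is complete. The handshake check must come first: the protocol
 * version is only meaningful after negotiation. */
static int ssl_finished_apis_available(const SSL *ssl) {
  return ssl->s3->initial_handshake_complete &&
         ssl3_protocol_version(ssl) >= TLS1_VERSION &&
         ssl3_protocol_version(ssl) < TLS1_3_VERSION;
}

int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,
                       size_t max_out) {
  /* tls-unique is not defined for SSL 3.0 or TLS 1.3. */
  if (!ssl_finished_apis_available(ssl)) {
    goto err;
  }
  /* … unchanged: select the first Finished message of the handshake … */
```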
@@ -1078,11 +1085,6 @@
     finished_len = ssl->s3->previous_server_finished_len;
   }
 
-  if (!ssl->s3->initial_handshake_complete ||
-      ssl->version < TLS1_VERSION) {
-    goto err;
-  }
-
   *out_len = finished_len;
   if (finished_len > max_out) {
     *out_len = max_out;
@@ -1232,30 +1234,32 @@
 }
 
 size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) {
-  size_t ret = 0;
-
-  if (ssl->s3 != NULL) {
-    ret = ssl->s3->tmp.finish_md_len;
-    if (count > ret) {
-      count = ret;
-    }
-    memcpy(buf, ssl->s3->tmp.finish_md, count);
+  if (!ssl->s3->initial_handshake_complete ||
+      ssl3_protocol_version(ssl) < TLS1_VERSION ||
+      ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
+    return 0;
   }
 
+  size_t ret = ssl->s3->tmp.finish_md_len;
+  if (count > ret) {
+    count = ret;
+  }
+  memcpy(buf, ssl->s3->tmp.finish_md, count);
   return ret;
 }
 
 size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) {
-  size_t ret = 0;
-
-  if (ssl->s3 != NULL) {
-    ret = ssl->s3->tmp.peer_finish_md_len;
-    if (count > ret) {
-      count = ret;
-    }
-    memcpy(buf, ssl->s3->tmp.peer_finish_md, count);
+  if (!ssl->s3->initial_handshake_complete ||
+      ssl3_protocol_version(ssl) < TLS1_VERSION ||
+      ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
+    return 0;
   }
 
+  size_t ret = ssl->s3->tmp.peer_finish_md_len;
+  if (count > ret) {
+    count = ret;
+  }
+  memcpy(buf, ssl->s3->tmp.peer_finish_md, count);
   return ret;
 }