Turn off Finished-based APIs at TLS 1.3 and SSL 3.0.

tls-unique isn't defined at TLS 1.3 yet. (Given that it was too small in 1.2, they may just define a new one entirely?) SSL_get_(peer_)finished doesn't work at 1.3 and is only used in lieu of computing tls-unique, also undefined at SSL 3.0. This is in preparation for trimming the copies of the Finished messages we retain. Change-Id: Iace99f2baea92c511c4041c592300dfbbe7226e2 Reviewed-on: https://boringssl-review.googlesource.com/11568 Reviewed-by: Adam Langley <agl@google.com>
2016-10-08 11:24:09 -04:00 · 2016-10-08 11:24:09 -04:00 · ced00b4258
commit ced00b4258
parent a4c8ff0190
2 changed files with 28 additions and 23 deletions
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@ -3471,14 +3471,15 @@ OPENSSL_EXPORT int SSL_want(const SSL *ssl);

 /* SSL_get_finished writes up to |count| bytes of the Finished message sent by
  * |ssl| to |buf|. It returns the total untruncated length or zero if none has
-  * been sent yet.
+  * been sent yet. At SSL 3.0 or TLS 1.3 and later, it returns zero.
  *
  * Use |SSL_get_tls_unique| instead. */
 OPENSSL_EXPORT size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count);

 /* SSL_get_peer_finished writes up to |count| bytes of the Finished message
  * received from |ssl|'s peer to |buf|. It returns the total untruncated length
-  * or zero if none has been received yet.
+  * or zero if none has been received yet. At SSL 3.0 or TLS 1.3 and later, it
+  * returns zero.
  *
  * Use |SSL_get_tls_unique| instead. */
 OPENSSL_EXPORT size_t SSL_get_peer_finished(const SSL *ssl, void *buf,
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@ -1064,6 +1064,13 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) {

 int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,
                       size_t max_out) {
+  /* tls-unique is not defined for SSL 3.0 or TLS 1.3. */
+  if (!ssl->s3->initial_handshake_complete ||
+      ssl3_protocol_version(ssl) < TLS1_VERSION ||
+      ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
+    goto err;
+  }
+
  /* The tls-unique value is the first Finished message in the handshake, which
   * is the client's in a full handshake and the server's for a resumption. See
   * https://tools.ietf.org/html/rfc5929#section-3.1. */
@ -1078,11 +1085,6 @@ int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,
    finished_len = ssl->s3->previous_server_finished_len;
  }

-  if (!ssl->s3->initial_handshake_complete ||
-      ssl->version < TLS1_VERSION) {
-    goto err;
-  }
-
  *out_len = finished_len;
  if (finished_len > max_out) {
    *out_len = max_out;
@ -1232,30 +1234,32 @@ int SSL_set_rfd(SSL *ssl, int fd) {
 }

 size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) {
-  size_t ret = 0;
-
-  if (ssl->s3 != NULL) {
-    ret = ssl->s3->tmp.finish_md_len;
-    if (count > ret) {
-      count = ret;
-    }
-    memcpy(buf, ssl->s3->tmp.finish_md, count);
+  if (!ssl->s3->initial_handshake_complete ||
+      ssl3_protocol_version(ssl) < TLS1_VERSION ||
+      ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
+    return 0;
  }

+  size_t ret = ssl->s3->tmp.finish_md_len;
+  if (count > ret) {
+    count = ret;
+  }
+  memcpy(buf, ssl->s3->tmp.finish_md, count);
  return ret;
 }

 size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) {
-  size_t ret = 0;
-
-  if (ssl->s3 != NULL) {
-    ret = ssl->s3->tmp.peer_finish_md_len;
-    if (count > ret) {
-      count = ret;
-    }
-    memcpy(buf, ssl->s3->tmp.peer_finish_md, count);
+  if (!ssl->s3->initial_handshake_complete ||
+      ssl3_protocol_version(ssl) < TLS1_VERSION ||
+      ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
+    return 0;
  }

+  size_t ret = ssl->s3->tmp.peer_finish_md_len;
+  if (count > ret) {
+    count = ret;
+  }
+  memcpy(buf, ssl->s3->tmp.peer_finish_md, count);
  return ret;
 }