From ced00b4258e86b14bd313b2701b103fd034dbe8c Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Sat, 8 Oct 2016 11:24:09 -0400 Subject: [PATCH] Turn off Finished-based APIs at TLS 1.3 and SSL 3.0. tls-unique isn't defined at TLS 1.3 yet. (Given that it was too small in 1.2, they may just define a new one entirely?) SSL_get_(peer_)finished doesn't work at 1.3 and is only used in lieu of computing tls-unique, also undefined at SSL 3.0. This is in preparation for trimming the copies of the Finished messages we retain. Change-Id: Iace99f2baea92c511c4041c592300dfbbe7226e2 Reviewed-on: https://boringssl-review.googlesource.com/11568 Reviewed-by: Adam Langley --- include/openssl/ssl.h | 5 +++-- ssl/ssl_lib.c | 46 +++++++++++++++++++++++-------------------- 2 files changed, 28 insertions(+), 23 deletions(-) diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 34eac9af..5d09eee5 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -3471,14 +3471,15 @@ OPENSSL_EXPORT int SSL_want(const SSL *ssl); /* SSL_get_finished writes up to |count| bytes of the Finished message sent by * |ssl| to |buf|. It returns the total untruncated length or zero if none has - * been sent yet. + * been sent yet. At SSL 3.0 or TLS 1.3 and later, it returns zero. * * Use |SSL_get_tls_unique| instead. */ OPENSSL_EXPORT size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count); /* SSL_get_peer_finished writes up to |count| bytes of the Finished message * received from |ssl|'s peer to |buf|. It returns the total untruncated length - * or zero if none has been received yet. + * or zero if none has been received yet. At SSL 3.0 or TLS 1.3 and later, it + * returns zero. * * Use |SSL_get_tls_unique| instead. */ OPENSSL_EXPORT size_t SSL_get_peer_finished(const SSL *ssl, void *buf, diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 9c9a0df4..c91fe81a 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1064,6 +1064,13 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) { int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out) { + /* tls-unique is not defined for SSL 3.0 or TLS 1.3. */ + if (!ssl->s3->initial_handshake_complete || + ssl3_protocol_version(ssl) < TLS1_VERSION || + ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { + goto err; + } + /* The tls-unique value is the first Finished message in the handshake, which * is the client's in a full handshake and the server's for a resumption. See * https://tools.ietf.org/html/rfc5929#section-3.1. */ @@ -1078,11 +1085,6 @@ int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len, finished_len = ssl->s3->previous_server_finished_len; } - if (!ssl->s3->initial_handshake_complete || - ssl->version < TLS1_VERSION) { - goto err; - } - *out_len = finished_len; if (finished_len > max_out) { *out_len = max_out; @@ -1232,30 +1234,32 @@ int SSL_set_rfd(SSL *ssl, int fd) { } size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) { - size_t ret = 0; - - if (ssl->s3 != NULL) { - ret = ssl->s3->tmp.finish_md_len; - if (count > ret) { - count = ret; - } - memcpy(buf, ssl->s3->tmp.finish_md, count); + if (!ssl->s3->initial_handshake_complete || + ssl3_protocol_version(ssl) < TLS1_VERSION || + ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { + return 0; } + size_t ret = ssl->s3->tmp.finish_md_len; + if (count > ret) { + count = ret; + } + memcpy(buf, ssl->s3->tmp.finish_md, count); return ret; } size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) { - size_t ret = 0; - - if (ssl->s3 != NULL) { - ret = ssl->s3->tmp.peer_finish_md_len; - if (count > ret) { - count = ret; - } - memcpy(buf, ssl->s3->tmp.peer_finish_md, count); + if (!ssl->s3->initial_handshake_complete || + ssl3_protocol_version(ssl) < TLS1_VERSION || + ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { + return 0; } + size_t ret = ssl->s3->tmp.peer_finish_md_len; + if (count > ret) { + count = ret; + } + memcpy(buf, ssl->s3->tmp.peer_finish_md, count); return ret; }