Turn off Finished-based APIs at TLS 1.3 and SSL 3.0.
tls-unique isn't defined at TLS 1.3 yet. (Given that it was too small in
1.2, they may just define a new one entirely?) SSL_get_(peer_)finished
doesn't work at 1.3 and is only used in lieu of computing tls-unique,
also undefined at SSL 3.0.
This is in preparation for trimming the copies of the Finished messages
we retain.
Change-Id: Iace99f2baea92c511c4041c592300dfbbe7226e2
Reviewed-on: https://boringssl-review.googlesource.com/11568
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 34eac9a..5d09eee 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -3471,14 +3471,15 @@
/* SSL_get_finished writes up to |count| bytes of the Finished message sent by
* |ssl| to |buf|. It returns the total untruncated length or zero if none has
- * been sent yet.
+ * been sent yet. At SSL 3.0 or TLS 1.3 and later, it returns zero.
*
* Use |SSL_get_tls_unique| instead. */
OPENSSL_EXPORT size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count);
/* SSL_get_peer_finished writes up to |count| bytes of the Finished message
* received from |ssl|'s peer to |buf|. It returns the total untruncated length
- * or zero if none has been received yet.
+ * or zero if none has been received yet. At SSL 3.0 or TLS 1.3 and later, it
+ * returns zero.
*
* Use |SSL_get_tls_unique| instead. */
OPENSSL_EXPORT size_t SSL_get_peer_finished(const SSL *ssl, void *buf,
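Review bot: the phrase "At SSL 3.0 or TLS 1.3 and later" in both new comment lines (the `+ * been sent yet. At SSL 3.0 or TLS 1.3 and later, it returns zero.` line and the matching one for SSL_get_peer_finished) is easy to misread as "SSL 3.0 and later"; consider "At SSL 3.0, and at TLS 1.3 and later, it returns zero." Also, both comments still end with "Use |SSL_get_tls_unique| instead.", but the commit message states that tls-unique is undefined at TLS 1.3 and at SSL 3.0, so that pointer sends callers to a function that cannot help them at exactly the versions where these now return zero; a short note that SSL_get_tls_unique is likewise unavailable at those versions would keep the two comments consistent. Finally, this hunk changes only the documented contract; the diff as shown does not include the implementation that makes SSL_get_finished and SSL_get_peer_finished actually return zero at these versions, so that change should land in the same review so the header never promises behaviour the library does not yet have.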