From 1f49de4b24455ccc504e6255a496b5b2075d0182 Mon Sep 17 00:00:00 2001 From: Anton Salikhmetov Date: Fri, 2 Mar 2018 21:46:34 +0200 Subject: [PATCH] tls: expose Finished messages in TLSSocket Exposes SSL_get_finished and SSL_get_peer_finished routines in OpenSSL as tlsSocket.getFinished and tlsSocket.getPeerFinished, respectively. PR-URL: https://github.com/nodejs/node/pull/19102 Fixes: https://github.com/nodejs/node/issues/19055 Refs: https://github.com/ripple/rippled/issues/2413 Reviewed-By: Fedor Indutny Reviewed-By: James M Snell --- doc/api/tls.md | 35 ++++++++++++++++ lib/_tls_wrap.js | 10 +++++ src/node_crypto.cc | 48 ++++++++++++++++++++++ src/node_crypto.h | 2 + test/parallel/test-tls-finished.js | 66 ++++++++++++++++++++++++++++++ 5 files changed, 161 insertions(+) create mode 100644 test/parallel/test-tls-finished.js diff --git a/doc/api/tls.md b/doc/api/tls.md index e60e3fb8364b82..619c2e571449ca 100644 --- a/doc/api/tls.md +++ b/doc/api/tls.md 
@@ -584,6 +584,23 @@ if called on a server socket. The supported types are `'DH'` and `'ECDH'`. The For Example: `{ type: 'ECDH', name: 'prime256v1', size: 256 }` +### tlsSocket.getFinished() + + +* Returns: {Buffer|undefined} The latest `Finished` message that has been +sent to the socket as part of a SSL/TLS handshake, or `undefined` if +no `Finished` message has been sent yet. + +As the `Finished` messages are message digests of the complete handshake +(with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can +be used for external authentication procedures when the authentication +provided by SSL/TLS is not desired or is not enough. + +Corresponds to the `SSL_get_finished` routine in OpenSSL and may be used +to implement the `tls-unique` channel binding from [RFC 5929][]. + ### tlsSocket.getPeerCertificate([detailed]) + +* Returns: {Buffer|undefined} The latest `Finished` message that is expected +or has actually been received from the socket as part of a SSL/TLS handshake, +or `undefined` if there is no `Finished` message so far. + +As the `Finished` messages are message digests of the complete handshake +(with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can +be used for external authentication procedures when the authentication +provided by SSL/TLS is not desired or is not enough. + +Corresponds to the `SSL_get_peer_finished` routine in OpenSSL and may be used +to implement the `tls-unique` channel binding from [RFC 5929][]. + ### tlsSocket.getProtocol()
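Review bot: in the `tlsSocket.getFinished()` hunk, the sentence "may be used to implement the `tls-unique` channel binding from [RFC 5929][]" does not say which of the two new methods supplies that binding. RFC 5929 defines `tls-unique` as the first `Finished` message of the most recent handshake, which is the client's in a full handshake and the server's when a session is resumed, so a client needs `getFinished()` in the first case and `getPeerFinished()` in the second (and the reverse on the server). A one-sentence note to that effect in both method descriptions would keep callers from binding to the wrong message. Also, "a SSL/TLS handshake" should read "an SSL/TLS handshake" here and in the `getPeerFinished()` hunk.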
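Review bot: in the `tlsSocket.getPeerFinished()` hunk, the paragraph "As the `Finished` messages are message digests of the complete handshake ..." is a verbatim copy of the one added for `getFinished()`; either state it once and point to it from the other entry, or keep both and fix the parenthetical in each: a single TLS 1.0 `Finished` carries 12 bytes (96 bits) of `verify_data`, so "a total of 192 bits" only holds when both peers' messages are counted together, and the SSL 3.0 length (36 bytes) is left as "more". Giving the per-message length, or dropping the sizes and saying only that the digest covers the whole handshake, would be clearer.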