New functions SSL_get_finished, SSL_get_peer_finished.
authorBodo Möller <bodo@openssl.org>
Thu, 6 Jan 2000 01:19:17 +0000 (01:19 +0000)
committerBodo Möller <bodo@openssl.org>
Thu, 6 Jan 2000 01:19:17 +0000 (01:19 +0000)
Add short state string for MS SGC.

CHANGES
ssl/ssl.h
ssl/ssl_lib.c
ssl/ssl_stat.c

diff --git a/CHANGES b/CHANGES
index 5572e1fd318499d592f91e6fefa7ee6beb1d2314..52e0ffb3f2fa91a64b89dac313191377da516fca 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,16 @@
 
  Changes between 0.9.4 and 0.9.5  [xx XXX 1999]
 
-  *) Clean up 'Finished' handling.
+  *) Clean up 'Finished' handling, and add functions SSL_get_finished and
+     SSL_get_peer_finished to allow applications to obtain the latest
+     Finished messages sent to the peer or expected from the peer,
+     respectively.  (SSL_get_peer_finished is usually the Finished message
+     actually received from the peer, otherwise the protocol will be aborted.)
+
+     As the Finished message are message digests of the complete handshake
+     (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can
+     be used for external authentication procedures when the authentication
+     provided by SSL/TLS is not desired or is not enough.
      [Bodo Moeller]
 
   *) Enhanced support for Alpha Linux is added. Now ./config checks if
index 96c5a93aecacb62968ee5160f528e7337a12d957..636b8bc2a2a82caced6c1c284c27a11e7978b226 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -704,6 +704,13 @@ struct ssl_st
 #define SSL_ST_READ_BODY                       0xF1
 #define SSL_ST_READ_DONE                       0xF2
 
+/* Obtain latest Finished message
+ *   -- that we sent (SSL_get_finished)
+ *   -- that we expected from peer (SSL_get_peer_finished).
+ * Returns length (0 == no Finished so far), copies up to 'count' bytes. */
+size_t SSL_get_finished(SSL *s, void *buf, size_t count);
+size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count);
+
 /* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
  * are 'ored' with SSL_VERIFY_PEER if they are desired */
 #define SSL_VERIFY_NONE                        0x00
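Review bot: The comment added above the two prototypes leaves out two things a caller of a length-then-copy API needs: whether 'buf' may be NULL when 'count' is 0, and that a return value larger than 'count' means the copy was truncated. I would extend the last comment line to ` * Returns length (0 == no Finished so far), copies up to 'count' bytes; a return value greater than 'count' means the copy was truncated. */` and state the NULL-buf rule once the implementation settles it. Since the CHANGES entry positions these values for external authentication, the comment should also say that SSL_get_peer_finished returns the Finished value this side computed as expected from the peer, so it is only meaningful once the handshake has completed successfully.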
index 88ff03b3ac52c0e175f32d7edfc9ae5d54d07c93..02f8d112562bbcd17def13cf1ffdb7dbcaa78816 100644 (file)
@@ -477,6 +477,38 @@ err:
        }
 #endif
 
+
+/* return length of latest Finished message we sent, copy to 'buf' */
+size_t SSL_get_finished(SSL *s, void *buf, size_t count)
+       {
+       size_t ret = 0;
+       
+       if (s->s3 != NULL)
+               {
+               ret = s->s3->tmp.finish_md_len;
+               if (count > ret)
+                       count = ret;
+               memcpy(buf, s->s3->tmp.finish_md, count);
+               }
+       return ret;
+       }
+
+/* return length of latest Finished message we expected, copy to 'buf' */
+size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count)
+       {
+       size_t ret = 0;
+       
+       if (s->s3 != NULL)
+               {
+               ret = s->s3->tmp.peer_finish_md_len;
+               if (count > ret)
+                       count = ret;
+               memcpy(buf, s->s3->tmp.peer_finish_md, count);
+               }
+       return ret;
+       }
+
+
 int SSL_get_verify_mode(SSL *s)
        {
        return(s->verify_mode);
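Review bot: `memcpy(buf, s->s3->tmp.finish_md, count);` in SSL_get_finished is reached with whatever 'buf' the caller passed, and a caller that queries the length with count == 0 and a NULL 'buf' (which nothing in the new header comment rules out) then hands memcpy a NULL pointer, which is undefined behaviour even for a zero length; the same line appears in SSL_get_peer_finished. Guard the copy in both: `if (count > 0) memcpy(buf, s->s3->tmp.finish_md, count);` and likewise for peer_finish_md. The two bodies differ only in the field they read, so a static helper taking the digest pointer and its length would keep the guard and the clamp in one place.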
index 4042c4e75ce3fba2566c0dfe78404b6d56b685e1..1335764fb3e09ff5347268e39cedaa11795ff58f 100644 (file)
@@ -313,6 +313,7 @@ case SSL3_ST_SW_HELLO_REQ_C:                        str="3WHR_C"; break;
 case SSL3_ST_SR_CLNT_HELLO_A:                  str="3RCH_A"; break;
 case SSL3_ST_SR_CLNT_HELLO_B:                  str="3RCH_B"; break;
 case SSL3_ST_SR_CLNT_HELLO_C:                  str="3RCH_C"; break;
+case SSL3_ST_SR_MS_SGC:                                str="3RMSSG"; break;
 case SSL3_ST_SW_SRVR_HELLO_A:                  str="3WSH_A"; break;
 case SSL3_ST_SW_SRVR_HELLO_B:                  str="3WSH_B"; break;
 case SSL3_ST_SW_CERT_A:                                str="3WSC_A"; break;