Closed ehuelsmann closed 1 year ago
... carefully keeps the Net::SSLeay object to itself.
You can get the underlying SSL object with _get_ssl_object and the SSL context with _get_ctx_object. So you should be able to do
Net::SSLeay::get_finished($socket->_get_ssl_object, my $buf);
Net::SSLeay::get_peer_finished($socket->_get_ssl_object, my $peer_buf);
Ok. That method was explicitly marked for internal use, so I didn't want to use it. But if it's what you advise, then I'll use that. Thanks!
Hi,
I'm working to bring SCRAM-SHA- authentication to Perl's Authen::SASL. I've managed to create SCRAM-SHA-1 up to SCRAM-SHA-512. However, I'd like to implement the -PLUS variants too. The PLUS variant is about supporting channel binding. For TLS connections up to 1.2, channel binding has been defined to use tls-unique which wants the peers to include the last "Finished message" in the authentication. Net::SSLeay has supported the callback since 1.82.
At the moment, IO::Socket::SSL does not expose the call as an API on the socket and it carefully keeps the Net::SSLeay object to itself. To keep the latter while still supporting the SASL SCRAM *-PLUS variants, I'd like to request that IO::Socket::SSL grows a call to retrieve the "get_finished" and "get_peer_finished" data.
Thanks for considering my request!
Regards,
Erik.
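An added example, not part of the original thread and not code from IO::Socket::SSL or Authen::SASL: one way to turn the two calls suggested above into tls-unique channel-binding data and the SCRAM `c=` attribute. The helper names `tls_unique_cbind_data` and `scram_plus_c_attribute` are hypothetical; the choice of Finished message follows RFC 5929, the `c=` encoding follows RFC 5802, and no authzid is assumed.

```perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);
use Net::SSLeay 1.82;    # version the thread gives for get_finished support

# Hypothetical helper: return the tls-unique channel-binding data for an
# established IO::Socket::SSL connection. $is_client is true on the client.
sub tls_unique_cbind_data {
    my ($socket, $is_client) = @_;

    # _get_ssl_object is the internal accessor suggested in the thread.
    my $ssl = $socket->_get_ssl_object
        or die "no TLS session on this socket\n";

    # The thread scopes tls-unique to TLS up to 1.2; refuse anything else.
    my $version = Net::SSLeay::get_version($ssl);
    die "tls-unique is not usable with $version\n"
        unless $version =~ /^TLSv1(?:\.[12])?$/;

    # tls-unique is the FIRST Finished message of the latest handshake:
    # sent by the client in a full handshake, by the server when the
    # session was resumed. Both peers must select the same message.
    my $resumed     = Net::SSLeay::session_reused($ssl);
    my $client_sent = !$resumed;
    my $use_own     = $is_client ? $client_sent : !$client_sent;

    my $buf;
    my $len = $use_own
        ? Net::SSLeay::get_finished($ssl, $buf)
        : Net::SSLeay::get_peer_finished($ssl, $buf);
    die "no Finished message available\n"
        unless $len && defined $buf && length $buf;
    return $buf;
}

# Hypothetical helper: build the SCRAM "c=" attribute for a -PLUS mechanism,
# base64(gs2-header || channel-binding data), with an empty authzid.
sub scram_plus_c_attribute {
    my ($cbind_data) = @_;
    my $gs2_header = 'p=tls-unique,,';
    return 'c=' . encode_base64($gs2_header . $cbind_data, '');
}

1;
```

The server side calls `tls_unique_cbind_data` with a false `$is_client` and rejects the authentication when the decoded `c=` value does not match its own view of the connection.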