crypto/tls: RFC 9266: Channel Bindings for TLS 1.3 support

[Neustradamus]

Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?

• https://datatracker.ietf.org/doc/html/rfc9266

Channel Bindings for TLS: https://datatracker.ietf.org/doc/html/rfc5929

• XEP-0388: Extensible SASL Profile: https://xmpp.org/extensions/xep-0388.html
• XEP-0440: SASL Channel-Binding Type Capability: https://xmpp.org/extensions/xep-0440.html
• XEP-0474: SASL SCRAM Downgrade Protection: https://xmpp.org/extensions/xep-0474.html
• XEP-0480: SASL Upgrade Tasks: https://xmpp.org/extensions/xep-0480.html

Little details, to know easily:

• tls-unique for TLS =< 1.2
• tls-server-end-point
• tls-exporter for TLS = 1.3

Thanks in advance.

[ianlancetaylor]

CC @golang/security @FiloSottile

[cherrymui]

I guess this will be added to the crypto/tls package? What would the support look like? Thanks.

[Neustradamus]

@cherrymui: Yes :)

It is linked to:

• https://github.com/golang/go/commit/fce63888cecd22dfc01bf1b6dcb5a1429aecbc17
• https://github.com/golang/go/issues/18842 + https://github.com/golang/go/commit/7bd968fbfdfd943d8bfc3f6f48b47c5fe990f9ba
• https://github.com/golang/go/commit/039c2081d1178f90a8fa2f4e6958693129f8de33
• https://github.com/golang/go/search?q=tlsunique
• https://github.com/golang/go/search?q=tls+unique
• https://github.com/golang/go/search?q=tls+binding

cc: @agl, @andres-erbsen, @FiloSottile, @codesenberg, @seankhliao.

[Neustradamus]

Dear all,

I have update the main description about tls-unique, tls-server-end-point, tls-exporter and I have added XEP-0388/XEP-0440/XEP-0474 links.

I think that you have seen the jabber.ru MITM:

• https://notes.valdikss.org.ru/jabber.ru-mitm/
• https://snikket.org/blog/on-the-jabber-ru-mitm/
• https://www.devever.net/~hl/xmpp-incident
• https://blog.jmp.chat/b/certwatch

[FiloSottile]

RFC 9266, Section 2, says

"tls-exporter" uses Exported Keying Material (EKM), which is already widely exposed by TLS implementations

Indeed, we already support EKM via ConnectionState.ExportKeyingMaterial.

What do you need us to change in crypto/tls?

[Neustradamus]

@FiloSottile: Thanks for your answer but there is not an announcement in code: RFC5929 / RFC9266 And I do not find:

• tls-unique
• tls-server-end-point
• tls-exporter

Example GnuTLS:

• tls-unique: https://gitlab.com/search?search=tls-unique&nav_source=navbar&project_id=179611&group_id=121613&search_code=true&repository_ref=master
• tls-exporter: https://gitlab.com/search?search=tls-exporter&nav_source=navbar&project_id=179611&group_id=121613&search_code=true&repository_ref=master
• tls-server-end-point: https://gitlab.com/search?search=tls-server-end-point&nav_source=navbar&project_id=179611&group_id=121613&search_code=true&repository_ref=master
• rfc5929: https://gitlab.com/search?search=rfc5929&nav_source=navbar&project_id=179611&group_id=121613&search_code=true&repository_ref=master
• rfc9266: https://gitlab.com/search?search=rfc9266&nav_source=navbar&project_id=179611&group_id=121613&search_code=true&repository_ref=master

[morphf]

Is there an update on this?

[WantTrueNerds]

I think the crypto/tls library already provides support for everything needed to perform channel binding.

• "tls-unique" appears to be supported here: https://github.com/golang/go/blob/252fbaf30fab5542f959d3ead59258440a0e0903/src/crypto/tls/common.go#L290
• "tls-server-end-point", according to the RFC, simply requires using the hash of the server TLS certificate.
• "tls-exporter" appears to be supported here: https://github.com/golang/go/blob/252fbaf30fab5542f959d3ead59258440a0e0903/src/crypto/tls/common.go#L318

Assuming my understanding of the RFC is correct, it appears like everything needed to implement channel binding in other libraries is already available. It would then be up to the downstream libraries (such as go-ldap, etc...) to implement channel binding using these attributes.

Note - the title of this issue mentions specifically TLSv1.3, however it is clear from the initial description that the ask is also intended to include TLSv1.2. The reason I say this is because "tis-unique" is only required to complete channel binding in TLSv1.2, and not TLSv1.3.

P.S. I didn't mean to single out go-ldap here, just used it as an example.