proposal: crypto/tls: implement RFC 9266: Channel Bindings for TLS 1.3: tls-exporter support

[Neustradamus]

Proposal Details

Dear Golang team, @andres-erbsen (who has added "tls-unique", a part of the RFC 5929),

Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?

• https://datatracker.ietf.org/doc/html/rfc9266

Channel Bindings for TLS: https://datatracker.ietf.org/doc/html/rfc5929

• XEP-0388: Extensible SASL Profile: https://xmpp.org/extensions/xep-0388.html
• XEP-0440: SASL Channel-Binding Type Capability: https://xmpp.org/extensions/xep-0440.html
• XEP-0474: SASL SCRAM Downgrade Protection: https://xmpp.org/extensions/xep-0474.html
• XEP-0480: SASL Upgrade Tasks: https://xmpp.org/extensions/xep-0480.html

Little details, to know easily:

• tls-unique for TLS =< 1.2 (RFC5929)
• tls-server-end-point =< 1.2 + 1.3 (RFC5929)
• tls-exporter for TLS = 1.3 (RFC9266)

After the jabber.ru MITM, it is time to add it:

• https://notes.valdikss.org.ru/jabber.ru-mitm/
• https://snikket.org/blog/on-the-jabber-ru-mitm/
• https://www.devever.net/~hl/xmpp-incident
• https://blog.jmp.chat/b/certwatch/certwatch

Thanks in advance.

Linked to:

• Channel Binding: State of Play scram-sasl/info#1
• https://github.com/golang-auth/go-channelbinding
• https://github.com/search?q=repo%3Agolang-auth%2Fgo-channelbinding+tls-unique&type=code
• https://github.com/search?q=repo%3Agolang-auth%2Fgo-channelbinding+tls-server-end-point&type=code
• https://github.com/search?q=repo%3Agolang-auth%2Fgo-channelbinding+tls-exporter&type=code
• https://github.com/go-ldap/ldap
• https://github.com/search?q=repo%3Ago-ldap%2Fldap+tls-server-end-point&type=code
• Add RFC 5929 channel binding support for SSPI client go-ldap/ldap#565
• RFC 9266: Channel Bindings for TLS 1.3: tls-exporter support go-ldap/ldap#392
• https://github.com/golang/go
• https://github.com/search?q=repo%3Agolang%2Fgo+tls-unique&type=code
• fce6388
• proposal: crypto/tls: implement RFC 9266: Channel Bindings for TLS 1.3: tls-exporter support #54103
• proposal: crypto/tls: implement RFC 5929: Channel Bindings for TLS: tls-server-end-point support #65047
• https://github.com/google/conscrypt
• https://github.com/search?q=repo%3Agoogle%2Fconscrypt+tls-unique&type=code
• Add support for accessing tls-unique channel binding value. google/conscrypt#388
• RFC 9266: Channel Bindings for TLS 1.3: tls-exporter support google/conscrypt#1078
• RFC 5929: Channel Bindings for TLS: tls-server-end-point support google/conscrypt#1411
• https://github.com/xmppo/go-xmpp
• https://github.com/search?q=repo%3Axmppo%2Fgo-xmpp+tls-unique&type=code
• https://github.com/search?q=repo%3Axmppo%2Fgo-xmpp+tls-server-end-point&type=code
• https://github.com/search?q=repo%3Axmppo%2Fgo-xmpp+tls-exporter&type=code
• SCRAM: Add support for tls-server-end-point channel binding. xmppo/go-xmpp#177 + Tls-server-end-point improvements. xmppo/go-xmpp#178

cc: @flooey, @andres-erbsen, @jake-scott, @Chrizpy, @mdosch.

[ianlancetaylor]

CC @golang/security @FiloSottile

[cherrymui]

I guess this will be added to the crypto/tls package? What would the support look like? Thanks.

[Neustradamus]

@cherrymui: Yes :)

It is linked to:

• fce6388
• crypto/tls: documentation of TLSUnique field of ConnectionState struct contains broken link #18842 + 7bd968f
• 039c208
• https://github.com/golang/go/search?q=tlsunique
• https://github.com/golang/go/search?q=tls+unique
• https://github.com/golang/go/search?q=tls+binding

cc: @agl, @andres-erbsen, @FiloSottile, @codesenberg, @seankhliao.

[Neustradamus]

Dear all,

I have update the main description about tls-unique, tls-server-end-point, tls-exporter and I have added XEP-0388/XEP-0440/XEP-0474 links.

I think that you have seen the jabber.ru MITM:

• https://notes.valdikss.org.ru/jabber.ru-mitm/
• https://snikket.org/blog/on-the-jabber-ru-mitm/
• https://www.devever.net/~hl/xmpp-incident
• https://blog.jmp.chat/b/certwatch

[FiloSottile]

RFC 9266, Section 2, says

"tls-exporter" uses Exported Keying Material (EKM), which is already widely exposed by TLS implementations

Indeed, we already support EKM via ConnectionState.ExportKeyingMaterial.

What do you need us to change in crypto/tls?

[Neustradamus]

@FiloSottile: Thanks for your answer but there is not an announcement in code: RFC5929 / RFC9266
And I do not find:

• tls-unique
• tls-server-end-point
• tls-exporter

Example GnuTLS:

• tls-unique: https://gitlab.com/search?search=tls-unique&nav_source=navbar&project_id=179611&group_id=121613&search_code=true&repository_ref=master
• tls-exporter: https://gitlab.com/search?search=tls-exporter&nav_source=navbar&project_id=179611&group_id=121613&search_code=true&repository_ref=master
• tls-server-end-point: https://gitlab.com/search?search=tls-server-end-point&nav_source=navbar&project_id=179611&group_id=121613&search_code=true&repository_ref=master
• rfc5929: https://gitlab.com/search?search=rfc5929&nav_source=navbar&project_id=179611&group_id=121613&search_code=true&repository_ref=master
• rfc9266: https://gitlab.com/search?search=rfc9266&nav_source=navbar&project_id=179611&group_id=121613&search_code=true&repository_ref=master

[morphf]

Is there an update on this?

[WantTrueNerds]

I think the crypto/tls library already provides support for everything needed to perform channel binding.

• "tls-unique" appears to be supported here:

  go/src/crypto/tls/common.go

  Line 290 in 252fbaf

  TLSUnique []byte

• "tls-server-end-point", according to the RFC, simply requires using the hash of the server TLS certificate.
• "tls-exporter" appears to be supported here:

  go/src/crypto/tls/common.go

  Line 318 in 252fbaf

  func (cs *ConnectionState) ExportKeyingMaterial(label string, context []byte, length int) ([]byte, error) {

Assuming my understanding of the RFC is correct, it appears like everything needed to implement channel binding in other libraries is already available. It would then be up to the downstream libraries (such as go-ldap, etc...) to implement channel binding using these attributes.

Note - the title of this issue mentions specifically TLSv1.3, however it is clear from the initial description that the ask is also intended to include TLSv1.2. The reason I say this is because "tis-unique" is only required to complete channel binding in TLSv1.2, and not TLSv1.3.

P.S. I didn't mean to single out go-ldap here, just used it as an example.

[seankhliao]

Doesn't seem like there's anything to do.