From caa2a7c81d19907a6125438bc1e71b6a2f5e16d6 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 10 Jan 2021 20:10:21 +0000 Subject: [PATCH 1/1] channel binding notes --- doc/doc-docbook/spec.xfpt | 4 ++++ src/src/auths/gsasl_exim.c | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index bb053ed78..4c79e87cf 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -28181,6 +28181,10 @@ supplied by the server. .option server_channelbinding gsasl boolean false Do not set this true and rely on the properties without consulting a cryptographic engineer. +. Unsure what that's about. It might be the "Triple Handshake" +. vulnerability; cf. https://www.mitls.org/pages/attacks/3SHAKE +. If so, we're ok, requiring Extended Master Secret if TLS +. Session Resumption was used. Some authentication mechanisms are able to use external context at both ends of the session to bind the authentication to that context, and fail the diff --git a/src/src/auths/gsasl_exim.c b/src/src/auths/gsasl_exim.c index 12713705b..afd745bd7 100644 --- a/src/src/auths/gsasl_exim.c +++ b/src/src/auths/gsasl_exim.c @@ -831,7 +831,8 @@ if (tls_out.channelbinding && ob->client_channelbinding) { # ifndef DISABLE_TLS_RESUME if (!tls_out.ext_master_secret && tls_out.resumption == RESUME_USED) - { /* per RFC 7677 section 4 */ + { /* Per RFC 7677 section 4. See also RFC 7627, "Triple Handshake" + vulnerability, and https://www.mitls.org/pages/attacks/3SHAKE */ string_format(buffer, buffsize, "%s", "channel binding not usable on resumed TLS without extended-master-secret"); return FAIL; -- 2.30.2