From bf187b3e2f9b77e2834714ae5b3e5caa0aa44106 Mon Sep 17 00:00:00 2001
From: Sam Whited
Date: Tue, 19 Jul 2022 08:56:26 -0400
Subject: [PATCH] Support tls-exporter channel binding type
---
 CHANGELOG.md | 2 ++
 pkg/auth/scram.go | 2 ++
 pkg/c2s/in.go | 2 +-
 pkg/transport/socket.go | 14 ++++++++------
 pkg/transport/socket_test.go | 1 +
 pkg/transport/transport.go | 2 ++
 6 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7e9a859f8..ad9fb1940 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,8 @@ ## jackal - main / unreleased
+* [ENHANCEMENT] Re-enable TLS 1.3 channel binding during auth using [RFC 9266](https://www.rfc-editor.org/rfc/rfc9266).
+
 ## 0.61.0 (2022/06/06)
 * [ENHANCEMENT] Helm: added support for cloud LB. [237](https://github.com/ortuman/jackal/pull/237)
diff --git a/pkg/auth/scram.go b/pkg/auth/scram.go
index 2198b10bc..80177fe77 100644
--- a/pkg/auth/scram.go
+++ b/pkg/auth/scram.go
@@ -357,6 +357,8 @@ func (s *Scram) getCBindInputString() string {
 		switch s.params.cbMechanism {
 		case "tls-unique":
 			buf.Write(s.tr.ChannelBindingBytes(transport.TLSUnique))
+		case "tls-exporter":
+			buf.Write(s.tr.ChannelBindingBytes(transport.TLSExporter))
 		}
 	}
 	return base64.StdEncoding.EncodeToString(buf.Bytes())
diff --git a/pkg/c2s/in.go b/pkg/c2s/in.go
index 226bf5724..2ee108943 100644
--- a/pkg/c2s/in.go
+++ b/pkg/c2s/in.go
@@ -765,7 +765,7 @@ func (s *inC2S) unauthenticatedFeatures() []stravaganza.Element {
 	sb.WithAttribute(stravaganza.Namespace, saslNamespace)
 	for _, authenticator := range s.authSt.authenticators {
 		if authenticator.UsesChannelBinding() && !supportsCb {
-			continue // transport doesn't support channel binding (eg. TLS 1.3)
+			continue // transport doesn't support channel binding
 		}
 		sb.WithChild(
 			stravaganza.NewBuilder("mechanism").
diff --git a/pkg/transport/socket.go b/pkg/transport/socket.go
index 29112abc1..7804b68cf 100644
--- a/pkg/transport/socket.go
+++ b/pkg/transport/socket.go
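Review bot: The new `tls-exporter` case writes whatever `ChannelBindingBytes` returns straight into the cbind input without checking it, and on the transport side that value is `nil` when the connection has no TLS state or when key export fails, so the binding input silently degrades to the bare gs2 header while a -PLUS mechanism is nominally in use. The existing `tls-unique` case has the same weakness, since Go documents `ConnectionState.TLSUnique` as nil on TLS 1.3 and on some resumed connections. An empty binding value should abort authentication rather than produce an unbound proof; because `getCBindInputString` only returns a string, that check probably belongs where `cbMechanism` is validated, outside this hunk, with a comment such as `// an empty channel-binding value must fail auth, never bind to nothing`. The enclosing function starts outside the hunk.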
@@ -47,7 +47,6 @@ type socketTransport struct {
 	wr io.Writer
 	bw *bufio.Writer
 	compressed bool
-	supportsCb bool
 	connectTimeout time.Duration
 	keepAliveTimeout time.Duration
 }
@@ -147,7 +146,6 @@ func (s *socketTransport) StartTLS(cfg *tls.Config, asClient bool) {
 		tlsConn = tls.Server(s.conn, cfg)
 	}
 	s.conn = newDeadlineConn(tlsConn, s.connectTimeout, s.keepAliveTimeout)
-	s.supportsCb = tlsConn.ConnectionState().Version < tls.VersionTLS13
 	lr := ratelimiter.NewReader(s.conn)
 	if rLim := s.lr.ReadRateLimiter(); rLim != nil {
@@ -169,13 +167,10 @@ func (s *socketTransport) EnableCompression(level compress.Level) {
 }
 func (s *socketTransport) SupportsChannelBinding() bool {
-	return s.supportsCb
+	return true
 }
 func (s *socketTransport) ChannelBindingBytes(mechanism ChannelBindingMechanism) []byte {
-	if !s.supportsCb {
-		return nil
-	}
 	conn, ok := s.conn.underlyingConn().(tlsStateQueryable)
 	if !ok {
 		return nil
@@ -184,6 +179,13 @@ func (s *socketTransport) ChannelBindingBytes(mechanism ChannelBindingMechanism)
 	case TLSUnique:
 		connSt := conn.ConnectionState()
 		return connSt.TLSUnique
+	case TLSExporter:
+		connSt := conn.ConnectionState()
+		ekm, err := connSt.ExportKeyingMaterial("EXPORTER-Channel-Binding", nil, 32)
+		if err != nil {
+			return nil
+		}
+		return ekm
 	default:
 		break
 	}
diff --git a/pkg/transport/socket_test.go b/pkg/transport/socket_test.go
index d80328e12..dd292beb9 100644
--- a/pkg/transport/socket_test.go
+++ b/pkg/transport/socket_test.go
@@ -87,6 +87,7 @@ func TestSocket(t *testing.T) {
 	require.Nil(t, st2.ChannelBindingBytes(ChannelBindingMechanism(99)))
 	require.Nil(t, st2.ChannelBindingBytes(TLSUnique))
+	require.Nil(t, st2.ChannelBindingBytes(TLSExporter))
 	_ = st.Close()
 	require.True(t, conn.closed)
diff --git a/pkg/transport/transport.go b/pkg/transport/transport.go
index ce28a81ba..2bdd4778b 100644
--- a/pkg/transport/transport.go
+++ b/pkg/transport/transport.go
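Review bot: `SupportsChannelBinding` now returns `true` unconditionally, including before `StartTLS` has run, whereas the removed `supportsCb` field was (as far as this diff shows) only set inside `StartTLS`; `pkg/c2s/in.go` uses this answer to decide whether to advertise channel-binding mechanisms, so they may now be offered on a stream with no TLS state at all, where `ChannelBindingBytes` returns nil. Tie the answer to the connection instead, mirroring the type assertion a few lines below: `_, ok := s.conn.underlyingConn().(tlsStateQueryable)` then `return ok`. That also restores the guard that the same hunk deletes from the top of `ChannelBindingBytes`.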
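Review bot: The `TLSExporter` case passes a `nil` context to `ExportKeyingMaterial`; RFC 9266 specifies a zero-length context, and for TLS 1.2 the RFC 5705 exporter (which Go implements) derives different output for an absent context than for an empty one, so a peer that supplies an explicit empty context would compute a different binding value — confirm against a client implementation and use `[]byte{}` if the outputs differ. RFC 9266 also only allows `tls-exporter` on TLS 1.2 when extended master secret was negotiated; I believe recent Go releases make `ExportKeyingMaterial` fail in that situation, but on older toolchains this case would hand out a binding the RFC forbids, so a version check (`connSt.Version == tls.VersionTLS13`) or a comment stating the minimum Go version relied on is warranted. The hunk covers only the body of `ChannelBindingBytes`, whose signature and tail lie outside it.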
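Review bot: The added assertion only covers the non-TLS transport `st2`, so nothing exercises the positive path of `TLSExporter`; a test that completes a TLS 1.3 handshake between a client-side and a server-side transport and checks that both `ChannelBindingBytes(TLSExporter)` results are equal and 32 bytes long would catch a wrong label, context or length, which the nil check cannot. `TestSocket` starts and ends outside the hunk.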
@@ -47,6 +47,8 @@ type ChannelBindingMechanism int
 const (
 	// TLSUnique represents 'tls-unique' channel binding mechanism.
 	TLSUnique ChannelBindingMechanism = iota
+	// TLSExporter represents the 'tls-exporter' channel binding mechanism.
+	TLSExporter
 )
 // Transport represents a stream transport mechanism.
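Review bot: The new constant's doc comment does not say which specification defines the mechanism, which is the one thing a reader of this enum needs to look up the label and length used by the transport; suggest `// TLSExporter represents the 'tls-exporter' channel binding mechanism (RFC 9266).` Appending after `TLSUnique` keeps the existing iota value unchanged, which matters only if the value is persisted or compared outside this package — not something the diff lets me verify.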