From: Daiki Ueno
Date: Sun, 28 Aug 2022 21:41:46 +0000 (+0900)
Subject: gnutls_session_channel_binding: perform check on "tls-exporter"
X-Git-Tag: 3.7.8~5^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=12bd7e5337351473bcdf080a602b3336230e689e;p=thirdparty%2Fgnutls.git

gnutls_session_channel_binding: perform check on "tls-exporter"

According to RFC9622 4.2, the "tls-exporter" channel binding is only usable when the handshake is bound to a unique master secret. This adds a check whether either TLS 1.3 or extended master secret extension is negotiated.

Signed-off-by: Daiki Ueno
---
diff --git a/NEWS b/NEWS
index f12a06defd..4595555829 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,13 @@ See the end for copying conditions.
1536, and 1792 bits), in addition to any modulus sizes larger than 2048 bits, according to SP800-131A rev2.

+** libgnutls: gnutls_session_channel_binding performs additional checks when
+ GNUTLS_CB_TLS_EXPORTER is requested. According to RFC9622 4.2, the
+ "tls-exporter" channel binding is only usable when the handshake is
+ bound to a unique master secret (i.e., either TLS 1.3 or extended
+ master secret extension is negotiated). Otherwise the function now
+ returns error.
+
* Version 3.7.7 (released 2022-07-28)

** libgnutls: Fixed double free during verification of pkcs7 signatures.
diff --git a/lib/state.c b/lib/state.c
index ee72646128..9e16d99300 100644
--- a/lib/state.c
+++ b/lib/state.c
@@ -1369,7 +1369,7 @@ gnutls_session_channel_binding(gnutls_session_t session,
if (cbtype == GNUTLS_CB_TLS_UNIQUE) {
const version_entry_st *ver = get_version(session);
if (unlikely(ver == NULL || ver->tls13_sem))
- return GNUTLS_E_INVALID_REQUEST;
+ return GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE;

cb->size = session->internals.cb_tls_unique_len;
cb->data = gnutls_malloc(cb->size);
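Review bot: The `- return GNUTLS_E_INVALID_REQUEST;` / `+ return GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE;` pair in the GNUTLS_CB_TLS_UNIQUE branch changes a public error code that callers may match on, yet the NEWS entry in this same commit only describes the new tls-exporter check; the NEWS text and the function's doc comment (which starts above this hunk) should also say that tls-unique now reports GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE on TLS 1.3 or when no version has been negotiated. Separately, the surviving TLS 1.2 path hands back `session->internals.cb_tls_unique_len` bytes with no check that the extended master secret extension was negotiated, although the triple-handshake attack that motivated RFC 7627 is the same reason this commit gates tls-exporter on EMS. The equivalent `gnutls_session_ext_master_secret_status(session) == 0` guard seems worth considering here too, or at minimum a comment such as `/* tls-unique on TLS 1.2 without the extended master secret extension is not collision-free (RFC 7627); callers must check EMS status themselves */`. The enclosing function begins and ends outside the hunk.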
@@ -1461,6 +1461,21 @@ gnutls_session_channel_binding(gnutls_session_t session,
#define EXPORTER_CTX_DATA ""
#define EXPORTER_CTX_LEN 0

+ const version_entry_st *ver = get_version(session);
+ if (unlikely(ver == NULL)) {
+ return GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE;
+ }
+
+ /* "tls-exporter" channel binding is defined only when
+ * the TLS handshake results in unique master secrets,
+ * i.e., either TLS 1.3, or TLS 1.2 with extended
+ * master secret negotiated.
+ */
+ if (!ver->tls13_sem &&
+ gnutls_session_ext_master_secret_status(session) == 0) {
+ return GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE;
+ }
+ + cb->size = 32; + cb->data = gnutls_malloc(cb->size); if (cb->data == NULL)
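Review bot: The new guard's comment names no specification, and the commit message and NEWS cite "RFC9622 4.2", which appears to be a transposition: the "tls-exporter" channel binding and its TLS 1.2 / extended-master-secret requirement are defined in RFC 9266 (Section 4.2), so the number should be corrected in the message and pinned in the code, e.g. by starting the added comment with `/* "tls-exporter" channel binding (RFC 9266, Section 4.2) is defined only when`. The public doc comment of gnutls_session_channel_binding, which begins above this hunk, should also state that GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE is now returned for GNUTLS_CB_TLS_EXPORTER when no version is negotiated or when TLS 1.2 was used without the extended master secret extension, since that is how applications learn they must fall back. A minor style point: the TLS_UNIQUE branch earlier in this function folds the `ver == NULL` test into a single unbraced `if`, whereas this branch uses two braced ones; either is fine, but matching the existing shape keeps the function uniform. The enclosing function and its `if (cbtype == ...)` branch start and end outside the hunk.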