1536, and 1792 bits), in addition to any modulus sizes larger than
2048 bits, according to SP800-131A rev2.
+** libgnutls: gnutls_session_channel_binding performs additional checks when
+ GNUTLS_CB_TLS_EXPORTER is requested. According to RFC9622 4.2, the
+ "tls-exporter" channel binding is only usable when the handshake is
+ bound to a unique master secret (i.e., either TLS 1.3 or extended
+ master secret extension is negotiated). Otherwise the function now
+ returns error.
+
* Version 3.7.7 (released 2022-07-28)
** libgnutls: Fixed double free during verification of pkcs7 signatures.
if (cbtype == GNUTLS_CB_TLS_UNIQUE) {
const version_entry_st *ver = get_version(session);
if (unlikely(ver == NULL || ver->tls13_sem))
- return GNUTLS_E_INVALID_REQUEST;
+ return GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE;
cb->size = session->internals.cb_tls_unique_len;
cb->data = gnutls_malloc(cb->size);
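Review bot: The return code for a `GNUTLS_CB_TLS_UNIQUE` request on a TLS 1.3 session (or one with no negotiated version) changes from `GNUTLS_E_INVALID_REQUEST` to `GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE`, and nothing visible on this page documents that for callers. The NEWS entry shown here covers only the `GNUTLS_CB_TLS_EXPORTER` check, so an application that matches on the old code to detect that tls-unique is unusable would silently take a different error path. I would add a sentence to that entry such as `For GNUTLS_CB_TLS_UNIQUE on TLS 1.3 the function now returns GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE instead of GNUTLS_E_INVALID_REQUEST.` and mirror it in the function's doc comment. The enclosing branch continues outside this hunk.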
#define EXPORTER_CTX_DATA ""
#define EXPORTER_CTX_LEN 0
+ const version_entry_st *ver = get_version(session);
+ if (unlikely(ver == NULL)) {
+ return GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE;
+ }
+
+ /* "tls-exporter" channel binding is defined only when
+ * the TLS handshake results in unique master secrets,
+ * i.e., either TLS 1.3, or TLS 1.2 with extended
+ * master secret negotiated.
+ */
+ if (!ver->tls13_sem &&
+ gnutls_session_ext_master_secret_status(session) == 0) {
+ return GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE;
+ }
+
cb->size = 32;
cb->data = gnutls_malloc(cb->size);
if (cb->data == NULL)
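Review bot: The new comment above the `!ver->tls13_sem && gnutls_session_ext_master_secret_status(session) == 0` check gives the reason for the rule but not its source; I would end it with `See RFC 9266, section 4.2.` so the requirement can be verified against the specification. The NEWS entry in this same change writes "RFC9622", which looks like a digit transposition of RFC 9266 (the "tls-exporter" channel binding document) and is worth correcting there. The doc comment of gnutls_session_channel_binding, which is outside this hunk, should also state that `GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE` is returned for a TLS 1.2 session without extended master secret. It should add that callers are expected to fail the channel-bound authentication on that error rather than continue without a binding. The enclosing branch starts and ends outside the hunk.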