Server should support alternate types of Channel Bindings #823
Assignees
Milestone
Comments
|
I also believe that a new callback is the better solution. |
|
Thanks for your comment. Since all applications using cyrus-sasl have managed the lifecycle problem of the channel binding data there is not really a need to change the policy of the ownership of the binding data. |
GuidoKiener
added a commit
to GuidoKiener/cyrus-sasl
that referenced
this issue
Feb 15, 2024
Provide a callback function to change the channel binding type of servers (e.g. "tls-server-end-point" instead of "tls-unique") during authentication of secure mechanisms like GS2-KRB5-PLUS or SCRAM-SHA-256-PLUS. The callback is used by the plugins SCRAM and GS2 when the desired binding type of the client does not match the binding type set with property SASL_CHANNEL_BINDING. A server can check the requested type of channel binding and overwrite the current channel binding data with the property SASL_CHANNEL_BINDING before the authentication proceeds. Issue cyrusimap#823 Signed-off-by: Guido Kiener <[email protected]>
GuidoKiener
added a commit
to GuidoKiener/cyrus-sasl
that referenced
this issue
Feb 16, 2024
Provide a callback function to change the channel binding type of servers (e.g. "tls-server-end-point" instead of "tls-unique") during authentication of secure mechanisms like GS2-KRB5-PLUS or SCRAM-SHA-256-PLUS. The callback is used by the plugins SCRAM and GS2 when the desired binding type of the client does not match the binding type set with property SASL_CHANNEL_BINDING. A server can check the requested type of channel binding and overwrite the current channel binding data with the property SASL_CHANNEL_BINDING before the authentication proceeds. Issue cyrusimap#823 Signed-off-by: Guido Kiener <[email protected]>
GuidoKiener
added a commit
to GuidoKiener/cyrus-sasl
that referenced
this issue
Feb 16, 2024
Provide a callback function to change the channel binding type of servers (e.g. "tls-server-end-point" instead of "tls-unique") during authentication of secure mechanisms like GS2-KRB5-PLUS or SCRAM-SHA-256-PLUS. The callback is used by the plugins SCRAM and GS2 when the desired binding type of the client does not match the binding type set with property SASL_CHANNEL_BINDING. A server can check the requested type of channel binding and overwrite the current channel binding data with the property SASL_CHANNEL_BINDING before the authentication proceeds. Issue cyrusimap#823 Signed-off-by: Guido Kiener <[email protected]>
GuidoKiener
added a commit
to GuidoKiener/cyrus-sasl
that referenced
this issue
Feb 16, 2024
Provide a callback function to change the channel binding type of servers (e.g. "tls-server-end-point" instead of "tls-unique") during authentication of secure mechanisms like GS2-KRB5-PLUS or SCRAM-SHA-256-PLUS. The callback is used by the plugins SCRAM and GS2 when the desired binding type of the client does not match the binding type set with property SASL_CHANNEL_BINDING. A server can check the requested type of channel binding and overwrite the current channel binding data with the property SASL_CHANNEL_BINDING before the authentication proceeds. Issue cyrusimap#823 Signed-off-by: Guido Kiener <[email protected]>
|
@ksmurchison, Hi Ken, do you like to review the patch? I tested the patch in my projects and with a patched cyrus-imapd variant. |
@ksmurchison or @quanah: Do you have time to review the patch? |
|
I will try but I'm not an expert on channel binding. @aamelnikov can you give a look? |
|
@aamelnikov: Can you look tickets here?
@GuidoKiener has done a PR here, can you look too? @ksmurchison requests same. |
|
@quanah: I have relaunched @aamelnikov. |
GuidoKiener
added a commit
to GuidoKiener/cyrus-sasl
that referenced
this issue
Aug 9, 2024
Provide a callback function to change the channel binding type of servers (e.g. "tls-server-end-point" instead of "tls-unique") during authentication of secure mechanisms like GS2-KRB5-PLUS or SCRAM-SHA-256-PLUS. The callback is used by the plugins SCRAM and GS2 when the desired binding type of the client does not match the binding type set with property SASL_CHANNEL_BINDING. A server can check the requested type of channel binding and overwrite the current channel binding data with the property SASL_CHANNEL_BINDING before the authentication proceeds. Issue cyrusimap#823 Signed-off-by: Guido Kiener <[email protected]>
GuidoKiener
added a commit
to GuidoKiener/cyrus-sasl
that referenced
this issue
Aug 9, 2024
With the callback SASL_CB_SERVER_CHANNEL_BINDING a server can change the channel binding data to the desired channel binding type of the client. sample/client.c Select the option -d or -D to use the channel binding type "tls-server-end-point". Or select the option -c or -C to use the channel binding type "tls-unique". Options -C or -D force client and server to use channel binding. sample/server.c select option -c to activate channel binding type "tls-unique". Option -C forces clients to use channel binding. Via callback "my_select_binding" the server changes the binding type to "tls-server-end-point" if required. Note that client/server must use the binding type: - "tls-exporter" for TLS 1.3 - "tls-unique" for TLS 1.2 - "tls-server-end-point" works for TLS 1.2 and 1.3 Issue cyrusimap#823 Signed-off-by: Guido Kiener <[email protected]>
GuidoKiener
added a commit
to GuidoKiener/cyrus-sasl
that referenced
this issue
Aug 9, 2024
Provide a callback function to change the channel binding type of servers (e.g. "tls-server-end-point" instead of "tls-unique") during authentication of secure mechanisms like GS2-KRB5-PLUS or SCRAM-SHA-256-PLUS. The callback is used by the plugins SCRAM and GS2 when the desired binding type of the client does not match the binding type set with property SASL_CHANNEL_BINDING. A server can check the requested type of channel binding and overwrite the current channel binding data with the property SASL_CHANNEL_BINDING before the authentication proceeds. Issue cyrusimap#823 Signed-off-by: Guido Kiener <[email protected]>
GuidoKiener
added a commit
to GuidoKiener/cyrus-sasl
that referenced
this issue
Aug 9, 2024
With the callback SASL_CB_SERVER_CHANNEL_BINDING a server can change the channel binding data to the desired channel binding type of the client. sample/client.c Select the option -d or -D to use the channel binding type "tls-server-end-point". Or select the option -c or -C to use the channel binding type "tls-unique". Options -C or -D force client and server to use channel binding. sample/server.c select option -c to activate channel binding type "tls-unique". Option -C forces clients to use channel binding. Via callback "my_select_binding" the server changes the binding type to "tls-server-end-point" if required. Note that client/server must use the binding type: - "tls-exporter" for TLS 1.3 - "tls-unique" for TLS 1.2 - "tls-server-end-point" works for TLS 1.2 and 1.3 Issue cyrusimap#823 Signed-off-by: Guido Kiener <[email protected]>
GuidoKiener
added a commit
to GuidoKiener/cyrus-sasl
that referenced
this issue
Aug 9, 2024
With the callback SASL_CB_SERVER_CHANNEL_BINDING a server can change the channel binding data to the desired channel binding type of the client. sample/client.c Select the option -d or -D to use the channel binding type "tls-server-end-point". Or select the option -c or -C to use the channel binding type "tls-unique". Options -C or -D force client and server to use channel binding. sample/server.c select option -c to activate channel binding type "tls-unique". Option -C forces clients to use channel binding. Via callback "my_select_binding" the server changes the binding type to "tls-server-end-point" if required. Note that client/server must use the binding type: - "tls-exporter" for TLS 1.3 - "tls-unique" for TLS 1.2 - "tls-server-end-point" works for TLS 1.2 and 1.3 Issue cyrusimap#823 Signed-off-by: Guido Kiener <[email protected]>
hyc
pushed a commit
that referenced
this issue
Dec 3, 2024
Provide a callback function to change the channel binding type of servers (e.g. "tls-server-end-point" instead of "tls-unique") during authentication of secure mechanisms like GS2-KRB5-PLUS or SCRAM-SHA-256-PLUS. The callback is used by the plugins SCRAM and GS2 when the desired binding type of the client does not match the binding type set with property SASL_CHANNEL_BINDING. A server can check the requested type of channel binding and overwrite the current channel binding data with the property SASL_CHANNEL_BINDING before the authentication proceeds. Issue #823 Signed-off-by: Guido Kiener <[email protected]>
hyc
pushed a commit
that referenced
this issue
Dec 3, 2024
With the callback SASL_CB_SERVER_CHANNEL_BINDING a server can change the channel binding data to the desired channel binding type of the client. sample/client.c Select the option -d or -D to use the channel binding type "tls-server-end-point". Or select the option -c or -C to use the channel binding type "tls-unique". Options -C or -D force client and server to use channel binding. sample/server.c select option -c to activate channel binding type "tls-unique". Option -C forces clients to use channel binding. Via callback "my_select_binding" the server changes the binding type to "tls-server-end-point" if required. Note that client/server must use the binding type: - "tls-exporter" for TLS 1.3 - "tls-unique" for TLS 1.2 - "tls-server-end-point" works for TLS 1.2 and 1.3 Issue #823 Signed-off-by: Guido Kiener <[email protected]>
|
Thanks to @GuidoKiener for your work and @hyc for reviews/merging! |
This was referenced Jan 8, 2025
Open
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Problem
According to RFC 5929 there are different channel binding types (e.g. "tls-unique", "tls-exporter", "tls-end-point-server") for TLS connections that can be used with SASL mechanisms like SCRAM-SHA-*-PLUS or GS2-KRB5-PLUS. After a TLS connection is established a server can currently set only one binding data with
sasl_setprop(conn, SASL_CHANNEL_BINDING, &cb);.Depending on protocol agreements a client can select e.g. between:
If a server does not support the desired channel binding type of the client then the authentication will fail or the client is obliged to try another channel binding type or even another worse SASL mechanism.
Therefore it's useful to add a new property or callback function that allows the server to select the desired channel binding data.
Proposal: New Callback Function
My preferred solution is adding a new callback function:
This solution is flexibel and a server application can react to specific plugins and binding types.
Alternative Proposal: New property SASL_CHANNEL_BINDING_2
Another way is to add a new property SASL_CHANNEL_BINDING_2 that allows the server to set an alternative channel binding type that is selected by the plugins SCRAM-SHA-*-PLUS or GS2-KRB5-PLUS.
This solution is easy and ok for the next years, but maybe not flexible enough for future security extensions.
Common problem
The property SASL_CHANNEL_BINDING sets only a reference to the channel binding data and the user has to care for the lifecycle of the channel binding data. A less error-prone coding style is to allocate memory and store a copy of the channel binding data within the
struct sasl_server_params. This will help users to implement the callback function for channel binding.cc: @Neustradamus, @quanah, @ksmurchison, @aamelnikov, @dilyanpalauzov : Feedback is welcome. I would contribute the patches.
The text was updated successfully, but these errors were encountered: