Gitweb:
https://git.exim.org/exim.git/commitdiff/caa2a7c81d19907a6125438bc1e71b6a2f5e16d6
Commit: caa2a7c81d19907a6125438bc1e71b6a2f5e16d6
Parent: fc96555ab63243de9d468325aeaaa14cd77b9943
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Jan 10 20:10:21 2021 +0000
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Sun Jan 10 23:13:59 2021 +0000
channel binding notes
---
doc/doc-docbook/spec.xfpt | 4 ++++
src/src/auths/gsasl_exim.c | 3 ++-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index bb053ed..4c79e87 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -28181,6 +28181,10 @@ supplied by the server.
.option server_channelbinding gsasl boolean false
Do not set this true and rely on the properties
without consulting a cryptographic engineer.
+. Unsure what that's about. It might be the "Triple Handshake"
+. vulnerability; cf.
https://www.mitls.org/pages/attacks/3SHAKE
+. If so, we're ok, requiring Extended Master Secret if TLS
+. Session Resumption was used.
Some authentication mechanisms are able to use external context at both ends
of the session to bind the authentication to that context, and fail the
diff --git a/src/src/auths/gsasl_exim.c b/src/src/auths/gsasl_exim.c
index 1271370..afd745b 100644
--- a/src/src/auths/gsasl_exim.c
+++ b/src/src/auths/gsasl_exim.c
@@ -831,7 +831,8 @@ if (tls_out.channelbinding && ob->client_channelbinding)
{
# ifndef DISABLE_TLS_RESUME
if (!tls_out.ext_master_secret && tls_out.resumption == RESUME_USED)
- { /* per RFC 7677 section 4 */
+ { /* Per RFC 7677 section 4. See also RFC 7627, "Triple Handshake"
+ vulnerability, and https://www.mitls.org/pages/attacks/3SHAKE */
string_format(buffer, buffsize, "%s",
"channel binding not usable on resumed TLS without extended-master-secret");
return FAIL;
