Add support for SCRAM-SHA-*-PLUS channel binding in PHP streams (e.g., tls-unique, tls-exporter)

[fabiang]

Description

Hello,

I'm the maintainer of the fabiang/sasl library, which implements various SASL mechanisms. Since many SASL mechanisms have been deprecated over the years due to security issues, I am interested in improving the security of the SCRAM-SHA-* SASL mechanisms.

The SCRAM-SHA-*-PLUS mechanisms offer better security through channel binding. The recommended channel binding types are:

• tls-unique for TLS <= 1.2
• tls-server-end-point
• tls-exporter for TLS >= 1.3

Currently, PHP lacks support for channel binding, as no API is exposed to access data from the underlying secure socket. Additionally, more and more server software is adding support for channel binding.

For example, Python:

• supports at least "tls-unique" through SSLSocket.get_channel_binding
• and has an open Pull Request for tls-exporter.

To enable this in PHP, a simple API to retrieve channel binding data from a stream context would be beneficial.

A potential function could:

• return data from OpenSSL's SSL_get_peer_finished when channel binding is set to "tls-unique" and TLS 1.2 is used,
• use OpenSSL's SSL_export_keying_material when channel binding is set to "tls-exporter" and TLS <= 1.3 is used,
• trigger a warning when "tls-unique" is used with TLS 1.3,
• and trigger an error if the stream or context is not a TLS connection.

(Note: "tls-exporter" should also be supported on TLS 1.2 connections.)

stream_crypto_channel_binding(resource $stream_or_context, string $channel_binding_type): string;

Making this function compatible with both streams and contexts should cover all use cases.

Thank you.

[Neustradamus]

@fabiang: Thanks for your ticket, a lot of PHP projects wait the solution to add -PLUS variants.

[Neustradamus]

Dear @php team,

Have you progressed on this ticket?

[bukka]

There are still bunch of open bug for tls streams so I won't be probably able to get to it anytime soon but if someone else creates a PR containing tests, I should be able to review it.

[Neustradamus]

@bukka: Thanks for your answer!

It is always possible to work on it before to solve all other bugs?

This feature is very important and permit to have more security...

[Neustradamus]

@bukka: For your information, the recent Dovecot 2.4.0 has SCRAM-SHA-1-PLUS/SCRAM-SHA-256-PLUS supports in more SCRAM-SHA-1/SCRAM-SHA-256. It arrives after Exim, indimail-mta, msmtp, mpop, ...

About PHP, SCRAM has been added in, people wait for -PLUS variants:

• PEAR Auth_SASL/Auth_SASL2/Net_SMTP (used by a lot of projects like Roundcube etc.)
• SnappyMail
• SquirelMail
• Horde

Linked to:

• State of Play scram-sasl/info#1
• https://bugs.php.net/bug.php?id=70679
• https://bugs.php.net/bug.php?id=80344

[Neustradamus]

Dear @php team, @bukka, @fjanisze,

For information: @fabiang has released the 2.0.0 release build of PHP SASL2 Authentification Library:

• https://github.com/fabiang/sasl

The only missing point is Channel Binding :/

Hope that you will solved this problem.

Thanks in advance.

cc: @jfha73

[bukka]

@Neustradamus Bugs and especially security issues are the highest priority so I cannot prioritise this over them. We have got other important features requested for OpenSSL as well (there are many things missing). I understand that this is a priority for you but you will either need to implement it yourself and create a PR or hire someone to do that if you can't do that. Just pinging people will not change their priorities.