Comparison

util.sasl.scram: Validate channel binding data of client final message.

comparison

equal deleted inserted replaced

-:c0cc4e73d9fa
+:a5f4de8c0b40
 		else
 			-- we are processing client_final_message
 			local client_final_message = message;
 			log("debug", "client_final_message: %s", client_final_message);
 			self.state["channelbinding"], self.state["nonce"], self.state["proof"] = client_final_message:match("^c=(.*),r=(.*),.*p=(.*)");
-			if not self.state.proof or not self.state.nonce or not self.state.channelbinding then
+			if self.state.gs2_cbind_name then
-				return "failure", "malformed-request", "Missing an attribute(p, r or c) in SASL message.";
+				local client_gs2_header = base64.decode(self.state.channelbinding)
+				local our_client_gs2_header = "p="..self.state.gs2_cbind_name..","..self.state["authzid"]..","..self.profile.cb[self.state.gs2_cbind_name](self);
+				if client_gs2_header ~= our_client_gs2_header then
+					return "failure", "malformed-request", "Invalid channel binding value.";
+				end
+			else
+				if not self.state.proof or not self.state.nonce or not self.state.channelbinding then
+					return "failure", "malformed-request", "Missing an attribute(p, r or c) in SASL message.";
+				end
 			end
 			if self.state.nonce ~= self.state.clientnonce..self.state.servernonce then
 				return "failure", "malformed-request", "Wrong nonce in client-final-message.";
 			end