# HG changeset patch
# User Tobias Markmann
# Date 1295279421 -3600
# Node ID a5f4de8c0b40cb5cb8039392543dcf77daa659f9
# Parent c0cc4e73d9fae5341aa99e0f7a50468ae9eaae00
util.sasl.scram: Validate channel binding data of client final message.

diff -r c0cc4e73d9fa -r a5f4de8c0b40 util/sasl/scram.lua
--- a/util/sasl/scram.lua	Mon Jan 17 16:50:21 2011 +0100
+++ b/util/sasl/scram.lua	Mon Jan 17 16:50:21 2011 +0100
@@ -200,9 +200,18 @@
 		local client_final_message = message;
 		log("debug", "client_final_message: %s", client_final_message);
 		self.state["channelbinding"], self.state["nonce"], self.state["proof"] = client_final_message:match("^c=(.*),r=(.*),.*p=(.*)");
-		
-		if not self.state.proof or not self.state.nonce or not self.state.channelbinding then
-			return "failure", "malformed-request", "Missing an attribute(p, r or c) in SASL message.";
+		
+		if self.state.gs2_cbind_name then
+			local client_gs2_header = base64.decode(self.state.channelbinding)
+			local our_client_gs2_header = "p="..self.state.gs2_cbind_name..","..self.state["authzid"]..","..self.profile.cb[self.state.gs2_cbind_name](self);
+			
+			if client_gs2_header ~= our_client_gs2_header then
+				return "failure", "malformed-request", "Invalid channel binding value.";
+			end
+		else
+			if not self.state.proof or not self.state.nonce or not self.state.channelbinding then
+				return "failure", "malformed-request", "Missing an attribute(p, r or c) in SASL message.";
+			end
 		end
 
 		if self.state.nonce ~= self.state.clientnonce..self.state.servernonce then
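Review bot: The missing-attribute check is now only reached in the `else` branch, so when channel binding was negotiated (`self.state.gs2_cbind_name` is set) a client final message that fails the `match` leaves `self.state.channelbinding` nil and `base64.decode(nil)` raises a Lua error instead of the clean "malformed-request" failure; the later nonce comparison would likewise hit a nil `self.state.nonce`. The `if not self.state.proof or not self.state.nonce or not self.state.channelbinding then ... end` guard should run unconditionally before the channel-binding branch, which also removes the duplicated `else`. Note too that `..self.state["authzid"]..` will raise if authzid was never set during the first message (set outside this hunk, so I cannot confirm it is always a string); a `(self.state.authzid or "")` fallback, or an explicit earlier check, would be safer. A channel-binding mismatch is also arguably a "not-authorized" condition rather than a malformed request, since it is the signal SCRAM uses to detect a MITM. The enclosing function starts and ends outside this hunk.
```lua
		self.state["channelbinding"], self.state["nonce"], self.state["proof"] = client_final_message:match("^c=(.*),r=(.*),.*p=(.*)");

		if not self.state.proof or not self.state.nonce or not self.state.channelbinding then
			return "failure", "malformed-request", "Missing an attribute(p, r or c) in SASL message.";
		end

		if self.state.gs2_cbind_name then
			-- … unchanged: decode c=, rebuild expected gs2 header, compare …
		end
```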