Only advertise mechanisms needing channel binding if a channel binding backend is...

diff --git a/util/sasl.lua b/util/sasl.lua
index cd0a1d64233ddf83dab855abc0ce17466590198f..393a09198f2abc1f1a79508d5bbb9ccadb920c3e 100644 (file)
--- a/util/sasl.lua
+++ b/util/sasl.lua
@@ -18,6 +18,7 @@ local type = type
 local setmetatable = setmetatable;
 local assert = assert;
 local require = require;
+local print = print
 
 module "sasl"
 
@@ -44,13 +45,21 @@ local method = {};
 method.__index = method;
 local mechanisms = {};
 local backend_mechanism = {};
+local mechanism_channelbindings = {};
 
 -- register a new SASL mechanims
-local function registerMechanism(name, backends, f)
+local function registerMechanism(name, backends, f, cb_backends)
        assert(type(name) == "string", "Parameter name MUST be a string.");
        assert(type(backends) == "string" or type(backends) == "table", "Parameter backends MUST be either a string or a table.");
        assert(type(f) == "function", "Parameter f MUST be a function.");
+       if cb_backends then assert(type(cb_backends) == "table"); end
        mechanisms[name] = f
+       if cb_backends then
+               mechanism_channelbindings[name] = {};
+               for _, cb_name in ipairs(cb_backends) do
+                       mechanism_channelbindings[name][cb_name] = true;
+               end
+       end
        for _, backend_name in ipairs(backends) do
                if backend_mechanism[backend_name] == nil then backend_mechanism[backend_name] = {}; end
                t_insert(backend_mechanism[backend_name], name);
@@ -86,7 +95,21 @@ end
 
 -- get a list of possible SASL mechanims to use
 function method:mechanisms()
-       return self.mechs;
+       local current_mechs = {};
+       for mech, _ in pairs(self.mechs) do
+               if mechanism_channelbindings[mech] and self.profile.cb then
+                       local ok = false;
+                       for cb_name, _ in pairs(self.profile.cb) do
+                               if mechanism_channelbindings[mech][cb_name] then
+                                       ok = true;
+                               end
+                       end
+                       if ok == true then current_mechs[mech] = true; end
+               else
+                       current_mechs[mech] = true;
+               end
+       end
+       return current_mechs;
 end
 
 -- select a mechanism to use

diff --git a/util/sasl/scram.lua b/util/sasl/scram.lua
index ad26658bf568936da51b4c7e259e6413ea1eb967..071de505142886ba2b4864c9314518f102c5aef9 100644 (file)
--- a/util/sasl/scram.lua
+++ b/util/sasl/scram.lua
@@ -249,7 +249,7 @@ function init(registerMechanism)
                registerMechanism("SCRAM-"..hash_name, {"plain", "scram_"..(hashprep(hash_name))}, scram_gen(hash_name:lower(), hash, hmac_hash));
                
                -- register channel binding equivalent
-               registerMechanism("SCRAM-"..hash_name.."-PLUS", {"plain", "scram_"..(hashprep(hash_name))}, scram_gen(hash_name:lower(), hash, hmac_hash));
+               registerMechanism("SCRAM-"..hash_name.."-PLUS", {"plain", "scram_"..(hashprep(hash_name))}, scram_gen(hash_name:lower(), hash, hmac_hash), {"tls-unique"});
        end
 
        registerSCRAMMechanism("SHA-1", sha1, hmac_sha1);