Check whether we support the proposed channel binding type.
authorTobias Markmann <tm@ayena.de>
Sat, 15 Jan 2011 16:59:15 +0000 (17:59 +0100)
committerTobias Markmann <tm@ayena.de>
Sat, 15 Jan 2011 16:59:15 +0000 (17:59 +0100)
util/sasl.lua
util/sasl/scram.lua

index 93b79a86a63de48333bc482b0a0de155c3db3aa3..37a234c9130390f721e73d17e4b43afb827be48e 100644 (file)
@@ -27,6 +27,17 @@ Authentication Backend Prototypes:
 state = false : disabled
 state = true : enabled
 state = nil : non-existant
+
+Channel Binding:
+
+To enable support of channel binding in some mechanisms you need to provide appropriate callbacks in a table
+at profile.cb.
+
+Example:
+       profile.cb["tls-unique"] = function(self)
+               return self.user
+       end
+
 ]]
 
 local method = {};
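Review bot: The example callback under "Channel Binding:" returns `self.user` for "tls-unique", which is not channel binding data. An implementer who copies it would bind the SCRAM exchange to a value that an intermediary also knows, so the binding would not detect a relayed TLS session. The example should show the callback returning the tls-unique value of the connection's own TLS session (RFC 5929), with a comment such as `-- must return this connection's tls-unique bytes, never static or user-supplied data`. It would also help to document what a mechanism does when the profile has no `cb` table at all. The block comment this text belongs to opens above the hunk.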
index fbe3547b24080d846e8641667e90077ccce7f56c..76e9c152e21bb6fd1058d33afc3305aeabe05de5 100644 (file)
@@ -137,6 +137,11 @@ local function scram_gen(hash_name, H_f, HMAC_f)
                                if string.sub(self.state.gs2_cbind_flag, 0, 1) == "y" then
                                        return "failure", "malformed-request";
                                end
+                               
+                               -- check whether we support the proposed channel binding type
+                               if not self.profile.cb[self.state.gs2_cbind_name] then
+                                       return "failure", "malformed-request", "Proposed channel binding type isn't supported.";
+                               end
                        else
                                if self.state.gs2_cbind_flag ~= "n" and self.state.gs2_cbind_flag ~= "y" then
                                        return "failure", "malformed-request";
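Review bot: The added check indexes `self.profile.cb` without testing that the table exists, so a profile that never set `cb` would raise "attempt to index a nil value" as soon as a client message reaches this branch. The condition guarding the branch is outside the hunk, so this case may already be excluded. The key `self.state.gs2_cbind_name` is taken from the client's GS2 header and is presumably nil when the flag is "n", in which case a client that proposed no binding gets the "isn't supported" text. A guard such as `local cb = self.profile.cb; if not (cb and type(cb[self.state.gs2_cbind_name]) == "function") then` fails closed without an error and also rejects entries that are not callable. The enclosing function starts and ends outside the hunk.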