From e2a014c0caf752b3a22046020867b98474ea1ae8 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Mon, 27 Sep 2010 01:54:20 +0200
Subject: [PATCH] move CB validation into libsasl

---
 include/saslplug.h | 4 ++--
 lib/server.c | 13 ++++++++++++-
 plugins/gs2.c | 22 ++++++++++++----------
 3 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/include/saslplug.h b/include/saslplug.h
index ea5368e..1024fab 100755
--- a/include/saslplug.h
+++ b/include/saslplug.h
@@ -198,7 +198,7 @@ typedef struct sasl_out_params {
 void *spare_ptr4;
 int (*spare_fptr1)();
 int (*spare_fptr2)();
- int spare_int1;
+ int chanbindingflag;
 int spare_int2;
 int spare_int3;
 int spare_int4;
@@ -566,8 +566,8 @@ typedef struct sasl_server_params {
 void *spare_ptr4;
 int (*spare_fptr1)();
 int (*spare_fptr2)();
- int chanbindingcrit;
 int chanbindinglen;
+ int chanbindingcrit;
 int spare_int3;
 
 /* flags field as passed to sasl_server_new */
diff --git a/lib/server.c b/lib/server.c
index 3013019..4cdf456 100644
--- a/lib/server.c
+++ b/lib/server.c
@@ -1453,7 +1453,18 @@ int sasl_server_step(sasl_conn_t *conn,
 conn->oparams.maxoutbuf = conn->props.maxbufsize;
 }
 
- if(conn->oparams.user == NULL || conn->oparams.authid == NULL) {
+ /* Validate channel bindings */
+ if (conn->oparams.chanbindingflag == SASL_CB_FLAG_NONE &&
+ s_conn->sparams->chanbindingcrit) {
+ sasl_seterror(conn, 0,
+ "server requires channel binding but client provided none");
+ ret = SASL_BADAUTH;
+ } else if (conn->oparams.chanbindingflag == SASL_CB_FLAG_WANT &&
+ SASL_CB_PRESENT(s_conn->sparams)) {
+ sasl_seterror(conn, 0,
+ "client incorrectly determined server had no channel binding");
+ ret = SASL_BADAUTH;
+ } else if (conn->oparams.user == NULL || conn->oparams.authid == NULL) {
 sasl_seterror(conn, 0,
 "mech did not call canon_user for both authzid " \
 "and authid");
diff --git a/plugins/gs2.c b/plugins/gs2.c
index cee634f..fefa9af 100644
--- a/plugins/gs2.c
+++ b/plugins/gs2.c
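Review bot: The new `chanbindingflag` member of sasl_out_params carries no comment, yet lib/server.c in this same patch now fails the exchange with SASL_BADAUTH based on its value, so every mechanism is implicitly required to set it. Suggest `int chanbindingflag; /* channel-binding state reported by the mechanism: SASL_CB_FLAG_NONE, SASL_CB_FLAG_WANT or SASL_CB_FLAG_USED; checked in sasl_server_step */`. A mechanism that does not implement channel binding and never touches the field is judged on whatever value the struct was initialised with, which this hunk cannot show; the comment should also state that expected default so plugin authors know which outcome they get by doing nothing.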
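Review bot: Swapping the positions of `chanbindingcrit` and `chanbindinglen` in sasl_server_params changes the struct layout, so a plugin compiled against the previous header would read one field through the other's offset; the spare slots in this struct exist precisely so that fields are only ever added, never moved. If the channel-binding members have not yet appeared in a released header this is harmless, but that should be said in the commit message; otherwise the original order should be kept and the mismatch with sasl_out_params accepted.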
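Review bot: The one-line comment `/* Validate channel bindings */` does not say what the two branches enforce or why the order matters; suggest `/* Validate channel bindings: NONE is refused when the server requires binding (chanbindingcrit), and WANT (client assumed the server had no binding) is refused when the server does have it, since that indicates a downgrade */`. The check now runs for every mechanism, so a plugin that never writes `chanbindingflag` is evaluated on the field's initial value; I cannot see from this hunk where oparams is initialised, so it is worth confirming that the default compares unequal to SASL_CB_FLAG_WANT and that refusing non-binding mechanisms when chanbindingcrit is set is the intended policy. sasl_server_step continues outside the hunk.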
@@ -369,16 +369,6 @@ gs2_server_mech_step(void *conn_context,
 &input_token);
 if (ret != SASL_OK)
 goto cleanup;
-
- if ((text->gs2_flags & GS2_CB_FLAG_MASK) == GS2_CB_FLAG_N) {
- if (params->chanbindingcrit != 0)
- ret = SASL_BADAUTH;
- } else if ((text->gs2_flags & GS2_CB_FLAG_MASK) == GS2_CB_FLAG_Y) {
- if (SASL_CB_PRESENT(params))
- ret = SASL_BADAUTH;
- }
- if (ret != SASL_OK)
- goto cleanup;
 } else {
 input_token.value = (void *)clientin;
 input_token.length = clientinlen;
@@ -489,6 +479,18 @@ gs2_server_mech_step(void *conn_context,
 if (ret != SASL_OK)
 goto cleanup;
 
+ switch (text->gs2_flags & GS2_CB_FLAG_MASK) {
+ case GS2_CB_FLAG_N:
+ oparams->chanbindingflag = SASL_CB_FLAG_NONE;
+ break;
+ case GS2_CB_FLAG_P:
+ oparams->chanbindingflag = SASL_CB_FLAG_USED;
+ break;
+ case GS2_CB_FLAG_Y:
+ oparams->chanbindingflag == SASL_CB_FLAG_WANT;
+ break;
+ }
+
 if (text->client_creds != GSS_C_NO_CREDENTIAL)
 oparams->client_creds = &text->client_creds;
 else
-- 
2.1.4
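Review bot: The GS2_CB_FLAG_Y case of the new switch reads `oparams->chanbindingflag == SASL_CB_FLAG_WANT;`, a comparison whose result is discarded, so a client "y" flag is never reported to libsasl as SASL_CB_FLAG_WANT and the downgrade check this patch moves into lib/server.c cannot fire for GS2; the equivalent rejection that the first hunk deletes from this function is therefore lost rather than relocated. Change the line to `oparams->chanbindingflag = SASL_CB_FLAG_WANT;` (a compiler with -Wunused-value would have flagged the original). The switch also has no `default:`; if the masked value can be anything other than N, P or Y, it should be treated as a protocol error (`ret = SASL_BADAUTH; goto cleanup;`) rather than leaving the field unset. gs2_server_mech_step continues outside the hunk.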