sasl: fix early return in new state machine

Previously when there were remote mechanisms that support channel binding we were returning early and not setting the nonce. This resulted in authentication failing when remote mechanisms that support channel binding were advertised. Signed-off-by: Sam Whited <sam@samwhited.com>
2022-12-28 07:43:34 -05:00 · 2022-12-28 07:43:34 -05:00 · e6cbf681b2
parent 827ebd922e
commit e6cbf681b2
3 changed files with 16 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -3,6 +3,14 @@
 All notable changes to this project will be documented in this file.


+##  v0.3.1 — 2022-12-28
+
+### Fixed
+
+- Sometimes the nonce was not set on the SASL state machine, resulting in
+  authentication failing
+
+
 ##  v0.3.0 — 2022-08-15

 ### Added
--- a/negotiator.go
+++ b/negotiator.go
@ -50,7 +50,7 @@ func NewClient(m Mechanism, opts ...Option) *Negotiator {
 		lname := m.Name
 		if lname == rname && strings.HasSuffix(lname, "-PLUS") {
 			machine.state |= RemoteCB
-			return machine
+			break
 		}
 	}
 	if len(machine.nonce) == 0 {
@ -76,7 +76,7 @@ func NewServer(m Mechanism, permissions func(*Negotiator) bool, opts ...Option)
 		lname := m.Name
 		if lname == rname && strings.HasSuffix(lname, "-PLUS") {
 			machine.state |= RemoteCB
-			return machine
+			break
 		}
 	}
 	if len(machine.nonce) == 0 {
--- a/sasl_test.go
+++ b/sasl_test.go
@ -451,7 +451,13 @@ func TestSASL(t *testing.T) {
 	for i, tc := range saslTestCases {
 		t.Run(strconv.Itoa(i), func(t *testing.T) {
 			client := sasl.NewClient(tc.mechanism, tc.clientOpts...)
+			if len(client.Nonce()) == 0 {
+				t.Fatal("test client did not set nonce!")
+			}
 			server := sasl.NewServer(tc.mechanism, tc.perm, tc.serverOpts...)
+			if len(client.Nonce()) == 0 {
+				t.Fatal("test server did not set nonce!")
+			}

 			// Run each test twice to make sure that Reset actually sets the state
 			// back to the initial state.