Improve error handling in SCRAM-SHA-X-PLUS authentication

Refactor error return to include more specific information and add a check for TLS connection state in SCRAM-SHA-X-PLUS authentication flow. This ensures clearer error messages and verifies essential prerequisites for secure authentication.
Winni Neessen 2024-10-02 18:02:34 +02:00
parent 580981b158
commit e4dd62475a
Signed by: wneessen
GPG key ID: 385AC9889632126E


@ -112,7 +112,7 @@ func (a *scramAuth) Next(fromServer []byte, more bool) ([]byte, error) {
return resp, nil return resp, nil
default: default:
a.reset() a.reset()
return nil, errors.New("unexpected server response") return nil, fmt.Errorf("%w: %s", ErrUnexpectedServerResponse, string(fromServer))
} }
} }
return nil, nil return nil, nil
@ -147,6 +147,9 @@ func (a *scramAuth) initialClientMessage() ([]byte, error) {
// SCRAM-SHA-X-PLUS auth requires channel binding // SCRAM-SHA-X-PLUS auth requires channel binding
if a.isPlus { if a.isPlus {
if a.tlsConnState == nil {
return nil, errors.New("tls connection state is required for SCRAM-SHA-X-PLUS")
}
bindType := "tls-unique" bindType := "tls-unique"
connState := a.tlsConnState connState := a.tlsConnState
bindData := connState.TLSUnique bindData := connState.TLSUnique
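Review bot: In the `default:` branch of `Next` (first hunk), the new error formats the peer's bytes with `%s`, so an unexpected reply of any length, including newlines or control characters, is copied verbatim into the error string and into whatever log or UI records it. Quote and bound it instead, for example `return nil, fmt.Errorf("%w: %.64q", ErrUnexpectedServerResponse, fromServer)` (the 64-byte cap is an illustrative value), which keeps `errors.Is` working and makes the embedded data unambiguous. The nil check added in `initialClientMessage` returns an ad-hoc `errors.New` value while the first hunk wraps a sentinel; a package-level sentinel there would let callers detect the missing-TLS-state case the same way. Both function bodies extend outside the visible hunks.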