diff --git a/proxy/src/sasl.rs b/proxy/src/sasl.rs
index 6d1dd9fba5..da1cf21c6a 100644
--- a/proxy/src/sasl.rs
+++ b/proxy/src/sasl.rs
@@ -30,6 +30,9 @@ pub enum Error {
 #[error("Bad client message: {0}")]
 BadClientMessage(&'static str),
+ #[error("Internal error: missing digest")]
+ MissingBinding,
 #[error(transparent)]
 Io(#[from] io::Error),
 }
@@ -38,8 +41,7 @@ impl UserFacingError for Error {
 fn to_string_client(&self) -> String {
 use Error::*;
 match self {
- // TODO: add support for channel binding
- ChannelBindingFailed(_) => "channel binding is not supported yet".to_string(),
+ ChannelBindingFailed(m) => m.to_string(),
 ChannelBindingBadMethod(m) => format!("unsupported channel binding method {m}"),
 _ => "authentication protocol violation".to_string(),
 }
diff --git a/proxy/src/scram/exchange.rs b/proxy/src/scram/exchange.rs
index 319d9b1014..facaba3798 100644
--- a/proxy/src/scram/exchange.rs
+++ b/proxy/src/scram/exchange.rs
@@ -106,14 +106,14 @@ impl sasl::Mechanism for Exchange<'_> {
 let channel_binding = cbind_flag.encode(|_| match &self.tls_server_end_point {
 config::TlsServerEndPoint::Sha256(x) => Ok(x),
- config::TlsServerEndPoint::Undefined => {
- Err(SaslError::ChannelBindingFailed("no cert digest provided"))
- }
+ config::TlsServerEndPoint::Undefined => Err(SaslError::MissingBinding),
 })?;
 // This might've been caused by a MITM attack
 if client_final_message.channel_binding != channel_binding {
- return Err(SaslError::ChannelBindingFailed("data mismatch"));
+ return Err(SaslError::ChannelBindingFailed(
+ "insecure connection: secure channel data mismatch",
+ ));
 }
 if client_final_message.nonce != server_first_message.nonce() {
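Review bot: The new `MissingBinding` variant has no doc comment, and its `#[error("Internal error: missing digest")]` text is the only hint that it describes a proxy-side condition rather than a client fault. As far as the exchange.rs hunk shows, it is produced only for `config::TlsServerEndPoint::Undefined`, so a comment above the attribute such as `/// No TLS server end-point digest is configured, so the channel-binding value cannot be computed; never caused by the client.` would tell the next maintainer how to route it. The enclosing `Error` enum starts before this hunk.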
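Review bot: `ChannelBindingFailed(m) => m.to_string()` now forwards the variant's `&'static str` payload verbatim to the client, so every constructor of `ChannelBindingFailed` must treat that string as client-visible; the variant's declaration is outside this hunk, but it should carry a comment like `/// The payload is sent to the client verbatim by to_string_client; keep it free of internal detail.` The `_` arm also now absorbs the new `MissingBinding`, so a proxy configuration gap is reported to the client as "authentication protocol violation"; an explicit arm such as `MissingBinding => "internal error".to_string(),` would stop blaming the client and, without the catch-all, would make the match fail to compile when a variant is added. `to_string_client` closes outside the hunk.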