From f9401fdd3194a9fed42674b63471f1c97d91d53a Mon Sep 17 00:00:00 2001
From: Conrad Ludgate
Date: Thu, 7 Dec 2023 11:47:16 +0000
Subject: [PATCH] proxy: fix channel binding error messages (#6054)

## Problem

For channel binding failed messages we were still saying "channel binding not supported" in the errors.

## Summary of changes

Fix error messages
---
 proxy/src/sasl.rs | 6 ++++--
 proxy/src/scram/exchange.rs | 8 ++++----
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/proxy/src/sasl.rs b/proxy/src/sasl.rs
index 6d1dd9fba5..da1cf21c6a 100644
--- a/proxy/src/sasl.rs
+++ b/proxy/src/sasl.rs
@@ -30,6 +30,9 @@ pub enum Error {
     #[error("Bad client message: {0}")]
     BadClientMessage(&'static str),
 
+    #[error("Internal error: missing digest")]
+    MissingBinding,
+
     #[error(transparent)]
     Io(#[from] io::Error),
 }
@@ -38,8 +41,7 @@ impl UserFacingError for Error {
     fn to_string_client(&self) -> String {
         use Error::*;
         match self {
-            // TODO: add support for channel binding
-            ChannelBindingFailed(_) => "channel binding is not supported yet".to_string(),
+            ChannelBindingFailed(m) => m.to_string(),
             ChannelBindingBadMethod(m) => format!("unsupported channel binding method {m}"),
             _ => "authentication protocol violation".to_string(),
         }
diff --git a/proxy/src/scram/exchange.rs b/proxy/src/scram/exchange.rs
index 319d9b1014..facaba3798 100644
--- a/proxy/src/scram/exchange.rs
+++ b/proxy/src/scram/exchange.rs
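Review bot: The new `MissingBinding` variant gets no arm in `to_string_client`, so it falls through to `_ => "authentication protocol violation"`, which tells the client it misbehaved when the variant's own Display text says the failure is internal (the proxy has no TLS server-end-point digest to bind to). A dedicated arm such as `MissingBinding => "channel binding is not supported by this server".to_string(),` keeps the internal detail off the wire without misattributing the fault; whether `Undefined` can still be reached once a client has negotiated the -PLUS mechanism is not visible here and worth confirming. The `ChannelBindingFailed(m) => m.to_string()` arm now forwards the variant payload verbatim to the peer, which is fine only as long as the payload stays a fixed literal like the sibling `BadClientMessage(&'static str)`, so a comment pinning that, `// payload is a fixed literal, never config- or peer-derived data`, would stop a future `String` payload from leaking internal state.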
@@ -106,14 +106,14 @@ impl sasl::Mechanism for Exchange<'_> {
         let channel_binding = cbind_flag.encode(|_| match &self.tls_server_end_point {
             config::TlsServerEndPoint::Sha256(x) => Ok(x),
-            config::TlsServerEndPoint::Undefined => {
-                Err(SaslError::ChannelBindingFailed("no cert digest provided"))
-            }
+            config::TlsServerEndPoint::Undefined => Err(SaslError::MissingBinding),
         })?;
 
         // This might've been caused by a MITM attack
         if client_final_message.channel_binding != channel_binding {
-            return Err(SaslError::ChannelBindingFailed("data mismatch"));
+            return Err(SaslError::ChannelBindingFailed(
+                "insecure connection: secure channel data mismatch",
+            ));
         }
 
         if client_final_message.nonce != server_first_message.nonce() {