Message ID | 20201023120259.29783-3-arne@rfc2549.org |
---|---|
State | Accepted |
Series | [Openvpn-devel] Remove --disable-def-auth configure argument |
Acked-by: Gert Doering <gert@greenie.muc.de>

I have no test bed that will trigger this, but the change is not hard to understand (extend print_key_id() with a "auth=make_string(ks->authenticated)", append the result to the "TLS Error:" message).

All other users of print_key_id() are all "just debug output", so the new format will not confuse anything.

Compile tested on the client.

As with 2/8, uncrustify does not like the indenting of the new switch/case block. Adjusted.

Your patch has been applied to the master branch.

commit f1f0f074bf6e7b91673bfa8cb08b3be44ebda76b
Author: Arne Schwabe
Date: Fri Oct 23 14:02:55 2020 +0200

Improve keys out of sync message

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20201023120259.29783-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21226.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 98ce38f9..79ad322a 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -763,6 +763,22 @@ state_name(int state) } } +static const char * +ks_auth_name(enum ks_auth_state auth) +{ + switch(auth) + { + case KS_AUTH_TRUE: + return "KS_AUTH_TRUE"; + case KS_AUTH_DEFERRED: + return "KS_AUTH_DEFERRED"; + case KS_AUTH_FALSE: + return "KS_AUTH_FALSE"; + default: + return "KS_????"; + } +} + static const char * packet_opcode_name(int op) { @@ -833,8 +849,9 @@ print_key_id(struct tls_multi *multi, struct gc_arena *gc) for (int i = 0; i < KEY_SCAN_SIZE; ++i) { struct key_state *ks = get_key_scan(multi, i); - buf_printf(&out, " [key#%d state=%s id=%d sid=%s]", i, - state_name(ks->state), ks->key_id, + buf_printf(&out, " [key#%d state=%s auth=%s id=%d sid=%s]", i, + state_name(ks->state), ks_auth_name(ks->authenticated), + ks->key_id, session_id_print(&ks->session_id_remote, gc)); } @@ -3331,8 +3348,10 @@ handle_data_channel_packet(struct tls_multi *multi, } msg(D_TLS_ERRORS, - "TLS Error: local/remote TLS keys are out of sync: %s [%d]", - print_link_socket_actual(from, &gc), key_id); + "TLS Error: local/remote TLS keys are out of sync: %s " + "(received key id: %d, known key ids: %s)", + print_link_socket_actual(from, &gc), key_id, + print_key_id(multi, &gc)); done: tls_clear_error();
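Review bot: in the first hunk, the default: label in the ks_auth_name() switch over enum ks_auth_state hides a missing case from the compiler, so an enumerator added later would silently print as "KS_????" instead of producing a switch warning at build time. Consider dropping default: and returning the fallback string after the switch. Style: switch(auth) is missing the space after the keyword that the surrounding code uses (compare for (int i = 0; ...) in print_key_id()).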
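Review bot: in the handle_data_channel_packet() hunk, the D_TLS_ERRORS message now carries the full print_key_id() output, so each key slot's state, auth state and remote session ID (sid=) move from debug-only output into an error-level line that is written in reaction to the key id of a received packet. Please confirm that this level of detail is intended at D_TLS_ERRORS. The label "known key ids: %s" also understates what follows, since the string holds complete [key#N state=... auth=... id=... sid=...] entries; something like "known keys: %s" would match the content.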
The current message basically lacks the information to actually figure out why the keys are out of sync. This adds the missing information to that diagnostic message.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>

---
 src/openvpn/ssl.c | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)