[Openvpn-devel,4/8] Improve keys out of sync message

Message ID 20201023120259.29783-3-arne@rfc2549.org
State Accepted
Series
  • [Openvpn-devel] Remove --disable-def-auth configure argument

Commit Message

Arne Schwabe Oct. 23, 2020, 12:02 p.m.
The current message basically lacks the information to actually figure
out why the keys are out of sync. This adds the missing information to
that diagnostic message.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/ssl.c | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)

Comments

Gert Doering Nov. 25, 2020, 3:14 p.m. | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

I have no test bed that will trigger this, but the change is
not hard to understand (extend print_key_id() with an
"auth=make_string(ks->authenticated)", append the result to
the "TLS Error:" message).

All other users of print_key_id() are "just debug output",
so the new format will not confuse anything.

Compile tested on the client.

As with 2/8, uncrustify does not like the indenting of the
new switch/case block.  Adjusted.

Your patch has been applied to the master branch.

commit f1f0f074bf6e7b91673bfa8cb08b3be44ebda76b
Author: Arne Schwabe
Date:   Fri Oct 23 14:02:55 2020 +0200

     Improve keys out of sync message

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20201023120259.29783-3-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21226.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 98ce38f9..79ad322a 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -763,6 +763,22 @@  state_name(int state)
     }
 }
 
+static const char *
+ks_auth_name(enum ks_auth_state auth)
+{
+    switch(auth)
+    {
+    case KS_AUTH_TRUE:
+        return "KS_AUTH_TRUE";
+    case KS_AUTH_DEFERRED:
+        return "KS_AUTH_DEFERRED";
+    case KS_AUTH_FALSE:
+        return "KS_AUTH_FALSE";
+    default:
+        return "KS_????";
+    }
+}
+
 static const char *
 packet_opcode_name(int op)
 {
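Review bot: `switch(auth)` in the new ks_auth_name() is missing the space before the parenthesis that the rest of this file uses (compare `for (int i = 0; ...)` in print_key_id()), which is what uncrustify flagged in the ack; write `switch (auth)`. The `default:` arm returning "KS_????" is a reasonable fallback for a value outside the enum, and keeping it also avoids a missing-return warning, so no change needed there.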
@@ -833,8 +849,9 @@  print_key_id(struct tls_multi *multi, struct gc_arena *gc)
     for (int i = 0; i < KEY_SCAN_SIZE; ++i)
     {
         struct key_state *ks = get_key_scan(multi, i);
-        buf_printf(&out, " [key#%d state=%s id=%d sid=%s]", i,
-                   state_name(ks->state), ks->key_id,
+        buf_printf(&out, " [key#%d state=%s auth=%s id=%d sid=%s]", i,
+                   state_name(ks->state), ks_auth_name(ks->authenticated),
+                   ks->key_id,
                    session_id_print(&ks->session_id_remote, gc));
     }
 
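Review bot: the per-key line grows from "[key#%d state=%s id=%d sid=%s]" to "[key#%d state=%s auth=%s id=%d sid=%s]", and buf_printf() silently truncates once `out` is full; the allocation of `out` is outside this hunk, so confirm it has headroom for the extra "auth=KS_AUTH_DEFERRED" text on every one of the KEY_SCAN_SIZE slots, otherwise the last slots would be clipped from exactly the error message this patch wants to make useful.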
@@ -3331,8 +3348,10 @@  handle_data_channel_packet(struct tls_multi *multi,
     }
 
     msg(D_TLS_ERRORS,
-        "TLS Error: local/remote TLS keys are out of sync: %s [%d]",
-        print_link_socket_actual(from, &gc), key_id);
+        "TLS Error: local/remote TLS keys are out of sync: %s "
+        "(received key id: %d, known key ids: %s)",
+        print_link_socket_actual(from, &gc), key_id,
+        print_key_id(multi, &gc));
 
 done:
     tls_clear_error();
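Review bot: the out-of-sync message now logs the state, auth state and remote session id of every key slot for each offending packet. Because print_key_id(multi, &gc) is an argument of msg(), it is only evaluated when D_TLS_ERRORS is enabled, which is fine; but if this path can be reached by packets from a peer that has not finished authenticating, each such packet now produces a noticeably longer log line than before, so consider whether this message should be rate-limited. It would also help to put one sample of the new "(received key id: N, known key ids: ...)" output in the commit message so people reading logs know what to expect.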