[Openvpn-devel,4/8] Improve keys out of sync message

Message ID	20201023120259.29783-3-arne@rfc2549.org
State	Accepted
Headers	show Return-Path: <openvpn-devel-bounces@lists.sourceforge.net> From: Arne Schwabe <arne@rfc2549.org> To: openvpn-devel@lists.sourceforge.net Date: Fri, 23 Oct 2020 14:02:55 +0200 Message-Id: <20201023120259.29783-3-arne@rfc2549.org> In-Reply-To: <20201023120259.29783-1-arne@rfc2549.org> References: <20201023113244.26295-1-arne@rfc2549.org> <20201023120259.29783-1-arne@rfc2549.org> NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: rfc2549.org] 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record Subject: [Openvpn-devel] [PATCH 4/8] Improve keys out of sync message Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox
Series	[Openvpn-devel] Remove --disable-def-auth configure argument \| expand [Openvpn-devel] Remove --disable-def-auth configure argument [Openvpn-devel,2/8] Replace key_scan array of static points with inline function [Openvpn-devel,3/8] Add more documentation about our internal TLS functions [Openvpn-devel,4/8] Improve keys out of sync message [Openvpn-devel,5/8] Clean up tls_authentication_status and document it [Openvpn-devel,6/8] Rename DECRYPT_KEY_ENABLED to TLS_AUTHENTICATED [Openvpn-devel,7/8] Send AUTH_FAILED message to clients on renegotiation failures [Openvpn-devel,8/8] Make any auth failure tls_authentication_status return auth failed

Message ID

20201023120259.29783-3-arne@rfc2549.org

State

Accepted

Headers

From: Arne Schwabe <arne@rfc2549.org>
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 23 Oct 2020 14:02:55 +0200
Message-Id: <20201023120259.29783-3-arne@rfc2549.org>
In-Reply-To: <20201023120259.29783-1-arne@rfc2549.org>
References: <20201023113244.26295-1-arne@rfc2549.org>
 <20201023120259.29783-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 4/8] Improve keys out of sync message
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: openvpn-devel-bounces@lists.sourceforge.net

Series

[Openvpn-devel] Remove --disable-def-auth configure argument | expand

Commit Message

Arne Schwabe Oct. 23, 2020, 1:02 a.m. UTC

The current message basically lacks the information to actually figure
out why the keys are out of sync. This adds the missing information to
that diagnostic message.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/ssl.c | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)

Comments

Gert Doering Nov. 25, 2020, 4:14 a.m. UTC | #1

Acked-by: Gert Doering <gert@greenie.muc.de>

I have no test bed that will trigger this, but the change is
not hard to understand (extend print_key_id() with a 
"auth=make_string(ks->authenticated)", append the result to
the "TLS Error:" message.

All other users of print_key_id() are all "just debug output",
so the new format will not confuse anything.

Compile tested on the client.

As with 2/8, uncrustify does not like the indenting of the
new switch/case block.  Adjusted.

Your patch has been applied to the master branch.

commit f1f0f074bf6e7b91673bfa8cb08b3be44ebda76b
Author: Arne Schwabe
Date:   Fri Oct 23 14:02:55 2020 +0200

     Improve keys out of sync message

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20201023120259.29783-3-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21226.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 98ce38f9..79ad322a 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -763,6 +763,22 @@  state_name(int state)
     }
 }
 
+static const char *
+ks_auth_name(enum ks_auth_state auth)
+{
+    switch(auth)
+    {
+    case KS_AUTH_TRUE:
+        return "KS_AUTH_TRUE";
+    case KS_AUTH_DEFERRED:
+        return "KS_AUTH_DEFERRED";
+    case KS_AUTH_FALSE:
+        return "KS_AUTH_FALSE";
+    default:
+        return "KS_????";
+    }
+}
+
 static const char *
 packet_opcode_name(int op)
 {
@@ -833,8 +849,9 @@  print_key_id(struct tls_multi *multi, struct gc_arena *gc)
     for (int i = 0; i < KEY_SCAN_SIZE; ++i)
     {
         struct key_state *ks = get_key_scan(multi, i);
-        buf_printf(&out, " [key#%d state=%s id=%d sid=%s]", i,
-                   state_name(ks->state), ks->key_id,
+        buf_printf(&out, " [key#%d state=%s auth=%s id=%d sid=%s]", i,
+                   state_name(ks->state), ks_auth_name(ks->authenticated),
+                   ks->key_id,
                    session_id_print(&ks->session_id_remote, gc));
     }
 
@@ -3331,8 +3348,10 @@  handle_data_channel_packet(struct tls_multi *multi,
     }
 
     msg(D_TLS_ERRORS,
-        "TLS Error: local/remote TLS keys are out of sync: %s [%d]",
-        print_link_socket_actual(from, &gc), key_id);
+        "TLS Error: local/remote TLS keys are out of sync: %s "
+        "(received key id: %d, known key ids: %s)",
+        print_link_socket_actual(from, &gc), key_id,
+        print_key_id(multi, &gc));
 
 done:
     tls_clear_error();

[Openvpn-devel,4/8] Improve keys out of sync message

Commit Message

Comments

Patch