| Message ID | 20230522091231.2837468-1-arne@rfc2549.org |
|---|---|
| State | New |
| Headers | show
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Received: by 2002:a05:7300:7b9a:b0:c3:1364:a2a2 with SMTP id j26csp1450218dyk;
Mon, 22 May 2023 02:13:16 -0700 (PDT)
X-Google-Smtp-Source:
ACHHUZ7sb5yFMV6KdFIvw6FLTj84bKnXco2LgOqWxs9axkZQ/+uNwSvXOpdFiZWdqSCe5c2+HaUB
X-Received: by 2002:a92:c852:0:b0:32f:776d:711 with SMTP id
b18-20020a92c852000000b0032f776d0711mr5238070ilq.30.1684746796573;
Mon, 22 May 2023 02:13:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1684746796; cv=none;
d=google.com; s=arc-20160816;
b=omhcxFZgE++2q7iY+gN3r2JE0aHUPo3AWhUISFeZsVXqlfOzm7KL4TngPxke6nmG31
HgsZ5LGAclBMh1jNIa6anUqlzeFO9VSu+J4+3xHvRZXasrNGYrWTFTmrWvzByCz3hcrA
D2DngzISZvwQjOSmKFvhx6re7WkdKFSDrSlY2oazIZ9Q5sm6RB8ZMD05JWWlkkkMQs39
4484CJjES0vtawtAVkc155G9qI83lfo1wA4lCBd3UvAECcdt5Mq06IeWAa8EYuOg29Zh
bzp/cw0XVIOSENa9hvrKtGVGcEgMX8q6Kk0/PZCQJwjeEJ5Gln/MottOxjMbVRKNY/w8
IePA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=errors-to:content-transfer-encoding:list-subscribe:list-help
:list-post:list-archive:list-unsubscribe:list-id:precedence:subject
:mime-version:message-id:date:to:from:dkim-signature:dkim-signature;
bh=P4/DCwjLlDJ2KwSywo8or8+spRTNfYH4B4+eLczSyPQ=;
b=Hb8PHc0KKrykD43Kl/n7WDPOkYfxIgFif7g0/MseTgNS/Xeh5OTR/bTLqojbdgCCLg
3nX3KvM68hQKm4nrScpIjJyi9tqqMvgi0cFM4xpMrOTsgYjMxiHLW7Mpf/3UCYSMo/qW
DnMT2ciPaIE4WTkrL7xPojAVr32IYSUaqsD+1+LGPL3o3o/OOgczBfDgwm6iYIZqs82G
nLosErcRryTcydGTyPB2B5pW0z0sd1k/K5kzFcose4GTZaKygls8/dIgFaMnGBusws33
uKUJVazhyYNV0m0AMJXuXtSLPALITrh8DT4c96ULBc7FvvpU4H9O7SjKOZ5w+fqfdRUM
zG2g==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=neutral (body hash did not verify) header.i=@sourceforge.net
header.s=x header.b="AIYaezE/";
dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
header.b=Z8q0GELa;
spf=pass (google.com: domain of
openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net
Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7])
by mx.google.com with ESMTPS id
i12-20020a92c94c000000b00335079f6927si2836838ilq.188.2023.05.22.02.13.16
(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
Mon, 22 May 2023 02:13:16 -0700 (PDT)
Received-SPF: pass (google.com: domain of
openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
permitted sender) client-ip=216.105.38.7;
Authentication-Results: mx.google.com;
dkim=neutral (body hash did not verify) header.i=@sourceforge.net
header.s=x header.b="AIYaezE/";
dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
header.b=Z8q0GELa;
spf=pass (google.com: domain of
openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net
Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com)
by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95)
(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
id 1q11ax-0004Ut-N9;
Mon, 22 May 2023 09:12:47 +0000
Received: from [172.30.20.202] (helo=mx.sourceforge.net)
by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95)
(envelope-from <arne@kamera.blinkt.de>) id 1q11aw-0004Um-3t
for openvpn-devel@lists.sourceforge.net;
Mon, 22 May 2023 09:12:46 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id:
Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=mXwtQEfuTPDmYKPoqRvdoc1M5/RyIpLg8s2HDGvo8yY=; b=AIYaezE/10r9cxB8ORp8BoVCEt
Tw4fOQVcvS0PlzwpP1ZLhhO++dYLhAVLnA5vxGUDufJ77ZIQ82N8HkDP0OlZuPw+oQa5G3qrH01Dm
aHJwrLDdB9DYdfJ647vG09DiKNe30QTxHlfrCPDXT8VdSTat596wS2kPqQGiu5FogfMk=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
;
h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:To:From:
Sender:Reply-To:Cc:Content-Type:Content-ID:Content-Description:Resent-Date:
Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:
List-Owner:List-Archive; bh=mXwtQEfuTPDmYKPoqRvdoc1M5/RyIpLg8s2HDGvo8yY=; b=Z
8q0GELaNBHCcJkWwDjORiX7MHSb7BxctR6+1Mi46SWfh4QV/2jeHwtfPLwg+vmcW0biHvI5oB52Oo
5/e7eGjmJiwaAEQELdToXckBbm7ikt8mx442K5YWdzDuuY5+Kq/j4RKXBS8ZpcMmF3NlXjds7MjYl
qnlGk+yioW5iY9R4=;
Received: from mail.blinkt.de ([192.26.174.232])
by sfi-mx-1.v28.lw.sourceforge.com with esmtps
(TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95)
id 1q11au-00FbRS-Je for openvpn-devel@lists.sourceforge.net;
Mon, 22 May 2023 09:12:46 +0000
Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c])
by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD))
(envelope-from <arne@kamera.blinkt.de>) id 1q11ah-000MVc-5o
for openvpn-devel@lists.sourceforge.net;
Mon, 22 May 2023 11:12:31 +0200
Received: (nullmailer pid 2837516 invoked by uid 10006);
Mon, 22 May 2023 09:12:31 -0000
From: Arne Schwabe <arne@rfc2549.org>
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 22 May 2023 11:12:31 +0200
Message-Id: <20230522091231.2837468-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
X-Spam-Score: 0.3 (/)
X-Spam-Report: Spam detection software,
running on the system "util-spamd-1.v13.lw.sourceforge.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: While it might be clear to people being (too?) well versed
in typical crypto applications that an authentication failure probably mean
wrong decryption key, this is not really obvious for the typical [...]
Content analysis details: (0.3 points, 6.0 required)
pts rule name description
---- ----------------------
--------------------------------------------------
0.0 SPF_NONE SPF: sender does not publish an SPF Record
0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
mail domains are different
X-Headers-End: 1q11au-00FbRS-Je
Subject: [Openvpn-devel] [PATCH] Print a more user-friendly error when
tls-crypt-v2 client auth fails
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
<mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive:
<http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
<mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox
X-GMAIL-THRID: =?utf-8?q?1766585057279769958?=
X-GMAIL-MSGID: =?utf-8?q?1766585057279769958?=
|
| Series |
[Openvpn-devel] Print a more user-friendly error when tls-crypt-v2 client auth fails
|
expand
|
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 88b2d6d7c..73542368e 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -524,6 +524,8 @@ tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata, dmsg(D_CRYPTO_DEBUG, "tag_check: %s", format_hex(tag_check, sizeof(tag_check), 0, &gc)); CRYPT_ERROR("client key authentication error"); + msg(D_TLS_DEBUG_LOW, "This might be a client-key that was generated for " + "a different tls-crypt-v2 server key)"); } if (buf_len(&plaintext) < sizeof(client_key->keys))
While it might be clear to people being (too?) well versed in typical crypto applications that an authentication failure probably mean wrong decryption key, this is not really obvious for the typical user/server admin. Change-Id: If0f0e7d53f915d39ab69aaaac43dc73bb9c26ae9 Signed-off-by: Arne Schwabe <arne@rfc2549.org> --- src/openvpn/tls_crypt.c | 2 ++ 1 file changed, 2 insertions(+)