[Openvpn-devel] Print a more user-friendly error when tls-crypt-v2 client auth fails

Message ID 20230522091231.2837468-1-arne@rfc2549.org
State Accepted

Commit Message

Arne Schwabe May 22, 2023, 9:12 a.m. UTC
While it might be clear to people being (too?) well versed in
typical crypto applications that an authentication failure probably
means a wrong decryption key, this is not really obvious for the typical
user/server admin.

Change-Id: If0f0e7d53f915d39ab69aaaac43dc73bb9c26ae9
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/tls_crypt.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Gert Doering July 10, 2023, 5:13 p.m. UTC | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

I find this a useful addition - with all this crypto stuff it can be
quite hard to figure out what particular detail is not right.

The patch is trivial, just adding a msg(), so I did not really test
it beyond "compile?" and "does it have a space before or after the
wrap?" (it has).

Your patch has been applied to the master branch.

commit 7a477c16a7c2a7016c7b15ea98fe3c40e8ef675b (master)
commit 66f51e80b981f08ebc3c38f3fac7d0c88caeb85d (release/2.6)
Author: Arne Schwabe
Date:   Mon May 22 11:12:31 2023 +0200

     Print a more user-friendly error when tls-crypt-v2 client auth fails

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20230522091231.2837468-1-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26718.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 88b2d6d7c..73542368e 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -524,6 +524,8 @@  tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata,
         dmsg(D_CRYPTO_DEBUG, "tag_check: %s",
              format_hex(tag_check, sizeof(tag_check), 0, &gc));
         CRYPT_ERROR("client key authentication error");
+        msg(D_TLS_DEBUG_LOW, "This might be a client-key that was generated for "
+            "a different tls-crypt-v2 server key)");
     }
 
     if (buf_len(&plaintext) < sizeof(client_key->keys))
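Review bot: the new msg() on the two added lines sits after CRYPT_ERROR("client key authentication error"); if that macro ends with a jump to the function's error label, as error macros of this kind usually do, the hint is never printed, so it should be moved to just before the CRYPT_ERROR call, e.g.

    msg(D_TLS_DEBUG_LOW, "This might be a client-key that was generated for "
        "a different tls-crypt-v2 server key");
    CRYPT_ERROR("client key authentication error");

Also, the message text in the second added line closes with a stray ")" ("server key)") that has no matching opening parenthesis; drop it. Finally, the hint is logged at D_TLS_DEBUG_LOW while the error itself goes out at the CRYPT_ERROR level, so an admin running at default verbosity will see the authentication error but not the hint that explains it; consider logging both at the same level.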