[Openvpn-devel] Print a more user-friendly error when tls-crypt-v2 client auth fails

Message ID 20230522091231.2837468-1-arne@rfc2549.org
State New
Headers show
Series [Openvpn-devel] Print a more user-friendly error when tls-crypt-v2 client auth fails | expand

Commit Message

Arne Schwabe May 22, 2023, 9:12 a.m. UTC
While it might be clear to people being (too?) well versed in
typical crypto applications that an authentication failure probably
mean wrong decryption key, this is not really obvious for the typical
user/server admin.

Change-Id: If0f0e7d53f915d39ab69aaaac43dc73bb9c26ae9
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/tls_crypt.c | 2 ++
 1 file changed, 2 insertions(+)

Patch

diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 88b2d6d7c..73542368e 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -524,6 +524,8 @@  tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata,
         dmsg(D_CRYPTO_DEBUG, "tag_check: %s",
              format_hex(tag_check, sizeof(tag_check), 0, &gc));
         CRYPT_ERROR("client key authentication error");
+        msg(D_TLS_DEBUG_LOW, "This might be a client-key that was generated for "
+            "a different tls-crypt-v2 server key)");
     }
 
     if (buf_len(&plaintext) < sizeof(client_key->keys))