From patchwork Mon May 22 09:12:31 2023
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 3234
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 22 May 2023 11:12:31 +0200
Message-Id: <20230522091231.2837468-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
Subject: [Openvpn-devel] [PATCH] Print a more user-friendly error when tls-crypt-v2 client auth fails

While it might be clear to people who are (too?) well versed in typical crypto applications that an authentication failure probably means a wrong decryption key, this is not really obvious for the typical user/server admin.

Change-Id: If0f0e7d53f915d39ab69aaaac43dc73bb9c26ae9
Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/tls_crypt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 88b2d6d7c..73542368e 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -524,6 +524,8 @@ tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata, dmsg(D_CRYPTO_DEBUG, "tag_check: %s", format_hex(tag_check, sizeof(tag_check), 0, &gc)); CRYPT_ERROR("client key authentication error"); + msg(D_TLS_DEBUG_LOW, "This might be a client-key that was generated for " + "a different tls-crypt-v2 server key)"); } if (buf_len(&plaintext) < sizeof(client_key->keys))
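Review bot: the added msg() in this hunk is placed after CRYPT_ERROR("client key authentication error"), and in OpenVPN's crypto code CRYPT_ERROR is a macro that logs and then does `goto error`; if tls_crypt.c uses that same definition, the new hint is unreachable and never printed. Either emit the hint before the CRYPT_ERROR line or fold it into that call's format string, e.g. `CRYPT_ERROR("client key authentication error (this might be a client key generated for a different tls-crypt-v2 server key)")`. Two smaller points on the same lines: the string literal ends with a stray closing parenthesis (`"a different tls-crypt-v2 server key)"`) that has no matching opening one, and D_TLS_DEBUG_LOW is only shown at --verb 3 or higher, whereas the server admin this patch is aimed at will typically run at the default verbosity and see only the D_CRYPT_ERRORS message, so the explanation is more useful logged at the same level as the error it explains.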