From patchwork Thu Oct 17 06:49:55 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gert Doering X-Patchwork-Id: 3898 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:29d4:b0:5b9:581e:f939 with SMTP id g20csp63705max; Wed, 16 Oct 2024 23:50:25 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCWkM5IkNAcvxFHFKedYRQYx0YSfvpWkNj392fSFSQrFVbSJG9c4ljxmQwvOf3Xt/mNRVahl7DbmoXM=@openvpn.net X-Google-Smtp-Source: AGHT+IGmMfUi7YeUClThtq1MHV7WwzS89jMjX3a9JrpL4cAurWuxGpeobJ9rcrpEtj0dTjrLDwHU X-Received: by 2002:a05:6830:917:b0:710:f926:709c with SMTP id 46e09a7af769-717df307e21mr13994794a34.25.1729147825025; Wed, 16 Oct 2024 23:50:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1729147825; cv=none; d=google.com; s=arc-20240605; b=i80SCkiYB7MRUx7AuHP1eq5NGgfUKbWRGebTEG3J93eWBLbn6zIRHJJXdQh4q47DJK NToXCUhiwf7q0v8H1AxaUddEJPrhRCaazEy9WCYo2zSt7iYmAJ/WGfK8+xux4Y/mvrR9 PNjGqvSq71r8O/B/NszvIxCsC9/LTJqjLauLtePye8UJWYWwxZMjr8aYGW8W067vf4H+ K7n24mWillADEiXttdbnZhj4ig6D8BnVefGbHBaBR6H8RF5nsl+7IK1ONb2fZVskTLuN yol4TKEfD3/9Owf6wVAiFMdFm+5CpD/IT+XbeWH+/p8hanve2FRGazjkLpxX2D66FMhN RKKg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature; bh=uNHq+e8RkYc27IBg45+rWCKbn5imj4GENQL6IB9ys8E=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=DGdzjQpkhxAVJZm1IeUfp3/RppVMYIa8tfaMNzDYVdDS+GL6cdmD3+uc0dkTOnqrhN Mn3SzjoKNez3A9dU7xNof9vhuQEQxVq4uFxBlIx7ZKR3k2VFZDbWX/KrNA+YaqewQ5vW Gf+olW82vaEPLYcB/ztuarnYQGmNpfUNAmmamxSGgB/LJE6I7anDPesMoK6caeAVdOZY JqAQ2PSV/mqLsh6xs75Z5x8yRxkPuFUIzCwomNHGXr4BzadEW+jb8zHU6Dkaa70OFgoy KvbF9q9h2wrNZwhdfU902ed3n/laJq3X1lsDDsrLm1Ks5pvUuurBjXcnc0z3+9wCjzuK GAtw==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=iWGuI3Dk; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=FIzy6bAM; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 46e09a7af769-717fba3116asi2736055a34.204.2024.10.16.23.50.24 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 16 Oct 2024 23:50:24 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=iWGuI3Dk; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=FIzy6bAM; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from [127.0.0.1] (helo=sfs-ml-3.v29.lw.sourceforge.com) by sfs-ml-3.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1t1KKr-0005F8-UN; Thu, 17 Oct 2024 06:50:13 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-3.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1t1KKq-0005F1-Jc for openvpn-devel@lists.sourceforge.net; Thu, 17 Oct 2024 06:50:12 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=H+7YGnQJgB//8f41VylhAbdaHAA67eOKuZ/ehevPA00=; b=iWGuI3DkpeuofLCPKwahEGGdtN AoPENKhO+4KTtjqvlpAK1wGBfpXAqidON7JYeNp8qXX5nUkWa7XHMP9u4hXk9vDpSPfh2qISa3xRK 8iWEFo6UrY7hgeIVoC6HKutX5hN6T2uf/3zaaE3FJOFGwlpMbz8IcBTkpruWAJ/Ahr8I=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=H+7YGnQJgB//8f41VylhAbdaHAA67eOKuZ/ehevPA00=; b=FIzy6bAMeK70ItBrjLXLUKTc3V A0oGQlnePNwpDlT9XQ1fQ03PnPSgwm3g3ze4aOX9Fb5xqXUxpV8mRDuI5NbAVYcOj9tGQYU26zwyj C+iOYcTfeLbWvMJSXvthZeBtpZBwZw091YcS7q2jipqkOBZ6ziTbixnZoifVlapOTUrQ=; Received: from dhcp-174.greenie.muc.de ([193.149.48.174] helo=blue.greenie.muc.de) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1t1KKm-00064d-H6 for openvpn-devel@lists.sourceforge.net; Thu, 17 Oct 2024 06:50:11 +0000 Received: from blue.greenie.muc.de (localhost [127.0.0.1]) by blue.greenie.muc.de (8.17.1.9/8.17.1.9) with ESMTP id 49H6nuH3023969 for ; Thu, 17 Oct 2024 08:49:56 +0200 Received: (from gert@localhost) by blue.greenie.muc.de (8.17.1.9/8.17.1.9/Submit) id 49H6nuf4023968 for openvpn-devel@lists.sourceforge.net; Thu, 17 Oct 2024 08:49:56 +0200 From: Gert Doering To: openvpn-devel@lists.sourceforge.net Date: Thu, 17 Oct 2024 08:49:55 +0200 Message-ID: <20241017064955.23959-1-gert@greenie.muc.de> X-Mailer: git-send-email 2.45.2 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: -0.0 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Steffan Karger * Make decryption error messages better understandable. * Increase verbosity level for authentication errors, because those can be expected on bad connections. Content analysis details: (-0.0 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record -0.0 SPF_HELO_PASS SPF: HELO matches SPF record X-Headers-End: 1t1KKm-00064d-H6 Subject: [Openvpn-devel] [PATCH v1] Improve data channel crypto error messages X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1813142909477191779?= X-GMAIL-MSGID: =?utf-8?q?1813142909477191779?= From: Steffan Karger * Make decryption error messages better understandable. * Increase verbosity level for authentication errors, because those can be expected on bad connections. Change-Id: I0fd48191babe4fe5c56f10eb3ba88182ffb075d1 Signed-off-by: Steffan Karger Acked-by: MaxF --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/774 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): MaxF diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 12ad0b9..064e59e 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -459,14 +459,14 @@ if (!cipher_ctx_update(ctx->cipher, BPTR(&work), &outlen, BPTR(buf), data_len)) { - CRYPT_ERROR("cipher update failed"); + CRYPT_ERROR("packet decryption failed"); } ASSERT(buf_inc_len(&work, outlen)); if (!cipher_ctx_final_check_tag(ctx->cipher, BPTR(&work) + outlen, &outlen, tag_ptr, tag_size)) { - CRYPT_ERROR("cipher final failed"); + CRYPT_DROP("packet tag authentication failed"); } ASSERT(buf_inc_len(&work, outlen)); @@ -538,7 +538,7 @@ /* Compare locally computed HMAC with packet HMAC */ if (memcmp_constant_time(local_hmac, BPTR(buf), hmac_len)) { - CRYPT_ERROR("packet HMAC authentication failed"); + CRYPT_DROP("packet HMAC authentication failed"); } ASSERT(buf_advance(buf, hmac_len)); @@ -572,26 +572,26 @@ /* ctx->cipher was already initialized with key & keylen */ if (!cipher_ctx_reset(ctx->cipher, iv_buf)) { - CRYPT_ERROR("cipher init failed"); + CRYPT_ERROR("decrypt initialization failed"); } /* Buffer overflow check (should never happen) */ if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher))) { - CRYPT_ERROR("potential buffer overflow"); + CRYPT_ERROR("packet too big to decrypt"); } /* Decrypt packet ID, payload */ if (!cipher_ctx_update(ctx->cipher, BPTR(&work), &outlen, BPTR(buf), BLEN(buf))) { - CRYPT_ERROR("cipher update failed"); + CRYPT_ERROR("packet decryption failed"); } ASSERT(buf_inc_len(&work, outlen)); /* Flush the decryption buffer */ if (!cipher_ctx_final(ctx->cipher, BPTR(&work) + outlen, &outlen)) { - CRYPT_ERROR("cipher final failed"); + CRYPT_DROP("packet authentication failed, dropping."); } ASSERT(buf_inc_len(&work, outlen)); diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 61184bc..d91de74 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -288,8 +288,11 @@ * security operation functions. */ }; -#define CRYPT_ERROR(format) \ - do { msg(D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false) +#define CRYPT_ERROR_EXIT(flags, format) \ + do { msg(flags, "%s: " format, error_prefix); goto error_exit; } while (false) + +#define CRYPT_ERROR(format) CRYPT_ERROR_EXIT(D_CRYPT_ERRORS, format) +#define CRYPT_DROP(format) CRYPT_ERROR_EXIT(D_MULTI_DROPPED, format) /** * Minimal IV length for AEAD mode ciphers (in bytes):