From patchwork Sun Sep 29 08:18:54 2024
X-Patchwork-Submitter: "flichtenheld (Code Review)"
X-Patchwork-Id: 3882
From: "syzzer (Code Review)"
Date: Sun, 29 Sep 2024 08:18:54 +0000
To: plaisthos, flichtenheld
Cc: openvpn-devel
Subject: [Openvpn-devel] [S] Change in openvpn[master]: Improve data channel crypto error messages
X-Gerrit-PatchSet: 1
X-Gerrit-MessageType: newchange
X-Gerrit-Change-Id: I0fd48191babe4fe5c56f10eb3ba88182ffb075d1
X-Gerrit-Change-Number: 774
X-Gerrit-Project: openvpn
X-Gerrit-Commit: 9b3ed20763ddaaf8c34476161689efbbd218254a

Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos, flichtenheld,

I'd like you to do a code review.
Please visit http://gerrit.openvpn.net/c/openvpn/+/774?usp=email to review the following change.

Change subject: Improve data channel crypto error messages
......................................................................

Improve data channel crypto error messages

* Make decryption error messages better understandable.
* Increase verbosity level for authentication errors, because those can be expected on bad connections.

Change-Id: I0fd48191babe4fe5c56f10eb3ba88182ffb075d1
Signed-off-by: Steffan Karger
---
M src/openvpn/crypto.c
M src/openvpn/crypto.h
2 files changed, 12 insertions(+), 9 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/74/774/1

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 12ad0b9..064e59e 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -459,14 +459,14 @@ if (!cipher_ctx_update(ctx->cipher, BPTR(&work), &outlen, BPTR(buf), data_len)) { - CRYPT_ERROR("cipher update failed"); + CRYPT_ERROR("packet decryption failed"); } ASSERT(buf_inc_len(&work, outlen)); if (!cipher_ctx_final_check_tag(ctx->cipher, BPTR(&work) + outlen, &outlen, tag_ptr, tag_size)) { - CRYPT_ERROR("cipher final failed"); + CRYPT_DROP("packet tag authentication failed"); } ASSERT(buf_inc_len(&work, outlen));
@@ -538,7 +538,7 @@ /* Compare locally computed HMAC with packet HMAC */ if (memcmp_constant_time(local_hmac, BPTR(buf), hmac_len)) { - CRYPT_ERROR("packet HMAC authentication failed"); + CRYPT_DROP("packet HMAC authentication failed"); } ASSERT(buf_advance(buf, hmac_len)); @@ -572,26 +572,26 @@ /* ctx->cipher was already initialized with key & keylen */ if (!cipher_ctx_reset(ctx->cipher, iv_buf)) { - CRYPT_ERROR("cipher init failed"); + CRYPT_ERROR("decrypt initialization failed"); } /* Buffer overflow check (should never happen) */ if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher))) { - CRYPT_ERROR("potential buffer overflow"); + CRYPT_ERROR("packet too big to decrypt"); } /* Decrypt packet ID, payload */ if (!cipher_ctx_update(ctx->cipher, BPTR(&work), &outlen, BPTR(buf), BLEN(buf))) { - CRYPT_ERROR("cipher update failed"); + CRYPT_ERROR("packet decryption failed"); } ASSERT(buf_inc_len(&work, outlen)); /* Flush the decryption buffer */ if (!cipher_ctx_final(ctx->cipher, BPTR(&work) + outlen, &outlen)) { - CRYPT_ERROR("cipher final failed"); + CRYPT_DROP("packet authentication failed, dropping."); } ASSERT(buf_inc_len(&work, outlen)); diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 61184bc..d91de74 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -288,8 +288,11 @@ * security operation functions. */ }; -#define CRYPT_ERROR(format) \ - do { msg(D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false) +#define CRYPT_ERROR_EXIT(flags, format) \ + do { msg(flags, "%s: " format, error_prefix); goto error_exit; } while (false) + +#define CRYPT_ERROR(format) CRYPT_ERROR_EXIT(D_CRYPT_ERRORS, format) +#define CRYPT_DROP(format) CRYPT_ERROR_EXIT(D_MULTI_DROPPED, format) /** * Minimal IV length for AEAD mode ciphers (in bytes):
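Review bot: in the `@@ -459,14 +459,14 @@` hunk of src/openvpn/crypto.c, the `cipher_ctx_final_check_tag` failure moves from `CRYPT_ERROR` to `CRYPT_DROP`, which per the crypto.h hunk logs with `D_MULTI_DROPPED` instead of `D_CRYPT_ERRORS`, so tag failures no longer appear alongside the other crypto errors. The commit message justifies this for bad connections, but a sustained run of authentication failures is also what a key mismatch or forged packets look like to an operator. Suggest stating in the commit message at which verbosity these messages are now visible, and considering a counted or rate-limited message at the old level so a burst is still noticed. The same point applies to the `memcmp_constant_time` HMAC compare in the `@@ -538,7 +538,7 @@` hunk.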
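Review bot: in the `@@ -572,26 +572,26 @@` hunk of src/openvpn/crypto.c, the `cipher_ctx_final` failure is now reported as "packet authentication failed, dropping." and demoted to `CRYPT_DROP`, but this call sits under the comment "Flush the decryption buffer" and, unlike `cipher_ctx_final_check_tag` in the first hunk, is passed no tag; the authentication check visible in this part of the file is the HMAC compare in the `@@ -538,7 +538,7 @@` hunk. Labelling a finalization failure as an authentication failure will mislead whoever reads the log, so suggest wording it as a decryption failure and keeping it at `CRYPT_ERROR` unless there is a reason it is expected on bad connections. The ", dropping." suffix and trailing period also differ from every other message in the patch. Separately, "packet too big to decrypt" replaces "potential buffer overflow" under a comment that still says "(should never happen)"; the comment and message should agree.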
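Review bot: the new `CRYPT_ERROR_EXIT`, `CRYPT_ERROR` and `CRYPT_DROP` macros in the `@@ -288,8 +288,11 @@` hunk of src/openvpn/crypto.h carry no comment saying when a call site should use which, although that choice now decides whether a failure is logged with `D_CRYPT_ERRORS` or `D_MULTI_DROPPED`. Suggest a short doc comment above them covering the intended split (unexpected internal failure versus per-packet failure expected on a bad connection), that all three `goto error_exit` and need `error_prefix` in scope, and that `format` must be a string literal because it is concatenated with `"%s: "`. The name `D_MULTI_DROPPED` does not read as crypto-related; if it is reused here on purpose, say so in the comment, otherwise a dedicated flag for dropped unauthenticated packets would be clearer.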