Print a more user-friendly error when tls-crypt-v2 client auth fails

While it might be clear to people being (too?) well versed in typical crypto applications that an authentication failure probably mean wrong decryption key, this is not really obvious for the typical user/server admin. Change-Id: If0f0e7d53f915d39ab69aaaac43dc73bb9c26ae9 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20230522091231.2837468-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26718.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-09-20 03:52:28 +02:00 · 2023-05-22 11:12:31 +02:00 · 2023-05-22 11:12:31 +02:00 · 7a477c16a7
commit 7a477c16a7
parent 53055fd23e
1 changed files with 2 additions and 0 deletions
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@ -522,6 +522,8 @@ tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata,
        dmsg(D_CRYPTO_DEBUG, "tag_check: %s",
             format_hex(tag_check, sizeof(tag_check), 0, &gc));
        CRYPT_ERROR("client key authentication error");
+        msg(D_TLS_DEBUG_LOW, "This might be a client-key that was generated for "
+            "a different tls-crypt-v2 server key)");
    }

    if (buf_len(&plaintext) < sizeof(client_key->keys))