From 7a477c16a7c2a7016c7b15ea98fe3c40e8ef675b Mon Sep 17 00:00:00 2001
From: Arne Schwabe
Date: Mon, 22 May 2023 11:12:31 +0200
Subject: [PATCH] Print a more user-friendly error when tls-crypt-v2 client auth fails
While it might be clear to people being (too?) well versed in typical crypto applications that an authentication failure probably mean wrong decryption key, this is not really obvious for the typical user/server admin.
Change-Id: If0f0e7d53f915d39ab69aaaac43dc73bb9c26ae9
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
Message-Id: <20230522091231.2837468-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26718.html
Signed-off-by: Gert Doering
---
 src/openvpn/tls_crypt.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index c97f9257a..975d31faf 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -522,6 +522,8 @@ tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata,
 dmsg(D_CRYPTO_DEBUG, "tag_check: %s",
 format_hex(tag_check, sizeof(tag_check), 0, &gc));
 CRYPT_ERROR("client key authentication error");
+ msg(D_TLS_DEBUG_LOW, "This might be a client-key that was generated for " "a different tls-crypt-v2 server key)");
 }
 if (buf_len(&plaintext) < sizeof(client_key->keys))
-- 2.47.3
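Review bot: The new hint is placed after `CRYPT_ERROR("client key authentication error");`, and if that macro exits the function via a jump to its error label, as its use as the sole error path here suggests (its definition is not in the hunk), the added `msg()` is unreachable and the friendlier message is never printed. Move the hint above it so the block reads `msg(D_TLS_DEBUG_LOW, "This might be a client-key that was generated for " "a different tls-crypt-v2 server key");` followed by `CRYPT_ERROR("client key authentication error");`. The new string literal also ends with an unbalanced `)` — `"a different tls-crypt-v2 server key)"` should be `"a different tls-crypt-v2 server key"`. Since D_TLS_DEBUG_LOW is presumably a higher verbosity than the level CRYPT_ERROR logs at, the hint may not be visible at the default --verb; consider emitting it at the same level as the error it explains. The enclosing tls_crypt_v2_unwrap_client_key begins and ends outside the hunk.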