fix(p2p): improve error types for connection signaling

(#2193)

Add AnswerNotProvided variant to P2pConnectionErrorResponse
to distinguish empty relay answers from generic internal
errors in the discovery signaling path.

Add OfferDecryptErrorKind enum to distinguish actual
decryption failures from identity key mismatches in the
exchange signaling path. Key mismatches now log a security
warning while still responding with SignalDecryptionFailed
to avoid leaking information to potential attackers.

Author: iostat

crates/p2p/src/channels/p2p_channels_effectful_effects.rs

@@ -6,7 +6,9 @@ use crate::webrtc::{Offer, P2pConnectionResponse};
 use super::{
     signaling::{
         discovery::{P2pChannelsSignalingDiscoveryAction, SignalingDiscoveryChannelMsg},
-        exchange::{P2pChannelsSignalingExchangeAction, SignalingExchangeChannelMsg},
+        exchange::{
+            OfferDecryptErrorKind, P2pChannelsSignalingExchangeAction, SignalingExchangeChannelMsg,
+        },
     },
     ChannelMsg, MsgId, P2pChannelsEffectfulAction, P2pChannelsService,
 };
@@ -85,13 +87,20 @@ impl P2pChannelsEffectfulAction {
                     Err(_) => {
                         store.dispatch(P2pChannelsSignalingExchangeAction::OfferDecryptError {
                             peer_id,
+                            error: OfferDecryptErrorKind::DecryptionFailed,
                         });
                     }
                     Ok(offer) if offer.identity_pub_key != pub_key => {
-                        // TODO(binier): propagate specific error.
-                        // This is invalid behavior either from relayer or offerer.
+                        // The offer's embedded identity key doesn't match the
+                        // expected public key. This indicates a compromised relay,
+                        // offer tampering, or wrong key pair usage.
+                        //
+                        // We deliberately respond with SignalDecryptionFailed
+                        // rather than a specific mismatch error to avoid leaking
+                        // information to a potential attacker.
                         store.dispatch(P2pChannelsSignalingExchangeAction::OfferDecryptError {
                             peer_id,
+                            error: OfferDecryptErrorKind::IdentityKeyMismatch,
                         });
                     }
                     Ok(offer) => {

crates/p2p/src/channels/signaling/discovery/p2p_channels_signaling_discovery_reducer.rs

@@ -375,10 +375,9 @@ impl P2pChannelsSignalingDiscoveryState {
 
                 let dispatcher = state_context.into_dispatcher();
                 match answer {
-                    // TODO(binier): custom error
                     None => dispatcher.push(P2pConnectionOutgoingAction::AnswerRecvError {
                         peer_id: target_public_key.peer_id(),
-                        error: P2pConnectionErrorResponse::InternalError,
+                        error: P2pConnectionErrorResponse::AnswerNotProvided,
                     }),
                     Some(answer) => dispatcher.push(
                         P2pChannelsEffectfulAction::SignalingDiscoveryAnswerDecrypt {

crates/p2p/src/channels/signaling/exchange/p2p_channels_signaling_exchange_actions.rs

@@ -11,6 +11,12 @@ use crate::{
 
 use super::{P2pChannelsSignalingExchangeState, SignalingExchangeState};
 
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub enum OfferDecryptErrorKind {
+    DecryptionFailed,
+    IdentityKeyMismatch,
+}
+
 #[derive(Debug, Clone, Serialize, Deserialize, ActionEvent)]
 #[action_event(fields(display(peer_id)))]
 pub enum P2pChannelsSignalingExchangeAction {
@@ -36,6 +42,7 @@ pub enum P2pChannelsSignalingExchangeAction {
     },
     OfferDecryptError {
         peer_id: PeerId,
+        error: OfferDecryptErrorKind,
     },
     OfferDecryptSuccess {
         peer_id: PeerId,
@@ -126,7 +133,7 @@ impl redux::EnablingCondition<P2pState> for P2pChannelsSignalingExchangeAction {
                     }
                     _ => false,
                 }),
-            P2pChannelsSignalingExchangeAction::OfferDecryptError { peer_id } => state
+            P2pChannelsSignalingExchangeAction::OfferDecryptError { peer_id, .. } => state
                 .get_ready_peer(peer_id)
                 .is_some_and(|p| match &p.channels.signaling.exchange {
                     P2pChannelsSignalingExchangeState::Ready { local, .. } => {

crates/p2p/src/channels/signaling/exchange/p2p_channels_signaling_exchange_reducer.rs

@@ -117,7 +117,14 @@ impl P2pChannelsSignalingExchangeState {
                 });
                 Ok(())
             }
-            P2pChannelsSignalingExchangeAction::OfferDecryptError { .. } => {
+            P2pChannelsSignalingExchangeAction::OfferDecryptError { error, .. } => {
+                if matches!(error, super::OfferDecryptErrorKind::IdentityKeyMismatch) {
+                    tracing::warn!(
+                        %peer_id,
+                        "offer identity key mismatch: possible relay \
+                         tampering or spoofed offer"
+                    );
+                }
                 let dispatcher = state_context.into_dispatcher();
                 let answer = P2pConnectionResponse::SignalDecryptionFailed;
                 dispatcher.push(P2pChannelsSignalingExchangeAction::AnswerSend { peer_id, answer });

crates/p2p/src/connection/mod.rs

@@ -27,4 +27,6 @@ pub enum P2pConnectionErrorResponse {
     SignalDecryptionFailed,
     #[error("internal error")]
     InternalError,
+    #[error("answer not provided")]
+    AnswerNotProvided,
 }

crates/p2p/src/connection/outgoing/p2p_connection_outgoing_actions.rs

@@ -190,7 +190,8 @@ impl redux::EnablingCondition<P2pState> for P2pConnectionOutgoingAction {
                         }
                         P2pConnectionOutgoingError::Rejected(_)
                         | P2pConnectionOutgoingError::RemoteSignalDecryptionFailed
-                        | P2pConnectionOutgoingError::RemoteInternalError => {
+                        | P2pConnectionOutgoingError::RemoteInternalError
+                        | P2pConnectionOutgoingError::RemoteAnswerNotProvided => {
                             matches!(s, P2pConnectionOutgoingState::AnswerRecvPending { .. })
                         }
                         P2pConnectionOutgoingError::FinalizeError(_) => {

crates/p2p/src/connection/outgoing/p2p_connection_outgoing_reducer.rs

@@ -327,6 +327,9 @@ impl P2pConnectionOutgoingState {
                         P2pConnectionErrorResponse::InternalError => {
                             P2pConnectionOutgoingError::RemoteInternalError
                         }
+                        P2pConnectionErrorResponse::AnswerNotProvided => {
+                            P2pConnectionOutgoingError::RemoteAnswerNotProvided
+                        }
                     },
                 });
                 Ok(())

crates/p2p/src/connection/outgoing/p2p_connection_outgoing_state.rs

@@ -159,6 +159,8 @@ pub enum P2pConnectionOutgoingError {
     RemoteSignalDecryptionFailed,
     #[error("remote internal error")]
     RemoteInternalError,
+    #[error("remote answer not provided")]
+    RemoteAnswerNotProvided,
     #[error("finalization error: {0}")]
     FinalizeError(String),
     #[error("connection authorization error")]