diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index 5b2be63f98c..dabc5be4fd6 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -541,7 +541,8 @@ struct context #define PROTO_DUMP(buf, gc) protocol_dump((buf), \ PROTO_DUMP_FLAGS \ |(c->c2.tls_multi ? PD_TLS : 0) \ - |(c->options.tls_auth_file ? md_kt_size(c->c1.ks.key_type.digest) : 0), \ + |(c->options.tls_auth_file ? md_kt_size(c->c1.ks.key_type.digest) : 0) \ + |(c->options.tls_crypt_file || c->options.tls_crypt_v2_file ? PD_TLS_CRYPT : 0), \ gc) /* this represents "disabled peer-id" */ diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 12bc85f9270..18cd21f859f 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -4275,6 +4275,32 @@ protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc) } buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc)); } + /* + * packet_id + tls-crypt hmac + */ + if (flags & PD_TLS_CRYPT) + { + struct packet_id_net pin; + uint8_t tls_crypt_hmac[TLS_CRYPT_TAG_SIZE]; + + if (!packet_id_read(&pin, &buf, true)) + { + goto done; + } + buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc)); + if (!buf_read(&buf, tls_crypt_hmac, TLS_CRYPT_TAG_SIZE)) + { + goto done; + } + if (flags & PD_VERBOSE) + { + buf_printf(&out, " tls_crypt_hmac=%s", format_hex(tls_crypt_hmac, TLS_CRYPT_TAG_SIZE, 0, gc)); + } + /* + * Remainder is encrypted and optional wKc + */ + goto done; + } /* * ACK list diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 3c40fbed35b..e8427461f4e 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -525,6 +525,7 @@ tls_set_single_session(struct tls_multi *multi) #define PD_SHOW_DATA (1<<8) #define PD_TLS (1<<9) #define PD_VERBOSE (1<<10) +#define PD_TLS_CRYPT (1<<11) const char *protocol_dump(struct buffer *buffer, unsigned int flags,