From 0a39d1c1e2582330db09052bcf0e32bbf5bafde2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?= Date: Thu, 26 Oct 2023 16:55:32 +0200 Subject: [PATCH] protocol_dump: tls-crypt support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add support for tls-crypt packets in protocol_dump(). Currently, protocol_dump() will print garbage for tls-crypt packets. This patch makes protocol_dump print the clear text parts of the packet such as the auth tag and replay packet id. It does not try to print the wKc for HARD_RESET_CLIENT_V3 or CONTROL_WKC_V1 packets. It also intentionally does not print ENCRYPTED placeholders for ack list and DATA, to cut down on the noise. Signed-off-by: Reynir Björnsson Acked-by: Arne Schwabe Message-Id: <8237adde-2523-9e48-5cd4-070463887dc1@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27310.html Signed-off-by: Gert Doering (cherry picked from commit 227799b8345128dd3adf2029323457804209fe93) --- src/openvpn/openvpn.h | 3 ++- src/openvpn/ssl.c | 26 ++++++++++++++++++++++++++ src/openvpn/ssl.h | 1 + 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index 5b2be63f98c..dabc5be4fd6 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -541,7 +541,8 @@ struct context #define PROTO_DUMP(buf, gc) protocol_dump((buf), \ PROTO_DUMP_FLAGS \ |(c->c2.tls_multi ? PD_TLS : 0) \ - |(c->options.tls_auth_file ? md_kt_size(c->c1.ks.key_type.digest) : 0), \ + |(c->options.tls_auth_file ? md_kt_size(c->c1.ks.key_type.digest) : 0) \ + |(c->options.tls_crypt_file || c->options.tls_crypt_v2_file ? PD_TLS_CRYPT : 0), \ gc) /* this represents "disabled peer-id" */ diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 12bc85f9270..18cd21f859f 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -4275,6 +4275,32 @@ protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc) } buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc)); } + /* + * packet_id + tls-crypt hmac + */ + if (flags & PD_TLS_CRYPT) + { + struct packet_id_net pin; + uint8_t tls_crypt_hmac[TLS_CRYPT_TAG_SIZE]; + + if (!packet_id_read(&pin, &buf, true)) + { + goto done; + } + buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc)); + if (!buf_read(&buf, tls_crypt_hmac, TLS_CRYPT_TAG_SIZE)) + { + goto done; + } + if (flags & PD_VERBOSE) + { + buf_printf(&out, " tls_crypt_hmac=%s", format_hex(tls_crypt_hmac, TLS_CRYPT_TAG_SIZE, 0, gc)); + } + /* + * Remainder is encrypted and optional wKc + */ + goto done; + } /* * ACK list diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 3c40fbed35b..e8427461f4e 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -525,6 +525,7 @@ tls_set_single_session(struct tls_multi *multi) #define PD_SHOW_DATA (1<<8) #define PD_TLS (1<<9) #define PD_VERBOSE (1<<10) +#define PD_TLS_CRYPT (1<<11) const char *protocol_dump(struct buffer *buffer, unsigned int flags,