protocol_dump: tls-crypt support
Add support for tls-crypt packets in protocol_dump(). Currently,
protocol_dump() will print garbage for tls-crypt packets.

This patch makes protocol_dump print the clear text parts of the packet such
as the auth tag and replay packet id. It does not try to print the wKc for
HARD_RESET_CLIENT_V3 or CONTROL_WKC_V1 packets.  It also intentionally
does not print ENCRYPTED placeholders for ack list and DATA, to cut down
on the noise.

Signed-off-by: Reynir Björnsson <[email protected]>

Acked-by: Arne Schwabe <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg27310.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 227799b)
reynir authored and cron2 committed Nov 20, 2023
1 parent 3b0d948 commit 0a39d1c
Showing 3 changed files with 29 additions and 1 deletion.
3 changes: 2 additions & 1 deletion src/openvpn/openvpn.h
Expand Up @@ -541,7 +541,8 @@ struct context
#define PROTO_DUMP(buf, gc) protocol_dump((buf), \
PROTO_DUMP_FLAGS \
|(c->c2.tls_multi ? PD_TLS : 0) \
|(c->options.tls_auth_file ? md_kt_size(c->c1.ks.key_type.digest) : 0), \
|(c->options.tls_auth_file ? md_kt_size(c->c1.ks.key_type.digest) : 0) \
|(c->options.tls_crypt_file || c->options.tls_crypt_v2_file ? PD_TLS_CRYPT : 0), \
gc)

/* this represents "disabled peer-id" */
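Review bot: The new PD_TLS_CRYPT bit is OR'ed into the same flags word whose low bits carry the tls-auth HMAC size, so PROTO_DUMP silently relies on the option parser never leaving tls_auth_file set alongside tls_crypt_file or tls_crypt_v2_file; if both were ever set, protocol_dump would try to consume both a tls-auth HMAC and a tls-crypt tag from the same packet. That dependency is invisible at the macro, so a one-line comment above it would help, e.g. `/* NOTE: assumes --tls-auth and --tls-crypt are never both configured, so the HMAC-size bits and PD_TLS_CRYPT are mutually exclusive */` (hedged: the check that enforces this is not in the hunk). The `||` inside the conditional binds tighter than `?:`, so the new line parses as intended, but writing `(c->options.tls_crypt_file || c->options.tls_crypt_v2_file) ? PD_TLS_CRYPT : 0` spares the next reader the precedence lookup.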
26 changes: 26 additions & 0 deletions src/openvpn/ssl.c
Expand Up @@ -4275,6 +4275,32 @@ protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
}
buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc));
}
/*
* packet_id + tls-crypt hmac
*/
if (flags & PD_TLS_CRYPT)
{
struct packet_id_net pin;
uint8_t tls_crypt_hmac[TLS_CRYPT_TAG_SIZE];

if (!packet_id_read(&pin, &buf, true))
{
goto done;
}
buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc));
if (!buf_read(&buf, tls_crypt_hmac, TLS_CRYPT_TAG_SIZE))
{
goto done;
}
if (flags & PD_VERBOSE)
{
buf_printf(&out, " tls_crypt_hmac=%s", format_hex(tls_crypt_hmac, TLS_CRYPT_TAG_SIZE, 0, gc));
}
/*
* Remainder is encrypted and optional wKc
*/
goto done;
}

/*
* ACK list
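Review bot: The header comment `packet_id + tls-crypt hmac` understates two wire-layout facts the code itself encodes and that a reader of this dump needs: the replay packet id is read in long form (`packet_id_read(..., true)`) and it precedes the tag, whereas the tls-auth block above appears to print its pid last, after HMAC handling that lies before the hunk. Suggest `/* tls-crypt: long-form packet_id, then a TLS_CRYPT_TAG_SIZE tag; everything after that is encrypted */` in place of the current header comment. Because the block ends in an unconditional `goto done`, a packet truncated inside the tag fails the `buf_read` and prints a `pid=` with no hint that the tag was short; that mirrors the silent `goto done` on the tls-auth path and is acceptable, but the trailing comment could say so, e.g. `/* Remainder is encrypted (and optional wKc); nothing further to dump in clear, even on short read */`. protocol_dump begins and ends outside this hunk.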
1 change: 1 addition & 0 deletions src/openvpn/ssl.h
Expand Up @@ -525,6 +525,7 @@ tls_set_single_session(struct tls_multi *multi)
#define PD_SHOW_DATA (1<<8)
#define PD_TLS (1<<9)
#define PD_VERBOSE (1<<10)
#define PD_TLS_CRYPT (1<<11)

const char *protocol_dump(struct buffer *buffer,
unsigned int flags,
