Re: [Openvpn-devel] [PATCH] protocol_dump: support tls-crypt

2023-11-20 Thread Arne Schwabe

On 30.10.23 at 11:58, Reynir wrote:

> Dear list,
>
> Please find attached a patch to add support for tls-crypt packets in
> protocol_dump. Currently, protocol_dump will print garbage for tls-crypt
> packets.
>
> This patch makes protocol_dump print the clear text parts of the packet
> such as the auth tag and replay packet id. It does not try to print the
> wKc for HARD_RESET_CLIENT_V3 or CONTROL_WKC_V1 packets. A previous
> iteration, not submitted to the list, printed ENCRYPTED placeholders for
> ack list and DATA, but I decided to cut down on the noise instead.
>
> This is my first patch submitted to openvpn so please bear with me.



Code looks good and works fine here.

Acked-By: Arne Schwabe 



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [PATCH] protocol_dump: support tls-crypt

2023-10-30 Thread Reynir

Dear list,

Please find attached a patch to add support for tls-crypt packets in 
protocol_dump. Currently, protocol_dump will print garbage for tls-crypt 
packets.


This patch makes protocol_dump print the clear text parts of the packet 
such as the auth tag and replay packet id. It does not try to print the 
wKc for HARD_RESET_CLIENT_V3 or CONTROL_WKC_V1 packets. A previous 
iteration, not submitted to the list, printed ENCRYPTED placeholders for 
ack list and DATA, but I decided to cut down on the noise instead.


This is my first patch submitted to openvpn so please bear with me.

Best,
Reynir Björnsson

From 11926a6234b860a09965e5a074460abe4b4f6e71 Mon Sep 17 00:00:00 2001
From: Reynir Björnsson
Date: Thu, 26 Oct 2023 16:55:32 +0200
Subject: [PATCH] protocol_dump: tls-crypt support

---
 src/openvpn/openvpn.h |  3 ++-
 src/openvpn/ssl.c | 26 ++
 src/openvpn/ssl.h |  1 +
 3 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h
index 077effeb..0816360d 100644
--- a/src/openvpn/openvpn.h
+++ b/src/openvpn/openvpn.h
@@ -544,7 +544,8 @@ struct context
 #define PROTO_DUMP(buf, gc) protocol_dump((buf), \
   PROTO_DUMP_FLAGS   \
   |(c->c2.tls_multi ? PD_TLS : 0)   \
-  |(c->options.tls_auth_file ? md_kt_size(c->c1.ks.key_type.digest) : 0), \
+  |(c->options.tls_auth_file ? md_kt_size(c->c1.ks.key_type.digest) : 0) \
+  |(c->options.tls_crypt_file || c->options.tls_crypt_v2_file ? PD_TLS_CRYPT : 0), \
   gc)
 
 /* this represents "disabled peer-id" */
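Review bot: the new `|(c->options.tls_crypt_file || c->options.tls_crypt_v2_file ? PD_TLS_CRYPT : 0)` term depends on `||` binding tighter than `?:`. That is correct C, but writing it as `|((c->options.tls_crypt_file || c->options.tls_crypt_v2_file) ? PD_TLS_CRYPT : 0)` makes the intent obvious and matches the parenthesised tls_auth term on the line above. A short comment on the macro would also help: the tls_auth term ORs a digest length from md_kt_size() into the same flags word, so every PD_* bit, PD_TLS_CRYPT included, has to stay above the range those lengths can occupy.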
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 5e6205cc..8bd3cb00 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -4202,6 +4202,32 @@ protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
 }
 buf_printf(, " pid=%s", packet_id_net_print(, (flags & PD_VERBOSE), gc));
 }
+/*
+ * packet_id + tls-crypt hmac
+ */
+if (flags & PD_TLS_CRYPT)
+{
+struct packet_id_net pin;
+uint8_t tls_crypt_hmac[TLS_CRYPT_TAG_SIZE];
+
+if (!packet_id_read(, , true))
+{
+goto done;
+}
+buf_printf(, " pid=%s", packet_id_net_print(, (flags & PD_VERBOSE), gc));
+if (!buf_read(, tls_crypt_hmac, TLS_CRYPT_TAG_SIZE))
+{
+goto done;
+}
+if (flags & PD_VERBOSE)
+{
+buf_printf(, " tls_crypt_hmac=%s", format_hex(tls_crypt_hmac, TLS_CRYPT_TAG_SIZE, 0, gc));
+}
+/*
+ * Remainder is encrypted and optional wKc
+ */
+goto done;
+}
 
 /*
  * ACK list
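Review bot: the PD_TLS_CRYPT block prints ` pid=` and then jumps to `done`, but the tls-auth branch directly above it has already printed a ` pid=` field, so if both PROTO_DUMP contributions were ever set at once the line would carry two pids and the second packet_id_read() would run on already-consumed bytes. If tls-auth and tls-crypt are mutually exclusive at option-parsing time, an `else if` (or a one-line comment saying so) documents that; if they are not, the two branches need to be ordered by wire layout. Separately, with PD_VERBOSE unset the tag is consumed by buf_read() and the dump simply ends; a fixed marker such as ` tls-crypt` before the final `goto done` would tell a reader why nothing follows (remainder encrypted) without reintroducing the ENCRYPTED placeholders the cover letter dropped. The first `goto done` after a failed packet_id_read() mirrors the tls-auth branch, so that part is consistent.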
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index 3c40fbed..e8427461 100644
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -525,6 +525,7 @@ tls_set_single_session(struct tls_multi *multi)
 #define PD_SHOW_DATA   (1<<8)
 #define PD_TLS (1<<9)
 #define PD_VERBOSE (1<<10)
+#define PD_TLS_CRYPT   (1<<11)
 
 const char *protocol_dump(struct buffer *buffer,
   unsigned int flags,
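Review bot: PD_TLS_CRYPT at (1<<11) follows PD_VERBOSE without leaving a gap, which is fine, but unlike PD_TLS or PD_VERBOSE its meaning is not clear from the name alone. A trailing comment on the define, for example `/* packet carries a tls-crypt pid and HMAC tag (set by PROTO_DUMP) */`, would save the next reader a trip to openvpn.h to see where the flag comes from.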
-- 
2.30.2

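To make the behaviour the cover letter describes concrete, here is a standalone dissector, written for this edit and not taken from Reynir's patch or from OpenVPN's sources, that pulls the same cleartext fields out of a tls-crypt control packet that the patched protocol_dump prints: the replay packet id always, the HMAC tag only in verbose mode, and nothing from the encrypted remainder (which is where any wKc would sit). The wire layout it assumes is not stated on the page and is an assumption here: one opcode byte (opcode in the high five bits, key id in the low three), an 8-byte session id, a long-form packet id (4-byte id then 4-byte timestamp, big-endian), a 32-byte tag, then the encrypted payload. All `ex_*` names and the sample packet are constructed for the example.

```c
/* Added example, not OpenVPN's code: dissect the cleartext header of a
 * tls-crypt control packet the way the patched protocol_dump reports it.
 * Assumed layout (not stated on the page): opcode byte (opcode = high 5
 * bits, key id = low 3), 8-byte session id, long-form packet id (4-byte
 * id then 4-byte time, big-endian), 32-byte HMAC tag, encrypted rest. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EX_SESSION_ID_SIZE 8
#define EX_PID_LONG_SIZE 8       /* assumed long-form packet id size */
#define EX_TLS_CRYPT_TAG_SIZE 32 /* assumed to equal TLS_CRYPT_TAG_SIZE */
#define EX_HDR_SIZE (1 + EX_SESSION_ID_SIZE + EX_PID_LONG_SIZE + EX_TLS_CRYPT_TAG_SIZE)

struct ex_tls_crypt_hdr {
    uint8_t opcode, key_id;
    uint8_t session_id[EX_SESSION_ID_SIZE];
    uint32_t pid_id, pid_time;          /* replay packet id and timestamp */
    uint8_t tag[EX_TLS_CRYPT_TAG_SIZE]; /* HMAC tag, printed only when verbose */
    size_t payload_len;                 /* encrypted remainder, incl. any wKc */
};

static uint32_t ex_rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 on success, -1 if the packet cannot hold pid + tag (the patch
 * silently does `goto done` there; the caller gets an explicit error here). */
int ex_parse_tls_crypt_hdr(const uint8_t *pkt, size_t len, struct ex_tls_crypt_hdr *h)
{
    if (!pkt || !h || len < EX_HDR_SIZE) { return -1; }
    const uint8_t *p = pkt;
    h->opcode = (uint8_t)(p[0] >> 3);
    h->key_id = (uint8_t)(p[0] & 0x07);
    memcpy(h->session_id, p + 1, EX_SESSION_ID_SIZE);
    p += 1 + EX_SESSION_ID_SIZE;
    h->pid_id = ex_rd_be32(p);
    h->pid_time = ex_rd_be32(p + 4);
    p += EX_PID_LONG_SIZE;
    memcpy(h->tag, p, EX_TLS_CRYPT_TAG_SIZE);
    p += EX_TLS_CRYPT_TAG_SIZE;
    h->payload_len = len - (size_t)(p - pkt); /* never printed, only measured */
    return 0;
}

/* Append s at offset n; returns the new offset, or -1 on truncation. */
static int ex_append(char *out, size_t outlen, int n, const char *s)
{
    if (n < 0 || (size_t)n >= outlen) { return -1; }
    int m = snprintf(out + n, outlen - (size_t)n, "%s", s);
    return (m < 0 || (size_t)m >= outlen - (size_t)n) ? -1 : n + m;
}

/* One-line summary in the spirit of protocol_dump. Returns chars written or -1. */
int ex_dump_tls_crypt(const uint8_t *pkt, size_t len, int verbose, char *out, size_t outlen)
{
    struct ex_tls_crypt_hdr h;
    char tmp[64];
    if (ex_parse_tls_crypt_hdr(pkt, len, &h) != 0) {
        snprintf(tmp, sizeof(tmp), "short tls-crypt packet (%lu bytes)", (unsigned long)len);
        return ex_append(out, outlen, 0, tmp);
    }
    snprintf(tmp, sizeof(tmp), "op=%u kid=%u pid=[ #%lu / %lu ]", (unsigned)h.opcode,
             (unsigned)h.key_id, (unsigned long)h.pid_id, (unsigned long)h.pid_time);
    int n = ex_append(out, outlen, 0, tmp);
    if (verbose) { /* the patch prints the tag only under PD_VERBOSE */
        n = ex_append(out, outlen, n, " tls_crypt_hmac=");
        for (size_t i = 0; i < EX_TLS_CRYPT_TAG_SIZE && n >= 0; i++) {
            snprintf(tmp, sizeof(tmp), "%02x", (unsigned)h.tag[i]);
            n = ex_append(out, outlen, n, tmp);
        }
    }
    snprintf(tmp, sizeof(tmp), " encrypted=%lu", (unsigned long)h.payload_len);
    return ex_append(out, outlen, n, tmp);
}

/* Constructed sample (not captured traffic): opcode 4 / key id 1, session id
 * 01..08, pid #7 at time 0x653A1234, a tag of 0xAA bytes, 5 encrypted bytes. */
size_t ex_build_sample(uint8_t *buf, size_t cap)
{
    static const uint8_t pid[EX_PID_LONG_SIZE] = {0, 0, 0, 7, 0x65, 0x3A, 0x12, 0x34};
    static const uint8_t tail[5] = {0xDE, 0xAD, 0xBE, 0xEF, 0x00};
    if (cap < EX_HDR_SIZE + sizeof(tail)) { return 0; }
    buf[0] = (uint8_t)((4 << 3) | 1);
    for (size_t i = 0; i < EX_SESSION_ID_SIZE; i++) { buf[1 + i] = (uint8_t)(i + 1); }
    memcpy(buf + 1 + EX_SESSION_ID_SIZE, pid, sizeof(pid));
    memset(buf + 1 + EX_SESSION_ID_SIZE + EX_PID_LONG_SIZE, 0xAA, EX_TLS_CRYPT_TAG_SIZE);
    memcpy(buf + EX_HDR_SIZE, tail, sizeof(tail));
    return EX_HDR_SIZE + sizeof(tail);
}

int main(void)
{
    uint8_t pkt[128]; char line[256];
    size_t len = ex_build_sample(pkt, sizeof(pkt));
    ex_dump_tls_crypt(pkt, len, 1, line, sizeof(line));
    return puts(line) < 0;
}
```

Run with verbose=0 the line stops after the pid, exactly the situation the review note about a `tls-crypt` marker is concerned with; with verbose=1 the 32-byte tag is hex-dumped as the patch does under PD_VERBOSE. A packet shorter than EX_HDR_SIZE is reported as short rather than silently truncated, which is the one place this example deliberately differs from the patch's `goto done`.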