protocol_dump: tls-crypt support

Add support for tls-crypt packets in protocol_dump(). Currently, protocol_dump() will print garbage for tls-crypt packets. This patch makes protocol_dump print the clear text parts of the packet such as the auth tag and replay packet id. It does not try to print the wKc for HARD_RESET_CLIENT_V3 or CONTROL_WKC_V1 packets. It also intentionally does not print ENCRYPTED placeholders for ack list and DATA, to cut down on the noise. Signed-off-by: Reynir Björnsson <reynir@reynir.dk> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <8237adde-2523-9e48-5cd4-070463887dc1@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27310.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 227799b834)
2026-06-09 00:42:51 -04:00 · 2023-10-26 16:55:32 +02:00 · 2023-10-26 16:55:32 +02:00 · 0a39d1c1e2
commit 0a39d1c1e2
parent 3b0d9489cc
3 changed files with 29 additions and 1 deletions
--- a/src/openvpn/openvpn.h
+++ b/src/openvpn/openvpn.h
@ -541,7 +541,8 @@ struct context
 #define PROTO_DUMP(buf, gc) protocol_dump((buf), \
                                          PROTO_DUMP_FLAGS   \
                                          |(c->c2.tls_multi ? PD_TLS : 0)   \
-                                          |(c->options.tls_auth_file ? md_kt_size(c->c1.ks.key_type.digest) : 0), \
+                                          |(c->options.tls_auth_file ? md_kt_size(c->c1.ks.key_type.digest) : 0) \
+                                          |(c->options.tls_crypt_file || c->options.tls_crypt_v2_file ? PD_TLS_CRYPT : 0), \
                                          gc)

 /* this represents "disabled peer-id" */
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@ -4275,6 +4275,32 @@ protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
        }
        buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc));
    }
+    /*
+     * packet_id + tls-crypt hmac
+     */
+    if (flags & PD_TLS_CRYPT)
+    {
+        struct packet_id_net pin;
+        uint8_t tls_crypt_hmac[TLS_CRYPT_TAG_SIZE];
+
+        if (!packet_id_read(&pin, &buf, true))
+        {
+            goto done;
+        }
+        buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc));
+        if (!buf_read(&buf, tls_crypt_hmac, TLS_CRYPT_TAG_SIZE))
+        {
+            goto done;
+        }
+        if (flags & PD_VERBOSE)
+        {
+            buf_printf(&out, " tls_crypt_hmac=%s", format_hex(tls_crypt_hmac, TLS_CRYPT_TAG_SIZE, 0, gc));
+        }
+        /*
+         * Remainder is encrypted and optional wKc
+         */
+        goto done;
+    }

    /*
     * ACK list
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@ -525,6 +525,7 @@ tls_set_single_session(struct tls_multi *multi)
 #define PD_SHOW_DATA               (1<<8)
 #define PD_TLS                     (1<<9)
 #define PD_VERBOSE                 (1<<10)
+#define PD_TLS_CRYPT               (1<<11)

 const char *protocol_dump(struct buffer *buffer,
                          unsigned int flags,