From patchwork Mon Oct 30 09:58:27 2023
X-Patchwork-Submitter: Reynir
X-Patchwork-Id: 3410
Message-ID: <8237adde-2523-9e48-5cd4-070463887dc1@gmail.com>
Date: Mon, 30 Oct 2023 10:58:27 +0100
From: Reynir
To: openvpn-devel
Subject: [Openvpn-devel] [PATCH] protocol_dump: support tls-crypt
Dear list,

Please find attached a patch to add support for tls-crypt packets in protocol_dump. Currently, protocol_dump will print garbage for tls-crypt packets. This patch makes protocol_dump print the clear text parts of the packet such as the auth tag and replay packet id. It does not try to print the wKc for HARD_RESET_CLIENT_V3 or CONTROL_WKC_V1 packets.

A previous iteration, not submitted to the list, printed ENCRYPTED placeholders for ack list and DATA, but I decided to cut down on the noise instead.

This is my first patch submitted to openvpn so please bear with me.

Best,
Reynir Björnsson

Acked-By: Arne Schwabe

From 11926a6234b860a09965e5a074460abe4b4f6e71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?= Date: Thu, 26 Oct 2023 16:55:32 +0200 Subject: [PATCH] protocol_dump: tls-crypt support --- src/openvpn/openvpn.h | 3 ++- src/openvpn/ssl.c | 26 ++++++++++++++++++++++++++ src/openvpn/ssl.h | 1 + 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index 077effeb..0816360d 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -544,7 +544,8 @@ struct context #define PROTO_DUMP(buf, gc) protocol_dump((buf), \ PROTO_DUMP_FLAGS \ |(c->c2.tls_multi ? PD_TLS : 0) \ - |(c->options.tls_auth_file ? md_kt_size(c->c1.ks.key_type.digest) : 0), \ + |(c->options.tls_auth_file ? md_kt_size(c->c1.ks.key_type.digest) : 0) \ + |(c->options.tls_crypt_file || c->options.tls_crypt_v2_file ? PD_TLS_CRYPT : 0), \ gc) /* this represents "disabled peer-id" */ diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 5e6205cc..8bd3cb00 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c
@@ -4202,6 +4202,32 @@ protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc) } buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc)); } + /* + * packet_id + tls-crypt hmac + */ + if (flags & PD_TLS_CRYPT) + { + struct packet_id_net pin; + uint8_t tls_crypt_hmac[TLS_CRYPT_TAG_SIZE]; + + if (!packet_id_read(&pin, &buf, true)) + { + goto done; + } + buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc)); + if (!buf_read(&buf, tls_crypt_hmac, TLS_CRYPT_TAG_SIZE)) + { + goto done; + } + if (flags & PD_VERBOSE) + { + buf_printf(&out, " tls_crypt_hmac=%s", format_hex(tls_crypt_hmac, TLS_CRYPT_TAG_SIZE, 0, gc)); + } + /* + * Remainder is encrypted and optional wKc + */ + goto done; + } /* * ACK list diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 3c40fbed..e8427461 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -525,6 +525,7 @@ tls_set_single_session(struct tls_multi *multi) #define PD_SHOW_DATA (1<<8) #define PD_TLS (1<<9) #define PD_VERBOSE (1<<10) +#define PD_TLS_CRYPT (1<<11) const char *protocol_dump(struct buffer *buffer, unsigned int flags, -- 2.30.2
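Review bot: in the openvpn.h hunk, the new PROTO_DUMP term `c->options.tls_crypt_file || c->options.tls_crypt_v2_file ? PD_TLS_CRYPT : 0` parses as intended only because `||` binds tighter than `?:`; wrapping the `||` expression in its own parentheses would match the style of the neighbouring `(c->c2.tls_multi ? PD_TLS : 0)` line and save the next reader a second look. It is also worth a comment that this bit is OR'ed into the same word whose low bits carry the tls-auth HMAC size from `md_kt_size()`, since that is what constrains where a new PD_ flag may live.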
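Review bot: the ssl.c hunk uses `TLS_CRYPT_TAG_SIZE` without adding an include, so protocol_dump now depends on tls_crypt.h already being visible in ssl.c; please confirm that rather than relying on a transitive include. The `buf_printf(&out, " pid=%s", ...)` line is a verbatim copy of the one in the tls-auth branch immediately above; a small shared helper would keep the two renderings in step. Finally, the unconditional `goto done` after `Remainder is encrypted and optional wKc` discards the remaining length silently; printing `BLEN(&buf)` there (for example as ` encrypted=%d`) would let a reader tell a HARD_RESET_CLIENT_V3 carrying a wKc from a plain control packet without decrypting anything.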
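Review bot: the ssl.h hunk's `PD_TLS_CRYPT (1<<11)` follows the existing layout in which PD_* bits start at `1<<8`, but nothing near the defines explains why; a one-line comment above the block stating that the low byte of the flags word carries the tls-auth HMAC size would stop a future flag from being placed in the size field.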
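As an added illustration of what the patched protocol_dump prints for a tls-crypt packet (this is example code, not part of the patch or of OpenVPN), the Python below parses only the clear-text envelope and stops at the tag, never interpreting the encrypted remainder or a trailing wKc. The wire layout, the 32-byte tag size and the opcode values are assumptions taken from my reading of tls-crypt's design and OpenVPN's ssl_pkt.h, and the sample packet is constructed, not captured.

```python
import struct
from dataclasses import dataclass
# Assumed tls-crypt wire layout (from the tls-crypt design, not taken from the patch):
# opcode<<3|key_id (1 byte), session id (8), packet id (4-byte id + 4-byte net time,
# big-endian), HMAC-SHA256 tag (32), then encrypted data (optionally ending in a wKc).
TLS_CRYPT_TAG_SIZE = 32
SESSION_ID_SIZE = 8
HEADER_SIZE = 1 + SESSION_ID_SIZE + 8 + TLS_CRYPT_TAG_SIZE  # 8 = long-form packet id
# Control-channel opcodes (values as in OpenVPN's ssl_pkt.h); data opcodes 6/9 are not wrapped.
OPCODE_NAMES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1", 2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2", 8: "P_CONTROL_HARD_RESET_SERVER_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3", 11: "P_CONTROL_WKC_V1",
}

@dataclass
class TlsCryptHeader:
    opcode: str
    key_id: int
    session_id: str     # hex
    packet_id: int
    net_time: int
    tag_hex: str
    encrypted_len: int  # bytes after the tag; never interpreted

def parse_tls_crypt_header(pkt: bytes) -> TlsCryptHeader:
    """Parse the clear-text envelope only; a short packet fails, like protocol_dump's 'goto done'."""
    if len(pkt) < HEADER_SIZE:
        raise ValueError(f"truncated tls-crypt packet: {len(pkt)} < {HEADER_SIZE} bytes")
    name = OPCODE_NAMES.get(pkt[0] >> 3)
    if name is None:
        raise ValueError(f"opcode {pkt[0] >> 3} is not a tls-crypt control opcode")
    sid = pkt[1:1 + SESSION_ID_SIZE].hex()
    pid, net_time = struct.unpack_from("!II", pkt, 1 + SESSION_ID_SIZE)
    tag = pkt[HEADER_SIZE - TLS_CRYPT_TAG_SIZE:HEADER_SIZE].hex()
    return TlsCryptHeader(name, pkt[0] & 0x7, sid, pid, net_time, tag, len(pkt) - HEADER_SIZE)

def dump_line(hdr: TlsCryptHeader, verbose: bool = False) -> str:
    """One-line rendering in the spirit of protocol_dump; the tag is shown only when verbose."""
    line = f"{hdr.opcode} kid={hdr.key_id} sid={hdr.session_id} pid=[#{hdr.packet_id} / time={hdr.net_time}]"
    if verbose:
        line += f" tls_crypt_hmac={hdr.tag_hex}"
    return line + f" encrypted={hdr.encrypted_len}B"

def build_sample_packet() -> bytes:
    """Constructed sample (not a capture): P_CONTROL_V1, key id 0, pid #1, 16 ciphertext bytes."""
    return (bytes([4 << 3 | 0]) + bytes.fromhex("0102030405060708")
            + struct.pack("!II", 1, 1698659907) + b"\xaa" * TLS_CRYPT_TAG_SIZE + bytes(range(16)))
```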