From patchwork Mon Nov 20 10:08:19 2023
X-Patchwork-Submitter: "its_Giaan (Code Review)"
X-Patchwork-Id: 3450
From: "plaisthos (Code Review)"
Date: Mon, 20 Nov 2023 10:08:19 +0000
To: flichtenheld
Cc: openvpn-devel
Reply-To: arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com
Subject: [Openvpn-devel] [S] Change in openvpn[master]: protocol_dump: tls-crypt support
Message-ID: <239072d555cb45830e7e28000f6a95977c06c052-HTML@gerrit.openvpn.net>
X-Gerrit-MessageType: newchange
X-Gerrit-PatchSet: 1
X-Gerrit-Change-Id: Ie25aa287f3534090c1d93fc3bb69727dd20fc6fe
X-Gerrit-Change-Number: 442
X-Gerrit-Project: openvpn
X-Gerrit-Commit: 1db6506bca5a09497be1d8f2c073c60649249194
User-Agent: Gerrit/3.8.2

Attention is currently required from: flichtenheld.

Hello flichtenheld,

I'd like you to do a code review. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/442?usp=email

to review the following change.
Change subject: protocol_dump: tls-crypt support ...................................................................... protocol_dump: tls-crypt support Change-Id: Ie25aa287f3534090c1d93fc3bb69727dd20fc6fe --- M src/openvpn/openvpn.h M src/openvpn/ssl.c M src/openvpn/ssl.h 3 files changed, 29 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/42/442/1 diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index 5b2be63..dabc5be 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -541,7 +541,8 @@ #define PROTO_DUMP(buf, gc) protocol_dump((buf), \ PROTO_DUMP_FLAGS \ |(c->c2.tls_multi ? PD_TLS : 0) \ - |(c->options.tls_auth_file ? md_kt_size(c->c1.ks.key_type.digest) : 0), \ + |(c->options.tls_auth_file ? md_kt_size(c->c1.ks.key_type.digest) : 0) \ + |(c->options.tls_crypt_file || c->options.tls_crypt_v2_file ? PD_TLS_CRYPT : 0), \ gc) /* this represents "disabled peer-id" */ diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index b4cd8f5..400230c 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -4272,6 +4272,32 @@ } buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc)); } + /* + * packet_id + tls-crypt hmac + */ + if (flags & PD_TLS_CRYPT) + { + struct packet_id_net pin; + uint8_t tls_crypt_hmac[TLS_CRYPT_TAG_SIZE]; + + if (!packet_id_read(&pin, &buf, true)) + { + goto done; + } + buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc)); + if (!buf_read(&buf, tls_crypt_hmac, TLS_CRYPT_TAG_SIZE)) + { + goto done; + } + if (flags & PD_VERBOSE) + { + buf_printf(&out, " tls_crypt_hmac=%s", format_hex(tls_crypt_hmac, TLS_CRYPT_TAG_SIZE, 0, gc)); + } + /* + * Remainder is encrypted and optional wKc + */ + goto done; + } /* * ACK list diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 3c40fbe..e842746 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h 
@@ -525,6 +525,7 @@ #define PD_SHOW_DATA (1<<8) #define PD_TLS (1<<9) #define PD_VERBOSE (1<<10) +#define PD_TLS_CRYPT (1<<11) const char *protocol_dump(struct buffer *buffer, unsigned int flags,
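Review bot: In the src/openvpn/openvpn.h hunk, the added term `c->options.tls_crypt_file || c->options.tls_crypt_v2_file ? PD_TLS_CRYPT : 0` relies on `||` binding tighter than `?:`; it evaluates as intended, but the neighbouring terms of this macro parenthesize their conditions, so write it as `|((c->options.tls_crypt_file || c->options.tls_crypt_v2_file) ? PD_TLS_CRYPT : 0) \` for consistency and readability. Worth a one-line comment at the macro as well: the tls-auth term ORs a raw digest size from `md_kt_size()` into the low flag bits while `PD_TLS_CRYPT` is a single bit at `1<<11`, and the two ranges must stay disjoint for `protocol_dump()` to pick the right header layout.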
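Review bot: In the src/openvpn/ssl.c hunk, the new `if (flags & PD_TLS_CRYPT)` block follows the tls-auth block without an `else`, so a flags value carrying both a tls-auth HMAC size and `PD_TLS_CRYPT` would walk the header twice; if the option parser already guarantees tls-auth and tls-crypt are mutually exclusive, state that in the block comment, otherwise make this an `else if`. The `pid=` output is emitted before the tag read, so a truncated packet prints a pid and then quietly takes `goto done`; that mirrors the tls-auth branch and is acceptable, but the closing comment `Remainder is encrypted and optional wKc` should say explicitly that the ACK list and control payload sit inside the encrypted part, which is why the ACK-list parsing below is skipped with `goto done` rather than being an omission.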
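Review bot: In the src/openvpn/ssl.h hunk, `PD_TLS_CRYPT` is defined without a comment although it selects a different control-channel header walk in `protocol_dump()` (packet-id and tag directly after the session id, remainder opaque); add a short comment at the define so callers other than the `PROTO_DUMP` macro know what setting the bit implies, and note that it must not overlap the bits used for the tls-auth HMAC size.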