Add CONTROL_WKC_V1 definitions and improve packetdump of tls-crypt-v2

nikolalukovic · Nov 16, 2022 · 6bc1a7c · 6bc1a7c
1 parent 067e31e
commit 6bc1a7c
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 8 deletions.
diff --git a/openvpn/crypto/packet_id.hpp b/openvpn/crypto/packet_id.hpp
@@ -141,7 +141,7 @@ namespace openvpn {
     std::string str() const
     {
       std::ostringstream os;
-      os << "[" << time << "," << id << "]";
+      os << std::hex << "[0x" << time << ", 0x" << id << "]";
       return os.str();
     }
   };

diff --git a/openvpn/ssl/proto.hpp b/openvpn/ssl/proto.hpp
@@ -174,6 +174,7 @@ namespace openvpn {
       //CONTROL_HARD_RESET_SERVER_V1 = 2,   // (obsolete) initial key from server, forget previous state
       CONTROL_SOFT_RESET_V1 =        3,   // new key, graceful transition from old to new key
       CONTROL_V1 =                   4,   // control channel packet (usually TLS ciphertext)
+      CONTROL_WKC_V1 =               11,  // control channel packet with wrapped client key appended
       ACK_V1 =                       5,   // acknowledgement for packets received
       DATA_V1 =                      6,   // data channel packet with 1-byte header
       DATA_V2 =                      9,   // data channel packet with 4-byte header
@@ -1077,6 +1078,7 @@ namespace openvpn {
 		    break;
 		  }
 		case CONTROL_HARD_RESET_SERVER_V2:
+                case CONTROL_WKC_V1:
 		  {
 		    if (proto.is_server())
 		      return;
@@ -1127,6 +1129,8 @@ namespace openvpn {
 	  return "CONTROL_HARD_RESET_CLIENT_V3";
 	case CONTROL_HARD_RESET_SERVER_V2:
 	  return "CONTROL_HARD_RESET_SERVER_V2";
+        case CONTROL_WKC_V1:
+          return "CONTROL_WKC_V1";
 	}
       return nullptr;
     }
@@ -1166,17 +1170,15 @@ namespace openvpn {
 	      out << " SRC_PSID=" << src_psid.str();
 	    }
 
-	    if (tls_wrap_mode == TLS_CRYPT)
+	    if (tls_wrap_mode == TLS_CRYPT || tls_wrap_mode == TLS_CRYPT_V2)
 	      {
 		PacketID pid;
 		pid.read(b, PacketID::LONG_FORM);
 		out << " PID=" << pid.str();
 
 		const unsigned char *hmac = b.read_alloc(hmac_size);
 		out << " HMAC=" << render_hex(hmac, hmac_size);
-
-		// nothing else to print as the content is encrypted beyond this point
-		out << " TLS-CRYPT ENCRYPTED";
+                out << " TLS-CRYPT ENCRYPTED PAYLOAD=" << b.size() << " bytes";
 	      }
 	    else
 	      {
@@ -1209,9 +1211,9 @@ namespace openvpn {
 
 	        if (opcode != ACK_V1)
 	          out << " MSG_ID=" << ReliableAck::read_id(b);
-	      }
-	    if (opcode != ACK_V1)
-	      out << " SIZE=" << b.size() << '/' << orig_size;
+
+	        out << " SIZE=" << b.size() << '/' << orig_size;
+            }
 	  }
 #ifdef OPENVPN_DEBUG_PROTO_DUMP
 	out << '\n' << string::trim_crlf_copy(dump_hex(buf));