/src/wireshark/epan/dissectors/packet-openvpn.c
Line | Count | Source |
1 | | /* packet-openvpn.c |
2 | | * routines for openvpn packet disassembly |
3 | | * - http://www.openvpn.net |
4 | | * - http://fengnet.com/book/vpns%20illustrated%20tunnels%20%20vpnsand%20ipsec/ch08lev1sec5.html |
5 | | * |
6 | | * Created as part of a semester project at the University of Applied Sciences Hagenberg |
7 | | * (http://www.fh-ooe.at/en/hagenberg-campus/) |
8 | | * |
9 | | * Copyright (c) 2013: |
10 | | * Hofer Manuel (manuel@mnlhfr.at) |
11 | | * Nemeth Franz |
12 | | * Scheipner Alexander |
13 | | * Stiftinger Thomas |
14 | | * Werner Sebastian |
15 | | * |
16 | | * SPDX-License-Identifier: GPL-2.0-or-later |
17 | | */ |
18 | | |
19 | | #include "config.h" |
20 | | |
21 | | #include <epan/packet.h> |
22 | | #include <epan/prefs.h> |
23 | | #include <epan/reassemble.h> |
24 | | #include <epan/conversation.h> |
25 | | #include "packet-tcp.h" |
26 | | |
27 | | void proto_register_openvpn(void); |
28 | | void proto_reg_handoff_openvpn(void); |
29 | | |
30 | 30 | #define OPENVPN_PORT 1194 |
31 | | |
32 | | /* packet opcode and key-id are combined in one byte */ |
33 | 15 | #define P_OPCODE_MASK 0xF8 /* packet opcode (high 5 bits) */ |
34 | 15 | #define P_KEY_ID_MASK 0x07 /* key-id (low 3 bits) */ |
35 | | #define HMAC_KEY_LENGTH_MAX 64 /* 512 Bit HMAC is maximum */ |
36 | | |
37 | | /* Opcodes */ |
38 | | #define P_CONTROL_HARD_RESET_CLIENT_V1 1 |
39 | | #define P_CONTROL_HARD_RESET_SERVER_V1 2 |
40 | | #define P_CONTROL_SOFT_RESET_V1 3 |
41 | 498 | #define P_CONTROL_V1 4 |
42 | 252 | #define P_ACK_V1 5 |
43 | 608 | #define P_DATA_V1 6 |
44 | | #define P_CONTROL_HARD_RESET_CLIENT_V2 7 |
45 | | #define P_CONTROL_HARD_RESET_SERVER_V2 8 |
46 | 501 | #define P_DATA_V2 9 |
47 | 1.24k | #define P_CONTROL_HARD_RESET_CLIENT_V3 10 |
48 | 295 | #define P_CONTROL_WKC_V1 11 |
49 | | |
50 | | static int ett_openvpn; |
51 | | static int ett_openvpn_data; |
52 | | static int ett_openvpn_packetarray; |
53 | | static int ett_openvpn_type; |
54 | | static int ett_openvpn_wkc; |
55 | | static int hf_openvpn_data; |
56 | | static int hf_openvpn_wkc_data; |
57 | | static int hf_openvpn_wkc_length; |
58 | | static int hf_openvpn_fragment_bytes; |
59 | | static int hf_openvpn_hmac; |
60 | | static int hf_openvpn_keyid; |
61 | | static int hf_openvpn_mpid; |
62 | | static int hf_openvpn_mpid_arrayelement; |
63 | | static int hf_openvpn_mpid_arraylength; |
64 | | static int hf_openvpn_net_time; |
65 | | static int hf_openvpn_opcode; |
66 | | static int hf_openvpn_pdu_type; |
67 | | static int hf_openvpn_pid; |
68 | | static int hf_openvpn_plen; |
69 | | static int hf_openvpn_rsessionid; |
70 | | static int hf_openvpn_sessionid; |
71 | | static int hf_openvpn_peerid; |
72 | | static int proto_openvpn; |
73 | | |
74 | | static dissector_handle_t openvpn_udp_handle; |
75 | | static dissector_handle_t openvpn_tcp_handle; |
76 | | |
77 | | static dissector_handle_t tls_handle; |
78 | | |
79 | | /* Preferences */ |
80 | | static bool pref_long_format = true; |
81 | | static bool pref_tls_auth; |
82 | | static bool pref_tls_auth_override; |
83 | | static bool pref_tls_crypt_override; |
84 | | static unsigned tls_auth_hmac_size = 20; /* Default SHA-1 160 Bits */ |
85 | | |
86 | | static const value_string openvpn_message_types[] = |
87 | | { |
88 | | { P_CONTROL_HARD_RESET_CLIENT_V1, "P_CONTROL_HARD_RESET_CLIENT_V1" }, |
89 | | { P_CONTROL_HARD_RESET_SERVER_V1, "P_CONTROL_HARD_RESET_SERVER_V1" }, |
90 | | { P_CONTROL_SOFT_RESET_V1, "P_CONTROL_SOFT_RESET_V1" }, |
91 | | { P_CONTROL_V1, "P_CONTROL_V1" }, |
92 | | { P_ACK_V1, "P_ACK_V1" }, |
93 | | { P_DATA_V1, "P_DATA_V1" }, |
94 | | { P_CONTROL_HARD_RESET_CLIENT_V2, "P_CONTROL_HARD_RESET_CLIENT_V2" }, |
95 | | { P_CONTROL_HARD_RESET_SERVER_V2, "P_CONTROL_HARD_RESET_SERVER_V2" }, |
96 | | { P_DATA_V2, "P_DATA_V2" }, |
97 | | { P_CONTROL_HARD_RESET_CLIENT_V3, "P_CONTROL_HARD_RESET_CLIENT_V3" }, |
98 | | { P_CONTROL_WKC_V1, "P_CONTROL_WKC_V1" }, |
99 | | { 0, NULL } |
100 | | }; |
101 | | |
102 | | /* everything used during the reassembly process */ |
103 | | static reassembly_table msg_reassembly_table; |
104 | | |
105 | | static int ett_openvpn_fragment; |
106 | | static int ett_openvpn_fragments; |
107 | | static int hf_openvpn_fragment; |
108 | | static int hf_openvpn_fragment_count; |
109 | | static int hf_openvpn_fragment_error; |
110 | | static int hf_openvpn_fragment_multiple_tails; |
111 | | static int hf_openvpn_fragment_overlap; |
112 | | static int hf_openvpn_fragment_overlap_conflicts; |
113 | | static int hf_openvpn_fragment_too_long_fragment; |
114 | | static int hf_openvpn_fragments; |
115 | | static int hf_openvpn_reassembled_in; |
116 | | static int hf_openvpn_reassembled_length; |
117 | | |
118 | | static const fragment_items openvpn_frag_items = { |
119 | | /* Fragment subtrees */ |
120 | | &ett_openvpn_fragment, |
121 | | &ett_openvpn_fragments, |
122 | | /* Fragment fields */ |
123 | | &hf_openvpn_fragments, |
124 | | &hf_openvpn_fragment, |
125 | | &hf_openvpn_fragment_overlap, |
126 | | &hf_openvpn_fragment_overlap_conflicts, |
127 | | &hf_openvpn_fragment_multiple_tails, |
128 | | &hf_openvpn_fragment_too_long_fragment, |
129 | | &hf_openvpn_fragment_error, |
130 | | &hf_openvpn_fragment_count, |
131 | | /* Reassembled in field */ |
132 | | &hf_openvpn_reassembled_in, |
133 | | /* Reassembled length field */ |
134 | | &hf_openvpn_reassembled_length, |
135 | | /* Reassembled data field */ |
136 | | NULL, |
137 | | /* Tag */ |
138 | | "Message fragments" |
139 | | }; |
140 | | |
141 | | /* we check the leading 4 byte of a suspected hmac for 0x00 bytes, |
142 | | if more than 1 byte out of the 4 provided contains 0x00, the |
143 | | hmac is considered not valid, which suggests that no tls auth is used. |
144 | | unfortunately there is no other way to detect tls auth on the fly */ |
145 | | static bool |
146 | | check_for_valid_hmac(uint32_t hmac) |
147 | 87 | { |
148 | 87 | int c = 0; |
149 | 87 | if ((hmac & 0x000000FF) == 0x00000000) { |
150 | 16 | c++; |
151 | 16 | } |
152 | 87 | if ((hmac & 0x0000FF00) == 0x00000000) { |
153 | 15 | c++; |
154 | 15 | } |
155 | 87 | if ((hmac & 0x00FF0000) == 0x00000000) { |
156 | 18 | c++; |
157 | 18 | } |
158 | 87 | if ((hmac & 0xFF000000) == 0x00000000) { |
159 | 0 | c++; |
160 | 0 | } |
161 | 87 | if (c > 1) { |
162 | 11 | return false; |
163 | 76 | } else { |
164 | 76 | return true; |
165 | 76 | } |
166 | 87 | } |
167 | | |
168 | | static int |
169 | | dissect_openvpn_msg_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *openvpn_tree, proto_tree *parent_tree, int offset) |
170 | 501 | { |
171 | 501 | bool tls_auth; |
172 | 501 | bool tls_crypt = false; |
173 | 501 | unsigned openvpn_keyid; |
174 | 501 | unsigned openvpn_opcode; |
175 | 501 | char *openvpn_message_type; |
176 | 501 | uint32_t msg_sessionid = -1; |
177 | 501 | uint8_t openvpn_predict_tlsauth_arraylength; |
178 | 501 | proto_item *ti2; |
179 | 501 | proto_tree *packetarray_tree, *type_tree; |
180 | 501 | uint32_t msg_length_remaining; |
181 | 501 | int wkc_offset = -1; |
182 | | |
183 | | /* Clear out stuff in the info column */ |
184 | 501 | col_set_str(pinfo->cinfo, COL_PROTOCOL, "OpenVPN"); |
185 | 501 | col_clear(pinfo->cinfo,COL_INFO); |
186 | | |
187 | | /* read opcode and write to info column */ |
188 | 501 | openvpn_opcode = tvb_get_bits8(tvb, offset*8, 5); |
189 | 501 | openvpn_message_type = val_to_str(pinfo->pool, openvpn_opcode, openvpn_message_types, "Unknown (0x%02x)"); |
190 | | |
191 | 501 | col_append_fstr(pinfo->cinfo, COL_INFO, "MessageType: %s", openvpn_message_type); |
192 | | |
193 | 501 | openvpn_keyid = tvb_get_bits8(tvb, offset*8 + 5, 3); |
194 | 501 | proto_item_append_text(openvpn_tree, ", Opcode: %s, Key ID: %d", openvpn_message_type, openvpn_keyid); |
195 | | |
196 | 501 | ti2 = proto_tree_add_item(openvpn_tree, hf_openvpn_pdu_type, tvb, offset, 1, ENC_BIG_ENDIAN); |
197 | 501 | proto_item_append_text(ti2, " [opcode/key_id]"); |
198 | | |
199 | 501 | type_tree = proto_item_add_subtree(ti2, ett_openvpn_type); |
200 | 501 | proto_tree_add_item(type_tree, hf_openvpn_opcode, tvb, offset, 1, ENC_BIG_ENDIAN); |
201 | 501 | proto_tree_add_item(type_tree, hf_openvpn_keyid, tvb, offset, 1, ENC_BIG_ENDIAN); |
202 | 501 | offset += 1; |
203 | | |
204 | 501 | if (openvpn_opcode == P_DATA_V2) { |
205 | 0 | proto_tree_add_item(openvpn_tree, hf_openvpn_peerid, tvb, offset, 3, ENC_BIG_ENDIAN); |
206 | 0 | offset += 3; |
207 | 501 | } else if (openvpn_opcode != P_DATA_V1) { |
208 | | /* if we have a P_CONTROL or P_ACK packet */ |
209 | | |
210 | | /* read sessionid */ |
211 | 126 | msg_sessionid = tvb_get_bits32(tvb, offset*8+32, 32, ENC_BIG_ENDIAN); |
212 | 126 | proto_tree_add_item(openvpn_tree, hf_openvpn_sessionid, tvb, offset, 8, ENC_BIG_ENDIAN); |
213 | 126 | offset += 8; |
214 | | |
215 | | /* tls-auth detection (this can be overridden by preferences */ |
216 | 126 | openvpn_predict_tlsauth_arraylength = tvb_get_uint8(tvb, offset); |
217 | | |
218 | | /* if the first 4 bytes that would, if tls-auth is used, contain part of the hmac, |
219 | | lack entropy, we assume no tls-auth is used */ |
220 | 126 | if (pref_tls_auth_override == false) { |
221 | 107 | if ((openvpn_opcode != P_DATA_V1) |
222 | 107 | && (openvpn_predict_tlsauth_arraylength > 0) |
223 | 88 | && check_for_valid_hmac(tvb_get_ntohl(tvb, offset))) { |
224 | 76 | tls_auth = true; |
225 | 76 | } else { |
226 | 31 | tls_auth = false; |
227 | 31 | } |
228 | 107 | } else { |
229 | 19 | tls_auth = pref_tls_auth; |
230 | 19 | } |
231 | | |
232 | 126 | if (openvpn_opcode == P_CONTROL_HARD_RESET_CLIENT_V3 || openvpn_opcode == P_CONTROL_WKC_V1 || pref_tls_crypt_override == true) { |
233 | | /* these opcodes are always tls-crypt*/ |
234 | 9 | tls_crypt = true; |
235 | 9 | tls_auth = false; |
236 | 9 | } |
237 | | |
238 | 126 | if (tls_auth == true) { |
239 | 70 | proto_tree_add_item(openvpn_tree, hf_openvpn_hmac, tvb, offset, tls_auth_hmac_size, ENC_NA); |
240 | 70 | offset += tls_auth_hmac_size; |
241 | 70 | } |
242 | | |
243 | 126 | if (tls_auth == true || tls_crypt == true) { |
244 | 78 | if (tvb_reported_length_remaining(tvb, offset) >= 8) { |
245 | 34 | proto_tree_add_item(openvpn_tree, hf_openvpn_pid, tvb, offset, 4, ENC_BIG_ENDIAN); |
246 | 34 | offset += 4; |
247 | | |
248 | 34 | if (pref_long_format || tls_crypt == true) { |
249 | 33 | proto_tree_add_item(openvpn_tree, hf_openvpn_net_time, tvb, offset, 4, ENC_BIG_ENDIAN); |
250 | 33 | offset += 4; |
251 | 33 | } |
252 | 34 | } |
253 | 78 | if (tls_crypt == true) { |
254 | | /* tls-crypt uses HMAC-SHA256 */ |
255 | 9 | proto_tree_add_item(openvpn_tree, hf_openvpn_hmac, tvb, offset, 32, ENC_NA); |
256 | 9 | offset += 32; |
257 | 9 | } |
258 | 78 | } |
259 | | |
260 | 126 | if (tvb_reported_length_remaining(tvb, offset) >= 1 && tls_crypt == false) { |
261 | | /* read P_ACK packet-id array length */ |
262 | 94 | int pid_arraylength = tvb_get_uint8(tvb, offset); |
263 | 94 | int i; |
264 | 94 | proto_tree_add_item(openvpn_tree, hf_openvpn_mpid_arraylength, tvb, offset, 1, ENC_BIG_ENDIAN); |
265 | 94 | offset += 1; |
266 | | |
267 | 94 | if (pid_arraylength > 0) { |
268 | | |
269 | 38 | packetarray_tree = proto_tree_add_subtree(openvpn_tree, tvb, offset, 0, ett_openvpn_packetarray, NULL, "Packet-ID Array"); |
270 | 357 | for (i = 0; i < pid_arraylength; i++) { |
271 | 319 | proto_tree_add_item(packetarray_tree, hf_openvpn_mpid_arrayelement, tvb, offset, 4, ENC_BIG_ENDIAN); |
272 | 319 | offset += 4; |
273 | 319 | } |
274 | | |
275 | 38 | if (tvb_reported_length_remaining(tvb, offset) >= 8) { |
276 | 8 | proto_tree_add_item(openvpn_tree, hf_openvpn_rsessionid, tvb, offset, 8, ENC_BIG_ENDIAN); |
277 | 8 | offset += 8; |
278 | 8 | } |
279 | 38 | } |
280 | 94 | } |
281 | | |
282 | | /* if we have a P_CONTROL packet */ |
283 | 126 | if (openvpn_opcode != P_ACK_V1 && tls_crypt == false) { |
284 | | /* read Message Packet-ID */ |
285 | 65 | if (tvb_reported_length_remaining(tvb, offset) >= 4) { |
286 | 54 | proto_tree_add_item(openvpn_tree, hf_openvpn_mpid, tvb, offset, 4, ENC_BIG_ENDIAN); |
287 | 54 | offset += 4; |
288 | 54 | } |
289 | 65 | } |
290 | 126 | } |
291 | | |
292 | | /* if we have more data left, determine what to do */ |
293 | 501 | msg_length_remaining = tvb_reported_length_remaining(tvb, offset); |
294 | | |
295 | 501 | if (msg_length_remaining == 0) { |
296 | 3 | return tvb_captured_length(tvb); |
297 | 3 | } |
298 | | |
299 | 498 | int data_len = msg_length_remaining; |
300 | 498 | int wkc_len = -1; |
301 | 498 | if ((openvpn_opcode == P_CONTROL_HARD_RESET_CLIENT_V3 || openvpn_opcode == P_CONTROL_WKC_V1) |
302 | 7 | && msg_length_remaining >= 2) { |
303 | | |
304 | 6 | wkc_len = tvb_get_ntohs(tvb, tvb_reported_length(tvb) - 2); |
305 | 6 | data_len = msg_length_remaining - wkc_len; |
306 | 6 | } |
307 | | |
308 | 498 | if (openvpn_opcode != P_CONTROL_V1) { |
309 | 31 | proto_tree *data_tree; |
310 | 31 | data_tree = proto_tree_add_subtree_format(openvpn_tree, tvb, offset, data_len, |
311 | 31 | ett_openvpn_data, NULL, "Data (%d bytes)", |
312 | 31 | data_len); |
313 | | |
314 | 31 | proto_tree_add_item(data_tree, hf_openvpn_data, tvb, offset, data_len, ENC_NA); |
315 | | |
316 | 31 | if (wkc_len > 0) |
317 | 1 | { |
318 | 1 | proto_tree *wkc_tree; |
319 | 1 | wkc_offset = tvb_reported_length(tvb) - wkc_len; |
320 | | |
321 | 1 | wkc_tree = proto_tree_add_subtree_format(openvpn_tree, tvb, wkc_offset, wkc_len, |
322 | 1 | ett_openvpn_wkc, NULL, "Wrapped client key (%d bytes)", |
323 | 1 | tvb_reported_length_remaining(tvb, wkc_offset)); |
324 | | |
325 | 1 | proto_tree_add_item(wkc_tree, hf_openvpn_wkc_data, tvb, wkc_offset, wkc_len - 2, ENC_NA); |
326 | 1 | proto_tree_add_item(wkc_tree, hf_openvpn_wkc_length, tvb, tvb_reported_length(tvb) - 2, 2, ENC_BIG_ENDIAN); |
327 | 1 | } |
328 | | |
329 | 31 | return tvb_captured_length(tvb); |
330 | 31 | } |
331 | | |
332 | | /* Control message, possibly fragmented, carrying TLS. Try to reassemble. */ |
333 | | |
334 | 467 | streaming_reassembly_info_t *streaming_reassembly_info = NULL; |
335 | | |
336 | 467 | conversation_t *conv = find_or_create_conversation_by_id(pinfo, CONVERSATION_OPENVPN, msg_sessionid); |
337 | 467 | streaming_reassembly_info = conversation_get_proto_data(conv, proto_openvpn); |
338 | 467 | if (!streaming_reassembly_info) { |
339 | 15 | streaming_reassembly_info = streaming_reassembly_info_new(); |
340 | 15 | conversation_add_proto_data(conv, proto_openvpn, streaming_reassembly_info); |
341 | 15 | } |
342 | | |
343 | 467 | reassemble_streaming_data_and_call_subdissector(tvb, pinfo, offset, |
344 | 467 | msg_length_remaining, openvpn_tree, parent_tree, msg_reassembly_table, |
345 | 467 | streaming_reassembly_info, get_virtual_frame_num64(tvb, pinfo, offset), |
346 | 467 | tls_handle, parent_tree, NULL /* should it be tcpinfo if we have it? */, "OpenVPN Message", |
347 | 467 | &openvpn_frag_items, hf_openvpn_fragment_bytes); |
348 | | |
349 | 467 | return tvb_captured_length(tvb); |
350 | 498 | } |
351 | | |
352 | | static unsigned |
353 | | get_msg_length(packet_info *pinfo _U_, tvbuff_t *tvb, int offset, void *data _U_) |
354 | 483 | { |
355 | 483 | return (unsigned)tvb_get_ntohs(tvb, offset) + 2; /* length field is at offset 0, |
356 | | +2 to account for the length field itself */ |
357 | 483 | } |
358 | | |
359 | | static int |
360 | | dissect_openvpn_msg_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) |
361 | 478 | { |
362 | 478 | proto_item *ti; |
363 | 478 | proto_tree *openvpn_tree; |
364 | | |
365 | 478 | ti = proto_tree_add_item(tree, proto_openvpn, tvb, 0, -1, ENC_NA); |
366 | 478 | openvpn_tree = proto_item_add_subtree(ti, ett_openvpn); |
367 | | |
368 | 478 | proto_tree_add_item(openvpn_tree, hf_openvpn_plen, tvb, 0, 2, ENC_BIG_ENDIAN); |
369 | | |
370 | 478 | return dissect_openvpn_msg_common(tvb, pinfo, openvpn_tree, tree, 2); |
371 | 478 | } |
372 | | |
373 | | static int |
374 | | dissect_openvpn_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data) |
375 | 30 | { |
376 | 30 | tcp_dissect_pdus( tvb, pinfo, tree, |
377 | 30 | true, /* should data be reassembled? */ |
378 | 30 | 2, /* how much bytes do we need for get_msg_length to be successful, |
379 | | since the length is the first thing in an openvpn packet we choose 2 */ |
380 | 30 | get_msg_length, /* fptr for function to get the packetlength of current frame */ |
381 | 30 | dissect_openvpn_msg_tcp, data); |
382 | 30 | return tvb_captured_length(tvb); |
383 | 30 | } |
384 | | |
385 | | static int |
386 | | dissect_openvpn_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) |
387 | 23 | { |
388 | 23 | proto_item *ti; |
389 | 23 | proto_tree *openvpn_tree; |
390 | | |
391 | 23 | ti = proto_tree_add_item(tree, proto_openvpn, tvb, 0, -1, ENC_NA); |
392 | 23 | openvpn_tree = proto_item_add_subtree(ti, ett_openvpn); |
393 | | |
394 | 23 | return dissect_openvpn_msg_common(tvb, pinfo, openvpn_tree, tree, 0); |
395 | 23 | } |
396 | | |
397 | | void |
398 | | proto_register_openvpn(void) |
399 | 15 | { |
400 | 15 | static hf_register_info hf[] = { |
401 | 15 | { &hf_openvpn_plen, |
402 | 15 | { "Packet Length", "openvpn.plen", |
403 | 15 | FT_UINT16, BASE_DEC, |
404 | 15 | NULL, 0x0, |
405 | 15 | NULL, HFILL } |
406 | 15 | }, |
407 | 15 | { &hf_openvpn_pdu_type, |
408 | 15 | { "Type", "openvpn.type", |
409 | 15 | FT_UINT8, BASE_HEX, |
410 | 15 | NULL, 0x0, |
411 | 15 | NULL, HFILL } |
412 | 15 | }, |
413 | 15 | { &hf_openvpn_opcode, |
414 | 15 | { "Opcode", "openvpn.opcode", |
415 | 15 | FT_UINT8, BASE_HEX, |
416 | 15 | VALS(openvpn_message_types), P_OPCODE_MASK, |
417 | 15 | NULL, HFILL } |
418 | 15 | }, |
419 | 15 | { &hf_openvpn_keyid, |
420 | 15 | { "Key ID", "openvpn.keyid", |
421 | 15 | FT_UINT8, BASE_DEC, |
422 | 15 | NULL, P_KEY_ID_MASK, |
423 | 15 | NULL, HFILL } |
424 | 15 | }, |
425 | 15 | { &hf_openvpn_peerid, |
426 | 15 | { "Peer ID", "openvpn.peerid", |
427 | 15 | FT_UINT24, BASE_DEC, |
428 | 15 | NULL, 0x0, |
429 | 15 | NULL, HFILL } |
430 | 15 | }, |
431 | 15 | { &hf_openvpn_sessionid, |
432 | 15 | { "Session ID", "openvpn.sessionid", |
433 | 15 | FT_UINT64, BASE_DEC, |
434 | 15 | NULL, 0x0, |
435 | 15 | NULL, HFILL } |
436 | 15 | }, |
437 | 15 | { &hf_openvpn_hmac, |
438 | 15 | { "HMAC", "openvpn.hmac", |
439 | 15 | FT_BYTES, BASE_NONE, |
440 | 15 | NULL, 0x0, |
441 | 15 | NULL, HFILL } |
442 | 15 | }, |
443 | 15 | { &hf_openvpn_pid, |
444 | 15 | { "Replay-Packet-ID", "openvpn.pid", |
445 | 15 | FT_UINT32, BASE_DEC, |
446 | 15 | NULL, 0x0, |
447 | 15 | NULL, HFILL } |
448 | 15 | }, |
449 | 15 | { &hf_openvpn_net_time, |
450 | 15 | { "Net Time", "openvpn.net_time", |
451 | 15 | FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, |
452 | 15 | NULL, 0x0, |
453 | 15 | NULL, HFILL } |
454 | 15 | }, |
455 | 15 | { &hf_openvpn_rsessionid, |
456 | 15 | { "Remote Session ID", "openvpn.rsessionid", |
457 | 15 | FT_UINT64, BASE_DEC, |
458 | 15 | NULL, 0x0, |
459 | 15 | NULL, HFILL } |
460 | 15 | }, |
461 | 15 | { &hf_openvpn_mpid, |
462 | 15 | { "Message Packet-ID", "openvpn.mpid", |
463 | 15 | FT_UINT32, BASE_DEC, |
464 | 15 | NULL, 0x0, |
465 | 15 | NULL, HFILL } |
466 | 15 | }, |
467 | 15 | { &hf_openvpn_mpid_arraylength, |
468 | 15 | { "Message Packet-ID Array Length", "openvpn.mpidarraylength", |
469 | 15 | FT_UINT8, BASE_DEC, |
470 | 15 | NULL, 0x0, |
471 | 15 | NULL, HFILL } |
472 | 15 | }, |
473 | 15 | { &hf_openvpn_mpid_arrayelement, |
474 | 15 | { "Message Packet-ID Array Element", "openvpn.mpidarrayelement", |
475 | 15 | FT_UINT32, BASE_DEC, |
476 | 15 | NULL, 0x0, |
477 | 15 | NULL, HFILL } |
478 | 15 | }, |
479 | 15 | { &hf_openvpn_data, |
480 | 15 | { "Data", "openvpn.data", |
481 | 15 | FT_BYTES, BASE_NONE, |
482 | 15 | NULL, 0x0, |
483 | 15 | NULL, HFILL } |
484 | 15 | }, |
485 | 15 | { &hf_openvpn_wkc_data, |
486 | 15 | { "Wrapped client key", "openvpn.wkc", |
487 | 15 | FT_BYTES, BASE_NONE, |
488 | 15 | NULL, 0x0, |
489 | 15 | NULL, HFILL } |
490 | 15 | }, |
491 | 15 | { &hf_openvpn_wkc_length, |
492 | 15 | { "Wrapped client key length", "openvpn.wkc_len", |
493 | 15 | FT_UINT16, BASE_DEC, |
494 | 15 | NULL, 0x0, |
495 | 15 | NULL, HFILL } |
496 | 15 | }, |
497 | 15 | { &hf_openvpn_fragment_bytes, |
498 | 15 | { "Fragment bytes", "openvpn.fragment_bytes", |
499 | 15 | FT_BYTES, BASE_NONE, |
500 | 15 | NULL, 0x0, |
501 | 15 | NULL, HFILL } |
502 | 15 | }, |
503 | 15 | { &hf_openvpn_fragments, |
504 | 15 | { "Message fragments", "openvpn.fragments", |
505 | 15 | FT_NONE, BASE_NONE, |
506 | 15 | NULL, 0x00, |
507 | 15 | NULL, HFILL } |
508 | 15 | }, |
509 | 15 | { &hf_openvpn_fragment, |
510 | 15 | { "Message fragment", "openvpn.fragment", |
511 | 15 | FT_FRAMENUM, BASE_NONE, |
512 | 15 | NULL, 0x00, |
513 | 15 | NULL, HFILL } |
514 | 15 | }, |
515 | 15 | { &hf_openvpn_fragment_overlap, |
516 | 15 | { "Message fragment overlap", "openvpn.fragment.overlap", |
517 | 15 | FT_BOOLEAN, BASE_NONE, |
518 | 15 | NULL, 0x00, |
519 | 15 | NULL, HFILL } |
520 | 15 | }, |
521 | 15 | { &hf_openvpn_fragment_overlap_conflicts, |
522 | 15 | { "Message fragment overlapping with conflicting data", "openvpn.fragment.overlap.conflicts", |
523 | 15 | FT_BOOLEAN, BASE_NONE, |
524 | 15 | NULL, 0x00, |
525 | 15 | NULL, HFILL } |
526 | 15 | }, |
527 | 15 | { &hf_openvpn_fragment_multiple_tails, |
528 | 15 | { "Message has multiple tail fragments", "openvpn.fragment.multiple_tails", |
529 | 15 | FT_BOOLEAN, BASE_NONE, |
530 | 15 | NULL, 0x00, |
531 | 15 | NULL, HFILL } |
532 | 15 | }, |
533 | 15 | { &hf_openvpn_fragment_too_long_fragment, |
534 | 15 | { "Message fragment too long", "openvpn.fragment.too_long_fragment", |
535 | 15 | FT_BOOLEAN, BASE_NONE, |
536 | 15 | NULL, 0x00, |
537 | 15 | NULL, HFILL } |
538 | 15 | }, |
539 | 15 | { &hf_openvpn_fragment_error, |
540 | 15 | { "Message defragmentation error", "openvpn.fragment.error", |
541 | 15 | FT_FRAMENUM, BASE_NONE, |
542 | 15 | NULL, 0x00, |
543 | 15 | NULL, HFILL } |
544 | 15 | }, |
545 | 15 | { &hf_openvpn_fragment_count, |
546 | 15 | { "Message fragment count", "openvpn.fragment.count", |
547 | 15 | FT_UINT32, BASE_DEC, |
548 | 15 | NULL, 0x00, |
549 | 15 | NULL, HFILL } |
550 | 15 | }, |
551 | 15 | { &hf_openvpn_reassembled_in, |
552 | 15 | { "Reassembled message in frame", "openvpn.reassembled.in", |
553 | 15 | FT_FRAMENUM, BASE_NONE, |
554 | 15 | NULL, 0x00, |
555 | 15 | NULL, HFILL } |
556 | 15 | }, |
557 | 15 | { &hf_openvpn_reassembled_length, |
558 | 15 | {"Reassembled message length", "openvpn.reassembled.length", |
559 | 15 | FT_UINT32, BASE_DEC, |
560 | 15 | NULL, 0x00, |
561 | 15 | NULL, HFILL } |
562 | 15 | } |
563 | 15 | }; |
564 | | |
565 | | /* Setup protocol subtree array */ |
566 | 15 | static int *ett[] = { |
567 | 15 | &ett_openvpn, |
568 | 15 | &ett_openvpn_type, |
569 | 15 | &ett_openvpn_data, |
570 | 15 | &ett_openvpn_wkc, |
571 | 15 | &ett_openvpn_packetarray, |
572 | 15 | &ett_openvpn_fragment, |
573 | 15 | &ett_openvpn_fragments |
574 | 15 | }; |
575 | 15 | module_t *openvpn_module; |
576 | | |
577 | 15 | proto_openvpn = proto_register_protocol ("OpenVPN Protocol", "OpenVPN", "openvpn"); |
578 | | |
579 | 15 | proto_register_field_array(proto_openvpn, hf, array_length(hf)); |
580 | 15 | proto_register_subtree_array(ett, array_length(ett)); |
581 | | |
582 | 15 | openvpn_udp_handle = register_dissector("openvpn.udp", dissect_openvpn_udp, proto_openvpn); |
583 | 15 | openvpn_tcp_handle = register_dissector("openvpn.tcp", dissect_openvpn_tcp, proto_openvpn); |
584 | | |
585 | 15 | reassembly_table_register(&msg_reassembly_table, |
586 | 15 | &addresses_reassembly_table_functions); |
587 | | |
588 | 15 | openvpn_module = prefs_register_protocol(proto_openvpn, NULL); |
589 | | |
590 | 15 | prefs_register_bool_preference(openvpn_module, |
591 | 15 | "tls_auth_detection_override", |
592 | 15 | "override tls-auth detection", |
593 | 15 | "If tls-auth detection fails, you can choose to override detection and set tls-auth yourself", |
594 | 15 | &pref_tls_auth_override); |
595 | | |
596 | 15 | prefs_register_bool_preference(openvpn_module, |
597 | 15 | "tls_crypt", |
598 | 15 | "assume tls-crypt", |
599 | 15 | "Assume the connection uses tls-crypt", |
600 | 15 | &pref_tls_crypt_override); |
601 | 15 | prefs_register_bool_preference(openvpn_module, |
602 | 15 | "tls_auth", |
603 | 15 | "--tls-auth used?", |
604 | 15 | "If the parameter --tls-auth is used, the following preferences must also be defined.", |
605 | 15 | &pref_tls_auth); |
606 | 15 | prefs_register_uint_preference(openvpn_module, |
607 | 15 | "tls_auth_hmac_size", |
608 | 15 | "size of the HMAC header in bytes", |
609 | 15 | "If the parameter --tls-auth is used, a HMAC header is being inserted.\n" |
610 | 15 | "The default HMAC algorithm is SHA-1 which generates a 160 bit HMAC," |
611 | 15 | " therefore 20 bytes should be ok.\n" |
612 | 15 | "The value must be between 20 (160 bits) and 64 (512 bits).", |
613 | 15 | 10, &tls_auth_hmac_size); |
614 | | |
615 | 15 | prefs_register_bool_preference(openvpn_module, |
616 | 15 | "long_format", |
617 | 15 | "packet-id for replay protection includes optional time_t timestamp?", |
618 | 15 | "If the parameter --tls-auth is used, an additional packet-id for replay protection" |
619 | 15 | " is inserted after the HMAC signature." |
620 | 15 | " This field can either be 4 bytes or 8 bytes including an optional time_t timestamp long.\n" |
621 | 15 | " This option is only evaluated if tls_auth_hmac_size > 0.\n" |
622 | 15 | " The default value is true.", |
623 | 15 | &pref_long_format); |
624 | 15 | } |
625 | | |
626 | | void |
627 | | proto_reg_handoff_openvpn(void) |
628 | 15 | { |
629 | 15 | tls_handle = find_dissector_add_dependency("tls", proto_openvpn); |
630 | 15 | dissector_add_uint_with_preference("tcp.port", OPENVPN_PORT, openvpn_tcp_handle); |
631 | 15 | dissector_add_uint_with_preference("udp.port", OPENVPN_PORT, openvpn_udp_handle); |
632 | 15 | } |
633 | | |
634 | | /* |
635 | | * Editor modelines - https://www.wireshark.org/tools/modelines.html |
636 | | * |
637 | | * Local variables: |
638 | | * c-basic-offset: 2 |
639 | | * tab-width: 8 |
640 | | * indent-tabs-mode: nil |
641 | | * End: |
642 | | * |
643 | | * vi: set shiftwidth=2 tabstop=8 expandtab: |
644 | | * :indentSize=2:tabSize=8:noTabs=true |
645 | | */ |