2013-01-24 04:26:46 +00:00
|
|
|
/* packet-openvpn.c
|
|
|
|
* routines for openvpn packet dissasembly
|
|
|
|
* - http://www.openvpn.net
|
|
|
|
* - http://fengnet.com/book/vpns%20illustrated%20tunnels%20%20vpnsand%20ipsec/ch08lev1sec5.html
|
|
|
|
*
|
|
|
|
* Created as part of a semester project at the University of Applied Sciences Hagenberg
|
|
|
|
* (http://www.fh-ooe.at/en/hagenberg-campus/)
|
|
|
|
*
|
|
|
|
* Copyright (c) 2013:
|
|
|
|
* Hofer Manuel (manuel@mnlhfr.at)
|
|
|
|
* Nemeth Franz
|
|
|
|
* Scheipner Alexander
|
|
|
|
* Stiftinger Thomas
|
|
|
|
* Werner Sebastian
|
|
|
|
*
|
2018-02-12 11:23:27 +00:00
|
|
|
* SPDX-License-Identifier: GPL-2.0-or-later
|
2013-01-24 04:26:46 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include "config.h"
|
|
|
|
|
|
|
|
#include <epan/packet.h>
|
|
|
|
#include <epan/prefs.h>
|
|
|
|
#include <epan/reassemble.h>
|
2014-12-20 21:23:59 +00:00
|
|
|
#include "packet-tcp.h"
|
2013-01-24 04:26:46 +00:00
|
|
|
|
2013-12-14 10:29:26 +00:00
|
|
|
void proto_register_openvpn(void);
|
|
|
|
void proto_reg_handoff_openvpn(void);
|
|
|
|
|
2013-01-24 04:26:46 +00:00
|
|
|
#define PFNAME "openvpn"
|
|
|
|
#define PNAME "OpenVPN Protocol"
|
|
|
|
#define PSNAME "OpenVPN"
|
|
|
|
|
|
|
|
#define OPENVPN_PORT 1194
|
|
|
|
|
|
|
|
/* packet opcode and key-id are combined in one byte */
|
|
|
|
#define P_OPCODE_MASK 0xF8 /* packet opcode (high 5 bits) */
|
|
|
|
#define P_KEY_ID_MASK 0x07 /* key-id (low 3 bits) */
|
|
|
|
#define HMAC_KEY_LENGTH_MAX 64 /* 512 Bit HMAC is maximum */
|
|
|
|
|
|
|
|
/* Opcodes */
|
|
|
|
#define P_CONTROL_HARD_RESET_CLIENT_V1 1
|
|
|
|
#define P_CONTROL_HARD_RESET_SERVER_V1 2
|
|
|
|
#define P_CONTROL_SOFT_RESET_V1 3
|
|
|
|
#define P_CONTROL_V1 4
|
|
|
|
#define P_ACK_V1 5
|
|
|
|
#define P_DATA_V1 6
|
|
|
|
#define P_CONTROL_HARD_RESET_CLIENT_V2 7
|
|
|
|
#define P_CONTROL_HARD_RESET_SERVER_V2 8
|
2015-02-08 15:21:18 +00:00
|
|
|
#define P_DATA_V2 9
|
2013-01-24 04:26:46 +00:00
|
|
|
|
|
|
|
static gint ett_openvpn = -1;
|
|
|
|
static gint ett_openvpn_data = -1;
|
|
|
|
static gint ett_openvpn_packetarray = -1;
|
|
|
|
static gint ett_openvpn_type = -1;
|
|
|
|
static gint hf_openvpn_data = -1;
|
|
|
|
static gint hf_openvpn_fragment_bytes = -1;
|
|
|
|
static gint hf_openvpn_hmac = -1;
|
|
|
|
static gint hf_openvpn_keyid = -1;
|
|
|
|
static gint hf_openvpn_mpid = -1;
|
|
|
|
static gint hf_openvpn_mpid_arrayelement = -1;
|
|
|
|
static gint hf_openvpn_mpid_arraylength = -1;
|
|
|
|
static gint hf_openvpn_net_time = -1;
|
|
|
|
static gint hf_openvpn_opcode = -1;
|
|
|
|
static gint hf_openvpn_pdu_type = -1;
|
|
|
|
static gint hf_openvpn_pid = -1;
|
|
|
|
static gint hf_openvpn_plen = -1;
|
|
|
|
static gint hf_openvpn_rsessionid = -1;
|
|
|
|
static gint hf_openvpn_sessionid = -1;
|
2015-02-08 15:21:18 +00:00
|
|
|
static gint hf_openvpn_peerid = -1;
|
2013-01-24 04:26:46 +00:00
|
|
|
static gint proto_openvpn = -1;
|
|
|
|
|
2013-11-09 17:46:28 +00:00
|
|
|
static dissector_handle_t openvpn_udp_handle;
|
|
|
|
static dissector_handle_t openvpn_tcp_handle;
|
2013-08-05 18:09:43 +00:00
|
|
|
|
2018-09-13 15:40:27 +00:00
|
|
|
static dissector_handle_t tls_handle;
|
2013-08-05 18:09:43 +00:00
|
|
|
|
2013-01-24 04:26:46 +00:00
|
|
|
/* Preferences */
|
|
|
|
static gboolean pref_long_format = TRUE;
|
|
|
|
static gboolean pref_tls_auth = FALSE;
|
|
|
|
static gboolean pref_tls_auth_override = FALSE;
|
|
|
|
static guint tls_auth_hmac_size = 20; /* Default SHA-1 160 Bits */
|
|
|
|
|
|
|
|
static const value_string openvpn_message_types[] =
|
|
|
|
{
|
|
|
|
{ P_CONTROL_HARD_RESET_CLIENT_V1, "P_CONTROL_HARD_RESET_CLIENT_V1" },
|
|
|
|
{ P_CONTROL_HARD_RESET_SERVER_V1, "P_CONTROL_HARD_RESET_SERVER_V1" },
|
|
|
|
{ P_CONTROL_SOFT_RESET_V1, "P_CONTROL_SOFT_RESET_V1" },
|
|
|
|
{ P_CONTROL_V1, "P_CONTROL_V1" },
|
|
|
|
{ P_ACK_V1, "P_ACK_V1" },
|
|
|
|
{ P_DATA_V1, "P_DATA_V1" },
|
|
|
|
{ P_CONTROL_HARD_RESET_CLIENT_V2, "P_CONTROL_HARD_RESET_CLIENT_V2" },
|
|
|
|
{ P_CONTROL_HARD_RESET_SERVER_V2, "P_CONTROL_HARD_RESET_SERVER_V2" },
|
2015-02-08 15:21:18 +00:00
|
|
|
{ P_DATA_V2, "P_DATA_V2" },
|
2013-01-24 04:26:46 +00:00
|
|
|
{ 0, NULL }
|
|
|
|
};
|
|
|
|
|
|
|
|
/* everything used during the reassembly process */
|
2013-03-22 23:59:54 +00:00
|
|
|
static reassembly_table msg_reassembly_table;
|
2013-01-24 04:26:46 +00:00
|
|
|
|
|
|
|
static gint ett_openvpn_fragment = -1;
|
|
|
|
static gint ett_openvpn_fragments = -1;
|
|
|
|
static gint hf_openvpn_fragment = -1;
|
|
|
|
static gint hf_openvpn_fragment_count = -1;
|
|
|
|
static gint hf_openvpn_fragment_error = -1;
|
|
|
|
static gint hf_openvpn_fragment_multiple_tails = -1;
|
|
|
|
static gint hf_openvpn_fragment_overlap = -1;
|
|
|
|
static gint hf_openvpn_fragment_overlap_conflicts = -1;
|
|
|
|
static gint hf_openvpn_fragment_too_long_fragment = -1;
|
|
|
|
static gint hf_openvpn_fragments = -1;
|
|
|
|
static gint hf_openvpn_reassembled_in = -1;
|
|
|
|
static gint hf_openvpn_reassembled_length = -1;
|
|
|
|
|
|
|
|
static const fragment_items openvpn_frag_items = {
|
|
|
|
/* Fragment subtrees */
|
|
|
|
&ett_openvpn_fragment,
|
|
|
|
&ett_openvpn_fragments,
|
|
|
|
/* Fragment fields */
|
|
|
|
&hf_openvpn_fragments,
|
|
|
|
&hf_openvpn_fragment,
|
|
|
|
&hf_openvpn_fragment_overlap,
|
|
|
|
&hf_openvpn_fragment_overlap_conflicts,
|
|
|
|
&hf_openvpn_fragment_multiple_tails,
|
|
|
|
&hf_openvpn_fragment_too_long_fragment,
|
|
|
|
&hf_openvpn_fragment_error,
|
|
|
|
&hf_openvpn_fragment_count,
|
|
|
|
/* Reassembled in field */
|
|
|
|
&hf_openvpn_reassembled_in,
|
|
|
|
/* Reassembled length field */
|
|
|
|
&hf_openvpn_reassembled_length,
|
|
|
|
/* Reassembled data field */
|
|
|
|
NULL,
|
|
|
|
/* Tag */
|
|
|
|
"Message fragments"
|
|
|
|
};
|
|
|
|
|
|
|
|
/* we check the leading 4 byte of a suspected hmac for 0x00 bytes,
|
|
|
|
if more than 1 byte out of the 4 provided contains 0x00, the
|
|
|
|
hmac is considered not valid, which suggests that no tls auth is used.
|
|
|
|
unfortunatly there is no other way to detect tls auth on the fly */
|
|
|
|
static gboolean
|
|
|
|
check_for_valid_hmac(guint32 hmac)
|
|
|
|
{
|
|
|
|
gint c = 0;
|
|
|
|
if ((hmac & 0x000000FF) == 0x00000000) {
|
|
|
|
c++;
|
|
|
|
}
|
|
|
|
if ((hmac & 0x0000FF00) == 0x00000000) {
|
|
|
|
c++;
|
|
|
|
}
|
|
|
|
if ((hmac & 0x00FF0000) == 0x00000000) {
|
|
|
|
c++;
|
|
|
|
}
|
|
|
|
if ((hmac & 0xFF000000) == 0x00000000) {
|
|
|
|
c++;
|
|
|
|
}
|
|
|
|
if (c > 1) {
|
|
|
|
return FALSE;
|
|
|
|
} else {
|
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2013-11-09 17:46:28 +00:00
|
|
|
static int
|
|
|
|
dissect_openvpn_msg_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *openvpn_tree, proto_tree *parent_tree, gint offset)
|
2013-01-24 04:26:46 +00:00
|
|
|
{
|
|
|
|
gboolean tls_auth;
|
|
|
|
guint openvpn_keyid;
|
|
|
|
guint openvpn_opcode;
|
|
|
|
guint32 msg_mpid = -1;
|
|
|
|
guint32 msg_sessionid = -1;
|
|
|
|
guint8 openvpn_predict_tlsauth_arraylength;
|
2014-07-05 19:25:32 +00:00
|
|
|
proto_item *ti2;
|
2013-11-09 17:46:28 +00:00
|
|
|
proto_tree *packetarray_tree, *type_tree;
|
2013-01-24 04:26:46 +00:00
|
|
|
guint32 msg_length_remaining;
|
|
|
|
gboolean msg_lastframe;
|
2013-07-17 21:12:24 +00:00
|
|
|
fragment_head *frag_msg;
|
2013-01-24 04:26:46 +00:00
|
|
|
tvbuff_t *new_tvb;
|
|
|
|
gboolean save_fragmented;
|
|
|
|
|
|
|
|
/* Clear out stuff in the info column */
|
|
|
|
col_set_str(pinfo->cinfo, COL_PROTOCOL, PSNAME);
|
|
|
|
col_clear(pinfo->cinfo,COL_INFO);
|
|
|
|
|
|
|
|
/* read opcode and write to info column */
|
|
|
|
openvpn_opcode = tvb_get_bits8(tvb, offset*8, 5);
|
|
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, "MessageType: %s",
|
2013-02-21 21:04:59 +00:00
|
|
|
val_to_str_const(openvpn_opcode, openvpn_message_types, "Unknown Messagetype"));
|
2013-01-24 04:26:46 +00:00
|
|
|
|
|
|
|
|
|
|
|
openvpn_keyid = tvb_get_bits8(tvb, offset*8 + 5, 3);
|
2013-11-09 17:46:28 +00:00
|
|
|
proto_item_append_text(parent_tree, ", Opcode: %s, Key ID: %d",
|
2013-01-24 04:26:46 +00:00
|
|
|
val_to_str(openvpn_opcode, openvpn_message_types, "Unknown (0x%02x)"),
|
|
|
|
openvpn_keyid);
|
|
|
|
|
|
|
|
ti2 = proto_tree_add_item(openvpn_tree, hf_openvpn_pdu_type, tvb, offset, 1, ENC_BIG_ENDIAN);
|
2013-11-09 17:46:28 +00:00
|
|
|
proto_item_append_text(ti2, " [opcode/key_id]");
|
2013-01-24 04:26:46 +00:00
|
|
|
|
|
|
|
type_tree = proto_item_add_subtree(ti2, ett_openvpn_type);
|
|
|
|
proto_tree_add_item(type_tree, hf_openvpn_opcode, tvb, offset, 1, ENC_BIG_ENDIAN);
|
|
|
|
proto_tree_add_item(type_tree, hf_openvpn_keyid, tvb, offset, 1, ENC_BIG_ENDIAN);
|
|
|
|
offset += 1;
|
|
|
|
|
2015-02-08 15:21:18 +00:00
|
|
|
if (openvpn_opcode == P_DATA_V2) {
|
|
|
|
proto_tree_add_item(openvpn_tree, hf_openvpn_peerid, tvb, offset, 3, ENC_BIG_ENDIAN);
|
|
|
|
offset += 3;
|
|
|
|
} else if (openvpn_opcode != P_DATA_V1) {
|
|
|
|
/* if we have a P_CONTROL or P_ACK packet */
|
|
|
|
|
2013-01-24 04:26:46 +00:00
|
|
|
/* read sessionid */
|
|
|
|
msg_sessionid = tvb_get_bits32(tvb, offset*8+32, 32, ENC_BIG_ENDIAN);
|
|
|
|
proto_tree_add_item(openvpn_tree, hf_openvpn_sessionid, tvb, offset, 8, ENC_BIG_ENDIAN);
|
|
|
|
offset += 8;
|
|
|
|
|
|
|
|
/* tls-auth detection (this can be overridden by preferences */
|
|
|
|
openvpn_predict_tlsauth_arraylength = tvb_get_guint8(tvb, offset);
|
|
|
|
/* if the first 4 bytes that would, if tls-auth is used, contain part of the hmac,
|
|
|
|
lack entropy, we asume no tls-auth is used */
|
|
|
|
if (pref_tls_auth_override == FALSE) {
|
|
|
|
if ((openvpn_opcode != P_DATA_V1)
|
|
|
|
&& (openvpn_predict_tlsauth_arraylength > 0)
|
|
|
|
&& check_for_valid_hmac(tvb_get_ntohl(tvb, offset))) {
|
|
|
|
tls_auth = TRUE;
|
|
|
|
} else {
|
|
|
|
tls_auth = FALSE;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
tls_auth = pref_tls_auth;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (tls_auth == TRUE) {
|
|
|
|
proto_tree_add_item(openvpn_tree, hf_openvpn_hmac, tvb, offset, tls_auth_hmac_size, ENC_NA);
|
|
|
|
offset += tls_auth_hmac_size;
|
|
|
|
|
2015-06-23 22:17:27 +00:00
|
|
|
if (tvb_reported_length_remaining(tvb, offset) >= 8) {
|
2013-01-24 04:26:46 +00:00
|
|
|
proto_tree_add_item(openvpn_tree, hf_openvpn_pid, tvb, offset, 4, ENC_BIG_ENDIAN);
|
|
|
|
offset += 4;
|
|
|
|
|
|
|
|
if (pref_long_format) {
|
|
|
|
proto_tree_add_item(openvpn_tree, hf_openvpn_net_time, tvb, offset, 4, ENC_BIG_ENDIAN);
|
|
|
|
offset += 4;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-06-23 22:17:27 +00:00
|
|
|
if (tvb_reported_length_remaining(tvb, offset) >= 1) {
|
2013-01-24 04:26:46 +00:00
|
|
|
/* read P_ACK packet-id array length */
|
|
|
|
gint pid_arraylength = tvb_get_guint8(tvb, offset);
|
|
|
|
gint i;
|
|
|
|
proto_tree_add_item(openvpn_tree, hf_openvpn_mpid_arraylength, tvb, offset, 1, ENC_BIG_ENDIAN);
|
|
|
|
offset += 1;
|
|
|
|
|
|
|
|
if (pid_arraylength > 0) {
|
|
|
|
|
2014-07-05 19:25:32 +00:00
|
|
|
packetarray_tree = proto_tree_add_subtree(openvpn_tree, tvb, offset, 0, ett_openvpn_packetarray, NULL, "Packet-ID Array");
|
2013-01-24 04:26:46 +00:00
|
|
|
for (i = 0; i < pid_arraylength; i++) {
|
|
|
|
proto_tree_add_item(packetarray_tree, hf_openvpn_mpid_arrayelement, tvb, offset, 4, ENC_BIG_ENDIAN);
|
|
|
|
offset += 4;
|
|
|
|
}
|
|
|
|
|
2015-06-23 22:17:27 +00:00
|
|
|
if (tvb_reported_length_remaining(tvb, offset) >= 8) {
|
2013-01-24 04:26:46 +00:00
|
|
|
proto_tree_add_item(openvpn_tree, hf_openvpn_rsessionid, tvb, offset, 8, ENC_BIG_ENDIAN);
|
|
|
|
offset += 8;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* if we have a P_CONTROL packet */
|
|
|
|
if (openvpn_opcode != P_ACK_V1) {
|
|
|
|
/* read Message Packet-ID */
|
2015-06-23 22:17:27 +00:00
|
|
|
if (tvb_reported_length_remaining(tvb, offset) >= 4) {
|
2013-01-24 04:26:46 +00:00
|
|
|
msg_mpid = tvb_get_bits32(tvb, offset*8, 32, ENC_BIG_ENDIAN);
|
|
|
|
proto_tree_add_item(openvpn_tree, hf_openvpn_mpid, tvb, offset, 4, ENC_BIG_ENDIAN);
|
|
|
|
offset += 4;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2013-11-09 17:46:28 +00:00
|
|
|
/* if we have more data left, determine what to do */
|
2015-06-23 22:17:27 +00:00
|
|
|
msg_length_remaining = tvb_reported_length_remaining(tvb, offset);
|
2013-01-24 04:26:46 +00:00
|
|
|
|
|
|
|
if (msg_length_remaining == 0) {
|
2015-06-23 18:24:48 +00:00
|
|
|
return tvb_captured_length(tvb);
|
2013-01-24 04:26:46 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if (openvpn_opcode != P_CONTROL_V1) {
|
|
|
|
proto_tree *data_tree;
|
2014-07-05 19:25:32 +00:00
|
|
|
data_tree = proto_tree_add_subtree_format(openvpn_tree, tvb, offset, -1,
|
|
|
|
ett_openvpn_data, NULL, "Data (%d bytes)",
|
2015-06-23 22:17:27 +00:00
|
|
|
tvb_captured_length_remaining(tvb, offset));
|
2013-01-24 04:26:46 +00:00
|
|
|
|
|
|
|
proto_tree_add_item(data_tree, hf_openvpn_data, tvb, offset, -1, ENC_NA);
|
2015-06-23 18:24:48 +00:00
|
|
|
return tvb_captured_length(tvb);
|
2013-01-24 04:26:46 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Try to reassemble */
|
|
|
|
|
|
|
|
/* an ordinary openvpn control packet contains 100 bytes only if it is part of a
|
|
|
|
fragmented message and is not the last fragment of the current transmission.
|
|
|
|
Note that the tvb contains exactly one openvpn PDU:
|
|
|
|
UDP: by definition;
|
2013-11-09 17:46:28 +00:00
|
|
|
TCP: because of the use of tcp_dissect_pdus().
|
2013-01-24 04:26:46 +00:00
|
|
|
*/
|
|
|
|
if (msg_length_remaining == 100) {
|
|
|
|
msg_lastframe = FALSE;
|
|
|
|
} else {
|
|
|
|
msg_lastframe = TRUE;
|
|
|
|
}
|
|
|
|
|
|
|
|
save_fragmented = pinfo->fragmented;
|
|
|
|
pinfo->fragmented = TRUE;
|
|
|
|
|
|
|
|
frag_msg = fragment_add_seq_next(
|
2013-03-22 23:59:54 +00:00
|
|
|
&msg_reassembly_table,
|
2013-01-24 04:26:46 +00:00
|
|
|
tvb,
|
|
|
|
offset,
|
|
|
|
pinfo,
|
|
|
|
msg_sessionid, /* ID for fragments belonging together */
|
2013-03-22 23:59:54 +00:00
|
|
|
NULL,
|
2013-01-24 04:26:46 +00:00
|
|
|
msg_length_remaining, /* fragment length - to the end */
|
|
|
|
!(msg_lastframe)); /* More fragments ? */
|
|
|
|
|
|
|
|
/* show "data" fragment on tree unless "reassembled" message has just one part. */
|
|
|
|
/* i.e., show if ("not reassembled") or ("reassembled" and "has multiple fragments") */
|
|
|
|
if ((frag_msg == NULL) || (frag_msg->next != NULL)) {
|
|
|
|
proto_tree *data_tree;
|
2014-07-05 19:25:32 +00:00
|
|
|
data_tree = proto_tree_add_subtree_format(openvpn_tree, tvb, offset, -1,
|
|
|
|
ett_openvpn_data, NULL, "Message fragment (%d bytes)",
|
2015-06-23 22:17:27 +00:00
|
|
|
tvb_captured_length_remaining(tvb, offset));
|
2013-01-24 04:26:46 +00:00
|
|
|
|
|
|
|
proto_tree_add_item(data_tree, hf_openvpn_fragment_bytes, tvb, offset, -1, ENC_NA);
|
|
|
|
}
|
|
|
|
|
|
|
|
new_tvb = NULL;
|
|
|
|
if (frag_msg) {
|
|
|
|
if (msg_lastframe) { /* Reassembled */
|
|
|
|
new_tvb = process_reassembled_data(tvb, offset, pinfo, "Reassembled Message",
|
|
|
|
frag_msg, &openvpn_frag_items, NULL, openvpn_tree);
|
|
|
|
if (frag_msg->next != NULL) { /* multiple frags ? */
|
2013-10-29 14:09:20 +00:00
|
|
|
col_append_str(pinfo->cinfo, COL_INFO, " (Message Reassembled "); /* overwritten by next dissector */
|
2013-01-24 04:26:46 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
} else { /* Not last packet of reassembled Short Message */
|
|
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, " (Message fragment %d) ", msg_mpid);
|
2016-01-24 03:40:51 +00:00
|
|
|
if (pinfo->num != frag_msg->reassembled_in) {
|
2013-01-24 04:26:46 +00:00
|
|
|
/* Add a "Reassembled in" link if not reassembled in this frame */
|
|
|
|
proto_tree_add_uint(openvpn_tree, hf_openvpn_reassembled_in,
|
|
|
|
tvb, 0, 0, frag_msg->reassembled_in);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
} /* if (frag_msg) */
|
|
|
|
|
|
|
|
pinfo->fragmented = save_fragmented;
|
|
|
|
|
|
|
|
/* Now see if we need to call subdissector.
|
|
|
|
new_tvb is non-null if we "reassembled* a message (even just one fragment) */
|
|
|
|
|
|
|
|
if (new_tvb) {
|
|
|
|
/* call SSL/TLS dissector if we just processed the last fragment */
|
2018-09-13 15:40:27 +00:00
|
|
|
call_dissector(tls_handle, new_tvb, pinfo, parent_tree);
|
2013-01-24 04:26:46 +00:00
|
|
|
}
|
2013-11-09 17:46:28 +00:00
|
|
|
|
2015-06-23 18:24:48 +00:00
|
|
|
return tvb_captured_length(tvb);
|
2013-01-24 04:26:46 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static guint
|
2015-01-25 19:30:13 +00:00
|
|
|
get_msg_length(packet_info *pinfo _U_, tvbuff_t *tvb, gint offset, void *data _U_)
|
2013-01-24 04:26:46 +00:00
|
|
|
{
|
|
|
|
return (guint)tvb_get_ntohs(tvb, offset) + 2; /* length field is at offset 0,
|
|
|
|
+2 to account for the length field itself */
|
|
|
|
}
|
|
|
|
|
2013-11-09 17:46:28 +00:00
|
|
|
static int
|
|
|
|
dissect_openvpn_msg_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
|
2013-01-24 04:26:46 +00:00
|
|
|
{
|
2013-11-09 17:46:28 +00:00
|
|
|
proto_item *ti;
|
|
|
|
proto_tree *openvpn_tree;
|
|
|
|
|
|
|
|
ti = proto_tree_add_item(tree, proto_openvpn, tvb, 0, -1, ENC_NA);
|
|
|
|
openvpn_tree = proto_item_add_subtree(ti, ett_openvpn);
|
2013-01-24 04:26:46 +00:00
|
|
|
|
2013-11-09 17:46:28 +00:00
|
|
|
proto_tree_add_item(openvpn_tree, hf_openvpn_plen, tvb, 0, 2, ENC_BIG_ENDIAN);
|
|
|
|
|
|
|
|
return dissect_openvpn_msg_common(tvb, pinfo, openvpn_tree, tree, 2);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
dissect_openvpn_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
|
|
|
|
{
|
|
|
|
tcp_dissect_pdus( tvb, pinfo, tree,
|
2013-01-24 04:26:46 +00:00
|
|
|
TRUE, /* should data be reassembled? */
|
|
|
|
2, /* how much bytes do we need for get_msg_length to be successful,
|
|
|
|
since the length is the first thing in an openvpn packet we choose 2 */
|
|
|
|
get_msg_length, /* fptr for function to get the packetlength of current frame */
|
2013-11-09 17:46:28 +00:00
|
|
|
dissect_openvpn_msg_tcp, data);
|
2015-06-23 18:24:48 +00:00
|
|
|
return tvb_captured_length(tvb);
|
2013-11-09 17:46:28 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
dissect_openvpn_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
|
|
|
|
{
|
|
|
|
proto_item *ti;
|
|
|
|
proto_tree *openvpn_tree;
|
|
|
|
|
|
|
|
ti = proto_tree_add_item(tree, proto_openvpn, tvb, 0, -1, ENC_NA);
|
|
|
|
openvpn_tree = proto_item_add_subtree(ti, ett_openvpn);
|
|
|
|
|
|
|
|
return dissect_openvpn_msg_common(tvb, pinfo, openvpn_tree, tree, 0);
|
2013-01-24 04:26:46 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
proto_register_openvpn(void)
|
|
|
|
{
|
|
|
|
static hf_register_info hf[] = {
|
|
|
|
{ &hf_openvpn_plen,
|
|
|
|
{ "Packet Length", "openvpn.plen",
|
|
|
|
FT_UINT16, BASE_DEC,
|
|
|
|
NULL, 0x0,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
|
|
|
{ &hf_openvpn_pdu_type,
|
|
|
|
{ "Type", "openvpn.type",
|
|
|
|
FT_UINT8, BASE_HEX,
|
|
|
|
NULL, 0x0,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
|
|
|
{ &hf_openvpn_opcode,
|
|
|
|
{ "Opcode", "openvpn.opcode",
|
|
|
|
FT_UINT8, BASE_HEX,
|
|
|
|
VALS(openvpn_message_types), P_OPCODE_MASK,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
|
|
|
{ &hf_openvpn_keyid,
|
|
|
|
{ "Key ID", "openvpn.keyid",
|
|
|
|
FT_UINT8, BASE_DEC,
|
|
|
|
NULL, P_KEY_ID_MASK,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
2015-02-08 15:21:18 +00:00
|
|
|
{ &hf_openvpn_peerid,
|
|
|
|
{ "Peer ID", "openvpn.peerid",
|
|
|
|
FT_UINT24, BASE_DEC,
|
|
|
|
NULL, 0x0,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
2013-01-24 04:26:46 +00:00
|
|
|
{ &hf_openvpn_sessionid,
|
|
|
|
{ "Session ID", "openvpn.sessionid",
|
|
|
|
FT_UINT64, BASE_DEC,
|
|
|
|
NULL, 0x0,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
|
|
|
{ &hf_openvpn_hmac,
|
|
|
|
{ "HMAC", "openvpn.hmac",
|
|
|
|
FT_BYTES, BASE_NONE,
|
|
|
|
NULL, 0x0,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
|
|
|
{ &hf_openvpn_pid,
|
|
|
|
{ "Packet-ID", "openvpn.pid",
|
|
|
|
FT_UINT32, BASE_DEC,
|
|
|
|
NULL, 0x0,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
|
|
|
{ &hf_openvpn_net_time,
|
|
|
|
{ "Net Time", "openvpn.net_time",
|
|
|
|
FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
|
|
|
|
NULL, 0x0,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
|
|
|
{ &hf_openvpn_rsessionid,
|
|
|
|
{ "Remote Session ID", "openvpn.rsessionid",
|
|
|
|
FT_UINT64, BASE_DEC,
|
|
|
|
NULL, 0x0,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
|
|
|
{ &hf_openvpn_mpid,
|
|
|
|
{ "Message Packet-ID", "openvpn.mpid",
|
|
|
|
FT_UINT32, BASE_DEC,
|
|
|
|
NULL, 0x0,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
|
|
|
{ &hf_openvpn_mpid_arraylength,
|
|
|
|
{ "Message Packet-ID Array Length", "openvpn.mpidarraylength",
|
|
|
|
FT_UINT8, BASE_DEC,
|
|
|
|
NULL, 0x0,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
|
|
|
{ &hf_openvpn_mpid_arrayelement,
|
|
|
|
{ "Message Packet-ID Array Element", "openvpn.mpidarrayelement",
|
|
|
|
FT_UINT32, BASE_DEC,
|
|
|
|
NULL, 0x0,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
|
|
|
{ &hf_openvpn_data,
|
|
|
|
{ "Data", "openvpn.data",
|
|
|
|
FT_BYTES, BASE_NONE,
|
|
|
|
NULL, 0x0,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
|
|
|
{ &hf_openvpn_fragment_bytes,
|
|
|
|
{ "Fragment bytes", "openvpn.fragment_bytes",
|
|
|
|
FT_BYTES, BASE_NONE,
|
|
|
|
NULL, 0x0,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
|
|
|
{ &hf_openvpn_fragments,
|
|
|
|
{ "Message fragments", "openvpn.fragments",
|
|
|
|
FT_NONE, BASE_NONE,
|
|
|
|
NULL, 0x00,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
|
|
|
{ &hf_openvpn_fragment,
|
|
|
|
{ "Message fragment", "openvpn.fragment",
|
|
|
|
FT_FRAMENUM, BASE_NONE,
|
|
|
|
NULL, 0x00,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
|
|
|
{ &hf_openvpn_fragment_overlap,
|
|
|
|
{ "Message fragment overlap", "openvpn.fragment.overlap",
|
|
|
|
FT_BOOLEAN, 0,
|
|
|
|
NULL, 0x00,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
|
|
|
{ &hf_openvpn_fragment_overlap_conflicts,
|
|
|
|
{ "Message fragment overlapping with conflicting data", "openvpn.fragment.overlap.conflicts",
|
|
|
|
FT_BOOLEAN, 0,
|
|
|
|
NULL, 0x00,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
|
|
|
{ &hf_openvpn_fragment_multiple_tails,
|
|
|
|
{ "Message has multiple tail fragments", "openvpn.fragment.multiple_tails",
|
|
|
|
FT_BOOLEAN, 0,
|
|
|
|
NULL, 0x00,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
|
|
|
{ &hf_openvpn_fragment_too_long_fragment,
|
|
|
|
{ "Message fragment too long", "openvpn.fragment.too_long_fragment",
|
|
|
|
FT_BOOLEAN, 0,
|
|
|
|
NULL, 0x00,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
|
|
|
{ &hf_openvpn_fragment_error,
|
|
|
|
{ "Message defragmentation error", "openvpn.fragment.error",
|
|
|
|
FT_FRAMENUM, BASE_NONE,
|
|
|
|
NULL, 0x00,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
|
|
|
{ &hf_openvpn_fragment_count,
|
|
|
|
{ "Message fragment count", "openvpn.fragment.count",
|
|
|
|
FT_UINT32, BASE_DEC,
|
|
|
|
NULL, 0x00,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
|
|
|
{ &hf_openvpn_reassembled_in,
|
|
|
|
{ "Reassembled message in frame", "openvpn.reassembled.in",
|
|
|
|
FT_FRAMENUM, BASE_NONE,
|
|
|
|
NULL, 0x00,
|
|
|
|
NULL, HFILL }
|
|
|
|
},
|
|
|
|
{ &hf_openvpn_reassembled_length,
|
|
|
|
{"Reassembled message length", "openvpn.reassembled.length",
|
|
|
|
FT_UINT32, BASE_DEC,
|
|
|
|
NULL, 0x00,
|
|
|
|
NULL, HFILL }
|
|
|
|
}
|
|
|
|
};
|
|
|
|
|
|
|
|
/* Setup protocol subtree array */
|
|
|
|
static gint *ett[] = {
|
|
|
|
&ett_openvpn,
|
|
|
|
&ett_openvpn_type,
|
|
|
|
&ett_openvpn_data,
|
|
|
|
&ett_openvpn_packetarray,
|
|
|
|
&ett_openvpn_fragment,
|
|
|
|
&ett_openvpn_fragments
|
|
|
|
};
|
|
|
|
module_t *openvpn_module;
|
|
|
|
|
|
|
|
proto_openvpn = proto_register_protocol (
|
|
|
|
PNAME, /* name */
|
|
|
|
PSNAME, /* short name */
|
|
|
|
PFNAME /* abbrev */
|
|
|
|
);
|
|
|
|
|
|
|
|
proto_register_field_array(proto_openvpn, hf, array_length(hf));
|
|
|
|
proto_register_subtree_array(ett, array_length(ett));
|
|
|
|
|
2015-12-09 04:04:01 +00:00
|
|
|
openvpn_udp_handle = register_dissector("openvpn.udp", dissect_openvpn_udp, proto_openvpn);
|
|
|
|
openvpn_tcp_handle = register_dissector("openvpn.tcp", dissect_openvpn_tcp, proto_openvpn);
|
2013-01-24 04:26:46 +00:00
|
|
|
|
2017-01-29 00:53:36 +00:00
|
|
|
reassembly_table_register(&msg_reassembly_table,
|
|
|
|
&addresses_reassembly_table_functions);
|
2013-01-24 04:26:46 +00:00
|
|
|
|
2016-10-05 20:33:54 +00:00
|
|
|
openvpn_module = prefs_register_protocol(proto_openvpn, NULL);
|
2013-01-24 04:26:46 +00:00
|
|
|
|
|
|
|
prefs_register_bool_preference(openvpn_module,
|
|
|
|
"tls_auth_detection_override",
|
|
|
|
"override tls-auth detection",
|
|
|
|
"If tls-auth detection fails, you can choose to override detection and set tls-auth yourself",
|
|
|
|
&pref_tls_auth_override);
|
|
|
|
prefs_register_bool_preference(openvpn_module,
|
|
|
|
"tls_auth",
|
|
|
|
"--tls-auth used?",
|
|
|
|
"If the parameter --tls-auth is used, the following preferences must also be defined.",
|
|
|
|
&pref_tls_auth);
|
|
|
|
prefs_register_uint_preference(openvpn_module,
|
|
|
|
"tls_auth_hmac_size",
|
|
|
|
"size of the HMAC header in bytes",
|
|
|
|
"If the parameter --tls-auth is used, a HMAC header is being inserted.\n"
|
|
|
|
"The default HMAC algorithm is SHA-1 which generates a 160 bit HMAC,"
|
|
|
|
" therefore 20 bytes should be ok.\n"
|
|
|
|
"The value must be between 20 (160 bits) and 64 (512 bits).",
|
|
|
|
10, &tls_auth_hmac_size);
|
|
|
|
|
|
|
|
prefs_register_bool_preference(openvpn_module,
|
|
|
|
"long_format",
|
|
|
|
"packet-id for replay protection includes optional time_t timestamp?",
|
|
|
|
"If the parameter --tls-auth is used, an additional packet-id for replay protection"
|
|
|
|
" is inserted after the HMAC signature."
|
|
|
|
" This field can either be 4 bytes or 8 bytes including an optional time_t timestamp long.\n"
|
|
|
|
" This option is only evaluated if tls_auth_hmac_size > 0.\n"
|
|
|
|
" The default value is TRUE.",
|
|
|
|
&pref_long_format);
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
proto_reg_handoff_openvpn(void)
|
|
|
|
{
|
2018-09-13 15:40:27 +00:00
|
|
|
tls_handle = find_dissector_add_dependency("tls", proto_openvpn);
|
2016-10-05 20:33:54 +00:00
|
|
|
dissector_add_uint_with_preference("tcp.port", OPENVPN_PORT, openvpn_tcp_handle);
|
|
|
|
dissector_add_uint_with_preference("udp.port", OPENVPN_PORT, openvpn_udp_handle);
|
2013-01-24 04:26:46 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Editor modelines - http://www.wireshark.org/tools/modelines.html
|
|
|
|
*
|
|
|
|
* Local variables:
|
|
|
|
* c-basic-offset: 2
|
|
|
|
* tab-width: 8
|
|
|
|
* indent-tabs-mode: nil
|
|
|
|
* End:
|
|
|
|
*
|
|
|
|
* vi: set shiftwidth=2 tabstop=8 expandtab:
|
|
|
|
* :indentSize=2:tabSize=8:noTabs=true
|
|
|
|
*/
|