author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2022-03-09 22:37:56 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-03-09 22:37:56 +0100 |
commit | b83e9f20e7f01807ad97d62d9a076dba9d5f4b45 (patch) | |
tree | 09ab02bcb6a689513c559001c0f17a8f9232b6a8 | |
parent | 7aee856aa063f7861be7e7fe2970ba014391d9bf (diff) |
QUIC: fix dissection of draft-34 (#1484)dev-1
QUIC-34 is probably not used in production, but fixing it is trivial and
it doesn't add any noise to the already complex QUIC code.
-rw-r--r-- | src/lib/protocols/quic.c | 9 | ||||
-rw-r--r-- | tests/pcap/quic-34.pcap | bin | 0 -> 4924 bytes | |||
-rw-r--r-- | tests/result/quic-34.pcap.out | 13 |
3 files changed, 18 insertions, 4 deletions
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c index f107f87fb..631f47d42 100644 --- a/src/lib/protocols/quic.c +++ b/src/lib/protocols/quic.c @@ -97,9 +97,10 @@ static uint8_t get_u8_quic_ver(uint32_t version) /* IETF Draft versions */ if((version >> 8) == 0xff0000) return (uint8_t)version; - /* QUIC (final?) constants for v1 are defined in draft-33 */ + /* QUIC (final?) constants for v1 are defined in draft-33, but latest + draft version is -34 */ if (version == 0x00000001) { - return 33; + return 34; } if (version == V_MVFST_22) @@ -195,7 +196,7 @@ int is_version_with_v1_labels(uint32_t version) if(((version & 0xFFFFFF00) == 0x51303500) /* Q05X */ || ((version & 0xFFFFFF00) == 0x54303500)) /* T05X */ return 1; - return is_quic_ver_less_than(version, 33); + return is_quic_ver_less_than(version, 34); } int quic_len(const uint8_t *buf, uint64_t *value) @@ -912,7 +913,7 @@ static int quic_derive_initial_secrets(uint32_t version, err = hkdf_extract(GCRY_MD_SHA256, handshake_salt_draft_29, sizeof(handshake_salt_draft_29), cid, cid_len, secret); - } else if (is_quic_ver_less_than(version, 33)) { + } else if (is_quic_ver_less_than(version, 34)) { err = hkdf_extract(GCRY_MD_SHA256, handshake_salt_v1, sizeof(handshake_salt_v1), cid, cid_len, secret); diff --git a/tests/pcap/quic-34.pcap b/tests/pcap/quic-34.pcap Binary files differnew file mode 100644 index 000000000..42fab203b --- /dev/null +++ b/tests/pcap/quic-34.pcap diff --git a/tests/result/quic-34.pcap.out b/tests/result/quic-34.pcap.out new file mode 100644 index 000000000..eccd99027 --- /dev/null +++ b/tests/result/quic-34.pcap.out 
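Review bot: The literal 34 introduced by `return 34;` in get_u8_quic_ver is repeated in `is_quic_ver_less_than(version, 34)` in both is_version_with_v1_labels and quic_derive_initial_secrets, and all three sites must change together for version 1 traffic to keep the v1 labels and salt. A named constant used at all three sites would make that coupling explicit, for example `#define QUIC_V1_DRAFT_EQUIV 34 /* v1 is handled as draft-34 */` (the name is only a suggestion). If one site is missed in a later bump, the likely symptom is that Initial packets stop decrypting and the flow loses its ClientHello metadata, which is easy to overlook without a capture for that version. The function bodies extend beyond each hunk.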
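Review bot: In quic_derive_initial_secrets the branch `else if (is_quic_ver_less_than(version, 34))` must be taken for version 1, which get_u8_quic_ver now maps to 34, so the helper presumably compares inclusively despite its name; its definition is not part of this diff. If that is confirmed, a one-line comment at the branch would spare the next reader the lookup, e.g. `/* up to draft-34, and v1 (mapped to 34): v1 initial salt; bound is inclusive */`. The version comes from the packet header, and draft values above 34 pass through get_u8_quic_ver as the raw low byte. It is therefore worth confirming that the final branch of this chain, which lies outside the hunk, returns an error for unrecognised versions rather than deriving secrets with an unrelated salt.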
@@ -0,0 +1,13 @@ +Guessed flow protos: 0 + +DPI Packets (UDP): 1 (1.00 pkts/flow) +Confidence DPI : 1 (flows) + +QUIC 4 4836 1 + +JA3 Host Stats: + IP Address # JA3C + 1 192.168.56.1 1 + + + 1 UDP 192.168.56.1:55880 <-> 192.168.56.198:4443 [proto: 188/QUIC][Encrypted][Confidence: DPI][cat: Web/5][1 pkts/1294 bytes <-> 3 pkts/3542 bytes][Goodput ratio: 97/96][0.00 sec][ALPN: h3-34;hq-34;h3-33;hq-33;h3-32;hq-32;h3-31;hq-31;h3-29;hq-29;h3-30;hq-30;h3-28;hq-28;h3-27;hq-27;h3;hq-interop][TLS Supported Versions: TLSv1.3;TLSv1.3 (draft);TLSv1.3 (draft);TLSv1.3 (draft)][Risk: ** Known Protocol on Non Standard Port **** Missing SNI TLS Extension **][Risk Score: 100][TLSv1.3][JA3C: 0299b052ace53a14c3a04aceb5efd247][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,25,0,0] |