authorNardi Ivan <nardi.ivan@gmail.com>2023-06-01 08:05:41 +0200
committerIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2023-06-08 17:07:25 +0200
commitfd4cb10190f00ab4a114c26c95f7fe6e1cb5056b (patch)
tree5da8e91bce75ece26f099d0feee4577449bcd4ea
parent9987e5b4822cb55d597eb4bbe3c199df99d453b9 (diff)
QUIC: add support for QUIC version 2
See: https://www.rfc-editor.org/rfc/rfc9369.txt The old v2-01 version has been removed, since it was never really used.
-rw-r--r--src/lib/protocols/quic.c17
-rw-r--r--tests/cfgs/default/pcap/quic-v2-01.pcapngbin10844 -> 0 bytes
-rw-r--r--tests/cfgs/default/pcap/quic-v2.pcapngbin0 -> 24800 bytes
-rw-r--r--tests/cfgs/default/result/quic-v2-01.pcapng.out30
-rw-r--r--tests/cfgs/default/result/quic-v2.pcapng.out30
5 files changed, 39 insertions, 38 deletions
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index c095550ab..2c6fd45cb 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -38,8 +38,9 @@
* https://groups.google.com/a/chromium.org/g/proto-quic/c/OAVgFqw2fko/m/jCbjP0AVAAAJ
* https://groups.google.com/a/chromium.org/g/proto-quic/c/OAVgFqw2fko/m/-NYxlh88AgAJ
* https://docs.google.com/document/d/1FcpCJGTDEMblAs-Bm5TYuqhHyUqeWpqrItw2vkMFsdY/edit
- * https://tools.ietf.org/html/draft-ietf-quic-tls-29
- * https://tools.ietf.org/html/draft-ietf-quic-transport-29
+ * https://www.rfc-editor.org/rfc/rfc9001.txt [Using TLS over QUIC]
+ * https://www.rfc-editor.org/rfc/rfc9000.txt [v1]
+ * https://www.rfc-editor.org/rfc/rfc9369.txt [v2]
*/
extern int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
@@ -50,6 +51,7 @@ extern int http_process_user_agent(struct ndpi_detection_module_struct *ndpi_str
extern int is_valid_rtp_payload_type(uint8_t type);
/* Versions */
+#define V_2 0x6b3343cf
#define V_1 0x00000001
#define V_Q024 0x51303234
#define V_Q025 0x51303235
@@ -84,7 +86,7 @@ static int is_version_quic(uint32_t version)
((version & 0xFFFFFF00) == 0xFF000000) /* IETF Drafts*/ ||
((version & 0xFFFFF000) == 0xfaceb000) /* Facebook */ ||
((version & 0x0F0F0F0F) == 0x0a0a0a0a) /* Forcing Version Negotiation */ ||
- (version == 0x709A50C4); /* V2 IETF Drafts */
+ (version == V_2);
}
static int is_version_valid(uint32_t version)
{
@@ -116,8 +118,7 @@ static uint8_t get_u8_quic_ver(uint32_t version)
return 29;
/* QUIC Version 2 */
- /* For the time being use 100 as a number for V2 and let see how v2 drafts evolve */
- if (version == 0x709A50C4)
+ if (version == V_2)
return 100;
return 0;
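Review bot: The `return 100;` for `V_2` in get_u8_quic_ver is left as an unexplained magic value, because the only comment that said why 100 was chosen is deleted in this hunk. I would keep a one-line rationale, for example `/* QUIC Version 2 (RFC 9369): 100 is an internal marker, not a draft number */`. Presumably callers compare this return value against draft numbers such as 29, in which case the ordering of 100 above every draft matters and should be stated; that is not visible here. The function starts before the hunk.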
@@ -198,7 +199,7 @@ static int is_version_with_v1_labels(uint32_t version)
}
static int is_version_quic_v2(uint32_t version)
{
- return version == 0x709A50C4;
+ return version == V_2;
}
int quic_len(const uint8_t *buf, uint64_t *value)
@@ -876,8 +877,8 @@ static int quic_derive_initial_secrets(struct ndpi_detection_module_struct *ndpi
0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a
};
static const uint8_t handshake_salt_v2_draft_00[20] = {
- 0xa7, 0x07, 0xc2, 0x03, 0xa5, 0x9b, 0x47, 0x18, 0x4a, 0x1d,
- 0x62, 0xca, 0x57, 0x04, 0x06, 0xea, 0x7a, 0xe3, 0xe5, 0xd3
+ 0x0d, 0xed, 0xe3, 0xde, 0xf7, 0x00, 0xa6, 0xdb, 0x81, 0x93,
+ 0x81, 0xbe, 0x6e, 0x26, 0x9d, 0xcb, 0xf9, 0xbd, 0x2e, 0xd9
};
gcry_error_t err;
uint8_t secret[HASH_SHA2_256_LENGTH];
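Review bot: The array keeps the name `handshake_salt_v2_draft_00` although its bytes are now swapped for the salt of the final v2, which misleads anyone auditing the key derivation against RFC 9369. I would rename it to `handshake_salt_v2` (together with its use further down in quic_derive_initial_secrets, outside this hunk) and put `/* Initial salt for QUIC v2, RFC 9369 */` above it. RFC 9369 also changes the HKDF labels and the long-header packet type encoding, so the salt alone does not make Initial decryption correct. Those paths are not in this diff, so it is worth confirming they are selected by `is_version_quic_v2()` for `V_2`.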
diff --git a/tests/cfgs/default/pcap/quic-v2-01.pcapng b/tests/cfgs/default/pcap/quic-v2-01.pcapng
deleted file mode 100644
index 583986db7..000000000
--- a/tests/cfgs/default/pcap/quic-v2-01.pcapng
+++ /dev/null
Binary files differ
diff --git a/tests/cfgs/default/pcap/quic-v2.pcapng b/tests/cfgs/default/pcap/quic-v2.pcapng
new file mode 100644
index 000000000..bb472a44e
--- /dev/null
+++ b/tests/cfgs/default/pcap/quic-v2.pcapng
Binary files differ
diff --git a/tests/cfgs/default/result/quic-v2-01.pcapng.out b/tests/cfgs/default/result/quic-v2-01.pcapng.out
deleted file mode 100644
index 665824df3..000000000
--- a/tests/cfgs/default/result/quic-v2-01.pcapng.out
+++ /dev/null
@@ -1,30 +0,0 @@
-Guessed flow protos: 0
-
-DPI Packets (UDP): 1 (1.00 pkts/flow)
-Confidence DPI : 1 (flows)
-Num dissector calls: 61 (61.00 diss/flow)
-LRU cache ookla: 0/0/0 (insert/search/found)
-LRU cache bittorrent: 0/0/0 (insert/search/found)
-LRU cache zoom: 0/0/0 (insert/search/found)
-LRU cache stun: 0/0/0 (insert/search/found)
-LRU cache tls_cert: 0/0/0 (insert/search/found)
-LRU cache mining: 0/0/0 (insert/search/found)
-LRU cache msteams: 0/0/0 (insert/search/found)
-LRU cache stun_zoom: 0/0/0 (insert/search/found)
-Automa host: 0/0 (search/found)
-Automa domain: 0/0 (search/found)
-Automa tls cert: 0/0 (search/found)
-Automa risk mask: 0/0 (search/found)
-Automa common alpns: 18/18 (search/found)
-Patricia risk mask: 2/0 (search/found)
-Patricia risk: 0/0 (search/found)
-Patricia protocols: 2/0 (search/found)
-
-QUIC 10 7663 1
-
-JA3 Host Stats:
- IP Address # JA3C
- 1 192.168.56.1 1
-
-
- 1 UDP 192.168.56.1:34229 <-> 192.168.56.198:4443 [proto: 188/QUIC][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: Web/5][5 pkts/3543 bytes <-> 5 pkts/4120 bytes][Goodput ratio: 94/95][0.00 sec][(Advertised) ALPNs: h3-34;hq-34;h3-33;hq-33;h3-32;hq-32;h3-31;hq-31;h3-29;hq-29;h3-30;hq-30;h3-28;hq-28;h3-27;hq-27;h3;hq-interop][TLS Supported Versions: TLSv1.3;TLSv1.3 (draft);TLSv1.3 (draft);TLSv1.3 (draft)][bytes ratio: -0.075 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 2/0 1/0][Pkt Len c2s/s2c min/avg/max/stddev: 97/97 709/824 1482/1482 569/511][Risk: ** Known Proto on Non Std Port **** Missing SNI TLS Extn **][Risk Score: 100][Risk Info: No server to client traffic][TLSv1.3][JA3C: c0ce40fbb78cbf86a14e6a38b26d6ede][Plen Bins: 0,20,0,0,0,10,0,0,0,0,0,0,10,10,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,20,0,0]
diff --git a/tests/cfgs/default/result/quic-v2.pcapng.out b/tests/cfgs/default/result/quic-v2.pcapng.out
new file mode 100644
index 000000000..5a25039f8
--- /dev/null
+++ b/tests/cfgs/default/result/quic-v2.pcapng.out
@@ -0,0 +1,30 @@
+Guessed flow protos: 0
+
+DPI Packets (UDP): 1 (1.00 pkts/flow)
+Confidence DPI : 1 (flows)
+Num dissector calls: 59 (59.00 diss/flow)
+LRU cache ookla: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache zoom: 0/0/0 (insert/search/found)
+LRU cache stun: 0/0/0 (insert/search/found)
+LRU cache tls_cert: 0/0/0 (insert/search/found)
+LRU cache mining: 0/0/0 (insert/search/found)
+LRU cache msteams: 0/0/0 (insert/search/found)
+LRU cache stun_zoom: 0/0/0 (insert/search/found)
+Automa host: 1/0 (search/found)
+Automa domain: 1/0 (search/found)
+Automa tls cert: 0/0 (search/found)
+Automa risk mask: 1/0 (search/found)
+Automa common alpns: 1/1 (search/found)
+Patricia risk mask: 0/0 (search/found)
+Patricia risk: 0/0 (search/found)
+Patricia protocols: 0/0 (search/found)
+
+QUIC 19 12970 1
+
+JA3 Host Stats:
+ IP Address # JA3C
+ 1 ::1 1
+
+
+ 1 UDP [::1]:42086 <-> [::1]:4443 [proto: 188/QUIC][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: Web/5][8 pkts/2734 bytes <-> 11 pkts/10236 bytes][Goodput ratio: 81/93][0.54 sec][Hostname/SNI: test][(Advertised) ALPNs: h3][TLS Supported Versions: TLSv1.3][bytes ratio: -0.578 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 90/44 251/100 114/43][Pkt Len c2s/s2c min/avg/max/stddev: 119/119 342/931 1296/2098 370/669][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][TLSv1.3][JA3C: 5e685944fc983af5eabcc813add3dca1][Plen Bins: 0,26,0,0,5,15,0,0,0,5,0,0,0,10,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,21,0,5]