author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2022-03-25 10:16:30 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-03-25 10:16:30 +0100 |
commit | aeb5f1f947a25c17c062f33e7f224f021fafe539 (patch) | |
tree | cf2726d8cf36b6179a11a879bc037f4ae5dab331 | |
parent | af1d20bca1f6b594f1c2f8eee99df12c08a7e640 (diff) |
QUIC: add support for version 2 draft 01 (#1493)
Support for v2-00 has been removed (it has never been used in real
networks and it is incompatible with v2-01).
Chrome already supports v2-01 in latest versions in Chrome Beta channel.
-rw-r--r-- | src/lib/protocols/quic.c | 22 | ||||
-rw-r--r-- | tests/pcap/quic-v2-00.pcapng | bin | 50416 -> 0 bytes | |||
-rw-r--r-- | tests/pcap/quic-v2-01.pcapng | bin | 0 -> 1346244 bytes | |||
-rw-r--r-- | tests/result/quic-v2-00.pcapng.out | 13 | ||||
-rw-r--r-- | tests/result/quic-v2-01.pcapng.out | 13 |
5 files changed, 29 insertions, 19 deletions
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index cd9f00f9c..a33388e98 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -83,7 +83,7 @@ static int is_version_quic(uint32_t version)
 ((version & 0xFFFFFF00) == 0xFF000000) /* IETF Drafts*/ ||
 ((version & 0xFFFFF000) == 0xfaceb000) /* Facebook */ ||
 ((version & 0x0F0F0F0F) == 0x0a0a0a0a) /* Forcing Version Negotiation */ ||
- ((version & 0xFFFFFF00) == 0xFF020000) /* V2 IETF Drafts */;
+ (version == 0x709A50C4); /* V2 IETF Drafts */
 }
 static int is_version_valid(uint32_t version)
 {
@@ -115,9 +115,9 @@ static uint8_t get_u8_quic_ver(uint32_t version)
 return 29;
 /* QUIC Version 2 */
- /* For the time being use 100 + draft as a number for V2 */
- if ((version >> 8) == 0xff0200)
- return 100 + (uint8_t)version;
+ /* For the time being use 100 as a number for V2 and let see how v2 drafts evolve */
+ if (version == 0x709A50C4)
+ return 100;
 return 0;
 }
@@ -188,13 +188,17 @@ int is_version_with_ietf_long_header(uint32_t version)
 ((version & 0xFFFFFF00) == 0x51303500) /* Q05X */ ||
 ((version & 0xFFFFFF00) == 0x54303500) /* T05X */;
 }
-int is_version_with_v1_labels(uint32_t version)
+static int is_version_with_v1_labels(uint32_t version)
 {
 if(((version & 0xFFFFFF00) == 0x51303500) /* Q05X */ ||
 ((version & 0xFFFFFF00) == 0x54303500)) /* T05X */
 return 1;
 return is_quic_ver_less_than(version, 34);
 }
+static int is_version_quic_v2(uint32_t version)
+{
+ return version == 0x709A50C4;
+}
 int quic_len(const uint8_t *buf, uint64_t *value)
 {
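Review bot: The draft-01 version number `0x709A50C4` is written as a bare literal in is_version_quic in the first hunk of src/lib/protocols/quic.c, and again in get_u8_quic_ver (second hunk) and in the new is_version_quic_v2 (third hunk), while the last hunk of the file refers to other versions by name (`V_Q046`, `V_Q050`). A single named constant used in all three places, for example `#define V_2_DRAFT_01 0x709A50C4` (the name is only a suggestion), would stop the three checks from drifting apart when a later draft changes the number; a version accepted by one check and missed by another would be classified inconsistently. The trailing comment could also read `/* V2 IETF draft-01 only */`, because the removed mask matched a range of drafts and the new test matches exactly one value. is_version_quic_v2 is defined after its two would-be callers, so reusing it there would need a forward declaration.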
@@ -1430,11 +1434,17 @@ static int may_be_initial_pkt(struct ndpi_detection_module_struct *ndpi_struct,
 NDPI_LOG_DBG(ndpi_struct, "Q46 invalid flag 0x%x\n", first_byte);
 return 0;
 }
- if((is_version_quic(*version) || (*version == V_Q046) || (*version == V_Q050)) &&
+ if(((is_version_quic(*version) && !is_version_quic_v2(*version)) ||
+ (*version == V_Q046) || (*version == V_Q050)) &&
 (pub_bit3 != 0 || pub_bit4 != 0)) {
 NDPI_LOG_DBG2(ndpi_struct, "Version 0x%x not Initial Packet\n", *version);
 return 0;
 }
+ if(is_version_quic_v2(*version) &&
+ (pub_bit3 != 0 || pub_bit4 != 1)) {
+ NDPI_LOG_DBG2(ndpi_struct, "Version 0x%x not Initial Packet\n", *version);
+ return 0;
+ }
 /* Forcing Version Negotiation packets are QUIC Initial Packets (i.e. Long Header). It should also be quite rare that a client sends this kind
diff --git a/tests/pcap/quic-v2-00.pcapng b/tests/pcap/quic-v2-00.pcapng
Binary files differdeleted file mode 100644
index 146d3c935..000000000
--- a/tests/pcap/quic-v2-00.pcapng
+++ /dev/null
diff --git a/tests/pcap/quic-v2-01.pcapng b/tests/pcap/quic-v2-01.pcapng
Binary files differnew file mode 100644
index 000000000..b3394b56b
--- /dev/null
+++ b/tests/pcap/quic-v2-01.pcapng
diff --git a/tests/result/quic-v2-00.pcapng.out b/tests/result/quic-v2-00.pcapng.out
deleted file mode 100644
index bafc46d67..000000000
--- a/tests/result/quic-v2-00.pcapng.out
+++ /dev/null
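Review bot: The added v2 branch in may_be_initial_pkt (src/lib/protocols/quic.c) tests `pub_bit4 != 1`, which is only correct if pub_bit4 was normalised to 0 or 1 where it is assigned. That assignment is outside this hunk and should be confirmed, because if it holds the raw masked bit the branch would reject every v2 Initial packet and the flow would go unclassified. The two rejection paths also log the identical text, so the second could say which rule fired, e.g. `"Version 0x%x (v2) not Initial Packet\n"`. A comment above the new block such as `/* v2 draft-01 encodes the Initial long-header type as 0b01; v1 uses 0b00 */` would explain why the expected bits differ. The function body starts and ends outside the hunk.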
@@ -1,13 +0,0 @@ -Guessed flow protos: 0 - -DPI Packets (UDP): 1 (1.00 pkts/flow) -Confidence DPI : 1 (flows) - -QUIC 30 27593 1 - -JA3 Host Stats: - IP Address # JA3C - 1 192.168.56.1 1 - - - 1 UDP 192.168.56.1:50277 <-> 192.168.56.198:4443 [proto: 188/QUIC][Encrypted][Confidence: DPI][cat: Web/5][11 pkts/5450 bytes <-> 19 pkts/22143 bytes][Goodput ratio: 92/96][0.01 sec][ALPN: h3-34;hq-34;h3-33;hq-33;h3-32;hq-32;h3-31;hq-31;h3-29;hq-29;h3-30;hq-30;h3-28;hq-28;h3-27;hq-27;h3;hq-interop][TLS Supported Versions: TLSv1.3;TLSv1.3 (draft);TLSv1.3 (draft);TLSv1.3 (draft)][bytes ratio: -0.605 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 3/2 1/1][Pkt Len c2s/s2c min/avg/max/stddev: 97/97 495/1165 1482/1482 539/528][Risk: ** Known Protocol on Non Standard Port **** Missing SNI TLS Extension **][Risk Score: 100][TLSv1.3][JA3C: 0299b052ace53a14c3a04aceb5efd247][PLAIN TEXT (anezfN)][Plen Bins: 0,23,3,0,0,6,0,0,0,0,0,0,3,3,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,47,0,0] diff --git a/tests/result/quic-v2-01.pcapng.out b/tests/result/quic-v2-01.pcapng.out new file mode 100644 index 000000000..dc31ec5a9 --- /dev/null +++ b/tests/result/quic-v2-01.pcapng.out 
@@ -0,0 +1,13 @@ +Guessed flow protos: 0 + +DPI Packets (UDP): 1 (1.00 pkts/flow) +Confidence DPI : 1 (flows) + +QUIC 923 1311986 1 + +JA3 Host Stats: + IP Address # JA3C + 1 192.168.56.1 1 + + + 1 UDP 192.168.56.1:34229 <-> 192.168.56.198:4443 [proto: 188/QUIC][Encrypted][Confidence: DPI][cat: Web/5][34 pkts/6729 bytes <-> 889 pkts/1305257 bytes][Goodput ratio: 79/97][0.02 sec][ALPN: h3-34;hq-34;h3-33;hq-33;h3-32;hq-32;h3-31;hq-31;h3-29;hq-29;h3-30;hq-30;h3-28;hq-28;h3-27;hq-27;h3;hq-interop][TLS Supported Versions: TLSv1.3;TLSv1.3 (draft);TLSv1.3 (draft);TLSv1.3 (draft)][bytes ratio: -0.990 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 2/0 1/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/73 198/1468 1482/1482 306/131][Risk: ** Known Protocol on Non Standard Port **** Missing SNI TLS Extension **][Risk Score: 100][TLSv1.3][JA3C: c0ce40fbb78cbf86a14e6a38b26d6ede][PLAIN TEXT (V/vUIx)][Plen Bins: 0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,94,0,0] |