1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
|
/*
* wireguard.c
*
* Copyright (C) 2019 - ntop.org
* Copyright (C) 2019 - Yağmur Oymak
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* nDPI is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with nDPI. If not, see <http://www.gnu.org/licenses/>.
*
*/
#include "ndpi_protocol_ids.h"
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_WIREGUARD
#include "ndpi_api.h"
/*
* TODO: Detection mechanism can be improved by taking the properties
* of specific message types into account. For example:
* - Handshake messages have a fixed size.
* - Counter field is an integer that is incremented with each packet.
* - Receiver/sender index fields.
* etc. (https://lists.zx2c4.com/pipermail/wireguard/2016-July/000185.html)
* Exploiting these properties may reduce the probability of false positives;
* with the tradeoff of requiring the inspection of multiple packets.
*
* Current approach identifies the protocol with a single packet and
* does not yield false positives in any of the existing tests.
*/
/*
* See https://www.wireguard.com/protocol/ for protocol reference.
*/
void ndpi_search_wireguard(struct ndpi_detection_module_struct
*ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
const u_int8_t *payload = packet->payload;
/*
* The first byte of the payload is the message type.
*/
u_int8_t message_type = payload[0];
NDPI_LOG_DBG(ndpi_struct, "search WireGuard\n");
/*
* A transport packet contains at minimum the following fields:
* u8 message_type
* u8 reserved_zero[3]
* u32 receiver_index
* u64 counter
* u8 encrypted_encapsulated_packet[]
* In the case of a keepalive message, the encapsulated packet will have
* zero length, but will still have a 16 byte poly1305 authentication tag.
* Thus, packet->payload will be at least 32 bytes in size.
* Note that handshake packets have a slightly different structure, but they are larger.
*/
if (packet->payload_packet_len < 32) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
/*
* The next three bytes after the message type are reserved and set to zero.
*/
if (payload[1] != 0 || payload[2] != 0 || payload[3] != 0) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
/*
* Message type can have one of the following values:
* 1) Handshake Initiation
* 2) Handshake Response
* 3) Cookie Reply
* 4) Transport Data
*/
if (message_type == 0 || message_type > 4) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WIREGUARD, NDPI_PROTOCOL_UNKNOWN);
return;
}
void init_wireguard_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
ndpi_set_bitmask_protocol_detection("WireGuard", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_WIREGUARD,
ndpi_search_wireguard,
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
*id += 1;
}
|