diff --git a/.gitignore b/.gitignore index e420459..af8de15 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,5 @@ build*/ src/inc src/lib64 cmake-build-*/ +.cache/ +.vscode/ diff --git a/src/quic_entry.cpp b/src/quic_entry.cpp index 5693c00..23114f9 100644 --- a/src/quic_entry.cpp +++ b/src/quic_entry.cpp @@ -149,7 +149,10 @@ void quic_free_context(const struct streaminfo *a_stream, int bridge_id, void *d { struct quic_context *context = (struct quic_context *)data; quic_free_client_hello(context->quic_info.client_hello, a_stream->threadnum); - + if(context->quic_buf.buffer) + { + dictator_free(a_stream->threadnum, context->quic_buf.buffer); + } dictator_free(a_stream->threadnum, data); } } diff --git a/src/quic_process.cpp b/src/quic_process.cpp index 3cd0352..b17b750 100644 --- a/src/quic_process.cpp +++ b/src/quic_process.cpp @@ -520,7 +520,7 @@ int parse_tls_client_hello(struct quic_client_hello **client_hello, const char * int parse_quic_decrypted_payload(struct quic_info *quic_info, const char * payload, int payload_len, int thread_seq) { - char join_payload[2048]={0}; + char join_payload[MAX_CLIENT_HELLO_CHUNK_SIZE]={}; int join_payload_len=sizeof(join_payload); unsigned int quic_version=quic_info->quic_version; @@ -767,9 +767,109 @@ enum QUIC_VERSION is_quic_protocol(const char *payload, int payload_len, int *pa return quic_version; } -unsigned char parse_quic_all_version(struct quic_info *quic_info, const char *payload, int payload_len, int thread_seq) +static void quic_chlo_chunk_assemble(struct quic_buffer *qbuf, unsigned char *new_payload, int new_len, int thread_seq) { - int ret=0, payload_offset=0; + if(NULL == new_payload || new_len <= 0){ + return; + } + if(NULL == qbuf->buffer){ + qbuf->buffer = (unsigned char *)dictator_malloc(thread_seq, MAX_CLIENT_HELLO_CHUNK_SIZE); + qbuf->max_size = MAX_CLIENT_HELLO_CHUNK_SIZE; + } + int max_copy_len = MIN((int)(qbuf->max_size - qbuf->datalen), new_len); + memcpy(qbuf->buffer + qbuf->datalen, new_payload, max_copy_len); + qbuf->datalen += max_copy_len; +} + +static int get_chlo_total_length(const unsigned char *payload, int payload_len) +{ + const struct quic_client_hello_msg_hdr *chlo_hdr=(const struct quic_client_hello_msg_hdr *)payload; + int chlo_len=0; + uint8_t *p = (uint8_t *)&chlo_len; + p[2] = chlo_hdr->client_hello_len[0]; + p[1] = chlo_hdr->client_hello_len[1]; + p[0] = chlo_hdr->client_hello_len[2]; + return chlo_len; +} +/* + 1: is chlo, and complete! + 0: is chlo, but fragment; + -1: not support +*/ +static int quic_chlo_is_complete(enum QUIC_VERSION quic_version, const unsigned char *payload, int payload_len) +{ + if(!( (quic_version>=MVFST_VERSION_00 && quic_version<=MVFST_VERSION_0F) || + (quic_version>=GQUIC_VERSION_T050 && quic_version<=GQUIC_VERSION_T059) || + (quic_version>=IQUIC_VERSION_I022 && quic_version<=IQUIC_VERSION_I029) || + (quic_version==IQUIC_VERSION_RFC9000))) + { + return -1; + } + + if((payload[0] != 0x06) && (payload[0] != 0x08)) + { + return -1; + } + int payload_offset = 0; + long frame_offset, frame_length; + payload_offset = 1; //skip frame type + payload_offset+=msb2_varint_decode(payload+payload_offset, &frame_offset); + payload_offset+=msb2_varint_decode(payload+payload_offset, &frame_length); + + if(payload[payload_offset] != QUIC_HANDSHAKE_TYPE_CLIENTHELLO) + { + return -1; + } + int expect_len = get_chlo_total_length(payload + payload_offset, payload_len-payload_offset); + if(payload_len-payload_offset >= expect_len){ + return 1; + } + return 0; +} + +static enum PARSE_RESULT quic_decrypting_payload(struct quic_context *qcontext, unsigned char *udp_payload, int udp_payload_len, int thread_seq) +{ + struct quic_buffer *qbuf = &qcontext->quic_buf; + unsigned char *quic_decrypted_payload; + int ret, quic_decrypted_payload_len; + quic_dpt_t *dpt = quic_deprotection_new(); + enum PARSE_RESULT parse_result = PARSE_RESULT_UNKNOWN; + + if(quic_deprotection(dpt, (const u_char *)udp_payload, udp_payload_len) < 0){ + goto err_exit; + } + + if(qbuf->datalen > 0){ //some fragment exist + quic_chlo_chunk_assemble(qbuf, dpt->payload.data, dpt->payload.len, thread_seq); + quic_decrypted_payload = qbuf->buffer; + quic_decrypted_payload_len = qbuf->datalen; + }else{ + quic_decrypted_payload = dpt->payload.data; + quic_decrypted_payload_len = dpt->payload.len; + } + + ret = quic_chlo_is_complete((enum QUIC_VERSION)qcontext->quic_info.quic_version, quic_decrypted_payload, quic_decrypted_payload_len); + if(0 == ret){ + if(NULL == qbuf->buffer || 0 == qbuf->datalen){ + quic_chlo_chunk_assemble(qbuf, dpt->payload.data, dpt->payload.len, thread_seq); + } + parse_result = PARSE_RESULT_VERSION; + goto fun_exit; + } + parse_result = (enum PARSE_RESULT)parse_quic_decrypted_payload(&qcontext->quic_info, (char *)quic_decrypted_payload, quic_decrypted_payload_len, thread_seq); + +fun_exit: + quic_deprotection_free(dpt); + return parse_result; + +err_exit: + quic_deprotection_free(dpt); + return PARSE_RESULT_VERSION; +} + +unsigned char parse_quic_all_version(struct quic_context *qcontext, const char *payload, int payload_len, int thread_seq) +{ + int payload_offset=0; enum QUIC_VERSION quic_version=QUIC_VERSION_UNKNOWN; if(payload==NULL || payload_len<=0) @@ -783,13 +883,13 @@ unsigned char parse_quic_all_version(struct quic_info *quic_info, const char *pa return PARSE_RESULT_UNKNOWN; } - quic_info->quic_version=quic_version; + qcontext->quic_info.quic_version=quic_version; if(quic_version>=GQUIC_VERSION_Q001 && quic_version<=GQUIC_VERSION_Q048) { if(payload_len > payload_offset) { - return parse_quic_uncryption_payload(quic_info, payload+payload_offset, payload_len-payload_offset, thread_seq); + return parse_quic_uncryption_payload(&qcontext->quic_info, payload+payload_offset, payload_len-payload_offset, thread_seq); } return PARSE_RESULT_VERSION; } @@ -802,6 +902,7 @@ unsigned char parse_quic_all_version(struct quic_info *quic_info, const char *pa && g_quic_param.decrypted_switch>0 ) { +#if 0 quic_dpt_t *dpt = quic_deprotection_new(); if (quic_deprotection(dpt, (const u_char *)payload, payload_len) != 0) { @@ -816,6 +917,9 @@ unsigned char parse_quic_all_version(struct quic_info *quic_info, const char *pa return ret; } quic_deprotection_free(dpt); +#else + return quic_decrypting_payload(qcontext, (unsigned char *)payload, payload_len, thread_seq); +#endif } else { @@ -844,7 +948,7 @@ unsigned char quic_analyze_entry(const struct streaminfo *pstream, struct quic_c parse_result=PARSE_RESULT_PAYLOAD; break; case PARSE_RESULT_VERSION: - parse_result=parse_quic_all_version(&(context->quic_info), (const char *)udp_detail->pdata, udp_detail->datalen, thread_seq); + parse_result=parse_quic_all_version(context, (const char *)udp_detail->pdata, udp_detail->datalen, thread_seq); if(parse_result==PARSE_RESULT_VERSION || parse_result==PARSE_RESULT_UNKNOWN) { parse_result=PARSE_RESULT_PAYLOAD; @@ -872,7 +976,7 @@ unsigned char quic_analyze_entry(const struct streaminfo *pstream, struct quic_c parse_result=PARSE_RESULT_PAYLOAD; break; } - parse_result=parse_quic_all_version(&(context->quic_info), (const char *)udp_detail->pdata, udp_detail->datalen, thread_seq); + parse_result=parse_quic_all_version(context, (const char *)udp_detail->pdata, udp_detail->datalen, thread_seq); break; } @@ -904,15 +1008,15 @@ struct quic_info *quic_protocol_identify(const struct streaminfo *a_stream) return NULL; } - struct quic_info tmp_quic_info={0, NULL}; + struct quic_context tmp_qcontext = {}; unsigned char parse_result=APP_STATE_GIVEME; - parse_result=parse_quic_all_version(&tmp_quic_info, (const char *)a_stream->pudpdetail->pdata, a_stream->pudpdetail->datalen, a_stream->threadnum); + parse_result=parse_quic_all_version(&tmp_qcontext, (const char *)a_stream->pudpdetail->pdata, a_stream->pudpdetail->datalen, a_stream->threadnum); if(parse_result!=PARSE_RESULT_UNKNOWN) { struct quic_context *context=(struct quic_context *)dictator_malloc(a_stream->threadnum, sizeof(struct quic_context)); memset(context, 0, sizeof(struct quic_context)); - context->quic_info=tmp_quic_info; + context->quic_info=tmp_qcontext.quic_info; context->parse_first_pkt=1; context->pre_parse_state=PARSE_RESULT_UNKNOWN; diff --git a/src/quic_process.h b/src/quic_process.h index c0583c6..e6e1baf 100644 --- a/src/quic_process.h +++ b/src/quic_process.h @@ -279,6 +279,14 @@ enum QUIC_VERSION IQUIC_VERSION_I032=0xFF000020 }; +#define MAX_CLIENT_HELLO_CHUNK_SIZE (4096) +struct quic_buffer +{ + unsigned char *buffer; + size_t max_size; + size_t datalen; +}; + struct quic_context { unsigned char link_state; @@ -288,6 +296,7 @@ struct quic_context unsigned char padding[4]; void *business_pme; struct quic_info quic_info; + struct quic_buffer quic_buf; // for client hello fragment }; unsigned char quic_analyze_entry(const struct streaminfo *pstream, struct quic_context* context, int thread_seq, const void* a_packet); diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index fe765b6..bc786db 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt @@ -59,3 +59,4 @@ add_test(NAME QUIC_RFC9000_FRAGMENT COMMAND proto_test_main ${CMAKE_CURRENT_SOUR add_test(NAME QUIC_RFC9000_SPECIAL COMMAND proto_test_main ${CMAKE_CURRENT_SOURCE_DIR}/pcap/rfc9000-special/${lib_name}_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/pcap/rfc9000-special/ -name *.pcap|sort -V" WORKING_DIRECTORY ${PROTO_TEST_RUN_DIR}) add_test(NAME QUIC_AIRPORT COMMAND proto_test_main ${CMAKE_CURRENT_SOURCE_DIR}/pcap/airport/${lib_name}_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/pcap/airport -name *.pcap|sort -V" WORKING_DIRECTORY ${PROTO_TEST_RUN_DIR}) add_test(NAME QUIC_SPECIAL COMMAND proto_test_main ${CMAKE_CURRENT_SOURCE_DIR}/pcap/special/${lib_name}_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/pcap/special/ -name *.pcap|sort -V" WORKING_DIRECTORY ${PROTO_TEST_RUN_DIR}) +add_test(NAME QUIC_CHLO_FRAGMENT COMMAND proto_test_main ${CMAKE_CURRENT_SOURCE_DIR}/pcap/rfc9000-chlo-fragment/${lib_name}_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/pcap/rfc9000-chlo-fragment/ -name *.pcap|sort -V" WORKING_DIRECTORY ${PROTO_TEST_RUN_DIR}) diff --git a/test/pcap/rfc9000-chlo-fragment/1-google-chlo-fragment-2.pcap b/test/pcap/rfc9000-chlo-fragment/1-google-chlo-fragment-2.pcap new file mode 100644 index 0000000..c9115fe Binary files /dev/null and b/test/pcap/rfc9000-chlo-fragment/1-google-chlo-fragment-2.pcap differ diff --git a/test/pcap/rfc9000-chlo-fragment/2-google-chlo-fragment-3.pcap b/test/pcap/rfc9000-chlo-fragment/2-google-chlo-fragment-3.pcap new file mode 100644 index 0000000..80ea303 Binary files /dev/null and b/test/pcap/rfc9000-chlo-fragment/2-google-chlo-fragment-3.pcap differ diff --git a/test/pcap/rfc9000-chlo-fragment/3-facebook-chlo-fragment-2.pcap b/test/pcap/rfc9000-chlo-fragment/3-facebook-chlo-fragment-2.pcap new file mode 100644 index 0000000..afde2ee Binary files /dev/null and b/test/pcap/rfc9000-chlo-fragment/3-facebook-chlo-fragment-2.pcap differ diff --git a/test/pcap/rfc9000-chlo-fragment/4-googleapis.com-chlo-fragment-3.pcap b/test/pcap/rfc9000-chlo-fragment/4-googleapis.com-chlo-fragment-3.pcap new file mode 100644 index 0000000..1dd5354 Binary files /dev/null and b/test/pcap/rfc9000-chlo-fragment/4-googleapis.com-chlo-fragment-3.pcap differ diff --git a/test/pcap/rfc9000-chlo-fragment/5-google_quic-2.pcap b/test/pcap/rfc9000-chlo-fragment/5-google_quic-2.pcap new file mode 100644 index 0000000..98b4cb2 Binary files /dev/null and b/test/pcap/rfc9000-chlo-fragment/5-google_quic-2.pcap differ diff --git a/test/pcap/rfc9000-chlo-fragment/quic_result.json b/test/pcap/rfc9000-chlo-fragment/quic_result.json new file mode 100644 index 0000000..e64e872 --- /dev/null +++ b/test/pcap/rfc9000-chlo-fragment/quic_result.json @@ -0,0 +1,32 @@ +[ + { + "Tuple4": "2607:5d00:2:2::38:2.53977>2404:6800:4005:807::2004.443", + "VERSION": "IETF QUIC RFC9000", + "SNI": "www.google.com", + "name": "QUIC_RESULT_1" + }, + { + "Tuple4": "2607:5d00:2:2::38:2.50835>2404:6800:4005:80d::2003.443", + "VERSION": "IETF QUIC RFC9000", + "SNI": "www.google.com.hk", + "name": "QUIC_RESULT_2" + }, + { + "Tuple4": "192.168.64.25.61166>157.240.245.35.443", + "VERSION": "IETF QUIC RFC9000", + "SNI": "www.facebook.com", + "name": "QUIC_RESULT_3" + }, + { + "Tuple4": "2607:5d00:2:2::38:2.54817>2404:6800:4005:80c::200a.443", + "VERSION": "IETF QUIC RFC9000", + "SNI": "optimizationguide-pa.googleapis.com", + "name": "QUIC_RESULT_4" + }, + { + "Tuple4": "192.168.54.157.60388>142.250.71.164.443", + "VERSION": "IETF QUIC RFC9000", + "SNI": "www.google.com", + "name": "QUIC_RESULT_5" + } +] \ No newline at end of file