From 8bcf6783a5bca2cc9198403c2b75962cedd549a0 Mon Sep 17 00:00:00 2001 From: Nardi Ivan Date: Sun, 6 Sep 2020 21:14:30 +0200 Subject: TLS: add missing parameters in quic_transport_parameters extension These parameters are used by latest GQUIC versions. Pcap examples are available in #16825 I noticed that gquic::dissect_gquic_tag() and gquic::dissect_gquic_tags() don't really need the gquic_info parameter: remove it --- epan/dissectors/packet-gquic.c | 16 +++++------ epan/dissectors/packet-quic.h | 2 ++ epan/dissectors/packet-tls-utils.c | 55 +++++++++++++++++++++++++++++++++++- epan/dissectors/packet-tls-utils.h | 58 +++++++++++++++++++++++++++++++++++++- 4 files changed, 121 insertions(+), 10 deletions(-) diff --git a/epan/dissectors/packet-gquic.c b/epan/dissectors/packet-gquic.c index 1764223df8..d75a10d277 100644 --- a/epan/dissectors/packet-gquic.c +++ b/epan/dissectors/packet-gquic.c @@ -1349,7 +1349,7 @@ gboolean is_gquic_unencrypt(tvbuff_t *tvb, packet_info *pinfo, guint offset, gui } static guint32 -dissect_gquic_tag(tvbuff_t *tvb, packet_info *pinfo, proto_tree *gquic_tree, guint offset, guint32 tag_number, gquic_info_data_t *gquic_info){ +dissect_gquic_tag(tvbuff_t *tvb, packet_info *pinfo, proto_tree *gquic_tree, guint offset, guint32 tag_number){ guint32 tag_offset_start = offset + tag_number*4*2; guint32 tag_offset = 0, total_tag_len = 0; gint32 tag_len; @@ -1438,7 +1438,7 @@ dissect_gquic_tag(tvbuff_t *tvb, packet_info *pinfo, proto_tree *gquic_tree, gui scfg_tag_number = tvb_get_guint32(tvb, tag_offset_start + tag_offset, ENC_LITTLE_ENDIAN); tag_offset += 4; - dissect_gquic_tag(tvb, pinfo, tag_tree, tag_offset_start + tag_offset, scfg_tag_number, gquic_info); + dissect_gquic_tag(tvb, pinfo, tag_tree, tag_offset_start + tag_offset, scfg_tag_number); tag_offset += tag_len - 4 - 4; } break; @@ -1638,8 +1638,8 @@ dissect_gquic_tag(tvbuff_t *tvb, packet_info *pinfo, proto_tree *gquic_tree, gui } -static guint32 -dissect_gquic_tags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *ft_tree, guint offset, gquic_info_data_t *gquic_info){ +guint32 +dissect_gquic_tags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *ft_tree, guint offset){ guint32 tag_number; proto_tree_add_item(ft_tree, hf_gquic_tag_number, tvb, offset, 2, ENC_LITTLE_ENDIAN); @@ -1649,7 +1649,7 @@ dissect_gquic_tags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *ft_tree, guint proto_tree_add_item(ft_tree, hf_gquic_padding, tvb, offset, 2, ENC_NA); offset += 2; - offset = dissect_gquic_tag(tvb, pinfo, ft_tree, offset, tag_number, gquic_info); + offset = dissect_gquic_tag(tvb, pinfo, ft_tree, offset, tag_number); return offset; } @@ -1794,7 +1794,7 @@ dissect_gquic_frame_type(tvbuff_t *tvb, packet_info *pinfo, proto_tree *gquic_tr col_add_fstr(pinfo->cinfo, COL_INFO, "%s", val_to_str(message_tag, message_tag_vals, "Unknown")); offset += 4; - offset = dissect_gquic_tags(tvb, pinfo, ft_tree, offset, gquic_info); + offset = dissect_gquic_tags(tvb, pinfo, ft_tree, offset); } else { /* T050 and T051 */ tvbuff_t *next_tvb = tvb_new_subset_length(tvb, offset, (int)crypto_length); col_set_writable(pinfo->cinfo, -1, FALSE); @@ -1845,7 +1845,7 @@ dissect_gquic_frame_type(tvbuff_t *tvb, packet_info *pinfo, proto_tree *gquic_tr col_add_fstr(pinfo->cinfo, COL_INFO, "%s", val_to_str(message_tag, message_tag_vals, "Unknown")); offset += 4; - offset = dissect_gquic_tags(tvb, pinfo, ft_tree, offset, gquic_info); + offset = dissect_gquic_tags(tvb, pinfo, ft_tree, offset); break; } case 3: { /* Reserved H2 HEADERS (or PUSH_PROMISE..) */ @@ -2165,7 +2165,7 @@ dissect_gquic_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_tree_add_item(gquic_tree, hf_gquic_padding, tvb, offset, 2, ENC_NA); offset += 2; - offset = dissect_gquic_tag(tvb, pinfo, gquic_tree, offset, tag_number, gquic_info); + offset = dissect_gquic_tag(tvb, pinfo, gquic_tree, offset, tag_number); col_add_fstr(pinfo->cinfo, COL_INFO, "Public Reset, CID: %" G_GINT64_MODIFIER "u", cid); diff --git a/epan/dissectors/packet-quic.h b/epan/dissectors/packet-quic.h index 5bb3074b58..530f1d4c00 100644 --- a/epan/dissectors/packet-quic.h +++ b/epan/dissectors/packet-quic.h @@ -59,6 +59,8 @@ typedef struct gquic_info_data { int dissect_gquic_frame_type(tvbuff_t *tvb, packet_info *pinfo, proto_tree *gquic_tree, guint offset, guint8 len_pkn, gquic_info_data_t *gquic_info); +guint32 +dissect_gquic_tags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *ft_tree, guint offset); #ifdef __cplusplus } diff --git a/epan/dissectors/packet-tls-utils.c b/epan/dissectors/packet-tls-utils.c index 4a45959823..ce50c6ca48 100644 --- a/epan/dissectors/packet-tls-utils.c +++ b/epan/dissectors/packet-tls-utils.c @@ -48,6 +48,7 @@ #include "packet-ocsp.h" #include "packet-tls.h" #include "packet-dtls.h" +#include "packet-quic.h" #if defined(HAVE_LIBGNUTLS) #include #endif @@ -1947,6 +1948,13 @@ const value_string quic_transport_parameter_id[] = { { SSL_HND_QUIC_TP_GREASE_QUIC_BIT, "grease_quic_bit" }, { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP, "enable_time_stamp" }, { SSL_HND_QUIC_TP_MIN_ACK_DELAY, "min_ack_delay" }, + { SSL_HND_QUIC_TP_GOOGLE_USER_AGENT, "google_user_agent" }, + { SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED, "google_key_update_not_yet_supported" }, + { SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION, "google_quic_version" }, + { SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT, "google_initial_rtt" }, + { SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE, "google_support_handshake_done" }, + { SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS, "google_quic_params" }, + { SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS, "google_connection_options" }, { 0, NULL } }; @@ -7296,7 +7304,7 @@ ssl_dissect_hnd_hello_ext_quic_transport_parameters(ssl_common_dissect_t *hf, tv proto_tree *parameter_tree; guint32 parameter_end_offset; guint64 value; - guint32 len = 0; + guint32 len = 0, i; parameter_tree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.hs_ext_quictp_parameter, NULL, "Parameter"); @@ -7489,6 +7497,51 @@ ssl_dissect_hnd_hello_ext_quic_transport_parameters(ssl_common_dissect_t *hf, tv proto_item_append_text(parameter_tree, " %" G_GINT64_MODIFIER "u", value); offset += len; break; + case SSL_HND_QUIC_TP_GOOGLE_USER_AGENT: + proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_user_agent_id, + tvb, offset, parameter_length, ENC_ASCII|ENC_NA); + offset += parameter_length; + break; + case SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED: + proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_key_update_not_yet_supported, + tvb, offset, parameter_length, ENC_NA); + offset += parameter_length; + break; + case SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION: + for (i = 0; i < parameter_length; i += 4) { + proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_version, + tvb, offset + i, 4, ENC_ASCII|ENC_NA); + } + offset += parameter_length; + break; + case SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT: + proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_initial_rtt, + tvb, offset, -1, ENC_VARINT_QUIC, &value, &len); + proto_item_append_text(parameter_tree, " %" G_GINT64_MODIFIER "u us", value); + offset += len; + break; + case SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE: + proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_support_handshake_done, + tvb, offset, parameter_length, ENC_NA); + offset += parameter_length; + break; + case SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS: + /* This field was used for non-standard Google-specific parameters encoded as a + * Google QUIC_CRYPTO CHLO and it has been replaced (version >= T051) by individual + * parameters. Report it as a bytes blob... */ + proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params, + tvb, offset, parameter_length, ENC_NA); + /* ... and try decoding it: not sure what the first 4 bytes are (but they seems to be always 0) */ + proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params_unknown_field, + tvb, offset, 4, ENC_NA); + dissect_gquic_tags(tvb, pinfo, parameter_tree, offset + 4); + offset += parameter_length; + break; + case SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS: + proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_connection_options, + tvb, offset, parameter_length, ENC_NA); + offset += parameter_length; + break; case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP: /* No Payload */ break; diff --git a/epan/dissectors/packet-tls-utils.h b/epan/dissectors/packet-tls-utils.h index 77d4a58138..9f9d1355de 100644 --- a/epan/dissectors/packet-tls-utils.h +++ b/epan/dissectors/packet-tls-utils.h @@ -175,6 +175,14 @@ typedef enum { #define SSL_HND_QUIC_TP_GREASE_QUIC_BIT 0x2ab2 /* https://tools.ietf.org/html/draft-thomson-quic-bit-grease-00 */ #define SSL_HND_QUIC_TP_ENABLE_TIME_STAMP 0x7157 /* https://tools.ietf.org/html/draft-huitema-quic-ts-02 */ #define SSL_HND_QUIC_TP_MIN_ACK_DELAY 0xde1a /* https://tools.ietf.org/html/draft-iyengar-quic-delayed-ack-00 */ +/* https://quiche.googlesource.com/quiche/+/refs/heads/master/quic/core/crypto/transport_parameters.cc */ +#define SSL_HND_QUIC_TP_GOOGLE_USER_AGENT 0x3129 +#define SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED 0x312B +#define SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION 0x4752 +#define SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT 0x3127 +#define SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE 0x312A +#define SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS 0x4751 +#define SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS 0x3128 /* * Lookup tables */ @@ -978,6 +986,14 @@ typedef struct ssl_common_dissect { gint hs_ext_quictp_parameter_max_datagram_frame_size; gint hs_ext_quictp_parameter_loss_bits; gint hs_ext_quictp_parameter_min_ack_delay; + gint hs_ext_quictp_parameter_google_user_agent_id; + gint hs_ext_quictp_parameter_google_key_update_not_yet_supported; + gint hs_ext_quictp_parameter_google_quic_version; + gint hs_ext_quictp_parameter_google_initial_rtt; + gint hs_ext_quictp_parameter_google_support_handshake_done; + gint hs_ext_quictp_parameter_google_quic_params; + gint hs_ext_quictp_parameter_google_quic_params_unknown_field; + gint hs_ext_quictp_parameter_google_connection_options; gint esni_suite; gint esni_record_digest_length; @@ -1207,7 +1223,7 @@ ssl_common_dissect_t name = { \ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \ - -1, -1, -1, -1, -1, -1, -1, -1, \ + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \ }, \ /* ett */ { \ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \ @@ -2183,6 +2199,46 @@ ssl_common_dissect_t name = { \ FT_UINT64, BASE_DEC, NULL, 0x00, \ NULL, HFILL } \ }, \ + { & name .hf.hs_ext_quictp_parameter_google_user_agent_id, \ + { "Google UserAgent", prefix ".quic.parameter.google.user_agent", \ + FT_STRING, BASE_NONE, NULL, 0x00, \ + NULL, HFILL } \ + }, \ + { & name .hf.hs_ext_quictp_parameter_google_key_update_not_yet_supported, \ + { "Google Key Update not yet supported", prefix ".quic.parameter.google.key_update_not_yet_supported", \ + FT_NONE, BASE_NONE, NULL, 0x00, \ + NULL, HFILL } \ + }, \ + { & name .hf.hs_ext_quictp_parameter_google_quic_version, \ + { "Google QUIC version", prefix ".quic.parameter.google.quic_version", \ + FT_STRING, BASE_NONE, NULL, 0x00, \ + NULL, HFILL } \ + }, \ + { & name .hf.hs_ext_quictp_parameter_google_initial_rtt, \ + { "Google Initial RTT", prefix ".quic.parameter.google.initial_rtt", \ + FT_UINT64, BASE_DEC, NULL, 0x00, \ + NULL, HFILL } \ + }, \ + { & name .hf.hs_ext_quictp_parameter_google_support_handshake_done, \ + { "Google Support Handshake Done", prefix ".quic.parameter.google.support_handshake_done", \ + FT_NONE, BASE_NONE, NULL, 0x00, \ + NULL, HFILL } \ + }, \ + { & name .hf.hs_ext_quictp_parameter_google_quic_params, \ + { "Google QUIC parameters", prefix ".quic.parameter.google.quic_params", \ + FT_BYTES, BASE_NONE, NULL, 0x00, \ + NULL, HFILL } \ + }, \ + { & name .hf.hs_ext_quictp_parameter_google_quic_params_unknown_field, \ + { "Google Unknown Field", prefix ".quic.parameter.google.quic_params_unknown_field", \ + FT_BYTES, BASE_NONE, NULL, 0x00, \ + NULL, HFILL } \ + }, \ + { & name .hf.hs_ext_quictp_parameter_google_connection_options, \ + { "Google Connection options", prefix ".quic.parameter.google.connection_options", \ + FT_BYTES, BASE_NONE, NULL, 0x00, \ + NULL, HFILL } \ + }, \ { & name .hf.hs_ext_connection_id_length, \ { "Connection ID length", prefix ".connection_id_length", \ FT_UINT8, BASE_DEC, NULL, 0x00, \ -- cgit v1.2.3