QUIC: implement decryption using new traffic secrets (draft -13)

QUIC draft -12 and before used the TLS Exporter to derive the protected payload secrets. Starting with draft -13, the handshake and 1-RTT protected payloads use keys derived during the TLS 1.3 handshake (but with the "quic " label for HKDF-Expand-Label instead of "tls13 "). That unfortunately means that previous CLIENT_HANDSHAKE_TRAFFIC_SECRET, SERVER_TRAFFIC_SECRET_0, etc. are unusable. As a quick workaround, extend the key log format with new labels similar to the old one (but with "QUIC_" prepended to it). To match draft -13, rename the original "handshake cipher/secret" to "initial cipher/secret" and add a new "handshake cipher". Potential limitation: if the client/server addresses/ports change since the Initial Packet, then a new TLS session is created in the TLS dissector. Attempting to retrieve secrets after the change will fail since the Client Random is empty and the secret cannot be linked. Another more common limitation: (Certificate) handshake messages that span multiple CRYPTO frames are not correctly recognized. Change-Id: I2932c3cc851fae51e8becf859db53ccc5f4beeda Ping-Bug: 13881 Reviewed-on: https://code.wireshark.org/review/29677 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
author: Peter Wu <peter@lekensteyn.nl> 2018-09-16 01:07:21 +0200
committer: Alexis La Goutte <alexis.lagoutte@gmail.com> 2018-09-17 08:14:32 +0000
commit: 2fd42045f5afb556a03d8a1090f3278c77798766 (patch)
tree: 6607c73ce45fcb1d4221c81c8e393256135e7ca1 /epan/dissectors/packet-ssl-utils.c
parent: 9de95b83f87e49a5d99085df1e8aa262f4fa2af1 (diff)
1 files changed, 27 insertions, 0 deletions
diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c
index 3cce6609e7..1c177d4b5b 100644
--- a/epan/dissectors/packet-ssl-utils.c
+++ b/epan/dissectors/packet-ssl-utils.c
@@ -4663,6 +4663,13 @@ ssl_common_init(ssl_master_key_map_t *mk_map,
     mk_map->tls13_exporter = g_hash_table_new(ssl_hash, ssl_equal);
     ssl_data_alloc(decrypted_data, 32);
     ssl_data_alloc(compressed_data, 32);
+
+    /* QUIC keys. */
+    mk_map->quic_client_early = g_hash_table_new(ssl_hash, ssl_equal);
+    mk_map->quic_client_handshake = g_hash_table_new(ssl_hash, ssl_equal);
+    mk_map->quic_server_handshake = g_hash_table_new(ssl_hash, ssl_equal);
+    mk_map->quic_client_appdata = g_hash_table_new(ssl_hash, ssl_equal);
+    mk_map->quic_server_appdata = g_hash_table_new(ssl_hash, ssl_equal);
 }
 
 void
@@ -4685,6 +4692,13 @@ ssl_common_cleanup(ssl_master_key_map_t *mk_map, FILE **ssl_keylog_file,
     g_free(decrypted_data->data);
     g_free(compressed_data->data);
 
+    /* QUIC keys */
+    g_hash_table_destroy(mk_map->quic_client_early);
+    g_hash_table_destroy(mk_map->quic_client_handshake);
+    g_hash_table_destroy(mk_map->quic_server_handshake);
+    g_hash_table_destroy(mk_map->quic_client_appdata);
+    g_hash_table_destroy(mk_map->quic_server_appdata);
+
     /* close the previous keylog file now that the cache are cleared, this
      * allows the cache to be filled with the full keylog file contents. */
     if (*ssl_keylog_file) {
@@ -5108,6 +5122,13 @@ ssl_compile_keyfile_regex(void)
         "|SERVER_TRAFFIC_SECRET_0 (?<server_appdata>" OCTET "{32})"
         "|EARLY_EXPORTER_SECRET (?<early_exporter>" OCTET "{32})"
         "|EXPORTER_SECRET (?<exporter>" OCTET "{32})"
+        /* QUIC (draft >= -13) Client Random to Derived Secrets mapping.
+         * EXPERIMENTAL, subject to change based on QUIC changes! */
+        "|QUIC_CLIENT_EARLY_TRAFFIC_SECRET (?<quic_client_early>" OCTET "{32})"
+        "|QUIC_CLIENT_HANDSHAKE_TRAFFIC_SECRET (?<quic_client_handshake>" OCTET "{32})"
+        "|QUIC_SERVER_HANDSHAKE_TRAFFIC_SECRET (?<quic_server_handshake>" OCTET "{32})"
+        "|QUIC_CLIENT_TRAFFIC_SECRET_0 (?<quic_client_appdata>" OCTET "{32})"
+        "|QUIC_SERVER_TRAFFIC_SECRET_0 (?<quic_server_appdata>" OCTET "{32})"
         ") (?<derived_secret>" OCTET "+)";
 #undef OCTET
     static GRegex *regex = NULL;
@@ -5172,6 +5193,12 @@ ssl_load_keyfile(const gchar *ssl_keylog_filename, FILE **keylog_file,
         { "server_appdata",     mk_map->tls13_server_appdata },
         { "early_exporter",     mk_map->tls13_early_exporter },
         { "exporter",           mk_map->tls13_exporter },
+        /* QUIC map from Client Random to derived secret. */
+        { "quic_client_early",      mk_map->quic_client_early },
+        { "quic_client_handshake",  mk_map->quic_client_handshake },
+        { "quic_server_handshake",  mk_map->quic_server_handshake },
+        { "quic_client_appdata",    mk_map->quic_client_appdata },
+        { "quic_server_appdata",    mk_map->quic_server_appdata },
     };
     /* no need to try if no key log file is configured. */
     if (!ssl_keylog_filename || !*ssl_keylog_filename) {
author	Peter Wu <peter@lekensteyn.nl>	2018-09-16 01:07:21 +0200
committer	Alexis La Goutte <alexis.lagoutte@gmail.com>	2018-09-17 08:14:32 +0000
commit	2fd42045f5afb556a03d8a1090f3278c77798766 (patch)
tree	6607c73ce45fcb1d4221c81c8e393256135e7ca1 /epan/dissectors/packet-ssl-utils.c
parent	9de95b83f87e49a5d99085df1e8aa262f4fa2af1 (diff)