diff --git a/src/analyzer/protocol/quic/QUIC.spicy b/src/analyzer/protocol/quic/QUIC.spicy
index 9da60bd617..dad22ca097 100644
--- a/src/analyzer/protocol/quic/QUIC.spicy
+++ b/src/analyzer/protocol/quic/QUIC.spicy
@@ -417,7 +417,7 @@ type CryptoBuffer = unit() {
 ##############
 type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
 var decrypted_data: bytes;
- var slurp_size: uint64 = 0;
+ var packet_size: uint64 = 0;
 var start: iterator;
 sink crypto_sink;
@@ -466,11 +466,13 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
 : void {
 if (self?.long_header && can_decrypt(self.long_header, context, from_client))
- self.slurp_size = self.offset();
+ # If we have parsed an initial packet that we can decrypt the payload,
+ # determine the size to store into a buffer.
+ self.packet_size = self.offset();
 }
- # Slurp in the whole packet if we determined we have a chance to decrypt.
- slurp_data: bytes &parse-at=self.start &size=self.slurp_size if ( self.slurp_size > 0 ) {
+ # Buffer the whole packet if we determined we have a chance to decrypt.
+ packet_data: bytes &parse-at=self.start &size=self.packet_size if ( self.packet_size > 0 ) {
 self.crypto_buffer = new CryptoBuffer();
 self.crypto_sink.connect(self.crypto_buffer);
@@ -482,7 +484,7 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
 # All data is accessible via the `long_header` unit
 self.decrypted_data = decrypt_crypto_payload(
 self.long_header.version,
- self.slurp_data,
+ self.packet_data,
 self.long_header.dest_conn_id,
 self.long_header.encrypted_offset,
 self.long_header.payload_length,
@@ -501,7 +503,7 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
 self.decrypted_data = decrypt_crypto_payload(
 self.long_header.version,
- self.slurp_data,
+ self.packet_data,
 context.initial_destination_conn_id,
 self.long_header.encrypted_offset,
 self.long_header.payload_length,
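Review bot: The new comment above `self.packet_size = self.offset();` reads awkwardly and never says what the recorded size is relative to, which is the one thing a reader of the `packet_data` field below needs; I would reword it to `# A long-header packet whose payload we can decrypt has just been parsed: remember how far this unit has read so the whole packet can be re-read into a buffer below.` Worth stating next to `packet_data: bytes &parse-at=self.start &size=self.packet_size` is that `packet_size` is bounded by input this unit has already consumed rather than by a wire-supplied length field, so the `&size` cannot run past the datagram, whereas the `payload_length` later handed to `decrypt_crypto_payload` does come from the wire and nothing in these hunks checks it against the size of `packet_data` — presumably the C++ side does, but that should be confirmed rather than assumed. The `: void` hook and the `packet_data` field are complete within the hunk; the enclosing `Packet` unit starts and ends outside it.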
@@ -560,10 +562,10 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
 ##############
 public type RequestFrame = unit {
 %context = ConnectionIDInfo;
- : Packet(True, self.context());
+ : Packet(True, self.context())[];
 };
 public type ResponseFrame = unit {
 %context = ConnectionIDInfo;
- : Packet(False, self.context());
+ : Packet(False, self.context())[];
 };
diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.chromium/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.chromium/quic.log
index ecaaed9815..ad6abaf8cc 100644
--- a/testing/btest/Baseline/scripts.base.protocols.quic.chromium/quic.log
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.chromium/quic.log
@@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history #types time string addr port addr port string string string string string string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.54.117 53727 110.213.53.115 443 1 95412c47018cdfe8 (empty) d5412c47018cdfe8 api.cirrus-ci.com h3 ISisH +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.54.117 53727 110.213.53.115 443 1 95412c47018cdfe8 (empty) d5412c47018cdfe8 api.cirrus-ci.com h3 ISishH #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.events/out b/testing/btest/Baseline/scripts.base.protocols.quic.events/out
index 7b074d32a9..e377ed39d4 100644
--- a/testing/btest/Baseline/scripts.base.protocols.quic.events/out
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.events/out
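Review bot: Switching the top-level field to `: Packet(True, self.context())[];` with no size or termination attribute changes the failure semantics of `RequestFrame`/`ResponseFrame` without saying so: the old single `Packet` silently ignored whatever followed the first packet, while the vector keeps parsing until the datagram is exhausted, so trailing bytes that do not form a valid `Packet` now fail the whole datagram, and loop termination relies on every `Packet` branch consuming at least one byte of input, which I cannot verify from these hunks. I would add above each field `# A UDP datagram may carry several coalesced QUIC packets (RFC 9000 §12.2); parse them all until the datagram is exhausted.` and, if tolerating trailing junk is intended, handle that case explicitly rather than leaving it to a parse error. Both units are complete within the hunk.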
@@ -4,17 +4,20 @@ 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, 1b036a11, 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, F, 1, , fc674735 1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , fc674735 +1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , fc674735 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, fc674735, 1.0, handshake_packet, T, C4J4Th3PJpwUYZZ6gc, 1, ef3a4e06, zerortt.pcap 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, b7c7841c64883e3261d840, 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, F, 1, , 8d2041ac 1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , 8d2041ac +1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , 8d2041ac 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, 8d2041ac, 1.0, handshake_packet, T, C4J4Th3PJpwUYZZ6gc, 1, 5b7bc400, 1.0, initial_packet, CtPZjS20MLrsMUOJi2, T, 1, 15ae5e5e4962163f410b5529fc125bbc, 1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc, 1.0, initial_packet, CtPZjS20MLrsMUOJi2, F, 1, , e483a751 +1.0, handshake_packet, F, CtPZjS20MLrsMUOJi2, 1, , e483a751 1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc, 1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc, 1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc, diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/quic.log index 23623d6a05..6d37e079ea 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/quic.log 
@@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history #types time string addr port addr port string string string string string string string -1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 40084 193.167.100.100 443 1 a771f6161a4072c0bf10 (empty) 5911deff server4:443 hq-interop ISishIH +1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 40084 193.167.100.100 443 1 a771f6161a4072c0bf10 (empty) 5911deff server4:443 hq-interop ISishhIH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/quic.log index 74e8b2a29a..0caca791d3 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/quic.log @@ -8,5 +8,5 @@ #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history #types time string addr port addr port string string string string string string string 1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 42834 193.167.100.100 443 1 4a8294bf9201d6cf (empty) - server4:443 hq-interop ISr -1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 42834 193.167.100.100 443 1 1b036a11 (empty) fc674735 server4:443 hq-interop ISishIH +1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 42834 193.167.100.100 443 1 1b036a11 (empty) fc674735 server4:443 hq-interop ISishhIH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/quic.log index 6884c599e4..f2f8098294 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/quic.log 
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/quic.log @@ -7,6 +7,6 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history #types time string addr port addr port string string string string string string string -1.000000 CtPZjS20MLrsMUOJi2 193.167.0.100 49394 193.167.100.100 443 1 15ae5e5e4962163f410b5529fc125bbc (empty) e483a751 server4:443 hq-interop ISZisZZZZZZZZZZZZZZZZZZZZZZZZZZZIH -1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 60492 193.167.100.100 443 1 b7c7841c64883e3261d840 (empty) 8d2041ac server4:443 hq-interop ISishIH +1.000000 CtPZjS20MLrsMUOJi2 193.167.0.100 49394 193.167.100.100 443 1 15ae5e5e4962163f410b5529fc125bbc (empty) e483a751 server4:443 hq-interop ISZishZZZZZZZZZZZZZZZZZZZZZZZZZZZIH +1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 60492 193.167.100.100 443 1 b7c7841c64883e3261d840 (empty) 8d2041ac server4:443 hq-interop ISishhIH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/conn.log.cut new file mode 100644 index 0000000000..46d72b1541 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/conn.log.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid history service +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/quic.log new file mode 100644 index 0000000000..5d580eb317 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/quic.log 
@@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path quic +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history +#types time string addr port addr port string string string string string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.4 53241 24.199.110.233 443 1 f21fdf87f736f235846c7f460ca017 1b3ff910 eab5f6f4 - h3 ISishhIH +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/ssl.log b/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/ssl.log new file mode 100644 index 0000000000..fb2a422f10 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/ssl.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established ssl_history cert_chain_fps client_cert_chain_fps sni_matches_cert +#types time string addr port addr port string string string string bool string string bool string vector[string] vector[string] bool +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.4 53241 24.199.110.233 443 TLSv13 TLS_AES_128_GCM_SHA256 x25519 - F - - F Cs - - - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/quic.log index ff45b6d535..3dfdfee132 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/quic.log 
@@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history #types time string addr port addr port string string string string string string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 46907 127.0.0.1 853 1 fda05288ab9ff546 0fb934775f247b8e a31f4933d8727231 - doq ISishH +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 46907 127.0.0.1 853 1 fda05288ab9ff546 0fb934775f247b8e a31f4933d8727231 - doq ISishhH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/quic.log index d5dfb05bc4..a460e7fec8 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/quic.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history #types time string addr port addr port string string string string string string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 49320 127.0.0.1 443 quicv2 fa603212c8688817af3d3238735bc7 (empty) b168b5cc localhost quic-echo-example ISIIisIH +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 49320 127.0.0.1 443 quicv2 fa603212c8688817af3d3238735bc7 (empty) b168b5cc localhost quic-echo-example ISIIishIH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/quic.log index f7b06b5570..45411b3839 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/quic.log 
@@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history #types time string addr port addr port string string string string string string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 50841 127.0.0.1 443 quicv2 bdf0c5b27927cc667e58d95b 71b8f3f4 cdc8b6e6 - h3 ISishIHH +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 50841 127.0.0.1 443 quicv2 bdf0c5b27927cc667e58d95b 71b8f3f4 cdc8b6e6 - h3 ISishhIHH #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/README b/testing/btest/Traces/README
index 53b0ea4c12..f5b1e4fb51 100644
--- a/testing/btest/Traces/README
+++ b/testing/btest/Traces/README
@@ -38,3 +38,6 @@ Trace Index/Sources:
 - http/docker-http-upgrade.pcap
 Provided by blightzero on #4068
 https://github.com/zeek/zeek/issues/4068
+- quic/merlinc2_Zeek_example.pcapng
+ Provided by Faan Rossouw on #4198
+ https://github.com/zeek/zeek/issues/4198
diff --git a/testing/btest/Traces/quic/merlinc2_Zeek_example.pcapng b/testing/btest/Traces/quic/merlinc2_Zeek_example.pcapng
new file mode 100644
index 0000000000..2aba2f1afb
Binary files /dev/null and b/testing/btest/Traces/quic/merlinc2_Zeek_example.pcapng differ
diff --git a/testing/btest/scripts/base/protocols/quic/merlinc2.zeek b/testing/btest/scripts/base/protocols/quic/merlinc2.zeek
new file mode 100644
index 0000000000..733cf8cd25
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/quic/merlinc2.zeek
@@ -0,0 +1,8 @@
+# @TEST-DOC: Test PCAP for Merlin C2 from issue #4198
+
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -Cr $TRACES/quic/merlinc2_Zeek_example.pcapng base/protocols/quic
+# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff quic.log