diff --git a/CHANGES b/CHANGES index 61d896c510..e94114a893 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,28 @@ +7.0.5-2 | 2025-03-18 16:14:21 -0700 + + * QUIC/decrypt_crypto: Rename all_data to data (Arne Welzel, Corelight) + + (cherry picked from commit 44304973fb4ea3ffc94f13feb8592952675202f1) + + * GH-4201: QUIC: Confirm before forwarding data to SSL (Arne Welzel, Corelight) + + (cherry picked from commit 44304973fb4ea3ffc94f13feb8592952675202f1) + + * GH-4198: QUIC: Parse all QUIC packets in a UDP datagram (Arne Welzel, Corelight) + + A UDP datagram may contain multiple QUIC packets, but the parser so far + handled only the very first packet, ignoring any subsequent packets. + + (cherry picked from commit 44304973fb4ea3ffc94f13feb8592952675202f1) + + * QUIC: Only slurp till packet end, not till &eod (Arne Welzel, Corelight) + + This doesn't change behavior, but avoids slurping in more data than + needed. A UDP packet an contain multiple QUIC packets and we'd read + all following ones instead just the one we're interested in. + + (cherry picked from commit 44304973fb4ea3ffc94f13feb8592952675202f1) + 7.0.5-1 | 2025-03-18 16:12:32 -0700 * fix for ZAM optimization of assigning a record field to result of "in" operation (Vern Paxson, Corelight) diff --git a/VERSION b/VERSION index 48b0c7a0d2..7548436d82 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -7.0.5-1 +7.0.5-2 diff --git a/src/analyzer/protocol/quic/QUIC.spicy b/src/analyzer/protocol/quic/QUIC.spicy index bde1650ee2..2fdc816f67 100644 --- a/src/analyzer/protocol/quic/QUIC.spicy +++ b/src/analyzer/protocol/quic/QUIC.spicy @@ -9,7 +9,7 @@ import zeek; # The interface to the C++ code that handles the decryption of the INITIAL packet payload using well-known keys public function decrypt_crypto_payload( version: uint32, - all_data: bytes, + data: bytes, connection_id: bytes, encrypted_offset: uint64, payload_offset: uint64, 
@@ -417,7 +417,7 @@ type CryptoBuffer = unit() { ############## type Packet = unit(from_client: bool, context: ConnectionIDInfo&) { var decrypted_data: bytes; - var full_packet: bytes; + var packet_size: uint64 = 0; var start: iterator; sink crypto_sink; @@ -464,8 +464,15 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) { } }; - # Slurp in the whole packet if we determined we have a chance to decrypt. - all_data: bytes &parse-at=self.start &eod if ( self?.long_header && can_decrypt(self.long_header, context, from_client) ) { + : void { + if (self?.long_header && can_decrypt(self.long_header, context, from_client)) + # If we have parsed an initial packet that we can decrypt the payload, + # determine the size to store into a buffer. + self.packet_size = self.offset(); + } + + # Buffer the whole packet if we determined we have a chance to decrypt. + packet_data: bytes &parse-at=self.start &size=self.packet_size if ( self.packet_size > 0 ) { self.crypto_buffer = new CryptoBuffer(); self.crypto_sink.connect(self.crypto_buffer); @@ -477,7 +484,7 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) { # All data is accessible via the `long_header` unit self.decrypted_data = decrypt_crypto_payload( self.long_header.version, - self.all_data, + self.packet_data, self.long_header.dest_conn_id, self.long_header.encrypted_offset, self.long_header.payload_length, @@ -496,7 +503,7 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) { self.decrypted_data = decrypt_crypto_payload( self.long_header.version, - self.all_data, + self.packet_data, context.initial_destination_conn_id, self.long_header.encrypted_offset, self.long_header.payload_length, 
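Review bot: `self.packet_size = self.offset()` in the new `: void` hook only bounds `packet_data` correctly if `self.start` is the iterator at offset 0 of this unit; `start` is assigned outside the hunk (presumably in `%init`), and if it were ever taken later, `&parse-at=self.start &size=self.packet_size` would over-read into the next coalesced packet or under-read the current one. A short comment at the assignment would pin the invariant: `# offset() is relative to the unit start, so this is the byte count from self.start to the end of long_header — exactly this packet`. It is also worth stating there that `packet_size > 0` now doubles as the "can decrypt" flag, so the `if` guard on `packet_data` must stay in sync with this hook. The `Packet` unit starts before and ends after this hunk.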
@@ -509,6 +516,9 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) { # connection. if ( |self.decrypted_data| == 0 ) throw "decryption failed"; + + # We were able to decrypt the INITIAL packet. Confirm QUIC! + spicy::accept_input(); } # Depending on the type of header and whether we were able to decrypt @@ -543,9 +553,6 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) { context.client_initial_processed = True; else context.server_initial_processed = True; - - # Take buffered crypto data as confirmation signal. - spicy::accept_input(); } } }; @@ -555,10 +562,10 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) { ############## public type RequestFrame = unit { %context = ConnectionIDInfo; - : Packet(True, self.context()); + : Packet(True, self.context())[]; }; public type ResponseFrame = unit { %context = ConnectionIDInfo; - : Packet(False, self.context()); + : Packet(False, self.context())[]; }; diff --git a/src/analyzer/protocol/quic/decrypt_crypto.cc b/src/analyzer/protocol/quic/decrypt_crypto.cc index fa496413ae..b990df61be 100644 --- a/src/analyzer/protocol/quic/decrypt_crypto.cc +++ b/src/analyzer/protocol/quic/decrypt_crypto.cc @@ -87,7 +87,7 @@ Removes the header protection from the INITIAL packet and returns a DecryptionIn that is partially filled */ DecryptionInformation remove_header_protection(const std::vector& client_hp, uint64_t encrypted_offset, - const hilti::rt::Bytes& all_data) { + const hilti::rt::Bytes& data) { DecryptionInformation decryptInfo; int outlen; auto* ctx = get_aes_128_ecb(); 
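Review bot: Switching `RequestFrame`/`ResponseFrame` to `: Packet(...)[]` means a malformed or unrecognised trailing packet in a datagram now raises a parse error for the whole datagram, whereas before any bytes after the first packet were silently ignored; once `spicy::accept_input()` has fired on the INITIAL packet, that error surfaces as an analyzer violation and, depending on the DPD violation policy, may disable QUIC for the rest of the connection. RFC 9000 §12.2 has receivers process each coalesced packet independently, so one bad trailing packet should not undo the ones already parsed; consider stopping the vector (for example via an `&until`/`%error` path) instead of propagating the failure, and document the chosen behaviour with `# A datagram may carry several coalesced packets; stop at the first one that does not parse rather than failing the whole datagram`. The decrypt_crypto.cc hunk starting on this line continues into the next.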
@@ -96,16 +96,16 @@ DecryptionInformation remove_header_protection(const std::vector& clien EVP_CipherInit_ex(ctx, NULL, NULL, client_hp.data(), NULL, 1); static_assert(AEAD_SAMPLE_LENGTH > 0); - assert(all_data.size() >= encrypted_offset + MAXIMUM_PACKET_NUMBER_LENGTH + AEAD_SAMPLE_LENGTH); + assert(data.size() >= encrypted_offset + MAXIMUM_PACKET_NUMBER_LENGTH + AEAD_SAMPLE_LENGTH); - const uint8_t* sample = data_as_uint8(all_data) + encrypted_offset + MAXIMUM_PACKET_NUMBER_LENGTH; + const uint8_t* sample = data_as_uint8(data) + encrypted_offset + MAXIMUM_PACKET_NUMBER_LENGTH; std::array mask; EVP_CipherUpdate(ctx, mask.data(), &outlen, sample, AEAD_SAMPLE_LENGTH); // To determine the actual packet number length, // we have to remove the mask from the first byte - uint8_t first_byte = data_as_uint8(all_data)[0]; + uint8_t first_byte = data_as_uint8(data)[0]; if ( first_byte & 0x80 ) { first_byte ^= mask[0] & 0x0F; @@ -118,8 +118,8 @@ DecryptionInformation remove_header_protection(const std::vector& clien int recovered_packet_number_length = (first_byte & 0x03) + 1; // .. and use this to reconstruct the (partially) unprotected header - std::vector unprotected_header(data_as_uint8(all_data), data_as_uint8(all_data) + encrypted_offset + - recovered_packet_number_length); + std::vector unprotected_header(data_as_uint8(data), + data_as_uint8(data) + encrypted_offset + recovered_packet_number_length); uint32_t decoded_packet_number = 0; 
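Review bot: The renamed bounds check in `remove_header_protection()` is still an `assert`, so in a build with `NDEBUG` defined nothing guards the `data_as_uint8(data) + encrypted_offset + MAXIMUM_PACKET_NUMBER_LENGTH` sample pointer before the 16-byte `EVP_CipherUpdate` read, and `encrypted_offset` comes from the parsed long header while `data` is now sized exactly to the packet. Even if the Spicy side normally guarantees those bytes are present, `decrypt()` in the same file already throws `hilti::rt::RuntimeError` for the analogous check, and this one should match: `if ( data.size() < encrypted_offset + MAXIMUM_PACKET_NUMBER_LENGTH + AEAD_SAMPLE_LENGTH ) throw hilti::rt::RuntimeError(hilti::rt::fmt("data too short for header protection sample: %zu", data.size()));`. The `unprotected_header` construction below relies on the same offset, and the function begins in the preceding hunk.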
@@ -150,8 +150,8 @@ std::vector calculate_nonce(std::vector client_iv, uint64_t pa /* Function that calls the AEAD decryption routine, and returns the decrypted data. */ -hilti::rt::Bytes decrypt(const std::vector& client_key, const hilti::rt::Bytes& all_data, - uint64_t payload_length, const DecryptionInformation& decryptInfo) { +hilti::rt::Bytes decrypt(const std::vector& client_key, const hilti::rt::Bytes& data, uint64_t payload_length, + const DecryptionInformation& decryptInfo) { int out, out2; if ( payload_length < decryptInfo.packet_number_length + AEAD_TAG_LENGTH ) @@ -163,18 +163,18 @@ hilti::rt::Bytes decrypt(const std::vector& client_key, const hilti::rt if ( payload_length > 10000 ) throw hilti::rt::RuntimeError(hilti::rt::fmt("payload_length too large %ld", payload_length)); - const uint8_t* encrypted_payload = data_as_uint8(all_data) + decryptInfo.unprotected_header.size(); + const uint8_t* encrypted_payload = data_as_uint8(data) + decryptInfo.unprotected_header.size(); int encrypted_payload_size = payload_length - decryptInfo.packet_number_length - AEAD_TAG_LENGTH; if ( encrypted_payload_size < 0 ) throw hilti::rt::RuntimeError(hilti::rt::fmt("encrypted_payload_size underflow %ld", encrypted_payload_size)); - if ( all_data.size() < decryptInfo.unprotected_header.size() + encrypted_payload_size + AEAD_TAG_LENGTH ) - throw hilti::rt::RuntimeError(hilti::rt::fmt("all_data too short %ld < %ld", all_data.size(), + if ( data.size() < decryptInfo.unprotected_header.size() + encrypted_payload_size + AEAD_TAG_LENGTH ) + throw hilti::rt::RuntimeError(hilti::rt::fmt("data too short %ld < %ld", data.size(), decryptInfo.unprotected_header.size() + encrypted_payload_size)); - const void* tag_to_check = all_data.data() + decryptInfo.unprotected_header.size() + encrypted_payload_size; + const void* tag_to_check = data.data() + decryptInfo.unprotected_header.size() + encrypted_payload_size; int tag_to_check_length = AEAD_TAG_LENGTH; // Allocate memory for decryption. 
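Review bot: The `data too short` diagnostic in `decrypt()` reports a different bound than the one it checks: the condition includes `+ AEAD_TAG_LENGTH`, the formatted expected size omits it, so the logged value is 16 bytes smaller than what was required. Suggested line: `throw hilti::rt::RuntimeError(hilti::rt::fmt("data too short %ld < %ld", data.size(), decryptInfo.unprotected_header.size() + encrypted_payload_size + AEAD_TAG_LENGTH));`. `decrypt()` continues past the end of this hunk.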
@@ -444,7 +444,7 @@ Function that is called from Spicy, decrypting an INITIAL packet and returning the decrypted payload back to the analyzer. */ hilti::rt::Bytes QUIC_decrypt_crypto_payload(const hilti::rt::integer::safe& version, - const hilti::rt::Bytes& all_data, const hilti::rt::Bytes& connection_id, + const hilti::rt::Bytes& data, const hilti::rt::Bytes& connection_id, const hilti::rt::integer::safe& encrypted_offset, const hilti::rt::integer::safe& payload_length, const hilti::rt::Bool& from_client) { @@ -458,9 +458,9 @@ hilti::rt::Bytes QUIC_decrypt_crypto_payload(const hilti::rt::integer::safe iv = qpp->GetIv(secret); std::vector hp = qpp->GetHp(secret); - DecryptionInformation decryptInfo = remove_header_protection(hp, encrypted_offset, all_data); + DecryptionInformation decryptInfo = remove_header_protection(hp, encrypted_offset, data); // Calculate the correct nonce for the decryption decryptInfo.nonce = calculate_nonce(iv, decryptInfo.packet_number); - return decrypt(key, all_data, payload_length, decryptInfo); + return decrypt(key, data, payload_length, decryptInfo); } diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.analyzer-confirmations/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.analyzer-confirmations/conn.log.cut new file mode 100644 index 0000000000..f95a354194 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.quic.analyzer-confirmations/conn.log.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid history service +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.analyzer-confirmations/out b/testing/btest/Baseline/scripts.base.protocols.quic.analyzer-confirmations/out new file mode 100644 index 0000000000..9985d45318 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.quic.analyzer-confirmations/out 
@@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +analyzer_confirmation, 1692198386.837988, CHhAvVGS1DHFjwGM9, Analyzer::ANALYZER_QUIC +analyzer_confirmation, 1692198386.837988, CHhAvVGS1DHFjwGM9, Analyzer::ANALYZER_SSL diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.chromium/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.chromium/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.chromium/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.chromium/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.chromium/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.chromium/quic.log index ecaaed9815..ad6abaf8cc 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.chromium/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.chromium/quic.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history #types time string addr port addr port string string string string string string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.54.117 53727 110.213.53.115 443 1 95412c47018cdfe8 (empty) d5412c47018cdfe8 api.cirrus-ci.com h3 ISisH +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.54.117 53727 110.213.53.115 443 1 95412c47018cdfe8 (empty) d5412c47018cdfe8 api.cirrus-ci.com h3 ISishH #close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.curl-http3/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.curl-http3/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.curl-http3/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.curl-http3/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.events/out b/testing/btest/Baseline/scripts.base.protocols.quic.events/out index 7b074d32a9..e377ed39d4 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.events/out +++ b/testing/btest/Baseline/scripts.base.protocols.quic.events/out 
@@ -4,17 +4,20 @@ 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, 1b036a11, 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, F, 1, , fc674735 1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , fc674735 +1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , fc674735 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, fc674735, 1.0, handshake_packet, T, C4J4Th3PJpwUYZZ6gc, 1, ef3a4e06, zerortt.pcap 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, b7c7841c64883e3261d840, 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, F, 1, , 8d2041ac 1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , 8d2041ac +1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , 8d2041ac 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, 8d2041ac, 1.0, handshake_packet, T, C4J4Th3PJpwUYZZ6gc, 1, 5b7bc400, 1.0, initial_packet, CtPZjS20MLrsMUOJi2, T, 1, 15ae5e5e4962163f410b5529fc125bbc, 1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc, 1.0, initial_packet, CtPZjS20MLrsMUOJi2, F, 1, , e483a751 +1.0, handshake_packet, F, CtPZjS20MLrsMUOJi2, 1, , e483a751 1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc, 1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc, 1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc, diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.firefox/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.firefox/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.firefox/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.firefox/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic 
diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.fragmented-crypto/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.fragmented-crypto/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.fragmented-crypto/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.fragmented-crypto/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/conn.log.cut index 6eadcd2f9d..91c6575829 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/conn.log.cut @@ -2,4 +2,4 @@ ts uid history service 0.015059 ClEkJM2Vm5giqnMf4h - - 0.001000 CHhAvVGS1DHFjwGM9 - - -0.648580 C4J4Th3PJpwUYZZ6gc Dd quic,ssl +0.648580 C4J4Th3PJpwUYZZ6gc Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/quic.log index 23623d6a05..6d37e079ea 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/quic.log 
@@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history #types time string addr port addr port string string string string string string string -1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 40084 193.167.100.100 443 1 a771f6161a4072c0bf10 (empty) 5911deff server4:443 hq-interop ISishIH +1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 40084 193.167.100.100 443 1 a771f6161a4072c0bf10 (empty) 5911deff server4:443 hq-interop ISishhIH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/conn.log.cut index f60a9d33e6..82447e238b 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/conn.log.cut @@ -2,4 +2,4 @@ ts uid history service 0.000000 CHhAvVGS1DHFjwGM9 - - 0.016059 ClEkJM2Vm5giqnMf4h - - -0.669020 C4J4Th3PJpwUYZZ6gc Dd quic,ssl +0.669020 C4J4Th3PJpwUYZZ6gc Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/quic.log index 74e8b2a29a..0caca791d3 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/quic.log 
@@ -8,5 +8,5 @@ #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history #types time string addr port addr port string string string string string string string 1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 42834 193.167.100.100 443 1 4a8294bf9201d6cf (empty) - server4:443 hq-interop ISr -1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 42834 193.167.100.100 443 1 1b036a11 (empty) fc674735 server4:443 hq-interop ISishIH +1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 42834 193.167.100.100 443 1 1b036a11 (empty) fc674735 server4:443 hq-interop ISishhIH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/conn.log.cut index 01d1a432a4..8fa1c1ad8f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/conn.log.cut @@ -2,5 +2,5 @@ ts uid history service 0.015059 ClEkJM2Vm5giqnMf4h - - 0.001000 CHhAvVGS1DHFjwGM9 - - -0.790739 CtPZjS20MLrsMUOJi2 Dd quic,ssl -0.718160 C4J4Th3PJpwUYZZ6gc Dd quic,ssl +0.790739 CtPZjS20MLrsMUOJi2 Dd ssl,quic +0.718160 C4J4Th3PJpwUYZZ6gc Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/quic.log index 6884c599e4..f2f8098294 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/quic.log 
@@ -7,6 +7,6 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history #types time string addr port addr port string string string string string string string -1.000000 CtPZjS20MLrsMUOJi2 193.167.0.100 49394 193.167.100.100 443 1 15ae5e5e4962163f410b5529fc125bbc (empty) e483a751 server4:443 hq-interop ISZisZZZZZZZZZZZZZZZZZZZZZZZZZZZIH -1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 60492 193.167.100.100 443 1 b7c7841c64883e3261d840 (empty) 8d2041ac server4:443 hq-interop ISishIH +1.000000 CtPZjS20MLrsMUOJi2 193.167.0.100 49394 193.167.100.100 443 1 15ae5e5e4962163f410b5529fc125bbc (empty) e483a751 server4:443 hq-interop ISZishZZZZZZZZZZZZZZZZZZZZZZZZZZZIH +1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 60492 193.167.100.100 443 1 b7c7841c64883e3261d840 (empty) 8d2041ac server4:443 hq-interop ISishhIH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/conn.log.cut new file mode 100644 index 0000000000..f95a354194 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/conn.log.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid history service +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/quic.log new file mode 100644 index 0000000000..5d580eb317 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/quic.log 
@@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path quic +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history +#types time string addr port addr port string string string string string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.4 53241 24.199.110.233 443 1 f21fdf87f736f235846c7f460ca017 1b3ff910 eab5f6f4 - h3 ISishhIH +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/ssl.log b/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/ssl.log new file mode 100644 index 0000000000..fb2a422f10 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/ssl.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established ssl_history cert_chain_fps client_cert_chain_fps sni_matches_cert +#types time string addr port addr port string string string string bool string string bool string vector[string] vector[string] bool +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.4 53241 24.199.110.233 443 TLSv13 TLS_AES_128_GCM_SHA256 x25519 - F - - F Cs - - - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/conn.log.cut 
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/quic.log index ff45b6d535..3dfdfee132 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/quic.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history #types time string addr port addr port string string string string string string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 46907 127.0.0.1 853 1 fda05288ab9ff546 0fb934775f247b8e a31f4933d8727231 - doq ISishH +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 46907 127.0.0.1 853 1 fda05288ab9ff546 0fb934775f247b8e a31f4933d8727231 - doq ISishhH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic 
diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/quic.log index d5dfb05bc4..a460e7fec8 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/quic.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history #types time string addr port addr port string string string string string string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 49320 127.0.0.1 443 quicv2 fa603212c8688817af3d3238735bc7 (empty) b168b5cc localhost quic-echo-example ISIIisIH +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 49320 127.0.0.1 443 quicv2 fa603212c8688817af3d3238735bc7 (empty) b168b5cc localhost quic-echo-example ISIIishIH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/quic.log index f7b06b5570..45411b3839 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/quic.log 
@@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history #types time string addr port addr port string string string string string string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 50841 127.0.0.1 443 quicv2 bdf0c5b27927cc667e58d95b 71b8f3f4 cdc8b6e6 - h3 ISishIHH +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 50841 127.0.0.1 443 quicv2 bdf0c5b27927cc667e58d95b 71b8f3f4 cdc8b6e6 - h3 ISishhIHH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.run-pcap/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.run-pcap/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.run-pcap/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.run-pcap/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Traces/README b/testing/btest/Traces/README index 0e7f31431c..dd8d0350fe 100644 --- a/testing/btest/Traces/README +++ b/testing/btest/Traces/README @@ -29,3 +29,6 @@ Trace Index/Sources: - http/cooper-grill-dvwa.pcapng Provided by cooper-grill on #3995 https://github.com/zeek/zeek/pull/3995 +- quic/merlinc2_Zeek_example.pcapng + Provided by Faan Rossouw on #4198 + https://github.com/zeek/zeek/issues/4198 diff --git a/testing/btest/Traces/quic/merlinc2_Zeek_example.pcapng b/testing/btest/Traces/quic/merlinc2_Zeek_example.pcapng new file mode 100644 index 0000000000..2aba2f1afb Binary files /dev/null and b/testing/btest/Traces/quic/merlinc2_Zeek_example.pcapng differ 
diff --git a/testing/btest/scripts/base/protocols/quic/analyzer-confirmations.zeek b/testing/btest/scripts/base/protocols/quic/analyzer-confirmations.zeek new file mode 100644 index 0000000000..790bea7ff2 --- /dev/null +++ b/testing/btest/scripts/base/protocols/quic/analyzer-confirmations.zeek @@ -0,0 +1,15 @@ +# @TEST-DOC: Test the order of analyzer confirmations for QUIC and SSL, QUIC should come first. + +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy +# @TEST-EXEC: zeek -Cr $TRACES/quic/chromium-115.0.5790.110-api-cirrus-com.pcap %INPUT >out +# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut +# @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff out +# @TEST-EXEC: btest-diff conn.log.cut + +@load base/protocols/quic + + +event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) + { + print "analyzer_confirmation", network_time(), info$c$uid, atype; + } diff --git a/testing/btest/scripts/base/protocols/quic/merlinc2.zeek b/testing/btest/scripts/base/protocols/quic/merlinc2.zeek new file mode 100644 index 0000000000..733cf8cd25 --- /dev/null +++ b/testing/btest/scripts/base/protocols/quic/merlinc2.zeek @@ -0,0 +1,8 @@ +# @TEST-DOC: Test PCAP for Merlin C2 from issue #4198 + +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy +# @TEST-EXEC: zeek -Cr $TRACES/quic/merlinc2_Zeek_example.pcapng base/protocols/quic +# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut +# @TEST-EXEC: btest-diff conn.log.cut +# @TEST-EXEC: btest-diff ssl.log +# @TEST-EXEC: btest-diff quic.log