Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

QUIC: Use initial destination conn_id for decryption

Browse source 
Ensure the client side also uses the initial destination connection ID
for decryption purposes instead of the one from the current long header
packet. PCAP from local WiFi hotspot.
This commit is contained in:
Arne Welzel 2025-04-30 15:48:17 +02:00
parent ae90524027
commit fe89a521d1
6 changed files with 29 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

3
testing/btest/Baseline/scripts.base.protocols.quic.decrypt-fail-google-de-51833/conn.log.cut Normal file
View file

@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid history service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl

3
testing/btest/Baseline/scripts.base.protocols.quic.decrypt-fail-google-de-51833/quic.log.cut Normal file
View file

@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid server_name history
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 www.google.de ZZZIiIIIISiIIIiiiiiishIIHH

3
testing/btest/Baseline/scripts.base.protocols.quic.decrypt-fail-google-de-51833/ssl.log.cut Normal file
View file

@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid version cipher curve server_name resumed last_alert next_protocol established ssl_history
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 TLSv13 TLS_AES_128_GCM_SHA256 X25519MLKEM768 www.google.de T - - F Cs

BIN
testing/btest/Traces/quic/quic-decrypt-fail-google-de-51833.pcap Normal file
View file

Binary file not shown.

12
testing/btest/scripts/base/protocols/quic/decrypt-fail-google-de-51833.zeek Normal file
View file

@ -0,0 +1,12 @@
# @TEST-DOC: PCAP for which decryption failed due to not using the initial destination connection ID consistently.
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
# @TEST-EXEC: zeek -Cr $TRACES/quic/quic-decrypt-fail-google-de-51833.pcap base/protocols/quic
# @TEST-EXEC: test ! -f analyzer.log
# @TEST-EXEC: test ! -f dpd.log
# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
# @TEST-EXEC: btest-diff conn.log.cut
# @TEST-EXEC: zeek-cut -m ts uid server_name history < quic.log > quic.log.cut
# @TEST-EXEC: btest-diff quic.log.cut
# @TEST-EXEC: zeek-cut -m ts uid version cipher curve server_name resumed last_alert next_protocol established ssl_history < ssl.log > ssl.log.cut
# @TEST-EXEC: btest-diff ssl.log.cut