mirror of
https://github.com/XTLS/Xray-core.git
synced 2024-11-26 17:03:02 +00:00
QUIC sniffer: handle multiple initial packets (#3802)
* QUIC sniffer: handle multiple initial packets Basically copied from Vigilans/v2ray-core@8f33db0 Co-Authored-By: Vigilans <vigilans@foxmail.com> * Remove unnecessary file --------- Co-authored-by: Vigilans <vigilans@foxmail.com>
This commit is contained in:
parent
7970f240de
commit
781aaee21f
@ -41,8 +41,14 @@ func (r *cachedReader) Cache(b *buf.Buffer) {
|
|||||||
if !mb.IsEmpty() {
|
if !mb.IsEmpty() {
|
||||||
r.cache, _ = buf.MergeMulti(r.cache, mb)
|
r.cache, _ = buf.MergeMulti(r.cache, mb)
|
||||||
}
|
}
|
||||||
|
cacheLen := r.cache.Len()
|
||||||
|
if cacheLen <= b.Cap() {
|
||||||
b.Clear()
|
b.Clear()
|
||||||
rawBytes := b.Extend(buf.Size)
|
} else {
|
||||||
|
b.Release()
|
||||||
|
*b = *buf.NewWithSize(cacheLen)
|
||||||
|
}
|
||||||
|
rawBytes := b.Extend(cacheLen)
|
||||||
n := r.cache.Copy(rawBytes)
|
n := r.cache.Copy(rawBytes)
|
||||||
b.Resize(0, int32(n))
|
b.Resize(0, int32(n))
|
||||||
r.Unlock()
|
r.Unlock()
|
||||||
|
@ -207,6 +207,21 @@ func (b *Buffer) Len() int32 {
|
|||||||
return b.end - b.start
|
return b.end - b.start
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Cap returns the capacity of the buffer content.
|
||||||
|
func (b *Buffer) Cap() int32 {
|
||||||
|
if b == nil {
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
return int32(len(b.v))
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewWithSize creates a Buffer with 0 length and capacity with at least the given size.
|
||||||
|
func NewWithSize(size int32) *Buffer {
|
||||||
|
return &Buffer{
|
||||||
|
v: bytespool.Alloc(size),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// IsEmpty returns true if the buffer is empty.
|
// IsEmpty returns true if the buffer is empty.
|
||||||
func (b *Buffer) IsEmpty() bool {
|
func (b *Buffer) IsEmpty() bool {
|
||||||
return b.Len() == 0
|
return b.Len() == 0
|
||||||
|
@ -47,11 +47,19 @@ var (
|
|||||||
)
|
)
|
||||||
|
|
||||||
func SniffQUIC(b []byte) (*SniffHeader, error) {
|
func SniffQUIC(b []byte) (*SniffHeader, error) {
|
||||||
|
// Crypto data separated across packets
|
||||||
|
cryptoLen := 0
|
||||||
|
cryptoData := bytespool.Alloc(int32(len(b)))
|
||||||
|
defer bytespool.Free(cryptoData)
|
||||||
|
|
||||||
|
// Parse QUIC packets
|
||||||
|
for len(b) > 0 {
|
||||||
buffer := buf.FromBytes(b)
|
buffer := buf.FromBytes(b)
|
||||||
typeByte, err := buffer.ReadByte()
|
typeByte, err := buffer.ReadByte()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errNotQuic
|
return nil, errNotQuic
|
||||||
}
|
}
|
||||||
|
|
||||||
isLongHeader := typeByte&0x80 > 0
|
isLongHeader := typeByte&0x80 > 0
|
||||||
if !isLongHeader || typeByte&0x40 == 0 {
|
if !isLongHeader || typeByte&0x40 == 0 {
|
||||||
return nil, errNotQuicInitial
|
return nil, errNotQuicInitial
|
||||||
@ -63,16 +71,14 @@ func SniffQUIC(b []byte) (*SniffHeader, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
versionNumber := binary.BigEndian.Uint32(vb)
|
versionNumber := binary.BigEndian.Uint32(vb)
|
||||||
|
|
||||||
if versionNumber != 0 && typeByte&0x40 == 0 {
|
if versionNumber != 0 && typeByte&0x40 == 0 {
|
||||||
return nil, errNotQuic
|
return nil, errNotQuic
|
||||||
} else if versionNumber != versionDraft29 && versionNumber != version1 {
|
} else if versionNumber != versionDraft29 && versionNumber != version1 {
|
||||||
return nil, errNotQuic
|
return nil, errNotQuic
|
||||||
}
|
}
|
||||||
|
|
||||||
if (typeByte&0x30)>>4 != 0x0 {
|
packetType := (typeByte & 0x30) >> 4
|
||||||
return nil, errNotQuicInitial
|
isQuicInitial := packetType == 0x0
|
||||||
}
|
|
||||||
|
|
||||||
var destConnID []byte
|
var destConnID []byte
|
||||||
if l, err := buffer.ReadByte(); err != nil {
|
if l, err := buffer.ReadByte(); err != nil {
|
||||||
@ -102,6 +108,15 @@ func SniffQUIC(b []byte) (*SniffHeader, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
hdrLen := len(b) - int(buffer.Len())
|
hdrLen := len(b) - int(buffer.Len())
|
||||||
|
if len(b) < hdrLen+int(packetLen) {
|
||||||
|
return nil, common.ErrNoClue // Not enough data to read as a QUIC packet. QUIC is UDP-based, so this is unlikely to happen.
|
||||||
|
}
|
||||||
|
|
||||||
|
restPayload := b[hdrLen+int(packetLen):]
|
||||||
|
if !isQuicInitial { // Skip this packet if it's not initial packet
|
||||||
|
b = restPayload
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
origPNBytes := make([]byte, 4)
|
origPNBytes := make([]byte, 4)
|
||||||
copy(origPNBytes, b[hdrLen:hdrLen+4])
|
copy(origPNBytes, b[hdrLen:hdrLen+4])
|
||||||
@ -142,10 +157,6 @@ func SniffQUIC(b []byte) (*SniffHeader, error) {
|
|||||||
packetNumber = uint32(n)
|
packetNumber = uint32(n)
|
||||||
}
|
}
|
||||||
|
|
||||||
if packetNumber != 0 && packetNumber != 1 {
|
|
||||||
return nil, errNotQuicInitial
|
|
||||||
}
|
|
||||||
|
|
||||||
extHdrLen := hdrLen + int(packetNumberLength)
|
extHdrLen := hdrLen + int(packetNumberLength)
|
||||||
copy(b[extHdrLen:hdrLen+4], origPNBytes[packetNumberLength:])
|
copy(b[extHdrLen:hdrLen+4], origPNBytes[packetNumberLength:])
|
||||||
data := b[extHdrLen : int(packetLen)+hdrLen]
|
data := b[extHdrLen : int(packetLen)+hdrLen]
|
||||||
@ -160,10 +171,6 @@ func SniffQUIC(b []byte) (*SniffHeader, error) {
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
buffer = buf.FromBytes(decrypted)
|
buffer = buf.FromBytes(decrypted)
|
||||||
|
|
||||||
cryptoLen := uint(0)
|
|
||||||
cryptoData := bytespool.Alloc(buffer.Len())
|
|
||||||
defer bytespool.Free(cryptoData)
|
|
||||||
for i := 0; !buffer.IsEmpty(); i++ {
|
for i := 0; !buffer.IsEmpty(); i++ {
|
||||||
frameType := byte(0x0) // Default to PADDING frame
|
frameType := byte(0x0) // Default to PADDING frame
|
||||||
for frameType == 0x0 && !buffer.IsEmpty() {
|
for frameType == 0x0 && !buffer.IsEmpty() {
|
||||||
@ -214,8 +221,14 @@ func SniffQUIC(b []byte) (*SniffHeader, error) {
|
|||||||
if err != nil || length > uint64(buffer.Len()) {
|
if err != nil || length > uint64(buffer.Len()) {
|
||||||
return nil, io.ErrUnexpectedEOF
|
return nil, io.ErrUnexpectedEOF
|
||||||
}
|
}
|
||||||
if cryptoLen < uint(offset+length) {
|
if cryptoLen < int(offset+length) {
|
||||||
cryptoLen = uint(offset + length)
|
cryptoLen = int(offset + length)
|
||||||
|
if len(cryptoData) < cryptoLen {
|
||||||
|
newCryptoData := bytespool.Alloc(int32(cryptoLen))
|
||||||
|
copy(newCryptoData, cryptoData)
|
||||||
|
bytespool.Free(cryptoData)
|
||||||
|
cryptoData = newCryptoData
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if _, err := buffer.Read(cryptoData[offset : offset+length]); err != nil { // Field: Crypto Data
|
if _, err := buffer.Read(cryptoData[offset : offset+length]); err != nil { // Field: Crypto Data
|
||||||
return nil, io.ErrUnexpectedEOF
|
return nil, io.ErrUnexpectedEOF
|
||||||
@ -244,10 +257,15 @@ func SniffQUIC(b []byte) (*SniffHeader, error) {
|
|||||||
tlsHdr := &ptls.SniffHeader{}
|
tlsHdr := &ptls.SniffHeader{}
|
||||||
err = ptls.ReadClientHello(cryptoData[:cryptoLen], tlsHdr)
|
err = ptls.ReadClientHello(cryptoData[:cryptoLen], tlsHdr)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
// The crypto data may have not been fully recovered in current packets,
|
||||||
|
// So we continue to sniff rest packets.
|
||||||
|
b = restPayload
|
||||||
|
continue
|
||||||
}
|
}
|
||||||
return &SniffHeader{domain: tlsHdr.Domain()}, nil
|
return &SniffHeader{domain: tlsHdr.Domain()}, nil
|
||||||
}
|
}
|
||||||
|
return nil, common.ErrNoClue
|
||||||
|
}
|
||||||
|
|
||||||
func hkdfExpandLabel(hash crypto.Hash, secret, context []byte, label string, length int) []byte {
|
func hkdfExpandLabel(hash crypto.Hash, secret, context []byte, label string, length int) []byte {
|
||||||
b := make([]byte, 3, 3+6+len(label)+1+len(context))
|
b := make([]byte, 3, 3+6+len(label)+1+len(context))
|
||||||
|
Loading…
Reference in New Issue
Block a user