QUIC sniffer: handle multiple initial packets (#3802)

* QUIC sniffer: handle multiple initial packets
Basically copied from Vigilans/v2ray-core@8f33db0

Co-Authored-By: Vigilans <vigilans@foxmail.com>

* Remove unnecessary file

---------

Co-authored-by: Vigilans <vigilans@foxmail.com>
This commit is contained in:
风扇滑翔翼 2024-09-14 01:32:43 +08:00 committed by GitHub
parent 7970f240de
commit 781aaee21f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 217 additions and 178 deletions

View File

@ -41,8 +41,14 @@ func (r *cachedReader) Cache(b *buf.Buffer) {
if !mb.IsEmpty() { if !mb.IsEmpty() {
r.cache, _ = buf.MergeMulti(r.cache, mb) r.cache, _ = buf.MergeMulti(r.cache, mb)
} }
cacheLen := r.cache.Len()
if cacheLen <= b.Cap() {
b.Clear() b.Clear()
rawBytes := b.Extend(buf.Size) } else {
b.Release()
*b = *buf.NewWithSize(cacheLen)
}
rawBytes := b.Extend(cacheLen)
n := r.cache.Copy(rawBytes) n := r.cache.Copy(rawBytes)
b.Resize(0, int32(n)) b.Resize(0, int32(n))
r.Unlock() r.Unlock()

View File

@ -207,6 +207,21 @@ func (b *Buffer) Len() int32 {
return b.end - b.start return b.end - b.start
} }
// Cap returns the capacity of the buffer content.
func (b *Buffer) Cap() int32 {
if b == nil {
return 0
}
return int32(len(b.v))
}
// NewWithSize creates a Buffer with 0 length and capacity with at least the given size.
func NewWithSize(size int32) *Buffer {
return &Buffer{
v: bytespool.Alloc(size),
}
}
// IsEmpty returns true if the buffer is empty. // IsEmpty returns true if the buffer is empty.
func (b *Buffer) IsEmpty() bool { func (b *Buffer) IsEmpty() bool {
return b.Len() == 0 return b.Len() == 0

View File

@ -47,11 +47,19 @@ var (
) )
func SniffQUIC(b []byte) (*SniffHeader, error) { func SniffQUIC(b []byte) (*SniffHeader, error) {
// Crypto data separated across packets
cryptoLen := 0
cryptoData := bytespool.Alloc(int32(len(b)))
defer bytespool.Free(cryptoData)
// Parse QUIC packets
for len(b) > 0 {
buffer := buf.FromBytes(b) buffer := buf.FromBytes(b)
typeByte, err := buffer.ReadByte() typeByte, err := buffer.ReadByte()
if err != nil { if err != nil {
return nil, errNotQuic return nil, errNotQuic
} }
isLongHeader := typeByte&0x80 > 0 isLongHeader := typeByte&0x80 > 0
if !isLongHeader || typeByte&0x40 == 0 { if !isLongHeader || typeByte&0x40 == 0 {
return nil, errNotQuicInitial return nil, errNotQuicInitial
@ -63,16 +71,14 @@ func SniffQUIC(b []byte) (*SniffHeader, error) {
} }
versionNumber := binary.BigEndian.Uint32(vb) versionNumber := binary.BigEndian.Uint32(vb)
if versionNumber != 0 && typeByte&0x40 == 0 { if versionNumber != 0 && typeByte&0x40 == 0 {
return nil, errNotQuic return nil, errNotQuic
} else if versionNumber != versionDraft29 && versionNumber != version1 { } else if versionNumber != versionDraft29 && versionNumber != version1 {
return nil, errNotQuic return nil, errNotQuic
} }
if (typeByte&0x30)>>4 != 0x0 { packetType := (typeByte & 0x30) >> 4
return nil, errNotQuicInitial isQuicInitial := packetType == 0x0
}
var destConnID []byte var destConnID []byte
if l, err := buffer.ReadByte(); err != nil { if l, err := buffer.ReadByte(); err != nil {
@ -102,6 +108,15 @@ func SniffQUIC(b []byte) (*SniffHeader, error) {
} }
hdrLen := len(b) - int(buffer.Len()) hdrLen := len(b) - int(buffer.Len())
if len(b) < hdrLen+int(packetLen) {
return nil, common.ErrNoClue // Not enough data to read as a QUIC packet. QUIC is UDP-based, so this is unlikely to happen.
}
restPayload := b[hdrLen+int(packetLen):]
if !isQuicInitial { // Skip this packet if it's not initial packet
b = restPayload
continue
}
origPNBytes := make([]byte, 4) origPNBytes := make([]byte, 4)
copy(origPNBytes, b[hdrLen:hdrLen+4]) copy(origPNBytes, b[hdrLen:hdrLen+4])
@ -142,10 +157,6 @@ func SniffQUIC(b []byte) (*SniffHeader, error) {
packetNumber = uint32(n) packetNumber = uint32(n)
} }
if packetNumber != 0 && packetNumber != 1 {
return nil, errNotQuicInitial
}
extHdrLen := hdrLen + int(packetNumberLength) extHdrLen := hdrLen + int(packetNumberLength)
copy(b[extHdrLen:hdrLen+4], origPNBytes[packetNumberLength:]) copy(b[extHdrLen:hdrLen+4], origPNBytes[packetNumberLength:])
data := b[extHdrLen : int(packetLen)+hdrLen] data := b[extHdrLen : int(packetLen)+hdrLen]
@ -160,10 +171,6 @@ func SniffQUIC(b []byte) (*SniffHeader, error) {
return nil, err return nil, err
} }
buffer = buf.FromBytes(decrypted) buffer = buf.FromBytes(decrypted)
cryptoLen := uint(0)
cryptoData := bytespool.Alloc(buffer.Len())
defer bytespool.Free(cryptoData)
for i := 0; !buffer.IsEmpty(); i++ { for i := 0; !buffer.IsEmpty(); i++ {
frameType := byte(0x0) // Default to PADDING frame frameType := byte(0x0) // Default to PADDING frame
for frameType == 0x0 && !buffer.IsEmpty() { for frameType == 0x0 && !buffer.IsEmpty() {
@ -214,8 +221,14 @@ func SniffQUIC(b []byte) (*SniffHeader, error) {
if err != nil || length > uint64(buffer.Len()) { if err != nil || length > uint64(buffer.Len()) {
return nil, io.ErrUnexpectedEOF return nil, io.ErrUnexpectedEOF
} }
if cryptoLen < uint(offset+length) { if cryptoLen < int(offset+length) {
cryptoLen = uint(offset + length) cryptoLen = int(offset + length)
if len(cryptoData) < cryptoLen {
newCryptoData := bytespool.Alloc(int32(cryptoLen))
copy(newCryptoData, cryptoData)
bytespool.Free(cryptoData)
cryptoData = newCryptoData
}
} }
if _, err := buffer.Read(cryptoData[offset : offset+length]); err != nil { // Field: Crypto Data if _, err := buffer.Read(cryptoData[offset : offset+length]); err != nil { // Field: Crypto Data
return nil, io.ErrUnexpectedEOF return nil, io.ErrUnexpectedEOF
@ -244,9 +257,14 @@ func SniffQUIC(b []byte) (*SniffHeader, error) {
tlsHdr := &ptls.SniffHeader{} tlsHdr := &ptls.SniffHeader{}
err = ptls.ReadClientHello(cryptoData[:cryptoLen], tlsHdr) err = ptls.ReadClientHello(cryptoData[:cryptoLen], tlsHdr)
if err != nil { if err != nil {
return nil, err // The crypto data may have not been fully recovered in current packets,
// So we continue to sniff rest packets.
b = restPayload
continue
} }
return &SniffHeader{domain: tlsHdr.Domain()}, nil return &SniffHeader{domain: tlsHdr.Domain()}, nil
}
return nil, common.ErrNoClue
} }
func hkdfExpandLabel(hash crypto.Hash, secret, context []byte, label string, length int) []byte { func hkdfExpandLabel(hash crypto.Hash, secret, context []byte, label string, length int) []byte {