nfqws: verify quic auth tag. improve initial packet detection

2024-11-11 17:29:16 +05:00 · 2022-03-26 21:00:58 +03:00 · 2022-03-26 21:00:58 +03:00 · 2eec88c2bf
commit 2eec88c2bf
parent 3753349058
12 changed files with 57 additions and 41 deletions
--- a/binaries/aarch64/nfqws
+++ b/binaries/aarch64/nfqws
--- a/binaries/arm/nfqws
+++ b/binaries/arm/nfqws
--- a/binaries/freebsd-x64/dvtws
+++ b/binaries/freebsd-x64/dvtws
--- a/binaries/mips32r1-lsb/nfqws
+++ b/binaries/mips32r1-lsb/nfqws
--- a/binaries/mips32r1-msb/nfqws
+++ b/binaries/mips32r1-msb/nfqws
--- a/binaries/mips64r2-msb/nfqws
+++ b/binaries/mips64r2-msb/nfqws
--- a/binaries/ppc/nfqws
+++ b/binaries/ppc/nfqws
--- a/binaries/x86/nfqws
+++ b/binaries/x86/nfqws
--- a/binaries/x86_64/nfqws
+++ b/binaries/x86_64/nfqws
--- a/nfq/crypto/aes-gcm.c
+++ b/nfq/crypto/aes-gcm.c
@ -1,38 +1,13 @@
 #include "aes-gcm.h"
-int aes_gcm_encrypt(unsigned char* output, const unsigned char* input, size_t input_length, const unsigned char* key, const size_t key_len, const unsigned char * iv, const size_t iv_len) {
+int aes_gcm_crypt(int mode, uint8_t *output, const uint8_t *input, size_t input_length, const uint8_t *key, const size_t key_len, const uint8_t *iv, const size_t iv_len, const uint8_t *adata, size_t adata_len, uint8_t *atag, size_t atag_len)
-
+{
-	int ret = 0;                // our return value
+	int ret = 0;
-	gcm_context ctx;            // includes the AES context structure
+	gcm_context ctx;
 	size_t tag_len = 0;
 	unsigned char * tag_buf = NULL;
 	gcm_setkey(&ctx, key, (const uint)key_len);
-
+	ret = gcm_crypt_and_tag(&ctx, mode, iv, iv_len, adata, adata_len, input, output, input_length, atag, atag_len);
 	ret = gcm_crypt_and_tag(&ctx, ENCRYPT, iv, iv_len, NULL, 0,
 		input, output, input_length, tag_buf, tag_len);
 	gcm_zero_ctx(&ctx);
-	return(ret);
+	return ret;
 }
 int aes_gcm_decrypt(unsigned char* output, const unsigned char* input, size_t input_length, const unsigned char* key, const size_t key_len, const unsigned char * iv, const size_t iv_len) {
 	int ret = 0;                // our return value
 	gcm_context ctx;            // includes the AES context structure
 	size_t tag_len = 0;
 	unsigned char * tag_buf = NULL;
 	gcm_setkey(&ctx, key, (const uint)key_len);
 	ret = gcm_crypt_and_tag(&ctx, DECRYPT, iv, iv_len, NULL, 0,
 		input, output, input_length, tag_buf, tag_len);
 	gcm_zero_ctx(&ctx);
 	return(ret);
 }
--- a/nfq/crypto/aes-gcm.h
+++ b/nfq/crypto/aes-gcm.h
@ -2,5 +2,5 @@
 #include "gcm.h"  
-int aes_gcm_encrypt(unsigned char* output, const unsigned char* input, size_t input_length, const unsigned char* key, const size_t key_len, const unsigned char * iv, const size_t iv_len);
+// mode : ENCRYPT, DECRYPT
-int aes_gcm_decrypt(unsigned char* output, const unsigned char* input, size_t input_length, const unsigned char* key, const size_t key_len, const unsigned char * iv, const size_t iv_len);
+int aes_gcm_crypt(int mode, uint8_t *output, const uint8_t *input, size_t input_length, const uint8_t *key, const size_t key_len, const uint8_t *iv, const size_t iv_len, const uint8_t *adata, size_t adata_len, uint8_t *atag, size_t atag_len);
--- a/nfq/protocol.c
+++ b/nfq/protocol.c
@ -247,6 +247,10 @@ static bool is_quic_version_with_v1_labels(uint32_t version)
 		return true;
 	return is_quic_draft_max(QUICDraftVersion(version), 34);
 }
 static bool is_quic_v2(uint32_t version)
 {
    return version == 0x709A50C4;
 }
 static bool quic_hkdf_expand_label(const uint8_t *secret, uint8_t secret_len, const char *label, uint8_t *out, size_t out_len)
@ -424,7 +428,18 @@ bool QUICDecryptInitial(const uint8_t *data, size_t data_len, uint8_t *clean, si
 	*clean_len = cryptlen;
 	const uint8_t *decrypt_begin = data + pn_offset + pkn_len;
-	return !aes_gcm_decrypt(clean, decrypt_begin, cryptlen, aeskey, sizeof(aeskey), aesiv, sizeof(aesiv));
+	uint8_t atag[16],header[256];
 	size_t header_len = pn_offset + pkn_len;
 	if (header_len > sizeof(header)) return false; // not likely header will be so large
 	memcpy(header, data, header_len);
 	header[0] = packet0;
 	for(uint8_t i = 0; i < pkn_len; i++) header[header_len - 1 - i] = (uint8_t)(pkn >> (8 * i));
 	if (aes_gcm_crypt(DECRYPT, clean, decrypt_begin, cryptlen, aeskey, sizeof(aeskey), aesiv, sizeof(aesiv), header, header_len, atag, sizeof(atag)))
 		return false;
 	// check if message was decrypted correctly : good keys , no data corruption
 	return !memcmp(data + pn_offset + pkn_len + cryptlen, atag, 16);
 }
 bool QUICDefragCrypto(const uint8_t *clean,size_t clean_len, uint8_t *defrag,size_t *defrag_len)
@ -509,12 +524,38 @@ bool QUICExtractHostFromInitial(const uint8_t *data, size_t data_len, char *host
 bool IsQUICInitial(const uint8_t *data, size_t len)
 {
-	// long header, fixed bit, type=initial
+	// too small packets are not likely to be initials with client hello
-	if (len < 512 || (data[0] & 0xF0) != 0xC0) return false;
+	if (len < 256) return false;
-	const uint8_t *p = data + 1;
+
-	uint32_t ver = ntohl(*(uint32_t*)p);
+	// this also ensures long header
 	uint32_t ver = QUICExtractVersion(data,len);
 	if (QUICDraftVersion(ver) < 11) return false;
-	p += 4;
+
-	if (!*p || *p > QUIC_MAX_CID_LENGTH) return false;
+	// quic v1 : initial packets are 00b
-	return true;
+	// quic v2 : initial packets are 01b
 	if ((data[0] & 0x30) != (is_quic_v2(ver) ? 0x10 : 0x00)) return false;
 	uint64_t offset=5, sz;
 	// DCID. must be present
 	if (!data[offset] || data[offset] > QUIC_MAX_CID_LENGTH) return false;
 	offset += 1 + data[offset];
 	// SCID
 	if (data[offset] > QUIC_MAX_CID_LENGTH) return false;
 	offset += 1 + data[offset];
 	// token length
 	offset += tvb_get_varint(data + offset, &sz);
 	offset += sz;
 	if (offset >= len) return false;
 	// payload length
 	if ((offset + tvb_get_size(data[offset])) >= len) return false;
 	tvb_get_varint(data + offset, &sz);
 	offset += sz;
 	if (offset > len) return false;
 	// client hello cannot be too small. likely ACK
 	return sz>=96;
 }