Skip to content

Commit

Permalink
Comprehensive Overhaul of Wireshark Integration
Browse files Browse the repository at this point in the history 
- Upgrade Ubuntu to version 24.04.
- Upgrade Wireshark to version 4.4.1.
- Integrate OpenSSL 3 with liboqs and the OQS provider.
- Automate the generation of `qsc.h` using `generate_qsc_header.py`.
- Organize the build with dedicated directories for sources, builds, and installations.
- Migrate from Qt5 to Qt6 for improved compatibility.
- Update `README.md` and `USAGE.md`.
  • Loading branch information
@Hawazyn
Hawazyn committed Nov 21, 2024
1 parent 333de4b commit 2e7be3c
Show file tree
Hide file tree
Showing 8 changed files with 282 additions and 215 deletions.
222 changes: 151 additions & 71 deletions wireshark/Dockerfile
View file
Original file line number Diff line number Diff line change
@@ -1,75 +1,155 @@
# Define the wireshark version to be baked in.
ARG WIRESHARK_VERSION=3.4.9
# This Dockerfile builds a Wireshark image with Open Quantum Safe (OQS) support.
# By integrating OQS, the resulting Wireshark build is capable of
# analyzing and handling post-quantum cryptographic protocols.

# Define the SSL naming convention: One of "wolfssl" and "oqs"
ARG QSC_SSL_FLAVOR="oqs"
# Define the base versions and tags for dependencies
ARG UBUNTU_VERSION=24.04
ARG WIRESHARK_VERSION=4.4.1
ARG OPENSSL_TAG=3.4.0
ARG LIBOQS_TAG=0.11.0
ARG OQSPROVIDER_TAG=0.7.0

FROM ubuntu as intermediate
ENV DEBIAN_FRONTEND noninteractive
# Define Installation directory
ARG INSTALLDIR=/opt/oqs

# Stage 1: Building stage
FROM ubuntu:${UBUNTU_VERSION} AS build

LABEL version="2"

ENV DEBIAN_FRONTEND=noninteractive
ARG WIRESHARK_VERSION
ARG QSC_SSL_FLAVOR

RUN apt update && apt upgrade -y

# Get all software packages required for building wireshark:
RUN apt install -y gcc g++ \
libtool \
automake \
autoconf \
cmake \
ninja-build \
git \
curl \
perl \
flex \
bison \
2to3 python2-minimal python2 dh-python python-is-python3 \
python3 \
libssl-dev \
libgcrypt-dev \
libpcap-dev \
libc-ares-dev \
qtbase5-dev qttools5-dev-tools qttools5-dev qtmultimedia5-dev \
wget \
libssh-dev

# Get the source and unpack it.
WORKDIR /tmp
RUN curl --output wireshark-${WIRESHARK_VERSION}.tar.xz https://2.na.dl.wireshark.org/src/all-versions/wireshark-${WIRESHARK_VERSION}.tar.xz && tar xmvf wireshark-${WIRESHARK_VERSION}.tar.xz

WORKDIR /tmp/wireshark-${WIRESHARK_VERSION}

COPY wolfssl-qsc.h wolfssl-qsc.h

# Decide on QSC naming/ID mapping
RUN if [ "x$QSC_SSL_FLAVOR" = "xoqs" ] ; then \
wget https://raw.githubusercontent.com/open-quantum-safe/openssl/OQS-OpenSSL_1_1_1-stable/qsc.h; \
elif [ "x$QSC_SSL_FLAVOR" = "xwolfssl" ]; then \
mv wolfssl-qsc.h qsc.h; \
else \
echo "Unknown naming convention in QSC_SSL_FLAVOR ($QSC_SSL_FLAVOR). Exiting."; \
exit 1; \
fi

# Patch QSC-specific ids into wireshark code base
RUN cp qsc.h epan/dissectors && \
sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-pkcs1.c && \
sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-tls-utils.c && \
sed -i "s/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");\nQSC_SIGS/g" epan/dissectors/packet-pkcs1.c && \
sed -i "s/ { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\// { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\/\nQSC_KEMS/g" epan/dissectors/packet-tls-utils.c && \
sed -i "s/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,\nQSC_SIG_CPS/g" epan/dissectors/packet-tls-utils.c

# Build wireshark
RUN mkdir -p build && cd build && cmake -GNinja -DCMAKE_INSTALL_PREFIX=/opt/wireshark .. && ninja && ninja install

FROM ubuntu
ENV DEBIAN_FRONTEND noninteractive

RUN apt update && apt upgrade -y && apt install -y qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools libc-ares2 libqt5multimedia5 pcaputils libssh-dev

# Only retain the ${INSTALLDIR} contents in the final image
COPY --from=intermediate /opt/wireshark /opt/wireshark


CMD /opt/wireshark/bin/wireshark
ARG OPENSSL_TAG
ARG LIBOQS_TAG
ARG OQSPROVIDER_TAG
ARG INSTALLDIR

# Install essential build dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
build-essential libtool automake autoconf cmake ninja-build \
openssl libssl-dev git wget ca-certificates \
python3 python3-pip python3-venv && \
apt-get clean && rm -rf /var/lib/apt/lists/*

WORKDIR /opt
# Set up isolated directories
# src for source files, build for compiling, and install for final binaries
RUN mkdir -p src/liboqs src/openssl src/oqs-provider src/wireshark \
build/liboqs build/openssl build/oqs-provider build/wireshark \
${INSTALLDIR}/lib ${INSTALLDIR}/bin ${INSTALLDIR}/ssl

# Download sources
WORKDIR /opt/src
RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs.git liboqs && \
git clone --depth 1 --branch openssl-${OPENSSL_TAG} https://github.com/openssl/openssl.git openssl && \
git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git oqs-provider && \
wget -O wireshark.tar.xz https://www.wireshark.org/download/src/all-versions/wireshark-${WIRESHARK_VERSION}.tar.xz && \
tar -xf wireshark.tar.xz --strip-components=1 -C wireshark && \
rm wireshark.tar.xz

# Build and install liboqs
WORKDIR /opt/build/liboqs
RUN cmake -G Ninja /opt/src/liboqs \
-D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/liboqs \
-D BUILD_SHARED_LIBS=ON \
-D OQS_USE_OPENSSL=OFF \
-D CMAKE_INSTALL_RPATH="${INSTALLDIR}/liboqs/lib" && \
ninja -j$(nproc) && ninja install

# Build OpenSSL integrated with liboqs
WORKDIR /opt/build/openssl
RUN LDFLAGS="-Wl,-rpath,${INSTALLDIR}/liboqs/lib" \
/opt/src/openssl/config \
--prefix=${INSTALLDIR}/openssl \
--openssldir=${INSTALLDIR}/ssl \
shared && \
make -j$(nproc) && \
make install_sw install_ssldirs

# Build OQS provider for OpenSSL integration
WORKDIR /opt/build/oqs-provider
RUN cmake -G Ninja \
-D OPENSSL_ROOT_DIR=${INSTALLDIR}/openssl \
-D CMAKE_PREFIX_PATH="${INSTALLDIR}/openssl;${INSTALLDIR}/liboqs" \
-D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/oqs-provider \
-D CMAKE_INSTALL_RPATH="${INSTALLDIR}/openssl/lib:${INSTALLDIR}/liboqs/lib" \
/opt/src/oqs-provider && \
ninja -j$(nproc) && \
mkdir -p ${INSTALLDIR}/openssl/lib/ossl-modules && \
cp /opt/build/oqs-provider/lib/oqsprovider.so ${INSTALLDIR}/openssl/lib/ossl-modules

# Set up OpenSSL to load the OQS provider
RUN CONFIG_FILE="${INSTALLDIR}/ssl/openssl.cnf" && \
sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" "$CONFIG_FILE" && \
sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" "$CONFIG_FILE"

# Using a script from Wireshark to install required build dependencies
WORKDIR /opt/src/wireshark
RUN ./tools/debian-setup.sh -y

# Generate `qsc.h`
WORKDIR ${INSTALLDIR}
RUN cp /opt/src/oqs-provider/oqs-template/generate.yml ${INSTALLDIR}
COPY generate_qsc_header.py ${INSTALLDIR}
COPY qsc_template.jinja2 ${INSTALLDIR}
COPY requirements.txt ${INSTALLDIR}

RUN python3 -m venv ${INSTALLDIR}/venv && \
. ${INSTALLDIR}/venv/bin/activate && \
pip install -r requirements.txt && \
python ${INSTALLDIR}/generate_qsc_header.py && \
deactivate

RUN cp ${INSTALLDIR}/qsc.h /opt/src/wireshark/epan/dissectors/

# Modify Wireshark source files for post-quantum definitions
WORKDIR /opt/src/wireshark
RUN sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-pkcs1.c && \
sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-tls-utils.c && \
sed -i "s/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");\nQSC_SIGS/g" epan/dissectors/packet-pkcs1.c && \
sed -i "s/ { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\// { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\/\nQSC_KEMS/g" epan/dissectors/packet-tls-utils.c && \
sed -i "s/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,\nQSC_SIG_CPS/g" epan/dissectors/packet-tls-utils.c

# Build and install Wireshark
WORKDIR /opt/build/wireshark
RUN cmake -G Ninja /opt/src/wireshark \
-D QT5=OFF \
-D QT6=ON \
-D CMAKE_BUILD_TYPE=Release \
-D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/wireshark \
-D CMAKE_PREFIX_PATH="${INSTALLDIR}/openssl;${INSTALLDIR}/liboqs" \
-D CMAKE_INSTALL_RPATH="${INSTALLDIR}/openssl/lib:${INSTALLDIR}/liboqs/lib" && \
ninja -j$(nproc) && ninja install

# Test integration of OQS provider with OpenSSL
WORKDIR /opt/src/oqs-provider
ENV OPENSSL_CONF=${INSTALLDIR}/ssl/openssl.cnf
ENV OPENSSL_MODULES=${INSTALLDIR}/openssl/lib/ossl-modules
RUN mkdir -p _build
RUN ./scripts/runtests.sh -j$(nproc)

# Stage 2: Minimal runtime image
FROM ubuntu:${UBUNTU_VERSION} AS runtime

ENV DEBIAN_FRONTEND=noninteractive
ARG INSTALLDIR

# Install necessary runtime dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
libc-ares2 pcaputils libssh-4 libgcrypt20 \
libglib2.0-0 libpcap0.8 libspeexdsp1 zlib1g \
libqt6core6 libqt6gui6 libqt6widgets6 libqt6printsupport6 \
libqt6core5compat6 libqt6dbus6 libqt6multimedia6 libgpg-error0 && \
apt-get clean && rm -rf /var/lib/apt/lists/*

ENV PATH="${INSTALLDIR}/wireshark/bin:${INSTALLDIR}/openssl/bin:${PATH}"
ENV OPENSSL_CONF=${INSTALLDIR}/ssl/openssl.cnf
ENV OPENSSL_MODULES=${INSTALLDIR}/openssl/lib/ossl-modules

# Copy essential files from build stage
COPY --from=build ${INSTALLDIR}/wireshark ${INSTALLDIR}/wireshark
COPY --from=build ${INSTALLDIR}/openssl ${INSTALLDIR}/openssl
COPY --from=build ${INSTALLDIR}/liboqs ${INSTALLDIR}/liboqs
COPY --from=build ${INSTALLDIR}/ssl ${INSTALLDIR}/ssl

CMD ["wireshark"]
44 changes: 25 additions & 19 deletions wireshark/README.md
View file
Original file line number Diff line number Diff line change
@@ -1,31 +1,37 @@
# DEPRECATED
This project provides a Docker image to build [Wireshark](https://www.wireshark.org/) with quantum-safe cryptography
support through the [Open Quantum Safe (OQS) provider](https://github.com/open-quantum-safe/oqs-provider). This Docker
image allows Wireshark to analyze network traffic encrypted with post-quantum cryptographic protocols.

> [!Warning]
> This integration is currently not supported due to [the end of life of oqs-openssl111](https://github.com/open-quantum-safe/openssl#warning).
## System Requirements

This directory contains a Dockerfile that builds wireshark that is patched to understand the OIDs and codepoints in TLS 1.3 that are supported by OQS-OpenSSL.
- **Docker**: Ensure [Docker](https://docs.docker.com/get-docker/) is installed and running on your system.
- **X-Window System (for GUI Display)**:
- **Linux**: Run `xhost +si:localuser:$USER` to allow Docker to access the display.
- **Windows/macOS**: Install an X server such as [VcXsrv](https://sourceforge.net/projects/vcxsrv/) (Windows)
or [XQuartz](https://www.xquartz.org/) (macOS) and start it, ensuring to **disable access control** and **disable
native OpenGL**.

## Quick start
## Project Components

1) Be sure to have [docker installed](https://docs.docker.com/install).
2) Run `docker build -t openquantumsafe/wireshark .` to create an QSC-enabled (codepoint and OID aware) wireshark docker image.
1. **Dockerfile**: Builds Wireshark with OpenSSL, liboqs, and OQS provider.
2. **generate_qsc_header.py**: Processes `oqs-provider/oqs-template/generate.yml` with the `qsc_template.jinja2` to generate `qsc.h`,
defining post-quantum KEMs and SIGs for Wireshark.

## Usage
For detailed usage instructions, refer to [USAGE.md](USAGE.md).

Information how to use the image is [available in the separate file USAGE.md](USAGE.md).
## Build Configuration and Updates

## Build options
Customize the build using the following Dockerfile arguments:

The Dockerfile provided allows for customization of the image built:
- **`UBUNTU_VERSION`**: Specifies the Ubuntu version (default: latest stable).
- **`WIRESHARK_VERSION`**: Defines the Wireshark version to build.
- **`INSTALLDIR`**: Sets the installation path for OQS libraries (default: `/opt/oqs`).

### WIRESHARK_VERSION
Use `--build-arg ARG_NAME=value` in the `docker build` command to adjust these values.

This permits changing the wireshark code base to be used.
To keep the build up-to-date, the `Dockerfile` and `generate_qsc_header.py` are designed for easy updates:

Tested default value is "3.4.9".

### QSC_SSL_FLAVOR

Different quantum-safe TLS implementations have different names for the same algorithms. This option permits switching between them. Permitted values are "oqs" and "wolfssl".

Default is "oqs".
- Update the Ubuntu and Wireshark versions by modifying the `UBUNTU_VERSION` and `WIRESHARK_VERSION` arguments.
- The `generate_qsc_header.py` script automatically fetches new OQS algorithms, ensuring the latest definitions are
included.
68 changes: 40 additions & 28 deletions wireshark/USAGE.md
View file
Original file line number Diff line number Diff line change
@@ -1,43 +1,55 @@
# OQS-wireshark
This project provides a Docker image to build [Wireshark](https://www.wireshark.org/) with quantum-safe cryptography
support through the [Open Quantum Safe (OQS) provider](https://github.com/open-quantum-safe/oqs-provider). This Docker
image allows Wireshark to analyze network traffic encrypted with post-quantum cryptographic protocols.

This docker image contains a version of [wireshark](https://www.wireshark.org/) built to also properly display quantum-safe crypto (QSC) TLS operations.
## Quick Start Guide

To this end, it contains references to algorithms supported by [liboqs](https://github.com/open-quantum-safe/liboqs) and [OQS-OpenSSL](https://github.com/open-quantum-safe/openssl) from the [OpenQuantumSafe](https://openquantumsafe.org) project.
```bash
git clone https://github.com/open-quantum-safe/oqs-demos
cd oqs-demos/wireshark
docker build -t wireshark-oqs .
docker run --rm -it --net=host -e DISPLAY=<your_host_ip>:<your_display_port> -v /tmp/.X11-unix:/tmp/.X11-unix wireshark-oqs
```

The image is based on Ubuntu and requires the host to run the Unix X-Window system.
Replace `<your_host_ip>` with your IP address (e.g., `192.168.x.x`) and `<your_display_port>` with your display port,
typically `:0`.

## Quick start
## Running Wireshark

Execute this command to open the wireshark window on your host:
You can run the Wireshark Docker container on Linux or Windows using the following command:

docker run --net=host --privileged --env="DISPLAY" --volume="$HOME/.Xauthority:/root/.Xauthority:rw" openquantumsafe/wireshark
```bash
docker run --rm -it --net=host -e DISPLAY=<your_host_ip>:<your_display_port> -v /tmp/.X11-unix:/tmp/.X11-unix wireshark-oqs
```

Then proceed [using wireshark as usual](https://www.wireshark.org/docs/), e.g., by selecting a network interface to monitor/dissect.
Replace `<your_host_ip>` with your IP address (e.g., `192.168.x.x`) and `<your_display_port>` with your display port,
typically `:0`.

*Note*: You may need to grant permissions for Docker to access the X display:
Note: macOS support has not been tested yet. We welcome your feedback and suggestions. Please reach us through
the [oqs-demos issue section](https://github.com/open-quantum-safe/oqs-demos/issues).

xhost +si:localuser:$USER
### Explanation of Docker Options

## Suggested test
- `--net=host`: Shares the host network with the container.
- `-e DISPLAY`: Sets the display variable for GUI.
- `-v /tmp/.X11-unix:/tmp/.X11-unix`: Mounts the X11 Unix socket for GUI access.

At https://test.openquantumsafe.org most quantum-safe algorithms that are still part of the NIST PQC competition are available for TLS interoperability testing.
## Testing Quantum-Safe Protocols

As a client, we recommend using an OQS-enabled `curl` docker image that may be executed for a quick initial test as follows:
Once Wireshark is running, you can capture and filter quantum-safe cryptographic traffic.
At https://test.openquantumsafe.org, most quantum-safe algorithms from the NIST PQC competition are available for TLS
testing. As a client, we recommend using an OQS-enabled curl Docker image for a quick test.

docker run -it openquantumsafe/curl sh -c "curl -k https://test.openquantumsafe.org:6001 --curves frodo640aes"
1. **Filter by Quantum-Safe Protocols**: Use the following Wireshark display filter:
```plaintext
tls && ip.addr == <test.openquantumsafe.org IP>
```
Replace `<test.openquantumsafe.org IP>` with the IP address of `test.openquantumsafe.org`.

For more details regarding the client-side options, we recommend reviewing https://hub.docker.com/repository/docker/openquantumsafe/curl
2. **Test Quantum-Safe Connections**:
```bash
docker run -it openquantumsafe/curl sh -c "curl -k https://test.openquantumsafe.org:6069 --curves kyber1024"
```
You can replace the port (e.g., `6069`) and the algorithm (e.g., `kyber1024`) in the command with the corresponding
values from the [Open Quantum Safe test page](https://test.openquantumsafe.org/).

### Focus on quantum-safe data traffic

In order to focus `wireshark` on the quantum safe TLS traffic generated by the above `curl` command, we recommend setting a wireshark display filter as follows

ip.addr == 149.81.106.123 && tls

which is the current IP address of the OQS interop test server at https://test.openquantumsafe.org.

Other algorithms can be configured for use as per the [documentation for OQS-curl](https://hub.docker.com/repository/docker/openquantumsafe/curl) and the [OQS test server](https://test.openquantumsafe.org).

When digging into the TLS traffic, the actual quantum-safe KEM algorithm requested can be seen within the Client and/or Server Hello messages (check "TLS->TLSv1.3 Record Layer->Handshake protocol->Extension: key share").

*Note:* `wireshark` might not recognize the TLS traffic as such due to the ports used at the OQS interoperability test server. In such case, enable the port of interest within the wireshark UI by adding it to the "SSL/TLS Ports" list (Edit->Preferences->Protocols->HTTP).
Loading

0 comments on commit 2e7be3c

Please sign in to comment.