From 2e7be3cfc2e97d982e6dd69dff1b25f7cd3d96b8 Mon Sep 17 00:00:00 2001 From: Khalid <187553667+itsHayyaf@users.noreply.github.com> Date: Thu, 21 Nov 2024 14:45:14 +0300 Subject: [PATCH] Comprehensive Overhaul of Wireshark Integration - Upgrade Ubuntu to version 24.04. - Upgrade Wireshark to version 4.4.1. - Integrate OpenSSL 3 with liboqs and the OQS provider. - Automate the generation of `qsc.h` using `generate_qsc_header.py`. - Organize the build with dedicated directories for sources, builds, and installations. - Migrate from Qt5 to Qt6 for improved compatibility. - Update `README.md` and `USAGE.md`. --- wireshark/Dockerfile | 222 +++++++++++++++++++++---------- wireshark/README.md | 44 +++--- wireshark/USAGE.md | 68 ++++++---- wireshark/build.sh | 61 --------- wireshark/generate_qsc_header.py | 15 +++ wireshark/qsc_template.jinja2 | 49 +++++++ wireshark/requirements.txt | 2 + wireshark/wolfssl-qsc.h | 36 ----- 8 files changed, 282 insertions(+), 215 deletions(-) delete mode 100755 wireshark/build.sh create mode 100644 wireshark/generate_qsc_header.py create mode 100644 wireshark/qsc_template.jinja2 create mode 100644 wireshark/requirements.txt delete mode 100644 wireshark/wolfssl-qsc.h diff --git a/wireshark/Dockerfile b/wireshark/Dockerfile index 1592cb22..c244a8c0 100755 --- a/wireshark/Dockerfile +++ b/wireshark/Dockerfile @@ -1,75 +1,155 @@ -# Define the wireshark version to be baked in. -ARG WIRESHARK_VERSION=3.4.9 +# This Dockerfile builds a Wireshark image with Open Quantum Safe (OQS) support. +# By integrating OQS, the resulting Wireshark build is capable of +# analyzing and handling post-quantum cryptographic protocols. -# Define the SSL naming convention: One of "wolfssl" and "oqs" -ARG QSC_SSL_FLAVOR="oqs" +# Define the base versions and tags for dependencies +ARG UBUNTU_VERSION=24.04 +ARG WIRESHARK_VERSION=4.4.1 +ARG OPENSSL_TAG=3.4.0 +ARG LIBOQS_TAG=0.11.0 +ARG OQSPROVIDER_TAG=0.7.0 -FROM ubuntu as intermediate -ENV DEBIAN_FRONTEND noninteractive +# Define Installation directory +ARG INSTALLDIR=/opt/oqs +# Stage 1: Building stage +FROM ubuntu:${UBUNTU_VERSION} AS build + +LABEL version="2" + +ENV DEBIAN_FRONTEND=noninteractive ARG WIRESHARK_VERSION -ARG QSC_SSL_FLAVOR - -RUN apt update && apt upgrade -y - -# Get all software packages required for building wireshark: -RUN apt install -y gcc g++ \ - libtool \ - automake \ - autoconf \ - cmake \ - ninja-build \ - git \ - curl \ - perl \ - flex \ - bison \ - 2to3 python2-minimal python2 dh-python python-is-python3 \ - python3 \ - libssl-dev \ - libgcrypt-dev \ - libpcap-dev \ - libc-ares-dev \ - qtbase5-dev qttools5-dev-tools qttools5-dev qtmultimedia5-dev \ - wget \ - libssh-dev - -# Get the source and unpack it. -WORKDIR /tmp -RUN curl --output wireshark-${WIRESHARK_VERSION}.tar.xz https://2.na.dl.wireshark.org/src/all-versions/wireshark-${WIRESHARK_VERSION}.tar.xz && tar xmvf wireshark-${WIRESHARK_VERSION}.tar.xz - -WORKDIR /tmp/wireshark-${WIRESHARK_VERSION} - -COPY wolfssl-qsc.h wolfssl-qsc.h - -# Decide on QSC naming/ID mapping -RUN if [ "x$QSC_SSL_FLAVOR" = "xoqs" ] ; then \ - wget https://raw.githubusercontent.com/open-quantum-safe/openssl/OQS-OpenSSL_1_1_1-stable/qsc.h; \ -elif [ "x$QSC_SSL_FLAVOR" = "xwolfssl" ]; then \ - mv wolfssl-qsc.h qsc.h; \ -else \ - echo "Unknown naming convention in QSC_SSL_FLAVOR ($QSC_SSL_FLAVOR). Exiting."; \ - exit 1; \ -fi - -# Patch QSC-specific ids into wireshark code base -RUN cp qsc.h epan/dissectors && \ - sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-pkcs1.c && \ - sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-tls-utils.c && \ - sed -i "s/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");\nQSC_SIGS/g" epan/dissectors/packet-pkcs1.c && \ - sed -i "s/ { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\// { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\/\nQSC_KEMS/g" epan/dissectors/packet-tls-utils.c && \ - sed -i "s/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,\nQSC_SIG_CPS/g" epan/dissectors/packet-tls-utils.c - -# Build wireshark -RUN mkdir -p build && cd build && cmake -GNinja -DCMAKE_INSTALL_PREFIX=/opt/wireshark .. && ninja && ninja install - -FROM ubuntu -ENV DEBIAN_FRONTEND noninteractive - -RUN apt update && apt upgrade -y && apt install -y qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools libc-ares2 libqt5multimedia5 pcaputils libssh-dev - -# Only retain the ${INSTALLDIR} contents in the final image -COPY --from=intermediate /opt/wireshark /opt/wireshark - - -CMD /opt/wireshark/bin/wireshark +ARG OPENSSL_TAG +ARG LIBOQS_TAG +ARG OQSPROVIDER_TAG +ARG INSTALLDIR + +# Install essential build dependencies +RUN apt-get update && apt-get install -y --no-install-recommends \ + build-essential libtool automake autoconf cmake ninja-build \ + openssl libssl-dev git wget ca-certificates \ + python3 python3-pip python3-venv && \ + apt-get clean && rm -rf /var/lib/apt/lists/* + +WORKDIR /opt +# Set up isolated directories +# src for source files, build for compiling, and install for final binaries +RUN mkdir -p src/liboqs src/openssl src/oqs-provider src/wireshark \ + build/liboqs build/openssl build/oqs-provider build/wireshark \ + ${INSTALLDIR}/lib ${INSTALLDIR}/bin ${INSTALLDIR}/ssl + +# Download sources +WORKDIR /opt/src +RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs.git liboqs && \ + git clone --depth 1 --branch openssl-${OPENSSL_TAG} https://github.com/openssl/openssl.git openssl && \ + git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git oqs-provider && \ + wget -O wireshark.tar.xz https://www.wireshark.org/download/src/all-versions/wireshark-${WIRESHARK_VERSION}.tar.xz && \ + tar -xf wireshark.tar.xz --strip-components=1 -C wireshark && \ + rm wireshark.tar.xz + +# Build and install liboqs +WORKDIR /opt/build/liboqs +RUN cmake -G Ninja /opt/src/liboqs \ + -D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/liboqs \ + -D BUILD_SHARED_LIBS=ON \ + -D OQS_USE_OPENSSL=OFF \ + -D CMAKE_INSTALL_RPATH="${INSTALLDIR}/liboqs/lib" && \ + ninja -j$(nproc) && ninja install + +# Build OpenSSL integrated with liboqs +WORKDIR /opt/build/openssl +RUN LDFLAGS="-Wl,-rpath,${INSTALLDIR}/liboqs/lib" \ + /opt/src/openssl/config \ + --prefix=${INSTALLDIR}/openssl \ + --openssldir=${INSTALLDIR}/ssl \ + shared && \ + make -j$(nproc) && \ + make install_sw install_ssldirs + +# Build OQS provider for OpenSSL integration +WORKDIR /opt/build/oqs-provider +RUN cmake -G Ninja \ + -D OPENSSL_ROOT_DIR=${INSTALLDIR}/openssl \ + -D CMAKE_PREFIX_PATH="${INSTALLDIR}/openssl;${INSTALLDIR}/liboqs" \ + -D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/oqs-provider \ + -D CMAKE_INSTALL_RPATH="${INSTALLDIR}/openssl/lib:${INSTALLDIR}/liboqs/lib" \ + /opt/src/oqs-provider && \ + ninja -j$(nproc) && \ + mkdir -p ${INSTALLDIR}/openssl/lib/ossl-modules && \ + cp /opt/build/oqs-provider/lib/oqsprovider.so ${INSTALLDIR}/openssl/lib/ossl-modules + +# Set up OpenSSL to load the OQS provider +RUN CONFIG_FILE="${INSTALLDIR}/ssl/openssl.cnf" && \ + sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" "$CONFIG_FILE" && \ + sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" "$CONFIG_FILE" + +# Using a script from Wireshark to install required build dependencies +WORKDIR /opt/src/wireshark +RUN ./tools/debian-setup.sh -y + +# Generate `qsc.h` +WORKDIR ${INSTALLDIR} +RUN cp /opt/src/oqs-provider/oqs-template/generate.yml ${INSTALLDIR} +COPY generate_qsc_header.py ${INSTALLDIR} +COPY qsc_template.jinja2 ${INSTALLDIR} +COPY requirements.txt ${INSTALLDIR} + +RUN python3 -m venv ${INSTALLDIR}/venv && \ + . ${INSTALLDIR}/venv/bin/activate && \ + pip install -r requirements.txt && \ + python ${INSTALLDIR}/generate_qsc_header.py && \ + deactivate + +RUN cp ${INSTALLDIR}/qsc.h /opt/src/wireshark/epan/dissectors/ + +# Modify Wireshark source files for post-quantum definitions +WORKDIR /opt/src/wireshark +RUN sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-pkcs1.c && \ + sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-tls-utils.c && \ + sed -i "s/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");\nQSC_SIGS/g" epan/dissectors/packet-pkcs1.c && \ + sed -i "s/ { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\// { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\/\nQSC_KEMS/g" epan/dissectors/packet-tls-utils.c && \ + sed -i "s/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,\nQSC_SIG_CPS/g" epan/dissectors/packet-tls-utils.c + +# Build and install Wireshark +WORKDIR /opt/build/wireshark +RUN cmake -G Ninja /opt/src/wireshark \ + -D QT5=OFF \ + -D QT6=ON \ + -D CMAKE_BUILD_TYPE=Release \ + -D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/wireshark \ + -D CMAKE_PREFIX_PATH="${INSTALLDIR}/openssl;${INSTALLDIR}/liboqs" \ + -D CMAKE_INSTALL_RPATH="${INSTALLDIR}/openssl/lib:${INSTALLDIR}/liboqs/lib" && \ + ninja -j$(nproc) && ninja install + +# Test integration of OQS provider with OpenSSL +WORKDIR /opt/src/oqs-provider +ENV OPENSSL_CONF=${INSTALLDIR}/ssl/openssl.cnf +ENV OPENSSL_MODULES=${INSTALLDIR}/openssl/lib/ossl-modules +RUN mkdir -p _build +RUN ./scripts/runtests.sh -j$(nproc) + +# Stage 2: Minimal runtime image +FROM ubuntu:${UBUNTU_VERSION} AS runtime + +ENV DEBIAN_FRONTEND=noninteractive +ARG INSTALLDIR + +# Install necessary runtime dependencies +RUN apt-get update && apt-get install -y --no-install-recommends \ + libc-ares2 pcaputils libssh-4 libgcrypt20 \ + libglib2.0-0 libpcap0.8 libspeexdsp1 zlib1g \ + libqt6core6 libqt6gui6 libqt6widgets6 libqt6printsupport6 \ + libqt6core5compat6 libqt6dbus6 libqt6multimedia6 libgpg-error0 && \ + apt-get clean && rm -rf /var/lib/apt/lists/* + +ENV PATH="${INSTALLDIR}/wireshark/bin:${INSTALLDIR}/openssl/bin:${PATH}" +ENV OPENSSL_CONF=${INSTALLDIR}/ssl/openssl.cnf +ENV OPENSSL_MODULES=${INSTALLDIR}/openssl/lib/ossl-modules + +# Copy essential files from build stage +COPY --from=build ${INSTALLDIR}/wireshark ${INSTALLDIR}/wireshark +COPY --from=build ${INSTALLDIR}/openssl ${INSTALLDIR}/openssl +COPY --from=build ${INSTALLDIR}/liboqs ${INSTALLDIR}/liboqs +COPY --from=build ${INSTALLDIR}/ssl ${INSTALLDIR}/ssl + +CMD ["wireshark"] \ No newline at end of file diff --git a/wireshark/README.md b/wireshark/README.md index aa2806fd..1ab14404 100644 --- a/wireshark/README.md +++ b/wireshark/README.md @@ -1,31 +1,37 @@ -# DEPRECATED +This project provides a Docker image to build [Wireshark](https://www.wireshark.org/) with quantum-safe cryptography +support through the [Open Quantum Safe (OQS) provider](https://github.com/open-quantum-safe/oqs-provider). This Docker +image allows Wireshark to analyze network traffic encrypted with post-quantum cryptographic protocols. -> [!Warning] -> This integration is currently not supported due to [the end of life of oqs-openssl111](https://github.com/open-quantum-safe/openssl#warning). +## System Requirements -This directory contains a Dockerfile that builds wireshark that is patched to understand the OIDs and codepoints in TLS 1.3 that are supported by OQS-OpenSSL. +- **Docker**: Ensure [Docker](https://docs.docker.com/get-docker/) is installed and running on your system. +- **X-Window System (for GUI Display)**: + - **Linux**: Run `xhost +si:localuser:$USER` to allow Docker to access the display. + - **Windows/macOS**: Install an X server such as [VcXsrv](https://sourceforge.net/projects/vcxsrv/) (Windows) + or [XQuartz](https://www.xquartz.org/) (macOS) and start it, ensuring to **disable access control** and **disable + native OpenGL**. -## Quick start +## Project Components -1) Be sure to have [docker installed](https://docs.docker.com/install). -2) Run `docker build -t openquantumsafe/wireshark .` to create an QSC-enabled (codepoint and OID aware) wireshark docker image. +1. **Dockerfile**: Builds Wireshark with OpenSSL, liboqs, and OQS provider. +2. **generate_qsc_header.py**: Processes `oqs-provider/oqs-template/generate.yml` with the `qsc_template.jinja2` to generate `qsc.h`, +defining post-quantum KEMs and SIGs for Wireshark. ## Usage +For detailed usage instructions, refer to [USAGE.md](USAGE.md). -Information how to use the image is [available in the separate file USAGE.md](USAGE.md). +## Build Configuration and Updates -## Build options +Customize the build using the following Dockerfile arguments: -The Dockerfile provided allows for customization of the image built: +- **`UBUNTU_VERSION`**: Specifies the Ubuntu version (default: latest stable). +- **`WIRESHARK_VERSION`**: Defines the Wireshark version to build. +- **`INSTALLDIR`**: Sets the installation path for OQS libraries (default: `/opt/oqs`). -### WIRESHARK_VERSION +Use `--build-arg ARG_NAME=value` in the `docker build` command to adjust these values. -This permits changing the wireshark code base to be used. +To keep the build up-to-date, the `Dockerfile` and `generate_qsc_header.py` are designed for easy updates: -Tested default value is "3.4.9". - -### QSC_SSL_FLAVOR - -Different quantum-safe TLS implementations have different names for the same algorithms. This option permits switching between them. Permitted values are "oqs" and "wolfssl". - -Default is "oqs". +- Update the Ubuntu and Wireshark versions by modifying the `UBUNTU_VERSION` and `WIRESHARK_VERSION` arguments. +- The `generate_qsc_header.py` script automatically fetches new OQS algorithms, ensuring the latest definitions are + included. \ No newline at end of file diff --git a/wireshark/USAGE.md b/wireshark/USAGE.md index f0cacdfb..65237433 100644 --- a/wireshark/USAGE.md +++ b/wireshark/USAGE.md @@ -1,43 +1,55 @@ -# OQS-wireshark +This project provides a Docker image to build [Wireshark](https://www.wireshark.org/) with quantum-safe cryptography +support through the [Open Quantum Safe (OQS) provider](https://github.com/open-quantum-safe/oqs-provider). This Docker +image allows Wireshark to analyze network traffic encrypted with post-quantum cryptographic protocols. -This docker image contains a version of [wireshark](https://www.wireshark.org/) built to also properly display quantum-safe crypto (QSC) TLS operations. +## Quick Start Guide -To this end, it contains references to algorithms supported by [liboqs](https://github.com/open-quantum-safe/liboqs) and [OQS-OpenSSL](https://github.com/open-quantum-safe/openssl) from the [OpenQuantumSafe](https://openquantumsafe.org) project. +```bash +git clone https://github.com/open-quantum-safe/oqs-demos +cd oqs-demos/wireshark +docker build -t wireshark-oqs . +docker run --rm -it --net=host -e DISPLAY=: -v /tmp/.X11-unix:/tmp/.X11-unix wireshark-oqs +``` -The image is based on Ubuntu and requires the host to run the Unix X-Window system. +Replace `` with your IP address (e.g., `192.168.x.x`) and `` with your display port, +typically `:0`. -## Quick start +## Running Wireshark -Execute this command to open the wireshark window on your host: +You can run the Wireshark Docker container on Linux or Windows using the following command: - docker run --net=host --privileged --env="DISPLAY" --volume="$HOME/.Xauthority:/root/.Xauthority:rw" openquantumsafe/wireshark + ```bash + docker run --rm -it --net=host -e DISPLAY=: -v /tmp/.X11-unix:/tmp/.X11-unix wireshark-oqs + ``` -Then proceed [using wireshark as usual](https://www.wireshark.org/docs/), e.g., by selecting a network interface to monitor/dissect. +Replace `` with your IP address (e.g., `192.168.x.x`) and `` with your display port, +typically `:0`. -*Note*: You may need to grant permissions for Docker to access the X display: +Note: macOS support has not been tested yet. We welcome your feedback and suggestions. Please reach us through +the [oqs-demos issue section](https://github.com/open-quantum-safe/oqs-demos/issues). - xhost +si:localuser:$USER +### Explanation of Docker Options -## Suggested test +- `--net=host`: Shares the host network with the container. +- `-e DISPLAY`: Sets the display variable for GUI. +- `-v /tmp/.X11-unix:/tmp/.X11-unix`: Mounts the X11 Unix socket for GUI access. -At https://test.openquantumsafe.org most quantum-safe algorithms that are still part of the NIST PQC competition are available for TLS interoperability testing. +## Testing Quantum-Safe Protocols -As a client, we recommend using an OQS-enabled `curl` docker image that may be executed for a quick initial test as follows: +Once Wireshark is running, you can capture and filter quantum-safe cryptographic traffic. +At https://test.openquantumsafe.org, most quantum-safe algorithms from the NIST PQC competition are available for TLS +testing. As a client, we recommend using an OQS-enabled curl Docker image for a quick test. - docker run -it openquantumsafe/curl sh -c "curl -k https://test.openquantumsafe.org:6001 --curves frodo640aes" +1. **Filter by Quantum-Safe Protocols**: Use the following Wireshark display filter: + ```plaintext + tls && ip.addr == + ``` + Replace `` with the IP address of `test.openquantumsafe.org`. -For more details regarding the client-side options, we recommend reviewing https://hub.docker.com/repository/docker/openquantumsafe/curl +2. **Test Quantum-Safe Connections**: + ```bash + docker run -it openquantumsafe/curl sh -c "curl -k https://test.openquantumsafe.org:6069 --curves kyber1024" + ``` + You can replace the port (e.g., `6069`) and the algorithm (e.g., `kyber1024`) in the command with the corresponding + values from the [Open Quantum Safe test page](https://test.openquantumsafe.org/). -### Focus on quantum-safe data traffic - -In order to focus `wireshark` on the quantum safe TLS traffic generated by the above `curl` command, we recommend setting a wireshark display filter as follows - - ip.addr == 149.81.106.123 && tls - -which is the current IP address of the OQS interop test server at https://test.openquantumsafe.org. - -Other algorithms can be configured for use as per the [documentation for OQS-curl](https://hub.docker.com/repository/docker/openquantumsafe/curl) and the [OQS test server](https://test.openquantumsafe.org). - -When digging into the TLS traffic, the actual quantum-safe KEM algorithm requested can be seen within the Client and/or Server Hello messages (check "TLS->TLSv1.3 Record Layer->Handshake protocol->Extension: key share"). - -*Note:* `wireshark` might not recognize the TLS traffic as such due to the ports used at the OQS interoperability test server. In such case, enable the port of interest within the wireshark UI by adding it to the "SSL/TLS Ports" list (Edit->Preferences->Protocols->HTTP). diff --git a/wireshark/build.sh b/wireshark/build.sh deleted file mode 100755 index 87ebe53e..00000000 --- a/wireshark/build.sh +++ /dev/null @@ -1,61 +0,0 @@ -#!/bin/bash - -# Define the wireshark version to be used -WIRESHARK_VERSION=3.4.9 - -# Define the SSL naming convention: One of "wolfssl" and "oqs" -QSC_SSL_FLAVOR="oqs" - -if [ $QSC_SSL_FLAVOR == "oqs" ]; then - # Obtain OQS-specific ids - wget https://raw.githubusercontent.com/open-quantum-safe/openssl/OQS-OpenSSL_1_1_1-stable/qsc.h -elif [ $QSC_SSL_FLAVOR == "wolfssl" ]; then - mv wolfssl-qsc.h qsc.h -else - echo "Unknown naming convention. Exiting." - exit -1 -fi - -sudo apt update && apt upgrade -y - -# Get all software packages required for building wireshark: -sudo apt install -y gcc \ - libtool \ - automake \ - autoconf \ - cmake \ - ninja-build \ - git \ - curl \ - perl \ - flex \ - bison \ - python \ - python3 \ - libssl-dev \ - libgcrypt-dev \ - libpcap-dev \ - libc-ares-dev \ - qtbase5-dev qttools5-dev-tools qttools5-dev qtmultimedia5-dev \ - libssh-dev - -# Get the source and unpack it. -curl --output wireshark-${WIRESHARK_VERSION}.tar.xz https://2.na.dl.wireshark.org/src/all-versions/wireshark-${WIRESHARK_VERSION}.tar.xz -rm -rf wireshark-${WIRESHARK_VERSION} -tar xmvf wireshark-${WIRESHARK_VERSION}.tar.xz - -cd wireshark-${WIRESHARK_VERSION} - -# patch wireshark code base with IDs -cp ../qsc.h epan/dissectors && \ - sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-pkcs1.c && \ - sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-tls-utils.c && \ - sed -i "s/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");\nQSC_SIGS/g" epan/dissectors/packet-pkcs1.c && \ - sed -i "s/ { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\// { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\/\nQSC_KEMS/g" epan/dissectors/packet-tls-utils.c - sed -i "s/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,\nQSC_KEMS/g" epan/dissectors/packet-tls-utils.c -# Build wireshark -mkdir -p build && cd build && cmake -GNinja .. && ninja - -# Install wireshark -# ninja install - diff --git a/wireshark/generate_qsc_header.py b/wireshark/generate_qsc_header.py new file mode 100644 index 00000000..61b7ea05 --- /dev/null +++ b/wireshark/generate_qsc_header.py @@ -0,0 +1,15 @@ +import yaml +from jinja2 import Environment, FileSystemLoader + +with open("generate.yml", "r") as file: + data = yaml.safe_load(file) + +env = Environment(loader=FileSystemLoader(".")) +template = env.get_template("qsc_template.jinja2") + +output = template.render(data=data) + +with open("qsc.h", "w") as output_file: + output_file.write(output) + +print("qsc.h has been successfully generated!") \ No newline at end of file diff --git a/wireshark/qsc_template.jinja2 b/wireshark/qsc_template.jinja2 new file mode 100644 index 00000000..443e133e --- /dev/null +++ b/wireshark/qsc_template.jinja2 @@ -0,0 +1,49 @@ +#ifndef QSC_H +#define QSC_H + +// (QSC_KEMS) +#define QSC_KEMS \ +{%- for kem in data.kems if kem.nid and kem.name_group %} + { {{- kem.nid -}},"{{- kem.name_group -}}"},\ {# Notice the removal of space before `}` #} + {%- if kem.nid_hybrid %} + { {{- kem.nid_hybrid -}},"p{{- kem.nid_hybrid|int('16')|length * 64 -}}_{{- kem.name_group -}}"},\ + {%- endif %} + {%- if kem.extra_nids %} + {%- for extra in kem.extra_nids.current if extra.nid and extra.hybrid_group %} + { {{- extra.nid -}},"{{- extra.hybrid_group -}}_{{- kem.name_group -}}"},\ + {%- endfor %} + {%- for extra in kem.extra_nids.old if extra.nid and extra.hybrid_group %} + { {{- extra.nid -}},"{{- extra.hybrid_group -}}_{{- kem.name_group -}}"},\ + {%- endfor %} + {%- endif %} +{%- endfor %} + + +// (QSC_SIGS) +#define QSC_SIGS \ +{%- for sig in data.sigs %} + {%- for variant in sig.variants if variant.oid and variant.name %} + oid_add_from_string("{{- variant.name -}}","{{- variant.oid -}}");\ + {%- if variant.mix_with %} + {%- for mix in variant.mix_with if mix.oid and mix.name %} + oid_add_from_string("{{- mix.name -}}_{{- variant.name -}}","{{- mix.oid -}}");\ + {%- endfor %} + {%- endif %} + {%- endfor %} +{%- endfor %} + + +// (QSC_SIG_CPS) +#define QSC_SIG_CPS \ +{%- for sig in data.sigs %} + {%- for variant in sig.variants if variant.code_point and variant.name %} + { {{- variant.code_point -}},"{{- variant.name -}}"},\ + {%- endfor %} + {%- for variant in sig.variants if variant.mix_with %} + {%- for mix in variant.mix_with if mix.code_point and mix.name %} + { {{- mix.code_point -}},"{{- mix.name -}}_{{- variant.name -}}"},\ + {%- endfor %} + {%- endfor %} +{%- endfor %} + +#endif // QSC_H diff --git a/wireshark/requirements.txt b/wireshark/requirements.txt new file mode 100644 index 00000000..c664af5e --- /dev/null +++ b/wireshark/requirements.txt @@ -0,0 +1,2 @@ +Jinja2 +PyYAML \ No newline at end of file diff --git a/wireshark/wolfssl-qsc.h b/wireshark/wolfssl-qsc.h deleted file mode 100644 index da21f895..00000000 --- a/wireshark/wolfssl-qsc.h +++ /dev/null @@ -1,36 +0,0 @@ -/* wolfSSL naming convention */ - -#define QSC_SIGS \ - oid_add_from_string("falcon_level1", "1.3.9999.3.1"); \ - oid_add_from_string("falcon_level5", "1.3.9999.3.4"); \ - oid_add_from_string("dilithium_level2", "1.3.6.1.4.1.2.267.7.4.4"); \ - oid_add_from_string("dilithium_level3", "1.3.6.1.4.1.2.267.7.6.5"); \ - oid_add_from_string("dilithium_level5", "1.3.6.1.4.1.2.267.7.8.7"); - -#define QSC_KEMS \ - { 532, "ntru_hps_level1" }, \ - { 533, "ntru_hps_level3" }, \ - { 534, "ntru_hps_level5" }, \ - { 535, "ntru_hrss_level3" }, \ - { 536, "saber_level1" }, \ - { 537, "saber_level3" }, \ - { 538, "saber_level5" }, \ - { 570, "kyber_level1" }, \ - { 572, "kyber_level3" }, \ - { 573, "kyber_level5" }, \ - { 12052, "p256_ntru_hps_level1" }, \ - { 12053, "p384_ntru_hps_level3" }, \ - { 12054, "p521_ntru_hps_level5" }, \ - { 12055, "p384_ntru_hrss_level3" }, \ - { 12056, "p256_saber_level1" }, \ - { 12057, "p384_saber_level3" }, \ - { 12058, "p521_saber_level5" }, \ - { 12090, "p256_kyber_level1" }, \ - { 12092, "p384_kyber_level3" }, \ - { 12093, "p521_kyber_level5" }, \ - { 0xfe0b, "falcon_level1" }, \ - { 0xfe0e, "falcon_level5" }, \ - { 0xfea0, "dilithium_level2" }, \ - { 0xfea3, "dilithium_level3" }, \ - { 0xfea5, "dilithium_level5" }, -