search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "TODO epan/dissectors/asn1/kerberos/packet-kerberos-template.c new GSS flags"
[wireshark-sm.git] / epan / dissectors / packet-ssyncp.c
blob757ffd6e92bf75ea4e5aea67a527682cdc8c9456
1 /* packet-ssyncp.c
2 * Routines for dissecting mosh's State Synchronization Protocol
3 * Copyright 2020 Google LLC
4 *
5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
8 *
9 * SPDX-License-Identifier: GPL-2.0-or-later
10 */
11
12 /*
13 * State Synchronization Protocol is the protocol used by mosh:
14 * <https://mosh.org/mosh-paper-draft.pdf>
15 *
16 * The protocol name is abbreviated as SSyncP to avoid conflict with the
17 * "Scripting Service Protocol".
18 *
19 * The protocol is based on UDP, with a plaintext header followed by an
20 * encrypted payload. For now we just support decrypting a single connection at
21 * a time, using the MOSH_KEY dumped from the environment variables
22 * (`cat /proc/$pid/environ | tr '\0' '\n' | grep MOSH_KEY` on Linux).
23 * Note that to display the embedded protobuf properly, you'll have to add
24 * src/protobufs/ from mosh's source code to the ProtoBuf search path.
25 * For now we stop decoding after reaching the first level of protobufs; in
26 * them, a second layer of protobufs is sometimes embedded (e.g. for
27 * transmitting screen contents and such). Implementing that is left as an
28 * exercise for the reader.
29 */
30
31 #include <config.h>
32
33 #include <epan/packet.h> /* Should be first Wireshark include (other than config.h) */
34 #include <epan/conversation.h>
35 #include <epan/wmem_scopes.h>
36 #include <epan/proto_data.h>
37 #include <epan/prefs.h>
38 #include <epan/expert.h>
39 #include <epan/tfs.h>
40 #include <wsutil/array.h>
41 #include <wsutil/report_message.h>
42 #include <wsutil/wsgcrypt.h>
43
44 void proto_reg_handoff_ssyncp(void);
45 void proto_register_ssyncp(void);
46
47 static dissector_handle_t ssyncp_handle;
48
49 static int proto_ssyncp;
50 static int hf_ssyncp_direction;
51 static int hf_ssyncp_seq;
52 static int hf_ssyncp_encrypted;
53 static int hf_ssyncp_seq_delta;
54 static int hf_ssyncp_timestamp;
55 static int hf_ssyncp_timestamp_reply;
56 static int hf_ssyncp_frag_seq;
57 static int hf_ssyncp_frag_final;
58 static int hf_ssyncp_frag_idx;
59 static int hf_ssyncp_rtt_to_server;
60 static int hf_ssyncp_rtt_to_client;
61
62 /* Initialize the subtree pointers */
63 static int ett_ssyncp;
64 static int ett_ssyncp_decrypted;
65
66 static expert_field ei_ssyncp_fragmented;
67 static expert_field ei_ssyncp_bad_key;
68
69 static const char *pref_ssyncp_key;
70 static char ssyncp_raw_aes_key[16];
71 static bool have_ssyncp_key;
72
73 static dissector_handle_t dissector_protobuf;
74
75 typedef struct _ssyncp_conv_info_t {
76 /* last sequence numbers per direction */
77 uint64_t last_seq[2];
78 /* for each direction, have we seen any traffic yet? */
79 bool seen_packet[2];
80
81 uint16_t clock_offset[2];
82 bool clock_seen[2];
83 } ssyncp_conv_info_t;
84
85 typedef struct _ssyncp_packet_info_t {
86 bool first_packet;
87 int64_t seq_delta;
88 bool have_rtt_estimate;
89 int16_t rtt_estimate;
90 } ssyncp_packet_info_t;
91
92 #define SSYNCP_IV_PAD 4
93 #define SSYNCP_SEQ_LEN 8
94 #define SSYNCP_DATAGRAM_HEADER_LEN (SSYNCP_SEQ_LEN + 2 + 2) /* 64-bit IV and two 16-bit timestamps */
95 #define SSYNCP_TRANSPORT_HEADER_LEN (8 + 2)
96 #define SSYNCP_AUTHTAG_LEN 16 /* 128-bit auth tag */
97
98 /*
99 * We only match on 60001, which mosh uses for its first connection.
100 * If there are more connections in the range 60002-61000, the user will have to
101 * mark those as ssyncp traffic manually - we'd have too many false positives
102 * otherwise.
103 */
104 #define SSYNCP_UDP_PORT 60001
105
106 static int
107 dissect_ssyncp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
108 void *data _U_)
109 {
110 /* Check that we have at least a datagram plus an OCB auth tag. */
111 if (tvb_reported_length(tvb) < SSYNCP_DATAGRAM_HEADER_LEN + SSYNCP_TRANSPORT_HEADER_LEN + SSYNCP_AUTHTAG_LEN)
112 return 0;
113
114 uint64_t direction_and_seq = tvb_get_uint64(tvb, 0, ENC_BIG_ENDIAN);
115 unsigned direction = direction_and_seq >> 63;
116 uint64_t seq = direction_and_seq & ~(1ULL << 63);
117
118 /* Heuristic: The 63-bit sequence number starts from zero and increments
119 * from there. Even if you send 1000 packets per second over 10 years, you
120 * won't reach 2^35. So check that the sequence number is not outrageously
121 * high.
122 */
123 if (seq > (1ULL << 35))
124 return 0;
125
126 /* On the first pass, track the previous sequence numbers per direction,
127 * compute deltas between sequence numbers, and save those deltas.
128 * On subsequent passes, use the computed deltas.
129 */
130 ssyncp_packet_info_t *ssyncp_pinfo;
131 ssyncp_conv_info_t *ssyncp_info = NULL;
132 if (pinfo->fd->visited) {
133 ssyncp_pinfo = (ssyncp_packet_info_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_ssyncp, 0);
134 } else {
135 conversation_t *conversation = find_or_create_conversation(pinfo);
136 ssyncp_info = (ssyncp_conv_info_t *)conversation_get_proto_data(conversation, proto_ssyncp);
137 if (!ssyncp_info) {
138 ssyncp_info = wmem_new0(wmem_file_scope(), ssyncp_conv_info_t);
139 conversation_add_proto_data(conversation, proto_ssyncp, ssyncp_info);
140 }
141
142 ssyncp_pinfo = wmem_new(wmem_file_scope(), ssyncp_packet_info_t);
143 ssyncp_pinfo->first_packet = !ssyncp_info->seen_packet[direction];
144 if (ssyncp_pinfo->first_packet) {
145 ssyncp_info->seen_packet[direction] = true;
146 } else {
147 ssyncp_pinfo->seq_delta = seq - ssyncp_info->last_seq[direction];
148 }
149 ssyncp_pinfo->have_rtt_estimate = false;
150 p_add_proto_data(wmem_file_scope(), pinfo, proto_ssyncp, 0, ssyncp_pinfo);
151
152 ssyncp_info->last_seq[direction] = seq;
153 }
154
155 /*** COLUMN DATA ***/
156
157 col_set_str(pinfo->cinfo, COL_PROTOCOL, "ssyncp");
158
159 col_clear(pinfo->cinfo, COL_INFO);
160
161 char *direction_str = direction ? "Server->Client" : "Client->Server";
162 col_set_str(pinfo->cinfo, COL_INFO, direction_str);
163
164 /*** PROTOCOL TREE ***/
165
166 /* create display subtree for the protocol */
167 proto_item *ti = proto_tree_add_item(tree, proto_ssyncp, tvb, 0, -1, ENC_NA);
168
169 proto_tree *ssyncp_tree = proto_item_add_subtree(ti, ett_ssyncp);
170
171 /* Add an item to the subtree, see section 1.5 of README.dissector for more
172 * information. */
173 proto_tree_add_item(ssyncp_tree, hf_ssyncp_direction, tvb,
174 0, 1, ENC_BIG_ENDIAN);
175 proto_tree_add_item(ssyncp_tree, hf_ssyncp_seq, tvb,
176 0, 8, ENC_BIG_ENDIAN);
177 #ifdef GCRY_OCB_BLOCK_LEN
178 proto_item *encrypted_item =
179 #endif
180 proto_tree_add_item(ssyncp_tree, hf_ssyncp_encrypted,
181 tvb, 8, -1, ENC_NA);
182
183 if (!ssyncp_pinfo->first_packet) {
184 proto_item *delta_item =
185 proto_tree_add_int64(ssyncp_tree, hf_ssyncp_seq_delta, tvb, 0, 0,
186 ssyncp_pinfo->seq_delta);
187 proto_item_set_generated(delta_item);
188 }
189
190 unsigned char *decrypted = NULL;
191 unsigned decrypted_len = 0;
192
193 /* avoid build failure on ancient libgcrypt without OCB support */
194 #ifdef GCRY_OCB_BLOCK_LEN
195 if (have_ssyncp_key) {
196 gcry_error_t gcry_err;
197
198 /* try to decrypt the rest of the packet */
199 gcry_cipher_hd_t gcry_hd;
200 gcry_err = gcry_cipher_open(&gcry_hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_OCB, 0);
201 if (gcry_err_code(gcry_err)) {
202 /* this shouldn't happen (even if the packet is garbage) */
203 report_failure("ssyncp: unable to initialize cipher???");
204 return tvb_captured_length(tvb);
205 }
206 gcry_err = gcry_cipher_setkey(gcry_hd, ssyncp_raw_aes_key, sizeof(ssyncp_raw_aes_key));
207 if (gcry_err_code(gcry_err)) {
208 /* this shouldn't happen (even if the packet is garbage) */
209 report_failure("ssyncp: unable to set key???");
210 gcry_cipher_close(gcry_hd);
211 return tvb_captured_length(tvb);
212 }
213 char nonce[SSYNCP_IV_PAD + SSYNCP_SEQ_LEN];
214 memset(nonce, 0, SSYNCP_IV_PAD);
215 tvb_memcpy(tvb, nonce + SSYNCP_IV_PAD, 0, SSYNCP_SEQ_LEN);
216 gcry_err = gcry_cipher_setiv(gcry_hd, nonce, sizeof(nonce));
217 if (gcry_err_code(gcry_err)) {
218 /* this shouldn't happen (even if the packet is garbage) */
219 report_failure("ssyncp: unable to set iv???");
220 gcry_cipher_close(gcry_hd);
221 return tvb_captured_length(tvb);
222 }
223 decrypted_len = tvb_captured_length(tvb) - SSYNCP_SEQ_LEN - SSYNCP_AUTHTAG_LEN;
224 decrypted = (unsigned char *)tvb_memdup(pinfo->pool, tvb,
225 SSYNCP_SEQ_LEN, decrypted_len);
226 gcry_cipher_final(gcry_hd);
227 gcry_err = gcry_cipher_decrypt(gcry_hd, decrypted, decrypted_len, NULL, 0);
228 if (gcry_err_code(gcry_err)) {
229 /* this shouldn't happen (even if the packet is garbage) */
230 report_failure("ssyncp: unable to decrypt???");
231 gcry_cipher_close(gcry_hd);
232 return tvb_captured_length(tvb);
233 }
234 gcry_err = gcry_cipher_checktag(gcry_hd,
235 tvb_get_ptr(tvb, SSYNCP_SEQ_LEN+decrypted_len, SSYNCP_AUTHTAG_LEN),
236 SSYNCP_AUTHTAG_LEN);
237 if (gcry_err_code(gcry_err) && gcry_err_code(gcry_err) != GPG_ERR_CHECKSUM) {
238 /* this shouldn't happen (even if the packet is garbage) */
239 report_failure("ssyncp: unable to check auth tag???");
240 gcry_cipher_close(gcry_hd);
241 return tvb_captured_length(tvb);
242 }
243 if (gcry_err_code(gcry_err)) {
244 /* if the tag is wrong, the key was wrong and the decrypted data is useless */
245 decrypted = NULL;
246 expert_add_info(pinfo, encrypted_item, &ei_ssyncp_bad_key);
247 }
248 gcry_cipher_close(gcry_hd);
249 }
250 #endif
251
252 if (decrypted) {
253 tvbuff_t *decrypted_tvb = tvb_new_child_real_data(tvb, decrypted, decrypted_len, decrypted_len);
254 add_new_data_source(pinfo, decrypted_tvb, "Decrypted data");
255
256 if (!pinfo->fd->visited && ssyncp_info) {
257 uint16_t our_clock16 = ((uint64_t)pinfo->abs_ts.secs * 1000 + pinfo->abs_ts.nsecs / 1000000) & 0xffff;
258 uint16_t sender_ts = tvb_get_uint16(decrypted_tvb, 0, ENC_BIG_ENDIAN);
259 uint16_t reply_ts = tvb_get_uint16(decrypted_tvb, 2, ENC_BIG_ENDIAN);
260 ssyncp_info->clock_offset[direction] = sender_ts - our_clock16;
261 ssyncp_info->clock_seen[direction] = true;
262 if (reply_ts != 0xffff && ssyncp_info->clock_seen[1-direction]) {
263 uint16_t projected_send_time_our_clock = reply_ts - ssyncp_info->clock_offset[1-direction];
264 ssyncp_pinfo->rtt_estimate = our_clock16 - projected_send_time_our_clock;
265 ssyncp_pinfo->have_rtt_estimate = true;
266 }
267 }
268
269 proto_tree *dec_tree = proto_tree_add_subtree(ssyncp_tree, decrypted_tvb,
270 0, -1, ett_ssyncp_decrypted, NULL, "Decrypted data");
271
272 proto_tree_add_item(dec_tree, hf_ssyncp_timestamp, decrypted_tvb,
273 0, 2, ENC_BIG_ENDIAN);
274 proto_tree_add_item(dec_tree, hf_ssyncp_timestamp_reply, decrypted_tvb,
275 2, 2, ENC_BIG_ENDIAN);
276
277 if (ssyncp_pinfo->have_rtt_estimate) {
278 int rtt_id = direction ? hf_ssyncp_rtt_to_server : hf_ssyncp_rtt_to_client;
279 proto_item *rtt_item = proto_tree_add_int(dec_tree, rtt_id, decrypted_tvb, 2, 2, ssyncp_pinfo->rtt_estimate);
280 proto_item_set_generated(rtt_item);
281 }
282
283 proto_tree_add_item(dec_tree, hf_ssyncp_frag_seq, decrypted_tvb,
284 4, 8, ENC_BIG_ENDIAN);
285 proto_tree_add_item(dec_tree, hf_ssyncp_frag_final, decrypted_tvb,
286 12, 2, ENC_BIG_ENDIAN);
287 proto_item *frag_idx_item = proto_tree_add_item(dec_tree,
288 hf_ssyncp_frag_idx, decrypted_tvb, 12, 2, ENC_BIG_ENDIAN);
289
290 /* TODO actually handle fragmentation; for now just bail out on fragmentation */
291 if (tvb_get_uint16(decrypted_tvb, 12, ENC_BIG_ENDIAN) != 0x8000) {
292 expert_add_info(pinfo, frag_idx_item, &ei_ssyncp_fragmented);
293 return tvb_captured_length(tvb);
294 }
295
296 tvbuff_t *inflated_tvb = tvb_child_uncompress_zlib(decrypted_tvb, decrypted_tvb, 14, decrypted_len - 14);
297 if (inflated_tvb == NULL)
298 return tvb_captured_length(tvb);
299 add_new_data_source(pinfo, inflated_tvb, "Inflated data");
300
301 if (dissector_protobuf) {
302 call_dissector_with_data(dissector_protobuf, inflated_tvb, pinfo,
303 dec_tree, "message,TransportBuffers.Instruction");
304 }
305 }
306
307 return tvb_captured_length(tvb);
308 }
309
310 /* Register the protocol with Wireshark.
311 *
312 * This format is required because a script is used to build the C function that
313 * calls all the protocol registration.
314 */
315 void
316 proto_register_ssyncp(void)
317 {
318 static const true_false_string direction_name = {
319 "Server->Client",
320 "Client->Server"
321 };
322
323 /* Setup list of header fields See Section 1.5 of README.dissector for
324 * details. */
325 static hf_register_info hf[] = {
326 { &hf_ssyncp_direction,
327 { "Direction", "ssyncp.direction",
328 FT_BOOLEAN, 8, TFS(&direction_name), 0x80,
329 "Direction of packet", HFILL }
330 },
331 { &hf_ssyncp_seq,
332 { "Sequence number", "ssyncp.seq",
333 FT_UINT64, BASE_HEX, NULL, 0x7fffffffffffffff,
334 "Monotonically incrementing packet sequence number", HFILL }
335 },
336 { &hf_ssyncp_encrypted,
337 { "Encrypted data", "ssyncp.enc_data",
338 FT_BYTES, BASE_NONE, NULL, 0,
339 "Encrypted RTT estimation fields and Transport Layer payload, encrypted with AES-128-OCB",
340 HFILL }
341 },
342 { &hf_ssyncp_seq_delta,
343 { "Sequence number delta", "ssyncp.seq_delta",
344 FT_INT64, BASE_DEC, NULL, 0,
345 "Delta from last sequence number; 1 is normal, 0 is duplicated packet, <0 is reordering, >1 is reordering or packet loss", HFILL }
346 },
347 { &hf_ssyncp_timestamp,
348 { "Truncated timestamp", "ssyncp.timestamp",
349 FT_UINT16, BASE_HEX, NULL, 0,
350 "Low 16 bits of sender's time in milliseconds", HFILL }
351 },
352 { &hf_ssyncp_timestamp_reply,
353 { "Last timestamp received", "ssyncp.timestamp_reply",
354 FT_UINT16, BASE_HEX, NULL, 0,
355 "Low 16 bits of timestamp of last received packet plus time since it was received (for RTT estimation)", HFILL }
356 },
357 { &hf_ssyncp_frag_seq,
358 { "Fragment ID", "ssyncp.frag_seq",
359 FT_UINT64, BASE_HEX, NULL, 0,
360 "Transport-level sequence number, used for fragment reassembly", HFILL }
361 },
362 { &hf_ssyncp_frag_final,
363 { "Final fragment", "ssyncp.frag_final",
364 FT_BOOLEAN, 16, NULL, 0x8000,
365 "Is this the last fragment?", HFILL }
366 },
367 { &hf_ssyncp_frag_idx,
368 { "Fragment Index", "ssyncp.frag_idx",
369 FT_UINT16, BASE_HEX, NULL, 0x7fff,
370 "Index of this fragment in the list of fragments of the transport-level message", HFILL }
371 },
372 { &hf_ssyncp_rtt_to_server,
373 { "RTT estimate to server (in ms)", "ssyncp.rtt_est_to_server",
374 FT_INT16, BASE_DEC, NULL, 0,
375 "Estimated round trip time from point of capture to server", HFILL }
376 },
377 { &hf_ssyncp_rtt_to_client,
378 { "RTT estimate to client (in ms)", "ssyncp.rtt_est_to_client",
379 FT_INT16, BASE_DEC, NULL, 0,
380 "Estimated round trip time from point of capture to client", HFILL }
381 }
382 };
383
384 /* Setup protocol subtree array */
385 static int *ett[] = {
386 &ett_ssyncp,
387 &ett_ssyncp_decrypted
388 };
389
390 /* Setup protocol expert items */
391 static ei_register_info ei[] = {
392 { &ei_ssyncp_fragmented,
393 { "ssyncp.fragmented", PI_REASSEMBLE, PI_WARN,
394 "SSYNCP-level fragmentation, dissector can't handle that", EXPFILL }
395 },
396 { &ei_ssyncp_bad_key,
397 { "ssyncp.badkey", PI_DECRYPTION, PI_WARN,
398 "Encrypted data could not be decrypted with the provided key", EXPFILL }
399 }
400 };
401
402 /* Register the protocol name and description */
403 proto_ssyncp = proto_register_protocol("State Synchronization Protocol", "SSyncP", "ssyncp");
404
405 /* Register the dissector handle */
406 ssyncp_handle = register_dissector("ssyncp", dissect_ssyncp, proto_ssyncp);
407
408 /* Required function calls to register the header fields and subtrees */
409 proto_register_field_array(proto_ssyncp, hf, array_length(hf));
410 proto_register_subtree_array(ett, array_length(ett));
411
412 expert_module_t *expert_ssyncp = expert_register_protocol(proto_ssyncp);
413 expert_register_field_array(expert_ssyncp, ei, array_length(ei));
414
415 module_t *ssyncp_module = prefs_register_protocol(proto_ssyncp, proto_reg_handoff_ssyncp);
416
417 prefs_register_string_preference(ssyncp_module, "key",
418 "ssyncp MOSH_KEY",
419 "MOSH_KEY AES key (from mosh-{client,server} environment variable)",
420 &pref_ssyncp_key);
421 }
422
423 void
424 proto_reg_handoff_ssyncp(void)
425 {
426 static bool initialized = false;
427
428 if (!initialized) {
429 dissector_add_uint("udp.port", SSYNCP_UDP_PORT, ssyncp_handle);
430
431 dissector_protobuf = find_dissector("protobuf");
432 if (dissector_protobuf == NULL) {
433 report_failure("unable to find protobuf dissector");
434 }
435
436 initialized = true;
437 }
438
439 have_ssyncp_key = false;
440 if (strlen(pref_ssyncp_key) != 0) {
441 if (strlen(pref_ssyncp_key) != 22) {
442 report_failure("ssyncp: invalid key, must be 22 characters long");
443 return;
444 }
445 char base64_key[25];
446 memcpy(base64_key, pref_ssyncp_key, 22);
447 memcpy(base64_key+22, "==\0", 3);
448 size_t out_len;
449 if (g_base64_decode_inplace(base64_key, &out_len) == NULL || out_len != sizeof(ssyncp_raw_aes_key)) {
450 report_failure("ssyncp: invalid key, base64 decoding (with \"==\" appended) failed");
451 return;
452 }
453 memcpy(ssyncp_raw_aes_key, base64_key, sizeof(ssyncp_raw_aes_key));
454 have_ssyncp_key = true;
455 }
456 }
457
458 /*
459 * Editor modelines - https://www.wireshark.org/tools/modelines.html
460 *
461 * Local variables:
462 * c-basic-offset: 4
463 * tab-width: 8
464 * indent-tabs-mode: nil
465 * End:
466 *
467 * vi: set shiftwidth=4 tabstop=8 expandtab:
468 * :indentSize=4:tabSize=8:noTabs=true:
469 */
Metzes wireshark repo