feat: QUIC Client Initial parser

dissect.go

@@ -245,6 +245,9 @@ func (dp *DissectedPacket) parseTLSServerName() (string, error) {
 	case dp.TCP != nil:
 		return ExtractTLSServerName(dp.TCP.Payload)
 	case dp.UDP != nil:
+		if sni, err := ExtractQUICServerName(dp.UDP.Payload); err == nil {
+			return sni, err
+		}
 		return ExtractTLSServerName(dp.UDP.Payload)
 	default:
 		return "", ErrDissectTransport

dpidrop.go

@@ -72,11 +72,6 @@ func (r *DPIDropTrafficForTLSSNI) Filter(
 		return nil, false
 	}
 
-	// short circuit for UDP packets
-	if packet.TransportProtocol() != layers.IPProtocolTCP {
-		return nil, false
-	}
-
 	// try to obtain the SNI
 	sni, err := packet.parseTLSServerName()
 	if err != nil {

go.mod

@@ -14,6 +14,7 @@ require (
 require (
 	github.com/google/btree v1.1.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/quic-go/quic-go v0.36.0 // indirect
 	github.com/stretchr/testify v1.8.1 // indirect
 	golang.org/x/net v0.10.0 // indirect
 	golang.org/x/sys v0.8.0 // indirect

go.sum

@@ -78,6 +78,8 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/quic-go/quic-go v0.36.0 h1:JIrO7p7Ug6hssFcARjWDiqS2RAKJHCiwPxBAA989rbI=
+github.com/quic-go/quic-go v0.36.0/go.mod h1:zPetvwDlILVxt15n3hr3Gf/I3mDf7LpLKPhR4Ez0AZQ=
 github.com/rogpeppe/fastuuid v1.1.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/smartystreets/assertions v1.0.0/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM=

quiccrypto.go

@@ -0,0 +1,137 @@
+package netem
+
+import (
+	"crypto"
+	"crypto/aes"
+	"crypto/cipher"
+	"encoding/binary"
+
+	"golang.org/x/crypto/hkdf"
+)
+
+// https://www.rfc-editor.org/rfc/rfc9001.html#protection-keys
+//
+// computeHP derives the header protection key from the initial secret.
+func computeHP(secret []byte) (hp []byte) {
+	hp = hkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic hp", 16)
+	return
+}
+
+// SPDX-License-Identifier: BSD-3-Clause
+// This code is borrowed from https://github.com/marten-seemann/qtls-go1-15
+// https://github.com/marten-seemann/qtls-go1-15/blob/0d137e9e3594d8e9c864519eff97b323321e5e74/cipher_suites.go#L281
+type aead interface {
+	cipher.AEAD
+
+	// explicitNonceLen returns the number of bytes of explicit nonce
+	// included in each record. This is eight for older AEADs and
+	// zero for modern ones.
+	explicitNonceLen() int
+}
+
+// SPDX-License-Identifier: BSD-3-Clause
+// This code is borrowed from https://github.com/marten-seemann/qtls-go1-15
+// https://github.com/marten-seemann/qtls-go1-15/blob/0d137e9e3594d8e9c864519eff97b323321e5e74/cipher_suites.go#L375
+func aeadAESGCMTLS13(key, nonceMask []byte) aead {
+	if len(nonceMask) != aeadNonceLength {
+		panic("tls: internal error: wrong nonce length")
+	}
+	aes, err := aes.NewCipher(key)
+	if err != nil {
+		panic(err)
+	}
+	aead, err := cipher.NewGCM(aes)
+	if err != nil {
+		panic(err)
+	}
+	ret := &xorNonceAEAD{aead: aead}
+	copy(ret.nonceMask[:], nonceMask)
+	return ret
+}
+
+// SPDX-License-Identifier: MIT
+// This code is borrowed from https://github.com/lucas-clemente/quic-go/
+// https://github.com/lucas-clemente/quic-go/blob/f3b098775e40f96486c0065204145ddc8675eb7c/internal/handshake/initial_aead.go#L60
+// https://www.rfc-editor.org/rfc/rfc9001.html#protection-keys
+//
+// computeInitialKeyAndIV derives the packet protection key and Initialization Vector (IV) from the initial secret.
+func computeInitialKeyAndIV(secret []byte) (key, iv []byte) {
+	key = hkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic key", 16)
+	iv = hkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic iv", 12)
+	return
+}
+
+// SPDX-License-Identifier: MIT
+// This code is borrowed from https://github.com/lucas-clemente/quic-go/
+// https://github.com/lucas-clemente/quic-go/blob/f3b098775e40f96486c0065204145ddc8675eb7c/internal/handshake/initial_aead.go#L53
+// https://www.rfc-editor.org/rfc/rfc9001.html#name-initial-secrets
+//
+// computeSecrets computes the initial secrets based on the destination connection ID.
+func computeSecrets(destConnID []byte) (clientSecret, serverSecret []byte) {
+	initialSalt := []byte{0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a}
+	initialSecret := hkdf.Extract(crypto.SHA256.New, destConnID, initialSalt)
+	clientSecret = hkdfExpandLabel(crypto.SHA256, initialSecret, []byte{}, "client in", crypto.SHA256.Size())
+	serverSecret = hkdfExpandLabel(crypto.SHA256, initialSecret, []byte{}, "server in", crypto.SHA256.Size())
+	return
+}
+
+// SPDX-License-Identifier: MIT
+// This code is borrowed from https://github.com/lucas-clemente/quic-go/
+// https://github.com/lucas-clemente/quic-go/blob/master/internal/handshake/hkdf.go
+//
+// hkdfExpandLabel HKDF expands a label.
+func hkdfExpandLabel(hash crypto.Hash, secret, context []byte, label string, length int) []byte {
+	b := make([]byte, 3, 3+6+len(label)+1+len(context))
+	binary.BigEndian.PutUint16(b, uint16(length))
+	b[2] = uint8(6 + len(label))
+	b = append(b, []byte("tls13 ")...)
+	b = append(b, []byte(label)...)
+	b = b[:3+6+len(label)+1]
+	b[3+6+len(label)] = uint8(len(context))
+	b = append(b, context...)
+
+	out := make([]byte, length)
+	n, err := hkdf.Expand(hash.New, secret, b).Read(out)
+	if err != nil || n != length {
+		panic("quic: HKDF-Expand-Label invocation failed unexpectedly")
+	}
+	return out
+}
+
+const aeadNonceLength = 12
+
+// SPDX-License-Identifier: BSD-3-Clause
+// This code is borrowed from https://github.com/marten-seemann/qtls-go1-15
+// https://github.com/marten-seemann/qtls-go1-15/blob/0d137e9e3594d8e9c864519eff97b323321e5e74/cipher_suites.go#L319
+//
+// xorNonceAEAD wraps an AEAD by XORing in a fixed pattern to the nonce before each call.
+type xorNonceAEAD struct {
+	nonceMask [aeadNonceLength]byte
+	aead      cipher.AEAD
+}
+
+func (f *xorNonceAEAD) NonceSize() int        { return 8 } // 64-bit sequence number
+func (f *xorNonceAEAD) Overhead() int         { return f.aead.Overhead() }
+func (f *xorNonceAEAD) explicitNonceLen() int { return 0 }
+
+func (f *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
+	for i, b := range nonce {
+		f.nonceMask[4+i] ^= b
+	}
+	result := f.aead.Seal(out, f.nonceMask[:], plaintext, additionalData)
+	for i, b := range nonce {
+		f.nonceMask[4+i] ^= b
+	}
+	return result
+}
+
+func (f *xorNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) {
+	for i, b := range nonce {
+		f.nonceMask[4+i] ^= b
+	}
+	result, err := f.aead.Open(out, f.nonceMask[:], ciphertext, additionalData)
+	for i, b := range nonce {
+		f.nonceMask[4+i] ^= b
+	}
+	return result, err
+}