++

Author: Damir Zainullin

process-plugin-api/process/http/src/http.cpp

@@ -73,54 +73,67 @@ FlowAction HTTPPlugin::parseHTTP(
 	if (parser.requestParsed && m_requestParsed) {
 		return FlowAction::FlushWithReinsert;
 	}
+	m_requestParsed |= parser.requestParsed;
+
 	if (parser.responseParsed && m_responseParsed) {
 		return FlowAction::FlushWithReinsert;
 	}
+	m_responseParsed |= parser.responseParsed;
 
 	if (parser.method.has_value()) {
 		std::ranges::copy(*parser.method |
 			std::views::take(m_exportData.method.capacity()),
 		std::back_inserter(m_exportData.method));
+		m_fieldHandlers[HTTPFields::HTTP_REQUEST_METHOD].setAsAvailable(flowRecord);
 	}
 	if (parser.uri.has_value()) {
 		std::ranges::copy(*parser.uri |
 			std::views::take(m_exportData.uri.capacity()),
 		std::back_inserter(m_exportData.uri));
+		m_fieldHandlers[HTTPFields::HTTP_REQUEST_URI].setAsAvailable(flowRecord);
 	}
 	if (parser.host.has_value()) {
 		std::ranges::copy(*parser.host |
 			std::views::take(m_exportData.host.capacity()),
 		std::back_inserter(m_exportData.host));
+		m_fieldHandlers[HTTPFields::HTTP_REQUEST_HOST].setAsAvailable(flowRecord);
 	}
 	if (parser.userAgent.has_value()) {
 		std::ranges::copy(*parser.userAgent |
 			std::views::take(m_exportData.userAgent.capacity()),
 		std::back_inserter(m_exportData.userAgent));
+		m_fieldHandlers[HTTPFields::HTTP_REQUEST_AGENT].setAsAvailable(flowRecord);
 	}
 	if (parser.referer.has_value()) {
 		std::ranges::copy(*parser.referer |
 			std::views::take(m_exportData.referer.capacity()),
 		std::back_inserter(m_exportData.referer));
+		m_fieldHandlers[HTTPFields::HTTP_REQUEST_REFERER].setAsAvailable(flowRecord);
 	}
 	if (parser.statusCode.has_value()) {
 		m_exportData.statusCode = *parser.statusCode;
+		m_fieldHandlers[HTTPFields::HTTP_RESPONSE_STATUS_CODE].setAsAvailable(flowRecord);
 	}
 	if (parser.contentType.has_value()) {
 		std::ranges::copy(*parser.contentType |
 			std::views::take(m_exportData.contentType.capacity()),
 		std::back_inserter(m_exportData.contentType));
+		m_fieldHandlers[HTTPFields::HTTP_RESPONSE_CONTENT_TYPE].setAsAvailable(flowRecord);
 	}
 	if (parser.server.has_value()) {
 		std::ranges::copy(*parser.server |
 			std::views::take(m_exportData.server.capacity()),
 		std::back_inserter(m_exportData.server));
+		m_fieldHandlers[HTTPFields::HTTP_RESPONSE_SERVER].setAsAvailable(flowRecord);
 	}
 	if (parser.cookies.has_value()) {
 		std::ranges::copy(*parser.cookies |
 			std::views::take(m_exportData.cookies.capacity()),
 		std::back_inserter(m_exportData.cookies));
+		m_fieldHandlers[HTTPFields::HTTP_RESPONSE_SET_COOKIE_NAMES].setAsAvailable(flowRecord);
 	}
 
+	
 	if (m_requestParsed && m_responseParsed) {
 		return FlowAction::RequestNoData;
 	}

process-plugin-api/process/passiveDns/src/passivedns.cpp

@@ -101,7 +101,7 @@ std::optional<IPAddress> getIPFromPTR(const std::string& ptrName) noexcept
 		ipAsString.erase(ipAsString.size() - ip4Postfix.size());
 		struct in_addr addr;
 		inet_pton(AF_INET, ipAsString.c_str(), &addr);
-		return addr.s_addr;
+		return ntohl(addr.s_addr);
 	}
 
 	std::string_view ip6Postfix = ".ip6.arpa";

process-plugin-api/process/quic/src/quic.cpp

@@ -73,7 +73,136 @@ int QUICPlugin::process_quic(
 	const Packet& pkt,
 	bool new_quic_flow)
 {
-	QUICParser process_quic;
+	QUICParser quicParser;
+
+	quicParser.parse(payload, initialDestConnectionId);
+
+	if (quicParser.headerView.has_value() &&
+		quicParser.packetTypesCumulative.bits.zeroRTT) {
+		m_exportData.version = quicParser.headerView->versionId;
+	}
+
+	if (!m_exportData.packetTypes.full()) {
+		m_exportData.packetTypes.push_back(
+			static_cast<uint8_t>(quicParser.packetTypesCumulative.raw));
+	}
+
+	// TODO get direction ?
+
+	m_exportData.zeroRTTPacket = std::min<uint16_t>(
+		m_exportData.zeroRTTPacket + quicParser.zeroRTTPackets,
+		std::numeric_limits<uint8_t>::max()
+	);
+
+	if (quicParser.initialHeaderView.has_value()) {
+		m_exportData.clientHelloParsed 
+			= quicParser.initialHeaderView->clientHelloParsed;
+	}
+
+	switch (quicParser.packetType) {
+	case QUICParser::PACKET_TYPE::INITIAL:
+		if (!quicParser.initialHeaderView.has_value()) {
+			break; //??
+		}
+		process_quic.quic_get_parsed_initial(parsed_initial);
+		m_initialDestinationConnectionId.clear();
+		std::ranges::copy(quicParser.initialHeaderView->destinationConnectionId |
+			std::views::take(m_initialDestinationConnectionId.capacity()),
+		std::back_inserter(m_initialDestinationConnectionId));
+		// Store DCID from first observed Initial packet. This is used in the crypto operations.
+		// Check length works because the first Initial must have a non-zero DCID.
+		if (quic_data->initial_dcid_length == 0) {
+			process_quic.quic_get_dcid_len(quic_data->initial_dcid_length);
+			process_quic.quic_get_dcid(quic_data->initial_dcid);
+			// Once established it can only be changed by a retry packet.
+		}
+		if (quicParser.initialHeaderView.has_value() &&
+			quicParser.initialHeaderView->clientHelloParsed) {
+				
+			if (m_exportData.sourceConnectionId.empty() && 
+				quicParser.packetDirection.has_value() &&
+				m_tempConnectionIdBuffer[*quicParser.packetDirection].has_value()) {
+				std::ranges::copy(
+					m_tempConnectionIdBuffer[*quicParser.packetDirection].destinationConnectionId |
+					std::views::take(m_exportData.sourceConnectionId.capacity()),
+					std::back_inserter(m_exportData.sourceConnectionId)
+				);
+			}
+			set_stored_cid_fields(quic_data, new_quic_flow);
+			set_client_hello_fields(&process_quic, rec, quic_data, pkt, new_quic_flow);
+			quic_data->client_hello_seen = true;
+
+			if (!quic_data->tls_ext_type_set) {
+				process_quic.quic_get_tls_ext_type(quic_data->tls_ext_type);
+				process_quic.quic_get_tls_ext_type_len(quic_data->tls_ext_type_len);
+				quic_data->tls_ext_type_set = true;
+			}
+
+			if (!quic_data->tls_ext_len_set) {
+				process_quic.quic_get_tls_extension_lengths(quic_data->tls_ext_len);
+				process_quic.quic_get_tls_extension_lengths_len(quic_data->tls_ext_len_len);
+				quic_data->tls_ext_len_set = true;
+			}
+
+			if (!quic_data->tls_ext_set) {
+				process_quic.quic_get_tls_ext(quic_data->tls_ext);
+				process_quic.quic_get_tls_ext_len(quic_data->tls_ext_length);
+				quic_data->tls_ext_set = true;
+			}
+			break;
+		}
+
+		// Update accounting for information from CH, SH.
+		toServer = get_direction_to_server_and_set_port(
+			&process_quic,
+			quic_data,
+			process_quic.quic_get_server_port(),
+			pkt,
+			new_quic_flow);
+		// fallthrough to set cids
+		[[fallthrough]];
+	case QUICParser::PACKET_TYPE::HANDSHAKE:
+		// -1 sets stores intermediately.
+		set_cid_fields(quic_data, rec, &process_quic, toServer, new_quic_flow, pkt);
+		break;
+	case QUICParser::PACKET_TYPE::RETRY:
+		quic_data->cnt_retry_packets += 1;
+		/*
+			* A client MUST accept and process at most one Retry packet for each connection
+			* attempt. After the client has received and processed an Initial or Retry packet from
+			* the server, it MUST discard any subsequent Retry packets that it receives.
+			*/
+		if (quic_data->cnt_retry_packets == 1) {
+			// Additionally set token len
+			process_quic.quic_get_scid(quic_data->retry_scid);
+			process_quic.quic_get_scid_len(quic_data->retry_scid_length);
+			// Update DCID for decryption
+			process_quic.quic_get_dcid_len(quic_data->initial_dcid_length);
+			process_quic.quic_get_scid(quic_data->initial_dcid);
+
+			process_quic.quic_get_token_length(quic_data->quic_token_length);
+		}
+
+		if (!quic_data->occid_set) {
+			process_quic.quic_get_dcid(quic_data->occid);
+			process_quic.quic_get_dcid_len(quic_data->occid_length);
+			quic_data->occid_set = true;
+		}
+
+		break;
+	case QUICParser::PACKET_TYPE::ZERO_RTT:
+		// Connection IDs are identical to Client Initial CH. The DCID might be OSCID at first
+		// and change to SCID later. We ignore the DCID.
+		if (!quic_data->occid_set) {
+			process_quic.quic_get_scid(quic_data->occid);
+			process_quic.quic_get_scid_len(quic_data->occid_length);
+			quic_data->occid_set = true;
+		}
+		break;
+	}
+
+	return QUIC_DETECTED;
+
 
 	// Test for QUIC LH packet in UDP payload
 	if (process_quic.quic_check_quic_long_header_packet(

process-plugin-api/process/quic/src/quic.hpp

@@ -17,8 +17,8 @@
 #include <processPlugin.hpp>
 #include <fieldManager.hpp>
 
-#include "burstStatsExport.hpp"
-#include "burstStatsFields.hpp"
+#include "quicExport.hpp"
+#include "quicFields.hpp"
 
 namespace ipxp {
 
@@ -47,9 +47,16 @@ class QUICPlugin : public ProcessPlugin {
 	QUICPlugin(QUICPlugin&& other) = delete;
 
 private:
-	BurstStatsExport m_exportData;
-	FieldHandlers<BurstStatsFields> m_fieldHandlers;
-	
+	QUICExport m_exportData;
+	FieldHandlers<QUICFields> m_fieldHandlers;
+
+	struct TemporaryConnectionIdBuffer {
+		boost::static_string<QUICExport::MAX_CONNECTION_ID_LENGTH> sourceConnectionId;
+		boost::static_string<QUICExport::MAX_CONNECTION_ID_LENGTH> destinationConnectionId;
+	};
+
+	DirectionalField<std::optional<TemporaryConnectionIdBuffer>> m_tempConnectionIdBuffer;
+	boost::static_string<QUICExport::MAX_CONNECTION_ID_LENGTH> m_initialConnectionId;
 };
 
 } // namespace ipxp

process-plugin-api/process/quic/src/quicDirection.hpp

@@ -0,0 +1,14 @@
+#pragma once
+
+#include <cstdint>
+
+#include <directionalField.hpp>
+
+namespace ipxp
+{
+enum class QUICDirection : uint8_t {
+    CLIENT_TO_SERVER = static_cast<uint8_t>(Direction::Forward),
+    SERVER_TO_CLIENT = static_cast<uint8_t>(Direction::Reverse),
+};
+
+} // namespace ipxp

process-plugin-api/process/quic/src/quicExport.hpp

@@ -3,7 +3,8 @@
 #include <array>
 #include <optional>
 #include <span>
-#include <boost/static_string/static_string.hpp>
+#include <boost/static_string.hpp>
+#include <boost/container/static_vector.hpp>
 
 
 #include "burst.hpp"
@@ -14,41 +15,50 @@ namespace ipxp
 struct QUICExport {
 	constexpr static std::size_t BUFFER_SIZE = 255;
 	constexpr static std::size_t MAX_CONNECTION_ID_LENGTH = 20;
+	constexpr static std::size_t MAX_PACKETS = 30;
+	constexpr static std::size_t MAX_TLS_EXTENSIONS = 30;
 
 	boost::static_string<BUFFER_SIZE> sni;
 	boost::static_string<BUFFER_SIZE> userAgent;
 	uint32_t quicVersion;
 	uint32_t quicClientVersion;
 	uint64_t quicTokenLength;
+	boost::static_string<MAX_CONNECTION_ID_LENGTH> occid;
+	boost::static_string<MAX_CONNECTION_ID_LENGTH> oscid;
+	boost::static_string<MAX_CONNECTION_ID_LENGTH> scid;
+	boost::static_string<MAX_CONNECTION_ID_LENGTH> retryScid;
+	uint8_t quicMultiplexed;
+	uint8_t quicZeroRTTCount;
+	uint8_t clientHelloParsed;
+	uint16_t serverPort;
+	boost::container::static_vector<uint8_t, MAX_PACKETS> packetTypes;
+	boost::container::static_vector<uint16_t, MAX_TLS_EXTENSIONS> tlsExtensionTypes;
+	boost::container::static_vector<uint16_t, MAX_TLS_EXTENSIONS> tlsExtensionLengths;
+
+
+
 	// We use a char as a buffer.
 	uint8_t occidLength;
 	uint8_t oscidLength;
 	uint8_t scidLength;
 	//uint8_t initial_dcid_length;
-	boost::static_string<MAX_CONNECTION_ID_LENGTH> occid;
-	boost::static_string<MAX_CONNECTION_ID_LENGTH> oscid;
-	boost::static_string<MAX_CONNECTION_ID_LENGTH> scid;
+	
 	boost::static_string<MAX_CONNECTION_ID_LENGTH> initialDestConnectionId;
-	boost::static_string<MAX_CONNECTION_ID_LENGTH> retryScid;
 	// Intermediate storage when direction is not clear
-	char dir_scid[MAX_CONNECTION_ID_LENGTH] = {0};
-	char dir_dcid[MAX_CONNECTION_ID_LENGTH] = {0};
-	char dir_scid2[MAX_CONNECTION_ID_LENGTH] = {0};
-	char dir_dcid2[MAX_CONNECTION_ID_LENGTH] = {0};
-	uint16_t dir_dport;
-	uint16_t dir_dport2;
-	uint16_t server_port;
-	uint8_t cnt_retry_packets;
-
-	uint8_t quic_multiplexed;
-	uint8_t quic_zero_rtt;
-	uint8_t pkt_types[QUIC_MAX_ELEMCOUNT];
-
-	uint16_t tls_ext_type[MAX_QUIC_TLS_EXT_LEN];
+	boost::static_string<MAX_CONNECTION_ID_LENGTH> dirScid;
+	boost::static_string<MAX_CONNECTION_ID_LENGTH> dirDcid;
+	boost::static_string<MAX_CONNECTION_ID_LENGTH> dirScid2;
+	boost::static_string<MAX_CONNECTION_ID_LENGTH> dirDcid2;
+	uint16_t dirDport;
+	uint16_t dirDport2;
+	uint8_t cntRetryPackets;
+
+
+
+	
 	uint16_t tls_ext_type_len;
 	bool tls_ext_type_set;
 
-	uint16_t tls_ext_len[MAX_QUIC_TLS_EXT_LEN];
 	uint8_t tls_ext_len_len;
 	bool tls_ext_len_set;
 
@@ -58,7 +68,6 @@ struct QUICExport {
 
 	uint8_t last_pkt_type;
 
-	uint8_t parsed_ch;
 
 	// Flags to ease decisions
 	bool occid_set;

process-plugin-api/process/quic/src/quicHeaderView.hpp

@@ -16,18 +16,18 @@ class QUICHeaderView {
     constexpr static std::size_t QUIC_MIN_PACKET_LENGTH = 8;
 
     enum class PacketType {
-        INITIAL,
+        INITIAL = 0,
         ZERO_RTT,
         HANDSHAKE,
         RETRY,
-        VERSION_NEGOTIATION
+        VERSION_NEGOTIATION = 7
     };
 
     std::byte headerForm;
     QUICVersionId versionId;
-    uint8_t destConnectionIdLength;
+    //uint8_t destConnectionIdLength;
     std::span<const uint8_t> destConnectionId;
-    uint8_t srcConnectionIdLength;
+    //uint8_t srcConnectionIdLength;
     std::span<const uint8_t> srcConnectionId;
 
     constexpr static