-
Notifications
You must be signed in to change notification settings - Fork 78
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Comprehensive Overhaul of Wireshark Integration
- Upgrade Ubuntu to version 24.04. - Upgrade Wireshark to version 4.4.1. - Integrate OpenSSL 3 with liboqs and the OQS provider. - Automate the generation of `qsc.h` using `generate_qsc_header.py`. - Organize the build with dedicated directories for sources, builds, and installations. - Migrate from Qt5 to Qt6 for improved compatibility. - Update `README.md` and `USAGE.md`.
- Loading branch information
Showing
8 changed files
with
316 additions
and
214 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,75 +1,156 @@ | ||
# Define the wireshark version to be baked in. | ||
ARG WIRESHARK_VERSION=3.4.9 | ||
# This Dockerfile builds a Wireshark image with Open Quantum Safe (OQS) support. | ||
# By integrating OQS, the resulting Wireshark build is capable of | ||
# analyzing and handling post-quantum cryptographic protocols. | ||
|
||
# Define the SSL naming convention: One of "wolfssl" and "oqs" | ||
ARG QSC_SSL_FLAVOR="oqs" | ||
# Define the base versions and tags for dependencies | ||
ARG UBUNTU_VERSION=24.04 | ||
ARG WIRESHARK_VERSION=4.4.1 | ||
ARG OPENSSL_TAG=3.4.0 | ||
ARG LIBOQS_TAG=0.11.0 | ||
ARG OQSPROVIDER_TAG=0.7.0 | ||
|
||
FROM ubuntu as intermediate | ||
ENV DEBIAN_FRONTEND noninteractive | ||
# Define Installation directory | ||
ARG INSTALLDIR=/opt/oqs | ||
|
||
# Stage 1: Building stage | ||
FROM ubuntu:${UBUNTU_VERSION} AS build | ||
|
||
LABEL version="2" | ||
|
||
ENV DEBIAN_FRONTEND=noninteractive | ||
ARG WIRESHARK_VERSION | ||
ARG QSC_SSL_FLAVOR | ||
|
||
RUN apt update && apt upgrade -y | ||
|
||
# Get all software packages required for building wireshark: | ||
RUN apt install -y gcc g++ \ | ||
libtool \ | ||
automake \ | ||
autoconf \ | ||
cmake \ | ||
ninja-build \ | ||
git \ | ||
curl \ | ||
perl \ | ||
flex \ | ||
bison \ | ||
2to3 python2-minimal python2 dh-python python-is-python3 \ | ||
python3 \ | ||
libssl-dev \ | ||
libgcrypt-dev \ | ||
libpcap-dev \ | ||
libc-ares-dev \ | ||
qtbase5-dev qttools5-dev-tools qttools5-dev qtmultimedia5-dev \ | ||
wget \ | ||
libssh-dev | ||
|
||
# Get the source and unpack it. | ||
WORKDIR /tmp | ||
RUN curl --output wireshark-${WIRESHARK_VERSION}.tar.xz https://2.na.dl.wireshark.org/src/all-versions/wireshark-${WIRESHARK_VERSION}.tar.xz && tar xmvf wireshark-${WIRESHARK_VERSION}.tar.xz | ||
|
||
WORKDIR /tmp/wireshark-${WIRESHARK_VERSION} | ||
|
||
COPY wolfssl-qsc.h wolfssl-qsc.h | ||
|
||
# Decide on QSC naming/ID mapping | ||
RUN if [ "x$QSC_SSL_FLAVOR" = "xoqs" ] ; then \ | ||
wget https://raw.githubusercontent.com/open-quantum-safe/openssl/OQS-OpenSSL_1_1_1-stable/qsc.h; \ | ||
elif [ "x$QSC_SSL_FLAVOR" = "xwolfssl" ]; then \ | ||
mv wolfssl-qsc.h qsc.h; \ | ||
else \ | ||
echo "Unknown naming convention in QSC_SSL_FLAVOR ($QSC_SSL_FLAVOR). Exiting."; \ | ||
exit 1; \ | ||
fi | ||
|
||
# Patch QSC-specific ids into wireshark code base | ||
RUN cp qsc.h epan/dissectors && \ | ||
sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-pkcs1.c && \ | ||
sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-tls-utils.c && \ | ||
sed -i "s/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");\nQSC_SIGS/g" epan/dissectors/packet-pkcs1.c && \ | ||
sed -i "s/ { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\// { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\/\nQSC_KEMS/g" epan/dissectors/packet-tls-utils.c && \ | ||
sed -i "s/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,\nQSC_SIG_CPS/g" epan/dissectors/packet-tls-utils.c | ||
|
||
# Build wireshark | ||
RUN mkdir -p build && cd build && cmake -GNinja -DCMAKE_INSTALL_PREFIX=/opt/wireshark .. && ninja && ninja install | ||
|
||
FROM ubuntu | ||
ENV DEBIAN_FRONTEND noninteractive | ||
|
||
RUN apt update && apt upgrade -y && apt install -y qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools libc-ares2 libqt5multimedia5 pcaputils libssh-dev | ||
|
||
# Only retain the ${INSTALLDIR} contents in the final image | ||
COPY --from=intermediate /opt/wireshark /opt/wireshark | ||
|
||
|
||
CMD /opt/wireshark/bin/wireshark | ||
ARG OPENSSL_TAG | ||
ARG LIBOQS_TAG | ||
ARG OQSPROVIDER_TAG | ||
ARG INSTALLDIR | ||
|
||
# Install essential build dependencies | ||
RUN apt-get update && apt-get install -y --no-install-recommends \ | ||
build-essential libtool automake autoconf cmake ninja-build \ | ||
openssl libssl-dev git wget ca-certificates \ | ||
python3 python3-pip python3-venv && \ | ||
apt-get clean && rm -rf /var/lib/apt/lists/* | ||
|
||
WORKDIR /opt | ||
# Set up isolated directories | ||
# src for source files, build for compiling, and install for final binaries | ||
RUN mkdir -p src/liboqs src/openssl src/oqs-provider src/wireshark \ | ||
build/liboqs build/openssl build/oqs-provider build/wireshark \ | ||
${INSTALLDIR}/lib ${INSTALLDIR}/bin ${INSTALLDIR}/ssl | ||
|
||
# Download sources | ||
WORKDIR /opt/src | ||
RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs.git liboqs && \ | ||
git clone --depth 1 --branch openssl-${OPENSSL_TAG} https://github.com/openssl/openssl.git openssl && \ | ||
git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git oqs-provider && \ | ||
wget -O wireshark.tar.xz https://www.wireshark.org/download/src/all-versions/wireshark-${WIRESHARK_VERSION}.tar.xz && \ | ||
tar -xf wireshark.tar.xz --strip-components=1 -C wireshark && \ | ||
rm wireshark.tar.xz | ||
|
||
# Build and install liboqs | ||
WORKDIR /opt/build/liboqs | ||
RUN cmake -G Ninja /opt/src/liboqs \ | ||
-D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/liboqs \ | ||
-D BUILD_SHARED_LIBS=ON \ | ||
-D OQS_USE_OPENSSL=OFF \ | ||
-D OQS_MINIMAL_BUILD="KEM_kyber_512;KEM_kyber_768;KEM_kyber_1024" \ | ||
-D CMAKE_INSTALL_RPATH="${INSTALLDIR}/liboqs/lib" && \ | ||
ninja -j$(nproc) && ninja install | ||
|
||
# Build OpenSSL integrated with liboqs | ||
WORKDIR /opt/build/openssl | ||
RUN LDFLAGS="-Wl,-rpath,${INSTALLDIR}/liboqs/lib" \ | ||
/opt/src/openssl/config \ | ||
--prefix=${INSTALLDIR}/openssl \ | ||
--openssldir=${INSTALLDIR}/ssl \ | ||
shared && \ | ||
make -j$(nproc) && \ | ||
make install_sw install_ssldirs | ||
|
||
# Build OQS provider for OpenSSL integration | ||
WORKDIR /opt/build/oqs-provider | ||
RUN cmake -G Ninja \ | ||
-D OPENSSL_ROOT_DIR=${INSTALLDIR}/openssl \ | ||
-D CMAKE_PREFIX_PATH="${INSTALLDIR}/openssl;${INSTALLDIR}/liboqs" \ | ||
-D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/oqs-provider \ | ||
-D CMAKE_INSTALL_RPATH="${INSTALLDIR}/openssl/lib:${INSTALLDIR}/liboqs/lib" \ | ||
/opt/src/oqs-provider && \ | ||
ninja -j$(nproc) && \ | ||
mkdir -p ${INSTALLDIR}/openssl/lib/ossl-modules && \ | ||
cp /opt/build/oqs-provider/lib/oqsprovider.so ${INSTALLDIR}/openssl/lib/ossl-modules | ||
|
||
# Set up OpenSSL to load the OQS provider | ||
RUN CONFIG_FILE="${INSTALLDIR}/ssl/openssl.cnf" && \ | ||
sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" "$CONFIG_FILE" && \ | ||
sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" "$CONFIG_FILE" | ||
|
||
# Using a script from Wireshark to install required build dependencies | ||
WORKDIR /opt/src/wireshark | ||
RUN ./tools/debian-setup.sh -y | ||
|
||
# Generate `qsc.h` | ||
WORKDIR ${INSTALLDIR} | ||
RUN cp /opt/src/oqs-provider/oqs-template/generate.yml ${INSTALLDIR} | ||
COPY generate_qsc_header.py ${INSTALLDIR} | ||
COPY qsc_template.jinja2 ${INSTALLDIR} | ||
COPY requirements.txt ${INSTALLDIR} | ||
|
||
RUN python3 -m venv ${INSTALLDIR}/venv && \ | ||
. ${INSTALLDIR}/venv/bin/activate && \ | ||
pip install -r requirements.txt && \ | ||
python ${INSTALLDIR}/generate_qsc_header.py && \ | ||
deactivate | ||
|
||
RUN cp ${INSTALLDIR}/qsc.h /opt/src/wireshark/epan/dissectors/ | ||
|
||
# Modify Wireshark source files for post-quantum definitions | ||
WORKDIR /opt/src/wireshark | ||
RUN sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-pkcs1.c && \ | ||
sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-tls-utils.c && \ | ||
sed -i "s/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");\nQSC_SIGS/g" epan/dissectors/packet-pkcs1.c && \ | ||
sed -i "s/ { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\// { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\/\nQSC_KEMS/g" epan/dissectors/packet-tls-utils.c && \ | ||
sed -i "s/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,\nQSC_SIG_CPS/g" epan/dissectors/packet-tls-utils.c | ||
|
||
# Build and install Wireshark | ||
WORKDIR /opt/build/wireshark | ||
RUN cmake -G Ninja /opt/src/wireshark \ | ||
-D QT5=OFF \ | ||
-D QT6=ON \ | ||
-D CMAKE_BUILD_TYPE=Release \ | ||
-D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/wireshark \ | ||
-D CMAKE_PREFIX_PATH="${INSTALLDIR}/openssl;${INSTALLDIR}/liboqs" \ | ||
-D CMAKE_INSTALL_RPATH="${INSTALLDIR}/openssl/lib:${INSTALLDIR}/liboqs/lib" && \ | ||
ninja -j$(nproc) && ninja install | ||
|
||
# Test integration of OQS provider with OpenSSL | ||
WORKDIR /opt/src/oqs-provider | ||
ENV OPENSSL_CONF=${INSTALLDIR}/ssl/openssl.cnf | ||
ENV OPENSSL_MODULES=${INSTALLDIR}/openssl/lib/ossl-modules | ||
RUN mkdir -p _build | ||
RUN ./scripts/runtests.sh -j$(nproc) | ||
|
||
# Stage 2: Minimal runtime image | ||
FROM ubuntu:${UBUNTU_VERSION} AS runtime | ||
|
||
ENV DEBIAN_FRONTEND=noninteractive | ||
ARG INSTALLDIR | ||
|
||
# Install necessary runtime dependencies | ||
RUN apt-get update && apt-get install -y --no-install-recommends \ | ||
libc-ares2 pcaputils libssh-4 libgcrypt20 \ | ||
libglib2.0-0 libpcap0.8 libspeexdsp1 zlib1g \ | ||
libqt6core6 libqt6gui6 libqt6widgets6 libqt6printsupport6 \ | ||
libqt6core5compat6 libqt6dbus6 libqt6multimedia6 libgpg-error0 && \ | ||
apt-get clean && rm -rf /var/lib/apt/lists/* | ||
|
||
ENV PATH="${INSTALLDIR}/wireshark/bin:${INSTALLDIR}/openssl/bin:${PATH}" | ||
ENV OPENSSL_CONF=${INSTALLDIR}/ssl/openssl.cnf | ||
ENV OPENSSL_MODULES=${INSTALLDIR}/openssl/lib/ossl-modules | ||
|
||
# Copy essential files from build stage | ||
COPY --from=build ${INSTALLDIR}/wireshark ${INSTALLDIR}/wireshark | ||
COPY --from=build ${INSTALLDIR}/openssl ${INSTALLDIR}/openssl | ||
COPY --from=build ${INSTALLDIR}/liboqs ${INSTALLDIR}/liboqs | ||
COPY --from=build ${INSTALLDIR}/ssl ${INSTALLDIR}/ssl | ||
|
||
CMD ["wireshark"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,31 +1,81 @@ | ||
# DEPRECATED | ||
This project provides a Docker image to build [Wireshark](https://www.wireshark.org/) with quantum-safe cryptography | ||
support through the [Open Quantum Safe (OQS) provider](https://github.com/open-quantum-safe/oqs-provider). This Docker | ||
image allows Wireshark to analyze network traffic encrypted with post-quantum cryptographic protocols. | ||
|
||
> [!Warning] | ||
> This integration is currently not supported due to [the end of life of oqs-openssl111](https://github.com/open-quantum-safe/openssl#warning). | ||
## System Requirements | ||
|
||
This directory contains a Dockerfile that builds wireshark that is patched to understand the OIDs and codepoints in TLS 1.3 that are supported by OQS-OpenSSL. | ||
- **Docker**: Ensure [Docker](https://docs.docker.com/get-docker/) is installed and running on your system. | ||
- **X-Window System (for GUI Display)**: | ||
- **Linux**: | ||
- Run the following commands to allow Docker to access the display: | ||
``` | ||
xhost +local | ||
export DISPLAY=:0 | ||
``` | ||
- **Windows**: | ||
- Install an X server such as [VcXsrv](https://sourceforge.net/projects/vcxsrv/) and configure it with the | ||
following options: | ||
- **Disable access control** | ||
- **Disable native OpenGL** | ||
- In PowerShell, set the display environment variable: | ||
``` | ||
$env:DISPLAY="<your_host_ip>:0" | ||
``` | ||
- **macOS**: | ||
- Install an X server, such as [XQuartz](https://www.xquartz.org), and start it. | ||
- Run the following command in the terminal to allow Docker to access the display: | ||
``` | ||
xhost + | ||
``` | ||
- Set the display environment variable in the terminal: | ||
``` | ||
export DISPLAY=<your_host_ip>:0 | ||
``` | ||
## Quick start | ||
**Notes**: | ||
1) Be sure to have [docker installed](https://docs.docker.com/install). | ||
2) Run `docker build -t openquantumsafe/wireshark .` to create an QSC-enabled (codepoint and OID aware) wireshark docker image. | ||
- **macOS** support has not been tested yet. We welcome your feedback and suggestions. Please reach us through | ||
the [oqs-demos issue section](https://github.com/open-quantum-safe/oqs-demos/issues). | ||
- Replace `<your_host_ip>` with your system's IP address. Use `:0` as the default display port unless configured | ||
otherwise. | ||
## Usage | ||
## Building Instructions | ||
Run the following commands to build and launch Wireshark with OQS support: | ||
``` | ||
git clone https://github.com/open-quantum-safe/oqs-demos | ||
cd oqs-demos/wireshark | ||
docker build -t oqs-wireshark . | ||
docker run --rm -it --net=host -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix oqs-wireshark | ||
``` | ||
Information how to use the image is [available in the separate file USAGE.md](USAGE.md). | ||
### Explanation of Docker Options | ||
## Build options | ||
- `--net=host`: Shares the host network with the container. | ||
- `-e DISPLAY`: Sets the display variable for GUI. | ||
- `-v /tmp/.X11-unix:/tmp/.X11-unix`: Mounts the X11 Unix socket for GUI access. | ||
The Dockerfile provided allows for customization of the image built: | ||
## Project Components | ||
### WIRESHARK_VERSION | ||
1. **Dockerfile**: Builds Wireshark with OpenSSL, liboqs, and OQS provider. | ||
2. **generate_qsc_header.py**: Processes `oqs-provider/oqs-template/generate.yml` with the `qsc_template.jinja2` to | ||
generate `qsc.h`, | ||
defining post-quantum KEMs and SIGs for Wireshark. | ||
## Usage | ||
This permits changing the wireshark code base to be used. | ||
For detailed usage instructions, refer to [USAGE.md](USAGE.md). | ||
Tested default value is "3.4.9". | ||
## Build Configuration and Updates | ||
### QSC_SSL_FLAVOR | ||
Customize the build using the following Dockerfile arguments: | ||
Different quantum-safe TLS implementations have different names for the same algorithms. This option permits switching between them. Permitted values are "oqs" and "wolfssl". | ||
- **`UBUNTU_VERSION`**: Specifies the Ubuntu version. | ||
- **`WIRESHARK_VERSION`**: Defines the Wireshark version to build. | ||
- **`OPENSSL_TAG`**: Sets the OpenSSL version to build. | ||
- **`LIBOQS_TAG`**: Specifies the liboqs version to include. | ||
- **`OQSPROVIDER_TAG`**: Defines the Open Quantum Safe provider version. | ||
- **`INSTALLDIR`**: Sets the installation path for OQS libraries. | ||
Default is "oqs". | ||
To keep the build up-to-date, update the arguments as needed to include the latest versions. |
Oops, something went wrong.