-
Notifications
You must be signed in to change notification settings - Fork 77
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Comprehensive Overhaul of Wireshark Integration
- Upgrade Ubuntu to version 24.04. - Upgrade Wireshark to version 4.4.1. - Integrate OpenSSL 3 with liboqs and the OQS provider. - Automate the generation of `qsc.h` using `generate_qsc_header.py`. - Organize the build with dedicated directories for sources, builds, and installations. - Migrate from Qt5 to Qt6 for improved compatibility. - Update `README.md` and remove `USAGE.md`. Signed-off-by: Khalid <[email protected]> Update README Signed-off-by: Khalid <[email protected]> Refactor qsc.h generation using Jinja2 template Signed-off-by: Khalid <[email protected]> Update README.md
- Loading branch information
Showing
8 changed files
with
285 additions
and
225 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,75 +1,144 @@ | ||
# Define the wireshark version to be baked in. | ||
ARG WIRESHARK_VERSION=3.4.9 | ||
# This Dockerfile builds a Wireshark image with Open Quantum Safe (OQS) support. | ||
# By integrating OQS, the resulting Wireshark build is capable of | ||
# analyzing and handling post-quantum cryptographic protocols. | ||
|
||
# Define the SSL naming convention: One of "wolfssl" and "oqs" | ||
ARG QSC_SSL_FLAVOR="oqs" | ||
ARG UBUNTU_VERSION=24.04 | ||
ARG WIRESHARK_VERSION=4.4.1 | ||
ARG INSTALLDIR=/opt/oqs | ||
|
||
FROM ubuntu as intermediate | ||
ENV DEBIAN_FRONTEND noninteractive | ||
# Stage 1: Building stage | ||
FROM ubuntu:${UBUNTU_VERSION} AS build | ||
|
||
ENV DEBIAN_FRONTEND=noninteractive | ||
ARG WIRESHARK_VERSION | ||
ARG QSC_SSL_FLAVOR | ||
|
||
RUN apt update && apt upgrade -y | ||
|
||
# Get all software packages required for building wireshark: | ||
RUN apt install -y gcc g++ \ | ||
libtool \ | ||
automake \ | ||
autoconf \ | ||
cmake \ | ||
ninja-build \ | ||
git \ | ||
curl \ | ||
perl \ | ||
flex \ | ||
bison \ | ||
2to3 python2-minimal python2 dh-python python-is-python3 \ | ||
python3 \ | ||
libssl-dev \ | ||
libgcrypt-dev \ | ||
libpcap-dev \ | ||
libc-ares-dev \ | ||
qtbase5-dev qttools5-dev-tools qttools5-dev qtmultimedia5-dev \ | ||
wget \ | ||
libssh-dev | ||
|
||
# Get the source and unpack it. | ||
WORKDIR /tmp | ||
RUN curl --output wireshark-${WIRESHARK_VERSION}.tar.xz https://2.na.dl.wireshark.org/src/all-versions/wireshark-${WIRESHARK_VERSION}.tar.xz && tar xmvf wireshark-${WIRESHARK_VERSION}.tar.xz | ||
|
||
WORKDIR /tmp/wireshark-${WIRESHARK_VERSION} | ||
|
||
COPY wolfssl-qsc.h wolfssl-qsc.h | ||
|
||
# Decide on QSC naming/ID mapping | ||
RUN if [ "x$QSC_SSL_FLAVOR" = "xoqs" ] ; then \ | ||
wget https://raw.githubusercontent.com/open-quantum-safe/openssl/OQS-OpenSSL_1_1_1-stable/qsc.h; \ | ||
elif [ "x$QSC_SSL_FLAVOR" = "xwolfssl" ]; then \ | ||
mv wolfssl-qsc.h qsc.h; \ | ||
else \ | ||
echo "Unknown naming convention in QSC_SSL_FLAVOR ($QSC_SSL_FLAVOR). Exiting."; \ | ||
exit 1; \ | ||
fi | ||
|
||
# Patch QSC-specific ids into wireshark code base | ||
RUN cp qsc.h epan/dissectors && \ | ||
sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-pkcs1.c && \ | ||
sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-tls-utils.c && \ | ||
sed -i "s/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");\nQSC_SIGS/g" epan/dissectors/packet-pkcs1.c && \ | ||
sed -i "s/ { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\// { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\/\nQSC_KEMS/g" epan/dissectors/packet-tls-utils.c && \ | ||
sed -i "s/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,\nQSC_SIG_CPS/g" epan/dissectors/packet-tls-utils.c | ||
|
||
# Build wireshark | ||
RUN mkdir -p build && cd build && cmake -GNinja -DCMAKE_INSTALL_PREFIX=/opt/wireshark .. && ninja && ninja install | ||
|
||
FROM ubuntu | ||
ENV DEBIAN_FRONTEND noninteractive | ||
|
||
RUN apt update && apt upgrade -y && apt install -y qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools libc-ares2 libqt5multimedia5 pcaputils libssh-dev | ||
|
||
# Only retain the ${INSTALLDIR} contents in the final image | ||
COPY --from=intermediate /opt/wireshark /opt/wireshark | ||
|
||
|
||
CMD /opt/wireshark/bin/wireshark | ||
ARG INSTALLDIR | ||
|
||
# Install essential build dependencies | ||
RUN apt-get update && apt-get install -y --no-install-recommends \ | ||
build-essential libtool automake autoconf cmake ninja-build \ | ||
openssl libssl-dev git wget ca-certificates \ | ||
python3 python3-pip python3-venv && \ | ||
apt-get clean && rm -rf /var/lib/apt/lists/* | ||
|
||
WORKDIR /opt | ||
# Set up isolated directories | ||
# src for source files, build for compiling, and install for final binaries | ||
RUN mkdir -p src/liboqs src/openssl src/oqs-provider src/wireshark \ | ||
build/liboqs build/openssl build/oqs-provider build/wireshark \ | ||
${INSTALLDIR}/lib ${INSTALLDIR}/bin ${INSTALLDIR}/ssl | ||
|
||
# Download sources | ||
WORKDIR /opt/src | ||
RUN git clone --depth 1 https://github.com/open-quantum-safe/liboqs.git liboqs && \ | ||
git clone --depth 1 --branch master https://github.com/openssl/openssl.git openssl && \ | ||
git clone --depth 1 https://github.com/open-quantum-safe/oqs-provider.git oqs-provider && \ | ||
wget -O wireshark.tar.xz https://www.wireshark.org/download/src/all-versions/wireshark-${WIRESHARK_VERSION}.tar.xz && \ | ||
tar -xf wireshark.tar.xz --strip-components=1 -C wireshark && \ | ||
rm wireshark.tar.xz | ||
|
||
# Build and install liboqs | ||
WORKDIR /opt/build/liboqs | ||
RUN cmake -G Ninja /opt/src/liboqs \ | ||
-D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/liboqs \ | ||
-D BUILD_SHARED_LIBS=ON \ | ||
-D OQS_USE_OPENSSL=OFF \ | ||
-D CMAKE_INSTALL_RPATH="${INSTALLDIR}/liboqs/lib" && \ | ||
ninja -j$(nproc) && ninja install | ||
|
||
# Build OpenSSL integrated with liboqs | ||
WORKDIR /opt/build/openssl | ||
RUN LDFLAGS="-Wl,-rpath,${INSTALLDIR}/liboqs/lib" \ | ||
/opt/src/openssl/config \ | ||
--prefix=${INSTALLDIR}/openssl \ | ||
--openssldir=${INSTALLDIR}/ssl \ | ||
shared && \ | ||
make -j$(nproc) && \ | ||
make install_sw install_ssldirs | ||
|
||
# Build OQS provider for OpenSSL integration | ||
WORKDIR /opt/build/oqs-provider | ||
RUN cmake -G Ninja \ | ||
-D OPENSSL_ROOT_DIR=${INSTALLDIR}/openssl \ | ||
-D CMAKE_PREFIX_PATH="${INSTALLDIR}/openssl;${INSTALLDIR}/liboqs" \ | ||
-D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/oqs-provider \ | ||
-D CMAKE_INSTALL_RPATH="${INSTALLDIR}/openssl/lib:${INSTALLDIR}/liboqs/lib" \ | ||
/opt/src/oqs-provider && \ | ||
ninja -j$(nproc) && \ | ||
mkdir -p ${INSTALLDIR}/openssl/lib/ossl-modules && \ | ||
cp /opt/build/oqs-provider/lib/oqsprovider.so ${INSTALLDIR}/openssl/lib/ossl-modules | ||
|
||
# Set up OpenSSL to load the OQS provider | ||
RUN CONFIG_FILE="${INSTALLDIR}/ssl/openssl.cnf" && \ | ||
sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" "$CONFIG_FILE" && \ | ||
sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" "$CONFIG_FILE" | ||
|
||
# Using a script from Wireshark to install required build dependencies | ||
WORKDIR /opt/src/wireshark | ||
RUN ./tools/debian-setup.sh -y | ||
|
||
# Generate `qsc.h` | ||
WORKDIR ${INSTALLDIR} | ||
RUN cp /opt/src/oqs-provider/oqs-template/generate.yml ${INSTALLDIR} | ||
COPY generate_qsc_header.py ${INSTALLDIR} | ||
COPY qsc_template.jinja2 ${INSTALLDIR} | ||
COPY requirements.txt ${INSTALLDIR} | ||
|
||
RUN python3 -m venv ${INSTALLDIR}/venv && \ | ||
. ${INSTALLDIR}/venv/bin/activate && \ | ||
pip install -r requirements.txt && \ | ||
python ${INSTALLDIR}/generate_qsc_header.py && \ | ||
deactivate | ||
|
||
RUN cp ${INSTALLDIR}/qsc.h /opt/src/wireshark/epan/dissectors/ | ||
|
||
# Modify Wireshark source files for post-quantum definitions | ||
WORKDIR /opt/src/wireshark | ||
RUN sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-pkcs1.c && \ | ||
sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-tls-utils.c && \ | ||
sed -i "s/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");\nQSC_SIGS/g" epan/dissectors/packet-pkcs1.c && \ | ||
sed -i "s/ { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\// { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\/\nQSC_KEMS/g" epan/dissectors/packet-tls-utils.c && \ | ||
sed -i "s/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,\nQSC_SIG_CPS/g" epan/dissectors/packet-tls-utils.c | ||
|
||
# Build and install Wireshark | ||
WORKDIR /opt/build/wireshark | ||
RUN cmake -G Ninja /opt/src/wireshark \ | ||
-D QT5=OFF \ | ||
-D QT6=ON \ | ||
-D CMAKE_BUILD_TYPE=Release \ | ||
-D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/wireshark \ | ||
-D CMAKE_PREFIX_PATH="${INSTALLDIR}/openssl;${INSTALLDIR}/liboqs" \ | ||
-D CMAKE_INSTALL_RPATH="${INSTALLDIR}/openssl/lib:${INSTALLDIR}/liboqs/lib" && \ | ||
ninja -j$(nproc) && ninja install | ||
|
||
# Test integration of OQS provider with OpenSSL | ||
WORKDIR /opt/src/oqs-provider | ||
ENV OPENSSL_CONF=${INSTALLDIR}/ssl/openssl.cnf | ||
ENV OPENSSL_MODULES=${INSTALLDIR}/openssl/lib/ossl-modules | ||
RUN mkdir -p _build | ||
RUN ./scripts/runtests.sh -j$(nproc) | ||
|
||
# Stage 2: Minimal runtime image | ||
FROM ubuntu:${UBUNTU_VERSION} AS runtime | ||
|
||
ENV DEBIAN_FRONTEND=noninteractive | ||
ARG INSTALLDIR | ||
|
||
# Install necessary runtime dependencies | ||
RUN apt-get update && apt-get install -y --no-install-recommends \ | ||
libc-ares2 pcaputils libssh-4 libgcrypt20 \ | ||
libglib2.0-0 libpcap0.8 libspeexdsp1 zlib1g \ | ||
libqt6core6 libqt6gui6 libqt6widgets6 libqt6printsupport6 \ | ||
libqt6core5compat6 libqt6dbus6 libqt6multimedia6 libgpg-error0 && \ | ||
apt-get clean && rm -rf /var/lib/apt/lists/* | ||
|
||
ENV PATH="${INSTALLDIR}/wireshark/bin:${INSTALLDIR}/openssl/bin:${PATH}" | ||
ENV OPENSSL_CONF=${INSTALLDIR}/ssl/openssl.cnf | ||
ENV OPENSSL_MODULES=${INSTALLDIR}/openssl/lib/ossl-modules | ||
|
||
# Copy essential files from build stage | ||
COPY --from=build ${INSTALLDIR}/wireshark ${INSTALLDIR}/wireshark | ||
COPY --from=build ${INSTALLDIR}/openssl ${INSTALLDIR}/openssl | ||
COPY --from=build ${INSTALLDIR}/liboqs ${INSTALLDIR}/liboqs | ||
COPY --from=build ${INSTALLDIR}/ssl ${INSTALLDIR}/ssl | ||
|
||
CMD ["wireshark"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,26 +1,91 @@ | ||
This directory contains a Dockerfile that builds wireshark that is patched to understand the OIDs and codepoints in TLS 1.3 that are supported by OQS-OpenSSL. | ||
This project provides a Docker image to build [Wireshark](https://www.wireshark.org/) with quantum-safe cryptography | ||
support through the [Open Quantum Safe (OQS) provider](https://github.com/open-quantum-safe/oqs-provider). This Docker | ||
image allows Wireshark to analyze network traffic encrypted with post-quantum cryptographic protocols. | ||
|
||
## Quick start | ||
## Table of Contents | ||
|
||
1) Be sure to have [docker installed](https://docs.docker.com/install). | ||
2) Run `docker build -t openquantumsafe/wireshark .` to create an QSC-enabled (codepoint and OID aware) wireshark docker image. | ||
1. [System Requirements](#system-requirements) | ||
2. [Quick Start Guide](#quick-start-guide) | ||
3. [Project Components](#project-components) | ||
4. [Running Wireshark with OQS](#running-wireshark-with-oqs) | ||
- [Explanation of Docker Options](#explanation-of-docker-options) | ||
5. [Testing Quantum-Safe Protocols](#testing-quantum-safe-protocols) | ||
6[Build Configuration and Updates](#build-configuration-and-updates) | ||
|
||
## Usage | ||
## System Requirements | ||
|
||
Information how to use the image is [available in the separate file USAGE.md](USAGE.md). | ||
- **Docker**: Ensure [Docker](https://docs.docker.com/get-docker/) is installed and running on your system. | ||
- **X-Window System (for GUI Display)**: | ||
- **Linux**: Run `xhost +si:localuser:$USER` to allow Docker to access the display. | ||
- **Windows/macOS**: Install an X server such as [VcXsrv](https://sourceforge.net/projects/vcxsrv/) (Windows) | ||
or [XQuartz](https://www.xquartz.org/) (macOS) and start it, ensuring to **disable access control** and **disable | ||
native OpenGL**. | ||
|
||
## Build options | ||
## Quick Start Guide | ||
|
||
The Dockerfile provided allows for customization of the image built: | ||
```bash | ||
git clone https://github.com/open-quantum-safe/oqs-demos | ||
cd oqs-demos/wireshark | ||
docker build -t wireshark-oqs . | ||
docker run --rm -it --net=host -e DISPLAY=<your_host_ip>:<your_display_port> -v /tmp/.X11-unix:/tmp/.X11-unix wireshark-oqs | ||
``` | ||
|
||
### WIRESHARK_VERSION | ||
Replace `<your_host_ip>` with your IP address (e.g., `192.168.x.x`) and `<your_display_port>` with your display port, | ||
typically `:0`. | ||
|
||
This permits changing the wireshark code base to be used. | ||
## Project Components | ||
|
||
Tested default value is "3.4.9". | ||
1. **Dockerfile**: Builds Wireshark with OpenSSL, liboqs, and OQS provider. | ||
2. **generate_qsc_header.py**: Processes `oqs-provider/oqs-template/generate.yml` with the `qsc_template.jinja2` to generate `qsc.h`, | ||
defining post-quantum KEMs and SIGs for Wireshark. | ||
|
||
### QSC_SSL_FLAVOR | ||
## Running Wireshark | ||
|
||
Different quantum-safe TLS implementations have different names for the same algorithms. This option permits switching between them. Permitted values are "oqs" and "wolfssl". | ||
You can run the Wireshark Docker container on Linux, Windows, or macOS using the following command: | ||
|
||
Default is "oqs". | ||
```bash | ||
docker run --rm -it --net=host -e DISPLAY=<your_host_ip>:<your_display_port> -v /tmp/.X11-unix:/tmp/.X11-unix wireshark-oqs | ||
``` | ||
Replace `<your_host_ip>` with your IP address (e.g., `192.168.x.x`) and `<your_display_port>` with your display port, | ||
typically `:0`. | ||
|
||
### Explanation of Docker Options | ||
|
||
- `--net=host`: Shares the host network with the container. | ||
- `-e DISPLAY`: Sets the display variable for GUI. | ||
- `-v /tmp/.X11-unix:/tmp/.X11-unix`: Mounts the X11 Unix socket for GUI access. | ||
|
||
## Testing Quantum-Safe Protocols | ||
|
||
Once Wireshark is running, you can capture and filter quantum-safe cryptographic traffic. | ||
At https://test.openquantumsafe.org, most quantum-safe algorithms from the NIST PQC competition are available for TLS | ||
testing. As a client, we recommend using an OQS-enabled curl Docker image for a quick test. | ||
|
||
1. **Filter by Quantum-Safe Protocols**: Use the following Wireshark display filter: | ||
```plaintext | ||
tls && ip.addr == <test.openquantumsafe.org IP> | ||
``` | ||
Replace `<test.openquantumsafe.org IP>` with the IP address of `test.openquantumsafe.org`. | ||
|
||
2. **Test Quantum-Safe Connections**: | ||
```bash | ||
docker run -it openquantumsafe/curl sh -c "curl -k https://test.openquantumsafe.org:6069 --curves kyber1024" | ||
``` | ||
You can replace the port (e.g., `6069`) and the algorithm (e.g., `kyber1024`) in the command with the corresponding | ||
values from the [Open Quantum Safe test page](https://test.openquantumsafe.org/). | ||
|
||
## Build Configuration and Updates | ||
|
||
Customize the build using the following Dockerfile arguments: | ||
|
||
- **`UBUNTU_VERSION`**: Specifies the Ubuntu version (default: latest stable). | ||
- **`WIRESHARK_VERSION`**: Defines the Wireshark version to build. | ||
- **`INSTALLDIR`**: Sets the installation path for OQS libraries (default: `/opt/oqs`). | ||
|
||
Use `--build-arg ARG_NAME=value` in the `docker build` command to adjust these values. | ||
|
||
To keep the build up-to-date, the `Dockerfile` and `generate_qsc_header.py` are designed for easy updates: | ||
|
||
- Update the Ubuntu and Wireshark versions by modifying the `UBUNTU_VERSION` and `WIRESHARK_VERSION` arguments. | ||
- The `generate_qsc_header.py` script automatically fetches new OQS algorithms, ensuring the latest definitions are | ||
included. |
This file was deleted.
Oops, something went wrong.
Oops, something went wrong.