Comprehensive Overhaul of Wireshark Integration
- Upgrade Ubuntu to version 24.04.
- Upgrade Wireshark to version 4.4.1.
- Integrate OpenSSL 3 with liboqs and the OQS provider.
- Automate the generation of `qsc.h` using `generate_qsc_header.py`.
- Organize the build with dedicated directories for sources, builds, and installations.
- Migrate from Qt5 to Qt6 for improved compatibility.
- Update `README.md` and remove `USAGE.md`.

Signed-off-by: Khalid <[email protected]>

Update README

Signed-off-by: Khalid <[email protected]>

Refactor qsc.h generation using Jinja2 template

Signed-off-by: Khalid <[email protected]>

Update README.md
Hawazyn committed Nov 14, 2024
1 parent 22966f6 commit 668f742
Showing 8 changed files with 285 additions and 225 deletions.
211 changes: 140 additions & 71 deletions wireshark/Dockerfile
100755 → 100644
@@ -1,75 +1,144 @@
# Define the wireshark version to be baked in.
ARG WIRESHARK_VERSION=3.4.9
# This Dockerfile builds a Wireshark image with Open Quantum Safe (OQS) support.
# By integrating OQS, the resulting Wireshark build is capable of
# analyzing and handling post-quantum cryptographic protocols.

# Define the SSL naming convention: One of "wolfssl" and "oqs"
ARG QSC_SSL_FLAVOR="oqs"
ARG UBUNTU_VERSION=24.04
ARG WIRESHARK_VERSION=4.4.1
ARG INSTALLDIR=/opt/oqs

FROM ubuntu as intermediate
ENV DEBIAN_FRONTEND noninteractive
# Stage 1: Building stage
FROM ubuntu:${UBUNTU_VERSION} AS build

ENV DEBIAN_FRONTEND=noninteractive
ARG WIRESHARK_VERSION
ARG QSC_SSL_FLAVOR

RUN apt update && apt upgrade -y

# Get all software packages required for building wireshark:
RUN apt install -y gcc g++ \
libtool \
automake \
autoconf \
cmake \
ninja-build \
git \
curl \
perl \
flex \
bison \
2to3 python2-minimal python2 dh-python python-is-python3 \
python3 \
libssl-dev \
libgcrypt-dev \
libpcap-dev \
libc-ares-dev \
qtbase5-dev qttools5-dev-tools qttools5-dev qtmultimedia5-dev \
wget \
libssh-dev

# Get the source and unpack it.
WORKDIR /tmp
RUN curl --output wireshark-${WIRESHARK_VERSION}.tar.xz https://2.na.dl.wireshark.org/src/all-versions/wireshark-${WIRESHARK_VERSION}.tar.xz && tar xmvf wireshark-${WIRESHARK_VERSION}.tar.xz

WORKDIR /tmp/wireshark-${WIRESHARK_VERSION}

COPY wolfssl-qsc.h wolfssl-qsc.h

# Decide on QSC naming/ID mapping
RUN if [ "x$QSC_SSL_FLAVOR" = "xoqs" ] ; then \
wget https://raw.githubusercontent.com/open-quantum-safe/openssl/OQS-OpenSSL_1_1_1-stable/qsc.h; \
elif [ "x$QSC_SSL_FLAVOR" = "xwolfssl" ]; then \
mv wolfssl-qsc.h qsc.h; \
else \
echo "Unknown naming convention in QSC_SSL_FLAVOR ($QSC_SSL_FLAVOR). Exiting."; \
exit 1; \
fi

# Patch QSC-specific ids into wireshark code base
RUN cp qsc.h epan/dissectors && \
sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-pkcs1.c && \
sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-tls-utils.c && \
sed -i "s/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");\nQSC_SIGS/g" epan/dissectors/packet-pkcs1.c && \
sed -i "s/ { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\// { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\/\nQSC_KEMS/g" epan/dissectors/packet-tls-utils.c && \
sed -i "s/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,\nQSC_SIG_CPS/g" epan/dissectors/packet-tls-utils.c

# Build wireshark
RUN mkdir -p build && cd build && cmake -GNinja -DCMAKE_INSTALL_PREFIX=/opt/wireshark .. && ninja && ninja install

FROM ubuntu
ENV DEBIAN_FRONTEND noninteractive

RUN apt update && apt upgrade -y && apt install -y qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools libc-ares2 libqt5multimedia5 pcaputils libssh-dev

# Only retain the ${INSTALLDIR} contents in the final image
COPY --from=intermediate /opt/wireshark /opt/wireshark


CMD /opt/wireshark/bin/wireshark
ARG INSTALLDIR

# Install essential build dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
build-essential libtool automake autoconf cmake ninja-build \
openssl libssl-dev git wget ca-certificates \
python3 python3-pip python3-venv && \
apt-get clean && rm -rf /var/lib/apt/lists/*

WORKDIR /opt
# Set up isolated directories
# src for source files, build for compiling, and install for final binaries
RUN mkdir -p src/liboqs src/openssl src/oqs-provider src/wireshark \
build/liboqs build/openssl build/oqs-provider build/wireshark \
${INSTALLDIR}/lib ${INSTALLDIR}/bin ${INSTALLDIR}/ssl

# Download sources
WORKDIR /opt/src
RUN git clone --depth 1 https://github.com/open-quantum-safe/liboqs.git liboqs && \
git clone --depth 1 --branch master https://github.com/openssl/openssl.git openssl && \
git clone --depth 1 https://github.com/open-quantum-safe/oqs-provider.git oqs-provider && \
wget -O wireshark.tar.xz https://www.wireshark.org/download/src/all-versions/wireshark-${WIRESHARK_VERSION}.tar.xz && \
tar -xf wireshark.tar.xz --strip-components=1 -C wireshark && \
rm wireshark.tar.xz

# Build and install liboqs
WORKDIR /opt/build/liboqs
RUN cmake -G Ninja /opt/src/liboqs \
-D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/liboqs \
-D BUILD_SHARED_LIBS=ON \
-D OQS_USE_OPENSSL=OFF \
-D CMAKE_INSTALL_RPATH="${INSTALLDIR}/liboqs/lib" && \
ninja -j$(nproc) && ninja install

# Build OpenSSL integrated with liboqs
WORKDIR /opt/build/openssl
RUN LDFLAGS="-Wl,-rpath,${INSTALLDIR}/liboqs/lib" \
/opt/src/openssl/config \
--prefix=${INSTALLDIR}/openssl \
--openssldir=${INSTALLDIR}/ssl \
shared && \
make -j$(nproc) && \
make install_sw install_ssldirs

# Build OQS provider for OpenSSL integration
WORKDIR /opt/build/oqs-provider
RUN cmake -G Ninja \
-D OPENSSL_ROOT_DIR=${INSTALLDIR}/openssl \
-D CMAKE_PREFIX_PATH="${INSTALLDIR}/openssl;${INSTALLDIR}/liboqs" \
-D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/oqs-provider \
-D CMAKE_INSTALL_RPATH="${INSTALLDIR}/openssl/lib:${INSTALLDIR}/liboqs/lib" \
/opt/src/oqs-provider && \
ninja -j$(nproc) && \
mkdir -p ${INSTALLDIR}/openssl/lib/ossl-modules && \
cp /opt/build/oqs-provider/lib/oqsprovider.so ${INSTALLDIR}/openssl/lib/ossl-modules

# Set up OpenSSL to load the OQS provider
RUN CONFIG_FILE="${INSTALLDIR}/ssl/openssl.cnf" && \
sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" "$CONFIG_FILE" && \
sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" "$CONFIG_FILE"

# Using a script from Wireshark to install required build dependencies
WORKDIR /opt/src/wireshark
RUN ./tools/debian-setup.sh -y

# Generate `qsc.h`
WORKDIR ${INSTALLDIR}
RUN cp /opt/src/oqs-provider/oqs-template/generate.yml ${INSTALLDIR}
COPY generate_qsc_header.py ${INSTALLDIR}
COPY qsc_template.jinja2 ${INSTALLDIR}
COPY requirements.txt ${INSTALLDIR}

RUN python3 -m venv ${INSTALLDIR}/venv && \
. ${INSTALLDIR}/venv/bin/activate && \
pip install -r requirements.txt && \
python ${INSTALLDIR}/generate_qsc_header.py && \
deactivate

RUN cp ${INSTALLDIR}/qsc.h /opt/src/wireshark/epan/dissectors/

# Modify Wireshark source files for post-quantum definitions
WORKDIR /opt/src/wireshark
RUN sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-pkcs1.c && \
sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-tls-utils.c && \
sed -i "s/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");\nQSC_SIGS/g" epan/dissectors/packet-pkcs1.c && \
sed -i "s/ { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\// { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\/\nQSC_KEMS/g" epan/dissectors/packet-tls-utils.c && \
sed -i "s/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,\nQSC_SIG_CPS/g" epan/dissectors/packet-tls-utils.c

# Build and install Wireshark
WORKDIR /opt/build/wireshark
RUN cmake -G Ninja /opt/src/wireshark \
-D QT5=OFF \
-D QT6=ON \
-D CMAKE_BUILD_TYPE=Release \
-D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/wireshark \
-D CMAKE_PREFIX_PATH="${INSTALLDIR}/openssl;${INSTALLDIR}/liboqs" \
-D CMAKE_INSTALL_RPATH="${INSTALLDIR}/openssl/lib:${INSTALLDIR}/liboqs/lib" && \
ninja -j$(nproc) && ninja install

# Test integration of OQS provider with OpenSSL
WORKDIR /opt/src/oqs-provider
ENV OPENSSL_CONF=${INSTALLDIR}/ssl/openssl.cnf
ENV OPENSSL_MODULES=${INSTALLDIR}/openssl/lib/ossl-modules
RUN mkdir -p _build
RUN ./scripts/runtests.sh -j$(nproc)

# Stage 2: Minimal runtime image
FROM ubuntu:${UBUNTU_VERSION} AS runtime

ENV DEBIAN_FRONTEND=noninteractive
ARG INSTALLDIR

# Install necessary runtime dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
libc-ares2 pcaputils libssh-4 libgcrypt20 \
libglib2.0-0 libpcap0.8 libspeexdsp1 zlib1g \
libqt6core6 libqt6gui6 libqt6widgets6 libqt6printsupport6 \
libqt6core5compat6 libqt6dbus6 libqt6multimedia6 libgpg-error0 && \
apt-get clean && rm -rf /var/lib/apt/lists/*

ENV PATH="${INSTALLDIR}/wireshark/bin:${INSTALLDIR}/openssl/bin:${PATH}"
ENV OPENSSL_CONF=${INSTALLDIR}/ssl/openssl.cnf
ENV OPENSSL_MODULES=${INSTALLDIR}/openssl/lib/ossl-modules

# Copy essential files from build stage
COPY --from=build ${INSTALLDIR}/wireshark ${INSTALLDIR}/wireshark
COPY --from=build ${INSTALLDIR}/openssl ${INSTALLDIR}/openssl
COPY --from=build ${INSTALLDIR}/liboqs ${INSTALLDIR}/liboqs
COPY --from=build ${INSTALLDIR}/ssl ${INSTALLDIR}/ssl

CMD ["wireshark"]
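
Review bot: The "Download sources" step in the build stage pins nothing and verifies nothing. `git clone --depth 1` takes whatever is at the head of liboqs and oqs-provider, OpenSSL comes from `--branch master`, and the Wireshark tarball is fetched with `wget` and unpacked without a checksum or signature check, so two builds of this Dockerfile can yield different binaries and a changed upstream or download goes unnoticed. Suggest one ARG per repository holding a release tag or commit (passed via `--branch <tag>`) and comparing the tarball against a known SHA-256 before `tar -xf`; `pip install -r requirements.txt` could likewise use `--require-hashes` once requirements.txt carries hashes. Two smaller points: the runtime stage has no `USER` line, so `CMD ["wireshark"]` runs as root, and `./scripts/runtests.sh` runs only after the Wireshark build, so a broken provider is detected after the longest step has already completed.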
93 changes: 79 additions & 14 deletions wireshark/README.md
@@ -1,26 +1,91 @@
This directory contains a Dockerfile that builds wireshark that is patched to understand the OIDs and codepoints in TLS 1.3 that are supported by OQS-OpenSSL.
This project provides a Docker image to build [Wireshark](https://www.wireshark.org/) with quantum-safe cryptography
support through the [Open Quantum Safe (OQS) provider](https://github.com/open-quantum-safe/oqs-provider). This Docker
image allows Wireshark to analyze network traffic encrypted with post-quantum cryptographic protocols.

## Quick start
## Table of Contents

1) Be sure to have [docker installed](https://docs.docker.com/install).
2) Run `docker build -t openquantumsafe/wireshark .` to create an QSC-enabled (codepoint and OID aware) wireshark docker image.
1. [System Requirements](#system-requirements)
2. [Quick Start Guide](#quick-start-guide)
3. [Project Components](#project-components)
4. [Running Wireshark with OQS](#running-wireshark-with-oqs)
- [Explanation of Docker Options](#explanation-of-docker-options)
5. [Testing Quantum-Safe Protocols](#testing-quantum-safe-protocols)
6[Build Configuration and Updates](#build-configuration-and-updates)

## Usage
## System Requirements

Information how to use the image is [available in the separate file USAGE.md](USAGE.md).
- **Docker**: Ensure [Docker](https://docs.docker.com/get-docker/) is installed and running on your system.
- **X-Window System (for GUI Display)**:
- **Linux**: Run `xhost +si:localuser:$USER` to allow Docker to access the display.
- **Windows/macOS**: Install an X server such as [VcXsrv](https://sourceforge.net/projects/vcxsrv/) (Windows)
or [XQuartz](https://www.xquartz.org/) (macOS) and start it, ensuring to **disable access control** and **disable
native OpenGL**.

## Build options
## Quick Start Guide

The Dockerfile provided allows for customization of the image built:
```bash
git clone https://github.com/open-quantum-safe/oqs-demos
cd oqs-demos/wireshark
docker build -t wireshark-oqs .
docker run --rm -it --net=host -e DISPLAY=<your_host_ip>:<your_display_port> -v /tmp/.X11-unix:/tmp/.X11-unix wireshark-oqs
```

### WIRESHARK_VERSION
Replace `<your_host_ip>` with your IP address (e.g., `192.168.x.x`) and `<your_display_port>` with your display port,
typically `:0`.

This permits changing the wireshark code base to be used.
## Project Components

Tested default value is "3.4.9".
1. **Dockerfile**: Builds Wireshark with OpenSSL, liboqs, and OQS provider.
2. **generate_qsc_header.py**: Processes `oqs-provider/oqs-template/generate.yml` with the `qsc_template.jinja2` to generate `qsc.h`,
defining post-quantum KEMs and SIGs for Wireshark.

### QSC_SSL_FLAVOR
## Running Wireshark

Different quantum-safe TLS implementations have different names for the same algorithms. This option permits switching between them. Permitted values are "oqs" and "wolfssl".
You can run the Wireshark Docker container on Linux, Windows, or macOS using the following command:

Default is "oqs".
```bash
docker run --rm -it --net=host -e DISPLAY=<your_host_ip>:<your_display_port> -v /tmp/.X11-unix:/tmp/.X11-unix wireshark-oqs
```
Replace `<your_host_ip>` with your IP address (e.g., `192.168.x.x`) and `<your_display_port>` with your display port,
typically `:0`.

### Explanation of Docker Options

- `--net=host`: Shares the host network with the container.
- `-e DISPLAY`: Sets the display variable for GUI.
- `-v /tmp/.X11-unix:/tmp/.X11-unix`: Mounts the X11 Unix socket for GUI access.

## Testing Quantum-Safe Protocols

Once Wireshark is running, you can capture and filter quantum-safe cryptographic traffic.
At https://test.openquantumsafe.org, most quantum-safe algorithms from the NIST PQC competition are available for TLS
testing. As a client, we recommend using an OQS-enabled curl Docker image for a quick test.

1. **Filter by Quantum-Safe Protocols**: Use the following Wireshark display filter:
```plaintext
tls && ip.addr == <test.openquantumsafe.org IP>
```
Replace `<test.openquantumsafe.org IP>` with the IP address of `test.openquantumsafe.org`.

2. **Test Quantum-Safe Connections**:
```bash
docker run -it openquantumsafe/curl sh -c "curl -k https://test.openquantumsafe.org:6069 --curves kyber1024"
```
You can replace the port (e.g., `6069`) and the algorithm (e.g., `kyber1024`) in the command with the corresponding
values from the [Open Quantum Safe test page](https://test.openquantumsafe.org/).

## Build Configuration and Updates

Customize the build using the following Dockerfile arguments:

- **`UBUNTU_VERSION`**: Specifies the Ubuntu version (default: latest stable).
- **`WIRESHARK_VERSION`**: Defines the Wireshark version to build.
- **`INSTALLDIR`**: Sets the installation path for OQS libraries (default: `/opt/oqs`).

Use `--build-arg ARG_NAME=value` in the `docker build` command to adjust these values.

To keep the build up-to-date, the `Dockerfile` and `generate_qsc_header.py` are designed for easy updates:

- Update the Ubuntu and Wireshark versions by modifying the `UBUNTU_VERSION` and `WIRESHARK_VERSION` arguments.
- The `generate_qsc_header.py` script automatically fetches new OQS algorithms, ensuring the latest definitions are
included.
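
Review bot: The Windows/macOS entry under System Requirements tells the reader to start the X server with access control disabled, and the run command pairs that with `--net=host` and `DISPLAY=<your_host_ip>:<your_display_port>`; with access control off, the X server accepts any client that can reach it, not only this container. Suggest stating that and recommending that access be limited to the host's own address, in the spirit of the Linux entry's `xhost +si:localuser:$USER`. Further points in this hunk: the TOC entry `6[Build Configuration and Updates]` is missing its `. `, the TOC links to `#running-wireshark-with-oqs` while the heading is `## Running Wireshark`, `UBUNTU_VERSION` is documented as "default: latest stable" although the Dockerfile sets `ARG UBUNTU_VERSION=24.04`, and the test command uses `curl -k` without a sentence on why certificate verification is skipped.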
43 changes: 0 additions & 43 deletions wireshark/USAGE.md

This file was deleted.
