analyzer: make http3/quic handling more reliable

2026-02-11 16:11:12 +05:30
parent fc38d0fa9d
commit 5fda34a476
2 changed files with 114 additions and 22 deletions
--- a/analyzer/udp/internal/quic/payload.go
+++ b/analyzer/udp/internal/quic/payload.go
@@ -12,6 +12,16 @@ import (
 	"golang.org/x/crypto/hkdf"
 )

+var defaultPNMaxGuesses = []int64{
+	0, 1, 2, 3, 4, 8, 16, 32, 64, 128, 256, 512, 1024, 2048, 4096,
+}
+
+type ReadCryptoFramesOptions struct {
+	AdditionalConnectionIDs [][]byte
+	TryServerSecret         bool
+	PacketNumberMaxGuesses  []int64
+}
+
 func ReadCryptoPayload(packet []byte) ([]byte, error) {
 	frs, err := ReadCryptoFrames(packet)
 	if err != nil {
@@ -26,6 +36,11 @@ func ReadCryptoPayload(packet []byte) ([]byte, error) {

 // ReadCryptoFrames decrypts a QUIC Initial client packet and returns CRYPTO frames.
 func ReadCryptoFrames(packet []byte) ([]CryptoFrame, error) {
+	return ReadCryptoFramesWithOptions(packet, nil)
+}
+
+// ReadCryptoFramesWithOptions decrypts a QUIC Initial packet and returns CRYPTO frames.
+func ReadCryptoFramesWithOptions(packet []byte, opts *ReadCryptoFramesOptions) ([]CryptoFrame, error) {
 	hdr, offset, err := ParseInitialHeader(packet)
 	if err != nil {
 		return nil, err
@@ -38,13 +53,6 @@ func ReadCryptoFrames(packet []byte) ([]CryptoFrame, error) {
 		return nil, errors.New("invalid packet")
 	}

-	initialSecret := hkdf.Extract(crypto.SHA256.New, hdr.DestConnectionID, getSalt(hdr.Version))
-	clientSecret := hkdfExpandLabel(crypto.SHA256.New, initialSecret, "client in", []byte{}, crypto.SHA256.Size())
-	key, err := NewInitialProtectionKey(clientSecret, hdr.Version)
-	if err != nil {
-		return nil, fmt.Errorf("NewInitialProtectionKey: %w", err)
-	}
-	pp := NewPacketProtector(key)
 	// https://datatracker.ietf.org/doc/html/draft-ietf-quic-tls-32#name-client-initial
 	//
 	// "The unprotected header includes the connection ID and a 4-byte packet number encoding for a packet number of 2"
@@ -52,21 +60,49 @@ func ReadCryptoFrames(packet []byte) ([]CryptoFrame, error) {
 		return nil, fmt.Errorf("packet is too short: %d < %d", len(packet), offset+hdr.Length)
 	}
 	packetView := packet[:offset+hdr.Length]
-	pnMaxGuesses := []int64{0, 1, 2, 3, 4, 8, 16}
+
+	candidateConnIDs := [][]byte{hdr.DestConnectionID}
+	if opts != nil {
+		candidateConnIDs = append(candidateConnIDs, opts.AdditionalConnectionIDs...)
+	}
+	candidateConnIDs = uniqueNonEmptyConnectionIDs(candidateConnIDs)
+
+	pnMaxGuesses := defaultPNMaxGuesses
+	if opts != nil && len(opts.PacketNumberMaxGuesses) > 0 {
+		pnMaxGuesses = opts.PacketNumberMaxGuesses
+	}
+
+	labels := []string{"client in"}
+	if opts != nil && opts.TryServerSecret {
+		labels = append(labels, "server in")
+	}
+
 	var lastErr error
-	for _, pnMax := range pnMaxGuesses {
-		packetCopy := append([]byte(nil), packetView...)
-		unProtectedPayload, err := pp.UnProtect(packetCopy, offset, pnMax)
-		if err != nil {
-			lastErr = err
-			continue
+	for _, connID := range candidateConnIDs {
+		initialSecret := hkdf.Extract(crypto.SHA256.New, connID, getSalt(hdr.Version))
+		for _, label := range labels {
+			secret := hkdfExpandLabel(crypto.SHA256.New, initialSecret, label, []byte{}, crypto.SHA256.Size())
+			key, err := NewInitialProtectionKey(secret, hdr.Version)
+			if err != nil {
+				lastErr = fmt.Errorf("NewInitialProtectionKey: %w", err)
+				continue
+			}
+			pp := NewPacketProtector(key)
+			for _, pnMax := range pnMaxGuesses {
+				packetCopy := append([]byte(nil), packetView...)
+				unProtectedPayload, err := pp.UnProtect(packetCopy, offset, pnMax)
+				if err != nil {
+					lastErr = err
+					continue
+				}
+				frs, err := extractCryptoFrames(bytes.NewReader(unProtectedPayload))
+				if err != nil {
+					lastErr = err
+					continue
+				}
+				return frs, nil
+			}
 		}
-		frs, err := extractCryptoFrames(bytes.NewReader(unProtectedPayload))
-		if err != nil {
-			lastErr = err
-			continue
-		}
-		return frs, nil
 	}
 	if lastErr != nil {
 		return nil, lastErr
@@ -301,6 +337,23 @@ func skipN(r *bytes.Reader, n uint64) error {
 	return err
 }

+func uniqueNonEmptyConnectionIDs(ids [][]byte) [][]byte {
+	out := make([][]byte, 0, len(ids))
+	seen := make(map[string]struct{}, len(ids))
+	for _, id := range ids {
+		if len(id) == 0 {
+			continue
+		}
+		k := string(id)
+		if _, ok := seen[k]; ok {
+			continue
+		}
+		seen[k] = struct{}{}
+		out = append(out, append([]byte(nil), id...))
+	}
+	return out
+}
+
 // assembleCryptoFrames assembles multiple crypto frames into a single slice (if possible).
 // It returns an error if the frames cannot be assembled. This can happen if the frames are not contiguous.
 func assembleCryptoFrames(frames []CryptoFrame) []byte {