Comprehensive Overhaul of Wireshark Integration

- Upgrade Ubuntu to version 24.04. - Upgrade Wireshark to version 4.4.1. - Integrate OpenSSL 3 with liboqs and the OQS provider. - Automate the generation of `qsc.h` using `generate_qsc_header.py`. - Organize the build with dedicated directories for sources, builds, and installations. - Migrate from Qt5 to Qt6 for improved compatibility. - Update `README.md` and remove `USAGE.md`. Signed-off-by: Khalid <[email protected]> Update README Signed-off-by: Khalid <[email protected]> Refactor qsc.h generation using Jinja2 template Signed-off-by: Khalid <[email protected]> Update README.md remove branch
open-quantum-safe · Nov 14, 2024 · 8d45f25 · 8d45f25
1 parent 22966f6
commit 8d45f25
Show file tree

Hide file tree

Showing 8 changed files with 285 additions and 225 deletions.
diff --git a/wireshark/Dockerfile b/wireshark/Dockerfile
@@ -1,75 +1,144 @@
-# Define the wireshark version to be baked in.
-ARG WIRESHARK_VERSION=3.4.9
+# This Dockerfile builds a Wireshark image with Open Quantum Safe (OQS) support.
+# By integrating OQS, the resulting Wireshark build is capable of
+# analyzing and handling post-quantum cryptographic protocols.
 
-# Define the SSL naming convention: One of "wolfssl" and "oqs"
-ARG QSC_SSL_FLAVOR="oqs"
+ARG UBUNTU_VERSION=24.04
+ARG WIRESHARK_VERSION=4.4.1
+ARG INSTALLDIR=/opt/oqs
 
-FROM ubuntu as intermediate
-ENV DEBIAN_FRONTEND noninteractive
+# Stage 1: Building stage
+FROM ubuntu:${UBUNTU_VERSION} AS build
 
+ENV DEBIAN_FRONTEND=noninteractive
 ARG WIRESHARK_VERSION
-ARG QSC_SSL_FLAVOR
-
-RUN apt update && apt upgrade -y
-
-# Get all software packages required for building wireshark:
-RUN apt install -y gcc g++ \
-            libtool \
-            automake \
-            autoconf \
-            cmake \
-            ninja-build \
-            git \
-            curl \
-            perl \
-            flex \
-            bison \
-            2to3 python2-minimal python2 dh-python python-is-python3 \
-            python3 \
-            libssl-dev \
-            libgcrypt-dev \
-            libpcap-dev \
-            libc-ares-dev \
-            qtbase5-dev qttools5-dev-tools qttools5-dev qtmultimedia5-dev \
-            wget \
-            libssh-dev
-
-# Get the source and unpack it.
-WORKDIR /tmp
-RUN curl --output wireshark-${WIRESHARK_VERSION}.tar.xz https://2.na.dl.wireshark.org/src/all-versions/wireshark-${WIRESHARK_VERSION}.tar.xz && tar xmvf wireshark-${WIRESHARK_VERSION}.tar.xz
-
-WORKDIR /tmp/wireshark-${WIRESHARK_VERSION} 
-
-COPY wolfssl-qsc.h wolfssl-qsc.h
-
-# Decide on QSC naming/ID mapping
-RUN if [ "x$QSC_SSL_FLAVOR" = "xoqs" ] ; then \
-   wget https://raw.githubusercontent.com/open-quantum-safe/openssl/OQS-OpenSSL_1_1_1-stable/qsc.h; \
-elif [ "x$QSC_SSL_FLAVOR" = "xwolfssl" ]; then \
-   mv wolfssl-qsc.h qsc.h; \
-else \
-   echo "Unknown naming convention in QSC_SSL_FLAVOR ($QSC_SSL_FLAVOR). Exiting."; \
-   exit 1; \
-fi
-
-# Patch QSC-specific ids into wireshark code base
-RUN cp qsc.h epan/dissectors && \
-   sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-pkcs1.c && \
-   sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-tls-utils.c && \
-   sed -i "s/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");\nQSC_SIGS/g" epan/dissectors/packet-pkcs1.c && \
-   sed -i "s/    { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\//    { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\/\nQSC_KEMS/g" epan/dissectors/packet-tls-utils.c && \
-   sed -i "s/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,\nQSC_SIG_CPS/g" epan/dissectors/packet-tls-utils.c
-
-# Build wireshark
-RUN mkdir -p build && cd build && cmake -GNinja -DCMAKE_INSTALL_PREFIX=/opt/wireshark .. && ninja && ninja install
-
-FROM ubuntu
-ENV DEBIAN_FRONTEND noninteractive
-
-RUN apt update && apt upgrade -y && apt install -y qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools libc-ares2 libqt5multimedia5 pcaputils libssh-dev
-
-# Only retain the ${INSTALLDIR} contents in the final image
-COPY --from=intermediate /opt/wireshark /opt/wireshark
-
-
-CMD /opt/wireshark/bin/wireshark
+ARG INSTALLDIR
+
+# Install essential build dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    build-essential libtool automake autoconf cmake ninja-build \
+    openssl libssl-dev git wget ca-certificates  \
+    python3 python3-pip python3-venv && \
+    apt-get clean && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /opt
+# Set up isolated directories
+# src for source files, build for compiling, and install for final binaries
+RUN mkdir -p src/liboqs src/openssl src/oqs-provider src/wireshark \
+    build/liboqs build/openssl build/oqs-provider build/wireshark \
+    ${INSTALLDIR}/lib ${INSTALLDIR}/bin ${INSTALLDIR}/ssl
+
+# Download sources
+WORKDIR /opt/src
+RUN git clone --depth 1 https://github.com/open-quantum-safe/liboqs.git liboqs && \
+    git clone --depth 1 https://github.com/openssl/openssl.git openssl && \
+    git clone --depth 1 https://github.com/open-quantum-safe/oqs-provider.git oqs-provider && \
+    wget -O wireshark.tar.xz https://www.wireshark.org/download/src/all-versions/wireshark-${WIRESHARK_VERSION}.tar.xz && \
+    tar -xf wireshark.tar.xz --strip-components=1 -C wireshark && \
+    rm wireshark.tar.xz
+
+# Build and install liboqs
+WORKDIR /opt/build/liboqs
+RUN cmake -G Ninja /opt/src/liboqs \
+    -D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/liboqs \
+    -D BUILD_SHARED_LIBS=ON \
+    -D OQS_USE_OPENSSL=OFF \
+    -D CMAKE_INSTALL_RPATH="${INSTALLDIR}/liboqs/lib" && \
+    ninja -j$(nproc) && ninja install
+
+# Build OpenSSL integrated with liboqs
+WORKDIR /opt/build/openssl
+RUN LDFLAGS="-Wl,-rpath,${INSTALLDIR}/liboqs/lib" \
+    /opt/src/openssl/config \
+        --prefix=${INSTALLDIR}/openssl \
+        --openssldir=${INSTALLDIR}/ssl \
+        shared && \
+    make -j$(nproc) && \
+    make install_sw install_ssldirs
+
+# Build OQS provider for OpenSSL integration
+WORKDIR /opt/build/oqs-provider
+RUN cmake -G Ninja \
+    -D OPENSSL_ROOT_DIR=${INSTALLDIR}/openssl \
+    -D CMAKE_PREFIX_PATH="${INSTALLDIR}/openssl;${INSTALLDIR}/liboqs" \
+    -D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/oqs-provider \
+    -D CMAKE_INSTALL_RPATH="${INSTALLDIR}/openssl/lib:${INSTALLDIR}/liboqs/lib" \
+    /opt/src/oqs-provider && \
+    ninja -j$(nproc) && \
+    mkdir -p ${INSTALLDIR}/openssl/lib/ossl-modules && \
+    cp /opt/build/oqs-provider/lib/oqsprovider.so ${INSTALLDIR}/openssl/lib/ossl-modules
+
+# Set up OpenSSL to load the OQS provider
+RUN CONFIG_FILE="${INSTALLDIR}/ssl/openssl.cnf" && \
+    sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" "$CONFIG_FILE" && \
+    sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" "$CONFIG_FILE"
+
+# Using a script from Wireshark to install required build dependencies
+WORKDIR /opt/src/wireshark
+RUN ./tools/debian-setup.sh -y
+
+# Generate `qsc.h`
+WORKDIR ${INSTALLDIR}
+RUN cp /opt/src/oqs-provider/oqs-template/generate.yml ${INSTALLDIR}
+COPY generate_qsc_header.py ${INSTALLDIR}
+COPY qsc_template.jinja2 ${INSTALLDIR}
+COPY requirements.txt ${INSTALLDIR}
+
+RUN python3 -m venv ${INSTALLDIR}/venv && \
+    . ${INSTALLDIR}/venv/bin/activate && \
+    pip install -r requirements.txt && \
+    python ${INSTALLDIR}/generate_qsc_header.py && \
+    deactivate
+
+RUN cp ${INSTALLDIR}/qsc.h /opt/src/wireshark/epan/dissectors/
+
+# Modify Wireshark source files for post-quantum definitions
+WORKDIR /opt/src/wireshark
+RUN sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-pkcs1.c && \
+    sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-tls-utils.c && \
+    sed -i "s/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");\nQSC_SIGS/g" epan/dissectors/packet-pkcs1.c && \
+    sed -i "s/    { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\//    { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\/\nQSC_KEMS/g" epan/dissectors/packet-tls-utils.c && \
+    sed -i "s/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,\nQSC_SIG_CPS/g" epan/dissectors/packet-tls-utils.c
+
+# Build and install Wireshark
+WORKDIR /opt/build/wireshark
+RUN cmake -G Ninja /opt/src/wireshark \
+    -D QT5=OFF \
+    -D QT6=ON \
+    -D CMAKE_BUILD_TYPE=Release \
+    -D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/wireshark \
+    -D CMAKE_PREFIX_PATH="${INSTALLDIR}/openssl;${INSTALLDIR}/liboqs" \
+    -D CMAKE_INSTALL_RPATH="${INSTALLDIR}/openssl/lib:${INSTALLDIR}/liboqs/lib" && \
+    ninja -j$(nproc) && ninja install
+
+# Test integration of OQS provider with OpenSSL
+WORKDIR /opt/src/oqs-provider
+ENV OPENSSL_CONF=${INSTALLDIR}/ssl/openssl.cnf
+ENV OPENSSL_MODULES=${INSTALLDIR}/openssl/lib/ossl-modules
+RUN mkdir -p _build
+RUN ./scripts/runtests.sh -j$(nproc)
+
+# Stage 2: Minimal runtime image
+FROM ubuntu:${UBUNTU_VERSION} AS runtime
+
+ENV DEBIAN_FRONTEND=noninteractive
+ARG INSTALLDIR
+
+# Install necessary runtime dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    libc-ares2 pcaputils libssh-4 libgcrypt20 \
+    libglib2.0-0 libpcap0.8 libspeexdsp1 zlib1g \
+    libqt6core6 libqt6gui6 libqt6widgets6 libqt6printsupport6 \
+    libqt6core5compat6 libqt6dbus6 libqt6multimedia6 libgpg-error0 && \
+    apt-get clean && rm -rf /var/lib/apt/lists/*
+
+ENV PATH="${INSTALLDIR}/wireshark/bin:${INSTALLDIR}/openssl/bin:${PATH}"
+ENV OPENSSL_CONF=${INSTALLDIR}/ssl/openssl.cnf
+ENV OPENSSL_MODULES=${INSTALLDIR}/openssl/lib/ossl-modules
+
+# Copy essential files from build stage
+COPY --from=build ${INSTALLDIR}/wireshark ${INSTALLDIR}/wireshark
+COPY --from=build ${INSTALLDIR}/openssl ${INSTALLDIR}/openssl
+COPY --from=build ${INSTALLDIR}/liboqs ${INSTALLDIR}/liboqs
+COPY --from=build ${INSTALLDIR}/ssl ${INSTALLDIR}/ssl
+
+CMD ["wireshark"]
diff --git a/wireshark/README.md b/wireshark/README.md
@@ -1,26 +1,91 @@
-This directory contains a Dockerfile that builds wireshark that is patched to understand the OIDs and codepoints in TLS 1.3 that are supported by OQS-OpenSSL.
+This project provides a Docker image to build [Wireshark](https://www.wireshark.org/) with quantum-safe cryptography
+support through the [Open Quantum Safe (OQS) provider](https://github.com/open-quantum-safe/oqs-provider). This Docker
+image allows Wireshark to analyze network traffic encrypted with post-quantum cryptographic protocols.
 
-## Quick start
+## Table of Contents
 
-1) Be sure to have [docker installed](https://docs.docker.com/install).
-2) Run `docker build -t openquantumsafe/wireshark .` to create an QSC-enabled (codepoint and OID aware) wireshark docker image.
+1. [System Requirements](#system-requirements)
+2. [Quick Start Guide](#quick-start-guide)
+3. [Project Components](#project-components)
+4. [Running Wireshark with OQS](#running-wireshark-with-oqs)
+    - [Explanation of Docker Options](#explanation-of-docker-options)
+5. [Testing Quantum-Safe Protocols](#testing-quantum-safe-protocols)
+6[Build Configuration and Updates](#build-configuration-and-updates)
 
-## Usage
+## System Requirements
 
-Information how to use the image is [available in the separate file USAGE.md](USAGE.md).
+- **Docker**: Ensure [Docker](https://docs.docker.com/get-docker/) is installed and running on your system.
+- **X-Window System (for GUI Display)**:
+    - **Linux**: Run `xhost +si:localuser:$USER` to allow Docker to access the display.
+    - **Windows/macOS**: Install an X server such as [VcXsrv](https://sourceforge.net/projects/vcxsrv/) (Windows)
+      or [XQuartz](https://www.xquartz.org/) (macOS) and start it, ensuring to **disable access control** and **disable
+      native OpenGL**.
 
-## Build options
+## Quick Start Guide
 
-The Dockerfile provided allows for customization of the image built:
+```bash
+git clone https://github.com/open-quantum-safe/oqs-demos
+cd oqs-demos/wireshark
+docker build -t wireshark-oqs .
+docker run --rm -it --net=host -e DISPLAY=<your_host_ip>:<your_display_port> -v /tmp/.X11-unix:/tmp/.X11-unix wireshark-oqs
+```
 
-### WIRESHARK_VERSION
+Replace `<your_host_ip>` with your IP address (e.g., `192.168.x.x`) and `<your_display_port>` with your display port,
+typically `:0`.
 
-This permits changing the wireshark code base to be used. 
+## Project Components
 
-Tested default value is "3.4.9".
+1. **Dockerfile**: Builds Wireshark with OpenSSL, liboqs, and OQS provider.
+2. **generate_qsc_header.py**: Processes `oqs-provider/oqs-template/generate.yml` with the `qsc_template.jinja2` to generate `qsc.h`,
+defining post-quantum KEMs and SIGs for Wireshark.
 
-### QSC_SSL_FLAVOR
+## Running Wireshark
 
-Different quantum-safe TLS implementations have different names for the same algorithms. This option permits switching between them. Permitted values are "oqs" and "wolfssl".
+You can run the Wireshark Docker container on Linux, Windows, or macOS using the following command:
 
-Default is "oqs".
+  ```bash
+  docker run --rm -it --net=host -e DISPLAY=<your_host_ip>:<your_display_port> -v /tmp/.X11-unix:/tmp/.X11-unix wireshark-oqs
+  ```
+  Replace `<your_host_ip>` with your IP address (e.g., `192.168.x.x`) and `<your_display_port>` with your display port,
+  typically `:0`.
+
+### Explanation of Docker Options
+
+- `--net=host`: Shares the host network with the container.
+- `-e DISPLAY`: Sets the display variable for GUI.
+- `-v /tmp/.X11-unix:/tmp/.X11-unix`: Mounts the X11 Unix socket for GUI access.
+
+## Testing Quantum-Safe Protocols
+
+Once Wireshark is running, you can capture and filter quantum-safe cryptographic traffic.
+At https://test.openquantumsafe.org, most quantum-safe algorithms from the NIST PQC competition are available for TLS
+testing. As a client, we recommend using an OQS-enabled curl Docker image for a quick test.
+
+1. **Filter by Quantum-Safe Protocols**: Use the following Wireshark display filter:
+   ```plaintext
+   tls && ip.addr == <test.openquantumsafe.org IP>
+   ```
+   Replace `<test.openquantumsafe.org IP>` with the IP address of `test.openquantumsafe.org`.
+
+2. **Test Quantum-Safe Connections**:
+   ```bash
+   docker run -it openquantumsafe/curl sh -c "curl -k https://test.openquantumsafe.org:6069 --curves kyber1024"
+   ```
+   You can replace the port (e.g., `6069`) and the algorithm (e.g., `kyber1024`) in the command with the corresponding
+   values from the [Open Quantum Safe test page](https://test.openquantumsafe.org/).
+
+## Build Configuration and Updates
+
+Customize the build using the following Dockerfile arguments:
+
+- **`UBUNTU_VERSION`**: Specifies the Ubuntu version (default: latest stable).
+- **`WIRESHARK_VERSION`**: Defines the Wireshark version to build.
+- **`INSTALLDIR`**: Sets the installation path for OQS libraries (default: `/opt/oqs`).
+
+Use `--build-arg ARG_NAME=value` in the `docker build` command to adjust these values.
+
+To keep the build up-to-date, the `Dockerfile` and `generate_qsc_header.py` are designed for easy updates:
+
+- Update the Ubuntu and Wireshark versions by modifying the `UBUNTU_VERSION` and `WIRESHARK_VERSION` arguments.
+- The `generate_qsc_header.py` script automatically fetches new OQS algorithms, ensuring the latest definitions are
+  included.
diff --git a/wireshark/USAGE.md b/wireshark/USAGE.md