WebSocket: add permessage-deflate extension support

Bug: 14054
Change-Id: Ib6fbb58cab4d9eb140c0911391a9c330a036cfd1
Reviewed-on: https://code.wireshark.org/review/23515
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>

epan/dissectors/packet-http.c

@@ -2444,17 +2444,18 @@ typedef struct {
 	int		special;
 } header_info;
 
-#define HDR_NO_SPECIAL		0
-#define HDR_AUTHORIZATION	1
-#define HDR_AUTHENTICATE	2
-#define HDR_CONTENT_TYPE	3
-#define HDR_CONTENT_LENGTH	4
-#define HDR_CONTENT_ENCODING	5
-#define HDR_TRANSFER_ENCODING	6
-#define HDR_HOST		7
-#define HDR_UPGRADE		8
-#define HDR_COOKIE		9
-#define HDR_WEBSOCKET_PROTOCOL	10
+#define HDR_NO_SPECIAL			0
+#define HDR_AUTHORIZATION		1
+#define HDR_AUTHENTICATE		2
+#define HDR_CONTENT_TYPE		3
+#define HDR_CONTENT_LENGTH		4
+#define HDR_CONTENT_ENCODING		5
+#define HDR_TRANSFER_ENCODING		6
+#define HDR_HOST			7
+#define HDR_UPGRADE			8
+#define HDR_COOKIE			9
+#define HDR_WEBSOCKET_PROTOCOL		10
+#define HDR_WEBSOCKET_EXTENSIONS	11
 
 static const header_info headers[] = {
 	{ "Authorization", &hf_http_authorization, HDR_AUTHORIZATION },
@@ -2479,7 +2480,7 @@ static const header_info headers[] = {
 	{ "Server", &hf_http_server, HDR_NO_SPECIAL },
 	{ "Location", &hf_http_location, HDR_NO_SPECIAL },
 	{ "Sec-WebSocket-Accept", &hf_http_sec_websocket_accept, HDR_NO_SPECIAL },
-	{ "Sec-WebSocket-Extensions", &hf_http_sec_websocket_extensions, HDR_NO_SPECIAL },
+	{ "Sec-WebSocket-Extensions", &hf_http_sec_websocket_extensions, HDR_WEBSOCKET_EXTENSIONS },
 	{ "Sec-WebSocket-Key", &hf_http_sec_websocket_key, HDR_NO_SPECIAL },
 	{ "Sec-WebSocket-Protocol", &hf_http_sec_websocket_protocol, HDR_WEBSOCKET_PROTOCOL },
 	{ "Sec-WebSocket-Version", &hf_http_sec_websocket_version, HDR_NO_SPECIAL },
@@ -2932,6 +2933,11 @@ process_header(tvbuff_t *tvb, int offset, int next_offset,
 			}
 			break;
 
+		case HDR_WEBSOCKET_EXTENSIONS:
+			if (http_type == HTTP_RESPONSE) {
+				conv_data->websocket_extensions = wmem_strndup(wmem_file_scope(), value, value_len);
+			}
+			break;
 		}
 	}
 }

epan/dissectors/packet-http.h

@@ -70,6 +70,7 @@ typedef struct _http_conv_t {
 	guint32  req_res_num;
 	guint8   upgrade;
 	gchar   *websocket_protocol;	/* Negotiated WebSocket protocol */
+	gchar   *websocket_extensions;	/* Negotiated WebSocket extensions */
 	/* Server address and port, known after first server response */
 	guint16 server_port;
 	address server_addr;

epan/dissectors/packet-websocket.c

@@ -25,13 +25,19 @@
 #include "config.h"
 
 #include <epan/conversation.h>
+#include <epan/proto_data.h>
 #include <epan/packet.h>
 #include <epan/expert.h>
 #include <epan/prefs.h>
+#include <wsutil/strtoi.h>
 
 #include "packet-http.h"
 #include "packet-tcp.h"
 
+#ifdef HAVE_ZLIB
+#define ZLIB_CONST
+#include <zlib.h>
+#endif
 
 /*
  * The information used comes from:
@@ -52,6 +58,27 @@ static dissector_handle_t sip_handle;
 #define WEBSOCKET_SIP 3
 
 static gint  pref_text_type             = WEBSOCKET_NONE;
+static gboolean pref_decompress         = TRUE;
+
+typedef struct {
+  const char   *subprotocol;
+  guint16       server_port;
+  gboolean      permessage_deflate;
+#ifdef HAVE_ZLIB
+  gboolean      permessage_deflate_ok;
+  gint8         server_wbits;
+  gint8         client_wbits;
+  z_streamp     server_take_over_context;
+  z_streamp     client_take_over_context;
+#endif
+} websocket_conv_t;
+
+#ifdef HAVE_ZLIB
+typedef struct {
+  guint8 *decompr_payload;
+  guint decompr_len;
+} websocket_packet_t;
+#endif
 
 /* Initialize the protocol and registered fields */
 static int proto_websocket = -1;
@@ -59,6 +86,7 @@ static int proto_http = -1;
 
 static int hf_ws_fin = -1;
 static int hf_ws_reserved = -1;
+static int hf_ws_pmc = -1;
 static int hf_ws_opcode = -1;
 static int hf_ws_mask = -1;
 static int hf_ws_payload_length = -1;
@@ -81,6 +109,7 @@ static gint ett_ws_mask = -1;
 static gint ett_ws_control_close = -1;
 
 static expert_field ei_ws_payload_unknown = EI_INIT;
+static expert_field ei_ws_decompression_failed = EI_INIT;
 
 #define WS_CONTINUE 0x0
 #define WS_TEXT     0x1
@@ -101,6 +130,7 @@ static const value_string ws_opcode_vals[] = {
 
 #define MASK_WS_FIN 0x80
 #define MASK_WS_RSV 0x70
+#define MASK_WS_RSV1 0x40
 #define MASK_WS_OPCODE 0x0F
 #define MASK_WS_MASK 0x80
 #define MASK_WS_PAYLOAD_LEN 0x7F
@@ -146,6 +176,119 @@ tvb_unmasked(tvbuff_t *tvb, packet_info *pinfo, const guint offset, guint payloa
   return tvb_new_real_data(data_unmask, unmasked_length, payload_length);
 }
 
+#ifdef HAVE_ZLIB
+static gint8
+websocket_extract_wbits(const gchar *str)
+{
+  guint8 wbits;
+  const gchar *end;
+
+  if (str && ws_strtou8(str, &end, &wbits) &&
+      (*end == '\0' || strchr(";\t ", *end))) {
+    if (wbits < 8) {
+      wbits = 8;
+    } else if (wbits > 15) {
+      wbits = 15;
+    }
+  } else {
+    wbits = 15;
+  }
+  return -wbits;
+}
+
+static void *
+websocket_zalloc(void *opaque _U_, unsigned int items, unsigned int size)
+{
+  return wmem_alloc(wmem_file_scope(), items*size);
+}
+
+static void
+websocket_zfree(void *opaque _U_, void *addr)
+{
+  wmem_free(wmem_file_scope(), addr);
+}
+
+static z_streamp
+websocket_init_z_stream_context(gint8 wbits)
+{
+  z_streamp z_strm = wmem_new0(wmem_file_scope(), z_stream);
+
+  z_strm->zalloc = websocket_zalloc;
+  z_strm->zfree = websocket_zfree;
+
+  if (inflateInit2(z_strm, wbits) != Z_OK) {
+    inflateEnd(z_strm);
+    wmem_free(wmem_file_scope(), z_strm);
+    return NULL;
+  }
+  return z_strm;
+}
+
+/*
+ * Decompress the given buffer using the given zlib context. On success, the
+ * (possibly empty) buffer is stored as "proto data" and TRUE is returned.
+ * Otherwise FALSE is returned.
+ */
+static gboolean
+websocket_uncompress(tvbuff_t *tvb, packet_info *pinfo, z_streamp z_strm, tvbuff_t **uncompressed_tvb)
+{
+  /*
+   * Decompression a message: append "0x00 0x00 0xff 0xff" to the end of
+   * message, then apply DEFLATE to the result.
+   * https://tools.ietf.org/html/rfc7692#section-7.2.2
+   */
+  guint8   *decompr_payload = NULL;
+  guint     decompr_len = 0;
+  guint     compr_len, decompr_buf_len;
+  guint8   *compr_payload, *decompr_buf;
+  gint      err;
+
+  compr_len = tvb_captured_length(tvb) + 4;
+  compr_payload = (guint8 *)wmem_alloc(wmem_packet_scope(), compr_len);
+  tvb_memcpy(tvb, compr_payload, 0, compr_len-4);
+  compr_payload[compr_len-4] = compr_payload[compr_len-3] = 0x00;
+  compr_payload[compr_len-2] = compr_payload[compr_len-1] = 0xff;
+  decompr_buf_len = 2*compr_len;
+  decompr_buf = (guint8 *)wmem_alloc(wmem_packet_scope(), decompr_buf_len);
+
+  z_strm->next_in = compr_payload;
+  z_strm->avail_in = compr_len;
+  /* Decompress all available data. */
+  do {
+    z_strm->next_out = decompr_buf;
+    z_strm->avail_out = decompr_buf_len;
+
+    err = inflate(z_strm, Z_SYNC_FLUSH);
+
+    if (err == Z_OK || err == Z_STREAM_END || err == Z_BUF_ERROR) {
+      guint avail_bytes = decompr_buf_len - z_strm->avail_out;
+      if (avail_bytes) {
+        decompr_payload = (guint8 *)wmem_realloc(wmem_file_scope(), decompr_payload,
+                                                 decompr_len + avail_bytes);
+        memcpy(&decompr_payload[decompr_len], decompr_buf, avail_bytes);
+        decompr_len += avail_bytes;
+      }
+    }
+  } while (err == Z_OK);
+
+  if (err == Z_STREAM_END || err == Z_BUF_ERROR) {
+    /* Data was (partially) uncompressed. */
+    websocket_packet_t *pkt_info = wmem_new0(wmem_file_scope(), websocket_packet_t);
+    if (decompr_len > 0) {
+      pkt_info->decompr_payload = decompr_payload;
+      pkt_info->decompr_len = decompr_len;
+      *uncompressed_tvb = tvb_new_real_data(decompr_payload, decompr_len, decompr_len);
+    }
+    p_add_proto_data(wmem_file_scope(), pinfo, proto_websocket, 0, pkt_info);
+    return TRUE;
+  } else {
+    /* decompression failed */
+    wmem_free(wmem_file_scope(), decompr_payload);
+    return FALSE;
+  }
+}
+#endif
+
 static void
 dissect_websocket_control_frame(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 opcode)
 {
@@ -183,28 +326,67 @@ dissect_websocket_control_frame(tvbuff_t *tvb, packet_info *pinfo, proto_tree *t
 }
 
 static void
-dissect_websocket_data_frame(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_tree *pl_tree, guint8 opcode)
+dissect_websocket_data_frame(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_tree *pl_tree, guint8 opcode, websocket_conv_t *websocket_conv, gboolean pmc _U_)
 {
   proto_item         *ti;
-  const guint         offset = 0, length = tvb_reported_length(tvb);
   dissector_handle_t  handle = NULL;
   heur_dtbl_entry_t  *hdtbl_entry;
-  conversation_t     *conv;
-  http_conv_t        *http_conv = NULL;
 
   /* try to find a dissector which accepts the data. */
-  conv = find_conversation(pinfo->num, &pinfo->src, &pinfo->dst, pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
-  if (conv) {
-    http_conv = (http_conv_t *)conversation_get_proto_data(conv, proto_http);
+  if (websocket_conv->subprotocol) {
+    handle = dissector_get_string_handle(protocol_subdissector_table, websocket_conv->subprotocol);
+  } else if (websocket_conv->server_port) {
+    handle = dissector_get_uint_handle(port_subdissector_table, websocket_conv->server_port);
+  }
 
-    if (http_conv) {
-      if (http_conv->websocket_protocol) {
-        handle = dissector_get_string_handle(protocol_subdissector_table, http_conv->websocket_protocol);
-      } else if (!handle) {
-        handle = dissector_get_uint_handle(port_subdissector_table, http_conv->server_port);
+#ifdef HAVE_ZLIB
+  if (websocket_conv && websocket_conv->permessage_deflate_ok && pmc) {
+    tvbuff_t   *uncompressed = NULL;
+    gboolean    uncompress_ok = FALSE;
+
+    if (!PINFO_FD_VISITED(pinfo)) {
+      z_streamp z_strm;
+      gint8 wbits;
+
+      if (pinfo->destport == websocket_conv->server_port) {
+        z_strm = websocket_conv->server_take_over_context;
+        wbits = websocket_conv->server_wbits;
+      } else {
+        z_strm = websocket_conv->client_take_over_context;
+        wbits = websocket_conv->client_wbits;
+      }
+
+      if (z_strm) {
+        uncompress_ok = websocket_uncompress(tvb, pinfo, z_strm, &uncompressed);
+      } else {
+        /* no context take over, initialize a new context */
+        z_strm = wmem_new0(wmem_packet_scope(), z_stream);
+        if (inflateInit2(z_strm, wbits) == Z_OK) {
+          uncompress_ok = websocket_uncompress(tvb, pinfo, z_strm, &uncompressed);
+        }
+        inflateEnd(z_strm);
+      }
+    } else {
+      websocket_packet_t *pkt_info =
+          (websocket_packet_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_websocket, 0);
+      if (pkt_info) {
+        uncompress_ok = TRUE;
+        if (pkt_info->decompr_len > 0) {
+          uncompressed = tvb_new_real_data(pkt_info->decompr_payload, pkt_info->decompr_len, pkt_info->decompr_len);
+        }
       }
     }
+
+    if (!uncompress_ok) {
+      proto_tree_add_expert(tree, pinfo, &ei_ws_decompression_failed, tvb, 0, -1);
+      return;
+    }
+    if (uncompressed) {
+      add_new_data_source(pinfo, uncompressed, "Decompressed payload");
+      tvb = uncompressed;
+    }
   }
+#endif
 
   if (handle) {
     call_dissector_only(handle, tvb, pinfo, tree, NULL);
@@ -243,7 +425,7 @@ dissect_websocket_data_frame(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree
       break;
 
     default: /* Unknown */
-      ti = proto_tree_add_item(pl_tree, hf_ws_payload_unknown, tvb, offset, length, ENC_NA);
+      ti = proto_tree_add_item(pl_tree, hf_ws_payload_unknown, tvb, 0, -1, ENC_NA);
       expert_add_info_format(pinfo, ti, &ei_ws_payload_unknown, "Dissector for Websocket Opcode (%d)"
         " code not implemented, Contact Wireshark developers"
         " if you want this supported", opcode);
@@ -252,7 +434,46 @@ dissect_websocket_data_frame(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree
 }
 
 static void
-dissect_websocket_payload(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_tree *ws_tree, guint8 opcode)
+websocket_parse_extensions(websocket_conv_t *websocket_conv, const char *str)
+{
+  /*
+   * Grammar for the header:
+   *
+   *    Sec-WebSocket-Extensions = extension-list
+   *    extension-list = 1#extension
+   *    extension = extension-token *( ";" extension-param )
+   *    extension-token = registered-token
+   *    registered-token = token
+   *    extension-param = token [ "=" (token | quoted-string) ]
+   */
+
+  /*
+   * RFC 7692 permessage-deflate parsing.
+   */
+
+  websocket_conv->permessage_deflate = !!strstr(str, "permessage-deflate");
+#ifdef HAVE_ZLIB
+  websocket_conv->permessage_deflate_ok = pref_decompress &&
+       websocket_conv->permessage_deflate;
+  if (websocket_conv->permessage_deflate_ok) {
+    websocket_conv->server_wbits =
+        websocket_extract_wbits(strstr(str, "server_max_window_bits="));
+    if (!strstr(str, "server_no_context_takeover")) {
+      websocket_conv->server_take_over_context =
+          websocket_init_z_stream_context(websocket_conv->server_wbits);
+    }
+    websocket_conv->client_wbits =
+        websocket_extract_wbits(strstr(str, "client_max_window_bits="));
+    if (!strstr(str, "client_no_context_takeover")) {
+      websocket_conv->client_take_over_context =
+          websocket_init_z_stream_context(websocket_conv->client_wbits);
+    }
+  }
+#endif
+}
+
+static void
+dissect_websocket_payload(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_tree *ws_tree, guint8 opcode, websocket_conv_t *websocket_conv, gboolean pmc)
 {
   const guint         offset = 0, length = tvb_reported_length(tvb);
   proto_item         *ti;
@@ -282,7 +503,7 @@ dissect_websocket_payload(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, p
   if (opcode & 8) { /* Control frames have MSB set. */
     dissect_websocket_control_frame(tvb_appdata, pinfo, pl_tree, opcode);
   } else {
-    dissect_websocket_data_frame(tvb_appdata, pinfo, tree, pl_tree, opcode);
+    dissect_websocket_data_frame(tvb_appdata, pinfo, tree, pl_tree, opcode, websocket_conv, pmc);
   }
 }
 
@@ -298,6 +519,28 @@ dissect_websocket_frame(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, voi
   proto_tree   *ws_tree;
   const guint8 *masking_key = NULL;
   tvbuff_t     *tvb_payload;
+  conversation_t *conv;
+  websocket_conv_t *websocket_conv;
+  gboolean      pmc = FALSE;
+
+  /*
+   * If this is a new Websocket session, try to parse HTTP Sec-Websocket-*
+   * headers once.
+   */
+  conv = find_or_create_conversation(pinfo);
+  websocket_conv = (websocket_conv_t *)conversation_get_proto_data(conv, proto_websocket);
+  if (!websocket_conv) {
+    websocket_conv = wmem_new0(wmem_file_scope(), websocket_conv_t);
+
+    http_conv_t *http_conv = (http_conv_t *)conversation_get_proto_data(conv, proto_http);
+    if (http_conv) {
+      websocket_conv->subprotocol = http_conv->websocket_protocol;
+      websocket_conv->server_port = http_conv->server_port;
+      websocket_parse_extensions(websocket_conv, http_conv->websocket_extensions);
+    }
+
+    conversation_add_proto_data(conv, proto_websocket, websocket_conv);
+  }
 
   short_length = tvb_get_guint8(tvb, 1) & MASK_WS_PAYLOAD_LEN;
   mask_offset = 2;
@@ -326,6 +569,11 @@ dissect_websocket_frame(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, voi
   proto_tree_add_item(ws_tree, hf_ws_fin, tvb, 0, 1, ENC_NA);
   fin = (tvb_get_guint8(tvb, 0) & MASK_WS_FIN) >> 4;
   proto_tree_add_item(ws_tree, hf_ws_reserved, tvb, 0, 1, ENC_BIG_ENDIAN);
+  if (websocket_conv && websocket_conv->permessage_deflate) {
+    /* RSV1 is Per-Message Compressed bit (RFC 7692). */
+    pmc = !!(tvb_get_guint8(tvb, 0) & MASK_WS_RSV1);
+    proto_tree_add_item(ws_tree, hf_ws_pmc, tvb, 0, 1, ENC_BIG_ENDIAN);
+  }
 
   /* Opcode */
   proto_tree_add_item(ws_tree, hf_ws_opcode, tvb, 0, 1, ENC_BIG_ENDIAN);
@@ -364,7 +612,7 @@ dissect_websocket_frame(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, voi
     } else {
       tvb_payload = tvb_new_subset_length_caplen(tvb, payload_offset, payload_length, payload_length);
     }
-    dissect_websocket_payload(tvb_payload, pinfo, tree, ws_tree, opcode);
+    dissect_websocket_payload(tvb_payload, pinfo, tree, ws_tree, opcode, websocket_conv, pmc);
   }
 
   return tvb_captured_length(tvb);
@@ -428,6 +676,11 @@ proto_register_websocket(void)
       FT_UINT8, BASE_HEX, NULL, MASK_WS_RSV,
       "Must be zero", HFILL }
     },
+    { &hf_ws_pmc,
+      { "Per-Message Compressed", "websocket.pmc",
+      FT_BOOLEAN, 8, NULL, MASK_WS_RSV1,
+      "Whether a message is compressed or not", HFILL }
+    },
     { &hf_ws_opcode,
       { "Opcode", "websocket.opcode",
       FT_UINT8, BASE_DEC, VALS(ws_opcode_vals), MASK_WS_OPCODE,
@@ -514,7 +767,8 @@ proto_register_websocket(void)
   };
 
   static ei_register_info ei[] = {
-     { &ei_ws_payload_unknown, { "websocket.payload.unknown.expert", PI_UNDECODED, PI_NOTE, "Dissector for Websocket Opcode", EXPFILL }},
+    { &ei_ws_payload_unknown, { "websocket.payload.unknown.expert", PI_UNDECODED, PI_NOTE, "Dissector for Websocket Opcode", EXPFILL }},
+    { &ei_ws_decompression_failed, { "websocket.decompression.failed.expert", PI_PROTOCOL, PI_WARN, "Decompression failed", EXPFILL }},
   };
 
   static const enum_val_t text_types[] = {
@@ -557,8 +811,8 @@ proto_register_websocket(void)
         "Dissect websocket text as",
         "Select dissector for websocket text",
         &pref_text_type, text_types, WEBSOCKET_NONE);
-
-
+  prefs_register_bool_preference(websocket_module, "decompress",
+        "Try to decompress permessage-deflate payload", NULL, &pref_decompress);
 }
 
 void