From 939d7f79f231307adf38df534a9f8b00bccd107a Mon Sep 17 00:00:00 2001
From: Lindsay Stewart <slindsay@amazon.com>
Date: Sat, 6 Jul 2024 22:01:31 -0700
Subject: [PATCH] test(pcap): handle pcaps with tcp fragmentation

---
 tests/pcap/data/tcp_fragmentation.pcap | Bin 0 -> 3778 bytes
 tests/pcap/src/handshake_message.rs    |  42 +++++++++++++++++--------
 2 files changed, 29 insertions(+), 13 deletions(-)
 create mode 100644 tests/pcap/data/tcp_fragmentation.pcap

diff --git a/tests/pcap/data/tcp_fragmentation.pcap b/tests/pcap/data/tcp_fragmentation.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..b87d966877aed77f322748f820c101e41e9e6af4
GIT binary patch
literal 3778
zcmai%3p`Zm8^_OFaNH6@ZsQUaYlKW$l`_gD<5IGSa;a>HhCxVTiqvA-#TZH|atWn~
z={Cm9M!A(zDRNsSm)bDNlJGz0WLmZHe|?_$Fk`;&@A;kQ{hgVocgwQT02cUnVF48M
zN2xGnUj+pO$k6X_&0Qd10RSdMR}w%H7Tp~K04TV6&DBW7m1#-ve_lY(JfAiI05o>y
zITj6yZR_Y4fuBcVFd{IydO<P(z+{u#0<s#Z*SspY)gPkMFUZU^d{2hy0&+7%-URIg
z*W86@UQKjEH2Vt3vzqA;J%F|t4NPl88c|>L!c<sm4iyCQArxG57edS+?nH=~9}*QH
zBIL&`5rm0LFesE13P6ctFcJq_lG_gU`Gu>pl~+<PZ_LT@JD=?3ShDX@jrvE9REWC8
zH6eVhGcz-EfM3Xo^3KQhSWnl*9Iy6&aX$FIk>^?fk3-?mI1HD-)#vJR4H^p@FL9S~
zwPDpPNcH?a@O5C-<aB}RS%(84hev3OQ8ROVfK`Jqk+-l9yAU7H0^+Q*BZ#yA^#SB+
za<zaNXwvcl0w9FNU@;g#4Eg~9c|ZkF02BctU<J*YJYa?mcrrDa^FT#pIyx6MDR;}7
zbEu{f&G*qJUAl8@^Iz%VvJ5-(2A<1hhrym9n^fBam4EjypHzN13ah@iunz>p2c|&v
zzdkUX=JVkpL_7rz0$g(!G7mJOJK}?)fcV7+rqfp+Lcf^@5Y!l)99*@x36KPo00k^Y
z2qTOEML{u89K?b`pfDCCgc61i<RU-<07L@<_wEkx4GakdG@<9j0W|c|O6U;<8HJqL
zM+^6>i}af&P&cRF?D_h|M1lYX3JAF7F1TN;7k?#8wETLaz9B-_9qshBUpNK8CD3)w
zL<2xN1~cNfUEYC0<Y;ROy?N3Qy{9p=EWtzOjUxS#!|5_Pj?w>}e;m~OR%m?C7%Vg`
zUuNaQ6~m$58tmh}*<yB!Ez?mqI{xuonZ4*{6vj=Z#XD;14<8jpFikUp(0g;(K>VMk
znTM2$Jy%(6K;)u?=a&6H$wK;2D0%2{6|c5F^C1~G?xSwY(TUtpw_M|@zxz1_QJbR@
zvf(Wnoj+%9vs=xM`14ulbE`-1oSkK%ccBv%P4o>=={bQ_5#XD1*LtGZZl8y@^|H2v
za9BZ0n)O|Dy1a(2Xa>c6<gojfNj<>35E$_}#J5UCQ)3Peo4I~W=hq^5#)kBu6}qvL
zYA-(Szpz&;<cLqTeE5OBE}z)8#^w^^x9{YKU6ehqC1yz{8a5hz_S+Cnc$H-#;ee)V
zHTsNXC(Q&UmMANzMr+9XuisH(P(NV!7x{Hs9!{^E+_Pq+%lJ;pvhE@ZIA-NSJ{U`~
zn*K?07onkgyTfbpBd~yxe0-4BSI<>G&D<F#%E1$gGhS}|oKQ7z*tkgDReq>krf%oU
zbB)Hr_g7rKZJSu@XStZ1GR!YLEH3IC()WInczoNCQh)M}rBuI!LK|AqX*5A@^k#8x
zfRjz4hJ#HeclaJDS;SBL<oUxF#iUNXYYeklN;Q>>ls6ueiyZSYxfr*<%TxQTNH1&j
z!#VYGt+r8pa#dA?T#MrgMZ>s{B2$TWSN8MW(-^DmgU-`2p)8fEpiy6^w?>9<`^{9$
z*sFtX9J8J}A28sE&)z=O`#0wAuw1!--1@P$6wFS8%l8hp)?~5mgU<f(t|m{hd9dNy
zj+PCsHLYH{?@4i6Li>5jIss?8b!1GAeXy7GJzQhznJ#OR*ewx0?rT0%lS-yhsYR{4
zDo;!r>QqUbl;er01GJ@J<+Belx%%xSX=$_6*!*&>_JQ&n>46&CUez;p%Bj9F?^{}6
zIF;+FH^c^0&F|%Q8K-`7d#5KEv5`z-sbx*B+fvtD?YTKf-=saB?K@D&O$qQ1jp^)2
zpeXT;Rg|-2&0byfxn(N7%q3Vmf>{?<y1~knQj(hNNA`>kWRHXX8S4&h3TVm_f9kG6
zWkwkL>>`j%;3+<8ud^tE7h~K0s9i$Q^m->V(@%oaFx~UgG~V^HoW#cvUCpB{V|HgB
z>7uF)jWly@o_+Rg8*e=MXW&CaH^0Xvu}hl&VtDxG9sku*{1<VqlZ}P%l|8J;mj#b|
z!+S@)JNw4+iq9mvkEcXqd*XIb3!{g)cRokub@7u|X~|YHj>H^*Rji?8pxc`&l%mEz
zrB?5*&=Scryj>chqGDfGwEee>kL!ciOVIW=-qKw!&w9{G^&noiqn0MC!TBu*rO*8L
zF`@^Ow%&p~n@!v7s^E?cD9<M5+{fVb5rc`waUie-3NpCnE+oI#5j_#2`wxlmeN69b
zo=L*QFL?oTDVm}SDCO%R$(t(Re#yy>jN(dW!FQiLj3BNgOpJtx3`inea~GmCp6G=r
zT`VBZ_FjPW4l9lPsuU&~A=hD~NLKe~>FyS<x2D%4-*4im49QX4D(lybHc^id&<9P|
z&fx3pFSX)}-$^<De2CgbNR6JJfZvJx&}p6@V&Snls3>DUCEwlG%9#giJh^b!`bgI)
z0*!OJp7=r6MljKNnJBOdN_M#BF1TxyCf@)iTIc+b2z5OJ-3MnsZ+-20P*({z0TMm<
zLBG6}iiuA;6UnpEU{BufL$|Fdw5X+qqv9e~aJ%=O6p~Ln`fG6<Uq<1{ik-I$k2vEh
z#FFY*oiwZWiD7FtvhMmHW;s5QLf;@6XJUk;dDtnReHxx>j;igWFC^cbRxvwQ(Jjgw
z%A#Z?X)@9r`^kLXPrOPFT}FK}Oym9wd(LB}T|Axj(w5e*?i_Y<xA@q0H>I)1v$`kd
z@vgGhJxPW#40RlFGwsk?1G*ItWi3%b!g{HwZN?3Fm%ciydNsc+){8n)gJ1LfccO*)
z7~Z|CnNF4IrC+3fm?-&Y`3(CLY+&xf2ChO3%>LHE&J)lePSEBvu=eJjrs3j&-D%S`
z9<Ied%cifznN<a^y|P?k>E2_T$RTZ8Ew0lJ<Vc;Yu6zD!7;}$#PNq9uZxi0tWwdtr
zb;(RydSvM$y{)#{K|RxZTtNK3q==ln{oRXK#*aQxZ*pFDRoUXg?OV0aG+54O?1XVw
z9{VuLJM^>4$x*BSl-9uYa*m%+<vkNMdNKYiooAv@f_FUAUtom|JtlGTmY3`L6H#86
zk*x`es!uIuTuvlR?dlI5l!*@9_P~-htu6O->Dre;vA=DsIql7>Yh{vx3l1>MF8^{T
z_IliXrQUEJS|ae)%E=>39IoofAAt?5hYVaGb9N)=?z`_j%!#VtuCV!Ldc|^4zzrH^
zxaKb8B-`>0ky8@>?Ir076I_yM(tl?fXKsDBLxOPH-v{l_rnj}a(J3LYb`NN$`L*+j
z$WEue+vyatlQfhW|9<~LP7h4HydaUd2XVtoK%7k>*p1(5^APVXNaU|ZG|~mcFPYKx
LJEZZ`kNo`~`$8mk

literal 0
HcmV?d00001

diff --git a/tests/pcap/src/handshake_message.rs b/tests/pcap/src/handshake_message.rs
index 76bf520aac0..f35ad5f9c26 100644
--- a/tests/pcap/src/handshake_message.rs
+++ b/tests/pcap/src/handshake_message.rs
@@ -65,10 +65,14 @@ impl HandshakeMessage {
         // 'fragment_ids' here is a list of the packets containing
         // TLS records which contain fragments of this handshake message.
         //
-        // The "tls.handshake.fragment" data from tshark actually includes the
-        // full hex of each fragment, not just the id of each packet. But rtshark
-        // uses the `show` tag instead of the `value` tag, and the `show` tag is
-        // just the packet id. There's currently no way to access the `value` tag.
+        // Note: `all_metadata` uses the tshark "value" field. For Self::FRAGMENT,
+        // the "value" field is the id of the packet containing the fragment.
+        // The "raw_value" field is the fragment payload. However, the "raw_value"
+        // field does not contain the TLS record header, only the TLS handshake
+        // message. TLS record headers could be useful for later replaying the
+        // handshake, so we continue to use "value" and manually reassemble the
+        // TLS handshake messages from the fragment packets.
+        // See https://github.com/CrabeDeFrance/rtshark/pull/17
         let fragment_ids = packet.all_metadata(Self::FRAGMENT);
         let fragment_ids = if fragment_ids.is_empty() {
             vec![packet.id()]
@@ -86,8 +90,10 @@ impl HandshakeMessage {
             let fragment = tcp_packets
                 .get(&fragment_id)
                 .context("Missing handshake message fragment record")?;
+            // TCP payloads can also be fragmented, so check for a reassembled payload first.
             let tcp_payload = fragment
-                .metadata(Builder::TCP_PAYLOAD)
+                .metadata(Builder::TCP_REASSEMBLED)
+                .or_else(|| fragment.metadata(Builder::TCP_PAYLOAD))
                 .context("Missing handshake message tcp payload")?;
             // The TCP payload is a hex string. However, rtshark formats hex strings
             // like "AB:CD:EF:12" instead of "ABCDEF12".
@@ -129,14 +135,8 @@ pub struct Builder {
 }
 
 impl Builder {
-    // "tcp.payload" is actually insufficient. It's uncommon,
-    // but a TLS record can be split across multiple TCP segments.
-    // Then we would also need to check for "tcp.reassembled.data".
-    // However, rtshark currently doesn't support that field:
-    // https://github.com/CrabeDeFrance/rtshark/pull/16
-    //
-    // For now, parsing will fail if TLS records are reassembled.
     const TCP_PAYLOAD: &'static str = "tcp.payload";
+    const TCP_REASSEMBLED: &'static str = "tcp.reassembled.data";
 
     const MESSAGE_TYPE: &'static str = "tls.handshake.type";
 
@@ -173,6 +173,7 @@ impl Builder {
         let tcp_capture = capture
             .display_filter(Self::TCP_PAYLOAD)
             .metadata_whitelist(Self::TCP_PAYLOAD)
+            .metadata_whitelist(Self::TCP_REASSEMBLED)
             .metadata_whitelist(Packet::PACKET_ID)
             .spawn()?;
 
@@ -199,7 +200,7 @@ mod tests {
     use super::*;
 
     #[test]
-    fn fragmentation() -> Result<()> {
+    fn tls_fragmentation() -> Result<()> {
         let mut builder = Builder::default();
         builder.set_capture_file("data/fragmented_ch.pcap");
         let messages = builder.build()?;
@@ -213,6 +214,21 @@ mod tests {
         Ok(())
     }
 
+    #[test]
+    fn tcp_fragmentation() -> Result<()> {
+        let mut builder = Builder::default();
+        builder.set_capture_file("data/tcp_fragmentation.pcap");
+        let messages = builder.build()?;
+
+        let first = messages.first().unwrap();
+        assert_eq!(first.records.len(), 1);
+        let bytes = first.bytes();
+        // Correct length read from wireshark
+        assert_eq!(bytes.len(), 271);
+
+        Ok(())
+    }
+
     #[test]
     fn multiple_handshakes() -> Result<()> {
         let mut builder = Builder::default();