authorPeter Wu <peter@lekensteyn.nl>2017-06-02 22:05:10 +0200
committerPeter Wu <peter@lekensteyn.nl>2017-06-02 22:04:21 +0000
commit57b0527821b69dc8aa0786a3b5a425192795aff2 (patch)
tree4f01e3f4ac81d19d8ca3afa9a85a96f99c7c73bd
parenta86f6603fc8b66a46ce21d18990f2058110acf27 (diff)
Add ChaCha20-Poly1305 decryption support for TLS 1.2 and 1.3
Implements all seven AEAD_CHACHA20_POLY1305 cipher suites from RFC 7905 (for TLS 1.2) and the final missing one for TLS 1.3 (draft -20). New test captures (created using OpenSSL_1_1_0-pre6-2528-g042597b0a) also serve as tests for TLS 1.3 decryption support. Change-Id: Ice6d639c9c7b7bc23a6ff5fb4832d02694abd8c4 Ping-Bug: 12779 Reviewed-on: https://code.wireshark.org/review/21902 Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com> Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Peter Wu <peter@lekensteyn.nl>
-rw-r--r--epan/dissectors/packet-ssl-utils.c62
-rw-r--r--epan/dissectors/packet-ssl-utils.h7
-rw-r--r--test/captures/tls12-chacha20poly1305.pcapbin0 -> 43693 bytes
-rw-r--r--test/captures/tls13-20-chacha20poly1305.pcapbin0 -> 10336 bytes
-rwxr-xr-xtest/config.sh18
-rw-r--r--test/keys/tls12-chacha20poly1305.keys9
-rw-r--r--test/keys/tls13-20-chacha20poly1305.keys9
-rwxr-xr-xtest/suite-decryption.sh61
8 files changed, 149 insertions, 17 deletions
diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c
index 91b2f86648..c800263da6 100644
--- a/epan/dissectors/packet-ssl-utils.c
+++ b/epan/dissectors/packet-ssl-utils.c
@@ -63,6 +63,10 @@
/* Whether to provide support for authentication in addition to decryption. */
#define HAVE_LIBGCRYPT_AEAD
#endif
+#if GCRYPT_VERSION_NUMBER >= 0x010700 /* 1.7.0 */
+/* Whether AEAD_CHACHA20_POLY1305 can be supported. */
+#define HAVE_LIBGCRYPT_CHACHA20_POLY1305
+#endif
/* Lookup tables {{{ */
const value_string ssl_version_short_names[] = {
@@ -1500,6 +1504,7 @@ gint ssl_get_keyex_alg(gint cipher)
case 0xc0a7:
case 0xc0aa:
case 0xc0ab:
+ case 0xccad:
case 0xe41c:
case 0xe41d:
return KEX_DHE_PSK;
@@ -1523,6 +1528,7 @@ gint ssl_get_keyex_alg(gint cipher)
case 0xc09f:
case 0xc0a2:
case 0xc0a3:
+ case 0xccaa:
case 0xe41e:
case 0xe41f:
return KEX_DHE_RSA;
@@ -1577,6 +1583,7 @@ gint ssl_get_keyex_alg(gint cipher)
case 0xc0ad:
case 0xc0ae:
case 0xc0af:
+ case 0xcca9:
case 0xe414:
case 0xe415:
return KEX_ECDHE_ECDSA;
@@ -1591,6 +1598,7 @@ gint ssl_get_keyex_alg(gint cipher)
case 0xc03b:
case 0xc09a:
case 0xc09b:
+ case 0xccac:
case 0xe418:
case 0xe419:
return KEX_ECDHE_PSK;
@@ -1607,6 +1615,7 @@ gint ssl_get_keyex_alg(gint cipher)
case 0xc077:
case 0xc08a:
case 0xc08b:
+ case 0xcca8:
case 0xe412:
case 0xe413:
return KEX_ECDHE_RSA;
@@ -1646,6 +1655,7 @@ gint ssl_get_keyex_alg(gint cipher)
case 0xc0a5:
case 0xc0a8:
case 0xc0a9:
+ case 0xccab:
case 0xe416:
case 0xe417:
return KEX_PSK;
@@ -1703,6 +1713,7 @@ gint ssl_get_keyex_alg(gint cipher)
case 0xc093:
case 0xc098:
case 0xc099:
+ case 0xccae:
case 0xe41a:
case 0xe41b:
return KEX_RSA_PSK;
@@ -1977,12 +1988,17 @@ ssl_cipher_init(gcry_cipher_hd_t *cipher, gint algo, guchar* sk,
#ifdef HAVE_LIBGCRYPT_AEAD
GCRY_CIPHER_MODE_GCM,
GCRY_CIPHER_MODE_CCM,
- GCRY_CIPHER_MODE_CCM
+ GCRY_CIPHER_MODE_CCM,
#else
GCRY_CIPHER_MODE_CTR,
GCRY_CIPHER_MODE_CTR,
GCRY_CIPHER_MODE_CTR,
#endif
+#ifdef HAVE_LIBGCRYPT_CHACHA20_POLY1305
+ GCRY_CIPHER_MODE_POLY1305,
+#else
+ -1, /* AEAD_CHACHA20_POLY1305 is unsupported. */
+#endif
};
gint err;
if (algo == -1) {
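Review bot: In the `#else` branch the mode table now carries `-1` for AEAD_CHACHA20_POLY1305, but the only guard visible in this hunk tests `algo`, not the mode entry. If the rest of ssl_cipher_init (outside the hunk) hands the table entry straight to `gcry_cipher_open()`, a build against Libgcrypt older than 1.7.0 depends on the library rejecting an invalid mode rather than on an explicit check. I would state the contract in the comment, e.g. `-1, /* AEAD_CHACHA20_POLY1305 is unsupported; must fail before gcry_cipher_open(). */`, and return an error when the looked-up mode is `-1`.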
@@ -2160,6 +2176,7 @@ static const gchar *ciphers[]={
"CAMELLIA128",
"CAMELLIA256",
"SEED",
+ "CHACHA20", /* since Libgcrypt 1.7.0 */
"*UNKNOWN*"
};
@@ -2302,7 +2319,7 @@ static const SslCipherSuite cipher_suites[]={
/* NOTE: TLS 1.3 cipher suites are incompatible with TLS 1.2. */
{0x1301,KEX_TLS13, ENC_AES, DIG_SHA256, MODE_GCM }, /* TLS_AES_128_GCM_SHA256 */
{0x1302,KEX_TLS13, ENC_AES256, DIG_SHA384, MODE_GCM }, /* TLS_AES_256_GCM_SHA384 */
- /* TODO TLS_CHACHA20_POLY1305_SHA256 */
+ {0x1303,KEX_TLS13, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_CHACHA20_POLY1305_SHA256 */
{0x1304,KEX_TLS13, ENC_AES, DIG_SHA256, MODE_CCM }, /* TLS_AES_128_CCM_SHA256 */
{0x1305,KEX_TLS13, ENC_AES, DIG_SHA256, MODE_CCM_8 }, /* TLS_AES_128_CCM_8_SHA256 */
@@ -2418,6 +2435,13 @@ static const SslCipherSuite cipher_suites[]={
{0xC0AD,KEX_ECDHE_ECDSA, ENC_AES256, DIG_NA, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM */
{0xC0AE,KEX_ECDHE_ECDSA, ENC_AES, DIG_NA, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
{0xC0AF,KEX_ECDHE_ECDSA, ENC_AES256, DIG_NA, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 */
+ {0xCCA8,KEX_ECDHE_RSA, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
+ {0xCCA9,KEX_ECDHE_ECDSA, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */
+ {0xCCAA,KEX_DHE_RSA, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
+ {0xCCAB,KEX_PSK, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 */
+ {0xCCAC,KEX_ECDHE_PSK, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
+ {0xCCAD,KEX_DHE_PSK, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
+ {0xCCAE,KEX_RSA_PSK, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 */
{-1, 0, 0, 0, MODE_STREAM}
};
@@ -2998,7 +3022,7 @@ ssl_create_decoder(const SslCipherSuite *cipher_suite, gint cipher_algo,
// decoders since "decryption" is easy for such ciphers.
dec->mac_key.data = dec->_mac_key_or_write_iv;
ssl_data_set(&dec->mac_key, mk, ssl_cipher_suite_dig(cipher_suite)->len);
- } else if (mode == MODE_GCM || mode == MODE_CCM || mode == MODE_CCM_8) {
+ } else if (mode == MODE_GCM || mode == MODE_CCM || mode == MODE_CCM_8 || mode == MODE_POLY1305) {
// Input for the nonce, to be used with AEAD ciphers.
DISSECTOR_ASSERT(iv_length <= sizeof(dec->_mac_key_or_write_iv));
dec->write_iv.data = dec->_mac_key_or_write_iv;
@@ -3321,6 +3345,9 @@ ssl_generate_keyring_material(SslDecryptSession*ssl_session)
/* account for a four-byte salt for client and server side (from
* client_write_IV and server_write_IV), see GCMNonce (RFC 5288) */
write_iv_len = 4;
+ } else if (cipher_suite->mode == MODE_POLY1305) {
+ /* RFC 7905: SecurityParameters.fixed_iv_length is twelve bytes */
+ write_iv_len = 12;
}
/* Compute the key block. First figure out how much data we need */
@@ -3831,6 +3858,7 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
const guchar *explicit_nonce = NULL, *ciphertext;
guint ciphertext_len, auth_tag_len;
guchar nonce[12];
+ const ssl_cipher_mode_t cipher_mode = decoder->cipher_suite->mode;
#ifdef HAVE_LIBGCRYPT_AEAD
const guchar *auth_tag_wire;
guchar auth_tag_calc[16];
@@ -3838,9 +3866,10 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
guchar nonce_with_counter[16] = { 0 };
#endif
- switch (decoder->cipher_suite->mode) {
+ switch (cipher_mode) {
case MODE_GCM:
case MODE_CCM:
+ case MODE_POLY1305:
auth_tag_len = 16;
break;
case MODE_CCM_8:
@@ -3852,7 +3881,7 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
}
/* Parse input into explicit nonce (TLS 1.2 only), ciphertext and tag. */
- if (is_v12) {
+ if (is_v12 && cipher_mode != MODE_POLY1305) {
if (inl < EXPLICIT_NONCE_LEN + auth_tag_len) {
ssl_debug_printf("%s input %d is too small for explicit nonce %d and auth tag %d\n",
G_STRFUNC, inl, EXPLICIT_NONCE_LEN, auth_tag_len);
@@ -3861,7 +3890,7 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
explicit_nonce = in;
ciphertext = explicit_nonce + EXPLICIT_NONCE_LEN;
ciphertext_len = inl - EXPLICIT_NONCE_LEN - auth_tag_len;
- } else if (version == TLSV1DOT3_VERSION) {
+ } else if (version == TLSV1DOT3_VERSION || cipher_mode == MODE_POLY1305) {
if (inl < auth_tag_len) {
ssl_debug_printf("%s input %d has no space for auth tag %d\n", G_STRFUNC, inl, auth_tag_len);
return FALSE;
@@ -3876,20 +3905,23 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
auth_tag_wire = ciphertext + ciphertext_len;
#endif
- /* Nonce construction is version-specific. */
- if (is_v12) {
+ /*
+ * Nonce construction is version-specific. Note that AEAD_CHACHA20_POLY1305
+ * (RFC 7905) uses a nonce construction similar to TLS 1.3.
+ */
+ if (is_v12 && cipher_mode != MODE_POLY1305) {
DISSECTOR_ASSERT(decoder->write_iv.data_len == IMPLICIT_NONCE_LEN);
/* Implicit (4) and explicit (8) part of nonce. */
memcpy(nonce, decoder->write_iv.data, IMPLICIT_NONCE_LEN);
memcpy(nonce + IMPLICIT_NONCE_LEN, explicit_nonce, EXPLICIT_NONCE_LEN);
#ifndef HAVE_LIBGCRYPT_AEAD
- if (decoder->cipher_suite->mode == MODE_GCM) {
+ if (cipher_mode == MODE_GCM) {
/* NIST SP 800-38D, sect. 7.2 says that the 32-bit counter part starts
* at 1, and gets incremented before passing to the block cipher. */
memcpy(nonce_with_counter, nonce, IMPLICIT_NONCE_LEN + EXPLICIT_NONCE_LEN);
nonce_with_counter[IMPLICIT_NONCE_LEN + EXPLICIT_NONCE_LEN + 3] = 2;
- } else { /* MODE_CCM and MODE_CCM_8 */
+ } else if (cipher_mode == MODE_CCM || cipher_mode == MODE_CCM_8) {
/* The nonce for CCM and GCM are the same, but the nonce is used as input
* in the CCM algorithm described in RFC 3610. The nonce generated here is
* the one from RFC 3610 sect 2.3. Encryption. */
@@ -3898,9 +3930,11 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
memcpy(nonce_with_counter + 1, nonce, IMPLICIT_NONCE_LEN + EXPLICIT_NONCE_LEN);
/* struct { opaque salt[4]; opaque nonce_explicit[8] } CCMNonce (RFC 6655) */
nonce_with_counter[IMPLICIT_NONCE_LEN + EXPLICIT_NONCE_LEN + 3] = 1;
+ } else {
+ g_assert_not_reached();
}
#endif
- } else if (version == TLSV1DOT3_VERSION) {
+ } else if (version == TLSV1DOT3_VERSION || cipher_mode == MODE_POLY1305) {
/*
* Technically the nonce length must be at least 8 bytes, but for
* AES-GCM, AES-CCM and Poly1305-ChaCha20 the nonce length is exact 12.
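Review bot: The new `else { g_assert_not_reached(); }` branch aborts the whole process if it is ever reached, whereas the rest of this function uses `DISSECTOR_ASSERT`, which reports a dissector bug without taking the application down. Because this path runs on capture data the user did not produce, `DISSECTOR_ASSERT_NOT_REACHED();` is the safer choice and matches the surrounding style. The branch looks unreachable given the mode switch earlier in tls_decrypt_aead_record, but that switch is only partly visible in this diff.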
@@ -3911,7 +3945,10 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
/* Sequence number is left-padded with zeroes and XORed with write_iv */
phton64(nonce + nonce_len - 8, pntoh64(nonce + nonce_len - 8) ^ decoder->seq);
ssl_debug_printf("%s seq %" G_GUINT64_FORMAT "\n", G_STRFUNC, decoder->seq);
- decoder->seq++; /* Implicit sequence number for TLS 1.3. */
+ /* sequence number for TLS 1.2 is incremented when calculating AAD. */
+ if (!is_v12) {
+ decoder->seq++; /* Implicit sequence number for TLS 1.3. */
+ }
}
/* Set nonce and additional authentication data */
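Review bot: The `if (!is_v12)` guard makes the nonce XOR above it depend on `decoder->seq` still holding the current record's number, that is, on the AAD code incrementing it only afterwards, and that ordering is not stated in the hunk. The AAD construction lies outside this hunk, so the order cannot be confirmed from here. I would expand the comment to `/* TLS 1.2 (RFC 7905): seq is read here and incremented later when the AAD is built; keep this XOR ahead of the AAD code. */`.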
@@ -4023,6 +4060,7 @@ ssl_decrypt_record(SslDecryptSession *ssl, SslDecoder *decoder, guint8 ct, guint
if (decoder->cipher_suite->mode == MODE_GCM ||
decoder->cipher_suite->mode == MODE_CCM ||
decoder->cipher_suite->mode == MODE_CCM_8 ||
+ decoder->cipher_suite->mode == MODE_POLY1305 ||
ssl->session.version == TLSV1DOT3_VERSION) {
if (!tls_decrypt_aead_record(ssl, decoder, ct, record_version, in, inl, out_str, &worklen)) {
diff --git a/epan/dissectors/packet-ssl-utils.h b/epan/dissectors/packet-ssl-utils.h
index 269618dee8..17e539d7f9 100644
--- a/epan/dissectors/packet-ssl-utils.h
+++ b/epan/dissectors/packet-ssl-utils.h
@@ -286,7 +286,8 @@ typedef enum {
MODE_CBC, /* GenericBlockCipher */
MODE_GCM, /* GenericAEADCipher */
MODE_CCM, /* AEAD_AES_{128,256}_CCM with 16 byte auth tag */
- MODE_CCM_8 /* AEAD_AES_{128,256}_CCM with 8 byte auth tag */
+ MODE_CCM_8, /* AEAD_AES_{128,256}_CCM with 8 byte auth tag */
+ MODE_POLY1305, /* AEAD_CHACHA20_POLY1305 with 16 byte auth tag (RFC 7905) */
} ssl_cipher_mode_t;
/* Explicit and implicit nonce length (RFC 5116 - Section 3.2.1) */
@@ -359,6 +360,7 @@ typedef struct _SslDecoder {
#define KEX_IS_DH(n) ((n) >= KEX_DHE_DSS && (n) <= KEX_ECDH_RSA)
#define KEX_TLS13 0x23
+/* Order is significant, must match "ciphers" array in packet-ssl-utils.c */
#define ENC_DES 0x30
#define ENC_3DES 0x31
#define ENC_RC4 0x32
@@ -369,7 +371,8 @@ typedef struct _SslDecoder {
#define ENC_CAMELLIA128 0x37
#define ENC_CAMELLIA256 0x38
#define ENC_SEED 0x39
-#define ENC_NULL 0x3A
+#define ENC_CHACHA20 0x3A
+#define ENC_NULL 0x3B
#define DIG_MD5 0x40
#define DIG_SHA 0x41
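Review bot: Inserting `ENC_CHACHA20` at 0x3A and moving `ENC_NULL` to 0x3B keeps these constants in step with the `ciphers` string table only by hand; the new comment documents the coupling but nothing checks it. If the table is indexed by these values (the lookup is not in this diff), a future mismatch would read past the end of the array. A compile-time check next to the table would catch that, e.g. `G_STATIC_ASSERT(G_N_ELEMENTS(ciphers) == ENC_NULL - ENC_DES + 1);`, assuming index 0 corresponds to `ENC_DES`.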
diff --git a/test/captures/tls12-chacha20poly1305.pcap b/test/captures/tls12-chacha20poly1305.pcap
new file mode 100644
index 0000000000..1eaa85427f
--- /dev/null
+++ b/test/captures/tls12-chacha20poly1305.pcap
Binary files differ
diff --git a/test/captures/tls13-20-chacha20poly1305.pcap b/test/captures/tls13-20-chacha20poly1305.pcap
new file mode 100644
index 0000000000..da2246d69d
--- /dev/null
+++ b/test/captures/tls13-20-chacha20poly1305.pcap
Binary files differ
diff --git a/test/config.sh b/test/config.sh
index 7a59ecdeec..6b9d8f339d 100755
--- a/test/config.sh
+++ b/test/config.sh
@@ -106,20 +106,32 @@ export WIRESHARK_QUIT_AFTER_CAPTURE="True"
CAPTURE_DIR="$TESTS_DIR/captures/"
+TSHARK_VERSION=$($TSHARK -v | tr '\n' ' ')
+
# Figure out if we were built with lua or not so we can skip the lua tests if we
# don't have it.
-$TSHARK -v | grep -q "with Lua"
+echo "$TSHARK_VERSION" | grep -q "with Lua"
HAVE_LUA=$?
# Check whether we need to skip the HTTP2/HPACK decryption test.
-$TSHARK -v | tr '\n' ' '| grep -q "with nghttp2"
+echo "$TSHARK_VERSION" | grep -q "with nghttp2"
HAVE_NGHTTP2=$?
# Check whether we need to skip a certain decryption test.
# XXX What do we print for Nettle?
-$TSHARK -v | tr '\n' ' '| egrep -q "with MIT Kerberos|with Heimdal Kerberos"
+echo "$TSHARK_VERSION" | egrep -q "with MIT Kerberos|with Heimdal Kerberos"
HAVE_KERBEROS=$?
+# first version is "compiled with", second is "running on" version.
+GCRY_VERSION=$(echo "$TSHARK_VERSION" | grep -oE 'Gcrypt [1-9]+(\.[1-9]+)?' | sed -n '1s/Gcrypt //p')
+if [ -n "$GCRY_VERSION" ] && ! echo "$GCRY_VERSION" | grep -q '1\.[456]'; then
+ # Current minimum Gcrypt version is 1.4.2,
+ # assume 1.7 or newer if not 1,4, 1.5 or 1.6.
+ HAVE_LIBGCRYPT17=true
+else
+ HAVE_LIBGCRYPT17=false
+fi
+
HAVE_ICONV="False"
hash iconv 2>/dev/null && HAVE_ICONV="True"
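Review bot: The version probe `grep -oE 'Gcrypt [1-9]+(\.[1-9]+)?'` cannot match the digit 0, so a version such as 1.10 is captured as `1.1`, and the follow-up `grep -q '1\.[456]'` is unanchored. The result comes out right for the versions named in the comment, but only by accident. I would extract with `grep -oE 'Gcrypt [0-9]+\.[0-9]+'` and test with `grep -qE '^1\.[456]$'`. The comment's `1,4` is also a typo for `1.4`.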
diff --git a/test/keys/tls12-chacha20poly1305.keys b/test/keys/tls12-chacha20poly1305.keys
new file mode 100644
index 0000000000..cbdbcad7de
--- /dev/null
+++ b/test/keys/tls12-chacha20poly1305.keys
@@ -0,0 +1,9 @@
+# SSL/TLS secrets log file, generated by OpenSSL
+CLIENT_RANDOM ab85fc5f6db67c9cf825cd8a1f34cf6c5e89ec09656a4944ec5536a36aed5728 aee53fb112659bc2b3801db7d230c25100dfb79ffb00f086256885dfc1f8fc545e526fc92fe884348a84964bb7b4bbc0
+CLIENT_RANDOM 59ee68728af906f3fb825bf306f7f40ae1fb68fc13d769a00843d3f2ba5dac45 7b126413d8876316b67a35fc3d530bca6574070a5a4b829868b3f94c36b0b1f673ab0a18f213ee7a5fb47ba50676acb3
+CLIENT_RANDOM 1c73db9d11c0c4fb8acf3f62ec0a50a1559eeaded9a9a54e829f9f291d592069 f38dbcf8c3eb3c30514fbcfe2208efab88b3593468b8695e8c1f55662ffe5ab4151ed4ead5fb207c8707ea073e8aaaba
+RSA 3e2ffbd86d10f694 0303f4d5b30f42e5df09d7d3fe363b4ff104b469bcade9e4506bf6cc621441d577cc5fbe448979fdd9be53556881058a
+CLIENT_RANDOM 121cdd2ae0f9f089b48897272e37c89cf41f4eb8262ac1272cc02a73fd23fa0b 2a169a4a71b6b988d525546ca3f56d185f16490eecc19659963f796bf8c6b4cf10f8739aeb0f2162451c1e46718c137d
+CLIENT_RANDOM db9350951d7ace9c91422b44b526a549fa3ca97b9e0d5c421c08ee3223b3d74a bd0c489a9d428510d937ae09038a0cc84bc3ed72dfe136712d94fcc001d46f54b33992dd3f2f897625cad07f7f9caeb2
+CLIENT_RANDOM 55a097b1bf4bf3c0f7161a81f15be86a78f2ca05f9784b07e0af761c1f9f1d65 bdf97a381c55c50421757a63227717b6a5c840ef8fc61975e0c495cff55f4dde41080b63c896f94639351697810bfcd9
+CLIENT_RANDOM f6fb54f9367adab3128073734d14e7230e6fe3c5c494caa15e130b5a955dbcb6 8409faa69c4c6ebf56cbad7b9ace4f41815de444410c2c595f409b54a80014e0acf944b8ee6f62eb0ef873714514a19f
diff --git a/test/keys/tls13-20-chacha20poly1305.keys b/test/keys/tls13-20-chacha20poly1305.keys
new file mode 100644
index 0000000000..e858b9a56b
--- /dev/null
+++ b/test/keys/tls13-20-chacha20poly1305.keys
@@ -0,0 +1,9 @@
+# SSL/TLS secrets log file, generated by OpenSSL
+SERVER_HANDSHAKE_TRAFFIC_SECRET 3d89529eeebe176375ef29bd146a49e02c375771628244948f6e9408457fdbc1 4e1fbe0594634161e1af3f8b6e940561ba3fc2174b6cefb5b0da3e040cfb23e4
+SERVER_TRAFFIC_SECRET_0 3d89529eeebe176375ef29bd146a49e02c375771628244948f6e9408457fdbc1 1e519f7e8d3e8d45d7cf13038f50a50e1a2f6f0a9f918b9ae856f3269068ef8f
+CLIENT_HANDSHAKE_TRAFFIC_SECRET 3d89529eeebe176375ef29bd146a49e02c375771628244948f6e9408457fdbc1 69c6f71caf5031fc55671bf88c70a77acac0d81de20d3cf5e6b4dd7fac4ffe4d
+CLIENT_TRAFFIC_SECRET_0 3d89529eeebe176375ef29bd146a49e02c375771628244948f6e9408457fdbc1 292497c163345eaa5b16b0b7907faa31dbb7ce76ac9a1c35ca99ba9dafeae72c
+SERVER_HANDSHAKE_TRAFFIC_SECRET 4cfd639e633b0ccdedab543dd333639d2bacd023b2f12a94724eb1c20f5b8e11 976e0b13800a6c2335ed9bb124f38fb2f654c6585dfc14db72eb09cd30148a1c
+SERVER_TRAFFIC_SECRET_0 4cfd639e633b0ccdedab543dd333639d2bacd023b2f12a94724eb1c20f5b8e11 f7e0e34d554b2431353dadb226d9fbf248dd15e76944234bfb13b1102af43aaf
+CLIENT_HANDSHAKE_TRAFFIC_SECRET 4cfd639e633b0ccdedab543dd333639d2bacd023b2f12a94724eb1c20f5b8e11 d46820a69b572a15d2ef8778d32f1e00300725ab42bc9f3e8f6ede598a1ab532
+CLIENT_TRAFFIC_SECRET_0 4cfd639e633b0ccdedab543dd333639d2bacd023b2f12a94724eb1c20f5b8e11 69bf451e01db2af6924af9b78759a9f3e84affab23300238dbf94c54709cdda1
diff --git a/test/suite-decryption.sh b/test/suite-decryption.sh
index 7545b47ed0..a5774708a8 100755
--- a/test/suite-decryption.sh
+++ b/test/suite-decryption.sh
@@ -302,6 +302,65 @@ decryption_step_tls_psk_aes256gcm() {
test_step_ok
}
+# TLS 1.2 with ChaCha20-Poly1305
+decryption_step_tls12_chacha20poly1305() {
+ if ! $HAVE_LIBGCRYPT17; then
+ test_step_skipped
+ return
+ fi
+ TEST_KEYS_FILE="$TESTS_DIR/keys/tls12-chacha20poly1305.keys"
+ if [ "$WS_SYSTEM" == "Windows" ] ; then
+ TEST_KEYS_FILE="`cygpath -w $TEST_KEYS_FILE`"
+ fi
+ ciphers='
+ ECDHE-ECDSA-CHACHA20-POLY1305
+ ECDHE-RSA-CHACHA20-POLY1305
+ DHE-RSA-CHACHA20-POLY1305
+ RSA-PSK-CHACHA20-POLY1305
+ DHE-PSK-CHACHA20-POLY1305
+ ECDHE-PSK-CHACHA20-POLY1305
+ PSK-CHACHA20-POLY1305
+ '
+ local stream=0
+ for cipher in $ciphers; do
+ $TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS -q \
+ -r "$CAPTURE_DIR/tls12-chacha20poly1305.pcap" \
+ -o "ssl.keylog_file: $TEST_KEYS_FILE" \
+ -z follow,ssl,ascii,$stream \
+ | grep -q "$cipher"
+ RETURNVALUE=$?
+ if [ ! $RETURNVALUE -eq $EXIT_OK ]; then
+ test_step_failed "Failed to decrypt TLS 1.2 ($cipher)"
+ return
+ fi
+ ((stream++))
+ done
+ test_step_ok
+}
+
+# TLS 1.3 with ChaCha20-Poly1305
+decryption_step_tls13_chacha20poly1305() {
+ if ! $HAVE_LIBGCRYPT17; then
+ test_step_skipped
+ return
+ fi
+ TEST_KEYS_FILE="$TESTS_DIR/keys/tls13-20-chacha20poly1305.keys"
+ if [ "$WS_SYSTEM" == "Windows" ] ; then
+ TEST_KEYS_FILE="`cygpath -w $TEST_KEYS_FILE`"
+ fi
+ $TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS -q \
+ -r "$CAPTURE_DIR/tls13-20-chacha20poly1305.pcap" \
+ -o "ssl.keylog_file: $TEST_KEYS_FILE" \
+ -z follow,ssl,ascii,0 \
+ | grep -q TLS13-CHACHA20-POLY1305-SHA256
+ RETURNVALUE=$?
+ if [ ! $RETURNVALUE -eq $EXIT_OK ]; then
+ test_step_failed "Failed to decrypt TLS 1.3 (ChaCha20-Poly1305)"
+ return
+ fi
+ test_step_ok
+}
+
# ZigBee
# https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7022
decryption_step_zigbee() {
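Review bot: `grep -q "$cipher"` in the TLS 1.2 loop is a substring match, and several names in the list are contained in others (`PSK-CHACHA20-POLY1305` inside the `DHE-PSK-`, `ECDHE-PSK-` and `RSA-PSK-` names; `DHE-RSA-` and `DHE-PSK-` inside their `ECDHE-` counterparts). A stream decrypted under a different suite, or streams in another order than the list, could therefore still pass for those entries. Anchoring the left side, e.g. `grep -qE "(^|[^A-Z-])$cipher"`, would make each iteration check exactly one suite; the followed stream's output is not visible here, so the boundary may need adjusting to it. Separately, `cygpath -w $TEST_KEYS_FILE` should quote its argument in both new functions.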
@@ -582,6 +641,8 @@ tshark_decryption_suite() {
test_step_add "SSL Decryption (renegotiation)" decryption_step_ssl_renegotiation
test_step_add "TLS 1.2 Decryption (PSK AES-128-CCM)" decryption_step_tls_psk_aes128ccm
test_step_add "TLS 1.2 Decryption (PSK AES-256-GCM)" decryption_step_tls_psk_aes256gcm
+ test_step_add "TLS 1.2 Decryption (ChaCha20-Poly1305)" decryption_step_tls12_chacha20poly1305
+ test_step_add "TLS 1.3 Decryption (ChaCha20-Poly1305)" decryption_step_tls13_chacha20poly1305
test_step_add "ZigBee Decryption" decryption_step_zigbee
test_step_add "ANSI C12.22 Decryption" decryption_step_c1222
test_step_add "DVB-CI Decryption" decryption_step_dvb_ci